aboutsummaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
Diffstat (limited to 'net')
-rw-r--r--net/Kconfig1
-rw-r--r--net/Makefile1
-rw-r--r--net/bluetooth/Kconfig9
-rw-r--r--net/bluetooth/Makefile2
-rw-r--r--net/bluetooth/cmtp/capi.c3
-rw-r--r--net/bluetooth/hci_conn.c79
-rw-r--r--net/bluetooth/hci_core.c195
-rw-r--r--net/bluetooth/hci_event.c206
-rw-r--r--net/bluetooth/hci_sock.c70
-rw-r--r--net/bluetooth/l2cap_core.c868
-rw-r--r--net/bluetooth/l2cap_sock.c375
-rw-r--r--net/bluetooth/mgmt.c133
-rw-r--r--net/bluetooth/rfcomm/sock.c6
-rw-r--r--net/bluetooth/smp.c534
-rw-r--r--net/core/sock.c6
-rw-r--r--net/mac80211/aes_ccm.c37
-rw-r--r--net/mac80211/aes_ccm.h2
-rw-r--r--net/mac80211/aes_cmac.c10
-rw-r--r--net/mac80211/aes_cmac.h2
-rw-r--r--net/mac80211/agg-rx.c21
-rw-r--r--net/mac80211/cfg.c62
-rw-r--r--net/mac80211/debugfs_key.c13
-rw-r--r--net/mac80211/driver-ops.h20
-rw-r--r--net/mac80211/driver-trace.h55
-rw-r--r--net/mac80211/ht.c6
-rw-r--r--net/mac80211/ieee80211_i.h26
-rw-r--r--net/mac80211/key.c171
-rw-r--r--net/mac80211/key.h30
-rw-r--r--net/mac80211/mesh_pathtbl.c4
-rw-r--r--net/mac80211/mlme.c56
-rw-r--r--net/mac80211/pm.c51
-rw-r--r--net/mac80211/rc80211_minstrel.c9
-rw-r--r--net/mac80211/rc80211_minstrel.h12
-rw-r--r--net/mac80211/rc80211_minstrel_ht.c7
-rw-r--r--net/mac80211/rx.c35
-rw-r--r--net/mac80211/scan.c45
-rw-r--r--net/mac80211/sta_info.h6
-rw-r--r--net/mac80211/tkip.c108
-rw-r--r--net/mac80211/tkip.h8
-rw-r--r--net/mac80211/tx.c14
-rw-r--r--net/mac80211/util.c23
-rw-r--r--net/mac80211/wme.c3
-rw-r--r--net/mac80211/wme.h5
-rw-r--r--net/mac80211/work.c2
-rw-r--r--net/mac80211/wpa.c94
-rw-r--r--net/netlink/af_netlink.c2
-rw-r--r--net/nfc/Kconfig16
-rw-r--r--net/nfc/Makefile7
-rw-r--r--net/nfc/af_nfc.c98
-rw-r--r--net/nfc/core.c468
-rw-r--r--net/nfc/netlink.c537
-rw-r--r--net/nfc/nfc.h117
-rw-r--r--net/nfc/rawsock.c354
-rw-r--r--net/wireless/mlme.c15
-rw-r--r--net/wireless/nl80211.c232
-rw-r--r--net/wireless/nl80211.h4
-rw-r--r--net/wireless/scan.c7
57 files changed, 4312 insertions, 970 deletions
diff --git a/net/Kconfig b/net/Kconfig
index 878151c772c9..a07314844238 100644
--- a/net/Kconfig
+++ b/net/Kconfig
@@ -322,6 +322,7 @@ source "net/rfkill/Kconfig"
322source "net/9p/Kconfig" 322source "net/9p/Kconfig"
323source "net/caif/Kconfig" 323source "net/caif/Kconfig"
324source "net/ceph/Kconfig" 324source "net/ceph/Kconfig"
325source "net/nfc/Kconfig"
325 326
326 327
327endif # if NET 328endif # if NET
diff --git a/net/Makefile b/net/Makefile
index a51d9465e628..acdde4950de4 100644
--- a/net/Makefile
+++ b/net/Makefile
@@ -68,3 +68,4 @@ obj-$(CONFIG_WIMAX) += wimax/
68obj-$(CONFIG_DNS_RESOLVER) += dns_resolver/ 68obj-$(CONFIG_DNS_RESOLVER) += dns_resolver/
69obj-$(CONFIG_CEPH_LIB) += ceph/ 69obj-$(CONFIG_CEPH_LIB) += ceph/
70obj-$(CONFIG_BATMAN_ADV) += batman-adv/ 70obj-$(CONFIG_BATMAN_ADV) += batman-adv/
71obj-$(CONFIG_NFC) += nfc/
diff --git a/net/bluetooth/Kconfig b/net/bluetooth/Kconfig
index 6ae5ec508587..bfb3dc03c9de 100644
--- a/net/bluetooth/Kconfig
+++ b/net/bluetooth/Kconfig
@@ -6,6 +6,7 @@ menuconfig BT
6 tristate "Bluetooth subsystem support" 6 tristate "Bluetooth subsystem support"
7 depends on NET && !S390 7 depends on NET && !S390
8 depends on RFKILL || !RFKILL 8 depends on RFKILL || !RFKILL
9 select CRYPTO
9 help 10 help
10 Bluetooth is low-cost, low-power, short-range wireless technology. 11 Bluetooth is low-cost, low-power, short-range wireless technology.
11 It was designed as a replacement for cables and other short-range 12 It was designed as a replacement for cables and other short-range
@@ -22,6 +23,7 @@ menuconfig BT
22 BNEP Module (Bluetooth Network Encapsulation Protocol) 23 BNEP Module (Bluetooth Network Encapsulation Protocol)
23 CMTP Module (CAPI Message Transport Protocol) 24 CMTP Module (CAPI Message Transport Protocol)
24 HIDP Module (Human Interface Device Protocol) 25 HIDP Module (Human Interface Device Protocol)
26 SMP Module (Security Manager Protocol)
25 27
26 Say Y here to compile Bluetooth support into the kernel or say M to 28 Say Y here to compile Bluetooth support into the kernel or say M to
27 compile it as module (bluetooth). 29 compile it as module (bluetooth).
@@ -36,11 +38,18 @@ if BT != n
36config BT_L2CAP 38config BT_L2CAP
37 bool "L2CAP protocol support" 39 bool "L2CAP protocol support"
38 select CRC16 40 select CRC16
41 select CRYPTO
42 select CRYPTO_BLKCIPHER
43 select CRYPTO_AES
44 select CRYPTO_ECB
39 help 45 help
40 L2CAP (Logical Link Control and Adaptation Protocol) provides 46 L2CAP (Logical Link Control and Adaptation Protocol) provides
41 connection oriented and connection-less data transport. L2CAP 47 connection oriented and connection-less data transport. L2CAP
42 support is required for most Bluetooth applications. 48 support is required for most Bluetooth applications.
43 49
50 Also included is support for SMP (Security Manager Protocol) which
51 is the security layer on top of LE (Low Energy) links.
52
44config BT_SCO 53config BT_SCO
45 bool "SCO links support" 54 bool "SCO links support"
46 help 55 help
diff --git a/net/bluetooth/Makefile b/net/bluetooth/Makefile
index f04fe9a9d634..9b67f3d08fa4 100644
--- a/net/bluetooth/Makefile
+++ b/net/bluetooth/Makefile
@@ -9,5 +9,5 @@ obj-$(CONFIG_BT_CMTP) += cmtp/
9obj-$(CONFIG_BT_HIDP) += hidp/ 9obj-$(CONFIG_BT_HIDP) += hidp/
10 10
11bluetooth-y := af_bluetooth.o hci_core.o hci_conn.o hci_event.o mgmt.o hci_sock.o hci_sysfs.o lib.o 11bluetooth-y := af_bluetooth.o hci_core.o hci_conn.o hci_event.o mgmt.o hci_sock.o hci_sysfs.o lib.o
12bluetooth-$(CONFIG_BT_L2CAP) += l2cap_core.o l2cap_sock.o 12bluetooth-$(CONFIG_BT_L2CAP) += l2cap_core.o l2cap_sock.o smp.o
13bluetooth-$(CONFIG_BT_SCO) += sco.o 13bluetooth-$(CONFIG_BT_SCO) += sco.o
diff --git a/net/bluetooth/cmtp/capi.c b/net/bluetooth/cmtp/capi.c
index 744233cba244..040f67b12978 100644
--- a/net/bluetooth/cmtp/capi.c
+++ b/net/bluetooth/cmtp/capi.c
@@ -326,7 +326,7 @@ void cmtp_recv_capimsg(struct cmtp_session *session, struct sk_buff *skb)
326{ 326{
327 struct capi_ctr *ctrl = &session->ctrl; 327 struct capi_ctr *ctrl = &session->ctrl;
328 struct cmtp_application *application; 328 struct cmtp_application *application;
329 __u16 cmd, appl; 329 __u16 appl;
330 __u32 contr; 330 __u32 contr;
331 331
332 BT_DBG("session %p skb %p len %d", session, skb, skb->len); 332 BT_DBG("session %p skb %p len %d", session, skb, skb->len);
@@ -344,7 +344,6 @@ void cmtp_recv_capimsg(struct cmtp_session *session, struct sk_buff *skb)
344 return; 344 return;
345 } 345 }
346 346
347 cmd = CAPICMD(CAPIMSG_COMMAND(skb->data), CAPIMSG_SUBCOMMAND(skb->data));
348 appl = CAPIMSG_APPID(skb->data); 347 appl = CAPIMSG_APPID(skb->data);
349 contr = CAPIMSG_CONTROL(skb->data); 348 contr = CAPIMSG_CONTROL(skb->data);
350 349
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index bcd158f40bb9..ea7f031f3b04 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -53,11 +53,13 @@ static void hci_le_connect(struct hci_conn *conn)
53 conn->state = BT_CONNECT; 53 conn->state = BT_CONNECT;
54 conn->out = 1; 54 conn->out = 1;
55 conn->link_mode |= HCI_LM_MASTER; 55 conn->link_mode |= HCI_LM_MASTER;
56 conn->sec_level = BT_SECURITY_LOW;
56 57
57 memset(&cp, 0, sizeof(cp)); 58 memset(&cp, 0, sizeof(cp));
58 cp.scan_interval = cpu_to_le16(0x0004); 59 cp.scan_interval = cpu_to_le16(0x0004);
59 cp.scan_window = cpu_to_le16(0x0004); 60 cp.scan_window = cpu_to_le16(0x0004);
60 bacpy(&cp.peer_addr, &conn->dst); 61 bacpy(&cp.peer_addr, &conn->dst);
62 cp.peer_addr_type = conn->dst_type;
61 cp.conn_interval_min = cpu_to_le16(0x0008); 63 cp.conn_interval_min = cpu_to_le16(0x0008);
62 cp.conn_interval_max = cpu_to_le16(0x0100); 64 cp.conn_interval_max = cpu_to_le16(0x0100);
63 cp.supervision_timeout = cpu_to_le16(0x0064); 65 cp.supervision_timeout = cpu_to_le16(0x0064);
@@ -203,6 +205,55 @@ void hci_le_conn_update(struct hci_conn *conn, u16 min, u16 max,
203} 205}
204EXPORT_SYMBOL(hci_le_conn_update); 206EXPORT_SYMBOL(hci_le_conn_update);
205 207
208void hci_le_start_enc(struct hci_conn *conn, __le16 ediv, __u8 rand[8],
209 __u8 ltk[16])
210{
211 struct hci_dev *hdev = conn->hdev;
212 struct hci_cp_le_start_enc cp;
213
214 BT_DBG("%p", conn);
215
216 memset(&cp, 0, sizeof(cp));
217
218 cp.handle = cpu_to_le16(conn->handle);
219 memcpy(cp.ltk, ltk, sizeof(cp.ltk));
220 cp.ediv = ediv;
221 memcpy(cp.rand, rand, sizeof(rand));
222
223 hci_send_cmd(hdev, HCI_OP_LE_START_ENC, sizeof(cp), &cp);
224}
225EXPORT_SYMBOL(hci_le_start_enc);
226
227void hci_le_ltk_reply(struct hci_conn *conn, u8 ltk[16])
228{
229 struct hci_dev *hdev = conn->hdev;
230 struct hci_cp_le_ltk_reply cp;
231
232 BT_DBG("%p", conn);
233
234 memset(&cp, 0, sizeof(cp));
235
236 cp.handle = cpu_to_le16(conn->handle);
237 memcpy(cp.ltk, ltk, sizeof(ltk));
238
239 hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
240}
241EXPORT_SYMBOL(hci_le_ltk_reply);
242
243void hci_le_ltk_neg_reply(struct hci_conn *conn)
244{
245 struct hci_dev *hdev = conn->hdev;
246 struct hci_cp_le_ltk_neg_reply cp;
247
248 BT_DBG("%p", conn);
249
250 memset(&cp, 0, sizeof(cp));
251
252 cp.handle = cpu_to_le16(conn->handle);
253
254 hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(cp), &cp);
255}
256
206/* Device _must_ be locked */ 257/* Device _must_ be locked */
207void hci_sco_setup(struct hci_conn *conn, __u8 status) 258void hci_sco_setup(struct hci_conn *conn, __u8 status)
208{ 259{
@@ -450,14 +501,23 @@ struct hci_conn *hci_connect(struct hci_dev *hdev, int type, bdaddr_t *dst, __u8
450 BT_DBG("%s dst %s", hdev->name, batostr(dst)); 501 BT_DBG("%s dst %s", hdev->name, batostr(dst));
451 502
452 if (type == LE_LINK) { 503 if (type == LE_LINK) {
504 struct adv_entry *entry;
505
453 le = hci_conn_hash_lookup_ba(hdev, LE_LINK, dst); 506 le = hci_conn_hash_lookup_ba(hdev, LE_LINK, dst);
454 if (le) 507 if (le)
455 return ERR_PTR(-EBUSY); 508 return ERR_PTR(-EBUSY);
509
510 entry = hci_find_adv_entry(hdev, dst);
511 if (!entry)
512 return ERR_PTR(-EHOSTUNREACH);
513
456 le = hci_conn_add(hdev, LE_LINK, dst); 514 le = hci_conn_add(hdev, LE_LINK, dst);
457 if (!le) 515 if (!le)
458 return ERR_PTR(-ENOMEM); 516 return ERR_PTR(-ENOMEM);
459 if (le->state == BT_OPEN) 517
460 hci_le_connect(le); 518 le->dst_type = entry->bdaddr_type;
519
520 hci_le_connect(le);
461 521
462 hci_conn_hold(le); 522 hci_conn_hold(le);
463 523
@@ -500,7 +560,7 @@ struct hci_conn *hci_connect(struct hci_dev *hdev, int type, bdaddr_t *dst, __u8
500 if (acl->state == BT_CONNECTED && 560 if (acl->state == BT_CONNECTED &&
501 (sco->state == BT_OPEN || sco->state == BT_CLOSED)) { 561 (sco->state == BT_OPEN || sco->state == BT_CLOSED)) {
502 acl->power_save = 1; 562 acl->power_save = 1;
503 hci_conn_enter_active_mode(acl); 563 hci_conn_enter_active_mode(acl, BT_POWER_FORCE_ACTIVE_ON);
504 564
505 if (test_bit(HCI_CONN_MODE_CHANGE_PEND, &acl->pend)) { 565 if (test_bit(HCI_CONN_MODE_CHANGE_PEND, &acl->pend)) {
506 /* defer SCO setup until mode change completed */ 566 /* defer SCO setup until mode change completed */
@@ -551,6 +611,8 @@ static int hci_conn_auth(struct hci_conn *conn, __u8 sec_level, __u8 auth_type)
551 cp.handle = cpu_to_le16(conn->handle); 611 cp.handle = cpu_to_le16(conn->handle);
552 hci_send_cmd(conn->hdev, HCI_OP_AUTH_REQUESTED, 612 hci_send_cmd(conn->hdev, HCI_OP_AUTH_REQUESTED,
553 sizeof(cp), &cp); 613 sizeof(cp), &cp);
614 if (conn->key_type != 0xff)
615 set_bit(HCI_CONN_REAUTH_PEND, &conn->pend);
554 } 616 }
555 617
556 return 0; 618 return 0;
@@ -634,9 +696,7 @@ int hci_conn_check_secure(struct hci_conn *conn, __u8 sec_level)
634 if (sec_level != BT_SECURITY_HIGH) 696 if (sec_level != BT_SECURITY_HIGH)
635 return 1; /* Accept if non-secure is required */ 697 return 1; /* Accept if non-secure is required */
636 698
637 if (conn->key_type == HCI_LK_AUTH_COMBINATION || 699 if (conn->sec_level == BT_SECURITY_HIGH)
638 (conn->key_type == HCI_LK_COMBINATION &&
639 conn->pin_length == 16))
640 return 1; 700 return 1;
641 701
642 return 0; /* Reject not secure link */ 702 return 0; /* Reject not secure link */
@@ -679,7 +739,7 @@ int hci_conn_switch_role(struct hci_conn *conn, __u8 role)
679EXPORT_SYMBOL(hci_conn_switch_role); 739EXPORT_SYMBOL(hci_conn_switch_role);
680 740
681/* Enter active mode */ 741/* Enter active mode */
682void hci_conn_enter_active_mode(struct hci_conn *conn) 742void hci_conn_enter_active_mode(struct hci_conn *conn, __u8 force_active)
683{ 743{
684 struct hci_dev *hdev = conn->hdev; 744 struct hci_dev *hdev = conn->hdev;
685 745
@@ -688,7 +748,10 @@ void hci_conn_enter_active_mode(struct hci_conn *conn)
688 if (test_bit(HCI_RAW, &hdev->flags)) 748 if (test_bit(HCI_RAW, &hdev->flags))
689 return; 749 return;
690 750
691 if (conn->mode != HCI_CM_SNIFF || !conn->power_save) 751 if (conn->mode != HCI_CM_SNIFF)
752 goto timer;
753
754 if (!conn->power_save && !force_active)
692 goto timer; 755 goto timer;
693 756
694 if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->pend)) { 757 if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->pend)) {
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 815269b07f20..0029e178e52e 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -42,6 +42,7 @@
42#include <linux/notifier.h> 42#include <linux/notifier.h>
43#include <linux/rfkill.h> 43#include <linux/rfkill.h>
44#include <linux/timer.h> 44#include <linux/timer.h>
45#include <linux/crypto.h>
45#include <net/sock.h> 46#include <net/sock.h>
46 47
47#include <asm/system.h> 48#include <asm/system.h>
@@ -59,6 +60,8 @@ static void hci_tx_task(unsigned long arg);
59 60
60static DEFINE_RWLOCK(hci_task_lock); 61static DEFINE_RWLOCK(hci_task_lock);
61 62
63static int enable_smp;
64
62/* HCI device list */ 65/* HCI device list */
63LIST_HEAD(hci_dev_list); 66LIST_HEAD(hci_dev_list);
64DEFINE_RWLOCK(hci_dev_list_lock); 67DEFINE_RWLOCK(hci_dev_list_lock);
@@ -1202,6 +1205,177 @@ int hci_add_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 *hash,
1202 return 0; 1205 return 0;
1203} 1206}
1204 1207
1208struct bdaddr_list *hci_blacklist_lookup(struct hci_dev *hdev,
1209 bdaddr_t *bdaddr)
1210{
1211 struct list_head *p;
1212
1213 list_for_each(p, &hdev->blacklist) {
1214 struct bdaddr_list *b;
1215
1216 b = list_entry(p, struct bdaddr_list, list);
1217
1218 if (bacmp(bdaddr, &b->bdaddr) == 0)
1219 return b;
1220 }
1221
1222 return NULL;
1223}
1224
1225int hci_blacklist_clear(struct hci_dev *hdev)
1226{
1227 struct list_head *p, *n;
1228
1229 list_for_each_safe(p, n, &hdev->blacklist) {
1230 struct bdaddr_list *b;
1231
1232 b = list_entry(p, struct bdaddr_list, list);
1233
1234 list_del(p);
1235 kfree(b);
1236 }
1237
1238 return 0;
1239}
1240
1241int hci_blacklist_add(struct hci_dev *hdev, bdaddr_t *bdaddr)
1242{
1243 struct bdaddr_list *entry;
1244 int err;
1245
1246 if (bacmp(bdaddr, BDADDR_ANY) == 0)
1247 return -EBADF;
1248
1249 hci_dev_lock(hdev);
1250
1251 if (hci_blacklist_lookup(hdev, bdaddr)) {
1252 err = -EEXIST;
1253 goto err;
1254 }
1255
1256 entry = kzalloc(sizeof(struct bdaddr_list), GFP_KERNEL);
1257 if (!entry) {
1258 return -ENOMEM;
1259 goto err;
1260 }
1261
1262 bacpy(&entry->bdaddr, bdaddr);
1263
1264 list_add(&entry->list, &hdev->blacklist);
1265
1266 err = 0;
1267
1268err:
1269 hci_dev_unlock(hdev);
1270 return err;
1271}
1272
1273int hci_blacklist_del(struct hci_dev *hdev, bdaddr_t *bdaddr)
1274{
1275 struct bdaddr_list *entry;
1276 int err = 0;
1277
1278 hci_dev_lock(hdev);
1279
1280 if (bacmp(bdaddr, BDADDR_ANY) == 0) {
1281 hci_blacklist_clear(hdev);
1282 goto done;
1283 }
1284
1285 entry = hci_blacklist_lookup(hdev, bdaddr);
1286 if (!entry) {
1287 err = -ENOENT;
1288 goto done;
1289 }
1290
1291 list_del(&entry->list);
1292 kfree(entry);
1293
1294done:
1295 hci_dev_unlock(hdev);
1296 return err;
1297}
1298
1299static void hci_clear_adv_cache(unsigned long arg)
1300{
1301 struct hci_dev *hdev = (void *) arg;
1302
1303 hci_dev_lock(hdev);
1304
1305 hci_adv_entries_clear(hdev);
1306
1307 hci_dev_unlock(hdev);
1308}
1309
1310int hci_adv_entries_clear(struct hci_dev *hdev)
1311{
1312 struct adv_entry *entry, *tmp;
1313
1314 list_for_each_entry_safe(entry, tmp, &hdev->adv_entries, list) {
1315 list_del(&entry->list);
1316 kfree(entry);
1317 }
1318
1319 BT_DBG("%s adv cache cleared", hdev->name);
1320
1321 return 0;
1322}
1323
1324struct adv_entry *hci_find_adv_entry(struct hci_dev *hdev, bdaddr_t *bdaddr)
1325{
1326 struct adv_entry *entry;
1327
1328 list_for_each_entry(entry, &hdev->adv_entries, list)
1329 if (bacmp(bdaddr, &entry->bdaddr) == 0)
1330 return entry;
1331
1332 return NULL;
1333}
1334
1335static inline int is_connectable_adv(u8 evt_type)
1336{
1337 if (evt_type == ADV_IND || evt_type == ADV_DIRECT_IND)
1338 return 1;
1339
1340 return 0;
1341}
1342
1343int hci_add_adv_entry(struct hci_dev *hdev,
1344 struct hci_ev_le_advertising_info *ev)
1345{
1346 struct adv_entry *entry;
1347
1348 if (!is_connectable_adv(ev->evt_type))
1349 return -EINVAL;
1350
1351 /* Only new entries should be added to adv_entries. So, if
1352 * bdaddr was found, don't add it. */
1353 if (hci_find_adv_entry(hdev, &ev->bdaddr))
1354 return 0;
1355
1356 entry = kzalloc(sizeof(*entry), GFP_ATOMIC);
1357 if (!entry)
1358 return -ENOMEM;
1359
1360 bacpy(&entry->bdaddr, &ev->bdaddr);
1361 entry->bdaddr_type = ev->bdaddr_type;
1362
1363 list_add(&entry->list, &hdev->adv_entries);
1364
1365 BT_DBG("%s adv entry added: address %s type %u", hdev->name,
1366 batostr(&entry->bdaddr), entry->bdaddr_type);
1367
1368 return 0;
1369}
1370
1371static struct crypto_blkcipher *alloc_cypher(void)
1372{
1373 if (enable_smp)
1374 return crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
1375
1376 return ERR_PTR(-ENOTSUPP);
1377}
1378
1205/* Register HCI device */ 1379/* Register HCI device */
1206int hci_register_dev(struct hci_dev *hdev) 1380int hci_register_dev(struct hci_dev *hdev)
1207{ 1381{
@@ -1268,6 +1442,10 @@ int hci_register_dev(struct hci_dev *hdev)
1268 1442
1269 INIT_LIST_HEAD(&hdev->remote_oob_data); 1443 INIT_LIST_HEAD(&hdev->remote_oob_data);
1270 1444
1445 INIT_LIST_HEAD(&hdev->adv_entries);
1446 setup_timer(&hdev->adv_timer, hci_clear_adv_cache,
1447 (unsigned long) hdev);
1448
1271 INIT_WORK(&hdev->power_on, hci_power_on); 1449 INIT_WORK(&hdev->power_on, hci_power_on);
1272 INIT_WORK(&hdev->power_off, hci_power_off); 1450 INIT_WORK(&hdev->power_off, hci_power_off);
1273 setup_timer(&hdev->off_timer, hci_auto_off, (unsigned long) hdev); 1451 setup_timer(&hdev->off_timer, hci_auto_off, (unsigned long) hdev);
@@ -1282,6 +1460,11 @@ int hci_register_dev(struct hci_dev *hdev)
1282 if (!hdev->workqueue) 1460 if (!hdev->workqueue)
1283 goto nomem; 1461 goto nomem;
1284 1462
1463 hdev->tfm = alloc_cypher();
1464 if (IS_ERR(hdev->tfm))
1465 BT_INFO("Failed to load transform for ecb(aes): %ld",
1466 PTR_ERR(hdev->tfm));
1467
1285 hci_register_sysfs(hdev); 1468 hci_register_sysfs(hdev);
1286 1469
1287 hdev->rfkill = rfkill_alloc(hdev->name, &hdev->dev, 1470 hdev->rfkill = rfkill_alloc(hdev->name, &hdev->dev,
@@ -1330,6 +1513,9 @@ int hci_unregister_dev(struct hci_dev *hdev)
1330 !test_bit(HCI_SETUP, &hdev->flags)) 1513 !test_bit(HCI_SETUP, &hdev->flags))
1331 mgmt_index_removed(hdev->id); 1514 mgmt_index_removed(hdev->id);
1332 1515
1516 if (!IS_ERR(hdev->tfm))
1517 crypto_free_blkcipher(hdev->tfm);
1518
1333 hci_notify(hdev, HCI_DEV_UNREG); 1519 hci_notify(hdev, HCI_DEV_UNREG);
1334 1520
1335 if (hdev->rfkill) { 1521 if (hdev->rfkill) {
@@ -1340,6 +1526,7 @@ int hci_unregister_dev(struct hci_dev *hdev)
1340 hci_unregister_sysfs(hdev); 1526 hci_unregister_sysfs(hdev);
1341 1527
1342 hci_del_off_timer(hdev); 1528 hci_del_off_timer(hdev);
1529 del_timer(&hdev->adv_timer);
1343 1530
1344 destroy_workqueue(hdev->workqueue); 1531 destroy_workqueue(hdev->workqueue);
1345 1532
@@ -1348,6 +1535,7 @@ int hci_unregister_dev(struct hci_dev *hdev)
1348 hci_uuids_clear(hdev); 1535 hci_uuids_clear(hdev);
1349 hci_link_keys_clear(hdev); 1536 hci_link_keys_clear(hdev);
1350 hci_remote_oob_data_clear(hdev); 1537 hci_remote_oob_data_clear(hdev);
1538 hci_adv_entries_clear(hdev);
1351 hci_dev_unlock_bh(hdev); 1539 hci_dev_unlock_bh(hdev);
1352 1540
1353 __hci_dev_put(hdev); 1541 __hci_dev_put(hdev);
@@ -1891,7 +2079,7 @@ static inline void hci_sched_acl(struct hci_dev *hdev)
1891 while (quote-- && (skb = skb_dequeue(&conn->data_q))) { 2079 while (quote-- && (skb = skb_dequeue(&conn->data_q))) {
1892 BT_DBG("skb %p len %d", skb, skb->len); 2080 BT_DBG("skb %p len %d", skb, skb->len);
1893 2081
1894 hci_conn_enter_active_mode(conn); 2082 hci_conn_enter_active_mode(conn, bt_cb(skb)->force_active);
1895 2083
1896 hci_send_frame(skb); 2084 hci_send_frame(skb);
1897 hdev->acl_last_tx = jiffies; 2085 hdev->acl_last_tx = jiffies;
@@ -2030,7 +2218,7 @@ static inline void hci_acldata_packet(struct hci_dev *hdev, struct sk_buff *skb)
2030 if (conn) { 2218 if (conn) {
2031 register struct hci_proto *hp; 2219 register struct hci_proto *hp;
2032 2220
2033 hci_conn_enter_active_mode(conn); 2221 hci_conn_enter_active_mode(conn, bt_cb(skb)->force_active);
2034 2222
2035 /* Send to upper protocol */ 2223 /* Send to upper protocol */
2036 hp = hci_proto[HCI_PROTO_L2CAP]; 2224 hp = hci_proto[HCI_PROTO_L2CAP];
@@ -2164,3 +2352,6 @@ static void hci_cmd_task(unsigned long arg)
2164 } 2352 }
2165 } 2353 }
2166} 2354}
2355
2356module_param(enable_smp, bool, 0644);
2357MODULE_PARM_DESC(enable_smp, "Enable SMP support (LE only)");
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 77930aa522e3..ac2c5e89617c 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -841,6 +841,57 @@ static void hci_cc_read_local_oob_data_reply(struct hci_dev *hdev,
841 rp->randomizer, rp->status); 841 rp->randomizer, rp->status);
842} 842}
843 843
844static void hci_cc_le_set_scan_enable(struct hci_dev *hdev,
845 struct sk_buff *skb)
846{
847 struct hci_cp_le_set_scan_enable *cp;
848 __u8 status = *((__u8 *) skb->data);
849
850 BT_DBG("%s status 0x%x", hdev->name, status);
851
852 if (status)
853 return;
854
855 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE);
856 if (!cp)
857 return;
858
859 hci_dev_lock(hdev);
860
861 if (cp->enable == 0x01) {
862 del_timer(&hdev->adv_timer);
863 hci_adv_entries_clear(hdev);
864 } else if (cp->enable == 0x00) {
865 mod_timer(&hdev->adv_timer, jiffies + ADV_CLEAR_TIMEOUT);
866 }
867
868 hci_dev_unlock(hdev);
869}
870
871static void hci_cc_le_ltk_reply(struct hci_dev *hdev, struct sk_buff *skb)
872{
873 struct hci_rp_le_ltk_reply *rp = (void *) skb->data;
874
875 BT_DBG("%s status 0x%x", hdev->name, rp->status);
876
877 if (rp->status)
878 return;
879
880 hci_req_complete(hdev, HCI_OP_LE_LTK_REPLY, rp->status);
881}
882
883static void hci_cc_le_ltk_neg_reply(struct hci_dev *hdev, struct sk_buff *skb)
884{
885 struct hci_rp_le_ltk_neg_reply *rp = (void *) skb->data;
886
887 BT_DBG("%s status 0x%x", hdev->name, rp->status);
888
889 if (rp->status)
890 return;
891
892 hci_req_complete(hdev, HCI_OP_LE_LTK_NEG_REPLY, rp->status);
893}
894
844static inline void hci_cs_inquiry(struct hci_dev *hdev, __u8 status) 895static inline void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
845{ 896{
846 BT_DBG("%s status 0x%x", hdev->name, status); 897 BT_DBG("%s status 0x%x", hdev->name, status);
@@ -1209,16 +1260,23 @@ static void hci_cs_le_create_conn(struct hci_dev *hdev, __u8 status)
1209 } else { 1260 } else {
1210 if (!conn) { 1261 if (!conn) {
1211 conn = hci_conn_add(hdev, LE_LINK, &cp->peer_addr); 1262 conn = hci_conn_add(hdev, LE_LINK, &cp->peer_addr);
1212 if (conn) 1263 if (conn) {
1264 conn->dst_type = cp->peer_addr_type;
1213 conn->out = 1; 1265 conn->out = 1;
1214 else 1266 } else {
1215 BT_ERR("No memory for new connection"); 1267 BT_ERR("No memory for new connection");
1268 }
1216 } 1269 }
1217 } 1270 }
1218 1271
1219 hci_dev_unlock(hdev); 1272 hci_dev_unlock(hdev);
1220} 1273}
1221 1274
1275static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status)
1276{
1277 BT_DBG("%s status 0x%x", hdev->name, status);
1278}
1279
1222static inline void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 1280static inline void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
1223{ 1281{
1224 __u8 status = *((__u8 *) skb->data); 1282 __u8 status = *((__u8 *) skb->data);
@@ -1462,51 +1520,58 @@ static inline void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *s
1462 hci_dev_lock(hdev); 1520 hci_dev_lock(hdev);
1463 1521
1464 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 1522 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
1465 if (conn) { 1523 if (!conn)
1466 if (!ev->status) { 1524 goto unlock;
1525
1526 if (!ev->status) {
1527 if (!(conn->ssp_mode > 0 && hdev->ssp_mode > 0) &&
1528 test_bit(HCI_CONN_REAUTH_PEND, &conn->pend)) {
1529 BT_INFO("re-auth of legacy device is not possible.");
1530 } else {
1467 conn->link_mode |= HCI_LM_AUTH; 1531 conn->link_mode |= HCI_LM_AUTH;
1468 conn->sec_level = conn->pending_sec_level; 1532 conn->sec_level = conn->pending_sec_level;
1469 } else {
1470 mgmt_auth_failed(hdev->id, &conn->dst, ev->status);
1471 } 1533 }
1534 } else {
1535 mgmt_auth_failed(hdev->id, &conn->dst, ev->status);
1536 }
1472 1537
1473 clear_bit(HCI_CONN_AUTH_PEND, &conn->pend); 1538 clear_bit(HCI_CONN_AUTH_PEND, &conn->pend);
1539 clear_bit(HCI_CONN_REAUTH_PEND, &conn->pend);
1474 1540
1475 if (conn->state == BT_CONFIG) { 1541 if (conn->state == BT_CONFIG) {
1476 if (!ev->status && hdev->ssp_mode > 0 && 1542 if (!ev->status && hdev->ssp_mode > 0 && conn->ssp_mode > 0) {
1477 conn->ssp_mode > 0) { 1543 struct hci_cp_set_conn_encrypt cp;
1478 struct hci_cp_set_conn_encrypt cp; 1544 cp.handle = ev->handle;
1479 cp.handle = ev->handle; 1545 cp.encrypt = 0x01;
1480 cp.encrypt = 0x01; 1546 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
1481 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, 1547 &cp);
1482 sizeof(cp), &cp);
1483 } else {
1484 conn->state = BT_CONNECTED;
1485 hci_proto_connect_cfm(conn, ev->status);
1486 hci_conn_put(conn);
1487 }
1488 } else { 1548 } else {
1489 hci_auth_cfm(conn, ev->status); 1549 conn->state = BT_CONNECTED;
1490 1550 hci_proto_connect_cfm(conn, ev->status);
1491 hci_conn_hold(conn);
1492 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
1493 hci_conn_put(conn); 1551 hci_conn_put(conn);
1494 } 1552 }
1553 } else {
1554 hci_auth_cfm(conn, ev->status);
1495 1555
1496 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->pend)) { 1556 hci_conn_hold(conn);
1497 if (!ev->status) { 1557 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
1498 struct hci_cp_set_conn_encrypt cp; 1558 hci_conn_put(conn);
1499 cp.handle = ev->handle; 1559 }
1500 cp.encrypt = 0x01; 1560
1501 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, 1561 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->pend)) {
1502 sizeof(cp), &cp); 1562 if (!ev->status) {
1503 } else { 1563 struct hci_cp_set_conn_encrypt cp;
1504 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->pend); 1564 cp.handle = ev->handle;
1505 hci_encrypt_cfm(conn, ev->status, 0x00); 1565 cp.encrypt = 0x01;
1506 } 1566 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
1567 &cp);
1568 } else {
1569 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->pend);
1570 hci_encrypt_cfm(conn, ev->status, 0x00);
1507 } 1571 }
1508 } 1572 }
1509 1573
1574unlock:
1510 hci_dev_unlock(hdev); 1575 hci_dev_unlock(hdev);
1511} 1576}
1512 1577
@@ -1557,6 +1622,7 @@ static inline void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *
1557 /* Encryption implies authentication */ 1622 /* Encryption implies authentication */
1558 conn->link_mode |= HCI_LM_AUTH; 1623 conn->link_mode |= HCI_LM_AUTH;
1559 conn->link_mode |= HCI_LM_ENCRYPT; 1624 conn->link_mode |= HCI_LM_ENCRYPT;
1625 conn->sec_level = conn->pending_sec_level;
1560 } else 1626 } else
1561 conn->link_mode &= ~HCI_LM_ENCRYPT; 1627 conn->link_mode &= ~HCI_LM_ENCRYPT;
1562 } 1628 }
@@ -1816,6 +1882,18 @@ static inline void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *sk
1816 hci_cc_user_confirm_neg_reply(hdev, skb); 1882 hci_cc_user_confirm_neg_reply(hdev, skb);
1817 break; 1883 break;
1818 1884
1885 case HCI_OP_LE_SET_SCAN_ENABLE:
1886 hci_cc_le_set_scan_enable(hdev, skb);
1887 break;
1888
1889 case HCI_OP_LE_LTK_REPLY:
1890 hci_cc_le_ltk_reply(hdev, skb);
1891 break;
1892
1893 case HCI_OP_LE_LTK_NEG_REPLY:
1894 hci_cc_le_ltk_neg_reply(hdev, skb);
1895 break;
1896
1819 default: 1897 default:
1820 BT_DBG("%s opcode 0x%x", hdev->name, opcode); 1898 BT_DBG("%s opcode 0x%x", hdev->name, opcode);
1821 break; 1899 break;
@@ -1894,6 +1972,10 @@ static inline void hci_cmd_status_evt(struct hci_dev *hdev, struct sk_buff *skb)
1894 hci_cs_le_create_conn(hdev, ev->status); 1972 hci_cs_le_create_conn(hdev, ev->status);
1895 break; 1973 break;
1896 1974
1975 case HCI_OP_LE_START_ENC:
1976 hci_cs_le_start_enc(hdev, ev->status);
1977 break;
1978
1897 default: 1979 default:
1898 BT_DBG("%s opcode 0x%x", hdev->name, opcode); 1980 BT_DBG("%s opcode 0x%x", hdev->name, opcode);
1899 break; 1981 break;
@@ -2658,6 +2740,8 @@ static inline void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff
2658 hci_dev_unlock(hdev); 2740 hci_dev_unlock(hdev);
2659 return; 2741 return;
2660 } 2742 }
2743
2744 conn->dst_type = ev->bdaddr_type;
2661 } 2745 }
2662 2746
2663 if (ev->status) { 2747 if (ev->status) {
@@ -2670,6 +2754,7 @@ static inline void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff
2670 2754
2671 mgmt_connected(hdev->id, &ev->bdaddr); 2755 mgmt_connected(hdev->id, &ev->bdaddr);
2672 2756
2757 conn->sec_level = BT_SECURITY_LOW;
2673 conn->handle = __le16_to_cpu(ev->handle); 2758 conn->handle = __le16_to_cpu(ev->handle);
2674 conn->state = BT_CONNECTED; 2759 conn->state = BT_CONNECTED;
2675 2760
@@ -2682,6 +2767,49 @@ unlock:
2682 hci_dev_unlock(hdev); 2767 hci_dev_unlock(hdev);
2683} 2768}
2684 2769
2770static inline void hci_le_adv_report_evt(struct hci_dev *hdev,
2771 struct sk_buff *skb)
2772{
2773 struct hci_ev_le_advertising_info *ev;
2774 u8 num_reports;
2775
2776 num_reports = skb->data[0];
2777 ev = (void *) &skb->data[1];
2778
2779 hci_dev_lock(hdev);
2780
2781 hci_add_adv_entry(hdev, ev);
2782
2783 while (--num_reports) {
2784 ev = (void *) (ev->data + ev->length + 1);
2785 hci_add_adv_entry(hdev, ev);
2786 }
2787
2788 hci_dev_unlock(hdev);
2789}
2790
2791static inline void hci_le_ltk_request_evt(struct hci_dev *hdev,
2792 struct sk_buff *skb)
2793{
2794 struct hci_ev_le_ltk_req *ev = (void *) skb->data;
2795 struct hci_cp_le_ltk_reply cp;
2796 struct hci_conn *conn;
2797
2798 BT_DBG("%s handle %d", hdev->name, cpu_to_le16(ev->handle));
2799
2800 hci_dev_lock(hdev);
2801
2802 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2803
2804 memset(&cp, 0, sizeof(cp));
2805 cp.handle = cpu_to_le16(conn->handle);
2806 memcpy(cp.ltk, conn->ltk, sizeof(conn->ltk));
2807
2808 hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
2809
2810 hci_dev_unlock(hdev);
2811}
2812
2685static inline void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb) 2813static inline void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb)
2686{ 2814{
2687 struct hci_ev_le_meta *le_ev = (void *) skb->data; 2815 struct hci_ev_le_meta *le_ev = (void *) skb->data;
@@ -2693,6 +2821,14 @@ static inline void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb)
2693 hci_le_conn_complete_evt(hdev, skb); 2821 hci_le_conn_complete_evt(hdev, skb);
2694 break; 2822 break;
2695 2823
2824 case HCI_EV_LE_ADVERTISING_REPORT:
2825 hci_le_adv_report_evt(hdev, skb);
2826 break;
2827
2828 case HCI_EV_LE_LTK_REQ:
2829 hci_le_ltk_request_evt(hdev, skb);
2830 break;
2831
2696 default: 2832 default:
2697 break; 2833 break;
2698 } 2834 }
diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
index 295e4a88fff8..ff02cf5e77cc 100644
--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -180,82 +180,24 @@ static int hci_sock_release(struct socket *sock)
180 return 0; 180 return 0;
181} 181}
182 182
183struct bdaddr_list *hci_blacklist_lookup(struct hci_dev *hdev, bdaddr_t *bdaddr) 183static int hci_sock_blacklist_add(struct hci_dev *hdev, void __user *arg)
184{
185 struct list_head *p;
186
187 list_for_each(p, &hdev->blacklist) {
188 struct bdaddr_list *b;
189
190 b = list_entry(p, struct bdaddr_list, list);
191
192 if (bacmp(bdaddr, &b->bdaddr) == 0)
193 return b;
194 }
195
196 return NULL;
197}
198
199static int hci_blacklist_add(struct hci_dev *hdev, void __user *arg)
200{ 184{
201 bdaddr_t bdaddr; 185 bdaddr_t bdaddr;
202 struct bdaddr_list *entry;
203 186
204 if (copy_from_user(&bdaddr, arg, sizeof(bdaddr))) 187 if (copy_from_user(&bdaddr, arg, sizeof(bdaddr)))
205 return -EFAULT; 188 return -EFAULT;
206 189
207 if (bacmp(&bdaddr, BDADDR_ANY) == 0) 190 return hci_blacklist_add(hdev, &bdaddr);
208 return -EBADF;
209
210 if (hci_blacklist_lookup(hdev, &bdaddr))
211 return -EEXIST;
212
213 entry = kzalloc(sizeof(struct bdaddr_list), GFP_KERNEL);
214 if (!entry)
215 return -ENOMEM;
216
217 bacpy(&entry->bdaddr, &bdaddr);
218
219 list_add(&entry->list, &hdev->blacklist);
220
221 return 0;
222}
223
224int hci_blacklist_clear(struct hci_dev *hdev)
225{
226 struct list_head *p, *n;
227
228 list_for_each_safe(p, n, &hdev->blacklist) {
229 struct bdaddr_list *b;
230
231 b = list_entry(p, struct bdaddr_list, list);
232
233 list_del(p);
234 kfree(b);
235 }
236
237 return 0;
238} 191}
239 192
240static int hci_blacklist_del(struct hci_dev *hdev, void __user *arg) 193static int hci_sock_blacklist_del(struct hci_dev *hdev, void __user *arg)
241{ 194{
242 bdaddr_t bdaddr; 195 bdaddr_t bdaddr;
243 struct bdaddr_list *entry;
244 196
245 if (copy_from_user(&bdaddr, arg, sizeof(bdaddr))) 197 if (copy_from_user(&bdaddr, arg, sizeof(bdaddr)))
246 return -EFAULT; 198 return -EFAULT;
247 199
248 if (bacmp(&bdaddr, BDADDR_ANY) == 0) 200 return hci_blacklist_del(hdev, &bdaddr);
249 return hci_blacklist_clear(hdev);
250
251 entry = hci_blacklist_lookup(hdev, &bdaddr);
252 if (!entry)
253 return -ENOENT;
254
255 list_del(&entry->list);
256 kfree(entry);
257
258 return 0;
259} 201}
260 202
261/* Ioctls that require bound socket */ 203/* Ioctls that require bound socket */
@@ -290,12 +232,12 @@ static inline int hci_sock_bound_ioctl(struct sock *sk, unsigned int cmd, unsign
290 case HCIBLOCKADDR: 232 case HCIBLOCKADDR:
291 if (!capable(CAP_NET_ADMIN)) 233 if (!capable(CAP_NET_ADMIN))
292 return -EACCES; 234 return -EACCES;
293 return hci_blacklist_add(hdev, (void __user *) arg); 235 return hci_sock_blacklist_add(hdev, (void __user *) arg);
294 236
295 case HCIUNBLOCKADDR: 237 case HCIUNBLOCKADDR:
296 if (!capable(CAP_NET_ADMIN)) 238 if (!capable(CAP_NET_ADMIN))
297 return -EACCES; 239 return -EACCES;
298 return hci_blacklist_del(hdev, (void __user *) arg); 240 return hci_sock_blacklist_del(hdev, (void __user *) arg);
299 241
300 default: 242 default:
301 if (hdev->ioctl) 243 if (hdev->ioctl)
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index ebff14c69078..fc219ec28711 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -54,6 +54,7 @@
54#include <net/bluetooth/bluetooth.h> 54#include <net/bluetooth/bluetooth.h>
55#include <net/bluetooth/hci_core.h> 55#include <net/bluetooth/hci_core.h>
56#include <net/bluetooth/l2cap.h> 56#include <net/bluetooth/l2cap.h>
57#include <net/bluetooth/smp.h>
57 58
58int disable_ertm; 59int disable_ertm;
59 60
@@ -62,18 +63,34 @@ static u8 l2cap_fixed_chan[8] = { 0x02, };
62 63
63static struct workqueue_struct *_busy_wq; 64static struct workqueue_struct *_busy_wq;
64 65
65LIST_HEAD(chan_list); 66static LIST_HEAD(chan_list);
66DEFINE_RWLOCK(chan_list_lock); 67static DEFINE_RWLOCK(chan_list_lock);
67 68
68static void l2cap_busy_work(struct work_struct *work); 69static void l2cap_busy_work(struct work_struct *work);
69 70
70static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, 71static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
71 u8 code, u8 ident, u16 dlen, void *data); 72 u8 code, u8 ident, u16 dlen, void *data);
73static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
74 void *data);
72static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data); 75static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
76static void l2cap_send_disconn_req(struct l2cap_conn *conn,
77 struct l2cap_chan *chan, int err);
73 78
74static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb); 79static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb);
75 80
76/* ---- L2CAP channels ---- */ 81/* ---- L2CAP channels ---- */
82
83static inline void chan_hold(struct l2cap_chan *c)
84{
85 atomic_inc(&c->refcnt);
86}
87
88static inline void chan_put(struct l2cap_chan *c)
89{
90 if (atomic_dec_and_test(&c->refcnt))
91 kfree(c);
92}
93
77static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid) 94static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
78{ 95{
79 struct l2cap_chan *c; 96 struct l2cap_chan *c;
@@ -204,6 +221,62 @@ static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
204 return 0; 221 return 0;
205} 222}
206 223
224static void l2cap_set_timer(struct l2cap_chan *chan, struct timer_list *timer, long timeout)
225{
226 BT_DBG("chan %p state %d timeout %ld", chan->sk, chan->state, timeout);
227
228 if (!mod_timer(timer, jiffies + timeout))
229 chan_hold(chan);
230}
231
232static void l2cap_clear_timer(struct l2cap_chan *chan, struct timer_list *timer)
233{
234 BT_DBG("chan %p state %d", chan, chan->state);
235
236 if (timer_pending(timer) && del_timer(timer))
237 chan_put(chan);
238}
239
240static void l2cap_state_change(struct l2cap_chan *chan, int state)
241{
242 chan->state = state;
243 chan->ops->state_change(chan->data, state);
244}
245
246static void l2cap_chan_timeout(unsigned long arg)
247{
248 struct l2cap_chan *chan = (struct l2cap_chan *) arg;
249 struct sock *sk = chan->sk;
250 int reason;
251
252 BT_DBG("chan %p state %d", chan, chan->state);
253
254 bh_lock_sock(sk);
255
256 if (sock_owned_by_user(sk)) {
257 /* sk is owned by user. Try again later */
258 __set_chan_timer(chan, HZ / 5);
259 bh_unlock_sock(sk);
260 chan_put(chan);
261 return;
262 }
263
264 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
265 reason = ECONNREFUSED;
266 else if (chan->state == BT_CONNECT &&
267 chan->sec_level != BT_SECURITY_SDP)
268 reason = ECONNREFUSED;
269 else
270 reason = ETIMEDOUT;
271
272 l2cap_chan_close(chan, reason);
273
274 bh_unlock_sock(sk);
275
276 chan->ops->close(chan->data);
277 chan_put(chan);
278}
279
207struct l2cap_chan *l2cap_chan_create(struct sock *sk) 280struct l2cap_chan *l2cap_chan_create(struct sock *sk)
208{ 281{
209 struct l2cap_chan *chan; 282 struct l2cap_chan *chan;
@@ -218,6 +291,12 @@ struct l2cap_chan *l2cap_chan_create(struct sock *sk)
218 list_add(&chan->global_l, &chan_list); 291 list_add(&chan->global_l, &chan_list);
219 write_unlock_bh(&chan_list_lock); 292 write_unlock_bh(&chan_list_lock);
220 293
294 setup_timer(&chan->chan_timer, l2cap_chan_timeout, (unsigned long) chan);
295
296 chan->state = BT_OPEN;
297
298 atomic_set(&chan->refcnt, 1);
299
221 return chan; 300 return chan;
222} 301}
223 302
@@ -227,13 +306,11 @@ void l2cap_chan_destroy(struct l2cap_chan *chan)
227 list_del(&chan->global_l); 306 list_del(&chan->global_l);
228 write_unlock_bh(&chan_list_lock); 307 write_unlock_bh(&chan_list_lock);
229 308
230 kfree(chan); 309 chan_put(chan);
231} 310}
232 311
233static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan) 312static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
234{ 313{
235 struct sock *sk = chan->sk;
236
237 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn, 314 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
238 chan->psm, chan->dcid); 315 chan->psm, chan->dcid);
239 316
@@ -241,7 +318,7 @@ static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
241 318
242 chan->conn = conn; 319 chan->conn = conn;
243 320
244 if (sk->sk_type == SOCK_SEQPACKET || sk->sk_type == SOCK_STREAM) { 321 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
245 if (conn->hcon->type == LE_LINK) { 322 if (conn->hcon->type == LE_LINK) {
246 /* LE connection */ 323 /* LE connection */
247 chan->omtu = L2CAP_LE_DEFAULT_MTU; 324 chan->omtu = L2CAP_LE_DEFAULT_MTU;
@@ -252,7 +329,7 @@ static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
252 chan->scid = l2cap_alloc_cid(conn); 329 chan->scid = l2cap_alloc_cid(conn);
253 chan->omtu = L2CAP_DEFAULT_MTU; 330 chan->omtu = L2CAP_DEFAULT_MTU;
254 } 331 }
255 } else if (sk->sk_type == SOCK_DGRAM) { 332 } else if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
256 /* Connectionless socket */ 333 /* Connectionless socket */
257 chan->scid = L2CAP_CID_CONN_LESS; 334 chan->scid = L2CAP_CID_CONN_LESS;
258 chan->dcid = L2CAP_CID_CONN_LESS; 335 chan->dcid = L2CAP_CID_CONN_LESS;
@@ -264,20 +341,20 @@ static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
264 chan->omtu = L2CAP_DEFAULT_MTU; 341 chan->omtu = L2CAP_DEFAULT_MTU;
265 } 342 }
266 343
267 sock_hold(sk); 344 chan_hold(chan);
268 345
269 list_add(&chan->list, &conn->chan_l); 346 list_add(&chan->list, &conn->chan_l);
270} 347}
271 348
272/* Delete channel. 349/* Delete channel.
273 * Must be called on the locked socket. */ 350 * Must be called on the locked socket. */
274void l2cap_chan_del(struct l2cap_chan *chan, int err) 351static void l2cap_chan_del(struct l2cap_chan *chan, int err)
275{ 352{
276 struct sock *sk = chan->sk; 353 struct sock *sk = chan->sk;
277 struct l2cap_conn *conn = chan->conn; 354 struct l2cap_conn *conn = chan->conn;
278 struct sock *parent = bt_sk(sk)->parent; 355 struct sock *parent = bt_sk(sk)->parent;
279 356
280 l2cap_sock_clear_timer(sk); 357 __clear_chan_timer(chan);
281 358
282 BT_DBG("chan %p, conn %p, err %d", chan, conn, err); 359 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
283 360
@@ -286,13 +363,13 @@ void l2cap_chan_del(struct l2cap_chan *chan, int err)
286 write_lock_bh(&conn->chan_lock); 363 write_lock_bh(&conn->chan_lock);
287 list_del(&chan->list); 364 list_del(&chan->list);
288 write_unlock_bh(&conn->chan_lock); 365 write_unlock_bh(&conn->chan_lock);
289 __sock_put(sk); 366 chan_put(chan);
290 367
291 chan->conn = NULL; 368 chan->conn = NULL;
292 hci_conn_put(conn->hcon); 369 hci_conn_put(conn->hcon);
293 } 370 }
294 371
295 sk->sk_state = BT_CLOSED; 372 l2cap_state_change(chan, BT_CLOSED);
296 sock_set_flag(sk, SOCK_ZAPPED); 373 sock_set_flag(sk, SOCK_ZAPPED);
297 374
298 if (err) 375 if (err)
@@ -304,8 +381,8 @@ void l2cap_chan_del(struct l2cap_chan *chan, int err)
304 } else 381 } else
305 sk->sk_state_change(sk); 382 sk->sk_state_change(sk);
306 383
307 if (!(chan->conf_state & L2CAP_CONF_OUTPUT_DONE && 384 if (!(test_bit(CONF_OUTPUT_DONE, &chan->conf_state) &&
308 chan->conf_state & L2CAP_CONF_INPUT_DONE)) 385 test_bit(CONF_INPUT_DONE, &chan->conf_state)))
309 return; 386 return;
310 387
311 skb_queue_purge(&chan->tx_q); 388 skb_queue_purge(&chan->tx_q);
@@ -313,9 +390,9 @@ void l2cap_chan_del(struct l2cap_chan *chan, int err)
313 if (chan->mode == L2CAP_MODE_ERTM) { 390 if (chan->mode == L2CAP_MODE_ERTM) {
314 struct srej_list *l, *tmp; 391 struct srej_list *l, *tmp;
315 392
316 del_timer(&chan->retrans_timer); 393 __clear_retrans_timer(chan);
317 del_timer(&chan->monitor_timer); 394 __clear_monitor_timer(chan);
318 del_timer(&chan->ack_timer); 395 __clear_ack_timer(chan);
319 396
320 skb_queue_purge(&chan->srej_q); 397 skb_queue_purge(&chan->srej_q);
321 skb_queue_purge(&chan->busy_q); 398 skb_queue_purge(&chan->busy_q);
@@ -327,11 +404,86 @@ void l2cap_chan_del(struct l2cap_chan *chan, int err)
327 } 404 }
328} 405}
329 406
330static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan) 407static void l2cap_chan_cleanup_listen(struct sock *parent)
331{ 408{
409 struct sock *sk;
410
411 BT_DBG("parent %p", parent);
412
413 /* Close not yet accepted channels */
414 while ((sk = bt_accept_dequeue(parent, NULL))) {
415 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
416 __clear_chan_timer(chan);
417 lock_sock(sk);
418 l2cap_chan_close(chan, ECONNRESET);
419 release_sock(sk);
420 chan->ops->close(chan->data);
421 }
422}
423
424void l2cap_chan_close(struct l2cap_chan *chan, int reason)
425{
426 struct l2cap_conn *conn = chan->conn;
332 struct sock *sk = chan->sk; 427 struct sock *sk = chan->sk;
333 428
334 if (sk->sk_type == SOCK_RAW) { 429 BT_DBG("chan %p state %d socket %p", chan, chan->state, sk->sk_socket);
430
431 switch (chan->state) {
432 case BT_LISTEN:
433 l2cap_chan_cleanup_listen(sk);
434
435 l2cap_state_change(chan, BT_CLOSED);
436 sock_set_flag(sk, SOCK_ZAPPED);
437 break;
438
439 case BT_CONNECTED:
440 case BT_CONFIG:
441 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
442 conn->hcon->type == ACL_LINK) {
443 __clear_chan_timer(chan);
444 __set_chan_timer(chan, sk->sk_sndtimeo);
445 l2cap_send_disconn_req(conn, chan, reason);
446 } else
447 l2cap_chan_del(chan, reason);
448 break;
449
450 case BT_CONNECT2:
451 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
452 conn->hcon->type == ACL_LINK) {
453 struct l2cap_conn_rsp rsp;
454 __u16 result;
455
456 if (bt_sk(sk)->defer_setup)
457 result = L2CAP_CR_SEC_BLOCK;
458 else
459 result = L2CAP_CR_BAD_PSM;
460 l2cap_state_change(chan, BT_DISCONN);
461
462 rsp.scid = cpu_to_le16(chan->dcid);
463 rsp.dcid = cpu_to_le16(chan->scid);
464 rsp.result = cpu_to_le16(result);
465 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
466 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
467 sizeof(rsp), &rsp);
468 }
469
470 l2cap_chan_del(chan, reason);
471 break;
472
473 case BT_CONNECT:
474 case BT_DISCONN:
475 l2cap_chan_del(chan, reason);
476 break;
477
478 default:
479 sock_set_flag(sk, SOCK_ZAPPED);
480 break;
481 }
482}
483
484static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
485{
486 if (chan->chan_type == L2CAP_CHAN_RAW) {
335 switch (chan->sec_level) { 487 switch (chan->sec_level) {
336 case BT_SECURITY_HIGH: 488 case BT_SECURITY_HIGH:
337 return HCI_AT_DEDICATED_BONDING_MITM; 489 return HCI_AT_DEDICATED_BONDING_MITM;
@@ -371,7 +523,7 @@ static inline int l2cap_check_security(struct l2cap_chan *chan)
371 return hci_conn_security(conn->hcon, chan->sec_level, auth_type); 523 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
372} 524}
373 525
374u8 l2cap_get_ident(struct l2cap_conn *conn) 526static u8 l2cap_get_ident(struct l2cap_conn *conn)
375{ 527{
376 u8 id; 528 u8 id;
377 529
@@ -393,7 +545,7 @@ u8 l2cap_get_ident(struct l2cap_conn *conn)
393 return id; 545 return id;
394} 546}
395 547
396void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data) 548static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
397{ 549{
398 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data); 550 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
399 u8 flags; 551 u8 flags;
@@ -408,6 +560,8 @@ void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *d
408 else 560 else
409 flags = ACL_START; 561 flags = ACL_START;
410 562
563 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
564
411 hci_send_acl(conn->hcon, skb, flags); 565 hci_send_acl(conn->hcon, skb, flags);
412} 566}
413 567
@@ -415,13 +569,11 @@ static inline void l2cap_send_sframe(struct l2cap_chan *chan, u16 control)
415{ 569{
416 struct sk_buff *skb; 570 struct sk_buff *skb;
417 struct l2cap_hdr *lh; 571 struct l2cap_hdr *lh;
418 struct l2cap_pinfo *pi = l2cap_pi(chan->sk);
419 struct l2cap_conn *conn = chan->conn; 572 struct l2cap_conn *conn = chan->conn;
420 struct sock *sk = (struct sock *)pi;
421 int count, hlen = L2CAP_HDR_SIZE + 2; 573 int count, hlen = L2CAP_HDR_SIZE + 2;
422 u8 flags; 574 u8 flags;
423 575
424 if (sk->sk_state != BT_CONNECTED) 576 if (chan->state != BT_CONNECTED)
425 return; 577 return;
426 578
427 if (chan->fcs == L2CAP_FCS_CRC16) 579 if (chan->fcs == L2CAP_FCS_CRC16)
@@ -432,15 +584,11 @@ static inline void l2cap_send_sframe(struct l2cap_chan *chan, u16 control)
432 count = min_t(unsigned int, conn->mtu, hlen); 584 count = min_t(unsigned int, conn->mtu, hlen);
433 control |= L2CAP_CTRL_FRAME_TYPE; 585 control |= L2CAP_CTRL_FRAME_TYPE;
434 586
435 if (chan->conn_state & L2CAP_CONN_SEND_FBIT) { 587 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
436 control |= L2CAP_CTRL_FINAL; 588 control |= L2CAP_CTRL_FINAL;
437 chan->conn_state &= ~L2CAP_CONN_SEND_FBIT;
438 }
439 589
440 if (chan->conn_state & L2CAP_CONN_SEND_PBIT) { 590 if (test_and_clear_bit(CONN_SEND_PBIT, &chan->conn_state))
441 control |= L2CAP_CTRL_POLL; 591 control |= L2CAP_CTRL_POLL;
442 chan->conn_state &= ~L2CAP_CONN_SEND_PBIT;
443 }
444 592
445 skb = bt_skb_alloc(count, GFP_ATOMIC); 593 skb = bt_skb_alloc(count, GFP_ATOMIC);
446 if (!skb) 594 if (!skb)
@@ -461,14 +609,16 @@ static inline void l2cap_send_sframe(struct l2cap_chan *chan, u16 control)
461 else 609 else
462 flags = ACL_START; 610 flags = ACL_START;
463 611
612 bt_cb(skb)->force_active = chan->force_active;
613
464 hci_send_acl(chan->conn->hcon, skb, flags); 614 hci_send_acl(chan->conn->hcon, skb, flags);
465} 615}
466 616
467static inline void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, u16 control) 617static inline void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, u16 control)
468{ 618{
469 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) { 619 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
470 control |= L2CAP_SUPER_RCV_NOT_READY; 620 control |= L2CAP_SUPER_RCV_NOT_READY;
471 chan->conn_state |= L2CAP_CONN_RNR_SENT; 621 set_bit(CONN_RNR_SENT, &chan->conn_state);
472 } else 622 } else
473 control |= L2CAP_SUPER_RCV_READY; 623 control |= L2CAP_SUPER_RCV_READY;
474 624
@@ -479,7 +629,7 @@ static inline void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, u16 control)
479 629
480static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan) 630static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
481{ 631{
482 return !(chan->conf_state & L2CAP_CONF_CONNECT_PEND); 632 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
483} 633}
484 634
485static void l2cap_do_start(struct l2cap_chan *chan) 635static void l2cap_do_start(struct l2cap_chan *chan)
@@ -497,7 +647,7 @@ static void l2cap_do_start(struct l2cap_chan *chan)
497 req.psm = chan->psm; 647 req.psm = chan->psm;
498 648
499 chan->ident = l2cap_get_ident(conn); 649 chan->ident = l2cap_get_ident(conn);
500 chan->conf_state |= L2CAP_CONF_CONNECT_PEND; 650 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
501 651
502 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, 652 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
503 sizeof(req), &req); 653 sizeof(req), &req);
@@ -533,7 +683,7 @@ static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
533 } 683 }
534} 684}
535 685
536void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err) 686static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
537{ 687{
538 struct sock *sk; 688 struct sock *sk;
539 struct l2cap_disconn_req req; 689 struct l2cap_disconn_req req;
@@ -544,9 +694,9 @@ void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, in
544 sk = chan->sk; 694 sk = chan->sk;
545 695
546 if (chan->mode == L2CAP_MODE_ERTM) { 696 if (chan->mode == L2CAP_MODE_ERTM) {
547 del_timer(&chan->retrans_timer); 697 __clear_retrans_timer(chan);
548 del_timer(&chan->monitor_timer); 698 __clear_monitor_timer(chan);
549 del_timer(&chan->ack_timer); 699 __clear_ack_timer(chan);
550 } 700 }
551 701
552 req.dcid = cpu_to_le16(chan->dcid); 702 req.dcid = cpu_to_le16(chan->dcid);
@@ -554,7 +704,7 @@ void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, in
554 l2cap_send_cmd(conn, l2cap_get_ident(conn), 704 l2cap_send_cmd(conn, l2cap_get_ident(conn),
555 L2CAP_DISCONN_REQ, sizeof(req), &req); 705 L2CAP_DISCONN_REQ, sizeof(req), &req);
556 706
557 sk->sk_state = BT_DISCONN; 707 l2cap_state_change(chan, BT_DISCONN);
558 sk->sk_err = err; 708 sk->sk_err = err;
559} 709}
560 710
@@ -572,13 +722,12 @@ static void l2cap_conn_start(struct l2cap_conn *conn)
572 722
573 bh_lock_sock(sk); 723 bh_lock_sock(sk);
574 724
575 if (sk->sk_type != SOCK_SEQPACKET && 725 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
576 sk->sk_type != SOCK_STREAM) {
577 bh_unlock_sock(sk); 726 bh_unlock_sock(sk);
578 continue; 727 continue;
579 } 728 }
580 729
581 if (sk->sk_state == BT_CONNECT) { 730 if (chan->state == BT_CONNECT) {
582 struct l2cap_conn_req req; 731 struct l2cap_conn_req req;
583 732
584 if (!l2cap_check_security(chan) || 733 if (!l2cap_check_security(chan) ||
@@ -587,14 +736,13 @@ static void l2cap_conn_start(struct l2cap_conn *conn)
587 continue; 736 continue;
588 } 737 }
589 738
590 if (!l2cap_mode_supported(chan->mode, 739 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
591 conn->feat_mask) 740 && test_bit(CONF_STATE2_DEVICE,
592 && chan->conf_state & 741 &chan->conf_state)) {
593 L2CAP_CONF_STATE2_DEVICE) { 742 /* l2cap_chan_close() calls list_del(chan)
594 /* __l2cap_sock_close() calls list_del(chan)
595 * so release the lock */ 743 * so release the lock */
596 read_unlock_bh(&conn->chan_lock); 744 read_unlock_bh(&conn->chan_lock);
597 __l2cap_sock_close(sk, ECONNRESET); 745 l2cap_chan_close(chan, ECONNRESET);
598 read_lock_bh(&conn->chan_lock); 746 read_lock_bh(&conn->chan_lock);
599 bh_unlock_sock(sk); 747 bh_unlock_sock(sk);
600 continue; 748 continue;
@@ -604,12 +752,12 @@ static void l2cap_conn_start(struct l2cap_conn *conn)
604 req.psm = chan->psm; 752 req.psm = chan->psm;
605 753
606 chan->ident = l2cap_get_ident(conn); 754 chan->ident = l2cap_get_ident(conn);
607 chan->conf_state |= L2CAP_CONF_CONNECT_PEND; 755 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
608 756
609 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, 757 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
610 sizeof(req), &req); 758 sizeof(req), &req);
611 759
612 } else if (sk->sk_state == BT_CONNECT2) { 760 } else if (chan->state == BT_CONNECT2) {
613 struct l2cap_conn_rsp rsp; 761 struct l2cap_conn_rsp rsp;
614 char buf[128]; 762 char buf[128];
615 rsp.scid = cpu_to_le16(chan->dcid); 763 rsp.scid = cpu_to_le16(chan->dcid);
@@ -623,7 +771,7 @@ static void l2cap_conn_start(struct l2cap_conn *conn)
623 parent->sk_data_ready(parent, 0); 771 parent->sk_data_ready(parent, 0);
624 772
625 } else { 773 } else {
626 sk->sk_state = BT_CONFIG; 774 l2cap_state_change(chan, BT_CONFIG);
627 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS); 775 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
628 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO); 776 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
629 } 777 }
@@ -635,13 +783,13 @@ static void l2cap_conn_start(struct l2cap_conn *conn)
635 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, 783 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
636 sizeof(rsp), &rsp); 784 sizeof(rsp), &rsp);
637 785
638 if (chan->conf_state & L2CAP_CONF_REQ_SENT || 786 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
639 rsp.result != L2CAP_CR_SUCCESS) { 787 rsp.result != L2CAP_CR_SUCCESS) {
640 bh_unlock_sock(sk); 788 bh_unlock_sock(sk);
641 continue; 789 continue;
642 } 790 }
643 791
644 chan->conf_state |= L2CAP_CONF_REQ_SENT; 792 set_bit(CONF_REQ_SENT, &chan->conf_state);
645 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, 793 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
646 l2cap_build_conf_req(chan, buf), buf); 794 l2cap_build_conf_req(chan, buf), buf);
647 chan->num_conf_req++; 795 chan->num_conf_req++;
@@ -665,7 +813,7 @@ static struct l2cap_chan *l2cap_global_chan_by_scid(int state, __le16 cid, bdadd
665 list_for_each_entry(c, &chan_list, global_l) { 813 list_for_each_entry(c, &chan_list, global_l) {
666 struct sock *sk = c->sk; 814 struct sock *sk = c->sk;
667 815
668 if (state && sk->sk_state != state) 816 if (state && c->state != state)
669 continue; 817 continue;
670 818
671 if (c->scid == cid) { 819 if (c->scid == cid) {
@@ -709,24 +857,16 @@ static void l2cap_le_conn_ready(struct l2cap_conn *conn)
709 goto clean; 857 goto clean;
710 } 858 }
711 859
712 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP, GFP_ATOMIC); 860 chan = pchan->ops->new_connection(pchan->data);
713 if (!sk) 861 if (!chan)
714 goto clean;
715
716 chan = l2cap_chan_create(sk);
717 if (!chan) {
718 l2cap_sock_kill(sk);
719 goto clean; 862 goto clean;
720 }
721 863
722 l2cap_pi(sk)->chan = chan; 864 sk = chan->sk;
723 865
724 write_lock_bh(&conn->chan_lock); 866 write_lock_bh(&conn->chan_lock);
725 867
726 hci_conn_hold(conn->hcon); 868 hci_conn_hold(conn->hcon);
727 869
728 l2cap_sock_init(sk, parent);
729
730 bacpy(&bt_sk(sk)->src, conn->src); 870 bacpy(&bt_sk(sk)->src, conn->src);
731 bacpy(&bt_sk(sk)->dst, conn->dst); 871 bacpy(&bt_sk(sk)->dst, conn->dst);
732 872
@@ -734,9 +874,9 @@ static void l2cap_le_conn_ready(struct l2cap_conn *conn)
734 874
735 __l2cap_chan_add(conn, chan); 875 __l2cap_chan_add(conn, chan);
736 876
737 l2cap_sock_set_timer(sk, sk->sk_sndtimeo); 877 __set_chan_timer(chan, sk->sk_sndtimeo);
738 878
739 sk->sk_state = BT_CONNECTED; 879 l2cap_state_change(chan, BT_CONNECTED);
740 parent->sk_data_ready(parent, 0); 880 parent->sk_data_ready(parent, 0);
741 881
742 write_unlock_bh(&conn->chan_lock); 882 write_unlock_bh(&conn->chan_lock);
@@ -745,6 +885,23 @@ clean:
745 bh_unlock_sock(parent); 885 bh_unlock_sock(parent);
746} 886}
747 887
888static void l2cap_chan_ready(struct sock *sk)
889{
890 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
891 struct sock *parent = bt_sk(sk)->parent;
892
893 BT_DBG("sk %p, parent %p", sk, parent);
894
895 chan->conf_state = 0;
896 __clear_chan_timer(chan);
897
898 l2cap_state_change(chan, BT_CONNECTED);
899 sk->sk_state_change(sk);
900
901 if (parent)
902 parent->sk_data_ready(parent, 0);
903}
904
748static void l2cap_conn_ready(struct l2cap_conn *conn) 905static void l2cap_conn_ready(struct l2cap_conn *conn)
749{ 906{
750 struct l2cap_chan *chan; 907 struct l2cap_chan *chan;
@@ -762,17 +919,15 @@ static void l2cap_conn_ready(struct l2cap_conn *conn)
762 bh_lock_sock(sk); 919 bh_lock_sock(sk);
763 920
764 if (conn->hcon->type == LE_LINK) { 921 if (conn->hcon->type == LE_LINK) {
765 l2cap_sock_clear_timer(sk); 922 if (smp_conn_security(conn, chan->sec_level))
766 sk->sk_state = BT_CONNECTED; 923 l2cap_chan_ready(sk);
767 sk->sk_state_change(sk);
768 }
769 924
770 if (sk->sk_type != SOCK_SEQPACKET && 925 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
771 sk->sk_type != SOCK_STREAM) { 926 __clear_chan_timer(chan);
772 l2cap_sock_clear_timer(sk); 927 l2cap_state_change(chan, BT_CONNECTED);
773 sk->sk_state = BT_CONNECTED;
774 sk->sk_state_change(sk); 928 sk->sk_state_change(sk);
775 } else if (sk->sk_state == BT_CONNECT) 929
930 } else if (chan->state == BT_CONNECT)
776 l2cap_do_start(chan); 931 l2cap_do_start(chan);
777 932
778 bh_unlock_sock(sk); 933 bh_unlock_sock(sk);
@@ -810,6 +965,45 @@ static void l2cap_info_timeout(unsigned long arg)
810 l2cap_conn_start(conn); 965 l2cap_conn_start(conn);
811} 966}
812 967
968static void l2cap_conn_del(struct hci_conn *hcon, int err)
969{
970 struct l2cap_conn *conn = hcon->l2cap_data;
971 struct l2cap_chan *chan, *l;
972 struct sock *sk;
973
974 if (!conn)
975 return;
976
977 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
978
979 kfree_skb(conn->rx_skb);
980
981 /* Kill channels */
982 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
983 sk = chan->sk;
984 bh_lock_sock(sk);
985 l2cap_chan_del(chan, err);
986 bh_unlock_sock(sk);
987 chan->ops->close(chan->data);
988 }
989
990 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
991 del_timer_sync(&conn->info_timer);
992
993 if (test_bit(HCI_CONN_ENCRYPT_PEND, &hcon->pend))
994 del_timer(&conn->security_timer);
995
996 hcon->l2cap_data = NULL;
997 kfree(conn);
998}
999
1000static void security_timeout(unsigned long arg)
1001{
1002 struct l2cap_conn *conn = (void *) arg;
1003
1004 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1005}
1006
813static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status) 1007static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
814{ 1008{
815 struct l2cap_conn *conn = hcon->l2cap_data; 1009 struct l2cap_conn *conn = hcon->l2cap_data;
@@ -841,7 +1035,10 @@ static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
841 1035
842 INIT_LIST_HEAD(&conn->chan_l); 1036 INIT_LIST_HEAD(&conn->chan_l);
843 1037
844 if (hcon->type != LE_LINK) 1038 if (hcon->type == LE_LINK)
1039 setup_timer(&conn->security_timer, security_timeout,
1040 (unsigned long) conn);
1041 else
845 setup_timer(&conn->info_timer, l2cap_info_timeout, 1042 setup_timer(&conn->info_timer, l2cap_info_timeout,
846 (unsigned long) conn); 1043 (unsigned long) conn);
847 1044
@@ -850,35 +1047,6 @@ static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
850 return conn; 1047 return conn;
851} 1048}
852 1049
853static void l2cap_conn_del(struct hci_conn *hcon, int err)
854{
855 struct l2cap_conn *conn = hcon->l2cap_data;
856 struct l2cap_chan *chan, *l;
857 struct sock *sk;
858
859 if (!conn)
860 return;
861
862 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
863
864 kfree_skb(conn->rx_skb);
865
866 /* Kill channels */
867 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
868 sk = chan->sk;
869 bh_lock_sock(sk);
870 l2cap_chan_del(chan, err);
871 bh_unlock_sock(sk);
872 l2cap_sock_kill(sk);
873 }
874
875 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
876 del_timer_sync(&conn->info_timer);
877
878 hcon->l2cap_data = NULL;
879 kfree(conn);
880}
881
882static inline void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan) 1050static inline void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
883{ 1051{
884 write_lock_bh(&conn->chan_lock); 1052 write_lock_bh(&conn->chan_lock);
@@ -900,7 +1068,7 @@ static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm, bdaddr
900 list_for_each_entry(c, &chan_list, global_l) { 1068 list_for_each_entry(c, &chan_list, global_l) {
901 struct sock *sk = c->sk; 1069 struct sock *sk = c->sk;
902 1070
903 if (state && sk->sk_state != state) 1071 if (state && c->state != state)
904 continue; 1072 continue;
905 1073
906 if (c->psm == psm) { 1074 if (c->psm == psm) {
@@ -967,15 +1135,14 @@ int l2cap_chan_connect(struct l2cap_chan *chan)
967 1135
968 l2cap_chan_add(conn, chan); 1136 l2cap_chan_add(conn, chan);
969 1137
970 sk->sk_state = BT_CONNECT; 1138 l2cap_state_change(chan, BT_CONNECT);
971 l2cap_sock_set_timer(sk, sk->sk_sndtimeo); 1139 __set_chan_timer(chan, sk->sk_sndtimeo);
972 1140
973 if (hcon->state == BT_CONNECTED) { 1141 if (hcon->state == BT_CONNECTED) {
974 if (sk->sk_type != SOCK_SEQPACKET && 1142 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
975 sk->sk_type != SOCK_STREAM) { 1143 __clear_chan_timer(chan);
976 l2cap_sock_clear_timer(sk);
977 if (l2cap_check_security(chan)) 1144 if (l2cap_check_security(chan))
978 sk->sk_state = BT_CONNECTED; 1145 l2cap_state_change(chan, BT_CONNECTED);
979 } else 1146 } else
980 l2cap_do_start(chan); 1147 l2cap_do_start(chan);
981 } 1148 }
@@ -1035,7 +1202,7 @@ static void l2cap_monitor_timeout(unsigned long arg)
1035 } 1202 }
1036 1203
1037 chan->retry_count++; 1204 chan->retry_count++;
1038 __mod_monitor_timer(); 1205 __set_monitor_timer(chan);
1039 1206
1040 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL); 1207 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
1041 bh_unlock_sock(sk); 1208 bh_unlock_sock(sk);
@@ -1050,9 +1217,9 @@ static void l2cap_retrans_timeout(unsigned long arg)
1050 1217
1051 bh_lock_sock(sk); 1218 bh_lock_sock(sk);
1052 chan->retry_count = 1; 1219 chan->retry_count = 1;
1053 __mod_monitor_timer(); 1220 __set_monitor_timer(chan);
1054 1221
1055 chan->conn_state |= L2CAP_CONN_WAIT_F; 1222 set_bit(CONN_WAIT_F, &chan->conn_state);
1056 1223
1057 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL); 1224 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
1058 bh_unlock_sock(sk); 1225 bh_unlock_sock(sk);
@@ -1074,7 +1241,7 @@ static void l2cap_drop_acked_frames(struct l2cap_chan *chan)
1074 } 1241 }
1075 1242
1076 if (!chan->unacked_frames) 1243 if (!chan->unacked_frames)
1077 del_timer(&chan->retrans_timer); 1244 __clear_retrans_timer(chan);
1078} 1245}
1079 1246
1080void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb) 1247void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
@@ -1089,6 +1256,7 @@ void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
1089 else 1256 else
1090 flags = ACL_START; 1257 flags = ACL_START;
1091 1258
1259 bt_cb(skb)->force_active = chan->force_active;
1092 hci_send_acl(hcon, skb, flags); 1260 hci_send_acl(hcon, skb, flags);
1093} 1261}
1094 1262
@@ -1142,10 +1310,8 @@ static void l2cap_retransmit_one_frame(struct l2cap_chan *chan, u8 tx_seq)
1142 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE); 1310 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
1143 control &= L2CAP_CTRL_SAR; 1311 control &= L2CAP_CTRL_SAR;
1144 1312
1145 if (chan->conn_state & L2CAP_CONN_SEND_FBIT) { 1313 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1146 control |= L2CAP_CTRL_FINAL; 1314 control |= L2CAP_CTRL_FINAL;
1147 chan->conn_state &= ~L2CAP_CONN_SEND_FBIT;
1148 }
1149 1315
1150 control |= (chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT) 1316 control |= (chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1151 | (tx_seq << L2CAP_CTRL_TXSEQ_SHIFT); 1317 | (tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
@@ -1163,11 +1329,10 @@ static void l2cap_retransmit_one_frame(struct l2cap_chan *chan, u8 tx_seq)
1163int l2cap_ertm_send(struct l2cap_chan *chan) 1329int l2cap_ertm_send(struct l2cap_chan *chan)
1164{ 1330{
1165 struct sk_buff *skb, *tx_skb; 1331 struct sk_buff *skb, *tx_skb;
1166 struct sock *sk = chan->sk;
1167 u16 control, fcs; 1332 u16 control, fcs;
1168 int nsent = 0; 1333 int nsent = 0;
1169 1334
1170 if (sk->sk_state != BT_CONNECTED) 1335 if (chan->state != BT_CONNECTED)
1171 return -ENOTCONN; 1336 return -ENOTCONN;
1172 1337
1173 while ((skb = chan->tx_send_head) && (!l2cap_tx_window_full(chan))) { 1338 while ((skb = chan->tx_send_head) && (!l2cap_tx_window_full(chan))) {
@@ -1185,10 +1350,9 @@ int l2cap_ertm_send(struct l2cap_chan *chan)
1185 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE); 1350 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
1186 control &= L2CAP_CTRL_SAR; 1351 control &= L2CAP_CTRL_SAR;
1187 1352
1188 if (chan->conn_state & L2CAP_CONN_SEND_FBIT) { 1353 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1189 control |= L2CAP_CTRL_FINAL; 1354 control |= L2CAP_CTRL_FINAL;
1190 chan->conn_state &= ~L2CAP_CONN_SEND_FBIT; 1355
1191 }
1192 control |= (chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT) 1356 control |= (chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1193 | (chan->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT); 1357 | (chan->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
1194 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE); 1358 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
@@ -1201,7 +1365,7 @@ int l2cap_ertm_send(struct l2cap_chan *chan)
1201 1365
1202 l2cap_do_send(chan, tx_skb); 1366 l2cap_do_send(chan, tx_skb);
1203 1367
1204 __mod_retrans_timer(); 1368 __set_retrans_timer(chan);
1205 1369
1206 bt_cb(skb)->tx_seq = chan->next_tx_seq; 1370 bt_cb(skb)->tx_seq = chan->next_tx_seq;
1207 chan->next_tx_seq = (chan->next_tx_seq + 1) % 64; 1371 chan->next_tx_seq = (chan->next_tx_seq + 1) % 64;
@@ -1240,9 +1404,9 @@ static void l2cap_send_ack(struct l2cap_chan *chan)
1240 1404
1241 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT; 1405 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1242 1406
1243 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) { 1407 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
1244 control |= L2CAP_SUPER_RCV_NOT_READY; 1408 control |= L2CAP_SUPER_RCV_NOT_READY;
1245 chan->conn_state |= L2CAP_CONN_RNR_SENT; 1409 set_bit(CONN_RNR_SENT, &chan->conn_state);
1246 l2cap_send_sframe(chan, control); 1410 l2cap_send_sframe(chan, control);
1247 return; 1411 return;
1248 } 1412 }
@@ -1450,28 +1614,83 @@ int l2cap_sar_segment_sdu(struct l2cap_chan *chan, struct msghdr *msg, size_t le
1450 return size; 1614 return size;
1451} 1615}
1452 1616
1453static void l2cap_chan_ready(struct sock *sk) 1617int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1454{ 1618{
1455 struct sock *parent = bt_sk(sk)->parent; 1619 struct sk_buff *skb;
1456 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 1620 u16 control;
1621 int err;
1457 1622
1458 BT_DBG("sk %p, parent %p", sk, parent); 1623 /* Connectionless channel */
1624 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
1625 skb = l2cap_create_connless_pdu(chan, msg, len);
1626 if (IS_ERR(skb))
1627 return PTR_ERR(skb);
1459 1628
1460 chan->conf_state = 0; 1629 l2cap_do_send(chan, skb);
1461 l2cap_sock_clear_timer(sk); 1630 return len;
1631 }
1462 1632
1463 if (!parent) { 1633 switch (chan->mode) {
1464 /* Outgoing channel. 1634 case L2CAP_MODE_BASIC:
1465 * Wake up socket sleeping on connect. 1635 /* Check outgoing MTU */
1466 */ 1636 if (len > chan->omtu)
1467 sk->sk_state = BT_CONNECTED; 1637 return -EMSGSIZE;
1468 sk->sk_state_change(sk); 1638
1469 } else { 1639 /* Create a basic PDU */
1470 /* Incoming channel. 1640 skb = l2cap_create_basic_pdu(chan, msg, len);
1471 * Wake up socket sleeping on accept. 1641 if (IS_ERR(skb))
1472 */ 1642 return PTR_ERR(skb);
1473 parent->sk_data_ready(parent, 0); 1643
1644 l2cap_do_send(chan, skb);
1645 err = len;
1646 break;
1647
1648 case L2CAP_MODE_ERTM:
1649 case L2CAP_MODE_STREAMING:
1650 /* Entire SDU fits into one PDU */
1651 if (len <= chan->remote_mps) {
1652 control = L2CAP_SDU_UNSEGMENTED;
1653 skb = l2cap_create_iframe_pdu(chan, msg, len, control,
1654 0);
1655 if (IS_ERR(skb))
1656 return PTR_ERR(skb);
1657
1658 __skb_queue_tail(&chan->tx_q, skb);
1659
1660 if (chan->tx_send_head == NULL)
1661 chan->tx_send_head = skb;
1662
1663 } else {
1664 /* Segment SDU into multiples PDUs */
1665 err = l2cap_sar_segment_sdu(chan, msg, len);
1666 if (err < 0)
1667 return err;
1668 }
1669
1670 if (chan->mode == L2CAP_MODE_STREAMING) {
1671 l2cap_streaming_send(chan);
1672 err = len;
1673 break;
1674 }
1675
1676 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
1677 test_bit(CONN_WAIT_F, &chan->conn_state)) {
1678 err = len;
1679 break;
1680 }
1681
1682 err = l2cap_ertm_send(chan);
1683 if (err >= 0)
1684 err = len;
1685
1686 break;
1687
1688 default:
1689 BT_DBG("bad state %1.1x", chan->mode);
1690 err = -EBADFD;
1474 } 1691 }
1692
1693 return err;
1475} 1694}
1476 1695
1477/* Copy frame to all raw sockets on that connection */ 1696/* Copy frame to all raw sockets on that connection */
@@ -1485,7 +1704,7 @@ static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
1485 read_lock(&conn->chan_lock); 1704 read_lock(&conn->chan_lock);
1486 list_for_each_entry(chan, &conn->chan_l, list) { 1705 list_for_each_entry(chan, &conn->chan_l, list) {
1487 struct sock *sk = chan->sk; 1706 struct sock *sk = chan->sk;
1488 if (sk->sk_type != SOCK_RAW) 1707 if (chan->chan_type != L2CAP_CHAN_RAW)
1489 continue; 1708 continue;
1490 1709
1491 /* Don't send frame to the socket it came from */ 1710 /* Don't send frame to the socket it came from */
@@ -1495,7 +1714,7 @@ static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
1495 if (!nskb) 1714 if (!nskb)
1496 continue; 1715 continue;
1497 1716
1498 if (sock_queue_rcv_skb(sk, nskb)) 1717 if (chan->ops->recv(chan->data, nskb))
1499 kfree_skb(nskb); 1718 kfree_skb(nskb);
1500 } 1719 }
1501 read_unlock(&conn->chan_lock); 1720 read_unlock(&conn->chan_lock);
@@ -1690,7 +1909,7 @@ static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1690 switch (chan->mode) { 1909 switch (chan->mode) {
1691 case L2CAP_MODE_STREAMING: 1910 case L2CAP_MODE_STREAMING:
1692 case L2CAP_MODE_ERTM: 1911 case L2CAP_MODE_ERTM:
1693 if (chan->conf_state & L2CAP_CONF_STATE2_DEVICE) 1912 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
1694 break; 1913 break;
1695 1914
1696 /* fall through */ 1915 /* fall through */
@@ -1737,7 +1956,7 @@ done:
1737 break; 1956 break;
1738 1957
1739 if (chan->fcs == L2CAP_FCS_NONE || 1958 if (chan->fcs == L2CAP_FCS_NONE ||
1740 chan->conf_state & L2CAP_CONF_NO_FCS_RECV) { 1959 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
1741 chan->fcs = L2CAP_FCS_NONE; 1960 chan->fcs = L2CAP_FCS_NONE;
1742 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs); 1961 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
1743 } 1962 }
@@ -1760,7 +1979,7 @@ done:
1760 break; 1979 break;
1761 1980
1762 if (chan->fcs == L2CAP_FCS_NONE || 1981 if (chan->fcs == L2CAP_FCS_NONE ||
1763 chan->conf_state & L2CAP_CONF_NO_FCS_RECV) { 1982 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
1764 chan->fcs = L2CAP_FCS_NONE; 1983 chan->fcs = L2CAP_FCS_NONE;
1765 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs); 1984 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
1766 } 1985 }
@@ -1812,7 +2031,7 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1812 2031
1813 case L2CAP_CONF_FCS: 2032 case L2CAP_CONF_FCS:
1814 if (val == L2CAP_FCS_NONE) 2033 if (val == L2CAP_FCS_NONE)
1815 chan->conf_state |= L2CAP_CONF_NO_FCS_RECV; 2034 set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
1816 2035
1817 break; 2036 break;
1818 2037
@@ -1832,7 +2051,7 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1832 switch (chan->mode) { 2051 switch (chan->mode) {
1833 case L2CAP_MODE_STREAMING: 2052 case L2CAP_MODE_STREAMING:
1834 case L2CAP_MODE_ERTM: 2053 case L2CAP_MODE_ERTM:
1835 if (!(chan->conf_state & L2CAP_CONF_STATE2_DEVICE)) { 2054 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
1836 chan->mode = l2cap_select_mode(rfc.mode, 2055 chan->mode = l2cap_select_mode(rfc.mode,
1837 chan->conn->feat_mask); 2056 chan->conn->feat_mask);
1838 break; 2057 break;
@@ -1865,14 +2084,14 @@ done:
1865 result = L2CAP_CONF_UNACCEPT; 2084 result = L2CAP_CONF_UNACCEPT;
1866 else { 2085 else {
1867 chan->omtu = mtu; 2086 chan->omtu = mtu;
1868 chan->conf_state |= L2CAP_CONF_MTU_DONE; 2087 set_bit(CONF_MTU_DONE, &chan->conf_state);
1869 } 2088 }
1870 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu); 2089 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
1871 2090
1872 switch (rfc.mode) { 2091 switch (rfc.mode) {
1873 case L2CAP_MODE_BASIC: 2092 case L2CAP_MODE_BASIC:
1874 chan->fcs = L2CAP_FCS_NONE; 2093 chan->fcs = L2CAP_FCS_NONE;
1875 chan->conf_state |= L2CAP_CONF_MODE_DONE; 2094 set_bit(CONF_MODE_DONE, &chan->conf_state);
1876 break; 2095 break;
1877 2096
1878 case L2CAP_MODE_ERTM: 2097 case L2CAP_MODE_ERTM:
@@ -1889,7 +2108,7 @@ done:
1889 rfc.monitor_timeout = 2108 rfc.monitor_timeout =
1890 le16_to_cpu(L2CAP_DEFAULT_MONITOR_TO); 2109 le16_to_cpu(L2CAP_DEFAULT_MONITOR_TO);
1891 2110
1892 chan->conf_state |= L2CAP_CONF_MODE_DONE; 2111 set_bit(CONF_MODE_DONE, &chan->conf_state);
1893 2112
1894 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, 2113 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
1895 sizeof(rfc), (unsigned long) &rfc); 2114 sizeof(rfc), (unsigned long) &rfc);
@@ -1902,7 +2121,7 @@ done:
1902 2121
1903 chan->remote_mps = le16_to_cpu(rfc.max_pdu_size); 2122 chan->remote_mps = le16_to_cpu(rfc.max_pdu_size);
1904 2123
1905 chan->conf_state |= L2CAP_CONF_MODE_DONE; 2124 set_bit(CONF_MODE_DONE, &chan->conf_state);
1906 2125
1907 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, 2126 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
1908 sizeof(rfc), (unsigned long) &rfc); 2127 sizeof(rfc), (unsigned long) &rfc);
@@ -1917,7 +2136,7 @@ done:
1917 } 2136 }
1918 2137
1919 if (result == L2CAP_CONF_SUCCESS) 2138 if (result == L2CAP_CONF_SUCCESS)
1920 chan->conf_state |= L2CAP_CONF_OUTPUT_DONE; 2139 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
1921 } 2140 }
1922 rsp->scid = cpu_to_le16(chan->dcid); 2141 rsp->scid = cpu_to_le16(chan->dcid);
1923 rsp->result = cpu_to_le16(result); 2142 rsp->result = cpu_to_le16(result);
@@ -1959,7 +2178,7 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, voi
1959 if (olen == sizeof(rfc)) 2178 if (olen == sizeof(rfc))
1960 memcpy(&rfc, (void *)val, olen); 2179 memcpy(&rfc, (void *)val, olen);
1961 2180
1962 if ((chan->conf_state & L2CAP_CONF_STATE2_DEVICE) && 2181 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
1963 rfc.mode != chan->mode) 2182 rfc.mode != chan->mode)
1964 return -ECONNREFUSED; 2183 return -ECONNREFUSED;
1965 2184
@@ -2021,10 +2240,9 @@ void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
2021 l2cap_send_cmd(conn, chan->ident, 2240 l2cap_send_cmd(conn, chan->ident,
2022 L2CAP_CONN_RSP, sizeof(rsp), &rsp); 2241 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2023 2242
2024 if (chan->conf_state & L2CAP_CONF_REQ_SENT) 2243 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
2025 return; 2244 return;
2026 2245
2027 chan->conf_state |= L2CAP_CONF_REQ_SENT;
2028 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, 2246 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2029 l2cap_build_conf_req(chan, buf), buf); 2247 l2cap_build_conf_req(chan, buf), buf);
2030 chan->num_conf_req++; 2248 chan->num_conf_req++;
@@ -2124,17 +2342,11 @@ static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hd
2124 goto response; 2342 goto response;
2125 } 2343 }
2126 2344
2127 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP, GFP_ATOMIC); 2345 chan = pchan->ops->new_connection(pchan->data);
2128 if (!sk) 2346 if (!chan)
2129 goto response;
2130
2131 chan = l2cap_chan_create(sk);
2132 if (!chan) {
2133 l2cap_sock_kill(sk);
2134 goto response; 2347 goto response;
2135 }
2136 2348
2137 l2cap_pi(sk)->chan = chan; 2349 sk = chan->sk;
2138 2350
2139 write_lock_bh(&conn->chan_lock); 2351 write_lock_bh(&conn->chan_lock);
2140 2352
@@ -2142,13 +2354,12 @@ static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hd
2142 if (__l2cap_get_chan_by_dcid(conn, scid)) { 2354 if (__l2cap_get_chan_by_dcid(conn, scid)) {
2143 write_unlock_bh(&conn->chan_lock); 2355 write_unlock_bh(&conn->chan_lock);
2144 sock_set_flag(sk, SOCK_ZAPPED); 2356 sock_set_flag(sk, SOCK_ZAPPED);
2145 l2cap_sock_kill(sk); 2357 chan->ops->close(chan->data);
2146 goto response; 2358 goto response;
2147 } 2359 }
2148 2360
2149 hci_conn_hold(conn->hcon); 2361 hci_conn_hold(conn->hcon);
2150 2362
2151 l2cap_sock_init(sk, parent);
2152 bacpy(&bt_sk(sk)->src, conn->src); 2363 bacpy(&bt_sk(sk)->src, conn->src);
2153 bacpy(&bt_sk(sk)->dst, conn->dst); 2364 bacpy(&bt_sk(sk)->dst, conn->dst);
2154 chan->psm = psm; 2365 chan->psm = psm;
@@ -2160,29 +2371,29 @@ static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hd
2160 2371
2161 dcid = chan->scid; 2372 dcid = chan->scid;
2162 2373
2163 l2cap_sock_set_timer(sk, sk->sk_sndtimeo); 2374 __set_chan_timer(chan, sk->sk_sndtimeo);
2164 2375
2165 chan->ident = cmd->ident; 2376 chan->ident = cmd->ident;
2166 2377
2167 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) { 2378 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
2168 if (l2cap_check_security(chan)) { 2379 if (l2cap_check_security(chan)) {
2169 if (bt_sk(sk)->defer_setup) { 2380 if (bt_sk(sk)->defer_setup) {
2170 sk->sk_state = BT_CONNECT2; 2381 l2cap_state_change(chan, BT_CONNECT2);
2171 result = L2CAP_CR_PEND; 2382 result = L2CAP_CR_PEND;
2172 status = L2CAP_CS_AUTHOR_PEND; 2383 status = L2CAP_CS_AUTHOR_PEND;
2173 parent->sk_data_ready(parent, 0); 2384 parent->sk_data_ready(parent, 0);
2174 } else { 2385 } else {
2175 sk->sk_state = BT_CONFIG; 2386 l2cap_state_change(chan, BT_CONFIG);
2176 result = L2CAP_CR_SUCCESS; 2387 result = L2CAP_CR_SUCCESS;
2177 status = L2CAP_CS_NO_INFO; 2388 status = L2CAP_CS_NO_INFO;
2178 } 2389 }
2179 } else { 2390 } else {
2180 sk->sk_state = BT_CONNECT2; 2391 l2cap_state_change(chan, BT_CONNECT2);
2181 result = L2CAP_CR_PEND; 2392 result = L2CAP_CR_PEND;
2182 status = L2CAP_CS_AUTHEN_PEND; 2393 status = L2CAP_CS_AUTHEN_PEND;
2183 } 2394 }
2184 } else { 2395 } else {
2185 sk->sk_state = BT_CONNECT2; 2396 l2cap_state_change(chan, BT_CONNECT2);
2186 result = L2CAP_CR_PEND; 2397 result = L2CAP_CR_PEND;
2187 status = L2CAP_CS_NO_INFO; 2398 status = L2CAP_CS_NO_INFO;
2188 } 2399 }
@@ -2213,10 +2424,10 @@ sendresp:
2213 L2CAP_INFO_REQ, sizeof(info), &info); 2424 L2CAP_INFO_REQ, sizeof(info), &info);
2214 } 2425 }
2215 2426
2216 if (chan && !(chan->conf_state & L2CAP_CONF_REQ_SENT) && 2427 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
2217 result == L2CAP_CR_SUCCESS) { 2428 result == L2CAP_CR_SUCCESS) {
2218 u8 buf[128]; 2429 u8 buf[128];
2219 chan->conf_state |= L2CAP_CONF_REQ_SENT; 2430 set_bit(CONF_REQ_SENT, &chan->conf_state);
2220 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, 2431 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2221 l2cap_build_conf_req(chan, buf), buf); 2432 l2cap_build_conf_req(chan, buf), buf);
2222 chan->num_conf_req++; 2433 chan->num_conf_req++;
@@ -2254,31 +2465,29 @@ static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hd
2254 2465
2255 switch (result) { 2466 switch (result) {
2256 case L2CAP_CR_SUCCESS: 2467 case L2CAP_CR_SUCCESS:
2257 sk->sk_state = BT_CONFIG; 2468 l2cap_state_change(chan, BT_CONFIG);
2258 chan->ident = 0; 2469 chan->ident = 0;
2259 chan->dcid = dcid; 2470 chan->dcid = dcid;
2260 chan->conf_state &= ~L2CAP_CONF_CONNECT_PEND; 2471 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
2261 2472
2262 if (chan->conf_state & L2CAP_CONF_REQ_SENT) 2473 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
2263 break; 2474 break;
2264 2475
2265 chan->conf_state |= L2CAP_CONF_REQ_SENT;
2266
2267 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, 2476 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2268 l2cap_build_conf_req(chan, req), req); 2477 l2cap_build_conf_req(chan, req), req);
2269 chan->num_conf_req++; 2478 chan->num_conf_req++;
2270 break; 2479 break;
2271 2480
2272 case L2CAP_CR_PEND: 2481 case L2CAP_CR_PEND:
2273 chan->conf_state |= L2CAP_CONF_CONNECT_PEND; 2482 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
2274 break; 2483 break;
2275 2484
2276 default: 2485 default:
2277 /* don't delete l2cap channel if sk is owned by user */ 2486 /* don't delete l2cap channel if sk is owned by user */
2278 if (sock_owned_by_user(sk)) { 2487 if (sock_owned_by_user(sk)) {
2279 sk->sk_state = BT_DISCONN; 2488 l2cap_state_change(chan, BT_DISCONN);
2280 l2cap_sock_clear_timer(sk); 2489 __clear_chan_timer(chan);
2281 l2cap_sock_set_timer(sk, HZ / 5); 2490 __set_chan_timer(chan, HZ / 5);
2282 break; 2491 break;
2283 } 2492 }
2284 2493
@@ -2292,14 +2501,12 @@ static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hd
2292 2501
2293static inline void set_default_fcs(struct l2cap_chan *chan) 2502static inline void set_default_fcs(struct l2cap_chan *chan)
2294{ 2503{
2295 struct l2cap_pinfo *pi = l2cap_pi(chan->sk);
2296
2297 /* FCS is enabled only in ERTM or streaming mode, if one or both 2504 /* FCS is enabled only in ERTM or streaming mode, if one or both
2298 * sides request it. 2505 * sides request it.
2299 */ 2506 */
2300 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING) 2507 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
2301 chan->fcs = L2CAP_FCS_NONE; 2508 chan->fcs = L2CAP_FCS_NONE;
2302 else if (!(pi->chan->conf_state & L2CAP_CONF_NO_FCS_RECV)) 2509 else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
2303 chan->fcs = L2CAP_FCS_CRC16; 2510 chan->fcs = L2CAP_FCS_CRC16;
2304} 2511}
2305 2512
@@ -2323,8 +2530,8 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
2323 2530
2324 sk = chan->sk; 2531 sk = chan->sk;
2325 2532
2326 if ((bt_sk(sk)->defer_setup && sk->sk_state != BT_CONNECT2) || 2533 if ((bt_sk(sk)->defer_setup && chan->state != BT_CONNECT2) ||
2327 (!bt_sk(sk)->defer_setup && sk->sk_state != BT_CONFIG)) { 2534 (!bt_sk(sk)->defer_setup && chan->state != BT_CONFIG)) {
2328 struct l2cap_cmd_rej rej; 2535 struct l2cap_cmd_rej rej;
2329 2536
2330 rej.reason = cpu_to_le16(0x0002); 2537 rej.reason = cpu_to_le16(0x0002);
@@ -2367,13 +2574,13 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
2367 /* Reset config buffer. */ 2574 /* Reset config buffer. */
2368 chan->conf_len = 0; 2575 chan->conf_len = 0;
2369 2576
2370 if (!(chan->conf_state & L2CAP_CONF_OUTPUT_DONE)) 2577 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
2371 goto unlock; 2578 goto unlock;
2372 2579
2373 if (chan->conf_state & L2CAP_CONF_INPUT_DONE) { 2580 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
2374 set_default_fcs(chan); 2581 set_default_fcs(chan);
2375 2582
2376 sk->sk_state = BT_CONNECTED; 2583 l2cap_state_change(chan, BT_CONNECTED);
2377 2584
2378 chan->next_tx_seq = 0; 2585 chan->next_tx_seq = 0;
2379 chan->expected_tx_seq = 0; 2586 chan->expected_tx_seq = 0;
@@ -2385,9 +2592,8 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
2385 goto unlock; 2592 goto unlock;
2386 } 2593 }
2387 2594
2388 if (!(chan->conf_state & L2CAP_CONF_REQ_SENT)) { 2595 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
2389 u8 buf[64]; 2596 u8 buf[64];
2390 chan->conf_state |= L2CAP_CONF_REQ_SENT;
2391 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, 2597 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2392 l2cap_build_conf_req(chan, buf), buf); 2598 l2cap_build_conf_req(chan, buf), buf);
2393 chan->num_conf_req++; 2599 chan->num_conf_req++;
@@ -2452,7 +2658,7 @@ static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr
2452 2658
2453 default: 2659 default:
2454 sk->sk_err = ECONNRESET; 2660 sk->sk_err = ECONNRESET;
2455 l2cap_sock_set_timer(sk, HZ * 5); 2661 __set_chan_timer(chan, HZ * 5);
2456 l2cap_send_disconn_req(conn, chan, ECONNRESET); 2662 l2cap_send_disconn_req(conn, chan, ECONNRESET);
2457 goto done; 2663 goto done;
2458 } 2664 }
@@ -2460,12 +2666,12 @@ static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr
2460 if (flags & 0x01) 2666 if (flags & 0x01)
2461 goto done; 2667 goto done;
2462 2668
2463 chan->conf_state |= L2CAP_CONF_INPUT_DONE; 2669 set_bit(CONF_INPUT_DONE, &chan->conf_state);
2464 2670
2465 if (chan->conf_state & L2CAP_CONF_OUTPUT_DONE) { 2671 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
2466 set_default_fcs(chan); 2672 set_default_fcs(chan);
2467 2673
2468 sk->sk_state = BT_CONNECTED; 2674 l2cap_state_change(chan, BT_CONNECTED);
2469 chan->next_tx_seq = 0; 2675 chan->next_tx_seq = 0;
2470 chan->expected_tx_seq = 0; 2676 chan->expected_tx_seq = 0;
2471 skb_queue_head_init(&chan->tx_q); 2677 skb_queue_head_init(&chan->tx_q);
@@ -2507,9 +2713,9 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd
2507 2713
2508 /* don't delete l2cap channel if sk is owned by user */ 2714 /* don't delete l2cap channel if sk is owned by user */
2509 if (sock_owned_by_user(sk)) { 2715 if (sock_owned_by_user(sk)) {
2510 sk->sk_state = BT_DISCONN; 2716 l2cap_state_change(chan, BT_DISCONN);
2511 l2cap_sock_clear_timer(sk); 2717 __clear_chan_timer(chan);
2512 l2cap_sock_set_timer(sk, HZ / 5); 2718 __set_chan_timer(chan, HZ / 5);
2513 bh_unlock_sock(sk); 2719 bh_unlock_sock(sk);
2514 return 0; 2720 return 0;
2515 } 2721 }
@@ -2517,7 +2723,7 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd
2517 l2cap_chan_del(chan, ECONNRESET); 2723 l2cap_chan_del(chan, ECONNRESET);
2518 bh_unlock_sock(sk); 2724 bh_unlock_sock(sk);
2519 2725
2520 l2cap_sock_kill(sk); 2726 chan->ops->close(chan->data);
2521 return 0; 2727 return 0;
2522} 2728}
2523 2729
@@ -2541,9 +2747,9 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd
2541 2747
2542 /* don't delete l2cap channel if sk is owned by user */ 2748 /* don't delete l2cap channel if sk is owned by user */
2543 if (sock_owned_by_user(sk)) { 2749 if (sock_owned_by_user(sk)) {
2544 sk->sk_state = BT_DISCONN; 2750 l2cap_state_change(chan,BT_DISCONN);
2545 l2cap_sock_clear_timer(sk); 2751 __clear_chan_timer(chan);
2546 l2cap_sock_set_timer(sk, HZ / 5); 2752 __set_chan_timer(chan, HZ / 5);
2547 bh_unlock_sock(sk); 2753 bh_unlock_sock(sk);
2548 return 0; 2754 return 0;
2549 } 2755 }
@@ -2551,7 +2757,7 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd
2551 l2cap_chan_del(chan, 0); 2757 l2cap_chan_del(chan, 0);
2552 bh_unlock_sock(sk); 2758 bh_unlock_sock(sk);
2553 2759
2554 l2cap_sock_kill(sk); 2760 chan->ops->close(chan->data);
2555 return 0; 2761 return 0;
2556} 2762}
2557 2763
@@ -2859,18 +3065,18 @@ static inline void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
2859 3065
2860 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT; 3066 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
2861 3067
2862 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) { 3068 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
2863 control |= L2CAP_SUPER_RCV_NOT_READY; 3069 control |= L2CAP_SUPER_RCV_NOT_READY;
2864 l2cap_send_sframe(chan, control); 3070 l2cap_send_sframe(chan, control);
2865 chan->conn_state |= L2CAP_CONN_RNR_SENT; 3071 set_bit(CONN_RNR_SENT, &chan->conn_state);
2866 } 3072 }
2867 3073
2868 if (chan->conn_state & L2CAP_CONN_REMOTE_BUSY) 3074 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2869 l2cap_retransmit_frames(chan); 3075 l2cap_retransmit_frames(chan);
2870 3076
2871 l2cap_ertm_send(chan); 3077 l2cap_ertm_send(chan);
2872 3078
2873 if (!(chan->conn_state & L2CAP_CONN_LOCAL_BUSY) && 3079 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2874 chan->frames_sent == 0) { 3080 chan->frames_sent == 0) {
2875 control |= L2CAP_SUPER_RCV_READY; 3081 control |= L2CAP_SUPER_RCV_READY;
2876 l2cap_send_sframe(chan, control); 3082 l2cap_send_sframe(chan, control);
@@ -2926,17 +3132,13 @@ static int l2cap_ertm_reassembly_sdu(struct l2cap_chan *chan, struct sk_buff *sk
2926 3132
2927 switch (control & L2CAP_CTRL_SAR) { 3133 switch (control & L2CAP_CTRL_SAR) {
2928 case L2CAP_SDU_UNSEGMENTED: 3134 case L2CAP_SDU_UNSEGMENTED:
2929 if (chan->conn_state & L2CAP_CONN_SAR_SDU) 3135 if (test_bit(CONN_SAR_SDU, &chan->conn_state))
2930 goto drop; 3136 goto drop;
2931 3137
2932 err = sock_queue_rcv_skb(chan->sk, skb); 3138 return chan->ops->recv(chan->data, skb);
2933 if (!err)
2934 return err;
2935
2936 break;
2937 3139
2938 case L2CAP_SDU_START: 3140 case L2CAP_SDU_START:
2939 if (chan->conn_state & L2CAP_CONN_SAR_SDU) 3141 if (test_bit(CONN_SAR_SDU, &chan->conn_state))
2940 goto drop; 3142 goto drop;
2941 3143
2942 chan->sdu_len = get_unaligned_le16(skb->data); 3144 chan->sdu_len = get_unaligned_le16(skb->data);
@@ -2955,12 +3157,12 @@ static int l2cap_ertm_reassembly_sdu(struct l2cap_chan *chan, struct sk_buff *sk
2955 3157
2956 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len); 3158 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
2957 3159
2958 chan->conn_state |= L2CAP_CONN_SAR_SDU; 3160 set_bit(CONN_SAR_SDU, &chan->conn_state);
2959 chan->partial_sdu_len = skb->len; 3161 chan->partial_sdu_len = skb->len;
2960 break; 3162 break;
2961 3163
2962 case L2CAP_SDU_CONTINUE: 3164 case L2CAP_SDU_CONTINUE:
2963 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU)) 3165 if (!test_bit(CONN_SAR_SDU, &chan->conn_state))
2964 goto disconnect; 3166 goto disconnect;
2965 3167
2966 if (!chan->sdu) 3168 if (!chan->sdu)
@@ -2975,13 +3177,13 @@ static int l2cap_ertm_reassembly_sdu(struct l2cap_chan *chan, struct sk_buff *sk
2975 break; 3177 break;
2976 3178
2977 case L2CAP_SDU_END: 3179 case L2CAP_SDU_END:
2978 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU)) 3180 if (!test_bit(CONN_SAR_SDU, &chan->conn_state))
2979 goto disconnect; 3181 goto disconnect;
2980 3182
2981 if (!chan->sdu) 3183 if (!chan->sdu)
2982 goto disconnect; 3184 goto disconnect;
2983 3185
2984 if (!(chan->conn_state & L2CAP_CONN_SAR_RETRY)) { 3186 if (!test_bit(CONN_SAR_RETRY, &chan->conn_state)) {
2985 chan->partial_sdu_len += skb->len; 3187 chan->partial_sdu_len += skb->len;
2986 3188
2987 if (chan->partial_sdu_len > chan->imtu) 3189 if (chan->partial_sdu_len > chan->imtu)
@@ -2995,19 +3197,19 @@ static int l2cap_ertm_reassembly_sdu(struct l2cap_chan *chan, struct sk_buff *sk
2995 3197
2996 _skb = skb_clone(chan->sdu, GFP_ATOMIC); 3198 _skb = skb_clone(chan->sdu, GFP_ATOMIC);
2997 if (!_skb) { 3199 if (!_skb) {
2998 chan->conn_state |= L2CAP_CONN_SAR_RETRY; 3200 set_bit(CONN_SAR_RETRY, &chan->conn_state);
2999 return -ENOMEM; 3201 return -ENOMEM;
3000 } 3202 }
3001 3203
3002 err = sock_queue_rcv_skb(chan->sk, _skb); 3204 err = chan->ops->recv(chan->data, _skb);
3003 if (err < 0) { 3205 if (err < 0) {
3004 kfree_skb(_skb); 3206 kfree_skb(_skb);
3005 chan->conn_state |= L2CAP_CONN_SAR_RETRY; 3207 set_bit(CONN_SAR_RETRY, &chan->conn_state);
3006 return err; 3208 return err;
3007 } 3209 }
3008 3210
3009 chan->conn_state &= ~L2CAP_CONN_SAR_RETRY; 3211 clear_bit(CONN_SAR_RETRY, &chan->conn_state);
3010 chan->conn_state &= ~L2CAP_CONN_SAR_SDU; 3212 clear_bit(CONN_SAR_SDU, &chan->conn_state);
3011 3213
3012 kfree_skb(chan->sdu); 3214 kfree_skb(chan->sdu);
3013 break; 3215 break;
@@ -3043,7 +3245,7 @@ static int l2cap_try_push_rx_skb(struct l2cap_chan *chan)
3043 chan->buffer_seq = (chan->buffer_seq + 1) % 64; 3245 chan->buffer_seq = (chan->buffer_seq + 1) % 64;
3044 } 3246 }
3045 3247
3046 if (!(chan->conn_state & L2CAP_CONN_RNR_SENT)) 3248 if (!test_bit(CONN_RNR_SENT, &chan->conn_state))
3047 goto done; 3249 goto done;
3048 3250
3049 control = chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT; 3251 control = chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
@@ -3051,14 +3253,14 @@ static int l2cap_try_push_rx_skb(struct l2cap_chan *chan)
3051 l2cap_send_sframe(chan, control); 3253 l2cap_send_sframe(chan, control);
3052 chan->retry_count = 1; 3254 chan->retry_count = 1;
3053 3255
3054 del_timer(&chan->retrans_timer); 3256 __clear_retrans_timer(chan);
3055 __mod_monitor_timer(); 3257 __set_monitor_timer(chan);
3056 3258
3057 chan->conn_state |= L2CAP_CONN_WAIT_F; 3259 set_bit(CONN_WAIT_F, &chan->conn_state);
3058 3260
3059done: 3261done:
3060 chan->conn_state &= ~L2CAP_CONN_LOCAL_BUSY; 3262 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
3061 chan->conn_state &= ~L2CAP_CONN_RNR_SENT; 3263 clear_bit(CONN_RNR_SENT, &chan->conn_state);
3062 3264
3063 BT_DBG("chan %p, Exit local busy", chan); 3265 BT_DBG("chan %p, Exit local busy", chan);
3064 3266
@@ -3116,7 +3318,7 @@ static int l2cap_push_rx_skb(struct l2cap_chan *chan, struct sk_buff *skb, u16 c
3116{ 3318{
3117 int sctrl, err; 3319 int sctrl, err;
3118 3320
3119 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) { 3321 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
3120 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT; 3322 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
3121 __skb_queue_tail(&chan->busy_q, skb); 3323 __skb_queue_tail(&chan->busy_q, skb);
3122 return l2cap_try_push_rx_skb(chan); 3324 return l2cap_try_push_rx_skb(chan);
@@ -3133,7 +3335,7 @@ static int l2cap_push_rx_skb(struct l2cap_chan *chan, struct sk_buff *skb, u16 c
3133 /* Busy Condition */ 3335 /* Busy Condition */
3134 BT_DBG("chan %p, Enter local busy", chan); 3336 BT_DBG("chan %p, Enter local busy", chan);
3135 3337
3136 chan->conn_state |= L2CAP_CONN_LOCAL_BUSY; 3338 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
3137 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT; 3339 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
3138 __skb_queue_tail(&chan->busy_q, skb); 3340 __skb_queue_tail(&chan->busy_q, skb);
3139 3341
@@ -3141,9 +3343,9 @@ static int l2cap_push_rx_skb(struct l2cap_chan *chan, struct sk_buff *skb, u16 c
3141 sctrl |= L2CAP_SUPER_RCV_NOT_READY; 3343 sctrl |= L2CAP_SUPER_RCV_NOT_READY;
3142 l2cap_send_sframe(chan, sctrl); 3344 l2cap_send_sframe(chan, sctrl);
3143 3345
3144 chan->conn_state |= L2CAP_CONN_RNR_SENT; 3346 set_bit(CONN_RNR_SENT, &chan->conn_state);
3145 3347
3146 del_timer(&chan->ack_timer); 3348 __clear_ack_timer(chan);
3147 3349
3148 queue_work(_busy_wq, &chan->busy_work); 3350 queue_work(_busy_wq, &chan->busy_work);
3149 3351
@@ -3162,19 +3364,19 @@ static int l2cap_streaming_reassembly_sdu(struct l2cap_chan *chan, struct sk_buf
3162 3364
3163 switch (control & L2CAP_CTRL_SAR) { 3365 switch (control & L2CAP_CTRL_SAR) {
3164 case L2CAP_SDU_UNSEGMENTED: 3366 case L2CAP_SDU_UNSEGMENTED:
3165 if (chan->conn_state & L2CAP_CONN_SAR_SDU) { 3367 if (test_bit(CONN_SAR_SDU, &chan->conn_state)) {
3166 kfree_skb(chan->sdu); 3368 kfree_skb(chan->sdu);
3167 break; 3369 break;
3168 } 3370 }
3169 3371
3170 err = sock_queue_rcv_skb(chan->sk, skb); 3372 err = chan->ops->recv(chan->data, skb);
3171 if (!err) 3373 if (!err)
3172 return 0; 3374 return 0;
3173 3375
3174 break; 3376 break;
3175 3377
3176 case L2CAP_SDU_START: 3378 case L2CAP_SDU_START:
3177 if (chan->conn_state & L2CAP_CONN_SAR_SDU) { 3379 if (test_bit(CONN_SAR_SDU, &chan->conn_state)) {
3178 kfree_skb(chan->sdu); 3380 kfree_skb(chan->sdu);
3179 break; 3381 break;
3180 } 3382 }
@@ -3195,13 +3397,13 @@ static int l2cap_streaming_reassembly_sdu(struct l2cap_chan *chan, struct sk_buf
3195 3397
3196 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len); 3398 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
3197 3399
3198 chan->conn_state |= L2CAP_CONN_SAR_SDU; 3400 set_bit(CONN_SAR_SDU, &chan->conn_state);
3199 chan->partial_sdu_len = skb->len; 3401 chan->partial_sdu_len = skb->len;
3200 err = 0; 3402 err = 0;
3201 break; 3403 break;
3202 3404
3203 case L2CAP_SDU_CONTINUE: 3405 case L2CAP_SDU_CONTINUE:
3204 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU)) 3406 if (!test_bit(CONN_SAR_SDU, &chan->conn_state))
3205 break; 3407 break;
3206 3408
3207 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len); 3409 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
@@ -3215,12 +3417,12 @@ static int l2cap_streaming_reassembly_sdu(struct l2cap_chan *chan, struct sk_buf
3215 break; 3417 break;
3216 3418
3217 case L2CAP_SDU_END: 3419 case L2CAP_SDU_END:
3218 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU)) 3420 if (!test_bit(CONN_SAR_SDU, &chan->conn_state))
3219 break; 3421 break;
3220 3422
3221 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len); 3423 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
3222 3424
3223 chan->conn_state &= ~L2CAP_CONN_SAR_SDU; 3425 clear_bit(CONN_SAR_SDU, &chan->conn_state);
3224 chan->partial_sdu_len += skb->len; 3426 chan->partial_sdu_len += skb->len;
3225 3427
3226 if (chan->partial_sdu_len > chan->imtu) 3428 if (chan->partial_sdu_len > chan->imtu)
@@ -3228,7 +3430,7 @@ static int l2cap_streaming_reassembly_sdu(struct l2cap_chan *chan, struct sk_buf
3228 3430
3229 if (chan->partial_sdu_len == chan->sdu_len) { 3431 if (chan->partial_sdu_len == chan->sdu_len) {
3230 _skb = skb_clone(chan->sdu, GFP_ATOMIC); 3432 _skb = skb_clone(chan->sdu, GFP_ATOMIC);
3231 err = sock_queue_rcv_skb(chan->sk, _skb); 3433 err = chan->ops->recv(chan->data, _skb);
3232 if (err < 0) 3434 if (err < 0)
3233 kfree_skb(_skb); 3435 kfree_skb(_skb);
3234 } 3436 }
@@ -3311,11 +3513,11 @@ static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u16 rx_cont
3311 tx_seq, rx_control); 3513 tx_seq, rx_control);
3312 3514
3313 if (L2CAP_CTRL_FINAL & rx_control && 3515 if (L2CAP_CTRL_FINAL & rx_control &&
3314 chan->conn_state & L2CAP_CONN_WAIT_F) { 3516 test_bit(CONN_WAIT_F, &chan->conn_state)) {
3315 del_timer(&chan->monitor_timer); 3517 __clear_monitor_timer(chan);
3316 if (chan->unacked_frames > 0) 3518 if (chan->unacked_frames > 0)
3317 __mod_retrans_timer(); 3519 __set_retrans_timer(chan);
3318 chan->conn_state &= ~L2CAP_CONN_WAIT_F; 3520 clear_bit(CONN_WAIT_F, &chan->conn_state);
3319 } 3521 }
3320 3522
3321 chan->expected_ack_seq = req_seq; 3523 chan->expected_ack_seq = req_seq;
@@ -3334,10 +3536,10 @@ static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u16 rx_cont
3334 goto drop; 3536 goto drop;
3335 } 3537 }
3336 3538
3337 if (chan->conn_state == L2CAP_CONN_LOCAL_BUSY) 3539 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
3338 goto drop; 3540 goto drop;
3339 3541
3340 if (chan->conn_state & L2CAP_CONN_SREJ_SENT) { 3542 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3341 struct srej_list *first; 3543 struct srej_list *first;
3342 3544
3343 first = list_first_entry(&chan->srej_l, 3545 first = list_first_entry(&chan->srej_l,
@@ -3351,7 +3553,7 @@ static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u16 rx_cont
3351 3553
3352 if (list_empty(&chan->srej_l)) { 3554 if (list_empty(&chan->srej_l)) {
3353 chan->buffer_seq = chan->buffer_seq_srej; 3555 chan->buffer_seq = chan->buffer_seq_srej;
3354 chan->conn_state &= ~L2CAP_CONN_SREJ_SENT; 3556 clear_bit(CONN_SREJ_SENT, &chan->conn_state);
3355 l2cap_send_ack(chan); 3557 l2cap_send_ack(chan);
3356 BT_DBG("chan %p, Exit SREJ_SENT", chan); 3558 BT_DBG("chan %p, Exit SREJ_SENT", chan);
3357 } 3559 }
@@ -3380,7 +3582,7 @@ static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u16 rx_cont
3380 if (tx_seq_offset < expected_tx_seq_offset) 3582 if (tx_seq_offset < expected_tx_seq_offset)
3381 goto drop; 3583 goto drop;
3382 3584
3383 chan->conn_state |= L2CAP_CONN_SREJ_SENT; 3585 set_bit(CONN_SREJ_SENT, &chan->conn_state);
3384 3586
3385 BT_DBG("chan %p, Enter SREJ", chan); 3587 BT_DBG("chan %p, Enter SREJ", chan);
3386 3588
@@ -3391,18 +3593,18 @@ static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u16 rx_cont
3391 __skb_queue_head_init(&chan->busy_q); 3593 __skb_queue_head_init(&chan->busy_q);
3392 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar); 3594 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
3393 3595
3394 chan->conn_state |= L2CAP_CONN_SEND_PBIT; 3596 set_bit(CONN_SEND_PBIT, &chan->conn_state);
3395 3597
3396 l2cap_send_srejframe(chan, tx_seq); 3598 l2cap_send_srejframe(chan, tx_seq);
3397 3599
3398 del_timer(&chan->ack_timer); 3600 __clear_ack_timer(chan);
3399 } 3601 }
3400 return 0; 3602 return 0;
3401 3603
3402expected: 3604expected:
3403 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64; 3605 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
3404 3606
3405 if (chan->conn_state & L2CAP_CONN_SREJ_SENT) { 3607 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3406 bt_cb(skb)->tx_seq = tx_seq; 3608 bt_cb(skb)->tx_seq = tx_seq;
3407 bt_cb(skb)->sar = sar; 3609 bt_cb(skb)->sar = sar;
3408 __skb_queue_tail(&chan->srej_q, skb); 3610 __skb_queue_tail(&chan->srej_q, skb);
@@ -3414,13 +3616,11 @@ expected:
3414 return 0; 3616 return 0;
3415 3617
3416 if (rx_control & L2CAP_CTRL_FINAL) { 3618 if (rx_control & L2CAP_CTRL_FINAL) {
3417 if (chan->conn_state & L2CAP_CONN_REJ_ACT) 3619 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
3418 chan->conn_state &= ~L2CAP_CONN_REJ_ACT;
3419 else
3420 l2cap_retransmit_frames(chan); 3620 l2cap_retransmit_frames(chan);
3421 } 3621 }
3422 3622
3423 __mod_ack_timer(); 3623 __set_ack_timer(chan);
3424 3624
3425 chan->num_acked = (chan->num_acked + 1) % num_to_ack; 3625 chan->num_acked = (chan->num_acked + 1) % num_to_ack;
3426 if (chan->num_acked == num_to_ack - 1) 3626 if (chan->num_acked == num_to_ack - 1)
@@ -3442,33 +3642,31 @@ static inline void l2cap_data_channel_rrframe(struct l2cap_chan *chan, u16 rx_co
3442 l2cap_drop_acked_frames(chan); 3642 l2cap_drop_acked_frames(chan);
3443 3643
3444 if (rx_control & L2CAP_CTRL_POLL) { 3644 if (rx_control & L2CAP_CTRL_POLL) {
3445 chan->conn_state |= L2CAP_CONN_SEND_FBIT; 3645 set_bit(CONN_SEND_FBIT, &chan->conn_state);
3446 if (chan->conn_state & L2CAP_CONN_SREJ_SENT) { 3646 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3447 if ((chan->conn_state & L2CAP_CONN_REMOTE_BUSY) && 3647 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
3448 (chan->unacked_frames > 0)) 3648 (chan->unacked_frames > 0))
3449 __mod_retrans_timer(); 3649 __set_retrans_timer(chan);
3450 3650
3451 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY; 3651 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
3452 l2cap_send_srejtail(chan); 3652 l2cap_send_srejtail(chan);
3453 } else { 3653 } else {
3454 l2cap_send_i_or_rr_or_rnr(chan); 3654 l2cap_send_i_or_rr_or_rnr(chan);
3455 } 3655 }
3456 3656
3457 } else if (rx_control & L2CAP_CTRL_FINAL) { 3657 } else if (rx_control & L2CAP_CTRL_FINAL) {
3458 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY; 3658 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
3459 3659
3460 if (chan->conn_state & L2CAP_CONN_REJ_ACT) 3660 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
3461 chan->conn_state &= ~L2CAP_CONN_REJ_ACT;
3462 else
3463 l2cap_retransmit_frames(chan); 3661 l2cap_retransmit_frames(chan);
3464 3662
3465 } else { 3663 } else {
3466 if ((chan->conn_state & L2CAP_CONN_REMOTE_BUSY) && 3664 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
3467 (chan->unacked_frames > 0)) 3665 (chan->unacked_frames > 0))
3468 __mod_retrans_timer(); 3666 __set_retrans_timer(chan);
3469 3667
3470 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY; 3668 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
3471 if (chan->conn_state & L2CAP_CONN_SREJ_SENT) 3669 if (test_bit(CONN_SREJ_SENT, &chan->conn_state))
3472 l2cap_send_ack(chan); 3670 l2cap_send_ack(chan);
3473 else 3671 else
3474 l2cap_ertm_send(chan); 3672 l2cap_ertm_send(chan);
@@ -3481,21 +3679,19 @@ static inline void l2cap_data_channel_rejframe(struct l2cap_chan *chan, u16 rx_c
3481 3679
3482 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control); 3680 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
3483 3681
3484 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY; 3682 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
3485 3683
3486 chan->expected_ack_seq = tx_seq; 3684 chan->expected_ack_seq = tx_seq;
3487 l2cap_drop_acked_frames(chan); 3685 l2cap_drop_acked_frames(chan);
3488 3686
3489 if (rx_control & L2CAP_CTRL_FINAL) { 3687 if (rx_control & L2CAP_CTRL_FINAL) {
3490 if (chan->conn_state & L2CAP_CONN_REJ_ACT) 3688 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
3491 chan->conn_state &= ~L2CAP_CONN_REJ_ACT;
3492 else
3493 l2cap_retransmit_frames(chan); 3689 l2cap_retransmit_frames(chan);
3494 } else { 3690 } else {
3495 l2cap_retransmit_frames(chan); 3691 l2cap_retransmit_frames(chan);
3496 3692
3497 if (chan->conn_state & L2CAP_CONN_WAIT_F) 3693 if (test_bit(CONN_WAIT_F, &chan->conn_state))
3498 chan->conn_state |= L2CAP_CONN_REJ_ACT; 3694 set_bit(CONN_REJ_ACT, &chan->conn_state);
3499 } 3695 }
3500} 3696}
3501static inline void l2cap_data_channel_srejframe(struct l2cap_chan *chan, u16 rx_control) 3697static inline void l2cap_data_channel_srejframe(struct l2cap_chan *chan, u16 rx_control)
@@ -3504,32 +3700,32 @@ static inline void l2cap_data_channel_srejframe(struct l2cap_chan *chan, u16 rx_
3504 3700
3505 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control); 3701 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
3506 3702
3507 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY; 3703 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
3508 3704
3509 if (rx_control & L2CAP_CTRL_POLL) { 3705 if (rx_control & L2CAP_CTRL_POLL) {
3510 chan->expected_ack_seq = tx_seq; 3706 chan->expected_ack_seq = tx_seq;
3511 l2cap_drop_acked_frames(chan); 3707 l2cap_drop_acked_frames(chan);
3512 3708
3513 chan->conn_state |= L2CAP_CONN_SEND_FBIT; 3709 set_bit(CONN_SEND_FBIT, &chan->conn_state);
3514 l2cap_retransmit_one_frame(chan, tx_seq); 3710 l2cap_retransmit_one_frame(chan, tx_seq);
3515 3711
3516 l2cap_ertm_send(chan); 3712 l2cap_ertm_send(chan);
3517 3713
3518 if (chan->conn_state & L2CAP_CONN_WAIT_F) { 3714 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
3519 chan->srej_save_reqseq = tx_seq; 3715 chan->srej_save_reqseq = tx_seq;
3520 chan->conn_state |= L2CAP_CONN_SREJ_ACT; 3716 set_bit(CONN_SREJ_ACT, &chan->conn_state);
3521 } 3717 }
3522 } else if (rx_control & L2CAP_CTRL_FINAL) { 3718 } else if (rx_control & L2CAP_CTRL_FINAL) {
3523 if ((chan->conn_state & L2CAP_CONN_SREJ_ACT) && 3719 if (test_bit(CONN_SREJ_ACT, &chan->conn_state) &&
3524 chan->srej_save_reqseq == tx_seq) 3720 chan->srej_save_reqseq == tx_seq)
3525 chan->conn_state &= ~L2CAP_CONN_SREJ_ACT; 3721 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
3526 else 3722 else
3527 l2cap_retransmit_one_frame(chan, tx_seq); 3723 l2cap_retransmit_one_frame(chan, tx_seq);
3528 } else { 3724 } else {
3529 l2cap_retransmit_one_frame(chan, tx_seq); 3725 l2cap_retransmit_one_frame(chan, tx_seq);
3530 if (chan->conn_state & L2CAP_CONN_WAIT_F) { 3726 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
3531 chan->srej_save_reqseq = tx_seq; 3727 chan->srej_save_reqseq = tx_seq;
3532 chan->conn_state |= L2CAP_CONN_SREJ_ACT; 3728 set_bit(CONN_SREJ_ACT, &chan->conn_state);
3533 } 3729 }
3534 } 3730 }
3535} 3731}
@@ -3540,15 +3736,15 @@ static inline void l2cap_data_channel_rnrframe(struct l2cap_chan *chan, u16 rx_c
3540 3736
3541 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control); 3737 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
3542 3738
3543 chan->conn_state |= L2CAP_CONN_REMOTE_BUSY; 3739 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
3544 chan->expected_ack_seq = tx_seq; 3740 chan->expected_ack_seq = tx_seq;
3545 l2cap_drop_acked_frames(chan); 3741 l2cap_drop_acked_frames(chan);
3546 3742
3547 if (rx_control & L2CAP_CTRL_POLL) 3743 if (rx_control & L2CAP_CTRL_POLL)
3548 chan->conn_state |= L2CAP_CONN_SEND_FBIT; 3744 set_bit(CONN_SEND_FBIT, &chan->conn_state);
3549 3745
3550 if (!(chan->conn_state & L2CAP_CONN_SREJ_SENT)) { 3746 if (!test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3551 del_timer(&chan->retrans_timer); 3747 __clear_retrans_timer(chan);
3552 if (rx_control & L2CAP_CTRL_POLL) 3748 if (rx_control & L2CAP_CTRL_POLL)
3553 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_FINAL); 3749 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_FINAL);
3554 return; 3750 return;
@@ -3565,11 +3761,11 @@ static inline int l2cap_data_channel_sframe(struct l2cap_chan *chan, u16 rx_cont
3565 BT_DBG("chan %p rx_control 0x%4.4x len %d", chan, rx_control, skb->len); 3761 BT_DBG("chan %p rx_control 0x%4.4x len %d", chan, rx_control, skb->len);
3566 3762
3567 if (L2CAP_CTRL_FINAL & rx_control && 3763 if (L2CAP_CTRL_FINAL & rx_control &&
3568 chan->conn_state & L2CAP_CONN_WAIT_F) { 3764 test_bit(CONN_WAIT_F, &chan->conn_state)) {
3569 del_timer(&chan->monitor_timer); 3765 __clear_monitor_timer(chan);
3570 if (chan->unacked_frames > 0) 3766 if (chan->unacked_frames > 0)
3571 __mod_retrans_timer(); 3767 __set_retrans_timer(chan);
3572 chan->conn_state &= ~L2CAP_CONN_WAIT_F; 3768 clear_bit(CONN_WAIT_F, &chan->conn_state);
3573 } 3769 }
3574 3770
3575 switch (rx_control & L2CAP_CTRL_SUPERVISE) { 3771 switch (rx_control & L2CAP_CTRL_SUPERVISE) {
@@ -3668,7 +3864,6 @@ static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk
3668{ 3864{
3669 struct l2cap_chan *chan; 3865 struct l2cap_chan *chan;
3670 struct sock *sk = NULL; 3866 struct sock *sk = NULL;
3671 struct l2cap_pinfo *pi;
3672 u16 control; 3867 u16 control;
3673 u8 tx_seq; 3868 u8 tx_seq;
3674 int len; 3869 int len;
@@ -3680,11 +3875,10 @@ static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk
3680 } 3875 }
3681 3876
3682 sk = chan->sk; 3877 sk = chan->sk;
3683 pi = l2cap_pi(sk);
3684 3878
3685 BT_DBG("chan %p, len %d", chan, skb->len); 3879 BT_DBG("chan %p, len %d", chan, skb->len);
3686 3880
3687 if (sk->sk_state != BT_CONNECTED) 3881 if (chan->state != BT_CONNECTED)
3688 goto drop; 3882 goto drop;
3689 3883
3690 switch (chan->mode) { 3884 switch (chan->mode) {
@@ -3697,7 +3891,7 @@ static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk
3697 if (chan->imtu < skb->len) 3891 if (chan->imtu < skb->len)
3698 goto drop; 3892 goto drop;
3699 3893
3700 if (!sock_queue_rcv_skb(sk, skb)) 3894 if (!chan->ops->recv(chan->data, skb))
3701 goto done; 3895 goto done;
3702 break; 3896 break;
3703 3897
@@ -3769,13 +3963,13 @@ static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, str
3769 3963
3770 BT_DBG("sk %p, len %d", sk, skb->len); 3964 BT_DBG("sk %p, len %d", sk, skb->len);
3771 3965
3772 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_CONNECTED) 3966 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
3773 goto drop; 3967 goto drop;
3774 3968
3775 if (l2cap_pi(sk)->chan->imtu < skb->len) 3969 if (chan->imtu < skb->len)
3776 goto drop; 3970 goto drop;
3777 3971
3778 if (!sock_queue_rcv_skb(sk, skb)) 3972 if (!chan->ops->recv(chan->data, skb))
3779 goto done; 3973 goto done;
3780 3974
3781drop: 3975drop:
@@ -3802,13 +3996,13 @@ static inline int l2cap_att_channel(struct l2cap_conn *conn, __le16 cid, struct
3802 3996
3803 BT_DBG("sk %p, len %d", sk, skb->len); 3997 BT_DBG("sk %p, len %d", sk, skb->len);
3804 3998
3805 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_CONNECTED) 3999 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
3806 goto drop; 4000 goto drop;
3807 4001
3808 if (l2cap_pi(sk)->chan->imtu < skb->len) 4002 if (chan->imtu < skb->len)
3809 goto drop; 4003 goto drop;
3810 4004
3811 if (!sock_queue_rcv_skb(sk, skb)) 4005 if (!chan->ops->recv(chan->data, skb))
3812 goto done; 4006 goto done;
3813 4007
3814drop: 4008drop:
@@ -3853,6 +4047,11 @@ static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
3853 l2cap_att_channel(conn, cid, skb); 4047 l2cap_att_channel(conn, cid, skb);
3854 break; 4048 break;
3855 4049
4050 case L2CAP_CID_SMP:
4051 if (smp_sig_channel(conn, skb))
4052 l2cap_conn_del(conn->hcon, EACCES);
4053 break;
4054
3856 default: 4055 default:
3857 l2cap_data_channel(conn, cid, skb); 4056 l2cap_data_channel(conn, cid, skb);
3858 break; 4057 break;
@@ -3876,7 +4075,7 @@ static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
3876 list_for_each_entry(c, &chan_list, global_l) { 4075 list_for_each_entry(c, &chan_list, global_l) {
3877 struct sock *sk = c->sk; 4076 struct sock *sk = c->sk;
3878 4077
3879 if (sk->sk_state != BT_LISTEN) 4078 if (c->state != BT_LISTEN)
3880 continue; 4079 continue;
3881 4080
3882 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) { 4081 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
@@ -3920,7 +4119,7 @@ static int l2cap_disconn_ind(struct hci_conn *hcon)
3920 4119
3921 BT_DBG("hcon %p", hcon); 4120 BT_DBG("hcon %p", hcon);
3922 4121
3923 if (hcon->type != ACL_LINK || !conn) 4122 if ((hcon->type != ACL_LINK && hcon->type != LE_LINK) || !conn)
3924 return 0x13; 4123 return 0x13;
3925 4124
3926 return conn->disc_reason; 4125 return conn->disc_reason;
@@ -3940,20 +4139,18 @@ static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
3940 4139
3941static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt) 4140static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
3942{ 4141{
3943 struct sock *sk = chan->sk; 4142 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
3944
3945 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM)
3946 return; 4143 return;
3947 4144
3948 if (encrypt == 0x00) { 4145 if (encrypt == 0x00) {
3949 if (chan->sec_level == BT_SECURITY_MEDIUM) { 4146 if (chan->sec_level == BT_SECURITY_MEDIUM) {
3950 l2cap_sock_clear_timer(sk); 4147 __clear_chan_timer(chan);
3951 l2cap_sock_set_timer(sk, HZ * 5); 4148 __set_chan_timer(chan, HZ * 5);
3952 } else if (chan->sec_level == BT_SECURITY_HIGH) 4149 } else if (chan->sec_level == BT_SECURITY_HIGH)
3953 __l2cap_sock_close(sk, ECONNREFUSED); 4150 l2cap_chan_close(chan, ECONNREFUSED);
3954 } else { 4151 } else {
3955 if (chan->sec_level == BT_SECURITY_MEDIUM) 4152 if (chan->sec_level == BT_SECURITY_MEDIUM)
3956 l2cap_sock_clear_timer(sk); 4153 __clear_chan_timer(chan);
3957 } 4154 }
3958} 4155}
3959 4156
@@ -3974,34 +4171,47 @@ static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
3974 4171
3975 bh_lock_sock(sk); 4172 bh_lock_sock(sk);
3976 4173
3977 if (chan->conf_state & L2CAP_CONF_CONNECT_PEND) { 4174 BT_DBG("chan->scid %d", chan->scid);
4175
4176 if (chan->scid == L2CAP_CID_LE_DATA) {
4177 if (!status && encrypt) {
4178 chan->sec_level = hcon->sec_level;
4179 del_timer(&conn->security_timer);
4180 l2cap_chan_ready(sk);
4181 }
4182
3978 bh_unlock_sock(sk); 4183 bh_unlock_sock(sk);
3979 continue; 4184 continue;
3980 } 4185 }
3981 4186
3982 if (!status && (sk->sk_state == BT_CONNECTED || 4187 if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
3983 sk->sk_state == BT_CONFIG)) { 4188 bh_unlock_sock(sk);
4189 continue;
4190 }
4191
4192 if (!status && (chan->state == BT_CONNECTED ||
4193 chan->state == BT_CONFIG)) {
3984 l2cap_check_encryption(chan, encrypt); 4194 l2cap_check_encryption(chan, encrypt);
3985 bh_unlock_sock(sk); 4195 bh_unlock_sock(sk);
3986 continue; 4196 continue;
3987 } 4197 }
3988 4198
3989 if (sk->sk_state == BT_CONNECT) { 4199 if (chan->state == BT_CONNECT) {
3990 if (!status) { 4200 if (!status) {
3991 struct l2cap_conn_req req; 4201 struct l2cap_conn_req req;
3992 req.scid = cpu_to_le16(chan->scid); 4202 req.scid = cpu_to_le16(chan->scid);
3993 req.psm = chan->psm; 4203 req.psm = chan->psm;
3994 4204
3995 chan->ident = l2cap_get_ident(conn); 4205 chan->ident = l2cap_get_ident(conn);
3996 chan->conf_state |= L2CAP_CONF_CONNECT_PEND; 4206 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
3997 4207
3998 l2cap_send_cmd(conn, chan->ident, 4208 l2cap_send_cmd(conn, chan->ident,
3999 L2CAP_CONN_REQ, sizeof(req), &req); 4209 L2CAP_CONN_REQ, sizeof(req), &req);
4000 } else { 4210 } else {
4001 l2cap_sock_clear_timer(sk); 4211 __clear_chan_timer(chan);
4002 l2cap_sock_set_timer(sk, HZ / 10); 4212 __set_chan_timer(chan, HZ / 10);
4003 } 4213 }
4004 } else if (sk->sk_state == BT_CONNECT2) { 4214 } else if (chan->state == BT_CONNECT2) {
4005 struct l2cap_conn_rsp rsp; 4215 struct l2cap_conn_rsp rsp;
4006 __u16 res, stat; 4216 __u16 res, stat;
4007 4217
@@ -4012,13 +4222,13 @@ static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
4012 stat = L2CAP_CS_AUTHOR_PEND; 4222 stat = L2CAP_CS_AUTHOR_PEND;
4013 parent->sk_data_ready(parent, 0); 4223 parent->sk_data_ready(parent, 0);
4014 } else { 4224 } else {
4015 sk->sk_state = BT_CONFIG; 4225 l2cap_state_change(chan, BT_CONFIG);
4016 res = L2CAP_CR_SUCCESS; 4226 res = L2CAP_CR_SUCCESS;
4017 stat = L2CAP_CS_NO_INFO; 4227 stat = L2CAP_CS_NO_INFO;
4018 } 4228 }
4019 } else { 4229 } else {
4020 sk->sk_state = BT_DISCONN; 4230 l2cap_state_change(chan, BT_DISCONN);
4021 l2cap_sock_set_timer(sk, HZ / 10); 4231 __set_chan_timer(chan, HZ / 10);
4022 res = L2CAP_CR_SEC_BLOCK; 4232 res = L2CAP_CR_SEC_BLOCK;
4023 stat = L2CAP_CS_NO_INFO; 4233 stat = L2CAP_CS_NO_INFO;
4024 } 4234 }
@@ -4162,10 +4372,10 @@ static int l2cap_debugfs_show(struct seq_file *f, void *p)
4162 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n", 4372 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
4163 batostr(&bt_sk(sk)->src), 4373 batostr(&bt_sk(sk)->src),
4164 batostr(&bt_sk(sk)->dst), 4374 batostr(&bt_sk(sk)->dst),
4165 sk->sk_state, __le16_to_cpu(c->psm), 4375 c->state, __le16_to_cpu(c->psm),
4166 c->scid, c->dcid, c->imtu, c->omtu, 4376 c->scid, c->dcid, c->imtu, c->omtu,
4167 c->sec_level, c->mode); 4377 c->sec_level, c->mode);
4168 } 4378}
4169 4379
4170 read_unlock_bh(&chan_list_lock); 4380 read_unlock_bh(&chan_list_lock);
4171 4381
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index 8248303f44e8..39082d4e77ce 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -29,54 +29,11 @@
29#include <net/bluetooth/bluetooth.h> 29#include <net/bluetooth/bluetooth.h>
30#include <net/bluetooth/hci_core.h> 30#include <net/bluetooth/hci_core.h>
31#include <net/bluetooth/l2cap.h> 31#include <net/bluetooth/l2cap.h>
32#include <net/bluetooth/smp.h>
32 33
33static const struct proto_ops l2cap_sock_ops; 34static const struct proto_ops l2cap_sock_ops;
34 35static void l2cap_sock_init(struct sock *sk, struct sock *parent);
35/* ---- L2CAP timers ---- */ 36static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio);
36static void l2cap_sock_timeout(unsigned long arg)
37{
38 struct sock *sk = (struct sock *) arg;
39 int reason;
40
41 BT_DBG("sock %p state %d", sk, sk->sk_state);
42
43 bh_lock_sock(sk);
44
45 if (sock_owned_by_user(sk)) {
46 /* sk is owned by user. Try again later */
47 l2cap_sock_set_timer(sk, HZ / 5);
48 bh_unlock_sock(sk);
49 sock_put(sk);
50 return;
51 }
52
53 if (sk->sk_state == BT_CONNECTED || sk->sk_state == BT_CONFIG)
54 reason = ECONNREFUSED;
55 else if (sk->sk_state == BT_CONNECT &&
56 l2cap_pi(sk)->chan->sec_level != BT_SECURITY_SDP)
57 reason = ECONNREFUSED;
58 else
59 reason = ETIMEDOUT;
60
61 __l2cap_sock_close(sk, reason);
62
63 bh_unlock_sock(sk);
64
65 l2cap_sock_kill(sk);
66 sock_put(sk);
67}
68
69void l2cap_sock_set_timer(struct sock *sk, long timeout)
70{
71 BT_DBG("sk %p state %d timeout %ld", sk, sk->sk_state, timeout);
72 sk_reset_timer(sk, &sk->sk_timer, jiffies + timeout);
73}
74
75void l2cap_sock_clear_timer(struct sock *sk)
76{
77 BT_DBG("sock %p state %d", sk, sk->sk_state);
78 sk_stop_timer(sk, &sk->sk_timer);
79}
80 37
81static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen) 38static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
82{ 39{
@@ -133,6 +90,8 @@ static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
133 chan->sec_level = BT_SECURITY_SDP; 90 chan->sec_level = BT_SECURITY_SDP;
134 91
135 bacpy(&bt_sk(sk)->src, &la.l2_bdaddr); 92 bacpy(&bt_sk(sk)->src, &la.l2_bdaddr);
93
94 chan->state = BT_BOUND;
136 sk->sk_state = BT_BOUND; 95 sk->sk_state = BT_BOUND;
137 96
138done: 97done:
@@ -162,7 +121,7 @@ static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, int al
162 121
163 lock_sock(sk); 122 lock_sock(sk);
164 123
165 if ((sk->sk_type == SOCK_SEQPACKET || sk->sk_type == SOCK_STREAM) 124 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED
166 && !(la.l2_psm || la.l2_cid)) { 125 && !(la.l2_psm || la.l2_cid)) {
167 err = -EINVAL; 126 err = -EINVAL;
168 goto done; 127 goto done;
@@ -204,8 +163,8 @@ static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, int al
204 } 163 }
205 164
206 /* PSM must be odd and lsb of upper byte must be 0 */ 165 /* PSM must be odd and lsb of upper byte must be 0 */
207 if ((__le16_to_cpu(la.l2_psm) & 0x0101) != 0x0001 && 166 if ((__le16_to_cpu(la.l2_psm) & 0x0101) != 0x0001 && !la.l2_cid &&
208 sk->sk_type != SOCK_RAW && !la.l2_cid) { 167 chan->chan_type != L2CAP_CHAN_RAW) {
209 err = -EINVAL; 168 err = -EINVAL;
210 goto done; 169 goto done;
211 } 170 }
@@ -258,6 +217,8 @@ static int l2cap_sock_listen(struct socket *sock, int backlog)
258 217
259 sk->sk_max_ack_backlog = backlog; 218 sk->sk_max_ack_backlog = backlog;
260 sk->sk_ack_backlog = 0; 219 sk->sk_ack_backlog = 0;
220
221 chan->state = BT_LISTEN;
261 sk->sk_state = BT_LISTEN; 222 sk->sk_state = BT_LISTEN;
262 223
263done: 224done:
@@ -437,6 +398,7 @@ static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, ch
437 struct sock *sk = sock->sk; 398 struct sock *sk = sock->sk;
438 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 399 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
439 struct bt_security sec; 400 struct bt_security sec;
401 struct bt_power pwr;
440 int len, err = 0; 402 int len, err = 0;
441 403
442 BT_DBG("sk %p", sk); 404 BT_DBG("sk %p", sk);
@@ -454,8 +416,8 @@ static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, ch
454 416
455 switch (optname) { 417 switch (optname) {
456 case BT_SECURITY: 418 case BT_SECURITY:
457 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM 419 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
458 && sk->sk_type != SOCK_RAW) { 420 chan->chan_type != L2CAP_CHAN_RAW) {
459 err = -EINVAL; 421 err = -EINVAL;
460 break; 422 break;
461 } 423 }
@@ -485,6 +447,21 @@ static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, ch
485 447
486 break; 448 break;
487 449
450 case BT_POWER:
451 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
452 && sk->sk_type != SOCK_RAW) {
453 err = -EINVAL;
454 break;
455 }
456
457 pwr.force_active = chan->force_active;
458
459 len = min_t(unsigned int, len, sizeof(pwr));
460 if (copy_to_user(optval, (char *) &pwr, len))
461 err = -EFAULT;
462
463 break;
464
488 default: 465 default:
489 err = -ENOPROTOOPT; 466 err = -ENOPROTOOPT;
490 break; 467 break;
@@ -535,7 +512,7 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __us
535 chan->mode = opts.mode; 512 chan->mode = opts.mode;
536 switch (chan->mode) { 513 switch (chan->mode) {
537 case L2CAP_MODE_BASIC: 514 case L2CAP_MODE_BASIC:
538 chan->conf_state &= ~L2CAP_CONF_STATE2_DEVICE; 515 clear_bit(CONF_STATE2_DEVICE, &chan->conf_state);
539 break; 516 break;
540 case L2CAP_MODE_ERTM: 517 case L2CAP_MODE_ERTM:
541 case L2CAP_MODE_STREAMING: 518 case L2CAP_MODE_STREAMING:
@@ -585,6 +562,8 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, ch
585 struct sock *sk = sock->sk; 562 struct sock *sk = sock->sk;
586 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 563 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
587 struct bt_security sec; 564 struct bt_security sec;
565 struct bt_power pwr;
566 struct l2cap_conn *conn;
588 int len, err = 0; 567 int len, err = 0;
589 u32 opt; 568 u32 opt;
590 569
@@ -600,8 +579,8 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, ch
600 579
601 switch (optname) { 580 switch (optname) {
602 case BT_SECURITY: 581 case BT_SECURITY:
603 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM 582 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
604 && sk->sk_type != SOCK_RAW) { 583 chan->chan_type != L2CAP_CHAN_RAW) {
605 err = -EINVAL; 584 err = -EINVAL;
606 break; 585 break;
607 } 586 }
@@ -621,6 +600,20 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, ch
621 } 600 }
622 601
623 chan->sec_level = sec.level; 602 chan->sec_level = sec.level;
603
604 conn = chan->conn;
605 if (conn && chan->scid == L2CAP_CID_LE_DATA) {
606 if (!conn->hcon->out) {
607 err = -EINVAL;
608 break;
609 }
610
611 if (smp_conn_security(conn, sec.level))
612 break;
613
614 err = 0;
615 sk->sk_state = BT_CONFIG;
616 }
624 break; 617 break;
625 618
626 case BT_DEFER_SETUP: 619 case BT_DEFER_SETUP:
@@ -661,6 +654,23 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, ch
661 chan->flushable = opt; 654 chan->flushable = opt;
662 break; 655 break;
663 656
657 case BT_POWER:
658 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
659 chan->chan_type != L2CAP_CHAN_RAW) {
660 err = -EINVAL;
661 break;
662 }
663
664 pwr.force_active = BT_POWER_FORCE_ACTIVE_ON;
665
666 len = min_t(unsigned int, sizeof(pwr), optlen);
667 if (copy_from_user((char *) &pwr, optval, len)) {
668 err = -EFAULT;
669 break;
670 }
671 chan->force_active = pwr.force_active;
672 break;
673
664 default: 674 default:
665 err = -ENOPROTOOPT; 675 err = -ENOPROTOOPT;
666 break; 676 break;
@@ -674,8 +684,6 @@ static int l2cap_sock_sendmsg(struct kiocb *iocb, struct socket *sock, struct ms
674{ 684{
675 struct sock *sk = sock->sk; 685 struct sock *sk = sock->sk;
676 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 686 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
677 struct sk_buff *skb;
678 u16 control;
679 int err; 687 int err;
680 688
681 BT_DBG("sock %p, sk %p", sock, sk); 689 BT_DBG("sock %p, sk %p", sock, sk);
@@ -690,87 +698,12 @@ static int l2cap_sock_sendmsg(struct kiocb *iocb, struct socket *sock, struct ms
690 lock_sock(sk); 698 lock_sock(sk);
691 699
692 if (sk->sk_state != BT_CONNECTED) { 700 if (sk->sk_state != BT_CONNECTED) {
693 err = -ENOTCONN; 701 release_sock(sk);
694 goto done; 702 return -ENOTCONN;
695 }
696
697 /* Connectionless channel */
698 if (sk->sk_type == SOCK_DGRAM) {
699 skb = l2cap_create_connless_pdu(chan, msg, len);
700 if (IS_ERR(skb)) {
701 err = PTR_ERR(skb);
702 } else {
703 l2cap_do_send(chan, skb);
704 err = len;
705 }
706 goto done;
707 } 703 }
708 704
709 switch (chan->mode) { 705 err = l2cap_chan_send(chan, msg, len);
710 case L2CAP_MODE_BASIC:
711 /* Check outgoing MTU */
712 if (len > chan->omtu) {
713 err = -EMSGSIZE;
714 goto done;
715 }
716
717 /* Create a basic PDU */
718 skb = l2cap_create_basic_pdu(chan, msg, len);
719 if (IS_ERR(skb)) {
720 err = PTR_ERR(skb);
721 goto done;
722 }
723
724 l2cap_do_send(chan, skb);
725 err = len;
726 break;
727
728 case L2CAP_MODE_ERTM:
729 case L2CAP_MODE_STREAMING:
730 /* Entire SDU fits into one PDU */
731 if (len <= chan->remote_mps) {
732 control = L2CAP_SDU_UNSEGMENTED;
733 skb = l2cap_create_iframe_pdu(chan, msg, len, control,
734 0);
735 if (IS_ERR(skb)) {
736 err = PTR_ERR(skb);
737 goto done;
738 }
739 __skb_queue_tail(&chan->tx_q, skb);
740
741 if (chan->tx_send_head == NULL)
742 chan->tx_send_head = skb;
743
744 } else {
745 /* Segment SDU into multiples PDUs */
746 err = l2cap_sar_segment_sdu(chan, msg, len);
747 if (err < 0)
748 goto done;
749 }
750
751 if (chan->mode == L2CAP_MODE_STREAMING) {
752 l2cap_streaming_send(chan);
753 err = len;
754 break;
755 }
756
757 if ((chan->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
758 (chan->conn_state & L2CAP_CONN_WAIT_F)) {
759 err = len;
760 break;
761 }
762 err = l2cap_ertm_send(chan);
763
764 if (err >= 0)
765 err = len;
766 break;
767
768 default:
769 BT_DBG("bad state %1.1x", chan->mode);
770 err = -EBADFD;
771 }
772 706
773done:
774 release_sock(sk); 707 release_sock(sk);
775 return err; 708 return err;
776} 709}
@@ -800,7 +733,7 @@ static int l2cap_sock_recvmsg(struct kiocb *iocb, struct socket *sock, struct ms
800/* Kill socket (only if zapped and orphan) 733/* Kill socket (only if zapped and orphan)
801 * Must be called on unlocked socket. 734 * Must be called on unlocked socket.
802 */ 735 */
803void l2cap_sock_kill(struct sock *sk) 736static void l2cap_sock_kill(struct sock *sk)
804{ 737{
805 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket) 738 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
806 return; 739 return;
@@ -814,87 +747,6 @@ void l2cap_sock_kill(struct sock *sk)
814 sock_put(sk); 747 sock_put(sk);
815} 748}
816 749
817/* Must be called on unlocked socket. */
818static void l2cap_sock_close(struct sock *sk)
819{
820 l2cap_sock_clear_timer(sk);
821 lock_sock(sk);
822 __l2cap_sock_close(sk, ECONNRESET);
823 release_sock(sk);
824 l2cap_sock_kill(sk);
825}
826
827static void l2cap_sock_cleanup_listen(struct sock *parent)
828{
829 struct sock *sk;
830
831 BT_DBG("parent %p", parent);
832
833 /* Close not yet accepted channels */
834 while ((sk = bt_accept_dequeue(parent, NULL)))
835 l2cap_sock_close(sk);
836
837 parent->sk_state = BT_CLOSED;
838 sock_set_flag(parent, SOCK_ZAPPED);
839}
840
841void __l2cap_sock_close(struct sock *sk, int reason)
842{
843 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
844 struct l2cap_conn *conn = chan->conn;
845
846 BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
847
848 switch (sk->sk_state) {
849 case BT_LISTEN:
850 l2cap_sock_cleanup_listen(sk);
851 break;
852
853 case BT_CONNECTED:
854 case BT_CONFIG:
855 if ((sk->sk_type == SOCK_SEQPACKET ||
856 sk->sk_type == SOCK_STREAM) &&
857 conn->hcon->type == ACL_LINK) {
858 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
859 l2cap_send_disconn_req(conn, chan, reason);
860 } else
861 l2cap_chan_del(chan, reason);
862 break;
863
864 case BT_CONNECT2:
865 if ((sk->sk_type == SOCK_SEQPACKET ||
866 sk->sk_type == SOCK_STREAM) &&
867 conn->hcon->type == ACL_LINK) {
868 struct l2cap_conn_rsp rsp;
869 __u16 result;
870
871 if (bt_sk(sk)->defer_setup)
872 result = L2CAP_CR_SEC_BLOCK;
873 else
874 result = L2CAP_CR_BAD_PSM;
875
876 rsp.scid = cpu_to_le16(chan->dcid);
877 rsp.dcid = cpu_to_le16(chan->scid);
878 rsp.result = cpu_to_le16(result);
879 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
880 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
881 sizeof(rsp), &rsp);
882 }
883
884 l2cap_chan_del(chan, reason);
885 break;
886
887 case BT_CONNECT:
888 case BT_DISCONN:
889 l2cap_chan_del(chan, reason);
890 break;
891
892 default:
893 sock_set_flag(sk, SOCK_ZAPPED);
894 break;
895 }
896}
897
898static int l2cap_sock_shutdown(struct socket *sock, int how) 750static int l2cap_sock_shutdown(struct socket *sock, int how)
899{ 751{
900 struct sock *sk = sock->sk; 752 struct sock *sk = sock->sk;
@@ -912,8 +764,7 @@ static int l2cap_sock_shutdown(struct socket *sock, int how)
912 err = __l2cap_wait_ack(sk); 764 err = __l2cap_wait_ack(sk);
913 765
914 sk->sk_shutdown = SHUTDOWN_MASK; 766 sk->sk_shutdown = SHUTDOWN_MASK;
915 l2cap_sock_clear_timer(sk); 767 l2cap_chan_close(chan, 0);
916 __l2cap_sock_close(sk, 0);
917 768
918 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime) 769 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime)
919 err = bt_sock_wait_state(sk, BT_CLOSED, 770 err = bt_sock_wait_state(sk, BT_CLOSED,
@@ -944,6 +795,49 @@ static int l2cap_sock_release(struct socket *sock)
944 return err; 795 return err;
945} 796}
946 797
798static struct l2cap_chan *l2cap_sock_new_connection_cb(void *data)
799{
800 struct sock *sk, *parent = data;
801
802 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP,
803 GFP_ATOMIC);
804 if (!sk)
805 return NULL;
806
807 l2cap_sock_init(sk, parent);
808
809 return l2cap_pi(sk)->chan;
810}
811
812static int l2cap_sock_recv_cb(void *data, struct sk_buff *skb)
813{
814 struct sock *sk = data;
815
816 return sock_queue_rcv_skb(sk, skb);
817}
818
819static void l2cap_sock_close_cb(void *data)
820{
821 struct sock *sk = data;
822
823 l2cap_sock_kill(sk);
824}
825
826static void l2cap_sock_state_change_cb(void *data, int state)
827{
828 struct sock *sk = data;
829
830 sk->sk_state = state;
831}
832
833static struct l2cap_ops l2cap_chan_ops = {
834 .name = "L2CAP Socket Interface",
835 .new_connection = l2cap_sock_new_connection_cb,
836 .recv = l2cap_sock_recv_cb,
837 .close = l2cap_sock_close_cb,
838 .state_change = l2cap_sock_state_change_cb,
839};
840
947static void l2cap_sock_destruct(struct sock *sk) 841static void l2cap_sock_destruct(struct sock *sk)
948{ 842{
949 BT_DBG("sk %p", sk); 843 BT_DBG("sk %p", sk);
@@ -952,7 +846,7 @@ static void l2cap_sock_destruct(struct sock *sk)
952 skb_queue_purge(&sk->sk_write_queue); 846 skb_queue_purge(&sk->sk_write_queue);
953} 847}
954 848
955void l2cap_sock_init(struct sock *sk, struct sock *parent) 849static void l2cap_sock_init(struct sock *sk, struct sock *parent)
956{ 850{
957 struct l2cap_pinfo *pi = l2cap_pi(sk); 851 struct l2cap_pinfo *pi = l2cap_pi(sk);
958 struct l2cap_chan *chan = pi->chan; 852 struct l2cap_chan *chan = pi->chan;
@@ -965,6 +859,7 @@ void l2cap_sock_init(struct sock *sk, struct sock *parent)
965 sk->sk_type = parent->sk_type; 859 sk->sk_type = parent->sk_type;
966 bt_sk(sk)->defer_setup = bt_sk(parent)->defer_setup; 860 bt_sk(sk)->defer_setup = bt_sk(parent)->defer_setup;
967 861
862 chan->chan_type = pchan->chan_type;
968 chan->imtu = pchan->imtu; 863 chan->imtu = pchan->imtu;
969 chan->omtu = pchan->omtu; 864 chan->omtu = pchan->omtu;
970 chan->conf_state = pchan->conf_state; 865 chan->conf_state = pchan->conf_state;
@@ -976,12 +871,27 @@ void l2cap_sock_init(struct sock *sk, struct sock *parent)
976 chan->role_switch = pchan->role_switch; 871 chan->role_switch = pchan->role_switch;
977 chan->force_reliable = pchan->force_reliable; 872 chan->force_reliable = pchan->force_reliable;
978 chan->flushable = pchan->flushable; 873 chan->flushable = pchan->flushable;
874 chan->force_active = pchan->force_active;
979 } else { 875 } else {
876
877 switch (sk->sk_type) {
878 case SOCK_RAW:
879 chan->chan_type = L2CAP_CHAN_RAW;
880 break;
881 case SOCK_DGRAM:
882 chan->chan_type = L2CAP_CHAN_CONN_LESS;
883 break;
884 case SOCK_SEQPACKET:
885 case SOCK_STREAM:
886 chan->chan_type = L2CAP_CHAN_CONN_ORIENTED;
887 break;
888 }
889
980 chan->imtu = L2CAP_DEFAULT_MTU; 890 chan->imtu = L2CAP_DEFAULT_MTU;
981 chan->omtu = 0; 891 chan->omtu = 0;
982 if (!disable_ertm && sk->sk_type == SOCK_STREAM) { 892 if (!disable_ertm && sk->sk_type == SOCK_STREAM) {
983 chan->mode = L2CAP_MODE_ERTM; 893 chan->mode = L2CAP_MODE_ERTM;
984 chan->conf_state |= L2CAP_CONF_STATE2_DEVICE; 894 set_bit(CONF_STATE2_DEVICE, &chan->conf_state);
985 } else { 895 } else {
986 chan->mode = L2CAP_MODE_BASIC; 896 chan->mode = L2CAP_MODE_BASIC;
987 } 897 }
@@ -992,10 +902,15 @@ void l2cap_sock_init(struct sock *sk, struct sock *parent)
992 chan->role_switch = 0; 902 chan->role_switch = 0;
993 chan->force_reliable = 0; 903 chan->force_reliable = 0;
994 chan->flushable = BT_FLUSHABLE_OFF; 904 chan->flushable = BT_FLUSHABLE_OFF;
905 chan->force_active = BT_POWER_FORCE_ACTIVE_ON;
906
995 } 907 }
996 908
997 /* Default config options */ 909 /* Default config options */
998 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO; 910 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
911
912 chan->data = sk;
913 chan->ops = &l2cap_chan_ops;
999} 914}
1000 915
1001static struct proto l2cap_proto = { 916static struct proto l2cap_proto = {
@@ -1004,9 +919,10 @@ static struct proto l2cap_proto = {
1004 .obj_size = sizeof(struct l2cap_pinfo) 919 .obj_size = sizeof(struct l2cap_pinfo)
1005}; 920};
1006 921
1007struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio) 922static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio)
1008{ 923{
1009 struct sock *sk; 924 struct sock *sk;
925 struct l2cap_chan *chan;
1010 926
1011 sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto); 927 sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto);
1012 if (!sk) 928 if (!sk)
@@ -1023,7 +939,13 @@ struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int proto, g
1023 sk->sk_protocol = proto; 939 sk->sk_protocol = proto;
1024 sk->sk_state = BT_OPEN; 940 sk->sk_state = BT_OPEN;
1025 941
1026 setup_timer(&sk->sk_timer, l2cap_sock_timeout, (unsigned long) sk); 942 chan = l2cap_chan_create(sk);
943 if (!chan) {
944 l2cap_sock_kill(sk);
945 return NULL;
946 }
947
948 l2cap_pi(sk)->chan = chan;
1027 949
1028 return sk; 950 return sk;
1029} 951}
@@ -1032,7 +954,6 @@ static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
1032 int kern) 954 int kern)
1033{ 955{
1034 struct sock *sk; 956 struct sock *sk;
1035 struct l2cap_chan *chan;
1036 957
1037 BT_DBG("sock %p", sock); 958 BT_DBG("sock %p", sock);
1038 959
@@ -1051,14 +972,6 @@ static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
1051 if (!sk) 972 if (!sk)
1052 return -ENOMEM; 973 return -ENOMEM;
1053 974
1054 chan = l2cap_chan_create(sk);
1055 if (!chan) {
1056 l2cap_sock_kill(sk);
1057 return -ENOMEM;
1058 }
1059
1060 l2cap_pi(sk)->chan = chan;
1061
1062 l2cap_sock_init(sk, NULL); 975 l2cap_sock_init(sk, NULL);
1063 return 0; 976 return 0;
1064} 977}
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index dae382ce7020..64c0418a6221 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -41,7 +41,7 @@ struct pending_cmd {
41 void *user_data; 41 void *user_data;
42}; 42};
43 43
44LIST_HEAD(cmd_list); 44static LIST_HEAD(cmd_list);
45 45
46static int cmd_status(struct sock *sk, u16 index, u16 cmd, u8 status) 46static int cmd_status(struct sock *sk, u16 index, u16 cmd, u8 status)
47{ 47{
@@ -990,7 +990,7 @@ static int remove_key(struct sock *sk, u16 index, unsigned char *data, u16 len)
990 990
991 put_unaligned_le16(conn->handle, &dc.handle); 991 put_unaligned_le16(conn->handle, &dc.handle);
992 dc.reason = 0x13; /* Remote User Terminated Connection */ 992 dc.reason = 0x13; /* Remote User Terminated Connection */
993 err = hci_send_cmd(hdev, HCI_OP_DISCONNECT, 0, NULL); 993 err = hci_send_cmd(hdev, HCI_OP_DISCONNECT, sizeof(dc), &dc);
994 } 994 }
995 995
996unlock: 996unlock:
@@ -1092,8 +1092,6 @@ static int get_connections(struct sock *sk, u16 index)
1092 1092
1093 put_unaligned_le16(count, &rp->conn_count); 1093 put_unaligned_le16(count, &rp->conn_count);
1094 1094
1095 read_lock(&hci_dev_list_lock);
1096
1097 i = 0; 1095 i = 0;
1098 list_for_each(p, &hdev->conn_hash.list) { 1096 list_for_each(p, &hdev->conn_hash.list) {
1099 struct hci_conn *c = list_entry(p, struct hci_conn, list); 1097 struct hci_conn *c = list_entry(p, struct hci_conn, list);
@@ -1101,8 +1099,6 @@ static int get_connections(struct sock *sk, u16 index)
1101 bacpy(&rp->conn[i++], &c->dst); 1099 bacpy(&rp->conn[i++], &c->dst);
1102 } 1100 }
1103 1101
1104 read_unlock(&hci_dev_list_lock);
1105
1106 err = cmd_complete(sk, index, MGMT_OP_GET_CONNECTIONS, rp, rp_len); 1102 err = cmd_complete(sk, index, MGMT_OP_GET_CONNECTIONS, rp, rp_len);
1107 1103
1108unlock: 1104unlock:
@@ -1112,11 +1108,32 @@ unlock:
1112 return err; 1108 return err;
1113} 1109}
1114 1110
1111static int send_pin_code_neg_reply(struct sock *sk, u16 index,
1112 struct hci_dev *hdev, struct mgmt_cp_pin_code_neg_reply *cp)
1113{
1114 struct pending_cmd *cmd;
1115 int err;
1116
1117 cmd = mgmt_pending_add(sk, MGMT_OP_PIN_CODE_NEG_REPLY, index, cp,
1118 sizeof(*cp));
1119 if (!cmd)
1120 return -ENOMEM;
1121
1122 err = hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY, sizeof(cp->bdaddr),
1123 &cp->bdaddr);
1124 if (err < 0)
1125 mgmt_pending_remove(cmd);
1126
1127 return err;
1128}
1129
1115static int pin_code_reply(struct sock *sk, u16 index, unsigned char *data, 1130static int pin_code_reply(struct sock *sk, u16 index, unsigned char *data,
1116 u16 len) 1131 u16 len)
1117{ 1132{
1118 struct hci_dev *hdev; 1133 struct hci_dev *hdev;
1134 struct hci_conn *conn;
1119 struct mgmt_cp_pin_code_reply *cp; 1135 struct mgmt_cp_pin_code_reply *cp;
1136 struct mgmt_cp_pin_code_neg_reply ncp;
1120 struct hci_cp_pin_code_reply reply; 1137 struct hci_cp_pin_code_reply reply;
1121 struct pending_cmd *cmd; 1138 struct pending_cmd *cmd;
1122 int err; 1139 int err;
@@ -1139,6 +1156,25 @@ static int pin_code_reply(struct sock *sk, u16 index, unsigned char *data,
1139 goto failed; 1156 goto failed;
1140 } 1157 }
1141 1158
1159 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1160 if (!conn) {
1161 err = cmd_status(sk, index, MGMT_OP_PIN_CODE_REPLY, ENOTCONN);
1162 goto failed;
1163 }
1164
1165 if (conn->pending_sec_level == BT_SECURITY_HIGH && cp->pin_len != 16) {
1166 bacpy(&ncp.bdaddr, &cp->bdaddr);
1167
1168 BT_ERR("PIN code is not 16 bytes long");
1169
1170 err = send_pin_code_neg_reply(sk, index, hdev, &ncp);
1171 if (err >= 0)
1172 err = cmd_status(sk, index, MGMT_OP_PIN_CODE_REPLY,
1173 EINVAL);
1174
1175 goto failed;
1176 }
1177
1142 cmd = mgmt_pending_add(sk, MGMT_OP_PIN_CODE_REPLY, index, data, len); 1178 cmd = mgmt_pending_add(sk, MGMT_OP_PIN_CODE_REPLY, index, data, len);
1143 if (!cmd) { 1179 if (!cmd) {
1144 err = -ENOMEM; 1180 err = -ENOMEM;
@@ -1147,7 +1183,7 @@ static int pin_code_reply(struct sock *sk, u16 index, unsigned char *data,
1147 1183
1148 bacpy(&reply.bdaddr, &cp->bdaddr); 1184 bacpy(&reply.bdaddr, &cp->bdaddr);
1149 reply.pin_len = cp->pin_len; 1185 reply.pin_len = cp->pin_len;
1150 memcpy(reply.pin_code, cp->pin_code, 16); 1186 memcpy(reply.pin_code, cp->pin_code, sizeof(reply.pin_code));
1151 1187
1152 err = hci_send_cmd(hdev, HCI_OP_PIN_CODE_REPLY, sizeof(reply), &reply); 1188 err = hci_send_cmd(hdev, HCI_OP_PIN_CODE_REPLY, sizeof(reply), &reply);
1153 if (err < 0) 1189 if (err < 0)
@@ -1165,7 +1201,6 @@ static int pin_code_neg_reply(struct sock *sk, u16 index, unsigned char *data,
1165{ 1201{
1166 struct hci_dev *hdev; 1202 struct hci_dev *hdev;
1167 struct mgmt_cp_pin_code_neg_reply *cp; 1203 struct mgmt_cp_pin_code_neg_reply *cp;
1168 struct pending_cmd *cmd;
1169 int err; 1204 int err;
1170 1205
1171 BT_DBG(""); 1206 BT_DBG("");
@@ -1189,17 +1224,7 @@ static int pin_code_neg_reply(struct sock *sk, u16 index, unsigned char *data,
1189 goto failed; 1224 goto failed;
1190 } 1225 }
1191 1226
1192 cmd = mgmt_pending_add(sk, MGMT_OP_PIN_CODE_NEG_REPLY, index, 1227 err = send_pin_code_neg_reply(sk, index, hdev, cp);
1193 data, len);
1194 if (!cmd) {
1195 err = -ENOMEM;
1196 goto failed;
1197 }
1198
1199 err = hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY, sizeof(cp->bdaddr),
1200 &cp->bdaddr);
1201 if (err < 0)
1202 mgmt_pending_remove(cmd);
1203 1228
1204failed: 1229failed:
1205 hci_dev_unlock(hdev); 1230 hci_dev_unlock(hdev);
@@ -1641,6 +1666,70 @@ failed:
1641 return err; 1666 return err;
1642} 1667}
1643 1668
1669static int block_device(struct sock *sk, u16 index, unsigned char *data,
1670 u16 len)
1671{
1672 struct hci_dev *hdev;
1673 struct mgmt_cp_block_device *cp;
1674 int err;
1675
1676 BT_DBG("hci%u", index);
1677
1678 cp = (void *) data;
1679
1680 if (len != sizeof(*cp))
1681 return cmd_status(sk, index, MGMT_OP_BLOCK_DEVICE,
1682 EINVAL);
1683
1684 hdev = hci_dev_get(index);
1685 if (!hdev)
1686 return cmd_status(sk, index, MGMT_OP_BLOCK_DEVICE,
1687 ENODEV);
1688
1689 err = hci_blacklist_add(hdev, &cp->bdaddr);
1690
1691 if (err < 0)
1692 err = cmd_status(sk, index, MGMT_OP_BLOCK_DEVICE, -err);
1693 else
1694 err = cmd_complete(sk, index, MGMT_OP_BLOCK_DEVICE,
1695 NULL, 0);
1696 hci_dev_put(hdev);
1697
1698 return err;
1699}
1700
1701static int unblock_device(struct sock *sk, u16 index, unsigned char *data,
1702 u16 len)
1703{
1704 struct hci_dev *hdev;
1705 struct mgmt_cp_unblock_device *cp;
1706 int err;
1707
1708 BT_DBG("hci%u", index);
1709
1710 cp = (void *) data;
1711
1712 if (len != sizeof(*cp))
1713 return cmd_status(sk, index, MGMT_OP_UNBLOCK_DEVICE,
1714 EINVAL);
1715
1716 hdev = hci_dev_get(index);
1717 if (!hdev)
1718 return cmd_status(sk, index, MGMT_OP_UNBLOCK_DEVICE,
1719 ENODEV);
1720
1721 err = hci_blacklist_del(hdev, &cp->bdaddr);
1722
1723 if (err < 0)
1724 err = cmd_status(sk, index, MGMT_OP_UNBLOCK_DEVICE, -err);
1725 else
1726 err = cmd_complete(sk, index, MGMT_OP_UNBLOCK_DEVICE,
1727 NULL, 0);
1728 hci_dev_put(hdev);
1729
1730 return err;
1731}
1732
1644int mgmt_control(struct sock *sk, struct msghdr *msg, size_t msglen) 1733int mgmt_control(struct sock *sk, struct msghdr *msg, size_t msglen)
1645{ 1734{
1646 unsigned char *buf; 1735 unsigned char *buf;
@@ -1755,6 +1844,12 @@ int mgmt_control(struct sock *sk, struct msghdr *msg, size_t msglen)
1755 case MGMT_OP_STOP_DISCOVERY: 1844 case MGMT_OP_STOP_DISCOVERY:
1756 err = stop_discovery(sk, index); 1845 err = stop_discovery(sk, index);
1757 break; 1846 break;
1847 case MGMT_OP_BLOCK_DEVICE:
1848 err = block_device(sk, index, buf + sizeof(*hdr), len);
1849 break;
1850 case MGMT_OP_UNBLOCK_DEVICE:
1851 err = unblock_device(sk, index, buf + sizeof(*hdr), len);
1852 break;
1758 default: 1853 default:
1759 BT_DBG("Unknown op %u", opcode); 1854 BT_DBG("Unknown op %u", opcode);
1760 err = cmd_status(sk, index, opcode, 0x01); 1855 err = cmd_status(sk, index, opcode, 0x01);
diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
index 1b10727ce523..8f01e6b11a70 100644
--- a/net/bluetooth/rfcomm/sock.c
+++ b/net/bluetooth/rfcomm/sock.c
@@ -679,7 +679,8 @@ static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, c
679{ 679{
680 struct sock *sk = sock->sk; 680 struct sock *sk = sock->sk;
681 struct bt_security sec; 681 struct bt_security sec;
682 int len, err = 0; 682 int err = 0;
683 size_t len;
683 u32 opt; 684 u32 opt;
684 685
685 BT_DBG("sk %p", sk); 686 BT_DBG("sk %p", sk);
@@ -741,7 +742,6 @@ static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, c
741static int rfcomm_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen) 742static int rfcomm_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen)
742{ 743{
743 struct sock *sk = sock->sk; 744 struct sock *sk = sock->sk;
744 struct sock *l2cap_sk;
745 struct rfcomm_conninfo cinfo; 745 struct rfcomm_conninfo cinfo;
746 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn; 746 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
747 int len, err = 0; 747 int len, err = 0;
@@ -786,8 +786,6 @@ static int rfcomm_sock_getsockopt_old(struct socket *sock, int optname, char __u
786 break; 786 break;
787 } 787 }
788 788
789 l2cap_sk = rfcomm_pi(sk)->dlc->session->sock->sk;
790
791 memset(&cinfo, 0, sizeof(cinfo)); 789 memset(&cinfo, 0, sizeof(cinfo));
792 cinfo.hci_handle = conn->hcon->handle; 790 cinfo.hci_handle = conn->hcon->handle;
793 memcpy(cinfo.dev_class, conn->hcon->dev_class, 3); 791 memcpy(cinfo.dev_class, conn->hcon->dev_class, 3);
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
new file mode 100644
index 000000000000..a36f8707d964
--- /dev/null
+++ b/net/bluetooth/smp.c
@@ -0,0 +1,534 @@
1/*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
4
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License version 2 as
7 published by the Free Software Foundation;
8
9 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17
18 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20 SOFTWARE IS DISCLAIMED.
21*/
22
23#include <net/bluetooth/bluetooth.h>
24#include <net/bluetooth/hci_core.h>
25#include <net/bluetooth/l2cap.h>
26#include <net/bluetooth/smp.h>
27#include <linux/crypto.h>
28#include <linux/scatterlist.h>
29#include <crypto/b128ops.h>
30
31#define SMP_TIMEOUT 30000 /* 30 seconds */
32
33static inline void swap128(u8 src[16], u8 dst[16])
34{
35 int i;
36 for (i = 0; i < 16; i++)
37 dst[15 - i] = src[i];
38}
39
40static inline void swap56(u8 src[7], u8 dst[7])
41{
42 int i;
43 for (i = 0; i < 7; i++)
44 dst[6 - i] = src[i];
45}
46
47static int smp_e(struct crypto_blkcipher *tfm, const u8 *k, u8 *r)
48{
49 struct blkcipher_desc desc;
50 struct scatterlist sg;
51 int err, iv_len;
52 unsigned char iv[128];
53
54 if (tfm == NULL) {
55 BT_ERR("tfm %p", tfm);
56 return -EINVAL;
57 }
58
59 desc.tfm = tfm;
60 desc.flags = 0;
61
62 err = crypto_blkcipher_setkey(tfm, k, 16);
63 if (err) {
64 BT_ERR("cipher setkey failed: %d", err);
65 return err;
66 }
67
68 sg_init_one(&sg, r, 16);
69
70 iv_len = crypto_blkcipher_ivsize(tfm);
71 if (iv_len) {
72 memset(&iv, 0xff, iv_len);
73 crypto_blkcipher_set_iv(tfm, iv, iv_len);
74 }
75
76 err = crypto_blkcipher_encrypt(&desc, &sg, &sg, 16);
77 if (err)
78 BT_ERR("Encrypt data error %d", err);
79
80 return err;
81}
82
83static int smp_c1(struct crypto_blkcipher *tfm, u8 k[16], u8 r[16],
84 u8 preq[7], u8 pres[7], u8 _iat, bdaddr_t *ia,
85 u8 _rat, bdaddr_t *ra, u8 res[16])
86{
87 u8 p1[16], p2[16];
88 int err;
89
90 memset(p1, 0, 16);
91
92 /* p1 = pres || preq || _rat || _iat */
93 swap56(pres, p1);
94 swap56(preq, p1 + 7);
95 p1[14] = _rat;
96 p1[15] = _iat;
97
98 memset(p2, 0, 16);
99
100 /* p2 = padding || ia || ra */
101 baswap((bdaddr_t *) (p2 + 4), ia);
102 baswap((bdaddr_t *) (p2 + 10), ra);
103
104 /* res = r XOR p1 */
105 u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
106
107 /* res = e(k, res) */
108 err = smp_e(tfm, k, res);
109 if (err) {
110 BT_ERR("Encrypt data error");
111 return err;
112 }
113
114 /* res = res XOR p2 */
115 u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
116
117 /* res = e(k, res) */
118 err = smp_e(tfm, k, res);
119 if (err)
120 BT_ERR("Encrypt data error");
121
122 return err;
123}
124
125static int smp_s1(struct crypto_blkcipher *tfm, u8 k[16],
126 u8 r1[16], u8 r2[16], u8 _r[16])
127{
128 int err;
129
130 /* Just least significant octets from r1 and r2 are considered */
131 memcpy(_r, r1 + 8, 8);
132 memcpy(_r + 8, r2 + 8, 8);
133
134 err = smp_e(tfm, k, _r);
135 if (err)
136 BT_ERR("Encrypt data error");
137
138 return err;
139}
140
141static int smp_rand(u8 *buf)
142{
143 get_random_bytes(buf, 16);
144
145 return 0;
146}
147
148static struct sk_buff *smp_build_cmd(struct l2cap_conn *conn, u8 code,
149 u16 dlen, void *data)
150{
151 struct sk_buff *skb;
152 struct l2cap_hdr *lh;
153 int len;
154
155 len = L2CAP_HDR_SIZE + sizeof(code) + dlen;
156
157 if (len > conn->mtu)
158 return NULL;
159
160 skb = bt_skb_alloc(len, GFP_ATOMIC);
161 if (!skb)
162 return NULL;
163
164 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
165 lh->len = cpu_to_le16(sizeof(code) + dlen);
166 lh->cid = cpu_to_le16(L2CAP_CID_SMP);
167
168 memcpy(skb_put(skb, sizeof(code)), &code, sizeof(code));
169
170 memcpy(skb_put(skb, dlen), data, dlen);
171
172 return skb;
173}
174
175static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
176{
177 struct sk_buff *skb = smp_build_cmd(conn, code, len, data);
178
179 BT_DBG("code 0x%2.2x", code);
180
181 if (!skb)
182 return;
183
184 hci_send_acl(conn->hcon, skb, 0);
185}
186
187static __u8 seclevel_to_authreq(__u8 level)
188{
189 switch (level) {
190 case BT_SECURITY_HIGH:
191 /* Right now we don't support bonding */
192 return SMP_AUTH_MITM;
193
194 default:
195 return SMP_AUTH_NONE;
196 }
197}
198
199static void build_pairing_cmd(struct l2cap_conn *conn,
200 struct smp_cmd_pairing *cmd, __u8 authreq)
201{
202 cmd->io_capability = conn->hcon->io_capability;
203 cmd->oob_flag = SMP_OOB_NOT_PRESENT;
204 cmd->max_key_size = SMP_MAX_ENC_KEY_SIZE;
205 cmd->init_key_dist = 0x00;
206 cmd->resp_key_dist = 0x00;
207 cmd->auth_req = authreq;
208}
209
210static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
211{
212 if ((max_key_size > SMP_MAX_ENC_KEY_SIZE) ||
213 (max_key_size < SMP_MIN_ENC_KEY_SIZE))
214 return SMP_ENC_KEY_SIZE;
215
216 conn->smp_key_size = max_key_size;
217
218 return 0;
219}
220
221static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
222{
223 struct smp_cmd_pairing rsp, *req = (void *) skb->data;
224 u8 key_size;
225
226 BT_DBG("conn %p", conn);
227
228 conn->preq[0] = SMP_CMD_PAIRING_REQ;
229 memcpy(&conn->preq[1], req, sizeof(*req));
230 skb_pull(skb, sizeof(*req));
231
232 if (req->oob_flag)
233 return SMP_OOB_NOT_AVAIL;
234
235 /* We didn't start the pairing, so no requirements */
236 build_pairing_cmd(conn, &rsp, SMP_AUTH_NONE);
237
238 key_size = min(req->max_key_size, rsp.max_key_size);
239 if (check_enc_key_size(conn, key_size))
240 return SMP_ENC_KEY_SIZE;
241
242 /* Just works */
243 memset(conn->tk, 0, sizeof(conn->tk));
244
245 conn->prsp[0] = SMP_CMD_PAIRING_RSP;
246 memcpy(&conn->prsp[1], &rsp, sizeof(rsp));
247
248 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
249
250 mod_timer(&conn->security_timer, jiffies +
251 msecs_to_jiffies(SMP_TIMEOUT));
252
253 return 0;
254}
255
256static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
257{
258 struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
259 struct smp_cmd_pairing_confirm cp;
260 struct crypto_blkcipher *tfm = conn->hcon->hdev->tfm;
261 int ret;
262 u8 res[16], key_size;
263
264 BT_DBG("conn %p", conn);
265
266 skb_pull(skb, sizeof(*rsp));
267
268 req = (void *) &conn->preq[1];
269
270 key_size = min(req->max_key_size, rsp->max_key_size);
271 if (check_enc_key_size(conn, key_size))
272 return SMP_ENC_KEY_SIZE;
273
274 if (rsp->oob_flag)
275 return SMP_OOB_NOT_AVAIL;
276
277 /* Just works */
278 memset(conn->tk, 0, sizeof(conn->tk));
279
280 conn->prsp[0] = SMP_CMD_PAIRING_RSP;
281 memcpy(&conn->prsp[1], rsp, sizeof(*rsp));
282
283 ret = smp_rand(conn->prnd);
284 if (ret)
285 return SMP_UNSPECIFIED;
286
287 ret = smp_c1(tfm, conn->tk, conn->prnd, conn->preq, conn->prsp, 0,
288 conn->src, conn->hcon->dst_type, conn->dst, res);
289 if (ret)
290 return SMP_UNSPECIFIED;
291
292 swap128(res, cp.confirm_val);
293
294 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
295
296 return 0;
297}
298
299static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
300{
301 struct crypto_blkcipher *tfm = conn->hcon->hdev->tfm;
302
303 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
304
305 memcpy(conn->pcnf, skb->data, sizeof(conn->pcnf));
306 skb_pull(skb, sizeof(conn->pcnf));
307
308 if (conn->hcon->out) {
309 u8 random[16];
310
311 swap128(conn->prnd, random);
312 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(random),
313 random);
314 } else {
315 struct smp_cmd_pairing_confirm cp;
316 int ret;
317 u8 res[16];
318
319 ret = smp_rand(conn->prnd);
320 if (ret)
321 return SMP_UNSPECIFIED;
322
323 ret = smp_c1(tfm, conn->tk, conn->prnd, conn->preq, conn->prsp,
324 conn->hcon->dst_type, conn->dst,
325 0, conn->src, res);
326 if (ret)
327 return SMP_CONFIRM_FAILED;
328
329 swap128(res, cp.confirm_val);
330
331 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
332 }
333
334 mod_timer(&conn->security_timer, jiffies +
335 msecs_to_jiffies(SMP_TIMEOUT));
336
337 return 0;
338}
339
340static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
341{
342 struct hci_conn *hcon = conn->hcon;
343 struct crypto_blkcipher *tfm = hcon->hdev->tfm;
344 int ret;
345 u8 key[16], res[16], random[16], confirm[16];
346
347 swap128(skb->data, random);
348 skb_pull(skb, sizeof(random));
349
350 memset(hcon->ltk, 0, sizeof(hcon->ltk));
351
352 if (conn->hcon->out)
353 ret = smp_c1(tfm, conn->tk, random, conn->preq, conn->prsp, 0,
354 conn->src, conn->hcon->dst_type, conn->dst,
355 res);
356 else
357 ret = smp_c1(tfm, conn->tk, random, conn->preq, conn->prsp,
358 conn->hcon->dst_type, conn->dst, 0, conn->src,
359 res);
360 if (ret)
361 return SMP_UNSPECIFIED;
362
363 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
364
365 swap128(res, confirm);
366
367 if (memcmp(conn->pcnf, confirm, sizeof(conn->pcnf)) != 0) {
368 BT_ERR("Pairing failed (confirmation values mismatch)");
369 return SMP_CONFIRM_FAILED;
370 }
371
372 if (conn->hcon->out) {
373 __le16 ediv;
374 u8 rand[8];
375
376 smp_s1(tfm, conn->tk, random, conn->prnd, key);
377 swap128(key, hcon->ltk);
378
379 memset(hcon->ltk + conn->smp_key_size, 0,
380 SMP_MAX_ENC_KEY_SIZE - conn->smp_key_size);
381
382 memset(rand, 0, sizeof(rand));
383 ediv = 0;
384 hci_le_start_enc(hcon, ediv, rand, hcon->ltk);
385 } else {
386 u8 r[16];
387
388 swap128(conn->prnd, r);
389 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(r), r);
390
391 smp_s1(tfm, conn->tk, conn->prnd, random, key);
392 swap128(key, hcon->ltk);
393
394 memset(hcon->ltk + conn->smp_key_size, 0,
395 SMP_MAX_ENC_KEY_SIZE - conn->smp_key_size);
396 }
397
398 return 0;
399}
400
401static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
402{
403 struct smp_cmd_security_req *rp = (void *) skb->data;
404 struct smp_cmd_pairing cp;
405 struct hci_conn *hcon = conn->hcon;
406
407 BT_DBG("conn %p", conn);
408
409 if (test_bit(HCI_CONN_ENCRYPT_PEND, &hcon->pend))
410 return 0;
411
412 skb_pull(skb, sizeof(*rp));
413
414 memset(&cp, 0, sizeof(cp));
415 build_pairing_cmd(conn, &cp, rp->auth_req);
416
417 conn->preq[0] = SMP_CMD_PAIRING_REQ;
418 memcpy(&conn->preq[1], &cp, sizeof(cp));
419
420 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
421
422 mod_timer(&conn->security_timer, jiffies +
423 msecs_to_jiffies(SMP_TIMEOUT));
424
425 set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->pend);
426
427 return 0;
428}
429
430int smp_conn_security(struct l2cap_conn *conn, __u8 sec_level)
431{
432 struct hci_conn *hcon = conn->hcon;
433 __u8 authreq;
434
435 BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
436
437 if (IS_ERR(hcon->hdev->tfm))
438 return 1;
439
440 if (test_bit(HCI_CONN_ENCRYPT_PEND, &hcon->pend))
441 return 0;
442
443 if (sec_level == BT_SECURITY_LOW)
444 return 1;
445
446 if (hcon->sec_level >= sec_level)
447 return 1;
448
449 authreq = seclevel_to_authreq(sec_level);
450
451 if (hcon->link_mode & HCI_LM_MASTER) {
452 struct smp_cmd_pairing cp;
453
454 build_pairing_cmd(conn, &cp, authreq);
455 conn->preq[0] = SMP_CMD_PAIRING_REQ;
456 memcpy(&conn->preq[1], &cp, sizeof(cp));
457
458 mod_timer(&conn->security_timer, jiffies +
459 msecs_to_jiffies(SMP_TIMEOUT));
460
461 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
462 } else {
463 struct smp_cmd_security_req cp;
464 cp.auth_req = authreq;
465 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
466 }
467
468 hcon->pending_sec_level = sec_level;
469 set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->pend);
470
471 return 0;
472}
473
474int smp_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb)
475{
476 __u8 code = skb->data[0];
477 __u8 reason;
478 int err = 0;
479
480 if (IS_ERR(conn->hcon->hdev->tfm)) {
481 err = PTR_ERR(conn->hcon->hdev->tfm);
482 reason = SMP_PAIRING_NOTSUPP;
483 goto done;
484 }
485
486 skb_pull(skb, sizeof(code));
487
488 switch (code) {
489 case SMP_CMD_PAIRING_REQ:
490 reason = smp_cmd_pairing_req(conn, skb);
491 break;
492
493 case SMP_CMD_PAIRING_FAIL:
494 reason = 0;
495 err = -EPERM;
496 break;
497
498 case SMP_CMD_PAIRING_RSP:
499 reason = smp_cmd_pairing_rsp(conn, skb);
500 break;
501
502 case SMP_CMD_SECURITY_REQ:
503 reason = smp_cmd_security_req(conn, skb);
504 break;
505
506 case SMP_CMD_PAIRING_CONFIRM:
507 reason = smp_cmd_pairing_confirm(conn, skb);
508 break;
509
510 case SMP_CMD_PAIRING_RANDOM:
511 reason = smp_cmd_pairing_random(conn, skb);
512 break;
513
514 case SMP_CMD_ENCRYPT_INFO:
515 case SMP_CMD_MASTER_IDENT:
516 case SMP_CMD_IDENT_INFO:
517 case SMP_CMD_IDENT_ADDR_INFO:
518 case SMP_CMD_SIGN_INFO:
519 default:
520 BT_DBG("Unknown command code 0x%2.2x", code);
521
522 reason = SMP_CMD_NOTSUPP;
523 err = -EOPNOTSUPP;
524 goto done;
525 }
526
527done:
528 if (reason)
529 smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
530 &reason);
531
532 kfree_skb(skb);
533 return err;
534}
diff --git a/net/core/sock.c b/net/core/sock.c
index 6e819780c232..84d6de809352 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -158,7 +158,7 @@ static const char *const af_family_key_strings[AF_MAX+1] = {
158 "sk_lock-AF_TIPC" , "sk_lock-AF_BLUETOOTH", "sk_lock-IUCV" , 158 "sk_lock-AF_TIPC" , "sk_lock-AF_BLUETOOTH", "sk_lock-IUCV" ,
159 "sk_lock-AF_RXRPC" , "sk_lock-AF_ISDN" , "sk_lock-AF_PHONET" , 159 "sk_lock-AF_RXRPC" , "sk_lock-AF_ISDN" , "sk_lock-AF_PHONET" ,
160 "sk_lock-AF_IEEE802154", "sk_lock-AF_CAIF" , "sk_lock-AF_ALG" , 160 "sk_lock-AF_IEEE802154", "sk_lock-AF_CAIF" , "sk_lock-AF_ALG" ,
161 "sk_lock-AF_MAX" 161 "sk_lock-AF_NFC" , "sk_lock-AF_MAX"
162}; 162};
163static const char *const af_family_slock_key_strings[AF_MAX+1] = { 163static const char *const af_family_slock_key_strings[AF_MAX+1] = {
164 "slock-AF_UNSPEC", "slock-AF_UNIX" , "slock-AF_INET" , 164 "slock-AF_UNSPEC", "slock-AF_UNIX" , "slock-AF_INET" ,
@@ -174,7 +174,7 @@ static const char *const af_family_slock_key_strings[AF_MAX+1] = {
174 "slock-AF_TIPC" , "slock-AF_BLUETOOTH", "slock-AF_IUCV" , 174 "slock-AF_TIPC" , "slock-AF_BLUETOOTH", "slock-AF_IUCV" ,
175 "slock-AF_RXRPC" , "slock-AF_ISDN" , "slock-AF_PHONET" , 175 "slock-AF_RXRPC" , "slock-AF_ISDN" , "slock-AF_PHONET" ,
176 "slock-AF_IEEE802154", "slock-AF_CAIF" , "slock-AF_ALG" , 176 "slock-AF_IEEE802154", "slock-AF_CAIF" , "slock-AF_ALG" ,
177 "slock-AF_MAX" 177 "slock-AF_NFC" , "slock-AF_MAX"
178}; 178};
179static const char *const af_family_clock_key_strings[AF_MAX+1] = { 179static const char *const af_family_clock_key_strings[AF_MAX+1] = {
180 "clock-AF_UNSPEC", "clock-AF_UNIX" , "clock-AF_INET" , 180 "clock-AF_UNSPEC", "clock-AF_UNIX" , "clock-AF_INET" ,
@@ -190,7 +190,7 @@ static const char *const af_family_clock_key_strings[AF_MAX+1] = {
190 "clock-AF_TIPC" , "clock-AF_BLUETOOTH", "clock-AF_IUCV" , 190 "clock-AF_TIPC" , "clock-AF_BLUETOOTH", "clock-AF_IUCV" ,
191 "clock-AF_RXRPC" , "clock-AF_ISDN" , "clock-AF_PHONET" , 191 "clock-AF_RXRPC" , "clock-AF_ISDN" , "clock-AF_PHONET" ,
192 "clock-AF_IEEE802154", "clock-AF_CAIF" , "clock-AF_ALG" , 192 "clock-AF_IEEE802154", "clock-AF_CAIF" , "clock-AF_ALG" ,
193 "clock-AF_MAX" 193 "clock-AF_NFC" , "clock-AF_MAX"
194}; 194};
195 195
196/* 196/*
diff --git a/net/mac80211/aes_ccm.c b/net/mac80211/aes_ccm.c
index b9b595c08112..0785e95c9924 100644
--- a/net/mac80211/aes_ccm.c
+++ b/net/mac80211/aes_ccm.c
@@ -11,6 +11,7 @@
11#include <linux/types.h> 11#include <linux/types.h>
12#include <linux/crypto.h> 12#include <linux/crypto.h>
13#include <linux/err.h> 13#include <linux/err.h>
14#include <crypto/aes.h>
14 15
15#include <net/mac80211.h> 16#include <net/mac80211.h>
16#include "key.h" 17#include "key.h"
@@ -21,21 +22,21 @@ static void aes_ccm_prepare(struct crypto_cipher *tfm, u8 *scratch, u8 *a)
21 int i; 22 int i;
22 u8 *b_0, *aad, *b, *s_0; 23 u8 *b_0, *aad, *b, *s_0;
23 24
24 b_0 = scratch + 3 * AES_BLOCK_LEN; 25 b_0 = scratch + 3 * AES_BLOCK_SIZE;
25 aad = scratch + 4 * AES_BLOCK_LEN; 26 aad = scratch + 4 * AES_BLOCK_SIZE;
26 b = scratch; 27 b = scratch;
27 s_0 = scratch + AES_BLOCK_LEN; 28 s_0 = scratch + AES_BLOCK_SIZE;
28 29
29 crypto_cipher_encrypt_one(tfm, b, b_0); 30 crypto_cipher_encrypt_one(tfm, b, b_0);
30 31
31 /* Extra Authenticate-only data (always two AES blocks) */ 32 /* Extra Authenticate-only data (always two AES blocks) */
32 for (i = 0; i < AES_BLOCK_LEN; i++) 33 for (i = 0; i < AES_BLOCK_SIZE; i++)
33 aad[i] ^= b[i]; 34 aad[i] ^= b[i];
34 crypto_cipher_encrypt_one(tfm, b, aad); 35 crypto_cipher_encrypt_one(tfm, b, aad);
35 36
36 aad += AES_BLOCK_LEN; 37 aad += AES_BLOCK_SIZE;
37 38
38 for (i = 0; i < AES_BLOCK_LEN; i++) 39 for (i = 0; i < AES_BLOCK_SIZE; i++)
39 aad[i] ^= b[i]; 40 aad[i] ^= b[i];
40 crypto_cipher_encrypt_one(tfm, a, aad); 41 crypto_cipher_encrypt_one(tfm, a, aad);
41 42
@@ -57,12 +58,12 @@ void ieee80211_aes_ccm_encrypt(struct crypto_cipher *tfm, u8 *scratch,
57 u8 *pos, *cpos, *b, *s_0, *e, *b_0; 58 u8 *pos, *cpos, *b, *s_0, *e, *b_0;
58 59
59 b = scratch; 60 b = scratch;
60 s_0 = scratch + AES_BLOCK_LEN; 61 s_0 = scratch + AES_BLOCK_SIZE;
61 e = scratch + 2 * AES_BLOCK_LEN; 62 e = scratch + 2 * AES_BLOCK_SIZE;
62 b_0 = scratch + 3 * AES_BLOCK_LEN; 63 b_0 = scratch + 3 * AES_BLOCK_SIZE;
63 64
64 num_blocks = DIV_ROUND_UP(data_len, AES_BLOCK_LEN); 65 num_blocks = DIV_ROUND_UP(data_len, AES_BLOCK_SIZE);
65 last_len = data_len % AES_BLOCK_LEN; 66 last_len = data_len % AES_BLOCK_SIZE;
66 aes_ccm_prepare(tfm, scratch, b); 67 aes_ccm_prepare(tfm, scratch, b);
67 68
68 /* Process payload blocks */ 69 /* Process payload blocks */
@@ -70,7 +71,7 @@ void ieee80211_aes_ccm_encrypt(struct crypto_cipher *tfm, u8 *scratch,
70 cpos = cdata; 71 cpos = cdata;
71 for (j = 1; j <= num_blocks; j++) { 72 for (j = 1; j <= num_blocks; j++) {
72 int blen = (j == num_blocks && last_len) ? 73 int blen = (j == num_blocks && last_len) ?
73 last_len : AES_BLOCK_LEN; 74 last_len : AES_BLOCK_SIZE;
74 75
75 /* Authentication followed by encryption */ 76 /* Authentication followed by encryption */
76 for (i = 0; i < blen; i++) 77 for (i = 0; i < blen; i++)
@@ -96,12 +97,12 @@ int ieee80211_aes_ccm_decrypt(struct crypto_cipher *tfm, u8 *scratch,
96 u8 *pos, *cpos, *b, *s_0, *a, *b_0; 97 u8 *pos, *cpos, *b, *s_0, *a, *b_0;
97 98
98 b = scratch; 99 b = scratch;
99 s_0 = scratch + AES_BLOCK_LEN; 100 s_0 = scratch + AES_BLOCK_SIZE;
100 a = scratch + 2 * AES_BLOCK_LEN; 101 a = scratch + 2 * AES_BLOCK_SIZE;
101 b_0 = scratch + 3 * AES_BLOCK_LEN; 102 b_0 = scratch + 3 * AES_BLOCK_SIZE;
102 103
103 num_blocks = DIV_ROUND_UP(data_len, AES_BLOCK_LEN); 104 num_blocks = DIV_ROUND_UP(data_len, AES_BLOCK_SIZE);
104 last_len = data_len % AES_BLOCK_LEN; 105 last_len = data_len % AES_BLOCK_SIZE;
105 aes_ccm_prepare(tfm, scratch, a); 106 aes_ccm_prepare(tfm, scratch, a);
106 107
107 /* Process payload blocks */ 108 /* Process payload blocks */
@@ -109,7 +110,7 @@ int ieee80211_aes_ccm_decrypt(struct crypto_cipher *tfm, u8 *scratch,
109 pos = data; 110 pos = data;
110 for (j = 1; j <= num_blocks; j++) { 111 for (j = 1; j <= num_blocks; j++) {
111 int blen = (j == num_blocks && last_len) ? 112 int blen = (j == num_blocks && last_len) ?
112 last_len : AES_BLOCK_LEN; 113 last_len : AES_BLOCK_SIZE;
113 114
114 /* Decryption followed by authentication */ 115 /* Decryption followed by authentication */
115 b_0[14] = (j >> 8) & 0xff; 116 b_0[14] = (j >> 8) & 0xff;
diff --git a/net/mac80211/aes_ccm.h b/net/mac80211/aes_ccm.h
index 6e7820ef3448..5b7d744e2370 100644
--- a/net/mac80211/aes_ccm.h
+++ b/net/mac80211/aes_ccm.h
@@ -12,8 +12,6 @@
12 12
13#include <linux/crypto.h> 13#include <linux/crypto.h>
14 14
15#define AES_BLOCK_LEN 16
16
17struct crypto_cipher *ieee80211_aes_key_setup_encrypt(const u8 key[]); 15struct crypto_cipher *ieee80211_aes_key_setup_encrypt(const u8 key[]);
18void ieee80211_aes_ccm_encrypt(struct crypto_cipher *tfm, u8 *scratch, 16void ieee80211_aes_ccm_encrypt(struct crypto_cipher *tfm, u8 *scratch,
19 u8 *data, size_t data_len, 17 u8 *data, size_t data_len,
diff --git a/net/mac80211/aes_cmac.c b/net/mac80211/aes_cmac.c
index d502b2684a66..8dfd70d8fcfb 100644
--- a/net/mac80211/aes_cmac.c
+++ b/net/mac80211/aes_cmac.c
@@ -11,12 +11,12 @@
11#include <linux/types.h> 11#include <linux/types.h>
12#include <linux/crypto.h> 12#include <linux/crypto.h>
13#include <linux/err.h> 13#include <linux/err.h>
14#include <crypto/aes.h>
14 15
15#include <net/mac80211.h> 16#include <net/mac80211.h>
16#include "key.h" 17#include "key.h"
17#include "aes_cmac.h" 18#include "aes_cmac.h"
18 19
19#define AES_BLOCK_SIZE 16
20#define AES_CMAC_KEY_LEN 16 20#define AES_CMAC_KEY_LEN 16
21#define CMAC_TLEN 8 /* CMAC TLen = 64 bits (8 octets) */ 21#define CMAC_TLEN 8 /* CMAC TLen = 64 bits (8 octets) */
22#define AAD_LEN 20 22#define AAD_LEN 20
@@ -35,10 +35,10 @@ static void gf_mulx(u8 *pad)
35} 35}
36 36
37 37
38static void aes_128_cmac_vector(struct crypto_cipher *tfm, u8 *scratch, 38static void aes_128_cmac_vector(struct crypto_cipher *tfm, size_t num_elem,
39 size_t num_elem,
40 const u8 *addr[], const size_t *len, u8 *mac) 39 const u8 *addr[], const size_t *len, u8 *mac)
41{ 40{
41 u8 scratch[2 * AES_BLOCK_SIZE];
42 u8 *cbc, *pad; 42 u8 *cbc, *pad;
43 const u8 *pos, *end; 43 const u8 *pos, *end;
44 size_t i, e, left, total_len; 44 size_t i, e, left, total_len;
@@ -95,7 +95,7 @@ static void aes_128_cmac_vector(struct crypto_cipher *tfm, u8 *scratch,
95} 95}
96 96
97 97
98void ieee80211_aes_cmac(struct crypto_cipher *tfm, u8 *scratch, const u8 *aad, 98void ieee80211_aes_cmac(struct crypto_cipher *tfm, const u8 *aad,
99 const u8 *data, size_t data_len, u8 *mic) 99 const u8 *data, size_t data_len, u8 *mic)
100{ 100{
101 const u8 *addr[3]; 101 const u8 *addr[3];
@@ -110,7 +110,7 @@ void ieee80211_aes_cmac(struct crypto_cipher *tfm, u8 *scratch, const u8 *aad,
110 addr[2] = zero; 110 addr[2] = zero;
111 len[2] = CMAC_TLEN; 111 len[2] = CMAC_TLEN;
112 112
113 aes_128_cmac_vector(tfm, scratch, 3, addr, len, mic); 113 aes_128_cmac_vector(tfm, 3, addr, len, mic);
114} 114}
115 115
116 116
diff --git a/net/mac80211/aes_cmac.h b/net/mac80211/aes_cmac.h
index 0eb9a4831508..20785a647254 100644
--- a/net/mac80211/aes_cmac.h
+++ b/net/mac80211/aes_cmac.h
@@ -12,7 +12,7 @@
12#include <linux/crypto.h> 12#include <linux/crypto.h>
13 13
14struct crypto_cipher * ieee80211_aes_cmac_key_setup(const u8 key[]); 14struct crypto_cipher * ieee80211_aes_cmac_key_setup(const u8 key[]);
15void ieee80211_aes_cmac(struct crypto_cipher *tfm, u8 *scratch, const u8 *aad, 15void ieee80211_aes_cmac(struct crypto_cipher *tfm, const u8 *aad,
16 const u8 *data, size_t data_len, u8 *mic); 16 const u8 *data, size_t data_len, u8 *mic);
17void ieee80211_aes_cmac_key_free(struct crypto_cipher *tfm); 17void ieee80211_aes_cmac_key_free(struct crypto_cipher *tfm);
18 18
diff --git a/net/mac80211/agg-rx.c b/net/mac80211/agg-rx.c
index 9c0d76cdca92..ebadb9ac9a7e 100644
--- a/net/mac80211/agg-rx.c
+++ b/net/mac80211/agg-rx.c
@@ -100,6 +100,21 @@ void __ieee80211_stop_rx_ba_session(struct sta_info *sta, u16 tid,
100 mutex_unlock(&sta->ampdu_mlme.mtx); 100 mutex_unlock(&sta->ampdu_mlme.mtx);
101} 101}
102 102
103void ieee80211_stop_rx_ba_session(struct ieee80211_vif *vif, u16 ba_rx_bitmap,
104 const u8 *addr)
105{
106 struct ieee80211_sub_if_data *sdata = vif_to_sdata(vif);
107 struct sta_info *sta = sta_info_get(sdata, addr);
108 int i;
109
110 for (i = 0; i < STA_TID_NUM; i++)
111 if (ba_rx_bitmap & BIT(i))
112 set_bit(i, sta->ampdu_mlme.tid_rx_stop_requested);
113
114 ieee80211_queue_work(&sta->local->hw, &sta->ampdu_mlme.work);
115}
116EXPORT_SYMBOL(ieee80211_stop_rx_ba_session);
117
103/* 118/*
104 * After accepting the AddBA Request we activated a timer, 119 * After accepting the AddBA Request we activated a timer,
105 * resetting it after each frame that arrives from the originator. 120 * resetting it after each frame that arrives from the originator.
@@ -247,7 +262,11 @@ void ieee80211_process_addba_request(struct ieee80211_local *local,
247 "%pM on tid %u\n", 262 "%pM on tid %u\n",
248 mgmt->sa, tid); 263 mgmt->sa, tid);
249#endif /* CONFIG_MAC80211_HT_DEBUG */ 264#endif /* CONFIG_MAC80211_HT_DEBUG */
250 goto end; 265
266 /* delete existing Rx BA session on the same tid */
267 ___ieee80211_stop_rx_ba_session(sta, tid, WLAN_BACK_RECIPIENT,
268 WLAN_STATUS_UNSPECIFIED_QOS,
269 false);
251 } 270 }
252 271
253 /* prepare A-MPDU MLME for Rx aggregation */ 272 /* prepare A-MPDU MLME for Rx aggregation */
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index be70c70d3f5b..bfc36e904764 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -209,6 +209,7 @@ static int ieee80211_get_key(struct wiphy *wiphy, struct net_device *dev,
209 u8 seq[6] = {0}; 209 u8 seq[6] = {0};
210 struct key_params params; 210 struct key_params params;
211 struct ieee80211_key *key = NULL; 211 struct ieee80211_key *key = NULL;
212 u64 pn64;
212 u32 iv32; 213 u32 iv32;
213 u16 iv16; 214 u16 iv16;
214 int err = -ENOENT; 215 int err = -ENOENT;
@@ -256,22 +257,24 @@ static int ieee80211_get_key(struct wiphy *wiphy, struct net_device *dev,
256 params.seq_len = 6; 257 params.seq_len = 6;
257 break; 258 break;
258 case WLAN_CIPHER_SUITE_CCMP: 259 case WLAN_CIPHER_SUITE_CCMP:
259 seq[0] = key->u.ccmp.tx_pn[5]; 260 pn64 = atomic64_read(&key->u.ccmp.tx_pn);
260 seq[1] = key->u.ccmp.tx_pn[4]; 261 seq[0] = pn64;
261 seq[2] = key->u.ccmp.tx_pn[3]; 262 seq[1] = pn64 >> 8;
262 seq[3] = key->u.ccmp.tx_pn[2]; 263 seq[2] = pn64 >> 16;
263 seq[4] = key->u.ccmp.tx_pn[1]; 264 seq[3] = pn64 >> 24;
264 seq[5] = key->u.ccmp.tx_pn[0]; 265 seq[4] = pn64 >> 32;
266 seq[5] = pn64 >> 40;
265 params.seq = seq; 267 params.seq = seq;
266 params.seq_len = 6; 268 params.seq_len = 6;
267 break; 269 break;
268 case WLAN_CIPHER_SUITE_AES_CMAC: 270 case WLAN_CIPHER_SUITE_AES_CMAC:
269 seq[0] = key->u.aes_cmac.tx_pn[5]; 271 pn64 = atomic64_read(&key->u.aes_cmac.tx_pn);
270 seq[1] = key->u.aes_cmac.tx_pn[4]; 272 seq[0] = pn64;
271 seq[2] = key->u.aes_cmac.tx_pn[3]; 273 seq[1] = pn64 >> 8;
272 seq[3] = key->u.aes_cmac.tx_pn[2]; 274 seq[2] = pn64 >> 16;
273 seq[4] = key->u.aes_cmac.tx_pn[1]; 275 seq[3] = pn64 >> 24;
274 seq[5] = key->u.aes_cmac.tx_pn[0]; 276 seq[4] = pn64 >> 32;
277 seq[5] = pn64 >> 40;
275 params.seq = seq; 278 params.seq = seq;
276 params.seq_len = 6; 279 params.seq_len = 6;
277 break; 280 break;
@@ -674,8 +677,11 @@ static void sta_apply_parameters(struct ieee80211_local *local,
674 677
675 if (mask & BIT(NL80211_STA_FLAG_WME)) { 678 if (mask & BIT(NL80211_STA_FLAG_WME)) {
676 sta->flags &= ~WLAN_STA_WME; 679 sta->flags &= ~WLAN_STA_WME;
677 if (set & BIT(NL80211_STA_FLAG_WME)) 680 sta->sta.wme = false;
681 if (set & BIT(NL80211_STA_FLAG_WME)) {
678 sta->flags |= WLAN_STA_WME; 682 sta->flags |= WLAN_STA_WME;
683 sta->sta.wme = true;
684 }
679 } 685 }
680 686
681 if (mask & BIT(NL80211_STA_FLAG_MFP)) { 687 if (mask & BIT(NL80211_STA_FLAG_MFP)) {
@@ -1554,6 +1560,19 @@ static int ieee80211_testmode_cmd(struct wiphy *wiphy, void *data, int len)
1554 1560
1555 return local->ops->testmode_cmd(&local->hw, data, len); 1561 return local->ops->testmode_cmd(&local->hw, data, len);
1556} 1562}
1563
1564static int ieee80211_testmode_dump(struct wiphy *wiphy,
1565 struct sk_buff *skb,
1566 struct netlink_callback *cb,
1567 void *data, int len)
1568{
1569 struct ieee80211_local *local = wiphy_priv(wiphy);
1570
1571 if (!local->ops->testmode_dump)
1572 return -EOPNOTSUPP;
1573
1574 return local->ops->testmode_dump(&local->hw, skb, cb, data, len);
1575}
1557#endif 1576#endif
1558 1577
1559int __ieee80211_request_smps(struct ieee80211_sub_if_data *sdata, 1578int __ieee80211_request_smps(struct ieee80211_sub_if_data *sdata,
@@ -2085,6 +2104,21 @@ static void ieee80211_get_ringparam(struct wiphy *wiphy,
2085 drv_get_ringparam(local, tx, tx_max, rx, rx_max); 2104 drv_get_ringparam(local, tx, tx_max, rx, rx_max);
2086} 2105}
2087 2106
2107static int ieee80211_set_rekey_data(struct wiphy *wiphy,
2108 struct net_device *dev,
2109 struct cfg80211_gtk_rekey_data *data)
2110{
2111 struct ieee80211_local *local = wiphy_priv(wiphy);
2112 struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev);
2113
2114 if (!local->ops->set_rekey_data)
2115 return -EOPNOTSUPP;
2116
2117 drv_set_rekey_data(local, sdata, data);
2118
2119 return 0;
2120}
2121
2088struct cfg80211_ops mac80211_config_ops = { 2122struct cfg80211_ops mac80211_config_ops = {
2089 .add_virtual_intf = ieee80211_add_iface, 2123 .add_virtual_intf = ieee80211_add_iface,
2090 .del_virtual_intf = ieee80211_del_iface, 2124 .del_virtual_intf = ieee80211_del_iface,
@@ -2134,6 +2168,7 @@ struct cfg80211_ops mac80211_config_ops = {
2134 .set_wds_peer = ieee80211_set_wds_peer, 2168 .set_wds_peer = ieee80211_set_wds_peer,
2135 .rfkill_poll = ieee80211_rfkill_poll, 2169 .rfkill_poll = ieee80211_rfkill_poll,
2136 CFG80211_TESTMODE_CMD(ieee80211_testmode_cmd) 2170 CFG80211_TESTMODE_CMD(ieee80211_testmode_cmd)
2171 CFG80211_TESTMODE_DUMP(ieee80211_testmode_dump)
2137 .set_power_mgmt = ieee80211_set_power_mgmt, 2172 .set_power_mgmt = ieee80211_set_power_mgmt,
2138 .set_bitrate_mask = ieee80211_set_bitrate_mask, 2173 .set_bitrate_mask = ieee80211_set_bitrate_mask,
2139 .remain_on_channel = ieee80211_remain_on_channel, 2174 .remain_on_channel = ieee80211_remain_on_channel,
@@ -2146,4 +2181,5 @@ struct cfg80211_ops mac80211_config_ops = {
2146 .get_antenna = ieee80211_get_antenna, 2181 .get_antenna = ieee80211_get_antenna,
2147 .set_ringparam = ieee80211_set_ringparam, 2182 .set_ringparam = ieee80211_set_ringparam,
2148 .get_ringparam = ieee80211_get_ringparam, 2183 .get_ringparam = ieee80211_get_ringparam,
2184 .set_rekey_data = ieee80211_set_rekey_data,
2149}; 2185};
diff --git a/net/mac80211/debugfs_key.c b/net/mac80211/debugfs_key.c
index 33c58b85c911..38e6101190d9 100644
--- a/net/mac80211/debugfs_key.c
+++ b/net/mac80211/debugfs_key.c
@@ -78,7 +78,7 @@ KEY_OPS(algorithm);
78static ssize_t key_tx_spec_read(struct file *file, char __user *userbuf, 78static ssize_t key_tx_spec_read(struct file *file, char __user *userbuf,
79 size_t count, loff_t *ppos) 79 size_t count, loff_t *ppos)
80{ 80{
81 const u8 *tpn; 81 u64 pn;
82 char buf[20]; 82 char buf[20];
83 int len; 83 int len;
84 struct ieee80211_key *key = file->private_data; 84 struct ieee80211_key *key = file->private_data;
@@ -94,15 +94,16 @@ static ssize_t key_tx_spec_read(struct file *file, char __user *userbuf,
94 key->u.tkip.tx.iv16); 94 key->u.tkip.tx.iv16);
95 break; 95 break;
96 case WLAN_CIPHER_SUITE_CCMP: 96 case WLAN_CIPHER_SUITE_CCMP:
97 tpn = key->u.ccmp.tx_pn; 97 pn = atomic64_read(&key->u.ccmp.tx_pn);
98 len = scnprintf(buf, sizeof(buf), "%02x%02x%02x%02x%02x%02x\n", 98 len = scnprintf(buf, sizeof(buf), "%02x%02x%02x%02x%02x%02x\n",
99 tpn[0], tpn[1], tpn[2], tpn[3], tpn[4], tpn[5]); 99 (u8)(pn >> 40), (u8)(pn >> 32), (u8)(pn >> 24),
100 (u8)(pn >> 16), (u8)(pn >> 8), (u8)pn);
100 break; 101 break;
101 case WLAN_CIPHER_SUITE_AES_CMAC: 102 case WLAN_CIPHER_SUITE_AES_CMAC:
102 tpn = key->u.aes_cmac.tx_pn; 103 pn = atomic64_read(&key->u.aes_cmac.tx_pn);
103 len = scnprintf(buf, sizeof(buf), "%02x%02x%02x%02x%02x%02x\n", 104 len = scnprintf(buf, sizeof(buf), "%02x%02x%02x%02x%02x%02x\n",
104 tpn[0], tpn[1], tpn[2], tpn[3], tpn[4], 105 (u8)(pn >> 40), (u8)(pn >> 32), (u8)(pn >> 24),
105 tpn[5]); 106 (u8)(pn >> 16), (u8)(pn >> 8), (u8)pn);
106 break; 107 break;
107 default: 108 default:
108 return 0; 109 return 0;
diff --git a/net/mac80211/driver-ops.h b/net/mac80211/driver-ops.h
index eebf7a67daf7..edd2dd79c9be 100644
--- a/net/mac80211/driver-ops.h
+++ b/net/mac80211/driver-ops.h
@@ -218,6 +218,16 @@ static inline int drv_hw_scan(struct ieee80211_local *local,
218 return ret; 218 return ret;
219} 219}
220 220
221static inline void drv_cancel_hw_scan(struct ieee80211_local *local,
222 struct ieee80211_sub_if_data *sdata)
223{
224 might_sleep();
225
226 trace_drv_cancel_hw_scan(local, sdata);
227 local->ops->cancel_hw_scan(&local->hw, &sdata->vif);
228 trace_drv_return_void(local);
229}
230
221static inline int 231static inline int
222drv_sched_scan_start(struct ieee80211_local *local, 232drv_sched_scan_start(struct ieee80211_local *local,
223 struct ieee80211_sub_if_data *sdata, 233 struct ieee80211_sub_if_data *sdata,
@@ -637,4 +647,14 @@ static inline int drv_set_bitrate_mask(struct ieee80211_local *local,
637 return ret; 647 return ret;
638} 648}
639 649
650static inline void drv_set_rekey_data(struct ieee80211_local *local,
651 struct ieee80211_sub_if_data *sdata,
652 struct cfg80211_gtk_rekey_data *data)
653{
654 trace_drv_set_rekey_data(local, sdata, data);
655 if (local->ops->set_rekey_data)
656 local->ops->set_rekey_data(&local->hw, &sdata->vif, data);
657 trace_drv_return_void(local);
658}
659
640#endif /* __MAC80211_DRIVER_OPS */ 660#endif /* __MAC80211_DRIVER_OPS */
diff --git a/net/mac80211/driver-trace.h b/net/mac80211/driver-trace.h
index ed9edcbd9aa5..31a9dfa81f65 100644
--- a/net/mac80211/driver-trace.h
+++ b/net/mac80211/driver-trace.h
@@ -460,6 +460,12 @@ DEFINE_EVENT(local_sdata_evt, drv_hw_scan,
460 TP_ARGS(local, sdata) 460 TP_ARGS(local, sdata)
461); 461);
462 462
463DEFINE_EVENT(local_sdata_evt, drv_cancel_hw_scan,
464 TP_PROTO(struct ieee80211_local *local,
465 struct ieee80211_sub_if_data *sdata),
466 TP_ARGS(local, sdata)
467);
468
463DEFINE_EVENT(local_sdata_evt, drv_sched_scan_start, 469DEFINE_EVENT(local_sdata_evt, drv_sched_scan_start,
464 TP_PROTO(struct ieee80211_local *local, 470 TP_PROTO(struct ieee80211_local *local,
465 struct ieee80211_sub_if_data *sdata), 471 struct ieee80211_sub_if_data *sdata),
@@ -1018,6 +1024,34 @@ TRACE_EVENT(drv_set_bitrate_mask,
1018 ) 1024 )
1019); 1025);
1020 1026
1027TRACE_EVENT(drv_set_rekey_data,
1028 TP_PROTO(struct ieee80211_local *local,
1029 struct ieee80211_sub_if_data *sdata,
1030 struct cfg80211_gtk_rekey_data *data),
1031
1032 TP_ARGS(local, sdata, data),
1033
1034 TP_STRUCT__entry(
1035 LOCAL_ENTRY
1036 VIF_ENTRY
1037 __array(u8, kek, NL80211_KEK_LEN)
1038 __array(u8, kck, NL80211_KCK_LEN)
1039 __array(u8, replay_ctr, NL80211_REPLAY_CTR_LEN)
1040 ),
1041
1042 TP_fast_assign(
1043 LOCAL_ASSIGN;
1044 VIF_ASSIGN;
1045 memcpy(__entry->kek, data->kek, NL80211_KEK_LEN);
1046 memcpy(__entry->kck, data->kck, NL80211_KCK_LEN);
1047 memcpy(__entry->replay_ctr, data->replay_ctr,
1048 NL80211_REPLAY_CTR_LEN);
1049 ),
1050
1051 TP_printk(LOCAL_PR_FMT VIF_PR_FMT,
1052 LOCAL_PR_ARG, VIF_PR_ARG)
1053);
1054
1021/* 1055/*
1022 * Tracing for API calls that drivers call. 1056 * Tracing for API calls that drivers call.
1023 */ 1057 */
@@ -1287,6 +1321,27 @@ DEFINE_EVENT(local_only_evt, api_remain_on_channel_expired,
1287 TP_ARGS(local) 1321 TP_ARGS(local)
1288); 1322);
1289 1323
1324TRACE_EVENT(api_gtk_rekey_notify,
1325 TP_PROTO(struct ieee80211_sub_if_data *sdata,
1326 const u8 *bssid, const u8 *replay_ctr),
1327
1328 TP_ARGS(sdata, bssid, replay_ctr),
1329
1330 TP_STRUCT__entry(
1331 VIF_ENTRY
1332 __array(u8, bssid, ETH_ALEN)
1333 __array(u8, replay_ctr, NL80211_REPLAY_CTR_LEN)
1334 ),
1335
1336 TP_fast_assign(
1337 VIF_ASSIGN;
1338 memcpy(__entry->bssid, bssid, ETH_ALEN);
1339 memcpy(__entry->replay_ctr, replay_ctr, NL80211_REPLAY_CTR_LEN);
1340 ),
1341
1342 TP_printk(VIF_PR_FMT, VIF_PR_ARG)
1343);
1344
1290/* 1345/*
1291 * Tracing for internal functions 1346 * Tracing for internal functions
1292 * (which may also be called in response to driver calls) 1347 * (which may also be called in response to driver calls)
diff --git a/net/mac80211/ht.c b/net/mac80211/ht.c
index 591add22bcc0..7cfc286946c0 100644
--- a/net/mac80211/ht.c
+++ b/net/mac80211/ht.c
@@ -140,6 +140,12 @@ void ieee80211_ba_session_work(struct work_struct *work)
140 sta, tid, WLAN_BACK_RECIPIENT, 140 sta, tid, WLAN_BACK_RECIPIENT,
141 WLAN_REASON_QSTA_TIMEOUT, true); 141 WLAN_REASON_QSTA_TIMEOUT, true);
142 142
143 if (test_and_clear_bit(tid,
144 sta->ampdu_mlme.tid_rx_stop_requested))
145 ___ieee80211_stop_rx_ba_session(
146 sta, tid, WLAN_BACK_RECIPIENT,
147 WLAN_REASON_UNSPECIFIED, true);
148
143 tid_tx = sta->ampdu_mlme.tid_start_tx[tid]; 149 tid_tx = sta->ampdu_mlme.tid_start_tx[tid];
144 if (tid_tx) { 150 if (tid_tx) {
145 /* 151 /*
diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
index 090b0ec1e056..4c7a831e7d1e 100644
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -202,7 +202,22 @@ struct ieee80211_rx_data {
202 struct ieee80211_key *key; 202 struct ieee80211_key *key;
203 203
204 unsigned int flags; 204 unsigned int flags;
205 int queue; 205
206 /*
207 * Index into sequence numbers array, 0..16
208 * since the last (16) is used for non-QoS,
209 * will be 16 on non-QoS frames.
210 */
211 int seqno_idx;
212
213 /*
214 * Index into the security IV/PN arrays, 0..16
215 * since the last (16) is used for CCMP-encrypted
216 * management frames, will be set to 16 on mgmt
217 * frames and 0 on non-QoS frames.
218 */
219 int security_idx;
220
206 u32 tkip_iv32; 221 u32 tkip_iv32;
207 u16 tkip_iv16; 222 u16 tkip_iv16;
208}; 223};
@@ -544,6 +559,9 @@ struct ieee80211_sub_if_data {
544 /* keys */ 559 /* keys */
545 struct list_head key_list; 560 struct list_head key_list;
546 561
562 /* count for keys needing tailroom space allocation */
563 int crypto_tx_tailroom_needed_cnt;
564
547 struct net_device *dev; 565 struct net_device *dev;
548 struct ieee80211_local *local; 566 struct ieee80211_local *local;
549 567
@@ -1350,10 +1368,12 @@ int ieee80211_build_preq_ies(struct ieee80211_local *local, u8 *buffer,
1350struct sk_buff *ieee80211_build_probe_req(struct ieee80211_sub_if_data *sdata, 1368struct sk_buff *ieee80211_build_probe_req(struct ieee80211_sub_if_data *sdata,
1351 u8 *dst, 1369 u8 *dst,
1352 const u8 *ssid, size_t ssid_len, 1370 const u8 *ssid, size_t ssid_len,
1353 const u8 *ie, size_t ie_len); 1371 const u8 *ie, size_t ie_len,
1372 bool directed);
1354void ieee80211_send_probe_req(struct ieee80211_sub_if_data *sdata, u8 *dst, 1373void ieee80211_send_probe_req(struct ieee80211_sub_if_data *sdata, u8 *dst,
1355 const u8 *ssid, size_t ssid_len, 1374 const u8 *ssid, size_t ssid_len,
1356 const u8 *ie, size_t ie_len); 1375 const u8 *ie, size_t ie_len,
1376 bool directed);
1357 1377
1358void ieee80211_sta_def_wmm_params(struct ieee80211_sub_if_data *sdata, 1378void ieee80211_sta_def_wmm_params(struct ieee80211_sub_if_data *sdata,
1359 const size_t supp_rates_len, 1379 const size_t supp_rates_len,
diff --git a/net/mac80211/key.c b/net/mac80211/key.c
index f825e2f0a57e..739bee13e813 100644
--- a/net/mac80211/key.c
+++ b/net/mac80211/key.c
@@ -61,6 +61,36 @@ static struct ieee80211_sta *get_sta_for_key(struct ieee80211_key *key)
61 return NULL; 61 return NULL;
62} 62}
63 63
64static void increment_tailroom_need_count(struct ieee80211_sub_if_data *sdata)
65{
66 /*
67 * When this count is zero, SKB resizing for allocating tailroom
68 * for IV or MMIC is skipped. But, this check has created two race
69 * cases in xmit path while transiting from zero count to one:
70 *
71 * 1. SKB resize was skipped because no key was added but just before
72 * the xmit key is added and SW encryption kicks off.
73 *
74 * 2. SKB resize was skipped because all the keys were hw planted but
75 * just before xmit one of the key is deleted and SW encryption kicks
76 * off.
77 *
78 * In both the above case SW encryption will find not enough space for
79 * tailroom and exits with WARN_ON. (See WARN_ONs at wpa.c)
80 *
81 * Solution has been explained at
82 * http://mid.gmane.org/1308590980.4322.19.camel@jlt3.sipsolutions.net
83 */
84
85 if (!sdata->crypto_tx_tailroom_needed_cnt++) {
86 /*
87 * Flush all XMIT packets currently using HW encryption or no
88 * encryption at all if the count transition is from 0 -> 1.
89 */
90 synchronize_net();
91 }
92}
93
64static int ieee80211_key_enable_hw_accel(struct ieee80211_key *key) 94static int ieee80211_key_enable_hw_accel(struct ieee80211_key *key)
65{ 95{
66 struct ieee80211_sub_if_data *sdata; 96 struct ieee80211_sub_if_data *sdata;
@@ -101,6 +131,11 @@ static int ieee80211_key_enable_hw_accel(struct ieee80211_key *key)
101 131
102 if (!ret) { 132 if (!ret) {
103 key->flags |= KEY_FLAG_UPLOADED_TO_HARDWARE; 133 key->flags |= KEY_FLAG_UPLOADED_TO_HARDWARE;
134
135 if (!((key->conf.flags & IEEE80211_KEY_FLAG_GENERATE_MMIC) ||
136 (key->conf.flags & IEEE80211_KEY_FLAG_GENERATE_IV)))
137 sdata->crypto_tx_tailroom_needed_cnt--;
138
104 return 0; 139 return 0;
105 } 140 }
106 141
@@ -142,6 +177,10 @@ static void ieee80211_key_disable_hw_accel(struct ieee80211_key *key)
142 sta = get_sta_for_key(key); 177 sta = get_sta_for_key(key);
143 sdata = key->sdata; 178 sdata = key->sdata;
144 179
180 if (!((key->conf.flags & IEEE80211_KEY_FLAG_GENERATE_MMIC) ||
181 (key->conf.flags & IEEE80211_KEY_FLAG_GENERATE_IV)))
182 increment_tailroom_need_count(sdata);
183
145 if (sdata->vif.type == NL80211_IFTYPE_AP_VLAN) 184 if (sdata->vif.type == NL80211_IFTYPE_AP_VLAN)
146 sdata = container_of(sdata->bss, 185 sdata = container_of(sdata->bss,
147 struct ieee80211_sub_if_data, 186 struct ieee80211_sub_if_data,
@@ -330,6 +369,7 @@ struct ieee80211_key *ieee80211_key_alloc(u32 cipher, int idx, size_t key_len,
330 get_unaligned_le16(seq); 369 get_unaligned_le16(seq);
331 } 370 }
332 } 371 }
372 spin_lock_init(&key->u.tkip.txlock);
333 break; 373 break;
334 case WLAN_CIPHER_SUITE_CCMP: 374 case WLAN_CIPHER_SUITE_CCMP:
335 key->conf.iv_len = CCMP_HDR_LEN; 375 key->conf.iv_len = CCMP_HDR_LEN;
@@ -394,8 +434,10 @@ static void __ieee80211_key_destroy(struct ieee80211_key *key)
394 ieee80211_aes_key_free(key->u.ccmp.tfm); 434 ieee80211_aes_key_free(key->u.ccmp.tfm);
395 if (key->conf.cipher == WLAN_CIPHER_SUITE_AES_CMAC) 435 if (key->conf.cipher == WLAN_CIPHER_SUITE_AES_CMAC)
396 ieee80211_aes_cmac_key_free(key->u.aes_cmac.tfm); 436 ieee80211_aes_cmac_key_free(key->u.aes_cmac.tfm);
397 if (key->local) 437 if (key->local) {
398 ieee80211_debugfs_key_remove(key); 438 ieee80211_debugfs_key_remove(key);
439 key->sdata->crypto_tx_tailroom_needed_cnt--;
440 }
399 441
400 kfree(key); 442 kfree(key);
401} 443}
@@ -452,6 +494,8 @@ int ieee80211_key_link(struct ieee80211_key *key,
452 else 494 else
453 old_key = key_mtx_dereference(sdata->local, sdata->keys[idx]); 495 old_key = key_mtx_dereference(sdata->local, sdata->keys[idx]);
454 496
497 increment_tailroom_need_count(sdata);
498
455 __ieee80211_key_replace(sdata, sta, pairwise, old_key, key); 499 __ieee80211_key_replace(sdata, sta, pairwise, old_key, key);
456 __ieee80211_key_destroy(old_key); 500 __ieee80211_key_destroy(old_key);
457 501
@@ -498,12 +542,49 @@ void ieee80211_enable_keys(struct ieee80211_sub_if_data *sdata)
498 542
499 mutex_lock(&sdata->local->key_mtx); 543 mutex_lock(&sdata->local->key_mtx);
500 544
501 list_for_each_entry(key, &sdata->key_list, list) 545 sdata->crypto_tx_tailroom_needed_cnt = 0;
546
547 list_for_each_entry(key, &sdata->key_list, list) {
548 increment_tailroom_need_count(sdata);
502 ieee80211_key_enable_hw_accel(key); 549 ieee80211_key_enable_hw_accel(key);
550 }
503 551
504 mutex_unlock(&sdata->local->key_mtx); 552 mutex_unlock(&sdata->local->key_mtx);
505} 553}
506 554
555void ieee80211_iter_keys(struct ieee80211_hw *hw,
556 struct ieee80211_vif *vif,
557 void (*iter)(struct ieee80211_hw *hw,
558 struct ieee80211_vif *vif,
559 struct ieee80211_sta *sta,
560 struct ieee80211_key_conf *key,
561 void *data),
562 void *iter_data)
563{
564 struct ieee80211_local *local = hw_to_local(hw);
565 struct ieee80211_key *key;
566 struct ieee80211_sub_if_data *sdata;
567
568 ASSERT_RTNL();
569
570 mutex_lock(&local->key_mtx);
571 if (vif) {
572 sdata = vif_to_sdata(vif);
573 list_for_each_entry(key, &sdata->key_list, list)
574 iter(hw, &sdata->vif,
575 key->sta ? &key->sta->sta : NULL,
576 &key->conf, iter_data);
577 } else {
578 list_for_each_entry(sdata, &local->interfaces, list)
579 list_for_each_entry(key, &sdata->key_list, list)
580 iter(hw, &sdata->vif,
581 key->sta ? &key->sta->sta : NULL,
582 &key->conf, iter_data);
583 }
584 mutex_unlock(&local->key_mtx);
585}
586EXPORT_SYMBOL(ieee80211_iter_keys);
587
507void ieee80211_disable_keys(struct ieee80211_sub_if_data *sdata) 588void ieee80211_disable_keys(struct ieee80211_sub_if_data *sdata)
508{ 589{
509 struct ieee80211_key *key; 590 struct ieee80211_key *key;
@@ -533,3 +614,89 @@ void ieee80211_free_keys(struct ieee80211_sub_if_data *sdata)
533 614
534 mutex_unlock(&sdata->local->key_mtx); 615 mutex_unlock(&sdata->local->key_mtx);
535} 616}
617
618
619void ieee80211_gtk_rekey_notify(struct ieee80211_vif *vif, const u8 *bssid,
620 const u8 *replay_ctr, gfp_t gfp)
621{
622 struct ieee80211_sub_if_data *sdata = vif_to_sdata(vif);
623
624 trace_api_gtk_rekey_notify(sdata, bssid, replay_ctr);
625
626 cfg80211_gtk_rekey_notify(sdata->dev, bssid, replay_ctr, gfp);
627}
628EXPORT_SYMBOL_GPL(ieee80211_gtk_rekey_notify);
629
630void ieee80211_get_key_tx_seq(struct ieee80211_key_conf *keyconf,
631 struct ieee80211_key_seq *seq)
632{
633 struct ieee80211_key *key;
634 u64 pn64;
635
636 if (WARN_ON(!(keyconf->flags & IEEE80211_KEY_FLAG_GENERATE_IV)))
637 return;
638
639 key = container_of(keyconf, struct ieee80211_key, conf);
640
641 switch (key->conf.cipher) {
642 case WLAN_CIPHER_SUITE_TKIP:
643 seq->tkip.iv32 = key->u.tkip.tx.iv32;
644 seq->tkip.iv16 = key->u.tkip.tx.iv16;
645 break;
646 case WLAN_CIPHER_SUITE_CCMP:
647 pn64 = atomic64_read(&key->u.ccmp.tx_pn);
648 seq->ccmp.pn[5] = pn64;
649 seq->ccmp.pn[4] = pn64 >> 8;
650 seq->ccmp.pn[3] = pn64 >> 16;
651 seq->ccmp.pn[2] = pn64 >> 24;
652 seq->ccmp.pn[1] = pn64 >> 32;
653 seq->ccmp.pn[0] = pn64 >> 40;
654 break;
655 case WLAN_CIPHER_SUITE_AES_CMAC:
656 pn64 = atomic64_read(&key->u.aes_cmac.tx_pn);
657 seq->ccmp.pn[5] = pn64;
658 seq->ccmp.pn[4] = pn64 >> 8;
659 seq->ccmp.pn[3] = pn64 >> 16;
660 seq->ccmp.pn[2] = pn64 >> 24;
661 seq->ccmp.pn[1] = pn64 >> 32;
662 seq->ccmp.pn[0] = pn64 >> 40;
663 break;
664 default:
665 WARN_ON(1);
666 }
667}
668EXPORT_SYMBOL(ieee80211_get_key_tx_seq);
669
670void ieee80211_get_key_rx_seq(struct ieee80211_key_conf *keyconf,
671 int tid, struct ieee80211_key_seq *seq)
672{
673 struct ieee80211_key *key;
674 const u8 *pn;
675
676 key = container_of(keyconf, struct ieee80211_key, conf);
677
678 switch (key->conf.cipher) {
679 case WLAN_CIPHER_SUITE_TKIP:
680 if (WARN_ON(tid < 0 || tid >= NUM_RX_DATA_QUEUES))
681 return;
682 seq->tkip.iv32 = key->u.tkip.rx[tid].iv32;
683 seq->tkip.iv16 = key->u.tkip.rx[tid].iv16;
684 break;
685 case WLAN_CIPHER_SUITE_CCMP:
686 if (WARN_ON(tid < -1 || tid >= NUM_RX_DATA_QUEUES))
687 return;
688 if (tid < 0)
689 pn = key->u.ccmp.rx_pn[NUM_RX_DATA_QUEUES];
690 else
691 pn = key->u.ccmp.rx_pn[tid];
692 memcpy(seq->ccmp.pn, pn, CCMP_PN_LEN);
693 break;
694 case WLAN_CIPHER_SUITE_AES_CMAC:
695 if (WARN_ON(tid != 0))
696 return;
697 pn = key->u.aes_cmac.rx_pn;
698 memcpy(seq->aes_cmac.pn, pn, CMAC_PN_LEN);
699 break;
700 }
701}
702EXPORT_SYMBOL(ieee80211_get_key_rx_seq);
diff --git a/net/mac80211/key.h b/net/mac80211/key.h
index d801d5351336..86b216b01415 100644
--- a/net/mac80211/key.h
+++ b/net/mac80211/key.h
@@ -28,8 +28,9 @@
28#define CCMP_PN_LEN 6 28#define CCMP_PN_LEN 6
29#define TKIP_IV_LEN 8 29#define TKIP_IV_LEN 8
30#define TKIP_ICV_LEN 4 30#define TKIP_ICV_LEN 4
31#define CMAC_PN_LEN 6
31 32
32#define NUM_RX_DATA_QUEUES 17 33#define NUM_RX_DATA_QUEUES 16
33 34
34struct ieee80211_local; 35struct ieee80211_local;
35struct ieee80211_sub_if_data; 36struct ieee80211_sub_if_data;
@@ -52,9 +53,10 @@ enum ieee80211_internal_tkip_state {
52}; 53};
53 54
54struct tkip_ctx { 55struct tkip_ctx {
55 u32 iv32; 56 u32 iv32; /* current iv32 */
56 u16 iv16; 57 u16 iv16; /* current iv16 */
57 u16 p1k[5]; 58 u16 p1k[5]; /* p1k cache */
59 u32 p1k_iv32; /* iv32 for which p1k computed */
58 enum ieee80211_internal_tkip_state state; 60 enum ieee80211_internal_tkip_state state;
59}; 61};
60 62
@@ -71,6 +73,9 @@ struct ieee80211_key {
71 73
72 union { 74 union {
73 struct { 75 struct {
76 /* protects tx context */
77 spinlock_t txlock;
78
74 /* last used TSC */ 79 /* last used TSC */
75 struct tkip_ctx tx; 80 struct tkip_ctx tx;
76 81
@@ -78,32 +83,23 @@ struct ieee80211_key {
78 struct tkip_ctx rx[NUM_RX_DATA_QUEUES]; 83 struct tkip_ctx rx[NUM_RX_DATA_QUEUES];
79 } tkip; 84 } tkip;
80 struct { 85 struct {
81 u8 tx_pn[6]; 86 atomic64_t tx_pn;
82 /* 87 /*
83 * Last received packet number. The first 88 * Last received packet number. The first
84 * NUM_RX_DATA_QUEUES counters are used with Data 89 * NUM_RX_DATA_QUEUES counters are used with Data
85 * frames and the last counter is used with Robust 90 * frames and the last counter is used with Robust
86 * Management frames. 91 * Management frames.
87 */ 92 */
88 u8 rx_pn[NUM_RX_DATA_QUEUES + 1][6]; 93 u8 rx_pn[NUM_RX_DATA_QUEUES + 1][CCMP_PN_LEN];
89 struct crypto_cipher *tfm; 94 struct crypto_cipher *tfm;
90 u32 replays; /* dot11RSNAStatsCCMPReplays */ 95 u32 replays; /* dot11RSNAStatsCCMPReplays */
91 /* scratch buffers for virt_to_page() (crypto API) */
92#ifndef AES_BLOCK_LEN
93#define AES_BLOCK_LEN 16
94#endif
95 u8 tx_crypto_buf[6 * AES_BLOCK_LEN];
96 u8 rx_crypto_buf[6 * AES_BLOCK_LEN];
97 } ccmp; 96 } ccmp;
98 struct { 97 struct {
99 u8 tx_pn[6]; 98 atomic64_t tx_pn;
100 u8 rx_pn[6]; 99 u8 rx_pn[CMAC_PN_LEN];
101 struct crypto_cipher *tfm; 100 struct crypto_cipher *tfm;
102 u32 replays; /* dot11RSNAStatsCMACReplays */ 101 u32 replays; /* dot11RSNAStatsCMACReplays */
103 u32 icverrors; /* dot11RSNAStatsCMACICVErrors */ 102 u32 icverrors; /* dot11RSNAStatsCMACICVErrors */
104 /* scratch buffers for virt_to_page() (crypto API) */
105 u8 tx_crypto_buf[2 * AES_BLOCK_LEN];
106 u8 rx_crypto_buf[2 * AES_BLOCK_LEN];
107 } aes_cmac; 103 } aes_cmac;
108 } u; 104 } u;
109 105
diff --git a/net/mac80211/mesh_pathtbl.c b/net/mac80211/mesh_pathtbl.c
index 0d2faacc3e87..068ee6518254 100644
--- a/net/mac80211/mesh_pathtbl.c
+++ b/net/mac80211/mesh_pathtbl.c
@@ -647,12 +647,12 @@ int mesh_path_del(u8 *addr, struct ieee80211_sub_if_data *sdata)
647 mpath = node->mpath; 647 mpath = node->mpath;
648 if (mpath->sdata == sdata && 648 if (mpath->sdata == sdata &&
649 memcmp(addr, mpath->dst, ETH_ALEN) == 0) { 649 memcmp(addr, mpath->dst, ETH_ALEN) == 0) {
650 spin_lock_bh(&mpath->state_lock); 650 spin_lock(&mpath->state_lock);
651 mpath->flags |= MESH_PATH_RESOLVING; 651 mpath->flags |= MESH_PATH_RESOLVING;
652 hlist_del_rcu(&node->list); 652 hlist_del_rcu(&node->list);
653 call_rcu(&node->rcu, mesh_path_node_reclaim); 653 call_rcu(&node->rcu, mesh_path_node_reclaim);
654 atomic_dec(&tbl->entries); 654 atomic_dec(&tbl->entries);
655 spin_unlock_bh(&mpath->state_lock); 655 spin_unlock(&mpath->state_lock);
656 goto enddel; 656 goto enddel;
657 } 657 }
658 } 658 }
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index d595265d6c22..b6d9bd5f4d3c 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -749,7 +749,7 @@ void ieee80211_dynamic_ps_enable_work(struct work_struct *work)
749 container_of(work, struct ieee80211_local, 749 container_of(work, struct ieee80211_local,
750 dynamic_ps_enable_work); 750 dynamic_ps_enable_work);
751 struct ieee80211_sub_if_data *sdata = local->ps_sdata; 751 struct ieee80211_sub_if_data *sdata = local->ps_sdata;
752 struct ieee80211_if_managed *ifmgd = &sdata->u.mgd; 752 struct ieee80211_if_managed *ifmgd;
753 unsigned long flags; 753 unsigned long flags;
754 int q; 754 int q;
755 755
@@ -757,26 +757,39 @@ void ieee80211_dynamic_ps_enable_work(struct work_struct *work)
757 if (!sdata) 757 if (!sdata)
758 return; 758 return;
759 759
760 ifmgd = &sdata->u.mgd;
761
760 if (local->hw.conf.flags & IEEE80211_CONF_PS) 762 if (local->hw.conf.flags & IEEE80211_CONF_PS)
761 return; 763 return;
762 764
763 /* 765 if (!local->disable_dynamic_ps &&
764 * transmission can be stopped by others which leads to 766 local->hw.conf.dynamic_ps_timeout > 0) {
765 * dynamic_ps_timer expiry. Postpond the ps timer if it 767 /* don't enter PS if TX frames are pending */
766 * is not the actual idle state. 768 if (drv_tx_frames_pending(local)) {
767 */
768 spin_lock_irqsave(&local->queue_stop_reason_lock, flags);
769 for (q = 0; q < local->hw.queues; q++) {
770 if (local->queue_stop_reasons[q]) {
771 spin_unlock_irqrestore(&local->queue_stop_reason_lock,
772 flags);
773 mod_timer(&local->dynamic_ps_timer, jiffies + 769 mod_timer(&local->dynamic_ps_timer, jiffies +
774 msecs_to_jiffies( 770 msecs_to_jiffies(
775 local->hw.conf.dynamic_ps_timeout)); 771 local->hw.conf.dynamic_ps_timeout));
776 return; 772 return;
777 } 773 }
774
775 /*
776 * transmission can be stopped by others which leads to
777 * dynamic_ps_timer expiry. Postpone the ps timer if it
778 * is not the actual idle state.
779 */
780 spin_lock_irqsave(&local->queue_stop_reason_lock, flags);
781 for (q = 0; q < local->hw.queues; q++) {
782 if (local->queue_stop_reasons[q]) {
783 spin_unlock_irqrestore(&local->queue_stop_reason_lock,
784 flags);
785 mod_timer(&local->dynamic_ps_timer, jiffies +
786 msecs_to_jiffies(
787 local->hw.conf.dynamic_ps_timeout));
788 return;
789 }
790 }
791 spin_unlock_irqrestore(&local->queue_stop_reason_lock, flags);
778 } 792 }
779 spin_unlock_irqrestore(&local->queue_stop_reason_lock, flags);
780 793
781 if ((local->hw.flags & IEEE80211_HW_PS_NULLFUNC_STACK) && 794 if ((local->hw.flags & IEEE80211_HW_PS_NULLFUNC_STACK) &&
782 (!(ifmgd->flags & IEEE80211_STA_NULLFUNC_ACKED))) { 795 (!(ifmgd->flags & IEEE80211_STA_NULLFUNC_ACKED))) {
@@ -801,7 +814,8 @@ void ieee80211_dynamic_ps_enable_work(struct work_struct *work)
801 ieee80211_hw_config(local, IEEE80211_CONF_CHANGE_PS); 814 ieee80211_hw_config(local, IEEE80211_CONF_CHANGE_PS);
802 } 815 }
803 816
804 netif_tx_wake_all_queues(sdata->dev); 817 if (local->hw.flags & IEEE80211_HW_PS_NULLFUNC_STACK)
818 netif_tx_wake_all_queues(sdata->dev);
805} 819}
806 820
807void ieee80211_dynamic_ps_timer(unsigned long data) 821void ieee80211_dynamic_ps_timer(unsigned long data)
@@ -1204,7 +1218,8 @@ static void ieee80211_mgd_probe_ap_send(struct ieee80211_sub_if_data *sdata)
1204 ieee80211_send_nullfunc(sdata->local, sdata, 0); 1218 ieee80211_send_nullfunc(sdata->local, sdata, 0);
1205 } else { 1219 } else {
1206 ssid = ieee80211_bss_get_ie(ifmgd->associated, WLAN_EID_SSID); 1220 ssid = ieee80211_bss_get_ie(ifmgd->associated, WLAN_EID_SSID);
1207 ieee80211_send_probe_req(sdata, dst, ssid + 2, ssid[1], NULL, 0); 1221 ieee80211_send_probe_req(sdata, dst, ssid + 2, ssid[1], NULL, 0,
1222 true);
1208 } 1223 }
1209 1224
1210 ifmgd->probe_send_count++; 1225 ifmgd->probe_send_count++;
@@ -1289,7 +1304,7 @@ struct sk_buff *ieee80211_ap_probereq_get(struct ieee80211_hw *hw,
1289 1304
1290 ssid = ieee80211_bss_get_ie(ifmgd->associated, WLAN_EID_SSID); 1305 ssid = ieee80211_bss_get_ie(ifmgd->associated, WLAN_EID_SSID);
1291 skb = ieee80211_build_probe_req(sdata, ifmgd->associated->bssid, 1306 skb = ieee80211_build_probe_req(sdata, ifmgd->associated->bssid,
1292 ssid + 2, ssid[1], NULL, 0); 1307 ssid + 2, ssid[1], NULL, 0, true);
1293 1308
1294 return skb; 1309 return skb;
1295} 1310}
@@ -2200,12 +2215,16 @@ void ieee80211_sta_restart(struct ieee80211_sub_if_data *sdata)
2200{ 2215{
2201 struct ieee80211_if_managed *ifmgd = &sdata->u.mgd; 2216 struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
2202 2217
2218 if (!ifmgd->associated)
2219 return;
2220
2203 if (test_and_clear_bit(TMR_RUNNING_TIMER, &ifmgd->timers_running)) 2221 if (test_and_clear_bit(TMR_RUNNING_TIMER, &ifmgd->timers_running))
2204 add_timer(&ifmgd->timer); 2222 add_timer(&ifmgd->timer);
2205 if (test_and_clear_bit(TMR_RUNNING_CHANSW, &ifmgd->timers_running)) 2223 if (test_and_clear_bit(TMR_RUNNING_CHANSW, &ifmgd->timers_running))
2206 add_timer(&ifmgd->chswitch_timer); 2224 add_timer(&ifmgd->chswitch_timer);
2207 ieee80211_sta_reset_beacon_monitor(sdata); 2225 ieee80211_sta_reset_beacon_monitor(sdata);
2208 ieee80211_restart_sta_timer(sdata); 2226 ieee80211_restart_sta_timer(sdata);
2227 ieee80211_queue_work(&sdata->local->hw, &sdata->u.mgd.monitor_work);
2209} 2228}
2210#endif 2229#endif
2211 2230
@@ -2652,3 +2671,10 @@ void ieee80211_cqm_rssi_notify(struct ieee80211_vif *vif,
2652 cfg80211_cqm_rssi_notify(sdata->dev, rssi_event, gfp); 2671 cfg80211_cqm_rssi_notify(sdata->dev, rssi_event, gfp);
2653} 2672}
2654EXPORT_SYMBOL(ieee80211_cqm_rssi_notify); 2673EXPORT_SYMBOL(ieee80211_cqm_rssi_notify);
2674
2675unsigned char ieee80211_get_operstate(struct ieee80211_vif *vif)
2676{
2677 struct ieee80211_sub_if_data *sdata = vif_to_sdata(vif);
2678 return sdata->dev->operstate;
2679}
2680EXPORT_SYMBOL(ieee80211_get_operstate);
diff --git a/net/mac80211/pm.c b/net/mac80211/pm.c
index 730778a2c90c..f87e993e713b 100644
--- a/net/mac80211/pm.c
+++ b/net/mac80211/pm.c
@@ -6,6 +6,28 @@
6#include "driver-ops.h" 6#include "driver-ops.h"
7#include "led.h" 7#include "led.h"
8 8
9/* return value indicates whether the driver should be further notified */
10static bool ieee80211_quiesce(struct ieee80211_sub_if_data *sdata)
11{
12 switch (sdata->vif.type) {
13 case NL80211_IFTYPE_STATION:
14 ieee80211_sta_quiesce(sdata);
15 return true;
16 case NL80211_IFTYPE_ADHOC:
17 ieee80211_ibss_quiesce(sdata);
18 return true;
19 case NL80211_IFTYPE_MESH_POINT:
20 ieee80211_mesh_quiesce(sdata);
21 return true;
22 case NL80211_IFTYPE_AP_VLAN:
23 case NL80211_IFTYPE_MONITOR:
24 /* don't tell driver about this */
25 return false;
26 default:
27 return true;
28 }
29}
30
9int __ieee80211_suspend(struct ieee80211_hw *hw, struct cfg80211_wowlan *wowlan) 31int __ieee80211_suspend(struct ieee80211_hw *hw, struct cfg80211_wowlan *wowlan)
10{ 32{
11 struct ieee80211_local *local = hw_to_local(hw); 33 struct ieee80211_local *local = hw_to_local(hw);
@@ -50,11 +72,19 @@ int __ieee80211_suspend(struct ieee80211_hw *hw, struct cfg80211_wowlan *wowlan)
50 local->wowlan = wowlan && local->open_count; 72 local->wowlan = wowlan && local->open_count;
51 if (local->wowlan) { 73 if (local->wowlan) {
52 int err = drv_suspend(local, wowlan); 74 int err = drv_suspend(local, wowlan);
53 if (err) { 75 if (err < 0) {
54 local->quiescing = false; 76 local->quiescing = false;
55 return err; 77 return err;
78 } else if (err > 0) {
79 WARN_ON(err != 1);
80 local->wowlan = false;
81 } else {
82 list_for_each_entry(sdata, &local->interfaces, list) {
83 cancel_work_sync(&sdata->work);
84 ieee80211_quiesce(sdata);
85 }
86 goto suspend;
56 } 87 }
57 goto suspend;
58 } 88 }
59 89
60 /* disable keys */ 90 /* disable keys */
@@ -82,23 +112,8 @@ int __ieee80211_suspend(struct ieee80211_hw *hw, struct cfg80211_wowlan *wowlan)
82 list_for_each_entry(sdata, &local->interfaces, list) { 112 list_for_each_entry(sdata, &local->interfaces, list) {
83 cancel_work_sync(&sdata->work); 113 cancel_work_sync(&sdata->work);
84 114
85 switch(sdata->vif.type) { 115 if (!ieee80211_quiesce(sdata))
86 case NL80211_IFTYPE_STATION:
87 ieee80211_sta_quiesce(sdata);
88 break;
89 case NL80211_IFTYPE_ADHOC:
90 ieee80211_ibss_quiesce(sdata);
91 break;
92 case NL80211_IFTYPE_MESH_POINT:
93 ieee80211_mesh_quiesce(sdata);
94 break;
95 case NL80211_IFTYPE_AP_VLAN:
96 case NL80211_IFTYPE_MONITOR:
97 /* don't tell driver about this */
98 continue; 116 continue;
99 default:
100 break;
101 }
102 117
103 if (!ieee80211_sdata_running(sdata)) 118 if (!ieee80211_sdata_running(sdata))
104 continue; 119 continue;
diff --git a/net/mac80211/rc80211_minstrel.c b/net/mac80211/rc80211_minstrel.c
index 8adac67395f7..58a89554b788 100644
--- a/net/mac80211/rc80211_minstrel.c
+++ b/net/mac80211/rc80211_minstrel.c
@@ -532,12 +532,21 @@ minstrel_alloc(struct ieee80211_hw *hw, struct dentry *debugfsdir)
532 mp->hw = hw; 532 mp->hw = hw;
533 mp->update_interval = 100; 533 mp->update_interval = 100;
534 534
535#ifdef CONFIG_MAC80211_DEBUGFS
536 mp->fixed_rate_idx = (u32) -1;
537 mp->dbg_fixed_rate = debugfs_create_u32("fixed_rate_idx",
538 S_IRUGO | S_IWUGO, debugfsdir, &mp->fixed_rate_idx);
539#endif
540
535 return mp; 541 return mp;
536} 542}
537 543
538static void 544static void
539minstrel_free(void *priv) 545minstrel_free(void *priv)
540{ 546{
547#ifdef CONFIG_MAC80211_DEBUGFS
548 debugfs_remove(((struct minstrel_priv *)priv)->dbg_fixed_rate);
549#endif
541 kfree(priv); 550 kfree(priv);
542} 551}
543 552
diff --git a/net/mac80211/rc80211_minstrel.h b/net/mac80211/rc80211_minstrel.h
index 0f5a83370aa6..5d278eccaef0 100644
--- a/net/mac80211/rc80211_minstrel.h
+++ b/net/mac80211/rc80211_minstrel.h
@@ -78,6 +78,18 @@ struct minstrel_priv {
78 unsigned int update_interval; 78 unsigned int update_interval;
79 unsigned int lookaround_rate; 79 unsigned int lookaround_rate;
80 unsigned int lookaround_rate_mrr; 80 unsigned int lookaround_rate_mrr;
81
82#ifdef CONFIG_MAC80211_DEBUGFS
83 /*
84 * enable fixed rate processing per RC
85 * - write static index to debugfs:ieee80211/phyX/rc/fixed_rate_idx
86 * - write -1 to enable RC processing again
87 * - setting will be applied on next update
88 */
89 u32 fixed_rate_idx;
90 struct dentry *dbg_fixed_rate;
91#endif
92
81}; 93};
82 94
83struct minstrel_debugfs_info { 95struct minstrel_debugfs_info {
diff --git a/net/mac80211/rc80211_minstrel_ht.c b/net/mac80211/rc80211_minstrel_ht.c
index 333b5118be6d..66a1eeb279c6 100644
--- a/net/mac80211/rc80211_minstrel_ht.c
+++ b/net/mac80211/rc80211_minstrel_ht.c
@@ -609,6 +609,13 @@ minstrel_ht_get_rate(void *priv, struct ieee80211_sta *sta, void *priv_sta,
609 609
610 info->flags |= mi->tx_flags; 610 info->flags |= mi->tx_flags;
611 sample_idx = minstrel_get_sample_rate(mp, mi); 611 sample_idx = minstrel_get_sample_rate(mp, mi);
612
613#ifdef CONFIG_MAC80211_DEBUGFS
614 /* use fixed index if set */
615 if (mp->fixed_rate_idx != -1)
616 sample_idx = mp->fixed_rate_idx;
617#endif
618
612 if (sample_idx >= 0) { 619 if (sample_idx >= 0) {
613 sample = true; 620 sample = true;
614 minstrel_ht_set_rate(mp, mi, &ar[0], sample_idx, 621 minstrel_ht_set_rate(mp, mi, &ar[0], sample_idx,
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 7fa8c6be7bf0..e6dccc70931d 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -331,15 +331,18 @@ static void ieee80211_parse_qos(struct ieee80211_rx_data *rx)
331{ 331{
332 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data; 332 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
333 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb); 333 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
334 int tid; 334 int tid, seqno_idx, security_idx;
335 335
336 /* does the frame have a qos control field? */ 336 /* does the frame have a qos control field? */
337 if (ieee80211_is_data_qos(hdr->frame_control)) { 337 if (ieee80211_is_data_qos(hdr->frame_control)) {
338 u8 *qc = ieee80211_get_qos_ctl(hdr); 338 u8 *qc = ieee80211_get_qos_ctl(hdr);
339 /* frame has qos control */ 339 /* frame has qos control */
340 tid = *qc & IEEE80211_QOS_CTL_TID_MASK; 340 tid = *qc & IEEE80211_QOS_CTL_TID_MASK;
341 if (*qc & IEEE80211_QOS_CONTROL_A_MSDU_PRESENT) 341 if (*qc & IEEE80211_QOS_CTL_A_MSDU_PRESENT)
342 status->rx_flags |= IEEE80211_RX_AMSDU; 342 status->rx_flags |= IEEE80211_RX_AMSDU;
343
344 seqno_idx = tid;
345 security_idx = tid;
343 } else { 346 } else {
344 /* 347 /*
345 * IEEE 802.11-2007, 7.1.3.4.1 ("Sequence Number field"): 348 * IEEE 802.11-2007, 7.1.3.4.1 ("Sequence Number field"):
@@ -352,10 +355,15 @@ static void ieee80211_parse_qos(struct ieee80211_rx_data *rx)
352 * 355 *
353 * We also use that counter for non-QoS STAs. 356 * We also use that counter for non-QoS STAs.
354 */ 357 */
355 tid = NUM_RX_DATA_QUEUES - 1; 358 seqno_idx = NUM_RX_DATA_QUEUES;
359 security_idx = 0;
360 if (ieee80211_is_mgmt(hdr->frame_control))
361 security_idx = NUM_RX_DATA_QUEUES;
362 tid = 0;
356 } 363 }
357 364
358 rx->queue = tid; 365 rx->seqno_idx = seqno_idx;
366 rx->security_idx = security_idx;
359 /* Set skb->priority to 1d tag if highest order bit of TID is not set. 367 /* Set skb->priority to 1d tag if highest order bit of TID is not set.
360 * For now, set skb->priority to 0 for other cases. */ 368 * For now, set skb->priority to 0 for other cases. */
361 rx->skb->priority = (tid > 7) ? 0 : tid; 369 rx->skb->priority = (tid > 7) ? 0 : tid;
@@ -810,7 +818,7 @@ ieee80211_rx_h_check(struct ieee80211_rx_data *rx)
810 /* Drop duplicate 802.11 retransmissions (IEEE 802.11 Chap. 9.2.9) */ 818 /* Drop duplicate 802.11 retransmissions (IEEE 802.11 Chap. 9.2.9) */
811 if (rx->sta && !is_multicast_ether_addr(hdr->addr1)) { 819 if (rx->sta && !is_multicast_ether_addr(hdr->addr1)) {
812 if (unlikely(ieee80211_has_retry(hdr->frame_control) && 820 if (unlikely(ieee80211_has_retry(hdr->frame_control) &&
813 rx->sta->last_seq_ctrl[rx->queue] == 821 rx->sta->last_seq_ctrl[rx->seqno_idx] ==
814 hdr->seq_ctrl)) { 822 hdr->seq_ctrl)) {
815 if (status->rx_flags & IEEE80211_RX_RA_MATCH) { 823 if (status->rx_flags & IEEE80211_RX_RA_MATCH) {
816 rx->local->dot11FrameDuplicateCount++; 824 rx->local->dot11FrameDuplicateCount++;
@@ -818,7 +826,7 @@ ieee80211_rx_h_check(struct ieee80211_rx_data *rx)
818 } 826 }
819 return RX_DROP_UNUSABLE; 827 return RX_DROP_UNUSABLE;
820 } else 828 } else
821 rx->sta->last_seq_ctrl[rx->queue] = hdr->seq_ctrl; 829 rx->sta->last_seq_ctrl[rx->seqno_idx] = hdr->seq_ctrl;
822 } 830 }
823 831
824 if (unlikely(rx->skb->len < 16)) { 832 if (unlikely(rx->skb->len < 16)) {
@@ -1374,11 +1382,10 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
1374 if (frag == 0) { 1382 if (frag == 0) {
1375 /* This is the first fragment of a new frame. */ 1383 /* This is the first fragment of a new frame. */
1376 entry = ieee80211_reassemble_add(rx->sdata, frag, seq, 1384 entry = ieee80211_reassemble_add(rx->sdata, frag, seq,
1377 rx->queue, &(rx->skb)); 1385 rx->seqno_idx, &(rx->skb));
1378 if (rx->key && rx->key->conf.cipher == WLAN_CIPHER_SUITE_CCMP && 1386 if (rx->key && rx->key->conf.cipher == WLAN_CIPHER_SUITE_CCMP &&
1379 ieee80211_has_protected(fc)) { 1387 ieee80211_has_protected(fc)) {
1380 int queue = ieee80211_is_mgmt(fc) ? 1388 int queue = rx->security_idx;
1381 NUM_RX_DATA_QUEUES : rx->queue;
1382 /* Store CCMP PN so that we can verify that the next 1389 /* Store CCMP PN so that we can verify that the next
1383 * fragment has a sequential PN value. */ 1390 * fragment has a sequential PN value. */
1384 entry->ccmp = 1; 1391 entry->ccmp = 1;
@@ -1392,7 +1399,8 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
1392 /* This is a fragment for a frame that should already be pending in 1399 /* This is a fragment for a frame that should already be pending in
1393 * fragment cache. Add this fragment to the end of the pending entry. 1400 * fragment cache. Add this fragment to the end of the pending entry.
1394 */ 1401 */
1395 entry = ieee80211_reassemble_find(rx->sdata, frag, seq, rx->queue, hdr); 1402 entry = ieee80211_reassemble_find(rx->sdata, frag, seq,
1403 rx->seqno_idx, hdr);
1396 if (!entry) { 1404 if (!entry) {
1397 I802_DEBUG_INC(rx->local->rx_handlers_drop_defrag); 1405 I802_DEBUG_INC(rx->local->rx_handlers_drop_defrag);
1398 return RX_DROP_MONITOR; 1406 return RX_DROP_MONITOR;
@@ -1412,8 +1420,7 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
1412 if (pn[i]) 1420 if (pn[i])
1413 break; 1421 break;
1414 } 1422 }
1415 queue = ieee80211_is_mgmt(fc) ? 1423 queue = rx->security_idx;
1416 NUM_RX_DATA_QUEUES : rx->queue;
1417 rpn = rx->key->u.ccmp.rx_pn[queue]; 1424 rpn = rx->key->u.ccmp.rx_pn[queue];
1418 if (memcmp(pn, rpn, CCMP_PN_LEN)) 1425 if (memcmp(pn, rpn, CCMP_PN_LEN))
1419 return RX_DROP_UNUSABLE; 1426 return RX_DROP_UNUSABLE;
@@ -2590,7 +2597,9 @@ void ieee80211_release_reorder_timeout(struct sta_info *sta, int tid)
2590 .sta = sta, 2597 .sta = sta,
2591 .sdata = sta->sdata, 2598 .sdata = sta->sdata,
2592 .local = sta->local, 2599 .local = sta->local,
2593 .queue = tid, 2600 /* This is OK -- must be QoS data frame */
2601 .security_idx = tid,
2602 .seqno_idx = tid,
2594 .flags = 0, 2603 .flags = 0,
2595 }; 2604 };
2596 struct tid_ampdu_rx *tid_agg_rx; 2605 struct tid_ampdu_rx *tid_agg_rx;
diff --git a/net/mac80211/scan.c b/net/mac80211/scan.c
index 669d2e32efb6..08a45ac3d6f8 100644
--- a/net/mac80211/scan.c
+++ b/net/mac80211/scan.c
@@ -228,6 +228,7 @@ ieee80211_scan_rx(struct ieee80211_sub_if_data *sdata, struct sk_buff *skb)
228static bool ieee80211_prep_hw_scan(struct ieee80211_local *local) 228static bool ieee80211_prep_hw_scan(struct ieee80211_local *local)
229{ 229{
230 struct cfg80211_scan_request *req = local->scan_req; 230 struct cfg80211_scan_request *req = local->scan_req;
231 struct ieee80211_sub_if_data *sdata = local->scan_sdata;
231 enum ieee80211_band band; 232 enum ieee80211_band band;
232 int i, ielen, n_chans; 233 int i, ielen, n_chans;
233 234
@@ -251,8 +252,8 @@ static bool ieee80211_prep_hw_scan(struct ieee80211_local *local)
251 local->hw_scan_req->n_channels = n_chans; 252 local->hw_scan_req->n_channels = n_chans;
252 253
253 ielen = ieee80211_build_preq_ies(local, (u8 *)local->hw_scan_req->ie, 254 ielen = ieee80211_build_preq_ies(local, (u8 *)local->hw_scan_req->ie,
254 req->ie, req->ie_len, band, (u32) -1, 255 req->ie, req->ie_len, band,
255 0); 256 sdata->rc_rateidx_mask[band], 0);
256 local->hw_scan_req->ie_len = ielen; 257 local->hw_scan_req->ie_len = ielen;
257 258
258 return true; 259 return true;
@@ -658,7 +659,8 @@ static void ieee80211_scan_state_send_probe(struct ieee80211_local *local,
658 sdata, NULL, 659 sdata, NULL,
659 local->scan_req->ssids[i].ssid, 660 local->scan_req->ssids[i].ssid,
660 local->scan_req->ssids[i].ssid_len, 661 local->scan_req->ssids[i].ssid_len,
661 local->scan_req->ie, local->scan_req->ie_len); 662 local->scan_req->ie, local->scan_req->ie_len,
663 false);
662 664
663 /* 665 /*
664 * After sending probe requests, wait for probe responses 666 * After sending probe requests, wait for probe responses
@@ -821,10 +823,8 @@ int ieee80211_request_internal_scan(struct ieee80211_sub_if_data *sdata,
821 */ 823 */
822void ieee80211_scan_cancel(struct ieee80211_local *local) 824void ieee80211_scan_cancel(struct ieee80211_local *local)
823{ 825{
824 bool abortscan;
825
826 /* 826 /*
827 * We are only canceling software scan, or deferred scan that was not 827 * We are canceling software scan, or deferred scan that was not
828 * yet really started (see __ieee80211_start_scan ). 828 * yet really started (see __ieee80211_start_scan ).
829 * 829 *
830 * Regarding hardware scan: 830 * Regarding hardware scan:
@@ -836,23 +836,30 @@ void ieee80211_scan_cancel(struct ieee80211_local *local)
836 * - we can not cancel scan_work since driver can schedule it 836 * - we can not cancel scan_work since driver can schedule it
837 * by ieee80211_scan_completed(..., true) to finish scan 837 * by ieee80211_scan_completed(..., true) to finish scan
838 * 838 *
839 * Hence low lever driver is responsible for canceling HW scan. 839 * Hence we only call the cancel_hw_scan() callback, but the low-level
840 * driver is still responsible for calling ieee80211_scan_completed()
841 * after the scan was completed/aborted.
840 */ 842 */
841 843
842 mutex_lock(&local->mtx); 844 mutex_lock(&local->mtx);
843 abortscan = local->scan_req && !test_bit(SCAN_HW_SCANNING, &local->scanning); 845 if (!local->scan_req)
844 if (abortscan) { 846 goto out;
845 /* 847
846 * The scan is canceled, but stop work from being pending. 848 if (test_bit(SCAN_HW_SCANNING, &local->scanning)) {
847 * 849 if (local->ops->cancel_hw_scan)
848 * If the work is currently running, it must be blocked on 850 drv_cancel_hw_scan(local, local->scan_sdata);
849 * the mutex, but we'll set scan_sdata = NULL and it'll 851 goto out;
850 * simply exit once it acquires the mutex.
851 */
852 cancel_delayed_work(&local->scan_work);
853 /* and clean up */
854 __ieee80211_scan_completed(&local->hw, true, false);
855 } 852 }
853
854 /*
855 * If the work is currently running, it must be blocked on
856 * the mutex, but we'll set scan_sdata = NULL and it'll
857 * simply exit once it acquires the mutex.
858 */
859 cancel_delayed_work(&local->scan_work);
860 /* and clean up */
861 __ieee80211_scan_completed(&local->hw, true, false);
862out:
856 mutex_unlock(&local->mtx); 863 mutex_unlock(&local->mtx);
857} 864}
858 865
diff --git a/net/mac80211/sta_info.h b/net/mac80211/sta_info.h
index c6ae8718bd57..28beb78e601e 100644
--- a/net/mac80211/sta_info.h
+++ b/net/mac80211/sta_info.h
@@ -158,6 +158,8 @@ struct tid_ampdu_rx {
158 * @work: work struct for starting/stopping aggregation 158 * @work: work struct for starting/stopping aggregation
159 * @tid_rx_timer_expired: bitmap indicating on which TIDs the 159 * @tid_rx_timer_expired: bitmap indicating on which TIDs the
160 * RX timer expired until the work for it runs 160 * RX timer expired until the work for it runs
161 * @tid_rx_stop_requested: bitmap indicating which BA sessions per TID the
162 * driver requested to close until the work for it runs
161 * @mtx: mutex to protect all TX data (except non-NULL assignments 163 * @mtx: mutex to protect all TX data (except non-NULL assignments
162 * to tid_tx[idx], which are protected by the sta spinlock) 164 * to tid_tx[idx], which are protected by the sta spinlock)
163 */ 165 */
@@ -166,6 +168,7 @@ struct sta_ampdu_mlme {
166 /* rx */ 168 /* rx */
167 struct tid_ampdu_rx __rcu *tid_rx[STA_TID_NUM]; 169 struct tid_ampdu_rx __rcu *tid_rx[STA_TID_NUM];
168 unsigned long tid_rx_timer_expired[BITS_TO_LONGS(STA_TID_NUM)]; 170 unsigned long tid_rx_timer_expired[BITS_TO_LONGS(STA_TID_NUM)];
171 unsigned long tid_rx_stop_requested[BITS_TO_LONGS(STA_TID_NUM)];
169 /* tx */ 172 /* tx */
170 struct work_struct work; 173 struct work_struct work;
171 struct tid_ampdu_tx __rcu *tid_tx[STA_TID_NUM]; 174 struct tid_ampdu_tx __rcu *tid_tx[STA_TID_NUM];
@@ -284,7 +287,8 @@ struct sta_info {
284 unsigned long rx_dropped; 287 unsigned long rx_dropped;
285 int last_signal; 288 int last_signal;
286 struct ewma avg_signal; 289 struct ewma avg_signal;
287 __le16 last_seq_ctrl[NUM_RX_DATA_QUEUES]; 290 /* Plus 1 for non-QoS frames */
291 __le16 last_seq_ctrl[NUM_RX_DATA_QUEUES + 1];
288 292
289 /* Updated from TX status path only, no locking requirements */ 293 /* Updated from TX status path only, no locking requirements */
290 unsigned long tx_filtered_count; 294 unsigned long tx_filtered_count;
diff --git a/net/mac80211/tkip.c b/net/mac80211/tkip.c
index 757e4eb2baf7..cc79e697cdb2 100644
--- a/net/mac80211/tkip.c
+++ b/net/mac80211/tkip.c
@@ -101,6 +101,7 @@ static void tkip_mixing_phase1(const u8 *tk, struct tkip_ctx *ctx,
101 p1k[4] += tkipS(p1k[3] ^ get_unaligned_le16(tk + 0 + j)) + i; 101 p1k[4] += tkipS(p1k[3] ^ get_unaligned_le16(tk + 0 + j)) + i;
102 } 102 }
103 ctx->state = TKIP_STATE_PHASE1_DONE; 103 ctx->state = TKIP_STATE_PHASE1_DONE;
104 ctx->p1k_iv32 = tsc_IV32;
104} 105}
105 106
106static void tkip_mixing_phase2(const u8 *tk, struct tkip_ctx *ctx, 107static void tkip_mixing_phase2(const u8 *tk, struct tkip_ctx *ctx,
@@ -140,60 +141,69 @@ static void tkip_mixing_phase2(const u8 *tk, struct tkip_ctx *ctx,
140/* Add TKIP IV and Ext. IV at @pos. @iv0, @iv1, and @iv2 are the first octets 141/* Add TKIP IV and Ext. IV at @pos. @iv0, @iv1, and @iv2 are the first octets
141 * of the IV. Returns pointer to the octet following IVs (i.e., beginning of 142 * of the IV. Returns pointer to the octet following IVs (i.e., beginning of
142 * the packet payload). */ 143 * the packet payload). */
143u8 *ieee80211_tkip_add_iv(u8 *pos, struct ieee80211_key *key, u16 iv16) 144u8 *ieee80211_tkip_add_iv(u8 *pos, struct ieee80211_key *key)
144{ 145{
145 pos = write_tkip_iv(pos, iv16); 146 lockdep_assert_held(&key->u.tkip.txlock);
147
148 pos = write_tkip_iv(pos, key->u.tkip.tx.iv16);
146 *pos++ = (key->conf.keyidx << 6) | (1 << 5) /* Ext IV */; 149 *pos++ = (key->conf.keyidx << 6) | (1 << 5) /* Ext IV */;
147 put_unaligned_le32(key->u.tkip.tx.iv32, pos); 150 put_unaligned_le32(key->u.tkip.tx.iv32, pos);
148 return pos + 4; 151 return pos + 4;
149} 152}
150 153
151void ieee80211_get_tkip_key(struct ieee80211_key_conf *keyconf, 154static void ieee80211_compute_tkip_p1k(struct ieee80211_key *key, u32 iv32)
152 struct sk_buff *skb, enum ieee80211_tkip_key_type type,
153 u8 *outkey)
154{ 155{
155 struct ieee80211_key *key = (struct ieee80211_key *) 156 struct ieee80211_sub_if_data *sdata = key->sdata;
156 container_of(keyconf, struct ieee80211_key, conf); 157 struct tkip_ctx *ctx = &key->u.tkip.tx;
157 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data; 158 const u8 *tk = &key->conf.key[NL80211_TKIP_DATA_OFFSET_ENCR_KEY];
158 u8 *data;
159 const u8 *tk;
160 struct tkip_ctx *ctx;
161 u16 iv16;
162 u32 iv32;
163
164 data = (u8 *)hdr + ieee80211_hdrlen(hdr->frame_control);
165 iv16 = data[2] | (data[0] << 8);
166 iv32 = get_unaligned_le32(&data[4]);
167
168 tk = &key->conf.key[NL80211_TKIP_DATA_OFFSET_ENCR_KEY];
169 ctx = &key->u.tkip.tx;
170 159
171#ifdef CONFIG_MAC80211_TKIP_DEBUG 160 lockdep_assert_held(&key->u.tkip.txlock);
172 printk(KERN_DEBUG "TKIP encrypt: iv16 = 0x%04x, iv32 = 0x%08x\n", 161
173 iv16, iv32); 162 /*
174 163 * Update the P1K when the IV32 is different from the value it
175 if (iv32 != ctx->iv32) { 164 * had when we last computed it (or when not initialised yet).
176 printk(KERN_DEBUG "skb: iv32 = 0x%08x key: iv32 = 0x%08x\n", 165 * This might flip-flop back and forth if packets are processed
177 iv32, ctx->iv32); 166 * out-of-order due to the different ACs, but then we have to
178 printk(KERN_DEBUG "Wrap around of iv16 in the middle of a " 167 * just compute the P1K more often.
179 "fragmented packet\n"); 168 */
180 } 169 if (ctx->p1k_iv32 != iv32 || ctx->state == TKIP_STATE_NOT_INIT)
181#endif 170 tkip_mixing_phase1(tk, ctx, sdata->vif.addr, iv32);
171}
182 172
183 /* Update the p1k only when the iv16 in the packet wraps around, this 173void ieee80211_get_tkip_p1k_iv(struct ieee80211_key_conf *keyconf,
184 * might occur after the wrap around of iv16 in the key in case of 174 u32 iv32, u16 *p1k)
185 * fragmented packets. */ 175{
186 if (iv16 == 0 || ctx->state == TKIP_STATE_NOT_INIT) 176 struct ieee80211_key *key = (struct ieee80211_key *)
187 tkip_mixing_phase1(tk, ctx, hdr->addr2, iv32); 177 container_of(keyconf, struct ieee80211_key, conf);
178 struct tkip_ctx *ctx = &key->u.tkip.tx;
179 unsigned long flags;
188 180
189 if (type == IEEE80211_TKIP_P1_KEY) { 181 spin_lock_irqsave(&key->u.tkip.txlock, flags);
190 memcpy(outkey, ctx->p1k, sizeof(u16) * 5); 182 ieee80211_compute_tkip_p1k(key, iv32);
191 return; 183 memcpy(p1k, ctx->p1k, sizeof(ctx->p1k));
192 } 184 spin_unlock_irqrestore(&key->u.tkip.txlock, flags);
185}
186EXPORT_SYMBOL(ieee80211_get_tkip_p1k_iv);
193 187
194 tkip_mixing_phase2(tk, ctx, iv16, outkey); 188void ieee80211_get_tkip_p2k(struct ieee80211_key_conf *keyconf,
189 struct sk_buff *skb, u8 *p2k)
190{
191 struct ieee80211_key *key = (struct ieee80211_key *)
192 container_of(keyconf, struct ieee80211_key, conf);
193 const u8 *tk = &key->conf.key[NL80211_TKIP_DATA_OFFSET_ENCR_KEY];
194 struct tkip_ctx *ctx = &key->u.tkip.tx;
195 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
196 const u8 *data = (u8 *)hdr + ieee80211_hdrlen(hdr->frame_control);
197 u32 iv32 = get_unaligned_le32(&data[4]);
198 u16 iv16 = data[2] | (data[0] << 8);
199 unsigned long flags;
200
201 spin_lock_irqsave(&key->u.tkip.txlock, flags);
202 ieee80211_compute_tkip_p1k(key, iv32);
203 tkip_mixing_phase2(tk, ctx, iv16, p2k);
204 spin_unlock_irqrestore(&key->u.tkip.txlock, flags);
195} 205}
196EXPORT_SYMBOL(ieee80211_get_tkip_key); 206EXPORT_SYMBOL(ieee80211_get_tkip_p2k);
197 207
198/* 208/*
199 * Encrypt packet payload with TKIP using @key. @pos is a pointer to the 209 * Encrypt packet payload with TKIP using @key. @pos is a pointer to the
@@ -204,19 +214,15 @@ EXPORT_SYMBOL(ieee80211_get_tkip_key);
204 */ 214 */
205int ieee80211_tkip_encrypt_data(struct crypto_cipher *tfm, 215int ieee80211_tkip_encrypt_data(struct crypto_cipher *tfm,
206 struct ieee80211_key *key, 216 struct ieee80211_key *key,
207 u8 *pos, size_t payload_len, u8 *ta) 217 struct sk_buff *skb,
218 u8 *payload, size_t payload_len)
208{ 219{
209 u8 rc4key[16]; 220 u8 rc4key[16];
210 struct tkip_ctx *ctx = &key->u.tkip.tx;
211 const u8 *tk = &key->conf.key[NL80211_TKIP_DATA_OFFSET_ENCR_KEY];
212
213 /* Calculate per-packet key */
214 if (ctx->iv16 == 0 || ctx->state == TKIP_STATE_NOT_INIT)
215 tkip_mixing_phase1(tk, ctx, ta, ctx->iv32);
216 221
217 tkip_mixing_phase2(tk, ctx, ctx->iv16, rc4key); 222 ieee80211_get_tkip_p2k(&key->conf, skb, rc4key);
218 223
219 return ieee80211_wep_encrypt_data(tfm, rc4key, 16, pos, payload_len); 224 return ieee80211_wep_encrypt_data(tfm, rc4key, 16,
225 payload, payload_len);
220} 226}
221 227
222/* Decrypt packet payload with TKIP using @key. @pos is a pointer to the 228/* Decrypt packet payload with TKIP using @key. @pos is a pointer to the
diff --git a/net/mac80211/tkip.h b/net/mac80211/tkip.h
index 1cab9c86978f..e3ecb659b90a 100644
--- a/net/mac80211/tkip.h
+++ b/net/mac80211/tkip.h
@@ -13,11 +13,13 @@
13#include <linux/crypto.h> 13#include <linux/crypto.h>
14#include "key.h" 14#include "key.h"
15 15
16u8 *ieee80211_tkip_add_iv(u8 *pos, struct ieee80211_key *key, u16 iv16); 16u8 *ieee80211_tkip_add_iv(u8 *pos, struct ieee80211_key *key);
17 17
18int ieee80211_tkip_encrypt_data(struct crypto_cipher *tfm, 18int ieee80211_tkip_encrypt_data(struct crypto_cipher *tfm,
19 struct ieee80211_key *key, 19 struct ieee80211_key *key,
20 u8 *pos, size_t payload_len, u8 *ta); 20 struct sk_buff *skb,
21 u8 *payload, size_t payload_len);
22
21enum { 23enum {
22 TKIP_DECRYPT_OK = 0, 24 TKIP_DECRYPT_OK = 0,
23 TKIP_DECRYPT_NO_EXT_IV = -1, 25 TKIP_DECRYPT_NO_EXT_IV = -1,
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index 3104c844b544..e8d0d2d22665 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -1474,18 +1474,14 @@ static bool ieee80211_tx(struct ieee80211_sub_if_data *sdata,
1474 1474
1475/* device xmit handlers */ 1475/* device xmit handlers */
1476 1476
1477static int ieee80211_skb_resize(struct ieee80211_local *local, 1477static int ieee80211_skb_resize(struct ieee80211_sub_if_data *sdata,
1478 struct sk_buff *skb, 1478 struct sk_buff *skb,
1479 int head_need, bool may_encrypt) 1479 int head_need, bool may_encrypt)
1480{ 1480{
1481 struct ieee80211_local *local = sdata->local;
1481 int tail_need = 0; 1482 int tail_need = 0;
1482 1483
1483 /* 1484 if (may_encrypt && sdata->crypto_tx_tailroom_needed_cnt) {
1484 * This could be optimised, devices that do full hardware
1485 * crypto (including TKIP MMIC) need no tailroom... But we
1486 * have no drivers for such devices currently.
1487 */
1488 if (may_encrypt) {
1489 tail_need = IEEE80211_ENCRYPT_TAILROOM; 1485 tail_need = IEEE80211_ENCRYPT_TAILROOM;
1490 tail_need -= skb_tailroom(skb); 1486 tail_need -= skb_tailroom(skb);
1491 tail_need = max_t(int, tail_need, 0); 1487 tail_need = max_t(int, tail_need, 0);
@@ -1578,7 +1574,7 @@ static void ieee80211_xmit(struct ieee80211_sub_if_data *sdata,
1578 headroom -= skb_headroom(skb); 1574 headroom -= skb_headroom(skb);
1579 headroom = max_t(int, 0, headroom); 1575 headroom = max_t(int, 0, headroom);
1580 1576
1581 if (ieee80211_skb_resize(local, skb, headroom, may_encrypt)) { 1577 if (ieee80211_skb_resize(sdata, skb, headroom, may_encrypt)) {
1582 dev_kfree_skb(skb); 1578 dev_kfree_skb(skb);
1583 rcu_read_unlock(); 1579 rcu_read_unlock();
1584 return; 1580 return;
@@ -1945,7 +1941,7 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
1945 head_need += IEEE80211_ENCRYPT_HEADROOM; 1941 head_need += IEEE80211_ENCRYPT_HEADROOM;
1946 head_need += local->tx_headroom; 1942 head_need += local->tx_headroom;
1947 head_need = max_t(int, 0, head_need); 1943 head_need = max_t(int, 0, head_need);
1948 if (ieee80211_skb_resize(local, skb, head_need, true)) 1944 if (ieee80211_skb_resize(sdata, skb, head_need, true))
1949 goto fail; 1945 goto fail;
1950 } 1946 }
1951 1947
diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index d3fe2d237485..652e5695225a 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -1018,7 +1018,8 @@ int ieee80211_build_preq_ies(struct ieee80211_local *local, u8 *buffer,
1018struct sk_buff *ieee80211_build_probe_req(struct ieee80211_sub_if_data *sdata, 1018struct sk_buff *ieee80211_build_probe_req(struct ieee80211_sub_if_data *sdata,
1019 u8 *dst, 1019 u8 *dst,
1020 const u8 *ssid, size_t ssid_len, 1020 const u8 *ssid, size_t ssid_len,
1021 const u8 *ie, size_t ie_len) 1021 const u8 *ie, size_t ie_len,
1022 bool directed)
1022{ 1023{
1023 struct ieee80211_local *local = sdata->local; 1024 struct ieee80211_local *local = sdata->local;
1024 struct sk_buff *skb; 1025 struct sk_buff *skb;
@@ -1035,8 +1036,16 @@ struct sk_buff *ieee80211_build_probe_req(struct ieee80211_sub_if_data *sdata,
1035 return NULL; 1036 return NULL;
1036 } 1037 }
1037 1038
1038 chan = ieee80211_frequency_to_channel( 1039 /*
1039 local->hw.conf.channel->center_freq); 1040 * Do not send DS Channel parameter for directed probe requests
1041 * in order to maximize the chance that we get a response. Some
1042 * badly-behaved APs don't respond when this parameter is included.
1043 */
1044 if (directed)
1045 chan = 0;
1046 else
1047 chan = ieee80211_frequency_to_channel(
1048 local->hw.conf.channel->center_freq);
1040 1049
1041 buf_len = ieee80211_build_preq_ies(local, buf, ie, ie_len, 1050 buf_len = ieee80211_build_preq_ies(local, buf, ie, ie_len,
1042 local->hw.conf.channel->band, 1051 local->hw.conf.channel->band,
@@ -1062,11 +1071,13 @@ struct sk_buff *ieee80211_build_probe_req(struct ieee80211_sub_if_data *sdata,
1062 1071
1063void ieee80211_send_probe_req(struct ieee80211_sub_if_data *sdata, u8 *dst, 1072void ieee80211_send_probe_req(struct ieee80211_sub_if_data *sdata, u8 *dst,
1064 const u8 *ssid, size_t ssid_len, 1073 const u8 *ssid, size_t ssid_len,
1065 const u8 *ie, size_t ie_len) 1074 const u8 *ie, size_t ie_len,
1075 bool directed)
1066{ 1076{
1067 struct sk_buff *skb; 1077 struct sk_buff *skb;
1068 1078
1069 skb = ieee80211_build_probe_req(sdata, dst, ssid, ssid_len, ie, ie_len); 1079 skb = ieee80211_build_probe_req(sdata, dst, ssid, ssid_len, ie, ie_len,
1080 directed);
1070 if (skb) 1081 if (skb)
1071 ieee80211_tx_skb(sdata, skb); 1082 ieee80211_tx_skb(sdata, skb);
1072} 1083}
@@ -1276,7 +1287,9 @@ int ieee80211_reconfig(struct ieee80211_local *local)
1276 if (ieee80211_sdata_running(sdata)) 1287 if (ieee80211_sdata_running(sdata))
1277 ieee80211_enable_keys(sdata); 1288 ieee80211_enable_keys(sdata);
1278 1289
1290#ifdef CONFIG_PM
1279 wake_up: 1291 wake_up:
1292#endif
1280 ieee80211_wake_queues_by_reason(hw, 1293 ieee80211_wake_queues_by_reason(hw,
1281 IEEE80211_QUEUE_STOP_REASON_SUSPEND); 1294 IEEE80211_QUEUE_STOP_REASON_SUSPEND);
1282 1295
diff --git a/net/mac80211/wme.c b/net/mac80211/wme.c
index 28bc084dbfb9..7a49532f14cb 100644
--- a/net/mac80211/wme.c
+++ b/net/mac80211/wme.c
@@ -151,8 +151,7 @@ void ieee80211_set_qos_hdr(struct ieee80211_local *local, struct sk_buff *skb)
151 tid = skb->priority & IEEE80211_QOS_CTL_TAG1D_MASK; 151 tid = skb->priority & IEEE80211_QOS_CTL_TAG1D_MASK;
152 152
153 if (unlikely(local->wifi_wme_noack_test)) 153 if (unlikely(local->wifi_wme_noack_test))
154 ack_policy |= QOS_CONTROL_ACK_POLICY_NOACK << 154 ack_policy |= IEEE80211_QOS_CTL_ACK_POLICY_NOACK;
155 QOS_CONTROL_ACK_POLICY_SHIFT;
156 /* qos header is 2 bytes, second reserved */ 155 /* qos header is 2 bytes, second reserved */
157 *p++ = ack_policy | tid; 156 *p++ = ack_policy | tid;
158 *p = 0; 157 *p = 0;
diff --git a/net/mac80211/wme.h b/net/mac80211/wme.h
index 6053b1c9feee..faead6d02026 100644
--- a/net/mac80211/wme.h
+++ b/net/mac80211/wme.h
@@ -13,11 +13,6 @@
13#include <linux/netdevice.h> 13#include <linux/netdevice.h>
14#include "ieee80211_i.h" 14#include "ieee80211_i.h"
15 15
16#define QOS_CONTROL_ACK_POLICY_NORMAL 0
17#define QOS_CONTROL_ACK_POLICY_NOACK 1
18
19#define QOS_CONTROL_ACK_POLICY_SHIFT 5
20
21extern const int ieee802_1d_to_ac[8]; 16extern const int ieee802_1d_to_ac[8];
22 17
23u16 ieee80211_select_queue(struct ieee80211_sub_if_data *sdata, 18u16 ieee80211_select_queue(struct ieee80211_sub_if_data *sdata,
diff --git a/net/mac80211/work.c b/net/mac80211/work.c
index d2e7f0e86677..edf8583280c9 100644
--- a/net/mac80211/work.c
+++ b/net/mac80211/work.c
@@ -450,7 +450,7 @@ ieee80211_direct_probe(struct ieee80211_work *wk)
450 * will not answer to direct packet in unassociated state. 450 * will not answer to direct packet in unassociated state.
451 */ 451 */
452 ieee80211_send_probe_req(sdata, NULL, wk->probe_auth.ssid, 452 ieee80211_send_probe_req(sdata, NULL, wk->probe_auth.ssid,
453 wk->probe_auth.ssid_len, NULL, 0); 453 wk->probe_auth.ssid_len, NULL, 0, true);
454 454
455 wk->timeout = jiffies + IEEE80211_AUTH_TIMEOUT; 455 wk->timeout = jiffies + IEEE80211_AUTH_TIMEOUT;
456 run_again(local, wk->timeout); 456 run_again(local, wk->timeout);
diff --git a/net/mac80211/wpa.c b/net/mac80211/wpa.c
index 8f6a302d2ac3..7bc8702808fa 100644
--- a/net/mac80211/wpa.c
+++ b/net/mac80211/wpa.c
@@ -15,6 +15,7 @@
15#include <linux/gfp.h> 15#include <linux/gfp.h>
16#include <asm/unaligned.h> 16#include <asm/unaligned.h>
17#include <net/mac80211.h> 17#include <net/mac80211.h>
18#include <crypto/aes.h>
18 19
19#include "ieee80211_i.h" 20#include "ieee80211_i.h"
20#include "michael.h" 21#include "michael.h"
@@ -86,11 +87,6 @@ ieee80211_rx_h_michael_mic_verify(struct ieee80211_rx_data *rx)
86 struct sk_buff *skb = rx->skb; 87 struct sk_buff *skb = rx->skb;
87 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 88 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
88 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data; 89 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
89 int queue = rx->queue;
90
91 /* otherwise, TKIP is vulnerable to TID 0 vs. non-QoS replays */
92 if (rx->queue == NUM_RX_DATA_QUEUES - 1)
93 queue = 0;
94 90
95 /* 91 /*
96 * it makes no sense to check for MIC errors on anything other 92 * it makes no sense to check for MIC errors on anything other
@@ -153,8 +149,8 @@ ieee80211_rx_h_michael_mic_verify(struct ieee80211_rx_data *rx)
153 149
154update_iv: 150update_iv:
155 /* update IV in key information to be able to detect replays */ 151 /* update IV in key information to be able to detect replays */
156 rx->key->u.tkip.rx[queue].iv32 = rx->tkip_iv32; 152 rx->key->u.tkip.rx[rx->security_idx].iv32 = rx->tkip_iv32;
157 rx->key->u.tkip.rx[queue].iv16 = rx->tkip_iv16; 153 rx->key->u.tkip.rx[rx->security_idx].iv16 = rx->tkip_iv16;
158 154
159 return RX_CONTINUE; 155 return RX_CONTINUE;
160 156
@@ -176,6 +172,7 @@ static int tkip_encrypt_skb(struct ieee80211_tx_data *tx, struct sk_buff *skb)
176 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data; 172 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
177 struct ieee80211_key *key = tx->key; 173 struct ieee80211_key *key = tx->key;
178 struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb); 174 struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
175 unsigned long flags;
179 unsigned int hdrlen; 176 unsigned int hdrlen;
180 int len, tail; 177 int len, tail;
181 u8 *pos; 178 u8 *pos;
@@ -203,11 +200,12 @@ static int tkip_encrypt_skb(struct ieee80211_tx_data *tx, struct sk_buff *skb)
203 pos += hdrlen; 200 pos += hdrlen;
204 201
205 /* Increase IV for the frame */ 202 /* Increase IV for the frame */
203 spin_lock_irqsave(&key->u.tkip.txlock, flags);
206 key->u.tkip.tx.iv16++; 204 key->u.tkip.tx.iv16++;
207 if (key->u.tkip.tx.iv16 == 0) 205 if (key->u.tkip.tx.iv16 == 0)
208 key->u.tkip.tx.iv32++; 206 key->u.tkip.tx.iv32++;
209 207 pos = ieee80211_tkip_add_iv(pos, key);
210 pos = ieee80211_tkip_add_iv(pos, key, key->u.tkip.tx.iv16); 208 spin_unlock_irqrestore(&key->u.tkip.txlock, flags);
211 209
212 /* hwaccel - with software IV */ 210 /* hwaccel - with software IV */
213 if (info->control.hw_key) 211 if (info->control.hw_key)
@@ -216,9 +214,8 @@ static int tkip_encrypt_skb(struct ieee80211_tx_data *tx, struct sk_buff *skb)
216 /* Add room for ICV */ 214 /* Add room for ICV */
217 skb_put(skb, TKIP_ICV_LEN); 215 skb_put(skb, TKIP_ICV_LEN);
218 216
219 hdr = (struct ieee80211_hdr *) skb->data;
220 return ieee80211_tkip_encrypt_data(tx->local->wep_tx_tfm, 217 return ieee80211_tkip_encrypt_data(tx->local->wep_tx_tfm,
221 key, pos, len, hdr->addr2); 218 key, skb, pos, len);
222} 219}
223 220
224 221
@@ -246,11 +243,6 @@ ieee80211_crypto_tkip_decrypt(struct ieee80211_rx_data *rx)
246 struct ieee80211_key *key = rx->key; 243 struct ieee80211_key *key = rx->key;
247 struct sk_buff *skb = rx->skb; 244 struct sk_buff *skb = rx->skb;
248 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 245 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
249 int queue = rx->queue;
250
251 /* otherwise, TKIP is vulnerable to TID 0 vs. non-QoS replays */
252 if (rx->queue == NUM_RX_DATA_QUEUES - 1)
253 queue = 0;
254 246
255 hdrlen = ieee80211_hdrlen(hdr->frame_control); 247 hdrlen = ieee80211_hdrlen(hdr->frame_control);
256 248
@@ -271,7 +263,7 @@ ieee80211_crypto_tkip_decrypt(struct ieee80211_rx_data *rx)
271 res = ieee80211_tkip_decrypt_data(rx->local->wep_rx_tfm, 263 res = ieee80211_tkip_decrypt_data(rx->local->wep_rx_tfm,
272 key, skb->data + hdrlen, 264 key, skb->data + hdrlen,
273 skb->len - hdrlen, rx->sta->sta.addr, 265 skb->len - hdrlen, rx->sta->sta.addr,
274 hdr->addr1, hwaccel, queue, 266 hdr->addr1, hwaccel, rx->security_idx,
275 &rx->tkip_iv32, 267 &rx->tkip_iv32,
276 &rx->tkip_iv16); 268 &rx->tkip_iv16);
277 if (res != TKIP_DECRYPT_OK) 269 if (res != TKIP_DECRYPT_OK)
@@ -299,8 +291,10 @@ static void ccmp_special_blocks(struct sk_buff *skb, u8 *pn, u8 *scratch,
299 unsigned int hdrlen; 291 unsigned int hdrlen;
300 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data; 292 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
301 293
302 b_0 = scratch + 3 * AES_BLOCK_LEN; 294 memset(scratch, 0, 6 * AES_BLOCK_SIZE);
303 aad = scratch + 4 * AES_BLOCK_LEN; 295
296 b_0 = scratch + 3 * AES_BLOCK_SIZE;
297 aad = scratch + 4 * AES_BLOCK_SIZE;
304 298
305 /* 299 /*
306 * Mask FC: zero subtype b4 b5 b6 (if not mgmt) 300 * Mask FC: zero subtype b4 b5 b6 (if not mgmt)
@@ -389,8 +383,10 @@ static int ccmp_encrypt_skb(struct ieee80211_tx_data *tx, struct sk_buff *skb)
389 struct ieee80211_key *key = tx->key; 383 struct ieee80211_key *key = tx->key;
390 struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb); 384 struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
391 int hdrlen, len, tail; 385 int hdrlen, len, tail;
392 u8 *pos, *pn; 386 u8 *pos;
393 int i; 387 u8 pn[6];
388 u64 pn64;
389 u8 scratch[6 * AES_BLOCK_SIZE];
394 390
395 if (info->control.hw_key && 391 if (info->control.hw_key &&
396 !(info->control.hw_key->flags & IEEE80211_KEY_FLAG_GENERATE_IV)) { 392 !(info->control.hw_key->flags & IEEE80211_KEY_FLAG_GENERATE_IV)) {
@@ -418,14 +414,14 @@ static int ccmp_encrypt_skb(struct ieee80211_tx_data *tx, struct sk_buff *skb)
418 hdr = (struct ieee80211_hdr *) pos; 414 hdr = (struct ieee80211_hdr *) pos;
419 pos += hdrlen; 415 pos += hdrlen;
420 416
421 /* PN = PN + 1 */ 417 pn64 = atomic64_inc_return(&key->u.ccmp.tx_pn);
422 pn = key->u.ccmp.tx_pn;
423 418
424 for (i = CCMP_PN_LEN - 1; i >= 0; i--) { 419 pn[5] = pn64;
425 pn[i]++; 420 pn[4] = pn64 >> 8;
426 if (pn[i]) 421 pn[3] = pn64 >> 16;
427 break; 422 pn[2] = pn64 >> 24;
428 } 423 pn[1] = pn64 >> 32;
424 pn[0] = pn64 >> 40;
429 425
430 ccmp_pn2hdr(pos, pn, key->conf.keyidx); 426 ccmp_pn2hdr(pos, pn, key->conf.keyidx);
431 427
@@ -434,8 +430,8 @@ static int ccmp_encrypt_skb(struct ieee80211_tx_data *tx, struct sk_buff *skb)
434 return 0; 430 return 0;
435 431
436 pos += CCMP_HDR_LEN; 432 pos += CCMP_HDR_LEN;
437 ccmp_special_blocks(skb, pn, key->u.ccmp.tx_crypto_buf, 0); 433 ccmp_special_blocks(skb, pn, scratch, 0);
438 ieee80211_aes_ccm_encrypt(key->u.ccmp.tfm, key->u.ccmp.tx_crypto_buf, pos, len, 434 ieee80211_aes_ccm_encrypt(key->u.ccmp.tfm, scratch, pos, len,
439 pos, skb_put(skb, CCMP_MIC_LEN)); 435 pos, skb_put(skb, CCMP_MIC_LEN));
440 436
441 return 0; 437 return 0;
@@ -482,8 +478,7 @@ ieee80211_crypto_ccmp_decrypt(struct ieee80211_rx_data *rx)
482 478
483 ccmp_hdr2pn(pn, skb->data + hdrlen); 479 ccmp_hdr2pn(pn, skb->data + hdrlen);
484 480
485 queue = ieee80211_is_mgmt(hdr->frame_control) ? 481 queue = rx->security_idx;
486 NUM_RX_DATA_QUEUES : rx->queue;
487 482
488 if (memcmp(pn, key->u.ccmp.rx_pn[queue], CCMP_PN_LEN) <= 0) { 483 if (memcmp(pn, key->u.ccmp.rx_pn[queue], CCMP_PN_LEN) <= 0) {
489 key->u.ccmp.replays++; 484 key->u.ccmp.replays++;
@@ -491,11 +486,12 @@ ieee80211_crypto_ccmp_decrypt(struct ieee80211_rx_data *rx)
491 } 486 }
492 487
493 if (!(status->flag & RX_FLAG_DECRYPTED)) { 488 if (!(status->flag & RX_FLAG_DECRYPTED)) {
489 u8 scratch[6 * AES_BLOCK_SIZE];
494 /* hardware didn't decrypt/verify MIC */ 490 /* hardware didn't decrypt/verify MIC */
495 ccmp_special_blocks(skb, pn, key->u.ccmp.rx_crypto_buf, 1); 491 ccmp_special_blocks(skb, pn, scratch, 1);
496 492
497 if (ieee80211_aes_ccm_decrypt( 493 if (ieee80211_aes_ccm_decrypt(
498 key->u.ccmp.tfm, key->u.ccmp.rx_crypto_buf, 494 key->u.ccmp.tfm, scratch,
499 skb->data + hdrlen + CCMP_HDR_LEN, data_len, 495 skb->data + hdrlen + CCMP_HDR_LEN, data_len,
500 skb->data + skb->len - CCMP_MIC_LEN, 496 skb->data + skb->len - CCMP_MIC_LEN,
501 skb->data + hdrlen + CCMP_HDR_LEN)) 497 skb->data + hdrlen + CCMP_HDR_LEN))
@@ -526,6 +522,16 @@ static void bip_aad(struct sk_buff *skb, u8 *aad)
526} 522}
527 523
528 524
525static inline void bip_ipn_set64(u8 *d, u64 pn)
526{
527 *d++ = pn;
528 *d++ = pn >> 8;
529 *d++ = pn >> 16;
530 *d++ = pn >> 24;
531 *d++ = pn >> 32;
532 *d = pn >> 40;
533}
534
529static inline void bip_ipn_swap(u8 *d, const u8 *s) 535static inline void bip_ipn_swap(u8 *d, const u8 *s)
530{ 536{
531 *d++ = s[5]; 537 *d++ = s[5];
@@ -544,8 +550,8 @@ ieee80211_crypto_aes_cmac_encrypt(struct ieee80211_tx_data *tx)
544 struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb); 550 struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
545 struct ieee80211_key *key = tx->key; 551 struct ieee80211_key *key = tx->key;
546 struct ieee80211_mmie *mmie; 552 struct ieee80211_mmie *mmie;
547 u8 *pn, aad[20]; 553 u8 aad[20];
548 int i; 554 u64 pn64;
549 555
550 if (info->control.hw_key) 556 if (info->control.hw_key)
551 return 0; 557 return 0;
@@ -559,22 +565,17 @@ ieee80211_crypto_aes_cmac_encrypt(struct ieee80211_tx_data *tx)
559 mmie->key_id = cpu_to_le16(key->conf.keyidx); 565 mmie->key_id = cpu_to_le16(key->conf.keyidx);
560 566
561 /* PN = PN + 1 */ 567 /* PN = PN + 1 */
562 pn = key->u.aes_cmac.tx_pn; 568 pn64 = atomic64_inc_return(&key->u.aes_cmac.tx_pn);
563 569
564 for (i = sizeof(key->u.aes_cmac.tx_pn) - 1; i >= 0; i--) { 570 bip_ipn_set64(mmie->sequence_number, pn64);
565 pn[i]++;
566 if (pn[i])
567 break;
568 }
569 bip_ipn_swap(mmie->sequence_number, pn);
570 571
571 bip_aad(skb, aad); 572 bip_aad(skb, aad);
572 573
573 /* 574 /*
574 * MIC = AES-128-CMAC(IGTK, AAD || Management Frame Body || MMIE, 64) 575 * MIC = AES-128-CMAC(IGTK, AAD || Management Frame Body || MMIE, 64)
575 */ 576 */
576 ieee80211_aes_cmac(key->u.aes_cmac.tfm, key->u.aes_cmac.tx_crypto_buf, 577 ieee80211_aes_cmac(key->u.aes_cmac.tfm, aad,
577 aad, skb->data + 24, skb->len - 24, mmie->mic); 578 skb->data + 24, skb->len - 24, mmie->mic);
578 579
579 return TX_CONTINUE; 580 return TX_CONTINUE;
580} 581}
@@ -612,8 +613,7 @@ ieee80211_crypto_aes_cmac_decrypt(struct ieee80211_rx_data *rx)
612 if (!(status->flag & RX_FLAG_DECRYPTED)) { 613 if (!(status->flag & RX_FLAG_DECRYPTED)) {
613 /* hardware didn't decrypt/verify MIC */ 614 /* hardware didn't decrypt/verify MIC */
614 bip_aad(skb, aad); 615 bip_aad(skb, aad);
615 ieee80211_aes_cmac(key->u.aes_cmac.tfm, 616 ieee80211_aes_cmac(key->u.aes_cmac.tfm, aad,
616 key->u.aes_cmac.rx_crypto_buf, aad,
617 skb->data + 24, skb->len - 24, mic); 617 skb->data + 24, skb->len - 24, mic);
618 if (memcmp(mic, mmie->mic, sizeof(mmie->mic)) != 0) { 618 if (memcmp(mic, mmie->mic, sizeof(mmie->mic)) != 0) {
619 key->u.aes_cmac.icverrors++; 619 key->u.aes_cmac.icverrors++;
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 6ef64adf7362..a7ec8512f552 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1693,6 +1693,8 @@ static int netlink_dump(struct sock *sk)
1693 if (!nlh) 1693 if (!nlh)
1694 goto errout_skb; 1694 goto errout_skb;
1695 1695
1696 nl_dump_check_consistent(cb, nlh);
1697
1696 memcpy(nlmsg_data(nlh), &len, sizeof(len)); 1698 memcpy(nlmsg_data(nlh), &len, sizeof(len));
1697 1699
1698 if (sk_filter(sk, skb)) 1700 if (sk_filter(sk, skb))
diff --git a/net/nfc/Kconfig b/net/nfc/Kconfig
new file mode 100644
index 000000000000..33e095b124b3
--- /dev/null
+++ b/net/nfc/Kconfig
@@ -0,0 +1,16 @@
1#
2# NFC sybsystem configuration
3#
4
5menuconfig NFC
6 depends on NET && EXPERIMENTAL
7 tristate "NFC subsystem support (EXPERIMENTAL)"
8 default n
9 help
10 Say Y here if you want to build support for NFC (Near field
11 communication) devices.
12
13 To compile this support as a module, choose M here: the module will
14 be called nfc.
15
16source "drivers/nfc/Kconfig"
diff --git a/net/nfc/Makefile b/net/nfc/Makefile
new file mode 100644
index 000000000000..16250c353851
--- /dev/null
+++ b/net/nfc/Makefile
@@ -0,0 +1,7 @@
1#
2# Makefile for the Linux NFC subsystem.
3#
4
5obj-$(CONFIG_NFC) += nfc.o
6
7nfc-objs := core.o netlink.o af_nfc.o rawsock.o
diff --git a/net/nfc/af_nfc.c b/net/nfc/af_nfc.c
new file mode 100644
index 000000000000..e982cef8f49d
--- /dev/null
+++ b/net/nfc/af_nfc.c
@@ -0,0 +1,98 @@
1/*
2 * Copyright (C) 2011 Instituto Nokia de Tecnologia
3 *
4 * Authors:
5 * Aloisio Almeida Jr <aloisio.almeida@openbossa.org>
6 * Lauro Ramos Venancio <lauro.venancio@openbossa.org>
7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the
20 * Free Software Foundation, Inc.,
21 * 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
22 */
23
24#include <linux/nfc.h>
25
26#include "nfc.h"
27
28static DEFINE_RWLOCK(proto_tab_lock);
29static const struct nfc_protocol *proto_tab[NFC_SOCKPROTO_MAX];
30
31static int nfc_sock_create(struct net *net, struct socket *sock, int proto,
32 int kern)
33{
34 int rc = -EPROTONOSUPPORT;
35
36 if (net != &init_net)
37 return -EAFNOSUPPORT;
38
39 if (proto < 0 || proto >= NFC_SOCKPROTO_MAX)
40 return -EINVAL;
41
42 read_lock(&proto_tab_lock);
43 if (proto_tab[proto] && try_module_get(proto_tab[proto]->owner)) {
44 rc = proto_tab[proto]->create(net, sock, proto_tab[proto]);
45 module_put(proto_tab[proto]->owner);
46 }
47 read_unlock(&proto_tab_lock);
48
49 return rc;
50}
51
52static struct net_proto_family nfc_sock_family_ops = {
53 .owner = THIS_MODULE,
54 .family = PF_NFC,
55 .create = nfc_sock_create,
56};
57
58int nfc_proto_register(const struct nfc_protocol *nfc_proto)
59{
60 int rc;
61
62 if (nfc_proto->id < 0 || nfc_proto->id >= NFC_SOCKPROTO_MAX)
63 return -EINVAL;
64
65 rc = proto_register(nfc_proto->proto, 0);
66 if (rc)
67 return rc;
68
69 write_lock(&proto_tab_lock);
70 if (proto_tab[nfc_proto->id])
71 rc = -EBUSY;
72 else
73 proto_tab[nfc_proto->id] = nfc_proto;
74 write_unlock(&proto_tab_lock);
75
76 return rc;
77}
78EXPORT_SYMBOL(nfc_proto_register);
79
80void nfc_proto_unregister(const struct nfc_protocol *nfc_proto)
81{
82 write_lock(&proto_tab_lock);
83 proto_tab[nfc_proto->id] = NULL;
84 write_unlock(&proto_tab_lock);
85
86 proto_unregister(nfc_proto->proto);
87}
88EXPORT_SYMBOL(nfc_proto_unregister);
89
90int __init af_nfc_init(void)
91{
92 return sock_register(&nfc_sock_family_ops);
93}
94
95void af_nfc_exit(void)
96{
97 sock_unregister(PF_NFC);
98}
diff --git a/net/nfc/core.c b/net/nfc/core.c
new file mode 100644
index 000000000000..b6fd4e1f2057
--- /dev/null
+++ b/net/nfc/core.c
@@ -0,0 +1,468 @@
1/*
2 * Copyright (C) 2011 Instituto Nokia de Tecnologia
3 *
4 * Authors:
5 * Lauro Ramos Venancio <lauro.venancio@openbossa.org>
6 * Aloisio Almeida Jr <aloisio.almeida@openbossa.org>
7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the
20 * Free Software Foundation, Inc.,
21 * 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
22 */
23
24#include <linux/init.h>
25#include <linux/kernel.h>
26#include <linux/module.h>
27#include <linux/slab.h>
28
29#include "nfc.h"
30
31#define VERSION "0.1"
32
33int nfc_devlist_generation;
34DEFINE_MUTEX(nfc_devlist_mutex);
35
36int nfc_printk(const char *level, const char *format, ...)
37{
38 struct va_format vaf;
39 va_list args;
40 int r;
41
42 va_start(args, format);
43
44 vaf.fmt = format;
45 vaf.va = &args;
46
47 r = printk("%sNFC: %pV\n", level, &vaf);
48
49 va_end(args);
50
51 return r;
52}
53EXPORT_SYMBOL(nfc_printk);
54
55/**
56 * nfc_start_poll - start polling for nfc targets
57 *
58 * @dev: The nfc device that must start polling
59 * @protocols: bitset of nfc protocols that must be used for polling
60 *
61 * The device remains polling for targets until a target is found or
62 * the nfc_stop_poll function is called.
63 */
64int nfc_start_poll(struct nfc_dev *dev, u32 protocols)
65{
66 int rc;
67
68 nfc_dbg("dev_name=%s protocols=0x%x", dev_name(&dev->dev), protocols);
69
70 if (!protocols)
71 return -EINVAL;
72
73 device_lock(&dev->dev);
74
75 if (!device_is_registered(&dev->dev)) {
76 rc = -ENODEV;
77 goto error;
78 }
79
80 if (dev->polling) {
81 rc = -EBUSY;
82 goto error;
83 }
84
85 rc = dev->ops->start_poll(dev, protocols);
86 if (!rc)
87 dev->polling = true;
88
89error:
90 device_unlock(&dev->dev);
91 return rc;
92}
93
94/**
95 * nfc_stop_poll - stop polling for nfc targets
96 *
97 * @dev: The nfc device that must stop polling
98 */
99int nfc_stop_poll(struct nfc_dev *dev)
100{
101 int rc = 0;
102
103 nfc_dbg("dev_name=%s", dev_name(&dev->dev));
104
105 device_lock(&dev->dev);
106
107 if (!device_is_registered(&dev->dev)) {
108 rc = -ENODEV;
109 goto error;
110 }
111
112 if (!dev->polling) {
113 rc = -EINVAL;
114 goto error;
115 }
116
117 dev->ops->stop_poll(dev);
118 dev->polling = false;
119
120error:
121 device_unlock(&dev->dev);
122 return rc;
123}
124
125/**
126 * nfc_activate_target - prepare the target for data exchange
127 *
128 * @dev: The nfc device that found the target
129 * @target_idx: index of the target that must be activated
130 * @protocol: nfc protocol that will be used for data exchange
131 */
132int nfc_activate_target(struct nfc_dev *dev, u32 target_idx, u32 protocol)
133{
134 int rc;
135
136 nfc_dbg("dev_name=%s target_idx=%u protocol=%u", dev_name(&dev->dev),
137 target_idx, protocol);
138
139 device_lock(&dev->dev);
140
141 if (!device_is_registered(&dev->dev)) {
142 rc = -ENODEV;
143 goto error;
144 }
145
146 rc = dev->ops->activate_target(dev, target_idx, protocol);
147
148error:
149 device_unlock(&dev->dev);
150 return rc;
151}
152
153/**
154 * nfc_deactivate_target - deactivate a nfc target
155 *
156 * @dev: The nfc device that found the target
157 * @target_idx: index of the target that must be deactivated
158 */
159int nfc_deactivate_target(struct nfc_dev *dev, u32 target_idx)
160{
161 int rc = 0;
162
163 nfc_dbg("dev_name=%s target_idx=%u", dev_name(&dev->dev), target_idx);
164
165 device_lock(&dev->dev);
166
167 if (!device_is_registered(&dev->dev)) {
168 rc = -ENODEV;
169 goto error;
170 }
171
172 dev->ops->deactivate_target(dev, target_idx);
173
174error:
175 device_unlock(&dev->dev);
176 return rc;
177}
178
179/**
180 * nfc_data_exchange - transceive data
181 *
182 * @dev: The nfc device that found the target
183 * @target_idx: index of the target
184 * @skb: data to be sent
185 * @cb: callback called when the response is received
186 * @cb_context: parameter for the callback function
187 *
188 * The user must wait for the callback before calling this function again.
189 */
190int nfc_data_exchange(struct nfc_dev *dev, u32 target_idx,
191 struct sk_buff *skb,
192 data_exchange_cb_t cb,
193 void *cb_context)
194{
195 int rc;
196
197 nfc_dbg("dev_name=%s target_idx=%u skb->len=%u", dev_name(&dev->dev),
198 target_idx, skb->len);
199
200 device_lock(&dev->dev);
201
202 if (!device_is_registered(&dev->dev)) {
203 rc = -ENODEV;
204 kfree_skb(skb);
205 goto error;
206 }
207
208 rc = dev->ops->data_exchange(dev, target_idx, skb, cb, cb_context);
209
210error:
211 device_unlock(&dev->dev);
212 return rc;
213}
214
215/**
216 * nfc_alloc_skb - allocate a skb for data exchange responses
217 *
218 * @size: size to allocate
219 * @gfp: gfp flags
220 */
221struct sk_buff *nfc_alloc_skb(unsigned int size, gfp_t gfp)
222{
223 struct sk_buff *skb;
224 unsigned int total_size;
225
226 total_size = size + 1;
227 skb = alloc_skb(total_size, gfp);
228
229 if (skb)
230 skb_reserve(skb, 1);
231
232 return skb;
233}
234EXPORT_SYMBOL(nfc_alloc_skb);
235
236/**
237 * nfc_targets_found - inform that targets were found
238 *
239 * @dev: The nfc device that found the targets
240 * @targets: array of nfc targets found
241 * @ntargets: targets array size
242 *
243 * The device driver must call this function when one or many nfc targets
244 * are found. After calling this function, the device driver must stop
245 * polling for targets.
246 */
247int nfc_targets_found(struct nfc_dev *dev, struct nfc_target *targets,
248 int n_targets)
249{
250 int i;
251
252 nfc_dbg("dev_name=%s n_targets=%d", dev_name(&dev->dev), n_targets);
253
254 dev->polling = false;
255
256 for (i = 0; i < n_targets; i++)
257 targets[i].idx = dev->target_idx++;
258
259 spin_lock_bh(&dev->targets_lock);
260
261 dev->targets_generation++;
262
263 kfree(dev->targets);
264 dev->targets = kmemdup(targets, n_targets * sizeof(struct nfc_target),
265 GFP_ATOMIC);
266
267 if (!dev->targets) {
268 dev->n_targets = 0;
269 spin_unlock_bh(&dev->targets_lock);
270 return -ENOMEM;
271 }
272
273 dev->n_targets = n_targets;
274 spin_unlock_bh(&dev->targets_lock);
275
276 nfc_genl_targets_found(dev);
277
278 return 0;
279}
280EXPORT_SYMBOL(nfc_targets_found);
281
282static void nfc_release(struct device *d)
283{
284 struct nfc_dev *dev = to_nfc_dev(d);
285
286 nfc_dbg("dev_name=%s", dev_name(&dev->dev));
287
288 nfc_genl_data_exit(&dev->genl_data);
289 kfree(dev->targets);
290 kfree(dev);
291}
292
293struct class nfc_class = {
294 .name = "nfc",
295 .dev_release = nfc_release,
296};
297EXPORT_SYMBOL(nfc_class);
298
299static int match_idx(struct device *d, void *data)
300{
301 struct nfc_dev *dev = to_nfc_dev(d);
302 unsigned *idx = data;
303
304 return dev->idx == *idx;
305}
306
307struct nfc_dev *nfc_get_device(unsigned idx)
308{
309 struct device *d;
310
311 d = class_find_device(&nfc_class, NULL, &idx, match_idx);
312 if (!d)
313 return NULL;
314
315 return to_nfc_dev(d);
316}
317
318/**
319 * nfc_allocate_device - allocate a new nfc device
320 *
321 * @ops: device operations
322 * @supported_protocols: NFC protocols supported by the device
323 */
324struct nfc_dev *nfc_allocate_device(struct nfc_ops *ops,
325 u32 supported_protocols)
326{
327 static atomic_t dev_no = ATOMIC_INIT(0);
328 struct nfc_dev *dev;
329
330 if (!ops->start_poll || !ops->stop_poll || !ops->activate_target ||
331 !ops->deactivate_target || !ops->data_exchange)
332 return NULL;
333
334 if (!supported_protocols)
335 return NULL;
336
337 dev = kzalloc(sizeof(struct nfc_dev), GFP_KERNEL);
338 if (!dev)
339 return NULL;
340
341 dev->dev.class = &nfc_class;
342 dev->idx = atomic_inc_return(&dev_no) - 1;
343 dev_set_name(&dev->dev, "nfc%d", dev->idx);
344 device_initialize(&dev->dev);
345
346 dev->ops = ops;
347 dev->supported_protocols = supported_protocols;
348
349 spin_lock_init(&dev->targets_lock);
350 nfc_genl_data_init(&dev->genl_data);
351
352 /* first generation must not be 0 */
353 dev->targets_generation = 1;
354
355 return dev;
356}
357EXPORT_SYMBOL(nfc_allocate_device);
358
359/**
360 * nfc_register_device - register a nfc device in the nfc subsystem
361 *
362 * @dev: The nfc device to register
363 */
364int nfc_register_device(struct nfc_dev *dev)
365{
366 int rc;
367
368 nfc_dbg("dev_name=%s", dev_name(&dev->dev));
369
370 mutex_lock(&nfc_devlist_mutex);
371 nfc_devlist_generation++;
372 rc = device_add(&dev->dev);
373 mutex_unlock(&nfc_devlist_mutex);
374
375 if (rc < 0)
376 return rc;
377
378 rc = nfc_genl_device_added(dev);
379 if (rc)
380 nfc_dbg("The userspace won't be notified that the device %s was"
381 " added", dev_name(&dev->dev));
382
383
384 return 0;
385}
386EXPORT_SYMBOL(nfc_register_device);
387
388/**
389 * nfc_unregister_device - unregister a nfc device in the nfc subsystem
390 *
391 * @dev: The nfc device to unregister
392 */
393void nfc_unregister_device(struct nfc_dev *dev)
394{
395 int rc;
396
397 nfc_dbg("dev_name=%s", dev_name(&dev->dev));
398
399 mutex_lock(&nfc_devlist_mutex);
400 nfc_devlist_generation++;
401
402 /* lock to avoid unregistering a device while an operation
403 is in progress */
404 device_lock(&dev->dev);
405 device_del(&dev->dev);
406 device_unlock(&dev->dev);
407
408 mutex_unlock(&nfc_devlist_mutex);
409
410 rc = nfc_genl_device_removed(dev);
411 if (rc)
412 nfc_dbg("The userspace won't be notified that the device %s"
413 " was removed", dev_name(&dev->dev));
414
415}
416EXPORT_SYMBOL(nfc_unregister_device);
417
418static int __init nfc_init(void)
419{
420 int rc;
421
422 nfc_info("NFC Core ver %s", VERSION);
423
424 rc = class_register(&nfc_class);
425 if (rc)
426 return rc;
427
428 rc = nfc_genl_init();
429 if (rc)
430 goto err_genl;
431
432 /* the first generation must not be 0 */
433 nfc_devlist_generation = 1;
434
435 rc = rawsock_init();
436 if (rc)
437 goto err_rawsock;
438
439 rc = af_nfc_init();
440 if (rc)
441 goto err_af_nfc;
442
443 return 0;
444
445err_af_nfc:
446 rawsock_exit();
447err_rawsock:
448 nfc_genl_exit();
449err_genl:
450 class_unregister(&nfc_class);
451 return rc;
452}
453
454static void __exit nfc_exit(void)
455{
456 af_nfc_exit();
457 rawsock_exit();
458 nfc_genl_exit();
459 class_unregister(&nfc_class);
460}
461
462subsys_initcall(nfc_init);
463module_exit(nfc_exit);
464
465MODULE_AUTHOR("Lauro Ramos Venancio <lauro.venancio@openbossa.org>");
466MODULE_DESCRIPTION("NFC Core ver " VERSION);
467MODULE_VERSION(VERSION);
468MODULE_LICENSE("GPL");
diff --git a/net/nfc/netlink.c b/net/nfc/netlink.c
new file mode 100644
index 000000000000..ccdff7953f7d
--- /dev/null
+++ b/net/nfc/netlink.c
@@ -0,0 +1,537 @@
1/*
2 * Copyright (C) 2011 Instituto Nokia de Tecnologia
3 *
4 * Authors:
5 * Lauro Ramos Venancio <lauro.venancio@openbossa.org>
6 * Aloisio Almeida Jr <aloisio.almeida@openbossa.org>
7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the
20 * Free Software Foundation, Inc.,
21 * 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
22 */
23
24#include <net/genetlink.h>
25#include <linux/nfc.h>
26#include <linux/slab.h>
27
28#include "nfc.h"
29
30static struct genl_multicast_group nfc_genl_event_mcgrp = {
31 .name = NFC_GENL_MCAST_EVENT_NAME,
32};
33
34struct genl_family nfc_genl_family = {
35 .id = GENL_ID_GENERATE,
36 .hdrsize = 0,
37 .name = NFC_GENL_NAME,
38 .version = NFC_GENL_VERSION,
39 .maxattr = NFC_ATTR_MAX,
40};
41
42static const struct nla_policy nfc_genl_policy[NFC_ATTR_MAX + 1] = {
43 [NFC_ATTR_DEVICE_INDEX] = { .type = NLA_U32 },
44 [NFC_ATTR_DEVICE_NAME] = { .type = NLA_STRING,
45 .len = NFC_DEVICE_NAME_MAXSIZE },
46 [NFC_ATTR_PROTOCOLS] = { .type = NLA_U32 },
47};
48
49static int nfc_genl_send_target(struct sk_buff *msg, struct nfc_target *target,
50 struct netlink_callback *cb, int flags)
51{
52 void *hdr;
53
54 nfc_dbg("entry");
55
56 hdr = genlmsg_put(msg, NETLINK_CB(cb->skb).pid, cb->nlh->nlmsg_seq,
57 &nfc_genl_family, flags, NFC_CMD_GET_TARGET);
58 if (!hdr)
59 return -EMSGSIZE;
60
61 genl_dump_check_consistent(cb, hdr, &nfc_genl_family);
62
63 NLA_PUT_U32(msg, NFC_ATTR_TARGET_INDEX, target->idx);
64 NLA_PUT_U32(msg, NFC_ATTR_PROTOCOLS,
65 target->supported_protocols);
66 NLA_PUT_U16(msg, NFC_ATTR_TARGET_SENS_RES, target->sens_res);
67 NLA_PUT_U8(msg, NFC_ATTR_TARGET_SEL_RES, target->sel_res);
68
69 return genlmsg_end(msg, hdr);
70
71nla_put_failure:
72 genlmsg_cancel(msg, hdr);
73 return -EMSGSIZE;
74}
75
76static struct nfc_dev *__get_device_from_cb(struct netlink_callback *cb)
77{
78 struct nfc_dev *dev;
79 int rc;
80 u32 idx;
81
82 rc = nlmsg_parse(cb->nlh, GENL_HDRLEN + nfc_genl_family.hdrsize,
83 nfc_genl_family.attrbuf,
84 nfc_genl_family.maxattr,
85 nfc_genl_policy);
86 if (rc < 0)
87 return ERR_PTR(rc);
88
89 if (!nfc_genl_family.attrbuf[NFC_ATTR_DEVICE_INDEX])
90 return ERR_PTR(-EINVAL);
91
92 idx = nla_get_u32(nfc_genl_family.attrbuf[NFC_ATTR_DEVICE_INDEX]);
93
94 dev = nfc_get_device(idx);
95 if (!dev)
96 return ERR_PTR(-ENODEV);
97
98 return dev;
99}
100
101static int nfc_genl_dump_targets(struct sk_buff *skb,
102 struct netlink_callback *cb)
103{
104 int i = cb->args[0];
105 struct nfc_dev *dev = (struct nfc_dev *) cb->args[1];
106 int rc;
107
108 nfc_dbg("entry");
109
110 if (!dev) {
111 dev = __get_device_from_cb(cb);
112 if (IS_ERR(dev))
113 return PTR_ERR(dev);
114
115 cb->args[1] = (long) dev;
116 }
117
118 spin_lock_bh(&dev->targets_lock);
119
120 cb->seq = dev->targets_generation;
121
122 while (i < dev->n_targets) {
123 rc = nfc_genl_send_target(skb, &dev->targets[i], cb,
124 NLM_F_MULTI);
125 if (rc < 0)
126 break;
127
128 i++;
129 }
130
131 spin_unlock_bh(&dev->targets_lock);
132
133 cb->args[0] = i;
134
135 return skb->len;
136}
137
138static int nfc_genl_dump_targets_done(struct netlink_callback *cb)
139{
140 struct nfc_dev *dev = (struct nfc_dev *) cb->args[1];
141
142 nfc_dbg("entry");
143
144 if (dev)
145 nfc_put_device(dev);
146
147 return 0;
148}
149
150int nfc_genl_targets_found(struct nfc_dev *dev)
151{
152 struct sk_buff *msg;
153 void *hdr;
154
155 nfc_dbg("entry");
156
157 dev->genl_data.poll_req_pid = 0;
158
159 msg = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC);
160 if (!msg)
161 return -ENOMEM;
162
163 hdr = genlmsg_put(msg, 0, 0, &nfc_genl_family, 0,
164 NFC_EVENT_TARGETS_FOUND);
165 if (!hdr)
166 goto free_msg;
167
168 NLA_PUT_U32(msg, NFC_ATTR_DEVICE_INDEX, dev->idx);
169
170 genlmsg_end(msg, hdr);
171
172 return genlmsg_multicast(msg, 0, nfc_genl_event_mcgrp.id, GFP_ATOMIC);
173
174nla_put_failure:
175 genlmsg_cancel(msg, hdr);
176free_msg:
177 nlmsg_free(msg);
178 return -EMSGSIZE;
179}
180
181int nfc_genl_device_added(struct nfc_dev *dev)
182{
183 struct sk_buff *msg;
184 void *hdr;
185
186 nfc_dbg("entry");
187
188 msg = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
189 if (!msg)
190 return -ENOMEM;
191
192 hdr = genlmsg_put(msg, 0, 0, &nfc_genl_family, 0,
193 NFC_EVENT_DEVICE_ADDED);
194 if (!hdr)
195 goto free_msg;
196
197 NLA_PUT_STRING(msg, NFC_ATTR_DEVICE_NAME, nfc_device_name(dev));
198 NLA_PUT_U32(msg, NFC_ATTR_DEVICE_INDEX, dev->idx);
199 NLA_PUT_U32(msg, NFC_ATTR_PROTOCOLS, dev->supported_protocols);
200
201 genlmsg_end(msg, hdr);
202
203 genlmsg_multicast(msg, 0, nfc_genl_event_mcgrp.id, GFP_KERNEL);
204
205 return 0;
206
207nla_put_failure:
208 genlmsg_cancel(msg, hdr);
209free_msg:
210 nlmsg_free(msg);
211 return -EMSGSIZE;
212}
213
214int nfc_genl_device_removed(struct nfc_dev *dev)
215{
216 struct sk_buff *msg;
217 void *hdr;
218
219 nfc_dbg("entry");
220
221 msg = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
222 if (!msg)
223 return -ENOMEM;
224
225 hdr = genlmsg_put(msg, 0, 0, &nfc_genl_family, 0,
226 NFC_EVENT_DEVICE_REMOVED);
227 if (!hdr)
228 goto free_msg;
229
230 NLA_PUT_U32(msg, NFC_ATTR_DEVICE_INDEX, dev->idx);
231
232 genlmsg_end(msg, hdr);
233
234 genlmsg_multicast(msg, 0, nfc_genl_event_mcgrp.id, GFP_KERNEL);
235
236 return 0;
237
238nla_put_failure:
239 genlmsg_cancel(msg, hdr);
240free_msg:
241 nlmsg_free(msg);
242 return -EMSGSIZE;
243}
244
245static int nfc_genl_send_device(struct sk_buff *msg, struct nfc_dev *dev,
246 u32 pid, u32 seq,
247 struct netlink_callback *cb,
248 int flags)
249{
250 void *hdr;
251
252 nfc_dbg("entry");
253
254 hdr = genlmsg_put(msg, pid, seq, &nfc_genl_family, flags,
255 NFC_CMD_GET_DEVICE);
256 if (!hdr)
257 return -EMSGSIZE;
258
259 if (cb)
260 genl_dump_check_consistent(cb, hdr, &nfc_genl_family);
261
262 NLA_PUT_STRING(msg, NFC_ATTR_DEVICE_NAME, nfc_device_name(dev));
263 NLA_PUT_U32(msg, NFC_ATTR_DEVICE_INDEX, dev->idx);
264 NLA_PUT_U32(msg, NFC_ATTR_PROTOCOLS, dev->supported_protocols);
265
266 return genlmsg_end(msg, hdr);
267
268nla_put_failure:
269 genlmsg_cancel(msg, hdr);
270 return -EMSGSIZE;
271}
272
273static int nfc_genl_dump_devices(struct sk_buff *skb,
274 struct netlink_callback *cb)
275{
276 struct class_dev_iter *iter = (struct class_dev_iter *) cb->args[0];
277 struct nfc_dev *dev = (struct nfc_dev *) cb->args[1];
278 bool first_call = false;
279
280 nfc_dbg("entry");
281
282 if (!iter) {
283 first_call = true;
284 iter = kmalloc(sizeof(struct class_dev_iter), GFP_KERNEL);
285 if (!iter)
286 return -ENOMEM;
287 cb->args[0] = (long) iter;
288 }
289
290 mutex_lock(&nfc_devlist_mutex);
291
292 cb->seq = nfc_devlist_generation;
293
294 if (first_call) {
295 nfc_device_iter_init(iter);
296 dev = nfc_device_iter_next(iter);
297 }
298
299 while (dev) {
300 int rc;
301
302 rc = nfc_genl_send_device(skb, dev, NETLINK_CB(cb->skb).pid,
303 cb->nlh->nlmsg_seq,
304 cb, NLM_F_MULTI);
305 if (rc < 0)
306 break;
307
308 dev = nfc_device_iter_next(iter);
309 }
310
311 mutex_unlock(&nfc_devlist_mutex);
312
313 cb->args[1] = (long) dev;
314
315 return skb->len;
316}
317
318static int nfc_genl_dump_devices_done(struct netlink_callback *cb)
319{
320 struct class_dev_iter *iter = (struct class_dev_iter *) cb->args[0];
321
322 nfc_dbg("entry");
323
324 nfc_device_iter_exit(iter);
325 kfree(iter);
326
327 return 0;
328}
329
330static int nfc_genl_get_device(struct sk_buff *skb, struct genl_info *info)
331{
332 struct sk_buff *msg;
333 struct nfc_dev *dev;
334 u32 idx;
335 int rc = -ENOBUFS;
336
337 nfc_dbg("entry");
338
339 if (!info->attrs[NFC_ATTR_DEVICE_INDEX])
340 return -EINVAL;
341
342 idx = nla_get_u32(info->attrs[NFC_ATTR_DEVICE_INDEX]);
343
344 dev = nfc_get_device(idx);
345 if (!dev)
346 return -ENODEV;
347
348 msg = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
349 if (!msg) {
350 rc = -ENOMEM;
351 goto out_putdev;
352 }
353
354 rc = nfc_genl_send_device(msg, dev, info->snd_pid, info->snd_seq,
355 NULL, 0);
356 if (rc < 0)
357 goto out_free;
358
359 nfc_put_device(dev);
360
361 return genlmsg_reply(msg, info);
362
363out_free:
364 nlmsg_free(msg);
365out_putdev:
366 nfc_put_device(dev);
367 return rc;
368}
369
370static int nfc_genl_start_poll(struct sk_buff *skb, struct genl_info *info)
371{
372 struct nfc_dev *dev;
373 int rc;
374 u32 idx;
375 u32 protocols;
376
377 nfc_dbg("entry");
378
379 if (!info->attrs[NFC_ATTR_DEVICE_INDEX] ||
380 !info->attrs[NFC_ATTR_PROTOCOLS])
381 return -EINVAL;
382
383 idx = nla_get_u32(info->attrs[NFC_ATTR_DEVICE_INDEX]);
384 protocols = nla_get_u32(info->attrs[NFC_ATTR_PROTOCOLS]);
385
386 dev = nfc_get_device(idx);
387 if (!dev)
388 return -ENODEV;
389
390 mutex_lock(&dev->genl_data.genl_data_mutex);
391
392 rc = nfc_start_poll(dev, protocols);
393 if (!rc)
394 dev->genl_data.poll_req_pid = info->snd_pid;
395
396 mutex_unlock(&dev->genl_data.genl_data_mutex);
397
398 nfc_put_device(dev);
399 return rc;
400}
401
402static int nfc_genl_stop_poll(struct sk_buff *skb, struct genl_info *info)
403{
404 struct nfc_dev *dev;
405 int rc;
406 u32 idx;
407
408 nfc_dbg("entry");
409
410 if (!info->attrs[NFC_ATTR_DEVICE_INDEX])
411 return -EINVAL;
412
413 idx = nla_get_u32(info->attrs[NFC_ATTR_DEVICE_INDEX]);
414
415 dev = nfc_get_device(idx);
416 if (!dev)
417 return -ENODEV;
418
419 mutex_lock(&dev->genl_data.genl_data_mutex);
420
421 if (dev->genl_data.poll_req_pid != info->snd_pid) {
422 rc = -EBUSY;
423 goto out;
424 }
425
426 rc = nfc_stop_poll(dev);
427 dev->genl_data.poll_req_pid = 0;
428
429out:
430 mutex_unlock(&dev->genl_data.genl_data_mutex);
431 nfc_put_device(dev);
432 return rc;
433}
434
435static struct genl_ops nfc_genl_ops[] = {
436 {
437 .cmd = NFC_CMD_GET_DEVICE,
438 .doit = nfc_genl_get_device,
439 .dumpit = nfc_genl_dump_devices,
440 .done = nfc_genl_dump_devices_done,
441 .policy = nfc_genl_policy,
442 },
443 {
444 .cmd = NFC_CMD_START_POLL,
445 .doit = nfc_genl_start_poll,
446 .policy = nfc_genl_policy,
447 },
448 {
449 .cmd = NFC_CMD_STOP_POLL,
450 .doit = nfc_genl_stop_poll,
451 .policy = nfc_genl_policy,
452 },
453 {
454 .cmd = NFC_CMD_GET_TARGET,
455 .dumpit = nfc_genl_dump_targets,
456 .done = nfc_genl_dump_targets_done,
457 .policy = nfc_genl_policy,
458 },
459};
460
461static int nfc_genl_rcv_nl_event(struct notifier_block *this,
462 unsigned long event, void *ptr)
463{
464 struct netlink_notify *n = ptr;
465 struct class_dev_iter iter;
466 struct nfc_dev *dev;
467
468 if (event != NETLINK_URELEASE || n->protocol != NETLINK_GENERIC)
469 goto out;
470
471 nfc_dbg("NETLINK_URELEASE event from id %d", n->pid);
472
473 nfc_device_iter_init(&iter);
474 dev = nfc_device_iter_next(&iter);
475
476 while (dev) {
477 mutex_lock(&dev->genl_data.genl_data_mutex);
478 if (dev->genl_data.poll_req_pid == n->pid) {
479 nfc_stop_poll(dev);
480 dev->genl_data.poll_req_pid = 0;
481 }
482 mutex_unlock(&dev->genl_data.genl_data_mutex);
483 dev = nfc_device_iter_next(&iter);
484 }
485
486 nfc_device_iter_exit(&iter);
487
488out:
489 return NOTIFY_DONE;
490}
491
492void nfc_genl_data_init(struct nfc_genl_data *genl_data)
493{
494 genl_data->poll_req_pid = 0;
495 mutex_init(&genl_data->genl_data_mutex);
496}
497
498void nfc_genl_data_exit(struct nfc_genl_data *genl_data)
499{
500 mutex_destroy(&genl_data->genl_data_mutex);
501}
502
503static struct notifier_block nl_notifier = {
504 .notifier_call = nfc_genl_rcv_nl_event,
505};
506
507/**
508 * nfc_genl_init() - Initialize netlink interface
509 *
510 * This initialization function registers the nfc netlink family.
511 */
512int __init nfc_genl_init(void)
513{
514 int rc;
515
516 rc = genl_register_family_with_ops(&nfc_genl_family, nfc_genl_ops,
517 ARRAY_SIZE(nfc_genl_ops));
518 if (rc)
519 return rc;
520
521 rc = genl_register_mc_group(&nfc_genl_family, &nfc_genl_event_mcgrp);
522
523 netlink_register_notifier(&nl_notifier);
524
525 return rc;
526}
527
528/**
529 * nfc_genl_exit() - Deinitialize netlink interface
530 *
531 * This exit function unregisters the nfc netlink family.
532 */
533void nfc_genl_exit(void)
534{
535 netlink_unregister_notifier(&nl_notifier);
536 genl_unregister_family(&nfc_genl_family);
537}
diff --git a/net/nfc/nfc.h b/net/nfc/nfc.h
new file mode 100644
index 000000000000..aaf9832298f3
--- /dev/null
+++ b/net/nfc/nfc.h
@@ -0,0 +1,117 @@
1/*
2 * Copyright (C) 2011 Instituto Nokia de Tecnologia
3 *
4 * Authors:
5 * Lauro Ramos Venancio <lauro.venancio@openbossa.org>
6 * Aloisio Almeida Jr <aloisio.almeida@openbossa.org>
7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the
20 * Free Software Foundation, Inc.,
21 * 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
22 */
23
24#ifndef __LOCAL_NFC_H
25#define __LOCAL_NFC_H
26
27#include <net/nfc.h>
28#include <net/sock.h>
29
30__attribute__((format (printf, 2, 3)))
31int nfc_printk(const char *level, const char *fmt, ...);
32
33#define nfc_info(fmt, arg...) nfc_printk(KERN_INFO, fmt, ##arg)
34#define nfc_err(fmt, arg...) nfc_printk(KERN_ERR, fmt, ##arg)
35#define nfc_dbg(fmt, arg...) pr_debug(fmt "\n", ##arg)
36
37struct nfc_protocol {
38 int id;
39 struct proto *proto;
40 struct module *owner;
41 int (*create)(struct net *net, struct socket *sock,
42 const struct nfc_protocol *nfc_proto);
43};
44
45struct nfc_rawsock {
46 struct sock sk;
47 struct nfc_dev *dev;
48 u32 target_idx;
49 struct work_struct tx_work;
50 bool tx_work_scheduled;
51};
52#define nfc_rawsock(sk) ((struct nfc_rawsock *) sk)
53#define to_rawsock_sk(_tx_work) \
54 ((struct sock *) container_of(_tx_work, struct nfc_rawsock, tx_work))
55
56int __init rawsock_init(void);
57void rawsock_exit(void);
58
59int __init af_nfc_init(void);
60void af_nfc_exit(void);
61int nfc_proto_register(const struct nfc_protocol *nfc_proto);
62void nfc_proto_unregister(const struct nfc_protocol *nfc_proto);
63
64extern int nfc_devlist_generation;
65extern struct mutex nfc_devlist_mutex;
66
67int __init nfc_genl_init(void);
68void nfc_genl_exit(void);
69
70void nfc_genl_data_init(struct nfc_genl_data *genl_data);
71void nfc_genl_data_exit(struct nfc_genl_data *genl_data);
72
73int nfc_genl_targets_found(struct nfc_dev *dev);
74
75int nfc_genl_device_added(struct nfc_dev *dev);
76int nfc_genl_device_removed(struct nfc_dev *dev);
77
78struct nfc_dev *nfc_get_device(unsigned idx);
79
80static inline void nfc_put_device(struct nfc_dev *dev)
81{
82 put_device(&dev->dev);
83}
84
85static inline void nfc_device_iter_init(struct class_dev_iter *iter)
86{
87 class_dev_iter_init(iter, &nfc_class, NULL, NULL);
88}
89
90static inline struct nfc_dev *nfc_device_iter_next(struct class_dev_iter *iter)
91{
92 struct device *d = class_dev_iter_next(iter);
93 if (!d)
94 return NULL;
95
96 return to_nfc_dev(d);
97}
98
99static inline void nfc_device_iter_exit(struct class_dev_iter *iter)
100{
101 class_dev_iter_exit(iter);
102}
103
104int nfc_start_poll(struct nfc_dev *dev, u32 protocols);
105
106int nfc_stop_poll(struct nfc_dev *dev);
107
108int nfc_activate_target(struct nfc_dev *dev, u32 target_idx, u32 protocol);
109
110int nfc_deactivate_target(struct nfc_dev *dev, u32 target_idx);
111
112int nfc_data_exchange(struct nfc_dev *dev, u32 target_idx,
113 struct sk_buff *skb,
114 data_exchange_cb_t cb,
115 void *cb_context);
116
117#endif /* __LOCAL_NFC_H */
diff --git a/net/nfc/rawsock.c b/net/nfc/rawsock.c
new file mode 100644
index 000000000000..52de84a55115
--- /dev/null
+++ b/net/nfc/rawsock.c
@@ -0,0 +1,354 @@
1/*
2 * Copyright (C) 2011 Instituto Nokia de Tecnologia
3 *
4 * Authors:
5 * Aloisio Almeida Jr <aloisio.almeida@openbossa.org>
6 * Lauro Ramos Venancio <lauro.venancio@openbossa.org>
7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the
20 * Free Software Foundation, Inc.,
21 * 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
22 */
23
24#include <net/tcp_states.h>
25#include <linux/nfc.h>
26
27#include "nfc.h"
28
29static void rawsock_write_queue_purge(struct sock *sk)
30{
31 nfc_dbg("sk=%p", sk);
32
33 spin_lock_bh(&sk->sk_write_queue.lock);
34 __skb_queue_purge(&sk->sk_write_queue);
35 nfc_rawsock(sk)->tx_work_scheduled = false;
36 spin_unlock_bh(&sk->sk_write_queue.lock);
37}
38
39static void rawsock_report_error(struct sock *sk, int err)
40{
41 nfc_dbg("sk=%p err=%d", sk, err);
42
43 sk->sk_shutdown = SHUTDOWN_MASK;
44 sk->sk_err = -err;
45 sk->sk_error_report(sk);
46
47 rawsock_write_queue_purge(sk);
48}
49
50static int rawsock_release(struct socket *sock)
51{
52 struct sock *sk = sock->sk;
53
54 nfc_dbg("sock=%p", sock);
55
56 sock_orphan(sk);
57 sock_put(sk);
58
59 return 0;
60}
61
62static int rawsock_connect(struct socket *sock, struct sockaddr *_addr,
63 int len, int flags)
64{
65 struct sock *sk = sock->sk;
66 struct sockaddr_nfc *addr = (struct sockaddr_nfc *)_addr;
67 struct nfc_dev *dev;
68 int rc = 0;
69
70 nfc_dbg("sock=%p sk=%p flags=%d", sock, sk, flags);
71
72 if (!addr || len < sizeof(struct sockaddr_nfc) ||
73 addr->sa_family != AF_NFC)
74 return -EINVAL;
75
76 nfc_dbg("addr dev_idx=%u target_idx=%u protocol=%u", addr->dev_idx,
77 addr->target_idx, addr->nfc_protocol);
78
79 lock_sock(sk);
80
81 if (sock->state == SS_CONNECTED) {
82 rc = -EISCONN;
83 goto error;
84 }
85
86 dev = nfc_get_device(addr->dev_idx);
87 if (!dev) {
88 rc = -ENODEV;
89 goto error;
90 }
91
92 if (addr->target_idx > dev->target_idx - 1 ||
93 addr->target_idx < dev->target_idx - dev->n_targets) {
94 rc = -EINVAL;
95 goto error;
96 }
97
98 if (addr->target_idx > dev->target_idx - 1 ||
99 addr->target_idx < dev->target_idx - dev->n_targets) {
100 rc = -EINVAL;
101 goto error;
102 }
103
104 rc = nfc_activate_target(dev, addr->target_idx, addr->nfc_protocol);
105 if (rc)
106 goto put_dev;
107
108 nfc_rawsock(sk)->dev = dev;
109 nfc_rawsock(sk)->target_idx = addr->target_idx;
110 sock->state = SS_CONNECTED;
111 sk->sk_state = TCP_ESTABLISHED;
112 sk->sk_state_change(sk);
113
114 release_sock(sk);
115 return 0;
116
117put_dev:
118 nfc_put_device(dev);
119error:
120 release_sock(sk);
121 return rc;
122}
123
124static int rawsock_add_header(struct sk_buff *skb)
125{
126
127 if (skb_cow_head(skb, 1))
128 return -ENOMEM;
129
130 *skb_push(skb, 1) = 0;
131
132 return 0;
133}
134
135static void rawsock_data_exchange_complete(void *context, struct sk_buff *skb,
136 int err)
137{
138 struct sock *sk = (struct sock *) context;
139
140 BUG_ON(in_irq());
141
142 nfc_dbg("sk=%p err=%d", sk, err);
143
144 if (err)
145 goto error;
146
147 err = rawsock_add_header(skb);
148 if (err)
149 goto error;
150
151 err = sock_queue_rcv_skb(sk, skb);
152 if (err)
153 goto error;
154
155 spin_lock_bh(&sk->sk_write_queue.lock);
156 if (!skb_queue_empty(&sk->sk_write_queue))
157 schedule_work(&nfc_rawsock(sk)->tx_work);
158 else
159 nfc_rawsock(sk)->tx_work_scheduled = false;
160 spin_unlock_bh(&sk->sk_write_queue.lock);
161
162 sock_put(sk);
163 return;
164
165error:
166 rawsock_report_error(sk, err);
167 sock_put(sk);
168}
169
170static void rawsock_tx_work(struct work_struct *work)
171{
172 struct sock *sk = to_rawsock_sk(work);
173 struct nfc_dev *dev = nfc_rawsock(sk)->dev;
174 u32 target_idx = nfc_rawsock(sk)->target_idx;
175 struct sk_buff *skb;
176 int rc;
177
178 nfc_dbg("sk=%p target_idx=%u", sk, target_idx);
179
180 if (sk->sk_shutdown & SEND_SHUTDOWN) {
181 rawsock_write_queue_purge(sk);
182 return;
183 }
184
185 skb = skb_dequeue(&sk->sk_write_queue);
186
187 sock_hold(sk);
188 rc = nfc_data_exchange(dev, target_idx, skb,
189 rawsock_data_exchange_complete, sk);
190 if (rc) {
191 rawsock_report_error(sk, rc);
192 sock_put(sk);
193 }
194}
195
196static int rawsock_sendmsg(struct kiocb *iocb, struct socket *sock,
197 struct msghdr *msg, size_t len)
198{
199 struct sock *sk = sock->sk;
200 struct sk_buff *skb;
201 int rc;
202
203 nfc_dbg("sock=%p sk=%p len=%zu", sock, sk, len);
204
205 if (msg->msg_namelen)
206 return -EOPNOTSUPP;
207
208 if (sock->state != SS_CONNECTED)
209 return -ENOTCONN;
210
211 skb = sock_alloc_send_skb(sk, len, msg->msg_flags & MSG_DONTWAIT,
212 &rc);
213 if (!skb)
214 return rc;
215
216 rc = memcpy_fromiovec(skb_put(skb, len), msg->msg_iov, len);
217 if (rc < 0) {
218 kfree_skb(skb);
219 return rc;
220 }
221
222 spin_lock_bh(&sk->sk_write_queue.lock);
223 __skb_queue_tail(&sk->sk_write_queue, skb);
224 if (!nfc_rawsock(sk)->tx_work_scheduled) {
225 schedule_work(&nfc_rawsock(sk)->tx_work);
226 nfc_rawsock(sk)->tx_work_scheduled = true;
227 }
228 spin_unlock_bh(&sk->sk_write_queue.lock);
229
230 return len;
231}
232
233static int rawsock_recvmsg(struct kiocb *iocb, struct socket *sock,
234 struct msghdr *msg, size_t len, int flags)
235{
236 int noblock = flags & MSG_DONTWAIT;
237 struct sock *sk = sock->sk;
238 struct sk_buff *skb;
239 int copied;
240 int rc;
241
242 nfc_dbg("sock=%p sk=%p len=%zu flags=%d", sock, sk, len, flags);
243
244 skb = skb_recv_datagram(sk, flags, noblock, &rc);
245 if (!skb)
246 return rc;
247
248 msg->msg_namelen = 0;
249
250 copied = skb->len;
251 if (len < copied) {
252 msg->msg_flags |= MSG_TRUNC;
253 copied = len;
254 }
255
256 rc = skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied);
257
258 skb_free_datagram(sk, skb);
259
260 return rc ? : copied;
261}
262
263
264static const struct proto_ops rawsock_ops = {
265 .family = PF_NFC,
266 .owner = THIS_MODULE,
267 .release = rawsock_release,
268 .bind = sock_no_bind,
269 .connect = rawsock_connect,
270 .socketpair = sock_no_socketpair,
271 .accept = sock_no_accept,
272 .getname = sock_no_getname,
273 .poll = datagram_poll,
274 .ioctl = sock_no_ioctl,
275 .listen = sock_no_listen,
276 .shutdown = sock_no_shutdown,
277 .setsockopt = sock_no_setsockopt,
278 .getsockopt = sock_no_getsockopt,
279 .sendmsg = rawsock_sendmsg,
280 .recvmsg = rawsock_recvmsg,
281 .mmap = sock_no_mmap,
282};
283
284static void rawsock_destruct(struct sock *sk)
285{
286 nfc_dbg("sk=%p", sk);
287
288 if (sk->sk_state == TCP_ESTABLISHED) {
289 nfc_deactivate_target(nfc_rawsock(sk)->dev,
290 nfc_rawsock(sk)->target_idx);
291 nfc_put_device(nfc_rawsock(sk)->dev);
292 }
293
294 skb_queue_purge(&sk->sk_receive_queue);
295
296 if (!sock_flag(sk, SOCK_DEAD)) {
297 nfc_err("Freeing alive NFC raw socket %p", sk);
298 return;
299 }
300}
301
302static int rawsock_create(struct net *net, struct socket *sock,
303 const struct nfc_protocol *nfc_proto)
304{
305 struct sock *sk;
306
307 nfc_dbg("sock=%p", sock);
308
309 if (sock->type != SOCK_SEQPACKET)
310 return -ESOCKTNOSUPPORT;
311
312 sock->ops = &rawsock_ops;
313
314 sk = sk_alloc(net, PF_NFC, GFP_KERNEL, nfc_proto->proto);
315 if (!sk)
316 return -ENOMEM;
317
318 sock_init_data(sock, sk);
319 sk->sk_protocol = nfc_proto->id;
320 sk->sk_destruct = rawsock_destruct;
321 sock->state = SS_UNCONNECTED;
322
323 INIT_WORK(&nfc_rawsock(sk)->tx_work, rawsock_tx_work);
324 nfc_rawsock(sk)->tx_work_scheduled = false;
325
326 return 0;
327}
328
329static struct proto rawsock_proto = {
330 .name = "NFC_RAW",
331 .owner = THIS_MODULE,
332 .obj_size = sizeof(struct nfc_rawsock),
333};
334
335static const struct nfc_protocol rawsock_nfc_proto = {
336 .id = NFC_SOCKPROTO_RAW,
337 .proto = &rawsock_proto,
338 .owner = THIS_MODULE,
339 .create = rawsock_create
340};
341
342int __init rawsock_init(void)
343{
344 int rc;
345
346 rc = nfc_proto_register(&rawsock_nfc_proto);
347
348 return rc;
349}
350
351void rawsock_exit(void)
352{
353 nfc_proto_unregister(&rawsock_nfc_proto);
354}
diff --git a/net/wireless/mlme.c b/net/wireless/mlme.c
index 493b939970cd..832f6574e4ed 100644
--- a/net/wireless/mlme.c
+++ b/net/wireless/mlme.c
@@ -170,7 +170,9 @@ void __cfg80211_send_deauth(struct net_device *dev,
170 break; 170 break;
171 } 171 }
172 if (wdev->authtry_bsses[i] && 172 if (wdev->authtry_bsses[i] &&
173 memcmp(wdev->authtry_bsses[i]->pub.bssid, bssid, ETH_ALEN) == 0) { 173 memcmp(wdev->authtry_bsses[i]->pub.bssid, bssid,
174 ETH_ALEN) == 0 &&
175 memcmp(mgmt->sa, dev->dev_addr, ETH_ALEN) == 0) {
174 cfg80211_unhold_bss(wdev->authtry_bsses[i]); 176 cfg80211_unhold_bss(wdev->authtry_bsses[i]);
175 cfg80211_put_bss(&wdev->authtry_bsses[i]->pub); 177 cfg80211_put_bss(&wdev->authtry_bsses[i]->pub);
176 wdev->authtry_bsses[i] = NULL; 178 wdev->authtry_bsses[i] = NULL;
@@ -1082,3 +1084,14 @@ void cfg80211_cqm_pktloss_notify(struct net_device *dev,
1082 nl80211_send_cqm_pktloss_notify(rdev, dev, peer, num_packets, gfp); 1084 nl80211_send_cqm_pktloss_notify(rdev, dev, peer, num_packets, gfp);
1083} 1085}
1084EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify); 1086EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
1087
1088void cfg80211_gtk_rekey_notify(struct net_device *dev, const u8 *bssid,
1089 const u8 *replay_ctr, gfp_t gfp)
1090{
1091 struct wireless_dev *wdev = dev->ieee80211_ptr;
1092 struct wiphy *wiphy = wdev->wiphy;
1093 struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
1094
1095 nl80211_gtk_rekey_notify(rdev, dev, bssid, replay_ctr, gfp);
1096}
1097EXPORT_SYMBOL(cfg80211_gtk_rekey_notify);
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index cea338150d05..6a82c898f831 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -176,6 +176,7 @@ static const struct nla_policy nl80211_policy[NL80211_ATTR_MAX+1] = {
176 [NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED }, 176 [NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
177 [NL80211_ATTR_STA_PLINK_STATE] = { .type = NLA_U8 }, 177 [NL80211_ATTR_STA_PLINK_STATE] = { .type = NLA_U8 },
178 [NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 }, 178 [NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
179 [NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
179}; 180};
180 181
181/* policy for the key attributes */ 182/* policy for the key attributes */
@@ -206,6 +207,14 @@ nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
206 [NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED }, 207 [NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
207}; 208};
208 209
210/* policy for GTK rekey offload attributes */
211static const struct nla_policy
212nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
213 [NL80211_REKEY_DATA_KEK] = { .len = NL80211_KEK_LEN },
214 [NL80211_REKEY_DATA_KCK] = { .len = NL80211_KCK_LEN },
215 [NL80211_REKEY_DATA_REPLAY_CTR] = { .len = NL80211_REPLAY_CTR_LEN },
216};
217
209/* ifidx get helper */ 218/* ifidx get helper */
210static int nl80211_get_ifidx(struct netlink_callback *cb) 219static int nl80211_get_ifidx(struct netlink_callback *cb)
211{ 220{
@@ -3632,7 +3641,8 @@ static int nl80211_stop_sched_scan(struct sk_buff *skb,
3632 return err; 3641 return err;
3633} 3642}
3634 3643
3635static int nl80211_send_bss(struct sk_buff *msg, u32 pid, u32 seq, int flags, 3644static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
3645 u32 seq, int flags,
3636 struct cfg80211_registered_device *rdev, 3646 struct cfg80211_registered_device *rdev,
3637 struct wireless_dev *wdev, 3647 struct wireless_dev *wdev,
3638 struct cfg80211_internal_bss *intbss) 3648 struct cfg80211_internal_bss *intbss)
@@ -3644,11 +3654,13 @@ static int nl80211_send_bss(struct sk_buff *msg, u32 pid, u32 seq, int flags,
3644 3654
3645 ASSERT_WDEV_LOCK(wdev); 3655 ASSERT_WDEV_LOCK(wdev);
3646 3656
3647 hdr = nl80211hdr_put(msg, pid, seq, flags, 3657 hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).pid, seq, flags,
3648 NL80211_CMD_NEW_SCAN_RESULTS); 3658 NL80211_CMD_NEW_SCAN_RESULTS);
3649 if (!hdr) 3659 if (!hdr)
3650 return -1; 3660 return -1;
3651 3661
3662 genl_dump_check_consistent(cb, hdr, &nl80211_fam);
3663
3652 NLA_PUT_U32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation); 3664 NLA_PUT_U32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation);
3653 NLA_PUT_U32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex); 3665 NLA_PUT_U32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex);
3654 3666
@@ -3737,11 +3749,12 @@ static int nl80211_dump_scan(struct sk_buff *skb,
3737 spin_lock_bh(&rdev->bss_lock); 3749 spin_lock_bh(&rdev->bss_lock);
3738 cfg80211_bss_expire(rdev); 3750 cfg80211_bss_expire(rdev);
3739 3751
3752 cb->seq = rdev->bss_generation;
3753
3740 list_for_each_entry(scan, &rdev->bss_list, list) { 3754 list_for_each_entry(scan, &rdev->bss_list, list) {
3741 if (++idx <= start) 3755 if (++idx <= start)
3742 continue; 3756 continue;
3743 if (nl80211_send_bss(skb, 3757 if (nl80211_send_bss(skb, cb,
3744 NETLINK_CB(cb->skb).pid,
3745 cb->nlh->nlmsg_seq, NLM_F_MULTI, 3758 cb->nlh->nlmsg_seq, NLM_F_MULTI,
3746 rdev, wdev, scan) < 0) { 3759 rdev, wdev, scan) < 0) {
3747 idx--; 3760 idx--;
@@ -3765,10 +3778,6 @@ static int nl80211_send_survey(struct sk_buff *msg, u32 pid, u32 seq,
3765 void *hdr; 3778 void *hdr;
3766 struct nlattr *infoattr; 3779 struct nlattr *infoattr;
3767 3780
3768 /* Survey without a channel doesn't make sense */
3769 if (!survey->channel)
3770 return -EINVAL;
3771
3772 hdr = nl80211hdr_put(msg, pid, seq, flags, 3781 hdr = nl80211hdr_put(msg, pid, seq, flags,
3773 NL80211_CMD_NEW_SURVEY_RESULTS); 3782 NL80211_CMD_NEW_SURVEY_RESULTS);
3774 if (!hdr) 3783 if (!hdr)
@@ -3831,6 +3840,8 @@ static int nl80211_dump_survey(struct sk_buff *skb,
3831 } 3840 }
3832 3841
3833 while (1) { 3842 while (1) {
3843 struct ieee80211_channel *chan;
3844
3834 res = dev->ops->dump_survey(&dev->wiphy, netdev, survey_idx, 3845 res = dev->ops->dump_survey(&dev->wiphy, netdev, survey_idx,
3835 &survey); 3846 &survey);
3836 if (res == -ENOENT) 3847 if (res == -ENOENT)
@@ -3838,6 +3849,19 @@ static int nl80211_dump_survey(struct sk_buff *skb,
3838 if (res) 3849 if (res)
3839 goto out_err; 3850 goto out_err;
3840 3851
3852 /* Survey without a channel doesn't make sense */
3853 if (!survey.channel) {
3854 res = -EINVAL;
3855 goto out;
3856 }
3857
3858 chan = ieee80211_get_channel(&dev->wiphy,
3859 survey.channel->center_freq);
3860 if (!chan || chan->flags & IEEE80211_CHAN_DISABLED) {
3861 survey_idx++;
3862 continue;
3863 }
3864
3841 if (nl80211_send_survey(skb, 3865 if (nl80211_send_survey(skb,
3842 NETLINK_CB(cb->skb).pid, 3866 NETLINK_CB(cb->skb).pid,
3843 cb->nlh->nlmsg_seq, NLM_F_MULTI, 3867 cb->nlh->nlmsg_seq, NLM_F_MULTI,
@@ -4372,6 +4396,93 @@ static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
4372 return err; 4396 return err;
4373} 4397}
4374 4398
4399static int nl80211_testmode_dump(struct sk_buff *skb,
4400 struct netlink_callback *cb)
4401{
4402 struct cfg80211_registered_device *dev;
4403 int err;
4404 long phy_idx;
4405 void *data = NULL;
4406 int data_len = 0;
4407
4408 if (cb->args[0]) {
4409 /*
4410 * 0 is a valid index, but not valid for args[0],
4411 * so we need to offset by 1.
4412 */
4413 phy_idx = cb->args[0] - 1;
4414 } else {
4415 err = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
4416 nl80211_fam.attrbuf, nl80211_fam.maxattr,
4417 nl80211_policy);
4418 if (err)
4419 return err;
4420 if (!nl80211_fam.attrbuf[NL80211_ATTR_WIPHY])
4421 return -EINVAL;
4422 phy_idx = nla_get_u32(nl80211_fam.attrbuf[NL80211_ATTR_WIPHY]);
4423 if (nl80211_fam.attrbuf[NL80211_ATTR_TESTDATA])
4424 cb->args[1] =
4425 (long)nl80211_fam.attrbuf[NL80211_ATTR_TESTDATA];
4426 }
4427
4428 if (cb->args[1]) {
4429 data = nla_data((void *)cb->args[1]);
4430 data_len = nla_len((void *)cb->args[1]);
4431 }
4432
4433 mutex_lock(&cfg80211_mutex);
4434 dev = cfg80211_rdev_by_wiphy_idx(phy_idx);
4435 if (!dev) {
4436 mutex_unlock(&cfg80211_mutex);
4437 return -ENOENT;
4438 }
4439 cfg80211_lock_rdev(dev);
4440 mutex_unlock(&cfg80211_mutex);
4441
4442 if (!dev->ops->testmode_dump) {
4443 err = -EOPNOTSUPP;
4444 goto out_err;
4445 }
4446
4447 while (1) {
4448 void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).pid,
4449 cb->nlh->nlmsg_seq, NLM_F_MULTI,
4450 NL80211_CMD_TESTMODE);
4451 struct nlattr *tmdata;
4452
4453 if (nla_put_u32(skb, NL80211_ATTR_WIPHY, dev->wiphy_idx) < 0) {
4454 genlmsg_cancel(skb, hdr);
4455 break;
4456 }
4457
4458 tmdata = nla_nest_start(skb, NL80211_ATTR_TESTDATA);
4459 if (!tmdata) {
4460 genlmsg_cancel(skb, hdr);
4461 break;
4462 }
4463 err = dev->ops->testmode_dump(&dev->wiphy, skb, cb,
4464 data, data_len);
4465 nla_nest_end(skb, tmdata);
4466
4467 if (err == -ENOBUFS || err == -ENOENT) {
4468 genlmsg_cancel(skb, hdr);
4469 break;
4470 } else if (err) {
4471 genlmsg_cancel(skb, hdr);
4472 goto out_err;
4473 }
4474
4475 genlmsg_end(skb, hdr);
4476 }
4477
4478 err = skb->len;
4479 /* see above */
4480 cb->args[0] = phy_idx + 1;
4481 out_err:
4482 cfg80211_unlock_rdev(dev);
4483 return err;
4484}
4485
4375static struct sk_buff * 4486static struct sk_buff *
4376__cfg80211_testmode_alloc_skb(struct cfg80211_registered_device *rdev, 4487__cfg80211_testmode_alloc_skb(struct cfg80211_registered_device *rdev,
4377 int approxlen, u32 pid, u32 seq, gfp_t gfp) 4488 int approxlen, u32 pid, u32 seq, gfp_t gfp)
@@ -5318,6 +5429,57 @@ static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
5318 return err; 5429 return err;
5319} 5430}
5320 5431
5432static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
5433{
5434 struct cfg80211_registered_device *rdev = info->user_ptr[0];
5435 struct net_device *dev = info->user_ptr[1];
5436 struct wireless_dev *wdev = dev->ieee80211_ptr;
5437 struct nlattr *tb[NUM_NL80211_REKEY_DATA];
5438 struct cfg80211_gtk_rekey_data rekey_data;
5439 int err;
5440
5441 if (!info->attrs[NL80211_ATTR_REKEY_DATA])
5442 return -EINVAL;
5443
5444 err = nla_parse(tb, MAX_NL80211_REKEY_DATA,
5445 nla_data(info->attrs[NL80211_ATTR_REKEY_DATA]),
5446 nla_len(info->attrs[NL80211_ATTR_REKEY_DATA]),
5447 nl80211_rekey_policy);
5448 if (err)
5449 return err;
5450
5451 if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN)
5452 return -ERANGE;
5453 if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN)
5454 return -ERANGE;
5455 if (nla_len(tb[NL80211_REKEY_DATA_KCK]) != NL80211_KCK_LEN)
5456 return -ERANGE;
5457
5458 memcpy(rekey_data.kek, nla_data(tb[NL80211_REKEY_DATA_KEK]),
5459 NL80211_KEK_LEN);
5460 memcpy(rekey_data.kck, nla_data(tb[NL80211_REKEY_DATA_KCK]),
5461 NL80211_KCK_LEN);
5462 memcpy(rekey_data.replay_ctr,
5463 nla_data(tb[NL80211_REKEY_DATA_REPLAY_CTR]),
5464 NL80211_REPLAY_CTR_LEN);
5465
5466 wdev_lock(wdev);
5467 if (!wdev->current_bss) {
5468 err = -ENOTCONN;
5469 goto out;
5470 }
5471
5472 if (!rdev->ops->set_rekey_data) {
5473 err = -EOPNOTSUPP;
5474 goto out;
5475 }
5476
5477 err = rdev->ops->set_rekey_data(&rdev->wiphy, dev, &rekey_data);
5478 out:
5479 wdev_unlock(wdev);
5480 return err;
5481}
5482
5321#define NL80211_FLAG_NEED_WIPHY 0x01 5483#define NL80211_FLAG_NEED_WIPHY 0x01
5322#define NL80211_FLAG_NEED_NETDEV 0x02 5484#define NL80211_FLAG_NEED_NETDEV 0x02
5323#define NL80211_FLAG_NEED_RTNL 0x04 5485#define NL80211_FLAG_NEED_RTNL 0x04
@@ -5669,6 +5831,7 @@ static struct genl_ops nl80211_ops[] = {
5669 { 5831 {
5670 .cmd = NL80211_CMD_TESTMODE, 5832 .cmd = NL80211_CMD_TESTMODE,
5671 .doit = nl80211_testmode_do, 5833 .doit = nl80211_testmode_do,
5834 .dumpit = nl80211_testmode_dump,
5672 .policy = nl80211_policy, 5835 .policy = nl80211_policy,
5673 .flags = GENL_ADMIN_PERM, 5836 .flags = GENL_ADMIN_PERM,
5674 .internal_flags = NL80211_FLAG_NEED_WIPHY | 5837 .internal_flags = NL80211_FLAG_NEED_WIPHY |
@@ -5848,6 +6011,14 @@ static struct genl_ops nl80211_ops[] = {
5848 .internal_flags = NL80211_FLAG_NEED_WIPHY | 6011 .internal_flags = NL80211_FLAG_NEED_WIPHY |
5849 NL80211_FLAG_NEED_RTNL, 6012 NL80211_FLAG_NEED_RTNL,
5850 }, 6013 },
6014 {
6015 .cmd = NL80211_CMD_SET_REKEY_OFFLOAD,
6016 .doit = nl80211_set_rekey_data,
6017 .policy = nl80211_policy,
6018 .flags = GENL_ADMIN_PERM,
6019 .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
6020 NL80211_FLAG_NEED_RTNL,
6021 },
5851}; 6022};
5852 6023
5853static struct genl_multicast_group nl80211_mlme_mcgrp = { 6024static struct genl_multicast_group nl80211_mlme_mcgrp = {
@@ -6792,6 +6963,51 @@ nl80211_send_cqm_rssi_notify(struct cfg80211_registered_device *rdev,
6792 nlmsg_free(msg); 6963 nlmsg_free(msg);
6793} 6964}
6794 6965
6966void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
6967 struct net_device *netdev, const u8 *bssid,
6968 const u8 *replay_ctr, gfp_t gfp)
6969{
6970 struct sk_buff *msg;
6971 struct nlattr *rekey_attr;
6972 void *hdr;
6973
6974 msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
6975 if (!msg)
6976 return;
6977
6978 hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_REKEY_OFFLOAD);
6979 if (!hdr) {
6980 nlmsg_free(msg);
6981 return;
6982 }
6983
6984 NLA_PUT_U32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx);
6985 NLA_PUT_U32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex);
6986 NLA_PUT(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid);
6987
6988 rekey_attr = nla_nest_start(msg, NL80211_ATTR_REKEY_DATA);
6989 if (!rekey_attr)
6990 goto nla_put_failure;
6991
6992 NLA_PUT(msg, NL80211_REKEY_DATA_REPLAY_CTR,
6993 NL80211_REPLAY_CTR_LEN, replay_ctr);
6994
6995 nla_nest_end(msg, rekey_attr);
6996
6997 if (genlmsg_end(msg, hdr) < 0) {
6998 nlmsg_free(msg);
6999 return;
7000 }
7001
7002 genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
7003 nl80211_mlme_mcgrp.id, gfp);
7004 return;
7005
7006 nla_put_failure:
7007 genlmsg_cancel(msg, hdr);
7008 nlmsg_free(msg);
7009}
7010
6795void 7011void
6796nl80211_send_cqm_pktloss_notify(struct cfg80211_registered_device *rdev, 7012nl80211_send_cqm_pktloss_notify(struct cfg80211_registered_device *rdev,
6797 struct net_device *netdev, const u8 *peer, 7013 struct net_device *netdev, const u8 *peer,
diff --git a/net/wireless/nl80211.h b/net/wireless/nl80211.h
index 2f1bfb87a651..5d69c56400ae 100644
--- a/net/wireless/nl80211.h
+++ b/net/wireless/nl80211.h
@@ -109,4 +109,8 @@ nl80211_send_cqm_pktloss_notify(struct cfg80211_registered_device *rdev,
109 struct net_device *netdev, const u8 *peer, 109 struct net_device *netdev, const u8 *peer,
110 u32 num_packets, gfp_t gfp); 110 u32 num_packets, gfp_t gfp);
111 111
112void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
113 struct net_device *netdev, const u8 *bssid,
114 const u8 *replay_ctr, gfp_t gfp);
115
112#endif /* __NET_WIRELESS_NL80211_H */ 116#endif /* __NET_WIRELESS_NL80211_H */
diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index ae0c2256ba3b..1c4672e35144 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -132,18 +132,17 @@ EXPORT_SYMBOL(cfg80211_sched_scan_stopped);
132int __cfg80211_stop_sched_scan(struct cfg80211_registered_device *rdev, 132int __cfg80211_stop_sched_scan(struct cfg80211_registered_device *rdev,
133 bool driver_initiated) 133 bool driver_initiated)
134{ 134{
135 int err;
136 struct net_device *dev; 135 struct net_device *dev;
137 136
138 lockdep_assert_held(&rdev->sched_scan_mtx); 137 lockdep_assert_held(&rdev->sched_scan_mtx);
139 138
140 if (!rdev->sched_scan_req) 139 if (!rdev->sched_scan_req)
141 return 0; 140 return -ENOENT;
142 141
143 dev = rdev->sched_scan_req->dev; 142 dev = rdev->sched_scan_req->dev;
144 143
145 if (!driver_initiated) { 144 if (!driver_initiated) {
146 err = rdev->ops->sched_scan_stop(&rdev->wiphy, dev); 145 int err = rdev->ops->sched_scan_stop(&rdev->wiphy, dev);
147 if (err) 146 if (err)
148 return err; 147 return err;
149 } 148 }
@@ -153,7 +152,7 @@ int __cfg80211_stop_sched_scan(struct cfg80211_registered_device *rdev,
153 kfree(rdev->sched_scan_req); 152 kfree(rdev->sched_scan_req);
154 rdev->sched_scan_req = NULL; 153 rdev->sched_scan_req = NULL;
155 154
156 return err; 155 return 0;
157} 156}
158 157
159static void bss_release(struct kref *ref) 158static void bss_release(struct kref *ref)