+1 -1

drivers/bluetooth/bluecard_cs.c

reviewed

··· 901 901 902 902 bluecard_close(info); 903 903 904 904 - del_timer(&(info->timer)); 904 904 + del_timer_sync(&(info->timer)); 905 905 906 906 pcmcia_disable_device(link); 907 907 }

+6 -5

drivers/bluetooth/btmrvl_main.c

reviewed

··· 59 59 priv->btmrvl_dev.sendcmdflag = false; 60 60 priv->adapter->cmd_complete = true; 61 61 wake_up_interruptible(&priv->adapter->cmd_wait_q); 62 62 - } 63 62 64 64 - if (hci_opcode_ogf(opcode) == 0x3F) { 65 65 - BT_DBG("vendor event skipped: opcode=%#4.4x", opcode); 66 66 - kfree_skb(skb); 67 67 - return false; 63 63 + if (hci_opcode_ogf(opcode) == 0x3F) { 64 64 + BT_DBG("vendor event skipped: opcode=%#4.4x", 65 65 + opcode); 66 66 + kfree_skb(skb); 67 67 + return false; 68 68 + } 68 69 } 69 70 } 70 71

+2 -1

include/net/bluetooth/hci_core.h

reviewed

··· 189 189 __u16 page_scan_window; 190 190 __u8 page_scan_type; 191 191 __u8 le_adv_channel_map; 192 192 + __u8 le_scan_type; 192 193 __u16 le_scan_interval; 193 194 __u16 le_scan_window; 194 195 __u16 le_conn_min_interval; ··· 1237 1236 void mgmt_pin_code_neg_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr, 1238 1237 u8 status); 1239 1238 int mgmt_user_confirm_request(struct hci_dev *hdev, bdaddr_t *bdaddr, 1240 1240 - u8 link_type, u8 addr_type, __le32 value, 1239 1239 + u8 link_type, u8 addr_type, u32 value, 1241 1240 u8 confirm_hint); 1242 1241 int mgmt_user_confirm_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr, 1243 1242 u8 link_type, u8 addr_type, u8 status);

+61 -2

net/bluetooth/hci_event.c

reviewed

··· 199 199 memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data)); 200 200 hdev->scan_rsp_data_len = 0; 201 201 202 202 + hdev->le_scan_type = LE_SCAN_PASSIVE; 203 203 + 202 204 hdev->ssp_debug_mode = 0; 203 205 } 204 206 ··· 999 997 hci_dev_unlock(hdev); 1000 998 } 1001 999 1000 1000 + static void hci_cc_le_set_scan_param(struct hci_dev *hdev, struct sk_buff *skb) 1001 1001 + { 1002 1002 + struct hci_cp_le_set_scan_param *cp; 1003 1003 + __u8 status = *((__u8 *) skb->data); 1004 1004 + 1005 1005 + BT_DBG("%s status 0x%2.2x", hdev->name, status); 1006 1006 + 1007 1007 + cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM); 1008 1008 + if (!cp) 1009 1009 + return; 1010 1010 + 1011 1011 + hci_dev_lock(hdev); 1012 1012 + 1013 1013 + if (!status) 1014 1014 + hdev->le_scan_type = cp->type; 1015 1015 + 1016 1016 + hci_dev_unlock(hdev); 1017 1017 + } 1018 1018 + 1002 1019 static void hci_cc_le_set_scan_enable(struct hci_dev *hdev, 1003 1020 struct sk_buff *skb) 1004 1021 { ··· 1720 1699 queue_delayed_work(conn->hdev->workqueue, 1721 1700 &conn->le_conn_timeout, 1722 1701 HCI_LE_CONN_TIMEOUT); 1702 1702 + 1703 1703 + unlock: 1704 1704 + hci_dev_unlock(hdev); 1705 1705 + } 1706 1706 + 1707 1707 + static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status) 1708 1708 + { 1709 1709 + struct hci_cp_le_start_enc *cp; 1710 1710 + struct hci_conn *conn; 1711 1711 + 1712 1712 + BT_DBG("%s status 0x%2.2x", hdev->name, status); 1713 1713 + 1714 1714 + if (!status) 1715 1715 + return; 1716 1716 + 1717 1717 + hci_dev_lock(hdev); 1718 1718 + 1719 1719 + cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC); 1720 1720 + if (!cp) 1721 1721 + goto unlock; 1722 1722 + 1723 1723 + conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 1724 1724 + if (!conn) 1725 1725 + goto unlock; 1726 1726 + 1727 1727 + if (conn->state != BT_CONNECTED) 1728 1728 + goto unlock; 1729 1729 + 1730 1730 + hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE); 1731 1731 + hci_conn_drop(conn); 1723 1732 1724 1733 unlock: 1725 1734 hci_dev_unlock(hdev); ··· 2539 2488 hci_cc_le_set_adv_enable(hdev, skb); 2540 2489 break; 2541 2490 2491 2491 + case HCI_OP_LE_SET_SCAN_PARAM: 2492 2492 + hci_cc_le_set_scan_param(hdev, skb); 2493 2493 + break; 2494 2494 + 2542 2495 case HCI_OP_LE_SET_SCAN_ENABLE: 2543 2496 hci_cc_le_set_scan_enable(hdev, skb); 2544 2497 break; ··· 2664 2609 2665 2610 case HCI_OP_LE_CREATE_CONN: 2666 2611 hci_cs_le_create_conn(hdev, ev->status); 2612 2612 + break; 2613 2613 + 2614 2614 + case HCI_OP_LE_START_ENC: 2615 2615 + hci_cs_le_start_enc(hdev, ev->status); 2667 2616 break; 2668 2617 2669 2618 default: ··· 3518 3459 } 3519 3460 3520 3461 confirm: 3521 3521 - mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0, ev->passkey, 3522 3522 - confirm_hint); 3462 3462 + mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0, 3463 3463 + le32_to_cpu(ev->passkey), confirm_hint); 3523 3464 3524 3465 unlock: 3525 3466 hci_dev_unlock(hdev);

+2 -1

net/bluetooth/l2cap_sock.c

reviewed

··· 360 360 361 361 BT_DBG("sock %p, sk %p", sock, sk); 362 362 363 363 - if (peer && sk->sk_state != BT_CONNECTED) 363 363 + if (peer && sk->sk_state != BT_CONNECTED && 364 364 + sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2) 364 365 return -ENOTCONN; 365 366 366 367 memset(la, 0, sizeof(struct sockaddr_l2));

+4 -16

net/bluetooth/mgmt.c

reviewed

··· 2762 2762 2763 2763 static void pairing_complete(struct pending_cmd *cmd, u8 status) 2764 2764 { 2765 2765 - const struct mgmt_cp_pair_device *cp = cmd->param; 2766 2765 struct mgmt_rp_pair_device rp; 2767 2766 struct hci_conn *conn = cmd->user_data; 2768 2767 2769 2769 - /* If we had a pairing failure we might have already received 2770 2770 - * the remote Identity Address Information and updated the 2771 2771 - * hci_conn variables with it, however we would not yet have 2772 2772 - * notified user space of the resolved identity. Therefore, use 2773 2773 - * the address given in the Pair Device command in case the 2774 2774 - * pairing failed. 2775 2775 - */ 2776 2776 - if (status) { 2777 2777 - memcpy(&rp.addr, &cp->addr, sizeof(rp.addr)); 2778 2778 - } else { 2779 2779 - bacpy(&rp.addr.bdaddr, &conn->dst); 2780 2780 - rp.addr.type = link_to_bdaddr(conn->type, conn->dst_type); 2781 2781 - } 2768 2768 + bacpy(&rp.addr.bdaddr, &conn->dst); 2769 2769 + rp.addr.type = link_to_bdaddr(conn->type, conn->dst_type); 2782 2770 2783 2771 cmd_complete(cmd->sk, cmd->index, MGMT_OP_PAIR_DEVICE, status, 2784 2772 &rp, sizeof(rp)); ··· 5326 5338 } 5327 5339 5328 5340 int mgmt_user_confirm_request(struct hci_dev *hdev, bdaddr_t *bdaddr, 5329 5329 - u8 link_type, u8 addr_type, __le32 value, 5341 5341 + u8 link_type, u8 addr_type, u32 value, 5330 5342 u8 confirm_hint) 5331 5343 { 5332 5344 struct mgmt_ev_user_confirm_request ev; ··· 5336 5348 bacpy(&ev.addr.bdaddr, bdaddr); 5337 5349 ev.addr.type = link_to_bdaddr(link_type, addr_type); 5338 5350 ev.confirm_hint = confirm_hint; 5339 5339 - ev.value = value; 5351 5351 + ev.value = cpu_to_le32(value); 5340 5352 5341 5353 return mgmt_event(MGMT_EV_USER_CONFIRM_REQUEST, hdev, &ev, sizeof(ev), 5342 5354 NULL);

+2 -1

net/bluetooth/rfcomm/sock.c

reviewed

··· 534 534 535 535 BT_DBG("sock %p, sk %p", sock, sk); 536 536 537 537 - if (peer && sk->sk_state != BT_CONNECTED) 537 537 + if (peer && sk->sk_state != BT_CONNECTED && 538 538 + sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2) 538 539 return -ENOTCONN; 539 540 540 541 memset(sa, 0, sizeof(*sa));

+35 -52

net/bluetooth/smp.c

reviewed

··· 387 387 if (!(auth & SMP_AUTH_BONDING) && method == JUST_CFM) 388 388 method = JUST_WORKS; 389 389 390 390 + /* Don't confirm locally initiated pairing attempts */ 391 391 + if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, 392 392 + &smp->smp_flags)) 393 393 + method = JUST_WORKS; 394 394 + 390 395 /* If Just Works, Continue with Zero TK */ 391 396 if (method == JUST_WORKS) { 392 397 set_bit(SMP_FLAG_TK_VALID, &smp->smp_flags); ··· 427 422 if (method == REQ_PASSKEY) 428 423 ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst, 429 424 hcon->type, hcon->dst_type); 425 425 + else if (method == JUST_CFM) 426 426 + ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, 427 427 + hcon->type, hcon->dst_type, 428 428 + passkey, 1); 430 429 else 431 430 ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst, 432 431 hcon->type, hcon->dst_type, 433 433 - cpu_to_le32(passkey), 0); 432 432 + passkey, 0); 434 433 435 434 hci_dev_unlock(hcon->hdev); 436 435 ··· 556 547 smp_failure(conn, reason); 557 548 } 558 549 559 559 - static void smp_reencrypt(struct work_struct *work) 560 560 - { 561 561 - struct smp_chan *smp = container_of(work, struct smp_chan, 562 562 - reencrypt.work); 563 563 - struct l2cap_conn *conn = smp->conn; 564 564 - struct hci_conn *hcon = conn->hcon; 565 565 - struct smp_ltk *ltk = smp->ltk; 566 566 - 567 567 - BT_DBG(""); 568 568 - 569 569 - hci_le_start_enc(hcon, ltk->ediv, ltk->rand, ltk->val); 570 570 - hcon->enc_key_size = ltk->enc_size; 571 571 - } 572 572 - 573 550 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn) 574 551 { 575 552 struct smp_chan *smp; ··· 566 571 567 572 INIT_WORK(&smp->confirm, confirm_work); 568 573 INIT_WORK(&smp->random, random_work); 569 569 - INIT_DELAYED_WORK(&smp->reencrypt, smp_reencrypt); 570 574 571 575 smp->conn = conn; 572 576 conn->smp_chan = smp; ··· 582 588 bool complete; 583 589 584 590 BUG_ON(!smp); 585 585 - 586 586 - cancel_delayed_work_sync(&smp->reencrypt); 587 591 588 592 complete = test_bit(SMP_FLAG_COMPLETE, &smp->smp_flags); 589 593 mgmt_smp_complete(conn->hcon, complete); ··· 703 711 ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability); 704 712 if (ret) 705 713 return SMP_UNSPECIFIED; 714 714 + 715 715 + clear_bit(SMP_FLAG_INITIATOR, &smp->smp_flags); 706 716 707 717 return 0; 708 718 } ··· 861 867 862 868 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp); 863 869 870 870 + clear_bit(SMP_FLAG_INITIATOR, &smp->smp_flags); 871 871 + 864 872 return 0; 865 873 } 866 874 ··· 880 884 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level) 881 885 { 882 886 struct l2cap_conn *conn = hcon->l2cap_data; 883 883 - struct smp_chan *smp = conn->smp_chan; 887 887 + struct smp_chan *smp; 884 888 __u8 authreq; 885 889 886 890 BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level); 891 891 + 892 892 + /* This may be NULL if there's an unexpected disconnection */ 893 893 + if (!conn) 894 894 + return 1; 887 895 888 896 if (!test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags)) 889 897 return 1; ··· 927 927 cp.auth_req = authreq; 928 928 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp); 929 929 } 930 930 + 931 931 + set_bit(SMP_FLAG_INITIATOR, &smp->smp_flags); 930 932 931 933 done: 932 934 hcon->pending_sec_level = sec_level; ··· 1059 1057 1060 1058 smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr, 1061 1059 smp->id_addr_type, smp->irk, &rpa); 1062 1062 - 1063 1063 - /* Track the connection based on the Identity Address from now on */ 1064 1064 - bacpy(&hcon->dst, &smp->id_addr); 1065 1065 - hcon->dst_type = smp->id_addr_type; 1066 1066 - 1067 1067 - l2cap_conn_update_id_addr(hcon); 1068 1060 1069 1061 smp_distribute_keys(conn); 1070 1062 ··· 1210 1214 struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1]; 1211 1215 bool persistent; 1212 1216 1213 1213 - if (smp->remote_irk) 1217 1217 + if (smp->remote_irk) { 1214 1218 mgmt_new_irk(hdev, smp->remote_irk); 1219 1219 + /* Now that user space can be considered to know the 1220 1220 + * identity address track the connection based on it 1221 1221 + * from now on. 1222 1222 + */ 1223 1223 + bacpy(&hcon->dst, &smp->remote_irk->bdaddr); 1224 1224 + hcon->dst_type = smp->remote_irk->addr_type; 1225 1225 + l2cap_conn_update_id_addr(hcon); 1226 1226 + } 1215 1227 1216 1228 /* The LTKs and CSRKs should be persistent only if both sides 1217 1229 * had the bonding bit set in their authentication requests. ··· 1257 1253 struct smp_chan *smp = conn->smp_chan; 1258 1254 struct hci_conn *hcon = conn->hcon; 1259 1255 struct hci_dev *hdev = hcon->hdev; 1260 1260 - bool ltk_encrypt; 1261 1256 __u8 *keydist; 1262 1257 1263 1258 BT_DBG("conn %p", conn); ··· 1356 1353 if ((smp->remote_key_dist & 0x07)) 1357 1354 return 0; 1358 1355 1359 1359 - /* Check if we should try to re-encrypt the link with the LTK. 1360 1360 - * SMP_FLAG_LTK_ENCRYPT flag is used to track whether we've 1361 1361 - * already tried this (in which case we shouldn't try again). 1362 1362 - * 1363 1363 - * The request will trigger an encryption key refresh event 1364 1364 - * which will cause a call to auth_cfm and eventually lead to 1365 1365 - * l2cap_core.c calling this smp_distribute_keys function again 1366 1366 - * and thereby completing the process. 1367 1367 - */ 1368 1368 - if (smp->ltk) 1369 1369 - ltk_encrypt = !test_and_set_bit(SMP_FLAG_LTK_ENCRYPT, 1370 1370 - &smp->smp_flags); 1371 1371 - else 1372 1372 - ltk_encrypt = false; 1356 1356 + clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags); 1357 1357 + cancel_delayed_work_sync(&conn->security_timer); 1358 1358 + set_bit(SMP_FLAG_COMPLETE, &smp->smp_flags); 1359 1359 + smp_notify_keys(conn); 1373 1360 1374 1374 - /* Re-encrypt the link with LTK if possible */ 1375 1375 - if (ltk_encrypt && hcon->out) { 1376 1376 - queue_delayed_work(hdev->req_workqueue, &smp->reencrypt, 1377 1377 - SMP_REENCRYPT_TIMEOUT); 1378 1378 - } else { 1379 1379 - clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags); 1380 1380 - cancel_delayed_work_sync(&conn->security_timer); 1381 1381 - set_bit(SMP_FLAG_COMPLETE, &smp->smp_flags); 1382 1382 - smp_notify_keys(conn); 1383 1383 - smp_chan_destroy(conn); 1384 1384 - } 1361 1361 + smp_chan_destroy(conn); 1385 1362 1386 1363 return 0; 1387 1364 }

+2 -5

net/bluetooth/smp.h

reviewed

··· 118 118 #define SMP_FLAG_TK_VALID 1 119 119 #define SMP_FLAG_CFM_PENDING 2 120 120 #define SMP_FLAG_MITM_AUTH 3 121 121 - #define SMP_FLAG_LTK_ENCRYPT 4 122 122 - #define SMP_FLAG_COMPLETE 5 123 123 - 124 124 - #define SMP_REENCRYPT_TIMEOUT msecs_to_jiffies(500) 121 121 + #define SMP_FLAG_COMPLETE 4 122 122 + #define SMP_FLAG_INITIATOR 5 125 123 126 124 struct smp_chan { 127 125 struct l2cap_conn *conn; ··· 142 144 unsigned long smp_flags; 143 145 struct work_struct confirm; 144 146 struct work_struct random; 145 145 - struct delayed_work reencrypt; 146 147 }; 147 148 148 149 /* SMP Commands */