aboutsummaryrefslogtreecommitdiff
path: root/net/bluetooth
diff options
context:
space:
mode:
authorLinus Torvalds2012-06-28 11:20:31 -0700
committerLinus Torvalds2012-06-28 11:20:31 -0700
commitf3747e2f2cea74264e1f8031b94d413b426d0436 (patch)
tree5d0a1e68456827483fd931d28abc4b9de9cbdb1d /net/bluetooth
parent47b514cd476db2eca066a2ad31501b079d6c9cce (diff)
parenta969dd139cc2f2bccdcb11894f0695517cf84d4d (diff)
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Pull networking update from David Miller: 1) Pairing and deadlock fixes in bluetooth from Johan Hedberg. 2) Add device IDs for AR3011 and AR3012 bluetooth chips. From Giancarlo Formicuccia and Marek Vasut. 3) Fix wireless regulatory deadlock, from Eliad Peller. 4) Fix full TX ring panic in bnx2x driver, from Eric Dumazet. 5) Revert the two commits that added skb_orphan_try(), it causes erratic bonding behavior with UDP clients and the gains it used to give are mostly no longer happening due to how BQL works. From Eric Dumazet. 6) It took two tries, but Thomas Graf fixed a problem wherein we registered ipv6 routing procfs files before their backend data were initialized properly. 7) Fix max GSO size setting in be2net, from Sarveshwar Bandi. 8) PHY device id mask is wrong for KSZ9021 and KS8001 chips, fix from Jason Wang. 9) Fix use of stale SKB data pointer after skb_linearize() call in batman-adv, from Antonio Quartulli. 10) Fix memory leak in IXGBE due to missing __GFP_COMP, from Alexander Duyck. 11) Fix probing of Gobi devices in qmi_wwan usbnet driver, from Bjørn Mork. 12) Fix suspend/resume and open failure handling in usbnet from Ming Lei. 13) Attempt to fix device r8169 hangs for certain chips, from Francois Romieu. 14) Fix advancement of RX dirty pointer in some situations in sh_eth driver, from Yoshihiro Shimoda. 15) Attempt to fix restart of IPV6 routing table dumps when there is an intervening table update. From Eric Dumazet. 16) Respect security_inet_conn_request() return value in ipv6 TCP. From Neal Cardwell. 17) Add another iPAD device ID to ipheth driver, from Davide Gerhard. 18) Fix access to freed SKB in l2tp_eth_dev_xmit(), and fix l2tp lockdep splats, from Eric Dumazet. 19) Make sure all bridge devices, regardless of whether they were created via netlink or ioctls, have their rtnetlink ops hooked up. From Thomas Graf and Stephen Hemminger. * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (81 commits) 9p: fix min_t() casting in p9pdu_vwritef() can: flexcan: use be32_to_cpup to handle the value of dt entry xen/netfront: teardown the device before unregistering it. bridge: Assign rtnl_link_ops to bridge devices created via ioctl (v2) vhost: use USER_DS in vhost_worker thread ixgbe: Do not pad FCoE frames as this can cause issues with FCoE DDP net: l2tp_eth: use LLTX to avoid LOCKDEP splats mac802154: add missed braces net: l2tp_eth: fix l2tp_eth_dev_xmit race net/mlx4_en: Release QP range in free_resources net/mlx4: Use single completion vector after NOP failure net/mlx4_en: Set correct port parameters during device initialization ipheth: add support for iPad caif-hsi: Add missing return in error path caif-hsi: Bugfix - Piggyback'ed embedded CAIF frame lost caif: Clear shutdown mask to zero at reconnect. tcp: heed result of security_inet_conn_request() in tcp_v6_conn_request() ipv6: fib: fix fib dump restart batman-adv: fix race condition in TT full-table replacement batman-adv: only drop packets of known wifi clients ...
Diffstat (limited to 'net/bluetooth')
-rw-r--r--net/bluetooth/hci_event.c48
-rw-r--r--net/bluetooth/l2cap_core.c21
-rw-r--r--net/bluetooth/mgmt.c20
-rw-r--r--net/bluetooth/smp.c11
4 files changed, 88 insertions, 12 deletions
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 4eefb7f65cf6..94ad124a4ea3 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -3043,6 +3043,50 @@ static inline void hci_extended_inquiry_result_evt(struct hci_dev *hdev, struct
hci_dev_unlock(hdev);
}
+static void hci_key_refresh_complete_evt(struct hci_dev *hdev,
+ struct sk_buff *skb)
+{
+ struct hci_ev_key_refresh_complete *ev = (void *) skb->data;
+ struct hci_conn *conn;
+
+ BT_DBG("%s status %u handle %u", hdev->name, ev->status,
+ __le16_to_cpu(ev->handle));
+
+ hci_dev_lock(hdev);
+
+ conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
+ if (!conn)
+ goto unlock;
+
+ if (!ev->status)
+ conn->sec_level = conn->pending_sec_level;
+
+ clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
+
+ if (ev->status && conn->state == BT_CONNECTED) {
+ hci_acl_disconn(conn, HCI_ERROR_AUTH_FAILURE);
+ hci_conn_put(conn);
+ goto unlock;
+ }
+
+ if (conn->state == BT_CONFIG) {
+ if (!ev->status)
+ conn->state = BT_CONNECTED;
+
+ hci_proto_connect_cfm(conn, ev->status);
+ hci_conn_put(conn);
+ } else {
+ hci_auth_cfm(conn, ev->status);
+
+ hci_conn_hold(conn);
+ conn->disc_timeout = HCI_DISCONN_TIMEOUT;
+ hci_conn_put(conn);
+ }
+
+unlock:
+ hci_dev_unlock(hdev);
+}
+
static inline u8 hci_get_auth_req(struct hci_conn *conn)
{
/* If remote requests dedicated bonding follow that lead */
@@ -3559,6 +3603,10 @@ void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
hci_extended_inquiry_result_evt(hdev, skb);
break;
+ case HCI_EV_KEY_REFRESH_COMPLETE:
+ hci_key_refresh_complete_evt(hdev, skb);
+ break;
+
case HCI_EV_IO_CAPA_REQUEST:
hci_io_capa_request_evt(hdev, skb);
break;
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 24f144b72a96..4554e80d16a3 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -1295,7 +1295,12 @@ static void security_timeout(struct work_struct *work)
struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
security_timer.work);
- l2cap_conn_del(conn->hcon, ETIMEDOUT);
+ BT_DBG("conn %p", conn);
+
+ if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) {
+ smp_chan_destroy(conn);
+ l2cap_conn_del(conn->hcon, ETIMEDOUT);
+ }
}
static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
@@ -2910,12 +2915,14 @@ static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
while (len >= L2CAP_CONF_OPT_SIZE) {
len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
- switch (type) {
- case L2CAP_CONF_RFC:
- if (olen == sizeof(rfc))
- memcpy(&rfc, (void *)val, olen);
- goto done;
- }
+ if (type != L2CAP_CONF_RFC)
+ continue;
+
+ if (olen != sizeof(rfc))
+ break;
+
+ memcpy(&rfc, (void *)val, olen);
+ goto done;
}
/* Use sane default values in case a misbehaving remote device
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index 25d220776079..3e5e3362ea00 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -1598,7 +1598,7 @@ static int disconnect(struct sock *sk, struct hci_dev *hdev, void *data,
else
conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, &cp->addr.bdaddr);
- if (!conn) {
+ if (!conn || conn->state == BT_OPEN || conn->state == BT_CLOSED) {
err = cmd_status(sk, hdev->id, MGMT_OP_DISCONNECT,
MGMT_STATUS_NOT_CONNECTED);
goto failed;
@@ -1873,6 +1873,22 @@ static void pairing_complete_cb(struct hci_conn *conn, u8 status)
pairing_complete(cmd, mgmt_status(status));
}
+static void le_connect_complete_cb(struct hci_conn *conn, u8 status)
+{
+ struct pending_cmd *cmd;
+
+ BT_DBG("status %u", status);
+
+ if (!status)
+ return;
+
+ cmd = find_pairing(conn);
+ if (!cmd)
+ BT_DBG("Unable to find a pending command");
+ else
+ pairing_complete(cmd, mgmt_status(status));
+}
+
static int pair_device(struct sock *sk, struct hci_dev *hdev, void *data,
u16 len)
{
@@ -1934,6 +1950,8 @@ static int pair_device(struct sock *sk, struct hci_dev *hdev, void *data,
/* For LE, just connecting isn't a proof that the pairing finished */
if (cp->addr.type == BDADDR_BREDR)
conn->connect_cfm_cb = pairing_complete_cb;
+ else
+ conn->connect_cfm_cb = le_connect_complete_cb;
conn->security_cfm_cb = pairing_complete_cb;
conn->disconn_cfm_cb = pairing_complete_cb;
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index 6fc7c4708f3e..37df4e9b3896 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -648,7 +648,7 @@ static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
auth |= (req->auth_req | rsp->auth_req) & SMP_AUTH_MITM;
- ret = tk_request(conn, 0, auth, rsp->io_capability, req->io_capability);
+ ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
if (ret)
return SMP_UNSPECIFIED;
@@ -703,7 +703,7 @@ static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
return 0;
}
-static u8 smp_ltk_encrypt(struct l2cap_conn *conn)
+static u8 smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
{
struct smp_ltk *key;
struct hci_conn *hcon = conn->hcon;
@@ -712,6 +712,9 @@ static u8 smp_ltk_encrypt(struct l2cap_conn *conn)
if (!key)
return 0;
+ if (sec_level > BT_SECURITY_MEDIUM && !key->authenticated)
+ return 0;
+
if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
return 1;
@@ -732,7 +735,7 @@ static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
hcon->pending_sec_level = authreq_to_seclevel(rp->auth_req);
- if (smp_ltk_encrypt(conn))
+ if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
return 0;
if (test_and_set_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags))
@@ -771,7 +774,7 @@ int smp_conn_security(struct l2cap_conn *conn, __u8 sec_level)
return 1;
if (hcon->link_mode & HCI_LM_MASTER)
- if (smp_ltk_encrypt(conn))
+ if (smp_ltk_encrypt(conn, sec_level))
goto done;
if (test_and_set_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags))