projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Don't enforce authentication for L2CAP PSM 1 and 3
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4
5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License version 2 as
9 published by the Free Software Foundation;
10
11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19
8e87d142
YH		 20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 22 SOFTWARE IS DISCLAIMED.
23*/
24
25/* Bluetooth L2CAP core and sockets. */
26
1da177e4
LT		 27#include <linux/module.h>
28
29#include <linux/types.h>
4fc268d2 30#include <linux/capability.h>
1da177e4
LT		 31#include <linux/errno.h>
32#include <linux/kernel.h>
1da177e4
LT		 33#include <linux/sched.h>
34#include <linux/slab.h>
35#include <linux/poll.h>
36#include <linux/fcntl.h>
37#include <linux/init.h>
38#include <linux/interrupt.h>
39#include <linux/socket.h>
40#include <linux/skbuff.h>
1da177e4 41#include <linux/list.h>
be9d1227 42#include <linux/device.h>
1da177e4
LT		 43#include <net/sock.h>
44
45#include <asm/system.h>
46#include <asm/uaccess.h>
47#include <asm/unaligned.h>
48
49#include <net/bluetooth/bluetooth.h>
50#include <net/bluetooth/hci_core.h>
51#include <net/bluetooth/l2cap.h>
52
5f9018af 53#define VERSION "2.12"
f0709e03
MH		 54
55static u32 l2cap_feat_mask = 0x0000;
1da177e4 56
90ddc4f0 57static const struct proto_ops l2cap_sock_ops;
1da177e4
LT		 58
59static struct bt_sock_list l2cap_sk_list = {
d5fb2962 60 .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
1da177e4
LT		 61};
62
1da177e4
LT		 63static void __l2cap_sock_close(struct sock *sk, int reason);
64static void l2cap_sock_close(struct sock *sk);
65static void l2cap_sock_kill(struct sock *sk);
66
67static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
68 u8 code, u8 ident, u16 dlen, void *data);
69
70/* ---- L2CAP timers ---- */
71static void l2cap_sock_timeout(unsigned long arg)
72{
73 struct sock *sk = (struct sock *) arg;
b1235d79 74 int reason;
1da177e4
LT		 75
76 BT_DBG("sock %p state %d", sk, sk->sk_state);
77
78 bh_lock_sock(sk);
b1235d79 79
f62e4323
MH		 80 if (sk->sk_state == BT_CONNECTED || sk->sk_state == BT_CONFIG)
81 reason = ECONNREFUSED;
82 else if (sk->sk_state == BT_CONNECT &&
2af6b9d5 83 l2cap_pi(sk)->sec_level != BT_SECURITY_SDP)
b1235d79
MH		 84 reason = ECONNREFUSED;
85 else
86 reason = ETIMEDOUT;
87
88 __l2cap_sock_close(sk, reason);
89
1da177e4
LT		 90 bh_unlock_sock(sk);
91
92 l2cap_sock_kill(sk);
93 sock_put(sk);
94}
95
96static void l2cap_sock_set_timer(struct sock *sk, long timeout)
97{
98 BT_DBG("sk %p state %d timeout %ld", sk, sk->sk_state, timeout);
99 sk_reset_timer(sk, &sk->sk_timer, jiffies + timeout);
100}
101
102static void l2cap_sock_clear_timer(struct sock *sk)
103{
104 BT_DBG("sock %p state %d", sk, sk->sk_state);
105 sk_stop_timer(sk, &sk->sk_timer);
106}
107
0139418c
MH		 108/* ---- L2CAP channels ---- */
109static struct sock *__l2cap_get_chan_by_dcid(struct l2cap_chan_list *l, u16 cid)
110{
111 struct sock *s;
112 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
113 if (l2cap_pi(s)->dcid == cid)
114 break;
115 }
116 return s;
117}
118
119static struct sock *__l2cap_get_chan_by_scid(struct l2cap_chan_list *l, u16 cid)
120{
121 struct sock *s;
122 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
123 if (l2cap_pi(s)->scid == cid)
124 break;
125 }
126 return s;
127}
128
129/* Find channel with given SCID.
130 * Returns locked socket */
131static inline struct sock *l2cap_get_chan_by_scid(struct l2cap_chan_list *l, u16 cid)
132{
133 struct sock *s;
134 read_lock(&l->lock);
135 s = __l2cap_get_chan_by_scid(l, cid);
136 if (s) bh_lock_sock(s);
137 read_unlock(&l->lock);
138 return s;
139}
140
141static struct sock *__l2cap_get_chan_by_ident(struct l2cap_chan_list *l, u8 ident)
142{
143 struct sock *s;
144 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
145 if (l2cap_pi(s)->ident == ident)
146 break;
147 }
148 return s;
149}
150
151static inline struct sock *l2cap_get_chan_by_ident(struct l2cap_chan_list *l, u8 ident)
152{
153 struct sock *s;
154 read_lock(&l->lock);
155 s = __l2cap_get_chan_by_ident(l, ident);
156 if (s) bh_lock_sock(s);
157 read_unlock(&l->lock);
158 return s;
159}
160
161static u16 l2cap_alloc_cid(struct l2cap_chan_list *l)
162{
163 u16 cid = 0x0040;
164
165 for (; cid < 0xffff; cid++) {
166 if(!__l2cap_get_chan_by_scid(l, cid))
167 return cid;
168 }
169
170 return 0;
171}
172
173static inline void __l2cap_chan_link(struct l2cap_chan_list *l, struct sock *sk)
174{
175 sock_hold(sk);
176
177 if (l->head)
178 l2cap_pi(l->head)->prev_c = sk;
179
180 l2cap_pi(sk)->next_c = l->head;
181 l2cap_pi(sk)->prev_c = NULL;
182 l->head = sk;
183}
184
185static inline void l2cap_chan_unlink(struct l2cap_chan_list *l, struct sock *sk)
186{
187 struct sock *next = l2cap_pi(sk)->next_c, *prev = l2cap_pi(sk)->prev_c;
188
fd1278d7 189 write_lock_bh(&l->lock);
0139418c
MH		 190 if (sk == l->head)
191 l->head = next;
192
193 if (next)
194 l2cap_pi(next)->prev_c = prev;
195 if (prev)
196 l2cap_pi(prev)->next_c = next;
fd1278d7 197 write_unlock_bh(&l->lock);
0139418c
MH		 198
199 __sock_put(sk);
200}
201
202static void __l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent)
203{
204 struct l2cap_chan_list *l = &conn->chan_list;
205
206 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn, l2cap_pi(sk)->psm, l2cap_pi(sk)->dcid);
207
208 l2cap_pi(sk)->conn = conn;
209
210 if (sk->sk_type == SOCK_SEQPACKET) {
211 /* Alloc CID for connection-oriented socket */
212 l2cap_pi(sk)->scid = l2cap_alloc_cid(l);
213 } else if (sk->sk_type == SOCK_DGRAM) {
214 /* Connectionless socket */
215 l2cap_pi(sk)->scid = 0x0002;
216 l2cap_pi(sk)->dcid = 0x0002;
217 l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU;
218 } else {
219 /* Raw socket can send/recv signalling messages only */
220 l2cap_pi(sk)->scid = 0x0001;
221 l2cap_pi(sk)->dcid = 0x0001;
222 l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU;
223 }
224
225 __l2cap_chan_link(l, sk);
226
227 if (parent)
228 bt_accept_enqueue(parent, sk);
229}
230
8e87d142 231/* Delete channel.
0139418c
MH		 232 * Must be called on the locked socket. */
233static void l2cap_chan_del(struct sock *sk, int err)
234{
235 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
236 struct sock *parent = bt_sk(sk)->parent;
237
238 l2cap_sock_clear_timer(sk);
239
240 BT_DBG("sk %p, conn %p, err %d", sk, conn, err);
241
8e87d142 242 if (conn) {
0139418c
MH		 243 /* Unlink from channel list */
244 l2cap_chan_unlink(&conn->chan_list, sk);
245 l2cap_pi(sk)->conn = NULL;
246 hci_conn_put(conn->hcon);
247 }
248
b1235d79 249 sk->sk_state = BT_CLOSED;
0139418c
MH		 250 sock_set_flag(sk, SOCK_ZAPPED);
251
252 if (err)
253 sk->sk_err = err;
254
255 if (parent) {
256 bt_accept_unlink(sk);
257 parent->sk_data_ready(parent, 0);
258 } else
259 sk->sk_state_change(sk);
260}
261
79d554a6 262/* Service level security */
2af6b9d5 263static inline int l2cap_check_security(struct sock *sk)
79d554a6
MH		 264{
265 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
0684e5f9
MH		 266 __u8 auth_type;
267
268 switch (l2cap_pi(sk)->sec_level) {
269 case BT_SECURITY_HIGH:
270 auth_type = HCI_AT_GENERAL_BONDING_MITM;
271 break;
272 case BT_SECURITY_MEDIUM:
273 auth_type = HCI_AT_GENERAL_BONDING;
274 break;
275 default:
276 auth_type = HCI_AT_NO_BONDING;
277 break;
278 }
79d554a6 279
0684e5f9
MH		 280 return hci_conn_security(conn->hcon, l2cap_pi(sk)->sec_level,
281 auth_type);
79d554a6
MH		 282}
283
4e8402a3
MH		 284static inline u8 l2cap_get_ident(struct l2cap_conn *conn)
285{
286 u8 id;
287
288 /* Get next available identificator.
289 * 1 - 128 are used by kernel.
290 * 129 - 199 are reserved.
291 * 200 - 254 are used by utilities like l2ping, etc.
292 */
293
294 spin_lock_bh(&conn->lock);
295
296 if (++conn->tx_ident > 128)
297 conn->tx_ident = 1;
298
299 id = conn->tx_ident;
300
301 spin_unlock_bh(&conn->lock);
302
303 return id;
304}
305
306static inline int l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
307{
308 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
309
310 BT_DBG("code 0x%2.2x", code);
311
312 if (!skb)
313 return -ENOMEM;
314
315 return hci_send_acl(conn->hcon, skb, 0);
316}
317
79d554a6
MH		 318static void l2cap_do_start(struct sock *sk)
319{
320 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
321
322 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 323 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
324 return;
325
2af6b9d5 326 if (l2cap_check_security(sk)) {
b1235d79
MH		 327 struct l2cap_conn_req req;
328 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
329 req.psm = l2cap_pi(sk)->psm;
79d554a6 330
b1235d79 331 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
79d554a6 332
b1235d79 333 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
79d554a6 334 L2CAP_CONN_REQ, sizeof(req), &req);
b1235d79 335 }
79d554a6
MH		 336 } else {
337 struct l2cap_info_req req;
338 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
339
340 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
341 conn->info_ident = l2cap_get_ident(conn);
342
343 mod_timer(&conn->info_timer, jiffies +
344 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
345
346 l2cap_send_cmd(conn, conn->info_ident,
347 L2CAP_INFO_REQ, sizeof(req), &req);
348 }
349}
350
1da177e4 351/* ---- L2CAP connections ---- */
4e8402a3
MH		 352static void l2cap_conn_start(struct l2cap_conn *conn)
353{
354 struct l2cap_chan_list *l = &conn->chan_list;
355 struct sock *sk;
356
357 BT_DBG("conn %p", conn);
358
359 read_lock(&l->lock);
360
361 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
362 bh_lock_sock(sk);
363
364 if (sk->sk_type != SOCK_SEQPACKET) {
79d554a6
MH		 365 bh_unlock_sock(sk);
366 continue;
367 }
368
369 if (sk->sk_state == BT_CONNECT) {
2af6b9d5 370 if (l2cap_check_security(sk)) {
b1235d79
MH		 371 struct l2cap_conn_req req;
372 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
373 req.psm = l2cap_pi(sk)->psm;
79d554a6 374
b1235d79 375 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
79d554a6 376
b1235d79 377 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
4e8402a3 378 L2CAP_CONN_REQ, sizeof(req), &req);
b1235d79 379 }
79d554a6
MH		 380 } else if (sk->sk_state == BT_CONNECT2) {
381 struct l2cap_conn_rsp rsp;
382 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
383 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
384
2af6b9d5 385 if (l2cap_check_security(sk)) {
f66dc81f
MH		 386 if (bt_sk(sk)->defer_setup) {
387 struct sock *parent = bt_sk(sk)->parent;
388 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
389 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
390 parent->sk_data_ready(parent, 0);
391
392 } else {
393 sk->sk_state = BT_CONFIG;
394 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
395 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
396 }
79d554a6
MH		 397 } else {
398 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
399 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
400 }
401
402 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
403 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
4e8402a3
MH		 404 }
405
406 bh_unlock_sock(sk);
407 }
408
409 read_unlock(&l->lock);
410}
411
412static void l2cap_conn_ready(struct l2cap_conn *conn)
413{
79d554a6
MH		 414 struct l2cap_chan_list *l = &conn->chan_list;
415 struct sock *sk;
4e8402a3 416
79d554a6 417 BT_DBG("conn %p", conn);
4e8402a3 418
79d554a6 419 read_lock(&l->lock);
4e8402a3 420
79d554a6
MH		 421 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
422 bh_lock_sock(sk);
4e8402a3 423
79d554a6
MH		 424 if (sk->sk_type != SOCK_SEQPACKET) {
425 l2cap_sock_clear_timer(sk);
426 sk->sk_state = BT_CONNECTED;
427 sk->sk_state_change(sk);
428 } else if (sk->sk_state == BT_CONNECT)
429 l2cap_do_start(sk);
4e8402a3 430
79d554a6 431 bh_unlock_sock(sk);
4e8402a3 432 }
79d554a6
MH		 433
434 read_unlock(&l->lock);
4e8402a3
MH		 435}
436
437/* Notify sockets that we cannot guaranty reliability anymore */
438static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
439{
440 struct l2cap_chan_list *l = &conn->chan_list;
441 struct sock *sk;
442
443 BT_DBG("conn %p", conn);
444
445 read_lock(&l->lock);
446
447 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
2af6b9d5 448 if (l2cap_pi(sk)->force_reliable)
4e8402a3
MH		 449 sk->sk_err = err;
450 }
451
452 read_unlock(&l->lock);
453}
454
455static void l2cap_info_timeout(unsigned long arg)
456{
457 struct l2cap_conn *conn = (void *) arg;
458
459 conn->info_ident = 0;
460
984947dc
MH		 461 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
462
4e8402a3
MH		 463 l2cap_conn_start(conn);
464}
465
1da177e4
LT		 466static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
467{
0139418c 468 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4 469
0139418c 470 if (conn || status)
1da177e4
LT		 471 return conn;
472
0139418c
MH		 473 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
474 if (!conn)
1da177e4 475 return NULL;
1da177e4
LT		 476
477 hcon->l2cap_data = conn;
478 conn->hcon = hcon;
479
0139418c
MH		 480 BT_DBG("hcon %p conn %p", hcon, conn);
481
1da177e4
LT		 482 conn->mtu = hcon->hdev->acl_mtu;
483 conn->src = &hcon->hdev->bdaddr;
484 conn->dst = &hcon->dst;
485
4e8402a3
MH		 486 conn->feat_mask = 0;
487
b1235d79
MH		 488 setup_timer(&conn->info_timer, l2cap_info_timeout,
489 (unsigned long) conn);
4e8402a3 490
1da177e4
LT		 491 spin_lock_init(&conn->lock);
492 rwlock_init(&conn->chan_list.lock);
493
1da177e4
LT		 494 return conn;
495}
496
0139418c 497static void l2cap_conn_del(struct hci_conn *hcon, int err)
1da177e4 498{
0139418c 499 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4
LT		 500 struct sock *sk;
501
0139418c
MH		 502 if (!conn)
503 return;
1da177e4
LT		 504
505 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
506
507 if (conn->rx_skb)
508 kfree_skb(conn->rx_skb);
509
510 /* Kill channels */
511 while ((sk = conn->chan_list.head)) {
512 bh_lock_sock(sk);
513 l2cap_chan_del(sk, err);
514 bh_unlock_sock(sk);
515 l2cap_sock_kill(sk);
516 }
517
8e8440f5
DY		 518 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
519 del_timer_sync(&conn->info_timer);
3ab22731 520
1da177e4
LT		 521 hcon->l2cap_data = NULL;
522 kfree(conn);
1da177e4
LT		 523}
524
525static inline void l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent)
526{
527 struct l2cap_chan_list *l = &conn->chan_list;
fd1278d7 528 write_lock_bh(&l->lock);
1da177e4 529 __l2cap_chan_add(conn, sk, parent);
fd1278d7 530 write_unlock_bh(&l->lock);
1da177e4
LT		 531}
532
1da177e4 533/* ---- Socket interface ---- */
8e036fc3 534static struct sock *__l2cap_get_sock_by_addr(__le16 psm, bdaddr_t *src)
1da177e4
LT		 535{
536 struct sock *sk;
537 struct hlist_node *node;
538 sk_for_each(sk, node, &l2cap_sk_list.head)
539 if (l2cap_pi(sk)->sport == psm && !bacmp(&bt_sk(sk)->src, src))
540 goto found;
541 sk = NULL;
542found:
543 return sk;
544}
545
546/* Find socket with psm and source bdaddr.
547 * Returns closest match.
548 */
8e036fc3 549static struct sock *__l2cap_get_sock_by_psm(int state, __le16 psm, bdaddr_t *src)
1da177e4
LT		 550{
551 struct sock *sk = NULL, *sk1 = NULL;
552 struct hlist_node *node;
553
554 sk_for_each(sk, node, &l2cap_sk_list.head) {
555 if (state && sk->sk_state != state)
556 continue;
557
558 if (l2cap_pi(sk)->psm == psm) {
559 /* Exact match. */
560 if (!bacmp(&bt_sk(sk)->src, src))
561 break;
562
563 /* Closest match */
564 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
565 sk1 = sk;
566 }
567 }
568 return node ? sk : sk1;
569}
570
571/* Find socket with given address (psm, src).
572 * Returns locked socket */
8e036fc3 573static inline struct sock *l2cap_get_sock_by_psm(int state, __le16 psm, bdaddr_t *src)
1da177e4
LT		 574{
575 struct sock *s;
576 read_lock(&l2cap_sk_list.lock);
577 s = __l2cap_get_sock_by_psm(state, psm, src);
578 if (s) bh_lock_sock(s);
579 read_unlock(&l2cap_sk_list.lock);
580 return s;
581}
582
583static void l2cap_sock_destruct(struct sock *sk)
584{
585 BT_DBG("sk %p", sk);
586
587 skb_queue_purge(&sk->sk_receive_queue);
588 skb_queue_purge(&sk->sk_write_queue);
589}
590
591static void l2cap_sock_cleanup_listen(struct sock *parent)
592{
593 struct sock *sk;
594
595 BT_DBG("parent %p", parent);
596
597 /* Close not yet accepted channels */
598 while ((sk = bt_accept_dequeue(parent, NULL)))
599 l2cap_sock_close(sk);
600
b1235d79 601 parent->sk_state = BT_CLOSED;
1da177e4
LT		 602 sock_set_flag(parent, SOCK_ZAPPED);
603}
604
605/* Kill socket (only if zapped and orphan)
606 * Must be called on unlocked socket.
607 */
608static void l2cap_sock_kill(struct sock *sk)
609{
610 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
611 return;
612
613 BT_DBG("sk %p state %d", sk, sk->sk_state);
614
615 /* Kill poor orphan */
616 bt_sock_unlink(&l2cap_sk_list, sk);
617 sock_set_flag(sk, SOCK_DEAD);
618 sock_put(sk);
619}
620
621static void __l2cap_sock_close(struct sock *sk, int reason)
622{
623 BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
624
625 switch (sk->sk_state) {
626 case BT_LISTEN:
627 l2cap_sock_cleanup_listen(sk);
628 break;
629
630 case BT_CONNECTED:
631 case BT_CONFIG:
1da177e4
LT		 632 if (sk->sk_type == SOCK_SEQPACKET) {
633 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
634 struct l2cap_disconn_req req;
635
636 sk->sk_state = BT_DISCONN;
637 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
638
aca3192c
YH		 639 req.dcid = cpu_to_le16(l2cap_pi(sk)->dcid);
640 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
1da177e4
LT		 641 l2cap_send_cmd(conn, l2cap_get_ident(conn),
642 L2CAP_DISCONN_REQ, sizeof(req), &req);
b1235d79 643 } else
1da177e4 644 l2cap_chan_del(sk, reason);
1da177e4
LT		 645 break;
646
f66dc81f
MH		 647 case BT_CONNECT2:
648 if (sk->sk_type == SOCK_SEQPACKET) {
649 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
650 struct l2cap_conn_rsp rsp;
651 __u16 result;
652
653 if (bt_sk(sk)->defer_setup)
654 result = L2CAP_CR_SEC_BLOCK;
655 else
656 result = L2CAP_CR_BAD_PSM;
657
658 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
659 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
660 rsp.result = cpu_to_le16(result);
661 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
662 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
663 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
664 } else
665 l2cap_chan_del(sk, reason);
666 break;
667
1da177e4
LT		 668 case BT_CONNECT:
669 case BT_DISCONN:
670 l2cap_chan_del(sk, reason);
671 break;
672
673 default:
674 sock_set_flag(sk, SOCK_ZAPPED);
675 break;
676 }
677}
678
679/* Must be called on unlocked socket. */
680static void l2cap_sock_close(struct sock *sk)
681{
682 l2cap_sock_clear_timer(sk);
683 lock_sock(sk);
684 __l2cap_sock_close(sk, ECONNRESET);
685 release_sock(sk);
686 l2cap_sock_kill(sk);
687}
688
689static void l2cap_sock_init(struct sock *sk, struct sock *parent)
690{
691 struct l2cap_pinfo *pi = l2cap_pi(sk);
692
693 BT_DBG("sk %p", sk);
694
695 if (parent) {
696 sk->sk_type = parent->sk_type;
f66dc81f
MH		 697 bt_sk(sk)->defer_setup = bt_sk(parent)->defer_setup;
698
1da177e4
LT		 699 pi->imtu = l2cap_pi(parent)->imtu;
700 pi->omtu = l2cap_pi(parent)->omtu;
2af6b9d5
MH		 701 pi->sec_level = l2cap_pi(parent)->sec_level;
702 pi->role_switch = l2cap_pi(parent)->role_switch;
703 pi->force_reliable = l2cap_pi(parent)->force_reliable;
1da177e4
LT		 704 } else {
705 pi->imtu = L2CAP_DEFAULT_MTU;
706 pi->omtu = 0;
2af6b9d5
MH		 707 pi->sec_level = BT_SECURITY_LOW;
708 pi->role_switch = 0;
709 pi->force_reliable = 0;
1da177e4
LT		 710 }
711
712 /* Default config options */
5dee9e7c 713 pi->conf_len = 0;
1da177e4
LT		 714 pi->flush_to = L2CAP_DEFAULT_FLUSH_TO;
715}
716
717static struct proto l2cap_proto = {
718 .name = "L2CAP",
719 .owner = THIS_MODULE,
720 .obj_size = sizeof(struct l2cap_pinfo)
721};
722
1b8d7ae4 723static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio)
1da177e4
LT		 724{
725 struct sock *sk;
726
6257ff21 727 sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto);
1da177e4
LT		 728 if (!sk)
729 return NULL;
730
731 sock_init_data(sock, sk);
732 INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
733
734 sk->sk_destruct = l2cap_sock_destruct;
4e8402a3 735 sk->sk_sndtimeo = msecs_to_jiffies(L2CAP_CONN_TIMEOUT);
1da177e4
LT		 736
737 sock_reset_flag(sk, SOCK_ZAPPED);
738
739 sk->sk_protocol = proto;
b1235d79 740 sk->sk_state = BT_OPEN;
1da177e4 741
b1235d79 742 setup_timer(&sk->sk_timer, l2cap_sock_timeout, (unsigned long) sk);
1da177e4
LT		 743
744 bt_sock_link(&l2cap_sk_list, sk);
745 return sk;
746}
747
1b8d7ae4 748static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol)
1da177e4
LT		 749{
750 struct sock *sk;
751
752 BT_DBG("sock %p", sock);
753
754 sock->state = SS_UNCONNECTED;
755
756 if (sock->type != SOCK_SEQPACKET &&
757 sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
758 return -ESOCKTNOSUPPORT;
759
760 if (sock->type == SOCK_RAW && !capable(CAP_NET_RAW))
761 return -EPERM;
762
763 sock->ops = &l2cap_sock_ops;
764
1b8d7ae4 765 sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC);
1da177e4
LT		 766 if (!sk)
767 return -ENOMEM;
768
769 l2cap_sock_init(sk, NULL);
770 return 0;
771}
772
773static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int addr_len)
774{
775 struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
776 struct sock *sk = sock->sk;
777 int err = 0;
778
779 BT_DBG("sk %p, %s %d", sk, batostr(&la->l2_bdaddr), la->l2_psm);
780
781 if (!addr || addr->sa_family != AF_BLUETOOTH)
782 return -EINVAL;
783
784 lock_sock(sk);
785
786 if (sk->sk_state != BT_OPEN) {
787 err = -EBADFD;
788 goto done;
789 }
790
8e036fc3 791 if (la->l2_psm && btohs(la->l2_psm) < 0x1001 &&
847641d7
MH		 792 !capable(CAP_NET_BIND_SERVICE)) {
793 err = -EACCES;
794 goto done;
795 }
8e87d142 796
1da177e4
LT		 797 write_lock_bh(&l2cap_sk_list.lock);
798
799 if (la->l2_psm && __l2cap_get_sock_by_addr(la->l2_psm, &la->l2_bdaddr)) {
800 err = -EADDRINUSE;
801 } else {
802 /* Save source address */
803 bacpy(&bt_sk(sk)->src, &la->l2_bdaddr);
804 l2cap_pi(sk)->psm = la->l2_psm;
805 l2cap_pi(sk)->sport = la->l2_psm;
806 sk->sk_state = BT_BOUND;
2af6b9d5 807
435fef20 808 if (btohs(la->l2_psm) == 0x0001 || btohs(la->l2_psm) == 0x0003)
2af6b9d5 809 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
1da177e4
LT		 810 }
811
812 write_unlock_bh(&l2cap_sk_list.lock);
813
814done:
815 release_sock(sk);
816 return err;
817}
818
819static int l2cap_do_connect(struct sock *sk)
820{
821 bdaddr_t *src = &bt_sk(sk)->src;
822 bdaddr_t *dst = &bt_sk(sk)->dst;
823 struct l2cap_conn *conn;
824 struct hci_conn *hcon;
825 struct hci_dev *hdev;
09ab6f4c 826 __u8 auth_type;
1da177e4
LT		 827 int err = 0;
828
829 BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst), l2cap_pi(sk)->psm);
830
831 if (!(hdev = hci_get_route(dst, src)))
832 return -EHOSTUNREACH;
833
834 hci_dev_lock_bh(hdev);
835
836 err = -ENOMEM;
837
8c1b2355 838 if (sk->sk_type == SOCK_RAW) {
2af6b9d5
MH		 839 switch (l2cap_pi(sk)->sec_level) {
840 case BT_SECURITY_HIGH:
8c1b2355 841 auth_type = HCI_AT_DEDICATED_BONDING_MITM;
2af6b9d5
MH		 842 break;
843 case BT_SECURITY_MEDIUM:
8c1b2355 844 auth_type = HCI_AT_DEDICATED_BONDING;
2af6b9d5
MH		 845 break;
846 default:
09ab6f4c 847 auth_type = HCI_AT_NO_BONDING;
2af6b9d5
MH		 848 break;
849 }
8c1b2355 850 } else if (l2cap_pi(sk)->psm == cpu_to_le16(0x0001)) {
2af6b9d5 851 if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
8c1b2355 852 auth_type = HCI_AT_NO_BONDING_MITM;
09ab6f4c 853 else
8c1b2355 854 auth_type = HCI_AT_NO_BONDING;
435fef20
MH		 855
856 if (l2cap_pi(sk)->sec_level == BT_SECURITY_LOW)
857 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
8c1b2355 858 } else {
2af6b9d5
MH		 859 switch (l2cap_pi(sk)->sec_level) {
860 case BT_SECURITY_HIGH:
8c1b2355 861 auth_type = HCI_AT_GENERAL_BONDING_MITM;
2af6b9d5
MH		 862 break;
863 case BT_SECURITY_MEDIUM:
09ab6f4c 864 auth_type = HCI_AT_GENERAL_BONDING;
2af6b9d5
MH		 865 break;
866 default:
8c1b2355 867 auth_type = HCI_AT_NO_BONDING;
2af6b9d5
MH		 868 break;
869 }
09ab6f4c
MH		 870 }
871
2af6b9d5
MH		 872 hcon = hci_connect(hdev, ACL_LINK, dst,
873 l2cap_pi(sk)->sec_level, auth_type);
1da177e4
LT		 874 if (!hcon)
875 goto done;
876
877 conn = l2cap_conn_add(hcon, 0);
878 if (!conn) {
879 hci_conn_put(hcon);
880 goto done;
881 }
882
883 err = 0;
884
885 /* Update source addr of the socket */
886 bacpy(src, conn->src);
887
888 l2cap_chan_add(conn, sk, NULL);
889
890 sk->sk_state = BT_CONNECT;
891 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
892
893 if (hcon->state == BT_CONNECTED) {
79d554a6 894 if (sk->sk_type != SOCK_SEQPACKET) {
1da177e4
LT		 895 l2cap_sock_clear_timer(sk);
896 sk->sk_state = BT_CONNECTED;
79d554a6
MH		 897 } else
898 l2cap_do_start(sk);
1da177e4
LT		 899 }
900
901done:
902 hci_dev_unlock_bh(hdev);
903 hci_dev_put(hdev);
904 return err;
905}
906
907static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags)
908{
909 struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
910 struct sock *sk = sock->sk;
911 int err = 0;
912
913 lock_sock(sk);
914
915 BT_DBG("sk %p", sk);
916
917 if (addr->sa_family != AF_BLUETOOTH || alen < sizeof(struct sockaddr_l2)) {
918 err = -EINVAL;
919 goto done;
920 }
921
922 if (sk->sk_type == SOCK_SEQPACKET && !la->l2_psm) {
923 err = -EINVAL;
924 goto done;
925 }
926
927 switch(sk->sk_state) {
928 case BT_CONNECT:
929 case BT_CONNECT2:
930 case BT_CONFIG:
931 /* Already connecting */
932 goto wait;
933
934 case BT_CONNECTED:
935 /* Already connected */
936 goto done;
937
938 case BT_OPEN:
939 case BT_BOUND:
940 /* Can connect */
941 break;
942
943 default:
944 err = -EBADFD;
945 goto done;
946 }
947
948 /* Set destination address and psm */
949 bacpy(&bt_sk(sk)->dst, &la->l2_bdaddr);
950 l2cap_pi(sk)->psm = la->l2_psm;
951
952 if ((err = l2cap_do_connect(sk)))
953 goto done;
954
955wait:
956 err = bt_sock_wait_state(sk, BT_CONNECTED,
957 sock_sndtimeo(sk, flags & O_NONBLOCK));
958done:
959 release_sock(sk);
960 return err;
961}
962
963static int l2cap_sock_listen(struct socket *sock, int backlog)
964{
965 struct sock *sk = sock->sk;
966 int err = 0;
967
968 BT_DBG("sk %p backlog %d", sk, backlog);
969
970 lock_sock(sk);
971
972 if (sk->sk_state != BT_BOUND || sock->type != SOCK_SEQPACKET) {
973 err = -EBADFD;
974 goto done;
975 }
976
977 if (!l2cap_pi(sk)->psm) {
978 bdaddr_t *src = &bt_sk(sk)->src;
979 u16 psm;
980
981 err = -EINVAL;
982
983 write_lock_bh(&l2cap_sk_list.lock);
984
985 for (psm = 0x1001; psm < 0x1100; psm += 2)
6dc0c208 986 if (!__l2cap_get_sock_by_addr(htobs(psm), src)) {
1da177e4
LT		 987 l2cap_pi(sk)->psm = htobs(psm);
988 l2cap_pi(sk)->sport = htobs(psm);
989 err = 0;
990 break;
991 }
992
993 write_unlock_bh(&l2cap_sk_list.lock);
994
995 if (err < 0)
996 goto done;
997 }
998
999 sk->sk_max_ack_backlog = backlog;
1000 sk->sk_ack_backlog = 0;
1001 sk->sk_state = BT_LISTEN;
1002
1003done:
1004 release_sock(sk);
1005 return err;
1006}
1007
1008static int l2cap_sock_accept(struct socket *sock, struct socket *newsock, int flags)
1009{
1010 DECLARE_WAITQUEUE(wait, current);
1011 struct sock *sk = sock->sk, *nsk;
1012 long timeo;
1013 int err = 0;
1014
fcc70d5f 1015 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
1da177e4
LT		 1016
1017 if (sk->sk_state != BT_LISTEN) {
1018 err = -EBADFD;
1019 goto done;
1020 }
1021
1022 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
1023
1024 BT_DBG("sk %p timeo %ld", sk, timeo);
1025
1026 /* Wait for an incoming connection. (wake-one). */
1027 add_wait_queue_exclusive(sk->sk_sleep, &wait);
1028 while (!(nsk = bt_accept_dequeue(sk, newsock))) {
1029 set_current_state(TASK_INTERRUPTIBLE);
1030 if (!timeo) {
1031 err = -EAGAIN;
1032 break;
1033 }
1034
1035 release_sock(sk);
1036 timeo = schedule_timeout(timeo);
fcc70d5f 1037 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
1da177e4
LT		 1038
1039 if (sk->sk_state != BT_LISTEN) {
1040 err = -EBADFD;
1041 break;
1042 }
1043
1044 if (signal_pending(current)) {
1045 err = sock_intr_errno(timeo);
1046 break;
1047 }
1048 }
1049 set_current_state(TASK_RUNNING);
1050 remove_wait_queue(sk->sk_sleep, &wait);
1051
1052 if (err)
1053 goto done;
1054
1055 newsock->state = SS_CONNECTED;
1056
1057 BT_DBG("new socket %p", nsk);
1058
1059done:
1060 release_sock(sk);
1061 return err;
1062}
1063
1064static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr, int *len, int peer)
1065{
1066 struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
1067 struct sock *sk = sock->sk;
1068
1069 BT_DBG("sock %p, sk %p", sock, sk);
1070
1071 addr->sa_family = AF_BLUETOOTH;
1072 *len = sizeof(struct sockaddr_l2);
1073
1074 if (peer)
1075 bacpy(&la->l2_bdaddr, &bt_sk(sk)->dst);
1076 else
1077 bacpy(&la->l2_bdaddr, &bt_sk(sk)->src);
1078
1079 la->l2_psm = l2cap_pi(sk)->psm;
1080 return 0;
1081}
1082
1083static inline int l2cap_do_send(struct sock *sk, struct msghdr *msg, int len)
1084{
1085 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1086 struct sk_buff *skb, **frag;
1087 int err, hlen, count, sent=0;
1088 struct l2cap_hdr *lh;
1089
1090 BT_DBG("sk %p len %d", sk, len);
1091
1092 /* First fragment (with L2CAP header) */
1093 if (sk->sk_type == SOCK_DGRAM)
1094 hlen = L2CAP_HDR_SIZE + 2;
1095 else
1096 hlen = L2CAP_HDR_SIZE;
1097
1098 count = min_t(unsigned int, (conn->mtu - hlen), len);
1099
1100 skb = bt_skb_send_alloc(sk, hlen + count,
1101 msg->msg_flags & MSG_DONTWAIT, &err);
1102 if (!skb)
1103 return err;
1104
1105 /* Create L2CAP header */
1106 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c
YH		 1107 lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1108 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1da177e4
LT		 1109
1110 if (sk->sk_type == SOCK_DGRAM)
8e036fc3 1111 put_unaligned(l2cap_pi(sk)->psm, (__le16 *) skb_put(skb, 2));
1da177e4
LT		 1112
1113 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count)) {
1114 err = -EFAULT;
1115 goto fail;
1116 }
1117
1118 sent += count;
1119 len -= count;
1120
1121 /* Continuation fragments (no L2CAP header) */
1122 frag = &skb_shinfo(skb)->frag_list;
1123 while (len) {
1124 count = min_t(unsigned int, conn->mtu, len);
1125
1126 *frag = bt_skb_send_alloc(sk, count, msg->msg_flags & MSG_DONTWAIT, &err);
1127 if (!*frag)
1128 goto fail;
8e87d142 1129
1da177e4
LT		 1130 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count)) {
1131 err = -EFAULT;
1132 goto fail;
1133 }
1134
1135 sent += count;
1136 len -= count;
1137
1138 frag = &(*frag)->next;
1139 }
1140
1141 if ((err = hci_send_acl(conn->hcon, skb, 0)) < 0)
1142 goto fail;
1143
1144 return sent;
1145
1146fail:
1147 kfree_skb(skb);
1148 return err;
1149}
1150
1151static int l2cap_sock_sendmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len)
1152{
1153 struct sock *sk = sock->sk;
1154 int err = 0;
1155
1156 BT_DBG("sock %p, sk %p", sock, sk);
1157
c1cbe4b7
BL		 1158 err = sock_error(sk);
1159 if (err)
1160 return err;
1da177e4
LT		 1161
1162 if (msg->msg_flags & MSG_OOB)
1163 return -EOPNOTSUPP;
1164
1165 /* Check outgoing MTU */
1166 if (sk->sk_type != SOCK_RAW && len > l2cap_pi(sk)->omtu)
1167 return -EINVAL;
1168
1169 lock_sock(sk);
1170
1171 if (sk->sk_state == BT_CONNECTED)
1172 err = l2cap_do_send(sk, msg, len);
1173 else
1174 err = -ENOTCONN;
1175
1176 release_sock(sk);
1177 return err;
1178}
1179
f66dc81f
MH		 1180static int l2cap_sock_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len, int flags)
1181{
1182 struct sock *sk = sock->sk;
1183
1184 lock_sock(sk);
1185
1186 if (sk->sk_state == BT_CONNECT2 && bt_sk(sk)->defer_setup) {
1187 struct l2cap_conn_rsp rsp;
1188
1189 sk->sk_state = BT_CONFIG;
1190
1191 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
1192 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
1193 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1194 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1195 l2cap_send_cmd(l2cap_pi(sk)->conn, l2cap_pi(sk)->ident,
1196 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
1197
1198 release_sock(sk);
1199 return 0;
1200 }
1201
1202 release_sock(sk);
1203
1204 return bt_sock_recvmsg(iocb, sock, msg, len, flags);
1205}
1206
d58daf42 1207static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __user *optval, int optlen)
1da177e4
LT		 1208{
1209 struct sock *sk = sock->sk;
1210 struct l2cap_options opts;
1211 int err = 0, len;
1212 u32 opt;
1213
1214 BT_DBG("sk %p", sk);
1215
1216 lock_sock(sk);
1217
1218 switch (optname) {
1219 case L2CAP_OPTIONS:
0878b666
MH		 1220 opts.imtu = l2cap_pi(sk)->imtu;
1221 opts.omtu = l2cap_pi(sk)->omtu;
1222 opts.flush_to = l2cap_pi(sk)->flush_to;
6464f35f 1223 opts.mode = L2CAP_MODE_BASIC;
0878b666 1224
1da177e4
LT		 1225 len = min_t(unsigned int, sizeof(opts), optlen);
1226 if (copy_from_user((char *) &opts, optval, len)) {
1227 err = -EFAULT;
1228 break;
1229 }
0878b666 1230
1da177e4
LT		 1231 l2cap_pi(sk)->imtu = opts.imtu;
1232 l2cap_pi(sk)->omtu = opts.omtu;
1233 break;
1234
1235 case L2CAP_LM:
1236 if (get_user(opt, (u32 __user *) optval)) {
1237 err = -EFAULT;
1238 break;
1239 }
1240
2af6b9d5
MH		 1241 if (opt & L2CAP_LM_AUTH)
1242 l2cap_pi(sk)->sec_level = BT_SECURITY_LOW;
1243 if (opt & L2CAP_LM_ENCRYPT)
1244 l2cap_pi(sk)->sec_level = BT_SECURITY_MEDIUM;
1245 if (opt & L2CAP_LM_SECURE)
1246 l2cap_pi(sk)->sec_level = BT_SECURITY_HIGH;
1247
1248 l2cap_pi(sk)->role_switch = (opt & L2CAP_LM_MASTER);
1249 l2cap_pi(sk)->force_reliable = (opt & L2CAP_LM_RELIABLE);
1da177e4
LT		 1250 break;
1251
1252 default:
1253 err = -ENOPROTOOPT;
1254 break;
1255 }
1256
1257 release_sock(sk);
1258 return err;
1259}
1260
d58daf42
MH		 1261static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, char __user *optval, int optlen)
1262{
1263 struct sock *sk = sock->sk;
2af6b9d5
MH		 1264 struct bt_security sec;
1265 int len, err = 0;
f66dc81f 1266 u32 opt;
d58daf42
MH		 1267
1268 BT_DBG("sk %p", sk);
1269
1270 if (level == SOL_L2CAP)
1271 return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
1272
0588d94f
MH		 1273 if (level != SOL_BLUETOOTH)
1274 return -ENOPROTOOPT;
1275
d58daf42
MH		 1276 lock_sock(sk);
1277
1278 switch (optname) {
2af6b9d5 1279 case BT_SECURITY:
0588d94f
MH		 1280 if (sk->sk_type != SOCK_SEQPACKET) {
1281 err = -EINVAL;
1282 break;
1283 }
1284
2af6b9d5
MH		 1285 sec.level = BT_SECURITY_LOW;
1286
1287 len = min_t(unsigned int, sizeof(sec), optlen);
1288 if (copy_from_user((char *) &sec, optval, len)) {
1289 err = -EFAULT;
1290 break;
1291 }
1292
1293 if (sec.level < BT_SECURITY_LOW ||
1294 sec.level > BT_SECURITY_HIGH) {
1295 err = -EINVAL;
1296 break;
1297 }
1298
1299 l2cap_pi(sk)->sec_level = sec.level;
1300 break;
1301
f66dc81f
MH		 1302 case BT_DEFER_SETUP:
1303 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
1304 err = -EINVAL;
1305 break;
1306 }
1307
1308 if (get_user(opt, (u32 __user *) optval)) {
1309 err = -EFAULT;
1310 break;
1311 }
1312
1313 bt_sk(sk)->defer_setup = opt;
1314 break;
1315
d58daf42
MH		 1316 default:
1317 err = -ENOPROTOOPT;
1318 break;
1319 }
1320
1321 release_sock(sk);
1322 return err;
1323}
1324
1325static int l2cap_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen)
1da177e4
LT		 1326{
1327 struct sock *sk = sock->sk;
1328 struct l2cap_options opts;
1329 struct l2cap_conninfo cinfo;
1330 int len, err = 0;
2af6b9d5 1331 u32 opt;
1da177e4
LT		 1332
1333 BT_DBG("sk %p", sk);
1334
1335 if (get_user(len, optlen))
1336 return -EFAULT;
1337
1338 lock_sock(sk);
1339
1340 switch (optname) {
1341 case L2CAP_OPTIONS:
1342 opts.imtu = l2cap_pi(sk)->imtu;
1343 opts.omtu = l2cap_pi(sk)->omtu;
1344 opts.flush_to = l2cap_pi(sk)->flush_to;
6464f35f 1345 opts.mode = L2CAP_MODE_BASIC;
1da177e4
LT		 1346
1347 len = min_t(unsigned int, len, sizeof(opts));
1348 if (copy_to_user(optval, (char *) &opts, len))
1349 err = -EFAULT;
1350
1351 break;
1352
1353 case L2CAP_LM:
2af6b9d5
MH		 1354 switch (l2cap_pi(sk)->sec_level) {
1355 case BT_SECURITY_LOW:
1356 opt = L2CAP_LM_AUTH;
1357 break;
1358 case BT_SECURITY_MEDIUM:
1359 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
1360 break;
1361 case BT_SECURITY_HIGH:
1362 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
1363 L2CAP_LM_SECURE;
1364 break;
1365 default:
1366 opt = 0;
1367 break;
1368 }
1369
1370 if (l2cap_pi(sk)->role_switch)
1371 opt |= L2CAP_LM_MASTER;
1372
1373 if (l2cap_pi(sk)->force_reliable)
1374 opt |= L2CAP_LM_RELIABLE;
1375
1376 if (put_user(opt, (u32 __user *) optval))
1da177e4
LT		 1377 err = -EFAULT;
1378 break;
1379
1380 case L2CAP_CONNINFO:
f66dc81f
MH		 1381 if (sk->sk_state != BT_CONNECTED &&
1382 !(sk->sk_state == BT_CONNECT2 &&
1383 bt_sk(sk)->defer_setup)) {
1da177e4
LT		 1384 err = -ENOTCONN;
1385 break;
1386 }
1387
1388 cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle;
1389 memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3);
1390
1391 len = min_t(unsigned int, len, sizeof(cinfo));
1392 if (copy_to_user(optval, (char *) &cinfo, len))
1393 err = -EFAULT;
1394
1395 break;
1396
1397 default:
1398 err = -ENOPROTOOPT;
1399 break;
1400 }
1401
1402 release_sock(sk);
1403 return err;
1404}
1405
d58daf42
MH		 1406static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen)
1407{
1408 struct sock *sk = sock->sk;
2af6b9d5 1409 struct bt_security sec;
d58daf42
MH		 1410 int len, err = 0;
1411
1412 BT_DBG("sk %p", sk);
1413
1414 if (level == SOL_L2CAP)
1415 return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
1416
0588d94f
MH		 1417 if (level != SOL_BLUETOOTH)
1418 return -ENOPROTOOPT;
1419
d58daf42
MH		 1420 if (get_user(len, optlen))
1421 return -EFAULT;
1422
1423 lock_sock(sk);
1424
1425 switch (optname) {
2af6b9d5 1426 case BT_SECURITY:
0588d94f
MH		 1427 if (sk->sk_type != SOCK_SEQPACKET) {
1428 err = -EINVAL;
1429 break;
1430 }
1431
2af6b9d5
MH		 1432 sec.level = l2cap_pi(sk)->sec_level;
1433
1434 len = min_t(unsigned int, len, sizeof(sec));
1435 if (copy_to_user(optval, (char *) &sec, len))
1436 err = -EFAULT;
1437
1438 break;
1439
f66dc81f
MH		 1440 case BT_DEFER_SETUP:
1441 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
1442 err = -EINVAL;
1443 break;
1444 }
1445
1446 if (put_user(bt_sk(sk)->defer_setup, (u32 __user *) optval))
1447 err = -EFAULT;
1448
1449 break;
1450
d58daf42
MH		 1451 default:
1452 err = -ENOPROTOOPT;
1453 break;
1454 }
1455
1456 release_sock(sk);
1457 return err;
1458}
1459
1da177e4
LT		 1460static int l2cap_sock_shutdown(struct socket *sock, int how)
1461{
1462 struct sock *sk = sock->sk;
1463 int err = 0;
1464
1465 BT_DBG("sock %p, sk %p", sock, sk);
1466
1467 if (!sk)
1468 return 0;
1469
1470 lock_sock(sk);
1471 if (!sk->sk_shutdown) {
1472 sk->sk_shutdown = SHUTDOWN_MASK;
1473 l2cap_sock_clear_timer(sk);
1474 __l2cap_sock_close(sk, 0);
1475
1476 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime)
b1235d79
MH		 1477 err = bt_sock_wait_state(sk, BT_CLOSED,
1478 sk->sk_lingertime);
1da177e4
LT		 1479 }
1480 release_sock(sk);
1481 return err;
1482}
1483
1484static int l2cap_sock_release(struct socket *sock)
1485{
1486 struct sock *sk = sock->sk;
1487 int err;
1488
1489 BT_DBG("sock %p, sk %p", sock, sk);
1490
1491 if (!sk)
1492 return 0;
1493
1494 err = l2cap_sock_shutdown(sock, 2);
1495
1496 sock_orphan(sk);
1497 l2cap_sock_kill(sk);
1498 return err;
1499}
1500
1da177e4
LT		 1501static void l2cap_chan_ready(struct sock *sk)
1502{
1503 struct sock *parent = bt_sk(sk)->parent;
1504
1505 BT_DBG("sk %p, parent %p", sk, parent);
1506
1507 l2cap_pi(sk)->conf_state = 0;
1508 l2cap_sock_clear_timer(sk);
1509
1510 if (!parent) {
1511 /* Outgoing channel.
1512 * Wake up socket sleeping on connect.
1513 */
1514 sk->sk_state = BT_CONNECTED;
1515 sk->sk_state_change(sk);
1516 } else {
1517 /* Incoming channel.
1518 * Wake up socket sleeping on accept.
1519 */
1520 parent->sk_data_ready(parent, 0);
1521 }
1522}
1523
1524/* Copy frame to all raw sockets on that connection */
1525static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
1526{
1527 struct l2cap_chan_list *l = &conn->chan_list;
1528 struct sk_buff *nskb;
1529 struct sock * sk;
1530
1531 BT_DBG("conn %p", conn);
1532
1533 read_lock(&l->lock);
1534 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
1535 if (sk->sk_type != SOCK_RAW)
1536 continue;
1537
1538 /* Don't send frame to the socket it came from */
1539 if (skb->sk == sk)
1540 continue;
1541
1542 if (!(nskb = skb_clone(skb, GFP_ATOMIC)))
1543 continue;
1544
1545 if (sock_queue_rcv_skb(sk, nskb))
1546 kfree_skb(nskb);
1547 }
1548 read_unlock(&l->lock);
1549}
1550
1551/* ---- L2CAP signalling commands ---- */
1552static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
1553 u8 code, u8 ident, u16 dlen, void *data)
1554{
1555 struct sk_buff *skb, **frag;
1556 struct l2cap_cmd_hdr *cmd;
1557 struct l2cap_hdr *lh;
1558 int len, count;
1559
1560 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d", conn, code, ident, dlen);
1561
1562 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
1563 count = min_t(unsigned int, conn->mtu, len);
1564
1565 skb = bt_skb_alloc(count, GFP_ATOMIC);
1566 if (!skb)
1567 return NULL;
1568
1569 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c
YH		 1570 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
1571 lh->cid = cpu_to_le16(0x0001);
1da177e4
LT		 1572
1573 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
1574 cmd->code = code;
1575 cmd->ident = ident;
aca3192c 1576 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 1577
1578 if (dlen) {
1579 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
1580 memcpy(skb_put(skb, count), data, count);
1581 data += count;
1582 }
1583
1584 len -= skb->len;
1585
1586 /* Continuation fragments (no L2CAP header) */
1587 frag = &skb_shinfo(skb)->frag_list;
1588 while (len) {
1589 count = min_t(unsigned int, conn->mtu, len);
1590
1591 *frag = bt_skb_alloc(count, GFP_ATOMIC);
1592 if (!*frag)
1593 goto fail;
1594
1595 memcpy(skb_put(*frag, count), data, count);
1596
1597 len -= count;
1598 data += count;
1599
1600 frag = &(*frag)->next;
1601 }
1602
1603 return skb;
1604
1605fail:
1606 kfree_skb(skb);
1607 return NULL;
1608}
1609
1610static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
1611{
1612 struct l2cap_conf_opt *opt = *ptr;
1613 int len;
1614
1615 len = L2CAP_CONF_OPT_SIZE + opt->len;
1616 *ptr += len;
1617
1618 *type = opt->type;
1619 *olen = opt->len;
1620
1621 switch (opt->len) {
1622 case 1:
1623 *val = *((u8 *) opt->val);
1624 break;
1625
1626 case 2:
861d6882 1627 *val = __le16_to_cpu(*((__le16 *) opt->val));
1da177e4
LT		 1628 break;
1629
1630 case 4:
861d6882 1631 *val = __le32_to_cpu(*((__le32 *) opt->val));
1da177e4
LT		 1632 break;
1633
1634 default:
1635 *val = (unsigned long) opt->val;
1636 break;
1637 }
1638
1639 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
1640 return len;
1641}
1642
1da177e4
LT		 1643static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
1644{
1645 struct l2cap_conf_opt *opt = *ptr;
1646
1647 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
1648
1649 opt->type = type;
1650 opt->len = len;
1651
1652 switch (len) {
1653 case 1:
1654 *((u8 *) opt->val) = val;
1655 break;
1656
1657 case 2:
8e036fc3 1658 *((__le16 *) opt->val) = cpu_to_le16(val);
1da177e4
LT		 1659 break;
1660
1661 case 4:
8e036fc3 1662 *((__le32 *) opt->val) = cpu_to_le32(val);
1da177e4
LT		 1663 break;
1664
1665 default:
1666 memcpy(opt->val, (void *) val, len);
1667 break;
1668 }
1669
1670 *ptr += L2CAP_CONF_OPT_SIZE + len;
1671}
1672
1673static int l2cap_build_conf_req(struct sock *sk, void *data)
1674{
1675 struct l2cap_pinfo *pi = l2cap_pi(sk);
1676 struct l2cap_conf_req *req = data;
1677 void *ptr = req->data;
1678
1679 BT_DBG("sk %p", sk);
1680
1681 if (pi->imtu != L2CAP_DEFAULT_MTU)
1682 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->imtu);
1683
1684 /* FIXME: Need actual value of the flush timeout */
1685 //if (flush_to != L2CAP_DEFAULT_FLUSH_TO)
1686 // l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, 2, pi->flush_to);
1687
aca3192c
YH		 1688 req->dcid = cpu_to_le16(pi->dcid);
1689 req->flags = cpu_to_le16(0);
1da177e4
LT		 1690
1691 return ptr - data;
1692}
1693
5dee9e7c 1694static int l2cap_parse_conf_req(struct sock *sk, void *data)
1da177e4
LT		 1695{
1696 struct l2cap_pinfo *pi = l2cap_pi(sk);
5dee9e7c
MH		 1697 struct l2cap_conf_rsp *rsp = data;
1698 void *ptr = rsp->data;
1699 void *req = pi->conf_req;
1700 int len = pi->conf_len;
1701 int type, hint, olen;
1702 unsigned long val;
6464f35f 1703 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
861d6882 1704 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 1705 u16 result = L2CAP_CONF_SUCCESS;
1da177e4 1706
5dee9e7c 1707 BT_DBG("sk %p", sk);
820ae1b8 1708
5dee9e7c
MH		 1709 while (len >= L2CAP_CONF_OPT_SIZE) {
1710 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 1711
5dee9e7c
MH		 1712 hint = type & 0x80;
1713 type &= 0x7f;
1714
1715 switch (type) {
1716 case L2CAP_CONF_MTU:
861d6882 1717 mtu = val;
5dee9e7c
MH		 1718 break;
1719
1720 case L2CAP_CONF_FLUSH_TO:
1721 pi->flush_to = val;
1722 break;
1723
1724 case L2CAP_CONF_QOS:
1725 break;
1726
6464f35f
MH		 1727 case L2CAP_CONF_RFC:
1728 if (olen == sizeof(rfc))
1729 memcpy(&rfc, (void *) val, olen);
1730 break;
1731
5dee9e7c
MH		 1732 default:
1733 if (hint)
1734 break;
1735
1736 result = L2CAP_CONF_UNKNOWN;
1737 *((u8 *) ptr++) = type;
1738 break;
1739 }
1740 }
1741
1742 if (result == L2CAP_CONF_SUCCESS) {
1743 /* Configure output options and let the other side know
1744 * which ones we don't like. */
1745
6464f35f
MH		 1746 if (rfc.mode == L2CAP_MODE_BASIC) {
1747 if (mtu < pi->omtu)
1748 result = L2CAP_CONF_UNACCEPT;
1749 else {
1750 pi->omtu = mtu;
1751 pi->conf_state |= L2CAP_CONF_OUTPUT_DONE;
1752 }
1753
1754 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->omtu);
1755 } else {
5dee9e7c 1756 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 1757
6464f35f
MH		 1758 memset(&rfc, 0, sizeof(rfc));
1759 rfc.mode = L2CAP_MODE_BASIC;
1760
1761 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
1762 sizeof(rfc), (unsigned long) &rfc);
1763 }
5dee9e7c
MH		 1764 }
1765
1766 rsp->scid = cpu_to_le16(pi->dcid);
1767 rsp->result = cpu_to_le16(result);
1768 rsp->flags = cpu_to_le16(0x0000);
1769
1770 return ptr - data;
1da177e4
LT		 1771}
1772
5dee9e7c 1773static int l2cap_build_conf_rsp(struct sock *sk, void *data, u16 result, u16 flags)
1da177e4
LT		 1774{
1775 struct l2cap_conf_rsp *rsp = data;
1776 void *ptr = rsp->data;
1da177e4 1777
5dee9e7c 1778 BT_DBG("sk %p", sk);
1da177e4 1779
aca3192c 1780 rsp->scid = cpu_to_le16(l2cap_pi(sk)->dcid);
5dee9e7c 1781 rsp->result = cpu_to_le16(result);
aca3192c 1782 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 1783
1784 return ptr - data;
1785}
1786
4e8402a3
MH		 1787static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
1788{
1789 struct l2cap_cmd_rej *rej = (struct l2cap_cmd_rej *) data;
1790
1791 if (rej->reason != 0x0000)
1792 return 0;
1793
1794 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
1795 cmd->ident == conn->info_ident) {
1796 conn->info_ident = 0;
1797 del_timer(&conn->info_timer);
984947dc
MH		 1798
1799 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
1800
4e8402a3
MH		 1801 l2cap_conn_start(conn);
1802 }
1803
1804 return 0;
1805}
1806
1da177e4
LT		 1807static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
1808{
1809 struct l2cap_chan_list *list = &conn->chan_list;
1810 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
1811 struct l2cap_conn_rsp rsp;
1812 struct sock *sk, *parent;
e7c29cb1 1813 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 1814
1815 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 1816 __le16 psm = req->psm;
1da177e4
LT		 1817
1818 BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
1819
1820 /* Check if we have socket listening on psm */
1821 parent = l2cap_get_sock_by_psm(BT_LISTEN, psm, conn->src);
1822 if (!parent) {
1823 result = L2CAP_CR_BAD_PSM;
1824 goto sendresp;
1825 }
1826
e7c29cb1
MH		 1827 /* Check if the ACL is secure enough (if not SDP) */
1828 if (psm != cpu_to_le16(0x0001) &&
1829 !hci_conn_check_link_mode(conn->hcon)) {
1830 result = L2CAP_CR_SEC_BLOCK;
1831 goto response;
1832 }
1833
1da177e4
LT		 1834 result = L2CAP_CR_NO_MEM;
1835
1836 /* Check for backlog size */
1837 if (sk_acceptq_is_full(parent)) {
8e87d142 1838 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1da177e4
LT		 1839 goto response;
1840 }
1841
3b1e0a65 1842 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP, GFP_ATOMIC);
1da177e4
LT		 1843 if (!sk)
1844 goto response;
1845
fd1278d7 1846 write_lock_bh(&list->lock);
1da177e4
LT		 1847
1848 /* Check if we already have channel with that dcid */
1849 if (__l2cap_get_chan_by_dcid(list, scid)) {
fd1278d7 1850 write_unlock_bh(&list->lock);
1da177e4
LT		 1851 sock_set_flag(sk, SOCK_ZAPPED);
1852 l2cap_sock_kill(sk);
1853 goto response;
1854 }
1855
1856 hci_conn_hold(conn->hcon);
1857
1858 l2cap_sock_init(sk, parent);
1859 bacpy(&bt_sk(sk)->src, conn->src);
1860 bacpy(&bt_sk(sk)->dst, conn->dst);
1861 l2cap_pi(sk)->psm = psm;
1862 l2cap_pi(sk)->dcid = scid;
1863
1864 __l2cap_chan_add(conn, sk, parent);
1865 dcid = l2cap_pi(sk)->scid;
1866
1867 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
1868
1da177e4
LT		 1869 l2cap_pi(sk)->ident = cmd->ident;
1870
984947dc 1871 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
2af6b9d5 1872 if (l2cap_check_security(sk)) {
f66dc81f
MH		 1873 if (bt_sk(sk)->defer_setup) {
1874 sk->sk_state = BT_CONNECT2;
1875 result = L2CAP_CR_PEND;
1876 status = L2CAP_CS_AUTHOR_PEND;
1877 parent->sk_data_ready(parent, 0);
1878 } else {
1879 sk->sk_state = BT_CONFIG;
1880 result = L2CAP_CR_SUCCESS;
1881 status = L2CAP_CS_NO_INFO;
1882 }
79d554a6
MH		 1883 } else {
1884 sk->sk_state = BT_CONNECT2;
1885 result = L2CAP_CR_PEND;
1886 status = L2CAP_CS_AUTHEN_PEND;
1887 }
1888 } else {
1889 sk->sk_state = BT_CONNECT2;
1890 result = L2CAP_CR_PEND;
1891 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 1892 }
1893
fd1278d7 1894 write_unlock_bh(&list->lock);
1da177e4
LT		 1895
1896response:
1897 bh_unlock_sock(parent);
1898
1899sendresp:
aca3192c
YH		 1900 rsp.scid = cpu_to_le16(scid);
1901 rsp.dcid = cpu_to_le16(dcid);
1902 rsp.result = cpu_to_le16(result);
1903 rsp.status = cpu_to_le16(status);
1da177e4 1904 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 1905
1906 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
1907 struct l2cap_info_req info;
1908 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
1909
1910 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1911 conn->info_ident = l2cap_get_ident(conn);
1912
1913 mod_timer(&conn->info_timer, jiffies +
1914 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
1915
1916 l2cap_send_cmd(conn, conn->info_ident,
1917 L2CAP_INFO_REQ, sizeof(info), &info);
1918 }
1919
1da177e4
LT		 1920 return 0;
1921}
1922
1923static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
1924{
1925 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
1926 u16 scid, dcid, result, status;
1927 struct sock *sk;
1928 u8 req[128];
1929
1930 scid = __le16_to_cpu(rsp->scid);
1931 dcid = __le16_to_cpu(rsp->dcid);
1932 result = __le16_to_cpu(rsp->result);
1933 status = __le16_to_cpu(rsp->status);
1934
1935 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status);
1936
1937 if (scid) {
1938 if (!(sk = l2cap_get_chan_by_scid(&conn->chan_list, scid)))
1939 return 0;
1940 } else {
1941 if (!(sk = l2cap_get_chan_by_ident(&conn->chan_list, cmd->ident)))
1942 return 0;
1943 }
1944
1945 switch (result) {
1946 case L2CAP_CR_SUCCESS:
1947 sk->sk_state = BT_CONFIG;
1948 l2cap_pi(sk)->ident = 0;
1949 l2cap_pi(sk)->dcid = dcid;
1950 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
1951
6a8d3010
MH		 1952 l2cap_pi(sk)->conf_state &= ~L2CAP_CONF_CONNECT_PEND;
1953
1da177e4
LT		 1954 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
1955 l2cap_build_conf_req(sk, req), req);
1956 break;
1957
1958 case L2CAP_CR_PEND:
6a8d3010 1959 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
1da177e4
LT		 1960 break;
1961
1962 default:
1963 l2cap_chan_del(sk, ECONNREFUSED);
1964 break;
1965 }
1966
1967 bh_unlock_sock(sk);
1968 return 0;
1969}
1970
88219a0f 1971static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 1972{
1973 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
1974 u16 dcid, flags;
1975 u8 rsp[64];
1976 struct sock *sk;
5dee9e7c 1977 int len;
1da177e4
LT		 1978
1979 dcid = __le16_to_cpu(req->dcid);
1980 flags = __le16_to_cpu(req->flags);
1981
1982 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
1983
1984 if (!(sk = l2cap_get_chan_by_scid(&conn->chan_list, dcid)))
1985 return -ENOENT;
1986
354f60a9
MH		 1987 if (sk->sk_state == BT_DISCONN)
1988 goto unlock;
1989
5dee9e7c 1990 /* Reject if config buffer is too small. */
88219a0f 1991 len = cmd_len - sizeof(*req);
5dee9e7c
MH		 1992 if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
1993 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
1994 l2cap_build_conf_rsp(sk, rsp,
1995 L2CAP_CONF_REJECT, flags), rsp);
1996 goto unlock;
1997 }
1998
1999 /* Store config. */
2000 memcpy(l2cap_pi(sk)->conf_req + l2cap_pi(sk)->conf_len, req->data, len);
2001 l2cap_pi(sk)->conf_len += len;
1da177e4
LT		 2002
2003 if (flags & 0x0001) {
2004 /* Incomplete config. Send empty response. */
2005 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
5dee9e7c
MH		 2006 l2cap_build_conf_rsp(sk, rsp,
2007 L2CAP_CONF_SUCCESS, 0x0001), rsp);
1da177e4
LT		 2008 goto unlock;
2009 }
2010
2011 /* Complete config. */
5dee9e7c
MH		 2012 len = l2cap_parse_conf_req(sk, rsp);
2013 if (len < 0)
1da177e4
LT		 2014 goto unlock;
2015
5dee9e7c
MH		 2016 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
2017
5dee9e7c
MH		 2018 /* Reset config buffer. */
2019 l2cap_pi(sk)->conf_len = 0;
2020
876d9484
MH		 2021 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE))
2022 goto unlock;
2023
1da177e4
LT		 2024 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_INPUT_DONE) {
2025 sk->sk_state = BT_CONNECTED;
2026 l2cap_chan_ready(sk);
876d9484
MH		 2027 goto unlock;
2028 }
2029
2030 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT)) {
79d554a6 2031 u8 buf[64];
1da177e4 2032 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
79d554a6 2033 l2cap_build_conf_req(sk, buf), buf);
1da177e4
LT		 2034 }
2035
2036unlock:
2037 bh_unlock_sock(sk);
2038 return 0;
2039}
2040
2041static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2042{
2043 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
2044 u16 scid, flags, result;
2045 struct sock *sk;
2046
2047 scid = __le16_to_cpu(rsp->scid);
2048 flags = __le16_to_cpu(rsp->flags);
2049 result = __le16_to_cpu(rsp->result);
2050
2051 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x", scid, flags, result);
2052
2053 if (!(sk = l2cap_get_chan_by_scid(&conn->chan_list, scid)))
2054 return 0;
2055
2056 switch (result) {
2057 case L2CAP_CONF_SUCCESS:
2058 break;
2059
2060 case L2CAP_CONF_UNACCEPT:
2061 if (++l2cap_pi(sk)->conf_retry < L2CAP_CONF_MAX_RETRIES) {
2062 char req[128];
2063 /* It does not make sense to adjust L2CAP parameters
2064 * that are currently defined in the spec. We simply
2065 * resend config request that we sent earlier. It is
2066 * stupid, but it helps qualification testing which
2067 * expects at least some response from us. */
2068 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2069 l2cap_build_conf_req(sk, req), req);
2070 goto done;
2071 }
2072
8e87d142 2073 default:
1da177e4 2074 sk->sk_state = BT_DISCONN;
b1235d79 2075 sk->sk_err = ECONNRESET;
1da177e4
LT		 2076 l2cap_sock_set_timer(sk, HZ * 5);
2077 {
2078 struct l2cap_disconn_req req;
aca3192c
YH		 2079 req.dcid = cpu_to_le16(l2cap_pi(sk)->dcid);
2080 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
1da177e4
LT		 2081 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2082 L2CAP_DISCONN_REQ, sizeof(req), &req);
2083 }
2084 goto done;
2085 }
2086
2087 if (flags & 0x01)
2088 goto done;
2089
1da177e4
LT		 2090 l2cap_pi(sk)->conf_state |= L2CAP_CONF_INPUT_DONE;
2091
2092 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE) {
2093 sk->sk_state = BT_CONNECTED;
2094 l2cap_chan_ready(sk);
2095 }
2096
2097done:
2098 bh_unlock_sock(sk);
2099 return 0;
2100}
2101
2102static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2103{
2104 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
2105 struct l2cap_disconn_rsp rsp;
2106 u16 dcid, scid;
2107 struct sock *sk;
2108
2109 scid = __le16_to_cpu(req->scid);
2110 dcid = __le16_to_cpu(req->dcid);
2111
2112 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
2113
2114 if (!(sk = l2cap_get_chan_by_scid(&conn->chan_list, dcid)))
2115 return 0;
2116
aca3192c
YH		 2117 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
2118 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
1da177e4
LT		 2119 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
2120
2121 sk->sk_shutdown = SHUTDOWN_MASK;
2122
2123 l2cap_chan_del(sk, ECONNRESET);
2124 bh_unlock_sock(sk);
2125
2126 l2cap_sock_kill(sk);
2127 return 0;
2128}
2129
2130static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2131{
2132 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
2133 u16 dcid, scid;
2134 struct sock *sk;
2135
2136 scid = __le16_to_cpu(rsp->scid);
2137 dcid = __le16_to_cpu(rsp->dcid);
2138
2139 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
2140
2141 if (!(sk = l2cap_get_chan_by_scid(&conn->chan_list, scid)))
2142 return 0;
2143
2144 l2cap_chan_del(sk, 0);
2145 bh_unlock_sock(sk);
2146
2147 l2cap_sock_kill(sk);
2148 return 0;
2149}
2150
2151static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2152{
2153 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 2154 u16 type;
2155
2156 type = __le16_to_cpu(req->type);
2157
2158 BT_DBG("type 0x%4.4x", type);
2159
f0709e03
MH		 2160 if (type == L2CAP_IT_FEAT_MASK) {
2161 u8 buf[8];
2162 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2163 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2164 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
2165 put_unaligned(cpu_to_le32(l2cap_feat_mask), (__le32 *) rsp->data);
2166 l2cap_send_cmd(conn, cmd->ident,
2167 L2CAP_INFO_RSP, sizeof(buf), buf);
2168 } else {
2169 struct l2cap_info_rsp rsp;
2170 rsp.type = cpu_to_le16(type);
2171 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
2172 l2cap_send_cmd(conn, cmd->ident,
2173 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
2174 }
1da177e4
LT		 2175
2176 return 0;
2177}
2178
2179static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2180{
2181 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
2182 u16 type, result;
2183
2184 type = __le16_to_cpu(rsp->type);
2185 result = __le16_to_cpu(rsp->result);
2186
2187 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
2188
4e8402a3
MH		 2189 conn->info_ident = 0;
2190
2191 del_timer(&conn->info_timer);
2192
984947dc 2193 if (type == L2CAP_IT_FEAT_MASK) {
83985319 2194 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 2195
984947dc
MH		 2196 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2197
2198 l2cap_conn_start(conn);
2199 }
4e8402a3 2200
1da177e4
LT		 2201 return 0;
2202}
2203
2204static inline void l2cap_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb)
2205{
2206 u8 *data = skb->data;
2207 int len = skb->len;
2208 struct l2cap_cmd_hdr cmd;
2209 int err = 0;
2210
2211 l2cap_raw_recv(conn, skb);
2212
2213 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 2214 u16 cmd_len;
1da177e4
LT		 2215 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
2216 data += L2CAP_CMD_HDR_SIZE;
2217 len -= L2CAP_CMD_HDR_SIZE;
2218
88219a0f 2219 cmd_len = le16_to_cpu(cmd.len);
1da177e4 2220
88219a0f 2221 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 2222
88219a0f 2223 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 2224 BT_DBG("corrupted command");
2225 break;
2226 }
2227
2228 switch (cmd.code) {
2229 case L2CAP_COMMAND_REJ:
4e8402a3 2230 l2cap_command_rej(conn, &cmd, data);
1da177e4
LT		 2231 break;
2232
2233 case L2CAP_CONN_REQ:
2234 err = l2cap_connect_req(conn, &cmd, data);
2235 break;
2236
2237 case L2CAP_CONN_RSP:
2238 err = l2cap_connect_rsp(conn, &cmd, data);
2239 break;
2240
2241 case L2CAP_CONF_REQ:
88219a0f 2242 err = l2cap_config_req(conn, &cmd, cmd_len, data);
1da177e4
LT		 2243 break;
2244
2245 case L2CAP_CONF_RSP:
2246 err = l2cap_config_rsp(conn, &cmd, data);
2247 break;
2248
2249 case L2CAP_DISCONN_REQ:
2250 err = l2cap_disconnect_req(conn, &cmd, data);
2251 break;
2252
2253 case L2CAP_DISCONN_RSP:
2254 err = l2cap_disconnect_rsp(conn, &cmd, data);
2255 break;
2256
2257 case L2CAP_ECHO_REQ:
88219a0f 2258 l2cap_send_cmd(conn, cmd.ident, L2CAP_ECHO_RSP, cmd_len, data);
1da177e4
LT		 2259 break;
2260
2261 case L2CAP_ECHO_RSP:
2262 break;
2263
2264 case L2CAP_INFO_REQ:
2265 err = l2cap_information_req(conn, &cmd, data);
2266 break;
2267
2268 case L2CAP_INFO_RSP:
2269 err = l2cap_information_rsp(conn, &cmd, data);
2270 break;
2271
2272 default:
2273 BT_ERR("Unknown signaling command 0x%2.2x", cmd.code);
2274 err = -EINVAL;
2275 break;
2276 }
2277
2278 if (err) {
2279 struct l2cap_cmd_rej rej;
2280 BT_DBG("error %d", err);
2281
2282 /* FIXME: Map err to a valid reason */
aca3192c 2283 rej.reason = cpu_to_le16(0);
1da177e4
LT		 2284 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
2285 }
2286
88219a0f
AV		 2287 data += cmd_len;
2288 len -= cmd_len;
1da177e4
LT		 2289 }
2290
2291 kfree_skb(skb);
2292}
2293
2294static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
2295{
2296 struct sock *sk;
2297
2298 sk = l2cap_get_chan_by_scid(&conn->chan_list, cid);
2299 if (!sk) {
2300 BT_DBG("unknown cid 0x%4.4x", cid);
2301 goto drop;
2302 }
2303
2304 BT_DBG("sk %p, len %d", sk, skb->len);
2305
2306 if (sk->sk_state != BT_CONNECTED)
2307 goto drop;
2308
2309 if (l2cap_pi(sk)->imtu < skb->len)
2310 goto drop;
2311
2312 /* If socket recv buffers overflows we drop data here
2313 * which is *bad* because L2CAP has to be reliable.
2314 * But we don't have any other choice. L2CAP doesn't
2315 * provide flow control mechanism. */
2316
2317 if (!sock_queue_rcv_skb(sk, skb))
2318 goto done;
2319
2320drop:
2321 kfree_skb(skb);
2322
2323done:
0139418c
MH		 2324 if (sk)
2325 bh_unlock_sock(sk);
2326
1da177e4
LT		 2327 return 0;
2328}
2329
8e036fc3 2330static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
1da177e4
LT		 2331{
2332 struct sock *sk;
2333
2334 sk = l2cap_get_sock_by_psm(0, psm, conn->src);
2335 if (!sk)
2336 goto drop;
2337
2338 BT_DBG("sk %p, len %d", sk, skb->len);
2339
2340 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_CONNECTED)
2341 goto drop;
2342
2343 if (l2cap_pi(sk)->imtu < skb->len)
2344 goto drop;
2345
2346 if (!sock_queue_rcv_skb(sk, skb))
2347 goto done;
2348
2349drop:
2350 kfree_skb(skb);
2351
2352done:
2353 if (sk) bh_unlock_sock(sk);
2354 return 0;
2355}
2356
2357static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
2358{
2359 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 2360 u16 cid, len;
2361 __le16 psm;
1da177e4
LT		 2362
2363 skb_pull(skb, L2CAP_HDR_SIZE);
2364 cid = __le16_to_cpu(lh->cid);
2365 len = __le16_to_cpu(lh->len);
2366
2367 BT_DBG("len %d, cid 0x%4.4x", len, cid);
2368
2369 switch (cid) {
2370 case 0x0001:
2371 l2cap_sig_channel(conn, skb);
2372 break;
2373
2374 case 0x0002:
8e036fc3 2375 psm = get_unaligned((__le16 *) skb->data);
1da177e4
LT		 2376 skb_pull(skb, 2);
2377 l2cap_conless_channel(conn, psm, skb);
2378 break;
2379
2380 default:
2381 l2cap_data_channel(conn, cid, skb);
2382 break;
2383 }
2384}
2385
2386/* ---- L2CAP interface with lower layer (HCI) ---- */
2387
2388static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
2389{
2390 int exact = 0, lm1 = 0, lm2 = 0;
2391 register struct sock *sk;
2392 struct hlist_node *node;
2393
2394 if (type != ACL_LINK)
2395 return 0;
2396
2397 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
2398
2399 /* Find listening sockets and check their link_mode */
2400 read_lock(&l2cap_sk_list.lock);
2401 sk_for_each(sk, node, &l2cap_sk_list.head) {
2402 if (sk->sk_state != BT_LISTEN)
2403 continue;
2404
2405 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5
MH		 2406 lm1 |= HCI_LM_ACCEPT;
2407 if (l2cap_pi(sk)->role_switch)
2408 lm1 |= HCI_LM_MASTER;
1da177e4 2409 exact++;
2af6b9d5
MH		 2410 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
2411 lm2 |= HCI_LM_ACCEPT;
2412 if (l2cap_pi(sk)->role_switch)
2413 lm2 |= HCI_LM_MASTER;
2414 }
1da177e4
LT		 2415 }
2416 read_unlock(&l2cap_sk_list.lock);
2417
2418 return exact ? lm1 : lm2;
2419}
2420
2421static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
2422{
0139418c
MH		 2423 struct l2cap_conn *conn;
2424
1da177e4
LT		 2425 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
2426
2427 if (hcon->type != ACL_LINK)
2428 return 0;
2429
2430 if (!status) {
1da177e4
LT		 2431 conn = l2cap_conn_add(hcon, status);
2432 if (conn)
2433 l2cap_conn_ready(conn);
0139418c 2434 } else
1da177e4
LT		 2435 l2cap_conn_del(hcon, bt_err(status));
2436
2437 return 0;
2438}
2439
2440static int l2cap_disconn_ind(struct hci_conn *hcon, u8 reason)
2441{
2442 BT_DBG("hcon %p reason %d", hcon, reason);
2443
2444 if (hcon->type != ACL_LINK)
2445 return 0;
2446
2447 l2cap_conn_del(hcon, bt_err(reason));
0139418c 2448
1da177e4
LT		 2449 return 0;
2450}
2451
f62e4323
MH		 2452static inline void l2cap_check_encryption(struct sock *sk, u8 encrypt)
2453{
255c7601
MH		 2454 if (sk->sk_type != SOCK_SEQPACKET)
2455 return;
2456
f62e4323
MH		 2457 if (encrypt == 0x00) {
2458 if (l2cap_pi(sk)->sec_level == BT_SECURITY_MEDIUM) {
2459 l2cap_sock_clear_timer(sk);
2460 l2cap_sock_set_timer(sk, HZ * 5);
2461 } else if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
2462 __l2cap_sock_close(sk, ECONNREFUSED);
2463 } else {
2464 if (l2cap_pi(sk)->sec_level == BT_SECURITY_MEDIUM)
2465 l2cap_sock_clear_timer(sk);
2466 }
2467}
2468
8c1b2355 2469static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4
LT		 2470{
2471 struct l2cap_chan_list *l;
0139418c 2472 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4 2473 struct sock *sk;
1da177e4 2474
0139418c 2475 if (!conn)
1da177e4 2476 return 0;
0139418c 2477
1da177e4
LT		 2478 l = &conn->chan_list;
2479
2480 BT_DBG("conn %p", conn);
2481
2482 read_lock(&l->lock);
2483
2484 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
2485 bh_lock_sock(sk);
2486
6a8d3010
MH		 2487 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_CONNECT_PEND) {
2488 bh_unlock_sock(sk);
2489 continue;
2490 }
2491
f62e4323 2492 if (!status && (sk->sk_state == BT_CONNECTED ||
8c1b2355 2493 sk->sk_state == BT_CONFIG)) {
f62e4323 2494 l2cap_check_encryption(sk, encrypt);
9719f8af
MH		 2495 bh_unlock_sock(sk);
2496 continue;
2497 }
2498
b1235d79
MH		 2499 if (sk->sk_state == BT_CONNECT) {
2500 if (!status) {
2501 struct l2cap_conn_req req;
2502 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
2503 req.psm = l2cap_pi(sk)->psm;
1da177e4 2504
b1235d79 2505 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
1da177e4 2506
b1235d79
MH		 2507 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
2508 L2CAP_CONN_REQ, sizeof(req), &req);
2509 } else {
2510 l2cap_sock_clear_timer(sk);
2511 l2cap_sock_set_timer(sk, HZ / 10);
2512 }
2513 } else if (sk->sk_state == BT_CONNECT2) {
2514 struct l2cap_conn_rsp rsp;
2515 __u16 result;
1da177e4 2516
b1235d79
MH		 2517 if (!status) {
2518 sk->sk_state = BT_CONFIG;
2519 result = L2CAP_CR_SUCCESS;
2520 } else {
2521 sk->sk_state = BT_DISCONN;
2522 l2cap_sock_set_timer(sk, HZ / 10);
2523 result = L2CAP_CR_SEC_BLOCK;
2524 }
2525
2526 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
2527 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
2528 rsp.result = cpu_to_le16(result);
e7c29cb1 2529 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
b1235d79
MH		 2530 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
2531 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2532 }
1da177e4
LT		 2533
2534 bh_unlock_sock(sk);
2535 }
2536
2537 read_unlock(&l->lock);
b1235d79 2538
1da177e4
LT		 2539 return 0;
2540}
2541
2542static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
2543{
2544 struct l2cap_conn *conn = hcon->l2cap_data;
2545
2546 if (!conn && !(conn = l2cap_conn_add(hcon, 0)))
2547 goto drop;
2548
2549 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
2550
2551 if (flags & ACL_START) {
2552 struct l2cap_hdr *hdr;
2553 int len;
2554
2555 if (conn->rx_len) {
2556 BT_ERR("Unexpected start frame (len %d)", skb->len);
2557 kfree_skb(conn->rx_skb);
2558 conn->rx_skb = NULL;
2559 conn->rx_len = 0;
2560 l2cap_conn_unreliable(conn, ECOMM);
2561 }
2562
2563 if (skb->len < 2) {
2564 BT_ERR("Frame is too short (len %d)", skb->len);
2565 l2cap_conn_unreliable(conn, ECOMM);
2566 goto drop;
2567 }
2568
2569 hdr = (struct l2cap_hdr *) skb->data;
2570 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
2571
2572 if (len == skb->len) {
2573 /* Complete frame received */
2574 l2cap_recv_frame(conn, skb);
2575 return 0;
2576 }
2577
2578 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
2579
2580 if (skb->len > len) {
2581 BT_ERR("Frame is too long (len %d, expected len %d)",
2582 skb->len, len);
2583 l2cap_conn_unreliable(conn, ECOMM);
2584 goto drop;
2585 }
2586
2587 /* Allocate skb for the complete frame (with header) */
2588 if (!(conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC)))
2589 goto drop;
2590
d626f62b
ACM		 2591 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2592 skb->len);
1da177e4
LT		 2593 conn->rx_len = len - skb->len;
2594 } else {
2595 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
2596
2597 if (!conn->rx_len) {
2598 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
2599 l2cap_conn_unreliable(conn, ECOMM);
2600 goto drop;
2601 }
2602
2603 if (skb->len > conn->rx_len) {
2604 BT_ERR("Fragment is too long (len %d, expected %d)",
2605 skb->len, conn->rx_len);
2606 kfree_skb(conn->rx_skb);
2607 conn->rx_skb = NULL;
2608 conn->rx_len = 0;
2609 l2cap_conn_unreliable(conn, ECOMM);
2610 goto drop;
2611 }
2612
d626f62b
ACM		 2613 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2614 skb->len);
1da177e4
LT		 2615 conn->rx_len -= skb->len;
2616
2617 if (!conn->rx_len) {
2618 /* Complete frame received */
2619 l2cap_recv_frame(conn, conn->rx_skb);
2620 conn->rx_skb = NULL;
2621 }
2622 }
2623
2624drop:
2625 kfree_skb(skb);
2626 return 0;
2627}
2628
be9d1227 2629static ssize_t l2cap_sysfs_show(struct class *dev, char *buf)
1da177e4
LT		 2630{
2631 struct sock *sk;
2632 struct hlist_node *node;
be9d1227 2633 char *str = buf;
1da177e4
LT		 2634
2635 read_lock_bh(&l2cap_sk_list.lock);
2636
be9d1227
MH		 2637 sk_for_each(sk, node, &l2cap_sk_list.head) {
2638 struct l2cap_pinfo *pi = l2cap_pi(sk);
1da177e4 2639
2af6b9d5 2640 str += sprintf(str, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d\n",
be9d1227 2641 batostr(&bt_sk(sk)->src), batostr(&bt_sk(sk)->dst),
73863976 2642 sk->sk_state, btohs(pi->psm), pi->scid, pi->dcid,
2af6b9d5 2643 pi->imtu, pi->omtu, pi->sec_level);
be9d1227 2644 }
1da177e4 2645
1da177e4 2646 read_unlock_bh(&l2cap_sk_list.lock);
1da177e4 2647
be9d1227 2648 return (str - buf);
1da177e4
LT		 2649}
2650
be9d1227 2651static CLASS_ATTR(l2cap, S_IRUGO, l2cap_sysfs_show, NULL);
1da177e4 2652
90ddc4f0 2653static const struct proto_ops l2cap_sock_ops = {
1da177e4
LT		 2654 .family = PF_BLUETOOTH,
2655 .owner = THIS_MODULE,
2656 .release = l2cap_sock_release,
2657 .bind = l2cap_sock_bind,
2658 .connect = l2cap_sock_connect,
2659 .listen = l2cap_sock_listen,
2660 .accept = l2cap_sock_accept,
2661 .getname = l2cap_sock_getname,
2662 .sendmsg = l2cap_sock_sendmsg,
f66dc81f 2663 .recvmsg = l2cap_sock_recvmsg,
1da177e4 2664 .poll = bt_sock_poll,
3241ad82 2665 .ioctl = bt_sock_ioctl,
1da177e4
LT		 2666 .mmap = sock_no_mmap,
2667 .socketpair = sock_no_socketpair,
1da177e4
LT		 2668 .shutdown = l2cap_sock_shutdown,
2669 .setsockopt = l2cap_sock_setsockopt,
2670 .getsockopt = l2cap_sock_getsockopt
2671};
2672
2673static struct net_proto_family l2cap_sock_family_ops = {
2674 .family = PF_BLUETOOTH,
2675 .owner = THIS_MODULE,
2676 .create = l2cap_sock_create,
2677};
2678
2679static struct hci_proto l2cap_hci_proto = {
2680 .name = "L2CAP",
2681 .id = HCI_PROTO_L2CAP,
2682 .connect_ind = l2cap_connect_ind,
2683 .connect_cfm = l2cap_connect_cfm,
2684 .disconn_ind = l2cap_disconn_ind,
8c1b2355 2685 .security_cfm = l2cap_security_cfm,
1da177e4
LT		 2686 .recv_acldata = l2cap_recv_acldata
2687};
2688
2689static int __init l2cap_init(void)
2690{
2691 int err;
be9d1227 2692
1da177e4
LT		 2693 err = proto_register(&l2cap_proto, 0);
2694 if (err < 0)
2695 return err;
2696
2697 err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
2698 if (err < 0) {
2699 BT_ERR("L2CAP socket registration failed");
2700 goto error;
2701 }
2702
2703 err = hci_register_proto(&l2cap_hci_proto);
2704 if (err < 0) {
2705 BT_ERR("L2CAP protocol registration failed");
2706 bt_sock_unregister(BTPROTO_L2CAP);
2707 goto error;
2708 }
2709
df5c37ea
MH		 2710 if (class_create_file(bt_class, &class_attr_l2cap) < 0)
2711 BT_ERR("Failed to create L2CAP info file");
1da177e4
LT		 2712
2713 BT_INFO("L2CAP ver %s", VERSION);
2714 BT_INFO("L2CAP socket layer initialized");
2715
2716 return 0;
2717
2718error:
2719 proto_unregister(&l2cap_proto);
2720 return err;
2721}
2722
2723static void __exit l2cap_exit(void)
2724{
a91f2e39 2725 class_remove_file(bt_class, &class_attr_l2cap);
1da177e4
LT		 2726
2727 if (bt_sock_unregister(BTPROTO_L2CAP) < 0)
2728 BT_ERR("L2CAP socket unregistration failed");
2729
2730 if (hci_unregister_proto(&l2cap_hci_proto) < 0)
2731 BT_ERR("L2CAP protocol unregistration failed");
2732
2733 proto_unregister(&l2cap_proto);
2734}
2735
2736void l2cap_load(void)
2737{
2738 /* Dummy function to trigger automatic L2CAP module loading by
2739 * other modules that use L2CAP sockets but don't use any other
2740 * symbols from it. */
2741 return;
2742}
2743EXPORT_SYMBOL(l2cap_load);
2744
2745module_init(l2cap_init);
2746module_exit(l2cap_exit);
2747
63fbd24e 2748MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
1da177e4
LT		 2749MODULE_DESCRIPTION("Bluetooth L2CAP ver " VERSION);
2750MODULE_VERSION(VERSION);
2751MODULE_LICENSE("GPL");
2752MODULE_ALIAS("bt-proto-0");
kernel source for telekom puls (alcatel/mediatek)