projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Fix race condition with L2CAP information request
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4
5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License version 2 as
9 published by the Free Software Foundation;
10
11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19
8e87d142
YH		 20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 22 SOFTWARE IS DISCLAIMED.
23*/
24
25/* Bluetooth L2CAP core and sockets. */
26
1da177e4
LT		 27#include <linux/module.h>
28
29#include <linux/types.h>
4fc268d2 30#include <linux/capability.h>
1da177e4
LT		 31#include <linux/errno.h>
32#include <linux/kernel.h>
1da177e4
LT		 33#include <linux/sched.h>
34#include <linux/slab.h>
35#include <linux/poll.h>
36#include <linux/fcntl.h>
37#include <linux/init.h>
38#include <linux/interrupt.h>
39#include <linux/socket.h>
40#include <linux/skbuff.h>
1da177e4 41#include <linux/list.h>
be9d1227 42#include <linux/device.h>
1da177e4
LT		 43#include <net/sock.h>
44
45#include <asm/system.h>
46#include <asm/uaccess.h>
47#include <asm/unaligned.h>
48
49#include <net/bluetooth/bluetooth.h>
50#include <net/bluetooth/hci_core.h>
51#include <net/bluetooth/l2cap.h>
52
5f9018af 53#define VERSION "2.12"
f0709e03
MH		 54
55static u32 l2cap_feat_mask = 0x0000;
1da177e4 56
90ddc4f0 57static const struct proto_ops l2cap_sock_ops;
1da177e4
LT		 58
59static struct bt_sock_list l2cap_sk_list = {
d5fb2962 60 .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
1da177e4
LT		 61};
62
1da177e4
LT		 63static void __l2cap_sock_close(struct sock *sk, int reason);
64static void l2cap_sock_close(struct sock *sk);
65static void l2cap_sock_kill(struct sock *sk);
66
67static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
68 u8 code, u8 ident, u16 dlen, void *data);
69
70/* ---- L2CAP timers ---- */
71static void l2cap_sock_timeout(unsigned long arg)
72{
73 struct sock *sk = (struct sock *) arg;
b1235d79 74 int reason;
1da177e4
LT		 75
76 BT_DBG("sock %p state %d", sk, sk->sk_state);
77
78 bh_lock_sock(sk);
b1235d79 79
f62e4323
MH		 80 if (sk->sk_state == BT_CONNECTED || sk->sk_state == BT_CONFIG)
81 reason = ECONNREFUSED;
82 else if (sk->sk_state == BT_CONNECT &&
2af6b9d5 83 l2cap_pi(sk)->sec_level != BT_SECURITY_SDP)
b1235d79
MH		 84 reason = ECONNREFUSED;
85 else
86 reason = ETIMEDOUT;
87
88 __l2cap_sock_close(sk, reason);
89
1da177e4
LT		 90 bh_unlock_sock(sk);
91
92 l2cap_sock_kill(sk);
93 sock_put(sk);
94}
95
96static void l2cap_sock_set_timer(struct sock *sk, long timeout)
97{
98 BT_DBG("sk %p state %d timeout %ld", sk, sk->sk_state, timeout);
99 sk_reset_timer(sk, &sk->sk_timer, jiffies + timeout);
100}
101
102static void l2cap_sock_clear_timer(struct sock *sk)
103{
104 BT_DBG("sock %p state %d", sk, sk->sk_state);
105 sk_stop_timer(sk, &sk->sk_timer);
106}
107
0139418c
MH		 108/* ---- L2CAP channels ---- */
109static struct sock *__l2cap_get_chan_by_dcid(struct l2cap_chan_list *l, u16 cid)
110{
111 struct sock *s;
112 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
113 if (l2cap_pi(s)->dcid == cid)
114 break;
115 }
116 return s;
117}
118
119static struct sock *__l2cap_get_chan_by_scid(struct l2cap_chan_list *l, u16 cid)
120{
121 struct sock *s;
122 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
123 if (l2cap_pi(s)->scid == cid)
124 break;
125 }
126 return s;
127}
128
129/* Find channel with given SCID.
130 * Returns locked socket */
131static inline struct sock *l2cap_get_chan_by_scid(struct l2cap_chan_list *l, u16 cid)
132{
133 struct sock *s;
134 read_lock(&l->lock);
135 s = __l2cap_get_chan_by_scid(l, cid);
136 if (s) bh_lock_sock(s);
137 read_unlock(&l->lock);
138 return s;
139}
140
141static struct sock *__l2cap_get_chan_by_ident(struct l2cap_chan_list *l, u8 ident)
142{
143 struct sock *s;
144 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
145 if (l2cap_pi(s)->ident == ident)
146 break;
147 }
148 return s;
149}
150
151static inline struct sock *l2cap_get_chan_by_ident(struct l2cap_chan_list *l, u8 ident)
152{
153 struct sock *s;
154 read_lock(&l->lock);
155 s = __l2cap_get_chan_by_ident(l, ident);
156 if (s) bh_lock_sock(s);
157 read_unlock(&l->lock);
158 return s;
159}
160
161static u16 l2cap_alloc_cid(struct l2cap_chan_list *l)
162{
163 u16 cid = 0x0040;
164
165 for (; cid < 0xffff; cid++) {
166 if(!__l2cap_get_chan_by_scid(l, cid))
167 return cid;
168 }
169
170 return 0;
171}
172
173static inline void __l2cap_chan_link(struct l2cap_chan_list *l, struct sock *sk)
174{
175 sock_hold(sk);
176
177 if (l->head)
178 l2cap_pi(l->head)->prev_c = sk;
179
180 l2cap_pi(sk)->next_c = l->head;
181 l2cap_pi(sk)->prev_c = NULL;
182 l->head = sk;
183}
184
185static inline void l2cap_chan_unlink(struct l2cap_chan_list *l, struct sock *sk)
186{
187 struct sock *next = l2cap_pi(sk)->next_c, *prev = l2cap_pi(sk)->prev_c;
188
fd1278d7 189 write_lock_bh(&l->lock);
0139418c
MH		 190 if (sk == l->head)
191 l->head = next;
192
193 if (next)
194 l2cap_pi(next)->prev_c = prev;
195 if (prev)
196 l2cap_pi(prev)->next_c = next;
fd1278d7 197 write_unlock_bh(&l->lock);
0139418c
MH		 198
199 __sock_put(sk);
200}
201
202static void __l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent)
203{
204 struct l2cap_chan_list *l = &conn->chan_list;
205
206 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn, l2cap_pi(sk)->psm, l2cap_pi(sk)->dcid);
207
208 l2cap_pi(sk)->conn = conn;
209
210 if (sk->sk_type == SOCK_SEQPACKET) {
211 /* Alloc CID for connection-oriented socket */
212 l2cap_pi(sk)->scid = l2cap_alloc_cid(l);
213 } else if (sk->sk_type == SOCK_DGRAM) {
214 /* Connectionless socket */
215 l2cap_pi(sk)->scid = 0x0002;
216 l2cap_pi(sk)->dcid = 0x0002;
217 l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU;
218 } else {
219 /* Raw socket can send/recv signalling messages only */
220 l2cap_pi(sk)->scid = 0x0001;
221 l2cap_pi(sk)->dcid = 0x0001;
222 l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU;
223 }
224
225 __l2cap_chan_link(l, sk);
226
227 if (parent)
228 bt_accept_enqueue(parent, sk);
229}
230
8e87d142 231/* Delete channel.
0139418c
MH		 232 * Must be called on the locked socket. */
233static void l2cap_chan_del(struct sock *sk, int err)
234{
235 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
236 struct sock *parent = bt_sk(sk)->parent;
237
238 l2cap_sock_clear_timer(sk);
239
240 BT_DBG("sk %p, conn %p, err %d", sk, conn, err);
241
8e87d142 242 if (conn) {
0139418c
MH		 243 /* Unlink from channel list */
244 l2cap_chan_unlink(&conn->chan_list, sk);
245 l2cap_pi(sk)->conn = NULL;
246 hci_conn_put(conn->hcon);
247 }
248
b1235d79 249 sk->sk_state = BT_CLOSED;
0139418c
MH		 250 sock_set_flag(sk, SOCK_ZAPPED);
251
252 if (err)
253 sk->sk_err = err;
254
255 if (parent) {
256 bt_accept_unlink(sk);
257 parent->sk_data_ready(parent, 0);
258 } else
259 sk->sk_state_change(sk);
260}
261
79d554a6 262/* Service level security */
2af6b9d5 263static inline int l2cap_check_security(struct sock *sk)
79d554a6
MH		 264{
265 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
0684e5f9
MH		 266 __u8 auth_type;
267
268 switch (l2cap_pi(sk)->sec_level) {
269 case BT_SECURITY_HIGH:
270 auth_type = HCI_AT_GENERAL_BONDING_MITM;
271 break;
272 case BT_SECURITY_MEDIUM:
273 auth_type = HCI_AT_GENERAL_BONDING;
274 break;
275 default:
276 auth_type = HCI_AT_NO_BONDING;
277 break;
278 }
79d554a6 279
0684e5f9
MH		 280 return hci_conn_security(conn->hcon, l2cap_pi(sk)->sec_level,
281 auth_type);
79d554a6
MH		 282}
283
4e8402a3
MH		 284static inline u8 l2cap_get_ident(struct l2cap_conn *conn)
285{
286 u8 id;
287
288 /* Get next available identificator.
289 * 1 - 128 are used by kernel.
290 * 129 - 199 are reserved.
291 * 200 - 254 are used by utilities like l2ping, etc.
292 */
293
294 spin_lock_bh(&conn->lock);
295
296 if (++conn->tx_ident > 128)
297 conn->tx_ident = 1;
298
299 id = conn->tx_ident;
300
301 spin_unlock_bh(&conn->lock);
302
303 return id;
304}
305
306static inline int l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
307{
308 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
309
310 BT_DBG("code 0x%2.2x", code);
311
312 if (!skb)
313 return -ENOMEM;
314
315 return hci_send_acl(conn->hcon, skb, 0);
316}
317
79d554a6
MH		 318static void l2cap_do_start(struct sock *sk)
319{
320 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
321
322 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 323 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
324 return;
325
2af6b9d5 326 if (l2cap_check_security(sk)) {
b1235d79
MH		 327 struct l2cap_conn_req req;
328 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
329 req.psm = l2cap_pi(sk)->psm;
79d554a6 330
b1235d79 331 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
79d554a6 332
b1235d79 333 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
79d554a6 334 L2CAP_CONN_REQ, sizeof(req), &req);
b1235d79 335 }
79d554a6
MH		 336 } else {
337 struct l2cap_info_req req;
338 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
339
340 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
341 conn->info_ident = l2cap_get_ident(conn);
342
343 mod_timer(&conn->info_timer, jiffies +
344 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
345
346 l2cap_send_cmd(conn, conn->info_ident,
347 L2CAP_INFO_REQ, sizeof(req), &req);
348 }
349}
350
1da177e4 351/* ---- L2CAP connections ---- */
4e8402a3
MH		 352static void l2cap_conn_start(struct l2cap_conn *conn)
353{
354 struct l2cap_chan_list *l = &conn->chan_list;
355 struct sock *sk;
356
357 BT_DBG("conn %p", conn);
358
359 read_lock(&l->lock);
360
361 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
362 bh_lock_sock(sk);
363
364 if (sk->sk_type != SOCK_SEQPACKET) {
79d554a6
MH		 365 bh_unlock_sock(sk);
366 continue;
367 }
368
369 if (sk->sk_state == BT_CONNECT) {
2af6b9d5 370 if (l2cap_check_security(sk)) {
b1235d79
MH		 371 struct l2cap_conn_req req;
372 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
373 req.psm = l2cap_pi(sk)->psm;
79d554a6 374
b1235d79 375 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
79d554a6 376
b1235d79 377 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
4e8402a3 378 L2CAP_CONN_REQ, sizeof(req), &req);
b1235d79 379 }
79d554a6
MH		 380 } else if (sk->sk_state == BT_CONNECT2) {
381 struct l2cap_conn_rsp rsp;
382 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
383 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
384
2af6b9d5 385 if (l2cap_check_security(sk)) {
f66dc81f
MH		 386 if (bt_sk(sk)->defer_setup) {
387 struct sock *parent = bt_sk(sk)->parent;
388 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
389 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
390 parent->sk_data_ready(parent, 0);
391
392 } else {
393 sk->sk_state = BT_CONFIG;
394 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
395 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
396 }
79d554a6
MH		 397 } else {
398 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
399 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
400 }
401
402 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
403 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
4e8402a3
MH		 404 }
405
406 bh_unlock_sock(sk);
407 }
408
409 read_unlock(&l->lock);
410}
411
412static void l2cap_conn_ready(struct l2cap_conn *conn)
413{
79d554a6
MH		 414 struct l2cap_chan_list *l = &conn->chan_list;
415 struct sock *sk;
4e8402a3 416
79d554a6 417 BT_DBG("conn %p", conn);
4e8402a3 418
79d554a6 419 read_lock(&l->lock);
4e8402a3 420
79d554a6
MH		 421 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
422 bh_lock_sock(sk);
4e8402a3 423
79d554a6
MH		 424 if (sk->sk_type != SOCK_SEQPACKET) {
425 l2cap_sock_clear_timer(sk);
426 sk->sk_state = BT_CONNECTED;
427 sk->sk_state_change(sk);
428 } else if (sk->sk_state == BT_CONNECT)
429 l2cap_do_start(sk);
4e8402a3 430
79d554a6 431 bh_unlock_sock(sk);
4e8402a3 432 }
79d554a6
MH		 433
434 read_unlock(&l->lock);
4e8402a3
MH		 435}
436
437/* Notify sockets that we cannot guaranty reliability anymore */
438static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
439{
440 struct l2cap_chan_list *l = &conn->chan_list;
441 struct sock *sk;
442
443 BT_DBG("conn %p", conn);
444
445 read_lock(&l->lock);
446
447 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
2af6b9d5 448 if (l2cap_pi(sk)->force_reliable)
4e8402a3
MH		 449 sk->sk_err = err;
450 }
451
452 read_unlock(&l->lock);
453}
454
455static void l2cap_info_timeout(unsigned long arg)
456{
457 struct l2cap_conn *conn = (void *) arg;
458
459 conn->info_ident = 0;
460
984947dc
MH		 461 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
462
4e8402a3
MH		 463 l2cap_conn_start(conn);
464}
465
1da177e4
LT		 466static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
467{
0139418c 468 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4 469
0139418c 470 if (conn || status)
1da177e4
LT		 471 return conn;
472
0139418c
MH		 473 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
474 if (!conn)
1da177e4 475 return NULL;
1da177e4
LT		 476
477 hcon->l2cap_data = conn;
478 conn->hcon = hcon;
479
0139418c
MH		 480 BT_DBG("hcon %p conn %p", hcon, conn);
481
1da177e4
LT		 482 conn->mtu = hcon->hdev->acl_mtu;
483 conn->src = &hcon->hdev->bdaddr;
484 conn->dst = &hcon->dst;
485
4e8402a3
MH		 486 conn->feat_mask = 0;
487
b1235d79
MH		 488 setup_timer(&conn->info_timer, l2cap_info_timeout,
489 (unsigned long) conn);
4e8402a3 490
1da177e4
LT		 491 spin_lock_init(&conn->lock);
492 rwlock_init(&conn->chan_list.lock);
493
1da177e4
LT		 494 return conn;
495}
496
0139418c 497static void l2cap_conn_del(struct hci_conn *hcon, int err)
1da177e4 498{
0139418c 499 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4
LT		 500 struct sock *sk;
501
0139418c
MH		 502 if (!conn)
503 return;
1da177e4
LT		 504
505 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
506
507 if (conn->rx_skb)
508 kfree_skb(conn->rx_skb);
509
510 /* Kill channels */
511 while ((sk = conn->chan_list.head)) {
512 bh_lock_sock(sk);
513 l2cap_chan_del(sk, err);
514 bh_unlock_sock(sk);
515 l2cap_sock_kill(sk);
516 }
517
8e8440f5
DY		 518 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
519 del_timer_sync(&conn->info_timer);
3ab22731 520
1da177e4
LT		 521 hcon->l2cap_data = NULL;
522 kfree(conn);
1da177e4
LT		 523}
524
525static inline void l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent)
526{
527 struct l2cap_chan_list *l = &conn->chan_list;
fd1278d7 528 write_lock_bh(&l->lock);
1da177e4 529 __l2cap_chan_add(conn, sk, parent);
fd1278d7 530 write_unlock_bh(&l->lock);
1da177e4
LT		 531}
532
1da177e4 533/* ---- Socket interface ---- */
8e036fc3 534static struct sock *__l2cap_get_sock_by_addr(__le16 psm, bdaddr_t *src)
1da177e4
LT		 535{
536 struct sock *sk;
537 struct hlist_node *node;
538 sk_for_each(sk, node, &l2cap_sk_list.head)
539 if (l2cap_pi(sk)->sport == psm && !bacmp(&bt_sk(sk)->src, src))
540 goto found;
541 sk = NULL;
542found:
543 return sk;
544}
545
546/* Find socket with psm and source bdaddr.
547 * Returns closest match.
548 */
8e036fc3 549static struct sock *__l2cap_get_sock_by_psm(int state, __le16 psm, bdaddr_t *src)
1da177e4
LT		 550{
551 struct sock *sk = NULL, *sk1 = NULL;
552 struct hlist_node *node;
553
554 sk_for_each(sk, node, &l2cap_sk_list.head) {
555 if (state && sk->sk_state != state)
556 continue;
557
558 if (l2cap_pi(sk)->psm == psm) {
559 /* Exact match. */
560 if (!bacmp(&bt_sk(sk)->src, src))
561 break;
562
563 /* Closest match */
564 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
565 sk1 = sk;
566 }
567 }
568 return node ? sk : sk1;
569}
570
571/* Find socket with given address (psm, src).
572 * Returns locked socket */
8e036fc3 573static inline struct sock *l2cap_get_sock_by_psm(int state, __le16 psm, bdaddr_t *src)
1da177e4
LT		 574{
575 struct sock *s;
576 read_lock(&l2cap_sk_list.lock);
577 s = __l2cap_get_sock_by_psm(state, psm, src);
578 if (s) bh_lock_sock(s);
579 read_unlock(&l2cap_sk_list.lock);
580 return s;
581}
582
583static void l2cap_sock_destruct(struct sock *sk)
584{
585 BT_DBG("sk %p", sk);
586
587 skb_queue_purge(&sk->sk_receive_queue);
588 skb_queue_purge(&sk->sk_write_queue);
589}
590
591static void l2cap_sock_cleanup_listen(struct sock *parent)
592{
593 struct sock *sk;
594
595 BT_DBG("parent %p", parent);
596
597 /* Close not yet accepted channels */
598 while ((sk = bt_accept_dequeue(parent, NULL)))
599 l2cap_sock_close(sk);
600
b1235d79 601 parent->sk_state = BT_CLOSED;
1da177e4
LT		 602 sock_set_flag(parent, SOCK_ZAPPED);
603}
604
605/* Kill socket (only if zapped and orphan)
606 * Must be called on unlocked socket.
607 */
608static void l2cap_sock_kill(struct sock *sk)
609{
610 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
611 return;
612
613 BT_DBG("sk %p state %d", sk, sk->sk_state);
614
615 /* Kill poor orphan */
616 bt_sock_unlink(&l2cap_sk_list, sk);
617 sock_set_flag(sk, SOCK_DEAD);
618 sock_put(sk);
619}
620
621static void __l2cap_sock_close(struct sock *sk, int reason)
622{
623 BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
624
625 switch (sk->sk_state) {
626 case BT_LISTEN:
627 l2cap_sock_cleanup_listen(sk);
628 break;
629
630 case BT_CONNECTED:
631 case BT_CONFIG:
1da177e4
LT		 632 if (sk->sk_type == SOCK_SEQPACKET) {
633 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
634 struct l2cap_disconn_req req;
635
636 sk->sk_state = BT_DISCONN;
637 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
638
aca3192c
YH		 639 req.dcid = cpu_to_le16(l2cap_pi(sk)->dcid);
640 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
1da177e4
LT		 641 l2cap_send_cmd(conn, l2cap_get_ident(conn),
642 L2CAP_DISCONN_REQ, sizeof(req), &req);
b1235d79 643 } else
1da177e4 644 l2cap_chan_del(sk, reason);
1da177e4
LT		 645 break;
646
f66dc81f
MH		 647 case BT_CONNECT2:
648 if (sk->sk_type == SOCK_SEQPACKET) {
649 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
650 struct l2cap_conn_rsp rsp;
651 __u16 result;
652
653 if (bt_sk(sk)->defer_setup)
654 result = L2CAP_CR_SEC_BLOCK;
655 else
656 result = L2CAP_CR_BAD_PSM;
657
658 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
659 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
660 rsp.result = cpu_to_le16(result);
661 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
662 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
663 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
664 } else
665 l2cap_chan_del(sk, reason);
666 break;
667
1da177e4
LT		 668 case BT_CONNECT:
669 case BT_DISCONN:
670 l2cap_chan_del(sk, reason);
671 break;
672
673 default:
674 sock_set_flag(sk, SOCK_ZAPPED);
675 break;
676 }
677}
678
679/* Must be called on unlocked socket. */
680static void l2cap_sock_close(struct sock *sk)
681{
682 l2cap_sock_clear_timer(sk);
683 lock_sock(sk);
684 __l2cap_sock_close(sk, ECONNRESET);
685 release_sock(sk);
686 l2cap_sock_kill(sk);
687}
688
689static void l2cap_sock_init(struct sock *sk, struct sock *parent)
690{
691 struct l2cap_pinfo *pi = l2cap_pi(sk);
692
693 BT_DBG("sk %p", sk);
694
695 if (parent) {
696 sk->sk_type = parent->sk_type;
f66dc81f
MH		 697 bt_sk(sk)->defer_setup = bt_sk(parent)->defer_setup;
698
1da177e4
LT		 699 pi->imtu = l2cap_pi(parent)->imtu;
700 pi->omtu = l2cap_pi(parent)->omtu;
2af6b9d5
MH		 701 pi->sec_level = l2cap_pi(parent)->sec_level;
702 pi->role_switch = l2cap_pi(parent)->role_switch;
703 pi->force_reliable = l2cap_pi(parent)->force_reliable;
1da177e4
LT		 704 } else {
705 pi->imtu = L2CAP_DEFAULT_MTU;
706 pi->omtu = 0;
2af6b9d5
MH		 707 pi->sec_level = BT_SECURITY_LOW;
708 pi->role_switch = 0;
709 pi->force_reliable = 0;
1da177e4
LT		 710 }
711
712 /* Default config options */
5dee9e7c 713 pi->conf_len = 0;
1da177e4
LT		 714 pi->flush_to = L2CAP_DEFAULT_FLUSH_TO;
715}
716
717static struct proto l2cap_proto = {
718 .name = "L2CAP",
719 .owner = THIS_MODULE,
720 .obj_size = sizeof(struct l2cap_pinfo)
721};
722
1b8d7ae4 723static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio)
1da177e4
LT		 724{
725 struct sock *sk;
726
6257ff21 727 sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto);
1da177e4
LT		 728 if (!sk)
729 return NULL;
730
731 sock_init_data(sock, sk);
732 INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
733
734 sk->sk_destruct = l2cap_sock_destruct;
4e8402a3 735 sk->sk_sndtimeo = msecs_to_jiffies(L2CAP_CONN_TIMEOUT);
1da177e4
LT		 736
737 sock_reset_flag(sk, SOCK_ZAPPED);
738
739 sk->sk_protocol = proto;
b1235d79 740 sk->sk_state = BT_OPEN;
1da177e4 741
b1235d79 742 setup_timer(&sk->sk_timer, l2cap_sock_timeout, (unsigned long) sk);
1da177e4
LT		 743
744 bt_sock_link(&l2cap_sk_list, sk);
745 return sk;
746}
747
1b8d7ae4 748static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol)
1da177e4
LT		 749{
750 struct sock *sk;
751
752 BT_DBG("sock %p", sock);
753
754 sock->state = SS_UNCONNECTED;
755
756 if (sock->type != SOCK_SEQPACKET &&
757 sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
758 return -ESOCKTNOSUPPORT;
759
760 if (sock->type == SOCK_RAW && !capable(CAP_NET_RAW))
761 return -EPERM;
762
763 sock->ops = &l2cap_sock_ops;
764
1b8d7ae4 765 sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC);
1da177e4
LT		 766 if (!sk)
767 return -ENOMEM;
768
769 l2cap_sock_init(sk, NULL);
770 return 0;
771}
772
773static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int addr_len)
774{
775 struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
776 struct sock *sk = sock->sk;
777 int err = 0;
778
779 BT_DBG("sk %p, %s %d", sk, batostr(&la->l2_bdaddr), la->l2_psm);
780
781 if (!addr || addr->sa_family != AF_BLUETOOTH)
782 return -EINVAL;
783
784 lock_sock(sk);
785
786 if (sk->sk_state != BT_OPEN) {
787 err = -EBADFD;
788 goto done;
789 }
790
8e036fc3 791 if (la->l2_psm && btohs(la->l2_psm) < 0x1001 &&
847641d7
MH		 792 !capable(CAP_NET_BIND_SERVICE)) {
793 err = -EACCES;
794 goto done;
795 }
8e87d142 796
1da177e4
LT		 797 write_lock_bh(&l2cap_sk_list.lock);
798
799 if (la->l2_psm && __l2cap_get_sock_by_addr(la->l2_psm, &la->l2_bdaddr)) {
800 err = -EADDRINUSE;
801 } else {
802 /* Save source address */
803 bacpy(&bt_sk(sk)->src, &la->l2_bdaddr);
804 l2cap_pi(sk)->psm = la->l2_psm;
805 l2cap_pi(sk)->sport = la->l2_psm;
806 sk->sk_state = BT_BOUND;
2af6b9d5
MH		 807
808 if (btohs(la->l2_psm) == 0x0001)
809 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
1da177e4
LT		 810 }
811
812 write_unlock_bh(&l2cap_sk_list.lock);
813
814done:
815 release_sock(sk);
816 return err;
817}
818
819static int l2cap_do_connect(struct sock *sk)
820{
821 bdaddr_t *src = &bt_sk(sk)->src;
822 bdaddr_t *dst = &bt_sk(sk)->dst;
823 struct l2cap_conn *conn;
824 struct hci_conn *hcon;
825 struct hci_dev *hdev;
09ab6f4c 826 __u8 auth_type;
1da177e4
LT		 827 int err = 0;
828
829 BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst), l2cap_pi(sk)->psm);
830
831 if (!(hdev = hci_get_route(dst, src)))
832 return -EHOSTUNREACH;
833
834 hci_dev_lock_bh(hdev);
835
836 err = -ENOMEM;
837
8c1b2355 838 if (sk->sk_type == SOCK_RAW) {
2af6b9d5
MH		 839 switch (l2cap_pi(sk)->sec_level) {
840 case BT_SECURITY_HIGH:
8c1b2355 841 auth_type = HCI_AT_DEDICATED_BONDING_MITM;
2af6b9d5
MH		 842 break;
843 case BT_SECURITY_MEDIUM:
8c1b2355 844 auth_type = HCI_AT_DEDICATED_BONDING;
2af6b9d5
MH		 845 break;
846 default:
09ab6f4c 847 auth_type = HCI_AT_NO_BONDING;
2af6b9d5
MH		 848 break;
849 }
8c1b2355 850 } else if (l2cap_pi(sk)->psm == cpu_to_le16(0x0001)) {
2af6b9d5 851 if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
8c1b2355 852 auth_type = HCI_AT_NO_BONDING_MITM;
09ab6f4c 853 else
8c1b2355
MH		 854 auth_type = HCI_AT_NO_BONDING;
855 } else {
2af6b9d5
MH		 856 switch (l2cap_pi(sk)->sec_level) {
857 case BT_SECURITY_HIGH:
8c1b2355 858 auth_type = HCI_AT_GENERAL_BONDING_MITM;
2af6b9d5
MH		 859 break;
860 case BT_SECURITY_MEDIUM:
09ab6f4c 861 auth_type = HCI_AT_GENERAL_BONDING;
2af6b9d5
MH		 862 break;
863 default:
8c1b2355 864 auth_type = HCI_AT_NO_BONDING;
2af6b9d5
MH		 865 break;
866 }
09ab6f4c
MH		 867 }
868
2af6b9d5
MH		 869 hcon = hci_connect(hdev, ACL_LINK, dst,
870 l2cap_pi(sk)->sec_level, auth_type);
1da177e4
LT		 871 if (!hcon)
872 goto done;
873
874 conn = l2cap_conn_add(hcon, 0);
875 if (!conn) {
876 hci_conn_put(hcon);
877 goto done;
878 }
879
880 err = 0;
881
882 /* Update source addr of the socket */
883 bacpy(src, conn->src);
884
885 l2cap_chan_add(conn, sk, NULL);
886
887 sk->sk_state = BT_CONNECT;
888 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
889
890 if (hcon->state == BT_CONNECTED) {
79d554a6 891 if (sk->sk_type != SOCK_SEQPACKET) {
1da177e4
LT		 892 l2cap_sock_clear_timer(sk);
893 sk->sk_state = BT_CONNECTED;
79d554a6
MH		 894 } else
895 l2cap_do_start(sk);
1da177e4
LT		 896 }
897
898done:
899 hci_dev_unlock_bh(hdev);
900 hci_dev_put(hdev);
901 return err;
902}
903
904static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags)
905{
906 struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
907 struct sock *sk = sock->sk;
908 int err = 0;
909
910 lock_sock(sk);
911
912 BT_DBG("sk %p", sk);
913
914 if (addr->sa_family != AF_BLUETOOTH || alen < sizeof(struct sockaddr_l2)) {
915 err = -EINVAL;
916 goto done;
917 }
918
919 if (sk->sk_type == SOCK_SEQPACKET && !la->l2_psm) {
920 err = -EINVAL;
921 goto done;
922 }
923
924 switch(sk->sk_state) {
925 case BT_CONNECT:
926 case BT_CONNECT2:
927 case BT_CONFIG:
928 /* Already connecting */
929 goto wait;
930
931 case BT_CONNECTED:
932 /* Already connected */
933 goto done;
934
935 case BT_OPEN:
936 case BT_BOUND:
937 /* Can connect */
938 break;
939
940 default:
941 err = -EBADFD;
942 goto done;
943 }
944
945 /* Set destination address and psm */
946 bacpy(&bt_sk(sk)->dst, &la->l2_bdaddr);
947 l2cap_pi(sk)->psm = la->l2_psm;
948
949 if ((err = l2cap_do_connect(sk)))
950 goto done;
951
952wait:
953 err = bt_sock_wait_state(sk, BT_CONNECTED,
954 sock_sndtimeo(sk, flags & O_NONBLOCK));
955done:
956 release_sock(sk);
957 return err;
958}
959
960static int l2cap_sock_listen(struct socket *sock, int backlog)
961{
962 struct sock *sk = sock->sk;
963 int err = 0;
964
965 BT_DBG("sk %p backlog %d", sk, backlog);
966
967 lock_sock(sk);
968
969 if (sk->sk_state != BT_BOUND || sock->type != SOCK_SEQPACKET) {
970 err = -EBADFD;
971 goto done;
972 }
973
974 if (!l2cap_pi(sk)->psm) {
975 bdaddr_t *src = &bt_sk(sk)->src;
976 u16 psm;
977
978 err = -EINVAL;
979
980 write_lock_bh(&l2cap_sk_list.lock);
981
982 for (psm = 0x1001; psm < 0x1100; psm += 2)
6dc0c208 983 if (!__l2cap_get_sock_by_addr(htobs(psm), src)) {
1da177e4
LT		 984 l2cap_pi(sk)->psm = htobs(psm);
985 l2cap_pi(sk)->sport = htobs(psm);
986 err = 0;
987 break;
988 }
989
990 write_unlock_bh(&l2cap_sk_list.lock);
991
992 if (err < 0)
993 goto done;
994 }
995
996 sk->sk_max_ack_backlog = backlog;
997 sk->sk_ack_backlog = 0;
998 sk->sk_state = BT_LISTEN;
999
1000done:
1001 release_sock(sk);
1002 return err;
1003}
1004
1005static int l2cap_sock_accept(struct socket *sock, struct socket *newsock, int flags)
1006{
1007 DECLARE_WAITQUEUE(wait, current);
1008 struct sock *sk = sock->sk, *nsk;
1009 long timeo;
1010 int err = 0;
1011
fcc70d5f 1012 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
1da177e4
LT		 1013
1014 if (sk->sk_state != BT_LISTEN) {
1015 err = -EBADFD;
1016 goto done;
1017 }
1018
1019 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
1020
1021 BT_DBG("sk %p timeo %ld", sk, timeo);
1022
1023 /* Wait for an incoming connection. (wake-one). */
1024 add_wait_queue_exclusive(sk->sk_sleep, &wait);
1025 while (!(nsk = bt_accept_dequeue(sk, newsock))) {
1026 set_current_state(TASK_INTERRUPTIBLE);
1027 if (!timeo) {
1028 err = -EAGAIN;
1029 break;
1030 }
1031
1032 release_sock(sk);
1033 timeo = schedule_timeout(timeo);
fcc70d5f 1034 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
1da177e4
LT		 1035
1036 if (sk->sk_state != BT_LISTEN) {
1037 err = -EBADFD;
1038 break;
1039 }
1040
1041 if (signal_pending(current)) {
1042 err = sock_intr_errno(timeo);
1043 break;
1044 }
1045 }
1046 set_current_state(TASK_RUNNING);
1047 remove_wait_queue(sk->sk_sleep, &wait);
1048
1049 if (err)
1050 goto done;
1051
1052 newsock->state = SS_CONNECTED;
1053
1054 BT_DBG("new socket %p", nsk);
1055
1056done:
1057 release_sock(sk);
1058 return err;
1059}
1060
1061static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr, int *len, int peer)
1062{
1063 struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
1064 struct sock *sk = sock->sk;
1065
1066 BT_DBG("sock %p, sk %p", sock, sk);
1067
1068 addr->sa_family = AF_BLUETOOTH;
1069 *len = sizeof(struct sockaddr_l2);
1070
1071 if (peer)
1072 bacpy(&la->l2_bdaddr, &bt_sk(sk)->dst);
1073 else
1074 bacpy(&la->l2_bdaddr, &bt_sk(sk)->src);
1075
1076 la->l2_psm = l2cap_pi(sk)->psm;
1077 return 0;
1078}
1079
1080static inline int l2cap_do_send(struct sock *sk, struct msghdr *msg, int len)
1081{
1082 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1083 struct sk_buff *skb, **frag;
1084 int err, hlen, count, sent=0;
1085 struct l2cap_hdr *lh;
1086
1087 BT_DBG("sk %p len %d", sk, len);
1088
1089 /* First fragment (with L2CAP header) */
1090 if (sk->sk_type == SOCK_DGRAM)
1091 hlen = L2CAP_HDR_SIZE + 2;
1092 else
1093 hlen = L2CAP_HDR_SIZE;
1094
1095 count = min_t(unsigned int, (conn->mtu - hlen), len);
1096
1097 skb = bt_skb_send_alloc(sk, hlen + count,
1098 msg->msg_flags & MSG_DONTWAIT, &err);
1099 if (!skb)
1100 return err;
1101
1102 /* Create L2CAP header */
1103 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c
YH		 1104 lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1105 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1da177e4
LT		 1106
1107 if (sk->sk_type == SOCK_DGRAM)
8e036fc3 1108 put_unaligned(l2cap_pi(sk)->psm, (__le16 *) skb_put(skb, 2));
1da177e4
LT		 1109
1110 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count)) {
1111 err = -EFAULT;
1112 goto fail;
1113 }
1114
1115 sent += count;
1116 len -= count;
1117
1118 /* Continuation fragments (no L2CAP header) */
1119 frag = &skb_shinfo(skb)->frag_list;
1120 while (len) {
1121 count = min_t(unsigned int, conn->mtu, len);
1122
1123 *frag = bt_skb_send_alloc(sk, count, msg->msg_flags & MSG_DONTWAIT, &err);
1124 if (!*frag)
1125 goto fail;
8e87d142 1126
1da177e4
LT		 1127 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count)) {
1128 err = -EFAULT;
1129 goto fail;
1130 }
1131
1132 sent += count;
1133 len -= count;
1134
1135 frag = &(*frag)->next;
1136 }
1137
1138 if ((err = hci_send_acl(conn->hcon, skb, 0)) < 0)
1139 goto fail;
1140
1141 return sent;
1142
1143fail:
1144 kfree_skb(skb);
1145 return err;
1146}
1147
1148static int l2cap_sock_sendmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len)
1149{
1150 struct sock *sk = sock->sk;
1151 int err = 0;
1152
1153 BT_DBG("sock %p, sk %p", sock, sk);
1154
c1cbe4b7
BL		 1155 err = sock_error(sk);
1156 if (err)
1157 return err;
1da177e4
LT		 1158
1159 if (msg->msg_flags & MSG_OOB)
1160 return -EOPNOTSUPP;
1161
1162 /* Check outgoing MTU */
1163 if (sk->sk_type != SOCK_RAW && len > l2cap_pi(sk)->omtu)
1164 return -EINVAL;
1165
1166 lock_sock(sk);
1167
1168 if (sk->sk_state == BT_CONNECTED)
1169 err = l2cap_do_send(sk, msg, len);
1170 else
1171 err = -ENOTCONN;
1172
1173 release_sock(sk);
1174 return err;
1175}
1176
f66dc81f
MH		 1177static int l2cap_sock_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len, int flags)
1178{
1179 struct sock *sk = sock->sk;
1180
1181 lock_sock(sk);
1182
1183 if (sk->sk_state == BT_CONNECT2 && bt_sk(sk)->defer_setup) {
1184 struct l2cap_conn_rsp rsp;
1185
1186 sk->sk_state = BT_CONFIG;
1187
1188 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
1189 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
1190 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1191 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1192 l2cap_send_cmd(l2cap_pi(sk)->conn, l2cap_pi(sk)->ident,
1193 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
1194
1195 release_sock(sk);
1196 return 0;
1197 }
1198
1199 release_sock(sk);
1200
1201 return bt_sock_recvmsg(iocb, sock, msg, len, flags);
1202}
1203
d58daf42 1204static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __user *optval, int optlen)
1da177e4
LT		 1205{
1206 struct sock *sk = sock->sk;
1207 struct l2cap_options opts;
1208 int err = 0, len;
1209 u32 opt;
1210
1211 BT_DBG("sk %p", sk);
1212
1213 lock_sock(sk);
1214
1215 switch (optname) {
1216 case L2CAP_OPTIONS:
0878b666
MH		 1217 opts.imtu = l2cap_pi(sk)->imtu;
1218 opts.omtu = l2cap_pi(sk)->omtu;
1219 opts.flush_to = l2cap_pi(sk)->flush_to;
6464f35f 1220 opts.mode = L2CAP_MODE_BASIC;
0878b666 1221
1da177e4
LT		 1222 len = min_t(unsigned int, sizeof(opts), optlen);
1223 if (copy_from_user((char *) &opts, optval, len)) {
1224 err = -EFAULT;
1225 break;
1226 }
0878b666 1227
1da177e4
LT		 1228 l2cap_pi(sk)->imtu = opts.imtu;
1229 l2cap_pi(sk)->omtu = opts.omtu;
1230 break;
1231
1232 case L2CAP_LM:
1233 if (get_user(opt, (u32 __user *) optval)) {
1234 err = -EFAULT;
1235 break;
1236 }
1237
2af6b9d5
MH		 1238 if (opt & L2CAP_LM_AUTH)
1239 l2cap_pi(sk)->sec_level = BT_SECURITY_LOW;
1240 if (opt & L2CAP_LM_ENCRYPT)
1241 l2cap_pi(sk)->sec_level = BT_SECURITY_MEDIUM;
1242 if (opt & L2CAP_LM_SECURE)
1243 l2cap_pi(sk)->sec_level = BT_SECURITY_HIGH;
1244
1245 l2cap_pi(sk)->role_switch = (opt & L2CAP_LM_MASTER);
1246 l2cap_pi(sk)->force_reliable = (opt & L2CAP_LM_RELIABLE);
1da177e4
LT		 1247 break;
1248
1249 default:
1250 err = -ENOPROTOOPT;
1251 break;
1252 }
1253
1254 release_sock(sk);
1255 return err;
1256}
1257
d58daf42
MH		 1258static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, char __user *optval, int optlen)
1259{
1260 struct sock *sk = sock->sk;
2af6b9d5
MH		 1261 struct bt_security sec;
1262 int len, err = 0;
f66dc81f 1263 u32 opt;
d58daf42
MH		 1264
1265 BT_DBG("sk %p", sk);
1266
1267 if (level == SOL_L2CAP)
1268 return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
1269
0588d94f
MH		 1270 if (level != SOL_BLUETOOTH)
1271 return -ENOPROTOOPT;
1272
d58daf42
MH		 1273 lock_sock(sk);
1274
1275 switch (optname) {
2af6b9d5 1276 case BT_SECURITY:
0588d94f
MH		 1277 if (sk->sk_type != SOCK_SEQPACKET) {
1278 err = -EINVAL;
1279 break;
1280 }
1281
2af6b9d5
MH		 1282 sec.level = BT_SECURITY_LOW;
1283
1284 len = min_t(unsigned int, sizeof(sec), optlen);
1285 if (copy_from_user((char *) &sec, optval, len)) {
1286 err = -EFAULT;
1287 break;
1288 }
1289
1290 if (sec.level < BT_SECURITY_LOW ||
1291 sec.level > BT_SECURITY_HIGH) {
1292 err = -EINVAL;
1293 break;
1294 }
1295
1296 l2cap_pi(sk)->sec_level = sec.level;
1297 break;
1298
f66dc81f
MH		 1299 case BT_DEFER_SETUP:
1300 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
1301 err = -EINVAL;
1302 break;
1303 }
1304
1305 if (get_user(opt, (u32 __user *) optval)) {
1306 err = -EFAULT;
1307 break;
1308 }
1309
1310 bt_sk(sk)->defer_setup = opt;
1311 break;
1312
d58daf42
MH		 1313 default:
1314 err = -ENOPROTOOPT;
1315 break;
1316 }
1317
1318 release_sock(sk);
1319 return err;
1320}
1321
1322static int l2cap_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen)
1da177e4
LT		 1323{
1324 struct sock *sk = sock->sk;
1325 struct l2cap_options opts;
1326 struct l2cap_conninfo cinfo;
1327 int len, err = 0;
2af6b9d5 1328 u32 opt;
1da177e4
LT		 1329
1330 BT_DBG("sk %p", sk);
1331
1332 if (get_user(len, optlen))
1333 return -EFAULT;
1334
1335 lock_sock(sk);
1336
1337 switch (optname) {
1338 case L2CAP_OPTIONS:
1339 opts.imtu = l2cap_pi(sk)->imtu;
1340 opts.omtu = l2cap_pi(sk)->omtu;
1341 opts.flush_to = l2cap_pi(sk)->flush_to;
6464f35f 1342 opts.mode = L2CAP_MODE_BASIC;
1da177e4
LT		 1343
1344 len = min_t(unsigned int, len, sizeof(opts));
1345 if (copy_to_user(optval, (char *) &opts, len))
1346 err = -EFAULT;
1347
1348 break;
1349
1350 case L2CAP_LM:
2af6b9d5
MH		 1351 switch (l2cap_pi(sk)->sec_level) {
1352 case BT_SECURITY_LOW:
1353 opt = L2CAP_LM_AUTH;
1354 break;
1355 case BT_SECURITY_MEDIUM:
1356 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
1357 break;
1358 case BT_SECURITY_HIGH:
1359 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
1360 L2CAP_LM_SECURE;
1361 break;
1362 default:
1363 opt = 0;
1364 break;
1365 }
1366
1367 if (l2cap_pi(sk)->role_switch)
1368 opt |= L2CAP_LM_MASTER;
1369
1370 if (l2cap_pi(sk)->force_reliable)
1371 opt |= L2CAP_LM_RELIABLE;
1372
1373 if (put_user(opt, (u32 __user *) optval))
1da177e4
LT		 1374 err = -EFAULT;
1375 break;
1376
1377 case L2CAP_CONNINFO:
f66dc81f
MH		 1378 if (sk->sk_state != BT_CONNECTED &&
1379 !(sk->sk_state == BT_CONNECT2 &&
1380 bt_sk(sk)->defer_setup)) {
1da177e4
LT		 1381 err = -ENOTCONN;
1382 break;
1383 }
1384
1385 cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle;
1386 memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3);
1387
1388 len = min_t(unsigned int, len, sizeof(cinfo));
1389 if (copy_to_user(optval, (char *) &cinfo, len))
1390 err = -EFAULT;
1391
1392 break;
1393
1394 default:
1395 err = -ENOPROTOOPT;
1396 break;
1397 }
1398
1399 release_sock(sk);
1400 return err;
1401}
1402
d58daf42
MH		 1403static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen)
1404{
1405 struct sock *sk = sock->sk;
2af6b9d5 1406 struct bt_security sec;
d58daf42
MH		 1407 int len, err = 0;
1408
1409 BT_DBG("sk %p", sk);
1410
1411 if (level == SOL_L2CAP)
1412 return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
1413
0588d94f
MH		 1414 if (level != SOL_BLUETOOTH)
1415 return -ENOPROTOOPT;
1416
d58daf42
MH		 1417 if (get_user(len, optlen))
1418 return -EFAULT;
1419
1420 lock_sock(sk);
1421
1422 switch (optname) {
2af6b9d5 1423 case BT_SECURITY:
0588d94f
MH		 1424 if (sk->sk_type != SOCK_SEQPACKET) {
1425 err = -EINVAL;
1426 break;
1427 }
1428
2af6b9d5
MH		 1429 sec.level = l2cap_pi(sk)->sec_level;
1430
1431 len = min_t(unsigned int, len, sizeof(sec));
1432 if (copy_to_user(optval, (char *) &sec, len))
1433 err = -EFAULT;
1434
1435 break;
1436
f66dc81f
MH		 1437 case BT_DEFER_SETUP:
1438 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
1439 err = -EINVAL;
1440 break;
1441 }
1442
1443 if (put_user(bt_sk(sk)->defer_setup, (u32 __user *) optval))
1444 err = -EFAULT;
1445
1446 break;
1447
d58daf42
MH		 1448 default:
1449 err = -ENOPROTOOPT;
1450 break;
1451 }
1452
1453 release_sock(sk);
1454 return err;
1455}
1456
1da177e4
LT		 1457static int l2cap_sock_shutdown(struct socket *sock, int how)
1458{
1459 struct sock *sk = sock->sk;
1460 int err = 0;
1461
1462 BT_DBG("sock %p, sk %p", sock, sk);
1463
1464 if (!sk)
1465 return 0;
1466
1467 lock_sock(sk);
1468 if (!sk->sk_shutdown) {
1469 sk->sk_shutdown = SHUTDOWN_MASK;
1470 l2cap_sock_clear_timer(sk);
1471 __l2cap_sock_close(sk, 0);
1472
1473 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime)
b1235d79
MH		 1474 err = bt_sock_wait_state(sk, BT_CLOSED,
1475 sk->sk_lingertime);
1da177e4
LT		 1476 }
1477 release_sock(sk);
1478 return err;
1479}
1480
1481static int l2cap_sock_release(struct socket *sock)
1482{
1483 struct sock *sk = sock->sk;
1484 int err;
1485
1486 BT_DBG("sock %p, sk %p", sock, sk);
1487
1488 if (!sk)
1489 return 0;
1490
1491 err = l2cap_sock_shutdown(sock, 2);
1492
1493 sock_orphan(sk);
1494 l2cap_sock_kill(sk);
1495 return err;
1496}
1497
1da177e4
LT		 1498static void l2cap_chan_ready(struct sock *sk)
1499{
1500 struct sock *parent = bt_sk(sk)->parent;
1501
1502 BT_DBG("sk %p, parent %p", sk, parent);
1503
1504 l2cap_pi(sk)->conf_state = 0;
1505 l2cap_sock_clear_timer(sk);
1506
1507 if (!parent) {
1508 /* Outgoing channel.
1509 * Wake up socket sleeping on connect.
1510 */
1511 sk->sk_state = BT_CONNECTED;
1512 sk->sk_state_change(sk);
1513 } else {
1514 /* Incoming channel.
1515 * Wake up socket sleeping on accept.
1516 */
1517 parent->sk_data_ready(parent, 0);
1518 }
1519}
1520
1521/* Copy frame to all raw sockets on that connection */
1522static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
1523{
1524 struct l2cap_chan_list *l = &conn->chan_list;
1525 struct sk_buff *nskb;
1526 struct sock * sk;
1527
1528 BT_DBG("conn %p", conn);
1529
1530 read_lock(&l->lock);
1531 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
1532 if (sk->sk_type != SOCK_RAW)
1533 continue;
1534
1535 /* Don't send frame to the socket it came from */
1536 if (skb->sk == sk)
1537 continue;
1538
1539 if (!(nskb = skb_clone(skb, GFP_ATOMIC)))
1540 continue;
1541
1542 if (sock_queue_rcv_skb(sk, nskb))
1543 kfree_skb(nskb);
1544 }
1545 read_unlock(&l->lock);
1546}
1547
1548/* ---- L2CAP signalling commands ---- */
1549static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
1550 u8 code, u8 ident, u16 dlen, void *data)
1551{
1552 struct sk_buff *skb, **frag;
1553 struct l2cap_cmd_hdr *cmd;
1554 struct l2cap_hdr *lh;
1555 int len, count;
1556
1557 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d", conn, code, ident, dlen);
1558
1559 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
1560 count = min_t(unsigned int, conn->mtu, len);
1561
1562 skb = bt_skb_alloc(count, GFP_ATOMIC);
1563 if (!skb)
1564 return NULL;
1565
1566 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c
YH		 1567 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
1568 lh->cid = cpu_to_le16(0x0001);
1da177e4
LT		 1569
1570 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
1571 cmd->code = code;
1572 cmd->ident = ident;
aca3192c 1573 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 1574
1575 if (dlen) {
1576 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
1577 memcpy(skb_put(skb, count), data, count);
1578 data += count;
1579 }
1580
1581 len -= skb->len;
1582
1583 /* Continuation fragments (no L2CAP header) */
1584 frag = &skb_shinfo(skb)->frag_list;
1585 while (len) {
1586 count = min_t(unsigned int, conn->mtu, len);
1587
1588 *frag = bt_skb_alloc(count, GFP_ATOMIC);
1589 if (!*frag)
1590 goto fail;
1591
1592 memcpy(skb_put(*frag, count), data, count);
1593
1594 len -= count;
1595 data += count;
1596
1597 frag = &(*frag)->next;
1598 }
1599
1600 return skb;
1601
1602fail:
1603 kfree_skb(skb);
1604 return NULL;
1605}
1606
1607static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
1608{
1609 struct l2cap_conf_opt *opt = *ptr;
1610 int len;
1611
1612 len = L2CAP_CONF_OPT_SIZE + opt->len;
1613 *ptr += len;
1614
1615 *type = opt->type;
1616 *olen = opt->len;
1617
1618 switch (opt->len) {
1619 case 1:
1620 *val = *((u8 *) opt->val);
1621 break;
1622
1623 case 2:
861d6882 1624 *val = __le16_to_cpu(*((__le16 *) opt->val));
1da177e4
LT		 1625 break;
1626
1627 case 4:
861d6882 1628 *val = __le32_to_cpu(*((__le32 *) opt->val));
1da177e4
LT		 1629 break;
1630
1631 default:
1632 *val = (unsigned long) opt->val;
1633 break;
1634 }
1635
1636 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
1637 return len;
1638}
1639
1da177e4
LT		 1640static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
1641{
1642 struct l2cap_conf_opt *opt = *ptr;
1643
1644 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
1645
1646 opt->type = type;
1647 opt->len = len;
1648
1649 switch (len) {
1650 case 1:
1651 *((u8 *) opt->val) = val;
1652 break;
1653
1654 case 2:
8e036fc3 1655 *((__le16 *) opt->val) = cpu_to_le16(val);
1da177e4
LT		 1656 break;
1657
1658 case 4:
8e036fc3 1659 *((__le32 *) opt->val) = cpu_to_le32(val);
1da177e4
LT		 1660 break;
1661
1662 default:
1663 memcpy(opt->val, (void *) val, len);
1664 break;
1665 }
1666
1667 *ptr += L2CAP_CONF_OPT_SIZE + len;
1668}
1669
1670static int l2cap_build_conf_req(struct sock *sk, void *data)
1671{
1672 struct l2cap_pinfo *pi = l2cap_pi(sk);
1673 struct l2cap_conf_req *req = data;
1674 void *ptr = req->data;
1675
1676 BT_DBG("sk %p", sk);
1677
1678 if (pi->imtu != L2CAP_DEFAULT_MTU)
1679 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->imtu);
1680
1681 /* FIXME: Need actual value of the flush timeout */
1682 //if (flush_to != L2CAP_DEFAULT_FLUSH_TO)
1683 // l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, 2, pi->flush_to);
1684
aca3192c
YH		 1685 req->dcid = cpu_to_le16(pi->dcid);
1686 req->flags = cpu_to_le16(0);
1da177e4
LT		 1687
1688 return ptr - data;
1689}
1690
5dee9e7c 1691static int l2cap_parse_conf_req(struct sock *sk, void *data)
1da177e4
LT		 1692{
1693 struct l2cap_pinfo *pi = l2cap_pi(sk);
5dee9e7c
MH		 1694 struct l2cap_conf_rsp *rsp = data;
1695 void *ptr = rsp->data;
1696 void *req = pi->conf_req;
1697 int len = pi->conf_len;
1698 int type, hint, olen;
1699 unsigned long val;
6464f35f 1700 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
861d6882 1701 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 1702 u16 result = L2CAP_CONF_SUCCESS;
1da177e4 1703
5dee9e7c 1704 BT_DBG("sk %p", sk);
820ae1b8 1705
5dee9e7c
MH		 1706 while (len >= L2CAP_CONF_OPT_SIZE) {
1707 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 1708
5dee9e7c
MH		 1709 hint = type & 0x80;
1710 type &= 0x7f;
1711
1712 switch (type) {
1713 case L2CAP_CONF_MTU:
861d6882 1714 mtu = val;
5dee9e7c
MH		 1715 break;
1716
1717 case L2CAP_CONF_FLUSH_TO:
1718 pi->flush_to = val;
1719 break;
1720
1721 case L2CAP_CONF_QOS:
1722 break;
1723
6464f35f
MH		 1724 case L2CAP_CONF_RFC:
1725 if (olen == sizeof(rfc))
1726 memcpy(&rfc, (void *) val, olen);
1727 break;
1728
5dee9e7c
MH		 1729 default:
1730 if (hint)
1731 break;
1732
1733 result = L2CAP_CONF_UNKNOWN;
1734 *((u8 *) ptr++) = type;
1735 break;
1736 }
1737 }
1738
1739 if (result == L2CAP_CONF_SUCCESS) {
1740 /* Configure output options and let the other side know
1741 * which ones we don't like. */
1742
6464f35f
MH		 1743 if (rfc.mode == L2CAP_MODE_BASIC) {
1744 if (mtu < pi->omtu)
1745 result = L2CAP_CONF_UNACCEPT;
1746 else {
1747 pi->omtu = mtu;
1748 pi->conf_state |= L2CAP_CONF_OUTPUT_DONE;
1749 }
1750
1751 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->omtu);
1752 } else {
5dee9e7c 1753 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 1754
6464f35f
MH		 1755 memset(&rfc, 0, sizeof(rfc));
1756 rfc.mode = L2CAP_MODE_BASIC;
1757
1758 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
1759 sizeof(rfc), (unsigned long) &rfc);
1760 }
5dee9e7c
MH		 1761 }
1762
1763 rsp->scid = cpu_to_le16(pi->dcid);
1764 rsp->result = cpu_to_le16(result);
1765 rsp->flags = cpu_to_le16(0x0000);
1766
1767 return ptr - data;
1da177e4
LT		 1768}
1769
5dee9e7c 1770static int l2cap_build_conf_rsp(struct sock *sk, void *data, u16 result, u16 flags)
1da177e4
LT		 1771{
1772 struct l2cap_conf_rsp *rsp = data;
1773 void *ptr = rsp->data;
1da177e4 1774
5dee9e7c 1775 BT_DBG("sk %p", sk);
1da177e4 1776
aca3192c 1777 rsp->scid = cpu_to_le16(l2cap_pi(sk)->dcid);
5dee9e7c 1778 rsp->result = cpu_to_le16(result);
aca3192c 1779 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 1780
1781 return ptr - data;
1782}
1783
4e8402a3
MH		 1784static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
1785{
1786 struct l2cap_cmd_rej *rej = (struct l2cap_cmd_rej *) data;
1787
1788 if (rej->reason != 0x0000)
1789 return 0;
1790
1791 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
1792 cmd->ident == conn->info_ident) {
1793 conn->info_ident = 0;
1794 del_timer(&conn->info_timer);
984947dc
MH		 1795
1796 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
1797
4e8402a3
MH		 1798 l2cap_conn_start(conn);
1799 }
1800
1801 return 0;
1802}
1803
1da177e4
LT		 1804static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
1805{
1806 struct l2cap_chan_list *list = &conn->chan_list;
1807 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
1808 struct l2cap_conn_rsp rsp;
1809 struct sock *sk, *parent;
e7c29cb1 1810 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 1811
1812 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 1813 __le16 psm = req->psm;
1da177e4
LT		 1814
1815 BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
1816
1817 /* Check if we have socket listening on psm */
1818 parent = l2cap_get_sock_by_psm(BT_LISTEN, psm, conn->src);
1819 if (!parent) {
1820 result = L2CAP_CR_BAD_PSM;
1821 goto sendresp;
1822 }
1823
e7c29cb1
MH		 1824 /* Check if the ACL is secure enough (if not SDP) */
1825 if (psm != cpu_to_le16(0x0001) &&
1826 !hci_conn_check_link_mode(conn->hcon)) {
1827 result = L2CAP_CR_SEC_BLOCK;
1828 goto response;
1829 }
1830
1da177e4
LT		 1831 result = L2CAP_CR_NO_MEM;
1832
1833 /* Check for backlog size */
1834 if (sk_acceptq_is_full(parent)) {
8e87d142 1835 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1da177e4
LT		 1836 goto response;
1837 }
1838
3b1e0a65 1839 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP, GFP_ATOMIC);
1da177e4
LT		 1840 if (!sk)
1841 goto response;
1842
fd1278d7 1843 write_lock_bh(&list->lock);
1da177e4
LT		 1844
1845 /* Check if we already have channel with that dcid */
1846 if (__l2cap_get_chan_by_dcid(list, scid)) {
fd1278d7 1847 write_unlock_bh(&list->lock);
1da177e4
LT		 1848 sock_set_flag(sk, SOCK_ZAPPED);
1849 l2cap_sock_kill(sk);
1850 goto response;
1851 }
1852
1853 hci_conn_hold(conn->hcon);
1854
1855 l2cap_sock_init(sk, parent);
1856 bacpy(&bt_sk(sk)->src, conn->src);
1857 bacpy(&bt_sk(sk)->dst, conn->dst);
1858 l2cap_pi(sk)->psm = psm;
1859 l2cap_pi(sk)->dcid = scid;
1860
1861 __l2cap_chan_add(conn, sk, parent);
1862 dcid = l2cap_pi(sk)->scid;
1863
1864 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
1865
1da177e4
LT		 1866 l2cap_pi(sk)->ident = cmd->ident;
1867
984947dc 1868 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
2af6b9d5 1869 if (l2cap_check_security(sk)) {
f66dc81f
MH		 1870 if (bt_sk(sk)->defer_setup) {
1871 sk->sk_state = BT_CONNECT2;
1872 result = L2CAP_CR_PEND;
1873 status = L2CAP_CS_AUTHOR_PEND;
1874 parent->sk_data_ready(parent, 0);
1875 } else {
1876 sk->sk_state = BT_CONFIG;
1877 result = L2CAP_CR_SUCCESS;
1878 status = L2CAP_CS_NO_INFO;
1879 }
79d554a6
MH		 1880 } else {
1881 sk->sk_state = BT_CONNECT2;
1882 result = L2CAP_CR_PEND;
1883 status = L2CAP_CS_AUTHEN_PEND;
1884 }
1885 } else {
1886 sk->sk_state = BT_CONNECT2;
1887 result = L2CAP_CR_PEND;
1888 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 1889 }
1890
fd1278d7 1891 write_unlock_bh(&list->lock);
1da177e4
LT		 1892
1893response:
1894 bh_unlock_sock(parent);
1895
1896sendresp:
aca3192c
YH		 1897 rsp.scid = cpu_to_le16(scid);
1898 rsp.dcid = cpu_to_le16(dcid);
1899 rsp.result = cpu_to_le16(result);
1900 rsp.status = cpu_to_le16(status);
1da177e4 1901 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 1902
1903 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
1904 struct l2cap_info_req info;
1905 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
1906
1907 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1908 conn->info_ident = l2cap_get_ident(conn);
1909
1910 mod_timer(&conn->info_timer, jiffies +
1911 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
1912
1913 l2cap_send_cmd(conn, conn->info_ident,
1914 L2CAP_INFO_REQ, sizeof(info), &info);
1915 }
1916
1da177e4
LT		 1917 return 0;
1918}
1919
1920static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
1921{
1922 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
1923 u16 scid, dcid, result, status;
1924 struct sock *sk;
1925 u8 req[128];
1926
1927 scid = __le16_to_cpu(rsp->scid);
1928 dcid = __le16_to_cpu(rsp->dcid);
1929 result = __le16_to_cpu(rsp->result);
1930 status = __le16_to_cpu(rsp->status);
1931
1932 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status);
1933
1934 if (scid) {
1935 if (!(sk = l2cap_get_chan_by_scid(&conn->chan_list, scid)))
1936 return 0;
1937 } else {
1938 if (!(sk = l2cap_get_chan_by_ident(&conn->chan_list, cmd->ident)))
1939 return 0;
1940 }
1941
1942 switch (result) {
1943 case L2CAP_CR_SUCCESS:
1944 sk->sk_state = BT_CONFIG;
1945 l2cap_pi(sk)->ident = 0;
1946 l2cap_pi(sk)->dcid = dcid;
1947 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
1948
1949 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
1950 l2cap_build_conf_req(sk, req), req);
1951 break;
1952
1953 case L2CAP_CR_PEND:
1954 break;
1955
1956 default:
1957 l2cap_chan_del(sk, ECONNREFUSED);
1958 break;
1959 }
1960
1961 bh_unlock_sock(sk);
1962 return 0;
1963}
1964
88219a0f 1965static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 1966{
1967 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
1968 u16 dcid, flags;
1969 u8 rsp[64];
1970 struct sock *sk;
5dee9e7c 1971 int len;
1da177e4
LT		 1972
1973 dcid = __le16_to_cpu(req->dcid);
1974 flags = __le16_to_cpu(req->flags);
1975
1976 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
1977
1978 if (!(sk = l2cap_get_chan_by_scid(&conn->chan_list, dcid)))
1979 return -ENOENT;
1980
354f60a9
MH		 1981 if (sk->sk_state == BT_DISCONN)
1982 goto unlock;
1983
5dee9e7c 1984 /* Reject if config buffer is too small. */
88219a0f 1985 len = cmd_len - sizeof(*req);
5dee9e7c
MH		 1986 if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
1987 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
1988 l2cap_build_conf_rsp(sk, rsp,
1989 L2CAP_CONF_REJECT, flags), rsp);
1990 goto unlock;
1991 }
1992
1993 /* Store config. */
1994 memcpy(l2cap_pi(sk)->conf_req + l2cap_pi(sk)->conf_len, req->data, len);
1995 l2cap_pi(sk)->conf_len += len;
1da177e4
LT		 1996
1997 if (flags & 0x0001) {
1998 /* Incomplete config. Send empty response. */
1999 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
5dee9e7c
MH		 2000 l2cap_build_conf_rsp(sk, rsp,
2001 L2CAP_CONF_SUCCESS, 0x0001), rsp);
1da177e4
LT		 2002 goto unlock;
2003 }
2004
2005 /* Complete config. */
5dee9e7c
MH		 2006 len = l2cap_parse_conf_req(sk, rsp);
2007 if (len < 0)
1da177e4
LT		 2008 goto unlock;
2009
5dee9e7c
MH		 2010 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
2011
5dee9e7c
MH		 2012 /* Reset config buffer. */
2013 l2cap_pi(sk)->conf_len = 0;
2014
876d9484
MH		 2015 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE))
2016 goto unlock;
2017
1da177e4
LT		 2018 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_INPUT_DONE) {
2019 sk->sk_state = BT_CONNECTED;
2020 l2cap_chan_ready(sk);
876d9484
MH		 2021 goto unlock;
2022 }
2023
2024 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT)) {
79d554a6 2025 u8 buf[64];
1da177e4 2026 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
79d554a6 2027 l2cap_build_conf_req(sk, buf), buf);
1da177e4
LT		 2028 }
2029
2030unlock:
2031 bh_unlock_sock(sk);
2032 return 0;
2033}
2034
2035static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2036{
2037 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
2038 u16 scid, flags, result;
2039 struct sock *sk;
2040
2041 scid = __le16_to_cpu(rsp->scid);
2042 flags = __le16_to_cpu(rsp->flags);
2043 result = __le16_to_cpu(rsp->result);
2044
2045 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x", scid, flags, result);
2046
2047 if (!(sk = l2cap_get_chan_by_scid(&conn->chan_list, scid)))
2048 return 0;
2049
2050 switch (result) {
2051 case L2CAP_CONF_SUCCESS:
2052 break;
2053
2054 case L2CAP_CONF_UNACCEPT:
2055 if (++l2cap_pi(sk)->conf_retry < L2CAP_CONF_MAX_RETRIES) {
2056 char req[128];
2057 /* It does not make sense to adjust L2CAP parameters
2058 * that are currently defined in the spec. We simply
2059 * resend config request that we sent earlier. It is
2060 * stupid, but it helps qualification testing which
2061 * expects at least some response from us. */
2062 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2063 l2cap_build_conf_req(sk, req), req);
2064 goto done;
2065 }
2066
8e87d142 2067 default:
1da177e4 2068 sk->sk_state = BT_DISCONN;
b1235d79 2069 sk->sk_err = ECONNRESET;
1da177e4
LT		 2070 l2cap_sock_set_timer(sk, HZ * 5);
2071 {
2072 struct l2cap_disconn_req req;
aca3192c
YH		 2073 req.dcid = cpu_to_le16(l2cap_pi(sk)->dcid);
2074 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
1da177e4
LT		 2075 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2076 L2CAP_DISCONN_REQ, sizeof(req), &req);
2077 }
2078 goto done;
2079 }
2080
2081 if (flags & 0x01)
2082 goto done;
2083
1da177e4
LT		 2084 l2cap_pi(sk)->conf_state |= L2CAP_CONF_INPUT_DONE;
2085
2086 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE) {
2087 sk->sk_state = BT_CONNECTED;
2088 l2cap_chan_ready(sk);
2089 }
2090
2091done:
2092 bh_unlock_sock(sk);
2093 return 0;
2094}
2095
2096static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2097{
2098 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
2099 struct l2cap_disconn_rsp rsp;
2100 u16 dcid, scid;
2101 struct sock *sk;
2102
2103 scid = __le16_to_cpu(req->scid);
2104 dcid = __le16_to_cpu(req->dcid);
2105
2106 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
2107
2108 if (!(sk = l2cap_get_chan_by_scid(&conn->chan_list, dcid)))
2109 return 0;
2110
aca3192c
YH		 2111 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
2112 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
1da177e4
LT		 2113 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
2114
2115 sk->sk_shutdown = SHUTDOWN_MASK;
2116
2117 l2cap_chan_del(sk, ECONNRESET);
2118 bh_unlock_sock(sk);
2119
2120 l2cap_sock_kill(sk);
2121 return 0;
2122}
2123
2124static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2125{
2126 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
2127 u16 dcid, scid;
2128 struct sock *sk;
2129
2130 scid = __le16_to_cpu(rsp->scid);
2131 dcid = __le16_to_cpu(rsp->dcid);
2132
2133 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
2134
2135 if (!(sk = l2cap_get_chan_by_scid(&conn->chan_list, scid)))
2136 return 0;
2137
2138 l2cap_chan_del(sk, 0);
2139 bh_unlock_sock(sk);
2140
2141 l2cap_sock_kill(sk);
2142 return 0;
2143}
2144
2145static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2146{
2147 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 2148 u16 type;
2149
2150 type = __le16_to_cpu(req->type);
2151
2152 BT_DBG("type 0x%4.4x", type);
2153
f0709e03
MH		 2154 if (type == L2CAP_IT_FEAT_MASK) {
2155 u8 buf[8];
2156 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2157 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2158 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
2159 put_unaligned(cpu_to_le32(l2cap_feat_mask), (__le32 *) rsp->data);
2160 l2cap_send_cmd(conn, cmd->ident,
2161 L2CAP_INFO_RSP, sizeof(buf), buf);
2162 } else {
2163 struct l2cap_info_rsp rsp;
2164 rsp.type = cpu_to_le16(type);
2165 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
2166 l2cap_send_cmd(conn, cmd->ident,
2167 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
2168 }
1da177e4
LT		 2169
2170 return 0;
2171}
2172
2173static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2174{
2175 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
2176 u16 type, result;
2177
2178 type = __le16_to_cpu(rsp->type);
2179 result = __le16_to_cpu(rsp->result);
2180
2181 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
2182
4e8402a3
MH		 2183 conn->info_ident = 0;
2184
2185 del_timer(&conn->info_timer);
2186
984947dc 2187 if (type == L2CAP_IT_FEAT_MASK) {
83985319 2188 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 2189
984947dc
MH		 2190 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2191
2192 l2cap_conn_start(conn);
2193 }
4e8402a3 2194
1da177e4
LT		 2195 return 0;
2196}
2197
2198static inline void l2cap_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb)
2199{
2200 u8 *data = skb->data;
2201 int len = skb->len;
2202 struct l2cap_cmd_hdr cmd;
2203 int err = 0;
2204
2205 l2cap_raw_recv(conn, skb);
2206
2207 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 2208 u16 cmd_len;
1da177e4
LT		 2209 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
2210 data += L2CAP_CMD_HDR_SIZE;
2211 len -= L2CAP_CMD_HDR_SIZE;
2212
88219a0f 2213 cmd_len = le16_to_cpu(cmd.len);
1da177e4 2214
88219a0f 2215 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 2216
88219a0f 2217 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 2218 BT_DBG("corrupted command");
2219 break;
2220 }
2221
2222 switch (cmd.code) {
2223 case L2CAP_COMMAND_REJ:
4e8402a3 2224 l2cap_command_rej(conn, &cmd, data);
1da177e4
LT		 2225 break;
2226
2227 case L2CAP_CONN_REQ:
2228 err = l2cap_connect_req(conn, &cmd, data);
2229 break;
2230
2231 case L2CAP_CONN_RSP:
2232 err = l2cap_connect_rsp(conn, &cmd, data);
2233 break;
2234
2235 case L2CAP_CONF_REQ:
88219a0f 2236 err = l2cap_config_req(conn, &cmd, cmd_len, data);
1da177e4
LT		 2237 break;
2238
2239 case L2CAP_CONF_RSP:
2240 err = l2cap_config_rsp(conn, &cmd, data);
2241 break;
2242
2243 case L2CAP_DISCONN_REQ:
2244 err = l2cap_disconnect_req(conn, &cmd, data);
2245 break;
2246
2247 case L2CAP_DISCONN_RSP:
2248 err = l2cap_disconnect_rsp(conn, &cmd, data);
2249 break;
2250
2251 case L2CAP_ECHO_REQ:
88219a0f 2252 l2cap_send_cmd(conn, cmd.ident, L2CAP_ECHO_RSP, cmd_len, data);
1da177e4
LT		 2253 break;
2254
2255 case L2CAP_ECHO_RSP:
2256 break;
2257
2258 case L2CAP_INFO_REQ:
2259 err = l2cap_information_req(conn, &cmd, data);
2260 break;
2261
2262 case L2CAP_INFO_RSP:
2263 err = l2cap_information_rsp(conn, &cmd, data);
2264 break;
2265
2266 default:
2267 BT_ERR("Unknown signaling command 0x%2.2x", cmd.code);
2268 err = -EINVAL;
2269 break;
2270 }
2271
2272 if (err) {
2273 struct l2cap_cmd_rej rej;
2274 BT_DBG("error %d", err);
2275
2276 /* FIXME: Map err to a valid reason */
aca3192c 2277 rej.reason = cpu_to_le16(0);
1da177e4
LT		 2278 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
2279 }
2280
88219a0f
AV		 2281 data += cmd_len;
2282 len -= cmd_len;
1da177e4
LT		 2283 }
2284
2285 kfree_skb(skb);
2286}
2287
2288static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
2289{
2290 struct sock *sk;
2291
2292 sk = l2cap_get_chan_by_scid(&conn->chan_list, cid);
2293 if (!sk) {
2294 BT_DBG("unknown cid 0x%4.4x", cid);
2295 goto drop;
2296 }
2297
2298 BT_DBG("sk %p, len %d", sk, skb->len);
2299
2300 if (sk->sk_state != BT_CONNECTED)
2301 goto drop;
2302
2303 if (l2cap_pi(sk)->imtu < skb->len)
2304 goto drop;
2305
2306 /* If socket recv buffers overflows we drop data here
2307 * which is *bad* because L2CAP has to be reliable.
2308 * But we don't have any other choice. L2CAP doesn't
2309 * provide flow control mechanism. */
2310
2311 if (!sock_queue_rcv_skb(sk, skb))
2312 goto done;
2313
2314drop:
2315 kfree_skb(skb);
2316
2317done:
0139418c
MH		 2318 if (sk)
2319 bh_unlock_sock(sk);
2320
1da177e4
LT		 2321 return 0;
2322}
2323
8e036fc3 2324static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
1da177e4
LT		 2325{
2326 struct sock *sk;
2327
2328 sk = l2cap_get_sock_by_psm(0, psm, conn->src);
2329 if (!sk)
2330 goto drop;
2331
2332 BT_DBG("sk %p, len %d", sk, skb->len);
2333
2334 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_CONNECTED)
2335 goto drop;
2336
2337 if (l2cap_pi(sk)->imtu < skb->len)
2338 goto drop;
2339
2340 if (!sock_queue_rcv_skb(sk, skb))
2341 goto done;
2342
2343drop:
2344 kfree_skb(skb);
2345
2346done:
2347 if (sk) bh_unlock_sock(sk);
2348 return 0;
2349}
2350
2351static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
2352{
2353 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 2354 u16 cid, len;
2355 __le16 psm;
1da177e4
LT		 2356
2357 skb_pull(skb, L2CAP_HDR_SIZE);
2358 cid = __le16_to_cpu(lh->cid);
2359 len = __le16_to_cpu(lh->len);
2360
2361 BT_DBG("len %d, cid 0x%4.4x", len, cid);
2362
2363 switch (cid) {
2364 case 0x0001:
2365 l2cap_sig_channel(conn, skb);
2366 break;
2367
2368 case 0x0002:
8e036fc3 2369 psm = get_unaligned((__le16 *) skb->data);
1da177e4
LT		 2370 skb_pull(skb, 2);
2371 l2cap_conless_channel(conn, psm, skb);
2372 break;
2373
2374 default:
2375 l2cap_data_channel(conn, cid, skb);
2376 break;
2377 }
2378}
2379
2380/* ---- L2CAP interface with lower layer (HCI) ---- */
2381
2382static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
2383{
2384 int exact = 0, lm1 = 0, lm2 = 0;
2385 register struct sock *sk;
2386 struct hlist_node *node;
2387
2388 if (type != ACL_LINK)
2389 return 0;
2390
2391 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
2392
2393 /* Find listening sockets and check their link_mode */
2394 read_lock(&l2cap_sk_list.lock);
2395 sk_for_each(sk, node, &l2cap_sk_list.head) {
2396 if (sk->sk_state != BT_LISTEN)
2397 continue;
2398
2399 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5
MH		 2400 lm1 |= HCI_LM_ACCEPT;
2401 if (l2cap_pi(sk)->role_switch)
2402 lm1 |= HCI_LM_MASTER;
1da177e4 2403 exact++;
2af6b9d5
MH		 2404 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
2405 lm2 |= HCI_LM_ACCEPT;
2406 if (l2cap_pi(sk)->role_switch)
2407 lm2 |= HCI_LM_MASTER;
2408 }
1da177e4
LT		 2409 }
2410 read_unlock(&l2cap_sk_list.lock);
2411
2412 return exact ? lm1 : lm2;
2413}
2414
2415static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
2416{
0139418c
MH		 2417 struct l2cap_conn *conn;
2418
1da177e4
LT		 2419 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
2420
2421 if (hcon->type != ACL_LINK)
2422 return 0;
2423
2424 if (!status) {
1da177e4
LT		 2425 conn = l2cap_conn_add(hcon, status);
2426 if (conn)
2427 l2cap_conn_ready(conn);
0139418c 2428 } else
1da177e4
LT		 2429 l2cap_conn_del(hcon, bt_err(status));
2430
2431 return 0;
2432}
2433
2434static int l2cap_disconn_ind(struct hci_conn *hcon, u8 reason)
2435{
2436 BT_DBG("hcon %p reason %d", hcon, reason);
2437
2438 if (hcon->type != ACL_LINK)
2439 return 0;
2440
2441 l2cap_conn_del(hcon, bt_err(reason));
0139418c 2442
1da177e4
LT		 2443 return 0;
2444}
2445
f62e4323
MH		 2446static inline void l2cap_check_encryption(struct sock *sk, u8 encrypt)
2447{
255c7601
MH		 2448 if (sk->sk_type != SOCK_SEQPACKET)
2449 return;
2450
f62e4323
MH		 2451 if (encrypt == 0x00) {
2452 if (l2cap_pi(sk)->sec_level == BT_SECURITY_MEDIUM) {
2453 l2cap_sock_clear_timer(sk);
2454 l2cap_sock_set_timer(sk, HZ * 5);
2455 } else if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
2456 __l2cap_sock_close(sk, ECONNREFUSED);
2457 } else {
2458 if (l2cap_pi(sk)->sec_level == BT_SECURITY_MEDIUM)
2459 l2cap_sock_clear_timer(sk);
2460 }
2461}
2462
8c1b2355 2463static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4
LT		 2464{
2465 struct l2cap_chan_list *l;
0139418c 2466 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4 2467 struct sock *sk;
1da177e4 2468
0139418c 2469 if (!conn)
1da177e4 2470 return 0;
0139418c 2471
1da177e4
LT		 2472 l = &conn->chan_list;
2473
2474 BT_DBG("conn %p", conn);
2475
2476 read_lock(&l->lock);
2477
2478 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
2479 bh_lock_sock(sk);
2480
f62e4323 2481 if (!status && (sk->sk_state == BT_CONNECTED ||
8c1b2355 2482 sk->sk_state == BT_CONFIG)) {
f62e4323 2483 l2cap_check_encryption(sk, encrypt);
9719f8af
MH		 2484 bh_unlock_sock(sk);
2485 continue;
2486 }
2487
b1235d79
MH		 2488 if (sk->sk_state == BT_CONNECT) {
2489 if (!status) {
2490 struct l2cap_conn_req req;
2491 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
2492 req.psm = l2cap_pi(sk)->psm;
1da177e4 2493
b1235d79 2494 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
1da177e4 2495
b1235d79
MH		 2496 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
2497 L2CAP_CONN_REQ, sizeof(req), &req);
2498 } else {
2499 l2cap_sock_clear_timer(sk);
2500 l2cap_sock_set_timer(sk, HZ / 10);
2501 }
2502 } else if (sk->sk_state == BT_CONNECT2) {
2503 struct l2cap_conn_rsp rsp;
2504 __u16 result;
1da177e4 2505
b1235d79
MH		 2506 if (!status) {
2507 sk->sk_state = BT_CONFIG;
2508 result = L2CAP_CR_SUCCESS;
2509 } else {
2510 sk->sk_state = BT_DISCONN;
2511 l2cap_sock_set_timer(sk, HZ / 10);
2512 result = L2CAP_CR_SEC_BLOCK;
2513 }
2514
2515 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
2516 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
2517 rsp.result = cpu_to_le16(result);
e7c29cb1 2518 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
b1235d79
MH		 2519 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
2520 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2521 }
1da177e4
LT		 2522
2523 bh_unlock_sock(sk);
2524 }
2525
2526 read_unlock(&l->lock);
b1235d79 2527
1da177e4
LT		 2528 return 0;
2529}
2530
2531static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
2532{
2533 struct l2cap_conn *conn = hcon->l2cap_data;
2534
2535 if (!conn && !(conn = l2cap_conn_add(hcon, 0)))
2536 goto drop;
2537
2538 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
2539
2540 if (flags & ACL_START) {
2541 struct l2cap_hdr *hdr;
2542 int len;
2543
2544 if (conn->rx_len) {
2545 BT_ERR("Unexpected start frame (len %d)", skb->len);
2546 kfree_skb(conn->rx_skb);
2547 conn->rx_skb = NULL;
2548 conn->rx_len = 0;
2549 l2cap_conn_unreliable(conn, ECOMM);
2550 }
2551
2552 if (skb->len < 2) {
2553 BT_ERR("Frame is too short (len %d)", skb->len);
2554 l2cap_conn_unreliable(conn, ECOMM);
2555 goto drop;
2556 }
2557
2558 hdr = (struct l2cap_hdr *) skb->data;
2559 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
2560
2561 if (len == skb->len) {
2562 /* Complete frame received */
2563 l2cap_recv_frame(conn, skb);
2564 return 0;
2565 }
2566
2567 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
2568
2569 if (skb->len > len) {
2570 BT_ERR("Frame is too long (len %d, expected len %d)",
2571 skb->len, len);
2572 l2cap_conn_unreliable(conn, ECOMM);
2573 goto drop;
2574 }
2575
2576 /* Allocate skb for the complete frame (with header) */
2577 if (!(conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC)))
2578 goto drop;
2579
d626f62b
ACM		 2580 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2581 skb->len);
1da177e4
LT		 2582 conn->rx_len = len - skb->len;
2583 } else {
2584 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
2585
2586 if (!conn->rx_len) {
2587 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
2588 l2cap_conn_unreliable(conn, ECOMM);
2589 goto drop;
2590 }
2591
2592 if (skb->len > conn->rx_len) {
2593 BT_ERR("Fragment is too long (len %d, expected %d)",
2594 skb->len, conn->rx_len);
2595 kfree_skb(conn->rx_skb);
2596 conn->rx_skb = NULL;
2597 conn->rx_len = 0;
2598 l2cap_conn_unreliable(conn, ECOMM);
2599 goto drop;
2600 }
2601
d626f62b
ACM		 2602 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2603 skb->len);
1da177e4
LT		 2604 conn->rx_len -= skb->len;
2605
2606 if (!conn->rx_len) {
2607 /* Complete frame received */
2608 l2cap_recv_frame(conn, conn->rx_skb);
2609 conn->rx_skb = NULL;
2610 }
2611 }
2612
2613drop:
2614 kfree_skb(skb);
2615 return 0;
2616}
2617
be9d1227 2618static ssize_t l2cap_sysfs_show(struct class *dev, char *buf)
1da177e4
LT		 2619{
2620 struct sock *sk;
2621 struct hlist_node *node;
be9d1227 2622 char *str = buf;
1da177e4
LT		 2623
2624 read_lock_bh(&l2cap_sk_list.lock);
2625
be9d1227
MH		 2626 sk_for_each(sk, node, &l2cap_sk_list.head) {
2627 struct l2cap_pinfo *pi = l2cap_pi(sk);
1da177e4 2628
2af6b9d5 2629 str += sprintf(str, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d\n",
be9d1227 2630 batostr(&bt_sk(sk)->src), batostr(&bt_sk(sk)->dst),
73863976 2631 sk->sk_state, btohs(pi->psm), pi->scid, pi->dcid,
2af6b9d5 2632 pi->imtu, pi->omtu, pi->sec_level);
be9d1227 2633 }
1da177e4 2634
1da177e4 2635 read_unlock_bh(&l2cap_sk_list.lock);
1da177e4 2636
be9d1227 2637 return (str - buf);
1da177e4
LT		 2638}
2639
be9d1227 2640static CLASS_ATTR(l2cap, S_IRUGO, l2cap_sysfs_show, NULL);
1da177e4 2641
90ddc4f0 2642static const struct proto_ops l2cap_sock_ops = {
1da177e4
LT		 2643 .family = PF_BLUETOOTH,
2644 .owner = THIS_MODULE,
2645 .release = l2cap_sock_release,
2646 .bind = l2cap_sock_bind,
2647 .connect = l2cap_sock_connect,
2648 .listen = l2cap_sock_listen,
2649 .accept = l2cap_sock_accept,
2650 .getname = l2cap_sock_getname,
2651 .sendmsg = l2cap_sock_sendmsg,
f66dc81f 2652 .recvmsg = l2cap_sock_recvmsg,
1da177e4 2653 .poll = bt_sock_poll,
3241ad82 2654 .ioctl = bt_sock_ioctl,
1da177e4
LT		 2655 .mmap = sock_no_mmap,
2656 .socketpair = sock_no_socketpair,
1da177e4
LT		 2657 .shutdown = l2cap_sock_shutdown,
2658 .setsockopt = l2cap_sock_setsockopt,
2659 .getsockopt = l2cap_sock_getsockopt
2660};
2661
2662static struct net_proto_family l2cap_sock_family_ops = {
2663 .family = PF_BLUETOOTH,
2664 .owner = THIS_MODULE,
2665 .create = l2cap_sock_create,
2666};
2667
2668static struct hci_proto l2cap_hci_proto = {
2669 .name = "L2CAP",
2670 .id = HCI_PROTO_L2CAP,
2671 .connect_ind = l2cap_connect_ind,
2672 .connect_cfm = l2cap_connect_cfm,
2673 .disconn_ind = l2cap_disconn_ind,
8c1b2355 2674 .security_cfm = l2cap_security_cfm,
1da177e4
LT		 2675 .recv_acldata = l2cap_recv_acldata
2676};
2677
2678static int __init l2cap_init(void)
2679{
2680 int err;
be9d1227 2681
1da177e4
LT		 2682 err = proto_register(&l2cap_proto, 0);
2683 if (err < 0)
2684 return err;
2685
2686 err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
2687 if (err < 0) {
2688 BT_ERR("L2CAP socket registration failed");
2689 goto error;
2690 }
2691
2692 err = hci_register_proto(&l2cap_hci_proto);
2693 if (err < 0) {
2694 BT_ERR("L2CAP protocol registration failed");
2695 bt_sock_unregister(BTPROTO_L2CAP);
2696 goto error;
2697 }
2698
df5c37ea
MH		 2699 if (class_create_file(bt_class, &class_attr_l2cap) < 0)
2700 BT_ERR("Failed to create L2CAP info file");
1da177e4
LT		 2701
2702 BT_INFO("L2CAP ver %s", VERSION);
2703 BT_INFO("L2CAP socket layer initialized");
2704
2705 return 0;
2706
2707error:
2708 proto_unregister(&l2cap_proto);
2709 return err;
2710}
2711
2712static void __exit l2cap_exit(void)
2713{
a91f2e39 2714 class_remove_file(bt_class, &class_attr_l2cap);
1da177e4
LT		 2715
2716 if (bt_sock_unregister(BTPROTO_L2CAP) < 0)
2717 BT_ERR("L2CAP socket unregistration failed");
2718
2719 if (hci_unregister_proto(&l2cap_hci_proto) < 0)
2720 BT_ERR("L2CAP protocol unregistration failed");
2721
2722 proto_unregister(&l2cap_proto);
2723}
2724
2725void l2cap_load(void)
2726{
2727 /* Dummy function to trigger automatic L2CAP module loading by
2728 * other modules that use L2CAP sockets but don't use any other
2729 * symbols from it. */
2730 return;
2731}
2732EXPORT_SYMBOL(l2cap_load);
2733
2734module_init(l2cap_init);
2735module_exit(l2cap_exit);
2736
63fbd24e 2737MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
1da177e4
LT		 2738MODULE_DESCRIPTION("Bluetooth L2CAP ver " VERSION);
2739MODULE_VERSION(VERSION);
2740MODULE_LICENSE("GPL");
2741MODULE_ALIAS("bt-proto-0");
kernel source for telekom puls (alcatel/mediatek)