projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Allow setting of L2CAP ERTM via socket option
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4
5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License version 2 as
9 published by the Free Software Foundation;
10
11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19
8e87d142
YH		 20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 22 SOFTWARE IS DISCLAIMED.
23*/
24
25/* Bluetooth L2CAP core and sockets. */
26
1da177e4
LT		 27#include <linux/module.h>
28
29#include <linux/types.h>
4fc268d2 30#include <linux/capability.h>
1da177e4
LT		 31#include <linux/errno.h>
32#include <linux/kernel.h>
1da177e4
LT		 33#include <linux/sched.h>
34#include <linux/slab.h>
35#include <linux/poll.h>
36#include <linux/fcntl.h>
37#include <linux/init.h>
38#include <linux/interrupt.h>
39#include <linux/socket.h>
40#include <linux/skbuff.h>
1da177e4 41#include <linux/list.h>
be9d1227 42#include <linux/device.h>
af05b30b 43#include <linux/uaccess.h>
1da177e4
LT		 44#include <net/sock.h>
45
46#include <asm/system.h>
1da177e4
LT		 47#include <asm/unaligned.h>
48
49#include <net/bluetooth/bluetooth.h>
50#include <net/bluetooth/hci_core.h>
51#include <net/bluetooth/l2cap.h>
52
44dd46de
MH		 53#define VERSION "2.14"
54
55static int enable_ertm = 0;
f0709e03 56
47ec1dcd 57static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
e1027a7c 58static u8 l2cap_fixed_chan[8] = { 0x02, };
1da177e4 59
90ddc4f0 60static const struct proto_ops l2cap_sock_ops;
1da177e4
LT		 61
62static struct bt_sock_list l2cap_sk_list = {
d5fb2962 63 .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
1da177e4
LT		 64};
65
1da177e4
LT		 66static void __l2cap_sock_close(struct sock *sk, int reason);
67static void l2cap_sock_close(struct sock *sk);
68static void l2cap_sock_kill(struct sock *sk);
69
70static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
71 u8 code, u8 ident, u16 dlen, void *data);
72
73/* ---- L2CAP timers ---- */
74static void l2cap_sock_timeout(unsigned long arg)
75{
76 struct sock *sk = (struct sock *) arg;
b1235d79 77 int reason;
1da177e4
LT		 78
79 BT_DBG("sock %p state %d", sk, sk->sk_state);
80
81 bh_lock_sock(sk);
b1235d79 82
f62e4323
MH		 83 if (sk->sk_state == BT_CONNECTED || sk->sk_state == BT_CONFIG)
84 reason = ECONNREFUSED;
85 else if (sk->sk_state == BT_CONNECT &&
2af6b9d5 86 l2cap_pi(sk)->sec_level != BT_SECURITY_SDP)
b1235d79
MH		 87 reason = ECONNREFUSED;
88 else
89 reason = ETIMEDOUT;
90
91 __l2cap_sock_close(sk, reason);
92
1da177e4
LT		 93 bh_unlock_sock(sk);
94
95 l2cap_sock_kill(sk);
96 sock_put(sk);
97}
98
99static void l2cap_sock_set_timer(struct sock *sk, long timeout)
100{
101 BT_DBG("sk %p state %d timeout %ld", sk, sk->sk_state, timeout);
102 sk_reset_timer(sk, &sk->sk_timer, jiffies + timeout);
103}
104
105static void l2cap_sock_clear_timer(struct sock *sk)
106{
107 BT_DBG("sock %p state %d", sk, sk->sk_state);
108 sk_stop_timer(sk, &sk->sk_timer);
109}
110
0139418c
MH		 111/* ---- L2CAP channels ---- */
112static struct sock *__l2cap_get_chan_by_dcid(struct l2cap_chan_list *l, u16 cid)
113{
114 struct sock *s;
115 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
116 if (l2cap_pi(s)->dcid == cid)
117 break;
118 }
119 return s;
120}
121
122static struct sock *__l2cap_get_chan_by_scid(struct l2cap_chan_list *l, u16 cid)
123{
124 struct sock *s;
125 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
126 if (l2cap_pi(s)->scid == cid)
127 break;
128 }
129 return s;
130}
131
132/* Find channel with given SCID.
133 * Returns locked socket */
134static inline struct sock *l2cap_get_chan_by_scid(struct l2cap_chan_list *l, u16 cid)
135{
136 struct sock *s;
137 read_lock(&l->lock);
138 s = __l2cap_get_chan_by_scid(l, cid);
af05b30b
GP		 139 if (s)
140 bh_lock_sock(s);
0139418c
MH		 141 read_unlock(&l->lock);
142 return s;
143}
144
145static struct sock *__l2cap_get_chan_by_ident(struct l2cap_chan_list *l, u8 ident)
146{
147 struct sock *s;
148 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
149 if (l2cap_pi(s)->ident == ident)
150 break;
151 }
152 return s;
153}
154
155static inline struct sock *l2cap_get_chan_by_ident(struct l2cap_chan_list *l, u8 ident)
156{
157 struct sock *s;
158 read_lock(&l->lock);
159 s = __l2cap_get_chan_by_ident(l, ident);
af05b30b
GP		 160 if (s)
161 bh_lock_sock(s);
0139418c
MH		 162 read_unlock(&l->lock);
163 return s;
164}
165
166static u16 l2cap_alloc_cid(struct l2cap_chan_list *l)
167{
8db4dc46 168 u16 cid = L2CAP_CID_DYN_START;
0139418c 169
8db4dc46 170 for (; cid < L2CAP_CID_DYN_END; cid++) {
af05b30b 171 if (!__l2cap_get_chan_by_scid(l, cid))
0139418c
MH		 172 return cid;
173 }
174
175 return 0;
176}
177
178static inline void __l2cap_chan_link(struct l2cap_chan_list *l, struct sock *sk)
179{
180 sock_hold(sk);
181
182 if (l->head)
183 l2cap_pi(l->head)->prev_c = sk;
184
185 l2cap_pi(sk)->next_c = l->head;
186 l2cap_pi(sk)->prev_c = NULL;
187 l->head = sk;
188}
189
190static inline void l2cap_chan_unlink(struct l2cap_chan_list *l, struct sock *sk)
191{
192 struct sock *next = l2cap_pi(sk)->next_c, *prev = l2cap_pi(sk)->prev_c;
193
fd1278d7 194 write_lock_bh(&l->lock);
0139418c
MH		 195 if (sk == l->head)
196 l->head = next;
197
198 if (next)
199 l2cap_pi(next)->prev_c = prev;
200 if (prev)
201 l2cap_pi(prev)->next_c = next;
fd1278d7 202 write_unlock_bh(&l->lock);
0139418c
MH		 203
204 __sock_put(sk);
205}
206
207static void __l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent)
208{
209 struct l2cap_chan_list *l = &conn->chan_list;
210
af05b30b
GP		 211 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
212 l2cap_pi(sk)->psm, l2cap_pi(sk)->dcid);
0139418c 213
2950f21a
MH		 214 conn->disc_reason = 0x13;
215
0139418c
MH		 216 l2cap_pi(sk)->conn = conn;
217
218 if (sk->sk_type == SOCK_SEQPACKET) {
219 /* Alloc CID for connection-oriented socket */
220 l2cap_pi(sk)->scid = l2cap_alloc_cid(l);
221 } else if (sk->sk_type == SOCK_DGRAM) {
222 /* Connectionless socket */
8db4dc46
GP		 223 l2cap_pi(sk)->scid = L2CAP_CID_CONN_LESS;
224 l2cap_pi(sk)->dcid = L2CAP_CID_CONN_LESS;
0139418c
MH		 225 l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU;
226 } else {
227 /* Raw socket can send/recv signalling messages only */
8db4dc46
GP		 228 l2cap_pi(sk)->scid = L2CAP_CID_SIGNALING;
229 l2cap_pi(sk)->dcid = L2CAP_CID_SIGNALING;
0139418c
MH		 230 l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU;
231 }
232
233 __l2cap_chan_link(l, sk);
234
235 if (parent)
236 bt_accept_enqueue(parent, sk);
237}
238
8e87d142 239/* Delete channel.
0139418c
MH		 240 * Must be called on the locked socket. */
241static void l2cap_chan_del(struct sock *sk, int err)
242{
243 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
244 struct sock *parent = bt_sk(sk)->parent;
245
246 l2cap_sock_clear_timer(sk);
247
248 BT_DBG("sk %p, conn %p, err %d", sk, conn, err);
249
8e87d142 250 if (conn) {
0139418c
MH		 251 /* Unlink from channel list */
252 l2cap_chan_unlink(&conn->chan_list, sk);
253 l2cap_pi(sk)->conn = NULL;
254 hci_conn_put(conn->hcon);
255 }
256
b1235d79 257 sk->sk_state = BT_CLOSED;
0139418c
MH		 258 sock_set_flag(sk, SOCK_ZAPPED);
259
260 if (err)
261 sk->sk_err = err;
262
263 if (parent) {
264 bt_accept_unlink(sk);
265 parent->sk_data_ready(parent, 0);
266 } else
267 sk->sk_state_change(sk);
268}
269
79d554a6 270/* Service level security */
2af6b9d5 271static inline int l2cap_check_security(struct sock *sk)
79d554a6
MH		 272{
273 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
0684e5f9
MH		 274 __u8 auth_type;
275
00ae4af9
MH		 276 if (l2cap_pi(sk)->psm == cpu_to_le16(0x0001)) {
277 if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
278 auth_type = HCI_AT_NO_BONDING_MITM;
279 else
af05b30b 280 auth_type = HCI_AT_NO_BONDING;
00ae4af9
MH		 281
282 if (l2cap_pi(sk)->sec_level == BT_SECURITY_LOW)
283 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
284 } else {
285 switch (l2cap_pi(sk)->sec_level) {
286 case BT_SECURITY_HIGH:
287 auth_type = HCI_AT_GENERAL_BONDING_MITM;
288 break;
289 case BT_SECURITY_MEDIUM:
290 auth_type = HCI_AT_GENERAL_BONDING;
291 break;
292 default:
293 auth_type = HCI_AT_NO_BONDING;
294 break;
295 }
0684e5f9 296 }
79d554a6 297
0684e5f9
MH		 298 return hci_conn_security(conn->hcon, l2cap_pi(sk)->sec_level,
299 auth_type);
79d554a6
MH		 300}
301
4e8402a3
MH		 302static inline u8 l2cap_get_ident(struct l2cap_conn *conn)
303{
304 u8 id;
305
306 /* Get next available identificator.
307 * 1 - 128 are used by kernel.
308 * 129 - 199 are reserved.
309 * 200 - 254 are used by utilities like l2ping, etc.
310 */
311
312 spin_lock_bh(&conn->lock);
313
314 if (++conn->tx_ident > 128)
315 conn->tx_ident = 1;
316
317 id = conn->tx_ident;
318
319 spin_unlock_bh(&conn->lock);
320
321 return id;
322}
323
324static inline int l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
325{
326 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
327
328 BT_DBG("code 0x%2.2x", code);
329
330 if (!skb)
331 return -ENOMEM;
332
333 return hci_send_acl(conn->hcon, skb, 0);
334}
335
79d554a6
MH		 336static void l2cap_do_start(struct sock *sk)
337{
338 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
339
340 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 341 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
342 return;
343
2af6b9d5 344 if (l2cap_check_security(sk)) {
b1235d79
MH		 345 struct l2cap_conn_req req;
346 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
347 req.psm = l2cap_pi(sk)->psm;
79d554a6 348
b1235d79 349 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
79d554a6 350
b1235d79 351 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
79d554a6 352 L2CAP_CONN_REQ, sizeof(req), &req);
b1235d79 353 }
79d554a6
MH		 354 } else {
355 struct l2cap_info_req req;
356 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
357
358 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
359 conn->info_ident = l2cap_get_ident(conn);
360
361 mod_timer(&conn->info_timer, jiffies +
362 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
363
364 l2cap_send_cmd(conn, conn->info_ident,
365 L2CAP_INFO_REQ, sizeof(req), &req);
366 }
367}
368
1da177e4 369/* ---- L2CAP connections ---- */
4e8402a3
MH		 370static void l2cap_conn_start(struct l2cap_conn *conn)
371{
372 struct l2cap_chan_list *l = &conn->chan_list;
373 struct sock *sk;
374
375 BT_DBG("conn %p", conn);
376
377 read_lock(&l->lock);
378
379 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
380 bh_lock_sock(sk);
381
382 if (sk->sk_type != SOCK_SEQPACKET) {
79d554a6
MH		 383 bh_unlock_sock(sk);
384 continue;
385 }
386
387 if (sk->sk_state == BT_CONNECT) {
2af6b9d5 388 if (l2cap_check_security(sk)) {
b1235d79
MH		 389 struct l2cap_conn_req req;
390 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
391 req.psm = l2cap_pi(sk)->psm;
79d554a6 392
b1235d79 393 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
79d554a6 394
b1235d79 395 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
4e8402a3 396 L2CAP_CONN_REQ, sizeof(req), &req);
b1235d79 397 }
79d554a6
MH		 398 } else if (sk->sk_state == BT_CONNECT2) {
399 struct l2cap_conn_rsp rsp;
400 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
401 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
402
2af6b9d5 403 if (l2cap_check_security(sk)) {
f66dc81f
MH		 404 if (bt_sk(sk)->defer_setup) {
405 struct sock *parent = bt_sk(sk)->parent;
406 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
407 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
408 parent->sk_data_ready(parent, 0);
409
410 } else {
411 sk->sk_state = BT_CONFIG;
412 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
413 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
414 }
79d554a6
MH		 415 } else {
416 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
417 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
418 }
419
420 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
421 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
4e8402a3
MH		 422 }
423
424 bh_unlock_sock(sk);
425 }
426
427 read_unlock(&l->lock);
428}
429
430static void l2cap_conn_ready(struct l2cap_conn *conn)
431{
79d554a6
MH		 432 struct l2cap_chan_list *l = &conn->chan_list;
433 struct sock *sk;
4e8402a3 434
79d554a6 435 BT_DBG("conn %p", conn);
4e8402a3 436
79d554a6 437 read_lock(&l->lock);
4e8402a3 438
79d554a6
MH		 439 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
440 bh_lock_sock(sk);
4e8402a3 441
79d554a6
MH		 442 if (sk->sk_type != SOCK_SEQPACKET) {
443 l2cap_sock_clear_timer(sk);
444 sk->sk_state = BT_CONNECTED;
445 sk->sk_state_change(sk);
446 } else if (sk->sk_state == BT_CONNECT)
447 l2cap_do_start(sk);
4e8402a3 448
79d554a6 449 bh_unlock_sock(sk);
4e8402a3 450 }
79d554a6
MH		 451
452 read_unlock(&l->lock);
4e8402a3
MH		 453}
454
455/* Notify sockets that we cannot guaranty reliability anymore */
456static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
457{
458 struct l2cap_chan_list *l = &conn->chan_list;
459 struct sock *sk;
460
461 BT_DBG("conn %p", conn);
462
463 read_lock(&l->lock);
464
465 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
2af6b9d5 466 if (l2cap_pi(sk)->force_reliable)
4e8402a3
MH		 467 sk->sk_err = err;
468 }
469
470 read_unlock(&l->lock);
471}
472
473static void l2cap_info_timeout(unsigned long arg)
474{
475 struct l2cap_conn *conn = (void *) arg;
476
984947dc 477 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 478 conn->info_ident = 0;
984947dc 479
4e8402a3
MH		 480 l2cap_conn_start(conn);
481}
482
1da177e4
LT		 483static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
484{
0139418c 485 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4 486
0139418c 487 if (conn || status)
1da177e4
LT		 488 return conn;
489
0139418c
MH		 490 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
491 if (!conn)
1da177e4 492 return NULL;
1da177e4
LT		 493
494 hcon->l2cap_data = conn;
495 conn->hcon = hcon;
496
0139418c
MH		 497 BT_DBG("hcon %p conn %p", hcon, conn);
498
1da177e4
LT		 499 conn->mtu = hcon->hdev->acl_mtu;
500 conn->src = &hcon->hdev->bdaddr;
501 conn->dst = &hcon->dst;
502
4e8402a3
MH		 503 conn->feat_mask = 0;
504
b1235d79
MH		 505 setup_timer(&conn->info_timer, l2cap_info_timeout,
506 (unsigned long) conn);
4e8402a3 507
1da177e4
LT		 508 spin_lock_init(&conn->lock);
509 rwlock_init(&conn->chan_list.lock);
510
2950f21a
MH		 511 conn->disc_reason = 0x13;
512
1da177e4
LT		 513 return conn;
514}
515
0139418c 516static void l2cap_conn_del(struct hci_conn *hcon, int err)
1da177e4 517{
0139418c 518 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4
LT		 519 struct sock *sk;
520
0139418c
MH		 521 if (!conn)
522 return;
1da177e4
LT		 523
524 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
525
7585b97a 526 kfree_skb(conn->rx_skb);
1da177e4
LT		 527
528 /* Kill channels */
529 while ((sk = conn->chan_list.head)) {
530 bh_lock_sock(sk);
531 l2cap_chan_del(sk, err);
532 bh_unlock_sock(sk);
533 l2cap_sock_kill(sk);
534 }
535
8e8440f5
DY		 536 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
537 del_timer_sync(&conn->info_timer);
3ab22731 538
1da177e4
LT		 539 hcon->l2cap_data = NULL;
540 kfree(conn);
1da177e4
LT		 541}
542
543static inline void l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent)
544{
545 struct l2cap_chan_list *l = &conn->chan_list;
fd1278d7 546 write_lock_bh(&l->lock);
1da177e4 547 __l2cap_chan_add(conn, sk, parent);
fd1278d7 548 write_unlock_bh(&l->lock);
1da177e4
LT		 549}
550
1da177e4 551/* ---- Socket interface ---- */
8e036fc3 552static struct sock *__l2cap_get_sock_by_addr(__le16 psm, bdaddr_t *src)
1da177e4
LT		 553{
554 struct sock *sk;
555 struct hlist_node *node;
556 sk_for_each(sk, node, &l2cap_sk_list.head)
557 if (l2cap_pi(sk)->sport == psm && !bacmp(&bt_sk(sk)->src, src))
558 goto found;
559 sk = NULL;
560found:
561 return sk;
562}
563
564/* Find socket with psm and source bdaddr.
565 * Returns closest match.
566 */
8e036fc3 567static struct sock *__l2cap_get_sock_by_psm(int state, __le16 psm, bdaddr_t *src)
1da177e4
LT		 568{
569 struct sock *sk = NULL, *sk1 = NULL;
570 struct hlist_node *node;
571
572 sk_for_each(sk, node, &l2cap_sk_list.head) {
573 if (state && sk->sk_state != state)
574 continue;
575
576 if (l2cap_pi(sk)->psm == psm) {
577 /* Exact match. */
578 if (!bacmp(&bt_sk(sk)->src, src))
579 break;
580
581 /* Closest match */
582 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
583 sk1 = sk;
584 }
585 }
586 return node ? sk : sk1;
587}
588
589/* Find socket with given address (psm, src).
590 * Returns locked socket */
8e036fc3 591static inline struct sock *l2cap_get_sock_by_psm(int state, __le16 psm, bdaddr_t *src)
1da177e4
LT		 592{
593 struct sock *s;
594 read_lock(&l2cap_sk_list.lock);
595 s = __l2cap_get_sock_by_psm(state, psm, src);
af05b30b
GP		 596 if (s)
597 bh_lock_sock(s);
1da177e4
LT		 598 read_unlock(&l2cap_sk_list.lock);
599 return s;
600}
601
602static void l2cap_sock_destruct(struct sock *sk)
603{
604 BT_DBG("sk %p", sk);
605
606 skb_queue_purge(&sk->sk_receive_queue);
607 skb_queue_purge(&sk->sk_write_queue);
608}
609
610static void l2cap_sock_cleanup_listen(struct sock *parent)
611{
612 struct sock *sk;
613
614 BT_DBG("parent %p", parent);
615
616 /* Close not yet accepted channels */
617 while ((sk = bt_accept_dequeue(parent, NULL)))
618 l2cap_sock_close(sk);
619
b1235d79 620 parent->sk_state = BT_CLOSED;
1da177e4
LT		 621 sock_set_flag(parent, SOCK_ZAPPED);
622}
623
624/* Kill socket (only if zapped and orphan)
625 * Must be called on unlocked socket.
626 */
627static void l2cap_sock_kill(struct sock *sk)
628{
629 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
630 return;
631
632 BT_DBG("sk %p state %d", sk, sk->sk_state);
633
634 /* Kill poor orphan */
635 bt_sock_unlink(&l2cap_sk_list, sk);
636 sock_set_flag(sk, SOCK_DEAD);
637 sock_put(sk);
638}
639
640static void __l2cap_sock_close(struct sock *sk, int reason)
641{
642 BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
643
644 switch (sk->sk_state) {
645 case BT_LISTEN:
646 l2cap_sock_cleanup_listen(sk);
647 break;
648
649 case BT_CONNECTED:
650 case BT_CONFIG:
1da177e4
LT		 651 if (sk->sk_type == SOCK_SEQPACKET) {
652 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
653 struct l2cap_disconn_req req;
654
655 sk->sk_state = BT_DISCONN;
656 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
657
aca3192c
YH		 658 req.dcid = cpu_to_le16(l2cap_pi(sk)->dcid);
659 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
1da177e4
LT		 660 l2cap_send_cmd(conn, l2cap_get_ident(conn),
661 L2CAP_DISCONN_REQ, sizeof(req), &req);
b1235d79 662 } else
1da177e4 663 l2cap_chan_del(sk, reason);
1da177e4
LT		 664 break;
665
f66dc81f
MH		 666 case BT_CONNECT2:
667 if (sk->sk_type == SOCK_SEQPACKET) {
668 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
669 struct l2cap_conn_rsp rsp;
670 __u16 result;
671
672 if (bt_sk(sk)->defer_setup)
673 result = L2CAP_CR_SEC_BLOCK;
674 else
675 result = L2CAP_CR_BAD_PSM;
676
677 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
678 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
679 rsp.result = cpu_to_le16(result);
680 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
681 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
682 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
683 } else
684 l2cap_chan_del(sk, reason);
685 break;
686
1da177e4
LT		 687 case BT_CONNECT:
688 case BT_DISCONN:
689 l2cap_chan_del(sk, reason);
690 break;
691
692 default:
693 sock_set_flag(sk, SOCK_ZAPPED);
694 break;
695 }
696}
697
698/* Must be called on unlocked socket. */
699static void l2cap_sock_close(struct sock *sk)
700{
701 l2cap_sock_clear_timer(sk);
702 lock_sock(sk);
703 __l2cap_sock_close(sk, ECONNRESET);
704 release_sock(sk);
705 l2cap_sock_kill(sk);
706}
707
708static void l2cap_sock_init(struct sock *sk, struct sock *parent)
709{
710 struct l2cap_pinfo *pi = l2cap_pi(sk);
711
712 BT_DBG("sk %p", sk);
713
714 if (parent) {
715 sk->sk_type = parent->sk_type;
f66dc81f
MH		 716 bt_sk(sk)->defer_setup = bt_sk(parent)->defer_setup;
717
1da177e4
LT		 718 pi->imtu = l2cap_pi(parent)->imtu;
719 pi->omtu = l2cap_pi(parent)->omtu;
c6b03cf9
MH		 720 pi->mode = l2cap_pi(parent)->mode;
721 pi->fcs = l2cap_pi(parent)->fcs;
2af6b9d5
MH		 722 pi->sec_level = l2cap_pi(parent)->sec_level;
723 pi->role_switch = l2cap_pi(parent)->role_switch;
724 pi->force_reliable = l2cap_pi(parent)->force_reliable;
1da177e4
LT		 725 } else {
726 pi->imtu = L2CAP_DEFAULT_MTU;
727 pi->omtu = 0;
c6b03cf9
MH		 728 pi->mode = L2CAP_MODE_BASIC;
729 pi->fcs = L2CAP_FCS_CRC16;
2af6b9d5
MH		 730 pi->sec_level = BT_SECURITY_LOW;
731 pi->role_switch = 0;
732 pi->force_reliable = 0;
1da177e4
LT		 733 }
734
735 /* Default config options */
5dee9e7c 736 pi->conf_len = 0;
1da177e4
LT		 737 pi->flush_to = L2CAP_DEFAULT_FLUSH_TO;
738}
739
740static struct proto l2cap_proto = {
741 .name = "L2CAP",
742 .owner = THIS_MODULE,
743 .obj_size = sizeof(struct l2cap_pinfo)
744};
745
1b8d7ae4 746static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio)
1da177e4
LT		 747{
748 struct sock *sk;
749
6257ff21 750 sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto);
1da177e4
LT		 751 if (!sk)
752 return NULL;
753
754 sock_init_data(sock, sk);
755 INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
756
757 sk->sk_destruct = l2cap_sock_destruct;
4e8402a3 758 sk->sk_sndtimeo = msecs_to_jiffies(L2CAP_CONN_TIMEOUT);
1da177e4
LT		 759
760 sock_reset_flag(sk, SOCK_ZAPPED);
761
762 sk->sk_protocol = proto;
b1235d79 763 sk->sk_state = BT_OPEN;
1da177e4 764
b1235d79 765 setup_timer(&sk->sk_timer, l2cap_sock_timeout, (unsigned long) sk);
1da177e4
LT		 766
767 bt_sock_link(&l2cap_sk_list, sk);
768 return sk;
769}
770
1b8d7ae4 771static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol)
1da177e4
LT		 772{
773 struct sock *sk;
774
775 BT_DBG("sock %p", sock);
776
777 sock->state = SS_UNCONNECTED;
778
779 if (sock->type != SOCK_SEQPACKET &&
780 sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
781 return -ESOCKTNOSUPPORT;
782
783 if (sock->type == SOCK_RAW && !capable(CAP_NET_RAW))
784 return -EPERM;
785
786 sock->ops = &l2cap_sock_ops;
787
1b8d7ae4 788 sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC);
1da177e4
LT		 789 if (!sk)
790 return -ENOMEM;
791
792 l2cap_sock_init(sk, NULL);
793 return 0;
794}
795
f29972de 796static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
1da177e4 797{
1da177e4 798 struct sock *sk = sock->sk;
f29972de
MH		 799 struct sockaddr_l2 la;
800 int len, err = 0;
1da177e4 801
f29972de 802 BT_DBG("sk %p", sk);
1da177e4
LT		 803
804 if (!addr || addr->sa_family != AF_BLUETOOTH)
805 return -EINVAL;
806
f29972de
MH		 807 memset(&la, 0, sizeof(la));
808 len = min_t(unsigned int, sizeof(la), alen);
809 memcpy(&la, addr, len);
810
2a517ca6
MH		 811 if (la.l2_cid)
812 return -EINVAL;
813
1da177e4
LT		 814 lock_sock(sk);
815
816 if (sk->sk_state != BT_OPEN) {
817 err = -EBADFD;
818 goto done;
819 }
820
b4324b5d 821 if (la.l2_psm && __le16_to_cpu(la.l2_psm) < 0x1001 &&
847641d7
MH		 822 !capable(CAP_NET_BIND_SERVICE)) {
823 err = -EACCES;
824 goto done;
825 }
8e87d142 826
1da177e4
LT		 827 write_lock_bh(&l2cap_sk_list.lock);
828
f29972de 829 if (la.l2_psm && __l2cap_get_sock_by_addr(la.l2_psm, &la.l2_bdaddr)) {
1da177e4
LT		 830 err = -EADDRINUSE;
831 } else {
832 /* Save source address */
f29972de
MH		 833 bacpy(&bt_sk(sk)->src, &la.l2_bdaddr);
834 l2cap_pi(sk)->psm = la.l2_psm;
835 l2cap_pi(sk)->sport = la.l2_psm;
1da177e4 836 sk->sk_state = BT_BOUND;
2af6b9d5 837
b4324b5d
MH		 838 if (__le16_to_cpu(la.l2_psm) == 0x0001 ||
839 __le16_to_cpu(la.l2_psm) == 0x0003)
2af6b9d5 840 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
1da177e4
LT		 841 }
842
843 write_unlock_bh(&l2cap_sk_list.lock);
844
845done:
846 release_sock(sk);
847 return err;
848}
849
850static int l2cap_do_connect(struct sock *sk)
851{
852 bdaddr_t *src = &bt_sk(sk)->src;
853 bdaddr_t *dst = &bt_sk(sk)->dst;
854 struct l2cap_conn *conn;
855 struct hci_conn *hcon;
856 struct hci_dev *hdev;
09ab6f4c 857 __u8 auth_type;
44d0e48e 858 int err;
1da177e4 859
f29972de
MH		 860 BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
861 l2cap_pi(sk)->psm);
1da177e4 862
af05b30b
GP		 863 hdev = hci_get_route(dst, src);
864 if (!hdev)
1da177e4
LT		 865 return -EHOSTUNREACH;
866
867 hci_dev_lock_bh(hdev);
868
869 err = -ENOMEM;
870
8c1b2355 871 if (sk->sk_type == SOCK_RAW) {
2af6b9d5
MH		 872 switch (l2cap_pi(sk)->sec_level) {
873 case BT_SECURITY_HIGH:
8c1b2355 874 auth_type = HCI_AT_DEDICATED_BONDING_MITM;
2af6b9d5
MH		 875 break;
876 case BT_SECURITY_MEDIUM:
8c1b2355 877 auth_type = HCI_AT_DEDICATED_BONDING;
2af6b9d5
MH		 878 break;
879 default:
09ab6f4c 880 auth_type = HCI_AT_NO_BONDING;
2af6b9d5
MH		 881 break;
882 }
8c1b2355 883 } else if (l2cap_pi(sk)->psm == cpu_to_le16(0x0001)) {
2af6b9d5 884 if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
8c1b2355 885 auth_type = HCI_AT_NO_BONDING_MITM;
09ab6f4c 886 else
8c1b2355 887 auth_type = HCI_AT_NO_BONDING;
435fef20
MH		 888
889 if (l2cap_pi(sk)->sec_level == BT_SECURITY_LOW)
890 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
8c1b2355 891 } else {
2af6b9d5
MH		 892 switch (l2cap_pi(sk)->sec_level) {
893 case BT_SECURITY_HIGH:
8c1b2355 894 auth_type = HCI_AT_GENERAL_BONDING_MITM;
2af6b9d5
MH		 895 break;
896 case BT_SECURITY_MEDIUM:
09ab6f4c 897 auth_type = HCI_AT_GENERAL_BONDING;
2af6b9d5
MH		 898 break;
899 default:
8c1b2355 900 auth_type = HCI_AT_NO_BONDING;
2af6b9d5
MH		 901 break;
902 }
09ab6f4c
MH		 903 }
904
2af6b9d5
MH		 905 hcon = hci_connect(hdev, ACL_LINK, dst,
906 l2cap_pi(sk)->sec_level, auth_type);
1da177e4
LT		 907 if (!hcon)
908 goto done;
909
910 conn = l2cap_conn_add(hcon, 0);
911 if (!conn) {
912 hci_conn_put(hcon);
913 goto done;
914 }
915
916 err = 0;
917
918 /* Update source addr of the socket */
919 bacpy(src, conn->src);
920
921 l2cap_chan_add(conn, sk, NULL);
922
923 sk->sk_state = BT_CONNECT;
924 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
925
926 if (hcon->state == BT_CONNECTED) {
79d554a6 927 if (sk->sk_type != SOCK_SEQPACKET) {
1da177e4
LT		 928 l2cap_sock_clear_timer(sk);
929 sk->sk_state = BT_CONNECTED;
79d554a6
MH		 930 } else
931 l2cap_do_start(sk);
1da177e4
LT		 932 }
933
934done:
935 hci_dev_unlock_bh(hdev);
936 hci_dev_put(hdev);
937 return err;
938}
939
940static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags)
941{
1da177e4 942 struct sock *sk = sock->sk;
f29972de
MH		 943 struct sockaddr_l2 la;
944 int len, err = 0;
1da177e4 945
1da177e4
LT		 946 BT_DBG("sk %p", sk);
947
2a517ca6
MH		 948 if (!addr || addr->sa_family != AF_BLUETOOTH)
949 return -EINVAL;
1da177e4 950
f29972de
MH		 951 memset(&la, 0, sizeof(la));
952 len = min_t(unsigned int, sizeof(la), alen);
953 memcpy(&la, addr, len);
954
2a517ca6
MH		 955 if (la.l2_cid)
956 return -EINVAL;
957
958 lock_sock(sk);
959
f29972de 960 if (sk->sk_type == SOCK_SEQPACKET && !la.l2_psm) {
1da177e4
LT		 961 err = -EINVAL;
962 goto done;
963 }
964
c6b03cf9
MH		 965 switch (l2cap_pi(sk)->mode) {
966 case L2CAP_MODE_BASIC:
967 break;
968 case L2CAP_MODE_ERTM:
969 if (enable_ertm)
970 break;
971 /* fall through */
972 default:
973 err = -ENOTSUPP;
974 goto done;
975 }
976
af05b30b 977 switch (sk->sk_state) {
1da177e4
LT		 978 case BT_CONNECT:
979 case BT_CONNECT2:
980 case BT_CONFIG:
981 /* Already connecting */
982 goto wait;
983
984 case BT_CONNECTED:
985 /* Already connected */
986 goto done;
987
988 case BT_OPEN:
989 case BT_BOUND:
990 /* Can connect */
991 break;
992
993 default:
994 err = -EBADFD;
995 goto done;
996 }
997
998 /* Set destination address and psm */
f29972de
MH		 999 bacpy(&bt_sk(sk)->dst, &la.l2_bdaddr);
1000 l2cap_pi(sk)->psm = la.l2_psm;
1da177e4 1001
af05b30b
GP		 1002 err = l2cap_do_connect(sk);
1003 if (err)
1da177e4
LT		 1004 goto done;
1005
1006wait:
1007 err = bt_sock_wait_state(sk, BT_CONNECTED,
1008 sock_sndtimeo(sk, flags & O_NONBLOCK));
1009done:
1010 release_sock(sk);
1011 return err;
1012}
1013
1014static int l2cap_sock_listen(struct socket *sock, int backlog)
1015{
1016 struct sock *sk = sock->sk;
1017 int err = 0;
1018
1019 BT_DBG("sk %p backlog %d", sk, backlog);
1020
1021 lock_sock(sk);
1022
1023 if (sk->sk_state != BT_BOUND || sock->type != SOCK_SEQPACKET) {
1024 err = -EBADFD;
1025 goto done;
1026 }
1027
c6b03cf9
MH		 1028 switch (l2cap_pi(sk)->mode) {
1029 case L2CAP_MODE_BASIC:
1030 break;
1031 case L2CAP_MODE_ERTM:
1032 if (enable_ertm)
1033 break;
1034 /* fall through */
1035 default:
1036 err = -ENOTSUPP;
1037 goto done;
1038 }
1039
1da177e4
LT		 1040 if (!l2cap_pi(sk)->psm) {
1041 bdaddr_t *src = &bt_sk(sk)->src;
1042 u16 psm;
1043
1044 err = -EINVAL;
1045
1046 write_lock_bh(&l2cap_sk_list.lock);
1047
1048 for (psm = 0x1001; psm < 0x1100; psm += 2)
b4324b5d
MH		 1049 if (!__l2cap_get_sock_by_addr(cpu_to_le16(psm), src)) {
1050 l2cap_pi(sk)->psm = cpu_to_le16(psm);
1051 l2cap_pi(sk)->sport = cpu_to_le16(psm);
1da177e4
LT		 1052 err = 0;
1053 break;
1054 }
1055
1056 write_unlock_bh(&l2cap_sk_list.lock);
1057
1058 if (err < 0)
1059 goto done;
1060 }
1061
1062 sk->sk_max_ack_backlog = backlog;
1063 sk->sk_ack_backlog = 0;
1064 sk->sk_state = BT_LISTEN;
1065
1066done:
1067 release_sock(sk);
1068 return err;
1069}
1070
1071static int l2cap_sock_accept(struct socket *sock, struct socket *newsock, int flags)
1072{
1073 DECLARE_WAITQUEUE(wait, current);
1074 struct sock *sk = sock->sk, *nsk;
1075 long timeo;
1076 int err = 0;
1077
fcc70d5f 1078 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
1da177e4
LT		 1079
1080 if (sk->sk_state != BT_LISTEN) {
1081 err = -EBADFD;
1082 goto done;
1083 }
1084
1085 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
1086
1087 BT_DBG("sk %p timeo %ld", sk, timeo);
1088
1089 /* Wait for an incoming connection. (wake-one). */
1090 add_wait_queue_exclusive(sk->sk_sleep, &wait);
1091 while (!(nsk = bt_accept_dequeue(sk, newsock))) {
1092 set_current_state(TASK_INTERRUPTIBLE);
1093 if (!timeo) {
1094 err = -EAGAIN;
1095 break;
1096 }
1097
1098 release_sock(sk);
1099 timeo = schedule_timeout(timeo);
fcc70d5f 1100 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
1da177e4
LT		 1101
1102 if (sk->sk_state != BT_LISTEN) {
1103 err = -EBADFD;
1104 break;
1105 }
1106
1107 if (signal_pending(current)) {
1108 err = sock_intr_errno(timeo);
1109 break;
1110 }
1111 }
1112 set_current_state(TASK_RUNNING);
1113 remove_wait_queue(sk->sk_sleep, &wait);
1114
1115 if (err)
1116 goto done;
1117
1118 newsock->state = SS_CONNECTED;
1119
1120 BT_DBG("new socket %p", nsk);
1121
1122done:
1123 release_sock(sk);
1124 return err;
1125}
1126
1127static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr, int *len, int peer)
1128{
1129 struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
1130 struct sock *sk = sock->sk;
1131
1132 BT_DBG("sock %p, sk %p", sock, sk);
1133
1134 addr->sa_family = AF_BLUETOOTH;
1135 *len = sizeof(struct sockaddr_l2);
1136
f29972de
MH		 1137 if (peer) {
1138 la->l2_psm = l2cap_pi(sk)->psm;
1da177e4 1139 bacpy(&la->l2_bdaddr, &bt_sk(sk)->dst);
b4324b5d 1140 la->l2_cid = cpu_to_le16(l2cap_pi(sk)->dcid);
f29972de
MH		 1141 } else {
1142 la->l2_psm = l2cap_pi(sk)->sport;
1da177e4 1143 bacpy(&la->l2_bdaddr, &bt_sk(sk)->src);
b4324b5d 1144 la->l2_cid = cpu_to_le16(l2cap_pi(sk)->scid);
f29972de 1145 }
1da177e4 1146
1da177e4
LT		 1147 return 0;
1148}
1149
1150static inline int l2cap_do_send(struct sock *sk, struct msghdr *msg, int len)
1151{
1152 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1153 struct sk_buff *skb, **frag;
af05b30b 1154 int err, hlen, count, sent = 0;
1da177e4
LT		 1155 struct l2cap_hdr *lh;
1156
1157 BT_DBG("sk %p len %d", sk, len);
1158
1159 /* First fragment (with L2CAP header) */
1160 if (sk->sk_type == SOCK_DGRAM)
1161 hlen = L2CAP_HDR_SIZE + 2;
1162 else
1163 hlen = L2CAP_HDR_SIZE;
1164
1165 count = min_t(unsigned int, (conn->mtu - hlen), len);
1166
1167 skb = bt_skb_send_alloc(sk, hlen + count,
1168 msg->msg_flags & MSG_DONTWAIT, &err);
1169 if (!skb)
1170 return err;
1171
1172 /* Create L2CAP header */
1173 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c
YH		 1174 lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1175 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1da177e4
LT		 1176
1177 if (sk->sk_type == SOCK_DGRAM)
8e036fc3 1178 put_unaligned(l2cap_pi(sk)->psm, (__le16 *) skb_put(skb, 2));
1da177e4
LT		 1179
1180 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count)) {
1181 err = -EFAULT;
1182 goto fail;
1183 }
1184
1185 sent += count;
1186 len -= count;
1187
1188 /* Continuation fragments (no L2CAP header) */
1189 frag = &skb_shinfo(skb)->frag_list;
1190 while (len) {
1191 count = min_t(unsigned int, conn->mtu, len);
1192
1193 *frag = bt_skb_send_alloc(sk, count, msg->msg_flags & MSG_DONTWAIT, &err);
1194 if (!*frag)
1195 goto fail;
8e87d142 1196
1da177e4
LT		 1197 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count)) {
1198 err = -EFAULT;
1199 goto fail;
1200 }
1201
1202 sent += count;
1203 len -= count;
1204
1205 frag = &(*frag)->next;
1206 }
af05b30b
GP		 1207 err = hci_send_acl(conn->hcon, skb, 0);
1208 if (err < 0)
1da177e4
LT		 1209 goto fail;
1210
1211 return sent;
1212
1213fail:
1214 kfree_skb(skb);
1215 return err;
1216}
1217
1218static int l2cap_sock_sendmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len)
1219{
1220 struct sock *sk = sock->sk;
1221 int err = 0;
1222
1223 BT_DBG("sock %p, sk %p", sock, sk);
1224
c1cbe4b7
BL		 1225 err = sock_error(sk);
1226 if (err)
1227 return err;
1da177e4
LT		 1228
1229 if (msg->msg_flags & MSG_OOB)
1230 return -EOPNOTSUPP;
1231
1232 /* Check outgoing MTU */
1233 if (sk->sk_type != SOCK_RAW && len > l2cap_pi(sk)->omtu)
1234 return -EINVAL;
1235
1236 lock_sock(sk);
1237
1238 if (sk->sk_state == BT_CONNECTED)
1239 err = l2cap_do_send(sk, msg, len);
1240 else
1241 err = -ENOTCONN;
1242
1243 release_sock(sk);
1244 return err;
1245}
1246
f66dc81f
MH		 1247static int l2cap_sock_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len, int flags)
1248{
1249 struct sock *sk = sock->sk;
1250
1251 lock_sock(sk);
1252
1253 if (sk->sk_state == BT_CONNECT2 && bt_sk(sk)->defer_setup) {
1254 struct l2cap_conn_rsp rsp;
1255
1256 sk->sk_state = BT_CONFIG;
1257
1258 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
1259 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
1260 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1261 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1262 l2cap_send_cmd(l2cap_pi(sk)->conn, l2cap_pi(sk)->ident,
1263 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
1264
1265 release_sock(sk);
1266 return 0;
1267 }
1268
1269 release_sock(sk);
1270
1271 return bt_sock_recvmsg(iocb, sock, msg, len, flags);
1272}
1273
d58daf42 1274static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __user *optval, int optlen)
1da177e4
LT		 1275{
1276 struct sock *sk = sock->sk;
1277 struct l2cap_options opts;
f29972de 1278 int len, err = 0;
1da177e4
LT		 1279 u32 opt;
1280
1281 BT_DBG("sk %p", sk);
1282
1283 lock_sock(sk);
1284
1285 switch (optname) {
1286 case L2CAP_OPTIONS:
0878b666
MH		 1287 opts.imtu = l2cap_pi(sk)->imtu;
1288 opts.omtu = l2cap_pi(sk)->omtu;
1289 opts.flush_to = l2cap_pi(sk)->flush_to;
c6b03cf9 1290 opts.mode = l2cap_pi(sk)->mode;
0878b666 1291
1da177e4
LT		 1292 len = min_t(unsigned int, sizeof(opts), optlen);
1293 if (copy_from_user((char *) &opts, optval, len)) {
1294 err = -EFAULT;
1295 break;
1296 }
0878b666 1297
c6b03cf9
MH		 1298 l2cap_pi(sk)->imtu = opts.imtu;
1299 l2cap_pi(sk)->omtu = opts.omtu;
1300 l2cap_pi(sk)->mode = opts.mode;
1da177e4
LT		 1301 break;
1302
1303 case L2CAP_LM:
1304 if (get_user(opt, (u32 __user *) optval)) {
1305 err = -EFAULT;
1306 break;
1307 }
1308
2af6b9d5
MH		 1309 if (opt & L2CAP_LM_AUTH)
1310 l2cap_pi(sk)->sec_level = BT_SECURITY_LOW;
1311 if (opt & L2CAP_LM_ENCRYPT)
1312 l2cap_pi(sk)->sec_level = BT_SECURITY_MEDIUM;
1313 if (opt & L2CAP_LM_SECURE)
1314 l2cap_pi(sk)->sec_level = BT_SECURITY_HIGH;
1315
1316 l2cap_pi(sk)->role_switch = (opt & L2CAP_LM_MASTER);
1317 l2cap_pi(sk)->force_reliable = (opt & L2CAP_LM_RELIABLE);
1da177e4
LT		 1318 break;
1319
1320 default:
1321 err = -ENOPROTOOPT;
1322 break;
1323 }
1324
1325 release_sock(sk);
1326 return err;
1327}
1328
d58daf42
MH		 1329static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, char __user *optval, int optlen)
1330{
1331 struct sock *sk = sock->sk;
2af6b9d5
MH		 1332 struct bt_security sec;
1333 int len, err = 0;
f66dc81f 1334 u32 opt;
d58daf42
MH		 1335
1336 BT_DBG("sk %p", sk);
1337
1338 if (level == SOL_L2CAP)
1339 return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
1340
0588d94f
MH		 1341 if (level != SOL_BLUETOOTH)
1342 return -ENOPROTOOPT;
1343
d58daf42
MH		 1344 lock_sock(sk);
1345
1346 switch (optname) {
2af6b9d5 1347 case BT_SECURITY:
2526d3d8 1348 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_RAW) {
0588d94f
MH		 1349 err = -EINVAL;
1350 break;
1351 }
1352
2af6b9d5
MH		 1353 sec.level = BT_SECURITY_LOW;
1354
1355 len = min_t(unsigned int, sizeof(sec), optlen);
1356 if (copy_from_user((char *) &sec, optval, len)) {
1357 err = -EFAULT;
1358 break;
1359 }
1360
1361 if (sec.level < BT_SECURITY_LOW ||
1362 sec.level > BT_SECURITY_HIGH) {
1363 err = -EINVAL;
1364 break;
1365 }
1366
1367 l2cap_pi(sk)->sec_level = sec.level;
1368 break;
1369
f66dc81f
MH		 1370 case BT_DEFER_SETUP:
1371 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
1372 err = -EINVAL;
1373 break;
1374 }
1375
1376 if (get_user(opt, (u32 __user *) optval)) {
1377 err = -EFAULT;
1378 break;
1379 }
1380
1381 bt_sk(sk)->defer_setup = opt;
1382 break;
1383
d58daf42
MH		 1384 default:
1385 err = -ENOPROTOOPT;
1386 break;
1387 }
1388
1389 release_sock(sk);
1390 return err;
1391}
1392
1393static int l2cap_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen)
1da177e4
LT		 1394{
1395 struct sock *sk = sock->sk;
1396 struct l2cap_options opts;
1397 struct l2cap_conninfo cinfo;
1398 int len, err = 0;
2af6b9d5 1399 u32 opt;
1da177e4
LT		 1400
1401 BT_DBG("sk %p", sk);
1402
1403 if (get_user(len, optlen))
1404 return -EFAULT;
1405
1406 lock_sock(sk);
1407
1408 switch (optname) {
1409 case L2CAP_OPTIONS:
1410 opts.imtu = l2cap_pi(sk)->imtu;
1411 opts.omtu = l2cap_pi(sk)->omtu;
1412 opts.flush_to = l2cap_pi(sk)->flush_to;
c6b03cf9 1413 opts.mode = l2cap_pi(sk)->mode;
1da177e4
LT		 1414
1415 len = min_t(unsigned int, len, sizeof(opts));
1416 if (copy_to_user(optval, (char *) &opts, len))
1417 err = -EFAULT;
1418
1419 break;
1420
1421 case L2CAP_LM:
2af6b9d5
MH		 1422 switch (l2cap_pi(sk)->sec_level) {
1423 case BT_SECURITY_LOW:
1424 opt = L2CAP_LM_AUTH;
1425 break;
1426 case BT_SECURITY_MEDIUM:
1427 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
1428 break;
1429 case BT_SECURITY_HIGH:
1430 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
1431 L2CAP_LM_SECURE;
1432 break;
1433 default:
1434 opt = 0;
1435 break;
1436 }
1437
1438 if (l2cap_pi(sk)->role_switch)
1439 opt |= L2CAP_LM_MASTER;
1440
1441 if (l2cap_pi(sk)->force_reliable)
1442 opt |= L2CAP_LM_RELIABLE;
1443
1444 if (put_user(opt, (u32 __user *) optval))
1da177e4
LT		 1445 err = -EFAULT;
1446 break;
1447
1448 case L2CAP_CONNINFO:
f66dc81f
MH		 1449 if (sk->sk_state != BT_CONNECTED &&
1450 !(sk->sk_state == BT_CONNECT2 &&
1451 bt_sk(sk)->defer_setup)) {
1da177e4
LT		 1452 err = -ENOTCONN;
1453 break;
1454 }
1455
1456 cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle;
1457 memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3);
1458
1459 len = min_t(unsigned int, len, sizeof(cinfo));
1460 if (copy_to_user(optval, (char *) &cinfo, len))
1461 err = -EFAULT;
1462
1463 break;
1464
1465 default:
1466 err = -ENOPROTOOPT;
1467 break;
1468 }
1469
1470 release_sock(sk);
1471 return err;
1472}
1473
d58daf42
MH		 1474static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen)
1475{
1476 struct sock *sk = sock->sk;
2af6b9d5 1477 struct bt_security sec;
d58daf42
MH		 1478 int len, err = 0;
1479
1480 BT_DBG("sk %p", sk);
1481
1482 if (level == SOL_L2CAP)
1483 return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
1484
0588d94f
MH		 1485 if (level != SOL_BLUETOOTH)
1486 return -ENOPROTOOPT;
1487
d58daf42
MH		 1488 if (get_user(len, optlen))
1489 return -EFAULT;
1490
1491 lock_sock(sk);
1492
1493 switch (optname) {
2af6b9d5 1494 case BT_SECURITY:
2526d3d8 1495 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_RAW) {
0588d94f
MH		 1496 err = -EINVAL;
1497 break;
1498 }
1499
2af6b9d5
MH		 1500 sec.level = l2cap_pi(sk)->sec_level;
1501
1502 len = min_t(unsigned int, len, sizeof(sec));
1503 if (copy_to_user(optval, (char *) &sec, len))
1504 err = -EFAULT;
1505
1506 break;
1507
f66dc81f
MH		 1508 case BT_DEFER_SETUP:
1509 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
1510 err = -EINVAL;
1511 break;
1512 }
1513
1514 if (put_user(bt_sk(sk)->defer_setup, (u32 __user *) optval))
1515 err = -EFAULT;
1516
1517 break;
1518
d58daf42
MH		 1519 default:
1520 err = -ENOPROTOOPT;
1521 break;
1522 }
1523
1524 release_sock(sk);
1525 return err;
1526}
1527
1da177e4
LT		 1528static int l2cap_sock_shutdown(struct socket *sock, int how)
1529{
1530 struct sock *sk = sock->sk;
1531 int err = 0;
1532
1533 BT_DBG("sock %p, sk %p", sock, sk);
1534
1535 if (!sk)
1536 return 0;
1537
1538 lock_sock(sk);
1539 if (!sk->sk_shutdown) {
1540 sk->sk_shutdown = SHUTDOWN_MASK;
1541 l2cap_sock_clear_timer(sk);
1542 __l2cap_sock_close(sk, 0);
1543
1544 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime)
b1235d79
MH		 1545 err = bt_sock_wait_state(sk, BT_CLOSED,
1546 sk->sk_lingertime);
1da177e4
LT		 1547 }
1548 release_sock(sk);
1549 return err;
1550}
1551
1552static int l2cap_sock_release(struct socket *sock)
1553{
1554 struct sock *sk = sock->sk;
1555 int err;
1556
1557 BT_DBG("sock %p, sk %p", sock, sk);
1558
1559 if (!sk)
1560 return 0;
1561
1562 err = l2cap_sock_shutdown(sock, 2);
1563
1564 sock_orphan(sk);
1565 l2cap_sock_kill(sk);
1566 return err;
1567}
1568
1da177e4
LT		 1569static void l2cap_chan_ready(struct sock *sk)
1570{
1571 struct sock *parent = bt_sk(sk)->parent;
1572
1573 BT_DBG("sk %p, parent %p", sk, parent);
1574
1575 l2cap_pi(sk)->conf_state = 0;
1576 l2cap_sock_clear_timer(sk);
1577
1578 if (!parent) {
1579 /* Outgoing channel.
1580 * Wake up socket sleeping on connect.
1581 */
1582 sk->sk_state = BT_CONNECTED;
1583 sk->sk_state_change(sk);
1584 } else {
1585 /* Incoming channel.
1586 * Wake up socket sleeping on accept.
1587 */
1588 parent->sk_data_ready(parent, 0);
1589 }
1590}
1591
1592/* Copy frame to all raw sockets on that connection */
1593static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
1594{
1595 struct l2cap_chan_list *l = &conn->chan_list;
1596 struct sk_buff *nskb;
af05b30b 1597 struct sock *sk;
1da177e4
LT		 1598
1599 BT_DBG("conn %p", conn);
1600
1601 read_lock(&l->lock);
1602 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
1603 if (sk->sk_type != SOCK_RAW)
1604 continue;
1605
1606 /* Don't send frame to the socket it came from */
1607 if (skb->sk == sk)
1608 continue;
af05b30b
GP		 1609 nskb = skb_clone(skb, GFP_ATOMIC);
1610 if (!nskb)
1da177e4
LT		 1611 continue;
1612
1613 if (sock_queue_rcv_skb(sk, nskb))
1614 kfree_skb(nskb);
1615 }
1616 read_unlock(&l->lock);
1617}
1618
1619/* ---- L2CAP signalling commands ---- */
1620static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
1621 u8 code, u8 ident, u16 dlen, void *data)
1622{
1623 struct sk_buff *skb, **frag;
1624 struct l2cap_cmd_hdr *cmd;
1625 struct l2cap_hdr *lh;
1626 int len, count;
1627
af05b30b
GP		 1628 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
1629 conn, code, ident, dlen);
1da177e4
LT		 1630
1631 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
1632 count = min_t(unsigned int, conn->mtu, len);
1633
1634 skb = bt_skb_alloc(count, GFP_ATOMIC);
1635 if (!skb)
1636 return NULL;
1637
1638 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 1639 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
8db4dc46 1640 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 1641
1642 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
1643 cmd->code = code;
1644 cmd->ident = ident;
aca3192c 1645 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 1646
1647 if (dlen) {
1648 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
1649 memcpy(skb_put(skb, count), data, count);
1650 data += count;
1651 }
1652
1653 len -= skb->len;
1654
1655 /* Continuation fragments (no L2CAP header) */
1656 frag = &skb_shinfo(skb)->frag_list;
1657 while (len) {
1658 count = min_t(unsigned int, conn->mtu, len);
1659
1660 *frag = bt_skb_alloc(count, GFP_ATOMIC);
1661 if (!*frag)
1662 goto fail;
1663
1664 memcpy(skb_put(*frag, count), data, count);
1665
1666 len -= count;
1667 data += count;
1668
1669 frag = &(*frag)->next;
1670 }
1671
1672 return skb;
1673
1674fail:
1675 kfree_skb(skb);
1676 return NULL;
1677}
1678
1679static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
1680{
1681 struct l2cap_conf_opt *opt = *ptr;
1682 int len;
1683
1684 len = L2CAP_CONF_OPT_SIZE + opt->len;
1685 *ptr += len;
1686
1687 *type = opt->type;
1688 *olen = opt->len;
1689
1690 switch (opt->len) {
1691 case 1:
1692 *val = *((u8 *) opt->val);
1693 break;
1694
1695 case 2:
861d6882 1696 *val = __le16_to_cpu(*((__le16 *) opt->val));
1da177e4
LT		 1697 break;
1698
1699 case 4:
861d6882 1700 *val = __le32_to_cpu(*((__le32 *) opt->val));
1da177e4
LT		 1701 break;
1702
1703 default:
1704 *val = (unsigned long) opt->val;
1705 break;
1706 }
1707
1708 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
1709 return len;
1710}
1711
1da177e4
LT		 1712static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
1713{
1714 struct l2cap_conf_opt *opt = *ptr;
1715
1716 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
1717
1718 opt->type = type;
1719 opt->len = len;
1720
1721 switch (len) {
1722 case 1:
1723 *((u8 *) opt->val) = val;
1724 break;
1725
1726 case 2:
8e036fc3 1727 *((__le16 *) opt->val) = cpu_to_le16(val);
1da177e4
LT		 1728 break;
1729
1730 case 4:
8e036fc3 1731 *((__le32 *) opt->val) = cpu_to_le32(val);
1da177e4
LT		 1732 break;
1733
1734 default:
1735 memcpy(opt->val, (void *) val, len);
1736 break;
1737 }
1738
1739 *ptr += L2CAP_CONF_OPT_SIZE + len;
1740}
1741
1742static int l2cap_build_conf_req(struct sock *sk, void *data)
1743{
1744 struct l2cap_pinfo *pi = l2cap_pi(sk);
1745 struct l2cap_conf_req *req = data;
1746 void *ptr = req->data;
1747
1748 BT_DBG("sk %p", sk);
1749
1750 if (pi->imtu != L2CAP_DEFAULT_MTU)
1751 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->imtu);
1752
1753 /* FIXME: Need actual value of the flush timeout */
1754 //if (flush_to != L2CAP_DEFAULT_FLUSH_TO)
1755 // l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, 2, pi->flush_to);
1756
aca3192c
YH		 1757 req->dcid = cpu_to_le16(pi->dcid);
1758 req->flags = cpu_to_le16(0);
1da177e4
LT		 1759
1760 return ptr - data;
1761}
1762
5dee9e7c 1763static int l2cap_parse_conf_req(struct sock *sk, void *data)
1da177e4
LT		 1764{
1765 struct l2cap_pinfo *pi = l2cap_pi(sk);
5dee9e7c
MH		 1766 struct l2cap_conf_rsp *rsp = data;
1767 void *ptr = rsp->data;
1768 void *req = pi->conf_req;
1769 int len = pi->conf_len;
1770 int type, hint, olen;
1771 unsigned long val;
6464f35f 1772 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
861d6882 1773 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 1774 u16 result = L2CAP_CONF_SUCCESS;
1da177e4 1775
5dee9e7c 1776 BT_DBG("sk %p", sk);
820ae1b8 1777
5dee9e7c
MH		 1778 while (len >= L2CAP_CONF_OPT_SIZE) {
1779 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 1780
589d2746 1781 hint = type & L2CAP_CONF_HINT;
47ec1dcd 1782 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 1783
1784 switch (type) {
1785 case L2CAP_CONF_MTU:
861d6882 1786 mtu = val;
5dee9e7c
MH		 1787 break;
1788
1789 case L2CAP_CONF_FLUSH_TO:
1790 pi->flush_to = val;
1791 break;
1792
1793 case L2CAP_CONF_QOS:
1794 break;
1795
6464f35f
MH		 1796 case L2CAP_CONF_RFC:
1797 if (olen == sizeof(rfc))
1798 memcpy(&rfc, (void *) val, olen);
1799 break;
1800
5dee9e7c
MH		 1801 default:
1802 if (hint)
1803 break;
1804
1805 result = L2CAP_CONF_UNKNOWN;
1806 *((u8 *) ptr++) = type;
1807 break;
1808 }
1809 }
1810
1811 if (result == L2CAP_CONF_SUCCESS) {
1812 /* Configure output options and let the other side know
1813 * which ones we don't like. */
1814
6464f35f
MH		 1815 if (rfc.mode == L2CAP_MODE_BASIC) {
1816 if (mtu < pi->omtu)
1817 result = L2CAP_CONF_UNACCEPT;
1818 else {
1819 pi->omtu = mtu;
1820 pi->conf_state |= L2CAP_CONF_OUTPUT_DONE;
1821 }
1822
1823 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->omtu);
1824 } else {
5dee9e7c 1825 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 1826
6464f35f
MH		 1827 memset(&rfc, 0, sizeof(rfc));
1828 rfc.mode = L2CAP_MODE_BASIC;
1829
1830 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
1831 sizeof(rfc), (unsigned long) &rfc);
1832 }
5dee9e7c
MH		 1833 }
1834
1835 rsp->scid = cpu_to_le16(pi->dcid);
1836 rsp->result = cpu_to_le16(result);
1837 rsp->flags = cpu_to_le16(0x0000);
1838
1839 return ptr - data;
1da177e4
LT		 1840}
1841
5dee9e7c 1842static int l2cap_build_conf_rsp(struct sock *sk, void *data, u16 result, u16 flags)
1da177e4
LT		 1843{
1844 struct l2cap_conf_rsp *rsp = data;
1845 void *ptr = rsp->data;
1da177e4 1846
5dee9e7c 1847 BT_DBG("sk %p", sk);
1da177e4 1848
aca3192c 1849 rsp->scid = cpu_to_le16(l2cap_pi(sk)->dcid);
5dee9e7c 1850 rsp->result = cpu_to_le16(result);
aca3192c 1851 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 1852
1853 return ptr - data;
1854}
1855
4e8402a3
MH		 1856static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
1857{
1858 struct l2cap_cmd_rej *rej = (struct l2cap_cmd_rej *) data;
1859
1860 if (rej->reason != 0x0000)
1861 return 0;
1862
1863 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
1864 cmd->ident == conn->info_ident) {
4e8402a3 1865 del_timer(&conn->info_timer);
984947dc
MH		 1866
1867 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1868 conn->info_ident = 0;
984947dc 1869
4e8402a3
MH		 1870 l2cap_conn_start(conn);
1871 }
1872
1873 return 0;
1874}
1875
1da177e4
LT		 1876static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
1877{
1878 struct l2cap_chan_list *list = &conn->chan_list;
1879 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
1880 struct l2cap_conn_rsp rsp;
1881 struct sock *sk, *parent;
e7c29cb1 1882 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 1883
1884 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 1885 __le16 psm = req->psm;
1da177e4
LT		 1886
1887 BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
1888
1889 /* Check if we have socket listening on psm */
1890 parent = l2cap_get_sock_by_psm(BT_LISTEN, psm, conn->src);
1891 if (!parent) {
1892 result = L2CAP_CR_BAD_PSM;
1893 goto sendresp;
1894 }
1895
e7c29cb1
MH		 1896 /* Check if the ACL is secure enough (if not SDP) */
1897 if (psm != cpu_to_le16(0x0001) &&
1898 !hci_conn_check_link_mode(conn->hcon)) {
2950f21a 1899 conn->disc_reason = 0x05;
e7c29cb1
MH		 1900 result = L2CAP_CR_SEC_BLOCK;
1901 goto response;
1902 }
1903
1da177e4
LT		 1904 result = L2CAP_CR_NO_MEM;
1905
1906 /* Check for backlog size */
1907 if (sk_acceptq_is_full(parent)) {
8e87d142 1908 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1da177e4
LT		 1909 goto response;
1910 }
1911
3b1e0a65 1912 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP, GFP_ATOMIC);
1da177e4
LT		 1913 if (!sk)
1914 goto response;
1915
fd1278d7 1916 write_lock_bh(&list->lock);
1da177e4
LT		 1917
1918 /* Check if we already have channel with that dcid */
1919 if (__l2cap_get_chan_by_dcid(list, scid)) {
fd1278d7 1920 write_unlock_bh(&list->lock);
1da177e4
LT		 1921 sock_set_flag(sk, SOCK_ZAPPED);
1922 l2cap_sock_kill(sk);
1923 goto response;
1924 }
1925
1926 hci_conn_hold(conn->hcon);
1927
1928 l2cap_sock_init(sk, parent);
1929 bacpy(&bt_sk(sk)->src, conn->src);
1930 bacpy(&bt_sk(sk)->dst, conn->dst);
1931 l2cap_pi(sk)->psm = psm;
1932 l2cap_pi(sk)->dcid = scid;
1933
1934 __l2cap_chan_add(conn, sk, parent);
1935 dcid = l2cap_pi(sk)->scid;
1936
1937 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
1938
1da177e4
LT		 1939 l2cap_pi(sk)->ident = cmd->ident;
1940
984947dc 1941 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
2af6b9d5 1942 if (l2cap_check_security(sk)) {
f66dc81f
MH		 1943 if (bt_sk(sk)->defer_setup) {
1944 sk->sk_state = BT_CONNECT2;
1945 result = L2CAP_CR_PEND;
1946 status = L2CAP_CS_AUTHOR_PEND;
1947 parent->sk_data_ready(parent, 0);
1948 } else {
1949 sk->sk_state = BT_CONFIG;
1950 result = L2CAP_CR_SUCCESS;
1951 status = L2CAP_CS_NO_INFO;
1952 }
79d554a6
MH		 1953 } else {
1954 sk->sk_state = BT_CONNECT2;
1955 result = L2CAP_CR_PEND;
1956 status = L2CAP_CS_AUTHEN_PEND;
1957 }
1958 } else {
1959 sk->sk_state = BT_CONNECT2;
1960 result = L2CAP_CR_PEND;
1961 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 1962 }
1963
fd1278d7 1964 write_unlock_bh(&list->lock);
1da177e4
LT		 1965
1966response:
1967 bh_unlock_sock(parent);
1968
1969sendresp:
aca3192c
YH		 1970 rsp.scid = cpu_to_le16(scid);
1971 rsp.dcid = cpu_to_le16(dcid);
1972 rsp.result = cpu_to_le16(result);
1973 rsp.status = cpu_to_le16(status);
1da177e4 1974 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 1975
1976 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
1977 struct l2cap_info_req info;
1978 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
1979
1980 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1981 conn->info_ident = l2cap_get_ident(conn);
1982
1983 mod_timer(&conn->info_timer, jiffies +
1984 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
1985
1986 l2cap_send_cmd(conn, conn->info_ident,
1987 L2CAP_INFO_REQ, sizeof(info), &info);
1988 }
1989
1da177e4
LT		 1990 return 0;
1991}
1992
1993static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
1994{
1995 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
1996 u16 scid, dcid, result, status;
1997 struct sock *sk;
1998 u8 req[128];
1999
2000 scid = __le16_to_cpu(rsp->scid);
2001 dcid = __le16_to_cpu(rsp->dcid);
2002 result = __le16_to_cpu(rsp->result);
2003 status = __le16_to_cpu(rsp->status);
2004
2005 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status);
2006
2007 if (scid) {
af05b30b
GP		 2008 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
2009 if (!sk)
1da177e4
LT		 2010 return 0;
2011 } else {
af05b30b
GP		 2012 sk = l2cap_get_chan_by_ident(&conn->chan_list, cmd->ident);
2013 if (!sk)
1da177e4
LT		 2014 return 0;
2015 }
2016
2017 switch (result) {
2018 case L2CAP_CR_SUCCESS:
2019 sk->sk_state = BT_CONFIG;
2020 l2cap_pi(sk)->ident = 0;
2021 l2cap_pi(sk)->dcid = dcid;
2022 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
2023
6a8d3010
MH		 2024 l2cap_pi(sk)->conf_state &= ~L2CAP_CONF_CONNECT_PEND;
2025
1da177e4
LT		 2026 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2027 l2cap_build_conf_req(sk, req), req);
2028 break;
2029
2030 case L2CAP_CR_PEND:
6a8d3010 2031 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
1da177e4
LT		 2032 break;
2033
2034 default:
2035 l2cap_chan_del(sk, ECONNREFUSED);
2036 break;
2037 }
2038
2039 bh_unlock_sock(sk);
2040 return 0;
2041}
2042
88219a0f 2043static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 2044{
2045 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
2046 u16 dcid, flags;
2047 u8 rsp[64];
2048 struct sock *sk;
5dee9e7c 2049 int len;
1da177e4
LT		 2050
2051 dcid = __le16_to_cpu(req->dcid);
2052 flags = __le16_to_cpu(req->flags);
2053
2054 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
2055
af05b30b
GP		 2056 sk = l2cap_get_chan_by_scid(&conn->chan_list, dcid);
2057 if (!sk)
1da177e4
LT		 2058 return -ENOENT;
2059
354f60a9
MH		 2060 if (sk->sk_state == BT_DISCONN)
2061 goto unlock;
2062
5dee9e7c 2063 /* Reject if config buffer is too small. */
88219a0f 2064 len = cmd_len - sizeof(*req);
5dee9e7c
MH		 2065 if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
2066 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2067 l2cap_build_conf_rsp(sk, rsp,
2068 L2CAP_CONF_REJECT, flags), rsp);
2069 goto unlock;
2070 }
2071
2072 /* Store config. */
2073 memcpy(l2cap_pi(sk)->conf_req + l2cap_pi(sk)->conf_len, req->data, len);
2074 l2cap_pi(sk)->conf_len += len;
1da177e4
LT		 2075
2076 if (flags & 0x0001) {
2077 /* Incomplete config. Send empty response. */
2078 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
5dee9e7c
MH		 2079 l2cap_build_conf_rsp(sk, rsp,
2080 L2CAP_CONF_SUCCESS, 0x0001), rsp);
1da177e4
LT		 2081 goto unlock;
2082 }
2083
2084 /* Complete config. */
5dee9e7c
MH		 2085 len = l2cap_parse_conf_req(sk, rsp);
2086 if (len < 0)
1da177e4
LT		 2087 goto unlock;
2088
5dee9e7c
MH		 2089 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
2090
5dee9e7c
MH		 2091 /* Reset config buffer. */
2092 l2cap_pi(sk)->conf_len = 0;
2093
876d9484
MH		 2094 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE))
2095 goto unlock;
2096
1da177e4
LT		 2097 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_INPUT_DONE) {
2098 sk->sk_state = BT_CONNECTED;
2099 l2cap_chan_ready(sk);
876d9484
MH		 2100 goto unlock;
2101 }
2102
2103 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT)) {
79d554a6 2104 u8 buf[64];
1da177e4 2105 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
79d554a6 2106 l2cap_build_conf_req(sk, buf), buf);
1da177e4
LT		 2107 }
2108
2109unlock:
2110 bh_unlock_sock(sk);
2111 return 0;
2112}
2113
2114static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2115{
2116 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
2117 u16 scid, flags, result;
2118 struct sock *sk;
2119
2120 scid = __le16_to_cpu(rsp->scid);
2121 flags = __le16_to_cpu(rsp->flags);
2122 result = __le16_to_cpu(rsp->result);
2123
af05b30b
GP		 2124 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x",
2125 scid, flags, result);
1da177e4 2126
af05b30b
GP		 2127 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
2128 if (!sk)
1da177e4
LT		 2129 return 0;
2130
2131 switch (result) {
2132 case L2CAP_CONF_SUCCESS:
2133 break;
2134
2135 case L2CAP_CONF_UNACCEPT:
2136 if (++l2cap_pi(sk)->conf_retry < L2CAP_CONF_MAX_RETRIES) {
2137 char req[128];
2138 /* It does not make sense to adjust L2CAP parameters
2139 * that are currently defined in the spec. We simply
2140 * resend config request that we sent earlier. It is
2141 * stupid, but it helps qualification testing which
2142 * expects at least some response from us. */
2143 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2144 l2cap_build_conf_req(sk, req), req);
2145 goto done;
2146 }
2147
8e87d142 2148 default:
1da177e4 2149 sk->sk_state = BT_DISCONN;
b1235d79 2150 sk->sk_err = ECONNRESET;
1da177e4
LT		 2151 l2cap_sock_set_timer(sk, HZ * 5);
2152 {
2153 struct l2cap_disconn_req req;
aca3192c
YH		 2154 req.dcid = cpu_to_le16(l2cap_pi(sk)->dcid);
2155 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
1da177e4
LT		 2156 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2157 L2CAP_DISCONN_REQ, sizeof(req), &req);
2158 }
2159 goto done;
2160 }
2161
2162 if (flags & 0x01)
2163 goto done;
2164
1da177e4
LT		 2165 l2cap_pi(sk)->conf_state |= L2CAP_CONF_INPUT_DONE;
2166
2167 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE) {
2168 sk->sk_state = BT_CONNECTED;
2169 l2cap_chan_ready(sk);
2170 }
2171
2172done:
2173 bh_unlock_sock(sk);
2174 return 0;
2175}
2176
2177static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2178{
2179 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
2180 struct l2cap_disconn_rsp rsp;
2181 u16 dcid, scid;
2182 struct sock *sk;
2183
2184 scid = __le16_to_cpu(req->scid);
2185 dcid = __le16_to_cpu(req->dcid);
2186
2187 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
2188
af05b30b
GP		 2189 sk = l2cap_get_chan_by_scid(&conn->chan_list, dcid);
2190 if (!sk)
1da177e4
LT		 2191 return 0;
2192
aca3192c
YH		 2193 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
2194 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
1da177e4
LT		 2195 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
2196
2197 sk->sk_shutdown = SHUTDOWN_MASK;
2198
2199 l2cap_chan_del(sk, ECONNRESET);
2200 bh_unlock_sock(sk);
2201
2202 l2cap_sock_kill(sk);
2203 return 0;
2204}
2205
2206static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2207{
2208 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
2209 u16 dcid, scid;
2210 struct sock *sk;
2211
2212 scid = __le16_to_cpu(rsp->scid);
2213 dcid = __le16_to_cpu(rsp->dcid);
2214
2215 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
2216
af05b30b
GP		 2217 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
2218 if (!sk)
1da177e4
LT		 2219 return 0;
2220
2221 l2cap_chan_del(sk, 0);
2222 bh_unlock_sock(sk);
2223
2224 l2cap_sock_kill(sk);
2225 return 0;
2226}
2227
2228static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2229{
2230 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 2231 u16 type;
2232
2233 type = __le16_to_cpu(req->type);
2234
2235 BT_DBG("type 0x%4.4x", type);
2236
f0709e03
MH		 2237 if (type == L2CAP_IT_FEAT_MASK) {
2238 u8 buf[8];
44dd46de 2239 u32 feat_mask = l2cap_feat_mask;
f0709e03
MH		 2240 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2241 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2242 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
44dd46de
MH		 2243 if (enable_ertm)
2244 feat_mask |= L2CAP_FEAT_ERTM;
2245 put_unaligned(cpu_to_le32(feat_mask), (__le32 *) rsp->data);
f0709e03
MH		 2246 l2cap_send_cmd(conn, cmd->ident,
2247 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 2248 } else if (type == L2CAP_IT_FIXED_CHAN) {
2249 u8 buf[12];
2250 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2251 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2252 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
2253 memcpy(buf + 4, l2cap_fixed_chan, 8);
2254 l2cap_send_cmd(conn, cmd->ident,
2255 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 2256 } else {
2257 struct l2cap_info_rsp rsp;
2258 rsp.type = cpu_to_le16(type);
2259 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
2260 l2cap_send_cmd(conn, cmd->ident,
2261 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
2262 }
1da177e4
LT		 2263
2264 return 0;
2265}
2266
2267static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2268{
2269 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
2270 u16 type, result;
2271
2272 type = __le16_to_cpu(rsp->type);
2273 result = __le16_to_cpu(rsp->result);
2274
2275 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
2276
4e8402a3
MH		 2277 del_timer(&conn->info_timer);
2278
984947dc 2279 if (type == L2CAP_IT_FEAT_MASK) {
83985319 2280 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 2281
47ec1dcd 2282 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c
MH		 2283 struct l2cap_info_req req;
2284 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2285
2286 conn->info_ident = l2cap_get_ident(conn);
2287
2288 l2cap_send_cmd(conn, conn->info_ident,
2289 L2CAP_INFO_REQ, sizeof(req), &req);
2290 } else {
2291 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2292 conn->info_ident = 0;
2293
2294 l2cap_conn_start(conn);
2295 }
2296 } else if (type == L2CAP_IT_FIXED_CHAN) {
984947dc 2297 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2298 conn->info_ident = 0;
984947dc
MH		 2299
2300 l2cap_conn_start(conn);
2301 }
4e8402a3 2302
1da177e4
LT		 2303 return 0;
2304}
2305
2306static inline void l2cap_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb)
2307{
2308 u8 *data = skb->data;
2309 int len = skb->len;
2310 struct l2cap_cmd_hdr cmd;
2311 int err = 0;
2312
2313 l2cap_raw_recv(conn, skb);
2314
2315 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 2316 u16 cmd_len;
1da177e4
LT		 2317 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
2318 data += L2CAP_CMD_HDR_SIZE;
2319 len -= L2CAP_CMD_HDR_SIZE;
2320
88219a0f 2321 cmd_len = le16_to_cpu(cmd.len);
1da177e4 2322
88219a0f 2323 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 2324
88219a0f 2325 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 2326 BT_DBG("corrupted command");
2327 break;
2328 }
2329
2330 switch (cmd.code) {
2331 case L2CAP_COMMAND_REJ:
4e8402a3 2332 l2cap_command_rej(conn, &cmd, data);
1da177e4
LT		 2333 break;
2334
2335 case L2CAP_CONN_REQ:
2336 err = l2cap_connect_req(conn, &cmd, data);
2337 break;
2338
2339 case L2CAP_CONN_RSP:
2340 err = l2cap_connect_rsp(conn, &cmd, data);
2341 break;
2342
2343 case L2CAP_CONF_REQ:
88219a0f 2344 err = l2cap_config_req(conn, &cmd, cmd_len, data);
1da177e4
LT		 2345 break;
2346
2347 case L2CAP_CONF_RSP:
2348 err = l2cap_config_rsp(conn, &cmd, data);
2349 break;
2350
2351 case L2CAP_DISCONN_REQ:
2352 err = l2cap_disconnect_req(conn, &cmd, data);
2353 break;
2354
2355 case L2CAP_DISCONN_RSP:
2356 err = l2cap_disconnect_rsp(conn, &cmd, data);
2357 break;
2358
2359 case L2CAP_ECHO_REQ:
88219a0f 2360 l2cap_send_cmd(conn, cmd.ident, L2CAP_ECHO_RSP, cmd_len, data);
1da177e4
LT		 2361 break;
2362
2363 case L2CAP_ECHO_RSP:
2364 break;
2365
2366 case L2CAP_INFO_REQ:
2367 err = l2cap_information_req(conn, &cmd, data);
2368 break;
2369
2370 case L2CAP_INFO_RSP:
2371 err = l2cap_information_rsp(conn, &cmd, data);
2372 break;
2373
2374 default:
2375 BT_ERR("Unknown signaling command 0x%2.2x", cmd.code);
2376 err = -EINVAL;
2377 break;
2378 }
2379
2380 if (err) {
2381 struct l2cap_cmd_rej rej;
2382 BT_DBG("error %d", err);
2383
2384 /* FIXME: Map err to a valid reason */
aca3192c 2385 rej.reason = cpu_to_le16(0);
1da177e4
LT		 2386 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
2387 }
2388
88219a0f
AV		 2389 data += cmd_len;
2390 len -= cmd_len;
1da177e4
LT		 2391 }
2392
2393 kfree_skb(skb);
2394}
2395
2396static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
2397{
2398 struct sock *sk;
2399
2400 sk = l2cap_get_chan_by_scid(&conn->chan_list, cid);
2401 if (!sk) {
2402 BT_DBG("unknown cid 0x%4.4x", cid);
2403 goto drop;
2404 }
2405
2406 BT_DBG("sk %p, len %d", sk, skb->len);
2407
2408 if (sk->sk_state != BT_CONNECTED)
2409 goto drop;
2410
2411 if (l2cap_pi(sk)->imtu < skb->len)
2412 goto drop;
2413
2414 /* If socket recv buffers overflows we drop data here
2415 * which is *bad* because L2CAP has to be reliable.
2416 * But we don't have any other choice. L2CAP doesn't
2417 * provide flow control mechanism. */
2418
2419 if (!sock_queue_rcv_skb(sk, skb))
2420 goto done;
2421
2422drop:
2423 kfree_skb(skb);
2424
2425done:
0139418c
MH		 2426 if (sk)
2427 bh_unlock_sock(sk);
2428
1da177e4
LT		 2429 return 0;
2430}
2431
8e036fc3 2432static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
1da177e4
LT		 2433{
2434 struct sock *sk;
2435
2436 sk = l2cap_get_sock_by_psm(0, psm, conn->src);
2437 if (!sk)
2438 goto drop;
2439
2440 BT_DBG("sk %p, len %d", sk, skb->len);
2441
2442 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_CONNECTED)
2443 goto drop;
2444
2445 if (l2cap_pi(sk)->imtu < skb->len)
2446 goto drop;
2447
2448 if (!sock_queue_rcv_skb(sk, skb))
2449 goto done;
2450
2451drop:
2452 kfree_skb(skb);
2453
2454done:
af05b30b
GP		 2455 if (sk)
2456 bh_unlock_sock(sk);
1da177e4
LT		 2457 return 0;
2458}
2459
2460static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
2461{
2462 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 2463 u16 cid, len;
2464 __le16 psm;
1da177e4
LT		 2465
2466 skb_pull(skb, L2CAP_HDR_SIZE);
2467 cid = __le16_to_cpu(lh->cid);
2468 len = __le16_to_cpu(lh->len);
2469
2470 BT_DBG("len %d, cid 0x%4.4x", len, cid);
2471
2472 switch (cid) {
8db4dc46 2473 case L2CAP_CID_SIGNALING:
1da177e4
LT		 2474 l2cap_sig_channel(conn, skb);
2475 break;
2476
8db4dc46 2477 case L2CAP_CID_CONN_LESS:
8e036fc3 2478 psm = get_unaligned((__le16 *) skb->data);
1da177e4
LT		 2479 skb_pull(skb, 2);
2480 l2cap_conless_channel(conn, psm, skb);
2481 break;
2482
2483 default:
2484 l2cap_data_channel(conn, cid, skb);
2485 break;
2486 }
2487}
2488
2489/* ---- L2CAP interface with lower layer (HCI) ---- */
2490
2491static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
2492{
2493 int exact = 0, lm1 = 0, lm2 = 0;
2494 register struct sock *sk;
2495 struct hlist_node *node;
2496
2497 if (type != ACL_LINK)
2498 return 0;
2499
2500 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
2501
2502 /* Find listening sockets and check their link_mode */
2503 read_lock(&l2cap_sk_list.lock);
2504 sk_for_each(sk, node, &l2cap_sk_list.head) {
2505 if (sk->sk_state != BT_LISTEN)
2506 continue;
2507
2508 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5
MH		 2509 lm1 |= HCI_LM_ACCEPT;
2510 if (l2cap_pi(sk)->role_switch)
2511 lm1 |= HCI_LM_MASTER;
1da177e4 2512 exact++;
2af6b9d5
MH		 2513 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
2514 lm2 |= HCI_LM_ACCEPT;
2515 if (l2cap_pi(sk)->role_switch)
2516 lm2 |= HCI_LM_MASTER;
2517 }
1da177e4
LT		 2518 }
2519 read_unlock(&l2cap_sk_list.lock);
2520
2521 return exact ? lm1 : lm2;
2522}
2523
2524static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
2525{
0139418c
MH		 2526 struct l2cap_conn *conn;
2527
1da177e4
LT		 2528 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
2529
2530 if (hcon->type != ACL_LINK)
2531 return 0;
2532
2533 if (!status) {
1da177e4
LT		 2534 conn = l2cap_conn_add(hcon, status);
2535 if (conn)
2536 l2cap_conn_ready(conn);
0139418c 2537 } else
1da177e4
LT		 2538 l2cap_conn_del(hcon, bt_err(status));
2539
2540 return 0;
2541}
2542
2950f21a
MH		 2543static int l2cap_disconn_ind(struct hci_conn *hcon)
2544{
2545 struct l2cap_conn *conn = hcon->l2cap_data;
2546
2547 BT_DBG("hcon %p", hcon);
2548
2549 if (hcon->type != ACL_LINK || !conn)
2550 return 0x13;
2551
2552 return conn->disc_reason;
2553}
2554
2555static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 2556{
2557 BT_DBG("hcon %p reason %d", hcon, reason);
2558
2559 if (hcon->type != ACL_LINK)
2560 return 0;
2561
2562 l2cap_conn_del(hcon, bt_err(reason));
0139418c 2563
1da177e4
LT		 2564 return 0;
2565}
2566
f62e4323
MH		 2567static inline void l2cap_check_encryption(struct sock *sk, u8 encrypt)
2568{
255c7601
MH		 2569 if (sk->sk_type != SOCK_SEQPACKET)
2570 return;
2571
f62e4323
MH		 2572 if (encrypt == 0x00) {
2573 if (l2cap_pi(sk)->sec_level == BT_SECURITY_MEDIUM) {
2574 l2cap_sock_clear_timer(sk);
2575 l2cap_sock_set_timer(sk, HZ * 5);
2576 } else if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
2577 __l2cap_sock_close(sk, ECONNREFUSED);
2578 } else {
2579 if (l2cap_pi(sk)->sec_level == BT_SECURITY_MEDIUM)
2580 l2cap_sock_clear_timer(sk);
2581 }
2582}
2583
8c1b2355 2584static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4
LT		 2585{
2586 struct l2cap_chan_list *l;
0139418c 2587 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4 2588 struct sock *sk;
1da177e4 2589
0139418c 2590 if (!conn)
1da177e4 2591 return 0;
0139418c 2592
1da177e4
LT		 2593 l = &conn->chan_list;
2594
2595 BT_DBG("conn %p", conn);
2596
2597 read_lock(&l->lock);
2598
2599 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
2600 bh_lock_sock(sk);
2601
6a8d3010
MH		 2602 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_CONNECT_PEND) {
2603 bh_unlock_sock(sk);
2604 continue;
2605 }
2606
f62e4323 2607 if (!status && (sk->sk_state == BT_CONNECTED ||
8c1b2355 2608 sk->sk_state == BT_CONFIG)) {
f62e4323 2609 l2cap_check_encryption(sk, encrypt);
9719f8af
MH		 2610 bh_unlock_sock(sk);
2611 continue;
2612 }
2613
b1235d79
MH		 2614 if (sk->sk_state == BT_CONNECT) {
2615 if (!status) {
2616 struct l2cap_conn_req req;
2617 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
2618 req.psm = l2cap_pi(sk)->psm;
1da177e4 2619
b1235d79 2620 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
1da177e4 2621
b1235d79
MH		 2622 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
2623 L2CAP_CONN_REQ, sizeof(req), &req);
2624 } else {
2625 l2cap_sock_clear_timer(sk);
2626 l2cap_sock_set_timer(sk, HZ / 10);
2627 }
2628 } else if (sk->sk_state == BT_CONNECT2) {
2629 struct l2cap_conn_rsp rsp;
2630 __u16 result;
1da177e4 2631
b1235d79
MH		 2632 if (!status) {
2633 sk->sk_state = BT_CONFIG;
2634 result = L2CAP_CR_SUCCESS;
2635 } else {
2636 sk->sk_state = BT_DISCONN;
2637 l2cap_sock_set_timer(sk, HZ / 10);
2638 result = L2CAP_CR_SEC_BLOCK;
2639 }
2640
2641 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
2642 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
2643 rsp.result = cpu_to_le16(result);
e7c29cb1 2644 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
b1235d79
MH		 2645 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
2646 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2647 }
1da177e4
LT		 2648
2649 bh_unlock_sock(sk);
2650 }
2651
2652 read_unlock(&l->lock);
b1235d79 2653
1da177e4
LT		 2654 return 0;
2655}
2656
2657static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
2658{
2659 struct l2cap_conn *conn = hcon->l2cap_data;
2660
2661 if (!conn && !(conn = l2cap_conn_add(hcon, 0)))
2662 goto drop;
2663
2664 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
2665
2666 if (flags & ACL_START) {
2667 struct l2cap_hdr *hdr;
2668 int len;
2669
2670 if (conn->rx_len) {
2671 BT_ERR("Unexpected start frame (len %d)", skb->len);
2672 kfree_skb(conn->rx_skb);
2673 conn->rx_skb = NULL;
2674 conn->rx_len = 0;
2675 l2cap_conn_unreliable(conn, ECOMM);
2676 }
2677
2678 if (skb->len < 2) {
2679 BT_ERR("Frame is too short (len %d)", skb->len);
2680 l2cap_conn_unreliable(conn, ECOMM);
2681 goto drop;
2682 }
2683
2684 hdr = (struct l2cap_hdr *) skb->data;
2685 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
2686
2687 if (len == skb->len) {
2688 /* Complete frame received */
2689 l2cap_recv_frame(conn, skb);
2690 return 0;
2691 }
2692
2693 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
2694
2695 if (skb->len > len) {
2696 BT_ERR("Frame is too long (len %d, expected len %d)",
2697 skb->len, len);
2698 l2cap_conn_unreliable(conn, ECOMM);
2699 goto drop;
2700 }
2701
2702 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 2703 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
2704 if (!conn->rx_skb)
1da177e4
LT		 2705 goto drop;
2706
d626f62b 2707 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 2708 skb->len);
1da177e4
LT		 2709 conn->rx_len = len - skb->len;
2710 } else {
2711 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
2712
2713 if (!conn->rx_len) {
2714 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
2715 l2cap_conn_unreliable(conn, ECOMM);
2716 goto drop;
2717 }
2718
2719 if (skb->len > conn->rx_len) {
2720 BT_ERR("Fragment is too long (len %d, expected %d)",
2721 skb->len, conn->rx_len);
2722 kfree_skb(conn->rx_skb);
2723 conn->rx_skb = NULL;
2724 conn->rx_len = 0;
2725 l2cap_conn_unreliable(conn, ECOMM);
2726 goto drop;
2727 }
2728
d626f62b 2729 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 2730 skb->len);
1da177e4
LT		 2731 conn->rx_len -= skb->len;
2732
2733 if (!conn->rx_len) {
2734 /* Complete frame received */
2735 l2cap_recv_frame(conn, conn->rx_skb);
2736 conn->rx_skb = NULL;
2737 }
2738 }
2739
2740drop:
2741 kfree_skb(skb);
2742 return 0;
2743}
2744
be9d1227 2745static ssize_t l2cap_sysfs_show(struct class *dev, char *buf)
1da177e4
LT		 2746{
2747 struct sock *sk;
2748 struct hlist_node *node;
be9d1227 2749 char *str = buf;
1da177e4
LT		 2750
2751 read_lock_bh(&l2cap_sk_list.lock);
2752
be9d1227
MH		 2753 sk_for_each(sk, node, &l2cap_sk_list.head) {
2754 struct l2cap_pinfo *pi = l2cap_pi(sk);
1da177e4 2755
2af6b9d5 2756 str += sprintf(str, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d\n",
be9d1227 2757 batostr(&bt_sk(sk)->src), batostr(&bt_sk(sk)->dst),
b4324b5d
MH		 2758 sk->sk_state, __le16_to_cpu(pi->psm), pi->scid,
2759 pi->dcid, pi->imtu, pi->omtu, pi->sec_level);
be9d1227 2760 }
1da177e4 2761
1da177e4 2762 read_unlock_bh(&l2cap_sk_list.lock);
1da177e4 2763
af05b30b 2764 return str - buf;
1da177e4
LT		 2765}
2766
be9d1227 2767static CLASS_ATTR(l2cap, S_IRUGO, l2cap_sysfs_show, NULL);
1da177e4 2768
90ddc4f0 2769static const struct proto_ops l2cap_sock_ops = {
1da177e4
LT		 2770 .family = PF_BLUETOOTH,
2771 .owner = THIS_MODULE,
2772 .release = l2cap_sock_release,
2773 .bind = l2cap_sock_bind,
2774 .connect = l2cap_sock_connect,
2775 .listen = l2cap_sock_listen,
2776 .accept = l2cap_sock_accept,
2777 .getname = l2cap_sock_getname,
2778 .sendmsg = l2cap_sock_sendmsg,
f66dc81f 2779 .recvmsg = l2cap_sock_recvmsg,
1da177e4 2780 .poll = bt_sock_poll,
3241ad82 2781 .ioctl = bt_sock_ioctl,
1da177e4
LT		 2782 .mmap = sock_no_mmap,
2783 .socketpair = sock_no_socketpair,
1da177e4
LT		 2784 .shutdown = l2cap_sock_shutdown,
2785 .setsockopt = l2cap_sock_setsockopt,
2786 .getsockopt = l2cap_sock_getsockopt
2787};
2788
2789static struct net_proto_family l2cap_sock_family_ops = {
2790 .family = PF_BLUETOOTH,
2791 .owner = THIS_MODULE,
2792 .create = l2cap_sock_create,
2793};
2794
2795static struct hci_proto l2cap_hci_proto = {
2796 .name = "L2CAP",
2797 .id = HCI_PROTO_L2CAP,
2798 .connect_ind = l2cap_connect_ind,
2799 .connect_cfm = l2cap_connect_cfm,
2800 .disconn_ind = l2cap_disconn_ind,
2950f21a 2801 .disconn_cfm = l2cap_disconn_cfm,
8c1b2355 2802 .security_cfm = l2cap_security_cfm,
1da177e4
LT		 2803 .recv_acldata = l2cap_recv_acldata
2804};
2805
2806static int __init l2cap_init(void)
2807{
2808 int err;
be9d1227 2809
1da177e4
LT		 2810 err = proto_register(&l2cap_proto, 0);
2811 if (err < 0)
2812 return err;
2813
2814 err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
2815 if (err < 0) {
2816 BT_ERR("L2CAP socket registration failed");
2817 goto error;
2818 }
2819
2820 err = hci_register_proto(&l2cap_hci_proto);
2821 if (err < 0) {
2822 BT_ERR("L2CAP protocol registration failed");
2823 bt_sock_unregister(BTPROTO_L2CAP);
2824 goto error;
2825 }
2826
df5c37ea
MH		 2827 if (class_create_file(bt_class, &class_attr_l2cap) < 0)
2828 BT_ERR("Failed to create L2CAP info file");
1da177e4
LT		 2829
2830 BT_INFO("L2CAP ver %s", VERSION);
2831 BT_INFO("L2CAP socket layer initialized");
2832
2833 return 0;
2834
2835error:
2836 proto_unregister(&l2cap_proto);
2837 return err;
2838}
2839
2840static void __exit l2cap_exit(void)
2841{
a91f2e39 2842 class_remove_file(bt_class, &class_attr_l2cap);
1da177e4
LT		 2843
2844 if (bt_sock_unregister(BTPROTO_L2CAP) < 0)
2845 BT_ERR("L2CAP socket unregistration failed");
2846
2847 if (hci_unregister_proto(&l2cap_hci_proto) < 0)
2848 BT_ERR("L2CAP protocol unregistration failed");
2849
2850 proto_unregister(&l2cap_proto);
2851}
2852
2853void l2cap_load(void)
2854{
2855 /* Dummy function to trigger automatic L2CAP module loading by
2856 * other modules that use L2CAP sockets but don't use any other
2857 * symbols from it. */
2858 return;
2859}
2860EXPORT_SYMBOL(l2cap_load);
2861
2862module_init(l2cap_init);
2863module_exit(l2cap_exit);
2864
44dd46de
MH		 2865module_param(enable_ertm, bool, 0644);
2866MODULE_PARM_DESC(enable_ertm, "Enable enhanced retransmission mode");
2867
63fbd24e 2868MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
1da177e4
LT		 2869MODULE_DESCRIPTION("Bluetooth L2CAP ver " VERSION);
2870MODULE_VERSION(VERSION);
2871MODULE_LICENSE("GPL");
2872MODULE_ALIAS("bt-proto-0");
kernel source for telekom puls (alcatel/mediatek)