]> bbs.cooldavid.org Git - net-next-2.6.git/blame - net/bluetooth/l2cap.c
git://bbs.cooldavid.org / net-next-2.6.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Add basic constants for L2CAP ERTM support and use them
[net-next-2.6.git] / net / bluetooth / l2cap.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4
5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License version 2 as
9 published by the Free Software Foundation;
10
11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19
8e87d142
YH		 20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 22 SOFTWARE IS DISCLAIMED.
23*/
24
25/* Bluetooth L2CAP core and sockets. */
26
1da177e4
LT		 27#include <linux/module.h>
28
29#include <linux/types.h>
4fc268d2 30#include <linux/capability.h>
1da177e4
LT		 31#include <linux/errno.h>
32#include <linux/kernel.h>
1da177e4
LT		 33#include <linux/sched.h>
34#include <linux/slab.h>
35#include <linux/poll.h>
36#include <linux/fcntl.h>
37#include <linux/init.h>
38#include <linux/interrupt.h>
39#include <linux/socket.h>
40#include <linux/skbuff.h>
1da177e4 41#include <linux/list.h>
be9d1227 42#include <linux/device.h>
af05b30b 43#include <linux/uaccess.h>
1da177e4
LT		 44#include <net/sock.h>
45
46#include <asm/system.h>
1da177e4
LT		 47#include <asm/unaligned.h>
48
49#include <net/bluetooth/bluetooth.h>
50#include <net/bluetooth/hci_core.h>
51#include <net/bluetooth/l2cap.h>
52
e1027a7c 53#define VERSION "2.13"
f0709e03 54
47ec1dcd 55static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
e1027a7c 56static u8 l2cap_fixed_chan[8] = { 0x02, };
1da177e4 57
90ddc4f0 58static const struct proto_ops l2cap_sock_ops;
1da177e4
LT		 59
60static struct bt_sock_list l2cap_sk_list = {
d5fb2962 61 .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
1da177e4
LT		 62};
63
1da177e4
LT		 64static void __l2cap_sock_close(struct sock *sk, int reason);
65static void l2cap_sock_close(struct sock *sk);
66static void l2cap_sock_kill(struct sock *sk);
67
68static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
69 u8 code, u8 ident, u16 dlen, void *data);
70
71/* ---- L2CAP timers ---- */
72static void l2cap_sock_timeout(unsigned long arg)
73{
74 struct sock *sk = (struct sock *) arg;
b1235d79 75 int reason;
1da177e4
LT		 76
77 BT_DBG("sock %p state %d", sk, sk->sk_state);
78
79 bh_lock_sock(sk);
b1235d79 80
f62e4323
MH		 81 if (sk->sk_state == BT_CONNECTED || sk->sk_state == BT_CONFIG)
82 reason = ECONNREFUSED;
83 else if (sk->sk_state == BT_CONNECT &&
2af6b9d5 84 l2cap_pi(sk)->sec_level != BT_SECURITY_SDP)
b1235d79
MH		 85 reason = ECONNREFUSED;
86 else
87 reason = ETIMEDOUT;
88
89 __l2cap_sock_close(sk, reason);
90
1da177e4
LT		 91 bh_unlock_sock(sk);
92
93 l2cap_sock_kill(sk);
94 sock_put(sk);
95}
96
97static void l2cap_sock_set_timer(struct sock *sk, long timeout)
98{
99 BT_DBG("sk %p state %d timeout %ld", sk, sk->sk_state, timeout);
100 sk_reset_timer(sk, &sk->sk_timer, jiffies + timeout);
101}
102
103static void l2cap_sock_clear_timer(struct sock *sk)
104{
105 BT_DBG("sock %p state %d", sk, sk->sk_state);
106 sk_stop_timer(sk, &sk->sk_timer);
107}
108
0139418c
MH		 109/* ---- L2CAP channels ---- */
110static struct sock *__l2cap_get_chan_by_dcid(struct l2cap_chan_list *l, u16 cid)
111{
112 struct sock *s;
113 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
114 if (l2cap_pi(s)->dcid == cid)
115 break;
116 }
117 return s;
118}
119
120static struct sock *__l2cap_get_chan_by_scid(struct l2cap_chan_list *l, u16 cid)
121{
122 struct sock *s;
123 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
124 if (l2cap_pi(s)->scid == cid)
125 break;
126 }
127 return s;
128}
129
130/* Find channel with given SCID.
131 * Returns locked socket */
132static inline struct sock *l2cap_get_chan_by_scid(struct l2cap_chan_list *l, u16 cid)
133{
134 struct sock *s;
135 read_lock(&l->lock);
136 s = __l2cap_get_chan_by_scid(l, cid);
af05b30b
GP		 137 if (s)
138 bh_lock_sock(s);
0139418c
MH		 139 read_unlock(&l->lock);
140 return s;
141}
142
143static struct sock *__l2cap_get_chan_by_ident(struct l2cap_chan_list *l, u8 ident)
144{
145 struct sock *s;
146 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
147 if (l2cap_pi(s)->ident == ident)
148 break;
149 }
150 return s;
151}
152
153static inline struct sock *l2cap_get_chan_by_ident(struct l2cap_chan_list *l, u8 ident)
154{
155 struct sock *s;
156 read_lock(&l->lock);
157 s = __l2cap_get_chan_by_ident(l, ident);
af05b30b
GP		 158 if (s)
159 bh_lock_sock(s);
0139418c
MH		 160 read_unlock(&l->lock);
161 return s;
162}
163
164static u16 l2cap_alloc_cid(struct l2cap_chan_list *l)
165{
8db4dc46 166 u16 cid = L2CAP_CID_DYN_START;
0139418c 167
8db4dc46 168 for (; cid < L2CAP_CID_DYN_END; cid++) {
af05b30b 169 if (!__l2cap_get_chan_by_scid(l, cid))
0139418c
MH		 170 return cid;
171 }
172
173 return 0;
174}
175
176static inline void __l2cap_chan_link(struct l2cap_chan_list *l, struct sock *sk)
177{
178 sock_hold(sk);
179
180 if (l->head)
181 l2cap_pi(l->head)->prev_c = sk;
182
183 l2cap_pi(sk)->next_c = l->head;
184 l2cap_pi(sk)->prev_c = NULL;
185 l->head = sk;
186}
187
188static inline void l2cap_chan_unlink(struct l2cap_chan_list *l, struct sock *sk)
189{
190 struct sock *next = l2cap_pi(sk)->next_c, *prev = l2cap_pi(sk)->prev_c;
191
fd1278d7 192 write_lock_bh(&l->lock);
0139418c
MH		 193 if (sk == l->head)
194 l->head = next;
195
196 if (next)
197 l2cap_pi(next)->prev_c = prev;
198 if (prev)
199 l2cap_pi(prev)->next_c = next;
fd1278d7 200 write_unlock_bh(&l->lock);
0139418c
MH		 201
202 __sock_put(sk);
203}
204
205static void __l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent)
206{
207 struct l2cap_chan_list *l = &conn->chan_list;
208
af05b30b
GP		 209 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
210 l2cap_pi(sk)->psm, l2cap_pi(sk)->dcid);
0139418c 211
2950f21a
MH		 212 conn->disc_reason = 0x13;
213
0139418c
MH		 214 l2cap_pi(sk)->conn = conn;
215
216 if (sk->sk_type == SOCK_SEQPACKET) {
217 /* Alloc CID for connection-oriented socket */
218 l2cap_pi(sk)->scid = l2cap_alloc_cid(l);
219 } else if (sk->sk_type == SOCK_DGRAM) {
220 /* Connectionless socket */
8db4dc46
GP		 221 l2cap_pi(sk)->scid = L2CAP_CID_CONN_LESS;
222 l2cap_pi(sk)->dcid = L2CAP_CID_CONN_LESS;
0139418c
MH		 223 l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU;
224 } else {
225 /* Raw socket can send/recv signalling messages only */
8db4dc46
GP		 226 l2cap_pi(sk)->scid = L2CAP_CID_SIGNALING;
227 l2cap_pi(sk)->dcid = L2CAP_CID_SIGNALING;
0139418c
MH		 228 l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU;
229 }
230
231 __l2cap_chan_link(l, sk);
232
233 if (parent)
234 bt_accept_enqueue(parent, sk);
235}
236
8e87d142 237/* Delete channel.
0139418c
MH		 238 * Must be called on the locked socket. */
239static void l2cap_chan_del(struct sock *sk, int err)
240{
241 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
242 struct sock *parent = bt_sk(sk)->parent;
243
244 l2cap_sock_clear_timer(sk);
245
246 BT_DBG("sk %p, conn %p, err %d", sk, conn, err);
247
8e87d142 248 if (conn) {
0139418c
MH		 249 /* Unlink from channel list */
250 l2cap_chan_unlink(&conn->chan_list, sk);
251 l2cap_pi(sk)->conn = NULL;
252 hci_conn_put(conn->hcon);
253 }
254
b1235d79 255 sk->sk_state = BT_CLOSED;
0139418c
MH		 256 sock_set_flag(sk, SOCK_ZAPPED);
257
258 if (err)
259 sk->sk_err = err;
260
261 if (parent) {
262 bt_accept_unlink(sk);
263 parent->sk_data_ready(parent, 0);
264 } else
265 sk->sk_state_change(sk);
266}
267
79d554a6 268/* Service level security */
2af6b9d5 269static inline int l2cap_check_security(struct sock *sk)
79d554a6
MH		 270{
271 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
0684e5f9
MH		 272 __u8 auth_type;
273
00ae4af9
MH		 274 if (l2cap_pi(sk)->psm == cpu_to_le16(0x0001)) {
275 if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
276 auth_type = HCI_AT_NO_BONDING_MITM;
277 else
af05b30b 278 auth_type = HCI_AT_NO_BONDING;
00ae4af9
MH		 279
280 if (l2cap_pi(sk)->sec_level == BT_SECURITY_LOW)
281 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
282 } else {
283 switch (l2cap_pi(sk)->sec_level) {
284 case BT_SECURITY_HIGH:
285 auth_type = HCI_AT_GENERAL_BONDING_MITM;
286 break;
287 case BT_SECURITY_MEDIUM:
288 auth_type = HCI_AT_GENERAL_BONDING;
289 break;
290 default:
291 auth_type = HCI_AT_NO_BONDING;
292 break;
293 }
0684e5f9 294 }
79d554a6 295
0684e5f9
MH		 296 return hci_conn_security(conn->hcon, l2cap_pi(sk)->sec_level,
297 auth_type);
79d554a6
MH		 298}
299
4e8402a3
MH		 300static inline u8 l2cap_get_ident(struct l2cap_conn *conn)
301{
302 u8 id;
303
304 /* Get next available identificator.
305 * 1 - 128 are used by kernel.
306 * 129 - 199 are reserved.
307 * 200 - 254 are used by utilities like l2ping, etc.
308 */
309
310 spin_lock_bh(&conn->lock);
311
312 if (++conn->tx_ident > 128)
313 conn->tx_ident = 1;
314
315 id = conn->tx_ident;
316
317 spin_unlock_bh(&conn->lock);
318
319 return id;
320}
321
322static inline int l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
323{
324 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
325
326 BT_DBG("code 0x%2.2x", code);
327
328 if (!skb)
329 return -ENOMEM;
330
331 return hci_send_acl(conn->hcon, skb, 0);
332}
333
79d554a6
MH		 334static void l2cap_do_start(struct sock *sk)
335{
336 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
337
338 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 339 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
340 return;
341
2af6b9d5 342 if (l2cap_check_security(sk)) {
b1235d79
MH		 343 struct l2cap_conn_req req;
344 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
345 req.psm = l2cap_pi(sk)->psm;
79d554a6 346
b1235d79 347 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
79d554a6 348
b1235d79 349 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
79d554a6 350 L2CAP_CONN_REQ, sizeof(req), &req);
b1235d79 351 }
79d554a6
MH		 352 } else {
353 struct l2cap_info_req req;
354 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
355
356 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
357 conn->info_ident = l2cap_get_ident(conn);
358
359 mod_timer(&conn->info_timer, jiffies +
360 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
361
362 l2cap_send_cmd(conn, conn->info_ident,
363 L2CAP_INFO_REQ, sizeof(req), &req);
364 }
365}
366
1da177e4 367/* ---- L2CAP connections ---- */
4e8402a3
MH		 368static void l2cap_conn_start(struct l2cap_conn *conn)
369{
370 struct l2cap_chan_list *l = &conn->chan_list;
371 struct sock *sk;
372
373 BT_DBG("conn %p", conn);
374
375 read_lock(&l->lock);
376
377 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
378 bh_lock_sock(sk);
379
380 if (sk->sk_type != SOCK_SEQPACKET) {
79d554a6
MH		 381 bh_unlock_sock(sk);
382 continue;
383 }
384
385 if (sk->sk_state == BT_CONNECT) {
2af6b9d5 386 if (l2cap_check_security(sk)) {
b1235d79
MH		 387 struct l2cap_conn_req req;
388 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
389 req.psm = l2cap_pi(sk)->psm;
79d554a6 390
b1235d79 391 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
79d554a6 392
b1235d79 393 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
4e8402a3 394 L2CAP_CONN_REQ, sizeof(req), &req);
b1235d79 395 }
79d554a6
MH		 396 } else if (sk->sk_state == BT_CONNECT2) {
397 struct l2cap_conn_rsp rsp;
398 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
399 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
400
2af6b9d5 401 if (l2cap_check_security(sk)) {
f66dc81f
MH		 402 if (bt_sk(sk)->defer_setup) {
403 struct sock *parent = bt_sk(sk)->parent;
404 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
405 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
406 parent->sk_data_ready(parent, 0);
407
408 } else {
409 sk->sk_state = BT_CONFIG;
410 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
411 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
412 }
79d554a6
MH		 413 } else {
414 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
415 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
416 }
417
418 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
419 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
4e8402a3
MH		 420 }
421
422 bh_unlock_sock(sk);
423 }
424
425 read_unlock(&l->lock);
426}
427
428static void l2cap_conn_ready(struct l2cap_conn *conn)
429{
79d554a6
MH		 430 struct l2cap_chan_list *l = &conn->chan_list;
431 struct sock *sk;
4e8402a3 432
79d554a6 433 BT_DBG("conn %p", conn);
4e8402a3 434
79d554a6 435 read_lock(&l->lock);
4e8402a3 436
79d554a6
MH		 437 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
438 bh_lock_sock(sk);
4e8402a3 439
79d554a6
MH		 440 if (sk->sk_type != SOCK_SEQPACKET) {
441 l2cap_sock_clear_timer(sk);
442 sk->sk_state = BT_CONNECTED;
443 sk->sk_state_change(sk);
444 } else if (sk->sk_state == BT_CONNECT)
445 l2cap_do_start(sk);
4e8402a3 446
79d554a6 447 bh_unlock_sock(sk);
4e8402a3 448 }
79d554a6
MH		 449
450 read_unlock(&l->lock);
4e8402a3
MH		 451}
452
453/* Notify sockets that we cannot guaranty reliability anymore */
454static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
455{
456 struct l2cap_chan_list *l = &conn->chan_list;
457 struct sock *sk;
458
459 BT_DBG("conn %p", conn);
460
461 read_lock(&l->lock);
462
463 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
2af6b9d5 464 if (l2cap_pi(sk)->force_reliable)
4e8402a3
MH		 465 sk->sk_err = err;
466 }
467
468 read_unlock(&l->lock);
469}
470
471static void l2cap_info_timeout(unsigned long arg)
472{
473 struct l2cap_conn *conn = (void *) arg;
474
984947dc 475 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 476 conn->info_ident = 0;
984947dc 477
4e8402a3
MH		 478 l2cap_conn_start(conn);
479}
480
1da177e4
LT		 481static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
482{
0139418c 483 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4 484
0139418c 485 if (conn || status)
1da177e4
LT		 486 return conn;
487
0139418c
MH		 488 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
489 if (!conn)
1da177e4 490 return NULL;
1da177e4
LT		 491
492 hcon->l2cap_data = conn;
493 conn->hcon = hcon;
494
0139418c
MH		 495 BT_DBG("hcon %p conn %p", hcon, conn);
496
1da177e4
LT		 497 conn->mtu = hcon->hdev->acl_mtu;
498 conn->src = &hcon->hdev->bdaddr;
499 conn->dst = &hcon->dst;
500
4e8402a3
MH		 501 conn->feat_mask = 0;
502
b1235d79
MH		 503 setup_timer(&conn->info_timer, l2cap_info_timeout,
504 (unsigned long) conn);
4e8402a3 505
1da177e4
LT		 506 spin_lock_init(&conn->lock);
507 rwlock_init(&conn->chan_list.lock);
508
2950f21a
MH		 509 conn->disc_reason = 0x13;
510
1da177e4
LT		 511 return conn;
512}
513
0139418c 514static void l2cap_conn_del(struct hci_conn *hcon, int err)
1da177e4 515{
0139418c 516 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4
LT		 517 struct sock *sk;
518
0139418c
MH		 519 if (!conn)
520 return;
1da177e4
LT		 521
522 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
523
7585b97a 524 kfree_skb(conn->rx_skb);
1da177e4
LT		 525
526 /* Kill channels */
527 while ((sk = conn->chan_list.head)) {
528 bh_lock_sock(sk);
529 l2cap_chan_del(sk, err);
530 bh_unlock_sock(sk);
531 l2cap_sock_kill(sk);
532 }
533
8e8440f5
DY		 534 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
535 del_timer_sync(&conn->info_timer);
3ab22731 536
1da177e4
LT		 537 hcon->l2cap_data = NULL;
538 kfree(conn);
1da177e4
LT		 539}
540
541static inline void l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent)
542{
543 struct l2cap_chan_list *l = &conn->chan_list;
fd1278d7 544 write_lock_bh(&l->lock);
1da177e4 545 __l2cap_chan_add(conn, sk, parent);
fd1278d7 546 write_unlock_bh(&l->lock);
1da177e4
LT		 547}
548
1da177e4 549/* ---- Socket interface ---- */
8e036fc3 550static struct sock *__l2cap_get_sock_by_addr(__le16 psm, bdaddr_t *src)
1da177e4
LT		 551{
552 struct sock *sk;
553 struct hlist_node *node;
554 sk_for_each(sk, node, &l2cap_sk_list.head)
555 if (l2cap_pi(sk)->sport == psm && !bacmp(&bt_sk(sk)->src, src))
556 goto found;
557 sk = NULL;
558found:
559 return sk;
560}
561
562/* Find socket with psm and source bdaddr.
563 * Returns closest match.
564 */
8e036fc3 565static struct sock *__l2cap_get_sock_by_psm(int state, __le16 psm, bdaddr_t *src)
1da177e4
LT		 566{
567 struct sock *sk = NULL, *sk1 = NULL;
568 struct hlist_node *node;
569
570 sk_for_each(sk, node, &l2cap_sk_list.head) {
571 if (state && sk->sk_state != state)
572 continue;
573
574 if (l2cap_pi(sk)->psm == psm) {
575 /* Exact match. */
576 if (!bacmp(&bt_sk(sk)->src, src))
577 break;
578
579 /* Closest match */
580 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
581 sk1 = sk;
582 }
583 }
584 return node ? sk : sk1;
585}
586
587/* Find socket with given address (psm, src).
588 * Returns locked socket */
8e036fc3 589static inline struct sock *l2cap_get_sock_by_psm(int state, __le16 psm, bdaddr_t *src)
1da177e4
LT		 590{
591 struct sock *s;
592 read_lock(&l2cap_sk_list.lock);
593 s = __l2cap_get_sock_by_psm(state, psm, src);
af05b30b
GP		 594 if (s)
595 bh_lock_sock(s);
1da177e4
LT		 596 read_unlock(&l2cap_sk_list.lock);
597 return s;
598}
599
600static void l2cap_sock_destruct(struct sock *sk)
601{
602 BT_DBG("sk %p", sk);
603
604 skb_queue_purge(&sk->sk_receive_queue);
605 skb_queue_purge(&sk->sk_write_queue);
606}
607
608static void l2cap_sock_cleanup_listen(struct sock *parent)
609{
610 struct sock *sk;
611
612 BT_DBG("parent %p", parent);
613
614 /* Close not yet accepted channels */
615 while ((sk = bt_accept_dequeue(parent, NULL)))
616 l2cap_sock_close(sk);
617
b1235d79 618 parent->sk_state = BT_CLOSED;
1da177e4
LT		 619 sock_set_flag(parent, SOCK_ZAPPED);
620}
621
622/* Kill socket (only if zapped and orphan)
623 * Must be called on unlocked socket.
624 */
625static void l2cap_sock_kill(struct sock *sk)
626{
627 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
628 return;
629
630 BT_DBG("sk %p state %d", sk, sk->sk_state);
631
632 /* Kill poor orphan */
633 bt_sock_unlink(&l2cap_sk_list, sk);
634 sock_set_flag(sk, SOCK_DEAD);
635 sock_put(sk);
636}
637
638static void __l2cap_sock_close(struct sock *sk, int reason)
639{
640 BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
641
642 switch (sk->sk_state) {
643 case BT_LISTEN:
644 l2cap_sock_cleanup_listen(sk);
645 break;
646
647 case BT_CONNECTED:
648 case BT_CONFIG:
1da177e4
LT		 649 if (sk->sk_type == SOCK_SEQPACKET) {
650 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
651 struct l2cap_disconn_req req;
652
653 sk->sk_state = BT_DISCONN;
654 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
655
aca3192c
YH		 656 req.dcid = cpu_to_le16(l2cap_pi(sk)->dcid);
657 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
1da177e4
LT		 658 l2cap_send_cmd(conn, l2cap_get_ident(conn),
659 L2CAP_DISCONN_REQ, sizeof(req), &req);
b1235d79 660 } else
1da177e4 661 l2cap_chan_del(sk, reason);
1da177e4
LT		 662 break;
663
f66dc81f
MH		 664 case BT_CONNECT2:
665 if (sk->sk_type == SOCK_SEQPACKET) {
666 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
667 struct l2cap_conn_rsp rsp;
668 __u16 result;
669
670 if (bt_sk(sk)->defer_setup)
671 result = L2CAP_CR_SEC_BLOCK;
672 else
673 result = L2CAP_CR_BAD_PSM;
674
675 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
676 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
677 rsp.result = cpu_to_le16(result);
678 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
679 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
680 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
681 } else
682 l2cap_chan_del(sk, reason);
683 break;
684
1da177e4
LT		 685 case BT_CONNECT:
686 case BT_DISCONN:
687 l2cap_chan_del(sk, reason);
688 break;
689
690 default:
691 sock_set_flag(sk, SOCK_ZAPPED);
692 break;
693 }
694}
695
696/* Must be called on unlocked socket. */
697static void l2cap_sock_close(struct sock *sk)
698{
699 l2cap_sock_clear_timer(sk);
700 lock_sock(sk);
701 __l2cap_sock_close(sk, ECONNRESET);
702 release_sock(sk);
703 l2cap_sock_kill(sk);
704}
705
706static void l2cap_sock_init(struct sock *sk, struct sock *parent)
707{
708 struct l2cap_pinfo *pi = l2cap_pi(sk);
709
710 BT_DBG("sk %p", sk);
711
712 if (parent) {
713 sk->sk_type = parent->sk_type;
f66dc81f
MH		 714 bt_sk(sk)->defer_setup = bt_sk(parent)->defer_setup;
715
1da177e4
LT		 716 pi->imtu = l2cap_pi(parent)->imtu;
717 pi->omtu = l2cap_pi(parent)->omtu;
2af6b9d5
MH		 718 pi->sec_level = l2cap_pi(parent)->sec_level;
719 pi->role_switch = l2cap_pi(parent)->role_switch;
720 pi->force_reliable = l2cap_pi(parent)->force_reliable;
1da177e4
LT		 721 } else {
722 pi->imtu = L2CAP_DEFAULT_MTU;
723 pi->omtu = 0;
2af6b9d5
MH		 724 pi->sec_level = BT_SECURITY_LOW;
725 pi->role_switch = 0;
726 pi->force_reliable = 0;
1da177e4
LT		 727 }
728
729 /* Default config options */
5dee9e7c 730 pi->conf_len = 0;
1da177e4
LT		 731 pi->flush_to = L2CAP_DEFAULT_FLUSH_TO;
732}
733
734static struct proto l2cap_proto = {
735 .name = "L2CAP",
736 .owner = THIS_MODULE,
737 .obj_size = sizeof(struct l2cap_pinfo)
738};
739
1b8d7ae4 740static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio)
1da177e4
LT		 741{
742 struct sock *sk;
743
6257ff21 744 sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto);
1da177e4
LT		 745 if (!sk)
746 return NULL;
747
748 sock_init_data(sock, sk);
749 INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
750
751 sk->sk_destruct = l2cap_sock_destruct;
4e8402a3 752 sk->sk_sndtimeo = msecs_to_jiffies(L2CAP_CONN_TIMEOUT);
1da177e4
LT		 753
754 sock_reset_flag(sk, SOCK_ZAPPED);
755
756 sk->sk_protocol = proto;
b1235d79 757 sk->sk_state = BT_OPEN;
1da177e4 758
b1235d79 759 setup_timer(&sk->sk_timer, l2cap_sock_timeout, (unsigned long) sk);
1da177e4
LT		 760
761 bt_sock_link(&l2cap_sk_list, sk);
762 return sk;
763}
764
1b8d7ae4 765static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol)
1da177e4
LT		 766{
767 struct sock *sk;
768
769 BT_DBG("sock %p", sock);
770
771 sock->state = SS_UNCONNECTED;
772
773 if (sock->type != SOCK_SEQPACKET &&
774 sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
775 return -ESOCKTNOSUPPORT;
776
777 if (sock->type == SOCK_RAW && !capable(CAP_NET_RAW))
778 return -EPERM;
779
780 sock->ops = &l2cap_sock_ops;
781
1b8d7ae4 782 sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC);
1da177e4
LT		 783 if (!sk)
784 return -ENOMEM;
785
786 l2cap_sock_init(sk, NULL);
787 return 0;
788}
789
f29972de 790static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
1da177e4 791{
1da177e4 792 struct sock *sk = sock->sk;
f29972de
MH		 793 struct sockaddr_l2 la;
794 int len, err = 0;
1da177e4 795
f29972de 796 BT_DBG("sk %p", sk);
1da177e4
LT		 797
798 if (!addr || addr->sa_family != AF_BLUETOOTH)
799 return -EINVAL;
800
f29972de
MH		 801 memset(&la, 0, sizeof(la));
802 len = min_t(unsigned int, sizeof(la), alen);
803 memcpy(&la, addr, len);
804
2a517ca6
MH		 805 if (la.l2_cid)
806 return -EINVAL;
807
1da177e4
LT		 808 lock_sock(sk);
809
810 if (sk->sk_state != BT_OPEN) {
811 err = -EBADFD;
812 goto done;
813 }
814
f29972de 815 if (la.l2_psm && btohs(la.l2_psm) < 0x1001 &&
847641d7
MH		 816 !capable(CAP_NET_BIND_SERVICE)) {
817 err = -EACCES;
818 goto done;
819 }
8e87d142 820
1da177e4
LT		 821 write_lock_bh(&l2cap_sk_list.lock);
822
f29972de 823 if (la.l2_psm && __l2cap_get_sock_by_addr(la.l2_psm, &la.l2_bdaddr)) {
1da177e4
LT		 824 err = -EADDRINUSE;
825 } else {
826 /* Save source address */
f29972de
MH		 827 bacpy(&bt_sk(sk)->src, &la.l2_bdaddr);
828 l2cap_pi(sk)->psm = la.l2_psm;
829 l2cap_pi(sk)->sport = la.l2_psm;
1da177e4 830 sk->sk_state = BT_BOUND;
2af6b9d5 831
f29972de 832 if (btohs(la.l2_psm) == 0x0001 || btohs(la.l2_psm) == 0x0003)
2af6b9d5 833 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
1da177e4
LT		 834 }
835
836 write_unlock_bh(&l2cap_sk_list.lock);
837
838done:
839 release_sock(sk);
840 return err;
841}
842
843static int l2cap_do_connect(struct sock *sk)
844{
845 bdaddr_t *src = &bt_sk(sk)->src;
846 bdaddr_t *dst = &bt_sk(sk)->dst;
847 struct l2cap_conn *conn;
848 struct hci_conn *hcon;
849 struct hci_dev *hdev;
09ab6f4c 850 __u8 auth_type;
44d0e48e 851 int err;
1da177e4 852
f29972de
MH		 853 BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
854 l2cap_pi(sk)->psm);
1da177e4 855
af05b30b
GP		 856 hdev = hci_get_route(dst, src);
857 if (!hdev)
1da177e4
LT		 858 return -EHOSTUNREACH;
859
860 hci_dev_lock_bh(hdev);
861
862 err = -ENOMEM;
863
8c1b2355 864 if (sk->sk_type == SOCK_RAW) {
2af6b9d5
MH		 865 switch (l2cap_pi(sk)->sec_level) {
866 case BT_SECURITY_HIGH:
8c1b2355 867 auth_type = HCI_AT_DEDICATED_BONDING_MITM;
2af6b9d5
MH		 868 break;
869 case BT_SECURITY_MEDIUM:
8c1b2355 870 auth_type = HCI_AT_DEDICATED_BONDING;
2af6b9d5
MH		 871 break;
872 default:
09ab6f4c 873 auth_type = HCI_AT_NO_BONDING;
2af6b9d5
MH		 874 break;
875 }
8c1b2355 876 } else if (l2cap_pi(sk)->psm == cpu_to_le16(0x0001)) {
2af6b9d5 877 if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
8c1b2355 878 auth_type = HCI_AT_NO_BONDING_MITM;
09ab6f4c 879 else
8c1b2355 880 auth_type = HCI_AT_NO_BONDING;
435fef20
MH		 881
882 if (l2cap_pi(sk)->sec_level == BT_SECURITY_LOW)
883 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
8c1b2355 884 } else {
2af6b9d5
MH		 885 switch (l2cap_pi(sk)->sec_level) {
886 case BT_SECURITY_HIGH:
8c1b2355 887 auth_type = HCI_AT_GENERAL_BONDING_MITM;
2af6b9d5
MH		 888 break;
889 case BT_SECURITY_MEDIUM:
09ab6f4c 890 auth_type = HCI_AT_GENERAL_BONDING;
2af6b9d5
MH		 891 break;
892 default:
8c1b2355 893 auth_type = HCI_AT_NO_BONDING;
2af6b9d5
MH		 894 break;
895 }
09ab6f4c
MH		 896 }
897
2af6b9d5
MH		 898 hcon = hci_connect(hdev, ACL_LINK, dst,
899 l2cap_pi(sk)->sec_level, auth_type);
1da177e4
LT		 900 if (!hcon)
901 goto done;
902
903 conn = l2cap_conn_add(hcon, 0);
904 if (!conn) {
905 hci_conn_put(hcon);
906 goto done;
907 }
908
909 err = 0;
910
911 /* Update source addr of the socket */
912 bacpy(src, conn->src);
913
914 l2cap_chan_add(conn, sk, NULL);
915
916 sk->sk_state = BT_CONNECT;
917 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
918
919 if (hcon->state == BT_CONNECTED) {
79d554a6 920 if (sk->sk_type != SOCK_SEQPACKET) {
1da177e4
LT		 921 l2cap_sock_clear_timer(sk);
922 sk->sk_state = BT_CONNECTED;
79d554a6
MH		 923 } else
924 l2cap_do_start(sk);
1da177e4
LT		 925 }
926
927done:
928 hci_dev_unlock_bh(hdev);
929 hci_dev_put(hdev);
930 return err;
931}
932
933static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags)
934{
1da177e4 935 struct sock *sk = sock->sk;
f29972de
MH		 936 struct sockaddr_l2 la;
937 int len, err = 0;
1da177e4 938
1da177e4
LT		 939 BT_DBG("sk %p", sk);
940
2a517ca6
MH		 941 if (!addr || addr->sa_family != AF_BLUETOOTH)
942 return -EINVAL;
1da177e4 943
f29972de
MH		 944 memset(&la, 0, sizeof(la));
945 len = min_t(unsigned int, sizeof(la), alen);
946 memcpy(&la, addr, len);
947
2a517ca6
MH		 948 if (la.l2_cid)
949 return -EINVAL;
950
951 lock_sock(sk);
952
f29972de 953 if (sk->sk_type == SOCK_SEQPACKET && !la.l2_psm) {
1da177e4
LT		 954 err = -EINVAL;
955 goto done;
956 }
957
af05b30b 958 switch (sk->sk_state) {
1da177e4
LT		 959 case BT_CONNECT:
960 case BT_CONNECT2:
961 case BT_CONFIG:
962 /* Already connecting */
963 goto wait;
964
965 case BT_CONNECTED:
966 /* Already connected */
967 goto done;
968
969 case BT_OPEN:
970 case BT_BOUND:
971 /* Can connect */
972 break;
973
974 default:
975 err = -EBADFD;
976 goto done;
977 }
978
979 /* Set destination address and psm */
f29972de
MH		 980 bacpy(&bt_sk(sk)->dst, &la.l2_bdaddr);
981 l2cap_pi(sk)->psm = la.l2_psm;
1da177e4 982
af05b30b
GP		 983 err = l2cap_do_connect(sk);
984 if (err)
1da177e4
LT		 985 goto done;
986
987wait:
988 err = bt_sock_wait_state(sk, BT_CONNECTED,
989 sock_sndtimeo(sk, flags & O_NONBLOCK));
990done:
991 release_sock(sk);
992 return err;
993}
994
995static int l2cap_sock_listen(struct socket *sock, int backlog)
996{
997 struct sock *sk = sock->sk;
998 int err = 0;
999
1000 BT_DBG("sk %p backlog %d", sk, backlog);
1001
1002 lock_sock(sk);
1003
1004 if (sk->sk_state != BT_BOUND || sock->type != SOCK_SEQPACKET) {
1005 err = -EBADFD;
1006 goto done;
1007 }
1008
1009 if (!l2cap_pi(sk)->psm) {
1010 bdaddr_t *src = &bt_sk(sk)->src;
1011 u16 psm;
1012
1013 err = -EINVAL;
1014
1015 write_lock_bh(&l2cap_sk_list.lock);
1016
1017 for (psm = 0x1001; psm < 0x1100; psm += 2)
6dc0c208 1018 if (!__l2cap_get_sock_by_addr(htobs(psm), src)) {
1da177e4
LT		 1019 l2cap_pi(sk)->psm = htobs(psm);
1020 l2cap_pi(sk)->sport = htobs(psm);
1021 err = 0;
1022 break;
1023 }
1024
1025 write_unlock_bh(&l2cap_sk_list.lock);
1026
1027 if (err < 0)
1028 goto done;
1029 }
1030
1031 sk->sk_max_ack_backlog = backlog;
1032 sk->sk_ack_backlog = 0;
1033 sk->sk_state = BT_LISTEN;
1034
1035done:
1036 release_sock(sk);
1037 return err;
1038}
1039
1040static int l2cap_sock_accept(struct socket *sock, struct socket *newsock, int flags)
1041{
1042 DECLARE_WAITQUEUE(wait, current);
1043 struct sock *sk = sock->sk, *nsk;
1044 long timeo;
1045 int err = 0;
1046
fcc70d5f 1047 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
1da177e4
LT		 1048
1049 if (sk->sk_state != BT_LISTEN) {
1050 err = -EBADFD;
1051 goto done;
1052 }
1053
1054 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
1055
1056 BT_DBG("sk %p timeo %ld", sk, timeo);
1057
1058 /* Wait for an incoming connection. (wake-one). */
1059 add_wait_queue_exclusive(sk->sk_sleep, &wait);
1060 while (!(nsk = bt_accept_dequeue(sk, newsock))) {
1061 set_current_state(TASK_INTERRUPTIBLE);
1062 if (!timeo) {
1063 err = -EAGAIN;
1064 break;
1065 }
1066
1067 release_sock(sk);
1068 timeo = schedule_timeout(timeo);
fcc70d5f 1069 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
1da177e4
LT		 1070
1071 if (sk->sk_state != BT_LISTEN) {
1072 err = -EBADFD;
1073 break;
1074 }
1075
1076 if (signal_pending(current)) {
1077 err = sock_intr_errno(timeo);
1078 break;
1079 }
1080 }
1081 set_current_state(TASK_RUNNING);
1082 remove_wait_queue(sk->sk_sleep, &wait);
1083
1084 if (err)
1085 goto done;
1086
1087 newsock->state = SS_CONNECTED;
1088
1089 BT_DBG("new socket %p", nsk);
1090
1091done:
1092 release_sock(sk);
1093 return err;
1094}
1095
1096static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr, int *len, int peer)
1097{
1098 struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
1099 struct sock *sk = sock->sk;
1100
1101 BT_DBG("sock %p, sk %p", sock, sk);
1102
1103 addr->sa_family = AF_BLUETOOTH;
1104 *len = sizeof(struct sockaddr_l2);
1105
f29972de
MH		 1106 if (peer) {
1107 la->l2_psm = l2cap_pi(sk)->psm;
1da177e4 1108 bacpy(&la->l2_bdaddr, &bt_sk(sk)->dst);
f29972de
MH		 1109 la->l2_cid = htobs(l2cap_pi(sk)->dcid);
1110 } else {
1111 la->l2_psm = l2cap_pi(sk)->sport;
1da177e4 1112 bacpy(&la->l2_bdaddr, &bt_sk(sk)->src);
f29972de
MH		 1113 la->l2_cid = htobs(l2cap_pi(sk)->scid);
1114 }
1da177e4 1115
1da177e4
LT		 1116 return 0;
1117}
1118
1119static inline int l2cap_do_send(struct sock *sk, struct msghdr *msg, int len)
1120{
1121 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1122 struct sk_buff *skb, **frag;
af05b30b 1123 int err, hlen, count, sent = 0;
1da177e4
LT		 1124 struct l2cap_hdr *lh;
1125
1126 BT_DBG("sk %p len %d", sk, len);
1127
1128 /* First fragment (with L2CAP header) */
1129 if (sk->sk_type == SOCK_DGRAM)
1130 hlen = L2CAP_HDR_SIZE + 2;
1131 else
1132 hlen = L2CAP_HDR_SIZE;
1133
1134 count = min_t(unsigned int, (conn->mtu - hlen), len);
1135
1136 skb = bt_skb_send_alloc(sk, hlen + count,
1137 msg->msg_flags & MSG_DONTWAIT, &err);
1138 if (!skb)
1139 return err;
1140
1141 /* Create L2CAP header */
1142 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c
YH		 1143 lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1144 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1da177e4
LT		 1145
1146 if (sk->sk_type == SOCK_DGRAM)
8e036fc3 1147 put_unaligned(l2cap_pi(sk)->psm, (__le16 *) skb_put(skb, 2));
1da177e4
LT		 1148
1149 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count)) {
1150 err = -EFAULT;
1151 goto fail;
1152 }
1153
1154 sent += count;
1155 len -= count;
1156
1157 /* Continuation fragments (no L2CAP header) */
1158 frag = &skb_shinfo(skb)->frag_list;
1159 while (len) {
1160 count = min_t(unsigned int, conn->mtu, len);
1161
1162 *frag = bt_skb_send_alloc(sk, count, msg->msg_flags & MSG_DONTWAIT, &err);
1163 if (!*frag)
1164 goto fail;
8e87d142 1165
1da177e4
LT		 1166 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count)) {
1167 err = -EFAULT;
1168 goto fail;
1169 }
1170
1171 sent += count;
1172 len -= count;
1173
1174 frag = &(*frag)->next;
1175 }
af05b30b
GP		 1176 err = hci_send_acl(conn->hcon, skb, 0);
1177 if (err < 0)
1da177e4
LT		 1178 goto fail;
1179
1180 return sent;
1181
1182fail:
1183 kfree_skb(skb);
1184 return err;
1185}
1186
1187static int l2cap_sock_sendmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len)
1188{
1189 struct sock *sk = sock->sk;
1190 int err = 0;
1191
1192 BT_DBG("sock %p, sk %p", sock, sk);
1193
c1cbe4b7
BL		 1194 err = sock_error(sk);
1195 if (err)
1196 return err;
1da177e4
LT		 1197
1198 if (msg->msg_flags & MSG_OOB)
1199 return -EOPNOTSUPP;
1200
1201 /* Check outgoing MTU */
1202 if (sk->sk_type != SOCK_RAW && len > l2cap_pi(sk)->omtu)
1203 return -EINVAL;
1204
1205 lock_sock(sk);
1206
1207 if (sk->sk_state == BT_CONNECTED)
1208 err = l2cap_do_send(sk, msg, len);
1209 else
1210 err = -ENOTCONN;
1211
1212 release_sock(sk);
1213 return err;
1214}
1215
f66dc81f
MH		 1216static int l2cap_sock_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len, int flags)
1217{
1218 struct sock *sk = sock->sk;
1219
1220 lock_sock(sk);
1221
1222 if (sk->sk_state == BT_CONNECT2 && bt_sk(sk)->defer_setup) {
1223 struct l2cap_conn_rsp rsp;
1224
1225 sk->sk_state = BT_CONFIG;
1226
1227 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
1228 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
1229 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1230 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1231 l2cap_send_cmd(l2cap_pi(sk)->conn, l2cap_pi(sk)->ident,
1232 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
1233
1234 release_sock(sk);
1235 return 0;
1236 }
1237
1238 release_sock(sk);
1239
1240 return bt_sock_recvmsg(iocb, sock, msg, len, flags);
1241}
1242
d58daf42 1243static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __user *optval, int optlen)
1da177e4
LT		 1244{
1245 struct sock *sk = sock->sk;
1246 struct l2cap_options opts;
f29972de 1247 int len, err = 0;
1da177e4
LT		 1248 u32 opt;
1249
1250 BT_DBG("sk %p", sk);
1251
1252 lock_sock(sk);
1253
1254 switch (optname) {
1255 case L2CAP_OPTIONS:
0878b666
MH		 1256 opts.imtu = l2cap_pi(sk)->imtu;
1257 opts.omtu = l2cap_pi(sk)->omtu;
1258 opts.flush_to = l2cap_pi(sk)->flush_to;
6464f35f 1259 opts.mode = L2CAP_MODE_BASIC;
0878b666 1260
1da177e4
LT		 1261 len = min_t(unsigned int, sizeof(opts), optlen);
1262 if (copy_from_user((char *) &opts, optval, len)) {
1263 err = -EFAULT;
1264 break;
1265 }
0878b666 1266
1da177e4
LT		 1267 l2cap_pi(sk)->imtu = opts.imtu;
1268 l2cap_pi(sk)->omtu = opts.omtu;
1269 break;
1270
1271 case L2CAP_LM:
1272 if (get_user(opt, (u32 __user *) optval)) {
1273 err = -EFAULT;
1274 break;
1275 }
1276
2af6b9d5
MH		 1277 if (opt & L2CAP_LM_AUTH)
1278 l2cap_pi(sk)->sec_level = BT_SECURITY_LOW;
1279 if (opt & L2CAP_LM_ENCRYPT)
1280 l2cap_pi(sk)->sec_level = BT_SECURITY_MEDIUM;
1281 if (opt & L2CAP_LM_SECURE)
1282 l2cap_pi(sk)->sec_level = BT_SECURITY_HIGH;
1283
1284 l2cap_pi(sk)->role_switch = (opt & L2CAP_LM_MASTER);
1285 l2cap_pi(sk)->force_reliable = (opt & L2CAP_LM_RELIABLE);
1da177e4
LT		 1286 break;
1287
1288 default:
1289 err = -ENOPROTOOPT;
1290 break;
1291 }
1292
1293 release_sock(sk);
1294 return err;
1295}
1296
d58daf42
MH		 1297static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, char __user *optval, int optlen)
1298{
1299 struct sock *sk = sock->sk;
2af6b9d5
MH		 1300 struct bt_security sec;
1301 int len, err = 0;
f66dc81f 1302 u32 opt;
d58daf42
MH		 1303
1304 BT_DBG("sk %p", sk);
1305
1306 if (level == SOL_L2CAP)
1307 return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
1308
0588d94f
MH		 1309 if (level != SOL_BLUETOOTH)
1310 return -ENOPROTOOPT;
1311
d58daf42
MH		 1312 lock_sock(sk);
1313
1314 switch (optname) {
2af6b9d5 1315 case BT_SECURITY:
2526d3d8 1316 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_RAW) {
0588d94f
MH		 1317 err = -EINVAL;
1318 break;
1319 }
1320
2af6b9d5
MH		 1321 sec.level = BT_SECURITY_LOW;
1322
1323 len = min_t(unsigned int, sizeof(sec), optlen);
1324 if (copy_from_user((char *) &sec, optval, len)) {
1325 err = -EFAULT;
1326 break;
1327 }
1328
1329 if (sec.level < BT_SECURITY_LOW ||
1330 sec.level > BT_SECURITY_HIGH) {
1331 err = -EINVAL;
1332 break;
1333 }
1334
1335 l2cap_pi(sk)->sec_level = sec.level;
1336 break;
1337
f66dc81f
MH		 1338 case BT_DEFER_SETUP:
1339 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
1340 err = -EINVAL;
1341 break;
1342 }
1343
1344 if (get_user(opt, (u32 __user *) optval)) {
1345 err = -EFAULT;
1346 break;
1347 }
1348
1349 bt_sk(sk)->defer_setup = opt;
1350 break;
1351
d58daf42
MH		 1352 default:
1353 err = -ENOPROTOOPT;
1354 break;
1355 }
1356
1357 release_sock(sk);
1358 return err;
1359}
1360
1361static int l2cap_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen)
1da177e4
LT		 1362{
1363 struct sock *sk = sock->sk;
1364 struct l2cap_options opts;
1365 struct l2cap_conninfo cinfo;
1366 int len, err = 0;
2af6b9d5 1367 u32 opt;
1da177e4
LT		 1368
1369 BT_DBG("sk %p", sk);
1370
1371 if (get_user(len, optlen))
1372 return -EFAULT;
1373
1374 lock_sock(sk);
1375
1376 switch (optname) {
1377 case L2CAP_OPTIONS:
1378 opts.imtu = l2cap_pi(sk)->imtu;
1379 opts.omtu = l2cap_pi(sk)->omtu;
1380 opts.flush_to = l2cap_pi(sk)->flush_to;
6464f35f 1381 opts.mode = L2CAP_MODE_BASIC;
1da177e4
LT		 1382
1383 len = min_t(unsigned int, len, sizeof(opts));
1384 if (copy_to_user(optval, (char *) &opts, len))
1385 err = -EFAULT;
1386
1387 break;
1388
1389 case L2CAP_LM:
2af6b9d5
MH		 1390 switch (l2cap_pi(sk)->sec_level) {
1391 case BT_SECURITY_LOW:
1392 opt = L2CAP_LM_AUTH;
1393 break;
1394 case BT_SECURITY_MEDIUM:
1395 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
1396 break;
1397 case BT_SECURITY_HIGH:
1398 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
1399 L2CAP_LM_SECURE;
1400 break;
1401 default:
1402 opt = 0;
1403 break;
1404 }
1405
1406 if (l2cap_pi(sk)->role_switch)
1407 opt |= L2CAP_LM_MASTER;
1408
1409 if (l2cap_pi(sk)->force_reliable)
1410 opt |= L2CAP_LM_RELIABLE;
1411
1412 if (put_user(opt, (u32 __user *) optval))
1da177e4
LT		 1413 err = -EFAULT;
1414 break;
1415
1416 case L2CAP_CONNINFO:
f66dc81f
MH		 1417 if (sk->sk_state != BT_CONNECTED &&
1418 !(sk->sk_state == BT_CONNECT2 &&
1419 bt_sk(sk)->defer_setup)) {
1da177e4
LT		 1420 err = -ENOTCONN;
1421 break;
1422 }
1423
1424 cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle;
1425 memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3);
1426
1427 len = min_t(unsigned int, len, sizeof(cinfo));
1428 if (copy_to_user(optval, (char *) &cinfo, len))
1429 err = -EFAULT;
1430
1431 break;
1432
1433 default:
1434 err = -ENOPROTOOPT;
1435 break;
1436 }
1437
1438 release_sock(sk);
1439 return err;
1440}
1441
d58daf42
MH		 1442static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen)
1443{
1444 struct sock *sk = sock->sk;
2af6b9d5 1445 struct bt_security sec;
d58daf42
MH		 1446 int len, err = 0;
1447
1448 BT_DBG("sk %p", sk);
1449
1450 if (level == SOL_L2CAP)
1451 return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
1452
0588d94f
MH		 1453 if (level != SOL_BLUETOOTH)
1454 return -ENOPROTOOPT;
1455
d58daf42
MH		 1456 if (get_user(len, optlen))
1457 return -EFAULT;
1458
1459 lock_sock(sk);
1460
1461 switch (optname) {
2af6b9d5 1462 case BT_SECURITY:
2526d3d8 1463 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_RAW) {
0588d94f
MH		 1464 err = -EINVAL;
1465 break;
1466 }
1467
2af6b9d5
MH		 1468 sec.level = l2cap_pi(sk)->sec_level;
1469
1470 len = min_t(unsigned int, len, sizeof(sec));
1471 if (copy_to_user(optval, (char *) &sec, len))
1472 err = -EFAULT;
1473
1474 break;
1475
f66dc81f
MH		 1476 case BT_DEFER_SETUP:
1477 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
1478 err = -EINVAL;
1479 break;
1480 }
1481
1482 if (put_user(bt_sk(sk)->defer_setup, (u32 __user *) optval))
1483 err = -EFAULT;
1484
1485 break;
1486
d58daf42
MH		 1487 default:
1488 err = -ENOPROTOOPT;
1489 break;
1490 }
1491
1492 release_sock(sk);
1493 return err;
1494}
1495
1da177e4
LT		 1496static int l2cap_sock_shutdown(struct socket *sock, int how)
1497{
1498 struct sock *sk = sock->sk;
1499 int err = 0;
1500
1501 BT_DBG("sock %p, sk %p", sock, sk);
1502
1503 if (!sk)
1504 return 0;
1505
1506 lock_sock(sk);
1507 if (!sk->sk_shutdown) {
1508 sk->sk_shutdown = SHUTDOWN_MASK;
1509 l2cap_sock_clear_timer(sk);
1510 __l2cap_sock_close(sk, 0);
1511
1512 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime)
b1235d79
MH		 1513 err = bt_sock_wait_state(sk, BT_CLOSED,
1514 sk->sk_lingertime);
1da177e4
LT		 1515 }
1516 release_sock(sk);
1517 return err;
1518}
1519
1520static int l2cap_sock_release(struct socket *sock)
1521{
1522 struct sock *sk = sock->sk;
1523 int err;
1524
1525 BT_DBG("sock %p, sk %p", sock, sk);
1526
1527 if (!sk)
1528 return 0;
1529
1530 err = l2cap_sock_shutdown(sock, 2);
1531
1532 sock_orphan(sk);
1533 l2cap_sock_kill(sk);
1534 return err;
1535}
1536
1da177e4
LT		 1537static void l2cap_chan_ready(struct sock *sk)
1538{
1539 struct sock *parent = bt_sk(sk)->parent;
1540
1541 BT_DBG("sk %p, parent %p", sk, parent);
1542
1543 l2cap_pi(sk)->conf_state = 0;
1544 l2cap_sock_clear_timer(sk);
1545
1546 if (!parent) {
1547 /* Outgoing channel.
1548 * Wake up socket sleeping on connect.
1549 */
1550 sk->sk_state = BT_CONNECTED;
1551 sk->sk_state_change(sk);
1552 } else {
1553 /* Incoming channel.
1554 * Wake up socket sleeping on accept.
1555 */
1556 parent->sk_data_ready(parent, 0);
1557 }
1558}
1559
1560/* Copy frame to all raw sockets on that connection */
1561static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
1562{
1563 struct l2cap_chan_list *l = &conn->chan_list;
1564 struct sk_buff *nskb;
af05b30b 1565 struct sock *sk;
1da177e4
LT		 1566
1567 BT_DBG("conn %p", conn);
1568
1569 read_lock(&l->lock);
1570 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
1571 if (sk->sk_type != SOCK_RAW)
1572 continue;
1573
1574 /* Don't send frame to the socket it came from */
1575 if (skb->sk == sk)
1576 continue;
af05b30b
GP		 1577 nskb = skb_clone(skb, GFP_ATOMIC);
1578 if (!nskb)
1da177e4
LT		 1579 continue;
1580
1581 if (sock_queue_rcv_skb(sk, nskb))
1582 kfree_skb(nskb);
1583 }
1584 read_unlock(&l->lock);
1585}
1586
1587/* ---- L2CAP signalling commands ---- */
1588static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
1589 u8 code, u8 ident, u16 dlen, void *data)
1590{
1591 struct sk_buff *skb, **frag;
1592 struct l2cap_cmd_hdr *cmd;
1593 struct l2cap_hdr *lh;
1594 int len, count;
1595
af05b30b
GP		 1596 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
1597 conn, code, ident, dlen);
1da177e4
LT		 1598
1599 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
1600 count = min_t(unsigned int, conn->mtu, len);
1601
1602 skb = bt_skb_alloc(count, GFP_ATOMIC);
1603 if (!skb)
1604 return NULL;
1605
1606 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 1607 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
8db4dc46 1608 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 1609
1610 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
1611 cmd->code = code;
1612 cmd->ident = ident;
aca3192c 1613 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 1614
1615 if (dlen) {
1616 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
1617 memcpy(skb_put(skb, count), data, count);
1618 data += count;
1619 }
1620
1621 len -= skb->len;
1622
1623 /* Continuation fragments (no L2CAP header) */
1624 frag = &skb_shinfo(skb)->frag_list;
1625 while (len) {
1626 count = min_t(unsigned int, conn->mtu, len);
1627
1628 *frag = bt_skb_alloc(count, GFP_ATOMIC);
1629 if (!*frag)
1630 goto fail;
1631
1632 memcpy(skb_put(*frag, count), data, count);
1633
1634 len -= count;
1635 data += count;
1636
1637 frag = &(*frag)->next;
1638 }
1639
1640 return skb;
1641
1642fail:
1643 kfree_skb(skb);
1644 return NULL;
1645}
1646
1647static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
1648{
1649 struct l2cap_conf_opt *opt = *ptr;
1650 int len;
1651
1652 len = L2CAP_CONF_OPT_SIZE + opt->len;
1653 *ptr += len;
1654
1655 *type = opt->type;
1656 *olen = opt->len;
1657
1658 switch (opt->len) {
1659 case 1:
1660 *val = *((u8 *) opt->val);
1661 break;
1662
1663 case 2:
861d6882 1664 *val = __le16_to_cpu(*((__le16 *) opt->val));
1da177e4
LT		 1665 break;
1666
1667 case 4:
861d6882 1668 *val = __le32_to_cpu(*((__le32 *) opt->val));
1da177e4
LT		 1669 break;
1670
1671 default:
1672 *val = (unsigned long) opt->val;
1673 break;
1674 }
1675
1676 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
1677 return len;
1678}
1679
1da177e4
LT		 1680static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
1681{
1682 struct l2cap_conf_opt *opt = *ptr;
1683
1684 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
1685
1686 opt->type = type;
1687 opt->len = len;
1688
1689 switch (len) {
1690 case 1:
1691 *((u8 *) opt->val) = val;
1692 break;
1693
1694 case 2:
8e036fc3 1695 *((__le16 *) opt->val) = cpu_to_le16(val);
1da177e4
LT		 1696 break;
1697
1698 case 4:
8e036fc3 1699 *((__le32 *) opt->val) = cpu_to_le32(val);
1da177e4
LT		 1700 break;
1701
1702 default:
1703 memcpy(opt->val, (void *) val, len);
1704 break;
1705 }
1706
1707 *ptr += L2CAP_CONF_OPT_SIZE + len;
1708}
1709
1710static int l2cap_build_conf_req(struct sock *sk, void *data)
1711{
1712 struct l2cap_pinfo *pi = l2cap_pi(sk);
1713 struct l2cap_conf_req *req = data;
1714 void *ptr = req->data;
1715
1716 BT_DBG("sk %p", sk);
1717
1718 if (pi->imtu != L2CAP_DEFAULT_MTU)
1719 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->imtu);
1720
1721 /* FIXME: Need actual value of the flush timeout */
1722 //if (flush_to != L2CAP_DEFAULT_FLUSH_TO)
1723 // l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, 2, pi->flush_to);
1724
aca3192c
YH		 1725 req->dcid = cpu_to_le16(pi->dcid);
1726 req->flags = cpu_to_le16(0);
1da177e4
LT		 1727
1728 return ptr - data;
1729}
1730
5dee9e7c 1731static int l2cap_parse_conf_req(struct sock *sk, void *data)
1da177e4
LT		 1732{
1733 struct l2cap_pinfo *pi = l2cap_pi(sk);
5dee9e7c
MH		 1734 struct l2cap_conf_rsp *rsp = data;
1735 void *ptr = rsp->data;
1736 void *req = pi->conf_req;
1737 int len = pi->conf_len;
1738 int type, hint, olen;
1739 unsigned long val;
6464f35f 1740 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
861d6882 1741 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 1742 u16 result = L2CAP_CONF_SUCCESS;
1da177e4 1743
5dee9e7c 1744 BT_DBG("sk %p", sk);
820ae1b8 1745
5dee9e7c
MH		 1746 while (len >= L2CAP_CONF_OPT_SIZE) {
1747 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 1748
589d2746 1749 hint = type & L2CAP_CONF_HINT;
47ec1dcd 1750 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 1751
1752 switch (type) {
1753 case L2CAP_CONF_MTU:
861d6882 1754 mtu = val;
5dee9e7c
MH		 1755 break;
1756
1757 case L2CAP_CONF_FLUSH_TO:
1758 pi->flush_to = val;
1759 break;
1760
1761 case L2CAP_CONF_QOS:
1762 break;
1763
6464f35f
MH		 1764 case L2CAP_CONF_RFC:
1765 if (olen == sizeof(rfc))
1766 memcpy(&rfc, (void *) val, olen);
1767 break;
1768
5dee9e7c
MH		 1769 default:
1770 if (hint)
1771 break;
1772
1773 result = L2CAP_CONF_UNKNOWN;
1774 *((u8 *) ptr++) = type;
1775 break;
1776 }
1777 }
1778
1779 if (result == L2CAP_CONF_SUCCESS) {
1780 /* Configure output options and let the other side know
1781 * which ones we don't like. */
1782
6464f35f
MH		 1783 if (rfc.mode == L2CAP_MODE_BASIC) {
1784 if (mtu < pi->omtu)
1785 result = L2CAP_CONF_UNACCEPT;
1786 else {
1787 pi->omtu = mtu;
1788 pi->conf_state |= L2CAP_CONF_OUTPUT_DONE;
1789 }
1790
1791 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->omtu);
1792 } else {
5dee9e7c 1793 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 1794
6464f35f
MH		 1795 memset(&rfc, 0, sizeof(rfc));
1796 rfc.mode = L2CAP_MODE_BASIC;
1797
1798 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
1799 sizeof(rfc), (unsigned long) &rfc);
1800 }
5dee9e7c
MH		 1801 }
1802
1803 rsp->scid = cpu_to_le16(pi->dcid);
1804 rsp->result = cpu_to_le16(result);
1805 rsp->flags = cpu_to_le16(0x0000);
1806
1807 return ptr - data;
1da177e4
LT		 1808}
1809
5dee9e7c 1810static int l2cap_build_conf_rsp(struct sock *sk, void *data, u16 result, u16 flags)
1da177e4
LT		 1811{
1812 struct l2cap_conf_rsp *rsp = data;
1813 void *ptr = rsp->data;
1da177e4 1814
5dee9e7c 1815 BT_DBG("sk %p", sk);
1da177e4 1816
aca3192c 1817 rsp->scid = cpu_to_le16(l2cap_pi(sk)->dcid);
5dee9e7c 1818 rsp->result = cpu_to_le16(result);
aca3192c 1819 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 1820
1821 return ptr - data;
1822}
1823
4e8402a3
MH		 1824static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
1825{
1826 struct l2cap_cmd_rej *rej = (struct l2cap_cmd_rej *) data;
1827
1828 if (rej->reason != 0x0000)
1829 return 0;
1830
1831 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
1832 cmd->ident == conn->info_ident) {
4e8402a3 1833 del_timer(&conn->info_timer);
984947dc
MH		 1834
1835 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1836 conn->info_ident = 0;
984947dc 1837
4e8402a3
MH		 1838 l2cap_conn_start(conn);
1839 }
1840
1841 return 0;
1842}
1843
1da177e4
LT		 1844static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
1845{
1846 struct l2cap_chan_list *list = &conn->chan_list;
1847 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
1848 struct l2cap_conn_rsp rsp;
1849 struct sock *sk, *parent;
e7c29cb1 1850 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 1851
1852 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 1853 __le16 psm = req->psm;
1da177e4
LT		 1854
1855 BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
1856
1857 /* Check if we have socket listening on psm */
1858 parent = l2cap_get_sock_by_psm(BT_LISTEN, psm, conn->src);
1859 if (!parent) {
1860 result = L2CAP_CR_BAD_PSM;
1861 goto sendresp;
1862 }
1863
e7c29cb1
MH		 1864 /* Check if the ACL is secure enough (if not SDP) */
1865 if (psm != cpu_to_le16(0x0001) &&
1866 !hci_conn_check_link_mode(conn->hcon)) {
2950f21a 1867 conn->disc_reason = 0x05;
e7c29cb1
MH		 1868 result = L2CAP_CR_SEC_BLOCK;
1869 goto response;
1870 }
1871
1da177e4
LT		 1872 result = L2CAP_CR_NO_MEM;
1873
1874 /* Check for backlog size */
1875 if (sk_acceptq_is_full(parent)) {
8e87d142 1876 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1da177e4
LT		 1877 goto response;
1878 }
1879
3b1e0a65 1880 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP, GFP_ATOMIC);
1da177e4
LT		 1881 if (!sk)
1882 goto response;
1883
fd1278d7 1884 write_lock_bh(&list->lock);
1da177e4
LT		 1885
1886 /* Check if we already have channel with that dcid */
1887 if (__l2cap_get_chan_by_dcid(list, scid)) {
fd1278d7 1888 write_unlock_bh(&list->lock);
1da177e4
LT		 1889 sock_set_flag(sk, SOCK_ZAPPED);
1890 l2cap_sock_kill(sk);
1891 goto response;
1892 }
1893
1894 hci_conn_hold(conn->hcon);
1895
1896 l2cap_sock_init(sk, parent);
1897 bacpy(&bt_sk(sk)->src, conn->src);
1898 bacpy(&bt_sk(sk)->dst, conn->dst);
1899 l2cap_pi(sk)->psm = psm;
1900 l2cap_pi(sk)->dcid = scid;
1901
1902 __l2cap_chan_add(conn, sk, parent);
1903 dcid = l2cap_pi(sk)->scid;
1904
1905 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
1906
1da177e4
LT		 1907 l2cap_pi(sk)->ident = cmd->ident;
1908
984947dc 1909 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
2af6b9d5 1910 if (l2cap_check_security(sk)) {
f66dc81f
MH		 1911 if (bt_sk(sk)->defer_setup) {
1912 sk->sk_state = BT_CONNECT2;
1913 result = L2CAP_CR_PEND;
1914 status = L2CAP_CS_AUTHOR_PEND;
1915 parent->sk_data_ready(parent, 0);
1916 } else {
1917 sk->sk_state = BT_CONFIG;
1918 result = L2CAP_CR_SUCCESS;
1919 status = L2CAP_CS_NO_INFO;
1920 }
79d554a6
MH		 1921 } else {
1922 sk->sk_state = BT_CONNECT2;
1923 result = L2CAP_CR_PEND;
1924 status = L2CAP_CS_AUTHEN_PEND;
1925 }
1926 } else {
1927 sk->sk_state = BT_CONNECT2;
1928 result = L2CAP_CR_PEND;
1929 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 1930 }
1931
fd1278d7 1932 write_unlock_bh(&list->lock);
1da177e4
LT		 1933
1934response:
1935 bh_unlock_sock(parent);
1936
1937sendresp:
aca3192c
YH		 1938 rsp.scid = cpu_to_le16(scid);
1939 rsp.dcid = cpu_to_le16(dcid);
1940 rsp.result = cpu_to_le16(result);
1941 rsp.status = cpu_to_le16(status);
1da177e4 1942 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 1943
1944 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
1945 struct l2cap_info_req info;
1946 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
1947
1948 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1949 conn->info_ident = l2cap_get_ident(conn);
1950
1951 mod_timer(&conn->info_timer, jiffies +
1952 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
1953
1954 l2cap_send_cmd(conn, conn->info_ident,
1955 L2CAP_INFO_REQ, sizeof(info), &info);
1956 }
1957
1da177e4
LT		 1958 return 0;
1959}
1960
1961static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
1962{
1963 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
1964 u16 scid, dcid, result, status;
1965 struct sock *sk;
1966 u8 req[128];
1967
1968 scid = __le16_to_cpu(rsp->scid);
1969 dcid = __le16_to_cpu(rsp->dcid);
1970 result = __le16_to_cpu(rsp->result);
1971 status = __le16_to_cpu(rsp->status);
1972
1973 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status);
1974
1975 if (scid) {
af05b30b
GP		 1976 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
1977 if (!sk)
1da177e4
LT		 1978 return 0;
1979 } else {
af05b30b
GP		 1980 sk = l2cap_get_chan_by_ident(&conn->chan_list, cmd->ident);
1981 if (!sk)
1da177e4
LT		 1982 return 0;
1983 }
1984
1985 switch (result) {
1986 case L2CAP_CR_SUCCESS:
1987 sk->sk_state = BT_CONFIG;
1988 l2cap_pi(sk)->ident = 0;
1989 l2cap_pi(sk)->dcid = dcid;
1990 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
1991
6a8d3010
MH		 1992 l2cap_pi(sk)->conf_state &= ~L2CAP_CONF_CONNECT_PEND;
1993
1da177e4
LT		 1994 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
1995 l2cap_build_conf_req(sk, req), req);
1996 break;
1997
1998 case L2CAP_CR_PEND:
6a8d3010 1999 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
1da177e4
LT		 2000 break;
2001
2002 default:
2003 l2cap_chan_del(sk, ECONNREFUSED);
2004 break;
2005 }
2006
2007 bh_unlock_sock(sk);
2008 return 0;
2009}
2010
88219a0f 2011static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 2012{
2013 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
2014 u16 dcid, flags;
2015 u8 rsp[64];
2016 struct sock *sk;
5dee9e7c 2017 int len;
1da177e4
LT		 2018
2019 dcid = __le16_to_cpu(req->dcid);
2020 flags = __le16_to_cpu(req->flags);
2021
2022 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
2023
af05b30b
GP		 2024 sk = l2cap_get_chan_by_scid(&conn->chan_list, dcid);
2025 if (!sk)
1da177e4
LT		 2026 return -ENOENT;
2027
354f60a9
MH		 2028 if (sk->sk_state == BT_DISCONN)
2029 goto unlock;
2030
5dee9e7c 2031 /* Reject if config buffer is too small. */
88219a0f 2032 len = cmd_len - sizeof(*req);
5dee9e7c
MH		 2033 if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
2034 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2035 l2cap_build_conf_rsp(sk, rsp,
2036 L2CAP_CONF_REJECT, flags), rsp);
2037 goto unlock;
2038 }
2039
2040 /* Store config. */
2041 memcpy(l2cap_pi(sk)->conf_req + l2cap_pi(sk)->conf_len, req->data, len);
2042 l2cap_pi(sk)->conf_len += len;
1da177e4
LT		 2043
2044 if (flags & 0x0001) {
2045 /* Incomplete config. Send empty response. */
2046 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
5dee9e7c
MH		 2047 l2cap_build_conf_rsp(sk, rsp,
2048 L2CAP_CONF_SUCCESS, 0x0001), rsp);
1da177e4
LT		 2049 goto unlock;
2050 }
2051
2052 /* Complete config. */
5dee9e7c
MH		 2053 len = l2cap_parse_conf_req(sk, rsp);
2054 if (len < 0)
1da177e4
LT		 2055 goto unlock;
2056
5dee9e7c
MH		 2057 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
2058
5dee9e7c
MH		 2059 /* Reset config buffer. */
2060 l2cap_pi(sk)->conf_len = 0;
2061
876d9484
MH		 2062 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE))
2063 goto unlock;
2064
1da177e4
LT		 2065 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_INPUT_DONE) {
2066 sk->sk_state = BT_CONNECTED;
2067 l2cap_chan_ready(sk);
876d9484
MH		 2068 goto unlock;
2069 }
2070
2071 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT)) {
79d554a6 2072 u8 buf[64];
1da177e4 2073 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
79d554a6 2074 l2cap_build_conf_req(sk, buf), buf);
1da177e4
LT		 2075 }
2076
2077unlock:
2078 bh_unlock_sock(sk);
2079 return 0;
2080}
2081
2082static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2083{
2084 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
2085 u16 scid, flags, result;
2086 struct sock *sk;
2087
2088 scid = __le16_to_cpu(rsp->scid);
2089 flags = __le16_to_cpu(rsp->flags);
2090 result = __le16_to_cpu(rsp->result);
2091
af05b30b
GP		 2092 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x",
2093 scid, flags, result);
1da177e4 2094
af05b30b
GP		 2095 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
2096 if (!sk)
1da177e4
LT		 2097 return 0;
2098
2099 switch (result) {
2100 case L2CAP_CONF_SUCCESS:
2101 break;
2102
2103 case L2CAP_CONF_UNACCEPT:
2104 if (++l2cap_pi(sk)->conf_retry < L2CAP_CONF_MAX_RETRIES) {
2105 char req[128];
2106 /* It does not make sense to adjust L2CAP parameters
2107 * that are currently defined in the spec. We simply
2108 * resend config request that we sent earlier. It is
2109 * stupid, but it helps qualification testing which
2110 * expects at least some response from us. */
2111 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2112 l2cap_build_conf_req(sk, req), req);
2113 goto done;
2114 }
2115
8e87d142 2116 default:
1da177e4 2117 sk->sk_state = BT_DISCONN;
b1235d79 2118 sk->sk_err = ECONNRESET;
1da177e4
LT		 2119 l2cap_sock_set_timer(sk, HZ * 5);
2120 {
2121 struct l2cap_disconn_req req;
aca3192c
YH		 2122 req.dcid = cpu_to_le16(l2cap_pi(sk)->dcid);
2123 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
1da177e4
LT		 2124 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2125 L2CAP_DISCONN_REQ, sizeof(req), &req);
2126 }
2127 goto done;
2128 }
2129
2130 if (flags & 0x01)
2131 goto done;
2132
1da177e4
LT		 2133 l2cap_pi(sk)->conf_state |= L2CAP_CONF_INPUT_DONE;
2134
2135 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE) {
2136 sk->sk_state = BT_CONNECTED;
2137 l2cap_chan_ready(sk);
2138 }
2139
2140done:
2141 bh_unlock_sock(sk);
2142 return 0;
2143}
2144
2145static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2146{
2147 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
2148 struct l2cap_disconn_rsp rsp;
2149 u16 dcid, scid;
2150 struct sock *sk;
2151
2152 scid = __le16_to_cpu(req->scid);
2153 dcid = __le16_to_cpu(req->dcid);
2154
2155 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
2156
af05b30b
GP		 2157 sk = l2cap_get_chan_by_scid(&conn->chan_list, dcid);
2158 if (!sk)
1da177e4
LT		 2159 return 0;
2160
aca3192c
YH		 2161 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
2162 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
1da177e4
LT		 2163 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
2164
2165 sk->sk_shutdown = SHUTDOWN_MASK;
2166
2167 l2cap_chan_del(sk, ECONNRESET);
2168 bh_unlock_sock(sk);
2169
2170 l2cap_sock_kill(sk);
2171 return 0;
2172}
2173
2174static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2175{
2176 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
2177 u16 dcid, scid;
2178 struct sock *sk;
2179
2180 scid = __le16_to_cpu(rsp->scid);
2181 dcid = __le16_to_cpu(rsp->dcid);
2182
2183 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
2184
af05b30b
GP		 2185 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
2186 if (!sk)
1da177e4
LT		 2187 return 0;
2188
2189 l2cap_chan_del(sk, 0);
2190 bh_unlock_sock(sk);
2191
2192 l2cap_sock_kill(sk);
2193 return 0;
2194}
2195
2196static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2197{
2198 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 2199 u16 type;
2200
2201 type = __le16_to_cpu(req->type);
2202
2203 BT_DBG("type 0x%4.4x", type);
2204
f0709e03
MH		 2205 if (type == L2CAP_IT_FEAT_MASK) {
2206 u8 buf[8];
2207 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2208 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2209 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
2210 put_unaligned(cpu_to_le32(l2cap_feat_mask), (__le32 *) rsp->data);
2211 l2cap_send_cmd(conn, cmd->ident,
2212 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 2213 } else if (type == L2CAP_IT_FIXED_CHAN) {
2214 u8 buf[12];
2215 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2216 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2217 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
2218 memcpy(buf + 4, l2cap_fixed_chan, 8);
2219 l2cap_send_cmd(conn, cmd->ident,
2220 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 2221 } else {
2222 struct l2cap_info_rsp rsp;
2223 rsp.type = cpu_to_le16(type);
2224 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
2225 l2cap_send_cmd(conn, cmd->ident,
2226 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
2227 }
1da177e4
LT		 2228
2229 return 0;
2230}
2231
2232static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2233{
2234 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
2235 u16 type, result;
2236
2237 type = __le16_to_cpu(rsp->type);
2238 result = __le16_to_cpu(rsp->result);
2239
2240 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
2241
4e8402a3
MH		 2242 del_timer(&conn->info_timer);
2243
984947dc 2244 if (type == L2CAP_IT_FEAT_MASK) {
83985319 2245 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 2246
47ec1dcd 2247 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c
MH		 2248 struct l2cap_info_req req;
2249 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2250
2251 conn->info_ident = l2cap_get_ident(conn);
2252
2253 l2cap_send_cmd(conn, conn->info_ident,
2254 L2CAP_INFO_REQ, sizeof(req), &req);
2255 } else {
2256 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2257 conn->info_ident = 0;
2258
2259 l2cap_conn_start(conn);
2260 }
2261 } else if (type == L2CAP_IT_FIXED_CHAN) {
984947dc 2262 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2263 conn->info_ident = 0;
984947dc
MH		 2264
2265 l2cap_conn_start(conn);
2266 }
4e8402a3 2267
1da177e4
LT		 2268 return 0;
2269}
2270
2271static inline void l2cap_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb)
2272{
2273 u8 *data = skb->data;
2274 int len = skb->len;
2275 struct l2cap_cmd_hdr cmd;
2276 int err = 0;
2277
2278 l2cap_raw_recv(conn, skb);
2279
2280 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 2281 u16 cmd_len;
1da177e4
LT		 2282 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
2283 data += L2CAP_CMD_HDR_SIZE;
2284 len -= L2CAP_CMD_HDR_SIZE;
2285
88219a0f 2286 cmd_len = le16_to_cpu(cmd.len);
1da177e4 2287
88219a0f 2288 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 2289
88219a0f 2290 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 2291 BT_DBG("corrupted command");
2292 break;
2293 }
2294
2295 switch (cmd.code) {
2296 case L2CAP_COMMAND_REJ:
4e8402a3 2297 l2cap_command_rej(conn, &cmd, data);
1da177e4
LT		 2298 break;
2299
2300 case L2CAP_CONN_REQ:
2301 err = l2cap_connect_req(conn, &cmd, data);
2302 break;
2303
2304 case L2CAP_CONN_RSP:
2305 err = l2cap_connect_rsp(conn, &cmd, data);
2306 break;
2307
2308 case L2CAP_CONF_REQ:
88219a0f 2309 err = l2cap_config_req(conn, &cmd, cmd_len, data);
1da177e4
LT		 2310 break;
2311
2312 case L2CAP_CONF_RSP:
2313 err = l2cap_config_rsp(conn, &cmd, data);
2314 break;
2315
2316 case L2CAP_DISCONN_REQ:
2317 err = l2cap_disconnect_req(conn, &cmd, data);
2318 break;
2319
2320 case L2CAP_DISCONN_RSP:
2321 err = l2cap_disconnect_rsp(conn, &cmd, data);
2322 break;
2323
2324 case L2CAP_ECHO_REQ:
88219a0f 2325 l2cap_send_cmd(conn, cmd.ident, L2CAP_ECHO_RSP, cmd_len, data);
1da177e4
LT		 2326 break;
2327
2328 case L2CAP_ECHO_RSP:
2329 break;
2330
2331 case L2CAP_INFO_REQ:
2332 err = l2cap_information_req(conn, &cmd, data);
2333 break;
2334
2335 case L2CAP_INFO_RSP:
2336 err = l2cap_information_rsp(conn, &cmd, data);
2337 break;
2338
2339 default:
2340 BT_ERR("Unknown signaling command 0x%2.2x", cmd.code);
2341 err = -EINVAL;
2342 break;
2343 }
2344
2345 if (err) {
2346 struct l2cap_cmd_rej rej;
2347 BT_DBG("error %d", err);
2348
2349 /* FIXME: Map err to a valid reason */
aca3192c 2350 rej.reason = cpu_to_le16(0);
1da177e4
LT		 2351 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
2352 }
2353
88219a0f
AV		 2354 data += cmd_len;
2355 len -= cmd_len;
1da177e4
LT		 2356 }
2357
2358 kfree_skb(skb);
2359}
2360
2361static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
2362{
2363 struct sock *sk;
2364
2365 sk = l2cap_get_chan_by_scid(&conn->chan_list, cid);
2366 if (!sk) {
2367 BT_DBG("unknown cid 0x%4.4x", cid);
2368 goto drop;
2369 }
2370
2371 BT_DBG("sk %p, len %d", sk, skb->len);
2372
2373 if (sk->sk_state != BT_CONNECTED)
2374 goto drop;
2375
2376 if (l2cap_pi(sk)->imtu < skb->len)
2377 goto drop;
2378
2379 /* If socket recv buffers overflows we drop data here
2380 * which is *bad* because L2CAP has to be reliable.
2381 * But we don't have any other choice. L2CAP doesn't
2382 * provide flow control mechanism. */
2383
2384 if (!sock_queue_rcv_skb(sk, skb))
2385 goto done;
2386
2387drop:
2388 kfree_skb(skb);
2389
2390done:
0139418c
MH		 2391 if (sk)
2392 bh_unlock_sock(sk);
2393
1da177e4
LT		 2394 return 0;
2395}
2396
8e036fc3 2397static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
1da177e4
LT		 2398{
2399 struct sock *sk;
2400
2401 sk = l2cap_get_sock_by_psm(0, psm, conn->src);
2402 if (!sk)
2403 goto drop;
2404
2405 BT_DBG("sk %p, len %d", sk, skb->len);
2406
2407 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_CONNECTED)
2408 goto drop;
2409
2410 if (l2cap_pi(sk)->imtu < skb->len)
2411 goto drop;
2412
2413 if (!sock_queue_rcv_skb(sk, skb))
2414 goto done;
2415
2416drop:
2417 kfree_skb(skb);
2418
2419done:
af05b30b
GP		 2420 if (sk)
2421 bh_unlock_sock(sk);
1da177e4
LT		 2422 return 0;
2423}
2424
2425static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
2426{
2427 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 2428 u16 cid, len;
2429 __le16 psm;
1da177e4
LT		 2430
2431 skb_pull(skb, L2CAP_HDR_SIZE);
2432 cid = __le16_to_cpu(lh->cid);
2433 len = __le16_to_cpu(lh->len);
2434
2435 BT_DBG("len %d, cid 0x%4.4x", len, cid);
2436
2437 switch (cid) {
8db4dc46 2438 case L2CAP_CID_SIGNALING:
1da177e4
LT		 2439 l2cap_sig_channel(conn, skb);
2440 break;
2441
8db4dc46 2442 case L2CAP_CID_CONN_LESS:
8e036fc3 2443 psm = get_unaligned((__le16 *) skb->data);
1da177e4
LT		 2444 skb_pull(skb, 2);
2445 l2cap_conless_channel(conn, psm, skb);
2446 break;
2447
2448 default:
2449 l2cap_data_channel(conn, cid, skb);
2450 break;
2451 }
2452}
2453
2454/* ---- L2CAP interface with lower layer (HCI) ---- */
2455
2456static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
2457{
2458 int exact = 0, lm1 = 0, lm2 = 0;
2459 register struct sock *sk;
2460 struct hlist_node *node;
2461
2462 if (type != ACL_LINK)
2463 return 0;
2464
2465 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
2466
2467 /* Find listening sockets and check their link_mode */
2468 read_lock(&l2cap_sk_list.lock);
2469 sk_for_each(sk, node, &l2cap_sk_list.head) {
2470 if (sk->sk_state != BT_LISTEN)
2471 continue;
2472
2473 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5
MH		 2474 lm1 |= HCI_LM_ACCEPT;
2475 if (l2cap_pi(sk)->role_switch)
2476 lm1 |= HCI_LM_MASTER;
1da177e4 2477 exact++;
2af6b9d5
MH		 2478 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
2479 lm2 |= HCI_LM_ACCEPT;
2480 if (l2cap_pi(sk)->role_switch)
2481 lm2 |= HCI_LM_MASTER;
2482 }
1da177e4
LT		 2483 }
2484 read_unlock(&l2cap_sk_list.lock);
2485
2486 return exact ? lm1 : lm2;
2487}
2488
2489static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
2490{
0139418c
MH		 2491 struct l2cap_conn *conn;
2492
1da177e4
LT		 2493 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
2494
2495 if (hcon->type != ACL_LINK)
2496 return 0;
2497
2498 if (!status) {
1da177e4
LT		 2499 conn = l2cap_conn_add(hcon, status);
2500 if (conn)
2501 l2cap_conn_ready(conn);
0139418c 2502 } else
1da177e4
LT		 2503 l2cap_conn_del(hcon, bt_err(status));
2504
2505 return 0;
2506}
2507
2950f21a
MH		 2508static int l2cap_disconn_ind(struct hci_conn *hcon)
2509{
2510 struct l2cap_conn *conn = hcon->l2cap_data;
2511
2512 BT_DBG("hcon %p", hcon);
2513
2514 if (hcon->type != ACL_LINK || !conn)
2515 return 0x13;
2516
2517 return conn->disc_reason;
2518}
2519
2520static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 2521{
2522 BT_DBG("hcon %p reason %d", hcon, reason);
2523
2524 if (hcon->type != ACL_LINK)
2525 return 0;
2526
2527 l2cap_conn_del(hcon, bt_err(reason));
0139418c 2528
1da177e4
LT		 2529 return 0;
2530}
2531
f62e4323
MH		 2532static inline void l2cap_check_encryption(struct sock *sk, u8 encrypt)
2533{
255c7601
MH		 2534 if (sk->sk_type != SOCK_SEQPACKET)
2535 return;
2536
f62e4323
MH		 2537 if (encrypt == 0x00) {
2538 if (l2cap_pi(sk)->sec_level == BT_SECURITY_MEDIUM) {
2539 l2cap_sock_clear_timer(sk);
2540 l2cap_sock_set_timer(sk, HZ * 5);
2541 } else if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
2542 __l2cap_sock_close(sk, ECONNREFUSED);
2543 } else {
2544 if (l2cap_pi(sk)->sec_level == BT_SECURITY_MEDIUM)
2545 l2cap_sock_clear_timer(sk);
2546 }
2547}
2548
8c1b2355 2549static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4
LT		 2550{
2551 struct l2cap_chan_list *l;
0139418c 2552 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4 2553 struct sock *sk;
1da177e4 2554
0139418c 2555 if (!conn)
1da177e4 2556 return 0;
0139418c 2557
1da177e4
LT		 2558 l = &conn->chan_list;
2559
2560 BT_DBG("conn %p", conn);
2561
2562 read_lock(&l->lock);
2563
2564 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
2565 bh_lock_sock(sk);
2566
6a8d3010
MH		 2567 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_CONNECT_PEND) {
2568 bh_unlock_sock(sk);
2569 continue;
2570 }
2571
f62e4323 2572 if (!status && (sk->sk_state == BT_CONNECTED ||
8c1b2355 2573 sk->sk_state == BT_CONFIG)) {
f62e4323 2574 l2cap_check_encryption(sk, encrypt);
9719f8af
MH		 2575 bh_unlock_sock(sk);
2576 continue;
2577 }
2578
b1235d79
MH		 2579 if (sk->sk_state == BT_CONNECT) {
2580 if (!status) {
2581 struct l2cap_conn_req req;
2582 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
2583 req.psm = l2cap_pi(sk)->psm;
1da177e4 2584
b1235d79 2585 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
1da177e4 2586
b1235d79
MH		 2587 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
2588 L2CAP_CONN_REQ, sizeof(req), &req);
2589 } else {
2590 l2cap_sock_clear_timer(sk);
2591 l2cap_sock_set_timer(sk, HZ / 10);
2592 }
2593 } else if (sk->sk_state == BT_CONNECT2) {
2594 struct l2cap_conn_rsp rsp;
2595 __u16 result;
1da177e4 2596
b1235d79
MH		 2597 if (!status) {
2598 sk->sk_state = BT_CONFIG;
2599 result = L2CAP_CR_SUCCESS;
2600 } else {
2601 sk->sk_state = BT_DISCONN;
2602 l2cap_sock_set_timer(sk, HZ / 10);
2603 result = L2CAP_CR_SEC_BLOCK;
2604 }
2605
2606 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
2607 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
2608 rsp.result = cpu_to_le16(result);
e7c29cb1 2609 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
b1235d79
MH		 2610 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
2611 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2612 }
1da177e4
LT		 2613
2614 bh_unlock_sock(sk);
2615 }
2616
2617 read_unlock(&l->lock);
b1235d79 2618
1da177e4
LT		 2619 return 0;
2620}
2621
2622static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
2623{
2624 struct l2cap_conn *conn = hcon->l2cap_data;
2625
2626 if (!conn && !(conn = l2cap_conn_add(hcon, 0)))
2627 goto drop;
2628
2629 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
2630
2631 if (flags & ACL_START) {
2632 struct l2cap_hdr *hdr;
2633 int len;
2634
2635 if (conn->rx_len) {
2636 BT_ERR("Unexpected start frame (len %d)", skb->len);
2637 kfree_skb(conn->rx_skb);
2638 conn->rx_skb = NULL;
2639 conn->rx_len = 0;
2640 l2cap_conn_unreliable(conn, ECOMM);
2641 }
2642
2643 if (skb->len < 2) {
2644 BT_ERR("Frame is too short (len %d)", skb->len);
2645 l2cap_conn_unreliable(conn, ECOMM);
2646 goto drop;
2647 }
2648
2649 hdr = (struct l2cap_hdr *) skb->data;
2650 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
2651
2652 if (len == skb->len) {
2653 /* Complete frame received */
2654 l2cap_recv_frame(conn, skb);
2655 return 0;
2656 }
2657
2658 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
2659
2660 if (skb->len > len) {
2661 BT_ERR("Frame is too long (len %d, expected len %d)",
2662 skb->len, len);
2663 l2cap_conn_unreliable(conn, ECOMM);
2664 goto drop;
2665 }
2666
2667 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 2668 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
2669 if (!conn->rx_skb)
1da177e4
LT		 2670 goto drop;
2671
d626f62b 2672 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 2673 skb->len);
1da177e4
LT		 2674 conn->rx_len = len - skb->len;
2675 } else {
2676 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
2677
2678 if (!conn->rx_len) {
2679 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
2680 l2cap_conn_unreliable(conn, ECOMM);
2681 goto drop;
2682 }
2683
2684 if (skb->len > conn->rx_len) {
2685 BT_ERR("Fragment is too long (len %d, expected %d)",
2686 skb->len, conn->rx_len);
2687 kfree_skb(conn->rx_skb);
2688 conn->rx_skb = NULL;
2689 conn->rx_len = 0;
2690 l2cap_conn_unreliable(conn, ECOMM);
2691 goto drop;
2692 }
2693
d626f62b 2694 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 2695 skb->len);
1da177e4
LT		 2696 conn->rx_len -= skb->len;
2697
2698 if (!conn->rx_len) {
2699 /* Complete frame received */
2700 l2cap_recv_frame(conn, conn->rx_skb);
2701 conn->rx_skb = NULL;
2702 }
2703 }
2704
2705drop:
2706 kfree_skb(skb);
2707 return 0;
2708}
2709
be9d1227 2710static ssize_t l2cap_sysfs_show(struct class *dev, char *buf)
1da177e4
LT		 2711{
2712 struct sock *sk;
2713 struct hlist_node *node;
be9d1227 2714 char *str = buf;
1da177e4
LT		 2715
2716 read_lock_bh(&l2cap_sk_list.lock);
2717
be9d1227
MH		 2718 sk_for_each(sk, node, &l2cap_sk_list.head) {
2719 struct l2cap_pinfo *pi = l2cap_pi(sk);
1da177e4 2720
2af6b9d5 2721 str += sprintf(str, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d\n",
be9d1227 2722 batostr(&bt_sk(sk)->src), batostr(&bt_sk(sk)->dst),
73863976 2723 sk->sk_state, btohs(pi->psm), pi->scid, pi->dcid,
2af6b9d5 2724 pi->imtu, pi->omtu, pi->sec_level);
be9d1227 2725 }
1da177e4 2726
1da177e4 2727 read_unlock_bh(&l2cap_sk_list.lock);
1da177e4 2728
af05b30b 2729 return str - buf;
1da177e4
LT		 2730}
2731
be9d1227 2732static CLASS_ATTR(l2cap, S_IRUGO, l2cap_sysfs_show, NULL);
1da177e4 2733
90ddc4f0 2734static const struct proto_ops l2cap_sock_ops = {
1da177e4
LT		 2735 .family = PF_BLUETOOTH,
2736 .owner = THIS_MODULE,
2737 .release = l2cap_sock_release,
2738 .bind = l2cap_sock_bind,
2739 .connect = l2cap_sock_connect,
2740 .listen = l2cap_sock_listen,
2741 .accept = l2cap_sock_accept,
2742 .getname = l2cap_sock_getname,
2743 .sendmsg = l2cap_sock_sendmsg,
f66dc81f 2744 .recvmsg = l2cap_sock_recvmsg,
1da177e4 2745 .poll = bt_sock_poll,
3241ad82 2746 .ioctl = bt_sock_ioctl,
1da177e4
LT		 2747 .mmap = sock_no_mmap,
2748 .socketpair = sock_no_socketpair,
1da177e4
LT		 2749 .shutdown = l2cap_sock_shutdown,
2750 .setsockopt = l2cap_sock_setsockopt,
2751 .getsockopt = l2cap_sock_getsockopt
2752};
2753
2754static struct net_proto_family l2cap_sock_family_ops = {
2755 .family = PF_BLUETOOTH,
2756 .owner = THIS_MODULE,
2757 .create = l2cap_sock_create,
2758};
2759
2760static struct hci_proto l2cap_hci_proto = {
2761 .name = "L2CAP",
2762 .id = HCI_PROTO_L2CAP,
2763 .connect_ind = l2cap_connect_ind,
2764 .connect_cfm = l2cap_connect_cfm,
2765 .disconn_ind = l2cap_disconn_ind,
2950f21a 2766 .disconn_cfm = l2cap_disconn_cfm,
8c1b2355 2767 .security_cfm = l2cap_security_cfm,
1da177e4
LT		 2768 .recv_acldata = l2cap_recv_acldata
2769};
2770
2771static int __init l2cap_init(void)
2772{
2773 int err;
be9d1227 2774
1da177e4
LT		 2775 err = proto_register(&l2cap_proto, 0);
2776 if (err < 0)
2777 return err;
2778
2779 err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
2780 if (err < 0) {
2781 BT_ERR("L2CAP socket registration failed");
2782 goto error;
2783 }
2784
2785 err = hci_register_proto(&l2cap_hci_proto);
2786 if (err < 0) {
2787 BT_ERR("L2CAP protocol registration failed");
2788 bt_sock_unregister(BTPROTO_L2CAP);
2789 goto error;
2790 }
2791
df5c37ea
MH		 2792 if (class_create_file(bt_class, &class_attr_l2cap) < 0)
2793 BT_ERR("Failed to create L2CAP info file");
1da177e4
LT		 2794
2795 BT_INFO("L2CAP ver %s", VERSION);
2796 BT_INFO("L2CAP socket layer initialized");
2797
2798 return 0;
2799
2800error:
2801 proto_unregister(&l2cap_proto);
2802 return err;
2803}
2804
2805static void __exit l2cap_exit(void)
2806{
a91f2e39 2807 class_remove_file(bt_class, &class_attr_l2cap);
1da177e4
LT		 2808
2809 if (bt_sock_unregister(BTPROTO_L2CAP) < 0)
2810 BT_ERR("L2CAP socket unregistration failed");
2811
2812 if (hci_unregister_proto(&l2cap_hci_proto) < 0)
2813 BT_ERR("L2CAP protocol unregistration failed");
2814
2815 proto_unregister(&l2cap_proto);
2816}
2817
2818void l2cap_load(void)
2819{
2820 /* Dummy function to trigger automatic L2CAP module loading by
2821 * other modules that use L2CAP sockets but don't use any other
2822 * symbols from it. */
2823 return;
2824}
2825EXPORT_SYMBOL(l2cap_load);
2826
2827module_init(l2cap_init);
2828module_exit(l2cap_exit);
2829
63fbd24e 2830MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
1da177e4
LT		 2831MODULE_DESCRIPTION("Bluetooth L2CAP ver " VERSION);
2832MODULE_VERSION(VERSION);
2833MODULE_LICENSE("GPL");
2834MODULE_ALIAS("bt-proto-0");
Clone of davem's net-next-2.6 tree