projects / linux-2.6-block.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Ask upper layers for HCI disconnect reason
[linux-2.6-block.git] / net / bluetooth / l2cap.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4
5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License version 2 as
9 published by the Free Software Foundation;
10
11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19
8e87d142
YH		 20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 22 SOFTWARE IS DISCLAIMED.
23*/
24
25/* Bluetooth L2CAP core and sockets. */
26
1da177e4
LT		 27#include <linux/module.h>
28
29#include <linux/types.h>
4fc268d2 30#include <linux/capability.h>
1da177e4
LT		 31#include <linux/errno.h>
32#include <linux/kernel.h>
1da177e4
LT		 33#include <linux/sched.h>
34#include <linux/slab.h>
35#include <linux/poll.h>
36#include <linux/fcntl.h>
37#include <linux/init.h>
38#include <linux/interrupt.h>
39#include <linux/socket.h>
40#include <linux/skbuff.h>
1da177e4 41#include <linux/list.h>
be9d1227 42#include <linux/device.h>
1da177e4
LT		 43#include <net/sock.h>
44
45#include <asm/system.h>
46#include <asm/uaccess.h>
47#include <asm/unaligned.h>
48
49#include <net/bluetooth/bluetooth.h>
50#include <net/bluetooth/hci_core.h>
51#include <net/bluetooth/l2cap.h>
52
e1027a7c 53#define VERSION "2.13"
f0709e03 54
e1027a7c
MH		 55static u32 l2cap_feat_mask = 0x0080;
56static u8 l2cap_fixed_chan[8] = { 0x02, };
1da177e4 57
90ddc4f0 58static const struct proto_ops l2cap_sock_ops;
1da177e4
LT		 59
60static struct bt_sock_list l2cap_sk_list = {
d5fb2962 61 .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
1da177e4
LT		 62};
63
1da177e4
LT		 64static void __l2cap_sock_close(struct sock *sk, int reason);
65static void l2cap_sock_close(struct sock *sk);
66static void l2cap_sock_kill(struct sock *sk);
67
68static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
69 u8 code, u8 ident, u16 dlen, void *data);
70
71/* ---- L2CAP timers ---- */
72static void l2cap_sock_timeout(unsigned long arg)
73{
74 struct sock *sk = (struct sock *) arg;
b1235d79 75 int reason;
1da177e4
LT		 76
77 BT_DBG("sock %p state %d", sk, sk->sk_state);
78
79 bh_lock_sock(sk);
b1235d79 80
f62e4323
MH		 81 if (sk->sk_state == BT_CONNECTED || sk->sk_state == BT_CONFIG)
82 reason = ECONNREFUSED;
83 else if (sk->sk_state == BT_CONNECT &&
2af6b9d5 84 l2cap_pi(sk)->sec_level != BT_SECURITY_SDP)
b1235d79
MH		 85 reason = ECONNREFUSED;
86 else
87 reason = ETIMEDOUT;
88
89 __l2cap_sock_close(sk, reason);
90
1da177e4
LT		 91 bh_unlock_sock(sk);
92
93 l2cap_sock_kill(sk);
94 sock_put(sk);
95}
96
97static void l2cap_sock_set_timer(struct sock *sk, long timeout)
98{
99 BT_DBG("sk %p state %d timeout %ld", sk, sk->sk_state, timeout);
100 sk_reset_timer(sk, &sk->sk_timer, jiffies + timeout);
101}
102
103static void l2cap_sock_clear_timer(struct sock *sk)
104{
105 BT_DBG("sock %p state %d", sk, sk->sk_state);
106 sk_stop_timer(sk, &sk->sk_timer);
107}
108
0139418c
MH		 109/* ---- L2CAP channels ---- */
110static struct sock *__l2cap_get_chan_by_dcid(struct l2cap_chan_list *l, u16 cid)
111{
112 struct sock *s;
113 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
114 if (l2cap_pi(s)->dcid == cid)
115 break;
116 }
117 return s;
118}
119
120static struct sock *__l2cap_get_chan_by_scid(struct l2cap_chan_list *l, u16 cid)
121{
122 struct sock *s;
123 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
124 if (l2cap_pi(s)->scid == cid)
125 break;
126 }
127 return s;
128}
129
130/* Find channel with given SCID.
131 * Returns locked socket */
132static inline struct sock *l2cap_get_chan_by_scid(struct l2cap_chan_list *l, u16 cid)
133{
134 struct sock *s;
135 read_lock(&l->lock);
136 s = __l2cap_get_chan_by_scid(l, cid);
137 if (s) bh_lock_sock(s);
138 read_unlock(&l->lock);
139 return s;
140}
141
142static struct sock *__l2cap_get_chan_by_ident(struct l2cap_chan_list *l, u8 ident)
143{
144 struct sock *s;
145 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
146 if (l2cap_pi(s)->ident == ident)
147 break;
148 }
149 return s;
150}
151
152static inline struct sock *l2cap_get_chan_by_ident(struct l2cap_chan_list *l, u8 ident)
153{
154 struct sock *s;
155 read_lock(&l->lock);
156 s = __l2cap_get_chan_by_ident(l, ident);
157 if (s) bh_lock_sock(s);
158 read_unlock(&l->lock);
159 return s;
160}
161
162static u16 l2cap_alloc_cid(struct l2cap_chan_list *l)
163{
164 u16 cid = 0x0040;
165
166 for (; cid < 0xffff; cid++) {
167 if(!__l2cap_get_chan_by_scid(l, cid))
168 return cid;
169 }
170
171 return 0;
172}
173
174static inline void __l2cap_chan_link(struct l2cap_chan_list *l, struct sock *sk)
175{
176 sock_hold(sk);
177
178 if (l->head)
179 l2cap_pi(l->head)->prev_c = sk;
180
181 l2cap_pi(sk)->next_c = l->head;
182 l2cap_pi(sk)->prev_c = NULL;
183 l->head = sk;
184}
185
186static inline void l2cap_chan_unlink(struct l2cap_chan_list *l, struct sock *sk)
187{
188 struct sock *next = l2cap_pi(sk)->next_c, *prev = l2cap_pi(sk)->prev_c;
189
fd1278d7 190 write_lock_bh(&l->lock);
0139418c
MH		 191 if (sk == l->head)
192 l->head = next;
193
194 if (next)
195 l2cap_pi(next)->prev_c = prev;
196 if (prev)
197 l2cap_pi(prev)->next_c = next;
fd1278d7 198 write_unlock_bh(&l->lock);
0139418c
MH		 199
200 __sock_put(sk);
201}
202
203static void __l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent)
204{
205 struct l2cap_chan_list *l = &conn->chan_list;
206
207 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn, l2cap_pi(sk)->psm, l2cap_pi(sk)->dcid);
208
2950f21a
MH		 209 conn->disc_reason = 0x13;
210
0139418c
MH		 211 l2cap_pi(sk)->conn = conn;
212
213 if (sk->sk_type == SOCK_SEQPACKET) {
214 /* Alloc CID for connection-oriented socket */
215 l2cap_pi(sk)->scid = l2cap_alloc_cid(l);
216 } else if (sk->sk_type == SOCK_DGRAM) {
217 /* Connectionless socket */
218 l2cap_pi(sk)->scid = 0x0002;
219 l2cap_pi(sk)->dcid = 0x0002;
220 l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU;
221 } else {
222 /* Raw socket can send/recv signalling messages only */
223 l2cap_pi(sk)->scid = 0x0001;
224 l2cap_pi(sk)->dcid = 0x0001;
225 l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU;
226 }
227
228 __l2cap_chan_link(l, sk);
229
230 if (parent)
231 bt_accept_enqueue(parent, sk);
232}
233
8e87d142 234/* Delete channel.
0139418c
MH		 235 * Must be called on the locked socket. */
236static void l2cap_chan_del(struct sock *sk, int err)
237{
238 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
239 struct sock *parent = bt_sk(sk)->parent;
240
241 l2cap_sock_clear_timer(sk);
242
243 BT_DBG("sk %p, conn %p, err %d", sk, conn, err);
244
8e87d142 245 if (conn) {
0139418c
MH		 246 /* Unlink from channel list */
247 l2cap_chan_unlink(&conn->chan_list, sk);
248 l2cap_pi(sk)->conn = NULL;
249 hci_conn_put(conn->hcon);
250 }
251
b1235d79 252 sk->sk_state = BT_CLOSED;
0139418c
MH		 253 sock_set_flag(sk, SOCK_ZAPPED);
254
255 if (err)
256 sk->sk_err = err;
257
258 if (parent) {
259 bt_accept_unlink(sk);
260 parent->sk_data_ready(parent, 0);
261 } else
262 sk->sk_state_change(sk);
263}
264
79d554a6 265/* Service level security */
2af6b9d5 266static inline int l2cap_check_security(struct sock *sk)
79d554a6
MH		 267{
268 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
0684e5f9
MH		 269 __u8 auth_type;
270
271 switch (l2cap_pi(sk)->sec_level) {
272 case BT_SECURITY_HIGH:
273 auth_type = HCI_AT_GENERAL_BONDING_MITM;
274 break;
275 case BT_SECURITY_MEDIUM:
276 auth_type = HCI_AT_GENERAL_BONDING;
277 break;
278 default:
279 auth_type = HCI_AT_NO_BONDING;
280 break;
281 }
79d554a6 282
0684e5f9
MH		 283 return hci_conn_security(conn->hcon, l2cap_pi(sk)->sec_level,
284 auth_type);
79d554a6
MH		 285}
286
4e8402a3
MH		 287static inline u8 l2cap_get_ident(struct l2cap_conn *conn)
288{
289 u8 id;
290
291 /* Get next available identificator.
292 * 1 - 128 are used by kernel.
293 * 129 - 199 are reserved.
294 * 200 - 254 are used by utilities like l2ping, etc.
295 */
296
297 spin_lock_bh(&conn->lock);
298
299 if (++conn->tx_ident > 128)
300 conn->tx_ident = 1;
301
302 id = conn->tx_ident;
303
304 spin_unlock_bh(&conn->lock);
305
306 return id;
307}
308
309static inline int l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
310{
311 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
312
313 BT_DBG("code 0x%2.2x", code);
314
315 if (!skb)
316 return -ENOMEM;
317
318 return hci_send_acl(conn->hcon, skb, 0);
319}
320
79d554a6
MH		 321static void l2cap_do_start(struct sock *sk)
322{
323 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
324
325 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 326 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
327 return;
328
2af6b9d5 329 if (l2cap_check_security(sk)) {
b1235d79
MH		 330 struct l2cap_conn_req req;
331 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
332 req.psm = l2cap_pi(sk)->psm;
79d554a6 333
b1235d79 334 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
79d554a6 335
b1235d79 336 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
79d554a6 337 L2CAP_CONN_REQ, sizeof(req), &req);
b1235d79 338 }
79d554a6
MH		 339 } else {
340 struct l2cap_info_req req;
341 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
342
343 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
344 conn->info_ident = l2cap_get_ident(conn);
345
346 mod_timer(&conn->info_timer, jiffies +
347 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
348
349 l2cap_send_cmd(conn, conn->info_ident,
350 L2CAP_INFO_REQ, sizeof(req), &req);
351 }
352}
353
1da177e4 354/* ---- L2CAP connections ---- */
4e8402a3
MH		 355static void l2cap_conn_start(struct l2cap_conn *conn)
356{
357 struct l2cap_chan_list *l = &conn->chan_list;
358 struct sock *sk;
359
360 BT_DBG("conn %p", conn);
361
362 read_lock(&l->lock);
363
364 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
365 bh_lock_sock(sk);
366
367 if (sk->sk_type != SOCK_SEQPACKET) {
79d554a6
MH		 368 bh_unlock_sock(sk);
369 continue;
370 }
371
372 if (sk->sk_state == BT_CONNECT) {
2af6b9d5 373 if (l2cap_check_security(sk)) {
b1235d79
MH		 374 struct l2cap_conn_req req;
375 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
376 req.psm = l2cap_pi(sk)->psm;
79d554a6 377
b1235d79 378 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
79d554a6 379
b1235d79 380 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
4e8402a3 381 L2CAP_CONN_REQ, sizeof(req), &req);
b1235d79 382 }
79d554a6
MH		 383 } else if (sk->sk_state == BT_CONNECT2) {
384 struct l2cap_conn_rsp rsp;
385 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
386 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
387
2af6b9d5 388 if (l2cap_check_security(sk)) {
f66dc81f
MH		 389 if (bt_sk(sk)->defer_setup) {
390 struct sock *parent = bt_sk(sk)->parent;
391 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
392 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
393 parent->sk_data_ready(parent, 0);
394
395 } else {
396 sk->sk_state = BT_CONFIG;
397 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
398 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
399 }
79d554a6
MH		 400 } else {
401 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
402 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
403 }
404
405 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
406 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
4e8402a3
MH		 407 }
408
409 bh_unlock_sock(sk);
410 }
411
412 read_unlock(&l->lock);
413}
414
415static void l2cap_conn_ready(struct l2cap_conn *conn)
416{
79d554a6
MH		 417 struct l2cap_chan_list *l = &conn->chan_list;
418 struct sock *sk;
4e8402a3 419
79d554a6 420 BT_DBG("conn %p", conn);
4e8402a3 421
79d554a6 422 read_lock(&l->lock);
4e8402a3 423
79d554a6
MH		 424 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
425 bh_lock_sock(sk);
4e8402a3 426
79d554a6
MH		 427 if (sk->sk_type != SOCK_SEQPACKET) {
428 l2cap_sock_clear_timer(sk);
429 sk->sk_state = BT_CONNECTED;
430 sk->sk_state_change(sk);
431 } else if (sk->sk_state == BT_CONNECT)
432 l2cap_do_start(sk);
4e8402a3 433
79d554a6 434 bh_unlock_sock(sk);
4e8402a3 435 }
79d554a6
MH		 436
437 read_unlock(&l->lock);
4e8402a3
MH		 438}
439
440/* Notify sockets that we cannot guaranty reliability anymore */
441static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
442{
443 struct l2cap_chan_list *l = &conn->chan_list;
444 struct sock *sk;
445
446 BT_DBG("conn %p", conn);
447
448 read_lock(&l->lock);
449
450 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
2af6b9d5 451 if (l2cap_pi(sk)->force_reliable)
4e8402a3
MH		 452 sk->sk_err = err;
453 }
454
455 read_unlock(&l->lock);
456}
457
458static void l2cap_info_timeout(unsigned long arg)
459{
460 struct l2cap_conn *conn = (void *) arg;
461
984947dc 462 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 463 conn->info_ident = 0;
984947dc 464
4e8402a3
MH		 465 l2cap_conn_start(conn);
466}
467
1da177e4
LT		 468static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
469{
0139418c 470 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4 471
0139418c 472 if (conn || status)
1da177e4
LT		 473 return conn;
474
0139418c
MH		 475 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
476 if (!conn)
1da177e4 477 return NULL;
1da177e4
LT		 478
479 hcon->l2cap_data = conn;
480 conn->hcon = hcon;
481
0139418c
MH		 482 BT_DBG("hcon %p conn %p", hcon, conn);
483
1da177e4
LT		 484 conn->mtu = hcon->hdev->acl_mtu;
485 conn->src = &hcon->hdev->bdaddr;
486 conn->dst = &hcon->dst;
487
4e8402a3
MH		 488 conn->feat_mask = 0;
489
b1235d79
MH		 490 setup_timer(&conn->info_timer, l2cap_info_timeout,
491 (unsigned long) conn);
4e8402a3 492
1da177e4
LT		 493 spin_lock_init(&conn->lock);
494 rwlock_init(&conn->chan_list.lock);
495
2950f21a
MH		 496 conn->disc_reason = 0x13;
497
1da177e4
LT		 498 return conn;
499}
500
0139418c 501static void l2cap_conn_del(struct hci_conn *hcon, int err)
1da177e4 502{
0139418c 503 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4
LT		 504 struct sock *sk;
505
0139418c
MH		 506 if (!conn)
507 return;
1da177e4
LT		 508
509 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
510
511 if (conn->rx_skb)
512 kfree_skb(conn->rx_skb);
513
514 /* Kill channels */
515 while ((sk = conn->chan_list.head)) {
516 bh_lock_sock(sk);
517 l2cap_chan_del(sk, err);
518 bh_unlock_sock(sk);
519 l2cap_sock_kill(sk);
520 }
521
8e8440f5
DY		 522 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
523 del_timer_sync(&conn->info_timer);
3ab22731 524
1da177e4
LT		 525 hcon->l2cap_data = NULL;
526 kfree(conn);
1da177e4
LT		 527}
528
529static inline void l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent)
530{
531 struct l2cap_chan_list *l = &conn->chan_list;
fd1278d7 532 write_lock_bh(&l->lock);
1da177e4 533 __l2cap_chan_add(conn, sk, parent);
fd1278d7 534 write_unlock_bh(&l->lock);
1da177e4
LT		 535}
536
1da177e4 537/* ---- Socket interface ---- */
8e036fc3 538static struct sock *__l2cap_get_sock_by_addr(__le16 psm, bdaddr_t *src)
1da177e4
LT		 539{
540 struct sock *sk;
541 struct hlist_node *node;
542 sk_for_each(sk, node, &l2cap_sk_list.head)
543 if (l2cap_pi(sk)->sport == psm && !bacmp(&bt_sk(sk)->src, src))
544 goto found;
545 sk = NULL;
546found:
547 return sk;
548}
549
550/* Find socket with psm and source bdaddr.
551 * Returns closest match.
552 */
8e036fc3 553static struct sock *__l2cap_get_sock_by_psm(int state, __le16 psm, bdaddr_t *src)
1da177e4
LT		 554{
555 struct sock *sk = NULL, *sk1 = NULL;
556 struct hlist_node *node;
557
558 sk_for_each(sk, node, &l2cap_sk_list.head) {
559 if (state && sk->sk_state != state)
560 continue;
561
562 if (l2cap_pi(sk)->psm == psm) {
563 /* Exact match. */
564 if (!bacmp(&bt_sk(sk)->src, src))
565 break;
566
567 /* Closest match */
568 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
569 sk1 = sk;
570 }
571 }
572 return node ? sk : sk1;
573}
574
575/* Find socket with given address (psm, src).
576 * Returns locked socket */
8e036fc3 577static inline struct sock *l2cap_get_sock_by_psm(int state, __le16 psm, bdaddr_t *src)
1da177e4
LT		 578{
579 struct sock *s;
580 read_lock(&l2cap_sk_list.lock);
581 s = __l2cap_get_sock_by_psm(state, psm, src);
582 if (s) bh_lock_sock(s);
583 read_unlock(&l2cap_sk_list.lock);
584 return s;
585}
586
587static void l2cap_sock_destruct(struct sock *sk)
588{
589 BT_DBG("sk %p", sk);
590
591 skb_queue_purge(&sk->sk_receive_queue);
592 skb_queue_purge(&sk->sk_write_queue);
593}
594
595static void l2cap_sock_cleanup_listen(struct sock *parent)
596{
597 struct sock *sk;
598
599 BT_DBG("parent %p", parent);
600
601 /* Close not yet accepted channels */
602 while ((sk = bt_accept_dequeue(parent, NULL)))
603 l2cap_sock_close(sk);
604
b1235d79 605 parent->sk_state = BT_CLOSED;
1da177e4
LT		 606 sock_set_flag(parent, SOCK_ZAPPED);
607}
608
609/* Kill socket (only if zapped and orphan)
610 * Must be called on unlocked socket.
611 */
612static void l2cap_sock_kill(struct sock *sk)
613{
614 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
615 return;
616
617 BT_DBG("sk %p state %d", sk, sk->sk_state);
618
619 /* Kill poor orphan */
620 bt_sock_unlink(&l2cap_sk_list, sk);
621 sock_set_flag(sk, SOCK_DEAD);
622 sock_put(sk);
623}
624
625static void __l2cap_sock_close(struct sock *sk, int reason)
626{
627 BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
628
629 switch (sk->sk_state) {
630 case BT_LISTEN:
631 l2cap_sock_cleanup_listen(sk);
632 break;
633
634 case BT_CONNECTED:
635 case BT_CONFIG:
1da177e4
LT		 636 if (sk->sk_type == SOCK_SEQPACKET) {
637 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
638 struct l2cap_disconn_req req;
639
640 sk->sk_state = BT_DISCONN;
641 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
642
aca3192c
YH		 643 req.dcid = cpu_to_le16(l2cap_pi(sk)->dcid);
644 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
1da177e4
LT		 645 l2cap_send_cmd(conn, l2cap_get_ident(conn),
646 L2CAP_DISCONN_REQ, sizeof(req), &req);
b1235d79 647 } else
1da177e4 648 l2cap_chan_del(sk, reason);
1da177e4
LT		 649 break;
650
f66dc81f
MH		 651 case BT_CONNECT2:
652 if (sk->sk_type == SOCK_SEQPACKET) {
653 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
654 struct l2cap_conn_rsp rsp;
655 __u16 result;
656
657 if (bt_sk(sk)->defer_setup)
658 result = L2CAP_CR_SEC_BLOCK;
659 else
660 result = L2CAP_CR_BAD_PSM;
661
662 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
663 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
664 rsp.result = cpu_to_le16(result);
665 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
666 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
667 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
668 } else
669 l2cap_chan_del(sk, reason);
670 break;
671
1da177e4
LT		 672 case BT_CONNECT:
673 case BT_DISCONN:
674 l2cap_chan_del(sk, reason);
675 break;
676
677 default:
678 sock_set_flag(sk, SOCK_ZAPPED);
679 break;
680 }
681}
682
683/* Must be called on unlocked socket. */
684static void l2cap_sock_close(struct sock *sk)
685{
686 l2cap_sock_clear_timer(sk);
687 lock_sock(sk);
688 __l2cap_sock_close(sk, ECONNRESET);
689 release_sock(sk);
690 l2cap_sock_kill(sk);
691}
692
693static void l2cap_sock_init(struct sock *sk, struct sock *parent)
694{
695 struct l2cap_pinfo *pi = l2cap_pi(sk);
696
697 BT_DBG("sk %p", sk);
698
699 if (parent) {
700 sk->sk_type = parent->sk_type;
f66dc81f
MH		 701 bt_sk(sk)->defer_setup = bt_sk(parent)->defer_setup;
702
1da177e4
LT		 703 pi->imtu = l2cap_pi(parent)->imtu;
704 pi->omtu = l2cap_pi(parent)->omtu;
2af6b9d5
MH		 705 pi->sec_level = l2cap_pi(parent)->sec_level;
706 pi->role_switch = l2cap_pi(parent)->role_switch;
707 pi->force_reliable = l2cap_pi(parent)->force_reliable;
1da177e4
LT		 708 } else {
709 pi->imtu = L2CAP_DEFAULT_MTU;
710 pi->omtu = 0;
2af6b9d5
MH		 711 pi->sec_level = BT_SECURITY_LOW;
712 pi->role_switch = 0;
713 pi->force_reliable = 0;
1da177e4
LT		 714 }
715
716 /* Default config options */
5dee9e7c 717 pi->conf_len = 0;
1da177e4
LT		 718 pi->flush_to = L2CAP_DEFAULT_FLUSH_TO;
719}
720
721static struct proto l2cap_proto = {
722 .name = "L2CAP",
723 .owner = THIS_MODULE,
724 .obj_size = sizeof(struct l2cap_pinfo)
725};
726
1b8d7ae4 727static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio)
1da177e4
LT		 728{
729 struct sock *sk;
730
6257ff21 731 sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto);
1da177e4
LT		 732 if (!sk)
733 return NULL;
734
735 sock_init_data(sock, sk);
736 INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
737
738 sk->sk_destruct = l2cap_sock_destruct;
4e8402a3 739 sk->sk_sndtimeo = msecs_to_jiffies(L2CAP_CONN_TIMEOUT);
1da177e4
LT		 740
741 sock_reset_flag(sk, SOCK_ZAPPED);
742
743 sk->sk_protocol = proto;
b1235d79 744 sk->sk_state = BT_OPEN;
1da177e4 745
b1235d79 746 setup_timer(&sk->sk_timer, l2cap_sock_timeout, (unsigned long) sk);
1da177e4
LT		 747
748 bt_sock_link(&l2cap_sk_list, sk);
749 return sk;
750}
751
1b8d7ae4 752static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol)
1da177e4
LT		 753{
754 struct sock *sk;
755
756 BT_DBG("sock %p", sock);
757
758 sock->state = SS_UNCONNECTED;
759
760 if (sock->type != SOCK_SEQPACKET &&
761 sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
762 return -ESOCKTNOSUPPORT;
763
764 if (sock->type == SOCK_RAW && !capable(CAP_NET_RAW))
765 return -EPERM;
766
767 sock->ops = &l2cap_sock_ops;
768
1b8d7ae4 769 sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC);
1da177e4
LT		 770 if (!sk)
771 return -ENOMEM;
772
773 l2cap_sock_init(sk, NULL);
774 return 0;
775}
776
f29972de 777static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
1da177e4 778{
1da177e4 779 struct sock *sk = sock->sk;
f29972de
MH		 780 struct sockaddr_l2 la;
781 int len, err = 0;
1da177e4 782
f29972de 783 BT_DBG("sk %p", sk);
1da177e4
LT		 784
785 if (!addr || addr->sa_family != AF_BLUETOOTH)
786 return -EINVAL;
787
f29972de
MH		 788 memset(&la, 0, sizeof(la));
789 len = min_t(unsigned int, sizeof(la), alen);
790 memcpy(&la, addr, len);
791
1da177e4
LT		 792 lock_sock(sk);
793
794 if (sk->sk_state != BT_OPEN) {
795 err = -EBADFD;
796 goto done;
797 }
798
f29972de 799 if (la.l2_psm && btohs(la.l2_psm) < 0x1001 &&
847641d7
MH		 800 !capable(CAP_NET_BIND_SERVICE)) {
801 err = -EACCES;
802 goto done;
803 }
8e87d142 804
1da177e4
LT		 805 write_lock_bh(&l2cap_sk_list.lock);
806
f29972de 807 if (la.l2_psm && __l2cap_get_sock_by_addr(la.l2_psm, &la.l2_bdaddr)) {
1da177e4
LT		 808 err = -EADDRINUSE;
809 } else {
810 /* Save source address */
f29972de
MH		 811 bacpy(&bt_sk(sk)->src, &la.l2_bdaddr);
812 l2cap_pi(sk)->psm = la.l2_psm;
813 l2cap_pi(sk)->sport = la.l2_psm;
1da177e4 814 sk->sk_state = BT_BOUND;
2af6b9d5 815
f29972de 816 if (btohs(la.l2_psm) == 0x0001 || btohs(la.l2_psm) == 0x0003)
2af6b9d5 817 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
1da177e4
LT		 818 }
819
820 write_unlock_bh(&l2cap_sk_list.lock);
821
822done:
823 release_sock(sk);
824 return err;
825}
826
827static int l2cap_do_connect(struct sock *sk)
828{
829 bdaddr_t *src = &bt_sk(sk)->src;
830 bdaddr_t *dst = &bt_sk(sk)->dst;
831 struct l2cap_conn *conn;
832 struct hci_conn *hcon;
833 struct hci_dev *hdev;
09ab6f4c 834 __u8 auth_type;
1da177e4
LT		 835 int err = 0;
836
f29972de
MH		 837 BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
838 l2cap_pi(sk)->psm);
1da177e4
LT		 839
840 if (!(hdev = hci_get_route(dst, src)))
841 return -EHOSTUNREACH;
842
843 hci_dev_lock_bh(hdev);
844
845 err = -ENOMEM;
846
8c1b2355 847 if (sk->sk_type == SOCK_RAW) {
2af6b9d5
MH		 848 switch (l2cap_pi(sk)->sec_level) {
849 case BT_SECURITY_HIGH:
8c1b2355 850 auth_type = HCI_AT_DEDICATED_BONDING_MITM;
2af6b9d5
MH		 851 break;
852 case BT_SECURITY_MEDIUM:
8c1b2355 853 auth_type = HCI_AT_DEDICATED_BONDING;
2af6b9d5
MH		 854 break;
855 default:
09ab6f4c 856 auth_type = HCI_AT_NO_BONDING;
2af6b9d5
MH		 857 break;
858 }
8c1b2355 859 } else if (l2cap_pi(sk)->psm == cpu_to_le16(0x0001)) {
2af6b9d5 860 if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
8c1b2355 861 auth_type = HCI_AT_NO_BONDING_MITM;
09ab6f4c 862 else
8c1b2355 863 auth_type = HCI_AT_NO_BONDING;
435fef20
MH		 864
865 if (l2cap_pi(sk)->sec_level == BT_SECURITY_LOW)
866 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
8c1b2355 867 } else {
2af6b9d5
MH		 868 switch (l2cap_pi(sk)->sec_level) {
869 case BT_SECURITY_HIGH:
8c1b2355 870 auth_type = HCI_AT_GENERAL_BONDING_MITM;
2af6b9d5
MH		 871 break;
872 case BT_SECURITY_MEDIUM:
09ab6f4c 873 auth_type = HCI_AT_GENERAL_BONDING;
2af6b9d5
MH		 874 break;
875 default:
8c1b2355 876 auth_type = HCI_AT_NO_BONDING;
2af6b9d5
MH		 877 break;
878 }
09ab6f4c
MH		 879 }
880
2af6b9d5
MH		 881 hcon = hci_connect(hdev, ACL_LINK, dst,
882 l2cap_pi(sk)->sec_level, auth_type);
1da177e4
LT		 883 if (!hcon)
884 goto done;
885
886 conn = l2cap_conn_add(hcon, 0);
887 if (!conn) {
888 hci_conn_put(hcon);
889 goto done;
890 }
891
892 err = 0;
893
894 /* Update source addr of the socket */
895 bacpy(src, conn->src);
896
897 l2cap_chan_add(conn, sk, NULL);
898
899 sk->sk_state = BT_CONNECT;
900 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
901
902 if (hcon->state == BT_CONNECTED) {
79d554a6 903 if (sk->sk_type != SOCK_SEQPACKET) {
1da177e4
LT		 904 l2cap_sock_clear_timer(sk);
905 sk->sk_state = BT_CONNECTED;
79d554a6
MH		 906 } else
907 l2cap_do_start(sk);
1da177e4
LT		 908 }
909
910done:
911 hci_dev_unlock_bh(hdev);
912 hci_dev_put(hdev);
913 return err;
914}
915
916static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags)
917{
1da177e4 918 struct sock *sk = sock->sk;
f29972de
MH		 919 struct sockaddr_l2 la;
920 int len, err = 0;
1da177e4
LT		 921
922 lock_sock(sk);
923
924 BT_DBG("sk %p", sk);
925
f29972de 926 if (!addr || addr->sa_family != AF_BLUETOOTH) {
1da177e4
LT		 927 err = -EINVAL;
928 goto done;
929 }
930
f29972de
MH		 931 memset(&la, 0, sizeof(la));
932 len = min_t(unsigned int, sizeof(la), alen);
933 memcpy(&la, addr, len);
934
935 if (sk->sk_type == SOCK_SEQPACKET && !la.l2_psm) {
1da177e4
LT		 936 err = -EINVAL;
937 goto done;
938 }
939
940 switch(sk->sk_state) {
941 case BT_CONNECT:
942 case BT_CONNECT2:
943 case BT_CONFIG:
944 /* Already connecting */
945 goto wait;
946
947 case BT_CONNECTED:
948 /* Already connected */
949 goto done;
950
951 case BT_OPEN:
952 case BT_BOUND:
953 /* Can connect */
954 break;
955
956 default:
957 err = -EBADFD;
958 goto done;
959 }
960
961 /* Set destination address and psm */
f29972de
MH		 962 bacpy(&bt_sk(sk)->dst, &la.l2_bdaddr);
963 l2cap_pi(sk)->psm = la.l2_psm;
1da177e4
LT		 964
965 if ((err = l2cap_do_connect(sk)))
966 goto done;
967
968wait:
969 err = bt_sock_wait_state(sk, BT_CONNECTED,
970 sock_sndtimeo(sk, flags & O_NONBLOCK));
971done:
972 release_sock(sk);
973 return err;
974}
975
976static int l2cap_sock_listen(struct socket *sock, int backlog)
977{
978 struct sock *sk = sock->sk;
979 int err = 0;
980
981 BT_DBG("sk %p backlog %d", sk, backlog);
982
983 lock_sock(sk);
984
985 if (sk->sk_state != BT_BOUND || sock->type != SOCK_SEQPACKET) {
986 err = -EBADFD;
987 goto done;
988 }
989
990 if (!l2cap_pi(sk)->psm) {
991 bdaddr_t *src = &bt_sk(sk)->src;
992 u16 psm;
993
994 err = -EINVAL;
995
996 write_lock_bh(&l2cap_sk_list.lock);
997
998 for (psm = 0x1001; psm < 0x1100; psm += 2)
6dc0c208 999 if (!__l2cap_get_sock_by_addr(htobs(psm), src)) {
1da177e4
LT		 1000 l2cap_pi(sk)->psm = htobs(psm);
1001 l2cap_pi(sk)->sport = htobs(psm);
1002 err = 0;
1003 break;
1004 }
1005
1006 write_unlock_bh(&l2cap_sk_list.lock);
1007
1008 if (err < 0)
1009 goto done;
1010 }
1011
1012 sk->sk_max_ack_backlog = backlog;
1013 sk->sk_ack_backlog = 0;
1014 sk->sk_state = BT_LISTEN;
1015
1016done:
1017 release_sock(sk);
1018 return err;
1019}
1020
1021static int l2cap_sock_accept(struct socket *sock, struct socket *newsock, int flags)
1022{
1023 DECLARE_WAITQUEUE(wait, current);
1024 struct sock *sk = sock->sk, *nsk;
1025 long timeo;
1026 int err = 0;
1027
fcc70d5f 1028 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
1da177e4
LT		 1029
1030 if (sk->sk_state != BT_LISTEN) {
1031 err = -EBADFD;
1032 goto done;
1033 }
1034
1035 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
1036
1037 BT_DBG("sk %p timeo %ld", sk, timeo);
1038
1039 /* Wait for an incoming connection. (wake-one). */
1040 add_wait_queue_exclusive(sk->sk_sleep, &wait);
1041 while (!(nsk = bt_accept_dequeue(sk, newsock))) {
1042 set_current_state(TASK_INTERRUPTIBLE);
1043 if (!timeo) {
1044 err = -EAGAIN;
1045 break;
1046 }
1047
1048 release_sock(sk);
1049 timeo = schedule_timeout(timeo);
fcc70d5f 1050 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
1da177e4
LT		 1051
1052 if (sk->sk_state != BT_LISTEN) {
1053 err = -EBADFD;
1054 break;
1055 }
1056
1057 if (signal_pending(current)) {
1058 err = sock_intr_errno(timeo);
1059 break;
1060 }
1061 }
1062 set_current_state(TASK_RUNNING);
1063 remove_wait_queue(sk->sk_sleep, &wait);
1064
1065 if (err)
1066 goto done;
1067
1068 newsock->state = SS_CONNECTED;
1069
1070 BT_DBG("new socket %p", nsk);
1071
1072done:
1073 release_sock(sk);
1074 return err;
1075}
1076
1077static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr, int *len, int peer)
1078{
1079 struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
1080 struct sock *sk = sock->sk;
1081
1082 BT_DBG("sock %p, sk %p", sock, sk);
1083
1084 addr->sa_family = AF_BLUETOOTH;
1085 *len = sizeof(struct sockaddr_l2);
1086
f29972de
MH		 1087 if (peer) {
1088 la->l2_psm = l2cap_pi(sk)->psm;
1da177e4 1089 bacpy(&la->l2_bdaddr, &bt_sk(sk)->dst);
f29972de
MH		 1090 la->l2_cid = htobs(l2cap_pi(sk)->dcid);
1091 } else {
1092 la->l2_psm = l2cap_pi(sk)->sport;
1da177e4 1093 bacpy(&la->l2_bdaddr, &bt_sk(sk)->src);
f29972de
MH		 1094 la->l2_cid = htobs(l2cap_pi(sk)->scid);
1095 }
1da177e4 1096
1da177e4
LT		 1097 return 0;
1098}
1099
1100static inline int l2cap_do_send(struct sock *sk, struct msghdr *msg, int len)
1101{
1102 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1103 struct sk_buff *skb, **frag;
1104 int err, hlen, count, sent=0;
1105 struct l2cap_hdr *lh;
1106
1107 BT_DBG("sk %p len %d", sk, len);
1108
1109 /* First fragment (with L2CAP header) */
1110 if (sk->sk_type == SOCK_DGRAM)
1111 hlen = L2CAP_HDR_SIZE + 2;
1112 else
1113 hlen = L2CAP_HDR_SIZE;
1114
1115 count = min_t(unsigned int, (conn->mtu - hlen), len);
1116
1117 skb = bt_skb_send_alloc(sk, hlen + count,
1118 msg->msg_flags & MSG_DONTWAIT, &err);
1119 if (!skb)
1120 return err;
1121
1122 /* Create L2CAP header */
1123 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c
YH		 1124 lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1125 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1da177e4
LT		 1126
1127 if (sk->sk_type == SOCK_DGRAM)
8e036fc3 1128 put_unaligned(l2cap_pi(sk)->psm, (__le16 *) skb_put(skb, 2));
1da177e4
LT		 1129
1130 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count)) {
1131 err = -EFAULT;
1132 goto fail;
1133 }
1134
1135 sent += count;
1136 len -= count;
1137
1138 /* Continuation fragments (no L2CAP header) */
1139 frag = &skb_shinfo(skb)->frag_list;
1140 while (len) {
1141 count = min_t(unsigned int, conn->mtu, len);
1142
1143 *frag = bt_skb_send_alloc(sk, count, msg->msg_flags & MSG_DONTWAIT, &err);
1144 if (!*frag)
1145 goto fail;
8e87d142 1146
1da177e4
LT		 1147 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count)) {
1148 err = -EFAULT;
1149 goto fail;
1150 }
1151
1152 sent += count;
1153 len -= count;
1154
1155 frag = &(*frag)->next;
1156 }
1157
1158 if ((err = hci_send_acl(conn->hcon, skb, 0)) < 0)
1159 goto fail;
1160
1161 return sent;
1162
1163fail:
1164 kfree_skb(skb);
1165 return err;
1166}
1167
1168static int l2cap_sock_sendmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len)
1169{
1170 struct sock *sk = sock->sk;
1171 int err = 0;
1172
1173 BT_DBG("sock %p, sk %p", sock, sk);
1174
c1cbe4b7
BL		 1175 err = sock_error(sk);
1176 if (err)
1177 return err;
1da177e4
LT		 1178
1179 if (msg->msg_flags & MSG_OOB)
1180 return -EOPNOTSUPP;
1181
1182 /* Check outgoing MTU */
1183 if (sk->sk_type != SOCK_RAW && len > l2cap_pi(sk)->omtu)
1184 return -EINVAL;
1185
1186 lock_sock(sk);
1187
1188 if (sk->sk_state == BT_CONNECTED)
1189 err = l2cap_do_send(sk, msg, len);
1190 else
1191 err = -ENOTCONN;
1192
1193 release_sock(sk);
1194 return err;
1195}
1196
f66dc81f
MH		 1197static int l2cap_sock_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len, int flags)
1198{
1199 struct sock *sk = sock->sk;
1200
1201 lock_sock(sk);
1202
1203 if (sk->sk_state == BT_CONNECT2 && bt_sk(sk)->defer_setup) {
1204 struct l2cap_conn_rsp rsp;
1205
1206 sk->sk_state = BT_CONFIG;
1207
1208 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
1209 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
1210 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1211 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1212 l2cap_send_cmd(l2cap_pi(sk)->conn, l2cap_pi(sk)->ident,
1213 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
1214
1215 release_sock(sk);
1216 return 0;
1217 }
1218
1219 release_sock(sk);
1220
1221 return bt_sock_recvmsg(iocb, sock, msg, len, flags);
1222}
1223
d58daf42 1224static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __user *optval, int optlen)
1da177e4
LT		 1225{
1226 struct sock *sk = sock->sk;
1227 struct l2cap_options opts;
f29972de 1228 int len, err = 0;
1da177e4
LT		 1229 u32 opt;
1230
1231 BT_DBG("sk %p", sk);
1232
1233 lock_sock(sk);
1234
1235 switch (optname) {
1236 case L2CAP_OPTIONS:
0878b666
MH		 1237 opts.imtu = l2cap_pi(sk)->imtu;
1238 opts.omtu = l2cap_pi(sk)->omtu;
1239 opts.flush_to = l2cap_pi(sk)->flush_to;
6464f35f 1240 opts.mode = L2CAP_MODE_BASIC;
0878b666 1241
1da177e4
LT		 1242 len = min_t(unsigned int, sizeof(opts), optlen);
1243 if (copy_from_user((char *) &opts, optval, len)) {
1244 err = -EFAULT;
1245 break;
1246 }
0878b666 1247
1da177e4
LT		 1248 l2cap_pi(sk)->imtu = opts.imtu;
1249 l2cap_pi(sk)->omtu = opts.omtu;
1250 break;
1251
1252 case L2CAP_LM:
1253 if (get_user(opt, (u32 __user *) optval)) {
1254 err = -EFAULT;
1255 break;
1256 }
1257
2af6b9d5
MH		 1258 if (opt & L2CAP_LM_AUTH)
1259 l2cap_pi(sk)->sec_level = BT_SECURITY_LOW;
1260 if (opt & L2CAP_LM_ENCRYPT)
1261 l2cap_pi(sk)->sec_level = BT_SECURITY_MEDIUM;
1262 if (opt & L2CAP_LM_SECURE)
1263 l2cap_pi(sk)->sec_level = BT_SECURITY_HIGH;
1264
1265 l2cap_pi(sk)->role_switch = (opt & L2CAP_LM_MASTER);
1266 l2cap_pi(sk)->force_reliable = (opt & L2CAP_LM_RELIABLE);
1da177e4
LT		 1267 break;
1268
1269 default:
1270 err = -ENOPROTOOPT;
1271 break;
1272 }
1273
1274 release_sock(sk);
1275 return err;
1276}
1277
d58daf42
MH		 1278static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, char __user *optval, int optlen)
1279{
1280 struct sock *sk = sock->sk;
2af6b9d5
MH		 1281 struct bt_security sec;
1282 int len, err = 0;
f66dc81f 1283 u32 opt;
d58daf42
MH		 1284
1285 BT_DBG("sk %p", sk);
1286
1287 if (level == SOL_L2CAP)
1288 return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
1289
0588d94f
MH		 1290 if (level != SOL_BLUETOOTH)
1291 return -ENOPROTOOPT;
1292
d58daf42
MH		 1293 lock_sock(sk);
1294
1295 switch (optname) {
2af6b9d5 1296 case BT_SECURITY:
0588d94f
MH		 1297 if (sk->sk_type != SOCK_SEQPACKET) {
1298 err = -EINVAL;
1299 break;
1300 }
1301
2af6b9d5
MH		 1302 sec.level = BT_SECURITY_LOW;
1303
1304 len = min_t(unsigned int, sizeof(sec), optlen);
1305 if (copy_from_user((char *) &sec, optval, len)) {
1306 err = -EFAULT;
1307 break;
1308 }
1309
1310 if (sec.level < BT_SECURITY_LOW ||
1311 sec.level > BT_SECURITY_HIGH) {
1312 err = -EINVAL;
1313 break;
1314 }
1315
1316 l2cap_pi(sk)->sec_level = sec.level;
1317 break;
1318
f66dc81f
MH		 1319 case BT_DEFER_SETUP:
1320 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
1321 err = -EINVAL;
1322 break;
1323 }
1324
1325 if (get_user(opt, (u32 __user *) optval)) {
1326 err = -EFAULT;
1327 break;
1328 }
1329
1330 bt_sk(sk)->defer_setup = opt;
1331 break;
1332
d58daf42
MH		 1333 default:
1334 err = -ENOPROTOOPT;
1335 break;
1336 }
1337
1338 release_sock(sk);
1339 return err;
1340}
1341
1342static int l2cap_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen)
1da177e4
LT		 1343{
1344 struct sock *sk = sock->sk;
1345 struct l2cap_options opts;
1346 struct l2cap_conninfo cinfo;
1347 int len, err = 0;
2af6b9d5 1348 u32 opt;
1da177e4
LT		 1349
1350 BT_DBG("sk %p", sk);
1351
1352 if (get_user(len, optlen))
1353 return -EFAULT;
1354
1355 lock_sock(sk);
1356
1357 switch (optname) {
1358 case L2CAP_OPTIONS:
1359 opts.imtu = l2cap_pi(sk)->imtu;
1360 opts.omtu = l2cap_pi(sk)->omtu;
1361 opts.flush_to = l2cap_pi(sk)->flush_to;
6464f35f 1362 opts.mode = L2CAP_MODE_BASIC;
1da177e4
LT		 1363
1364 len = min_t(unsigned int, len, sizeof(opts));
1365 if (copy_to_user(optval, (char *) &opts, len))
1366 err = -EFAULT;
1367
1368 break;
1369
1370 case L2CAP_LM:
2af6b9d5
MH		 1371 switch (l2cap_pi(sk)->sec_level) {
1372 case BT_SECURITY_LOW:
1373 opt = L2CAP_LM_AUTH;
1374 break;
1375 case BT_SECURITY_MEDIUM:
1376 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
1377 break;
1378 case BT_SECURITY_HIGH:
1379 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
1380 L2CAP_LM_SECURE;
1381 break;
1382 default:
1383 opt = 0;
1384 break;
1385 }
1386
1387 if (l2cap_pi(sk)->role_switch)
1388 opt |= L2CAP_LM_MASTER;
1389
1390 if (l2cap_pi(sk)->force_reliable)
1391 opt |= L2CAP_LM_RELIABLE;
1392
1393 if (put_user(opt, (u32 __user *) optval))
1da177e4
LT		 1394 err = -EFAULT;
1395 break;
1396
1397 case L2CAP_CONNINFO:
f66dc81f
MH		 1398 if (sk->sk_state != BT_CONNECTED &&
1399 !(sk->sk_state == BT_CONNECT2 &&
1400 bt_sk(sk)->defer_setup)) {
1da177e4
LT		 1401 err = -ENOTCONN;
1402 break;
1403 }
1404
1405 cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle;
1406 memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3);
1407
1408 len = min_t(unsigned int, len, sizeof(cinfo));
1409 if (copy_to_user(optval, (char *) &cinfo, len))
1410 err = -EFAULT;
1411
1412 break;
1413
1414 default:
1415 err = -ENOPROTOOPT;
1416 break;
1417 }
1418
1419 release_sock(sk);
1420 return err;
1421}
1422
d58daf42
MH		 1423static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen)
1424{
1425 struct sock *sk = sock->sk;
2af6b9d5 1426 struct bt_security sec;
d58daf42
MH		 1427 int len, err = 0;
1428
1429 BT_DBG("sk %p", sk);
1430
1431 if (level == SOL_L2CAP)
1432 return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
1433
0588d94f
MH		 1434 if (level != SOL_BLUETOOTH)
1435 return -ENOPROTOOPT;
1436
d58daf42
MH		 1437 if (get_user(len, optlen))
1438 return -EFAULT;
1439
1440 lock_sock(sk);
1441
1442 switch (optname) {
2af6b9d5 1443 case BT_SECURITY:
0588d94f
MH		 1444 if (sk->sk_type != SOCK_SEQPACKET) {
1445 err = -EINVAL;
1446 break;
1447 }
1448
2af6b9d5
MH		 1449 sec.level = l2cap_pi(sk)->sec_level;
1450
1451 len = min_t(unsigned int, len, sizeof(sec));
1452 if (copy_to_user(optval, (char *) &sec, len))
1453 err = -EFAULT;
1454
1455 break;
1456
f66dc81f
MH		 1457 case BT_DEFER_SETUP:
1458 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
1459 err = -EINVAL;
1460 break;
1461 }
1462
1463 if (put_user(bt_sk(sk)->defer_setup, (u32 __user *) optval))
1464 err = -EFAULT;
1465
1466 break;
1467
d58daf42
MH		 1468 default:
1469 err = -ENOPROTOOPT;
1470 break;
1471 }
1472
1473 release_sock(sk);
1474 return err;
1475}
1476
1da177e4
LT		 1477static int l2cap_sock_shutdown(struct socket *sock, int how)
1478{
1479 struct sock *sk = sock->sk;
1480 int err = 0;
1481
1482 BT_DBG("sock %p, sk %p", sock, sk);
1483
1484 if (!sk)
1485 return 0;
1486
1487 lock_sock(sk);
1488 if (!sk->sk_shutdown) {
1489 sk->sk_shutdown = SHUTDOWN_MASK;
1490 l2cap_sock_clear_timer(sk);
1491 __l2cap_sock_close(sk, 0);
1492
1493 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime)
b1235d79
MH		 1494 err = bt_sock_wait_state(sk, BT_CLOSED,
1495 sk->sk_lingertime);
1da177e4
LT		 1496 }
1497 release_sock(sk);
1498 return err;
1499}
1500
1501static int l2cap_sock_release(struct socket *sock)
1502{
1503 struct sock *sk = sock->sk;
1504 int err;
1505
1506 BT_DBG("sock %p, sk %p", sock, sk);
1507
1508 if (!sk)
1509 return 0;
1510
1511 err = l2cap_sock_shutdown(sock, 2);
1512
1513 sock_orphan(sk);
1514 l2cap_sock_kill(sk);
1515 return err;
1516}
1517
1da177e4
LT		 1518static void l2cap_chan_ready(struct sock *sk)
1519{
1520 struct sock *parent = bt_sk(sk)->parent;
1521
1522 BT_DBG("sk %p, parent %p", sk, parent);
1523
1524 l2cap_pi(sk)->conf_state = 0;
1525 l2cap_sock_clear_timer(sk);
1526
1527 if (!parent) {
1528 /* Outgoing channel.
1529 * Wake up socket sleeping on connect.
1530 */
1531 sk->sk_state = BT_CONNECTED;
1532 sk->sk_state_change(sk);
1533 } else {
1534 /* Incoming channel.
1535 * Wake up socket sleeping on accept.
1536 */
1537 parent->sk_data_ready(parent, 0);
1538 }
1539}
1540
1541/* Copy frame to all raw sockets on that connection */
1542static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
1543{
1544 struct l2cap_chan_list *l = &conn->chan_list;
1545 struct sk_buff *nskb;
1546 struct sock * sk;
1547
1548 BT_DBG("conn %p", conn);
1549
1550 read_lock(&l->lock);
1551 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
1552 if (sk->sk_type != SOCK_RAW)
1553 continue;
1554
1555 /* Don't send frame to the socket it came from */
1556 if (skb->sk == sk)
1557 continue;
1558
1559 if (!(nskb = skb_clone(skb, GFP_ATOMIC)))
1560 continue;
1561
1562 if (sock_queue_rcv_skb(sk, nskb))
1563 kfree_skb(nskb);
1564 }
1565 read_unlock(&l->lock);
1566}
1567
1568/* ---- L2CAP signalling commands ---- */
1569static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
1570 u8 code, u8 ident, u16 dlen, void *data)
1571{
1572 struct sk_buff *skb, **frag;
1573 struct l2cap_cmd_hdr *cmd;
1574 struct l2cap_hdr *lh;
1575 int len, count;
1576
1577 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d", conn, code, ident, dlen);
1578
1579 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
1580 count = min_t(unsigned int, conn->mtu, len);
1581
1582 skb = bt_skb_alloc(count, GFP_ATOMIC);
1583 if (!skb)
1584 return NULL;
1585
1586 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c
YH		 1587 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
1588 lh->cid = cpu_to_le16(0x0001);
1da177e4
LT		 1589
1590 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
1591 cmd->code = code;
1592 cmd->ident = ident;
aca3192c 1593 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 1594
1595 if (dlen) {
1596 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
1597 memcpy(skb_put(skb, count), data, count);
1598 data += count;
1599 }
1600
1601 len -= skb->len;
1602
1603 /* Continuation fragments (no L2CAP header) */
1604 frag = &skb_shinfo(skb)->frag_list;
1605 while (len) {
1606 count = min_t(unsigned int, conn->mtu, len);
1607
1608 *frag = bt_skb_alloc(count, GFP_ATOMIC);
1609 if (!*frag)
1610 goto fail;
1611
1612 memcpy(skb_put(*frag, count), data, count);
1613
1614 len -= count;
1615 data += count;
1616
1617 frag = &(*frag)->next;
1618 }
1619
1620 return skb;
1621
1622fail:
1623 kfree_skb(skb);
1624 return NULL;
1625}
1626
1627static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
1628{
1629 struct l2cap_conf_opt *opt = *ptr;
1630 int len;
1631
1632 len = L2CAP_CONF_OPT_SIZE + opt->len;
1633 *ptr += len;
1634
1635 *type = opt->type;
1636 *olen = opt->len;
1637
1638 switch (opt->len) {
1639 case 1:
1640 *val = *((u8 *) opt->val);
1641 break;
1642
1643 case 2:
861d6882 1644 *val = __le16_to_cpu(*((__le16 *) opt->val));
1da177e4
LT		 1645 break;
1646
1647 case 4:
861d6882 1648 *val = __le32_to_cpu(*((__le32 *) opt->val));
1da177e4
LT		 1649 break;
1650
1651 default:
1652 *val = (unsigned long) opt->val;
1653 break;
1654 }
1655
1656 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
1657 return len;
1658}
1659
1da177e4
LT		 1660static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
1661{
1662 struct l2cap_conf_opt *opt = *ptr;
1663
1664 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
1665
1666 opt->type = type;
1667 opt->len = len;
1668
1669 switch (len) {
1670 case 1:
1671 *((u8 *) opt->val) = val;
1672 break;
1673
1674 case 2:
8e036fc3 1675 *((__le16 *) opt->val) = cpu_to_le16(val);
1da177e4
LT		 1676 break;
1677
1678 case 4:
8e036fc3 1679 *((__le32 *) opt->val) = cpu_to_le32(val);
1da177e4
LT		 1680 break;
1681
1682 default:
1683 memcpy(opt->val, (void *) val, len);
1684 break;
1685 }
1686
1687 *ptr += L2CAP_CONF_OPT_SIZE + len;
1688}
1689
1690static int l2cap_build_conf_req(struct sock *sk, void *data)
1691{
1692 struct l2cap_pinfo *pi = l2cap_pi(sk);
1693 struct l2cap_conf_req *req = data;
1694 void *ptr = req->data;
1695
1696 BT_DBG("sk %p", sk);
1697
1698 if (pi->imtu != L2CAP_DEFAULT_MTU)
1699 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->imtu);
1700
1701 /* FIXME: Need actual value of the flush timeout */
1702 //if (flush_to != L2CAP_DEFAULT_FLUSH_TO)
1703 // l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, 2, pi->flush_to);
1704
aca3192c
YH		 1705 req->dcid = cpu_to_le16(pi->dcid);
1706 req->flags = cpu_to_le16(0);
1da177e4
LT		 1707
1708 return ptr - data;
1709}
1710
5dee9e7c 1711static int l2cap_parse_conf_req(struct sock *sk, void *data)
1da177e4
LT		 1712{
1713 struct l2cap_pinfo *pi = l2cap_pi(sk);
5dee9e7c
MH		 1714 struct l2cap_conf_rsp *rsp = data;
1715 void *ptr = rsp->data;
1716 void *req = pi->conf_req;
1717 int len = pi->conf_len;
1718 int type, hint, olen;
1719 unsigned long val;
6464f35f 1720 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
861d6882 1721 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 1722 u16 result = L2CAP_CONF_SUCCESS;
1da177e4 1723
5dee9e7c 1724 BT_DBG("sk %p", sk);
820ae1b8 1725
5dee9e7c
MH		 1726 while (len >= L2CAP_CONF_OPT_SIZE) {
1727 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 1728
5dee9e7c
MH		 1729 hint = type & 0x80;
1730 type &= 0x7f;
1731
1732 switch (type) {
1733 case L2CAP_CONF_MTU:
861d6882 1734 mtu = val;
5dee9e7c
MH		 1735 break;
1736
1737 case L2CAP_CONF_FLUSH_TO:
1738 pi->flush_to = val;
1739 break;
1740
1741 case L2CAP_CONF_QOS:
1742 break;
1743
6464f35f
MH		 1744 case L2CAP_CONF_RFC:
1745 if (olen == sizeof(rfc))
1746 memcpy(&rfc, (void *) val, olen);
1747 break;
1748
5dee9e7c
MH		 1749 default:
1750 if (hint)
1751 break;
1752
1753 result = L2CAP_CONF_UNKNOWN;
1754 *((u8 *) ptr++) = type;
1755 break;
1756 }
1757 }
1758
1759 if (result == L2CAP_CONF_SUCCESS) {
1760 /* Configure output options and let the other side know
1761 * which ones we don't like. */
1762
6464f35f
MH		 1763 if (rfc.mode == L2CAP_MODE_BASIC) {
1764 if (mtu < pi->omtu)
1765 result = L2CAP_CONF_UNACCEPT;
1766 else {
1767 pi->omtu = mtu;
1768 pi->conf_state |= L2CAP_CONF_OUTPUT_DONE;
1769 }
1770
1771 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->omtu);
1772 } else {
5dee9e7c 1773 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 1774
6464f35f
MH		 1775 memset(&rfc, 0, sizeof(rfc));
1776 rfc.mode = L2CAP_MODE_BASIC;
1777
1778 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
1779 sizeof(rfc), (unsigned long) &rfc);
1780 }
5dee9e7c
MH		 1781 }
1782
1783 rsp->scid = cpu_to_le16(pi->dcid);
1784 rsp->result = cpu_to_le16(result);
1785 rsp->flags = cpu_to_le16(0x0000);
1786
1787 return ptr - data;
1da177e4
LT		 1788}
1789
5dee9e7c 1790static int l2cap_build_conf_rsp(struct sock *sk, void *data, u16 result, u16 flags)
1da177e4
LT		 1791{
1792 struct l2cap_conf_rsp *rsp = data;
1793 void *ptr = rsp->data;
1da177e4 1794
5dee9e7c 1795 BT_DBG("sk %p", sk);
1da177e4 1796
aca3192c 1797 rsp->scid = cpu_to_le16(l2cap_pi(sk)->dcid);
5dee9e7c 1798 rsp->result = cpu_to_le16(result);
aca3192c 1799 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 1800
1801 return ptr - data;
1802}
1803
4e8402a3
MH		 1804static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
1805{
1806 struct l2cap_cmd_rej *rej = (struct l2cap_cmd_rej *) data;
1807
1808 if (rej->reason != 0x0000)
1809 return 0;
1810
1811 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
1812 cmd->ident == conn->info_ident) {
4e8402a3 1813 del_timer(&conn->info_timer);
984947dc
MH		 1814
1815 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1816 conn->info_ident = 0;
984947dc 1817
4e8402a3
MH		 1818 l2cap_conn_start(conn);
1819 }
1820
1821 return 0;
1822}
1823
1da177e4
LT		 1824static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
1825{
1826 struct l2cap_chan_list *list = &conn->chan_list;
1827 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
1828 struct l2cap_conn_rsp rsp;
1829 struct sock *sk, *parent;
e7c29cb1 1830 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 1831
1832 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 1833 __le16 psm = req->psm;
1da177e4
LT		 1834
1835 BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
1836
1837 /* Check if we have socket listening on psm */
1838 parent = l2cap_get_sock_by_psm(BT_LISTEN, psm, conn->src);
1839 if (!parent) {
1840 result = L2CAP_CR_BAD_PSM;
1841 goto sendresp;
1842 }
1843
e7c29cb1
MH		 1844 /* Check if the ACL is secure enough (if not SDP) */
1845 if (psm != cpu_to_le16(0x0001) &&
1846 !hci_conn_check_link_mode(conn->hcon)) {
2950f21a 1847 conn->disc_reason = 0x05;
e7c29cb1
MH		 1848 result = L2CAP_CR_SEC_BLOCK;
1849 goto response;
1850 }
1851
1da177e4
LT		 1852 result = L2CAP_CR_NO_MEM;
1853
1854 /* Check for backlog size */
1855 if (sk_acceptq_is_full(parent)) {
8e87d142 1856 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1da177e4
LT		 1857 goto response;
1858 }
1859
3b1e0a65 1860 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP, GFP_ATOMIC);
1da177e4
LT		 1861 if (!sk)
1862 goto response;
1863
fd1278d7 1864 write_lock_bh(&list->lock);
1da177e4
LT		 1865
1866 /* Check if we already have channel with that dcid */
1867 if (__l2cap_get_chan_by_dcid(list, scid)) {
fd1278d7 1868 write_unlock_bh(&list->lock);
1da177e4
LT		 1869 sock_set_flag(sk, SOCK_ZAPPED);
1870 l2cap_sock_kill(sk);
1871 goto response;
1872 }
1873
1874 hci_conn_hold(conn->hcon);
1875
1876 l2cap_sock_init(sk, parent);
1877 bacpy(&bt_sk(sk)->src, conn->src);
1878 bacpy(&bt_sk(sk)->dst, conn->dst);
1879 l2cap_pi(sk)->psm = psm;
1880 l2cap_pi(sk)->dcid = scid;
1881
1882 __l2cap_chan_add(conn, sk, parent);
1883 dcid = l2cap_pi(sk)->scid;
1884
1885 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
1886
1da177e4
LT		 1887 l2cap_pi(sk)->ident = cmd->ident;
1888
984947dc 1889 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
2af6b9d5 1890 if (l2cap_check_security(sk)) {
f66dc81f
MH		 1891 if (bt_sk(sk)->defer_setup) {
1892 sk->sk_state = BT_CONNECT2;
1893 result = L2CAP_CR_PEND;
1894 status = L2CAP_CS_AUTHOR_PEND;
1895 parent->sk_data_ready(parent, 0);
1896 } else {
1897 sk->sk_state = BT_CONFIG;
1898 result = L2CAP_CR_SUCCESS;
1899 status = L2CAP_CS_NO_INFO;
1900 }
79d554a6
MH		 1901 } else {
1902 sk->sk_state = BT_CONNECT2;
1903 result = L2CAP_CR_PEND;
1904 status = L2CAP_CS_AUTHEN_PEND;
1905 }
1906 } else {
1907 sk->sk_state = BT_CONNECT2;
1908 result = L2CAP_CR_PEND;
1909 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 1910 }
1911
fd1278d7 1912 write_unlock_bh(&list->lock);
1da177e4
LT		 1913
1914response:
1915 bh_unlock_sock(parent);
1916
1917sendresp:
aca3192c
YH		 1918 rsp.scid = cpu_to_le16(scid);
1919 rsp.dcid = cpu_to_le16(dcid);
1920 rsp.result = cpu_to_le16(result);
1921 rsp.status = cpu_to_le16(status);
1da177e4 1922 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 1923
1924 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
1925 struct l2cap_info_req info;
1926 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
1927
1928 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1929 conn->info_ident = l2cap_get_ident(conn);
1930
1931 mod_timer(&conn->info_timer, jiffies +
1932 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
1933
1934 l2cap_send_cmd(conn, conn->info_ident,
1935 L2CAP_INFO_REQ, sizeof(info), &info);
1936 }
1937
1da177e4
LT		 1938 return 0;
1939}
1940
1941static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
1942{
1943 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
1944 u16 scid, dcid, result, status;
1945 struct sock *sk;
1946 u8 req[128];
1947
1948 scid = __le16_to_cpu(rsp->scid);
1949 dcid = __le16_to_cpu(rsp->dcid);
1950 result = __le16_to_cpu(rsp->result);
1951 status = __le16_to_cpu(rsp->status);
1952
1953 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status);
1954
1955 if (scid) {
1956 if (!(sk = l2cap_get_chan_by_scid(&conn->chan_list, scid)))
1957 return 0;
1958 } else {
1959 if (!(sk = l2cap_get_chan_by_ident(&conn->chan_list, cmd->ident)))
1960 return 0;
1961 }
1962
1963 switch (result) {
1964 case L2CAP_CR_SUCCESS:
1965 sk->sk_state = BT_CONFIG;
1966 l2cap_pi(sk)->ident = 0;
1967 l2cap_pi(sk)->dcid = dcid;
1968 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
1969
6a8d3010
MH		 1970 l2cap_pi(sk)->conf_state &= ~L2CAP_CONF_CONNECT_PEND;
1971
1da177e4
LT		 1972 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
1973 l2cap_build_conf_req(sk, req), req);
1974 break;
1975
1976 case L2CAP_CR_PEND:
6a8d3010 1977 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
1da177e4
LT		 1978 break;
1979
1980 default:
1981 l2cap_chan_del(sk, ECONNREFUSED);
1982 break;
1983 }
1984
1985 bh_unlock_sock(sk);
1986 return 0;
1987}
1988
88219a0f 1989static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 1990{
1991 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
1992 u16 dcid, flags;
1993 u8 rsp[64];
1994 struct sock *sk;
5dee9e7c 1995 int len;
1da177e4
LT		 1996
1997 dcid = __le16_to_cpu(req->dcid);
1998 flags = __le16_to_cpu(req->flags);
1999
2000 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
2001
2002 if (!(sk = l2cap_get_chan_by_scid(&conn->chan_list, dcid)))
2003 return -ENOENT;
2004
354f60a9
MH		 2005 if (sk->sk_state == BT_DISCONN)
2006 goto unlock;
2007
5dee9e7c 2008 /* Reject if config buffer is too small. */
88219a0f 2009 len = cmd_len - sizeof(*req);
5dee9e7c
MH		 2010 if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
2011 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2012 l2cap_build_conf_rsp(sk, rsp,
2013 L2CAP_CONF_REJECT, flags), rsp);
2014 goto unlock;
2015 }
2016
2017 /* Store config. */
2018 memcpy(l2cap_pi(sk)->conf_req + l2cap_pi(sk)->conf_len, req->data, len);
2019 l2cap_pi(sk)->conf_len += len;
1da177e4
LT		 2020
2021 if (flags & 0x0001) {
2022 /* Incomplete config. Send empty response. */
2023 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
5dee9e7c
MH		 2024 l2cap_build_conf_rsp(sk, rsp,
2025 L2CAP_CONF_SUCCESS, 0x0001), rsp);
1da177e4
LT		 2026 goto unlock;
2027 }
2028
2029 /* Complete config. */
5dee9e7c
MH		 2030 len = l2cap_parse_conf_req(sk, rsp);
2031 if (len < 0)
1da177e4
LT		 2032 goto unlock;
2033
5dee9e7c
MH		 2034 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
2035
5dee9e7c
MH		 2036 /* Reset config buffer. */
2037 l2cap_pi(sk)->conf_len = 0;
2038
876d9484
MH		 2039 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE))
2040 goto unlock;
2041
1da177e4
LT		 2042 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_INPUT_DONE) {
2043 sk->sk_state = BT_CONNECTED;
2044 l2cap_chan_ready(sk);
876d9484
MH		 2045 goto unlock;
2046 }
2047
2048 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT)) {
79d554a6 2049 u8 buf[64];
1da177e4 2050 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
79d554a6 2051 l2cap_build_conf_req(sk, buf), buf);
1da177e4
LT		 2052 }
2053
2054unlock:
2055 bh_unlock_sock(sk);
2056 return 0;
2057}
2058
2059static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2060{
2061 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
2062 u16 scid, flags, result;
2063 struct sock *sk;
2064
2065 scid = __le16_to_cpu(rsp->scid);
2066 flags = __le16_to_cpu(rsp->flags);
2067 result = __le16_to_cpu(rsp->result);
2068
2069 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x", scid, flags, result);
2070
2071 if (!(sk = l2cap_get_chan_by_scid(&conn->chan_list, scid)))
2072 return 0;
2073
2074 switch (result) {
2075 case L2CAP_CONF_SUCCESS:
2076 break;
2077
2078 case L2CAP_CONF_UNACCEPT:
2079 if (++l2cap_pi(sk)->conf_retry < L2CAP_CONF_MAX_RETRIES) {
2080 char req[128];
2081 /* It does not make sense to adjust L2CAP parameters
2082 * that are currently defined in the spec. We simply
2083 * resend config request that we sent earlier. It is
2084 * stupid, but it helps qualification testing which
2085 * expects at least some response from us. */
2086 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2087 l2cap_build_conf_req(sk, req), req);
2088 goto done;
2089 }
2090
8e87d142 2091 default:
1da177e4 2092 sk->sk_state = BT_DISCONN;
b1235d79 2093 sk->sk_err = ECONNRESET;
1da177e4
LT		 2094 l2cap_sock_set_timer(sk, HZ * 5);
2095 {
2096 struct l2cap_disconn_req req;
aca3192c
YH		 2097 req.dcid = cpu_to_le16(l2cap_pi(sk)->dcid);
2098 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
1da177e4
LT		 2099 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2100 L2CAP_DISCONN_REQ, sizeof(req), &req);
2101 }
2102 goto done;
2103 }
2104
2105 if (flags & 0x01)
2106 goto done;
2107
1da177e4
LT		 2108 l2cap_pi(sk)->conf_state |= L2CAP_CONF_INPUT_DONE;
2109
2110 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE) {
2111 sk->sk_state = BT_CONNECTED;
2112 l2cap_chan_ready(sk);
2113 }
2114
2115done:
2116 bh_unlock_sock(sk);
2117 return 0;
2118}
2119
2120static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2121{
2122 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
2123 struct l2cap_disconn_rsp rsp;
2124 u16 dcid, scid;
2125 struct sock *sk;
2126
2127 scid = __le16_to_cpu(req->scid);
2128 dcid = __le16_to_cpu(req->dcid);
2129
2130 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
2131
2132 if (!(sk = l2cap_get_chan_by_scid(&conn->chan_list, dcid)))
2133 return 0;
2134
aca3192c
YH		 2135 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
2136 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
1da177e4
LT		 2137 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
2138
2139 sk->sk_shutdown = SHUTDOWN_MASK;
2140
2141 l2cap_chan_del(sk, ECONNRESET);
2142 bh_unlock_sock(sk);
2143
2144 l2cap_sock_kill(sk);
2145 return 0;
2146}
2147
2148static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2149{
2150 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
2151 u16 dcid, scid;
2152 struct sock *sk;
2153
2154 scid = __le16_to_cpu(rsp->scid);
2155 dcid = __le16_to_cpu(rsp->dcid);
2156
2157 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
2158
2159 if (!(sk = l2cap_get_chan_by_scid(&conn->chan_list, scid)))
2160 return 0;
2161
2162 l2cap_chan_del(sk, 0);
2163 bh_unlock_sock(sk);
2164
2165 l2cap_sock_kill(sk);
2166 return 0;
2167}
2168
2169static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2170{
2171 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 2172 u16 type;
2173
2174 type = __le16_to_cpu(req->type);
2175
2176 BT_DBG("type 0x%4.4x", type);
2177
f0709e03
MH		 2178 if (type == L2CAP_IT_FEAT_MASK) {
2179 u8 buf[8];
2180 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2181 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2182 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
2183 put_unaligned(cpu_to_le32(l2cap_feat_mask), (__le32 *) rsp->data);
2184 l2cap_send_cmd(conn, cmd->ident,
2185 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 2186 } else if (type == L2CAP_IT_FIXED_CHAN) {
2187 u8 buf[12];
2188 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2189 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2190 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
2191 memcpy(buf + 4, l2cap_fixed_chan, 8);
2192 l2cap_send_cmd(conn, cmd->ident,
2193 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 2194 } else {
2195 struct l2cap_info_rsp rsp;
2196 rsp.type = cpu_to_le16(type);
2197 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
2198 l2cap_send_cmd(conn, cmd->ident,
2199 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
2200 }
1da177e4
LT		 2201
2202 return 0;
2203}
2204
2205static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2206{
2207 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
2208 u16 type, result;
2209
2210 type = __le16_to_cpu(rsp->type);
2211 result = __le16_to_cpu(rsp->result);
2212
2213 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
2214
4e8402a3
MH		 2215 del_timer(&conn->info_timer);
2216
984947dc 2217 if (type == L2CAP_IT_FEAT_MASK) {
83985319 2218 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 2219
e1027a7c
MH		 2220 if (conn->feat_mask & 0x0080) {
2221 struct l2cap_info_req req;
2222 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2223
2224 conn->info_ident = l2cap_get_ident(conn);
2225
2226 l2cap_send_cmd(conn, conn->info_ident,
2227 L2CAP_INFO_REQ, sizeof(req), &req);
2228 } else {
2229 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2230 conn->info_ident = 0;
2231
2232 l2cap_conn_start(conn);
2233 }
2234 } else if (type == L2CAP_IT_FIXED_CHAN) {
984947dc 2235 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2236 conn->info_ident = 0;
984947dc
MH		 2237
2238 l2cap_conn_start(conn);
2239 }
4e8402a3 2240
1da177e4
LT		 2241 return 0;
2242}
2243
2244static inline void l2cap_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb)
2245{
2246 u8 *data = skb->data;
2247 int len = skb->len;
2248 struct l2cap_cmd_hdr cmd;
2249 int err = 0;
2250
2251 l2cap_raw_recv(conn, skb);
2252
2253 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 2254 u16 cmd_len;
1da177e4
LT		 2255 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
2256 data += L2CAP_CMD_HDR_SIZE;
2257 len -= L2CAP_CMD_HDR_SIZE;
2258
88219a0f 2259 cmd_len = le16_to_cpu(cmd.len);
1da177e4 2260
88219a0f 2261 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 2262
88219a0f 2263 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 2264 BT_DBG("corrupted command");
2265 break;
2266 }
2267
2268 switch (cmd.code) {
2269 case L2CAP_COMMAND_REJ:
4e8402a3 2270 l2cap_command_rej(conn, &cmd, data);
1da177e4
LT		 2271 break;
2272
2273 case L2CAP_CONN_REQ:
2274 err = l2cap_connect_req(conn, &cmd, data);
2275 break;
2276
2277 case L2CAP_CONN_RSP:
2278 err = l2cap_connect_rsp(conn, &cmd, data);
2279 break;
2280
2281 case L2CAP_CONF_REQ:
88219a0f 2282 err = l2cap_config_req(conn, &cmd, cmd_len, data);
1da177e4
LT		 2283 break;
2284
2285 case L2CAP_CONF_RSP:
2286 err = l2cap_config_rsp(conn, &cmd, data);
2287 break;
2288
2289 case L2CAP_DISCONN_REQ:
2290 err = l2cap_disconnect_req(conn, &cmd, data);
2291 break;
2292
2293 case L2CAP_DISCONN_RSP:
2294 err = l2cap_disconnect_rsp(conn, &cmd, data);
2295 break;
2296
2297 case L2CAP_ECHO_REQ:
88219a0f 2298 l2cap_send_cmd(conn, cmd.ident, L2CAP_ECHO_RSP, cmd_len, data);
1da177e4
LT		 2299 break;
2300
2301 case L2CAP_ECHO_RSP:
2302 break;
2303
2304 case L2CAP_INFO_REQ:
2305 err = l2cap_information_req(conn, &cmd, data);
2306 break;
2307
2308 case L2CAP_INFO_RSP:
2309 err = l2cap_information_rsp(conn, &cmd, data);
2310 break;
2311
2312 default:
2313 BT_ERR("Unknown signaling command 0x%2.2x", cmd.code);
2314 err = -EINVAL;
2315 break;
2316 }
2317
2318 if (err) {
2319 struct l2cap_cmd_rej rej;
2320 BT_DBG("error %d", err);
2321
2322 /* FIXME: Map err to a valid reason */
aca3192c 2323 rej.reason = cpu_to_le16(0);
1da177e4
LT		 2324 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
2325 }
2326
88219a0f
AV		 2327 data += cmd_len;
2328 len -= cmd_len;
1da177e4
LT		 2329 }
2330
2331 kfree_skb(skb);
2332}
2333
2334static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
2335{
2336 struct sock *sk;
2337
2338 sk = l2cap_get_chan_by_scid(&conn->chan_list, cid);
2339 if (!sk) {
2340 BT_DBG("unknown cid 0x%4.4x", cid);
2341 goto drop;
2342 }
2343
2344 BT_DBG("sk %p, len %d", sk, skb->len);
2345
2346 if (sk->sk_state != BT_CONNECTED)
2347 goto drop;
2348
2349 if (l2cap_pi(sk)->imtu < skb->len)
2350 goto drop;
2351
2352 /* If socket recv buffers overflows we drop data here
2353 * which is *bad* because L2CAP has to be reliable.
2354 * But we don't have any other choice. L2CAP doesn't
2355 * provide flow control mechanism. */
2356
2357 if (!sock_queue_rcv_skb(sk, skb))
2358 goto done;
2359
2360drop:
2361 kfree_skb(skb);
2362
2363done:
0139418c
MH		 2364 if (sk)
2365 bh_unlock_sock(sk);
2366
1da177e4
LT		 2367 return 0;
2368}
2369
8e036fc3 2370static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
1da177e4
LT		 2371{
2372 struct sock *sk;
2373
2374 sk = l2cap_get_sock_by_psm(0, psm, conn->src);
2375 if (!sk)
2376 goto drop;
2377
2378 BT_DBG("sk %p, len %d", sk, skb->len);
2379
2380 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_CONNECTED)
2381 goto drop;
2382
2383 if (l2cap_pi(sk)->imtu < skb->len)
2384 goto drop;
2385
2386 if (!sock_queue_rcv_skb(sk, skb))
2387 goto done;
2388
2389drop:
2390 kfree_skb(skb);
2391
2392done:
2393 if (sk) bh_unlock_sock(sk);
2394 return 0;
2395}
2396
2397static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
2398{
2399 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 2400 u16 cid, len;
2401 __le16 psm;
1da177e4
LT		 2402
2403 skb_pull(skb, L2CAP_HDR_SIZE);
2404 cid = __le16_to_cpu(lh->cid);
2405 len = __le16_to_cpu(lh->len);
2406
2407 BT_DBG("len %d, cid 0x%4.4x", len, cid);
2408
2409 switch (cid) {
2410 case 0x0001:
2411 l2cap_sig_channel(conn, skb);
2412 break;
2413
2414 case 0x0002:
8e036fc3 2415 psm = get_unaligned((__le16 *) skb->data);
1da177e4
LT		 2416 skb_pull(skb, 2);
2417 l2cap_conless_channel(conn, psm, skb);
2418 break;
2419
2420 default:
2421 l2cap_data_channel(conn, cid, skb);
2422 break;
2423 }
2424}
2425
2426/* ---- L2CAP interface with lower layer (HCI) ---- */
2427
2428static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
2429{
2430 int exact = 0, lm1 = 0, lm2 = 0;
2431 register struct sock *sk;
2432 struct hlist_node *node;
2433
2434 if (type != ACL_LINK)
2435 return 0;
2436
2437 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
2438
2439 /* Find listening sockets and check their link_mode */
2440 read_lock(&l2cap_sk_list.lock);
2441 sk_for_each(sk, node, &l2cap_sk_list.head) {
2442 if (sk->sk_state != BT_LISTEN)
2443 continue;
2444
2445 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5
MH		 2446 lm1 |= HCI_LM_ACCEPT;
2447 if (l2cap_pi(sk)->role_switch)
2448 lm1 |= HCI_LM_MASTER;
1da177e4 2449 exact++;
2af6b9d5
MH		 2450 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
2451 lm2 |= HCI_LM_ACCEPT;
2452 if (l2cap_pi(sk)->role_switch)
2453 lm2 |= HCI_LM_MASTER;
2454 }
1da177e4
LT		 2455 }
2456 read_unlock(&l2cap_sk_list.lock);
2457
2458 return exact ? lm1 : lm2;
2459}
2460
2461static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
2462{
0139418c
MH		 2463 struct l2cap_conn *conn;
2464
1da177e4
LT		 2465 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
2466
2467 if (hcon->type != ACL_LINK)
2468 return 0;
2469
2470 if (!status) {
1da177e4
LT		 2471 conn = l2cap_conn_add(hcon, status);
2472 if (conn)
2473 l2cap_conn_ready(conn);
0139418c 2474 } else
1da177e4
LT		 2475 l2cap_conn_del(hcon, bt_err(status));
2476
2477 return 0;
2478}
2479
2950f21a
MH		 2480static int l2cap_disconn_ind(struct hci_conn *hcon)
2481{
2482 struct l2cap_conn *conn = hcon->l2cap_data;
2483
2484 BT_DBG("hcon %p", hcon);
2485
2486 if (hcon->type != ACL_LINK || !conn)
2487 return 0x13;
2488
2489 return conn->disc_reason;
2490}
2491
2492static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 2493{
2494 BT_DBG("hcon %p reason %d", hcon, reason);
2495
2496 if (hcon->type != ACL_LINK)
2497 return 0;
2498
2499 l2cap_conn_del(hcon, bt_err(reason));
0139418c 2500
1da177e4
LT		 2501 return 0;
2502}
2503
f62e4323
MH		 2504static inline void l2cap_check_encryption(struct sock *sk, u8 encrypt)
2505{
255c7601
MH		 2506 if (sk->sk_type != SOCK_SEQPACKET)
2507 return;
2508
f62e4323
MH		 2509 if (encrypt == 0x00) {
2510 if (l2cap_pi(sk)->sec_level == BT_SECURITY_MEDIUM) {
2511 l2cap_sock_clear_timer(sk);
2512 l2cap_sock_set_timer(sk, HZ * 5);
2513 } else if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
2514 __l2cap_sock_close(sk, ECONNREFUSED);
2515 } else {
2516 if (l2cap_pi(sk)->sec_level == BT_SECURITY_MEDIUM)
2517 l2cap_sock_clear_timer(sk);
2518 }
2519}
2520
8c1b2355 2521static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4
LT		 2522{
2523 struct l2cap_chan_list *l;
0139418c 2524 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4 2525 struct sock *sk;
1da177e4 2526
0139418c 2527 if (!conn)
1da177e4 2528 return 0;
0139418c 2529
1da177e4
LT		 2530 l = &conn->chan_list;
2531
2532 BT_DBG("conn %p", conn);
2533
2534 read_lock(&l->lock);
2535
2536 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
2537 bh_lock_sock(sk);
2538
6a8d3010
MH		 2539 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_CONNECT_PEND) {
2540 bh_unlock_sock(sk);
2541 continue;
2542 }
2543
f62e4323 2544 if (!status && (sk->sk_state == BT_CONNECTED ||
8c1b2355 2545 sk->sk_state == BT_CONFIG)) {
f62e4323 2546 l2cap_check_encryption(sk, encrypt);
9719f8af
MH		 2547 bh_unlock_sock(sk);
2548 continue;
2549 }
2550
b1235d79
MH		 2551 if (sk->sk_state == BT_CONNECT) {
2552 if (!status) {
2553 struct l2cap_conn_req req;
2554 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
2555 req.psm = l2cap_pi(sk)->psm;
1da177e4 2556
b1235d79 2557 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
1da177e4 2558
b1235d79
MH		 2559 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
2560 L2CAP_CONN_REQ, sizeof(req), &req);
2561 } else {
2562 l2cap_sock_clear_timer(sk);
2563 l2cap_sock_set_timer(sk, HZ / 10);
2564 }
2565 } else if (sk->sk_state == BT_CONNECT2) {
2566 struct l2cap_conn_rsp rsp;
2567 __u16 result;
1da177e4 2568
b1235d79
MH		 2569 if (!status) {
2570 sk->sk_state = BT_CONFIG;
2571 result = L2CAP_CR_SUCCESS;
2572 } else {
2573 sk->sk_state = BT_DISCONN;
2574 l2cap_sock_set_timer(sk, HZ / 10);
2575 result = L2CAP_CR_SEC_BLOCK;
2576 }
2577
2578 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
2579 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
2580 rsp.result = cpu_to_le16(result);
e7c29cb1 2581 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
b1235d79
MH		 2582 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
2583 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2584 }
1da177e4
LT		 2585
2586 bh_unlock_sock(sk);
2587 }
2588
2589 read_unlock(&l->lock);
b1235d79 2590
1da177e4
LT		 2591 return 0;
2592}
2593
2594static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
2595{
2596 struct l2cap_conn *conn = hcon->l2cap_data;
2597
2598 if (!conn && !(conn = l2cap_conn_add(hcon, 0)))
2599 goto drop;
2600
2601 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
2602
2603 if (flags & ACL_START) {
2604 struct l2cap_hdr *hdr;
2605 int len;
2606
2607 if (conn->rx_len) {
2608 BT_ERR("Unexpected start frame (len %d)", skb->len);
2609 kfree_skb(conn->rx_skb);
2610 conn->rx_skb = NULL;
2611 conn->rx_len = 0;
2612 l2cap_conn_unreliable(conn, ECOMM);
2613 }
2614
2615 if (skb->len < 2) {
2616 BT_ERR("Frame is too short (len %d)", skb->len);
2617 l2cap_conn_unreliable(conn, ECOMM);
2618 goto drop;
2619 }
2620
2621 hdr = (struct l2cap_hdr *) skb->data;
2622 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
2623
2624 if (len == skb->len) {
2625 /* Complete frame received */
2626 l2cap_recv_frame(conn, skb);
2627 return 0;
2628 }
2629
2630 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
2631
2632 if (skb->len > len) {
2633 BT_ERR("Frame is too long (len %d, expected len %d)",
2634 skb->len, len);
2635 l2cap_conn_unreliable(conn, ECOMM);
2636 goto drop;
2637 }
2638
2639 /* Allocate skb for the complete frame (with header) */
2640 if (!(conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC)))
2641 goto drop;
2642
d626f62b 2643 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 2644 skb->len);
1da177e4
LT		 2645 conn->rx_len = len - skb->len;
2646 } else {
2647 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
2648
2649 if (!conn->rx_len) {
2650 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
2651 l2cap_conn_unreliable(conn, ECOMM);
2652 goto drop;
2653 }
2654
2655 if (skb->len > conn->rx_len) {
2656 BT_ERR("Fragment is too long (len %d, expected %d)",
2657 skb->len, conn->rx_len);
2658 kfree_skb(conn->rx_skb);
2659 conn->rx_skb = NULL;
2660 conn->rx_len = 0;
2661 l2cap_conn_unreliable(conn, ECOMM);
2662 goto drop;
2663 }
2664
d626f62b 2665 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 2666 skb->len);
1da177e4
LT		 2667 conn->rx_len -= skb->len;
2668
2669 if (!conn->rx_len) {
2670 /* Complete frame received */
2671 l2cap_recv_frame(conn, conn->rx_skb);
2672 conn->rx_skb = NULL;
2673 }
2674 }
2675
2676drop:
2677 kfree_skb(skb);
2678 return 0;
2679}
2680
be9d1227 2681static ssize_t l2cap_sysfs_show(struct class *dev, char *buf)
1da177e4
LT		 2682{
2683 struct sock *sk;
2684 struct hlist_node *node;
be9d1227 2685 char *str = buf;
1da177e4
LT		 2686
2687 read_lock_bh(&l2cap_sk_list.lock);
2688
be9d1227
MH		 2689 sk_for_each(sk, node, &l2cap_sk_list.head) {
2690 struct l2cap_pinfo *pi = l2cap_pi(sk);
1da177e4 2691
2af6b9d5 2692 str += sprintf(str, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d\n",
be9d1227 2693 batostr(&bt_sk(sk)->src), batostr(&bt_sk(sk)->dst),
73863976 2694 sk->sk_state, btohs(pi->psm), pi->scid, pi->dcid,
2af6b9d5 2695 pi->imtu, pi->omtu, pi->sec_level);
be9d1227 2696 }
1da177e4 2697
1da177e4 2698 read_unlock_bh(&l2cap_sk_list.lock);
1da177e4 2699
be9d1227 2700 return (str - buf);
1da177e4
LT		 2701}
2702
be9d1227 2703static CLASS_ATTR(l2cap, S_IRUGO, l2cap_sysfs_show, NULL);
1da177e4 2704
90ddc4f0 2705static const struct proto_ops l2cap_sock_ops = {
1da177e4
LT		 2706 .family = PF_BLUETOOTH,
2707 .owner = THIS_MODULE,
2708 .release = l2cap_sock_release,
2709 .bind = l2cap_sock_bind,
2710 .connect = l2cap_sock_connect,
2711 .listen = l2cap_sock_listen,
2712 .accept = l2cap_sock_accept,
2713 .getname = l2cap_sock_getname,
2714 .sendmsg = l2cap_sock_sendmsg,
f66dc81f 2715 .recvmsg = l2cap_sock_recvmsg,
1da177e4 2716 .poll = bt_sock_poll,
3241ad82 2717 .ioctl = bt_sock_ioctl,
1da177e4
LT		 2718 .mmap = sock_no_mmap,
2719 .socketpair = sock_no_socketpair,
1da177e4
LT		 2720 .shutdown = l2cap_sock_shutdown,
2721 .setsockopt = l2cap_sock_setsockopt,
2722 .getsockopt = l2cap_sock_getsockopt
2723};
2724
2725static struct net_proto_family l2cap_sock_family_ops = {
2726 .family = PF_BLUETOOTH,
2727 .owner = THIS_MODULE,
2728 .create = l2cap_sock_create,
2729};
2730
2731static struct hci_proto l2cap_hci_proto = {
2732 .name = "L2CAP",
2733 .id = HCI_PROTO_L2CAP,
2734 .connect_ind = l2cap_connect_ind,
2735 .connect_cfm = l2cap_connect_cfm,
2736 .disconn_ind = l2cap_disconn_ind,
2950f21a 2737 .disconn_cfm = l2cap_disconn_cfm,
8c1b2355 2738 .security_cfm = l2cap_security_cfm,
1da177e4
LT		 2739 .recv_acldata = l2cap_recv_acldata
2740};
2741
2742static int __init l2cap_init(void)
2743{
2744 int err;
be9d1227 2745
1da177e4
LT		 2746 err = proto_register(&l2cap_proto, 0);
2747 if (err < 0)
2748 return err;
2749
2750 err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
2751 if (err < 0) {
2752 BT_ERR("L2CAP socket registration failed");
2753 goto error;
2754 }
2755
2756 err = hci_register_proto(&l2cap_hci_proto);
2757 if (err < 0) {
2758 BT_ERR("L2CAP protocol registration failed");
2759 bt_sock_unregister(BTPROTO_L2CAP);
2760 goto error;
2761 }
2762
df5c37ea
MH		 2763 if (class_create_file(bt_class, &class_attr_l2cap) < 0)
2764 BT_ERR("Failed to create L2CAP info file");
1da177e4
LT		 2765
2766 BT_INFO("L2CAP ver %s", VERSION);
2767 BT_INFO("L2CAP socket layer initialized");
2768
2769 return 0;
2770
2771error:
2772 proto_unregister(&l2cap_proto);
2773 return err;
2774}
2775
2776static void __exit l2cap_exit(void)
2777{
a91f2e39 2778 class_remove_file(bt_class, &class_attr_l2cap);
1da177e4
LT		 2779
2780 if (bt_sock_unregister(BTPROTO_L2CAP) < 0)
2781 BT_ERR("L2CAP socket unregistration failed");
2782
2783 if (hci_unregister_proto(&l2cap_hci_proto) < 0)
2784 BT_ERR("L2CAP protocol unregistration failed");
2785
2786 proto_unregister(&l2cap_proto);
2787}
2788
2789void l2cap_load(void)
2790{
2791 /* Dummy function to trigger automatic L2CAP module loading by
2792 * other modules that use L2CAP sockets but don't use any other
2793 * symbols from it. */
2794 return;
2795}
2796EXPORT_SYMBOL(l2cap_load);
2797
2798module_init(l2cap_init);
2799module_exit(l2cap_exit);
2800
63fbd24e 2801MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
1da177e4
LT		 2802MODULE_DESCRIPTION("Bluetooth L2CAP ver " VERSION);
2803MODULE_VERSION(VERSION);
2804MODULE_LICENSE("GPL");
2805MODULE_ALIAS("bt-proto-0");
Linux 6.x block layer and io_uring tree(s)