]> git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/blame - net/bluetooth/l2cap.c
projects / mirror_ubuntu-artful-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Add CID field to L2CAP socket address structure
[mirror_ubuntu-artful-kernel.git] / net / bluetooth / l2cap.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4
5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License version 2 as
9 published by the Free Software Foundation;
10
11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19
8e87d142
YH		 20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 22 SOFTWARE IS DISCLAIMED.
23*/
24
25/* Bluetooth L2CAP core and sockets. */
26
1da177e4
LT		 27#include <linux/module.h>
28
29#include <linux/types.h>
4fc268d2 30#include <linux/capability.h>
1da177e4
LT		 31#include <linux/errno.h>
32#include <linux/kernel.h>
1da177e4
LT		 33#include <linux/sched.h>
34#include <linux/slab.h>
35#include <linux/poll.h>
36#include <linux/fcntl.h>
37#include <linux/init.h>
38#include <linux/interrupt.h>
39#include <linux/socket.h>
40#include <linux/skbuff.h>
1da177e4 41#include <linux/list.h>
be9d1227 42#include <linux/device.h>
1da177e4
LT		 43#include <net/sock.h>
44
45#include <asm/system.h>
46#include <asm/uaccess.h>
47#include <asm/unaligned.h>
48
49#include <net/bluetooth/bluetooth.h>
50#include <net/bluetooth/hci_core.h>
51#include <net/bluetooth/l2cap.h>
52
e1027a7c 53#define VERSION "2.13"
f0709e03 54
e1027a7c
MH		 55static u32 l2cap_feat_mask = 0x0080;
56static u8 l2cap_fixed_chan[8] = { 0x02, };
1da177e4 57
90ddc4f0 58static const struct proto_ops l2cap_sock_ops;
1da177e4
LT		 59
60static struct bt_sock_list l2cap_sk_list = {
d5fb2962 61 .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
1da177e4
LT		 62};
63
1da177e4
LT		 64static void __l2cap_sock_close(struct sock *sk, int reason);
65static void l2cap_sock_close(struct sock *sk);
66static void l2cap_sock_kill(struct sock *sk);
67
68static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
69 u8 code, u8 ident, u16 dlen, void *data);
70
71/* ---- L2CAP timers ---- */
72static void l2cap_sock_timeout(unsigned long arg)
73{
74 struct sock *sk = (struct sock *) arg;
b1235d79 75 int reason;
1da177e4
LT		 76
77 BT_DBG("sock %p state %d", sk, sk->sk_state);
78
79 bh_lock_sock(sk);
b1235d79 80
f62e4323
MH		 81 if (sk->sk_state == BT_CONNECTED || sk->sk_state == BT_CONFIG)
82 reason = ECONNREFUSED;
83 else if (sk->sk_state == BT_CONNECT &&
2af6b9d5 84 l2cap_pi(sk)->sec_level != BT_SECURITY_SDP)
b1235d79
MH		 85 reason = ECONNREFUSED;
86 else
87 reason = ETIMEDOUT;
88
89 __l2cap_sock_close(sk, reason);
90
1da177e4
LT		 91 bh_unlock_sock(sk);
92
93 l2cap_sock_kill(sk);
94 sock_put(sk);
95}
96
97static void l2cap_sock_set_timer(struct sock *sk, long timeout)
98{
99 BT_DBG("sk %p state %d timeout %ld", sk, sk->sk_state, timeout);
100 sk_reset_timer(sk, &sk->sk_timer, jiffies + timeout);
101}
102
103static void l2cap_sock_clear_timer(struct sock *sk)
104{
105 BT_DBG("sock %p state %d", sk, sk->sk_state);
106 sk_stop_timer(sk, &sk->sk_timer);
107}
108
0139418c
MH		 109/* ---- L2CAP channels ---- */
110static struct sock *__l2cap_get_chan_by_dcid(struct l2cap_chan_list *l, u16 cid)
111{
112 struct sock *s;
113 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
114 if (l2cap_pi(s)->dcid == cid)
115 break;
116 }
117 return s;
118}
119
120static struct sock *__l2cap_get_chan_by_scid(struct l2cap_chan_list *l, u16 cid)
121{
122 struct sock *s;
123 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
124 if (l2cap_pi(s)->scid == cid)
125 break;
126 }
127 return s;
128}
129
130/* Find channel with given SCID.
131 * Returns locked socket */
132static inline struct sock *l2cap_get_chan_by_scid(struct l2cap_chan_list *l, u16 cid)
133{
134 struct sock *s;
135 read_lock(&l->lock);
136 s = __l2cap_get_chan_by_scid(l, cid);
137 if (s) bh_lock_sock(s);
138 read_unlock(&l->lock);
139 return s;
140}
141
142static struct sock *__l2cap_get_chan_by_ident(struct l2cap_chan_list *l, u8 ident)
143{
144 struct sock *s;
145 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
146 if (l2cap_pi(s)->ident == ident)
147 break;
148 }
149 return s;
150}
151
152static inline struct sock *l2cap_get_chan_by_ident(struct l2cap_chan_list *l, u8 ident)
153{
154 struct sock *s;
155 read_lock(&l->lock);
156 s = __l2cap_get_chan_by_ident(l, ident);
157 if (s) bh_lock_sock(s);
158 read_unlock(&l->lock);
159 return s;
160}
161
162static u16 l2cap_alloc_cid(struct l2cap_chan_list *l)
163{
164 u16 cid = 0x0040;
165
166 for (; cid < 0xffff; cid++) {
167 if(!__l2cap_get_chan_by_scid(l, cid))
168 return cid;
169 }
170
171 return 0;
172}
173
174static inline void __l2cap_chan_link(struct l2cap_chan_list *l, struct sock *sk)
175{
176 sock_hold(sk);
177
178 if (l->head)
179 l2cap_pi(l->head)->prev_c = sk;
180
181 l2cap_pi(sk)->next_c = l->head;
182 l2cap_pi(sk)->prev_c = NULL;
183 l->head = sk;
184}
185
186static inline void l2cap_chan_unlink(struct l2cap_chan_list *l, struct sock *sk)
187{
188 struct sock *next = l2cap_pi(sk)->next_c, *prev = l2cap_pi(sk)->prev_c;
189
fd1278d7 190 write_lock_bh(&l->lock);
0139418c
MH		 191 if (sk == l->head)
192 l->head = next;
193
194 if (next)
195 l2cap_pi(next)->prev_c = prev;
196 if (prev)
197 l2cap_pi(prev)->next_c = next;
fd1278d7 198 write_unlock_bh(&l->lock);
0139418c
MH		 199
200 __sock_put(sk);
201}
202
203static void __l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent)
204{
205 struct l2cap_chan_list *l = &conn->chan_list;
206
207 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn, l2cap_pi(sk)->psm, l2cap_pi(sk)->dcid);
208
209 l2cap_pi(sk)->conn = conn;
210
211 if (sk->sk_type == SOCK_SEQPACKET) {
212 /* Alloc CID for connection-oriented socket */
213 l2cap_pi(sk)->scid = l2cap_alloc_cid(l);
214 } else if (sk->sk_type == SOCK_DGRAM) {
215 /* Connectionless socket */
216 l2cap_pi(sk)->scid = 0x0002;
217 l2cap_pi(sk)->dcid = 0x0002;
218 l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU;
219 } else {
220 /* Raw socket can send/recv signalling messages only */
221 l2cap_pi(sk)->scid = 0x0001;
222 l2cap_pi(sk)->dcid = 0x0001;
223 l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU;
224 }
225
226 __l2cap_chan_link(l, sk);
227
228 if (parent)
229 bt_accept_enqueue(parent, sk);
230}
231
8e87d142 232/* Delete channel.
0139418c
MH		 233 * Must be called on the locked socket. */
234static void l2cap_chan_del(struct sock *sk, int err)
235{
236 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
237 struct sock *parent = bt_sk(sk)->parent;
238
239 l2cap_sock_clear_timer(sk);
240
241 BT_DBG("sk %p, conn %p, err %d", sk, conn, err);
242
8e87d142 243 if (conn) {
0139418c
MH		 244 /* Unlink from channel list */
245 l2cap_chan_unlink(&conn->chan_list, sk);
246 l2cap_pi(sk)->conn = NULL;
247 hci_conn_put(conn->hcon);
248 }
249
b1235d79 250 sk->sk_state = BT_CLOSED;
0139418c
MH		 251 sock_set_flag(sk, SOCK_ZAPPED);
252
253 if (err)
254 sk->sk_err = err;
255
256 if (parent) {
257 bt_accept_unlink(sk);
258 parent->sk_data_ready(parent, 0);
259 } else
260 sk->sk_state_change(sk);
261}
262
79d554a6 263/* Service level security */
2af6b9d5 264static inline int l2cap_check_security(struct sock *sk)
79d554a6
MH		 265{
266 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
0684e5f9
MH		 267 __u8 auth_type;
268
269 switch (l2cap_pi(sk)->sec_level) {
270 case BT_SECURITY_HIGH:
271 auth_type = HCI_AT_GENERAL_BONDING_MITM;
272 break;
273 case BT_SECURITY_MEDIUM:
274 auth_type = HCI_AT_GENERAL_BONDING;
275 break;
276 default:
277 auth_type = HCI_AT_NO_BONDING;
278 break;
279 }
79d554a6 280
0684e5f9
MH		 281 return hci_conn_security(conn->hcon, l2cap_pi(sk)->sec_level,
282 auth_type);
79d554a6
MH		 283}
284
4e8402a3
MH		 285static inline u8 l2cap_get_ident(struct l2cap_conn *conn)
286{
287 u8 id;
288
289 /* Get next available identificator.
290 * 1 - 128 are used by kernel.
291 * 129 - 199 are reserved.
292 * 200 - 254 are used by utilities like l2ping, etc.
293 */
294
295 spin_lock_bh(&conn->lock);
296
297 if (++conn->tx_ident > 128)
298 conn->tx_ident = 1;
299
300 id = conn->tx_ident;
301
302 spin_unlock_bh(&conn->lock);
303
304 return id;
305}
306
307static inline int l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
308{
309 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
310
311 BT_DBG("code 0x%2.2x", code);
312
313 if (!skb)
314 return -ENOMEM;
315
316 return hci_send_acl(conn->hcon, skb, 0);
317}
318
79d554a6
MH		 319static void l2cap_do_start(struct sock *sk)
320{
321 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
322
323 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 324 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
325 return;
326
2af6b9d5 327 if (l2cap_check_security(sk)) {
b1235d79
MH		 328 struct l2cap_conn_req req;
329 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
330 req.psm = l2cap_pi(sk)->psm;
79d554a6 331
b1235d79 332 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
79d554a6 333
b1235d79 334 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
79d554a6 335 L2CAP_CONN_REQ, sizeof(req), &req);
b1235d79 336 }
79d554a6
MH		 337 } else {
338 struct l2cap_info_req req;
339 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
340
341 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
342 conn->info_ident = l2cap_get_ident(conn);
343
344 mod_timer(&conn->info_timer, jiffies +
345 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
346
347 l2cap_send_cmd(conn, conn->info_ident,
348 L2CAP_INFO_REQ, sizeof(req), &req);
349 }
350}
351
1da177e4 352/* ---- L2CAP connections ---- */
4e8402a3
MH		 353static void l2cap_conn_start(struct l2cap_conn *conn)
354{
355 struct l2cap_chan_list *l = &conn->chan_list;
356 struct sock *sk;
357
358 BT_DBG("conn %p", conn);
359
360 read_lock(&l->lock);
361
362 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
363 bh_lock_sock(sk);
364
365 if (sk->sk_type != SOCK_SEQPACKET) {
79d554a6
MH		 366 bh_unlock_sock(sk);
367 continue;
368 }
369
370 if (sk->sk_state == BT_CONNECT) {
2af6b9d5 371 if (l2cap_check_security(sk)) {
b1235d79
MH		 372 struct l2cap_conn_req req;
373 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
374 req.psm = l2cap_pi(sk)->psm;
79d554a6 375
b1235d79 376 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
79d554a6 377
b1235d79 378 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
4e8402a3 379 L2CAP_CONN_REQ, sizeof(req), &req);
b1235d79 380 }
79d554a6
MH		 381 } else if (sk->sk_state == BT_CONNECT2) {
382 struct l2cap_conn_rsp rsp;
383 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
384 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
385
2af6b9d5 386 if (l2cap_check_security(sk)) {
f66dc81f
MH		 387 if (bt_sk(sk)->defer_setup) {
388 struct sock *parent = bt_sk(sk)->parent;
389 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
390 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
391 parent->sk_data_ready(parent, 0);
392
393 } else {
394 sk->sk_state = BT_CONFIG;
395 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
396 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
397 }
79d554a6
MH		 398 } else {
399 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
400 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
401 }
402
403 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
404 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
4e8402a3
MH		 405 }
406
407 bh_unlock_sock(sk);
408 }
409
410 read_unlock(&l->lock);
411}
412
413static void l2cap_conn_ready(struct l2cap_conn *conn)
414{
79d554a6
MH		 415 struct l2cap_chan_list *l = &conn->chan_list;
416 struct sock *sk;
4e8402a3 417
79d554a6 418 BT_DBG("conn %p", conn);
4e8402a3 419
79d554a6 420 read_lock(&l->lock);
4e8402a3 421
79d554a6
MH		 422 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
423 bh_lock_sock(sk);
4e8402a3 424
79d554a6
MH		 425 if (sk->sk_type != SOCK_SEQPACKET) {
426 l2cap_sock_clear_timer(sk);
427 sk->sk_state = BT_CONNECTED;
428 sk->sk_state_change(sk);
429 } else if (sk->sk_state == BT_CONNECT)
430 l2cap_do_start(sk);
4e8402a3 431
79d554a6 432 bh_unlock_sock(sk);
4e8402a3 433 }
79d554a6
MH		 434
435 read_unlock(&l->lock);
4e8402a3
MH		 436}
437
438/* Notify sockets that we cannot guaranty reliability anymore */
439static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
440{
441 struct l2cap_chan_list *l = &conn->chan_list;
442 struct sock *sk;
443
444 BT_DBG("conn %p", conn);
445
446 read_lock(&l->lock);
447
448 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
2af6b9d5 449 if (l2cap_pi(sk)->force_reliable)
4e8402a3
MH		 450 sk->sk_err = err;
451 }
452
453 read_unlock(&l->lock);
454}
455
456static void l2cap_info_timeout(unsigned long arg)
457{
458 struct l2cap_conn *conn = (void *) arg;
459
984947dc 460 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 461 conn->info_ident = 0;
984947dc 462
4e8402a3
MH		 463 l2cap_conn_start(conn);
464}
465
1da177e4
LT		 466static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
467{
0139418c 468 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4 469
0139418c 470 if (conn || status)
1da177e4
LT		 471 return conn;
472
0139418c
MH		 473 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
474 if (!conn)
1da177e4 475 return NULL;
1da177e4
LT		 476
477 hcon->l2cap_data = conn;
478 conn->hcon = hcon;
479
0139418c
MH		 480 BT_DBG("hcon %p conn %p", hcon, conn);
481
1da177e4
LT		 482 conn->mtu = hcon->hdev->acl_mtu;
483 conn->src = &hcon->hdev->bdaddr;
484 conn->dst = &hcon->dst;
485
4e8402a3
MH		 486 conn->feat_mask = 0;
487
b1235d79
MH		 488 setup_timer(&conn->info_timer, l2cap_info_timeout,
489 (unsigned long) conn);
4e8402a3 490
1da177e4
LT		 491 spin_lock_init(&conn->lock);
492 rwlock_init(&conn->chan_list.lock);
493
1da177e4
LT		 494 return conn;
495}
496
0139418c 497static void l2cap_conn_del(struct hci_conn *hcon, int err)
1da177e4 498{
0139418c 499 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4
LT		 500 struct sock *sk;
501
0139418c
MH		 502 if (!conn)
503 return;
1da177e4
LT		 504
505 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
506
507 if (conn->rx_skb)
508 kfree_skb(conn->rx_skb);
509
510 /* Kill channels */
511 while ((sk = conn->chan_list.head)) {
512 bh_lock_sock(sk);
513 l2cap_chan_del(sk, err);
514 bh_unlock_sock(sk);
515 l2cap_sock_kill(sk);
516 }
517
8e8440f5
DY		 518 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
519 del_timer_sync(&conn->info_timer);
3ab22731 520
1da177e4
LT		 521 hcon->l2cap_data = NULL;
522 kfree(conn);
1da177e4
LT		 523}
524
525static inline void l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent)
526{
527 struct l2cap_chan_list *l = &conn->chan_list;
fd1278d7 528 write_lock_bh(&l->lock);
1da177e4 529 __l2cap_chan_add(conn, sk, parent);
fd1278d7 530 write_unlock_bh(&l->lock);
1da177e4
LT		 531}
532
1da177e4 533/* ---- Socket interface ---- */
8e036fc3 534static struct sock *__l2cap_get_sock_by_addr(__le16 psm, bdaddr_t *src)
1da177e4
LT		 535{
536 struct sock *sk;
537 struct hlist_node *node;
538 sk_for_each(sk, node, &l2cap_sk_list.head)
539 if (l2cap_pi(sk)->sport == psm && !bacmp(&bt_sk(sk)->src, src))
540 goto found;
541 sk = NULL;
542found:
543 return sk;
544}
545
546/* Find socket with psm and source bdaddr.
547 * Returns closest match.
548 */
8e036fc3 549static struct sock *__l2cap_get_sock_by_psm(int state, __le16 psm, bdaddr_t *src)
1da177e4
LT		 550{
551 struct sock *sk = NULL, *sk1 = NULL;
552 struct hlist_node *node;
553
554 sk_for_each(sk, node, &l2cap_sk_list.head) {
555 if (state && sk->sk_state != state)
556 continue;
557
558 if (l2cap_pi(sk)->psm == psm) {
559 /* Exact match. */
560 if (!bacmp(&bt_sk(sk)->src, src))
561 break;
562
563 /* Closest match */
564 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
565 sk1 = sk;
566 }
567 }
568 return node ? sk : sk1;
569}
570
571/* Find socket with given address (psm, src).
572 * Returns locked socket */
8e036fc3 573static inline struct sock *l2cap_get_sock_by_psm(int state, __le16 psm, bdaddr_t *src)
1da177e4
LT		 574{
575 struct sock *s;
576 read_lock(&l2cap_sk_list.lock);
577 s = __l2cap_get_sock_by_psm(state, psm, src);
578 if (s) bh_lock_sock(s);
579 read_unlock(&l2cap_sk_list.lock);
580 return s;
581}
582
583static void l2cap_sock_destruct(struct sock *sk)
584{
585 BT_DBG("sk %p", sk);
586
587 skb_queue_purge(&sk->sk_receive_queue);
588 skb_queue_purge(&sk->sk_write_queue);
589}
590
591static void l2cap_sock_cleanup_listen(struct sock *parent)
592{
593 struct sock *sk;
594
595 BT_DBG("parent %p", parent);
596
597 /* Close not yet accepted channels */
598 while ((sk = bt_accept_dequeue(parent, NULL)))
599 l2cap_sock_close(sk);
600
b1235d79 601 parent->sk_state = BT_CLOSED;
1da177e4
LT		 602 sock_set_flag(parent, SOCK_ZAPPED);
603}
604
605/* Kill socket (only if zapped and orphan)
606 * Must be called on unlocked socket.
607 */
608static void l2cap_sock_kill(struct sock *sk)
609{
610 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
611 return;
612
613 BT_DBG("sk %p state %d", sk, sk->sk_state);
614
615 /* Kill poor orphan */
616 bt_sock_unlink(&l2cap_sk_list, sk);
617 sock_set_flag(sk, SOCK_DEAD);
618 sock_put(sk);
619}
620
621static void __l2cap_sock_close(struct sock *sk, int reason)
622{
623 BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
624
625 switch (sk->sk_state) {
626 case BT_LISTEN:
627 l2cap_sock_cleanup_listen(sk);
628 break;
629
630 case BT_CONNECTED:
631 case BT_CONFIG:
1da177e4
LT		 632 if (sk->sk_type == SOCK_SEQPACKET) {
633 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
634 struct l2cap_disconn_req req;
635
636 sk->sk_state = BT_DISCONN;
637 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
638
aca3192c
YH		 639 req.dcid = cpu_to_le16(l2cap_pi(sk)->dcid);
640 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
1da177e4
LT		 641 l2cap_send_cmd(conn, l2cap_get_ident(conn),
642 L2CAP_DISCONN_REQ, sizeof(req), &req);
b1235d79 643 } else
1da177e4 644 l2cap_chan_del(sk, reason);
1da177e4
LT		 645 break;
646
f66dc81f
MH		 647 case BT_CONNECT2:
648 if (sk->sk_type == SOCK_SEQPACKET) {
649 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
650 struct l2cap_conn_rsp rsp;
651 __u16 result;
652
653 if (bt_sk(sk)->defer_setup)
654 result = L2CAP_CR_SEC_BLOCK;
655 else
656 result = L2CAP_CR_BAD_PSM;
657
658 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
659 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
660 rsp.result = cpu_to_le16(result);
661 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
662 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
663 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
664 } else
665 l2cap_chan_del(sk, reason);
666 break;
667
1da177e4
LT		 668 case BT_CONNECT:
669 case BT_DISCONN:
670 l2cap_chan_del(sk, reason);
671 break;
672
673 default:
674 sock_set_flag(sk, SOCK_ZAPPED);
675 break;
676 }
677}
678
679/* Must be called on unlocked socket. */
680static void l2cap_sock_close(struct sock *sk)
681{
682 l2cap_sock_clear_timer(sk);
683 lock_sock(sk);
684 __l2cap_sock_close(sk, ECONNRESET);
685 release_sock(sk);
686 l2cap_sock_kill(sk);
687}
688
689static void l2cap_sock_init(struct sock *sk, struct sock *parent)
690{
691 struct l2cap_pinfo *pi = l2cap_pi(sk);
692
693 BT_DBG("sk %p", sk);
694
695 if (parent) {
696 sk->sk_type = parent->sk_type;
f66dc81f
MH		 697 bt_sk(sk)->defer_setup = bt_sk(parent)->defer_setup;
698
1da177e4
LT		 699 pi->imtu = l2cap_pi(parent)->imtu;
700 pi->omtu = l2cap_pi(parent)->omtu;
2af6b9d5
MH		 701 pi->sec_level = l2cap_pi(parent)->sec_level;
702 pi->role_switch = l2cap_pi(parent)->role_switch;
703 pi->force_reliable = l2cap_pi(parent)->force_reliable;
1da177e4
LT		 704 } else {
705 pi->imtu = L2CAP_DEFAULT_MTU;
706 pi->omtu = 0;
2af6b9d5
MH		 707 pi->sec_level = BT_SECURITY_LOW;
708 pi->role_switch = 0;
709 pi->force_reliable = 0;
1da177e4
LT		 710 }
711
712 /* Default config options */
5dee9e7c 713 pi->conf_len = 0;
1da177e4
LT		 714 pi->flush_to = L2CAP_DEFAULT_FLUSH_TO;
715}
716
717static struct proto l2cap_proto = {
718 .name = "L2CAP",
719 .owner = THIS_MODULE,
720 .obj_size = sizeof(struct l2cap_pinfo)
721};
722
1b8d7ae4 723static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio)
1da177e4
LT		 724{
725 struct sock *sk;
726
6257ff21 727 sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto);
1da177e4
LT		 728 if (!sk)
729 return NULL;
730
731 sock_init_data(sock, sk);
732 INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
733
734 sk->sk_destruct = l2cap_sock_destruct;
4e8402a3 735 sk->sk_sndtimeo = msecs_to_jiffies(L2CAP_CONN_TIMEOUT);
1da177e4
LT		 736
737 sock_reset_flag(sk, SOCK_ZAPPED);
738
739 sk->sk_protocol = proto;
b1235d79 740 sk->sk_state = BT_OPEN;
1da177e4 741
b1235d79 742 setup_timer(&sk->sk_timer, l2cap_sock_timeout, (unsigned long) sk);
1da177e4
LT		 743
744 bt_sock_link(&l2cap_sk_list, sk);
745 return sk;
746}
747
1b8d7ae4 748static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol)
1da177e4
LT		 749{
750 struct sock *sk;
751
752 BT_DBG("sock %p", sock);
753
754 sock->state = SS_UNCONNECTED;
755
756 if (sock->type != SOCK_SEQPACKET &&
757 sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
758 return -ESOCKTNOSUPPORT;
759
760 if (sock->type == SOCK_RAW && !capable(CAP_NET_RAW))
761 return -EPERM;
762
763 sock->ops = &l2cap_sock_ops;
764
1b8d7ae4 765 sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC);
1da177e4
LT		 766 if (!sk)
767 return -ENOMEM;
768
769 l2cap_sock_init(sk, NULL);
770 return 0;
771}
772
f29972de 773static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
1da177e4 774{
1da177e4 775 struct sock *sk = sock->sk;
f29972de
MH		 776 struct sockaddr_l2 la;
777 int len, err = 0;
1da177e4 778
f29972de 779 BT_DBG("sk %p", sk);
1da177e4
LT		 780
781 if (!addr || addr->sa_family != AF_BLUETOOTH)
782 return -EINVAL;
783
f29972de
MH		 784 memset(&la, 0, sizeof(la));
785 len = min_t(unsigned int, sizeof(la), alen);
786 memcpy(&la, addr, len);
787
1da177e4
LT		 788 lock_sock(sk);
789
790 if (sk->sk_state != BT_OPEN) {
791 err = -EBADFD;
792 goto done;
793 }
794
f29972de 795 if (la.l2_psm && btohs(la.l2_psm) < 0x1001 &&
847641d7
MH		 796 !capable(CAP_NET_BIND_SERVICE)) {
797 err = -EACCES;
798 goto done;
799 }
8e87d142 800
1da177e4
LT		 801 write_lock_bh(&l2cap_sk_list.lock);
802
f29972de 803 if (la.l2_psm && __l2cap_get_sock_by_addr(la.l2_psm, &la.l2_bdaddr)) {
1da177e4
LT		 804 err = -EADDRINUSE;
805 } else {
806 /* Save source address */
f29972de
MH		 807 bacpy(&bt_sk(sk)->src, &la.l2_bdaddr);
808 l2cap_pi(sk)->psm = la.l2_psm;
809 l2cap_pi(sk)->sport = la.l2_psm;
1da177e4 810 sk->sk_state = BT_BOUND;
2af6b9d5 811
f29972de 812 if (btohs(la.l2_psm) == 0x0001 || btohs(la.l2_psm) == 0x0003)
2af6b9d5 813 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
1da177e4
LT		 814 }
815
816 write_unlock_bh(&l2cap_sk_list.lock);
817
818done:
819 release_sock(sk);
820 return err;
821}
822
823static int l2cap_do_connect(struct sock *sk)
824{
825 bdaddr_t *src = &bt_sk(sk)->src;
826 bdaddr_t *dst = &bt_sk(sk)->dst;
827 struct l2cap_conn *conn;
828 struct hci_conn *hcon;
829 struct hci_dev *hdev;
09ab6f4c 830 __u8 auth_type;
1da177e4
LT		 831 int err = 0;
832
f29972de
MH		 833 BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
834 l2cap_pi(sk)->psm);
1da177e4
LT		 835
836 if (!(hdev = hci_get_route(dst, src)))
837 return -EHOSTUNREACH;
838
839 hci_dev_lock_bh(hdev);
840
841 err = -ENOMEM;
842
8c1b2355 843 if (sk->sk_type == SOCK_RAW) {
2af6b9d5
MH		 844 switch (l2cap_pi(sk)->sec_level) {
845 case BT_SECURITY_HIGH:
8c1b2355 846 auth_type = HCI_AT_DEDICATED_BONDING_MITM;
2af6b9d5
MH		 847 break;
848 case BT_SECURITY_MEDIUM:
8c1b2355 849 auth_type = HCI_AT_DEDICATED_BONDING;
2af6b9d5
MH		 850 break;
851 default:
09ab6f4c 852 auth_type = HCI_AT_NO_BONDING;
2af6b9d5
MH		 853 break;
854 }
8c1b2355 855 } else if (l2cap_pi(sk)->psm == cpu_to_le16(0x0001)) {
2af6b9d5 856 if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
8c1b2355 857 auth_type = HCI_AT_NO_BONDING_MITM;
09ab6f4c 858 else
8c1b2355 859 auth_type = HCI_AT_NO_BONDING;
435fef20
MH		 860
861 if (l2cap_pi(sk)->sec_level == BT_SECURITY_LOW)
862 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
8c1b2355 863 } else {
2af6b9d5
MH		 864 switch (l2cap_pi(sk)->sec_level) {
865 case BT_SECURITY_HIGH:
8c1b2355 866 auth_type = HCI_AT_GENERAL_BONDING_MITM;
2af6b9d5
MH		 867 break;
868 case BT_SECURITY_MEDIUM:
09ab6f4c 869 auth_type = HCI_AT_GENERAL_BONDING;
2af6b9d5
MH		 870 break;
871 default:
8c1b2355 872 auth_type = HCI_AT_NO_BONDING;
2af6b9d5
MH		 873 break;
874 }
09ab6f4c
MH		 875 }
876
2af6b9d5
MH		 877 hcon = hci_connect(hdev, ACL_LINK, dst,
878 l2cap_pi(sk)->sec_level, auth_type);
1da177e4
LT		 879 if (!hcon)
880 goto done;
881
882 conn = l2cap_conn_add(hcon, 0);
883 if (!conn) {
884 hci_conn_put(hcon);
885 goto done;
886 }
887
888 err = 0;
889
890 /* Update source addr of the socket */
891 bacpy(src, conn->src);
892
893 l2cap_chan_add(conn, sk, NULL);
894
895 sk->sk_state = BT_CONNECT;
896 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
897
898 if (hcon->state == BT_CONNECTED) {
79d554a6 899 if (sk->sk_type != SOCK_SEQPACKET) {
1da177e4
LT		 900 l2cap_sock_clear_timer(sk);
901 sk->sk_state = BT_CONNECTED;
79d554a6
MH		 902 } else
903 l2cap_do_start(sk);
1da177e4
LT		 904 }
905
906done:
907 hci_dev_unlock_bh(hdev);
908 hci_dev_put(hdev);
909 return err;
910}
911
912static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags)
913{
1da177e4 914 struct sock *sk = sock->sk;
f29972de
MH		 915 struct sockaddr_l2 la;
916 int len, err = 0;
1da177e4
LT		 917
918 lock_sock(sk);
919
920 BT_DBG("sk %p", sk);
921
f29972de 922 if (!addr || addr->sa_family != AF_BLUETOOTH) {
1da177e4
LT		 923 err = -EINVAL;
924 goto done;
925 }
926
f29972de
MH		 927 memset(&la, 0, sizeof(la));
928 len = min_t(unsigned int, sizeof(la), alen);
929 memcpy(&la, addr, len);
930
931 if (sk->sk_type == SOCK_SEQPACKET && !la.l2_psm) {
1da177e4
LT		 932 err = -EINVAL;
933 goto done;
934 }
935
936 switch(sk->sk_state) {
937 case BT_CONNECT:
938 case BT_CONNECT2:
939 case BT_CONFIG:
940 /* Already connecting */
941 goto wait;
942
943 case BT_CONNECTED:
944 /* Already connected */
945 goto done;
946
947 case BT_OPEN:
948 case BT_BOUND:
949 /* Can connect */
950 break;
951
952 default:
953 err = -EBADFD;
954 goto done;
955 }
956
957 /* Set destination address and psm */
f29972de
MH		 958 bacpy(&bt_sk(sk)->dst, &la.l2_bdaddr);
959 l2cap_pi(sk)->psm = la.l2_psm;
1da177e4
LT		 960
961 if ((err = l2cap_do_connect(sk)))
962 goto done;
963
964wait:
965 err = bt_sock_wait_state(sk, BT_CONNECTED,
966 sock_sndtimeo(sk, flags & O_NONBLOCK));
967done:
968 release_sock(sk);
969 return err;
970}
971
972static int l2cap_sock_listen(struct socket *sock, int backlog)
973{
974 struct sock *sk = sock->sk;
975 int err = 0;
976
977 BT_DBG("sk %p backlog %d", sk, backlog);
978
979 lock_sock(sk);
980
981 if (sk->sk_state != BT_BOUND || sock->type != SOCK_SEQPACKET) {
982 err = -EBADFD;
983 goto done;
984 }
985
986 if (!l2cap_pi(sk)->psm) {
987 bdaddr_t *src = &bt_sk(sk)->src;
988 u16 psm;
989
990 err = -EINVAL;
991
992 write_lock_bh(&l2cap_sk_list.lock);
993
994 for (psm = 0x1001; psm < 0x1100; psm += 2)
6dc0c208 995 if (!__l2cap_get_sock_by_addr(htobs(psm), src)) {
1da177e4
LT		 996 l2cap_pi(sk)->psm = htobs(psm);
997 l2cap_pi(sk)->sport = htobs(psm);
998 err = 0;
999 break;
1000 }
1001
1002 write_unlock_bh(&l2cap_sk_list.lock);
1003
1004 if (err < 0)
1005 goto done;
1006 }
1007
1008 sk->sk_max_ack_backlog = backlog;
1009 sk->sk_ack_backlog = 0;
1010 sk->sk_state = BT_LISTEN;
1011
1012done:
1013 release_sock(sk);
1014 return err;
1015}
1016
1017static int l2cap_sock_accept(struct socket *sock, struct socket *newsock, int flags)
1018{
1019 DECLARE_WAITQUEUE(wait, current);
1020 struct sock *sk = sock->sk, *nsk;
1021 long timeo;
1022 int err = 0;
1023
fcc70d5f 1024 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
1da177e4
LT		 1025
1026 if (sk->sk_state != BT_LISTEN) {
1027 err = -EBADFD;
1028 goto done;
1029 }
1030
1031 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
1032
1033 BT_DBG("sk %p timeo %ld", sk, timeo);
1034
1035 /* Wait for an incoming connection. (wake-one). */
1036 add_wait_queue_exclusive(sk->sk_sleep, &wait);
1037 while (!(nsk = bt_accept_dequeue(sk, newsock))) {
1038 set_current_state(TASK_INTERRUPTIBLE);
1039 if (!timeo) {
1040 err = -EAGAIN;
1041 break;
1042 }
1043
1044 release_sock(sk);
1045 timeo = schedule_timeout(timeo);
fcc70d5f 1046 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
1da177e4
LT		 1047
1048 if (sk->sk_state != BT_LISTEN) {
1049 err = -EBADFD;
1050 break;
1051 }
1052
1053 if (signal_pending(current)) {
1054 err = sock_intr_errno(timeo);
1055 break;
1056 }
1057 }
1058 set_current_state(TASK_RUNNING);
1059 remove_wait_queue(sk->sk_sleep, &wait);
1060
1061 if (err)
1062 goto done;
1063
1064 newsock->state = SS_CONNECTED;
1065
1066 BT_DBG("new socket %p", nsk);
1067
1068done:
1069 release_sock(sk);
1070 return err;
1071}
1072
1073static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr, int *len, int peer)
1074{
1075 struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
1076 struct sock *sk = sock->sk;
1077
1078 BT_DBG("sock %p, sk %p", sock, sk);
1079
1080 addr->sa_family = AF_BLUETOOTH;
1081 *len = sizeof(struct sockaddr_l2);
1082
f29972de
MH		 1083 if (peer) {
1084 la->l2_psm = l2cap_pi(sk)->psm;
1da177e4 1085 bacpy(&la->l2_bdaddr, &bt_sk(sk)->dst);
f29972de
MH		 1086 la->l2_cid = htobs(l2cap_pi(sk)->dcid);
1087 } else {
1088 la->l2_psm = l2cap_pi(sk)->sport;
1da177e4 1089 bacpy(&la->l2_bdaddr, &bt_sk(sk)->src);
f29972de
MH		 1090 la->l2_cid = htobs(l2cap_pi(sk)->scid);
1091 }
1da177e4 1092
1da177e4
LT		 1093 return 0;
1094}
1095
1096static inline int l2cap_do_send(struct sock *sk, struct msghdr *msg, int len)
1097{
1098 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1099 struct sk_buff *skb, **frag;
1100 int err, hlen, count, sent=0;
1101 struct l2cap_hdr *lh;
1102
1103 BT_DBG("sk %p len %d", sk, len);
1104
1105 /* First fragment (with L2CAP header) */
1106 if (sk->sk_type == SOCK_DGRAM)
1107 hlen = L2CAP_HDR_SIZE + 2;
1108 else
1109 hlen = L2CAP_HDR_SIZE;
1110
1111 count = min_t(unsigned int, (conn->mtu - hlen), len);
1112
1113 skb = bt_skb_send_alloc(sk, hlen + count,
1114 msg->msg_flags & MSG_DONTWAIT, &err);
1115 if (!skb)
1116 return err;
1117
1118 /* Create L2CAP header */
1119 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c
YH		 1120 lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1121 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1da177e4
LT		 1122
1123 if (sk->sk_type == SOCK_DGRAM)
8e036fc3 1124 put_unaligned(l2cap_pi(sk)->psm, (__le16 *) skb_put(skb, 2));
1da177e4
LT		 1125
1126 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count)) {
1127 err = -EFAULT;
1128 goto fail;
1129 }
1130
1131 sent += count;
1132 len -= count;
1133
1134 /* Continuation fragments (no L2CAP header) */
1135 frag = &skb_shinfo(skb)->frag_list;
1136 while (len) {
1137 count = min_t(unsigned int, conn->mtu, len);
1138
1139 *frag = bt_skb_send_alloc(sk, count, msg->msg_flags & MSG_DONTWAIT, &err);
1140 if (!*frag)
1141 goto fail;
8e87d142 1142
1da177e4
LT		 1143 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count)) {
1144 err = -EFAULT;
1145 goto fail;
1146 }
1147
1148 sent += count;
1149 len -= count;
1150
1151 frag = &(*frag)->next;
1152 }
1153
1154 if ((err = hci_send_acl(conn->hcon, skb, 0)) < 0)
1155 goto fail;
1156
1157 return sent;
1158
1159fail:
1160 kfree_skb(skb);
1161 return err;
1162}
1163
1164static int l2cap_sock_sendmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len)
1165{
1166 struct sock *sk = sock->sk;
1167 int err = 0;
1168
1169 BT_DBG("sock %p, sk %p", sock, sk);
1170
c1cbe4b7
BL		 1171 err = sock_error(sk);
1172 if (err)
1173 return err;
1da177e4
LT		 1174
1175 if (msg->msg_flags & MSG_OOB)
1176 return -EOPNOTSUPP;
1177
1178 /* Check outgoing MTU */
1179 if (sk->sk_type != SOCK_RAW && len > l2cap_pi(sk)->omtu)
1180 return -EINVAL;
1181
1182 lock_sock(sk);
1183
1184 if (sk->sk_state == BT_CONNECTED)
1185 err = l2cap_do_send(sk, msg, len);
1186 else
1187 err = -ENOTCONN;
1188
1189 release_sock(sk);
1190 return err;
1191}
1192
f66dc81f
MH		 1193static int l2cap_sock_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len, int flags)
1194{
1195 struct sock *sk = sock->sk;
1196
1197 lock_sock(sk);
1198
1199 if (sk->sk_state == BT_CONNECT2 && bt_sk(sk)->defer_setup) {
1200 struct l2cap_conn_rsp rsp;
1201
1202 sk->sk_state = BT_CONFIG;
1203
1204 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
1205 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
1206 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1207 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1208 l2cap_send_cmd(l2cap_pi(sk)->conn, l2cap_pi(sk)->ident,
1209 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
1210
1211 release_sock(sk);
1212 return 0;
1213 }
1214
1215 release_sock(sk);
1216
1217 return bt_sock_recvmsg(iocb, sock, msg, len, flags);
1218}
1219
d58daf42 1220static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __user *optval, int optlen)
1da177e4
LT		 1221{
1222 struct sock *sk = sock->sk;
1223 struct l2cap_options opts;
f29972de 1224 int len, err = 0;
1da177e4
LT		 1225 u32 opt;
1226
1227 BT_DBG("sk %p", sk);
1228
1229 lock_sock(sk);
1230
1231 switch (optname) {
1232 case L2CAP_OPTIONS:
0878b666
MH		 1233 opts.imtu = l2cap_pi(sk)->imtu;
1234 opts.omtu = l2cap_pi(sk)->omtu;
1235 opts.flush_to = l2cap_pi(sk)->flush_to;
6464f35f 1236 opts.mode = L2CAP_MODE_BASIC;
0878b666 1237
1da177e4
LT		 1238 len = min_t(unsigned int, sizeof(opts), optlen);
1239 if (copy_from_user((char *) &opts, optval, len)) {
1240 err = -EFAULT;
1241 break;
1242 }
0878b666 1243
1da177e4
LT		 1244 l2cap_pi(sk)->imtu = opts.imtu;
1245 l2cap_pi(sk)->omtu = opts.omtu;
1246 break;
1247
1248 case L2CAP_LM:
1249 if (get_user(opt, (u32 __user *) optval)) {
1250 err = -EFAULT;
1251 break;
1252 }
1253
2af6b9d5
MH		 1254 if (opt & L2CAP_LM_AUTH)
1255 l2cap_pi(sk)->sec_level = BT_SECURITY_LOW;
1256 if (opt & L2CAP_LM_ENCRYPT)
1257 l2cap_pi(sk)->sec_level = BT_SECURITY_MEDIUM;
1258 if (opt & L2CAP_LM_SECURE)
1259 l2cap_pi(sk)->sec_level = BT_SECURITY_HIGH;
1260
1261 l2cap_pi(sk)->role_switch = (opt & L2CAP_LM_MASTER);
1262 l2cap_pi(sk)->force_reliable = (opt & L2CAP_LM_RELIABLE);
1da177e4
LT		 1263 break;
1264
1265 default:
1266 err = -ENOPROTOOPT;
1267 break;
1268 }
1269
1270 release_sock(sk);
1271 return err;
1272}
1273
d58daf42
MH		 1274static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, char __user *optval, int optlen)
1275{
1276 struct sock *sk = sock->sk;
2af6b9d5
MH		 1277 struct bt_security sec;
1278 int len, err = 0;
f66dc81f 1279 u32 opt;
d58daf42
MH		 1280
1281 BT_DBG("sk %p", sk);
1282
1283 if (level == SOL_L2CAP)
1284 return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
1285
0588d94f
MH		 1286 if (level != SOL_BLUETOOTH)
1287 return -ENOPROTOOPT;
1288
d58daf42
MH		 1289 lock_sock(sk);
1290
1291 switch (optname) {
2af6b9d5 1292 case BT_SECURITY:
0588d94f
MH		 1293 if (sk->sk_type != SOCK_SEQPACKET) {
1294 err = -EINVAL;
1295 break;
1296 }
1297
2af6b9d5
MH		 1298 sec.level = BT_SECURITY_LOW;
1299
1300 len = min_t(unsigned int, sizeof(sec), optlen);
1301 if (copy_from_user((char *) &sec, optval, len)) {
1302 err = -EFAULT;
1303 break;
1304 }
1305
1306 if (sec.level < BT_SECURITY_LOW ||
1307 sec.level > BT_SECURITY_HIGH) {
1308 err = -EINVAL;
1309 break;
1310 }
1311
1312 l2cap_pi(sk)->sec_level = sec.level;
1313 break;
1314
f66dc81f
MH		 1315 case BT_DEFER_SETUP:
1316 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
1317 err = -EINVAL;
1318 break;
1319 }
1320
1321 if (get_user(opt, (u32 __user *) optval)) {
1322 err = -EFAULT;
1323 break;
1324 }
1325
1326 bt_sk(sk)->defer_setup = opt;
1327 break;
1328
d58daf42
MH		 1329 default:
1330 err = -ENOPROTOOPT;
1331 break;
1332 }
1333
1334 release_sock(sk);
1335 return err;
1336}
1337
1338static int l2cap_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen)
1da177e4
LT		 1339{
1340 struct sock *sk = sock->sk;
1341 struct l2cap_options opts;
1342 struct l2cap_conninfo cinfo;
1343 int len, err = 0;
2af6b9d5 1344 u32 opt;
1da177e4
LT		 1345
1346 BT_DBG("sk %p", sk);
1347
1348 if (get_user(len, optlen))
1349 return -EFAULT;
1350
1351 lock_sock(sk);
1352
1353 switch (optname) {
1354 case L2CAP_OPTIONS:
1355 opts.imtu = l2cap_pi(sk)->imtu;
1356 opts.omtu = l2cap_pi(sk)->omtu;
1357 opts.flush_to = l2cap_pi(sk)->flush_to;
6464f35f 1358 opts.mode = L2CAP_MODE_BASIC;
1da177e4
LT		 1359
1360 len = min_t(unsigned int, len, sizeof(opts));
1361 if (copy_to_user(optval, (char *) &opts, len))
1362 err = -EFAULT;
1363
1364 break;
1365
1366 case L2CAP_LM:
2af6b9d5
MH		 1367 switch (l2cap_pi(sk)->sec_level) {
1368 case BT_SECURITY_LOW:
1369 opt = L2CAP_LM_AUTH;
1370 break;
1371 case BT_SECURITY_MEDIUM:
1372 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
1373 break;
1374 case BT_SECURITY_HIGH:
1375 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
1376 L2CAP_LM_SECURE;
1377 break;
1378 default:
1379 opt = 0;
1380 break;
1381 }
1382
1383 if (l2cap_pi(sk)->role_switch)
1384 opt |= L2CAP_LM_MASTER;
1385
1386 if (l2cap_pi(sk)->force_reliable)
1387 opt |= L2CAP_LM_RELIABLE;
1388
1389 if (put_user(opt, (u32 __user *) optval))
1da177e4
LT		 1390 err = -EFAULT;
1391 break;
1392
1393 case L2CAP_CONNINFO:
f66dc81f
MH		 1394 if (sk->sk_state != BT_CONNECTED &&
1395 !(sk->sk_state == BT_CONNECT2 &&
1396 bt_sk(sk)->defer_setup)) {
1da177e4
LT		 1397 err = -ENOTCONN;
1398 break;
1399 }
1400
1401 cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle;
1402 memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3);
1403
1404 len = min_t(unsigned int, len, sizeof(cinfo));
1405 if (copy_to_user(optval, (char *) &cinfo, len))
1406 err = -EFAULT;
1407
1408 break;
1409
1410 default:
1411 err = -ENOPROTOOPT;
1412 break;
1413 }
1414
1415 release_sock(sk);
1416 return err;
1417}
1418
d58daf42
MH		 1419static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen)
1420{
1421 struct sock *sk = sock->sk;
2af6b9d5 1422 struct bt_security sec;
d58daf42
MH		 1423 int len, err = 0;
1424
1425 BT_DBG("sk %p", sk);
1426
1427 if (level == SOL_L2CAP)
1428 return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
1429
0588d94f
MH		 1430 if (level != SOL_BLUETOOTH)
1431 return -ENOPROTOOPT;
1432
d58daf42
MH		 1433 if (get_user(len, optlen))
1434 return -EFAULT;
1435
1436 lock_sock(sk);
1437
1438 switch (optname) {
2af6b9d5 1439 case BT_SECURITY:
0588d94f
MH		 1440 if (sk->sk_type != SOCK_SEQPACKET) {
1441 err = -EINVAL;
1442 break;
1443 }
1444
2af6b9d5
MH		 1445 sec.level = l2cap_pi(sk)->sec_level;
1446
1447 len = min_t(unsigned int, len, sizeof(sec));
1448 if (copy_to_user(optval, (char *) &sec, len))
1449 err = -EFAULT;
1450
1451 break;
1452
f66dc81f
MH		 1453 case BT_DEFER_SETUP:
1454 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
1455 err = -EINVAL;
1456 break;
1457 }
1458
1459 if (put_user(bt_sk(sk)->defer_setup, (u32 __user *) optval))
1460 err = -EFAULT;
1461
1462 break;
1463
d58daf42
MH		 1464 default:
1465 err = -ENOPROTOOPT;
1466 break;
1467 }
1468
1469 release_sock(sk);
1470 return err;
1471}
1472
1da177e4
LT		 1473static int l2cap_sock_shutdown(struct socket *sock, int how)
1474{
1475 struct sock *sk = sock->sk;
1476 int err = 0;
1477
1478 BT_DBG("sock %p, sk %p", sock, sk);
1479
1480 if (!sk)
1481 return 0;
1482
1483 lock_sock(sk);
1484 if (!sk->sk_shutdown) {
1485 sk->sk_shutdown = SHUTDOWN_MASK;
1486 l2cap_sock_clear_timer(sk);
1487 __l2cap_sock_close(sk, 0);
1488
1489 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime)
b1235d79
MH		 1490 err = bt_sock_wait_state(sk, BT_CLOSED,
1491 sk->sk_lingertime);
1da177e4
LT		 1492 }
1493 release_sock(sk);
1494 return err;
1495}
1496
1497static int l2cap_sock_release(struct socket *sock)
1498{
1499 struct sock *sk = sock->sk;
1500 int err;
1501
1502 BT_DBG("sock %p, sk %p", sock, sk);
1503
1504 if (!sk)
1505 return 0;
1506
1507 err = l2cap_sock_shutdown(sock, 2);
1508
1509 sock_orphan(sk);
1510 l2cap_sock_kill(sk);
1511 return err;
1512}
1513
1da177e4
LT		 1514static void l2cap_chan_ready(struct sock *sk)
1515{
1516 struct sock *parent = bt_sk(sk)->parent;
1517
1518 BT_DBG("sk %p, parent %p", sk, parent);
1519
1520 l2cap_pi(sk)->conf_state = 0;
1521 l2cap_sock_clear_timer(sk);
1522
1523 if (!parent) {
1524 /* Outgoing channel.
1525 * Wake up socket sleeping on connect.
1526 */
1527 sk->sk_state = BT_CONNECTED;
1528 sk->sk_state_change(sk);
1529 } else {
1530 /* Incoming channel.
1531 * Wake up socket sleeping on accept.
1532 */
1533 parent->sk_data_ready(parent, 0);
1534 }
1535}
1536
1537/* Copy frame to all raw sockets on that connection */
1538static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
1539{
1540 struct l2cap_chan_list *l = &conn->chan_list;
1541 struct sk_buff *nskb;
1542 struct sock * sk;
1543
1544 BT_DBG("conn %p", conn);
1545
1546 read_lock(&l->lock);
1547 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
1548 if (sk->sk_type != SOCK_RAW)
1549 continue;
1550
1551 /* Don't send frame to the socket it came from */
1552 if (skb->sk == sk)
1553 continue;
1554
1555 if (!(nskb = skb_clone(skb, GFP_ATOMIC)))
1556 continue;
1557
1558 if (sock_queue_rcv_skb(sk, nskb))
1559 kfree_skb(nskb);
1560 }
1561 read_unlock(&l->lock);
1562}
1563
1564/* ---- L2CAP signalling commands ---- */
1565static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
1566 u8 code, u8 ident, u16 dlen, void *data)
1567{
1568 struct sk_buff *skb, **frag;
1569 struct l2cap_cmd_hdr *cmd;
1570 struct l2cap_hdr *lh;
1571 int len, count;
1572
1573 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d", conn, code, ident, dlen);
1574
1575 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
1576 count = min_t(unsigned int, conn->mtu, len);
1577
1578 skb = bt_skb_alloc(count, GFP_ATOMIC);
1579 if (!skb)
1580 return NULL;
1581
1582 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c
YH		 1583 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
1584 lh->cid = cpu_to_le16(0x0001);
1da177e4
LT		 1585
1586 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
1587 cmd->code = code;
1588 cmd->ident = ident;
aca3192c 1589 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 1590
1591 if (dlen) {
1592 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
1593 memcpy(skb_put(skb, count), data, count);
1594 data += count;
1595 }
1596
1597 len -= skb->len;
1598
1599 /* Continuation fragments (no L2CAP header) */
1600 frag = &skb_shinfo(skb)->frag_list;
1601 while (len) {
1602 count = min_t(unsigned int, conn->mtu, len);
1603
1604 *frag = bt_skb_alloc(count, GFP_ATOMIC);
1605 if (!*frag)
1606 goto fail;
1607
1608 memcpy(skb_put(*frag, count), data, count);
1609
1610 len -= count;
1611 data += count;
1612
1613 frag = &(*frag)->next;
1614 }
1615
1616 return skb;
1617
1618fail:
1619 kfree_skb(skb);
1620 return NULL;
1621}
1622
1623static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
1624{
1625 struct l2cap_conf_opt *opt = *ptr;
1626 int len;
1627
1628 len = L2CAP_CONF_OPT_SIZE + opt->len;
1629 *ptr += len;
1630
1631 *type = opt->type;
1632 *olen = opt->len;
1633
1634 switch (opt->len) {
1635 case 1:
1636 *val = *((u8 *) opt->val);
1637 break;
1638
1639 case 2:
861d6882 1640 *val = __le16_to_cpu(*((__le16 *) opt->val));
1da177e4
LT		 1641 break;
1642
1643 case 4:
861d6882 1644 *val = __le32_to_cpu(*((__le32 *) opt->val));
1da177e4
LT		 1645 break;
1646
1647 default:
1648 *val = (unsigned long) opt->val;
1649 break;
1650 }
1651
1652 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
1653 return len;
1654}
1655
1da177e4
LT		 1656static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
1657{
1658 struct l2cap_conf_opt *opt = *ptr;
1659
1660 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
1661
1662 opt->type = type;
1663 opt->len = len;
1664
1665 switch (len) {
1666 case 1:
1667 *((u8 *) opt->val) = val;
1668 break;
1669
1670 case 2:
8e036fc3 1671 *((__le16 *) opt->val) = cpu_to_le16(val);
1da177e4
LT		 1672 break;
1673
1674 case 4:
8e036fc3 1675 *((__le32 *) opt->val) = cpu_to_le32(val);
1da177e4
LT		 1676 break;
1677
1678 default:
1679 memcpy(opt->val, (void *) val, len);
1680 break;
1681 }
1682
1683 *ptr += L2CAP_CONF_OPT_SIZE + len;
1684}
1685
1686static int l2cap_build_conf_req(struct sock *sk, void *data)
1687{
1688 struct l2cap_pinfo *pi = l2cap_pi(sk);
1689 struct l2cap_conf_req *req = data;
1690 void *ptr = req->data;
1691
1692 BT_DBG("sk %p", sk);
1693
1694 if (pi->imtu != L2CAP_DEFAULT_MTU)
1695 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->imtu);
1696
1697 /* FIXME: Need actual value of the flush timeout */
1698 //if (flush_to != L2CAP_DEFAULT_FLUSH_TO)
1699 // l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, 2, pi->flush_to);
1700
aca3192c
YH		 1701 req->dcid = cpu_to_le16(pi->dcid);
1702 req->flags = cpu_to_le16(0);
1da177e4
LT		 1703
1704 return ptr - data;
1705}
1706
5dee9e7c 1707static int l2cap_parse_conf_req(struct sock *sk, void *data)
1da177e4
LT		 1708{
1709 struct l2cap_pinfo *pi = l2cap_pi(sk);
5dee9e7c
MH		 1710 struct l2cap_conf_rsp *rsp = data;
1711 void *ptr = rsp->data;
1712 void *req = pi->conf_req;
1713 int len = pi->conf_len;
1714 int type, hint, olen;
1715 unsigned long val;
6464f35f 1716 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
861d6882 1717 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 1718 u16 result = L2CAP_CONF_SUCCESS;
1da177e4 1719
5dee9e7c 1720 BT_DBG("sk %p", sk);
820ae1b8 1721
5dee9e7c
MH		 1722 while (len >= L2CAP_CONF_OPT_SIZE) {
1723 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 1724
5dee9e7c
MH		 1725 hint = type & 0x80;
1726 type &= 0x7f;
1727
1728 switch (type) {
1729 case L2CAP_CONF_MTU:
861d6882 1730 mtu = val;
5dee9e7c
MH		 1731 break;
1732
1733 case L2CAP_CONF_FLUSH_TO:
1734 pi->flush_to = val;
1735 break;
1736
1737 case L2CAP_CONF_QOS:
1738 break;
1739
6464f35f
MH		 1740 case L2CAP_CONF_RFC:
1741 if (olen == sizeof(rfc))
1742 memcpy(&rfc, (void *) val, olen);
1743 break;
1744
5dee9e7c
MH		 1745 default:
1746 if (hint)
1747 break;
1748
1749 result = L2CAP_CONF_UNKNOWN;
1750 *((u8 *) ptr++) = type;
1751 break;
1752 }
1753 }
1754
1755 if (result == L2CAP_CONF_SUCCESS) {
1756 /* Configure output options and let the other side know
1757 * which ones we don't like. */
1758
6464f35f
MH		 1759 if (rfc.mode == L2CAP_MODE_BASIC) {
1760 if (mtu < pi->omtu)
1761 result = L2CAP_CONF_UNACCEPT;
1762 else {
1763 pi->omtu = mtu;
1764 pi->conf_state |= L2CAP_CONF_OUTPUT_DONE;
1765 }
1766
1767 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->omtu);
1768 } else {
5dee9e7c 1769 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 1770
6464f35f
MH		 1771 memset(&rfc, 0, sizeof(rfc));
1772 rfc.mode = L2CAP_MODE_BASIC;
1773
1774 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
1775 sizeof(rfc), (unsigned long) &rfc);
1776 }
5dee9e7c
MH		 1777 }
1778
1779 rsp->scid = cpu_to_le16(pi->dcid);
1780 rsp->result = cpu_to_le16(result);
1781 rsp->flags = cpu_to_le16(0x0000);
1782
1783 return ptr - data;
1da177e4
LT		 1784}
1785
5dee9e7c 1786static int l2cap_build_conf_rsp(struct sock *sk, void *data, u16 result, u16 flags)
1da177e4
LT		 1787{
1788 struct l2cap_conf_rsp *rsp = data;
1789 void *ptr = rsp->data;
1da177e4 1790
5dee9e7c 1791 BT_DBG("sk %p", sk);
1da177e4 1792
aca3192c 1793 rsp->scid = cpu_to_le16(l2cap_pi(sk)->dcid);
5dee9e7c 1794 rsp->result = cpu_to_le16(result);
aca3192c 1795 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 1796
1797 return ptr - data;
1798}
1799
4e8402a3
MH		 1800static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
1801{
1802 struct l2cap_cmd_rej *rej = (struct l2cap_cmd_rej *) data;
1803
1804 if (rej->reason != 0x0000)
1805 return 0;
1806
1807 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
1808 cmd->ident == conn->info_ident) {
4e8402a3 1809 del_timer(&conn->info_timer);
984947dc
MH		 1810
1811 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1812 conn->info_ident = 0;
984947dc 1813
4e8402a3
MH		 1814 l2cap_conn_start(conn);
1815 }
1816
1817 return 0;
1818}
1819
1da177e4
LT		 1820static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
1821{
1822 struct l2cap_chan_list *list = &conn->chan_list;
1823 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
1824 struct l2cap_conn_rsp rsp;
1825 struct sock *sk, *parent;
e7c29cb1 1826 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 1827
1828 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 1829 __le16 psm = req->psm;
1da177e4
LT		 1830
1831 BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
1832
1833 /* Check if we have socket listening on psm */
1834 parent = l2cap_get_sock_by_psm(BT_LISTEN, psm, conn->src);
1835 if (!parent) {
1836 result = L2CAP_CR_BAD_PSM;
1837 goto sendresp;
1838 }
1839
e7c29cb1
MH		 1840 /* Check if the ACL is secure enough (if not SDP) */
1841 if (psm != cpu_to_le16(0x0001) &&
1842 !hci_conn_check_link_mode(conn->hcon)) {
1843 result = L2CAP_CR_SEC_BLOCK;
1844 goto response;
1845 }
1846
1da177e4
LT		 1847 result = L2CAP_CR_NO_MEM;
1848
1849 /* Check for backlog size */
1850 if (sk_acceptq_is_full(parent)) {
8e87d142 1851 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1da177e4
LT		 1852 goto response;
1853 }
1854
3b1e0a65 1855 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP, GFP_ATOMIC);
1da177e4
LT		 1856 if (!sk)
1857 goto response;
1858
fd1278d7 1859 write_lock_bh(&list->lock);
1da177e4
LT		 1860
1861 /* Check if we already have channel with that dcid */
1862 if (__l2cap_get_chan_by_dcid(list, scid)) {
fd1278d7 1863 write_unlock_bh(&list->lock);
1da177e4
LT		 1864 sock_set_flag(sk, SOCK_ZAPPED);
1865 l2cap_sock_kill(sk);
1866 goto response;
1867 }
1868
1869 hci_conn_hold(conn->hcon);
1870
1871 l2cap_sock_init(sk, parent);
1872 bacpy(&bt_sk(sk)->src, conn->src);
1873 bacpy(&bt_sk(sk)->dst, conn->dst);
1874 l2cap_pi(sk)->psm = psm;
1875 l2cap_pi(sk)->dcid = scid;
1876
1877 __l2cap_chan_add(conn, sk, parent);
1878 dcid = l2cap_pi(sk)->scid;
1879
1880 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
1881
1da177e4
LT		 1882 l2cap_pi(sk)->ident = cmd->ident;
1883
984947dc 1884 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
2af6b9d5 1885 if (l2cap_check_security(sk)) {
f66dc81f
MH		 1886 if (bt_sk(sk)->defer_setup) {
1887 sk->sk_state = BT_CONNECT2;
1888 result = L2CAP_CR_PEND;
1889 status = L2CAP_CS_AUTHOR_PEND;
1890 parent->sk_data_ready(parent, 0);
1891 } else {
1892 sk->sk_state = BT_CONFIG;
1893 result = L2CAP_CR_SUCCESS;
1894 status = L2CAP_CS_NO_INFO;
1895 }
79d554a6
MH		 1896 } else {
1897 sk->sk_state = BT_CONNECT2;
1898 result = L2CAP_CR_PEND;
1899 status = L2CAP_CS_AUTHEN_PEND;
1900 }
1901 } else {
1902 sk->sk_state = BT_CONNECT2;
1903 result = L2CAP_CR_PEND;
1904 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 1905 }
1906
fd1278d7 1907 write_unlock_bh(&list->lock);
1da177e4
LT		 1908
1909response:
1910 bh_unlock_sock(parent);
1911
1912sendresp:
aca3192c
YH		 1913 rsp.scid = cpu_to_le16(scid);
1914 rsp.dcid = cpu_to_le16(dcid);
1915 rsp.result = cpu_to_le16(result);
1916 rsp.status = cpu_to_le16(status);
1da177e4 1917 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 1918
1919 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
1920 struct l2cap_info_req info;
1921 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
1922
1923 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1924 conn->info_ident = l2cap_get_ident(conn);
1925
1926 mod_timer(&conn->info_timer, jiffies +
1927 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
1928
1929 l2cap_send_cmd(conn, conn->info_ident,
1930 L2CAP_INFO_REQ, sizeof(info), &info);
1931 }
1932
1da177e4
LT		 1933 return 0;
1934}
1935
1936static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
1937{
1938 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
1939 u16 scid, dcid, result, status;
1940 struct sock *sk;
1941 u8 req[128];
1942
1943 scid = __le16_to_cpu(rsp->scid);
1944 dcid = __le16_to_cpu(rsp->dcid);
1945 result = __le16_to_cpu(rsp->result);
1946 status = __le16_to_cpu(rsp->status);
1947
1948 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status);
1949
1950 if (scid) {
1951 if (!(sk = l2cap_get_chan_by_scid(&conn->chan_list, scid)))
1952 return 0;
1953 } else {
1954 if (!(sk = l2cap_get_chan_by_ident(&conn->chan_list, cmd->ident)))
1955 return 0;
1956 }
1957
1958 switch (result) {
1959 case L2CAP_CR_SUCCESS:
1960 sk->sk_state = BT_CONFIG;
1961 l2cap_pi(sk)->ident = 0;
1962 l2cap_pi(sk)->dcid = dcid;
1963 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
1964
6a8d3010
MH		 1965 l2cap_pi(sk)->conf_state &= ~L2CAP_CONF_CONNECT_PEND;
1966
1da177e4
LT		 1967 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
1968 l2cap_build_conf_req(sk, req), req);
1969 break;
1970
1971 case L2CAP_CR_PEND:
6a8d3010 1972 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
1da177e4
LT		 1973 break;
1974
1975 default:
1976 l2cap_chan_del(sk, ECONNREFUSED);
1977 break;
1978 }
1979
1980 bh_unlock_sock(sk);
1981 return 0;
1982}
1983
88219a0f 1984static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 1985{
1986 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
1987 u16 dcid, flags;
1988 u8 rsp[64];
1989 struct sock *sk;
5dee9e7c 1990 int len;
1da177e4
LT		 1991
1992 dcid = __le16_to_cpu(req->dcid);
1993 flags = __le16_to_cpu(req->flags);
1994
1995 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
1996
1997 if (!(sk = l2cap_get_chan_by_scid(&conn->chan_list, dcid)))
1998 return -ENOENT;
1999
354f60a9
MH		 2000 if (sk->sk_state == BT_DISCONN)
2001 goto unlock;
2002
5dee9e7c 2003 /* Reject if config buffer is too small. */
88219a0f 2004 len = cmd_len - sizeof(*req);
5dee9e7c
MH		 2005 if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
2006 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2007 l2cap_build_conf_rsp(sk, rsp,
2008 L2CAP_CONF_REJECT, flags), rsp);
2009 goto unlock;
2010 }
2011
2012 /* Store config. */
2013 memcpy(l2cap_pi(sk)->conf_req + l2cap_pi(sk)->conf_len, req->data, len);
2014 l2cap_pi(sk)->conf_len += len;
1da177e4
LT		 2015
2016 if (flags & 0x0001) {
2017 /* Incomplete config. Send empty response. */
2018 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
5dee9e7c
MH		 2019 l2cap_build_conf_rsp(sk, rsp,
2020 L2CAP_CONF_SUCCESS, 0x0001), rsp);
1da177e4
LT		 2021 goto unlock;
2022 }
2023
2024 /* Complete config. */
5dee9e7c
MH		 2025 len = l2cap_parse_conf_req(sk, rsp);
2026 if (len < 0)
1da177e4
LT		 2027 goto unlock;
2028
5dee9e7c
MH		 2029 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
2030
5dee9e7c
MH		 2031 /* Reset config buffer. */
2032 l2cap_pi(sk)->conf_len = 0;
2033
876d9484
MH		 2034 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE))
2035 goto unlock;
2036
1da177e4
LT		 2037 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_INPUT_DONE) {
2038 sk->sk_state = BT_CONNECTED;
2039 l2cap_chan_ready(sk);
876d9484
MH		 2040 goto unlock;
2041 }
2042
2043 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT)) {
79d554a6 2044 u8 buf[64];
1da177e4 2045 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
79d554a6 2046 l2cap_build_conf_req(sk, buf), buf);
1da177e4
LT		 2047 }
2048
2049unlock:
2050 bh_unlock_sock(sk);
2051 return 0;
2052}
2053
2054static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2055{
2056 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
2057 u16 scid, flags, result;
2058 struct sock *sk;
2059
2060 scid = __le16_to_cpu(rsp->scid);
2061 flags = __le16_to_cpu(rsp->flags);
2062 result = __le16_to_cpu(rsp->result);
2063
2064 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x", scid, flags, result);
2065
2066 if (!(sk = l2cap_get_chan_by_scid(&conn->chan_list, scid)))
2067 return 0;
2068
2069 switch (result) {
2070 case L2CAP_CONF_SUCCESS:
2071 break;
2072
2073 case L2CAP_CONF_UNACCEPT:
2074 if (++l2cap_pi(sk)->conf_retry < L2CAP_CONF_MAX_RETRIES) {
2075 char req[128];
2076 /* It does not make sense to adjust L2CAP parameters
2077 * that are currently defined in the spec. We simply
2078 * resend config request that we sent earlier. It is
2079 * stupid, but it helps qualification testing which
2080 * expects at least some response from us. */
2081 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2082 l2cap_build_conf_req(sk, req), req);
2083 goto done;
2084 }
2085
8e87d142 2086 default:
1da177e4 2087 sk->sk_state = BT_DISCONN;
b1235d79 2088 sk->sk_err = ECONNRESET;
1da177e4
LT		 2089 l2cap_sock_set_timer(sk, HZ * 5);
2090 {
2091 struct l2cap_disconn_req req;
aca3192c
YH		 2092 req.dcid = cpu_to_le16(l2cap_pi(sk)->dcid);
2093 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
1da177e4
LT		 2094 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2095 L2CAP_DISCONN_REQ, sizeof(req), &req);
2096 }
2097 goto done;
2098 }
2099
2100 if (flags & 0x01)
2101 goto done;
2102
1da177e4
LT		 2103 l2cap_pi(sk)->conf_state |= L2CAP_CONF_INPUT_DONE;
2104
2105 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE) {
2106 sk->sk_state = BT_CONNECTED;
2107 l2cap_chan_ready(sk);
2108 }
2109
2110done:
2111 bh_unlock_sock(sk);
2112 return 0;
2113}
2114
2115static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2116{
2117 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
2118 struct l2cap_disconn_rsp rsp;
2119 u16 dcid, scid;
2120 struct sock *sk;
2121
2122 scid = __le16_to_cpu(req->scid);
2123 dcid = __le16_to_cpu(req->dcid);
2124
2125 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
2126
2127 if (!(sk = l2cap_get_chan_by_scid(&conn->chan_list, dcid)))
2128 return 0;
2129
aca3192c
YH		 2130 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
2131 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
1da177e4
LT		 2132 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
2133
2134 sk->sk_shutdown = SHUTDOWN_MASK;
2135
2136 l2cap_chan_del(sk, ECONNRESET);
2137 bh_unlock_sock(sk);
2138
2139 l2cap_sock_kill(sk);
2140 return 0;
2141}
2142
2143static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2144{
2145 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
2146 u16 dcid, scid;
2147 struct sock *sk;
2148
2149 scid = __le16_to_cpu(rsp->scid);
2150 dcid = __le16_to_cpu(rsp->dcid);
2151
2152 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
2153
2154 if (!(sk = l2cap_get_chan_by_scid(&conn->chan_list, scid)))
2155 return 0;
2156
2157 l2cap_chan_del(sk, 0);
2158 bh_unlock_sock(sk);
2159
2160 l2cap_sock_kill(sk);
2161 return 0;
2162}
2163
2164static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2165{
2166 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 2167 u16 type;
2168
2169 type = __le16_to_cpu(req->type);
2170
2171 BT_DBG("type 0x%4.4x", type);
2172
f0709e03
MH		 2173 if (type == L2CAP_IT_FEAT_MASK) {
2174 u8 buf[8];
2175 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2176 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2177 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
2178 put_unaligned(cpu_to_le32(l2cap_feat_mask), (__le32 *) rsp->data);
2179 l2cap_send_cmd(conn, cmd->ident,
2180 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 2181 } else if (type == L2CAP_IT_FIXED_CHAN) {
2182 u8 buf[12];
2183 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2184 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2185 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
2186 memcpy(buf + 4, l2cap_fixed_chan, 8);
2187 l2cap_send_cmd(conn, cmd->ident,
2188 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 2189 } else {
2190 struct l2cap_info_rsp rsp;
2191 rsp.type = cpu_to_le16(type);
2192 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
2193 l2cap_send_cmd(conn, cmd->ident,
2194 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
2195 }
1da177e4
LT		 2196
2197 return 0;
2198}
2199
2200static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2201{
2202 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
2203 u16 type, result;
2204
2205 type = __le16_to_cpu(rsp->type);
2206 result = __le16_to_cpu(rsp->result);
2207
2208 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
2209
4e8402a3
MH		 2210 del_timer(&conn->info_timer);
2211
984947dc 2212 if (type == L2CAP_IT_FEAT_MASK) {
83985319 2213 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 2214
e1027a7c
MH		 2215 if (conn->feat_mask & 0x0080) {
2216 struct l2cap_info_req req;
2217 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2218
2219 conn->info_ident = l2cap_get_ident(conn);
2220
2221 l2cap_send_cmd(conn, conn->info_ident,
2222 L2CAP_INFO_REQ, sizeof(req), &req);
2223 } else {
2224 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2225 conn->info_ident = 0;
2226
2227 l2cap_conn_start(conn);
2228 }
2229 } else if (type == L2CAP_IT_FIXED_CHAN) {
984947dc 2230 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2231 conn->info_ident = 0;
984947dc
MH		 2232
2233 l2cap_conn_start(conn);
2234 }
4e8402a3 2235
1da177e4
LT		 2236 return 0;
2237}
2238
2239static inline void l2cap_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb)
2240{
2241 u8 *data = skb->data;
2242 int len = skb->len;
2243 struct l2cap_cmd_hdr cmd;
2244 int err = 0;
2245
2246 l2cap_raw_recv(conn, skb);
2247
2248 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 2249 u16 cmd_len;
1da177e4
LT		 2250 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
2251 data += L2CAP_CMD_HDR_SIZE;
2252 len -= L2CAP_CMD_HDR_SIZE;
2253
88219a0f 2254 cmd_len = le16_to_cpu(cmd.len);
1da177e4 2255
88219a0f 2256 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 2257
88219a0f 2258 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 2259 BT_DBG("corrupted command");
2260 break;
2261 }
2262
2263 switch (cmd.code) {
2264 case L2CAP_COMMAND_REJ:
4e8402a3 2265 l2cap_command_rej(conn, &cmd, data);
1da177e4
LT		 2266 break;
2267
2268 case L2CAP_CONN_REQ:
2269 err = l2cap_connect_req(conn, &cmd, data);
2270 break;
2271
2272 case L2CAP_CONN_RSP:
2273 err = l2cap_connect_rsp(conn, &cmd, data);
2274 break;
2275
2276 case L2CAP_CONF_REQ:
88219a0f 2277 err = l2cap_config_req(conn, &cmd, cmd_len, data);
1da177e4
LT		 2278 break;
2279
2280 case L2CAP_CONF_RSP:
2281 err = l2cap_config_rsp(conn, &cmd, data);
2282 break;
2283
2284 case L2CAP_DISCONN_REQ:
2285 err = l2cap_disconnect_req(conn, &cmd, data);
2286 break;
2287
2288 case L2CAP_DISCONN_RSP:
2289 err = l2cap_disconnect_rsp(conn, &cmd, data);
2290 break;
2291
2292 case L2CAP_ECHO_REQ:
88219a0f 2293 l2cap_send_cmd(conn, cmd.ident, L2CAP_ECHO_RSP, cmd_len, data);
1da177e4
LT		 2294 break;
2295
2296 case L2CAP_ECHO_RSP:
2297 break;
2298
2299 case L2CAP_INFO_REQ:
2300 err = l2cap_information_req(conn, &cmd, data);
2301 break;
2302
2303 case L2CAP_INFO_RSP:
2304 err = l2cap_information_rsp(conn, &cmd, data);
2305 break;
2306
2307 default:
2308 BT_ERR("Unknown signaling command 0x%2.2x", cmd.code);
2309 err = -EINVAL;
2310 break;
2311 }
2312
2313 if (err) {
2314 struct l2cap_cmd_rej rej;
2315 BT_DBG("error %d", err);
2316
2317 /* FIXME: Map err to a valid reason */
aca3192c 2318 rej.reason = cpu_to_le16(0);
1da177e4
LT		 2319 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
2320 }
2321
88219a0f
AV		 2322 data += cmd_len;
2323 len -= cmd_len;
1da177e4
LT		 2324 }
2325
2326 kfree_skb(skb);
2327}
2328
2329static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
2330{
2331 struct sock *sk;
2332
2333 sk = l2cap_get_chan_by_scid(&conn->chan_list, cid);
2334 if (!sk) {
2335 BT_DBG("unknown cid 0x%4.4x", cid);
2336 goto drop;
2337 }
2338
2339 BT_DBG("sk %p, len %d", sk, skb->len);
2340
2341 if (sk->sk_state != BT_CONNECTED)
2342 goto drop;
2343
2344 if (l2cap_pi(sk)->imtu < skb->len)
2345 goto drop;
2346
2347 /* If socket recv buffers overflows we drop data here
2348 * which is *bad* because L2CAP has to be reliable.
2349 * But we don't have any other choice. L2CAP doesn't
2350 * provide flow control mechanism. */
2351
2352 if (!sock_queue_rcv_skb(sk, skb))
2353 goto done;
2354
2355drop:
2356 kfree_skb(skb);
2357
2358done:
0139418c
MH		 2359 if (sk)
2360 bh_unlock_sock(sk);
2361
1da177e4
LT		 2362 return 0;
2363}
2364
8e036fc3 2365static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
1da177e4
LT		 2366{
2367 struct sock *sk;
2368
2369 sk = l2cap_get_sock_by_psm(0, psm, conn->src);
2370 if (!sk)
2371 goto drop;
2372
2373 BT_DBG("sk %p, len %d", sk, skb->len);
2374
2375 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_CONNECTED)
2376 goto drop;
2377
2378 if (l2cap_pi(sk)->imtu < skb->len)
2379 goto drop;
2380
2381 if (!sock_queue_rcv_skb(sk, skb))
2382 goto done;
2383
2384drop:
2385 kfree_skb(skb);
2386
2387done:
2388 if (sk) bh_unlock_sock(sk);
2389 return 0;
2390}
2391
2392static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
2393{
2394 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 2395 u16 cid, len;
2396 __le16 psm;
1da177e4
LT		 2397
2398 skb_pull(skb, L2CAP_HDR_SIZE);
2399 cid = __le16_to_cpu(lh->cid);
2400 len = __le16_to_cpu(lh->len);
2401
2402 BT_DBG("len %d, cid 0x%4.4x", len, cid);
2403
2404 switch (cid) {
2405 case 0x0001:
2406 l2cap_sig_channel(conn, skb);
2407 break;
2408
2409 case 0x0002:
8e036fc3 2410 psm = get_unaligned((__le16 *) skb->data);
1da177e4
LT		 2411 skb_pull(skb, 2);
2412 l2cap_conless_channel(conn, psm, skb);
2413 break;
2414
2415 default:
2416 l2cap_data_channel(conn, cid, skb);
2417 break;
2418 }
2419}
2420
2421/* ---- L2CAP interface with lower layer (HCI) ---- */
2422
2423static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
2424{
2425 int exact = 0, lm1 = 0, lm2 = 0;
2426 register struct sock *sk;
2427 struct hlist_node *node;
2428
2429 if (type != ACL_LINK)
2430 return 0;
2431
2432 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
2433
2434 /* Find listening sockets and check their link_mode */
2435 read_lock(&l2cap_sk_list.lock);
2436 sk_for_each(sk, node, &l2cap_sk_list.head) {
2437 if (sk->sk_state != BT_LISTEN)
2438 continue;
2439
2440 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5
MH		 2441 lm1 |= HCI_LM_ACCEPT;
2442 if (l2cap_pi(sk)->role_switch)
2443 lm1 |= HCI_LM_MASTER;
1da177e4 2444 exact++;
2af6b9d5
MH		 2445 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
2446 lm2 |= HCI_LM_ACCEPT;
2447 if (l2cap_pi(sk)->role_switch)
2448 lm2 |= HCI_LM_MASTER;
2449 }
1da177e4
LT		 2450 }
2451 read_unlock(&l2cap_sk_list.lock);
2452
2453 return exact ? lm1 : lm2;
2454}
2455
2456static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
2457{
0139418c
MH		 2458 struct l2cap_conn *conn;
2459
1da177e4
LT		 2460 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
2461
2462 if (hcon->type != ACL_LINK)
2463 return 0;
2464
2465 if (!status) {
1da177e4
LT		 2466 conn = l2cap_conn_add(hcon, status);
2467 if (conn)
2468 l2cap_conn_ready(conn);
0139418c 2469 } else
1da177e4
LT		 2470 l2cap_conn_del(hcon, bt_err(status));
2471
2472 return 0;
2473}
2474
2475static int l2cap_disconn_ind(struct hci_conn *hcon, u8 reason)
2476{
2477 BT_DBG("hcon %p reason %d", hcon, reason);
2478
2479 if (hcon->type != ACL_LINK)
2480 return 0;
2481
2482 l2cap_conn_del(hcon, bt_err(reason));
0139418c 2483
1da177e4
LT		 2484 return 0;
2485}
2486
f62e4323
MH		 2487static inline void l2cap_check_encryption(struct sock *sk, u8 encrypt)
2488{
255c7601
MH		 2489 if (sk->sk_type != SOCK_SEQPACKET)
2490 return;
2491
f62e4323
MH		 2492 if (encrypt == 0x00) {
2493 if (l2cap_pi(sk)->sec_level == BT_SECURITY_MEDIUM) {
2494 l2cap_sock_clear_timer(sk);
2495 l2cap_sock_set_timer(sk, HZ * 5);
2496 } else if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
2497 __l2cap_sock_close(sk, ECONNREFUSED);
2498 } else {
2499 if (l2cap_pi(sk)->sec_level == BT_SECURITY_MEDIUM)
2500 l2cap_sock_clear_timer(sk);
2501 }
2502}
2503
8c1b2355 2504static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4
LT		 2505{
2506 struct l2cap_chan_list *l;
0139418c 2507 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4 2508 struct sock *sk;
1da177e4 2509
0139418c 2510 if (!conn)
1da177e4 2511 return 0;
0139418c 2512
1da177e4
LT		 2513 l = &conn->chan_list;
2514
2515 BT_DBG("conn %p", conn);
2516
2517 read_lock(&l->lock);
2518
2519 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
2520 bh_lock_sock(sk);
2521
6a8d3010
MH		 2522 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_CONNECT_PEND) {
2523 bh_unlock_sock(sk);
2524 continue;
2525 }
2526
f62e4323 2527 if (!status && (sk->sk_state == BT_CONNECTED ||
8c1b2355 2528 sk->sk_state == BT_CONFIG)) {
f62e4323 2529 l2cap_check_encryption(sk, encrypt);
9719f8af
MH		 2530 bh_unlock_sock(sk);
2531 continue;
2532 }
2533
b1235d79
MH		 2534 if (sk->sk_state == BT_CONNECT) {
2535 if (!status) {
2536 struct l2cap_conn_req req;
2537 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
2538 req.psm = l2cap_pi(sk)->psm;
1da177e4 2539
b1235d79 2540 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
1da177e4 2541
b1235d79
MH		 2542 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
2543 L2CAP_CONN_REQ, sizeof(req), &req);
2544 } else {
2545 l2cap_sock_clear_timer(sk);
2546 l2cap_sock_set_timer(sk, HZ / 10);
2547 }
2548 } else if (sk->sk_state == BT_CONNECT2) {
2549 struct l2cap_conn_rsp rsp;
2550 __u16 result;
1da177e4 2551
b1235d79
MH		 2552 if (!status) {
2553 sk->sk_state = BT_CONFIG;
2554 result = L2CAP_CR_SUCCESS;
2555 } else {
2556 sk->sk_state = BT_DISCONN;
2557 l2cap_sock_set_timer(sk, HZ / 10);
2558 result = L2CAP_CR_SEC_BLOCK;
2559 }
2560
2561 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
2562 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
2563 rsp.result = cpu_to_le16(result);
e7c29cb1 2564 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
b1235d79
MH		 2565 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
2566 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2567 }
1da177e4
LT		 2568
2569 bh_unlock_sock(sk);
2570 }
2571
2572 read_unlock(&l->lock);
b1235d79 2573
1da177e4
LT		 2574 return 0;
2575}
2576
2577static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
2578{
2579 struct l2cap_conn *conn = hcon->l2cap_data;
2580
2581 if (!conn && !(conn = l2cap_conn_add(hcon, 0)))
2582 goto drop;
2583
2584 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
2585
2586 if (flags & ACL_START) {
2587 struct l2cap_hdr *hdr;
2588 int len;
2589
2590 if (conn->rx_len) {
2591 BT_ERR("Unexpected start frame (len %d)", skb->len);
2592 kfree_skb(conn->rx_skb);
2593 conn->rx_skb = NULL;
2594 conn->rx_len = 0;
2595 l2cap_conn_unreliable(conn, ECOMM);
2596 }
2597
2598 if (skb->len < 2) {
2599 BT_ERR("Frame is too short (len %d)", skb->len);
2600 l2cap_conn_unreliable(conn, ECOMM);
2601 goto drop;
2602 }
2603
2604 hdr = (struct l2cap_hdr *) skb->data;
2605 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
2606
2607 if (len == skb->len) {
2608 /* Complete frame received */
2609 l2cap_recv_frame(conn, skb);
2610 return 0;
2611 }
2612
2613 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
2614
2615 if (skb->len > len) {
2616 BT_ERR("Frame is too long (len %d, expected len %d)",
2617 skb->len, len);
2618 l2cap_conn_unreliable(conn, ECOMM);
2619 goto drop;
2620 }
2621
2622 /* Allocate skb for the complete frame (with header) */
2623 if (!(conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC)))
2624 goto drop;
2625
d626f62b 2626 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 2627 skb->len);
1da177e4
LT		 2628 conn->rx_len = len - skb->len;
2629 } else {
2630 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
2631
2632 if (!conn->rx_len) {
2633 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
2634 l2cap_conn_unreliable(conn, ECOMM);
2635 goto drop;
2636 }
2637
2638 if (skb->len > conn->rx_len) {
2639 BT_ERR("Fragment is too long (len %d, expected %d)",
2640 skb->len, conn->rx_len);
2641 kfree_skb(conn->rx_skb);
2642 conn->rx_skb = NULL;
2643 conn->rx_len = 0;
2644 l2cap_conn_unreliable(conn, ECOMM);
2645 goto drop;
2646 }
2647
d626f62b 2648 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 2649 skb->len);
1da177e4
LT		 2650 conn->rx_len -= skb->len;
2651
2652 if (!conn->rx_len) {
2653 /* Complete frame received */
2654 l2cap_recv_frame(conn, conn->rx_skb);
2655 conn->rx_skb = NULL;
2656 }
2657 }
2658
2659drop:
2660 kfree_skb(skb);
2661 return 0;
2662}
2663
be9d1227 2664static ssize_t l2cap_sysfs_show(struct class *dev, char *buf)
1da177e4
LT		 2665{
2666 struct sock *sk;
2667 struct hlist_node *node;
be9d1227 2668 char *str = buf;
1da177e4
LT		 2669
2670 read_lock_bh(&l2cap_sk_list.lock);
2671
be9d1227
MH		 2672 sk_for_each(sk, node, &l2cap_sk_list.head) {
2673 struct l2cap_pinfo *pi = l2cap_pi(sk);
1da177e4 2674
2af6b9d5 2675 str += sprintf(str, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d\n",
be9d1227 2676 batostr(&bt_sk(sk)->src), batostr(&bt_sk(sk)->dst),
73863976 2677 sk->sk_state, btohs(pi->psm), pi->scid, pi->dcid,
2af6b9d5 2678 pi->imtu, pi->omtu, pi->sec_level);
be9d1227 2679 }
1da177e4 2680
1da177e4 2681 read_unlock_bh(&l2cap_sk_list.lock);
1da177e4 2682
be9d1227 2683 return (str - buf);
1da177e4
LT		 2684}
2685
be9d1227 2686static CLASS_ATTR(l2cap, S_IRUGO, l2cap_sysfs_show, NULL);
1da177e4 2687
90ddc4f0 2688static const struct proto_ops l2cap_sock_ops = {
1da177e4
LT		 2689 .family = PF_BLUETOOTH,
2690 .owner = THIS_MODULE,
2691 .release = l2cap_sock_release,
2692 .bind = l2cap_sock_bind,
2693 .connect = l2cap_sock_connect,
2694 .listen = l2cap_sock_listen,
2695 .accept = l2cap_sock_accept,
2696 .getname = l2cap_sock_getname,
2697 .sendmsg = l2cap_sock_sendmsg,
f66dc81f 2698 .recvmsg = l2cap_sock_recvmsg,
1da177e4 2699 .poll = bt_sock_poll,
3241ad82 2700 .ioctl = bt_sock_ioctl,
1da177e4
LT		 2701 .mmap = sock_no_mmap,
2702 .socketpair = sock_no_socketpair,
1da177e4
LT		 2703 .shutdown = l2cap_sock_shutdown,
2704 .setsockopt = l2cap_sock_setsockopt,
2705 .getsockopt = l2cap_sock_getsockopt
2706};
2707
2708static struct net_proto_family l2cap_sock_family_ops = {
2709 .family = PF_BLUETOOTH,
2710 .owner = THIS_MODULE,
2711 .create = l2cap_sock_create,
2712};
2713
2714static struct hci_proto l2cap_hci_proto = {
2715 .name = "L2CAP",
2716 .id = HCI_PROTO_L2CAP,
2717 .connect_ind = l2cap_connect_ind,
2718 .connect_cfm = l2cap_connect_cfm,
2719 .disconn_ind = l2cap_disconn_ind,
8c1b2355 2720 .security_cfm = l2cap_security_cfm,
1da177e4
LT		 2721 .recv_acldata = l2cap_recv_acldata
2722};
2723
2724static int __init l2cap_init(void)
2725{
2726 int err;
be9d1227 2727
1da177e4
LT		 2728 err = proto_register(&l2cap_proto, 0);
2729 if (err < 0)
2730 return err;
2731
2732 err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
2733 if (err < 0) {
2734 BT_ERR("L2CAP socket registration failed");
2735 goto error;
2736 }
2737
2738 err = hci_register_proto(&l2cap_hci_proto);
2739 if (err < 0) {
2740 BT_ERR("L2CAP protocol registration failed");
2741 bt_sock_unregister(BTPROTO_L2CAP);
2742 goto error;
2743 }
2744
df5c37ea
MH		 2745 if (class_create_file(bt_class, &class_attr_l2cap) < 0)
2746 BT_ERR("Failed to create L2CAP info file");
1da177e4
LT		 2747
2748 BT_INFO("L2CAP ver %s", VERSION);
2749 BT_INFO("L2CAP socket layer initialized");
2750
2751 return 0;
2752
2753error:
2754 proto_unregister(&l2cap_proto);
2755 return err;
2756}
2757
2758static void __exit l2cap_exit(void)
2759{
a91f2e39 2760 class_remove_file(bt_class, &class_attr_l2cap);
1da177e4
LT		 2761
2762 if (bt_sock_unregister(BTPROTO_L2CAP) < 0)
2763 BT_ERR("L2CAP socket unregistration failed");
2764
2765 if (hci_unregister_proto(&l2cap_hci_proto) < 0)
2766 BT_ERR("L2CAP protocol unregistration failed");
2767
2768 proto_unregister(&l2cap_proto);
2769}
2770
2771void l2cap_load(void)
2772{
2773 /* Dummy function to trigger automatic L2CAP module loading by
2774 * other modules that use L2CAP sockets but don't use any other
2775 * symbols from it. */
2776 return;
2777}
2778EXPORT_SYMBOL(l2cap_load);
2779
2780module_init(l2cap_init);
2781module_exit(l2cap_exit);
2782
63fbd24e 2783MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
1da177e4
LT		 2784MODULE_DESCRIPTION("Bluetooth L2CAP ver " VERSION);
2785MODULE_VERSION(VERSION);
2786MODULE_LICENSE("GPL");
2787MODULE_ALIAS("bt-proto-0");
Ubuntu Artful kernel mirror