1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27#include <linux/module.h>
28
29#include <linux/types.h>
30#include <linux/capability.h>
31#include <linux/errno.h>
32#include <linux/kernel.h>
33#include <linux/sched.h>
34#include <linux/slab.h>
35#include <linux/poll.h>
36#include <linux/fcntl.h>
37#include <linux/init.h>
38#include <linux/interrupt.h>
39#include <linux/socket.h>
40#include <linux/skbuff.h>
41#include <linux/list.h>
42#include <linux/device.h>
43#include <net/sock.h>
44
45#include <asm/system.h>
46#include <asm/uaccess.h>
47#include <asm/unaligned.h>
48
49#include <net/bluetooth/bluetooth.h>
50#include <net/bluetooth/hci_core.h>
51#include <net/bluetooth/l2cap.h>
52
53#define VERSION "2.13"
54
55static u32 l2cap_feat_mask = 0x0080;
56static u8 l2cap_fixed_chan[8] = { 0x02, };
57
58static const struct proto_ops l2cap_sock_ops;
59
60static struct bt_sock_list l2cap_sk_list = {
61 .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
62};
63
64static void __l2cap_sock_close(struct sock *sk, int reason);
65static void l2cap_sock_close(struct sock *sk);
66static void l2cap_sock_kill(struct sock *sk);
67
68static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
69 u8 code, u8 ident, u16 dlen, void *data);
70
71
72static void l2cap_sock_timeout(unsigned long arg)
73{
74 struct sock *sk = (struct sock *) arg;
75 int reason;
76
77 BT_DBG("sock %p state %d", sk, sk->sk_state);
78
79 bh_lock_sock(sk);
80
81 if (sk->sk_state == BT_CONNECTED || sk->sk_state == BT_CONFIG)
82 reason = ECONNREFUSED;
83 else if (sk->sk_state == BT_CONNECT &&
84 l2cap_pi(sk)->sec_level != BT_SECURITY_SDP)
85 reason = ECONNREFUSED;
86 else
87 reason = ETIMEDOUT;
88
89 __l2cap_sock_close(sk, reason);
90
91 bh_unlock_sock(sk);
92
93 l2cap_sock_kill(sk);
94 sock_put(sk);
95}
96
97static void l2cap_sock_set_timer(struct sock *sk, long timeout)
98{
99 BT_DBG("sk %p state %d timeout %ld", sk, sk->sk_state, timeout);
100 sk_reset_timer(sk, &sk->sk_timer, jiffies + timeout);
101}
102
103static void l2cap_sock_clear_timer(struct sock *sk)
104{
105 BT_DBG("sock %p state %d", sk, sk->sk_state);
106 sk_stop_timer(sk, &sk->sk_timer);
107}
108
109
110static struct sock *__l2cap_get_chan_by_dcid(struct l2cap_chan_list *l, u16 cid)
111{
112 struct sock *s;
113 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
114 if (l2cap_pi(s)->dcid == cid)
115 break;
116 }
117 return s;
118}
119
120static struct sock *__l2cap_get_chan_by_scid(struct l2cap_chan_list *l, u16 cid)
121{
122 struct sock *s;
123 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
124 if (l2cap_pi(s)->scid == cid)
125 break;
126 }
127 return s;
128}
129
130
131
132static inline struct sock *l2cap_get_chan_by_scid(struct l2cap_chan_list *l, u16 cid)
133{
134 struct sock *s;
135 read_lock(&l->lock);
136 s = __l2cap_get_chan_by_scid(l, cid);
137 if (s) bh_lock_sock(s);
138 read_unlock(&l->lock);
139 return s;
140}
141
142static struct sock *__l2cap_get_chan_by_ident(struct l2cap_chan_list *l, u8 ident)
143{
144 struct sock *s;
145 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
146 if (l2cap_pi(s)->ident == ident)
147 break;
148 }
149 return s;
150}
151
152static inline struct sock *l2cap_get_chan_by_ident(struct l2cap_chan_list *l, u8 ident)
153{
154 struct sock *s;
155 read_lock(&l->lock);
156 s = __l2cap_get_chan_by_ident(l, ident);
157 if (s) bh_lock_sock(s);
158 read_unlock(&l->lock);
159 return s;
160}
161
162static u16 l2cap_alloc_cid(struct l2cap_chan_list *l)
163{
164 u16 cid = 0x0040;
165
166 for (; cid < 0xffff; cid++) {
167 if(!__l2cap_get_chan_by_scid(l, cid))
168 return cid;
169 }
170
171 return 0;
172}
173
174static inline void __l2cap_chan_link(struct l2cap_chan_list *l, struct sock *sk)
175{
176 sock_hold(sk);
177
178 if (l->head)
179 l2cap_pi(l->head)->prev_c = sk;
180
181 l2cap_pi(sk)->next_c = l->head;
182 l2cap_pi(sk)->prev_c = NULL;
183 l->head = sk;
184}
185
186static inline void l2cap_chan_unlink(struct l2cap_chan_list *l, struct sock *sk)
187{
188 struct sock *next = l2cap_pi(sk)->next_c, *prev = l2cap_pi(sk)->prev_c;
189
190 write_lock_bh(&l->lock);
191 if (sk == l->head)
192 l->head = next;
193
194 if (next)
195 l2cap_pi(next)->prev_c = prev;
196 if (prev)
197 l2cap_pi(prev)->next_c = next;
198 write_unlock_bh(&l->lock);
199
200 __sock_put(sk);
201}
202
203static void __l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent)
204{
205 struct l2cap_chan_list *l = &conn->chan_list;
206
207 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn, l2cap_pi(sk)->psm, l2cap_pi(sk)->dcid);
208
209 conn->disc_reason = 0x13;
210
211 l2cap_pi(sk)->conn = conn;
212
213 if (sk->sk_type == SOCK_SEQPACKET) {
214
215 l2cap_pi(sk)->scid = l2cap_alloc_cid(l);
216 } else if (sk->sk_type == SOCK_DGRAM) {
217
218 l2cap_pi(sk)->scid = 0x0002;
219 l2cap_pi(sk)->dcid = 0x0002;
220 l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU;
221 } else {
222
223 l2cap_pi(sk)->scid = 0x0001;
224 l2cap_pi(sk)->dcid = 0x0001;
225 l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU;
226 }
227
228 __l2cap_chan_link(l, sk);
229
230 if (parent)
231 bt_accept_enqueue(parent, sk);
232}
233
234
235
236static void l2cap_chan_del(struct sock *sk, int err)
237{
238 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
239 struct sock *parent = bt_sk(sk)->parent;
240
241 l2cap_sock_clear_timer(sk);
242
243 BT_DBG("sk %p, conn %p, err %d", sk, conn, err);
244
245 if (conn) {
246
247 l2cap_chan_unlink(&conn->chan_list, sk);
248 l2cap_pi(sk)->conn = NULL;
249 hci_conn_put(conn->hcon);
250 }
251
252 sk->sk_state = BT_CLOSED;
253 sock_set_flag(sk, SOCK_ZAPPED);
254
255 if (err)
256 sk->sk_err = err;
257
258 if (parent) {
259 bt_accept_unlink(sk);
260 parent->sk_data_ready(parent, 0);
261 } else
262 sk->sk_state_change(sk);
263}
264
265
266static inline int l2cap_check_security(struct sock *sk)
267{
268 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
269 __u8 auth_type;
270
271 if (l2cap_pi(sk)->psm == cpu_to_le16(0x0001)) {
272 if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
273 auth_type = HCI_AT_NO_BONDING_MITM;
274 else
275 auth_type = HCI_AT_NO_BONDING;
276
277 if (l2cap_pi(sk)->sec_level == BT_SECURITY_LOW)
278 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
279 } else {
280 switch (l2cap_pi(sk)->sec_level) {
281 case BT_SECURITY_HIGH:
282 auth_type = HCI_AT_GENERAL_BONDING_MITM;
283 break;
284 case BT_SECURITY_MEDIUM:
285 auth_type = HCI_AT_GENERAL_BONDING;
286 break;
287 default:
288 auth_type = HCI_AT_NO_BONDING;
289 break;
290 }
291 }
292
293 return hci_conn_security(conn->hcon, l2cap_pi(sk)->sec_level,
294 auth_type);
295}
296
297static inline u8 l2cap_get_ident(struct l2cap_conn *conn)
298{
299 u8 id;
300
301
302
303
304
305
306
307 spin_lock_bh(&conn->lock);
308
309 if (++conn->tx_ident > 128)
310 conn->tx_ident = 1;
311
312 id = conn->tx_ident;
313
314 spin_unlock_bh(&conn->lock);
315
316 return id;
317}
318
319static inline int l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
320{
321 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
322
323 BT_DBG("code 0x%2.2x", code);
324
325 if (!skb)
326 return -ENOMEM;
327
328 return hci_send_acl(conn->hcon, skb, 0);
329}
330
331static void l2cap_do_start(struct sock *sk)
332{
333 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
334
335 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
336 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
337 return;
338
339 if (l2cap_check_security(sk)) {
340 struct l2cap_conn_req req;
341 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
342 req.psm = l2cap_pi(sk)->psm;
343
344 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
345
346 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
347 L2CAP_CONN_REQ, sizeof(req), &req);
348 }
349 } else {
350 struct l2cap_info_req req;
351 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
352
353 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
354 conn->info_ident = l2cap_get_ident(conn);
355
356 mod_timer(&conn->info_timer, jiffies +
357 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
358
359 l2cap_send_cmd(conn, conn->info_ident,
360 L2CAP_INFO_REQ, sizeof(req), &req);
361 }
362}
363
364
365static void l2cap_conn_start(struct l2cap_conn *conn)
366{
367 struct l2cap_chan_list *l = &conn->chan_list;
368 struct sock *sk;
369
370 BT_DBG("conn %p", conn);
371
372 read_lock(&l->lock);
373
374 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
375 bh_lock_sock(sk);
376
377 if (sk->sk_type != SOCK_SEQPACKET) {
378 bh_unlock_sock(sk);
379 continue;
380 }
381
382 if (sk->sk_state == BT_CONNECT) {
383 if (l2cap_check_security(sk)) {
384 struct l2cap_conn_req req;
385 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
386 req.psm = l2cap_pi(sk)->psm;
387
388 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
389
390 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
391 L2CAP_CONN_REQ, sizeof(req), &req);
392 }
393 } else if (sk->sk_state == BT_CONNECT2) {
394 struct l2cap_conn_rsp rsp;
395 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
396 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
397
398 if (l2cap_check_security(sk)) {
399 if (bt_sk(sk)->defer_setup) {
400 struct sock *parent = bt_sk(sk)->parent;
401 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
402 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
403 parent->sk_data_ready(parent, 0);
404
405 } else {
406 sk->sk_state = BT_CONFIG;
407 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
408 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
409 }
410 } else {
411 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
412 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
413 }
414
415 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
416 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
417 }
418
419 bh_unlock_sock(sk);
420 }
421
422 read_unlock(&l->lock);
423}
424
425static void l2cap_conn_ready(struct l2cap_conn *conn)
426{
427 struct l2cap_chan_list *l = &conn->chan_list;
428 struct sock *sk;
429
430 BT_DBG("conn %p", conn);
431
432 read_lock(&l->lock);
433
434 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
435 bh_lock_sock(sk);
436
437 if (sk->sk_type != SOCK_SEQPACKET) {
438 l2cap_sock_clear_timer(sk);
439 sk->sk_state = BT_CONNECTED;
440 sk->sk_state_change(sk);
441 } else if (sk->sk_state == BT_CONNECT)
442 l2cap_do_start(sk);
443
444 bh_unlock_sock(sk);
445 }
446
447 read_unlock(&l->lock);
448}
449
450
451static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
452{
453 struct l2cap_chan_list *l = &conn->chan_list;
454 struct sock *sk;
455
456 BT_DBG("conn %p", conn);
457
458 read_lock(&l->lock);
459
460 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
461 if (l2cap_pi(sk)->force_reliable)
462 sk->sk_err = err;
463 }
464
465 read_unlock(&l->lock);
466}
467
468static void l2cap_info_timeout(unsigned long arg)
469{
470 struct l2cap_conn *conn = (void *) arg;
471
472 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
473 conn->info_ident = 0;
474
475 l2cap_conn_start(conn);
476}
477
478static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
479{
480 struct l2cap_conn *conn = hcon->l2cap_data;
481
482 if (conn || status)
483 return conn;
484
485 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
486 if (!conn)
487 return NULL;
488
489 hcon->l2cap_data = conn;
490 conn->hcon = hcon;
491
492 BT_DBG("hcon %p conn %p", hcon, conn);
493
494 conn->mtu = hcon->hdev->acl_mtu;
495 conn->src = &hcon->hdev->bdaddr;
496 conn->dst = &hcon->dst;
497
498 conn->feat_mask = 0;
499
500 setup_timer(&conn->info_timer, l2cap_info_timeout,
501 (unsigned long) conn);
502
503 spin_lock_init(&conn->lock);
504 rwlock_init(&conn->chan_list.lock);
505
506 conn->disc_reason = 0x13;
507
508 return conn;
509}
510
511static void l2cap_conn_del(struct hci_conn *hcon, int err)
512{
513 struct l2cap_conn *conn = hcon->l2cap_data;
514 struct sock *sk;
515
516 if (!conn)
517 return;
518
519 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
520
521 kfree_skb(conn->rx_skb);
522
523
524 while ((sk = conn->chan_list.head)) {
525 bh_lock_sock(sk);
526 l2cap_chan_del(sk, err);
527 bh_unlock_sock(sk);
528 l2cap_sock_kill(sk);
529 }
530
531 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
532 del_timer_sync(&conn->info_timer);
533
534 hcon->l2cap_data = NULL;
535 kfree(conn);
536}
537
538static inline void l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent)
539{
540 struct l2cap_chan_list *l = &conn->chan_list;
541 write_lock_bh(&l->lock);
542 __l2cap_chan_add(conn, sk, parent);
543 write_unlock_bh(&l->lock);
544}
545
546
547static struct sock *__l2cap_get_sock_by_addr(__le16 psm, bdaddr_t *src)
548{
549 struct sock *sk;
550 struct hlist_node *node;
551 sk_for_each(sk, node, &l2cap_sk_list.head)
552 if (l2cap_pi(sk)->sport == psm && !bacmp(&bt_sk(sk)->src, src))
553 goto found;
554 sk = NULL;
555found:
556 return sk;
557}
558
559
560
561
562static struct sock *__l2cap_get_sock_by_psm(int state, __le16 psm, bdaddr_t *src)
563{
564 struct sock *sk = NULL, *sk1 = NULL;
565 struct hlist_node *node;
566
567 sk_for_each(sk, node, &l2cap_sk_list.head) {
568 if (state && sk->sk_state != state)
569 continue;
570
571 if (l2cap_pi(sk)->psm == psm) {
572
573 if (!bacmp(&bt_sk(sk)->src, src))
574 break;
575
576
577 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
578 sk1 = sk;
579 }
580 }
581 return node ? sk : sk1;
582}
583
584
585
586static inline struct sock *l2cap_get_sock_by_psm(int state, __le16 psm, bdaddr_t *src)
587{
588 struct sock *s;
589 read_lock(&l2cap_sk_list.lock);
590 s = __l2cap_get_sock_by_psm(state, psm, src);
591 if (s) bh_lock_sock(s);
592 read_unlock(&l2cap_sk_list.lock);
593 return s;
594}
595
596static void l2cap_sock_destruct(struct sock *sk)
597{
598 BT_DBG("sk %p", sk);
599
600 skb_queue_purge(&sk->sk_receive_queue);
601 skb_queue_purge(&sk->sk_write_queue);
602}
603
604static void l2cap_sock_cleanup_listen(struct sock *parent)
605{
606 struct sock *sk;
607
608 BT_DBG("parent %p", parent);
609
610
611 while ((sk = bt_accept_dequeue(parent, NULL)))
612 l2cap_sock_close(sk);
613
614 parent->sk_state = BT_CLOSED;
615 sock_set_flag(parent, SOCK_ZAPPED);
616}
617
618
619
620
621static void l2cap_sock_kill(struct sock *sk)
622{
623 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
624 return;
625
626 BT_DBG("sk %p state %d", sk, sk->sk_state);
627
628
629 bt_sock_unlink(&l2cap_sk_list, sk);
630 sock_set_flag(sk, SOCK_DEAD);
631 sock_put(sk);
632}
633
634static void __l2cap_sock_close(struct sock *sk, int reason)
635{
636 BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
637
638 switch (sk->sk_state) {
639 case BT_LISTEN:
640 l2cap_sock_cleanup_listen(sk);
641 break;
642
643 case BT_CONNECTED:
644 case BT_CONFIG:
645 if (sk->sk_type == SOCK_SEQPACKET) {
646 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
647 struct l2cap_disconn_req req;
648
649 sk->sk_state = BT_DISCONN;
650 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
651
652 req.dcid = cpu_to_le16(l2cap_pi(sk)->dcid);
653 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
654 l2cap_send_cmd(conn, l2cap_get_ident(conn),
655 L2CAP_DISCONN_REQ, sizeof(req), &req);
656 } else
657 l2cap_chan_del(sk, reason);
658 break;
659
660 case BT_CONNECT2:
661 if (sk->sk_type == SOCK_SEQPACKET) {
662 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
663 struct l2cap_conn_rsp rsp;
664 __u16 result;
665
666 if (bt_sk(sk)->defer_setup)
667 result = L2CAP_CR_SEC_BLOCK;
668 else
669 result = L2CAP_CR_BAD_PSM;
670
671 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
672 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
673 rsp.result = cpu_to_le16(result);
674 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
675 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
676 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
677 } else
678 l2cap_chan_del(sk, reason);
679 break;
680
681 case BT_CONNECT:
682 case BT_DISCONN:
683 l2cap_chan_del(sk, reason);
684 break;
685
686 default:
687 sock_set_flag(sk, SOCK_ZAPPED);
688 break;
689 }
690}
691
692
693static void l2cap_sock_close(struct sock *sk)
694{
695 l2cap_sock_clear_timer(sk);
696 lock_sock(sk);
697 __l2cap_sock_close(sk, ECONNRESET);
698 release_sock(sk);
699 l2cap_sock_kill(sk);
700}
701
702static void l2cap_sock_init(struct sock *sk, struct sock *parent)
703{
704 struct l2cap_pinfo *pi = l2cap_pi(sk);
705
706 BT_DBG("sk %p", sk);
707
708 if (parent) {
709 sk->sk_type = parent->sk_type;
710 bt_sk(sk)->defer_setup = bt_sk(parent)->defer_setup;
711
712 pi->imtu = l2cap_pi(parent)->imtu;
713 pi->omtu = l2cap_pi(parent)->omtu;
714 pi->sec_level = l2cap_pi(parent)->sec_level;
715 pi->role_switch = l2cap_pi(parent)->role_switch;
716 pi->force_reliable = l2cap_pi(parent)->force_reliable;
717 } else {
718 pi->imtu = L2CAP_DEFAULT_MTU;
719 pi->omtu = 0;
720 pi->sec_level = BT_SECURITY_LOW;
721 pi->role_switch = 0;
722 pi->force_reliable = 0;
723 }
724
725
726 pi->conf_len = 0;
727 pi->flush_to = L2CAP_DEFAULT_FLUSH_TO;
728}
729
730static struct proto l2cap_proto = {
731 .name = "L2CAP",
732 .owner = THIS_MODULE,
733 .obj_size = sizeof(struct l2cap_pinfo)
734};
735
736static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio)
737{
738 struct sock *sk;
739
740 sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto);
741 if (!sk)
742 return NULL;
743
744 sock_init_data(sock, sk);
745 INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
746
747 sk->sk_destruct = l2cap_sock_destruct;
748 sk->sk_sndtimeo = msecs_to_jiffies(L2CAP_CONN_TIMEOUT);
749
750 sock_reset_flag(sk, SOCK_ZAPPED);
751
752 sk->sk_protocol = proto;
753 sk->sk_state = BT_OPEN;
754
755 setup_timer(&sk->sk_timer, l2cap_sock_timeout, (unsigned long) sk);
756
757 bt_sock_link(&l2cap_sk_list, sk);
758 return sk;
759}
760
761static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol)
762{
763 struct sock *sk;
764
765 BT_DBG("sock %p", sock);
766
767 sock->state = SS_UNCONNECTED;
768
769 if (sock->type != SOCK_SEQPACKET &&
770 sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
771 return -ESOCKTNOSUPPORT;
772
773 if (sock->type == SOCK_RAW && !capable(CAP_NET_RAW))
774 return -EPERM;
775
776 sock->ops = &l2cap_sock_ops;
777
778 sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC);
779 if (!sk)
780 return -ENOMEM;
781
782 l2cap_sock_init(sk, NULL);
783 return 0;
784}
785
786static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
787{
788 struct sock *sk = sock->sk;
789 struct sockaddr_l2 la;
790 int len, err = 0;
791
792 BT_DBG("sk %p", sk);
793
794 if (!addr || addr->sa_family != AF_BLUETOOTH)
795 return -EINVAL;
796
797 memset(&la, 0, sizeof(la));
798 len = min_t(unsigned int, sizeof(la), alen);
799 memcpy(&la, addr, len);
800
801 if (la.l2_cid)
802 return -EINVAL;
803
804 lock_sock(sk);
805
806 if (sk->sk_state != BT_OPEN) {
807 err = -EBADFD;
808 goto done;
809 }
810
811 if (la.l2_psm && btohs(la.l2_psm) < 0x1001 &&
812 !capable(CAP_NET_BIND_SERVICE)) {
813 err = -EACCES;
814 goto done;
815 }
816
817 write_lock_bh(&l2cap_sk_list.lock);
818
819 if (la.l2_psm && __l2cap_get_sock_by_addr(la.l2_psm, &la.l2_bdaddr)) {
820 err = -EADDRINUSE;
821 } else {
822
823 bacpy(&bt_sk(sk)->src, &la.l2_bdaddr);
824 l2cap_pi(sk)->psm = la.l2_psm;
825 l2cap_pi(sk)->sport = la.l2_psm;
826 sk->sk_state = BT_BOUND;
827
828 if (btohs(la.l2_psm) == 0x0001 || btohs(la.l2_psm) == 0x0003)
829 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
830 }
831
832 write_unlock_bh(&l2cap_sk_list.lock);
833
834done:
835 release_sock(sk);
836 return err;
837}
838
839static int l2cap_do_connect(struct sock *sk)
840{
841 bdaddr_t *src = &bt_sk(sk)->src;
842 bdaddr_t *dst = &bt_sk(sk)->dst;
843 struct l2cap_conn *conn;
844 struct hci_conn *hcon;
845 struct hci_dev *hdev;
846 __u8 auth_type;
847 int err = 0;
848
849 BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
850 l2cap_pi(sk)->psm);
851
852 if (!(hdev = hci_get_route(dst, src)))
853 return -EHOSTUNREACH;
854
855 hci_dev_lock_bh(hdev);
856
857 err = -ENOMEM;
858
859 if (sk->sk_type == SOCK_RAW) {
860 switch (l2cap_pi(sk)->sec_level) {
861 case BT_SECURITY_HIGH:
862 auth_type = HCI_AT_DEDICATED_BONDING_MITM;
863 break;
864 case BT_SECURITY_MEDIUM:
865 auth_type = HCI_AT_DEDICATED_BONDING;
866 break;
867 default:
868 auth_type = HCI_AT_NO_BONDING;
869 break;
870 }
871 } else if (l2cap_pi(sk)->psm == cpu_to_le16(0x0001)) {
872 if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
873 auth_type = HCI_AT_NO_BONDING_MITM;
874 else
875 auth_type = HCI_AT_NO_BONDING;
876
877 if (l2cap_pi(sk)->sec_level == BT_SECURITY_LOW)
878 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
879 } else {
880 switch (l2cap_pi(sk)->sec_level) {
881 case BT_SECURITY_HIGH:
882 auth_type = HCI_AT_GENERAL_BONDING_MITM;
883 break;
884 case BT_SECURITY_MEDIUM:
885 auth_type = HCI_AT_GENERAL_BONDING;
886 break;
887 default:
888 auth_type = HCI_AT_NO_BONDING;
889 break;
890 }
891 }
892
893 hcon = hci_connect(hdev, ACL_LINK, dst,
894 l2cap_pi(sk)->sec_level, auth_type);
895 if (!hcon)
896 goto done;
897
898 conn = l2cap_conn_add(hcon, 0);
899 if (!conn) {
900 hci_conn_put(hcon);
901 goto done;
902 }
903
904 err = 0;
905
906
907 bacpy(src, conn->src);
908
909 l2cap_chan_add(conn, sk, NULL);
910
911 sk->sk_state = BT_CONNECT;
912 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
913
914 if (hcon->state == BT_CONNECTED) {
915 if (sk->sk_type != SOCK_SEQPACKET) {
916 l2cap_sock_clear_timer(sk);
917 sk->sk_state = BT_CONNECTED;
918 } else
919 l2cap_do_start(sk);
920 }
921
922done:
923 hci_dev_unlock_bh(hdev);
924 hci_dev_put(hdev);
925 return err;
926}
927
928static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags)
929{
930 struct sock *sk = sock->sk;
931 struct sockaddr_l2 la;
932 int len, err = 0;
933
934 BT_DBG("sk %p", sk);
935
936 if (!addr || addr->sa_family != AF_BLUETOOTH)
937 return -EINVAL;
938
939 memset(&la, 0, sizeof(la));
940 len = min_t(unsigned int, sizeof(la), alen);
941 memcpy(&la, addr, len);
942
943 if (la.l2_cid)
944 return -EINVAL;
945
946 lock_sock(sk);
947
948 if (sk->sk_type == SOCK_SEQPACKET && !la.l2_psm) {
949 err = -EINVAL;
950 goto done;
951 }
952
953 switch(sk->sk_state) {
954 case BT_CONNECT:
955 case BT_CONNECT2:
956 case BT_CONFIG:
957
958 goto wait;
959
960 case BT_CONNECTED:
961
962 goto done;
963
964 case BT_OPEN:
965 case BT_BOUND:
966
967 break;
968
969 default:
970 err = -EBADFD;
971 goto done;
972 }
973
974
975 bacpy(&bt_sk(sk)->dst, &la.l2_bdaddr);
976 l2cap_pi(sk)->psm = la.l2_psm;
977
978 if ((err = l2cap_do_connect(sk)))
979 goto done;
980
981wait:
982 err = bt_sock_wait_state(sk, BT_CONNECTED,
983 sock_sndtimeo(sk, flags & O_NONBLOCK));
984done:
985 release_sock(sk);
986 return err;
987}
988
989static int l2cap_sock_listen(struct socket *sock, int backlog)
990{
991 struct sock *sk = sock->sk;
992 int err = 0;
993
994 BT_DBG("sk %p backlog %d", sk, backlog);
995
996 lock_sock(sk);
997
998 if (sk->sk_state != BT_BOUND || sock->type != SOCK_SEQPACKET) {
999 err = -EBADFD;
1000 goto done;
1001 }
1002
1003 if (!l2cap_pi(sk)->psm) {
1004 bdaddr_t *src = &bt_sk(sk)->src;
1005 u16 psm;
1006
1007 err = -EINVAL;
1008
1009 write_lock_bh(&l2cap_sk_list.lock);
1010
1011 for (psm = 0x1001; psm < 0x1100; psm += 2)
1012 if (!__l2cap_get_sock_by_addr(htobs(psm), src)) {
1013 l2cap_pi(sk)->psm = htobs(psm);
1014 l2cap_pi(sk)->sport = htobs(psm);
1015 err = 0;
1016 break;
1017 }
1018
1019 write_unlock_bh(&l2cap_sk_list.lock);
1020
1021 if (err < 0)
1022 goto done;
1023 }
1024
1025 sk->sk_max_ack_backlog = backlog;
1026 sk->sk_ack_backlog = 0;
1027 sk->sk_state = BT_LISTEN;
1028
1029done:
1030 release_sock(sk);
1031 return err;
1032}
1033
1034static int l2cap_sock_accept(struct socket *sock, struct socket *newsock, int flags)
1035{
1036 DECLARE_WAITQUEUE(wait, current);
1037 struct sock *sk = sock->sk, *nsk;
1038 long timeo;
1039 int err = 0;
1040
1041 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
1042
1043 if (sk->sk_state != BT_LISTEN) {
1044 err = -EBADFD;
1045 goto done;
1046 }
1047
1048 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
1049
1050 BT_DBG("sk %p timeo %ld", sk, timeo);
1051
1052
1053 add_wait_queue_exclusive(sk->sk_sleep, &wait);
1054 while (!(nsk = bt_accept_dequeue(sk, newsock))) {
1055 set_current_state(TASK_INTERRUPTIBLE);
1056 if (!timeo) {
1057 err = -EAGAIN;
1058 break;
1059 }
1060
1061 release_sock(sk);
1062 timeo = schedule_timeout(timeo);
1063 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
1064
1065 if (sk->sk_state != BT_LISTEN) {
1066 err = -EBADFD;
1067 break;
1068 }
1069
1070 if (signal_pending(current)) {
1071 err = sock_intr_errno(timeo);
1072 break;
1073 }
1074 }
1075 set_current_state(TASK_RUNNING);
1076 remove_wait_queue(sk->sk_sleep, &wait);
1077
1078 if (err)
1079 goto done;
1080
1081 newsock->state = SS_CONNECTED;
1082
1083 BT_DBG("new socket %p", nsk);
1084
1085done:
1086 release_sock(sk);
1087 return err;
1088}
1089
1090static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr, int *len, int peer)
1091{
1092 struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
1093 struct sock *sk = sock->sk;
1094
1095 BT_DBG("sock %p, sk %p", sock, sk);
1096
1097 addr->sa_family = AF_BLUETOOTH;
1098 *len = sizeof(struct sockaddr_l2);
1099
1100 if (peer) {
1101 la->l2_psm = l2cap_pi(sk)->psm;
1102 bacpy(&la->l2_bdaddr, &bt_sk(sk)->dst);
1103 la->l2_cid = htobs(l2cap_pi(sk)->dcid);
1104 } else {
1105 la->l2_psm = l2cap_pi(sk)->sport;
1106 bacpy(&la->l2_bdaddr, &bt_sk(sk)->src);
1107 la->l2_cid = htobs(l2cap_pi(sk)->scid);
1108 }
1109
1110 return 0;
1111}
1112
1113static inline int l2cap_do_send(struct sock *sk, struct msghdr *msg, int len)
1114{
1115 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1116 struct sk_buff *skb, **frag;
1117 int err, hlen, count, sent=0;
1118 struct l2cap_hdr *lh;
1119
1120 BT_DBG("sk %p len %d", sk, len);
1121
1122
1123 if (sk->sk_type == SOCK_DGRAM)
1124 hlen = L2CAP_HDR_SIZE + 2;
1125 else
1126 hlen = L2CAP_HDR_SIZE;
1127
1128 count = min_t(unsigned int, (conn->mtu - hlen), len);
1129
1130 skb = bt_skb_send_alloc(sk, hlen + count,
1131 msg->msg_flags & MSG_DONTWAIT, &err);
1132 if (!skb)
1133 return err;
1134
1135
1136 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1137 lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1138 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1139
1140 if (sk->sk_type == SOCK_DGRAM)
1141 put_unaligned(l2cap_pi(sk)->psm, (__le16 *) skb_put(skb, 2));
1142
1143 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count)) {
1144 err = -EFAULT;
1145 goto fail;
1146 }
1147
1148 sent += count;
1149 len -= count;
1150
1151
1152 frag = &skb_shinfo(skb)->frag_list;
1153 while (len) {
1154 count = min_t(unsigned int, conn->mtu, len);
1155
1156 *frag = bt_skb_send_alloc(sk, count, msg->msg_flags & MSG_DONTWAIT, &err);
1157 if (!*frag)
1158 goto fail;
1159
1160 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count)) {
1161 err = -EFAULT;
1162 goto fail;
1163 }
1164
1165 sent += count;
1166 len -= count;
1167
1168 frag = &(*frag)->next;
1169 }
1170
1171 if ((err = hci_send_acl(conn->hcon, skb, 0)) < 0)
1172 goto fail;
1173
1174 return sent;
1175
1176fail:
1177 kfree_skb(skb);
1178 return err;
1179}
1180
1181static int l2cap_sock_sendmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len)
1182{
1183 struct sock *sk = sock->sk;
1184 int err = 0;
1185
1186 BT_DBG("sock %p, sk %p", sock, sk);
1187
1188 err = sock_error(sk);
1189 if (err)
1190 return err;
1191
1192 if (msg->msg_flags & MSG_OOB)
1193 return -EOPNOTSUPP;
1194
1195
1196 if (sk->sk_type != SOCK_RAW && len > l2cap_pi(sk)->omtu)
1197 return -EINVAL;
1198
1199 lock_sock(sk);
1200
1201 if (sk->sk_state == BT_CONNECTED)
1202 err = l2cap_do_send(sk, msg, len);
1203 else
1204 err = -ENOTCONN;
1205
1206 release_sock(sk);
1207 return err;
1208}
1209
1210static int l2cap_sock_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len, int flags)
1211{
1212 struct sock *sk = sock->sk;
1213
1214 lock_sock(sk);
1215
1216 if (sk->sk_state == BT_CONNECT2 && bt_sk(sk)->defer_setup) {
1217 struct l2cap_conn_rsp rsp;
1218
1219 sk->sk_state = BT_CONFIG;
1220
1221 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
1222 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
1223 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1224 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1225 l2cap_send_cmd(l2cap_pi(sk)->conn, l2cap_pi(sk)->ident,
1226 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
1227
1228 release_sock(sk);
1229 return 0;
1230 }
1231
1232 release_sock(sk);
1233
1234 return bt_sock_recvmsg(iocb, sock, msg, len, flags);
1235}
1236
1237static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __user *optval, int optlen)
1238{
1239 struct sock *sk = sock->sk;
1240 struct l2cap_options opts;
1241 int len, err = 0;
1242 u32 opt;
1243
1244 BT_DBG("sk %p", sk);
1245
1246 lock_sock(sk);
1247
1248 switch (optname) {
1249 case L2CAP_OPTIONS:
1250 opts.imtu = l2cap_pi(sk)->imtu;
1251 opts.omtu = l2cap_pi(sk)->omtu;
1252 opts.flush_to = l2cap_pi(sk)->flush_to;
1253 opts.mode = L2CAP_MODE_BASIC;
1254
1255 len = min_t(unsigned int, sizeof(opts), optlen);
1256 if (copy_from_user((char *) &opts, optval, len)) {
1257 err = -EFAULT;
1258 break;
1259 }
1260
1261 l2cap_pi(sk)->imtu = opts.imtu;
1262 l2cap_pi(sk)->omtu = opts.omtu;
1263 break;
1264
1265 case L2CAP_LM:
1266 if (get_user(opt, (u32 __user *) optval)) {
1267 err = -EFAULT;
1268 break;
1269 }
1270
1271 if (opt & L2CAP_LM_AUTH)
1272 l2cap_pi(sk)->sec_level = BT_SECURITY_LOW;
1273 if (opt & L2CAP_LM_ENCRYPT)
1274 l2cap_pi(sk)->sec_level = BT_SECURITY_MEDIUM;
1275 if (opt & L2CAP_LM_SECURE)
1276 l2cap_pi(sk)->sec_level = BT_SECURITY_HIGH;
1277
1278 l2cap_pi(sk)->role_switch = (opt & L2CAP_LM_MASTER);
1279 l2cap_pi(sk)->force_reliable = (opt & L2CAP_LM_RELIABLE);
1280 break;
1281
1282 default:
1283 err = -ENOPROTOOPT;
1284 break;
1285 }
1286
1287 release_sock(sk);
1288 return err;
1289}
1290
1291static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, char __user *optval, int optlen)
1292{
1293 struct sock *sk = sock->sk;
1294 struct bt_security sec;
1295 int len, err = 0;
1296 u32 opt;
1297
1298 BT_DBG("sk %p", sk);
1299
1300 if (level == SOL_L2CAP)
1301 return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
1302
1303 if (level != SOL_BLUETOOTH)
1304 return -ENOPROTOOPT;
1305
1306 lock_sock(sk);
1307
1308 switch (optname) {
1309 case BT_SECURITY:
1310 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_RAW) {
1311 err = -EINVAL;
1312 break;
1313 }
1314
1315 sec.level = BT_SECURITY_LOW;
1316
1317 len = min_t(unsigned int, sizeof(sec), optlen);
1318 if (copy_from_user((char *) &sec, optval, len)) {
1319 err = -EFAULT;
1320 break;
1321 }
1322
1323 if (sec.level < BT_SECURITY_LOW ||
1324 sec.level > BT_SECURITY_HIGH) {
1325 err = -EINVAL;
1326 break;
1327 }
1328
1329 l2cap_pi(sk)->sec_level = sec.level;
1330 break;
1331
1332 case BT_DEFER_SETUP:
1333 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
1334 err = -EINVAL;
1335 break;
1336 }
1337
1338 if (get_user(opt, (u32 __user *) optval)) {
1339 err = -EFAULT;
1340 break;
1341 }
1342
1343 bt_sk(sk)->defer_setup = opt;
1344 break;
1345
1346 default:
1347 err = -ENOPROTOOPT;
1348 break;
1349 }
1350
1351 release_sock(sk);
1352 return err;
1353}
1354
1355static int l2cap_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen)
1356{
1357 struct sock *sk = sock->sk;
1358 struct l2cap_options opts;
1359 struct l2cap_conninfo cinfo;
1360 int len, err = 0;
1361 u32 opt;
1362
1363 BT_DBG("sk %p", sk);
1364
1365 if (get_user(len, optlen))
1366 return -EFAULT;
1367
1368 lock_sock(sk);
1369
1370 switch (optname) {
1371 case L2CAP_OPTIONS:
1372 opts.imtu = l2cap_pi(sk)->imtu;
1373 opts.omtu = l2cap_pi(sk)->omtu;
1374 opts.flush_to = l2cap_pi(sk)->flush_to;
1375 opts.mode = L2CAP_MODE_BASIC;
1376
1377 len = min_t(unsigned int, len, sizeof(opts));
1378 if (copy_to_user(optval, (char *) &opts, len))
1379 err = -EFAULT;
1380
1381 break;
1382
1383 case L2CAP_LM:
1384 switch (l2cap_pi(sk)->sec_level) {
1385 case BT_SECURITY_LOW:
1386 opt = L2CAP_LM_AUTH;
1387 break;
1388 case BT_SECURITY_MEDIUM:
1389 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
1390 break;
1391 case BT_SECURITY_HIGH:
1392 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
1393 L2CAP_LM_SECURE;
1394 break;
1395 default:
1396 opt = 0;
1397 break;
1398 }
1399
1400 if (l2cap_pi(sk)->role_switch)
1401 opt |= L2CAP_LM_MASTER;
1402
1403 if (l2cap_pi(sk)->force_reliable)
1404 opt |= L2CAP_LM_RELIABLE;
1405
1406 if (put_user(opt, (u32 __user *) optval))
1407 err = -EFAULT;
1408 break;
1409
1410 case L2CAP_CONNINFO:
1411 if (sk->sk_state != BT_CONNECTED &&
1412 !(sk->sk_state == BT_CONNECT2 &&
1413 bt_sk(sk)->defer_setup)) {
1414 err = -ENOTCONN;
1415 break;
1416 }
1417
1418 cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle;
1419 memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3);
1420
1421 len = min_t(unsigned int, len, sizeof(cinfo));
1422 if (copy_to_user(optval, (char *) &cinfo, len))
1423 err = -EFAULT;
1424
1425 break;
1426
1427 default:
1428 err = -ENOPROTOOPT;
1429 break;
1430 }
1431
1432 release_sock(sk);
1433 return err;
1434}
1435
1436static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen)
1437{
1438 struct sock *sk = sock->sk;
1439 struct bt_security sec;
1440 int len, err = 0;
1441
1442 BT_DBG("sk %p", sk);
1443
1444 if (level == SOL_L2CAP)
1445 return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
1446
1447 if (level != SOL_BLUETOOTH)
1448 return -ENOPROTOOPT;
1449
1450 if (get_user(len, optlen))
1451 return -EFAULT;
1452
1453 lock_sock(sk);
1454
1455 switch (optname) {
1456 case BT_SECURITY:
1457 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_RAW) {
1458 err = -EINVAL;
1459 break;
1460 }
1461
1462 sec.level = l2cap_pi(sk)->sec_level;
1463
1464 len = min_t(unsigned int, len, sizeof(sec));
1465 if (copy_to_user(optval, (char *) &sec, len))
1466 err = -EFAULT;
1467
1468 break;
1469
1470 case BT_DEFER_SETUP:
1471 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
1472 err = -EINVAL;
1473 break;
1474 }
1475
1476 if (put_user(bt_sk(sk)->defer_setup, (u32 __user *) optval))
1477 err = -EFAULT;
1478
1479 break;
1480
1481 default:
1482 err = -ENOPROTOOPT;
1483 break;
1484 }
1485
1486 release_sock(sk);
1487 return err;
1488}
1489
1490static int l2cap_sock_shutdown(struct socket *sock, int how)
1491{
1492 struct sock *sk = sock->sk;
1493 int err = 0;
1494
1495 BT_DBG("sock %p, sk %p", sock, sk);
1496
1497 if (!sk)
1498 return 0;
1499
1500 lock_sock(sk);
1501 if (!sk->sk_shutdown) {
1502 sk->sk_shutdown = SHUTDOWN_MASK;
1503 l2cap_sock_clear_timer(sk);
1504 __l2cap_sock_close(sk, 0);
1505
1506 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime)
1507 err = bt_sock_wait_state(sk, BT_CLOSED,
1508 sk->sk_lingertime);
1509 }
1510 release_sock(sk);
1511 return err;
1512}
1513
1514static int l2cap_sock_release(struct socket *sock)
1515{
1516 struct sock *sk = sock->sk;
1517 int err;
1518
1519 BT_DBG("sock %p, sk %p", sock, sk);
1520
1521 if (!sk)
1522 return 0;
1523
1524 err = l2cap_sock_shutdown(sock, 2);
1525
1526 sock_orphan(sk);
1527 l2cap_sock_kill(sk);
1528 return err;
1529}
1530
1531static void l2cap_chan_ready(struct sock *sk)
1532{
1533 struct sock *parent = bt_sk(sk)->parent;
1534
1535 BT_DBG("sk %p, parent %p", sk, parent);
1536
1537 l2cap_pi(sk)->conf_state = 0;
1538 l2cap_sock_clear_timer(sk);
1539
1540 if (!parent) {
1541
1542
1543
1544 sk->sk_state = BT_CONNECTED;
1545 sk->sk_state_change(sk);
1546 } else {
1547
1548
1549
1550 parent->sk_data_ready(parent, 0);
1551 }
1552}
1553
1554
1555static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
1556{
1557 struct l2cap_chan_list *l = &conn->chan_list;
1558 struct sk_buff *nskb;
1559 struct sock * sk;
1560
1561 BT_DBG("conn %p", conn);
1562
1563 read_lock(&l->lock);
1564 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
1565 if (sk->sk_type != SOCK_RAW)
1566 continue;
1567
1568
1569 if (skb->sk == sk)
1570 continue;
1571
1572 if (!(nskb = skb_clone(skb, GFP_ATOMIC)))
1573 continue;
1574
1575 if (sock_queue_rcv_skb(sk, nskb))
1576 kfree_skb(nskb);
1577 }
1578 read_unlock(&l->lock);
1579}
1580
1581
1582static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
1583 u8 code, u8 ident, u16 dlen, void *data)
1584{
1585 struct sk_buff *skb, **frag;
1586 struct l2cap_cmd_hdr *cmd;
1587 struct l2cap_hdr *lh;
1588 int len, count;
1589
1590 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d", conn, code, ident, dlen);
1591
1592 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
1593 count = min_t(unsigned int, conn->mtu, len);
1594
1595 skb = bt_skb_alloc(count, GFP_ATOMIC);
1596 if (!skb)
1597 return NULL;
1598
1599 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1600 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
1601 lh->cid = cpu_to_le16(0x0001);
1602
1603 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
1604 cmd->code = code;
1605 cmd->ident = ident;
1606 cmd->len = cpu_to_le16(dlen);
1607
1608 if (dlen) {
1609 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
1610 memcpy(skb_put(skb, count), data, count);
1611 data += count;
1612 }
1613
1614 len -= skb->len;
1615
1616
1617 frag = &skb_shinfo(skb)->frag_list;
1618 while (len) {
1619 count = min_t(unsigned int, conn->mtu, len);
1620
1621 *frag = bt_skb_alloc(count, GFP_ATOMIC);
1622 if (!*frag)
1623 goto fail;
1624
1625 memcpy(skb_put(*frag, count), data, count);
1626
1627 len -= count;
1628 data += count;
1629
1630 frag = &(*frag)->next;
1631 }
1632
1633 return skb;
1634
1635fail:
1636 kfree_skb(skb);
1637 return NULL;
1638}
1639
1640static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
1641{
1642 struct l2cap_conf_opt *opt = *ptr;
1643 int len;
1644
1645 len = L2CAP_CONF_OPT_SIZE + opt->len;
1646 *ptr += len;
1647
1648 *type = opt->type;
1649 *olen = opt->len;
1650
1651 switch (opt->len) {
1652 case 1:
1653 *val = *((u8 *) opt->val);
1654 break;
1655
1656 case 2:
1657 *val = __le16_to_cpu(*((__le16 *) opt->val));
1658 break;
1659
1660 case 4:
1661 *val = __le32_to_cpu(*((__le32 *) opt->val));
1662 break;
1663
1664 default:
1665 *val = (unsigned long) opt->val;
1666 break;
1667 }
1668
1669 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
1670 return len;
1671}
1672
1673static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
1674{
1675 struct l2cap_conf_opt *opt = *ptr;
1676
1677 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
1678
1679 opt->type = type;
1680 opt->len = len;
1681
1682 switch (len) {
1683 case 1:
1684 *((u8 *) opt->val) = val;
1685 break;
1686
1687 case 2:
1688 *((__le16 *) opt->val) = cpu_to_le16(val);
1689 break;
1690
1691 case 4:
1692 *((__le32 *) opt->val) = cpu_to_le32(val);
1693 break;
1694
1695 default:
1696 memcpy(opt->val, (void *) val, len);
1697 break;
1698 }
1699
1700 *ptr += L2CAP_CONF_OPT_SIZE + len;
1701}
1702
1703static int l2cap_build_conf_req(struct sock *sk, void *data)
1704{
1705 struct l2cap_pinfo *pi = l2cap_pi(sk);
1706 struct l2cap_conf_req *req = data;
1707 void *ptr = req->data;
1708
1709 BT_DBG("sk %p", sk);
1710
1711 if (pi->imtu != L2CAP_DEFAULT_MTU)
1712 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->imtu);
1713
1714
1715
1716
1717
1718 req->dcid = cpu_to_le16(pi->dcid);
1719 req->flags = cpu_to_le16(0);
1720
1721 return ptr - data;
1722}
1723
1724static int l2cap_parse_conf_req(struct sock *sk, void *data)
1725{
1726 struct l2cap_pinfo *pi = l2cap_pi(sk);
1727 struct l2cap_conf_rsp *rsp = data;
1728 void *ptr = rsp->data;
1729 void *req = pi->conf_req;
1730 int len = pi->conf_len;
1731 int type, hint, olen;
1732 unsigned long val;
1733 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
1734 u16 mtu = L2CAP_DEFAULT_MTU;
1735 u16 result = L2CAP_CONF_SUCCESS;
1736
1737 BT_DBG("sk %p", sk);
1738
1739 while (len >= L2CAP_CONF_OPT_SIZE) {
1740 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1741
1742 hint = type & 0x80;
1743 type &= 0x7f;
1744
1745 switch (type) {
1746 case L2CAP_CONF_MTU:
1747 mtu = val;
1748 break;
1749
1750 case L2CAP_CONF_FLUSH_TO:
1751 pi->flush_to = val;
1752 break;
1753
1754 case L2CAP_CONF_QOS:
1755 break;
1756
1757 case L2CAP_CONF_RFC:
1758 if (olen == sizeof(rfc))
1759 memcpy(&rfc, (void *) val, olen);
1760 break;
1761
1762 default:
1763 if (hint)
1764 break;
1765
1766 result = L2CAP_CONF_UNKNOWN;
1767 *((u8 *) ptr++) = type;
1768 break;
1769 }
1770 }
1771
1772 if (result == L2CAP_CONF_SUCCESS) {
1773
1774
1775
1776 if (rfc.mode == L2CAP_MODE_BASIC) {
1777 if (mtu < pi->omtu)
1778 result = L2CAP_CONF_UNACCEPT;
1779 else {
1780 pi->omtu = mtu;
1781 pi->conf_state |= L2CAP_CONF_OUTPUT_DONE;
1782 }
1783
1784 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->omtu);
1785 } else {
1786 result = L2CAP_CONF_UNACCEPT;
1787
1788 memset(&rfc, 0, sizeof(rfc));
1789 rfc.mode = L2CAP_MODE_BASIC;
1790
1791 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
1792 sizeof(rfc), (unsigned long) &rfc);
1793 }
1794 }
1795
1796 rsp->scid = cpu_to_le16(pi->dcid);
1797 rsp->result = cpu_to_le16(result);
1798 rsp->flags = cpu_to_le16(0x0000);
1799
1800 return ptr - data;
1801}
1802
1803static int l2cap_build_conf_rsp(struct sock *sk, void *data, u16 result, u16 flags)
1804{
1805 struct l2cap_conf_rsp *rsp = data;
1806 void *ptr = rsp->data;
1807
1808 BT_DBG("sk %p", sk);
1809
1810 rsp->scid = cpu_to_le16(l2cap_pi(sk)->dcid);
1811 rsp->result = cpu_to_le16(result);
1812 rsp->flags = cpu_to_le16(flags);
1813
1814 return ptr - data;
1815}
1816
1817static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
1818{
1819 struct l2cap_cmd_rej *rej = (struct l2cap_cmd_rej *) data;
1820
1821 if (rej->reason != 0x0000)
1822 return 0;
1823
1824 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
1825 cmd->ident == conn->info_ident) {
1826 del_timer(&conn->info_timer);
1827
1828 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
1829 conn->info_ident = 0;
1830
1831 l2cap_conn_start(conn);
1832 }
1833
1834 return 0;
1835}
1836
1837static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
1838{
1839 struct l2cap_chan_list *list = &conn->chan_list;
1840 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
1841 struct l2cap_conn_rsp rsp;
1842 struct sock *sk, *parent;
1843 int result, status = L2CAP_CS_NO_INFO;
1844
1845 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
1846 __le16 psm = req->psm;
1847
1848 BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
1849
1850
1851 parent = l2cap_get_sock_by_psm(BT_LISTEN, psm, conn->src);
1852 if (!parent) {
1853 result = L2CAP_CR_BAD_PSM;
1854 goto sendresp;
1855 }
1856
1857
1858 if (psm != cpu_to_le16(0x0001) &&
1859 !hci_conn_check_link_mode(conn->hcon)) {
1860 conn->disc_reason = 0x05;
1861 result = L2CAP_CR_SEC_BLOCK;
1862 goto response;
1863 }
1864
1865 result = L2CAP_CR_NO_MEM;
1866
1867
1868 if (sk_acceptq_is_full(parent)) {
1869 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1870 goto response;
1871 }
1872
1873 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP, GFP_ATOMIC);
1874 if (!sk)
1875 goto response;
1876
1877 write_lock_bh(&list->lock);
1878
1879
1880 if (__l2cap_get_chan_by_dcid(list, scid)) {
1881 write_unlock_bh(&list->lock);
1882 sock_set_flag(sk, SOCK_ZAPPED);
1883 l2cap_sock_kill(sk);
1884 goto response;
1885 }
1886
1887 hci_conn_hold(conn->hcon);
1888
1889 l2cap_sock_init(sk, parent);
1890 bacpy(&bt_sk(sk)->src, conn->src);
1891 bacpy(&bt_sk(sk)->dst, conn->dst);
1892 l2cap_pi(sk)->psm = psm;
1893 l2cap_pi(sk)->dcid = scid;
1894
1895 __l2cap_chan_add(conn, sk, parent);
1896 dcid = l2cap_pi(sk)->scid;
1897
1898 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
1899
1900 l2cap_pi(sk)->ident = cmd->ident;
1901
1902 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
1903 if (l2cap_check_security(sk)) {
1904 if (bt_sk(sk)->defer_setup) {
1905 sk->sk_state = BT_CONNECT2;
1906 result = L2CAP_CR_PEND;
1907 status = L2CAP_CS_AUTHOR_PEND;
1908 parent->sk_data_ready(parent, 0);
1909 } else {
1910 sk->sk_state = BT_CONFIG;
1911 result = L2CAP_CR_SUCCESS;
1912 status = L2CAP_CS_NO_INFO;
1913 }
1914 } else {
1915 sk->sk_state = BT_CONNECT2;
1916 result = L2CAP_CR_PEND;
1917 status = L2CAP_CS_AUTHEN_PEND;
1918 }
1919 } else {
1920 sk->sk_state = BT_CONNECT2;
1921 result = L2CAP_CR_PEND;
1922 status = L2CAP_CS_NO_INFO;
1923 }
1924
1925 write_unlock_bh(&list->lock);
1926
1927response:
1928 bh_unlock_sock(parent);
1929
1930sendresp:
1931 rsp.scid = cpu_to_le16(scid);
1932 rsp.dcid = cpu_to_le16(dcid);
1933 rsp.result = cpu_to_le16(result);
1934 rsp.status = cpu_to_le16(status);
1935 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
1936
1937 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
1938 struct l2cap_info_req info;
1939 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
1940
1941 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1942 conn->info_ident = l2cap_get_ident(conn);
1943
1944 mod_timer(&conn->info_timer, jiffies +
1945 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
1946
1947 l2cap_send_cmd(conn, conn->info_ident,
1948 L2CAP_INFO_REQ, sizeof(info), &info);
1949 }
1950
1951 return 0;
1952}
1953
1954static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
1955{
1956 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
1957 u16 scid, dcid, result, status;
1958 struct sock *sk;
1959 u8 req[128];
1960
1961 scid = __le16_to_cpu(rsp->scid);
1962 dcid = __le16_to_cpu(rsp->dcid);
1963 result = __le16_to_cpu(rsp->result);
1964 status = __le16_to_cpu(rsp->status);
1965
1966 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status);
1967
1968 if (scid) {
1969 if (!(sk = l2cap_get_chan_by_scid(&conn->chan_list, scid)))
1970 return 0;
1971 } else {
1972 if (!(sk = l2cap_get_chan_by_ident(&conn->chan_list, cmd->ident)))
1973 return 0;
1974 }
1975
1976 switch (result) {
1977 case L2CAP_CR_SUCCESS:
1978 sk->sk_state = BT_CONFIG;
1979 l2cap_pi(sk)->ident = 0;
1980 l2cap_pi(sk)->dcid = dcid;
1981 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
1982
1983 l2cap_pi(sk)->conf_state &= ~L2CAP_CONF_CONNECT_PEND;
1984
1985 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
1986 l2cap_build_conf_req(sk, req), req);
1987 break;
1988
1989 case L2CAP_CR_PEND:
1990 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
1991 break;
1992
1993 default:
1994 l2cap_chan_del(sk, ECONNREFUSED);
1995 break;
1996 }
1997
1998 bh_unlock_sock(sk);
1999 return 0;
2000}
2001
2002static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
2003{
2004 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
2005 u16 dcid, flags;
2006 u8 rsp[64];
2007 struct sock *sk;
2008 int len;
2009
2010 dcid = __le16_to_cpu(req->dcid);
2011 flags = __le16_to_cpu(req->flags);
2012
2013 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
2014
2015 if (!(sk = l2cap_get_chan_by_scid(&conn->chan_list, dcid)))
2016 return -ENOENT;
2017
2018 if (sk->sk_state == BT_DISCONN)
2019 goto unlock;
2020
2021
2022 len = cmd_len - sizeof(*req);
2023 if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
2024 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2025 l2cap_build_conf_rsp(sk, rsp,
2026 L2CAP_CONF_REJECT, flags), rsp);
2027 goto unlock;
2028 }
2029
2030
2031 memcpy(l2cap_pi(sk)->conf_req + l2cap_pi(sk)->conf_len, req->data, len);
2032 l2cap_pi(sk)->conf_len += len;
2033
2034 if (flags & 0x0001) {
2035
2036 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2037 l2cap_build_conf_rsp(sk, rsp,
2038 L2CAP_CONF_SUCCESS, 0x0001), rsp);
2039 goto unlock;
2040 }
2041
2042
2043 len = l2cap_parse_conf_req(sk, rsp);
2044 if (len < 0)
2045 goto unlock;
2046
2047 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
2048
2049
2050 l2cap_pi(sk)->conf_len = 0;
2051
2052 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE))
2053 goto unlock;
2054
2055 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_INPUT_DONE) {
2056 sk->sk_state = BT_CONNECTED;
2057 l2cap_chan_ready(sk);
2058 goto unlock;
2059 }
2060
2061 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT)) {
2062 u8 buf[64];
2063 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2064 l2cap_build_conf_req(sk, buf), buf);
2065 }
2066
2067unlock:
2068 bh_unlock_sock(sk);
2069 return 0;
2070}
2071
2072static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2073{
2074 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
2075 u16 scid, flags, result;
2076 struct sock *sk;
2077
2078 scid = __le16_to_cpu(rsp->scid);
2079 flags = __le16_to_cpu(rsp->flags);
2080 result = __le16_to_cpu(rsp->result);
2081
2082 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x", scid, flags, result);
2083
2084 if (!(sk = l2cap_get_chan_by_scid(&conn->chan_list, scid)))
2085 return 0;
2086
2087 switch (result) {
2088 case L2CAP_CONF_SUCCESS:
2089 break;
2090
2091 case L2CAP_CONF_UNACCEPT:
2092 if (++l2cap_pi(sk)->conf_retry < L2CAP_CONF_MAX_RETRIES) {
2093 char req[128];
2094
2095
2096
2097
2098
2099 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2100 l2cap_build_conf_req(sk, req), req);
2101 goto done;
2102 }
2103
2104 default:
2105 sk->sk_state = BT_DISCONN;
2106 sk->sk_err = ECONNRESET;
2107 l2cap_sock_set_timer(sk, HZ * 5);
2108 {
2109 struct l2cap_disconn_req req;
2110 req.dcid = cpu_to_le16(l2cap_pi(sk)->dcid);
2111 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
2112 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2113 L2CAP_DISCONN_REQ, sizeof(req), &req);
2114 }
2115 goto done;
2116 }
2117
2118 if (flags & 0x01)
2119 goto done;
2120
2121 l2cap_pi(sk)->conf_state |= L2CAP_CONF_INPUT_DONE;
2122
2123 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE) {
2124 sk->sk_state = BT_CONNECTED;
2125 l2cap_chan_ready(sk);
2126 }
2127
2128done:
2129 bh_unlock_sock(sk);
2130 return 0;
2131}
2132
2133static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2134{
2135 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
2136 struct l2cap_disconn_rsp rsp;
2137 u16 dcid, scid;
2138 struct sock *sk;
2139
2140 scid = __le16_to_cpu(req->scid);
2141 dcid = __le16_to_cpu(req->dcid);
2142
2143 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
2144
2145 if (!(sk = l2cap_get_chan_by_scid(&conn->chan_list, dcid)))
2146 return 0;
2147
2148 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
2149 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
2150 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
2151
2152 sk->sk_shutdown = SHUTDOWN_MASK;
2153
2154 l2cap_chan_del(sk, ECONNRESET);
2155 bh_unlock_sock(sk);
2156
2157 l2cap_sock_kill(sk);
2158 return 0;
2159}
2160
2161static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2162{
2163 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
2164 u16 dcid, scid;
2165 struct sock *sk;
2166
2167 scid = __le16_to_cpu(rsp->scid);
2168 dcid = __le16_to_cpu(rsp->dcid);
2169
2170 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
2171
2172 if (!(sk = l2cap_get_chan_by_scid(&conn->chan_list, scid)))
2173 return 0;
2174
2175 l2cap_chan_del(sk, 0);
2176 bh_unlock_sock(sk);
2177
2178 l2cap_sock_kill(sk);
2179 return 0;
2180}
2181
2182static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2183{
2184 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
2185 u16 type;
2186
2187 type = __le16_to_cpu(req->type);
2188
2189 BT_DBG("type 0x%4.4x", type);
2190
2191 if (type == L2CAP_IT_FEAT_MASK) {
2192 u8 buf[8];
2193 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2194 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2195 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
2196 put_unaligned(cpu_to_le32(l2cap_feat_mask), (__le32 *) rsp->data);
2197 l2cap_send_cmd(conn, cmd->ident,
2198 L2CAP_INFO_RSP, sizeof(buf), buf);
2199 } else if (type == L2CAP_IT_FIXED_CHAN) {
2200 u8 buf[12];
2201 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2202 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2203 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
2204 memcpy(buf + 4, l2cap_fixed_chan, 8);
2205 l2cap_send_cmd(conn, cmd->ident,
2206 L2CAP_INFO_RSP, sizeof(buf), buf);
2207 } else {
2208 struct l2cap_info_rsp rsp;
2209 rsp.type = cpu_to_le16(type);
2210 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
2211 l2cap_send_cmd(conn, cmd->ident,
2212 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
2213 }
2214
2215 return 0;
2216}
2217
2218static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2219{
2220 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
2221 u16 type, result;
2222
2223 type = __le16_to_cpu(rsp->type);
2224 result = __le16_to_cpu(rsp->result);
2225
2226 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
2227
2228 del_timer(&conn->info_timer);
2229
2230 if (type == L2CAP_IT_FEAT_MASK) {
2231 conn->feat_mask = get_unaligned_le32(rsp->data);
2232
2233 if (conn->feat_mask & 0x0080) {
2234 struct l2cap_info_req req;
2235 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2236
2237 conn->info_ident = l2cap_get_ident(conn);
2238
2239 l2cap_send_cmd(conn, conn->info_ident,
2240 L2CAP_INFO_REQ, sizeof(req), &req);
2241 } else {
2242 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2243 conn->info_ident = 0;
2244
2245 l2cap_conn_start(conn);
2246 }
2247 } else if (type == L2CAP_IT_FIXED_CHAN) {
2248 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2249 conn->info_ident = 0;
2250
2251 l2cap_conn_start(conn);
2252 }
2253
2254 return 0;
2255}
2256
2257static inline void l2cap_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb)
2258{
2259 u8 *data = skb->data;
2260 int len = skb->len;
2261 struct l2cap_cmd_hdr cmd;
2262 int err = 0;
2263
2264 l2cap_raw_recv(conn, skb);
2265
2266 while (len >= L2CAP_CMD_HDR_SIZE) {
2267 u16 cmd_len;
2268 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
2269 data += L2CAP_CMD_HDR_SIZE;
2270 len -= L2CAP_CMD_HDR_SIZE;
2271
2272 cmd_len = le16_to_cpu(cmd.len);
2273
2274 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
2275
2276 if (cmd_len > len || !cmd.ident) {
2277 BT_DBG("corrupted command");
2278 break;
2279 }
2280
2281 switch (cmd.code) {
2282 case L2CAP_COMMAND_REJ:
2283 l2cap_command_rej(conn, &cmd, data);
2284 break;
2285
2286 case L2CAP_CONN_REQ:
2287 err = l2cap_connect_req(conn, &cmd, data);
2288 break;
2289
2290 case L2CAP_CONN_RSP:
2291 err = l2cap_connect_rsp(conn, &cmd, data);
2292 break;
2293
2294 case L2CAP_CONF_REQ:
2295 err = l2cap_config_req(conn, &cmd, cmd_len, data);
2296 break;
2297
2298 case L2CAP_CONF_RSP:
2299 err = l2cap_config_rsp(conn, &cmd, data);
2300 break;
2301
2302 case L2CAP_DISCONN_REQ:
2303 err = l2cap_disconnect_req(conn, &cmd, data);
2304 break;
2305
2306 case L2CAP_DISCONN_RSP:
2307 err = l2cap_disconnect_rsp(conn, &cmd, data);
2308 break;
2309
2310 case L2CAP_ECHO_REQ:
2311 l2cap_send_cmd(conn, cmd.ident, L2CAP_ECHO_RSP, cmd_len, data);
2312 break;
2313
2314 case L2CAP_ECHO_RSP:
2315 break;
2316
2317 case L2CAP_INFO_REQ:
2318 err = l2cap_information_req(conn, &cmd, data);
2319 break;
2320
2321 case L2CAP_INFO_RSP:
2322 err = l2cap_information_rsp(conn, &cmd, data);
2323 break;
2324
2325 default:
2326 BT_ERR("Unknown signaling command 0x%2.2x", cmd.code);
2327 err = -EINVAL;
2328 break;
2329 }
2330
2331 if (err) {
2332 struct l2cap_cmd_rej rej;
2333 BT_DBG("error %d", err);
2334
2335
2336 rej.reason = cpu_to_le16(0);
2337 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
2338 }
2339
2340 data += cmd_len;
2341 len -= cmd_len;
2342 }
2343
2344 kfree_skb(skb);
2345}
2346
2347static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
2348{
2349 struct sock *sk;
2350
2351 sk = l2cap_get_chan_by_scid(&conn->chan_list, cid);
2352 if (!sk) {
2353 BT_DBG("unknown cid 0x%4.4x", cid);
2354 goto drop;
2355 }
2356
2357 BT_DBG("sk %p, len %d", sk, skb->len);
2358
2359 if (sk->sk_state != BT_CONNECTED)
2360 goto drop;
2361
2362 if (l2cap_pi(sk)->imtu < skb->len)
2363 goto drop;
2364
2365
2366
2367
2368
2369
2370 if (!sock_queue_rcv_skb(sk, skb))
2371 goto done;
2372
2373drop:
2374 kfree_skb(skb);
2375
2376done:
2377 if (sk)
2378 bh_unlock_sock(sk);
2379
2380 return 0;
2381}
2382
2383static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
2384{
2385 struct sock *sk;
2386
2387 sk = l2cap_get_sock_by_psm(0, psm, conn->src);
2388 if (!sk)
2389 goto drop;
2390
2391 BT_DBG("sk %p, len %d", sk, skb->len);
2392
2393 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_CONNECTED)
2394 goto drop;
2395
2396 if (l2cap_pi(sk)->imtu < skb->len)
2397 goto drop;
2398
2399 if (!sock_queue_rcv_skb(sk, skb))
2400 goto done;
2401
2402drop:
2403 kfree_skb(skb);
2404
2405done:
2406 if (sk) bh_unlock_sock(sk);
2407 return 0;
2408}
2409
2410static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
2411{
2412 struct l2cap_hdr *lh = (void *) skb->data;
2413 u16 cid, len;
2414 __le16 psm;
2415
2416 skb_pull(skb, L2CAP_HDR_SIZE);
2417 cid = __le16_to_cpu(lh->cid);
2418 len = __le16_to_cpu(lh->len);
2419
2420 BT_DBG("len %d, cid 0x%4.4x", len, cid);
2421
2422 switch (cid) {
2423 case 0x0001:
2424 l2cap_sig_channel(conn, skb);
2425 break;
2426
2427 case 0x0002:
2428 psm = get_unaligned((__le16 *) skb->data);
2429 skb_pull(skb, 2);
2430 l2cap_conless_channel(conn, psm, skb);
2431 break;
2432
2433 default:
2434 l2cap_data_channel(conn, cid, skb);
2435 break;
2436 }
2437}
2438
2439
2440
2441static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
2442{
2443 int exact = 0, lm1 = 0, lm2 = 0;
2444 register struct sock *sk;
2445 struct hlist_node *node;
2446
2447 if (type != ACL_LINK)
2448 return 0;
2449
2450 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
2451
2452
2453 read_lock(&l2cap_sk_list.lock);
2454 sk_for_each(sk, node, &l2cap_sk_list.head) {
2455 if (sk->sk_state != BT_LISTEN)
2456 continue;
2457
2458 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2459 lm1 |= HCI_LM_ACCEPT;
2460 if (l2cap_pi(sk)->role_switch)
2461 lm1 |= HCI_LM_MASTER;
2462 exact++;
2463 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
2464 lm2 |= HCI_LM_ACCEPT;
2465 if (l2cap_pi(sk)->role_switch)
2466 lm2 |= HCI_LM_MASTER;
2467 }
2468 }
2469 read_unlock(&l2cap_sk_list.lock);
2470
2471 return exact ? lm1 : lm2;
2472}
2473
2474static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
2475{
2476 struct l2cap_conn *conn;
2477
2478 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
2479
2480 if (hcon->type != ACL_LINK)
2481 return 0;
2482
2483 if (!status) {
2484 conn = l2cap_conn_add(hcon, status);
2485 if (conn)
2486 l2cap_conn_ready(conn);
2487 } else
2488 l2cap_conn_del(hcon, bt_err(status));
2489
2490 return 0;
2491}
2492
2493static int l2cap_disconn_ind(struct hci_conn *hcon)
2494{
2495 struct l2cap_conn *conn = hcon->l2cap_data;
2496
2497 BT_DBG("hcon %p", hcon);
2498
2499 if (hcon->type != ACL_LINK || !conn)
2500 return 0x13;
2501
2502 return conn->disc_reason;
2503}
2504
2505static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
2506{
2507 BT_DBG("hcon %p reason %d", hcon, reason);
2508
2509 if (hcon->type != ACL_LINK)
2510 return 0;
2511
2512 l2cap_conn_del(hcon, bt_err(reason));
2513
2514 return 0;
2515}
2516
2517static inline void l2cap_check_encryption(struct sock *sk, u8 encrypt)
2518{
2519 if (sk->sk_type != SOCK_SEQPACKET)
2520 return;
2521
2522 if (encrypt == 0x00) {
2523 if (l2cap_pi(sk)->sec_level == BT_SECURITY_MEDIUM) {
2524 l2cap_sock_clear_timer(sk);
2525 l2cap_sock_set_timer(sk, HZ * 5);
2526 } else if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
2527 __l2cap_sock_close(sk, ECONNREFUSED);
2528 } else {
2529 if (l2cap_pi(sk)->sec_level == BT_SECURITY_MEDIUM)
2530 l2cap_sock_clear_timer(sk);
2531 }
2532}
2533
2534static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
2535{
2536 struct l2cap_chan_list *l;
2537 struct l2cap_conn *conn = hcon->l2cap_data;
2538 struct sock *sk;
2539
2540 if (!conn)
2541 return 0;
2542
2543 l = &conn->chan_list;
2544
2545 BT_DBG("conn %p", conn);
2546
2547 read_lock(&l->lock);
2548
2549 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
2550 bh_lock_sock(sk);
2551
2552 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_CONNECT_PEND) {
2553 bh_unlock_sock(sk);
2554 continue;
2555 }
2556
2557 if (!status && (sk->sk_state == BT_CONNECTED ||
2558 sk->sk_state == BT_CONFIG)) {
2559 l2cap_check_encryption(sk, encrypt);
2560 bh_unlock_sock(sk);
2561 continue;
2562 }
2563
2564 if (sk->sk_state == BT_CONNECT) {
2565 if (!status) {
2566 struct l2cap_conn_req req;
2567 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
2568 req.psm = l2cap_pi(sk)->psm;
2569
2570 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
2571
2572 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
2573 L2CAP_CONN_REQ, sizeof(req), &req);
2574 } else {
2575 l2cap_sock_clear_timer(sk);
2576 l2cap_sock_set_timer(sk, HZ / 10);
2577 }
2578 } else if (sk->sk_state == BT_CONNECT2) {
2579 struct l2cap_conn_rsp rsp;
2580 __u16 result;
2581
2582 if (!status) {
2583 sk->sk_state = BT_CONFIG;
2584 result = L2CAP_CR_SUCCESS;
2585 } else {
2586 sk->sk_state = BT_DISCONN;
2587 l2cap_sock_set_timer(sk, HZ / 10);
2588 result = L2CAP_CR_SEC_BLOCK;
2589 }
2590
2591 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
2592 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
2593 rsp.result = cpu_to_le16(result);
2594 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
2595 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
2596 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2597 }
2598
2599 bh_unlock_sock(sk);
2600 }
2601
2602 read_unlock(&l->lock);
2603
2604 return 0;
2605}
2606
2607static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
2608{
2609 struct l2cap_conn *conn = hcon->l2cap_data;
2610
2611 if (!conn && !(conn = l2cap_conn_add(hcon, 0)))
2612 goto drop;
2613
2614 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
2615
2616 if (flags & ACL_START) {
2617 struct l2cap_hdr *hdr;
2618 int len;
2619
2620 if (conn->rx_len) {
2621 BT_ERR("Unexpected start frame (len %d)", skb->len);
2622 kfree_skb(conn->rx_skb);
2623 conn->rx_skb = NULL;
2624 conn->rx_len = 0;
2625 l2cap_conn_unreliable(conn, ECOMM);
2626 }
2627
2628 if (skb->len < 2) {
2629 BT_ERR("Frame is too short (len %d)", skb->len);
2630 l2cap_conn_unreliable(conn, ECOMM);
2631 goto drop;
2632 }
2633
2634 hdr = (struct l2cap_hdr *) skb->data;
2635 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
2636
2637 if (len == skb->len) {
2638
2639 l2cap_recv_frame(conn, skb);
2640 return 0;
2641 }
2642
2643 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
2644
2645 if (skb->len > len) {
2646 BT_ERR("Frame is too long (len %d, expected len %d)",
2647 skb->len, len);
2648 l2cap_conn_unreliable(conn, ECOMM);
2649 goto drop;
2650 }
2651
2652
2653 if (!(conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC)))
2654 goto drop;
2655
2656 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2657 skb->len);
2658 conn->rx_len = len - skb->len;
2659 } else {
2660 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
2661
2662 if (!conn->rx_len) {
2663 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
2664 l2cap_conn_unreliable(conn, ECOMM);
2665 goto drop;
2666 }
2667
2668 if (skb->len > conn->rx_len) {
2669 BT_ERR("Fragment is too long (len %d, expected %d)",
2670 skb->len, conn->rx_len);
2671 kfree_skb(conn->rx_skb);
2672 conn->rx_skb = NULL;
2673 conn->rx_len = 0;
2674 l2cap_conn_unreliable(conn, ECOMM);
2675 goto drop;
2676 }
2677
2678 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2679 skb->len);
2680 conn->rx_len -= skb->len;
2681
2682 if (!conn->rx_len) {
2683
2684 l2cap_recv_frame(conn, conn->rx_skb);
2685 conn->rx_skb = NULL;
2686 }
2687 }
2688
2689drop:
2690 kfree_skb(skb);
2691 return 0;
2692}
2693
2694static ssize_t l2cap_sysfs_show(struct class *dev, char *buf)
2695{
2696 struct sock *sk;
2697 struct hlist_node *node;
2698 char *str = buf;
2699
2700 read_lock_bh(&l2cap_sk_list.lock);
2701
2702 sk_for_each(sk, node, &l2cap_sk_list.head) {
2703 struct l2cap_pinfo *pi = l2cap_pi(sk);
2704
2705 str += sprintf(str, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d\n",
2706 batostr(&bt_sk(sk)->src), batostr(&bt_sk(sk)->dst),
2707 sk->sk_state, btohs(pi->psm), pi->scid, pi->dcid,
2708 pi->imtu, pi->omtu, pi->sec_level);
2709 }
2710
2711 read_unlock_bh(&l2cap_sk_list.lock);
2712
2713 return (str - buf);
2714}
2715
2716static CLASS_ATTR(l2cap, S_IRUGO, l2cap_sysfs_show, NULL);
2717
2718static const struct proto_ops l2cap_sock_ops = {
2719 .family = PF_BLUETOOTH,
2720 .owner = THIS_MODULE,
2721 .release = l2cap_sock_release,
2722 .bind = l2cap_sock_bind,
2723 .connect = l2cap_sock_connect,
2724 .listen = l2cap_sock_listen,
2725 .accept = l2cap_sock_accept,
2726 .getname = l2cap_sock_getname,
2727 .sendmsg = l2cap_sock_sendmsg,
2728 .recvmsg = l2cap_sock_recvmsg,
2729 .poll = bt_sock_poll,
2730 .ioctl = bt_sock_ioctl,
2731 .mmap = sock_no_mmap,
2732 .socketpair = sock_no_socketpair,
2733 .shutdown = l2cap_sock_shutdown,
2734 .setsockopt = l2cap_sock_setsockopt,
2735 .getsockopt = l2cap_sock_getsockopt
2736};
2737
2738static struct net_proto_family l2cap_sock_family_ops = {
2739 .family = PF_BLUETOOTH,
2740 .owner = THIS_MODULE,
2741 .create = l2cap_sock_create,
2742};
2743
2744static struct hci_proto l2cap_hci_proto = {
2745 .name = "L2CAP",
2746 .id = HCI_PROTO_L2CAP,
2747 .connect_ind = l2cap_connect_ind,
2748 .connect_cfm = l2cap_connect_cfm,
2749 .disconn_ind = l2cap_disconn_ind,
2750 .disconn_cfm = l2cap_disconn_cfm,
2751 .security_cfm = l2cap_security_cfm,
2752 .recv_acldata = l2cap_recv_acldata
2753};
2754
2755static int __init l2cap_init(void)
2756{
2757 int err;
2758
2759 err = proto_register(&l2cap_proto, 0);
2760 if (err < 0)
2761 return err;
2762
2763 err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
2764 if (err < 0) {
2765 BT_ERR("L2CAP socket registration failed");
2766 goto error;
2767 }
2768
2769 err = hci_register_proto(&l2cap_hci_proto);
2770 if (err < 0) {
2771 BT_ERR("L2CAP protocol registration failed");
2772 bt_sock_unregister(BTPROTO_L2CAP);
2773 goto error;
2774 }
2775
2776 if (class_create_file(bt_class, &class_attr_l2cap) < 0)
2777 BT_ERR("Failed to create L2CAP info file");
2778
2779 BT_INFO("L2CAP ver %s", VERSION);
2780 BT_INFO("L2CAP socket layer initialized");
2781
2782 return 0;
2783
2784error:
2785 proto_unregister(&l2cap_proto);
2786 return err;
2787}
2788
2789static void __exit l2cap_exit(void)
2790{
2791 class_remove_file(bt_class, &class_attr_l2cap);
2792
2793 if (bt_sock_unregister(BTPROTO_L2CAP) < 0)
2794 BT_ERR("L2CAP socket unregistration failed");
2795
2796 if (hci_unregister_proto(&l2cap_hci_proto) < 0)
2797 BT_ERR("L2CAP protocol unregistration failed");
2798
2799 proto_unregister(&l2cap_proto);
2800}
2801
2802void l2cap_load(void)
2803{
2804
2805
2806
2807 return;
2808}
2809EXPORT_SYMBOL(l2cap_load);
2810
2811module_init(l2cap_init);
2812module_exit(l2cap_exit);
2813
2814MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
2815MODULE_DESCRIPTION("Bluetooth L2CAP ver " VERSION);
2816MODULE_VERSION(VERSION);
2817MODULE_LICENSE("GPL");
2818MODULE_ALIAS("bt-proto-0");
2819
