linux/net/bluetooth/l2cap.c
<<
>>
Prefs
   1/*
   2   BlueZ - Bluetooth protocol stack for Linux
   3   Copyright (C) 2000-2001 Qualcomm Incorporated
   4
   5   Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
   6
   7   This program is free software; you can redistribute it and/or modify
   8   it under the terms of the GNU General Public License version 2 as
   9   published by the Free Software Foundation;
  10
  11   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
  12   OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  13   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
  14   IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
  15   CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
  16   WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
  17   ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  18   OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  19
  20   ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
  21   COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
  22   SOFTWARE IS DISCLAIMED.
  23*/
  24
  25/* Bluetooth L2CAP core and sockets. */
  26
  27#include <linux/module.h>
  28
  29#include <linux/types.h>
  30#include <linux/capability.h>
  31#include <linux/errno.h>
  32#include <linux/kernel.h>
  33#include <linux/sched.h>
  34#include <linux/slab.h>
  35#include <linux/poll.h>
  36#include <linux/fcntl.h>
  37#include <linux/init.h>
  38#include <linux/interrupt.h>
  39#include <linux/socket.h>
  40#include <linux/skbuff.h>
  41#include <linux/list.h>
  42#include <linux/device.h>
  43#include <net/sock.h>
  44
  45#include <asm/system.h>
  46#include <asm/uaccess.h>
  47#include <asm/unaligned.h>
  48
  49#include <net/bluetooth/bluetooth.h>
  50#include <net/bluetooth/hci_core.h>
  51#include <net/bluetooth/l2cap.h>
  52
  53#define VERSION "2.13"
  54
  55static u32 l2cap_feat_mask = 0x0080;
  56static u8 l2cap_fixed_chan[8] = { 0x02, };
  57
  58static const struct proto_ops l2cap_sock_ops;
  59
  60static struct bt_sock_list l2cap_sk_list = {
  61        .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
  62};
  63
  64static void __l2cap_sock_close(struct sock *sk, int reason);
  65static void l2cap_sock_close(struct sock *sk);
  66static void l2cap_sock_kill(struct sock *sk);
  67
  68static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
  69                                u8 code, u8 ident, u16 dlen, void *data);
  70
  71/* ---- L2CAP timers ---- */
  72static void l2cap_sock_timeout(unsigned long arg)
  73{
  74        struct sock *sk = (struct sock *) arg;
  75        int reason;
  76
  77        BT_DBG("sock %p state %d", sk, sk->sk_state);
  78
  79        bh_lock_sock(sk);
  80
  81        if (sk->sk_state == BT_CONNECTED || sk->sk_state == BT_CONFIG)
  82                reason = ECONNREFUSED;
  83        else if (sk->sk_state == BT_CONNECT &&
  84                                l2cap_pi(sk)->sec_level != BT_SECURITY_SDP)
  85                reason = ECONNREFUSED;
  86        else
  87                reason = ETIMEDOUT;
  88
  89        __l2cap_sock_close(sk, reason);
  90
  91        bh_unlock_sock(sk);
  92
  93        l2cap_sock_kill(sk);
  94        sock_put(sk);
  95}
  96
  97static void l2cap_sock_set_timer(struct sock *sk, long timeout)
  98{
  99        BT_DBG("sk %p state %d timeout %ld", sk, sk->sk_state, timeout);
 100        sk_reset_timer(sk, &sk->sk_timer, jiffies + timeout);
 101}
 102
 103static void l2cap_sock_clear_timer(struct sock *sk)
 104{
 105        BT_DBG("sock %p state %d", sk, sk->sk_state);
 106        sk_stop_timer(sk, &sk->sk_timer);
 107}
 108
 109/* ---- L2CAP channels ---- */
 110static struct sock *__l2cap_get_chan_by_dcid(struct l2cap_chan_list *l, u16 cid)
 111{
 112        struct sock *s;
 113        for (s = l->head; s; s = l2cap_pi(s)->next_c) {
 114                if (l2cap_pi(s)->dcid == cid)
 115                        break;
 116        }
 117        return s;
 118}
 119
 120static struct sock *__l2cap_get_chan_by_scid(struct l2cap_chan_list *l, u16 cid)
 121{
 122        struct sock *s;
 123        for (s = l->head; s; s = l2cap_pi(s)->next_c) {
 124                if (l2cap_pi(s)->scid == cid)
 125                        break;
 126        }
 127        return s;
 128}
 129
 130/* Find channel with given SCID.
 131 * Returns locked socket */
 132static inline struct sock *l2cap_get_chan_by_scid(struct l2cap_chan_list *l, u16 cid)
 133{
 134        struct sock *s;
 135        read_lock(&l->lock);
 136        s = __l2cap_get_chan_by_scid(l, cid);
 137        if (s) bh_lock_sock(s);
 138        read_unlock(&l->lock);
 139        return s;
 140}
 141
 142static struct sock *__l2cap_get_chan_by_ident(struct l2cap_chan_list *l, u8 ident)
 143{
 144        struct sock *s;
 145        for (s = l->head; s; s = l2cap_pi(s)->next_c) {
 146                if (l2cap_pi(s)->ident == ident)
 147                        break;
 148        }
 149        return s;
 150}
 151
 152static inline struct sock *l2cap_get_chan_by_ident(struct l2cap_chan_list *l, u8 ident)
 153{
 154        struct sock *s;
 155        read_lock(&l->lock);
 156        s = __l2cap_get_chan_by_ident(l, ident);
 157        if (s) bh_lock_sock(s);
 158        read_unlock(&l->lock);
 159        return s;
 160}
 161
 162static u16 l2cap_alloc_cid(struct l2cap_chan_list *l)
 163{
 164        u16 cid = 0x0040;
 165
 166        for (; cid < 0xffff; cid++) {
 167                if(!__l2cap_get_chan_by_scid(l, cid))
 168                        return cid;
 169        }
 170
 171        return 0;
 172}
 173
 174static inline void __l2cap_chan_link(struct l2cap_chan_list *l, struct sock *sk)
 175{
 176        sock_hold(sk);
 177
 178        if (l->head)
 179                l2cap_pi(l->head)->prev_c = sk;
 180
 181        l2cap_pi(sk)->next_c = l->head;
 182        l2cap_pi(sk)->prev_c = NULL;
 183        l->head = sk;
 184}
 185
 186static inline void l2cap_chan_unlink(struct l2cap_chan_list *l, struct sock *sk)
 187{
 188        struct sock *next = l2cap_pi(sk)->next_c, *prev = l2cap_pi(sk)->prev_c;
 189
 190        write_lock_bh(&l->lock);
 191        if (sk == l->head)
 192                l->head = next;
 193
 194        if (next)
 195                l2cap_pi(next)->prev_c = prev;
 196        if (prev)
 197                l2cap_pi(prev)->next_c = next;
 198        write_unlock_bh(&l->lock);
 199
 200        __sock_put(sk);
 201}
 202
 203static void __l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent)
 204{
 205        struct l2cap_chan_list *l = &conn->chan_list;
 206
 207        BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn, l2cap_pi(sk)->psm, l2cap_pi(sk)->dcid);
 208
 209        conn->disc_reason = 0x13;
 210
 211        l2cap_pi(sk)->conn = conn;
 212
 213        if (sk->sk_type == SOCK_SEQPACKET) {
 214                /* Alloc CID for connection-oriented socket */
 215                l2cap_pi(sk)->scid = l2cap_alloc_cid(l);
 216        } else if (sk->sk_type == SOCK_DGRAM) {
 217                /* Connectionless socket */
 218                l2cap_pi(sk)->scid = 0x0002;
 219                l2cap_pi(sk)->dcid = 0x0002;
 220                l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU;
 221        } else {
 222                /* Raw socket can send/recv signalling messages only */
 223                l2cap_pi(sk)->scid = 0x0001;
 224                l2cap_pi(sk)->dcid = 0x0001;
 225                l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU;
 226        }
 227
 228        __l2cap_chan_link(l, sk);
 229
 230        if (parent)
 231                bt_accept_enqueue(parent, sk);
 232}
 233
 234/* Delete channel.
 235 * Must be called on the locked socket. */
 236static void l2cap_chan_del(struct sock *sk, int err)
 237{
 238        struct l2cap_conn *conn = l2cap_pi(sk)->conn;
 239        struct sock *parent = bt_sk(sk)->parent;
 240
 241        l2cap_sock_clear_timer(sk);
 242
 243        BT_DBG("sk %p, conn %p, err %d", sk, conn, err);
 244
 245        if (conn) {
 246                /* Unlink from channel list */
 247                l2cap_chan_unlink(&conn->chan_list, sk);
 248                l2cap_pi(sk)->conn = NULL;
 249                hci_conn_put(conn->hcon);
 250        }
 251
 252        sk->sk_state = BT_CLOSED;
 253        sock_set_flag(sk, SOCK_ZAPPED);
 254
 255        if (err)
 256                sk->sk_err = err;
 257
 258        if (parent) {
 259                bt_accept_unlink(sk);
 260                parent->sk_data_ready(parent, 0);
 261        } else
 262                sk->sk_state_change(sk);
 263}
 264
 265/* Service level security */
 266static inline int l2cap_check_security(struct sock *sk)
 267{
 268        struct l2cap_conn *conn = l2cap_pi(sk)->conn;
 269        __u8 auth_type;
 270
 271        if (l2cap_pi(sk)->psm == cpu_to_le16(0x0001)) {
 272                if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
 273                        auth_type = HCI_AT_NO_BONDING_MITM;
 274                else
 275                        auth_type = HCI_AT_NO_BONDING;
 276
 277                if (l2cap_pi(sk)->sec_level == BT_SECURITY_LOW)
 278                        l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
 279        } else {
 280                switch (l2cap_pi(sk)->sec_level) {
 281                case BT_SECURITY_HIGH:
 282                        auth_type = HCI_AT_GENERAL_BONDING_MITM;
 283                        break;
 284                case BT_SECURITY_MEDIUM:
 285                        auth_type = HCI_AT_GENERAL_BONDING;
 286                        break;
 287                default:
 288                        auth_type = HCI_AT_NO_BONDING;
 289                        break;
 290                }
 291        }
 292
 293        return hci_conn_security(conn->hcon, l2cap_pi(sk)->sec_level,
 294                                                                auth_type);
 295}
 296
 297static inline u8 l2cap_get_ident(struct l2cap_conn *conn)
 298{
 299        u8 id;
 300
 301        /* Get next available identificator.
 302         *    1 - 128 are used by kernel.
 303         *  129 - 199 are reserved.
 304         *  200 - 254 are used by utilities like l2ping, etc.
 305         */
 306
 307        spin_lock_bh(&conn->lock);
 308
 309        if (++conn->tx_ident > 128)
 310                conn->tx_ident = 1;
 311
 312        id = conn->tx_ident;
 313
 314        spin_unlock_bh(&conn->lock);
 315
 316        return id;
 317}
 318
 319static inline int l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
 320{
 321        struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
 322
 323        BT_DBG("code 0x%2.2x", code);
 324
 325        if (!skb)
 326                return -ENOMEM;
 327
 328        return hci_send_acl(conn->hcon, skb, 0);
 329}
 330
 331static void l2cap_do_start(struct sock *sk)
 332{
 333        struct l2cap_conn *conn = l2cap_pi(sk)->conn;
 334
 335        if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
 336                if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
 337                        return;
 338
 339                if (l2cap_check_security(sk)) {
 340                        struct l2cap_conn_req req;
 341                        req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
 342                        req.psm  = l2cap_pi(sk)->psm;
 343
 344                        l2cap_pi(sk)->ident = l2cap_get_ident(conn);
 345
 346                        l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
 347                                        L2CAP_CONN_REQ, sizeof(req), &req);
 348                }
 349        } else {
 350                struct l2cap_info_req req;
 351                req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
 352
 353                conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
 354                conn->info_ident = l2cap_get_ident(conn);
 355
 356                mod_timer(&conn->info_timer, jiffies +
 357                                        msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
 358
 359                l2cap_send_cmd(conn, conn->info_ident,
 360                                        L2CAP_INFO_REQ, sizeof(req), &req);
 361        }
 362}
 363
 364/* ---- L2CAP connections ---- */
 365static void l2cap_conn_start(struct l2cap_conn *conn)
 366{
 367        struct l2cap_chan_list *l = &conn->chan_list;
 368        struct sock *sk;
 369
 370        BT_DBG("conn %p", conn);
 371
 372        read_lock(&l->lock);
 373
 374        for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
 375                bh_lock_sock(sk);
 376
 377                if (sk->sk_type != SOCK_SEQPACKET) {
 378                        bh_unlock_sock(sk);
 379                        continue;
 380                }
 381
 382                if (sk->sk_state == BT_CONNECT) {
 383                        if (l2cap_check_security(sk)) {
 384                                struct l2cap_conn_req req;
 385                                req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
 386                                req.psm  = l2cap_pi(sk)->psm;
 387
 388                                l2cap_pi(sk)->ident = l2cap_get_ident(conn);
 389
 390                                l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
 391                                        L2CAP_CONN_REQ, sizeof(req), &req);
 392                        }
 393                } else if (sk->sk_state == BT_CONNECT2) {
 394                        struct l2cap_conn_rsp rsp;
 395                        rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
 396                        rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
 397
 398                        if (l2cap_check_security(sk)) {
 399                                if (bt_sk(sk)->defer_setup) {
 400                                        struct sock *parent = bt_sk(sk)->parent;
 401                                        rsp.result = cpu_to_le16(L2CAP_CR_PEND);
 402                                        rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
 403                                        parent->sk_data_ready(parent, 0);
 404
 405                                } else {
 406                                        sk->sk_state = BT_CONFIG;
 407                                        rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
 408                                        rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
 409                                }
 410                        } else {
 411                                rsp.result = cpu_to_le16(L2CAP_CR_PEND);
 412                                rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
 413                        }
 414
 415                        l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
 416                                        L2CAP_CONN_RSP, sizeof(rsp), &rsp);
 417                }
 418
 419                bh_unlock_sock(sk);
 420        }
 421
 422        read_unlock(&l->lock);
 423}
 424
 425static void l2cap_conn_ready(struct l2cap_conn *conn)
 426{
 427        struct l2cap_chan_list *l = &conn->chan_list;
 428        struct sock *sk;
 429
 430        BT_DBG("conn %p", conn);
 431
 432        read_lock(&l->lock);
 433
 434        for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
 435                bh_lock_sock(sk);
 436
 437                if (sk->sk_type != SOCK_SEQPACKET) {
 438                        l2cap_sock_clear_timer(sk);
 439                        sk->sk_state = BT_CONNECTED;
 440                        sk->sk_state_change(sk);
 441                } else if (sk->sk_state == BT_CONNECT)
 442                        l2cap_do_start(sk);
 443
 444                bh_unlock_sock(sk);
 445        }
 446
 447        read_unlock(&l->lock);
 448}
 449
 450/* Notify sockets that we cannot guaranty reliability anymore */
 451static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
 452{
 453        struct l2cap_chan_list *l = &conn->chan_list;
 454        struct sock *sk;
 455
 456        BT_DBG("conn %p", conn);
 457
 458        read_lock(&l->lock);
 459
 460        for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
 461                if (l2cap_pi(sk)->force_reliable)
 462                        sk->sk_err = err;
 463        }
 464
 465        read_unlock(&l->lock);
 466}
 467
 468static void l2cap_info_timeout(unsigned long arg)
 469{
 470        struct l2cap_conn *conn = (void *) arg;
 471
 472        conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
 473        conn->info_ident = 0;
 474
 475        l2cap_conn_start(conn);
 476}
 477
 478static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
 479{
 480        struct l2cap_conn *conn = hcon->l2cap_data;
 481
 482        if (conn || status)
 483                return conn;
 484
 485        conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
 486        if (!conn)
 487                return NULL;
 488
 489        hcon->l2cap_data = conn;
 490        conn->hcon = hcon;
 491
 492        BT_DBG("hcon %p conn %p", hcon, conn);
 493
 494        conn->mtu = hcon->hdev->acl_mtu;
 495        conn->src = &hcon->hdev->bdaddr;
 496        conn->dst = &hcon->dst;
 497
 498        conn->feat_mask = 0;
 499
 500        setup_timer(&conn->info_timer, l2cap_info_timeout,
 501                                                (unsigned long) conn);
 502
 503        spin_lock_init(&conn->lock);
 504        rwlock_init(&conn->chan_list.lock);
 505
 506        conn->disc_reason = 0x13;
 507
 508        return conn;
 509}
 510
 511static void l2cap_conn_del(struct hci_conn *hcon, int err)
 512{
 513        struct l2cap_conn *conn = hcon->l2cap_data;
 514        struct sock *sk;
 515
 516        if (!conn)
 517                return;
 518
 519        BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
 520
 521        kfree_skb(conn->rx_skb);
 522
 523        /* Kill channels */
 524        while ((sk = conn->chan_list.head)) {
 525                bh_lock_sock(sk);
 526                l2cap_chan_del(sk, err);
 527                bh_unlock_sock(sk);
 528                l2cap_sock_kill(sk);
 529        }
 530
 531        if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
 532                del_timer_sync(&conn->info_timer);
 533
 534        hcon->l2cap_data = NULL;
 535        kfree(conn);
 536}
 537
 538static inline void l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent)
 539{
 540        struct l2cap_chan_list *l = &conn->chan_list;
 541        write_lock_bh(&l->lock);
 542        __l2cap_chan_add(conn, sk, parent);
 543        write_unlock_bh(&l->lock);
 544}
 545
 546/* ---- Socket interface ---- */
 547static struct sock *__l2cap_get_sock_by_addr(__le16 psm, bdaddr_t *src)
 548{
 549        struct sock *sk;
 550        struct hlist_node *node;
 551        sk_for_each(sk, node, &l2cap_sk_list.head)
 552                if (l2cap_pi(sk)->sport == psm && !bacmp(&bt_sk(sk)->src, src))
 553                        goto found;
 554        sk = NULL;
 555found:
 556        return sk;
 557}
 558
 559/* Find socket with psm and source bdaddr.
 560 * Returns closest match.
 561 */
 562static struct sock *__l2cap_get_sock_by_psm(int state, __le16 psm, bdaddr_t *src)
 563{
 564        struct sock *sk = NULL, *sk1 = NULL;
 565        struct hlist_node *node;
 566
 567        sk_for_each(sk, node, &l2cap_sk_list.head) {
 568                if (state && sk->sk_state != state)
 569                        continue;
 570
 571                if (l2cap_pi(sk)->psm == psm) {
 572                        /* Exact match. */
 573                        if (!bacmp(&bt_sk(sk)->src, src))
 574                                break;
 575
 576                        /* Closest match */
 577                        if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
 578                                sk1 = sk;
 579                }
 580        }
 581        return node ? sk : sk1;
 582}
 583
 584/* Find socket with given address (psm, src).
 585 * Returns locked socket */
 586static inline struct sock *l2cap_get_sock_by_psm(int state, __le16 psm, bdaddr_t *src)
 587{
 588        struct sock *s;
 589        read_lock(&l2cap_sk_list.lock);
 590        s = __l2cap_get_sock_by_psm(state, psm, src);
 591        if (s) bh_lock_sock(s);
 592        read_unlock(&l2cap_sk_list.lock);
 593        return s;
 594}
 595
 596static void l2cap_sock_destruct(struct sock *sk)
 597{
 598        BT_DBG("sk %p", sk);
 599
 600        skb_queue_purge(&sk->sk_receive_queue);
 601        skb_queue_purge(&sk->sk_write_queue);
 602}
 603
 604static void l2cap_sock_cleanup_listen(struct sock *parent)
 605{
 606        struct sock *sk;
 607
 608        BT_DBG("parent %p", parent);
 609
 610        /* Close not yet accepted channels */
 611        while ((sk = bt_accept_dequeue(parent, NULL)))
 612                l2cap_sock_close(sk);
 613
 614        parent->sk_state = BT_CLOSED;
 615        sock_set_flag(parent, SOCK_ZAPPED);
 616}
 617
 618/* Kill socket (only if zapped and orphan)
 619 * Must be called on unlocked socket.
 620 */
 621static void l2cap_sock_kill(struct sock *sk)
 622{
 623        if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
 624                return;
 625
 626        BT_DBG("sk %p state %d", sk, sk->sk_state);
 627
 628        /* Kill poor orphan */
 629        bt_sock_unlink(&l2cap_sk_list, sk);
 630        sock_set_flag(sk, SOCK_DEAD);
 631        sock_put(sk);
 632}
 633
 634static void __l2cap_sock_close(struct sock *sk, int reason)
 635{
 636        BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
 637
 638        switch (sk->sk_state) {
 639        case BT_LISTEN:
 640                l2cap_sock_cleanup_listen(sk);
 641                break;
 642
 643        case BT_CONNECTED:
 644        case BT_CONFIG:
 645                if (sk->sk_type == SOCK_SEQPACKET) {
 646                        struct l2cap_conn *conn = l2cap_pi(sk)->conn;
 647                        struct l2cap_disconn_req req;
 648
 649                        sk->sk_state = BT_DISCONN;
 650                        l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
 651
 652                        req.dcid = cpu_to_le16(l2cap_pi(sk)->dcid);
 653                        req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
 654                        l2cap_send_cmd(conn, l2cap_get_ident(conn),
 655                                        L2CAP_DISCONN_REQ, sizeof(req), &req);
 656                } else
 657                        l2cap_chan_del(sk, reason);
 658                break;
 659
 660        case BT_CONNECT2:
 661                if (sk->sk_type == SOCK_SEQPACKET) {
 662                        struct l2cap_conn *conn = l2cap_pi(sk)->conn;
 663                        struct l2cap_conn_rsp rsp;
 664                        __u16 result;
 665
 666                        if (bt_sk(sk)->defer_setup)
 667                                result = L2CAP_CR_SEC_BLOCK;
 668                        else
 669                                result = L2CAP_CR_BAD_PSM;
 670
 671                        rsp.scid   = cpu_to_le16(l2cap_pi(sk)->dcid);
 672                        rsp.dcid   = cpu_to_le16(l2cap_pi(sk)->scid);
 673                        rsp.result = cpu_to_le16(result);
 674                        rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
 675                        l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
 676                                        L2CAP_CONN_RSP, sizeof(rsp), &rsp);
 677                } else
 678                        l2cap_chan_del(sk, reason);
 679                break;
 680
 681        case BT_CONNECT:
 682        case BT_DISCONN:
 683                l2cap_chan_del(sk, reason);
 684                break;
 685
 686        default:
 687                sock_set_flag(sk, SOCK_ZAPPED);
 688                break;
 689        }
 690}
 691
 692/* Must be called on unlocked socket. */
 693static void l2cap_sock_close(struct sock *sk)
 694{
 695        l2cap_sock_clear_timer(sk);
 696        lock_sock(sk);
 697        __l2cap_sock_close(sk, ECONNRESET);
 698        release_sock(sk);
 699        l2cap_sock_kill(sk);
 700}
 701
 702static void l2cap_sock_init(struct sock *sk, struct sock *parent)
 703{
 704        struct l2cap_pinfo *pi = l2cap_pi(sk);
 705
 706        BT_DBG("sk %p", sk);
 707
 708        if (parent) {
 709                sk->sk_type = parent->sk_type;
 710                bt_sk(sk)->defer_setup = bt_sk(parent)->defer_setup;
 711
 712                pi->imtu = l2cap_pi(parent)->imtu;
 713                pi->omtu = l2cap_pi(parent)->omtu;
 714                pi->sec_level = l2cap_pi(parent)->sec_level;
 715                pi->role_switch = l2cap_pi(parent)->role_switch;
 716                pi->force_reliable = l2cap_pi(parent)->force_reliable;
 717        } else {
 718                pi->imtu = L2CAP_DEFAULT_MTU;
 719                pi->omtu = 0;
 720                pi->sec_level = BT_SECURITY_LOW;
 721                pi->role_switch = 0;
 722                pi->force_reliable = 0;
 723        }
 724
 725        /* Default config options */
 726        pi->conf_len = 0;
 727        pi->flush_to = L2CAP_DEFAULT_FLUSH_TO;
 728}
 729
 730static struct proto l2cap_proto = {
 731        .name           = "L2CAP",
 732        .owner          = THIS_MODULE,
 733        .obj_size       = sizeof(struct l2cap_pinfo)
 734};
 735
 736static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio)
 737{
 738        struct sock *sk;
 739
 740        sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto);
 741        if (!sk)
 742                return NULL;
 743
 744        sock_init_data(sock, sk);
 745        INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
 746
 747        sk->sk_destruct = l2cap_sock_destruct;
 748        sk->sk_sndtimeo = msecs_to_jiffies(L2CAP_CONN_TIMEOUT);
 749
 750        sock_reset_flag(sk, SOCK_ZAPPED);
 751
 752        sk->sk_protocol = proto;
 753        sk->sk_state = BT_OPEN;
 754
 755        setup_timer(&sk->sk_timer, l2cap_sock_timeout, (unsigned long) sk);
 756
 757        bt_sock_link(&l2cap_sk_list, sk);
 758        return sk;
 759}
 760
 761static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol)
 762{
 763        struct sock *sk;
 764
 765        BT_DBG("sock %p", sock);
 766
 767        sock->state = SS_UNCONNECTED;
 768
 769        if (sock->type != SOCK_SEQPACKET &&
 770                        sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
 771                return -ESOCKTNOSUPPORT;
 772
 773        if (sock->type == SOCK_RAW && !capable(CAP_NET_RAW))
 774                return -EPERM;
 775
 776        sock->ops = &l2cap_sock_ops;
 777
 778        sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC);
 779        if (!sk)
 780                return -ENOMEM;
 781
 782        l2cap_sock_init(sk, NULL);
 783        return 0;
 784}
 785
 786static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
 787{
 788        struct sock *sk = sock->sk;
 789        struct sockaddr_l2 la;
 790        int len, err = 0;
 791
 792        BT_DBG("sk %p", sk);
 793
 794        if (!addr || addr->sa_family != AF_BLUETOOTH)
 795                return -EINVAL;
 796
 797        memset(&la, 0, sizeof(la));
 798        len = min_t(unsigned int, sizeof(la), alen);
 799        memcpy(&la, addr, len);
 800
 801        if (la.l2_cid)
 802                return -EINVAL;
 803
 804        lock_sock(sk);
 805
 806        if (sk->sk_state != BT_OPEN) {
 807                err = -EBADFD;
 808                goto done;
 809        }
 810
 811        if (la.l2_psm && btohs(la.l2_psm) < 0x1001 &&
 812                                !capable(CAP_NET_BIND_SERVICE)) {
 813                err = -EACCES;
 814                goto done;
 815        }
 816
 817        write_lock_bh(&l2cap_sk_list.lock);
 818
 819        if (la.l2_psm && __l2cap_get_sock_by_addr(la.l2_psm, &la.l2_bdaddr)) {
 820                err = -EADDRINUSE;
 821        } else {
 822                /* Save source address */
 823                bacpy(&bt_sk(sk)->src, &la.l2_bdaddr);
 824                l2cap_pi(sk)->psm   = la.l2_psm;
 825                l2cap_pi(sk)->sport = la.l2_psm;
 826                sk->sk_state = BT_BOUND;
 827
 828                if (btohs(la.l2_psm) == 0x0001 || btohs(la.l2_psm) == 0x0003)
 829                        l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
 830        }
 831
 832        write_unlock_bh(&l2cap_sk_list.lock);
 833
 834done:
 835        release_sock(sk);
 836        return err;
 837}
 838
 839static int l2cap_do_connect(struct sock *sk)
 840{
 841        bdaddr_t *src = &bt_sk(sk)->src;
 842        bdaddr_t *dst = &bt_sk(sk)->dst;
 843        struct l2cap_conn *conn;
 844        struct hci_conn *hcon;
 845        struct hci_dev *hdev;
 846        __u8 auth_type;
 847        int err = 0;
 848
 849        BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
 850                                                        l2cap_pi(sk)->psm);
 851
 852        if (!(hdev = hci_get_route(dst, src)))
 853                return -EHOSTUNREACH;
 854
 855        hci_dev_lock_bh(hdev);
 856
 857        err = -ENOMEM;
 858
 859        if (sk->sk_type == SOCK_RAW) {
 860                switch (l2cap_pi(sk)->sec_level) {
 861                case BT_SECURITY_HIGH:
 862                        auth_type = HCI_AT_DEDICATED_BONDING_MITM;
 863                        break;
 864                case BT_SECURITY_MEDIUM:
 865                        auth_type = HCI_AT_DEDICATED_BONDING;
 866                        break;
 867                default:
 868                        auth_type = HCI_AT_NO_BONDING;
 869                        break;
 870                }
 871        } else if (l2cap_pi(sk)->psm == cpu_to_le16(0x0001)) {
 872                if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
 873                        auth_type = HCI_AT_NO_BONDING_MITM;
 874                else
 875                        auth_type = HCI_AT_NO_BONDING;
 876
 877                if (l2cap_pi(sk)->sec_level == BT_SECURITY_LOW)
 878                        l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
 879        } else {
 880                switch (l2cap_pi(sk)->sec_level) {
 881                case BT_SECURITY_HIGH:
 882                        auth_type = HCI_AT_GENERAL_BONDING_MITM;
 883                        break;
 884                case BT_SECURITY_MEDIUM:
 885                        auth_type = HCI_AT_GENERAL_BONDING;
 886                        break;
 887                default:
 888                        auth_type = HCI_AT_NO_BONDING;
 889                        break;
 890                }
 891        }
 892
 893        hcon = hci_connect(hdev, ACL_LINK, dst,
 894                                        l2cap_pi(sk)->sec_level, auth_type);
 895        if (!hcon)
 896                goto done;
 897
 898        conn = l2cap_conn_add(hcon, 0);
 899        if (!conn) {
 900                hci_conn_put(hcon);
 901                goto done;
 902        }
 903
 904        err = 0;
 905
 906        /* Update source addr of the socket */
 907        bacpy(src, conn->src);
 908
 909        l2cap_chan_add(conn, sk, NULL);
 910
 911        sk->sk_state = BT_CONNECT;
 912        l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
 913
 914        if (hcon->state == BT_CONNECTED) {
 915                if (sk->sk_type != SOCK_SEQPACKET) {
 916                        l2cap_sock_clear_timer(sk);
 917                        sk->sk_state = BT_CONNECTED;
 918                } else
 919                        l2cap_do_start(sk);
 920        }
 921
 922done:
 923        hci_dev_unlock_bh(hdev);
 924        hci_dev_put(hdev);
 925        return err;
 926}
 927
 928static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags)
 929{
 930        struct sock *sk = sock->sk;
 931        struct sockaddr_l2 la;
 932        int len, err = 0;
 933
 934        BT_DBG("sk %p", sk);
 935
 936        if (!addr || addr->sa_family != AF_BLUETOOTH)
 937                return -EINVAL;
 938
 939        memset(&la, 0, sizeof(la));
 940        len = min_t(unsigned int, sizeof(la), alen);
 941        memcpy(&la, addr, len);
 942
 943        if (la.l2_cid)
 944                return -EINVAL;
 945
 946        lock_sock(sk);
 947
 948        if (sk->sk_type == SOCK_SEQPACKET && !la.l2_psm) {
 949                err = -EINVAL;
 950                goto done;
 951        }
 952
 953        switch(sk->sk_state) {
 954        case BT_CONNECT:
 955        case BT_CONNECT2:
 956        case BT_CONFIG:
 957                /* Already connecting */
 958                goto wait;
 959
 960        case BT_CONNECTED:
 961                /* Already connected */
 962                goto done;
 963
 964        case BT_OPEN:
 965        case BT_BOUND:
 966                /* Can connect */
 967                break;
 968
 969        default:
 970                err = -EBADFD;
 971                goto done;
 972        }
 973
 974        /* Set destination address and psm */
 975        bacpy(&bt_sk(sk)->dst, &la.l2_bdaddr);
 976        l2cap_pi(sk)->psm = la.l2_psm;
 977
 978        if ((err = l2cap_do_connect(sk)))
 979                goto done;
 980
 981wait:
 982        err = bt_sock_wait_state(sk, BT_CONNECTED,
 983                        sock_sndtimeo(sk, flags & O_NONBLOCK));
 984done:
 985        release_sock(sk);
 986        return err;
 987}
 988
 989static int l2cap_sock_listen(struct socket *sock, int backlog)
 990{
 991        struct sock *sk = sock->sk;
 992        int err = 0;
 993
 994        BT_DBG("sk %p backlog %d", sk, backlog);
 995
 996        lock_sock(sk);
 997
 998        if (sk->sk_state != BT_BOUND || sock->type != SOCK_SEQPACKET) {
 999                err = -EBADFD;
1000                goto done;
1001        }
1002
1003        if (!l2cap_pi(sk)->psm) {
1004                bdaddr_t *src = &bt_sk(sk)->src;
1005                u16 psm;
1006
1007                err = -EINVAL;
1008
1009                write_lock_bh(&l2cap_sk_list.lock);
1010
1011                for (psm = 0x1001; psm < 0x1100; psm += 2)
1012                        if (!__l2cap_get_sock_by_addr(htobs(psm), src)) {
1013                                l2cap_pi(sk)->psm   = htobs(psm);
1014                                l2cap_pi(sk)->sport = htobs(psm);
1015                                err = 0;
1016                                break;
1017                        }
1018
1019                write_unlock_bh(&l2cap_sk_list.lock);
1020
1021                if (err < 0)
1022                        goto done;
1023        }
1024
1025        sk->sk_max_ack_backlog = backlog;
1026        sk->sk_ack_backlog = 0;
1027        sk->sk_state = BT_LISTEN;
1028
1029done:
1030        release_sock(sk);
1031        return err;
1032}
1033
1034static int l2cap_sock_accept(struct socket *sock, struct socket *newsock, int flags)
1035{
1036        DECLARE_WAITQUEUE(wait, current);
1037        struct sock *sk = sock->sk, *nsk;
1038        long timeo;
1039        int err = 0;
1040
1041        lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
1042
1043        if (sk->sk_state != BT_LISTEN) {
1044                err = -EBADFD;
1045                goto done;
1046        }
1047
1048        timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
1049
1050        BT_DBG("sk %p timeo %ld", sk, timeo);
1051
1052        /* Wait for an incoming connection. (wake-one). */
1053        add_wait_queue_exclusive(sk->sk_sleep, &wait);
1054        while (!(nsk = bt_accept_dequeue(sk, newsock))) {
1055                set_current_state(TASK_INTERRUPTIBLE);
1056                if (!timeo) {
1057                        err = -EAGAIN;
1058                        break;
1059                }
1060
1061                release_sock(sk);
1062                timeo = schedule_timeout(timeo);
1063                lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
1064
1065                if (sk->sk_state != BT_LISTEN) {
1066                        err = -EBADFD;
1067                        break;
1068                }
1069
1070                if (signal_pending(current)) {
1071                        err = sock_intr_errno(timeo);
1072                        break;
1073                }
1074        }
1075        set_current_state(TASK_RUNNING);
1076        remove_wait_queue(sk->sk_sleep, &wait);
1077
1078        if (err)
1079                goto done;
1080
1081        newsock->state = SS_CONNECTED;
1082
1083        BT_DBG("new socket %p", nsk);
1084
1085done:
1086        release_sock(sk);
1087        return err;
1088}
1089
1090static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr, int *len, int peer)
1091{
1092        struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
1093        struct sock *sk = sock->sk;
1094
1095        BT_DBG("sock %p, sk %p", sock, sk);
1096
1097        addr->sa_family = AF_BLUETOOTH;
1098        *len = sizeof(struct sockaddr_l2);
1099
1100        if (peer) {
1101                la->l2_psm = l2cap_pi(sk)->psm;
1102                bacpy(&la->l2_bdaddr, &bt_sk(sk)->dst);
1103                la->l2_cid = htobs(l2cap_pi(sk)->dcid);
1104        } else {
1105                la->l2_psm = l2cap_pi(sk)->sport;
1106                bacpy(&la->l2_bdaddr, &bt_sk(sk)->src);
1107                la->l2_cid = htobs(l2cap_pi(sk)->scid);
1108        }
1109
1110        return 0;
1111}
1112
1113static inline int l2cap_do_send(struct sock *sk, struct msghdr *msg, int len)
1114{
1115        struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1116        struct sk_buff *skb, **frag;
1117        int err, hlen, count, sent=0;
1118        struct l2cap_hdr *lh;
1119
1120        BT_DBG("sk %p len %d", sk, len);
1121
1122        /* First fragment (with L2CAP header) */
1123        if (sk->sk_type == SOCK_DGRAM)
1124                hlen = L2CAP_HDR_SIZE + 2;
1125        else
1126                hlen = L2CAP_HDR_SIZE;
1127
1128        count = min_t(unsigned int, (conn->mtu - hlen), len);
1129
1130        skb = bt_skb_send_alloc(sk, hlen + count,
1131                        msg->msg_flags & MSG_DONTWAIT, &err);
1132        if (!skb)
1133                return err;
1134
1135        /* Create L2CAP header */
1136        lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1137        lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1138        lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1139
1140        if (sk->sk_type == SOCK_DGRAM)
1141                put_unaligned(l2cap_pi(sk)->psm, (__le16 *) skb_put(skb, 2));
1142
1143        if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count)) {
1144                err = -EFAULT;
1145                goto fail;
1146        }
1147
1148        sent += count;
1149        len  -= count;
1150
1151        /* Continuation fragments (no L2CAP header) */
1152        frag = &skb_shinfo(skb)->frag_list;
1153        while (len) {
1154                count = min_t(unsigned int, conn->mtu, len);
1155
1156                *frag = bt_skb_send_alloc(sk, count, msg->msg_flags & MSG_DONTWAIT, &err);
1157                if (!*frag)
1158                        goto fail;
1159
1160                if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count)) {
1161                        err = -EFAULT;
1162                        goto fail;
1163                }
1164
1165                sent += count;
1166                len  -= count;
1167
1168                frag = &(*frag)->next;
1169        }
1170
1171        if ((err = hci_send_acl(conn->hcon, skb, 0)) < 0)
1172                goto fail;
1173
1174        return sent;
1175
1176fail:
1177        kfree_skb(skb);
1178        return err;
1179}
1180
1181static int l2cap_sock_sendmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len)
1182{
1183        struct sock *sk = sock->sk;
1184        int err = 0;
1185
1186        BT_DBG("sock %p, sk %p", sock, sk);
1187
1188        err = sock_error(sk);
1189        if (err)
1190                return err;
1191
1192        if (msg->msg_flags & MSG_OOB)
1193                return -EOPNOTSUPP;
1194
1195        /* Check outgoing MTU */
1196        if (sk->sk_type != SOCK_RAW && len > l2cap_pi(sk)->omtu)
1197                return -EINVAL;
1198
1199        lock_sock(sk);
1200
1201        if (sk->sk_state == BT_CONNECTED)
1202                err = l2cap_do_send(sk, msg, len);
1203        else
1204                err = -ENOTCONN;
1205
1206        release_sock(sk);
1207        return err;
1208}
1209
1210static int l2cap_sock_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len, int flags)
1211{
1212        struct sock *sk = sock->sk;
1213
1214        lock_sock(sk);
1215
1216        if (sk->sk_state == BT_CONNECT2 && bt_sk(sk)->defer_setup) {
1217                struct l2cap_conn_rsp rsp;
1218
1219                sk->sk_state = BT_CONFIG;
1220
1221                rsp.scid   = cpu_to_le16(l2cap_pi(sk)->dcid);
1222                rsp.dcid   = cpu_to_le16(l2cap_pi(sk)->scid);
1223                rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1224                rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1225                l2cap_send_cmd(l2cap_pi(sk)->conn, l2cap_pi(sk)->ident,
1226                                        L2CAP_CONN_RSP, sizeof(rsp), &rsp);
1227
1228                release_sock(sk);
1229                return 0;
1230        }
1231
1232        release_sock(sk);
1233
1234        return bt_sock_recvmsg(iocb, sock, msg, len, flags);
1235}
1236
1237static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __user *optval, int optlen)
1238{
1239        struct sock *sk = sock->sk;
1240        struct l2cap_options opts;
1241        int len, err = 0;
1242        u32 opt;
1243
1244        BT_DBG("sk %p", sk);
1245
1246        lock_sock(sk);
1247
1248        switch (optname) {
1249        case L2CAP_OPTIONS:
1250                opts.imtu     = l2cap_pi(sk)->imtu;
1251                opts.omtu     = l2cap_pi(sk)->omtu;
1252                opts.flush_to = l2cap_pi(sk)->flush_to;
1253                opts.mode     = L2CAP_MODE_BASIC;
1254
1255                len = min_t(unsigned int, sizeof(opts), optlen);
1256                if (copy_from_user((char *) &opts, optval, len)) {
1257                        err = -EFAULT;
1258                        break;
1259                }
1260
1261                l2cap_pi(sk)->imtu  = opts.imtu;
1262                l2cap_pi(sk)->omtu  = opts.omtu;
1263                break;
1264
1265        case L2CAP_LM:
1266                if (get_user(opt, (u32 __user *) optval)) {
1267                        err = -EFAULT;
1268                        break;
1269                }
1270
1271                if (opt & L2CAP_LM_AUTH)
1272                        l2cap_pi(sk)->sec_level = BT_SECURITY_LOW;
1273                if (opt & L2CAP_LM_ENCRYPT)
1274                        l2cap_pi(sk)->sec_level = BT_SECURITY_MEDIUM;
1275                if (opt & L2CAP_LM_SECURE)
1276                        l2cap_pi(sk)->sec_level = BT_SECURITY_HIGH;
1277
1278                l2cap_pi(sk)->role_switch    = (opt & L2CAP_LM_MASTER);
1279                l2cap_pi(sk)->force_reliable = (opt & L2CAP_LM_RELIABLE);
1280                break;
1281
1282        default:
1283                err = -ENOPROTOOPT;
1284                break;
1285        }
1286
1287        release_sock(sk);
1288        return err;
1289}
1290
1291static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, char __user *optval, int optlen)
1292{
1293        struct sock *sk = sock->sk;
1294        struct bt_security sec;
1295        int len, err = 0;
1296        u32 opt;
1297
1298        BT_DBG("sk %p", sk);
1299
1300        if (level == SOL_L2CAP)
1301                return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
1302
1303        if (level != SOL_BLUETOOTH)
1304                return -ENOPROTOOPT;
1305
1306        lock_sock(sk);
1307
1308        switch (optname) {
1309        case BT_SECURITY:
1310                if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_RAW) {
1311                        err = -EINVAL;
1312                        break;
1313                }
1314
1315                sec.level = BT_SECURITY_LOW;
1316
1317                len = min_t(unsigned int, sizeof(sec), optlen);
1318                if (copy_from_user((char *) &sec, optval, len)) {
1319                        err = -EFAULT;
1320                        break;
1321                }
1322
1323                if (sec.level < BT_SECURITY_LOW ||
1324                                        sec.level > BT_SECURITY_HIGH) {
1325                        err = -EINVAL;
1326                        break;
1327                }
1328
1329                l2cap_pi(sk)->sec_level = sec.level;
1330                break;
1331
1332        case BT_DEFER_SETUP:
1333                if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
1334                        err = -EINVAL;
1335                        break;
1336                }
1337
1338                if (get_user(opt, (u32 __user *) optval)) {
1339                        err = -EFAULT;
1340                        break;
1341                }
1342
1343                bt_sk(sk)->defer_setup = opt;
1344                break;
1345
1346        default:
1347                err = -ENOPROTOOPT;
1348                break;
1349        }
1350
1351        release_sock(sk);
1352        return err;
1353}
1354
1355static int l2cap_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen)
1356{
1357        struct sock *sk = sock->sk;
1358        struct l2cap_options opts;
1359        struct l2cap_conninfo cinfo;
1360        int len, err = 0;
1361        u32 opt;
1362
1363        BT_DBG("sk %p", sk);
1364
1365        if (get_user(len, optlen))
1366                return -EFAULT;
1367
1368        lock_sock(sk);
1369
1370        switch (optname) {
1371        case L2CAP_OPTIONS:
1372                opts.imtu     = l2cap_pi(sk)->imtu;
1373                opts.omtu     = l2cap_pi(sk)->omtu;
1374                opts.flush_to = l2cap_pi(sk)->flush_to;
1375                opts.mode     = L2CAP_MODE_BASIC;
1376
1377                len = min_t(unsigned int, len, sizeof(opts));
1378                if (copy_to_user(optval, (char *) &opts, len))
1379                        err = -EFAULT;
1380
1381                break;
1382
1383        case L2CAP_LM:
1384                switch (l2cap_pi(sk)->sec_level) {
1385                case BT_SECURITY_LOW:
1386                        opt = L2CAP_LM_AUTH;
1387                        break;
1388                case BT_SECURITY_MEDIUM:
1389                        opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
1390                        break;
1391                case BT_SECURITY_HIGH:
1392                        opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
1393                                                        L2CAP_LM_SECURE;
1394                        break;
1395                default:
1396                        opt = 0;
1397                        break;
1398                }
1399
1400                if (l2cap_pi(sk)->role_switch)
1401                        opt |= L2CAP_LM_MASTER;
1402
1403                if (l2cap_pi(sk)->force_reliable)
1404                        opt |= L2CAP_LM_RELIABLE;
1405
1406                if (put_user(opt, (u32 __user *) optval))
1407                        err = -EFAULT;
1408                break;
1409
1410        case L2CAP_CONNINFO:
1411                if (sk->sk_state != BT_CONNECTED &&
1412                                        !(sk->sk_state == BT_CONNECT2 &&
1413                                                bt_sk(sk)->defer_setup)) {
1414                        err = -ENOTCONN;
1415                        break;
1416                }
1417
1418                cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle;
1419                memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3);
1420
1421                len = min_t(unsigned int, len, sizeof(cinfo));
1422                if (copy_to_user(optval, (char *) &cinfo, len))
1423                        err = -EFAULT;
1424
1425                break;
1426
1427        default:
1428                err = -ENOPROTOOPT;
1429                break;
1430        }
1431
1432        release_sock(sk);
1433        return err;
1434}
1435
1436static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen)
1437{
1438        struct sock *sk = sock->sk;
1439        struct bt_security sec;
1440        int len, err = 0;
1441
1442        BT_DBG("sk %p", sk);
1443
1444        if (level == SOL_L2CAP)
1445                return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
1446
1447        if (level != SOL_BLUETOOTH)
1448                return -ENOPROTOOPT;
1449
1450        if (get_user(len, optlen))
1451                return -EFAULT;
1452
1453        lock_sock(sk);
1454
1455        switch (optname) {
1456        case BT_SECURITY:
1457                if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_RAW) {
1458                        err = -EINVAL;
1459                        break;
1460                }
1461
1462                sec.level = l2cap_pi(sk)->sec_level;
1463
1464                len = min_t(unsigned int, len, sizeof(sec));
1465                if (copy_to_user(optval, (char *) &sec, len))
1466                        err = -EFAULT;
1467
1468                break;
1469
1470        case BT_DEFER_SETUP:
1471                if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
1472                        err = -EINVAL;
1473                        break;
1474                }
1475
1476                if (put_user(bt_sk(sk)->defer_setup, (u32 __user *) optval))
1477                        err = -EFAULT;
1478
1479                break;
1480
1481        default:
1482                err = -ENOPROTOOPT;
1483                break;
1484        }
1485
1486        release_sock(sk);
1487        return err;
1488}
1489
1490static int l2cap_sock_shutdown(struct socket *sock, int how)
1491{
1492        struct sock *sk = sock->sk;
1493        int err = 0;
1494
1495        BT_DBG("sock %p, sk %p", sock, sk);
1496
1497        if (!sk)
1498                return 0;
1499
1500        lock_sock(sk);
1501        if (!sk->sk_shutdown) {
1502                sk->sk_shutdown = SHUTDOWN_MASK;
1503                l2cap_sock_clear_timer(sk);
1504                __l2cap_sock_close(sk, 0);
1505
1506                if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime)
1507                        err = bt_sock_wait_state(sk, BT_CLOSED,
1508                                                        sk->sk_lingertime);
1509        }
1510        release_sock(sk);
1511        return err;
1512}
1513
1514static int l2cap_sock_release(struct socket *sock)
1515{
1516        struct sock *sk = sock->sk;
1517        int err;
1518
1519        BT_DBG("sock %p, sk %p", sock, sk);
1520
1521        if (!sk)
1522                return 0;
1523
1524        err = l2cap_sock_shutdown(sock, 2);
1525
1526        sock_orphan(sk);
1527        l2cap_sock_kill(sk);
1528        return err;
1529}
1530
1531static void l2cap_chan_ready(struct sock *sk)
1532{
1533        struct sock *parent = bt_sk(sk)->parent;
1534
1535        BT_DBG("sk %p, parent %p", sk, parent);
1536
1537        l2cap_pi(sk)->conf_state = 0;
1538        l2cap_sock_clear_timer(sk);
1539
1540        if (!parent) {
1541                /* Outgoing channel.
1542                 * Wake up socket sleeping on connect.
1543                 */
1544                sk->sk_state = BT_CONNECTED;
1545                sk->sk_state_change(sk);
1546        } else {
1547                /* Incoming channel.
1548                 * Wake up socket sleeping on accept.
1549                 */
1550                parent->sk_data_ready(parent, 0);
1551        }
1552}
1553
1554/* Copy frame to all raw sockets on that connection */
1555static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
1556{
1557        struct l2cap_chan_list *l = &conn->chan_list;
1558        struct sk_buff *nskb;
1559        struct sock * sk;
1560
1561        BT_DBG("conn %p", conn);
1562
1563        read_lock(&l->lock);
1564        for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
1565                if (sk->sk_type != SOCK_RAW)
1566                        continue;
1567
1568                /* Don't send frame to the socket it came from */
1569                if (skb->sk == sk)
1570                        continue;
1571
1572                if (!(nskb = skb_clone(skb, GFP_ATOMIC)))
1573                        continue;
1574
1575                if (sock_queue_rcv_skb(sk, nskb))
1576                        kfree_skb(nskb);
1577        }
1578        read_unlock(&l->lock);
1579}
1580
1581/* ---- L2CAP signalling commands ---- */
1582static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
1583                                u8 code, u8 ident, u16 dlen, void *data)
1584{
1585        struct sk_buff *skb, **frag;
1586        struct l2cap_cmd_hdr *cmd;
1587        struct l2cap_hdr *lh;
1588        int len, count;
1589
1590        BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d", conn, code, ident, dlen);
1591
1592        len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
1593        count = min_t(unsigned int, conn->mtu, len);
1594
1595        skb = bt_skb_alloc(count, GFP_ATOMIC);
1596        if (!skb)
1597                return NULL;
1598
1599        lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1600        lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
1601        lh->cid = cpu_to_le16(0x0001);
1602
1603        cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
1604        cmd->code  = code;
1605        cmd->ident = ident;
1606        cmd->len   = cpu_to_le16(dlen);
1607
1608        if (dlen) {
1609                count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
1610                memcpy(skb_put(skb, count), data, count);
1611                data += count;
1612        }
1613
1614        len -= skb->len;
1615
1616        /* Continuation fragments (no L2CAP header) */
1617        frag = &skb_shinfo(skb)->frag_list;
1618        while (len) {
1619                count = min_t(unsigned int, conn->mtu, len);
1620
1621                *frag = bt_skb_alloc(count, GFP_ATOMIC);
1622                if (!*frag)
1623                        goto fail;
1624
1625                memcpy(skb_put(*frag, count), data, count);
1626
1627                len  -= count;
1628                data += count;
1629
1630                frag = &(*frag)->next;
1631        }
1632
1633        return skb;
1634
1635fail:
1636        kfree_skb(skb);
1637        return NULL;
1638}
1639
1640static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
1641{
1642        struct l2cap_conf_opt *opt = *ptr;
1643        int len;
1644
1645        len = L2CAP_CONF_OPT_SIZE + opt->len;
1646        *ptr += len;
1647
1648        *type = opt->type;
1649        *olen = opt->len;
1650
1651        switch (opt->len) {
1652        case 1:
1653                *val = *((u8 *) opt->val);
1654                break;
1655
1656        case 2:
1657                *val = __le16_to_cpu(*((__le16 *) opt->val));
1658                break;
1659
1660        case 4:
1661                *val = __le32_to_cpu(*((__le32 *) opt->val));
1662                break;
1663
1664        default:
1665                *val = (unsigned long) opt->val;
1666                break;
1667        }
1668
1669        BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
1670        return len;
1671}
1672
1673static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
1674{
1675        struct l2cap_conf_opt *opt = *ptr;
1676
1677        BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
1678
1679        opt->type = type;
1680        opt->len  = len;
1681
1682        switch (len) {
1683        case 1:
1684                *((u8 *) opt->val)  = val;
1685                break;
1686
1687        case 2:
1688                *((__le16 *) opt->val) = cpu_to_le16(val);
1689                break;
1690
1691        case 4:
1692                *((__le32 *) opt->val) = cpu_to_le32(val);
1693                break;
1694
1695        default:
1696                memcpy(opt->val, (void *) val, len);
1697                break;
1698        }
1699
1700        *ptr += L2CAP_CONF_OPT_SIZE + len;
1701}
1702
1703static int l2cap_build_conf_req(struct sock *sk, void *data)
1704{
1705        struct l2cap_pinfo *pi = l2cap_pi(sk);
1706        struct l2cap_conf_req *req = data;
1707        void *ptr = req->data;
1708
1709        BT_DBG("sk %p", sk);
1710
1711        if (pi->imtu != L2CAP_DEFAULT_MTU)
1712                l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->imtu);
1713
1714        /* FIXME: Need actual value of the flush timeout */
1715        //if (flush_to != L2CAP_DEFAULT_FLUSH_TO)
1716        //   l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, 2, pi->flush_to);
1717
1718        req->dcid  = cpu_to_le16(pi->dcid);
1719        req->flags = cpu_to_le16(0);
1720
1721        return ptr - data;
1722}
1723
1724static int l2cap_parse_conf_req(struct sock *sk, void *data)
1725{
1726        struct l2cap_pinfo *pi = l2cap_pi(sk);
1727        struct l2cap_conf_rsp *rsp = data;
1728        void *ptr = rsp->data;
1729        void *req = pi->conf_req;
1730        int len = pi->conf_len;
1731        int type, hint, olen;
1732        unsigned long val;
1733        struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
1734        u16 mtu = L2CAP_DEFAULT_MTU;
1735        u16 result = L2CAP_CONF_SUCCESS;
1736
1737        BT_DBG("sk %p", sk);
1738
1739        while (len >= L2CAP_CONF_OPT_SIZE) {
1740                len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1741
1742                hint  = type & 0x80;
1743                type &= 0x7f;
1744
1745                switch (type) {
1746                case L2CAP_CONF_MTU:
1747                        mtu = val;
1748                        break;
1749
1750                case L2CAP_CONF_FLUSH_TO:
1751                        pi->flush_to = val;
1752                        break;
1753
1754                case L2CAP_CONF_QOS:
1755                        break;
1756
1757                case L2CAP_CONF_RFC:
1758                        if (olen == sizeof(rfc))
1759                                memcpy(&rfc, (void *) val, olen);
1760                        break;
1761
1762                default:
1763                        if (hint)
1764                                break;
1765
1766                        result = L2CAP_CONF_UNKNOWN;
1767                        *((u8 *) ptr++) = type;
1768                        break;
1769                }
1770        }
1771
1772        if (result == L2CAP_CONF_SUCCESS) {
1773                /* Configure output options and let the other side know
1774                 * which ones we don't like. */
1775
1776                if (rfc.mode == L2CAP_MODE_BASIC) {
1777                        if (mtu < pi->omtu)
1778                                result = L2CAP_CONF_UNACCEPT;
1779                        else {
1780                                pi->omtu = mtu;
1781                                pi->conf_state |= L2CAP_CONF_OUTPUT_DONE;
1782                        }
1783
1784                        l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->omtu);
1785                } else {
1786                        result = L2CAP_CONF_UNACCEPT;
1787
1788                        memset(&rfc, 0, sizeof(rfc));
1789                        rfc.mode = L2CAP_MODE_BASIC;
1790
1791                        l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
1792                                                sizeof(rfc), (unsigned long) &rfc);
1793                }
1794        }
1795
1796        rsp->scid   = cpu_to_le16(pi->dcid);
1797        rsp->result = cpu_to_le16(result);
1798        rsp->flags  = cpu_to_le16(0x0000);
1799
1800        return ptr - data;
1801}
1802
1803static int l2cap_build_conf_rsp(struct sock *sk, void *data, u16 result, u16 flags)
1804{
1805        struct l2cap_conf_rsp *rsp = data;
1806        void *ptr = rsp->data;
1807
1808        BT_DBG("sk %p", sk);
1809
1810        rsp->scid   = cpu_to_le16(l2cap_pi(sk)->dcid);
1811        rsp->result = cpu_to_le16(result);
1812        rsp->flags  = cpu_to_le16(flags);
1813
1814        return ptr - data;
1815}
1816
1817static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
1818{
1819        struct l2cap_cmd_rej *rej = (struct l2cap_cmd_rej *) data;
1820
1821        if (rej->reason != 0x0000)
1822                return 0;
1823
1824        if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
1825                                        cmd->ident == conn->info_ident) {
1826                del_timer(&conn->info_timer);
1827
1828                conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
1829                conn->info_ident = 0;
1830
1831                l2cap_conn_start(conn);
1832        }
1833
1834        return 0;
1835}
1836
1837static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
1838{
1839        struct l2cap_chan_list *list = &conn->chan_list;
1840        struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
1841        struct l2cap_conn_rsp rsp;
1842        struct sock *sk, *parent;
1843        int result, status = L2CAP_CS_NO_INFO;
1844
1845        u16 dcid = 0, scid = __le16_to_cpu(req->scid);
1846        __le16 psm = req->psm;
1847
1848        BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
1849
1850        /* Check if we have socket listening on psm */
1851        parent = l2cap_get_sock_by_psm(BT_LISTEN, psm, conn->src);
1852        if (!parent) {
1853                result = L2CAP_CR_BAD_PSM;
1854                goto sendresp;
1855        }
1856
1857        /* Check if the ACL is secure enough (if not SDP) */
1858        if (psm != cpu_to_le16(0x0001) &&
1859                                !hci_conn_check_link_mode(conn->hcon)) {
1860                conn->disc_reason = 0x05;
1861                result = L2CAP_CR_SEC_BLOCK;
1862                goto response;
1863        }
1864
1865        result = L2CAP_CR_NO_MEM;
1866
1867        /* Check for backlog size */
1868        if (sk_acceptq_is_full(parent)) {
1869                BT_DBG("backlog full %d", parent->sk_ack_backlog);
1870                goto response;
1871        }
1872
1873        sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP, GFP_ATOMIC);
1874        if (!sk)
1875                goto response;
1876
1877        write_lock_bh(&list->lock);
1878
1879        /* Check if we already have channel with that dcid */
1880        if (__l2cap_get_chan_by_dcid(list, scid)) {
1881                write_unlock_bh(&list->lock);
1882                sock_set_flag(sk, SOCK_ZAPPED);
1883                l2cap_sock_kill(sk);
1884                goto response;
1885        }
1886
1887        hci_conn_hold(conn->hcon);
1888
1889        l2cap_sock_init(sk, parent);
1890        bacpy(&bt_sk(sk)->src, conn->src);
1891        bacpy(&bt_sk(sk)->dst, conn->dst);
1892        l2cap_pi(sk)->psm  = psm;
1893        l2cap_pi(sk)->dcid = scid;
1894
1895        __l2cap_chan_add(conn, sk, parent);
1896        dcid = l2cap_pi(sk)->scid;
1897
1898        l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
1899
1900        l2cap_pi(sk)->ident = cmd->ident;
1901
1902        if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
1903                if (l2cap_check_security(sk)) {
1904                        if (bt_sk(sk)->defer_setup) {
1905                                sk->sk_state = BT_CONNECT2;
1906                                result = L2CAP_CR_PEND;
1907                                status = L2CAP_CS_AUTHOR_PEND;
1908                                parent->sk_data_ready(parent, 0);
1909                        } else {
1910                                sk->sk_state = BT_CONFIG;
1911                                result = L2CAP_CR_SUCCESS;
1912                                status = L2CAP_CS_NO_INFO;
1913                        }
1914                } else {
1915                        sk->sk_state = BT_CONNECT2;
1916                        result = L2CAP_CR_PEND;
1917                        status = L2CAP_CS_AUTHEN_PEND;
1918                }
1919        } else {
1920                sk->sk_state = BT_CONNECT2;
1921                result = L2CAP_CR_PEND;
1922                status = L2CAP_CS_NO_INFO;
1923        }
1924
1925        write_unlock_bh(&list->lock);
1926
1927response:
1928        bh_unlock_sock(parent);
1929
1930sendresp:
1931        rsp.scid   = cpu_to_le16(scid);
1932        rsp.dcid   = cpu_to_le16(dcid);
1933        rsp.result = cpu_to_le16(result);
1934        rsp.status = cpu_to_le16(status);
1935        l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
1936
1937        if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
1938                struct l2cap_info_req info;
1939                info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
1940
1941                conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1942                conn->info_ident = l2cap_get_ident(conn);
1943
1944                mod_timer(&conn->info_timer, jiffies +
1945                                        msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
1946
1947                l2cap_send_cmd(conn, conn->info_ident,
1948                                        L2CAP_INFO_REQ, sizeof(info), &info);
1949        }
1950
1951        return 0;
1952}
1953
1954static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
1955{
1956        struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
1957        u16 scid, dcid, result, status;
1958        struct sock *sk;
1959        u8 req[128];
1960
1961        scid   = __le16_to_cpu(rsp->scid);
1962        dcid   = __le16_to_cpu(rsp->dcid);
1963        result = __le16_to_cpu(rsp->result);
1964        status = __le16_to_cpu(rsp->status);
1965
1966        BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status);
1967
1968        if (scid) {
1969                if (!(sk = l2cap_get_chan_by_scid(&conn->chan_list, scid)))
1970                        return 0;
1971        } else {
1972                if (!(sk = l2cap_get_chan_by_ident(&conn->chan_list, cmd->ident)))
1973                        return 0;
1974        }
1975
1976        switch (result) {
1977        case L2CAP_CR_SUCCESS:
1978                sk->sk_state = BT_CONFIG;
1979                l2cap_pi(sk)->ident = 0;
1980                l2cap_pi(sk)->dcid = dcid;
1981                l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
1982
1983                l2cap_pi(sk)->conf_state &= ~L2CAP_CONF_CONNECT_PEND;
1984
1985                l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
1986                                        l2cap_build_conf_req(sk, req), req);
1987                break;
1988
1989        case L2CAP_CR_PEND:
1990                l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
1991                break;
1992
1993        default:
1994                l2cap_chan_del(sk, ECONNREFUSED);
1995                break;
1996        }
1997
1998        bh_unlock_sock(sk);
1999        return 0;
2000}
2001
2002static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
2003{
2004        struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
2005        u16 dcid, flags;
2006        u8 rsp[64];
2007        struct sock *sk;
2008        int len;
2009
2010        dcid  = __le16_to_cpu(req->dcid);
2011        flags = __le16_to_cpu(req->flags);
2012
2013        BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
2014
2015        if (!(sk = l2cap_get_chan_by_scid(&conn->chan_list, dcid)))
2016                return -ENOENT;
2017
2018        if (sk->sk_state == BT_DISCONN)
2019                goto unlock;
2020
2021        /* Reject if config buffer is too small. */
2022        len = cmd_len - sizeof(*req);
2023        if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
2024                l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2025                                l2cap_build_conf_rsp(sk, rsp,
2026                                        L2CAP_CONF_REJECT, flags), rsp);
2027                goto unlock;
2028        }
2029
2030        /* Store config. */
2031        memcpy(l2cap_pi(sk)->conf_req + l2cap_pi(sk)->conf_len, req->data, len);
2032        l2cap_pi(sk)->conf_len += len;
2033
2034        if (flags & 0x0001) {
2035                /* Incomplete config. Send empty response. */
2036                l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2037                                l2cap_build_conf_rsp(sk, rsp,
2038                                        L2CAP_CONF_SUCCESS, 0x0001), rsp);
2039                goto unlock;
2040        }
2041
2042        /* Complete config. */
2043        len = l2cap_parse_conf_req(sk, rsp);
2044        if (len < 0)
2045                goto unlock;
2046
2047        l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
2048
2049        /* Reset config buffer. */
2050        l2cap_pi(sk)->conf_len = 0;
2051
2052        if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE))
2053                goto unlock;
2054
2055        if (l2cap_pi(sk)->conf_state & L2CAP_CONF_INPUT_DONE) {
2056                sk->sk_state = BT_CONNECTED;
2057                l2cap_chan_ready(sk);
2058                goto unlock;
2059        }
2060
2061        if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT)) {
2062                u8 buf[64];
2063                l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2064                                        l2cap_build_conf_req(sk, buf), buf);
2065        }
2066
2067unlock:
2068        bh_unlock_sock(sk);
2069        return 0;
2070}
2071
2072static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2073{
2074        struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
2075        u16 scid, flags, result;
2076        struct sock *sk;
2077
2078        scid   = __le16_to_cpu(rsp->scid);
2079        flags  = __le16_to_cpu(rsp->flags);
2080        result = __le16_to_cpu(rsp->result);
2081
2082        BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x", scid, flags, result);
2083
2084        if (!(sk = l2cap_get_chan_by_scid(&conn->chan_list, scid)))
2085                return 0;
2086
2087        switch (result) {
2088        case L2CAP_CONF_SUCCESS:
2089                break;
2090
2091        case L2CAP_CONF_UNACCEPT:
2092                if (++l2cap_pi(sk)->conf_retry < L2CAP_CONF_MAX_RETRIES) {
2093                        char req[128];
2094                        /* It does not make sense to adjust L2CAP parameters
2095                         * that are currently defined in the spec. We simply
2096                         * resend config request that we sent earlier. It is
2097                         * stupid, but it helps qualification testing which
2098                         * expects at least some response from us. */
2099                        l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2100                                                l2cap_build_conf_req(sk, req), req);
2101                        goto done;
2102                }
2103
2104        default:
2105                sk->sk_state = BT_DISCONN;
2106                sk->sk_err = ECONNRESET;
2107                l2cap_sock_set_timer(sk, HZ * 5);
2108                {
2109                        struct l2cap_disconn_req req;
2110                        req.dcid = cpu_to_le16(l2cap_pi(sk)->dcid);
2111                        req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
2112                        l2cap_send_cmd(conn, l2cap_get_ident(conn),
2113                                        L2CAP_DISCONN_REQ, sizeof(req), &req);
2114                }
2115                goto done;
2116        }
2117
2118        if (flags & 0x01)
2119                goto done;
2120
2121        l2cap_pi(sk)->conf_state |= L2CAP_CONF_INPUT_DONE;
2122
2123        if (l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE) {
2124                sk->sk_state = BT_CONNECTED;
2125                l2cap_chan_ready(sk);
2126        }
2127
2128done:
2129        bh_unlock_sock(sk);
2130        return 0;
2131}
2132
2133static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2134{
2135        struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
2136        struct l2cap_disconn_rsp rsp;
2137        u16 dcid, scid;
2138        struct sock *sk;
2139
2140        scid = __le16_to_cpu(req->scid);
2141        dcid = __le16_to_cpu(req->dcid);
2142
2143        BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
2144
2145        if (!(sk = l2cap_get_chan_by_scid(&conn->chan_list, dcid)))
2146                return 0;
2147
2148        rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
2149        rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
2150        l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
2151
2152        sk->sk_shutdown = SHUTDOWN_MASK;
2153
2154        l2cap_chan_del(sk, ECONNRESET);
2155        bh_unlock_sock(sk);
2156
2157        l2cap_sock_kill(sk);
2158        return 0;
2159}
2160
2161static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2162{
2163        struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
2164        u16 dcid, scid;
2165        struct sock *sk;
2166
2167        scid = __le16_to_cpu(rsp->scid);
2168        dcid = __le16_to_cpu(rsp->dcid);
2169
2170        BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
2171
2172        if (!(sk = l2cap_get_chan_by_scid(&conn->chan_list, scid)))
2173                return 0;
2174
2175        l2cap_chan_del(sk, 0);
2176        bh_unlock_sock(sk);
2177
2178        l2cap_sock_kill(sk);
2179        return 0;
2180}
2181
2182static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2183{
2184        struct l2cap_info_req *req = (struct l2cap_info_req *) data;
2185        u16 type;
2186
2187        type = __le16_to_cpu(req->type);
2188
2189        BT_DBG("type 0x%4.4x", type);
2190
2191        if (type == L2CAP_IT_FEAT_MASK) {
2192                u8 buf[8];
2193                struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2194                rsp->type   = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2195                rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
2196                put_unaligned(cpu_to_le32(l2cap_feat_mask), (__le32 *) rsp->data);
2197                l2cap_send_cmd(conn, cmd->ident,
2198                                        L2CAP_INFO_RSP, sizeof(buf), buf);
2199        } else if (type == L2CAP_IT_FIXED_CHAN) {
2200                u8 buf[12];
2201                struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2202                rsp->type   = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2203                rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
2204                memcpy(buf + 4, l2cap_fixed_chan, 8);
2205                l2cap_send_cmd(conn, cmd->ident,
2206                                        L2CAP_INFO_RSP, sizeof(buf), buf);
2207        } else {
2208                struct l2cap_info_rsp rsp;
2209                rsp.type   = cpu_to_le16(type);
2210                rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
2211                l2cap_send_cmd(conn, cmd->ident,
2212                                        L2CAP_INFO_RSP, sizeof(rsp), &rsp);
2213        }
2214
2215        return 0;
2216}
2217
2218static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2219{
2220        struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
2221        u16 type, result;
2222
2223        type   = __le16_to_cpu(rsp->type);
2224        result = __le16_to_cpu(rsp->result);
2225
2226        BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
2227
2228        del_timer(&conn->info_timer);
2229
2230        if (type == L2CAP_IT_FEAT_MASK) {
2231                conn->feat_mask = get_unaligned_le32(rsp->data);
2232
2233                if (conn->feat_mask & 0x0080) {
2234                        struct l2cap_info_req req;
2235                        req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2236
2237                        conn->info_ident = l2cap_get_ident(conn);
2238
2239                        l2cap_send_cmd(conn, conn->info_ident,
2240                                        L2CAP_INFO_REQ, sizeof(req), &req);
2241                } else {
2242                        conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2243                        conn->info_ident = 0;
2244
2245                        l2cap_conn_start(conn);
2246                }
2247        } else if (type == L2CAP_IT_FIXED_CHAN) {
2248                conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2249                conn->info_ident = 0;
2250
2251                l2cap_conn_start(conn);
2252        }
2253
2254        return 0;
2255}
2256
2257static inline void l2cap_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb)
2258{
2259        u8 *data = skb->data;
2260        int len = skb->len;
2261        struct l2cap_cmd_hdr cmd;
2262        int err = 0;
2263
2264        l2cap_raw_recv(conn, skb);
2265
2266        while (len >= L2CAP_CMD_HDR_SIZE) {
2267                u16 cmd_len;
2268                memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
2269                data += L2CAP_CMD_HDR_SIZE;
2270                len  -= L2CAP_CMD_HDR_SIZE;
2271
2272                cmd_len = le16_to_cpu(cmd.len);
2273
2274                BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
2275
2276                if (cmd_len > len || !cmd.ident) {
2277                        BT_DBG("corrupted command");
2278                        break;
2279                }
2280
2281                switch (cmd.code) {
2282                case L2CAP_COMMAND_REJ:
2283                        l2cap_command_rej(conn, &cmd, data);
2284                        break;
2285
2286                case L2CAP_CONN_REQ:
2287                        err = l2cap_connect_req(conn, &cmd, data);
2288                        break;
2289
2290                case L2CAP_CONN_RSP:
2291                        err = l2cap_connect_rsp(conn, &cmd, data);
2292                        break;
2293
2294                case L2CAP_CONF_REQ:
2295                        err = l2cap_config_req(conn, &cmd, cmd_len, data);
2296                        break;
2297
2298                case L2CAP_CONF_RSP:
2299                        err = l2cap_config_rsp(conn, &cmd, data);
2300                        break;
2301
2302                case L2CAP_DISCONN_REQ:
2303                        err = l2cap_disconnect_req(conn, &cmd, data);
2304                        break;
2305
2306                case L2CAP_DISCONN_RSP:
2307                        err = l2cap_disconnect_rsp(conn, &cmd, data);
2308                        break;
2309
2310                case L2CAP_ECHO_REQ:
2311                        l2cap_send_cmd(conn, cmd.ident, L2CAP_ECHO_RSP, cmd_len, data);
2312                        break;
2313
2314                case L2CAP_ECHO_RSP:
2315                        break;
2316
2317                case L2CAP_INFO_REQ:
2318                        err = l2cap_information_req(conn, &cmd, data);
2319                        break;
2320
2321                case L2CAP_INFO_RSP:
2322                        err = l2cap_information_rsp(conn, &cmd, data);
2323                        break;
2324
2325                default:
2326                        BT_ERR("Unknown signaling command 0x%2.2x", cmd.code);
2327                        err = -EINVAL;
2328                        break;
2329                }
2330
2331                if (err) {
2332                        struct l2cap_cmd_rej rej;
2333                        BT_DBG("error %d", err);
2334
2335                        /* FIXME: Map err to a valid reason */
2336                        rej.reason = cpu_to_le16(0);
2337                        l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
2338                }
2339
2340                data += cmd_len;
2341                len  -= cmd_len;
2342        }
2343
2344        kfree_skb(skb);
2345}
2346
2347static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
2348{
2349        struct sock *sk;
2350
2351        sk = l2cap_get_chan_by_scid(&conn->chan_list, cid);
2352        if (!sk) {
2353                BT_DBG("unknown cid 0x%4.4x", cid);
2354                goto drop;
2355        }
2356
2357        BT_DBG("sk %p, len %d", sk, skb->len);
2358
2359        if (sk->sk_state != BT_CONNECTED)
2360                goto drop;
2361
2362        if (l2cap_pi(sk)->imtu < skb->len)
2363                goto drop;
2364
2365        /* If socket recv buffers overflows we drop data here
2366         * which is *bad* because L2CAP has to be reliable.
2367         * But we don't have any other choice. L2CAP doesn't
2368         * provide flow control mechanism. */
2369
2370        if (!sock_queue_rcv_skb(sk, skb))
2371                goto done;
2372
2373drop:
2374        kfree_skb(skb);
2375
2376done:
2377        if (sk)
2378                bh_unlock_sock(sk);
2379
2380        return 0;
2381}
2382
2383static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
2384{
2385        struct sock *sk;
2386
2387        sk = l2cap_get_sock_by_psm(0, psm, conn->src);
2388        if (!sk)
2389                goto drop;
2390
2391        BT_DBG("sk %p, len %d", sk, skb->len);
2392
2393        if (sk->sk_state != BT_BOUND && sk->sk_state != BT_CONNECTED)
2394                goto drop;
2395
2396        if (l2cap_pi(sk)->imtu < skb->len)
2397                goto drop;
2398
2399        if (!sock_queue_rcv_skb(sk, skb))
2400                goto done;
2401
2402drop:
2403        kfree_skb(skb);
2404
2405done:
2406        if (sk) bh_unlock_sock(sk);
2407        return 0;
2408}
2409
2410static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
2411{
2412        struct l2cap_hdr *lh = (void *) skb->data;
2413        u16 cid, len;
2414        __le16 psm;
2415
2416        skb_pull(skb, L2CAP_HDR_SIZE);
2417        cid = __le16_to_cpu(lh->cid);
2418        len = __le16_to_cpu(lh->len);
2419
2420        BT_DBG("len %d, cid 0x%4.4x", len, cid);
2421
2422        switch (cid) {
2423        case 0x0001:
2424                l2cap_sig_channel(conn, skb);
2425                break;
2426
2427        case 0x0002:
2428                psm = get_unaligned((__le16 *) skb->data);
2429                skb_pull(skb, 2);
2430                l2cap_conless_channel(conn, psm, skb);
2431                break;
2432
2433        default:
2434                l2cap_data_channel(conn, cid, skb);
2435                break;
2436        }
2437}
2438
2439/* ---- L2CAP interface with lower layer (HCI) ---- */
2440
2441static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
2442{
2443        int exact = 0, lm1 = 0, lm2 = 0;
2444        register struct sock *sk;
2445        struct hlist_node *node;
2446
2447        if (type != ACL_LINK)
2448                return 0;
2449
2450        BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
2451
2452        /* Find listening sockets and check their link_mode */
2453        read_lock(&l2cap_sk_list.lock);
2454        sk_for_each(sk, node, &l2cap_sk_list.head) {
2455                if (sk->sk_state != BT_LISTEN)
2456                        continue;
2457
2458                if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2459                        lm1 |= HCI_LM_ACCEPT;
2460                        if (l2cap_pi(sk)->role_switch)
2461                                lm1 |= HCI_LM_MASTER;
2462                        exact++;
2463                } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
2464                        lm2 |= HCI_LM_ACCEPT;
2465                        if (l2cap_pi(sk)->role_switch)
2466                                lm2 |= HCI_LM_MASTER;
2467                }
2468        }
2469        read_unlock(&l2cap_sk_list.lock);
2470
2471        return exact ? lm1 : lm2;
2472}
2473
2474static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
2475{
2476        struct l2cap_conn *conn;
2477
2478        BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
2479
2480        if (hcon->type != ACL_LINK)
2481                return 0;
2482
2483        if (!status) {
2484                conn = l2cap_conn_add(hcon, status);
2485                if (conn)
2486                        l2cap_conn_ready(conn);
2487        } else
2488                l2cap_conn_del(hcon, bt_err(status));
2489
2490        return 0;
2491}
2492
2493static int l2cap_disconn_ind(struct hci_conn *hcon)
2494{
2495        struct l2cap_conn *conn = hcon->l2cap_data;
2496
2497        BT_DBG("hcon %p", hcon);
2498
2499        if (hcon->type != ACL_LINK || !conn)
2500                return 0x13;
2501
2502        return conn->disc_reason;
2503}
2504
2505static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
2506{
2507        BT_DBG("hcon %p reason %d", hcon, reason);
2508
2509        if (hcon->type != ACL_LINK)
2510                return 0;
2511
2512        l2cap_conn_del(hcon, bt_err(reason));
2513
2514        return 0;
2515}
2516
2517static inline void l2cap_check_encryption(struct sock *sk, u8 encrypt)
2518{
2519        if (sk->sk_type != SOCK_SEQPACKET)
2520                return;
2521
2522        if (encrypt == 0x00) {
2523                if (l2cap_pi(sk)->sec_level == BT_SECURITY_MEDIUM) {
2524                        l2cap_sock_clear_timer(sk);
2525                        l2cap_sock_set_timer(sk, HZ * 5);
2526                } else if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
2527                        __l2cap_sock_close(sk, ECONNREFUSED);
2528        } else {
2529                if (l2cap_pi(sk)->sec_level == BT_SECURITY_MEDIUM)
2530                        l2cap_sock_clear_timer(sk);
2531        }
2532}
2533
2534static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
2535{
2536        struct l2cap_chan_list *l;
2537        struct l2cap_conn *conn = hcon->l2cap_data;
2538        struct sock *sk;
2539
2540        if (!conn)
2541                return 0;
2542
2543        l = &conn->chan_list;
2544
2545        BT_DBG("conn %p", conn);
2546
2547        read_lock(&l->lock);
2548
2549        for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
2550                bh_lock_sock(sk);
2551
2552                if (l2cap_pi(sk)->conf_state & L2CAP_CONF_CONNECT_PEND) {
2553                        bh_unlock_sock(sk);
2554                        continue;
2555                }
2556
2557                if (!status && (sk->sk_state == BT_CONNECTED ||
2558                                                sk->sk_state == BT_CONFIG)) {
2559                        l2cap_check_encryption(sk, encrypt);
2560                        bh_unlock_sock(sk);
2561                        continue;
2562                }
2563
2564                if (sk->sk_state == BT_CONNECT) {
2565                        if (!status) {
2566                                struct l2cap_conn_req req;
2567                                req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
2568                                req.psm  = l2cap_pi(sk)->psm;
2569
2570                                l2cap_pi(sk)->ident = l2cap_get_ident(conn);
2571
2572                                l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
2573                                        L2CAP_CONN_REQ, sizeof(req), &req);
2574                        } else {
2575                                l2cap_sock_clear_timer(sk);
2576                                l2cap_sock_set_timer(sk, HZ / 10);
2577                        }
2578                } else if (sk->sk_state == BT_CONNECT2) {
2579                        struct l2cap_conn_rsp rsp;
2580                        __u16 result;
2581
2582                        if (!status) {
2583                                sk->sk_state = BT_CONFIG;
2584                                result = L2CAP_CR_SUCCESS;
2585                        } else {
2586                                sk->sk_state = BT_DISCONN;
2587                                l2cap_sock_set_timer(sk, HZ / 10);
2588                                result = L2CAP_CR_SEC_BLOCK;
2589                        }
2590
2591                        rsp.scid   = cpu_to_le16(l2cap_pi(sk)->dcid);
2592                        rsp.dcid   = cpu_to_le16(l2cap_pi(sk)->scid);
2593                        rsp.result = cpu_to_le16(result);
2594                        rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
2595                        l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
2596                                        L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2597                }
2598
2599                bh_unlock_sock(sk);
2600        }
2601
2602        read_unlock(&l->lock);
2603
2604        return 0;
2605}
2606
2607static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
2608{
2609        struct l2cap_conn *conn = hcon->l2cap_data;
2610
2611        if (!conn && !(conn = l2cap_conn_add(hcon, 0)))
2612                goto drop;
2613
2614        BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
2615
2616        if (flags & ACL_START) {
2617                struct l2cap_hdr *hdr;
2618                int len;
2619
2620                if (conn->rx_len) {
2621                        BT_ERR("Unexpected start frame (len %d)", skb->len);
2622                        kfree_skb(conn->rx_skb);
2623                        conn->rx_skb = NULL;
2624                        conn->rx_len = 0;
2625                        l2cap_conn_unreliable(conn, ECOMM);
2626                }
2627
2628                if (skb->len < 2) {
2629                        BT_ERR("Frame is too short (len %d)", skb->len);
2630                        l2cap_conn_unreliable(conn, ECOMM);
2631                        goto drop;
2632                }
2633
2634                hdr = (struct l2cap_hdr *) skb->data;
2635                len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
2636
2637                if (len == skb->len) {
2638                        /* Complete frame received */
2639                        l2cap_recv_frame(conn, skb);
2640                        return 0;
2641                }
2642
2643                BT_DBG("Start: total len %d, frag len %d", len, skb->len);
2644
2645                if (skb->len > len) {
2646                        BT_ERR("Frame is too long (len %d, expected len %d)",
2647                                skb->len, len);
2648                        l2cap_conn_unreliable(conn, ECOMM);
2649                        goto drop;
2650                }
2651
2652                /* Allocate skb for the complete frame (with header) */
2653                if (!(conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC)))
2654                        goto drop;
2655
2656                skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2657                                                                skb->len);
2658                conn->rx_len = len - skb->len;
2659        } else {
2660                BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
2661
2662                if (!conn->rx_len) {
2663                        BT_ERR("Unexpected continuation frame (len %d)", skb->len);
2664                        l2cap_conn_unreliable(conn, ECOMM);
2665                        goto drop;
2666                }
2667
2668                if (skb->len > conn->rx_len) {
2669                        BT_ERR("Fragment is too long (len %d, expected %d)",
2670                                        skb->len, conn->rx_len);
2671                        kfree_skb(conn->rx_skb);
2672                        conn->rx_skb = NULL;
2673                        conn->rx_len = 0;
2674                        l2cap_conn_unreliable(conn, ECOMM);
2675                        goto drop;
2676                }
2677
2678                skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2679                                                                skb->len);
2680                conn->rx_len -= skb->len;
2681
2682                if (!conn->rx_len) {
2683                        /* Complete frame received */
2684                        l2cap_recv_frame(conn, conn->rx_skb);
2685                        conn->rx_skb = NULL;
2686                }
2687        }
2688
2689drop:
2690        kfree_skb(skb);
2691        return 0;
2692}
2693
2694static ssize_t l2cap_sysfs_show(struct class *dev, char *buf)
2695{
2696        struct sock *sk;
2697        struct hlist_node *node;
2698        char *str = buf;
2699
2700        read_lock_bh(&l2cap_sk_list.lock);
2701
2702        sk_for_each(sk, node, &l2cap_sk_list.head) {
2703                struct l2cap_pinfo *pi = l2cap_pi(sk);
2704
2705                str += sprintf(str, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d\n",
2706                                batostr(&bt_sk(sk)->src), batostr(&bt_sk(sk)->dst),
2707                                sk->sk_state, btohs(pi->psm), pi->scid, pi->dcid,
2708                                pi->imtu, pi->omtu, pi->sec_level);
2709        }
2710
2711        read_unlock_bh(&l2cap_sk_list.lock);
2712
2713        return (str - buf);
2714}
2715
2716static CLASS_ATTR(l2cap, S_IRUGO, l2cap_sysfs_show, NULL);
2717
2718static const struct proto_ops l2cap_sock_ops = {
2719        .family         = PF_BLUETOOTH,
2720        .owner          = THIS_MODULE,
2721        .release        = l2cap_sock_release,
2722        .bind           = l2cap_sock_bind,
2723        .connect        = l2cap_sock_connect,
2724        .listen         = l2cap_sock_listen,
2725        .accept         = l2cap_sock_accept,
2726        .getname        = l2cap_sock_getname,
2727        .sendmsg        = l2cap_sock_sendmsg,
2728        .recvmsg        = l2cap_sock_recvmsg,
2729        .poll           = bt_sock_poll,
2730        .ioctl          = bt_sock_ioctl,
2731        .mmap           = sock_no_mmap,
2732        .socketpair     = sock_no_socketpair,
2733        .shutdown       = l2cap_sock_shutdown,
2734        .setsockopt     = l2cap_sock_setsockopt,
2735        .getsockopt     = l2cap_sock_getsockopt
2736};
2737
2738static struct net_proto_family l2cap_sock_family_ops = {
2739        .family = PF_BLUETOOTH,
2740        .owner  = THIS_MODULE,
2741        .create = l2cap_sock_create,
2742};
2743
2744static struct hci_proto l2cap_hci_proto = {
2745        .name           = "L2CAP",
2746        .id             = HCI_PROTO_L2CAP,
2747        .connect_ind    = l2cap_connect_ind,
2748        .connect_cfm    = l2cap_connect_cfm,
2749        .disconn_ind    = l2cap_disconn_ind,
2750        .disconn_cfm    = l2cap_disconn_cfm,
2751        .security_cfm   = l2cap_security_cfm,
2752        .recv_acldata   = l2cap_recv_acldata
2753};
2754
2755static int __init l2cap_init(void)
2756{
2757        int err;
2758
2759        err = proto_register(&l2cap_proto, 0);
2760        if (err < 0)
2761                return err;
2762
2763        err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
2764        if (err < 0) {
2765                BT_ERR("L2CAP socket registration failed");
2766                goto error;
2767        }
2768
2769        err = hci_register_proto(&l2cap_hci_proto);
2770        if (err < 0) {
2771                BT_ERR("L2CAP protocol registration failed");
2772                bt_sock_unregister(BTPROTO_L2CAP);
2773                goto error;
2774        }
2775
2776        if (class_create_file(bt_class, &class_attr_l2cap) < 0)
2777                BT_ERR("Failed to create L2CAP info file");
2778
2779        BT_INFO("L2CAP ver %s", VERSION);
2780        BT_INFO("L2CAP socket layer initialized");
2781
2782        return 0;
2783
2784error:
2785        proto_unregister(&l2cap_proto);
2786        return err;
2787}
2788
2789static void __exit l2cap_exit(void)
2790{
2791        class_remove_file(bt_class, &class_attr_l2cap);
2792
2793        if (bt_sock_unregister(BTPROTO_L2CAP) < 0)
2794                BT_ERR("L2CAP socket unregistration failed");
2795
2796        if (hci_unregister_proto(&l2cap_hci_proto) < 0)
2797                BT_ERR("L2CAP protocol unregistration failed");
2798
2799        proto_unregister(&l2cap_proto);
2800}
2801
2802void l2cap_load(void)
2803{
2804        /* Dummy function to trigger automatic L2CAP module loading by
2805         * other modules that use L2CAP sockets but don't use any other
2806         * symbols from it. */
2807        return;
2808}
2809EXPORT_SYMBOL(l2cap_load);
2810
2811module_init(l2cap_init);
2812module_exit(l2cap_exit);
2813
2814MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
2815MODULE_DESCRIPTION("Bluetooth L2CAP ver " VERSION);
2816MODULE_VERSION(VERSION);
2817MODULE_LICENSE("GPL");
2818MODULE_ALIAS("bt-proto-0");
2819