Bluetooth: Add basic constants for L2CAP ERTM support and use them
[pandora-kernel.git] / net / bluetooth / l2cap.c
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (C) 2000-2001 Qualcomm Incorporated
4
5    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
6
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License version 2 as
9    published by the Free Software Foundation;
10
11    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19
20    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22    SOFTWARE IS DISCLAIMED.
23 */
24
25 /* Bluetooth L2CAP core and sockets. */
26
27 #include <linux/module.h>
28
29 #include <linux/types.h>
30 #include <linux/capability.h>
31 #include <linux/errno.h>
32 #include <linux/kernel.h>
33 #include <linux/sched.h>
34 #include <linux/slab.h>
35 #include <linux/poll.h>
36 #include <linux/fcntl.h>
37 #include <linux/init.h>
38 #include <linux/interrupt.h>
39 #include <linux/socket.h>
40 #include <linux/skbuff.h>
41 #include <linux/list.h>
42 #include <linux/device.h>
43 #include <linux/uaccess.h>
44 #include <net/sock.h>
45
46 #include <asm/system.h>
47 #include <asm/unaligned.h>
48
49 #include <net/bluetooth/bluetooth.h>
50 #include <net/bluetooth/hci_core.h>
51 #include <net/bluetooth/l2cap.h>
52
53 #define VERSION "2.13"
54
55 static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
56 static u8 l2cap_fixed_chan[8] = { 0x02, };
57
58 static const struct proto_ops l2cap_sock_ops;
59
60 static struct bt_sock_list l2cap_sk_list = {
61         .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
62 };
63
64 static void __l2cap_sock_close(struct sock *sk, int reason);
65 static void l2cap_sock_close(struct sock *sk);
66 static void l2cap_sock_kill(struct sock *sk);
67
68 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
69                                 u8 code, u8 ident, u16 dlen, void *data);
70
71 /* ---- L2CAP timers ---- */
72 static void l2cap_sock_timeout(unsigned long arg)
73 {
74         struct sock *sk = (struct sock *) arg;
75         int reason;
76
77         BT_DBG("sock %p state %d", sk, sk->sk_state);
78
79         bh_lock_sock(sk);
80
81         if (sk->sk_state == BT_CONNECTED || sk->sk_state == BT_CONFIG)
82                 reason = ECONNREFUSED;
83         else if (sk->sk_state == BT_CONNECT &&
84                                 l2cap_pi(sk)->sec_level != BT_SECURITY_SDP)
85                 reason = ECONNREFUSED;
86         else
87                 reason = ETIMEDOUT;
88
89         __l2cap_sock_close(sk, reason);
90
91         bh_unlock_sock(sk);
92
93         l2cap_sock_kill(sk);
94         sock_put(sk);
95 }
96
97 static void l2cap_sock_set_timer(struct sock *sk, long timeout)
98 {
99         BT_DBG("sk %p state %d timeout %ld", sk, sk->sk_state, timeout);
100         sk_reset_timer(sk, &sk->sk_timer, jiffies + timeout);
101 }
102
103 static void l2cap_sock_clear_timer(struct sock *sk)
104 {
105         BT_DBG("sock %p state %d", sk, sk->sk_state);
106         sk_stop_timer(sk, &sk->sk_timer);
107 }
108
109 /* ---- L2CAP channels ---- */
110 static struct sock *__l2cap_get_chan_by_dcid(struct l2cap_chan_list *l, u16 cid)
111 {
112         struct sock *s;
113         for (s = l->head; s; s = l2cap_pi(s)->next_c) {
114                 if (l2cap_pi(s)->dcid == cid)
115                         break;
116         }
117         return s;
118 }
119
120 static struct sock *__l2cap_get_chan_by_scid(struct l2cap_chan_list *l, u16 cid)
121 {
122         struct sock *s;
123         for (s = l->head; s; s = l2cap_pi(s)->next_c) {
124                 if (l2cap_pi(s)->scid == cid)
125                         break;
126         }
127         return s;
128 }
129
130 /* Find channel with given SCID.
131  * Returns locked socket */
132 static inline struct sock *l2cap_get_chan_by_scid(struct l2cap_chan_list *l, u16 cid)
133 {
134         struct sock *s;
135         read_lock(&l->lock);
136         s = __l2cap_get_chan_by_scid(l, cid);
137         if (s)
138                 bh_lock_sock(s);
139         read_unlock(&l->lock);
140         return s;
141 }
142
143 static struct sock *__l2cap_get_chan_by_ident(struct l2cap_chan_list *l, u8 ident)
144 {
145         struct sock *s;
146         for (s = l->head; s; s = l2cap_pi(s)->next_c) {
147                 if (l2cap_pi(s)->ident == ident)
148                         break;
149         }
150         return s;
151 }
152
153 static inline struct sock *l2cap_get_chan_by_ident(struct l2cap_chan_list *l, u8 ident)
154 {
155         struct sock *s;
156         read_lock(&l->lock);
157         s = __l2cap_get_chan_by_ident(l, ident);
158         if (s)
159                 bh_lock_sock(s);
160         read_unlock(&l->lock);
161         return s;
162 }
163
164 static u16 l2cap_alloc_cid(struct l2cap_chan_list *l)
165 {
166         u16 cid = L2CAP_CID_DYN_START;
167
168         for (; cid < L2CAP_CID_DYN_END; cid++) {
169                 if (!__l2cap_get_chan_by_scid(l, cid))
170                         return cid;
171         }
172
173         return 0;
174 }
175
176 static inline void __l2cap_chan_link(struct l2cap_chan_list *l, struct sock *sk)
177 {
178         sock_hold(sk);
179
180         if (l->head)
181                 l2cap_pi(l->head)->prev_c = sk;
182
183         l2cap_pi(sk)->next_c = l->head;
184         l2cap_pi(sk)->prev_c = NULL;
185         l->head = sk;
186 }
187
188 static inline void l2cap_chan_unlink(struct l2cap_chan_list *l, struct sock *sk)
189 {
190         struct sock *next = l2cap_pi(sk)->next_c, *prev = l2cap_pi(sk)->prev_c;
191
192         write_lock_bh(&l->lock);
193         if (sk == l->head)
194                 l->head = next;
195
196         if (next)
197                 l2cap_pi(next)->prev_c = prev;
198         if (prev)
199                 l2cap_pi(prev)->next_c = next;
200         write_unlock_bh(&l->lock);
201
202         __sock_put(sk);
203 }
204
205 static void __l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent)
206 {
207         struct l2cap_chan_list *l = &conn->chan_list;
208
209         BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
210                         l2cap_pi(sk)->psm, l2cap_pi(sk)->dcid);
211
212         conn->disc_reason = 0x13;
213
214         l2cap_pi(sk)->conn = conn;
215
216         if (sk->sk_type == SOCK_SEQPACKET) {
217                 /* Alloc CID for connection-oriented socket */
218                 l2cap_pi(sk)->scid = l2cap_alloc_cid(l);
219         } else if (sk->sk_type == SOCK_DGRAM) {
220                 /* Connectionless socket */
221                 l2cap_pi(sk)->scid = L2CAP_CID_CONN_LESS;
222                 l2cap_pi(sk)->dcid = L2CAP_CID_CONN_LESS;
223                 l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU;
224         } else {
225                 /* Raw socket can send/recv signalling messages only */
226                 l2cap_pi(sk)->scid = L2CAP_CID_SIGNALING;
227                 l2cap_pi(sk)->dcid = L2CAP_CID_SIGNALING;
228                 l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU;
229         }
230
231         __l2cap_chan_link(l, sk);
232
233         if (parent)
234                 bt_accept_enqueue(parent, sk);
235 }
236
237 /* Delete channel.
238  * Must be called on the locked socket. */
239 static void l2cap_chan_del(struct sock *sk, int err)
240 {
241         struct l2cap_conn *conn = l2cap_pi(sk)->conn;
242         struct sock *parent = bt_sk(sk)->parent;
243
244         l2cap_sock_clear_timer(sk);
245
246         BT_DBG("sk %p, conn %p, err %d", sk, conn, err);
247
248         if (conn) {
249                 /* Unlink from channel list */
250                 l2cap_chan_unlink(&conn->chan_list, sk);
251                 l2cap_pi(sk)->conn = NULL;
252                 hci_conn_put(conn->hcon);
253         }
254
255         sk->sk_state = BT_CLOSED;
256         sock_set_flag(sk, SOCK_ZAPPED);
257
258         if (err)
259                 sk->sk_err = err;
260
261         if (parent) {
262                 bt_accept_unlink(sk);
263                 parent->sk_data_ready(parent, 0);
264         } else
265                 sk->sk_state_change(sk);
266 }
267
268 /* Service level security */
269 static inline int l2cap_check_security(struct sock *sk)
270 {
271         struct l2cap_conn *conn = l2cap_pi(sk)->conn;
272         __u8 auth_type;
273
274         if (l2cap_pi(sk)->psm == cpu_to_le16(0x0001)) {
275                 if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
276                         auth_type = HCI_AT_NO_BONDING_MITM;
277                 else
278                         auth_type = HCI_AT_NO_BONDING;
279
280                 if (l2cap_pi(sk)->sec_level == BT_SECURITY_LOW)
281                         l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
282         } else {
283                 switch (l2cap_pi(sk)->sec_level) {
284                 case BT_SECURITY_HIGH:
285                         auth_type = HCI_AT_GENERAL_BONDING_MITM;
286                         break;
287                 case BT_SECURITY_MEDIUM:
288                         auth_type = HCI_AT_GENERAL_BONDING;
289                         break;
290                 default:
291                         auth_type = HCI_AT_NO_BONDING;
292                         break;
293                 }
294         }
295
296         return hci_conn_security(conn->hcon, l2cap_pi(sk)->sec_level,
297                                                                 auth_type);
298 }
299
300 static inline u8 l2cap_get_ident(struct l2cap_conn *conn)
301 {
302         u8 id;
303
304         /* Get next available identificator.
305          *    1 - 128 are used by kernel.
306          *  129 - 199 are reserved.
307          *  200 - 254 are used by utilities like l2ping, etc.
308          */
309
310         spin_lock_bh(&conn->lock);
311
312         if (++conn->tx_ident > 128)
313                 conn->tx_ident = 1;
314
315         id = conn->tx_ident;
316
317         spin_unlock_bh(&conn->lock);
318
319         return id;
320 }
321
322 static inline int l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
323 {
324         struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
325
326         BT_DBG("code 0x%2.2x", code);
327
328         if (!skb)
329                 return -ENOMEM;
330
331         return hci_send_acl(conn->hcon, skb, 0);
332 }
333
334 static void l2cap_do_start(struct sock *sk)
335 {
336         struct l2cap_conn *conn = l2cap_pi(sk)->conn;
337
338         if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
339                 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
340                         return;
341
342                 if (l2cap_check_security(sk)) {
343                         struct l2cap_conn_req req;
344                         req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
345                         req.psm  = l2cap_pi(sk)->psm;
346
347                         l2cap_pi(sk)->ident = l2cap_get_ident(conn);
348
349                         l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
350                                         L2CAP_CONN_REQ, sizeof(req), &req);
351                 }
352         } else {
353                 struct l2cap_info_req req;
354                 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
355
356                 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
357                 conn->info_ident = l2cap_get_ident(conn);
358
359                 mod_timer(&conn->info_timer, jiffies +
360                                         msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
361
362                 l2cap_send_cmd(conn, conn->info_ident,
363                                         L2CAP_INFO_REQ, sizeof(req), &req);
364         }
365 }
366
367 /* ---- L2CAP connections ---- */
368 static void l2cap_conn_start(struct l2cap_conn *conn)
369 {
370         struct l2cap_chan_list *l = &conn->chan_list;
371         struct sock *sk;
372
373         BT_DBG("conn %p", conn);
374
375         read_lock(&l->lock);
376
377         for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
378                 bh_lock_sock(sk);
379
380                 if (sk->sk_type != SOCK_SEQPACKET) {
381                         bh_unlock_sock(sk);
382                         continue;
383                 }
384
385                 if (sk->sk_state == BT_CONNECT) {
386                         if (l2cap_check_security(sk)) {
387                                 struct l2cap_conn_req req;
388                                 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
389                                 req.psm  = l2cap_pi(sk)->psm;
390
391                                 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
392
393                                 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
394                                         L2CAP_CONN_REQ, sizeof(req), &req);
395                         }
396                 } else if (sk->sk_state == BT_CONNECT2) {
397                         struct l2cap_conn_rsp rsp;
398                         rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
399                         rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
400
401                         if (l2cap_check_security(sk)) {
402                                 if (bt_sk(sk)->defer_setup) {
403                                         struct sock *parent = bt_sk(sk)->parent;
404                                         rsp.result = cpu_to_le16(L2CAP_CR_PEND);
405                                         rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
406                                         parent->sk_data_ready(parent, 0);
407
408                                 } else {
409                                         sk->sk_state = BT_CONFIG;
410                                         rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
411                                         rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
412                                 }
413                         } else {
414                                 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
415                                 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
416                         }
417
418                         l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
419                                         L2CAP_CONN_RSP, sizeof(rsp), &rsp);
420                 }
421
422                 bh_unlock_sock(sk);
423         }
424
425         read_unlock(&l->lock);
426 }
427
428 static void l2cap_conn_ready(struct l2cap_conn *conn)
429 {
430         struct l2cap_chan_list *l = &conn->chan_list;
431         struct sock *sk;
432
433         BT_DBG("conn %p", conn);
434
435         read_lock(&l->lock);
436
437         for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
438                 bh_lock_sock(sk);
439
440                 if (sk->sk_type != SOCK_SEQPACKET) {
441                         l2cap_sock_clear_timer(sk);
442                         sk->sk_state = BT_CONNECTED;
443                         sk->sk_state_change(sk);
444                 } else if (sk->sk_state == BT_CONNECT)
445                         l2cap_do_start(sk);
446
447                 bh_unlock_sock(sk);
448         }
449
450         read_unlock(&l->lock);
451 }
452
453 /* Notify sockets that we cannot guaranty reliability anymore */
454 static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
455 {
456         struct l2cap_chan_list *l = &conn->chan_list;
457         struct sock *sk;
458
459         BT_DBG("conn %p", conn);
460
461         read_lock(&l->lock);
462
463         for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
464                 if (l2cap_pi(sk)->force_reliable)
465                         sk->sk_err = err;
466         }
467
468         read_unlock(&l->lock);
469 }
470
471 static void l2cap_info_timeout(unsigned long arg)
472 {
473         struct l2cap_conn *conn = (void *) arg;
474
475         conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
476         conn->info_ident = 0;
477
478         l2cap_conn_start(conn);
479 }
480
481 static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
482 {
483         struct l2cap_conn *conn = hcon->l2cap_data;
484
485         if (conn || status)
486                 return conn;
487
488         conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
489         if (!conn)
490                 return NULL;
491
492         hcon->l2cap_data = conn;
493         conn->hcon = hcon;
494
495         BT_DBG("hcon %p conn %p", hcon, conn);
496
497         conn->mtu = hcon->hdev->acl_mtu;
498         conn->src = &hcon->hdev->bdaddr;
499         conn->dst = &hcon->dst;
500
501         conn->feat_mask = 0;
502
503         setup_timer(&conn->info_timer, l2cap_info_timeout,
504                                                 (unsigned long) conn);
505
506         spin_lock_init(&conn->lock);
507         rwlock_init(&conn->chan_list.lock);
508
509         conn->disc_reason = 0x13;
510
511         return conn;
512 }
513
514 static void l2cap_conn_del(struct hci_conn *hcon, int err)
515 {
516         struct l2cap_conn *conn = hcon->l2cap_data;
517         struct sock *sk;
518
519         if (!conn)
520                 return;
521
522         BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
523
524         kfree_skb(conn->rx_skb);
525
526         /* Kill channels */
527         while ((sk = conn->chan_list.head)) {
528                 bh_lock_sock(sk);
529                 l2cap_chan_del(sk, err);
530                 bh_unlock_sock(sk);
531                 l2cap_sock_kill(sk);
532         }
533
534         if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
535                 del_timer_sync(&conn->info_timer);
536
537         hcon->l2cap_data = NULL;
538         kfree(conn);
539 }
540
541 static inline void l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent)
542 {
543         struct l2cap_chan_list *l = &conn->chan_list;
544         write_lock_bh(&l->lock);
545         __l2cap_chan_add(conn, sk, parent);
546         write_unlock_bh(&l->lock);
547 }
548
549 /* ---- Socket interface ---- */
550 static struct sock *__l2cap_get_sock_by_addr(__le16 psm, bdaddr_t *src)
551 {
552         struct sock *sk;
553         struct hlist_node *node;
554         sk_for_each(sk, node, &l2cap_sk_list.head)
555                 if (l2cap_pi(sk)->sport == psm && !bacmp(&bt_sk(sk)->src, src))
556                         goto found;
557         sk = NULL;
558 found:
559         return sk;
560 }
561
562 /* Find socket with psm and source bdaddr.
563  * Returns closest match.
564  */
565 static struct sock *__l2cap_get_sock_by_psm(int state, __le16 psm, bdaddr_t *src)
566 {
567         struct sock *sk = NULL, *sk1 = NULL;
568         struct hlist_node *node;
569
570         sk_for_each(sk, node, &l2cap_sk_list.head) {
571                 if (state && sk->sk_state != state)
572                         continue;
573
574                 if (l2cap_pi(sk)->psm == psm) {
575                         /* Exact match. */
576                         if (!bacmp(&bt_sk(sk)->src, src))
577                                 break;
578
579                         /* Closest match */
580                         if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
581                                 sk1 = sk;
582                 }
583         }
584         return node ? sk : sk1;
585 }
586
587 /* Find socket with given address (psm, src).
588  * Returns locked socket */
589 static inline struct sock *l2cap_get_sock_by_psm(int state, __le16 psm, bdaddr_t *src)
590 {
591         struct sock *s;
592         read_lock(&l2cap_sk_list.lock);
593         s = __l2cap_get_sock_by_psm(state, psm, src);
594         if (s)
595                 bh_lock_sock(s);
596         read_unlock(&l2cap_sk_list.lock);
597         return s;
598 }
599
600 static void l2cap_sock_destruct(struct sock *sk)
601 {
602         BT_DBG("sk %p", sk);
603
604         skb_queue_purge(&sk->sk_receive_queue);
605         skb_queue_purge(&sk->sk_write_queue);
606 }
607
608 static void l2cap_sock_cleanup_listen(struct sock *parent)
609 {
610         struct sock *sk;
611
612         BT_DBG("parent %p", parent);
613
614         /* Close not yet accepted channels */
615         while ((sk = bt_accept_dequeue(parent, NULL)))
616                 l2cap_sock_close(sk);
617
618         parent->sk_state = BT_CLOSED;
619         sock_set_flag(parent, SOCK_ZAPPED);
620 }
621
622 /* Kill socket (only if zapped and orphan)
623  * Must be called on unlocked socket.
624  */
625 static void l2cap_sock_kill(struct sock *sk)
626 {
627         if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
628                 return;
629
630         BT_DBG("sk %p state %d", sk, sk->sk_state);
631
632         /* Kill poor orphan */
633         bt_sock_unlink(&l2cap_sk_list, sk);
634         sock_set_flag(sk, SOCK_DEAD);
635         sock_put(sk);
636 }
637
638 static void __l2cap_sock_close(struct sock *sk, int reason)
639 {
640         BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
641
642         switch (sk->sk_state) {
643         case BT_LISTEN:
644                 l2cap_sock_cleanup_listen(sk);
645                 break;
646
647         case BT_CONNECTED:
648         case BT_CONFIG:
649                 if (sk->sk_type == SOCK_SEQPACKET) {
650                         struct l2cap_conn *conn = l2cap_pi(sk)->conn;
651                         struct l2cap_disconn_req req;
652
653                         sk->sk_state = BT_DISCONN;
654                         l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
655
656                         req.dcid = cpu_to_le16(l2cap_pi(sk)->dcid);
657                         req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
658                         l2cap_send_cmd(conn, l2cap_get_ident(conn),
659                                         L2CAP_DISCONN_REQ, sizeof(req), &req);
660                 } else
661                         l2cap_chan_del(sk, reason);
662                 break;
663
664         case BT_CONNECT2:
665                 if (sk->sk_type == SOCK_SEQPACKET) {
666                         struct l2cap_conn *conn = l2cap_pi(sk)->conn;
667                         struct l2cap_conn_rsp rsp;
668                         __u16 result;
669
670                         if (bt_sk(sk)->defer_setup)
671                                 result = L2CAP_CR_SEC_BLOCK;
672                         else
673                                 result = L2CAP_CR_BAD_PSM;
674
675                         rsp.scid   = cpu_to_le16(l2cap_pi(sk)->dcid);
676                         rsp.dcid   = cpu_to_le16(l2cap_pi(sk)->scid);
677                         rsp.result = cpu_to_le16(result);
678                         rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
679                         l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
680                                         L2CAP_CONN_RSP, sizeof(rsp), &rsp);
681                 } else
682                         l2cap_chan_del(sk, reason);
683                 break;
684
685         case BT_CONNECT:
686         case BT_DISCONN:
687                 l2cap_chan_del(sk, reason);
688                 break;
689
690         default:
691                 sock_set_flag(sk, SOCK_ZAPPED);
692                 break;
693         }
694 }
695
696 /* Must be called on unlocked socket. */
697 static void l2cap_sock_close(struct sock *sk)
698 {
699         l2cap_sock_clear_timer(sk);
700         lock_sock(sk);
701         __l2cap_sock_close(sk, ECONNRESET);
702         release_sock(sk);
703         l2cap_sock_kill(sk);
704 }
705
706 static void l2cap_sock_init(struct sock *sk, struct sock *parent)
707 {
708         struct l2cap_pinfo *pi = l2cap_pi(sk);
709
710         BT_DBG("sk %p", sk);
711
712         if (parent) {
713                 sk->sk_type = parent->sk_type;
714                 bt_sk(sk)->defer_setup = bt_sk(parent)->defer_setup;
715
716                 pi->imtu = l2cap_pi(parent)->imtu;
717                 pi->omtu = l2cap_pi(parent)->omtu;
718                 pi->sec_level = l2cap_pi(parent)->sec_level;
719                 pi->role_switch = l2cap_pi(parent)->role_switch;
720                 pi->force_reliable = l2cap_pi(parent)->force_reliable;
721         } else {
722                 pi->imtu = L2CAP_DEFAULT_MTU;
723                 pi->omtu = 0;
724                 pi->sec_level = BT_SECURITY_LOW;
725                 pi->role_switch = 0;
726                 pi->force_reliable = 0;
727         }
728
729         /* Default config options */
730         pi->conf_len = 0;
731         pi->flush_to = L2CAP_DEFAULT_FLUSH_TO;
732 }
733
734 static struct proto l2cap_proto = {
735         .name           = "L2CAP",
736         .owner          = THIS_MODULE,
737         .obj_size       = sizeof(struct l2cap_pinfo)
738 };
739
740 static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio)
741 {
742         struct sock *sk;
743
744         sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto);
745         if (!sk)
746                 return NULL;
747
748         sock_init_data(sock, sk);
749         INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
750
751         sk->sk_destruct = l2cap_sock_destruct;
752         sk->sk_sndtimeo = msecs_to_jiffies(L2CAP_CONN_TIMEOUT);
753
754         sock_reset_flag(sk, SOCK_ZAPPED);
755
756         sk->sk_protocol = proto;
757         sk->sk_state = BT_OPEN;
758
759         setup_timer(&sk->sk_timer, l2cap_sock_timeout, (unsigned long) sk);
760
761         bt_sock_link(&l2cap_sk_list, sk);
762         return sk;
763 }
764
765 static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol)
766 {
767         struct sock *sk;
768
769         BT_DBG("sock %p", sock);
770
771         sock->state = SS_UNCONNECTED;
772
773         if (sock->type != SOCK_SEQPACKET &&
774                         sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
775                 return -ESOCKTNOSUPPORT;
776
777         if (sock->type == SOCK_RAW && !capable(CAP_NET_RAW))
778                 return -EPERM;
779
780         sock->ops = &l2cap_sock_ops;
781
782         sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC);
783         if (!sk)
784                 return -ENOMEM;
785
786         l2cap_sock_init(sk, NULL);
787         return 0;
788 }
789
790 static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
791 {
792         struct sock *sk = sock->sk;
793         struct sockaddr_l2 la;
794         int len, err = 0;
795
796         BT_DBG("sk %p", sk);
797
798         if (!addr || addr->sa_family != AF_BLUETOOTH)
799                 return -EINVAL;
800
801         memset(&la, 0, sizeof(la));
802         len = min_t(unsigned int, sizeof(la), alen);
803         memcpy(&la, addr, len);
804
805         if (la.l2_cid)
806                 return -EINVAL;
807
808         lock_sock(sk);
809
810         if (sk->sk_state != BT_OPEN) {
811                 err = -EBADFD;
812                 goto done;
813         }
814
815         if (la.l2_psm && btohs(la.l2_psm) < 0x1001 &&
816                                 !capable(CAP_NET_BIND_SERVICE)) {
817                 err = -EACCES;
818                 goto done;
819         }
820
821         write_lock_bh(&l2cap_sk_list.lock);
822
823         if (la.l2_psm && __l2cap_get_sock_by_addr(la.l2_psm, &la.l2_bdaddr)) {
824                 err = -EADDRINUSE;
825         } else {
826                 /* Save source address */
827                 bacpy(&bt_sk(sk)->src, &la.l2_bdaddr);
828                 l2cap_pi(sk)->psm   = la.l2_psm;
829                 l2cap_pi(sk)->sport = la.l2_psm;
830                 sk->sk_state = BT_BOUND;
831
832                 if (btohs(la.l2_psm) == 0x0001 || btohs(la.l2_psm) == 0x0003)
833                         l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
834         }
835
836         write_unlock_bh(&l2cap_sk_list.lock);
837
838 done:
839         release_sock(sk);
840         return err;
841 }
842
843 static int l2cap_do_connect(struct sock *sk)
844 {
845         bdaddr_t *src = &bt_sk(sk)->src;
846         bdaddr_t *dst = &bt_sk(sk)->dst;
847         struct l2cap_conn *conn;
848         struct hci_conn *hcon;
849         struct hci_dev *hdev;
850         __u8 auth_type;
851         int err;
852
853         BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
854                                                         l2cap_pi(sk)->psm);
855
856         hdev = hci_get_route(dst, src);
857         if (!hdev)
858                 return -EHOSTUNREACH;
859
860         hci_dev_lock_bh(hdev);
861
862         err = -ENOMEM;
863
864         if (sk->sk_type == SOCK_RAW) {
865                 switch (l2cap_pi(sk)->sec_level) {
866                 case BT_SECURITY_HIGH:
867                         auth_type = HCI_AT_DEDICATED_BONDING_MITM;
868                         break;
869                 case BT_SECURITY_MEDIUM:
870                         auth_type = HCI_AT_DEDICATED_BONDING;
871                         break;
872                 default:
873                         auth_type = HCI_AT_NO_BONDING;
874                         break;
875                 }
876         } else if (l2cap_pi(sk)->psm == cpu_to_le16(0x0001)) {
877                 if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
878                         auth_type = HCI_AT_NO_BONDING_MITM;
879                 else
880                         auth_type = HCI_AT_NO_BONDING;
881
882                 if (l2cap_pi(sk)->sec_level == BT_SECURITY_LOW)
883                         l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
884         } else {
885                 switch (l2cap_pi(sk)->sec_level) {
886                 case BT_SECURITY_HIGH:
887                         auth_type = HCI_AT_GENERAL_BONDING_MITM;
888                         break;
889                 case BT_SECURITY_MEDIUM:
890                         auth_type = HCI_AT_GENERAL_BONDING;
891                         break;
892                 default:
893                         auth_type = HCI_AT_NO_BONDING;
894                         break;
895                 }
896         }
897
898         hcon = hci_connect(hdev, ACL_LINK, dst,
899                                         l2cap_pi(sk)->sec_level, auth_type);
900         if (!hcon)
901                 goto done;
902
903         conn = l2cap_conn_add(hcon, 0);
904         if (!conn) {
905                 hci_conn_put(hcon);
906                 goto done;
907         }
908
909         err = 0;
910
911         /* Update source addr of the socket */
912         bacpy(src, conn->src);
913
914         l2cap_chan_add(conn, sk, NULL);
915
916         sk->sk_state = BT_CONNECT;
917         l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
918
919         if (hcon->state == BT_CONNECTED) {
920                 if (sk->sk_type != SOCK_SEQPACKET) {
921                         l2cap_sock_clear_timer(sk);
922                         sk->sk_state = BT_CONNECTED;
923                 } else
924                         l2cap_do_start(sk);
925         }
926
927 done:
928         hci_dev_unlock_bh(hdev);
929         hci_dev_put(hdev);
930         return err;
931 }
932
933 static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags)
934 {
935         struct sock *sk = sock->sk;
936         struct sockaddr_l2 la;
937         int len, err = 0;
938
939         BT_DBG("sk %p", sk);
940
941         if (!addr || addr->sa_family != AF_BLUETOOTH)
942                 return -EINVAL;
943
944         memset(&la, 0, sizeof(la));
945         len = min_t(unsigned int, sizeof(la), alen);
946         memcpy(&la, addr, len);
947
948         if (la.l2_cid)
949                 return -EINVAL;
950
951         lock_sock(sk);
952
953         if (sk->sk_type == SOCK_SEQPACKET && !la.l2_psm) {
954                 err = -EINVAL;
955                 goto done;
956         }
957
958         switch (sk->sk_state) {
959         case BT_CONNECT:
960         case BT_CONNECT2:
961         case BT_CONFIG:
962                 /* Already connecting */
963                 goto wait;
964
965         case BT_CONNECTED:
966                 /* Already connected */
967                 goto done;
968
969         case BT_OPEN:
970         case BT_BOUND:
971                 /* Can connect */
972                 break;
973
974         default:
975                 err = -EBADFD;
976                 goto done;
977         }
978
979         /* Set destination address and psm */
980         bacpy(&bt_sk(sk)->dst, &la.l2_bdaddr);
981         l2cap_pi(sk)->psm = la.l2_psm;
982
983         err = l2cap_do_connect(sk);
984         if (err)
985                 goto done;
986
987 wait:
988         err = bt_sock_wait_state(sk, BT_CONNECTED,
989                         sock_sndtimeo(sk, flags & O_NONBLOCK));
990 done:
991         release_sock(sk);
992         return err;
993 }
994
995 static int l2cap_sock_listen(struct socket *sock, int backlog)
996 {
997         struct sock *sk = sock->sk;
998         int err = 0;
999
1000         BT_DBG("sk %p backlog %d", sk, backlog);
1001
1002         lock_sock(sk);
1003
1004         if (sk->sk_state != BT_BOUND || sock->type != SOCK_SEQPACKET) {
1005                 err = -EBADFD;
1006                 goto done;
1007         }
1008
1009         if (!l2cap_pi(sk)->psm) {
1010                 bdaddr_t *src = &bt_sk(sk)->src;
1011                 u16 psm;
1012
1013                 err = -EINVAL;
1014
1015                 write_lock_bh(&l2cap_sk_list.lock);
1016
1017                 for (psm = 0x1001; psm < 0x1100; psm += 2)
1018                         if (!__l2cap_get_sock_by_addr(htobs(psm), src)) {
1019                                 l2cap_pi(sk)->psm   = htobs(psm);
1020                                 l2cap_pi(sk)->sport = htobs(psm);
1021                                 err = 0;
1022                                 break;
1023                         }
1024
1025                 write_unlock_bh(&l2cap_sk_list.lock);
1026
1027                 if (err < 0)
1028                         goto done;
1029         }
1030
1031         sk->sk_max_ack_backlog = backlog;
1032         sk->sk_ack_backlog = 0;
1033         sk->sk_state = BT_LISTEN;
1034
1035 done:
1036         release_sock(sk);
1037         return err;
1038 }
1039
1040 static int l2cap_sock_accept(struct socket *sock, struct socket *newsock, int flags)
1041 {
1042         DECLARE_WAITQUEUE(wait, current);
1043         struct sock *sk = sock->sk, *nsk;
1044         long timeo;
1045         int err = 0;
1046
1047         lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
1048
1049         if (sk->sk_state != BT_LISTEN) {
1050                 err = -EBADFD;
1051                 goto done;
1052         }
1053
1054         timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
1055
1056         BT_DBG("sk %p timeo %ld", sk, timeo);
1057
1058         /* Wait for an incoming connection. (wake-one). */
1059         add_wait_queue_exclusive(sk->sk_sleep, &wait);
1060         while (!(nsk = bt_accept_dequeue(sk, newsock))) {
1061                 set_current_state(TASK_INTERRUPTIBLE);
1062                 if (!timeo) {
1063                         err = -EAGAIN;
1064                         break;
1065                 }
1066
1067                 release_sock(sk);
1068                 timeo = schedule_timeout(timeo);
1069                 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
1070
1071                 if (sk->sk_state != BT_LISTEN) {
1072                         err = -EBADFD;
1073                         break;
1074                 }
1075
1076                 if (signal_pending(current)) {
1077                         err = sock_intr_errno(timeo);
1078                         break;
1079                 }
1080         }
1081         set_current_state(TASK_RUNNING);
1082         remove_wait_queue(sk->sk_sleep, &wait);
1083
1084         if (err)
1085                 goto done;
1086
1087         newsock->state = SS_CONNECTED;
1088
1089         BT_DBG("new socket %p", nsk);
1090
1091 done:
1092         release_sock(sk);
1093         return err;
1094 }
1095
1096 static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr, int *len, int peer)
1097 {
1098         struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
1099         struct sock *sk = sock->sk;
1100
1101         BT_DBG("sock %p, sk %p", sock, sk);
1102
1103         addr->sa_family = AF_BLUETOOTH;
1104         *len = sizeof(struct sockaddr_l2);
1105
1106         if (peer) {
1107                 la->l2_psm = l2cap_pi(sk)->psm;
1108                 bacpy(&la->l2_bdaddr, &bt_sk(sk)->dst);
1109                 la->l2_cid = htobs(l2cap_pi(sk)->dcid);
1110         } else {
1111                 la->l2_psm = l2cap_pi(sk)->sport;
1112                 bacpy(&la->l2_bdaddr, &bt_sk(sk)->src);
1113                 la->l2_cid = htobs(l2cap_pi(sk)->scid);
1114         }
1115
1116         return 0;
1117 }
1118
1119 static inline int l2cap_do_send(struct sock *sk, struct msghdr *msg, int len)
1120 {
1121         struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1122         struct sk_buff *skb, **frag;
1123         int err, hlen, count, sent = 0;
1124         struct l2cap_hdr *lh;
1125
1126         BT_DBG("sk %p len %d", sk, len);
1127
1128         /* First fragment (with L2CAP header) */
1129         if (sk->sk_type == SOCK_DGRAM)
1130                 hlen = L2CAP_HDR_SIZE + 2;
1131         else
1132                 hlen = L2CAP_HDR_SIZE;
1133
1134         count = min_t(unsigned int, (conn->mtu - hlen), len);
1135
1136         skb = bt_skb_send_alloc(sk, hlen + count,
1137                         msg->msg_flags & MSG_DONTWAIT, &err);
1138         if (!skb)
1139                 return err;
1140
1141         /* Create L2CAP header */
1142         lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1143         lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1144         lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1145
1146         if (sk->sk_type == SOCK_DGRAM)
1147                 put_unaligned(l2cap_pi(sk)->psm, (__le16 *) skb_put(skb, 2));
1148
1149         if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count)) {
1150                 err = -EFAULT;
1151                 goto fail;
1152         }
1153
1154         sent += count;
1155         len  -= count;
1156
1157         /* Continuation fragments (no L2CAP header) */
1158         frag = &skb_shinfo(skb)->frag_list;
1159         while (len) {
1160                 count = min_t(unsigned int, conn->mtu, len);
1161
1162                 *frag = bt_skb_send_alloc(sk, count, msg->msg_flags & MSG_DONTWAIT, &err);
1163                 if (!*frag)
1164                         goto fail;
1165
1166                 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count)) {
1167                         err = -EFAULT;
1168                         goto fail;
1169                 }
1170
1171                 sent += count;
1172                 len  -= count;
1173
1174                 frag = &(*frag)->next;
1175         }
1176         err = hci_send_acl(conn->hcon, skb, 0);
1177         if (err < 0)
1178                 goto fail;
1179
1180         return sent;
1181
1182 fail:
1183         kfree_skb(skb);
1184         return err;
1185 }
1186
1187 static int l2cap_sock_sendmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len)
1188 {
1189         struct sock *sk = sock->sk;
1190         int err = 0;
1191
1192         BT_DBG("sock %p, sk %p", sock, sk);
1193
1194         err = sock_error(sk);
1195         if (err)
1196                 return err;
1197
1198         if (msg->msg_flags & MSG_OOB)
1199                 return -EOPNOTSUPP;
1200
1201         /* Check outgoing MTU */
1202         if (sk->sk_type != SOCK_RAW && len > l2cap_pi(sk)->omtu)
1203                 return -EINVAL;
1204
1205         lock_sock(sk);
1206
1207         if (sk->sk_state == BT_CONNECTED)
1208                 err = l2cap_do_send(sk, msg, len);
1209         else
1210                 err = -ENOTCONN;
1211
1212         release_sock(sk);
1213         return err;
1214 }
1215
1216 static int l2cap_sock_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len, int flags)
1217 {
1218         struct sock *sk = sock->sk;
1219
1220         lock_sock(sk);
1221
1222         if (sk->sk_state == BT_CONNECT2 && bt_sk(sk)->defer_setup) {
1223                 struct l2cap_conn_rsp rsp;
1224
1225                 sk->sk_state = BT_CONFIG;
1226
1227                 rsp.scid   = cpu_to_le16(l2cap_pi(sk)->dcid);
1228                 rsp.dcid   = cpu_to_le16(l2cap_pi(sk)->scid);
1229                 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1230                 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1231                 l2cap_send_cmd(l2cap_pi(sk)->conn, l2cap_pi(sk)->ident,
1232                                         L2CAP_CONN_RSP, sizeof(rsp), &rsp);
1233
1234                 release_sock(sk);
1235                 return 0;
1236         }
1237
1238         release_sock(sk);
1239
1240         return bt_sock_recvmsg(iocb, sock, msg, len, flags);
1241 }
1242
1243 static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __user *optval, int optlen)
1244 {
1245         struct sock *sk = sock->sk;
1246         struct l2cap_options opts;
1247         int len, err = 0;
1248         u32 opt;
1249
1250         BT_DBG("sk %p", sk);
1251
1252         lock_sock(sk);
1253
1254         switch (optname) {
1255         case L2CAP_OPTIONS:
1256                 opts.imtu     = l2cap_pi(sk)->imtu;
1257                 opts.omtu     = l2cap_pi(sk)->omtu;
1258                 opts.flush_to = l2cap_pi(sk)->flush_to;
1259                 opts.mode     = L2CAP_MODE_BASIC;
1260
1261                 len = min_t(unsigned int, sizeof(opts), optlen);
1262                 if (copy_from_user((char *) &opts, optval, len)) {
1263                         err = -EFAULT;
1264                         break;
1265                 }
1266
1267                 l2cap_pi(sk)->imtu  = opts.imtu;
1268                 l2cap_pi(sk)->omtu  = opts.omtu;
1269                 break;
1270
1271         case L2CAP_LM:
1272                 if (get_user(opt, (u32 __user *) optval)) {
1273                         err = -EFAULT;
1274                         break;
1275                 }
1276
1277                 if (opt & L2CAP_LM_AUTH)
1278                         l2cap_pi(sk)->sec_level = BT_SECURITY_LOW;
1279                 if (opt & L2CAP_LM_ENCRYPT)
1280                         l2cap_pi(sk)->sec_level = BT_SECURITY_MEDIUM;
1281                 if (opt & L2CAP_LM_SECURE)
1282                         l2cap_pi(sk)->sec_level = BT_SECURITY_HIGH;
1283
1284                 l2cap_pi(sk)->role_switch    = (opt & L2CAP_LM_MASTER);
1285                 l2cap_pi(sk)->force_reliable = (opt & L2CAP_LM_RELIABLE);
1286                 break;
1287
1288         default:
1289                 err = -ENOPROTOOPT;
1290                 break;
1291         }
1292
1293         release_sock(sk);
1294         return err;
1295 }
1296
1297 static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, char __user *optval, int optlen)
1298 {
1299         struct sock *sk = sock->sk;
1300         struct bt_security sec;
1301         int len, err = 0;
1302         u32 opt;
1303
1304         BT_DBG("sk %p", sk);
1305
1306         if (level == SOL_L2CAP)
1307                 return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
1308
1309         if (level != SOL_BLUETOOTH)
1310                 return -ENOPROTOOPT;
1311
1312         lock_sock(sk);
1313
1314         switch (optname) {
1315         case BT_SECURITY:
1316                 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_RAW) {
1317                         err = -EINVAL;
1318                         break;
1319                 }
1320
1321                 sec.level = BT_SECURITY_LOW;
1322
1323                 len = min_t(unsigned int, sizeof(sec), optlen);
1324                 if (copy_from_user((char *) &sec, optval, len)) {
1325                         err = -EFAULT;
1326                         break;
1327                 }
1328
1329                 if (sec.level < BT_SECURITY_LOW ||
1330                                         sec.level > BT_SECURITY_HIGH) {
1331                         err = -EINVAL;
1332                         break;
1333                 }
1334
1335                 l2cap_pi(sk)->sec_level = sec.level;
1336                 break;
1337
1338         case BT_DEFER_SETUP:
1339                 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
1340                         err = -EINVAL;
1341                         break;
1342                 }
1343
1344                 if (get_user(opt, (u32 __user *) optval)) {
1345                         err = -EFAULT;
1346                         break;
1347                 }
1348
1349                 bt_sk(sk)->defer_setup = opt;
1350                 break;
1351
1352         default:
1353                 err = -ENOPROTOOPT;
1354                 break;
1355         }
1356
1357         release_sock(sk);
1358         return err;
1359 }
1360
1361 static int l2cap_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen)
1362 {
1363         struct sock *sk = sock->sk;
1364         struct l2cap_options opts;
1365         struct l2cap_conninfo cinfo;
1366         int len, err = 0;
1367         u32 opt;
1368
1369         BT_DBG("sk %p", sk);
1370
1371         if (get_user(len, optlen))
1372                 return -EFAULT;
1373
1374         lock_sock(sk);
1375
1376         switch (optname) {
1377         case L2CAP_OPTIONS:
1378                 opts.imtu     = l2cap_pi(sk)->imtu;
1379                 opts.omtu     = l2cap_pi(sk)->omtu;
1380                 opts.flush_to = l2cap_pi(sk)->flush_to;
1381                 opts.mode     = L2CAP_MODE_BASIC;
1382
1383                 len = min_t(unsigned int, len, sizeof(opts));
1384                 if (copy_to_user(optval, (char *) &opts, len))
1385                         err = -EFAULT;
1386
1387                 break;
1388
1389         case L2CAP_LM:
1390                 switch (l2cap_pi(sk)->sec_level) {
1391                 case BT_SECURITY_LOW:
1392                         opt = L2CAP_LM_AUTH;
1393                         break;
1394                 case BT_SECURITY_MEDIUM:
1395                         opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
1396                         break;
1397                 case BT_SECURITY_HIGH:
1398                         opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
1399                                                         L2CAP_LM_SECURE;
1400                         break;
1401                 default:
1402                         opt = 0;
1403                         break;
1404                 }
1405
1406                 if (l2cap_pi(sk)->role_switch)
1407                         opt |= L2CAP_LM_MASTER;
1408
1409                 if (l2cap_pi(sk)->force_reliable)
1410                         opt |= L2CAP_LM_RELIABLE;
1411
1412                 if (put_user(opt, (u32 __user *) optval))
1413                         err = -EFAULT;
1414                 break;
1415
1416         case L2CAP_CONNINFO:
1417                 if (sk->sk_state != BT_CONNECTED &&
1418                                         !(sk->sk_state == BT_CONNECT2 &&
1419                                                 bt_sk(sk)->defer_setup)) {
1420                         err = -ENOTCONN;
1421                         break;
1422                 }
1423
1424                 cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle;
1425                 memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3);
1426
1427                 len = min_t(unsigned int, len, sizeof(cinfo));
1428                 if (copy_to_user(optval, (char *) &cinfo, len))
1429                         err = -EFAULT;
1430
1431                 break;
1432
1433         default:
1434                 err = -ENOPROTOOPT;
1435                 break;
1436         }
1437
1438         release_sock(sk);
1439         return err;
1440 }
1441
1442 static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen)
1443 {
1444         struct sock *sk = sock->sk;
1445         struct bt_security sec;
1446         int len, err = 0;
1447
1448         BT_DBG("sk %p", sk);
1449
1450         if (level == SOL_L2CAP)
1451                 return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
1452
1453         if (level != SOL_BLUETOOTH)
1454                 return -ENOPROTOOPT;
1455
1456         if (get_user(len, optlen))
1457                 return -EFAULT;
1458
1459         lock_sock(sk);
1460
1461         switch (optname) {
1462         case BT_SECURITY:
1463                 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_RAW) {
1464                         err = -EINVAL;
1465                         break;
1466                 }
1467
1468                 sec.level = l2cap_pi(sk)->sec_level;
1469
1470                 len = min_t(unsigned int, len, sizeof(sec));
1471                 if (copy_to_user(optval, (char *) &sec, len))
1472                         err = -EFAULT;
1473
1474                 break;
1475
1476         case BT_DEFER_SETUP:
1477                 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
1478                         err = -EINVAL;
1479                         break;
1480                 }
1481
1482                 if (put_user(bt_sk(sk)->defer_setup, (u32 __user *) optval))
1483                         err = -EFAULT;
1484
1485                 break;
1486
1487         default:
1488                 err = -ENOPROTOOPT;
1489                 break;
1490         }
1491
1492         release_sock(sk);
1493         return err;
1494 }
1495
1496 static int l2cap_sock_shutdown(struct socket *sock, int how)
1497 {
1498         struct sock *sk = sock->sk;
1499         int err = 0;
1500
1501         BT_DBG("sock %p, sk %p", sock, sk);
1502
1503         if (!sk)
1504                 return 0;
1505
1506         lock_sock(sk);
1507         if (!sk->sk_shutdown) {
1508                 sk->sk_shutdown = SHUTDOWN_MASK;
1509                 l2cap_sock_clear_timer(sk);
1510                 __l2cap_sock_close(sk, 0);
1511
1512                 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime)
1513                         err = bt_sock_wait_state(sk, BT_CLOSED,
1514                                                         sk->sk_lingertime);
1515         }
1516         release_sock(sk);
1517         return err;
1518 }
1519
1520 static int l2cap_sock_release(struct socket *sock)
1521 {
1522         struct sock *sk = sock->sk;
1523         int err;
1524
1525         BT_DBG("sock %p, sk %p", sock, sk);
1526
1527         if (!sk)
1528                 return 0;
1529
1530         err = l2cap_sock_shutdown(sock, 2);
1531
1532         sock_orphan(sk);
1533         l2cap_sock_kill(sk);
1534         return err;
1535 }
1536
1537 static void l2cap_chan_ready(struct sock *sk)
1538 {
1539         struct sock *parent = bt_sk(sk)->parent;
1540
1541         BT_DBG("sk %p, parent %p", sk, parent);
1542
1543         l2cap_pi(sk)->conf_state = 0;
1544         l2cap_sock_clear_timer(sk);
1545
1546         if (!parent) {
1547                 /* Outgoing channel.
1548                  * Wake up socket sleeping on connect.
1549                  */
1550                 sk->sk_state = BT_CONNECTED;
1551                 sk->sk_state_change(sk);
1552         } else {
1553                 /* Incoming channel.
1554                  * Wake up socket sleeping on accept.
1555                  */
1556                 parent->sk_data_ready(parent, 0);
1557         }
1558 }
1559
1560 /* Copy frame to all raw sockets on that connection */
1561 static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
1562 {
1563         struct l2cap_chan_list *l = &conn->chan_list;
1564         struct sk_buff *nskb;
1565         struct sock *sk;
1566
1567         BT_DBG("conn %p", conn);
1568
1569         read_lock(&l->lock);
1570         for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
1571                 if (sk->sk_type != SOCK_RAW)
1572                         continue;
1573
1574                 /* Don't send frame to the socket it came from */
1575                 if (skb->sk == sk)
1576                         continue;
1577                 nskb = skb_clone(skb, GFP_ATOMIC);
1578                 if (!nskb)
1579                         continue;
1580
1581                 if (sock_queue_rcv_skb(sk, nskb))
1582                         kfree_skb(nskb);
1583         }
1584         read_unlock(&l->lock);
1585 }
1586
1587 /* ---- L2CAP signalling commands ---- */
1588 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
1589                                 u8 code, u8 ident, u16 dlen, void *data)
1590 {
1591         struct sk_buff *skb, **frag;
1592         struct l2cap_cmd_hdr *cmd;
1593         struct l2cap_hdr *lh;
1594         int len, count;
1595
1596         BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
1597                         conn, code, ident, dlen);
1598
1599         len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
1600         count = min_t(unsigned int, conn->mtu, len);
1601
1602         skb = bt_skb_alloc(count, GFP_ATOMIC);
1603         if (!skb)
1604                 return NULL;
1605
1606         lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1607         lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
1608         lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1609
1610         cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
1611         cmd->code  = code;
1612         cmd->ident = ident;
1613         cmd->len   = cpu_to_le16(dlen);
1614
1615         if (dlen) {
1616                 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
1617                 memcpy(skb_put(skb, count), data, count);
1618                 data += count;
1619         }
1620
1621         len -= skb->len;
1622
1623         /* Continuation fragments (no L2CAP header) */
1624         frag = &skb_shinfo(skb)->frag_list;
1625         while (len) {
1626                 count = min_t(unsigned int, conn->mtu, len);
1627
1628                 *frag = bt_skb_alloc(count, GFP_ATOMIC);
1629                 if (!*frag)
1630                         goto fail;
1631
1632                 memcpy(skb_put(*frag, count), data, count);
1633
1634                 len  -= count;
1635                 data += count;
1636
1637                 frag = &(*frag)->next;
1638         }
1639
1640         return skb;
1641
1642 fail:
1643         kfree_skb(skb);
1644         return NULL;
1645 }
1646
1647 static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
1648 {
1649         struct l2cap_conf_opt *opt = *ptr;
1650         int len;
1651
1652         len = L2CAP_CONF_OPT_SIZE + opt->len;
1653         *ptr += len;
1654
1655         *type = opt->type;
1656         *olen = opt->len;
1657
1658         switch (opt->len) {
1659         case 1:
1660                 *val = *((u8 *) opt->val);
1661                 break;
1662
1663         case 2:
1664                 *val = __le16_to_cpu(*((__le16 *) opt->val));
1665                 break;
1666
1667         case 4:
1668                 *val = __le32_to_cpu(*((__le32 *) opt->val));
1669                 break;
1670
1671         default:
1672                 *val = (unsigned long) opt->val;
1673                 break;
1674         }
1675
1676         BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
1677         return len;
1678 }
1679
1680 static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
1681 {
1682         struct l2cap_conf_opt *opt = *ptr;
1683
1684         BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
1685
1686         opt->type = type;
1687         opt->len  = len;
1688
1689         switch (len) {
1690         case 1:
1691                 *((u8 *) opt->val)  = val;
1692                 break;
1693
1694         case 2:
1695                 *((__le16 *) opt->val) = cpu_to_le16(val);
1696                 break;
1697
1698         case 4:
1699                 *((__le32 *) opt->val) = cpu_to_le32(val);
1700                 break;
1701
1702         default:
1703                 memcpy(opt->val, (void *) val, len);
1704                 break;
1705         }
1706
1707         *ptr += L2CAP_CONF_OPT_SIZE + len;
1708 }
1709
1710 static int l2cap_build_conf_req(struct sock *sk, void *data)
1711 {
1712         struct l2cap_pinfo *pi = l2cap_pi(sk);
1713         struct l2cap_conf_req *req = data;
1714         void *ptr = req->data;
1715
1716         BT_DBG("sk %p", sk);
1717
1718         if (pi->imtu != L2CAP_DEFAULT_MTU)
1719                 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->imtu);
1720
1721         /* FIXME: Need actual value of the flush timeout */
1722         //if (flush_to != L2CAP_DEFAULT_FLUSH_TO)
1723         //   l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, 2, pi->flush_to);
1724
1725         req->dcid  = cpu_to_le16(pi->dcid);
1726         req->flags = cpu_to_le16(0);
1727
1728         return ptr - data;
1729 }
1730
1731 static int l2cap_parse_conf_req(struct sock *sk, void *data)
1732 {
1733         struct l2cap_pinfo *pi = l2cap_pi(sk);
1734         struct l2cap_conf_rsp *rsp = data;
1735         void *ptr = rsp->data;
1736         void *req = pi->conf_req;
1737         int len = pi->conf_len;
1738         int type, hint, olen;
1739         unsigned long val;
1740         struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
1741         u16 mtu = L2CAP_DEFAULT_MTU;
1742         u16 result = L2CAP_CONF_SUCCESS;
1743
1744         BT_DBG("sk %p", sk);
1745
1746         while (len >= L2CAP_CONF_OPT_SIZE) {
1747                 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1748
1749                 hint  = type & L2CAP_CONF_HINT;
1750                 type &= L2CAP_CONF_MASK;
1751
1752                 switch (type) {
1753                 case L2CAP_CONF_MTU:
1754                         mtu = val;
1755                         break;
1756
1757                 case L2CAP_CONF_FLUSH_TO:
1758                         pi->flush_to = val;
1759                         break;
1760
1761                 case L2CAP_CONF_QOS:
1762                         break;
1763
1764                 case L2CAP_CONF_RFC:
1765                         if (olen == sizeof(rfc))
1766                                 memcpy(&rfc, (void *) val, olen);
1767                         break;
1768
1769                 default:
1770                         if (hint)
1771                                 break;
1772
1773                         result = L2CAP_CONF_UNKNOWN;
1774                         *((u8 *) ptr++) = type;
1775                         break;
1776                 }
1777         }
1778
1779         if (result == L2CAP_CONF_SUCCESS) {
1780                 /* Configure output options and let the other side know
1781                  * which ones we don't like. */
1782
1783                 if (rfc.mode == L2CAP_MODE_BASIC) {
1784                         if (mtu < pi->omtu)
1785                                 result = L2CAP_CONF_UNACCEPT;
1786                         else {
1787                                 pi->omtu = mtu;
1788                                 pi->conf_state |= L2CAP_CONF_OUTPUT_DONE;
1789                         }
1790
1791                         l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->omtu);
1792                 } else {
1793                         result = L2CAP_CONF_UNACCEPT;
1794
1795                         memset(&rfc, 0, sizeof(rfc));
1796                         rfc.mode = L2CAP_MODE_BASIC;
1797
1798                         l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
1799                                                 sizeof(rfc), (unsigned long) &rfc);
1800                 }
1801         }
1802
1803         rsp->scid   = cpu_to_le16(pi->dcid);
1804         rsp->result = cpu_to_le16(result);
1805         rsp->flags  = cpu_to_le16(0x0000);
1806
1807         return ptr - data;
1808 }
1809
1810 static int l2cap_build_conf_rsp(struct sock *sk, void *data, u16 result, u16 flags)
1811 {
1812         struct l2cap_conf_rsp *rsp = data;
1813         void *ptr = rsp->data;
1814
1815         BT_DBG("sk %p", sk);
1816
1817         rsp->scid   = cpu_to_le16(l2cap_pi(sk)->dcid);
1818         rsp->result = cpu_to_le16(result);
1819         rsp->flags  = cpu_to_le16(flags);
1820
1821         return ptr - data;
1822 }
1823
1824 static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
1825 {
1826         struct l2cap_cmd_rej *rej = (struct l2cap_cmd_rej *) data;
1827
1828         if (rej->reason != 0x0000)
1829                 return 0;
1830
1831         if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
1832                                         cmd->ident == conn->info_ident) {
1833                 del_timer(&conn->info_timer);
1834
1835                 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
1836                 conn->info_ident = 0;
1837
1838                 l2cap_conn_start(conn);
1839         }
1840
1841         return 0;
1842 }
1843
1844 static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
1845 {
1846         struct l2cap_chan_list *list = &conn->chan_list;
1847         struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
1848         struct l2cap_conn_rsp rsp;
1849         struct sock *sk, *parent;
1850         int result, status = L2CAP_CS_NO_INFO;
1851
1852         u16 dcid = 0, scid = __le16_to_cpu(req->scid);
1853         __le16 psm = req->psm;
1854
1855         BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
1856
1857         /* Check if we have socket listening on psm */
1858         parent = l2cap_get_sock_by_psm(BT_LISTEN, psm, conn->src);
1859         if (!parent) {
1860                 result = L2CAP_CR_BAD_PSM;
1861                 goto sendresp;
1862         }
1863
1864         /* Check if the ACL is secure enough (if not SDP) */
1865         if (psm != cpu_to_le16(0x0001) &&
1866                                 !hci_conn_check_link_mode(conn->hcon)) {
1867                 conn->disc_reason = 0x05;
1868                 result = L2CAP_CR_SEC_BLOCK;
1869                 goto response;
1870         }
1871
1872         result = L2CAP_CR_NO_MEM;
1873
1874         /* Check for backlog size */
1875         if (sk_acceptq_is_full(parent)) {
1876                 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1877                 goto response;
1878         }
1879
1880         sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP, GFP_ATOMIC);
1881         if (!sk)
1882                 goto response;
1883
1884         write_lock_bh(&list->lock);
1885
1886         /* Check if we already have channel with that dcid */
1887         if (__l2cap_get_chan_by_dcid(list, scid)) {
1888                 write_unlock_bh(&list->lock);
1889                 sock_set_flag(sk, SOCK_ZAPPED);
1890                 l2cap_sock_kill(sk);
1891                 goto response;
1892         }
1893
1894         hci_conn_hold(conn->hcon);
1895
1896         l2cap_sock_init(sk, parent);
1897         bacpy(&bt_sk(sk)->src, conn->src);
1898         bacpy(&bt_sk(sk)->dst, conn->dst);
1899         l2cap_pi(sk)->psm  = psm;
1900         l2cap_pi(sk)->dcid = scid;
1901
1902         __l2cap_chan_add(conn, sk, parent);
1903         dcid = l2cap_pi(sk)->scid;
1904
1905         l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
1906
1907         l2cap_pi(sk)->ident = cmd->ident;
1908
1909         if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
1910                 if (l2cap_check_security(sk)) {
1911                         if (bt_sk(sk)->defer_setup) {
1912                                 sk->sk_state = BT_CONNECT2;
1913                                 result = L2CAP_CR_PEND;
1914                                 status = L2CAP_CS_AUTHOR_PEND;
1915                                 parent->sk_data_ready(parent, 0);
1916                         } else {
1917                                 sk->sk_state = BT_CONFIG;
1918                                 result = L2CAP_CR_SUCCESS;
1919                                 status = L2CAP_CS_NO_INFO;
1920                         }
1921                 } else {
1922                         sk->sk_state = BT_CONNECT2;
1923                         result = L2CAP_CR_PEND;
1924                         status = L2CAP_CS_AUTHEN_PEND;
1925                 }
1926         } else {
1927                 sk->sk_state = BT_CONNECT2;
1928                 result = L2CAP_CR_PEND;
1929                 status = L2CAP_CS_NO_INFO;
1930         }
1931
1932         write_unlock_bh(&list->lock);
1933
1934 response:
1935         bh_unlock_sock(parent);
1936
1937 sendresp:
1938         rsp.scid   = cpu_to_le16(scid);
1939         rsp.dcid   = cpu_to_le16(dcid);
1940         rsp.result = cpu_to_le16(result);
1941         rsp.status = cpu_to_le16(status);
1942         l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
1943
1944         if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
1945                 struct l2cap_info_req info;
1946                 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
1947
1948                 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1949                 conn->info_ident = l2cap_get_ident(conn);
1950
1951                 mod_timer(&conn->info_timer, jiffies +
1952                                         msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
1953
1954                 l2cap_send_cmd(conn, conn->info_ident,
1955                                         L2CAP_INFO_REQ, sizeof(info), &info);
1956         }
1957
1958         return 0;
1959 }
1960
1961 static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
1962 {
1963         struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
1964         u16 scid, dcid, result, status;
1965         struct sock *sk;
1966         u8 req[128];
1967
1968         scid   = __le16_to_cpu(rsp->scid);
1969         dcid   = __le16_to_cpu(rsp->dcid);
1970         result = __le16_to_cpu(rsp->result);
1971         status = __le16_to_cpu(rsp->status);
1972
1973         BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status);
1974
1975         if (scid) {
1976                 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
1977                 if (!sk)
1978                         return 0;
1979         } else {
1980                 sk = l2cap_get_chan_by_ident(&conn->chan_list, cmd->ident);
1981                 if (!sk)
1982                         return 0;
1983         }
1984
1985         switch (result) {
1986         case L2CAP_CR_SUCCESS:
1987                 sk->sk_state = BT_CONFIG;
1988                 l2cap_pi(sk)->ident = 0;
1989                 l2cap_pi(sk)->dcid = dcid;
1990                 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
1991
1992                 l2cap_pi(sk)->conf_state &= ~L2CAP_CONF_CONNECT_PEND;
1993
1994                 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
1995                                         l2cap_build_conf_req(sk, req), req);
1996                 break;
1997
1998         case L2CAP_CR_PEND:
1999                 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
2000                 break;
2001
2002         default:
2003                 l2cap_chan_del(sk, ECONNREFUSED);
2004                 break;
2005         }
2006
2007         bh_unlock_sock(sk);
2008         return 0;
2009 }
2010
2011 static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
2012 {
2013         struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
2014         u16 dcid, flags;
2015         u8 rsp[64];
2016         struct sock *sk;
2017         int len;
2018
2019         dcid  = __le16_to_cpu(req->dcid);
2020         flags = __le16_to_cpu(req->flags);
2021
2022         BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
2023
2024         sk = l2cap_get_chan_by_scid(&conn->chan_list, dcid);
2025         if (!sk)
2026                 return -ENOENT;
2027
2028         if (sk->sk_state == BT_DISCONN)
2029                 goto unlock;
2030
2031         /* Reject if config buffer is too small. */
2032         len = cmd_len - sizeof(*req);
2033         if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
2034                 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2035                                 l2cap_build_conf_rsp(sk, rsp,
2036                                         L2CAP_CONF_REJECT, flags), rsp);
2037                 goto unlock;
2038         }
2039
2040         /* Store config. */
2041         memcpy(l2cap_pi(sk)->conf_req + l2cap_pi(sk)->conf_len, req->data, len);
2042         l2cap_pi(sk)->conf_len += len;
2043
2044         if (flags & 0x0001) {
2045                 /* Incomplete config. Send empty response. */
2046                 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2047                                 l2cap_build_conf_rsp(sk, rsp,
2048                                         L2CAP_CONF_SUCCESS, 0x0001), rsp);
2049                 goto unlock;
2050         }
2051
2052         /* Complete config. */
2053         len = l2cap_parse_conf_req(sk, rsp);
2054         if (len < 0)
2055                 goto unlock;
2056
2057         l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
2058
2059         /* Reset config buffer. */
2060         l2cap_pi(sk)->conf_len = 0;
2061
2062         if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE))
2063                 goto unlock;
2064
2065         if (l2cap_pi(sk)->conf_state & L2CAP_CONF_INPUT_DONE) {
2066                 sk->sk_state = BT_CONNECTED;
2067                 l2cap_chan_ready(sk);
2068                 goto unlock;
2069         }
2070
2071         if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT)) {
2072                 u8 buf[64];
2073                 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2074                                         l2cap_build_conf_req(sk, buf), buf);
2075         }
2076
2077 unlock:
2078         bh_unlock_sock(sk);
2079         return 0;
2080 }
2081
2082 static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2083 {
2084         struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
2085         u16 scid, flags, result;
2086         struct sock *sk;
2087
2088         scid   = __le16_to_cpu(rsp->scid);
2089         flags  = __le16_to_cpu(rsp->flags);
2090         result = __le16_to_cpu(rsp->result);
2091
2092         BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x",
2093                         scid, flags, result);
2094
2095         sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
2096         if (!sk)
2097                 return 0;
2098
2099         switch (result) {
2100         case L2CAP_CONF_SUCCESS:
2101                 break;
2102
2103         case L2CAP_CONF_UNACCEPT:
2104                 if (++l2cap_pi(sk)->conf_retry < L2CAP_CONF_MAX_RETRIES) {
2105                         char req[128];
2106                         /* It does not make sense to adjust L2CAP parameters
2107                          * that are currently defined in the spec. We simply
2108                          * resend config request that we sent earlier. It is
2109                          * stupid, but it helps qualification testing which
2110                          * expects at least some response from us. */
2111                         l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2112                                                 l2cap_build_conf_req(sk, req), req);
2113                         goto done;
2114                 }
2115
2116         default:
2117                 sk->sk_state = BT_DISCONN;
2118                 sk->sk_err = ECONNRESET;
2119                 l2cap_sock_set_timer(sk, HZ * 5);
2120                 {
2121                         struct l2cap_disconn_req req;
2122                         req.dcid = cpu_to_le16(l2cap_pi(sk)->dcid);
2123                         req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
2124                         l2cap_send_cmd(conn, l2cap_get_ident(conn),
2125                                         L2CAP_DISCONN_REQ, sizeof(req), &req);
2126                 }
2127                 goto done;
2128         }
2129
2130         if (flags & 0x01)
2131                 goto done;
2132
2133         l2cap_pi(sk)->conf_state |= L2CAP_CONF_INPUT_DONE;
2134
2135         if (l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE) {
2136                 sk->sk_state = BT_CONNECTED;
2137                 l2cap_chan_ready(sk);
2138         }
2139
2140 done:
2141         bh_unlock_sock(sk);
2142         return 0;
2143 }
2144
2145 static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2146 {
2147         struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
2148         struct l2cap_disconn_rsp rsp;
2149         u16 dcid, scid;
2150         struct sock *sk;
2151
2152         scid = __le16_to_cpu(req->scid);
2153         dcid = __le16_to_cpu(req->dcid);
2154
2155         BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
2156
2157         sk = l2cap_get_chan_by_scid(&conn->chan_list, dcid);
2158         if (!sk)
2159                 return 0;
2160
2161         rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
2162         rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
2163         l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
2164
2165         sk->sk_shutdown = SHUTDOWN_MASK;
2166
2167         l2cap_chan_del(sk, ECONNRESET);
2168         bh_unlock_sock(sk);
2169
2170         l2cap_sock_kill(sk);
2171         return 0;
2172 }
2173
2174 static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2175 {
2176         struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
2177         u16 dcid, scid;
2178         struct sock *sk;
2179
2180         scid = __le16_to_cpu(rsp->scid);
2181         dcid = __le16_to_cpu(rsp->dcid);
2182
2183         BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
2184
2185         sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
2186         if (!sk)
2187                 return 0;
2188
2189         l2cap_chan_del(sk, 0);
2190         bh_unlock_sock(sk);
2191
2192         l2cap_sock_kill(sk);
2193         return 0;
2194 }
2195
2196 static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2197 {
2198         struct l2cap_info_req *req = (struct l2cap_info_req *) data;
2199         u16 type;
2200
2201         type = __le16_to_cpu(req->type);
2202
2203         BT_DBG("type 0x%4.4x", type);
2204
2205         if (type == L2CAP_IT_FEAT_MASK) {
2206                 u8 buf[8];
2207                 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2208                 rsp->type   = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2209                 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
2210                 put_unaligned(cpu_to_le32(l2cap_feat_mask), (__le32 *) rsp->data);
2211                 l2cap_send_cmd(conn, cmd->ident,
2212                                         L2CAP_INFO_RSP, sizeof(buf), buf);
2213         } else if (type == L2CAP_IT_FIXED_CHAN) {
2214                 u8 buf[12];
2215                 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2216                 rsp->type   = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2217                 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
2218                 memcpy(buf + 4, l2cap_fixed_chan, 8);
2219                 l2cap_send_cmd(conn, cmd->ident,
2220                                         L2CAP_INFO_RSP, sizeof(buf), buf);
2221         } else {
2222                 struct l2cap_info_rsp rsp;
2223                 rsp.type   = cpu_to_le16(type);
2224                 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
2225                 l2cap_send_cmd(conn, cmd->ident,
2226                                         L2CAP_INFO_RSP, sizeof(rsp), &rsp);
2227         }
2228
2229         return 0;
2230 }
2231
2232 static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2233 {
2234         struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
2235         u16 type, result;
2236
2237         type   = __le16_to_cpu(rsp->type);
2238         result = __le16_to_cpu(rsp->result);
2239
2240         BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
2241
2242         del_timer(&conn->info_timer);
2243
2244         if (type == L2CAP_IT_FEAT_MASK) {
2245                 conn->feat_mask = get_unaligned_le32(rsp->data);
2246
2247                 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
2248                         struct l2cap_info_req req;
2249                         req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2250
2251                         conn->info_ident = l2cap_get_ident(conn);
2252
2253                         l2cap_send_cmd(conn, conn->info_ident,
2254                                         L2CAP_INFO_REQ, sizeof(req), &req);
2255                 } else {
2256                         conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2257                         conn->info_ident = 0;
2258
2259                         l2cap_conn_start(conn);
2260                 }
2261         } else if (type == L2CAP_IT_FIXED_CHAN) {
2262                 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2263                 conn->info_ident = 0;
2264
2265                 l2cap_conn_start(conn);
2266         }
2267
2268         return 0;
2269 }
2270
2271 static inline void l2cap_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb)
2272 {
2273         u8 *data = skb->data;
2274         int len = skb->len;
2275         struct l2cap_cmd_hdr cmd;
2276         int err = 0;
2277
2278         l2cap_raw_recv(conn, skb);
2279
2280         while (len >= L2CAP_CMD_HDR_SIZE) {
2281                 u16 cmd_len;
2282                 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
2283                 data += L2CAP_CMD_HDR_SIZE;
2284                 len  -= L2CAP_CMD_HDR_SIZE;
2285
2286                 cmd_len = le16_to_cpu(cmd.len);
2287
2288                 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
2289
2290                 if (cmd_len > len || !cmd.ident) {
2291                         BT_DBG("corrupted command");
2292                         break;
2293                 }
2294
2295                 switch (cmd.code) {
2296                 case L2CAP_COMMAND_REJ:
2297                         l2cap_command_rej(conn, &cmd, data);
2298                         break;
2299
2300                 case L2CAP_CONN_REQ:
2301                         err = l2cap_connect_req(conn, &cmd, data);
2302                         break;
2303
2304                 case L2CAP_CONN_RSP:
2305                         err = l2cap_connect_rsp(conn, &cmd, data);
2306                         break;
2307
2308                 case L2CAP_CONF_REQ:
2309                         err = l2cap_config_req(conn, &cmd, cmd_len, data);
2310                         break;
2311
2312                 case L2CAP_CONF_RSP:
2313                         err = l2cap_config_rsp(conn, &cmd, data);
2314                         break;
2315
2316                 case L2CAP_DISCONN_REQ:
2317                         err = l2cap_disconnect_req(conn, &cmd, data);
2318                         break;
2319
2320                 case L2CAP_DISCONN_RSP:
2321                         err = l2cap_disconnect_rsp(conn, &cmd, data);
2322                         break;
2323
2324                 case L2CAP_ECHO_REQ:
2325                         l2cap_send_cmd(conn, cmd.ident, L2CAP_ECHO_RSP, cmd_len, data);
2326                         break;
2327
2328                 case L2CAP_ECHO_RSP:
2329                         break;
2330
2331                 case L2CAP_INFO_REQ:
2332                         err = l2cap_information_req(conn, &cmd, data);
2333                         break;
2334
2335                 case L2CAP_INFO_RSP:
2336                         err = l2cap_information_rsp(conn, &cmd, data);
2337                         break;
2338
2339                 default:
2340                         BT_ERR("Unknown signaling command 0x%2.2x", cmd.code);
2341                         err = -EINVAL;
2342                         break;
2343                 }
2344
2345                 if (err) {
2346                         struct l2cap_cmd_rej rej;
2347                         BT_DBG("error %d", err);
2348
2349                         /* FIXME: Map err to a valid reason */
2350                         rej.reason = cpu_to_le16(0);
2351                         l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
2352                 }
2353
2354                 data += cmd_len;
2355                 len  -= cmd_len;
2356         }
2357
2358         kfree_skb(skb);
2359 }
2360
2361 static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
2362 {
2363         struct sock *sk;
2364
2365         sk = l2cap_get_chan_by_scid(&conn->chan_list, cid);
2366         if (!sk) {
2367                 BT_DBG("unknown cid 0x%4.4x", cid);
2368                 goto drop;
2369         }
2370
2371         BT_DBG("sk %p, len %d", sk, skb->len);
2372
2373         if (sk->sk_state != BT_CONNECTED)
2374                 goto drop;
2375
2376         if (l2cap_pi(sk)->imtu < skb->len)
2377                 goto drop;
2378
2379         /* If socket recv buffers overflows we drop data here
2380          * which is *bad* because L2CAP has to be reliable.
2381          * But we don't have any other choice. L2CAP doesn't
2382          * provide flow control mechanism. */
2383
2384         if (!sock_queue_rcv_skb(sk, skb))
2385                 goto done;
2386
2387 drop:
2388         kfree_skb(skb);
2389
2390 done:
2391         if (sk)
2392                 bh_unlock_sock(sk);
2393
2394         return 0;
2395 }
2396
2397 static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
2398 {
2399         struct sock *sk;
2400
2401         sk = l2cap_get_sock_by_psm(0, psm, conn->src);
2402         if (!sk)
2403                 goto drop;
2404
2405         BT_DBG("sk %p, len %d", sk, skb->len);
2406
2407         if (sk->sk_state != BT_BOUND && sk->sk_state != BT_CONNECTED)
2408                 goto drop;
2409
2410         if (l2cap_pi(sk)->imtu < skb->len)
2411                 goto drop;
2412
2413         if (!sock_queue_rcv_skb(sk, skb))
2414                 goto done;
2415
2416 drop:
2417         kfree_skb(skb);
2418
2419 done:
2420         if (sk)
2421                 bh_unlock_sock(sk);
2422         return 0;
2423 }
2424
2425 static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
2426 {
2427         struct l2cap_hdr *lh = (void *) skb->data;
2428         u16 cid, len;
2429         __le16 psm;
2430
2431         skb_pull(skb, L2CAP_HDR_SIZE);
2432         cid = __le16_to_cpu(lh->cid);
2433         len = __le16_to_cpu(lh->len);
2434
2435         BT_DBG("len %d, cid 0x%4.4x", len, cid);
2436
2437         switch (cid) {
2438         case L2CAP_CID_SIGNALING:
2439                 l2cap_sig_channel(conn, skb);
2440                 break;
2441
2442         case L2CAP_CID_CONN_LESS:
2443                 psm = get_unaligned((__le16 *) skb->data);
2444                 skb_pull(skb, 2);
2445                 l2cap_conless_channel(conn, psm, skb);
2446                 break;
2447
2448         default:
2449                 l2cap_data_channel(conn, cid, skb);
2450                 break;
2451         }
2452 }
2453
2454 /* ---- L2CAP interface with lower layer (HCI) ---- */
2455
2456 static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
2457 {
2458         int exact = 0, lm1 = 0, lm2 = 0;
2459         register struct sock *sk;
2460         struct hlist_node *node;
2461
2462         if (type != ACL_LINK)
2463                 return 0;
2464
2465         BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
2466
2467         /* Find listening sockets and check their link_mode */
2468         read_lock(&l2cap_sk_list.lock);
2469         sk_for_each(sk, node, &l2cap_sk_list.head) {
2470                 if (sk->sk_state != BT_LISTEN)
2471                         continue;
2472
2473                 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2474                         lm1 |= HCI_LM_ACCEPT;
2475                         if (l2cap_pi(sk)->role_switch)
2476                                 lm1 |= HCI_LM_MASTER;
2477                         exact++;
2478                 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
2479                         lm2 |= HCI_LM_ACCEPT;
2480                         if (l2cap_pi(sk)->role_switch)
2481                                 lm2 |= HCI_LM_MASTER;
2482                 }
2483         }
2484         read_unlock(&l2cap_sk_list.lock);
2485
2486         return exact ? lm1 : lm2;
2487 }
2488
2489 static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
2490 {
2491         struct l2cap_conn *conn;
2492
2493         BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
2494
2495         if (hcon->type != ACL_LINK)
2496                 return 0;
2497
2498         if (!status) {
2499                 conn = l2cap_conn_add(hcon, status);
2500                 if (conn)
2501                         l2cap_conn_ready(conn);
2502         } else
2503                 l2cap_conn_del(hcon, bt_err(status));
2504
2505         return 0;
2506 }
2507
2508 static int l2cap_disconn_ind(struct hci_conn *hcon)
2509 {
2510         struct l2cap_conn *conn = hcon->l2cap_data;
2511
2512         BT_DBG("hcon %p", hcon);
2513
2514         if (hcon->type != ACL_LINK || !conn)
2515                 return 0x13;
2516
2517         return conn->disc_reason;
2518 }
2519
2520 static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
2521 {
2522         BT_DBG("hcon %p reason %d", hcon, reason);
2523
2524         if (hcon->type != ACL_LINK)
2525                 return 0;
2526
2527         l2cap_conn_del(hcon, bt_err(reason));
2528
2529         return 0;
2530 }
2531
2532 static inline void l2cap_check_encryption(struct sock *sk, u8 encrypt)
2533 {
2534         if (sk->sk_type != SOCK_SEQPACKET)
2535                 return;
2536
2537         if (encrypt == 0x00) {
2538                 if (l2cap_pi(sk)->sec_level == BT_SECURITY_MEDIUM) {
2539                         l2cap_sock_clear_timer(sk);
2540                         l2cap_sock_set_timer(sk, HZ * 5);
2541                 } else if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
2542                         __l2cap_sock_close(sk, ECONNREFUSED);
2543         } else {
2544                 if (l2cap_pi(sk)->sec_level == BT_SECURITY_MEDIUM)
2545                         l2cap_sock_clear_timer(sk);
2546         }
2547 }
2548
2549 static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
2550 {
2551         struct l2cap_chan_list *l;
2552         struct l2cap_conn *conn = hcon->l2cap_data;
2553         struct sock *sk;
2554
2555         if (!conn)
2556                 return 0;
2557
2558         l = &conn->chan_list;
2559
2560         BT_DBG("conn %p", conn);
2561
2562         read_lock(&l->lock);
2563
2564         for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
2565                 bh_lock_sock(sk);
2566
2567                 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_CONNECT_PEND) {
2568                         bh_unlock_sock(sk);
2569                         continue;
2570                 }
2571
2572                 if (!status && (sk->sk_state == BT_CONNECTED ||
2573                                                 sk->sk_state == BT_CONFIG)) {
2574                         l2cap_check_encryption(sk, encrypt);
2575                         bh_unlock_sock(sk);
2576                         continue;
2577                 }
2578
2579                 if (sk->sk_state == BT_CONNECT) {
2580                         if (!status) {
2581                                 struct l2cap_conn_req req;
2582                                 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
2583                                 req.psm  = l2cap_pi(sk)->psm;
2584
2585                                 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
2586
2587                                 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
2588                                         L2CAP_CONN_REQ, sizeof(req), &req);
2589                         } else {
2590                                 l2cap_sock_clear_timer(sk);
2591                                 l2cap_sock_set_timer(sk, HZ / 10);
2592                         }
2593                 } else if (sk->sk_state == BT_CONNECT2) {
2594                         struct l2cap_conn_rsp rsp;
2595                         __u16 result;
2596
2597                         if (!status) {
2598                                 sk->sk_state = BT_CONFIG;
2599                                 result = L2CAP_CR_SUCCESS;
2600                         } else {
2601                                 sk->sk_state = BT_DISCONN;
2602                                 l2cap_sock_set_timer(sk, HZ / 10);
2603                                 result = L2CAP_CR_SEC_BLOCK;
2604                         }
2605
2606                         rsp.scid   = cpu_to_le16(l2cap_pi(sk)->dcid);
2607                         rsp.dcid   = cpu_to_le16(l2cap_pi(sk)->scid);
2608                         rsp.result = cpu_to_le16(result);
2609                         rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
2610                         l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
2611                                         L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2612                 }
2613
2614                 bh_unlock_sock(sk);
2615         }
2616
2617         read_unlock(&l->lock);
2618
2619         return 0;
2620 }
2621
2622 static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
2623 {
2624         struct l2cap_conn *conn = hcon->l2cap_data;
2625
2626         if (!conn && !(conn = l2cap_conn_add(hcon, 0)))
2627                 goto drop;
2628
2629         BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
2630
2631         if (flags & ACL_START) {
2632                 struct l2cap_hdr *hdr;
2633                 int len;
2634
2635                 if (conn->rx_len) {
2636                         BT_ERR("Unexpected start frame (len %d)", skb->len);
2637                         kfree_skb(conn->rx_skb);
2638                         conn->rx_skb = NULL;
2639                         conn->rx_len = 0;
2640                         l2cap_conn_unreliable(conn, ECOMM);
2641                 }
2642
2643                 if (skb->len < 2) {
2644                         BT_ERR("Frame is too short (len %d)", skb->len);
2645                         l2cap_conn_unreliable(conn, ECOMM);
2646                         goto drop;
2647                 }
2648
2649                 hdr = (struct l2cap_hdr *) skb->data;
2650                 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
2651
2652                 if (len == skb->len) {
2653                         /* Complete frame received */
2654                         l2cap_recv_frame(conn, skb);
2655                         return 0;
2656                 }
2657
2658                 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
2659
2660                 if (skb->len > len) {
2661                         BT_ERR("Frame is too long (len %d, expected len %d)",
2662                                 skb->len, len);
2663                         l2cap_conn_unreliable(conn, ECOMM);
2664                         goto drop;
2665                 }
2666
2667                 /* Allocate skb for the complete frame (with header) */
2668                 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
2669                 if (!conn->rx_skb)
2670                         goto drop;
2671
2672                 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2673                                                                 skb->len);
2674                 conn->rx_len = len - skb->len;
2675         } else {
2676                 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
2677
2678                 if (!conn->rx_len) {
2679                         BT_ERR("Unexpected continuation frame (len %d)", skb->len);
2680                         l2cap_conn_unreliable(conn, ECOMM);
2681                         goto drop;
2682                 }
2683
2684                 if (skb->len > conn->rx_len) {
2685                         BT_ERR("Fragment is too long (len %d, expected %d)",
2686                                         skb->len, conn->rx_len);
2687                         kfree_skb(conn->rx_skb);
2688                         conn->rx_skb = NULL;
2689                         conn->rx_len = 0;
2690                         l2cap_conn_unreliable(conn, ECOMM);
2691                         goto drop;
2692                 }
2693
2694                 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2695                                                                 skb->len);
2696                 conn->rx_len -= skb->len;
2697
2698                 if (!conn->rx_len) {
2699                         /* Complete frame received */
2700                         l2cap_recv_frame(conn, conn->rx_skb);
2701                         conn->rx_skb = NULL;
2702                 }
2703         }
2704
2705 drop:
2706         kfree_skb(skb);
2707         return 0;
2708 }
2709
2710 static ssize_t l2cap_sysfs_show(struct class *dev, char *buf)
2711 {
2712         struct sock *sk;
2713         struct hlist_node *node;
2714         char *str = buf;
2715
2716         read_lock_bh(&l2cap_sk_list.lock);
2717
2718         sk_for_each(sk, node, &l2cap_sk_list.head) {
2719                 struct l2cap_pinfo *pi = l2cap_pi(sk);
2720
2721                 str += sprintf(str, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d\n",
2722                                 batostr(&bt_sk(sk)->src), batostr(&bt_sk(sk)->dst),
2723                                 sk->sk_state, btohs(pi->psm), pi->scid, pi->dcid,
2724                                 pi->imtu, pi->omtu, pi->sec_level);
2725         }
2726
2727         read_unlock_bh(&l2cap_sk_list.lock);
2728
2729         return str - buf;
2730 }
2731
2732 static CLASS_ATTR(l2cap, S_IRUGO, l2cap_sysfs_show, NULL);
2733
2734 static const struct proto_ops l2cap_sock_ops = {
2735         .family         = PF_BLUETOOTH,
2736         .owner          = THIS_MODULE,
2737         .release        = l2cap_sock_release,
2738         .bind           = l2cap_sock_bind,
2739         .connect        = l2cap_sock_connect,
2740         .listen         = l2cap_sock_listen,
2741         .accept         = l2cap_sock_accept,
2742         .getname        = l2cap_sock_getname,
2743         .sendmsg        = l2cap_sock_sendmsg,
2744         .recvmsg        = l2cap_sock_recvmsg,
2745         .poll           = bt_sock_poll,
2746         .ioctl          = bt_sock_ioctl,
2747         .mmap           = sock_no_mmap,
2748         .socketpair     = sock_no_socketpair,
2749         .shutdown       = l2cap_sock_shutdown,
2750         .setsockopt     = l2cap_sock_setsockopt,
2751         .getsockopt     = l2cap_sock_getsockopt
2752 };
2753
2754 static struct net_proto_family l2cap_sock_family_ops = {
2755         .family = PF_BLUETOOTH,
2756         .owner  = THIS_MODULE,
2757         .create = l2cap_sock_create,
2758 };
2759
2760 static struct hci_proto l2cap_hci_proto = {
2761         .name           = "L2CAP",
2762         .id             = HCI_PROTO_L2CAP,
2763         .connect_ind    = l2cap_connect_ind,
2764         .connect_cfm    = l2cap_connect_cfm,
2765         .disconn_ind    = l2cap_disconn_ind,
2766         .disconn_cfm    = l2cap_disconn_cfm,
2767         .security_cfm   = l2cap_security_cfm,
2768         .recv_acldata   = l2cap_recv_acldata
2769 };
2770
2771 static int __init l2cap_init(void)
2772 {
2773         int err;
2774
2775         err = proto_register(&l2cap_proto, 0);
2776         if (err < 0)
2777                 return err;
2778
2779         err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
2780         if (err < 0) {
2781                 BT_ERR("L2CAP socket registration failed");
2782                 goto error;
2783         }
2784
2785         err = hci_register_proto(&l2cap_hci_proto);
2786         if (err < 0) {
2787                 BT_ERR("L2CAP protocol registration failed");
2788                 bt_sock_unregister(BTPROTO_L2CAP);
2789                 goto error;
2790         }
2791
2792         if (class_create_file(bt_class, &class_attr_l2cap) < 0)
2793                 BT_ERR("Failed to create L2CAP info file");
2794
2795         BT_INFO("L2CAP ver %s", VERSION);
2796         BT_INFO("L2CAP socket layer initialized");
2797
2798         return 0;
2799
2800 error:
2801         proto_unregister(&l2cap_proto);
2802         return err;
2803 }
2804
2805 static void __exit l2cap_exit(void)
2806 {
2807         class_remove_file(bt_class, &class_attr_l2cap);
2808
2809         if (bt_sock_unregister(BTPROTO_L2CAP) < 0)
2810                 BT_ERR("L2CAP socket unregistration failed");
2811
2812         if (hci_unregister_proto(&l2cap_hci_proto) < 0)
2813                 BT_ERR("L2CAP protocol unregistration failed");
2814
2815         proto_unregister(&l2cap_proto);
2816 }
2817
2818 void l2cap_load(void)
2819 {
2820         /* Dummy function to trigger automatic L2CAP module loading by
2821          * other modules that use L2CAP sockets but don't use any other
2822          * symbols from it. */
2823         return;
2824 }
2825 EXPORT_SYMBOL(l2cap_load);
2826
2827 module_init(l2cap_init);
2828 module_exit(l2cap_exit);
2829
2830 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
2831 MODULE_DESCRIPTION("Bluetooth L2CAP ver " VERSION);
2832 MODULE_VERSION(VERSION);
2833 MODULE_LICENSE("GPL");
2834 MODULE_ALIAS("bt-proto-0");