Bluetooth: Allow setting of L2CAP ERTM via socket option
[pandora-kernel.git] / net / bluetooth / l2cap.c
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (C) 2000-2001 Qualcomm Incorporated
4
5    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
6
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License version 2 as
9    published by the Free Software Foundation;
10
11    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19
20    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22    SOFTWARE IS DISCLAIMED.
23 */
24
25 /* Bluetooth L2CAP core and sockets. */
26
27 #include <linux/module.h>
28
29 #include <linux/types.h>
30 #include <linux/capability.h>
31 #include <linux/errno.h>
32 #include <linux/kernel.h>
33 #include <linux/sched.h>
34 #include <linux/slab.h>
35 #include <linux/poll.h>
36 #include <linux/fcntl.h>
37 #include <linux/init.h>
38 #include <linux/interrupt.h>
39 #include <linux/socket.h>
40 #include <linux/skbuff.h>
41 #include <linux/list.h>
42 #include <linux/device.h>
43 #include <linux/uaccess.h>
44 #include <net/sock.h>
45
46 #include <asm/system.h>
47 #include <asm/unaligned.h>
48
49 #include <net/bluetooth/bluetooth.h>
50 #include <net/bluetooth/hci_core.h>
51 #include <net/bluetooth/l2cap.h>
52
53 #define VERSION "2.14"
54
55 static int enable_ertm = 0;
56
57 static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
58 static u8 l2cap_fixed_chan[8] = { 0x02, };
59
60 static const struct proto_ops l2cap_sock_ops;
61
62 static struct bt_sock_list l2cap_sk_list = {
63         .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
64 };
65
66 static void __l2cap_sock_close(struct sock *sk, int reason);
67 static void l2cap_sock_close(struct sock *sk);
68 static void l2cap_sock_kill(struct sock *sk);
69
70 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
71                                 u8 code, u8 ident, u16 dlen, void *data);
72
73 /* ---- L2CAP timers ---- */
74 static void l2cap_sock_timeout(unsigned long arg)
75 {
76         struct sock *sk = (struct sock *) arg;
77         int reason;
78
79         BT_DBG("sock %p state %d", sk, sk->sk_state);
80
81         bh_lock_sock(sk);
82
83         if (sk->sk_state == BT_CONNECTED || sk->sk_state == BT_CONFIG)
84                 reason = ECONNREFUSED;
85         else if (sk->sk_state == BT_CONNECT &&
86                                 l2cap_pi(sk)->sec_level != BT_SECURITY_SDP)
87                 reason = ECONNREFUSED;
88         else
89                 reason = ETIMEDOUT;
90
91         __l2cap_sock_close(sk, reason);
92
93         bh_unlock_sock(sk);
94
95         l2cap_sock_kill(sk);
96         sock_put(sk);
97 }
98
99 static void l2cap_sock_set_timer(struct sock *sk, long timeout)
100 {
101         BT_DBG("sk %p state %d timeout %ld", sk, sk->sk_state, timeout);
102         sk_reset_timer(sk, &sk->sk_timer, jiffies + timeout);
103 }
104
105 static void l2cap_sock_clear_timer(struct sock *sk)
106 {
107         BT_DBG("sock %p state %d", sk, sk->sk_state);
108         sk_stop_timer(sk, &sk->sk_timer);
109 }
110
111 /* ---- L2CAP channels ---- */
112 static struct sock *__l2cap_get_chan_by_dcid(struct l2cap_chan_list *l, u16 cid)
113 {
114         struct sock *s;
115         for (s = l->head; s; s = l2cap_pi(s)->next_c) {
116                 if (l2cap_pi(s)->dcid == cid)
117                         break;
118         }
119         return s;
120 }
121
122 static struct sock *__l2cap_get_chan_by_scid(struct l2cap_chan_list *l, u16 cid)
123 {
124         struct sock *s;
125         for (s = l->head; s; s = l2cap_pi(s)->next_c) {
126                 if (l2cap_pi(s)->scid == cid)
127                         break;
128         }
129         return s;
130 }
131
132 /* Find channel with given SCID.
133  * Returns locked socket */
134 static inline struct sock *l2cap_get_chan_by_scid(struct l2cap_chan_list *l, u16 cid)
135 {
136         struct sock *s;
137         read_lock(&l->lock);
138         s = __l2cap_get_chan_by_scid(l, cid);
139         if (s)
140                 bh_lock_sock(s);
141         read_unlock(&l->lock);
142         return s;
143 }
144
145 static struct sock *__l2cap_get_chan_by_ident(struct l2cap_chan_list *l, u8 ident)
146 {
147         struct sock *s;
148         for (s = l->head; s; s = l2cap_pi(s)->next_c) {
149                 if (l2cap_pi(s)->ident == ident)
150                         break;
151         }
152         return s;
153 }
154
155 static inline struct sock *l2cap_get_chan_by_ident(struct l2cap_chan_list *l, u8 ident)
156 {
157         struct sock *s;
158         read_lock(&l->lock);
159         s = __l2cap_get_chan_by_ident(l, ident);
160         if (s)
161                 bh_lock_sock(s);
162         read_unlock(&l->lock);
163         return s;
164 }
165
166 static u16 l2cap_alloc_cid(struct l2cap_chan_list *l)
167 {
168         u16 cid = L2CAP_CID_DYN_START;
169
170         for (; cid < L2CAP_CID_DYN_END; cid++) {
171                 if (!__l2cap_get_chan_by_scid(l, cid))
172                         return cid;
173         }
174
175         return 0;
176 }
177
178 static inline void __l2cap_chan_link(struct l2cap_chan_list *l, struct sock *sk)
179 {
180         sock_hold(sk);
181
182         if (l->head)
183                 l2cap_pi(l->head)->prev_c = sk;
184
185         l2cap_pi(sk)->next_c = l->head;
186         l2cap_pi(sk)->prev_c = NULL;
187         l->head = sk;
188 }
189
190 static inline void l2cap_chan_unlink(struct l2cap_chan_list *l, struct sock *sk)
191 {
192         struct sock *next = l2cap_pi(sk)->next_c, *prev = l2cap_pi(sk)->prev_c;
193
194         write_lock_bh(&l->lock);
195         if (sk == l->head)
196                 l->head = next;
197
198         if (next)
199                 l2cap_pi(next)->prev_c = prev;
200         if (prev)
201                 l2cap_pi(prev)->next_c = next;
202         write_unlock_bh(&l->lock);
203
204         __sock_put(sk);
205 }
206
207 static void __l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent)
208 {
209         struct l2cap_chan_list *l = &conn->chan_list;
210
211         BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
212                         l2cap_pi(sk)->psm, l2cap_pi(sk)->dcid);
213
214         conn->disc_reason = 0x13;
215
216         l2cap_pi(sk)->conn = conn;
217
218         if (sk->sk_type == SOCK_SEQPACKET) {
219                 /* Alloc CID for connection-oriented socket */
220                 l2cap_pi(sk)->scid = l2cap_alloc_cid(l);
221         } else if (sk->sk_type == SOCK_DGRAM) {
222                 /* Connectionless socket */
223                 l2cap_pi(sk)->scid = L2CAP_CID_CONN_LESS;
224                 l2cap_pi(sk)->dcid = L2CAP_CID_CONN_LESS;
225                 l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU;
226         } else {
227                 /* Raw socket can send/recv signalling messages only */
228                 l2cap_pi(sk)->scid = L2CAP_CID_SIGNALING;
229                 l2cap_pi(sk)->dcid = L2CAP_CID_SIGNALING;
230                 l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU;
231         }
232
233         __l2cap_chan_link(l, sk);
234
235         if (parent)
236                 bt_accept_enqueue(parent, sk);
237 }
238
239 /* Delete channel.
240  * Must be called on the locked socket. */
241 static void l2cap_chan_del(struct sock *sk, int err)
242 {
243         struct l2cap_conn *conn = l2cap_pi(sk)->conn;
244         struct sock *parent = bt_sk(sk)->parent;
245
246         l2cap_sock_clear_timer(sk);
247
248         BT_DBG("sk %p, conn %p, err %d", sk, conn, err);
249
250         if (conn) {
251                 /* Unlink from channel list */
252                 l2cap_chan_unlink(&conn->chan_list, sk);
253                 l2cap_pi(sk)->conn = NULL;
254                 hci_conn_put(conn->hcon);
255         }
256
257         sk->sk_state = BT_CLOSED;
258         sock_set_flag(sk, SOCK_ZAPPED);
259
260         if (err)
261                 sk->sk_err = err;
262
263         if (parent) {
264                 bt_accept_unlink(sk);
265                 parent->sk_data_ready(parent, 0);
266         } else
267                 sk->sk_state_change(sk);
268 }
269
270 /* Service level security */
271 static inline int l2cap_check_security(struct sock *sk)
272 {
273         struct l2cap_conn *conn = l2cap_pi(sk)->conn;
274         __u8 auth_type;
275
276         if (l2cap_pi(sk)->psm == cpu_to_le16(0x0001)) {
277                 if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
278                         auth_type = HCI_AT_NO_BONDING_MITM;
279                 else
280                         auth_type = HCI_AT_NO_BONDING;
281
282                 if (l2cap_pi(sk)->sec_level == BT_SECURITY_LOW)
283                         l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
284         } else {
285                 switch (l2cap_pi(sk)->sec_level) {
286                 case BT_SECURITY_HIGH:
287                         auth_type = HCI_AT_GENERAL_BONDING_MITM;
288                         break;
289                 case BT_SECURITY_MEDIUM:
290                         auth_type = HCI_AT_GENERAL_BONDING;
291                         break;
292                 default:
293                         auth_type = HCI_AT_NO_BONDING;
294                         break;
295                 }
296         }
297
298         return hci_conn_security(conn->hcon, l2cap_pi(sk)->sec_level,
299                                                                 auth_type);
300 }
301
302 static inline u8 l2cap_get_ident(struct l2cap_conn *conn)
303 {
304         u8 id;
305
306         /* Get next available identificator.
307          *    1 - 128 are used by kernel.
308          *  129 - 199 are reserved.
309          *  200 - 254 are used by utilities like l2ping, etc.
310          */
311
312         spin_lock_bh(&conn->lock);
313
314         if (++conn->tx_ident > 128)
315                 conn->tx_ident = 1;
316
317         id = conn->tx_ident;
318
319         spin_unlock_bh(&conn->lock);
320
321         return id;
322 }
323
324 static inline int l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
325 {
326         struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
327
328         BT_DBG("code 0x%2.2x", code);
329
330         if (!skb)
331                 return -ENOMEM;
332
333         return hci_send_acl(conn->hcon, skb, 0);
334 }
335
336 static void l2cap_do_start(struct sock *sk)
337 {
338         struct l2cap_conn *conn = l2cap_pi(sk)->conn;
339
340         if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
341                 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
342                         return;
343
344                 if (l2cap_check_security(sk)) {
345                         struct l2cap_conn_req req;
346                         req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
347                         req.psm  = l2cap_pi(sk)->psm;
348
349                         l2cap_pi(sk)->ident = l2cap_get_ident(conn);
350
351                         l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
352                                         L2CAP_CONN_REQ, sizeof(req), &req);
353                 }
354         } else {
355                 struct l2cap_info_req req;
356                 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
357
358                 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
359                 conn->info_ident = l2cap_get_ident(conn);
360
361                 mod_timer(&conn->info_timer, jiffies +
362                                         msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
363
364                 l2cap_send_cmd(conn, conn->info_ident,
365                                         L2CAP_INFO_REQ, sizeof(req), &req);
366         }
367 }
368
369 /* ---- L2CAP connections ---- */
370 static void l2cap_conn_start(struct l2cap_conn *conn)
371 {
372         struct l2cap_chan_list *l = &conn->chan_list;
373         struct sock *sk;
374
375         BT_DBG("conn %p", conn);
376
377         read_lock(&l->lock);
378
379         for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
380                 bh_lock_sock(sk);
381
382                 if (sk->sk_type != SOCK_SEQPACKET) {
383                         bh_unlock_sock(sk);
384                         continue;
385                 }
386
387                 if (sk->sk_state == BT_CONNECT) {
388                         if (l2cap_check_security(sk)) {
389                                 struct l2cap_conn_req req;
390                                 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
391                                 req.psm  = l2cap_pi(sk)->psm;
392
393                                 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
394
395                                 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
396                                         L2CAP_CONN_REQ, sizeof(req), &req);
397                         }
398                 } else if (sk->sk_state == BT_CONNECT2) {
399                         struct l2cap_conn_rsp rsp;
400                         rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
401                         rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
402
403                         if (l2cap_check_security(sk)) {
404                                 if (bt_sk(sk)->defer_setup) {
405                                         struct sock *parent = bt_sk(sk)->parent;
406                                         rsp.result = cpu_to_le16(L2CAP_CR_PEND);
407                                         rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
408                                         parent->sk_data_ready(parent, 0);
409
410                                 } else {
411                                         sk->sk_state = BT_CONFIG;
412                                         rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
413                                         rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
414                                 }
415                         } else {
416                                 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
417                                 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
418                         }
419
420                         l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
421                                         L2CAP_CONN_RSP, sizeof(rsp), &rsp);
422                 }
423
424                 bh_unlock_sock(sk);
425         }
426
427         read_unlock(&l->lock);
428 }
429
430 static void l2cap_conn_ready(struct l2cap_conn *conn)
431 {
432         struct l2cap_chan_list *l = &conn->chan_list;
433         struct sock *sk;
434
435         BT_DBG("conn %p", conn);
436
437         read_lock(&l->lock);
438
439         for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
440                 bh_lock_sock(sk);
441
442                 if (sk->sk_type != SOCK_SEQPACKET) {
443                         l2cap_sock_clear_timer(sk);
444                         sk->sk_state = BT_CONNECTED;
445                         sk->sk_state_change(sk);
446                 } else if (sk->sk_state == BT_CONNECT)
447                         l2cap_do_start(sk);
448
449                 bh_unlock_sock(sk);
450         }
451
452         read_unlock(&l->lock);
453 }
454
455 /* Notify sockets that we cannot guaranty reliability anymore */
456 static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
457 {
458         struct l2cap_chan_list *l = &conn->chan_list;
459         struct sock *sk;
460
461         BT_DBG("conn %p", conn);
462
463         read_lock(&l->lock);
464
465         for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
466                 if (l2cap_pi(sk)->force_reliable)
467                         sk->sk_err = err;
468         }
469
470         read_unlock(&l->lock);
471 }
472
473 static void l2cap_info_timeout(unsigned long arg)
474 {
475         struct l2cap_conn *conn = (void *) arg;
476
477         conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
478         conn->info_ident = 0;
479
480         l2cap_conn_start(conn);
481 }
482
483 static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
484 {
485         struct l2cap_conn *conn = hcon->l2cap_data;
486
487         if (conn || status)
488                 return conn;
489
490         conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
491         if (!conn)
492                 return NULL;
493
494         hcon->l2cap_data = conn;
495         conn->hcon = hcon;
496
497         BT_DBG("hcon %p conn %p", hcon, conn);
498
499         conn->mtu = hcon->hdev->acl_mtu;
500         conn->src = &hcon->hdev->bdaddr;
501         conn->dst = &hcon->dst;
502
503         conn->feat_mask = 0;
504
505         setup_timer(&conn->info_timer, l2cap_info_timeout,
506                                                 (unsigned long) conn);
507
508         spin_lock_init(&conn->lock);
509         rwlock_init(&conn->chan_list.lock);
510
511         conn->disc_reason = 0x13;
512
513         return conn;
514 }
515
516 static void l2cap_conn_del(struct hci_conn *hcon, int err)
517 {
518         struct l2cap_conn *conn = hcon->l2cap_data;
519         struct sock *sk;
520
521         if (!conn)
522                 return;
523
524         BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
525
526         kfree_skb(conn->rx_skb);
527
528         /* Kill channels */
529         while ((sk = conn->chan_list.head)) {
530                 bh_lock_sock(sk);
531                 l2cap_chan_del(sk, err);
532                 bh_unlock_sock(sk);
533                 l2cap_sock_kill(sk);
534         }
535
536         if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
537                 del_timer_sync(&conn->info_timer);
538
539         hcon->l2cap_data = NULL;
540         kfree(conn);
541 }
542
543 static inline void l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent)
544 {
545         struct l2cap_chan_list *l = &conn->chan_list;
546         write_lock_bh(&l->lock);
547         __l2cap_chan_add(conn, sk, parent);
548         write_unlock_bh(&l->lock);
549 }
550
551 /* ---- Socket interface ---- */
552 static struct sock *__l2cap_get_sock_by_addr(__le16 psm, bdaddr_t *src)
553 {
554         struct sock *sk;
555         struct hlist_node *node;
556         sk_for_each(sk, node, &l2cap_sk_list.head)
557                 if (l2cap_pi(sk)->sport == psm && !bacmp(&bt_sk(sk)->src, src))
558                         goto found;
559         sk = NULL;
560 found:
561         return sk;
562 }
563
564 /* Find socket with psm and source bdaddr.
565  * Returns closest match.
566  */
567 static struct sock *__l2cap_get_sock_by_psm(int state, __le16 psm, bdaddr_t *src)
568 {
569         struct sock *sk = NULL, *sk1 = NULL;
570         struct hlist_node *node;
571
572         sk_for_each(sk, node, &l2cap_sk_list.head) {
573                 if (state && sk->sk_state != state)
574                         continue;
575
576                 if (l2cap_pi(sk)->psm == psm) {
577                         /* Exact match. */
578                         if (!bacmp(&bt_sk(sk)->src, src))
579                                 break;
580
581                         /* Closest match */
582                         if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
583                                 sk1 = sk;
584                 }
585         }
586         return node ? sk : sk1;
587 }
588
589 /* Find socket with given address (psm, src).
590  * Returns locked socket */
591 static inline struct sock *l2cap_get_sock_by_psm(int state, __le16 psm, bdaddr_t *src)
592 {
593         struct sock *s;
594         read_lock(&l2cap_sk_list.lock);
595         s = __l2cap_get_sock_by_psm(state, psm, src);
596         if (s)
597                 bh_lock_sock(s);
598         read_unlock(&l2cap_sk_list.lock);
599         return s;
600 }
601
602 static void l2cap_sock_destruct(struct sock *sk)
603 {
604         BT_DBG("sk %p", sk);
605
606         skb_queue_purge(&sk->sk_receive_queue);
607         skb_queue_purge(&sk->sk_write_queue);
608 }
609
610 static void l2cap_sock_cleanup_listen(struct sock *parent)
611 {
612         struct sock *sk;
613
614         BT_DBG("parent %p", parent);
615
616         /* Close not yet accepted channels */
617         while ((sk = bt_accept_dequeue(parent, NULL)))
618                 l2cap_sock_close(sk);
619
620         parent->sk_state = BT_CLOSED;
621         sock_set_flag(parent, SOCK_ZAPPED);
622 }
623
624 /* Kill socket (only if zapped and orphan)
625  * Must be called on unlocked socket.
626  */
627 static void l2cap_sock_kill(struct sock *sk)
628 {
629         if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
630                 return;
631
632         BT_DBG("sk %p state %d", sk, sk->sk_state);
633
634         /* Kill poor orphan */
635         bt_sock_unlink(&l2cap_sk_list, sk);
636         sock_set_flag(sk, SOCK_DEAD);
637         sock_put(sk);
638 }
639
640 static void __l2cap_sock_close(struct sock *sk, int reason)
641 {
642         BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
643
644         switch (sk->sk_state) {
645         case BT_LISTEN:
646                 l2cap_sock_cleanup_listen(sk);
647                 break;
648
649         case BT_CONNECTED:
650         case BT_CONFIG:
651                 if (sk->sk_type == SOCK_SEQPACKET) {
652                         struct l2cap_conn *conn = l2cap_pi(sk)->conn;
653                         struct l2cap_disconn_req req;
654
655                         sk->sk_state = BT_DISCONN;
656                         l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
657
658                         req.dcid = cpu_to_le16(l2cap_pi(sk)->dcid);
659                         req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
660                         l2cap_send_cmd(conn, l2cap_get_ident(conn),
661                                         L2CAP_DISCONN_REQ, sizeof(req), &req);
662                 } else
663                         l2cap_chan_del(sk, reason);
664                 break;
665
666         case BT_CONNECT2:
667                 if (sk->sk_type == SOCK_SEQPACKET) {
668                         struct l2cap_conn *conn = l2cap_pi(sk)->conn;
669                         struct l2cap_conn_rsp rsp;
670                         __u16 result;
671
672                         if (bt_sk(sk)->defer_setup)
673                                 result = L2CAP_CR_SEC_BLOCK;
674                         else
675                                 result = L2CAP_CR_BAD_PSM;
676
677                         rsp.scid   = cpu_to_le16(l2cap_pi(sk)->dcid);
678                         rsp.dcid   = cpu_to_le16(l2cap_pi(sk)->scid);
679                         rsp.result = cpu_to_le16(result);
680                         rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
681                         l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
682                                         L2CAP_CONN_RSP, sizeof(rsp), &rsp);
683                 } else
684                         l2cap_chan_del(sk, reason);
685                 break;
686
687         case BT_CONNECT:
688         case BT_DISCONN:
689                 l2cap_chan_del(sk, reason);
690                 break;
691
692         default:
693                 sock_set_flag(sk, SOCK_ZAPPED);
694                 break;
695         }
696 }
697
698 /* Must be called on unlocked socket. */
699 static void l2cap_sock_close(struct sock *sk)
700 {
701         l2cap_sock_clear_timer(sk);
702         lock_sock(sk);
703         __l2cap_sock_close(sk, ECONNRESET);
704         release_sock(sk);
705         l2cap_sock_kill(sk);
706 }
707
708 static void l2cap_sock_init(struct sock *sk, struct sock *parent)
709 {
710         struct l2cap_pinfo *pi = l2cap_pi(sk);
711
712         BT_DBG("sk %p", sk);
713
714         if (parent) {
715                 sk->sk_type = parent->sk_type;
716                 bt_sk(sk)->defer_setup = bt_sk(parent)->defer_setup;
717
718                 pi->imtu = l2cap_pi(parent)->imtu;
719                 pi->omtu = l2cap_pi(parent)->omtu;
720                 pi->mode = l2cap_pi(parent)->mode;
721                 pi->fcs  = l2cap_pi(parent)->fcs;
722                 pi->sec_level = l2cap_pi(parent)->sec_level;
723                 pi->role_switch = l2cap_pi(parent)->role_switch;
724                 pi->force_reliable = l2cap_pi(parent)->force_reliable;
725         } else {
726                 pi->imtu = L2CAP_DEFAULT_MTU;
727                 pi->omtu = 0;
728                 pi->mode = L2CAP_MODE_BASIC;
729                 pi->fcs  = L2CAP_FCS_CRC16;
730                 pi->sec_level = BT_SECURITY_LOW;
731                 pi->role_switch = 0;
732                 pi->force_reliable = 0;
733         }
734
735         /* Default config options */
736         pi->conf_len = 0;
737         pi->flush_to = L2CAP_DEFAULT_FLUSH_TO;
738 }
739
740 static struct proto l2cap_proto = {
741         .name           = "L2CAP",
742         .owner          = THIS_MODULE,
743         .obj_size       = sizeof(struct l2cap_pinfo)
744 };
745
746 static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio)
747 {
748         struct sock *sk;
749
750         sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto);
751         if (!sk)
752                 return NULL;
753
754         sock_init_data(sock, sk);
755         INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
756
757         sk->sk_destruct = l2cap_sock_destruct;
758         sk->sk_sndtimeo = msecs_to_jiffies(L2CAP_CONN_TIMEOUT);
759
760         sock_reset_flag(sk, SOCK_ZAPPED);
761
762         sk->sk_protocol = proto;
763         sk->sk_state = BT_OPEN;
764
765         setup_timer(&sk->sk_timer, l2cap_sock_timeout, (unsigned long) sk);
766
767         bt_sock_link(&l2cap_sk_list, sk);
768         return sk;
769 }
770
771 static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol)
772 {
773         struct sock *sk;
774
775         BT_DBG("sock %p", sock);
776
777         sock->state = SS_UNCONNECTED;
778
779         if (sock->type != SOCK_SEQPACKET &&
780                         sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
781                 return -ESOCKTNOSUPPORT;
782
783         if (sock->type == SOCK_RAW && !capable(CAP_NET_RAW))
784                 return -EPERM;
785
786         sock->ops = &l2cap_sock_ops;
787
788         sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC);
789         if (!sk)
790                 return -ENOMEM;
791
792         l2cap_sock_init(sk, NULL);
793         return 0;
794 }
795
796 static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
797 {
798         struct sock *sk = sock->sk;
799         struct sockaddr_l2 la;
800         int len, err = 0;
801
802         BT_DBG("sk %p", sk);
803
804         if (!addr || addr->sa_family != AF_BLUETOOTH)
805                 return -EINVAL;
806
807         memset(&la, 0, sizeof(la));
808         len = min_t(unsigned int, sizeof(la), alen);
809         memcpy(&la, addr, len);
810
811         if (la.l2_cid)
812                 return -EINVAL;
813
814         lock_sock(sk);
815
816         if (sk->sk_state != BT_OPEN) {
817                 err = -EBADFD;
818                 goto done;
819         }
820
821         if (la.l2_psm && __le16_to_cpu(la.l2_psm) < 0x1001 &&
822                                 !capable(CAP_NET_BIND_SERVICE)) {
823                 err = -EACCES;
824                 goto done;
825         }
826
827         write_lock_bh(&l2cap_sk_list.lock);
828
829         if (la.l2_psm && __l2cap_get_sock_by_addr(la.l2_psm, &la.l2_bdaddr)) {
830                 err = -EADDRINUSE;
831         } else {
832                 /* Save source address */
833                 bacpy(&bt_sk(sk)->src, &la.l2_bdaddr);
834                 l2cap_pi(sk)->psm   = la.l2_psm;
835                 l2cap_pi(sk)->sport = la.l2_psm;
836                 sk->sk_state = BT_BOUND;
837
838                 if (__le16_to_cpu(la.l2_psm) == 0x0001 ||
839                                         __le16_to_cpu(la.l2_psm) == 0x0003)
840                         l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
841         }
842
843         write_unlock_bh(&l2cap_sk_list.lock);
844
845 done:
846         release_sock(sk);
847         return err;
848 }
849
850 static int l2cap_do_connect(struct sock *sk)
851 {
852         bdaddr_t *src = &bt_sk(sk)->src;
853         bdaddr_t *dst = &bt_sk(sk)->dst;
854         struct l2cap_conn *conn;
855         struct hci_conn *hcon;
856         struct hci_dev *hdev;
857         __u8 auth_type;
858         int err;
859
860         BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
861                                                         l2cap_pi(sk)->psm);
862
863         hdev = hci_get_route(dst, src);
864         if (!hdev)
865                 return -EHOSTUNREACH;
866
867         hci_dev_lock_bh(hdev);
868
869         err = -ENOMEM;
870
871         if (sk->sk_type == SOCK_RAW) {
872                 switch (l2cap_pi(sk)->sec_level) {
873                 case BT_SECURITY_HIGH:
874                         auth_type = HCI_AT_DEDICATED_BONDING_MITM;
875                         break;
876                 case BT_SECURITY_MEDIUM:
877                         auth_type = HCI_AT_DEDICATED_BONDING;
878                         break;
879                 default:
880                         auth_type = HCI_AT_NO_BONDING;
881                         break;
882                 }
883         } else if (l2cap_pi(sk)->psm == cpu_to_le16(0x0001)) {
884                 if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
885                         auth_type = HCI_AT_NO_BONDING_MITM;
886                 else
887                         auth_type = HCI_AT_NO_BONDING;
888
889                 if (l2cap_pi(sk)->sec_level == BT_SECURITY_LOW)
890                         l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
891         } else {
892                 switch (l2cap_pi(sk)->sec_level) {
893                 case BT_SECURITY_HIGH:
894                         auth_type = HCI_AT_GENERAL_BONDING_MITM;
895                         break;
896                 case BT_SECURITY_MEDIUM:
897                         auth_type = HCI_AT_GENERAL_BONDING;
898                         break;
899                 default:
900                         auth_type = HCI_AT_NO_BONDING;
901                         break;
902                 }
903         }
904
905         hcon = hci_connect(hdev, ACL_LINK, dst,
906                                         l2cap_pi(sk)->sec_level, auth_type);
907         if (!hcon)
908                 goto done;
909
910         conn = l2cap_conn_add(hcon, 0);
911         if (!conn) {
912                 hci_conn_put(hcon);
913                 goto done;
914         }
915
916         err = 0;
917
918         /* Update source addr of the socket */
919         bacpy(src, conn->src);
920
921         l2cap_chan_add(conn, sk, NULL);
922
923         sk->sk_state = BT_CONNECT;
924         l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
925
926         if (hcon->state == BT_CONNECTED) {
927                 if (sk->sk_type != SOCK_SEQPACKET) {
928                         l2cap_sock_clear_timer(sk);
929                         sk->sk_state = BT_CONNECTED;
930                 } else
931                         l2cap_do_start(sk);
932         }
933
934 done:
935         hci_dev_unlock_bh(hdev);
936         hci_dev_put(hdev);
937         return err;
938 }
939
940 static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags)
941 {
942         struct sock *sk = sock->sk;
943         struct sockaddr_l2 la;
944         int len, err = 0;
945
946         BT_DBG("sk %p", sk);
947
948         if (!addr || addr->sa_family != AF_BLUETOOTH)
949                 return -EINVAL;
950
951         memset(&la, 0, sizeof(la));
952         len = min_t(unsigned int, sizeof(la), alen);
953         memcpy(&la, addr, len);
954
955         if (la.l2_cid)
956                 return -EINVAL;
957
958         lock_sock(sk);
959
960         if (sk->sk_type == SOCK_SEQPACKET && !la.l2_psm) {
961                 err = -EINVAL;
962                 goto done;
963         }
964
965         switch (l2cap_pi(sk)->mode) {
966         case L2CAP_MODE_BASIC:
967                 break;
968         case L2CAP_MODE_ERTM:
969                 if (enable_ertm)
970                         break;
971                 /* fall through */
972         default:
973                 err = -ENOTSUPP;
974                 goto done;
975         }
976
977         switch (sk->sk_state) {
978         case BT_CONNECT:
979         case BT_CONNECT2:
980         case BT_CONFIG:
981                 /* Already connecting */
982                 goto wait;
983
984         case BT_CONNECTED:
985                 /* Already connected */
986                 goto done;
987
988         case BT_OPEN:
989         case BT_BOUND:
990                 /* Can connect */
991                 break;
992
993         default:
994                 err = -EBADFD;
995                 goto done;
996         }
997
998         /* Set destination address and psm */
999         bacpy(&bt_sk(sk)->dst, &la.l2_bdaddr);
1000         l2cap_pi(sk)->psm = la.l2_psm;
1001
1002         err = l2cap_do_connect(sk);
1003         if (err)
1004                 goto done;
1005
1006 wait:
1007         err = bt_sock_wait_state(sk, BT_CONNECTED,
1008                         sock_sndtimeo(sk, flags & O_NONBLOCK));
1009 done:
1010         release_sock(sk);
1011         return err;
1012 }
1013
1014 static int l2cap_sock_listen(struct socket *sock, int backlog)
1015 {
1016         struct sock *sk = sock->sk;
1017         int err = 0;
1018
1019         BT_DBG("sk %p backlog %d", sk, backlog);
1020
1021         lock_sock(sk);
1022
1023         if (sk->sk_state != BT_BOUND || sock->type != SOCK_SEQPACKET) {
1024                 err = -EBADFD;
1025                 goto done;
1026         }
1027
1028         switch (l2cap_pi(sk)->mode) {
1029         case L2CAP_MODE_BASIC:
1030                 break;
1031         case L2CAP_MODE_ERTM:
1032                 if (enable_ertm)
1033                         break;
1034                 /* fall through */
1035         default:
1036                 err = -ENOTSUPP;
1037                 goto done;
1038         }
1039
1040         if (!l2cap_pi(sk)->psm) {
1041                 bdaddr_t *src = &bt_sk(sk)->src;
1042                 u16 psm;
1043
1044                 err = -EINVAL;
1045
1046                 write_lock_bh(&l2cap_sk_list.lock);
1047
1048                 for (psm = 0x1001; psm < 0x1100; psm += 2)
1049                         if (!__l2cap_get_sock_by_addr(cpu_to_le16(psm), src)) {
1050                                 l2cap_pi(sk)->psm   = cpu_to_le16(psm);
1051                                 l2cap_pi(sk)->sport = cpu_to_le16(psm);
1052                                 err = 0;
1053                                 break;
1054                         }
1055
1056                 write_unlock_bh(&l2cap_sk_list.lock);
1057
1058                 if (err < 0)
1059                         goto done;
1060         }
1061
1062         sk->sk_max_ack_backlog = backlog;
1063         sk->sk_ack_backlog = 0;
1064         sk->sk_state = BT_LISTEN;
1065
1066 done:
1067         release_sock(sk);
1068         return err;
1069 }
1070
1071 static int l2cap_sock_accept(struct socket *sock, struct socket *newsock, int flags)
1072 {
1073         DECLARE_WAITQUEUE(wait, current);
1074         struct sock *sk = sock->sk, *nsk;
1075         long timeo;
1076         int err = 0;
1077
1078         lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
1079
1080         if (sk->sk_state != BT_LISTEN) {
1081                 err = -EBADFD;
1082                 goto done;
1083         }
1084
1085         timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
1086
1087         BT_DBG("sk %p timeo %ld", sk, timeo);
1088
1089         /* Wait for an incoming connection. (wake-one). */
1090         add_wait_queue_exclusive(sk->sk_sleep, &wait);
1091         while (!(nsk = bt_accept_dequeue(sk, newsock))) {
1092                 set_current_state(TASK_INTERRUPTIBLE);
1093                 if (!timeo) {
1094                         err = -EAGAIN;
1095                         break;
1096                 }
1097
1098                 release_sock(sk);
1099                 timeo = schedule_timeout(timeo);
1100                 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
1101
1102                 if (sk->sk_state != BT_LISTEN) {
1103                         err = -EBADFD;
1104                         break;
1105                 }
1106
1107                 if (signal_pending(current)) {
1108                         err = sock_intr_errno(timeo);
1109                         break;
1110                 }
1111         }
1112         set_current_state(TASK_RUNNING);
1113         remove_wait_queue(sk->sk_sleep, &wait);
1114
1115         if (err)
1116                 goto done;
1117
1118         newsock->state = SS_CONNECTED;
1119
1120         BT_DBG("new socket %p", nsk);
1121
1122 done:
1123         release_sock(sk);
1124         return err;
1125 }
1126
1127 static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr, int *len, int peer)
1128 {
1129         struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
1130         struct sock *sk = sock->sk;
1131
1132         BT_DBG("sock %p, sk %p", sock, sk);
1133
1134         addr->sa_family = AF_BLUETOOTH;
1135         *len = sizeof(struct sockaddr_l2);
1136
1137         if (peer) {
1138                 la->l2_psm = l2cap_pi(sk)->psm;
1139                 bacpy(&la->l2_bdaddr, &bt_sk(sk)->dst);
1140                 la->l2_cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1141         } else {
1142                 la->l2_psm = l2cap_pi(sk)->sport;
1143                 bacpy(&la->l2_bdaddr, &bt_sk(sk)->src);
1144                 la->l2_cid = cpu_to_le16(l2cap_pi(sk)->scid);
1145         }
1146
1147         return 0;
1148 }
1149
1150 static inline int l2cap_do_send(struct sock *sk, struct msghdr *msg, int len)
1151 {
1152         struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1153         struct sk_buff *skb, **frag;
1154         int err, hlen, count, sent = 0;
1155         struct l2cap_hdr *lh;
1156
1157         BT_DBG("sk %p len %d", sk, len);
1158
1159         /* First fragment (with L2CAP header) */
1160         if (sk->sk_type == SOCK_DGRAM)
1161                 hlen = L2CAP_HDR_SIZE + 2;
1162         else
1163                 hlen = L2CAP_HDR_SIZE;
1164
1165         count = min_t(unsigned int, (conn->mtu - hlen), len);
1166
1167         skb = bt_skb_send_alloc(sk, hlen + count,
1168                         msg->msg_flags & MSG_DONTWAIT, &err);
1169         if (!skb)
1170                 return err;
1171
1172         /* Create L2CAP header */
1173         lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1174         lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1175         lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1176
1177         if (sk->sk_type == SOCK_DGRAM)
1178                 put_unaligned(l2cap_pi(sk)->psm, (__le16 *) skb_put(skb, 2));
1179
1180         if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count)) {
1181                 err = -EFAULT;
1182                 goto fail;
1183         }
1184
1185         sent += count;
1186         len  -= count;
1187
1188         /* Continuation fragments (no L2CAP header) */
1189         frag = &skb_shinfo(skb)->frag_list;
1190         while (len) {
1191                 count = min_t(unsigned int, conn->mtu, len);
1192
1193                 *frag = bt_skb_send_alloc(sk, count, msg->msg_flags & MSG_DONTWAIT, &err);
1194                 if (!*frag)
1195                         goto fail;
1196
1197                 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count)) {
1198                         err = -EFAULT;
1199                         goto fail;
1200                 }
1201
1202                 sent += count;
1203                 len  -= count;
1204
1205                 frag = &(*frag)->next;
1206         }
1207         err = hci_send_acl(conn->hcon, skb, 0);
1208         if (err < 0)
1209                 goto fail;
1210
1211         return sent;
1212
1213 fail:
1214         kfree_skb(skb);
1215         return err;
1216 }
1217
1218 static int l2cap_sock_sendmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len)
1219 {
1220         struct sock *sk = sock->sk;
1221         int err = 0;
1222
1223         BT_DBG("sock %p, sk %p", sock, sk);
1224
1225         err = sock_error(sk);
1226         if (err)
1227                 return err;
1228
1229         if (msg->msg_flags & MSG_OOB)
1230                 return -EOPNOTSUPP;
1231
1232         /* Check outgoing MTU */
1233         if (sk->sk_type != SOCK_RAW && len > l2cap_pi(sk)->omtu)
1234                 return -EINVAL;
1235
1236         lock_sock(sk);
1237
1238         if (sk->sk_state == BT_CONNECTED)
1239                 err = l2cap_do_send(sk, msg, len);
1240         else
1241                 err = -ENOTCONN;
1242
1243         release_sock(sk);
1244         return err;
1245 }
1246
1247 static int l2cap_sock_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len, int flags)
1248 {
1249         struct sock *sk = sock->sk;
1250
1251         lock_sock(sk);
1252
1253         if (sk->sk_state == BT_CONNECT2 && bt_sk(sk)->defer_setup) {
1254                 struct l2cap_conn_rsp rsp;
1255
1256                 sk->sk_state = BT_CONFIG;
1257
1258                 rsp.scid   = cpu_to_le16(l2cap_pi(sk)->dcid);
1259                 rsp.dcid   = cpu_to_le16(l2cap_pi(sk)->scid);
1260                 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1261                 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1262                 l2cap_send_cmd(l2cap_pi(sk)->conn, l2cap_pi(sk)->ident,
1263                                         L2CAP_CONN_RSP, sizeof(rsp), &rsp);
1264
1265                 release_sock(sk);
1266                 return 0;
1267         }
1268
1269         release_sock(sk);
1270
1271         return bt_sock_recvmsg(iocb, sock, msg, len, flags);
1272 }
1273
1274 static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __user *optval, int optlen)
1275 {
1276         struct sock *sk = sock->sk;
1277         struct l2cap_options opts;
1278         int len, err = 0;
1279         u32 opt;
1280
1281         BT_DBG("sk %p", sk);
1282
1283         lock_sock(sk);
1284
1285         switch (optname) {
1286         case L2CAP_OPTIONS:
1287                 opts.imtu     = l2cap_pi(sk)->imtu;
1288                 opts.omtu     = l2cap_pi(sk)->omtu;
1289                 opts.flush_to = l2cap_pi(sk)->flush_to;
1290                 opts.mode     = l2cap_pi(sk)->mode;
1291
1292                 len = min_t(unsigned int, sizeof(opts), optlen);
1293                 if (copy_from_user((char *) &opts, optval, len)) {
1294                         err = -EFAULT;
1295                         break;
1296                 }
1297
1298                 l2cap_pi(sk)->imtu = opts.imtu;
1299                 l2cap_pi(sk)->omtu = opts.omtu;
1300                 l2cap_pi(sk)->mode = opts.mode;
1301                 break;
1302
1303         case L2CAP_LM:
1304                 if (get_user(opt, (u32 __user *) optval)) {
1305                         err = -EFAULT;
1306                         break;
1307                 }
1308
1309                 if (opt & L2CAP_LM_AUTH)
1310                         l2cap_pi(sk)->sec_level = BT_SECURITY_LOW;
1311                 if (opt & L2CAP_LM_ENCRYPT)
1312                         l2cap_pi(sk)->sec_level = BT_SECURITY_MEDIUM;
1313                 if (opt & L2CAP_LM_SECURE)
1314                         l2cap_pi(sk)->sec_level = BT_SECURITY_HIGH;
1315
1316                 l2cap_pi(sk)->role_switch    = (opt & L2CAP_LM_MASTER);
1317                 l2cap_pi(sk)->force_reliable = (opt & L2CAP_LM_RELIABLE);
1318                 break;
1319
1320         default:
1321                 err = -ENOPROTOOPT;
1322                 break;
1323         }
1324
1325         release_sock(sk);
1326         return err;
1327 }
1328
1329 static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, char __user *optval, int optlen)
1330 {
1331         struct sock *sk = sock->sk;
1332         struct bt_security sec;
1333         int len, err = 0;
1334         u32 opt;
1335
1336         BT_DBG("sk %p", sk);
1337
1338         if (level == SOL_L2CAP)
1339                 return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
1340
1341         if (level != SOL_BLUETOOTH)
1342                 return -ENOPROTOOPT;
1343
1344         lock_sock(sk);
1345
1346         switch (optname) {
1347         case BT_SECURITY:
1348                 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_RAW) {
1349                         err = -EINVAL;
1350                         break;
1351                 }
1352
1353                 sec.level = BT_SECURITY_LOW;
1354
1355                 len = min_t(unsigned int, sizeof(sec), optlen);
1356                 if (copy_from_user((char *) &sec, optval, len)) {
1357                         err = -EFAULT;
1358                         break;
1359                 }
1360
1361                 if (sec.level < BT_SECURITY_LOW ||
1362                                         sec.level > BT_SECURITY_HIGH) {
1363                         err = -EINVAL;
1364                         break;
1365                 }
1366
1367                 l2cap_pi(sk)->sec_level = sec.level;
1368                 break;
1369
1370         case BT_DEFER_SETUP:
1371                 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
1372                         err = -EINVAL;
1373                         break;
1374                 }
1375
1376                 if (get_user(opt, (u32 __user *) optval)) {
1377                         err = -EFAULT;
1378                         break;
1379                 }
1380
1381                 bt_sk(sk)->defer_setup = opt;
1382                 break;
1383
1384         default:
1385                 err = -ENOPROTOOPT;
1386                 break;
1387         }
1388
1389         release_sock(sk);
1390         return err;
1391 }
1392
1393 static int l2cap_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen)
1394 {
1395         struct sock *sk = sock->sk;
1396         struct l2cap_options opts;
1397         struct l2cap_conninfo cinfo;
1398         int len, err = 0;
1399         u32 opt;
1400
1401         BT_DBG("sk %p", sk);
1402
1403         if (get_user(len, optlen))
1404                 return -EFAULT;
1405
1406         lock_sock(sk);
1407
1408         switch (optname) {
1409         case L2CAP_OPTIONS:
1410                 opts.imtu     = l2cap_pi(sk)->imtu;
1411                 opts.omtu     = l2cap_pi(sk)->omtu;
1412                 opts.flush_to = l2cap_pi(sk)->flush_to;
1413                 opts.mode     = l2cap_pi(sk)->mode;
1414
1415                 len = min_t(unsigned int, len, sizeof(opts));
1416                 if (copy_to_user(optval, (char *) &opts, len))
1417                         err = -EFAULT;
1418
1419                 break;
1420
1421         case L2CAP_LM:
1422                 switch (l2cap_pi(sk)->sec_level) {
1423                 case BT_SECURITY_LOW:
1424                         opt = L2CAP_LM_AUTH;
1425                         break;
1426                 case BT_SECURITY_MEDIUM:
1427                         opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
1428                         break;
1429                 case BT_SECURITY_HIGH:
1430                         opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
1431                                                         L2CAP_LM_SECURE;
1432                         break;
1433                 default:
1434                         opt = 0;
1435                         break;
1436                 }
1437
1438                 if (l2cap_pi(sk)->role_switch)
1439                         opt |= L2CAP_LM_MASTER;
1440
1441                 if (l2cap_pi(sk)->force_reliable)
1442                         opt |= L2CAP_LM_RELIABLE;
1443
1444                 if (put_user(opt, (u32 __user *) optval))
1445                         err = -EFAULT;
1446                 break;
1447
1448         case L2CAP_CONNINFO:
1449                 if (sk->sk_state != BT_CONNECTED &&
1450                                         !(sk->sk_state == BT_CONNECT2 &&
1451                                                 bt_sk(sk)->defer_setup)) {
1452                         err = -ENOTCONN;
1453                         break;
1454                 }
1455
1456                 cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle;
1457                 memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3);
1458
1459                 len = min_t(unsigned int, len, sizeof(cinfo));
1460                 if (copy_to_user(optval, (char *) &cinfo, len))
1461                         err = -EFAULT;
1462
1463                 break;
1464
1465         default:
1466                 err = -ENOPROTOOPT;
1467                 break;
1468         }
1469
1470         release_sock(sk);
1471         return err;
1472 }
1473
1474 static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen)
1475 {
1476         struct sock *sk = sock->sk;
1477         struct bt_security sec;
1478         int len, err = 0;
1479
1480         BT_DBG("sk %p", sk);
1481
1482         if (level == SOL_L2CAP)
1483                 return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
1484
1485         if (level != SOL_BLUETOOTH)
1486                 return -ENOPROTOOPT;
1487
1488         if (get_user(len, optlen))
1489                 return -EFAULT;
1490
1491         lock_sock(sk);
1492
1493         switch (optname) {
1494         case BT_SECURITY:
1495                 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_RAW) {
1496                         err = -EINVAL;
1497                         break;
1498                 }
1499
1500                 sec.level = l2cap_pi(sk)->sec_level;
1501
1502                 len = min_t(unsigned int, len, sizeof(sec));
1503                 if (copy_to_user(optval, (char *) &sec, len))
1504                         err = -EFAULT;
1505
1506                 break;
1507
1508         case BT_DEFER_SETUP:
1509                 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
1510                         err = -EINVAL;
1511                         break;
1512                 }
1513
1514                 if (put_user(bt_sk(sk)->defer_setup, (u32 __user *) optval))
1515                         err = -EFAULT;
1516
1517                 break;
1518
1519         default:
1520                 err = -ENOPROTOOPT;
1521                 break;
1522         }
1523
1524         release_sock(sk);
1525         return err;
1526 }
1527
1528 static int l2cap_sock_shutdown(struct socket *sock, int how)
1529 {
1530         struct sock *sk = sock->sk;
1531         int err = 0;
1532
1533         BT_DBG("sock %p, sk %p", sock, sk);
1534
1535         if (!sk)
1536                 return 0;
1537
1538         lock_sock(sk);
1539         if (!sk->sk_shutdown) {
1540                 sk->sk_shutdown = SHUTDOWN_MASK;
1541                 l2cap_sock_clear_timer(sk);
1542                 __l2cap_sock_close(sk, 0);
1543
1544                 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime)
1545                         err = bt_sock_wait_state(sk, BT_CLOSED,
1546                                                         sk->sk_lingertime);
1547         }
1548         release_sock(sk);
1549         return err;
1550 }
1551
1552 static int l2cap_sock_release(struct socket *sock)
1553 {
1554         struct sock *sk = sock->sk;
1555         int err;
1556
1557         BT_DBG("sock %p, sk %p", sock, sk);
1558
1559         if (!sk)
1560                 return 0;
1561
1562         err = l2cap_sock_shutdown(sock, 2);
1563
1564         sock_orphan(sk);
1565         l2cap_sock_kill(sk);
1566         return err;
1567 }
1568
1569 static void l2cap_chan_ready(struct sock *sk)
1570 {
1571         struct sock *parent = bt_sk(sk)->parent;
1572
1573         BT_DBG("sk %p, parent %p", sk, parent);
1574
1575         l2cap_pi(sk)->conf_state = 0;
1576         l2cap_sock_clear_timer(sk);
1577
1578         if (!parent) {
1579                 /* Outgoing channel.
1580                  * Wake up socket sleeping on connect.
1581                  */
1582                 sk->sk_state = BT_CONNECTED;
1583                 sk->sk_state_change(sk);
1584         } else {
1585                 /* Incoming channel.
1586                  * Wake up socket sleeping on accept.
1587                  */
1588                 parent->sk_data_ready(parent, 0);
1589         }
1590 }
1591
1592 /* Copy frame to all raw sockets on that connection */
1593 static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
1594 {
1595         struct l2cap_chan_list *l = &conn->chan_list;
1596         struct sk_buff *nskb;
1597         struct sock *sk;
1598
1599         BT_DBG("conn %p", conn);
1600
1601         read_lock(&l->lock);
1602         for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
1603                 if (sk->sk_type != SOCK_RAW)
1604                         continue;
1605
1606                 /* Don't send frame to the socket it came from */
1607                 if (skb->sk == sk)
1608                         continue;
1609                 nskb = skb_clone(skb, GFP_ATOMIC);
1610                 if (!nskb)
1611                         continue;
1612
1613                 if (sock_queue_rcv_skb(sk, nskb))
1614                         kfree_skb(nskb);
1615         }
1616         read_unlock(&l->lock);
1617 }
1618
1619 /* ---- L2CAP signalling commands ---- */
1620 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
1621                                 u8 code, u8 ident, u16 dlen, void *data)
1622 {
1623         struct sk_buff *skb, **frag;
1624         struct l2cap_cmd_hdr *cmd;
1625         struct l2cap_hdr *lh;
1626         int len, count;
1627
1628         BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
1629                         conn, code, ident, dlen);
1630
1631         len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
1632         count = min_t(unsigned int, conn->mtu, len);
1633
1634         skb = bt_skb_alloc(count, GFP_ATOMIC);
1635         if (!skb)
1636                 return NULL;
1637
1638         lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1639         lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
1640         lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1641
1642         cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
1643         cmd->code  = code;
1644         cmd->ident = ident;
1645         cmd->len   = cpu_to_le16(dlen);
1646
1647         if (dlen) {
1648                 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
1649                 memcpy(skb_put(skb, count), data, count);
1650                 data += count;
1651         }
1652
1653         len -= skb->len;
1654
1655         /* Continuation fragments (no L2CAP header) */
1656         frag = &skb_shinfo(skb)->frag_list;
1657         while (len) {
1658                 count = min_t(unsigned int, conn->mtu, len);
1659
1660                 *frag = bt_skb_alloc(count, GFP_ATOMIC);
1661                 if (!*frag)
1662                         goto fail;
1663
1664                 memcpy(skb_put(*frag, count), data, count);
1665
1666                 len  -= count;
1667                 data += count;
1668
1669                 frag = &(*frag)->next;
1670         }
1671
1672         return skb;
1673
1674 fail:
1675         kfree_skb(skb);
1676         return NULL;
1677 }
1678
1679 static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
1680 {
1681         struct l2cap_conf_opt *opt = *ptr;
1682         int len;
1683
1684         len = L2CAP_CONF_OPT_SIZE + opt->len;
1685         *ptr += len;
1686
1687         *type = opt->type;
1688         *olen = opt->len;
1689
1690         switch (opt->len) {
1691         case 1:
1692                 *val = *((u8 *) opt->val);
1693                 break;
1694
1695         case 2:
1696                 *val = __le16_to_cpu(*((__le16 *) opt->val));
1697                 break;
1698
1699         case 4:
1700                 *val = __le32_to_cpu(*((__le32 *) opt->val));
1701                 break;
1702
1703         default:
1704                 *val = (unsigned long) opt->val;
1705                 break;
1706         }
1707
1708         BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
1709         return len;
1710 }
1711
1712 static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
1713 {
1714         struct l2cap_conf_opt *opt = *ptr;
1715
1716         BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
1717
1718         opt->type = type;
1719         opt->len  = len;
1720
1721         switch (len) {
1722         case 1:
1723                 *((u8 *) opt->val)  = val;
1724                 break;
1725
1726         case 2:
1727                 *((__le16 *) opt->val) = cpu_to_le16(val);
1728                 break;
1729
1730         case 4:
1731                 *((__le32 *) opt->val) = cpu_to_le32(val);
1732                 break;
1733
1734         default:
1735                 memcpy(opt->val, (void *) val, len);
1736                 break;
1737         }
1738
1739         *ptr += L2CAP_CONF_OPT_SIZE + len;
1740 }
1741
1742 static int l2cap_build_conf_req(struct sock *sk, void *data)
1743 {
1744         struct l2cap_pinfo *pi = l2cap_pi(sk);
1745         struct l2cap_conf_req *req = data;
1746         void *ptr = req->data;
1747
1748         BT_DBG("sk %p", sk);
1749
1750         if (pi->imtu != L2CAP_DEFAULT_MTU)
1751                 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->imtu);
1752
1753         /* FIXME: Need actual value of the flush timeout */
1754         //if (flush_to != L2CAP_DEFAULT_FLUSH_TO)
1755         //   l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, 2, pi->flush_to);
1756
1757         req->dcid  = cpu_to_le16(pi->dcid);
1758         req->flags = cpu_to_le16(0);
1759
1760         return ptr - data;
1761 }
1762
1763 static int l2cap_parse_conf_req(struct sock *sk, void *data)
1764 {
1765         struct l2cap_pinfo *pi = l2cap_pi(sk);
1766         struct l2cap_conf_rsp *rsp = data;
1767         void *ptr = rsp->data;
1768         void *req = pi->conf_req;
1769         int len = pi->conf_len;
1770         int type, hint, olen;
1771         unsigned long val;
1772         struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
1773         u16 mtu = L2CAP_DEFAULT_MTU;
1774         u16 result = L2CAP_CONF_SUCCESS;
1775
1776         BT_DBG("sk %p", sk);
1777
1778         while (len >= L2CAP_CONF_OPT_SIZE) {
1779                 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1780
1781                 hint  = type & L2CAP_CONF_HINT;
1782                 type &= L2CAP_CONF_MASK;
1783
1784                 switch (type) {
1785                 case L2CAP_CONF_MTU:
1786                         mtu = val;
1787                         break;
1788
1789                 case L2CAP_CONF_FLUSH_TO:
1790                         pi->flush_to = val;
1791                         break;
1792
1793                 case L2CAP_CONF_QOS:
1794                         break;
1795
1796                 case L2CAP_CONF_RFC:
1797                         if (olen == sizeof(rfc))
1798                                 memcpy(&rfc, (void *) val, olen);
1799                         break;
1800
1801                 default:
1802                         if (hint)
1803                                 break;
1804
1805                         result = L2CAP_CONF_UNKNOWN;
1806                         *((u8 *) ptr++) = type;
1807                         break;
1808                 }
1809         }
1810
1811         if (result == L2CAP_CONF_SUCCESS) {
1812                 /* Configure output options and let the other side know
1813                  * which ones we don't like. */
1814
1815                 if (rfc.mode == L2CAP_MODE_BASIC) {
1816                         if (mtu < pi->omtu)
1817                                 result = L2CAP_CONF_UNACCEPT;
1818                         else {
1819                                 pi->omtu = mtu;
1820                                 pi->conf_state |= L2CAP_CONF_OUTPUT_DONE;
1821                         }
1822
1823                         l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->omtu);
1824                 } else {
1825                         result = L2CAP_CONF_UNACCEPT;
1826
1827                         memset(&rfc, 0, sizeof(rfc));
1828                         rfc.mode = L2CAP_MODE_BASIC;
1829
1830                         l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
1831                                                 sizeof(rfc), (unsigned long) &rfc);
1832                 }
1833         }
1834
1835         rsp->scid   = cpu_to_le16(pi->dcid);
1836         rsp->result = cpu_to_le16(result);
1837         rsp->flags  = cpu_to_le16(0x0000);
1838
1839         return ptr - data;
1840 }
1841
1842 static int l2cap_build_conf_rsp(struct sock *sk, void *data, u16 result, u16 flags)
1843 {
1844         struct l2cap_conf_rsp *rsp = data;
1845         void *ptr = rsp->data;
1846
1847         BT_DBG("sk %p", sk);
1848
1849         rsp->scid   = cpu_to_le16(l2cap_pi(sk)->dcid);
1850         rsp->result = cpu_to_le16(result);
1851         rsp->flags  = cpu_to_le16(flags);
1852
1853         return ptr - data;
1854 }
1855
1856 static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
1857 {
1858         struct l2cap_cmd_rej *rej = (struct l2cap_cmd_rej *) data;
1859
1860         if (rej->reason != 0x0000)
1861                 return 0;
1862
1863         if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
1864                                         cmd->ident == conn->info_ident) {
1865                 del_timer(&conn->info_timer);
1866
1867                 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
1868                 conn->info_ident = 0;
1869
1870                 l2cap_conn_start(conn);
1871         }
1872
1873         return 0;
1874 }
1875
1876 static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
1877 {
1878         struct l2cap_chan_list *list = &conn->chan_list;
1879         struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
1880         struct l2cap_conn_rsp rsp;
1881         struct sock *sk, *parent;
1882         int result, status = L2CAP_CS_NO_INFO;
1883
1884         u16 dcid = 0, scid = __le16_to_cpu(req->scid);
1885         __le16 psm = req->psm;
1886
1887         BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
1888
1889         /* Check if we have socket listening on psm */
1890         parent = l2cap_get_sock_by_psm(BT_LISTEN, psm, conn->src);
1891         if (!parent) {
1892                 result = L2CAP_CR_BAD_PSM;
1893                 goto sendresp;
1894         }
1895
1896         /* Check if the ACL is secure enough (if not SDP) */
1897         if (psm != cpu_to_le16(0x0001) &&
1898                                 !hci_conn_check_link_mode(conn->hcon)) {
1899                 conn->disc_reason = 0x05;
1900                 result = L2CAP_CR_SEC_BLOCK;
1901                 goto response;
1902         }
1903
1904         result = L2CAP_CR_NO_MEM;
1905
1906         /* Check for backlog size */
1907         if (sk_acceptq_is_full(parent)) {
1908                 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1909                 goto response;
1910         }
1911
1912         sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP, GFP_ATOMIC);
1913         if (!sk)
1914                 goto response;
1915
1916         write_lock_bh(&list->lock);
1917
1918         /* Check if we already have channel with that dcid */
1919         if (__l2cap_get_chan_by_dcid(list, scid)) {
1920                 write_unlock_bh(&list->lock);
1921                 sock_set_flag(sk, SOCK_ZAPPED);
1922                 l2cap_sock_kill(sk);
1923                 goto response;
1924         }
1925
1926         hci_conn_hold(conn->hcon);
1927
1928         l2cap_sock_init(sk, parent);
1929         bacpy(&bt_sk(sk)->src, conn->src);
1930         bacpy(&bt_sk(sk)->dst, conn->dst);
1931         l2cap_pi(sk)->psm  = psm;
1932         l2cap_pi(sk)->dcid = scid;
1933
1934         __l2cap_chan_add(conn, sk, parent);
1935         dcid = l2cap_pi(sk)->scid;
1936
1937         l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
1938
1939         l2cap_pi(sk)->ident = cmd->ident;
1940
1941         if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
1942                 if (l2cap_check_security(sk)) {
1943                         if (bt_sk(sk)->defer_setup) {
1944                                 sk->sk_state = BT_CONNECT2;
1945                                 result = L2CAP_CR_PEND;
1946                                 status = L2CAP_CS_AUTHOR_PEND;
1947                                 parent->sk_data_ready(parent, 0);
1948                         } else {
1949                                 sk->sk_state = BT_CONFIG;
1950                                 result = L2CAP_CR_SUCCESS;
1951                                 status = L2CAP_CS_NO_INFO;
1952                         }
1953                 } else {
1954                         sk->sk_state = BT_CONNECT2;
1955                         result = L2CAP_CR_PEND;
1956                         status = L2CAP_CS_AUTHEN_PEND;
1957                 }
1958         } else {
1959                 sk->sk_state = BT_CONNECT2;
1960                 result = L2CAP_CR_PEND;
1961                 status = L2CAP_CS_NO_INFO;
1962         }
1963
1964         write_unlock_bh(&list->lock);
1965
1966 response:
1967         bh_unlock_sock(parent);
1968
1969 sendresp:
1970         rsp.scid   = cpu_to_le16(scid);
1971         rsp.dcid   = cpu_to_le16(dcid);
1972         rsp.result = cpu_to_le16(result);
1973         rsp.status = cpu_to_le16(status);
1974         l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
1975
1976         if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
1977                 struct l2cap_info_req info;
1978                 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
1979
1980                 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1981                 conn->info_ident = l2cap_get_ident(conn);
1982
1983                 mod_timer(&conn->info_timer, jiffies +
1984                                         msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
1985
1986                 l2cap_send_cmd(conn, conn->info_ident,
1987                                         L2CAP_INFO_REQ, sizeof(info), &info);
1988         }
1989
1990         return 0;
1991 }
1992
1993 static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
1994 {
1995         struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
1996         u16 scid, dcid, result, status;
1997         struct sock *sk;
1998         u8 req[128];
1999
2000         scid   = __le16_to_cpu(rsp->scid);
2001         dcid   = __le16_to_cpu(rsp->dcid);
2002         result = __le16_to_cpu(rsp->result);
2003         status = __le16_to_cpu(rsp->status);
2004
2005         BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status);
2006
2007         if (scid) {
2008                 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
2009                 if (!sk)
2010                         return 0;
2011         } else {
2012                 sk = l2cap_get_chan_by_ident(&conn->chan_list, cmd->ident);
2013                 if (!sk)
2014                         return 0;
2015         }
2016
2017         switch (result) {
2018         case L2CAP_CR_SUCCESS:
2019                 sk->sk_state = BT_CONFIG;
2020                 l2cap_pi(sk)->ident = 0;
2021                 l2cap_pi(sk)->dcid = dcid;
2022                 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
2023
2024                 l2cap_pi(sk)->conf_state &= ~L2CAP_CONF_CONNECT_PEND;
2025
2026                 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2027                                         l2cap_build_conf_req(sk, req), req);
2028                 break;
2029
2030         case L2CAP_CR_PEND:
2031                 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
2032                 break;
2033
2034         default:
2035                 l2cap_chan_del(sk, ECONNREFUSED);
2036                 break;
2037         }
2038
2039         bh_unlock_sock(sk);
2040         return 0;
2041 }
2042
2043 static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
2044 {
2045         struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
2046         u16 dcid, flags;
2047         u8 rsp[64];
2048         struct sock *sk;
2049         int len;
2050
2051         dcid  = __le16_to_cpu(req->dcid);
2052         flags = __le16_to_cpu(req->flags);
2053
2054         BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
2055
2056         sk = l2cap_get_chan_by_scid(&conn->chan_list, dcid);
2057         if (!sk)
2058                 return -ENOENT;
2059
2060         if (sk->sk_state == BT_DISCONN)
2061                 goto unlock;
2062
2063         /* Reject if config buffer is too small. */
2064         len = cmd_len - sizeof(*req);
2065         if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
2066                 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2067                                 l2cap_build_conf_rsp(sk, rsp,
2068                                         L2CAP_CONF_REJECT, flags), rsp);
2069                 goto unlock;
2070         }
2071
2072         /* Store config. */
2073         memcpy(l2cap_pi(sk)->conf_req + l2cap_pi(sk)->conf_len, req->data, len);
2074         l2cap_pi(sk)->conf_len += len;
2075
2076         if (flags & 0x0001) {
2077                 /* Incomplete config. Send empty response. */
2078                 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2079                                 l2cap_build_conf_rsp(sk, rsp,
2080                                         L2CAP_CONF_SUCCESS, 0x0001), rsp);
2081                 goto unlock;
2082         }
2083
2084         /* Complete config. */
2085         len = l2cap_parse_conf_req(sk, rsp);
2086         if (len < 0)
2087                 goto unlock;
2088
2089         l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
2090
2091         /* Reset config buffer. */
2092         l2cap_pi(sk)->conf_len = 0;
2093
2094         if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE))
2095                 goto unlock;
2096
2097         if (l2cap_pi(sk)->conf_state & L2CAP_CONF_INPUT_DONE) {
2098                 sk->sk_state = BT_CONNECTED;
2099                 l2cap_chan_ready(sk);
2100                 goto unlock;
2101         }
2102
2103         if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT)) {
2104                 u8 buf[64];
2105                 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2106                                         l2cap_build_conf_req(sk, buf), buf);
2107         }
2108
2109 unlock:
2110         bh_unlock_sock(sk);
2111         return 0;
2112 }
2113
2114 static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2115 {
2116         struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
2117         u16 scid, flags, result;
2118         struct sock *sk;
2119
2120         scid   = __le16_to_cpu(rsp->scid);
2121         flags  = __le16_to_cpu(rsp->flags);
2122         result = __le16_to_cpu(rsp->result);
2123
2124         BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x",
2125                         scid, flags, result);
2126
2127         sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
2128         if (!sk)
2129                 return 0;
2130
2131         switch (result) {
2132         case L2CAP_CONF_SUCCESS:
2133                 break;
2134
2135         case L2CAP_CONF_UNACCEPT:
2136                 if (++l2cap_pi(sk)->conf_retry < L2CAP_CONF_MAX_RETRIES) {
2137                         char req[128];
2138                         /* It does not make sense to adjust L2CAP parameters
2139                          * that are currently defined in the spec. We simply
2140                          * resend config request that we sent earlier. It is
2141                          * stupid, but it helps qualification testing which
2142                          * expects at least some response from us. */
2143                         l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2144                                                 l2cap_build_conf_req(sk, req), req);
2145                         goto done;
2146                 }
2147
2148         default:
2149                 sk->sk_state = BT_DISCONN;
2150                 sk->sk_err = ECONNRESET;
2151                 l2cap_sock_set_timer(sk, HZ * 5);
2152                 {
2153                         struct l2cap_disconn_req req;
2154                         req.dcid = cpu_to_le16(l2cap_pi(sk)->dcid);
2155                         req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
2156                         l2cap_send_cmd(conn, l2cap_get_ident(conn),
2157                                         L2CAP_DISCONN_REQ, sizeof(req), &req);
2158                 }
2159                 goto done;
2160         }
2161
2162         if (flags & 0x01)
2163                 goto done;
2164
2165         l2cap_pi(sk)->conf_state |= L2CAP_CONF_INPUT_DONE;
2166
2167         if (l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE) {
2168                 sk->sk_state = BT_CONNECTED;
2169                 l2cap_chan_ready(sk);
2170         }
2171
2172 done:
2173         bh_unlock_sock(sk);
2174         return 0;
2175 }
2176
2177 static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2178 {
2179         struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
2180         struct l2cap_disconn_rsp rsp;
2181         u16 dcid, scid;
2182         struct sock *sk;
2183
2184         scid = __le16_to_cpu(req->scid);
2185         dcid = __le16_to_cpu(req->dcid);
2186
2187         BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
2188
2189         sk = l2cap_get_chan_by_scid(&conn->chan_list, dcid);
2190         if (!sk)
2191                 return 0;
2192
2193         rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
2194         rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
2195         l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
2196
2197         sk->sk_shutdown = SHUTDOWN_MASK;
2198
2199         l2cap_chan_del(sk, ECONNRESET);
2200         bh_unlock_sock(sk);
2201
2202         l2cap_sock_kill(sk);
2203         return 0;
2204 }
2205
2206 static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2207 {
2208         struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
2209         u16 dcid, scid;
2210         struct sock *sk;
2211
2212         scid = __le16_to_cpu(rsp->scid);
2213         dcid = __le16_to_cpu(rsp->dcid);
2214
2215         BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
2216
2217         sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
2218         if (!sk)
2219                 return 0;
2220
2221         l2cap_chan_del(sk, 0);
2222         bh_unlock_sock(sk);
2223
2224         l2cap_sock_kill(sk);
2225         return 0;
2226 }
2227
2228 static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2229 {
2230         struct l2cap_info_req *req = (struct l2cap_info_req *) data;
2231         u16 type;
2232
2233         type = __le16_to_cpu(req->type);
2234
2235         BT_DBG("type 0x%4.4x", type);
2236
2237         if (type == L2CAP_IT_FEAT_MASK) {
2238                 u8 buf[8];
2239                 u32 feat_mask = l2cap_feat_mask;
2240                 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2241                 rsp->type   = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2242                 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
2243                 if (enable_ertm)
2244                         feat_mask |= L2CAP_FEAT_ERTM;
2245                 put_unaligned(cpu_to_le32(feat_mask), (__le32 *) rsp->data);
2246                 l2cap_send_cmd(conn, cmd->ident,
2247                                         L2CAP_INFO_RSP, sizeof(buf), buf);
2248         } else if (type == L2CAP_IT_FIXED_CHAN) {
2249                 u8 buf[12];
2250                 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2251                 rsp->type   = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2252                 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
2253                 memcpy(buf + 4, l2cap_fixed_chan, 8);
2254                 l2cap_send_cmd(conn, cmd->ident,
2255                                         L2CAP_INFO_RSP, sizeof(buf), buf);
2256         } else {
2257                 struct l2cap_info_rsp rsp;
2258                 rsp.type   = cpu_to_le16(type);
2259                 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
2260                 l2cap_send_cmd(conn, cmd->ident,
2261                                         L2CAP_INFO_RSP, sizeof(rsp), &rsp);
2262         }
2263
2264         return 0;
2265 }
2266
2267 static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2268 {
2269         struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
2270         u16 type, result;
2271
2272         type   = __le16_to_cpu(rsp->type);
2273         result = __le16_to_cpu(rsp->result);
2274
2275         BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
2276
2277         del_timer(&conn->info_timer);
2278
2279         if (type == L2CAP_IT_FEAT_MASK) {
2280                 conn->feat_mask = get_unaligned_le32(rsp->data);
2281
2282                 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
2283                         struct l2cap_info_req req;
2284                         req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2285
2286                         conn->info_ident = l2cap_get_ident(conn);
2287
2288                         l2cap_send_cmd(conn, conn->info_ident,
2289                                         L2CAP_INFO_REQ, sizeof(req), &req);
2290                 } else {
2291                         conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2292                         conn->info_ident = 0;
2293
2294                         l2cap_conn_start(conn);
2295                 }
2296         } else if (type == L2CAP_IT_FIXED_CHAN) {
2297                 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2298                 conn->info_ident = 0;
2299
2300                 l2cap_conn_start(conn);
2301         }
2302
2303         return 0;
2304 }
2305
2306 static inline void l2cap_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb)
2307 {
2308         u8 *data = skb->data;
2309         int len = skb->len;
2310         struct l2cap_cmd_hdr cmd;
2311         int err = 0;
2312
2313         l2cap_raw_recv(conn, skb);
2314
2315         while (len >= L2CAP_CMD_HDR_SIZE) {
2316                 u16 cmd_len;
2317                 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
2318                 data += L2CAP_CMD_HDR_SIZE;
2319                 len  -= L2CAP_CMD_HDR_SIZE;
2320
2321                 cmd_len = le16_to_cpu(cmd.len);
2322
2323                 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
2324
2325                 if (cmd_len > len || !cmd.ident) {
2326                         BT_DBG("corrupted command");
2327                         break;
2328                 }
2329
2330                 switch (cmd.code) {
2331                 case L2CAP_COMMAND_REJ:
2332                         l2cap_command_rej(conn, &cmd, data);
2333                         break;
2334
2335                 case L2CAP_CONN_REQ:
2336                         err = l2cap_connect_req(conn, &cmd, data);
2337                         break;
2338
2339                 case L2CAP_CONN_RSP:
2340                         err = l2cap_connect_rsp(conn, &cmd, data);
2341                         break;
2342
2343                 case L2CAP_CONF_REQ:
2344                         err = l2cap_config_req(conn, &cmd, cmd_len, data);
2345                         break;
2346
2347                 case L2CAP_CONF_RSP:
2348                         err = l2cap_config_rsp(conn, &cmd, data);
2349                         break;
2350
2351                 case L2CAP_DISCONN_REQ:
2352                         err = l2cap_disconnect_req(conn, &cmd, data);
2353                         break;
2354
2355                 case L2CAP_DISCONN_RSP:
2356                         err = l2cap_disconnect_rsp(conn, &cmd, data);
2357                         break;
2358
2359                 case L2CAP_ECHO_REQ:
2360                         l2cap_send_cmd(conn, cmd.ident, L2CAP_ECHO_RSP, cmd_len, data);
2361                         break;
2362
2363                 case L2CAP_ECHO_RSP:
2364                         break;
2365
2366                 case L2CAP_INFO_REQ:
2367                         err = l2cap_information_req(conn, &cmd, data);
2368                         break;
2369
2370                 case L2CAP_INFO_RSP:
2371                         err = l2cap_information_rsp(conn, &cmd, data);
2372                         break;
2373
2374                 default:
2375                         BT_ERR("Unknown signaling command 0x%2.2x", cmd.code);
2376                         err = -EINVAL;
2377                         break;
2378                 }
2379
2380                 if (err) {
2381                         struct l2cap_cmd_rej rej;
2382                         BT_DBG("error %d", err);
2383
2384                         /* FIXME: Map err to a valid reason */
2385                         rej.reason = cpu_to_le16(0);
2386                         l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
2387                 }
2388
2389                 data += cmd_len;
2390                 len  -= cmd_len;
2391         }
2392
2393         kfree_skb(skb);
2394 }
2395
2396 static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
2397 {
2398         struct sock *sk;
2399
2400         sk = l2cap_get_chan_by_scid(&conn->chan_list, cid);
2401         if (!sk) {
2402                 BT_DBG("unknown cid 0x%4.4x", cid);
2403                 goto drop;
2404         }
2405
2406         BT_DBG("sk %p, len %d", sk, skb->len);
2407
2408         if (sk->sk_state != BT_CONNECTED)
2409                 goto drop;
2410
2411         if (l2cap_pi(sk)->imtu < skb->len)
2412                 goto drop;
2413
2414         /* If socket recv buffers overflows we drop data here
2415          * which is *bad* because L2CAP has to be reliable.
2416          * But we don't have any other choice. L2CAP doesn't
2417          * provide flow control mechanism. */
2418
2419         if (!sock_queue_rcv_skb(sk, skb))
2420                 goto done;
2421
2422 drop:
2423         kfree_skb(skb);
2424
2425 done:
2426         if (sk)
2427                 bh_unlock_sock(sk);
2428
2429         return 0;
2430 }
2431
2432 static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
2433 {
2434         struct sock *sk;
2435
2436         sk = l2cap_get_sock_by_psm(0, psm, conn->src);
2437         if (!sk)
2438                 goto drop;
2439
2440         BT_DBG("sk %p, len %d", sk, skb->len);
2441
2442         if (sk->sk_state != BT_BOUND && sk->sk_state != BT_CONNECTED)
2443                 goto drop;
2444
2445         if (l2cap_pi(sk)->imtu < skb->len)
2446                 goto drop;
2447
2448         if (!sock_queue_rcv_skb(sk, skb))
2449                 goto done;
2450
2451 drop:
2452         kfree_skb(skb);
2453
2454 done:
2455         if (sk)
2456                 bh_unlock_sock(sk);
2457         return 0;
2458 }
2459
2460 static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
2461 {
2462         struct l2cap_hdr *lh = (void *) skb->data;
2463         u16 cid, len;
2464         __le16 psm;
2465
2466         skb_pull(skb, L2CAP_HDR_SIZE);
2467         cid = __le16_to_cpu(lh->cid);
2468         len = __le16_to_cpu(lh->len);
2469
2470         BT_DBG("len %d, cid 0x%4.4x", len, cid);
2471
2472         switch (cid) {
2473         case L2CAP_CID_SIGNALING:
2474                 l2cap_sig_channel(conn, skb);
2475                 break;
2476
2477         case L2CAP_CID_CONN_LESS:
2478                 psm = get_unaligned((__le16 *) skb->data);
2479                 skb_pull(skb, 2);
2480                 l2cap_conless_channel(conn, psm, skb);
2481                 break;
2482
2483         default:
2484                 l2cap_data_channel(conn, cid, skb);
2485                 break;
2486         }
2487 }
2488
2489 /* ---- L2CAP interface with lower layer (HCI) ---- */
2490
2491 static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
2492 {
2493         int exact = 0, lm1 = 0, lm2 = 0;
2494         register struct sock *sk;
2495         struct hlist_node *node;
2496
2497         if (type != ACL_LINK)
2498                 return 0;
2499
2500         BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
2501
2502         /* Find listening sockets and check their link_mode */
2503         read_lock(&l2cap_sk_list.lock);
2504         sk_for_each(sk, node, &l2cap_sk_list.head) {
2505                 if (sk->sk_state != BT_LISTEN)
2506                         continue;
2507
2508                 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2509                         lm1 |= HCI_LM_ACCEPT;
2510                         if (l2cap_pi(sk)->role_switch)
2511                                 lm1 |= HCI_LM_MASTER;
2512                         exact++;
2513                 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
2514                         lm2 |= HCI_LM_ACCEPT;
2515                         if (l2cap_pi(sk)->role_switch)
2516                                 lm2 |= HCI_LM_MASTER;
2517                 }
2518         }
2519         read_unlock(&l2cap_sk_list.lock);
2520
2521         return exact ? lm1 : lm2;
2522 }
2523
2524 static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
2525 {
2526         struct l2cap_conn *conn;
2527
2528         BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
2529
2530         if (hcon->type != ACL_LINK)
2531                 return 0;
2532
2533         if (!status) {
2534                 conn = l2cap_conn_add(hcon, status);
2535                 if (conn)
2536                         l2cap_conn_ready(conn);
2537         } else
2538                 l2cap_conn_del(hcon, bt_err(status));
2539
2540         return 0;
2541 }
2542
2543 static int l2cap_disconn_ind(struct hci_conn *hcon)
2544 {
2545         struct l2cap_conn *conn = hcon->l2cap_data;
2546
2547         BT_DBG("hcon %p", hcon);
2548
2549         if (hcon->type != ACL_LINK || !conn)
2550                 return 0x13;
2551
2552         return conn->disc_reason;
2553 }
2554
2555 static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
2556 {
2557         BT_DBG("hcon %p reason %d", hcon, reason);
2558
2559         if (hcon->type != ACL_LINK)
2560                 return 0;
2561
2562         l2cap_conn_del(hcon, bt_err(reason));
2563
2564         return 0;
2565 }
2566
2567 static inline void l2cap_check_encryption(struct sock *sk, u8 encrypt)
2568 {
2569         if (sk->sk_type != SOCK_SEQPACKET)
2570                 return;
2571
2572         if (encrypt == 0x00) {
2573                 if (l2cap_pi(sk)->sec_level == BT_SECURITY_MEDIUM) {
2574                         l2cap_sock_clear_timer(sk);
2575                         l2cap_sock_set_timer(sk, HZ * 5);
2576                 } else if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
2577                         __l2cap_sock_close(sk, ECONNREFUSED);
2578         } else {
2579                 if (l2cap_pi(sk)->sec_level == BT_SECURITY_MEDIUM)
2580                         l2cap_sock_clear_timer(sk);
2581         }
2582 }
2583
2584 static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
2585 {
2586         struct l2cap_chan_list *l;
2587         struct l2cap_conn *conn = hcon->l2cap_data;
2588         struct sock *sk;
2589
2590         if (!conn)
2591                 return 0;
2592
2593         l = &conn->chan_list;
2594
2595         BT_DBG("conn %p", conn);
2596
2597         read_lock(&l->lock);
2598
2599         for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
2600                 bh_lock_sock(sk);
2601
2602                 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_CONNECT_PEND) {
2603                         bh_unlock_sock(sk);
2604                         continue;
2605                 }
2606
2607                 if (!status && (sk->sk_state == BT_CONNECTED ||
2608                                                 sk->sk_state == BT_CONFIG)) {
2609                         l2cap_check_encryption(sk, encrypt);
2610                         bh_unlock_sock(sk);
2611                         continue;
2612                 }
2613
2614                 if (sk->sk_state == BT_CONNECT) {
2615                         if (!status) {
2616                                 struct l2cap_conn_req req;
2617                                 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
2618                                 req.psm  = l2cap_pi(sk)->psm;
2619
2620                                 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
2621
2622                                 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
2623                                         L2CAP_CONN_REQ, sizeof(req), &req);
2624                         } else {
2625                                 l2cap_sock_clear_timer(sk);
2626                                 l2cap_sock_set_timer(sk, HZ / 10);
2627                         }
2628                 } else if (sk->sk_state == BT_CONNECT2) {
2629                         struct l2cap_conn_rsp rsp;
2630                         __u16 result;
2631
2632                         if (!status) {
2633                                 sk->sk_state = BT_CONFIG;
2634                                 result = L2CAP_CR_SUCCESS;
2635                         } else {
2636                                 sk->sk_state = BT_DISCONN;
2637                                 l2cap_sock_set_timer(sk, HZ / 10);
2638                                 result = L2CAP_CR_SEC_BLOCK;
2639                         }
2640
2641                         rsp.scid   = cpu_to_le16(l2cap_pi(sk)->dcid);
2642                         rsp.dcid   = cpu_to_le16(l2cap_pi(sk)->scid);
2643                         rsp.result = cpu_to_le16(result);
2644                         rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
2645                         l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
2646                                         L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2647                 }
2648
2649                 bh_unlock_sock(sk);
2650         }
2651
2652         read_unlock(&l->lock);
2653
2654         return 0;
2655 }
2656
2657 static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
2658 {
2659         struct l2cap_conn *conn = hcon->l2cap_data;
2660
2661         if (!conn && !(conn = l2cap_conn_add(hcon, 0)))
2662                 goto drop;
2663
2664         BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
2665
2666         if (flags & ACL_START) {
2667                 struct l2cap_hdr *hdr;
2668                 int len;
2669
2670                 if (conn->rx_len) {
2671                         BT_ERR("Unexpected start frame (len %d)", skb->len);
2672                         kfree_skb(conn->rx_skb);
2673                         conn->rx_skb = NULL;
2674                         conn->rx_len = 0;
2675                         l2cap_conn_unreliable(conn, ECOMM);
2676                 }
2677
2678                 if (skb->len < 2) {
2679                         BT_ERR("Frame is too short (len %d)", skb->len);
2680                         l2cap_conn_unreliable(conn, ECOMM);
2681                         goto drop;
2682                 }
2683
2684                 hdr = (struct l2cap_hdr *) skb->data;
2685                 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
2686
2687                 if (len == skb->len) {
2688                         /* Complete frame received */
2689                         l2cap_recv_frame(conn, skb);
2690                         return 0;
2691                 }
2692
2693                 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
2694
2695                 if (skb->len > len) {
2696                         BT_ERR("Frame is too long (len %d, expected len %d)",
2697                                 skb->len, len);
2698                         l2cap_conn_unreliable(conn, ECOMM);
2699                         goto drop;
2700                 }
2701
2702                 /* Allocate skb for the complete frame (with header) */
2703                 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
2704                 if (!conn->rx_skb)
2705                         goto drop;
2706
2707                 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2708                                                                 skb->len);
2709                 conn->rx_len = len - skb->len;
2710         } else {
2711                 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
2712
2713                 if (!conn->rx_len) {
2714                         BT_ERR("Unexpected continuation frame (len %d)", skb->len);
2715                         l2cap_conn_unreliable(conn, ECOMM);
2716                         goto drop;
2717                 }
2718
2719                 if (skb->len > conn->rx_len) {
2720                         BT_ERR("Fragment is too long (len %d, expected %d)",
2721                                         skb->len, conn->rx_len);
2722                         kfree_skb(conn->rx_skb);
2723                         conn->rx_skb = NULL;
2724                         conn->rx_len = 0;
2725                         l2cap_conn_unreliable(conn, ECOMM);
2726                         goto drop;
2727                 }
2728
2729                 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2730                                                                 skb->len);
2731                 conn->rx_len -= skb->len;
2732
2733                 if (!conn->rx_len) {
2734                         /* Complete frame received */
2735                         l2cap_recv_frame(conn, conn->rx_skb);
2736                         conn->rx_skb = NULL;
2737                 }
2738         }
2739
2740 drop:
2741         kfree_skb(skb);
2742         return 0;
2743 }
2744
2745 static ssize_t l2cap_sysfs_show(struct class *dev, char *buf)
2746 {
2747         struct sock *sk;
2748         struct hlist_node *node;
2749         char *str = buf;
2750
2751         read_lock_bh(&l2cap_sk_list.lock);
2752
2753         sk_for_each(sk, node, &l2cap_sk_list.head) {
2754                 struct l2cap_pinfo *pi = l2cap_pi(sk);
2755
2756                 str += sprintf(str, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d\n",
2757                                 batostr(&bt_sk(sk)->src), batostr(&bt_sk(sk)->dst),
2758                                 sk->sk_state, __le16_to_cpu(pi->psm), pi->scid,
2759                                 pi->dcid, pi->imtu, pi->omtu, pi->sec_level);
2760         }
2761
2762         read_unlock_bh(&l2cap_sk_list.lock);
2763
2764         return str - buf;
2765 }
2766
2767 static CLASS_ATTR(l2cap, S_IRUGO, l2cap_sysfs_show, NULL);
2768
2769 static const struct proto_ops l2cap_sock_ops = {
2770         .family         = PF_BLUETOOTH,
2771         .owner          = THIS_MODULE,
2772         .release        = l2cap_sock_release,
2773         .bind           = l2cap_sock_bind,
2774         .connect        = l2cap_sock_connect,
2775         .listen         = l2cap_sock_listen,
2776         .accept         = l2cap_sock_accept,
2777         .getname        = l2cap_sock_getname,
2778         .sendmsg        = l2cap_sock_sendmsg,
2779         .recvmsg        = l2cap_sock_recvmsg,
2780         .poll           = bt_sock_poll,
2781         .ioctl          = bt_sock_ioctl,
2782         .mmap           = sock_no_mmap,
2783         .socketpair     = sock_no_socketpair,
2784         .shutdown       = l2cap_sock_shutdown,
2785         .setsockopt     = l2cap_sock_setsockopt,
2786         .getsockopt     = l2cap_sock_getsockopt
2787 };
2788
2789 static struct net_proto_family l2cap_sock_family_ops = {
2790         .family = PF_BLUETOOTH,
2791         .owner  = THIS_MODULE,
2792         .create = l2cap_sock_create,
2793 };
2794
2795 static struct hci_proto l2cap_hci_proto = {
2796         .name           = "L2CAP",
2797         .id             = HCI_PROTO_L2CAP,
2798         .connect_ind    = l2cap_connect_ind,
2799         .connect_cfm    = l2cap_connect_cfm,
2800         .disconn_ind    = l2cap_disconn_ind,
2801         .disconn_cfm    = l2cap_disconn_cfm,
2802         .security_cfm   = l2cap_security_cfm,
2803         .recv_acldata   = l2cap_recv_acldata
2804 };
2805
2806 static int __init l2cap_init(void)
2807 {
2808         int err;
2809
2810         err = proto_register(&l2cap_proto, 0);
2811         if (err < 0)
2812                 return err;
2813
2814         err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
2815         if (err < 0) {
2816                 BT_ERR("L2CAP socket registration failed");
2817                 goto error;
2818         }
2819
2820         err = hci_register_proto(&l2cap_hci_proto);
2821         if (err < 0) {
2822                 BT_ERR("L2CAP protocol registration failed");
2823                 bt_sock_unregister(BTPROTO_L2CAP);
2824                 goto error;
2825         }
2826
2827         if (class_create_file(bt_class, &class_attr_l2cap) < 0)
2828                 BT_ERR("Failed to create L2CAP info file");
2829
2830         BT_INFO("L2CAP ver %s", VERSION);
2831         BT_INFO("L2CAP socket layer initialized");
2832
2833         return 0;
2834
2835 error:
2836         proto_unregister(&l2cap_proto);
2837         return err;
2838 }
2839
2840 static void __exit l2cap_exit(void)
2841 {
2842         class_remove_file(bt_class, &class_attr_l2cap);
2843
2844         if (bt_sock_unregister(BTPROTO_L2CAP) < 0)
2845                 BT_ERR("L2CAP socket unregistration failed");
2846
2847         if (hci_unregister_proto(&l2cap_hci_proto) < 0)
2848                 BT_ERR("L2CAP protocol unregistration failed");
2849
2850         proto_unregister(&l2cap_proto);
2851 }
2852
2853 void l2cap_load(void)
2854 {
2855         /* Dummy function to trigger automatic L2CAP module loading by
2856          * other modules that use L2CAP sockets but don't use any other
2857          * symbols from it. */
2858         return;
2859 }
2860 EXPORT_SYMBOL(l2cap_load);
2861
2862 module_init(l2cap_init);
2863 module_exit(l2cap_exit);
2864
2865 module_param(enable_ertm, bool, 0644);
2866 MODULE_PARM_DESC(enable_ertm, "Enable enhanced retransmission mode");
2867
2868 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
2869 MODULE_DESCRIPTION("Bluetooth L2CAP ver " VERSION);
2870 MODULE_VERSION(VERSION);
2871 MODULE_LICENSE("GPL");
2872 MODULE_ALIAS("bt-proto-0");