aboutsummaryrefslogtreecommitdiffstats
path: root/net/bluetooth
diff options
context:
space:
mode:
Diffstat (limited to 'net/bluetooth')
-rw-r--r--net/bluetooth/Kconfig9
-rw-r--r--net/bluetooth/Makefile2
-rw-r--r--net/bluetooth/af_bluetooth.c44
-rw-r--r--net/bluetooth/bnep/bnep.h1
-rw-r--r--net/bluetooth/bnep/core.c13
-rw-r--r--net/bluetooth/bnep/netdev.c1
-rw-r--r--net/bluetooth/cmtp/capi.c6
-rw-r--r--net/bluetooth/cmtp/cmtp.h1
-rw-r--r--net/bluetooth/cmtp/core.c20
-rw-r--r--net/bluetooth/hci_conn.c136
-rw-r--r--net/bluetooth/hci_core.c273
-rw-r--r--net/bluetooth/hci_event.c328
-rw-r--r--net/bluetooth/hci_sock.c70
-rw-r--r--net/bluetooth/hidp/core.c19
-rw-r--r--net/bluetooth/l2cap_core.c1062
-rw-r--r--net/bluetooth/l2cap_sock.c476
-rw-r--r--net/bluetooth/lib.c23
-rw-r--r--net/bluetooth/mgmt.c283
-rw-r--r--net/bluetooth/rfcomm/core.c43
-rw-r--r--net/bluetooth/rfcomm/sock.c37
-rw-r--r--net/bluetooth/sco.c91
-rw-r--r--net/bluetooth/smp.c705
22 files changed, 2597 insertions, 1046 deletions
diff --git a/net/bluetooth/Kconfig b/net/bluetooth/Kconfig
index 6ae5ec50858..bfb3dc03c9d 100644
--- a/net/bluetooth/Kconfig
+++ b/net/bluetooth/Kconfig
@@ -6,6 +6,7 @@ menuconfig BT
6 tristate "Bluetooth subsystem support" 6 tristate "Bluetooth subsystem support"
7 depends on NET && !S390 7 depends on NET && !S390
8 depends on RFKILL || !RFKILL 8 depends on RFKILL || !RFKILL
9 select CRYPTO
9 help 10 help
10 Bluetooth is low-cost, low-power, short-range wireless technology. 11 Bluetooth is low-cost, low-power, short-range wireless technology.
11 It was designed as a replacement for cables and other short-range 12 It was designed as a replacement for cables and other short-range
@@ -22,6 +23,7 @@ menuconfig BT
22 BNEP Module (Bluetooth Network Encapsulation Protocol) 23 BNEP Module (Bluetooth Network Encapsulation Protocol)
23 CMTP Module (CAPI Message Transport Protocol) 24 CMTP Module (CAPI Message Transport Protocol)
24 HIDP Module (Human Interface Device Protocol) 25 HIDP Module (Human Interface Device Protocol)
26 SMP Module (Security Manager Protocol)
25 27
26 Say Y here to compile Bluetooth support into the kernel or say M to 28 Say Y here to compile Bluetooth support into the kernel or say M to
27 compile it as module (bluetooth). 29 compile it as module (bluetooth).
@@ -36,11 +38,18 @@ if BT != n
36config BT_L2CAP 38config BT_L2CAP
37 bool "L2CAP protocol support" 39 bool "L2CAP protocol support"
38 select CRC16 40 select CRC16
41 select CRYPTO
42 select CRYPTO_BLKCIPHER
43 select CRYPTO_AES
44 select CRYPTO_ECB
39 help 45 help
40 L2CAP (Logical Link Control and Adaptation Protocol) provides 46 L2CAP (Logical Link Control and Adaptation Protocol) provides
41 connection oriented and connection-less data transport. L2CAP 47 connection oriented and connection-less data transport. L2CAP
42 support is required for most Bluetooth applications. 48 support is required for most Bluetooth applications.
43 49
50 Also included is support for SMP (Security Manager Protocol) which
51 is the security layer on top of LE (Low Energy) links.
52
44config BT_SCO 53config BT_SCO
45 bool "SCO links support" 54 bool "SCO links support"
46 help 55 help
diff --git a/net/bluetooth/Makefile b/net/bluetooth/Makefile
index f04fe9a9d63..9b67f3d08fa 100644
--- a/net/bluetooth/Makefile
+++ b/net/bluetooth/Makefile
@@ -9,5 +9,5 @@ obj-$(CONFIG_BT_CMTP) += cmtp/
9obj-$(CONFIG_BT_HIDP) += hidp/ 9obj-$(CONFIG_BT_HIDP) += hidp/
10 10
11bluetooth-y := af_bluetooth.o hci_core.o hci_conn.o hci_event.o mgmt.o hci_sock.o hci_sysfs.o lib.o 11bluetooth-y := af_bluetooth.o hci_core.o hci_conn.o hci_event.o mgmt.o hci_sock.o hci_sysfs.o lib.o
12bluetooth-$(CONFIG_BT_L2CAP) += l2cap_core.o l2cap_sock.o 12bluetooth-$(CONFIG_BT_L2CAP) += l2cap_core.o l2cap_sock.o smp.o
13bluetooth-$(CONFIG_BT_SCO) += sco.o 13bluetooth-$(CONFIG_BT_SCO) += sco.o
diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c
index 8add9b49991..7c73a10d7ed 100644
--- a/net/bluetooth/af_bluetooth.c
+++ b/net/bluetooth/af_bluetooth.c
@@ -40,6 +40,15 @@
40 40
41#include <net/bluetooth/bluetooth.h> 41#include <net/bluetooth/bluetooth.h>
42 42
43#ifdef CONFIG_ANDROID_PARANOID_NETWORK
44#include <linux/android_aid.h>
45#endif
46
47#ifndef CONFIG_BT_SOCK_DEBUG
48#undef BT_DBG
49#define BT_DBG(D...)
50#endif
51
43#define VERSION "2.16" 52#define VERSION "2.16"
44 53
45/* Bluetooth sockets */ 54/* Bluetooth sockets */
@@ -125,11 +134,40 @@ int bt_sock_unregister(int proto)
125} 134}
126EXPORT_SYMBOL(bt_sock_unregister); 135EXPORT_SYMBOL(bt_sock_unregister);
127 136
137#ifdef CONFIG_ANDROID_PARANOID_NETWORK
138static inline int current_has_bt_admin(void)
139{
140 return (!current_euid() || in_egroup_p(AID_NET_BT_ADMIN));
141}
142
143static inline int current_has_bt(void)
144{
145 return (current_has_bt_admin() || in_egroup_p(AID_NET_BT));
146}
147# else
148static inline int current_has_bt_admin(void)
149{
150 return 1;
151}
152
153static inline int current_has_bt(void)
154{
155 return 1;
156}
157#endif
158
128static int bt_sock_create(struct net *net, struct socket *sock, int proto, 159static int bt_sock_create(struct net *net, struct socket *sock, int proto,
129 int kern) 160 int kern)
130{ 161{
131 int err; 162 int err;
132 163
164 if (proto == BTPROTO_RFCOMM || proto == BTPROTO_SCO ||
165 proto == BTPROTO_L2CAP) {
166 if (!current_has_bt())
167 return -EPERM;
168 } else if (!current_has_bt_admin())
169 return -EPERM;
170
133 if (net != &init_net) 171 if (net != &init_net)
134 return -EAFNOSUPPORT; 172 return -EAFNOSUPPORT;
135 173
@@ -494,9 +532,8 @@ int bt_sock_wait_state(struct sock *sk, int state, unsigned long timeo)
494 BT_DBG("sk %p", sk); 532 BT_DBG("sk %p", sk);
495 533
496 add_wait_queue(sk_sleep(sk), &wait); 534 add_wait_queue(sk_sleep(sk), &wait);
535 set_current_state(TASK_INTERRUPTIBLE);
497 while (sk->sk_state != state) { 536 while (sk->sk_state != state) {
498 set_current_state(TASK_INTERRUPTIBLE);
499
500 if (!timeo) { 537 if (!timeo) {
501 err = -EINPROGRESS; 538 err = -EINPROGRESS;
502 break; 539 break;
@@ -510,12 +547,13 @@ int bt_sock_wait_state(struct sock *sk, int state, unsigned long timeo)
510 release_sock(sk); 547 release_sock(sk);
511 timeo = schedule_timeout(timeo); 548 timeo = schedule_timeout(timeo);
512 lock_sock(sk); 549 lock_sock(sk);
550 set_current_state(TASK_INTERRUPTIBLE);
513 551
514 err = sock_error(sk); 552 err = sock_error(sk);
515 if (err) 553 if (err)
516 break; 554 break;
517 } 555 }
518 set_current_state(TASK_RUNNING); 556 __set_current_state(TASK_RUNNING);
519 remove_wait_queue(sk_sleep(sk), &wait); 557 remove_wait_queue(sk_sleep(sk), &wait);
520 return err; 558 return err;
521} 559}
diff --git a/net/bluetooth/bnep/bnep.h b/net/bluetooth/bnep/bnep.h
index 8e6c06158f8..e7ee5314f39 100644
--- a/net/bluetooth/bnep/bnep.h
+++ b/net/bluetooth/bnep/bnep.h
@@ -155,6 +155,7 @@ struct bnep_session {
155 unsigned int role; 155 unsigned int role;
156 unsigned long state; 156 unsigned long state;
157 unsigned long flags; 157 unsigned long flags;
158 atomic_t terminate;
158 struct task_struct *task; 159 struct task_struct *task;
159 160
160 struct ethhdr eh; 161 struct ethhdr eh;
diff --git a/net/bluetooth/bnep/core.c b/net/bluetooth/bnep/core.c
index ca39fcf010c..d9edfe8bf9d 100644
--- a/net/bluetooth/bnep/core.c
+++ b/net/bluetooth/bnep/core.c
@@ -484,9 +484,11 @@ static int bnep_session(void *arg)
484 484
485 init_waitqueue_entry(&wait, current); 485 init_waitqueue_entry(&wait, current);
486 add_wait_queue(sk_sleep(sk), &wait); 486 add_wait_queue(sk_sleep(sk), &wait);
487 while (!kthread_should_stop()) { 487 while (1) {
488 set_current_state(TASK_INTERRUPTIBLE); 488 set_current_state(TASK_INTERRUPTIBLE);
489 489
490 if (atomic_read(&s->terminate))
491 break;
490 /* RX */ 492 /* RX */
491 while ((skb = skb_dequeue(&sk->sk_receive_queue))) { 493 while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
492 skb_orphan(skb); 494 skb_orphan(skb);
@@ -504,7 +506,7 @@ static int bnep_session(void *arg)
504 506
505 schedule(); 507 schedule();
506 } 508 }
507 set_current_state(TASK_RUNNING); 509 __set_current_state(TASK_RUNNING);
508 remove_wait_queue(sk_sleep(sk), &wait); 510 remove_wait_queue(sk_sleep(sk), &wait);
509 511
510 /* Cleanup session */ 512 /* Cleanup session */
@@ -640,9 +642,10 @@ int bnep_del_connection(struct bnep_conndel_req *req)
640 down_read(&bnep_session_sem); 642 down_read(&bnep_session_sem);
641 643
642 s = __bnep_get_session(req->dst); 644 s = __bnep_get_session(req->dst);
643 if (s) 645 if (s) {
644 kthread_stop(s->task); 646 atomic_inc(&s->terminate);
645 else 647 wake_up_process(s->task);
648 } else
646 err = -ENOENT; 649 err = -ENOENT;
647 650
648 up_read(&bnep_session_sem); 651 up_read(&bnep_session_sem);
diff --git a/net/bluetooth/bnep/netdev.c b/net/bluetooth/bnep/netdev.c
index 8c100c9dae2..d4f5dff7c95 100644
--- a/net/bluetooth/bnep/netdev.c
+++ b/net/bluetooth/bnep/netdev.c
@@ -231,6 +231,7 @@ void bnep_net_setup(struct net_device *dev)
231 dev->addr_len = ETH_ALEN; 231 dev->addr_len = ETH_ALEN;
232 232
233 ether_setup(dev); 233 ether_setup(dev);
234 dev->priv_flags &= ~IFF_TX_SKB_SHARING;
234 dev->netdev_ops = &bnep_netdev_ops; 235 dev->netdev_ops = &bnep_netdev_ops;
235 236
236 dev->watchdog_timeo = HZ * 2; 237 dev->watchdog_timeo = HZ * 2;
diff --git a/net/bluetooth/cmtp/capi.c b/net/bluetooth/cmtp/capi.c
index 744233cba24..50f0d135eb8 100644
--- a/net/bluetooth/cmtp/capi.c
+++ b/net/bluetooth/cmtp/capi.c
@@ -326,7 +326,7 @@ void cmtp_recv_capimsg(struct cmtp_session *session, struct sk_buff *skb)
326{ 326{
327 struct capi_ctr *ctrl = &session->ctrl; 327 struct capi_ctr *ctrl = &session->ctrl;
328 struct cmtp_application *application; 328 struct cmtp_application *application;
329 __u16 cmd, appl; 329 __u16 appl;
330 __u32 contr; 330 __u32 contr;
331 331
332 BT_DBG("session %p skb %p len %d", session, skb, skb->len); 332 BT_DBG("session %p skb %p len %d", session, skb, skb->len);
@@ -344,7 +344,6 @@ void cmtp_recv_capimsg(struct cmtp_session *session, struct sk_buff *skb)
344 return; 344 return;
345 } 345 }
346 346
347 cmd = CAPICMD(CAPIMSG_COMMAND(skb->data), CAPIMSG_SUBCOMMAND(skb->data));
348 appl = CAPIMSG_APPID(skb->data); 347 appl = CAPIMSG_APPID(skb->data);
349 contr = CAPIMSG_CONTROL(skb->data); 348 contr = CAPIMSG_CONTROL(skb->data);
350 349
@@ -387,7 +386,8 @@ static void cmtp_reset_ctr(struct capi_ctr *ctrl)
387 386
388 capi_ctr_down(ctrl); 387 capi_ctr_down(ctrl);
389 388
390 kthread_stop(session->task); 389 atomic_inc(&session->terminate);
390 wake_up_process(session->task);
391} 391}
392 392
393static void cmtp_register_appl(struct capi_ctr *ctrl, __u16 appl, capi_register_params *rp) 393static void cmtp_register_appl(struct capi_ctr *ctrl, __u16 appl, capi_register_params *rp)
diff --git a/net/bluetooth/cmtp/cmtp.h b/net/bluetooth/cmtp/cmtp.h
index db43b54ac9a..c32638dddbf 100644
--- a/net/bluetooth/cmtp/cmtp.h
+++ b/net/bluetooth/cmtp/cmtp.h
@@ -81,6 +81,7 @@ struct cmtp_session {
81 81
82 char name[BTNAMSIZ]; 82 char name[BTNAMSIZ];
83 83
84 atomic_t terminate;
84 struct task_struct *task; 85 struct task_struct *task;
85 86
86 wait_queue_head_t wait; 87 wait_queue_head_t wait;
diff --git a/net/bluetooth/cmtp/core.c b/net/bluetooth/cmtp/core.c
index c5b11af908b..521baa4fe83 100644
--- a/net/bluetooth/cmtp/core.c
+++ b/net/bluetooth/cmtp/core.c
@@ -292,9 +292,11 @@ static int cmtp_session(void *arg)
292 292
293 init_waitqueue_entry(&wait, current); 293 init_waitqueue_entry(&wait, current);
294 add_wait_queue(sk_sleep(sk), &wait); 294 add_wait_queue(sk_sleep(sk), &wait);
295 while (!kthread_should_stop()) { 295 while (1) {
296 set_current_state(TASK_INTERRUPTIBLE); 296 set_current_state(TASK_INTERRUPTIBLE);
297 297
298 if (atomic_read(&session->terminate))
299 break;
298 if (sk->sk_state != BT_CONNECTED) 300 if (sk->sk_state != BT_CONNECTED)
299 break; 301 break;
300 302
@@ -307,7 +309,7 @@ static int cmtp_session(void *arg)
307 309
308 schedule(); 310 schedule();
309 } 311 }
310 set_current_state(TASK_RUNNING); 312 __set_current_state(TASK_RUNNING);
311 remove_wait_queue(sk_sleep(sk), &wait); 313 remove_wait_queue(sk_sleep(sk), &wait);
312 314
313 down_write(&cmtp_session_sem); 315 down_write(&cmtp_session_sem);
@@ -380,16 +382,17 @@ int cmtp_add_connection(struct cmtp_connadd_req *req, struct socket *sock)
380 382
381 if (!(session->flags & (1 << CMTP_LOOPBACK))) { 383 if (!(session->flags & (1 << CMTP_LOOPBACK))) {
382 err = cmtp_attach_device(session); 384 err = cmtp_attach_device(session);
383 if (err < 0) 385 if (err < 0) {
384 goto detach; 386 atomic_inc(&session->terminate);
387 wake_up_process(session->task);
388 up_write(&cmtp_session_sem);
389 return err;
390 }
385 } 391 }
386 392
387 up_write(&cmtp_session_sem); 393 up_write(&cmtp_session_sem);
388 return 0; 394 return 0;
389 395
390detach:
391 cmtp_detach_device(session);
392
393unlink: 396unlink:
394 __cmtp_unlink_session(session); 397 __cmtp_unlink_session(session);
395 398
@@ -414,7 +417,8 @@ int cmtp_del_connection(struct cmtp_conndel_req *req)
414 skb_queue_purge(&session->transmit); 417 skb_queue_purge(&session->transmit);
415 418
416 /* Stop session thread */ 419 /* Stop session thread */
417 kthread_stop(session->task); 420 atomic_inc(&session->terminate);
421 wake_up_process(session->task);
418 } else 422 } else
419 err = -ENOENT; 423 err = -ENOENT;
420 424
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index bcd158f40bb..33c4e0cd83b 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -53,11 +53,13 @@ static void hci_le_connect(struct hci_conn *conn)
53 conn->state = BT_CONNECT; 53 conn->state = BT_CONNECT;
54 conn->out = 1; 54 conn->out = 1;
55 conn->link_mode |= HCI_LM_MASTER; 55 conn->link_mode |= HCI_LM_MASTER;
56 conn->sec_level = BT_SECURITY_LOW;
56 57
57 memset(&cp, 0, sizeof(cp)); 58 memset(&cp, 0, sizeof(cp));
58 cp.scan_interval = cpu_to_le16(0x0004); 59 cp.scan_interval = cpu_to_le16(0x0004);
59 cp.scan_window = cpu_to_le16(0x0004); 60 cp.scan_window = cpu_to_le16(0x0004);
60 bacpy(&cp.peer_addr, &conn->dst); 61 bacpy(&cp.peer_addr, &conn->dst);
62 cp.peer_addr_type = conn->dst_type;
61 cp.conn_interval_min = cpu_to_le16(0x0008); 63 cp.conn_interval_min = cpu_to_le16(0x0008);
62 cp.conn_interval_max = cpu_to_le16(0x0100); 64 cp.conn_interval_max = cpu_to_le16(0x0100);
63 cp.supervision_timeout = cpu_to_le16(0x0064); 65 cp.supervision_timeout = cpu_to_le16(0x0064);
@@ -203,6 +205,55 @@ void hci_le_conn_update(struct hci_conn *conn, u16 min, u16 max,
203} 205}
204EXPORT_SYMBOL(hci_le_conn_update); 206EXPORT_SYMBOL(hci_le_conn_update);
205 207
208void hci_le_start_enc(struct hci_conn *conn, __le16 ediv, __u8 rand[8],
209 __u8 ltk[16])
210{
211 struct hci_dev *hdev = conn->hdev;
212 struct hci_cp_le_start_enc cp;
213
214 BT_DBG("%p", conn);
215
216 memset(&cp, 0, sizeof(cp));
217
218 cp.handle = cpu_to_le16(conn->handle);
219 memcpy(cp.ltk, ltk, sizeof(cp.ltk));
220 cp.ediv = ediv;
221 memcpy(cp.rand, rand, sizeof(rand));
222
223 hci_send_cmd(hdev, HCI_OP_LE_START_ENC, sizeof(cp), &cp);
224}
225EXPORT_SYMBOL(hci_le_start_enc);
226
227void hci_le_ltk_reply(struct hci_conn *conn, u8 ltk[16])
228{
229 struct hci_dev *hdev = conn->hdev;
230 struct hci_cp_le_ltk_reply cp;
231
232 BT_DBG("%p", conn);
233
234 memset(&cp, 0, sizeof(cp));
235
236 cp.handle = cpu_to_le16(conn->handle);
237 memcpy(cp.ltk, ltk, sizeof(ltk));
238
239 hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
240}
241EXPORT_SYMBOL(hci_le_ltk_reply);
242
243void hci_le_ltk_neg_reply(struct hci_conn *conn)
244{
245 struct hci_dev *hdev = conn->hdev;
246 struct hci_cp_le_ltk_neg_reply cp;
247
248 BT_DBG("%p", conn);
249
250 memset(&cp, 0, sizeof(cp));
251
252 cp.handle = cpu_to_le16(conn->handle);
253
254 hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(cp), &cp);
255}
256
206/* Device _must_ be locked */ 257/* Device _must_ be locked */
207void hci_sco_setup(struct hci_conn *conn, __u8 status) 258void hci_sco_setup(struct hci_conn *conn, __u8 status)
208{ 259{
@@ -282,7 +333,8 @@ static void hci_conn_auto_accept(unsigned long arg)
282 hci_dev_unlock(hdev); 333 hci_dev_unlock(hdev);
283} 334}
284 335
285struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst) 336struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type,
337 __u16 pkt_type, bdaddr_t *dst)
286{ 338{
287 struct hci_conn *conn; 339 struct hci_conn *conn;
288 340
@@ -310,14 +362,22 @@ struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst)
310 conn->pkt_type = hdev->pkt_type & ACL_PTYPE_MASK; 362 conn->pkt_type = hdev->pkt_type & ACL_PTYPE_MASK;
311 break; 363 break;
312 case SCO_LINK: 364 case SCO_LINK:
313 if (lmp_esco_capable(hdev)) 365 if (!pkt_type)
314 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) | 366 pkt_type = SCO_ESCO_MASK;
315 (hdev->esco_type & EDR_ESCO_MASK);
316 else
317 conn->pkt_type = hdev->pkt_type & SCO_PTYPE_MASK;
318 break;
319 case ESCO_LINK: 367 case ESCO_LINK:
320 conn->pkt_type = hdev->esco_type & ~EDR_ESCO_MASK; 368 if (!pkt_type)
369 pkt_type = ALL_ESCO_MASK;
370 if (lmp_esco_capable(hdev)) {
371 /* HCI Setup Synchronous Connection Command uses
372 reverse logic on the EDR_ESCO_MASK bits */
373 conn->pkt_type = (pkt_type ^ EDR_ESCO_MASK) &
374 hdev->esco_type;
375 } else {
376 /* Legacy HCI Add Sco Connection Command uses a
377 shifted bitmask */
378 conn->pkt_type = (pkt_type << 5) & hdev->pkt_type &
379 SCO_PTYPE_MASK;
380 }
321 break; 381 break;
322 } 382 }
323 383
@@ -441,7 +501,9 @@ EXPORT_SYMBOL(hci_get_route);
441 501
442/* Create SCO, ACL or LE connection. 502/* Create SCO, ACL or LE connection.
443 * Device _must_ be locked */ 503 * Device _must_ be locked */
444struct hci_conn *hci_connect(struct hci_dev *hdev, int type, bdaddr_t *dst, __u8 sec_level, __u8 auth_type) 504struct hci_conn *hci_connect(struct hci_dev *hdev, int type,
505 __u16 pkt_type, bdaddr_t *dst,
506 __u8 sec_level, __u8 auth_type)
445{ 507{
446 struct hci_conn *acl; 508 struct hci_conn *acl;
447 struct hci_conn *sco; 509 struct hci_conn *sco;
@@ -450,14 +512,23 @@ struct hci_conn *hci_connect(struct hci_dev *hdev, int type, bdaddr_t *dst, __u8
450 BT_DBG("%s dst %s", hdev->name, batostr(dst)); 512 BT_DBG("%s dst %s", hdev->name, batostr(dst));
451 513
452 if (type == LE_LINK) { 514 if (type == LE_LINK) {
515 struct adv_entry *entry;
516
453 le = hci_conn_hash_lookup_ba(hdev, LE_LINK, dst); 517 le = hci_conn_hash_lookup_ba(hdev, LE_LINK, dst);
454 if (le) 518 if (le)
455 return ERR_PTR(-EBUSY); 519 return ERR_PTR(-EBUSY);
456 le = hci_conn_add(hdev, LE_LINK, dst); 520
521 entry = hci_find_adv_entry(hdev, dst);
522 if (!entry)
523 return ERR_PTR(-EHOSTUNREACH);
524
525 le = hci_conn_add(hdev, LE_LINK, 0, dst);
457 if (!le) 526 if (!le)
458 return ERR_PTR(-ENOMEM); 527 return ERR_PTR(-ENOMEM);
459 if (le->state == BT_OPEN) 528
460 hci_le_connect(le); 529 le->dst_type = entry->bdaddr_type;
530
531 hci_le_connect(le);
461 532
462 hci_conn_hold(le); 533 hci_conn_hold(le);
463 534
@@ -466,7 +537,7 @@ struct hci_conn *hci_connect(struct hci_dev *hdev, int type, bdaddr_t *dst, __u8
466 537
467 acl = hci_conn_hash_lookup_ba(hdev, ACL_LINK, dst); 538 acl = hci_conn_hash_lookup_ba(hdev, ACL_LINK, dst);
468 if (!acl) { 539 if (!acl) {
469 acl = hci_conn_add(hdev, ACL_LINK, dst); 540 acl = hci_conn_add(hdev, ACL_LINK, 0, dst);
470 if (!acl) 541 if (!acl)
471 return NULL; 542 return NULL;
472 } 543 }
@@ -485,7 +556,7 @@ struct hci_conn *hci_connect(struct hci_dev *hdev, int type, bdaddr_t *dst, __u8
485 556
486 sco = hci_conn_hash_lookup_ba(hdev, type, dst); 557 sco = hci_conn_hash_lookup_ba(hdev, type, dst);
487 if (!sco) { 558 if (!sco) {
488 sco = hci_conn_add(hdev, type, dst); 559 sco = hci_conn_add(hdev, type, pkt_type, dst);
489 if (!sco) { 560 if (!sco) {
490 hci_conn_put(acl); 561 hci_conn_put(acl);
491 return NULL; 562 return NULL;
@@ -500,7 +571,7 @@ struct hci_conn *hci_connect(struct hci_dev *hdev, int type, bdaddr_t *dst, __u8
500 if (acl->state == BT_CONNECTED && 571 if (acl->state == BT_CONNECTED &&
501 (sco->state == BT_OPEN || sco->state == BT_CLOSED)) { 572 (sco->state == BT_OPEN || sco->state == BT_CLOSED)) {
502 acl->power_save = 1; 573 acl->power_save = 1;
503 hci_conn_enter_active_mode(acl); 574 hci_conn_enter_active_mode(acl, BT_POWER_FORCE_ACTIVE_ON);
504 575
505 if (test_bit(HCI_CONN_MODE_CHANGE_PEND, &acl->pend)) { 576 if (test_bit(HCI_CONN_MODE_CHANGE_PEND, &acl->pend)) {
506 /* defer SCO setup until mode change completed */ 577 /* defer SCO setup until mode change completed */
@@ -548,9 +619,15 @@ static int hci_conn_auth(struct hci_conn *conn, __u8 sec_level, __u8 auth_type)
548 619
549 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->pend)) { 620 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->pend)) {
550 struct hci_cp_auth_requested cp; 621 struct hci_cp_auth_requested cp;
622
623 /* encrypt must be pending if auth is also pending */
624 set_bit(HCI_CONN_ENCRYPT_PEND, &conn->pend);
625
551 cp.handle = cpu_to_le16(conn->handle); 626 cp.handle = cpu_to_le16(conn->handle);
552 hci_send_cmd(conn->hdev, HCI_OP_AUTH_REQUESTED, 627 hci_send_cmd(conn->hdev, HCI_OP_AUTH_REQUESTED,
553 sizeof(cp), &cp); 628 sizeof(cp), &cp);
629 if (conn->key_type != 0xff)
630 set_bit(HCI_CONN_REAUTH_PEND, &conn->pend);
554 } 631 }
555 632
556 return 0; 633 return 0;
@@ -634,9 +711,7 @@ int hci_conn_check_secure(struct hci_conn *conn, __u8 sec_level)
634 if (sec_level != BT_SECURITY_HIGH) 711 if (sec_level != BT_SECURITY_HIGH)
635 return 1; /* Accept if non-secure is required */ 712 return 1; /* Accept if non-secure is required */
636 713
637 if (conn->key_type == HCI_LK_AUTH_COMBINATION || 714 if (conn->sec_level == BT_SECURITY_HIGH)
638 (conn->key_type == HCI_LK_COMBINATION &&
639 conn->pin_length == 16))
640 return 1; 715 return 1;
641 716
642 return 0; /* Reject not secure link */ 717 return 0; /* Reject not secure link */
@@ -679,7 +754,7 @@ int hci_conn_switch_role(struct hci_conn *conn, __u8 role)
679EXPORT_SYMBOL(hci_conn_switch_role); 754EXPORT_SYMBOL(hci_conn_switch_role);
680 755
681/* Enter active mode */ 756/* Enter active mode */
682void hci_conn_enter_active_mode(struct hci_conn *conn) 757void hci_conn_enter_active_mode(struct hci_conn *conn, __u8 force_active)
683{ 758{
684 struct hci_dev *hdev = conn->hdev; 759 struct hci_dev *hdev = conn->hdev;
685 760
@@ -688,7 +763,10 @@ void hci_conn_enter_active_mode(struct hci_conn *conn)
688 if (test_bit(HCI_RAW, &hdev->flags)) 763 if (test_bit(HCI_RAW, &hdev->flags))
689 return; 764 return;
690 765
691 if (conn->mode != HCI_CM_SNIFF || !conn->power_save) 766 if (conn->mode != HCI_CM_SNIFF)
767 goto timer;
768
769 if (!conn->power_save && !force_active)
692 goto timer; 770 goto timer;
693 771
694 if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->pend)) { 772 if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->pend)) {
@@ -829,6 +907,15 @@ int hci_get_conn_list(void __user *arg)
829 (ci + n)->out = c->out; 907 (ci + n)->out = c->out;
830 (ci + n)->state = c->state; 908 (ci + n)->state = c->state;
831 (ci + n)->link_mode = c->link_mode; 909 (ci + n)->link_mode = c->link_mode;
910 if (c->type == SCO_LINK) {
911 (ci + n)->mtu = hdev->sco_mtu;
912 (ci + n)->cnt = hdev->sco_cnt;
913 (ci + n)->pkts = hdev->sco_pkts;
914 } else {
915 (ci + n)->mtu = hdev->acl_mtu;
916 (ci + n)->cnt = hdev->acl_cnt;
917 (ci + n)->pkts = hdev->acl_pkts;
918 }
832 if (++n >= req.conn_num) 919 if (++n >= req.conn_num)
833 break; 920 break;
834 } 921 }
@@ -865,6 +952,15 @@ int hci_get_conn_info(struct hci_dev *hdev, void __user *arg)
865 ci.out = conn->out; 952 ci.out = conn->out;
866 ci.state = conn->state; 953 ci.state = conn->state;
867 ci.link_mode = conn->link_mode; 954 ci.link_mode = conn->link_mode;
955 if (req.type == SCO_LINK) {
956 ci.mtu = hdev->sco_mtu;
957 ci.cnt = hdev->sco_cnt;
958 ci.pkts = hdev->sco_pkts;
959 } else {
960 ci.mtu = hdev->acl_mtu;
961 ci.cnt = hdev->acl_cnt;
962 ci.pkts = hdev->acl_pkts;
963 }
868 } 964 }
869 hci_dev_unlock_bh(hdev); 965 hci_dev_unlock_bh(hdev);
870 966
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 815269b07f2..ac3a60a75b8 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -42,6 +42,7 @@
42#include <linux/notifier.h> 42#include <linux/notifier.h>
43#include <linux/rfkill.h> 43#include <linux/rfkill.h>
44#include <linux/timer.h> 44#include <linux/timer.h>
45#include <linux/crypto.h>
45#include <net/sock.h> 46#include <net/sock.h>
46 47
47#include <asm/system.h> 48#include <asm/system.h>
@@ -145,7 +146,7 @@ static int __hci_request(struct hci_dev *hdev, void (*req)(struct hci_dev *hdev,
145 146
146 switch (hdev->req_status) { 147 switch (hdev->req_status) {
147 case HCI_REQ_DONE: 148 case HCI_REQ_DONE:
148 err = -bt_err(hdev->req_result); 149 err = -bt_to_errno(hdev->req_result);
149 break; 150 break;
150 151
151 case HCI_REQ_CANCELED: 152 case HCI_REQ_CANCELED:
@@ -539,7 +540,7 @@ int hci_dev_open(__u16 dev)
539 ret = __hci_request(hdev, hci_init_req, 0, 540 ret = __hci_request(hdev, hci_init_req, 0,
540 msecs_to_jiffies(HCI_INIT_TIMEOUT)); 541 msecs_to_jiffies(HCI_INIT_TIMEOUT));
541 542
542 if (lmp_le_capable(hdev)) 543 if (lmp_host_le_capable(hdev))
543 ret = __hci_request(hdev, hci_le_init_req, 0, 544 ret = __hci_request(hdev, hci_le_init_req, 0,
544 msecs_to_jiffies(HCI_INIT_TIMEOUT)); 545 msecs_to_jiffies(HCI_INIT_TIMEOUT));
545 546
@@ -1056,6 +1057,42 @@ static int hci_persistent_key(struct hci_dev *hdev, struct hci_conn *conn,
1056 return 0; 1057 return 0;
1057} 1058}
1058 1059
1060struct link_key *hci_find_ltk(struct hci_dev *hdev, __le16 ediv, u8 rand[8])
1061{
1062 struct link_key *k;
1063
1064 list_for_each_entry(k, &hdev->link_keys, list) {
1065 struct key_master_id *id;
1066
1067 if (k->type != HCI_LK_SMP_LTK)
1068 continue;
1069
1070 if (k->dlen != sizeof(*id))
1071 continue;
1072
1073 id = (void *) &k->data;
1074 if (id->ediv == ediv &&
1075 (memcmp(rand, id->rand, sizeof(id->rand)) == 0))
1076 return k;
1077 }
1078
1079 return NULL;
1080}
1081EXPORT_SYMBOL(hci_find_ltk);
1082
1083struct link_key *hci_find_link_key_type(struct hci_dev *hdev,
1084 bdaddr_t *bdaddr, u8 type)
1085{
1086 struct link_key *k;
1087
1088 list_for_each_entry(k, &hdev->link_keys, list)
1089 if (k->type == type && bacmp(bdaddr, &k->bdaddr) == 0)
1090 return k;
1091
1092 return NULL;
1093}
1094EXPORT_SYMBOL(hci_find_link_key_type);
1095
1059int hci_add_link_key(struct hci_dev *hdev, struct hci_conn *conn, int new_key, 1096int hci_add_link_key(struct hci_dev *hdev, struct hci_conn *conn, int new_key,
1060 bdaddr_t *bdaddr, u8 *val, u8 type, u8 pin_len) 1097 bdaddr_t *bdaddr, u8 *val, u8 type, u8 pin_len)
1061{ 1098{
@@ -1111,6 +1148,44 @@ int hci_add_link_key(struct hci_dev *hdev, struct hci_conn *conn, int new_key,
1111 return 0; 1148 return 0;
1112} 1149}
1113 1150
1151int hci_add_ltk(struct hci_dev *hdev, int new_key, bdaddr_t *bdaddr,
1152 u8 key_size, __le16 ediv, u8 rand[8], u8 ltk[16])
1153{
1154 struct link_key *key, *old_key;
1155 struct key_master_id *id;
1156 u8 old_key_type;
1157
1158 BT_DBG("%s addr %s", hdev->name, batostr(bdaddr));
1159
1160 old_key = hci_find_link_key_type(hdev, bdaddr, HCI_LK_SMP_LTK);
1161 if (old_key) {
1162 key = old_key;
1163 old_key_type = old_key->type;
1164 } else {
1165 key = kzalloc(sizeof(*key) + sizeof(*id), GFP_ATOMIC);
1166 if (!key)
1167 return -ENOMEM;
1168 list_add(&key->list, &hdev->link_keys);
1169 old_key_type = 0xff;
1170 }
1171
1172 key->dlen = sizeof(*id);
1173
1174 bacpy(&key->bdaddr, bdaddr);
1175 memcpy(key->val, ltk, sizeof(key->val));
1176 key->type = HCI_LK_SMP_LTK;
1177 key->pin_len = key_size;
1178
1179 id = (void *) &key->data;
1180 id->ediv = ediv;
1181 memcpy(id->rand, rand, sizeof(id->rand));
1182
1183 if (new_key)
1184 mgmt_new_key(hdev->id, key, old_key_type);
1185
1186 return 0;
1187}
1188
1114int hci_remove_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr) 1189int hci_remove_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr)
1115{ 1190{
1116 struct link_key *key; 1191 struct link_key *key;
@@ -1134,7 +1209,6 @@ static void hci_cmd_timer(unsigned long arg)
1134 1209
1135 BT_ERR("%s command tx timeout", hdev->name); 1210 BT_ERR("%s command tx timeout", hdev->name);
1136 atomic_set(&hdev->cmd_cnt, 1); 1211 atomic_set(&hdev->cmd_cnt, 1);
1137 clear_bit(HCI_RESET, &hdev->flags);
1138 tasklet_schedule(&hdev->cmd_task); 1212 tasklet_schedule(&hdev->cmd_task);
1139} 1213}
1140 1214
@@ -1202,6 +1276,169 @@ int hci_add_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 *hash,
1202 return 0; 1276 return 0;
1203} 1277}
1204 1278
1279struct bdaddr_list *hci_blacklist_lookup(struct hci_dev *hdev,
1280 bdaddr_t *bdaddr)
1281{
1282 struct list_head *p;
1283
1284 list_for_each(p, &hdev->blacklist) {
1285 struct bdaddr_list *b;
1286
1287 b = list_entry(p, struct bdaddr_list, list);
1288
1289 if (bacmp(bdaddr, &b->bdaddr) == 0)
1290 return b;
1291 }
1292
1293 return NULL;
1294}
1295
1296int hci_blacklist_clear(struct hci_dev *hdev)
1297{
1298 struct list_head *p, *n;
1299
1300 list_for_each_safe(p, n, &hdev->blacklist) {
1301 struct bdaddr_list *b;
1302
1303 b = list_entry(p, struct bdaddr_list, list);
1304
1305 list_del(p);
1306 kfree(b);
1307 }
1308
1309 return 0;
1310}
1311
1312int hci_blacklist_add(struct hci_dev *hdev, bdaddr_t *bdaddr)
1313{
1314 struct bdaddr_list *entry;
1315 int err;
1316
1317 if (bacmp(bdaddr, BDADDR_ANY) == 0)
1318 return -EBADF;
1319
1320 hci_dev_lock_bh(hdev);
1321
1322 if (hci_blacklist_lookup(hdev, bdaddr)) {
1323 err = -EEXIST;
1324 goto err;
1325 }
1326
1327 entry = kzalloc(sizeof(struct bdaddr_list), GFP_KERNEL);
1328 if (!entry) {
1329 err = -ENOMEM;
1330 goto err;
1331 }
1332
1333 bacpy(&entry->bdaddr, bdaddr);
1334
1335 list_add(&entry->list, &hdev->blacklist);
1336
1337 err = 0;
1338
1339err:
1340 hci_dev_unlock_bh(hdev);
1341 return err;
1342}
1343
1344int hci_blacklist_del(struct hci_dev *hdev, bdaddr_t *bdaddr)
1345{
1346 struct bdaddr_list *entry;
1347 int err = 0;
1348
1349 hci_dev_lock_bh(hdev);
1350
1351 if (bacmp(bdaddr, BDADDR_ANY) == 0) {
1352 hci_blacklist_clear(hdev);
1353 goto done;
1354 }
1355
1356 entry = hci_blacklist_lookup(hdev, bdaddr);
1357 if (!entry) {
1358 err = -ENOENT;
1359 goto done;
1360 }
1361
1362 list_del(&entry->list);
1363 kfree(entry);
1364
1365done:
1366 hci_dev_unlock_bh(hdev);
1367 return err;
1368}
1369
1370static void hci_clear_adv_cache(unsigned long arg)
1371{
1372 struct hci_dev *hdev = (void *) arg;
1373
1374 hci_dev_lock(hdev);
1375
1376 hci_adv_entries_clear(hdev);
1377
1378 hci_dev_unlock(hdev);
1379}
1380
1381int hci_adv_entries_clear(struct hci_dev *hdev)
1382{
1383 struct adv_entry *entry, *tmp;
1384
1385 list_for_each_entry_safe(entry, tmp, &hdev->adv_entries, list) {
1386 list_del(&entry->list);
1387 kfree(entry);
1388 }
1389
1390 BT_DBG("%s adv cache cleared", hdev->name);
1391
1392 return 0;
1393}
1394
1395struct adv_entry *hci_find_adv_entry(struct hci_dev *hdev, bdaddr_t *bdaddr)
1396{
1397 struct adv_entry *entry;
1398
1399 list_for_each_entry(entry, &hdev->adv_entries, list)
1400 if (bacmp(bdaddr, &entry->bdaddr) == 0)
1401 return entry;
1402
1403 return NULL;
1404}
1405
1406static inline int is_connectable_adv(u8 evt_type)
1407{
1408 if (evt_type == ADV_IND || evt_type == ADV_DIRECT_IND)
1409 return 1;
1410
1411 return 0;
1412}
1413
1414int hci_add_adv_entry(struct hci_dev *hdev,
1415 struct hci_ev_le_advertising_info *ev)
1416{
1417 struct adv_entry *entry;
1418
1419 if (!is_connectable_adv(ev->evt_type))
1420 return -EINVAL;
1421
1422 /* Only new entries should be added to adv_entries. So, if
1423 * bdaddr was found, don't add it. */
1424 if (hci_find_adv_entry(hdev, &ev->bdaddr))
1425 return 0;
1426
1427 entry = kzalloc(sizeof(*entry), GFP_ATOMIC);
1428 if (!entry)
1429 return -ENOMEM;
1430
1431 bacpy(&entry->bdaddr, &ev->bdaddr);
1432 entry->bdaddr_type = ev->bdaddr_type;
1433
1434 list_add(&entry->list, &hdev->adv_entries);
1435
1436 BT_DBG("%s adv entry added: address %s type %u", hdev->name,
1437 batostr(&entry->bdaddr), entry->bdaddr_type);
1438
1439 return 0;
1440}
1441
1205/* Register HCI device */ 1442/* Register HCI device */
1206int hci_register_dev(struct hci_dev *hdev) 1443int hci_register_dev(struct hci_dev *hdev)
1207{ 1444{
@@ -1268,6 +1505,10 @@ int hci_register_dev(struct hci_dev *hdev)
1268 1505
1269 INIT_LIST_HEAD(&hdev->remote_oob_data); 1506 INIT_LIST_HEAD(&hdev->remote_oob_data);
1270 1507
1508 INIT_LIST_HEAD(&hdev->adv_entries);
1509 setup_timer(&hdev->adv_timer, hci_clear_adv_cache,
1510 (unsigned long) hdev);
1511
1271 INIT_WORK(&hdev->power_on, hci_power_on); 1512 INIT_WORK(&hdev->power_on, hci_power_on);
1272 INIT_WORK(&hdev->power_off, hci_power_off); 1513 INIT_WORK(&hdev->power_off, hci_power_off);
1273 setup_timer(&hdev->off_timer, hci_auto_off, (unsigned long) hdev); 1514 setup_timer(&hdev->off_timer, hci_auto_off, (unsigned long) hdev);
@@ -1282,6 +1523,11 @@ int hci_register_dev(struct hci_dev *hdev)
1282 if (!hdev->workqueue) 1523 if (!hdev->workqueue)
1283 goto nomem; 1524 goto nomem;
1284 1525
1526 hdev->tfm = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
1527 if (IS_ERR(hdev->tfm))
1528 BT_INFO("Failed to load transform for ecb(aes): %ld",
1529 PTR_ERR(hdev->tfm));
1530
1285 hci_register_sysfs(hdev); 1531 hci_register_sysfs(hdev);
1286 1532
1287 hdev->rfkill = rfkill_alloc(hdev->name, &hdev->dev, 1533 hdev->rfkill = rfkill_alloc(hdev->name, &hdev->dev,
@@ -1330,6 +1576,9 @@ int hci_unregister_dev(struct hci_dev *hdev)
1330 !test_bit(HCI_SETUP, &hdev->flags)) 1576 !test_bit(HCI_SETUP, &hdev->flags))
1331 mgmt_index_removed(hdev->id); 1577 mgmt_index_removed(hdev->id);
1332 1578
1579 if (!IS_ERR(hdev->tfm))
1580 crypto_free_blkcipher(hdev->tfm);
1581
1333 hci_notify(hdev, HCI_DEV_UNREG); 1582 hci_notify(hdev, HCI_DEV_UNREG);
1334 1583
1335 if (hdev->rfkill) { 1584 if (hdev->rfkill) {
@@ -1340,6 +1589,7 @@ int hci_unregister_dev(struct hci_dev *hdev)
1340 hci_unregister_sysfs(hdev); 1589 hci_unregister_sysfs(hdev);
1341 1590
1342 hci_del_off_timer(hdev); 1591 hci_del_off_timer(hdev);
1592 del_timer(&hdev->adv_timer);
1343 1593
1344 destroy_workqueue(hdev->workqueue); 1594 destroy_workqueue(hdev->workqueue);
1345 1595
@@ -1348,6 +1598,7 @@ int hci_unregister_dev(struct hci_dev *hdev)
1348 hci_uuids_clear(hdev); 1598 hci_uuids_clear(hdev);
1349 hci_link_keys_clear(hdev); 1599 hci_link_keys_clear(hdev);
1350 hci_remote_oob_data_clear(hdev); 1600 hci_remote_oob_data_clear(hdev);
1601 hci_adv_entries_clear(hdev);
1351 hci_dev_unlock_bh(hdev); 1602 hci_dev_unlock_bh(hdev);
1352 1603
1353 __hci_dev_put(hdev); 1604 __hci_dev_put(hdev);
@@ -1519,7 +1770,7 @@ int hci_recv_fragment(struct hci_dev *hdev, int type, void *data, int count)
1519 1770
1520 data += (count - rem); 1771 data += (count - rem);
1521 count = rem; 1772 count = rem;
1522 }; 1773 }
1523 1774
1524 return rem; 1775 return rem;
1525} 1776}
@@ -1554,7 +1805,7 @@ int hci_recv_stream_fragment(struct hci_dev *hdev, void *data, int count)
1554 1805
1555 data += (count - rem); 1806 data += (count - rem);
1556 count = rem; 1807 count = rem;
1557 }; 1808 }
1558 1809
1559 return rem; 1810 return rem;
1560} 1811}
@@ -1653,6 +1904,9 @@ static int hci_send_frame(struct sk_buff *skb)
1653 /* Get rid of skb owner, prior to sending to the driver. */ 1904 /* Get rid of skb owner, prior to sending to the driver. */
1654 skb_orphan(skb); 1905 skb_orphan(skb);
1655 1906
1907 /* Notify the registered devices about a new send */
1908 hci_notify(hdev, HCI_DEV_WRITE);
1909
1656 return hdev->send(skb); 1910 return hdev->send(skb);
1657} 1911}
1658 1912
@@ -1891,7 +2145,7 @@ static inline void hci_sched_acl(struct hci_dev *hdev)
1891 while (quote-- && (skb = skb_dequeue(&conn->data_q))) { 2145 while (quote-- && (skb = skb_dequeue(&conn->data_q))) {
1892 BT_DBG("skb %p len %d", skb, skb->len); 2146 BT_DBG("skb %p len %d", skb, skb->len);
1893 2147
1894 hci_conn_enter_active_mode(conn); 2148 hci_conn_enter_active_mode(conn, bt_cb(skb)->force_active);
1895 2149
1896 hci_send_frame(skb); 2150 hci_send_frame(skb);
1897 hdev->acl_last_tx = jiffies; 2151 hdev->acl_last_tx = jiffies;
@@ -2030,7 +2284,7 @@ static inline void hci_acldata_packet(struct hci_dev *hdev, struct sk_buff *skb)
2030 if (conn) { 2284 if (conn) {
2031 register struct hci_proto *hp; 2285 register struct hci_proto *hp;
2032 2286
2033 hci_conn_enter_active_mode(conn); 2287 hci_conn_enter_active_mode(conn, bt_cb(skb)->force_active);
2034 2288
2035 /* Send to upper protocol */ 2289 /* Send to upper protocol */
2036 hp = hci_proto[HCI_PROTO_L2CAP]; 2290 hp = hci_proto[HCI_PROTO_L2CAP];
@@ -2156,7 +2410,10 @@ static void hci_cmd_task(unsigned long arg)
2156 if (hdev->sent_cmd) { 2410 if (hdev->sent_cmd) {
2157 atomic_dec(&hdev->cmd_cnt); 2411 atomic_dec(&hdev->cmd_cnt);
2158 hci_send_frame(skb); 2412 hci_send_frame(skb);
2159 mod_timer(&hdev->cmd_timer, 2413 if (test_bit(HCI_RESET, &hdev->flags))
2414 del_timer(&hdev->cmd_timer);
2415 else
2416 mod_timer(&hdev->cmd_timer,
2160 jiffies + msecs_to_jiffies(HCI_CMD_TIMEOUT)); 2417 jiffies + msecs_to_jiffies(HCI_CMD_TIMEOUT));
2161 } else { 2418 } else {
2162 skb_queue_head(&hdev->cmd_q, skb); 2419 skb_queue_head(&hdev->cmd_q, skb);
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 77930aa522e..5a7074a7b5b 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -45,6 +45,8 @@
45#include <net/bluetooth/bluetooth.h> 45#include <net/bluetooth/bluetooth.h>
46#include <net/bluetooth/hci_core.h> 46#include <net/bluetooth/hci_core.h>
47 47
48static int enable_le;
49
48/* Handle HCI Event packets */ 50/* Handle HCI Event packets */
49 51
50static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb) 52static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb)
@@ -56,8 +58,8 @@ static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb)
56 if (status) 58 if (status)
57 return; 59 return;
58 60
59 if (test_bit(HCI_MGMT, &hdev->flags) && 61 if (test_and_clear_bit(HCI_INQUIRY, &hdev->flags) &&
60 test_and_clear_bit(HCI_INQUIRY, &hdev->flags)) 62 test_bit(HCI_MGMT, &hdev->flags))
61 mgmt_discovering(hdev->id, 0); 63 mgmt_discovering(hdev->id, 0);
62 64
63 hci_req_complete(hdev, HCI_OP_INQUIRY_CANCEL, status); 65 hci_req_complete(hdev, HCI_OP_INQUIRY_CANCEL, status);
@@ -74,8 +76,8 @@ static void hci_cc_exit_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
74 if (status) 76 if (status)
75 return; 77 return;
76 78
77 if (test_bit(HCI_MGMT, &hdev->flags) && 79 if (test_and_clear_bit(HCI_INQUIRY, &hdev->flags) &&
78 test_and_clear_bit(HCI_INQUIRY, &hdev->flags)) 80 test_bit(HCI_MGMT, &hdev->flags))
79 mgmt_discovering(hdev->id, 0); 81 mgmt_discovering(hdev->id, 0);
80 82
81 hci_conn_check_pending(hdev); 83 hci_conn_check_pending(hdev);
@@ -525,6 +527,20 @@ static void hci_setup_event_mask(struct hci_dev *hdev)
525 hci_send_cmd(hdev, HCI_OP_SET_EVENT_MASK, sizeof(events), events); 527 hci_send_cmd(hdev, HCI_OP_SET_EVENT_MASK, sizeof(events), events);
526} 528}
527 529
530static void hci_set_le_support(struct hci_dev *hdev)
531{
532 struct hci_cp_write_le_host_supported cp;
533
534 memset(&cp, 0, sizeof(cp));
535
536 if (enable_le) {
537 cp.le = 1;
538 cp.simul = !!(hdev->features[6] & LMP_SIMUL_LE_BR);
539 }
540
541 hci_send_cmd(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED, sizeof(cp), &cp);
542}
543
528static void hci_setup(struct hci_dev *hdev) 544static void hci_setup(struct hci_dev *hdev)
529{ 545{
530 hci_setup_event_mask(hdev); 546 hci_setup_event_mask(hdev);
@@ -542,6 +558,17 @@ static void hci_setup(struct hci_dev *hdev)
542 558
543 if (hdev->features[7] & LMP_INQ_TX_PWR) 559 if (hdev->features[7] & LMP_INQ_TX_PWR)
544 hci_send_cmd(hdev, HCI_OP_READ_INQ_RSP_TX_POWER, 0, NULL); 560 hci_send_cmd(hdev, HCI_OP_READ_INQ_RSP_TX_POWER, 0, NULL);
561
562 if (hdev->features[7] & LMP_EXTFEATURES) {
563 struct hci_cp_read_local_ext_features cp;
564
565 cp.page = 0x01;
566 hci_send_cmd(hdev, HCI_OP_READ_LOCAL_EXT_FEATURES,
567 sizeof(cp), &cp);
568 }
569
570 if (hdev->features[4] & LMP_LE)
571 hci_set_le_support(hdev);
545} 572}
546 573
547static void hci_cc_read_local_version(struct hci_dev *hdev, struct sk_buff *skb) 574static void hci_cc_read_local_version(struct hci_dev *hdev, struct sk_buff *skb)
@@ -658,6 +685,21 @@ static void hci_cc_read_local_features(struct hci_dev *hdev, struct sk_buff *skb
658 hdev->features[6], hdev->features[7]); 685 hdev->features[6], hdev->features[7]);
659} 686}
660 687
688static void hci_cc_read_local_ext_features(struct hci_dev *hdev,
689 struct sk_buff *skb)
690{
691 struct hci_rp_read_local_ext_features *rp = (void *) skb->data;
692
693 BT_DBG("%s status 0x%x", hdev->name, rp->status);
694
695 if (rp->status)
696 return;
697
698 memcpy(hdev->extfeatures, rp->features, 8);
699
700 hci_req_complete(hdev, HCI_OP_READ_LOCAL_EXT_FEATURES, rp->status);
701}
702
661static void hci_cc_read_buffer_size(struct hci_dev *hdev, struct sk_buff *skb) 703static void hci_cc_read_buffer_size(struct hci_dev *hdev, struct sk_buff *skb)
662{ 704{
663 struct hci_rp_read_buffer_size *rp = (void *) skb->data; 705 struct hci_rp_read_buffer_size *rp = (void *) skb->data;
@@ -841,6 +883,72 @@ static void hci_cc_read_local_oob_data_reply(struct hci_dev *hdev,
841 rp->randomizer, rp->status); 883 rp->randomizer, rp->status);
842} 884}
843 885
886static void hci_cc_le_set_scan_enable(struct hci_dev *hdev,
887 struct sk_buff *skb)
888{
889 struct hci_cp_le_set_scan_enable *cp;
890 __u8 status = *((__u8 *) skb->data);
891
892 BT_DBG("%s status 0x%x", hdev->name, status);
893
894 if (status)
895 return;
896
897 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE);
898 if (!cp)
899 return;
900
901 hci_dev_lock(hdev);
902
903 if (cp->enable == 0x01) {
904 del_timer(&hdev->adv_timer);
905 hci_adv_entries_clear(hdev);
906 } else if (cp->enable == 0x00) {
907 mod_timer(&hdev->adv_timer, jiffies + ADV_CLEAR_TIMEOUT);
908 }
909
910 hci_dev_unlock(hdev);
911}
912
913static void hci_cc_le_ltk_reply(struct hci_dev *hdev, struct sk_buff *skb)
914{
915 struct hci_rp_le_ltk_reply *rp = (void *) skb->data;
916
917 BT_DBG("%s status 0x%x", hdev->name, rp->status);
918
919 if (rp->status)
920 return;
921
922 hci_req_complete(hdev, HCI_OP_LE_LTK_REPLY, rp->status);
923}
924
925static void hci_cc_le_ltk_neg_reply(struct hci_dev *hdev, struct sk_buff *skb)
926{
927 struct hci_rp_le_ltk_neg_reply *rp = (void *) skb->data;
928
929 BT_DBG("%s status 0x%x", hdev->name, rp->status);
930
931 if (rp->status)
932 return;
933
934 hci_req_complete(hdev, HCI_OP_LE_LTK_NEG_REPLY, rp->status);
935}
936
937static inline void hci_cc_write_le_host_supported(struct hci_dev *hdev,
938 struct sk_buff *skb)
939{
940 struct hci_cp_read_local_ext_features cp;
941 __u8 status = *((__u8 *) skb->data);
942
943 BT_DBG("%s status 0x%x", hdev->name, status);
944
945 if (status)
946 return;
947
948 cp.page = 0x01;
949 hci_send_cmd(hdev, HCI_OP_READ_LOCAL_EXT_FEATURES, sizeof(cp), &cp);
950}
951
844static inline void hci_cs_inquiry(struct hci_dev *hdev, __u8 status) 952static inline void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
845{ 953{
846 BT_DBG("%s status 0x%x", hdev->name, status); 954 BT_DBG("%s status 0x%x", hdev->name, status);
@@ -851,9 +959,8 @@ static inline void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
851 return; 959 return;
852 } 960 }
853 961
854 if (test_bit(HCI_MGMT, &hdev->flags) && 962 if (!test_and_set_bit(HCI_INQUIRY, &hdev->flags) &&
855 !test_and_set_bit(HCI_INQUIRY, 963 test_bit(HCI_MGMT, &hdev->flags))
856 &hdev->flags))
857 mgmt_discovering(hdev->id, 1); 964 mgmt_discovering(hdev->id, 1);
858} 965}
859 966
@@ -885,7 +992,7 @@ static inline void hci_cs_create_conn(struct hci_dev *hdev, __u8 status)
885 } 992 }
886 } else { 993 } else {
887 if (!conn) { 994 if (!conn) {
888 conn = hci_conn_add(hdev, ACL_LINK, &cp->bdaddr); 995 conn = hci_conn_add(hdev, ACL_LINK, 0, &cp->bdaddr);
889 if (conn) { 996 if (conn) {
890 conn->out = 1; 997 conn->out = 1;
891 conn->link_mode |= HCI_LM_MASTER; 998 conn->link_mode |= HCI_LM_MASTER;
@@ -1208,25 +1315,32 @@ static void hci_cs_le_create_conn(struct hci_dev *hdev, __u8 status)
1208 } 1315 }
1209 } else { 1316 } else {
1210 if (!conn) { 1317 if (!conn) {
1211 conn = hci_conn_add(hdev, LE_LINK, &cp->peer_addr); 1318 conn = hci_conn_add(hdev, LE_LINK, 0, &cp->peer_addr);
1212 if (conn) 1319 if (conn) {
1320 conn->dst_type = cp->peer_addr_type;
1213 conn->out = 1; 1321 conn->out = 1;
1214 else 1322 } else {
1215 BT_ERR("No memory for new connection"); 1323 BT_ERR("No memory for new connection");
1324 }
1216 } 1325 }
1217 } 1326 }
1218 1327
1219 hci_dev_unlock(hdev); 1328 hci_dev_unlock(hdev);
1220} 1329}
1221 1330
1331static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status)
1332{
1333 BT_DBG("%s status 0x%x", hdev->name, status);
1334}
1335
1222static inline void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 1336static inline void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
1223{ 1337{
1224 __u8 status = *((__u8 *) skb->data); 1338 __u8 status = *((__u8 *) skb->data);
1225 1339
1226 BT_DBG("%s status %d", hdev->name, status); 1340 BT_DBG("%s status %d", hdev->name, status);
1227 1341
1228 if (test_bit(HCI_MGMT, &hdev->flags) && 1342 if (test_and_clear_bit(HCI_INQUIRY, &hdev->flags) &&
1229 test_and_clear_bit(HCI_INQUIRY, &hdev->flags)) 1343 test_bit(HCI_MGMT, &hdev->flags))
1230 mgmt_discovering(hdev->id, 0); 1344 mgmt_discovering(hdev->id, 0);
1231 1345
1232 hci_req_complete(hdev, HCI_OP_INQUIRY, status); 1346 hci_req_complete(hdev, HCI_OP_INQUIRY, status);
@@ -1348,6 +1462,15 @@ unlock:
1348 hci_conn_check_pending(hdev); 1462 hci_conn_check_pending(hdev);
1349} 1463}
1350 1464
1465static inline bool is_sco_active(struct hci_dev *hdev)
1466{
1467 if (hci_conn_hash_lookup_state(hdev, SCO_LINK, BT_CONNECTED) ||
1468 (hci_conn_hash_lookup_state(hdev, ESCO_LINK,
1469 BT_CONNECTED)))
1470 return true;
1471 return false;
1472}
1473
1351static inline void hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *skb) 1474static inline void hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
1352{ 1475{
1353 struct hci_ev_conn_request *ev = (void *) skb->data; 1476 struct hci_ev_conn_request *ev = (void *) skb->data;
@@ -1372,7 +1495,8 @@ static inline void hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *sk
1372 1495
1373 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr); 1496 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
1374 if (!conn) { 1497 if (!conn) {
1375 conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr); 1498 /* pkt_type not yet used for incoming connections */
1499 conn = hci_conn_add(hdev, ev->link_type, 0, &ev->bdaddr);
1376 if (!conn) { 1500 if (!conn) {
1377 BT_ERR("No memory for new connection"); 1501 BT_ERR("No memory for new connection");
1378 hci_dev_unlock(hdev); 1502 hci_dev_unlock(hdev);
@@ -1390,7 +1514,8 @@ static inline void hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *sk
1390 1514
1391 bacpy(&cp.bdaddr, &ev->bdaddr); 1515 bacpy(&cp.bdaddr, &ev->bdaddr);
1392 1516
1393 if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER)) 1517 if (lmp_rswitch_capable(hdev) && ((mask & HCI_LM_MASTER)
1518 || is_sco_active(hdev)))
1394 cp.role = 0x00; /* Become master */ 1519 cp.role = 0x00; /* Become master */
1395 else 1520 else
1396 cp.role = 0x01; /* Remain slave */ 1521 cp.role = 0x01; /* Remain slave */
@@ -1462,51 +1587,58 @@ static inline void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *s
1462 hci_dev_lock(hdev); 1587 hci_dev_lock(hdev);
1463 1588
1464 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 1589 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
1465 if (conn) { 1590 if (!conn)
1466 if (!ev->status) { 1591 goto unlock;
1592
1593 if (!ev->status) {
1594 if (!(conn->ssp_mode > 0 && hdev->ssp_mode > 0) &&
1595 test_bit(HCI_CONN_REAUTH_PEND, &conn->pend)) {
1596 BT_INFO("re-auth of legacy device is not possible.");
1597 } else {
1467 conn->link_mode |= HCI_LM_AUTH; 1598 conn->link_mode |= HCI_LM_AUTH;
1468 conn->sec_level = conn->pending_sec_level; 1599 conn->sec_level = conn->pending_sec_level;
1469 } else {
1470 mgmt_auth_failed(hdev->id, &conn->dst, ev->status);
1471 } 1600 }
1601 } else {
1602 mgmt_auth_failed(hdev->id, &conn->dst, ev->status);
1603 }
1472 1604
1473 clear_bit(HCI_CONN_AUTH_PEND, &conn->pend); 1605 clear_bit(HCI_CONN_AUTH_PEND, &conn->pend);
1606 clear_bit(HCI_CONN_REAUTH_PEND, &conn->pend);
1474 1607
1475 if (conn->state == BT_CONFIG) { 1608 if (conn->state == BT_CONFIG) {
1476 if (!ev->status && hdev->ssp_mode > 0 && 1609 if (!ev->status && hdev->ssp_mode > 0 && conn->ssp_mode > 0) {
1477 conn->ssp_mode > 0) { 1610 struct hci_cp_set_conn_encrypt cp;
1478 struct hci_cp_set_conn_encrypt cp; 1611 cp.handle = ev->handle;
1479 cp.handle = ev->handle; 1612 cp.encrypt = 0x01;
1480 cp.encrypt = 0x01; 1613 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
1481 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, 1614 &cp);
1482 sizeof(cp), &cp);
1483 } else {
1484 conn->state = BT_CONNECTED;
1485 hci_proto_connect_cfm(conn, ev->status);
1486 hci_conn_put(conn);
1487 }
1488 } else { 1615 } else {
1489 hci_auth_cfm(conn, ev->status); 1616 conn->state = BT_CONNECTED;
1490 1617 hci_proto_connect_cfm(conn, ev->status);
1491 hci_conn_hold(conn);
1492 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
1493 hci_conn_put(conn); 1618 hci_conn_put(conn);
1494 } 1619 }
1620 } else {
1621 hci_auth_cfm(conn, ev->status);
1495 1622
1496 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->pend)) { 1623 hci_conn_hold(conn);
1497 if (!ev->status) { 1624 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
1498 struct hci_cp_set_conn_encrypt cp; 1625 hci_conn_put(conn);
1499 cp.handle = ev->handle; 1626 }
1500 cp.encrypt = 0x01; 1627
1501 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, 1628 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->pend)) {
1502 sizeof(cp), &cp); 1629 if (!ev->status) {
1503 } else { 1630 struct hci_cp_set_conn_encrypt cp;
1504 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->pend); 1631 cp.handle = ev->handle;
1505 hci_encrypt_cfm(conn, ev->status, 0x00); 1632 cp.encrypt = 0x01;
1506 } 1633 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
1634 &cp);
1635 } else {
1636 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->pend);
1637 hci_encrypt_cfm(conn, ev->status, 0x00);
1507 } 1638 }
1508 } 1639 }
1509 1640
1641unlock:
1510 hci_dev_unlock(hdev); 1642 hci_dev_unlock(hdev);
1511} 1643}
1512 1644
@@ -1557,6 +1689,7 @@ static inline void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *
1557 /* Encryption implies authentication */ 1689 /* Encryption implies authentication */
1558 conn->link_mode |= HCI_LM_AUTH; 1690 conn->link_mode |= HCI_LM_AUTH;
1559 conn->link_mode |= HCI_LM_ENCRYPT; 1691 conn->link_mode |= HCI_LM_ENCRYPT;
1692 conn->sec_level = conn->pending_sec_level;
1560 } else 1693 } else
1561 conn->link_mode &= ~HCI_LM_ENCRYPT; 1694 conn->link_mode &= ~HCI_LM_ENCRYPT;
1562 } 1695 }
@@ -1760,6 +1893,10 @@ static inline void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *sk
1760 hci_cc_read_local_features(hdev, skb); 1893 hci_cc_read_local_features(hdev, skb);
1761 break; 1894 break;
1762 1895
1896 case HCI_OP_READ_LOCAL_EXT_FEATURES:
1897 hci_cc_read_local_ext_features(hdev, skb);
1898 break;
1899
1763 case HCI_OP_READ_BUFFER_SIZE: 1900 case HCI_OP_READ_BUFFER_SIZE:
1764 hci_cc_read_buffer_size(hdev, skb); 1901 hci_cc_read_buffer_size(hdev, skb);
1765 break; 1902 break;
@@ -1816,6 +1953,22 @@ static inline void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *sk
1816 hci_cc_user_confirm_neg_reply(hdev, skb); 1953 hci_cc_user_confirm_neg_reply(hdev, skb);
1817 break; 1954 break;
1818 1955
1956 case HCI_OP_LE_SET_SCAN_ENABLE:
1957 hci_cc_le_set_scan_enable(hdev, skb);
1958 break;
1959
1960 case HCI_OP_LE_LTK_REPLY:
1961 hci_cc_le_ltk_reply(hdev, skb);
1962 break;
1963
1964 case HCI_OP_LE_LTK_NEG_REPLY:
1965 hci_cc_le_ltk_neg_reply(hdev, skb);
1966 break;
1967
1968 case HCI_OP_WRITE_LE_HOST_SUPPORTED:
1969 hci_cc_write_le_host_supported(hdev, skb);
1970 break;
1971
1819 default: 1972 default:
1820 BT_DBG("%s opcode 0x%x", hdev->name, opcode); 1973 BT_DBG("%s opcode 0x%x", hdev->name, opcode);
1821 break; 1974 break;
@@ -1894,6 +2047,10 @@ static inline void hci_cmd_status_evt(struct hci_dev *hdev, struct sk_buff *skb)
1894 hci_cs_le_create_conn(hdev, ev->status); 2047 hci_cs_le_create_conn(hdev, ev->status);
1895 break; 2048 break;
1896 2049
2050 case HCI_OP_LE_START_ENC:
2051 hci_cs_le_start_enc(hdev, ev->status);
2052 break;
2053
1897 default: 2054 default:
1898 BT_DBG("%s opcode 0x%x", hdev->name, opcode); 2055 BT_DBG("%s opcode 0x%x", hdev->name, opcode);
1899 break; 2056 break;
@@ -2333,6 +2490,7 @@ static inline void hci_sync_conn_complete_evt(struct hci_dev *hdev, struct sk_bu
2333 hci_conn_add_sysfs(conn); 2490 hci_conn_add_sysfs(conn);
2334 break; 2491 break;
2335 2492
2493 case 0x10: /* Connection Accept Timeout */
2336 case 0x11: /* Unsupported Feature or Parameter Value */ 2494 case 0x11: /* Unsupported Feature or Parameter Value */
2337 case 0x1c: /* SCO interval rejected */ 2495 case 0x1c: /* SCO interval rejected */
2338 case 0x1a: /* Unsupported Remote Feature */ 2496 case 0x1a: /* Unsupported Remote Feature */
@@ -2652,12 +2810,14 @@ static inline void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff
2652 2810
2653 conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, &ev->bdaddr); 2811 conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, &ev->bdaddr);
2654 if (!conn) { 2812 if (!conn) {
2655 conn = hci_conn_add(hdev, LE_LINK, &ev->bdaddr); 2813 conn = hci_conn_add(hdev, LE_LINK, 0, &ev->bdaddr);
2656 if (!conn) { 2814 if (!conn) {
2657 BT_ERR("No memory for new connection"); 2815 BT_ERR("No memory for new connection");
2658 hci_dev_unlock(hdev); 2816 hci_dev_unlock(hdev);
2659 return; 2817 return;
2660 } 2818 }
2819
2820 conn->dst_type = ev->bdaddr_type;
2661 } 2821 }
2662 2822
2663 if (ev->status) { 2823 if (ev->status) {
@@ -2670,6 +2830,7 @@ static inline void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff
2670 2830
2671 mgmt_connected(hdev->id, &ev->bdaddr); 2831 mgmt_connected(hdev->id, &ev->bdaddr);
2672 2832
2833 conn->sec_level = BT_SECURITY_LOW;
2673 conn->handle = __le16_to_cpu(ev->handle); 2834 conn->handle = __le16_to_cpu(ev->handle);
2674 conn->state = BT_CONNECTED; 2835 conn->state = BT_CONNECTED;
2675 2836
@@ -2682,6 +2843,64 @@ unlock:
2682 hci_dev_unlock(hdev); 2843 hci_dev_unlock(hdev);
2683} 2844}
2684 2845
2846static inline void hci_le_adv_report_evt(struct hci_dev *hdev,
2847 struct sk_buff *skb)
2848{
2849 struct hci_ev_le_advertising_info *ev;
2850 u8 num_reports;
2851
2852 num_reports = skb->data[0];
2853 ev = (void *) &skb->data[1];
2854
2855 hci_dev_lock(hdev);
2856
2857 hci_add_adv_entry(hdev, ev);
2858
2859 while (--num_reports) {
2860 ev = (void *) (ev->data + ev->length + 1);
2861 hci_add_adv_entry(hdev, ev);
2862 }
2863
2864 hci_dev_unlock(hdev);
2865}
2866
2867static inline void hci_le_ltk_request_evt(struct hci_dev *hdev,
2868 struct sk_buff *skb)
2869{
2870 struct hci_ev_le_ltk_req *ev = (void *) skb->data;
2871 struct hci_cp_le_ltk_reply cp;
2872 struct hci_cp_le_ltk_neg_reply neg;
2873 struct hci_conn *conn;
2874 struct link_key *ltk;
2875
2876 BT_DBG("%s handle %d", hdev->name, cpu_to_le16(ev->handle));
2877
2878 hci_dev_lock(hdev);
2879
2880 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2881 if (conn == NULL)
2882 goto not_found;
2883
2884 ltk = hci_find_ltk(hdev, ev->ediv, ev->random);
2885 if (ltk == NULL)
2886 goto not_found;
2887
2888 memcpy(cp.ltk, ltk->val, sizeof(ltk->val));
2889 cp.handle = cpu_to_le16(conn->handle);
2890 conn->pin_length = ltk->pin_len;
2891
2892 hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
2893
2894 hci_dev_unlock(hdev);
2895
2896 return;
2897
2898not_found:
2899 neg.handle = ev->handle;
2900 hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg);
2901 hci_dev_unlock(hdev);
2902}
2903
2685static inline void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb) 2904static inline void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb)
2686{ 2905{
2687 struct hci_ev_le_meta *le_ev = (void *) skb->data; 2906 struct hci_ev_le_meta *le_ev = (void *) skb->data;
@@ -2693,6 +2912,14 @@ static inline void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb)
2693 hci_le_conn_complete_evt(hdev, skb); 2912 hci_le_conn_complete_evt(hdev, skb);
2694 break; 2913 break;
2695 2914
2915 case HCI_EV_LE_ADVERTISING_REPORT:
2916 hci_le_adv_report_evt(hdev, skb);
2917 break;
2918
2919 case HCI_EV_LE_LTK_REQ:
2920 hci_le_ltk_request_evt(hdev, skb);
2921 break;
2922
2696 default: 2923 default:
2697 break; 2924 break;
2698 } 2925 }
@@ -2886,3 +3113,6 @@ void hci_si_event(struct hci_dev *hdev, int type, int dlen, void *data)
2886 hci_send_to_sock(hdev, skb, NULL); 3113 hci_send_to_sock(hdev, skb, NULL);
2887 kfree_skb(skb); 3114 kfree_skb(skb);
2888} 3115}
3116
3117module_param(enable_le, bool, 0444);
3118MODULE_PARM_DESC(enable_le, "Enable LE support");
diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
index 295e4a88fff..ff02cf5e77c 100644
--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -180,82 +180,24 @@ static int hci_sock_release(struct socket *sock)
180 return 0; 180 return 0;
181} 181}
182 182
183struct bdaddr_list *hci_blacklist_lookup(struct hci_dev *hdev, bdaddr_t *bdaddr) 183static int hci_sock_blacklist_add(struct hci_dev *hdev, void __user *arg)
184{
185 struct list_head *p;
186
187 list_for_each(p, &hdev->blacklist) {
188 struct bdaddr_list *b;
189
190 b = list_entry(p, struct bdaddr_list, list);
191
192 if (bacmp(bdaddr, &b->bdaddr) == 0)
193 return b;
194 }
195
196 return NULL;
197}
198
199static int hci_blacklist_add(struct hci_dev *hdev, void __user *arg)
200{ 184{
201 bdaddr_t bdaddr; 185 bdaddr_t bdaddr;
202 struct bdaddr_list *entry;
203 186
204 if (copy_from_user(&bdaddr, arg, sizeof(bdaddr))) 187 if (copy_from_user(&bdaddr, arg, sizeof(bdaddr)))
205 return -EFAULT; 188 return -EFAULT;
206 189
207 if (bacmp(&bdaddr, BDADDR_ANY) == 0) 190 return hci_blacklist_add(hdev, &bdaddr);
208 return -EBADF;
209
210 if (hci_blacklist_lookup(hdev, &bdaddr))
211 return -EEXIST;
212
213 entry = kzalloc(sizeof(struct bdaddr_list), GFP_KERNEL);
214 if (!entry)
215 return -ENOMEM;
216
217 bacpy(&entry->bdaddr, &bdaddr);
218
219 list_add(&entry->list, &hdev->blacklist);
220
221 return 0;
222}
223
224int hci_blacklist_clear(struct hci_dev *hdev)
225{
226 struct list_head *p, *n;
227
228 list_for_each_safe(p, n, &hdev->blacklist) {
229 struct bdaddr_list *b;
230
231 b = list_entry(p, struct bdaddr_list, list);
232
233 list_del(p);
234 kfree(b);
235 }
236
237 return 0;
238} 191}
239 192
240static int hci_blacklist_del(struct hci_dev *hdev, void __user *arg) 193static int hci_sock_blacklist_del(struct hci_dev *hdev, void __user *arg)
241{ 194{
242 bdaddr_t bdaddr; 195 bdaddr_t bdaddr;
243 struct bdaddr_list *entry;
244 196
245 if (copy_from_user(&bdaddr, arg, sizeof(bdaddr))) 197 if (copy_from_user(&bdaddr, arg, sizeof(bdaddr)))
246 return -EFAULT; 198 return -EFAULT;
247 199
248 if (bacmp(&bdaddr, BDADDR_ANY) == 0) 200 return hci_blacklist_del(hdev, &bdaddr);
249 return hci_blacklist_clear(hdev);
250
251 entry = hci_blacklist_lookup(hdev, &bdaddr);
252 if (!entry)
253 return -ENOENT;
254
255 list_del(&entry->list);
256 kfree(entry);
257
258 return 0;
259} 201}
260 202
261/* Ioctls that require bound socket */ 203/* Ioctls that require bound socket */
@@ -290,12 +232,12 @@ static inline int hci_sock_bound_ioctl(struct sock *sk, unsigned int cmd, unsign
290 case HCIBLOCKADDR: 232 case HCIBLOCKADDR:
291 if (!capable(CAP_NET_ADMIN)) 233 if (!capable(CAP_NET_ADMIN))
292 return -EACCES; 234 return -EACCES;
293 return hci_blacklist_add(hdev, (void __user *) arg); 235 return hci_sock_blacklist_add(hdev, (void __user *) arg);
294 236
295 case HCIUNBLOCKADDR: 237 case HCIUNBLOCKADDR:
296 if (!capable(CAP_NET_ADMIN)) 238 if (!capable(CAP_NET_ADMIN))
297 return -EACCES; 239 return -EACCES;
298 return hci_blacklist_del(hdev, (void __user *) arg); 240 return hci_sock_blacklist_del(hdev, (void __user *) arg);
299 241
300 default: 242 default:
301 if (hdev->ioctl) 243 if (hdev->ioctl)
diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
index 43b4c2deb7c..fb68f344c34 100644
--- a/net/bluetooth/hidp/core.c
+++ b/net/bluetooth/hidp/core.c
@@ -764,6 +764,7 @@ static int hidp_session(void *arg)
764 764
765 up_write(&hidp_session_sem); 765 up_write(&hidp_session_sem);
766 766
767 kfree(session->rd_data);
767 kfree(session); 768 kfree(session);
768 return 0; 769 return 0;
769} 770}
@@ -841,7 +842,8 @@ static int hidp_setup_input(struct hidp_session *session,
841 842
842 err = input_register_device(input); 843 err = input_register_device(input);
843 if (err < 0) { 844 if (err < 0) {
844 hci_conn_put_device(session->conn); 845 input_free_device(input);
846 session->input = NULL;
845 return err; 847 return err;
846 } 848 }
847 849
@@ -1044,8 +1046,12 @@ int hidp_add_connection(struct hidp_connadd_req *req, struct socket *ctrl_sock,
1044 } 1046 }
1045 1047
1046 err = hid_add_device(session->hid); 1048 err = hid_add_device(session->hid);
1047 if (err < 0) 1049 if (err < 0) {
1048 goto err_add_device; 1050 atomic_inc(&session->terminate);
1051 wake_up_process(session->task);
1052 up_write(&hidp_session_sem);
1053 return err;
1054 }
1049 1055
1050 if (session->input) { 1056 if (session->input) {
1051 hidp_send_ctrl_message(session, 1057 hidp_send_ctrl_message(session,
@@ -1059,12 +1065,6 @@ int hidp_add_connection(struct hidp_connadd_req *req, struct socket *ctrl_sock,
1059 up_write(&hidp_session_sem); 1065 up_write(&hidp_session_sem);
1060 return 0; 1066 return 0;
1061 1067
1062err_add_device:
1063 hid_destroy_device(session->hid);
1064 session->hid = NULL;
1065 atomic_inc(&session->terminate);
1066 wake_up_process(session->task);
1067
1068unlink: 1068unlink:
1069 hidp_del_timer(session); 1069 hidp_del_timer(session);
1070 1070
@@ -1090,7 +1090,6 @@ purge:
1090failed: 1090failed:
1091 up_write(&hidp_session_sem); 1091 up_write(&hidp_session_sem);
1092 1092
1093 input_free_device(session->input);
1094 kfree(session); 1093 kfree(session);
1095 return err; 1094 return err;
1096} 1095}
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 7705e26e699..12844fdac68 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -54,26 +54,39 @@
54#include <net/bluetooth/bluetooth.h> 54#include <net/bluetooth/bluetooth.h>
55#include <net/bluetooth/hci_core.h> 55#include <net/bluetooth/hci_core.h>
56#include <net/bluetooth/l2cap.h> 56#include <net/bluetooth/l2cap.h>
57#include <net/bluetooth/smp.h>
57 58
58int disable_ertm; 59int disable_ertm;
59 60
60static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN; 61static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
61static u8 l2cap_fixed_chan[8] = { 0x02, }; 62static u8 l2cap_fixed_chan[8] = { 0x02, };
62 63
63static struct workqueue_struct *_busy_wq; 64static LIST_HEAD(chan_list);
64 65static DEFINE_RWLOCK(chan_list_lock);
65LIST_HEAD(chan_list);
66DEFINE_RWLOCK(chan_list_lock);
67
68static void l2cap_busy_work(struct work_struct *work);
69 66
70static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, 67static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
71 u8 code, u8 ident, u16 dlen, void *data); 68 u8 code, u8 ident, u16 dlen, void *data);
69static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
70 void *data);
72static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data); 71static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
72static void l2cap_send_disconn_req(struct l2cap_conn *conn,
73 struct l2cap_chan *chan, int err);
73 74
74static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb); 75static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb);
75 76
76/* ---- L2CAP channels ---- */ 77/* ---- L2CAP channels ---- */
78
79static inline void chan_hold(struct l2cap_chan *c)
80{
81 atomic_inc(&c->refcnt);
82}
83
84static inline void chan_put(struct l2cap_chan *c)
85{
86 if (atomic_dec_and_test(&c->refcnt))
87 kfree(c);
88}
89
77static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid) 90static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
78{ 91{
79 struct l2cap_chan *c; 92 struct l2cap_chan *c;
@@ -204,6 +217,62 @@ static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
204 return 0; 217 return 0;
205} 218}
206 219
220static void l2cap_set_timer(struct l2cap_chan *chan, struct timer_list *timer, long timeout)
221{
222 BT_DBG("chan %p state %d timeout %ld", chan->sk, chan->state, timeout);
223
224 if (!mod_timer(timer, jiffies + msecs_to_jiffies(timeout)))
225 chan_hold(chan);
226}
227
228static void l2cap_clear_timer(struct l2cap_chan *chan, struct timer_list *timer)
229{
230 BT_DBG("chan %p state %d", chan, chan->state);
231
232 if (timer_pending(timer) && del_timer(timer))
233 chan_put(chan);
234}
235
236static void l2cap_state_change(struct l2cap_chan *chan, int state)
237{
238 chan->state = state;
239 chan->ops->state_change(chan->data, state);
240}
241
242static void l2cap_chan_timeout(unsigned long arg)
243{
244 struct l2cap_chan *chan = (struct l2cap_chan *) arg;
245 struct sock *sk = chan->sk;
246 int reason;
247
248 BT_DBG("chan %p state %d", chan, chan->state);
249
250 bh_lock_sock(sk);
251
252 if (sock_owned_by_user(sk)) {
253 /* sk is owned by user. Try again later */
254 __set_chan_timer(chan, HZ / 5);
255 bh_unlock_sock(sk);
256 chan_put(chan);
257 return;
258 }
259
260 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
261 reason = ECONNREFUSED;
262 else if (chan->state == BT_CONNECT &&
263 chan->sec_level != BT_SECURITY_SDP)
264 reason = ECONNREFUSED;
265 else
266 reason = ETIMEDOUT;
267
268 l2cap_chan_close(chan, reason);
269
270 bh_unlock_sock(sk);
271
272 chan->ops->close(chan->data);
273 chan_put(chan);
274}
275
207struct l2cap_chan *l2cap_chan_create(struct sock *sk) 276struct l2cap_chan *l2cap_chan_create(struct sock *sk)
208{ 277{
209 struct l2cap_chan *chan; 278 struct l2cap_chan *chan;
@@ -218,6 +287,12 @@ struct l2cap_chan *l2cap_chan_create(struct sock *sk)
218 list_add(&chan->global_l, &chan_list); 287 list_add(&chan->global_l, &chan_list);
219 write_unlock_bh(&chan_list_lock); 288 write_unlock_bh(&chan_list_lock);
220 289
290 setup_timer(&chan->chan_timer, l2cap_chan_timeout, (unsigned long) chan);
291
292 chan->state = BT_OPEN;
293
294 atomic_set(&chan->refcnt, 1);
295
221 return chan; 296 return chan;
222} 297}
223 298
@@ -227,13 +302,11 @@ void l2cap_chan_destroy(struct l2cap_chan *chan)
227 list_del(&chan->global_l); 302 list_del(&chan->global_l);
228 write_unlock_bh(&chan_list_lock); 303 write_unlock_bh(&chan_list_lock);
229 304
230 kfree(chan); 305 chan_put(chan);
231} 306}
232 307
233static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan) 308static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
234{ 309{
235 struct sock *sk = chan->sk;
236
237 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn, 310 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
238 chan->psm, chan->dcid); 311 chan->psm, chan->dcid);
239 312
@@ -241,7 +314,7 @@ static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
241 314
242 chan->conn = conn; 315 chan->conn = conn;
243 316
244 if (sk->sk_type == SOCK_SEQPACKET || sk->sk_type == SOCK_STREAM) { 317 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
245 if (conn->hcon->type == LE_LINK) { 318 if (conn->hcon->type == LE_LINK) {
246 /* LE connection */ 319 /* LE connection */
247 chan->omtu = L2CAP_LE_DEFAULT_MTU; 320 chan->omtu = L2CAP_LE_DEFAULT_MTU;
@@ -252,7 +325,7 @@ static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
252 chan->scid = l2cap_alloc_cid(conn); 325 chan->scid = l2cap_alloc_cid(conn);
253 chan->omtu = L2CAP_DEFAULT_MTU; 326 chan->omtu = L2CAP_DEFAULT_MTU;
254 } 327 }
255 } else if (sk->sk_type == SOCK_DGRAM) { 328 } else if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
256 /* Connectionless socket */ 329 /* Connectionless socket */
257 chan->scid = L2CAP_CID_CONN_LESS; 330 chan->scid = L2CAP_CID_CONN_LESS;
258 chan->dcid = L2CAP_CID_CONN_LESS; 331 chan->dcid = L2CAP_CID_CONN_LESS;
@@ -264,20 +337,20 @@ static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
264 chan->omtu = L2CAP_DEFAULT_MTU; 337 chan->omtu = L2CAP_DEFAULT_MTU;
265 } 338 }
266 339
267 sock_hold(sk); 340 chan_hold(chan);
268 341
269 list_add(&chan->list, &conn->chan_l); 342 list_add(&chan->list, &conn->chan_l);
270} 343}
271 344
272/* Delete channel. 345/* Delete channel.
273 * Must be called on the locked socket. */ 346 * Must be called on the locked socket. */
274void l2cap_chan_del(struct l2cap_chan *chan, int err) 347static void l2cap_chan_del(struct l2cap_chan *chan, int err)
275{ 348{
276 struct sock *sk = chan->sk; 349 struct sock *sk = chan->sk;
277 struct l2cap_conn *conn = chan->conn; 350 struct l2cap_conn *conn = chan->conn;
278 struct sock *parent = bt_sk(sk)->parent; 351 struct sock *parent = bt_sk(sk)->parent;
279 352
280 l2cap_sock_clear_timer(sk); 353 __clear_chan_timer(chan);
281 354
282 BT_DBG("chan %p, conn %p, err %d", chan, conn, err); 355 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
283 356
@@ -286,13 +359,13 @@ void l2cap_chan_del(struct l2cap_chan *chan, int err)
286 write_lock_bh(&conn->chan_lock); 359 write_lock_bh(&conn->chan_lock);
287 list_del(&chan->list); 360 list_del(&chan->list);
288 write_unlock_bh(&conn->chan_lock); 361 write_unlock_bh(&conn->chan_lock);
289 __sock_put(sk); 362 chan_put(chan);
290 363
291 chan->conn = NULL; 364 chan->conn = NULL;
292 hci_conn_put(conn->hcon); 365 hci_conn_put(conn->hcon);
293 } 366 }
294 367
295 sk->sk_state = BT_CLOSED; 368 l2cap_state_change(chan, BT_CLOSED);
296 sock_set_flag(sk, SOCK_ZAPPED); 369 sock_set_flag(sk, SOCK_ZAPPED);
297 370
298 if (err) 371 if (err)
@@ -304,8 +377,8 @@ void l2cap_chan_del(struct l2cap_chan *chan, int err)
304 } else 377 } else
305 sk->sk_state_change(sk); 378 sk->sk_state_change(sk);
306 379
307 if (!(chan->conf_state & L2CAP_CONF_OUTPUT_DONE && 380 if (!(test_bit(CONF_OUTPUT_DONE, &chan->conf_state) &&
308 chan->conf_state & L2CAP_CONF_INPUT_DONE)) 381 test_bit(CONF_INPUT_DONE, &chan->conf_state)))
309 return; 382 return;
310 383
311 skb_queue_purge(&chan->tx_q); 384 skb_queue_purge(&chan->tx_q);
@@ -313,12 +386,11 @@ void l2cap_chan_del(struct l2cap_chan *chan, int err)
313 if (chan->mode == L2CAP_MODE_ERTM) { 386 if (chan->mode == L2CAP_MODE_ERTM) {
314 struct srej_list *l, *tmp; 387 struct srej_list *l, *tmp;
315 388
316 del_timer(&chan->retrans_timer); 389 __clear_retrans_timer(chan);
317 del_timer(&chan->monitor_timer); 390 __clear_monitor_timer(chan);
318 del_timer(&chan->ack_timer); 391 __clear_ack_timer(chan);
319 392
320 skb_queue_purge(&chan->srej_q); 393 skb_queue_purge(&chan->srej_q);
321 skb_queue_purge(&chan->busy_q);
322 394
323 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) { 395 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
324 list_del(&l->list); 396 list_del(&l->list);
@@ -327,11 +399,86 @@ void l2cap_chan_del(struct l2cap_chan *chan, int err)
327 } 399 }
328} 400}
329 401
330static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan) 402static void l2cap_chan_cleanup_listen(struct sock *parent)
331{ 403{
404 struct sock *sk;
405
406 BT_DBG("parent %p", parent);
407
408 /* Close not yet accepted channels */
409 while ((sk = bt_accept_dequeue(parent, NULL))) {
410 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
411 __clear_chan_timer(chan);
412 lock_sock(sk);
413 l2cap_chan_close(chan, ECONNRESET);
414 release_sock(sk);
415 chan->ops->close(chan->data);
416 }
417}
418
419void l2cap_chan_close(struct l2cap_chan *chan, int reason)
420{
421 struct l2cap_conn *conn = chan->conn;
332 struct sock *sk = chan->sk; 422 struct sock *sk = chan->sk;
333 423
334 if (sk->sk_type == SOCK_RAW) { 424 BT_DBG("chan %p state %d socket %p", chan, chan->state, sk->sk_socket);
425
426 switch (chan->state) {
427 case BT_LISTEN:
428 l2cap_chan_cleanup_listen(sk);
429
430 l2cap_state_change(chan, BT_CLOSED);
431 sock_set_flag(sk, SOCK_ZAPPED);
432 break;
433
434 case BT_CONNECTED:
435 case BT_CONFIG:
436 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
437 conn->hcon->type == ACL_LINK) {
438 __clear_chan_timer(chan);
439 __set_chan_timer(chan, sk->sk_sndtimeo);
440 l2cap_send_disconn_req(conn, chan, reason);
441 } else
442 l2cap_chan_del(chan, reason);
443 break;
444
445 case BT_CONNECT2:
446 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
447 conn->hcon->type == ACL_LINK) {
448 struct l2cap_conn_rsp rsp;
449 __u16 result;
450
451 if (bt_sk(sk)->defer_setup)
452 result = L2CAP_CR_SEC_BLOCK;
453 else
454 result = L2CAP_CR_BAD_PSM;
455 l2cap_state_change(chan, BT_DISCONN);
456
457 rsp.scid = cpu_to_le16(chan->dcid);
458 rsp.dcid = cpu_to_le16(chan->scid);
459 rsp.result = cpu_to_le16(result);
460 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
461 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
462 sizeof(rsp), &rsp);
463 }
464
465 l2cap_chan_del(chan, reason);
466 break;
467
468 case BT_CONNECT:
469 case BT_DISCONN:
470 l2cap_chan_del(chan, reason);
471 break;
472
473 default:
474 sock_set_flag(sk, SOCK_ZAPPED);
475 break;
476 }
477}
478
479static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
480{
481 if (chan->chan_type == L2CAP_CHAN_RAW) {
335 switch (chan->sec_level) { 482 switch (chan->sec_level) {
336 case BT_SECURITY_HIGH: 483 case BT_SECURITY_HIGH:
337 return HCI_AT_DEDICATED_BONDING_MITM; 484 return HCI_AT_DEDICATED_BONDING_MITM;
@@ -371,7 +518,7 @@ static inline int l2cap_check_security(struct l2cap_chan *chan)
371 return hci_conn_security(conn->hcon, chan->sec_level, auth_type); 518 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
372} 519}
373 520
374u8 l2cap_get_ident(struct l2cap_conn *conn) 521static u8 l2cap_get_ident(struct l2cap_conn *conn)
375{ 522{
376 u8 id; 523 u8 id;
377 524
@@ -393,7 +540,7 @@ u8 l2cap_get_ident(struct l2cap_conn *conn)
393 return id; 540 return id;
394} 541}
395 542
396void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data) 543static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
397{ 544{
398 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data); 545 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
399 u8 flags; 546 u8 flags;
@@ -408,6 +555,8 @@ void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *d
408 else 555 else
409 flags = ACL_START; 556 flags = ACL_START;
410 557
558 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
559
411 hci_send_acl(conn->hcon, skb, flags); 560 hci_send_acl(conn->hcon, skb, flags);
412} 561}
413 562
@@ -415,13 +564,11 @@ static inline void l2cap_send_sframe(struct l2cap_chan *chan, u16 control)
415{ 564{
416 struct sk_buff *skb; 565 struct sk_buff *skb;
417 struct l2cap_hdr *lh; 566 struct l2cap_hdr *lh;
418 struct l2cap_pinfo *pi = l2cap_pi(chan->sk);
419 struct l2cap_conn *conn = chan->conn; 567 struct l2cap_conn *conn = chan->conn;
420 struct sock *sk = (struct sock *)pi;
421 int count, hlen = L2CAP_HDR_SIZE + 2; 568 int count, hlen = L2CAP_HDR_SIZE + 2;
422 u8 flags; 569 u8 flags;
423 570
424 if (sk->sk_state != BT_CONNECTED) 571 if (chan->state != BT_CONNECTED)
425 return; 572 return;
426 573
427 if (chan->fcs == L2CAP_FCS_CRC16) 574 if (chan->fcs == L2CAP_FCS_CRC16)
@@ -432,15 +579,11 @@ static inline void l2cap_send_sframe(struct l2cap_chan *chan, u16 control)
432 count = min_t(unsigned int, conn->mtu, hlen); 579 count = min_t(unsigned int, conn->mtu, hlen);
433 control |= L2CAP_CTRL_FRAME_TYPE; 580 control |= L2CAP_CTRL_FRAME_TYPE;
434 581
435 if (chan->conn_state & L2CAP_CONN_SEND_FBIT) { 582 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
436 control |= L2CAP_CTRL_FINAL; 583 control |= L2CAP_CTRL_FINAL;
437 chan->conn_state &= ~L2CAP_CONN_SEND_FBIT;
438 }
439 584
440 if (chan->conn_state & L2CAP_CONN_SEND_PBIT) { 585 if (test_and_clear_bit(CONN_SEND_PBIT, &chan->conn_state))
441 control |= L2CAP_CTRL_POLL; 586 control |= L2CAP_CTRL_POLL;
442 chan->conn_state &= ~L2CAP_CONN_SEND_PBIT;
443 }
444 587
445 skb = bt_skb_alloc(count, GFP_ATOMIC); 588 skb = bt_skb_alloc(count, GFP_ATOMIC);
446 if (!skb) 589 if (!skb)
@@ -461,14 +604,16 @@ static inline void l2cap_send_sframe(struct l2cap_chan *chan, u16 control)
461 else 604 else
462 flags = ACL_START; 605 flags = ACL_START;
463 606
607 bt_cb(skb)->force_active = chan->force_active;
608
464 hci_send_acl(chan->conn->hcon, skb, flags); 609 hci_send_acl(chan->conn->hcon, skb, flags);
465} 610}
466 611
467static inline void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, u16 control) 612static inline void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, u16 control)
468{ 613{
469 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) { 614 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
470 control |= L2CAP_SUPER_RCV_NOT_READY; 615 control |= L2CAP_SUPER_RCV_NOT_READY;
471 chan->conn_state |= L2CAP_CONN_RNR_SENT; 616 set_bit(CONN_RNR_SENT, &chan->conn_state);
472 } else 617 } else
473 control |= L2CAP_SUPER_RCV_READY; 618 control |= L2CAP_SUPER_RCV_READY;
474 619
@@ -479,7 +624,7 @@ static inline void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, u16 control)
479 624
480static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan) 625static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
481{ 626{
482 return !(chan->conf_state & L2CAP_CONF_CONNECT_PEND); 627 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
483} 628}
484 629
485static void l2cap_do_start(struct l2cap_chan *chan) 630static void l2cap_do_start(struct l2cap_chan *chan)
@@ -497,7 +642,7 @@ static void l2cap_do_start(struct l2cap_chan *chan)
497 req.psm = chan->psm; 642 req.psm = chan->psm;
498 643
499 chan->ident = l2cap_get_ident(conn); 644 chan->ident = l2cap_get_ident(conn);
500 chan->conf_state |= L2CAP_CONF_CONNECT_PEND; 645 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
501 646
502 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, 647 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
503 sizeof(req), &req); 648 sizeof(req), &req);
@@ -533,7 +678,7 @@ static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
533 } 678 }
534} 679}
535 680
536void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err) 681static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
537{ 682{
538 struct sock *sk; 683 struct sock *sk;
539 struct l2cap_disconn_req req; 684 struct l2cap_disconn_req req;
@@ -544,9 +689,9 @@ void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, in
544 sk = chan->sk; 689 sk = chan->sk;
545 690
546 if (chan->mode == L2CAP_MODE_ERTM) { 691 if (chan->mode == L2CAP_MODE_ERTM) {
547 del_timer(&chan->retrans_timer); 692 __clear_retrans_timer(chan);
548 del_timer(&chan->monitor_timer); 693 __clear_monitor_timer(chan);
549 del_timer(&chan->ack_timer); 694 __clear_ack_timer(chan);
550 } 695 }
551 696
552 req.dcid = cpu_to_le16(chan->dcid); 697 req.dcid = cpu_to_le16(chan->dcid);
@@ -554,7 +699,7 @@ void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, in
554 l2cap_send_cmd(conn, l2cap_get_ident(conn), 699 l2cap_send_cmd(conn, l2cap_get_ident(conn),
555 L2CAP_DISCONN_REQ, sizeof(req), &req); 700 L2CAP_DISCONN_REQ, sizeof(req), &req);
556 701
557 sk->sk_state = BT_DISCONN; 702 l2cap_state_change(chan, BT_DISCONN);
558 sk->sk_err = err; 703 sk->sk_err = err;
559} 704}
560 705
@@ -572,13 +717,12 @@ static void l2cap_conn_start(struct l2cap_conn *conn)
572 717
573 bh_lock_sock(sk); 718 bh_lock_sock(sk);
574 719
575 if (sk->sk_type != SOCK_SEQPACKET && 720 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
576 sk->sk_type != SOCK_STREAM) {
577 bh_unlock_sock(sk); 721 bh_unlock_sock(sk);
578 continue; 722 continue;
579 } 723 }
580 724
581 if (sk->sk_state == BT_CONNECT) { 725 if (chan->state == BT_CONNECT) {
582 struct l2cap_conn_req req; 726 struct l2cap_conn_req req;
583 727
584 if (!l2cap_check_security(chan) || 728 if (!l2cap_check_security(chan) ||
@@ -587,15 +731,14 @@ static void l2cap_conn_start(struct l2cap_conn *conn)
587 continue; 731 continue;
588 } 732 }
589 733
590 if (!l2cap_mode_supported(chan->mode, 734 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
591 conn->feat_mask) 735 && test_bit(CONF_STATE2_DEVICE,
592 && chan->conf_state & 736 &chan->conf_state)) {
593 L2CAP_CONF_STATE2_DEVICE) { 737 /* l2cap_chan_close() calls list_del(chan)
594 /* __l2cap_sock_close() calls list_del(chan)
595 * so release the lock */ 738 * so release the lock */
596 read_unlock_bh(&conn->chan_lock); 739 read_unlock(&conn->chan_lock);
597 __l2cap_sock_close(sk, ECONNRESET); 740 l2cap_chan_close(chan, ECONNRESET);
598 read_lock_bh(&conn->chan_lock); 741 read_lock(&conn->chan_lock);
599 bh_unlock_sock(sk); 742 bh_unlock_sock(sk);
600 continue; 743 continue;
601 } 744 }
@@ -604,12 +747,12 @@ static void l2cap_conn_start(struct l2cap_conn *conn)
604 req.psm = chan->psm; 747 req.psm = chan->psm;
605 748
606 chan->ident = l2cap_get_ident(conn); 749 chan->ident = l2cap_get_ident(conn);
607 chan->conf_state |= L2CAP_CONF_CONNECT_PEND; 750 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
608 751
609 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, 752 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
610 sizeof(req), &req); 753 sizeof(req), &req);
611 754
612 } else if (sk->sk_state == BT_CONNECT2) { 755 } else if (chan->state == BT_CONNECT2) {
613 struct l2cap_conn_rsp rsp; 756 struct l2cap_conn_rsp rsp;
614 char buf[128]; 757 char buf[128];
615 rsp.scid = cpu_to_le16(chan->dcid); 758 rsp.scid = cpu_to_le16(chan->dcid);
@@ -624,7 +767,7 @@ static void l2cap_conn_start(struct l2cap_conn *conn)
624 parent->sk_data_ready(parent, 0); 767 parent->sk_data_ready(parent, 0);
625 768
626 } else { 769 } else {
627 sk->sk_state = BT_CONFIG; 770 l2cap_state_change(chan, BT_CONFIG);
628 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS); 771 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
629 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO); 772 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
630 } 773 }
@@ -636,13 +779,13 @@ static void l2cap_conn_start(struct l2cap_conn *conn)
636 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, 779 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
637 sizeof(rsp), &rsp); 780 sizeof(rsp), &rsp);
638 781
639 if (chan->conf_state & L2CAP_CONF_REQ_SENT || 782 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
640 rsp.result != L2CAP_CR_SUCCESS) { 783 rsp.result != L2CAP_CR_SUCCESS) {
641 bh_unlock_sock(sk); 784 bh_unlock_sock(sk);
642 continue; 785 continue;
643 } 786 }
644 787
645 chan->conf_state |= L2CAP_CONF_REQ_SENT; 788 set_bit(CONF_REQ_SENT, &chan->conf_state);
646 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, 789 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
647 l2cap_build_conf_req(chan, buf), buf); 790 l2cap_build_conf_req(chan, buf), buf);
648 chan->num_conf_req++; 791 chan->num_conf_req++;
@@ -666,7 +809,7 @@ static struct l2cap_chan *l2cap_global_chan_by_scid(int state, __le16 cid, bdadd
666 list_for_each_entry(c, &chan_list, global_l) { 809 list_for_each_entry(c, &chan_list, global_l) {
667 struct sock *sk = c->sk; 810 struct sock *sk = c->sk;
668 811
669 if (state && sk->sk_state != state) 812 if (state && c->state != state)
670 continue; 813 continue;
671 814
672 if (c->scid == cid) { 815 if (c->scid == cid) {
@@ -710,24 +853,16 @@ static void l2cap_le_conn_ready(struct l2cap_conn *conn)
710 goto clean; 853 goto clean;
711 } 854 }
712 855
713 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP, GFP_ATOMIC); 856 chan = pchan->ops->new_connection(pchan->data);
714 if (!sk) 857 if (!chan)
715 goto clean;
716
717 chan = l2cap_chan_create(sk);
718 if (!chan) {
719 l2cap_sock_kill(sk);
720 goto clean; 858 goto clean;
721 }
722 859
723 l2cap_pi(sk)->chan = chan; 860 sk = chan->sk;
724 861
725 write_lock_bh(&conn->chan_lock); 862 write_lock_bh(&conn->chan_lock);
726 863
727 hci_conn_hold(conn->hcon); 864 hci_conn_hold(conn->hcon);
728 865
729 l2cap_sock_init(sk, parent);
730
731 bacpy(&bt_sk(sk)->src, conn->src); 866 bacpy(&bt_sk(sk)->src, conn->src);
732 bacpy(&bt_sk(sk)->dst, conn->dst); 867 bacpy(&bt_sk(sk)->dst, conn->dst);
733 868
@@ -735,9 +870,9 @@ static void l2cap_le_conn_ready(struct l2cap_conn *conn)
735 870
736 __l2cap_chan_add(conn, chan); 871 __l2cap_chan_add(conn, chan);
737 872
738 l2cap_sock_set_timer(sk, sk->sk_sndtimeo); 873 __set_chan_timer(chan, sk->sk_sndtimeo);
739 874
740 sk->sk_state = BT_CONNECTED; 875 l2cap_state_change(chan, BT_CONNECTED);
741 parent->sk_data_ready(parent, 0); 876 parent->sk_data_ready(parent, 0);
742 877
743 write_unlock_bh(&conn->chan_lock); 878 write_unlock_bh(&conn->chan_lock);
@@ -746,6 +881,23 @@ clean:
746 bh_unlock_sock(parent); 881 bh_unlock_sock(parent);
747} 882}
748 883
884static void l2cap_chan_ready(struct sock *sk)
885{
886 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
887 struct sock *parent = bt_sk(sk)->parent;
888
889 BT_DBG("sk %p, parent %p", sk, parent);
890
891 chan->conf_state = 0;
892 __clear_chan_timer(chan);
893
894 l2cap_state_change(chan, BT_CONNECTED);
895 sk->sk_state_change(sk);
896
897 if (parent)
898 parent->sk_data_ready(parent, 0);
899}
900
749static void l2cap_conn_ready(struct l2cap_conn *conn) 901static void l2cap_conn_ready(struct l2cap_conn *conn)
750{ 902{
751 struct l2cap_chan *chan; 903 struct l2cap_chan *chan;
@@ -763,17 +915,15 @@ static void l2cap_conn_ready(struct l2cap_conn *conn)
763 bh_lock_sock(sk); 915 bh_lock_sock(sk);
764 916
765 if (conn->hcon->type == LE_LINK) { 917 if (conn->hcon->type == LE_LINK) {
766 l2cap_sock_clear_timer(sk); 918 if (smp_conn_security(conn, chan->sec_level))
767 sk->sk_state = BT_CONNECTED; 919 l2cap_chan_ready(sk);
768 sk->sk_state_change(sk);
769 }
770 920
771 if (sk->sk_type != SOCK_SEQPACKET && 921 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
772 sk->sk_type != SOCK_STREAM) { 922 __clear_chan_timer(chan);
773 l2cap_sock_clear_timer(sk); 923 l2cap_state_change(chan, BT_CONNECTED);
774 sk->sk_state = BT_CONNECTED;
775 sk->sk_state_change(sk); 924 sk->sk_state_change(sk);
776 } else if (sk->sk_state == BT_CONNECT) 925
926 } else if (chan->state == BT_CONNECT)
777 l2cap_do_start(chan); 927 l2cap_do_start(chan);
778 928
779 bh_unlock_sock(sk); 929 bh_unlock_sock(sk);
@@ -811,6 +961,45 @@ static void l2cap_info_timeout(unsigned long arg)
811 l2cap_conn_start(conn); 961 l2cap_conn_start(conn);
812} 962}
813 963
964static void l2cap_conn_del(struct hci_conn *hcon, int err)
965{
966 struct l2cap_conn *conn = hcon->l2cap_data;
967 struct l2cap_chan *chan, *l;
968 struct sock *sk;
969
970 if (!conn)
971 return;
972
973 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
974
975 kfree_skb(conn->rx_skb);
976
977 /* Kill channels */
978 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
979 sk = chan->sk;
980 bh_lock_sock(sk);
981 l2cap_chan_del(chan, err);
982 bh_unlock_sock(sk);
983 chan->ops->close(chan->data);
984 }
985
986 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
987 del_timer_sync(&conn->info_timer);
988
989 if (test_bit(HCI_CONN_ENCRYPT_PEND, &hcon->pend))
990 del_timer(&conn->security_timer);
991
992 hcon->l2cap_data = NULL;
993 kfree(conn);
994}
995
996static void security_timeout(unsigned long arg)
997{
998 struct l2cap_conn *conn = (void *) arg;
999
1000 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1001}
1002
814static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status) 1003static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
815{ 1004{
816 struct l2cap_conn *conn = hcon->l2cap_data; 1005 struct l2cap_conn *conn = hcon->l2cap_data;
@@ -842,7 +1031,10 @@ static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
842 1031
843 INIT_LIST_HEAD(&conn->chan_l); 1032 INIT_LIST_HEAD(&conn->chan_l);
844 1033
845 if (hcon->type != LE_LINK) 1034 if (hcon->type == LE_LINK)
1035 setup_timer(&conn->security_timer, security_timeout,
1036 (unsigned long) conn);
1037 else
846 setup_timer(&conn->info_timer, l2cap_info_timeout, 1038 setup_timer(&conn->info_timer, l2cap_info_timeout,
847 (unsigned long) conn); 1039 (unsigned long) conn);
848 1040
@@ -851,35 +1043,6 @@ static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
851 return conn; 1043 return conn;
852} 1044}
853 1045
854static void l2cap_conn_del(struct hci_conn *hcon, int err)
855{
856 struct l2cap_conn *conn = hcon->l2cap_data;
857 struct l2cap_chan *chan, *l;
858 struct sock *sk;
859
860 if (!conn)
861 return;
862
863 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
864
865 kfree_skb(conn->rx_skb);
866
867 /* Kill channels */
868 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
869 sk = chan->sk;
870 bh_lock_sock(sk);
871 l2cap_chan_del(chan, err);
872 bh_unlock_sock(sk);
873 l2cap_sock_kill(sk);
874 }
875
876 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
877 del_timer_sync(&conn->info_timer);
878
879 hcon->l2cap_data = NULL;
880 kfree(conn);
881}
882
883static inline void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan) 1046static inline void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
884{ 1047{
885 write_lock_bh(&conn->chan_lock); 1048 write_lock_bh(&conn->chan_lock);
@@ -901,7 +1064,7 @@ static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm, bdaddr
901 list_for_each_entry(c, &chan_list, global_l) { 1064 list_for_each_entry(c, &chan_list, global_l) {
902 struct sock *sk = c->sk; 1065 struct sock *sk = c->sk;
903 1066
904 if (state && sk->sk_state != state) 1067 if (state && c->state != state)
905 continue; 1068 continue;
906 1069
907 if (c->psm == psm) { 1070 if (c->psm == psm) {
@@ -945,10 +1108,10 @@ int l2cap_chan_connect(struct l2cap_chan *chan)
945 auth_type = l2cap_get_auth_type(chan); 1108 auth_type = l2cap_get_auth_type(chan);
946 1109
947 if (chan->dcid == L2CAP_CID_LE_DATA) 1110 if (chan->dcid == L2CAP_CID_LE_DATA)
948 hcon = hci_connect(hdev, LE_LINK, dst, 1111 hcon = hci_connect(hdev, LE_LINK, 0, dst,
949 chan->sec_level, auth_type); 1112 chan->sec_level, auth_type);
950 else 1113 else
951 hcon = hci_connect(hdev, ACL_LINK, dst, 1114 hcon = hci_connect(hdev, ACL_LINK, 0, dst,
952 chan->sec_level, auth_type); 1115 chan->sec_level, auth_type);
953 1116
954 if (IS_ERR(hcon)) { 1117 if (IS_ERR(hcon)) {
@@ -968,15 +1131,14 @@ int l2cap_chan_connect(struct l2cap_chan *chan)
968 1131
969 l2cap_chan_add(conn, chan); 1132 l2cap_chan_add(conn, chan);
970 1133
971 sk->sk_state = BT_CONNECT; 1134 l2cap_state_change(chan, BT_CONNECT);
972 l2cap_sock_set_timer(sk, sk->sk_sndtimeo); 1135 __set_chan_timer(chan, sk->sk_sndtimeo);
973 1136
974 if (hcon->state == BT_CONNECTED) { 1137 if (hcon->state == BT_CONNECTED) {
975 if (sk->sk_type != SOCK_SEQPACKET && 1138 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
976 sk->sk_type != SOCK_STREAM) { 1139 __clear_chan_timer(chan);
977 l2cap_sock_clear_timer(sk);
978 if (l2cap_check_security(chan)) 1140 if (l2cap_check_security(chan))
979 sk->sk_state = BT_CONNECTED; 1141 l2cap_state_change(chan, BT_CONNECTED);
980 } else 1142 } else
981 l2cap_do_start(chan); 1143 l2cap_do_start(chan);
982 } 1144 }
@@ -997,9 +1159,8 @@ int __l2cap_wait_ack(struct sock *sk)
997 int timeo = HZ/5; 1159 int timeo = HZ/5;
998 1160
999 add_wait_queue(sk_sleep(sk), &wait); 1161 add_wait_queue(sk_sleep(sk), &wait);
1000 while ((chan->unacked_frames > 0 && chan->conn)) { 1162 set_current_state(TASK_INTERRUPTIBLE);
1001 set_current_state(TASK_INTERRUPTIBLE); 1163 while (chan->unacked_frames > 0 && chan->conn) {
1002
1003 if (!timeo) 1164 if (!timeo)
1004 timeo = HZ/5; 1165 timeo = HZ/5;
1005 1166
@@ -1011,6 +1172,7 @@ int __l2cap_wait_ack(struct sock *sk)
1011 release_sock(sk); 1172 release_sock(sk);
1012 timeo = schedule_timeout(timeo); 1173 timeo = schedule_timeout(timeo);
1013 lock_sock(sk); 1174 lock_sock(sk);
1175 set_current_state(TASK_INTERRUPTIBLE);
1014 1176
1015 err = sock_error(sk); 1177 err = sock_error(sk);
1016 if (err) 1178 if (err)
@@ -1036,7 +1198,7 @@ static void l2cap_monitor_timeout(unsigned long arg)
1036 } 1198 }
1037 1199
1038 chan->retry_count++; 1200 chan->retry_count++;
1039 __mod_monitor_timer(); 1201 __set_monitor_timer(chan);
1040 1202
1041 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL); 1203 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
1042 bh_unlock_sock(sk); 1204 bh_unlock_sock(sk);
@@ -1051,9 +1213,9 @@ static void l2cap_retrans_timeout(unsigned long arg)
1051 1213
1052 bh_lock_sock(sk); 1214 bh_lock_sock(sk);
1053 chan->retry_count = 1; 1215 chan->retry_count = 1;
1054 __mod_monitor_timer(); 1216 __set_monitor_timer(chan);
1055 1217
1056 chan->conn_state |= L2CAP_CONN_WAIT_F; 1218 set_bit(CONN_WAIT_F, &chan->conn_state);
1057 1219
1058 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL); 1220 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
1059 bh_unlock_sock(sk); 1221 bh_unlock_sock(sk);
@@ -1075,7 +1237,7 @@ static void l2cap_drop_acked_frames(struct l2cap_chan *chan)
1075 } 1237 }
1076 1238
1077 if (!chan->unacked_frames) 1239 if (!chan->unacked_frames)
1078 del_timer(&chan->retrans_timer); 1240 __clear_retrans_timer(chan);
1079} 1241}
1080 1242
1081void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb) 1243void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
@@ -1090,6 +1252,7 @@ void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
1090 else 1252 else
1091 flags = ACL_START; 1253 flags = ACL_START;
1092 1254
1255 bt_cb(skb)->force_active = chan->force_active;
1093 hci_send_acl(hcon, skb, flags); 1256 hci_send_acl(hcon, skb, flags);
1094} 1257}
1095 1258
@@ -1143,10 +1306,8 @@ static void l2cap_retransmit_one_frame(struct l2cap_chan *chan, u8 tx_seq)
1143 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE); 1306 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
1144 control &= L2CAP_CTRL_SAR; 1307 control &= L2CAP_CTRL_SAR;
1145 1308
1146 if (chan->conn_state & L2CAP_CONN_SEND_FBIT) { 1309 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1147 control |= L2CAP_CTRL_FINAL; 1310 control |= L2CAP_CTRL_FINAL;
1148 chan->conn_state &= ~L2CAP_CONN_SEND_FBIT;
1149 }
1150 1311
1151 control |= (chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT) 1312 control |= (chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1152 | (tx_seq << L2CAP_CTRL_TXSEQ_SHIFT); 1313 | (tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
@@ -1164,11 +1325,10 @@ static void l2cap_retransmit_one_frame(struct l2cap_chan *chan, u8 tx_seq)
1164int l2cap_ertm_send(struct l2cap_chan *chan) 1325int l2cap_ertm_send(struct l2cap_chan *chan)
1165{ 1326{
1166 struct sk_buff *skb, *tx_skb; 1327 struct sk_buff *skb, *tx_skb;
1167 struct sock *sk = chan->sk;
1168 u16 control, fcs; 1328 u16 control, fcs;
1169 int nsent = 0; 1329 int nsent = 0;
1170 1330
1171 if (sk->sk_state != BT_CONNECTED) 1331 if (chan->state != BT_CONNECTED)
1172 return -ENOTCONN; 1332 return -ENOTCONN;
1173 1333
1174 while ((skb = chan->tx_send_head) && (!l2cap_tx_window_full(chan))) { 1334 while ((skb = chan->tx_send_head) && (!l2cap_tx_window_full(chan))) {
@@ -1186,10 +1346,9 @@ int l2cap_ertm_send(struct l2cap_chan *chan)
1186 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE); 1346 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
1187 control &= L2CAP_CTRL_SAR; 1347 control &= L2CAP_CTRL_SAR;
1188 1348
1189 if (chan->conn_state & L2CAP_CONN_SEND_FBIT) { 1349 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1190 control |= L2CAP_CTRL_FINAL; 1350 control |= L2CAP_CTRL_FINAL;
1191 chan->conn_state &= ~L2CAP_CONN_SEND_FBIT; 1351
1192 }
1193 control |= (chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT) 1352 control |= (chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1194 | (chan->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT); 1353 | (chan->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
1195 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE); 1354 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
@@ -1202,7 +1361,7 @@ int l2cap_ertm_send(struct l2cap_chan *chan)
1202 1361
1203 l2cap_do_send(chan, tx_skb); 1362 l2cap_do_send(chan, tx_skb);
1204 1363
1205 __mod_retrans_timer(); 1364 __set_retrans_timer(chan);
1206 1365
1207 bt_cb(skb)->tx_seq = chan->next_tx_seq; 1366 bt_cb(skb)->tx_seq = chan->next_tx_seq;
1208 chan->next_tx_seq = (chan->next_tx_seq + 1) % 64; 1367 chan->next_tx_seq = (chan->next_tx_seq + 1) % 64;
@@ -1241,9 +1400,9 @@ static void l2cap_send_ack(struct l2cap_chan *chan)
1241 1400
1242 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT; 1401 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1243 1402
1244 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) { 1403 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
1245 control |= L2CAP_SUPER_RCV_NOT_READY; 1404 control |= L2CAP_SUPER_RCV_NOT_READY;
1246 chan->conn_state |= L2CAP_CONN_RNR_SENT; 1405 set_bit(CONN_RNR_SENT, &chan->conn_state);
1247 l2cap_send_sframe(chan, control); 1406 l2cap_send_sframe(chan, control);
1248 return; 1407 return;
1249 } 1408 }
@@ -1451,28 +1610,83 @@ int l2cap_sar_segment_sdu(struct l2cap_chan *chan, struct msghdr *msg, size_t le
1451 return size; 1610 return size;
1452} 1611}
1453 1612
1454static void l2cap_chan_ready(struct sock *sk) 1613int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1455{ 1614{
1456 struct sock *parent = bt_sk(sk)->parent; 1615 struct sk_buff *skb;
1457 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 1616 u16 control;
1617 int err;
1458 1618
1459 BT_DBG("sk %p, parent %p", sk, parent); 1619 /* Connectionless channel */
1620 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
1621 skb = l2cap_create_connless_pdu(chan, msg, len);
1622 if (IS_ERR(skb))
1623 return PTR_ERR(skb);
1460 1624
1461 chan->conf_state = 0; 1625 l2cap_do_send(chan, skb);
1462 l2cap_sock_clear_timer(sk); 1626 return len;
1627 }
1463 1628
1464 if (!parent) { 1629 switch (chan->mode) {
1465 /* Outgoing channel. 1630 case L2CAP_MODE_BASIC:
1466 * Wake up socket sleeping on connect. 1631 /* Check outgoing MTU */
1467 */ 1632 if (len > chan->omtu)
1468 sk->sk_state = BT_CONNECTED; 1633 return -EMSGSIZE;
1469 sk->sk_state_change(sk); 1634
1470 } else { 1635 /* Create a basic PDU */
1471 /* Incoming channel. 1636 skb = l2cap_create_basic_pdu(chan, msg, len);
1472 * Wake up socket sleeping on accept. 1637 if (IS_ERR(skb))
1473 */ 1638 return PTR_ERR(skb);
1474 parent->sk_data_ready(parent, 0); 1639
1640 l2cap_do_send(chan, skb);
1641 err = len;
1642 break;
1643
1644 case L2CAP_MODE_ERTM:
1645 case L2CAP_MODE_STREAMING:
1646 /* Entire SDU fits into one PDU */
1647 if (len <= chan->remote_mps) {
1648 control = L2CAP_SDU_UNSEGMENTED;
1649 skb = l2cap_create_iframe_pdu(chan, msg, len, control,
1650 0);
1651 if (IS_ERR(skb))
1652 return PTR_ERR(skb);
1653
1654 __skb_queue_tail(&chan->tx_q, skb);
1655
1656 if (chan->tx_send_head == NULL)
1657 chan->tx_send_head = skb;
1658
1659 } else {
1660 /* Segment SDU into multiples PDUs */
1661 err = l2cap_sar_segment_sdu(chan, msg, len);
1662 if (err < 0)
1663 return err;
1664 }
1665
1666 if (chan->mode == L2CAP_MODE_STREAMING) {
1667 l2cap_streaming_send(chan);
1668 err = len;
1669 break;
1670 }
1671
1672 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
1673 test_bit(CONN_WAIT_F, &chan->conn_state)) {
1674 err = len;
1675 break;
1676 }
1677
1678 err = l2cap_ertm_send(chan);
1679 if (err >= 0)
1680 err = len;
1681
1682 break;
1683
1684 default:
1685 BT_DBG("bad state %1.1x", chan->mode);
1686 err = -EBADFD;
1475 } 1687 }
1688
1689 return err;
1476} 1690}
1477 1691
1478/* Copy frame to all raw sockets on that connection */ 1692/* Copy frame to all raw sockets on that connection */
@@ -1486,7 +1700,7 @@ static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
1486 read_lock(&conn->chan_lock); 1700 read_lock(&conn->chan_lock);
1487 list_for_each_entry(chan, &conn->chan_l, list) { 1701 list_for_each_entry(chan, &conn->chan_l, list) {
1488 struct sock *sk = chan->sk; 1702 struct sock *sk = chan->sk;
1489 if (sk->sk_type != SOCK_RAW) 1703 if (chan->chan_type != L2CAP_CHAN_RAW)
1490 continue; 1704 continue;
1491 1705
1492 /* Don't send frame to the socket it came from */ 1706 /* Don't send frame to the socket it came from */
@@ -1496,7 +1710,7 @@ static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
1496 if (!nskb) 1710 if (!nskb)
1497 continue; 1711 continue;
1498 1712
1499 if (sock_queue_rcv_skb(sk, nskb)) 1713 if (chan->ops->recv(chan->data, nskb))
1500 kfree_skb(nskb); 1714 kfree_skb(nskb);
1501 } 1715 }
1502 read_unlock(&conn->chan_lock); 1716 read_unlock(&conn->chan_lock);
@@ -1655,11 +1869,9 @@ static inline void l2cap_ertm_init(struct l2cap_chan *chan)
1655 setup_timer(&chan->ack_timer, l2cap_ack_timeout, (unsigned long) chan); 1869 setup_timer(&chan->ack_timer, l2cap_ack_timeout, (unsigned long) chan);
1656 1870
1657 skb_queue_head_init(&chan->srej_q); 1871 skb_queue_head_init(&chan->srej_q);
1658 skb_queue_head_init(&chan->busy_q);
1659 1872
1660 INIT_LIST_HEAD(&chan->srej_l); 1873 INIT_LIST_HEAD(&chan->srej_l);
1661 1874
1662 INIT_WORK(&chan->busy_work, l2cap_busy_work);
1663 1875
1664 sk->sk_backlog_rcv = l2cap_ertm_data_rcv; 1876 sk->sk_backlog_rcv = l2cap_ertm_data_rcv;
1665} 1877}
@@ -1691,7 +1903,7 @@ static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1691 switch (chan->mode) { 1903 switch (chan->mode) {
1692 case L2CAP_MODE_STREAMING: 1904 case L2CAP_MODE_STREAMING:
1693 case L2CAP_MODE_ERTM: 1905 case L2CAP_MODE_ERTM:
1694 if (chan->conf_state & L2CAP_CONF_STATE2_DEVICE) 1906 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
1695 break; 1907 break;
1696 1908
1697 /* fall through */ 1909 /* fall through */
@@ -1738,7 +1950,7 @@ done:
1738 break; 1950 break;
1739 1951
1740 if (chan->fcs == L2CAP_FCS_NONE || 1952 if (chan->fcs == L2CAP_FCS_NONE ||
1741 chan->conf_state & L2CAP_CONF_NO_FCS_RECV) { 1953 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
1742 chan->fcs = L2CAP_FCS_NONE; 1954 chan->fcs = L2CAP_FCS_NONE;
1743 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs); 1955 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
1744 } 1956 }
@@ -1761,7 +1973,7 @@ done:
1761 break; 1973 break;
1762 1974
1763 if (chan->fcs == L2CAP_FCS_NONE || 1975 if (chan->fcs == L2CAP_FCS_NONE ||
1764 chan->conf_state & L2CAP_CONF_NO_FCS_RECV) { 1976 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
1765 chan->fcs = L2CAP_FCS_NONE; 1977 chan->fcs = L2CAP_FCS_NONE;
1766 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs); 1978 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
1767 } 1979 }
@@ -1813,7 +2025,7 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1813 2025
1814 case L2CAP_CONF_FCS: 2026 case L2CAP_CONF_FCS:
1815 if (val == L2CAP_FCS_NONE) 2027 if (val == L2CAP_FCS_NONE)
1816 chan->conf_state |= L2CAP_CONF_NO_FCS_RECV; 2028 set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
1817 2029
1818 break; 2030 break;
1819 2031
@@ -1833,7 +2045,7 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1833 switch (chan->mode) { 2045 switch (chan->mode) {
1834 case L2CAP_MODE_STREAMING: 2046 case L2CAP_MODE_STREAMING:
1835 case L2CAP_MODE_ERTM: 2047 case L2CAP_MODE_ERTM:
1836 if (!(chan->conf_state & L2CAP_CONF_STATE2_DEVICE)) { 2048 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
1837 chan->mode = l2cap_select_mode(rfc.mode, 2049 chan->mode = l2cap_select_mode(rfc.mode,
1838 chan->conn->feat_mask); 2050 chan->conn->feat_mask);
1839 break; 2051 break;
@@ -1866,14 +2078,14 @@ done:
1866 result = L2CAP_CONF_UNACCEPT; 2078 result = L2CAP_CONF_UNACCEPT;
1867 else { 2079 else {
1868 chan->omtu = mtu; 2080 chan->omtu = mtu;
1869 chan->conf_state |= L2CAP_CONF_MTU_DONE; 2081 set_bit(CONF_MTU_DONE, &chan->conf_state);
1870 } 2082 }
1871 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu); 2083 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
1872 2084
1873 switch (rfc.mode) { 2085 switch (rfc.mode) {
1874 case L2CAP_MODE_BASIC: 2086 case L2CAP_MODE_BASIC:
1875 chan->fcs = L2CAP_FCS_NONE; 2087 chan->fcs = L2CAP_FCS_NONE;
1876 chan->conf_state |= L2CAP_CONF_MODE_DONE; 2088 set_bit(CONF_MODE_DONE, &chan->conf_state);
1877 break; 2089 break;
1878 2090
1879 case L2CAP_MODE_ERTM: 2091 case L2CAP_MODE_ERTM:
@@ -1890,7 +2102,7 @@ done:
1890 rfc.monitor_timeout = 2102 rfc.monitor_timeout =
1891 le16_to_cpu(L2CAP_DEFAULT_MONITOR_TO); 2103 le16_to_cpu(L2CAP_DEFAULT_MONITOR_TO);
1892 2104
1893 chan->conf_state |= L2CAP_CONF_MODE_DONE; 2105 set_bit(CONF_MODE_DONE, &chan->conf_state);
1894 2106
1895 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, 2107 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
1896 sizeof(rfc), (unsigned long) &rfc); 2108 sizeof(rfc), (unsigned long) &rfc);
@@ -1903,7 +2115,7 @@ done:
1903 2115
1904 chan->remote_mps = le16_to_cpu(rfc.max_pdu_size); 2116 chan->remote_mps = le16_to_cpu(rfc.max_pdu_size);
1905 2117
1906 chan->conf_state |= L2CAP_CONF_MODE_DONE; 2118 set_bit(CONF_MODE_DONE, &chan->conf_state);
1907 2119
1908 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, 2120 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
1909 sizeof(rfc), (unsigned long) &rfc); 2121 sizeof(rfc), (unsigned long) &rfc);
@@ -1918,7 +2130,7 @@ done:
1918 } 2130 }
1919 2131
1920 if (result == L2CAP_CONF_SUCCESS) 2132 if (result == L2CAP_CONF_SUCCESS)
1921 chan->conf_state |= L2CAP_CONF_OUTPUT_DONE; 2133 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
1922 } 2134 }
1923 rsp->scid = cpu_to_le16(chan->dcid); 2135 rsp->scid = cpu_to_le16(chan->dcid);
1924 rsp->result = cpu_to_le16(result); 2136 rsp->result = cpu_to_le16(result);
@@ -1960,7 +2172,7 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, voi
1960 if (olen == sizeof(rfc)) 2172 if (olen == sizeof(rfc))
1961 memcpy(&rfc, (void *)val, olen); 2173 memcpy(&rfc, (void *)val, olen);
1962 2174
1963 if ((chan->conf_state & L2CAP_CONF_STATE2_DEVICE) && 2175 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
1964 rfc.mode != chan->mode) 2176 rfc.mode != chan->mode)
1965 return -ECONNREFUSED; 2177 return -ECONNREFUSED;
1966 2178
@@ -2022,10 +2234,9 @@ void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
2022 l2cap_send_cmd(conn, chan->ident, 2234 l2cap_send_cmd(conn, chan->ident,
2023 L2CAP_CONN_RSP, sizeof(rsp), &rsp); 2235 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2024 2236
2025 if (chan->conf_state & L2CAP_CONF_REQ_SENT) 2237 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
2026 return; 2238 return;
2027 2239
2028 chan->conf_state |= L2CAP_CONF_REQ_SENT;
2029 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, 2240 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2030 l2cap_build_conf_req(chan, buf), buf); 2241 l2cap_build_conf_req(chan, buf), buf);
2031 chan->num_conf_req++; 2242 chan->num_conf_req++;
@@ -2067,9 +2278,9 @@ done:
2067 2278
2068static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data) 2279static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2069{ 2280{
2070 struct l2cap_cmd_rej *rej = (struct l2cap_cmd_rej *) data; 2281 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
2071 2282
2072 if (rej->reason != 0x0000) 2283 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
2073 return 0; 2284 return 0;
2074 2285
2075 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) && 2286 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
@@ -2125,17 +2336,11 @@ static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hd
2125 goto response; 2336 goto response;
2126 } 2337 }
2127 2338
2128 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP, GFP_ATOMIC); 2339 chan = pchan->ops->new_connection(pchan->data);
2129 if (!sk) 2340 if (!chan)
2130 goto response;
2131
2132 chan = l2cap_chan_create(sk);
2133 if (!chan) {
2134 l2cap_sock_kill(sk);
2135 goto response; 2341 goto response;
2136 }
2137 2342
2138 l2cap_pi(sk)->chan = chan; 2343 sk = chan->sk;
2139 2344
2140 write_lock_bh(&conn->chan_lock); 2345 write_lock_bh(&conn->chan_lock);
2141 2346
@@ -2143,13 +2348,12 @@ static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hd
2143 if (__l2cap_get_chan_by_dcid(conn, scid)) { 2348 if (__l2cap_get_chan_by_dcid(conn, scid)) {
2144 write_unlock_bh(&conn->chan_lock); 2349 write_unlock_bh(&conn->chan_lock);
2145 sock_set_flag(sk, SOCK_ZAPPED); 2350 sock_set_flag(sk, SOCK_ZAPPED);
2146 l2cap_sock_kill(sk); 2351 chan->ops->close(chan->data);
2147 goto response; 2352 goto response;
2148 } 2353 }
2149 2354
2150 hci_conn_hold(conn->hcon); 2355 hci_conn_hold(conn->hcon);
2151 2356
2152 l2cap_sock_init(sk, parent);
2153 bacpy(&bt_sk(sk)->src, conn->src); 2357 bacpy(&bt_sk(sk)->src, conn->src);
2154 bacpy(&bt_sk(sk)->dst, conn->dst); 2358 bacpy(&bt_sk(sk)->dst, conn->dst);
2155 chan->psm = psm; 2359 chan->psm = psm;
@@ -2161,29 +2365,29 @@ static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hd
2161 2365
2162 dcid = chan->scid; 2366 dcid = chan->scid;
2163 2367
2164 l2cap_sock_set_timer(sk, sk->sk_sndtimeo); 2368 __set_chan_timer(chan, sk->sk_sndtimeo);
2165 2369
2166 chan->ident = cmd->ident; 2370 chan->ident = cmd->ident;
2167 2371
2168 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) { 2372 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
2169 if (l2cap_check_security(chan)) { 2373 if (l2cap_check_security(chan)) {
2170 if (bt_sk(sk)->defer_setup) { 2374 if (bt_sk(sk)->defer_setup) {
2171 sk->sk_state = BT_CONNECT2; 2375 l2cap_state_change(chan, BT_CONNECT2);
2172 result = L2CAP_CR_PEND; 2376 result = L2CAP_CR_PEND;
2173 status = L2CAP_CS_AUTHOR_PEND; 2377 status = L2CAP_CS_AUTHOR_PEND;
2174 parent->sk_data_ready(parent, 0); 2378 parent->sk_data_ready(parent, 0);
2175 } else { 2379 } else {
2176 sk->sk_state = BT_CONFIG; 2380 l2cap_state_change(chan, BT_CONFIG);
2177 result = L2CAP_CR_SUCCESS; 2381 result = L2CAP_CR_SUCCESS;
2178 status = L2CAP_CS_NO_INFO; 2382 status = L2CAP_CS_NO_INFO;
2179 } 2383 }
2180 } else { 2384 } else {
2181 sk->sk_state = BT_CONNECT2; 2385 l2cap_state_change(chan, BT_CONNECT2);
2182 result = L2CAP_CR_PEND; 2386 result = L2CAP_CR_PEND;
2183 status = L2CAP_CS_AUTHEN_PEND; 2387 status = L2CAP_CS_AUTHEN_PEND;
2184 } 2388 }
2185 } else { 2389 } else {
2186 sk->sk_state = BT_CONNECT2; 2390 l2cap_state_change(chan, BT_CONNECT2);
2187 result = L2CAP_CR_PEND; 2391 result = L2CAP_CR_PEND;
2188 status = L2CAP_CS_NO_INFO; 2392 status = L2CAP_CS_NO_INFO;
2189 } 2393 }
@@ -2214,10 +2418,10 @@ sendresp:
2214 L2CAP_INFO_REQ, sizeof(info), &info); 2418 L2CAP_INFO_REQ, sizeof(info), &info);
2215 } 2419 }
2216 2420
2217 if (chan && !(chan->conf_state & L2CAP_CONF_REQ_SENT) && 2421 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
2218 result == L2CAP_CR_SUCCESS) { 2422 result == L2CAP_CR_SUCCESS) {
2219 u8 buf[128]; 2423 u8 buf[128];
2220 chan->conf_state |= L2CAP_CONF_REQ_SENT; 2424 set_bit(CONF_REQ_SENT, &chan->conf_state);
2221 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, 2425 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2222 l2cap_build_conf_req(chan, buf), buf); 2426 l2cap_build_conf_req(chan, buf), buf);
2223 chan->num_conf_req++; 2427 chan->num_conf_req++;
@@ -2255,31 +2459,29 @@ static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hd
2255 2459
2256 switch (result) { 2460 switch (result) {
2257 case L2CAP_CR_SUCCESS: 2461 case L2CAP_CR_SUCCESS:
2258 sk->sk_state = BT_CONFIG; 2462 l2cap_state_change(chan, BT_CONFIG);
2259 chan->ident = 0; 2463 chan->ident = 0;
2260 chan->dcid = dcid; 2464 chan->dcid = dcid;
2261 chan->conf_state &= ~L2CAP_CONF_CONNECT_PEND; 2465 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
2262 2466
2263 if (chan->conf_state & L2CAP_CONF_REQ_SENT) 2467 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
2264 break; 2468 break;
2265 2469
2266 chan->conf_state |= L2CAP_CONF_REQ_SENT;
2267
2268 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, 2470 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2269 l2cap_build_conf_req(chan, req), req); 2471 l2cap_build_conf_req(chan, req), req);
2270 chan->num_conf_req++; 2472 chan->num_conf_req++;
2271 break; 2473 break;
2272 2474
2273 case L2CAP_CR_PEND: 2475 case L2CAP_CR_PEND:
2274 chan->conf_state |= L2CAP_CONF_CONNECT_PEND; 2476 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
2275 break; 2477 break;
2276 2478
2277 default: 2479 default:
2278 /* don't delete l2cap channel if sk is owned by user */ 2480 /* don't delete l2cap channel if sk is owned by user */
2279 if (sock_owned_by_user(sk)) { 2481 if (sock_owned_by_user(sk)) {
2280 sk->sk_state = BT_DISCONN; 2482 l2cap_state_change(chan, BT_DISCONN);
2281 l2cap_sock_clear_timer(sk); 2483 __clear_chan_timer(chan);
2282 l2cap_sock_set_timer(sk, HZ / 5); 2484 __set_chan_timer(chan, HZ / 5);
2283 break; 2485 break;
2284 } 2486 }
2285 2487
@@ -2293,14 +2495,12 @@ static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hd
2293 2495
2294static inline void set_default_fcs(struct l2cap_chan *chan) 2496static inline void set_default_fcs(struct l2cap_chan *chan)
2295{ 2497{
2296 struct l2cap_pinfo *pi = l2cap_pi(chan->sk);
2297
2298 /* FCS is enabled only in ERTM or streaming mode, if one or both 2498 /* FCS is enabled only in ERTM or streaming mode, if one or both
2299 * sides request it. 2499 * sides request it.
2300 */ 2500 */
2301 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING) 2501 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
2302 chan->fcs = L2CAP_FCS_NONE; 2502 chan->fcs = L2CAP_FCS_NONE;
2303 else if (!(pi->chan->conf_state & L2CAP_CONF_NO_FCS_RECV)) 2503 else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
2304 chan->fcs = L2CAP_FCS_CRC16; 2504 chan->fcs = L2CAP_FCS_CRC16;
2305} 2505}
2306 2506
@@ -2324,10 +2524,13 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
2324 2524
2325 sk = chan->sk; 2525 sk = chan->sk;
2326 2526
2327 if (sk->sk_state != BT_CONFIG && sk->sk_state != BT_CONNECT2) { 2527 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
2328 struct l2cap_cmd_rej rej; 2528 struct l2cap_cmd_rej_cid rej;
2529
2530 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
2531 rej.scid = cpu_to_le16(chan->scid);
2532 rej.dcid = cpu_to_le16(chan->dcid);
2329 2533
2330 rej.reason = cpu_to_le16(0x0002);
2331 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ, 2534 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
2332 sizeof(rej), &rej); 2535 sizeof(rej), &rej);
2333 goto unlock; 2536 goto unlock;
@@ -2367,13 +2570,13 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
2367 /* Reset config buffer. */ 2570 /* Reset config buffer. */
2368 chan->conf_len = 0; 2571 chan->conf_len = 0;
2369 2572
2370 if (!(chan->conf_state & L2CAP_CONF_OUTPUT_DONE)) 2573 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
2371 goto unlock; 2574 goto unlock;
2372 2575
2373 if (chan->conf_state & L2CAP_CONF_INPUT_DONE) { 2576 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
2374 set_default_fcs(chan); 2577 set_default_fcs(chan);
2375 2578
2376 sk->sk_state = BT_CONNECTED; 2579 l2cap_state_change(chan, BT_CONNECTED);
2377 2580
2378 chan->next_tx_seq = 0; 2581 chan->next_tx_seq = 0;
2379 chan->expected_tx_seq = 0; 2582 chan->expected_tx_seq = 0;
@@ -2385,9 +2588,8 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
2385 goto unlock; 2588 goto unlock;
2386 } 2589 }
2387 2590
2388 if (!(chan->conf_state & L2CAP_CONF_REQ_SENT)) { 2591 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
2389 u8 buf[64]; 2592 u8 buf[64];
2390 chan->conf_state |= L2CAP_CONF_REQ_SENT;
2391 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, 2593 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2392 l2cap_build_conf_req(chan, buf), buf); 2594 l2cap_build_conf_req(chan, buf), buf);
2393 chan->num_conf_req++; 2595 chan->num_conf_req++;
@@ -2452,7 +2654,7 @@ static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr
2452 2654
2453 default: 2655 default:
2454 sk->sk_err = ECONNRESET; 2656 sk->sk_err = ECONNRESET;
2455 l2cap_sock_set_timer(sk, HZ * 5); 2657 __set_chan_timer(chan, HZ * 5);
2456 l2cap_send_disconn_req(conn, chan, ECONNRESET); 2658 l2cap_send_disconn_req(conn, chan, ECONNRESET);
2457 goto done; 2659 goto done;
2458 } 2660 }
@@ -2460,12 +2662,12 @@ static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr
2460 if (flags & 0x01) 2662 if (flags & 0x01)
2461 goto done; 2663 goto done;
2462 2664
2463 chan->conf_state |= L2CAP_CONF_INPUT_DONE; 2665 set_bit(CONF_INPUT_DONE, &chan->conf_state);
2464 2666
2465 if (chan->conf_state & L2CAP_CONF_OUTPUT_DONE) { 2667 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
2466 set_default_fcs(chan); 2668 set_default_fcs(chan);
2467 2669
2468 sk->sk_state = BT_CONNECTED; 2670 l2cap_state_change(chan, BT_CONNECTED);
2469 chan->next_tx_seq = 0; 2671 chan->next_tx_seq = 0;
2470 chan->expected_tx_seq = 0; 2672 chan->expected_tx_seq = 0;
2471 skb_queue_head_init(&chan->tx_q); 2673 skb_queue_head_init(&chan->tx_q);
@@ -2507,9 +2709,9 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd
2507 2709
2508 /* don't delete l2cap channel if sk is owned by user */ 2710 /* don't delete l2cap channel if sk is owned by user */
2509 if (sock_owned_by_user(sk)) { 2711 if (sock_owned_by_user(sk)) {
2510 sk->sk_state = BT_DISCONN; 2712 l2cap_state_change(chan, BT_DISCONN);
2511 l2cap_sock_clear_timer(sk); 2713 __clear_chan_timer(chan);
2512 l2cap_sock_set_timer(sk, HZ / 5); 2714 __set_chan_timer(chan, HZ / 5);
2513 bh_unlock_sock(sk); 2715 bh_unlock_sock(sk);
2514 return 0; 2716 return 0;
2515 } 2717 }
@@ -2517,7 +2719,7 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd
2517 l2cap_chan_del(chan, ECONNRESET); 2719 l2cap_chan_del(chan, ECONNRESET);
2518 bh_unlock_sock(sk); 2720 bh_unlock_sock(sk);
2519 2721
2520 l2cap_sock_kill(sk); 2722 chan->ops->close(chan->data);
2521 return 0; 2723 return 0;
2522} 2724}
2523 2725
@@ -2541,9 +2743,9 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd
2541 2743
2542 /* don't delete l2cap channel if sk is owned by user */ 2744 /* don't delete l2cap channel if sk is owned by user */
2543 if (sock_owned_by_user(sk)) { 2745 if (sock_owned_by_user(sk)) {
2544 sk->sk_state = BT_DISCONN; 2746 l2cap_state_change(chan,BT_DISCONN);
2545 l2cap_sock_clear_timer(sk); 2747 __clear_chan_timer(chan);
2546 l2cap_sock_set_timer(sk, HZ / 5); 2748 __set_chan_timer(chan, HZ / 5);
2547 bh_unlock_sock(sk); 2749 bh_unlock_sock(sk);
2548 return 0; 2750 return 0;
2549 } 2751 }
@@ -2551,7 +2753,7 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd
2551 l2cap_chan_del(chan, 0); 2753 l2cap_chan_del(chan, 0);
2552 bh_unlock_sock(sk); 2754 bh_unlock_sock(sk);
2553 2755
2554 l2cap_sock_kill(sk); 2756 chan->ops->close(chan->data);
2555 return 0; 2757 return 0;
2556} 2758}
2557 2759
@@ -2819,12 +3021,12 @@ static inline void l2cap_sig_channel(struct l2cap_conn *conn,
2819 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data); 3021 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
2820 3022
2821 if (err) { 3023 if (err) {
2822 struct l2cap_cmd_rej rej; 3024 struct l2cap_cmd_rej_unk rej;
2823 3025
2824 BT_ERR("Wrong link type (%d)", err); 3026 BT_ERR("Wrong link type (%d)", err);
2825 3027
2826 /* FIXME: Map err to a valid reason */ 3028 /* FIXME: Map err to a valid reason */
2827 rej.reason = cpu_to_le16(0); 3029 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
2828 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej); 3030 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
2829 } 3031 }
2830 3032
@@ -2859,18 +3061,18 @@ static inline void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
2859 3061
2860 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT; 3062 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
2861 3063
2862 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) { 3064 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
2863 control |= L2CAP_SUPER_RCV_NOT_READY; 3065 control |= L2CAP_SUPER_RCV_NOT_READY;
2864 l2cap_send_sframe(chan, control); 3066 l2cap_send_sframe(chan, control);
2865 chan->conn_state |= L2CAP_CONN_RNR_SENT; 3067 set_bit(CONN_RNR_SENT, &chan->conn_state);
2866 } 3068 }
2867 3069
2868 if (chan->conn_state & L2CAP_CONN_REMOTE_BUSY) 3070 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2869 l2cap_retransmit_frames(chan); 3071 l2cap_retransmit_frames(chan);
2870 3072
2871 l2cap_ertm_send(chan); 3073 l2cap_ertm_send(chan);
2872 3074
2873 if (!(chan->conn_state & L2CAP_CONN_LOCAL_BUSY) && 3075 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2874 chan->frames_sent == 0) { 3076 chan->frames_sent == 0) {
2875 control |= L2CAP_SUPER_RCV_READY; 3077 control |= L2CAP_SUPER_RCV_READY;
2876 l2cap_send_sframe(chan, control); 3078 l2cap_send_sframe(chan, control);
@@ -2926,17 +3128,13 @@ static int l2cap_ertm_reassembly_sdu(struct l2cap_chan *chan, struct sk_buff *sk
2926 3128
2927 switch (control & L2CAP_CTRL_SAR) { 3129 switch (control & L2CAP_CTRL_SAR) {
2928 case L2CAP_SDU_UNSEGMENTED: 3130 case L2CAP_SDU_UNSEGMENTED:
2929 if (chan->conn_state & L2CAP_CONN_SAR_SDU) 3131 if (test_bit(CONN_SAR_SDU, &chan->conn_state))
2930 goto drop; 3132 goto drop;
2931 3133
2932 err = sock_queue_rcv_skb(chan->sk, skb); 3134 return chan->ops->recv(chan->data, skb);
2933 if (!err)
2934 return err;
2935
2936 break;
2937 3135
2938 case L2CAP_SDU_START: 3136 case L2CAP_SDU_START:
2939 if (chan->conn_state & L2CAP_CONN_SAR_SDU) 3137 if (test_bit(CONN_SAR_SDU, &chan->conn_state))
2940 goto drop; 3138 goto drop;
2941 3139
2942 chan->sdu_len = get_unaligned_le16(skb->data); 3140 chan->sdu_len = get_unaligned_le16(skb->data);
@@ -2955,12 +3153,12 @@ static int l2cap_ertm_reassembly_sdu(struct l2cap_chan *chan, struct sk_buff *sk
2955 3153
2956 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len); 3154 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
2957 3155
2958 chan->conn_state |= L2CAP_CONN_SAR_SDU; 3156 set_bit(CONN_SAR_SDU, &chan->conn_state);
2959 chan->partial_sdu_len = skb->len; 3157 chan->partial_sdu_len = skb->len;
2960 break; 3158 break;
2961 3159
2962 case L2CAP_SDU_CONTINUE: 3160 case L2CAP_SDU_CONTINUE:
2963 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU)) 3161 if (!test_bit(CONN_SAR_SDU, &chan->conn_state))
2964 goto disconnect; 3162 goto disconnect;
2965 3163
2966 if (!chan->sdu) 3164 if (!chan->sdu)
@@ -2975,39 +3173,34 @@ static int l2cap_ertm_reassembly_sdu(struct l2cap_chan *chan, struct sk_buff *sk
2975 break; 3173 break;
2976 3174
2977 case L2CAP_SDU_END: 3175 case L2CAP_SDU_END:
2978 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU)) 3176 if (!test_bit(CONN_SAR_SDU, &chan->conn_state))
2979 goto disconnect; 3177 goto disconnect;
2980 3178
2981 if (!chan->sdu) 3179 if (!chan->sdu)
2982 goto disconnect; 3180 goto disconnect;
2983 3181
2984 if (!(chan->conn_state & L2CAP_CONN_SAR_RETRY)) { 3182 chan->partial_sdu_len += skb->len;
2985 chan->partial_sdu_len += skb->len;
2986 3183
2987 if (chan->partial_sdu_len > chan->imtu) 3184 if (chan->partial_sdu_len > chan->imtu)
2988 goto drop; 3185 goto drop;
2989 3186
2990 if (chan->partial_sdu_len != chan->sdu_len) 3187 if (chan->partial_sdu_len != chan->sdu_len)
2991 goto drop; 3188 goto drop;
2992 3189
2993 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len); 3190 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
2994 }
2995 3191
2996 _skb = skb_clone(chan->sdu, GFP_ATOMIC); 3192 _skb = skb_clone(chan->sdu, GFP_ATOMIC);
2997 if (!_skb) { 3193 if (!_skb) {
2998 chan->conn_state |= L2CAP_CONN_SAR_RETRY;
2999 return -ENOMEM; 3194 return -ENOMEM;
3000 } 3195 }
3001 3196
3002 err = sock_queue_rcv_skb(chan->sk, _skb); 3197 err = chan->ops->recv(chan->data, _skb);
3003 if (err < 0) { 3198 if (err < 0) {
3004 kfree_skb(_skb); 3199 kfree_skb(_skb);
3005 chan->conn_state |= L2CAP_CONN_SAR_RETRY;
3006 return err; 3200 return err;
3007 } 3201 }
3008 3202
3009 chan->conn_state &= ~L2CAP_CONN_SAR_RETRY; 3203 clear_bit(CONN_SAR_SDU, &chan->conn_state);
3010 chan->conn_state &= ~L2CAP_CONN_SAR_SDU;
3011 3204
3012 kfree_skb(chan->sdu); 3205 kfree_skb(chan->sdu);
3013 break; 3206 break;
@@ -3026,128 +3219,55 @@ disconnect:
3026 return 0; 3219 return 0;
3027} 3220}
3028 3221
3029static int l2cap_try_push_rx_skb(struct l2cap_chan *chan) 3222static void l2cap_ertm_enter_local_busy(struct l2cap_chan *chan)
3030{ 3223{
3031 struct sk_buff *skb;
3032 u16 control; 3224 u16 control;
3033 int err;
3034 3225
3035 while ((skb = skb_dequeue(&chan->busy_q))) { 3226 BT_DBG("chan %p, Enter local busy", chan);
3036 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
3037 err = l2cap_ertm_reassembly_sdu(chan, skb, control);
3038 if (err < 0) {
3039 skb_queue_head(&chan->busy_q, skb);
3040 return -EBUSY;
3041 }
3042 3227
3043 chan->buffer_seq = (chan->buffer_seq + 1) % 64; 3228 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
3044 }
3045
3046 if (!(chan->conn_state & L2CAP_CONN_RNR_SENT))
3047 goto done;
3048 3229
3049 control = chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT; 3230 control = chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3050 control |= L2CAP_SUPER_RCV_READY | L2CAP_CTRL_POLL; 3231 control |= L2CAP_SUPER_RCV_NOT_READY;
3051 l2cap_send_sframe(chan, control); 3232 l2cap_send_sframe(chan, control);
3052 chan->retry_count = 1;
3053
3054 del_timer(&chan->retrans_timer);
3055 __mod_monitor_timer();
3056
3057 chan->conn_state |= L2CAP_CONN_WAIT_F;
3058 3233
3059done: 3234 set_bit(CONN_RNR_SENT, &chan->conn_state);
3060 chan->conn_state &= ~L2CAP_CONN_LOCAL_BUSY;
3061 chan->conn_state &= ~L2CAP_CONN_RNR_SENT;
3062
3063 BT_DBG("chan %p, Exit local busy", chan);
3064 3235
3065 return 0; 3236 __clear_ack_timer(chan);
3066} 3237}
3067 3238
3068static void l2cap_busy_work(struct work_struct *work) 3239static void l2cap_ertm_exit_local_busy(struct l2cap_chan *chan)
3069{ 3240{
3070 DECLARE_WAITQUEUE(wait, current); 3241 u16 control;
3071 struct l2cap_chan *chan =
3072 container_of(work, struct l2cap_chan, busy_work);
3073 struct sock *sk = chan->sk;
3074 int n_tries = 0, timeo = HZ/5, err;
3075 struct sk_buff *skb;
3076
3077 lock_sock(sk);
3078
3079 add_wait_queue(sk_sleep(sk), &wait);
3080 while ((skb = skb_peek(&chan->busy_q))) {
3081 set_current_state(TASK_INTERRUPTIBLE);
3082 3242
3083 if (n_tries++ > L2CAP_LOCAL_BUSY_TRIES) { 3243 if (!test_bit(CONN_RNR_SENT, &chan->conn_state))
3084 err = -EBUSY; 3244 goto done;
3085 l2cap_send_disconn_req(chan->conn, chan, EBUSY);
3086 break;
3087 }
3088 3245
3089 if (!timeo) 3246 control = chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3090 timeo = HZ/5; 3247 control |= L2CAP_SUPER_RCV_READY | L2CAP_CTRL_POLL;
3248 l2cap_send_sframe(chan, control);
3249 chan->retry_count = 1;
3091 3250
3092 if (signal_pending(current)) { 3251 __clear_retrans_timer(chan);
3093 err = sock_intr_errno(timeo); 3252 __set_monitor_timer(chan);
3094 break;
3095 }
3096 3253
3097 release_sock(sk); 3254 set_bit(CONN_WAIT_F, &chan->conn_state);
3098 timeo = schedule_timeout(timeo);
3099 lock_sock(sk);
3100 3255
3101 err = sock_error(sk); 3256done:
3102 if (err) 3257 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
3103 break; 3258 clear_bit(CONN_RNR_SENT, &chan->conn_state);
3104
3105 if (l2cap_try_push_rx_skb(chan) == 0)
3106 break;
3107 }
3108
3109 set_current_state(TASK_RUNNING);
3110 remove_wait_queue(sk_sleep(sk), &wait);
3111 3259
3112 release_sock(sk); 3260 BT_DBG("chan %p, Exit local busy", chan);
3113} 3261}
3114 3262
3115static int l2cap_push_rx_skb(struct l2cap_chan *chan, struct sk_buff *skb, u16 control) 3263void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
3116{ 3264{
3117 int sctrl, err; 3265 if (chan->mode == L2CAP_MODE_ERTM) {
3118 3266 if (busy)
3119 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) { 3267 l2cap_ertm_enter_local_busy(chan);
3120 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT; 3268 else
3121 __skb_queue_tail(&chan->busy_q, skb); 3269 l2cap_ertm_exit_local_busy(chan);
3122 return l2cap_try_push_rx_skb(chan);
3123
3124
3125 }
3126
3127 err = l2cap_ertm_reassembly_sdu(chan, skb, control);
3128 if (err >= 0) {
3129 chan->buffer_seq = (chan->buffer_seq + 1) % 64;
3130 return err;
3131 } 3270 }
3132
3133 /* Busy Condition */
3134 BT_DBG("chan %p, Enter local busy", chan);
3135
3136 chan->conn_state |= L2CAP_CONN_LOCAL_BUSY;
3137 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
3138 __skb_queue_tail(&chan->busy_q, skb);
3139
3140 sctrl = chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3141 sctrl |= L2CAP_SUPER_RCV_NOT_READY;
3142 l2cap_send_sframe(chan, sctrl);
3143
3144 chan->conn_state |= L2CAP_CONN_RNR_SENT;
3145
3146 del_timer(&chan->ack_timer);
3147
3148 queue_work(_busy_wq, &chan->busy_work);
3149
3150 return err;
3151} 3271}
3152 3272
3153static int l2cap_streaming_reassembly_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u16 control) 3273static int l2cap_streaming_reassembly_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u16 control)
@@ -3162,19 +3282,19 @@ static int l2cap_streaming_reassembly_sdu(struct l2cap_chan *chan, struct sk_buf
3162 3282
3163 switch (control & L2CAP_CTRL_SAR) { 3283 switch (control & L2CAP_CTRL_SAR) {
3164 case L2CAP_SDU_UNSEGMENTED: 3284 case L2CAP_SDU_UNSEGMENTED:
3165 if (chan->conn_state & L2CAP_CONN_SAR_SDU) { 3285 if (test_bit(CONN_SAR_SDU, &chan->conn_state)) {
3166 kfree_skb(chan->sdu); 3286 kfree_skb(chan->sdu);
3167 break; 3287 break;
3168 } 3288 }
3169 3289
3170 err = sock_queue_rcv_skb(chan->sk, skb); 3290 err = chan->ops->recv(chan->data, skb);
3171 if (!err) 3291 if (!err)
3172 return 0; 3292 return 0;
3173 3293
3174 break; 3294 break;
3175 3295
3176 case L2CAP_SDU_START: 3296 case L2CAP_SDU_START:
3177 if (chan->conn_state & L2CAP_CONN_SAR_SDU) { 3297 if (test_bit(CONN_SAR_SDU, &chan->conn_state)) {
3178 kfree_skb(chan->sdu); 3298 kfree_skb(chan->sdu);
3179 break; 3299 break;
3180 } 3300 }
@@ -3195,13 +3315,13 @@ static int l2cap_streaming_reassembly_sdu(struct l2cap_chan *chan, struct sk_buf
3195 3315
3196 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len); 3316 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
3197 3317
3198 chan->conn_state |= L2CAP_CONN_SAR_SDU; 3318 set_bit(CONN_SAR_SDU, &chan->conn_state);
3199 chan->partial_sdu_len = skb->len; 3319 chan->partial_sdu_len = skb->len;
3200 err = 0; 3320 err = 0;
3201 break; 3321 break;
3202 3322
3203 case L2CAP_SDU_CONTINUE: 3323 case L2CAP_SDU_CONTINUE:
3204 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU)) 3324 if (!test_bit(CONN_SAR_SDU, &chan->conn_state))
3205 break; 3325 break;
3206 3326
3207 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len); 3327 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
@@ -3215,12 +3335,12 @@ static int l2cap_streaming_reassembly_sdu(struct l2cap_chan *chan, struct sk_buf
3215 break; 3335 break;
3216 3336
3217 case L2CAP_SDU_END: 3337 case L2CAP_SDU_END:
3218 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU)) 3338 if (!test_bit(CONN_SAR_SDU, &chan->conn_state))
3219 break; 3339 break;
3220 3340
3221 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len); 3341 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
3222 3342
3223 chan->conn_state &= ~L2CAP_CONN_SAR_SDU; 3343 clear_bit(CONN_SAR_SDU, &chan->conn_state);
3224 chan->partial_sdu_len += skb->len; 3344 chan->partial_sdu_len += skb->len;
3225 3345
3226 if (chan->partial_sdu_len > chan->imtu) 3346 if (chan->partial_sdu_len > chan->imtu)
@@ -3228,7 +3348,7 @@ static int l2cap_streaming_reassembly_sdu(struct l2cap_chan *chan, struct sk_buf
3228 3348
3229 if (chan->partial_sdu_len == chan->sdu_len) { 3349 if (chan->partial_sdu_len == chan->sdu_len) {
3230 _skb = skb_clone(chan->sdu, GFP_ATOMIC); 3350 _skb = skb_clone(chan->sdu, GFP_ATOMIC);
3231 err = sock_queue_rcv_skb(chan->sk, _skb); 3351 err = chan->ops->recv(chan->data, _skb);
3232 if (err < 0) 3352 if (err < 0)
3233 kfree_skb(_skb); 3353 kfree_skb(_skb);
3234 } 3354 }
@@ -3248,13 +3368,22 @@ static void l2cap_check_srej_gap(struct l2cap_chan *chan, u8 tx_seq)
3248 struct sk_buff *skb; 3368 struct sk_buff *skb;
3249 u16 control; 3369 u16 control;
3250 3370
3251 while ((skb = skb_peek(&chan->srej_q))) { 3371 while ((skb = skb_peek(&chan->srej_q)) &&
3372 !test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
3373 int err;
3374
3252 if (bt_cb(skb)->tx_seq != tx_seq) 3375 if (bt_cb(skb)->tx_seq != tx_seq)
3253 break; 3376 break;
3254 3377
3255 skb = skb_dequeue(&chan->srej_q); 3378 skb = skb_dequeue(&chan->srej_q);
3256 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT; 3379 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
3257 l2cap_ertm_reassembly_sdu(chan, skb, control); 3380 err = l2cap_ertm_reassembly_sdu(chan, skb, control);
3381
3382 if (err < 0) {
3383 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3384 break;
3385 }
3386
3258 chan->buffer_seq_srej = 3387 chan->buffer_seq_srej =
3259 (chan->buffer_seq_srej + 1) % 64; 3388 (chan->buffer_seq_srej + 1) % 64;
3260 tx_seq = (tx_seq + 1) % 64; 3389 tx_seq = (tx_seq + 1) % 64;
@@ -3311,19 +3440,16 @@ static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u16 rx_cont
3311 tx_seq, rx_control); 3440 tx_seq, rx_control);
3312 3441
3313 if (L2CAP_CTRL_FINAL & rx_control && 3442 if (L2CAP_CTRL_FINAL & rx_control &&
3314 chan->conn_state & L2CAP_CONN_WAIT_F) { 3443 test_bit(CONN_WAIT_F, &chan->conn_state)) {
3315 del_timer(&chan->monitor_timer); 3444 __clear_monitor_timer(chan);
3316 if (chan->unacked_frames > 0) 3445 if (chan->unacked_frames > 0)
3317 __mod_retrans_timer(); 3446 __set_retrans_timer(chan);
3318 chan->conn_state &= ~L2CAP_CONN_WAIT_F; 3447 clear_bit(CONN_WAIT_F, &chan->conn_state);
3319 } 3448 }
3320 3449
3321 chan->expected_ack_seq = req_seq; 3450 chan->expected_ack_seq = req_seq;
3322 l2cap_drop_acked_frames(chan); 3451 l2cap_drop_acked_frames(chan);
3323 3452
3324 if (tx_seq == chan->expected_tx_seq)
3325 goto expected;
3326
3327 tx_seq_offset = (tx_seq - chan->buffer_seq) % 64; 3453 tx_seq_offset = (tx_seq - chan->buffer_seq) % 64;
3328 if (tx_seq_offset < 0) 3454 if (tx_seq_offset < 0)
3329 tx_seq_offset += 64; 3455 tx_seq_offset += 64;
@@ -3334,10 +3460,13 @@ static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u16 rx_cont
3334 goto drop; 3460 goto drop;
3335 } 3461 }
3336 3462
3337 if (chan->conn_state == L2CAP_CONN_LOCAL_BUSY) 3463 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
3338 goto drop; 3464 goto drop;
3339 3465
3340 if (chan->conn_state & L2CAP_CONN_SREJ_SENT) { 3466 if (tx_seq == chan->expected_tx_seq)
3467 goto expected;
3468
3469 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3341 struct srej_list *first; 3470 struct srej_list *first;
3342 3471
3343 first = list_first_entry(&chan->srej_l, 3472 first = list_first_entry(&chan->srej_l,
@@ -3351,7 +3480,7 @@ static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u16 rx_cont
3351 3480
3352 if (list_empty(&chan->srej_l)) { 3481 if (list_empty(&chan->srej_l)) {
3353 chan->buffer_seq = chan->buffer_seq_srej; 3482 chan->buffer_seq = chan->buffer_seq_srej;
3354 chan->conn_state &= ~L2CAP_CONN_SREJ_SENT; 3483 clear_bit(CONN_SREJ_SENT, &chan->conn_state);
3355 l2cap_send_ack(chan); 3484 l2cap_send_ack(chan);
3356 BT_DBG("chan %p, Exit SREJ_SENT", chan); 3485 BT_DBG("chan %p, Exit SREJ_SENT", chan);
3357 } 3486 }
@@ -3380,7 +3509,7 @@ static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u16 rx_cont
3380 if (tx_seq_offset < expected_tx_seq_offset) 3509 if (tx_seq_offset < expected_tx_seq_offset)
3381 goto drop; 3510 goto drop;
3382 3511
3383 chan->conn_state |= L2CAP_CONN_SREJ_SENT; 3512 set_bit(CONN_SREJ_SENT, &chan->conn_state);
3384 3513
3385 BT_DBG("chan %p, Enter SREJ", chan); 3514 BT_DBG("chan %p, Enter SREJ", chan);
3386 3515
@@ -3388,39 +3517,39 @@ static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u16 rx_cont
3388 chan->buffer_seq_srej = chan->buffer_seq; 3517 chan->buffer_seq_srej = chan->buffer_seq;
3389 3518
3390 __skb_queue_head_init(&chan->srej_q); 3519 __skb_queue_head_init(&chan->srej_q);
3391 __skb_queue_head_init(&chan->busy_q);
3392 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar); 3520 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
3393 3521
3394 chan->conn_state |= L2CAP_CONN_SEND_PBIT; 3522 set_bit(CONN_SEND_PBIT, &chan->conn_state);
3395 3523
3396 l2cap_send_srejframe(chan, tx_seq); 3524 l2cap_send_srejframe(chan, tx_seq);
3397 3525
3398 del_timer(&chan->ack_timer); 3526 __clear_ack_timer(chan);
3399 } 3527 }
3400 return 0; 3528 return 0;
3401 3529
3402expected: 3530expected:
3403 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64; 3531 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
3404 3532
3405 if (chan->conn_state & L2CAP_CONN_SREJ_SENT) { 3533 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3406 bt_cb(skb)->tx_seq = tx_seq; 3534 bt_cb(skb)->tx_seq = tx_seq;
3407 bt_cb(skb)->sar = sar; 3535 bt_cb(skb)->sar = sar;
3408 __skb_queue_tail(&chan->srej_q, skb); 3536 __skb_queue_tail(&chan->srej_q, skb);
3409 return 0; 3537 return 0;
3410 } 3538 }
3411 3539
3412 err = l2cap_push_rx_skb(chan, skb, rx_control); 3540 err = l2cap_ertm_reassembly_sdu(chan, skb, rx_control);
3413 if (err < 0) 3541 chan->buffer_seq = (chan->buffer_seq + 1) % 64;
3414 return 0; 3542 if (err < 0) {
3543 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3544 return err;
3545 }
3415 3546
3416 if (rx_control & L2CAP_CTRL_FINAL) { 3547 if (rx_control & L2CAP_CTRL_FINAL) {
3417 if (chan->conn_state & L2CAP_CONN_REJ_ACT) 3548 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
3418 chan->conn_state &= ~L2CAP_CONN_REJ_ACT;
3419 else
3420 l2cap_retransmit_frames(chan); 3549 l2cap_retransmit_frames(chan);
3421 } 3550 }
3422 3551
3423 __mod_ack_timer(); 3552 __set_ack_timer(chan);
3424 3553
3425 chan->num_acked = (chan->num_acked + 1) % num_to_ack; 3554 chan->num_acked = (chan->num_acked + 1) % num_to_ack;
3426 if (chan->num_acked == num_to_ack - 1) 3555 if (chan->num_acked == num_to_ack - 1)
@@ -3442,33 +3571,31 @@ static inline void l2cap_data_channel_rrframe(struct l2cap_chan *chan, u16 rx_co
3442 l2cap_drop_acked_frames(chan); 3571 l2cap_drop_acked_frames(chan);
3443 3572
3444 if (rx_control & L2CAP_CTRL_POLL) { 3573 if (rx_control & L2CAP_CTRL_POLL) {
3445 chan->conn_state |= L2CAP_CONN_SEND_FBIT; 3574 set_bit(CONN_SEND_FBIT, &chan->conn_state);
3446 if (chan->conn_state & L2CAP_CONN_SREJ_SENT) { 3575 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3447 if ((chan->conn_state & L2CAP_CONN_REMOTE_BUSY) && 3576 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
3448 (chan->unacked_frames > 0)) 3577 (chan->unacked_frames > 0))
3449 __mod_retrans_timer(); 3578 __set_retrans_timer(chan);
3450 3579
3451 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY; 3580 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
3452 l2cap_send_srejtail(chan); 3581 l2cap_send_srejtail(chan);
3453 } else { 3582 } else {
3454 l2cap_send_i_or_rr_or_rnr(chan); 3583 l2cap_send_i_or_rr_or_rnr(chan);
3455 } 3584 }
3456 3585
3457 } else if (rx_control & L2CAP_CTRL_FINAL) { 3586 } else if (rx_control & L2CAP_CTRL_FINAL) {
3458 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY; 3587 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
3459 3588
3460 if (chan->conn_state & L2CAP_CONN_REJ_ACT) 3589 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
3461 chan->conn_state &= ~L2CAP_CONN_REJ_ACT;
3462 else
3463 l2cap_retransmit_frames(chan); 3590 l2cap_retransmit_frames(chan);
3464 3591
3465 } else { 3592 } else {
3466 if ((chan->conn_state & L2CAP_CONN_REMOTE_BUSY) && 3593 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
3467 (chan->unacked_frames > 0)) 3594 (chan->unacked_frames > 0))
3468 __mod_retrans_timer(); 3595 __set_retrans_timer(chan);
3469 3596
3470 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY; 3597 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
3471 if (chan->conn_state & L2CAP_CONN_SREJ_SENT) 3598 if (test_bit(CONN_SREJ_SENT, &chan->conn_state))
3472 l2cap_send_ack(chan); 3599 l2cap_send_ack(chan);
3473 else 3600 else
3474 l2cap_ertm_send(chan); 3601 l2cap_ertm_send(chan);
@@ -3481,21 +3608,19 @@ static inline void l2cap_data_channel_rejframe(struct l2cap_chan *chan, u16 rx_c
3481 3608
3482 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control); 3609 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
3483 3610
3484 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY; 3611 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
3485 3612
3486 chan->expected_ack_seq = tx_seq; 3613 chan->expected_ack_seq = tx_seq;
3487 l2cap_drop_acked_frames(chan); 3614 l2cap_drop_acked_frames(chan);
3488 3615
3489 if (rx_control & L2CAP_CTRL_FINAL) { 3616 if (rx_control & L2CAP_CTRL_FINAL) {
3490 if (chan->conn_state & L2CAP_CONN_REJ_ACT) 3617 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
3491 chan->conn_state &= ~L2CAP_CONN_REJ_ACT;
3492 else
3493 l2cap_retransmit_frames(chan); 3618 l2cap_retransmit_frames(chan);
3494 } else { 3619 } else {
3495 l2cap_retransmit_frames(chan); 3620 l2cap_retransmit_frames(chan);
3496 3621
3497 if (chan->conn_state & L2CAP_CONN_WAIT_F) 3622 if (test_bit(CONN_WAIT_F, &chan->conn_state))
3498 chan->conn_state |= L2CAP_CONN_REJ_ACT; 3623 set_bit(CONN_REJ_ACT, &chan->conn_state);
3499 } 3624 }
3500} 3625}
3501static inline void l2cap_data_channel_srejframe(struct l2cap_chan *chan, u16 rx_control) 3626static inline void l2cap_data_channel_srejframe(struct l2cap_chan *chan, u16 rx_control)
@@ -3504,32 +3629,32 @@ static inline void l2cap_data_channel_srejframe(struct l2cap_chan *chan, u16 rx_
3504 3629
3505 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control); 3630 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
3506 3631
3507 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY; 3632 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
3508 3633
3509 if (rx_control & L2CAP_CTRL_POLL) { 3634 if (rx_control & L2CAP_CTRL_POLL) {
3510 chan->expected_ack_seq = tx_seq; 3635 chan->expected_ack_seq = tx_seq;
3511 l2cap_drop_acked_frames(chan); 3636 l2cap_drop_acked_frames(chan);
3512 3637
3513 chan->conn_state |= L2CAP_CONN_SEND_FBIT; 3638 set_bit(CONN_SEND_FBIT, &chan->conn_state);
3514 l2cap_retransmit_one_frame(chan, tx_seq); 3639 l2cap_retransmit_one_frame(chan, tx_seq);
3515 3640
3516 l2cap_ertm_send(chan); 3641 l2cap_ertm_send(chan);
3517 3642
3518 if (chan->conn_state & L2CAP_CONN_WAIT_F) { 3643 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
3519 chan->srej_save_reqseq = tx_seq; 3644 chan->srej_save_reqseq = tx_seq;
3520 chan->conn_state |= L2CAP_CONN_SREJ_ACT; 3645 set_bit(CONN_SREJ_ACT, &chan->conn_state);
3521 } 3646 }
3522 } else if (rx_control & L2CAP_CTRL_FINAL) { 3647 } else if (rx_control & L2CAP_CTRL_FINAL) {
3523 if ((chan->conn_state & L2CAP_CONN_SREJ_ACT) && 3648 if (test_bit(CONN_SREJ_ACT, &chan->conn_state) &&
3524 chan->srej_save_reqseq == tx_seq) 3649 chan->srej_save_reqseq == tx_seq)
3525 chan->conn_state &= ~L2CAP_CONN_SREJ_ACT; 3650 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
3526 else 3651 else
3527 l2cap_retransmit_one_frame(chan, tx_seq); 3652 l2cap_retransmit_one_frame(chan, tx_seq);
3528 } else { 3653 } else {
3529 l2cap_retransmit_one_frame(chan, tx_seq); 3654 l2cap_retransmit_one_frame(chan, tx_seq);
3530 if (chan->conn_state & L2CAP_CONN_WAIT_F) { 3655 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
3531 chan->srej_save_reqseq = tx_seq; 3656 chan->srej_save_reqseq = tx_seq;
3532 chan->conn_state |= L2CAP_CONN_SREJ_ACT; 3657 set_bit(CONN_SREJ_ACT, &chan->conn_state);
3533 } 3658 }
3534 } 3659 }
3535} 3660}
@@ -3540,15 +3665,15 @@ static inline void l2cap_data_channel_rnrframe(struct l2cap_chan *chan, u16 rx_c
3540 3665
3541 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control); 3666 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
3542 3667
3543 chan->conn_state |= L2CAP_CONN_REMOTE_BUSY; 3668 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
3544 chan->expected_ack_seq = tx_seq; 3669 chan->expected_ack_seq = tx_seq;
3545 l2cap_drop_acked_frames(chan); 3670 l2cap_drop_acked_frames(chan);
3546 3671
3547 if (rx_control & L2CAP_CTRL_POLL) 3672 if (rx_control & L2CAP_CTRL_POLL)
3548 chan->conn_state |= L2CAP_CONN_SEND_FBIT; 3673 set_bit(CONN_SEND_FBIT, &chan->conn_state);
3549 3674
3550 if (!(chan->conn_state & L2CAP_CONN_SREJ_SENT)) { 3675 if (!test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3551 del_timer(&chan->retrans_timer); 3676 __clear_retrans_timer(chan);
3552 if (rx_control & L2CAP_CTRL_POLL) 3677 if (rx_control & L2CAP_CTRL_POLL)
3553 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_FINAL); 3678 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_FINAL);
3554 return; 3679 return;
@@ -3565,11 +3690,11 @@ static inline int l2cap_data_channel_sframe(struct l2cap_chan *chan, u16 rx_cont
3565 BT_DBG("chan %p rx_control 0x%4.4x len %d", chan, rx_control, skb->len); 3690 BT_DBG("chan %p rx_control 0x%4.4x len %d", chan, rx_control, skb->len);
3566 3691
3567 if (L2CAP_CTRL_FINAL & rx_control && 3692 if (L2CAP_CTRL_FINAL & rx_control &&
3568 chan->conn_state & L2CAP_CONN_WAIT_F) { 3693 test_bit(CONN_WAIT_F, &chan->conn_state)) {
3569 del_timer(&chan->monitor_timer); 3694 __clear_monitor_timer(chan);
3570 if (chan->unacked_frames > 0) 3695 if (chan->unacked_frames > 0)
3571 __mod_retrans_timer(); 3696 __set_retrans_timer(chan);
3572 chan->conn_state &= ~L2CAP_CONN_WAIT_F; 3697 clear_bit(CONN_WAIT_F, &chan->conn_state);
3573 } 3698 }
3574 3699
3575 switch (rx_control & L2CAP_CTRL_SUPERVISE) { 3700 switch (rx_control & L2CAP_CTRL_SUPERVISE) {
@@ -3668,7 +3793,6 @@ static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk
3668{ 3793{
3669 struct l2cap_chan *chan; 3794 struct l2cap_chan *chan;
3670 struct sock *sk = NULL; 3795 struct sock *sk = NULL;
3671 struct l2cap_pinfo *pi;
3672 u16 control; 3796 u16 control;
3673 u8 tx_seq; 3797 u8 tx_seq;
3674 int len; 3798 int len;
@@ -3680,11 +3804,10 @@ static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk
3680 } 3804 }
3681 3805
3682 sk = chan->sk; 3806 sk = chan->sk;
3683 pi = l2cap_pi(sk);
3684 3807
3685 BT_DBG("chan %p, len %d", chan, skb->len); 3808 BT_DBG("chan %p, len %d", chan, skb->len);
3686 3809
3687 if (sk->sk_state != BT_CONNECTED) 3810 if (chan->state != BT_CONNECTED)
3688 goto drop; 3811 goto drop;
3689 3812
3690 switch (chan->mode) { 3813 switch (chan->mode) {
@@ -3697,7 +3820,7 @@ static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk
3697 if (chan->imtu < skb->len) 3820 if (chan->imtu < skb->len)
3698 goto drop; 3821 goto drop;
3699 3822
3700 if (!sock_queue_rcv_skb(sk, skb)) 3823 if (!chan->ops->recv(chan->data, skb))
3701 goto done; 3824 goto done;
3702 break; 3825 break;
3703 3826
@@ -3769,13 +3892,13 @@ static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, str
3769 3892
3770 BT_DBG("sk %p, len %d", sk, skb->len); 3893 BT_DBG("sk %p, len %d", sk, skb->len);
3771 3894
3772 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_CONNECTED) 3895 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
3773 goto drop; 3896 goto drop;
3774 3897
3775 if (l2cap_pi(sk)->chan->imtu < skb->len) 3898 if (chan->imtu < skb->len)
3776 goto drop; 3899 goto drop;
3777 3900
3778 if (!sock_queue_rcv_skb(sk, skb)) 3901 if (!chan->ops->recv(chan->data, skb))
3779 goto done; 3902 goto done;
3780 3903
3781drop: 3904drop:
@@ -3802,13 +3925,13 @@ static inline int l2cap_att_channel(struct l2cap_conn *conn, __le16 cid, struct
3802 3925
3803 BT_DBG("sk %p, len %d", sk, skb->len); 3926 BT_DBG("sk %p, len %d", sk, skb->len);
3804 3927
3805 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_CONNECTED) 3928 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
3806 goto drop; 3929 goto drop;
3807 3930
3808 if (l2cap_pi(sk)->chan->imtu < skb->len) 3931 if (chan->imtu < skb->len)
3809 goto drop; 3932 goto drop;
3810 3933
3811 if (!sock_queue_rcv_skb(sk, skb)) 3934 if (!chan->ops->recv(chan->data, skb))
3812 goto done; 3935 goto done;
3813 3936
3814drop: 3937drop:
@@ -3853,6 +3976,11 @@ static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
3853 l2cap_att_channel(conn, cid, skb); 3976 l2cap_att_channel(conn, cid, skb);
3854 break; 3977 break;
3855 3978
3979 case L2CAP_CID_SMP:
3980 if (smp_sig_channel(conn, skb))
3981 l2cap_conn_del(conn->hcon, EACCES);
3982 break;
3983
3856 default: 3984 default:
3857 l2cap_data_channel(conn, cid, skb); 3985 l2cap_data_channel(conn, cid, skb);
3858 break; 3986 break;
@@ -3876,7 +4004,7 @@ static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
3876 list_for_each_entry(c, &chan_list, global_l) { 4004 list_for_each_entry(c, &chan_list, global_l) {
3877 struct sock *sk = c->sk; 4005 struct sock *sk = c->sk;
3878 4006
3879 if (sk->sk_state != BT_LISTEN) 4007 if (c->state != BT_LISTEN)
3880 continue; 4008 continue;
3881 4009
3882 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) { 4010 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
@@ -3909,7 +4037,7 @@ static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
3909 if (conn) 4037 if (conn)
3910 l2cap_conn_ready(conn); 4038 l2cap_conn_ready(conn);
3911 } else 4039 } else
3912 l2cap_conn_del(hcon, bt_err(status)); 4040 l2cap_conn_del(hcon, bt_to_errno(status));
3913 4041
3914 return 0; 4042 return 0;
3915} 4043}
@@ -3920,7 +4048,7 @@ static int l2cap_disconn_ind(struct hci_conn *hcon)
3920 4048
3921 BT_DBG("hcon %p", hcon); 4049 BT_DBG("hcon %p", hcon);
3922 4050
3923 if (hcon->type != ACL_LINK || !conn) 4051 if ((hcon->type != ACL_LINK && hcon->type != LE_LINK) || !conn)
3924 return 0x13; 4052 return 0x13;
3925 4053
3926 return conn->disc_reason; 4054 return conn->disc_reason;
@@ -3933,27 +4061,25 @@ static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
3933 if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK)) 4061 if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK))
3934 return -EINVAL; 4062 return -EINVAL;
3935 4063
3936 l2cap_conn_del(hcon, bt_err(reason)); 4064 l2cap_conn_del(hcon, bt_to_errno(reason));
3937 4065
3938 return 0; 4066 return 0;
3939} 4067}
3940 4068
3941static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt) 4069static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
3942{ 4070{
3943 struct sock *sk = chan->sk; 4071 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
3944
3945 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM)
3946 return; 4072 return;
3947 4073
3948 if (encrypt == 0x00) { 4074 if (encrypt == 0x00) {
3949 if (chan->sec_level == BT_SECURITY_MEDIUM) { 4075 if (chan->sec_level == BT_SECURITY_MEDIUM) {
3950 l2cap_sock_clear_timer(sk); 4076 __clear_chan_timer(chan);
3951 l2cap_sock_set_timer(sk, HZ * 5); 4077 __set_chan_timer(chan, HZ * 5);
3952 } else if (chan->sec_level == BT_SECURITY_HIGH) 4078 } else if (chan->sec_level == BT_SECURITY_HIGH)
3953 __l2cap_sock_close(sk, ECONNREFUSED); 4079 l2cap_chan_close(chan, ECONNREFUSED);
3954 } else { 4080 } else {
3955 if (chan->sec_level == BT_SECURITY_MEDIUM) 4081 if (chan->sec_level == BT_SECURITY_MEDIUM)
3956 l2cap_sock_clear_timer(sk); 4082 __clear_chan_timer(chan);
3957 } 4083 }
3958} 4084}
3959 4085
@@ -3974,34 +4100,48 @@ static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
3974 4100
3975 bh_lock_sock(sk); 4101 bh_lock_sock(sk);
3976 4102
3977 if (chan->conf_state & L2CAP_CONF_CONNECT_PEND) { 4103 BT_DBG("chan->scid %d", chan->scid);
4104
4105 if (chan->scid == L2CAP_CID_LE_DATA) {
4106 if (!status && encrypt) {
4107 chan->sec_level = hcon->sec_level;
4108 del_timer(&conn->security_timer);
4109 l2cap_chan_ready(sk);
4110 smp_distribute_keys(conn, 0);
4111 }
4112
3978 bh_unlock_sock(sk); 4113 bh_unlock_sock(sk);
3979 continue; 4114 continue;
3980 } 4115 }
3981 4116
3982 if (!status && (sk->sk_state == BT_CONNECTED || 4117 if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
3983 sk->sk_state == BT_CONFIG)) { 4118 bh_unlock_sock(sk);
4119 continue;
4120 }
4121
4122 if (!status && (chan->state == BT_CONNECTED ||
4123 chan->state == BT_CONFIG)) {
3984 l2cap_check_encryption(chan, encrypt); 4124 l2cap_check_encryption(chan, encrypt);
3985 bh_unlock_sock(sk); 4125 bh_unlock_sock(sk);
3986 continue; 4126 continue;
3987 } 4127 }
3988 4128
3989 if (sk->sk_state == BT_CONNECT) { 4129 if (chan->state == BT_CONNECT) {
3990 if (!status) { 4130 if (!status) {
3991 struct l2cap_conn_req req; 4131 struct l2cap_conn_req req;
3992 req.scid = cpu_to_le16(chan->scid); 4132 req.scid = cpu_to_le16(chan->scid);
3993 req.psm = chan->psm; 4133 req.psm = chan->psm;
3994 4134
3995 chan->ident = l2cap_get_ident(conn); 4135 chan->ident = l2cap_get_ident(conn);
3996 chan->conf_state |= L2CAP_CONF_CONNECT_PEND; 4136 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
3997 4137
3998 l2cap_send_cmd(conn, chan->ident, 4138 l2cap_send_cmd(conn, chan->ident,
3999 L2CAP_CONN_REQ, sizeof(req), &req); 4139 L2CAP_CONN_REQ, sizeof(req), &req);
4000 } else { 4140 } else {
4001 l2cap_sock_clear_timer(sk); 4141 __clear_chan_timer(chan);
4002 l2cap_sock_set_timer(sk, HZ / 10); 4142 __set_chan_timer(chan, HZ / 10);
4003 } 4143 }
4004 } else if (sk->sk_state == BT_CONNECT2) { 4144 } else if (chan->state == BT_CONNECT2) {
4005 struct l2cap_conn_rsp rsp; 4145 struct l2cap_conn_rsp rsp;
4006 __u16 res, stat; 4146 __u16 res, stat;
4007 4147
@@ -4013,13 +4153,13 @@ static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
4013 if (parent) 4153 if (parent)
4014 parent->sk_data_ready(parent, 0); 4154 parent->sk_data_ready(parent, 0);
4015 } else { 4155 } else {
4016 sk->sk_state = BT_CONFIG; 4156 l2cap_state_change(chan, BT_CONFIG);
4017 res = L2CAP_CR_SUCCESS; 4157 res = L2CAP_CR_SUCCESS;
4018 stat = L2CAP_CS_NO_INFO; 4158 stat = L2CAP_CS_NO_INFO;
4019 } 4159 }
4020 } else { 4160 } else {
4021 sk->sk_state = BT_DISCONN; 4161 l2cap_state_change(chan, BT_DISCONN);
4022 l2cap_sock_set_timer(sk, HZ / 10); 4162 __set_chan_timer(chan, HZ / 10);
4023 res = L2CAP_CR_SEC_BLOCK; 4163 res = L2CAP_CR_SEC_BLOCK;
4024 stat = L2CAP_CS_NO_INFO; 4164 stat = L2CAP_CS_NO_INFO;
4025 } 4165 }
@@ -4163,10 +4303,10 @@ static int l2cap_debugfs_show(struct seq_file *f, void *p)
4163 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n", 4303 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
4164 batostr(&bt_sk(sk)->src), 4304 batostr(&bt_sk(sk)->src),
4165 batostr(&bt_sk(sk)->dst), 4305 batostr(&bt_sk(sk)->dst),
4166 sk->sk_state, __le16_to_cpu(c->psm), 4306 c->state, __le16_to_cpu(c->psm),
4167 c->scid, c->dcid, c->imtu, c->omtu, 4307 c->scid, c->dcid, c->imtu, c->omtu,
4168 c->sec_level, c->mode); 4308 c->sec_level, c->mode);
4169 } 4309}
4170 4310
4171 read_unlock_bh(&chan_list_lock); 4311 read_unlock_bh(&chan_list_lock);
4172 4312
@@ -4206,12 +4346,6 @@ int __init l2cap_init(void)
4206 if (err < 0) 4346 if (err < 0)
4207 return err; 4347 return err;
4208 4348
4209 _busy_wq = create_singlethread_workqueue("l2cap");
4210 if (!_busy_wq) {
4211 err = -ENOMEM;
4212 goto error;
4213 }
4214
4215 err = hci_register_proto(&l2cap_hci_proto); 4349 err = hci_register_proto(&l2cap_hci_proto);
4216 if (err < 0) { 4350 if (err < 0) {
4217 BT_ERR("L2CAP protocol registration failed"); 4351 BT_ERR("L2CAP protocol registration failed");
@@ -4229,7 +4363,6 @@ int __init l2cap_init(void)
4229 return 0; 4363 return 0;
4230 4364
4231error: 4365error:
4232 destroy_workqueue(_busy_wq);
4233 l2cap_cleanup_sockets(); 4366 l2cap_cleanup_sockets();
4234 return err; 4367 return err;
4235} 4368}
@@ -4238,9 +4371,6 @@ void l2cap_exit(void)
4238{ 4371{
4239 debugfs_remove(l2cap_debugfs); 4372 debugfs_remove(l2cap_debugfs);
4240 4373
4241 flush_workqueue(_busy_wq);
4242 destroy_workqueue(_busy_wq);
4243
4244 if (hci_unregister_proto(&l2cap_hci_proto) < 0) 4374 if (hci_unregister_proto(&l2cap_hci_proto) < 0)
4245 BT_ERR("L2CAP protocol unregistration failed"); 4375 BT_ERR("L2CAP protocol unregistration failed");
4246 4376
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index 8248303f44e..e8292369cdc 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -26,57 +26,16 @@
26 26
27/* Bluetooth L2CAP sockets. */ 27/* Bluetooth L2CAP sockets. */
28 28
29#include <linux/security.h>
30
29#include <net/bluetooth/bluetooth.h> 31#include <net/bluetooth/bluetooth.h>
30#include <net/bluetooth/hci_core.h> 32#include <net/bluetooth/hci_core.h>
31#include <net/bluetooth/l2cap.h> 33#include <net/bluetooth/l2cap.h>
34#include <net/bluetooth/smp.h>
32 35
33static const struct proto_ops l2cap_sock_ops; 36static const struct proto_ops l2cap_sock_ops;
34 37static void l2cap_sock_init(struct sock *sk, struct sock *parent);
35/* ---- L2CAP timers ---- */ 38static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio);
36static void l2cap_sock_timeout(unsigned long arg)
37{
38 struct sock *sk = (struct sock *) arg;
39 int reason;
40
41 BT_DBG("sock %p state %d", sk, sk->sk_state);
42
43 bh_lock_sock(sk);
44
45 if (sock_owned_by_user(sk)) {
46 /* sk is owned by user. Try again later */
47 l2cap_sock_set_timer(sk, HZ / 5);
48 bh_unlock_sock(sk);
49 sock_put(sk);
50 return;
51 }
52
53 if (sk->sk_state == BT_CONNECTED || sk->sk_state == BT_CONFIG)
54 reason = ECONNREFUSED;
55 else if (sk->sk_state == BT_CONNECT &&
56 l2cap_pi(sk)->chan->sec_level != BT_SECURITY_SDP)
57 reason = ECONNREFUSED;
58 else
59 reason = ETIMEDOUT;
60
61 __l2cap_sock_close(sk, reason);
62
63 bh_unlock_sock(sk);
64
65 l2cap_sock_kill(sk);
66 sock_put(sk);
67}
68
69void l2cap_sock_set_timer(struct sock *sk, long timeout)
70{
71 BT_DBG("sk %p state %d timeout %ld", sk, sk->sk_state, timeout);
72 sk_reset_timer(sk, &sk->sk_timer, jiffies + timeout);
73}
74
75void l2cap_sock_clear_timer(struct sock *sk)
76{
77 BT_DBG("sock %p state %d", sk, sk->sk_state);
78 sk_stop_timer(sk, &sk->sk_timer);
79}
80 39
81static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen) 40static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
82{ 41{
@@ -133,6 +92,8 @@ static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
133 chan->sec_level = BT_SECURITY_SDP; 92 chan->sec_level = BT_SECURITY_SDP;
134 93
135 bacpy(&bt_sk(sk)->src, &la.l2_bdaddr); 94 bacpy(&bt_sk(sk)->src, &la.l2_bdaddr);
95
96 chan->state = BT_BOUND;
136 sk->sk_state = BT_BOUND; 97 sk->sk_state = BT_BOUND;
137 98
138done: 99done:
@@ -162,7 +123,7 @@ static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, int al
162 123
163 lock_sock(sk); 124 lock_sock(sk);
164 125
165 if ((sk->sk_type == SOCK_SEQPACKET || sk->sk_type == SOCK_STREAM) 126 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED
166 && !(la.l2_psm || la.l2_cid)) { 127 && !(la.l2_psm || la.l2_cid)) {
167 err = -EINVAL; 128 err = -EINVAL;
168 goto done; 129 goto done;
@@ -204,8 +165,8 @@ static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, int al
204 } 165 }
205 166
206 /* PSM must be odd and lsb of upper byte must be 0 */ 167 /* PSM must be odd and lsb of upper byte must be 0 */
207 if ((__le16_to_cpu(la.l2_psm) & 0x0101) != 0x0001 && 168 if ((__le16_to_cpu(la.l2_psm) & 0x0101) != 0x0001 && !la.l2_cid &&
208 sk->sk_type != SOCK_RAW && !la.l2_cid) { 169 chan->chan_type != L2CAP_CHAN_RAW) {
209 err = -EINVAL; 170 err = -EINVAL;
210 goto done; 171 goto done;
211 } 172 }
@@ -258,6 +219,8 @@ static int l2cap_sock_listen(struct socket *sock, int backlog)
258 219
259 sk->sk_max_ack_backlog = backlog; 220 sk->sk_max_ack_backlog = backlog;
260 sk->sk_ack_backlog = 0; 221 sk->sk_ack_backlog = 0;
222
223 chan->state = BT_LISTEN;
261 sk->sk_state = BT_LISTEN; 224 sk->sk_state = BT_LISTEN;
262 225
263done: 226done:
@@ -274,30 +237,26 @@ static int l2cap_sock_accept(struct socket *sock, struct socket *newsock, int fl
274 237
275 lock_sock_nested(sk, SINGLE_DEPTH_NESTING); 238 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
276 239
277 if (sk->sk_state != BT_LISTEN) {
278 err = -EBADFD;
279 goto done;
280 }
281
282 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK); 240 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
283 241
284 BT_DBG("sk %p timeo %ld", sk, timeo); 242 BT_DBG("sk %p timeo %ld", sk, timeo);
285 243
286 /* Wait for an incoming connection. (wake-one). */ 244 /* Wait for an incoming connection. (wake-one). */
287 add_wait_queue_exclusive(sk_sleep(sk), &wait); 245 add_wait_queue_exclusive(sk_sleep(sk), &wait);
288 while (!(nsk = bt_accept_dequeue(sk, newsock))) { 246 while (1) {
289 set_current_state(TASK_INTERRUPTIBLE); 247 set_current_state(TASK_INTERRUPTIBLE);
290 if (!timeo) { 248
291 err = -EAGAIN; 249 if (sk->sk_state != BT_LISTEN) {
250 err = -EBADFD;
292 break; 251 break;
293 } 252 }
294 253
295 release_sock(sk); 254 nsk = bt_accept_dequeue(sk, newsock);
296 timeo = schedule_timeout(timeo); 255 if (nsk)
297 lock_sock_nested(sk, SINGLE_DEPTH_NESTING); 256 break;
298 257
299 if (sk->sk_state != BT_LISTEN) { 258 if (!timeo) {
300 err = -EBADFD; 259 err = -EAGAIN;
301 break; 260 break;
302 } 261 }
303 262
@@ -305,8 +264,12 @@ static int l2cap_sock_accept(struct socket *sock, struct socket *newsock, int fl
305 err = sock_intr_errno(timeo); 264 err = sock_intr_errno(timeo);
306 break; 265 break;
307 } 266 }
267
268 release_sock(sk);
269 timeo = schedule_timeout(timeo);
270 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
308 } 271 }
309 set_current_state(TASK_RUNNING); 272 __set_current_state(TASK_RUNNING);
310 remove_wait_queue(sk_sleep(sk), &wait); 273 remove_wait_queue(sk_sleep(sk), &wait);
311 274
312 if (err) 275 if (err)
@@ -437,6 +400,7 @@ static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, ch
437 struct sock *sk = sock->sk; 400 struct sock *sk = sock->sk;
438 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 401 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
439 struct bt_security sec; 402 struct bt_security sec;
403 struct bt_power pwr;
440 int len, err = 0; 404 int len, err = 0;
441 405
442 BT_DBG("sk %p", sk); 406 BT_DBG("sk %p", sk);
@@ -454,14 +418,18 @@ static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, ch
454 418
455 switch (optname) { 419 switch (optname) {
456 case BT_SECURITY: 420 case BT_SECURITY:
457 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM 421 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
458 && sk->sk_type != SOCK_RAW) { 422 chan->chan_type != L2CAP_CHAN_RAW) {
459 err = -EINVAL; 423 err = -EINVAL;
460 break; 424 break;
461 } 425 }
462 426
427 memset(&sec, 0, sizeof(sec));
463 sec.level = chan->sec_level; 428 sec.level = chan->sec_level;
464 429
430 if (sk->sk_state == BT_CONNECTED)
431 sec.key_size = chan->conn->hcon->enc_key_size;
432
465 len = min_t(unsigned int, len, sizeof(sec)); 433 len = min_t(unsigned int, len, sizeof(sec));
466 if (copy_to_user(optval, (char *) &sec, len)) 434 if (copy_to_user(optval, (char *) &sec, len))
467 err = -EFAULT; 435 err = -EFAULT;
@@ -485,6 +453,21 @@ static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, ch
485 453
486 break; 454 break;
487 455
456 case BT_POWER:
457 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
458 && sk->sk_type != SOCK_RAW) {
459 err = -EINVAL;
460 break;
461 }
462
463 pwr.force_active = chan->force_active;
464
465 len = min_t(unsigned int, len, sizeof(pwr));
466 if (copy_to_user(optval, (char *) &pwr, len))
467 err = -EFAULT;
468
469 break;
470
488 default: 471 default:
489 err = -ENOPROTOOPT; 472 err = -ENOPROTOOPT;
490 break; 473 break;
@@ -535,7 +518,7 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __us
535 chan->mode = opts.mode; 518 chan->mode = opts.mode;
536 switch (chan->mode) { 519 switch (chan->mode) {
537 case L2CAP_MODE_BASIC: 520 case L2CAP_MODE_BASIC:
538 chan->conf_state &= ~L2CAP_CONF_STATE2_DEVICE; 521 clear_bit(CONF_STATE2_DEVICE, &chan->conf_state);
539 break; 522 break;
540 case L2CAP_MODE_ERTM: 523 case L2CAP_MODE_ERTM:
541 case L2CAP_MODE_STREAMING: 524 case L2CAP_MODE_STREAMING:
@@ -585,6 +568,8 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, ch
585 struct sock *sk = sock->sk; 568 struct sock *sk = sock->sk;
586 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 569 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
587 struct bt_security sec; 570 struct bt_security sec;
571 struct bt_power pwr;
572 struct l2cap_conn *conn;
588 int len, err = 0; 573 int len, err = 0;
589 u32 opt; 574 u32 opt;
590 575
@@ -600,8 +585,8 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, ch
600 585
601 switch (optname) { 586 switch (optname) {
602 case BT_SECURITY: 587 case BT_SECURITY:
603 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM 588 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
604 && sk->sk_type != SOCK_RAW) { 589 chan->chan_type != L2CAP_CHAN_RAW) {
605 err = -EINVAL; 590 err = -EINVAL;
606 break; 591 break;
607 } 592 }
@@ -621,6 +606,20 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, ch
621 } 606 }
622 607
623 chan->sec_level = sec.level; 608 chan->sec_level = sec.level;
609
610 conn = chan->conn;
611 if (conn && chan->scid == L2CAP_CID_LE_DATA) {
612 if (!conn->hcon->out) {
613 err = -EINVAL;
614 break;
615 }
616
617 if (smp_conn_security(conn, sec.level))
618 break;
619
620 err = 0;
621 sk->sk_state = BT_CONFIG;
622 }
624 break; 623 break;
625 624
626 case BT_DEFER_SETUP: 625 case BT_DEFER_SETUP:
@@ -661,6 +660,23 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, ch
661 chan->flushable = opt; 660 chan->flushable = opt;
662 break; 661 break;
663 662
663 case BT_POWER:
664 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
665 chan->chan_type != L2CAP_CHAN_RAW) {
666 err = -EINVAL;
667 break;
668 }
669
670 pwr.force_active = BT_POWER_FORCE_ACTIVE_ON;
671
672 len = min_t(unsigned int, sizeof(pwr), optlen);
673 if (copy_from_user((char *) &pwr, optval, len)) {
674 err = -EFAULT;
675 break;
676 }
677 chan->force_active = pwr.force_active;
678 break;
679
664 default: 680 default:
665 err = -ENOPROTOOPT; 681 err = -ENOPROTOOPT;
666 break; 682 break;
@@ -674,8 +690,6 @@ static int l2cap_sock_sendmsg(struct kiocb *iocb, struct socket *sock, struct ms
674{ 690{
675 struct sock *sk = sock->sk; 691 struct sock *sk = sock->sk;
676 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 692 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
677 struct sk_buff *skb;
678 u16 control;
679 int err; 693 int err;
680 694
681 BT_DBG("sock %p, sk %p", sock, sk); 695 BT_DBG("sock %p, sk %p", sock, sk);
@@ -690,87 +704,12 @@ static int l2cap_sock_sendmsg(struct kiocb *iocb, struct socket *sock, struct ms
690 lock_sock(sk); 704 lock_sock(sk);
691 705
692 if (sk->sk_state != BT_CONNECTED) { 706 if (sk->sk_state != BT_CONNECTED) {
693 err = -ENOTCONN; 707 release_sock(sk);
694 goto done; 708 return -ENOTCONN;
695 }
696
697 /* Connectionless channel */
698 if (sk->sk_type == SOCK_DGRAM) {
699 skb = l2cap_create_connless_pdu(chan, msg, len);
700 if (IS_ERR(skb)) {
701 err = PTR_ERR(skb);
702 } else {
703 l2cap_do_send(chan, skb);
704 err = len;
705 }
706 goto done;
707 } 709 }
708 710
709 switch (chan->mode) { 711 err = l2cap_chan_send(chan, msg, len);
710 case L2CAP_MODE_BASIC:
711 /* Check outgoing MTU */
712 if (len > chan->omtu) {
713 err = -EMSGSIZE;
714 goto done;
715 }
716
717 /* Create a basic PDU */
718 skb = l2cap_create_basic_pdu(chan, msg, len);
719 if (IS_ERR(skb)) {
720 err = PTR_ERR(skb);
721 goto done;
722 }
723
724 l2cap_do_send(chan, skb);
725 err = len;
726 break;
727
728 case L2CAP_MODE_ERTM:
729 case L2CAP_MODE_STREAMING:
730 /* Entire SDU fits into one PDU */
731 if (len <= chan->remote_mps) {
732 control = L2CAP_SDU_UNSEGMENTED;
733 skb = l2cap_create_iframe_pdu(chan, msg, len, control,
734 0);
735 if (IS_ERR(skb)) {
736 err = PTR_ERR(skb);
737 goto done;
738 }
739 __skb_queue_tail(&chan->tx_q, skb);
740
741 if (chan->tx_send_head == NULL)
742 chan->tx_send_head = skb;
743
744 } else {
745 /* Segment SDU into multiples PDUs */
746 err = l2cap_sar_segment_sdu(chan, msg, len);
747 if (err < 0)
748 goto done;
749 }
750
751 if (chan->mode == L2CAP_MODE_STREAMING) {
752 l2cap_streaming_send(chan);
753 err = len;
754 break;
755 }
756
757 if ((chan->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
758 (chan->conn_state & L2CAP_CONN_WAIT_F)) {
759 err = len;
760 break;
761 }
762 err = l2cap_ertm_send(chan);
763
764 if (err >= 0)
765 err = len;
766 break;
767
768 default:
769 BT_DBG("bad state %1.1x", chan->mode);
770 err = -EBADFD;
771 }
772 712
773done:
774 release_sock(sk); 713 release_sock(sk);
775 return err; 714 return err;
776} 715}
@@ -778,13 +717,15 @@ done:
778static int l2cap_sock_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len, int flags) 717static int l2cap_sock_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len, int flags)
779{ 718{
780 struct sock *sk = sock->sk; 719 struct sock *sk = sock->sk;
720 struct l2cap_pinfo *pi = l2cap_pi(sk);
721 int err;
781 722
782 lock_sock(sk); 723 lock_sock(sk);
783 724
784 if (sk->sk_state == BT_CONNECT2 && bt_sk(sk)->defer_setup) { 725 if (sk->sk_state == BT_CONNECT2 && bt_sk(sk)->defer_setup) {
785 sk->sk_state = BT_CONFIG; 726 sk->sk_state = BT_CONFIG;
786 727
787 __l2cap_connect_rsp_defer(l2cap_pi(sk)->chan); 728 __l2cap_connect_rsp_defer(pi->chan);
788 release_sock(sk); 729 release_sock(sk);
789 return 0; 730 return 0;
790 } 731 }
@@ -792,15 +733,43 @@ static int l2cap_sock_recvmsg(struct kiocb *iocb, struct socket *sock, struct ms
792 release_sock(sk); 733 release_sock(sk);
793 734
794 if (sock->type == SOCK_STREAM) 735 if (sock->type == SOCK_STREAM)
795 return bt_sock_stream_recvmsg(iocb, sock, msg, len, flags); 736 err = bt_sock_stream_recvmsg(iocb, sock, msg, len, flags);
737 else
738 err = bt_sock_recvmsg(iocb, sock, msg, len, flags);
739
740 if (pi->chan->mode != L2CAP_MODE_ERTM)
741 return err;
742
743 /* Attempt to put pending rx data in the socket buffer */
744
745 lock_sock(sk);
746
747 if (!test_bit(CONN_LOCAL_BUSY, &pi->chan->conn_state))
748 goto done;
749
750 if (pi->rx_busy_skb) {
751 if (!sock_queue_rcv_skb(sk, pi->rx_busy_skb))
752 pi->rx_busy_skb = NULL;
753 else
754 goto done;
755 }
796 756
797 return bt_sock_recvmsg(iocb, sock, msg, len, flags); 757 /* Restore data flow when half of the receive buffer is
758 * available. This avoids resending large numbers of
759 * frames.
760 */
761 if (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf >> 1)
762 l2cap_chan_busy(pi->chan, 0);
763
764done:
765 release_sock(sk);
766 return err;
798} 767}
799 768
800/* Kill socket (only if zapped and orphan) 769/* Kill socket (only if zapped and orphan)
801 * Must be called on unlocked socket. 770 * Must be called on unlocked socket.
802 */ 771 */
803void l2cap_sock_kill(struct sock *sk) 772static void l2cap_sock_kill(struct sock *sk)
804{ 773{
805 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket) 774 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
806 return; 775 return;
@@ -814,87 +783,6 @@ void l2cap_sock_kill(struct sock *sk)
814 sock_put(sk); 783 sock_put(sk);
815} 784}
816 785
817/* Must be called on unlocked socket. */
818static void l2cap_sock_close(struct sock *sk)
819{
820 l2cap_sock_clear_timer(sk);
821 lock_sock(sk);
822 __l2cap_sock_close(sk, ECONNRESET);
823 release_sock(sk);
824 l2cap_sock_kill(sk);
825}
826
827static void l2cap_sock_cleanup_listen(struct sock *parent)
828{
829 struct sock *sk;
830
831 BT_DBG("parent %p", parent);
832
833 /* Close not yet accepted channels */
834 while ((sk = bt_accept_dequeue(parent, NULL)))
835 l2cap_sock_close(sk);
836
837 parent->sk_state = BT_CLOSED;
838 sock_set_flag(parent, SOCK_ZAPPED);
839}
840
841void __l2cap_sock_close(struct sock *sk, int reason)
842{
843 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
844 struct l2cap_conn *conn = chan->conn;
845
846 BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
847
848 switch (sk->sk_state) {
849 case BT_LISTEN:
850 l2cap_sock_cleanup_listen(sk);
851 break;
852
853 case BT_CONNECTED:
854 case BT_CONFIG:
855 if ((sk->sk_type == SOCK_SEQPACKET ||
856 sk->sk_type == SOCK_STREAM) &&
857 conn->hcon->type == ACL_LINK) {
858 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
859 l2cap_send_disconn_req(conn, chan, reason);
860 } else
861 l2cap_chan_del(chan, reason);
862 break;
863
864 case BT_CONNECT2:
865 if ((sk->sk_type == SOCK_SEQPACKET ||
866 sk->sk_type == SOCK_STREAM) &&
867 conn->hcon->type == ACL_LINK) {
868 struct l2cap_conn_rsp rsp;
869 __u16 result;
870
871 if (bt_sk(sk)->defer_setup)
872 result = L2CAP_CR_SEC_BLOCK;
873 else
874 result = L2CAP_CR_BAD_PSM;
875
876 rsp.scid = cpu_to_le16(chan->dcid);
877 rsp.dcid = cpu_to_le16(chan->scid);
878 rsp.result = cpu_to_le16(result);
879 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
880 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
881 sizeof(rsp), &rsp);
882 }
883
884 l2cap_chan_del(chan, reason);
885 break;
886
887 case BT_CONNECT:
888 case BT_DISCONN:
889 l2cap_chan_del(chan, reason);
890 break;
891
892 default:
893 sock_set_flag(sk, SOCK_ZAPPED);
894 break;
895 }
896}
897
898static int l2cap_sock_shutdown(struct socket *sock, int how) 786static int l2cap_sock_shutdown(struct socket *sock, int how)
899{ 787{
900 struct sock *sk = sock->sk; 788 struct sock *sk = sock->sk;
@@ -912,8 +800,7 @@ static int l2cap_sock_shutdown(struct socket *sock, int how)
912 err = __l2cap_wait_ack(sk); 800 err = __l2cap_wait_ack(sk);
913 801
914 sk->sk_shutdown = SHUTDOWN_MASK; 802 sk->sk_shutdown = SHUTDOWN_MASK;
915 l2cap_sock_clear_timer(sk); 803 l2cap_chan_close(chan, 0);
916 __l2cap_sock_close(sk, 0);
917 804
918 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime) 805 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime)
919 err = bt_sock_wait_state(sk, BT_CLOSED, 806 err = bt_sock_wait_state(sk, BT_CLOSED,
@@ -944,15 +831,85 @@ static int l2cap_sock_release(struct socket *sock)
944 return err; 831 return err;
945} 832}
946 833
834static struct l2cap_chan *l2cap_sock_new_connection_cb(void *data)
835{
836 struct sock *sk, *parent = data;
837
838 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP,
839 GFP_ATOMIC);
840 if (!sk)
841 return NULL;
842
843 l2cap_sock_init(sk, parent);
844
845 return l2cap_pi(sk)->chan;
846}
847
848static int l2cap_sock_recv_cb(void *data, struct sk_buff *skb)
849{
850 int err;
851 struct sock *sk = data;
852 struct l2cap_pinfo *pi = l2cap_pi(sk);
853
854 if (pi->rx_busy_skb)
855 return -ENOMEM;
856
857 err = sock_queue_rcv_skb(sk, skb);
858
859 /* For ERTM, handle one skb that doesn't fit into the recv
860 * buffer. This is important to do because the data frames
861 * have already been acked, so the skb cannot be discarded.
862 *
863 * Notify the l2cap core that the buffer is full, so the
864 * LOCAL_BUSY state is entered and no more frames are
865 * acked and reassembled until there is buffer space
866 * available.
867 */
868 if (err < 0 && pi->chan->mode == L2CAP_MODE_ERTM) {
869 pi->rx_busy_skb = skb;
870 l2cap_chan_busy(pi->chan, 1);
871 err = 0;
872 }
873
874 return err;
875}
876
877static void l2cap_sock_close_cb(void *data)
878{
879 struct sock *sk = data;
880
881 l2cap_sock_kill(sk);
882}
883
884static void l2cap_sock_state_change_cb(void *data, int state)
885{
886 struct sock *sk = data;
887
888 sk->sk_state = state;
889}
890
891static struct l2cap_ops l2cap_chan_ops = {
892 .name = "L2CAP Socket Interface",
893 .new_connection = l2cap_sock_new_connection_cb,
894 .recv = l2cap_sock_recv_cb,
895 .close = l2cap_sock_close_cb,
896 .state_change = l2cap_sock_state_change_cb,
897};
898
947static void l2cap_sock_destruct(struct sock *sk) 899static void l2cap_sock_destruct(struct sock *sk)
948{ 900{
949 BT_DBG("sk %p", sk); 901 BT_DBG("sk %p", sk);
950 902
903 if (l2cap_pi(sk)->rx_busy_skb) {
904 kfree_skb(l2cap_pi(sk)->rx_busy_skb);
905 l2cap_pi(sk)->rx_busy_skb = NULL;
906 }
907
951 skb_queue_purge(&sk->sk_receive_queue); 908 skb_queue_purge(&sk->sk_receive_queue);
952 skb_queue_purge(&sk->sk_write_queue); 909 skb_queue_purge(&sk->sk_write_queue);
953} 910}
954 911
955void l2cap_sock_init(struct sock *sk, struct sock *parent) 912static void l2cap_sock_init(struct sock *sk, struct sock *parent)
956{ 913{
957 struct l2cap_pinfo *pi = l2cap_pi(sk); 914 struct l2cap_pinfo *pi = l2cap_pi(sk);
958 struct l2cap_chan *chan = pi->chan; 915 struct l2cap_chan *chan = pi->chan;
@@ -965,6 +922,7 @@ void l2cap_sock_init(struct sock *sk, struct sock *parent)
965 sk->sk_type = parent->sk_type; 922 sk->sk_type = parent->sk_type;
966 bt_sk(sk)->defer_setup = bt_sk(parent)->defer_setup; 923 bt_sk(sk)->defer_setup = bt_sk(parent)->defer_setup;
967 924
925 chan->chan_type = pchan->chan_type;
968 chan->imtu = pchan->imtu; 926 chan->imtu = pchan->imtu;
969 chan->omtu = pchan->omtu; 927 chan->omtu = pchan->omtu;
970 chan->conf_state = pchan->conf_state; 928 chan->conf_state = pchan->conf_state;
@@ -976,12 +934,29 @@ void l2cap_sock_init(struct sock *sk, struct sock *parent)
976 chan->role_switch = pchan->role_switch; 934 chan->role_switch = pchan->role_switch;
977 chan->force_reliable = pchan->force_reliable; 935 chan->force_reliable = pchan->force_reliable;
978 chan->flushable = pchan->flushable; 936 chan->flushable = pchan->flushable;
937 chan->force_active = pchan->force_active;
938
939 security_sk_clone(parent, sk);
979 } else { 940 } else {
941
942 switch (sk->sk_type) {
943 case SOCK_RAW:
944 chan->chan_type = L2CAP_CHAN_RAW;
945 break;
946 case SOCK_DGRAM:
947 chan->chan_type = L2CAP_CHAN_CONN_LESS;
948 break;
949 case SOCK_SEQPACKET:
950 case SOCK_STREAM:
951 chan->chan_type = L2CAP_CHAN_CONN_ORIENTED;
952 break;
953 }
954
980 chan->imtu = L2CAP_DEFAULT_MTU; 955 chan->imtu = L2CAP_DEFAULT_MTU;
981 chan->omtu = 0; 956 chan->omtu = 0;
982 if (!disable_ertm && sk->sk_type == SOCK_STREAM) { 957 if (!disable_ertm && sk->sk_type == SOCK_STREAM) {
983 chan->mode = L2CAP_MODE_ERTM; 958 chan->mode = L2CAP_MODE_ERTM;
984 chan->conf_state |= L2CAP_CONF_STATE2_DEVICE; 959 set_bit(CONF_STATE2_DEVICE, &chan->conf_state);
985 } else { 960 } else {
986 chan->mode = L2CAP_MODE_BASIC; 961 chan->mode = L2CAP_MODE_BASIC;
987 } 962 }
@@ -992,10 +967,15 @@ void l2cap_sock_init(struct sock *sk, struct sock *parent)
992 chan->role_switch = 0; 967 chan->role_switch = 0;
993 chan->force_reliable = 0; 968 chan->force_reliable = 0;
994 chan->flushable = BT_FLUSHABLE_OFF; 969 chan->flushable = BT_FLUSHABLE_OFF;
970 chan->force_active = BT_POWER_FORCE_ACTIVE_ON;
971
995 } 972 }
996 973
997 /* Default config options */ 974 /* Default config options */
998 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO; 975 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
976
977 chan->data = sk;
978 chan->ops = &l2cap_chan_ops;
999} 979}
1000 980
1001static struct proto l2cap_proto = { 981static struct proto l2cap_proto = {
@@ -1004,9 +984,10 @@ static struct proto l2cap_proto = {
1004 .obj_size = sizeof(struct l2cap_pinfo) 984 .obj_size = sizeof(struct l2cap_pinfo)
1005}; 985};
1006 986
1007struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio) 987static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio)
1008{ 988{
1009 struct sock *sk; 989 struct sock *sk;
990 struct l2cap_chan *chan;
1010 991
1011 sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto); 992 sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto);
1012 if (!sk) 993 if (!sk)
@@ -1016,14 +997,20 @@ struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int proto, g
1016 INIT_LIST_HEAD(&bt_sk(sk)->accept_q); 997 INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
1017 998
1018 sk->sk_destruct = l2cap_sock_destruct; 999 sk->sk_destruct = l2cap_sock_destruct;
1019 sk->sk_sndtimeo = msecs_to_jiffies(L2CAP_CONN_TIMEOUT); 1000 sk->sk_sndtimeo = L2CAP_CONN_TIMEOUT;
1020 1001
1021 sock_reset_flag(sk, SOCK_ZAPPED); 1002 sock_reset_flag(sk, SOCK_ZAPPED);
1022 1003
1023 sk->sk_protocol = proto; 1004 sk->sk_protocol = proto;
1024 sk->sk_state = BT_OPEN; 1005 sk->sk_state = BT_OPEN;
1025 1006
1026 setup_timer(&sk->sk_timer, l2cap_sock_timeout, (unsigned long) sk); 1007 chan = l2cap_chan_create(sk);
1008 if (!chan) {
1009 l2cap_sock_kill(sk);
1010 return NULL;
1011 }
1012
1013 l2cap_pi(sk)->chan = chan;
1027 1014
1028 return sk; 1015 return sk;
1029} 1016}
@@ -1032,7 +1019,6 @@ static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
1032 int kern) 1019 int kern)
1033{ 1020{
1034 struct sock *sk; 1021 struct sock *sk;
1035 struct l2cap_chan *chan;
1036 1022
1037 BT_DBG("sock %p", sock); 1023 BT_DBG("sock %p", sock);
1038 1024
@@ -1051,14 +1037,6 @@ static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
1051 if (!sk) 1037 if (!sk)
1052 return -ENOMEM; 1038 return -ENOMEM;
1053 1039
1054 chan = l2cap_chan_create(sk);
1055 if (!chan) {
1056 l2cap_sock_kill(sk);
1057 return -ENOMEM;
1058 }
1059
1060 l2cap_pi(sk)->chan = chan;
1061
1062 l2cap_sock_init(sk, NULL); 1040 l2cap_sock_init(sk, NULL);
1063 return 0; 1041 return 0;
1064} 1042}
diff --git a/net/bluetooth/lib.c b/net/bluetooth/lib.c
index b826d1bf10d..86a6bed229d 100644
--- a/net/bluetooth/lib.c
+++ b/net/bluetooth/lib.c
@@ -59,7 +59,7 @@ char *batostr(bdaddr_t *ba)
59EXPORT_SYMBOL(batostr); 59EXPORT_SYMBOL(batostr);
60 60
61/* Bluetooth error codes to Unix errno mapping */ 61/* Bluetooth error codes to Unix errno mapping */
62int bt_err(__u16 code) 62int bt_to_errno(__u16 code)
63{ 63{
64 switch (code) { 64 switch (code) {
65 case 0: 65 case 0:
@@ -149,4 +149,23 @@ int bt_err(__u16 code)
149 return ENOSYS; 149 return ENOSYS;
150 } 150 }
151} 151}
152EXPORT_SYMBOL(bt_err); 152EXPORT_SYMBOL(bt_to_errno);
153
154int bt_printk(const char *level, const char *format, ...)
155{
156 struct va_format vaf;
157 va_list args;
158 int r;
159
160 va_start(args, format);
161
162 vaf.fmt = format;
163 vaf.va = &args;
164
165 r = printk("%sBluetooth: %pV\n", level, &vaf);
166
167 va_end(args);
168
169 return r;
170}
171EXPORT_SYMBOL(bt_printk);
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index dae382ce702..98327213d93 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -41,7 +41,7 @@ struct pending_cmd {
41 void *user_data; 41 void *user_data;
42}; 42};
43 43
44LIST_HEAD(cmd_list); 44static LIST_HEAD(cmd_list);
45 45
46static int cmd_status(struct sock *sk, u16 index, u16 cmd, u8 status) 46static int cmd_status(struct sock *sk, u16 index, u16 cmd, u8 status)
47{ 47{
@@ -179,7 +179,7 @@ static int read_controller_info(struct sock *sk, u16 index)
179 179
180 hci_del_off_timer(hdev); 180 hci_del_off_timer(hdev);
181 181
182 hci_dev_lock(hdev); 182 hci_dev_lock_bh(hdev);
183 183
184 set_bit(HCI_MGMT, &hdev->flags); 184 set_bit(HCI_MGMT, &hdev->flags);
185 185
@@ -208,7 +208,7 @@ static int read_controller_info(struct sock *sk, u16 index)
208 208
209 memcpy(rp.name, hdev->dev_name, sizeof(hdev->dev_name)); 209 memcpy(rp.name, hdev->dev_name, sizeof(hdev->dev_name));
210 210
211 hci_dev_unlock(hdev); 211 hci_dev_unlock_bh(hdev);
212 hci_dev_put(hdev); 212 hci_dev_put(hdev);
213 213
214 return cmd_complete(sk, index, MGMT_OP_READ_INFO, &rp, sizeof(rp)); 214 return cmd_complete(sk, index, MGMT_OP_READ_INFO, &rp, sizeof(rp));
@@ -316,7 +316,7 @@ static int set_powered(struct sock *sk, u16 index, unsigned char *data, u16 len)
316 if (!hdev) 316 if (!hdev)
317 return cmd_status(sk, index, MGMT_OP_SET_POWERED, ENODEV); 317 return cmd_status(sk, index, MGMT_OP_SET_POWERED, ENODEV);
318 318
319 hci_dev_lock(hdev); 319 hci_dev_lock_bh(hdev);
320 320
321 up = test_bit(HCI_UP, &hdev->flags); 321 up = test_bit(HCI_UP, &hdev->flags);
322 if ((cp->val && up) || (!cp->val && !up)) { 322 if ((cp->val && up) || (!cp->val && !up)) {
@@ -343,7 +343,7 @@ static int set_powered(struct sock *sk, u16 index, unsigned char *data, u16 len)
343 err = 0; 343 err = 0;
344 344
345failed: 345failed:
346 hci_dev_unlock(hdev); 346 hci_dev_unlock_bh(hdev);
347 hci_dev_put(hdev); 347 hci_dev_put(hdev);
348 return err; 348 return err;
349} 349}
@@ -368,7 +368,7 @@ static int set_discoverable(struct sock *sk, u16 index, unsigned char *data,
368 if (!hdev) 368 if (!hdev)
369 return cmd_status(sk, index, MGMT_OP_SET_DISCOVERABLE, ENODEV); 369 return cmd_status(sk, index, MGMT_OP_SET_DISCOVERABLE, ENODEV);
370 370
371 hci_dev_lock(hdev); 371 hci_dev_lock_bh(hdev);
372 372
373 if (!test_bit(HCI_UP, &hdev->flags)) { 373 if (!test_bit(HCI_UP, &hdev->flags)) {
374 err = cmd_status(sk, index, MGMT_OP_SET_DISCOVERABLE, ENETDOWN); 374 err = cmd_status(sk, index, MGMT_OP_SET_DISCOVERABLE, ENETDOWN);
@@ -403,7 +403,7 @@ static int set_discoverable(struct sock *sk, u16 index, unsigned char *data,
403 mgmt_pending_remove(cmd); 403 mgmt_pending_remove(cmd);
404 404
405failed: 405failed:
406 hci_dev_unlock(hdev); 406 hci_dev_unlock_bh(hdev);
407 hci_dev_put(hdev); 407 hci_dev_put(hdev);
408 408
409 return err; 409 return err;
@@ -429,7 +429,7 @@ static int set_connectable(struct sock *sk, u16 index, unsigned char *data,
429 if (!hdev) 429 if (!hdev)
430 return cmd_status(sk, index, MGMT_OP_SET_CONNECTABLE, ENODEV); 430 return cmd_status(sk, index, MGMT_OP_SET_CONNECTABLE, ENODEV);
431 431
432 hci_dev_lock(hdev); 432 hci_dev_lock_bh(hdev);
433 433
434 if (!test_bit(HCI_UP, &hdev->flags)) { 434 if (!test_bit(HCI_UP, &hdev->flags)) {
435 err = cmd_status(sk, index, MGMT_OP_SET_CONNECTABLE, ENETDOWN); 435 err = cmd_status(sk, index, MGMT_OP_SET_CONNECTABLE, ENETDOWN);
@@ -463,7 +463,7 @@ static int set_connectable(struct sock *sk, u16 index, unsigned char *data,
463 mgmt_pending_remove(cmd); 463 mgmt_pending_remove(cmd);
464 464
465failed: 465failed:
466 hci_dev_unlock(hdev); 466 hci_dev_unlock_bh(hdev);
467 hci_dev_put(hdev); 467 hci_dev_put(hdev);
468 468
469 return err; 469 return err;
@@ -522,7 +522,7 @@ static int set_pairable(struct sock *sk, u16 index, unsigned char *data,
522 if (!hdev) 522 if (!hdev)
523 return cmd_status(sk, index, MGMT_OP_SET_PAIRABLE, ENODEV); 523 return cmd_status(sk, index, MGMT_OP_SET_PAIRABLE, ENODEV);
524 524
525 hci_dev_lock(hdev); 525 hci_dev_lock_bh(hdev);
526 526
527 if (cp->val) 527 if (cp->val)
528 set_bit(HCI_PAIRABLE, &hdev->flags); 528 set_bit(HCI_PAIRABLE, &hdev->flags);
@@ -538,7 +538,7 @@ static int set_pairable(struct sock *sk, u16 index, unsigned char *data,
538 err = mgmt_event(MGMT_EV_PAIRABLE, index, &ev, sizeof(ev), sk); 538 err = mgmt_event(MGMT_EV_PAIRABLE, index, &ev, sizeof(ev), sk);
539 539
540failed: 540failed:
541 hci_dev_unlock(hdev); 541 hci_dev_unlock_bh(hdev);
542 hci_dev_put(hdev); 542 hci_dev_put(hdev);
543 543
544 return err; 544 return err;
@@ -739,7 +739,7 @@ static int add_uuid(struct sock *sk, u16 index, unsigned char *data, u16 len)
739 if (!hdev) 739 if (!hdev)
740 return cmd_status(sk, index, MGMT_OP_ADD_UUID, ENODEV); 740 return cmd_status(sk, index, MGMT_OP_ADD_UUID, ENODEV);
741 741
742 hci_dev_lock(hdev); 742 hci_dev_lock_bh(hdev);
743 743
744 uuid = kmalloc(sizeof(*uuid), GFP_ATOMIC); 744 uuid = kmalloc(sizeof(*uuid), GFP_ATOMIC);
745 if (!uuid) { 745 if (!uuid) {
@@ -763,7 +763,7 @@ static int add_uuid(struct sock *sk, u16 index, unsigned char *data, u16 len)
763 err = cmd_complete(sk, index, MGMT_OP_ADD_UUID, NULL, 0); 763 err = cmd_complete(sk, index, MGMT_OP_ADD_UUID, NULL, 0);
764 764
765failed: 765failed:
766 hci_dev_unlock(hdev); 766 hci_dev_unlock_bh(hdev);
767 hci_dev_put(hdev); 767 hci_dev_put(hdev);
768 768
769 return err; 769 return err;
@@ -788,7 +788,7 @@ static int remove_uuid(struct sock *sk, u16 index, unsigned char *data, u16 len)
788 if (!hdev) 788 if (!hdev)
789 return cmd_status(sk, index, MGMT_OP_REMOVE_UUID, ENODEV); 789 return cmd_status(sk, index, MGMT_OP_REMOVE_UUID, ENODEV);
790 790
791 hci_dev_lock(hdev); 791 hci_dev_lock_bh(hdev);
792 792
793 if (memcmp(cp->uuid, bt_uuid_any, 16) == 0) { 793 if (memcmp(cp->uuid, bt_uuid_any, 16) == 0) {
794 err = hci_uuids_clear(hdev); 794 err = hci_uuids_clear(hdev);
@@ -823,7 +823,7 @@ static int remove_uuid(struct sock *sk, u16 index, unsigned char *data, u16 len)
823 err = cmd_complete(sk, index, MGMT_OP_REMOVE_UUID, NULL, 0); 823 err = cmd_complete(sk, index, MGMT_OP_REMOVE_UUID, NULL, 0);
824 824
825unlock: 825unlock:
826 hci_dev_unlock(hdev); 826 hci_dev_unlock_bh(hdev);
827 hci_dev_put(hdev); 827 hci_dev_put(hdev);
828 828
829 return err; 829 return err;
@@ -847,7 +847,7 @@ static int set_dev_class(struct sock *sk, u16 index, unsigned char *data,
847 if (!hdev) 847 if (!hdev)
848 return cmd_status(sk, index, MGMT_OP_SET_DEV_CLASS, ENODEV); 848 return cmd_status(sk, index, MGMT_OP_SET_DEV_CLASS, ENODEV);
849 849
850 hci_dev_lock(hdev); 850 hci_dev_lock_bh(hdev);
851 851
852 hdev->major_class = cp->major; 852 hdev->major_class = cp->major;
853 hdev->minor_class = cp->minor; 853 hdev->minor_class = cp->minor;
@@ -857,7 +857,7 @@ static int set_dev_class(struct sock *sk, u16 index, unsigned char *data,
857 if (err == 0) 857 if (err == 0)
858 err = cmd_complete(sk, index, MGMT_OP_SET_DEV_CLASS, NULL, 0); 858 err = cmd_complete(sk, index, MGMT_OP_SET_DEV_CLASS, NULL, 0);
859 859
860 hci_dev_unlock(hdev); 860 hci_dev_unlock_bh(hdev);
861 hci_dev_put(hdev); 861 hci_dev_put(hdev);
862 862
863 return err; 863 return err;
@@ -879,7 +879,7 @@ static int set_service_cache(struct sock *sk, u16 index, unsigned char *data,
879 if (!hdev) 879 if (!hdev)
880 return cmd_status(sk, index, MGMT_OP_SET_SERVICE_CACHE, ENODEV); 880 return cmd_status(sk, index, MGMT_OP_SET_SERVICE_CACHE, ENODEV);
881 881
882 hci_dev_lock(hdev); 882 hci_dev_lock_bh(hdev);
883 883
884 BT_DBG("hci%u enable %d", index, cp->enable); 884 BT_DBG("hci%u enable %d", index, cp->enable);
885 885
@@ -897,7 +897,7 @@ static int set_service_cache(struct sock *sk, u16 index, unsigned char *data,
897 err = cmd_complete(sk, index, MGMT_OP_SET_SERVICE_CACHE, NULL, 897 err = cmd_complete(sk, index, MGMT_OP_SET_SERVICE_CACHE, NULL,
898 0); 898 0);
899 899
900 hci_dev_unlock(hdev); 900 hci_dev_unlock_bh(hdev);
901 hci_dev_put(hdev); 901 hci_dev_put(hdev);
902 902
903 return err; 903 return err;
@@ -908,7 +908,7 @@ static int load_keys(struct sock *sk, u16 index, unsigned char *data, u16 len)
908 struct hci_dev *hdev; 908 struct hci_dev *hdev;
909 struct mgmt_cp_load_keys *cp; 909 struct mgmt_cp_load_keys *cp;
910 u16 key_count, expected_len; 910 u16 key_count, expected_len;
911 int i; 911 int i, err;
912 912
913 cp = (void *) data; 913 cp = (void *) data;
914 914
@@ -918,9 +918,9 @@ static int load_keys(struct sock *sk, u16 index, unsigned char *data, u16 len)
918 key_count = get_unaligned_le16(&cp->key_count); 918 key_count = get_unaligned_le16(&cp->key_count);
919 919
920 expected_len = sizeof(*cp) + key_count * sizeof(struct mgmt_key_info); 920 expected_len = sizeof(*cp) + key_count * sizeof(struct mgmt_key_info);
921 if (expected_len != len) { 921 if (expected_len > len) {
922 BT_ERR("load_keys: expected %u bytes, got %u bytes", 922 BT_ERR("load_keys: expected at least %u bytes, got %u bytes",
923 len, expected_len); 923 expected_len, len);
924 return -EINVAL; 924 return -EINVAL;
925 } 925 }
926 926
@@ -931,7 +931,7 @@ static int load_keys(struct sock *sk, u16 index, unsigned char *data, u16 len)
931 BT_DBG("hci%u debug_keys %u key_count %u", index, cp->debug_keys, 931 BT_DBG("hci%u debug_keys %u key_count %u", index, cp->debug_keys,
932 key_count); 932 key_count);
933 933
934 hci_dev_lock(hdev); 934 hci_dev_lock_bh(hdev);
935 935
936 hci_link_keys_clear(hdev); 936 hci_link_keys_clear(hdev);
937 937
@@ -942,17 +942,36 @@ static int load_keys(struct sock *sk, u16 index, unsigned char *data, u16 len)
942 else 942 else
943 clear_bit(HCI_DEBUG_KEYS, &hdev->flags); 943 clear_bit(HCI_DEBUG_KEYS, &hdev->flags);
944 944
945 for (i = 0; i < key_count; i++) { 945 len -= sizeof(*cp);
946 struct mgmt_key_info *key = &cp->keys[i]; 946 i = 0;
947
948 while (i < len) {
949 struct mgmt_key_info *key = (void *) cp->keys + i;
950
951 i += sizeof(*key) + key->dlen;
952
953 if (key->type == HCI_LK_SMP_LTK) {
954 struct key_master_id *id = (void *) key->data;
955
956 if (key->dlen != sizeof(struct key_master_id))
957 continue;
958
959 hci_add_ltk(hdev, 0, &key->bdaddr, key->pin_len,
960 id->ediv, id->rand, key->val);
961
962 continue;
963 }
947 964
948 hci_add_link_key(hdev, NULL, 0, &key->bdaddr, key->val, key->type, 965 hci_add_link_key(hdev, NULL, 0, &key->bdaddr, key->val, key->type,
949 key->pin_len); 966 key->pin_len);
950 } 967 }
951 968
952 hci_dev_unlock(hdev); 969 err = cmd_complete(sk, index, MGMT_OP_LOAD_KEYS, NULL, 0);
970
971 hci_dev_unlock_bh(hdev);
953 hci_dev_put(hdev); 972 hci_dev_put(hdev);
954 973
955 return 0; 974 return err;
956} 975}
957 976
958static int remove_key(struct sock *sk, u16 index, unsigned char *data, u16 len) 977static int remove_key(struct sock *sk, u16 index, unsigned char *data, u16 len)
@@ -971,7 +990,7 @@ static int remove_key(struct sock *sk, u16 index, unsigned char *data, u16 len)
971 if (!hdev) 990 if (!hdev)
972 return cmd_status(sk, index, MGMT_OP_REMOVE_KEY, ENODEV); 991 return cmd_status(sk, index, MGMT_OP_REMOVE_KEY, ENODEV);
973 992
974 hci_dev_lock(hdev); 993 hci_dev_lock_bh(hdev);
975 994
976 err = hci_remove_link_key(hdev, &cp->bdaddr); 995 err = hci_remove_link_key(hdev, &cp->bdaddr);
977 if (err < 0) { 996 if (err < 0) {
@@ -990,11 +1009,11 @@ static int remove_key(struct sock *sk, u16 index, unsigned char *data, u16 len)
990 1009
991 put_unaligned_le16(conn->handle, &dc.handle); 1010 put_unaligned_le16(conn->handle, &dc.handle);
992 dc.reason = 0x13; /* Remote User Terminated Connection */ 1011 dc.reason = 0x13; /* Remote User Terminated Connection */
993 err = hci_send_cmd(hdev, HCI_OP_DISCONNECT, 0, NULL); 1012 err = hci_send_cmd(hdev, HCI_OP_DISCONNECT, sizeof(dc), &dc);
994 } 1013 }
995 1014
996unlock: 1015unlock:
997 hci_dev_unlock(hdev); 1016 hci_dev_unlock_bh(hdev);
998 hci_dev_put(hdev); 1017 hci_dev_put(hdev);
999 1018
1000 return err; 1019 return err;
@@ -1020,7 +1039,7 @@ static int disconnect(struct sock *sk, u16 index, unsigned char *data, u16 len)
1020 if (!hdev) 1039 if (!hdev)
1021 return cmd_status(sk, index, MGMT_OP_DISCONNECT, ENODEV); 1040 return cmd_status(sk, index, MGMT_OP_DISCONNECT, ENODEV);
1022 1041
1023 hci_dev_lock(hdev); 1042 hci_dev_lock_bh(hdev);
1024 1043
1025 if (!test_bit(HCI_UP, &hdev->flags)) { 1044 if (!test_bit(HCI_UP, &hdev->flags)) {
1026 err = cmd_status(sk, index, MGMT_OP_DISCONNECT, ENETDOWN); 1045 err = cmd_status(sk, index, MGMT_OP_DISCONNECT, ENETDOWN);
@@ -1055,7 +1074,7 @@ static int disconnect(struct sock *sk, u16 index, unsigned char *data, u16 len)
1055 mgmt_pending_remove(cmd); 1074 mgmt_pending_remove(cmd);
1056 1075
1057failed: 1076failed:
1058 hci_dev_unlock(hdev); 1077 hci_dev_unlock_bh(hdev);
1059 hci_dev_put(hdev); 1078 hci_dev_put(hdev);
1060 1079
1061 return err; 1080 return err;
@@ -1076,7 +1095,7 @@ static int get_connections(struct sock *sk, u16 index)
1076 if (!hdev) 1095 if (!hdev)
1077 return cmd_status(sk, index, MGMT_OP_GET_CONNECTIONS, ENODEV); 1096 return cmd_status(sk, index, MGMT_OP_GET_CONNECTIONS, ENODEV);
1078 1097
1079 hci_dev_lock(hdev); 1098 hci_dev_lock_bh(hdev);
1080 1099
1081 count = 0; 1100 count = 0;
1082 list_for_each(p, &hdev->conn_hash.list) { 1101 list_for_each(p, &hdev->conn_hash.list) {
@@ -1092,8 +1111,6 @@ static int get_connections(struct sock *sk, u16 index)
1092 1111
1093 put_unaligned_le16(count, &rp->conn_count); 1112 put_unaligned_le16(count, &rp->conn_count);
1094 1113
1095 read_lock(&hci_dev_list_lock);
1096
1097 i = 0; 1114 i = 0;
1098 list_for_each(p, &hdev->conn_hash.list) { 1115 list_for_each(p, &hdev->conn_hash.list) {
1099 struct hci_conn *c = list_entry(p, struct hci_conn, list); 1116 struct hci_conn *c = list_entry(p, struct hci_conn, list);
@@ -1101,22 +1118,41 @@ static int get_connections(struct sock *sk, u16 index)
1101 bacpy(&rp->conn[i++], &c->dst); 1118 bacpy(&rp->conn[i++], &c->dst);
1102 } 1119 }
1103 1120
1104 read_unlock(&hci_dev_list_lock);
1105
1106 err = cmd_complete(sk, index, MGMT_OP_GET_CONNECTIONS, rp, rp_len); 1121 err = cmd_complete(sk, index, MGMT_OP_GET_CONNECTIONS, rp, rp_len);
1107 1122
1108unlock: 1123unlock:
1109 kfree(rp); 1124 kfree(rp);
1110 hci_dev_unlock(hdev); 1125 hci_dev_unlock_bh(hdev);
1111 hci_dev_put(hdev); 1126 hci_dev_put(hdev);
1112 return err; 1127 return err;
1113} 1128}
1114 1129
1130static int send_pin_code_neg_reply(struct sock *sk, u16 index,
1131 struct hci_dev *hdev, struct mgmt_cp_pin_code_neg_reply *cp)
1132{
1133 struct pending_cmd *cmd;
1134 int err;
1135
1136 cmd = mgmt_pending_add(sk, MGMT_OP_PIN_CODE_NEG_REPLY, index, cp,
1137 sizeof(*cp));
1138 if (!cmd)
1139 return -ENOMEM;
1140
1141 err = hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY, sizeof(cp->bdaddr),
1142 &cp->bdaddr);
1143 if (err < 0)
1144 mgmt_pending_remove(cmd);
1145
1146 return err;
1147}
1148
1115static int pin_code_reply(struct sock *sk, u16 index, unsigned char *data, 1149static int pin_code_reply(struct sock *sk, u16 index, unsigned char *data,
1116 u16 len) 1150 u16 len)
1117{ 1151{
1118 struct hci_dev *hdev; 1152 struct hci_dev *hdev;
1153 struct hci_conn *conn;
1119 struct mgmt_cp_pin_code_reply *cp; 1154 struct mgmt_cp_pin_code_reply *cp;
1155 struct mgmt_cp_pin_code_neg_reply ncp;
1120 struct hci_cp_pin_code_reply reply; 1156 struct hci_cp_pin_code_reply reply;
1121 struct pending_cmd *cmd; 1157 struct pending_cmd *cmd;
1122 int err; 1158 int err;
@@ -1132,13 +1168,32 @@ static int pin_code_reply(struct sock *sk, u16 index, unsigned char *data,
1132 if (!hdev) 1168 if (!hdev)
1133 return cmd_status(sk, index, MGMT_OP_PIN_CODE_REPLY, ENODEV); 1169 return cmd_status(sk, index, MGMT_OP_PIN_CODE_REPLY, ENODEV);
1134 1170
1135 hci_dev_lock(hdev); 1171 hci_dev_lock_bh(hdev);
1136 1172
1137 if (!test_bit(HCI_UP, &hdev->flags)) { 1173 if (!test_bit(HCI_UP, &hdev->flags)) {
1138 err = cmd_status(sk, index, MGMT_OP_PIN_CODE_REPLY, ENETDOWN); 1174 err = cmd_status(sk, index, MGMT_OP_PIN_CODE_REPLY, ENETDOWN);
1139 goto failed; 1175 goto failed;
1140 } 1176 }
1141 1177
1178 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1179 if (!conn) {
1180 err = cmd_status(sk, index, MGMT_OP_PIN_CODE_REPLY, ENOTCONN);
1181 goto failed;
1182 }
1183
1184 if (conn->pending_sec_level == BT_SECURITY_HIGH && cp->pin_len != 16) {
1185 bacpy(&ncp.bdaddr, &cp->bdaddr);
1186
1187 BT_ERR("PIN code is not 16 bytes long");
1188
1189 err = send_pin_code_neg_reply(sk, index, hdev, &ncp);
1190 if (err >= 0)
1191 err = cmd_status(sk, index, MGMT_OP_PIN_CODE_REPLY,
1192 EINVAL);
1193
1194 goto failed;
1195 }
1196
1142 cmd = mgmt_pending_add(sk, MGMT_OP_PIN_CODE_REPLY, index, data, len); 1197 cmd = mgmt_pending_add(sk, MGMT_OP_PIN_CODE_REPLY, index, data, len);
1143 if (!cmd) { 1198 if (!cmd) {
1144 err = -ENOMEM; 1199 err = -ENOMEM;
@@ -1147,14 +1202,14 @@ static int pin_code_reply(struct sock *sk, u16 index, unsigned char *data,
1147 1202
1148 bacpy(&reply.bdaddr, &cp->bdaddr); 1203 bacpy(&reply.bdaddr, &cp->bdaddr);
1149 reply.pin_len = cp->pin_len; 1204 reply.pin_len = cp->pin_len;
1150 memcpy(reply.pin_code, cp->pin_code, 16); 1205 memcpy(reply.pin_code, cp->pin_code, sizeof(reply.pin_code));
1151 1206
1152 err = hci_send_cmd(hdev, HCI_OP_PIN_CODE_REPLY, sizeof(reply), &reply); 1207 err = hci_send_cmd(hdev, HCI_OP_PIN_CODE_REPLY, sizeof(reply), &reply);
1153 if (err < 0) 1208 if (err < 0)
1154 mgmt_pending_remove(cmd); 1209 mgmt_pending_remove(cmd);
1155 1210
1156failed: 1211failed:
1157 hci_dev_unlock(hdev); 1212 hci_dev_unlock_bh(hdev);
1158 hci_dev_put(hdev); 1213 hci_dev_put(hdev);
1159 1214
1160 return err; 1215 return err;
@@ -1165,7 +1220,6 @@ static int pin_code_neg_reply(struct sock *sk, u16 index, unsigned char *data,
1165{ 1220{
1166 struct hci_dev *hdev; 1221 struct hci_dev *hdev;
1167 struct mgmt_cp_pin_code_neg_reply *cp; 1222 struct mgmt_cp_pin_code_neg_reply *cp;
1168 struct pending_cmd *cmd;
1169 int err; 1223 int err;
1170 1224
1171 BT_DBG(""); 1225 BT_DBG("");
@@ -1181,7 +1235,7 @@ static int pin_code_neg_reply(struct sock *sk, u16 index, unsigned char *data,
1181 return cmd_status(sk, index, MGMT_OP_PIN_CODE_NEG_REPLY, 1235 return cmd_status(sk, index, MGMT_OP_PIN_CODE_NEG_REPLY,
1182 ENODEV); 1236 ENODEV);
1183 1237
1184 hci_dev_lock(hdev); 1238 hci_dev_lock_bh(hdev);
1185 1239
1186 if (!test_bit(HCI_UP, &hdev->flags)) { 1240 if (!test_bit(HCI_UP, &hdev->flags)) {
1187 err = cmd_status(sk, index, MGMT_OP_PIN_CODE_NEG_REPLY, 1241 err = cmd_status(sk, index, MGMT_OP_PIN_CODE_NEG_REPLY,
@@ -1189,20 +1243,10 @@ static int pin_code_neg_reply(struct sock *sk, u16 index, unsigned char *data,
1189 goto failed; 1243 goto failed;
1190 } 1244 }
1191 1245
1192 cmd = mgmt_pending_add(sk, MGMT_OP_PIN_CODE_NEG_REPLY, index, 1246 err = send_pin_code_neg_reply(sk, index, hdev, cp);
1193 data, len);
1194 if (!cmd) {
1195 err = -ENOMEM;
1196 goto failed;
1197 }
1198
1199 err = hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY, sizeof(cp->bdaddr),
1200 &cp->bdaddr);
1201 if (err < 0)
1202 mgmt_pending_remove(cmd);
1203 1247
1204failed: 1248failed:
1205 hci_dev_unlock(hdev); 1249 hci_dev_unlock_bh(hdev);
1206 hci_dev_put(hdev); 1250 hci_dev_put(hdev);
1207 1251
1208 return err; 1252 return err;
@@ -1225,14 +1269,14 @@ static int set_io_capability(struct sock *sk, u16 index, unsigned char *data,
1225 if (!hdev) 1269 if (!hdev)
1226 return cmd_status(sk, index, MGMT_OP_SET_IO_CAPABILITY, ENODEV); 1270 return cmd_status(sk, index, MGMT_OP_SET_IO_CAPABILITY, ENODEV);
1227 1271
1228 hci_dev_lock(hdev); 1272 hci_dev_lock_bh(hdev);
1229 1273
1230 hdev->io_capability = cp->io_capability; 1274 hdev->io_capability = cp->io_capability;
1231 1275
1232 BT_DBG("%s IO capability set to 0x%02x", hdev->name, 1276 BT_DBG("%s IO capability set to 0x%02x", hdev->name,
1233 hdev->io_capability); 1277 hdev->io_capability);
1234 1278
1235 hci_dev_unlock(hdev); 1279 hci_dev_unlock_bh(hdev);
1236 hci_dev_put(hdev); 1280 hci_dev_put(hdev);
1237 1281
1238 return cmd_complete(sk, index, MGMT_OP_SET_IO_CAPABILITY, NULL, 0); 1282 return cmd_complete(sk, index, MGMT_OP_SET_IO_CAPABILITY, NULL, 0);
@@ -1318,7 +1362,7 @@ static int pair_device(struct sock *sk, u16 index, unsigned char *data, u16 len)
1318 if (!hdev) 1362 if (!hdev)
1319 return cmd_status(sk, index, MGMT_OP_PAIR_DEVICE, ENODEV); 1363 return cmd_status(sk, index, MGMT_OP_PAIR_DEVICE, ENODEV);
1320 1364
1321 hci_dev_lock(hdev); 1365 hci_dev_lock_bh(hdev);
1322 1366
1323 if (cp->io_cap == 0x03) { 1367 if (cp->io_cap == 0x03) {
1324 sec_level = BT_SECURITY_MEDIUM; 1368 sec_level = BT_SECURITY_MEDIUM;
@@ -1328,7 +1372,7 @@ static int pair_device(struct sock *sk, u16 index, unsigned char *data, u16 len)
1328 auth_type = HCI_AT_DEDICATED_BONDING_MITM; 1372 auth_type = HCI_AT_DEDICATED_BONDING_MITM;
1329 } 1373 }
1330 1374
1331 conn = hci_connect(hdev, ACL_LINK, &cp->bdaddr, sec_level, auth_type); 1375 conn = hci_connect(hdev, ACL_LINK, 0, &cp->bdaddr, sec_level, auth_type);
1332 if (IS_ERR(conn)) { 1376 if (IS_ERR(conn)) {
1333 err = PTR_ERR(conn); 1377 err = PTR_ERR(conn);
1334 goto unlock; 1378 goto unlock;
@@ -1360,7 +1404,7 @@ static int pair_device(struct sock *sk, u16 index, unsigned char *data, u16 len)
1360 err = 0; 1404 err = 0;
1361 1405
1362unlock: 1406unlock:
1363 hci_dev_unlock(hdev); 1407 hci_dev_unlock_bh(hdev);
1364 hci_dev_put(hdev); 1408 hci_dev_put(hdev);
1365 1409
1366 return err; 1410 return err;
@@ -1392,7 +1436,7 @@ static int user_confirm_reply(struct sock *sk, u16 index, unsigned char *data,
1392 if (!hdev) 1436 if (!hdev)
1393 return cmd_status(sk, index, mgmt_op, ENODEV); 1437 return cmd_status(sk, index, mgmt_op, ENODEV);
1394 1438
1395 hci_dev_lock(hdev); 1439 hci_dev_lock_bh(hdev);
1396 1440
1397 if (!test_bit(HCI_UP, &hdev->flags)) { 1441 if (!test_bit(HCI_UP, &hdev->flags)) {
1398 err = cmd_status(sk, index, mgmt_op, ENETDOWN); 1442 err = cmd_status(sk, index, mgmt_op, ENETDOWN);
@@ -1410,7 +1454,7 @@ static int user_confirm_reply(struct sock *sk, u16 index, unsigned char *data,
1410 mgmt_pending_remove(cmd); 1454 mgmt_pending_remove(cmd);
1411 1455
1412failed: 1456failed:
1413 hci_dev_unlock(hdev); 1457 hci_dev_unlock_bh(hdev);
1414 hci_dev_put(hdev); 1458 hci_dev_put(hdev);
1415 1459
1416 return err; 1460 return err;
@@ -1434,7 +1478,7 @@ static int set_local_name(struct sock *sk, u16 index, unsigned char *data,
1434 if (!hdev) 1478 if (!hdev)
1435 return cmd_status(sk, index, MGMT_OP_SET_LOCAL_NAME, ENODEV); 1479 return cmd_status(sk, index, MGMT_OP_SET_LOCAL_NAME, ENODEV);
1436 1480
1437 hci_dev_lock(hdev); 1481 hci_dev_lock_bh(hdev);
1438 1482
1439 cmd = mgmt_pending_add(sk, MGMT_OP_SET_LOCAL_NAME, index, data, len); 1483 cmd = mgmt_pending_add(sk, MGMT_OP_SET_LOCAL_NAME, index, data, len);
1440 if (!cmd) { 1484 if (!cmd) {
@@ -1449,7 +1493,7 @@ static int set_local_name(struct sock *sk, u16 index, unsigned char *data,
1449 mgmt_pending_remove(cmd); 1493 mgmt_pending_remove(cmd);
1450 1494
1451failed: 1495failed:
1452 hci_dev_unlock(hdev); 1496 hci_dev_unlock_bh(hdev);
1453 hci_dev_put(hdev); 1497 hci_dev_put(hdev);
1454 1498
1455 return err; 1499 return err;
@@ -1468,7 +1512,7 @@ static int read_local_oob_data(struct sock *sk, u16 index)
1468 return cmd_status(sk, index, MGMT_OP_READ_LOCAL_OOB_DATA, 1512 return cmd_status(sk, index, MGMT_OP_READ_LOCAL_OOB_DATA,
1469 ENODEV); 1513 ENODEV);
1470 1514
1471 hci_dev_lock(hdev); 1515 hci_dev_lock_bh(hdev);
1472 1516
1473 if (!test_bit(HCI_UP, &hdev->flags)) { 1517 if (!test_bit(HCI_UP, &hdev->flags)) {
1474 err = cmd_status(sk, index, MGMT_OP_READ_LOCAL_OOB_DATA, 1518 err = cmd_status(sk, index, MGMT_OP_READ_LOCAL_OOB_DATA,
@@ -1498,7 +1542,7 @@ static int read_local_oob_data(struct sock *sk, u16 index)
1498 mgmt_pending_remove(cmd); 1542 mgmt_pending_remove(cmd);
1499 1543
1500unlock: 1544unlock:
1501 hci_dev_unlock(hdev); 1545 hci_dev_unlock_bh(hdev);
1502 hci_dev_put(hdev); 1546 hci_dev_put(hdev);
1503 1547
1504 return err; 1548 return err;
@@ -1522,7 +1566,7 @@ static int add_remote_oob_data(struct sock *sk, u16 index, unsigned char *data,
1522 return cmd_status(sk, index, MGMT_OP_ADD_REMOTE_OOB_DATA, 1566 return cmd_status(sk, index, MGMT_OP_ADD_REMOTE_OOB_DATA,
1523 ENODEV); 1567 ENODEV);
1524 1568
1525 hci_dev_lock(hdev); 1569 hci_dev_lock_bh(hdev);
1526 1570
1527 err = hci_add_remote_oob_data(hdev, &cp->bdaddr, cp->hash, 1571 err = hci_add_remote_oob_data(hdev, &cp->bdaddr, cp->hash,
1528 cp->randomizer); 1572 cp->randomizer);
@@ -1532,7 +1576,7 @@ static int add_remote_oob_data(struct sock *sk, u16 index, unsigned char *data,
1532 err = cmd_complete(sk, index, MGMT_OP_ADD_REMOTE_OOB_DATA, NULL, 1576 err = cmd_complete(sk, index, MGMT_OP_ADD_REMOTE_OOB_DATA, NULL,
1533 0); 1577 0);
1534 1578
1535 hci_dev_unlock(hdev); 1579 hci_dev_unlock_bh(hdev);
1536 hci_dev_put(hdev); 1580 hci_dev_put(hdev);
1537 1581
1538 return err; 1582 return err;
@@ -1556,7 +1600,7 @@ static int remove_remote_oob_data(struct sock *sk, u16 index,
1556 return cmd_status(sk, index, MGMT_OP_REMOVE_REMOTE_OOB_DATA, 1600 return cmd_status(sk, index, MGMT_OP_REMOVE_REMOTE_OOB_DATA,
1557 ENODEV); 1601 ENODEV);
1558 1602
1559 hci_dev_lock(hdev); 1603 hci_dev_lock_bh(hdev);
1560 1604
1561 err = hci_remove_remote_oob_data(hdev, &cp->bdaddr); 1605 err = hci_remove_remote_oob_data(hdev, &cp->bdaddr);
1562 if (err < 0) 1606 if (err < 0)
@@ -1566,7 +1610,7 @@ static int remove_remote_oob_data(struct sock *sk, u16 index,
1566 err = cmd_complete(sk, index, MGMT_OP_REMOVE_REMOTE_OOB_DATA, 1610 err = cmd_complete(sk, index, MGMT_OP_REMOVE_REMOTE_OOB_DATA,
1567 NULL, 0); 1611 NULL, 0);
1568 1612
1569 hci_dev_unlock(hdev); 1613 hci_dev_unlock_bh(hdev);
1570 hci_dev_put(hdev); 1614 hci_dev_put(hdev);
1571 1615
1572 return err; 1616 return err;
@@ -1641,6 +1685,70 @@ failed:
1641 return err; 1685 return err;
1642} 1686}
1643 1687
1688static int block_device(struct sock *sk, u16 index, unsigned char *data,
1689 u16 len)
1690{
1691 struct hci_dev *hdev;
1692 struct mgmt_cp_block_device *cp;
1693 int err;
1694
1695 BT_DBG("hci%u", index);
1696
1697 cp = (void *) data;
1698
1699 if (len != sizeof(*cp))
1700 return cmd_status(sk, index, MGMT_OP_BLOCK_DEVICE,
1701 EINVAL);
1702
1703 hdev = hci_dev_get(index);
1704 if (!hdev)
1705 return cmd_status(sk, index, MGMT_OP_BLOCK_DEVICE,
1706 ENODEV);
1707
1708 err = hci_blacklist_add(hdev, &cp->bdaddr);
1709
1710 if (err < 0)
1711 err = cmd_status(sk, index, MGMT_OP_BLOCK_DEVICE, -err);
1712 else
1713 err = cmd_complete(sk, index, MGMT_OP_BLOCK_DEVICE,
1714 NULL, 0);
1715 hci_dev_put(hdev);
1716
1717 return err;
1718}
1719
1720static int unblock_device(struct sock *sk, u16 index, unsigned char *data,
1721 u16 len)
1722{
1723 struct hci_dev *hdev;
1724 struct mgmt_cp_unblock_device *cp;
1725 int err;
1726
1727 BT_DBG("hci%u", index);
1728
1729 cp = (void *) data;
1730
1731 if (len != sizeof(*cp))
1732 return cmd_status(sk, index, MGMT_OP_UNBLOCK_DEVICE,
1733 EINVAL);
1734
1735 hdev = hci_dev_get(index);
1736 if (!hdev)
1737 return cmd_status(sk, index, MGMT_OP_UNBLOCK_DEVICE,
1738 ENODEV);
1739
1740 err = hci_blacklist_del(hdev, &cp->bdaddr);
1741
1742 if (err < 0)
1743 err = cmd_status(sk, index, MGMT_OP_UNBLOCK_DEVICE, -err);
1744 else
1745 err = cmd_complete(sk, index, MGMT_OP_UNBLOCK_DEVICE,
1746 NULL, 0);
1747 hci_dev_put(hdev);
1748
1749 return err;
1750}
1751
1644int mgmt_control(struct sock *sk, struct msghdr *msg, size_t msglen) 1752int mgmt_control(struct sock *sk, struct msghdr *msg, size_t msglen)
1645{ 1753{
1646 unsigned char *buf; 1754 unsigned char *buf;
@@ -1755,6 +1863,12 @@ int mgmt_control(struct sock *sk, struct msghdr *msg, size_t msglen)
1755 case MGMT_OP_STOP_DISCOVERY: 1863 case MGMT_OP_STOP_DISCOVERY:
1756 err = stop_discovery(sk, index); 1864 err = stop_discovery(sk, index);
1757 break; 1865 break;
1866 case MGMT_OP_BLOCK_DEVICE:
1867 err = block_device(sk, index, buf + sizeof(*hdr), len);
1868 break;
1869 case MGMT_OP_UNBLOCK_DEVICE:
1870 err = unblock_device(sk, index, buf + sizeof(*hdr), len);
1871 break;
1758 default: 1872 default:
1759 BT_DBG("Unknown op %u", opcode); 1873 BT_DBG("Unknown op %u", opcode);
1760 err = cmd_status(sk, index, opcode, 0x01); 1874 err = cmd_status(sk, index, opcode, 0x01);
@@ -1863,17 +1977,28 @@ int mgmt_connectable(u16 index, u8 connectable)
1863 1977
1864int mgmt_new_key(u16 index, struct link_key *key, u8 persistent) 1978int mgmt_new_key(u16 index, struct link_key *key, u8 persistent)
1865{ 1979{
1866 struct mgmt_ev_new_key ev; 1980 struct mgmt_ev_new_key *ev;
1981 int err, total;
1867 1982
1868 memset(&ev, 0, sizeof(ev)); 1983 total = sizeof(struct mgmt_ev_new_key) + key->dlen;
1984 ev = kzalloc(total, GFP_ATOMIC);
1985 if (!ev)
1986 return -ENOMEM;
1869 1987
1870 ev.store_hint = persistent; 1988 bacpy(&ev->key.bdaddr, &key->bdaddr);
1871 bacpy(&ev.key.bdaddr, &key->bdaddr); 1989 ev->key.type = key->type;
1872 ev.key.type = key->type; 1990 memcpy(ev->key.val, key->val, 16);
1873 memcpy(ev.key.val, key->val, 16); 1991 ev->key.pin_len = key->pin_len;
1874 ev.key.pin_len = key->pin_len; 1992 ev->key.dlen = key->dlen;
1993 ev->store_hint = persistent;
1875 1994
1876 return mgmt_event(MGMT_EV_NEW_KEY, index, &ev, sizeof(ev), NULL); 1995 memcpy(ev->key.data, key->data, key->dlen);
1996
1997 err = mgmt_event(MGMT_EV_NEW_KEY, index, ev, total, NULL);
1998
1999 kfree(ev);
2000
2001 return err;
1877} 2002}
1878 2003
1879int mgmt_connected(u16 index, bdaddr_t *bdaddr) 2004int mgmt_connected(u16 index, bdaddr_t *bdaddr)
diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
index 5759bb7054f..41b3a092841 100644
--- a/net/bluetooth/rfcomm/core.c
+++ b/net/bluetooth/rfcomm/core.c
@@ -62,7 +62,6 @@ static DEFINE_MUTEX(rfcomm_mutex);
62#define rfcomm_lock() mutex_lock(&rfcomm_mutex) 62#define rfcomm_lock() mutex_lock(&rfcomm_mutex)
63#define rfcomm_unlock() mutex_unlock(&rfcomm_mutex) 63#define rfcomm_unlock() mutex_unlock(&rfcomm_mutex)
64 64
65static unsigned long rfcomm_event;
66 65
67static LIST_HEAD(session_list); 66static LIST_HEAD(session_list);
68 67
@@ -120,7 +119,6 @@ static inline void rfcomm_schedule(void)
120{ 119{
121 if (!rfcomm_thread) 120 if (!rfcomm_thread)
122 return; 121 return;
123 set_bit(RFCOMM_SCHED_WAKEUP, &rfcomm_event);
124 wake_up_process(rfcomm_thread); 122 wake_up_process(rfcomm_thread);
125} 123}
126 124
@@ -466,7 +464,6 @@ static int __rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
466 464
467 switch (d->state) { 465 switch (d->state) {
468 case BT_CONNECT: 466 case BT_CONNECT:
469 case BT_CONFIG:
470 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) { 467 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
471 set_bit(RFCOMM_AUTH_REJECT, &d->flags); 468 set_bit(RFCOMM_AUTH_REJECT, &d->flags);
472 rfcomm_schedule(); 469 rfcomm_schedule();
@@ -669,6 +666,9 @@ static void rfcomm_session_close(struct rfcomm_session *s, int err)
669 666
670 BT_DBG("session %p state %ld err %d", s, s->state, err); 667 BT_DBG("session %p state %ld err %d", s, s->state, err);
671 668
669 if (s->state == BT_CLOSED)
670 return;
671
672 rfcomm_session_hold(s); 672 rfcomm_session_hold(s);
673 673
674 s->state = BT_CLOSED; 674 s->state = BT_CLOSED;
@@ -681,6 +681,12 @@ static void rfcomm_session_close(struct rfcomm_session *s, int err)
681 } 681 }
682 682
683 rfcomm_session_clear_timer(s); 683 rfcomm_session_clear_timer(s);
684
685 /* Drop reference for incoming sessions */
686 if (!s->initiator)
687 if (list_empty(&s->dlcs))
688 rfcomm_session_put(s);
689
684 rfcomm_session_put(s); 690 rfcomm_session_put(s);
685} 691}
686 692
@@ -1161,12 +1167,7 @@ static int rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci)
1161 break; 1167 break;
1162 1168
1163 case BT_DISCONN: 1169 case BT_DISCONN:
1164 /* When socket is closed and we are not RFCOMM 1170 rfcomm_session_close(s, 0);
1165 * initiator rfcomm_process_rx already calls
1166 * rfcomm_session_put() */
1167 if (s->sock->sk->sk_state != BT_CLOSED)
1168 if (list_empty(&s->dlcs))
1169 rfcomm_session_put(s);
1170 break; 1171 break;
1171 } 1172 }
1172 } 1173 }
@@ -1197,7 +1198,6 @@ static int rfcomm_recv_dm(struct rfcomm_session *s, u8 dlci)
1197 else 1198 else
1198 err = ECONNRESET; 1199 err = ECONNRESET;
1199 1200
1200 s->state = BT_CLOSED;
1201 rfcomm_session_close(s, err); 1201 rfcomm_session_close(s, err);
1202 } 1202 }
1203 return 0; 1203 return 0;
@@ -1232,7 +1232,6 @@ static int rfcomm_recv_disc(struct rfcomm_session *s, u8 dlci)
1232 else 1232 else
1233 err = ECONNRESET; 1233 err = ECONNRESET;
1234 1234
1235 s->state = BT_CLOSED;
1236 rfcomm_session_close(s, err); 1235 rfcomm_session_close(s, err);
1237 } 1236 }
1238 1237
@@ -1858,12 +1857,8 @@ static inline void rfcomm_process_rx(struct rfcomm_session *s)
1858 rfcomm_recv_frame(s, skb); 1857 rfcomm_recv_frame(s, skb);
1859 } 1858 }
1860 1859
1861 if (sk->sk_state == BT_CLOSED) { 1860 if (sk->sk_state == BT_CLOSED)
1862 if (!s->initiator)
1863 rfcomm_session_put(s);
1864
1865 rfcomm_session_close(s, sk->sk_err); 1861 rfcomm_session_close(s, sk->sk_err);
1866 }
1867} 1862}
1868 1863
1869static inline void rfcomm_accept_connection(struct rfcomm_session *s) 1864static inline void rfcomm_accept_connection(struct rfcomm_session *s)
@@ -1918,7 +1913,6 @@ static inline void rfcomm_check_connection(struct rfcomm_session *s)
1918 break; 1913 break;
1919 1914
1920 case BT_CLOSED: 1915 case BT_CLOSED:
1921 s->state = BT_CLOSED;
1922 rfcomm_session_close(s, sk->sk_err); 1916 rfcomm_session_close(s, sk->sk_err);
1923 break; 1917 break;
1924 } 1918 }
@@ -2038,19 +2032,18 @@ static int rfcomm_run(void *unused)
2038 2032
2039 rfcomm_add_listener(BDADDR_ANY); 2033 rfcomm_add_listener(BDADDR_ANY);
2040 2034
2041 while (!kthread_should_stop()) { 2035 while (1) {
2042 set_current_state(TASK_INTERRUPTIBLE); 2036 set_current_state(TASK_INTERRUPTIBLE);
2043 if (!test_bit(RFCOMM_SCHED_WAKEUP, &rfcomm_event)) { 2037
2044 /* No pending events. Let's sleep. 2038 if (kthread_should_stop())
2045 * Incoming connections and data will wake us up. */ 2039 break;
2046 schedule();
2047 }
2048 set_current_state(TASK_RUNNING);
2049 2040
2050 /* Process stuff */ 2041 /* Process stuff */
2051 clear_bit(RFCOMM_SCHED_WAKEUP, &rfcomm_event);
2052 rfcomm_process_sessions(); 2042 rfcomm_process_sessions();
2043
2044 schedule();
2053 } 2045 }
2046 __set_current_state(TASK_RUNNING);
2054 2047
2055 rfcomm_kill_listener(); 2048 rfcomm_kill_listener();
2056 2049
diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
index 1b10727ce52..5417f612732 100644
--- a/net/bluetooth/rfcomm/sock.c
+++ b/net/bluetooth/rfcomm/sock.c
@@ -42,6 +42,7 @@
42#include <linux/device.h> 42#include <linux/device.h>
43#include <linux/debugfs.h> 43#include <linux/debugfs.h>
44#include <linux/seq_file.h> 44#include <linux/seq_file.h>
45#include <linux/security.h>
45#include <net/sock.h> 46#include <net/sock.h>
46 47
47#include <asm/system.h> 48#include <asm/system.h>
@@ -264,6 +265,8 @@ static void rfcomm_sock_init(struct sock *sk, struct sock *parent)
264 265
265 pi->sec_level = rfcomm_pi(parent)->sec_level; 266 pi->sec_level = rfcomm_pi(parent)->sec_level;
266 pi->role_switch = rfcomm_pi(parent)->role_switch; 267 pi->role_switch = rfcomm_pi(parent)->role_switch;
268
269 security_sk_clone(parent, sk);
267 } else { 270 } else {
268 pi->dlc->defer_setup = 0; 271 pi->dlc->defer_setup = 0;
269 272
@@ -485,11 +488,6 @@ static int rfcomm_sock_accept(struct socket *sock, struct socket *newsock, int f
485 488
486 lock_sock(sk); 489 lock_sock(sk);
487 490
488 if (sk->sk_state != BT_LISTEN) {
489 err = -EBADFD;
490 goto done;
491 }
492
493 if (sk->sk_type != SOCK_STREAM) { 491 if (sk->sk_type != SOCK_STREAM) {
494 err = -EINVAL; 492 err = -EINVAL;
495 goto done; 493 goto done;
@@ -501,19 +499,20 @@ static int rfcomm_sock_accept(struct socket *sock, struct socket *newsock, int f
501 499
502 /* Wait for an incoming connection. (wake-one). */ 500 /* Wait for an incoming connection. (wake-one). */
503 add_wait_queue_exclusive(sk_sleep(sk), &wait); 501 add_wait_queue_exclusive(sk_sleep(sk), &wait);
504 while (!(nsk = bt_accept_dequeue(sk, newsock))) { 502 while (1) {
505 set_current_state(TASK_INTERRUPTIBLE); 503 set_current_state(TASK_INTERRUPTIBLE);
506 if (!timeo) { 504
507 err = -EAGAIN; 505 if (sk->sk_state != BT_LISTEN) {
506 err = -EBADFD;
508 break; 507 break;
509 } 508 }
510 509
511 release_sock(sk); 510 nsk = bt_accept_dequeue(sk, newsock);
512 timeo = schedule_timeout(timeo); 511 if (nsk)
513 lock_sock(sk); 512 break;
514 513
515 if (sk->sk_state != BT_LISTEN) { 514 if (!timeo) {
516 err = -EBADFD; 515 err = -EAGAIN;
517 break; 516 break;
518 } 517 }
519 518
@@ -521,8 +520,12 @@ static int rfcomm_sock_accept(struct socket *sock, struct socket *newsock, int f
521 err = sock_intr_errno(timeo); 520 err = sock_intr_errno(timeo);
522 break; 521 break;
523 } 522 }
523
524 release_sock(sk);
525 timeo = schedule_timeout(timeo);
526 lock_sock(sk);
524 } 527 }
525 set_current_state(TASK_RUNNING); 528 __set_current_state(TASK_RUNNING);
526 remove_wait_queue(sk_sleep(sk), &wait); 529 remove_wait_queue(sk_sleep(sk), &wait);
527 530
528 if (err) 531 if (err)
@@ -679,7 +682,8 @@ static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, c
679{ 682{
680 struct sock *sk = sock->sk; 683 struct sock *sk = sock->sk;
681 struct bt_security sec; 684 struct bt_security sec;
682 int len, err = 0; 685 int err = 0;
686 size_t len;
683 u32 opt; 687 u32 opt;
684 688
685 BT_DBG("sk %p", sk); 689 BT_DBG("sk %p", sk);
@@ -741,7 +745,6 @@ static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, c
741static int rfcomm_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen) 745static int rfcomm_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen)
742{ 746{
743 struct sock *sk = sock->sk; 747 struct sock *sk = sock->sk;
744 struct sock *l2cap_sk;
745 struct rfcomm_conninfo cinfo; 748 struct rfcomm_conninfo cinfo;
746 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn; 749 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
747 int len, err = 0; 750 int len, err = 0;
@@ -786,8 +789,6 @@ static int rfcomm_sock_getsockopt_old(struct socket *sock, int optname, char __u
786 break; 789 break;
787 } 790 }
788 791
789 l2cap_sk = rfcomm_pi(sk)->dlc->session->sock->sk;
790
791 memset(&cinfo, 0, sizeof(cinfo)); 792 memset(&cinfo, 0, sizeof(cinfo));
792 cinfo.hci_handle = conn->hcon->handle; 793 cinfo.hci_handle = conn->hcon->handle;
793 memcpy(cinfo.dev_class, conn->hcon->dev_class, 3); 794 memcpy(cinfo.dev_class, conn->hcon->dev_class, 3);
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index cb4fb7837e5..c0b9ad0524e 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -41,6 +41,7 @@
41#include <linux/debugfs.h> 41#include <linux/debugfs.h>
42#include <linux/seq_file.h> 42#include <linux/seq_file.h>
43#include <linux/list.h> 43#include <linux/list.h>
44#include <linux/security.h>
44#include <net/sock.h> 45#include <net/sock.h>
45 46
46#include <asm/system.h> 47#include <asm/system.h>
@@ -177,6 +178,7 @@ static int sco_connect(struct sock *sk)
177{ 178{
178 bdaddr_t *src = &bt_sk(sk)->src; 179 bdaddr_t *src = &bt_sk(sk)->src;
179 bdaddr_t *dst = &bt_sk(sk)->dst; 180 bdaddr_t *dst = &bt_sk(sk)->dst;
181 __u16 pkt_type = sco_pi(sk)->pkt_type;
180 struct sco_conn *conn; 182 struct sco_conn *conn;
181 struct hci_conn *hcon; 183 struct hci_conn *hcon;
182 struct hci_dev *hdev; 184 struct hci_dev *hdev;
@@ -192,10 +194,12 @@ static int sco_connect(struct sock *sk)
192 194
193 if (lmp_esco_capable(hdev) && !disable_esco) 195 if (lmp_esco_capable(hdev) && !disable_esco)
194 type = ESCO_LINK; 196 type = ESCO_LINK;
195 else 197 else {
196 type = SCO_LINK; 198 type = SCO_LINK;
199 pkt_type &= SCO_ESCO_MASK;
200 }
197 201
198 hcon = hci_connect(hdev, type, dst, BT_SECURITY_LOW, HCI_AT_NO_BONDING); 202 hcon = hci_connect(hdev, type, pkt_type, dst, BT_SECURITY_LOW, HCI_AT_NO_BONDING);
199 if (IS_ERR(hcon)) { 203 if (IS_ERR(hcon)) {
200 err = PTR_ERR(hcon); 204 err = PTR_ERR(hcon);
201 goto done; 205 goto done;
@@ -403,8 +407,10 @@ static void sco_sock_init(struct sock *sk, struct sock *parent)
403{ 407{
404 BT_DBG("sk %p", sk); 408 BT_DBG("sk %p", sk);
405 409
406 if (parent) 410 if (parent) {
407 sk->sk_type = parent->sk_type; 411 sk->sk_type = parent->sk_type;
412 security_sk_clone(parent, sk);
413 }
408} 414}
409 415
410static struct proto sco_proto = { 416static struct proto sco_proto = {
@@ -460,18 +466,22 @@ static int sco_sock_create(struct net *net, struct socket *sock, int protocol,
460 return 0; 466 return 0;
461} 467}
462 468
463static int sco_sock_bind(struct socket *sock, struct sockaddr *addr, int addr_len) 469static int sco_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
464{ 470{
465 struct sockaddr_sco *sa = (struct sockaddr_sco *) addr; 471 struct sockaddr_sco sa;
466 struct sock *sk = sock->sk; 472 struct sock *sk = sock->sk;
467 bdaddr_t *src = &sa->sco_bdaddr; 473 bdaddr_t *src = &sa.sco_bdaddr;
468 int err = 0; 474 int len, err = 0;
469 475
470 BT_DBG("sk %p %s", sk, batostr(&sa->sco_bdaddr)); 476 BT_DBG("sk %p %s", sk, batostr(&sa.sco_bdaddr));
471 477
472 if (!addr || addr->sa_family != AF_BLUETOOTH) 478 if (!addr || addr->sa_family != AF_BLUETOOTH)
473 return -EINVAL; 479 return -EINVAL;
474 480
481 memset(&sa, 0, sizeof(sa));
482 len = min_t(unsigned int, sizeof(sa), alen);
483 memcpy(&sa, addr, len);
484
475 lock_sock(sk); 485 lock_sock(sk);
476 486
477 if (sk->sk_state != BT_OPEN) { 487 if (sk->sk_state != BT_OPEN) {
@@ -485,7 +495,8 @@ static int sco_sock_bind(struct socket *sock, struct sockaddr *addr, int addr_le
485 err = -EADDRINUSE; 495 err = -EADDRINUSE;
486 } else { 496 } else {
487 /* Save source address */ 497 /* Save source address */
488 bacpy(&bt_sk(sk)->src, &sa->sco_bdaddr); 498 bacpy(&bt_sk(sk)->src, &sa.sco_bdaddr);
499 sco_pi(sk)->pkt_type = sa.sco_pkt_type;
489 sk->sk_state = BT_BOUND; 500 sk->sk_state = BT_BOUND;
490 } 501 }
491 502
@@ -498,27 +509,34 @@ done:
498 509
499static int sco_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags) 510static int sco_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags)
500{ 511{
501 struct sockaddr_sco *sa = (struct sockaddr_sco *) addr;
502 struct sock *sk = sock->sk; 512 struct sock *sk = sock->sk;
503 int err = 0; 513 struct sockaddr_sco sa;
504 514 int len, err = 0;
505 515
506 BT_DBG("sk %p", sk); 516 BT_DBG("sk %p", sk);
507 517
508 if (alen < sizeof(struct sockaddr_sco) || 518 if (!addr || addr->sa_family != AF_BLUETOOTH)
509 addr->sa_family != AF_BLUETOOTH)
510 return -EINVAL; 519 return -EINVAL;
511 520
512 if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND) 521 memset(&sa, 0, sizeof(sa));
513 return -EBADFD; 522 len = min_t(unsigned int, sizeof(sa), alen);
514 523 memcpy(&sa, addr, len);
515 if (sk->sk_type != SOCK_SEQPACKET)
516 return -EINVAL;
517 524
518 lock_sock(sk); 525 lock_sock(sk);
519 526
527 if (sk->sk_type != SOCK_SEQPACKET) {
528 err = -EINVAL;
529 goto done;
530 }
531
532 if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND) {
533 err = -EBADFD;
534 goto done;
535 }
536
520 /* Set destination address and psm */ 537 /* Set destination address and psm */
521 bacpy(&bt_sk(sk)->dst, &sa->sco_bdaddr); 538 bacpy(&bt_sk(sk)->dst, &sa.sco_bdaddr);
539 sco_pi(sk)->pkt_type = sa.sco_pkt_type;
522 540
523 err = sco_connect(sk); 541 err = sco_connect(sk);
524 if (err) 542 if (err)
@@ -564,30 +582,26 @@ static int sco_sock_accept(struct socket *sock, struct socket *newsock, int flag
564 582
565 lock_sock(sk); 583 lock_sock(sk);
566 584
567 if (sk->sk_state != BT_LISTEN) {
568 err = -EBADFD;
569 goto done;
570 }
571
572 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK); 585 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
573 586
574 BT_DBG("sk %p timeo %ld", sk, timeo); 587 BT_DBG("sk %p timeo %ld", sk, timeo);
575 588
576 /* Wait for an incoming connection. (wake-one). */ 589 /* Wait for an incoming connection. (wake-one). */
577 add_wait_queue_exclusive(sk_sleep(sk), &wait); 590 add_wait_queue_exclusive(sk_sleep(sk), &wait);
578 while (!(ch = bt_accept_dequeue(sk, newsock))) { 591 while (1) {
579 set_current_state(TASK_INTERRUPTIBLE); 592 set_current_state(TASK_INTERRUPTIBLE);
580 if (!timeo) { 593
581 err = -EAGAIN; 594 if (sk->sk_state != BT_LISTEN) {
595 err = -EBADFD;
582 break; 596 break;
583 } 597 }
584 598
585 release_sock(sk); 599 ch = bt_accept_dequeue(sk, newsock);
586 timeo = schedule_timeout(timeo); 600 if (ch)
587 lock_sock(sk); 601 break;
588 602
589 if (sk->sk_state != BT_LISTEN) { 603 if (!timeo) {
590 err = -EBADFD; 604 err = -EAGAIN;
591 break; 605 break;
592 } 606 }
593 607
@@ -595,8 +609,12 @@ static int sco_sock_accept(struct socket *sock, struct socket *newsock, int flag
595 err = sock_intr_errno(timeo); 609 err = sock_intr_errno(timeo);
596 break; 610 break;
597 } 611 }
612
613 release_sock(sk);
614 timeo = schedule_timeout(timeo);
615 lock_sock(sk);
598 } 616 }
599 set_current_state(TASK_RUNNING); 617 __set_current_state(TASK_RUNNING);
600 remove_wait_queue(sk_sleep(sk), &wait); 618 remove_wait_queue(sk_sleep(sk), &wait);
601 619
602 if (err) 620 if (err)
@@ -625,6 +643,7 @@ static int sco_sock_getname(struct socket *sock, struct sockaddr *addr, int *len
625 bacpy(&sa->sco_bdaddr, &bt_sk(sk)->dst); 643 bacpy(&sa->sco_bdaddr, &bt_sk(sk)->dst);
626 else 644 else
627 bacpy(&sa->sco_bdaddr, &bt_sk(sk)->src); 645 bacpy(&sa->sco_bdaddr, &bt_sk(sk)->src);
646 sa->sco_pkt_type = sco_pi(sk)->pkt_type;
628 647
629 return 0; 648 return 0;
630} 649}
@@ -932,7 +951,7 @@ static int sco_connect_cfm(struct hci_conn *hcon, __u8 status)
932 if (conn) 951 if (conn)
933 sco_conn_ready(conn); 952 sco_conn_ready(conn);
934 } else 953 } else
935 sco_conn_del(hcon, bt_err(status)); 954 sco_conn_del(hcon, bt_to_errno(status));
936 955
937 return 0; 956 return 0;
938} 957}
@@ -944,7 +963,7 @@ static int sco_disconn_cfm(struct hci_conn *hcon, __u8 reason)
944 if (hcon->type != SCO_LINK && hcon->type != ESCO_LINK) 963 if (hcon->type != SCO_LINK && hcon->type != ESCO_LINK)
945 return -EINVAL; 964 return -EINVAL;
946 965
947 sco_conn_del(hcon, bt_err(reason)); 966 sco_conn_del(hcon, bt_to_errno(reason));
948 967
949 return 0; 968 return 0;
950} 969}
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
new file mode 100644
index 00000000000..c45dd737cdd
--- /dev/null
+++ b/net/bluetooth/smp.c
@@ -0,0 +1,705 @@
1/*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
4
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License version 2 as
7 published by the Free Software Foundation;
8
9 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17
18 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20 SOFTWARE IS DISCLAIMED.
21*/
22
23#include <net/bluetooth/bluetooth.h>
24#include <net/bluetooth/hci_core.h>
25#include <net/bluetooth/l2cap.h>
26#include <net/bluetooth/smp.h>
27#include <linux/crypto.h>
28#include <linux/scatterlist.h>
29#include <crypto/b128ops.h>
30
31#define SMP_TIMEOUT 30000 /* 30 seconds */
32
33static inline void swap128(u8 src[16], u8 dst[16])
34{
35 int i;
36 for (i = 0; i < 16; i++)
37 dst[15 - i] = src[i];
38}
39
40static inline void swap56(u8 src[7], u8 dst[7])
41{
42 int i;
43 for (i = 0; i < 7; i++)
44 dst[6 - i] = src[i];
45}
46
47static int smp_e(struct crypto_blkcipher *tfm, const u8 *k, u8 *r)
48{
49 struct blkcipher_desc desc;
50 struct scatterlist sg;
51 int err, iv_len;
52 unsigned char iv[128];
53
54 if (tfm == NULL) {
55 BT_ERR("tfm %p", tfm);
56 return -EINVAL;
57 }
58
59 desc.tfm = tfm;
60 desc.flags = 0;
61
62 err = crypto_blkcipher_setkey(tfm, k, 16);
63 if (err) {
64 BT_ERR("cipher setkey failed: %d", err);
65 return err;
66 }
67
68 sg_init_one(&sg, r, 16);
69
70 iv_len = crypto_blkcipher_ivsize(tfm);
71 if (iv_len) {
72 memset(&iv, 0xff, iv_len);
73 crypto_blkcipher_set_iv(tfm, iv, iv_len);
74 }
75
76 err = crypto_blkcipher_encrypt(&desc, &sg, &sg, 16);
77 if (err)
78 BT_ERR("Encrypt data error %d", err);
79
80 return err;
81}
82
83static int smp_c1(struct crypto_blkcipher *tfm, u8 k[16], u8 r[16],
84 u8 preq[7], u8 pres[7], u8 _iat, bdaddr_t *ia,
85 u8 _rat, bdaddr_t *ra, u8 res[16])
86{
87 u8 p1[16], p2[16];
88 int err;
89
90 memset(p1, 0, 16);
91
92 /* p1 = pres || preq || _rat || _iat */
93 swap56(pres, p1);
94 swap56(preq, p1 + 7);
95 p1[14] = _rat;
96 p1[15] = _iat;
97
98 memset(p2, 0, 16);
99
100 /* p2 = padding || ia || ra */
101 baswap((bdaddr_t *) (p2 + 4), ia);
102 baswap((bdaddr_t *) (p2 + 10), ra);
103
104 /* res = r XOR p1 */
105 u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
106
107 /* res = e(k, res) */
108 err = smp_e(tfm, k, res);
109 if (err) {
110 BT_ERR("Encrypt data error");
111 return err;
112 }
113
114 /* res = res XOR p2 */
115 u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
116
117 /* res = e(k, res) */
118 err = smp_e(tfm, k, res);
119 if (err)
120 BT_ERR("Encrypt data error");
121
122 return err;
123}
124
125static int smp_s1(struct crypto_blkcipher *tfm, u8 k[16],
126 u8 r1[16], u8 r2[16], u8 _r[16])
127{
128 int err;
129
130 /* Just least significant octets from r1 and r2 are considered */
131 memcpy(_r, r1 + 8, 8);
132 memcpy(_r + 8, r2 + 8, 8);
133
134 err = smp_e(tfm, k, _r);
135 if (err)
136 BT_ERR("Encrypt data error");
137
138 return err;
139}
140
141static int smp_rand(u8 *buf)
142{
143 get_random_bytes(buf, 16);
144
145 return 0;
146}
147
148static struct sk_buff *smp_build_cmd(struct l2cap_conn *conn, u8 code,
149 u16 dlen, void *data)
150{
151 struct sk_buff *skb;
152 struct l2cap_hdr *lh;
153 int len;
154
155 len = L2CAP_HDR_SIZE + sizeof(code) + dlen;
156
157 if (len > conn->mtu)
158 return NULL;
159
160 skb = bt_skb_alloc(len, GFP_ATOMIC);
161 if (!skb)
162 return NULL;
163
164 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
165 lh->len = cpu_to_le16(sizeof(code) + dlen);
166 lh->cid = cpu_to_le16(L2CAP_CID_SMP);
167
168 memcpy(skb_put(skb, sizeof(code)), &code, sizeof(code));
169
170 memcpy(skb_put(skb, dlen), data, dlen);
171
172 return skb;
173}
174
175static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
176{
177 struct sk_buff *skb = smp_build_cmd(conn, code, len, data);
178
179 BT_DBG("code 0x%2.2x", code);
180
181 if (!skb)
182 return;
183
184 hci_send_acl(conn->hcon, skb, 0);
185}
186
187static __u8 seclevel_to_authreq(__u8 level)
188{
189 switch (level) {
190 case BT_SECURITY_HIGH:
191 /* Right now we don't support bonding */
192 return SMP_AUTH_MITM;
193
194 default:
195 return SMP_AUTH_NONE;
196 }
197}
198
199static void build_pairing_cmd(struct l2cap_conn *conn,
200 struct smp_cmd_pairing *req,
201 struct smp_cmd_pairing *rsp,
202 __u8 authreq)
203{
204 u8 dist_keys;
205
206 dist_keys = 0;
207 if (test_bit(HCI_PAIRABLE, &conn->hcon->hdev->flags)) {
208 dist_keys = SMP_DIST_ENC_KEY | SMP_DIST_ID_KEY | SMP_DIST_SIGN;
209 authreq |= SMP_AUTH_BONDING;
210 }
211
212 if (rsp == NULL) {
213 req->io_capability = conn->hcon->io_capability;
214 req->oob_flag = SMP_OOB_NOT_PRESENT;
215 req->max_key_size = SMP_MAX_ENC_KEY_SIZE;
216 req->init_key_dist = dist_keys;
217 req->resp_key_dist = dist_keys;
218 req->auth_req = authreq;
219 return;
220 }
221
222 rsp->io_capability = conn->hcon->io_capability;
223 rsp->oob_flag = SMP_OOB_NOT_PRESENT;
224 rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
225 rsp->init_key_dist = req->init_key_dist & dist_keys;
226 rsp->resp_key_dist = req->resp_key_dist & dist_keys;
227 rsp->auth_req = authreq;
228}
229
230static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
231{
232 if ((max_key_size > SMP_MAX_ENC_KEY_SIZE) ||
233 (max_key_size < SMP_MIN_ENC_KEY_SIZE))
234 return SMP_ENC_KEY_SIZE;
235
236 conn->smp_key_size = max_key_size;
237
238 return 0;
239}
240
241static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
242{
243 struct smp_cmd_pairing rsp, *req = (void *) skb->data;
244 u8 key_size;
245
246 BT_DBG("conn %p", conn);
247
248 conn->preq[0] = SMP_CMD_PAIRING_REQ;
249 memcpy(&conn->preq[1], req, sizeof(*req));
250 skb_pull(skb, sizeof(*req));
251
252 if (req->oob_flag)
253 return SMP_OOB_NOT_AVAIL;
254
255 /* We didn't start the pairing, so no requirements */
256 build_pairing_cmd(conn, req, &rsp, SMP_AUTH_NONE);
257
258 key_size = min(req->max_key_size, rsp.max_key_size);
259 if (check_enc_key_size(conn, key_size))
260 return SMP_ENC_KEY_SIZE;
261
262 /* Just works */
263 memset(conn->tk, 0, sizeof(conn->tk));
264
265 conn->prsp[0] = SMP_CMD_PAIRING_RSP;
266 memcpy(&conn->prsp[1], &rsp, sizeof(rsp));
267
268 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
269
270 mod_timer(&conn->security_timer, jiffies +
271 msecs_to_jiffies(SMP_TIMEOUT));
272
273 mod_timer(&conn->security_timer, jiffies +
274 msecs_to_jiffies(SMP_TIMEOUT));
275
276 return 0;
277}
278
279static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
280{
281 struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
282 struct smp_cmd_pairing_confirm cp;
283 struct crypto_blkcipher *tfm = conn->hcon->hdev->tfm;
284 int ret;
285 u8 res[16], key_size;
286
287 BT_DBG("conn %p", conn);
288
289 skb_pull(skb, sizeof(*rsp));
290
291 req = (void *) &conn->preq[1];
292
293 key_size = min(req->max_key_size, rsp->max_key_size);
294 if (check_enc_key_size(conn, key_size))
295 return SMP_ENC_KEY_SIZE;
296
297 if (rsp->oob_flag)
298 return SMP_OOB_NOT_AVAIL;
299
300 /* Just works */
301 memset(conn->tk, 0, sizeof(conn->tk));
302
303 conn->prsp[0] = SMP_CMD_PAIRING_RSP;
304 memcpy(&conn->prsp[1], rsp, sizeof(*rsp));
305
306 ret = smp_rand(conn->prnd);
307 if (ret)
308 return SMP_UNSPECIFIED;
309
310 ret = smp_c1(tfm, conn->tk, conn->prnd, conn->preq, conn->prsp, 0,
311 conn->src, conn->hcon->dst_type, conn->dst, res);
312 if (ret)
313 return SMP_UNSPECIFIED;
314
315 swap128(res, cp.confirm_val);
316
317 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
318
319 return 0;
320}
321
322static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
323{
324 struct crypto_blkcipher *tfm = conn->hcon->hdev->tfm;
325
326 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
327
328 memcpy(conn->pcnf, skb->data, sizeof(conn->pcnf));
329 skb_pull(skb, sizeof(conn->pcnf));
330
331 if (conn->hcon->out) {
332 u8 random[16];
333
334 swap128(conn->prnd, random);
335 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(random),
336 random);
337 } else {
338 struct smp_cmd_pairing_confirm cp;
339 int ret;
340 u8 res[16];
341
342 ret = smp_rand(conn->prnd);
343 if (ret)
344 return SMP_UNSPECIFIED;
345
346 ret = smp_c1(tfm, conn->tk, conn->prnd, conn->preq, conn->prsp,
347 conn->hcon->dst_type, conn->dst,
348 0, conn->src, res);
349 if (ret)
350 return SMP_CONFIRM_FAILED;
351
352 swap128(res, cp.confirm_val);
353
354 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
355 }
356
357 mod_timer(&conn->security_timer, jiffies +
358 msecs_to_jiffies(SMP_TIMEOUT));
359
360 return 0;
361}
362
363static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
364{
365 struct hci_conn *hcon = conn->hcon;
366 struct crypto_blkcipher *tfm = hcon->hdev->tfm;
367 int ret;
368 u8 key[16], res[16], random[16], confirm[16];
369
370 swap128(skb->data, random);
371 skb_pull(skb, sizeof(random));
372
373 if (conn->hcon->out)
374 ret = smp_c1(tfm, conn->tk, random, conn->preq, conn->prsp, 0,
375 conn->src, conn->hcon->dst_type, conn->dst,
376 res);
377 else
378 ret = smp_c1(tfm, conn->tk, random, conn->preq, conn->prsp,
379 conn->hcon->dst_type, conn->dst, 0, conn->src,
380 res);
381 if (ret)
382 return SMP_UNSPECIFIED;
383
384 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
385
386 swap128(res, confirm);
387
388 if (memcmp(conn->pcnf, confirm, sizeof(conn->pcnf)) != 0) {
389 BT_ERR("Pairing failed (confirmation values mismatch)");
390 return SMP_CONFIRM_FAILED;
391 }
392
393 if (conn->hcon->out) {
394 u8 stk[16], rand[8];
395 __le16 ediv;
396
397 memset(rand, 0, sizeof(rand));
398 ediv = 0;
399
400 smp_s1(tfm, conn->tk, random, conn->prnd, key);
401 swap128(key, stk);
402
403 memset(stk + conn->smp_key_size, 0,
404 SMP_MAX_ENC_KEY_SIZE - conn->smp_key_size);
405
406 hci_le_start_enc(hcon, ediv, rand, stk);
407 hcon->enc_key_size = conn->smp_key_size;
408 } else {
409 u8 stk[16], r[16], rand[8];
410 __le16 ediv;
411
412 memset(rand, 0, sizeof(rand));
413 ediv = 0;
414
415 swap128(conn->prnd, r);
416 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(r), r);
417
418 smp_s1(tfm, conn->tk, conn->prnd, random, key);
419 swap128(key, stk);
420
421 memset(stk + conn->smp_key_size, 0,
422 SMP_MAX_ENC_KEY_SIZE - conn->smp_key_size);
423
424 hci_add_ltk(conn->hcon->hdev, 0, conn->dst, conn->smp_key_size,
425 ediv, rand, stk);
426 }
427
428 return 0;
429}
430
431static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
432{
433 struct smp_cmd_security_req *rp = (void *) skb->data;
434 struct smp_cmd_pairing cp;
435 struct hci_conn *hcon = conn->hcon;
436
437 BT_DBG("conn %p", conn);
438
439 if (test_bit(HCI_CONN_ENCRYPT_PEND, &hcon->pend))
440 return 0;
441
442 skb_pull(skb, sizeof(*rp));
443
444 memset(&cp, 0, sizeof(cp));
445 build_pairing_cmd(conn, &cp, NULL, rp->auth_req);
446
447 conn->preq[0] = SMP_CMD_PAIRING_REQ;
448 memcpy(&conn->preq[1], &cp, sizeof(cp));
449
450 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
451
452 mod_timer(&conn->security_timer, jiffies +
453 msecs_to_jiffies(SMP_TIMEOUT));
454
455 set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->pend);
456
457 return 0;
458}
459
460int smp_conn_security(struct l2cap_conn *conn, __u8 sec_level)
461{
462 struct hci_conn *hcon = conn->hcon;
463 __u8 authreq;
464
465 BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
466
467 if (!lmp_host_le_capable(hcon->hdev))
468 return 1;
469
470 if (IS_ERR(hcon->hdev->tfm))
471 return 1;
472
473 if (test_bit(HCI_CONN_ENCRYPT_PEND, &hcon->pend))
474 return 0;
475
476 if (sec_level == BT_SECURITY_LOW)
477 return 1;
478
479 if (hcon->sec_level >= sec_level)
480 return 1;
481
482 authreq = seclevel_to_authreq(sec_level);
483
484 if (hcon->link_mode & HCI_LM_MASTER) {
485 struct smp_cmd_pairing cp;
486 struct link_key *key;
487
488 key = hci_find_link_key_type(hcon->hdev, conn->dst,
489 HCI_LK_SMP_LTK);
490 if (key) {
491 struct key_master_id *master = (void *) key->data;
492
493 hci_le_start_enc(hcon, master->ediv, master->rand,
494 key->val);
495 hcon->enc_key_size = key->pin_len;
496
497 goto done;
498 }
499
500 build_pairing_cmd(conn, &cp, NULL, authreq);
501 conn->preq[0] = SMP_CMD_PAIRING_REQ;
502 memcpy(&conn->preq[1], &cp, sizeof(cp));
503
504 mod_timer(&conn->security_timer, jiffies +
505 msecs_to_jiffies(SMP_TIMEOUT));
506
507 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
508 } else {
509 struct smp_cmd_security_req cp;
510 cp.auth_req = authreq;
511 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
512 }
513
514done:
515 hcon->pending_sec_level = sec_level;
516 set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->pend);
517
518 return 0;
519}
520
521static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
522{
523 struct smp_cmd_encrypt_info *rp = (void *) skb->data;
524
525 skb_pull(skb, sizeof(*rp));
526
527 memcpy(conn->tk, rp->ltk, sizeof(conn->tk));
528
529 return 0;
530}
531
532static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
533{
534 struct smp_cmd_master_ident *rp = (void *) skb->data;
535
536 skb_pull(skb, sizeof(*rp));
537
538 hci_add_ltk(conn->hcon->hdev, 1, conn->src, conn->smp_key_size,
539 rp->ediv, rp->rand, conn->tk);
540
541 smp_distribute_keys(conn, 1);
542
543 return 0;
544}
545
546int smp_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb)
547{
548 __u8 code = skb->data[0];
549 __u8 reason;
550 int err = 0;
551
552 if (!lmp_host_le_capable(conn->hcon->hdev)) {
553 err = -ENOTSUPP;
554 reason = SMP_PAIRING_NOTSUPP;
555 goto done;
556 }
557
558 if (IS_ERR(conn->hcon->hdev->tfm)) {
559 err = PTR_ERR(conn->hcon->hdev->tfm);
560 reason = SMP_PAIRING_NOTSUPP;
561 goto done;
562 }
563
564 skb_pull(skb, sizeof(code));
565
566 switch (code) {
567 case SMP_CMD_PAIRING_REQ:
568 reason = smp_cmd_pairing_req(conn, skb);
569 break;
570
571 case SMP_CMD_PAIRING_FAIL:
572 reason = 0;
573 err = -EPERM;
574 break;
575
576 case SMP_CMD_PAIRING_RSP:
577 reason = smp_cmd_pairing_rsp(conn, skb);
578 break;
579
580 case SMP_CMD_SECURITY_REQ:
581 reason = smp_cmd_security_req(conn, skb);
582 break;
583
584 case SMP_CMD_PAIRING_CONFIRM:
585 reason = smp_cmd_pairing_confirm(conn, skb);
586 break;
587
588 case SMP_CMD_PAIRING_RANDOM:
589 reason = smp_cmd_pairing_random(conn, skb);
590 break;
591
592 case SMP_CMD_ENCRYPT_INFO:
593 reason = smp_cmd_encrypt_info(conn, skb);
594 break;
595
596 case SMP_CMD_MASTER_IDENT:
597 reason = smp_cmd_master_ident(conn, skb);
598 break;
599
600 case SMP_CMD_IDENT_INFO:
601 case SMP_CMD_IDENT_ADDR_INFO:
602 case SMP_CMD_SIGN_INFO:
603 /* Just ignored */
604 reason = 0;
605 break;
606
607 default:
608 BT_DBG("Unknown command code 0x%2.2x", code);
609
610 reason = SMP_CMD_NOTSUPP;
611 err = -EOPNOTSUPP;
612 goto done;
613 }
614
615done:
616 if (reason)
617 smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
618 &reason);
619
620 kfree_skb(skb);
621 return err;
622}
623
624int smp_distribute_keys(struct l2cap_conn *conn, __u8 force)
625{
626 struct smp_cmd_pairing *req, *rsp;
627 __u8 *keydist;
628
629 BT_DBG("conn %p force %d", conn, force);
630
631 if (IS_ERR(conn->hcon->hdev->tfm))
632 return PTR_ERR(conn->hcon->hdev->tfm);
633
634 rsp = (void *) &conn->prsp[1];
635
636 /* The responder sends its keys first */
637 if (!force && conn->hcon->out && (rsp->resp_key_dist & 0x07))
638 return 0;
639
640 req = (void *) &conn->preq[1];
641
642 if (conn->hcon->out) {
643 keydist = &rsp->init_key_dist;
644 *keydist &= req->init_key_dist;
645 } else {
646 keydist = &rsp->resp_key_dist;
647 *keydist &= req->resp_key_dist;
648 }
649
650
651 BT_DBG("keydist 0x%x", *keydist);
652
653 if (*keydist & SMP_DIST_ENC_KEY) {
654 struct smp_cmd_encrypt_info enc;
655 struct smp_cmd_master_ident ident;
656 __le16 ediv;
657
658 get_random_bytes(enc.ltk, sizeof(enc.ltk));
659 get_random_bytes(&ediv, sizeof(ediv));
660 get_random_bytes(ident.rand, sizeof(ident.rand));
661
662 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
663
664 hci_add_ltk(conn->hcon->hdev, 1, conn->dst, conn->smp_key_size,
665 ediv, ident.rand, enc.ltk);
666
667 ident.ediv = cpu_to_le16(ediv);
668
669 smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
670
671 *keydist &= ~SMP_DIST_ENC_KEY;
672 }
673
674 if (*keydist & SMP_DIST_ID_KEY) {
675 struct smp_cmd_ident_addr_info addrinfo;
676 struct smp_cmd_ident_info idinfo;
677
678 /* Send a dummy key */
679 get_random_bytes(idinfo.irk, sizeof(idinfo.irk));
680
681 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
682
683 /* Just public address */
684 memset(&addrinfo, 0, sizeof(addrinfo));
685 bacpy(&addrinfo.bdaddr, conn->src);
686
687 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
688 &addrinfo);
689
690 *keydist &= ~SMP_DIST_ID_KEY;
691 }
692
693 if (*keydist & SMP_DIST_SIGN) {
694 struct smp_cmd_sign_info sign;
695
696 /* Send a dummy key */
697 get_random_bytes(sign.csrk, sizeof(sign.csrk));
698
699 smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
700
701 *keydist &= ~SMP_DIST_SIGN;
702 }
703
704 return 0;
705}
generated by cgit v1.2.2 (git 2.25.0) at 2025-08-23 22:26:44 -0400