aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJohn W. Linville <linville@tuxdriver.com>2011-06-22 16:06:58 -0400
committerJohn W. Linville <linville@tuxdriver.com>2011-06-22 16:06:58 -0400
commit1c1236e3af9c0a52e63c1c386413f13627e68e67 (patch)
tree554430c73c927a8a3fcab132cad83f4a04a7626d
parente10542c447abf7c840931ff12f7d0dee976ca2ea (diff)
parent43f3dc41571c47a1fbded9aca1cf0a737967b005 (diff)
Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/padovan/bluetooth-next-2.6
Diffstat
-rw-r--r--include/net/bluetooth/hci.h34
-rw-r--r--include/net/bluetooth/hci_core.h13
-rw-r--r--include/net/bluetooth/l2cap.h95
-rw-r--r--include/net/bluetooth/mgmt.h10
-rw-r--r--include/net/bluetooth/smp.h46
-rw-r--r--net/bluetooth/Kconfig8
-rw-r--r--net/bluetooth/Makefile2
-rw-r--r--net/bluetooth/hci_conn.c56
-rw-r--r--net/bluetooth/hci_core.c113
-rw-r--r--net/bluetooth/hci_event.c69
-rw-r--r--net/bluetooth/hci_sock.c70
-rw-r--r--net/bluetooth/l2cap_core.c700
-rw-r--r--net/bluetooth/l2cap_sock.c97
-rw-r--r--net/bluetooth/mgmt.c72
-rw-r--r--net/bluetooth/smp.c533
15 files changed, 1460 insertions, 458 deletions
diff --git a/include/net/bluetooth/hci.h b/include/net/bluetooth/hci.h
index bd285c6a5509..65345cd215be 100644
--- a/include/net/bluetooth/hci.h
+++ b/include/net/bluetooth/hci.h
@@ -745,6 +745,33 @@ struct hci_cp_le_conn_update {
745 __le16 max_ce_len; 745 __le16 max_ce_len;
746} __packed; 746} __packed;
747 747
748#define HCI_OP_LE_START_ENC 0x2019
749struct hci_cp_le_start_enc {
750 __le16 handle;
751 __u8 rand[8];
752 __le16 ediv;
753 __u8 ltk[16];
754} __packed;
755
756#define HCI_OP_LE_LTK_REPLY 0x201a
757struct hci_cp_le_ltk_reply {
758 __le16 handle;
759 __u8 ltk[16];
760} __packed;
761struct hci_rp_le_ltk_reply {
762 __u8 status;
763 __le16 handle;
764} __packed;
765
766#define HCI_OP_LE_LTK_NEG_REPLY 0x201b
767struct hci_cp_le_ltk_neg_reply {
768 __le16 handle;
769} __packed;
770struct hci_rp_le_ltk_neg_reply {
771 __u8 status;
772 __le16 handle;
773} __packed;
774
748/* ---- HCI Events ---- */ 775/* ---- HCI Events ---- */
749#define HCI_EV_INQUIRY_COMPLETE 0x01 776#define HCI_EV_INQUIRY_COMPLETE 0x01
750 777
@@ -1035,6 +1062,13 @@ struct hci_ev_le_conn_complete {
1035 __u8 clk_accurancy; 1062 __u8 clk_accurancy;
1036} __packed; 1063} __packed;
1037 1064
1065#define HCI_EV_LE_LTK_REQ 0x05
1066struct hci_ev_le_ltk_req {
1067 __le16 handle;
1068 __u8 random[8];
1069 __le16 ediv;
1070} __packed;
1071
1038/* Advertising report event types */ 1072/* Advertising report event types */
1039#define ADV_IND 0x00 1073#define ADV_IND 0x00
1040#define ADV_DIRECT_IND 0x01 1074#define ADV_DIRECT_IND 0x01
diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
index 836d3e8c4bf1..26233d4d371c 100644
--- a/include/net/bluetooth/hci_core.h
+++ b/include/net/bluetooth/hci_core.h
@@ -177,6 +177,8 @@ struct hci_dev {
177 177
178 __u16 init_last_cmd; 178 __u16 init_last_cmd;
179 179
180 struct crypto_blkcipher *tfm;
181
180 struct inquiry_cache inq_cache; 182 struct inquiry_cache inq_cache;
181 struct hci_conn_hash conn_hash; 183 struct hci_conn_hash conn_hash;
182 struct list_head blacklist; 184 struct list_head blacklist;
@@ -247,6 +249,7 @@ struct hci_conn {
247 __u8 power_save; 249 __u8 power_save;
248 __u16 disc_timeout; 250 __u16 disc_timeout;
249 unsigned long pend; 251 unsigned long pend;
252 __u8 ltk[16];
250 253
251 __u8 remote_cap; 254 __u8 remote_cap;
252 __u8 remote_oob; 255 __u8 remote_oob;
@@ -526,6 +529,8 @@ int hci_inquiry(void __user *arg);
526 529
527struct bdaddr_list *hci_blacklist_lookup(struct hci_dev *hdev, bdaddr_t *bdaddr); 530struct bdaddr_list *hci_blacklist_lookup(struct hci_dev *hdev, bdaddr_t *bdaddr);
528int hci_blacklist_clear(struct hci_dev *hdev); 531int hci_blacklist_clear(struct hci_dev *hdev);
532int hci_blacklist_add(struct hci_dev *hdev, bdaddr_t *bdaddr);
533int hci_blacklist_del(struct hci_dev *hdev, bdaddr_t *bdaddr);
529 534
530int hci_uuids_clear(struct hci_dev *hdev); 535int hci_uuids_clear(struct hci_dev *hdev);
531 536
@@ -742,6 +747,9 @@ static inline void hci_encrypt_cfm(struct hci_conn *conn, __u8 status,
742 if (conn->sec_level == BT_SECURITY_SDP) 747 if (conn->sec_level == BT_SECURITY_SDP)
743 conn->sec_level = BT_SECURITY_LOW; 748 conn->sec_level = BT_SECURITY_LOW;
744 749
750 if (conn->pending_sec_level > conn->sec_level)
751 conn->sec_level = conn->pending_sec_level;
752
745 hci_proto_encrypt_cfm(conn, status, encrypt); 753 hci_proto_encrypt_cfm(conn, status, encrypt);
746 754
747 read_lock_bh(&hci_cb_list_lock); 755 read_lock_bh(&hci_cb_list_lock);
@@ -859,4 +867,9 @@ void hci_req_complete(struct hci_dev *hdev, __u16 cmd, int result);
859 867
860void hci_le_conn_update(struct hci_conn *conn, u16 min, u16 max, 868void hci_le_conn_update(struct hci_conn *conn, u16 min, u16 max,
861 u16 latency, u16 to_multiplier); 869 u16 latency, u16 to_multiplier);
870void hci_le_start_enc(struct hci_conn *conn, __le16 ediv, __u8 rand[8],
871 __u8 ltk[16]);
872void hci_le_ltk_reply(struct hci_conn *conn, u8 ltk[16]);
873void hci_le_ltk_neg_reply(struct hci_conn *conn);
874
862#endif /* __HCI_CORE_H */ 875#endif /* __HCI_CORE_H */
diff --git a/include/net/bluetooth/l2cap.h b/include/net/bluetooth/l2cap.h
index 0529d278e068..9c18e555b6ed 100644
--- a/include/net/bluetooth/l2cap.h
+++ b/include/net/bluetooth/l2cap.h
@@ -287,6 +287,10 @@ struct l2cap_chan {
287 287
288 struct l2cap_conn *conn; 288 struct l2cap_conn *conn;
289 289
290 __u8 state;
291
292 atomic_t refcnt;
293
290 __le16 psm; 294 __le16 psm;
291 __u16 dcid; 295 __u16 dcid;
292 __u16 scid; 296 __u16 scid;
@@ -320,8 +324,8 @@ struct l2cap_chan {
320 __u16 monitor_timeout; 324 __u16 monitor_timeout;
321 __u16 mps; 325 __u16 mps;
322 326
323 __u8 conf_state; 327 unsigned long conf_state;
324 __u16 conn_state; 328 unsigned long conn_state;
325 329
326 __u8 next_tx_seq; 330 __u8 next_tx_seq;
327 __u8 expected_ack_seq; 331 __u8 expected_ack_seq;
@@ -354,6 +358,18 @@ struct l2cap_chan {
354 358
355 struct list_head list; 359 struct list_head list;
356 struct list_head global_l; 360 struct list_head global_l;
361
362 void *data;
363 struct l2cap_ops *ops;
364};
365
366struct l2cap_ops {
367 char *name;
368
369 struct l2cap_chan *(*new_connection) (void *data);
370 int (*recv) (void *data, struct sk_buff *skb);
371 void (*close) (void *data);
372 void (*state_change) (void *data, int state);
357}; 373};
358 374
359struct l2cap_conn { 375struct l2cap_conn {
@@ -379,6 +395,15 @@ struct l2cap_conn {
379 395
380 __u8 disc_reason; 396 __u8 disc_reason;
381 397
398 __u8 preq[7]; /* SMP Pairing Request */
399 __u8 prsp[7]; /* SMP Pairing Response */
400 __u8 prnd[16]; /* SMP Pairing Random */
401 __u8 pcnf[16]; /* SMP Pairing Confirm */
402 __u8 tk[16]; /* SMP Temporary Key */
403 __u8 smp_key_size;
404
405 struct timer_list security_timer;
406
382 struct list_head chan_l; 407 struct list_head chan_l;
383 rwlock_t chan_lock; 408 rwlock_t chan_lock;
384}; 409};
@@ -399,36 +424,45 @@ struct l2cap_pinfo {
399 struct l2cap_chan *chan; 424 struct l2cap_chan *chan;
400}; 425};
401 426
402#define L2CAP_CONF_REQ_SENT 0x01 427enum {
403#define L2CAP_CONF_INPUT_DONE 0x02 428 CONF_REQ_SENT,
404#define L2CAP_CONF_OUTPUT_DONE 0x04 429 CONF_INPUT_DONE,
405#define L2CAP_CONF_MTU_DONE 0x08 430 CONF_OUTPUT_DONE,
406#define L2CAP_CONF_MODE_DONE 0x10 431 CONF_MTU_DONE,
407#define L2CAP_CONF_CONNECT_PEND 0x20 432 CONF_MODE_DONE,
408#define L2CAP_CONF_NO_FCS_RECV 0x40 433 CONF_CONNECT_PEND,
409#define L2CAP_CONF_STATE2_DEVICE 0x80 434 CONF_NO_FCS_RECV,
435 CONF_STATE2_DEVICE,
436};
410 437
411#define L2CAP_CONF_MAX_CONF_REQ 2 438#define L2CAP_CONF_MAX_CONF_REQ 2
412#define L2CAP_CONF_MAX_CONF_RSP 2 439#define L2CAP_CONF_MAX_CONF_RSP 2
413 440
414#define L2CAP_CONN_SAR_SDU 0x0001 441enum {
415#define L2CAP_CONN_SREJ_SENT 0x0002 442 CONN_SAR_SDU,
416#define L2CAP_CONN_WAIT_F 0x0004 443 CONN_SREJ_SENT,
417#define L2CAP_CONN_SREJ_ACT 0x0008 444 CONN_WAIT_F,
418#define L2CAP_CONN_SEND_PBIT 0x0010 445 CONN_SREJ_ACT,
419#define L2CAP_CONN_REMOTE_BUSY 0x0020 446 CONN_SEND_PBIT,
420#define L2CAP_CONN_LOCAL_BUSY 0x0040 447 CONN_REMOTE_BUSY,
421#define L2CAP_CONN_REJ_ACT 0x0080 448 CONN_LOCAL_BUSY,
422#define L2CAP_CONN_SEND_FBIT 0x0100 449 CONN_REJ_ACT,
423#define L2CAP_CONN_RNR_SENT 0x0200 450 CONN_SEND_FBIT,
424#define L2CAP_CONN_SAR_RETRY 0x0400 451 CONN_RNR_SENT,
425 452 CONN_SAR_RETRY,
426#define __mod_retrans_timer() mod_timer(&chan->retrans_timer, \ 453};
427 jiffies + msecs_to_jiffies(L2CAP_DEFAULT_RETRANS_TO)); 454
428#define __mod_monitor_timer() mod_timer(&chan->monitor_timer, \ 455#define __set_chan_timer(c, t) l2cap_set_timer(c, &c->chan_timer, (t))
429 jiffies + msecs_to_jiffies(L2CAP_DEFAULT_MONITOR_TO)); 456#define __clear_chan_timer(c) l2cap_clear_timer(c, &c->chan_timer)
430#define __mod_ack_timer() mod_timer(&chan->ack_timer, \ 457#define __set_retrans_timer(c) l2cap_set_timer(c, &c->retrans_timer, \
431 jiffies + msecs_to_jiffies(L2CAP_DEFAULT_ACK_TO)); 458 L2CAP_DEFAULT_RETRANS_TO);
459#define __clear_retrans_timer(c) l2cap_clear_timer(c, &c->retrans_timer)
460#define __set_monitor_timer(c) l2cap_set_timer(c, &c->monitor_timer, \
461 L2CAP_DEFAULT_MONITOR_TO);
462#define __clear_monitor_timer(c) l2cap_clear_timer(c, &c->monitor_timer)
463#define __set_ack_timer(c) l2cap_set_timer(c, &chan->ack_timer, \
464 L2CAP_DEFAULT_ACK_TO);
465#define __clear_ack_timer(c) l2cap_clear_timer(c, &c->ack_timer)
432 466
433static inline int l2cap_tx_window_full(struct l2cap_chan *ch) 467static inline int l2cap_tx_window_full(struct l2cap_chan *ch)
434{ 468{
@@ -459,11 +493,6 @@ int __l2cap_wait_ack(struct sock *sk);
459int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm); 493int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm);
460int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid); 494int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid);
461 495
462void l2cap_sock_kill(struct sock *sk);
463void l2cap_sock_init(struct sock *sk, struct sock *parent);
464struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
465 int proto, gfp_t prio);
466
467struct l2cap_chan *l2cap_chan_create(struct sock *sk); 496struct l2cap_chan *l2cap_chan_create(struct sock *sk);
468void l2cap_chan_close(struct l2cap_chan *chan, int reason); 497void l2cap_chan_close(struct l2cap_chan *chan, int reason);
469void l2cap_chan_destroy(struct l2cap_chan *chan); 498void l2cap_chan_destroy(struct l2cap_chan *chan);
diff --git a/include/net/bluetooth/mgmt.h b/include/net/bluetooth/mgmt.h
index 4899286ed4e4..45bea25d737f 100644
--- a/include/net/bluetooth/mgmt.h
+++ b/include/net/bluetooth/mgmt.h
@@ -199,6 +199,16 @@ struct mgmt_cp_remove_remote_oob_data {
199 199
200#define MGMT_OP_STOP_DISCOVERY 0x001C 200#define MGMT_OP_STOP_DISCOVERY 0x001C
201 201
202#define MGMT_OP_BLOCK_DEVICE 0x001D
203struct mgmt_cp_block_device {
204 bdaddr_t bdaddr;
205} __packed;
206
207#define MGMT_OP_UNBLOCK_DEVICE 0x001E
208struct mgmt_cp_unblock_device {
209 bdaddr_t bdaddr;
210} __packed;
211
202#define MGMT_EV_CMD_COMPLETE 0x0001 212#define MGMT_EV_CMD_COMPLETE 0x0001
203struct mgmt_ev_cmd_complete { 213struct mgmt_ev_cmd_complete {
204 __le16 opcode; 214 __le16 opcode;
diff --git a/include/net/bluetooth/smp.h b/include/net/bluetooth/smp.h
index 8f2edbf979dc..4fb7d198a876 100644
--- a/include/net/bluetooth/smp.h
+++ b/include/net/bluetooth/smp.h
@@ -1,3 +1,25 @@
1/*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
4
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License version 2 as
7 published by the Free Software Foundation;
8
9 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17
18 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20 SOFTWARE IS DISCLAIMED.
21*/
22
1#ifndef __SMP_H 23#ifndef __SMP_H
2#define __SMP_H 24#define __SMP_H
3 25
@@ -16,6 +38,23 @@ struct smp_cmd_pairing {
16 __u8 resp_key_dist; 38 __u8 resp_key_dist;
17} __packed; 39} __packed;
18 40
41#define SMP_IO_DISPLAY_ONLY 0x00
42#define SMP_IO_DISPLAY_YESNO 0x01
43#define SMP_IO_KEYBOARD_ONLY 0x02
44#define SMP_IO_NO_INPUT_OUTPUT 0x03
45#define SMP_IO_KEYBOARD_DISPLAY 0x04
46
47#define SMP_OOB_NOT_PRESENT 0x00
48#define SMP_OOB_PRESENT 0x01
49
50#define SMP_DIST_ENC_KEY 0x01
51#define SMP_DIST_ID_KEY 0x02
52#define SMP_DIST_SIGN 0x04
53
54#define SMP_AUTH_NONE 0x00
55#define SMP_AUTH_BONDING 0x01
56#define SMP_AUTH_MITM 0x04
57
19#define SMP_CMD_PAIRING_CONFIRM 0x03 58#define SMP_CMD_PAIRING_CONFIRM 0x03
20struct smp_cmd_pairing_confirm { 59struct smp_cmd_pairing_confirm {
21 __u8 confirm_val[16]; 60 __u8 confirm_val[16];
@@ -73,4 +112,11 @@ struct smp_cmd_security_req {
73#define SMP_UNSPECIFIED 0x08 112#define SMP_UNSPECIFIED 0x08
74#define SMP_REPEATED_ATTEMPTS 0x09 113#define SMP_REPEATED_ATTEMPTS 0x09
75 114
115#define SMP_MIN_ENC_KEY_SIZE 7
116#define SMP_MAX_ENC_KEY_SIZE 16
117
118/* SMP Commands */
119int smp_conn_security(struct l2cap_conn *conn, __u8 sec_level);
120int smp_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb);
121
76#endif /* __SMP_H */ 122#endif /* __SMP_H */
diff --git a/net/bluetooth/Kconfig b/net/bluetooth/Kconfig
index 6ae5ec508587..f495dea741e3 100644
--- a/net/bluetooth/Kconfig
+++ b/net/bluetooth/Kconfig
@@ -22,6 +22,7 @@ menuconfig BT
22 BNEP Module (Bluetooth Network Encapsulation Protocol) 22 BNEP Module (Bluetooth Network Encapsulation Protocol)
23 CMTP Module (CAPI Message Transport Protocol) 23 CMTP Module (CAPI Message Transport Protocol)
24 HIDP Module (Human Interface Device Protocol) 24 HIDP Module (Human Interface Device Protocol)
25 SMP Module (Security Manager Protocol)
25 26
26 Say Y here to compile Bluetooth support into the kernel or say M to 27 Say Y here to compile Bluetooth support into the kernel or say M to
27 compile it as module (bluetooth). 28 compile it as module (bluetooth).
@@ -36,11 +37,18 @@ if BT != n
36config BT_L2CAP 37config BT_L2CAP
37 bool "L2CAP protocol support" 38 bool "L2CAP protocol support"
38 select CRC16 39 select CRC16
40 select CRYPTO
41 select CRYPTO_BLKCIPHER
42 select CRYPTO_AES
43 select CRYPTO_ECB
39 help 44 help
40 L2CAP (Logical Link Control and Adaptation Protocol) provides 45 L2CAP (Logical Link Control and Adaptation Protocol) provides
41 connection oriented and connection-less data transport. L2CAP 46 connection oriented and connection-less data transport. L2CAP
42 support is required for most Bluetooth applications. 47 support is required for most Bluetooth applications.
43 48
49 Also included is support for SMP (Security Manager Protocol) which
50 is the security layer on top of LE (Low Energy) links.
51
44config BT_SCO 52config BT_SCO
45 bool "SCO links support" 53 bool "SCO links support"
46 help 54 help
diff --git a/net/bluetooth/Makefile b/net/bluetooth/Makefile
index f04fe9a9d634..9b67f3d08fa4 100644
--- a/net/bluetooth/Makefile
+++ b/net/bluetooth/Makefile
@@ -9,5 +9,5 @@ obj-$(CONFIG_BT_CMTP) += cmtp/
9obj-$(CONFIG_BT_HIDP) += hidp/ 9obj-$(CONFIG_BT_HIDP) += hidp/
10 10
11bluetooth-y := af_bluetooth.o hci_core.o hci_conn.o hci_event.o mgmt.o hci_sock.o hci_sysfs.o lib.o 11bluetooth-y := af_bluetooth.o hci_core.o hci_conn.o hci_event.o mgmt.o hci_sock.o hci_sysfs.o lib.o
12bluetooth-$(CONFIG_BT_L2CAP) += l2cap_core.o l2cap_sock.o 12bluetooth-$(CONFIG_BT_L2CAP) += l2cap_core.o l2cap_sock.o smp.o
13bluetooth-$(CONFIG_BT_SCO) += sco.o 13bluetooth-$(CONFIG_BT_SCO) += sco.o
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 37f5a174f072..fa48c0b3d93c 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -53,6 +53,7 @@ static void hci_le_connect(struct hci_conn *conn)
53 conn->state = BT_CONNECT; 53 conn->state = BT_CONNECT;
54 conn->out = 1; 54 conn->out = 1;
55 conn->link_mode |= HCI_LM_MASTER; 55 conn->link_mode |= HCI_LM_MASTER;
56 conn->sec_level = BT_SECURITY_LOW;
56 57
57 memset(&cp, 0, sizeof(cp)); 58 memset(&cp, 0, sizeof(cp));
58 cp.scan_interval = cpu_to_le16(0x0004); 59 cp.scan_interval = cpu_to_le16(0x0004);
@@ -204,6 +205,55 @@ void hci_le_conn_update(struct hci_conn *conn, u16 min, u16 max,
204} 205}
205EXPORT_SYMBOL(hci_le_conn_update); 206EXPORT_SYMBOL(hci_le_conn_update);
206 207
208void hci_le_start_enc(struct hci_conn *conn, __le16 ediv, __u8 rand[8],
209 __u8 ltk[16])
210{
211 struct hci_dev *hdev = conn->hdev;
212 struct hci_cp_le_start_enc cp;
213
214 BT_DBG("%p", conn);
215
216 memset(&cp, 0, sizeof(cp));
217
218 cp.handle = cpu_to_le16(conn->handle);
219 memcpy(cp.ltk, ltk, sizeof(cp.ltk));
220 cp.ediv = ediv;
221 memcpy(cp.rand, rand, sizeof(rand));
222
223 hci_send_cmd(hdev, HCI_OP_LE_START_ENC, sizeof(cp), &cp);
224}
225EXPORT_SYMBOL(hci_le_start_enc);
226
227void hci_le_ltk_reply(struct hci_conn *conn, u8 ltk[16])
228{
229 struct hci_dev *hdev = conn->hdev;
230 struct hci_cp_le_ltk_reply cp;
231
232 BT_DBG("%p", conn);
233
234 memset(&cp, 0, sizeof(cp));
235
236 cp.handle = cpu_to_le16(conn->handle);
237 memcpy(cp.ltk, ltk, sizeof(ltk));
238
239 hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
240}
241EXPORT_SYMBOL(hci_le_ltk_reply);
242
243void hci_le_ltk_neg_reply(struct hci_conn *conn)
244{
245 struct hci_dev *hdev = conn->hdev;
246 struct hci_cp_le_ltk_neg_reply cp;
247
248 BT_DBG("%p", conn);
249
250 memset(&cp, 0, sizeof(cp));
251
252 cp.handle = cpu_to_le16(conn->handle);
253
254 hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(cp), &cp);
255}
256
207/* Device _must_ be locked */ 257/* Device _must_ be locked */
208void hci_sco_setup(struct hci_conn *conn, __u8 status) 258void hci_sco_setup(struct hci_conn *conn, __u8 status)
209{ 259{
@@ -620,11 +670,11 @@ int hci_conn_security(struct hci_conn *conn, __u8 sec_level, __u8 auth_type)
620 goto encrypt; 670 goto encrypt;
621 671
622auth: 672auth:
623 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &conn->pend)) 673 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->pend))
624 return 0; 674 return 0;
625 675
626 hci_conn_auth(conn, sec_level, auth_type); 676 if (!hci_conn_auth(conn, sec_level, auth_type))
627 return 0; 677 return 0;
628 678
629encrypt: 679encrypt:
630 if (conn->link_mode & HCI_LM_ENCRYPT) 680 if (conn->link_mode & HCI_LM_ENCRYPT)
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index e14e8a1cb04e..0029e178e52e 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -42,6 +42,7 @@
42#include <linux/notifier.h> 42#include <linux/notifier.h>
43#include <linux/rfkill.h> 43#include <linux/rfkill.h>
44#include <linux/timer.h> 44#include <linux/timer.h>
45#include <linux/crypto.h>
45#include <net/sock.h> 46#include <net/sock.h>
46 47
47#include <asm/system.h> 48#include <asm/system.h>
@@ -59,6 +60,8 @@ static void hci_tx_task(unsigned long arg);
59 60
60static DEFINE_RWLOCK(hci_task_lock); 61static DEFINE_RWLOCK(hci_task_lock);
61 62
63static int enable_smp;
64
62/* HCI device list */ 65/* HCI device list */
63LIST_HEAD(hci_dev_list); 66LIST_HEAD(hci_dev_list);
64DEFINE_RWLOCK(hci_dev_list_lock); 67DEFINE_RWLOCK(hci_dev_list_lock);
@@ -1202,6 +1205,97 @@ int hci_add_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 *hash,
1202 return 0; 1205 return 0;
1203} 1206}
1204 1207
1208struct bdaddr_list *hci_blacklist_lookup(struct hci_dev *hdev,
1209 bdaddr_t *bdaddr)
1210{
1211 struct list_head *p;
1212
1213 list_for_each(p, &hdev->blacklist) {
1214 struct bdaddr_list *b;
1215
1216 b = list_entry(p, struct bdaddr_list, list);
1217
1218 if (bacmp(bdaddr, &b->bdaddr) == 0)
1219 return b;
1220 }
1221
1222 return NULL;
1223}
1224
1225int hci_blacklist_clear(struct hci_dev *hdev)
1226{
1227 struct list_head *p, *n;
1228
1229 list_for_each_safe(p, n, &hdev->blacklist) {
1230 struct bdaddr_list *b;
1231
1232 b = list_entry(p, struct bdaddr_list, list);
1233
1234 list_del(p);
1235 kfree(b);
1236 }
1237
1238 return 0;
1239}
1240
1241int hci_blacklist_add(struct hci_dev *hdev, bdaddr_t *bdaddr)
1242{
1243 struct bdaddr_list *entry;
1244 int err;
1245
1246 if (bacmp(bdaddr, BDADDR_ANY) == 0)
1247 return -EBADF;
1248
1249 hci_dev_lock(hdev);
1250
1251 if (hci_blacklist_lookup(hdev, bdaddr)) {
1252 err = -EEXIST;
1253 goto err;
1254 }
1255
1256 entry = kzalloc(sizeof(struct bdaddr_list), GFP_KERNEL);
1257 if (!entry) {
1258 return -ENOMEM;
1259 goto err;
1260 }
1261
1262 bacpy(&entry->bdaddr, bdaddr);
1263
1264 list_add(&entry->list, &hdev->blacklist);
1265
1266 err = 0;
1267
1268err:
1269 hci_dev_unlock(hdev);
1270 return err;
1271}
1272
1273int hci_blacklist_del(struct hci_dev *hdev, bdaddr_t *bdaddr)
1274{
1275 struct bdaddr_list *entry;
1276 int err = 0;
1277
1278 hci_dev_lock(hdev);
1279
1280 if (bacmp(bdaddr, BDADDR_ANY) == 0) {
1281 hci_blacklist_clear(hdev);
1282 goto done;
1283 }
1284
1285 entry = hci_blacklist_lookup(hdev, bdaddr);
1286 if (!entry) {
1287 err = -ENOENT;
1288 goto done;
1289 }
1290
1291 list_del(&entry->list);
1292 kfree(entry);
1293
1294done:
1295 hci_dev_unlock(hdev);
1296 return err;
1297}
1298
1205static void hci_clear_adv_cache(unsigned long arg) 1299static void hci_clear_adv_cache(unsigned long arg)
1206{ 1300{
1207 struct hci_dev *hdev = (void *) arg; 1301 struct hci_dev *hdev = (void *) arg;
@@ -1274,6 +1368,14 @@ int hci_add_adv_entry(struct hci_dev *hdev,
1274 return 0; 1368 return 0;
1275} 1369}
1276 1370
1371static struct crypto_blkcipher *alloc_cypher(void)
1372{
1373 if (enable_smp)
1374 return crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
1375
1376 return ERR_PTR(-ENOTSUPP);
1377}
1378
1277/* Register HCI device */ 1379/* Register HCI device */
1278int hci_register_dev(struct hci_dev *hdev) 1380int hci_register_dev(struct hci_dev *hdev)
1279{ 1381{
@@ -1358,6 +1460,11 @@ int hci_register_dev(struct hci_dev *hdev)
1358 if (!hdev->workqueue) 1460 if (!hdev->workqueue)
1359 goto nomem; 1461 goto nomem;
1360 1462
1463 hdev->tfm = alloc_cypher();
1464 if (IS_ERR(hdev->tfm))
1465 BT_INFO("Failed to load transform for ecb(aes): %ld",
1466 PTR_ERR(hdev->tfm));
1467
1361 hci_register_sysfs(hdev); 1468 hci_register_sysfs(hdev);
1362 1469
1363 hdev->rfkill = rfkill_alloc(hdev->name, &hdev->dev, 1470 hdev->rfkill = rfkill_alloc(hdev->name, &hdev->dev,
@@ -1406,6 +1513,9 @@ int hci_unregister_dev(struct hci_dev *hdev)
1406 !test_bit(HCI_SETUP, &hdev->flags)) 1513 !test_bit(HCI_SETUP, &hdev->flags))
1407 mgmt_index_removed(hdev->id); 1514 mgmt_index_removed(hdev->id);
1408 1515
1516 if (!IS_ERR(hdev->tfm))
1517 crypto_free_blkcipher(hdev->tfm);
1518
1409 hci_notify(hdev, HCI_DEV_UNREG); 1519 hci_notify(hdev, HCI_DEV_UNREG);
1410 1520
1411 if (hdev->rfkill) { 1521 if (hdev->rfkill) {
@@ -2242,3 +2352,6 @@ static void hci_cmd_task(unsigned long arg)
2242 } 2352 }
2243 } 2353 }
2244} 2354}
2355
2356module_param(enable_smp, bool, 0644);
2357MODULE_PARM_DESC(enable_smp, "Enable SMP support (LE only)");
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 0f643f84131f..ac2c5e89617c 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -868,6 +868,30 @@ static void hci_cc_le_set_scan_enable(struct hci_dev *hdev,
868 hci_dev_unlock(hdev); 868 hci_dev_unlock(hdev);
869} 869}
870 870
871static void hci_cc_le_ltk_reply(struct hci_dev *hdev, struct sk_buff *skb)
872{
873 struct hci_rp_le_ltk_reply *rp = (void *) skb->data;
874
875 BT_DBG("%s status 0x%x", hdev->name, rp->status);
876
877 if (rp->status)
878 return;
879
880 hci_req_complete(hdev, HCI_OP_LE_LTK_REPLY, rp->status);
881}
882
883static void hci_cc_le_ltk_neg_reply(struct hci_dev *hdev, struct sk_buff *skb)
884{
885 struct hci_rp_le_ltk_neg_reply *rp = (void *) skb->data;
886
887 BT_DBG("%s status 0x%x", hdev->name, rp->status);
888
889 if (rp->status)
890 return;
891
892 hci_req_complete(hdev, HCI_OP_LE_LTK_NEG_REPLY, rp->status);
893}
894
871static inline void hci_cs_inquiry(struct hci_dev *hdev, __u8 status) 895static inline void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
872{ 896{
873 BT_DBG("%s status 0x%x", hdev->name, status); 897 BT_DBG("%s status 0x%x", hdev->name, status);
@@ -1248,6 +1272,11 @@ static void hci_cs_le_create_conn(struct hci_dev *hdev, __u8 status)
1248 hci_dev_unlock(hdev); 1272 hci_dev_unlock(hdev);
1249} 1273}
1250 1274
1275static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status)
1276{
1277 BT_DBG("%s status 0x%x", hdev->name, status);
1278}
1279
1251static inline void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 1280static inline void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
1252{ 1281{
1253 __u8 status = *((__u8 *) skb->data); 1282 __u8 status = *((__u8 *) skb->data);
@@ -1593,6 +1622,7 @@ static inline void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *
1593 /* Encryption implies authentication */ 1622 /* Encryption implies authentication */
1594 conn->link_mode |= HCI_LM_AUTH; 1623 conn->link_mode |= HCI_LM_AUTH;
1595 conn->link_mode |= HCI_LM_ENCRYPT; 1624 conn->link_mode |= HCI_LM_ENCRYPT;
1625 conn->sec_level = conn->pending_sec_level;
1596 } else 1626 } else
1597 conn->link_mode &= ~HCI_LM_ENCRYPT; 1627 conn->link_mode &= ~HCI_LM_ENCRYPT;
1598 } 1628 }
@@ -1856,6 +1886,14 @@ static inline void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *sk
1856 hci_cc_le_set_scan_enable(hdev, skb); 1886 hci_cc_le_set_scan_enable(hdev, skb);
1857 break; 1887 break;
1858 1888
1889 case HCI_OP_LE_LTK_REPLY:
1890 hci_cc_le_ltk_reply(hdev, skb);
1891 break;
1892
1893 case HCI_OP_LE_LTK_NEG_REPLY:
1894 hci_cc_le_ltk_neg_reply(hdev, skb);
1895 break;
1896
1859 default: 1897 default:
1860 BT_DBG("%s opcode 0x%x", hdev->name, opcode); 1898 BT_DBG("%s opcode 0x%x", hdev->name, opcode);
1861 break; 1899 break;
@@ -1934,6 +1972,10 @@ static inline void hci_cmd_status_evt(struct hci_dev *hdev, struct sk_buff *skb)
1934 hci_cs_le_create_conn(hdev, ev->status); 1972 hci_cs_le_create_conn(hdev, ev->status);
1935 break; 1973 break;
1936 1974
1975 case HCI_OP_LE_START_ENC:
1976 hci_cs_le_start_enc(hdev, ev->status);
1977 break;
1978
1937 default: 1979 default:
1938 BT_DBG("%s opcode 0x%x", hdev->name, opcode); 1980 BT_DBG("%s opcode 0x%x", hdev->name, opcode);
1939 break; 1981 break;
@@ -2712,6 +2754,7 @@ static inline void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff
2712 2754
2713 mgmt_connected(hdev->id, &ev->bdaddr); 2755 mgmt_connected(hdev->id, &ev->bdaddr);
2714 2756
2757 conn->sec_level = BT_SECURITY_LOW;
2715 conn->handle = __le16_to_cpu(ev->handle); 2758 conn->handle = __le16_to_cpu(ev->handle);
2716 conn->state = BT_CONNECTED; 2759 conn->state = BT_CONNECTED;
2717 2760
@@ -2745,6 +2788,28 @@ static inline void hci_le_adv_report_evt(struct hci_dev *hdev,
2745 hci_dev_unlock(hdev); 2788 hci_dev_unlock(hdev);
2746} 2789}
2747 2790
2791static inline void hci_le_ltk_request_evt(struct hci_dev *hdev,
2792 struct sk_buff *skb)
2793{
2794 struct hci_ev_le_ltk_req *ev = (void *) skb->data;
2795 struct hci_cp_le_ltk_reply cp;
2796 struct hci_conn *conn;
2797
2798 BT_DBG("%s handle %d", hdev->name, cpu_to_le16(ev->handle));
2799
2800 hci_dev_lock(hdev);
2801
2802 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2803
2804 memset(&cp, 0, sizeof(cp));
2805 cp.handle = cpu_to_le16(conn->handle);
2806 memcpy(cp.ltk, conn->ltk, sizeof(conn->ltk));
2807
2808 hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
2809
2810 hci_dev_unlock(hdev);
2811}
2812
2748static inline void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb) 2813static inline void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb)
2749{ 2814{
2750 struct hci_ev_le_meta *le_ev = (void *) skb->data; 2815 struct hci_ev_le_meta *le_ev = (void *) skb->data;
@@ -2760,6 +2825,10 @@ static inline void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb)
2760 hci_le_adv_report_evt(hdev, skb); 2825 hci_le_adv_report_evt(hdev, skb);
2761 break; 2826 break;
2762 2827
2828 case HCI_EV_LE_LTK_REQ:
2829 hci_le_ltk_request_evt(hdev, skb);
2830 break;
2831
2763 default: 2832 default:
2764 break; 2833 break;
2765 } 2834 }
diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
index 295e4a88fff8..ff02cf5e77cc 100644
--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -180,82 +180,24 @@ static int hci_sock_release(struct socket *sock)
180 return 0; 180 return 0;
181} 181}
182 182
183struct bdaddr_list *hci_blacklist_lookup(struct hci_dev *hdev, bdaddr_t *bdaddr) 183static int hci_sock_blacklist_add(struct hci_dev *hdev, void __user *arg)
184{
185 struct list_head *p;
186
187 list_for_each(p, &hdev->blacklist) {
188 struct bdaddr_list *b;
189
190 b = list_entry(p, struct bdaddr_list, list);
191
192 if (bacmp(bdaddr, &b->bdaddr) == 0)
193 return b;
194 }
195
196 return NULL;
197}
198
199static int hci_blacklist_add(struct hci_dev *hdev, void __user *arg)
200{ 184{
201 bdaddr_t bdaddr; 185 bdaddr_t bdaddr;
202 struct bdaddr_list *entry;
203 186
204 if (copy_from_user(&bdaddr, arg, sizeof(bdaddr))) 187 if (copy_from_user(&bdaddr, arg, sizeof(bdaddr)))
205 return -EFAULT; 188 return -EFAULT;
206 189
207 if (bacmp(&bdaddr, BDADDR_ANY) == 0) 190 return hci_blacklist_add(hdev, &bdaddr);
208 return -EBADF;
209
210 if (hci_blacklist_lookup(hdev, &bdaddr))
211 return -EEXIST;
212
213 entry = kzalloc(sizeof(struct bdaddr_list), GFP_KERNEL);
214 if (!entry)
215 return -ENOMEM;
216
217 bacpy(&entry->bdaddr, &bdaddr);
218
219 list_add(&entry->list, &hdev->blacklist);
220
221 return 0;
222}
223
224int hci_blacklist_clear(struct hci_dev *hdev)
225{
226 struct list_head *p, *n;
227
228 list_for_each_safe(p, n, &hdev->blacklist) {
229 struct bdaddr_list *b;
230
231 b = list_entry(p, struct bdaddr_list, list);
232
233 list_del(p);
234 kfree(b);
235 }
236
237 return 0;
238} 191}
239 192
240static int hci_blacklist_del(struct hci_dev *hdev, void __user *arg) 193static int hci_sock_blacklist_del(struct hci_dev *hdev, void __user *arg)
241{ 194{
242 bdaddr_t bdaddr; 195 bdaddr_t bdaddr;
243 struct bdaddr_list *entry;
244 196
245 if (copy_from_user(&bdaddr, arg, sizeof(bdaddr))) 197 if (copy_from_user(&bdaddr, arg, sizeof(bdaddr)))
246 return -EFAULT; 198 return -EFAULT;
247 199
248 if (bacmp(&bdaddr, BDADDR_ANY) == 0) 200 return hci_blacklist_del(hdev, &bdaddr);
249 return hci_blacklist_clear(hdev);
250
251 entry = hci_blacklist_lookup(hdev, &bdaddr);
252 if (!entry)
253 return -ENOENT;
254
255 list_del(&entry->list);
256 kfree(entry);
257
258 return 0;
259} 201}
260 202
261/* Ioctls that require bound socket */ 203/* Ioctls that require bound socket */
@@ -290,12 +232,12 @@ static inline int hci_sock_bound_ioctl(struct sock *sk, unsigned int cmd, unsign
290 case HCIBLOCKADDR: 232 case HCIBLOCKADDR:
291 if (!capable(CAP_NET_ADMIN)) 233 if (!capable(CAP_NET_ADMIN))
292 return -EACCES; 234 return -EACCES;
293 return hci_blacklist_add(hdev, (void __user *) arg); 235 return hci_sock_blacklist_add(hdev, (void __user *) arg);
294 236
295 case HCIUNBLOCKADDR: 237 case HCIUNBLOCKADDR:
296 if (!capable(CAP_NET_ADMIN)) 238 if (!capable(CAP_NET_ADMIN))
297 return -EACCES; 239 return -EACCES;
298 return hci_blacklist_del(hdev, (void __user *) arg); 240 return hci_sock_blacklist_del(hdev, (void __user *) arg);
299 241
300 default: 242 default:
301 if (hdev->ioctl) 243 if (hdev->ioctl)
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index dff9d76fe790..9ec9c8c5eb5e 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -54,6 +54,7 @@
54#include <net/bluetooth/bluetooth.h> 54#include <net/bluetooth/bluetooth.h>
55#include <net/bluetooth/hci_core.h> 55#include <net/bluetooth/hci_core.h>
56#include <net/bluetooth/l2cap.h> 56#include <net/bluetooth/l2cap.h>
57#include <net/bluetooth/smp.h>
57 58
58int disable_ertm; 59int disable_ertm;
59 60
@@ -78,6 +79,18 @@ static void l2cap_send_disconn_req(struct l2cap_conn *conn,
78static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb); 79static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb);
79 80
80/* ---- L2CAP channels ---- */ 81/* ---- L2CAP channels ---- */
82
83static inline void chan_hold(struct l2cap_chan *c)
84{
85 atomic_inc(&c->refcnt);
86}
87
88static inline void chan_put(struct l2cap_chan *c)
89{
90 if (atomic_dec_and_test(&c->refcnt))
91 kfree(c);
92}
93
81static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid) 94static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
82{ 95{
83 struct l2cap_chan *c; 96 struct l2cap_chan *c;
@@ -208,20 +221,26 @@ static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
208 return 0; 221 return 0;
209} 222}
210 223
211static void l2cap_chan_set_timer(struct l2cap_chan *chan, long timeout) 224static void l2cap_set_timer(struct l2cap_chan *chan, struct timer_list *timer, long timeout)
212{ 225{
213 BT_DBG("chan %p state %d timeout %ld", chan->sk, chan->sk->sk_state, 226 BT_DBG("chan %p state %d timeout %ld", chan->sk, chan->state, timeout);
214 timeout); 227
215 if (!mod_timer(&chan->chan_timer, jiffies + timeout)) 228 if (!mod_timer(timer, jiffies + timeout))
216 sock_hold(chan->sk); 229 chan_hold(chan);
217} 230}
218 231
219static void l2cap_chan_clear_timer(struct l2cap_chan *chan) 232static void l2cap_clear_timer(struct l2cap_chan *chan, struct timer_list *timer)
220{ 233{
221 BT_DBG("chan %p state %d", chan, chan->sk->sk_state); 234 BT_DBG("chan %p state %d", chan, chan->state);
235
236 if (timer_pending(timer) && del_timer(timer))
237 chan_put(chan);
238}
222 239
223 if (timer_pending(&chan->chan_timer) && del_timer(&chan->chan_timer)) 240static void l2cap_state_change(struct l2cap_chan *chan, int state)
224 __sock_put(chan->sk); 241{
242 chan->state = state;
243 chan->ops->state_change(chan->data, state);
225} 244}
226 245
227static void l2cap_chan_timeout(unsigned long arg) 246static void l2cap_chan_timeout(unsigned long arg)
@@ -230,21 +249,21 @@ static void l2cap_chan_timeout(unsigned long arg)
230 struct sock *sk = chan->sk; 249 struct sock *sk = chan->sk;
231 int reason; 250 int reason;
232 251
233 BT_DBG("chan %p state %d", chan, sk->sk_state); 252 BT_DBG("chan %p state %d", chan, chan->state);
234 253
235 bh_lock_sock(sk); 254 bh_lock_sock(sk);
236 255
237 if (sock_owned_by_user(sk)) { 256 if (sock_owned_by_user(sk)) {
238 /* sk is owned by user. Try again later */ 257 /* sk is owned by user. Try again later */
239 l2cap_chan_set_timer(chan, HZ / 5); 258 __set_chan_timer(chan, HZ / 5);
240 bh_unlock_sock(sk); 259 bh_unlock_sock(sk);
241 sock_put(sk); 260 chan_put(chan);
242 return; 261 return;
243 } 262 }
244 263
245 if (sk->sk_state == BT_CONNECTED || sk->sk_state == BT_CONFIG) 264 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
246 reason = ECONNREFUSED; 265 reason = ECONNREFUSED;
247 else if (sk->sk_state == BT_CONNECT && 266 else if (chan->state == BT_CONNECT &&
248 chan->sec_level != BT_SECURITY_SDP) 267 chan->sec_level != BT_SECURITY_SDP)
249 reason = ECONNREFUSED; 268 reason = ECONNREFUSED;
250 else 269 else
@@ -254,8 +273,8 @@ static void l2cap_chan_timeout(unsigned long arg)
254 273
255 bh_unlock_sock(sk); 274 bh_unlock_sock(sk);
256 275
257 l2cap_sock_kill(sk); 276 chan->ops->close(chan->data);
258 sock_put(sk); 277 chan_put(chan);
259} 278}
260 279
261struct l2cap_chan *l2cap_chan_create(struct sock *sk) 280struct l2cap_chan *l2cap_chan_create(struct sock *sk)
@@ -274,6 +293,10 @@ struct l2cap_chan *l2cap_chan_create(struct sock *sk)
274 293
275 setup_timer(&chan->chan_timer, l2cap_chan_timeout, (unsigned long) chan); 294 setup_timer(&chan->chan_timer, l2cap_chan_timeout, (unsigned long) chan);
276 295
296 chan->state = BT_OPEN;
297
298 atomic_set(&chan->refcnt, 1);
299
277 return chan; 300 return chan;
278} 301}
279 302
@@ -283,13 +306,11 @@ void l2cap_chan_destroy(struct l2cap_chan *chan)
283 list_del(&chan->global_l); 306 list_del(&chan->global_l);
284 write_unlock_bh(&chan_list_lock); 307 write_unlock_bh(&chan_list_lock);
285 308
286 kfree(chan); 309 chan_put(chan);
287} 310}
288 311
289static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan) 312static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
290{ 313{
291 struct sock *sk = chan->sk;
292
293 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn, 314 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
294 chan->psm, chan->dcid); 315 chan->psm, chan->dcid);
295 316
@@ -320,7 +341,7 @@ static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
320 chan->omtu = L2CAP_DEFAULT_MTU; 341 chan->omtu = L2CAP_DEFAULT_MTU;
321 } 342 }
322 343
323 sock_hold(sk); 344 chan_hold(chan);
324 345
325 list_add(&chan->list, &conn->chan_l); 346 list_add(&chan->list, &conn->chan_l);
326} 347}
@@ -333,7 +354,7 @@ static void l2cap_chan_del(struct l2cap_chan *chan, int err)
333 struct l2cap_conn *conn = chan->conn; 354 struct l2cap_conn *conn = chan->conn;
334 struct sock *parent = bt_sk(sk)->parent; 355 struct sock *parent = bt_sk(sk)->parent;
335 356
336 l2cap_chan_clear_timer(chan); 357 __clear_chan_timer(chan);
337 358
338 BT_DBG("chan %p, conn %p, err %d", chan, conn, err); 359 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
339 360
@@ -342,13 +363,13 @@ static void l2cap_chan_del(struct l2cap_chan *chan, int err)
342 write_lock_bh(&conn->chan_lock); 363 write_lock_bh(&conn->chan_lock);
343 list_del(&chan->list); 364 list_del(&chan->list);
344 write_unlock_bh(&conn->chan_lock); 365 write_unlock_bh(&conn->chan_lock);
345 __sock_put(sk); 366 chan_put(chan);
346 367
347 chan->conn = NULL; 368 chan->conn = NULL;
348 hci_conn_put(conn->hcon); 369 hci_conn_put(conn->hcon);
349 } 370 }
350 371
351 sk->sk_state = BT_CLOSED; 372 l2cap_state_change(chan, BT_CLOSED);
352 sock_set_flag(sk, SOCK_ZAPPED); 373 sock_set_flag(sk, SOCK_ZAPPED);
353 374
354 if (err) 375 if (err)
@@ -360,8 +381,8 @@ static void l2cap_chan_del(struct l2cap_chan *chan, int err)
360 } else 381 } else
361 sk->sk_state_change(sk); 382 sk->sk_state_change(sk);
362 383
363 if (!(chan->conf_state & L2CAP_CONF_OUTPUT_DONE && 384 if (!(test_bit(CONF_OUTPUT_DONE, &chan->conf_state) &&
364 chan->conf_state & L2CAP_CONF_INPUT_DONE)) 385 test_bit(CONF_INPUT_DONE, &chan->conf_state)))
365 return; 386 return;
366 387
367 skb_queue_purge(&chan->tx_q); 388 skb_queue_purge(&chan->tx_q);
@@ -369,9 +390,9 @@ static void l2cap_chan_del(struct l2cap_chan *chan, int err)
369 if (chan->mode == L2CAP_MODE_ERTM) { 390 if (chan->mode == L2CAP_MODE_ERTM) {
370 struct srej_list *l, *tmp; 391 struct srej_list *l, *tmp;
371 392
372 del_timer(&chan->retrans_timer); 393 __clear_retrans_timer(chan);
373 del_timer(&chan->monitor_timer); 394 __clear_monitor_timer(chan);
374 del_timer(&chan->ack_timer); 395 __clear_ack_timer(chan);
375 396
376 skb_queue_purge(&chan->srej_q); 397 skb_queue_purge(&chan->srej_q);
377 skb_queue_purge(&chan->busy_q); 398 skb_queue_purge(&chan->busy_q);
@@ -391,15 +412,13 @@ static void l2cap_chan_cleanup_listen(struct sock *parent)
391 412
392 /* Close not yet accepted channels */ 413 /* Close not yet accepted channels */
393 while ((sk = bt_accept_dequeue(parent, NULL))) { 414 while ((sk = bt_accept_dequeue(parent, NULL))) {
394 l2cap_chan_clear_timer(l2cap_pi(sk)->chan); 415 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
416 __clear_chan_timer(chan);
395 lock_sock(sk); 417 lock_sock(sk);
396 l2cap_chan_close(l2cap_pi(sk)->chan, ECONNRESET); 418 l2cap_chan_close(chan, ECONNRESET);
397 release_sock(sk); 419 release_sock(sk);
398 l2cap_sock_kill(sk); 420 chan->ops->close(chan->data);
399 } 421 }
400
401 parent->sk_state = BT_CLOSED;
402 sock_set_flag(parent, SOCK_ZAPPED);
403} 422}
404 423
405void l2cap_chan_close(struct l2cap_chan *chan, int reason) 424void l2cap_chan_close(struct l2cap_chan *chan, int reason)
@@ -407,19 +426,22 @@ void l2cap_chan_close(struct l2cap_chan *chan, int reason)
407 struct l2cap_conn *conn = chan->conn; 426 struct l2cap_conn *conn = chan->conn;
408 struct sock *sk = chan->sk; 427 struct sock *sk = chan->sk;
409 428
410 BT_DBG("chan %p state %d socket %p", chan, sk->sk_state, sk->sk_socket); 429 BT_DBG("chan %p state %d socket %p", chan, chan->state, sk->sk_socket);
411 430
412 switch (sk->sk_state) { 431 switch (chan->state) {
413 case BT_LISTEN: 432 case BT_LISTEN:
414 l2cap_chan_cleanup_listen(sk); 433 l2cap_chan_cleanup_listen(sk);
434
435 l2cap_state_change(chan, BT_CLOSED);
436 sock_set_flag(sk, SOCK_ZAPPED);
415 break; 437 break;
416 438
417 case BT_CONNECTED: 439 case BT_CONNECTED:
418 case BT_CONFIG: 440 case BT_CONFIG:
419 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && 441 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
420 conn->hcon->type == ACL_LINK) { 442 conn->hcon->type == ACL_LINK) {
421 l2cap_chan_clear_timer(chan); 443 __clear_chan_timer(chan);
422 l2cap_chan_set_timer(chan, sk->sk_sndtimeo); 444 __set_chan_timer(chan, sk->sk_sndtimeo);
423 l2cap_send_disconn_req(conn, chan, reason); 445 l2cap_send_disconn_req(conn, chan, reason);
424 } else 446 } else
425 l2cap_chan_del(chan, reason); 447 l2cap_chan_del(chan, reason);
@@ -435,7 +457,7 @@ void l2cap_chan_close(struct l2cap_chan *chan, int reason)
435 result = L2CAP_CR_SEC_BLOCK; 457 result = L2CAP_CR_SEC_BLOCK;
436 else 458 else
437 result = L2CAP_CR_BAD_PSM; 459 result = L2CAP_CR_BAD_PSM;
438 sk->sk_state = BT_DISCONN; 460 l2cap_state_change(chan, BT_DISCONN);
439 461
440 rsp.scid = cpu_to_le16(chan->dcid); 462 rsp.scid = cpu_to_le16(chan->dcid);
441 rsp.dcid = cpu_to_le16(chan->scid); 463 rsp.dcid = cpu_to_le16(chan->scid);
@@ -547,13 +569,11 @@ static inline void l2cap_send_sframe(struct l2cap_chan *chan, u16 control)
547{ 569{
548 struct sk_buff *skb; 570 struct sk_buff *skb;
549 struct l2cap_hdr *lh; 571 struct l2cap_hdr *lh;
550 struct l2cap_pinfo *pi = l2cap_pi(chan->sk);
551 struct l2cap_conn *conn = chan->conn; 572 struct l2cap_conn *conn = chan->conn;
552 struct sock *sk = (struct sock *)pi;
553 int count, hlen = L2CAP_HDR_SIZE + 2; 573 int count, hlen = L2CAP_HDR_SIZE + 2;
554 u8 flags; 574 u8 flags;
555 575
556 if (sk->sk_state != BT_CONNECTED) 576 if (chan->state != BT_CONNECTED)
557 return; 577 return;
558 578
559 if (chan->fcs == L2CAP_FCS_CRC16) 579 if (chan->fcs == L2CAP_FCS_CRC16)
@@ -564,15 +584,11 @@ static inline void l2cap_send_sframe(struct l2cap_chan *chan, u16 control)
564 count = min_t(unsigned int, conn->mtu, hlen); 584 count = min_t(unsigned int, conn->mtu, hlen);
565 control |= L2CAP_CTRL_FRAME_TYPE; 585 control |= L2CAP_CTRL_FRAME_TYPE;
566 586
567 if (chan->conn_state & L2CAP_CONN_SEND_FBIT) { 587 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
568 control |= L2CAP_CTRL_FINAL; 588 control |= L2CAP_CTRL_FINAL;
569 chan->conn_state &= ~L2CAP_CONN_SEND_FBIT;
570 }
571 589
572 if (chan->conn_state & L2CAP_CONN_SEND_PBIT) { 590 if (test_and_clear_bit(CONN_SEND_PBIT, &chan->conn_state))
573 control |= L2CAP_CTRL_POLL; 591 control |= L2CAP_CTRL_POLL;
574 chan->conn_state &= ~L2CAP_CONN_SEND_PBIT;
575 }
576 592
577 skb = bt_skb_alloc(count, GFP_ATOMIC); 593 skb = bt_skb_alloc(count, GFP_ATOMIC);
578 if (!skb) 594 if (!skb)
@@ -600,9 +616,9 @@ static inline void l2cap_send_sframe(struct l2cap_chan *chan, u16 control)
600 616
601static inline void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, u16 control) 617static inline void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, u16 control)
602{ 618{
603 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) { 619 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
604 control |= L2CAP_SUPER_RCV_NOT_READY; 620 control |= L2CAP_SUPER_RCV_NOT_READY;
605 chan->conn_state |= L2CAP_CONN_RNR_SENT; 621 set_bit(CONN_RNR_SENT, &chan->conn_state);
606 } else 622 } else
607 control |= L2CAP_SUPER_RCV_READY; 623 control |= L2CAP_SUPER_RCV_READY;
608 624
@@ -613,7 +629,7 @@ static inline void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, u16 control)
613 629
614static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan) 630static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
615{ 631{
616 return !(chan->conf_state & L2CAP_CONF_CONNECT_PEND); 632 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
617} 633}
618 634
619static void l2cap_do_start(struct l2cap_chan *chan) 635static void l2cap_do_start(struct l2cap_chan *chan)
@@ -631,7 +647,7 @@ static void l2cap_do_start(struct l2cap_chan *chan)
631 req.psm = chan->psm; 647 req.psm = chan->psm;
632 648
633 chan->ident = l2cap_get_ident(conn); 649 chan->ident = l2cap_get_ident(conn);
634 chan->conf_state |= L2CAP_CONF_CONNECT_PEND; 650 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
635 651
636 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, 652 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
637 sizeof(req), &req); 653 sizeof(req), &req);
@@ -678,9 +694,9 @@ static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *c
678 sk = chan->sk; 694 sk = chan->sk;
679 695
680 if (chan->mode == L2CAP_MODE_ERTM) { 696 if (chan->mode == L2CAP_MODE_ERTM) {
681 del_timer(&chan->retrans_timer); 697 __clear_retrans_timer(chan);
682 del_timer(&chan->monitor_timer); 698 __clear_monitor_timer(chan);
683 del_timer(&chan->ack_timer); 699 __clear_ack_timer(chan);
684 } 700 }
685 701
686 req.dcid = cpu_to_le16(chan->dcid); 702 req.dcid = cpu_to_le16(chan->dcid);
@@ -688,7 +704,7 @@ static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *c
688 l2cap_send_cmd(conn, l2cap_get_ident(conn), 704 l2cap_send_cmd(conn, l2cap_get_ident(conn),
689 L2CAP_DISCONN_REQ, sizeof(req), &req); 705 L2CAP_DISCONN_REQ, sizeof(req), &req);
690 706
691 sk->sk_state = BT_DISCONN; 707 l2cap_state_change(chan, BT_DISCONN);
692 sk->sk_err = err; 708 sk->sk_err = err;
693} 709}
694 710
@@ -711,7 +727,7 @@ static void l2cap_conn_start(struct l2cap_conn *conn)
711 continue; 727 continue;
712 } 728 }
713 729
714 if (sk->sk_state == BT_CONNECT) { 730 if (chan->state == BT_CONNECT) {
715 struct l2cap_conn_req req; 731 struct l2cap_conn_req req;
716 732
717 if (!l2cap_check_security(chan) || 733 if (!l2cap_check_security(chan) ||
@@ -720,14 +736,13 @@ static void l2cap_conn_start(struct l2cap_conn *conn)
720 continue; 736 continue;
721 } 737 }
722 738
723 if (!l2cap_mode_supported(chan->mode, 739 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
724 conn->feat_mask) 740 && test_bit(CONF_STATE2_DEVICE,
725 && chan->conf_state & 741 &chan->conf_state)) {
726 L2CAP_CONF_STATE2_DEVICE) {
727 /* l2cap_chan_close() calls list_del(chan) 742 /* l2cap_chan_close() calls list_del(chan)
728 * so release the lock */ 743 * so release the lock */
729 read_unlock_bh(&conn->chan_lock); 744 read_unlock_bh(&conn->chan_lock);
730 l2cap_chan_close(chan, ECONNRESET); 745 l2cap_chan_close(chan, ECONNRESET);
731 read_lock_bh(&conn->chan_lock); 746 read_lock_bh(&conn->chan_lock);
732 bh_unlock_sock(sk); 747 bh_unlock_sock(sk);
733 continue; 748 continue;
@@ -737,12 +752,12 @@ static void l2cap_conn_start(struct l2cap_conn *conn)
737 req.psm = chan->psm; 752 req.psm = chan->psm;
738 753
739 chan->ident = l2cap_get_ident(conn); 754 chan->ident = l2cap_get_ident(conn);
740 chan->conf_state |= L2CAP_CONF_CONNECT_PEND; 755 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
741 756
742 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, 757 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
743 sizeof(req), &req); 758 sizeof(req), &req);
744 759
745 } else if (sk->sk_state == BT_CONNECT2) { 760 } else if (chan->state == BT_CONNECT2) {
746 struct l2cap_conn_rsp rsp; 761 struct l2cap_conn_rsp rsp;
747 char buf[128]; 762 char buf[128];
748 rsp.scid = cpu_to_le16(chan->dcid); 763 rsp.scid = cpu_to_le16(chan->dcid);
@@ -756,7 +771,7 @@ static void l2cap_conn_start(struct l2cap_conn *conn)
756 parent->sk_data_ready(parent, 0); 771 parent->sk_data_ready(parent, 0);
757 772
758 } else { 773 } else {
759 sk->sk_state = BT_CONFIG; 774 l2cap_state_change(chan, BT_CONFIG);
760 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS); 775 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
761 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO); 776 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
762 } 777 }
@@ -768,13 +783,13 @@ static void l2cap_conn_start(struct l2cap_conn *conn)
768 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, 783 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
769 sizeof(rsp), &rsp); 784 sizeof(rsp), &rsp);
770 785
771 if (chan->conf_state & L2CAP_CONF_REQ_SENT || 786 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
772 rsp.result != L2CAP_CR_SUCCESS) { 787 rsp.result != L2CAP_CR_SUCCESS) {
773 bh_unlock_sock(sk); 788 bh_unlock_sock(sk);
774 continue; 789 continue;
775 } 790 }
776 791
777 chan->conf_state |= L2CAP_CONF_REQ_SENT; 792 set_bit(CONF_REQ_SENT, &chan->conf_state);
778 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, 793 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
779 l2cap_build_conf_req(chan, buf), buf); 794 l2cap_build_conf_req(chan, buf), buf);
780 chan->num_conf_req++; 795 chan->num_conf_req++;
@@ -798,7 +813,7 @@ static struct l2cap_chan *l2cap_global_chan_by_scid(int state, __le16 cid, bdadd
798 list_for_each_entry(c, &chan_list, global_l) { 813 list_for_each_entry(c, &chan_list, global_l) {
799 struct sock *sk = c->sk; 814 struct sock *sk = c->sk;
800 815
801 if (state && sk->sk_state != state) 816 if (state && c->state != state)
802 continue; 817 continue;
803 818
804 if (c->scid == cid) { 819 if (c->scid == cid) {
@@ -842,24 +857,16 @@ static void l2cap_le_conn_ready(struct l2cap_conn *conn)
842 goto clean; 857 goto clean;
843 } 858 }
844 859
845 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP, GFP_ATOMIC); 860 chan = pchan->ops->new_connection(pchan->data);
846 if (!sk) 861 if (!chan)
847 goto clean;
848
849 chan = l2cap_chan_create(sk);
850 if (!chan) {
851 l2cap_sock_kill(sk);
852 goto clean; 862 goto clean;
853 }
854 863
855 l2cap_pi(sk)->chan = chan; 864 sk = chan->sk;
856 865
857 write_lock_bh(&conn->chan_lock); 866 write_lock_bh(&conn->chan_lock);
858 867
859 hci_conn_hold(conn->hcon); 868 hci_conn_hold(conn->hcon);
860 869
861 l2cap_sock_init(sk, parent);
862
863 bacpy(&bt_sk(sk)->src, conn->src); 870 bacpy(&bt_sk(sk)->src, conn->src);
864 bacpy(&bt_sk(sk)->dst, conn->dst); 871 bacpy(&bt_sk(sk)->dst, conn->dst);
865 872
@@ -867,9 +874,9 @@ static void l2cap_le_conn_ready(struct l2cap_conn *conn)
867 874
868 __l2cap_chan_add(conn, chan); 875 __l2cap_chan_add(conn, chan);
869 876
870 l2cap_chan_set_timer(chan, sk->sk_sndtimeo); 877 __set_chan_timer(chan, sk->sk_sndtimeo);
871 878
872 sk->sk_state = BT_CONNECTED; 879 l2cap_state_change(chan, BT_CONNECTED);
873 parent->sk_data_ready(parent, 0); 880 parent->sk_data_ready(parent, 0);
874 881
875 write_unlock_bh(&conn->chan_lock); 882 write_unlock_bh(&conn->chan_lock);
@@ -878,6 +885,23 @@ clean:
878 bh_unlock_sock(parent); 885 bh_unlock_sock(parent);
879} 886}
880 887
888static void l2cap_chan_ready(struct sock *sk)
889{
890 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
891 struct sock *parent = bt_sk(sk)->parent;
892
893 BT_DBG("sk %p, parent %p", sk, parent);
894
895 chan->conf_state = 0;
896 __clear_chan_timer(chan);
897
898 l2cap_state_change(chan, BT_CONNECTED);
899 sk->sk_state_change(sk);
900
901 if (parent)
902 parent->sk_data_ready(parent, 0);
903}
904
881static void l2cap_conn_ready(struct l2cap_conn *conn) 905static void l2cap_conn_ready(struct l2cap_conn *conn)
882{ 906{
883 struct l2cap_chan *chan; 907 struct l2cap_chan *chan;
@@ -895,16 +919,15 @@ static void l2cap_conn_ready(struct l2cap_conn *conn)
895 bh_lock_sock(sk); 919 bh_lock_sock(sk);
896 920
897 if (conn->hcon->type == LE_LINK) { 921 if (conn->hcon->type == LE_LINK) {
898 l2cap_chan_clear_timer(chan); 922 if (smp_conn_security(conn, chan->sec_level))
899 sk->sk_state = BT_CONNECTED; 923 l2cap_chan_ready(sk);
900 sk->sk_state_change(sk);
901 }
902 924
903 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) { 925 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
904 l2cap_chan_clear_timer(chan); 926 __clear_chan_timer(chan);
905 sk->sk_state = BT_CONNECTED; 927 l2cap_state_change(chan, BT_CONNECTED);
906 sk->sk_state_change(sk); 928 sk->sk_state_change(sk);
907 } else if (sk->sk_state == BT_CONNECT) 929
930 } else if (chan->state == BT_CONNECT)
908 l2cap_do_start(chan); 931 l2cap_do_start(chan);
909 932
910 bh_unlock_sock(sk); 933 bh_unlock_sock(sk);
@@ -942,6 +965,45 @@ static void l2cap_info_timeout(unsigned long arg)
942 l2cap_conn_start(conn); 965 l2cap_conn_start(conn);
943} 966}
944 967
968static void l2cap_conn_del(struct hci_conn *hcon, int err)
969{
970 struct l2cap_conn *conn = hcon->l2cap_data;
971 struct l2cap_chan *chan, *l;
972 struct sock *sk;
973
974 if (!conn)
975 return;
976
977 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
978
979 kfree_skb(conn->rx_skb);
980
981 /* Kill channels */
982 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
983 sk = chan->sk;
984 bh_lock_sock(sk);
985 l2cap_chan_del(chan, err);
986 bh_unlock_sock(sk);
987 chan->ops->close(chan->data);
988 }
989
990 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
991 del_timer_sync(&conn->info_timer);
992
993 if (test_bit(HCI_CONN_ENCRYPT_PEND, &hcon->pend))
994 del_timer(&conn->security_timer);
995
996 hcon->l2cap_data = NULL;
997 kfree(conn);
998}
999
1000static void security_timeout(unsigned long arg)
1001{
1002 struct l2cap_conn *conn = (void *) arg;
1003
1004 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1005}
1006
945static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status) 1007static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
946{ 1008{
947 struct l2cap_conn *conn = hcon->l2cap_data; 1009 struct l2cap_conn *conn = hcon->l2cap_data;
@@ -973,7 +1035,10 @@ static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
973 1035
974 INIT_LIST_HEAD(&conn->chan_l); 1036 INIT_LIST_HEAD(&conn->chan_l);
975 1037
976 if (hcon->type != LE_LINK) 1038 if (hcon->type == LE_LINK)
1039 setup_timer(&conn->security_timer, security_timeout,
1040 (unsigned long) conn);
1041 else
977 setup_timer(&conn->info_timer, l2cap_info_timeout, 1042 setup_timer(&conn->info_timer, l2cap_info_timeout,
978 (unsigned long) conn); 1043 (unsigned long) conn);
979 1044
@@ -982,35 +1047,6 @@ static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
982 return conn; 1047 return conn;
983} 1048}
984 1049
985static void l2cap_conn_del(struct hci_conn *hcon, int err)
986{
987 struct l2cap_conn *conn = hcon->l2cap_data;
988 struct l2cap_chan *chan, *l;
989 struct sock *sk;
990
991 if (!conn)
992 return;
993
994 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
995
996 kfree_skb(conn->rx_skb);
997
998 /* Kill channels */
999 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
1000 sk = chan->sk;
1001 bh_lock_sock(sk);
1002 l2cap_chan_del(chan, err);
1003 bh_unlock_sock(sk);
1004 l2cap_sock_kill(sk);
1005 }
1006
1007 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1008 del_timer_sync(&conn->info_timer);
1009
1010 hcon->l2cap_data = NULL;
1011 kfree(conn);
1012}
1013
1014static inline void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan) 1050static inline void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
1015{ 1051{
1016 write_lock_bh(&conn->chan_lock); 1052 write_lock_bh(&conn->chan_lock);
@@ -1032,7 +1068,7 @@ static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm, bdaddr
1032 list_for_each_entry(c, &chan_list, global_l) { 1068 list_for_each_entry(c, &chan_list, global_l) {
1033 struct sock *sk = c->sk; 1069 struct sock *sk = c->sk;
1034 1070
1035 if (state && sk->sk_state != state) 1071 if (state && c->state != state)
1036 continue; 1072 continue;
1037 1073
1038 if (c->psm == psm) { 1074 if (c->psm == psm) {
@@ -1099,14 +1135,14 @@ int l2cap_chan_connect(struct l2cap_chan *chan)
1099 1135
1100 l2cap_chan_add(conn, chan); 1136 l2cap_chan_add(conn, chan);
1101 1137
1102 sk->sk_state = BT_CONNECT; 1138 l2cap_state_change(chan, BT_CONNECT);
1103 l2cap_chan_set_timer(chan, sk->sk_sndtimeo); 1139 __set_chan_timer(chan, sk->sk_sndtimeo);
1104 1140
1105 if (hcon->state == BT_CONNECTED) { 1141 if (hcon->state == BT_CONNECTED) {
1106 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) { 1142 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1107 l2cap_chan_clear_timer(chan); 1143 __clear_chan_timer(chan);
1108 if (l2cap_check_security(chan)) 1144 if (l2cap_check_security(chan))
1109 sk->sk_state = BT_CONNECTED; 1145 l2cap_state_change(chan, BT_CONNECTED);
1110 } else 1146 } else
1111 l2cap_do_start(chan); 1147 l2cap_do_start(chan);
1112 } 1148 }
@@ -1166,7 +1202,7 @@ static void l2cap_monitor_timeout(unsigned long arg)
1166 } 1202 }
1167 1203
1168 chan->retry_count++; 1204 chan->retry_count++;
1169 __mod_monitor_timer(); 1205 __set_monitor_timer(chan);
1170 1206
1171 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL); 1207 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
1172 bh_unlock_sock(sk); 1208 bh_unlock_sock(sk);
@@ -1181,9 +1217,9 @@ static void l2cap_retrans_timeout(unsigned long arg)
1181 1217
1182 bh_lock_sock(sk); 1218 bh_lock_sock(sk);
1183 chan->retry_count = 1; 1219 chan->retry_count = 1;
1184 __mod_monitor_timer(); 1220 __set_monitor_timer(chan);
1185 1221
1186 chan->conn_state |= L2CAP_CONN_WAIT_F; 1222 set_bit(CONN_WAIT_F, &chan->conn_state);
1187 1223
1188 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL); 1224 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
1189 bh_unlock_sock(sk); 1225 bh_unlock_sock(sk);
@@ -1205,7 +1241,7 @@ static void l2cap_drop_acked_frames(struct l2cap_chan *chan)
1205 } 1241 }
1206 1242
1207 if (!chan->unacked_frames) 1243 if (!chan->unacked_frames)
1208 del_timer(&chan->retrans_timer); 1244 __clear_retrans_timer(chan);
1209} 1245}
1210 1246
1211void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb) 1247void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
@@ -1274,10 +1310,8 @@ static void l2cap_retransmit_one_frame(struct l2cap_chan *chan, u8 tx_seq)
1274 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE); 1310 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
1275 control &= L2CAP_CTRL_SAR; 1311 control &= L2CAP_CTRL_SAR;
1276 1312
1277 if (chan->conn_state & L2CAP_CONN_SEND_FBIT) { 1313 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1278 control |= L2CAP_CTRL_FINAL; 1314 control |= L2CAP_CTRL_FINAL;
1279 chan->conn_state &= ~L2CAP_CONN_SEND_FBIT;
1280 }
1281 1315
1282 control |= (chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT) 1316 control |= (chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1283 | (tx_seq << L2CAP_CTRL_TXSEQ_SHIFT); 1317 | (tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
@@ -1295,11 +1329,10 @@ static void l2cap_retransmit_one_frame(struct l2cap_chan *chan, u8 tx_seq)
1295int l2cap_ertm_send(struct l2cap_chan *chan) 1329int l2cap_ertm_send(struct l2cap_chan *chan)
1296{ 1330{
1297 struct sk_buff *skb, *tx_skb; 1331 struct sk_buff *skb, *tx_skb;
1298 struct sock *sk = chan->sk;
1299 u16 control, fcs; 1332 u16 control, fcs;
1300 int nsent = 0; 1333 int nsent = 0;
1301 1334
1302 if (sk->sk_state != BT_CONNECTED) 1335 if (chan->state != BT_CONNECTED)
1303 return -ENOTCONN; 1336 return -ENOTCONN;
1304 1337
1305 while ((skb = chan->tx_send_head) && (!l2cap_tx_window_full(chan))) { 1338 while ((skb = chan->tx_send_head) && (!l2cap_tx_window_full(chan))) {
@@ -1317,10 +1350,9 @@ int l2cap_ertm_send(struct l2cap_chan *chan)
1317 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE); 1350 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
1318 control &= L2CAP_CTRL_SAR; 1351 control &= L2CAP_CTRL_SAR;
1319 1352
1320 if (chan->conn_state & L2CAP_CONN_SEND_FBIT) { 1353 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1321 control |= L2CAP_CTRL_FINAL; 1354 control |= L2CAP_CTRL_FINAL;
1322 chan->conn_state &= ~L2CAP_CONN_SEND_FBIT; 1355
1323 }
1324 control |= (chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT) 1356 control |= (chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1325 | (chan->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT); 1357 | (chan->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
1326 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE); 1358 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
@@ -1333,7 +1365,7 @@ int l2cap_ertm_send(struct l2cap_chan *chan)
1333 1365
1334 l2cap_do_send(chan, tx_skb); 1366 l2cap_do_send(chan, tx_skb);
1335 1367
1336 __mod_retrans_timer(); 1368 __set_retrans_timer(chan);
1337 1369
1338 bt_cb(skb)->tx_seq = chan->next_tx_seq; 1370 bt_cb(skb)->tx_seq = chan->next_tx_seq;
1339 chan->next_tx_seq = (chan->next_tx_seq + 1) % 64; 1371 chan->next_tx_seq = (chan->next_tx_seq + 1) % 64;
@@ -1372,9 +1404,9 @@ static void l2cap_send_ack(struct l2cap_chan *chan)
1372 1404
1373 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT; 1405 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1374 1406
1375 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) { 1407 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
1376 control |= L2CAP_SUPER_RCV_NOT_READY; 1408 control |= L2CAP_SUPER_RCV_NOT_READY;
1377 chan->conn_state |= L2CAP_CONN_RNR_SENT; 1409 set_bit(CONN_RNR_SENT, &chan->conn_state);
1378 l2cap_send_sframe(chan, control); 1410 l2cap_send_sframe(chan, control);
1379 return; 1411 return;
1380 } 1412 }
@@ -1641,8 +1673,8 @@ int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1641 break; 1673 break;
1642 } 1674 }
1643 1675
1644 if ((chan->conn_state & L2CAP_CONN_REMOTE_BUSY) && 1676 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
1645 (chan->conn_state & L2CAP_CONN_WAIT_F)) { 1677 test_bit(CONN_WAIT_F, &chan->conn_state)) {
1646 err = len; 1678 err = len;
1647 break; 1679 break;
1648 } 1680 }
@@ -1661,30 +1693,6 @@ int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1661 return err; 1693 return err;
1662} 1694}
1663 1695
1664static void l2cap_chan_ready(struct sock *sk)
1665{
1666 struct sock *parent = bt_sk(sk)->parent;
1667 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1668
1669 BT_DBG("sk %p, parent %p", sk, parent);
1670
1671 chan->conf_state = 0;
1672 l2cap_chan_clear_timer(chan);
1673
1674 if (!parent) {
1675 /* Outgoing channel.
1676 * Wake up socket sleeping on connect.
1677 */
1678 sk->sk_state = BT_CONNECTED;
1679 sk->sk_state_change(sk);
1680 } else {
1681 /* Incoming channel.
1682 * Wake up socket sleeping on accept.
1683 */
1684 parent->sk_data_ready(parent, 0);
1685 }
1686}
1687
1688/* Copy frame to all raw sockets on that connection */ 1696/* Copy frame to all raw sockets on that connection */
1689static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb) 1697static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
1690{ 1698{
@@ -1706,7 +1714,7 @@ static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
1706 if (!nskb) 1714 if (!nskb)
1707 continue; 1715 continue;
1708 1716
1709 if (sock_queue_rcv_skb(sk, nskb)) 1717 if (chan->ops->recv(chan->data, nskb))
1710 kfree_skb(nskb); 1718 kfree_skb(nskb);
1711 } 1719 }
1712 read_unlock(&conn->chan_lock); 1720 read_unlock(&conn->chan_lock);
@@ -1901,7 +1909,7 @@ static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1901 switch (chan->mode) { 1909 switch (chan->mode) {
1902 case L2CAP_MODE_STREAMING: 1910 case L2CAP_MODE_STREAMING:
1903 case L2CAP_MODE_ERTM: 1911 case L2CAP_MODE_ERTM:
1904 if (chan->conf_state & L2CAP_CONF_STATE2_DEVICE) 1912 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
1905 break; 1913 break;
1906 1914
1907 /* fall through */ 1915 /* fall through */
@@ -1948,7 +1956,7 @@ done:
1948 break; 1956 break;
1949 1957
1950 if (chan->fcs == L2CAP_FCS_NONE || 1958 if (chan->fcs == L2CAP_FCS_NONE ||
1951 chan->conf_state & L2CAP_CONF_NO_FCS_RECV) { 1959 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
1952 chan->fcs = L2CAP_FCS_NONE; 1960 chan->fcs = L2CAP_FCS_NONE;
1953 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs); 1961 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
1954 } 1962 }
@@ -1971,7 +1979,7 @@ done:
1971 break; 1979 break;
1972 1980
1973 if (chan->fcs == L2CAP_FCS_NONE || 1981 if (chan->fcs == L2CAP_FCS_NONE ||
1974 chan->conf_state & L2CAP_CONF_NO_FCS_RECV) { 1982 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
1975 chan->fcs = L2CAP_FCS_NONE; 1983 chan->fcs = L2CAP_FCS_NONE;
1976 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs); 1984 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
1977 } 1985 }
@@ -2023,7 +2031,7 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
2023 2031
2024 case L2CAP_CONF_FCS: 2032 case L2CAP_CONF_FCS:
2025 if (val == L2CAP_FCS_NONE) 2033 if (val == L2CAP_FCS_NONE)
2026 chan->conf_state |= L2CAP_CONF_NO_FCS_RECV; 2034 set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
2027 2035
2028 break; 2036 break;
2029 2037
@@ -2043,7 +2051,7 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
2043 switch (chan->mode) { 2051 switch (chan->mode) {
2044 case L2CAP_MODE_STREAMING: 2052 case L2CAP_MODE_STREAMING:
2045 case L2CAP_MODE_ERTM: 2053 case L2CAP_MODE_ERTM:
2046 if (!(chan->conf_state & L2CAP_CONF_STATE2_DEVICE)) { 2054 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
2047 chan->mode = l2cap_select_mode(rfc.mode, 2055 chan->mode = l2cap_select_mode(rfc.mode,
2048 chan->conn->feat_mask); 2056 chan->conn->feat_mask);
2049 break; 2057 break;
@@ -2076,14 +2084,14 @@ done:
2076 result = L2CAP_CONF_UNACCEPT; 2084 result = L2CAP_CONF_UNACCEPT;
2077 else { 2085 else {
2078 chan->omtu = mtu; 2086 chan->omtu = mtu;
2079 chan->conf_state |= L2CAP_CONF_MTU_DONE; 2087 set_bit(CONF_MTU_DONE, &chan->conf_state);
2080 } 2088 }
2081 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu); 2089 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
2082 2090
2083 switch (rfc.mode) { 2091 switch (rfc.mode) {
2084 case L2CAP_MODE_BASIC: 2092 case L2CAP_MODE_BASIC:
2085 chan->fcs = L2CAP_FCS_NONE; 2093 chan->fcs = L2CAP_FCS_NONE;
2086 chan->conf_state |= L2CAP_CONF_MODE_DONE; 2094 set_bit(CONF_MODE_DONE, &chan->conf_state);
2087 break; 2095 break;
2088 2096
2089 case L2CAP_MODE_ERTM: 2097 case L2CAP_MODE_ERTM:
@@ -2100,7 +2108,7 @@ done:
2100 rfc.monitor_timeout = 2108 rfc.monitor_timeout =
2101 le16_to_cpu(L2CAP_DEFAULT_MONITOR_TO); 2109 le16_to_cpu(L2CAP_DEFAULT_MONITOR_TO);
2102 2110
2103 chan->conf_state |= L2CAP_CONF_MODE_DONE; 2111 set_bit(CONF_MODE_DONE, &chan->conf_state);
2104 2112
2105 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, 2113 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2106 sizeof(rfc), (unsigned long) &rfc); 2114 sizeof(rfc), (unsigned long) &rfc);
@@ -2113,7 +2121,7 @@ done:
2113 2121
2114 chan->remote_mps = le16_to_cpu(rfc.max_pdu_size); 2122 chan->remote_mps = le16_to_cpu(rfc.max_pdu_size);
2115 2123
2116 chan->conf_state |= L2CAP_CONF_MODE_DONE; 2124 set_bit(CONF_MODE_DONE, &chan->conf_state);
2117 2125
2118 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, 2126 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2119 sizeof(rfc), (unsigned long) &rfc); 2127 sizeof(rfc), (unsigned long) &rfc);
@@ -2128,7 +2136,7 @@ done:
2128 } 2136 }
2129 2137
2130 if (result == L2CAP_CONF_SUCCESS) 2138 if (result == L2CAP_CONF_SUCCESS)
2131 chan->conf_state |= L2CAP_CONF_OUTPUT_DONE; 2139 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
2132 } 2140 }
2133 rsp->scid = cpu_to_le16(chan->dcid); 2141 rsp->scid = cpu_to_le16(chan->dcid);
2134 rsp->result = cpu_to_le16(result); 2142 rsp->result = cpu_to_le16(result);
@@ -2170,7 +2178,7 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, voi
2170 if (olen == sizeof(rfc)) 2178 if (olen == sizeof(rfc))
2171 memcpy(&rfc, (void *)val, olen); 2179 memcpy(&rfc, (void *)val, olen);
2172 2180
2173 if ((chan->conf_state & L2CAP_CONF_STATE2_DEVICE) && 2181 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
2174 rfc.mode != chan->mode) 2182 rfc.mode != chan->mode)
2175 return -ECONNREFUSED; 2183 return -ECONNREFUSED;
2176 2184
@@ -2232,10 +2240,9 @@ void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
2232 l2cap_send_cmd(conn, chan->ident, 2240 l2cap_send_cmd(conn, chan->ident,
2233 L2CAP_CONN_RSP, sizeof(rsp), &rsp); 2241 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2234 2242
2235 if (chan->conf_state & L2CAP_CONF_REQ_SENT) 2243 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
2236 return; 2244 return;
2237 2245
2238 chan->conf_state |= L2CAP_CONF_REQ_SENT;
2239 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, 2246 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2240 l2cap_build_conf_req(chan, buf), buf); 2247 l2cap_build_conf_req(chan, buf), buf);
2241 chan->num_conf_req++; 2248 chan->num_conf_req++;
@@ -2335,17 +2342,11 @@ static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hd
2335 goto response; 2342 goto response;
2336 } 2343 }
2337 2344
2338 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP, GFP_ATOMIC); 2345 chan = pchan->ops->new_connection(pchan->data);
2339 if (!sk) 2346 if (!chan)
2340 goto response;
2341
2342 chan = l2cap_chan_create(sk);
2343 if (!chan) {
2344 l2cap_sock_kill(sk);
2345 goto response; 2347 goto response;
2346 }
2347 2348
2348 l2cap_pi(sk)->chan = chan; 2349 sk = chan->sk;
2349 2350
2350 write_lock_bh(&conn->chan_lock); 2351 write_lock_bh(&conn->chan_lock);
2351 2352
@@ -2353,13 +2354,12 @@ static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hd
2353 if (__l2cap_get_chan_by_dcid(conn, scid)) { 2354 if (__l2cap_get_chan_by_dcid(conn, scid)) {
2354 write_unlock_bh(&conn->chan_lock); 2355 write_unlock_bh(&conn->chan_lock);
2355 sock_set_flag(sk, SOCK_ZAPPED); 2356 sock_set_flag(sk, SOCK_ZAPPED);
2356 l2cap_sock_kill(sk); 2357 chan->ops->close(chan->data);
2357 goto response; 2358 goto response;
2358 } 2359 }
2359 2360
2360 hci_conn_hold(conn->hcon); 2361 hci_conn_hold(conn->hcon);
2361 2362
2362 l2cap_sock_init(sk, parent);
2363 bacpy(&bt_sk(sk)->src, conn->src); 2363 bacpy(&bt_sk(sk)->src, conn->src);
2364 bacpy(&bt_sk(sk)->dst, conn->dst); 2364 bacpy(&bt_sk(sk)->dst, conn->dst);
2365 chan->psm = psm; 2365 chan->psm = psm;
@@ -2371,29 +2371,29 @@ static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hd
2371 2371
2372 dcid = chan->scid; 2372 dcid = chan->scid;
2373 2373
2374 l2cap_chan_set_timer(chan, sk->sk_sndtimeo); 2374 __set_chan_timer(chan, sk->sk_sndtimeo);
2375 2375
2376 chan->ident = cmd->ident; 2376 chan->ident = cmd->ident;
2377 2377
2378 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) { 2378 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
2379 if (l2cap_check_security(chan)) { 2379 if (l2cap_check_security(chan)) {
2380 if (bt_sk(sk)->defer_setup) { 2380 if (bt_sk(sk)->defer_setup) {
2381 sk->sk_state = BT_CONNECT2; 2381 l2cap_state_change(chan, BT_CONNECT2);
2382 result = L2CAP_CR_PEND; 2382 result = L2CAP_CR_PEND;
2383 status = L2CAP_CS_AUTHOR_PEND; 2383 status = L2CAP_CS_AUTHOR_PEND;
2384 parent->sk_data_ready(parent, 0); 2384 parent->sk_data_ready(parent, 0);
2385 } else { 2385 } else {
2386 sk->sk_state = BT_CONFIG; 2386 l2cap_state_change(chan, BT_CONFIG);
2387 result = L2CAP_CR_SUCCESS; 2387 result = L2CAP_CR_SUCCESS;
2388 status = L2CAP_CS_NO_INFO; 2388 status = L2CAP_CS_NO_INFO;
2389 } 2389 }
2390 } else { 2390 } else {
2391 sk->sk_state = BT_CONNECT2; 2391 l2cap_state_change(chan, BT_CONNECT2);
2392 result = L2CAP_CR_PEND; 2392 result = L2CAP_CR_PEND;
2393 status = L2CAP_CS_AUTHEN_PEND; 2393 status = L2CAP_CS_AUTHEN_PEND;
2394 } 2394 }
2395 } else { 2395 } else {
2396 sk->sk_state = BT_CONNECT2; 2396 l2cap_state_change(chan, BT_CONNECT2);
2397 result = L2CAP_CR_PEND; 2397 result = L2CAP_CR_PEND;
2398 status = L2CAP_CS_NO_INFO; 2398 status = L2CAP_CS_NO_INFO;
2399 } 2399 }
@@ -2424,10 +2424,10 @@ sendresp:
2424 L2CAP_INFO_REQ, sizeof(info), &info); 2424 L2CAP_INFO_REQ, sizeof(info), &info);
2425 } 2425 }
2426 2426
2427 if (chan && !(chan->conf_state & L2CAP_CONF_REQ_SENT) && 2427 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
2428 result == L2CAP_CR_SUCCESS) { 2428 result == L2CAP_CR_SUCCESS) {
2429 u8 buf[128]; 2429 u8 buf[128];
2430 chan->conf_state |= L2CAP_CONF_REQ_SENT; 2430 set_bit(CONF_REQ_SENT, &chan->conf_state);
2431 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, 2431 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2432 l2cap_build_conf_req(chan, buf), buf); 2432 l2cap_build_conf_req(chan, buf), buf);
2433 chan->num_conf_req++; 2433 chan->num_conf_req++;
@@ -2465,31 +2465,29 @@ static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hd
2465 2465
2466 switch (result) { 2466 switch (result) {
2467 case L2CAP_CR_SUCCESS: 2467 case L2CAP_CR_SUCCESS:
2468 sk->sk_state = BT_CONFIG; 2468 l2cap_state_change(chan, BT_CONFIG);
2469 chan->ident = 0; 2469 chan->ident = 0;
2470 chan->dcid = dcid; 2470 chan->dcid = dcid;
2471 chan->conf_state &= ~L2CAP_CONF_CONNECT_PEND; 2471 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
2472 2472
2473 if (chan->conf_state & L2CAP_CONF_REQ_SENT) 2473 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
2474 break; 2474 break;
2475 2475
2476 chan->conf_state |= L2CAP_CONF_REQ_SENT;
2477
2478 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, 2476 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2479 l2cap_build_conf_req(chan, req), req); 2477 l2cap_build_conf_req(chan, req), req);
2480 chan->num_conf_req++; 2478 chan->num_conf_req++;
2481 break; 2479 break;
2482 2480
2483 case L2CAP_CR_PEND: 2481 case L2CAP_CR_PEND:
2484 chan->conf_state |= L2CAP_CONF_CONNECT_PEND; 2482 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
2485 break; 2483 break;
2486 2484
2487 default: 2485 default:
2488 /* don't delete l2cap channel if sk is owned by user */ 2486 /* don't delete l2cap channel if sk is owned by user */
2489 if (sock_owned_by_user(sk)) { 2487 if (sock_owned_by_user(sk)) {
2490 sk->sk_state = BT_DISCONN; 2488 l2cap_state_change(chan, BT_DISCONN);
2491 l2cap_chan_clear_timer(chan); 2489 __clear_chan_timer(chan);
2492 l2cap_chan_set_timer(chan, HZ / 5); 2490 __set_chan_timer(chan, HZ / 5);
2493 break; 2491 break;
2494 } 2492 }
2495 2493
@@ -2503,14 +2501,12 @@ static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hd
2503 2501
2504static inline void set_default_fcs(struct l2cap_chan *chan) 2502static inline void set_default_fcs(struct l2cap_chan *chan)
2505{ 2503{
2506 struct l2cap_pinfo *pi = l2cap_pi(chan->sk);
2507
2508 /* FCS is enabled only in ERTM or streaming mode, if one or both 2504 /* FCS is enabled only in ERTM or streaming mode, if one or both
2509 * sides request it. 2505 * sides request it.
2510 */ 2506 */
2511 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING) 2507 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
2512 chan->fcs = L2CAP_FCS_NONE; 2508 chan->fcs = L2CAP_FCS_NONE;
2513 else if (!(pi->chan->conf_state & L2CAP_CONF_NO_FCS_RECV)) 2509 else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
2514 chan->fcs = L2CAP_FCS_CRC16; 2510 chan->fcs = L2CAP_FCS_CRC16;
2515} 2511}
2516 2512
@@ -2534,7 +2530,7 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
2534 2530
2535 sk = chan->sk; 2531 sk = chan->sk;
2536 2532
2537 if (sk->sk_state != BT_CONFIG) { 2533 if (chan->state != BT_CONFIG) {
2538 struct l2cap_cmd_rej rej; 2534 struct l2cap_cmd_rej rej;
2539 2535
2540 rej.reason = cpu_to_le16(0x0002); 2536 rej.reason = cpu_to_le16(0x0002);
@@ -2577,13 +2573,13 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
2577 /* Reset config buffer. */ 2573 /* Reset config buffer. */
2578 chan->conf_len = 0; 2574 chan->conf_len = 0;
2579 2575
2580 if (!(chan->conf_state & L2CAP_CONF_OUTPUT_DONE)) 2576 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
2581 goto unlock; 2577 goto unlock;
2582 2578
2583 if (chan->conf_state & L2CAP_CONF_INPUT_DONE) { 2579 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
2584 set_default_fcs(chan); 2580 set_default_fcs(chan);
2585 2581
2586 sk->sk_state = BT_CONNECTED; 2582 l2cap_state_change(chan, BT_CONNECTED);
2587 2583
2588 chan->next_tx_seq = 0; 2584 chan->next_tx_seq = 0;
2589 chan->expected_tx_seq = 0; 2585 chan->expected_tx_seq = 0;
@@ -2595,9 +2591,8 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
2595 goto unlock; 2591 goto unlock;
2596 } 2592 }
2597 2593
2598 if (!(chan->conf_state & L2CAP_CONF_REQ_SENT)) { 2594 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
2599 u8 buf[64]; 2595 u8 buf[64];
2600 chan->conf_state |= L2CAP_CONF_REQ_SENT;
2601 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, 2596 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2602 l2cap_build_conf_req(chan, buf), buf); 2597 l2cap_build_conf_req(chan, buf), buf);
2603 chan->num_conf_req++; 2598 chan->num_conf_req++;
@@ -2662,7 +2657,7 @@ static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr
2662 2657
2663 default: 2658 default:
2664 sk->sk_err = ECONNRESET; 2659 sk->sk_err = ECONNRESET;
2665 l2cap_chan_set_timer(chan, HZ * 5); 2660 __set_chan_timer(chan, HZ * 5);
2666 l2cap_send_disconn_req(conn, chan, ECONNRESET); 2661 l2cap_send_disconn_req(conn, chan, ECONNRESET);
2667 goto done; 2662 goto done;
2668 } 2663 }
@@ -2670,12 +2665,12 @@ static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr
2670 if (flags & 0x01) 2665 if (flags & 0x01)
2671 goto done; 2666 goto done;
2672 2667
2673 chan->conf_state |= L2CAP_CONF_INPUT_DONE; 2668 set_bit(CONF_INPUT_DONE, &chan->conf_state);
2674 2669
2675 if (chan->conf_state & L2CAP_CONF_OUTPUT_DONE) { 2670 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
2676 set_default_fcs(chan); 2671 set_default_fcs(chan);
2677 2672
2678 sk->sk_state = BT_CONNECTED; 2673 l2cap_state_change(chan, BT_CONNECTED);
2679 chan->next_tx_seq = 0; 2674 chan->next_tx_seq = 0;
2680 chan->expected_tx_seq = 0; 2675 chan->expected_tx_seq = 0;
2681 skb_queue_head_init(&chan->tx_q); 2676 skb_queue_head_init(&chan->tx_q);
@@ -2717,9 +2712,9 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd
2717 2712
2718 /* don't delete l2cap channel if sk is owned by user */ 2713 /* don't delete l2cap channel if sk is owned by user */
2719 if (sock_owned_by_user(sk)) { 2714 if (sock_owned_by_user(sk)) {
2720 sk->sk_state = BT_DISCONN; 2715 l2cap_state_change(chan, BT_DISCONN);
2721 l2cap_chan_clear_timer(chan); 2716 __clear_chan_timer(chan);
2722 l2cap_chan_set_timer(chan, HZ / 5); 2717 __set_chan_timer(chan, HZ / 5);
2723 bh_unlock_sock(sk); 2718 bh_unlock_sock(sk);
2724 return 0; 2719 return 0;
2725 } 2720 }
@@ -2727,7 +2722,7 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd
2727 l2cap_chan_del(chan, ECONNRESET); 2722 l2cap_chan_del(chan, ECONNRESET);
2728 bh_unlock_sock(sk); 2723 bh_unlock_sock(sk);
2729 2724
2730 l2cap_sock_kill(sk); 2725 chan->ops->close(chan->data);
2731 return 0; 2726 return 0;
2732} 2727}
2733 2728
@@ -2751,9 +2746,9 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd
2751 2746
2752 /* don't delete l2cap channel if sk is owned by user */ 2747 /* don't delete l2cap channel if sk is owned by user */
2753 if (sock_owned_by_user(sk)) { 2748 if (sock_owned_by_user(sk)) {
2754 sk->sk_state = BT_DISCONN; 2749 l2cap_state_change(chan,BT_DISCONN);
2755 l2cap_chan_clear_timer(chan); 2750 __clear_chan_timer(chan);
2756 l2cap_chan_set_timer(chan, HZ / 5); 2751 __set_chan_timer(chan, HZ / 5);
2757 bh_unlock_sock(sk); 2752 bh_unlock_sock(sk);
2758 return 0; 2753 return 0;
2759 } 2754 }
@@ -2761,7 +2756,7 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd
2761 l2cap_chan_del(chan, 0); 2756 l2cap_chan_del(chan, 0);
2762 bh_unlock_sock(sk); 2757 bh_unlock_sock(sk);
2763 2758
2764 l2cap_sock_kill(sk); 2759 chan->ops->close(chan->data);
2765 return 0; 2760 return 0;
2766} 2761}
2767 2762
@@ -3069,18 +3064,18 @@ static inline void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
3069 3064
3070 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT; 3065 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3071 3066
3072 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) { 3067 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
3073 control |= L2CAP_SUPER_RCV_NOT_READY; 3068 control |= L2CAP_SUPER_RCV_NOT_READY;
3074 l2cap_send_sframe(chan, control); 3069 l2cap_send_sframe(chan, control);
3075 chan->conn_state |= L2CAP_CONN_RNR_SENT; 3070 set_bit(CONN_RNR_SENT, &chan->conn_state);
3076 } 3071 }
3077 3072
3078 if (chan->conn_state & L2CAP_CONN_REMOTE_BUSY) 3073 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
3079 l2cap_retransmit_frames(chan); 3074 l2cap_retransmit_frames(chan);
3080 3075
3081 l2cap_ertm_send(chan); 3076 l2cap_ertm_send(chan);
3082 3077
3083 if (!(chan->conn_state & L2CAP_CONN_LOCAL_BUSY) && 3078 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
3084 chan->frames_sent == 0) { 3079 chan->frames_sent == 0) {
3085 control |= L2CAP_SUPER_RCV_READY; 3080 control |= L2CAP_SUPER_RCV_READY;
3086 l2cap_send_sframe(chan, control); 3081 l2cap_send_sframe(chan, control);
@@ -3136,13 +3131,13 @@ static int l2cap_ertm_reassembly_sdu(struct l2cap_chan *chan, struct sk_buff *sk
3136 3131
3137 switch (control & L2CAP_CTRL_SAR) { 3132 switch (control & L2CAP_CTRL_SAR) {
3138 case L2CAP_SDU_UNSEGMENTED: 3133 case L2CAP_SDU_UNSEGMENTED:
3139 if (chan->conn_state & L2CAP_CONN_SAR_SDU) 3134 if (test_bit(CONN_SAR_SDU, &chan->conn_state))
3140 goto drop; 3135 goto drop;
3141 3136
3142 return sock_queue_rcv_skb(chan->sk, skb); 3137 return chan->ops->recv(chan->data, skb);
3143 3138
3144 case L2CAP_SDU_START: 3139 case L2CAP_SDU_START:
3145 if (chan->conn_state & L2CAP_CONN_SAR_SDU) 3140 if (test_bit(CONN_SAR_SDU, &chan->conn_state))
3146 goto drop; 3141 goto drop;
3147 3142
3148 chan->sdu_len = get_unaligned_le16(skb->data); 3143 chan->sdu_len = get_unaligned_le16(skb->data);
@@ -3161,12 +3156,12 @@ static int l2cap_ertm_reassembly_sdu(struct l2cap_chan *chan, struct sk_buff *sk
3161 3156
3162 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len); 3157 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
3163 3158
3164 chan->conn_state |= L2CAP_CONN_SAR_SDU; 3159 set_bit(CONN_SAR_SDU, &chan->conn_state);
3165 chan->partial_sdu_len = skb->len; 3160 chan->partial_sdu_len = skb->len;
3166 break; 3161 break;
3167 3162
3168 case L2CAP_SDU_CONTINUE: 3163 case L2CAP_SDU_CONTINUE:
3169 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU)) 3164 if (!test_bit(CONN_SAR_SDU, &chan->conn_state))
3170 goto disconnect; 3165 goto disconnect;
3171 3166
3172 if (!chan->sdu) 3167 if (!chan->sdu)
@@ -3181,13 +3176,13 @@ static int l2cap_ertm_reassembly_sdu(struct l2cap_chan *chan, struct sk_buff *sk
3181 break; 3176 break;
3182 3177
3183 case L2CAP_SDU_END: 3178 case L2CAP_SDU_END:
3184 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU)) 3179 if (!test_bit(CONN_SAR_SDU, &chan->conn_state))
3185 goto disconnect; 3180 goto disconnect;
3186 3181
3187 if (!chan->sdu) 3182 if (!chan->sdu)
3188 goto disconnect; 3183 goto disconnect;
3189 3184
3190 if (!(chan->conn_state & L2CAP_CONN_SAR_RETRY)) { 3185 if (!test_bit(CONN_SAR_RETRY, &chan->conn_state)) {
3191 chan->partial_sdu_len += skb->len; 3186 chan->partial_sdu_len += skb->len;
3192 3187
3193 if (chan->partial_sdu_len > chan->imtu) 3188 if (chan->partial_sdu_len > chan->imtu)
@@ -3201,19 +3196,19 @@ static int l2cap_ertm_reassembly_sdu(struct l2cap_chan *chan, struct sk_buff *sk
3201 3196
3202 _skb = skb_clone(chan->sdu, GFP_ATOMIC); 3197 _skb = skb_clone(chan->sdu, GFP_ATOMIC);
3203 if (!_skb) { 3198 if (!_skb) {
3204 chan->conn_state |= L2CAP_CONN_SAR_RETRY; 3199 set_bit(CONN_SAR_RETRY, &chan->conn_state);
3205 return -ENOMEM; 3200 return -ENOMEM;
3206 } 3201 }
3207 3202
3208 err = sock_queue_rcv_skb(chan->sk, _skb); 3203 err = chan->ops->recv(chan->data, _skb);
3209 if (err < 0) { 3204 if (err < 0) {
3210 kfree_skb(_skb); 3205 kfree_skb(_skb);
3211 chan->conn_state |= L2CAP_CONN_SAR_RETRY; 3206 set_bit(CONN_SAR_RETRY, &chan->conn_state);
3212 return err; 3207 return err;
3213 } 3208 }
3214 3209
3215 chan->conn_state &= ~L2CAP_CONN_SAR_RETRY; 3210 clear_bit(CONN_SAR_RETRY, &chan->conn_state);
3216 chan->conn_state &= ~L2CAP_CONN_SAR_SDU; 3211 clear_bit(CONN_SAR_SDU, &chan->conn_state);
3217 3212
3218 kfree_skb(chan->sdu); 3213 kfree_skb(chan->sdu);
3219 break; 3214 break;
@@ -3249,7 +3244,7 @@ static int l2cap_try_push_rx_skb(struct l2cap_chan *chan)
3249 chan->buffer_seq = (chan->buffer_seq + 1) % 64; 3244 chan->buffer_seq = (chan->buffer_seq + 1) % 64;
3250 } 3245 }
3251 3246
3252 if (!(chan->conn_state & L2CAP_CONN_RNR_SENT)) 3247 if (!test_bit(CONN_RNR_SENT, &chan->conn_state))
3253 goto done; 3248 goto done;
3254 3249
3255 control = chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT; 3250 control = chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
@@ -3257,14 +3252,14 @@ static int l2cap_try_push_rx_skb(struct l2cap_chan *chan)
3257 l2cap_send_sframe(chan, control); 3252 l2cap_send_sframe(chan, control);
3258 chan->retry_count = 1; 3253 chan->retry_count = 1;
3259 3254
3260 del_timer(&chan->retrans_timer); 3255 __clear_retrans_timer(chan);
3261 __mod_monitor_timer(); 3256 __set_monitor_timer(chan);
3262 3257
3263 chan->conn_state |= L2CAP_CONN_WAIT_F; 3258 set_bit(CONN_WAIT_F, &chan->conn_state);
3264 3259
3265done: 3260done:
3266 chan->conn_state &= ~L2CAP_CONN_LOCAL_BUSY; 3261 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
3267 chan->conn_state &= ~L2CAP_CONN_RNR_SENT; 3262 clear_bit(CONN_RNR_SENT, &chan->conn_state);
3268 3263
3269 BT_DBG("chan %p, Exit local busy", chan); 3264 BT_DBG("chan %p, Exit local busy", chan);
3270 3265
@@ -3322,7 +3317,7 @@ static int l2cap_push_rx_skb(struct l2cap_chan *chan, struct sk_buff *skb, u16 c
3322{ 3317{
3323 int sctrl, err; 3318 int sctrl, err;
3324 3319
3325 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) { 3320 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
3326 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT; 3321 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
3327 __skb_queue_tail(&chan->busy_q, skb); 3322 __skb_queue_tail(&chan->busy_q, skb);
3328 return l2cap_try_push_rx_skb(chan); 3323 return l2cap_try_push_rx_skb(chan);
@@ -3339,7 +3334,7 @@ static int l2cap_push_rx_skb(struct l2cap_chan *chan, struct sk_buff *skb, u16 c
3339 /* Busy Condition */ 3334 /* Busy Condition */
3340 BT_DBG("chan %p, Enter local busy", chan); 3335 BT_DBG("chan %p, Enter local busy", chan);
3341 3336
3342 chan->conn_state |= L2CAP_CONN_LOCAL_BUSY; 3337 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
3343 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT; 3338 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
3344 __skb_queue_tail(&chan->busy_q, skb); 3339 __skb_queue_tail(&chan->busy_q, skb);
3345 3340
@@ -3347,9 +3342,9 @@ static int l2cap_push_rx_skb(struct l2cap_chan *chan, struct sk_buff *skb, u16 c
3347 sctrl |= L2CAP_SUPER_RCV_NOT_READY; 3342 sctrl |= L2CAP_SUPER_RCV_NOT_READY;
3348 l2cap_send_sframe(chan, sctrl); 3343 l2cap_send_sframe(chan, sctrl);
3349 3344
3350 chan->conn_state |= L2CAP_CONN_RNR_SENT; 3345 set_bit(CONN_RNR_SENT, &chan->conn_state);
3351 3346
3352 del_timer(&chan->ack_timer); 3347 __clear_ack_timer(chan);
3353 3348
3354 queue_work(_busy_wq, &chan->busy_work); 3349 queue_work(_busy_wq, &chan->busy_work);
3355 3350
@@ -3368,19 +3363,19 @@ static int l2cap_streaming_reassembly_sdu(struct l2cap_chan *chan, struct sk_buf
3368 3363
3369 switch (control & L2CAP_CTRL_SAR) { 3364 switch (control & L2CAP_CTRL_SAR) {
3370 case L2CAP_SDU_UNSEGMENTED: 3365 case L2CAP_SDU_UNSEGMENTED:
3371 if (chan->conn_state & L2CAP_CONN_SAR_SDU) { 3366 if (test_bit(CONN_SAR_SDU, &chan->conn_state)) {
3372 kfree_skb(chan->sdu); 3367 kfree_skb(chan->sdu);
3373 break; 3368 break;
3374 } 3369 }
3375 3370
3376 err = sock_queue_rcv_skb(chan->sk, skb); 3371 err = chan->ops->recv(chan->data, skb);
3377 if (!err) 3372 if (!err)
3378 return 0; 3373 return 0;
3379 3374
3380 break; 3375 break;
3381 3376
3382 case L2CAP_SDU_START: 3377 case L2CAP_SDU_START:
3383 if (chan->conn_state & L2CAP_CONN_SAR_SDU) { 3378 if (test_bit(CONN_SAR_SDU, &chan->conn_state)) {
3384 kfree_skb(chan->sdu); 3379 kfree_skb(chan->sdu);
3385 break; 3380 break;
3386 } 3381 }
@@ -3401,13 +3396,13 @@ static int l2cap_streaming_reassembly_sdu(struct l2cap_chan *chan, struct sk_buf
3401 3396
3402 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len); 3397 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
3403 3398
3404 chan->conn_state |= L2CAP_CONN_SAR_SDU; 3399 set_bit(CONN_SAR_SDU, &chan->conn_state);
3405 chan->partial_sdu_len = skb->len; 3400 chan->partial_sdu_len = skb->len;
3406 err = 0; 3401 err = 0;
3407 break; 3402 break;
3408 3403
3409 case L2CAP_SDU_CONTINUE: 3404 case L2CAP_SDU_CONTINUE:
3410 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU)) 3405 if (!test_bit(CONN_SAR_SDU, &chan->conn_state))
3411 break; 3406 break;
3412 3407
3413 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len); 3408 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
@@ -3421,12 +3416,12 @@ static int l2cap_streaming_reassembly_sdu(struct l2cap_chan *chan, struct sk_buf
3421 break; 3416 break;
3422 3417
3423 case L2CAP_SDU_END: 3418 case L2CAP_SDU_END:
3424 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU)) 3419 if (!test_bit(CONN_SAR_SDU, &chan->conn_state))
3425 break; 3420 break;
3426 3421
3427 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len); 3422 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
3428 3423
3429 chan->conn_state &= ~L2CAP_CONN_SAR_SDU; 3424 clear_bit(CONN_SAR_SDU, &chan->conn_state);
3430 chan->partial_sdu_len += skb->len; 3425 chan->partial_sdu_len += skb->len;
3431 3426
3432 if (chan->partial_sdu_len > chan->imtu) 3427 if (chan->partial_sdu_len > chan->imtu)
@@ -3434,7 +3429,7 @@ static int l2cap_streaming_reassembly_sdu(struct l2cap_chan *chan, struct sk_buf
3434 3429
3435 if (chan->partial_sdu_len == chan->sdu_len) { 3430 if (chan->partial_sdu_len == chan->sdu_len) {
3436 _skb = skb_clone(chan->sdu, GFP_ATOMIC); 3431 _skb = skb_clone(chan->sdu, GFP_ATOMIC);
3437 err = sock_queue_rcv_skb(chan->sk, _skb); 3432 err = chan->ops->recv(chan->data, _skb);
3438 if (err < 0) 3433 if (err < 0)
3439 kfree_skb(_skb); 3434 kfree_skb(_skb);
3440 } 3435 }
@@ -3517,11 +3512,11 @@ static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u16 rx_cont
3517 tx_seq, rx_control); 3512 tx_seq, rx_control);
3518 3513
3519 if (L2CAP_CTRL_FINAL & rx_control && 3514 if (L2CAP_CTRL_FINAL & rx_control &&
3520 chan->conn_state & L2CAP_CONN_WAIT_F) { 3515 test_bit(CONN_WAIT_F, &chan->conn_state)) {
3521 del_timer(&chan->monitor_timer); 3516 __clear_monitor_timer(chan);
3522 if (chan->unacked_frames > 0) 3517 if (chan->unacked_frames > 0)
3523 __mod_retrans_timer(); 3518 __set_retrans_timer(chan);
3524 chan->conn_state &= ~L2CAP_CONN_WAIT_F; 3519 clear_bit(CONN_WAIT_F, &chan->conn_state);
3525 } 3520 }
3526 3521
3527 chan->expected_ack_seq = req_seq; 3522 chan->expected_ack_seq = req_seq;
@@ -3540,10 +3535,10 @@ static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u16 rx_cont
3540 goto drop; 3535 goto drop;
3541 } 3536 }
3542 3537
3543 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) 3538 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
3544 goto drop; 3539 goto drop;
3545 3540
3546 if (chan->conn_state & L2CAP_CONN_SREJ_SENT) { 3541 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3547 struct srej_list *first; 3542 struct srej_list *first;
3548 3543
3549 first = list_first_entry(&chan->srej_l, 3544 first = list_first_entry(&chan->srej_l,
@@ -3557,7 +3552,7 @@ static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u16 rx_cont
3557 3552
3558 if (list_empty(&chan->srej_l)) { 3553 if (list_empty(&chan->srej_l)) {
3559 chan->buffer_seq = chan->buffer_seq_srej; 3554 chan->buffer_seq = chan->buffer_seq_srej;
3560 chan->conn_state &= ~L2CAP_CONN_SREJ_SENT; 3555 clear_bit(CONN_SREJ_SENT, &chan->conn_state);
3561 l2cap_send_ack(chan); 3556 l2cap_send_ack(chan);
3562 BT_DBG("chan %p, Exit SREJ_SENT", chan); 3557 BT_DBG("chan %p, Exit SREJ_SENT", chan);
3563 } 3558 }
@@ -3586,7 +3581,7 @@ static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u16 rx_cont
3586 if (tx_seq_offset < expected_tx_seq_offset) 3581 if (tx_seq_offset < expected_tx_seq_offset)
3587 goto drop; 3582 goto drop;
3588 3583
3589 chan->conn_state |= L2CAP_CONN_SREJ_SENT; 3584 set_bit(CONN_SREJ_SENT, &chan->conn_state);
3590 3585
3591 BT_DBG("chan %p, Enter SREJ", chan); 3586 BT_DBG("chan %p, Enter SREJ", chan);
3592 3587
@@ -3597,18 +3592,18 @@ static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u16 rx_cont
3597 __skb_queue_head_init(&chan->busy_q); 3592 __skb_queue_head_init(&chan->busy_q);
3598 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar); 3593 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
3599 3594
3600 chan->conn_state |= L2CAP_CONN_SEND_PBIT; 3595 set_bit(CONN_SEND_PBIT, &chan->conn_state);
3601 3596
3602 l2cap_send_srejframe(chan, tx_seq); 3597 l2cap_send_srejframe(chan, tx_seq);
3603 3598
3604 del_timer(&chan->ack_timer); 3599 __clear_ack_timer(chan);
3605 } 3600 }
3606 return 0; 3601 return 0;
3607 3602
3608expected: 3603expected:
3609 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64; 3604 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
3610 3605
3611 if (chan->conn_state & L2CAP_CONN_SREJ_SENT) { 3606 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3612 bt_cb(skb)->tx_seq = tx_seq; 3607 bt_cb(skb)->tx_seq = tx_seq;
3613 bt_cb(skb)->sar = sar; 3608 bt_cb(skb)->sar = sar;
3614 __skb_queue_tail(&chan->srej_q, skb); 3609 __skb_queue_tail(&chan->srej_q, skb);
@@ -3620,13 +3615,11 @@ expected:
3620 return 0; 3615 return 0;
3621 3616
3622 if (rx_control & L2CAP_CTRL_FINAL) { 3617 if (rx_control & L2CAP_CTRL_FINAL) {
3623 if (chan->conn_state & L2CAP_CONN_REJ_ACT) 3618 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
3624 chan->conn_state &= ~L2CAP_CONN_REJ_ACT;
3625 else
3626 l2cap_retransmit_frames(chan); 3619 l2cap_retransmit_frames(chan);
3627 } 3620 }
3628 3621
3629 __mod_ack_timer(); 3622 __set_ack_timer(chan);
3630 3623
3631 chan->num_acked = (chan->num_acked + 1) % num_to_ack; 3624 chan->num_acked = (chan->num_acked + 1) % num_to_ack;
3632 if (chan->num_acked == num_to_ack - 1) 3625 if (chan->num_acked == num_to_ack - 1)
@@ -3648,33 +3641,31 @@ static inline void l2cap_data_channel_rrframe(struct l2cap_chan *chan, u16 rx_co
3648 l2cap_drop_acked_frames(chan); 3641 l2cap_drop_acked_frames(chan);
3649 3642
3650 if (rx_control & L2CAP_CTRL_POLL) { 3643 if (rx_control & L2CAP_CTRL_POLL) {
3651 chan->conn_state |= L2CAP_CONN_SEND_FBIT; 3644 set_bit(CONN_SEND_FBIT, &chan->conn_state);
3652 if (chan->conn_state & L2CAP_CONN_SREJ_SENT) { 3645 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3653 if ((chan->conn_state & L2CAP_CONN_REMOTE_BUSY) && 3646 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
3654 (chan->unacked_frames > 0)) 3647 (chan->unacked_frames > 0))
3655 __mod_retrans_timer(); 3648 __set_retrans_timer(chan);
3656 3649
3657 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY; 3650 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
3658 l2cap_send_srejtail(chan); 3651 l2cap_send_srejtail(chan);
3659 } else { 3652 } else {
3660 l2cap_send_i_or_rr_or_rnr(chan); 3653 l2cap_send_i_or_rr_or_rnr(chan);
3661 } 3654 }
3662 3655
3663 } else if (rx_control & L2CAP_CTRL_FINAL) { 3656 } else if (rx_control & L2CAP_CTRL_FINAL) {
3664 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY; 3657 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
3665 3658
3666 if (chan->conn_state & L2CAP_CONN_REJ_ACT) 3659 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
3667 chan->conn_state &= ~L2CAP_CONN_REJ_ACT;
3668 else
3669 l2cap_retransmit_frames(chan); 3660 l2cap_retransmit_frames(chan);
3670 3661
3671 } else { 3662 } else {
3672 if ((chan->conn_state & L2CAP_CONN_REMOTE_BUSY) && 3663 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
3673 (chan->unacked_frames > 0)) 3664 (chan->unacked_frames > 0))
3674 __mod_retrans_timer(); 3665 __set_retrans_timer(chan);
3675 3666
3676 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY; 3667 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
3677 if (chan->conn_state & L2CAP_CONN_SREJ_SENT) 3668 if (test_bit(CONN_SREJ_SENT, &chan->conn_state))
3678 l2cap_send_ack(chan); 3669 l2cap_send_ack(chan);
3679 else 3670 else
3680 l2cap_ertm_send(chan); 3671 l2cap_ertm_send(chan);
@@ -3687,21 +3678,19 @@ static inline void l2cap_data_channel_rejframe(struct l2cap_chan *chan, u16 rx_c
3687 3678
3688 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control); 3679 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
3689 3680
3690 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY; 3681 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
3691 3682
3692 chan->expected_ack_seq = tx_seq; 3683 chan->expected_ack_seq = tx_seq;
3693 l2cap_drop_acked_frames(chan); 3684 l2cap_drop_acked_frames(chan);
3694 3685
3695 if (rx_control & L2CAP_CTRL_FINAL) { 3686 if (rx_control & L2CAP_CTRL_FINAL) {
3696 if (chan->conn_state & L2CAP_CONN_REJ_ACT) 3687 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
3697 chan->conn_state &= ~L2CAP_CONN_REJ_ACT;
3698 else
3699 l2cap_retransmit_frames(chan); 3688 l2cap_retransmit_frames(chan);
3700 } else { 3689 } else {
3701 l2cap_retransmit_frames(chan); 3690 l2cap_retransmit_frames(chan);
3702 3691
3703 if (chan->conn_state & L2CAP_CONN_WAIT_F) 3692 if (test_bit(CONN_WAIT_F, &chan->conn_state))
3704 chan->conn_state |= L2CAP_CONN_REJ_ACT; 3693 set_bit(CONN_REJ_ACT, &chan->conn_state);
3705 } 3694 }
3706} 3695}
3707static inline void l2cap_data_channel_srejframe(struct l2cap_chan *chan, u16 rx_control) 3696static inline void l2cap_data_channel_srejframe(struct l2cap_chan *chan, u16 rx_control)
@@ -3710,32 +3699,32 @@ static inline void l2cap_data_channel_srejframe(struct l2cap_chan *chan, u16 rx_
3710 3699
3711 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control); 3700 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
3712 3701
3713 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY; 3702 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
3714 3703
3715 if (rx_control & L2CAP_CTRL_POLL) { 3704 if (rx_control & L2CAP_CTRL_POLL) {
3716 chan->expected_ack_seq = tx_seq; 3705 chan->expected_ack_seq = tx_seq;
3717 l2cap_drop_acked_frames(chan); 3706 l2cap_drop_acked_frames(chan);
3718 3707
3719 chan->conn_state |= L2CAP_CONN_SEND_FBIT; 3708 set_bit(CONN_SEND_FBIT, &chan->conn_state);
3720 l2cap_retransmit_one_frame(chan, tx_seq); 3709 l2cap_retransmit_one_frame(chan, tx_seq);
3721 3710
3722 l2cap_ertm_send(chan); 3711 l2cap_ertm_send(chan);
3723 3712
3724 if (chan->conn_state & L2CAP_CONN_WAIT_F) { 3713 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
3725 chan->srej_save_reqseq = tx_seq; 3714 chan->srej_save_reqseq = tx_seq;
3726 chan->conn_state |= L2CAP_CONN_SREJ_ACT; 3715 set_bit(CONN_SREJ_ACT, &chan->conn_state);
3727 } 3716 }
3728 } else if (rx_control & L2CAP_CTRL_FINAL) { 3717 } else if (rx_control & L2CAP_CTRL_FINAL) {
3729 if ((chan->conn_state & L2CAP_CONN_SREJ_ACT) && 3718 if (test_bit(CONN_SREJ_ACT, &chan->conn_state) &&
3730 chan->srej_save_reqseq == tx_seq) 3719 chan->srej_save_reqseq == tx_seq)
3731 chan->conn_state &= ~L2CAP_CONN_SREJ_ACT; 3720 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
3732 else 3721 else
3733 l2cap_retransmit_one_frame(chan, tx_seq); 3722 l2cap_retransmit_one_frame(chan, tx_seq);
3734 } else { 3723 } else {
3735 l2cap_retransmit_one_frame(chan, tx_seq); 3724 l2cap_retransmit_one_frame(chan, tx_seq);
3736 if (chan->conn_state & L2CAP_CONN_WAIT_F) { 3725 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
3737 chan->srej_save_reqseq = tx_seq; 3726 chan->srej_save_reqseq = tx_seq;
3738 chan->conn_state |= L2CAP_CONN_SREJ_ACT; 3727 set_bit(CONN_SREJ_ACT, &chan->conn_state);
3739 } 3728 }
3740 } 3729 }
3741} 3730}
@@ -3746,15 +3735,15 @@ static inline void l2cap_data_channel_rnrframe(struct l2cap_chan *chan, u16 rx_c
3746 3735
3747 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control); 3736 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
3748 3737
3749 chan->conn_state |= L2CAP_CONN_REMOTE_BUSY; 3738 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
3750 chan->expected_ack_seq = tx_seq; 3739 chan->expected_ack_seq = tx_seq;
3751 l2cap_drop_acked_frames(chan); 3740 l2cap_drop_acked_frames(chan);
3752 3741
3753 if (rx_control & L2CAP_CTRL_POLL) 3742 if (rx_control & L2CAP_CTRL_POLL)
3754 chan->conn_state |= L2CAP_CONN_SEND_FBIT; 3743 set_bit(CONN_SEND_FBIT, &chan->conn_state);
3755 3744
3756 if (!(chan->conn_state & L2CAP_CONN_SREJ_SENT)) { 3745 if (!test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3757 del_timer(&chan->retrans_timer); 3746 __clear_retrans_timer(chan);
3758 if (rx_control & L2CAP_CTRL_POLL) 3747 if (rx_control & L2CAP_CTRL_POLL)
3759 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_FINAL); 3748 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_FINAL);
3760 return; 3749 return;
@@ -3771,11 +3760,11 @@ static inline int l2cap_data_channel_sframe(struct l2cap_chan *chan, u16 rx_cont
3771 BT_DBG("chan %p rx_control 0x%4.4x len %d", chan, rx_control, skb->len); 3760 BT_DBG("chan %p rx_control 0x%4.4x len %d", chan, rx_control, skb->len);
3772 3761
3773 if (L2CAP_CTRL_FINAL & rx_control && 3762 if (L2CAP_CTRL_FINAL & rx_control &&
3774 chan->conn_state & L2CAP_CONN_WAIT_F) { 3763 test_bit(CONN_WAIT_F, &chan->conn_state)) {
3775 del_timer(&chan->monitor_timer); 3764 __clear_monitor_timer(chan);
3776 if (chan->unacked_frames > 0) 3765 if (chan->unacked_frames > 0)
3777 __mod_retrans_timer(); 3766 __set_retrans_timer(chan);
3778 chan->conn_state &= ~L2CAP_CONN_WAIT_F; 3767 clear_bit(CONN_WAIT_F, &chan->conn_state);
3779 } 3768 }
3780 3769
3781 switch (rx_control & L2CAP_CTRL_SUPERVISE) { 3770 switch (rx_control & L2CAP_CTRL_SUPERVISE) {
@@ -3888,7 +3877,7 @@ static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk
3888 3877
3889 BT_DBG("chan %p, len %d", chan, skb->len); 3878 BT_DBG("chan %p, len %d", chan, skb->len);
3890 3879
3891 if (sk->sk_state != BT_CONNECTED) 3880 if (chan->state != BT_CONNECTED)
3892 goto drop; 3881 goto drop;
3893 3882
3894 switch (chan->mode) { 3883 switch (chan->mode) {
@@ -3901,7 +3890,7 @@ static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk
3901 if (chan->imtu < skb->len) 3890 if (chan->imtu < skb->len)
3902 goto drop; 3891 goto drop;
3903 3892
3904 if (!sock_queue_rcv_skb(sk, skb)) 3893 if (!chan->ops->recv(chan->data, skb))
3905 goto done; 3894 goto done;
3906 break; 3895 break;
3907 3896
@@ -3973,13 +3962,13 @@ static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, str
3973 3962
3974 BT_DBG("sk %p, len %d", sk, skb->len); 3963 BT_DBG("sk %p, len %d", sk, skb->len);
3975 3964
3976 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_CONNECTED) 3965 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
3977 goto drop; 3966 goto drop;
3978 3967
3979 if (l2cap_pi(sk)->chan->imtu < skb->len) 3968 if (chan->imtu < skb->len)
3980 goto drop; 3969 goto drop;
3981 3970
3982 if (!sock_queue_rcv_skb(sk, skb)) 3971 if (!chan->ops->recv(chan->data, skb))
3983 goto done; 3972 goto done;
3984 3973
3985drop: 3974drop:
@@ -4006,13 +3995,13 @@ static inline int l2cap_att_channel(struct l2cap_conn *conn, __le16 cid, struct
4006 3995
4007 BT_DBG("sk %p, len %d", sk, skb->len); 3996 BT_DBG("sk %p, len %d", sk, skb->len);
4008 3997
4009 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_CONNECTED) 3998 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
4010 goto drop; 3999 goto drop;
4011 4000
4012 if (l2cap_pi(sk)->chan->imtu < skb->len) 4001 if (chan->imtu < skb->len)
4013 goto drop; 4002 goto drop;
4014 4003
4015 if (!sock_queue_rcv_skb(sk, skb)) 4004 if (!chan->ops->recv(chan->data, skb))
4016 goto done; 4005 goto done;
4017 4006
4018drop: 4007drop:
@@ -4057,6 +4046,11 @@ static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
4057 l2cap_att_channel(conn, cid, skb); 4046 l2cap_att_channel(conn, cid, skb);
4058 break; 4047 break;
4059 4048
4049 case L2CAP_CID_SMP:
4050 if (smp_sig_channel(conn, skb))
4051 l2cap_conn_del(conn->hcon, EACCES);
4052 break;
4053
4060 default: 4054 default:
4061 l2cap_data_channel(conn, cid, skb); 4055 l2cap_data_channel(conn, cid, skb);
4062 break; 4056 break;
@@ -4080,7 +4074,7 @@ static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
4080 list_for_each_entry(c, &chan_list, global_l) { 4074 list_for_each_entry(c, &chan_list, global_l) {
4081 struct sock *sk = c->sk; 4075 struct sock *sk = c->sk;
4082 4076
4083 if (sk->sk_state != BT_LISTEN) 4077 if (c->state != BT_LISTEN)
4084 continue; 4078 continue;
4085 4079
4086 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) { 4080 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
@@ -4124,7 +4118,7 @@ static int l2cap_disconn_ind(struct hci_conn *hcon)
4124 4118
4125 BT_DBG("hcon %p", hcon); 4119 BT_DBG("hcon %p", hcon);
4126 4120
4127 if (hcon->type != ACL_LINK || !conn) 4121 if ((hcon->type != ACL_LINK && hcon->type != LE_LINK) || !conn)
4128 return 0x13; 4122 return 0x13;
4129 4123
4130 return conn->disc_reason; 4124 return conn->disc_reason;
@@ -4149,13 +4143,13 @@ static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
4149 4143
4150 if (encrypt == 0x00) { 4144 if (encrypt == 0x00) {
4151 if (chan->sec_level == BT_SECURITY_MEDIUM) { 4145 if (chan->sec_level == BT_SECURITY_MEDIUM) {
4152 l2cap_chan_clear_timer(chan); 4146 __clear_chan_timer(chan);
4153 l2cap_chan_set_timer(chan, HZ * 5); 4147 __set_chan_timer(chan, HZ * 5);
4154 } else if (chan->sec_level == BT_SECURITY_HIGH) 4148 } else if (chan->sec_level == BT_SECURITY_HIGH)
4155 l2cap_chan_close(chan, ECONNREFUSED); 4149 l2cap_chan_close(chan, ECONNREFUSED);
4156 } else { 4150 } else {
4157 if (chan->sec_level == BT_SECURITY_MEDIUM) 4151 if (chan->sec_level == BT_SECURITY_MEDIUM)
4158 l2cap_chan_clear_timer(chan); 4152 __clear_chan_timer(chan);
4159 } 4153 }
4160} 4154}
4161 4155
@@ -4176,50 +4170,72 @@ static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
4176 4170
4177 bh_lock_sock(sk); 4171 bh_lock_sock(sk);
4178 4172
4179 if (chan->conf_state & L2CAP_CONF_CONNECT_PEND) { 4173 BT_DBG("chan->scid %d", chan->scid);
4174
4175 if (chan->scid == L2CAP_CID_LE_DATA) {
4176 if (!status && encrypt) {
4177 chan->sec_level = hcon->sec_level;
4178 del_timer(&conn->security_timer);
4179 l2cap_chan_ready(sk);
4180 }
4181
4182 bh_unlock_sock(sk);
4183 continue;
4184 }
4185
4186 if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
4180 bh_unlock_sock(sk); 4187 bh_unlock_sock(sk);
4181 continue; 4188 continue;
4182 } 4189 }
4183 4190
4184 if (!status && (sk->sk_state == BT_CONNECTED || 4191 if (!status && (chan->state == BT_CONNECTED ||
4185 sk->sk_state == BT_CONFIG)) { 4192 chan->state == BT_CONFIG)) {
4186 l2cap_check_encryption(chan, encrypt); 4193 l2cap_check_encryption(chan, encrypt);
4187 bh_unlock_sock(sk); 4194 bh_unlock_sock(sk);
4188 continue; 4195 continue;
4189 } 4196 }
4190 4197
4191 if (sk->sk_state == BT_CONNECT) { 4198 if (chan->state == BT_CONNECT) {
4192 if (!status) { 4199 if (!status) {
4193 struct l2cap_conn_req req; 4200 struct l2cap_conn_req req;
4194 req.scid = cpu_to_le16(chan->scid); 4201 req.scid = cpu_to_le16(chan->scid);
4195 req.psm = chan->psm; 4202 req.psm = chan->psm;
4196 4203
4197 chan->ident = l2cap_get_ident(conn); 4204 chan->ident = l2cap_get_ident(conn);
4198 chan->conf_state |= L2CAP_CONF_CONNECT_PEND; 4205 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
4199 4206
4200 l2cap_send_cmd(conn, chan->ident, 4207 l2cap_send_cmd(conn, chan->ident,
4201 L2CAP_CONN_REQ, sizeof(req), &req); 4208 L2CAP_CONN_REQ, sizeof(req), &req);
4202 } else { 4209 } else {
4203 l2cap_chan_clear_timer(chan); 4210 __clear_chan_timer(chan);
4204 l2cap_chan_set_timer(chan, HZ / 10); 4211 __set_chan_timer(chan, HZ / 10);
4205 } 4212 }
4206 } else if (sk->sk_state == BT_CONNECT2) { 4213 } else if (chan->state == BT_CONNECT2) {
4207 struct l2cap_conn_rsp rsp; 4214 struct l2cap_conn_rsp rsp;
4208 __u16 result; 4215 __u16 res, stat;
4209 4216
4210 if (!status) { 4217 if (!status) {
4211 sk->sk_state = BT_CONFIG; 4218 if (bt_sk(sk)->defer_setup) {
4212 result = L2CAP_CR_SUCCESS; 4219 struct sock *parent = bt_sk(sk)->parent;
4220 res = L2CAP_CR_PEND;
4221 stat = L2CAP_CS_AUTHOR_PEND;
4222 parent->sk_data_ready(parent, 0);
4223 } else {
4224 l2cap_state_change(chan, BT_CONFIG);
4225 res = L2CAP_CR_SUCCESS;
4226 stat = L2CAP_CS_NO_INFO;
4227 }
4213 } else { 4228 } else {
4214 sk->sk_state = BT_DISCONN; 4229 l2cap_state_change(chan, BT_DISCONN);
4215 l2cap_chan_set_timer(chan, HZ / 10); 4230 __set_chan_timer(chan, HZ / 10);
4216 result = L2CAP_CR_SEC_BLOCK; 4231 res = L2CAP_CR_SEC_BLOCK;
4232 stat = L2CAP_CS_NO_INFO;
4217 } 4233 }
4218 4234
4219 rsp.scid = cpu_to_le16(chan->dcid); 4235 rsp.scid = cpu_to_le16(chan->dcid);
4220 rsp.dcid = cpu_to_le16(chan->scid); 4236 rsp.dcid = cpu_to_le16(chan->scid);
4221 rsp.result = cpu_to_le16(result); 4237 rsp.result = cpu_to_le16(res);
4222 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO); 4238 rsp.status = cpu_to_le16(stat);
4223 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, 4239 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
4224 sizeof(rsp), &rsp); 4240 sizeof(rsp), &rsp);
4225 } 4241 }
@@ -4355,10 +4371,10 @@ static int l2cap_debugfs_show(struct seq_file *f, void *p)
4355 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n", 4371 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
4356 batostr(&bt_sk(sk)->src), 4372 batostr(&bt_sk(sk)->src),
4357 batostr(&bt_sk(sk)->dst), 4373 batostr(&bt_sk(sk)->dst),
4358 sk->sk_state, __le16_to_cpu(c->psm), 4374 c->state, __le16_to_cpu(c->psm),
4359 c->scid, c->dcid, c->imtu, c->omtu, 4375 c->scid, c->dcid, c->imtu, c->omtu,
4360 c->sec_level, c->mode); 4376 c->sec_level, c->mode);
4361 } 4377}
4362 4378
4363 read_unlock_bh(&chan_list_lock); 4379 read_unlock_bh(&chan_list_lock);
4364 4380
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index ab81894c6677..39082d4e77ce 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -29,8 +29,11 @@
29#include <net/bluetooth/bluetooth.h> 29#include <net/bluetooth/bluetooth.h>
30#include <net/bluetooth/hci_core.h> 30#include <net/bluetooth/hci_core.h>
31#include <net/bluetooth/l2cap.h> 31#include <net/bluetooth/l2cap.h>
32#include <net/bluetooth/smp.h>
32 33
33static const struct proto_ops l2cap_sock_ops; 34static const struct proto_ops l2cap_sock_ops;
35static void l2cap_sock_init(struct sock *sk, struct sock *parent);
36static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio);
34 37
35static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen) 38static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
36{ 39{
@@ -87,6 +90,8 @@ static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
87 chan->sec_level = BT_SECURITY_SDP; 90 chan->sec_level = BT_SECURITY_SDP;
88 91
89 bacpy(&bt_sk(sk)->src, &la.l2_bdaddr); 92 bacpy(&bt_sk(sk)->src, &la.l2_bdaddr);
93
94 chan->state = BT_BOUND;
90 sk->sk_state = BT_BOUND; 95 sk->sk_state = BT_BOUND;
91 96
92done: 97done:
@@ -212,6 +217,8 @@ static int l2cap_sock_listen(struct socket *sock, int backlog)
212 217
213 sk->sk_max_ack_backlog = backlog; 218 sk->sk_max_ack_backlog = backlog;
214 sk->sk_ack_backlog = 0; 219 sk->sk_ack_backlog = 0;
220
221 chan->state = BT_LISTEN;
215 sk->sk_state = BT_LISTEN; 222 sk->sk_state = BT_LISTEN;
216 223
217done: 224done:
@@ -505,7 +512,7 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __us
505 chan->mode = opts.mode; 512 chan->mode = opts.mode;
506 switch (chan->mode) { 513 switch (chan->mode) {
507 case L2CAP_MODE_BASIC: 514 case L2CAP_MODE_BASIC:
508 chan->conf_state &= ~L2CAP_CONF_STATE2_DEVICE; 515 clear_bit(CONF_STATE2_DEVICE, &chan->conf_state);
509 break; 516 break;
510 case L2CAP_MODE_ERTM: 517 case L2CAP_MODE_ERTM:
511 case L2CAP_MODE_STREAMING: 518 case L2CAP_MODE_STREAMING:
@@ -556,6 +563,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, ch
556 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 563 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
557 struct bt_security sec; 564 struct bt_security sec;
558 struct bt_power pwr; 565 struct bt_power pwr;
566 struct l2cap_conn *conn;
559 int len, err = 0; 567 int len, err = 0;
560 u32 opt; 568 u32 opt;
561 569
@@ -592,6 +600,20 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, ch
592 } 600 }
593 601
594 chan->sec_level = sec.level; 602 chan->sec_level = sec.level;
603
604 conn = chan->conn;
605 if (conn && chan->scid == L2CAP_CID_LE_DATA) {
606 if (!conn->hcon->out) {
607 err = -EINVAL;
608 break;
609 }
610
611 if (smp_conn_security(conn, sec.level))
612 break;
613
614 err = 0;
615 sk->sk_state = BT_CONFIG;
616 }
595 break; 617 break;
596 618
597 case BT_DEFER_SETUP: 619 case BT_DEFER_SETUP:
@@ -711,7 +733,7 @@ static int l2cap_sock_recvmsg(struct kiocb *iocb, struct socket *sock, struct ms
711/* Kill socket (only if zapped and orphan) 733/* Kill socket (only if zapped and orphan)
712 * Must be called on unlocked socket. 734 * Must be called on unlocked socket.
713 */ 735 */
714void l2cap_sock_kill(struct sock *sk) 736static void l2cap_sock_kill(struct sock *sk)
715{ 737{
716 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket) 738 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
717 return; 739 return;
@@ -773,6 +795,49 @@ static int l2cap_sock_release(struct socket *sock)
773 return err; 795 return err;
774} 796}
775 797
798static struct l2cap_chan *l2cap_sock_new_connection_cb(void *data)
799{
800 struct sock *sk, *parent = data;
801
802 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP,
803 GFP_ATOMIC);
804 if (!sk)
805 return NULL;
806
807 l2cap_sock_init(sk, parent);
808
809 return l2cap_pi(sk)->chan;
810}
811
812static int l2cap_sock_recv_cb(void *data, struct sk_buff *skb)
813{
814 struct sock *sk = data;
815
816 return sock_queue_rcv_skb(sk, skb);
817}
818
819static void l2cap_sock_close_cb(void *data)
820{
821 struct sock *sk = data;
822
823 l2cap_sock_kill(sk);
824}
825
826static void l2cap_sock_state_change_cb(void *data, int state)
827{
828 struct sock *sk = data;
829
830 sk->sk_state = state;
831}
832
833static struct l2cap_ops l2cap_chan_ops = {
834 .name = "L2CAP Socket Interface",
835 .new_connection = l2cap_sock_new_connection_cb,
836 .recv = l2cap_sock_recv_cb,
837 .close = l2cap_sock_close_cb,
838 .state_change = l2cap_sock_state_change_cb,
839};
840
776static void l2cap_sock_destruct(struct sock *sk) 841static void l2cap_sock_destruct(struct sock *sk)
777{ 842{
778 BT_DBG("sk %p", sk); 843 BT_DBG("sk %p", sk);
@@ -781,7 +846,7 @@ static void l2cap_sock_destruct(struct sock *sk)
781 skb_queue_purge(&sk->sk_write_queue); 846 skb_queue_purge(&sk->sk_write_queue);
782} 847}
783 848
784void l2cap_sock_init(struct sock *sk, struct sock *parent) 849static void l2cap_sock_init(struct sock *sk, struct sock *parent)
785{ 850{
786 struct l2cap_pinfo *pi = l2cap_pi(sk); 851 struct l2cap_pinfo *pi = l2cap_pi(sk);
787 struct l2cap_chan *chan = pi->chan; 852 struct l2cap_chan *chan = pi->chan;
@@ -826,7 +891,7 @@ void l2cap_sock_init(struct sock *sk, struct sock *parent)
826 chan->omtu = 0; 891 chan->omtu = 0;
827 if (!disable_ertm && sk->sk_type == SOCK_STREAM) { 892 if (!disable_ertm && sk->sk_type == SOCK_STREAM) {
828 chan->mode = L2CAP_MODE_ERTM; 893 chan->mode = L2CAP_MODE_ERTM;
829 chan->conf_state |= L2CAP_CONF_STATE2_DEVICE; 894 set_bit(CONF_STATE2_DEVICE, &chan->conf_state);
830 } else { 895 } else {
831 chan->mode = L2CAP_MODE_BASIC; 896 chan->mode = L2CAP_MODE_BASIC;
832 } 897 }
@@ -838,10 +903,14 @@ void l2cap_sock_init(struct sock *sk, struct sock *parent)
838 chan->force_reliable = 0; 903 chan->force_reliable = 0;
839 chan->flushable = BT_FLUSHABLE_OFF; 904 chan->flushable = BT_FLUSHABLE_OFF;
840 chan->force_active = BT_POWER_FORCE_ACTIVE_ON; 905 chan->force_active = BT_POWER_FORCE_ACTIVE_ON;
906
841 } 907 }
842 908
843 /* Default config options */ 909 /* Default config options */
844 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO; 910 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
911
912 chan->data = sk;
913 chan->ops = &l2cap_chan_ops;
845} 914}
846 915
847static struct proto l2cap_proto = { 916static struct proto l2cap_proto = {
@@ -850,9 +919,10 @@ static struct proto l2cap_proto = {
850 .obj_size = sizeof(struct l2cap_pinfo) 919 .obj_size = sizeof(struct l2cap_pinfo)
851}; 920};
852 921
853struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio) 922static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio)
854{ 923{
855 struct sock *sk; 924 struct sock *sk;
925 struct l2cap_chan *chan;
856 926
857 sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto); 927 sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto);
858 if (!sk) 928 if (!sk)
@@ -869,6 +939,14 @@ struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int proto, g
869 sk->sk_protocol = proto; 939 sk->sk_protocol = proto;
870 sk->sk_state = BT_OPEN; 940 sk->sk_state = BT_OPEN;
871 941
942 chan = l2cap_chan_create(sk);
943 if (!chan) {
944 l2cap_sock_kill(sk);
945 return NULL;
946 }
947
948 l2cap_pi(sk)->chan = chan;
949
872 return sk; 950 return sk;
873} 951}
874 952
@@ -876,7 +954,6 @@ static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
876 int kern) 954 int kern)
877{ 955{
878 struct sock *sk; 956 struct sock *sk;
879 struct l2cap_chan *chan;
880 957
881 BT_DBG("sock %p", sock); 958 BT_DBG("sock %p", sock);
882 959
@@ -895,14 +972,6 @@ static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
895 if (!sk) 972 if (!sk)
896 return -ENOMEM; 973 return -ENOMEM;
897 974
898 chan = l2cap_chan_create(sk);
899 if (!chan) {
900 l2cap_sock_kill(sk);
901 return -ENOMEM;
902 }
903
904 l2cap_pi(sk)->chan = chan;
905
906 l2cap_sock_init(sk, NULL); 975 l2cap_sock_init(sk, NULL);
907 return 0; 976 return 0;
908} 977}
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index fcccf10f909a..64c0418a6221 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -990,7 +990,7 @@ static int remove_key(struct sock *sk, u16 index, unsigned char *data, u16 len)
990 990
991 put_unaligned_le16(conn->handle, &dc.handle); 991 put_unaligned_le16(conn->handle, &dc.handle);
992 dc.reason = 0x13; /* Remote User Terminated Connection */ 992 dc.reason = 0x13; /* Remote User Terminated Connection */
993 err = hci_send_cmd(hdev, HCI_OP_DISCONNECT, 0, NULL); 993 err = hci_send_cmd(hdev, HCI_OP_DISCONNECT, sizeof(dc), &dc);
994 } 994 }
995 995
996unlock: 996unlock:
@@ -1666,6 +1666,70 @@ failed:
1666 return err; 1666 return err;
1667} 1667}
1668 1668
1669static int block_device(struct sock *sk, u16 index, unsigned char *data,
1670 u16 len)
1671{
1672 struct hci_dev *hdev;
1673 struct mgmt_cp_block_device *cp;
1674 int err;
1675
1676 BT_DBG("hci%u", index);
1677
1678 cp = (void *) data;
1679
1680 if (len != sizeof(*cp))
1681 return cmd_status(sk, index, MGMT_OP_BLOCK_DEVICE,
1682 EINVAL);
1683
1684 hdev = hci_dev_get(index);
1685 if (!hdev)
1686 return cmd_status(sk, index, MGMT_OP_BLOCK_DEVICE,
1687 ENODEV);
1688
1689 err = hci_blacklist_add(hdev, &cp->bdaddr);
1690
1691 if (err < 0)
1692 err = cmd_status(sk, index, MGMT_OP_BLOCK_DEVICE, -err);
1693 else
1694 err = cmd_complete(sk, index, MGMT_OP_BLOCK_DEVICE,
1695 NULL, 0);
1696 hci_dev_put(hdev);
1697
1698 return err;
1699}
1700
1701static int unblock_device(struct sock *sk, u16 index, unsigned char *data,
1702 u16 len)
1703{
1704 struct hci_dev *hdev;
1705 struct mgmt_cp_unblock_device *cp;
1706 int err;
1707
1708 BT_DBG("hci%u", index);
1709
1710 cp = (void *) data;
1711
1712 if (len != sizeof(*cp))
1713 return cmd_status(sk, index, MGMT_OP_UNBLOCK_DEVICE,
1714 EINVAL);
1715
1716 hdev = hci_dev_get(index);
1717 if (!hdev)
1718 return cmd_status(sk, index, MGMT_OP_UNBLOCK_DEVICE,
1719 ENODEV);
1720
1721 err = hci_blacklist_del(hdev, &cp->bdaddr);
1722
1723 if (err < 0)
1724 err = cmd_status(sk, index, MGMT_OP_UNBLOCK_DEVICE, -err);
1725 else
1726 err = cmd_complete(sk, index, MGMT_OP_UNBLOCK_DEVICE,
1727 NULL, 0);
1728 hci_dev_put(hdev);
1729
1730 return err;
1731}
1732
1669int mgmt_control(struct sock *sk, struct msghdr *msg, size_t msglen) 1733int mgmt_control(struct sock *sk, struct msghdr *msg, size_t msglen)
1670{ 1734{
1671 unsigned char *buf; 1735 unsigned char *buf;
@@ -1780,6 +1844,12 @@ int mgmt_control(struct sock *sk, struct msghdr *msg, size_t msglen)
1780 case MGMT_OP_STOP_DISCOVERY: 1844 case MGMT_OP_STOP_DISCOVERY:
1781 err = stop_discovery(sk, index); 1845 err = stop_discovery(sk, index);
1782 break; 1846 break;
1847 case MGMT_OP_BLOCK_DEVICE:
1848 err = block_device(sk, index, buf + sizeof(*hdr), len);
1849 break;
1850 case MGMT_OP_UNBLOCK_DEVICE:
1851 err = unblock_device(sk, index, buf + sizeof(*hdr), len);
1852 break;
1783 default: 1853 default:
1784 BT_DBG("Unknown op %u", opcode); 1854 BT_DBG("Unknown op %u", opcode);
1785 err = cmd_status(sk, index, opcode, 0x01); 1855 err = cmd_status(sk, index, opcode, 0x01);
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
new file mode 100644
index 000000000000..52e9ec2644c1
--- /dev/null
+++ b/net/bluetooth/smp.c
@@ -0,0 +1,533 @@
1/*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
4
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License version 2 as
7 published by the Free Software Foundation;
8
9 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17
18 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20 SOFTWARE IS DISCLAIMED.
21*/
22
23#include <net/bluetooth/bluetooth.h>
24#include <net/bluetooth/hci_core.h>
25#include <net/bluetooth/l2cap.h>
26#include <net/bluetooth/smp.h>
27#include <linux/crypto.h>
28#include <crypto/b128ops.h>
29
30#define SMP_TIMEOUT 30000 /* 30 seconds */
31
32static inline void swap128(u8 src[16], u8 dst[16])
33{
34 int i;
35 for (i = 0; i < 16; i++)
36 dst[15 - i] = src[i];
37}
38
39static inline void swap56(u8 src[7], u8 dst[7])
40{
41 int i;
42 for (i = 0; i < 7; i++)
43 dst[6 - i] = src[i];
44}
45
46static int smp_e(struct crypto_blkcipher *tfm, const u8 *k, u8 *r)
47{
48 struct blkcipher_desc desc;
49 struct scatterlist sg;
50 int err, iv_len;
51 unsigned char iv[128];
52
53 if (tfm == NULL) {
54 BT_ERR("tfm %p", tfm);
55 return -EINVAL;
56 }
57
58 desc.tfm = tfm;
59 desc.flags = 0;
60
61 err = crypto_blkcipher_setkey(tfm, k, 16);
62 if (err) {
63 BT_ERR("cipher setkey failed: %d", err);
64 return err;
65 }
66
67 sg_init_one(&sg, r, 16);
68
69 iv_len = crypto_blkcipher_ivsize(tfm);
70 if (iv_len) {
71 memset(&iv, 0xff, iv_len);
72 crypto_blkcipher_set_iv(tfm, iv, iv_len);
73 }
74
75 err = crypto_blkcipher_encrypt(&desc, &sg, &sg, 16);
76 if (err)
77 BT_ERR("Encrypt data error %d", err);
78
79 return err;
80}
81
82static int smp_c1(struct crypto_blkcipher *tfm, u8 k[16], u8 r[16],
83 u8 preq[7], u8 pres[7], u8 _iat, bdaddr_t *ia,
84 u8 _rat, bdaddr_t *ra, u8 res[16])
85{
86 u8 p1[16], p2[16];
87 int err;
88
89 memset(p1, 0, 16);
90
91 /* p1 = pres || preq || _rat || _iat */
92 swap56(pres, p1);
93 swap56(preq, p1 + 7);
94 p1[14] = _rat;
95 p1[15] = _iat;
96
97 memset(p2, 0, 16);
98
99 /* p2 = padding || ia || ra */
100 baswap((bdaddr_t *) (p2 + 4), ia);
101 baswap((bdaddr_t *) (p2 + 10), ra);
102
103 /* res = r XOR p1 */
104 u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
105
106 /* res = e(k, res) */
107 err = smp_e(tfm, k, res);
108 if (err) {
109 BT_ERR("Encrypt data error");
110 return err;
111 }
112
113 /* res = res XOR p2 */
114 u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
115
116 /* res = e(k, res) */
117 err = smp_e(tfm, k, res);
118 if (err)
119 BT_ERR("Encrypt data error");
120
121 return err;
122}
123
124static int smp_s1(struct crypto_blkcipher *tfm, u8 k[16],
125 u8 r1[16], u8 r2[16], u8 _r[16])
126{
127 int err;
128
129 /* Just least significant octets from r1 and r2 are considered */
130 memcpy(_r, r1 + 8, 8);
131 memcpy(_r + 8, r2 + 8, 8);
132
133 err = smp_e(tfm, k, _r);
134 if (err)
135 BT_ERR("Encrypt data error");
136
137 return err;
138}
139
140static int smp_rand(u8 *buf)
141{
142 get_random_bytes(buf, 16);
143
144 return 0;
145}
146
147static struct sk_buff *smp_build_cmd(struct l2cap_conn *conn, u8 code,
148 u16 dlen, void *data)
149{
150 struct sk_buff *skb;
151 struct l2cap_hdr *lh;
152 int len;
153
154 len = L2CAP_HDR_SIZE + sizeof(code) + dlen;
155
156 if (len > conn->mtu)
157 return NULL;
158
159 skb = bt_skb_alloc(len, GFP_ATOMIC);
160 if (!skb)
161 return NULL;
162
163 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
164 lh->len = cpu_to_le16(sizeof(code) + dlen);
165 lh->cid = cpu_to_le16(L2CAP_CID_SMP);
166
167 memcpy(skb_put(skb, sizeof(code)), &code, sizeof(code));
168
169 memcpy(skb_put(skb, dlen), data, dlen);
170
171 return skb;
172}
173
174static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
175{
176 struct sk_buff *skb = smp_build_cmd(conn, code, len, data);
177
178 BT_DBG("code 0x%2.2x", code);
179
180 if (!skb)
181 return;
182
183 hci_send_acl(conn->hcon, skb, 0);
184}
185
186static __u8 seclevel_to_authreq(__u8 level)
187{
188 switch (level) {
189 case BT_SECURITY_HIGH:
190 /* Right now we don't support bonding */
191 return SMP_AUTH_MITM;
192
193 default:
194 return SMP_AUTH_NONE;
195 }
196}
197
198static void build_pairing_cmd(struct l2cap_conn *conn,
199 struct smp_cmd_pairing *cmd, __u8 authreq)
200{
201 cmd->io_capability = conn->hcon->io_capability;
202 cmd->oob_flag = SMP_OOB_NOT_PRESENT;
203 cmd->max_key_size = SMP_MAX_ENC_KEY_SIZE;
204 cmd->init_key_dist = 0x00;
205 cmd->resp_key_dist = 0x00;
206 cmd->auth_req = authreq;
207}
208
209static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
210{
211 if ((max_key_size > SMP_MAX_ENC_KEY_SIZE) ||
212 (max_key_size < SMP_MIN_ENC_KEY_SIZE))
213 return SMP_ENC_KEY_SIZE;
214
215 conn->smp_key_size = max_key_size;
216
217 return 0;
218}
219
220static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
221{
222 struct smp_cmd_pairing rsp, *req = (void *) skb->data;
223 u8 key_size;
224
225 BT_DBG("conn %p", conn);
226
227 conn->preq[0] = SMP_CMD_PAIRING_REQ;
228 memcpy(&conn->preq[1], req, sizeof(*req));
229 skb_pull(skb, sizeof(*req));
230
231 if (req->oob_flag)
232 return SMP_OOB_NOT_AVAIL;
233
234 /* We didn't start the pairing, so no requirements */
235 build_pairing_cmd(conn, &rsp, SMP_AUTH_NONE);
236
237 key_size = min(req->max_key_size, rsp.max_key_size);
238 if (check_enc_key_size(conn, key_size))
239 return SMP_ENC_KEY_SIZE;
240
241 /* Just works */
242 memset(conn->tk, 0, sizeof(conn->tk));
243
244 conn->prsp[0] = SMP_CMD_PAIRING_RSP;
245 memcpy(&conn->prsp[1], &rsp, sizeof(rsp));
246
247 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
248
249 mod_timer(&conn->security_timer, jiffies +
250 msecs_to_jiffies(SMP_TIMEOUT));
251
252 return 0;
253}
254
255static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
256{
257 struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
258 struct smp_cmd_pairing_confirm cp;
259 struct crypto_blkcipher *tfm = conn->hcon->hdev->tfm;
260 int ret;
261 u8 res[16], key_size;
262
263 BT_DBG("conn %p", conn);
264
265 skb_pull(skb, sizeof(*rsp));
266
267 req = (void *) &conn->preq[1];
268
269 key_size = min(req->max_key_size, rsp->max_key_size);
270 if (check_enc_key_size(conn, key_size))
271 return SMP_ENC_KEY_SIZE;
272
273 if (rsp->oob_flag)
274 return SMP_OOB_NOT_AVAIL;
275
276 /* Just works */
277 memset(conn->tk, 0, sizeof(conn->tk));
278
279 conn->prsp[0] = SMP_CMD_PAIRING_RSP;
280 memcpy(&conn->prsp[1], rsp, sizeof(*rsp));
281
282 ret = smp_rand(conn->prnd);
283 if (ret)
284 return SMP_UNSPECIFIED;
285
286 ret = smp_c1(tfm, conn->tk, conn->prnd, conn->preq, conn->prsp, 0,
287 conn->src, conn->hcon->dst_type, conn->dst, res);
288 if (ret)
289 return SMP_UNSPECIFIED;
290
291 swap128(res, cp.confirm_val);
292
293 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
294
295 return 0;
296}
297
298static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
299{
300 struct crypto_blkcipher *tfm = conn->hcon->hdev->tfm;
301
302 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
303
304 memcpy(conn->pcnf, skb->data, sizeof(conn->pcnf));
305 skb_pull(skb, sizeof(conn->pcnf));
306
307 if (conn->hcon->out) {
308 u8 random[16];
309
310 swap128(conn->prnd, random);
311 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(random),
312 random);
313 } else {
314 struct smp_cmd_pairing_confirm cp;
315 int ret;
316 u8 res[16];
317
318 ret = smp_rand(conn->prnd);
319 if (ret)
320 return SMP_UNSPECIFIED;
321
322 ret = smp_c1(tfm, conn->tk, conn->prnd, conn->preq, conn->prsp,
323 conn->hcon->dst_type, conn->dst,
324 0, conn->src, res);
325 if (ret)
326 return SMP_CONFIRM_FAILED;
327
328 swap128(res, cp.confirm_val);
329
330 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
331 }
332
333 mod_timer(&conn->security_timer, jiffies +
334 msecs_to_jiffies(SMP_TIMEOUT));
335
336 return 0;
337}
338
339static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
340{
341 struct hci_conn *hcon = conn->hcon;
342 struct crypto_blkcipher *tfm = hcon->hdev->tfm;
343 int ret;
344 u8 key[16], res[16], random[16], confirm[16];
345
346 swap128(skb->data, random);
347 skb_pull(skb, sizeof(random));
348
349 memset(hcon->ltk, 0, sizeof(hcon->ltk));
350
351 if (conn->hcon->out)
352 ret = smp_c1(tfm, conn->tk, random, conn->preq, conn->prsp, 0,
353 conn->src, conn->hcon->dst_type, conn->dst,
354 res);
355 else
356 ret = smp_c1(tfm, conn->tk, random, conn->preq, conn->prsp,
357 conn->hcon->dst_type, conn->dst, 0, conn->src,
358 res);
359 if (ret)
360 return SMP_UNSPECIFIED;
361
362 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
363
364 swap128(res, confirm);
365
366 if (memcmp(conn->pcnf, confirm, sizeof(conn->pcnf)) != 0) {
367 BT_ERR("Pairing failed (confirmation values mismatch)");
368 return SMP_CONFIRM_FAILED;
369 }
370
371 if (conn->hcon->out) {
372 __le16 ediv;
373 u8 rand[8];
374
375 smp_s1(tfm, conn->tk, random, conn->prnd, key);
376 swap128(key, hcon->ltk);
377
378 memset(hcon->ltk + conn->smp_key_size, 0,
379 SMP_MAX_ENC_KEY_SIZE - conn->smp_key_size);
380
381 memset(rand, 0, sizeof(rand));
382 ediv = 0;
383 hci_le_start_enc(hcon, ediv, rand, hcon->ltk);
384 } else {
385 u8 r[16];
386
387 swap128(conn->prnd, r);
388 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(r), r);
389
390 smp_s1(tfm, conn->tk, conn->prnd, random, key);
391 swap128(key, hcon->ltk);
392
393 memset(hcon->ltk + conn->smp_key_size, 0,
394 SMP_MAX_ENC_KEY_SIZE - conn->smp_key_size);
395 }
396
397 return 0;
398}
399
400static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
401{
402 struct smp_cmd_security_req *rp = (void *) skb->data;
403 struct smp_cmd_pairing cp;
404 struct hci_conn *hcon = conn->hcon;
405
406 BT_DBG("conn %p", conn);
407
408 if (test_bit(HCI_CONN_ENCRYPT_PEND, &hcon->pend))
409 return 0;
410
411 skb_pull(skb, sizeof(*rp));
412
413 memset(&cp, 0, sizeof(cp));
414 build_pairing_cmd(conn, &cp, rp->auth_req);
415
416 conn->preq[0] = SMP_CMD_PAIRING_REQ;
417 memcpy(&conn->preq[1], &cp, sizeof(cp));
418
419 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
420
421 mod_timer(&conn->security_timer, jiffies +
422 msecs_to_jiffies(SMP_TIMEOUT));
423
424 set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->pend);
425
426 return 0;
427}
428
429int smp_conn_security(struct l2cap_conn *conn, __u8 sec_level)
430{
431 struct hci_conn *hcon = conn->hcon;
432 __u8 authreq;
433
434 BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
435
436 if (IS_ERR(hcon->hdev->tfm))
437 return 1;
438
439 if (test_bit(HCI_CONN_ENCRYPT_PEND, &hcon->pend))
440 return 0;
441
442 if (sec_level == BT_SECURITY_LOW)
443 return 1;
444
445 if (hcon->sec_level >= sec_level)
446 return 1;
447
448 authreq = seclevel_to_authreq(sec_level);
449
450 if (hcon->link_mode & HCI_LM_MASTER) {
451 struct smp_cmd_pairing cp;
452
453 build_pairing_cmd(conn, &cp, authreq);
454 conn->preq[0] = SMP_CMD_PAIRING_REQ;
455 memcpy(&conn->preq[1], &cp, sizeof(cp));
456
457 mod_timer(&conn->security_timer, jiffies +
458 msecs_to_jiffies(SMP_TIMEOUT));
459
460 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
461 } else {
462 struct smp_cmd_security_req cp;
463 cp.auth_req = authreq;
464 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
465 }
466
467 hcon->pending_sec_level = sec_level;
468 set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->pend);
469
470 return 0;
471}
472
473int smp_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb)
474{
475 __u8 code = skb->data[0];
476 __u8 reason;
477 int err = 0;
478
479 if (IS_ERR(conn->hcon->hdev->tfm)) {
480 err = PTR_ERR(conn->hcon->hdev->tfm);
481 reason = SMP_PAIRING_NOTSUPP;
482 goto done;
483 }
484
485 skb_pull(skb, sizeof(code));
486
487 switch (code) {
488 case SMP_CMD_PAIRING_REQ:
489 reason = smp_cmd_pairing_req(conn, skb);
490 break;
491
492 case SMP_CMD_PAIRING_FAIL:
493 reason = 0;
494 err = -EPERM;
495 break;
496
497 case SMP_CMD_PAIRING_RSP:
498 reason = smp_cmd_pairing_rsp(conn, skb);
499 break;
500
501 case SMP_CMD_SECURITY_REQ:
502 reason = smp_cmd_security_req(conn, skb);
503 break;
504
505 case SMP_CMD_PAIRING_CONFIRM:
506 reason = smp_cmd_pairing_confirm(conn, skb);
507 break;
508
509 case SMP_CMD_PAIRING_RANDOM:
510 reason = smp_cmd_pairing_random(conn, skb);
511 break;
512
513 case SMP_CMD_ENCRYPT_INFO:
514 case SMP_CMD_MASTER_IDENT:
515 case SMP_CMD_IDENT_INFO:
516 case SMP_CMD_IDENT_ADDR_INFO:
517 case SMP_CMD_SIGN_INFO:
518 default:
519 BT_DBG("Unknown command code 0x%2.2x", code);
520
521 reason = SMP_CMD_NOTSUPP;
522 err = -EOPNOTSUPP;
523 goto done;
524 }
525
526done:
527 if (reason)
528 smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
529 &reason);
530
531 kfree_skb(skb);
532 return err;
533}
generated by cgit v1.2.2 (git 2.25.0) at 2024-09-29 13:33:24 -0400