aboutsummaryrefslogtreecommitdiffstats
path: root/net/bluetooth
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@linux-foundation.org>2011-05-20 16:43:21 -0400
committerLinus Torvalds <torvalds@linux-foundation.org>2011-05-20 16:43:21 -0400
commit06f4e926d256d902dd9a53dcb400fd74974ce087 (patch)
tree0b438b67f5f0eff6fd617bc497a9dace6164a488 /net/bluetooth
parent8e7bfcbab3825d1b404d615cb1b54f44ff81f981 (diff)
parentd93515611bbc70c2fe4db232e5feb448ed8e4cc9 (diff)
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6: (1446 commits) macvlan: fix panic if lowerdev in a bond tg3: Add braces around 5906 workaround. tg3: Fix NETIF_F_LOOPBACK error macvlan: remove one synchronize_rcu() call networking: NET_CLS_ROUTE4 depends on INET irda: Fix error propagation in ircomm_lmp_connect_response() irda: Kill set but unused variable 'bytes' in irlan_check_command_param() irda: Kill set but unused variable 'clen' in ircomm_connect_indication() rxrpc: Fix set but unused variable 'usage' in rxrpc_get_transport() be2net: Kill set but unused variable 'req' in lancer_fw_download() irda: Kill set but unused vars 'saddr' and 'daddr' in irlan_provider_connect_indication() atl1c: atl1c_resume() is only used when CONFIG_PM_SLEEP is defined. rxrpc: Fix set but unused variable 'usage' in rxrpc_get_peer(). rxrpc: Kill set but unused variable 'local' in rxrpc_UDP_error_handler() rxrpc: Kill set but unused variable 'sp' in rxrpc_process_connection() rxrpc: Kill set but unused variable 'sp' in rxrpc_rotate_tx_window() pkt_sched: Kill set but unused variable 'protocol' in tc_classify() isdn: capi: Use pr_debug() instead of ifdefs. tg3: Update version to 3.119 tg3: Apply rx_discards fix to 5719/5720 ... Fix up trivial conflicts in arch/x86/Kconfig and net/mac80211/agg-tx.c as per Davem.
Diffstat (limited to 'net/bluetooth')
-rw-r--r--net/bluetooth/bnep/bnep.h148
-rw-r--r--net/bluetooth/bnep/core.c71
-rw-r--r--net/bluetooth/bnep/sock.c2
-rw-r--r--net/bluetooth/cmtp/capi.c6
-rw-r--r--net/bluetooth/cmtp/cmtp.h11
-rw-r--r--net/bluetooth/cmtp/core.c28
-rw-r--r--net/bluetooth/cmtp/sock.c2
-rw-r--r--net/bluetooth/hci_conn.c95
-rw-r--r--net/bluetooth/hci_core.c154
-rw-r--r--net/bluetooth/hci_event.c267
-rw-r--r--net/bluetooth/hci_sysfs.c71
-rw-r--r--net/bluetooth/hidp/core.c96
-rw-r--r--net/bluetooth/hidp/hidp.h6
-rw-r--r--net/bluetooth/hidp/sock.c7
-rw-r--r--net/bluetooth/l2cap_core.c1966
-rw-r--r--net/bluetooth/l2cap_sock.c330
-rw-r--r--net/bluetooth/mgmt.c612
-rw-r--r--net/bluetooth/rfcomm/core.c23
-rw-r--r--net/bluetooth/rfcomm/sock.c5
19 files changed, 2492 insertions, 1408 deletions
diff --git a/net/bluetooth/bnep/bnep.h b/net/bluetooth/bnep/bnep.h
index 70672544db86..8e6c06158f8e 100644
--- a/net/bluetooth/bnep/bnep.h
+++ b/net/bluetooth/bnep/bnep.h
@@ -23,88 +23,88 @@
23#include <linux/crc32.h> 23#include <linux/crc32.h>
24#include <net/bluetooth/bluetooth.h> 24#include <net/bluetooth/bluetooth.h>
25 25
26// Limits 26/* Limits */
27#define BNEP_MAX_PROTO_FILTERS 5 27#define BNEP_MAX_PROTO_FILTERS 5
28#define BNEP_MAX_MULTICAST_FILTERS 20 28#define BNEP_MAX_MULTICAST_FILTERS 20
29 29
30// UUIDs 30/* UUIDs */
31#define BNEP_BASE_UUID 0x0000000000001000800000805F9B34FB 31#define BNEP_BASE_UUID 0x0000000000001000800000805F9B34FB
32#define BNEP_UUID16 0x02 32#define BNEP_UUID16 0x02
33#define BNEP_UUID32 0x04 33#define BNEP_UUID32 0x04
34#define BNEP_UUID128 0x16 34#define BNEP_UUID128 0x16
35 35
36#define BNEP_SVC_PANU 0x1115 36#define BNEP_SVC_PANU 0x1115
37#define BNEP_SVC_NAP 0x1116 37#define BNEP_SVC_NAP 0x1116
38#define BNEP_SVC_GN 0x1117 38#define BNEP_SVC_GN 0x1117
39 39
40// Packet types 40/* Packet types */
41#define BNEP_GENERAL 0x00 41#define BNEP_GENERAL 0x00
42#define BNEP_CONTROL 0x01 42#define BNEP_CONTROL 0x01
43#define BNEP_COMPRESSED 0x02 43#define BNEP_COMPRESSED 0x02
44#define BNEP_COMPRESSED_SRC_ONLY 0x03 44#define BNEP_COMPRESSED_SRC_ONLY 0x03
45#define BNEP_COMPRESSED_DST_ONLY 0x04 45#define BNEP_COMPRESSED_DST_ONLY 0x04
46 46
47// Control types 47/* Control types */
48#define BNEP_CMD_NOT_UNDERSTOOD 0x00 48#define BNEP_CMD_NOT_UNDERSTOOD 0x00
49#define BNEP_SETUP_CONN_REQ 0x01 49#define BNEP_SETUP_CONN_REQ 0x01
50#define BNEP_SETUP_CONN_RSP 0x02 50#define BNEP_SETUP_CONN_RSP 0x02
51#define BNEP_FILTER_NET_TYPE_SET 0x03 51#define BNEP_FILTER_NET_TYPE_SET 0x03
52#define BNEP_FILTER_NET_TYPE_RSP 0x04 52#define BNEP_FILTER_NET_TYPE_RSP 0x04
53#define BNEP_FILTER_MULTI_ADDR_SET 0x05 53#define BNEP_FILTER_MULTI_ADDR_SET 0x05
54#define BNEP_FILTER_MULTI_ADDR_RSP 0x06 54#define BNEP_FILTER_MULTI_ADDR_RSP 0x06
55 55
56// Extension types 56/* Extension types */
57#define BNEP_EXT_CONTROL 0x00 57#define BNEP_EXT_CONTROL 0x00
58 58
59// Response messages 59/* Response messages */
60#define BNEP_SUCCESS 0x00 60#define BNEP_SUCCESS 0x00
61 61
62#define BNEP_CONN_INVALID_DST 0x01 62#define BNEP_CONN_INVALID_DST 0x01
63#define BNEP_CONN_INVALID_SRC 0x02 63#define BNEP_CONN_INVALID_SRC 0x02
64#define BNEP_CONN_INVALID_SVC 0x03 64#define BNEP_CONN_INVALID_SVC 0x03
65#define BNEP_CONN_NOT_ALLOWED 0x04 65#define BNEP_CONN_NOT_ALLOWED 0x04
66 66
67#define BNEP_FILTER_UNSUPPORTED_REQ 0x01 67#define BNEP_FILTER_UNSUPPORTED_REQ 0x01
68#define BNEP_FILTER_INVALID_RANGE 0x02 68#define BNEP_FILTER_INVALID_RANGE 0x02
69#define BNEP_FILTER_INVALID_MCADDR 0x02 69#define BNEP_FILTER_INVALID_MCADDR 0x02
70#define BNEP_FILTER_LIMIT_REACHED 0x03 70#define BNEP_FILTER_LIMIT_REACHED 0x03
71#define BNEP_FILTER_DENIED_SECURITY 0x04 71#define BNEP_FILTER_DENIED_SECURITY 0x04
72 72
73// L2CAP settings 73/* L2CAP settings */
74#define BNEP_MTU 1691 74#define BNEP_MTU 1691
75#define BNEP_PSM 0x0f 75#define BNEP_PSM 0x0f
76#define BNEP_FLUSH_TO 0xffff 76#define BNEP_FLUSH_TO 0xffff
77#define BNEP_CONNECT_TO 15 77#define BNEP_CONNECT_TO 15
78#define BNEP_FILTER_TO 15 78#define BNEP_FILTER_TO 15
79 79
80// Headers 80/* Headers */
81#define BNEP_TYPE_MASK 0x7f 81#define BNEP_TYPE_MASK 0x7f
82#define BNEP_EXT_HEADER 0x80 82#define BNEP_EXT_HEADER 0x80
83 83
84struct bnep_setup_conn_req { 84struct bnep_setup_conn_req {
85 __u8 type; 85 __u8 type;
86 __u8 ctrl; 86 __u8 ctrl;
87 __u8 uuid_size; 87 __u8 uuid_size;
88 __u8 service[0]; 88 __u8 service[0];
89} __packed; 89} __packed;
90 90
91struct bnep_set_filter_req { 91struct bnep_set_filter_req {
92 __u8 type; 92 __u8 type;
93 __u8 ctrl; 93 __u8 ctrl;
94 __be16 len; 94 __be16 len;
95 __u8 list[0]; 95 __u8 list[0];
96} __packed; 96} __packed;
97 97
98struct bnep_control_rsp { 98struct bnep_control_rsp {
99 __u8 type; 99 __u8 type;
100 __u8 ctrl; 100 __u8 ctrl;
101 __be16 resp; 101 __be16 resp;
102} __packed; 102} __packed;
103 103
104struct bnep_ext_hdr { 104struct bnep_ext_hdr {
105 __u8 type; 105 __u8 type;
106 __u8 len; 106 __u8 len;
107 __u8 data[0]; 107 __u8 data[0];
108} __packed; 108} __packed;
109 109
110/* BNEP ioctl defines */ 110/* BNEP ioctl defines */
@@ -114,10 +114,10 @@ struct bnep_ext_hdr {
114#define BNEPGETCONNINFO _IOR('B', 211, int) 114#define BNEPGETCONNINFO _IOR('B', 211, int)
115 115
116struct bnep_connadd_req { 116struct bnep_connadd_req {
117 int sock; // Connected socket 117 int sock; /* Connected socket */
118 __u32 flags; 118 __u32 flags;
119 __u16 role; 119 __u16 role;
120 char device[16]; // Name of the Ethernet device 120 char device[16]; /* Name of the Ethernet device */
121}; 121};
122 122
123struct bnep_conndel_req { 123struct bnep_conndel_req {
@@ -148,14 +148,14 @@ int bnep_del_connection(struct bnep_conndel_req *req);
148int bnep_get_connlist(struct bnep_connlist_req *req); 148int bnep_get_connlist(struct bnep_connlist_req *req);
149int bnep_get_conninfo(struct bnep_conninfo *ci); 149int bnep_get_conninfo(struct bnep_conninfo *ci);
150 150
151// BNEP sessions 151/* BNEP sessions */
152struct bnep_session { 152struct bnep_session {
153 struct list_head list; 153 struct list_head list;
154 154
155 unsigned int role; 155 unsigned int role;
156 unsigned long state; 156 unsigned long state;
157 unsigned long flags; 157 unsigned long flags;
158 atomic_t killed; 158 struct task_struct *task;
159 159
160 struct ethhdr eh; 160 struct ethhdr eh;
161 struct msghdr msg; 161 struct msghdr msg;
@@ -173,7 +173,7 @@ void bnep_sock_cleanup(void);
173 173
174static inline int bnep_mc_hash(__u8 *addr) 174static inline int bnep_mc_hash(__u8 *addr)
175{ 175{
176 return (crc32_be(~0, addr, ETH_ALEN) >> 26); 176 return crc32_be(~0, addr, ETH_ALEN) >> 26;
177} 177}
178 178
179#endif 179#endif
diff --git a/net/bluetooth/bnep/core.c b/net/bluetooth/bnep/core.c
index 03d4d1245d58..ca39fcf010ce 100644
--- a/net/bluetooth/bnep/core.c
+++ b/net/bluetooth/bnep/core.c
@@ -36,6 +36,7 @@
36#include <linux/errno.h> 36#include <linux/errno.h>
37#include <linux/net.h> 37#include <linux/net.h>
38#include <linux/slab.h> 38#include <linux/slab.h>
39#include <linux/kthread.h>
39#include <net/sock.h> 40#include <net/sock.h>
40 41
41#include <linux/socket.h> 42#include <linux/socket.h>
@@ -131,7 +132,8 @@ static int bnep_ctrl_set_netfilter(struct bnep_session *s, __be16 *data, int len
131 return -EILSEQ; 132 return -EILSEQ;
132 133
133 n = get_unaligned_be16(data); 134 n = get_unaligned_be16(data);
134 data++; len -= 2; 135 data++;
136 len -= 2;
135 137
136 if (len < n) 138 if (len < n)
137 return -EILSEQ; 139 return -EILSEQ;
@@ -176,7 +178,8 @@ static int bnep_ctrl_set_mcfilter(struct bnep_session *s, u8 *data, int len)
176 return -EILSEQ; 178 return -EILSEQ;
177 179
178 n = get_unaligned_be16(data); 180 n = get_unaligned_be16(data);
179 data += 2; len -= 2; 181 data += 2;
182 len -= 2;
180 183
181 if (len < n) 184 if (len < n)
182 return -EILSEQ; 185 return -EILSEQ;
@@ -187,6 +190,8 @@ static int bnep_ctrl_set_mcfilter(struct bnep_session *s, u8 *data, int len)
187 n /= (ETH_ALEN * 2); 190 n /= (ETH_ALEN * 2);
188 191
189 if (n > 0) { 192 if (n > 0) {
193 int i;
194
190 s->mc_filter = 0; 195 s->mc_filter = 0;
191 196
192 /* Always send broadcast */ 197 /* Always send broadcast */
@@ -196,18 +201,22 @@ static int bnep_ctrl_set_mcfilter(struct bnep_session *s, u8 *data, int len)
196 for (; n > 0; n--) { 201 for (; n > 0; n--) {
197 u8 a1[6], *a2; 202 u8 a1[6], *a2;
198 203
199 memcpy(a1, data, ETH_ALEN); data += ETH_ALEN; 204 memcpy(a1, data, ETH_ALEN);
200 a2 = data; data += ETH_ALEN; 205 data += ETH_ALEN;
206 a2 = data;
207 data += ETH_ALEN;
201 208
202 BT_DBG("mc filter %s -> %s", 209 BT_DBG("mc filter %s -> %s",
203 batostr((void *) a1), batostr((void *) a2)); 210 batostr((void *) a1), batostr((void *) a2));
204 211
205 #define INCA(a) { int i = 5; while (i >=0 && ++a[i--] == 0); }
206
207 /* Iterate from a1 to a2 */ 212 /* Iterate from a1 to a2 */
208 set_bit(bnep_mc_hash(a1), (ulong *) &s->mc_filter); 213 set_bit(bnep_mc_hash(a1), (ulong *) &s->mc_filter);
209 while (memcmp(a1, a2, 6) < 0 && s->mc_filter != ~0LL) { 214 while (memcmp(a1, a2, 6) < 0 && s->mc_filter != ~0LL) {
210 INCA(a1); 215 /* Increment a1 */
216 i = 5;
217 while (i >= 0 && ++a1[i--] == 0)
218 ;
219
211 set_bit(bnep_mc_hash(a1), (ulong *) &s->mc_filter); 220 set_bit(bnep_mc_hash(a1), (ulong *) &s->mc_filter);
212 } 221 }
213 } 222 }
@@ -227,7 +236,8 @@ static int bnep_rx_control(struct bnep_session *s, void *data, int len)
227 u8 cmd = *(u8 *)data; 236 u8 cmd = *(u8 *)data;
228 int err = 0; 237 int err = 0;
229 238
230 data++; len--; 239 data++;
240 len--;
231 241
232 switch (cmd) { 242 switch (cmd) {
233 case BNEP_CMD_NOT_UNDERSTOOD: 243 case BNEP_CMD_NOT_UNDERSTOOD:
@@ -302,7 +312,6 @@ static u8 __bnep_rx_hlen[] = {
302 ETH_ALEN + 2, /* BNEP_COMPRESSED_SRC_ONLY */ 312 ETH_ALEN + 2, /* BNEP_COMPRESSED_SRC_ONLY */
303 ETH_ALEN + 2 /* BNEP_COMPRESSED_DST_ONLY */ 313 ETH_ALEN + 2 /* BNEP_COMPRESSED_DST_ONLY */
304}; 314};
305#define BNEP_RX_TYPES (sizeof(__bnep_rx_hlen) - 1)
306 315
307static inline int bnep_rx_frame(struct bnep_session *s, struct sk_buff *skb) 316static inline int bnep_rx_frame(struct bnep_session *s, struct sk_buff *skb)
308{ 317{
@@ -312,9 +321,10 @@ static inline int bnep_rx_frame(struct bnep_session *s, struct sk_buff *skb)
312 321
313 dev->stats.rx_bytes += skb->len; 322 dev->stats.rx_bytes += skb->len;
314 323
315 type = *(u8 *) skb->data; skb_pull(skb, 1); 324 type = *(u8 *) skb->data;
325 skb_pull(skb, 1);
316 326
317 if ((type & BNEP_TYPE_MASK) > BNEP_RX_TYPES) 327 if ((type & BNEP_TYPE_MASK) >= sizeof(__bnep_rx_hlen))
318 goto badframe; 328 goto badframe;
319 329
320 if ((type & BNEP_TYPE_MASK) == BNEP_CONTROL) { 330 if ((type & BNEP_TYPE_MASK) == BNEP_CONTROL) {
@@ -367,14 +377,14 @@ static inline int bnep_rx_frame(struct bnep_session *s, struct sk_buff *skb)
367 377
368 case BNEP_COMPRESSED_DST_ONLY: 378 case BNEP_COMPRESSED_DST_ONLY:
369 memcpy(__skb_put(nskb, ETH_ALEN), skb_mac_header(skb), 379 memcpy(__skb_put(nskb, ETH_ALEN), skb_mac_header(skb),
370 ETH_ALEN); 380 ETH_ALEN);
371 memcpy(__skb_put(nskb, ETH_ALEN + 2), s->eh.h_source, 381 memcpy(__skb_put(nskb, ETH_ALEN + 2), s->eh.h_source,
372 ETH_ALEN + 2); 382 ETH_ALEN + 2);
373 break; 383 break;
374 384
375 case BNEP_GENERAL: 385 case BNEP_GENERAL:
376 memcpy(__skb_put(nskb, ETH_ALEN * 2), skb_mac_header(skb), 386 memcpy(__skb_put(nskb, ETH_ALEN * 2), skb_mac_header(skb),
377 ETH_ALEN * 2); 387 ETH_ALEN * 2);
378 put_unaligned(s->eh.h_proto, (__be16 *) __skb_put(nskb, 2)); 388 put_unaligned(s->eh.h_proto, (__be16 *) __skb_put(nskb, 2));
379 break; 389 break;
380 } 390 }
@@ -470,15 +480,14 @@ static int bnep_session(void *arg)
470 480
471 BT_DBG(""); 481 BT_DBG("");
472 482
473 daemonize("kbnepd %s", dev->name);
474 set_user_nice(current, -15); 483 set_user_nice(current, -15);
475 484
476 init_waitqueue_entry(&wait, current); 485 init_waitqueue_entry(&wait, current);
477 add_wait_queue(sk_sleep(sk), &wait); 486 add_wait_queue(sk_sleep(sk), &wait);
478 while (!atomic_read(&s->killed)) { 487 while (!kthread_should_stop()) {
479 set_current_state(TASK_INTERRUPTIBLE); 488 set_current_state(TASK_INTERRUPTIBLE);
480 489
481 // RX 490 /* RX */
482 while ((skb = skb_dequeue(&sk->sk_receive_queue))) { 491 while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
483 skb_orphan(skb); 492 skb_orphan(skb);
484 bnep_rx_frame(s, skb); 493 bnep_rx_frame(s, skb);
@@ -487,7 +496,7 @@ static int bnep_session(void *arg)
487 if (sk->sk_state != BT_CONNECTED) 496 if (sk->sk_state != BT_CONNECTED)
488 break; 497 break;
489 498
490 // TX 499 /* TX */
491 while ((skb = skb_dequeue(&sk->sk_write_queue))) 500 while ((skb = skb_dequeue(&sk->sk_write_queue)))
492 if (bnep_tx_frame(s, skb)) 501 if (bnep_tx_frame(s, skb))
493 break; 502 break;
@@ -555,8 +564,8 @@ int bnep_add_connection(struct bnep_connadd_req *req, struct socket *sock)
555 564
556 /* session struct allocated as private part of net_device */ 565 /* session struct allocated as private part of net_device */
557 dev = alloc_netdev(sizeof(struct bnep_session), 566 dev = alloc_netdev(sizeof(struct bnep_session),
558 (*req->device) ? req->device : "bnep%d", 567 (*req->device) ? req->device : "bnep%d",
559 bnep_net_setup); 568 bnep_net_setup);
560 if (!dev) 569 if (!dev)
561 return -ENOMEM; 570 return -ENOMEM;
562 571
@@ -571,7 +580,7 @@ int bnep_add_connection(struct bnep_connadd_req *req, struct socket *sock)
571 s = netdev_priv(dev); 580 s = netdev_priv(dev);
572 581
573 /* This is rx header therefore addresses are swapped. 582 /* This is rx header therefore addresses are swapped.
574 * ie eh.h_dest is our local address. */ 583 * ie. eh.h_dest is our local address. */
575 memcpy(s->eh.h_dest, &src, ETH_ALEN); 584 memcpy(s->eh.h_dest, &src, ETH_ALEN);
576 memcpy(s->eh.h_source, &dst, ETH_ALEN); 585 memcpy(s->eh.h_source, &dst, ETH_ALEN);
577 memcpy(dev->dev_addr, s->eh.h_dest, ETH_ALEN); 586 memcpy(dev->dev_addr, s->eh.h_dest, ETH_ALEN);
@@ -597,17 +606,17 @@ int bnep_add_connection(struct bnep_connadd_req *req, struct socket *sock)
597 SET_NETDEV_DEVTYPE(dev, &bnep_type); 606 SET_NETDEV_DEVTYPE(dev, &bnep_type);
598 607
599 err = register_netdev(dev); 608 err = register_netdev(dev);
600 if (err) { 609 if (err)
601 goto failed; 610 goto failed;
602 }
603 611
604 __bnep_link_session(s); 612 __bnep_link_session(s);
605 613
606 err = kernel_thread(bnep_session, s, CLONE_KERNEL); 614 s->task = kthread_run(bnep_session, s, "kbnepd %s", dev->name);
607 if (err < 0) { 615 if (IS_ERR(s->task)) {
608 /* Session thread start failed, gotta cleanup. */ 616 /* Session thread start failed, gotta cleanup. */
609 unregister_netdev(dev); 617 unregister_netdev(dev);
610 __bnep_unlink_session(s); 618 __bnep_unlink_session(s);
619 err = PTR_ERR(s->task);
611 goto failed; 620 goto failed;
612 } 621 }
613 622
@@ -631,15 +640,9 @@ int bnep_del_connection(struct bnep_conndel_req *req)
631 down_read(&bnep_session_sem); 640 down_read(&bnep_session_sem);
632 641
633 s = __bnep_get_session(req->dst); 642 s = __bnep_get_session(req->dst);
634 if (s) { 643 if (s)
635 /* Wakeup user-space which is polling for socket errors. 644 kthread_stop(s->task);
636 * This is temporary hack until we have shutdown in L2CAP */ 645 else
637 s->sock->sk->sk_err = EUNATCH;
638
639 /* Kill session thread */
640 atomic_inc(&s->killed);
641 wake_up_interruptible(sk_sleep(s->sock->sk));
642 } else
643 err = -ENOENT; 646 err = -ENOENT;
644 647
645 up_read(&bnep_session_sem); 648 up_read(&bnep_session_sem);
diff --git a/net/bluetooth/bnep/sock.c b/net/bluetooth/bnep/sock.c
index d935da71ab3b..17800b1d28ea 100644
--- a/net/bluetooth/bnep/sock.c
+++ b/net/bluetooth/bnep/sock.c
@@ -39,10 +39,10 @@
39#include <linux/init.h> 39#include <linux/init.h>
40#include <linux/compat.h> 40#include <linux/compat.h>
41#include <linux/gfp.h> 41#include <linux/gfp.h>
42#include <linux/uaccess.h>
42#include <net/sock.h> 43#include <net/sock.h>
43 44
44#include <asm/system.h> 45#include <asm/system.h>
45#include <asm/uaccess.h>
46 46
47#include "bnep.h" 47#include "bnep.h"
48 48
diff --git a/net/bluetooth/cmtp/capi.c b/net/bluetooth/cmtp/capi.c
index 67cff810c77d..744233cba244 100644
--- a/net/bluetooth/cmtp/capi.c
+++ b/net/bluetooth/cmtp/capi.c
@@ -35,6 +35,7 @@
35#include <linux/ioctl.h> 35#include <linux/ioctl.h>
36#include <linux/file.h> 36#include <linux/file.h>
37#include <linux/wait.h> 37#include <linux/wait.h>
38#include <linux/kthread.h>
38#include <net/sock.h> 39#include <net/sock.h>
39 40
40#include <linux/isdn/capilli.h> 41#include <linux/isdn/capilli.h>
@@ -143,7 +144,7 @@ static void cmtp_send_capimsg(struct cmtp_session *session, struct sk_buff *skb)
143 144
144 skb_queue_tail(&session->transmit, skb); 145 skb_queue_tail(&session->transmit, skb);
145 146
146 cmtp_schedule(session); 147 wake_up_interruptible(sk_sleep(session->sock->sk));
147} 148}
148 149
149static void cmtp_send_interopmsg(struct cmtp_session *session, 150static void cmtp_send_interopmsg(struct cmtp_session *session,
@@ -386,8 +387,7 @@ static void cmtp_reset_ctr(struct capi_ctr *ctrl)
386 387
387 capi_ctr_down(ctrl); 388 capi_ctr_down(ctrl);
388 389
389 atomic_inc(&session->terminate); 390 kthread_stop(session->task);
390 cmtp_schedule(session);
391} 391}
392 392
393static void cmtp_register_appl(struct capi_ctr *ctrl, __u16 appl, capi_register_params *rp) 393static void cmtp_register_appl(struct capi_ctr *ctrl, __u16 appl, capi_register_params *rp)
diff --git a/net/bluetooth/cmtp/cmtp.h b/net/bluetooth/cmtp/cmtp.h
index 785e79e953c5..db43b54ac9af 100644
--- a/net/bluetooth/cmtp/cmtp.h
+++ b/net/bluetooth/cmtp/cmtp.h
@@ -37,7 +37,7 @@
37#define CMTP_LOOPBACK 0 37#define CMTP_LOOPBACK 0
38 38
39struct cmtp_connadd_req { 39struct cmtp_connadd_req {
40 int sock; // Connected socket 40 int sock; /* Connected socket */
41 __u32 flags; 41 __u32 flags;
42}; 42};
43 43
@@ -81,7 +81,7 @@ struct cmtp_session {
81 81
82 char name[BTNAMSIZ]; 82 char name[BTNAMSIZ];
83 83
84 atomic_t terminate; 84 struct task_struct *task;
85 85
86 wait_queue_head_t wait; 86 wait_queue_head_t wait;
87 87
@@ -121,13 +121,6 @@ void cmtp_detach_device(struct cmtp_session *session);
121 121
122void cmtp_recv_capimsg(struct cmtp_session *session, struct sk_buff *skb); 122void cmtp_recv_capimsg(struct cmtp_session *session, struct sk_buff *skb);
123 123
124static inline void cmtp_schedule(struct cmtp_session *session)
125{
126 struct sock *sk = session->sock->sk;
127
128 wake_up_interruptible(sk_sleep(sk));
129}
130
131/* CMTP init defines */ 124/* CMTP init defines */
132int cmtp_init_sockets(void); 125int cmtp_init_sockets(void);
133void cmtp_cleanup_sockets(void); 126void cmtp_cleanup_sockets(void);
diff --git a/net/bluetooth/cmtp/core.c b/net/bluetooth/cmtp/core.c
index 964ea9126f9f..c5b11af908be 100644
--- a/net/bluetooth/cmtp/core.c
+++ b/net/bluetooth/cmtp/core.c
@@ -35,6 +35,7 @@
35#include <linux/ioctl.h> 35#include <linux/ioctl.h>
36#include <linux/file.h> 36#include <linux/file.h>
37#include <linux/init.h> 37#include <linux/init.h>
38#include <linux/kthread.h>
38#include <net/sock.h> 39#include <net/sock.h>
39 40
40#include <linux/isdn/capilli.h> 41#include <linux/isdn/capilli.h>
@@ -235,9 +236,12 @@ static void cmtp_process_transmit(struct cmtp_session *session)
235 236
236 size = min_t(uint, ((tail < 258) ? (tail - 2) : (tail - 3)), skb->len); 237 size = min_t(uint, ((tail < 258) ? (tail - 2) : (tail - 3)), skb->len);
237 238
238 if ((scb->id < 0) && ((scb->id = cmtp_alloc_block_id(session)) < 0)) { 239 if (scb->id < 0) {
239 skb_queue_head(&session->transmit, skb); 240 scb->id = cmtp_alloc_block_id(session);
240 break; 241 if (scb->id < 0) {
242 skb_queue_head(&session->transmit, skb);
243 break;
244 }
241 } 245 }
242 246
243 if (size < 256) { 247 if (size < 256) {
@@ -284,12 +288,11 @@ static int cmtp_session(void *arg)
284 288
285 BT_DBG("session %p", session); 289 BT_DBG("session %p", session);
286 290
287 daemonize("kcmtpd_ctr_%d", session->num);
288 set_user_nice(current, -15); 291 set_user_nice(current, -15);
289 292
290 init_waitqueue_entry(&wait, current); 293 init_waitqueue_entry(&wait, current);
291 add_wait_queue(sk_sleep(sk), &wait); 294 add_wait_queue(sk_sleep(sk), &wait);
292 while (!atomic_read(&session->terminate)) { 295 while (!kthread_should_stop()) {
293 set_current_state(TASK_INTERRUPTIBLE); 296 set_current_state(TASK_INTERRUPTIBLE);
294 297
295 if (sk->sk_state != BT_CONNECTED) 298 if (sk->sk_state != BT_CONNECTED)
@@ -343,7 +346,8 @@ int cmtp_add_connection(struct cmtp_connadd_req *req, struct socket *sock)
343 346
344 bacpy(&session->bdaddr, &bt_sk(sock->sk)->dst); 347 bacpy(&session->bdaddr, &bt_sk(sock->sk)->dst);
345 348
346 session->mtu = min_t(uint, l2cap_pi(sock->sk)->omtu, l2cap_pi(sock->sk)->imtu); 349 session->mtu = min_t(uint, l2cap_pi(sock->sk)->chan->omtu,
350 l2cap_pi(sock->sk)->chan->imtu);
347 351
348 BT_DBG("mtu %d", session->mtu); 352 BT_DBG("mtu %d", session->mtu);
349 353
@@ -367,9 +371,12 @@ int cmtp_add_connection(struct cmtp_connadd_req *req, struct socket *sock)
367 371
368 __cmtp_link_session(session); 372 __cmtp_link_session(session);
369 373
370 err = kernel_thread(cmtp_session, session, CLONE_KERNEL); 374 session->task = kthread_run(cmtp_session, session, "kcmtpd_ctr_%d",
371 if (err < 0) 375 session->num);
376 if (IS_ERR(session->task)) {
377 err = PTR_ERR(session->task);
372 goto unlink; 378 goto unlink;
379 }
373 380
374 if (!(session->flags & (1 << CMTP_LOOPBACK))) { 381 if (!(session->flags & (1 << CMTP_LOOPBACK))) {
375 err = cmtp_attach_device(session); 382 err = cmtp_attach_device(session);
@@ -406,9 +413,8 @@ int cmtp_del_connection(struct cmtp_conndel_req *req)
406 /* Flush the transmit queue */ 413 /* Flush the transmit queue */
407 skb_queue_purge(&session->transmit); 414 skb_queue_purge(&session->transmit);
408 415
409 /* Kill session thread */ 416 /* Stop session thread */
410 atomic_inc(&session->terminate); 417 kthread_stop(session->task);
411 cmtp_schedule(session);
412 } else 418 } else
413 err = -ENOENT; 419 err = -ENOENT;
414 420
diff --git a/net/bluetooth/cmtp/sock.c b/net/bluetooth/cmtp/sock.c
index 7ea1979a8e4f..3f2dd5c25ae5 100644
--- a/net/bluetooth/cmtp/sock.c
+++ b/net/bluetooth/cmtp/sock.c
@@ -34,12 +34,12 @@
34#include <linux/file.h> 34#include <linux/file.h>
35#include <linux/compat.h> 35#include <linux/compat.h>
36#include <linux/gfp.h> 36#include <linux/gfp.h>
37#include <linux/uaccess.h>
37#include <net/sock.h> 38#include <net/sock.h>
38 39
39#include <linux/isdn/capilli.h> 40#include <linux/isdn/capilli.h>
40 41
41#include <asm/system.h> 42#include <asm/system.h>
42#include <asm/uaccess.h>
43 43
44#include "cmtp.h" 44#include "cmtp.h"
45 45
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 7a6f56b2f49d..3163330cd4f1 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -269,6 +269,19 @@ static void hci_conn_idle(unsigned long arg)
269 hci_conn_enter_sniff_mode(conn); 269 hci_conn_enter_sniff_mode(conn);
270} 270}
271 271
272static void hci_conn_auto_accept(unsigned long arg)
273{
274 struct hci_conn *conn = (void *) arg;
275 struct hci_dev *hdev = conn->hdev;
276
277 hci_dev_lock(hdev);
278
279 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY, sizeof(conn->dst),
280 &conn->dst);
281
282 hci_dev_unlock(hdev);
283}
284
272struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst) 285struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst)
273{ 286{
274 struct hci_conn *conn; 287 struct hci_conn *conn;
@@ -287,6 +300,7 @@ struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst)
287 conn->auth_type = HCI_AT_GENERAL_BONDING; 300 conn->auth_type = HCI_AT_GENERAL_BONDING;
288 conn->io_capability = hdev->io_capability; 301 conn->io_capability = hdev->io_capability;
289 conn->remote_auth = 0xff; 302 conn->remote_auth = 0xff;
303 conn->key_type = 0xff;
290 304
291 conn->power_save = 1; 305 conn->power_save = 1;
292 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 306 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
@@ -311,6 +325,8 @@ struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst)
311 325
312 setup_timer(&conn->disc_timer, hci_conn_timeout, (unsigned long)conn); 326 setup_timer(&conn->disc_timer, hci_conn_timeout, (unsigned long)conn);
313 setup_timer(&conn->idle_timer, hci_conn_idle, (unsigned long)conn); 327 setup_timer(&conn->idle_timer, hci_conn_idle, (unsigned long)conn);
328 setup_timer(&conn->auto_accept_timer, hci_conn_auto_accept,
329 (unsigned long) conn);
314 330
315 atomic_set(&conn->refcnt, 0); 331 atomic_set(&conn->refcnt, 0);
316 332
@@ -341,6 +357,8 @@ int hci_conn_del(struct hci_conn *conn)
341 357
342 del_timer(&conn->disc_timer); 358 del_timer(&conn->disc_timer);
343 359
360 del_timer(&conn->auto_accept_timer);
361
344 if (conn->type == ACL_LINK) { 362 if (conn->type == ACL_LINK) {
345 struct hci_conn *sco = conn->link; 363 struct hci_conn *sco = conn->link;
346 if (sco) 364 if (sco)
@@ -535,36 +553,93 @@ static int hci_conn_auth(struct hci_conn *conn, __u8 sec_level, __u8 auth_type)
535 return 0; 553 return 0;
536} 554}
537 555
556/* Encrypt the the link */
557static void hci_conn_encrypt(struct hci_conn *conn)
558{
559 BT_DBG("conn %p", conn);
560
561 if (!test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &conn->pend)) {
562 struct hci_cp_set_conn_encrypt cp;
563 cp.handle = cpu_to_le16(conn->handle);
564 cp.encrypt = 0x01;
565 hci_send_cmd(conn->hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
566 &cp);
567 }
568}
569
538/* Enable security */ 570/* Enable security */
539int hci_conn_security(struct hci_conn *conn, __u8 sec_level, __u8 auth_type) 571int hci_conn_security(struct hci_conn *conn, __u8 sec_level, __u8 auth_type)
540{ 572{
541 BT_DBG("conn %p", conn); 573 BT_DBG("conn %p", conn);
542 574
575 /* For sdp we don't need the link key. */
543 if (sec_level == BT_SECURITY_SDP) 576 if (sec_level == BT_SECURITY_SDP)
544 return 1; 577 return 1;
545 578
579 /* For non 2.1 devices and low security level we don't need the link
580 key. */
546 if (sec_level == BT_SECURITY_LOW && 581 if (sec_level == BT_SECURITY_LOW &&
547 (!conn->ssp_mode || !conn->hdev->ssp_mode)) 582 (!conn->ssp_mode || !conn->hdev->ssp_mode))
548 return 1; 583 return 1;
549 584
550 if (conn->link_mode & HCI_LM_ENCRYPT) 585 /* For other security levels we need the link key. */
551 return hci_conn_auth(conn, sec_level, auth_type); 586 if (!(conn->link_mode & HCI_LM_AUTH))
552 587 goto auth;
588
589 /* An authenticated combination key has sufficient security for any
590 security level. */
591 if (conn->key_type == HCI_LK_AUTH_COMBINATION)
592 goto encrypt;
593
594 /* An unauthenticated combination key has sufficient security for
595 security level 1 and 2. */
596 if (conn->key_type == HCI_LK_UNAUTH_COMBINATION &&
597 (sec_level == BT_SECURITY_MEDIUM ||
598 sec_level == BT_SECURITY_LOW))
599 goto encrypt;
600
601 /* A combination key has always sufficient security for the security
602 levels 1 or 2. High security level requires the combination key
603 is generated using maximum PIN code length (16).
604 For pre 2.1 units. */
605 if (conn->key_type == HCI_LK_COMBINATION &&
606 (sec_level != BT_SECURITY_HIGH ||
607 conn->pin_length == 16))
608 goto encrypt;
609
610auth:
553 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &conn->pend)) 611 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &conn->pend))
554 return 0; 612 return 0;
555 613
556 if (hci_conn_auth(conn, sec_level, auth_type)) { 614 hci_conn_auth(conn, sec_level, auth_type);
557 struct hci_cp_set_conn_encrypt cp; 615 return 0;
558 cp.handle = cpu_to_le16(conn->handle); 616
559 cp.encrypt = 1; 617encrypt:
560 hci_send_cmd(conn->hdev, HCI_OP_SET_CONN_ENCRYPT, 618 if (conn->link_mode & HCI_LM_ENCRYPT)
561 sizeof(cp), &cp); 619 return 1;
562 }
563 620
621 hci_conn_encrypt(conn);
564 return 0; 622 return 0;
565} 623}
566EXPORT_SYMBOL(hci_conn_security); 624EXPORT_SYMBOL(hci_conn_security);
567 625
626/* Check secure link requirement */
627int hci_conn_check_secure(struct hci_conn *conn, __u8 sec_level)
628{
629 BT_DBG("conn %p", conn);
630
631 if (sec_level != BT_SECURITY_HIGH)
632 return 1; /* Accept if non-secure is required */
633
634 if (conn->key_type == HCI_LK_AUTH_COMBINATION ||
635 (conn->key_type == HCI_LK_COMBINATION &&
636 conn->pin_length == 16))
637 return 1;
638
639 return 0; /* Reject not secure link */
640}
641EXPORT_SYMBOL(hci_conn_check_secure);
642
568/* Change link key */ 643/* Change link key */
569int hci_conn_change_link_key(struct hci_conn *conn) 644int hci_conn_change_link_key(struct hci_conn *conn)
570{ 645{
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index b5a8afc2be33..815269b07f20 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -56,7 +56,6 @@
56static void hci_cmd_task(unsigned long arg); 56static void hci_cmd_task(unsigned long arg);
57static void hci_rx_task(unsigned long arg); 57static void hci_rx_task(unsigned long arg);
58static void hci_tx_task(unsigned long arg); 58static void hci_tx_task(unsigned long arg);
59static void hci_notify(struct hci_dev *hdev, int event);
60 59
61static DEFINE_RWLOCK(hci_task_lock); 60static DEFINE_RWLOCK(hci_task_lock);
62 61
@@ -1021,18 +1020,54 @@ struct link_key *hci_find_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr)
1021 return NULL; 1020 return NULL;
1022} 1021}
1023 1022
1024int hci_add_link_key(struct hci_dev *hdev, int new_key, bdaddr_t *bdaddr, 1023static int hci_persistent_key(struct hci_dev *hdev, struct hci_conn *conn,
1025 u8 *val, u8 type, u8 pin_len) 1024 u8 key_type, u8 old_key_type)
1025{
1026 /* Legacy key */
1027 if (key_type < 0x03)
1028 return 1;
1029
1030 /* Debug keys are insecure so don't store them persistently */
1031 if (key_type == HCI_LK_DEBUG_COMBINATION)
1032 return 0;
1033
1034 /* Changed combination key and there's no previous one */
1035 if (key_type == HCI_LK_CHANGED_COMBINATION && old_key_type == 0xff)
1036 return 0;
1037
1038 /* Security mode 3 case */
1039 if (!conn)
1040 return 1;
1041
1042 /* Neither local nor remote side had no-bonding as requirement */
1043 if (conn->auth_type > 0x01 && conn->remote_auth > 0x01)
1044 return 1;
1045
1046 /* Local side had dedicated bonding as requirement */
1047 if (conn->auth_type == 0x02 || conn->auth_type == 0x03)
1048 return 1;
1049
1050 /* Remote side had dedicated bonding as requirement */
1051 if (conn->remote_auth == 0x02 || conn->remote_auth == 0x03)
1052 return 1;
1053
1054 /* If none of the above criteria match, then don't store the key
1055 * persistently */
1056 return 0;
1057}
1058
1059int hci_add_link_key(struct hci_dev *hdev, struct hci_conn *conn, int new_key,
1060 bdaddr_t *bdaddr, u8 *val, u8 type, u8 pin_len)
1026{ 1061{
1027 struct link_key *key, *old_key; 1062 struct link_key *key, *old_key;
1028 u8 old_key_type; 1063 u8 old_key_type, persistent;
1029 1064
1030 old_key = hci_find_link_key(hdev, bdaddr); 1065 old_key = hci_find_link_key(hdev, bdaddr);
1031 if (old_key) { 1066 if (old_key) {
1032 old_key_type = old_key->type; 1067 old_key_type = old_key->type;
1033 key = old_key; 1068 key = old_key;
1034 } else { 1069 } else {
1035 old_key_type = 0xff; 1070 old_key_type = conn ? conn->key_type : 0xff;
1036 key = kzalloc(sizeof(*key), GFP_ATOMIC); 1071 key = kzalloc(sizeof(*key), GFP_ATOMIC);
1037 if (!key) 1072 if (!key)
1038 return -ENOMEM; 1073 return -ENOMEM;
@@ -1041,16 +1076,37 @@ int hci_add_link_key(struct hci_dev *hdev, int new_key, bdaddr_t *bdaddr,
1041 1076
1042 BT_DBG("%s key for %s type %u", hdev->name, batostr(bdaddr), type); 1077 BT_DBG("%s key for %s type %u", hdev->name, batostr(bdaddr), type);
1043 1078
1079 /* Some buggy controller combinations generate a changed
1080 * combination key for legacy pairing even when there's no
1081 * previous key */
1082 if (type == HCI_LK_CHANGED_COMBINATION &&
1083 (!conn || conn->remote_auth == 0xff) &&
1084 old_key_type == 0xff) {
1085 type = HCI_LK_COMBINATION;
1086 if (conn)
1087 conn->key_type = type;
1088 }
1089
1044 bacpy(&key->bdaddr, bdaddr); 1090 bacpy(&key->bdaddr, bdaddr);
1045 memcpy(key->val, val, 16); 1091 memcpy(key->val, val, 16);
1046 key->type = type;
1047 key->pin_len = pin_len; 1092 key->pin_len = pin_len;
1048 1093
1049 if (new_key) 1094 if (type == HCI_LK_CHANGED_COMBINATION)
1050 mgmt_new_key(hdev->id, key, old_key_type);
1051
1052 if (type == 0x06)
1053 key->type = old_key_type; 1095 key->type = old_key_type;
1096 else
1097 key->type = type;
1098
1099 if (!new_key)
1100 return 0;
1101
1102 persistent = hci_persistent_key(hdev, conn, type, old_key_type);
1103
1104 mgmt_new_key(hdev->id, key, persistent);
1105
1106 if (!persistent) {
1107 list_del(&key->list);
1108 kfree(key);
1109 }
1054 1110
1055 return 0; 1111 return 0;
1056} 1112}
@@ -1082,6 +1138,70 @@ static void hci_cmd_timer(unsigned long arg)
1082 tasklet_schedule(&hdev->cmd_task); 1138 tasklet_schedule(&hdev->cmd_task);
1083} 1139}
1084 1140
1141struct oob_data *hci_find_remote_oob_data(struct hci_dev *hdev,
1142 bdaddr_t *bdaddr)
1143{
1144 struct oob_data *data;
1145
1146 list_for_each_entry(data, &hdev->remote_oob_data, list)
1147 if (bacmp(bdaddr, &data->bdaddr) == 0)
1148 return data;
1149
1150 return NULL;
1151}
1152
1153int hci_remove_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr)
1154{
1155 struct oob_data *data;
1156
1157 data = hci_find_remote_oob_data(hdev, bdaddr);
1158 if (!data)
1159 return -ENOENT;
1160
1161 BT_DBG("%s removing %s", hdev->name, batostr(bdaddr));
1162
1163 list_del(&data->list);
1164 kfree(data);
1165
1166 return 0;
1167}
1168
1169int hci_remote_oob_data_clear(struct hci_dev *hdev)
1170{
1171 struct oob_data *data, *n;
1172
1173 list_for_each_entry_safe(data, n, &hdev->remote_oob_data, list) {
1174 list_del(&data->list);
1175 kfree(data);
1176 }
1177
1178 return 0;
1179}
1180
1181int hci_add_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 *hash,
1182 u8 *randomizer)
1183{
1184 struct oob_data *data;
1185
1186 data = hci_find_remote_oob_data(hdev, bdaddr);
1187
1188 if (!data) {
1189 data = kmalloc(sizeof(*data), GFP_ATOMIC);
1190 if (!data)
1191 return -ENOMEM;
1192
1193 bacpy(&data->bdaddr, bdaddr);
1194 list_add(&data->list, &hdev->remote_oob_data);
1195 }
1196
1197 memcpy(data->hash, hash, sizeof(data->hash));
1198 memcpy(data->randomizer, randomizer, sizeof(data->randomizer));
1199
1200 BT_DBG("%s for %s", hdev->name, batostr(bdaddr));
1201
1202 return 0;
1203}
1204
1085/* Register HCI device */ 1205/* Register HCI device */
1086int hci_register_dev(struct hci_dev *hdev) 1206int hci_register_dev(struct hci_dev *hdev)
1087{ 1207{
@@ -1146,6 +1266,8 @@ int hci_register_dev(struct hci_dev *hdev)
1146 1266
1147 INIT_LIST_HEAD(&hdev->link_keys); 1267 INIT_LIST_HEAD(&hdev->link_keys);
1148 1268
1269 INIT_LIST_HEAD(&hdev->remote_oob_data);
1270
1149 INIT_WORK(&hdev->power_on, hci_power_on); 1271 INIT_WORK(&hdev->power_on, hci_power_on);
1150 INIT_WORK(&hdev->power_off, hci_power_off); 1272 INIT_WORK(&hdev->power_off, hci_power_off);
1151 setup_timer(&hdev->off_timer, hci_auto_off, (unsigned long) hdev); 1273 setup_timer(&hdev->off_timer, hci_auto_off, (unsigned long) hdev);
@@ -1225,6 +1347,7 @@ int hci_unregister_dev(struct hci_dev *hdev)
1225 hci_blacklist_clear(hdev); 1347 hci_blacklist_clear(hdev);
1226 hci_uuids_clear(hdev); 1348 hci_uuids_clear(hdev);
1227 hci_link_keys_clear(hdev); 1349 hci_link_keys_clear(hdev);
1350 hci_remote_oob_data_clear(hdev);
1228 hci_dev_unlock_bh(hdev); 1351 hci_dev_unlock_bh(hdev);
1229 1352
1230 __hci_dev_put(hdev); 1353 __hci_dev_put(hdev);
@@ -1274,7 +1397,7 @@ int hci_recv_frame(struct sk_buff *skb)
1274EXPORT_SYMBOL(hci_recv_frame); 1397EXPORT_SYMBOL(hci_recv_frame);
1275 1398
1276static int hci_reassembly(struct hci_dev *hdev, int type, void *data, 1399static int hci_reassembly(struct hci_dev *hdev, int type, void *data,
1277 int count, __u8 index, gfp_t gfp_mask) 1400 int count, __u8 index)
1278{ 1401{
1279 int len = 0; 1402 int len = 0;
1280 int hlen = 0; 1403 int hlen = 0;
@@ -1304,7 +1427,7 @@ static int hci_reassembly(struct hci_dev *hdev, int type, void *data,
1304 break; 1427 break;
1305 } 1428 }
1306 1429
1307 skb = bt_skb_alloc(len, gfp_mask); 1430 skb = bt_skb_alloc(len, GFP_ATOMIC);
1308 if (!skb) 1431 if (!skb)
1309 return -ENOMEM; 1432 return -ENOMEM;
1310 1433
@@ -1390,8 +1513,7 @@ int hci_recv_fragment(struct hci_dev *hdev, int type, void *data, int count)
1390 return -EILSEQ; 1513 return -EILSEQ;
1391 1514
1392 while (count) { 1515 while (count) {
1393 rem = hci_reassembly(hdev, type, data, count, 1516 rem = hci_reassembly(hdev, type, data, count, type - 1);
1394 type - 1, GFP_ATOMIC);
1395 if (rem < 0) 1517 if (rem < 0)
1396 return rem; 1518 return rem;
1397 1519
@@ -1425,8 +1547,8 @@ int hci_recv_stream_fragment(struct hci_dev *hdev, void *data, int count)
1425 } else 1547 } else
1426 type = bt_cb(skb)->pkt_type; 1548 type = bt_cb(skb)->pkt_type;
1427 1549
1428 rem = hci_reassembly(hdev, type, data, 1550 rem = hci_reassembly(hdev, type, data, count,
1429 count, STREAM_REASSEMBLY, GFP_ATOMIC); 1551 STREAM_REASSEMBLY);
1430 if (rem < 0) 1552 if (rem < 0)
1431 return rem; 1553 return rem;
1432 1554
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index b2570159a044..f13ddbf858ba 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -56,7 +56,9 @@ static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb)
56 if (status) 56 if (status)
57 return; 57 return;
58 58
59 clear_bit(HCI_INQUIRY, &hdev->flags); 59 if (test_bit(HCI_MGMT, &hdev->flags) &&
60 test_and_clear_bit(HCI_INQUIRY, &hdev->flags))
61 mgmt_discovering(hdev->id, 0);
60 62
61 hci_req_complete(hdev, HCI_OP_INQUIRY_CANCEL, status); 63 hci_req_complete(hdev, HCI_OP_INQUIRY_CANCEL, status);
62 64
@@ -72,7 +74,9 @@ static void hci_cc_exit_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
72 if (status) 74 if (status)
73 return; 75 return;
74 76
75 clear_bit(HCI_INQUIRY, &hdev->flags); 77 if (test_bit(HCI_MGMT, &hdev->flags) &&
78 test_and_clear_bit(HCI_INQUIRY, &hdev->flags))
79 mgmt_discovering(hdev->id, 0);
76 80
77 hci_conn_check_pending(hdev); 81 hci_conn_check_pending(hdev);
78} 82}
@@ -195,14 +199,17 @@ static void hci_cc_write_local_name(struct hci_dev *hdev, struct sk_buff *skb)
195 199
196 BT_DBG("%s status 0x%x", hdev->name, status); 200 BT_DBG("%s status 0x%x", hdev->name, status);
197 201
198 if (status)
199 return;
200
201 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME); 202 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME);
202 if (!sent) 203 if (!sent)
203 return; 204 return;
204 205
205 memcpy(hdev->dev_name, sent, 248); 206 if (test_bit(HCI_MGMT, &hdev->flags))
207 mgmt_set_local_name_complete(hdev->id, sent, status);
208
209 if (status)
210 return;
211
212 memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH);
206} 213}
207 214
208static void hci_cc_read_local_name(struct hci_dev *hdev, struct sk_buff *skb) 215static void hci_cc_read_local_name(struct hci_dev *hdev, struct sk_buff *skb)
@@ -214,7 +221,7 @@ static void hci_cc_read_local_name(struct hci_dev *hdev, struct sk_buff *skb)
214 if (rp->status) 221 if (rp->status)
215 return; 222 return;
216 223
217 memcpy(hdev->dev_name, rp->name, 248); 224 memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH);
218} 225}
219 226
220static void hci_cc_write_auth_enable(struct hci_dev *hdev, struct sk_buff *skb) 227static void hci_cc_write_auth_enable(struct hci_dev *hdev, struct sk_buff *skb)
@@ -821,16 +828,31 @@ static void hci_cc_user_confirm_neg_reply(struct hci_dev *hdev,
821 rp->status); 828 rp->status);
822} 829}
823 830
831static void hci_cc_read_local_oob_data_reply(struct hci_dev *hdev,
832 struct sk_buff *skb)
833{
834 struct hci_rp_read_local_oob_data *rp = (void *) skb->data;
835
836 BT_DBG("%s status 0x%x", hdev->name, rp->status);
837
838 mgmt_read_local_oob_data_reply_complete(hdev->id, rp->hash,
839 rp->randomizer, rp->status);
840}
841
824static inline void hci_cs_inquiry(struct hci_dev *hdev, __u8 status) 842static inline void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
825{ 843{
826 BT_DBG("%s status 0x%x", hdev->name, status); 844 BT_DBG("%s status 0x%x", hdev->name, status);
827 845
828 if (status) { 846 if (status) {
829 hci_req_complete(hdev, HCI_OP_INQUIRY, status); 847 hci_req_complete(hdev, HCI_OP_INQUIRY, status);
830
831 hci_conn_check_pending(hdev); 848 hci_conn_check_pending(hdev);
832 } else 849 return;
833 set_bit(HCI_INQUIRY, &hdev->flags); 850 }
851
852 if (test_bit(HCI_MGMT, &hdev->flags) &&
853 !test_and_set_bit(HCI_INQUIRY,
854 &hdev->flags))
855 mgmt_discovering(hdev->id, 1);
834} 856}
835 857
836static inline void hci_cs_create_conn(struct hci_dev *hdev, __u8 status) 858static inline void hci_cs_create_conn(struct hci_dev *hdev, __u8 status)
@@ -999,12 +1021,19 @@ static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status)
999 hci_dev_lock(hdev); 1021 hci_dev_lock(hdev);
1000 1022
1001 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr); 1023 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1002 if (conn && hci_outgoing_auth_needed(hdev, conn)) { 1024 if (!conn)
1025 goto unlock;
1026
1027 if (!hci_outgoing_auth_needed(hdev, conn))
1028 goto unlock;
1029
1030 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->pend)) {
1003 struct hci_cp_auth_requested cp; 1031 struct hci_cp_auth_requested cp;
1004 cp.handle = __cpu_to_le16(conn->handle); 1032 cp.handle = __cpu_to_le16(conn->handle);
1005 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp); 1033 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp);
1006 } 1034 }
1007 1035
1036unlock:
1008 hci_dev_unlock(hdev); 1037 hci_dev_unlock(hdev);
1009} 1038}
1010 1039
@@ -1194,7 +1223,9 @@ static inline void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff
1194 1223
1195 BT_DBG("%s status %d", hdev->name, status); 1224 BT_DBG("%s status %d", hdev->name, status);
1196 1225
1197 clear_bit(HCI_INQUIRY, &hdev->flags); 1226 if (test_bit(HCI_MGMT, &hdev->flags) &&
1227 test_and_clear_bit(HCI_INQUIRY, &hdev->flags))
1228 mgmt_discovering(hdev->id, 0);
1198 1229
1199 hci_req_complete(hdev, HCI_OP_INQUIRY, status); 1230 hci_req_complete(hdev, HCI_OP_INQUIRY, status);
1200 1231
@@ -1214,7 +1245,13 @@ static inline void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *
1214 1245
1215 hci_dev_lock(hdev); 1246 hci_dev_lock(hdev);
1216 1247
1217 for (; num_rsp; num_rsp--) { 1248 if (!test_and_set_bit(HCI_INQUIRY, &hdev->flags)) {
1249
1250 if (test_bit(HCI_MGMT, &hdev->flags))
1251 mgmt_discovering(hdev->id, 1);
1252 }
1253
1254 for (; num_rsp; num_rsp--, info++) {
1218 bacpy(&data.bdaddr, &info->bdaddr); 1255 bacpy(&data.bdaddr, &info->bdaddr);
1219 data.pscan_rep_mode = info->pscan_rep_mode; 1256 data.pscan_rep_mode = info->pscan_rep_mode;
1220 data.pscan_period_mode = info->pscan_period_mode; 1257 data.pscan_period_mode = info->pscan_period_mode;
@@ -1223,8 +1260,9 @@ static inline void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *
1223 data.clock_offset = info->clock_offset; 1260 data.clock_offset = info->clock_offset;
1224 data.rssi = 0x00; 1261 data.rssi = 0x00;
1225 data.ssp_mode = 0x00; 1262 data.ssp_mode = 0x00;
1226 info++;
1227 hci_inquiry_cache_update(hdev, &data); 1263 hci_inquiry_cache_update(hdev, &data);
1264 mgmt_device_found(hdev->id, &info->bdaddr, info->dev_class, 0,
1265 NULL);
1228 } 1266 }
1229 1267
1230 hci_dev_unlock(hdev); 1268 hci_dev_unlock(hdev);
@@ -1402,7 +1440,7 @@ static inline void hci_disconn_complete_evt(struct hci_dev *hdev, struct sk_buff
1402 1440
1403 conn->state = BT_CLOSED; 1441 conn->state = BT_CLOSED;
1404 1442
1405 if (conn->type == ACL_LINK) 1443 if (conn->type == ACL_LINK || conn->type == LE_LINK)
1406 mgmt_disconnected(hdev->id, &conn->dst); 1444 mgmt_disconnected(hdev->id, &conn->dst);
1407 1445
1408 hci_proto_disconn_cfm(conn, ev->reason); 1446 hci_proto_disconn_cfm(conn, ev->reason);
@@ -1428,7 +1466,6 @@ static inline void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *s
1428 conn->sec_level = conn->pending_sec_level; 1466 conn->sec_level = conn->pending_sec_level;
1429 } else { 1467 } else {
1430 mgmt_auth_failed(hdev->id, &conn->dst, ev->status); 1468 mgmt_auth_failed(hdev->id, &conn->dst, ev->status);
1431 conn->sec_level = BT_SECURITY_LOW;
1432 } 1469 }
1433 1470
1434 clear_bit(HCI_CONN_AUTH_PEND, &conn->pend); 1471 clear_bit(HCI_CONN_AUTH_PEND, &conn->pend);
@@ -1482,13 +1519,23 @@ static inline void hci_remote_name_evt(struct hci_dev *hdev, struct sk_buff *skb
1482 1519
1483 hci_dev_lock(hdev); 1520 hci_dev_lock(hdev);
1484 1521
1522 if (ev->status == 0 && test_bit(HCI_MGMT, &hdev->flags))
1523 mgmt_remote_name(hdev->id, &ev->bdaddr, ev->name);
1524
1485 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 1525 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
1486 if (conn && hci_outgoing_auth_needed(hdev, conn)) { 1526 if (!conn)
1527 goto unlock;
1528
1529 if (!hci_outgoing_auth_needed(hdev, conn))
1530 goto unlock;
1531
1532 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->pend)) {
1487 struct hci_cp_auth_requested cp; 1533 struct hci_cp_auth_requested cp;
1488 cp.handle = __cpu_to_le16(conn->handle); 1534 cp.handle = __cpu_to_le16(conn->handle);
1489 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp); 1535 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp);
1490 } 1536 }
1491 1537
1538unlock:
1492 hci_dev_unlock(hdev); 1539 hci_dev_unlock(hdev);
1493} 1540}
1494 1541
@@ -1751,6 +1798,10 @@ static inline void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *sk
1751 hci_cc_pin_code_neg_reply(hdev, skb); 1798 hci_cc_pin_code_neg_reply(hdev, skb);
1752 break; 1799 break;
1753 1800
1801 case HCI_OP_READ_LOCAL_OOB_DATA:
1802 hci_cc_read_local_oob_data_reply(hdev, skb);
1803 break;
1804
1754 case HCI_OP_LE_READ_BUFFER_SIZE: 1805 case HCI_OP_LE_READ_BUFFER_SIZE:
1755 hci_cc_le_read_buffer_size(hdev, skb); 1806 hci_cc_le_read_buffer_size(hdev, skb);
1756 break; 1807 break;
@@ -1984,9 +2035,16 @@ static inline void hci_pin_code_request_evt(struct hci_dev *hdev, struct sk_buff
1984 if (!test_bit(HCI_PAIRABLE, &hdev->flags)) 2035 if (!test_bit(HCI_PAIRABLE, &hdev->flags))
1985 hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY, 2036 hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
1986 sizeof(ev->bdaddr), &ev->bdaddr); 2037 sizeof(ev->bdaddr), &ev->bdaddr);
2038 else if (test_bit(HCI_MGMT, &hdev->flags)) {
2039 u8 secure;
1987 2040
1988 if (test_bit(HCI_MGMT, &hdev->flags)) 2041 if (conn->pending_sec_level == BT_SECURITY_HIGH)
1989 mgmt_pin_code_request(hdev->id, &ev->bdaddr); 2042 secure = 1;
2043 else
2044 secure = 0;
2045
2046 mgmt_pin_code_request(hdev->id, &ev->bdaddr, secure);
2047 }
1990 2048
1991 hci_dev_unlock(hdev); 2049 hci_dev_unlock(hdev);
1992} 2050}
@@ -2015,17 +2073,30 @@ static inline void hci_link_key_request_evt(struct hci_dev *hdev, struct sk_buff
2015 BT_DBG("%s found key type %u for %s", hdev->name, key->type, 2073 BT_DBG("%s found key type %u for %s", hdev->name, key->type,
2016 batostr(&ev->bdaddr)); 2074 batostr(&ev->bdaddr));
2017 2075
2018 if (!test_bit(HCI_DEBUG_KEYS, &hdev->flags) && key->type == 0x03) { 2076 if (!test_bit(HCI_DEBUG_KEYS, &hdev->flags) &&
2077 key->type == HCI_LK_DEBUG_COMBINATION) {
2019 BT_DBG("%s ignoring debug key", hdev->name); 2078 BT_DBG("%s ignoring debug key", hdev->name);
2020 goto not_found; 2079 goto not_found;
2021 } 2080 }
2022 2081
2023 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 2082 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
2083 if (conn) {
2084 if (key->type == HCI_LK_UNAUTH_COMBINATION &&
2085 conn->auth_type != 0xff &&
2086 (conn->auth_type & 0x01)) {
2087 BT_DBG("%s ignoring unauthenticated key", hdev->name);
2088 goto not_found;
2089 }
2024 2090
2025 if (key->type == 0x04 && conn && conn->auth_type != 0xff && 2091 if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 &&
2026 (conn->auth_type & 0x01)) { 2092 conn->pending_sec_level == BT_SECURITY_HIGH) {
2027 BT_DBG("%s ignoring unauthenticated key", hdev->name); 2093 BT_DBG("%s ignoring key unauthenticated for high \
2028 goto not_found; 2094 security", hdev->name);
2095 goto not_found;
2096 }
2097
2098 conn->key_type = key->type;
2099 conn->pin_length = key->pin_len;
2029 } 2100 }
2030 2101
2031 bacpy(&cp.bdaddr, &ev->bdaddr); 2102 bacpy(&cp.bdaddr, &ev->bdaddr);
@@ -2057,11 +2128,15 @@ static inline void hci_link_key_notify_evt(struct hci_dev *hdev, struct sk_buff
2057 hci_conn_hold(conn); 2128 hci_conn_hold(conn);
2058 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 2129 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
2059 pin_len = conn->pin_length; 2130 pin_len = conn->pin_length;
2131
2132 if (ev->key_type != HCI_LK_CHANGED_COMBINATION)
2133 conn->key_type = ev->key_type;
2134
2060 hci_conn_put(conn); 2135 hci_conn_put(conn);
2061 } 2136 }
2062 2137
2063 if (test_bit(HCI_LINK_KEYS, &hdev->flags)) 2138 if (test_bit(HCI_LINK_KEYS, &hdev->flags))
2064 hci_add_link_key(hdev, 1, &ev->bdaddr, ev->link_key, 2139 hci_add_link_key(hdev, conn, 1, &ev->bdaddr, ev->link_key,
2065 ev->key_type, pin_len); 2140 ev->key_type, pin_len);
2066 2141
2067 hci_dev_unlock(hdev); 2142 hci_dev_unlock(hdev);
@@ -2136,11 +2211,17 @@ static inline void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev, struct
2136 2211
2137 hci_dev_lock(hdev); 2212 hci_dev_lock(hdev);
2138 2213
2214 if (!test_and_set_bit(HCI_INQUIRY, &hdev->flags)) {
2215
2216 if (test_bit(HCI_MGMT, &hdev->flags))
2217 mgmt_discovering(hdev->id, 1);
2218 }
2219
2139 if ((skb->len - 1) / num_rsp != sizeof(struct inquiry_info_with_rssi)) { 2220 if ((skb->len - 1) / num_rsp != sizeof(struct inquiry_info_with_rssi)) {
2140 struct inquiry_info_with_rssi_and_pscan_mode *info; 2221 struct inquiry_info_with_rssi_and_pscan_mode *info;
2141 info = (void *) (skb->data + 1); 2222 info = (void *) (skb->data + 1);
2142 2223
2143 for (; num_rsp; num_rsp--) { 2224 for (; num_rsp; num_rsp--, info++) {
2144 bacpy(&data.bdaddr, &info->bdaddr); 2225 bacpy(&data.bdaddr, &info->bdaddr);
2145 data.pscan_rep_mode = info->pscan_rep_mode; 2226 data.pscan_rep_mode = info->pscan_rep_mode;
2146 data.pscan_period_mode = info->pscan_period_mode; 2227 data.pscan_period_mode = info->pscan_period_mode;
@@ -2149,13 +2230,15 @@ static inline void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev, struct
2149 data.clock_offset = info->clock_offset; 2230 data.clock_offset = info->clock_offset;
2150 data.rssi = info->rssi; 2231 data.rssi = info->rssi;
2151 data.ssp_mode = 0x00; 2232 data.ssp_mode = 0x00;
2152 info++;
2153 hci_inquiry_cache_update(hdev, &data); 2233 hci_inquiry_cache_update(hdev, &data);
2234 mgmt_device_found(hdev->id, &info->bdaddr,
2235 info->dev_class, info->rssi,
2236 NULL);
2154 } 2237 }
2155 } else { 2238 } else {
2156 struct inquiry_info_with_rssi *info = (void *) (skb->data + 1); 2239 struct inquiry_info_with_rssi *info = (void *) (skb->data + 1);
2157 2240
2158 for (; num_rsp; num_rsp--) { 2241 for (; num_rsp; num_rsp--, info++) {
2159 bacpy(&data.bdaddr, &info->bdaddr); 2242 bacpy(&data.bdaddr, &info->bdaddr);
2160 data.pscan_rep_mode = info->pscan_rep_mode; 2243 data.pscan_rep_mode = info->pscan_rep_mode;
2161 data.pscan_period_mode = info->pscan_period_mode; 2244 data.pscan_period_mode = info->pscan_period_mode;
@@ -2164,8 +2247,10 @@ static inline void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev, struct
2164 data.clock_offset = info->clock_offset; 2247 data.clock_offset = info->clock_offset;
2165 data.rssi = info->rssi; 2248 data.rssi = info->rssi;
2166 data.ssp_mode = 0x00; 2249 data.ssp_mode = 0x00;
2167 info++;
2168 hci_inquiry_cache_update(hdev, &data); 2250 hci_inquiry_cache_update(hdev, &data);
2251 mgmt_device_found(hdev->id, &info->bdaddr,
2252 info->dev_class, info->rssi,
2253 NULL);
2169 } 2254 }
2170 } 2255 }
2171 2256
@@ -2294,9 +2379,15 @@ static inline void hci_extended_inquiry_result_evt(struct hci_dev *hdev, struct
2294 if (!num_rsp) 2379 if (!num_rsp)
2295 return; 2380 return;
2296 2381
2382 if (!test_and_set_bit(HCI_INQUIRY, &hdev->flags)) {
2383
2384 if (test_bit(HCI_MGMT, &hdev->flags))
2385 mgmt_discovering(hdev->id, 1);
2386 }
2387
2297 hci_dev_lock(hdev); 2388 hci_dev_lock(hdev);
2298 2389
2299 for (; num_rsp; num_rsp--) { 2390 for (; num_rsp; num_rsp--, info++) {
2300 bacpy(&data.bdaddr, &info->bdaddr); 2391 bacpy(&data.bdaddr, &info->bdaddr);
2301 data.pscan_rep_mode = info->pscan_rep_mode; 2392 data.pscan_rep_mode = info->pscan_rep_mode;
2302 data.pscan_period_mode = info->pscan_period_mode; 2393 data.pscan_period_mode = info->pscan_period_mode;
@@ -2305,8 +2396,9 @@ static inline void hci_extended_inquiry_result_evt(struct hci_dev *hdev, struct
2305 data.clock_offset = info->clock_offset; 2396 data.clock_offset = info->clock_offset;
2306 data.rssi = info->rssi; 2397 data.rssi = info->rssi;
2307 data.ssp_mode = 0x01; 2398 data.ssp_mode = 0x01;
2308 info++;
2309 hci_inquiry_cache_update(hdev, &data); 2399 hci_inquiry_cache_update(hdev, &data);
2400 mgmt_device_found(hdev->id, &info->bdaddr, info->dev_class,
2401 info->rssi, info->data);
2310 } 2402 }
2311 2403
2312 hci_dev_unlock(hdev); 2404 hci_dev_unlock(hdev);
@@ -2326,7 +2418,7 @@ static inline u8 hci_get_auth_req(struct hci_conn *conn)
2326 2418
2327 /* If remote requests no-bonding follow that lead */ 2419 /* If remote requests no-bonding follow that lead */
2328 if (conn->remote_auth == 0x00 || conn->remote_auth == 0x01) 2420 if (conn->remote_auth == 0x00 || conn->remote_auth == 0x01)
2329 return 0x00; 2421 return conn->remote_auth | (conn->auth_type & 0x01);
2330 2422
2331 return conn->auth_type; 2423 return conn->auth_type;
2332} 2424}
@@ -2355,8 +2447,14 @@ static inline void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff
2355 2447
2356 bacpy(&cp.bdaddr, &ev->bdaddr); 2448 bacpy(&cp.bdaddr, &ev->bdaddr);
2357 cp.capability = conn->io_capability; 2449 cp.capability = conn->io_capability;
2358 cp.oob_data = 0; 2450 conn->auth_type = hci_get_auth_req(conn);
2359 cp.authentication = hci_get_auth_req(conn); 2451 cp.authentication = conn->auth_type;
2452
2453 if ((conn->out == 0x01 || conn->remote_oob == 0x01) &&
2454 hci_find_remote_oob_data(hdev, &conn->dst))
2455 cp.oob_data = 0x01;
2456 else
2457 cp.oob_data = 0x00;
2360 2458
2361 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY, 2459 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY,
2362 sizeof(cp), &cp); 2460 sizeof(cp), &cp);
@@ -2364,7 +2462,7 @@ static inline void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff
2364 struct hci_cp_io_capability_neg_reply cp; 2462 struct hci_cp_io_capability_neg_reply cp;
2365 2463
2366 bacpy(&cp.bdaddr, &ev->bdaddr); 2464 bacpy(&cp.bdaddr, &ev->bdaddr);
2367 cp.reason = 0x16; /* Pairing not allowed */ 2465 cp.reason = 0x18; /* Pairing not allowed */
2368 2466
2369 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY, 2467 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY,
2370 sizeof(cp), &cp); 2468 sizeof(cp), &cp);
@@ -2399,14 +2497,67 @@ static inline void hci_user_confirm_request_evt(struct hci_dev *hdev,
2399 struct sk_buff *skb) 2497 struct sk_buff *skb)
2400{ 2498{
2401 struct hci_ev_user_confirm_req *ev = (void *) skb->data; 2499 struct hci_ev_user_confirm_req *ev = (void *) skb->data;
2500 int loc_mitm, rem_mitm, confirm_hint = 0;
2501 struct hci_conn *conn;
2402 2502
2403 BT_DBG("%s", hdev->name); 2503 BT_DBG("%s", hdev->name);
2404 2504
2405 hci_dev_lock(hdev); 2505 hci_dev_lock(hdev);
2406 2506
2407 if (test_bit(HCI_MGMT, &hdev->flags)) 2507 if (!test_bit(HCI_MGMT, &hdev->flags))
2408 mgmt_user_confirm_request(hdev->id, &ev->bdaddr, ev->passkey); 2508 goto unlock;
2509
2510 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
2511 if (!conn)
2512 goto unlock;
2513
2514 loc_mitm = (conn->auth_type & 0x01);
2515 rem_mitm = (conn->remote_auth & 0x01);
2516
2517 /* If we require MITM but the remote device can't provide that
2518 * (it has NoInputNoOutput) then reject the confirmation
2519 * request. The only exception is when we're dedicated bonding
2520 * initiators (connect_cfm_cb set) since then we always have the MITM
2521 * bit set. */
2522 if (!conn->connect_cfm_cb && loc_mitm && conn->remote_cap == 0x03) {
2523 BT_DBG("Rejecting request: remote device can't provide MITM");
2524 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY,
2525 sizeof(ev->bdaddr), &ev->bdaddr);
2526 goto unlock;
2527 }
2528
2529 /* If no side requires MITM protection; auto-accept */
2530 if ((!loc_mitm || conn->remote_cap == 0x03) &&
2531 (!rem_mitm || conn->io_capability == 0x03)) {
2532
2533 /* If we're not the initiators request authorization to
2534 * proceed from user space (mgmt_user_confirm with
2535 * confirm_hint set to 1). */
2536 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->pend)) {
2537 BT_DBG("Confirming auto-accept as acceptor");
2538 confirm_hint = 1;
2539 goto confirm;
2540 }
2541
2542 BT_DBG("Auto-accept of user confirmation with %ums delay",
2543 hdev->auto_accept_delay);
2544
2545 if (hdev->auto_accept_delay > 0) {
2546 int delay = msecs_to_jiffies(hdev->auto_accept_delay);
2547 mod_timer(&conn->auto_accept_timer, jiffies + delay);
2548 goto unlock;
2549 }
2550
2551 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY,
2552 sizeof(ev->bdaddr), &ev->bdaddr);
2553 goto unlock;
2554 }
2555
2556confirm:
2557 mgmt_user_confirm_request(hdev->id, &ev->bdaddr, ev->passkey,
2558 confirm_hint);
2409 2559
2560unlock:
2410 hci_dev_unlock(hdev); 2561 hci_dev_unlock(hdev);
2411} 2562}
2412 2563
@@ -2453,6 +2604,41 @@ static inline void hci_remote_host_features_evt(struct hci_dev *hdev, struct sk_
2453 hci_dev_unlock(hdev); 2604 hci_dev_unlock(hdev);
2454} 2605}
2455 2606
2607static inline void hci_remote_oob_data_request_evt(struct hci_dev *hdev,
2608 struct sk_buff *skb)
2609{
2610 struct hci_ev_remote_oob_data_request *ev = (void *) skb->data;
2611 struct oob_data *data;
2612
2613 BT_DBG("%s", hdev->name);
2614
2615 hci_dev_lock(hdev);
2616
2617 if (!test_bit(HCI_MGMT, &hdev->flags))
2618 goto unlock;
2619
2620 data = hci_find_remote_oob_data(hdev, &ev->bdaddr);
2621 if (data) {
2622 struct hci_cp_remote_oob_data_reply cp;
2623
2624 bacpy(&cp.bdaddr, &ev->bdaddr);
2625 memcpy(cp.hash, data->hash, sizeof(cp.hash));
2626 memcpy(cp.randomizer, data->randomizer, sizeof(cp.randomizer));
2627
2628 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY, sizeof(cp),
2629 &cp);
2630 } else {
2631 struct hci_cp_remote_oob_data_neg_reply cp;
2632
2633 bacpy(&cp.bdaddr, &ev->bdaddr);
2634 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY, sizeof(cp),
2635 &cp);
2636 }
2637
2638unlock:
2639 hci_dev_unlock(hdev);
2640}
2641
2456static inline void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 2642static inline void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2457{ 2643{
2458 struct hci_ev_le_conn_complete *ev = (void *) skb->data; 2644 struct hci_ev_le_conn_complete *ev = (void *) skb->data;
@@ -2473,12 +2659,15 @@ static inline void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff
2473 } 2659 }
2474 2660
2475 if (ev->status) { 2661 if (ev->status) {
2662 mgmt_connect_failed(hdev->id, &ev->bdaddr, ev->status);
2476 hci_proto_connect_cfm(conn, ev->status); 2663 hci_proto_connect_cfm(conn, ev->status);
2477 conn->state = BT_CLOSED; 2664 conn->state = BT_CLOSED;
2478 hci_conn_del(conn); 2665 hci_conn_del(conn);
2479 goto unlock; 2666 goto unlock;
2480 } 2667 }
2481 2668
2669 mgmt_connected(hdev->id, &ev->bdaddr);
2670
2482 conn->handle = __le16_to_cpu(ev->handle); 2671 conn->handle = __le16_to_cpu(ev->handle);
2483 conn->state = BT_CONNECTED; 2672 conn->state = BT_CONNECTED;
2484 2673
@@ -2655,6 +2844,10 @@ void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
2655 hci_le_meta_evt(hdev, skb); 2844 hci_le_meta_evt(hdev, skb);
2656 break; 2845 break;
2657 2846
2847 case HCI_EV_REMOTE_OOB_DATA_REQUEST:
2848 hci_remote_oob_data_request_evt(hdev, skb);
2849 break;
2850
2658 default: 2851 default:
2659 BT_DBG("%s event 0x%x", hdev->name, event); 2852 BT_DBG("%s event 0x%x", hdev->name, event);
2660 break; 2853 break;
diff --git a/net/bluetooth/hci_sysfs.c b/net/bluetooth/hci_sysfs.c
index 3c838a65a75a..a6c3aa8be1f7 100644
--- a/net/bluetooth/hci_sysfs.c
+++ b/net/bluetooth/hci_sysfs.c
@@ -216,13 +216,13 @@ static ssize_t show_type(struct device *dev, struct device_attribute *attr, char
216static ssize_t show_name(struct device *dev, struct device_attribute *attr, char *buf) 216static ssize_t show_name(struct device *dev, struct device_attribute *attr, char *buf)
217{ 217{
218 struct hci_dev *hdev = dev_get_drvdata(dev); 218 struct hci_dev *hdev = dev_get_drvdata(dev);
219 char name[249]; 219 char name[HCI_MAX_NAME_LENGTH + 1];
220 int i; 220 int i;
221 221
222 for (i = 0; i < 248; i++) 222 for (i = 0; i < HCI_MAX_NAME_LENGTH; i++)
223 name[i] = hdev->dev_name[i]; 223 name[i] = hdev->dev_name[i];
224 224
225 name[248] = '\0'; 225 name[HCI_MAX_NAME_LENGTH] = '\0';
226 return sprintf(buf, "%s\n", name); 226 return sprintf(buf, "%s\n", name);
227} 227}
228 228
@@ -277,10 +277,12 @@ static ssize_t show_idle_timeout(struct device *dev, struct device_attribute *at
277static ssize_t store_idle_timeout(struct device *dev, struct device_attribute *attr, const char *buf, size_t count) 277static ssize_t store_idle_timeout(struct device *dev, struct device_attribute *attr, const char *buf, size_t count)
278{ 278{
279 struct hci_dev *hdev = dev_get_drvdata(dev); 279 struct hci_dev *hdev = dev_get_drvdata(dev);
280 unsigned long val; 280 unsigned int val;
281 int rv;
281 282
282 if (strict_strtoul(buf, 0, &val) < 0) 283 rv = kstrtouint(buf, 0, &val);
283 return -EINVAL; 284 if (rv < 0)
285 return rv;
284 286
285 if (val != 0 && (val < 500 || val > 3600000)) 287 if (val != 0 && (val < 500 || val > 3600000))
286 return -EINVAL; 288 return -EINVAL;
@@ -299,15 +301,14 @@ static ssize_t show_sniff_max_interval(struct device *dev, struct device_attribu
299static ssize_t store_sniff_max_interval(struct device *dev, struct device_attribute *attr, const char *buf, size_t count) 301static ssize_t store_sniff_max_interval(struct device *dev, struct device_attribute *attr, const char *buf, size_t count)
300{ 302{
301 struct hci_dev *hdev = dev_get_drvdata(dev); 303 struct hci_dev *hdev = dev_get_drvdata(dev);
302 unsigned long val; 304 u16 val;
303 305 int rv;
304 if (strict_strtoul(buf, 0, &val) < 0)
305 return -EINVAL;
306 306
307 if (val < 0x0002 || val > 0xFFFE || val % 2) 307 rv = kstrtou16(buf, 0, &val);
308 return -EINVAL; 308 if (rv < 0)
309 return rv;
309 310
310 if (val < hdev->sniff_min_interval) 311 if (val == 0 || val % 2 || val < hdev->sniff_min_interval)
311 return -EINVAL; 312 return -EINVAL;
312 313
313 hdev->sniff_max_interval = val; 314 hdev->sniff_max_interval = val;
@@ -324,15 +325,14 @@ static ssize_t show_sniff_min_interval(struct device *dev, struct device_attribu
324static ssize_t store_sniff_min_interval(struct device *dev, struct device_attribute *attr, const char *buf, size_t count) 325static ssize_t store_sniff_min_interval(struct device *dev, struct device_attribute *attr, const char *buf, size_t count)
325{ 326{
326 struct hci_dev *hdev = dev_get_drvdata(dev); 327 struct hci_dev *hdev = dev_get_drvdata(dev);
327 unsigned long val; 328 u16 val;
329 int rv;
328 330
329 if (strict_strtoul(buf, 0, &val) < 0) 331 rv = kstrtou16(buf, 0, &val);
330 return -EINVAL; 332 if (rv < 0)
331 333 return rv;
332 if (val < 0x0002 || val > 0xFFFE || val % 2)
333 return -EINVAL;
334 334
335 if (val > hdev->sniff_max_interval) 335 if (val == 0 || val % 2 || val > hdev->sniff_max_interval)
336 return -EINVAL; 336 return -EINVAL;
337 337
338 hdev->sniff_min_interval = val; 338 hdev->sniff_min_interval = val;
@@ -511,6 +511,35 @@ static const struct file_operations uuids_fops = {
511 .release = single_release, 511 .release = single_release,
512}; 512};
513 513
514static int auto_accept_delay_set(void *data, u64 val)
515{
516 struct hci_dev *hdev = data;
517
518 hci_dev_lock_bh(hdev);
519
520 hdev->auto_accept_delay = val;
521
522 hci_dev_unlock_bh(hdev);
523
524 return 0;
525}
526
527static int auto_accept_delay_get(void *data, u64 *val)
528{
529 struct hci_dev *hdev = data;
530
531 hci_dev_lock_bh(hdev);
532
533 *val = hdev->auto_accept_delay;
534
535 hci_dev_unlock_bh(hdev);
536
537 return 0;
538}
539
540DEFINE_SIMPLE_ATTRIBUTE(auto_accept_delay_fops, auto_accept_delay_get,
541 auto_accept_delay_set, "%llu\n");
542
514int hci_register_sysfs(struct hci_dev *hdev) 543int hci_register_sysfs(struct hci_dev *hdev)
515{ 544{
516 struct device *dev = &hdev->dev; 545 struct device *dev = &hdev->dev;
@@ -545,6 +574,8 @@ int hci_register_sysfs(struct hci_dev *hdev)
545 574
546 debugfs_create_file("uuids", 0444, hdev->debugfs, hdev, &uuids_fops); 575 debugfs_create_file("uuids", 0444, hdev->debugfs, hdev, &uuids_fops);
547 576
577 debugfs_create_file("auto_accept_delay", 0444, hdev->debugfs, hdev,
578 &auto_accept_delay_fops);
548 return 0; 579 return 0;
549} 580}
550 581
diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
index 5ec12971af6b..c405a954a603 100644
--- a/net/bluetooth/hidp/core.c
+++ b/net/bluetooth/hidp/core.c
@@ -37,6 +37,7 @@
37#include <linux/init.h> 37#include <linux/init.h>
38#include <linux/wait.h> 38#include <linux/wait.h>
39#include <linux/mutex.h> 39#include <linux/mutex.h>
40#include <linux/kthread.h>
40#include <net/sock.h> 41#include <net/sock.h>
41 42
42#include <linux/input.h> 43#include <linux/input.h>
@@ -55,22 +56,24 @@ static DECLARE_RWSEM(hidp_session_sem);
55static LIST_HEAD(hidp_session_list); 56static LIST_HEAD(hidp_session_list);
56 57
57static unsigned char hidp_keycode[256] = { 58static unsigned char hidp_keycode[256] = {
58 0, 0, 0, 0, 30, 48, 46, 32, 18, 33, 34, 35, 23, 36, 37, 38, 59 0, 0, 0, 0, 30, 48, 46, 32, 18, 33, 34, 35, 23, 36,
59 50, 49, 24, 25, 16, 19, 31, 20, 22, 47, 17, 45, 21, 44, 2, 3, 60 37, 38, 50, 49, 24, 25, 16, 19, 31, 20, 22, 47, 17, 45,
60 4, 5, 6, 7, 8, 9, 10, 11, 28, 1, 14, 15, 57, 12, 13, 26, 61 21, 44, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 28, 1,
61 27, 43, 43, 39, 40, 41, 51, 52, 53, 58, 59, 60, 61, 62, 63, 64, 62 14, 15, 57, 12, 13, 26, 27, 43, 43, 39, 40, 41, 51, 52,
62 65, 66, 67, 68, 87, 88, 99, 70,119,110,102,104,111,107,109,106, 63 53, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 87, 88,
63 105,108,103, 69, 98, 55, 74, 78, 96, 79, 80, 81, 75, 76, 77, 71, 64 99, 70, 119, 110, 102, 104, 111, 107, 109, 106, 105, 108, 103, 69,
64 72, 73, 82, 83, 86,127,116,117,183,184,185,186,187,188,189,190, 65 98, 55, 74, 78, 96, 79, 80, 81, 75, 76, 77, 71, 72, 73,
65 191,192,193,194,134,138,130,132,128,129,131,137,133,135,136,113, 66 82, 83, 86, 127, 116, 117, 183, 184, 185, 186, 187, 188, 189, 190,
66 115,114, 0, 0, 0,121, 0, 89, 93,124, 92, 94, 95, 0, 0, 0, 67 191, 192, 193, 194, 134, 138, 130, 132, 128, 129, 131, 137, 133, 135,
67 122,123, 90, 91, 85, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 68 136, 113, 115, 114, 0, 0, 0, 121, 0, 89, 93, 124, 92, 94,
68 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 69 95, 0, 0, 0, 122, 123, 90, 91, 85, 0, 0, 0, 0, 0,
69 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 70 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
70 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 71 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
71 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 72 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
72 29, 42, 56,125, 97, 54,100,126,164,166,165,163,161,115,114,113, 73 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
73 150,158,159,128,136,177,178,176,142,152,173,140 74 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
75 29, 42, 56, 125, 97, 54, 100, 126, 164, 166, 165, 163, 161, 115,
76 114, 113, 150, 158, 159, 128, 136, 177, 178, 176, 142, 152, 173, 140
74}; 77};
75 78
76static unsigned char hidp_mkeyspat[] = { 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 }; 79static unsigned char hidp_mkeyspat[] = { 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 };
@@ -461,8 +464,7 @@ static void hidp_idle_timeout(unsigned long arg)
461{ 464{
462 struct hidp_session *session = (struct hidp_session *) arg; 465 struct hidp_session *session = (struct hidp_session *) arg;
463 466
464 atomic_inc(&session->terminate); 467 kthread_stop(session->task);
465 hidp_schedule(session);
466} 468}
467 469
468static void hidp_set_timer(struct hidp_session *session) 470static void hidp_set_timer(struct hidp_session *session)
@@ -533,9 +535,7 @@ static void hidp_process_hid_control(struct hidp_session *session,
533 skb_queue_purge(&session->ctrl_transmit); 535 skb_queue_purge(&session->ctrl_transmit);
534 skb_queue_purge(&session->intr_transmit); 536 skb_queue_purge(&session->intr_transmit);
535 537
536 /* Kill session thread */ 538 kthread_stop(session->task);
537 atomic_inc(&session->terminate);
538 hidp_schedule(session);
539 } 539 }
540} 540}
541 541
@@ -694,22 +694,10 @@ static int hidp_session(void *arg)
694 struct sock *ctrl_sk = session->ctrl_sock->sk; 694 struct sock *ctrl_sk = session->ctrl_sock->sk;
695 struct sock *intr_sk = session->intr_sock->sk; 695 struct sock *intr_sk = session->intr_sock->sk;
696 struct sk_buff *skb; 696 struct sk_buff *skb;
697 int vendor = 0x0000, product = 0x0000;
698 wait_queue_t ctrl_wait, intr_wait; 697 wait_queue_t ctrl_wait, intr_wait;
699 698
700 BT_DBG("session %p", session); 699 BT_DBG("session %p", session);
701 700
702 if (session->input) {
703 vendor = session->input->id.vendor;
704 product = session->input->id.product;
705 }
706
707 if (session->hid) {
708 vendor = session->hid->vendor;
709 product = session->hid->product;
710 }
711
712 daemonize("khidpd_%04x%04x", vendor, product);
713 set_user_nice(current, -15); 701 set_user_nice(current, -15);
714 702
715 init_waitqueue_entry(&ctrl_wait, current); 703 init_waitqueue_entry(&ctrl_wait, current);
@@ -718,10 +706,11 @@ static int hidp_session(void *arg)
718 add_wait_queue(sk_sleep(intr_sk), &intr_wait); 706 add_wait_queue(sk_sleep(intr_sk), &intr_wait);
719 session->waiting_for_startup = 0; 707 session->waiting_for_startup = 0;
720 wake_up_interruptible(&session->startup_queue); 708 wake_up_interruptible(&session->startup_queue);
721 while (!atomic_read(&session->terminate)) { 709 while (!kthread_should_stop()) {
722 set_current_state(TASK_INTERRUPTIBLE); 710 set_current_state(TASK_INTERRUPTIBLE);
723 711
724 if (ctrl_sk->sk_state != BT_CONNECTED || intr_sk->sk_state != BT_CONNECTED) 712 if (ctrl_sk->sk_state != BT_CONNECTED ||
713 intr_sk->sk_state != BT_CONNECTED)
725 break; 714 break;
726 715
727 while ((skb = skb_dequeue(&ctrl_sk->sk_receive_queue))) { 716 while ((skb = skb_dequeue(&ctrl_sk->sk_receive_queue))) {
@@ -965,6 +954,7 @@ fault:
965int hidp_add_connection(struct hidp_connadd_req *req, struct socket *ctrl_sock, struct socket *intr_sock) 954int hidp_add_connection(struct hidp_connadd_req *req, struct socket *ctrl_sock, struct socket *intr_sock)
966{ 955{
967 struct hidp_session *session, *s; 956 struct hidp_session *session, *s;
957 int vendor, product;
968 int err; 958 int err;
969 959
970 BT_DBG(""); 960 BT_DBG("");
@@ -989,8 +979,10 @@ int hidp_add_connection(struct hidp_connadd_req *req, struct socket *ctrl_sock,
989 979
990 bacpy(&session->bdaddr, &bt_sk(ctrl_sock->sk)->dst); 980 bacpy(&session->bdaddr, &bt_sk(ctrl_sock->sk)->dst);
991 981
992 session->ctrl_mtu = min_t(uint, l2cap_pi(ctrl_sock->sk)->omtu, l2cap_pi(ctrl_sock->sk)->imtu); 982 session->ctrl_mtu = min_t(uint, l2cap_pi(ctrl_sock->sk)->chan->omtu,
993 session->intr_mtu = min_t(uint, l2cap_pi(intr_sock->sk)->omtu, l2cap_pi(intr_sock->sk)->imtu); 983 l2cap_pi(ctrl_sock->sk)->chan->imtu);
984 session->intr_mtu = min_t(uint, l2cap_pi(intr_sock->sk)->chan->omtu,
985 l2cap_pi(intr_sock->sk)->chan->imtu);
994 986
995 BT_DBG("ctrl mtu %d intr mtu %d", session->ctrl_mtu, session->intr_mtu); 987 BT_DBG("ctrl mtu %d intr mtu %d", session->ctrl_mtu, session->intr_mtu);
996 988
@@ -1026,9 +1018,24 @@ int hidp_add_connection(struct hidp_connadd_req *req, struct socket *ctrl_sock,
1026 1018
1027 hidp_set_timer(session); 1019 hidp_set_timer(session);
1028 1020
1029 err = kernel_thread(hidp_session, session, CLONE_KERNEL); 1021 if (session->hid) {
1030 if (err < 0) 1022 vendor = session->hid->vendor;
1023 product = session->hid->product;
1024 } else if (session->input) {
1025 vendor = session->input->id.vendor;
1026 product = session->input->id.product;
1027 } else {
1028 vendor = 0x0000;
1029 product = 0x0000;
1030 }
1031
1032 session->task = kthread_run(hidp_session, session, "khidpd_%04x%04x",
1033 vendor, product);
1034 if (IS_ERR(session->task)) {
1035 err = PTR_ERR(session->task);
1031 goto unlink; 1036 goto unlink;
1037 }
1038
1032 while (session->waiting_for_startup) { 1039 while (session->waiting_for_startup) {
1033 wait_event_interruptible(session->startup_queue, 1040 wait_event_interruptible(session->startup_queue,
1034 !session->waiting_for_startup); 1041 !session->waiting_for_startup);
@@ -1053,8 +1060,7 @@ int hidp_add_connection(struct hidp_connadd_req *req, struct socket *ctrl_sock,
1053err_add_device: 1060err_add_device:
1054 hid_destroy_device(session->hid); 1061 hid_destroy_device(session->hid);
1055 session->hid = NULL; 1062 session->hid = NULL;
1056 atomic_inc(&session->terminate); 1063 kthread_stop(session->task);
1057 hidp_schedule(session);
1058 1064
1059unlink: 1065unlink:
1060 hidp_del_timer(session); 1066 hidp_del_timer(session);
@@ -1105,13 +1111,7 @@ int hidp_del_connection(struct hidp_conndel_req *req)
1105 skb_queue_purge(&session->ctrl_transmit); 1111 skb_queue_purge(&session->ctrl_transmit);
1106 skb_queue_purge(&session->intr_transmit); 1112 skb_queue_purge(&session->intr_transmit);
1107 1113
1108 /* Wakeup user-space polling for socket errors */ 1114 kthread_stop(session->task);
1109 session->intr_sock->sk->sk_err = EUNATCH;
1110 session->ctrl_sock->sk->sk_err = EUNATCH;
1111
1112 /* Kill session thread */
1113 atomic_inc(&session->terminate);
1114 hidp_schedule(session);
1115 } 1115 }
1116 } else 1116 } else
1117 err = -ENOENT; 1117 err = -ENOENT;
diff --git a/net/bluetooth/hidp/hidp.h b/net/bluetooth/hidp/hidp.h
index 13de5fa03480..12822cde4b49 100644
--- a/net/bluetooth/hidp/hidp.h
+++ b/net/bluetooth/hidp/hidp.h
@@ -84,8 +84,8 @@
84#define HIDP_WAITING_FOR_SEND_ACK 11 84#define HIDP_WAITING_FOR_SEND_ACK 11
85 85
86struct hidp_connadd_req { 86struct hidp_connadd_req {
87 int ctrl_sock; // Connected control socket 87 int ctrl_sock; /* Connected control socket */
88 int intr_sock; // Connteted interrupt socket 88 int intr_sock; /* Connected interrupt socket */
89 __u16 parser; 89 __u16 parser;
90 __u16 rd_size; 90 __u16 rd_size;
91 __u8 __user *rd_data; 91 __u8 __user *rd_data;
@@ -142,7 +142,7 @@ struct hidp_session {
142 uint ctrl_mtu; 142 uint ctrl_mtu;
143 uint intr_mtu; 143 uint intr_mtu;
144 144
145 atomic_t terminate; 145 struct task_struct *task;
146 146
147 unsigned char keys[8]; 147 unsigned char keys[8];
148 unsigned char leds; 148 unsigned char leds;
diff --git a/net/bluetooth/hidp/sock.c b/net/bluetooth/hidp/sock.c
index 250dfd46237d..178ac7f127ad 100644
--- a/net/bluetooth/hidp/sock.c
+++ b/net/bluetooth/hidp/sock.c
@@ -85,7 +85,8 @@ static int hidp_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
85 return err; 85 return err;
86 } 86 }
87 87
88 if (csock->sk->sk_state != BT_CONNECTED || isock->sk->sk_state != BT_CONNECTED) { 88 if (csock->sk->sk_state != BT_CONNECTED ||
89 isock->sk->sk_state != BT_CONNECTED) {
89 sockfd_put(csock); 90 sockfd_put(csock);
90 sockfd_put(isock); 91 sockfd_put(isock);
91 return -EBADFD; 92 return -EBADFD;
@@ -140,8 +141,8 @@ static int hidp_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
140 141
141#ifdef CONFIG_COMPAT 142#ifdef CONFIG_COMPAT
142struct compat_hidp_connadd_req { 143struct compat_hidp_connadd_req {
143 int ctrl_sock; // Connected control socket 144 int ctrl_sock; /* Connected control socket */
144 int intr_sock; // Connteted interrupt socket 145 int intr_sock; /* Connected interrupt socket */
145 __u16 parser; 146 __u16 parser;
146 __u16 rd_size; 147 __u16 rd_size;
147 compat_uptr_t rd_data; 148 compat_uptr_t rd_data;
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 2c8dd4494c63..a86f9ba4f05c 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -62,168 +62,233 @@ static u8 l2cap_fixed_chan[8] = { 0x02, };
62 62
63static struct workqueue_struct *_busy_wq; 63static struct workqueue_struct *_busy_wq;
64 64
65struct bt_sock_list l2cap_sk_list = { 65LIST_HEAD(chan_list);
66 .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock) 66DEFINE_RWLOCK(chan_list_lock);
67};
68 67
69static void l2cap_busy_work(struct work_struct *work); 68static void l2cap_busy_work(struct work_struct *work);
70 69
71static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, 70static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
72 u8 code, u8 ident, u16 dlen, void *data); 71 u8 code, u8 ident, u16 dlen, void *data);
72static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
73 73
74static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb); 74static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb);
75 75
76/* ---- L2CAP channels ---- */ 76/* ---- L2CAP channels ---- */
77static struct sock *__l2cap_get_chan_by_dcid(struct l2cap_chan_list *l, u16 cid) 77static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
78{ 78{
79 struct sock *s; 79 struct l2cap_chan *c;
80 for (s = l->head; s; s = l2cap_pi(s)->next_c) { 80
81 if (l2cap_pi(s)->dcid == cid) 81 list_for_each_entry(c, &conn->chan_l, list) {
82 break; 82 if (c->dcid == cid)
83 return c;
83 } 84 }
84 return s; 85 return NULL;
86
85} 87}
86 88
87static struct sock *__l2cap_get_chan_by_scid(struct l2cap_chan_list *l, u16 cid) 89static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
88{ 90{
89 struct sock *s; 91 struct l2cap_chan *c;
90 for (s = l->head; s; s = l2cap_pi(s)->next_c) { 92
91 if (l2cap_pi(s)->scid == cid) 93 list_for_each_entry(c, &conn->chan_l, list) {
92 break; 94 if (c->scid == cid)
95 return c;
93 } 96 }
94 return s; 97 return NULL;
95} 98}
96 99
97/* Find channel with given SCID. 100/* Find channel with given SCID.
98 * Returns locked socket */ 101 * Returns locked socket */
99static inline struct sock *l2cap_get_chan_by_scid(struct l2cap_chan_list *l, u16 cid) 102static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
100{ 103{
101 struct sock *s; 104 struct l2cap_chan *c;
102 read_lock(&l->lock); 105
103 s = __l2cap_get_chan_by_scid(l, cid); 106 read_lock(&conn->chan_lock);
104 if (s) 107 c = __l2cap_get_chan_by_scid(conn, cid);
105 bh_lock_sock(s); 108 if (c)
106 read_unlock(&l->lock); 109 bh_lock_sock(c->sk);
107 return s; 110 read_unlock(&conn->chan_lock);
111 return c;
108} 112}
109 113
110static struct sock *__l2cap_get_chan_by_ident(struct l2cap_chan_list *l, u8 ident) 114static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
111{ 115{
112 struct sock *s; 116 struct l2cap_chan *c;
113 for (s = l->head; s; s = l2cap_pi(s)->next_c) { 117
114 if (l2cap_pi(s)->ident == ident) 118 list_for_each_entry(c, &conn->chan_l, list) {
115 break; 119 if (c->ident == ident)
120 return c;
121 }
122 return NULL;
123}
124
125static inline struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
126{
127 struct l2cap_chan *c;
128
129 read_lock(&conn->chan_lock);
130 c = __l2cap_get_chan_by_ident(conn, ident);
131 if (c)
132 bh_lock_sock(c->sk);
133 read_unlock(&conn->chan_lock);
134 return c;
135}
136
137static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
138{
139 struct l2cap_chan *c;
140
141 list_for_each_entry(c, &chan_list, global_l) {
142 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
143 goto found;
144 }
145
146 c = NULL;
147found:
148 return c;
149}
150
151int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
152{
153 int err;
154
155 write_lock_bh(&chan_list_lock);
156
157 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
158 err = -EADDRINUSE;
159 goto done;
116 } 160 }
117 return s; 161
162 if (psm) {
163 chan->psm = psm;
164 chan->sport = psm;
165 err = 0;
166 } else {
167 u16 p;
168
169 err = -EINVAL;
170 for (p = 0x1001; p < 0x1100; p += 2)
171 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
172 chan->psm = cpu_to_le16(p);
173 chan->sport = cpu_to_le16(p);
174 err = 0;
175 break;
176 }
177 }
178
179done:
180 write_unlock_bh(&chan_list_lock);
181 return err;
118} 182}
119 183
120static inline struct sock *l2cap_get_chan_by_ident(struct l2cap_chan_list *l, u8 ident) 184int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
121{ 185{
122 struct sock *s; 186 write_lock_bh(&chan_list_lock);
123 read_lock(&l->lock); 187
124 s = __l2cap_get_chan_by_ident(l, ident); 188 chan->scid = scid;
125 if (s) 189
126 bh_lock_sock(s); 190 write_unlock_bh(&chan_list_lock);
127 read_unlock(&l->lock); 191
128 return s; 192 return 0;
129} 193}
130 194
131static u16 l2cap_alloc_cid(struct l2cap_chan_list *l) 195static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
132{ 196{
133 u16 cid = L2CAP_CID_DYN_START; 197 u16 cid = L2CAP_CID_DYN_START;
134 198
135 for (; cid < L2CAP_CID_DYN_END; cid++) { 199 for (; cid < L2CAP_CID_DYN_END; cid++) {
136 if (!__l2cap_get_chan_by_scid(l, cid)) 200 if (!__l2cap_get_chan_by_scid(conn, cid))
137 return cid; 201 return cid;
138 } 202 }
139 203
140 return 0; 204 return 0;
141} 205}
142 206
143static inline void __l2cap_chan_link(struct l2cap_chan_list *l, struct sock *sk) 207struct l2cap_chan *l2cap_chan_create(struct sock *sk)
144{ 208{
145 sock_hold(sk); 209 struct l2cap_chan *chan;
146 210
147 if (l->head) 211 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
148 l2cap_pi(l->head)->prev_c = sk; 212 if (!chan)
213 return NULL;
149 214
150 l2cap_pi(sk)->next_c = l->head; 215 chan->sk = sk;
151 l2cap_pi(sk)->prev_c = NULL;
152 l->head = sk;
153}
154 216
155static inline void l2cap_chan_unlink(struct l2cap_chan_list *l, struct sock *sk) 217 write_lock_bh(&chan_list_lock);
156{ 218 list_add(&chan->global_l, &chan_list);
157 struct sock *next = l2cap_pi(sk)->next_c, *prev = l2cap_pi(sk)->prev_c; 219 write_unlock_bh(&chan_list_lock);
158 220
159 write_lock_bh(&l->lock); 221 return chan;
160 if (sk == l->head) 222}
161 l->head = next;
162 223
163 if (next) 224void l2cap_chan_destroy(struct l2cap_chan *chan)
164 l2cap_pi(next)->prev_c = prev; 225{
165 if (prev) 226 write_lock_bh(&chan_list_lock);
166 l2cap_pi(prev)->next_c = next; 227 list_del(&chan->global_l);
167 write_unlock_bh(&l->lock); 228 write_unlock_bh(&chan_list_lock);
168 229
169 __sock_put(sk); 230 kfree(chan);
170} 231}
171 232
172static void __l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent) 233static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
173{ 234{
174 struct l2cap_chan_list *l = &conn->chan_list; 235 struct sock *sk = chan->sk;
175 236
176 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn, 237 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
177 l2cap_pi(sk)->psm, l2cap_pi(sk)->dcid); 238 chan->psm, chan->dcid);
178 239
179 conn->disc_reason = 0x13; 240 conn->disc_reason = 0x13;
180 241
181 l2cap_pi(sk)->conn = conn; 242 chan->conn = conn;
182 243
183 if (sk->sk_type == SOCK_SEQPACKET || sk->sk_type == SOCK_STREAM) { 244 if (sk->sk_type == SOCK_SEQPACKET || sk->sk_type == SOCK_STREAM) {
184 if (conn->hcon->type == LE_LINK) { 245 if (conn->hcon->type == LE_LINK) {
185 /* LE connection */ 246 /* LE connection */
186 l2cap_pi(sk)->omtu = L2CAP_LE_DEFAULT_MTU; 247 chan->omtu = L2CAP_LE_DEFAULT_MTU;
187 l2cap_pi(sk)->scid = L2CAP_CID_LE_DATA; 248 chan->scid = L2CAP_CID_LE_DATA;
188 l2cap_pi(sk)->dcid = L2CAP_CID_LE_DATA; 249 chan->dcid = L2CAP_CID_LE_DATA;
189 } else { 250 } else {
190 /* Alloc CID for connection-oriented socket */ 251 /* Alloc CID for connection-oriented socket */
191 l2cap_pi(sk)->scid = l2cap_alloc_cid(l); 252 chan->scid = l2cap_alloc_cid(conn);
192 l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU; 253 chan->omtu = L2CAP_DEFAULT_MTU;
193 } 254 }
194 } else if (sk->sk_type == SOCK_DGRAM) { 255 } else if (sk->sk_type == SOCK_DGRAM) {
195 /* Connectionless socket */ 256 /* Connectionless socket */
196 l2cap_pi(sk)->scid = L2CAP_CID_CONN_LESS; 257 chan->scid = L2CAP_CID_CONN_LESS;
197 l2cap_pi(sk)->dcid = L2CAP_CID_CONN_LESS; 258 chan->dcid = L2CAP_CID_CONN_LESS;
198 l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU; 259 chan->omtu = L2CAP_DEFAULT_MTU;
199 } else { 260 } else {
200 /* Raw socket can send/recv signalling messages only */ 261 /* Raw socket can send/recv signalling messages only */
201 l2cap_pi(sk)->scid = L2CAP_CID_SIGNALING; 262 chan->scid = L2CAP_CID_SIGNALING;
202 l2cap_pi(sk)->dcid = L2CAP_CID_SIGNALING; 263 chan->dcid = L2CAP_CID_SIGNALING;
203 l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU; 264 chan->omtu = L2CAP_DEFAULT_MTU;
204 } 265 }
205 266
206 __l2cap_chan_link(l, sk); 267 sock_hold(sk);
207 268
208 if (parent) 269 list_add(&chan->list, &conn->chan_l);
209 bt_accept_enqueue(parent, sk);
210} 270}
211 271
212/* Delete channel. 272/* Delete channel.
213 * Must be called on the locked socket. */ 273 * Must be called on the locked socket. */
214void l2cap_chan_del(struct sock *sk, int err) 274void l2cap_chan_del(struct l2cap_chan *chan, int err)
215{ 275{
216 struct l2cap_conn *conn = l2cap_pi(sk)->conn; 276 struct sock *sk = chan->sk;
277 struct l2cap_conn *conn = chan->conn;
217 struct sock *parent = bt_sk(sk)->parent; 278 struct sock *parent = bt_sk(sk)->parent;
218 279
219 l2cap_sock_clear_timer(sk); 280 l2cap_sock_clear_timer(sk);
220 281
221 BT_DBG("sk %p, conn %p, err %d", sk, conn, err); 282 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
222 283
223 if (conn) { 284 if (conn) {
224 /* Unlink from channel list */ 285 /* Delete from channel list */
225 l2cap_chan_unlink(&conn->chan_list, sk); 286 write_lock_bh(&conn->chan_lock);
226 l2cap_pi(sk)->conn = NULL; 287 list_del(&chan->list);
288 write_unlock_bh(&conn->chan_lock);
289 __sock_put(sk);
290
291 chan->conn = NULL;
227 hci_conn_put(conn->hcon); 292 hci_conn_put(conn->hcon);
228 } 293 }
229 294
@@ -239,29 +304,35 @@ void l2cap_chan_del(struct sock *sk, int err)
239 } else 304 } else
240 sk->sk_state_change(sk); 305 sk->sk_state_change(sk);
241 306
242 skb_queue_purge(TX_QUEUE(sk)); 307 if (!(chan->conf_state & L2CAP_CONF_OUTPUT_DONE &&
308 chan->conf_state & L2CAP_CONF_INPUT_DONE))
309 return;
310
311 skb_queue_purge(&chan->tx_q);
243 312
244 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM) { 313 if (chan->mode == L2CAP_MODE_ERTM) {
245 struct srej_list *l, *tmp; 314 struct srej_list *l, *tmp;
246 315
247 del_timer(&l2cap_pi(sk)->retrans_timer); 316 del_timer(&chan->retrans_timer);
248 del_timer(&l2cap_pi(sk)->monitor_timer); 317 del_timer(&chan->monitor_timer);
249 del_timer(&l2cap_pi(sk)->ack_timer); 318 del_timer(&chan->ack_timer);
250 319
251 skb_queue_purge(SREJ_QUEUE(sk)); 320 skb_queue_purge(&chan->srej_q);
252 skb_queue_purge(BUSY_QUEUE(sk)); 321 skb_queue_purge(&chan->busy_q);
253 322
254 list_for_each_entry_safe(l, tmp, SREJ_LIST(sk), list) { 323 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
255 list_del(&l->list); 324 list_del(&l->list);
256 kfree(l); 325 kfree(l);
257 } 326 }
258 } 327 }
259} 328}
260 329
261static inline u8 l2cap_get_auth_type(struct sock *sk) 330static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
262{ 331{
332 struct sock *sk = chan->sk;
333
263 if (sk->sk_type == SOCK_RAW) { 334 if (sk->sk_type == SOCK_RAW) {
264 switch (l2cap_pi(sk)->sec_level) { 335 switch (chan->sec_level) {
265 case BT_SECURITY_HIGH: 336 case BT_SECURITY_HIGH:
266 return HCI_AT_DEDICATED_BONDING_MITM; 337 return HCI_AT_DEDICATED_BONDING_MITM;
267 case BT_SECURITY_MEDIUM: 338 case BT_SECURITY_MEDIUM:
@@ -269,16 +340,16 @@ static inline u8 l2cap_get_auth_type(struct sock *sk)
269 default: 340 default:
270 return HCI_AT_NO_BONDING; 341 return HCI_AT_NO_BONDING;
271 } 342 }
272 } else if (l2cap_pi(sk)->psm == cpu_to_le16(0x0001)) { 343 } else if (chan->psm == cpu_to_le16(0x0001)) {
273 if (l2cap_pi(sk)->sec_level == BT_SECURITY_LOW) 344 if (chan->sec_level == BT_SECURITY_LOW)
274 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP; 345 chan->sec_level = BT_SECURITY_SDP;
275 346
276 if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH) 347 if (chan->sec_level == BT_SECURITY_HIGH)
277 return HCI_AT_NO_BONDING_MITM; 348 return HCI_AT_NO_BONDING_MITM;
278 else 349 else
279 return HCI_AT_NO_BONDING; 350 return HCI_AT_NO_BONDING;
280 } else { 351 } else {
281 switch (l2cap_pi(sk)->sec_level) { 352 switch (chan->sec_level) {
282 case BT_SECURITY_HIGH: 353 case BT_SECURITY_HIGH:
283 return HCI_AT_GENERAL_BONDING_MITM; 354 return HCI_AT_GENERAL_BONDING_MITM;
284 case BT_SECURITY_MEDIUM: 355 case BT_SECURITY_MEDIUM:
@@ -290,15 +361,14 @@ static inline u8 l2cap_get_auth_type(struct sock *sk)
290} 361}
291 362
292/* Service level security */ 363/* Service level security */
293static inline int l2cap_check_security(struct sock *sk) 364static inline int l2cap_check_security(struct l2cap_chan *chan)
294{ 365{
295 struct l2cap_conn *conn = l2cap_pi(sk)->conn; 366 struct l2cap_conn *conn = chan->conn;
296 __u8 auth_type; 367 __u8 auth_type;
297 368
298 auth_type = l2cap_get_auth_type(sk); 369 auth_type = l2cap_get_auth_type(chan);
299 370
300 return hci_conn_security(conn->hcon, l2cap_pi(sk)->sec_level, 371 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
301 auth_type);
302} 372}
303 373
304u8 l2cap_get_ident(struct l2cap_conn *conn) 374u8 l2cap_get_ident(struct l2cap_conn *conn)
@@ -341,11 +411,12 @@ void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *d
341 hci_send_acl(conn->hcon, skb, flags); 411 hci_send_acl(conn->hcon, skb, flags);
342} 412}
343 413
344static inline void l2cap_send_sframe(struct l2cap_pinfo *pi, u16 control) 414static inline void l2cap_send_sframe(struct l2cap_chan *chan, u16 control)
345{ 415{
346 struct sk_buff *skb; 416 struct sk_buff *skb;
347 struct l2cap_hdr *lh; 417 struct l2cap_hdr *lh;
348 struct l2cap_conn *conn = pi->conn; 418 struct l2cap_pinfo *pi = l2cap_pi(chan->sk);
419 struct l2cap_conn *conn = chan->conn;
349 struct sock *sk = (struct sock *)pi; 420 struct sock *sk = (struct sock *)pi;
350 int count, hlen = L2CAP_HDR_SIZE + 2; 421 int count, hlen = L2CAP_HDR_SIZE + 2;
351 u8 flags; 422 u8 flags;
@@ -353,22 +424,22 @@ static inline void l2cap_send_sframe(struct l2cap_pinfo *pi, u16 control)
353 if (sk->sk_state != BT_CONNECTED) 424 if (sk->sk_state != BT_CONNECTED)
354 return; 425 return;
355 426
356 if (pi->fcs == L2CAP_FCS_CRC16) 427 if (chan->fcs == L2CAP_FCS_CRC16)
357 hlen += 2; 428 hlen += 2;
358 429
359 BT_DBG("pi %p, control 0x%2.2x", pi, control); 430 BT_DBG("chan %p, control 0x%2.2x", chan, control);
360 431
361 count = min_t(unsigned int, conn->mtu, hlen); 432 count = min_t(unsigned int, conn->mtu, hlen);
362 control |= L2CAP_CTRL_FRAME_TYPE; 433 control |= L2CAP_CTRL_FRAME_TYPE;
363 434
364 if (pi->conn_state & L2CAP_CONN_SEND_FBIT) { 435 if (chan->conn_state & L2CAP_CONN_SEND_FBIT) {
365 control |= L2CAP_CTRL_FINAL; 436 control |= L2CAP_CTRL_FINAL;
366 pi->conn_state &= ~L2CAP_CONN_SEND_FBIT; 437 chan->conn_state &= ~L2CAP_CONN_SEND_FBIT;
367 } 438 }
368 439
369 if (pi->conn_state & L2CAP_CONN_SEND_PBIT) { 440 if (chan->conn_state & L2CAP_CONN_SEND_PBIT) {
370 control |= L2CAP_CTRL_POLL; 441 control |= L2CAP_CTRL_POLL;
371 pi->conn_state &= ~L2CAP_CONN_SEND_PBIT; 442 chan->conn_state &= ~L2CAP_CONN_SEND_PBIT;
372 } 443 }
373 444
374 skb = bt_skb_alloc(count, GFP_ATOMIC); 445 skb = bt_skb_alloc(count, GFP_ATOMIC);
@@ -377,10 +448,10 @@ static inline void l2cap_send_sframe(struct l2cap_pinfo *pi, u16 control)
377 448
378 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE); 449 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
379 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE); 450 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
380 lh->cid = cpu_to_le16(pi->dcid); 451 lh->cid = cpu_to_le16(chan->dcid);
381 put_unaligned_le16(control, skb_put(skb, 2)); 452 put_unaligned_le16(control, skb_put(skb, 2));
382 453
383 if (pi->fcs == L2CAP_FCS_CRC16) { 454 if (chan->fcs == L2CAP_FCS_CRC16) {
384 u16 fcs = crc16(0, (u8 *)lh, count - 2); 455 u16 fcs = crc16(0, (u8 *)lh, count - 2);
385 put_unaligned_le16(fcs, skb_put(skb, 2)); 456 put_unaligned_le16(fcs, skb_put(skb, 2));
386 } 457 }
@@ -390,45 +461,46 @@ static inline void l2cap_send_sframe(struct l2cap_pinfo *pi, u16 control)
390 else 461 else
391 flags = ACL_START; 462 flags = ACL_START;
392 463
393 hci_send_acl(pi->conn->hcon, skb, flags); 464 hci_send_acl(chan->conn->hcon, skb, flags);
394} 465}
395 466
396static inline void l2cap_send_rr_or_rnr(struct l2cap_pinfo *pi, u16 control) 467static inline void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, u16 control)
397{ 468{
398 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) { 469 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
399 control |= L2CAP_SUPER_RCV_NOT_READY; 470 control |= L2CAP_SUPER_RCV_NOT_READY;
400 pi->conn_state |= L2CAP_CONN_RNR_SENT; 471 chan->conn_state |= L2CAP_CONN_RNR_SENT;
401 } else 472 } else
402 control |= L2CAP_SUPER_RCV_READY; 473 control |= L2CAP_SUPER_RCV_READY;
403 474
404 control |= pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT; 475 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
405 476
406 l2cap_send_sframe(pi, control); 477 l2cap_send_sframe(chan, control);
407} 478}
408 479
409static inline int __l2cap_no_conn_pending(struct sock *sk) 480static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
410{ 481{
411 return !(l2cap_pi(sk)->conf_state & L2CAP_CONF_CONNECT_PEND); 482 return !(chan->conf_state & L2CAP_CONF_CONNECT_PEND);
412} 483}
413 484
414static void l2cap_do_start(struct sock *sk) 485static void l2cap_do_start(struct l2cap_chan *chan)
415{ 486{
416 struct l2cap_conn *conn = l2cap_pi(sk)->conn; 487 struct l2cap_conn *conn = chan->conn;
417 488
418 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) { 489 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
419 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)) 490 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
420 return; 491 return;
421 492
422 if (l2cap_check_security(sk) && __l2cap_no_conn_pending(sk)) { 493 if (l2cap_check_security(chan) &&
494 __l2cap_no_conn_pending(chan)) {
423 struct l2cap_conn_req req; 495 struct l2cap_conn_req req;
424 req.scid = cpu_to_le16(l2cap_pi(sk)->scid); 496 req.scid = cpu_to_le16(chan->scid);
425 req.psm = l2cap_pi(sk)->psm; 497 req.psm = chan->psm;
426 498
427 l2cap_pi(sk)->ident = l2cap_get_ident(conn); 499 chan->ident = l2cap_get_ident(conn);
428 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND; 500 chan->conf_state |= L2CAP_CONF_CONNECT_PEND;
429 501
430 l2cap_send_cmd(conn, l2cap_pi(sk)->ident, 502 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
431 L2CAP_CONN_REQ, sizeof(req), &req); 503 sizeof(req), &req);
432 } 504 }
433 } else { 505 } else {
434 struct l2cap_info_req req; 506 struct l2cap_info_req req;
@@ -461,23 +533,24 @@ static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
461 } 533 }
462} 534}
463 535
464void l2cap_send_disconn_req(struct l2cap_conn *conn, struct sock *sk, int err) 536void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
465{ 537{
538 struct sock *sk;
466 struct l2cap_disconn_req req; 539 struct l2cap_disconn_req req;
467 540
468 if (!conn) 541 if (!conn)
469 return; 542 return;
470 543
471 skb_queue_purge(TX_QUEUE(sk)); 544 sk = chan->sk;
472 545
473 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM) { 546 if (chan->mode == L2CAP_MODE_ERTM) {
474 del_timer(&l2cap_pi(sk)->retrans_timer); 547 del_timer(&chan->retrans_timer);
475 del_timer(&l2cap_pi(sk)->monitor_timer); 548 del_timer(&chan->monitor_timer);
476 del_timer(&l2cap_pi(sk)->ack_timer); 549 del_timer(&chan->ack_timer);
477 } 550 }
478 551
479 req.dcid = cpu_to_le16(l2cap_pi(sk)->dcid); 552 req.dcid = cpu_to_le16(chan->dcid);
480 req.scid = cpu_to_le16(l2cap_pi(sk)->scid); 553 req.scid = cpu_to_le16(chan->scid);
481 l2cap_send_cmd(conn, l2cap_get_ident(conn), 554 l2cap_send_cmd(conn, l2cap_get_ident(conn),
482 L2CAP_DISCONN_REQ, sizeof(req), &req); 555 L2CAP_DISCONN_REQ, sizeof(req), &req);
483 556
@@ -488,17 +561,15 @@ void l2cap_send_disconn_req(struct l2cap_conn *conn, struct sock *sk, int err)
488/* ---- L2CAP connections ---- */ 561/* ---- L2CAP connections ---- */
489static void l2cap_conn_start(struct l2cap_conn *conn) 562static void l2cap_conn_start(struct l2cap_conn *conn)
490{ 563{
491 struct l2cap_chan_list *l = &conn->chan_list; 564 struct l2cap_chan *chan, *tmp;
492 struct sock_del_list del, *tmp1, *tmp2;
493 struct sock *sk;
494 565
495 BT_DBG("conn %p", conn); 566 BT_DBG("conn %p", conn);
496 567
497 INIT_LIST_HEAD(&del.list); 568 read_lock(&conn->chan_lock);
498 569
499 read_lock(&l->lock); 570 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
571 struct sock *sk = chan->sk;
500 572
501 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
502 bh_lock_sock(sk); 573 bh_lock_sock(sk);
503 574
504 if (sk->sk_type != SOCK_SEQPACKET && 575 if (sk->sk_type != SOCK_SEQPACKET &&
@@ -510,40 +581,41 @@ static void l2cap_conn_start(struct l2cap_conn *conn)
510 if (sk->sk_state == BT_CONNECT) { 581 if (sk->sk_state == BT_CONNECT) {
511 struct l2cap_conn_req req; 582 struct l2cap_conn_req req;
512 583
513 if (!l2cap_check_security(sk) || 584 if (!l2cap_check_security(chan) ||
514 !__l2cap_no_conn_pending(sk)) { 585 !__l2cap_no_conn_pending(chan)) {
515 bh_unlock_sock(sk); 586 bh_unlock_sock(sk);
516 continue; 587 continue;
517 } 588 }
518 589
519 if (!l2cap_mode_supported(l2cap_pi(sk)->mode, 590 if (!l2cap_mode_supported(chan->mode,
520 conn->feat_mask) 591 conn->feat_mask)
521 && l2cap_pi(sk)->conf_state & 592 && chan->conf_state &
522 L2CAP_CONF_STATE2_DEVICE) { 593 L2CAP_CONF_STATE2_DEVICE) {
523 tmp1 = kzalloc(sizeof(struct sock_del_list), 594 /* __l2cap_sock_close() calls list_del(chan)
524 GFP_ATOMIC); 595 * so release the lock */
525 tmp1->sk = sk; 596 read_unlock_bh(&conn->chan_lock);
526 list_add_tail(&tmp1->list, &del.list); 597 __l2cap_sock_close(sk, ECONNRESET);
598 read_lock_bh(&conn->chan_lock);
527 bh_unlock_sock(sk); 599 bh_unlock_sock(sk);
528 continue; 600 continue;
529 } 601 }
530 602
531 req.scid = cpu_to_le16(l2cap_pi(sk)->scid); 603 req.scid = cpu_to_le16(chan->scid);
532 req.psm = l2cap_pi(sk)->psm; 604 req.psm = chan->psm;
533 605
534 l2cap_pi(sk)->ident = l2cap_get_ident(conn); 606 chan->ident = l2cap_get_ident(conn);
535 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND; 607 chan->conf_state |= L2CAP_CONF_CONNECT_PEND;
536 608
537 l2cap_send_cmd(conn, l2cap_pi(sk)->ident, 609 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
538 L2CAP_CONN_REQ, sizeof(req), &req); 610 sizeof(req), &req);
539 611
540 } else if (sk->sk_state == BT_CONNECT2) { 612 } else if (sk->sk_state == BT_CONNECT2) {
541 struct l2cap_conn_rsp rsp; 613 struct l2cap_conn_rsp rsp;
542 char buf[128]; 614 char buf[128];
543 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid); 615 rsp.scid = cpu_to_le16(chan->dcid);
544 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid); 616 rsp.dcid = cpu_to_le16(chan->scid);
545 617
546 if (l2cap_check_security(sk)) { 618 if (l2cap_check_security(chan)) {
547 if (bt_sk(sk)->defer_setup) { 619 if (bt_sk(sk)->defer_setup) {
548 struct sock *parent = bt_sk(sk)->parent; 620 struct sock *parent = bt_sk(sk)->parent;
549 rsp.result = cpu_to_le16(L2CAP_CR_PEND); 621 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
@@ -560,80 +632,77 @@ static void l2cap_conn_start(struct l2cap_conn *conn)
560 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND); 632 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
561 } 633 }
562 634
563 l2cap_send_cmd(conn, l2cap_pi(sk)->ident, 635 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
564 L2CAP_CONN_RSP, sizeof(rsp), &rsp); 636 sizeof(rsp), &rsp);
565 637
566 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT || 638 if (chan->conf_state & L2CAP_CONF_REQ_SENT ||
567 rsp.result != L2CAP_CR_SUCCESS) { 639 rsp.result != L2CAP_CR_SUCCESS) {
568 bh_unlock_sock(sk); 640 bh_unlock_sock(sk);
569 continue; 641 continue;
570 } 642 }
571 643
572 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT; 644 chan->conf_state |= L2CAP_CONF_REQ_SENT;
573 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, 645 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
574 l2cap_build_conf_req(sk, buf), buf); 646 l2cap_build_conf_req(chan, buf), buf);
575 l2cap_pi(sk)->num_conf_req++; 647 chan->num_conf_req++;
576 } 648 }
577 649
578 bh_unlock_sock(sk); 650 bh_unlock_sock(sk);
579 } 651 }
580 652
581 read_unlock(&l->lock); 653 read_unlock(&conn->chan_lock);
582
583 list_for_each_entry_safe(tmp1, tmp2, &del.list, list) {
584 bh_lock_sock(tmp1->sk);
585 __l2cap_sock_close(tmp1->sk, ECONNRESET);
586 bh_unlock_sock(tmp1->sk);
587 list_del(&tmp1->list);
588 kfree(tmp1);
589 }
590} 654}
591 655
592/* Find socket with cid and source bdaddr. 656/* Find socket with cid and source bdaddr.
593 * Returns closest match, locked. 657 * Returns closest match, locked.
594 */ 658 */
595static struct sock *l2cap_get_sock_by_scid(int state, __le16 cid, bdaddr_t *src) 659static struct l2cap_chan *l2cap_global_chan_by_scid(int state, __le16 cid, bdaddr_t *src)
596{ 660{
597 struct sock *s, *sk = NULL, *sk1 = NULL; 661 struct l2cap_chan *c, *c1 = NULL;
598 struct hlist_node *node; 662
663 read_lock(&chan_list_lock);
599 664
600 read_lock(&l2cap_sk_list.lock); 665 list_for_each_entry(c, &chan_list, global_l) {
666 struct sock *sk = c->sk;
601 667
602 sk_for_each(sk, node, &l2cap_sk_list.head) {
603 if (state && sk->sk_state != state) 668 if (state && sk->sk_state != state)
604 continue; 669 continue;
605 670
606 if (l2cap_pi(sk)->scid == cid) { 671 if (c->scid == cid) {
607 /* Exact match. */ 672 /* Exact match. */
608 if (!bacmp(&bt_sk(sk)->src, src)) 673 if (!bacmp(&bt_sk(sk)->src, src)) {
609 break; 674 read_unlock(&chan_list_lock);
675 return c;
676 }
610 677
611 /* Closest match */ 678 /* Closest match */
612 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) 679 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
613 sk1 = sk; 680 c1 = c;
614 } 681 }
615 } 682 }
616 s = node ? sk : sk1;
617 if (s)
618 bh_lock_sock(s);
619 read_unlock(&l2cap_sk_list.lock);
620 683
621 return s; 684 read_unlock(&chan_list_lock);
685
686 return c1;
622} 687}
623 688
624static void l2cap_le_conn_ready(struct l2cap_conn *conn) 689static void l2cap_le_conn_ready(struct l2cap_conn *conn)
625{ 690{
626 struct l2cap_chan_list *list = &conn->chan_list; 691 struct sock *parent, *sk;
627 struct sock *parent, *uninitialized_var(sk); 692 struct l2cap_chan *chan, *pchan;
628 693
629 BT_DBG(""); 694 BT_DBG("");
630 695
631 /* Check if we have socket listening on cid */ 696 /* Check if we have socket listening on cid */
632 parent = l2cap_get_sock_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA, 697 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
633 conn->src); 698 conn->src);
634 if (!parent) 699 if (!pchan)
635 return; 700 return;
636 701
702 parent = pchan->sk;
703
704 bh_lock_sock(parent);
705
637 /* Check for backlog size */ 706 /* Check for backlog size */
638 if (sk_acceptq_is_full(parent)) { 707 if (sk_acceptq_is_full(parent)) {
639 BT_DBG("backlog full %d", parent->sk_ack_backlog); 708 BT_DBG("backlog full %d", parent->sk_ack_backlog);
@@ -644,22 +713,33 @@ static void l2cap_le_conn_ready(struct l2cap_conn *conn)
644 if (!sk) 713 if (!sk)
645 goto clean; 714 goto clean;
646 715
647 write_lock_bh(&list->lock); 716 chan = l2cap_chan_create(sk);
717 if (!chan) {
718 l2cap_sock_kill(sk);
719 goto clean;
720 }
721
722 l2cap_pi(sk)->chan = chan;
723
724 write_lock_bh(&conn->chan_lock);
648 725
649 hci_conn_hold(conn->hcon); 726 hci_conn_hold(conn->hcon);
650 727
651 l2cap_sock_init(sk, parent); 728 l2cap_sock_init(sk, parent);
729
652 bacpy(&bt_sk(sk)->src, conn->src); 730 bacpy(&bt_sk(sk)->src, conn->src);
653 bacpy(&bt_sk(sk)->dst, conn->dst); 731 bacpy(&bt_sk(sk)->dst, conn->dst);
654 732
655 __l2cap_chan_add(conn, sk, parent); 733 bt_accept_enqueue(parent, sk);
734
735 __l2cap_chan_add(conn, chan);
656 736
657 l2cap_sock_set_timer(sk, sk->sk_sndtimeo); 737 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
658 738
659 sk->sk_state = BT_CONNECTED; 739 sk->sk_state = BT_CONNECTED;
660 parent->sk_data_ready(parent, 0); 740 parent->sk_data_ready(parent, 0);
661 741
662 write_unlock_bh(&list->lock); 742 write_unlock_bh(&conn->chan_lock);
663 743
664clean: 744clean:
665 bh_unlock_sock(parent); 745 bh_unlock_sock(parent);
@@ -667,17 +747,18 @@ clean:
667 747
668static void l2cap_conn_ready(struct l2cap_conn *conn) 748static void l2cap_conn_ready(struct l2cap_conn *conn)
669{ 749{
670 struct l2cap_chan_list *l = &conn->chan_list; 750 struct l2cap_chan *chan;
671 struct sock *sk;
672 751
673 BT_DBG("conn %p", conn); 752 BT_DBG("conn %p", conn);
674 753
675 if (!conn->hcon->out && conn->hcon->type == LE_LINK) 754 if (!conn->hcon->out && conn->hcon->type == LE_LINK)
676 l2cap_le_conn_ready(conn); 755 l2cap_le_conn_ready(conn);
677 756
678 read_lock(&l->lock); 757 read_lock(&conn->chan_lock);
758
759 list_for_each_entry(chan, &conn->chan_l, list) {
760 struct sock *sk = chan->sk;
679 761
680 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
681 bh_lock_sock(sk); 762 bh_lock_sock(sk);
682 763
683 if (conn->hcon->type == LE_LINK) { 764 if (conn->hcon->type == LE_LINK) {
@@ -692,30 +773,31 @@ static void l2cap_conn_ready(struct l2cap_conn *conn)
692 sk->sk_state = BT_CONNECTED; 773 sk->sk_state = BT_CONNECTED;
693 sk->sk_state_change(sk); 774 sk->sk_state_change(sk);
694 } else if (sk->sk_state == BT_CONNECT) 775 } else if (sk->sk_state == BT_CONNECT)
695 l2cap_do_start(sk); 776 l2cap_do_start(chan);
696 777
697 bh_unlock_sock(sk); 778 bh_unlock_sock(sk);
698 } 779 }
699 780
700 read_unlock(&l->lock); 781 read_unlock(&conn->chan_lock);
701} 782}
702 783
703/* Notify sockets that we cannot guaranty reliability anymore */ 784/* Notify sockets that we cannot guaranty reliability anymore */
704static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err) 785static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
705{ 786{
706 struct l2cap_chan_list *l = &conn->chan_list; 787 struct l2cap_chan *chan;
707 struct sock *sk;
708 788
709 BT_DBG("conn %p", conn); 789 BT_DBG("conn %p", conn);
710 790
711 read_lock(&l->lock); 791 read_lock(&conn->chan_lock);
712 792
713 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) { 793 list_for_each_entry(chan, &conn->chan_l, list) {
714 if (l2cap_pi(sk)->force_reliable) 794 struct sock *sk = chan->sk;
795
796 if (chan->force_reliable)
715 sk->sk_err = err; 797 sk->sk_err = err;
716 } 798 }
717 799
718 read_unlock(&l->lock); 800 read_unlock(&conn->chan_lock);
719} 801}
720 802
721static void l2cap_info_timeout(unsigned long arg) 803static void l2cap_info_timeout(unsigned long arg)
@@ -755,7 +837,9 @@ static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
755 conn->feat_mask = 0; 837 conn->feat_mask = 0;
756 838
757 spin_lock_init(&conn->lock); 839 spin_lock_init(&conn->lock);
758 rwlock_init(&conn->chan_list.lock); 840 rwlock_init(&conn->chan_lock);
841
842 INIT_LIST_HEAD(&conn->chan_l);
759 843
760 if (hcon->type != LE_LINK) 844 if (hcon->type != LE_LINK)
761 setup_timer(&conn->info_timer, l2cap_info_timeout, 845 setup_timer(&conn->info_timer, l2cap_info_timeout,
@@ -769,6 +853,7 @@ static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
769static void l2cap_conn_del(struct hci_conn *hcon, int err) 853static void l2cap_conn_del(struct hci_conn *hcon, int err)
770{ 854{
771 struct l2cap_conn *conn = hcon->l2cap_data; 855 struct l2cap_conn *conn = hcon->l2cap_data;
856 struct l2cap_chan *chan, *l;
772 struct sock *sk; 857 struct sock *sk;
773 858
774 if (!conn) 859 if (!conn)
@@ -779,9 +864,10 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err)
779 kfree_skb(conn->rx_skb); 864 kfree_skb(conn->rx_skb);
780 865
781 /* Kill channels */ 866 /* Kill channels */
782 while ((sk = conn->chan_list.head)) { 867 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
868 sk = chan->sk;
783 bh_lock_sock(sk); 869 bh_lock_sock(sk);
784 l2cap_chan_del(sk, err); 870 l2cap_chan_del(chan, err);
785 bh_unlock_sock(sk); 871 bh_unlock_sock(sk);
786 l2cap_sock_kill(sk); 872 l2cap_sock_kill(sk);
787 } 873 }
@@ -793,12 +879,11 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err)
793 kfree(conn); 879 kfree(conn);
794} 880}
795 881
796static inline void l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent) 882static inline void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
797{ 883{
798 struct l2cap_chan_list *l = &conn->chan_list; 884 write_lock_bh(&conn->chan_lock);
799 write_lock_bh(&l->lock); 885 __l2cap_chan_add(conn, chan);
800 __l2cap_chan_add(conn, sk, parent); 886 write_unlock_bh(&conn->chan_lock);
801 write_unlock_bh(&l->lock);
802} 887}
803 888
804/* ---- Socket interface ---- */ 889/* ---- Socket interface ---- */
@@ -806,35 +891,39 @@ static inline void l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, stru
806/* Find socket with psm and source bdaddr. 891/* Find socket with psm and source bdaddr.
807 * Returns closest match. 892 * Returns closest match.
808 */ 893 */
809static struct sock *l2cap_get_sock_by_psm(int state, __le16 psm, bdaddr_t *src) 894static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm, bdaddr_t *src)
810{ 895{
811 struct sock *sk = NULL, *sk1 = NULL; 896 struct l2cap_chan *c, *c1 = NULL;
812 struct hlist_node *node;
813 897
814 read_lock(&l2cap_sk_list.lock); 898 read_lock(&chan_list_lock);
899
900 list_for_each_entry(c, &chan_list, global_l) {
901 struct sock *sk = c->sk;
815 902
816 sk_for_each(sk, node, &l2cap_sk_list.head) {
817 if (state && sk->sk_state != state) 903 if (state && sk->sk_state != state)
818 continue; 904 continue;
819 905
820 if (l2cap_pi(sk)->psm == psm) { 906 if (c->psm == psm) {
821 /* Exact match. */ 907 /* Exact match. */
822 if (!bacmp(&bt_sk(sk)->src, src)) 908 if (!bacmp(&bt_sk(sk)->src, src)) {
823 break; 909 read_unlock_bh(&chan_list_lock);
910 return c;
911 }
824 912
825 /* Closest match */ 913 /* Closest match */
826 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) 914 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
827 sk1 = sk; 915 c1 = c;
828 } 916 }
829 } 917 }
830 918
831 read_unlock(&l2cap_sk_list.lock); 919 read_unlock(&chan_list_lock);
832 920
833 return node ? sk : sk1; 921 return c1;
834} 922}
835 923
836int l2cap_do_connect(struct sock *sk) 924int l2cap_chan_connect(struct l2cap_chan *chan)
837{ 925{
926 struct sock *sk = chan->sk;
838 bdaddr_t *src = &bt_sk(sk)->src; 927 bdaddr_t *src = &bt_sk(sk)->src;
839 bdaddr_t *dst = &bt_sk(sk)->dst; 928 bdaddr_t *dst = &bt_sk(sk)->dst;
840 struct l2cap_conn *conn; 929 struct l2cap_conn *conn;
@@ -844,7 +933,7 @@ int l2cap_do_connect(struct sock *sk)
844 int err; 933 int err;
845 934
846 BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst), 935 BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
847 l2cap_pi(sk)->psm); 936 chan->psm);
848 937
849 hdev = hci_get_route(dst, src); 938 hdev = hci_get_route(dst, src);
850 if (!hdev) 939 if (!hdev)
@@ -852,14 +941,14 @@ int l2cap_do_connect(struct sock *sk)
852 941
853 hci_dev_lock_bh(hdev); 942 hci_dev_lock_bh(hdev);
854 943
855 auth_type = l2cap_get_auth_type(sk); 944 auth_type = l2cap_get_auth_type(chan);
856 945
857 if (l2cap_pi(sk)->dcid == L2CAP_CID_LE_DATA) 946 if (chan->dcid == L2CAP_CID_LE_DATA)
858 hcon = hci_connect(hdev, LE_LINK, dst, 947 hcon = hci_connect(hdev, LE_LINK, dst,
859 l2cap_pi(sk)->sec_level, auth_type); 948 chan->sec_level, auth_type);
860 else 949 else
861 hcon = hci_connect(hdev, ACL_LINK, dst, 950 hcon = hci_connect(hdev, ACL_LINK, dst,
862 l2cap_pi(sk)->sec_level, auth_type); 951 chan->sec_level, auth_type);
863 952
864 if (IS_ERR(hcon)) { 953 if (IS_ERR(hcon)) {
865 err = PTR_ERR(hcon); 954 err = PTR_ERR(hcon);
@@ -876,7 +965,7 @@ int l2cap_do_connect(struct sock *sk)
876 /* Update source addr of the socket */ 965 /* Update source addr of the socket */
877 bacpy(src, conn->src); 966 bacpy(src, conn->src);
878 967
879 l2cap_chan_add(conn, sk, NULL); 968 l2cap_chan_add(conn, chan);
880 969
881 sk->sk_state = BT_CONNECT; 970 sk->sk_state = BT_CONNECT;
882 l2cap_sock_set_timer(sk, sk->sk_sndtimeo); 971 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
@@ -885,10 +974,10 @@ int l2cap_do_connect(struct sock *sk)
885 if (sk->sk_type != SOCK_SEQPACKET && 974 if (sk->sk_type != SOCK_SEQPACKET &&
886 sk->sk_type != SOCK_STREAM) { 975 sk->sk_type != SOCK_STREAM) {
887 l2cap_sock_clear_timer(sk); 976 l2cap_sock_clear_timer(sk);
888 if (l2cap_check_security(sk)) 977 if (l2cap_check_security(chan))
889 sk->sk_state = BT_CONNECTED; 978 sk->sk_state = BT_CONNECTED;
890 } else 979 } else
891 l2cap_do_start(sk); 980 l2cap_do_start(chan);
892 } 981 }
893 982
894 err = 0; 983 err = 0;
@@ -901,12 +990,13 @@ done:
901 990
902int __l2cap_wait_ack(struct sock *sk) 991int __l2cap_wait_ack(struct sock *sk)
903{ 992{
993 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
904 DECLARE_WAITQUEUE(wait, current); 994 DECLARE_WAITQUEUE(wait, current);
905 int err = 0; 995 int err = 0;
906 int timeo = HZ/5; 996 int timeo = HZ/5;
907 997
908 add_wait_queue(sk_sleep(sk), &wait); 998 add_wait_queue(sk_sleep(sk), &wait);
909 while ((l2cap_pi(sk)->unacked_frames > 0 && l2cap_pi(sk)->conn)) { 999 while ((chan->unacked_frames > 0 && chan->conn)) {
910 set_current_state(TASK_INTERRUPTIBLE); 1000 set_current_state(TASK_INTERRUPTIBLE);
911 1001
912 if (!timeo) 1002 if (!timeo)
@@ -932,68 +1022,69 @@ int __l2cap_wait_ack(struct sock *sk)
932 1022
933static void l2cap_monitor_timeout(unsigned long arg) 1023static void l2cap_monitor_timeout(unsigned long arg)
934{ 1024{
935 struct sock *sk = (void *) arg; 1025 struct l2cap_chan *chan = (void *) arg;
1026 struct sock *sk = chan->sk;
936 1027
937 BT_DBG("sk %p", sk); 1028 BT_DBG("chan %p", chan);
938 1029
939 bh_lock_sock(sk); 1030 bh_lock_sock(sk);
940 if (l2cap_pi(sk)->retry_count >= l2cap_pi(sk)->remote_max_tx) { 1031 if (chan->retry_count >= chan->remote_max_tx) {
941 l2cap_send_disconn_req(l2cap_pi(sk)->conn, sk, ECONNABORTED); 1032 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
942 bh_unlock_sock(sk); 1033 bh_unlock_sock(sk);
943 return; 1034 return;
944 } 1035 }
945 1036
946 l2cap_pi(sk)->retry_count++; 1037 chan->retry_count++;
947 __mod_monitor_timer(); 1038 __mod_monitor_timer();
948 1039
949 l2cap_send_rr_or_rnr(l2cap_pi(sk), L2CAP_CTRL_POLL); 1040 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
950 bh_unlock_sock(sk); 1041 bh_unlock_sock(sk);
951} 1042}
952 1043
953static void l2cap_retrans_timeout(unsigned long arg) 1044static void l2cap_retrans_timeout(unsigned long arg)
954{ 1045{
955 struct sock *sk = (void *) arg; 1046 struct l2cap_chan *chan = (void *) arg;
1047 struct sock *sk = chan->sk;
956 1048
957 BT_DBG("sk %p", sk); 1049 BT_DBG("chan %p", chan);
958 1050
959 bh_lock_sock(sk); 1051 bh_lock_sock(sk);
960 l2cap_pi(sk)->retry_count = 1; 1052 chan->retry_count = 1;
961 __mod_monitor_timer(); 1053 __mod_monitor_timer();
962 1054
963 l2cap_pi(sk)->conn_state |= L2CAP_CONN_WAIT_F; 1055 chan->conn_state |= L2CAP_CONN_WAIT_F;
964 1056
965 l2cap_send_rr_or_rnr(l2cap_pi(sk), L2CAP_CTRL_POLL); 1057 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
966 bh_unlock_sock(sk); 1058 bh_unlock_sock(sk);
967} 1059}
968 1060
969static void l2cap_drop_acked_frames(struct sock *sk) 1061static void l2cap_drop_acked_frames(struct l2cap_chan *chan)
970{ 1062{
971 struct sk_buff *skb; 1063 struct sk_buff *skb;
972 1064
973 while ((skb = skb_peek(TX_QUEUE(sk))) && 1065 while ((skb = skb_peek(&chan->tx_q)) &&
974 l2cap_pi(sk)->unacked_frames) { 1066 chan->unacked_frames) {
975 if (bt_cb(skb)->tx_seq == l2cap_pi(sk)->expected_ack_seq) 1067 if (bt_cb(skb)->tx_seq == chan->expected_ack_seq)
976 break; 1068 break;
977 1069
978 skb = skb_dequeue(TX_QUEUE(sk)); 1070 skb = skb_dequeue(&chan->tx_q);
979 kfree_skb(skb); 1071 kfree_skb(skb);
980 1072
981 l2cap_pi(sk)->unacked_frames--; 1073 chan->unacked_frames--;
982 } 1074 }
983 1075
984 if (!l2cap_pi(sk)->unacked_frames) 1076 if (!chan->unacked_frames)
985 del_timer(&l2cap_pi(sk)->retrans_timer); 1077 del_timer(&chan->retrans_timer);
986} 1078}
987 1079
988void l2cap_do_send(struct sock *sk, struct sk_buff *skb) 1080void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
989{ 1081{
990 struct l2cap_pinfo *pi = l2cap_pi(sk); 1082 struct hci_conn *hcon = chan->conn->hcon;
991 struct hci_conn *hcon = pi->conn->hcon;
992 u16 flags; 1083 u16 flags;
993 1084
994 BT_DBG("sk %p, skb %p len %d", sk, skb, skb->len); 1085 BT_DBG("chan %p, skb %p len %d", chan, skb, skb->len);
995 1086
996 if (!pi->flushable && lmp_no_flush_capable(hcon->hdev)) 1087 if (!chan->flushable && lmp_no_flush_capable(hcon->hdev))
997 flags = ACL_START_NO_FLUSH; 1088 flags = ACL_START_NO_FLUSH;
998 else 1089 else
999 flags = ACL_START; 1090 flags = ACL_START;
@@ -1001,35 +1092,33 @@ void l2cap_do_send(struct sock *sk, struct sk_buff *skb)
1001 hci_send_acl(hcon, skb, flags); 1092 hci_send_acl(hcon, skb, flags);
1002} 1093}
1003 1094
1004void l2cap_streaming_send(struct sock *sk) 1095void l2cap_streaming_send(struct l2cap_chan *chan)
1005{ 1096{
1006 struct sk_buff *skb; 1097 struct sk_buff *skb;
1007 struct l2cap_pinfo *pi = l2cap_pi(sk);
1008 u16 control, fcs; 1098 u16 control, fcs;
1009 1099
1010 while ((skb = skb_dequeue(TX_QUEUE(sk)))) { 1100 while ((skb = skb_dequeue(&chan->tx_q))) {
1011 control = get_unaligned_le16(skb->data + L2CAP_HDR_SIZE); 1101 control = get_unaligned_le16(skb->data + L2CAP_HDR_SIZE);
1012 control |= pi->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT; 1102 control |= chan->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT;
1013 put_unaligned_le16(control, skb->data + L2CAP_HDR_SIZE); 1103 put_unaligned_le16(control, skb->data + L2CAP_HDR_SIZE);
1014 1104
1015 if (pi->fcs == L2CAP_FCS_CRC16) { 1105 if (chan->fcs == L2CAP_FCS_CRC16) {
1016 fcs = crc16(0, (u8 *)skb->data, skb->len - 2); 1106 fcs = crc16(0, (u8 *)skb->data, skb->len - 2);
1017 put_unaligned_le16(fcs, skb->data + skb->len - 2); 1107 put_unaligned_le16(fcs, skb->data + skb->len - 2);
1018 } 1108 }
1019 1109
1020 l2cap_do_send(sk, skb); 1110 l2cap_do_send(chan, skb);
1021 1111
1022 pi->next_tx_seq = (pi->next_tx_seq + 1) % 64; 1112 chan->next_tx_seq = (chan->next_tx_seq + 1) % 64;
1023 } 1113 }
1024} 1114}
1025 1115
1026static void l2cap_retransmit_one_frame(struct sock *sk, u8 tx_seq) 1116static void l2cap_retransmit_one_frame(struct l2cap_chan *chan, u8 tx_seq)
1027{ 1117{
1028 struct l2cap_pinfo *pi = l2cap_pi(sk);
1029 struct sk_buff *skb, *tx_skb; 1118 struct sk_buff *skb, *tx_skb;
1030 u16 control, fcs; 1119 u16 control, fcs;
1031 1120
1032 skb = skb_peek(TX_QUEUE(sk)); 1121 skb = skb_peek(&chan->tx_q);
1033 if (!skb) 1122 if (!skb)
1034 return; 1123 return;
1035 1124
@@ -1037,14 +1126,14 @@ static void l2cap_retransmit_one_frame(struct sock *sk, u8 tx_seq)
1037 if (bt_cb(skb)->tx_seq == tx_seq) 1126 if (bt_cb(skb)->tx_seq == tx_seq)
1038 break; 1127 break;
1039 1128
1040 if (skb_queue_is_last(TX_QUEUE(sk), skb)) 1129 if (skb_queue_is_last(&chan->tx_q, skb))
1041 return; 1130 return;
1042 1131
1043 } while ((skb = skb_queue_next(TX_QUEUE(sk), skb))); 1132 } while ((skb = skb_queue_next(&chan->tx_q, skb)));
1044 1133
1045 if (pi->remote_max_tx && 1134 if (chan->remote_max_tx &&
1046 bt_cb(skb)->retries == pi->remote_max_tx) { 1135 bt_cb(skb)->retries == chan->remote_max_tx) {
1047 l2cap_send_disconn_req(pi->conn, sk, ECONNABORTED); 1136 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
1048 return; 1137 return;
1049 } 1138 }
1050 1139
@@ -1053,39 +1142,39 @@ static void l2cap_retransmit_one_frame(struct sock *sk, u8 tx_seq)
1053 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE); 1142 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
1054 control &= L2CAP_CTRL_SAR; 1143 control &= L2CAP_CTRL_SAR;
1055 1144
1056 if (pi->conn_state & L2CAP_CONN_SEND_FBIT) { 1145 if (chan->conn_state & L2CAP_CONN_SEND_FBIT) {
1057 control |= L2CAP_CTRL_FINAL; 1146 control |= L2CAP_CTRL_FINAL;
1058 pi->conn_state &= ~L2CAP_CONN_SEND_FBIT; 1147 chan->conn_state &= ~L2CAP_CONN_SEND_FBIT;
1059 } 1148 }
1060 1149
1061 control |= (pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT) 1150 control |= (chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1062 | (tx_seq << L2CAP_CTRL_TXSEQ_SHIFT); 1151 | (tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
1063 1152
1064 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE); 1153 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1065 1154
1066 if (pi->fcs == L2CAP_FCS_CRC16) { 1155 if (chan->fcs == L2CAP_FCS_CRC16) {
1067 fcs = crc16(0, (u8 *)tx_skb->data, tx_skb->len - 2); 1156 fcs = crc16(0, (u8 *)tx_skb->data, tx_skb->len - 2);
1068 put_unaligned_le16(fcs, tx_skb->data + tx_skb->len - 2); 1157 put_unaligned_le16(fcs, tx_skb->data + tx_skb->len - 2);
1069 } 1158 }
1070 1159
1071 l2cap_do_send(sk, tx_skb); 1160 l2cap_do_send(chan, tx_skb);
1072} 1161}
1073 1162
1074int l2cap_ertm_send(struct sock *sk) 1163int l2cap_ertm_send(struct l2cap_chan *chan)
1075{ 1164{
1076 struct sk_buff *skb, *tx_skb; 1165 struct sk_buff *skb, *tx_skb;
1077 struct l2cap_pinfo *pi = l2cap_pi(sk); 1166 struct sock *sk = chan->sk;
1078 u16 control, fcs; 1167 u16 control, fcs;
1079 int nsent = 0; 1168 int nsent = 0;
1080 1169
1081 if (sk->sk_state != BT_CONNECTED) 1170 if (sk->sk_state != BT_CONNECTED)
1082 return -ENOTCONN; 1171 return -ENOTCONN;
1083 1172
1084 while ((skb = sk->sk_send_head) && (!l2cap_tx_window_full(sk))) { 1173 while ((skb = chan->tx_send_head) && (!l2cap_tx_window_full(chan))) {
1085 1174
1086 if (pi->remote_max_tx && 1175 if (chan->remote_max_tx &&
1087 bt_cb(skb)->retries == pi->remote_max_tx) { 1176 bt_cb(skb)->retries == chan->remote_max_tx) {
1088 l2cap_send_disconn_req(pi->conn, sk, ECONNABORTED); 1177 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
1089 break; 1178 break;
1090 } 1179 }
1091 1180
@@ -1096,36 +1185,36 @@ int l2cap_ertm_send(struct sock *sk)
1096 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE); 1185 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
1097 control &= L2CAP_CTRL_SAR; 1186 control &= L2CAP_CTRL_SAR;
1098 1187
1099 if (pi->conn_state & L2CAP_CONN_SEND_FBIT) { 1188 if (chan->conn_state & L2CAP_CONN_SEND_FBIT) {
1100 control |= L2CAP_CTRL_FINAL; 1189 control |= L2CAP_CTRL_FINAL;
1101 pi->conn_state &= ~L2CAP_CONN_SEND_FBIT; 1190 chan->conn_state &= ~L2CAP_CONN_SEND_FBIT;
1102 } 1191 }
1103 control |= (pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT) 1192 control |= (chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1104 | (pi->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT); 1193 | (chan->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
1105 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE); 1194 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1106 1195
1107 1196
1108 if (pi->fcs == L2CAP_FCS_CRC16) { 1197 if (chan->fcs == L2CAP_FCS_CRC16) {
1109 fcs = crc16(0, (u8 *)skb->data, tx_skb->len - 2); 1198 fcs = crc16(0, (u8 *)skb->data, tx_skb->len - 2);
1110 put_unaligned_le16(fcs, skb->data + tx_skb->len - 2); 1199 put_unaligned_le16(fcs, skb->data + tx_skb->len - 2);
1111 } 1200 }
1112 1201
1113 l2cap_do_send(sk, tx_skb); 1202 l2cap_do_send(chan, tx_skb);
1114 1203
1115 __mod_retrans_timer(); 1204 __mod_retrans_timer();
1116 1205
1117 bt_cb(skb)->tx_seq = pi->next_tx_seq; 1206 bt_cb(skb)->tx_seq = chan->next_tx_seq;
1118 pi->next_tx_seq = (pi->next_tx_seq + 1) % 64; 1207 chan->next_tx_seq = (chan->next_tx_seq + 1) % 64;
1119 1208
1120 if (bt_cb(skb)->retries == 1) 1209 if (bt_cb(skb)->retries == 1)
1121 pi->unacked_frames++; 1210 chan->unacked_frames++;
1122 1211
1123 pi->frames_sent++; 1212 chan->frames_sent++;
1124 1213
1125 if (skb_queue_is_last(TX_QUEUE(sk), skb)) 1214 if (skb_queue_is_last(&chan->tx_q, skb))
1126 sk->sk_send_head = NULL; 1215 chan->tx_send_head = NULL;
1127 else 1216 else
1128 sk->sk_send_head = skb_queue_next(TX_QUEUE(sk), skb); 1217 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
1129 1218
1130 nsent++; 1219 nsent++;
1131 } 1220 }
@@ -1133,41 +1222,39 @@ int l2cap_ertm_send(struct sock *sk)
1133 return nsent; 1222 return nsent;
1134} 1223}
1135 1224
1136static int l2cap_retransmit_frames(struct sock *sk) 1225static int l2cap_retransmit_frames(struct l2cap_chan *chan)
1137{ 1226{
1138 struct l2cap_pinfo *pi = l2cap_pi(sk);
1139 int ret; 1227 int ret;
1140 1228
1141 if (!skb_queue_empty(TX_QUEUE(sk))) 1229 if (!skb_queue_empty(&chan->tx_q))
1142 sk->sk_send_head = TX_QUEUE(sk)->next; 1230 chan->tx_send_head = chan->tx_q.next;
1143 1231
1144 pi->next_tx_seq = pi->expected_ack_seq; 1232 chan->next_tx_seq = chan->expected_ack_seq;
1145 ret = l2cap_ertm_send(sk); 1233 ret = l2cap_ertm_send(chan);
1146 return ret; 1234 return ret;
1147} 1235}
1148 1236
1149static void l2cap_send_ack(struct l2cap_pinfo *pi) 1237static void l2cap_send_ack(struct l2cap_chan *chan)
1150{ 1238{
1151 struct sock *sk = (struct sock *)pi;
1152 u16 control = 0; 1239 u16 control = 0;
1153 1240
1154 control |= pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT; 1241 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1155 1242
1156 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) { 1243 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
1157 control |= L2CAP_SUPER_RCV_NOT_READY; 1244 control |= L2CAP_SUPER_RCV_NOT_READY;
1158 pi->conn_state |= L2CAP_CONN_RNR_SENT; 1245 chan->conn_state |= L2CAP_CONN_RNR_SENT;
1159 l2cap_send_sframe(pi, control); 1246 l2cap_send_sframe(chan, control);
1160 return; 1247 return;
1161 } 1248 }
1162 1249
1163 if (l2cap_ertm_send(sk) > 0) 1250 if (l2cap_ertm_send(chan) > 0)
1164 return; 1251 return;
1165 1252
1166 control |= L2CAP_SUPER_RCV_READY; 1253 control |= L2CAP_SUPER_RCV_READY;
1167 l2cap_send_sframe(pi, control); 1254 l2cap_send_sframe(chan, control);
1168} 1255}
1169 1256
1170static void l2cap_send_srejtail(struct sock *sk) 1257static void l2cap_send_srejtail(struct l2cap_chan *chan)
1171{ 1258{
1172 struct srej_list *tail; 1259 struct srej_list *tail;
1173 u16 control; 1260 u16 control;
@@ -1175,15 +1262,15 @@ static void l2cap_send_srejtail(struct sock *sk)
1175 control = L2CAP_SUPER_SELECT_REJECT; 1262 control = L2CAP_SUPER_SELECT_REJECT;
1176 control |= L2CAP_CTRL_FINAL; 1263 control |= L2CAP_CTRL_FINAL;
1177 1264
1178 tail = list_entry(SREJ_LIST(sk)->prev, struct srej_list, list); 1265 tail = list_entry((&chan->srej_l)->prev, struct srej_list, list);
1179 control |= tail->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT; 1266 control |= tail->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1180 1267
1181 l2cap_send_sframe(l2cap_pi(sk), control); 1268 l2cap_send_sframe(chan, control);
1182} 1269}
1183 1270
1184static inline int l2cap_skbuff_fromiovec(struct sock *sk, struct msghdr *msg, int len, int count, struct sk_buff *skb) 1271static inline int l2cap_skbuff_fromiovec(struct sock *sk, struct msghdr *msg, int len, int count, struct sk_buff *skb)
1185{ 1272{
1186 struct l2cap_conn *conn = l2cap_pi(sk)->conn; 1273 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
1187 struct sk_buff **frag; 1274 struct sk_buff **frag;
1188 int err, sent = 0; 1275 int err, sent = 0;
1189 1276
@@ -1213,9 +1300,10 @@ static inline int l2cap_skbuff_fromiovec(struct sock *sk, struct msghdr *msg, in
1213 return sent; 1300 return sent;
1214} 1301}
1215 1302
1216struct sk_buff *l2cap_create_connless_pdu(struct sock *sk, struct msghdr *msg, size_t len) 1303struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1217{ 1304{
1218 struct l2cap_conn *conn = l2cap_pi(sk)->conn; 1305 struct sock *sk = chan->sk;
1306 struct l2cap_conn *conn = chan->conn;
1219 struct sk_buff *skb; 1307 struct sk_buff *skb;
1220 int err, count, hlen = L2CAP_HDR_SIZE + 2; 1308 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1221 struct l2cap_hdr *lh; 1309 struct l2cap_hdr *lh;
@@ -1230,9 +1318,9 @@ struct sk_buff *l2cap_create_connless_pdu(struct sock *sk, struct msghdr *msg, s
1230 1318
1231 /* Create L2CAP header */ 1319 /* Create L2CAP header */
1232 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE); 1320 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1233 lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid); 1321 lh->cid = cpu_to_le16(chan->dcid);
1234 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE)); 1322 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1235 put_unaligned_le16(l2cap_pi(sk)->psm, skb_put(skb, 2)); 1323 put_unaligned_le16(chan->psm, skb_put(skb, 2));
1236 1324
1237 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb); 1325 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1238 if (unlikely(err < 0)) { 1326 if (unlikely(err < 0)) {
@@ -1242,9 +1330,10 @@ struct sk_buff *l2cap_create_connless_pdu(struct sock *sk, struct msghdr *msg, s
1242 return skb; 1330 return skb;
1243} 1331}
1244 1332
1245struct sk_buff *l2cap_create_basic_pdu(struct sock *sk, struct msghdr *msg, size_t len) 1333struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1246{ 1334{
1247 struct l2cap_conn *conn = l2cap_pi(sk)->conn; 1335 struct sock *sk = chan->sk;
1336 struct l2cap_conn *conn = chan->conn;
1248 struct sk_buff *skb; 1337 struct sk_buff *skb;
1249 int err, count, hlen = L2CAP_HDR_SIZE; 1338 int err, count, hlen = L2CAP_HDR_SIZE;
1250 struct l2cap_hdr *lh; 1339 struct l2cap_hdr *lh;
@@ -1259,7 +1348,7 @@ struct sk_buff *l2cap_create_basic_pdu(struct sock *sk, struct msghdr *msg, size
1259 1348
1260 /* Create L2CAP header */ 1349 /* Create L2CAP header */
1261 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE); 1350 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1262 lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid); 1351 lh->cid = cpu_to_le16(chan->dcid);
1263 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE)); 1352 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1264 1353
1265 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb); 1354 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
@@ -1270,9 +1359,10 @@ struct sk_buff *l2cap_create_basic_pdu(struct sock *sk, struct msghdr *msg, size
1270 return skb; 1359 return skb;
1271} 1360}
1272 1361
1273struct sk_buff *l2cap_create_iframe_pdu(struct sock *sk, struct msghdr *msg, size_t len, u16 control, u16 sdulen) 1362struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len, u16 control, u16 sdulen)
1274{ 1363{
1275 struct l2cap_conn *conn = l2cap_pi(sk)->conn; 1364 struct sock *sk = chan->sk;
1365 struct l2cap_conn *conn = chan->conn;
1276 struct sk_buff *skb; 1366 struct sk_buff *skb;
1277 int err, count, hlen = L2CAP_HDR_SIZE + 2; 1367 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1278 struct l2cap_hdr *lh; 1368 struct l2cap_hdr *lh;
@@ -1285,7 +1375,7 @@ struct sk_buff *l2cap_create_iframe_pdu(struct sock *sk, struct msghdr *msg, siz
1285 if (sdulen) 1375 if (sdulen)
1286 hlen += 2; 1376 hlen += 2;
1287 1377
1288 if (l2cap_pi(sk)->fcs == L2CAP_FCS_CRC16) 1378 if (chan->fcs == L2CAP_FCS_CRC16)
1289 hlen += 2; 1379 hlen += 2;
1290 1380
1291 count = min_t(unsigned int, (conn->mtu - hlen), len); 1381 count = min_t(unsigned int, (conn->mtu - hlen), len);
@@ -1296,7 +1386,7 @@ struct sk_buff *l2cap_create_iframe_pdu(struct sock *sk, struct msghdr *msg, siz
1296 1386
1297 /* Create L2CAP header */ 1387 /* Create L2CAP header */
1298 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE); 1388 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1299 lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid); 1389 lh->cid = cpu_to_le16(chan->dcid);
1300 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE)); 1390 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1301 put_unaligned_le16(control, skb_put(skb, 2)); 1391 put_unaligned_le16(control, skb_put(skb, 2));
1302 if (sdulen) 1392 if (sdulen)
@@ -1308,16 +1398,15 @@ struct sk_buff *l2cap_create_iframe_pdu(struct sock *sk, struct msghdr *msg, siz
1308 return ERR_PTR(err); 1398 return ERR_PTR(err);
1309 } 1399 }
1310 1400
1311 if (l2cap_pi(sk)->fcs == L2CAP_FCS_CRC16) 1401 if (chan->fcs == L2CAP_FCS_CRC16)
1312 put_unaligned_le16(0, skb_put(skb, 2)); 1402 put_unaligned_le16(0, skb_put(skb, 2));
1313 1403
1314 bt_cb(skb)->retries = 0; 1404 bt_cb(skb)->retries = 0;
1315 return skb; 1405 return skb;
1316} 1406}
1317 1407
1318int l2cap_sar_segment_sdu(struct sock *sk, struct msghdr *msg, size_t len) 1408int l2cap_sar_segment_sdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1319{ 1409{
1320 struct l2cap_pinfo *pi = l2cap_pi(sk);
1321 struct sk_buff *skb; 1410 struct sk_buff *skb;
1322 struct sk_buff_head sar_queue; 1411 struct sk_buff_head sar_queue;
1323 u16 control; 1412 u16 control;
@@ -1325,26 +1414,26 @@ int l2cap_sar_segment_sdu(struct sock *sk, struct msghdr *msg, size_t len)
1325 1414
1326 skb_queue_head_init(&sar_queue); 1415 skb_queue_head_init(&sar_queue);
1327 control = L2CAP_SDU_START; 1416 control = L2CAP_SDU_START;
1328 skb = l2cap_create_iframe_pdu(sk, msg, pi->remote_mps, control, len); 1417 skb = l2cap_create_iframe_pdu(chan, msg, chan->remote_mps, control, len);
1329 if (IS_ERR(skb)) 1418 if (IS_ERR(skb))
1330 return PTR_ERR(skb); 1419 return PTR_ERR(skb);
1331 1420
1332 __skb_queue_tail(&sar_queue, skb); 1421 __skb_queue_tail(&sar_queue, skb);
1333 len -= pi->remote_mps; 1422 len -= chan->remote_mps;
1334 size += pi->remote_mps; 1423 size += chan->remote_mps;
1335 1424
1336 while (len > 0) { 1425 while (len > 0) {
1337 size_t buflen; 1426 size_t buflen;
1338 1427
1339 if (len > pi->remote_mps) { 1428 if (len > chan->remote_mps) {
1340 control = L2CAP_SDU_CONTINUE; 1429 control = L2CAP_SDU_CONTINUE;
1341 buflen = pi->remote_mps; 1430 buflen = chan->remote_mps;
1342 } else { 1431 } else {
1343 control = L2CAP_SDU_END; 1432 control = L2CAP_SDU_END;
1344 buflen = len; 1433 buflen = len;
1345 } 1434 }
1346 1435
1347 skb = l2cap_create_iframe_pdu(sk, msg, buflen, control, 0); 1436 skb = l2cap_create_iframe_pdu(chan, msg, buflen, control, 0);
1348 if (IS_ERR(skb)) { 1437 if (IS_ERR(skb)) {
1349 skb_queue_purge(&sar_queue); 1438 skb_queue_purge(&sar_queue);
1350 return PTR_ERR(skb); 1439 return PTR_ERR(skb);
@@ -1354,9 +1443,9 @@ int l2cap_sar_segment_sdu(struct sock *sk, struct msghdr *msg, size_t len)
1354 len -= buflen; 1443 len -= buflen;
1355 size += buflen; 1444 size += buflen;
1356 } 1445 }
1357 skb_queue_splice_tail(&sar_queue, TX_QUEUE(sk)); 1446 skb_queue_splice_tail(&sar_queue, &chan->tx_q);
1358 if (sk->sk_send_head == NULL) 1447 if (chan->tx_send_head == NULL)
1359 sk->sk_send_head = sar_queue.next; 1448 chan->tx_send_head = sar_queue.next;
1360 1449
1361 return size; 1450 return size;
1362} 1451}
@@ -1364,10 +1453,11 @@ int l2cap_sar_segment_sdu(struct sock *sk, struct msghdr *msg, size_t len)
1364static void l2cap_chan_ready(struct sock *sk) 1453static void l2cap_chan_ready(struct sock *sk)
1365{ 1454{
1366 struct sock *parent = bt_sk(sk)->parent; 1455 struct sock *parent = bt_sk(sk)->parent;
1456 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1367 1457
1368 BT_DBG("sk %p, parent %p", sk, parent); 1458 BT_DBG("sk %p, parent %p", sk, parent);
1369 1459
1370 l2cap_pi(sk)->conf_state = 0; 1460 chan->conf_state = 0;
1371 l2cap_sock_clear_timer(sk); 1461 l2cap_sock_clear_timer(sk);
1372 1462
1373 if (!parent) { 1463 if (!parent) {
@@ -1387,14 +1477,14 @@ static void l2cap_chan_ready(struct sock *sk)
1387/* Copy frame to all raw sockets on that connection */ 1477/* Copy frame to all raw sockets on that connection */
1388static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb) 1478static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
1389{ 1479{
1390 struct l2cap_chan_list *l = &conn->chan_list;
1391 struct sk_buff *nskb; 1480 struct sk_buff *nskb;
1392 struct sock *sk; 1481 struct l2cap_chan *chan;
1393 1482
1394 BT_DBG("conn %p", conn); 1483 BT_DBG("conn %p", conn);
1395 1484
1396 read_lock(&l->lock); 1485 read_lock(&conn->chan_lock);
1397 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) { 1486 list_for_each_entry(chan, &conn->chan_l, list) {
1487 struct sock *sk = chan->sk;
1398 if (sk->sk_type != SOCK_RAW) 1488 if (sk->sk_type != SOCK_RAW)
1399 continue; 1489 continue;
1400 1490
@@ -1408,7 +1498,7 @@ static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
1408 if (sock_queue_rcv_skb(sk, nskb)) 1498 if (sock_queue_rcv_skb(sk, nskb))
1409 kfree_skb(nskb); 1499 kfree_skb(nskb);
1410 } 1500 }
1411 read_unlock(&l->lock); 1501 read_unlock(&conn->chan_lock);
1412} 1502}
1413 1503
1414/* ---- L2CAP signalling commands ---- */ 1504/* ---- L2CAP signalling commands ---- */
@@ -1540,32 +1630,35 @@ static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
1540 1630
1541static void l2cap_ack_timeout(unsigned long arg) 1631static void l2cap_ack_timeout(unsigned long arg)
1542{ 1632{
1543 struct sock *sk = (void *) arg; 1633 struct l2cap_chan *chan = (void *) arg;
1544 1634
1545 bh_lock_sock(sk); 1635 bh_lock_sock(chan->sk);
1546 l2cap_send_ack(l2cap_pi(sk)); 1636 l2cap_send_ack(chan);
1547 bh_unlock_sock(sk); 1637 bh_unlock_sock(chan->sk);
1548} 1638}
1549 1639
1550static inline void l2cap_ertm_init(struct sock *sk) 1640static inline void l2cap_ertm_init(struct l2cap_chan *chan)
1551{ 1641{
1552 l2cap_pi(sk)->expected_ack_seq = 0; 1642 struct sock *sk = chan->sk;
1553 l2cap_pi(sk)->unacked_frames = 0; 1643
1554 l2cap_pi(sk)->buffer_seq = 0; 1644 chan->expected_ack_seq = 0;
1555 l2cap_pi(sk)->num_acked = 0; 1645 chan->unacked_frames = 0;
1556 l2cap_pi(sk)->frames_sent = 0; 1646 chan->buffer_seq = 0;
1647 chan->num_acked = 0;
1648 chan->frames_sent = 0;
1557 1649
1558 setup_timer(&l2cap_pi(sk)->retrans_timer, 1650 setup_timer(&chan->retrans_timer, l2cap_retrans_timeout,
1559 l2cap_retrans_timeout, (unsigned long) sk); 1651 (unsigned long) chan);
1560 setup_timer(&l2cap_pi(sk)->monitor_timer, 1652 setup_timer(&chan->monitor_timer, l2cap_monitor_timeout,
1561 l2cap_monitor_timeout, (unsigned long) sk); 1653 (unsigned long) chan);
1562 setup_timer(&l2cap_pi(sk)->ack_timer, 1654 setup_timer(&chan->ack_timer, l2cap_ack_timeout, (unsigned long) chan);
1563 l2cap_ack_timeout, (unsigned long) sk);
1564 1655
1565 __skb_queue_head_init(SREJ_QUEUE(sk)); 1656 skb_queue_head_init(&chan->srej_q);
1566 __skb_queue_head_init(BUSY_QUEUE(sk)); 1657 skb_queue_head_init(&chan->busy_q);
1567 1658
1568 INIT_WORK(&l2cap_pi(sk)->busy_work, l2cap_busy_work); 1659 INIT_LIST_HEAD(&chan->srej_l);
1660
1661 INIT_WORK(&chan->busy_work, l2cap_busy_work);
1569 1662
1570 sk->sk_backlog_rcv = l2cap_ertm_data_rcv; 1663 sk->sk_backlog_rcv = l2cap_ertm_data_rcv;
1571} 1664}
@@ -1583,38 +1676,37 @@ static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
1583 } 1676 }
1584} 1677}
1585 1678
1586int l2cap_build_conf_req(struct sock *sk, void *data) 1679static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1587{ 1680{
1588 struct l2cap_pinfo *pi = l2cap_pi(sk);
1589 struct l2cap_conf_req *req = data; 1681 struct l2cap_conf_req *req = data;
1590 struct l2cap_conf_rfc rfc = { .mode = pi->mode }; 1682 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1591 void *ptr = req->data; 1683 void *ptr = req->data;
1592 1684
1593 BT_DBG("sk %p", sk); 1685 BT_DBG("chan %p", chan);
1594 1686
1595 if (pi->num_conf_req || pi->num_conf_rsp) 1687 if (chan->num_conf_req || chan->num_conf_rsp)
1596 goto done; 1688 goto done;
1597 1689
1598 switch (pi->mode) { 1690 switch (chan->mode) {
1599 case L2CAP_MODE_STREAMING: 1691 case L2CAP_MODE_STREAMING:
1600 case L2CAP_MODE_ERTM: 1692 case L2CAP_MODE_ERTM:
1601 if (pi->conf_state & L2CAP_CONF_STATE2_DEVICE) 1693 if (chan->conf_state & L2CAP_CONF_STATE2_DEVICE)
1602 break; 1694 break;
1603 1695
1604 /* fall through */ 1696 /* fall through */
1605 default: 1697 default:
1606 pi->mode = l2cap_select_mode(rfc.mode, pi->conn->feat_mask); 1698 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
1607 break; 1699 break;
1608 } 1700 }
1609 1701
1610done: 1702done:
1611 if (pi->imtu != L2CAP_DEFAULT_MTU) 1703 if (chan->imtu != L2CAP_DEFAULT_MTU)
1612 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->imtu); 1704 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
1613 1705
1614 switch (pi->mode) { 1706 switch (chan->mode) {
1615 case L2CAP_MODE_BASIC: 1707 case L2CAP_MODE_BASIC:
1616 if (!(pi->conn->feat_mask & L2CAP_FEAT_ERTM) && 1708 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
1617 !(pi->conn->feat_mask & L2CAP_FEAT_STREAMING)) 1709 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
1618 break; 1710 break;
1619 1711
1620 rfc.mode = L2CAP_MODE_BASIC; 1712 rfc.mode = L2CAP_MODE_BASIC;
@@ -1630,24 +1722,24 @@ done:
1630 1722
1631 case L2CAP_MODE_ERTM: 1723 case L2CAP_MODE_ERTM:
1632 rfc.mode = L2CAP_MODE_ERTM; 1724 rfc.mode = L2CAP_MODE_ERTM;
1633 rfc.txwin_size = pi->tx_win; 1725 rfc.txwin_size = chan->tx_win;
1634 rfc.max_transmit = pi->max_tx; 1726 rfc.max_transmit = chan->max_tx;
1635 rfc.retrans_timeout = 0; 1727 rfc.retrans_timeout = 0;
1636 rfc.monitor_timeout = 0; 1728 rfc.monitor_timeout = 0;
1637 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE); 1729 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
1638 if (L2CAP_DEFAULT_MAX_PDU_SIZE > pi->conn->mtu - 10) 1730 if (L2CAP_DEFAULT_MAX_PDU_SIZE > chan->conn->mtu - 10)
1639 rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10); 1731 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
1640 1732
1641 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc), 1733 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
1642 (unsigned long) &rfc); 1734 (unsigned long) &rfc);
1643 1735
1644 if (!(pi->conn->feat_mask & L2CAP_FEAT_FCS)) 1736 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
1645 break; 1737 break;
1646 1738
1647 if (pi->fcs == L2CAP_FCS_NONE || 1739 if (chan->fcs == L2CAP_FCS_NONE ||
1648 pi->conf_state & L2CAP_CONF_NO_FCS_RECV) { 1740 chan->conf_state & L2CAP_CONF_NO_FCS_RECV) {
1649 pi->fcs = L2CAP_FCS_NONE; 1741 chan->fcs = L2CAP_FCS_NONE;
1650 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, pi->fcs); 1742 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
1651 } 1743 }
1652 break; 1744 break;
1653 1745
@@ -1658,43 +1750,42 @@ done:
1658 rfc.retrans_timeout = 0; 1750 rfc.retrans_timeout = 0;
1659 rfc.monitor_timeout = 0; 1751 rfc.monitor_timeout = 0;
1660 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE); 1752 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
1661 if (L2CAP_DEFAULT_MAX_PDU_SIZE > pi->conn->mtu - 10) 1753 if (L2CAP_DEFAULT_MAX_PDU_SIZE > chan->conn->mtu - 10)
1662 rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10); 1754 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
1663 1755
1664 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc), 1756 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
1665 (unsigned long) &rfc); 1757 (unsigned long) &rfc);
1666 1758
1667 if (!(pi->conn->feat_mask & L2CAP_FEAT_FCS)) 1759 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
1668 break; 1760 break;
1669 1761
1670 if (pi->fcs == L2CAP_FCS_NONE || 1762 if (chan->fcs == L2CAP_FCS_NONE ||
1671 pi->conf_state & L2CAP_CONF_NO_FCS_RECV) { 1763 chan->conf_state & L2CAP_CONF_NO_FCS_RECV) {
1672 pi->fcs = L2CAP_FCS_NONE; 1764 chan->fcs = L2CAP_FCS_NONE;
1673 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, pi->fcs); 1765 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
1674 } 1766 }
1675 break; 1767 break;
1676 } 1768 }
1677 1769
1678 req->dcid = cpu_to_le16(pi->dcid); 1770 req->dcid = cpu_to_le16(chan->dcid);
1679 req->flags = cpu_to_le16(0); 1771 req->flags = cpu_to_le16(0);
1680 1772
1681 return ptr - data; 1773 return ptr - data;
1682} 1774}
1683 1775
1684static int l2cap_parse_conf_req(struct sock *sk, void *data) 1776static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1685{ 1777{
1686 struct l2cap_pinfo *pi = l2cap_pi(sk);
1687 struct l2cap_conf_rsp *rsp = data; 1778 struct l2cap_conf_rsp *rsp = data;
1688 void *ptr = rsp->data; 1779 void *ptr = rsp->data;
1689 void *req = pi->conf_req; 1780 void *req = chan->conf_req;
1690 int len = pi->conf_len; 1781 int len = chan->conf_len;
1691 int type, hint, olen; 1782 int type, hint, olen;
1692 unsigned long val; 1783 unsigned long val;
1693 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC }; 1784 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
1694 u16 mtu = L2CAP_DEFAULT_MTU; 1785 u16 mtu = L2CAP_DEFAULT_MTU;
1695 u16 result = L2CAP_CONF_SUCCESS; 1786 u16 result = L2CAP_CONF_SUCCESS;
1696 1787
1697 BT_DBG("sk %p", sk); 1788 BT_DBG("chan %p", chan);
1698 1789
1699 while (len >= L2CAP_CONF_OPT_SIZE) { 1790 while (len >= L2CAP_CONF_OPT_SIZE) {
1700 len -= l2cap_get_conf_opt(&req, &type, &olen, &val); 1791 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
@@ -1708,7 +1799,7 @@ static int l2cap_parse_conf_req(struct sock *sk, void *data)
1708 break; 1799 break;
1709 1800
1710 case L2CAP_CONF_FLUSH_TO: 1801 case L2CAP_CONF_FLUSH_TO:
1711 pi->flush_to = val; 1802 chan->flush_to = val;
1712 break; 1803 break;
1713 1804
1714 case L2CAP_CONF_QOS: 1805 case L2CAP_CONF_QOS:
@@ -1721,7 +1812,7 @@ static int l2cap_parse_conf_req(struct sock *sk, void *data)
1721 1812
1722 case L2CAP_CONF_FCS: 1813 case L2CAP_CONF_FCS:
1723 if (val == L2CAP_FCS_NONE) 1814 if (val == L2CAP_FCS_NONE)
1724 pi->conf_state |= L2CAP_CONF_NO_FCS_RECV; 1815 chan->conf_state |= L2CAP_CONF_NO_FCS_RECV;
1725 1816
1726 break; 1817 break;
1727 1818
@@ -1735,30 +1826,30 @@ static int l2cap_parse_conf_req(struct sock *sk, void *data)
1735 } 1826 }
1736 } 1827 }
1737 1828
1738 if (pi->num_conf_rsp || pi->num_conf_req > 1) 1829 if (chan->num_conf_rsp || chan->num_conf_req > 1)
1739 goto done; 1830 goto done;
1740 1831
1741 switch (pi->mode) { 1832 switch (chan->mode) {
1742 case L2CAP_MODE_STREAMING: 1833 case L2CAP_MODE_STREAMING:
1743 case L2CAP_MODE_ERTM: 1834 case L2CAP_MODE_ERTM:
1744 if (!(pi->conf_state & L2CAP_CONF_STATE2_DEVICE)) { 1835 if (!(chan->conf_state & L2CAP_CONF_STATE2_DEVICE)) {
1745 pi->mode = l2cap_select_mode(rfc.mode, 1836 chan->mode = l2cap_select_mode(rfc.mode,
1746 pi->conn->feat_mask); 1837 chan->conn->feat_mask);
1747 break; 1838 break;
1748 } 1839 }
1749 1840
1750 if (pi->mode != rfc.mode) 1841 if (chan->mode != rfc.mode)
1751 return -ECONNREFUSED; 1842 return -ECONNREFUSED;
1752 1843
1753 break; 1844 break;
1754 } 1845 }
1755 1846
1756done: 1847done:
1757 if (pi->mode != rfc.mode) { 1848 if (chan->mode != rfc.mode) {
1758 result = L2CAP_CONF_UNACCEPT; 1849 result = L2CAP_CONF_UNACCEPT;
1759 rfc.mode = pi->mode; 1850 rfc.mode = chan->mode;
1760 1851
1761 if (pi->num_conf_rsp == 1) 1852 if (chan->num_conf_rsp == 1)
1762 return -ECONNREFUSED; 1853 return -ECONNREFUSED;
1763 1854
1764 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, 1855 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
@@ -1773,32 +1864,32 @@ done:
1773 if (mtu < L2CAP_DEFAULT_MIN_MTU) 1864 if (mtu < L2CAP_DEFAULT_MIN_MTU)
1774 result = L2CAP_CONF_UNACCEPT; 1865 result = L2CAP_CONF_UNACCEPT;
1775 else { 1866 else {
1776 pi->omtu = mtu; 1867 chan->omtu = mtu;
1777 pi->conf_state |= L2CAP_CONF_MTU_DONE; 1868 chan->conf_state |= L2CAP_CONF_MTU_DONE;
1778 } 1869 }
1779 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->omtu); 1870 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
1780 1871
1781 switch (rfc.mode) { 1872 switch (rfc.mode) {
1782 case L2CAP_MODE_BASIC: 1873 case L2CAP_MODE_BASIC:
1783 pi->fcs = L2CAP_FCS_NONE; 1874 chan->fcs = L2CAP_FCS_NONE;
1784 pi->conf_state |= L2CAP_CONF_MODE_DONE; 1875 chan->conf_state |= L2CAP_CONF_MODE_DONE;
1785 break; 1876 break;
1786 1877
1787 case L2CAP_MODE_ERTM: 1878 case L2CAP_MODE_ERTM:
1788 pi->remote_tx_win = rfc.txwin_size; 1879 chan->remote_tx_win = rfc.txwin_size;
1789 pi->remote_max_tx = rfc.max_transmit; 1880 chan->remote_max_tx = rfc.max_transmit;
1790 1881
1791 if (le16_to_cpu(rfc.max_pdu_size) > pi->conn->mtu - 10) 1882 if (le16_to_cpu(rfc.max_pdu_size) > chan->conn->mtu - 10)
1792 rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10); 1883 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
1793 1884
1794 pi->remote_mps = le16_to_cpu(rfc.max_pdu_size); 1885 chan->remote_mps = le16_to_cpu(rfc.max_pdu_size);
1795 1886
1796 rfc.retrans_timeout = 1887 rfc.retrans_timeout =
1797 le16_to_cpu(L2CAP_DEFAULT_RETRANS_TO); 1888 le16_to_cpu(L2CAP_DEFAULT_RETRANS_TO);
1798 rfc.monitor_timeout = 1889 rfc.monitor_timeout =
1799 le16_to_cpu(L2CAP_DEFAULT_MONITOR_TO); 1890 le16_to_cpu(L2CAP_DEFAULT_MONITOR_TO);
1800 1891
1801 pi->conf_state |= L2CAP_CONF_MODE_DONE; 1892 chan->conf_state |= L2CAP_CONF_MODE_DONE;
1802 1893
1803 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, 1894 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
1804 sizeof(rfc), (unsigned long) &rfc); 1895 sizeof(rfc), (unsigned long) &rfc);
@@ -1806,12 +1897,12 @@ done:
1806 break; 1897 break;
1807 1898
1808 case L2CAP_MODE_STREAMING: 1899 case L2CAP_MODE_STREAMING:
1809 if (le16_to_cpu(rfc.max_pdu_size) > pi->conn->mtu - 10) 1900 if (le16_to_cpu(rfc.max_pdu_size) > chan->conn->mtu - 10)
1810 rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10); 1901 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
1811 1902
1812 pi->remote_mps = le16_to_cpu(rfc.max_pdu_size); 1903 chan->remote_mps = le16_to_cpu(rfc.max_pdu_size);
1813 1904
1814 pi->conf_state |= L2CAP_CONF_MODE_DONE; 1905 chan->conf_state |= L2CAP_CONF_MODE_DONE;
1815 1906
1816 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, 1907 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
1817 sizeof(rfc), (unsigned long) &rfc); 1908 sizeof(rfc), (unsigned long) &rfc);
@@ -1822,29 +1913,28 @@ done:
1822 result = L2CAP_CONF_UNACCEPT; 1913 result = L2CAP_CONF_UNACCEPT;
1823 1914
1824 memset(&rfc, 0, sizeof(rfc)); 1915 memset(&rfc, 0, sizeof(rfc));
1825 rfc.mode = pi->mode; 1916 rfc.mode = chan->mode;
1826 } 1917 }
1827 1918
1828 if (result == L2CAP_CONF_SUCCESS) 1919 if (result == L2CAP_CONF_SUCCESS)
1829 pi->conf_state |= L2CAP_CONF_OUTPUT_DONE; 1920 chan->conf_state |= L2CAP_CONF_OUTPUT_DONE;
1830 } 1921 }
1831 rsp->scid = cpu_to_le16(pi->dcid); 1922 rsp->scid = cpu_to_le16(chan->dcid);
1832 rsp->result = cpu_to_le16(result); 1923 rsp->result = cpu_to_le16(result);
1833 rsp->flags = cpu_to_le16(0x0000); 1924 rsp->flags = cpu_to_le16(0x0000);
1834 1925
1835 return ptr - data; 1926 return ptr - data;
1836} 1927}
1837 1928
1838static int l2cap_parse_conf_rsp(struct sock *sk, void *rsp, int len, void *data, u16 *result) 1929static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
1839{ 1930{
1840 struct l2cap_pinfo *pi = l2cap_pi(sk);
1841 struct l2cap_conf_req *req = data; 1931 struct l2cap_conf_req *req = data;
1842 void *ptr = req->data; 1932 void *ptr = req->data;
1843 int type, olen; 1933 int type, olen;
1844 unsigned long val; 1934 unsigned long val;
1845 struct l2cap_conf_rfc rfc; 1935 struct l2cap_conf_rfc rfc;
1846 1936
1847 BT_DBG("sk %p, rsp %p, len %d, req %p", sk, rsp, len, data); 1937 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
1848 1938
1849 while (len >= L2CAP_CONF_OPT_SIZE) { 1939 while (len >= L2CAP_CONF_OPT_SIZE) {
1850 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val); 1940 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
@@ -1853,27 +1943,27 @@ static int l2cap_parse_conf_rsp(struct sock *sk, void *rsp, int len, void *data,
1853 case L2CAP_CONF_MTU: 1943 case L2CAP_CONF_MTU:
1854 if (val < L2CAP_DEFAULT_MIN_MTU) { 1944 if (val < L2CAP_DEFAULT_MIN_MTU) {
1855 *result = L2CAP_CONF_UNACCEPT; 1945 *result = L2CAP_CONF_UNACCEPT;
1856 pi->imtu = L2CAP_DEFAULT_MIN_MTU; 1946 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
1857 } else 1947 } else
1858 pi->imtu = val; 1948 chan->imtu = val;
1859 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->imtu); 1949 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
1860 break; 1950 break;
1861 1951
1862 case L2CAP_CONF_FLUSH_TO: 1952 case L2CAP_CONF_FLUSH_TO:
1863 pi->flush_to = val; 1953 chan->flush_to = val;
1864 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, 1954 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
1865 2, pi->flush_to); 1955 2, chan->flush_to);
1866 break; 1956 break;
1867 1957
1868 case L2CAP_CONF_RFC: 1958 case L2CAP_CONF_RFC:
1869 if (olen == sizeof(rfc)) 1959 if (olen == sizeof(rfc))
1870 memcpy(&rfc, (void *)val, olen); 1960 memcpy(&rfc, (void *)val, olen);
1871 1961
1872 if ((pi->conf_state & L2CAP_CONF_STATE2_DEVICE) && 1962 if ((chan->conf_state & L2CAP_CONF_STATE2_DEVICE) &&
1873 rfc.mode != pi->mode) 1963 rfc.mode != chan->mode)
1874 return -ECONNREFUSED; 1964 return -ECONNREFUSED;
1875 1965
1876 pi->fcs = 0; 1966 chan->fcs = 0;
1877 1967
1878 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, 1968 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
1879 sizeof(rfc), (unsigned long) &rfc); 1969 sizeof(rfc), (unsigned long) &rfc);
@@ -1881,53 +1971,74 @@ static int l2cap_parse_conf_rsp(struct sock *sk, void *rsp, int len, void *data,
1881 } 1971 }
1882 } 1972 }
1883 1973
1884 if (pi->mode == L2CAP_MODE_BASIC && pi->mode != rfc.mode) 1974 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
1885 return -ECONNREFUSED; 1975 return -ECONNREFUSED;
1886 1976
1887 pi->mode = rfc.mode; 1977 chan->mode = rfc.mode;
1888 1978
1889 if (*result == L2CAP_CONF_SUCCESS) { 1979 if (*result == L2CAP_CONF_SUCCESS) {
1890 switch (rfc.mode) { 1980 switch (rfc.mode) {
1891 case L2CAP_MODE_ERTM: 1981 case L2CAP_MODE_ERTM:
1892 pi->retrans_timeout = le16_to_cpu(rfc.retrans_timeout); 1982 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
1893 pi->monitor_timeout = le16_to_cpu(rfc.monitor_timeout); 1983 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
1894 pi->mps = le16_to_cpu(rfc.max_pdu_size); 1984 chan->mps = le16_to_cpu(rfc.max_pdu_size);
1895 break; 1985 break;
1896 case L2CAP_MODE_STREAMING: 1986 case L2CAP_MODE_STREAMING:
1897 pi->mps = le16_to_cpu(rfc.max_pdu_size); 1987 chan->mps = le16_to_cpu(rfc.max_pdu_size);
1898 } 1988 }
1899 } 1989 }
1900 1990
1901 req->dcid = cpu_to_le16(pi->dcid); 1991 req->dcid = cpu_to_le16(chan->dcid);
1902 req->flags = cpu_to_le16(0x0000); 1992 req->flags = cpu_to_le16(0x0000);
1903 1993
1904 return ptr - data; 1994 return ptr - data;
1905} 1995}
1906 1996
1907static int l2cap_build_conf_rsp(struct sock *sk, void *data, u16 result, u16 flags) 1997static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
1908{ 1998{
1909 struct l2cap_conf_rsp *rsp = data; 1999 struct l2cap_conf_rsp *rsp = data;
1910 void *ptr = rsp->data; 2000 void *ptr = rsp->data;
1911 2001
1912 BT_DBG("sk %p", sk); 2002 BT_DBG("chan %p", chan);
1913 2003
1914 rsp->scid = cpu_to_le16(l2cap_pi(sk)->dcid); 2004 rsp->scid = cpu_to_le16(chan->dcid);
1915 rsp->result = cpu_to_le16(result); 2005 rsp->result = cpu_to_le16(result);
1916 rsp->flags = cpu_to_le16(flags); 2006 rsp->flags = cpu_to_le16(flags);
1917 2007
1918 return ptr - data; 2008 return ptr - data;
1919} 2009}
1920 2010
1921static void l2cap_conf_rfc_get(struct sock *sk, void *rsp, int len) 2011void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
2012{
2013 struct l2cap_conn_rsp rsp;
2014 struct l2cap_conn *conn = chan->conn;
2015 u8 buf[128];
2016
2017 rsp.scid = cpu_to_le16(chan->dcid);
2018 rsp.dcid = cpu_to_le16(chan->scid);
2019 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
2020 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
2021 l2cap_send_cmd(conn, chan->ident,
2022 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2023
2024 if (chan->conf_state & L2CAP_CONF_REQ_SENT)
2025 return;
2026
2027 chan->conf_state |= L2CAP_CONF_REQ_SENT;
2028 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2029 l2cap_build_conf_req(chan, buf), buf);
2030 chan->num_conf_req++;
2031}
2032
2033static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
1922{ 2034{
1923 struct l2cap_pinfo *pi = l2cap_pi(sk);
1924 int type, olen; 2035 int type, olen;
1925 unsigned long val; 2036 unsigned long val;
1926 struct l2cap_conf_rfc rfc; 2037 struct l2cap_conf_rfc rfc;
1927 2038
1928 BT_DBG("sk %p, rsp %p, len %d", sk, rsp, len); 2039 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
1929 2040
1930 if ((pi->mode != L2CAP_MODE_ERTM) && (pi->mode != L2CAP_MODE_STREAMING)) 2041 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
1931 return; 2042 return;
1932 2043
1933 while (len >= L2CAP_CONF_OPT_SIZE) { 2044 while (len >= L2CAP_CONF_OPT_SIZE) {
@@ -1944,12 +2055,12 @@ static void l2cap_conf_rfc_get(struct sock *sk, void *rsp, int len)
1944done: 2055done:
1945 switch (rfc.mode) { 2056 switch (rfc.mode) {
1946 case L2CAP_MODE_ERTM: 2057 case L2CAP_MODE_ERTM:
1947 pi->retrans_timeout = le16_to_cpu(rfc.retrans_timeout); 2058 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
1948 pi->monitor_timeout = le16_to_cpu(rfc.monitor_timeout); 2059 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
1949 pi->mps = le16_to_cpu(rfc.max_pdu_size); 2060 chan->mps = le16_to_cpu(rfc.max_pdu_size);
1950 break; 2061 break;
1951 case L2CAP_MODE_STREAMING: 2062 case L2CAP_MODE_STREAMING:
1952 pi->mps = le16_to_cpu(rfc.max_pdu_size); 2063 chan->mps = le16_to_cpu(rfc.max_pdu_size);
1953 } 2064 }
1954} 2065}
1955 2066
@@ -1975,9 +2086,9 @@ static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hd
1975 2086
1976static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data) 2087static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
1977{ 2088{
1978 struct l2cap_chan_list *list = &conn->chan_list;
1979 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data; 2089 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
1980 struct l2cap_conn_rsp rsp; 2090 struct l2cap_conn_rsp rsp;
2091 struct l2cap_chan *chan = NULL, *pchan;
1981 struct sock *parent, *sk = NULL; 2092 struct sock *parent, *sk = NULL;
1982 int result, status = L2CAP_CS_NO_INFO; 2093 int result, status = L2CAP_CS_NO_INFO;
1983 2094
@@ -1987,12 +2098,14 @@ static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hd
1987 BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid); 2098 BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
1988 2099
1989 /* Check if we have socket listening on psm */ 2100 /* Check if we have socket listening on psm */
1990 parent = l2cap_get_sock_by_psm(BT_LISTEN, psm, conn->src); 2101 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src);
1991 if (!parent) { 2102 if (!pchan) {
1992 result = L2CAP_CR_BAD_PSM; 2103 result = L2CAP_CR_BAD_PSM;
1993 goto sendresp; 2104 goto sendresp;
1994 } 2105 }
1995 2106
2107 parent = pchan->sk;
2108
1996 bh_lock_sock(parent); 2109 bh_lock_sock(parent);
1997 2110
1998 /* Check if the ACL is secure enough (if not SDP) */ 2111 /* Check if the ACL is secure enough (if not SDP) */
@@ -2015,11 +2128,19 @@ static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hd
2015 if (!sk) 2128 if (!sk)
2016 goto response; 2129 goto response;
2017 2130
2018 write_lock_bh(&list->lock); 2131 chan = l2cap_chan_create(sk);
2132 if (!chan) {
2133 l2cap_sock_kill(sk);
2134 goto response;
2135 }
2136
2137 l2cap_pi(sk)->chan = chan;
2138
2139 write_lock_bh(&conn->chan_lock);
2019 2140
2020 /* Check if we already have channel with that dcid */ 2141 /* Check if we already have channel with that dcid */
2021 if (__l2cap_get_chan_by_dcid(list, scid)) { 2142 if (__l2cap_get_chan_by_dcid(conn, scid)) {
2022 write_unlock_bh(&list->lock); 2143 write_unlock_bh(&conn->chan_lock);
2023 sock_set_flag(sk, SOCK_ZAPPED); 2144 sock_set_flag(sk, SOCK_ZAPPED);
2024 l2cap_sock_kill(sk); 2145 l2cap_sock_kill(sk);
2025 goto response; 2146 goto response;
@@ -2030,18 +2151,21 @@ static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hd
2030 l2cap_sock_init(sk, parent); 2151 l2cap_sock_init(sk, parent);
2031 bacpy(&bt_sk(sk)->src, conn->src); 2152 bacpy(&bt_sk(sk)->src, conn->src);
2032 bacpy(&bt_sk(sk)->dst, conn->dst); 2153 bacpy(&bt_sk(sk)->dst, conn->dst);
2033 l2cap_pi(sk)->psm = psm; 2154 chan->psm = psm;
2034 l2cap_pi(sk)->dcid = scid; 2155 chan->dcid = scid;
2156
2157 bt_accept_enqueue(parent, sk);
2158
2159 __l2cap_chan_add(conn, chan);
2035 2160
2036 __l2cap_chan_add(conn, sk, parent); 2161 dcid = chan->scid;
2037 dcid = l2cap_pi(sk)->scid;
2038 2162
2039 l2cap_sock_set_timer(sk, sk->sk_sndtimeo); 2163 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
2040 2164
2041 l2cap_pi(sk)->ident = cmd->ident; 2165 chan->ident = cmd->ident;
2042 2166
2043 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) { 2167 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
2044 if (l2cap_check_security(sk)) { 2168 if (l2cap_check_security(chan)) {
2045 if (bt_sk(sk)->defer_setup) { 2169 if (bt_sk(sk)->defer_setup) {
2046 sk->sk_state = BT_CONNECT2; 2170 sk->sk_state = BT_CONNECT2;
2047 result = L2CAP_CR_PEND; 2171 result = L2CAP_CR_PEND;
@@ -2063,7 +2187,7 @@ static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hd
2063 status = L2CAP_CS_NO_INFO; 2187 status = L2CAP_CS_NO_INFO;
2064 } 2188 }
2065 2189
2066 write_unlock_bh(&list->lock); 2190 write_unlock_bh(&conn->chan_lock);
2067 2191
2068response: 2192response:
2069 bh_unlock_sock(parent); 2193 bh_unlock_sock(parent);
@@ -2089,13 +2213,13 @@ sendresp:
2089 L2CAP_INFO_REQ, sizeof(info), &info); 2213 L2CAP_INFO_REQ, sizeof(info), &info);
2090 } 2214 }
2091 2215
2092 if (sk && !(l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT) && 2216 if (chan && !(chan->conf_state & L2CAP_CONF_REQ_SENT) &&
2093 result == L2CAP_CR_SUCCESS) { 2217 result == L2CAP_CR_SUCCESS) {
2094 u8 buf[128]; 2218 u8 buf[128];
2095 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT; 2219 chan->conf_state |= L2CAP_CONF_REQ_SENT;
2096 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, 2220 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2097 l2cap_build_conf_req(sk, buf), buf); 2221 l2cap_build_conf_req(chan, buf), buf);
2098 l2cap_pi(sk)->num_conf_req++; 2222 chan->num_conf_req++;
2099 } 2223 }
2100 2224
2101 return 0; 2225 return 0;
@@ -2105,6 +2229,7 @@ static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hd
2105{ 2229{
2106 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data; 2230 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
2107 u16 scid, dcid, result, status; 2231 u16 scid, dcid, result, status;
2232 struct l2cap_chan *chan;
2108 struct sock *sk; 2233 struct sock *sk;
2109 u8 req[128]; 2234 u8 req[128];
2110 2235
@@ -2116,34 +2241,36 @@ static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hd
2116 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status); 2241 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status);
2117 2242
2118 if (scid) { 2243 if (scid) {
2119 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid); 2244 chan = l2cap_get_chan_by_scid(conn, scid);
2120 if (!sk) 2245 if (!chan)
2121 return -EFAULT; 2246 return -EFAULT;
2122 } else { 2247 } else {
2123 sk = l2cap_get_chan_by_ident(&conn->chan_list, cmd->ident); 2248 chan = l2cap_get_chan_by_ident(conn, cmd->ident);
2124 if (!sk) 2249 if (!chan)
2125 return -EFAULT; 2250 return -EFAULT;
2126 } 2251 }
2127 2252
2253 sk = chan->sk;
2254
2128 switch (result) { 2255 switch (result) {
2129 case L2CAP_CR_SUCCESS: 2256 case L2CAP_CR_SUCCESS:
2130 sk->sk_state = BT_CONFIG; 2257 sk->sk_state = BT_CONFIG;
2131 l2cap_pi(sk)->ident = 0; 2258 chan->ident = 0;
2132 l2cap_pi(sk)->dcid = dcid; 2259 chan->dcid = dcid;
2133 l2cap_pi(sk)->conf_state &= ~L2CAP_CONF_CONNECT_PEND; 2260 chan->conf_state &= ~L2CAP_CONF_CONNECT_PEND;
2134 2261
2135 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT) 2262 if (chan->conf_state & L2CAP_CONF_REQ_SENT)
2136 break; 2263 break;
2137 2264
2138 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT; 2265 chan->conf_state |= L2CAP_CONF_REQ_SENT;
2139 2266
2140 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, 2267 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2141 l2cap_build_conf_req(sk, req), req); 2268 l2cap_build_conf_req(chan, req), req);
2142 l2cap_pi(sk)->num_conf_req++; 2269 chan->num_conf_req++;
2143 break; 2270 break;
2144 2271
2145 case L2CAP_CR_PEND: 2272 case L2CAP_CR_PEND:
2146 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND; 2273 chan->conf_state |= L2CAP_CONF_CONNECT_PEND;
2147 break; 2274 break;
2148 2275
2149 default: 2276 default:
@@ -2155,7 +2282,7 @@ static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hd
2155 break; 2282 break;
2156 } 2283 }
2157 2284
2158 l2cap_chan_del(sk, ECONNREFUSED); 2285 l2cap_chan_del(chan, ECONNREFUSED);
2159 break; 2286 break;
2160 } 2287 }
2161 2288
@@ -2163,15 +2290,17 @@ static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hd
2163 return 0; 2290 return 0;
2164} 2291}
2165 2292
2166static inline void set_default_fcs(struct l2cap_pinfo *pi) 2293static inline void set_default_fcs(struct l2cap_chan *chan)
2167{ 2294{
2295 struct l2cap_pinfo *pi = l2cap_pi(chan->sk);
2296
2168 /* FCS is enabled only in ERTM or streaming mode, if one or both 2297 /* FCS is enabled only in ERTM or streaming mode, if one or both
2169 * sides request it. 2298 * sides request it.
2170 */ 2299 */
2171 if (pi->mode != L2CAP_MODE_ERTM && pi->mode != L2CAP_MODE_STREAMING) 2300 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
2172 pi->fcs = L2CAP_FCS_NONE; 2301 chan->fcs = L2CAP_FCS_NONE;
2173 else if (!(pi->conf_state & L2CAP_CONF_NO_FCS_RECV)) 2302 else if (!(pi->chan->conf_state & L2CAP_CONF_NO_FCS_RECV))
2174 pi->fcs = L2CAP_FCS_CRC16; 2303 chan->fcs = L2CAP_FCS_CRC16;
2175} 2304}
2176 2305
2177static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data) 2306static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
@@ -2179,6 +2308,7 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
2179 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data; 2308 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
2180 u16 dcid, flags; 2309 u16 dcid, flags;
2181 u8 rsp[64]; 2310 u8 rsp[64];
2311 struct l2cap_chan *chan;
2182 struct sock *sk; 2312 struct sock *sk;
2183 int len; 2313 int len;
2184 2314
@@ -2187,10 +2317,12 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
2187 2317
2188 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags); 2318 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
2189 2319
2190 sk = l2cap_get_chan_by_scid(&conn->chan_list, dcid); 2320 chan = l2cap_get_chan_by_scid(conn, dcid);
2191 if (!sk) 2321 if (!chan)
2192 return -ENOENT; 2322 return -ENOENT;
2193 2323
2324 sk = chan->sk;
2325
2194 if (sk->sk_state != BT_CONFIG) { 2326 if (sk->sk_state != BT_CONFIG) {
2195 struct l2cap_cmd_rej rej; 2327 struct l2cap_cmd_rej rej;
2196 2328
@@ -2202,62 +2334,62 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
2202 2334
2203 /* Reject if config buffer is too small. */ 2335 /* Reject if config buffer is too small. */
2204 len = cmd_len - sizeof(*req); 2336 len = cmd_len - sizeof(*req);
2205 if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) { 2337 if (chan->conf_len + len > sizeof(chan->conf_req)) {
2206 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, 2338 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2207 l2cap_build_conf_rsp(sk, rsp, 2339 l2cap_build_conf_rsp(chan, rsp,
2208 L2CAP_CONF_REJECT, flags), rsp); 2340 L2CAP_CONF_REJECT, flags), rsp);
2209 goto unlock; 2341 goto unlock;
2210 } 2342 }
2211 2343
2212 /* Store config. */ 2344 /* Store config. */
2213 memcpy(l2cap_pi(sk)->conf_req + l2cap_pi(sk)->conf_len, req->data, len); 2345 memcpy(chan->conf_req + chan->conf_len, req->data, len);
2214 l2cap_pi(sk)->conf_len += len; 2346 chan->conf_len += len;
2215 2347
2216 if (flags & 0x0001) { 2348 if (flags & 0x0001) {
2217 /* Incomplete config. Send empty response. */ 2349 /* Incomplete config. Send empty response. */
2218 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, 2350 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2219 l2cap_build_conf_rsp(sk, rsp, 2351 l2cap_build_conf_rsp(chan, rsp,
2220 L2CAP_CONF_SUCCESS, 0x0001), rsp); 2352 L2CAP_CONF_SUCCESS, 0x0001), rsp);
2221 goto unlock; 2353 goto unlock;
2222 } 2354 }
2223 2355
2224 /* Complete config. */ 2356 /* Complete config. */
2225 len = l2cap_parse_conf_req(sk, rsp); 2357 len = l2cap_parse_conf_req(chan, rsp);
2226 if (len < 0) { 2358 if (len < 0) {
2227 l2cap_send_disconn_req(conn, sk, ECONNRESET); 2359 l2cap_send_disconn_req(conn, chan, ECONNRESET);
2228 goto unlock; 2360 goto unlock;
2229 } 2361 }
2230 2362
2231 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp); 2363 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
2232 l2cap_pi(sk)->num_conf_rsp++; 2364 chan->num_conf_rsp++;
2233 2365
2234 /* Reset config buffer. */ 2366 /* Reset config buffer. */
2235 l2cap_pi(sk)->conf_len = 0; 2367 chan->conf_len = 0;
2236 2368
2237 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE)) 2369 if (!(chan->conf_state & L2CAP_CONF_OUTPUT_DONE))
2238 goto unlock; 2370 goto unlock;
2239 2371
2240 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_INPUT_DONE) { 2372 if (chan->conf_state & L2CAP_CONF_INPUT_DONE) {
2241 set_default_fcs(l2cap_pi(sk)); 2373 set_default_fcs(chan);
2242 2374
2243 sk->sk_state = BT_CONNECTED; 2375 sk->sk_state = BT_CONNECTED;
2244 2376
2245 l2cap_pi(sk)->next_tx_seq = 0; 2377 chan->next_tx_seq = 0;
2246 l2cap_pi(sk)->expected_tx_seq = 0; 2378 chan->expected_tx_seq = 0;
2247 __skb_queue_head_init(TX_QUEUE(sk)); 2379 skb_queue_head_init(&chan->tx_q);
2248 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM) 2380 if (chan->mode == L2CAP_MODE_ERTM)
2249 l2cap_ertm_init(sk); 2381 l2cap_ertm_init(chan);
2250 2382
2251 l2cap_chan_ready(sk); 2383 l2cap_chan_ready(sk);
2252 goto unlock; 2384 goto unlock;
2253 } 2385 }
2254 2386
2255 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT)) { 2387 if (!(chan->conf_state & L2CAP_CONF_REQ_SENT)) {
2256 u8 buf[64]; 2388 u8 buf[64];
2257 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT; 2389 chan->conf_state |= L2CAP_CONF_REQ_SENT;
2258 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, 2390 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2259 l2cap_build_conf_req(sk, buf), buf); 2391 l2cap_build_conf_req(chan, buf), buf);
2260 l2cap_pi(sk)->num_conf_req++; 2392 chan->num_conf_req++;
2261 } 2393 }
2262 2394
2263unlock: 2395unlock:
@@ -2269,6 +2401,7 @@ static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr
2269{ 2401{
2270 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data; 2402 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
2271 u16 scid, flags, result; 2403 u16 scid, flags, result;
2404 struct l2cap_chan *chan;
2272 struct sock *sk; 2405 struct sock *sk;
2273 int len = cmd->len - sizeof(*rsp); 2406 int len = cmd->len - sizeof(*rsp);
2274 2407
@@ -2279,36 +2412,38 @@ static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr
2279 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x", 2412 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x",
2280 scid, flags, result); 2413 scid, flags, result);
2281 2414
2282 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid); 2415 chan = l2cap_get_chan_by_scid(conn, scid);
2283 if (!sk) 2416 if (!chan)
2284 return 0; 2417 return 0;
2285 2418
2419 sk = chan->sk;
2420
2286 switch (result) { 2421 switch (result) {
2287 case L2CAP_CONF_SUCCESS: 2422 case L2CAP_CONF_SUCCESS:
2288 l2cap_conf_rfc_get(sk, rsp->data, len); 2423 l2cap_conf_rfc_get(chan, rsp->data, len);
2289 break; 2424 break;
2290 2425
2291 case L2CAP_CONF_UNACCEPT: 2426 case L2CAP_CONF_UNACCEPT:
2292 if (l2cap_pi(sk)->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) { 2427 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
2293 char req[64]; 2428 char req[64];
2294 2429
2295 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) { 2430 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
2296 l2cap_send_disconn_req(conn, sk, ECONNRESET); 2431 l2cap_send_disconn_req(conn, chan, ECONNRESET);
2297 goto done; 2432 goto done;
2298 } 2433 }
2299 2434
2300 /* throw out any old stored conf requests */ 2435 /* throw out any old stored conf requests */
2301 result = L2CAP_CONF_SUCCESS; 2436 result = L2CAP_CONF_SUCCESS;
2302 len = l2cap_parse_conf_rsp(sk, rsp->data, 2437 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2303 len, req, &result); 2438 req, &result);
2304 if (len < 0) { 2439 if (len < 0) {
2305 l2cap_send_disconn_req(conn, sk, ECONNRESET); 2440 l2cap_send_disconn_req(conn, chan, ECONNRESET);
2306 goto done; 2441 goto done;
2307 } 2442 }
2308 2443
2309 l2cap_send_cmd(conn, l2cap_get_ident(conn), 2444 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2310 L2CAP_CONF_REQ, len, req); 2445 L2CAP_CONF_REQ, len, req);
2311 l2cap_pi(sk)->num_conf_req++; 2446 chan->num_conf_req++;
2312 if (result != L2CAP_CONF_SUCCESS) 2447 if (result != L2CAP_CONF_SUCCESS)
2313 goto done; 2448 goto done;
2314 break; 2449 break;
@@ -2317,24 +2452,24 @@ static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr
2317 default: 2452 default:
2318 sk->sk_err = ECONNRESET; 2453 sk->sk_err = ECONNRESET;
2319 l2cap_sock_set_timer(sk, HZ * 5); 2454 l2cap_sock_set_timer(sk, HZ * 5);
2320 l2cap_send_disconn_req(conn, sk, ECONNRESET); 2455 l2cap_send_disconn_req(conn, chan, ECONNRESET);
2321 goto done; 2456 goto done;
2322 } 2457 }
2323 2458
2324 if (flags & 0x01) 2459 if (flags & 0x01)
2325 goto done; 2460 goto done;
2326 2461
2327 l2cap_pi(sk)->conf_state |= L2CAP_CONF_INPUT_DONE; 2462 chan->conf_state |= L2CAP_CONF_INPUT_DONE;
2328 2463
2329 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE) { 2464 if (chan->conf_state & L2CAP_CONF_OUTPUT_DONE) {
2330 set_default_fcs(l2cap_pi(sk)); 2465 set_default_fcs(chan);
2331 2466
2332 sk->sk_state = BT_CONNECTED; 2467 sk->sk_state = BT_CONNECTED;
2333 l2cap_pi(sk)->next_tx_seq = 0; 2468 chan->next_tx_seq = 0;
2334 l2cap_pi(sk)->expected_tx_seq = 0; 2469 chan->expected_tx_seq = 0;
2335 __skb_queue_head_init(TX_QUEUE(sk)); 2470 skb_queue_head_init(&chan->tx_q);
2336 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM) 2471 if (chan->mode == L2CAP_MODE_ERTM)
2337 l2cap_ertm_init(sk); 2472 l2cap_ertm_init(chan);
2338 2473
2339 l2cap_chan_ready(sk); 2474 l2cap_chan_ready(sk);
2340 } 2475 }
@@ -2349,6 +2484,7 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd
2349 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data; 2484 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
2350 struct l2cap_disconn_rsp rsp; 2485 struct l2cap_disconn_rsp rsp;
2351 u16 dcid, scid; 2486 u16 dcid, scid;
2487 struct l2cap_chan *chan;
2352 struct sock *sk; 2488 struct sock *sk;
2353 2489
2354 scid = __le16_to_cpu(req->scid); 2490 scid = __le16_to_cpu(req->scid);
@@ -2356,12 +2492,14 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd
2356 2492
2357 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid); 2493 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
2358 2494
2359 sk = l2cap_get_chan_by_scid(&conn->chan_list, dcid); 2495 chan = l2cap_get_chan_by_scid(conn, dcid);
2360 if (!sk) 2496 if (!chan)
2361 return 0; 2497 return 0;
2362 2498
2363 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid); 2499 sk = chan->sk;
2364 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid); 2500
2501 rsp.dcid = cpu_to_le16(chan->scid);
2502 rsp.scid = cpu_to_le16(chan->dcid);
2365 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp); 2503 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
2366 2504
2367 sk->sk_shutdown = SHUTDOWN_MASK; 2505 sk->sk_shutdown = SHUTDOWN_MASK;
@@ -2375,7 +2513,7 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd
2375 return 0; 2513 return 0;
2376 } 2514 }
2377 2515
2378 l2cap_chan_del(sk, ECONNRESET); 2516 l2cap_chan_del(chan, ECONNRESET);
2379 bh_unlock_sock(sk); 2517 bh_unlock_sock(sk);
2380 2518
2381 l2cap_sock_kill(sk); 2519 l2cap_sock_kill(sk);
@@ -2386,6 +2524,7 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd
2386{ 2524{
2387 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data; 2525 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
2388 u16 dcid, scid; 2526 u16 dcid, scid;
2527 struct l2cap_chan *chan;
2389 struct sock *sk; 2528 struct sock *sk;
2390 2529
2391 scid = __le16_to_cpu(rsp->scid); 2530 scid = __le16_to_cpu(rsp->scid);
@@ -2393,10 +2532,12 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd
2393 2532
2394 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid); 2533 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
2395 2534
2396 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid); 2535 chan = l2cap_get_chan_by_scid(conn, scid);
2397 if (!sk) 2536 if (!chan)
2398 return 0; 2537 return 0;
2399 2538
2539 sk = chan->sk;
2540
2400 /* don't delete l2cap channel if sk is owned by user */ 2541 /* don't delete l2cap channel if sk is owned by user */
2401 if (sock_owned_by_user(sk)) { 2542 if (sock_owned_by_user(sk)) {
2402 sk->sk_state = BT_DISCONN; 2543 sk->sk_state = BT_DISCONN;
@@ -2406,7 +2547,7 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd
2406 return 0; 2547 return 0;
2407 } 2548 }
2408 2549
2409 l2cap_chan_del(sk, 0); 2550 l2cap_chan_del(chan, 0);
2410 bh_unlock_sock(sk); 2551 bh_unlock_sock(sk);
2411 2552
2412 l2cap_sock_kill(sk); 2553 l2cap_sock_kill(sk);
@@ -2463,6 +2604,11 @@ static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cm
2463 2604
2464 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result); 2605 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
2465 2606
2607 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
2608 if (cmd->ident != conn->info_ident ||
2609 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
2610 return 0;
2611
2466 del_timer(&conn->info_timer); 2612 del_timer(&conn->info_timer);
2467 2613
2468 if (result != L2CAP_IR_SUCCESS) { 2614 if (result != L2CAP_IR_SUCCESS) {
@@ -2673,7 +2819,8 @@ static inline void l2cap_sig_channel(struct l2cap_conn *conn,
2673 2819
2674 if (err) { 2820 if (err) {
2675 struct l2cap_cmd_rej rej; 2821 struct l2cap_cmd_rej rej;
2676 BT_DBG("error %d", err); 2822
2823 BT_ERR("Wrong link type (%d)", err);
2677 2824
2678 /* FIXME: Map err to a valid reason */ 2825 /* FIXME: Map err to a valid reason */
2679 rej.reason = cpu_to_le16(0); 2826 rej.reason = cpu_to_le16(0);
@@ -2687,12 +2834,12 @@ static inline void l2cap_sig_channel(struct l2cap_conn *conn,
2687 kfree_skb(skb); 2834 kfree_skb(skb);
2688} 2835}
2689 2836
2690static int l2cap_check_fcs(struct l2cap_pinfo *pi, struct sk_buff *skb) 2837static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
2691{ 2838{
2692 u16 our_fcs, rcv_fcs; 2839 u16 our_fcs, rcv_fcs;
2693 int hdr_size = L2CAP_HDR_SIZE + 2; 2840 int hdr_size = L2CAP_HDR_SIZE + 2;
2694 2841
2695 if (pi->fcs == L2CAP_FCS_CRC16) { 2842 if (chan->fcs == L2CAP_FCS_CRC16) {
2696 skb_trim(skb, skb->len - 2); 2843 skb_trim(skb, skb->len - 2);
2697 rcv_fcs = get_unaligned_le16(skb->data + skb->len); 2844 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
2698 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size); 2845 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
@@ -2703,49 +2850,47 @@ static int l2cap_check_fcs(struct l2cap_pinfo *pi, struct sk_buff *skb)
2703 return 0; 2850 return 0;
2704} 2851}
2705 2852
2706static inline void l2cap_send_i_or_rr_or_rnr(struct sock *sk) 2853static inline void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
2707{ 2854{
2708 struct l2cap_pinfo *pi = l2cap_pi(sk);
2709 u16 control = 0; 2855 u16 control = 0;
2710 2856
2711 pi->frames_sent = 0; 2857 chan->frames_sent = 0;
2712 2858
2713 control |= pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT; 2859 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
2714 2860
2715 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) { 2861 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
2716 control |= L2CAP_SUPER_RCV_NOT_READY; 2862 control |= L2CAP_SUPER_RCV_NOT_READY;
2717 l2cap_send_sframe(pi, control); 2863 l2cap_send_sframe(chan, control);
2718 pi->conn_state |= L2CAP_CONN_RNR_SENT; 2864 chan->conn_state |= L2CAP_CONN_RNR_SENT;
2719 } 2865 }
2720 2866
2721 if (pi->conn_state & L2CAP_CONN_REMOTE_BUSY) 2867 if (chan->conn_state & L2CAP_CONN_REMOTE_BUSY)
2722 l2cap_retransmit_frames(sk); 2868 l2cap_retransmit_frames(chan);
2723 2869
2724 l2cap_ertm_send(sk); 2870 l2cap_ertm_send(chan);
2725 2871
2726 if (!(pi->conn_state & L2CAP_CONN_LOCAL_BUSY) && 2872 if (!(chan->conn_state & L2CAP_CONN_LOCAL_BUSY) &&
2727 pi->frames_sent == 0) { 2873 chan->frames_sent == 0) {
2728 control |= L2CAP_SUPER_RCV_READY; 2874 control |= L2CAP_SUPER_RCV_READY;
2729 l2cap_send_sframe(pi, control); 2875 l2cap_send_sframe(chan, control);
2730 } 2876 }
2731} 2877}
2732 2878
2733static int l2cap_add_to_srej_queue(struct sock *sk, struct sk_buff *skb, u8 tx_seq, u8 sar) 2879static int l2cap_add_to_srej_queue(struct l2cap_chan *chan, struct sk_buff *skb, u8 tx_seq, u8 sar)
2734{ 2880{
2735 struct sk_buff *next_skb; 2881 struct sk_buff *next_skb;
2736 struct l2cap_pinfo *pi = l2cap_pi(sk);
2737 int tx_seq_offset, next_tx_seq_offset; 2882 int tx_seq_offset, next_tx_seq_offset;
2738 2883
2739 bt_cb(skb)->tx_seq = tx_seq; 2884 bt_cb(skb)->tx_seq = tx_seq;
2740 bt_cb(skb)->sar = sar; 2885 bt_cb(skb)->sar = sar;
2741 2886
2742 next_skb = skb_peek(SREJ_QUEUE(sk)); 2887 next_skb = skb_peek(&chan->srej_q);
2743 if (!next_skb) { 2888 if (!next_skb) {
2744 __skb_queue_tail(SREJ_QUEUE(sk), skb); 2889 __skb_queue_tail(&chan->srej_q, skb);
2745 return 0; 2890 return 0;
2746 } 2891 }
2747 2892
2748 tx_seq_offset = (tx_seq - pi->buffer_seq) % 64; 2893 tx_seq_offset = (tx_seq - chan->buffer_seq) % 64;
2749 if (tx_seq_offset < 0) 2894 if (tx_seq_offset < 0)
2750 tx_seq_offset += 64; 2895 tx_seq_offset += 64;
2751 2896
@@ -2754,53 +2899,52 @@ static int l2cap_add_to_srej_queue(struct sock *sk, struct sk_buff *skb, u8 tx_s
2754 return -EINVAL; 2899 return -EINVAL;
2755 2900
2756 next_tx_seq_offset = (bt_cb(next_skb)->tx_seq - 2901 next_tx_seq_offset = (bt_cb(next_skb)->tx_seq -
2757 pi->buffer_seq) % 64; 2902 chan->buffer_seq) % 64;
2758 if (next_tx_seq_offset < 0) 2903 if (next_tx_seq_offset < 0)
2759 next_tx_seq_offset += 64; 2904 next_tx_seq_offset += 64;
2760 2905
2761 if (next_tx_seq_offset > tx_seq_offset) { 2906 if (next_tx_seq_offset > tx_seq_offset) {
2762 __skb_queue_before(SREJ_QUEUE(sk), next_skb, skb); 2907 __skb_queue_before(&chan->srej_q, next_skb, skb);
2763 return 0; 2908 return 0;
2764 } 2909 }
2765 2910
2766 if (skb_queue_is_last(SREJ_QUEUE(sk), next_skb)) 2911 if (skb_queue_is_last(&chan->srej_q, next_skb))
2767 break; 2912 break;
2768 2913
2769 } while ((next_skb = skb_queue_next(SREJ_QUEUE(sk), next_skb))); 2914 } while ((next_skb = skb_queue_next(&chan->srej_q, next_skb)));
2770 2915
2771 __skb_queue_tail(SREJ_QUEUE(sk), skb); 2916 __skb_queue_tail(&chan->srej_q, skb);
2772 2917
2773 return 0; 2918 return 0;
2774} 2919}
2775 2920
2776static int l2cap_ertm_reassembly_sdu(struct sock *sk, struct sk_buff *skb, u16 control) 2921static int l2cap_ertm_reassembly_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u16 control)
2777{ 2922{
2778 struct l2cap_pinfo *pi = l2cap_pi(sk);
2779 struct sk_buff *_skb; 2923 struct sk_buff *_skb;
2780 int err; 2924 int err;
2781 2925
2782 switch (control & L2CAP_CTRL_SAR) { 2926 switch (control & L2CAP_CTRL_SAR) {
2783 case L2CAP_SDU_UNSEGMENTED: 2927 case L2CAP_SDU_UNSEGMENTED:
2784 if (pi->conn_state & L2CAP_CONN_SAR_SDU) 2928 if (chan->conn_state & L2CAP_CONN_SAR_SDU)
2785 goto drop; 2929 goto drop;
2786 2930
2787 err = sock_queue_rcv_skb(sk, skb); 2931 err = sock_queue_rcv_skb(chan->sk, skb);
2788 if (!err) 2932 if (!err)
2789 return err; 2933 return err;
2790 2934
2791 break; 2935 break;
2792 2936
2793 case L2CAP_SDU_START: 2937 case L2CAP_SDU_START:
2794 if (pi->conn_state & L2CAP_CONN_SAR_SDU) 2938 if (chan->conn_state & L2CAP_CONN_SAR_SDU)
2795 goto drop; 2939 goto drop;
2796 2940
2797 pi->sdu_len = get_unaligned_le16(skb->data); 2941 chan->sdu_len = get_unaligned_le16(skb->data);
2798 2942
2799 if (pi->sdu_len > pi->imtu) 2943 if (chan->sdu_len > chan->imtu)
2800 goto disconnect; 2944 goto disconnect;
2801 2945
2802 pi->sdu = bt_skb_alloc(pi->sdu_len, GFP_ATOMIC); 2946 chan->sdu = bt_skb_alloc(chan->sdu_len, GFP_ATOMIC);
2803 if (!pi->sdu) 2947 if (!chan->sdu)
2804 return -ENOMEM; 2948 return -ENOMEM;
2805 2949
2806 /* pull sdu_len bytes only after alloc, because of Local Busy 2950 /* pull sdu_len bytes only after alloc, because of Local Busy
@@ -2808,63 +2952,63 @@ static int l2cap_ertm_reassembly_sdu(struct sock *sk, struct sk_buff *skb, u16 c
2808 * only once, i.e., when alloc does not fail */ 2952 * only once, i.e., when alloc does not fail */
2809 skb_pull(skb, 2); 2953 skb_pull(skb, 2);
2810 2954
2811 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len); 2955 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
2812 2956
2813 pi->conn_state |= L2CAP_CONN_SAR_SDU; 2957 chan->conn_state |= L2CAP_CONN_SAR_SDU;
2814 pi->partial_sdu_len = skb->len; 2958 chan->partial_sdu_len = skb->len;
2815 break; 2959 break;
2816 2960
2817 case L2CAP_SDU_CONTINUE: 2961 case L2CAP_SDU_CONTINUE:
2818 if (!(pi->conn_state & L2CAP_CONN_SAR_SDU)) 2962 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
2819 goto disconnect; 2963 goto disconnect;
2820 2964
2821 if (!pi->sdu) 2965 if (!chan->sdu)
2822 goto disconnect; 2966 goto disconnect;
2823 2967
2824 pi->partial_sdu_len += skb->len; 2968 chan->partial_sdu_len += skb->len;
2825 if (pi->partial_sdu_len > pi->sdu_len) 2969 if (chan->partial_sdu_len > chan->sdu_len)
2826 goto drop; 2970 goto drop;
2827 2971
2828 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len); 2972 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
2829 2973
2830 break; 2974 break;
2831 2975
2832 case L2CAP_SDU_END: 2976 case L2CAP_SDU_END:
2833 if (!(pi->conn_state & L2CAP_CONN_SAR_SDU)) 2977 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
2834 goto disconnect; 2978 goto disconnect;
2835 2979
2836 if (!pi->sdu) 2980 if (!chan->sdu)
2837 goto disconnect; 2981 goto disconnect;
2838 2982
2839 if (!(pi->conn_state & L2CAP_CONN_SAR_RETRY)) { 2983 if (!(chan->conn_state & L2CAP_CONN_SAR_RETRY)) {
2840 pi->partial_sdu_len += skb->len; 2984 chan->partial_sdu_len += skb->len;
2841 2985
2842 if (pi->partial_sdu_len > pi->imtu) 2986 if (chan->partial_sdu_len > chan->imtu)
2843 goto drop; 2987 goto drop;
2844 2988
2845 if (pi->partial_sdu_len != pi->sdu_len) 2989 if (chan->partial_sdu_len != chan->sdu_len)
2846 goto drop; 2990 goto drop;
2847 2991
2848 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len); 2992 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
2849 } 2993 }
2850 2994
2851 _skb = skb_clone(pi->sdu, GFP_ATOMIC); 2995 _skb = skb_clone(chan->sdu, GFP_ATOMIC);
2852 if (!_skb) { 2996 if (!_skb) {
2853 pi->conn_state |= L2CAP_CONN_SAR_RETRY; 2997 chan->conn_state |= L2CAP_CONN_SAR_RETRY;
2854 return -ENOMEM; 2998 return -ENOMEM;
2855 } 2999 }
2856 3000
2857 err = sock_queue_rcv_skb(sk, _skb); 3001 err = sock_queue_rcv_skb(chan->sk, _skb);
2858 if (err < 0) { 3002 if (err < 0) {
2859 kfree_skb(_skb); 3003 kfree_skb(_skb);
2860 pi->conn_state |= L2CAP_CONN_SAR_RETRY; 3004 chan->conn_state |= L2CAP_CONN_SAR_RETRY;
2861 return err; 3005 return err;
2862 } 3006 }
2863 3007
2864 pi->conn_state &= ~L2CAP_CONN_SAR_RETRY; 3008 chan->conn_state &= ~L2CAP_CONN_SAR_RETRY;
2865 pi->conn_state &= ~L2CAP_CONN_SAR_SDU; 3009 chan->conn_state &= ~L2CAP_CONN_SAR_SDU;
2866 3010
2867 kfree_skb(pi->sdu); 3011 kfree_skb(chan->sdu);
2868 break; 3012 break;
2869 } 3013 }
2870 3014
@@ -2872,51 +3016,50 @@ static int l2cap_ertm_reassembly_sdu(struct sock *sk, struct sk_buff *skb, u16 c
2872 return 0; 3016 return 0;
2873 3017
2874drop: 3018drop:
2875 kfree_skb(pi->sdu); 3019 kfree_skb(chan->sdu);
2876 pi->sdu = NULL; 3020 chan->sdu = NULL;
2877 3021
2878disconnect: 3022disconnect:
2879 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET); 3023 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
2880 kfree_skb(skb); 3024 kfree_skb(skb);
2881 return 0; 3025 return 0;
2882} 3026}
2883 3027
2884static int l2cap_try_push_rx_skb(struct sock *sk) 3028static int l2cap_try_push_rx_skb(struct l2cap_chan *chan)
2885{ 3029{
2886 struct l2cap_pinfo *pi = l2cap_pi(sk);
2887 struct sk_buff *skb; 3030 struct sk_buff *skb;
2888 u16 control; 3031 u16 control;
2889 int err; 3032 int err;
2890 3033
2891 while ((skb = skb_dequeue(BUSY_QUEUE(sk)))) { 3034 while ((skb = skb_dequeue(&chan->busy_q))) {
2892 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT; 3035 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
2893 err = l2cap_ertm_reassembly_sdu(sk, skb, control); 3036 err = l2cap_ertm_reassembly_sdu(chan, skb, control);
2894 if (err < 0) { 3037 if (err < 0) {
2895 skb_queue_head(BUSY_QUEUE(sk), skb); 3038 skb_queue_head(&chan->busy_q, skb);
2896 return -EBUSY; 3039 return -EBUSY;
2897 } 3040 }
2898 3041
2899 pi->buffer_seq = (pi->buffer_seq + 1) % 64; 3042 chan->buffer_seq = (chan->buffer_seq + 1) % 64;
2900 } 3043 }
2901 3044
2902 if (!(pi->conn_state & L2CAP_CONN_RNR_SENT)) 3045 if (!(chan->conn_state & L2CAP_CONN_RNR_SENT))
2903 goto done; 3046 goto done;
2904 3047
2905 control = pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT; 3048 control = chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
2906 control |= L2CAP_SUPER_RCV_READY | L2CAP_CTRL_POLL; 3049 control |= L2CAP_SUPER_RCV_READY | L2CAP_CTRL_POLL;
2907 l2cap_send_sframe(pi, control); 3050 l2cap_send_sframe(chan, control);
2908 l2cap_pi(sk)->retry_count = 1; 3051 chan->retry_count = 1;
2909 3052
2910 del_timer(&pi->retrans_timer); 3053 del_timer(&chan->retrans_timer);
2911 __mod_monitor_timer(); 3054 __mod_monitor_timer();
2912 3055
2913 l2cap_pi(sk)->conn_state |= L2CAP_CONN_WAIT_F; 3056 chan->conn_state |= L2CAP_CONN_WAIT_F;
2914 3057
2915done: 3058done:
2916 pi->conn_state &= ~L2CAP_CONN_LOCAL_BUSY; 3059 chan->conn_state &= ~L2CAP_CONN_LOCAL_BUSY;
2917 pi->conn_state &= ~L2CAP_CONN_RNR_SENT; 3060 chan->conn_state &= ~L2CAP_CONN_RNR_SENT;
2918 3061
2919 BT_DBG("sk %p, Exit local busy", sk); 3062 BT_DBG("chan %p, Exit local busy", chan);
2920 3063
2921 return 0; 3064 return 0;
2922} 3065}
@@ -2924,21 +3067,21 @@ done:
2924static void l2cap_busy_work(struct work_struct *work) 3067static void l2cap_busy_work(struct work_struct *work)
2925{ 3068{
2926 DECLARE_WAITQUEUE(wait, current); 3069 DECLARE_WAITQUEUE(wait, current);
2927 struct l2cap_pinfo *pi = 3070 struct l2cap_chan *chan =
2928 container_of(work, struct l2cap_pinfo, busy_work); 3071 container_of(work, struct l2cap_chan, busy_work);
2929 struct sock *sk = (struct sock *)pi; 3072 struct sock *sk = chan->sk;
2930 int n_tries = 0, timeo = HZ/5, err; 3073 int n_tries = 0, timeo = HZ/5, err;
2931 struct sk_buff *skb; 3074 struct sk_buff *skb;
2932 3075
2933 lock_sock(sk); 3076 lock_sock(sk);
2934 3077
2935 add_wait_queue(sk_sleep(sk), &wait); 3078 add_wait_queue(sk_sleep(sk), &wait);
2936 while ((skb = skb_peek(BUSY_QUEUE(sk)))) { 3079 while ((skb = skb_peek(&chan->busy_q))) {
2937 set_current_state(TASK_INTERRUPTIBLE); 3080 set_current_state(TASK_INTERRUPTIBLE);
2938 3081
2939 if (n_tries++ > L2CAP_LOCAL_BUSY_TRIES) { 3082 if (n_tries++ > L2CAP_LOCAL_BUSY_TRIES) {
2940 err = -EBUSY; 3083 err = -EBUSY;
2941 l2cap_send_disconn_req(pi->conn, sk, EBUSY); 3084 l2cap_send_disconn_req(chan->conn, chan, EBUSY);
2942 break; 3085 break;
2943 } 3086 }
2944 3087
@@ -2958,7 +3101,7 @@ static void l2cap_busy_work(struct work_struct *work)
2958 if (err) 3101 if (err)
2959 break; 3102 break;
2960 3103
2961 if (l2cap_try_push_rx_skb(sk) == 0) 3104 if (l2cap_try_push_rx_skb(chan) == 0)
2962 break; 3105 break;
2963 } 3106 }
2964 3107
@@ -2968,48 +3111,46 @@ static void l2cap_busy_work(struct work_struct *work)
2968 release_sock(sk); 3111 release_sock(sk);
2969} 3112}
2970 3113
2971static int l2cap_push_rx_skb(struct sock *sk, struct sk_buff *skb, u16 control) 3114static int l2cap_push_rx_skb(struct l2cap_chan *chan, struct sk_buff *skb, u16 control)
2972{ 3115{
2973 struct l2cap_pinfo *pi = l2cap_pi(sk);
2974 int sctrl, err; 3116 int sctrl, err;
2975 3117
2976 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) { 3118 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
2977 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT; 3119 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
2978 __skb_queue_tail(BUSY_QUEUE(sk), skb); 3120 __skb_queue_tail(&chan->busy_q, skb);
2979 return l2cap_try_push_rx_skb(sk); 3121 return l2cap_try_push_rx_skb(chan);
2980 3122
2981 3123
2982 } 3124 }
2983 3125
2984 err = l2cap_ertm_reassembly_sdu(sk, skb, control); 3126 err = l2cap_ertm_reassembly_sdu(chan, skb, control);
2985 if (err >= 0) { 3127 if (err >= 0) {
2986 pi->buffer_seq = (pi->buffer_seq + 1) % 64; 3128 chan->buffer_seq = (chan->buffer_seq + 1) % 64;
2987 return err; 3129 return err;
2988 } 3130 }
2989 3131
2990 /* Busy Condition */ 3132 /* Busy Condition */
2991 BT_DBG("sk %p, Enter local busy", sk); 3133 BT_DBG("chan %p, Enter local busy", chan);
2992 3134
2993 pi->conn_state |= L2CAP_CONN_LOCAL_BUSY; 3135 chan->conn_state |= L2CAP_CONN_LOCAL_BUSY;
2994 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT; 3136 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
2995 __skb_queue_tail(BUSY_QUEUE(sk), skb); 3137 __skb_queue_tail(&chan->busy_q, skb);
2996 3138
2997 sctrl = pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT; 3139 sctrl = chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
2998 sctrl |= L2CAP_SUPER_RCV_NOT_READY; 3140 sctrl |= L2CAP_SUPER_RCV_NOT_READY;
2999 l2cap_send_sframe(pi, sctrl); 3141 l2cap_send_sframe(chan, sctrl);
3000 3142
3001 pi->conn_state |= L2CAP_CONN_RNR_SENT; 3143 chan->conn_state |= L2CAP_CONN_RNR_SENT;
3002 3144
3003 del_timer(&pi->ack_timer); 3145 del_timer(&chan->ack_timer);
3004 3146
3005 queue_work(_busy_wq, &pi->busy_work); 3147 queue_work(_busy_wq, &chan->busy_work);
3006 3148
3007 return err; 3149 return err;
3008} 3150}
3009 3151
3010static int l2cap_streaming_reassembly_sdu(struct sock *sk, struct sk_buff *skb, u16 control) 3152static int l2cap_streaming_reassembly_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u16 control)
3011{ 3153{
3012 struct l2cap_pinfo *pi = l2cap_pi(sk);
3013 struct sk_buff *_skb; 3154 struct sk_buff *_skb;
3014 int err = -EINVAL; 3155 int err = -EINVAL;
3015 3156
@@ -3020,80 +3161,80 @@ static int l2cap_streaming_reassembly_sdu(struct sock *sk, struct sk_buff *skb,
3020 3161
3021 switch (control & L2CAP_CTRL_SAR) { 3162 switch (control & L2CAP_CTRL_SAR) {
3022 case L2CAP_SDU_UNSEGMENTED: 3163 case L2CAP_SDU_UNSEGMENTED:
3023 if (pi->conn_state & L2CAP_CONN_SAR_SDU) { 3164 if (chan->conn_state & L2CAP_CONN_SAR_SDU) {
3024 kfree_skb(pi->sdu); 3165 kfree_skb(chan->sdu);
3025 break; 3166 break;
3026 } 3167 }
3027 3168
3028 err = sock_queue_rcv_skb(sk, skb); 3169 err = sock_queue_rcv_skb(chan->sk, skb);
3029 if (!err) 3170 if (!err)
3030 return 0; 3171 return 0;
3031 3172
3032 break; 3173 break;
3033 3174
3034 case L2CAP_SDU_START: 3175 case L2CAP_SDU_START:
3035 if (pi->conn_state & L2CAP_CONN_SAR_SDU) { 3176 if (chan->conn_state & L2CAP_CONN_SAR_SDU) {
3036 kfree_skb(pi->sdu); 3177 kfree_skb(chan->sdu);
3037 break; 3178 break;
3038 } 3179 }
3039 3180
3040 pi->sdu_len = get_unaligned_le16(skb->data); 3181 chan->sdu_len = get_unaligned_le16(skb->data);
3041 skb_pull(skb, 2); 3182 skb_pull(skb, 2);
3042 3183
3043 if (pi->sdu_len > pi->imtu) { 3184 if (chan->sdu_len > chan->imtu) {
3044 err = -EMSGSIZE; 3185 err = -EMSGSIZE;
3045 break; 3186 break;
3046 } 3187 }
3047 3188
3048 pi->sdu = bt_skb_alloc(pi->sdu_len, GFP_ATOMIC); 3189 chan->sdu = bt_skb_alloc(chan->sdu_len, GFP_ATOMIC);
3049 if (!pi->sdu) { 3190 if (!chan->sdu) {
3050 err = -ENOMEM; 3191 err = -ENOMEM;
3051 break; 3192 break;
3052 } 3193 }
3053 3194
3054 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len); 3195 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
3055 3196
3056 pi->conn_state |= L2CAP_CONN_SAR_SDU; 3197 chan->conn_state |= L2CAP_CONN_SAR_SDU;
3057 pi->partial_sdu_len = skb->len; 3198 chan->partial_sdu_len = skb->len;
3058 err = 0; 3199 err = 0;
3059 break; 3200 break;
3060 3201
3061 case L2CAP_SDU_CONTINUE: 3202 case L2CAP_SDU_CONTINUE:
3062 if (!(pi->conn_state & L2CAP_CONN_SAR_SDU)) 3203 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
3063 break; 3204 break;
3064 3205
3065 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len); 3206 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
3066 3207
3067 pi->partial_sdu_len += skb->len; 3208 chan->partial_sdu_len += skb->len;
3068 if (pi->partial_sdu_len > pi->sdu_len) 3209 if (chan->partial_sdu_len > chan->sdu_len)
3069 kfree_skb(pi->sdu); 3210 kfree_skb(chan->sdu);
3070 else 3211 else
3071 err = 0; 3212 err = 0;
3072 3213
3073 break; 3214 break;
3074 3215
3075 case L2CAP_SDU_END: 3216 case L2CAP_SDU_END:
3076 if (!(pi->conn_state & L2CAP_CONN_SAR_SDU)) 3217 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
3077 break; 3218 break;
3078 3219
3079 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len); 3220 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
3080 3221
3081 pi->conn_state &= ~L2CAP_CONN_SAR_SDU; 3222 chan->conn_state &= ~L2CAP_CONN_SAR_SDU;
3082 pi->partial_sdu_len += skb->len; 3223 chan->partial_sdu_len += skb->len;
3083 3224
3084 if (pi->partial_sdu_len > pi->imtu) 3225 if (chan->partial_sdu_len > chan->imtu)
3085 goto drop; 3226 goto drop;
3086 3227
3087 if (pi->partial_sdu_len == pi->sdu_len) { 3228 if (chan->partial_sdu_len == chan->sdu_len) {
3088 _skb = skb_clone(pi->sdu, GFP_ATOMIC); 3229 _skb = skb_clone(chan->sdu, GFP_ATOMIC);
3089 err = sock_queue_rcv_skb(sk, _skb); 3230 err = sock_queue_rcv_skb(chan->sk, _skb);
3090 if (err < 0) 3231 if (err < 0)
3091 kfree_skb(_skb); 3232 kfree_skb(_skb);
3092 } 3233 }
3093 err = 0; 3234 err = 0;
3094 3235
3095drop: 3236drop:
3096 kfree_skb(pi->sdu); 3237 kfree_skb(chan->sdu);
3097 break; 3238 break;
3098 } 3239 }
3099 3240
@@ -3101,31 +3242,30 @@ drop:
3101 return err; 3242 return err;
3102} 3243}
3103 3244
3104static void l2cap_check_srej_gap(struct sock *sk, u8 tx_seq) 3245static void l2cap_check_srej_gap(struct l2cap_chan *chan, u8 tx_seq)
3105{ 3246{
3106 struct sk_buff *skb; 3247 struct sk_buff *skb;
3107 u16 control; 3248 u16 control;
3108 3249
3109 while ((skb = skb_peek(SREJ_QUEUE(sk)))) { 3250 while ((skb = skb_peek(&chan->srej_q))) {
3110 if (bt_cb(skb)->tx_seq != tx_seq) 3251 if (bt_cb(skb)->tx_seq != tx_seq)
3111 break; 3252 break;
3112 3253
3113 skb = skb_dequeue(SREJ_QUEUE(sk)); 3254 skb = skb_dequeue(&chan->srej_q);
3114 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT; 3255 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
3115 l2cap_ertm_reassembly_sdu(sk, skb, control); 3256 l2cap_ertm_reassembly_sdu(chan, skb, control);
3116 l2cap_pi(sk)->buffer_seq_srej = 3257 chan->buffer_seq_srej =
3117 (l2cap_pi(sk)->buffer_seq_srej + 1) % 64; 3258 (chan->buffer_seq_srej + 1) % 64;
3118 tx_seq = (tx_seq + 1) % 64; 3259 tx_seq = (tx_seq + 1) % 64;
3119 } 3260 }
3120} 3261}
3121 3262
3122static void l2cap_resend_srejframe(struct sock *sk, u8 tx_seq) 3263static void l2cap_resend_srejframe(struct l2cap_chan *chan, u8 tx_seq)
3123{ 3264{
3124 struct l2cap_pinfo *pi = l2cap_pi(sk);
3125 struct srej_list *l, *tmp; 3265 struct srej_list *l, *tmp;
3126 u16 control; 3266 u16 control;
3127 3267
3128 list_for_each_entry_safe(l, tmp, SREJ_LIST(sk), list) { 3268 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
3129 if (l->tx_seq == tx_seq) { 3269 if (l->tx_seq == tx_seq) {
3130 list_del(&l->list); 3270 list_del(&l->list);
3131 kfree(l); 3271 kfree(l);
@@ -3133,107 +3273,105 @@ static void l2cap_resend_srejframe(struct sock *sk, u8 tx_seq)
3133 } 3273 }
3134 control = L2CAP_SUPER_SELECT_REJECT; 3274 control = L2CAP_SUPER_SELECT_REJECT;
3135 control |= l->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT; 3275 control |= l->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3136 l2cap_send_sframe(pi, control); 3276 l2cap_send_sframe(chan, control);
3137 list_del(&l->list); 3277 list_del(&l->list);
3138 list_add_tail(&l->list, SREJ_LIST(sk)); 3278 list_add_tail(&l->list, &chan->srej_l);
3139 } 3279 }
3140} 3280}
3141 3281
3142static void l2cap_send_srejframe(struct sock *sk, u8 tx_seq) 3282static void l2cap_send_srejframe(struct l2cap_chan *chan, u8 tx_seq)
3143{ 3283{
3144 struct l2cap_pinfo *pi = l2cap_pi(sk);
3145 struct srej_list *new; 3284 struct srej_list *new;
3146 u16 control; 3285 u16 control;
3147 3286
3148 while (tx_seq != pi->expected_tx_seq) { 3287 while (tx_seq != chan->expected_tx_seq) {
3149 control = L2CAP_SUPER_SELECT_REJECT; 3288 control = L2CAP_SUPER_SELECT_REJECT;
3150 control |= pi->expected_tx_seq << L2CAP_CTRL_REQSEQ_SHIFT; 3289 control |= chan->expected_tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3151 l2cap_send_sframe(pi, control); 3290 l2cap_send_sframe(chan, control);
3152 3291
3153 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC); 3292 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
3154 new->tx_seq = pi->expected_tx_seq; 3293 new->tx_seq = chan->expected_tx_seq;
3155 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64; 3294 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
3156 list_add_tail(&new->list, SREJ_LIST(sk)); 3295 list_add_tail(&new->list, &chan->srej_l);
3157 } 3296 }
3158 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64; 3297 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
3159} 3298}
3160 3299
3161static inline int l2cap_data_channel_iframe(struct sock *sk, u16 rx_control, struct sk_buff *skb) 3300static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u16 rx_control, struct sk_buff *skb)
3162{ 3301{
3163 struct l2cap_pinfo *pi = l2cap_pi(sk);
3164 u8 tx_seq = __get_txseq(rx_control); 3302 u8 tx_seq = __get_txseq(rx_control);
3165 u8 req_seq = __get_reqseq(rx_control); 3303 u8 req_seq = __get_reqseq(rx_control);
3166 u8 sar = rx_control >> L2CAP_CTRL_SAR_SHIFT; 3304 u8 sar = rx_control >> L2CAP_CTRL_SAR_SHIFT;
3167 int tx_seq_offset, expected_tx_seq_offset; 3305 int tx_seq_offset, expected_tx_seq_offset;
3168 int num_to_ack = (pi->tx_win/6) + 1; 3306 int num_to_ack = (chan->tx_win/6) + 1;
3169 int err = 0; 3307 int err = 0;
3170 3308
3171 BT_DBG("sk %p len %d tx_seq %d rx_control 0x%4.4x", sk, skb->len, tx_seq, 3309 BT_DBG("chan %p len %d tx_seq %d rx_control 0x%4.4x", chan, skb->len,
3172 rx_control); 3310 tx_seq, rx_control);
3173 3311
3174 if (L2CAP_CTRL_FINAL & rx_control && 3312 if (L2CAP_CTRL_FINAL & rx_control &&
3175 l2cap_pi(sk)->conn_state & L2CAP_CONN_WAIT_F) { 3313 chan->conn_state & L2CAP_CONN_WAIT_F) {
3176 del_timer(&pi->monitor_timer); 3314 del_timer(&chan->monitor_timer);
3177 if (pi->unacked_frames > 0) 3315 if (chan->unacked_frames > 0)
3178 __mod_retrans_timer(); 3316 __mod_retrans_timer();
3179 pi->conn_state &= ~L2CAP_CONN_WAIT_F; 3317 chan->conn_state &= ~L2CAP_CONN_WAIT_F;
3180 } 3318 }
3181 3319
3182 pi->expected_ack_seq = req_seq; 3320 chan->expected_ack_seq = req_seq;
3183 l2cap_drop_acked_frames(sk); 3321 l2cap_drop_acked_frames(chan);
3184 3322
3185 if (tx_seq == pi->expected_tx_seq) 3323 if (tx_seq == chan->expected_tx_seq)
3186 goto expected; 3324 goto expected;
3187 3325
3188 tx_seq_offset = (tx_seq - pi->buffer_seq) % 64; 3326 tx_seq_offset = (tx_seq - chan->buffer_seq) % 64;
3189 if (tx_seq_offset < 0) 3327 if (tx_seq_offset < 0)
3190 tx_seq_offset += 64; 3328 tx_seq_offset += 64;
3191 3329
3192 /* invalid tx_seq */ 3330 /* invalid tx_seq */
3193 if (tx_seq_offset >= pi->tx_win) { 3331 if (tx_seq_offset >= chan->tx_win) {
3194 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET); 3332 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3195 goto drop; 3333 goto drop;
3196 } 3334 }
3197 3335
3198 if (pi->conn_state == L2CAP_CONN_LOCAL_BUSY) 3336 if (chan->conn_state == L2CAP_CONN_LOCAL_BUSY)
3199 goto drop; 3337 goto drop;
3200 3338
3201 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) { 3339 if (chan->conn_state & L2CAP_CONN_SREJ_SENT) {
3202 struct srej_list *first; 3340 struct srej_list *first;
3203 3341
3204 first = list_first_entry(SREJ_LIST(sk), 3342 first = list_first_entry(&chan->srej_l,
3205 struct srej_list, list); 3343 struct srej_list, list);
3206 if (tx_seq == first->tx_seq) { 3344 if (tx_seq == first->tx_seq) {
3207 l2cap_add_to_srej_queue(sk, skb, tx_seq, sar); 3345 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
3208 l2cap_check_srej_gap(sk, tx_seq); 3346 l2cap_check_srej_gap(chan, tx_seq);
3209 3347
3210 list_del(&first->list); 3348 list_del(&first->list);
3211 kfree(first); 3349 kfree(first);
3212 3350
3213 if (list_empty(SREJ_LIST(sk))) { 3351 if (list_empty(&chan->srej_l)) {
3214 pi->buffer_seq = pi->buffer_seq_srej; 3352 chan->buffer_seq = chan->buffer_seq_srej;
3215 pi->conn_state &= ~L2CAP_CONN_SREJ_SENT; 3353 chan->conn_state &= ~L2CAP_CONN_SREJ_SENT;
3216 l2cap_send_ack(pi); 3354 l2cap_send_ack(chan);
3217 BT_DBG("sk %p, Exit SREJ_SENT", sk); 3355 BT_DBG("chan %p, Exit SREJ_SENT", chan);
3218 } 3356 }
3219 } else { 3357 } else {
3220 struct srej_list *l; 3358 struct srej_list *l;
3221 3359
3222 /* duplicated tx_seq */ 3360 /* duplicated tx_seq */
3223 if (l2cap_add_to_srej_queue(sk, skb, tx_seq, sar) < 0) 3361 if (l2cap_add_to_srej_queue(chan, skb, tx_seq, sar) < 0)
3224 goto drop; 3362 goto drop;
3225 3363
3226 list_for_each_entry(l, SREJ_LIST(sk), list) { 3364 list_for_each_entry(l, &chan->srej_l, list) {
3227 if (l->tx_seq == tx_seq) { 3365 if (l->tx_seq == tx_seq) {
3228 l2cap_resend_srejframe(sk, tx_seq); 3366 l2cap_resend_srejframe(chan, tx_seq);
3229 return 0; 3367 return 0;
3230 } 3368 }
3231 } 3369 }
3232 l2cap_send_srejframe(sk, tx_seq); 3370 l2cap_send_srejframe(chan, tx_seq);
3233 } 3371 }
3234 } else { 3372 } else {
3235 expected_tx_seq_offset = 3373 expected_tx_seq_offset =
3236 (pi->expected_tx_seq - pi->buffer_seq) % 64; 3374 (chan->expected_tx_seq - chan->buffer_seq) % 64;
3237 if (expected_tx_seq_offset < 0) 3375 if (expected_tx_seq_offset < 0)
3238 expected_tx_seq_offset += 64; 3376 expected_tx_seq_offset += 64;
3239 3377
@@ -3241,51 +3379,51 @@ static inline int l2cap_data_channel_iframe(struct sock *sk, u16 rx_control, str
3241 if (tx_seq_offset < expected_tx_seq_offset) 3379 if (tx_seq_offset < expected_tx_seq_offset)
3242 goto drop; 3380 goto drop;
3243 3381
3244 pi->conn_state |= L2CAP_CONN_SREJ_SENT; 3382 chan->conn_state |= L2CAP_CONN_SREJ_SENT;
3245 3383
3246 BT_DBG("sk %p, Enter SREJ", sk); 3384 BT_DBG("chan %p, Enter SREJ", chan);
3247 3385
3248 INIT_LIST_HEAD(SREJ_LIST(sk)); 3386 INIT_LIST_HEAD(&chan->srej_l);
3249 pi->buffer_seq_srej = pi->buffer_seq; 3387 chan->buffer_seq_srej = chan->buffer_seq;
3250 3388
3251 __skb_queue_head_init(SREJ_QUEUE(sk)); 3389 __skb_queue_head_init(&chan->srej_q);
3252 __skb_queue_head_init(BUSY_QUEUE(sk)); 3390 __skb_queue_head_init(&chan->busy_q);
3253 l2cap_add_to_srej_queue(sk, skb, tx_seq, sar); 3391 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
3254 3392
3255 pi->conn_state |= L2CAP_CONN_SEND_PBIT; 3393 chan->conn_state |= L2CAP_CONN_SEND_PBIT;
3256 3394
3257 l2cap_send_srejframe(sk, tx_seq); 3395 l2cap_send_srejframe(chan, tx_seq);
3258 3396
3259 del_timer(&pi->ack_timer); 3397 del_timer(&chan->ack_timer);
3260 } 3398 }
3261 return 0; 3399 return 0;
3262 3400
3263expected: 3401expected:
3264 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64; 3402 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
3265 3403
3266 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) { 3404 if (chan->conn_state & L2CAP_CONN_SREJ_SENT) {
3267 bt_cb(skb)->tx_seq = tx_seq; 3405 bt_cb(skb)->tx_seq = tx_seq;
3268 bt_cb(skb)->sar = sar; 3406 bt_cb(skb)->sar = sar;
3269 __skb_queue_tail(SREJ_QUEUE(sk), skb); 3407 __skb_queue_tail(&chan->srej_q, skb);
3270 return 0; 3408 return 0;
3271 } 3409 }
3272 3410
3273 err = l2cap_push_rx_skb(sk, skb, rx_control); 3411 err = l2cap_push_rx_skb(chan, skb, rx_control);
3274 if (err < 0) 3412 if (err < 0)
3275 return 0; 3413 return 0;
3276 3414
3277 if (rx_control & L2CAP_CTRL_FINAL) { 3415 if (rx_control & L2CAP_CTRL_FINAL) {
3278 if (pi->conn_state & L2CAP_CONN_REJ_ACT) 3416 if (chan->conn_state & L2CAP_CONN_REJ_ACT)
3279 pi->conn_state &= ~L2CAP_CONN_REJ_ACT; 3417 chan->conn_state &= ~L2CAP_CONN_REJ_ACT;
3280 else 3418 else
3281 l2cap_retransmit_frames(sk); 3419 l2cap_retransmit_frames(chan);
3282 } 3420 }
3283 3421
3284 __mod_ack_timer(); 3422 __mod_ack_timer();
3285 3423
3286 pi->num_acked = (pi->num_acked + 1) % num_to_ack; 3424 chan->num_acked = (chan->num_acked + 1) % num_to_ack;
3287 if (pi->num_acked == num_to_ack - 1) 3425 if (chan->num_acked == num_to_ack - 1)
3288 l2cap_send_ack(pi); 3426 l2cap_send_ack(chan);
3289 3427
3290 return 0; 3428 return 0;
3291 3429
@@ -3294,165 +3432,160 @@ drop:
3294 return 0; 3432 return 0;
3295} 3433}
3296 3434
3297static inline void l2cap_data_channel_rrframe(struct sock *sk, u16 rx_control) 3435static inline void l2cap_data_channel_rrframe(struct l2cap_chan *chan, u16 rx_control)
3298{ 3436{
3299 struct l2cap_pinfo *pi = l2cap_pi(sk); 3437 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, __get_reqseq(rx_control),
3300
3301 BT_DBG("sk %p, req_seq %d ctrl 0x%4.4x", sk, __get_reqseq(rx_control),
3302 rx_control); 3438 rx_control);
3303 3439
3304 pi->expected_ack_seq = __get_reqseq(rx_control); 3440 chan->expected_ack_seq = __get_reqseq(rx_control);
3305 l2cap_drop_acked_frames(sk); 3441 l2cap_drop_acked_frames(chan);
3306 3442
3307 if (rx_control & L2CAP_CTRL_POLL) { 3443 if (rx_control & L2CAP_CTRL_POLL) {
3308 pi->conn_state |= L2CAP_CONN_SEND_FBIT; 3444 chan->conn_state |= L2CAP_CONN_SEND_FBIT;
3309 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) { 3445 if (chan->conn_state & L2CAP_CONN_SREJ_SENT) {
3310 if ((pi->conn_state & L2CAP_CONN_REMOTE_BUSY) && 3446 if ((chan->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
3311 (pi->unacked_frames > 0)) 3447 (chan->unacked_frames > 0))
3312 __mod_retrans_timer(); 3448 __mod_retrans_timer();
3313 3449
3314 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY; 3450 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3315 l2cap_send_srejtail(sk); 3451 l2cap_send_srejtail(chan);
3316 } else { 3452 } else {
3317 l2cap_send_i_or_rr_or_rnr(sk); 3453 l2cap_send_i_or_rr_or_rnr(chan);
3318 } 3454 }
3319 3455
3320 } else if (rx_control & L2CAP_CTRL_FINAL) { 3456 } else if (rx_control & L2CAP_CTRL_FINAL) {
3321 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY; 3457 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3322 3458
3323 if (pi->conn_state & L2CAP_CONN_REJ_ACT) 3459 if (chan->conn_state & L2CAP_CONN_REJ_ACT)
3324 pi->conn_state &= ~L2CAP_CONN_REJ_ACT; 3460 chan->conn_state &= ~L2CAP_CONN_REJ_ACT;
3325 else 3461 else
3326 l2cap_retransmit_frames(sk); 3462 l2cap_retransmit_frames(chan);
3327 3463
3328 } else { 3464 } else {
3329 if ((pi->conn_state & L2CAP_CONN_REMOTE_BUSY) && 3465 if ((chan->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
3330 (pi->unacked_frames > 0)) 3466 (chan->unacked_frames > 0))
3331 __mod_retrans_timer(); 3467 __mod_retrans_timer();
3332 3468
3333 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY; 3469 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3334 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) 3470 if (chan->conn_state & L2CAP_CONN_SREJ_SENT)
3335 l2cap_send_ack(pi); 3471 l2cap_send_ack(chan);
3336 else 3472 else
3337 l2cap_ertm_send(sk); 3473 l2cap_ertm_send(chan);
3338 } 3474 }
3339} 3475}
3340 3476
3341static inline void l2cap_data_channel_rejframe(struct sock *sk, u16 rx_control) 3477static inline void l2cap_data_channel_rejframe(struct l2cap_chan *chan, u16 rx_control)
3342{ 3478{
3343 struct l2cap_pinfo *pi = l2cap_pi(sk);
3344 u8 tx_seq = __get_reqseq(rx_control); 3479 u8 tx_seq = __get_reqseq(rx_control);
3345 3480
3346 BT_DBG("sk %p, req_seq %d ctrl 0x%4.4x", sk, tx_seq, rx_control); 3481 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
3347 3482
3348 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY; 3483 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3349 3484
3350 pi->expected_ack_seq = tx_seq; 3485 chan->expected_ack_seq = tx_seq;
3351 l2cap_drop_acked_frames(sk); 3486 l2cap_drop_acked_frames(chan);
3352 3487
3353 if (rx_control & L2CAP_CTRL_FINAL) { 3488 if (rx_control & L2CAP_CTRL_FINAL) {
3354 if (pi->conn_state & L2CAP_CONN_REJ_ACT) 3489 if (chan->conn_state & L2CAP_CONN_REJ_ACT)
3355 pi->conn_state &= ~L2CAP_CONN_REJ_ACT; 3490 chan->conn_state &= ~L2CAP_CONN_REJ_ACT;
3356 else 3491 else
3357 l2cap_retransmit_frames(sk); 3492 l2cap_retransmit_frames(chan);
3358 } else { 3493 } else {
3359 l2cap_retransmit_frames(sk); 3494 l2cap_retransmit_frames(chan);
3360 3495
3361 if (pi->conn_state & L2CAP_CONN_WAIT_F) 3496 if (chan->conn_state & L2CAP_CONN_WAIT_F)
3362 pi->conn_state |= L2CAP_CONN_REJ_ACT; 3497 chan->conn_state |= L2CAP_CONN_REJ_ACT;
3363 } 3498 }
3364} 3499}
3365static inline void l2cap_data_channel_srejframe(struct sock *sk, u16 rx_control) 3500static inline void l2cap_data_channel_srejframe(struct l2cap_chan *chan, u16 rx_control)
3366{ 3501{
3367 struct l2cap_pinfo *pi = l2cap_pi(sk);
3368 u8 tx_seq = __get_reqseq(rx_control); 3502 u8 tx_seq = __get_reqseq(rx_control);
3369 3503
3370 BT_DBG("sk %p, req_seq %d ctrl 0x%4.4x", sk, tx_seq, rx_control); 3504 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
3371 3505
3372 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY; 3506 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3373 3507
3374 if (rx_control & L2CAP_CTRL_POLL) { 3508 if (rx_control & L2CAP_CTRL_POLL) {
3375 pi->expected_ack_seq = tx_seq; 3509 chan->expected_ack_seq = tx_seq;
3376 l2cap_drop_acked_frames(sk); 3510 l2cap_drop_acked_frames(chan);
3377 3511
3378 pi->conn_state |= L2CAP_CONN_SEND_FBIT; 3512 chan->conn_state |= L2CAP_CONN_SEND_FBIT;
3379 l2cap_retransmit_one_frame(sk, tx_seq); 3513 l2cap_retransmit_one_frame(chan, tx_seq);
3380 3514
3381 l2cap_ertm_send(sk); 3515 l2cap_ertm_send(chan);
3382 3516
3383 if (pi->conn_state & L2CAP_CONN_WAIT_F) { 3517 if (chan->conn_state & L2CAP_CONN_WAIT_F) {
3384 pi->srej_save_reqseq = tx_seq; 3518 chan->srej_save_reqseq = tx_seq;
3385 pi->conn_state |= L2CAP_CONN_SREJ_ACT; 3519 chan->conn_state |= L2CAP_CONN_SREJ_ACT;
3386 } 3520 }
3387 } else if (rx_control & L2CAP_CTRL_FINAL) { 3521 } else if (rx_control & L2CAP_CTRL_FINAL) {
3388 if ((pi->conn_state & L2CAP_CONN_SREJ_ACT) && 3522 if ((chan->conn_state & L2CAP_CONN_SREJ_ACT) &&
3389 pi->srej_save_reqseq == tx_seq) 3523 chan->srej_save_reqseq == tx_seq)
3390 pi->conn_state &= ~L2CAP_CONN_SREJ_ACT; 3524 chan->conn_state &= ~L2CAP_CONN_SREJ_ACT;
3391 else 3525 else
3392 l2cap_retransmit_one_frame(sk, tx_seq); 3526 l2cap_retransmit_one_frame(chan, tx_seq);
3393 } else { 3527 } else {
3394 l2cap_retransmit_one_frame(sk, tx_seq); 3528 l2cap_retransmit_one_frame(chan, tx_seq);
3395 if (pi->conn_state & L2CAP_CONN_WAIT_F) { 3529 if (chan->conn_state & L2CAP_CONN_WAIT_F) {
3396 pi->srej_save_reqseq = tx_seq; 3530 chan->srej_save_reqseq = tx_seq;
3397 pi->conn_state |= L2CAP_CONN_SREJ_ACT; 3531 chan->conn_state |= L2CAP_CONN_SREJ_ACT;
3398 } 3532 }
3399 } 3533 }
3400} 3534}
3401 3535
3402static inline void l2cap_data_channel_rnrframe(struct sock *sk, u16 rx_control) 3536static inline void l2cap_data_channel_rnrframe(struct l2cap_chan *chan, u16 rx_control)
3403{ 3537{
3404 struct l2cap_pinfo *pi = l2cap_pi(sk);
3405 u8 tx_seq = __get_reqseq(rx_control); 3538 u8 tx_seq = __get_reqseq(rx_control);
3406 3539
3407 BT_DBG("sk %p, req_seq %d ctrl 0x%4.4x", sk, tx_seq, rx_control); 3540 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
3408 3541
3409 pi->conn_state |= L2CAP_CONN_REMOTE_BUSY; 3542 chan->conn_state |= L2CAP_CONN_REMOTE_BUSY;
3410 pi->expected_ack_seq = tx_seq; 3543 chan->expected_ack_seq = tx_seq;
3411 l2cap_drop_acked_frames(sk); 3544 l2cap_drop_acked_frames(chan);
3412 3545
3413 if (rx_control & L2CAP_CTRL_POLL) 3546 if (rx_control & L2CAP_CTRL_POLL)
3414 pi->conn_state |= L2CAP_CONN_SEND_FBIT; 3547 chan->conn_state |= L2CAP_CONN_SEND_FBIT;
3415 3548
3416 if (!(pi->conn_state & L2CAP_CONN_SREJ_SENT)) { 3549 if (!(chan->conn_state & L2CAP_CONN_SREJ_SENT)) {
3417 del_timer(&pi->retrans_timer); 3550 del_timer(&chan->retrans_timer);
3418 if (rx_control & L2CAP_CTRL_POLL) 3551 if (rx_control & L2CAP_CTRL_POLL)
3419 l2cap_send_rr_or_rnr(pi, L2CAP_CTRL_FINAL); 3552 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_FINAL);
3420 return; 3553 return;
3421 } 3554 }
3422 3555
3423 if (rx_control & L2CAP_CTRL_POLL) 3556 if (rx_control & L2CAP_CTRL_POLL)
3424 l2cap_send_srejtail(sk); 3557 l2cap_send_srejtail(chan);
3425 else 3558 else
3426 l2cap_send_sframe(pi, L2CAP_SUPER_RCV_READY); 3559 l2cap_send_sframe(chan, L2CAP_SUPER_RCV_READY);
3427} 3560}
3428 3561
3429static inline int l2cap_data_channel_sframe(struct sock *sk, u16 rx_control, struct sk_buff *skb) 3562static inline int l2cap_data_channel_sframe(struct l2cap_chan *chan, u16 rx_control, struct sk_buff *skb)
3430{ 3563{
3431 BT_DBG("sk %p rx_control 0x%4.4x len %d", sk, rx_control, skb->len); 3564 BT_DBG("chan %p rx_control 0x%4.4x len %d", chan, rx_control, skb->len);
3432 3565
3433 if (L2CAP_CTRL_FINAL & rx_control && 3566 if (L2CAP_CTRL_FINAL & rx_control &&
3434 l2cap_pi(sk)->conn_state & L2CAP_CONN_WAIT_F) { 3567 chan->conn_state & L2CAP_CONN_WAIT_F) {
3435 del_timer(&l2cap_pi(sk)->monitor_timer); 3568 del_timer(&chan->monitor_timer);
3436 if (l2cap_pi(sk)->unacked_frames > 0) 3569 if (chan->unacked_frames > 0)
3437 __mod_retrans_timer(); 3570 __mod_retrans_timer();
3438 l2cap_pi(sk)->conn_state &= ~L2CAP_CONN_WAIT_F; 3571 chan->conn_state &= ~L2CAP_CONN_WAIT_F;
3439 } 3572 }
3440 3573
3441 switch (rx_control & L2CAP_CTRL_SUPERVISE) { 3574 switch (rx_control & L2CAP_CTRL_SUPERVISE) {
3442 case L2CAP_SUPER_RCV_READY: 3575 case L2CAP_SUPER_RCV_READY:
3443 l2cap_data_channel_rrframe(sk, rx_control); 3576 l2cap_data_channel_rrframe(chan, rx_control);
3444 break; 3577 break;
3445 3578
3446 case L2CAP_SUPER_REJECT: 3579 case L2CAP_SUPER_REJECT:
3447 l2cap_data_channel_rejframe(sk, rx_control); 3580 l2cap_data_channel_rejframe(chan, rx_control);
3448 break; 3581 break;
3449 3582
3450 case L2CAP_SUPER_SELECT_REJECT: 3583 case L2CAP_SUPER_SELECT_REJECT:
3451 l2cap_data_channel_srejframe(sk, rx_control); 3584 l2cap_data_channel_srejframe(chan, rx_control);
3452 break; 3585 break;
3453 3586
3454 case L2CAP_SUPER_RCV_NOT_READY: 3587 case L2CAP_SUPER_RCV_NOT_READY:
3455 l2cap_data_channel_rnrframe(sk, rx_control); 3588 l2cap_data_channel_rnrframe(chan, rx_control);
3456 break; 3589 break;
3457 } 3590 }
3458 3591
@@ -3462,7 +3595,7 @@ static inline int l2cap_data_channel_sframe(struct sock *sk, u16 rx_control, str
3462 3595
3463static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb) 3596static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb)
3464{ 3597{
3465 struct l2cap_pinfo *pi = l2cap_pi(sk); 3598 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
3466 u16 control; 3599 u16 control;
3467 u8 req_seq; 3600 u8 req_seq;
3468 int len, next_tx_seq_offset, req_seq_offset; 3601 int len, next_tx_seq_offset, req_seq_offset;
@@ -3476,51 +3609,51 @@ static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb)
3476 * Receiver will miss it and start proper recovery 3609 * Receiver will miss it and start proper recovery
3477 * procedures and ask retransmission. 3610 * procedures and ask retransmission.
3478 */ 3611 */
3479 if (l2cap_check_fcs(pi, skb)) 3612 if (l2cap_check_fcs(chan, skb))
3480 goto drop; 3613 goto drop;
3481 3614
3482 if (__is_sar_start(control) && __is_iframe(control)) 3615 if (__is_sar_start(control) && __is_iframe(control))
3483 len -= 2; 3616 len -= 2;
3484 3617
3485 if (pi->fcs == L2CAP_FCS_CRC16) 3618 if (chan->fcs == L2CAP_FCS_CRC16)
3486 len -= 2; 3619 len -= 2;
3487 3620
3488 if (len > pi->mps) { 3621 if (len > chan->mps) {
3489 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET); 3622 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3490 goto drop; 3623 goto drop;
3491 } 3624 }
3492 3625
3493 req_seq = __get_reqseq(control); 3626 req_seq = __get_reqseq(control);
3494 req_seq_offset = (req_seq - pi->expected_ack_seq) % 64; 3627 req_seq_offset = (req_seq - chan->expected_ack_seq) % 64;
3495 if (req_seq_offset < 0) 3628 if (req_seq_offset < 0)
3496 req_seq_offset += 64; 3629 req_seq_offset += 64;
3497 3630
3498 next_tx_seq_offset = 3631 next_tx_seq_offset =
3499 (pi->next_tx_seq - pi->expected_ack_seq) % 64; 3632 (chan->next_tx_seq - chan->expected_ack_seq) % 64;
3500 if (next_tx_seq_offset < 0) 3633 if (next_tx_seq_offset < 0)
3501 next_tx_seq_offset += 64; 3634 next_tx_seq_offset += 64;
3502 3635
3503 /* check for invalid req-seq */ 3636 /* check for invalid req-seq */
3504 if (req_seq_offset > next_tx_seq_offset) { 3637 if (req_seq_offset > next_tx_seq_offset) {
3505 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET); 3638 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3506 goto drop; 3639 goto drop;
3507 } 3640 }
3508 3641
3509 if (__is_iframe(control)) { 3642 if (__is_iframe(control)) {
3510 if (len < 0) { 3643 if (len < 0) {
3511 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET); 3644 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3512 goto drop; 3645 goto drop;
3513 } 3646 }
3514 3647
3515 l2cap_data_channel_iframe(sk, control, skb); 3648 l2cap_data_channel_iframe(chan, control, skb);
3516 } else { 3649 } else {
3517 if (len != 0) { 3650 if (len != 0) {
3518 BT_ERR("%d", len); 3651 BT_ERR("%d", len);
3519 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET); 3652 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3520 goto drop; 3653 goto drop;
3521 } 3654 }
3522 3655
3523 l2cap_data_channel_sframe(sk, control, skb); 3656 l2cap_data_channel_sframe(chan, control, skb);
3524 } 3657 }
3525 3658
3526 return 0; 3659 return 0;
@@ -3532,33 +3665,35 @@ drop:
3532 3665
3533static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb) 3666static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
3534{ 3667{
3535 struct sock *sk; 3668 struct l2cap_chan *chan;
3669 struct sock *sk = NULL;
3536 struct l2cap_pinfo *pi; 3670 struct l2cap_pinfo *pi;
3537 u16 control; 3671 u16 control;
3538 u8 tx_seq; 3672 u8 tx_seq;
3539 int len; 3673 int len;
3540 3674
3541 sk = l2cap_get_chan_by_scid(&conn->chan_list, cid); 3675 chan = l2cap_get_chan_by_scid(conn, cid);
3542 if (!sk) { 3676 if (!chan) {
3543 BT_DBG("unknown cid 0x%4.4x", cid); 3677 BT_DBG("unknown cid 0x%4.4x", cid);
3544 goto drop; 3678 goto drop;
3545 } 3679 }
3546 3680
3681 sk = chan->sk;
3547 pi = l2cap_pi(sk); 3682 pi = l2cap_pi(sk);
3548 3683
3549 BT_DBG("sk %p, len %d", sk, skb->len); 3684 BT_DBG("chan %p, len %d", chan, skb->len);
3550 3685
3551 if (sk->sk_state != BT_CONNECTED) 3686 if (sk->sk_state != BT_CONNECTED)
3552 goto drop; 3687 goto drop;
3553 3688
3554 switch (pi->mode) { 3689 switch (chan->mode) {
3555 case L2CAP_MODE_BASIC: 3690 case L2CAP_MODE_BASIC:
3556 /* If socket recv buffers overflows we drop data here 3691 /* If socket recv buffers overflows we drop data here
3557 * which is *bad* because L2CAP has to be reliable. 3692 * which is *bad* because L2CAP has to be reliable.
3558 * But we don't have any other choice. L2CAP doesn't 3693 * But we don't have any other choice. L2CAP doesn't
3559 * provide flow control mechanism. */ 3694 * provide flow control mechanism. */
3560 3695
3561 if (pi->imtu < skb->len) 3696 if (chan->imtu < skb->len)
3562 goto drop; 3697 goto drop;
3563 3698
3564 if (!sock_queue_rcv_skb(sk, skb)) 3699 if (!sock_queue_rcv_skb(sk, skb))
@@ -3580,31 +3715,31 @@ static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk
3580 skb_pull(skb, 2); 3715 skb_pull(skb, 2);
3581 len = skb->len; 3716 len = skb->len;
3582 3717
3583 if (l2cap_check_fcs(pi, skb)) 3718 if (l2cap_check_fcs(chan, skb))
3584 goto drop; 3719 goto drop;
3585 3720
3586 if (__is_sar_start(control)) 3721 if (__is_sar_start(control))
3587 len -= 2; 3722 len -= 2;
3588 3723
3589 if (pi->fcs == L2CAP_FCS_CRC16) 3724 if (chan->fcs == L2CAP_FCS_CRC16)
3590 len -= 2; 3725 len -= 2;
3591 3726
3592 if (len > pi->mps || len < 0 || __is_sframe(control)) 3727 if (len > chan->mps || len < 0 || __is_sframe(control))
3593 goto drop; 3728 goto drop;
3594 3729
3595 tx_seq = __get_txseq(control); 3730 tx_seq = __get_txseq(control);
3596 3731
3597 if (pi->expected_tx_seq == tx_seq) 3732 if (chan->expected_tx_seq == tx_seq)
3598 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64; 3733 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
3599 else 3734 else
3600 pi->expected_tx_seq = (tx_seq + 1) % 64; 3735 chan->expected_tx_seq = (tx_seq + 1) % 64;
3601 3736
3602 l2cap_streaming_reassembly_sdu(sk, skb, control); 3737 l2cap_streaming_reassembly_sdu(chan, skb, control);
3603 3738
3604 goto done; 3739 goto done;
3605 3740
3606 default: 3741 default:
3607 BT_DBG("sk %p: bad mode 0x%2.2x", sk, pi->mode); 3742 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
3608 break; 3743 break;
3609 } 3744 }
3610 3745
@@ -3620,12 +3755,48 @@ done:
3620 3755
3621static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb) 3756static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
3622{ 3757{
3623 struct sock *sk; 3758 struct sock *sk = NULL;
3759 struct l2cap_chan *chan;
3624 3760
3625 sk = l2cap_get_sock_by_psm(0, psm, conn->src); 3761 chan = l2cap_global_chan_by_psm(0, psm, conn->src);
3626 if (!sk) 3762 if (!chan)
3763 goto drop;
3764
3765 sk = chan->sk;
3766
3767 bh_lock_sock(sk);
3768
3769 BT_DBG("sk %p, len %d", sk, skb->len);
3770
3771 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_CONNECTED)
3772 goto drop;
3773
3774 if (l2cap_pi(sk)->chan->imtu < skb->len)
3775 goto drop;
3776
3777 if (!sock_queue_rcv_skb(sk, skb))
3778 goto done;
3779
3780drop:
3781 kfree_skb(skb);
3782
3783done:
3784 if (sk)
3785 bh_unlock_sock(sk);
3786 return 0;
3787}
3788
3789static inline int l2cap_att_channel(struct l2cap_conn *conn, __le16 cid, struct sk_buff *skb)
3790{
3791 struct sock *sk = NULL;
3792 struct l2cap_chan *chan;
3793
3794 chan = l2cap_global_chan_by_scid(0, cid, conn->src);
3795 if (!chan)
3627 goto drop; 3796 goto drop;
3628 3797
3798 sk = chan->sk;
3799
3629 bh_lock_sock(sk); 3800 bh_lock_sock(sk);
3630 3801
3631 BT_DBG("sk %p, len %d", sk, skb->len); 3802 BT_DBG("sk %p, len %d", sk, skb->len);
@@ -3633,7 +3804,7 @@ static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, str
3633 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_CONNECTED) 3804 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_CONNECTED)
3634 goto drop; 3805 goto drop;
3635 3806
3636 if (l2cap_pi(sk)->imtu < skb->len) 3807 if (l2cap_pi(sk)->chan->imtu < skb->len)
3637 goto drop; 3808 goto drop;
3638 3809
3639 if (!sock_queue_rcv_skb(sk, skb)) 3810 if (!sock_queue_rcv_skb(sk, skb))
@@ -3677,6 +3848,10 @@ static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
3677 l2cap_conless_channel(conn, psm, skb); 3848 l2cap_conless_channel(conn, psm, skb);
3678 break; 3849 break;
3679 3850
3851 case L2CAP_CID_LE_DATA:
3852 l2cap_att_channel(conn, cid, skb);
3853 break;
3854
3680 default: 3855 default:
3681 l2cap_data_channel(conn, cid, skb); 3856 l2cap_data_channel(conn, cid, skb);
3682 break; 3857 break;
@@ -3688,8 +3863,7 @@ static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
3688static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type) 3863static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
3689{ 3864{
3690 int exact = 0, lm1 = 0, lm2 = 0; 3865 int exact = 0, lm1 = 0, lm2 = 0;
3691 register struct sock *sk; 3866 struct l2cap_chan *c;
3692 struct hlist_node *node;
3693 3867
3694 if (type != ACL_LINK) 3868 if (type != ACL_LINK)
3695 return -EINVAL; 3869 return -EINVAL;
@@ -3697,23 +3871,25 @@ static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
3697 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr)); 3871 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
3698 3872
3699 /* Find listening sockets and check their link_mode */ 3873 /* Find listening sockets and check their link_mode */
3700 read_lock(&l2cap_sk_list.lock); 3874 read_lock(&chan_list_lock);
3701 sk_for_each(sk, node, &l2cap_sk_list.head) { 3875 list_for_each_entry(c, &chan_list, global_l) {
3876 struct sock *sk = c->sk;
3877
3702 if (sk->sk_state != BT_LISTEN) 3878 if (sk->sk_state != BT_LISTEN)
3703 continue; 3879 continue;
3704 3880
3705 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) { 3881 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
3706 lm1 |= HCI_LM_ACCEPT; 3882 lm1 |= HCI_LM_ACCEPT;
3707 if (l2cap_pi(sk)->role_switch) 3883 if (c->role_switch)
3708 lm1 |= HCI_LM_MASTER; 3884 lm1 |= HCI_LM_MASTER;
3709 exact++; 3885 exact++;
3710 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) { 3886 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
3711 lm2 |= HCI_LM_ACCEPT; 3887 lm2 |= HCI_LM_ACCEPT;
3712 if (l2cap_pi(sk)->role_switch) 3888 if (c->role_switch)
3713 lm2 |= HCI_LM_MASTER; 3889 lm2 |= HCI_LM_MASTER;
3714 } 3890 }
3715 } 3891 }
3716 read_unlock(&l2cap_sk_list.lock); 3892 read_unlock(&chan_list_lock);
3717 3893
3718 return exact ? lm1 : lm2; 3894 return exact ? lm1 : lm2;
3719} 3895}
@@ -3761,49 +3937,50 @@ static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
3761 return 0; 3937 return 0;
3762} 3938}
3763 3939
3764static inline void l2cap_check_encryption(struct sock *sk, u8 encrypt) 3940static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
3765{ 3941{
3942 struct sock *sk = chan->sk;
3943
3766 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM) 3944 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM)
3767 return; 3945 return;
3768 3946
3769 if (encrypt == 0x00) { 3947 if (encrypt == 0x00) {
3770 if (l2cap_pi(sk)->sec_level == BT_SECURITY_MEDIUM) { 3948 if (chan->sec_level == BT_SECURITY_MEDIUM) {
3771 l2cap_sock_clear_timer(sk); 3949 l2cap_sock_clear_timer(sk);
3772 l2cap_sock_set_timer(sk, HZ * 5); 3950 l2cap_sock_set_timer(sk, HZ * 5);
3773 } else if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH) 3951 } else if (chan->sec_level == BT_SECURITY_HIGH)
3774 __l2cap_sock_close(sk, ECONNREFUSED); 3952 __l2cap_sock_close(sk, ECONNREFUSED);
3775 } else { 3953 } else {
3776 if (l2cap_pi(sk)->sec_level == BT_SECURITY_MEDIUM) 3954 if (chan->sec_level == BT_SECURITY_MEDIUM)
3777 l2cap_sock_clear_timer(sk); 3955 l2cap_sock_clear_timer(sk);
3778 } 3956 }
3779} 3957}
3780 3958
3781static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt) 3959static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
3782{ 3960{
3783 struct l2cap_chan_list *l;
3784 struct l2cap_conn *conn = hcon->l2cap_data; 3961 struct l2cap_conn *conn = hcon->l2cap_data;
3785 struct sock *sk; 3962 struct l2cap_chan *chan;
3786 3963
3787 if (!conn) 3964 if (!conn)
3788 return 0; 3965 return 0;
3789 3966
3790 l = &conn->chan_list;
3791
3792 BT_DBG("conn %p", conn); 3967 BT_DBG("conn %p", conn);
3793 3968
3794 read_lock(&l->lock); 3969 read_lock(&conn->chan_lock);
3970
3971 list_for_each_entry(chan, &conn->chan_l, list) {
3972 struct sock *sk = chan->sk;
3795 3973
3796 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
3797 bh_lock_sock(sk); 3974 bh_lock_sock(sk);
3798 3975
3799 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_CONNECT_PEND) { 3976 if (chan->conf_state & L2CAP_CONF_CONNECT_PEND) {
3800 bh_unlock_sock(sk); 3977 bh_unlock_sock(sk);
3801 continue; 3978 continue;
3802 } 3979 }
3803 3980
3804 if (!status && (sk->sk_state == BT_CONNECTED || 3981 if (!status && (sk->sk_state == BT_CONNECTED ||
3805 sk->sk_state == BT_CONFIG)) { 3982 sk->sk_state == BT_CONFIG)) {
3806 l2cap_check_encryption(sk, encrypt); 3983 l2cap_check_encryption(chan, encrypt);
3807 bh_unlock_sock(sk); 3984 bh_unlock_sock(sk);
3808 continue; 3985 continue;
3809 } 3986 }
@@ -3811,13 +3988,13 @@ static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
3811 if (sk->sk_state == BT_CONNECT) { 3988 if (sk->sk_state == BT_CONNECT) {
3812 if (!status) { 3989 if (!status) {
3813 struct l2cap_conn_req req; 3990 struct l2cap_conn_req req;
3814 req.scid = cpu_to_le16(l2cap_pi(sk)->scid); 3991 req.scid = cpu_to_le16(chan->scid);
3815 req.psm = l2cap_pi(sk)->psm; 3992 req.psm = chan->psm;
3816 3993
3817 l2cap_pi(sk)->ident = l2cap_get_ident(conn); 3994 chan->ident = l2cap_get_ident(conn);
3818 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND; 3995 chan->conf_state |= L2CAP_CONF_CONNECT_PEND;
3819 3996
3820 l2cap_send_cmd(conn, l2cap_pi(sk)->ident, 3997 l2cap_send_cmd(conn, chan->ident,
3821 L2CAP_CONN_REQ, sizeof(req), &req); 3998 L2CAP_CONN_REQ, sizeof(req), &req);
3822 } else { 3999 } else {
3823 l2cap_sock_clear_timer(sk); 4000 l2cap_sock_clear_timer(sk);
@@ -3836,18 +4013,18 @@ static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
3836 result = L2CAP_CR_SEC_BLOCK; 4013 result = L2CAP_CR_SEC_BLOCK;
3837 } 4014 }
3838 4015
3839 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid); 4016 rsp.scid = cpu_to_le16(chan->dcid);
3840 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid); 4017 rsp.dcid = cpu_to_le16(chan->scid);
3841 rsp.result = cpu_to_le16(result); 4018 rsp.result = cpu_to_le16(result);
3842 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO); 4019 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
3843 l2cap_send_cmd(conn, l2cap_pi(sk)->ident, 4020 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
3844 L2CAP_CONN_RSP, sizeof(rsp), &rsp); 4021 sizeof(rsp), &rsp);
3845 } 4022 }
3846 4023
3847 bh_unlock_sock(sk); 4024 bh_unlock_sock(sk);
3848 } 4025 }
3849 4026
3850 read_unlock(&l->lock); 4027 read_unlock(&conn->chan_lock);
3851 4028
3852 return 0; 4029 return 0;
3853} 4030}
@@ -3866,7 +4043,7 @@ static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 fl
3866 4043
3867 if (!(flags & ACL_CONT)) { 4044 if (!(flags & ACL_CONT)) {
3868 struct l2cap_hdr *hdr; 4045 struct l2cap_hdr *hdr;
3869 struct sock *sk; 4046 struct l2cap_chan *chan;
3870 u16 cid; 4047 u16 cid;
3871 int len; 4048 int len;
3872 4049
@@ -3904,18 +4081,21 @@ static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 fl
3904 goto drop; 4081 goto drop;
3905 } 4082 }
3906 4083
3907 sk = l2cap_get_chan_by_scid(&conn->chan_list, cid); 4084 chan = l2cap_get_chan_by_scid(conn, cid);
3908 4085
3909 if (sk && l2cap_pi(sk)->imtu < len - L2CAP_HDR_SIZE) { 4086 if (chan && chan->sk) {
3910 BT_ERR("Frame exceeding recv MTU (len %d, MTU %d)", 4087 struct sock *sk = chan->sk;
3911 len, l2cap_pi(sk)->imtu);
3912 bh_unlock_sock(sk);
3913 l2cap_conn_unreliable(conn, ECOMM);
3914 goto drop;
3915 }
3916 4088
3917 if (sk) 4089 if (chan->imtu < len - L2CAP_HDR_SIZE) {
4090 BT_ERR("Frame exceeding recv MTU (len %d, "
4091 "MTU %d)", len,
4092 chan->imtu);
4093 bh_unlock_sock(sk);
4094 l2cap_conn_unreliable(conn, ECOMM);
4095 goto drop;
4096 }
3918 bh_unlock_sock(sk); 4097 bh_unlock_sock(sk);
4098 }
3919 4099
3920 /* Allocate skb for the complete frame (with header) */ 4100 /* Allocate skb for the complete frame (with header) */
3921 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC); 4101 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
@@ -3962,24 +4142,22 @@ drop:
3962 4142
3963static int l2cap_debugfs_show(struct seq_file *f, void *p) 4143static int l2cap_debugfs_show(struct seq_file *f, void *p)
3964{ 4144{
3965 struct sock *sk; 4145 struct l2cap_chan *c;
3966 struct hlist_node *node;
3967 4146
3968 read_lock_bh(&l2cap_sk_list.lock); 4147 read_lock_bh(&chan_list_lock);
3969 4148
3970 sk_for_each(sk, node, &l2cap_sk_list.head) { 4149 list_for_each_entry(c, &chan_list, global_l) {
3971 struct l2cap_pinfo *pi = l2cap_pi(sk); 4150 struct sock *sk = c->sk;
3972 4151
3973 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n", 4152 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
3974 batostr(&bt_sk(sk)->src), 4153 batostr(&bt_sk(sk)->src),
3975 batostr(&bt_sk(sk)->dst), 4154 batostr(&bt_sk(sk)->dst),
3976 sk->sk_state, __le16_to_cpu(pi->psm), 4155 sk->sk_state, __le16_to_cpu(c->psm),
3977 pi->scid, pi->dcid, 4156 c->scid, c->dcid, c->imtu, c->omtu,
3978 pi->imtu, pi->omtu, pi->sec_level, 4157 c->sec_level, c->mode);
3979 pi->mode);
3980 } 4158 }
3981 4159
3982 read_unlock_bh(&l2cap_sk_list.lock); 4160 read_unlock_bh(&chan_list_lock);
3983 4161
3984 return 0; 4162 return 0;
3985} 4163}
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index 299fe56a9668..18dc9888d8c2 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -30,6 +30,8 @@
30#include <net/bluetooth/hci_core.h> 30#include <net/bluetooth/hci_core.h>
31#include <net/bluetooth/l2cap.h> 31#include <net/bluetooth/l2cap.h>
32 32
33static const struct proto_ops l2cap_sock_ops;
34
33/* ---- L2CAP timers ---- */ 35/* ---- L2CAP timers ---- */
34static void l2cap_sock_timeout(unsigned long arg) 36static void l2cap_sock_timeout(unsigned long arg)
35{ 37{
@@ -51,7 +53,7 @@ static void l2cap_sock_timeout(unsigned long arg)
51 if (sk->sk_state == BT_CONNECTED || sk->sk_state == BT_CONFIG) 53 if (sk->sk_state == BT_CONNECTED || sk->sk_state == BT_CONFIG)
52 reason = ECONNREFUSED; 54 reason = ECONNREFUSED;
53 else if (sk->sk_state == BT_CONNECT && 55 else if (sk->sk_state == BT_CONNECT &&
54 l2cap_pi(sk)->sec_level != BT_SECURITY_SDP) 56 l2cap_pi(sk)->chan->sec_level != BT_SECURITY_SDP)
55 reason = ECONNREFUSED; 57 reason = ECONNREFUSED;
56 else 58 else
57 reason = ETIMEDOUT; 59 reason = ETIMEDOUT;
@@ -76,21 +78,10 @@ void l2cap_sock_clear_timer(struct sock *sk)
76 sk_stop_timer(sk, &sk->sk_timer); 78 sk_stop_timer(sk, &sk->sk_timer);
77} 79}
78 80
79static struct sock *__l2cap_get_sock_by_addr(__le16 psm, bdaddr_t *src)
80{
81 struct sock *sk;
82 struct hlist_node *node;
83 sk_for_each(sk, node, &l2cap_sk_list.head)
84 if (l2cap_pi(sk)->sport == psm && !bacmp(&bt_sk(sk)->src, src))
85 goto found;
86 sk = NULL;
87found:
88 return sk;
89}
90
91static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen) 81static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
92{ 82{
93 struct sock *sk = sock->sk; 83 struct sock *sk = sock->sk;
84 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
94 struct sockaddr_l2 la; 85 struct sockaddr_l2 la;
95 int len, err = 0; 86 int len, err = 0;
96 87
@@ -129,26 +120,20 @@ static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
129 } 120 }
130 } 121 }
131 122
132 write_lock_bh(&l2cap_sk_list.lock); 123 if (la.l2_cid)
124 err = l2cap_add_scid(chan, la.l2_cid);
125 else
126 err = l2cap_add_psm(chan, &la.l2_bdaddr, la.l2_psm);
133 127
134 if (la.l2_psm && __l2cap_get_sock_by_addr(la.l2_psm, &la.l2_bdaddr)) { 128 if (err < 0)
135 err = -EADDRINUSE; 129 goto done;
136 } else {
137 /* Save source address */
138 bacpy(&bt_sk(sk)->src, &la.l2_bdaddr);
139 l2cap_pi(sk)->psm = la.l2_psm;
140 l2cap_pi(sk)->sport = la.l2_psm;
141 sk->sk_state = BT_BOUND;
142
143 if (__le16_to_cpu(la.l2_psm) == 0x0001 ||
144 __le16_to_cpu(la.l2_psm) == 0x0003)
145 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
146 }
147 130
148 if (la.l2_cid) 131 if (__le16_to_cpu(la.l2_psm) == 0x0001 ||
149 l2cap_pi(sk)->scid = la.l2_cid; 132 __le16_to_cpu(la.l2_psm) == 0x0003)
133 chan->sec_level = BT_SECURITY_SDP;
150 134
151 write_unlock_bh(&l2cap_sk_list.lock); 135 bacpy(&bt_sk(sk)->src, &la.l2_bdaddr);
136 sk->sk_state = BT_BOUND;
152 137
153done: 138done:
154 release_sock(sk); 139 release_sock(sk);
@@ -158,6 +143,7 @@ done:
158static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags) 143static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags)
159{ 144{
160 struct sock *sk = sock->sk; 145 struct sock *sk = sock->sk;
146 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
161 struct sockaddr_l2 la; 147 struct sockaddr_l2 la;
162 int len, err = 0; 148 int len, err = 0;
163 149
@@ -182,7 +168,7 @@ static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, int al
182 goto done; 168 goto done;
183 } 169 }
184 170
185 switch (l2cap_pi(sk)->mode) { 171 switch (chan->mode) {
186 case L2CAP_MODE_BASIC: 172 case L2CAP_MODE_BASIC:
187 break; 173 break;
188 case L2CAP_MODE_ERTM: 174 case L2CAP_MODE_ERTM:
@@ -226,10 +212,10 @@ static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, int al
226 212
227 /* Set destination address and psm */ 213 /* Set destination address and psm */
228 bacpy(&bt_sk(sk)->dst, &la.l2_bdaddr); 214 bacpy(&bt_sk(sk)->dst, &la.l2_bdaddr);
229 l2cap_pi(sk)->psm = la.l2_psm; 215 chan->psm = la.l2_psm;
230 l2cap_pi(sk)->dcid = la.l2_cid; 216 chan->dcid = la.l2_cid;
231 217
232 err = l2cap_do_connect(sk); 218 err = l2cap_chan_connect(l2cap_pi(sk)->chan);
233 if (err) 219 if (err)
234 goto done; 220 goto done;
235 221
@@ -244,6 +230,7 @@ done:
244static int l2cap_sock_listen(struct socket *sock, int backlog) 230static int l2cap_sock_listen(struct socket *sock, int backlog)
245{ 231{
246 struct sock *sk = sock->sk; 232 struct sock *sk = sock->sk;
233 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
247 int err = 0; 234 int err = 0;
248 235
249 BT_DBG("sk %p backlog %d", sk, backlog); 236 BT_DBG("sk %p backlog %d", sk, backlog);
@@ -256,7 +243,7 @@ static int l2cap_sock_listen(struct socket *sock, int backlog)
256 goto done; 243 goto done;
257 } 244 }
258 245
259 switch (l2cap_pi(sk)->mode) { 246 switch (chan->mode) {
260 case L2CAP_MODE_BASIC: 247 case L2CAP_MODE_BASIC:
261 break; 248 break;
262 case L2CAP_MODE_ERTM: 249 case L2CAP_MODE_ERTM:
@@ -269,28 +256,6 @@ static int l2cap_sock_listen(struct socket *sock, int backlog)
269 goto done; 256 goto done;
270 } 257 }
271 258
272 if (!l2cap_pi(sk)->psm && !l2cap_pi(sk)->dcid) {
273 bdaddr_t *src = &bt_sk(sk)->src;
274 u16 psm;
275
276 err = -EINVAL;
277
278 write_lock_bh(&l2cap_sk_list.lock);
279
280 for (psm = 0x1001; psm < 0x1100; psm += 2)
281 if (!__l2cap_get_sock_by_addr(cpu_to_le16(psm), src)) {
282 l2cap_pi(sk)->psm = cpu_to_le16(psm);
283 l2cap_pi(sk)->sport = cpu_to_le16(psm);
284 err = 0;
285 break;
286 }
287
288 write_unlock_bh(&l2cap_sk_list.lock);
289
290 if (err < 0)
291 goto done;
292 }
293
294 sk->sk_max_ack_backlog = backlog; 259 sk->sk_max_ack_backlog = backlog;
295 sk->sk_ack_backlog = 0; 260 sk->sk_ack_backlog = 0;
296 sk->sk_state = BT_LISTEN; 261 sk->sk_state = BT_LISTEN;
@@ -360,6 +325,7 @@ static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr, int *l
360{ 325{
361 struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr; 326 struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
362 struct sock *sk = sock->sk; 327 struct sock *sk = sock->sk;
328 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
363 329
364 BT_DBG("sock %p, sk %p", sock, sk); 330 BT_DBG("sock %p, sk %p", sock, sk);
365 331
@@ -367,13 +333,13 @@ static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr, int *l
367 *len = sizeof(struct sockaddr_l2); 333 *len = sizeof(struct sockaddr_l2);
368 334
369 if (peer) { 335 if (peer) {
370 la->l2_psm = l2cap_pi(sk)->psm; 336 la->l2_psm = chan->psm;
371 bacpy(&la->l2_bdaddr, &bt_sk(sk)->dst); 337 bacpy(&la->l2_bdaddr, &bt_sk(sk)->dst);
372 la->l2_cid = cpu_to_le16(l2cap_pi(sk)->dcid); 338 la->l2_cid = cpu_to_le16(chan->dcid);
373 } else { 339 } else {
374 la->l2_psm = l2cap_pi(sk)->sport; 340 la->l2_psm = chan->sport;
375 bacpy(&la->l2_bdaddr, &bt_sk(sk)->src); 341 bacpy(&la->l2_bdaddr, &bt_sk(sk)->src);
376 la->l2_cid = cpu_to_le16(l2cap_pi(sk)->scid); 342 la->l2_cid = cpu_to_le16(chan->scid);
377 } 343 }
378 344
379 return 0; 345 return 0;
@@ -382,6 +348,7 @@ static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr, int *l
382static int l2cap_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen) 348static int l2cap_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen)
383{ 349{
384 struct sock *sk = sock->sk; 350 struct sock *sk = sock->sk;
351 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
385 struct l2cap_options opts; 352 struct l2cap_options opts;
386 struct l2cap_conninfo cinfo; 353 struct l2cap_conninfo cinfo;
387 int len, err = 0; 354 int len, err = 0;
@@ -397,13 +364,13 @@ static int l2cap_sock_getsockopt_old(struct socket *sock, int optname, char __us
397 switch (optname) { 364 switch (optname) {
398 case L2CAP_OPTIONS: 365 case L2CAP_OPTIONS:
399 memset(&opts, 0, sizeof(opts)); 366 memset(&opts, 0, sizeof(opts));
400 opts.imtu = l2cap_pi(sk)->imtu; 367 opts.imtu = chan->imtu;
401 opts.omtu = l2cap_pi(sk)->omtu; 368 opts.omtu = chan->omtu;
402 opts.flush_to = l2cap_pi(sk)->flush_to; 369 opts.flush_to = chan->flush_to;
403 opts.mode = l2cap_pi(sk)->mode; 370 opts.mode = chan->mode;
404 opts.fcs = l2cap_pi(sk)->fcs; 371 opts.fcs = chan->fcs;
405 opts.max_tx = l2cap_pi(sk)->max_tx; 372 opts.max_tx = chan->max_tx;
406 opts.txwin_size = (__u16)l2cap_pi(sk)->tx_win; 373 opts.txwin_size = (__u16)chan->tx_win;
407 374
408 len = min_t(unsigned int, len, sizeof(opts)); 375 len = min_t(unsigned int, len, sizeof(opts));
409 if (copy_to_user(optval, (char *) &opts, len)) 376 if (copy_to_user(optval, (char *) &opts, len))
@@ -412,7 +379,7 @@ static int l2cap_sock_getsockopt_old(struct socket *sock, int optname, char __us
412 break; 379 break;
413 380
414 case L2CAP_LM: 381 case L2CAP_LM:
415 switch (l2cap_pi(sk)->sec_level) { 382 switch (chan->sec_level) {
416 case BT_SECURITY_LOW: 383 case BT_SECURITY_LOW:
417 opt = L2CAP_LM_AUTH; 384 opt = L2CAP_LM_AUTH;
418 break; 385 break;
@@ -428,10 +395,10 @@ static int l2cap_sock_getsockopt_old(struct socket *sock, int optname, char __us
428 break; 395 break;
429 } 396 }
430 397
431 if (l2cap_pi(sk)->role_switch) 398 if (chan->role_switch)
432 opt |= L2CAP_LM_MASTER; 399 opt |= L2CAP_LM_MASTER;
433 400
434 if (l2cap_pi(sk)->force_reliable) 401 if (chan->force_reliable)
435 opt |= L2CAP_LM_RELIABLE; 402 opt |= L2CAP_LM_RELIABLE;
436 403
437 if (put_user(opt, (u32 __user *) optval)) 404 if (put_user(opt, (u32 __user *) optval))
@@ -446,8 +413,8 @@ static int l2cap_sock_getsockopt_old(struct socket *sock, int optname, char __us
446 break; 413 break;
447 } 414 }
448 415
449 cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle; 416 cinfo.hci_handle = chan->conn->hcon->handle;
450 memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3); 417 memcpy(cinfo.dev_class, chan->conn->hcon->dev_class, 3);
451 418
452 len = min_t(unsigned int, len, sizeof(cinfo)); 419 len = min_t(unsigned int, len, sizeof(cinfo));
453 if (copy_to_user(optval, (char *) &cinfo, len)) 420 if (copy_to_user(optval, (char *) &cinfo, len))
@@ -467,6 +434,7 @@ static int l2cap_sock_getsockopt_old(struct socket *sock, int optname, char __us
467static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen) 434static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen)
468{ 435{
469 struct sock *sk = sock->sk; 436 struct sock *sk = sock->sk;
437 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
470 struct bt_security sec; 438 struct bt_security sec;
471 int len, err = 0; 439 int len, err = 0;
472 440
@@ -491,7 +459,7 @@ static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, ch
491 break; 459 break;
492 } 460 }
493 461
494 sec.level = l2cap_pi(sk)->sec_level; 462 sec.level = chan->sec_level;
495 463
496 len = min_t(unsigned int, len, sizeof(sec)); 464 len = min_t(unsigned int, len, sizeof(sec));
497 if (copy_to_user(optval, (char *) &sec, len)) 465 if (copy_to_user(optval, (char *) &sec, len))
@@ -511,7 +479,7 @@ static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, ch
511 break; 479 break;
512 480
513 case BT_FLUSHABLE: 481 case BT_FLUSHABLE:
514 if (put_user(l2cap_pi(sk)->flushable, (u32 __user *) optval)) 482 if (put_user(chan->flushable, (u32 __user *) optval))
515 err = -EFAULT; 483 err = -EFAULT;
516 484
517 break; 485 break;
@@ -528,6 +496,7 @@ static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, ch
528static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __user *optval, unsigned int optlen) 496static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __user *optval, unsigned int optlen)
529{ 497{
530 struct sock *sk = sock->sk; 498 struct sock *sk = sock->sk;
499 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
531 struct l2cap_options opts; 500 struct l2cap_options opts;
532 int len, err = 0; 501 int len, err = 0;
533 u32 opt; 502 u32 opt;
@@ -543,13 +512,13 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __us
543 break; 512 break;
544 } 513 }
545 514
546 opts.imtu = l2cap_pi(sk)->imtu; 515 opts.imtu = chan->imtu;
547 opts.omtu = l2cap_pi(sk)->omtu; 516 opts.omtu = chan->omtu;
548 opts.flush_to = l2cap_pi(sk)->flush_to; 517 opts.flush_to = chan->flush_to;
549 opts.mode = l2cap_pi(sk)->mode; 518 opts.mode = chan->mode;
550 opts.fcs = l2cap_pi(sk)->fcs; 519 opts.fcs = chan->fcs;
551 opts.max_tx = l2cap_pi(sk)->max_tx; 520 opts.max_tx = chan->max_tx;
552 opts.txwin_size = (__u16)l2cap_pi(sk)->tx_win; 521 opts.txwin_size = (__u16)chan->tx_win;
553 522
554 len = min_t(unsigned int, sizeof(opts), optlen); 523 len = min_t(unsigned int, sizeof(opts), optlen);
555 if (copy_from_user((char *) &opts, optval, len)) { 524 if (copy_from_user((char *) &opts, optval, len)) {
@@ -562,10 +531,10 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __us
562 break; 531 break;
563 } 532 }
564 533
565 l2cap_pi(sk)->mode = opts.mode; 534 chan->mode = opts.mode;
566 switch (l2cap_pi(sk)->mode) { 535 switch (chan->mode) {
567 case L2CAP_MODE_BASIC: 536 case L2CAP_MODE_BASIC:
568 l2cap_pi(sk)->conf_state &= ~L2CAP_CONF_STATE2_DEVICE; 537 chan->conf_state &= ~L2CAP_CONF_STATE2_DEVICE;
569 break; 538 break;
570 case L2CAP_MODE_ERTM: 539 case L2CAP_MODE_ERTM:
571 case L2CAP_MODE_STREAMING: 540 case L2CAP_MODE_STREAMING:
@@ -577,11 +546,11 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __us
577 break; 546 break;
578 } 547 }
579 548
580 l2cap_pi(sk)->imtu = opts.imtu; 549 chan->imtu = opts.imtu;
581 l2cap_pi(sk)->omtu = opts.omtu; 550 chan->omtu = opts.omtu;
582 l2cap_pi(sk)->fcs = opts.fcs; 551 chan->fcs = opts.fcs;
583 l2cap_pi(sk)->max_tx = opts.max_tx; 552 chan->max_tx = opts.max_tx;
584 l2cap_pi(sk)->tx_win = (__u8)opts.txwin_size; 553 chan->tx_win = (__u8)opts.txwin_size;
585 break; 554 break;
586 555
587 case L2CAP_LM: 556 case L2CAP_LM:
@@ -591,14 +560,14 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __us
591 } 560 }
592 561
593 if (opt & L2CAP_LM_AUTH) 562 if (opt & L2CAP_LM_AUTH)
594 l2cap_pi(sk)->sec_level = BT_SECURITY_LOW; 563 chan->sec_level = BT_SECURITY_LOW;
595 if (opt & L2CAP_LM_ENCRYPT) 564 if (opt & L2CAP_LM_ENCRYPT)
596 l2cap_pi(sk)->sec_level = BT_SECURITY_MEDIUM; 565 chan->sec_level = BT_SECURITY_MEDIUM;
597 if (opt & L2CAP_LM_SECURE) 566 if (opt & L2CAP_LM_SECURE)
598 l2cap_pi(sk)->sec_level = BT_SECURITY_HIGH; 567 chan->sec_level = BT_SECURITY_HIGH;
599 568
600 l2cap_pi(sk)->role_switch = (opt & L2CAP_LM_MASTER); 569 chan->role_switch = (opt & L2CAP_LM_MASTER);
601 l2cap_pi(sk)->force_reliable = (opt & L2CAP_LM_RELIABLE); 570 chan->force_reliable = (opt & L2CAP_LM_RELIABLE);
602 break; 571 break;
603 572
604 default: 573 default:
@@ -613,6 +582,7 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __us
613static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, char __user *optval, unsigned int optlen) 582static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, char __user *optval, unsigned int optlen)
614{ 583{
615 struct sock *sk = sock->sk; 584 struct sock *sk = sock->sk;
585 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
616 struct bt_security sec; 586 struct bt_security sec;
617 int len, err = 0; 587 int len, err = 0;
618 u32 opt; 588 u32 opt;
@@ -649,7 +619,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, ch
649 break; 619 break;
650 } 620 }
651 621
652 l2cap_pi(sk)->sec_level = sec.level; 622 chan->sec_level = sec.level;
653 break; 623 break;
654 624
655 case BT_DEFER_SETUP: 625 case BT_DEFER_SETUP:
@@ -678,7 +648,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, ch
678 } 648 }
679 649
680 if (opt == BT_FLUSHABLE_OFF) { 650 if (opt == BT_FLUSHABLE_OFF) {
681 struct l2cap_conn *conn = l2cap_pi(sk)->conn; 651 struct l2cap_conn *conn = chan->conn;
682 /* proceed further only when we have l2cap_conn and 652 /* proceed further only when we have l2cap_conn and
683 No Flush support in the LM */ 653 No Flush support in the LM */
684 if (!conn || !lmp_no_flush_capable(conn->hcon->hdev)) { 654 if (!conn || !lmp_no_flush_capable(conn->hcon->hdev)) {
@@ -687,7 +657,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, ch
687 } 657 }
688 } 658 }
689 659
690 l2cap_pi(sk)->flushable = opt; 660 chan->flushable = opt;
691 break; 661 break;
692 662
693 default: 663 default:
@@ -702,7 +672,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, ch
702static int l2cap_sock_sendmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len) 672static int l2cap_sock_sendmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len)
703{ 673{
704 struct sock *sk = sock->sk; 674 struct sock *sk = sock->sk;
705 struct l2cap_pinfo *pi = l2cap_pi(sk); 675 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
706 struct sk_buff *skb; 676 struct sk_buff *skb;
707 u16 control; 677 u16 control;
708 int err; 678 int err;
@@ -725,74 +695,77 @@ static int l2cap_sock_sendmsg(struct kiocb *iocb, struct socket *sock, struct ms
725 695
726 /* Connectionless channel */ 696 /* Connectionless channel */
727 if (sk->sk_type == SOCK_DGRAM) { 697 if (sk->sk_type == SOCK_DGRAM) {
728 skb = l2cap_create_connless_pdu(sk, msg, len); 698 skb = l2cap_create_connless_pdu(chan, msg, len);
729 if (IS_ERR(skb)) { 699 if (IS_ERR(skb)) {
730 err = PTR_ERR(skb); 700 err = PTR_ERR(skb);
731 } else { 701 } else {
732 l2cap_do_send(sk, skb); 702 l2cap_do_send(chan, skb);
733 err = len; 703 err = len;
734 } 704 }
735 goto done; 705 goto done;
736 } 706 }
737 707
738 switch (pi->mode) { 708 switch (chan->mode) {
739 case L2CAP_MODE_BASIC: 709 case L2CAP_MODE_BASIC:
740 /* Check outgoing MTU */ 710 /* Check outgoing MTU */
741 if (len > pi->omtu) { 711 if (len > chan->omtu) {
742 err = -EMSGSIZE; 712 err = -EMSGSIZE;
743 goto done; 713 goto done;
744 } 714 }
745 715
746 /* Create a basic PDU */ 716 /* Create a basic PDU */
747 skb = l2cap_create_basic_pdu(sk, msg, len); 717 skb = l2cap_create_basic_pdu(chan, msg, len);
748 if (IS_ERR(skb)) { 718 if (IS_ERR(skb)) {
749 err = PTR_ERR(skb); 719 err = PTR_ERR(skb);
750 goto done; 720 goto done;
751 } 721 }
752 722
753 l2cap_do_send(sk, skb); 723 l2cap_do_send(chan, skb);
754 err = len; 724 err = len;
755 break; 725 break;
756 726
757 case L2CAP_MODE_ERTM: 727 case L2CAP_MODE_ERTM:
758 case L2CAP_MODE_STREAMING: 728 case L2CAP_MODE_STREAMING:
759 /* Entire SDU fits into one PDU */ 729 /* Entire SDU fits into one PDU */
760 if (len <= pi->remote_mps) { 730 if (len <= chan->remote_mps) {
761 control = L2CAP_SDU_UNSEGMENTED; 731 control = L2CAP_SDU_UNSEGMENTED;
762 skb = l2cap_create_iframe_pdu(sk, msg, len, control, 0); 732 skb = l2cap_create_iframe_pdu(chan, msg, len, control,
733 0);
763 if (IS_ERR(skb)) { 734 if (IS_ERR(skb)) {
764 err = PTR_ERR(skb); 735 err = PTR_ERR(skb);
765 goto done; 736 goto done;
766 } 737 }
767 __skb_queue_tail(TX_QUEUE(sk), skb); 738 __skb_queue_tail(&chan->tx_q, skb);
768 739
769 if (sk->sk_send_head == NULL) 740 if (chan->tx_send_head == NULL)
770 sk->sk_send_head = skb; 741 chan->tx_send_head = skb;
771 742
772 } else { 743 } else {
773 /* Segment SDU into multiples PDUs */ 744 /* Segment SDU into multiples PDUs */
774 err = l2cap_sar_segment_sdu(sk, msg, len); 745 err = l2cap_sar_segment_sdu(chan, msg, len);
775 if (err < 0) 746 if (err < 0)
776 goto done; 747 goto done;
777 } 748 }
778 749
779 if (pi->mode == L2CAP_MODE_STREAMING) { 750 if (chan->mode == L2CAP_MODE_STREAMING) {
780 l2cap_streaming_send(sk); 751 l2cap_streaming_send(chan);
781 } else { 752 err = len;
782 if ((pi->conn_state & L2CAP_CONN_REMOTE_BUSY) && 753 break;
783 (pi->conn_state & L2CAP_CONN_WAIT_F)) { 754 }
784 err = len; 755
785 break; 756 if ((chan->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
786 } 757 (chan->conn_state & L2CAP_CONN_WAIT_F)) {
787 err = l2cap_ertm_send(sk); 758 err = len;
759 break;
788 } 760 }
761 err = l2cap_ertm_send(chan);
789 762
790 if (err >= 0) 763 if (err >= 0)
791 err = len; 764 err = len;
792 break; 765 break;
793 766
794 default: 767 default:
795 BT_DBG("bad state %1.1x", pi->mode); 768 BT_DBG("bad state %1.1x", chan->mode);
796 err = -EBADFD; 769 err = -EBADFD;
797 } 770 }
798 771
@@ -808,29 +781,9 @@ static int l2cap_sock_recvmsg(struct kiocb *iocb, struct socket *sock, struct ms
808 lock_sock(sk); 781 lock_sock(sk);
809 782
810 if (sk->sk_state == BT_CONNECT2 && bt_sk(sk)->defer_setup) { 783 if (sk->sk_state == BT_CONNECT2 && bt_sk(sk)->defer_setup) {
811 struct l2cap_conn_rsp rsp;
812 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
813 u8 buf[128];
814
815 sk->sk_state = BT_CONFIG; 784 sk->sk_state = BT_CONFIG;
816 785
817 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid); 786 __l2cap_connect_rsp_defer(l2cap_pi(sk)->chan);
818 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
819 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
820 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
821 l2cap_send_cmd(l2cap_pi(sk)->conn, l2cap_pi(sk)->ident,
822 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
823
824 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT) {
825 release_sock(sk);
826 return 0;
827 }
828
829 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
830 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
831 l2cap_build_conf_req(sk, buf), buf);
832 l2cap_pi(sk)->num_conf_req++;
833
834 release_sock(sk); 787 release_sock(sk);
835 return 0; 788 return 0;
836 } 789 }
@@ -854,7 +807,8 @@ void l2cap_sock_kill(struct sock *sk)
854 BT_DBG("sk %p state %d", sk, sk->sk_state); 807 BT_DBG("sk %p state %d", sk, sk->sk_state);
855 808
856 /* Kill poor orphan */ 809 /* Kill poor orphan */
857 bt_sock_unlink(&l2cap_sk_list, sk); 810
811 l2cap_chan_destroy(l2cap_pi(sk)->chan);
858 sock_set_flag(sk, SOCK_DEAD); 812 sock_set_flag(sk, SOCK_DEAD);
859 sock_put(sk); 813 sock_put(sk);
860} 814}
@@ -885,7 +839,8 @@ static void l2cap_sock_cleanup_listen(struct sock *parent)
885 839
886void __l2cap_sock_close(struct sock *sk, int reason) 840void __l2cap_sock_close(struct sock *sk, int reason)
887{ 841{
888 struct l2cap_conn *conn = l2cap_pi(sk)->conn; 842 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
843 struct l2cap_conn *conn = chan->conn;
889 844
890 BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket); 845 BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
891 846
@@ -900,9 +855,9 @@ void __l2cap_sock_close(struct sock *sk, int reason)
900 sk->sk_type == SOCK_STREAM) && 855 sk->sk_type == SOCK_STREAM) &&
901 conn->hcon->type == ACL_LINK) { 856 conn->hcon->type == ACL_LINK) {
902 l2cap_sock_set_timer(sk, sk->sk_sndtimeo); 857 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
903 l2cap_send_disconn_req(conn, sk, reason); 858 l2cap_send_disconn_req(conn, chan, reason);
904 } else 859 } else
905 l2cap_chan_del(sk, reason); 860 l2cap_chan_del(chan, reason);
906 break; 861 break;
907 862
908 case BT_CONNECT2: 863 case BT_CONNECT2:
@@ -917,20 +872,20 @@ void __l2cap_sock_close(struct sock *sk, int reason)
917 else 872 else
918 result = L2CAP_CR_BAD_PSM; 873 result = L2CAP_CR_BAD_PSM;
919 874
920 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid); 875 rsp.scid = cpu_to_le16(chan->dcid);
921 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid); 876 rsp.dcid = cpu_to_le16(chan->scid);
922 rsp.result = cpu_to_le16(result); 877 rsp.result = cpu_to_le16(result);
923 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO); 878 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
924 l2cap_send_cmd(conn, l2cap_pi(sk)->ident, 879 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
925 L2CAP_CONN_RSP, sizeof(rsp), &rsp); 880 sizeof(rsp), &rsp);
926 } 881 }
927 882
928 l2cap_chan_del(sk, reason); 883 l2cap_chan_del(chan, reason);
929 break; 884 break;
930 885
931 case BT_CONNECT: 886 case BT_CONNECT:
932 case BT_DISCONN: 887 case BT_DISCONN:
933 l2cap_chan_del(sk, reason); 888 l2cap_chan_del(chan, reason);
934 break; 889 break;
935 890
936 default: 891 default:
@@ -942,6 +897,7 @@ void __l2cap_sock_close(struct sock *sk, int reason)
942static int l2cap_sock_shutdown(struct socket *sock, int how) 897static int l2cap_sock_shutdown(struct socket *sock, int how)
943{ 898{
944 struct sock *sk = sock->sk; 899 struct sock *sk = sock->sk;
900 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
945 int err = 0; 901 int err = 0;
946 902
947 BT_DBG("sock %p, sk %p", sock, sk); 903 BT_DBG("sock %p, sk %p", sock, sk);
@@ -951,7 +907,7 @@ static int l2cap_sock_shutdown(struct socket *sock, int how)
951 907
952 lock_sock(sk); 908 lock_sock(sk);
953 if (!sk->sk_shutdown) { 909 if (!sk->sk_shutdown) {
954 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM) 910 if (chan->mode == L2CAP_MODE_ERTM)
955 err = __l2cap_wait_ack(sk); 911 err = __l2cap_wait_ack(sk);
956 912
957 sk->sk_shutdown = SHUTDOWN_MASK; 913 sk->sk_shutdown = SHUTDOWN_MASK;
@@ -998,49 +954,47 @@ static void l2cap_sock_destruct(struct sock *sk)
998void l2cap_sock_init(struct sock *sk, struct sock *parent) 954void l2cap_sock_init(struct sock *sk, struct sock *parent)
999{ 955{
1000 struct l2cap_pinfo *pi = l2cap_pi(sk); 956 struct l2cap_pinfo *pi = l2cap_pi(sk);
957 struct l2cap_chan *chan = pi->chan;
1001 958
1002 BT_DBG("sk %p", sk); 959 BT_DBG("sk %p", sk);
1003 960
1004 if (parent) { 961 if (parent) {
962 struct l2cap_chan *pchan = l2cap_pi(parent)->chan;
963
1005 sk->sk_type = parent->sk_type; 964 sk->sk_type = parent->sk_type;
1006 bt_sk(sk)->defer_setup = bt_sk(parent)->defer_setup; 965 bt_sk(sk)->defer_setup = bt_sk(parent)->defer_setup;
1007 966
1008 pi->imtu = l2cap_pi(parent)->imtu; 967 chan->imtu = pchan->imtu;
1009 pi->omtu = l2cap_pi(parent)->omtu; 968 chan->omtu = pchan->omtu;
1010 pi->conf_state = l2cap_pi(parent)->conf_state; 969 chan->conf_state = pchan->conf_state;
1011 pi->mode = l2cap_pi(parent)->mode; 970 chan->mode = pchan->mode;
1012 pi->fcs = l2cap_pi(parent)->fcs; 971 chan->fcs = pchan->fcs;
1013 pi->max_tx = l2cap_pi(parent)->max_tx; 972 chan->max_tx = pchan->max_tx;
1014 pi->tx_win = l2cap_pi(parent)->tx_win; 973 chan->tx_win = pchan->tx_win;
1015 pi->sec_level = l2cap_pi(parent)->sec_level; 974 chan->sec_level = pchan->sec_level;
1016 pi->role_switch = l2cap_pi(parent)->role_switch; 975 chan->role_switch = pchan->role_switch;
1017 pi->force_reliable = l2cap_pi(parent)->force_reliable; 976 chan->force_reliable = pchan->force_reliable;
1018 pi->flushable = l2cap_pi(parent)->flushable; 977 chan->flushable = pchan->flushable;
1019 } else { 978 } else {
1020 pi->imtu = L2CAP_DEFAULT_MTU; 979 chan->imtu = L2CAP_DEFAULT_MTU;
1021 pi->omtu = 0; 980 chan->omtu = 0;
1022 if (!disable_ertm && sk->sk_type == SOCK_STREAM) { 981 if (!disable_ertm && sk->sk_type == SOCK_STREAM) {
1023 pi->mode = L2CAP_MODE_ERTM; 982 chan->mode = L2CAP_MODE_ERTM;
1024 pi->conf_state |= L2CAP_CONF_STATE2_DEVICE; 983 chan->conf_state |= L2CAP_CONF_STATE2_DEVICE;
1025 } else { 984 } else {
1026 pi->mode = L2CAP_MODE_BASIC; 985 chan->mode = L2CAP_MODE_BASIC;
1027 } 986 }
1028 pi->max_tx = L2CAP_DEFAULT_MAX_TX; 987 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
1029 pi->fcs = L2CAP_FCS_CRC16; 988 chan->fcs = L2CAP_FCS_CRC16;
1030 pi->tx_win = L2CAP_DEFAULT_TX_WINDOW; 989 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
1031 pi->sec_level = BT_SECURITY_LOW; 990 chan->sec_level = BT_SECURITY_LOW;
1032 pi->role_switch = 0; 991 chan->role_switch = 0;
1033 pi->force_reliable = 0; 992 chan->force_reliable = 0;
1034 pi->flushable = BT_FLUSHABLE_OFF; 993 chan->flushable = BT_FLUSHABLE_OFF;
1035 } 994 }
1036 995
1037 /* Default config options */ 996 /* Default config options */
1038 pi->conf_len = 0; 997 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
1039 pi->flush_to = L2CAP_DEFAULT_FLUSH_TO;
1040 skb_queue_head_init(TX_QUEUE(sk));
1041 skb_queue_head_init(SREJ_QUEUE(sk));
1042 skb_queue_head_init(BUSY_QUEUE(sk));
1043 INIT_LIST_HEAD(SREJ_LIST(sk));
1044} 998}
1045 999
1046static struct proto l2cap_proto = { 1000static struct proto l2cap_proto = {
@@ -1070,7 +1024,6 @@ struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int proto, g
1070 1024
1071 setup_timer(&sk->sk_timer, l2cap_sock_timeout, (unsigned long) sk); 1025 setup_timer(&sk->sk_timer, l2cap_sock_timeout, (unsigned long) sk);
1072 1026
1073 bt_sock_link(&l2cap_sk_list, sk);
1074 return sk; 1027 return sk;
1075} 1028}
1076 1029
@@ -1078,6 +1031,7 @@ static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
1078 int kern) 1031 int kern)
1079{ 1032{
1080 struct sock *sk; 1033 struct sock *sk;
1034 struct l2cap_chan *chan;
1081 1035
1082 BT_DBG("sock %p", sock); 1036 BT_DBG("sock %p", sock);
1083 1037
@@ -1096,11 +1050,19 @@ static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
1096 if (!sk) 1050 if (!sk)
1097 return -ENOMEM; 1051 return -ENOMEM;
1098 1052
1053 chan = l2cap_chan_create(sk);
1054 if (!chan) {
1055 l2cap_sock_kill(sk);
1056 return -ENOMEM;
1057 }
1058
1059 l2cap_pi(sk)->chan = chan;
1060
1099 l2cap_sock_init(sk, NULL); 1061 l2cap_sock_init(sk, NULL);
1100 return 0; 1062 return 0;
1101} 1063}
1102 1064
1103const struct proto_ops l2cap_sock_ops = { 1065static const struct proto_ops l2cap_sock_ops = {
1104 .family = PF_BLUETOOTH, 1066 .family = PF_BLUETOOTH,
1105 .owner = THIS_MODULE, 1067 .owner = THIS_MODULE,
1106 .release = l2cap_sock_release, 1068 .release = l2cap_sock_release,
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index 4476d8e3c0f2..dae382ce7020 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -36,7 +36,7 @@ struct pending_cmd {
36 struct list_head list; 36 struct list_head list;
37 __u16 opcode; 37 __u16 opcode;
38 int index; 38 int index;
39 void *cmd; 39 void *param;
40 struct sock *sk; 40 struct sock *sk;
41 void *user_data; 41 void *user_data;
42}; 42};
@@ -179,10 +179,12 @@ static int read_controller_info(struct sock *sk, u16 index)
179 179
180 hci_del_off_timer(hdev); 180 hci_del_off_timer(hdev);
181 181
182 hci_dev_lock_bh(hdev); 182 hci_dev_lock(hdev);
183 183
184 set_bit(HCI_MGMT, &hdev->flags); 184 set_bit(HCI_MGMT, &hdev->flags);
185 185
186 memset(&rp, 0, sizeof(rp));
187
186 rp.type = hdev->dev_type; 188 rp.type = hdev->dev_type;
187 189
188 rp.powered = test_bit(HCI_UP, &hdev->flags); 190 rp.powered = test_bit(HCI_UP, &hdev->flags);
@@ -204,7 +206,9 @@ static int read_controller_info(struct sock *sk, u16 index)
204 rp.hci_ver = hdev->hci_ver; 206 rp.hci_ver = hdev->hci_ver;
205 put_unaligned_le16(hdev->hci_rev, &rp.hci_rev); 207 put_unaligned_le16(hdev->hci_rev, &rp.hci_rev);
206 208
207 hci_dev_unlock_bh(hdev); 209 memcpy(rp.name, hdev->dev_name, sizeof(hdev->dev_name));
210
211 hci_dev_unlock(hdev);
208 hci_dev_put(hdev); 212 hci_dev_put(hdev);
209 213
210 return cmd_complete(sk, index, MGMT_OP_READ_INFO, &rp, sizeof(rp)); 214 return cmd_complete(sk, index, MGMT_OP_READ_INFO, &rp, sizeof(rp));
@@ -213,7 +217,7 @@ static int read_controller_info(struct sock *sk, u16 index)
213static void mgmt_pending_free(struct pending_cmd *cmd) 217static void mgmt_pending_free(struct pending_cmd *cmd)
214{ 218{
215 sock_put(cmd->sk); 219 sock_put(cmd->sk);
216 kfree(cmd->cmd); 220 kfree(cmd->param);
217 kfree(cmd); 221 kfree(cmd);
218} 222}
219 223
@@ -229,13 +233,14 @@ static struct pending_cmd *mgmt_pending_add(struct sock *sk, u16 opcode,
229 cmd->opcode = opcode; 233 cmd->opcode = opcode;
230 cmd->index = index; 234 cmd->index = index;
231 235
232 cmd->cmd = kmalloc(len, GFP_ATOMIC); 236 cmd->param = kmalloc(len, GFP_ATOMIC);
233 if (!cmd->cmd) { 237 if (!cmd->param) {
234 kfree(cmd); 238 kfree(cmd);
235 return NULL; 239 return NULL;
236 } 240 }
237 241
238 memcpy(cmd->cmd, data, len); 242 if (data)
243 memcpy(cmd->param, data, len);
239 244
240 cmd->sk = sk; 245 cmd->sk = sk;
241 sock_hold(sk); 246 sock_hold(sk);
@@ -311,7 +316,7 @@ static int set_powered(struct sock *sk, u16 index, unsigned char *data, u16 len)
311 if (!hdev) 316 if (!hdev)
312 return cmd_status(sk, index, MGMT_OP_SET_POWERED, ENODEV); 317 return cmd_status(sk, index, MGMT_OP_SET_POWERED, ENODEV);
313 318
314 hci_dev_lock_bh(hdev); 319 hci_dev_lock(hdev);
315 320
316 up = test_bit(HCI_UP, &hdev->flags); 321 up = test_bit(HCI_UP, &hdev->flags);
317 if ((cp->val && up) || (!cp->val && !up)) { 322 if ((cp->val && up) || (!cp->val && !up)) {
@@ -338,7 +343,7 @@ static int set_powered(struct sock *sk, u16 index, unsigned char *data, u16 len)
338 err = 0; 343 err = 0;
339 344
340failed: 345failed:
341 hci_dev_unlock_bh(hdev); 346 hci_dev_unlock(hdev);
342 hci_dev_put(hdev); 347 hci_dev_put(hdev);
343 return err; 348 return err;
344} 349}
@@ -363,7 +368,7 @@ static int set_discoverable(struct sock *sk, u16 index, unsigned char *data,
363 if (!hdev) 368 if (!hdev)
364 return cmd_status(sk, index, MGMT_OP_SET_DISCOVERABLE, ENODEV); 369 return cmd_status(sk, index, MGMT_OP_SET_DISCOVERABLE, ENODEV);
365 370
366 hci_dev_lock_bh(hdev); 371 hci_dev_lock(hdev);
367 372
368 if (!test_bit(HCI_UP, &hdev->flags)) { 373 if (!test_bit(HCI_UP, &hdev->flags)) {
369 err = cmd_status(sk, index, MGMT_OP_SET_DISCOVERABLE, ENETDOWN); 374 err = cmd_status(sk, index, MGMT_OP_SET_DISCOVERABLE, ENETDOWN);
@@ -398,7 +403,7 @@ static int set_discoverable(struct sock *sk, u16 index, unsigned char *data,
398 mgmt_pending_remove(cmd); 403 mgmt_pending_remove(cmd);
399 404
400failed: 405failed:
401 hci_dev_unlock_bh(hdev); 406 hci_dev_unlock(hdev);
402 hci_dev_put(hdev); 407 hci_dev_put(hdev);
403 408
404 return err; 409 return err;
@@ -424,7 +429,7 @@ static int set_connectable(struct sock *sk, u16 index, unsigned char *data,
424 if (!hdev) 429 if (!hdev)
425 return cmd_status(sk, index, MGMT_OP_SET_CONNECTABLE, ENODEV); 430 return cmd_status(sk, index, MGMT_OP_SET_CONNECTABLE, ENODEV);
426 431
427 hci_dev_lock_bh(hdev); 432 hci_dev_lock(hdev);
428 433
429 if (!test_bit(HCI_UP, &hdev->flags)) { 434 if (!test_bit(HCI_UP, &hdev->flags)) {
430 err = cmd_status(sk, index, MGMT_OP_SET_CONNECTABLE, ENETDOWN); 435 err = cmd_status(sk, index, MGMT_OP_SET_CONNECTABLE, ENETDOWN);
@@ -458,7 +463,7 @@ static int set_connectable(struct sock *sk, u16 index, unsigned char *data,
458 mgmt_pending_remove(cmd); 463 mgmt_pending_remove(cmd);
459 464
460failed: 465failed:
461 hci_dev_unlock_bh(hdev); 466 hci_dev_unlock(hdev);
462 hci_dev_put(hdev); 467 hci_dev_put(hdev);
463 468
464 return err; 469 return err;
@@ -517,7 +522,7 @@ static int set_pairable(struct sock *sk, u16 index, unsigned char *data,
517 if (!hdev) 522 if (!hdev)
518 return cmd_status(sk, index, MGMT_OP_SET_PAIRABLE, ENODEV); 523 return cmd_status(sk, index, MGMT_OP_SET_PAIRABLE, ENODEV);
519 524
520 hci_dev_lock_bh(hdev); 525 hci_dev_lock(hdev);
521 526
522 if (cp->val) 527 if (cp->val)
523 set_bit(HCI_PAIRABLE, &hdev->flags); 528 set_bit(HCI_PAIRABLE, &hdev->flags);
@@ -533,12 +538,156 @@ static int set_pairable(struct sock *sk, u16 index, unsigned char *data,
533 err = mgmt_event(MGMT_EV_PAIRABLE, index, &ev, sizeof(ev), sk); 538 err = mgmt_event(MGMT_EV_PAIRABLE, index, &ev, sizeof(ev), sk);
534 539
535failed: 540failed:
536 hci_dev_unlock_bh(hdev); 541 hci_dev_unlock(hdev);
537 hci_dev_put(hdev); 542 hci_dev_put(hdev);
538 543
539 return err; 544 return err;
540} 545}
541 546
547#define EIR_FLAGS 0x01 /* flags */
548#define EIR_UUID16_SOME 0x02 /* 16-bit UUID, more available */
549#define EIR_UUID16_ALL 0x03 /* 16-bit UUID, all listed */
550#define EIR_UUID32_SOME 0x04 /* 32-bit UUID, more available */
551#define EIR_UUID32_ALL 0x05 /* 32-bit UUID, all listed */
552#define EIR_UUID128_SOME 0x06 /* 128-bit UUID, more available */
553#define EIR_UUID128_ALL 0x07 /* 128-bit UUID, all listed */
554#define EIR_NAME_SHORT 0x08 /* shortened local name */
555#define EIR_NAME_COMPLETE 0x09 /* complete local name */
556#define EIR_TX_POWER 0x0A /* transmit power level */
557#define EIR_DEVICE_ID 0x10 /* device ID */
558
559#define PNP_INFO_SVCLASS_ID 0x1200
560
561static u8 bluetooth_base_uuid[] = {
562 0xFB, 0x34, 0x9B, 0x5F, 0x80, 0x00, 0x00, 0x80,
563 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
564};
565
566static u16 get_uuid16(u8 *uuid128)
567{
568 u32 val;
569 int i;
570
571 for (i = 0; i < 12; i++) {
572 if (bluetooth_base_uuid[i] != uuid128[i])
573 return 0;
574 }
575
576 memcpy(&val, &uuid128[12], 4);
577
578 val = le32_to_cpu(val);
579 if (val > 0xffff)
580 return 0;
581
582 return (u16) val;
583}
584
585static void create_eir(struct hci_dev *hdev, u8 *data)
586{
587 u8 *ptr = data;
588 u16 eir_len = 0;
589 u16 uuid16_list[HCI_MAX_EIR_LENGTH / sizeof(u16)];
590 int i, truncated = 0;
591 struct list_head *p;
592 size_t name_len;
593
594 name_len = strlen(hdev->dev_name);
595
596 if (name_len > 0) {
597 /* EIR Data type */
598 if (name_len > 48) {
599 name_len = 48;
600 ptr[1] = EIR_NAME_SHORT;
601 } else
602 ptr[1] = EIR_NAME_COMPLETE;
603
604 /* EIR Data length */
605 ptr[0] = name_len + 1;
606
607 memcpy(ptr + 2, hdev->dev_name, name_len);
608
609 eir_len += (name_len + 2);
610 ptr += (name_len + 2);
611 }
612
613 memset(uuid16_list, 0, sizeof(uuid16_list));
614
615 /* Group all UUID16 types */
616 list_for_each(p, &hdev->uuids) {
617 struct bt_uuid *uuid = list_entry(p, struct bt_uuid, list);
618 u16 uuid16;
619
620 uuid16 = get_uuid16(uuid->uuid);
621 if (uuid16 == 0)
622 return;
623
624 if (uuid16 < 0x1100)
625 continue;
626
627 if (uuid16 == PNP_INFO_SVCLASS_ID)
628 continue;
629
630 /* Stop if not enough space to put next UUID */
631 if (eir_len + 2 + sizeof(u16) > HCI_MAX_EIR_LENGTH) {
632 truncated = 1;
633 break;
634 }
635
636 /* Check for duplicates */
637 for (i = 0; uuid16_list[i] != 0; i++)
638 if (uuid16_list[i] == uuid16)
639 break;
640
641 if (uuid16_list[i] == 0) {
642 uuid16_list[i] = uuid16;
643 eir_len += sizeof(u16);
644 }
645 }
646
647 if (uuid16_list[0] != 0) {
648 u8 *length = ptr;
649
650 /* EIR Data type */
651 ptr[1] = truncated ? EIR_UUID16_SOME : EIR_UUID16_ALL;
652
653 ptr += 2;
654 eir_len += 2;
655
656 for (i = 0; uuid16_list[i] != 0; i++) {
657 *ptr++ = (uuid16_list[i] & 0x00ff);
658 *ptr++ = (uuid16_list[i] & 0xff00) >> 8;
659 }
660
661 /* EIR Data length */
662 *length = (i * sizeof(u16)) + 1;
663 }
664}
665
666static int update_eir(struct hci_dev *hdev)
667{
668 struct hci_cp_write_eir cp;
669
670 if (!(hdev->features[6] & LMP_EXT_INQ))
671 return 0;
672
673 if (hdev->ssp_mode == 0)
674 return 0;
675
676 if (test_bit(HCI_SERVICE_CACHE, &hdev->flags))
677 return 0;
678
679 memset(&cp, 0, sizeof(cp));
680
681 create_eir(hdev, cp.data);
682
683 if (memcmp(cp.data, hdev->eir, sizeof(cp.data)) == 0)
684 return 0;
685
686 memcpy(hdev->eir, cp.data, sizeof(cp.data));
687
688 return hci_send_cmd(hdev, HCI_OP_WRITE_EIR, sizeof(cp), &cp);
689}
690
542static u8 get_service_classes(struct hci_dev *hdev) 691static u8 get_service_classes(struct hci_dev *hdev)
543{ 692{
544 struct list_head *p; 693 struct list_head *p;
@@ -590,7 +739,7 @@ static int add_uuid(struct sock *sk, u16 index, unsigned char *data, u16 len)
590 if (!hdev) 739 if (!hdev)
591 return cmd_status(sk, index, MGMT_OP_ADD_UUID, ENODEV); 740 return cmd_status(sk, index, MGMT_OP_ADD_UUID, ENODEV);
592 741
593 hci_dev_lock_bh(hdev); 742 hci_dev_lock(hdev);
594 743
595 uuid = kmalloc(sizeof(*uuid), GFP_ATOMIC); 744 uuid = kmalloc(sizeof(*uuid), GFP_ATOMIC);
596 if (!uuid) { 745 if (!uuid) {
@@ -607,10 +756,14 @@ static int add_uuid(struct sock *sk, u16 index, unsigned char *data, u16 len)
607 if (err < 0) 756 if (err < 0)
608 goto failed; 757 goto failed;
609 758
759 err = update_eir(hdev);
760 if (err < 0)
761 goto failed;
762
610 err = cmd_complete(sk, index, MGMT_OP_ADD_UUID, NULL, 0); 763 err = cmd_complete(sk, index, MGMT_OP_ADD_UUID, NULL, 0);
611 764
612failed: 765failed:
613 hci_dev_unlock_bh(hdev); 766 hci_dev_unlock(hdev);
614 hci_dev_put(hdev); 767 hci_dev_put(hdev);
615 768
616 return err; 769 return err;
@@ -635,7 +788,7 @@ static int remove_uuid(struct sock *sk, u16 index, unsigned char *data, u16 len)
635 if (!hdev) 788 if (!hdev)
636 return cmd_status(sk, index, MGMT_OP_REMOVE_UUID, ENODEV); 789 return cmd_status(sk, index, MGMT_OP_REMOVE_UUID, ENODEV);
637 790
638 hci_dev_lock_bh(hdev); 791 hci_dev_lock(hdev);
639 792
640 if (memcmp(cp->uuid, bt_uuid_any, 16) == 0) { 793 if (memcmp(cp->uuid, bt_uuid_any, 16) == 0) {
641 err = hci_uuids_clear(hdev); 794 err = hci_uuids_clear(hdev);
@@ -663,10 +816,14 @@ static int remove_uuid(struct sock *sk, u16 index, unsigned char *data, u16 len)
663 if (err < 0) 816 if (err < 0)
664 goto unlock; 817 goto unlock;
665 818
819 err = update_eir(hdev);
820 if (err < 0)
821 goto unlock;
822
666 err = cmd_complete(sk, index, MGMT_OP_REMOVE_UUID, NULL, 0); 823 err = cmd_complete(sk, index, MGMT_OP_REMOVE_UUID, NULL, 0);
667 824
668unlock: 825unlock:
669 hci_dev_unlock_bh(hdev); 826 hci_dev_unlock(hdev);
670 hci_dev_put(hdev); 827 hci_dev_put(hdev);
671 828
672 return err; 829 return err;
@@ -690,7 +847,7 @@ static int set_dev_class(struct sock *sk, u16 index, unsigned char *data,
690 if (!hdev) 847 if (!hdev)
691 return cmd_status(sk, index, MGMT_OP_SET_DEV_CLASS, ENODEV); 848 return cmd_status(sk, index, MGMT_OP_SET_DEV_CLASS, ENODEV);
692 849
693 hci_dev_lock_bh(hdev); 850 hci_dev_lock(hdev);
694 851
695 hdev->major_class = cp->major; 852 hdev->major_class = cp->major;
696 hdev->minor_class = cp->minor; 853 hdev->minor_class = cp->minor;
@@ -700,7 +857,7 @@ static int set_dev_class(struct sock *sk, u16 index, unsigned char *data,
700 if (err == 0) 857 if (err == 0)
701 err = cmd_complete(sk, index, MGMT_OP_SET_DEV_CLASS, NULL, 0); 858 err = cmd_complete(sk, index, MGMT_OP_SET_DEV_CLASS, NULL, 0);
702 859
703 hci_dev_unlock_bh(hdev); 860 hci_dev_unlock(hdev);
704 hci_dev_put(hdev); 861 hci_dev_put(hdev);
705 862
706 return err; 863 return err;
@@ -722,7 +879,7 @@ static int set_service_cache(struct sock *sk, u16 index, unsigned char *data,
722 if (!hdev) 879 if (!hdev)
723 return cmd_status(sk, index, MGMT_OP_SET_SERVICE_CACHE, ENODEV); 880 return cmd_status(sk, index, MGMT_OP_SET_SERVICE_CACHE, ENODEV);
724 881
725 hci_dev_lock_bh(hdev); 882 hci_dev_lock(hdev);
726 883
727 BT_DBG("hci%u enable %d", index, cp->enable); 884 BT_DBG("hci%u enable %d", index, cp->enable);
728 885
@@ -732,13 +889,15 @@ static int set_service_cache(struct sock *sk, u16 index, unsigned char *data,
732 } else { 889 } else {
733 clear_bit(HCI_SERVICE_CACHE, &hdev->flags); 890 clear_bit(HCI_SERVICE_CACHE, &hdev->flags);
734 err = update_class(hdev); 891 err = update_class(hdev);
892 if (err == 0)
893 err = update_eir(hdev);
735 } 894 }
736 895
737 if (err == 0) 896 if (err == 0)
738 err = cmd_complete(sk, index, MGMT_OP_SET_SERVICE_CACHE, NULL, 897 err = cmd_complete(sk, index, MGMT_OP_SET_SERVICE_CACHE, NULL,
739 0); 898 0);
740 899
741 hci_dev_unlock_bh(hdev); 900 hci_dev_unlock(hdev);
742 hci_dev_put(hdev); 901 hci_dev_put(hdev);
743 902
744 return err; 903 return err;
@@ -772,7 +931,7 @@ static int load_keys(struct sock *sk, u16 index, unsigned char *data, u16 len)
772 BT_DBG("hci%u debug_keys %u key_count %u", index, cp->debug_keys, 931 BT_DBG("hci%u debug_keys %u key_count %u", index, cp->debug_keys,
773 key_count); 932 key_count);
774 933
775 hci_dev_lock_bh(hdev); 934 hci_dev_lock(hdev);
776 935
777 hci_link_keys_clear(hdev); 936 hci_link_keys_clear(hdev);
778 937
@@ -786,11 +945,11 @@ static int load_keys(struct sock *sk, u16 index, unsigned char *data, u16 len)
786 for (i = 0; i < key_count; i++) { 945 for (i = 0; i < key_count; i++) {
787 struct mgmt_key_info *key = &cp->keys[i]; 946 struct mgmt_key_info *key = &cp->keys[i];
788 947
789 hci_add_link_key(hdev, 0, &key->bdaddr, key->val, key->type, 948 hci_add_link_key(hdev, NULL, 0, &key->bdaddr, key->val, key->type,
790 key->pin_len); 949 key->pin_len);
791 } 950 }
792 951
793 hci_dev_unlock_bh(hdev); 952 hci_dev_unlock(hdev);
794 hci_dev_put(hdev); 953 hci_dev_put(hdev);
795 954
796 return 0; 955 return 0;
@@ -812,7 +971,7 @@ static int remove_key(struct sock *sk, u16 index, unsigned char *data, u16 len)
812 if (!hdev) 971 if (!hdev)
813 return cmd_status(sk, index, MGMT_OP_REMOVE_KEY, ENODEV); 972 return cmd_status(sk, index, MGMT_OP_REMOVE_KEY, ENODEV);
814 973
815 hci_dev_lock_bh(hdev); 974 hci_dev_lock(hdev);
816 975
817 err = hci_remove_link_key(hdev, &cp->bdaddr); 976 err = hci_remove_link_key(hdev, &cp->bdaddr);
818 if (err < 0) { 977 if (err < 0) {
@@ -835,7 +994,7 @@ static int remove_key(struct sock *sk, u16 index, unsigned char *data, u16 len)
835 } 994 }
836 995
837unlock: 996unlock:
838 hci_dev_unlock_bh(hdev); 997 hci_dev_unlock(hdev);
839 hci_dev_put(hdev); 998 hci_dev_put(hdev);
840 999
841 return err; 1000 return err;
@@ -861,7 +1020,7 @@ static int disconnect(struct sock *sk, u16 index, unsigned char *data, u16 len)
861 if (!hdev) 1020 if (!hdev)
862 return cmd_status(sk, index, MGMT_OP_DISCONNECT, ENODEV); 1021 return cmd_status(sk, index, MGMT_OP_DISCONNECT, ENODEV);
863 1022
864 hci_dev_lock_bh(hdev); 1023 hci_dev_lock(hdev);
865 1024
866 if (!test_bit(HCI_UP, &hdev->flags)) { 1025 if (!test_bit(HCI_UP, &hdev->flags)) {
867 err = cmd_status(sk, index, MGMT_OP_DISCONNECT, ENETDOWN); 1026 err = cmd_status(sk, index, MGMT_OP_DISCONNECT, ENETDOWN);
@@ -874,6 +1033,9 @@ static int disconnect(struct sock *sk, u16 index, unsigned char *data, u16 len)
874 } 1033 }
875 1034
876 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr); 1035 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1036 if (!conn)
1037 conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, &cp->bdaddr);
1038
877 if (!conn) { 1039 if (!conn) {
878 err = cmd_status(sk, index, MGMT_OP_DISCONNECT, ENOTCONN); 1040 err = cmd_status(sk, index, MGMT_OP_DISCONNECT, ENOTCONN);
879 goto failed; 1041 goto failed;
@@ -893,7 +1055,7 @@ static int disconnect(struct sock *sk, u16 index, unsigned char *data, u16 len)
893 mgmt_pending_remove(cmd); 1055 mgmt_pending_remove(cmd);
894 1056
895failed: 1057failed:
896 hci_dev_unlock_bh(hdev); 1058 hci_dev_unlock(hdev);
897 hci_dev_put(hdev); 1059 hci_dev_put(hdev);
898 1060
899 return err; 1061 return err;
@@ -914,7 +1076,7 @@ static int get_connections(struct sock *sk, u16 index)
914 if (!hdev) 1076 if (!hdev)
915 return cmd_status(sk, index, MGMT_OP_GET_CONNECTIONS, ENODEV); 1077 return cmd_status(sk, index, MGMT_OP_GET_CONNECTIONS, ENODEV);
916 1078
917 hci_dev_lock_bh(hdev); 1079 hci_dev_lock(hdev);
918 1080
919 count = 0; 1081 count = 0;
920 list_for_each(p, &hdev->conn_hash.list) { 1082 list_for_each(p, &hdev->conn_hash.list) {
@@ -945,7 +1107,7 @@ static int get_connections(struct sock *sk, u16 index)
945 1107
946unlock: 1108unlock:
947 kfree(rp); 1109 kfree(rp);
948 hci_dev_unlock_bh(hdev); 1110 hci_dev_unlock(hdev);
949 hci_dev_put(hdev); 1111 hci_dev_put(hdev);
950 return err; 1112 return err;
951} 1113}
@@ -970,7 +1132,7 @@ static int pin_code_reply(struct sock *sk, u16 index, unsigned char *data,
970 if (!hdev) 1132 if (!hdev)
971 return cmd_status(sk, index, MGMT_OP_PIN_CODE_REPLY, ENODEV); 1133 return cmd_status(sk, index, MGMT_OP_PIN_CODE_REPLY, ENODEV);
972 1134
973 hci_dev_lock_bh(hdev); 1135 hci_dev_lock(hdev);
974 1136
975 if (!test_bit(HCI_UP, &hdev->flags)) { 1137 if (!test_bit(HCI_UP, &hdev->flags)) {
976 err = cmd_status(sk, index, MGMT_OP_PIN_CODE_REPLY, ENETDOWN); 1138 err = cmd_status(sk, index, MGMT_OP_PIN_CODE_REPLY, ENETDOWN);
@@ -992,7 +1154,7 @@ static int pin_code_reply(struct sock *sk, u16 index, unsigned char *data,
992 mgmt_pending_remove(cmd); 1154 mgmt_pending_remove(cmd);
993 1155
994failed: 1156failed:
995 hci_dev_unlock_bh(hdev); 1157 hci_dev_unlock(hdev);
996 hci_dev_put(hdev); 1158 hci_dev_put(hdev);
997 1159
998 return err; 1160 return err;
@@ -1019,7 +1181,7 @@ static int pin_code_neg_reply(struct sock *sk, u16 index, unsigned char *data,
1019 return cmd_status(sk, index, MGMT_OP_PIN_CODE_NEG_REPLY, 1181 return cmd_status(sk, index, MGMT_OP_PIN_CODE_NEG_REPLY,
1020 ENODEV); 1182 ENODEV);
1021 1183
1022 hci_dev_lock_bh(hdev); 1184 hci_dev_lock(hdev);
1023 1185
1024 if (!test_bit(HCI_UP, &hdev->flags)) { 1186 if (!test_bit(HCI_UP, &hdev->flags)) {
1025 err = cmd_status(sk, index, MGMT_OP_PIN_CODE_NEG_REPLY, 1187 err = cmd_status(sk, index, MGMT_OP_PIN_CODE_NEG_REPLY,
@@ -1040,7 +1202,7 @@ static int pin_code_neg_reply(struct sock *sk, u16 index, unsigned char *data,
1040 mgmt_pending_remove(cmd); 1202 mgmt_pending_remove(cmd);
1041 1203
1042failed: 1204failed:
1043 hci_dev_unlock_bh(hdev); 1205 hci_dev_unlock(hdev);
1044 hci_dev_put(hdev); 1206 hci_dev_put(hdev);
1045 1207
1046 return err; 1208 return err;
@@ -1063,14 +1225,14 @@ static int set_io_capability(struct sock *sk, u16 index, unsigned char *data,
1063 if (!hdev) 1225 if (!hdev)
1064 return cmd_status(sk, index, MGMT_OP_SET_IO_CAPABILITY, ENODEV); 1226 return cmd_status(sk, index, MGMT_OP_SET_IO_CAPABILITY, ENODEV);
1065 1227
1066 hci_dev_lock_bh(hdev); 1228 hci_dev_lock(hdev);
1067 1229
1068 hdev->io_capability = cp->io_capability; 1230 hdev->io_capability = cp->io_capability;
1069 1231
1070 BT_DBG("%s IO capability set to 0x%02x", hdev->name, 1232 BT_DBG("%s IO capability set to 0x%02x", hdev->name,
1071 hdev->io_capability); 1233 hdev->io_capability);
1072 1234
1073 hci_dev_unlock_bh(hdev); 1235 hci_dev_unlock(hdev);
1074 hci_dev_put(hdev); 1236 hci_dev_put(hdev);
1075 1237
1076 return cmd_complete(sk, index, MGMT_OP_SET_IO_CAPABILITY, NULL, 0); 1238 return cmd_complete(sk, index, MGMT_OP_SET_IO_CAPABILITY, NULL, 0);
@@ -1156,7 +1318,7 @@ static int pair_device(struct sock *sk, u16 index, unsigned char *data, u16 len)
1156 if (!hdev) 1318 if (!hdev)
1157 return cmd_status(sk, index, MGMT_OP_PAIR_DEVICE, ENODEV); 1319 return cmd_status(sk, index, MGMT_OP_PAIR_DEVICE, ENODEV);
1158 1320
1159 hci_dev_lock_bh(hdev); 1321 hci_dev_lock(hdev);
1160 1322
1161 if (cp->io_cap == 0x03) { 1323 if (cp->io_cap == 0x03) {
1162 sec_level = BT_SECURITY_MEDIUM; 1324 sec_level = BT_SECURITY_MEDIUM;
@@ -1198,7 +1360,7 @@ static int pair_device(struct sock *sk, u16 index, unsigned char *data, u16 len)
1198 err = 0; 1360 err = 0;
1199 1361
1200unlock: 1362unlock:
1201 hci_dev_unlock_bh(hdev); 1363 hci_dev_unlock(hdev);
1202 hci_dev_put(hdev); 1364 hci_dev_put(hdev);
1203 1365
1204 return err; 1366 return err;
@@ -1230,7 +1392,7 @@ static int user_confirm_reply(struct sock *sk, u16 index, unsigned char *data,
1230 if (!hdev) 1392 if (!hdev)
1231 return cmd_status(sk, index, mgmt_op, ENODEV); 1393 return cmd_status(sk, index, mgmt_op, ENODEV);
1232 1394
1233 hci_dev_lock_bh(hdev); 1395 hci_dev_lock(hdev);
1234 1396
1235 if (!test_bit(HCI_UP, &hdev->flags)) { 1397 if (!test_bit(HCI_UP, &hdev->flags)) {
1236 err = cmd_status(sk, index, mgmt_op, ENETDOWN); 1398 err = cmd_status(sk, index, mgmt_op, ENETDOWN);
@@ -1248,6 +1410,231 @@ static int user_confirm_reply(struct sock *sk, u16 index, unsigned char *data,
1248 mgmt_pending_remove(cmd); 1410 mgmt_pending_remove(cmd);
1249 1411
1250failed: 1412failed:
1413 hci_dev_unlock(hdev);
1414 hci_dev_put(hdev);
1415
1416 return err;
1417}
1418
1419static int set_local_name(struct sock *sk, u16 index, unsigned char *data,
1420 u16 len)
1421{
1422 struct mgmt_cp_set_local_name *mgmt_cp = (void *) data;
1423 struct hci_cp_write_local_name hci_cp;
1424 struct hci_dev *hdev;
1425 struct pending_cmd *cmd;
1426 int err;
1427
1428 BT_DBG("");
1429
1430 if (len != sizeof(*mgmt_cp))
1431 return cmd_status(sk, index, MGMT_OP_SET_LOCAL_NAME, EINVAL);
1432
1433 hdev = hci_dev_get(index);
1434 if (!hdev)
1435 return cmd_status(sk, index, MGMT_OP_SET_LOCAL_NAME, ENODEV);
1436
1437 hci_dev_lock(hdev);
1438
1439 cmd = mgmt_pending_add(sk, MGMT_OP_SET_LOCAL_NAME, index, data, len);
1440 if (!cmd) {
1441 err = -ENOMEM;
1442 goto failed;
1443 }
1444
1445 memcpy(hci_cp.name, mgmt_cp->name, sizeof(hci_cp.name));
1446 err = hci_send_cmd(hdev, HCI_OP_WRITE_LOCAL_NAME, sizeof(hci_cp),
1447 &hci_cp);
1448 if (err < 0)
1449 mgmt_pending_remove(cmd);
1450
1451failed:
1452 hci_dev_unlock(hdev);
1453 hci_dev_put(hdev);
1454
1455 return err;
1456}
1457
1458static int read_local_oob_data(struct sock *sk, u16 index)
1459{
1460 struct hci_dev *hdev;
1461 struct pending_cmd *cmd;
1462 int err;
1463
1464 BT_DBG("hci%u", index);
1465
1466 hdev = hci_dev_get(index);
1467 if (!hdev)
1468 return cmd_status(sk, index, MGMT_OP_READ_LOCAL_OOB_DATA,
1469 ENODEV);
1470
1471 hci_dev_lock(hdev);
1472
1473 if (!test_bit(HCI_UP, &hdev->flags)) {
1474 err = cmd_status(sk, index, MGMT_OP_READ_LOCAL_OOB_DATA,
1475 ENETDOWN);
1476 goto unlock;
1477 }
1478
1479 if (!(hdev->features[6] & LMP_SIMPLE_PAIR)) {
1480 err = cmd_status(sk, index, MGMT_OP_READ_LOCAL_OOB_DATA,
1481 EOPNOTSUPP);
1482 goto unlock;
1483 }
1484
1485 if (mgmt_pending_find(MGMT_OP_READ_LOCAL_OOB_DATA, index)) {
1486 err = cmd_status(sk, index, MGMT_OP_READ_LOCAL_OOB_DATA, EBUSY);
1487 goto unlock;
1488 }
1489
1490 cmd = mgmt_pending_add(sk, MGMT_OP_READ_LOCAL_OOB_DATA, index, NULL, 0);
1491 if (!cmd) {
1492 err = -ENOMEM;
1493 goto unlock;
1494 }
1495
1496 err = hci_send_cmd(hdev, HCI_OP_READ_LOCAL_OOB_DATA, 0, NULL);
1497 if (err < 0)
1498 mgmt_pending_remove(cmd);
1499
1500unlock:
1501 hci_dev_unlock(hdev);
1502 hci_dev_put(hdev);
1503
1504 return err;
1505}
1506
1507static int add_remote_oob_data(struct sock *sk, u16 index, unsigned char *data,
1508 u16 len)
1509{
1510 struct hci_dev *hdev;
1511 struct mgmt_cp_add_remote_oob_data *cp = (void *) data;
1512 int err;
1513
1514 BT_DBG("hci%u ", index);
1515
1516 if (len != sizeof(*cp))
1517 return cmd_status(sk, index, MGMT_OP_ADD_REMOTE_OOB_DATA,
1518 EINVAL);
1519
1520 hdev = hci_dev_get(index);
1521 if (!hdev)
1522 return cmd_status(sk, index, MGMT_OP_ADD_REMOTE_OOB_DATA,
1523 ENODEV);
1524
1525 hci_dev_lock(hdev);
1526
1527 err = hci_add_remote_oob_data(hdev, &cp->bdaddr, cp->hash,
1528 cp->randomizer);
1529 if (err < 0)
1530 err = cmd_status(sk, index, MGMT_OP_ADD_REMOTE_OOB_DATA, -err);
1531 else
1532 err = cmd_complete(sk, index, MGMT_OP_ADD_REMOTE_OOB_DATA, NULL,
1533 0);
1534
1535 hci_dev_unlock(hdev);
1536 hci_dev_put(hdev);
1537
1538 return err;
1539}
1540
1541static int remove_remote_oob_data(struct sock *sk, u16 index,
1542 unsigned char *data, u16 len)
1543{
1544 struct hci_dev *hdev;
1545 struct mgmt_cp_remove_remote_oob_data *cp = (void *) data;
1546 int err;
1547
1548 BT_DBG("hci%u ", index);
1549
1550 if (len != sizeof(*cp))
1551 return cmd_status(sk, index, MGMT_OP_REMOVE_REMOTE_OOB_DATA,
1552 EINVAL);
1553
1554 hdev = hci_dev_get(index);
1555 if (!hdev)
1556 return cmd_status(sk, index, MGMT_OP_REMOVE_REMOTE_OOB_DATA,
1557 ENODEV);
1558
1559 hci_dev_lock(hdev);
1560
1561 err = hci_remove_remote_oob_data(hdev, &cp->bdaddr);
1562 if (err < 0)
1563 err = cmd_status(sk, index, MGMT_OP_REMOVE_REMOTE_OOB_DATA,
1564 -err);
1565 else
1566 err = cmd_complete(sk, index, MGMT_OP_REMOVE_REMOTE_OOB_DATA,
1567 NULL, 0);
1568
1569 hci_dev_unlock(hdev);
1570 hci_dev_put(hdev);
1571
1572 return err;
1573}
1574
1575static int start_discovery(struct sock *sk, u16 index)
1576{
1577 u8 lap[3] = { 0x33, 0x8b, 0x9e };
1578 struct hci_cp_inquiry cp;
1579 struct pending_cmd *cmd;
1580 struct hci_dev *hdev;
1581 int err;
1582
1583 BT_DBG("hci%u", index);
1584
1585 hdev = hci_dev_get(index);
1586 if (!hdev)
1587 return cmd_status(sk, index, MGMT_OP_START_DISCOVERY, ENODEV);
1588
1589 hci_dev_lock_bh(hdev);
1590
1591 cmd = mgmt_pending_add(sk, MGMT_OP_START_DISCOVERY, index, NULL, 0);
1592 if (!cmd) {
1593 err = -ENOMEM;
1594 goto failed;
1595 }
1596
1597 memset(&cp, 0, sizeof(cp));
1598 memcpy(&cp.lap, lap, 3);
1599 cp.length = 0x08;
1600 cp.num_rsp = 0x00;
1601
1602 err = hci_send_cmd(hdev, HCI_OP_INQUIRY, sizeof(cp), &cp);
1603 if (err < 0)
1604 mgmt_pending_remove(cmd);
1605
1606failed:
1607 hci_dev_unlock_bh(hdev);
1608 hci_dev_put(hdev);
1609
1610 return err;
1611}
1612
1613static int stop_discovery(struct sock *sk, u16 index)
1614{
1615 struct hci_dev *hdev;
1616 struct pending_cmd *cmd;
1617 int err;
1618
1619 BT_DBG("hci%u", index);
1620
1621 hdev = hci_dev_get(index);
1622 if (!hdev)
1623 return cmd_status(sk, index, MGMT_OP_STOP_DISCOVERY, ENODEV);
1624
1625 hci_dev_lock_bh(hdev);
1626
1627 cmd = mgmt_pending_add(sk, MGMT_OP_STOP_DISCOVERY, index, NULL, 0);
1628 if (!cmd) {
1629 err = -ENOMEM;
1630 goto failed;
1631 }
1632
1633 err = hci_send_cmd(hdev, HCI_OP_INQUIRY_CANCEL, 0, NULL);
1634 if (err < 0)
1635 mgmt_pending_remove(cmd);
1636
1637failed:
1251 hci_dev_unlock_bh(hdev); 1638 hci_dev_unlock_bh(hdev);
1252 hci_dev_put(hdev); 1639 hci_dev_put(hdev);
1253 1640
@@ -1266,7 +1653,7 @@ int mgmt_control(struct sock *sk, struct msghdr *msg, size_t msglen)
1266 if (msglen < sizeof(*hdr)) 1653 if (msglen < sizeof(*hdr))
1267 return -EINVAL; 1654 return -EINVAL;
1268 1655
1269 buf = kmalloc(msglen, GFP_ATOMIC); 1656 buf = kmalloc(msglen, GFP_KERNEL);
1270 if (!buf) 1657 if (!buf)
1271 return -ENOMEM; 1658 return -ENOMEM;
1272 1659
@@ -1349,6 +1736,25 @@ int mgmt_control(struct sock *sk, struct msghdr *msg, size_t msglen)
1349 case MGMT_OP_USER_CONFIRM_NEG_REPLY: 1736 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1350 err = user_confirm_reply(sk, index, buf + sizeof(*hdr), len, 0); 1737 err = user_confirm_reply(sk, index, buf + sizeof(*hdr), len, 0);
1351 break; 1738 break;
1739 case MGMT_OP_SET_LOCAL_NAME:
1740 err = set_local_name(sk, index, buf + sizeof(*hdr), len);
1741 break;
1742 case MGMT_OP_READ_LOCAL_OOB_DATA:
1743 err = read_local_oob_data(sk, index);
1744 break;
1745 case MGMT_OP_ADD_REMOTE_OOB_DATA:
1746 err = add_remote_oob_data(sk, index, buf + sizeof(*hdr), len);
1747 break;
1748 case MGMT_OP_REMOVE_REMOTE_OOB_DATA:
1749 err = remove_remote_oob_data(sk, index, buf + sizeof(*hdr),
1750 len);
1751 break;
1752 case MGMT_OP_START_DISCOVERY:
1753 err = start_discovery(sk, index);
1754 break;
1755 case MGMT_OP_STOP_DISCOVERY:
1756 err = stop_discovery(sk, index);
1757 break;
1352 default: 1758 default:
1353 BT_DBG("Unknown op %u", opcode); 1759 BT_DBG("Unknown op %u", opcode);
1354 err = cmd_status(sk, index, opcode, 0x01); 1760 err = cmd_status(sk, index, opcode, 0x01);
@@ -1382,7 +1788,7 @@ struct cmd_lookup {
1382 1788
1383static void mode_rsp(struct pending_cmd *cmd, void *data) 1789static void mode_rsp(struct pending_cmd *cmd, void *data)
1384{ 1790{
1385 struct mgmt_mode *cp = cmd->cmd; 1791 struct mgmt_mode *cp = cmd->param;
1386 struct cmd_lookup *match = data; 1792 struct cmd_lookup *match = data;
1387 1793
1388 if (cp->val != match->val) 1794 if (cp->val != match->val)
@@ -1455,17 +1861,17 @@ int mgmt_connectable(u16 index, u8 connectable)
1455 return ret; 1861 return ret;
1456} 1862}
1457 1863
1458int mgmt_new_key(u16 index, struct link_key *key, u8 old_key_type) 1864int mgmt_new_key(u16 index, struct link_key *key, u8 persistent)
1459{ 1865{
1460 struct mgmt_ev_new_key ev; 1866 struct mgmt_ev_new_key ev;
1461 1867
1462 memset(&ev, 0, sizeof(ev)); 1868 memset(&ev, 0, sizeof(ev));
1463 1869
1870 ev.store_hint = persistent;
1464 bacpy(&ev.key.bdaddr, &key->bdaddr); 1871 bacpy(&ev.key.bdaddr, &key->bdaddr);
1465 ev.key.type = key->type; 1872 ev.key.type = key->type;
1466 memcpy(ev.key.val, key->val, 16); 1873 memcpy(ev.key.val, key->val, 16);
1467 ev.key.pin_len = key->pin_len; 1874 ev.key.pin_len = key->pin_len;
1468 ev.old_key_type = old_key_type;
1469 1875
1470 return mgmt_event(MGMT_EV_NEW_KEY, index, &ev, sizeof(ev), NULL); 1876 return mgmt_event(MGMT_EV_NEW_KEY, index, &ev, sizeof(ev), NULL);
1471} 1877}
@@ -1481,7 +1887,7 @@ int mgmt_connected(u16 index, bdaddr_t *bdaddr)
1481 1887
1482static void disconnect_rsp(struct pending_cmd *cmd, void *data) 1888static void disconnect_rsp(struct pending_cmd *cmd, void *data)
1483{ 1889{
1484 struct mgmt_cp_disconnect *cp = cmd->cmd; 1890 struct mgmt_cp_disconnect *cp = cmd->param;
1485 struct sock **sk = data; 1891 struct sock **sk = data;
1486 struct mgmt_rp_disconnect rp; 1892 struct mgmt_rp_disconnect rp;
1487 1893
@@ -1539,11 +1945,12 @@ int mgmt_connect_failed(u16 index, bdaddr_t *bdaddr, u8 status)
1539 return mgmt_event(MGMT_EV_CONNECT_FAILED, index, &ev, sizeof(ev), NULL); 1945 return mgmt_event(MGMT_EV_CONNECT_FAILED, index, &ev, sizeof(ev), NULL);
1540} 1946}
1541 1947
1542int mgmt_pin_code_request(u16 index, bdaddr_t *bdaddr) 1948int mgmt_pin_code_request(u16 index, bdaddr_t *bdaddr, u8 secure)
1543{ 1949{
1544 struct mgmt_ev_pin_code_request ev; 1950 struct mgmt_ev_pin_code_request ev;
1545 1951
1546 bacpy(&ev.bdaddr, bdaddr); 1952 bacpy(&ev.bdaddr, bdaddr);
1953 ev.secure = secure;
1547 1954
1548 return mgmt_event(MGMT_EV_PIN_CODE_REQUEST, index, &ev, sizeof(ev), 1955 return mgmt_event(MGMT_EV_PIN_CODE_REQUEST, index, &ev, sizeof(ev),
1549 NULL); 1956 NULL);
@@ -1591,13 +1998,15 @@ int mgmt_pin_code_neg_reply_complete(u16 index, bdaddr_t *bdaddr, u8 status)
1591 return err; 1998 return err;
1592} 1999}
1593 2000
1594int mgmt_user_confirm_request(u16 index, bdaddr_t *bdaddr, __le32 value) 2001int mgmt_user_confirm_request(u16 index, bdaddr_t *bdaddr, __le32 value,
2002 u8 confirm_hint)
1595{ 2003{
1596 struct mgmt_ev_user_confirm_request ev; 2004 struct mgmt_ev_user_confirm_request ev;
1597 2005
1598 BT_DBG("hci%u", index); 2006 BT_DBG("hci%u", index);
1599 2007
1600 bacpy(&ev.bdaddr, bdaddr); 2008 bacpy(&ev.bdaddr, bdaddr);
2009 ev.confirm_hint = confirm_hint;
1601 put_unaligned_le32(value, &ev.value); 2010 put_unaligned_le32(value, &ev.value);
1602 2011
1603 return mgmt_event(MGMT_EV_USER_CONFIRM_REQUEST, index, &ev, sizeof(ev), 2012 return mgmt_event(MGMT_EV_USER_CONFIRM_REQUEST, index, &ev, sizeof(ev),
@@ -1645,3 +2054,110 @@ int mgmt_auth_failed(u16 index, bdaddr_t *bdaddr, u8 status)
1645 2054
1646 return mgmt_event(MGMT_EV_AUTH_FAILED, index, &ev, sizeof(ev), NULL); 2055 return mgmt_event(MGMT_EV_AUTH_FAILED, index, &ev, sizeof(ev), NULL);
1647} 2056}
2057
2058int mgmt_set_local_name_complete(u16 index, u8 *name, u8 status)
2059{
2060 struct pending_cmd *cmd;
2061 struct hci_dev *hdev;
2062 struct mgmt_cp_set_local_name ev;
2063 int err;
2064
2065 memset(&ev, 0, sizeof(ev));
2066 memcpy(ev.name, name, HCI_MAX_NAME_LENGTH);
2067
2068 cmd = mgmt_pending_find(MGMT_OP_SET_LOCAL_NAME, index);
2069 if (!cmd)
2070 goto send_event;
2071
2072 if (status) {
2073 err = cmd_status(cmd->sk, index, MGMT_OP_SET_LOCAL_NAME, EIO);
2074 goto failed;
2075 }
2076
2077 hdev = hci_dev_get(index);
2078 if (hdev) {
2079 hci_dev_lock_bh(hdev);
2080 update_eir(hdev);
2081 hci_dev_unlock_bh(hdev);
2082 hci_dev_put(hdev);
2083 }
2084
2085 err = cmd_complete(cmd->sk, index, MGMT_OP_SET_LOCAL_NAME, &ev,
2086 sizeof(ev));
2087 if (err < 0)
2088 goto failed;
2089
2090send_event:
2091 err = mgmt_event(MGMT_EV_LOCAL_NAME_CHANGED, index, &ev, sizeof(ev),
2092 cmd ? cmd->sk : NULL);
2093
2094failed:
2095 if (cmd)
2096 mgmt_pending_remove(cmd);
2097 return err;
2098}
2099
2100int mgmt_read_local_oob_data_reply_complete(u16 index, u8 *hash, u8 *randomizer,
2101 u8 status)
2102{
2103 struct pending_cmd *cmd;
2104 int err;
2105
2106 BT_DBG("hci%u status %u", index, status);
2107
2108 cmd = mgmt_pending_find(MGMT_OP_READ_LOCAL_OOB_DATA, index);
2109 if (!cmd)
2110 return -ENOENT;
2111
2112 if (status) {
2113 err = cmd_status(cmd->sk, index, MGMT_OP_READ_LOCAL_OOB_DATA,
2114 EIO);
2115 } else {
2116 struct mgmt_rp_read_local_oob_data rp;
2117
2118 memcpy(rp.hash, hash, sizeof(rp.hash));
2119 memcpy(rp.randomizer, randomizer, sizeof(rp.randomizer));
2120
2121 err = cmd_complete(cmd->sk, index, MGMT_OP_READ_LOCAL_OOB_DATA,
2122 &rp, sizeof(rp));
2123 }
2124
2125 mgmt_pending_remove(cmd);
2126
2127 return err;
2128}
2129
2130int mgmt_device_found(u16 index, bdaddr_t *bdaddr, u8 *dev_class, s8 rssi,
2131 u8 *eir)
2132{
2133 struct mgmt_ev_device_found ev;
2134
2135 memset(&ev, 0, sizeof(ev));
2136
2137 bacpy(&ev.bdaddr, bdaddr);
2138 memcpy(ev.dev_class, dev_class, sizeof(ev.dev_class));
2139 ev.rssi = rssi;
2140
2141 if (eir)
2142 memcpy(ev.eir, eir, sizeof(ev.eir));
2143
2144 return mgmt_event(MGMT_EV_DEVICE_FOUND, index, &ev, sizeof(ev), NULL);
2145}
2146
2147int mgmt_remote_name(u16 index, bdaddr_t *bdaddr, u8 *name)
2148{
2149 struct mgmt_ev_remote_name ev;
2150
2151 memset(&ev, 0, sizeof(ev));
2152
2153 bacpy(&ev.bdaddr, bdaddr);
2154 memcpy(ev.name, name, HCI_MAX_NAME_LENGTH);
2155
2156 return mgmt_event(MGMT_EV_REMOTE_NAME, index, &ev, sizeof(ev), NULL);
2157}
2158
2159int mgmt_discovering(u16 index, u8 discovering)
2160{
2161 return mgmt_event(MGMT_EV_DISCOVERING, index, &discovering,
2162 sizeof(discovering), NULL);
2163}
diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
index c9973932456f..5759bb7054f7 100644
--- a/net/bluetooth/rfcomm/core.c
+++ b/net/bluetooth/rfcomm/core.c
@@ -232,6 +232,8 @@ static int rfcomm_l2sock_create(struct socket **sock)
232static inline int rfcomm_check_security(struct rfcomm_dlc *d) 232static inline int rfcomm_check_security(struct rfcomm_dlc *d)
233{ 233{
234 struct sock *sk = d->session->sock->sk; 234 struct sock *sk = d->session->sock->sk;
235 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
236
235 __u8 auth_type; 237 __u8 auth_type;
236 238
237 switch (d->sec_level) { 239 switch (d->sec_level) {
@@ -246,8 +248,7 @@ static inline int rfcomm_check_security(struct rfcomm_dlc *d)
246 break; 248 break;
247 } 249 }
248 250
249 return hci_conn_security(l2cap_pi(sk)->conn->hcon, d->sec_level, 251 return hci_conn_security(conn->hcon, d->sec_level, auth_type);
250 auth_type);
251} 252}
252 253
253static void rfcomm_session_timeout(unsigned long arg) 254static void rfcomm_session_timeout(unsigned long arg)
@@ -710,10 +711,10 @@ static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
710 /* Set L2CAP options */ 711 /* Set L2CAP options */
711 sk = sock->sk; 712 sk = sock->sk;
712 lock_sock(sk); 713 lock_sock(sk);
713 l2cap_pi(sk)->imtu = l2cap_mtu; 714 l2cap_pi(sk)->chan->imtu = l2cap_mtu;
714 l2cap_pi(sk)->sec_level = sec_level; 715 l2cap_pi(sk)->chan->sec_level = sec_level;
715 if (l2cap_ertm) 716 if (l2cap_ertm)
716 l2cap_pi(sk)->mode = L2CAP_MODE_ERTM; 717 l2cap_pi(sk)->chan->mode = L2CAP_MODE_ERTM;
717 release_sock(sk); 718 release_sock(sk);
718 719
719 s = rfcomm_session_add(sock, BT_BOUND); 720 s = rfcomm_session_add(sock, BT_BOUND);
@@ -1241,6 +1242,7 @@ static int rfcomm_recv_disc(struct rfcomm_session *s, u8 dlci)
1241void rfcomm_dlc_accept(struct rfcomm_dlc *d) 1242void rfcomm_dlc_accept(struct rfcomm_dlc *d)
1242{ 1243{
1243 struct sock *sk = d->session->sock->sk; 1244 struct sock *sk = d->session->sock->sk;
1245 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
1244 1246
1245 BT_DBG("dlc %p", d); 1247 BT_DBG("dlc %p", d);
1246 1248
@@ -1254,7 +1256,7 @@ void rfcomm_dlc_accept(struct rfcomm_dlc *d)
1254 rfcomm_dlc_unlock(d); 1256 rfcomm_dlc_unlock(d);
1255 1257
1256 if (d->role_switch) 1258 if (d->role_switch)
1257 hci_conn_switch_role(l2cap_pi(sk)->conn->hcon, 0x00); 1259 hci_conn_switch_role(conn->hcon, 0x00);
1258 1260
1259 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig); 1261 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1260} 1262}
@@ -1890,7 +1892,8 @@ static inline void rfcomm_accept_connection(struct rfcomm_session *s)
1890 1892
1891 /* We should adjust MTU on incoming sessions. 1893 /* We should adjust MTU on incoming sessions.
1892 * L2CAP MTU minus UIH header and FCS. */ 1894 * L2CAP MTU minus UIH header and FCS. */
1893 s->mtu = min(l2cap_pi(nsock->sk)->omtu, l2cap_pi(nsock->sk)->imtu) - 5; 1895 s->mtu = min(l2cap_pi(nsock->sk)->chan->omtu,
1896 l2cap_pi(nsock->sk)->chan->imtu) - 5;
1894 1897
1895 rfcomm_schedule(); 1898 rfcomm_schedule();
1896 } else 1899 } else
@@ -1909,7 +1912,7 @@ static inline void rfcomm_check_connection(struct rfcomm_session *s)
1909 1912
1910 /* We can adjust MTU on outgoing sessions. 1913 /* We can adjust MTU on outgoing sessions.
1911 * L2CAP MTU minus UIH header and FCS. */ 1914 * L2CAP MTU minus UIH header and FCS. */
1912 s->mtu = min(l2cap_pi(sk)->omtu, l2cap_pi(sk)->imtu) - 5; 1915 s->mtu = min(l2cap_pi(sk)->chan->omtu, l2cap_pi(sk)->chan->imtu) - 5;
1913 1916
1914 rfcomm_send_sabm(s, 0); 1917 rfcomm_send_sabm(s, 0);
1915 break; 1918 break;
@@ -1992,7 +1995,7 @@ static int rfcomm_add_listener(bdaddr_t *ba)
1992 /* Set L2CAP options */ 1995 /* Set L2CAP options */
1993 sk = sock->sk; 1996 sk = sock->sk;
1994 lock_sock(sk); 1997 lock_sock(sk);
1995 l2cap_pi(sk)->imtu = l2cap_mtu; 1998 l2cap_pi(sk)->chan->imtu = l2cap_mtu;
1996 release_sock(sk); 1999 release_sock(sk);
1997 2000
1998 /* Start listening on the socket */ 2001 /* Start listening on the socket */
@@ -2093,7 +2096,7 @@ static void rfcomm_security_cfm(struct hci_conn *conn, u8 status, u8 encrypt)
2093 if (!test_and_clear_bit(RFCOMM_AUTH_PENDING, &d->flags)) 2096 if (!test_and_clear_bit(RFCOMM_AUTH_PENDING, &d->flags))
2094 continue; 2097 continue;
2095 2098
2096 if (!status) 2099 if (!status && hci_conn_check_secure(conn, d->sec_level))
2097 set_bit(RFCOMM_AUTH_ACCEPT, &d->flags); 2100 set_bit(RFCOMM_AUTH_ACCEPT, &d->flags);
2098 else 2101 else
2099 set_bit(RFCOMM_AUTH_REJECT, &d->flags); 2102 set_bit(RFCOMM_AUTH_REJECT, &d->flags);
diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
index 66cc1f0c3df8..386cfaffd4b7 100644
--- a/net/bluetooth/rfcomm/sock.c
+++ b/net/bluetooth/rfcomm/sock.c
@@ -743,6 +743,7 @@ static int rfcomm_sock_getsockopt_old(struct socket *sock, int optname, char __u
743 struct sock *sk = sock->sk; 743 struct sock *sk = sock->sk;
744 struct sock *l2cap_sk; 744 struct sock *l2cap_sk;
745 struct rfcomm_conninfo cinfo; 745 struct rfcomm_conninfo cinfo;
746 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
746 int len, err = 0; 747 int len, err = 0;
747 u32 opt; 748 u32 opt;
748 749
@@ -787,8 +788,8 @@ static int rfcomm_sock_getsockopt_old(struct socket *sock, int optname, char __u
787 788
788 l2cap_sk = rfcomm_pi(sk)->dlc->session->sock->sk; 789 l2cap_sk = rfcomm_pi(sk)->dlc->session->sock->sk;
789 790
790 cinfo.hci_handle = l2cap_pi(l2cap_sk)->conn->hcon->handle; 791 cinfo.hci_handle = conn->hcon->handle;
791 memcpy(cinfo.dev_class, l2cap_pi(l2cap_sk)->conn->hcon->dev_class, 3); 792 memcpy(cinfo.dev_class, conn->hcon->dev_class, 3);
792 793
793 len = min_t(unsigned int, len, sizeof(cinfo)); 794 len = min_t(unsigned int, len, sizeof(cinfo));
794 if (copy_to_user(optval, (char *) &cinfo, len)) 795 if (copy_to_user(optval, (char *) &cinfo, len))
generated by cgit v1.2.2 (git 2.25.0) at 2025-02-27 17:28:44 -0500