-rw-r--r--drivers/bluetooth/bfusb.c3
-rw-r--r--drivers/bluetooth/bt3c_cs.c4
-rw-r--r--drivers/bluetooth/btusb.c40
-rw-r--r--drivers/bluetooth/hci_h4.c3
-rw-r--r--drivers/bluetooth/hci_ll.c3
-rw-r--r--include/net/bluetooth/bluetooth.h12
-rw-r--r--include/net/bluetooth/hci.h8
-rw-r--r--include/net/bluetooth/hci_core.h84
-rw-r--r--include/net/bluetooth/l2cap.h13
-rw-r--r--include/net/bluetooth/rfcomm.h20
-rw-r--r--net/bluetooth/af_bluetooth.c17
-rw-r--r--net/bluetooth/cmtp/core.c3
-rw-r--r--net/bluetooth/hci_conn.c64
-rw-r--r--net/bluetooth/hci_core.c3
-rw-r--r--net/bluetooth/hci_event.c26
-rw-r--r--net/bluetooth/l2cap.c602
-rw-r--r--net/bluetooth/rfcomm/core.c179
-rw-r--r--net/bluetooth/rfcomm/sock.c189
-rw-r--r--net/bluetooth/sco.c57
19 files changed, 968 insertions, 362 deletions
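--- a/drivers/bluetooth/bfusb.c
+++ b/drivers/bluetooth/bfusb.c
@@ -257,8 +257,7 @@ static inline int bfusb_recv_block(struct bfusb_data *data, int hdr, unsigned ch
 
 	if (hdr & 0x10) {
 		BT_ERR("%s error in block", data->hdev->name);
-		if (data->reassembly)
-			kfree_skb(data->reassembly);
+		kfree_skb(data->reassembly);
 		data->reassembly = NULL;
 		return -EIO;
 	}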
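--- a/drivers/bluetooth/bt3c_cs.c
+++ b/drivers/bluetooth/bt3c_cs.c
@@ -359,9 +359,9 @@ static irqreturn_t bt3c_interrupt(int irq, void *dev_inst)
 			BT_ERR("Very strange (stat=0x%04x)", stat);
 		} else if ((stat & 0xff) != 0xff) {
 			if (stat & 0x0020) {
-				int stat = bt3c_read(iobase, 0x7002) & 0x10;
+				int status = bt3c_read(iobase, 0x7002) & 0x10;
 				BT_INFO("%s: Antenna %s", info->hdev->name,
-						stat ? "out" : "in");
+						status ? "out" : "in");
 			}
 			if (stat & 0x0001)
 				bt3c_receive(info);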
diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index b5fbda6d490a..e70c57ee4221 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -35,7 +35,7 @@
35#include <net/bluetooth/bluetooth.h> 35#include <net/bluetooth/bluetooth.h>
36#include <net/bluetooth/hci_core.h> 36#include <net/bluetooth/hci_core.h>
37 37
38#define VERSION "0.4" 38#define VERSION "0.5"
39 39
40static int ignore_dga; 40static int ignore_dga;
41static int ignore_csr; 41static int ignore_csr;
@@ -171,6 +171,7 @@ struct btusb_data {
171 171
172 __u8 cmdreq_type; 172 __u8 cmdreq_type;
173 173
174 unsigned int sco_num;
174 int isoc_altsetting; 175 int isoc_altsetting;
175 int suspend_count; 176 int suspend_count;
176}; 177};
@@ -496,11 +497,23 @@ static int btusb_open(struct hci_dev *hdev)
496 return 0; 497 return 0;
497 498
498 err = btusb_submit_intr_urb(hdev, GFP_KERNEL); 499 err = btusb_submit_intr_urb(hdev, GFP_KERNEL);
500 if (err < 0)
501 goto failed;
502
503 err = btusb_submit_bulk_urb(hdev, GFP_KERNEL);
499 if (err < 0) { 504 if (err < 0) {
500 clear_bit(BTUSB_INTR_RUNNING, &data->flags); 505 usb_kill_anchored_urbs(&data->intr_anchor);
501 clear_bit(HCI_RUNNING, &hdev->flags); 506 goto failed;
502 } 507 }
503 508
509 set_bit(BTUSB_BULK_RUNNING, &data->flags);
510 btusb_submit_bulk_urb(hdev, GFP_KERNEL);
511
512 return 0;
513
514failed:
515 clear_bit(BTUSB_INTR_RUNNING, &data->flags);
516 clear_bit(HCI_RUNNING, &hdev->flags);
504 return err; 517 return err;
505} 518}
506 519
@@ -655,19 +668,10 @@ static void btusb_notify(struct hci_dev *hdev, unsigned int evt)
655 668
656 BT_DBG("%s evt %d", hdev->name, evt); 669 BT_DBG("%s evt %d", hdev->name, evt);
657 670
658 if (hdev->conn_hash.acl_num > 0) { 671 if (hdev->conn_hash.sco_num != data->sco_num) {
659 if (!test_and_set_bit(BTUSB_BULK_RUNNING, &data->flags)) { 672 data->sco_num = hdev->conn_hash.sco_num;
660 if (btusb_submit_bulk_urb(hdev, GFP_ATOMIC) < 0) 673 schedule_work(&data->work);
661 clear_bit(BTUSB_BULK_RUNNING, &data->flags);
662 else
663 btusb_submit_bulk_urb(hdev, GFP_ATOMIC);
664 }
665 } else {
666 clear_bit(BTUSB_BULK_RUNNING, &data->flags);
667 usb_unlink_anchored_urbs(&data->bulk_anchor);
668 } 674 }
669
670 schedule_work(&data->work);
671} 675}
672 676
673static int inline __set_isoc_interface(struct hci_dev *hdev, int altsetting) 677static int inline __set_isoc_interface(struct hci_dev *hdev, int altsetting)
@@ -982,9 +986,11 @@ static int btusb_resume(struct usb_interface *intf)
982 } 986 }
983 987
984 if (test_bit(BTUSB_BULK_RUNNING, &data->flags)) { 988 if (test_bit(BTUSB_BULK_RUNNING, &data->flags)) {
985 if (btusb_submit_bulk_urb(hdev, GFP_NOIO) < 0) 989 err = btusb_submit_bulk_urb(hdev, GFP_NOIO);
990 if (err < 0) {
986 clear_bit(BTUSB_BULK_RUNNING, &data->flags); 991 clear_bit(BTUSB_BULK_RUNNING, &data->flags);
987 else 992 return err;
993 } else
988 btusb_submit_bulk_urb(hdev, GFP_NOIO); 994 btusb_submit_bulk_urb(hdev, GFP_NOIO);
989 } 995 }
990 996
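--- a/drivers/bluetooth/hci_h4.c
+++ b/drivers/bluetooth/hci_h4.c
@@ -102,8 +102,7 @@ static int h4_close(struct hci_uart *hu)
 
 	skb_queue_purge(&h4->txq);
 
-	if (h4->rx_skb)
-		kfree_skb(h4->rx_skb);
+	kfree_skb(h4->rx_skb);
 
 	hu->priv = NULL;
 	kfree(h4);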
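--- a/drivers/bluetooth/hci_ll.c
+++ b/drivers/bluetooth/hci_ll.c
@@ -163,8 +163,7 @@ static int ll_close(struct hci_uart *hu)
 	skb_queue_purge(&ll->tx_wait_q);
 	skb_queue_purge(&ll->txq);
 
-	if (ll->rx_skb)
-		kfree_skb(ll->rx_skb);
+	kfree_skb(ll->rx_skb);
 
 	hu->priv = NULL;
 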
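--- a/include/net/bluetooth/bluetooth.h
+++ b/include/net/bluetooth/bluetooth.h
@@ -53,6 +53,17 @@
 #define SOL_SCO		17
 #define SOL_RFCOMM	18
 
+#define BT_SECURITY	4
+struct bt_security {
+	__u8 level;
+};
+#define BT_SECURITY_SDP		0
+#define BT_SECURITY_LOW		1
+#define BT_SECURITY_MEDIUM	2
+#define BT_SECURITY_HIGH	3
+
+#define BT_DEFER_SETUP	7
+
 #define BT_INFO(fmt, arg...) printk(KERN_INFO "Bluetooth: " fmt "\n" , ## arg)
 #define BT_ERR(fmt, arg...)  printk(KERN_ERR "%s: " fmt "\n" , __func__ , ## arg)
 #define BT_DBG(fmt, arg...)  pr_debug("%s: " fmt "\n" , __func__ , ## arg)
@@ -108,6 +119,7 @@ struct bt_sock {
 	bdaddr_t    dst;
 	struct list_head accept_q;
 	struct sock *parent;
+	u32 defer_setup;
 };
 
 struct bt_sock_list {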
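Review bot: `struct bt_security` and the BT_SECURITY_* levels are a new user-visible ABI, yet the header says nothing about what each level demands or what happens to a `level` outside 0–3; since the value arrives through setsockopt, the L2CAP and RFCOMM handlers (in l2cap.c and rfcomm/sock.c, not in this chunk) must reject `level > BT_SECURITY_HIGH`, and this header is where that contract belongs. Going by hci_conn_security in this commit, SDP requests nothing, LOW requests authentication only when both sides run SSP, and MEDIUM and HIGH both request authentication plus encryption, so what distinguishes HIGH (presumably the caller's auth_type) should be spelled out too. I'd add above `#define BT_SECURITY_SDP`: `/* BT_SECURITY levels: SDP = none, LOW = auth only with SSP, MEDIUM = auth + encryption, HIGH = auth + encryption with the stronger auth_type; values > HIGH are rejected */`. `u32 defer_setup` in struct bt_sock is used as a boolean; a `u8` or a flag bit would be the conventional choice.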
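--- a/include/net/bluetooth/hci.h
+++ b/include/net/bluetooth/hci.h
@@ -133,8 +133,13 @@ enum {
 #define ESCO_EV3	0x0008
 #define ESCO_EV4	0x0010
 #define ESCO_EV5	0x0020
+#define ESCO_2EV3	0x0040
+#define ESCO_3EV3	0x0080
+#define ESCO_2EV5	0x0100
+#define ESCO_3EV5	0x0200
 
 #define SCO_ESCO_MASK  (ESCO_HV1 | ESCO_HV2 | ESCO_HV3)
+#define EDR_ESCO_MASK  (ESCO_2EV3 | ESCO_3EV3 | ESCO_2EV5 | ESCO_3EV5)
 
 /* ACL flags */
 #define ACL_CONT		0x01
@@ -176,6 +181,9 @@ enum {
 #define LMP_EV5		0x02
 
 #define LMP_SNIFF_SUBR	0x02
+#define LMP_EDR_ESCO_2M	0x20
+#define LMP_EDR_ESCO_3M	0x40
+#define LMP_EDR_3S_ESCO	0x80
 
 #define LMP_SIMPLE_PAIR	0x08
 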
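Review bot: The new ESCO_2EV3..ESCO_3EV5 bits carry no comment, and they do not behave like the ESCO_* bits above them: in the HCI Setup_Synchronous_Connection packet-type field the 2-EV3/3-EV3/2-EV5/3-EV5 bits mean "shall NOT be used" as I read the spec, which is why hci_conn.c in this commit ORs EDR_ESCO_MASK into a SCO link's pkt_type and clears it for an eSCO link. Without that being written down the next reader will "fix" the mask usage. A one-liner next to the mask would do: `/* EDR eSCO bits are inverted in the HCI packet_type field: set = packet type excluded */`.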
diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
index 46a43b721dd6..01f9316b4c23 100644
--- a/include/net/bluetooth/hci_core.h
+++ b/include/net/bluetooth/hci_core.h
@@ -169,6 +169,7 @@ struct hci_conn {
169 __u16 link_policy; 169 __u16 link_policy;
170 __u32 link_mode; 170 __u32 link_mode;
171 __u8 auth_type; 171 __u8 auth_type;
172 __u8 sec_level;
172 __u8 power_save; 173 __u8 power_save;
173 unsigned long pend; 174 unsigned long pend;
174 175
@@ -325,12 +326,11 @@ int hci_conn_del(struct hci_conn *conn);
325void hci_conn_hash_flush(struct hci_dev *hdev); 326void hci_conn_hash_flush(struct hci_dev *hdev);
326void hci_conn_check_pending(struct hci_dev *hdev); 327void hci_conn_check_pending(struct hci_dev *hdev);
327 328
328struct hci_conn *hci_connect(struct hci_dev *hdev, int type, bdaddr_t *dst, __u8 auth_type); 329struct hci_conn *hci_connect(struct hci_dev *hdev, int type, bdaddr_t *dst, __u8 sec_level, __u8 auth_type);
329int hci_conn_check_link_mode(struct hci_conn *conn); 330int hci_conn_check_link_mode(struct hci_conn *conn);
330int hci_conn_auth(struct hci_conn *conn); 331int hci_conn_security(struct hci_conn *conn, __u8 sec_level, __u8 auth_type);
331int hci_conn_encrypt(struct hci_conn *conn);
332int hci_conn_change_link_key(struct hci_conn *conn); 332int hci_conn_change_link_key(struct hci_conn *conn);
333int hci_conn_switch_role(struct hci_conn *conn, uint8_t role); 333int hci_conn_switch_role(struct hci_conn *conn, __u8 role);
334 334
335void hci_conn_enter_active_mode(struct hci_conn *conn); 335void hci_conn_enter_active_mode(struct hci_conn *conn);
336void hci_conn_enter_sniff_mode(struct hci_conn *conn); 336void hci_conn_enter_sniff_mode(struct hci_conn *conn);
@@ -470,26 +470,26 @@ void hci_conn_del_sysfs(struct hci_conn *conn);
470 470
471/* ----- HCI protocols ----- */ 471/* ----- HCI protocols ----- */
472struct hci_proto { 472struct hci_proto {
473 char *name; 473 char *name;
474 unsigned int id; 474 unsigned int id;
475 unsigned long flags; 475 unsigned long flags;
476 476
477 void *priv; 477 void *priv;
478 478
479 int (*connect_ind) (struct hci_dev *hdev, bdaddr_t *bdaddr, __u8 type); 479 int (*connect_ind) (struct hci_dev *hdev, bdaddr_t *bdaddr, __u8 type);
480 int (*connect_cfm) (struct hci_conn *conn, __u8 status); 480 int (*connect_cfm) (struct hci_conn *conn, __u8 status);
481 int (*disconn_ind) (struct hci_conn *conn, __u8 reason); 481 int (*disconn_ind) (struct hci_conn *conn);
482 int (*disconn_cfm) (struct hci_conn *conn, __u8 reason);
482 int (*recv_acldata) (struct hci_conn *conn, struct sk_buff *skb, __u16 flags); 483 int (*recv_acldata) (struct hci_conn *conn, struct sk_buff *skb, __u16 flags);
483 int (*recv_scodata) (struct hci_conn *conn, struct sk_buff *skb); 484 int (*recv_scodata) (struct hci_conn *conn, struct sk_buff *skb);
484 int (*auth_cfm) (struct hci_conn *conn, __u8 status); 485 int (*security_cfm) (struct hci_conn *conn, __u8 status, __u8 encrypt);
485 int (*encrypt_cfm) (struct hci_conn *conn, __u8 status, __u8 encrypt);
486}; 486};
487 487
488static inline int hci_proto_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, __u8 type) 488static inline int hci_proto_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, __u8 type)
489{ 489{
490 register struct hci_proto *hp; 490 register struct hci_proto *hp;
491 int mask = 0; 491 int mask = 0;
492 492
493 hp = hci_proto[HCI_PROTO_L2CAP]; 493 hp = hci_proto[HCI_PROTO_L2CAP];
494 if (hp && hp->connect_ind) 494 if (hp && hp->connect_ind)
495 mask |= hp->connect_ind(hdev, bdaddr, type); 495 mask |= hp->connect_ind(hdev, bdaddr, type);
@@ -514,30 +514,52 @@ static inline void hci_proto_connect_cfm(struct hci_conn *conn, __u8 status)
514 hp->connect_cfm(conn, status); 514 hp->connect_cfm(conn, status);
515} 515}
516 516
517static inline void hci_proto_disconn_ind(struct hci_conn *conn, __u8 reason) 517static inline int hci_proto_disconn_ind(struct hci_conn *conn)
518{ 518{
519 register struct hci_proto *hp; 519 register struct hci_proto *hp;
520 int reason = 0x13;
520 521
521 hp = hci_proto[HCI_PROTO_L2CAP]; 522 hp = hci_proto[HCI_PROTO_L2CAP];
522 if (hp && hp->disconn_ind) 523 if (hp && hp->disconn_ind)
523 hp->disconn_ind(conn, reason); 524 reason = hp->disconn_ind(conn);
524 525
525 hp = hci_proto[HCI_PROTO_SCO]; 526 hp = hci_proto[HCI_PROTO_SCO];
526 if (hp && hp->disconn_ind) 527 if (hp && hp->disconn_ind)
527 hp->disconn_ind(conn, reason); 528 reason = hp->disconn_ind(conn);
529
530 return reason;
531}
532
533static inline void hci_proto_disconn_cfm(struct hci_conn *conn, __u8 reason)
534{
535 register struct hci_proto *hp;
536
537 hp = hci_proto[HCI_PROTO_L2CAP];
538 if (hp && hp->disconn_cfm)
539 hp->disconn_cfm(conn, reason);
540
541 hp = hci_proto[HCI_PROTO_SCO];
542 if (hp && hp->disconn_cfm)
543 hp->disconn_cfm(conn, reason);
528} 544}
529 545
530static inline void hci_proto_auth_cfm(struct hci_conn *conn, __u8 status) 546static inline void hci_proto_auth_cfm(struct hci_conn *conn, __u8 status)
531{ 547{
532 register struct hci_proto *hp; 548 register struct hci_proto *hp;
549 __u8 encrypt;
550
551 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->pend))
552 return;
553
554 encrypt = (conn->link_mode & HCI_LM_ENCRYPT) ? 0x01 : 0x00;
533 555
534 hp = hci_proto[HCI_PROTO_L2CAP]; 556 hp = hci_proto[HCI_PROTO_L2CAP];
535 if (hp && hp->auth_cfm) 557 if (hp && hp->security_cfm)
536 hp->auth_cfm(conn, status); 558 hp->security_cfm(conn, status, encrypt);
537 559
538 hp = hci_proto[HCI_PROTO_SCO]; 560 hp = hci_proto[HCI_PROTO_SCO];
539 if (hp && hp->auth_cfm) 561 if (hp && hp->security_cfm)
540 hp->auth_cfm(conn, status); 562 hp->security_cfm(conn, status, encrypt);
541} 563}
542 564
543static inline void hci_proto_encrypt_cfm(struct hci_conn *conn, __u8 status, __u8 encrypt) 565static inline void hci_proto_encrypt_cfm(struct hci_conn *conn, __u8 status, __u8 encrypt)
@@ -545,12 +567,12 @@ static inline void hci_proto_encrypt_cfm(struct hci_conn *conn, __u8 status, __u
545 register struct hci_proto *hp; 567 register struct hci_proto *hp;
546 568
547 hp = hci_proto[HCI_PROTO_L2CAP]; 569 hp = hci_proto[HCI_PROTO_L2CAP];
548 if (hp && hp->encrypt_cfm) 570 if (hp && hp->security_cfm)
549 hp->encrypt_cfm(conn, status, encrypt); 571 hp->security_cfm(conn, status, encrypt);
550 572
551 hp = hci_proto[HCI_PROTO_SCO]; 573 hp = hci_proto[HCI_PROTO_SCO];
552 if (hp && hp->encrypt_cfm) 574 if (hp && hp->security_cfm)
553 hp->encrypt_cfm(conn, status, encrypt); 575 hp->security_cfm(conn, status, encrypt);
554} 576}
555 577
556int hci_register_proto(struct hci_proto *hproto); 578int hci_register_proto(struct hci_proto *hproto);
@@ -562,8 +584,7 @@ struct hci_cb {
562 584
563 char *name; 585 char *name;
564 586
565 void (*auth_cfm) (struct hci_conn *conn, __u8 status); 587 void (*security_cfm) (struct hci_conn *conn, __u8 status, __u8 encrypt);
566 void (*encrypt_cfm) (struct hci_conn *conn, __u8 status, __u8 encrypt);
567 void (*key_change_cfm) (struct hci_conn *conn, __u8 status); 588 void (*key_change_cfm) (struct hci_conn *conn, __u8 status);
568 void (*role_switch_cfm) (struct hci_conn *conn, __u8 status, __u8 role); 589 void (*role_switch_cfm) (struct hci_conn *conn, __u8 status, __u8 role);
569}; 590};
@@ -571,14 +592,20 @@ struct hci_cb {
571static inline void hci_auth_cfm(struct hci_conn *conn, __u8 status) 592static inline void hci_auth_cfm(struct hci_conn *conn, __u8 status)
572{ 593{
573 struct list_head *p; 594 struct list_head *p;
595 __u8 encrypt;
574 596
575 hci_proto_auth_cfm(conn, status); 597 hci_proto_auth_cfm(conn, status);
576 598
599 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->pend))
600 return;
601
602 encrypt = (conn->link_mode & HCI_LM_ENCRYPT) ? 0x01 : 0x00;
603
577 read_lock_bh(&hci_cb_list_lock); 604 read_lock_bh(&hci_cb_list_lock);
578 list_for_each(p, &hci_cb_list) { 605 list_for_each(p, &hci_cb_list) {
579 struct hci_cb *cb = list_entry(p, struct hci_cb, list); 606 struct hci_cb *cb = list_entry(p, struct hci_cb, list);
580 if (cb->auth_cfm) 607 if (cb->security_cfm)
581 cb->auth_cfm(conn, status); 608 cb->security_cfm(conn, status, encrypt);
582 } 609 }
583 read_unlock_bh(&hci_cb_list_lock); 610 read_unlock_bh(&hci_cb_list_lock);
584} 611}
@@ -587,13 +614,16 @@ static inline void hci_encrypt_cfm(struct hci_conn *conn, __u8 status, __u8 encr
587{ 614{
588 struct list_head *p; 615 struct list_head *p;
589 616
617 if (conn->sec_level == BT_SECURITY_SDP)
618 conn->sec_level = BT_SECURITY_LOW;
619
590 hci_proto_encrypt_cfm(conn, status, encrypt); 620 hci_proto_encrypt_cfm(conn, status, encrypt);
591 621
592 read_lock_bh(&hci_cb_list_lock); 622 read_lock_bh(&hci_cb_list_lock);
593 list_for_each(p, &hci_cb_list) { 623 list_for_each(p, &hci_cb_list) {
594 struct hci_cb *cb = list_entry(p, struct hci_cb, list); 624 struct hci_cb *cb = list_entry(p, struct hci_cb, list);
595 if (cb->encrypt_cfm) 625 if (cb->security_cfm)
596 cb->encrypt_cfm(conn, status, encrypt); 626 cb->security_cfm(conn, status, encrypt);
597 } 627 }
598 read_unlock_bh(&hci_cb_list_lock); 628 read_unlock_bh(&hci_cb_list_lock);
599} 629}
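Review bot: hci_proto_auth_cfm and hci_auth_cfm now return early whenever HCI_CONN_ENCRYPT_PEND is set, so an authentication failure (non-zero status) is never delivered to L2CAP/RFCOMM along this path; correctness then rests on the auth-complete handler in hci_event.c (not in this chunk) clearing the bit and reporting the failure through hci_encrypt_cfm, otherwise a channel waiting in hci_conn_security hangs until the disconnect timer. That coupling should be stated at the early return: `/* encryption still pending: hci_event.c reports the outcome, including an auth failure, via hci_encrypt_cfm */`. Separately, in hci_proto_disconn_ind the SCO protocol's return value overwrites L2CAP's `reason` unconditionally; unless sco.c's disconn_ind hands back the 0x13 default for a link it does not own, the reason L2CAP chose is lost, so either keep L2CAP's value when SCO has nothing to say or document that SCO's callback is expected to be neutral.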
diff --git a/include/net/bluetooth/l2cap.h b/include/net/bluetooth/l2cap.h
index 73e115bc12dd..f566aa1f0a4c 100644
--- a/include/net/bluetooth/l2cap.h
+++ b/include/net/bluetooth/l2cap.h
@@ -37,6 +37,7 @@ struct sockaddr_l2 {
37 sa_family_t l2_family; 37 sa_family_t l2_family;
38 __le16 l2_psm; 38 __le16 l2_psm;
39 bdaddr_t l2_bdaddr; 39 bdaddr_t l2_bdaddr;
40 __le16 l2_cid;
40}; 41};
41 42
42/* L2CAP socket options */ 43/* L2CAP socket options */
@@ -185,6 +186,7 @@ struct l2cap_info_rsp {
185/* info type */ 186/* info type */
186#define L2CAP_IT_CL_MTU 0x0001 187#define L2CAP_IT_CL_MTU 0x0001
187#define L2CAP_IT_FEAT_MASK 0x0002 188#define L2CAP_IT_FEAT_MASK 0x0002
189#define L2CAP_IT_FIXED_CHAN 0x0003
188 190
189/* info result */ 191/* info result */
190#define L2CAP_IR_SUCCESS 0x0000 192#define L2CAP_IR_SUCCESS 0x0000
@@ -219,11 +221,14 @@ struct l2cap_conn {
219 __u8 rx_ident; 221 __u8 rx_ident;
220 __u8 tx_ident; 222 __u8 tx_ident;
221 223
224 __u8 disc_reason;
225
222 struct l2cap_chan_list chan_list; 226 struct l2cap_chan_list chan_list;
223}; 227};
224 228
225#define L2CAP_INFO_CL_MTU_REQ_SENT 0x01 229#define L2CAP_INFO_CL_MTU_REQ_SENT 0x01
226#define L2CAP_INFO_FEAT_MASK_REQ_SENT 0x02 230#define L2CAP_INFO_FEAT_MASK_REQ_SENT 0x04
231#define L2CAP_INFO_FEAT_MASK_REQ_DONE 0x08
227 232
228/* ----- L2CAP channel and socket info ----- */ 233/* ----- L2CAP channel and socket info ----- */
229#define l2cap_pi(sk) ((struct l2cap_pinfo *) sk) 234#define l2cap_pi(sk) ((struct l2cap_pinfo *) sk)
@@ -237,8 +242,9 @@ struct l2cap_pinfo {
237 __u16 imtu; 242 __u16 imtu;
238 __u16 omtu; 243 __u16 omtu;
239 __u16 flush_to; 244 __u16 flush_to;
240 245 __u8 sec_level;
241 __u32 link_mode; 246 __u8 role_switch;
247 __u8 force_reliable;
242 248
243 __u8 conf_req[64]; 249 __u8 conf_req[64];
244 __u8 conf_len; 250 __u8 conf_len;
@@ -257,6 +263,7 @@ struct l2cap_pinfo {
257#define L2CAP_CONF_REQ_SENT 0x01 263#define L2CAP_CONF_REQ_SENT 0x01
258#define L2CAP_CONF_INPUT_DONE 0x02 264#define L2CAP_CONF_INPUT_DONE 0x02
259#define L2CAP_CONF_OUTPUT_DONE 0x04 265#define L2CAP_CONF_OUTPUT_DONE 0x04
266#define L2CAP_CONF_CONNECT_PEND 0x80
260 267
261#define L2CAP_CONF_MAX_RETRIES 2 268#define L2CAP_CONF_MAX_RETRIES 2
262 269
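Review bot: Appending `__le16 l2_cid` grows `struct sockaddr_l2` from 10 to 12 bytes, and this is user ABI: existing binaries will keep passing the old 10-byte length to bind()/connect(). l2cap_sock_bind/connect (in l2cap.c, not in this chunk) must therefore treat `l2_cid` as optional when the supplied address length is shorter and must not read past the bytes copied in; a comment at the field, e.g. `/* appended after l2_bdaddr; 0 = no fixed channel, may be absent in 10-byte sockaddrs from older userspace */`, would record that. Also L2CAP_INFO_FEAT_MASK_REQ_SENT moves from 0x02 to 0x04, leaving 0x02 unused — if the bit is being reserved, say so; otherwise the renumbering looks accidental. struct sockaddr_l2 begins before the first hunk.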
diff --git a/include/net/bluetooth/rfcomm.h b/include/net/bluetooth/rfcomm.h
index 4dc8d92a4638..80072611d26a 100644
--- a/include/net/bluetooth/rfcomm.h
+++ b/include/net/bluetooth/rfcomm.h
@@ -183,8 +183,9 @@ struct rfcomm_dlc {
183 u8 remote_v24_sig; 183 u8 remote_v24_sig;
184 u8 mscex; 184 u8 mscex;
185 u8 out; 185 u8 out;
186 186 u8 sec_level;
187 u32 link_mode; 187 u8 role_switch;
188 u32 defer_setup;
188 189
189 uint mtu; 190 uint mtu;
190 uint cfc; 191 uint cfc;
@@ -202,10 +203,12 @@ struct rfcomm_dlc {
202#define RFCOMM_RX_THROTTLED 0 203#define RFCOMM_RX_THROTTLED 0
203#define RFCOMM_TX_THROTTLED 1 204#define RFCOMM_TX_THROTTLED 1
204#define RFCOMM_TIMED_OUT 2 205#define RFCOMM_TIMED_OUT 2
205#define RFCOMM_MSC_PENDING 3 206#define RFCOMM_MSC_PENDING 3
206#define RFCOMM_AUTH_PENDING 4 207#define RFCOMM_SEC_PENDING 4
207#define RFCOMM_AUTH_ACCEPT 5 208#define RFCOMM_AUTH_PENDING 5
208#define RFCOMM_AUTH_REJECT 6 209#define RFCOMM_AUTH_ACCEPT 6
210#define RFCOMM_AUTH_REJECT 7
211#define RFCOMM_DEFER_SETUP 8
209 212
210/* Scheduling flags and events */ 213/* Scheduling flags and events */
211#define RFCOMM_SCHED_STATE 0 214#define RFCOMM_SCHED_STATE 0
@@ -239,6 +242,7 @@ int rfcomm_dlc_close(struct rfcomm_dlc *d, int reason);
239int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb); 242int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb);
240int rfcomm_dlc_set_modem_status(struct rfcomm_dlc *d, u8 v24_sig); 243int rfcomm_dlc_set_modem_status(struct rfcomm_dlc *d, u8 v24_sig);
241int rfcomm_dlc_get_modem_status(struct rfcomm_dlc *d, u8 *v24_sig); 244int rfcomm_dlc_get_modem_status(struct rfcomm_dlc *d, u8 *v24_sig);
245void rfcomm_dlc_accept(struct rfcomm_dlc *d);
242 246
243#define rfcomm_dlc_lock(d) spin_lock(&d->lock) 247#define rfcomm_dlc_lock(d) spin_lock(&d->lock)
244#define rfcomm_dlc_unlock(d) spin_unlock(&d->lock) 248#define rfcomm_dlc_unlock(d) spin_unlock(&d->lock)
@@ -304,7 +308,8 @@ struct rfcomm_pinfo {
304 struct bt_sock bt; 308 struct bt_sock bt;
305 struct rfcomm_dlc *dlc; 309 struct rfcomm_dlc *dlc;
306 u8 channel; 310 u8 channel;
307 u32 link_mode; 311 u8 sec_level;
312 u8 role_switch;
308}; 313};
309 314
310int rfcomm_init_sockets(void); 315int rfcomm_init_sockets(void);
@@ -333,7 +338,6 @@ struct rfcomm_dev_req {
333 bdaddr_t src; 338 bdaddr_t src;
334 bdaddr_t dst; 339 bdaddr_t dst;
335 u8 channel; 340 u8 channel;
336
337}; 341};
338 342
339struct rfcomm_dev_info { 343struct rfcomm_dev_info {
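Review bot: struct rfcomm_dlc gains both a `u32 defer_setup` field and an `RFCOMM_DEFER_SETUP` flag bit in the same change, so the deferred-setup state now lives in two places with nothing saying which is authoritative or how they differ; a comment on the field (`/* copied from the parent socket's BT_DEFER_SETUP; RFCOMM_DEFER_SETUP marks a DLC actually held in BT_CONNECT2 */` if that is the intent — it cannot be confirmed from this hunk) would settle it. Since the field is only a boolean, a `u8` next to `sec_level`/`role_switch` would also avoid the padding a u32 introduces there.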
diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c
index 744ed3f07ef3..02b9baa1930b 100644
--- a/net/bluetooth/af_bluetooth.c
+++ b/net/bluetooth/af_bluetooth.c
@@ -41,14 +41,13 @@
41 41
42#include <net/bluetooth/bluetooth.h> 42#include <net/bluetooth/bluetooth.h>
43 43
44#define VERSION "2.14" 44#define VERSION "2.15"
45 45
46/* Bluetooth sockets */ 46/* Bluetooth sockets */
47#define BT_MAX_PROTO 8 47#define BT_MAX_PROTO 8
48static struct net_proto_family *bt_proto[BT_MAX_PROTO]; 48static struct net_proto_family *bt_proto[BT_MAX_PROTO];
49static DEFINE_RWLOCK(bt_proto_lock); 49static DEFINE_RWLOCK(bt_proto_lock);
50 50
51#ifdef CONFIG_DEBUG_LOCK_ALLOC
52static struct lock_class_key bt_lock_key[BT_MAX_PROTO]; 51static struct lock_class_key bt_lock_key[BT_MAX_PROTO];
53static const char *bt_key_strings[BT_MAX_PROTO] = { 52static const char *bt_key_strings[BT_MAX_PROTO] = {
54 "sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP", 53 "sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP",
@@ -86,11 +85,6 @@ static inline void bt_sock_reclassify_lock(struct socket *sock, int proto)
86 bt_slock_key_strings[proto], &bt_slock_key[proto], 85 bt_slock_key_strings[proto], &bt_slock_key[proto],
87 bt_key_strings[proto], &bt_lock_key[proto]); 86 bt_key_strings[proto], &bt_lock_key[proto]);
88} 87}
89#else
90static inline void bt_sock_reclassify_lock(struct socket *sock, int proto)
91{
92}
93#endif
94 88
95int bt_sock_register(int proto, struct net_proto_family *ops) 89int bt_sock_register(int proto, struct net_proto_family *ops)
96{ 90{
@@ -217,7 +211,8 @@ struct sock *bt_accept_dequeue(struct sock *parent, struct socket *newsock)
217 continue; 211 continue;
218 } 212 }
219 213
220 if (sk->sk_state == BT_CONNECTED || !newsock) { 214 if (sk->sk_state == BT_CONNECTED || !newsock ||
215 bt_sk(parent)->defer_setup) {
221 bt_accept_unlink(sk); 216 bt_accept_unlink(sk);
222 if (newsock) 217 if (newsock)
223 sock_graft(sk, newsock); 218 sock_graft(sk, newsock);
@@ -232,7 +227,7 @@ struct sock *bt_accept_dequeue(struct sock *parent, struct socket *newsock)
232EXPORT_SYMBOL(bt_accept_dequeue); 227EXPORT_SYMBOL(bt_accept_dequeue);
233 228
234int bt_sock_recvmsg(struct kiocb *iocb, struct socket *sock, 229int bt_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
235 struct msghdr *msg, size_t len, int flags) 230 struct msghdr *msg, size_t len, int flags)
236{ 231{
237 int noblock = flags & MSG_DONTWAIT; 232 int noblock = flags & MSG_DONTWAIT;
238 struct sock *sk = sock->sk; 233 struct sock *sk = sock->sk;
@@ -277,7 +272,9 @@ static inline unsigned int bt_accept_poll(struct sock *parent)
277 272
278 list_for_each_safe(p, n, &bt_sk(parent)->accept_q) { 273 list_for_each_safe(p, n, &bt_sk(parent)->accept_q) {
279 sk = (struct sock *) list_entry(p, struct bt_sock, accept_q); 274 sk = (struct sock *) list_entry(p, struct bt_sock, accept_q);
280 if (sk->sk_state == BT_CONNECTED) 275 if (sk->sk_state == BT_CONNECTED ||
276 (bt_sk(parent)->defer_setup &&
277 sk->sk_state == BT_CONNECT2))
281 return POLLIN | POLLRDNORM; 278 return POLLIN | POLLRDNORM;
282 } 279 }
283 280
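Review bot: bt_accept_dequeue now hands out any child socket when the parent has defer_setup set, with no check of `sk->sk_state`, whereas bt_accept_poll just below reports readiness only for a BT_CONNECTED child or a BT_CONNECT2 child under defer_setup; the two conditions should agree, otherwise an accept() woken by poll can dequeue a different child that is still mid-setup. I'd mirror the poll test: `if (sk->sk_state == BT_CONNECTED || !newsock || (bt_sk(parent)->defer_setup && sk->sk_state == BT_CONNECT2))`. Whether a deferred child can actually sit in accept_q in another state depends on l2cap.c and rfcomm/sock.c, which are not in this chunk. bt_accept_dequeue's body begins before the hunk.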
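--- a/net/bluetooth/cmtp/core.c
+++ b/net/bluetooth/cmtp/core.c
@@ -126,8 +126,7 @@ static inline void cmtp_add_msgpart(struct cmtp_session *session, int id, const
 
 	session->reassembly[id] = nskb;
 
-	if (skb)
-		kfree_skb(skb);
+	kfree_skb(skb);
 }
 
 static inline int cmtp_recv_frame(struct cmtp_session *session, struct sk_buff *skb)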
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index a4a789f24c8d..1181db08d9de 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -123,6 +123,8 @@ void hci_add_sco(struct hci_conn *conn, __u16 handle)
123 conn->state = BT_CONNECT; 123 conn->state = BT_CONNECT;
124 conn->out = 1; 124 conn->out = 1;
125 125
126 conn->attempt++;
127
126 cp.handle = cpu_to_le16(handle); 128 cp.handle = cpu_to_le16(handle);
127 cp.pkt_type = cpu_to_le16(conn->pkt_type); 129 cp.pkt_type = cpu_to_le16(conn->pkt_type);
128 130
@@ -139,6 +141,8 @@ void hci_setup_sync(struct hci_conn *conn, __u16 handle)
139 conn->state = BT_CONNECT; 141 conn->state = BT_CONNECT;
140 conn->out = 1; 142 conn->out = 1;
141 143
144 conn->attempt++;
145
142 cp.handle = cpu_to_le16(handle); 146 cp.handle = cpu_to_le16(handle);
143 cp.pkt_type = cpu_to_le16(conn->pkt_type); 147 cp.pkt_type = cpu_to_le16(conn->pkt_type);
144 148
@@ -155,6 +159,7 @@ static void hci_conn_timeout(unsigned long arg)
155{ 159{
156 struct hci_conn *conn = (void *) arg; 160 struct hci_conn *conn = (void *) arg;
157 struct hci_dev *hdev = conn->hdev; 161 struct hci_dev *hdev = conn->hdev;
162 __u8 reason;
158 163
159 BT_DBG("conn %p state %d", conn, conn->state); 164 BT_DBG("conn %p state %d", conn, conn->state);
160 165
@@ -173,7 +178,8 @@ static void hci_conn_timeout(unsigned long arg)
173 break; 178 break;
174 case BT_CONFIG: 179 case BT_CONFIG:
175 case BT_CONNECTED: 180 case BT_CONNECTED:
176 hci_acl_disconn(conn, 0x13); 181 reason = hci_proto_disconn_ind(conn);
182 hci_acl_disconn(conn, reason);
177 break; 183 break;
178 default: 184 default:
179 conn->state = BT_CLOSED; 185 conn->state = BT_CLOSED;
@@ -216,12 +222,13 @@ struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst)
216 break; 222 break;
217 case SCO_LINK: 223 case SCO_LINK:
218 if (lmp_esco_capable(hdev)) 224 if (lmp_esco_capable(hdev))
219 conn->pkt_type = hdev->esco_type & SCO_ESCO_MASK; 225 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
226 (hdev->esco_type & EDR_ESCO_MASK);
220 else 227 else
221 conn->pkt_type = hdev->pkt_type & SCO_PTYPE_MASK; 228 conn->pkt_type = hdev->pkt_type & SCO_PTYPE_MASK;
222 break; 229 break;
223 case ESCO_LINK: 230 case ESCO_LINK:
224 conn->pkt_type = hdev->esco_type; 231 conn->pkt_type = hdev->esco_type & ~EDR_ESCO_MASK;
225 break; 232 break;
226 } 233 }
227 234
@@ -280,6 +287,8 @@ int hci_conn_del(struct hci_conn *conn)
280 287
281 skb_queue_purge(&conn->data_q); 288 skb_queue_purge(&conn->data_q);
282 289
290 hci_conn_del_sysfs(conn);
291
283 return 0; 292 return 0;
284} 293}
285 294
@@ -325,7 +334,7 @@ EXPORT_SYMBOL(hci_get_route);
325 334
326/* Create SCO or ACL connection. 335/* Create SCO or ACL connection.
327 * Device _must_ be locked */ 336 * Device _must_ be locked */
328struct hci_conn *hci_connect(struct hci_dev *hdev, int type, bdaddr_t *dst, __u8 auth_type) 337struct hci_conn *hci_connect(struct hci_dev *hdev, int type, bdaddr_t *dst, __u8 sec_level, __u8 auth_type)
329{ 338{
330 struct hci_conn *acl; 339 struct hci_conn *acl;
331 struct hci_conn *sco; 340 struct hci_conn *sco;
@@ -340,6 +349,7 @@ struct hci_conn *hci_connect(struct hci_dev *hdev, int type, bdaddr_t *dst, __u8
340 hci_conn_hold(acl); 349 hci_conn_hold(acl);
341 350
342 if (acl->state == BT_OPEN || acl->state == BT_CLOSED) { 351 if (acl->state == BT_OPEN || acl->state == BT_CLOSED) {
352 acl->sec_level = sec_level;
343 acl->auth_type = auth_type; 353 acl->auth_type = auth_type;
344 hci_acl_connect(acl); 354 hci_acl_connect(acl);
345 } 355 }
@@ -385,51 +395,59 @@ int hci_conn_check_link_mode(struct hci_conn *conn)
385EXPORT_SYMBOL(hci_conn_check_link_mode); 395EXPORT_SYMBOL(hci_conn_check_link_mode);
386 396
387/* Authenticate remote device */ 397/* Authenticate remote device */
388int hci_conn_auth(struct hci_conn *conn) 398static int hci_conn_auth(struct hci_conn *conn, __u8 sec_level, __u8 auth_type)
389{ 399{
390 BT_DBG("conn %p", conn); 400 BT_DBG("conn %p", conn);
391 401
392 if (conn->ssp_mode > 0 && conn->hdev->ssp_mode > 0) { 402 if (sec_level > conn->sec_level)
393 if (!(conn->auth_type & 0x01)) { 403 conn->sec_level = sec_level;
394 conn->auth_type |= 0x01; 404 else if (conn->link_mode & HCI_LM_AUTH)
395 conn->link_mode &= ~HCI_LM_AUTH;
396 }
397 }
398
399 if (conn->link_mode & HCI_LM_AUTH)
400 return 1; 405 return 1;
401 406
407 conn->auth_type = auth_type;
408
402 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->pend)) { 409 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->pend)) {
403 struct hci_cp_auth_requested cp; 410 struct hci_cp_auth_requested cp;
404 cp.handle = cpu_to_le16(conn->handle); 411 cp.handle = cpu_to_le16(conn->handle);
405 hci_send_cmd(conn->hdev, HCI_OP_AUTH_REQUESTED, 412 hci_send_cmd(conn->hdev, HCI_OP_AUTH_REQUESTED,
406 sizeof(cp), &cp); 413 sizeof(cp), &cp);
407 } 414 }
415
408 return 0; 416 return 0;
409} 417}
410EXPORT_SYMBOL(hci_conn_auth);
411 418
412/* Enable encryption */ 419/* Enable security */
413int hci_conn_encrypt(struct hci_conn *conn) 420int hci_conn_security(struct hci_conn *conn, __u8 sec_level, __u8 auth_type)
414{ 421{
415 BT_DBG("conn %p", conn); 422 BT_DBG("conn %p", conn);
416 423
424 if (sec_level == BT_SECURITY_SDP)
425 return 1;
426
427 if (sec_level == BT_SECURITY_LOW) {
428 if (conn->ssp_mode > 0 && conn->hdev->ssp_mode > 0)
429 return hci_conn_auth(conn, sec_level, auth_type);
430 else
431 return 1;
432 }
433
417 if (conn->link_mode & HCI_LM_ENCRYPT) 434 if (conn->link_mode & HCI_LM_ENCRYPT)
418 return hci_conn_auth(conn); 435 return hci_conn_auth(conn, sec_level, auth_type);
419 436
420 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &conn->pend)) 437 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &conn->pend))
421 return 0; 438 return 0;
422 439
423 if (hci_conn_auth(conn)) { 440 if (hci_conn_auth(conn, sec_level, auth_type)) {
424 struct hci_cp_set_conn_encrypt cp; 441 struct hci_cp_set_conn_encrypt cp;
425 cp.handle = cpu_to_le16(conn->handle); 442 cp.handle = cpu_to_le16(conn->handle);
426 cp.encrypt = 1; 443 cp.encrypt = 1;
427 hci_send_cmd(conn->hdev, HCI_OP_SET_CONN_ENCRYPT, 444 hci_send_cmd(conn->hdev, HCI_OP_SET_CONN_ENCRYPT,
428 sizeof(cp), &cp); 445 sizeof(cp), &cp);
429 } 446 }
447
430 return 0; 448 return 0;
431} 449}
432EXPORT_SYMBOL(hci_conn_encrypt); 450EXPORT_SYMBOL(hci_conn_security);
433 451
434/* Change link key */ 452/* Change link key */
435int hci_conn_change_link_key(struct hci_conn *conn) 453int hci_conn_change_link_key(struct hci_conn *conn)
@@ -442,12 +460,13 @@ int hci_conn_change_link_key(struct hci_conn *conn)
442 hci_send_cmd(conn->hdev, HCI_OP_CHANGE_CONN_LINK_KEY, 460 hci_send_cmd(conn->hdev, HCI_OP_CHANGE_CONN_LINK_KEY,
443 sizeof(cp), &cp); 461 sizeof(cp), &cp);
444 } 462 }
463
445 return 0; 464 return 0;
446} 465}
447EXPORT_SYMBOL(hci_conn_change_link_key); 466EXPORT_SYMBOL(hci_conn_change_link_key);
448 467
449/* Switch role */ 468/* Switch role */
450int hci_conn_switch_role(struct hci_conn *conn, uint8_t role) 469int hci_conn_switch_role(struct hci_conn *conn, __u8 role)
451{ 470{
452 BT_DBG("conn %p", conn); 471 BT_DBG("conn %p", conn);
453 472
@@ -460,6 +479,7 @@ int hci_conn_switch_role(struct hci_conn *conn, uint8_t role)
460 cp.role = role; 479 cp.role = role;
461 hci_send_cmd(conn->hdev, HCI_OP_SWITCH_ROLE, sizeof(cp), &cp); 480 hci_send_cmd(conn->hdev, HCI_OP_SWITCH_ROLE, sizeof(cp), &cp);
462 } 481 }
482
463 return 0; 483 return 0;
464} 484}
465EXPORT_SYMBOL(hci_conn_switch_role); 485EXPORT_SYMBOL(hci_conn_switch_role);
@@ -542,9 +562,7 @@ void hci_conn_hash_flush(struct hci_dev *hdev)
542 562
543 c->state = BT_CLOSED; 563 c->state = BT_CLOSED;
544 564
545 hci_conn_del_sysfs(c); 565 hci_proto_disconn_cfm(c, 0x16);
546
547 hci_proto_disconn_ind(c, 0x16);
548 hci_conn_del(c); 566 hci_conn_del(c);
549 } 567 }
550} 568}
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index ba78cc1eb8d9..cd061510b6bd 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -1565,8 +1565,7 @@ static void hci_cmd_task(unsigned long arg)
1565 1565
1566 /* Send queued commands */ 1566 /* Send queued commands */
1567 if (atomic_read(&hdev->cmd_cnt) && (skb = skb_dequeue(&hdev->cmd_q))) { 1567 if (atomic_read(&hdev->cmd_cnt) && (skb = skb_dequeue(&hdev->cmd_q))) {
1568 if (hdev->sent_cmd) 1568 kfree_skb(hdev->sent_cmd);
1569 kfree_skb(hdev->sent_cmd);
1570 1569
1571 if ((hdev->sent_cmd = skb_clone(skb, GFP_ATOMIC))) { 1570 if ((hdev->sent_cmd = skb_clone(skb, GFP_ATOMIC))) {
1572 atomic_dec(&hdev->cmd_cnt); 1571 atomic_dec(&hdev->cmd_cnt);
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index f91ba690f5d2..55534244c3a0 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -484,6 +484,15 @@ static void hci_cc_read_local_features(struct hci_dev *hdev, struct sk_buff *skb
484 if (hdev->features[4] & LMP_EV5) 484 if (hdev->features[4] & LMP_EV5)
485 hdev->esco_type |= (ESCO_EV5); 485 hdev->esco_type |= (ESCO_EV5);
486 486
487 if (hdev->features[5] & LMP_EDR_ESCO_2M)
488 hdev->esco_type |= (ESCO_2EV3);
489
490 if (hdev->features[5] & LMP_EDR_ESCO_3M)
491 hdev->esco_type |= (ESCO_3EV3);
492
493 if (hdev->features[5] & LMP_EDR_3S_ESCO)
494 hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5);
495
487 BT_DBG("%s features 0x%.2x%.2x%.2x%.2x%.2x%.2x%.2x%.2x", hdev->name, 496 BT_DBG("%s features 0x%.2x%.2x%.2x%.2x%.2x%.2x%.2x%.2x", hdev->name,
488 hdev->features[0], hdev->features[1], 497 hdev->features[0], hdev->features[1],
489 hdev->features[2], hdev->features[3], 498 hdev->features[2], hdev->features[3],
@@ -914,7 +923,8 @@ static inline void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *s
914 if (ev->status) { 923 if (ev->status) {
915 hci_proto_connect_cfm(conn, ev->status); 924 hci_proto_connect_cfm(conn, ev->status);
916 hci_conn_del(conn); 925 hci_conn_del(conn);
917 } 926 } else if (ev->link_type != ACL_LINK)
927 hci_proto_connect_cfm(conn, ev->status);
918 928
919unlock: 929unlock:
920 hci_dev_unlock(hdev); 930 hci_dev_unlock(hdev);
@@ -1009,9 +1019,7 @@ static inline void hci_disconn_complete_evt(struct hci_dev *hdev, struct sk_buff
1009 if (conn) { 1019 if (conn) {
1010 conn->state = BT_CLOSED; 1020 conn->state = BT_CLOSED;
1011 1021
1012 hci_conn_del_sysfs(conn); 1022 hci_proto_disconn_cfm(conn, ev->reason);
1013
1014 hci_proto_disconn_ind(conn, ev->reason);
1015 hci_conn_del(conn); 1023 hci_conn_del(conn);
1016 } 1024 }
1017 1025
@@ -1600,7 +1608,8 @@ static inline void hci_remote_ext_features_evt(struct hci_dev *hdev, struct sk_b
1600 1608
1601 if (conn->state == BT_CONFIG) { 1609 if (conn->state == BT_CONFIG) {
1602 if (!ev->status && hdev->ssp_mode > 0 && 1610 if (!ev->status && hdev->ssp_mode > 0 &&
1603 conn->ssp_mode > 0 && conn->out) { 1611 conn->ssp_mode > 0 && conn->out &&
1612 conn->sec_level != BT_SECURITY_SDP) {
1604 struct hci_cp_auth_requested cp; 1613 struct hci_cp_auth_requested cp;
1605 cp.handle = ev->handle; 1614 cp.handle = ev->handle;
1606 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, 1615 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED,
@@ -1637,6 +1646,13 @@ static inline void hci_sync_conn_complete_evt(struct hci_dev *hdev, struct sk_bu
1637 conn->type = SCO_LINK; 1646 conn->type = SCO_LINK;
1638 } 1647 }
1639 1648
1649 if (conn->out && ev->status == 0x1c && conn->attempt < 2) {
1650 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
1651 (hdev->esco_type & EDR_ESCO_MASK);
1652 hci_setup_sync(conn, conn->link->handle);
1653 goto unlock;
1654 }
1655
1640 if (!ev->status) { 1656 if (!ev->status) {
1641 conn->handle = __le16_to_cpu(ev->handle); 1657 conn->handle = __le16_to_cpu(ev->handle);
1642 conn->state = BT_CONNECTED; 1658 conn->state = BT_CONNECTED;
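Review bot: In hci_sync_conn_complete_evt the new retry path compares `ev->status` against the bare constant `0x1c` and rebuilds `pkt_type` from two masks without saying why, so the intent is not recoverable from the code; a comment such as `/* 0x1c (SCO Interval Rejected): retry once with the eSCO/EDR packet types the local controller advertises */` above the `if` would carry it. The same block dereferences `conn->link->handle` with no NULL check and relies on `conn->attempt` being incremented elsewhere (presumably inside hci_setup_sync) for the `< 2` bound to terminate; neither can be confirmed from this hunk, so a guard on `conn->link` or a comment stating the invariant is warranted. In hci_conn_complete_evt the added `} else if (ev->link_type != ACL_LINK)` arm is unbraced beside a braced `if`; kernel style braces both arms once one of them needs braces.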
diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c
index b93748e224ff..ca4d3b40d5ce 100644
--- a/net/bluetooth/l2cap.c
+++ b/net/bluetooth/l2cap.c
@@ -50,9 +50,10 @@
50#include <net/bluetooth/hci_core.h> 50#include <net/bluetooth/hci_core.h>
51#include <net/bluetooth/l2cap.h> 51#include <net/bluetooth/l2cap.h>
52 52
53#define VERSION "2.11" 53#define VERSION "2.13"
54 54
55static u32 l2cap_feat_mask = 0x0000; 55static u32 l2cap_feat_mask = 0x0080;
56static u8 l2cap_fixed_chan[8] = { 0x02, };
56 57
57static const struct proto_ops l2cap_sock_ops; 58static const struct proto_ops l2cap_sock_ops;
58 59
@@ -77,9 +78,10 @@ static void l2cap_sock_timeout(unsigned long arg)
77 78
78 bh_lock_sock(sk); 79 bh_lock_sock(sk);
79 80
80 if (sk->sk_state == BT_CONNECT && 81 if (sk->sk_state == BT_CONNECTED || sk->sk_state == BT_CONFIG)
81 (l2cap_pi(sk)->link_mode & (L2CAP_LM_AUTH | 82 reason = ECONNREFUSED;
82 L2CAP_LM_ENCRYPT | L2CAP_LM_SECURE))) 83 else if (sk->sk_state == BT_CONNECT &&
84 l2cap_pi(sk)->sec_level != BT_SECURITY_SDP)
83 reason = ECONNREFUSED; 85 reason = ECONNREFUSED;
84 else 86 else
85 reason = ETIMEDOUT; 87 reason = ETIMEDOUT;
@@ -204,6 +206,8 @@ static void __l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct so
204 206
205 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn, l2cap_pi(sk)->psm, l2cap_pi(sk)->dcid); 207 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn, l2cap_pi(sk)->psm, l2cap_pi(sk)->dcid);
206 208
209 conn->disc_reason = 0x13;
210
207 l2cap_pi(sk)->conn = conn; 211 l2cap_pi(sk)->conn = conn;
208 212
209 if (sk->sk_type == SOCK_SEQPACKET) { 213 if (sk->sk_type == SOCK_SEQPACKET) {
@@ -259,18 +263,35 @@ static void l2cap_chan_del(struct sock *sk, int err)
259} 263}
260 264
261/* Service level security */ 265/* Service level security */
262static inline int l2cap_check_link_mode(struct sock *sk) 266static inline int l2cap_check_security(struct sock *sk)
263{ 267{
264 struct l2cap_conn *conn = l2cap_pi(sk)->conn; 268 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
269 __u8 auth_type;
265 270
266 if ((l2cap_pi(sk)->link_mode & L2CAP_LM_ENCRYPT) || 271 if (l2cap_pi(sk)->psm == cpu_to_le16(0x0001)) {
267 (l2cap_pi(sk)->link_mode & L2CAP_LM_SECURE)) 272 if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
268 return hci_conn_encrypt(conn->hcon); 273 auth_type = HCI_AT_NO_BONDING_MITM;
274 else
275 auth_type = HCI_AT_NO_BONDING;
269 276
270 if (l2cap_pi(sk)->link_mode & L2CAP_LM_AUTH) 277 if (l2cap_pi(sk)->sec_level == BT_SECURITY_LOW)
271 return hci_conn_auth(conn->hcon); 278 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
279 } else {
280 switch (l2cap_pi(sk)->sec_level) {
281 case BT_SECURITY_HIGH:
282 auth_type = HCI_AT_GENERAL_BONDING_MITM;
283 break;
284 case BT_SECURITY_MEDIUM:
285 auth_type = HCI_AT_GENERAL_BONDING;
286 break;
287 default:
288 auth_type = HCI_AT_NO_BONDING;
289 break;
290 }
291 }
272 292
273 return 1; 293 return hci_conn_security(conn->hcon, l2cap_pi(sk)->sec_level,
294 auth_type);
274} 295}
275 296
276static inline u8 l2cap_get_ident(struct l2cap_conn *conn) 297static inline u8 l2cap_get_ident(struct l2cap_conn *conn)
@@ -312,7 +333,10 @@ static void l2cap_do_start(struct sock *sk)
312 struct l2cap_conn *conn = l2cap_pi(sk)->conn; 333 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
313 334
314 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) { 335 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
315 if (l2cap_check_link_mode(sk)) { 336 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
337 return;
338
339 if (l2cap_check_security(sk)) {
316 struct l2cap_conn_req req; 340 struct l2cap_conn_req req;
317 req.scid = cpu_to_le16(l2cap_pi(sk)->scid); 341 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
318 req.psm = l2cap_pi(sk)->psm; 342 req.psm = l2cap_pi(sk)->psm;
@@ -356,7 +380,7 @@ static void l2cap_conn_start(struct l2cap_conn *conn)
356 } 380 }
357 381
358 if (sk->sk_state == BT_CONNECT) { 382 if (sk->sk_state == BT_CONNECT) {
359 if (l2cap_check_link_mode(sk)) { 383 if (l2cap_check_security(sk)) {
360 struct l2cap_conn_req req; 384 struct l2cap_conn_req req;
361 req.scid = cpu_to_le16(l2cap_pi(sk)->scid); 385 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
362 req.psm = l2cap_pi(sk)->psm; 386 req.psm = l2cap_pi(sk)->psm;
@@ -371,10 +395,18 @@ static void l2cap_conn_start(struct l2cap_conn *conn)
371 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid); 395 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
372 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid); 396 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
373 397
374 if (l2cap_check_link_mode(sk)) { 398 if (l2cap_check_security(sk)) {
375 sk->sk_state = BT_CONFIG; 399 if (bt_sk(sk)->defer_setup) {
376 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS); 400 struct sock *parent = bt_sk(sk)->parent;
377 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO); 401 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
402 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
403 parent->sk_data_ready(parent, 0);
404
405 } else {
406 sk->sk_state = BT_CONFIG;
407 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
408 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
409 }
378 } else { 410 } else {
379 rsp.result = cpu_to_le16(L2CAP_CR_PEND); 411 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
380 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND); 412 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
@@ -426,7 +458,7 @@ static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
426 read_lock(&l->lock); 458 read_lock(&l->lock);
427 459
428 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) { 460 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
429 if (l2cap_pi(sk)->link_mode & L2CAP_LM_RELIABLE) 461 if (l2cap_pi(sk)->force_reliable)
430 sk->sk_err = err; 462 sk->sk_err = err;
431 } 463 }
432 464
@@ -437,6 +469,7 @@ static void l2cap_info_timeout(unsigned long arg)
437{ 469{
438 struct l2cap_conn *conn = (void *) arg; 470 struct l2cap_conn *conn = (void *) arg;
439 471
472 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
440 conn->info_ident = 0; 473 conn->info_ident = 0;
441 474
442 l2cap_conn_start(conn); 475 l2cap_conn_start(conn);
@@ -470,6 +503,8 @@ static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
470 spin_lock_init(&conn->lock); 503 spin_lock_init(&conn->lock);
471 rwlock_init(&conn->chan_list.lock); 504 rwlock_init(&conn->chan_list.lock);
472 505
506 conn->disc_reason = 0x13;
507
473 return conn; 508 return conn;
474} 509}
475 510
@@ -483,8 +518,7 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err)
483 518
484 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err); 519 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
485 520
486 if (conn->rx_skb) 521 kfree_skb(conn->rx_skb);
487 kfree_skb(conn->rx_skb);
488 522
489 /* Kill channels */ 523 /* Kill channels */
490 while ((sk = conn->chan_list.head)) { 524 while ((sk = conn->chan_list.head)) {
@@ -608,7 +642,6 @@ static void __l2cap_sock_close(struct sock *sk, int reason)
608 642
609 case BT_CONNECTED: 643 case BT_CONNECTED:
610 case BT_CONFIG: 644 case BT_CONFIG:
611 case BT_CONNECT2:
612 if (sk->sk_type == SOCK_SEQPACKET) { 645 if (sk->sk_type == SOCK_SEQPACKET) {
613 struct l2cap_conn *conn = l2cap_pi(sk)->conn; 646 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
614 struct l2cap_disconn_req req; 647 struct l2cap_disconn_req req;
@@ -624,6 +657,27 @@ static void __l2cap_sock_close(struct sock *sk, int reason)
624 l2cap_chan_del(sk, reason); 657 l2cap_chan_del(sk, reason);
625 break; 658 break;
626 659
660 case BT_CONNECT2:
661 if (sk->sk_type == SOCK_SEQPACKET) {
662 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
663 struct l2cap_conn_rsp rsp;
664 __u16 result;
665
666 if (bt_sk(sk)->defer_setup)
667 result = L2CAP_CR_SEC_BLOCK;
668 else
669 result = L2CAP_CR_BAD_PSM;
670
671 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
672 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
673 rsp.result = cpu_to_le16(result);
674 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
675 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
676 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
677 } else
678 l2cap_chan_del(sk, reason);
679 break;
680
627 case BT_CONNECT: 681 case BT_CONNECT:
628 case BT_DISCONN: 682 case BT_DISCONN:
629 l2cap_chan_del(sk, reason); 683 l2cap_chan_del(sk, reason);
@@ -653,13 +707,19 @@ static void l2cap_sock_init(struct sock *sk, struct sock *parent)
653 707
654 if (parent) { 708 if (parent) {
655 sk->sk_type = parent->sk_type; 709 sk->sk_type = parent->sk_type;
710 bt_sk(sk)->defer_setup = bt_sk(parent)->defer_setup;
711
656 pi->imtu = l2cap_pi(parent)->imtu; 712 pi->imtu = l2cap_pi(parent)->imtu;
657 pi->omtu = l2cap_pi(parent)->omtu; 713 pi->omtu = l2cap_pi(parent)->omtu;
658 pi->link_mode = l2cap_pi(parent)->link_mode; 714 pi->sec_level = l2cap_pi(parent)->sec_level;
715 pi->role_switch = l2cap_pi(parent)->role_switch;
716 pi->force_reliable = l2cap_pi(parent)->force_reliable;
659 } else { 717 } else {
660 pi->imtu = L2CAP_DEFAULT_MTU; 718 pi->imtu = L2CAP_DEFAULT_MTU;
661 pi->omtu = 0; 719 pi->omtu = 0;
662 pi->link_mode = 0; 720 pi->sec_level = BT_SECURITY_LOW;
721 pi->role_switch = 0;
722 pi->force_reliable = 0;
663 } 723 }
664 724
665 /* Default config options */ 725 /* Default config options */
@@ -723,17 +783,24 @@ static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol)
723 return 0; 783 return 0;
724} 784}
725 785
726static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int addr_len) 786static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
727{ 787{
728 struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
729 struct sock *sk = sock->sk; 788 struct sock *sk = sock->sk;
730 int err = 0; 789 struct sockaddr_l2 la;
790 int len, err = 0;
731 791
732 BT_DBG("sk %p, %s %d", sk, batostr(&la->l2_bdaddr), la->l2_psm); 792 BT_DBG("sk %p", sk);
733 793
734 if (!addr || addr->sa_family != AF_BLUETOOTH) 794 if (!addr || addr->sa_family != AF_BLUETOOTH)
735 return -EINVAL; 795 return -EINVAL;
736 796
797 memset(&la, 0, sizeof(la));
798 len = min_t(unsigned int, sizeof(la), alen);
799 memcpy(&la, addr, len);
800
801 if (la.l2_cid)
802 return -EINVAL;
803
737 lock_sock(sk); 804 lock_sock(sk);
738 805
739 if (sk->sk_state != BT_OPEN) { 806 if (sk->sk_state != BT_OPEN) {
@@ -741,7 +808,7 @@ static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int addr_
741 goto done; 808 goto done;
742 } 809 }
743 810
744 if (la->l2_psm && btohs(la->l2_psm) < 0x1001 && 811 if (la.l2_psm && btohs(la.l2_psm) < 0x1001 &&
745 !capable(CAP_NET_BIND_SERVICE)) { 812 !capable(CAP_NET_BIND_SERVICE)) {
746 err = -EACCES; 813 err = -EACCES;
747 goto done; 814 goto done;
@@ -749,14 +816,17 @@ static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int addr_
749 816
750 write_lock_bh(&l2cap_sk_list.lock); 817 write_lock_bh(&l2cap_sk_list.lock);
751 818
752 if (la->l2_psm && __l2cap_get_sock_by_addr(la->l2_psm, &la->l2_bdaddr)) { 819 if (la.l2_psm && __l2cap_get_sock_by_addr(la.l2_psm, &la.l2_bdaddr)) {
753 err = -EADDRINUSE; 820 err = -EADDRINUSE;
754 } else { 821 } else {
755 /* Save source address */ 822 /* Save source address */
756 bacpy(&bt_sk(sk)->src, &la->l2_bdaddr); 823 bacpy(&bt_sk(sk)->src, &la.l2_bdaddr);
757 l2cap_pi(sk)->psm = la->l2_psm; 824 l2cap_pi(sk)->psm = la.l2_psm;
758 l2cap_pi(sk)->sport = la->l2_psm; 825 l2cap_pi(sk)->sport = la.l2_psm;
759 sk->sk_state = BT_BOUND; 826 sk->sk_state = BT_BOUND;
827
828 if (btohs(la.l2_psm) == 0x0001 || btohs(la.l2_psm) == 0x0003)
829 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
760 } 830 }
761 831
762 write_unlock_bh(&l2cap_sk_list.lock); 832 write_unlock_bh(&l2cap_sk_list.lock);
@@ -776,7 +846,8 @@ static int l2cap_do_connect(struct sock *sk)
776 __u8 auth_type; 846 __u8 auth_type;
777 int err = 0; 847 int err = 0;
778 848
779 BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst), l2cap_pi(sk)->psm); 849 BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
850 l2cap_pi(sk)->psm);
780 851
781 if (!(hdev = hci_get_route(dst, src))) 852 if (!(hdev = hci_get_route(dst, src)))
782 return -EHOSTUNREACH; 853 return -EHOSTUNREACH;
@@ -785,21 +856,42 @@ static int l2cap_do_connect(struct sock *sk)
785 856
786 err = -ENOMEM; 857 err = -ENOMEM;
787 858
788 if (l2cap_pi(sk)->link_mode & L2CAP_LM_AUTH || 859 if (sk->sk_type == SOCK_RAW) {
789 l2cap_pi(sk)->link_mode & L2CAP_LM_ENCRYPT || 860 switch (l2cap_pi(sk)->sec_level) {
790 l2cap_pi(sk)->link_mode & L2CAP_LM_SECURE) { 861 case BT_SECURITY_HIGH:
791 if (l2cap_pi(sk)->psm == cpu_to_le16(0x0001)) 862 auth_type = HCI_AT_DEDICATED_BONDING_MITM;
863 break;
864 case BT_SECURITY_MEDIUM:
865 auth_type = HCI_AT_DEDICATED_BONDING;
866 break;
867 default:
868 auth_type = HCI_AT_NO_BONDING;
869 break;
870 }
871 } else if (l2cap_pi(sk)->psm == cpu_to_le16(0x0001)) {
872 if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
792 auth_type = HCI_AT_NO_BONDING_MITM; 873 auth_type = HCI_AT_NO_BONDING_MITM;
793 else 874 else
794 auth_type = HCI_AT_GENERAL_BONDING_MITM;
795 } else {
796 if (l2cap_pi(sk)->psm == cpu_to_le16(0x0001))
797 auth_type = HCI_AT_NO_BONDING; 875 auth_type = HCI_AT_NO_BONDING;
798 else 876
877 if (l2cap_pi(sk)->sec_level == BT_SECURITY_LOW)
878 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
879 } else {
880 switch (l2cap_pi(sk)->sec_level) {
881 case BT_SECURITY_HIGH:
882 auth_type = HCI_AT_GENERAL_BONDING_MITM;
883 break;
884 case BT_SECURITY_MEDIUM:
799 auth_type = HCI_AT_GENERAL_BONDING; 885 auth_type = HCI_AT_GENERAL_BONDING;
886 break;
887 default:
888 auth_type = HCI_AT_NO_BONDING;
889 break;
890 }
800 } 891 }
801 892
802 hcon = hci_connect(hdev, ACL_LINK, dst, auth_type); 893 hcon = hci_connect(hdev, ACL_LINK, dst,
894 l2cap_pi(sk)->sec_level, auth_type);
803 if (!hcon) 895 if (!hcon)
804 goto done; 896 goto done;
805 897
@@ -835,20 +927,25 @@ done:
835 927
836static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags) 928static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags)
837{ 929{
838 struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
839 struct sock *sk = sock->sk; 930 struct sock *sk = sock->sk;
840 int err = 0; 931 struct sockaddr_l2 la;
841 932 int len, err = 0;
842 lock_sock(sk);
843 933
844 BT_DBG("sk %p", sk); 934 BT_DBG("sk %p", sk);
845 935
846 if (addr->sa_family != AF_BLUETOOTH || alen < sizeof(struct sockaddr_l2)) { 936 if (!addr || addr->sa_family != AF_BLUETOOTH)
847 err = -EINVAL; 937 return -EINVAL;
848 goto done; 938
849 } 939 memset(&la, 0, sizeof(la));
940 len = min_t(unsigned int, sizeof(la), alen);
941 memcpy(&la, addr, len);
942
943 if (la.l2_cid)
944 return -EINVAL;
945
946 lock_sock(sk);
850 947
851 if (sk->sk_type == SOCK_SEQPACKET && !la->l2_psm) { 948 if (sk->sk_type == SOCK_SEQPACKET && !la.l2_psm) {
852 err = -EINVAL; 949 err = -EINVAL;
853 goto done; 950 goto done;
854 } 951 }
@@ -875,8 +972,8 @@ static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, int al
875 } 972 }
876 973
877 /* Set destination address and psm */ 974 /* Set destination address and psm */
878 bacpy(&bt_sk(sk)->dst, &la->l2_bdaddr); 975 bacpy(&bt_sk(sk)->dst, &la.l2_bdaddr);
879 l2cap_pi(sk)->psm = la->l2_psm; 976 l2cap_pi(sk)->psm = la.l2_psm;
880 977
881 if ((err = l2cap_do_connect(sk))) 978 if ((err = l2cap_do_connect(sk)))
882 goto done; 979 goto done;
@@ -1000,12 +1097,16 @@ static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr, int *l
1000 addr->sa_family = AF_BLUETOOTH; 1097 addr->sa_family = AF_BLUETOOTH;
1001 *len = sizeof(struct sockaddr_l2); 1098 *len = sizeof(struct sockaddr_l2);
1002 1099
1003 if (peer) 1100 if (peer) {
1101 la->l2_psm = l2cap_pi(sk)->psm;
1004 bacpy(&la->l2_bdaddr, &bt_sk(sk)->dst); 1102 bacpy(&la->l2_bdaddr, &bt_sk(sk)->dst);
1005 else 1103 la->l2_cid = htobs(l2cap_pi(sk)->dcid);
1104 } else {
1105 la->l2_psm = l2cap_pi(sk)->sport;
1006 bacpy(&la->l2_bdaddr, &bt_sk(sk)->src); 1106 bacpy(&la->l2_bdaddr, &bt_sk(sk)->src);
1107 la->l2_cid = htobs(l2cap_pi(sk)->scid);
1108 }
1007 1109
1008 la->l2_psm = l2cap_pi(sk)->psm;
1009 return 0; 1110 return 0;
1010} 1111}
1011 1112
@@ -1106,11 +1207,38 @@ static int l2cap_sock_sendmsg(struct kiocb *iocb, struct socket *sock, struct ms
1106 return err; 1207 return err;
1107} 1208}
1108 1209
1109static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, char __user *optval, int optlen) 1210static int l2cap_sock_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len, int flags)
1211{
1212 struct sock *sk = sock->sk;
1213
1214 lock_sock(sk);
1215
1216 if (sk->sk_state == BT_CONNECT2 && bt_sk(sk)->defer_setup) {
1217 struct l2cap_conn_rsp rsp;
1218
1219 sk->sk_state = BT_CONFIG;
1220
1221 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
1222 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
1223 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1224 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1225 l2cap_send_cmd(l2cap_pi(sk)->conn, l2cap_pi(sk)->ident,
1226 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
1227
1228 release_sock(sk);
1229 return 0;
1230 }
1231
1232 release_sock(sk);
1233
1234 return bt_sock_recvmsg(iocb, sock, msg, len, flags);
1235}
1236
1237static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __user *optval, int optlen)
1110{ 1238{
1111 struct sock *sk = sock->sk; 1239 struct sock *sk = sock->sk;
1112 struct l2cap_options opts; 1240 struct l2cap_options opts;
1113 int err = 0, len; 1241 int len, err = 0;
1114 u32 opt; 1242 u32 opt;
1115 1243
1116 BT_DBG("sk %p", sk); 1244 BT_DBG("sk %p", sk);
@@ -1140,7 +1268,15 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, ch
1140 break; 1268 break;
1141 } 1269 }
1142 1270
1143 l2cap_pi(sk)->link_mode = opt; 1271 if (opt & L2CAP_LM_AUTH)
1272 l2cap_pi(sk)->sec_level = BT_SECURITY_LOW;
1273 if (opt & L2CAP_LM_ENCRYPT)
1274 l2cap_pi(sk)->sec_level = BT_SECURITY_MEDIUM;
1275 if (opt & L2CAP_LM_SECURE)
1276 l2cap_pi(sk)->sec_level = BT_SECURITY_HIGH;
1277
1278 l2cap_pi(sk)->role_switch = (opt & L2CAP_LM_MASTER);
1279 l2cap_pi(sk)->force_reliable = (opt & L2CAP_LM_RELIABLE);
1144 break; 1280 break;
1145 1281
1146 default: 1282 default:
@@ -1152,12 +1288,77 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, ch
1152 return err; 1288 return err;
1153} 1289}
1154 1290
1155static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen) 1291static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, char __user *optval, int optlen)
1292{
1293 struct sock *sk = sock->sk;
1294 struct bt_security sec;
1295 int len, err = 0;
1296 u32 opt;
1297
1298 BT_DBG("sk %p", sk);
1299
1300 if (level == SOL_L2CAP)
1301 return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
1302
1303 if (level != SOL_BLUETOOTH)
1304 return -ENOPROTOOPT;
1305
1306 lock_sock(sk);
1307
1308 switch (optname) {
1309 case BT_SECURITY:
1310 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_RAW) {
1311 err = -EINVAL;
1312 break;
1313 }
1314
1315 sec.level = BT_SECURITY_LOW;
1316
1317 len = min_t(unsigned int, sizeof(sec), optlen);
1318 if (copy_from_user((char *) &sec, optval, len)) {
1319 err = -EFAULT;
1320 break;
1321 }
1322
1323 if (sec.level < BT_SECURITY_LOW ||
1324 sec.level > BT_SECURITY_HIGH) {
1325 err = -EINVAL;
1326 break;
1327 }
1328
1329 l2cap_pi(sk)->sec_level = sec.level;
1330 break;
1331
1332 case BT_DEFER_SETUP:
1333 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
1334 err = -EINVAL;
1335 break;
1336 }
1337
1338 if (get_user(opt, (u32 __user *) optval)) {
1339 err = -EFAULT;
1340 break;
1341 }
1342
1343 bt_sk(sk)->defer_setup = opt;
1344 break;
1345
1346 default:
1347 err = -ENOPROTOOPT;
1348 break;
1349 }
1350
1351 release_sock(sk);
1352 return err;
1353}
1354
1355static int l2cap_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen)
1156{ 1356{
1157 struct sock *sk = sock->sk; 1357 struct sock *sk = sock->sk;
1158 struct l2cap_options opts; 1358 struct l2cap_options opts;
1159 struct l2cap_conninfo cinfo; 1359 struct l2cap_conninfo cinfo;
1160 int len, err = 0; 1360 int len, err = 0;
1361 u32 opt;
1161 1362
1162 BT_DBG("sk %p", sk); 1363 BT_DBG("sk %p", sk);
1163 1364
@@ -1180,12 +1381,36 @@ static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, ch
1180 break; 1381 break;
1181 1382
1182 case L2CAP_LM: 1383 case L2CAP_LM:
1183 if (put_user(l2cap_pi(sk)->link_mode, (u32 __user *) optval)) 1384 switch (l2cap_pi(sk)->sec_level) {
1385 case BT_SECURITY_LOW:
1386 opt = L2CAP_LM_AUTH;
1387 break;
1388 case BT_SECURITY_MEDIUM:
1389 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
1390 break;
1391 case BT_SECURITY_HIGH:
1392 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
1393 L2CAP_LM_SECURE;
1394 break;
1395 default:
1396 opt = 0;
1397 break;
1398 }
1399
1400 if (l2cap_pi(sk)->role_switch)
1401 opt |= L2CAP_LM_MASTER;
1402
1403 if (l2cap_pi(sk)->force_reliable)
1404 opt |= L2CAP_LM_RELIABLE;
1405
1406 if (put_user(opt, (u32 __user *) optval))
1184 err = -EFAULT; 1407 err = -EFAULT;
1185 break; 1408 break;
1186 1409
1187 case L2CAP_CONNINFO: 1410 case L2CAP_CONNINFO:
1188 if (sk->sk_state != BT_CONNECTED) { 1411 if (sk->sk_state != BT_CONNECTED &&
1412 !(sk->sk_state == BT_CONNECT2 &&
1413 bt_sk(sk)->defer_setup)) {
1189 err = -ENOTCONN; 1414 err = -ENOTCONN;
1190 break; 1415 break;
1191 } 1416 }
@@ -1208,6 +1433,60 @@ static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, ch
1208 return err; 1433 return err;
1209} 1434}
1210 1435
1436static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen)
1437{
1438 struct sock *sk = sock->sk;
1439 struct bt_security sec;
1440 int len, err = 0;
1441
1442 BT_DBG("sk %p", sk);
1443
1444 if (level == SOL_L2CAP)
1445 return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
1446
1447 if (level != SOL_BLUETOOTH)
1448 return -ENOPROTOOPT;
1449
1450 if (get_user(len, optlen))
1451 return -EFAULT;
1452
1453 lock_sock(sk);
1454
1455 switch (optname) {
1456 case BT_SECURITY:
1457 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_RAW) {
1458 err = -EINVAL;
1459 break;
1460 }
1461
1462 sec.level = l2cap_pi(sk)->sec_level;
1463
1464 len = min_t(unsigned int, len, sizeof(sec));
1465 if (copy_to_user(optval, (char *) &sec, len))
1466 err = -EFAULT;
1467
1468 break;
1469
1470 case BT_DEFER_SETUP:
1471 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
1472 err = -EINVAL;
1473 break;
1474 }
1475
1476 if (put_user(bt_sk(sk)->defer_setup, (u32 __user *) optval))
1477 err = -EFAULT;
1478
1479 break;
1480
1481 default:
1482 err = -ENOPROTOOPT;
1483 break;
1484 }
1485
1486 release_sock(sk);
1487 return err;
1488}
1489
1211static int l2cap_sock_shutdown(struct socket *sock, int how) 1490static int l2cap_sock_shutdown(struct socket *sock, int how)
1212{ 1491{
1213 struct sock *sk = sock->sk; 1492 struct sock *sk = sock->sk;
@@ -1270,11 +1549,6 @@ static void l2cap_chan_ready(struct sock *sk)
1270 */ 1549 */
1271 parent->sk_data_ready(parent, 0); 1550 parent->sk_data_ready(parent, 0);
1272 } 1551 }
1273
1274 if (l2cap_pi(sk)->link_mode & L2CAP_LM_SECURE) {
1275 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1276 hci_conn_change_link_key(conn->hcon);
1277 }
1278} 1552}
1279 1553
1280/* Copy frame to all raw sockets on that connection */ 1554/* Copy frame to all raw sockets on that connection */
@@ -1549,8 +1823,11 @@ static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hd
1549 1823
1550 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) && 1824 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
1551 cmd->ident == conn->info_ident) { 1825 cmd->ident == conn->info_ident) {
1552 conn->info_ident = 0;
1553 del_timer(&conn->info_timer); 1826 del_timer(&conn->info_timer);
1827
1828 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
1829 conn->info_ident = 0;
1830
1554 l2cap_conn_start(conn); 1831 l2cap_conn_start(conn);
1555 } 1832 }
1556 1833
@@ -1580,6 +1857,7 @@ static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hd
1580 /* Check if the ACL is secure enough (if not SDP) */ 1857 /* Check if the ACL is secure enough (if not SDP) */
1581 if (psm != cpu_to_le16(0x0001) && 1858 if (psm != cpu_to_le16(0x0001) &&
1582 !hci_conn_check_link_mode(conn->hcon)) { 1859 !hci_conn_check_link_mode(conn->hcon)) {
1860 conn->disc_reason = 0x05;
1583 result = L2CAP_CR_SEC_BLOCK; 1861 result = L2CAP_CR_SEC_BLOCK;
1584 goto response; 1862 goto response;
1585 } 1863 }
@@ -1621,11 +1899,18 @@ static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hd
1621 1899
1622 l2cap_pi(sk)->ident = cmd->ident; 1900 l2cap_pi(sk)->ident = cmd->ident;
1623 1901
1624 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) { 1902 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
1625 if (l2cap_check_link_mode(sk)) { 1903 if (l2cap_check_security(sk)) {
1626 sk->sk_state = BT_CONFIG; 1904 if (bt_sk(sk)->defer_setup) {
1627 result = L2CAP_CR_SUCCESS; 1905 sk->sk_state = BT_CONNECT2;
1628 status = L2CAP_CS_NO_INFO; 1906 result = L2CAP_CR_PEND;
1907 status = L2CAP_CS_AUTHOR_PEND;
1908 parent->sk_data_ready(parent, 0);
1909 } else {
1910 sk->sk_state = BT_CONFIG;
1911 result = L2CAP_CR_SUCCESS;
1912 status = L2CAP_CS_NO_INFO;
1913 }
1629 } else { 1914 } else {
1630 sk->sk_state = BT_CONNECT2; 1915 sk->sk_state = BT_CONNECT2;
1631 result = L2CAP_CR_PEND; 1916 result = L2CAP_CR_PEND;
@@ -1695,11 +1980,14 @@ static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hd
1695 l2cap_pi(sk)->dcid = dcid; 1980 l2cap_pi(sk)->dcid = dcid;
1696 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT; 1981 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
1697 1982
1983 l2cap_pi(sk)->conf_state &= ~L2CAP_CONF_CONNECT_PEND;
1984
1698 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, 1985 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
1699 l2cap_build_conf_req(sk, req), req); 1986 l2cap_build_conf_req(sk, req), req);
1700 break; 1987 break;
1701 1988
1702 case L2CAP_CR_PEND: 1989 case L2CAP_CR_PEND:
1990 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
1703 break; 1991 break;
1704 1992
1705 default: 1993 default:
@@ -1908,6 +2196,14 @@ static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cm
1908 put_unaligned(cpu_to_le32(l2cap_feat_mask), (__le32 *) rsp->data); 2196 put_unaligned(cpu_to_le32(l2cap_feat_mask), (__le32 *) rsp->data);
1909 l2cap_send_cmd(conn, cmd->ident, 2197 l2cap_send_cmd(conn, cmd->ident,
1910 L2CAP_INFO_RSP, sizeof(buf), buf); 2198 L2CAP_INFO_RSP, sizeof(buf), buf);
2199 } else if (type == L2CAP_IT_FIXED_CHAN) {
2200 u8 buf[12];
2201 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2202 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2203 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
2204 memcpy(buf + 4, l2cap_fixed_chan, 8);
2205 l2cap_send_cmd(conn, cmd->ident,
2206 L2CAP_INFO_RSP, sizeof(buf), buf);
1911 } else { 2207 } else {
1912 struct l2cap_info_rsp rsp; 2208 struct l2cap_info_rsp rsp;
1913 rsp.type = cpu_to_le16(type); 2209 rsp.type = cpu_to_le16(type);
@@ -1929,14 +2225,31 @@ static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cm
1929 2225
1930 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result); 2226 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
1931 2227
1932 conn->info_ident = 0;
1933
1934 del_timer(&conn->info_timer); 2228 del_timer(&conn->info_timer);
1935 2229
1936 if (type == L2CAP_IT_FEAT_MASK) 2230 if (type == L2CAP_IT_FEAT_MASK) {
1937 conn->feat_mask = get_unaligned_le32(rsp->data); 2231 conn->feat_mask = get_unaligned_le32(rsp->data);
1938 2232
1939 l2cap_conn_start(conn); 2233 if (conn->feat_mask & 0x0080) {
2234 struct l2cap_info_req req;
2235 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2236
2237 conn->info_ident = l2cap_get_ident(conn);
2238
2239 l2cap_send_cmd(conn, conn->info_ident,
2240 L2CAP_INFO_REQ, sizeof(req), &req);
2241 } else {
2242 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2243 conn->info_ident = 0;
2244
2245 l2cap_conn_start(conn);
2246 }
2247 } else if (type == L2CAP_IT_FIXED_CHAN) {
2248 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2249 conn->info_ident = 0;
2250
2251 l2cap_conn_start(conn);
2252 }
1940 2253
1941 return 0; 2254 return 0;
1942} 2255}
@@ -2143,10 +2456,15 @@ static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
2143 continue; 2456 continue;
2144 2457
2145 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) { 2458 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2146 lm1 |= (HCI_LM_ACCEPT | l2cap_pi(sk)->link_mode); 2459 lm1 |= HCI_LM_ACCEPT;
2460 if (l2cap_pi(sk)->role_switch)
2461 lm1 |= HCI_LM_MASTER;
2147 exact++; 2462 exact++;
2148 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) 2463 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
2149 lm2 |= (HCI_LM_ACCEPT | l2cap_pi(sk)->link_mode); 2464 lm2 |= HCI_LM_ACCEPT;
2465 if (l2cap_pi(sk)->role_switch)
2466 lm2 |= HCI_LM_MASTER;
2467 }
2150 } 2468 }
2151 read_unlock(&l2cap_sk_list.lock); 2469 read_unlock(&l2cap_sk_list.lock);
2152 2470
@@ -2172,89 +2490,48 @@ static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
2172 return 0; 2490 return 0;
2173} 2491}
2174 2492
2175static int l2cap_disconn_ind(struct hci_conn *hcon, u8 reason) 2493static int l2cap_disconn_ind(struct hci_conn *hcon)
2176{ 2494{
2177 BT_DBG("hcon %p reason %d", hcon, reason); 2495 struct l2cap_conn *conn = hcon->l2cap_data;
2178 2496
2179 if (hcon->type != ACL_LINK) 2497 BT_DBG("hcon %p", hcon);
2180 return 0;
2181 2498
2182 l2cap_conn_del(hcon, bt_err(reason)); 2499 if (hcon->type != ACL_LINK || !conn)
2500 return 0x13;
2183 2501
2184 return 0; 2502 return conn->disc_reason;
2185} 2503}
2186 2504
2187static int l2cap_auth_cfm(struct hci_conn *hcon, u8 status) 2505static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
2188{ 2506{
2189 struct l2cap_chan_list *l; 2507 BT_DBG("hcon %p reason %d", hcon, reason);
2190 struct l2cap_conn *conn = hcon->l2cap_data;
2191 struct sock *sk;
2192 2508
2193 if (!conn) 2509 if (hcon->type != ACL_LINK)
2194 return 0; 2510 return 0;
2195 2511
2196 l = &conn->chan_list; 2512 l2cap_conn_del(hcon, bt_err(reason));
2197
2198 BT_DBG("conn %p", conn);
2199
2200 read_lock(&l->lock);
2201
2202 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
2203 struct l2cap_pinfo *pi = l2cap_pi(sk);
2204
2205 bh_lock_sock(sk);
2206
2207 if ((pi->link_mode & (L2CAP_LM_ENCRYPT | L2CAP_LM_SECURE)) &&
2208 !(hcon->link_mode & HCI_LM_ENCRYPT) &&
2209 !status) {
2210 bh_unlock_sock(sk);
2211 continue;
2212 }
2213
2214 if (sk->sk_state == BT_CONNECT) {
2215 if (!status) {
2216 struct l2cap_conn_req req;
2217 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
2218 req.psm = l2cap_pi(sk)->psm;
2219
2220 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
2221
2222 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
2223 L2CAP_CONN_REQ, sizeof(req), &req);
2224 } else {
2225 l2cap_sock_clear_timer(sk);
2226 l2cap_sock_set_timer(sk, HZ / 10);
2227 }
2228 } else if (sk->sk_state == BT_CONNECT2) {
2229 struct l2cap_conn_rsp rsp;
2230 __u16 result;
2231 2513
2232 if (!status) { 2514 return 0;
2233 sk->sk_state = BT_CONFIG; 2515}
2234 result = L2CAP_CR_SUCCESS;
2235 } else {
2236 sk->sk_state = BT_DISCONN;
2237 l2cap_sock_set_timer(sk, HZ / 10);
2238 result = L2CAP_CR_SEC_BLOCK;
2239 }
2240 2516
2241 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid); 2517static inline void l2cap_check_encryption(struct sock *sk, u8 encrypt)
2242 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid); 2518{
2243 rsp.result = cpu_to_le16(result); 2519 if (sk->sk_type != SOCK_SEQPACKET)
2244 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO); 2520 return;
2245 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
2246 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2247 }
2248 2521
2249 bh_unlock_sock(sk); 2522 if (encrypt == 0x00) {
2523 if (l2cap_pi(sk)->sec_level == BT_SECURITY_MEDIUM) {
2524 l2cap_sock_clear_timer(sk);
2525 l2cap_sock_set_timer(sk, HZ * 5);
2526 } else if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
2527 __l2cap_sock_close(sk, ECONNREFUSED);
2528 } else {
2529 if (l2cap_pi(sk)->sec_level == BT_SECURITY_MEDIUM)
2530 l2cap_sock_clear_timer(sk);
2250 } 2531 }
2251
2252 read_unlock(&l->lock);
2253
2254 return 0;
2255} 2532}
2256 2533
2257static int l2cap_encrypt_cfm(struct hci_conn *hcon, u8 status, u8 encrypt) 2534static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
2258{ 2535{
2259 struct l2cap_chan_list *l; 2536 struct l2cap_chan_list *l;
2260 struct l2cap_conn *conn = hcon->l2cap_data; 2537 struct l2cap_conn *conn = hcon->l2cap_data;
@@ -2270,15 +2547,16 @@ static int l2cap_encrypt_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
2270 read_lock(&l->lock); 2547 read_lock(&l->lock);
2271 2548
2272 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) { 2549 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
2273 struct l2cap_pinfo *pi = l2cap_pi(sk);
2274
2275 bh_lock_sock(sk); 2550 bh_lock_sock(sk);
2276 2551
2277 if ((pi->link_mode & (L2CAP_LM_ENCRYPT | L2CAP_LM_SECURE)) && 2552 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_CONNECT_PEND) {
2278 (sk->sk_state == BT_CONNECTED || 2553 bh_unlock_sock(sk);
2279 sk->sk_state == BT_CONFIG) && 2554 continue;
2280 !status && encrypt == 0x00) { 2555 }
2281 __l2cap_sock_close(sk, ECONNREFUSED); 2556
2557 if (!status && (sk->sk_state == BT_CONNECTED ||
2558 sk->sk_state == BT_CONFIG)) {
2559 l2cap_check_encryption(sk, encrypt);
2282 bh_unlock_sock(sk); 2560 bh_unlock_sock(sk);
2283 continue; 2561 continue;
2284 } 2562 }
@@ -2376,7 +2654,7 @@ static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 fl
2376 goto drop; 2654 goto drop;
2377 2655
2378 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len), 2656 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2379 skb->len); 2657 skb->len);
2380 conn->rx_len = len - skb->len; 2658 conn->rx_len = len - skb->len;
2381 } else { 2659 } else {
2382 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len); 2660 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
@@ -2398,7 +2676,7 @@ static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 fl
2398 } 2676 }
2399 2677
2400 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len), 2678 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2401 skb->len); 2679 skb->len);
2402 conn->rx_len -= skb->len; 2680 conn->rx_len -= skb->len;
2403 2681
2404 if (!conn->rx_len) { 2682 if (!conn->rx_len) {
@@ -2424,10 +2702,10 @@ static ssize_t l2cap_sysfs_show(struct class *dev, char *buf)
2424 sk_for_each(sk, node, &l2cap_sk_list.head) { 2702 sk_for_each(sk, node, &l2cap_sk_list.head) {
2425 struct l2cap_pinfo *pi = l2cap_pi(sk); 2703 struct l2cap_pinfo *pi = l2cap_pi(sk);
2426 2704
2427 str += sprintf(str, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d 0x%x\n", 2705 str += sprintf(str, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d\n",
2428 batostr(&bt_sk(sk)->src), batostr(&bt_sk(sk)->dst), 2706 batostr(&bt_sk(sk)->src), batostr(&bt_sk(sk)->dst),
2429 sk->sk_state, btohs(pi->psm), pi->scid, pi->dcid, 2707 sk->sk_state, btohs(pi->psm), pi->scid, pi->dcid,
2430 pi->imtu, pi->omtu, pi->link_mode); 2708 pi->imtu, pi->omtu, pi->sec_level);
2431 } 2709 }
2432 2710
2433 read_unlock_bh(&l2cap_sk_list.lock); 2711 read_unlock_bh(&l2cap_sk_list.lock);
@@ -2447,7 +2725,7 @@ static const struct proto_ops l2cap_sock_ops = {
2447 .accept = l2cap_sock_accept, 2725 .accept = l2cap_sock_accept,
2448 .getname = l2cap_sock_getname, 2726 .getname = l2cap_sock_getname,
2449 .sendmsg = l2cap_sock_sendmsg, 2727 .sendmsg = l2cap_sock_sendmsg,
2450 .recvmsg = bt_sock_recvmsg, 2728 .recvmsg = l2cap_sock_recvmsg,
2451 .poll = bt_sock_poll, 2729 .poll = bt_sock_poll,
2452 .ioctl = bt_sock_ioctl, 2730 .ioctl = bt_sock_ioctl,
2453 .mmap = sock_no_mmap, 2731 .mmap = sock_no_mmap,
@@ -2469,8 +2747,8 @@ static struct hci_proto l2cap_hci_proto = {
2469 .connect_ind = l2cap_connect_ind, 2747 .connect_ind = l2cap_connect_ind,
2470 .connect_cfm = l2cap_connect_cfm, 2748 .connect_cfm = l2cap_connect_cfm,
2471 .disconn_ind = l2cap_disconn_ind, 2749 .disconn_ind = l2cap_disconn_ind,
2472 .auth_cfm = l2cap_auth_cfm, 2750 .disconn_cfm = l2cap_disconn_cfm,
2473 .encrypt_cfm = l2cap_encrypt_cfm, 2751 .security_cfm = l2cap_security_cfm,
2474 .recv_acldata = l2cap_recv_acldata 2752 .recv_acldata = l2cap_recv_acldata
2475}; 2753};
2476 2754
diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
index acd84fd524b8..1d0fb0f23c63 100644
--- a/net/bluetooth/rfcomm/core.c
+++ b/net/bluetooth/rfcomm/core.c
@@ -46,7 +46,7 @@
46#include <net/bluetooth/l2cap.h> 46#include <net/bluetooth/l2cap.h>
47#include <net/bluetooth/rfcomm.h> 47#include <net/bluetooth/rfcomm.h>
48 48
49#define VERSION "1.10" 49#define VERSION "1.11"
50 50
51static int disable_cfc = 0; 51static int disable_cfc = 0;
52static int channel_mtu = -1; 52static int channel_mtu = -1;
@@ -223,19 +223,25 @@ static int rfcomm_l2sock_create(struct socket **sock)
223 return err; 223 return err;
224} 224}
225 225
226static inline int rfcomm_check_link_mode(struct rfcomm_dlc *d) 226static inline int rfcomm_check_security(struct rfcomm_dlc *d)
227{ 227{
228 struct sock *sk = d->session->sock->sk; 228 struct sock *sk = d->session->sock->sk;
229 __u8 auth_type;
229 230
230 if (d->link_mode & (RFCOMM_LM_ENCRYPT | RFCOMM_LM_SECURE)) { 231 switch (d->sec_level) {
231 if (!hci_conn_encrypt(l2cap_pi(sk)->conn->hcon)) 232 case BT_SECURITY_HIGH:
232 return 1; 233 auth_type = HCI_AT_GENERAL_BONDING_MITM;
233 } else if (d->link_mode & RFCOMM_LM_AUTH) { 234 break;
234 if (!hci_conn_auth(l2cap_pi(sk)->conn->hcon)) 235 case BT_SECURITY_MEDIUM:
235 return 1; 236 auth_type = HCI_AT_GENERAL_BONDING;
237 break;
238 default:
239 auth_type = HCI_AT_NO_BONDING;
240 break;
236 } 241 }
237 242
238 return 0; 243 return hci_conn_security(l2cap_pi(sk)->conn->hcon, d->sec_level,
244 auth_type);
239} 245}
240 246
241/* ---- RFCOMM DLCs ---- */ 247/* ---- RFCOMM DLCs ---- */
@@ -388,10 +394,10 @@ static int __rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst,
388 d->cfc = (s->cfc == RFCOMM_CFC_UNKNOWN) ? 0 : s->cfc; 394 d->cfc = (s->cfc == RFCOMM_CFC_UNKNOWN) ? 0 : s->cfc;
389 395
390 if (s->state == BT_CONNECTED) { 396 if (s->state == BT_CONNECTED) {
391 if (rfcomm_check_link_mode(d)) 397 if (rfcomm_check_security(d))
392 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
393 else
394 rfcomm_send_pn(s, 1, d); 398 rfcomm_send_pn(s, 1, d);
399 else
400 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
395 } 401 }
396 402
397 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT); 403 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
@@ -421,9 +427,16 @@ static int __rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
421 d, d->state, d->dlci, err, s); 427 d, d->state, d->dlci, err, s);
422 428
423 switch (d->state) { 429 switch (d->state) {
424 case BT_CONNECTED:
425 case BT_CONFIG:
426 case BT_CONNECT: 430 case BT_CONNECT:
431 case BT_CONFIG:
432 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
433 set_bit(RFCOMM_AUTH_REJECT, &d->flags);
434 rfcomm_schedule(RFCOMM_SCHED_AUTH);
435 break;
436 }
437 /* Fall through */
438
439 case BT_CONNECTED:
427 d->state = BT_DISCONN; 440 d->state = BT_DISCONN;
428 if (skb_queue_empty(&d->tx_queue)) { 441 if (skb_queue_empty(&d->tx_queue)) {
429 rfcomm_send_disc(s, d->dlci); 442 rfcomm_send_disc(s, d->dlci);
@@ -434,6 +447,15 @@ static int __rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
434 } 447 }
435 break; 448 break;
436 449
450 case BT_OPEN:
451 case BT_CONNECT2:
452 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
453 set_bit(RFCOMM_AUTH_REJECT, &d->flags);
454 rfcomm_schedule(RFCOMM_SCHED_AUTH);
455 break;
456 }
457 /* Fall through */
458
437 default: 459 default:
438 rfcomm_dlc_clear_timer(d); 460 rfcomm_dlc_clear_timer(d);
439 461
@@ -636,6 +658,7 @@ static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src, bdaddr_t *dst
636 bacpy(&addr.l2_bdaddr, src); 658 bacpy(&addr.l2_bdaddr, src);
637 addr.l2_family = AF_BLUETOOTH; 659 addr.l2_family = AF_BLUETOOTH;
638 addr.l2_psm = 0; 660 addr.l2_psm = 0;
661 addr.l2_cid = 0;
639 *err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr)); 662 *err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
640 if (*err < 0) 663 if (*err < 0)
641 goto failed; 664 goto failed;
@@ -657,6 +680,7 @@ static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src, bdaddr_t *dst
657 bacpy(&addr.l2_bdaddr, dst); 680 bacpy(&addr.l2_bdaddr, dst);
658 addr.l2_family = AF_BLUETOOTH; 681 addr.l2_family = AF_BLUETOOTH;
659 addr.l2_psm = htobs(RFCOMM_PSM); 682 addr.l2_psm = htobs(RFCOMM_PSM);
683 addr.l2_cid = 0;
660 *err = kernel_connect(sock, (struct sockaddr *) &addr, sizeof(addr), O_NONBLOCK); 684 *err = kernel_connect(sock, (struct sockaddr *) &addr, sizeof(addr), O_NONBLOCK);
661 if (*err == 0 || *err == -EINPROGRESS) 685 if (*err == 0 || *err == -EINPROGRESS)
662 return s; 686 return s;
@@ -1162,7 +1186,7 @@ static int rfcomm_recv_disc(struct rfcomm_session *s, u8 dlci)
1162 return 0; 1186 return 0;
1163} 1187}
1164 1188
1165static void rfcomm_dlc_accept(struct rfcomm_dlc *d) 1189void rfcomm_dlc_accept(struct rfcomm_dlc *d)
1166{ 1190{
1167 struct sock *sk = d->session->sock->sk; 1191 struct sock *sk = d->session->sock->sk;
1168 1192
@@ -1175,12 +1199,31 @@ static void rfcomm_dlc_accept(struct rfcomm_dlc *d)
1175 d->state_change(d, 0); 1199 d->state_change(d, 0);
1176 rfcomm_dlc_unlock(d); 1200 rfcomm_dlc_unlock(d);
1177 1201
1178 if (d->link_mode & RFCOMM_LM_MASTER) 1202 if (d->role_switch)
1179 hci_conn_switch_role(l2cap_pi(sk)->conn->hcon, 0x00); 1203 hci_conn_switch_role(l2cap_pi(sk)->conn->hcon, 0x00);
1180 1204
1181 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig); 1205 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1182} 1206}
1183 1207
1208static void rfcomm_check_accept(struct rfcomm_dlc *d)
1209{
1210 if (rfcomm_check_security(d)) {
1211 if (d->defer_setup) {
1212 set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1213 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1214
1215 rfcomm_dlc_lock(d);
1216 d->state = BT_CONNECT2;
1217 d->state_change(d, 0);
1218 rfcomm_dlc_unlock(d);
1219 } else
1220 rfcomm_dlc_accept(d);
1221 } else {
1222 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1223 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1224 }
1225}
1226
1184static int rfcomm_recv_sabm(struct rfcomm_session *s, u8 dlci) 1227static int rfcomm_recv_sabm(struct rfcomm_session *s, u8 dlci)
1185{ 1228{
1186 struct rfcomm_dlc *d; 1229 struct rfcomm_dlc *d;
@@ -1203,11 +1246,7 @@ static int rfcomm_recv_sabm(struct rfcomm_session *s, u8 dlci)
1203 if (d) { 1246 if (d) {
1204 if (d->state == BT_OPEN) { 1247 if (d->state == BT_OPEN) {
1205 /* DLC was previously opened by PN request */ 1248 /* DLC was previously opened by PN request */
1206 if (rfcomm_check_link_mode(d)) { 1249 rfcomm_check_accept(d);
1207 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1208 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1209 } else
1210 rfcomm_dlc_accept(d);
1211 } 1250 }
1212 return 0; 1251 return 0;
1213 } 1252 }
@@ -1219,11 +1258,7 @@ static int rfcomm_recv_sabm(struct rfcomm_session *s, u8 dlci)
1219 d->addr = __addr(s->initiator, dlci); 1258 d->addr = __addr(s->initiator, dlci);
1220 rfcomm_dlc_link(s, d); 1259 rfcomm_dlc_link(s, d);
1221 1260
1222 if (rfcomm_check_link_mode(d)) { 1261 rfcomm_check_accept(d);
1223 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1224 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1225 } else
1226 rfcomm_dlc_accept(d);
1227 } else { 1262 } else {
1228 rfcomm_send_dm(s, dlci); 1263 rfcomm_send_dm(s, dlci);
1229 } 1264 }
@@ -1637,11 +1672,12 @@ static void rfcomm_process_connect(struct rfcomm_session *s)
1637 d = list_entry(p, struct rfcomm_dlc, list); 1672 d = list_entry(p, struct rfcomm_dlc, list);
1638 if (d->state == BT_CONFIG) { 1673 if (d->state == BT_CONFIG) {
1639 d->mtu = s->mtu; 1674 d->mtu = s->mtu;
1640 if (rfcomm_check_link_mode(d)) { 1675 if (rfcomm_check_security(d)) {
1676 rfcomm_send_pn(s, 1, d);
1677 } else {
1641 set_bit(RFCOMM_AUTH_PENDING, &d->flags); 1678 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1642 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT); 1679 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1643 } else 1680 }
1644 rfcomm_send_pn(s, 1, d);
1645 } 1681 }
1646 } 1682 }
1647} 1683}
@@ -1717,11 +1753,17 @@ static inline void rfcomm_process_dlcs(struct rfcomm_session *s)
1717 if (d->out) { 1753 if (d->out) {
1718 rfcomm_send_pn(s, 1, d); 1754 rfcomm_send_pn(s, 1, d);
1719 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT); 1755 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
1720 } else 1756 } else {
1721 rfcomm_dlc_accept(d); 1757 if (d->defer_setup) {
1722 if (d->link_mode & RFCOMM_LM_SECURE) { 1758 set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1723 struct sock *sk = s->sock->sk; 1759 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1724 hci_conn_change_link_key(l2cap_pi(sk)->conn->hcon); 1760
1761 rfcomm_dlc_lock(d);
1762 d->state = BT_CONNECT2;
1763 d->state_change(d, 0);
1764 rfcomm_dlc_unlock(d);
1765 } else
1766 rfcomm_dlc_accept(d);
1725 } 1767 }
1726 continue; 1768 continue;
1727 } else if (test_and_clear_bit(RFCOMM_AUTH_REJECT, &d->flags)) { 1769 } else if (test_and_clear_bit(RFCOMM_AUTH_REJECT, &d->flags)) {
@@ -1734,6 +1776,9 @@ static inline void rfcomm_process_dlcs(struct rfcomm_session *s)
1734 continue; 1776 continue;
1735 } 1777 }
1736 1778
1779 if (test_bit(RFCOMM_SEC_PENDING, &d->flags))
1780 continue;
1781
1737 if (test_bit(RFCOMM_TX_THROTTLED, &s->flags)) 1782 if (test_bit(RFCOMM_TX_THROTTLED, &s->flags))
1738 continue; 1783 continue;
1739 1784
@@ -1876,6 +1921,7 @@ static int rfcomm_add_listener(bdaddr_t *ba)
1876 bacpy(&addr.l2_bdaddr, ba); 1921 bacpy(&addr.l2_bdaddr, ba);
1877 addr.l2_family = AF_BLUETOOTH; 1922 addr.l2_family = AF_BLUETOOTH;
1878 addr.l2_psm = htobs(RFCOMM_PSM); 1923 addr.l2_psm = htobs(RFCOMM_PSM);
1924 addr.l2_cid = 0;
1879 err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr)); 1925 err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
1880 if (err < 0) { 1926 if (err < 0) {
1881 BT_ERR("Bind failed %d", err); 1927 BT_ERR("Bind failed %d", err);
@@ -1947,42 +1993,7 @@ static int rfcomm_run(void *unused)
1947 return 0; 1993 return 0;
1948} 1994}
1949 1995
1950static void rfcomm_auth_cfm(struct hci_conn *conn, u8 status) 1996static void rfcomm_security_cfm(struct hci_conn *conn, u8 status, u8 encrypt)
1951{
1952 struct rfcomm_session *s;
1953 struct rfcomm_dlc *d;
1954 struct list_head *p, *n;
1955
1956 BT_DBG("conn %p status 0x%02x", conn, status);
1957
1958 s = rfcomm_session_get(&conn->hdev->bdaddr, &conn->dst);
1959 if (!s)
1960 return;
1961
1962 rfcomm_session_hold(s);
1963
1964 list_for_each_safe(p, n, &s->dlcs) {
1965 d = list_entry(p, struct rfcomm_dlc, list);
1966
1967 if ((d->link_mode & (RFCOMM_LM_ENCRYPT | RFCOMM_LM_SECURE)) &&
1968 !(conn->link_mode & HCI_LM_ENCRYPT) && !status)
1969 continue;
1970
1971 if (!test_and_clear_bit(RFCOMM_AUTH_PENDING, &d->flags))
1972 continue;
1973
1974 if (!status)
1975 set_bit(RFCOMM_AUTH_ACCEPT, &d->flags);
1976 else
1977 set_bit(RFCOMM_AUTH_REJECT, &d->flags);
1978 }
1979
1980 rfcomm_session_put(s);
1981
1982 rfcomm_schedule(RFCOMM_SCHED_AUTH);
1983}
1984
1985static void rfcomm_encrypt_cfm(struct hci_conn *conn, u8 status, u8 encrypt)
1986{ 1997{
1987 struct rfcomm_session *s; 1998 struct rfcomm_session *s;
1988 struct rfcomm_dlc *d; 1999 struct rfcomm_dlc *d;
@@ -1999,18 +2010,29 @@ static void rfcomm_encrypt_cfm(struct hci_conn *conn, u8 status, u8 encrypt)
1999 list_for_each_safe(p, n, &s->dlcs) { 2010 list_for_each_safe(p, n, &s->dlcs) {
2000 d = list_entry(p, struct rfcomm_dlc, list); 2011 d = list_entry(p, struct rfcomm_dlc, list);
2001 2012
2002 if ((d->link_mode & (RFCOMM_LM_ENCRYPT | RFCOMM_LM_SECURE)) && 2013 if (test_and_clear_bit(RFCOMM_SEC_PENDING, &d->flags)) {
2003 (d->state == BT_CONNECTED || 2014 rfcomm_dlc_clear_timer(d);
2004 d->state == BT_CONFIG) && 2015 if (status || encrypt == 0x00) {
2005 !status && encrypt == 0x00) { 2016 __rfcomm_dlc_close(d, ECONNREFUSED);
2006 __rfcomm_dlc_close(d, ECONNREFUSED); 2017 continue;
2007 continue; 2018 }
2019 }
2020
2021 if (d->state == BT_CONNECTED && !status && encrypt == 0x00) {
2022 if (d->sec_level == BT_SECURITY_MEDIUM) {
2023 set_bit(RFCOMM_SEC_PENDING, &d->flags);
2024 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
2025 continue;
2026 } else if (d->sec_level == BT_SECURITY_HIGH) {
2027 __rfcomm_dlc_close(d, ECONNREFUSED);
2028 continue;
2029 }
2008 } 2030 }
2009 2031
2010 if (!test_and_clear_bit(RFCOMM_AUTH_PENDING, &d->flags)) 2032 if (!test_and_clear_bit(RFCOMM_AUTH_PENDING, &d->flags))
2011 continue; 2033 continue;
2012 2034
2013 if (!status && encrypt) 2035 if (!status)
2014 set_bit(RFCOMM_AUTH_ACCEPT, &d->flags); 2036 set_bit(RFCOMM_AUTH_ACCEPT, &d->flags);
2015 else 2037 else
2016 set_bit(RFCOMM_AUTH_REJECT, &d->flags); 2038 set_bit(RFCOMM_AUTH_REJECT, &d->flags);
@@ -2023,8 +2045,7 @@ static void rfcomm_encrypt_cfm(struct hci_conn *conn, u8 status, u8 encrypt)
2023 2045
2024static struct hci_cb rfcomm_cb = { 2046static struct hci_cb rfcomm_cb = {
2025 .name = "RFCOMM", 2047 .name = "RFCOMM",
2026 .auth_cfm = rfcomm_auth_cfm, 2048 .security_cfm = rfcomm_security_cfm
2027 .encrypt_cfm = rfcomm_encrypt_cfm
2028}; 2049};
2029 2050
2030static ssize_t rfcomm_dlc_sysfs_show(struct class *dev, char *buf) 2051static ssize_t rfcomm_dlc_sysfs_show(struct class *dev, char *buf)
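Review bot: The merged rfcomm_security_cfm grants RFCOMM_AUTH_ACCEPT on `if (!status)` alone (new 2035), where the removed encrypt_cfm required `!status && encrypt` (old 2013) and the removed auth_cfm skipped encryption-requiring DLCs while the link was still unencrypted (old 1967-1969); as written, a DLC with sec_level BT_SECURITY_MEDIUM or BT_SECURITY_HIGH that is RFCOMM_AUTH_PENDING is accepted on the first successful callback even when it reports encrypt == 0x00, and the unencrypted-link branch just above it (new 2021-2029) does not cover this because it only handles d->state == BT_CONNECTED. Unless the HCI side guarantees security_cfm is only delivered once the requested level is in place, which is not visible in this section, the accept should stay level-aware, e.g. `if (!status && (encrypt || d->sec_level == BT_SECURITY_LOW))`. The function's head is in the preceding hunk and the lines between the two hunks are not shown. Separately, the defer-setup block in rfcomm_check_accept (new 1211-1218) is repeated verbatim in rfcomm_process_dlcs (new 1757-1765); a small static helper would keep the two copies from drifting.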
diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
index d3fc6fca38d0..7f482784e9f7 100644
--- a/net/bluetooth/rfcomm/sock.c
+++ b/net/bluetooth/rfcomm/sock.c
@@ -261,12 +261,19 @@ static void rfcomm_sock_init(struct sock *sk, struct sock *parent)
261 261
262 if (parent) { 262 if (parent) {
263 sk->sk_type = parent->sk_type; 263 sk->sk_type = parent->sk_type;
264 pi->link_mode = rfcomm_pi(parent)->link_mode; 264 pi->dlc->defer_setup = bt_sk(parent)->defer_setup;
265
266 pi->sec_level = rfcomm_pi(parent)->sec_level;
267 pi->role_switch = rfcomm_pi(parent)->role_switch;
265 } else { 268 } else {
266 pi->link_mode = 0; 269 pi->dlc->defer_setup = 0;
270
271 pi->sec_level = BT_SECURITY_LOW;
272 pi->role_switch = 0;
267 } 273 }
268 274
269 pi->dlc->link_mode = pi->link_mode; 275 pi->dlc->sec_level = pi->sec_level;
276 pi->dlc->role_switch = pi->role_switch;
270} 277}
271 278
272static struct proto rfcomm_proto = { 279static struct proto rfcomm_proto = {
@@ -406,7 +413,8 @@ static int rfcomm_sock_connect(struct socket *sock, struct sockaddr *addr, int a
406 bacpy(&bt_sk(sk)->dst, &sa->rc_bdaddr); 413 bacpy(&bt_sk(sk)->dst, &sa->rc_bdaddr);
407 rfcomm_pi(sk)->channel = sa->rc_channel; 414 rfcomm_pi(sk)->channel = sa->rc_channel;
408 415
409 d->link_mode = rfcomm_pi(sk)->link_mode; 416 d->sec_level = rfcomm_pi(sk)->sec_level;
417 d->role_switch = rfcomm_pi(sk)->role_switch;
410 418
411 err = rfcomm_dlc_open(d, &bt_sk(sk)->src, &sa->rc_bdaddr, sa->rc_channel); 419 err = rfcomm_dlc_open(d, &bt_sk(sk)->src, &sa->rc_bdaddr, sa->rc_channel);
412 if (!err) 420 if (!err)
@@ -554,6 +562,9 @@ static int rfcomm_sock_sendmsg(struct kiocb *iocb, struct socket *sock,
554 struct sk_buff *skb; 562 struct sk_buff *skb;
555 int sent = 0; 563 int sent = 0;
556 564
565 if (test_bit(RFCOMM_DEFER_SETUP, &d->flags))
566 return -ENOTCONN;
567
557 if (msg->msg_flags & MSG_OOB) 568 if (msg->msg_flags & MSG_OOB)
558 return -EOPNOTSUPP; 569 return -EOPNOTSUPP;
559 570
@@ -570,8 +581,11 @@ static int rfcomm_sock_sendmsg(struct kiocb *iocb, struct socket *sock,
570 581
571 skb = sock_alloc_send_skb(sk, size + RFCOMM_SKB_RESERVE, 582 skb = sock_alloc_send_skb(sk, size + RFCOMM_SKB_RESERVE,
572 msg->msg_flags & MSG_DONTWAIT, &err); 583 msg->msg_flags & MSG_DONTWAIT, &err);
573 if (!skb) 584 if (!skb) {
585 if (sent == 0)
586 sent = err;
574 break; 587 break;
588 }
575 skb_reserve(skb, RFCOMM_SKB_HEAD_RESERVE); 589 skb_reserve(skb, RFCOMM_SKB_HEAD_RESERVE);
576 590
577 err = memcpy_fromiovec(skb_put(skb, size), msg->msg_iov, size); 591 err = memcpy_fromiovec(skb_put(skb, size), msg->msg_iov, size);
@@ -630,10 +644,16 @@ static int rfcomm_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
630 struct msghdr *msg, size_t size, int flags) 644 struct msghdr *msg, size_t size, int flags)
631{ 645{
632 struct sock *sk = sock->sk; 646 struct sock *sk = sock->sk;
647 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
633 int err = 0; 648 int err = 0;
634 size_t target, copied = 0; 649 size_t target, copied = 0;
635 long timeo; 650 long timeo;
636 651
652 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
653 rfcomm_dlc_accept(d);
654 return 0;
655 }
656
637 if (flags & MSG_OOB) 657 if (flags & MSG_OOB)
638 return -EOPNOTSUPP; 658 return -EOPNOTSUPP;
639 659
@@ -710,7 +730,7 @@ out:
710 return copied ? : err; 730 return copied ? : err;
711} 731}
712 732
713static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, char __user *optval, int optlen) 733static int rfcomm_sock_setsockopt_old(struct socket *sock, int optname, char __user *optval, int optlen)
714{ 734{
715 struct sock *sk = sock->sk; 735 struct sock *sk = sock->sk;
716 int err = 0; 736 int err = 0;
@@ -727,7 +747,14 @@ static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, c
727 break; 747 break;
728 } 748 }
729 749
730 rfcomm_pi(sk)->link_mode = opt; 750 if (opt & RFCOMM_LM_AUTH)
751 rfcomm_pi(sk)->sec_level = BT_SECURITY_LOW;
752 if (opt & RFCOMM_LM_ENCRYPT)
753 rfcomm_pi(sk)->sec_level = BT_SECURITY_MEDIUM;
754 if (opt & RFCOMM_LM_SECURE)
755 rfcomm_pi(sk)->sec_level = BT_SECURITY_HIGH;
756
757 rfcomm_pi(sk)->role_switch = (opt & RFCOMM_LM_MASTER);
731 break; 758 break;
732 759
733 default: 760 default:
@@ -739,12 +766,76 @@ static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, c
739 return err; 766 return err;
740} 767}
741 768
742static int rfcomm_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen) 769static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, char __user *optval, int optlen)
770{
771 struct sock *sk = sock->sk;
772 struct bt_security sec;
773 int len, err = 0;
774 u32 opt;
775
776 BT_DBG("sk %p", sk);
777
778 if (level == SOL_RFCOMM)
779 return rfcomm_sock_setsockopt_old(sock, optname, optval, optlen);
780
781 if (level != SOL_BLUETOOTH)
782 return -ENOPROTOOPT;
783
784 lock_sock(sk);
785
786 switch (optname) {
787 case BT_SECURITY:
788 if (sk->sk_type != SOCK_STREAM) {
789 err = -EINVAL;
790 break;
791 }
792
793 sec.level = BT_SECURITY_LOW;
794
795 len = min_t(unsigned int, sizeof(sec), optlen);
796 if (copy_from_user((char *) &sec, optval, len)) {
797 err = -EFAULT;
798 break;
799 }
800
801 if (sec.level > BT_SECURITY_HIGH) {
802 err = -EINVAL;
803 break;
804 }
805
806 rfcomm_pi(sk)->sec_level = sec.level;
807 break;
808
809 case BT_DEFER_SETUP:
810 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
811 err = -EINVAL;
812 break;
813 }
814
815 if (get_user(opt, (u32 __user *) optval)) {
816 err = -EFAULT;
817 break;
818 }
819
820 bt_sk(sk)->defer_setup = opt;
821 break;
822
823 default:
824 err = -ENOPROTOOPT;
825 break;
826 }
827
828 release_sock(sk);
829 return err;
830}
831
832static int rfcomm_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen)
743{ 833{
744 struct sock *sk = sock->sk; 834 struct sock *sk = sock->sk;
745 struct sock *l2cap_sk; 835 struct sock *l2cap_sk;
746 struct rfcomm_conninfo cinfo; 836 struct rfcomm_conninfo cinfo;
747 int len, err = 0; 837 int len, err = 0;
838 u32 opt;
748 839
749 BT_DBG("sk %p", sk); 840 BT_DBG("sk %p", sk);
750 841
@@ -755,12 +846,32 @@ static int rfcomm_sock_getsockopt(struct socket *sock, int level, int optname, c
755 846
756 switch (optname) { 847 switch (optname) {
757 case RFCOMM_LM: 848 case RFCOMM_LM:
758 if (put_user(rfcomm_pi(sk)->link_mode, (u32 __user *) optval)) 849 switch (rfcomm_pi(sk)->sec_level) {
850 case BT_SECURITY_LOW:
851 opt = RFCOMM_LM_AUTH;
852 break;
853 case BT_SECURITY_MEDIUM:
854 opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT;
855 break;
856 case BT_SECURITY_HIGH:
857 opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT |
858 RFCOMM_LM_SECURE;
859 break;
860 default:
861 opt = 0;
862 break;
863 }
864
865 if (rfcomm_pi(sk)->role_switch)
866 opt |= RFCOMM_LM_MASTER;
867
868 if (put_user(opt, (u32 __user *) optval))
759 err = -EFAULT; 869 err = -EFAULT;
760 break; 870 break;
761 871
762 case RFCOMM_CONNINFO: 872 case RFCOMM_CONNINFO:
763 if (sk->sk_state != BT_CONNECTED) { 873 if (sk->sk_state != BT_CONNECTED &&
874 !rfcomm_pi(sk)->dlc->defer_setup) {
764 err = -ENOTCONN; 875 err = -ENOTCONN;
765 break; 876 break;
766 } 877 }
@@ -785,6 +896,60 @@ static int rfcomm_sock_getsockopt(struct socket *sock, int level, int optname, c
785 return err; 896 return err;
786} 897}
787 898
899static int rfcomm_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen)
900{
901 struct sock *sk = sock->sk;
902 struct bt_security sec;
903 int len, err = 0;
904
905 BT_DBG("sk %p", sk);
906
907 if (level == SOL_RFCOMM)
908 return rfcomm_sock_getsockopt_old(sock, optname, optval, optlen);
909
910 if (level != SOL_BLUETOOTH)
911 return -ENOPROTOOPT;
912
913 if (get_user(len, optlen))
914 return -EFAULT;
915
916 lock_sock(sk);
917
918 switch (optname) {
919 case BT_SECURITY:
920 if (sk->sk_type != SOCK_STREAM) {
921 err = -EINVAL;
922 break;
923 }
924
925 sec.level = rfcomm_pi(sk)->sec_level;
926
927 len = min_t(unsigned int, len, sizeof(sec));
928 if (copy_to_user(optval, (char *) &sec, len))
929 err = -EFAULT;
930
931 break;
932
933 case BT_DEFER_SETUP:
934 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
935 err = -EINVAL;
936 break;
937 }
938
939 if (put_user(bt_sk(sk)->defer_setup, (u32 __user *) optval))
940 err = -EFAULT;
941
942 break;
943
944 default:
945 err = -ENOPROTOOPT;
946 break;
947 }
948
949 release_sock(sk);
950 return err;
951}
952
788static int rfcomm_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg) 953static int rfcomm_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
789{ 954{
790 struct sock *sk __maybe_unused = sock->sk; 955 struct sock *sk __maybe_unused = sock->sk;
@@ -888,6 +1053,10 @@ int rfcomm_connect_ind(struct rfcomm_session *s, u8 channel, struct rfcomm_dlc *
888 1053
889done: 1054done:
890 bh_unlock_sock(parent); 1055 bh_unlock_sock(parent);
1056
1057 if (bt_sk(parent)->defer_setup)
1058 parent->sk_state_change(parent);
1059
891 return result; 1060 return result;
892} 1061}
893 1062
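--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -195,7 +195,7 @@ static int sco_connect(struct sock *sk)
 	else
 		type = SCO_LINK;
 
-	hcon = hci_connect(hdev, type, dst, HCI_AT_NO_BONDING);
+	hcon = hci_connect(hdev, type, dst, BT_SECURITY_LOW, HCI_AT_NO_BONDING);
 	if (!hcon)
 		goto done;
 
@@ -668,7 +668,7 @@ static int sco_sock_setsockopt(struct socket *sock, int level, int optname, char
 	return err;
 }
 
-static int sco_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen)
+static int sco_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen)
 {
 	struct sock *sk = sock->sk;
 	struct sco_options opts;
@@ -723,6 +723,31 @@ static int sco_sock_getsockopt(struct socket *sock, int level, int optname, char
 	return err;
 }
 
+static int sco_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen)
+{
+	struct sock *sk = sock->sk;
+	int len, err = 0;
+
+	BT_DBG("sk %p", sk);
+
+	if (level == SOL_SCO)
+		return sco_sock_getsockopt_old(sock, optname, optval, optlen);
+
+	if (get_user(len, optlen))
+		return -EFAULT;
+
+	lock_sock(sk);
+
+	switch (optname) {
+	default:
+		err = -ENOPROTOOPT;
+		break;
+	}
+
+	release_sock(sk);
+	return err;
+}
+
 static int sco_sock_release(struct socket *sock)
 {
 	struct sock *sk = sock->sk;
@@ -832,10 +857,30 @@ done:
 /* ----- SCO interface with lower layer (HCI) ----- */
 static int sco_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, __u8 type)
 {
+	register struct sock *sk;
+	struct hlist_node *node;
+	int lm = 0;
+
+	if (type != SCO_LINK && type != ESCO_LINK)
+		return 0;
+
 	BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
 
-	/* Always accept connection */
-	return HCI_LM_ACCEPT;
+	/* Find listening sockets */
+	read_lock(&sco_sk_list.lock);
+	sk_for_each(sk, node, &sco_sk_list.head) {
+		if (sk->sk_state != BT_LISTEN)
+			continue;
+
+		if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr) ||
+				!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
+			lm |= HCI_LM_ACCEPT;
+			break;
+		}
+	}
+	read_unlock(&sco_sk_list.lock);
+
+	return lm;
 }
 
 static int sco_connect_cfm(struct hci_conn *hcon, __u8 status)
@@ -857,7 +902,7 @@ static int sco_connect_cfm(struct hci_conn *hcon, __u8 status)
 	return 0;
 }
 
-static int sco_disconn_ind(struct hci_conn *hcon, __u8 reason)
+static int sco_disconn_cfm(struct hci_conn *hcon, __u8 reason)
 {
 	BT_DBG("hcon %p reason %d", hcon, reason);
 
@@ -940,7 +985,7 @@ static struct hci_proto sco_hci_proto = {
 	.id = HCI_PROTO_SCO,
 	.connect_ind = sco_connect_ind,
 	.connect_cfm = sco_connect_cfm,
-	.disconn_ind = sco_disconn_ind,
+	.disconn_cfm = sco_disconn_cfm,
 	.recv_scodata = sco_recv_scodata
 };
 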
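Review bot: In the new sco_sock_getsockopt (third hunk of this file), `len` is fetched with get_user() and then never used, and there is no level check before lock_sock(): the rfcomm_sock_getsockopt added by this same commit rejects `level != SOL_BLUETOOTH` with -ENOPROTOOPT before touching the socket, so the SCO variant should mirror it with `if (level != SOL_BLUETOOTH) return -ENOPROTOOPT;` right after the SOL_SCO dispatch, and the `get_user(len, optlen)` line can wait until an option that needs it exists. The observable result is -ENOPROTOOPT either way, so this is a consistency point rather than a functional bug. In sco_connect_ind the `register` qualifier on `sk` is obsolete, and the new acceptance rule deserves a comment above the function, e.g. `/* Accept an incoming (e)SCO link only if a socket is listening on this adapter's address or BDADDR_ANY; return 0 (reject) otherwise. */`, because the previous body accepted unconditionally and anything that relied on that will now see rejected links.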