aboutsummaryrefslogtreecommitdiffstats
path: root/net/bluetooth
diff options
context:
space:
mode:
Diffstat (limited to 'net/bluetooth')
-rw-r--r--net/bluetooth/Kconfig9
-rw-r--r--net/bluetooth/Makefile2
-rw-r--r--net/bluetooth/cmtp/capi.c3
-rw-r--r--net/bluetooth/hci_conn.c88
-rw-r--r--net/bluetooth/hci_core.c264
-rw-r--r--net/bluetooth/hci_event.c289
-rw-r--r--net/bluetooth/hci_sock.c70
-rw-r--r--net/bluetooth/hidp/core.c18
-rw-r--r--net/bluetooth/hidp/hidp.h1
-rw-r--r--net/bluetooth/l2cap_core.c1077
-rw-r--r--net/bluetooth/l2cap_sock.c442
-rw-r--r--net/bluetooth/lib.c23
-rw-r--r--net/bluetooth/mgmt.c281
-rw-r--r--net/bluetooth/rfcomm/sock.c6
-rw-r--r--net/bluetooth/sco.c4
-rw-r--r--net/bluetooth/smp.c702
16 files changed, 2365 insertions, 914 deletions
diff --git a/net/bluetooth/Kconfig b/net/bluetooth/Kconfig
index 6ae5ec508587..bfb3dc03c9de 100644
--- a/net/bluetooth/Kconfig
+++ b/net/bluetooth/Kconfig
@@ -6,6 +6,7 @@ menuconfig BT
6 tristate "Bluetooth subsystem support" 6 tristate "Bluetooth subsystem support"
7 depends on NET && !S390 7 depends on NET && !S390
8 depends on RFKILL || !RFKILL 8 depends on RFKILL || !RFKILL
9 select CRYPTO
9 help 10 help
10 Bluetooth is low-cost, low-power, short-range wireless technology. 11 Bluetooth is low-cost, low-power, short-range wireless technology.
11 It was designed as a replacement for cables and other short-range 12 It was designed as a replacement for cables and other short-range
@@ -22,6 +23,7 @@ menuconfig BT
22 BNEP Module (Bluetooth Network Encapsulation Protocol) 23 BNEP Module (Bluetooth Network Encapsulation Protocol)
23 CMTP Module (CAPI Message Transport Protocol) 24 CMTP Module (CAPI Message Transport Protocol)
24 HIDP Module (Human Interface Device Protocol) 25 HIDP Module (Human Interface Device Protocol)
26 SMP Module (Security Manager Protocol)
25 27
26 Say Y here to compile Bluetooth support into the kernel or say M to 28 Say Y here to compile Bluetooth support into the kernel or say M to
27 compile it as module (bluetooth). 29 compile it as module (bluetooth).
@@ -36,11 +38,18 @@ if BT != n
36config BT_L2CAP 38config BT_L2CAP
37 bool "L2CAP protocol support" 39 bool "L2CAP protocol support"
38 select CRC16 40 select CRC16
41 select CRYPTO
42 select CRYPTO_BLKCIPHER
43 select CRYPTO_AES
44 select CRYPTO_ECB
39 help 45 help
40 L2CAP (Logical Link Control and Adaptation Protocol) provides 46 L2CAP (Logical Link Control and Adaptation Protocol) provides
41 connection oriented and connection-less data transport. L2CAP 47 connection oriented and connection-less data transport. L2CAP
42 support is required for most Bluetooth applications. 48 support is required for most Bluetooth applications.
43 49
50 Also included is support for SMP (Security Manager Protocol) which
51 is the security layer on top of LE (Low Energy) links.
52
44config BT_SCO 53config BT_SCO
45 bool "SCO links support" 54 bool "SCO links support"
46 help 55 help
diff --git a/net/bluetooth/Makefile b/net/bluetooth/Makefile
index f04fe9a9d634..9b67f3d08fa4 100644
--- a/net/bluetooth/Makefile
+++ b/net/bluetooth/Makefile
@@ -9,5 +9,5 @@ obj-$(CONFIG_BT_CMTP) += cmtp/
9obj-$(CONFIG_BT_HIDP) += hidp/ 9obj-$(CONFIG_BT_HIDP) += hidp/
10 10
11bluetooth-y := af_bluetooth.o hci_core.o hci_conn.o hci_event.o mgmt.o hci_sock.o hci_sysfs.o lib.o 11bluetooth-y := af_bluetooth.o hci_core.o hci_conn.o hci_event.o mgmt.o hci_sock.o hci_sysfs.o lib.o
12bluetooth-$(CONFIG_BT_L2CAP) += l2cap_core.o l2cap_sock.o 12bluetooth-$(CONFIG_BT_L2CAP) += l2cap_core.o l2cap_sock.o smp.o
13bluetooth-$(CONFIG_BT_SCO) += sco.o 13bluetooth-$(CONFIG_BT_SCO) += sco.o
diff --git a/net/bluetooth/cmtp/capi.c b/net/bluetooth/cmtp/capi.c
index 744233cba244..040f67b12978 100644
--- a/net/bluetooth/cmtp/capi.c
+++ b/net/bluetooth/cmtp/capi.c
@@ -326,7 +326,7 @@ void cmtp_recv_capimsg(struct cmtp_session *session, struct sk_buff *skb)
326{ 326{
327 struct capi_ctr *ctrl = &session->ctrl; 327 struct capi_ctr *ctrl = &session->ctrl;
328 struct cmtp_application *application; 328 struct cmtp_application *application;
329 __u16 cmd, appl; 329 __u16 appl;
330 __u32 contr; 330 __u32 contr;
331 331
332 BT_DBG("session %p skb %p len %d", session, skb, skb->len); 332 BT_DBG("session %p skb %p len %d", session, skb, skb->len);
@@ -344,7 +344,6 @@ void cmtp_recv_capimsg(struct cmtp_session *session, struct sk_buff *skb)
344 return; 344 return;
345 } 345 }
346 346
347 cmd = CAPICMD(CAPIMSG_COMMAND(skb->data), CAPIMSG_SUBCOMMAND(skb->data));
348 appl = CAPIMSG_APPID(skb->data); 347 appl = CAPIMSG_APPID(skb->data);
349 contr = CAPIMSG_CONTROL(skb->data); 348 contr = CAPIMSG_CONTROL(skb->data);
350 349
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 3163330cd4f1..ea7f031f3b04 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -53,11 +53,13 @@ static void hci_le_connect(struct hci_conn *conn)
53 conn->state = BT_CONNECT; 53 conn->state = BT_CONNECT;
54 conn->out = 1; 54 conn->out = 1;
55 conn->link_mode |= HCI_LM_MASTER; 55 conn->link_mode |= HCI_LM_MASTER;
56 conn->sec_level = BT_SECURITY_LOW;
56 57
57 memset(&cp, 0, sizeof(cp)); 58 memset(&cp, 0, sizeof(cp));
58 cp.scan_interval = cpu_to_le16(0x0004); 59 cp.scan_interval = cpu_to_le16(0x0004);
59 cp.scan_window = cpu_to_le16(0x0004); 60 cp.scan_window = cpu_to_le16(0x0004);
60 bacpy(&cp.peer_addr, &conn->dst); 61 bacpy(&cp.peer_addr, &conn->dst);
62 cp.peer_addr_type = conn->dst_type;
61 cp.conn_interval_min = cpu_to_le16(0x0008); 63 cp.conn_interval_min = cpu_to_le16(0x0008);
62 cp.conn_interval_max = cpu_to_le16(0x0100); 64 cp.conn_interval_max = cpu_to_le16(0x0100);
63 cp.supervision_timeout = cpu_to_le16(0x0064); 65 cp.supervision_timeout = cpu_to_le16(0x0064);
@@ -203,6 +205,55 @@ void hci_le_conn_update(struct hci_conn *conn, u16 min, u16 max,
203} 205}
204EXPORT_SYMBOL(hci_le_conn_update); 206EXPORT_SYMBOL(hci_le_conn_update);
205 207
208void hci_le_start_enc(struct hci_conn *conn, __le16 ediv, __u8 rand[8],
209 __u8 ltk[16])
210{
211 struct hci_dev *hdev = conn->hdev;
212 struct hci_cp_le_start_enc cp;
213
214 BT_DBG("%p", conn);
215
216 memset(&cp, 0, sizeof(cp));
217
218 cp.handle = cpu_to_le16(conn->handle);
219 memcpy(cp.ltk, ltk, sizeof(cp.ltk));
220 cp.ediv = ediv;
221 memcpy(cp.rand, rand, sizeof(rand));
222
223 hci_send_cmd(hdev, HCI_OP_LE_START_ENC, sizeof(cp), &cp);
224}
225EXPORT_SYMBOL(hci_le_start_enc);
226
227void hci_le_ltk_reply(struct hci_conn *conn, u8 ltk[16])
228{
229 struct hci_dev *hdev = conn->hdev;
230 struct hci_cp_le_ltk_reply cp;
231
232 BT_DBG("%p", conn);
233
234 memset(&cp, 0, sizeof(cp));
235
236 cp.handle = cpu_to_le16(conn->handle);
237 memcpy(cp.ltk, ltk, sizeof(ltk));
238
239 hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
240}
241EXPORT_SYMBOL(hci_le_ltk_reply);
242
243void hci_le_ltk_neg_reply(struct hci_conn *conn)
244{
245 struct hci_dev *hdev = conn->hdev;
246 struct hci_cp_le_ltk_neg_reply cp;
247
248 BT_DBG("%p", conn);
249
250 memset(&cp, 0, sizeof(cp));
251
252 cp.handle = cpu_to_le16(conn->handle);
253
254 hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(cp), &cp);
255}
256
206/* Device _must_ be locked */ 257/* Device _must_ be locked */
207void hci_sco_setup(struct hci_conn *conn, __u8 status) 258void hci_sco_setup(struct hci_conn *conn, __u8 status)
208{ 259{
@@ -393,6 +444,9 @@ int hci_conn_del(struct hci_conn *conn)
393 444
394 hci_dev_put(hdev); 445 hci_dev_put(hdev);
395 446
447 if (conn->handle == 0)
448 kfree(conn);
449
396 return 0; 450 return 0;
397} 451}
398 452
@@ -447,14 +501,23 @@ struct hci_conn *hci_connect(struct hci_dev *hdev, int type, bdaddr_t *dst, __u8
447 BT_DBG("%s dst %s", hdev->name, batostr(dst)); 501 BT_DBG("%s dst %s", hdev->name, batostr(dst));
448 502
449 if (type == LE_LINK) { 503 if (type == LE_LINK) {
504 struct adv_entry *entry;
505
450 le = hci_conn_hash_lookup_ba(hdev, LE_LINK, dst); 506 le = hci_conn_hash_lookup_ba(hdev, LE_LINK, dst);
451 if (le) 507 if (le)
452 return ERR_PTR(-EBUSY); 508 return ERR_PTR(-EBUSY);
509
510 entry = hci_find_adv_entry(hdev, dst);
511 if (!entry)
512 return ERR_PTR(-EHOSTUNREACH);
513
453 le = hci_conn_add(hdev, LE_LINK, dst); 514 le = hci_conn_add(hdev, LE_LINK, dst);
454 if (!le) 515 if (!le)
455 return ERR_PTR(-ENOMEM); 516 return ERR_PTR(-ENOMEM);
456 if (le->state == BT_OPEN) 517
457 hci_le_connect(le); 518 le->dst_type = entry->bdaddr_type;
519
520 hci_le_connect(le);
458 521
459 hci_conn_hold(le); 522 hci_conn_hold(le);
460 523
@@ -497,7 +560,7 @@ struct hci_conn *hci_connect(struct hci_dev *hdev, int type, bdaddr_t *dst, __u8
497 if (acl->state == BT_CONNECTED && 560 if (acl->state == BT_CONNECTED &&
498 (sco->state == BT_OPEN || sco->state == BT_CLOSED)) { 561 (sco->state == BT_OPEN || sco->state == BT_CLOSED)) {
499 acl->power_save = 1; 562 acl->power_save = 1;
500 hci_conn_enter_active_mode(acl); 563 hci_conn_enter_active_mode(acl, BT_POWER_FORCE_ACTIVE_ON);
501 564
502 if (test_bit(HCI_CONN_MODE_CHANGE_PEND, &acl->pend)) { 565 if (test_bit(HCI_CONN_MODE_CHANGE_PEND, &acl->pend)) {
503 /* defer SCO setup until mode change completed */ 566 /* defer SCO setup until mode change completed */
@@ -548,6 +611,8 @@ static int hci_conn_auth(struct hci_conn *conn, __u8 sec_level, __u8 auth_type)
548 cp.handle = cpu_to_le16(conn->handle); 611 cp.handle = cpu_to_le16(conn->handle);
549 hci_send_cmd(conn->hdev, HCI_OP_AUTH_REQUESTED, 612 hci_send_cmd(conn->hdev, HCI_OP_AUTH_REQUESTED,
550 sizeof(cp), &cp); 613 sizeof(cp), &cp);
614 if (conn->key_type != 0xff)
615 set_bit(HCI_CONN_REAUTH_PEND, &conn->pend);
551 } 616 }
552 617
553 return 0; 618 return 0;
@@ -608,11 +673,11 @@ int hci_conn_security(struct hci_conn *conn, __u8 sec_level, __u8 auth_type)
608 goto encrypt; 673 goto encrypt;
609 674
610auth: 675auth:
611 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &conn->pend)) 676 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->pend))
612 return 0; 677 return 0;
613 678
614 hci_conn_auth(conn, sec_level, auth_type); 679 if (!hci_conn_auth(conn, sec_level, auth_type))
615 return 0; 680 return 0;
616 681
617encrypt: 682encrypt:
618 if (conn->link_mode & HCI_LM_ENCRYPT) 683 if (conn->link_mode & HCI_LM_ENCRYPT)
@@ -631,9 +696,7 @@ int hci_conn_check_secure(struct hci_conn *conn, __u8 sec_level)
631 if (sec_level != BT_SECURITY_HIGH) 696 if (sec_level != BT_SECURITY_HIGH)
632 return 1; /* Accept if non-secure is required */ 697 return 1; /* Accept if non-secure is required */
633 698
634 if (conn->key_type == HCI_LK_AUTH_COMBINATION || 699 if (conn->sec_level == BT_SECURITY_HIGH)
635 (conn->key_type == HCI_LK_COMBINATION &&
636 conn->pin_length == 16))
637 return 1; 700 return 1;
638 701
639 return 0; /* Reject not secure link */ 702 return 0; /* Reject not secure link */
@@ -676,7 +739,7 @@ int hci_conn_switch_role(struct hci_conn *conn, __u8 role)
676EXPORT_SYMBOL(hci_conn_switch_role); 739EXPORT_SYMBOL(hci_conn_switch_role);
677 740
678/* Enter active mode */ 741/* Enter active mode */
679void hci_conn_enter_active_mode(struct hci_conn *conn) 742void hci_conn_enter_active_mode(struct hci_conn *conn, __u8 force_active)
680{ 743{
681 struct hci_dev *hdev = conn->hdev; 744 struct hci_dev *hdev = conn->hdev;
682 745
@@ -685,7 +748,10 @@ void hci_conn_enter_active_mode(struct hci_conn *conn)
685 if (test_bit(HCI_RAW, &hdev->flags)) 748 if (test_bit(HCI_RAW, &hdev->flags))
686 return; 749 return;
687 750
688 if (conn->mode != HCI_CM_SNIFF || !conn->power_save) 751 if (conn->mode != HCI_CM_SNIFF)
752 goto timer;
753
754 if (!conn->power_save && !force_active)
689 goto timer; 755 goto timer;
690 756
691 if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->pend)) { 757 if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->pend)) {
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 815269b07f20..ec0bc3f60f2e 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -42,6 +42,7 @@
42#include <linux/notifier.h> 42#include <linux/notifier.h>
43#include <linux/rfkill.h> 43#include <linux/rfkill.h>
44#include <linux/timer.h> 44#include <linux/timer.h>
45#include <linux/crypto.h>
45#include <net/sock.h> 46#include <net/sock.h>
46 47
47#include <asm/system.h> 48#include <asm/system.h>
@@ -145,7 +146,7 @@ static int __hci_request(struct hci_dev *hdev, void (*req)(struct hci_dev *hdev,
145 146
146 switch (hdev->req_status) { 147 switch (hdev->req_status) {
147 case HCI_REQ_DONE: 148 case HCI_REQ_DONE:
148 err = -bt_err(hdev->req_result); 149 err = -bt_to_errno(hdev->req_result);
149 break; 150 break;
150 151
151 case HCI_REQ_CANCELED: 152 case HCI_REQ_CANCELED:
@@ -539,7 +540,7 @@ int hci_dev_open(__u16 dev)
539 ret = __hci_request(hdev, hci_init_req, 0, 540 ret = __hci_request(hdev, hci_init_req, 0,
540 msecs_to_jiffies(HCI_INIT_TIMEOUT)); 541 msecs_to_jiffies(HCI_INIT_TIMEOUT));
541 542
542 if (lmp_le_capable(hdev)) 543 if (lmp_host_le_capable(hdev))
543 ret = __hci_request(hdev, hci_le_init_req, 0, 544 ret = __hci_request(hdev, hci_le_init_req, 0,
544 msecs_to_jiffies(HCI_INIT_TIMEOUT)); 545 msecs_to_jiffies(HCI_INIT_TIMEOUT));
545 546
@@ -1056,6 +1057,42 @@ static int hci_persistent_key(struct hci_dev *hdev, struct hci_conn *conn,
1056 return 0; 1057 return 0;
1057} 1058}
1058 1059
1060struct link_key *hci_find_ltk(struct hci_dev *hdev, __le16 ediv, u8 rand[8])
1061{
1062 struct link_key *k;
1063
1064 list_for_each_entry(k, &hdev->link_keys, list) {
1065 struct key_master_id *id;
1066
1067 if (k->type != HCI_LK_SMP_LTK)
1068 continue;
1069
1070 if (k->dlen != sizeof(*id))
1071 continue;
1072
1073 id = (void *) &k->data;
1074 if (id->ediv == ediv &&
1075 (memcmp(rand, id->rand, sizeof(id->rand)) == 0))
1076 return k;
1077 }
1078
1079 return NULL;
1080}
1081EXPORT_SYMBOL(hci_find_ltk);
1082
1083struct link_key *hci_find_link_key_type(struct hci_dev *hdev,
1084 bdaddr_t *bdaddr, u8 type)
1085{
1086 struct link_key *k;
1087
1088 list_for_each_entry(k, &hdev->link_keys, list)
1089 if (k->type == type && bacmp(bdaddr, &k->bdaddr) == 0)
1090 return k;
1091
1092 return NULL;
1093}
1094EXPORT_SYMBOL(hci_find_link_key_type);
1095
1059int hci_add_link_key(struct hci_dev *hdev, struct hci_conn *conn, int new_key, 1096int hci_add_link_key(struct hci_dev *hdev, struct hci_conn *conn, int new_key,
1060 bdaddr_t *bdaddr, u8 *val, u8 type, u8 pin_len) 1097 bdaddr_t *bdaddr, u8 *val, u8 type, u8 pin_len)
1061{ 1098{
@@ -1111,6 +1148,44 @@ int hci_add_link_key(struct hci_dev *hdev, struct hci_conn *conn, int new_key,
1111 return 0; 1148 return 0;
1112} 1149}
1113 1150
1151int hci_add_ltk(struct hci_dev *hdev, int new_key, bdaddr_t *bdaddr,
1152 u8 key_size, __le16 ediv, u8 rand[8], u8 ltk[16])
1153{
1154 struct link_key *key, *old_key;
1155 struct key_master_id *id;
1156 u8 old_key_type;
1157
1158 BT_DBG("%s addr %s", hdev->name, batostr(bdaddr));
1159
1160 old_key = hci_find_link_key_type(hdev, bdaddr, HCI_LK_SMP_LTK);
1161 if (old_key) {
1162 key = old_key;
1163 old_key_type = old_key->type;
1164 } else {
1165 key = kzalloc(sizeof(*key) + sizeof(*id), GFP_ATOMIC);
1166 if (!key)
1167 return -ENOMEM;
1168 list_add(&key->list, &hdev->link_keys);
1169 old_key_type = 0xff;
1170 }
1171
1172 key->dlen = sizeof(*id);
1173
1174 bacpy(&key->bdaddr, bdaddr);
1175 memcpy(key->val, ltk, sizeof(key->val));
1176 key->type = HCI_LK_SMP_LTK;
1177 key->pin_len = key_size;
1178
1179 id = (void *) &key->data;
1180 id->ediv = ediv;
1181 memcpy(id->rand, rand, sizeof(id->rand));
1182
1183 if (new_key)
1184 mgmt_new_key(hdev->id, key, old_key_type);
1185
1186 return 0;
1187}
1188
1114int hci_remove_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr) 1189int hci_remove_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr)
1115{ 1190{
1116 struct link_key *key; 1191 struct link_key *key;
@@ -1202,6 +1277,169 @@ int hci_add_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 *hash,
1202 return 0; 1277 return 0;
1203} 1278}
1204 1279
1280struct bdaddr_list *hci_blacklist_lookup(struct hci_dev *hdev,
1281 bdaddr_t *bdaddr)
1282{
1283 struct list_head *p;
1284
1285 list_for_each(p, &hdev->blacklist) {
1286 struct bdaddr_list *b;
1287
1288 b = list_entry(p, struct bdaddr_list, list);
1289
1290 if (bacmp(bdaddr, &b->bdaddr) == 0)
1291 return b;
1292 }
1293
1294 return NULL;
1295}
1296
1297int hci_blacklist_clear(struct hci_dev *hdev)
1298{
1299 struct list_head *p, *n;
1300
1301 list_for_each_safe(p, n, &hdev->blacklist) {
1302 struct bdaddr_list *b;
1303
1304 b = list_entry(p, struct bdaddr_list, list);
1305
1306 list_del(p);
1307 kfree(b);
1308 }
1309
1310 return 0;
1311}
1312
1313int hci_blacklist_add(struct hci_dev *hdev, bdaddr_t *bdaddr)
1314{
1315 struct bdaddr_list *entry;
1316 int err;
1317
1318 if (bacmp(bdaddr, BDADDR_ANY) == 0)
1319 return -EBADF;
1320
1321 hci_dev_lock_bh(hdev);
1322
1323 if (hci_blacklist_lookup(hdev, bdaddr)) {
1324 err = -EEXIST;
1325 goto err;
1326 }
1327
1328 entry = kzalloc(sizeof(struct bdaddr_list), GFP_KERNEL);
1329 if (!entry) {
1330 return -ENOMEM;
1331 goto err;
1332 }
1333
1334 bacpy(&entry->bdaddr, bdaddr);
1335
1336 list_add(&entry->list, &hdev->blacklist);
1337
1338 err = 0;
1339
1340err:
1341 hci_dev_unlock_bh(hdev);
1342 return err;
1343}
1344
1345int hci_blacklist_del(struct hci_dev *hdev, bdaddr_t *bdaddr)
1346{
1347 struct bdaddr_list *entry;
1348 int err = 0;
1349
1350 hci_dev_lock_bh(hdev);
1351
1352 if (bacmp(bdaddr, BDADDR_ANY) == 0) {
1353 hci_blacklist_clear(hdev);
1354 goto done;
1355 }
1356
1357 entry = hci_blacklist_lookup(hdev, bdaddr);
1358 if (!entry) {
1359 err = -ENOENT;
1360 goto done;
1361 }
1362
1363 list_del(&entry->list);
1364 kfree(entry);
1365
1366done:
1367 hci_dev_unlock_bh(hdev);
1368 return err;
1369}
1370
1371static void hci_clear_adv_cache(unsigned long arg)
1372{
1373 struct hci_dev *hdev = (void *) arg;
1374
1375 hci_dev_lock(hdev);
1376
1377 hci_adv_entries_clear(hdev);
1378
1379 hci_dev_unlock(hdev);
1380}
1381
1382int hci_adv_entries_clear(struct hci_dev *hdev)
1383{
1384 struct adv_entry *entry, *tmp;
1385
1386 list_for_each_entry_safe(entry, tmp, &hdev->adv_entries, list) {
1387 list_del(&entry->list);
1388 kfree(entry);
1389 }
1390
1391 BT_DBG("%s adv cache cleared", hdev->name);
1392
1393 return 0;
1394}
1395
1396struct adv_entry *hci_find_adv_entry(struct hci_dev *hdev, bdaddr_t *bdaddr)
1397{
1398 struct adv_entry *entry;
1399
1400 list_for_each_entry(entry, &hdev->adv_entries, list)
1401 if (bacmp(bdaddr, &entry->bdaddr) == 0)
1402 return entry;
1403
1404 return NULL;
1405}
1406
1407static inline int is_connectable_adv(u8 evt_type)
1408{
1409 if (evt_type == ADV_IND || evt_type == ADV_DIRECT_IND)
1410 return 1;
1411
1412 return 0;
1413}
1414
1415int hci_add_adv_entry(struct hci_dev *hdev,
1416 struct hci_ev_le_advertising_info *ev)
1417{
1418 struct adv_entry *entry;
1419
1420 if (!is_connectable_adv(ev->evt_type))
1421 return -EINVAL;
1422
1423 /* Only new entries should be added to adv_entries. So, if
1424 * bdaddr was found, don't add it. */
1425 if (hci_find_adv_entry(hdev, &ev->bdaddr))
1426 return 0;
1427
1428 entry = kzalloc(sizeof(*entry), GFP_ATOMIC);
1429 if (!entry)
1430 return -ENOMEM;
1431
1432 bacpy(&entry->bdaddr, &ev->bdaddr);
1433 entry->bdaddr_type = ev->bdaddr_type;
1434
1435 list_add(&entry->list, &hdev->adv_entries);
1436
1437 BT_DBG("%s adv entry added: address %s type %u", hdev->name,
1438 batostr(&entry->bdaddr), entry->bdaddr_type);
1439
1440 return 0;
1441}
1442
1205/* Register HCI device */ 1443/* Register HCI device */
1206int hci_register_dev(struct hci_dev *hdev) 1444int hci_register_dev(struct hci_dev *hdev)
1207{ 1445{
@@ -1268,6 +1506,10 @@ int hci_register_dev(struct hci_dev *hdev)
1268 1506
1269 INIT_LIST_HEAD(&hdev->remote_oob_data); 1507 INIT_LIST_HEAD(&hdev->remote_oob_data);
1270 1508
1509 INIT_LIST_HEAD(&hdev->adv_entries);
1510 setup_timer(&hdev->adv_timer, hci_clear_adv_cache,
1511 (unsigned long) hdev);
1512
1271 INIT_WORK(&hdev->power_on, hci_power_on); 1513 INIT_WORK(&hdev->power_on, hci_power_on);
1272 INIT_WORK(&hdev->power_off, hci_power_off); 1514 INIT_WORK(&hdev->power_off, hci_power_off);
1273 setup_timer(&hdev->off_timer, hci_auto_off, (unsigned long) hdev); 1515 setup_timer(&hdev->off_timer, hci_auto_off, (unsigned long) hdev);
@@ -1282,6 +1524,11 @@ int hci_register_dev(struct hci_dev *hdev)
1282 if (!hdev->workqueue) 1524 if (!hdev->workqueue)
1283 goto nomem; 1525 goto nomem;
1284 1526
1527 hdev->tfm = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
1528 if (IS_ERR(hdev->tfm))
1529 BT_INFO("Failed to load transform for ecb(aes): %ld",
1530 PTR_ERR(hdev->tfm));
1531
1285 hci_register_sysfs(hdev); 1532 hci_register_sysfs(hdev);
1286 1533
1287 hdev->rfkill = rfkill_alloc(hdev->name, &hdev->dev, 1534 hdev->rfkill = rfkill_alloc(hdev->name, &hdev->dev,
@@ -1330,6 +1577,9 @@ int hci_unregister_dev(struct hci_dev *hdev)
1330 !test_bit(HCI_SETUP, &hdev->flags)) 1577 !test_bit(HCI_SETUP, &hdev->flags))
1331 mgmt_index_removed(hdev->id); 1578 mgmt_index_removed(hdev->id);
1332 1579
1580 if (!IS_ERR(hdev->tfm))
1581 crypto_free_blkcipher(hdev->tfm);
1582
1333 hci_notify(hdev, HCI_DEV_UNREG); 1583 hci_notify(hdev, HCI_DEV_UNREG);
1334 1584
1335 if (hdev->rfkill) { 1585 if (hdev->rfkill) {
@@ -1340,6 +1590,7 @@ int hci_unregister_dev(struct hci_dev *hdev)
1340 hci_unregister_sysfs(hdev); 1590 hci_unregister_sysfs(hdev);
1341 1591
1342 hci_del_off_timer(hdev); 1592 hci_del_off_timer(hdev);
1593 del_timer(&hdev->adv_timer);
1343 1594
1344 destroy_workqueue(hdev->workqueue); 1595 destroy_workqueue(hdev->workqueue);
1345 1596
@@ -1348,6 +1599,7 @@ int hci_unregister_dev(struct hci_dev *hdev)
1348 hci_uuids_clear(hdev); 1599 hci_uuids_clear(hdev);
1349 hci_link_keys_clear(hdev); 1600 hci_link_keys_clear(hdev);
1350 hci_remote_oob_data_clear(hdev); 1601 hci_remote_oob_data_clear(hdev);
1602 hci_adv_entries_clear(hdev);
1351 hci_dev_unlock_bh(hdev); 1603 hci_dev_unlock_bh(hdev);
1352 1604
1353 __hci_dev_put(hdev); 1605 __hci_dev_put(hdev);
@@ -1519,7 +1771,7 @@ int hci_recv_fragment(struct hci_dev *hdev, int type, void *data, int count)
1519 1771
1520 data += (count - rem); 1772 data += (count - rem);
1521 count = rem; 1773 count = rem;
1522 }; 1774 }
1523 1775
1524 return rem; 1776 return rem;
1525} 1777}
@@ -1554,7 +1806,7 @@ int hci_recv_stream_fragment(struct hci_dev *hdev, void *data, int count)
1554 1806
1555 data += (count - rem); 1807 data += (count - rem);
1556 count = rem; 1808 count = rem;
1557 }; 1809 }
1558 1810
1559 return rem; 1811 return rem;
1560} 1812}
@@ -1891,7 +2143,7 @@ static inline void hci_sched_acl(struct hci_dev *hdev)
1891 while (quote-- && (skb = skb_dequeue(&conn->data_q))) { 2143 while (quote-- && (skb = skb_dequeue(&conn->data_q))) {
1892 BT_DBG("skb %p len %d", skb, skb->len); 2144 BT_DBG("skb %p len %d", skb, skb->len);
1893 2145
1894 hci_conn_enter_active_mode(conn); 2146 hci_conn_enter_active_mode(conn, bt_cb(skb)->force_active);
1895 2147
1896 hci_send_frame(skb); 2148 hci_send_frame(skb);
1897 hdev->acl_last_tx = jiffies; 2149 hdev->acl_last_tx = jiffies;
@@ -2030,7 +2282,7 @@ static inline void hci_acldata_packet(struct hci_dev *hdev, struct sk_buff *skb)
2030 if (conn) { 2282 if (conn) {
2031 register struct hci_proto *hp; 2283 register struct hci_proto *hp;
2032 2284
2033 hci_conn_enter_active_mode(conn); 2285 hci_conn_enter_active_mode(conn, bt_cb(skb)->force_active);
2034 2286
2035 /* Send to upper protocol */ 2287 /* Send to upper protocol */
2036 hp = hci_proto[HCI_PROTO_L2CAP]; 2288 hp = hci_proto[HCI_PROTO_L2CAP];
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 77930aa522e3..a40170e022e8 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -45,6 +45,8 @@
45#include <net/bluetooth/bluetooth.h> 45#include <net/bluetooth/bluetooth.h>
46#include <net/bluetooth/hci_core.h> 46#include <net/bluetooth/hci_core.h>
47 47
48static int enable_le;
49
48/* Handle HCI Event packets */ 50/* Handle HCI Event packets */
49 51
50static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb) 52static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb)
@@ -525,6 +527,20 @@ static void hci_setup_event_mask(struct hci_dev *hdev)
525 hci_send_cmd(hdev, HCI_OP_SET_EVENT_MASK, sizeof(events), events); 527 hci_send_cmd(hdev, HCI_OP_SET_EVENT_MASK, sizeof(events), events);
526} 528}
527 529
530static void hci_set_le_support(struct hci_dev *hdev)
531{
532 struct hci_cp_write_le_host_supported cp;
533
534 memset(&cp, 0, sizeof(cp));
535
536 if (enable_le) {
537 cp.le = 1;
538 cp.simul = !!(hdev->features[6] & LMP_SIMUL_LE_BR);
539 }
540
541 hci_send_cmd(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED, sizeof(cp), &cp);
542}
543
528static void hci_setup(struct hci_dev *hdev) 544static void hci_setup(struct hci_dev *hdev)
529{ 545{
530 hci_setup_event_mask(hdev); 546 hci_setup_event_mask(hdev);
@@ -542,6 +558,17 @@ static void hci_setup(struct hci_dev *hdev)
542 558
543 if (hdev->features[7] & LMP_INQ_TX_PWR) 559 if (hdev->features[7] & LMP_INQ_TX_PWR)
544 hci_send_cmd(hdev, HCI_OP_READ_INQ_RSP_TX_POWER, 0, NULL); 560 hci_send_cmd(hdev, HCI_OP_READ_INQ_RSP_TX_POWER, 0, NULL);
561
562 if (hdev->features[7] & LMP_EXTFEATURES) {
563 struct hci_cp_read_local_ext_features cp;
564
565 cp.page = 0x01;
566 hci_send_cmd(hdev, HCI_OP_READ_LOCAL_EXT_FEATURES,
567 sizeof(cp), &cp);
568 }
569
570 if (hdev->features[4] & LMP_LE)
571 hci_set_le_support(hdev);
545} 572}
546 573
547static void hci_cc_read_local_version(struct hci_dev *hdev, struct sk_buff *skb) 574static void hci_cc_read_local_version(struct hci_dev *hdev, struct sk_buff *skb)
@@ -658,6 +685,21 @@ static void hci_cc_read_local_features(struct hci_dev *hdev, struct sk_buff *skb
658 hdev->features[6], hdev->features[7]); 685 hdev->features[6], hdev->features[7]);
659} 686}
660 687
688static void hci_cc_read_local_ext_features(struct hci_dev *hdev,
689 struct sk_buff *skb)
690{
691 struct hci_rp_read_local_ext_features *rp = (void *) skb->data;
692
693 BT_DBG("%s status 0x%x", hdev->name, rp->status);
694
695 if (rp->status)
696 return;
697
698 memcpy(hdev->extfeatures, rp->features, 8);
699
700 hci_req_complete(hdev, HCI_OP_READ_LOCAL_EXT_FEATURES, rp->status);
701}
702
661static void hci_cc_read_buffer_size(struct hci_dev *hdev, struct sk_buff *skb) 703static void hci_cc_read_buffer_size(struct hci_dev *hdev, struct sk_buff *skb)
662{ 704{
663 struct hci_rp_read_buffer_size *rp = (void *) skb->data; 705 struct hci_rp_read_buffer_size *rp = (void *) skb->data;
@@ -841,6 +883,72 @@ static void hci_cc_read_local_oob_data_reply(struct hci_dev *hdev,
841 rp->randomizer, rp->status); 883 rp->randomizer, rp->status);
842} 884}
843 885
886static void hci_cc_le_set_scan_enable(struct hci_dev *hdev,
887 struct sk_buff *skb)
888{
889 struct hci_cp_le_set_scan_enable *cp;
890 __u8 status = *((__u8 *) skb->data);
891
892 BT_DBG("%s status 0x%x", hdev->name, status);
893
894 if (status)
895 return;
896
897 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE);
898 if (!cp)
899 return;
900
901 hci_dev_lock(hdev);
902
903 if (cp->enable == 0x01) {
904 del_timer(&hdev->adv_timer);
905 hci_adv_entries_clear(hdev);
906 } else if (cp->enable == 0x00) {
907 mod_timer(&hdev->adv_timer, jiffies + ADV_CLEAR_TIMEOUT);
908 }
909
910 hci_dev_unlock(hdev);
911}
912
913static void hci_cc_le_ltk_reply(struct hci_dev *hdev, struct sk_buff *skb)
914{
915 struct hci_rp_le_ltk_reply *rp = (void *) skb->data;
916
917 BT_DBG("%s status 0x%x", hdev->name, rp->status);
918
919 if (rp->status)
920 return;
921
922 hci_req_complete(hdev, HCI_OP_LE_LTK_REPLY, rp->status);
923}
924
925static void hci_cc_le_ltk_neg_reply(struct hci_dev *hdev, struct sk_buff *skb)
926{
927 struct hci_rp_le_ltk_neg_reply *rp = (void *) skb->data;
928
929 BT_DBG("%s status 0x%x", hdev->name, rp->status);
930
931 if (rp->status)
932 return;
933
934 hci_req_complete(hdev, HCI_OP_LE_LTK_NEG_REPLY, rp->status);
935}
936
937static inline void hci_cc_write_le_host_supported(struct hci_dev *hdev,
938 struct sk_buff *skb)
939{
940 struct hci_cp_read_local_ext_features cp;
941 __u8 status = *((__u8 *) skb->data);
942
943 BT_DBG("%s status 0x%x", hdev->name, status);
944
945 if (status)
946 return;
947
948 cp.page = 0x01;
949 hci_send_cmd(hdev, HCI_OP_READ_LOCAL_EXT_FEATURES, sizeof(cp), &cp);
950}
951
844static inline void hci_cs_inquiry(struct hci_dev *hdev, __u8 status) 952static inline void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
845{ 953{
846 BT_DBG("%s status 0x%x", hdev->name, status); 954 BT_DBG("%s status 0x%x", hdev->name, status);
@@ -1209,16 +1317,23 @@ static void hci_cs_le_create_conn(struct hci_dev *hdev, __u8 status)
1209 } else { 1317 } else {
1210 if (!conn) { 1318 if (!conn) {
1211 conn = hci_conn_add(hdev, LE_LINK, &cp->peer_addr); 1319 conn = hci_conn_add(hdev, LE_LINK, &cp->peer_addr);
1212 if (conn) 1320 if (conn) {
1321 conn->dst_type = cp->peer_addr_type;
1213 conn->out = 1; 1322 conn->out = 1;
1214 else 1323 } else {
1215 BT_ERR("No memory for new connection"); 1324 BT_ERR("No memory for new connection");
1325 }
1216 } 1326 }
1217 } 1327 }
1218 1328
1219 hci_dev_unlock(hdev); 1329 hci_dev_unlock(hdev);
1220} 1330}
1221 1331
1332static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status)
1333{
1334 BT_DBG("%s status 0x%x", hdev->name, status);
1335}
1336
1222static inline void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 1337static inline void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
1223{ 1338{
1224 __u8 status = *((__u8 *) skb->data); 1339 __u8 status = *((__u8 *) skb->data);
@@ -1462,51 +1577,58 @@ static inline void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *s
1462 hci_dev_lock(hdev); 1577 hci_dev_lock(hdev);
1463 1578
1464 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 1579 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
1465 if (conn) { 1580 if (!conn)
1466 if (!ev->status) { 1581 goto unlock;
1582
1583 if (!ev->status) {
1584 if (!(conn->ssp_mode > 0 && hdev->ssp_mode > 0) &&
1585 test_bit(HCI_CONN_REAUTH_PEND, &conn->pend)) {
1586 BT_INFO("re-auth of legacy device is not possible.");
1587 } else {
1467 conn->link_mode |= HCI_LM_AUTH; 1588 conn->link_mode |= HCI_LM_AUTH;
1468 conn->sec_level = conn->pending_sec_level; 1589 conn->sec_level = conn->pending_sec_level;
1469 } else {
1470 mgmt_auth_failed(hdev->id, &conn->dst, ev->status);
1471 } 1590 }
1591 } else {
1592 mgmt_auth_failed(hdev->id, &conn->dst, ev->status);
1593 }
1472 1594
1473 clear_bit(HCI_CONN_AUTH_PEND, &conn->pend); 1595 clear_bit(HCI_CONN_AUTH_PEND, &conn->pend);
1596 clear_bit(HCI_CONN_REAUTH_PEND, &conn->pend);
1474 1597
1475 if (conn->state == BT_CONFIG) { 1598 if (conn->state == BT_CONFIG) {
1476 if (!ev->status && hdev->ssp_mode > 0 && 1599 if (!ev->status && hdev->ssp_mode > 0 && conn->ssp_mode > 0) {
1477 conn->ssp_mode > 0) { 1600 struct hci_cp_set_conn_encrypt cp;
1478 struct hci_cp_set_conn_encrypt cp; 1601 cp.handle = ev->handle;
1479 cp.handle = ev->handle; 1602 cp.encrypt = 0x01;
1480 cp.encrypt = 0x01; 1603 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
1481 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, 1604 &cp);
1482 sizeof(cp), &cp);
1483 } else {
1484 conn->state = BT_CONNECTED;
1485 hci_proto_connect_cfm(conn, ev->status);
1486 hci_conn_put(conn);
1487 }
1488 } else { 1605 } else {
1489 hci_auth_cfm(conn, ev->status); 1606 conn->state = BT_CONNECTED;
1490 1607 hci_proto_connect_cfm(conn, ev->status);
1491 hci_conn_hold(conn);
1492 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
1493 hci_conn_put(conn); 1608 hci_conn_put(conn);
1494 } 1609 }
1610 } else {
1611 hci_auth_cfm(conn, ev->status);
1495 1612
1496 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->pend)) { 1613 hci_conn_hold(conn);
1497 if (!ev->status) { 1614 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
1498 struct hci_cp_set_conn_encrypt cp; 1615 hci_conn_put(conn);
1499 cp.handle = ev->handle; 1616 }
1500 cp.encrypt = 0x01; 1617
1501 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, 1618 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->pend)) {
1502 sizeof(cp), &cp); 1619 if (!ev->status) {
1503 } else { 1620 struct hci_cp_set_conn_encrypt cp;
1504 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->pend); 1621 cp.handle = ev->handle;
1505 hci_encrypt_cfm(conn, ev->status, 0x00); 1622 cp.encrypt = 0x01;
1506 } 1623 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
1624 &cp);
1625 } else {
1626 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->pend);
1627 hci_encrypt_cfm(conn, ev->status, 0x00);
1507 } 1628 }
1508 } 1629 }
1509 1630
1631unlock:
1510 hci_dev_unlock(hdev); 1632 hci_dev_unlock(hdev);
1511} 1633}
1512 1634
@@ -1557,6 +1679,7 @@ static inline void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *
1557 /* Encryption implies authentication */ 1679 /* Encryption implies authentication */
1558 conn->link_mode |= HCI_LM_AUTH; 1680 conn->link_mode |= HCI_LM_AUTH;
1559 conn->link_mode |= HCI_LM_ENCRYPT; 1681 conn->link_mode |= HCI_LM_ENCRYPT;
1682 conn->sec_level = conn->pending_sec_level;
1560 } else 1683 } else
1561 conn->link_mode &= ~HCI_LM_ENCRYPT; 1684 conn->link_mode &= ~HCI_LM_ENCRYPT;
1562 } 1685 }
@@ -1760,6 +1883,10 @@ static inline void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *sk
1760 hci_cc_read_local_features(hdev, skb); 1883 hci_cc_read_local_features(hdev, skb);
1761 break; 1884 break;
1762 1885
1886 case HCI_OP_READ_LOCAL_EXT_FEATURES:
1887 hci_cc_read_local_ext_features(hdev, skb);
1888 break;
1889
1763 case HCI_OP_READ_BUFFER_SIZE: 1890 case HCI_OP_READ_BUFFER_SIZE:
1764 hci_cc_read_buffer_size(hdev, skb); 1891 hci_cc_read_buffer_size(hdev, skb);
1765 break; 1892 break;
@@ -1816,6 +1943,22 @@ static inline void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *sk
1816 hci_cc_user_confirm_neg_reply(hdev, skb); 1943 hci_cc_user_confirm_neg_reply(hdev, skb);
1817 break; 1944 break;
1818 1945
1946 case HCI_OP_LE_SET_SCAN_ENABLE:
1947 hci_cc_le_set_scan_enable(hdev, skb);
1948 break;
1949
1950 case HCI_OP_LE_LTK_REPLY:
1951 hci_cc_le_ltk_reply(hdev, skb);
1952 break;
1953
1954 case HCI_OP_LE_LTK_NEG_REPLY:
1955 hci_cc_le_ltk_neg_reply(hdev, skb);
1956 break;
1957
1958 case HCI_OP_WRITE_LE_HOST_SUPPORTED:
1959 hci_cc_write_le_host_supported(hdev, skb);
1960 break;
1961
1819 default: 1962 default:
1820 BT_DBG("%s opcode 0x%x", hdev->name, opcode); 1963 BT_DBG("%s opcode 0x%x", hdev->name, opcode);
1821 break; 1964 break;
@@ -1894,6 +2037,10 @@ static inline void hci_cmd_status_evt(struct hci_dev *hdev, struct sk_buff *skb)
1894 hci_cs_le_create_conn(hdev, ev->status); 2037 hci_cs_le_create_conn(hdev, ev->status);
1895 break; 2038 break;
1896 2039
2040 case HCI_OP_LE_START_ENC:
2041 hci_cs_le_start_enc(hdev, ev->status);
2042 break;
2043
1897 default: 2044 default:
1898 BT_DBG("%s opcode 0x%x", hdev->name, opcode); 2045 BT_DBG("%s opcode 0x%x", hdev->name, opcode);
1899 break; 2046 break;
@@ -2658,6 +2805,8 @@ static inline void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff
2658 hci_dev_unlock(hdev); 2805 hci_dev_unlock(hdev);
2659 return; 2806 return;
2660 } 2807 }
2808
2809 conn->dst_type = ev->bdaddr_type;
2661 } 2810 }
2662 2811
2663 if (ev->status) { 2812 if (ev->status) {
@@ -2670,6 +2819,7 @@ static inline void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff
2670 2819
2671 mgmt_connected(hdev->id, &ev->bdaddr); 2820 mgmt_connected(hdev->id, &ev->bdaddr);
2672 2821
2822 conn->sec_level = BT_SECURITY_LOW;
2673 conn->handle = __le16_to_cpu(ev->handle); 2823 conn->handle = __le16_to_cpu(ev->handle);
2674 conn->state = BT_CONNECTED; 2824 conn->state = BT_CONNECTED;
2675 2825
@@ -2682,6 +2832,64 @@ unlock:
2682 hci_dev_unlock(hdev); 2832 hci_dev_unlock(hdev);
2683} 2833}
2684 2834
2835static inline void hci_le_adv_report_evt(struct hci_dev *hdev,
2836 struct sk_buff *skb)
2837{
2838 struct hci_ev_le_advertising_info *ev;
2839 u8 num_reports;
2840
2841 num_reports = skb->data[0];
2842 ev = (void *) &skb->data[1];
2843
2844 hci_dev_lock(hdev);
2845
2846 hci_add_adv_entry(hdev, ev);
2847
2848 while (--num_reports) {
2849 ev = (void *) (ev->data + ev->length + 1);
2850 hci_add_adv_entry(hdev, ev);
2851 }
2852
2853 hci_dev_unlock(hdev);
2854}
2855
2856static inline void hci_le_ltk_request_evt(struct hci_dev *hdev,
2857 struct sk_buff *skb)
2858{
2859 struct hci_ev_le_ltk_req *ev = (void *) skb->data;
2860 struct hci_cp_le_ltk_reply cp;
2861 struct hci_cp_le_ltk_neg_reply neg;
2862 struct hci_conn *conn;
2863 struct link_key *ltk;
2864
2865 BT_DBG("%s handle %d", hdev->name, cpu_to_le16(ev->handle));
2866
2867 hci_dev_lock(hdev);
2868
2869 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2870 if (conn == NULL)
2871 goto not_found;
2872
2873 ltk = hci_find_ltk(hdev, ev->ediv, ev->random);
2874 if (ltk == NULL)
2875 goto not_found;
2876
2877 memcpy(cp.ltk, ltk->val, sizeof(ltk->val));
2878 cp.handle = cpu_to_le16(conn->handle);
2879 conn->pin_length = ltk->pin_len;
2880
2881 hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
2882
2883 hci_dev_unlock(hdev);
2884
2885 return;
2886
2887not_found:
2888 neg.handle = ev->handle;
2889 hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg);
2890 hci_dev_unlock(hdev);
2891}
2892
2685static inline void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb) 2893static inline void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb)
2686{ 2894{
2687 struct hci_ev_le_meta *le_ev = (void *) skb->data; 2895 struct hci_ev_le_meta *le_ev = (void *) skb->data;
@@ -2693,6 +2901,14 @@ static inline void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb)
2693 hci_le_conn_complete_evt(hdev, skb); 2901 hci_le_conn_complete_evt(hdev, skb);
2694 break; 2902 break;
2695 2903
2904 case HCI_EV_LE_ADVERTISING_REPORT:
2905 hci_le_adv_report_evt(hdev, skb);
2906 break;
2907
2908 case HCI_EV_LE_LTK_REQ:
2909 hci_le_ltk_request_evt(hdev, skb);
2910 break;
2911
2696 default: 2912 default:
2697 break; 2913 break;
2698 } 2914 }
@@ -2886,3 +3102,6 @@ void hci_si_event(struct hci_dev *hdev, int type, int dlen, void *data)
2886 hci_send_to_sock(hdev, skb, NULL); 3102 hci_send_to_sock(hdev, skb, NULL);
2887 kfree_skb(skb); 3103 kfree_skb(skb);
2888} 3104}
3105
3106module_param(enable_le, bool, 0444);
3107MODULE_PARM_DESC(enable_le, "Enable LE support");
diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
index 295e4a88fff8..ff02cf5e77cc 100644
--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -180,82 +180,24 @@ static int hci_sock_release(struct socket *sock)
180 return 0; 180 return 0;
181} 181}
182 182
183struct bdaddr_list *hci_blacklist_lookup(struct hci_dev *hdev, bdaddr_t *bdaddr) 183static int hci_sock_blacklist_add(struct hci_dev *hdev, void __user *arg)
184{
185 struct list_head *p;
186
187 list_for_each(p, &hdev->blacklist) {
188 struct bdaddr_list *b;
189
190 b = list_entry(p, struct bdaddr_list, list);
191
192 if (bacmp(bdaddr, &b->bdaddr) == 0)
193 return b;
194 }
195
196 return NULL;
197}
198
199static int hci_blacklist_add(struct hci_dev *hdev, void __user *arg)
200{ 184{
201 bdaddr_t bdaddr; 185 bdaddr_t bdaddr;
202 struct bdaddr_list *entry;
203 186
204 if (copy_from_user(&bdaddr, arg, sizeof(bdaddr))) 187 if (copy_from_user(&bdaddr, arg, sizeof(bdaddr)))
205 return -EFAULT; 188 return -EFAULT;
206 189
207 if (bacmp(&bdaddr, BDADDR_ANY) == 0) 190 return hci_blacklist_add(hdev, &bdaddr);
208 return -EBADF;
209
210 if (hci_blacklist_lookup(hdev, &bdaddr))
211 return -EEXIST;
212
213 entry = kzalloc(sizeof(struct bdaddr_list), GFP_KERNEL);
214 if (!entry)
215 return -ENOMEM;
216
217 bacpy(&entry->bdaddr, &bdaddr);
218
219 list_add(&entry->list, &hdev->blacklist);
220
221 return 0;
222}
223
224int hci_blacklist_clear(struct hci_dev *hdev)
225{
226 struct list_head *p, *n;
227
228 list_for_each_safe(p, n, &hdev->blacklist) {
229 struct bdaddr_list *b;
230
231 b = list_entry(p, struct bdaddr_list, list);
232
233 list_del(p);
234 kfree(b);
235 }
236
237 return 0;
238} 191}
239 192
240static int hci_blacklist_del(struct hci_dev *hdev, void __user *arg) 193static int hci_sock_blacklist_del(struct hci_dev *hdev, void __user *arg)
241{ 194{
242 bdaddr_t bdaddr; 195 bdaddr_t bdaddr;
243 struct bdaddr_list *entry;
244 196
245 if (copy_from_user(&bdaddr, arg, sizeof(bdaddr))) 197 if (copy_from_user(&bdaddr, arg, sizeof(bdaddr)))
246 return -EFAULT; 198 return -EFAULT;
247 199
248 if (bacmp(&bdaddr, BDADDR_ANY) == 0) 200 return hci_blacklist_del(hdev, &bdaddr);
249 return hci_blacklist_clear(hdev);
250
251 entry = hci_blacklist_lookup(hdev, &bdaddr);
252 if (!entry)
253 return -ENOENT;
254
255 list_del(&entry->list);
256 kfree(entry);
257
258 return 0;
259} 201}
260 202
261/* Ioctls that require bound socket */ 203/* Ioctls that require bound socket */
@@ -290,12 +232,12 @@ static inline int hci_sock_bound_ioctl(struct sock *sk, unsigned int cmd, unsign
290 case HCIBLOCKADDR: 232 case HCIBLOCKADDR:
291 if (!capable(CAP_NET_ADMIN)) 233 if (!capable(CAP_NET_ADMIN))
292 return -EACCES; 234 return -EACCES;
293 return hci_blacklist_add(hdev, (void __user *) arg); 235 return hci_sock_blacklist_add(hdev, (void __user *) arg);
294 236
295 case HCIUNBLOCKADDR: 237 case HCIUNBLOCKADDR:
296 if (!capable(CAP_NET_ADMIN)) 238 if (!capable(CAP_NET_ADMIN))
297 return -EACCES; 239 return -EACCES;
298 return hci_blacklist_del(hdev, (void __user *) arg); 240 return hci_sock_blacklist_del(hdev, (void __user *) arg);
299 241
300 default: 242 default:
301 if (hdev->ioctl) 243 if (hdev->ioctl)
diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
index c405a954a603..43b4c2deb7cc 100644
--- a/net/bluetooth/hidp/core.c
+++ b/net/bluetooth/hidp/core.c
@@ -464,7 +464,8 @@ static void hidp_idle_timeout(unsigned long arg)
464{ 464{
465 struct hidp_session *session = (struct hidp_session *) arg; 465 struct hidp_session *session = (struct hidp_session *) arg;
466 466
467 kthread_stop(session->task); 467 atomic_inc(&session->terminate);
468 wake_up_process(session->task);
468} 469}
469 470
470static void hidp_set_timer(struct hidp_session *session) 471static void hidp_set_timer(struct hidp_session *session)
@@ -535,7 +536,8 @@ static void hidp_process_hid_control(struct hidp_session *session,
535 skb_queue_purge(&session->ctrl_transmit); 536 skb_queue_purge(&session->ctrl_transmit);
536 skb_queue_purge(&session->intr_transmit); 537 skb_queue_purge(&session->intr_transmit);
537 538
538 kthread_stop(session->task); 539 atomic_inc(&session->terminate);
540 wake_up_process(current);
539 } 541 }
540} 542}
541 543
@@ -706,9 +708,8 @@ static int hidp_session(void *arg)
706 add_wait_queue(sk_sleep(intr_sk), &intr_wait); 708 add_wait_queue(sk_sleep(intr_sk), &intr_wait);
707 session->waiting_for_startup = 0; 709 session->waiting_for_startup = 0;
708 wake_up_interruptible(&session->startup_queue); 710 wake_up_interruptible(&session->startup_queue);
709 while (!kthread_should_stop()) { 711 set_current_state(TASK_INTERRUPTIBLE);
710 set_current_state(TASK_INTERRUPTIBLE); 712 while (!atomic_read(&session->terminate)) {
711
712 if (ctrl_sk->sk_state != BT_CONNECTED || 713 if (ctrl_sk->sk_state != BT_CONNECTED ||
713 intr_sk->sk_state != BT_CONNECTED) 714 intr_sk->sk_state != BT_CONNECTED)
714 break; 715 break;
@@ -726,6 +727,7 @@ static int hidp_session(void *arg)
726 hidp_process_transmit(session); 727 hidp_process_transmit(session);
727 728
728 schedule(); 729 schedule();
730 set_current_state(TASK_INTERRUPTIBLE);
729 } 731 }
730 set_current_state(TASK_RUNNING); 732 set_current_state(TASK_RUNNING);
731 remove_wait_queue(sk_sleep(intr_sk), &intr_wait); 733 remove_wait_queue(sk_sleep(intr_sk), &intr_wait);
@@ -1060,7 +1062,8 @@ int hidp_add_connection(struct hidp_connadd_req *req, struct socket *ctrl_sock,
1060err_add_device: 1062err_add_device:
1061 hid_destroy_device(session->hid); 1063 hid_destroy_device(session->hid);
1062 session->hid = NULL; 1064 session->hid = NULL;
1063 kthread_stop(session->task); 1065 atomic_inc(&session->terminate);
1066 wake_up_process(session->task);
1064 1067
1065unlink: 1068unlink:
1066 hidp_del_timer(session); 1069 hidp_del_timer(session);
@@ -1111,7 +1114,8 @@ int hidp_del_connection(struct hidp_conndel_req *req)
1111 skb_queue_purge(&session->ctrl_transmit); 1114 skb_queue_purge(&session->ctrl_transmit);
1112 skb_queue_purge(&session->intr_transmit); 1115 skb_queue_purge(&session->intr_transmit);
1113 1116
1114 kthread_stop(session->task); 1117 atomic_inc(&session->terminate);
1118 wake_up_process(session->task);
1115 } 1119 }
1116 } else 1120 } else
1117 err = -ENOENT; 1121 err = -ENOENT;
diff --git a/net/bluetooth/hidp/hidp.h b/net/bluetooth/hidp/hidp.h
index 19e95004b286..af1bcc823f26 100644
--- a/net/bluetooth/hidp/hidp.h
+++ b/net/bluetooth/hidp/hidp.h
@@ -142,6 +142,7 @@ struct hidp_session {
142 uint ctrl_mtu; 142 uint ctrl_mtu;
143 uint intr_mtu; 143 uint intr_mtu;
144 144
145 atomic_t terminate;
145 struct task_struct *task; 146 struct task_struct *task;
146 147
147 unsigned char keys[8]; 148 unsigned char keys[8];
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index e64a1c2df238..3204ba8a701c 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -54,26 +54,39 @@
54#include <net/bluetooth/bluetooth.h> 54#include <net/bluetooth/bluetooth.h>
55#include <net/bluetooth/hci_core.h> 55#include <net/bluetooth/hci_core.h>
56#include <net/bluetooth/l2cap.h> 56#include <net/bluetooth/l2cap.h>
57#include <net/bluetooth/smp.h>
57 58
58int disable_ertm; 59int disable_ertm;
59 60
60static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN; 61static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
61static u8 l2cap_fixed_chan[8] = { 0x02, }; 62static u8 l2cap_fixed_chan[8] = { 0x02, };
62 63
63static struct workqueue_struct *_busy_wq; 64static LIST_HEAD(chan_list);
64 65static DEFINE_RWLOCK(chan_list_lock);
65LIST_HEAD(chan_list);
66DEFINE_RWLOCK(chan_list_lock);
67
68static void l2cap_busy_work(struct work_struct *work);
69 66
70static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, 67static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
71 u8 code, u8 ident, u16 dlen, void *data); 68 u8 code, u8 ident, u16 dlen, void *data);
69static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
70 void *data);
72static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data); 71static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
72static void l2cap_send_disconn_req(struct l2cap_conn *conn,
73 struct l2cap_chan *chan, int err);
73 74
74static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb); 75static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb);
75 76
76/* ---- L2CAP channels ---- */ 77/* ---- L2CAP channels ---- */
78
79static inline void chan_hold(struct l2cap_chan *c)
80{
81 atomic_inc(&c->refcnt);
82}
83
84static inline void chan_put(struct l2cap_chan *c)
85{
86 if (atomic_dec_and_test(&c->refcnt))
87 kfree(c);
88}
89
77static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid) 90static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
78{ 91{
79 struct l2cap_chan *c; 92 struct l2cap_chan *c;
@@ -204,6 +217,62 @@ static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
204 return 0; 217 return 0;
205} 218}
206 219
220static void l2cap_set_timer(struct l2cap_chan *chan, struct timer_list *timer, long timeout)
221{
222 BT_DBG("chan %p state %d timeout %ld", chan->sk, chan->state, timeout);
223
224 if (!mod_timer(timer, jiffies + msecs_to_jiffies(timeout)))
225 chan_hold(chan);
226}
227
228static void l2cap_clear_timer(struct l2cap_chan *chan, struct timer_list *timer)
229{
230 BT_DBG("chan %p state %d", chan, chan->state);
231
232 if (timer_pending(timer) && del_timer(timer))
233 chan_put(chan);
234}
235
236static void l2cap_state_change(struct l2cap_chan *chan, int state)
237{
238 chan->state = state;
239 chan->ops->state_change(chan->data, state);
240}
241
242static void l2cap_chan_timeout(unsigned long arg)
243{
244 struct l2cap_chan *chan = (struct l2cap_chan *) arg;
245 struct sock *sk = chan->sk;
246 int reason;
247
248 BT_DBG("chan %p state %d", chan, chan->state);
249
250 bh_lock_sock(sk);
251
252 if (sock_owned_by_user(sk)) {
253 /* sk is owned by user. Try again later */
254 __set_chan_timer(chan, HZ / 5);
255 bh_unlock_sock(sk);
256 chan_put(chan);
257 return;
258 }
259
260 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
261 reason = ECONNREFUSED;
262 else if (chan->state == BT_CONNECT &&
263 chan->sec_level != BT_SECURITY_SDP)
264 reason = ECONNREFUSED;
265 else
266 reason = ETIMEDOUT;
267
268 l2cap_chan_close(chan, reason);
269
270 bh_unlock_sock(sk);
271
272 chan->ops->close(chan->data);
273 chan_put(chan);
274}
275
207struct l2cap_chan *l2cap_chan_create(struct sock *sk) 276struct l2cap_chan *l2cap_chan_create(struct sock *sk)
208{ 277{
209 struct l2cap_chan *chan; 278 struct l2cap_chan *chan;
@@ -218,6 +287,12 @@ struct l2cap_chan *l2cap_chan_create(struct sock *sk)
218 list_add(&chan->global_l, &chan_list); 287 list_add(&chan->global_l, &chan_list);
219 write_unlock_bh(&chan_list_lock); 288 write_unlock_bh(&chan_list_lock);
220 289
290 setup_timer(&chan->chan_timer, l2cap_chan_timeout, (unsigned long) chan);
291
292 chan->state = BT_OPEN;
293
294 atomic_set(&chan->refcnt, 1);
295
221 return chan; 296 return chan;
222} 297}
223 298
@@ -227,13 +302,11 @@ void l2cap_chan_destroy(struct l2cap_chan *chan)
227 list_del(&chan->global_l); 302 list_del(&chan->global_l);
228 write_unlock_bh(&chan_list_lock); 303 write_unlock_bh(&chan_list_lock);
229 304
230 kfree(chan); 305 chan_put(chan);
231} 306}
232 307
233static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan) 308static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
234{ 309{
235 struct sock *sk = chan->sk;
236
237 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn, 310 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
238 chan->psm, chan->dcid); 311 chan->psm, chan->dcid);
239 312
@@ -241,7 +314,7 @@ static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
241 314
242 chan->conn = conn; 315 chan->conn = conn;
243 316
244 if (sk->sk_type == SOCK_SEQPACKET || sk->sk_type == SOCK_STREAM) { 317 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
245 if (conn->hcon->type == LE_LINK) { 318 if (conn->hcon->type == LE_LINK) {
246 /* LE connection */ 319 /* LE connection */
247 chan->omtu = L2CAP_LE_DEFAULT_MTU; 320 chan->omtu = L2CAP_LE_DEFAULT_MTU;
@@ -252,7 +325,7 @@ static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
252 chan->scid = l2cap_alloc_cid(conn); 325 chan->scid = l2cap_alloc_cid(conn);
253 chan->omtu = L2CAP_DEFAULT_MTU; 326 chan->omtu = L2CAP_DEFAULT_MTU;
254 } 327 }
255 } else if (sk->sk_type == SOCK_DGRAM) { 328 } else if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
256 /* Connectionless socket */ 329 /* Connectionless socket */
257 chan->scid = L2CAP_CID_CONN_LESS; 330 chan->scid = L2CAP_CID_CONN_LESS;
258 chan->dcid = L2CAP_CID_CONN_LESS; 331 chan->dcid = L2CAP_CID_CONN_LESS;
@@ -264,20 +337,20 @@ static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
264 chan->omtu = L2CAP_DEFAULT_MTU; 337 chan->omtu = L2CAP_DEFAULT_MTU;
265 } 338 }
266 339
267 sock_hold(sk); 340 chan_hold(chan);
268 341
269 list_add(&chan->list, &conn->chan_l); 342 list_add(&chan->list, &conn->chan_l);
270} 343}
271 344
272/* Delete channel. 345/* Delete channel.
273 * Must be called on the locked socket. */ 346 * Must be called on the locked socket. */
274void l2cap_chan_del(struct l2cap_chan *chan, int err) 347static void l2cap_chan_del(struct l2cap_chan *chan, int err)
275{ 348{
276 struct sock *sk = chan->sk; 349 struct sock *sk = chan->sk;
277 struct l2cap_conn *conn = chan->conn; 350 struct l2cap_conn *conn = chan->conn;
278 struct sock *parent = bt_sk(sk)->parent; 351 struct sock *parent = bt_sk(sk)->parent;
279 352
280 l2cap_sock_clear_timer(sk); 353 __clear_chan_timer(chan);
281 354
282 BT_DBG("chan %p, conn %p, err %d", chan, conn, err); 355 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
283 356
@@ -286,13 +359,13 @@ void l2cap_chan_del(struct l2cap_chan *chan, int err)
286 write_lock_bh(&conn->chan_lock); 359 write_lock_bh(&conn->chan_lock);
287 list_del(&chan->list); 360 list_del(&chan->list);
288 write_unlock_bh(&conn->chan_lock); 361 write_unlock_bh(&conn->chan_lock);
289 __sock_put(sk); 362 chan_put(chan);
290 363
291 chan->conn = NULL; 364 chan->conn = NULL;
292 hci_conn_put(conn->hcon); 365 hci_conn_put(conn->hcon);
293 } 366 }
294 367
295 sk->sk_state = BT_CLOSED; 368 l2cap_state_change(chan, BT_CLOSED);
296 sock_set_flag(sk, SOCK_ZAPPED); 369 sock_set_flag(sk, SOCK_ZAPPED);
297 370
298 if (err) 371 if (err)
@@ -304,8 +377,8 @@ void l2cap_chan_del(struct l2cap_chan *chan, int err)
304 } else 377 } else
305 sk->sk_state_change(sk); 378 sk->sk_state_change(sk);
306 379
307 if (!(chan->conf_state & L2CAP_CONF_OUTPUT_DONE && 380 if (!(test_bit(CONF_OUTPUT_DONE, &chan->conf_state) &&
308 chan->conf_state & L2CAP_CONF_INPUT_DONE)) 381 test_bit(CONF_INPUT_DONE, &chan->conf_state)))
309 return; 382 return;
310 383
311 skb_queue_purge(&chan->tx_q); 384 skb_queue_purge(&chan->tx_q);
@@ -313,12 +386,11 @@ void l2cap_chan_del(struct l2cap_chan *chan, int err)
313 if (chan->mode == L2CAP_MODE_ERTM) { 386 if (chan->mode == L2CAP_MODE_ERTM) {
314 struct srej_list *l, *tmp; 387 struct srej_list *l, *tmp;
315 388
316 del_timer(&chan->retrans_timer); 389 __clear_retrans_timer(chan);
317 del_timer(&chan->monitor_timer); 390 __clear_monitor_timer(chan);
318 del_timer(&chan->ack_timer); 391 __clear_ack_timer(chan);
319 392
320 skb_queue_purge(&chan->srej_q); 393 skb_queue_purge(&chan->srej_q);
321 skb_queue_purge(&chan->busy_q);
322 394
323 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) { 395 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
324 list_del(&l->list); 396 list_del(&l->list);
@@ -327,11 +399,86 @@ void l2cap_chan_del(struct l2cap_chan *chan, int err)
327 } 399 }
328} 400}
329 401
330static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan) 402static void l2cap_chan_cleanup_listen(struct sock *parent)
403{
404 struct sock *sk;
405
406 BT_DBG("parent %p", parent);
407
408 /* Close not yet accepted channels */
409 while ((sk = bt_accept_dequeue(parent, NULL))) {
410 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
411 __clear_chan_timer(chan);
412 lock_sock(sk);
413 l2cap_chan_close(chan, ECONNRESET);
414 release_sock(sk);
415 chan->ops->close(chan->data);
416 }
417}
418
419void l2cap_chan_close(struct l2cap_chan *chan, int reason)
331{ 420{
421 struct l2cap_conn *conn = chan->conn;
332 struct sock *sk = chan->sk; 422 struct sock *sk = chan->sk;
333 423
334 if (sk->sk_type == SOCK_RAW) { 424 BT_DBG("chan %p state %d socket %p", chan, chan->state, sk->sk_socket);
425
426 switch (chan->state) {
427 case BT_LISTEN:
428 l2cap_chan_cleanup_listen(sk);
429
430 l2cap_state_change(chan, BT_CLOSED);
431 sock_set_flag(sk, SOCK_ZAPPED);
432 break;
433
434 case BT_CONNECTED:
435 case BT_CONFIG:
436 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
437 conn->hcon->type == ACL_LINK) {
438 __clear_chan_timer(chan);
439 __set_chan_timer(chan, sk->sk_sndtimeo);
440 l2cap_send_disconn_req(conn, chan, reason);
441 } else
442 l2cap_chan_del(chan, reason);
443 break;
444
445 case BT_CONNECT2:
446 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
447 conn->hcon->type == ACL_LINK) {
448 struct l2cap_conn_rsp rsp;
449 __u16 result;
450
451 if (bt_sk(sk)->defer_setup)
452 result = L2CAP_CR_SEC_BLOCK;
453 else
454 result = L2CAP_CR_BAD_PSM;
455 l2cap_state_change(chan, BT_DISCONN);
456
457 rsp.scid = cpu_to_le16(chan->dcid);
458 rsp.dcid = cpu_to_le16(chan->scid);
459 rsp.result = cpu_to_le16(result);
460 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
461 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
462 sizeof(rsp), &rsp);
463 }
464
465 l2cap_chan_del(chan, reason);
466 break;
467
468 case BT_CONNECT:
469 case BT_DISCONN:
470 l2cap_chan_del(chan, reason);
471 break;
472
473 default:
474 sock_set_flag(sk, SOCK_ZAPPED);
475 break;
476 }
477}
478
479static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
480{
481 if (chan->chan_type == L2CAP_CHAN_RAW) {
335 switch (chan->sec_level) { 482 switch (chan->sec_level) {
336 case BT_SECURITY_HIGH: 483 case BT_SECURITY_HIGH:
337 return HCI_AT_DEDICATED_BONDING_MITM; 484 return HCI_AT_DEDICATED_BONDING_MITM;
@@ -371,7 +518,7 @@ static inline int l2cap_check_security(struct l2cap_chan *chan)
371 return hci_conn_security(conn->hcon, chan->sec_level, auth_type); 518 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
372} 519}
373 520
374u8 l2cap_get_ident(struct l2cap_conn *conn) 521static u8 l2cap_get_ident(struct l2cap_conn *conn)
375{ 522{
376 u8 id; 523 u8 id;
377 524
@@ -393,7 +540,7 @@ u8 l2cap_get_ident(struct l2cap_conn *conn)
393 return id; 540 return id;
394} 541}
395 542
396void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data) 543static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
397{ 544{
398 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data); 545 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
399 u8 flags; 546 u8 flags;
@@ -408,6 +555,8 @@ void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *d
408 else 555 else
409 flags = ACL_START; 556 flags = ACL_START;
410 557
558 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
559
411 hci_send_acl(conn->hcon, skb, flags); 560 hci_send_acl(conn->hcon, skb, flags);
412} 561}
413 562
@@ -415,13 +564,11 @@ static inline void l2cap_send_sframe(struct l2cap_chan *chan, u16 control)
415{ 564{
416 struct sk_buff *skb; 565 struct sk_buff *skb;
417 struct l2cap_hdr *lh; 566 struct l2cap_hdr *lh;
418 struct l2cap_pinfo *pi = l2cap_pi(chan->sk);
419 struct l2cap_conn *conn = chan->conn; 567 struct l2cap_conn *conn = chan->conn;
420 struct sock *sk = (struct sock *)pi;
421 int count, hlen = L2CAP_HDR_SIZE + 2; 568 int count, hlen = L2CAP_HDR_SIZE + 2;
422 u8 flags; 569 u8 flags;
423 570
424 if (sk->sk_state != BT_CONNECTED) 571 if (chan->state != BT_CONNECTED)
425 return; 572 return;
426 573
427 if (chan->fcs == L2CAP_FCS_CRC16) 574 if (chan->fcs == L2CAP_FCS_CRC16)
@@ -432,15 +579,11 @@ static inline void l2cap_send_sframe(struct l2cap_chan *chan, u16 control)
432 count = min_t(unsigned int, conn->mtu, hlen); 579 count = min_t(unsigned int, conn->mtu, hlen);
433 control |= L2CAP_CTRL_FRAME_TYPE; 580 control |= L2CAP_CTRL_FRAME_TYPE;
434 581
435 if (chan->conn_state & L2CAP_CONN_SEND_FBIT) { 582 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
436 control |= L2CAP_CTRL_FINAL; 583 control |= L2CAP_CTRL_FINAL;
437 chan->conn_state &= ~L2CAP_CONN_SEND_FBIT;
438 }
439 584
440 if (chan->conn_state & L2CAP_CONN_SEND_PBIT) { 585 if (test_and_clear_bit(CONN_SEND_PBIT, &chan->conn_state))
441 control |= L2CAP_CTRL_POLL; 586 control |= L2CAP_CTRL_POLL;
442 chan->conn_state &= ~L2CAP_CONN_SEND_PBIT;
443 }
444 587
445 skb = bt_skb_alloc(count, GFP_ATOMIC); 588 skb = bt_skb_alloc(count, GFP_ATOMIC);
446 if (!skb) 589 if (!skb)
@@ -461,14 +604,16 @@ static inline void l2cap_send_sframe(struct l2cap_chan *chan, u16 control)
461 else 604 else
462 flags = ACL_START; 605 flags = ACL_START;
463 606
607 bt_cb(skb)->force_active = chan->force_active;
608
464 hci_send_acl(chan->conn->hcon, skb, flags); 609 hci_send_acl(chan->conn->hcon, skb, flags);
465} 610}
466 611
467static inline void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, u16 control) 612static inline void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, u16 control)
468{ 613{
469 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) { 614 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
470 control |= L2CAP_SUPER_RCV_NOT_READY; 615 control |= L2CAP_SUPER_RCV_NOT_READY;
471 chan->conn_state |= L2CAP_CONN_RNR_SENT; 616 set_bit(CONN_RNR_SENT, &chan->conn_state);
472 } else 617 } else
473 control |= L2CAP_SUPER_RCV_READY; 618 control |= L2CAP_SUPER_RCV_READY;
474 619
@@ -479,7 +624,7 @@ static inline void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, u16 control)
479 624
480static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan) 625static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
481{ 626{
482 return !(chan->conf_state & L2CAP_CONF_CONNECT_PEND); 627 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
483} 628}
484 629
485static void l2cap_do_start(struct l2cap_chan *chan) 630static void l2cap_do_start(struct l2cap_chan *chan)
@@ -497,7 +642,7 @@ static void l2cap_do_start(struct l2cap_chan *chan)
497 req.psm = chan->psm; 642 req.psm = chan->psm;
498 643
499 chan->ident = l2cap_get_ident(conn); 644 chan->ident = l2cap_get_ident(conn);
500 chan->conf_state |= L2CAP_CONF_CONNECT_PEND; 645 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
501 646
502 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, 647 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
503 sizeof(req), &req); 648 sizeof(req), &req);
@@ -533,7 +678,7 @@ static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
533 } 678 }
534} 679}
535 680
536void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err) 681static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
537{ 682{
538 struct sock *sk; 683 struct sock *sk;
539 struct l2cap_disconn_req req; 684 struct l2cap_disconn_req req;
@@ -544,9 +689,9 @@ void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, in
544 sk = chan->sk; 689 sk = chan->sk;
545 690
546 if (chan->mode == L2CAP_MODE_ERTM) { 691 if (chan->mode == L2CAP_MODE_ERTM) {
547 del_timer(&chan->retrans_timer); 692 __clear_retrans_timer(chan);
548 del_timer(&chan->monitor_timer); 693 __clear_monitor_timer(chan);
549 del_timer(&chan->ack_timer); 694 __clear_ack_timer(chan);
550 } 695 }
551 696
552 req.dcid = cpu_to_le16(chan->dcid); 697 req.dcid = cpu_to_le16(chan->dcid);
@@ -554,7 +699,7 @@ void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, in
554 l2cap_send_cmd(conn, l2cap_get_ident(conn), 699 l2cap_send_cmd(conn, l2cap_get_ident(conn),
555 L2CAP_DISCONN_REQ, sizeof(req), &req); 700 L2CAP_DISCONN_REQ, sizeof(req), &req);
556 701
557 sk->sk_state = BT_DISCONN; 702 l2cap_state_change(chan, BT_DISCONN);
558 sk->sk_err = err; 703 sk->sk_err = err;
559} 704}
560 705
@@ -572,13 +717,12 @@ static void l2cap_conn_start(struct l2cap_conn *conn)
572 717
573 bh_lock_sock(sk); 718 bh_lock_sock(sk);
574 719
575 if (sk->sk_type != SOCK_SEQPACKET && 720 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
576 sk->sk_type != SOCK_STREAM) {
577 bh_unlock_sock(sk); 721 bh_unlock_sock(sk);
578 continue; 722 continue;
579 } 723 }
580 724
581 if (sk->sk_state == BT_CONNECT) { 725 if (chan->state == BT_CONNECT) {
582 struct l2cap_conn_req req; 726 struct l2cap_conn_req req;
583 727
584 if (!l2cap_check_security(chan) || 728 if (!l2cap_check_security(chan) ||
@@ -587,15 +731,14 @@ static void l2cap_conn_start(struct l2cap_conn *conn)
587 continue; 731 continue;
588 } 732 }
589 733
590 if (!l2cap_mode_supported(chan->mode, 734 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
591 conn->feat_mask) 735 && test_bit(CONF_STATE2_DEVICE,
592 && chan->conf_state & 736 &chan->conf_state)) {
593 L2CAP_CONF_STATE2_DEVICE) { 737 /* l2cap_chan_close() calls list_del(chan)
594 /* __l2cap_sock_close() calls list_del(chan)
595 * so release the lock */ 738 * so release the lock */
596 read_unlock_bh(&conn->chan_lock); 739 read_unlock(&conn->chan_lock);
597 __l2cap_sock_close(sk, ECONNRESET); 740 l2cap_chan_close(chan, ECONNRESET);
598 read_lock_bh(&conn->chan_lock); 741 read_lock(&conn->chan_lock);
599 bh_unlock_sock(sk); 742 bh_unlock_sock(sk);
600 continue; 743 continue;
601 } 744 }
@@ -604,12 +747,12 @@ static void l2cap_conn_start(struct l2cap_conn *conn)
604 req.psm = chan->psm; 747 req.psm = chan->psm;
605 748
606 chan->ident = l2cap_get_ident(conn); 749 chan->ident = l2cap_get_ident(conn);
607 chan->conf_state |= L2CAP_CONF_CONNECT_PEND; 750 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
608 751
609 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, 752 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
610 sizeof(req), &req); 753 sizeof(req), &req);
611 754
612 } else if (sk->sk_state == BT_CONNECT2) { 755 } else if (chan->state == BT_CONNECT2) {
613 struct l2cap_conn_rsp rsp; 756 struct l2cap_conn_rsp rsp;
614 char buf[128]; 757 char buf[128];
615 rsp.scid = cpu_to_le16(chan->dcid); 758 rsp.scid = cpu_to_le16(chan->dcid);
@@ -620,10 +763,11 @@ static void l2cap_conn_start(struct l2cap_conn *conn)
620 struct sock *parent = bt_sk(sk)->parent; 763 struct sock *parent = bt_sk(sk)->parent;
621 rsp.result = cpu_to_le16(L2CAP_CR_PEND); 764 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
622 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND); 765 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
623 parent->sk_data_ready(parent, 0); 766 if (parent)
767 parent->sk_data_ready(parent, 0);
624 768
625 } else { 769 } else {
626 sk->sk_state = BT_CONFIG; 770 l2cap_state_change(chan, BT_CONFIG);
627 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS); 771 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
628 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO); 772 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
629 } 773 }
@@ -635,13 +779,13 @@ static void l2cap_conn_start(struct l2cap_conn *conn)
635 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, 779 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
636 sizeof(rsp), &rsp); 780 sizeof(rsp), &rsp);
637 781
638 if (chan->conf_state & L2CAP_CONF_REQ_SENT || 782 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
639 rsp.result != L2CAP_CR_SUCCESS) { 783 rsp.result != L2CAP_CR_SUCCESS) {
640 bh_unlock_sock(sk); 784 bh_unlock_sock(sk);
641 continue; 785 continue;
642 } 786 }
643 787
644 chan->conf_state |= L2CAP_CONF_REQ_SENT; 788 set_bit(CONF_REQ_SENT, &chan->conf_state);
645 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, 789 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
646 l2cap_build_conf_req(chan, buf), buf); 790 l2cap_build_conf_req(chan, buf), buf);
647 chan->num_conf_req++; 791 chan->num_conf_req++;
@@ -665,7 +809,7 @@ static struct l2cap_chan *l2cap_global_chan_by_scid(int state, __le16 cid, bdadd
665 list_for_each_entry(c, &chan_list, global_l) { 809 list_for_each_entry(c, &chan_list, global_l) {
666 struct sock *sk = c->sk; 810 struct sock *sk = c->sk;
667 811
668 if (state && sk->sk_state != state) 812 if (state && c->state != state)
669 continue; 813 continue;
670 814
671 if (c->scid == cid) { 815 if (c->scid == cid) {
@@ -709,24 +853,16 @@ static void l2cap_le_conn_ready(struct l2cap_conn *conn)
709 goto clean; 853 goto clean;
710 } 854 }
711 855
712 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP, GFP_ATOMIC); 856 chan = pchan->ops->new_connection(pchan->data);
713 if (!sk) 857 if (!chan)
714 goto clean;
715
716 chan = l2cap_chan_create(sk);
717 if (!chan) {
718 l2cap_sock_kill(sk);
719 goto clean; 858 goto clean;
720 }
721 859
722 l2cap_pi(sk)->chan = chan; 860 sk = chan->sk;
723 861
724 write_lock_bh(&conn->chan_lock); 862 write_lock_bh(&conn->chan_lock);
725 863
726 hci_conn_hold(conn->hcon); 864 hci_conn_hold(conn->hcon);
727 865
728 l2cap_sock_init(sk, parent);
729
730 bacpy(&bt_sk(sk)->src, conn->src); 866 bacpy(&bt_sk(sk)->src, conn->src);
731 bacpy(&bt_sk(sk)->dst, conn->dst); 867 bacpy(&bt_sk(sk)->dst, conn->dst);
732 868
@@ -734,9 +870,9 @@ static void l2cap_le_conn_ready(struct l2cap_conn *conn)
734 870
735 __l2cap_chan_add(conn, chan); 871 __l2cap_chan_add(conn, chan);
736 872
737 l2cap_sock_set_timer(sk, sk->sk_sndtimeo); 873 __set_chan_timer(chan, sk->sk_sndtimeo);
738 874
739 sk->sk_state = BT_CONNECTED; 875 l2cap_state_change(chan, BT_CONNECTED);
740 parent->sk_data_ready(parent, 0); 876 parent->sk_data_ready(parent, 0);
741 877
742 write_unlock_bh(&conn->chan_lock); 878 write_unlock_bh(&conn->chan_lock);
@@ -745,6 +881,23 @@ clean:
745 bh_unlock_sock(parent); 881 bh_unlock_sock(parent);
746} 882}
747 883
884static void l2cap_chan_ready(struct sock *sk)
885{
886 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
887 struct sock *parent = bt_sk(sk)->parent;
888
889 BT_DBG("sk %p, parent %p", sk, parent);
890
891 chan->conf_state = 0;
892 __clear_chan_timer(chan);
893
894 l2cap_state_change(chan, BT_CONNECTED);
895 sk->sk_state_change(sk);
896
897 if (parent)
898 parent->sk_data_ready(parent, 0);
899}
900
748static void l2cap_conn_ready(struct l2cap_conn *conn) 901static void l2cap_conn_ready(struct l2cap_conn *conn)
749{ 902{
750 struct l2cap_chan *chan; 903 struct l2cap_chan *chan;
@@ -762,17 +915,15 @@ static void l2cap_conn_ready(struct l2cap_conn *conn)
762 bh_lock_sock(sk); 915 bh_lock_sock(sk);
763 916
764 if (conn->hcon->type == LE_LINK) { 917 if (conn->hcon->type == LE_LINK) {
765 l2cap_sock_clear_timer(sk); 918 if (smp_conn_security(conn, chan->sec_level))
766 sk->sk_state = BT_CONNECTED; 919 l2cap_chan_ready(sk);
767 sk->sk_state_change(sk);
768 }
769 920
770 if (sk->sk_type != SOCK_SEQPACKET && 921 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
771 sk->sk_type != SOCK_STREAM) { 922 __clear_chan_timer(chan);
772 l2cap_sock_clear_timer(sk); 923 l2cap_state_change(chan, BT_CONNECTED);
773 sk->sk_state = BT_CONNECTED;
774 sk->sk_state_change(sk); 924 sk->sk_state_change(sk);
775 } else if (sk->sk_state == BT_CONNECT) 925
926 } else if (chan->state == BT_CONNECT)
776 l2cap_do_start(chan); 927 l2cap_do_start(chan);
777 928
778 bh_unlock_sock(sk); 929 bh_unlock_sock(sk);
@@ -810,6 +961,45 @@ static void l2cap_info_timeout(unsigned long arg)
810 l2cap_conn_start(conn); 961 l2cap_conn_start(conn);
811} 962}
812 963
964static void l2cap_conn_del(struct hci_conn *hcon, int err)
965{
966 struct l2cap_conn *conn = hcon->l2cap_data;
967 struct l2cap_chan *chan, *l;
968 struct sock *sk;
969
970 if (!conn)
971 return;
972
973 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
974
975 kfree_skb(conn->rx_skb);
976
977 /* Kill channels */
978 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
979 sk = chan->sk;
980 bh_lock_sock(sk);
981 l2cap_chan_del(chan, err);
982 bh_unlock_sock(sk);
983 chan->ops->close(chan->data);
984 }
985
986 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
987 del_timer_sync(&conn->info_timer);
988
989 if (test_bit(HCI_CONN_ENCRYPT_PEND, &hcon->pend))
990 del_timer(&conn->security_timer);
991
992 hcon->l2cap_data = NULL;
993 kfree(conn);
994}
995
996static void security_timeout(unsigned long arg)
997{
998 struct l2cap_conn *conn = (void *) arg;
999
1000 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1001}
1002
813static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status) 1003static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
814{ 1004{
815 struct l2cap_conn *conn = hcon->l2cap_data; 1005 struct l2cap_conn *conn = hcon->l2cap_data;
@@ -841,7 +1031,10 @@ static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
841 1031
842 INIT_LIST_HEAD(&conn->chan_l); 1032 INIT_LIST_HEAD(&conn->chan_l);
843 1033
844 if (hcon->type != LE_LINK) 1034 if (hcon->type == LE_LINK)
1035 setup_timer(&conn->security_timer, security_timeout,
1036 (unsigned long) conn);
1037 else
845 setup_timer(&conn->info_timer, l2cap_info_timeout, 1038 setup_timer(&conn->info_timer, l2cap_info_timeout,
846 (unsigned long) conn); 1039 (unsigned long) conn);
847 1040
@@ -850,35 +1043,6 @@ static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
850 return conn; 1043 return conn;
851} 1044}
852 1045
853static void l2cap_conn_del(struct hci_conn *hcon, int err)
854{
855 struct l2cap_conn *conn = hcon->l2cap_data;
856 struct l2cap_chan *chan, *l;
857 struct sock *sk;
858
859 if (!conn)
860 return;
861
862 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
863
864 kfree_skb(conn->rx_skb);
865
866 /* Kill channels */
867 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
868 sk = chan->sk;
869 bh_lock_sock(sk);
870 l2cap_chan_del(chan, err);
871 bh_unlock_sock(sk);
872 l2cap_sock_kill(sk);
873 }
874
875 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
876 del_timer_sync(&conn->info_timer);
877
878 hcon->l2cap_data = NULL;
879 kfree(conn);
880}
881
882static inline void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan) 1046static inline void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
883{ 1047{
884 write_lock_bh(&conn->chan_lock); 1048 write_lock_bh(&conn->chan_lock);
@@ -900,7 +1064,7 @@ static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm, bdaddr
900 list_for_each_entry(c, &chan_list, global_l) { 1064 list_for_each_entry(c, &chan_list, global_l) {
901 struct sock *sk = c->sk; 1065 struct sock *sk = c->sk;
902 1066
903 if (state && sk->sk_state != state) 1067 if (state && c->state != state)
904 continue; 1068 continue;
905 1069
906 if (c->psm == psm) { 1070 if (c->psm == psm) {
@@ -967,15 +1131,14 @@ int l2cap_chan_connect(struct l2cap_chan *chan)
967 1131
968 l2cap_chan_add(conn, chan); 1132 l2cap_chan_add(conn, chan);
969 1133
970 sk->sk_state = BT_CONNECT; 1134 l2cap_state_change(chan, BT_CONNECT);
971 l2cap_sock_set_timer(sk, sk->sk_sndtimeo); 1135 __set_chan_timer(chan, sk->sk_sndtimeo);
972 1136
973 if (hcon->state == BT_CONNECTED) { 1137 if (hcon->state == BT_CONNECTED) {
974 if (sk->sk_type != SOCK_SEQPACKET && 1138 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
975 sk->sk_type != SOCK_STREAM) { 1139 __clear_chan_timer(chan);
976 l2cap_sock_clear_timer(sk);
977 if (l2cap_check_security(chan)) 1140 if (l2cap_check_security(chan))
978 sk->sk_state = BT_CONNECTED; 1141 l2cap_state_change(chan, BT_CONNECTED);
979 } else 1142 } else
980 l2cap_do_start(chan); 1143 l2cap_do_start(chan);
981 } 1144 }
@@ -1035,7 +1198,7 @@ static void l2cap_monitor_timeout(unsigned long arg)
1035 } 1198 }
1036 1199
1037 chan->retry_count++; 1200 chan->retry_count++;
1038 __mod_monitor_timer(); 1201 __set_monitor_timer(chan);
1039 1202
1040 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL); 1203 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
1041 bh_unlock_sock(sk); 1204 bh_unlock_sock(sk);
@@ -1050,9 +1213,9 @@ static void l2cap_retrans_timeout(unsigned long arg)
1050 1213
1051 bh_lock_sock(sk); 1214 bh_lock_sock(sk);
1052 chan->retry_count = 1; 1215 chan->retry_count = 1;
1053 __mod_monitor_timer(); 1216 __set_monitor_timer(chan);
1054 1217
1055 chan->conn_state |= L2CAP_CONN_WAIT_F; 1218 set_bit(CONN_WAIT_F, &chan->conn_state);
1056 1219
1057 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL); 1220 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
1058 bh_unlock_sock(sk); 1221 bh_unlock_sock(sk);
@@ -1074,7 +1237,7 @@ static void l2cap_drop_acked_frames(struct l2cap_chan *chan)
1074 } 1237 }
1075 1238
1076 if (!chan->unacked_frames) 1239 if (!chan->unacked_frames)
1077 del_timer(&chan->retrans_timer); 1240 __clear_retrans_timer(chan);
1078} 1241}
1079 1242
1080void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb) 1243void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
@@ -1089,6 +1252,7 @@ void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
1089 else 1252 else
1090 flags = ACL_START; 1253 flags = ACL_START;
1091 1254
1255 bt_cb(skb)->force_active = chan->force_active;
1092 hci_send_acl(hcon, skb, flags); 1256 hci_send_acl(hcon, skb, flags);
1093} 1257}
1094 1258
@@ -1142,10 +1306,8 @@ static void l2cap_retransmit_one_frame(struct l2cap_chan *chan, u8 tx_seq)
1142 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE); 1306 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
1143 control &= L2CAP_CTRL_SAR; 1307 control &= L2CAP_CTRL_SAR;
1144 1308
1145 if (chan->conn_state & L2CAP_CONN_SEND_FBIT) { 1309 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1146 control |= L2CAP_CTRL_FINAL; 1310 control |= L2CAP_CTRL_FINAL;
1147 chan->conn_state &= ~L2CAP_CONN_SEND_FBIT;
1148 }
1149 1311
1150 control |= (chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT) 1312 control |= (chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1151 | (tx_seq << L2CAP_CTRL_TXSEQ_SHIFT); 1313 | (tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
@@ -1163,11 +1325,10 @@ static void l2cap_retransmit_one_frame(struct l2cap_chan *chan, u8 tx_seq)
1163int l2cap_ertm_send(struct l2cap_chan *chan) 1325int l2cap_ertm_send(struct l2cap_chan *chan)
1164{ 1326{
1165 struct sk_buff *skb, *tx_skb; 1327 struct sk_buff *skb, *tx_skb;
1166 struct sock *sk = chan->sk;
1167 u16 control, fcs; 1328 u16 control, fcs;
1168 int nsent = 0; 1329 int nsent = 0;
1169 1330
1170 if (sk->sk_state != BT_CONNECTED) 1331 if (chan->state != BT_CONNECTED)
1171 return -ENOTCONN; 1332 return -ENOTCONN;
1172 1333
1173 while ((skb = chan->tx_send_head) && (!l2cap_tx_window_full(chan))) { 1334 while ((skb = chan->tx_send_head) && (!l2cap_tx_window_full(chan))) {
@@ -1185,10 +1346,9 @@ int l2cap_ertm_send(struct l2cap_chan *chan)
1185 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE); 1346 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
1186 control &= L2CAP_CTRL_SAR; 1347 control &= L2CAP_CTRL_SAR;
1187 1348
1188 if (chan->conn_state & L2CAP_CONN_SEND_FBIT) { 1349 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1189 control |= L2CAP_CTRL_FINAL; 1350 control |= L2CAP_CTRL_FINAL;
1190 chan->conn_state &= ~L2CAP_CONN_SEND_FBIT; 1351
1191 }
1192 control |= (chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT) 1352 control |= (chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1193 | (chan->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT); 1353 | (chan->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
1194 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE); 1354 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
@@ -1201,7 +1361,7 @@ int l2cap_ertm_send(struct l2cap_chan *chan)
1201 1361
1202 l2cap_do_send(chan, tx_skb); 1362 l2cap_do_send(chan, tx_skb);
1203 1363
1204 __mod_retrans_timer(); 1364 __set_retrans_timer(chan);
1205 1365
1206 bt_cb(skb)->tx_seq = chan->next_tx_seq; 1366 bt_cb(skb)->tx_seq = chan->next_tx_seq;
1207 chan->next_tx_seq = (chan->next_tx_seq + 1) % 64; 1367 chan->next_tx_seq = (chan->next_tx_seq + 1) % 64;
@@ -1240,9 +1400,9 @@ static void l2cap_send_ack(struct l2cap_chan *chan)
1240 1400
1241 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT; 1401 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1242 1402
1243 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) { 1403 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
1244 control |= L2CAP_SUPER_RCV_NOT_READY; 1404 control |= L2CAP_SUPER_RCV_NOT_READY;
1245 chan->conn_state |= L2CAP_CONN_RNR_SENT; 1405 set_bit(CONN_RNR_SENT, &chan->conn_state);
1246 l2cap_send_sframe(chan, control); 1406 l2cap_send_sframe(chan, control);
1247 return; 1407 return;
1248 } 1408 }
@@ -1450,28 +1610,83 @@ int l2cap_sar_segment_sdu(struct l2cap_chan *chan, struct msghdr *msg, size_t le
1450 return size; 1610 return size;
1451} 1611}
1452 1612
1453static void l2cap_chan_ready(struct sock *sk) 1613int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1454{ 1614{
1455 struct sock *parent = bt_sk(sk)->parent; 1615 struct sk_buff *skb;
1456 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 1616 u16 control;
1617 int err;
1457 1618
1458 BT_DBG("sk %p, parent %p", sk, parent); 1619 /* Connectionless channel */
1620 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
1621 skb = l2cap_create_connless_pdu(chan, msg, len);
1622 if (IS_ERR(skb))
1623 return PTR_ERR(skb);
1459 1624
1460 chan->conf_state = 0; 1625 l2cap_do_send(chan, skb);
1461 l2cap_sock_clear_timer(sk); 1626 return len;
1627 }
1462 1628
1463 if (!parent) { 1629 switch (chan->mode) {
1464 /* Outgoing channel. 1630 case L2CAP_MODE_BASIC:
1465 * Wake up socket sleeping on connect. 1631 /* Check outgoing MTU */
1466 */ 1632 if (len > chan->omtu)
1467 sk->sk_state = BT_CONNECTED; 1633 return -EMSGSIZE;
1468 sk->sk_state_change(sk); 1634
1469 } else { 1635 /* Create a basic PDU */
1470 /* Incoming channel. 1636 skb = l2cap_create_basic_pdu(chan, msg, len);
1471 * Wake up socket sleeping on accept. 1637 if (IS_ERR(skb))
1472 */ 1638 return PTR_ERR(skb);
1473 parent->sk_data_ready(parent, 0); 1639
1640 l2cap_do_send(chan, skb);
1641 err = len;
1642 break;
1643
1644 case L2CAP_MODE_ERTM:
1645 case L2CAP_MODE_STREAMING:
1646 /* Entire SDU fits into one PDU */
1647 if (len <= chan->remote_mps) {
1648 control = L2CAP_SDU_UNSEGMENTED;
1649 skb = l2cap_create_iframe_pdu(chan, msg, len, control,
1650 0);
1651 if (IS_ERR(skb))
1652 return PTR_ERR(skb);
1653
1654 __skb_queue_tail(&chan->tx_q, skb);
1655
1656 if (chan->tx_send_head == NULL)
1657 chan->tx_send_head = skb;
1658
1659 } else {
1660 /* Segment SDU into multiples PDUs */
1661 err = l2cap_sar_segment_sdu(chan, msg, len);
1662 if (err < 0)
1663 return err;
1664 }
1665
1666 if (chan->mode == L2CAP_MODE_STREAMING) {
1667 l2cap_streaming_send(chan);
1668 err = len;
1669 break;
1670 }
1671
1672 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
1673 test_bit(CONN_WAIT_F, &chan->conn_state)) {
1674 err = len;
1675 break;
1676 }
1677
1678 err = l2cap_ertm_send(chan);
1679 if (err >= 0)
1680 err = len;
1681
1682 break;
1683
1684 default:
1685 BT_DBG("bad state %1.1x", chan->mode);
1686 err = -EBADFD;
1474 } 1687 }
1688
1689 return err;
1475} 1690}
1476 1691
1477/* Copy frame to all raw sockets on that connection */ 1692/* Copy frame to all raw sockets on that connection */
@@ -1485,7 +1700,7 @@ static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
1485 read_lock(&conn->chan_lock); 1700 read_lock(&conn->chan_lock);
1486 list_for_each_entry(chan, &conn->chan_l, list) { 1701 list_for_each_entry(chan, &conn->chan_l, list) {
1487 struct sock *sk = chan->sk; 1702 struct sock *sk = chan->sk;
1488 if (sk->sk_type != SOCK_RAW) 1703 if (chan->chan_type != L2CAP_CHAN_RAW)
1489 continue; 1704 continue;
1490 1705
1491 /* Don't send frame to the socket it came from */ 1706 /* Don't send frame to the socket it came from */
@@ -1495,7 +1710,7 @@ static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
1495 if (!nskb) 1710 if (!nskb)
1496 continue; 1711 continue;
1497 1712
1498 if (sock_queue_rcv_skb(sk, nskb)) 1713 if (chan->ops->recv(chan->data, nskb))
1499 kfree_skb(nskb); 1714 kfree_skb(nskb);
1500 } 1715 }
1501 read_unlock(&conn->chan_lock); 1716 read_unlock(&conn->chan_lock);
@@ -1654,11 +1869,9 @@ static inline void l2cap_ertm_init(struct l2cap_chan *chan)
1654 setup_timer(&chan->ack_timer, l2cap_ack_timeout, (unsigned long) chan); 1869 setup_timer(&chan->ack_timer, l2cap_ack_timeout, (unsigned long) chan);
1655 1870
1656 skb_queue_head_init(&chan->srej_q); 1871 skb_queue_head_init(&chan->srej_q);
1657 skb_queue_head_init(&chan->busy_q);
1658 1872
1659 INIT_LIST_HEAD(&chan->srej_l); 1873 INIT_LIST_HEAD(&chan->srej_l);
1660 1874
1661 INIT_WORK(&chan->busy_work, l2cap_busy_work);
1662 1875
1663 sk->sk_backlog_rcv = l2cap_ertm_data_rcv; 1876 sk->sk_backlog_rcv = l2cap_ertm_data_rcv;
1664} 1877}
@@ -1690,7 +1903,7 @@ static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1690 switch (chan->mode) { 1903 switch (chan->mode) {
1691 case L2CAP_MODE_STREAMING: 1904 case L2CAP_MODE_STREAMING:
1692 case L2CAP_MODE_ERTM: 1905 case L2CAP_MODE_ERTM:
1693 if (chan->conf_state & L2CAP_CONF_STATE2_DEVICE) 1906 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
1694 break; 1907 break;
1695 1908
1696 /* fall through */ 1909 /* fall through */
@@ -1737,7 +1950,7 @@ done:
1737 break; 1950 break;
1738 1951
1739 if (chan->fcs == L2CAP_FCS_NONE || 1952 if (chan->fcs == L2CAP_FCS_NONE ||
1740 chan->conf_state & L2CAP_CONF_NO_FCS_RECV) { 1953 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
1741 chan->fcs = L2CAP_FCS_NONE; 1954 chan->fcs = L2CAP_FCS_NONE;
1742 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs); 1955 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
1743 } 1956 }
@@ -1760,7 +1973,7 @@ done:
1760 break; 1973 break;
1761 1974
1762 if (chan->fcs == L2CAP_FCS_NONE || 1975 if (chan->fcs == L2CAP_FCS_NONE ||
1763 chan->conf_state & L2CAP_CONF_NO_FCS_RECV) { 1976 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
1764 chan->fcs = L2CAP_FCS_NONE; 1977 chan->fcs = L2CAP_FCS_NONE;
1765 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs); 1978 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
1766 } 1979 }
@@ -1812,7 +2025,7 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1812 2025
1813 case L2CAP_CONF_FCS: 2026 case L2CAP_CONF_FCS:
1814 if (val == L2CAP_FCS_NONE) 2027 if (val == L2CAP_FCS_NONE)
1815 chan->conf_state |= L2CAP_CONF_NO_FCS_RECV; 2028 set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
1816 2029
1817 break; 2030 break;
1818 2031
@@ -1832,7 +2045,7 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1832 switch (chan->mode) { 2045 switch (chan->mode) {
1833 case L2CAP_MODE_STREAMING: 2046 case L2CAP_MODE_STREAMING:
1834 case L2CAP_MODE_ERTM: 2047 case L2CAP_MODE_ERTM:
1835 if (!(chan->conf_state & L2CAP_CONF_STATE2_DEVICE)) { 2048 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
1836 chan->mode = l2cap_select_mode(rfc.mode, 2049 chan->mode = l2cap_select_mode(rfc.mode,
1837 chan->conn->feat_mask); 2050 chan->conn->feat_mask);
1838 break; 2051 break;
@@ -1865,14 +2078,14 @@ done:
1865 result = L2CAP_CONF_UNACCEPT; 2078 result = L2CAP_CONF_UNACCEPT;
1866 else { 2079 else {
1867 chan->omtu = mtu; 2080 chan->omtu = mtu;
1868 chan->conf_state |= L2CAP_CONF_MTU_DONE; 2081 set_bit(CONF_MTU_DONE, &chan->conf_state);
1869 } 2082 }
1870 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu); 2083 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
1871 2084
1872 switch (rfc.mode) { 2085 switch (rfc.mode) {
1873 case L2CAP_MODE_BASIC: 2086 case L2CAP_MODE_BASIC:
1874 chan->fcs = L2CAP_FCS_NONE; 2087 chan->fcs = L2CAP_FCS_NONE;
1875 chan->conf_state |= L2CAP_CONF_MODE_DONE; 2088 set_bit(CONF_MODE_DONE, &chan->conf_state);
1876 break; 2089 break;
1877 2090
1878 case L2CAP_MODE_ERTM: 2091 case L2CAP_MODE_ERTM:
@@ -1889,7 +2102,7 @@ done:
1889 rfc.monitor_timeout = 2102 rfc.monitor_timeout =
1890 le16_to_cpu(L2CAP_DEFAULT_MONITOR_TO); 2103 le16_to_cpu(L2CAP_DEFAULT_MONITOR_TO);
1891 2104
1892 chan->conf_state |= L2CAP_CONF_MODE_DONE; 2105 set_bit(CONF_MODE_DONE, &chan->conf_state);
1893 2106
1894 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, 2107 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
1895 sizeof(rfc), (unsigned long) &rfc); 2108 sizeof(rfc), (unsigned long) &rfc);
@@ -1902,7 +2115,7 @@ done:
1902 2115
1903 chan->remote_mps = le16_to_cpu(rfc.max_pdu_size); 2116 chan->remote_mps = le16_to_cpu(rfc.max_pdu_size);
1904 2117
1905 chan->conf_state |= L2CAP_CONF_MODE_DONE; 2118 set_bit(CONF_MODE_DONE, &chan->conf_state);
1906 2119
1907 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, 2120 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
1908 sizeof(rfc), (unsigned long) &rfc); 2121 sizeof(rfc), (unsigned long) &rfc);
@@ -1917,7 +2130,7 @@ done:
1917 } 2130 }
1918 2131
1919 if (result == L2CAP_CONF_SUCCESS) 2132 if (result == L2CAP_CONF_SUCCESS)
1920 chan->conf_state |= L2CAP_CONF_OUTPUT_DONE; 2133 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
1921 } 2134 }
1922 rsp->scid = cpu_to_le16(chan->dcid); 2135 rsp->scid = cpu_to_le16(chan->dcid);
1923 rsp->result = cpu_to_le16(result); 2136 rsp->result = cpu_to_le16(result);
@@ -1959,7 +2172,7 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, voi
1959 if (olen == sizeof(rfc)) 2172 if (olen == sizeof(rfc))
1960 memcpy(&rfc, (void *)val, olen); 2173 memcpy(&rfc, (void *)val, olen);
1961 2174
1962 if ((chan->conf_state & L2CAP_CONF_STATE2_DEVICE) && 2175 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
1963 rfc.mode != chan->mode) 2176 rfc.mode != chan->mode)
1964 return -ECONNREFUSED; 2177 return -ECONNREFUSED;
1965 2178
@@ -2021,10 +2234,9 @@ void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
2021 l2cap_send_cmd(conn, chan->ident, 2234 l2cap_send_cmd(conn, chan->ident,
2022 L2CAP_CONN_RSP, sizeof(rsp), &rsp); 2235 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2023 2236
2024 if (chan->conf_state & L2CAP_CONF_REQ_SENT) 2237 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
2025 return; 2238 return;
2026 2239
2027 chan->conf_state |= L2CAP_CONF_REQ_SENT;
2028 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, 2240 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2029 l2cap_build_conf_req(chan, buf), buf); 2241 l2cap_build_conf_req(chan, buf), buf);
2030 chan->num_conf_req++; 2242 chan->num_conf_req++;
@@ -2066,9 +2278,9 @@ done:
2066 2278
2067static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data) 2279static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2068{ 2280{
2069 struct l2cap_cmd_rej *rej = (struct l2cap_cmd_rej *) data; 2281 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
2070 2282
2071 if (rej->reason != 0x0000) 2283 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
2072 return 0; 2284 return 0;
2073 2285
2074 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) && 2286 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
@@ -2124,17 +2336,11 @@ static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hd
2124 goto response; 2336 goto response;
2125 } 2337 }
2126 2338
2127 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP, GFP_ATOMIC); 2339 chan = pchan->ops->new_connection(pchan->data);
2128 if (!sk) 2340 if (!chan)
2129 goto response;
2130
2131 chan = l2cap_chan_create(sk);
2132 if (!chan) {
2133 l2cap_sock_kill(sk);
2134 goto response; 2341 goto response;
2135 }
2136 2342
2137 l2cap_pi(sk)->chan = chan; 2343 sk = chan->sk;
2138 2344
2139 write_lock_bh(&conn->chan_lock); 2345 write_lock_bh(&conn->chan_lock);
2140 2346
@@ -2142,13 +2348,12 @@ static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hd
2142 if (__l2cap_get_chan_by_dcid(conn, scid)) { 2348 if (__l2cap_get_chan_by_dcid(conn, scid)) {
2143 write_unlock_bh(&conn->chan_lock); 2349 write_unlock_bh(&conn->chan_lock);
2144 sock_set_flag(sk, SOCK_ZAPPED); 2350 sock_set_flag(sk, SOCK_ZAPPED);
2145 l2cap_sock_kill(sk); 2351 chan->ops->close(chan->data);
2146 goto response; 2352 goto response;
2147 } 2353 }
2148 2354
2149 hci_conn_hold(conn->hcon); 2355 hci_conn_hold(conn->hcon);
2150 2356
2151 l2cap_sock_init(sk, parent);
2152 bacpy(&bt_sk(sk)->src, conn->src); 2357 bacpy(&bt_sk(sk)->src, conn->src);
2153 bacpy(&bt_sk(sk)->dst, conn->dst); 2358 bacpy(&bt_sk(sk)->dst, conn->dst);
2154 chan->psm = psm; 2359 chan->psm = psm;
@@ -2160,29 +2365,29 @@ static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hd
2160 2365
2161 dcid = chan->scid; 2366 dcid = chan->scid;
2162 2367
2163 l2cap_sock_set_timer(sk, sk->sk_sndtimeo); 2368 __set_chan_timer(chan, sk->sk_sndtimeo);
2164 2369
2165 chan->ident = cmd->ident; 2370 chan->ident = cmd->ident;
2166 2371
2167 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) { 2372 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
2168 if (l2cap_check_security(chan)) { 2373 if (l2cap_check_security(chan)) {
2169 if (bt_sk(sk)->defer_setup) { 2374 if (bt_sk(sk)->defer_setup) {
2170 sk->sk_state = BT_CONNECT2; 2375 l2cap_state_change(chan, BT_CONNECT2);
2171 result = L2CAP_CR_PEND; 2376 result = L2CAP_CR_PEND;
2172 status = L2CAP_CS_AUTHOR_PEND; 2377 status = L2CAP_CS_AUTHOR_PEND;
2173 parent->sk_data_ready(parent, 0); 2378 parent->sk_data_ready(parent, 0);
2174 } else { 2379 } else {
2175 sk->sk_state = BT_CONFIG; 2380 l2cap_state_change(chan, BT_CONFIG);
2176 result = L2CAP_CR_SUCCESS; 2381 result = L2CAP_CR_SUCCESS;
2177 status = L2CAP_CS_NO_INFO; 2382 status = L2CAP_CS_NO_INFO;
2178 } 2383 }
2179 } else { 2384 } else {
2180 sk->sk_state = BT_CONNECT2; 2385 l2cap_state_change(chan, BT_CONNECT2);
2181 result = L2CAP_CR_PEND; 2386 result = L2CAP_CR_PEND;
2182 status = L2CAP_CS_AUTHEN_PEND; 2387 status = L2CAP_CS_AUTHEN_PEND;
2183 } 2388 }
2184 } else { 2389 } else {
2185 sk->sk_state = BT_CONNECT2; 2390 l2cap_state_change(chan, BT_CONNECT2);
2186 result = L2CAP_CR_PEND; 2391 result = L2CAP_CR_PEND;
2187 status = L2CAP_CS_NO_INFO; 2392 status = L2CAP_CS_NO_INFO;
2188 } 2393 }
@@ -2213,10 +2418,10 @@ sendresp:
2213 L2CAP_INFO_REQ, sizeof(info), &info); 2418 L2CAP_INFO_REQ, sizeof(info), &info);
2214 } 2419 }
2215 2420
2216 if (chan && !(chan->conf_state & L2CAP_CONF_REQ_SENT) && 2421 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
2217 result == L2CAP_CR_SUCCESS) { 2422 result == L2CAP_CR_SUCCESS) {
2218 u8 buf[128]; 2423 u8 buf[128];
2219 chan->conf_state |= L2CAP_CONF_REQ_SENT; 2424 set_bit(CONF_REQ_SENT, &chan->conf_state);
2220 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, 2425 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2221 l2cap_build_conf_req(chan, buf), buf); 2426 l2cap_build_conf_req(chan, buf), buf);
2222 chan->num_conf_req++; 2427 chan->num_conf_req++;
@@ -2254,31 +2459,29 @@ static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hd
2254 2459
2255 switch (result) { 2460 switch (result) {
2256 case L2CAP_CR_SUCCESS: 2461 case L2CAP_CR_SUCCESS:
2257 sk->sk_state = BT_CONFIG; 2462 l2cap_state_change(chan, BT_CONFIG);
2258 chan->ident = 0; 2463 chan->ident = 0;
2259 chan->dcid = dcid; 2464 chan->dcid = dcid;
2260 chan->conf_state &= ~L2CAP_CONF_CONNECT_PEND; 2465 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
2261 2466
2262 if (chan->conf_state & L2CAP_CONF_REQ_SENT) 2467 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
2263 break; 2468 break;
2264 2469
2265 chan->conf_state |= L2CAP_CONF_REQ_SENT;
2266
2267 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, 2470 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2268 l2cap_build_conf_req(chan, req), req); 2471 l2cap_build_conf_req(chan, req), req);
2269 chan->num_conf_req++; 2472 chan->num_conf_req++;
2270 break; 2473 break;
2271 2474
2272 case L2CAP_CR_PEND: 2475 case L2CAP_CR_PEND:
2273 chan->conf_state |= L2CAP_CONF_CONNECT_PEND; 2476 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
2274 break; 2477 break;
2275 2478
2276 default: 2479 default:
2277 /* don't delete l2cap channel if sk is owned by user */ 2480 /* don't delete l2cap channel if sk is owned by user */
2278 if (sock_owned_by_user(sk)) { 2481 if (sock_owned_by_user(sk)) {
2279 sk->sk_state = BT_DISCONN; 2482 l2cap_state_change(chan, BT_DISCONN);
2280 l2cap_sock_clear_timer(sk); 2483 __clear_chan_timer(chan);
2281 l2cap_sock_set_timer(sk, HZ / 5); 2484 __set_chan_timer(chan, HZ / 5);
2282 break; 2485 break;
2283 } 2486 }
2284 2487
@@ -2292,14 +2495,12 @@ static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hd
2292 2495
2293static inline void set_default_fcs(struct l2cap_chan *chan) 2496static inline void set_default_fcs(struct l2cap_chan *chan)
2294{ 2497{
2295 struct l2cap_pinfo *pi = l2cap_pi(chan->sk);
2296
2297 /* FCS is enabled only in ERTM or streaming mode, if one or both 2498 /* FCS is enabled only in ERTM or streaming mode, if one or both
2298 * sides request it. 2499 * sides request it.
2299 */ 2500 */
2300 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING) 2501 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
2301 chan->fcs = L2CAP_FCS_NONE; 2502 chan->fcs = L2CAP_FCS_NONE;
2302 else if (!(pi->chan->conf_state & L2CAP_CONF_NO_FCS_RECV)) 2503 else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
2303 chan->fcs = L2CAP_FCS_CRC16; 2504 chan->fcs = L2CAP_FCS_CRC16;
2304} 2505}
2305 2506
@@ -2323,10 +2524,13 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
2323 2524
2324 sk = chan->sk; 2525 sk = chan->sk;
2325 2526
2326 if (sk->sk_state != BT_CONFIG) { 2527 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
2327 struct l2cap_cmd_rej rej; 2528 struct l2cap_cmd_rej_cid rej;
2529
2530 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
2531 rej.scid = cpu_to_le16(chan->scid);
2532 rej.dcid = cpu_to_le16(chan->dcid);
2328 2533
2329 rej.reason = cpu_to_le16(0x0002);
2330 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ, 2534 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
2331 sizeof(rej), &rej); 2535 sizeof(rej), &rej);
2332 goto unlock; 2536 goto unlock;
@@ -2334,7 +2538,7 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
2334 2538
2335 /* Reject if config buffer is too small. */ 2539 /* Reject if config buffer is too small. */
2336 len = cmd_len - sizeof(*req); 2540 len = cmd_len - sizeof(*req);
2337 if (chan->conf_len + len > sizeof(chan->conf_req)) { 2541 if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
2338 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, 2542 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2339 l2cap_build_conf_rsp(chan, rsp, 2543 l2cap_build_conf_rsp(chan, rsp,
2340 L2CAP_CONF_REJECT, flags), rsp); 2544 L2CAP_CONF_REJECT, flags), rsp);
@@ -2366,13 +2570,13 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
2366 /* Reset config buffer. */ 2570 /* Reset config buffer. */
2367 chan->conf_len = 0; 2571 chan->conf_len = 0;
2368 2572
2369 if (!(chan->conf_state & L2CAP_CONF_OUTPUT_DONE)) 2573 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
2370 goto unlock; 2574 goto unlock;
2371 2575
2372 if (chan->conf_state & L2CAP_CONF_INPUT_DONE) { 2576 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
2373 set_default_fcs(chan); 2577 set_default_fcs(chan);
2374 2578
2375 sk->sk_state = BT_CONNECTED; 2579 l2cap_state_change(chan, BT_CONNECTED);
2376 2580
2377 chan->next_tx_seq = 0; 2581 chan->next_tx_seq = 0;
2378 chan->expected_tx_seq = 0; 2582 chan->expected_tx_seq = 0;
@@ -2384,9 +2588,8 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
2384 goto unlock; 2588 goto unlock;
2385 } 2589 }
2386 2590
2387 if (!(chan->conf_state & L2CAP_CONF_REQ_SENT)) { 2591 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
2388 u8 buf[64]; 2592 u8 buf[64];
2389 chan->conf_state |= L2CAP_CONF_REQ_SENT;
2390 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, 2593 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2391 l2cap_build_conf_req(chan, buf), buf); 2594 l2cap_build_conf_req(chan, buf), buf);
2392 chan->num_conf_req++; 2595 chan->num_conf_req++;
@@ -2451,7 +2654,7 @@ static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr
2451 2654
2452 default: 2655 default:
2453 sk->sk_err = ECONNRESET; 2656 sk->sk_err = ECONNRESET;
2454 l2cap_sock_set_timer(sk, HZ * 5); 2657 __set_chan_timer(chan, HZ * 5);
2455 l2cap_send_disconn_req(conn, chan, ECONNRESET); 2658 l2cap_send_disconn_req(conn, chan, ECONNRESET);
2456 goto done; 2659 goto done;
2457 } 2660 }
@@ -2459,12 +2662,12 @@ static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr
2459 if (flags & 0x01) 2662 if (flags & 0x01)
2460 goto done; 2663 goto done;
2461 2664
2462 chan->conf_state |= L2CAP_CONF_INPUT_DONE; 2665 set_bit(CONF_INPUT_DONE, &chan->conf_state);
2463 2666
2464 if (chan->conf_state & L2CAP_CONF_OUTPUT_DONE) { 2667 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
2465 set_default_fcs(chan); 2668 set_default_fcs(chan);
2466 2669
2467 sk->sk_state = BT_CONNECTED; 2670 l2cap_state_change(chan, BT_CONNECTED);
2468 chan->next_tx_seq = 0; 2671 chan->next_tx_seq = 0;
2469 chan->expected_tx_seq = 0; 2672 chan->expected_tx_seq = 0;
2470 skb_queue_head_init(&chan->tx_q); 2673 skb_queue_head_init(&chan->tx_q);
@@ -2506,9 +2709,9 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd
2506 2709
2507 /* don't delete l2cap channel if sk is owned by user */ 2710 /* don't delete l2cap channel if sk is owned by user */
2508 if (sock_owned_by_user(sk)) { 2711 if (sock_owned_by_user(sk)) {
2509 sk->sk_state = BT_DISCONN; 2712 l2cap_state_change(chan, BT_DISCONN);
2510 l2cap_sock_clear_timer(sk); 2713 __clear_chan_timer(chan);
2511 l2cap_sock_set_timer(sk, HZ / 5); 2714 __set_chan_timer(chan, HZ / 5);
2512 bh_unlock_sock(sk); 2715 bh_unlock_sock(sk);
2513 return 0; 2716 return 0;
2514 } 2717 }
@@ -2516,7 +2719,7 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd
2516 l2cap_chan_del(chan, ECONNRESET); 2719 l2cap_chan_del(chan, ECONNRESET);
2517 bh_unlock_sock(sk); 2720 bh_unlock_sock(sk);
2518 2721
2519 l2cap_sock_kill(sk); 2722 chan->ops->close(chan->data);
2520 return 0; 2723 return 0;
2521} 2724}
2522 2725
@@ -2540,9 +2743,9 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd
2540 2743
2541 /* don't delete l2cap channel if sk is owned by user */ 2744 /* don't delete l2cap channel if sk is owned by user */
2542 if (sock_owned_by_user(sk)) { 2745 if (sock_owned_by_user(sk)) {
2543 sk->sk_state = BT_DISCONN; 2746 l2cap_state_change(chan,BT_DISCONN);
2544 l2cap_sock_clear_timer(sk); 2747 __clear_chan_timer(chan);
2545 l2cap_sock_set_timer(sk, HZ / 5); 2748 __set_chan_timer(chan, HZ / 5);
2546 bh_unlock_sock(sk); 2749 bh_unlock_sock(sk);
2547 return 0; 2750 return 0;
2548 } 2751 }
@@ -2550,7 +2753,7 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd
2550 l2cap_chan_del(chan, 0); 2753 l2cap_chan_del(chan, 0);
2551 bh_unlock_sock(sk); 2754 bh_unlock_sock(sk);
2552 2755
2553 l2cap_sock_kill(sk); 2756 chan->ops->close(chan->data);
2554 return 0; 2757 return 0;
2555} 2758}
2556 2759
@@ -2818,12 +3021,12 @@ static inline void l2cap_sig_channel(struct l2cap_conn *conn,
2818 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data); 3021 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
2819 3022
2820 if (err) { 3023 if (err) {
2821 struct l2cap_cmd_rej rej; 3024 struct l2cap_cmd_rej_unk rej;
2822 3025
2823 BT_ERR("Wrong link type (%d)", err); 3026 BT_ERR("Wrong link type (%d)", err);
2824 3027
2825 /* FIXME: Map err to a valid reason */ 3028 /* FIXME: Map err to a valid reason */
2826 rej.reason = cpu_to_le16(0); 3029 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
2827 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej); 3030 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
2828 } 3031 }
2829 3032
@@ -2858,18 +3061,18 @@ static inline void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
2858 3061
2859 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT; 3062 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
2860 3063
2861 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) { 3064 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
2862 control |= L2CAP_SUPER_RCV_NOT_READY; 3065 control |= L2CAP_SUPER_RCV_NOT_READY;
2863 l2cap_send_sframe(chan, control); 3066 l2cap_send_sframe(chan, control);
2864 chan->conn_state |= L2CAP_CONN_RNR_SENT; 3067 set_bit(CONN_RNR_SENT, &chan->conn_state);
2865 } 3068 }
2866 3069
2867 if (chan->conn_state & L2CAP_CONN_REMOTE_BUSY) 3070 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2868 l2cap_retransmit_frames(chan); 3071 l2cap_retransmit_frames(chan);
2869 3072
2870 l2cap_ertm_send(chan); 3073 l2cap_ertm_send(chan);
2871 3074
2872 if (!(chan->conn_state & L2CAP_CONN_LOCAL_BUSY) && 3075 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2873 chan->frames_sent == 0) { 3076 chan->frames_sent == 0) {
2874 control |= L2CAP_SUPER_RCV_READY; 3077 control |= L2CAP_SUPER_RCV_READY;
2875 l2cap_send_sframe(chan, control); 3078 l2cap_send_sframe(chan, control);
@@ -2925,17 +3128,13 @@ static int l2cap_ertm_reassembly_sdu(struct l2cap_chan *chan, struct sk_buff *sk
2925 3128
2926 switch (control & L2CAP_CTRL_SAR) { 3129 switch (control & L2CAP_CTRL_SAR) {
2927 case L2CAP_SDU_UNSEGMENTED: 3130 case L2CAP_SDU_UNSEGMENTED:
2928 if (chan->conn_state & L2CAP_CONN_SAR_SDU) 3131 if (test_bit(CONN_SAR_SDU, &chan->conn_state))
2929 goto drop; 3132 goto drop;
2930 3133
2931 err = sock_queue_rcv_skb(chan->sk, skb); 3134 return chan->ops->recv(chan->data, skb);
2932 if (!err)
2933 return err;
2934
2935 break;
2936 3135
2937 case L2CAP_SDU_START: 3136 case L2CAP_SDU_START:
2938 if (chan->conn_state & L2CAP_CONN_SAR_SDU) 3137 if (test_bit(CONN_SAR_SDU, &chan->conn_state))
2939 goto drop; 3138 goto drop;
2940 3139
2941 chan->sdu_len = get_unaligned_le16(skb->data); 3140 chan->sdu_len = get_unaligned_le16(skb->data);
@@ -2954,12 +3153,12 @@ static int l2cap_ertm_reassembly_sdu(struct l2cap_chan *chan, struct sk_buff *sk
2954 3153
2955 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len); 3154 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
2956 3155
2957 chan->conn_state |= L2CAP_CONN_SAR_SDU; 3156 set_bit(CONN_SAR_SDU, &chan->conn_state);
2958 chan->partial_sdu_len = skb->len; 3157 chan->partial_sdu_len = skb->len;
2959 break; 3158 break;
2960 3159
2961 case L2CAP_SDU_CONTINUE: 3160 case L2CAP_SDU_CONTINUE:
2962 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU)) 3161 if (!test_bit(CONN_SAR_SDU, &chan->conn_state))
2963 goto disconnect; 3162 goto disconnect;
2964 3163
2965 if (!chan->sdu) 3164 if (!chan->sdu)
@@ -2974,39 +3173,34 @@ static int l2cap_ertm_reassembly_sdu(struct l2cap_chan *chan, struct sk_buff *sk
2974 break; 3173 break;
2975 3174
2976 case L2CAP_SDU_END: 3175 case L2CAP_SDU_END:
2977 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU)) 3176 if (!test_bit(CONN_SAR_SDU, &chan->conn_state))
2978 goto disconnect; 3177 goto disconnect;
2979 3178
2980 if (!chan->sdu) 3179 if (!chan->sdu)
2981 goto disconnect; 3180 goto disconnect;
2982 3181
2983 if (!(chan->conn_state & L2CAP_CONN_SAR_RETRY)) { 3182 chan->partial_sdu_len += skb->len;
2984 chan->partial_sdu_len += skb->len;
2985 3183
2986 if (chan->partial_sdu_len > chan->imtu) 3184 if (chan->partial_sdu_len > chan->imtu)
2987 goto drop; 3185 goto drop;
2988 3186
2989 if (chan->partial_sdu_len != chan->sdu_len) 3187 if (chan->partial_sdu_len != chan->sdu_len)
2990 goto drop; 3188 goto drop;
2991 3189
2992 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len); 3190 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
2993 }
2994 3191
2995 _skb = skb_clone(chan->sdu, GFP_ATOMIC); 3192 _skb = skb_clone(chan->sdu, GFP_ATOMIC);
2996 if (!_skb) { 3193 if (!_skb) {
2997 chan->conn_state |= L2CAP_CONN_SAR_RETRY;
2998 return -ENOMEM; 3194 return -ENOMEM;
2999 } 3195 }
3000 3196
3001 err = sock_queue_rcv_skb(chan->sk, _skb); 3197 err = chan->ops->recv(chan->data, _skb);
3002 if (err < 0) { 3198 if (err < 0) {
3003 kfree_skb(_skb); 3199 kfree_skb(_skb);
3004 chan->conn_state |= L2CAP_CONN_SAR_RETRY;
3005 return err; 3200 return err;
3006 } 3201 }
3007 3202
3008 chan->conn_state &= ~L2CAP_CONN_SAR_RETRY; 3203 clear_bit(CONN_SAR_SDU, &chan->conn_state);
3009 chan->conn_state &= ~L2CAP_CONN_SAR_SDU;
3010 3204
3011 kfree_skb(chan->sdu); 3205 kfree_skb(chan->sdu);
3012 break; 3206 break;
@@ -3025,128 +3219,55 @@ disconnect:
3025 return 0; 3219 return 0;
3026} 3220}
3027 3221
3028static int l2cap_try_push_rx_skb(struct l2cap_chan *chan) 3222static void l2cap_ertm_enter_local_busy(struct l2cap_chan *chan)
3029{ 3223{
3030 struct sk_buff *skb;
3031 u16 control; 3224 u16 control;
3032 int err;
3033
3034 while ((skb = skb_dequeue(&chan->busy_q))) {
3035 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
3036 err = l2cap_ertm_reassembly_sdu(chan, skb, control);
3037 if (err < 0) {
3038 skb_queue_head(&chan->busy_q, skb);
3039 return -EBUSY;
3040 }
3041 3225
3042 chan->buffer_seq = (chan->buffer_seq + 1) % 64; 3226 BT_DBG("chan %p, Enter local busy", chan);
3043 }
3044 3227
3045 if (!(chan->conn_state & L2CAP_CONN_RNR_SENT)) 3228 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
3046 goto done;
3047 3229
3048 control = chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT; 3230 control = chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3049 control |= L2CAP_SUPER_RCV_READY | L2CAP_CTRL_POLL; 3231 control |= L2CAP_SUPER_RCV_NOT_READY;
3050 l2cap_send_sframe(chan, control); 3232 l2cap_send_sframe(chan, control);
3051 chan->retry_count = 1;
3052 3233
3053 del_timer(&chan->retrans_timer); 3234 set_bit(CONN_RNR_SENT, &chan->conn_state);
3054 __mod_monitor_timer();
3055 3235
3056 chan->conn_state |= L2CAP_CONN_WAIT_F; 3236 __clear_ack_timer(chan);
3057
3058done:
3059 chan->conn_state &= ~L2CAP_CONN_LOCAL_BUSY;
3060 chan->conn_state &= ~L2CAP_CONN_RNR_SENT;
3061
3062 BT_DBG("chan %p, Exit local busy", chan);
3063
3064 return 0;
3065} 3237}
3066 3238
3067static void l2cap_busy_work(struct work_struct *work) 3239static void l2cap_ertm_exit_local_busy(struct l2cap_chan *chan)
3068{ 3240{
3069 DECLARE_WAITQUEUE(wait, current); 3241 u16 control;
3070 struct l2cap_chan *chan =
3071 container_of(work, struct l2cap_chan, busy_work);
3072 struct sock *sk = chan->sk;
3073 int n_tries = 0, timeo = HZ/5, err;
3074 struct sk_buff *skb;
3075
3076 lock_sock(sk);
3077
3078 add_wait_queue(sk_sleep(sk), &wait);
3079 while ((skb = skb_peek(&chan->busy_q))) {
3080 set_current_state(TASK_INTERRUPTIBLE);
3081
3082 if (n_tries++ > L2CAP_LOCAL_BUSY_TRIES) {
3083 err = -EBUSY;
3084 l2cap_send_disconn_req(chan->conn, chan, EBUSY);
3085 break;
3086 }
3087
3088 if (!timeo)
3089 timeo = HZ/5;
3090 3242
3091 if (signal_pending(current)) { 3243 if (!test_bit(CONN_RNR_SENT, &chan->conn_state))
3092 err = sock_intr_errno(timeo); 3244 goto done;
3093 break;
3094 }
3095 3245
3096 release_sock(sk); 3246 control = chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3097 timeo = schedule_timeout(timeo); 3247 control |= L2CAP_SUPER_RCV_READY | L2CAP_CTRL_POLL;
3098 lock_sock(sk); 3248 l2cap_send_sframe(chan, control);
3249 chan->retry_count = 1;
3099 3250
3100 err = sock_error(sk); 3251 __clear_retrans_timer(chan);
3101 if (err) 3252 __set_monitor_timer(chan);
3102 break;
3103 3253
3104 if (l2cap_try_push_rx_skb(chan) == 0) 3254 set_bit(CONN_WAIT_F, &chan->conn_state);
3105 break;
3106 }
3107 3255
3108 set_current_state(TASK_RUNNING); 3256done:
3109 remove_wait_queue(sk_sleep(sk), &wait); 3257 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
3258 clear_bit(CONN_RNR_SENT, &chan->conn_state);
3110 3259
3111 release_sock(sk); 3260 BT_DBG("chan %p, Exit local busy", chan);
3112} 3261}
3113 3262
3114static int l2cap_push_rx_skb(struct l2cap_chan *chan, struct sk_buff *skb, u16 control) 3263void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
3115{ 3264{
3116 int sctrl, err; 3265 if (chan->mode == L2CAP_MODE_ERTM) {
3117 3266 if (busy)
3118 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) { 3267 l2cap_ertm_enter_local_busy(chan);
3119 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT; 3268 else
3120 __skb_queue_tail(&chan->busy_q, skb); 3269 l2cap_ertm_exit_local_busy(chan);
3121 return l2cap_try_push_rx_skb(chan);
3122
3123
3124 }
3125
3126 err = l2cap_ertm_reassembly_sdu(chan, skb, control);
3127 if (err >= 0) {
3128 chan->buffer_seq = (chan->buffer_seq + 1) % 64;
3129 return err;
3130 } 3270 }
3131
3132 /* Busy Condition */
3133 BT_DBG("chan %p, Enter local busy", chan);
3134
3135 chan->conn_state |= L2CAP_CONN_LOCAL_BUSY;
3136 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
3137 __skb_queue_tail(&chan->busy_q, skb);
3138
3139 sctrl = chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3140 sctrl |= L2CAP_SUPER_RCV_NOT_READY;
3141 l2cap_send_sframe(chan, sctrl);
3142
3143 chan->conn_state |= L2CAP_CONN_RNR_SENT;
3144
3145 del_timer(&chan->ack_timer);
3146
3147 queue_work(_busy_wq, &chan->busy_work);
3148
3149 return err;
3150} 3271}
3151 3272
3152static int l2cap_streaming_reassembly_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u16 control) 3273static int l2cap_streaming_reassembly_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u16 control)
@@ -3161,19 +3282,19 @@ static int l2cap_streaming_reassembly_sdu(struct l2cap_chan *chan, struct sk_buf
3161 3282
3162 switch (control & L2CAP_CTRL_SAR) { 3283 switch (control & L2CAP_CTRL_SAR) {
3163 case L2CAP_SDU_UNSEGMENTED: 3284 case L2CAP_SDU_UNSEGMENTED:
3164 if (chan->conn_state & L2CAP_CONN_SAR_SDU) { 3285 if (test_bit(CONN_SAR_SDU, &chan->conn_state)) {
3165 kfree_skb(chan->sdu); 3286 kfree_skb(chan->sdu);
3166 break; 3287 break;
3167 } 3288 }
3168 3289
3169 err = sock_queue_rcv_skb(chan->sk, skb); 3290 err = chan->ops->recv(chan->data, skb);
3170 if (!err) 3291 if (!err)
3171 return 0; 3292 return 0;
3172 3293
3173 break; 3294 break;
3174 3295
3175 case L2CAP_SDU_START: 3296 case L2CAP_SDU_START:
3176 if (chan->conn_state & L2CAP_CONN_SAR_SDU) { 3297 if (test_bit(CONN_SAR_SDU, &chan->conn_state)) {
3177 kfree_skb(chan->sdu); 3298 kfree_skb(chan->sdu);
3178 break; 3299 break;
3179 } 3300 }
@@ -3194,13 +3315,13 @@ static int l2cap_streaming_reassembly_sdu(struct l2cap_chan *chan, struct sk_buf
3194 3315
3195 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len); 3316 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
3196 3317
3197 chan->conn_state |= L2CAP_CONN_SAR_SDU; 3318 set_bit(CONN_SAR_SDU, &chan->conn_state);
3198 chan->partial_sdu_len = skb->len; 3319 chan->partial_sdu_len = skb->len;
3199 err = 0; 3320 err = 0;
3200 break; 3321 break;
3201 3322
3202 case L2CAP_SDU_CONTINUE: 3323 case L2CAP_SDU_CONTINUE:
3203 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU)) 3324 if (!test_bit(CONN_SAR_SDU, &chan->conn_state))
3204 break; 3325 break;
3205 3326
3206 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len); 3327 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
@@ -3214,12 +3335,12 @@ static int l2cap_streaming_reassembly_sdu(struct l2cap_chan *chan, struct sk_buf
3214 break; 3335 break;
3215 3336
3216 case L2CAP_SDU_END: 3337 case L2CAP_SDU_END:
3217 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU)) 3338 if (!test_bit(CONN_SAR_SDU, &chan->conn_state))
3218 break; 3339 break;
3219 3340
3220 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len); 3341 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
3221 3342
3222 chan->conn_state &= ~L2CAP_CONN_SAR_SDU; 3343 clear_bit(CONN_SAR_SDU, &chan->conn_state);
3223 chan->partial_sdu_len += skb->len; 3344 chan->partial_sdu_len += skb->len;
3224 3345
3225 if (chan->partial_sdu_len > chan->imtu) 3346 if (chan->partial_sdu_len > chan->imtu)
@@ -3227,7 +3348,7 @@ static int l2cap_streaming_reassembly_sdu(struct l2cap_chan *chan, struct sk_buf
3227 3348
3228 if (chan->partial_sdu_len == chan->sdu_len) { 3349 if (chan->partial_sdu_len == chan->sdu_len) {
3229 _skb = skb_clone(chan->sdu, GFP_ATOMIC); 3350 _skb = skb_clone(chan->sdu, GFP_ATOMIC);
3230 err = sock_queue_rcv_skb(chan->sk, _skb); 3351 err = chan->ops->recv(chan->data, _skb);
3231 if (err < 0) 3352 if (err < 0)
3232 kfree_skb(_skb); 3353 kfree_skb(_skb);
3233 } 3354 }
@@ -3247,13 +3368,22 @@ static void l2cap_check_srej_gap(struct l2cap_chan *chan, u8 tx_seq)
3247 struct sk_buff *skb; 3368 struct sk_buff *skb;
3248 u16 control; 3369 u16 control;
3249 3370
3250 while ((skb = skb_peek(&chan->srej_q))) { 3371 while ((skb = skb_peek(&chan->srej_q)) &&
3372 !test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
3373 int err;
3374
3251 if (bt_cb(skb)->tx_seq != tx_seq) 3375 if (bt_cb(skb)->tx_seq != tx_seq)
3252 break; 3376 break;
3253 3377
3254 skb = skb_dequeue(&chan->srej_q); 3378 skb = skb_dequeue(&chan->srej_q);
3255 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT; 3379 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
3256 l2cap_ertm_reassembly_sdu(chan, skb, control); 3380 err = l2cap_ertm_reassembly_sdu(chan, skb, control);
3381
3382 if (err < 0) {
3383 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3384 break;
3385 }
3386
3257 chan->buffer_seq_srej = 3387 chan->buffer_seq_srej =
3258 (chan->buffer_seq_srej + 1) % 64; 3388 (chan->buffer_seq_srej + 1) % 64;
3259 tx_seq = (tx_seq + 1) % 64; 3389 tx_seq = (tx_seq + 1) % 64;
@@ -3310,19 +3440,16 @@ static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u16 rx_cont
3310 tx_seq, rx_control); 3440 tx_seq, rx_control);
3311 3441
3312 if (L2CAP_CTRL_FINAL & rx_control && 3442 if (L2CAP_CTRL_FINAL & rx_control &&
3313 chan->conn_state & L2CAP_CONN_WAIT_F) { 3443 test_bit(CONN_WAIT_F, &chan->conn_state)) {
3314 del_timer(&chan->monitor_timer); 3444 __clear_monitor_timer(chan);
3315 if (chan->unacked_frames > 0) 3445 if (chan->unacked_frames > 0)
3316 __mod_retrans_timer(); 3446 __set_retrans_timer(chan);
3317 chan->conn_state &= ~L2CAP_CONN_WAIT_F; 3447 clear_bit(CONN_WAIT_F, &chan->conn_state);
3318 } 3448 }
3319 3449
3320 chan->expected_ack_seq = req_seq; 3450 chan->expected_ack_seq = req_seq;
3321 l2cap_drop_acked_frames(chan); 3451 l2cap_drop_acked_frames(chan);
3322 3452
3323 if (tx_seq == chan->expected_tx_seq)
3324 goto expected;
3325
3326 tx_seq_offset = (tx_seq - chan->buffer_seq) % 64; 3453 tx_seq_offset = (tx_seq - chan->buffer_seq) % 64;
3327 if (tx_seq_offset < 0) 3454 if (tx_seq_offset < 0)
3328 tx_seq_offset += 64; 3455 tx_seq_offset += 64;
@@ -3333,10 +3460,13 @@ static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u16 rx_cont
3333 goto drop; 3460 goto drop;
3334 } 3461 }
3335 3462
3336 if (chan->conn_state == L2CAP_CONN_LOCAL_BUSY) 3463 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
3337 goto drop; 3464 goto drop;
3338 3465
3339 if (chan->conn_state & L2CAP_CONN_SREJ_SENT) { 3466 if (tx_seq == chan->expected_tx_seq)
3467 goto expected;
3468
3469 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3340 struct srej_list *first; 3470 struct srej_list *first;
3341 3471
3342 first = list_first_entry(&chan->srej_l, 3472 first = list_first_entry(&chan->srej_l,
@@ -3350,7 +3480,7 @@ static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u16 rx_cont
3350 3480
3351 if (list_empty(&chan->srej_l)) { 3481 if (list_empty(&chan->srej_l)) {
3352 chan->buffer_seq = chan->buffer_seq_srej; 3482 chan->buffer_seq = chan->buffer_seq_srej;
3353 chan->conn_state &= ~L2CAP_CONN_SREJ_SENT; 3483 clear_bit(CONN_SREJ_SENT, &chan->conn_state);
3354 l2cap_send_ack(chan); 3484 l2cap_send_ack(chan);
3355 BT_DBG("chan %p, Exit SREJ_SENT", chan); 3485 BT_DBG("chan %p, Exit SREJ_SENT", chan);
3356 } 3486 }
@@ -3379,7 +3509,7 @@ static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u16 rx_cont
3379 if (tx_seq_offset < expected_tx_seq_offset) 3509 if (tx_seq_offset < expected_tx_seq_offset)
3380 goto drop; 3510 goto drop;
3381 3511
3382 chan->conn_state |= L2CAP_CONN_SREJ_SENT; 3512 set_bit(CONN_SREJ_SENT, &chan->conn_state);
3383 3513
3384 BT_DBG("chan %p, Enter SREJ", chan); 3514 BT_DBG("chan %p, Enter SREJ", chan);
3385 3515
@@ -3387,39 +3517,39 @@ static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u16 rx_cont
3387 chan->buffer_seq_srej = chan->buffer_seq; 3517 chan->buffer_seq_srej = chan->buffer_seq;
3388 3518
3389 __skb_queue_head_init(&chan->srej_q); 3519 __skb_queue_head_init(&chan->srej_q);
3390 __skb_queue_head_init(&chan->busy_q);
3391 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar); 3520 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
3392 3521
3393 chan->conn_state |= L2CAP_CONN_SEND_PBIT; 3522 set_bit(CONN_SEND_PBIT, &chan->conn_state);
3394 3523
3395 l2cap_send_srejframe(chan, tx_seq); 3524 l2cap_send_srejframe(chan, tx_seq);
3396 3525
3397 del_timer(&chan->ack_timer); 3526 __clear_ack_timer(chan);
3398 } 3527 }
3399 return 0; 3528 return 0;
3400 3529
3401expected: 3530expected:
3402 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64; 3531 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
3403 3532
3404 if (chan->conn_state & L2CAP_CONN_SREJ_SENT) { 3533 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3405 bt_cb(skb)->tx_seq = tx_seq; 3534 bt_cb(skb)->tx_seq = tx_seq;
3406 bt_cb(skb)->sar = sar; 3535 bt_cb(skb)->sar = sar;
3407 __skb_queue_tail(&chan->srej_q, skb); 3536 __skb_queue_tail(&chan->srej_q, skb);
3408 return 0; 3537 return 0;
3409 } 3538 }
3410 3539
3411 err = l2cap_push_rx_skb(chan, skb, rx_control); 3540 err = l2cap_ertm_reassembly_sdu(chan, skb, rx_control);
3412 if (err < 0) 3541 chan->buffer_seq = (chan->buffer_seq + 1) % 64;
3413 return 0; 3542 if (err < 0) {
3543 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3544 return err;
3545 }
3414 3546
3415 if (rx_control & L2CAP_CTRL_FINAL) { 3547 if (rx_control & L2CAP_CTRL_FINAL) {
3416 if (chan->conn_state & L2CAP_CONN_REJ_ACT) 3548 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
3417 chan->conn_state &= ~L2CAP_CONN_REJ_ACT;
3418 else
3419 l2cap_retransmit_frames(chan); 3549 l2cap_retransmit_frames(chan);
3420 } 3550 }
3421 3551
3422 __mod_ack_timer(); 3552 __set_ack_timer(chan);
3423 3553
3424 chan->num_acked = (chan->num_acked + 1) % num_to_ack; 3554 chan->num_acked = (chan->num_acked + 1) % num_to_ack;
3425 if (chan->num_acked == num_to_ack - 1) 3555 if (chan->num_acked == num_to_ack - 1)
@@ -3441,33 +3571,31 @@ static inline void l2cap_data_channel_rrframe(struct l2cap_chan *chan, u16 rx_co
3441 l2cap_drop_acked_frames(chan); 3571 l2cap_drop_acked_frames(chan);
3442 3572
3443 if (rx_control & L2CAP_CTRL_POLL) { 3573 if (rx_control & L2CAP_CTRL_POLL) {
3444 chan->conn_state |= L2CAP_CONN_SEND_FBIT; 3574 set_bit(CONN_SEND_FBIT, &chan->conn_state);
3445 if (chan->conn_state & L2CAP_CONN_SREJ_SENT) { 3575 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3446 if ((chan->conn_state & L2CAP_CONN_REMOTE_BUSY) && 3576 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
3447 (chan->unacked_frames > 0)) 3577 (chan->unacked_frames > 0))
3448 __mod_retrans_timer(); 3578 __set_retrans_timer(chan);
3449 3579
3450 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY; 3580 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
3451 l2cap_send_srejtail(chan); 3581 l2cap_send_srejtail(chan);
3452 } else { 3582 } else {
3453 l2cap_send_i_or_rr_or_rnr(chan); 3583 l2cap_send_i_or_rr_or_rnr(chan);
3454 } 3584 }
3455 3585
3456 } else if (rx_control & L2CAP_CTRL_FINAL) { 3586 } else if (rx_control & L2CAP_CTRL_FINAL) {
3457 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY; 3587 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
3458 3588
3459 if (chan->conn_state & L2CAP_CONN_REJ_ACT) 3589 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
3460 chan->conn_state &= ~L2CAP_CONN_REJ_ACT;
3461 else
3462 l2cap_retransmit_frames(chan); 3590 l2cap_retransmit_frames(chan);
3463 3591
3464 } else { 3592 } else {
3465 if ((chan->conn_state & L2CAP_CONN_REMOTE_BUSY) && 3593 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
3466 (chan->unacked_frames > 0)) 3594 (chan->unacked_frames > 0))
3467 __mod_retrans_timer(); 3595 __set_retrans_timer(chan);
3468 3596
3469 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY; 3597 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
3470 if (chan->conn_state & L2CAP_CONN_SREJ_SENT) 3598 if (test_bit(CONN_SREJ_SENT, &chan->conn_state))
3471 l2cap_send_ack(chan); 3599 l2cap_send_ack(chan);
3472 else 3600 else
3473 l2cap_ertm_send(chan); 3601 l2cap_ertm_send(chan);
@@ -3480,21 +3608,19 @@ static inline void l2cap_data_channel_rejframe(struct l2cap_chan *chan, u16 rx_c
3480 3608
3481 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control); 3609 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
3482 3610
3483 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY; 3611 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
3484 3612
3485 chan->expected_ack_seq = tx_seq; 3613 chan->expected_ack_seq = tx_seq;
3486 l2cap_drop_acked_frames(chan); 3614 l2cap_drop_acked_frames(chan);
3487 3615
3488 if (rx_control & L2CAP_CTRL_FINAL) { 3616 if (rx_control & L2CAP_CTRL_FINAL) {
3489 if (chan->conn_state & L2CAP_CONN_REJ_ACT) 3617 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
3490 chan->conn_state &= ~L2CAP_CONN_REJ_ACT;
3491 else
3492 l2cap_retransmit_frames(chan); 3618 l2cap_retransmit_frames(chan);
3493 } else { 3619 } else {
3494 l2cap_retransmit_frames(chan); 3620 l2cap_retransmit_frames(chan);
3495 3621
3496 if (chan->conn_state & L2CAP_CONN_WAIT_F) 3622 if (test_bit(CONN_WAIT_F, &chan->conn_state))
3497 chan->conn_state |= L2CAP_CONN_REJ_ACT; 3623 set_bit(CONN_REJ_ACT, &chan->conn_state);
3498 } 3624 }
3499} 3625}
3500static inline void l2cap_data_channel_srejframe(struct l2cap_chan *chan, u16 rx_control) 3626static inline void l2cap_data_channel_srejframe(struct l2cap_chan *chan, u16 rx_control)
@@ -3503,32 +3629,32 @@ static inline void l2cap_data_channel_srejframe(struct l2cap_chan *chan, u16 rx_
3503 3629
3504 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control); 3630 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
3505 3631
3506 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY; 3632 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
3507 3633
3508 if (rx_control & L2CAP_CTRL_POLL) { 3634 if (rx_control & L2CAP_CTRL_POLL) {
3509 chan->expected_ack_seq = tx_seq; 3635 chan->expected_ack_seq = tx_seq;
3510 l2cap_drop_acked_frames(chan); 3636 l2cap_drop_acked_frames(chan);
3511 3637
3512 chan->conn_state |= L2CAP_CONN_SEND_FBIT; 3638 set_bit(CONN_SEND_FBIT, &chan->conn_state);
3513 l2cap_retransmit_one_frame(chan, tx_seq); 3639 l2cap_retransmit_one_frame(chan, tx_seq);
3514 3640
3515 l2cap_ertm_send(chan); 3641 l2cap_ertm_send(chan);
3516 3642
3517 if (chan->conn_state & L2CAP_CONN_WAIT_F) { 3643 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
3518 chan->srej_save_reqseq = tx_seq; 3644 chan->srej_save_reqseq = tx_seq;
3519 chan->conn_state |= L2CAP_CONN_SREJ_ACT; 3645 set_bit(CONN_SREJ_ACT, &chan->conn_state);
3520 } 3646 }
3521 } else if (rx_control & L2CAP_CTRL_FINAL) { 3647 } else if (rx_control & L2CAP_CTRL_FINAL) {
3522 if ((chan->conn_state & L2CAP_CONN_SREJ_ACT) && 3648 if (test_bit(CONN_SREJ_ACT, &chan->conn_state) &&
3523 chan->srej_save_reqseq == tx_seq) 3649 chan->srej_save_reqseq == tx_seq)
3524 chan->conn_state &= ~L2CAP_CONN_SREJ_ACT; 3650 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
3525 else 3651 else
3526 l2cap_retransmit_one_frame(chan, tx_seq); 3652 l2cap_retransmit_one_frame(chan, tx_seq);
3527 } else { 3653 } else {
3528 l2cap_retransmit_one_frame(chan, tx_seq); 3654 l2cap_retransmit_one_frame(chan, tx_seq);
3529 if (chan->conn_state & L2CAP_CONN_WAIT_F) { 3655 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
3530 chan->srej_save_reqseq = tx_seq; 3656 chan->srej_save_reqseq = tx_seq;
3531 chan->conn_state |= L2CAP_CONN_SREJ_ACT; 3657 set_bit(CONN_SREJ_ACT, &chan->conn_state);
3532 } 3658 }
3533 } 3659 }
3534} 3660}
@@ -3539,15 +3665,15 @@ static inline void l2cap_data_channel_rnrframe(struct l2cap_chan *chan, u16 rx_c
3539 3665
3540 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control); 3666 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
3541 3667
3542 chan->conn_state |= L2CAP_CONN_REMOTE_BUSY; 3668 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
3543 chan->expected_ack_seq = tx_seq; 3669 chan->expected_ack_seq = tx_seq;
3544 l2cap_drop_acked_frames(chan); 3670 l2cap_drop_acked_frames(chan);
3545 3671
3546 if (rx_control & L2CAP_CTRL_POLL) 3672 if (rx_control & L2CAP_CTRL_POLL)
3547 chan->conn_state |= L2CAP_CONN_SEND_FBIT; 3673 set_bit(CONN_SEND_FBIT, &chan->conn_state);
3548 3674
3549 if (!(chan->conn_state & L2CAP_CONN_SREJ_SENT)) { 3675 if (!test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3550 del_timer(&chan->retrans_timer); 3676 __clear_retrans_timer(chan);
3551 if (rx_control & L2CAP_CTRL_POLL) 3677 if (rx_control & L2CAP_CTRL_POLL)
3552 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_FINAL); 3678 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_FINAL);
3553 return; 3679 return;
@@ -3564,11 +3690,11 @@ static inline int l2cap_data_channel_sframe(struct l2cap_chan *chan, u16 rx_cont
3564 BT_DBG("chan %p rx_control 0x%4.4x len %d", chan, rx_control, skb->len); 3690 BT_DBG("chan %p rx_control 0x%4.4x len %d", chan, rx_control, skb->len);
3565 3691
3566 if (L2CAP_CTRL_FINAL & rx_control && 3692 if (L2CAP_CTRL_FINAL & rx_control &&
3567 chan->conn_state & L2CAP_CONN_WAIT_F) { 3693 test_bit(CONN_WAIT_F, &chan->conn_state)) {
3568 del_timer(&chan->monitor_timer); 3694 __clear_monitor_timer(chan);
3569 if (chan->unacked_frames > 0) 3695 if (chan->unacked_frames > 0)
3570 __mod_retrans_timer(); 3696 __set_retrans_timer(chan);
3571 chan->conn_state &= ~L2CAP_CONN_WAIT_F; 3697 clear_bit(CONN_WAIT_F, &chan->conn_state);
3572 } 3698 }
3573 3699
3574 switch (rx_control & L2CAP_CTRL_SUPERVISE) { 3700 switch (rx_control & L2CAP_CTRL_SUPERVISE) {
@@ -3667,7 +3793,6 @@ static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk
3667{ 3793{
3668 struct l2cap_chan *chan; 3794 struct l2cap_chan *chan;
3669 struct sock *sk = NULL; 3795 struct sock *sk = NULL;
3670 struct l2cap_pinfo *pi;
3671 u16 control; 3796 u16 control;
3672 u8 tx_seq; 3797 u8 tx_seq;
3673 int len; 3798 int len;
@@ -3679,11 +3804,10 @@ static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk
3679 } 3804 }
3680 3805
3681 sk = chan->sk; 3806 sk = chan->sk;
3682 pi = l2cap_pi(sk);
3683 3807
3684 BT_DBG("chan %p, len %d", chan, skb->len); 3808 BT_DBG("chan %p, len %d", chan, skb->len);
3685 3809
3686 if (sk->sk_state != BT_CONNECTED) 3810 if (chan->state != BT_CONNECTED)
3687 goto drop; 3811 goto drop;
3688 3812
3689 switch (chan->mode) { 3813 switch (chan->mode) {
@@ -3696,7 +3820,7 @@ static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk
3696 if (chan->imtu < skb->len) 3820 if (chan->imtu < skb->len)
3697 goto drop; 3821 goto drop;
3698 3822
3699 if (!sock_queue_rcv_skb(sk, skb)) 3823 if (!chan->ops->recv(chan->data, skb))
3700 goto done; 3824 goto done;
3701 break; 3825 break;
3702 3826
@@ -3768,13 +3892,13 @@ static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, str
3768 3892
3769 BT_DBG("sk %p, len %d", sk, skb->len); 3893 BT_DBG("sk %p, len %d", sk, skb->len);
3770 3894
3771 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_CONNECTED) 3895 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
3772 goto drop; 3896 goto drop;
3773 3897
3774 if (l2cap_pi(sk)->chan->imtu < skb->len) 3898 if (chan->imtu < skb->len)
3775 goto drop; 3899 goto drop;
3776 3900
3777 if (!sock_queue_rcv_skb(sk, skb)) 3901 if (!chan->ops->recv(chan->data, skb))
3778 goto done; 3902 goto done;
3779 3903
3780drop: 3904drop:
@@ -3801,13 +3925,13 @@ static inline int l2cap_att_channel(struct l2cap_conn *conn, __le16 cid, struct
3801 3925
3802 BT_DBG("sk %p, len %d", sk, skb->len); 3926 BT_DBG("sk %p, len %d", sk, skb->len);
3803 3927
3804 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_CONNECTED) 3928 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
3805 goto drop; 3929 goto drop;
3806 3930
3807 if (l2cap_pi(sk)->chan->imtu < skb->len) 3931 if (chan->imtu < skb->len)
3808 goto drop; 3932 goto drop;
3809 3933
3810 if (!sock_queue_rcv_skb(sk, skb)) 3934 if (!chan->ops->recv(chan->data, skb))
3811 goto done; 3935 goto done;
3812 3936
3813drop: 3937drop:
@@ -3852,6 +3976,11 @@ static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
3852 l2cap_att_channel(conn, cid, skb); 3976 l2cap_att_channel(conn, cid, skb);
3853 break; 3977 break;
3854 3978
3979 case L2CAP_CID_SMP:
3980 if (smp_sig_channel(conn, skb))
3981 l2cap_conn_del(conn->hcon, EACCES);
3982 break;
3983
3855 default: 3984 default:
3856 l2cap_data_channel(conn, cid, skb); 3985 l2cap_data_channel(conn, cid, skb);
3857 break; 3986 break;
@@ -3875,7 +4004,7 @@ static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
3875 list_for_each_entry(c, &chan_list, global_l) { 4004 list_for_each_entry(c, &chan_list, global_l) {
3876 struct sock *sk = c->sk; 4005 struct sock *sk = c->sk;
3877 4006
3878 if (sk->sk_state != BT_LISTEN) 4007 if (c->state != BT_LISTEN)
3879 continue; 4008 continue;
3880 4009
3881 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) { 4010 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
@@ -3908,7 +4037,7 @@ static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
3908 if (conn) 4037 if (conn)
3909 l2cap_conn_ready(conn); 4038 l2cap_conn_ready(conn);
3910 } else 4039 } else
3911 l2cap_conn_del(hcon, bt_err(status)); 4040 l2cap_conn_del(hcon, bt_to_errno(status));
3912 4041
3913 return 0; 4042 return 0;
3914} 4043}
@@ -3919,7 +4048,7 @@ static int l2cap_disconn_ind(struct hci_conn *hcon)
3919 4048
3920 BT_DBG("hcon %p", hcon); 4049 BT_DBG("hcon %p", hcon);
3921 4050
3922 if (hcon->type != ACL_LINK || !conn) 4051 if ((hcon->type != ACL_LINK && hcon->type != LE_LINK) || !conn)
3923 return 0x13; 4052 return 0x13;
3924 4053
3925 return conn->disc_reason; 4054 return conn->disc_reason;
@@ -3932,27 +4061,25 @@ static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
3932 if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK)) 4061 if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK))
3933 return -EINVAL; 4062 return -EINVAL;
3934 4063
3935 l2cap_conn_del(hcon, bt_err(reason)); 4064 l2cap_conn_del(hcon, bt_to_errno(reason));
3936 4065
3937 return 0; 4066 return 0;
3938} 4067}
3939 4068
3940static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt) 4069static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
3941{ 4070{
3942 struct sock *sk = chan->sk; 4071 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
3943
3944 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM)
3945 return; 4072 return;
3946 4073
3947 if (encrypt == 0x00) { 4074 if (encrypt == 0x00) {
3948 if (chan->sec_level == BT_SECURITY_MEDIUM) { 4075 if (chan->sec_level == BT_SECURITY_MEDIUM) {
3949 l2cap_sock_clear_timer(sk); 4076 __clear_chan_timer(chan);
3950 l2cap_sock_set_timer(sk, HZ * 5); 4077 __set_chan_timer(chan, HZ * 5);
3951 } else if (chan->sec_level == BT_SECURITY_HIGH) 4078 } else if (chan->sec_level == BT_SECURITY_HIGH)
3952 __l2cap_sock_close(sk, ECONNREFUSED); 4079 l2cap_chan_close(chan, ECONNREFUSED);
3953 } else { 4080 } else {
3954 if (chan->sec_level == BT_SECURITY_MEDIUM) 4081 if (chan->sec_level == BT_SECURITY_MEDIUM)
3955 l2cap_sock_clear_timer(sk); 4082 __clear_chan_timer(chan);
3956 } 4083 }
3957} 4084}
3958 4085
@@ -3973,50 +4100,74 @@ static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
3973 4100
3974 bh_lock_sock(sk); 4101 bh_lock_sock(sk);
3975 4102
3976 if (chan->conf_state & L2CAP_CONF_CONNECT_PEND) { 4103 BT_DBG("chan->scid %d", chan->scid);
4104
4105 if (chan->scid == L2CAP_CID_LE_DATA) {
4106 if (!status && encrypt) {
4107 chan->sec_level = hcon->sec_level;
4108 del_timer(&conn->security_timer);
4109 l2cap_chan_ready(sk);
4110 smp_distribute_keys(conn, 0);
4111 }
4112
4113 bh_unlock_sock(sk);
4114 continue;
4115 }
4116
4117 if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
3977 bh_unlock_sock(sk); 4118 bh_unlock_sock(sk);
3978 continue; 4119 continue;
3979 } 4120 }
3980 4121
3981 if (!status && (sk->sk_state == BT_CONNECTED || 4122 if (!status && (chan->state == BT_CONNECTED ||
3982 sk->sk_state == BT_CONFIG)) { 4123 chan->state == BT_CONFIG)) {
3983 l2cap_check_encryption(chan, encrypt); 4124 l2cap_check_encryption(chan, encrypt);
3984 bh_unlock_sock(sk); 4125 bh_unlock_sock(sk);
3985 continue; 4126 continue;
3986 } 4127 }
3987 4128
3988 if (sk->sk_state == BT_CONNECT) { 4129 if (chan->state == BT_CONNECT) {
3989 if (!status) { 4130 if (!status) {
3990 struct l2cap_conn_req req; 4131 struct l2cap_conn_req req;
3991 req.scid = cpu_to_le16(chan->scid); 4132 req.scid = cpu_to_le16(chan->scid);
3992 req.psm = chan->psm; 4133 req.psm = chan->psm;
3993 4134
3994 chan->ident = l2cap_get_ident(conn); 4135 chan->ident = l2cap_get_ident(conn);
3995 chan->conf_state |= L2CAP_CONF_CONNECT_PEND; 4136 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
3996 4137
3997 l2cap_send_cmd(conn, chan->ident, 4138 l2cap_send_cmd(conn, chan->ident,
3998 L2CAP_CONN_REQ, sizeof(req), &req); 4139 L2CAP_CONN_REQ, sizeof(req), &req);
3999 } else { 4140 } else {
4000 l2cap_sock_clear_timer(sk); 4141 __clear_chan_timer(chan);
4001 l2cap_sock_set_timer(sk, HZ / 10); 4142 __set_chan_timer(chan, HZ / 10);
4002 } 4143 }
4003 } else if (sk->sk_state == BT_CONNECT2) { 4144 } else if (chan->state == BT_CONNECT2) {
4004 struct l2cap_conn_rsp rsp; 4145 struct l2cap_conn_rsp rsp;
4005 __u16 result; 4146 __u16 res, stat;
4006 4147
4007 if (!status) { 4148 if (!status) {
4008 sk->sk_state = BT_CONFIG; 4149 if (bt_sk(sk)->defer_setup) {
4009 result = L2CAP_CR_SUCCESS; 4150 struct sock *parent = bt_sk(sk)->parent;
4151 res = L2CAP_CR_PEND;
4152 stat = L2CAP_CS_AUTHOR_PEND;
4153 if (parent)
4154 parent->sk_data_ready(parent, 0);
4155 } else {
4156 l2cap_state_change(chan, BT_CONFIG);
4157 res = L2CAP_CR_SUCCESS;
4158 stat = L2CAP_CS_NO_INFO;
4159 }
4010 } else { 4160 } else {
4011 sk->sk_state = BT_DISCONN; 4161 l2cap_state_change(chan, BT_DISCONN);
4012 l2cap_sock_set_timer(sk, HZ / 10); 4162 __set_chan_timer(chan, HZ / 10);
4013 result = L2CAP_CR_SEC_BLOCK; 4163 res = L2CAP_CR_SEC_BLOCK;
4164 stat = L2CAP_CS_NO_INFO;
4014 } 4165 }
4015 4166
4016 rsp.scid = cpu_to_le16(chan->dcid); 4167 rsp.scid = cpu_to_le16(chan->dcid);
4017 rsp.dcid = cpu_to_le16(chan->scid); 4168 rsp.dcid = cpu_to_le16(chan->scid);
4018 rsp.result = cpu_to_le16(result); 4169 rsp.result = cpu_to_le16(res);
4019 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO); 4170 rsp.status = cpu_to_le16(stat);
4020 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, 4171 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
4021 sizeof(rsp), &rsp); 4172 sizeof(rsp), &rsp);
4022 } 4173 }
@@ -4152,10 +4303,10 @@ static int l2cap_debugfs_show(struct seq_file *f, void *p)
4152 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n", 4303 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
4153 batostr(&bt_sk(sk)->src), 4304 batostr(&bt_sk(sk)->src),
4154 batostr(&bt_sk(sk)->dst), 4305 batostr(&bt_sk(sk)->dst),
4155 sk->sk_state, __le16_to_cpu(c->psm), 4306 c->state, __le16_to_cpu(c->psm),
4156 c->scid, c->dcid, c->imtu, c->omtu, 4307 c->scid, c->dcid, c->imtu, c->omtu,
4157 c->sec_level, c->mode); 4308 c->sec_level, c->mode);
4158 } 4309}
4159 4310
4160 read_unlock_bh(&chan_list_lock); 4311 read_unlock_bh(&chan_list_lock);
4161 4312
@@ -4195,12 +4346,6 @@ int __init l2cap_init(void)
4195 if (err < 0) 4346 if (err < 0)
4196 return err; 4347 return err;
4197 4348
4198 _busy_wq = create_singlethread_workqueue("l2cap");
4199 if (!_busy_wq) {
4200 err = -ENOMEM;
4201 goto error;
4202 }
4203
4204 err = hci_register_proto(&l2cap_hci_proto); 4349 err = hci_register_proto(&l2cap_hci_proto);
4205 if (err < 0) { 4350 if (err < 0) {
4206 BT_ERR("L2CAP protocol registration failed"); 4351 BT_ERR("L2CAP protocol registration failed");
@@ -4218,7 +4363,6 @@ int __init l2cap_init(void)
4218 return 0; 4363 return 0;
4219 4364
4220error: 4365error:
4221 destroy_workqueue(_busy_wq);
4222 l2cap_cleanup_sockets(); 4366 l2cap_cleanup_sockets();
4223 return err; 4367 return err;
4224} 4368}
@@ -4227,9 +4371,6 @@ void l2cap_exit(void)
4227{ 4371{
4228 debugfs_remove(l2cap_debugfs); 4372 debugfs_remove(l2cap_debugfs);
4229 4373
4230 flush_workqueue(_busy_wq);
4231 destroy_workqueue(_busy_wq);
4232
4233 if (hci_unregister_proto(&l2cap_hci_proto) < 0) 4374 if (hci_unregister_proto(&l2cap_hci_proto) < 0)
4234 BT_ERR("L2CAP protocol unregistration failed"); 4375 BT_ERR("L2CAP protocol unregistration failed");
4235 4376
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index 8248303f44e8..5c36b3e8739c 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -29,54 +29,11 @@
29#include <net/bluetooth/bluetooth.h> 29#include <net/bluetooth/bluetooth.h>
30#include <net/bluetooth/hci_core.h> 30#include <net/bluetooth/hci_core.h>
31#include <net/bluetooth/l2cap.h> 31#include <net/bluetooth/l2cap.h>
32#include <net/bluetooth/smp.h>
32 33
33static const struct proto_ops l2cap_sock_ops; 34static const struct proto_ops l2cap_sock_ops;
34 35static void l2cap_sock_init(struct sock *sk, struct sock *parent);
35/* ---- L2CAP timers ---- */ 36static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio);
36static void l2cap_sock_timeout(unsigned long arg)
37{
38 struct sock *sk = (struct sock *) arg;
39 int reason;
40
41 BT_DBG("sock %p state %d", sk, sk->sk_state);
42
43 bh_lock_sock(sk);
44
45 if (sock_owned_by_user(sk)) {
46 /* sk is owned by user. Try again later */
47 l2cap_sock_set_timer(sk, HZ / 5);
48 bh_unlock_sock(sk);
49 sock_put(sk);
50 return;
51 }
52
53 if (sk->sk_state == BT_CONNECTED || sk->sk_state == BT_CONFIG)
54 reason = ECONNREFUSED;
55 else if (sk->sk_state == BT_CONNECT &&
56 l2cap_pi(sk)->chan->sec_level != BT_SECURITY_SDP)
57 reason = ECONNREFUSED;
58 else
59 reason = ETIMEDOUT;
60
61 __l2cap_sock_close(sk, reason);
62
63 bh_unlock_sock(sk);
64
65 l2cap_sock_kill(sk);
66 sock_put(sk);
67}
68
69void l2cap_sock_set_timer(struct sock *sk, long timeout)
70{
71 BT_DBG("sk %p state %d timeout %ld", sk, sk->sk_state, timeout);
72 sk_reset_timer(sk, &sk->sk_timer, jiffies + timeout);
73}
74
75void l2cap_sock_clear_timer(struct sock *sk)
76{
77 BT_DBG("sock %p state %d", sk, sk->sk_state);
78 sk_stop_timer(sk, &sk->sk_timer);
79}
80 37
81static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen) 38static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
82{ 39{
@@ -133,6 +90,8 @@ static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
133 chan->sec_level = BT_SECURITY_SDP; 90 chan->sec_level = BT_SECURITY_SDP;
134 91
135 bacpy(&bt_sk(sk)->src, &la.l2_bdaddr); 92 bacpy(&bt_sk(sk)->src, &la.l2_bdaddr);
93
94 chan->state = BT_BOUND;
136 sk->sk_state = BT_BOUND; 95 sk->sk_state = BT_BOUND;
137 96
138done: 97done:
@@ -162,7 +121,7 @@ static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, int al
162 121
163 lock_sock(sk); 122 lock_sock(sk);
164 123
165 if ((sk->sk_type == SOCK_SEQPACKET || sk->sk_type == SOCK_STREAM) 124 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED
166 && !(la.l2_psm || la.l2_cid)) { 125 && !(la.l2_psm || la.l2_cid)) {
167 err = -EINVAL; 126 err = -EINVAL;
168 goto done; 127 goto done;
@@ -204,8 +163,8 @@ static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, int al
204 } 163 }
205 164
206 /* PSM must be odd and lsb of upper byte must be 0 */ 165 /* PSM must be odd and lsb of upper byte must be 0 */
207 if ((__le16_to_cpu(la.l2_psm) & 0x0101) != 0x0001 && 166 if ((__le16_to_cpu(la.l2_psm) & 0x0101) != 0x0001 && !la.l2_cid &&
208 sk->sk_type != SOCK_RAW && !la.l2_cid) { 167 chan->chan_type != L2CAP_CHAN_RAW) {
209 err = -EINVAL; 168 err = -EINVAL;
210 goto done; 169 goto done;
211 } 170 }
@@ -258,6 +217,8 @@ static int l2cap_sock_listen(struct socket *sock, int backlog)
258 217
259 sk->sk_max_ack_backlog = backlog; 218 sk->sk_max_ack_backlog = backlog;
260 sk->sk_ack_backlog = 0; 219 sk->sk_ack_backlog = 0;
220
221 chan->state = BT_LISTEN;
261 sk->sk_state = BT_LISTEN; 222 sk->sk_state = BT_LISTEN;
262 223
263done: 224done:
@@ -437,6 +398,7 @@ static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, ch
437 struct sock *sk = sock->sk; 398 struct sock *sk = sock->sk;
438 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 399 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
439 struct bt_security sec; 400 struct bt_security sec;
401 struct bt_power pwr;
440 int len, err = 0; 402 int len, err = 0;
441 403
442 BT_DBG("sk %p", sk); 404 BT_DBG("sk %p", sk);
@@ -454,14 +416,18 @@ static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, ch
454 416
455 switch (optname) { 417 switch (optname) {
456 case BT_SECURITY: 418 case BT_SECURITY:
457 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM 419 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
458 && sk->sk_type != SOCK_RAW) { 420 chan->chan_type != L2CAP_CHAN_RAW) {
459 err = -EINVAL; 421 err = -EINVAL;
460 break; 422 break;
461 } 423 }
462 424
425 memset(&sec, 0, sizeof(sec));
463 sec.level = chan->sec_level; 426 sec.level = chan->sec_level;
464 427
428 if (sk->sk_state == BT_CONNECTED)
429 sec.key_size = chan->conn->hcon->enc_key_size;
430
465 len = min_t(unsigned int, len, sizeof(sec)); 431 len = min_t(unsigned int, len, sizeof(sec));
466 if (copy_to_user(optval, (char *) &sec, len)) 432 if (copy_to_user(optval, (char *) &sec, len))
467 err = -EFAULT; 433 err = -EFAULT;
@@ -485,6 +451,21 @@ static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, ch
485 451
486 break; 452 break;
487 453
454 case BT_POWER:
455 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
456 && sk->sk_type != SOCK_RAW) {
457 err = -EINVAL;
458 break;
459 }
460
461 pwr.force_active = chan->force_active;
462
463 len = min_t(unsigned int, len, sizeof(pwr));
464 if (copy_to_user(optval, (char *) &pwr, len))
465 err = -EFAULT;
466
467 break;
468
488 default: 469 default:
489 err = -ENOPROTOOPT; 470 err = -ENOPROTOOPT;
490 break; 471 break;
@@ -535,7 +516,7 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __us
535 chan->mode = opts.mode; 516 chan->mode = opts.mode;
536 switch (chan->mode) { 517 switch (chan->mode) {
537 case L2CAP_MODE_BASIC: 518 case L2CAP_MODE_BASIC:
538 chan->conf_state &= ~L2CAP_CONF_STATE2_DEVICE; 519 clear_bit(CONF_STATE2_DEVICE, &chan->conf_state);
539 break; 520 break;
540 case L2CAP_MODE_ERTM: 521 case L2CAP_MODE_ERTM:
541 case L2CAP_MODE_STREAMING: 522 case L2CAP_MODE_STREAMING:
@@ -585,6 +566,8 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, ch
585 struct sock *sk = sock->sk; 566 struct sock *sk = sock->sk;
586 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 567 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
587 struct bt_security sec; 568 struct bt_security sec;
569 struct bt_power pwr;
570 struct l2cap_conn *conn;
588 int len, err = 0; 571 int len, err = 0;
589 u32 opt; 572 u32 opt;
590 573
@@ -600,8 +583,8 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, ch
600 583
601 switch (optname) { 584 switch (optname) {
602 case BT_SECURITY: 585 case BT_SECURITY:
603 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM 586 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
604 && sk->sk_type != SOCK_RAW) { 587 chan->chan_type != L2CAP_CHAN_RAW) {
605 err = -EINVAL; 588 err = -EINVAL;
606 break; 589 break;
607 } 590 }
@@ -621,6 +604,20 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, ch
621 } 604 }
622 605
623 chan->sec_level = sec.level; 606 chan->sec_level = sec.level;
607
608 conn = chan->conn;
609 if (conn && chan->scid == L2CAP_CID_LE_DATA) {
610 if (!conn->hcon->out) {
611 err = -EINVAL;
612 break;
613 }
614
615 if (smp_conn_security(conn, sec.level))
616 break;
617
618 err = 0;
619 sk->sk_state = BT_CONFIG;
620 }
624 break; 621 break;
625 622
626 case BT_DEFER_SETUP: 623 case BT_DEFER_SETUP:
@@ -661,6 +658,23 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, ch
661 chan->flushable = opt; 658 chan->flushable = opt;
662 break; 659 break;
663 660
661 case BT_POWER:
662 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
663 chan->chan_type != L2CAP_CHAN_RAW) {
664 err = -EINVAL;
665 break;
666 }
667
668 pwr.force_active = BT_POWER_FORCE_ACTIVE_ON;
669
670 len = min_t(unsigned int, sizeof(pwr), optlen);
671 if (copy_from_user((char *) &pwr, optval, len)) {
672 err = -EFAULT;
673 break;
674 }
675 chan->force_active = pwr.force_active;
676 break;
677
664 default: 678 default:
665 err = -ENOPROTOOPT; 679 err = -ENOPROTOOPT;
666 break; 680 break;
@@ -674,8 +688,6 @@ static int l2cap_sock_sendmsg(struct kiocb *iocb, struct socket *sock, struct ms
674{ 688{
675 struct sock *sk = sock->sk; 689 struct sock *sk = sock->sk;
676 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 690 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
677 struct sk_buff *skb;
678 u16 control;
679 int err; 691 int err;
680 692
681 BT_DBG("sock %p, sk %p", sock, sk); 693 BT_DBG("sock %p, sk %p", sock, sk);
@@ -690,87 +702,12 @@ static int l2cap_sock_sendmsg(struct kiocb *iocb, struct socket *sock, struct ms
690 lock_sock(sk); 702 lock_sock(sk);
691 703
692 if (sk->sk_state != BT_CONNECTED) { 704 if (sk->sk_state != BT_CONNECTED) {
693 err = -ENOTCONN; 705 release_sock(sk);
694 goto done; 706 return -ENOTCONN;
695 }
696
697 /* Connectionless channel */
698 if (sk->sk_type == SOCK_DGRAM) {
699 skb = l2cap_create_connless_pdu(chan, msg, len);
700 if (IS_ERR(skb)) {
701 err = PTR_ERR(skb);
702 } else {
703 l2cap_do_send(chan, skb);
704 err = len;
705 }
706 goto done;
707 } 707 }
708 708
709 switch (chan->mode) { 709 err = l2cap_chan_send(chan, msg, len);
710 case L2CAP_MODE_BASIC:
711 /* Check outgoing MTU */
712 if (len > chan->omtu) {
713 err = -EMSGSIZE;
714 goto done;
715 }
716
717 /* Create a basic PDU */
718 skb = l2cap_create_basic_pdu(chan, msg, len);
719 if (IS_ERR(skb)) {
720 err = PTR_ERR(skb);
721 goto done;
722 }
723
724 l2cap_do_send(chan, skb);
725 err = len;
726 break;
727
728 case L2CAP_MODE_ERTM:
729 case L2CAP_MODE_STREAMING:
730 /* Entire SDU fits into one PDU */
731 if (len <= chan->remote_mps) {
732 control = L2CAP_SDU_UNSEGMENTED;
733 skb = l2cap_create_iframe_pdu(chan, msg, len, control,
734 0);
735 if (IS_ERR(skb)) {
736 err = PTR_ERR(skb);
737 goto done;
738 }
739 __skb_queue_tail(&chan->tx_q, skb);
740
741 if (chan->tx_send_head == NULL)
742 chan->tx_send_head = skb;
743 710
744 } else {
745 /* Segment SDU into multiples PDUs */
746 err = l2cap_sar_segment_sdu(chan, msg, len);
747 if (err < 0)
748 goto done;
749 }
750
751 if (chan->mode == L2CAP_MODE_STREAMING) {
752 l2cap_streaming_send(chan);
753 err = len;
754 break;
755 }
756
757 if ((chan->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
758 (chan->conn_state & L2CAP_CONN_WAIT_F)) {
759 err = len;
760 break;
761 }
762 err = l2cap_ertm_send(chan);
763
764 if (err >= 0)
765 err = len;
766 break;
767
768 default:
769 BT_DBG("bad state %1.1x", chan->mode);
770 err = -EBADFD;
771 }
772
773done:
774 release_sock(sk); 711 release_sock(sk);
775 return err; 712 return err;
776} 713}
@@ -778,13 +715,15 @@ done:
778static int l2cap_sock_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len, int flags) 715static int l2cap_sock_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len, int flags)
779{ 716{
780 struct sock *sk = sock->sk; 717 struct sock *sk = sock->sk;
718 struct l2cap_pinfo *pi = l2cap_pi(sk);
719 int err;
781 720
782 lock_sock(sk); 721 lock_sock(sk);
783 722
784 if (sk->sk_state == BT_CONNECT2 && bt_sk(sk)->defer_setup) { 723 if (sk->sk_state == BT_CONNECT2 && bt_sk(sk)->defer_setup) {
785 sk->sk_state = BT_CONFIG; 724 sk->sk_state = BT_CONFIG;
786 725
787 __l2cap_connect_rsp_defer(l2cap_pi(sk)->chan); 726 __l2cap_connect_rsp_defer(pi->chan);
788 release_sock(sk); 727 release_sock(sk);
789 return 0; 728 return 0;
790 } 729 }
@@ -792,15 +731,43 @@ static int l2cap_sock_recvmsg(struct kiocb *iocb, struct socket *sock, struct ms
792 release_sock(sk); 731 release_sock(sk);
793 732
794 if (sock->type == SOCK_STREAM) 733 if (sock->type == SOCK_STREAM)
795 return bt_sock_stream_recvmsg(iocb, sock, msg, len, flags); 734 err = bt_sock_stream_recvmsg(iocb, sock, msg, len, flags);
735 else
736 err = bt_sock_recvmsg(iocb, sock, msg, len, flags);
796 737
797 return bt_sock_recvmsg(iocb, sock, msg, len, flags); 738 if (pi->chan->mode != L2CAP_MODE_ERTM)
739 return err;
740
741 /* Attempt to put pending rx data in the socket buffer */
742
743 lock_sock(sk);
744
745 if (!test_bit(CONN_LOCAL_BUSY, &pi->chan->conn_state))
746 goto done;
747
748 if (pi->rx_busy_skb) {
749 if (!sock_queue_rcv_skb(sk, pi->rx_busy_skb))
750 pi->rx_busy_skb = NULL;
751 else
752 goto done;
753 }
754
755 /* Restore data flow when half of the receive buffer is
756 * available. This avoids resending large numbers of
757 * frames.
758 */
759 if (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf >> 1)
760 l2cap_chan_busy(pi->chan, 0);
761
762done:
763 release_sock(sk);
764 return err;
798} 765}
799 766
800/* Kill socket (only if zapped and orphan) 767/* Kill socket (only if zapped and orphan)
801 * Must be called on unlocked socket. 768 * Must be called on unlocked socket.
802 */ 769 */
803void l2cap_sock_kill(struct sock *sk) 770static void l2cap_sock_kill(struct sock *sk)
804{ 771{
805 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket) 772 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
806 return; 773 return;
@@ -814,87 +781,6 @@ void l2cap_sock_kill(struct sock *sk)
814 sock_put(sk); 781 sock_put(sk);
815} 782}
816 783
817/* Must be called on unlocked socket. */
818static void l2cap_sock_close(struct sock *sk)
819{
820 l2cap_sock_clear_timer(sk);
821 lock_sock(sk);
822 __l2cap_sock_close(sk, ECONNRESET);
823 release_sock(sk);
824 l2cap_sock_kill(sk);
825}
826
827static void l2cap_sock_cleanup_listen(struct sock *parent)
828{
829 struct sock *sk;
830
831 BT_DBG("parent %p", parent);
832
833 /* Close not yet accepted channels */
834 while ((sk = bt_accept_dequeue(parent, NULL)))
835 l2cap_sock_close(sk);
836
837 parent->sk_state = BT_CLOSED;
838 sock_set_flag(parent, SOCK_ZAPPED);
839}
840
841void __l2cap_sock_close(struct sock *sk, int reason)
842{
843 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
844 struct l2cap_conn *conn = chan->conn;
845
846 BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
847
848 switch (sk->sk_state) {
849 case BT_LISTEN:
850 l2cap_sock_cleanup_listen(sk);
851 break;
852
853 case BT_CONNECTED:
854 case BT_CONFIG:
855 if ((sk->sk_type == SOCK_SEQPACKET ||
856 sk->sk_type == SOCK_STREAM) &&
857 conn->hcon->type == ACL_LINK) {
858 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
859 l2cap_send_disconn_req(conn, chan, reason);
860 } else
861 l2cap_chan_del(chan, reason);
862 break;
863
864 case BT_CONNECT2:
865 if ((sk->sk_type == SOCK_SEQPACKET ||
866 sk->sk_type == SOCK_STREAM) &&
867 conn->hcon->type == ACL_LINK) {
868 struct l2cap_conn_rsp rsp;
869 __u16 result;
870
871 if (bt_sk(sk)->defer_setup)
872 result = L2CAP_CR_SEC_BLOCK;
873 else
874 result = L2CAP_CR_BAD_PSM;
875
876 rsp.scid = cpu_to_le16(chan->dcid);
877 rsp.dcid = cpu_to_le16(chan->scid);
878 rsp.result = cpu_to_le16(result);
879 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
880 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
881 sizeof(rsp), &rsp);
882 }
883
884 l2cap_chan_del(chan, reason);
885 break;
886
887 case BT_CONNECT:
888 case BT_DISCONN:
889 l2cap_chan_del(chan, reason);
890 break;
891
892 default:
893 sock_set_flag(sk, SOCK_ZAPPED);
894 break;
895 }
896}
897
898static int l2cap_sock_shutdown(struct socket *sock, int how) 784static int l2cap_sock_shutdown(struct socket *sock, int how)
899{ 785{
900 struct sock *sk = sock->sk; 786 struct sock *sk = sock->sk;
@@ -912,8 +798,7 @@ static int l2cap_sock_shutdown(struct socket *sock, int how)
912 err = __l2cap_wait_ack(sk); 798 err = __l2cap_wait_ack(sk);
913 799
914 sk->sk_shutdown = SHUTDOWN_MASK; 800 sk->sk_shutdown = SHUTDOWN_MASK;
915 l2cap_sock_clear_timer(sk); 801 l2cap_chan_close(chan, 0);
916 __l2cap_sock_close(sk, 0);
917 802
918 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime) 803 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime)
919 err = bt_sock_wait_state(sk, BT_CLOSED, 804 err = bt_sock_wait_state(sk, BT_CLOSED,
@@ -944,15 +829,85 @@ static int l2cap_sock_release(struct socket *sock)
944 return err; 829 return err;
945} 830}
946 831
832static struct l2cap_chan *l2cap_sock_new_connection_cb(void *data)
833{
834 struct sock *sk, *parent = data;
835
836 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP,
837 GFP_ATOMIC);
838 if (!sk)
839 return NULL;
840
841 l2cap_sock_init(sk, parent);
842
843 return l2cap_pi(sk)->chan;
844}
845
846static int l2cap_sock_recv_cb(void *data, struct sk_buff *skb)
847{
848 int err;
849 struct sock *sk = data;
850 struct l2cap_pinfo *pi = l2cap_pi(sk);
851
852 if (pi->rx_busy_skb)
853 return -ENOMEM;
854
855 err = sock_queue_rcv_skb(sk, skb);
856
857 /* For ERTM, handle one skb that doesn't fit into the recv
858 * buffer. This is important to do because the data frames
859 * have already been acked, so the skb cannot be discarded.
860 *
861 * Notify the l2cap core that the buffer is full, so the
862 * LOCAL_BUSY state is entered and no more frames are
863 * acked and reassembled until there is buffer space
864 * available.
865 */
866 if (err < 0 && pi->chan->mode == L2CAP_MODE_ERTM) {
867 pi->rx_busy_skb = skb;
868 l2cap_chan_busy(pi->chan, 1);
869 err = 0;
870 }
871
872 return err;
873}
874
875static void l2cap_sock_close_cb(void *data)
876{
877 struct sock *sk = data;
878
879 l2cap_sock_kill(sk);
880}
881
882static void l2cap_sock_state_change_cb(void *data, int state)
883{
884 struct sock *sk = data;
885
886 sk->sk_state = state;
887}
888
889static struct l2cap_ops l2cap_chan_ops = {
890 .name = "L2CAP Socket Interface",
891 .new_connection = l2cap_sock_new_connection_cb,
892 .recv = l2cap_sock_recv_cb,
893 .close = l2cap_sock_close_cb,
894 .state_change = l2cap_sock_state_change_cb,
895};
896
947static void l2cap_sock_destruct(struct sock *sk) 897static void l2cap_sock_destruct(struct sock *sk)
948{ 898{
949 BT_DBG("sk %p", sk); 899 BT_DBG("sk %p", sk);
950 900
901 if (l2cap_pi(sk)->rx_busy_skb) {
902 kfree_skb(l2cap_pi(sk)->rx_busy_skb);
903 l2cap_pi(sk)->rx_busy_skb = NULL;
904 }
905
951 skb_queue_purge(&sk->sk_receive_queue); 906 skb_queue_purge(&sk->sk_receive_queue);
952 skb_queue_purge(&sk->sk_write_queue); 907 skb_queue_purge(&sk->sk_write_queue);
953} 908}
954 909
955void l2cap_sock_init(struct sock *sk, struct sock *parent) 910static void l2cap_sock_init(struct sock *sk, struct sock *parent)
956{ 911{
957 struct l2cap_pinfo *pi = l2cap_pi(sk); 912 struct l2cap_pinfo *pi = l2cap_pi(sk);
958 struct l2cap_chan *chan = pi->chan; 913 struct l2cap_chan *chan = pi->chan;
@@ -965,6 +920,7 @@ void l2cap_sock_init(struct sock *sk, struct sock *parent)
965 sk->sk_type = parent->sk_type; 920 sk->sk_type = parent->sk_type;
966 bt_sk(sk)->defer_setup = bt_sk(parent)->defer_setup; 921 bt_sk(sk)->defer_setup = bt_sk(parent)->defer_setup;
967 922
923 chan->chan_type = pchan->chan_type;
968 chan->imtu = pchan->imtu; 924 chan->imtu = pchan->imtu;
969 chan->omtu = pchan->omtu; 925 chan->omtu = pchan->omtu;
970 chan->conf_state = pchan->conf_state; 926 chan->conf_state = pchan->conf_state;
@@ -976,12 +932,27 @@ void l2cap_sock_init(struct sock *sk, struct sock *parent)
976 chan->role_switch = pchan->role_switch; 932 chan->role_switch = pchan->role_switch;
977 chan->force_reliable = pchan->force_reliable; 933 chan->force_reliable = pchan->force_reliable;
978 chan->flushable = pchan->flushable; 934 chan->flushable = pchan->flushable;
935 chan->force_active = pchan->force_active;
979 } else { 936 } else {
937
938 switch (sk->sk_type) {
939 case SOCK_RAW:
940 chan->chan_type = L2CAP_CHAN_RAW;
941 break;
942 case SOCK_DGRAM:
943 chan->chan_type = L2CAP_CHAN_CONN_LESS;
944 break;
945 case SOCK_SEQPACKET:
946 case SOCK_STREAM:
947 chan->chan_type = L2CAP_CHAN_CONN_ORIENTED;
948 break;
949 }
950
980 chan->imtu = L2CAP_DEFAULT_MTU; 951 chan->imtu = L2CAP_DEFAULT_MTU;
981 chan->omtu = 0; 952 chan->omtu = 0;
982 if (!disable_ertm && sk->sk_type == SOCK_STREAM) { 953 if (!disable_ertm && sk->sk_type == SOCK_STREAM) {
983 chan->mode = L2CAP_MODE_ERTM; 954 chan->mode = L2CAP_MODE_ERTM;
984 chan->conf_state |= L2CAP_CONF_STATE2_DEVICE; 955 set_bit(CONF_STATE2_DEVICE, &chan->conf_state);
985 } else { 956 } else {
986 chan->mode = L2CAP_MODE_BASIC; 957 chan->mode = L2CAP_MODE_BASIC;
987 } 958 }
@@ -992,10 +963,15 @@ void l2cap_sock_init(struct sock *sk, struct sock *parent)
992 chan->role_switch = 0; 963 chan->role_switch = 0;
993 chan->force_reliable = 0; 964 chan->force_reliable = 0;
994 chan->flushable = BT_FLUSHABLE_OFF; 965 chan->flushable = BT_FLUSHABLE_OFF;
966 chan->force_active = BT_POWER_FORCE_ACTIVE_ON;
967
995 } 968 }
996 969
997 /* Default config options */ 970 /* Default config options */
998 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO; 971 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
972
973 chan->data = sk;
974 chan->ops = &l2cap_chan_ops;
999} 975}
1000 976
1001static struct proto l2cap_proto = { 977static struct proto l2cap_proto = {
@@ -1004,9 +980,10 @@ static struct proto l2cap_proto = {
1004 .obj_size = sizeof(struct l2cap_pinfo) 980 .obj_size = sizeof(struct l2cap_pinfo)
1005}; 981};
1006 982
1007struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio) 983static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio)
1008{ 984{
1009 struct sock *sk; 985 struct sock *sk;
986 struct l2cap_chan *chan;
1010 987
1011 sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto); 988 sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto);
1012 if (!sk) 989 if (!sk)
@@ -1023,7 +1000,13 @@ struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int proto, g
1023 sk->sk_protocol = proto; 1000 sk->sk_protocol = proto;
1024 sk->sk_state = BT_OPEN; 1001 sk->sk_state = BT_OPEN;
1025 1002
1026 setup_timer(&sk->sk_timer, l2cap_sock_timeout, (unsigned long) sk); 1003 chan = l2cap_chan_create(sk);
1004 if (!chan) {
1005 l2cap_sock_kill(sk);
1006 return NULL;
1007 }
1008
1009 l2cap_pi(sk)->chan = chan;
1027 1010
1028 return sk; 1011 return sk;
1029} 1012}
@@ -1032,7 +1015,6 @@ static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
1032 int kern) 1015 int kern)
1033{ 1016{
1034 struct sock *sk; 1017 struct sock *sk;
1035 struct l2cap_chan *chan;
1036 1018
1037 BT_DBG("sock %p", sock); 1019 BT_DBG("sock %p", sock);
1038 1020
@@ -1051,14 +1033,6 @@ static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
1051 if (!sk) 1033 if (!sk)
1052 return -ENOMEM; 1034 return -ENOMEM;
1053 1035
1054 chan = l2cap_chan_create(sk);
1055 if (!chan) {
1056 l2cap_sock_kill(sk);
1057 return -ENOMEM;
1058 }
1059
1060 l2cap_pi(sk)->chan = chan;
1061
1062 l2cap_sock_init(sk, NULL); 1036 l2cap_sock_init(sk, NULL);
1063 return 0; 1037 return 0;
1064} 1038}
diff --git a/net/bluetooth/lib.c b/net/bluetooth/lib.c
index b826d1bf10df..86a6bed229df 100644
--- a/net/bluetooth/lib.c
+++ b/net/bluetooth/lib.c
@@ -59,7 +59,7 @@ char *batostr(bdaddr_t *ba)
59EXPORT_SYMBOL(batostr); 59EXPORT_SYMBOL(batostr);
60 60
61/* Bluetooth error codes to Unix errno mapping */ 61/* Bluetooth error codes to Unix errno mapping */
62int bt_err(__u16 code) 62int bt_to_errno(__u16 code)
63{ 63{
64 switch (code) { 64 switch (code) {
65 case 0: 65 case 0:
@@ -149,4 +149,23 @@ int bt_err(__u16 code)
149 return ENOSYS; 149 return ENOSYS;
150 } 150 }
151} 151}
152EXPORT_SYMBOL(bt_err); 152EXPORT_SYMBOL(bt_to_errno);
153
154int bt_printk(const char *level, const char *format, ...)
155{
156 struct va_format vaf;
157 va_list args;
158 int r;
159
160 va_start(args, format);
161
162 vaf.fmt = format;
163 vaf.va = &args;
164
165 r = printk("%sBluetooth: %pV\n", level, &vaf);
166
167 va_end(args);
168
169 return r;
170}
171EXPORT_SYMBOL(bt_printk);
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index dae382ce7020..53e109eb043e 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -41,7 +41,7 @@ struct pending_cmd {
41 void *user_data; 41 void *user_data;
42}; 42};
43 43
44LIST_HEAD(cmd_list); 44static LIST_HEAD(cmd_list);
45 45
46static int cmd_status(struct sock *sk, u16 index, u16 cmd, u8 status) 46static int cmd_status(struct sock *sk, u16 index, u16 cmd, u8 status)
47{ 47{
@@ -179,7 +179,7 @@ static int read_controller_info(struct sock *sk, u16 index)
179 179
180 hci_del_off_timer(hdev); 180 hci_del_off_timer(hdev);
181 181
182 hci_dev_lock(hdev); 182 hci_dev_lock_bh(hdev);
183 183
184 set_bit(HCI_MGMT, &hdev->flags); 184 set_bit(HCI_MGMT, &hdev->flags);
185 185
@@ -208,7 +208,7 @@ static int read_controller_info(struct sock *sk, u16 index)
208 208
209 memcpy(rp.name, hdev->dev_name, sizeof(hdev->dev_name)); 209 memcpy(rp.name, hdev->dev_name, sizeof(hdev->dev_name));
210 210
211 hci_dev_unlock(hdev); 211 hci_dev_unlock_bh(hdev);
212 hci_dev_put(hdev); 212 hci_dev_put(hdev);
213 213
214 return cmd_complete(sk, index, MGMT_OP_READ_INFO, &rp, sizeof(rp)); 214 return cmd_complete(sk, index, MGMT_OP_READ_INFO, &rp, sizeof(rp));
@@ -316,7 +316,7 @@ static int set_powered(struct sock *sk, u16 index, unsigned char *data, u16 len)
316 if (!hdev) 316 if (!hdev)
317 return cmd_status(sk, index, MGMT_OP_SET_POWERED, ENODEV); 317 return cmd_status(sk, index, MGMT_OP_SET_POWERED, ENODEV);
318 318
319 hci_dev_lock(hdev); 319 hci_dev_lock_bh(hdev);
320 320
321 up = test_bit(HCI_UP, &hdev->flags); 321 up = test_bit(HCI_UP, &hdev->flags);
322 if ((cp->val && up) || (!cp->val && !up)) { 322 if ((cp->val && up) || (!cp->val && !up)) {
@@ -343,7 +343,7 @@ static int set_powered(struct sock *sk, u16 index, unsigned char *data, u16 len)
343 err = 0; 343 err = 0;
344 344
345failed: 345failed:
346 hci_dev_unlock(hdev); 346 hci_dev_unlock_bh(hdev);
347 hci_dev_put(hdev); 347 hci_dev_put(hdev);
348 return err; 348 return err;
349} 349}
@@ -368,7 +368,7 @@ static int set_discoverable(struct sock *sk, u16 index, unsigned char *data,
368 if (!hdev) 368 if (!hdev)
369 return cmd_status(sk, index, MGMT_OP_SET_DISCOVERABLE, ENODEV); 369 return cmd_status(sk, index, MGMT_OP_SET_DISCOVERABLE, ENODEV);
370 370
371 hci_dev_lock(hdev); 371 hci_dev_lock_bh(hdev);
372 372
373 if (!test_bit(HCI_UP, &hdev->flags)) { 373 if (!test_bit(HCI_UP, &hdev->flags)) {
374 err = cmd_status(sk, index, MGMT_OP_SET_DISCOVERABLE, ENETDOWN); 374 err = cmd_status(sk, index, MGMT_OP_SET_DISCOVERABLE, ENETDOWN);
@@ -403,7 +403,7 @@ static int set_discoverable(struct sock *sk, u16 index, unsigned char *data,
403 mgmt_pending_remove(cmd); 403 mgmt_pending_remove(cmd);
404 404
405failed: 405failed:
406 hci_dev_unlock(hdev); 406 hci_dev_unlock_bh(hdev);
407 hci_dev_put(hdev); 407 hci_dev_put(hdev);
408 408
409 return err; 409 return err;
@@ -429,7 +429,7 @@ static int set_connectable(struct sock *sk, u16 index, unsigned char *data,
429 if (!hdev) 429 if (!hdev)
430 return cmd_status(sk, index, MGMT_OP_SET_CONNECTABLE, ENODEV); 430 return cmd_status(sk, index, MGMT_OP_SET_CONNECTABLE, ENODEV);
431 431
432 hci_dev_lock(hdev); 432 hci_dev_lock_bh(hdev);
433 433
434 if (!test_bit(HCI_UP, &hdev->flags)) { 434 if (!test_bit(HCI_UP, &hdev->flags)) {
435 err = cmd_status(sk, index, MGMT_OP_SET_CONNECTABLE, ENETDOWN); 435 err = cmd_status(sk, index, MGMT_OP_SET_CONNECTABLE, ENETDOWN);
@@ -463,7 +463,7 @@ static int set_connectable(struct sock *sk, u16 index, unsigned char *data,
463 mgmt_pending_remove(cmd); 463 mgmt_pending_remove(cmd);
464 464
465failed: 465failed:
466 hci_dev_unlock(hdev); 466 hci_dev_unlock_bh(hdev);
467 hci_dev_put(hdev); 467 hci_dev_put(hdev);
468 468
469 return err; 469 return err;
@@ -522,7 +522,7 @@ static int set_pairable(struct sock *sk, u16 index, unsigned char *data,
522 if (!hdev) 522 if (!hdev)
523 return cmd_status(sk, index, MGMT_OP_SET_PAIRABLE, ENODEV); 523 return cmd_status(sk, index, MGMT_OP_SET_PAIRABLE, ENODEV);
524 524
525 hci_dev_lock(hdev); 525 hci_dev_lock_bh(hdev);
526 526
527 if (cp->val) 527 if (cp->val)
528 set_bit(HCI_PAIRABLE, &hdev->flags); 528 set_bit(HCI_PAIRABLE, &hdev->flags);
@@ -538,7 +538,7 @@ static int set_pairable(struct sock *sk, u16 index, unsigned char *data,
538 err = mgmt_event(MGMT_EV_PAIRABLE, index, &ev, sizeof(ev), sk); 538 err = mgmt_event(MGMT_EV_PAIRABLE, index, &ev, sizeof(ev), sk);
539 539
540failed: 540failed:
541 hci_dev_unlock(hdev); 541 hci_dev_unlock_bh(hdev);
542 hci_dev_put(hdev); 542 hci_dev_put(hdev);
543 543
544 return err; 544 return err;
@@ -739,7 +739,7 @@ static int add_uuid(struct sock *sk, u16 index, unsigned char *data, u16 len)
739 if (!hdev) 739 if (!hdev)
740 return cmd_status(sk, index, MGMT_OP_ADD_UUID, ENODEV); 740 return cmd_status(sk, index, MGMT_OP_ADD_UUID, ENODEV);
741 741
742 hci_dev_lock(hdev); 742 hci_dev_lock_bh(hdev);
743 743
744 uuid = kmalloc(sizeof(*uuid), GFP_ATOMIC); 744 uuid = kmalloc(sizeof(*uuid), GFP_ATOMIC);
745 if (!uuid) { 745 if (!uuid) {
@@ -763,7 +763,7 @@ static int add_uuid(struct sock *sk, u16 index, unsigned char *data, u16 len)
763 err = cmd_complete(sk, index, MGMT_OP_ADD_UUID, NULL, 0); 763 err = cmd_complete(sk, index, MGMT_OP_ADD_UUID, NULL, 0);
764 764
765failed: 765failed:
766 hci_dev_unlock(hdev); 766 hci_dev_unlock_bh(hdev);
767 hci_dev_put(hdev); 767 hci_dev_put(hdev);
768 768
769 return err; 769 return err;
@@ -788,7 +788,7 @@ static int remove_uuid(struct sock *sk, u16 index, unsigned char *data, u16 len)
788 if (!hdev) 788 if (!hdev)
789 return cmd_status(sk, index, MGMT_OP_REMOVE_UUID, ENODEV); 789 return cmd_status(sk, index, MGMT_OP_REMOVE_UUID, ENODEV);
790 790
791 hci_dev_lock(hdev); 791 hci_dev_lock_bh(hdev);
792 792
793 if (memcmp(cp->uuid, bt_uuid_any, 16) == 0) { 793 if (memcmp(cp->uuid, bt_uuid_any, 16) == 0) {
794 err = hci_uuids_clear(hdev); 794 err = hci_uuids_clear(hdev);
@@ -823,7 +823,7 @@ static int remove_uuid(struct sock *sk, u16 index, unsigned char *data, u16 len)
823 err = cmd_complete(sk, index, MGMT_OP_REMOVE_UUID, NULL, 0); 823 err = cmd_complete(sk, index, MGMT_OP_REMOVE_UUID, NULL, 0);
824 824
825unlock: 825unlock:
826 hci_dev_unlock(hdev); 826 hci_dev_unlock_bh(hdev);
827 hci_dev_put(hdev); 827 hci_dev_put(hdev);
828 828
829 return err; 829 return err;
@@ -847,7 +847,7 @@ static int set_dev_class(struct sock *sk, u16 index, unsigned char *data,
847 if (!hdev) 847 if (!hdev)
848 return cmd_status(sk, index, MGMT_OP_SET_DEV_CLASS, ENODEV); 848 return cmd_status(sk, index, MGMT_OP_SET_DEV_CLASS, ENODEV);
849 849
850 hci_dev_lock(hdev); 850 hci_dev_lock_bh(hdev);
851 851
852 hdev->major_class = cp->major; 852 hdev->major_class = cp->major;
853 hdev->minor_class = cp->minor; 853 hdev->minor_class = cp->minor;
@@ -857,7 +857,7 @@ static int set_dev_class(struct sock *sk, u16 index, unsigned char *data,
857 if (err == 0) 857 if (err == 0)
858 err = cmd_complete(sk, index, MGMT_OP_SET_DEV_CLASS, NULL, 0); 858 err = cmd_complete(sk, index, MGMT_OP_SET_DEV_CLASS, NULL, 0);
859 859
860 hci_dev_unlock(hdev); 860 hci_dev_unlock_bh(hdev);
861 hci_dev_put(hdev); 861 hci_dev_put(hdev);
862 862
863 return err; 863 return err;
@@ -879,7 +879,7 @@ static int set_service_cache(struct sock *sk, u16 index, unsigned char *data,
879 if (!hdev) 879 if (!hdev)
880 return cmd_status(sk, index, MGMT_OP_SET_SERVICE_CACHE, ENODEV); 880 return cmd_status(sk, index, MGMT_OP_SET_SERVICE_CACHE, ENODEV);
881 881
882 hci_dev_lock(hdev); 882 hci_dev_lock_bh(hdev);
883 883
884 BT_DBG("hci%u enable %d", index, cp->enable); 884 BT_DBG("hci%u enable %d", index, cp->enable);
885 885
@@ -897,7 +897,7 @@ static int set_service_cache(struct sock *sk, u16 index, unsigned char *data,
897 err = cmd_complete(sk, index, MGMT_OP_SET_SERVICE_CACHE, NULL, 897 err = cmd_complete(sk, index, MGMT_OP_SET_SERVICE_CACHE, NULL,
898 0); 898 0);
899 899
900 hci_dev_unlock(hdev); 900 hci_dev_unlock_bh(hdev);
901 hci_dev_put(hdev); 901 hci_dev_put(hdev);
902 902
903 return err; 903 return err;
@@ -908,7 +908,7 @@ static int load_keys(struct sock *sk, u16 index, unsigned char *data, u16 len)
908 struct hci_dev *hdev; 908 struct hci_dev *hdev;
909 struct mgmt_cp_load_keys *cp; 909 struct mgmt_cp_load_keys *cp;
910 u16 key_count, expected_len; 910 u16 key_count, expected_len;
911 int i; 911 int i, err;
912 912
913 cp = (void *) data; 913 cp = (void *) data;
914 914
@@ -918,9 +918,9 @@ static int load_keys(struct sock *sk, u16 index, unsigned char *data, u16 len)
918 key_count = get_unaligned_le16(&cp->key_count); 918 key_count = get_unaligned_le16(&cp->key_count);
919 919
920 expected_len = sizeof(*cp) + key_count * sizeof(struct mgmt_key_info); 920 expected_len = sizeof(*cp) + key_count * sizeof(struct mgmt_key_info);
921 if (expected_len != len) { 921 if (expected_len > len) {
922 BT_ERR("load_keys: expected %u bytes, got %u bytes", 922 BT_ERR("load_keys: expected at least %u bytes, got %u bytes",
923 len, expected_len); 923 expected_len, len);
924 return -EINVAL; 924 return -EINVAL;
925 } 925 }
926 926
@@ -931,7 +931,7 @@ static int load_keys(struct sock *sk, u16 index, unsigned char *data, u16 len)
931 BT_DBG("hci%u debug_keys %u key_count %u", index, cp->debug_keys, 931 BT_DBG("hci%u debug_keys %u key_count %u", index, cp->debug_keys,
932 key_count); 932 key_count);
933 933
934 hci_dev_lock(hdev); 934 hci_dev_lock_bh(hdev);
935 935
936 hci_link_keys_clear(hdev); 936 hci_link_keys_clear(hdev);
937 937
@@ -942,17 +942,36 @@ static int load_keys(struct sock *sk, u16 index, unsigned char *data, u16 len)
942 else 942 else
943 clear_bit(HCI_DEBUG_KEYS, &hdev->flags); 943 clear_bit(HCI_DEBUG_KEYS, &hdev->flags);
944 944
945 for (i = 0; i < key_count; i++) { 945 len -= sizeof(*cp);
946 struct mgmt_key_info *key = &cp->keys[i]; 946 i = 0;
947
948 while (i < len) {
949 struct mgmt_key_info *key = (void *) cp->keys + i;
950
951 i += sizeof(*key) + key->dlen;
952
953 if (key->type == HCI_LK_SMP_LTK) {
954 struct key_master_id *id = (void *) key->data;
955
956 if (key->dlen != sizeof(struct key_master_id))
957 continue;
958
959 hci_add_ltk(hdev, 0, &key->bdaddr, key->pin_len,
960 id->ediv, id->rand, key->val);
961
962 continue;
963 }
947 964
948 hci_add_link_key(hdev, NULL, 0, &key->bdaddr, key->val, key->type, 965 hci_add_link_key(hdev, NULL, 0, &key->bdaddr, key->val, key->type,
949 key->pin_len); 966 key->pin_len);
950 } 967 }
951 968
952 hci_dev_unlock(hdev); 969 err = cmd_complete(sk, index, MGMT_OP_LOAD_KEYS, NULL, 0);
970
971 hci_dev_unlock_bh(hdev);
953 hci_dev_put(hdev); 972 hci_dev_put(hdev);
954 973
955 return 0; 974 return err;
956} 975}
957 976
958static int remove_key(struct sock *sk, u16 index, unsigned char *data, u16 len) 977static int remove_key(struct sock *sk, u16 index, unsigned char *data, u16 len)
@@ -971,7 +990,7 @@ static int remove_key(struct sock *sk, u16 index, unsigned char *data, u16 len)
971 if (!hdev) 990 if (!hdev)
972 return cmd_status(sk, index, MGMT_OP_REMOVE_KEY, ENODEV); 991 return cmd_status(sk, index, MGMT_OP_REMOVE_KEY, ENODEV);
973 992
974 hci_dev_lock(hdev); 993 hci_dev_lock_bh(hdev);
975 994
976 err = hci_remove_link_key(hdev, &cp->bdaddr); 995 err = hci_remove_link_key(hdev, &cp->bdaddr);
977 if (err < 0) { 996 if (err < 0) {
@@ -990,11 +1009,11 @@ static int remove_key(struct sock *sk, u16 index, unsigned char *data, u16 len)
990 1009
991 put_unaligned_le16(conn->handle, &dc.handle); 1010 put_unaligned_le16(conn->handle, &dc.handle);
992 dc.reason = 0x13; /* Remote User Terminated Connection */ 1011 dc.reason = 0x13; /* Remote User Terminated Connection */
993 err = hci_send_cmd(hdev, HCI_OP_DISCONNECT, 0, NULL); 1012 err = hci_send_cmd(hdev, HCI_OP_DISCONNECT, sizeof(dc), &dc);
994 } 1013 }
995 1014
996unlock: 1015unlock:
997 hci_dev_unlock(hdev); 1016 hci_dev_unlock_bh(hdev);
998 hci_dev_put(hdev); 1017 hci_dev_put(hdev);
999 1018
1000 return err; 1019 return err;
@@ -1020,7 +1039,7 @@ static int disconnect(struct sock *sk, u16 index, unsigned char *data, u16 len)
1020 if (!hdev) 1039 if (!hdev)
1021 return cmd_status(sk, index, MGMT_OP_DISCONNECT, ENODEV); 1040 return cmd_status(sk, index, MGMT_OP_DISCONNECT, ENODEV);
1022 1041
1023 hci_dev_lock(hdev); 1042 hci_dev_lock_bh(hdev);
1024 1043
1025 if (!test_bit(HCI_UP, &hdev->flags)) { 1044 if (!test_bit(HCI_UP, &hdev->flags)) {
1026 err = cmd_status(sk, index, MGMT_OP_DISCONNECT, ENETDOWN); 1045 err = cmd_status(sk, index, MGMT_OP_DISCONNECT, ENETDOWN);
@@ -1055,7 +1074,7 @@ static int disconnect(struct sock *sk, u16 index, unsigned char *data, u16 len)
1055 mgmt_pending_remove(cmd); 1074 mgmt_pending_remove(cmd);
1056 1075
1057failed: 1076failed:
1058 hci_dev_unlock(hdev); 1077 hci_dev_unlock_bh(hdev);
1059 hci_dev_put(hdev); 1078 hci_dev_put(hdev);
1060 1079
1061 return err; 1080 return err;
@@ -1076,7 +1095,7 @@ static int get_connections(struct sock *sk, u16 index)
1076 if (!hdev) 1095 if (!hdev)
1077 return cmd_status(sk, index, MGMT_OP_GET_CONNECTIONS, ENODEV); 1096 return cmd_status(sk, index, MGMT_OP_GET_CONNECTIONS, ENODEV);
1078 1097
1079 hci_dev_lock(hdev); 1098 hci_dev_lock_bh(hdev);
1080 1099
1081 count = 0; 1100 count = 0;
1082 list_for_each(p, &hdev->conn_hash.list) { 1101 list_for_each(p, &hdev->conn_hash.list) {
@@ -1092,8 +1111,6 @@ static int get_connections(struct sock *sk, u16 index)
1092 1111
1093 put_unaligned_le16(count, &rp->conn_count); 1112 put_unaligned_le16(count, &rp->conn_count);
1094 1113
1095 read_lock(&hci_dev_list_lock);
1096
1097 i = 0; 1114 i = 0;
1098 list_for_each(p, &hdev->conn_hash.list) { 1115 list_for_each(p, &hdev->conn_hash.list) {
1099 struct hci_conn *c = list_entry(p, struct hci_conn, list); 1116 struct hci_conn *c = list_entry(p, struct hci_conn, list);
@@ -1101,22 +1118,41 @@ static int get_connections(struct sock *sk, u16 index)
1101 bacpy(&rp->conn[i++], &c->dst); 1118 bacpy(&rp->conn[i++], &c->dst);
1102 } 1119 }
1103 1120
1104 read_unlock(&hci_dev_list_lock);
1105
1106 err = cmd_complete(sk, index, MGMT_OP_GET_CONNECTIONS, rp, rp_len); 1121 err = cmd_complete(sk, index, MGMT_OP_GET_CONNECTIONS, rp, rp_len);
1107 1122
1108unlock: 1123unlock:
1109 kfree(rp); 1124 kfree(rp);
1110 hci_dev_unlock(hdev); 1125 hci_dev_unlock_bh(hdev);
1111 hci_dev_put(hdev); 1126 hci_dev_put(hdev);
1112 return err; 1127 return err;
1113} 1128}
1114 1129
1130static int send_pin_code_neg_reply(struct sock *sk, u16 index,
1131 struct hci_dev *hdev, struct mgmt_cp_pin_code_neg_reply *cp)
1132{
1133 struct pending_cmd *cmd;
1134 int err;
1135
1136 cmd = mgmt_pending_add(sk, MGMT_OP_PIN_CODE_NEG_REPLY, index, cp,
1137 sizeof(*cp));
1138 if (!cmd)
1139 return -ENOMEM;
1140
1141 err = hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY, sizeof(cp->bdaddr),
1142 &cp->bdaddr);
1143 if (err < 0)
1144 mgmt_pending_remove(cmd);
1145
1146 return err;
1147}
1148
1115static int pin_code_reply(struct sock *sk, u16 index, unsigned char *data, 1149static int pin_code_reply(struct sock *sk, u16 index, unsigned char *data,
1116 u16 len) 1150 u16 len)
1117{ 1151{
1118 struct hci_dev *hdev; 1152 struct hci_dev *hdev;
1153 struct hci_conn *conn;
1119 struct mgmt_cp_pin_code_reply *cp; 1154 struct mgmt_cp_pin_code_reply *cp;
1155 struct mgmt_cp_pin_code_neg_reply ncp;
1120 struct hci_cp_pin_code_reply reply; 1156 struct hci_cp_pin_code_reply reply;
1121 struct pending_cmd *cmd; 1157 struct pending_cmd *cmd;
1122 int err; 1158 int err;
@@ -1132,13 +1168,32 @@ static int pin_code_reply(struct sock *sk, u16 index, unsigned char *data,
1132 if (!hdev) 1168 if (!hdev)
1133 return cmd_status(sk, index, MGMT_OP_PIN_CODE_REPLY, ENODEV); 1169 return cmd_status(sk, index, MGMT_OP_PIN_CODE_REPLY, ENODEV);
1134 1170
1135 hci_dev_lock(hdev); 1171 hci_dev_lock_bh(hdev);
1136 1172
1137 if (!test_bit(HCI_UP, &hdev->flags)) { 1173 if (!test_bit(HCI_UP, &hdev->flags)) {
1138 err = cmd_status(sk, index, MGMT_OP_PIN_CODE_REPLY, ENETDOWN); 1174 err = cmd_status(sk, index, MGMT_OP_PIN_CODE_REPLY, ENETDOWN);
1139 goto failed; 1175 goto failed;
1140 } 1176 }
1141 1177
1178 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1179 if (!conn) {
1180 err = cmd_status(sk, index, MGMT_OP_PIN_CODE_REPLY, ENOTCONN);
1181 goto failed;
1182 }
1183
1184 if (conn->pending_sec_level == BT_SECURITY_HIGH && cp->pin_len != 16) {
1185 bacpy(&ncp.bdaddr, &cp->bdaddr);
1186
1187 BT_ERR("PIN code is not 16 bytes long");
1188
1189 err = send_pin_code_neg_reply(sk, index, hdev, &ncp);
1190 if (err >= 0)
1191 err = cmd_status(sk, index, MGMT_OP_PIN_CODE_REPLY,
1192 EINVAL);
1193
1194 goto failed;
1195 }
1196
1142 cmd = mgmt_pending_add(sk, MGMT_OP_PIN_CODE_REPLY, index, data, len); 1197 cmd = mgmt_pending_add(sk, MGMT_OP_PIN_CODE_REPLY, index, data, len);
1143 if (!cmd) { 1198 if (!cmd) {
1144 err = -ENOMEM; 1199 err = -ENOMEM;
@@ -1147,14 +1202,14 @@ static int pin_code_reply(struct sock *sk, u16 index, unsigned char *data,
1147 1202
1148 bacpy(&reply.bdaddr, &cp->bdaddr); 1203 bacpy(&reply.bdaddr, &cp->bdaddr);
1149 reply.pin_len = cp->pin_len; 1204 reply.pin_len = cp->pin_len;
1150 memcpy(reply.pin_code, cp->pin_code, 16); 1205 memcpy(reply.pin_code, cp->pin_code, sizeof(reply.pin_code));
1151 1206
1152 err = hci_send_cmd(hdev, HCI_OP_PIN_CODE_REPLY, sizeof(reply), &reply); 1207 err = hci_send_cmd(hdev, HCI_OP_PIN_CODE_REPLY, sizeof(reply), &reply);
1153 if (err < 0) 1208 if (err < 0)
1154 mgmt_pending_remove(cmd); 1209 mgmt_pending_remove(cmd);
1155 1210
1156failed: 1211failed:
1157 hci_dev_unlock(hdev); 1212 hci_dev_unlock_bh(hdev);
1158 hci_dev_put(hdev); 1213 hci_dev_put(hdev);
1159 1214
1160 return err; 1215 return err;
@@ -1165,7 +1220,6 @@ static int pin_code_neg_reply(struct sock *sk, u16 index, unsigned char *data,
1165{ 1220{
1166 struct hci_dev *hdev; 1221 struct hci_dev *hdev;
1167 struct mgmt_cp_pin_code_neg_reply *cp; 1222 struct mgmt_cp_pin_code_neg_reply *cp;
1168 struct pending_cmd *cmd;
1169 int err; 1223 int err;
1170 1224
1171 BT_DBG(""); 1225 BT_DBG("");
@@ -1181,7 +1235,7 @@ static int pin_code_neg_reply(struct sock *sk, u16 index, unsigned char *data,
1181 return cmd_status(sk, index, MGMT_OP_PIN_CODE_NEG_REPLY, 1235 return cmd_status(sk, index, MGMT_OP_PIN_CODE_NEG_REPLY,
1182 ENODEV); 1236 ENODEV);
1183 1237
1184 hci_dev_lock(hdev); 1238 hci_dev_lock_bh(hdev);
1185 1239
1186 if (!test_bit(HCI_UP, &hdev->flags)) { 1240 if (!test_bit(HCI_UP, &hdev->flags)) {
1187 err = cmd_status(sk, index, MGMT_OP_PIN_CODE_NEG_REPLY, 1241 err = cmd_status(sk, index, MGMT_OP_PIN_CODE_NEG_REPLY,
@@ -1189,20 +1243,10 @@ static int pin_code_neg_reply(struct sock *sk, u16 index, unsigned char *data,
1189 goto failed; 1243 goto failed;
1190 } 1244 }
1191 1245
1192 cmd = mgmt_pending_add(sk, MGMT_OP_PIN_CODE_NEG_REPLY, index, 1246 err = send_pin_code_neg_reply(sk, index, hdev, cp);
1193 data, len);
1194 if (!cmd) {
1195 err = -ENOMEM;
1196 goto failed;
1197 }
1198
1199 err = hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY, sizeof(cp->bdaddr),
1200 &cp->bdaddr);
1201 if (err < 0)
1202 mgmt_pending_remove(cmd);
1203 1247
1204failed: 1248failed:
1205 hci_dev_unlock(hdev); 1249 hci_dev_unlock_bh(hdev);
1206 hci_dev_put(hdev); 1250 hci_dev_put(hdev);
1207 1251
1208 return err; 1252 return err;
@@ -1225,14 +1269,14 @@ static int set_io_capability(struct sock *sk, u16 index, unsigned char *data,
1225 if (!hdev) 1269 if (!hdev)
1226 return cmd_status(sk, index, MGMT_OP_SET_IO_CAPABILITY, ENODEV); 1270 return cmd_status(sk, index, MGMT_OP_SET_IO_CAPABILITY, ENODEV);
1227 1271
1228 hci_dev_lock(hdev); 1272 hci_dev_lock_bh(hdev);
1229 1273
1230 hdev->io_capability = cp->io_capability; 1274 hdev->io_capability = cp->io_capability;
1231 1275
1232 BT_DBG("%s IO capability set to 0x%02x", hdev->name, 1276 BT_DBG("%s IO capability set to 0x%02x", hdev->name,
1233 hdev->io_capability); 1277 hdev->io_capability);
1234 1278
1235 hci_dev_unlock(hdev); 1279 hci_dev_unlock_bh(hdev);
1236 hci_dev_put(hdev); 1280 hci_dev_put(hdev);
1237 1281
1238 return cmd_complete(sk, index, MGMT_OP_SET_IO_CAPABILITY, NULL, 0); 1282 return cmd_complete(sk, index, MGMT_OP_SET_IO_CAPABILITY, NULL, 0);
@@ -1318,7 +1362,7 @@ static int pair_device(struct sock *sk, u16 index, unsigned char *data, u16 len)
1318 if (!hdev) 1362 if (!hdev)
1319 return cmd_status(sk, index, MGMT_OP_PAIR_DEVICE, ENODEV); 1363 return cmd_status(sk, index, MGMT_OP_PAIR_DEVICE, ENODEV);
1320 1364
1321 hci_dev_lock(hdev); 1365 hci_dev_lock_bh(hdev);
1322 1366
1323 if (cp->io_cap == 0x03) { 1367 if (cp->io_cap == 0x03) {
1324 sec_level = BT_SECURITY_MEDIUM; 1368 sec_level = BT_SECURITY_MEDIUM;
@@ -1360,7 +1404,7 @@ static int pair_device(struct sock *sk, u16 index, unsigned char *data, u16 len)
1360 err = 0; 1404 err = 0;
1361 1405
1362unlock: 1406unlock:
1363 hci_dev_unlock(hdev); 1407 hci_dev_unlock_bh(hdev);
1364 hci_dev_put(hdev); 1408 hci_dev_put(hdev);
1365 1409
1366 return err; 1410 return err;
@@ -1392,7 +1436,7 @@ static int user_confirm_reply(struct sock *sk, u16 index, unsigned char *data,
1392 if (!hdev) 1436 if (!hdev)
1393 return cmd_status(sk, index, mgmt_op, ENODEV); 1437 return cmd_status(sk, index, mgmt_op, ENODEV);
1394 1438
1395 hci_dev_lock(hdev); 1439 hci_dev_lock_bh(hdev);
1396 1440
1397 if (!test_bit(HCI_UP, &hdev->flags)) { 1441 if (!test_bit(HCI_UP, &hdev->flags)) {
1398 err = cmd_status(sk, index, mgmt_op, ENETDOWN); 1442 err = cmd_status(sk, index, mgmt_op, ENETDOWN);
@@ -1410,7 +1454,7 @@ static int user_confirm_reply(struct sock *sk, u16 index, unsigned char *data,
1410 mgmt_pending_remove(cmd); 1454 mgmt_pending_remove(cmd);
1411 1455
1412failed: 1456failed:
1413 hci_dev_unlock(hdev); 1457 hci_dev_unlock_bh(hdev);
1414 hci_dev_put(hdev); 1458 hci_dev_put(hdev);
1415 1459
1416 return err; 1460 return err;
@@ -1434,7 +1478,7 @@ static int set_local_name(struct sock *sk, u16 index, unsigned char *data,
1434 if (!hdev) 1478 if (!hdev)
1435 return cmd_status(sk, index, MGMT_OP_SET_LOCAL_NAME, ENODEV); 1479 return cmd_status(sk, index, MGMT_OP_SET_LOCAL_NAME, ENODEV);
1436 1480
1437 hci_dev_lock(hdev); 1481 hci_dev_lock_bh(hdev);
1438 1482
1439 cmd = mgmt_pending_add(sk, MGMT_OP_SET_LOCAL_NAME, index, data, len); 1483 cmd = mgmt_pending_add(sk, MGMT_OP_SET_LOCAL_NAME, index, data, len);
1440 if (!cmd) { 1484 if (!cmd) {
@@ -1449,7 +1493,7 @@ static int set_local_name(struct sock *sk, u16 index, unsigned char *data,
1449 mgmt_pending_remove(cmd); 1493 mgmt_pending_remove(cmd);
1450 1494
1451failed: 1495failed:
1452 hci_dev_unlock(hdev); 1496 hci_dev_unlock_bh(hdev);
1453 hci_dev_put(hdev); 1497 hci_dev_put(hdev);
1454 1498
1455 return err; 1499 return err;
@@ -1468,7 +1512,7 @@ static int read_local_oob_data(struct sock *sk, u16 index)
1468 return cmd_status(sk, index, MGMT_OP_READ_LOCAL_OOB_DATA, 1512 return cmd_status(sk, index, MGMT_OP_READ_LOCAL_OOB_DATA,
1469 ENODEV); 1513 ENODEV);
1470 1514
1471 hci_dev_lock(hdev); 1515 hci_dev_lock_bh(hdev);
1472 1516
1473 if (!test_bit(HCI_UP, &hdev->flags)) { 1517 if (!test_bit(HCI_UP, &hdev->flags)) {
1474 err = cmd_status(sk, index, MGMT_OP_READ_LOCAL_OOB_DATA, 1518 err = cmd_status(sk, index, MGMT_OP_READ_LOCAL_OOB_DATA,
@@ -1498,7 +1542,7 @@ static int read_local_oob_data(struct sock *sk, u16 index)
1498 mgmt_pending_remove(cmd); 1542 mgmt_pending_remove(cmd);
1499 1543
1500unlock: 1544unlock:
1501 hci_dev_unlock(hdev); 1545 hci_dev_unlock_bh(hdev);
1502 hci_dev_put(hdev); 1546 hci_dev_put(hdev);
1503 1547
1504 return err; 1548 return err;
@@ -1522,7 +1566,7 @@ static int add_remote_oob_data(struct sock *sk, u16 index, unsigned char *data,
1522 return cmd_status(sk, index, MGMT_OP_ADD_REMOTE_OOB_DATA, 1566 return cmd_status(sk, index, MGMT_OP_ADD_REMOTE_OOB_DATA,
1523 ENODEV); 1567 ENODEV);
1524 1568
1525 hci_dev_lock(hdev); 1569 hci_dev_lock_bh(hdev);
1526 1570
1527 err = hci_add_remote_oob_data(hdev, &cp->bdaddr, cp->hash, 1571 err = hci_add_remote_oob_data(hdev, &cp->bdaddr, cp->hash,
1528 cp->randomizer); 1572 cp->randomizer);
@@ -1532,7 +1576,7 @@ static int add_remote_oob_data(struct sock *sk, u16 index, unsigned char *data,
1532 err = cmd_complete(sk, index, MGMT_OP_ADD_REMOTE_OOB_DATA, NULL, 1576 err = cmd_complete(sk, index, MGMT_OP_ADD_REMOTE_OOB_DATA, NULL,
1533 0); 1577 0);
1534 1578
1535 hci_dev_unlock(hdev); 1579 hci_dev_unlock_bh(hdev);
1536 hci_dev_put(hdev); 1580 hci_dev_put(hdev);
1537 1581
1538 return err; 1582 return err;
@@ -1556,7 +1600,7 @@ static int remove_remote_oob_data(struct sock *sk, u16 index,
1556 return cmd_status(sk, index, MGMT_OP_REMOVE_REMOTE_OOB_DATA, 1600 return cmd_status(sk, index, MGMT_OP_REMOVE_REMOTE_OOB_DATA,
1557 ENODEV); 1601 ENODEV);
1558 1602
1559 hci_dev_lock(hdev); 1603 hci_dev_lock_bh(hdev);
1560 1604
1561 err = hci_remove_remote_oob_data(hdev, &cp->bdaddr); 1605 err = hci_remove_remote_oob_data(hdev, &cp->bdaddr);
1562 if (err < 0) 1606 if (err < 0)
@@ -1566,7 +1610,7 @@ static int remove_remote_oob_data(struct sock *sk, u16 index,
1566 err = cmd_complete(sk, index, MGMT_OP_REMOVE_REMOTE_OOB_DATA, 1610 err = cmd_complete(sk, index, MGMT_OP_REMOVE_REMOTE_OOB_DATA,
1567 NULL, 0); 1611 NULL, 0);
1568 1612
1569 hci_dev_unlock(hdev); 1613 hci_dev_unlock_bh(hdev);
1570 hci_dev_put(hdev); 1614 hci_dev_put(hdev);
1571 1615
1572 return err; 1616 return err;
@@ -1641,6 +1685,70 @@ failed:
1641 return err; 1685 return err;
1642} 1686}
1643 1687
1688static int block_device(struct sock *sk, u16 index, unsigned char *data,
1689 u16 len)
1690{
1691 struct hci_dev *hdev;
1692 struct mgmt_cp_block_device *cp;
1693 int err;
1694
1695 BT_DBG("hci%u", index);
1696
1697 cp = (void *) data;
1698
1699 if (len != sizeof(*cp))
1700 return cmd_status(sk, index, MGMT_OP_BLOCK_DEVICE,
1701 EINVAL);
1702
1703 hdev = hci_dev_get(index);
1704 if (!hdev)
1705 return cmd_status(sk, index, MGMT_OP_BLOCK_DEVICE,
1706 ENODEV);
1707
1708 err = hci_blacklist_add(hdev, &cp->bdaddr);
1709
1710 if (err < 0)
1711 err = cmd_status(sk, index, MGMT_OP_BLOCK_DEVICE, -err);
1712 else
1713 err = cmd_complete(sk, index, MGMT_OP_BLOCK_DEVICE,
1714 NULL, 0);
1715 hci_dev_put(hdev);
1716
1717 return err;
1718}
1719
1720static int unblock_device(struct sock *sk, u16 index, unsigned char *data,
1721 u16 len)
1722{
1723 struct hci_dev *hdev;
1724 struct mgmt_cp_unblock_device *cp;
1725 int err;
1726
1727 BT_DBG("hci%u", index);
1728
1729 cp = (void *) data;
1730
1731 if (len != sizeof(*cp))
1732 return cmd_status(sk, index, MGMT_OP_UNBLOCK_DEVICE,
1733 EINVAL);
1734
1735 hdev = hci_dev_get(index);
1736 if (!hdev)
1737 return cmd_status(sk, index, MGMT_OP_UNBLOCK_DEVICE,
1738 ENODEV);
1739
1740 err = hci_blacklist_del(hdev, &cp->bdaddr);
1741
1742 if (err < 0)
1743 err = cmd_status(sk, index, MGMT_OP_UNBLOCK_DEVICE, -err);
1744 else
1745 err = cmd_complete(sk, index, MGMT_OP_UNBLOCK_DEVICE,
1746 NULL, 0);
1747 hci_dev_put(hdev);
1748
1749 return err;
1750}
1751
1644int mgmt_control(struct sock *sk, struct msghdr *msg, size_t msglen) 1752int mgmt_control(struct sock *sk, struct msghdr *msg, size_t msglen)
1645{ 1753{
1646 unsigned char *buf; 1754 unsigned char *buf;
@@ -1755,6 +1863,12 @@ int mgmt_control(struct sock *sk, struct msghdr *msg, size_t msglen)
1755 case MGMT_OP_STOP_DISCOVERY: 1863 case MGMT_OP_STOP_DISCOVERY:
1756 err = stop_discovery(sk, index); 1864 err = stop_discovery(sk, index);
1757 break; 1865 break;
1866 case MGMT_OP_BLOCK_DEVICE:
1867 err = block_device(sk, index, buf + sizeof(*hdr), len);
1868 break;
1869 case MGMT_OP_UNBLOCK_DEVICE:
1870 err = unblock_device(sk, index, buf + sizeof(*hdr), len);
1871 break;
1758 default: 1872 default:
1759 BT_DBG("Unknown op %u", opcode); 1873 BT_DBG("Unknown op %u", opcode);
1760 err = cmd_status(sk, index, opcode, 0x01); 1874 err = cmd_status(sk, index, opcode, 0x01);
@@ -1863,17 +1977,28 @@ int mgmt_connectable(u16 index, u8 connectable)
1863 1977
1864int mgmt_new_key(u16 index, struct link_key *key, u8 persistent) 1978int mgmt_new_key(u16 index, struct link_key *key, u8 persistent)
1865{ 1979{
1866 struct mgmt_ev_new_key ev; 1980 struct mgmt_ev_new_key *ev;
1981 int err, total;
1867 1982
1868 memset(&ev, 0, sizeof(ev)); 1983 total = sizeof(struct mgmt_ev_new_key) + key->dlen;
1984 ev = kzalloc(total, GFP_ATOMIC);
1985 if (!ev)
1986 return -ENOMEM;
1869 1987
1870 ev.store_hint = persistent; 1988 bacpy(&ev->key.bdaddr, &key->bdaddr);
1871 bacpy(&ev.key.bdaddr, &key->bdaddr); 1989 ev->key.type = key->type;
1872 ev.key.type = key->type; 1990 memcpy(ev->key.val, key->val, 16);
1873 memcpy(ev.key.val, key->val, 16); 1991 ev->key.pin_len = key->pin_len;
1874 ev.key.pin_len = key->pin_len; 1992 ev->key.dlen = key->dlen;
1993 ev->store_hint = persistent;
1875 1994
1876 return mgmt_event(MGMT_EV_NEW_KEY, index, &ev, sizeof(ev), NULL); 1995 memcpy(ev->key.data, key->data, key->dlen);
1996
1997 err = mgmt_event(MGMT_EV_NEW_KEY, index, ev, total, NULL);
1998
1999 kfree(ev);
2000
2001 return err;
1877} 2002}
1878 2003
1879int mgmt_connected(u16 index, bdaddr_t *bdaddr) 2004int mgmt_connected(u16 index, bdaddr_t *bdaddr)
diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
index 1b10727ce523..8f01e6b11a70 100644
--- a/net/bluetooth/rfcomm/sock.c
+++ b/net/bluetooth/rfcomm/sock.c
@@ -679,7 +679,8 @@ static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, c
679{ 679{
680 struct sock *sk = sock->sk; 680 struct sock *sk = sock->sk;
681 struct bt_security sec; 681 struct bt_security sec;
682 int len, err = 0; 682 int err = 0;
683 size_t len;
683 u32 opt; 684 u32 opt;
684 685
685 BT_DBG("sk %p", sk); 686 BT_DBG("sk %p", sk);
@@ -741,7 +742,6 @@ static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, c
741static int rfcomm_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen) 742static int rfcomm_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen)
742{ 743{
743 struct sock *sk = sock->sk; 744 struct sock *sk = sock->sk;
744 struct sock *l2cap_sk;
745 struct rfcomm_conninfo cinfo; 745 struct rfcomm_conninfo cinfo;
746 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn; 746 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
747 int len, err = 0; 747 int len, err = 0;
@@ -786,8 +786,6 @@ static int rfcomm_sock_getsockopt_old(struct socket *sock, int optname, char __u
786 break; 786 break;
787 } 787 }
788 788
789 l2cap_sk = rfcomm_pi(sk)->dlc->session->sock->sk;
790
791 memset(&cinfo, 0, sizeof(cinfo)); 789 memset(&cinfo, 0, sizeof(cinfo));
792 cinfo.hci_handle = conn->hcon->handle; 790 cinfo.hci_handle = conn->hcon->handle;
793 memcpy(cinfo.dev_class, conn->hcon->dev_class, 3); 791 memcpy(cinfo.dev_class, conn->hcon->dev_class, 3);
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index cb4fb7837e5c..4c3621b5e0aa 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -932,7 +932,7 @@ static int sco_connect_cfm(struct hci_conn *hcon, __u8 status)
932 if (conn) 932 if (conn)
933 sco_conn_ready(conn); 933 sco_conn_ready(conn);
934 } else 934 } else
935 sco_conn_del(hcon, bt_err(status)); 935 sco_conn_del(hcon, bt_to_errno(status));
936 936
937 return 0; 937 return 0;
938} 938}
@@ -944,7 +944,7 @@ static int sco_disconn_cfm(struct hci_conn *hcon, __u8 reason)
944 if (hcon->type != SCO_LINK && hcon->type != ESCO_LINK) 944 if (hcon->type != SCO_LINK && hcon->type != ESCO_LINK)
945 return -EINVAL; 945 return -EINVAL;
946 946
947 sco_conn_del(hcon, bt_err(reason)); 947 sco_conn_del(hcon, bt_to_errno(reason));
948 948
949 return 0; 949 return 0;
950} 950}
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
new file mode 100644
index 000000000000..391888b88a92
--- /dev/null
+++ b/net/bluetooth/smp.c
@@ -0,0 +1,702 @@
1/*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
4
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License version 2 as
7 published by the Free Software Foundation;
8
9 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17
18 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20 SOFTWARE IS DISCLAIMED.
21*/
22
23#include <net/bluetooth/bluetooth.h>
24#include <net/bluetooth/hci_core.h>
25#include <net/bluetooth/l2cap.h>
26#include <net/bluetooth/smp.h>
27#include <linux/crypto.h>
28#include <linux/scatterlist.h>
29#include <crypto/b128ops.h>
30
31#define SMP_TIMEOUT 30000 /* 30 seconds */
32
33static inline void swap128(u8 src[16], u8 dst[16])
34{
35 int i;
36 for (i = 0; i < 16; i++)
37 dst[15 - i] = src[i];
38}
39
40static inline void swap56(u8 src[7], u8 dst[7])
41{
42 int i;
43 for (i = 0; i < 7; i++)
44 dst[6 - i] = src[i];
45}
46
47static int smp_e(struct crypto_blkcipher *tfm, const u8 *k, u8 *r)
48{
49 struct blkcipher_desc desc;
50 struct scatterlist sg;
51 int err, iv_len;
52 unsigned char iv[128];
53
54 if (tfm == NULL) {
55 BT_ERR("tfm %p", tfm);
56 return -EINVAL;
57 }
58
59 desc.tfm = tfm;
60 desc.flags = 0;
61
62 err = crypto_blkcipher_setkey(tfm, k, 16);
63 if (err) {
64 BT_ERR("cipher setkey failed: %d", err);
65 return err;
66 }
67
68 sg_init_one(&sg, r, 16);
69
70 iv_len = crypto_blkcipher_ivsize(tfm);
71 if (iv_len) {
72 memset(&iv, 0xff, iv_len);
73 crypto_blkcipher_set_iv(tfm, iv, iv_len);
74 }
75
76 err = crypto_blkcipher_encrypt(&desc, &sg, &sg, 16);
77 if (err)
78 BT_ERR("Encrypt data error %d", err);
79
80 return err;
81}
82
83static int smp_c1(struct crypto_blkcipher *tfm, u8 k[16], u8 r[16],
84 u8 preq[7], u8 pres[7], u8 _iat, bdaddr_t *ia,
85 u8 _rat, bdaddr_t *ra, u8 res[16])
86{
87 u8 p1[16], p2[16];
88 int err;
89
90 memset(p1, 0, 16);
91
92 /* p1 = pres || preq || _rat || _iat */
93 swap56(pres, p1);
94 swap56(preq, p1 + 7);
95 p1[14] = _rat;
96 p1[15] = _iat;
97
98 memset(p2, 0, 16);
99
100 /* p2 = padding || ia || ra */
101 baswap((bdaddr_t *) (p2 + 4), ia);
102 baswap((bdaddr_t *) (p2 + 10), ra);
103
104 /* res = r XOR p1 */
105 u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
106
107 /* res = e(k, res) */
108 err = smp_e(tfm, k, res);
109 if (err) {
110 BT_ERR("Encrypt data error");
111 return err;
112 }
113
114 /* res = res XOR p2 */
115 u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
116
117 /* res = e(k, res) */
118 err = smp_e(tfm, k, res);
119 if (err)
120 BT_ERR("Encrypt data error");
121
122 return err;
123}
124
125static int smp_s1(struct crypto_blkcipher *tfm, u8 k[16],
126 u8 r1[16], u8 r2[16], u8 _r[16])
127{
128 int err;
129
130 /* Just least significant octets from r1 and r2 are considered */
131 memcpy(_r, r1 + 8, 8);
132 memcpy(_r + 8, r2 + 8, 8);
133
134 err = smp_e(tfm, k, _r);
135 if (err)
136 BT_ERR("Encrypt data error");
137
138 return err;
139}
140
141static int smp_rand(u8 *buf)
142{
143 get_random_bytes(buf, 16);
144
145 return 0;
146}
147
148static struct sk_buff *smp_build_cmd(struct l2cap_conn *conn, u8 code,
149 u16 dlen, void *data)
150{
151 struct sk_buff *skb;
152 struct l2cap_hdr *lh;
153 int len;
154
155 len = L2CAP_HDR_SIZE + sizeof(code) + dlen;
156
157 if (len > conn->mtu)
158 return NULL;
159
160 skb = bt_skb_alloc(len, GFP_ATOMIC);
161 if (!skb)
162 return NULL;
163
164 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
165 lh->len = cpu_to_le16(sizeof(code) + dlen);
166 lh->cid = cpu_to_le16(L2CAP_CID_SMP);
167
168 memcpy(skb_put(skb, sizeof(code)), &code, sizeof(code));
169
170 memcpy(skb_put(skb, dlen), data, dlen);
171
172 return skb;
173}
174
175static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
176{
177 struct sk_buff *skb = smp_build_cmd(conn, code, len, data);
178
179 BT_DBG("code 0x%2.2x", code);
180
181 if (!skb)
182 return;
183
184 hci_send_acl(conn->hcon, skb, 0);
185}
186
187static __u8 seclevel_to_authreq(__u8 level)
188{
189 switch (level) {
190 case BT_SECURITY_HIGH:
191 /* Right now we don't support bonding */
192 return SMP_AUTH_MITM;
193
194 default:
195 return SMP_AUTH_NONE;
196 }
197}
198
199static void build_pairing_cmd(struct l2cap_conn *conn,
200 struct smp_cmd_pairing *req,
201 struct smp_cmd_pairing *rsp,
202 __u8 authreq)
203{
204 u8 dist_keys;
205
206 dist_keys = 0;
207 if (test_bit(HCI_PAIRABLE, &conn->hcon->hdev->flags)) {
208 dist_keys = SMP_DIST_ENC_KEY | SMP_DIST_ID_KEY | SMP_DIST_SIGN;
209 authreq |= SMP_AUTH_BONDING;
210 }
211
212 if (rsp == NULL) {
213 req->io_capability = conn->hcon->io_capability;
214 req->oob_flag = SMP_OOB_NOT_PRESENT;
215 req->max_key_size = SMP_MAX_ENC_KEY_SIZE;
216 req->init_key_dist = dist_keys;
217 req->resp_key_dist = dist_keys;
218 req->auth_req = authreq;
219 return;
220 }
221
222 rsp->io_capability = conn->hcon->io_capability;
223 rsp->oob_flag = SMP_OOB_NOT_PRESENT;
224 rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
225 rsp->init_key_dist = req->init_key_dist & dist_keys;
226 rsp->resp_key_dist = req->resp_key_dist & dist_keys;
227 rsp->auth_req = authreq;
228}
229
230static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
231{
232 if ((max_key_size > SMP_MAX_ENC_KEY_SIZE) ||
233 (max_key_size < SMP_MIN_ENC_KEY_SIZE))
234 return SMP_ENC_KEY_SIZE;
235
236 conn->smp_key_size = max_key_size;
237
238 return 0;
239}
240
241static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
242{
243 struct smp_cmd_pairing rsp, *req = (void *) skb->data;
244 u8 key_size;
245
246 BT_DBG("conn %p", conn);
247
248 conn->preq[0] = SMP_CMD_PAIRING_REQ;
249 memcpy(&conn->preq[1], req, sizeof(*req));
250 skb_pull(skb, sizeof(*req));
251
252 if (req->oob_flag)
253 return SMP_OOB_NOT_AVAIL;
254
255 /* We didn't start the pairing, so no requirements */
256 build_pairing_cmd(conn, req, &rsp, SMP_AUTH_NONE);
257
258 key_size = min(req->max_key_size, rsp.max_key_size);
259 if (check_enc_key_size(conn, key_size))
260 return SMP_ENC_KEY_SIZE;
261
262 /* Just works */
263 memset(conn->tk, 0, sizeof(conn->tk));
264
265 conn->prsp[0] = SMP_CMD_PAIRING_RSP;
266 memcpy(&conn->prsp[1], &rsp, sizeof(rsp));
267
268 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
269
270 mod_timer(&conn->security_timer, jiffies +
271 msecs_to_jiffies(SMP_TIMEOUT));
272
273 return 0;
274}
275
276static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
277{
278 struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
279 struct smp_cmd_pairing_confirm cp;
280 struct crypto_blkcipher *tfm = conn->hcon->hdev->tfm;
281 int ret;
282 u8 res[16], key_size;
283
284 BT_DBG("conn %p", conn);
285
286 skb_pull(skb, sizeof(*rsp));
287
288 req = (void *) &conn->preq[1];
289
290 key_size = min(req->max_key_size, rsp->max_key_size);
291 if (check_enc_key_size(conn, key_size))
292 return SMP_ENC_KEY_SIZE;
293
294 if (rsp->oob_flag)
295 return SMP_OOB_NOT_AVAIL;
296
297 /* Just works */
298 memset(conn->tk, 0, sizeof(conn->tk));
299
300 conn->prsp[0] = SMP_CMD_PAIRING_RSP;
301 memcpy(&conn->prsp[1], rsp, sizeof(*rsp));
302
303 ret = smp_rand(conn->prnd);
304 if (ret)
305 return SMP_UNSPECIFIED;
306
307 ret = smp_c1(tfm, conn->tk, conn->prnd, conn->preq, conn->prsp, 0,
308 conn->src, conn->hcon->dst_type, conn->dst, res);
309 if (ret)
310 return SMP_UNSPECIFIED;
311
312 swap128(res, cp.confirm_val);
313
314 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
315
316 return 0;
317}
318
319static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
320{
321 struct crypto_blkcipher *tfm = conn->hcon->hdev->tfm;
322
323 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
324
325 memcpy(conn->pcnf, skb->data, sizeof(conn->pcnf));
326 skb_pull(skb, sizeof(conn->pcnf));
327
328 if (conn->hcon->out) {
329 u8 random[16];
330
331 swap128(conn->prnd, random);
332 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(random),
333 random);
334 } else {
335 struct smp_cmd_pairing_confirm cp;
336 int ret;
337 u8 res[16];
338
339 ret = smp_rand(conn->prnd);
340 if (ret)
341 return SMP_UNSPECIFIED;
342
343 ret = smp_c1(tfm, conn->tk, conn->prnd, conn->preq, conn->prsp,
344 conn->hcon->dst_type, conn->dst,
345 0, conn->src, res);
346 if (ret)
347 return SMP_CONFIRM_FAILED;
348
349 swap128(res, cp.confirm_val);
350
351 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
352 }
353
354 mod_timer(&conn->security_timer, jiffies +
355 msecs_to_jiffies(SMP_TIMEOUT));
356
357 return 0;
358}
359
360static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
361{
362 struct hci_conn *hcon = conn->hcon;
363 struct crypto_blkcipher *tfm = hcon->hdev->tfm;
364 int ret;
365 u8 key[16], res[16], random[16], confirm[16];
366
367 swap128(skb->data, random);
368 skb_pull(skb, sizeof(random));
369
370 if (conn->hcon->out)
371 ret = smp_c1(tfm, conn->tk, random, conn->preq, conn->prsp, 0,
372 conn->src, conn->hcon->dst_type, conn->dst,
373 res);
374 else
375 ret = smp_c1(tfm, conn->tk, random, conn->preq, conn->prsp,
376 conn->hcon->dst_type, conn->dst, 0, conn->src,
377 res);
378 if (ret)
379 return SMP_UNSPECIFIED;
380
381 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
382
383 swap128(res, confirm);
384
385 if (memcmp(conn->pcnf, confirm, sizeof(conn->pcnf)) != 0) {
386 BT_ERR("Pairing failed (confirmation values mismatch)");
387 return SMP_CONFIRM_FAILED;
388 }
389
390 if (conn->hcon->out) {
391 u8 stk[16], rand[8];
392 __le16 ediv;
393
394 memset(rand, 0, sizeof(rand));
395 ediv = 0;
396
397 smp_s1(tfm, conn->tk, random, conn->prnd, key);
398 swap128(key, stk);
399
400 memset(stk + conn->smp_key_size, 0,
401 SMP_MAX_ENC_KEY_SIZE - conn->smp_key_size);
402
403 hci_le_start_enc(hcon, ediv, rand, stk);
404 hcon->enc_key_size = conn->smp_key_size;
405 } else {
406 u8 stk[16], r[16], rand[8];
407 __le16 ediv;
408
409 memset(rand, 0, sizeof(rand));
410 ediv = 0;
411
412 swap128(conn->prnd, r);
413 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(r), r);
414
415 smp_s1(tfm, conn->tk, conn->prnd, random, key);
416 swap128(key, stk);
417
418 memset(stk + conn->smp_key_size, 0,
419 SMP_MAX_ENC_KEY_SIZE - conn->smp_key_size);
420
421 hci_add_ltk(conn->hcon->hdev, 0, conn->dst, conn->smp_key_size,
422 ediv, rand, stk);
423 }
424
425 return 0;
426}
427
428static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
429{
430 struct smp_cmd_security_req *rp = (void *) skb->data;
431 struct smp_cmd_pairing cp;
432 struct hci_conn *hcon = conn->hcon;
433
434 BT_DBG("conn %p", conn);
435
436 if (test_bit(HCI_CONN_ENCRYPT_PEND, &hcon->pend))
437 return 0;
438
439 skb_pull(skb, sizeof(*rp));
440
441 memset(&cp, 0, sizeof(cp));
442 build_pairing_cmd(conn, &cp, NULL, rp->auth_req);
443
444 conn->preq[0] = SMP_CMD_PAIRING_REQ;
445 memcpy(&conn->preq[1], &cp, sizeof(cp));
446
447 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
448
449 mod_timer(&conn->security_timer, jiffies +
450 msecs_to_jiffies(SMP_TIMEOUT));
451
452 set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->pend);
453
454 return 0;
455}
456
457int smp_conn_security(struct l2cap_conn *conn, __u8 sec_level)
458{
459 struct hci_conn *hcon = conn->hcon;
460 __u8 authreq;
461
462 BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
463
464 if (!lmp_host_le_capable(hcon->hdev))
465 return 1;
466
467 if (IS_ERR(hcon->hdev->tfm))
468 return 1;
469
470 if (test_bit(HCI_CONN_ENCRYPT_PEND, &hcon->pend))
471 return 0;
472
473 if (sec_level == BT_SECURITY_LOW)
474 return 1;
475
476 if (hcon->sec_level >= sec_level)
477 return 1;
478
479 authreq = seclevel_to_authreq(sec_level);
480
481 if (hcon->link_mode & HCI_LM_MASTER) {
482 struct smp_cmd_pairing cp;
483 struct link_key *key;
484
485 key = hci_find_link_key_type(hcon->hdev, conn->dst,
486 HCI_LK_SMP_LTK);
487 if (key) {
488 struct key_master_id *master = (void *) key->data;
489
490 hci_le_start_enc(hcon, master->ediv, master->rand,
491 key->val);
492 hcon->enc_key_size = key->pin_len;
493
494 goto done;
495 }
496
497 build_pairing_cmd(conn, &cp, NULL, authreq);
498 conn->preq[0] = SMP_CMD_PAIRING_REQ;
499 memcpy(&conn->preq[1], &cp, sizeof(cp));
500
501 mod_timer(&conn->security_timer, jiffies +
502 msecs_to_jiffies(SMP_TIMEOUT));
503
504 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
505 } else {
506 struct smp_cmd_security_req cp;
507 cp.auth_req = authreq;
508 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
509 }
510
511done:
512 hcon->pending_sec_level = sec_level;
513 set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->pend);
514
515 return 0;
516}
517
518static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
519{
520 struct smp_cmd_encrypt_info *rp = (void *) skb->data;
521
522 skb_pull(skb, sizeof(*rp));
523
524 memcpy(conn->tk, rp->ltk, sizeof(conn->tk));
525
526 return 0;
527}
528
529static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
530{
531 struct smp_cmd_master_ident *rp = (void *) skb->data;
532
533 skb_pull(skb, sizeof(*rp));
534
535 hci_add_ltk(conn->hcon->hdev, 1, conn->src, conn->smp_key_size,
536 rp->ediv, rp->rand, conn->tk);
537
538 smp_distribute_keys(conn, 1);
539
540 return 0;
541}
542
543int smp_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb)
544{
545 __u8 code = skb->data[0];
546 __u8 reason;
547 int err = 0;
548
549 if (!lmp_host_le_capable(conn->hcon->hdev)) {
550 err = -ENOTSUPP;
551 reason = SMP_PAIRING_NOTSUPP;
552 goto done;
553 }
554
555 if (IS_ERR(conn->hcon->hdev->tfm)) {
556 err = PTR_ERR(conn->hcon->hdev->tfm);
557 reason = SMP_PAIRING_NOTSUPP;
558 goto done;
559 }
560
561 skb_pull(skb, sizeof(code));
562
563 switch (code) {
564 case SMP_CMD_PAIRING_REQ:
565 reason = smp_cmd_pairing_req(conn, skb);
566 break;
567
568 case SMP_CMD_PAIRING_FAIL:
569 reason = 0;
570 err = -EPERM;
571 break;
572
573 case SMP_CMD_PAIRING_RSP:
574 reason = smp_cmd_pairing_rsp(conn, skb);
575 break;
576
577 case SMP_CMD_SECURITY_REQ:
578 reason = smp_cmd_security_req(conn, skb);
579 break;
580
581 case SMP_CMD_PAIRING_CONFIRM:
582 reason = smp_cmd_pairing_confirm(conn, skb);
583 break;
584
585 case SMP_CMD_PAIRING_RANDOM:
586 reason = smp_cmd_pairing_random(conn, skb);
587 break;
588
589 case SMP_CMD_ENCRYPT_INFO:
590 reason = smp_cmd_encrypt_info(conn, skb);
591 break;
592
593 case SMP_CMD_MASTER_IDENT:
594 reason = smp_cmd_master_ident(conn, skb);
595 break;
596
597 case SMP_CMD_IDENT_INFO:
598 case SMP_CMD_IDENT_ADDR_INFO:
599 case SMP_CMD_SIGN_INFO:
600 /* Just ignored */
601 reason = 0;
602 break;
603
604 default:
605 BT_DBG("Unknown command code 0x%2.2x", code);
606
607 reason = SMP_CMD_NOTSUPP;
608 err = -EOPNOTSUPP;
609 goto done;
610 }
611
612done:
613 if (reason)
614 smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
615 &reason);
616
617 kfree_skb(skb);
618 return err;
619}
620
621int smp_distribute_keys(struct l2cap_conn *conn, __u8 force)
622{
623 struct smp_cmd_pairing *req, *rsp;
624 __u8 *keydist;
625
626 BT_DBG("conn %p force %d", conn, force);
627
628 if (IS_ERR(conn->hcon->hdev->tfm))
629 return PTR_ERR(conn->hcon->hdev->tfm);
630
631 rsp = (void *) &conn->prsp[1];
632
633 /* The responder sends its keys first */
634 if (!force && conn->hcon->out && (rsp->resp_key_dist & 0x07))
635 return 0;
636
637 req = (void *) &conn->preq[1];
638
639 if (conn->hcon->out) {
640 keydist = &rsp->init_key_dist;
641 *keydist &= req->init_key_dist;
642 } else {
643 keydist = &rsp->resp_key_dist;
644 *keydist &= req->resp_key_dist;
645 }
646
647
648 BT_DBG("keydist 0x%x", *keydist);
649
650 if (*keydist & SMP_DIST_ENC_KEY) {
651 struct smp_cmd_encrypt_info enc;
652 struct smp_cmd_master_ident ident;
653 __le16 ediv;
654
655 get_random_bytes(enc.ltk, sizeof(enc.ltk));
656 get_random_bytes(&ediv, sizeof(ediv));
657 get_random_bytes(ident.rand, sizeof(ident.rand));
658
659 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
660
661 hci_add_ltk(conn->hcon->hdev, 1, conn->dst, conn->smp_key_size,
662 ediv, ident.rand, enc.ltk);
663
664 ident.ediv = cpu_to_le16(ediv);
665
666 smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
667
668 *keydist &= ~SMP_DIST_ENC_KEY;
669 }
670
671 if (*keydist & SMP_DIST_ID_KEY) {
672 struct smp_cmd_ident_addr_info addrinfo;
673 struct smp_cmd_ident_info idinfo;
674
675 /* Send a dummy key */
676 get_random_bytes(idinfo.irk, sizeof(idinfo.irk));
677
678 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
679
680 /* Just public address */
681 memset(&addrinfo, 0, sizeof(addrinfo));
682 bacpy(&addrinfo.bdaddr, conn->src);
683
684 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
685 &addrinfo);
686
687 *keydist &= ~SMP_DIST_ID_KEY;
688 }
689
690 if (*keydist & SMP_DIST_SIGN) {
691 struct smp_cmd_sign_info sign;
692
693 /* Send a dummy key */
694 get_random_bytes(sign.csrk, sizeof(sign.csrk));
695
696 smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
697
698 *keydist &= ~SMP_DIST_SIGN;
699 }
700
701 return 0;
702}
generated by cgit v1.2.2 (git 2.25.0) at 2025-01-10 13:45:31 -0500