aboutsummaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
Diffstat (limited to 'net')
-rw-r--r--net/bluetooth/bnep/bnep.h148
-rw-r--r--net/bluetooth/bnep/core.c71
-rw-r--r--net/bluetooth/bnep/sock.c2
-rw-r--r--net/bluetooth/cmtp/capi.c6
-rw-r--r--net/bluetooth/cmtp/cmtp.h11
-rw-r--r--net/bluetooth/cmtp/core.c25
-rw-r--r--net/bluetooth/cmtp/sock.c2
-rw-r--r--net/bluetooth/hci_core.c83
-rw-r--r--net/bluetooth/hci_event.c99
-rw-r--r--net/bluetooth/hci_sysfs.c40
-rw-r--r--net/bluetooth/hidp/core.c90
-rw-r--r--net/bluetooth/hidp/hidp.h6
-rw-r--r--net/bluetooth/hidp/sock.c7
-rw-r--r--net/bluetooth/l2cap_core.c1357
-rw-r--r--net/bluetooth/l2cap_sock.c72
-rw-r--r--net/bluetooth/mgmt.c518
16 files changed, 1598 insertions, 939 deletions
diff --git a/net/bluetooth/bnep/bnep.h b/net/bluetooth/bnep/bnep.h
index 70672544db86..8e6c06158f8e 100644
--- a/net/bluetooth/bnep/bnep.h
+++ b/net/bluetooth/bnep/bnep.h
@@ -23,88 +23,88 @@
23#include <linux/crc32.h> 23#include <linux/crc32.h>
24#include <net/bluetooth/bluetooth.h> 24#include <net/bluetooth/bluetooth.h>
25 25
26// Limits 26/* Limits */
27#define BNEP_MAX_PROTO_FILTERS 5 27#define BNEP_MAX_PROTO_FILTERS 5
28#define BNEP_MAX_MULTICAST_FILTERS 20 28#define BNEP_MAX_MULTICAST_FILTERS 20
29 29
30// UUIDs 30/* UUIDs */
31#define BNEP_BASE_UUID 0x0000000000001000800000805F9B34FB 31#define BNEP_BASE_UUID 0x0000000000001000800000805F9B34FB
32#define BNEP_UUID16 0x02 32#define BNEP_UUID16 0x02
33#define BNEP_UUID32 0x04 33#define BNEP_UUID32 0x04
34#define BNEP_UUID128 0x16 34#define BNEP_UUID128 0x16
35 35
36#define BNEP_SVC_PANU 0x1115 36#define BNEP_SVC_PANU 0x1115
37#define BNEP_SVC_NAP 0x1116 37#define BNEP_SVC_NAP 0x1116
38#define BNEP_SVC_GN 0x1117 38#define BNEP_SVC_GN 0x1117
39 39
40// Packet types 40/* Packet types */
41#define BNEP_GENERAL 0x00 41#define BNEP_GENERAL 0x00
42#define BNEP_CONTROL 0x01 42#define BNEP_CONTROL 0x01
43#define BNEP_COMPRESSED 0x02 43#define BNEP_COMPRESSED 0x02
44#define BNEP_COMPRESSED_SRC_ONLY 0x03 44#define BNEP_COMPRESSED_SRC_ONLY 0x03
45#define BNEP_COMPRESSED_DST_ONLY 0x04 45#define BNEP_COMPRESSED_DST_ONLY 0x04
46 46
47// Control types 47/* Control types */
48#define BNEP_CMD_NOT_UNDERSTOOD 0x00 48#define BNEP_CMD_NOT_UNDERSTOOD 0x00
49#define BNEP_SETUP_CONN_REQ 0x01 49#define BNEP_SETUP_CONN_REQ 0x01
50#define BNEP_SETUP_CONN_RSP 0x02 50#define BNEP_SETUP_CONN_RSP 0x02
51#define BNEP_FILTER_NET_TYPE_SET 0x03 51#define BNEP_FILTER_NET_TYPE_SET 0x03
52#define BNEP_FILTER_NET_TYPE_RSP 0x04 52#define BNEP_FILTER_NET_TYPE_RSP 0x04
53#define BNEP_FILTER_MULTI_ADDR_SET 0x05 53#define BNEP_FILTER_MULTI_ADDR_SET 0x05
54#define BNEP_FILTER_MULTI_ADDR_RSP 0x06 54#define BNEP_FILTER_MULTI_ADDR_RSP 0x06
55 55
56// Extension types 56/* Extension types */
57#define BNEP_EXT_CONTROL 0x00 57#define BNEP_EXT_CONTROL 0x00
58 58
59// Response messages 59/* Response messages */
60#define BNEP_SUCCESS 0x00 60#define BNEP_SUCCESS 0x00
61 61
62#define BNEP_CONN_INVALID_DST 0x01 62#define BNEP_CONN_INVALID_DST 0x01
63#define BNEP_CONN_INVALID_SRC 0x02 63#define BNEP_CONN_INVALID_SRC 0x02
64#define BNEP_CONN_INVALID_SVC 0x03 64#define BNEP_CONN_INVALID_SVC 0x03
65#define BNEP_CONN_NOT_ALLOWED 0x04 65#define BNEP_CONN_NOT_ALLOWED 0x04
66 66
67#define BNEP_FILTER_UNSUPPORTED_REQ 0x01 67#define BNEP_FILTER_UNSUPPORTED_REQ 0x01
68#define BNEP_FILTER_INVALID_RANGE 0x02 68#define BNEP_FILTER_INVALID_RANGE 0x02
69#define BNEP_FILTER_INVALID_MCADDR 0x02 69#define BNEP_FILTER_INVALID_MCADDR 0x02
70#define BNEP_FILTER_LIMIT_REACHED 0x03 70#define BNEP_FILTER_LIMIT_REACHED 0x03
71#define BNEP_FILTER_DENIED_SECURITY 0x04 71#define BNEP_FILTER_DENIED_SECURITY 0x04
72 72
73// L2CAP settings 73/* L2CAP settings */
74#define BNEP_MTU 1691 74#define BNEP_MTU 1691
75#define BNEP_PSM 0x0f 75#define BNEP_PSM 0x0f
76#define BNEP_FLUSH_TO 0xffff 76#define BNEP_FLUSH_TO 0xffff
77#define BNEP_CONNECT_TO 15 77#define BNEP_CONNECT_TO 15
78#define BNEP_FILTER_TO 15 78#define BNEP_FILTER_TO 15
79 79
80// Headers 80/* Headers */
81#define BNEP_TYPE_MASK 0x7f 81#define BNEP_TYPE_MASK 0x7f
82#define BNEP_EXT_HEADER 0x80 82#define BNEP_EXT_HEADER 0x80
83 83
84struct bnep_setup_conn_req { 84struct bnep_setup_conn_req {
85 __u8 type; 85 __u8 type;
86 __u8 ctrl; 86 __u8 ctrl;
87 __u8 uuid_size; 87 __u8 uuid_size;
88 __u8 service[0]; 88 __u8 service[0];
89} __packed; 89} __packed;
90 90
91struct bnep_set_filter_req { 91struct bnep_set_filter_req {
92 __u8 type; 92 __u8 type;
93 __u8 ctrl; 93 __u8 ctrl;
94 __be16 len; 94 __be16 len;
95 __u8 list[0]; 95 __u8 list[0];
96} __packed; 96} __packed;
97 97
98struct bnep_control_rsp { 98struct bnep_control_rsp {
99 __u8 type; 99 __u8 type;
100 __u8 ctrl; 100 __u8 ctrl;
101 __be16 resp; 101 __be16 resp;
102} __packed; 102} __packed;
103 103
104struct bnep_ext_hdr { 104struct bnep_ext_hdr {
105 __u8 type; 105 __u8 type;
106 __u8 len; 106 __u8 len;
107 __u8 data[0]; 107 __u8 data[0];
108} __packed; 108} __packed;
109 109
110/* BNEP ioctl defines */ 110/* BNEP ioctl defines */
@@ -114,10 +114,10 @@ struct bnep_ext_hdr {
114#define BNEPGETCONNINFO _IOR('B', 211, int) 114#define BNEPGETCONNINFO _IOR('B', 211, int)
115 115
116struct bnep_connadd_req { 116struct bnep_connadd_req {
117 int sock; // Connected socket 117 int sock; /* Connected socket */
118 __u32 flags; 118 __u32 flags;
119 __u16 role; 119 __u16 role;
120 char device[16]; // Name of the Ethernet device 120 char device[16]; /* Name of the Ethernet device */
121}; 121};
122 122
123struct bnep_conndel_req { 123struct bnep_conndel_req {
@@ -148,14 +148,14 @@ int bnep_del_connection(struct bnep_conndel_req *req);
148int bnep_get_connlist(struct bnep_connlist_req *req); 148int bnep_get_connlist(struct bnep_connlist_req *req);
149int bnep_get_conninfo(struct bnep_conninfo *ci); 149int bnep_get_conninfo(struct bnep_conninfo *ci);
150 150
151// BNEP sessions 151/* BNEP sessions */
152struct bnep_session { 152struct bnep_session {
153 struct list_head list; 153 struct list_head list;
154 154
155 unsigned int role; 155 unsigned int role;
156 unsigned long state; 156 unsigned long state;
157 unsigned long flags; 157 unsigned long flags;
158 atomic_t killed; 158 struct task_struct *task;
159 159
160 struct ethhdr eh; 160 struct ethhdr eh;
161 struct msghdr msg; 161 struct msghdr msg;
@@ -173,7 +173,7 @@ void bnep_sock_cleanup(void);
173 173
174static inline int bnep_mc_hash(__u8 *addr) 174static inline int bnep_mc_hash(__u8 *addr)
175{ 175{
176 return (crc32_be(~0, addr, ETH_ALEN) >> 26); 176 return crc32_be(~0, addr, ETH_ALEN) >> 26;
177} 177}
178 178
179#endif 179#endif
diff --git a/net/bluetooth/bnep/core.c b/net/bluetooth/bnep/core.c
index 03d4d1245d58..ca39fcf010ce 100644
--- a/net/bluetooth/bnep/core.c
+++ b/net/bluetooth/bnep/core.c
@@ -36,6 +36,7 @@
36#include <linux/errno.h> 36#include <linux/errno.h>
37#include <linux/net.h> 37#include <linux/net.h>
38#include <linux/slab.h> 38#include <linux/slab.h>
39#include <linux/kthread.h>
39#include <net/sock.h> 40#include <net/sock.h>
40 41
41#include <linux/socket.h> 42#include <linux/socket.h>
@@ -131,7 +132,8 @@ static int bnep_ctrl_set_netfilter(struct bnep_session *s, __be16 *data, int len
131 return -EILSEQ; 132 return -EILSEQ;
132 133
133 n = get_unaligned_be16(data); 134 n = get_unaligned_be16(data);
134 data++; len -= 2; 135 data++;
136 len -= 2;
135 137
136 if (len < n) 138 if (len < n)
137 return -EILSEQ; 139 return -EILSEQ;
@@ -176,7 +178,8 @@ static int bnep_ctrl_set_mcfilter(struct bnep_session *s, u8 *data, int len)
176 return -EILSEQ; 178 return -EILSEQ;
177 179
178 n = get_unaligned_be16(data); 180 n = get_unaligned_be16(data);
179 data += 2; len -= 2; 181 data += 2;
182 len -= 2;
180 183
181 if (len < n) 184 if (len < n)
182 return -EILSEQ; 185 return -EILSEQ;
@@ -187,6 +190,8 @@ static int bnep_ctrl_set_mcfilter(struct bnep_session *s, u8 *data, int len)
187 n /= (ETH_ALEN * 2); 190 n /= (ETH_ALEN * 2);
188 191
189 if (n > 0) { 192 if (n > 0) {
193 int i;
194
190 s->mc_filter = 0; 195 s->mc_filter = 0;
191 196
192 /* Always send broadcast */ 197 /* Always send broadcast */
@@ -196,18 +201,22 @@ static int bnep_ctrl_set_mcfilter(struct bnep_session *s, u8 *data, int len)
196 for (; n > 0; n--) { 201 for (; n > 0; n--) {
197 u8 a1[6], *a2; 202 u8 a1[6], *a2;
198 203
199 memcpy(a1, data, ETH_ALEN); data += ETH_ALEN; 204 memcpy(a1, data, ETH_ALEN);
200 a2 = data; data += ETH_ALEN; 205 data += ETH_ALEN;
206 a2 = data;
207 data += ETH_ALEN;
201 208
202 BT_DBG("mc filter %s -> %s", 209 BT_DBG("mc filter %s -> %s",
203 batostr((void *) a1), batostr((void *) a2)); 210 batostr((void *) a1), batostr((void *) a2));
204 211
205 #define INCA(a) { int i = 5; while (i >=0 && ++a[i--] == 0); }
206
207 /* Iterate from a1 to a2 */ 212 /* Iterate from a1 to a2 */
208 set_bit(bnep_mc_hash(a1), (ulong *) &s->mc_filter); 213 set_bit(bnep_mc_hash(a1), (ulong *) &s->mc_filter);
209 while (memcmp(a1, a2, 6) < 0 && s->mc_filter != ~0LL) { 214 while (memcmp(a1, a2, 6) < 0 && s->mc_filter != ~0LL) {
210 INCA(a1); 215 /* Increment a1 */
216 i = 5;
217 while (i >= 0 && ++a1[i--] == 0)
218 ;
219
211 set_bit(bnep_mc_hash(a1), (ulong *) &s->mc_filter); 220 set_bit(bnep_mc_hash(a1), (ulong *) &s->mc_filter);
212 } 221 }
213 } 222 }
@@ -227,7 +236,8 @@ static int bnep_rx_control(struct bnep_session *s, void *data, int len)
227 u8 cmd = *(u8 *)data; 236 u8 cmd = *(u8 *)data;
228 int err = 0; 237 int err = 0;
229 238
230 data++; len--; 239 data++;
240 len--;
231 241
232 switch (cmd) { 242 switch (cmd) {
233 case BNEP_CMD_NOT_UNDERSTOOD: 243 case BNEP_CMD_NOT_UNDERSTOOD:
@@ -302,7 +312,6 @@ static u8 __bnep_rx_hlen[] = {
302 ETH_ALEN + 2, /* BNEP_COMPRESSED_SRC_ONLY */ 312 ETH_ALEN + 2, /* BNEP_COMPRESSED_SRC_ONLY */
303 ETH_ALEN + 2 /* BNEP_COMPRESSED_DST_ONLY */ 313 ETH_ALEN + 2 /* BNEP_COMPRESSED_DST_ONLY */
304}; 314};
305#define BNEP_RX_TYPES (sizeof(__bnep_rx_hlen) - 1)
306 315
307static inline int bnep_rx_frame(struct bnep_session *s, struct sk_buff *skb) 316static inline int bnep_rx_frame(struct bnep_session *s, struct sk_buff *skb)
308{ 317{
@@ -312,9 +321,10 @@ static inline int bnep_rx_frame(struct bnep_session *s, struct sk_buff *skb)
312 321
313 dev->stats.rx_bytes += skb->len; 322 dev->stats.rx_bytes += skb->len;
314 323
315 type = *(u8 *) skb->data; skb_pull(skb, 1); 324 type = *(u8 *) skb->data;
325 skb_pull(skb, 1);
316 326
317 if ((type & BNEP_TYPE_MASK) > BNEP_RX_TYPES) 327 if ((type & BNEP_TYPE_MASK) >= sizeof(__bnep_rx_hlen))
318 goto badframe; 328 goto badframe;
319 329
320 if ((type & BNEP_TYPE_MASK) == BNEP_CONTROL) { 330 if ((type & BNEP_TYPE_MASK) == BNEP_CONTROL) {
@@ -367,14 +377,14 @@ static inline int bnep_rx_frame(struct bnep_session *s, struct sk_buff *skb)
367 377
368 case BNEP_COMPRESSED_DST_ONLY: 378 case BNEP_COMPRESSED_DST_ONLY:
369 memcpy(__skb_put(nskb, ETH_ALEN), skb_mac_header(skb), 379 memcpy(__skb_put(nskb, ETH_ALEN), skb_mac_header(skb),
370 ETH_ALEN); 380 ETH_ALEN);
371 memcpy(__skb_put(nskb, ETH_ALEN + 2), s->eh.h_source, 381 memcpy(__skb_put(nskb, ETH_ALEN + 2), s->eh.h_source,
372 ETH_ALEN + 2); 382 ETH_ALEN + 2);
373 break; 383 break;
374 384
375 case BNEP_GENERAL: 385 case BNEP_GENERAL:
376 memcpy(__skb_put(nskb, ETH_ALEN * 2), skb_mac_header(skb), 386 memcpy(__skb_put(nskb, ETH_ALEN * 2), skb_mac_header(skb),
377 ETH_ALEN * 2); 387 ETH_ALEN * 2);
378 put_unaligned(s->eh.h_proto, (__be16 *) __skb_put(nskb, 2)); 388 put_unaligned(s->eh.h_proto, (__be16 *) __skb_put(nskb, 2));
379 break; 389 break;
380 } 390 }
@@ -470,15 +480,14 @@ static int bnep_session(void *arg)
470 480
471 BT_DBG(""); 481 BT_DBG("");
472 482
473 daemonize("kbnepd %s", dev->name);
474 set_user_nice(current, -15); 483 set_user_nice(current, -15);
475 484
476 init_waitqueue_entry(&wait, current); 485 init_waitqueue_entry(&wait, current);
477 add_wait_queue(sk_sleep(sk), &wait); 486 add_wait_queue(sk_sleep(sk), &wait);
478 while (!atomic_read(&s->killed)) { 487 while (!kthread_should_stop()) {
479 set_current_state(TASK_INTERRUPTIBLE); 488 set_current_state(TASK_INTERRUPTIBLE);
480 489
481 // RX 490 /* RX */
482 while ((skb = skb_dequeue(&sk->sk_receive_queue))) { 491 while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
483 skb_orphan(skb); 492 skb_orphan(skb);
484 bnep_rx_frame(s, skb); 493 bnep_rx_frame(s, skb);
@@ -487,7 +496,7 @@ static int bnep_session(void *arg)
487 if (sk->sk_state != BT_CONNECTED) 496 if (sk->sk_state != BT_CONNECTED)
488 break; 497 break;
489 498
490 // TX 499 /* TX */
491 while ((skb = skb_dequeue(&sk->sk_write_queue))) 500 while ((skb = skb_dequeue(&sk->sk_write_queue)))
492 if (bnep_tx_frame(s, skb)) 501 if (bnep_tx_frame(s, skb))
493 break; 502 break;
@@ -555,8 +564,8 @@ int bnep_add_connection(struct bnep_connadd_req *req, struct socket *sock)
555 564
556 /* session struct allocated as private part of net_device */ 565 /* session struct allocated as private part of net_device */
557 dev = alloc_netdev(sizeof(struct bnep_session), 566 dev = alloc_netdev(sizeof(struct bnep_session),
558 (*req->device) ? req->device : "bnep%d", 567 (*req->device) ? req->device : "bnep%d",
559 bnep_net_setup); 568 bnep_net_setup);
560 if (!dev) 569 if (!dev)
561 return -ENOMEM; 570 return -ENOMEM;
562 571
@@ -571,7 +580,7 @@ int bnep_add_connection(struct bnep_connadd_req *req, struct socket *sock)
571 s = netdev_priv(dev); 580 s = netdev_priv(dev);
572 581
573 /* This is rx header therefore addresses are swapped. 582 /* This is rx header therefore addresses are swapped.
574 * ie eh.h_dest is our local address. */ 583 * ie. eh.h_dest is our local address. */
575 memcpy(s->eh.h_dest, &src, ETH_ALEN); 584 memcpy(s->eh.h_dest, &src, ETH_ALEN);
576 memcpy(s->eh.h_source, &dst, ETH_ALEN); 585 memcpy(s->eh.h_source, &dst, ETH_ALEN);
577 memcpy(dev->dev_addr, s->eh.h_dest, ETH_ALEN); 586 memcpy(dev->dev_addr, s->eh.h_dest, ETH_ALEN);
@@ -597,17 +606,17 @@ int bnep_add_connection(struct bnep_connadd_req *req, struct socket *sock)
597 SET_NETDEV_DEVTYPE(dev, &bnep_type); 606 SET_NETDEV_DEVTYPE(dev, &bnep_type);
598 607
599 err = register_netdev(dev); 608 err = register_netdev(dev);
600 if (err) { 609 if (err)
601 goto failed; 610 goto failed;
602 }
603 611
604 __bnep_link_session(s); 612 __bnep_link_session(s);
605 613
606 err = kernel_thread(bnep_session, s, CLONE_KERNEL); 614 s->task = kthread_run(bnep_session, s, "kbnepd %s", dev->name);
607 if (err < 0) { 615 if (IS_ERR(s->task)) {
608 /* Session thread start failed, gotta cleanup. */ 616 /* Session thread start failed, gotta cleanup. */
609 unregister_netdev(dev); 617 unregister_netdev(dev);
610 __bnep_unlink_session(s); 618 __bnep_unlink_session(s);
619 err = PTR_ERR(s->task);
611 goto failed; 620 goto failed;
612 } 621 }
613 622
@@ -631,15 +640,9 @@ int bnep_del_connection(struct bnep_conndel_req *req)
631 down_read(&bnep_session_sem); 640 down_read(&bnep_session_sem);
632 641
633 s = __bnep_get_session(req->dst); 642 s = __bnep_get_session(req->dst);
634 if (s) { 643 if (s)
635 /* Wakeup user-space which is polling for socket errors. 644 kthread_stop(s->task);
636 * This is temporary hack until we have shutdown in L2CAP */ 645 else
637 s->sock->sk->sk_err = EUNATCH;
638
639 /* Kill session thread */
640 atomic_inc(&s->killed);
641 wake_up_interruptible(sk_sleep(s->sock->sk));
642 } else
643 err = -ENOENT; 646 err = -ENOENT;
644 647
645 up_read(&bnep_session_sem); 648 up_read(&bnep_session_sem);
diff --git a/net/bluetooth/bnep/sock.c b/net/bluetooth/bnep/sock.c
index d935da71ab3b..17800b1d28ea 100644
--- a/net/bluetooth/bnep/sock.c
+++ b/net/bluetooth/bnep/sock.c
@@ -39,10 +39,10 @@
39#include <linux/init.h> 39#include <linux/init.h>
40#include <linux/compat.h> 40#include <linux/compat.h>
41#include <linux/gfp.h> 41#include <linux/gfp.h>
42#include <linux/uaccess.h>
42#include <net/sock.h> 43#include <net/sock.h>
43 44
44#include <asm/system.h> 45#include <asm/system.h>
45#include <asm/uaccess.h>
46 46
47#include "bnep.h" 47#include "bnep.h"
48 48
diff --git a/net/bluetooth/cmtp/capi.c b/net/bluetooth/cmtp/capi.c
index 67cff810c77d..744233cba244 100644
--- a/net/bluetooth/cmtp/capi.c
+++ b/net/bluetooth/cmtp/capi.c
@@ -35,6 +35,7 @@
35#include <linux/ioctl.h> 35#include <linux/ioctl.h>
36#include <linux/file.h> 36#include <linux/file.h>
37#include <linux/wait.h> 37#include <linux/wait.h>
38#include <linux/kthread.h>
38#include <net/sock.h> 39#include <net/sock.h>
39 40
40#include <linux/isdn/capilli.h> 41#include <linux/isdn/capilli.h>
@@ -143,7 +144,7 @@ static void cmtp_send_capimsg(struct cmtp_session *session, struct sk_buff *skb)
143 144
144 skb_queue_tail(&session->transmit, skb); 145 skb_queue_tail(&session->transmit, skb);
145 146
146 cmtp_schedule(session); 147 wake_up_interruptible(sk_sleep(session->sock->sk));
147} 148}
148 149
149static void cmtp_send_interopmsg(struct cmtp_session *session, 150static void cmtp_send_interopmsg(struct cmtp_session *session,
@@ -386,8 +387,7 @@ static void cmtp_reset_ctr(struct capi_ctr *ctrl)
386 387
387 capi_ctr_down(ctrl); 388 capi_ctr_down(ctrl);
388 389
389 atomic_inc(&session->terminate); 390 kthread_stop(session->task);
390 cmtp_schedule(session);
391} 391}
392 392
393static void cmtp_register_appl(struct capi_ctr *ctrl, __u16 appl, capi_register_params *rp) 393static void cmtp_register_appl(struct capi_ctr *ctrl, __u16 appl, capi_register_params *rp)
diff --git a/net/bluetooth/cmtp/cmtp.h b/net/bluetooth/cmtp/cmtp.h
index 785e79e953c5..db43b54ac9af 100644
--- a/net/bluetooth/cmtp/cmtp.h
+++ b/net/bluetooth/cmtp/cmtp.h
@@ -37,7 +37,7 @@
37#define CMTP_LOOPBACK 0 37#define CMTP_LOOPBACK 0
38 38
39struct cmtp_connadd_req { 39struct cmtp_connadd_req {
40 int sock; // Connected socket 40 int sock; /* Connected socket */
41 __u32 flags; 41 __u32 flags;
42}; 42};
43 43
@@ -81,7 +81,7 @@ struct cmtp_session {
81 81
82 char name[BTNAMSIZ]; 82 char name[BTNAMSIZ];
83 83
84 atomic_t terminate; 84 struct task_struct *task;
85 85
86 wait_queue_head_t wait; 86 wait_queue_head_t wait;
87 87
@@ -121,13 +121,6 @@ void cmtp_detach_device(struct cmtp_session *session);
121 121
122void cmtp_recv_capimsg(struct cmtp_session *session, struct sk_buff *skb); 122void cmtp_recv_capimsg(struct cmtp_session *session, struct sk_buff *skb);
123 123
124static inline void cmtp_schedule(struct cmtp_session *session)
125{
126 struct sock *sk = session->sock->sk;
127
128 wake_up_interruptible(sk_sleep(sk));
129}
130
131/* CMTP init defines */ 124/* CMTP init defines */
132int cmtp_init_sockets(void); 125int cmtp_init_sockets(void);
133void cmtp_cleanup_sockets(void); 126void cmtp_cleanup_sockets(void);
diff --git a/net/bluetooth/cmtp/core.c b/net/bluetooth/cmtp/core.c
index 964ea9126f9f..cce99b0919f5 100644
--- a/net/bluetooth/cmtp/core.c
+++ b/net/bluetooth/cmtp/core.c
@@ -35,6 +35,7 @@
35#include <linux/ioctl.h> 35#include <linux/ioctl.h>
36#include <linux/file.h> 36#include <linux/file.h>
37#include <linux/init.h> 37#include <linux/init.h>
38#include <linux/kthread.h>
38#include <net/sock.h> 39#include <net/sock.h>
39 40
40#include <linux/isdn/capilli.h> 41#include <linux/isdn/capilli.h>
@@ -235,9 +236,12 @@ static void cmtp_process_transmit(struct cmtp_session *session)
235 236
236 size = min_t(uint, ((tail < 258) ? (tail - 2) : (tail - 3)), skb->len); 237 size = min_t(uint, ((tail < 258) ? (tail - 2) : (tail - 3)), skb->len);
237 238
238 if ((scb->id < 0) && ((scb->id = cmtp_alloc_block_id(session)) < 0)) { 239 if (scb->id < 0) {
239 skb_queue_head(&session->transmit, skb); 240 scb->id = cmtp_alloc_block_id(session);
240 break; 241 if (scb->id < 0) {
242 skb_queue_head(&session->transmit, skb);
243 break;
244 }
241 } 245 }
242 246
243 if (size < 256) { 247 if (size < 256) {
@@ -284,12 +288,11 @@ static int cmtp_session(void *arg)
284 288
285 BT_DBG("session %p", session); 289 BT_DBG("session %p", session);
286 290
287 daemonize("kcmtpd_ctr_%d", session->num);
288 set_user_nice(current, -15); 291 set_user_nice(current, -15);
289 292
290 init_waitqueue_entry(&wait, current); 293 init_waitqueue_entry(&wait, current);
291 add_wait_queue(sk_sleep(sk), &wait); 294 add_wait_queue(sk_sleep(sk), &wait);
292 while (!atomic_read(&session->terminate)) { 295 while (!kthread_should_stop()) {
293 set_current_state(TASK_INTERRUPTIBLE); 296 set_current_state(TASK_INTERRUPTIBLE);
294 297
295 if (sk->sk_state != BT_CONNECTED) 298 if (sk->sk_state != BT_CONNECTED)
@@ -367,9 +370,12 @@ int cmtp_add_connection(struct cmtp_connadd_req *req, struct socket *sock)
367 370
368 __cmtp_link_session(session); 371 __cmtp_link_session(session);
369 372
370 err = kernel_thread(cmtp_session, session, CLONE_KERNEL); 373 session->task = kthread_run(cmtp_session, session, "kcmtpd_ctr_%d",
371 if (err < 0) 374 session->num);
375 if (IS_ERR(session->task)) {
376 err = PTR_ERR(session->task);
372 goto unlink; 377 goto unlink;
378 }
373 379
374 if (!(session->flags & (1 << CMTP_LOOPBACK))) { 380 if (!(session->flags & (1 << CMTP_LOOPBACK))) {
375 err = cmtp_attach_device(session); 381 err = cmtp_attach_device(session);
@@ -406,9 +412,8 @@ int cmtp_del_connection(struct cmtp_conndel_req *req)
406 /* Flush the transmit queue */ 412 /* Flush the transmit queue */
407 skb_queue_purge(&session->transmit); 413 skb_queue_purge(&session->transmit);
408 414
409 /* Kill session thread */ 415 /* Stop session thread */
410 atomic_inc(&session->terminate); 416 kthread_stop(session->task);
411 cmtp_schedule(session);
412 } else 417 } else
413 err = -ENOENT; 418 err = -ENOENT;
414 419
diff --git a/net/bluetooth/cmtp/sock.c b/net/bluetooth/cmtp/sock.c
index 7ea1979a8e4f..3f2dd5c25ae5 100644
--- a/net/bluetooth/cmtp/sock.c
+++ b/net/bluetooth/cmtp/sock.c
@@ -34,12 +34,12 @@
34#include <linux/file.h> 34#include <linux/file.h>
35#include <linux/compat.h> 35#include <linux/compat.h>
36#include <linux/gfp.h> 36#include <linux/gfp.h>
37#include <linux/uaccess.h>
37#include <net/sock.h> 38#include <net/sock.h>
38 39
39#include <linux/isdn/capilli.h> 40#include <linux/isdn/capilli.h>
40 41
41#include <asm/system.h> 42#include <asm/system.h>
42#include <asm/uaccess.h>
43 43
44#include "cmtp.h" 44#include "cmtp.h"
45 45
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index e7dced9080a5..98aa24b92c58 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -56,7 +56,6 @@
56static void hci_cmd_task(unsigned long arg); 56static void hci_cmd_task(unsigned long arg);
57static void hci_rx_task(unsigned long arg); 57static void hci_rx_task(unsigned long arg);
58static void hci_tx_task(unsigned long arg); 58static void hci_tx_task(unsigned long arg);
59static void hci_notify(struct hci_dev *hdev, int event);
60 59
61static DEFINE_RWLOCK(hci_task_lock); 60static DEFINE_RWLOCK(hci_task_lock);
62 61
@@ -587,6 +586,9 @@ static int hci_dev_do_close(struct hci_dev *hdev)
587 hci_req_cancel(hdev, ENODEV); 586 hci_req_cancel(hdev, ENODEV);
588 hci_req_lock(hdev); 587 hci_req_lock(hdev);
589 588
589 /* Stop timer, it might be running */
590 del_timer_sync(&hdev->cmd_timer);
591
590 if (!test_and_clear_bit(HCI_UP, &hdev->flags)) { 592 if (!test_and_clear_bit(HCI_UP, &hdev->flags)) {
591 del_timer_sync(&hdev->cmd_timer); 593 del_timer_sync(&hdev->cmd_timer);
592 hci_req_unlock(hdev); 594 hci_req_unlock(hdev);
@@ -627,7 +629,6 @@ static int hci_dev_do_close(struct hci_dev *hdev)
627 629
628 /* Drop last sent command */ 630 /* Drop last sent command */
629 if (hdev->sent_cmd) { 631 if (hdev->sent_cmd) {
630 del_timer_sync(&hdev->cmd_timer);
631 kfree_skb(hdev->sent_cmd); 632 kfree_skb(hdev->sent_cmd);
632 hdev->sent_cmd = NULL; 633 hdev->sent_cmd = NULL;
633 } 634 }
@@ -1082,6 +1083,70 @@ static void hci_cmd_timer(unsigned long arg)
1082 tasklet_schedule(&hdev->cmd_task); 1083 tasklet_schedule(&hdev->cmd_task);
1083} 1084}
1084 1085
1086struct oob_data *hci_find_remote_oob_data(struct hci_dev *hdev,
1087 bdaddr_t *bdaddr)
1088{
1089 struct oob_data *data;
1090
1091 list_for_each_entry(data, &hdev->remote_oob_data, list)
1092 if (bacmp(bdaddr, &data->bdaddr) == 0)
1093 return data;
1094
1095 return NULL;
1096}
1097
1098int hci_remove_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr)
1099{
1100 struct oob_data *data;
1101
1102 data = hci_find_remote_oob_data(hdev, bdaddr);
1103 if (!data)
1104 return -ENOENT;
1105
1106 BT_DBG("%s removing %s", hdev->name, batostr(bdaddr));
1107
1108 list_del(&data->list);
1109 kfree(data);
1110
1111 return 0;
1112}
1113
1114int hci_remote_oob_data_clear(struct hci_dev *hdev)
1115{
1116 struct oob_data *data, *n;
1117
1118 list_for_each_entry_safe(data, n, &hdev->remote_oob_data, list) {
1119 list_del(&data->list);
1120 kfree(data);
1121 }
1122
1123 return 0;
1124}
1125
1126int hci_add_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 *hash,
1127 u8 *randomizer)
1128{
1129 struct oob_data *data;
1130
1131 data = hci_find_remote_oob_data(hdev, bdaddr);
1132
1133 if (!data) {
1134 data = kmalloc(sizeof(*data), GFP_ATOMIC);
1135 if (!data)
1136 return -ENOMEM;
1137
1138 bacpy(&data->bdaddr, bdaddr);
1139 list_add(&data->list, &hdev->remote_oob_data);
1140 }
1141
1142 memcpy(data->hash, hash, sizeof(data->hash));
1143 memcpy(data->randomizer, randomizer, sizeof(data->randomizer));
1144
1145 BT_DBG("%s for %s", hdev->name, batostr(bdaddr));
1146
1147 return 0;
1148}
1149
1085/* Register HCI device */ 1150/* Register HCI device */
1086int hci_register_dev(struct hci_dev *hdev) 1151int hci_register_dev(struct hci_dev *hdev)
1087{ 1152{
@@ -1146,6 +1211,8 @@ int hci_register_dev(struct hci_dev *hdev)
1146 1211
1147 INIT_LIST_HEAD(&hdev->link_keys); 1212 INIT_LIST_HEAD(&hdev->link_keys);
1148 1213
1214 INIT_LIST_HEAD(&hdev->remote_oob_data);
1215
1149 INIT_WORK(&hdev->power_on, hci_power_on); 1216 INIT_WORK(&hdev->power_on, hci_power_on);
1150 INIT_WORK(&hdev->power_off, hci_power_off); 1217 INIT_WORK(&hdev->power_off, hci_power_off);
1151 setup_timer(&hdev->off_timer, hci_auto_off, (unsigned long) hdev); 1218 setup_timer(&hdev->off_timer, hci_auto_off, (unsigned long) hdev);
@@ -1225,6 +1292,7 @@ int hci_unregister_dev(struct hci_dev *hdev)
1225 hci_blacklist_clear(hdev); 1292 hci_blacklist_clear(hdev);
1226 hci_uuids_clear(hdev); 1293 hci_uuids_clear(hdev);
1227 hci_link_keys_clear(hdev); 1294 hci_link_keys_clear(hdev);
1295 hci_remote_oob_data_clear(hdev);
1228 hci_dev_unlock_bh(hdev); 1296 hci_dev_unlock_bh(hdev);
1229 1297
1230 __hci_dev_put(hdev); 1298 __hci_dev_put(hdev);
@@ -1274,7 +1342,7 @@ int hci_recv_frame(struct sk_buff *skb)
1274EXPORT_SYMBOL(hci_recv_frame); 1342EXPORT_SYMBOL(hci_recv_frame);
1275 1343
1276static int hci_reassembly(struct hci_dev *hdev, int type, void *data, 1344static int hci_reassembly(struct hci_dev *hdev, int type, void *data,
1277 int count, __u8 index, gfp_t gfp_mask) 1345 int count, __u8 index)
1278{ 1346{
1279 int len = 0; 1347 int len = 0;
1280 int hlen = 0; 1348 int hlen = 0;
@@ -1304,7 +1372,7 @@ static int hci_reassembly(struct hci_dev *hdev, int type, void *data,
1304 break; 1372 break;
1305 } 1373 }
1306 1374
1307 skb = bt_skb_alloc(len, gfp_mask); 1375 skb = bt_skb_alloc(len, GFP_ATOMIC);
1308 if (!skb) 1376 if (!skb)
1309 return -ENOMEM; 1377 return -ENOMEM;
1310 1378
@@ -1390,8 +1458,7 @@ int hci_recv_fragment(struct hci_dev *hdev, int type, void *data, int count)
1390 return -EILSEQ; 1458 return -EILSEQ;
1391 1459
1392 while (count) { 1460 while (count) {
1393 rem = hci_reassembly(hdev, type, data, count, 1461 rem = hci_reassembly(hdev, type, data, count, type - 1);
1394 type - 1, GFP_ATOMIC);
1395 if (rem < 0) 1462 if (rem < 0)
1396 return rem; 1463 return rem;
1397 1464
@@ -1425,8 +1492,8 @@ int hci_recv_stream_fragment(struct hci_dev *hdev, void *data, int count)
1425 } else 1492 } else
1426 type = bt_cb(skb)->pkt_type; 1493 type = bt_cb(skb)->pkt_type;
1427 1494
1428 rem = hci_reassembly(hdev, type, data, 1495 rem = hci_reassembly(hdev, type, data, count,
1429 count, STREAM_REASSEMBLY, GFP_ATOMIC); 1496 STREAM_REASSEMBLY);
1430 if (rem < 0) 1497 if (rem < 0)
1431 return rem; 1498 return rem;
1432 1499
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index b2570159a044..cb25628c0583 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -195,14 +195,17 @@ static void hci_cc_write_local_name(struct hci_dev *hdev, struct sk_buff *skb)
195 195
196 BT_DBG("%s status 0x%x", hdev->name, status); 196 BT_DBG("%s status 0x%x", hdev->name, status);
197 197
198 if (status)
199 return;
200
201 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME); 198 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME);
202 if (!sent) 199 if (!sent)
203 return; 200 return;
204 201
205 memcpy(hdev->dev_name, sent, 248); 202 if (test_bit(HCI_MGMT, &hdev->flags))
203 mgmt_set_local_name_complete(hdev->id, sent, status);
204
205 if (status)
206 return;
207
208 memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH);
206} 209}
207 210
208static void hci_cc_read_local_name(struct hci_dev *hdev, struct sk_buff *skb) 211static void hci_cc_read_local_name(struct hci_dev *hdev, struct sk_buff *skb)
@@ -214,7 +217,7 @@ static void hci_cc_read_local_name(struct hci_dev *hdev, struct sk_buff *skb)
214 if (rp->status) 217 if (rp->status)
215 return; 218 return;
216 219
217 memcpy(hdev->dev_name, rp->name, 248); 220 memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH);
218} 221}
219 222
220static void hci_cc_write_auth_enable(struct hci_dev *hdev, struct sk_buff *skb) 223static void hci_cc_write_auth_enable(struct hci_dev *hdev, struct sk_buff *skb)
@@ -821,6 +824,17 @@ static void hci_cc_user_confirm_neg_reply(struct hci_dev *hdev,
821 rp->status); 824 rp->status);
822} 825}
823 826
827static void hci_cc_read_local_oob_data_reply(struct hci_dev *hdev,
828 struct sk_buff *skb)
829{
830 struct hci_rp_read_local_oob_data *rp = (void *) skb->data;
831
832 BT_DBG("%s status 0x%x", hdev->name, rp->status);
833
834 mgmt_read_local_oob_data_reply_complete(hdev->id, rp->hash,
835 rp->randomizer, rp->status);
836}
837
824static inline void hci_cs_inquiry(struct hci_dev *hdev, __u8 status) 838static inline void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
825{ 839{
826 BT_DBG("%s status 0x%x", hdev->name, status); 840 BT_DBG("%s status 0x%x", hdev->name, status);
@@ -1214,7 +1228,7 @@ static inline void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *
1214 1228
1215 hci_dev_lock(hdev); 1229 hci_dev_lock(hdev);
1216 1230
1217 for (; num_rsp; num_rsp--) { 1231 for (; num_rsp; num_rsp--, info++) {
1218 bacpy(&data.bdaddr, &info->bdaddr); 1232 bacpy(&data.bdaddr, &info->bdaddr);
1219 data.pscan_rep_mode = info->pscan_rep_mode; 1233 data.pscan_rep_mode = info->pscan_rep_mode;
1220 data.pscan_period_mode = info->pscan_period_mode; 1234 data.pscan_period_mode = info->pscan_period_mode;
@@ -1223,8 +1237,9 @@ static inline void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *
1223 data.clock_offset = info->clock_offset; 1237 data.clock_offset = info->clock_offset;
1224 data.rssi = 0x00; 1238 data.rssi = 0x00;
1225 data.ssp_mode = 0x00; 1239 data.ssp_mode = 0x00;
1226 info++;
1227 hci_inquiry_cache_update(hdev, &data); 1240 hci_inquiry_cache_update(hdev, &data);
1241 mgmt_device_found(hdev->id, &info->bdaddr, info->dev_class, 0,
1242 NULL);
1228 } 1243 }
1229 1244
1230 hci_dev_unlock(hdev); 1245 hci_dev_unlock(hdev);
@@ -1482,6 +1497,9 @@ static inline void hci_remote_name_evt(struct hci_dev *hdev, struct sk_buff *skb
1482 1497
1483 hci_dev_lock(hdev); 1498 hci_dev_lock(hdev);
1484 1499
1500 if (ev->status == 0 && test_bit(HCI_MGMT, &hdev->flags))
1501 mgmt_remote_name(hdev->id, &ev->bdaddr, ev->name);
1502
1485 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 1503 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
1486 if (conn && hci_outgoing_auth_needed(hdev, conn)) { 1504 if (conn && hci_outgoing_auth_needed(hdev, conn)) {
1487 struct hci_cp_auth_requested cp; 1505 struct hci_cp_auth_requested cp;
@@ -1751,6 +1769,10 @@ static inline void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *sk
1751 hci_cc_pin_code_neg_reply(hdev, skb); 1769 hci_cc_pin_code_neg_reply(hdev, skb);
1752 break; 1770 break;
1753 1771
1772 case HCI_OP_READ_LOCAL_OOB_DATA:
1773 hci_cc_read_local_oob_data_reply(hdev, skb);
1774 break;
1775
1754 case HCI_OP_LE_READ_BUFFER_SIZE: 1776 case HCI_OP_LE_READ_BUFFER_SIZE:
1755 hci_cc_le_read_buffer_size(hdev, skb); 1777 hci_cc_le_read_buffer_size(hdev, skb);
1756 break; 1778 break;
@@ -2140,7 +2162,7 @@ static inline void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev, struct
2140 struct inquiry_info_with_rssi_and_pscan_mode *info; 2162 struct inquiry_info_with_rssi_and_pscan_mode *info;
2141 info = (void *) (skb->data + 1); 2163 info = (void *) (skb->data + 1);
2142 2164
2143 for (; num_rsp; num_rsp--) { 2165 for (; num_rsp; num_rsp--, info++) {
2144 bacpy(&data.bdaddr, &info->bdaddr); 2166 bacpy(&data.bdaddr, &info->bdaddr);
2145 data.pscan_rep_mode = info->pscan_rep_mode; 2167 data.pscan_rep_mode = info->pscan_rep_mode;
2146 data.pscan_period_mode = info->pscan_period_mode; 2168 data.pscan_period_mode = info->pscan_period_mode;
@@ -2149,13 +2171,15 @@ static inline void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev, struct
2149 data.clock_offset = info->clock_offset; 2171 data.clock_offset = info->clock_offset;
2150 data.rssi = info->rssi; 2172 data.rssi = info->rssi;
2151 data.ssp_mode = 0x00; 2173 data.ssp_mode = 0x00;
2152 info++;
2153 hci_inquiry_cache_update(hdev, &data); 2174 hci_inquiry_cache_update(hdev, &data);
2175 mgmt_device_found(hdev->id, &info->bdaddr,
2176 info->dev_class, info->rssi,
2177 NULL);
2154 } 2178 }
2155 } else { 2179 } else {
2156 struct inquiry_info_with_rssi *info = (void *) (skb->data + 1); 2180 struct inquiry_info_with_rssi *info = (void *) (skb->data + 1);
2157 2181
2158 for (; num_rsp; num_rsp--) { 2182 for (; num_rsp; num_rsp--, info++) {
2159 bacpy(&data.bdaddr, &info->bdaddr); 2183 bacpy(&data.bdaddr, &info->bdaddr);
2160 data.pscan_rep_mode = info->pscan_rep_mode; 2184 data.pscan_rep_mode = info->pscan_rep_mode;
2161 data.pscan_period_mode = info->pscan_period_mode; 2185 data.pscan_period_mode = info->pscan_period_mode;
@@ -2164,8 +2188,10 @@ static inline void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev, struct
2164 data.clock_offset = info->clock_offset; 2188 data.clock_offset = info->clock_offset;
2165 data.rssi = info->rssi; 2189 data.rssi = info->rssi;
2166 data.ssp_mode = 0x00; 2190 data.ssp_mode = 0x00;
2167 info++;
2168 hci_inquiry_cache_update(hdev, &data); 2191 hci_inquiry_cache_update(hdev, &data);
2192 mgmt_device_found(hdev->id, &info->bdaddr,
2193 info->dev_class, info->rssi,
2194 NULL);
2169 } 2195 }
2170 } 2196 }
2171 2197
@@ -2296,7 +2322,7 @@ static inline void hci_extended_inquiry_result_evt(struct hci_dev *hdev, struct
2296 2322
2297 hci_dev_lock(hdev); 2323 hci_dev_lock(hdev);
2298 2324
2299 for (; num_rsp; num_rsp--) { 2325 for (; num_rsp; num_rsp--, info++) {
2300 bacpy(&data.bdaddr, &info->bdaddr); 2326 bacpy(&data.bdaddr, &info->bdaddr);
2301 data.pscan_rep_mode = info->pscan_rep_mode; 2327 data.pscan_rep_mode = info->pscan_rep_mode;
2302 data.pscan_period_mode = info->pscan_period_mode; 2328 data.pscan_period_mode = info->pscan_period_mode;
@@ -2305,8 +2331,9 @@ static inline void hci_extended_inquiry_result_evt(struct hci_dev *hdev, struct
2305 data.clock_offset = info->clock_offset; 2331 data.clock_offset = info->clock_offset;
2306 data.rssi = info->rssi; 2332 data.rssi = info->rssi;
2307 data.ssp_mode = 0x01; 2333 data.ssp_mode = 0x01;
2308 info++;
2309 hci_inquiry_cache_update(hdev, &data); 2334 hci_inquiry_cache_update(hdev, &data);
2335 mgmt_device_found(hdev->id, &info->bdaddr, info->dev_class,
2336 info->rssi, info->data);
2310 } 2337 }
2311 2338
2312 hci_dev_unlock(hdev); 2339 hci_dev_unlock(hdev);
@@ -2355,9 +2382,14 @@ static inline void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff
2355 2382
2356 bacpy(&cp.bdaddr, &ev->bdaddr); 2383 bacpy(&cp.bdaddr, &ev->bdaddr);
2357 cp.capability = conn->io_capability; 2384 cp.capability = conn->io_capability;
2358 cp.oob_data = 0;
2359 cp.authentication = hci_get_auth_req(conn); 2385 cp.authentication = hci_get_auth_req(conn);
2360 2386
2387 if ((conn->out == 0x01 || conn->remote_oob == 0x01) &&
2388 hci_find_remote_oob_data(hdev, &conn->dst))
2389 cp.oob_data = 0x01;
2390 else
2391 cp.oob_data = 0x00;
2392
2361 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY, 2393 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY,
2362 sizeof(cp), &cp); 2394 sizeof(cp), &cp);
2363 } else { 2395 } else {
@@ -2453,6 +2485,41 @@ static inline void hci_remote_host_features_evt(struct hci_dev *hdev, struct sk_
2453 hci_dev_unlock(hdev); 2485 hci_dev_unlock(hdev);
2454} 2486}
2455 2487
2488static inline void hci_remote_oob_data_request_evt(struct hci_dev *hdev,
2489 struct sk_buff *skb)
2490{
2491 struct hci_ev_remote_oob_data_request *ev = (void *) skb->data;
2492 struct oob_data *data;
2493
2494 BT_DBG("%s", hdev->name);
2495
2496 hci_dev_lock(hdev);
2497
2498 if (!test_bit(HCI_MGMT, &hdev->flags))
2499 goto unlock;
2500
2501 data = hci_find_remote_oob_data(hdev, &ev->bdaddr);
2502 if (data) {
2503 struct hci_cp_remote_oob_data_reply cp;
2504
2505 bacpy(&cp.bdaddr, &ev->bdaddr);
2506 memcpy(cp.hash, data->hash, sizeof(cp.hash));
2507 memcpy(cp.randomizer, data->randomizer, sizeof(cp.randomizer));
2508
2509 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY, sizeof(cp),
2510 &cp);
2511 } else {
2512 struct hci_cp_remote_oob_data_neg_reply cp;
2513
2514 bacpy(&cp.bdaddr, &ev->bdaddr);
2515 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY, sizeof(cp),
2516 &cp);
2517 }
2518
2519unlock:
2520 hci_dev_unlock(hdev);
2521}
2522
2456static inline void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 2523static inline void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2457{ 2524{
2458 struct hci_ev_le_conn_complete *ev = (void *) skb->data; 2525 struct hci_ev_le_conn_complete *ev = (void *) skb->data;
@@ -2655,6 +2722,10 @@ void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
2655 hci_le_meta_evt(hdev, skb); 2722 hci_le_meta_evt(hdev, skb);
2656 break; 2723 break;
2657 2724
2725 case HCI_EV_REMOTE_OOB_DATA_REQUEST:
2726 hci_remote_oob_data_request_evt(hdev, skb);
2727 break;
2728
2658 default: 2729 default:
2659 BT_DBG("%s event 0x%x", hdev->name, event); 2730 BT_DBG("%s event 0x%x", hdev->name, event);
2660 break; 2731 break;
diff --git a/net/bluetooth/hci_sysfs.c b/net/bluetooth/hci_sysfs.c
index 3c838a65a75a..8775933ea837 100644
--- a/net/bluetooth/hci_sysfs.c
+++ b/net/bluetooth/hci_sysfs.c
@@ -216,13 +216,13 @@ static ssize_t show_type(struct device *dev, struct device_attribute *attr, char
216static ssize_t show_name(struct device *dev, struct device_attribute *attr, char *buf) 216static ssize_t show_name(struct device *dev, struct device_attribute *attr, char *buf)
217{ 217{
218 struct hci_dev *hdev = dev_get_drvdata(dev); 218 struct hci_dev *hdev = dev_get_drvdata(dev);
219 char name[249]; 219 char name[HCI_MAX_NAME_LENGTH + 1];
220 int i; 220 int i;
221 221
222 for (i = 0; i < 248; i++) 222 for (i = 0; i < HCI_MAX_NAME_LENGTH; i++)
223 name[i] = hdev->dev_name[i]; 223 name[i] = hdev->dev_name[i];
224 224
225 name[248] = '\0'; 225 name[HCI_MAX_NAME_LENGTH] = '\0';
226 return sprintf(buf, "%s\n", name); 226 return sprintf(buf, "%s\n", name);
227} 227}
228 228
@@ -277,10 +277,12 @@ static ssize_t show_idle_timeout(struct device *dev, struct device_attribute *at
277static ssize_t store_idle_timeout(struct device *dev, struct device_attribute *attr, const char *buf, size_t count) 277static ssize_t store_idle_timeout(struct device *dev, struct device_attribute *attr, const char *buf, size_t count)
278{ 278{
279 struct hci_dev *hdev = dev_get_drvdata(dev); 279 struct hci_dev *hdev = dev_get_drvdata(dev);
280 unsigned long val; 280 unsigned int val;
281 int rv;
281 282
282 if (strict_strtoul(buf, 0, &val) < 0) 283 rv = kstrtouint(buf, 0, &val);
283 return -EINVAL; 284 if (rv < 0)
285 return rv;
284 286
285 if (val != 0 && (val < 500 || val > 3600000)) 287 if (val != 0 && (val < 500 || val > 3600000))
286 return -EINVAL; 288 return -EINVAL;
@@ -299,15 +301,14 @@ static ssize_t show_sniff_max_interval(struct device *dev, struct device_attribu
299static ssize_t store_sniff_max_interval(struct device *dev, struct device_attribute *attr, const char *buf, size_t count) 301static ssize_t store_sniff_max_interval(struct device *dev, struct device_attribute *attr, const char *buf, size_t count)
300{ 302{
301 struct hci_dev *hdev = dev_get_drvdata(dev); 303 struct hci_dev *hdev = dev_get_drvdata(dev);
302 unsigned long val; 304 u16 val;
303 305 int rv;
304 if (strict_strtoul(buf, 0, &val) < 0)
305 return -EINVAL;
306 306
307 if (val < 0x0002 || val > 0xFFFE || val % 2) 307 rv = kstrtou16(buf, 0, &val);
308 return -EINVAL; 308 if (rv < 0)
309 return rv;
309 310
310 if (val < hdev->sniff_min_interval) 311 if (val == 0 || val % 2 || val < hdev->sniff_min_interval)
311 return -EINVAL; 312 return -EINVAL;
312 313
313 hdev->sniff_max_interval = val; 314 hdev->sniff_max_interval = val;
@@ -324,15 +325,14 @@ static ssize_t show_sniff_min_interval(struct device *dev, struct device_attribu
324static ssize_t store_sniff_min_interval(struct device *dev, struct device_attribute *attr, const char *buf, size_t count) 325static ssize_t store_sniff_min_interval(struct device *dev, struct device_attribute *attr, const char *buf, size_t count)
325{ 326{
326 struct hci_dev *hdev = dev_get_drvdata(dev); 327 struct hci_dev *hdev = dev_get_drvdata(dev);
327 unsigned long val; 328 u16 val;
329 int rv;
328 330
329 if (strict_strtoul(buf, 0, &val) < 0) 331 rv = kstrtou16(buf, 0, &val);
330 return -EINVAL; 332 if (rv < 0)
331 333 return rv;
332 if (val < 0x0002 || val > 0xFFFE || val % 2)
333 return -EINVAL;
334 334
335 if (val > hdev->sniff_max_interval) 335 if (val == 0 || val % 2 || val > hdev->sniff_max_interval)
336 return -EINVAL; 336 return -EINVAL;
337 337
338 hdev->sniff_min_interval = val; 338 hdev->sniff_min_interval = val;
diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
index 5ec12971af6b..ae6ebc6c3481 100644
--- a/net/bluetooth/hidp/core.c
+++ b/net/bluetooth/hidp/core.c
@@ -37,6 +37,7 @@
37#include <linux/init.h> 37#include <linux/init.h>
38#include <linux/wait.h> 38#include <linux/wait.h>
39#include <linux/mutex.h> 39#include <linux/mutex.h>
40#include <linux/kthread.h>
40#include <net/sock.h> 41#include <net/sock.h>
41 42
42#include <linux/input.h> 43#include <linux/input.h>
@@ -55,22 +56,24 @@ static DECLARE_RWSEM(hidp_session_sem);
55static LIST_HEAD(hidp_session_list); 56static LIST_HEAD(hidp_session_list);
56 57
57static unsigned char hidp_keycode[256] = { 58static unsigned char hidp_keycode[256] = {
58 0, 0, 0, 0, 30, 48, 46, 32, 18, 33, 34, 35, 23, 36, 37, 38, 59 0, 0, 0, 0, 30, 48, 46, 32, 18, 33, 34, 35, 23, 36,
59 50, 49, 24, 25, 16, 19, 31, 20, 22, 47, 17, 45, 21, 44, 2, 3, 60 37, 38, 50, 49, 24, 25, 16, 19, 31, 20, 22, 47, 17, 45,
60 4, 5, 6, 7, 8, 9, 10, 11, 28, 1, 14, 15, 57, 12, 13, 26, 61 21, 44, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 28, 1,
61 27, 43, 43, 39, 40, 41, 51, 52, 53, 58, 59, 60, 61, 62, 63, 64, 62 14, 15, 57, 12, 13, 26, 27, 43, 43, 39, 40, 41, 51, 52,
62 65, 66, 67, 68, 87, 88, 99, 70,119,110,102,104,111,107,109,106, 63 53, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 87, 88,
63 105,108,103, 69, 98, 55, 74, 78, 96, 79, 80, 81, 75, 76, 77, 71, 64 99, 70, 119, 110, 102, 104, 111, 107, 109, 106, 105, 108, 103, 69,
64 72, 73, 82, 83, 86,127,116,117,183,184,185,186,187,188,189,190, 65 98, 55, 74, 78, 96, 79, 80, 81, 75, 76, 77, 71, 72, 73,
65 191,192,193,194,134,138,130,132,128,129,131,137,133,135,136,113, 66 82, 83, 86, 127, 116, 117, 183, 184, 185, 186, 187, 188, 189, 190,
66 115,114, 0, 0, 0,121, 0, 89, 93,124, 92, 94, 95, 0, 0, 0, 67 191, 192, 193, 194, 134, 138, 130, 132, 128, 129, 131, 137, 133, 135,
67 122,123, 90, 91, 85, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 68 136, 113, 115, 114, 0, 0, 0, 121, 0, 89, 93, 124, 92, 94,
68 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 69 95, 0, 0, 0, 122, 123, 90, 91, 85, 0, 0, 0, 0, 0,
69 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 70 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
70 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 71 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
71 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 72 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
72 29, 42, 56,125, 97, 54,100,126,164,166,165,163,161,115,114,113, 73 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
73 150,158,159,128,136,177,178,176,142,152,173,140 74 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
75 29, 42, 56, 125, 97, 54, 100, 126, 164, 166, 165, 163, 161, 115,
76 114, 113, 150, 158, 159, 128, 136, 177, 178, 176, 142, 152, 173, 140
74}; 77};
75 78
76static unsigned char hidp_mkeyspat[] = { 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 }; 79static unsigned char hidp_mkeyspat[] = { 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 };
@@ -461,8 +464,7 @@ static void hidp_idle_timeout(unsigned long arg)
461{ 464{
462 struct hidp_session *session = (struct hidp_session *) arg; 465 struct hidp_session *session = (struct hidp_session *) arg;
463 466
464 atomic_inc(&session->terminate); 467 kthread_stop(session->task);
465 hidp_schedule(session);
466} 468}
467 469
468static void hidp_set_timer(struct hidp_session *session) 470static void hidp_set_timer(struct hidp_session *session)
@@ -533,9 +535,7 @@ static void hidp_process_hid_control(struct hidp_session *session,
533 skb_queue_purge(&session->ctrl_transmit); 535 skb_queue_purge(&session->ctrl_transmit);
534 skb_queue_purge(&session->intr_transmit); 536 skb_queue_purge(&session->intr_transmit);
535 537
536 /* Kill session thread */ 538 kthread_stop(session->task);
537 atomic_inc(&session->terminate);
538 hidp_schedule(session);
539 } 539 }
540} 540}
541 541
@@ -694,22 +694,10 @@ static int hidp_session(void *arg)
694 struct sock *ctrl_sk = session->ctrl_sock->sk; 694 struct sock *ctrl_sk = session->ctrl_sock->sk;
695 struct sock *intr_sk = session->intr_sock->sk; 695 struct sock *intr_sk = session->intr_sock->sk;
696 struct sk_buff *skb; 696 struct sk_buff *skb;
697 int vendor = 0x0000, product = 0x0000;
698 wait_queue_t ctrl_wait, intr_wait; 697 wait_queue_t ctrl_wait, intr_wait;
699 698
700 BT_DBG("session %p", session); 699 BT_DBG("session %p", session);
701 700
702 if (session->input) {
703 vendor = session->input->id.vendor;
704 product = session->input->id.product;
705 }
706
707 if (session->hid) {
708 vendor = session->hid->vendor;
709 product = session->hid->product;
710 }
711
712 daemonize("khidpd_%04x%04x", vendor, product);
713 set_user_nice(current, -15); 701 set_user_nice(current, -15);
714 702
715 init_waitqueue_entry(&ctrl_wait, current); 703 init_waitqueue_entry(&ctrl_wait, current);
@@ -718,10 +706,11 @@ static int hidp_session(void *arg)
718 add_wait_queue(sk_sleep(intr_sk), &intr_wait); 706 add_wait_queue(sk_sleep(intr_sk), &intr_wait);
719 session->waiting_for_startup = 0; 707 session->waiting_for_startup = 0;
720 wake_up_interruptible(&session->startup_queue); 708 wake_up_interruptible(&session->startup_queue);
721 while (!atomic_read(&session->terminate)) { 709 while (!kthread_should_stop()) {
722 set_current_state(TASK_INTERRUPTIBLE); 710 set_current_state(TASK_INTERRUPTIBLE);
723 711
724 if (ctrl_sk->sk_state != BT_CONNECTED || intr_sk->sk_state != BT_CONNECTED) 712 if (ctrl_sk->sk_state != BT_CONNECTED ||
713 intr_sk->sk_state != BT_CONNECTED)
725 break; 714 break;
726 715
727 while ((skb = skb_dequeue(&ctrl_sk->sk_receive_queue))) { 716 while ((skb = skb_dequeue(&ctrl_sk->sk_receive_queue))) {
@@ -965,6 +954,7 @@ fault:
965int hidp_add_connection(struct hidp_connadd_req *req, struct socket *ctrl_sock, struct socket *intr_sock) 954int hidp_add_connection(struct hidp_connadd_req *req, struct socket *ctrl_sock, struct socket *intr_sock)
966{ 955{
967 struct hidp_session *session, *s; 956 struct hidp_session *session, *s;
957 int vendor, product;
968 int err; 958 int err;
969 959
970 BT_DBG(""); 960 BT_DBG("");
@@ -1026,9 +1016,24 @@ int hidp_add_connection(struct hidp_connadd_req *req, struct socket *ctrl_sock,
1026 1016
1027 hidp_set_timer(session); 1017 hidp_set_timer(session);
1028 1018
1029 err = kernel_thread(hidp_session, session, CLONE_KERNEL); 1019 if (session->hid) {
1030 if (err < 0) 1020 vendor = session->hid->vendor;
1021 product = session->hid->product;
1022 } else if (session->input) {
1023 vendor = session->input->id.vendor;
1024 product = session->input->id.product;
1025 } else {
1026 vendor = 0x0000;
1027 product = 0x0000;
1028 }
1029
1030 session->task = kthread_run(hidp_session, session, "khidpd_%04x%04x",
1031 vendor, product);
1032 if (IS_ERR(session->task)) {
1033 err = PTR_ERR(session->task);
1031 goto unlink; 1034 goto unlink;
1035 }
1036
1032 while (session->waiting_for_startup) { 1037 while (session->waiting_for_startup) {
1033 wait_event_interruptible(session->startup_queue, 1038 wait_event_interruptible(session->startup_queue,
1034 !session->waiting_for_startup); 1039 !session->waiting_for_startup);
@@ -1053,8 +1058,7 @@ int hidp_add_connection(struct hidp_connadd_req *req, struct socket *ctrl_sock,
1053err_add_device: 1058err_add_device:
1054 hid_destroy_device(session->hid); 1059 hid_destroy_device(session->hid);
1055 session->hid = NULL; 1060 session->hid = NULL;
1056 atomic_inc(&session->terminate); 1061 kthread_stop(session->task);
1057 hidp_schedule(session);
1058 1062
1059unlink: 1063unlink:
1060 hidp_del_timer(session); 1064 hidp_del_timer(session);
@@ -1105,13 +1109,7 @@ int hidp_del_connection(struct hidp_conndel_req *req)
1105 skb_queue_purge(&session->ctrl_transmit); 1109 skb_queue_purge(&session->ctrl_transmit);
1106 skb_queue_purge(&session->intr_transmit); 1110 skb_queue_purge(&session->intr_transmit);
1107 1111
1108 /* Wakeup user-space polling for socket errors */ 1112 kthread_stop(session->task);
1109 session->intr_sock->sk->sk_err = EUNATCH;
1110 session->ctrl_sock->sk->sk_err = EUNATCH;
1111
1112 /* Kill session thread */
1113 atomic_inc(&session->terminate);
1114 hidp_schedule(session);
1115 } 1113 }
1116 } else 1114 } else
1117 err = -ENOENT; 1115 err = -ENOENT;
diff --git a/net/bluetooth/hidp/hidp.h b/net/bluetooth/hidp/hidp.h
index 13de5fa03480..12822cde4b49 100644
--- a/net/bluetooth/hidp/hidp.h
+++ b/net/bluetooth/hidp/hidp.h
@@ -84,8 +84,8 @@
84#define HIDP_WAITING_FOR_SEND_ACK 11 84#define HIDP_WAITING_FOR_SEND_ACK 11
85 85
86struct hidp_connadd_req { 86struct hidp_connadd_req {
87 int ctrl_sock; // Connected control socket 87 int ctrl_sock; /* Connected control socket */
88 int intr_sock; // Connteted interrupt socket 88 int intr_sock; /* Connected interrupt socket */
89 __u16 parser; 89 __u16 parser;
90 __u16 rd_size; 90 __u16 rd_size;
91 __u8 __user *rd_data; 91 __u8 __user *rd_data;
@@ -142,7 +142,7 @@ struct hidp_session {
142 uint ctrl_mtu; 142 uint ctrl_mtu;
143 uint intr_mtu; 143 uint intr_mtu;
144 144
145 atomic_t terminate; 145 struct task_struct *task;
146 146
147 unsigned char keys[8]; 147 unsigned char keys[8];
148 unsigned char leds; 148 unsigned char leds;
diff --git a/net/bluetooth/hidp/sock.c b/net/bluetooth/hidp/sock.c
index 250dfd46237d..178ac7f127ad 100644
--- a/net/bluetooth/hidp/sock.c
+++ b/net/bluetooth/hidp/sock.c
@@ -85,7 +85,8 @@ static int hidp_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
85 return err; 85 return err;
86 } 86 }
87 87
88 if (csock->sk->sk_state != BT_CONNECTED || isock->sk->sk_state != BT_CONNECTED) { 88 if (csock->sk->sk_state != BT_CONNECTED ||
89 isock->sk->sk_state != BT_CONNECTED) {
89 sockfd_put(csock); 90 sockfd_put(csock);
90 sockfd_put(isock); 91 sockfd_put(isock);
91 return -EBADFD; 92 return -EBADFD;
@@ -140,8 +141,8 @@ static int hidp_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
140 141
141#ifdef CONFIG_COMPAT 142#ifdef CONFIG_COMPAT
142struct compat_hidp_connadd_req { 143struct compat_hidp_connadd_req {
143 int ctrl_sock; // Connected control socket 144 int ctrl_sock; /* Connected control socket */
144 int intr_sock; // Connteted interrupt socket 145 int intr_sock; /* Connected interrupt socket */
145 __u16 parser; 146 __u16 parser;
146 __u16 rd_size; 147 __u16 rd_size;
147 compat_uptr_t rd_data; 148 compat_uptr_t rd_data;
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 2c8dd4494c63..9e8dc136ef16 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -70,108 +70,101 @@ static void l2cap_busy_work(struct work_struct *work);
70 70
71static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, 71static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
72 u8 code, u8 ident, u16 dlen, void *data); 72 u8 code, u8 ident, u16 dlen, void *data);
73static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
73 74
74static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb); 75static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb);
75 76
76/* ---- L2CAP channels ---- */ 77/* ---- L2CAP channels ---- */
77static struct sock *__l2cap_get_chan_by_dcid(struct l2cap_chan_list *l, u16 cid) 78static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
78{ 79{
79 struct sock *s; 80 struct l2cap_chan *c;
80 for (s = l->head; s; s = l2cap_pi(s)->next_c) { 81
82 list_for_each_entry(c, &conn->chan_l, list) {
83 struct sock *s = c->sk;
81 if (l2cap_pi(s)->dcid == cid) 84 if (l2cap_pi(s)->dcid == cid)
82 break; 85 return c;
83 } 86 }
84 return s; 87 return NULL;
88
85} 89}
86 90
87static struct sock *__l2cap_get_chan_by_scid(struct l2cap_chan_list *l, u16 cid) 91static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
88{ 92{
89 struct sock *s; 93 struct l2cap_chan *c;
90 for (s = l->head; s; s = l2cap_pi(s)->next_c) { 94
95 list_for_each_entry(c, &conn->chan_l, list) {
96 struct sock *s = c->sk;
91 if (l2cap_pi(s)->scid == cid) 97 if (l2cap_pi(s)->scid == cid)
92 break; 98 return c;
93 } 99 }
94 return s; 100 return NULL;
95} 101}
96 102
97/* Find channel with given SCID. 103/* Find channel with given SCID.
98 * Returns locked socket */ 104 * Returns locked socket */
99static inline struct sock *l2cap_get_chan_by_scid(struct l2cap_chan_list *l, u16 cid) 105static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
100{ 106{
101 struct sock *s; 107 struct l2cap_chan *c;
102 read_lock(&l->lock); 108
103 s = __l2cap_get_chan_by_scid(l, cid); 109 read_lock(&conn->chan_lock);
104 if (s) 110 c = __l2cap_get_chan_by_scid(conn, cid);
105 bh_lock_sock(s); 111 if (c)
106 read_unlock(&l->lock); 112 bh_lock_sock(c->sk);
107 return s; 113 read_unlock(&conn->chan_lock);
114 return c;
108} 115}
109 116
110static struct sock *__l2cap_get_chan_by_ident(struct l2cap_chan_list *l, u8 ident) 117static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
111{ 118{
112 struct sock *s; 119 struct l2cap_chan *c;
113 for (s = l->head; s; s = l2cap_pi(s)->next_c) { 120
114 if (l2cap_pi(s)->ident == ident) 121 list_for_each_entry(c, &conn->chan_l, list) {
115 break; 122 if (c->ident == ident)
123 return c;
116 } 124 }
117 return s; 125 return NULL;
118} 126}
119 127
120static inline struct sock *l2cap_get_chan_by_ident(struct l2cap_chan_list *l, u8 ident) 128static inline struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
121{ 129{
122 struct sock *s; 130 struct l2cap_chan *c;
123 read_lock(&l->lock); 131
124 s = __l2cap_get_chan_by_ident(l, ident); 132 read_lock(&conn->chan_lock);
125 if (s) 133 c = __l2cap_get_chan_by_ident(conn, ident);
126 bh_lock_sock(s); 134 if (c)
127 read_unlock(&l->lock); 135 bh_lock_sock(c->sk);
128 return s; 136 read_unlock(&conn->chan_lock);
137 return c;
129} 138}
130 139
131static u16 l2cap_alloc_cid(struct l2cap_chan_list *l) 140static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
132{ 141{
133 u16 cid = L2CAP_CID_DYN_START; 142 u16 cid = L2CAP_CID_DYN_START;
134 143
135 for (; cid < L2CAP_CID_DYN_END; cid++) { 144 for (; cid < L2CAP_CID_DYN_END; cid++) {
136 if (!__l2cap_get_chan_by_scid(l, cid)) 145 if (!__l2cap_get_chan_by_scid(conn, cid))
137 return cid; 146 return cid;
138 } 147 }
139 148
140 return 0; 149 return 0;
141} 150}
142 151
143static inline void __l2cap_chan_link(struct l2cap_chan_list *l, struct sock *sk) 152static struct l2cap_chan *l2cap_chan_alloc(struct sock *sk)
144{ 153{
145 sock_hold(sk); 154 struct l2cap_chan *chan;
146
147 if (l->head)
148 l2cap_pi(l->head)->prev_c = sk;
149 155
150 l2cap_pi(sk)->next_c = l->head; 156 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
151 l2cap_pi(sk)->prev_c = NULL; 157 if (!chan)
152 l->head = sk; 158 return NULL;
153}
154
155static inline void l2cap_chan_unlink(struct l2cap_chan_list *l, struct sock *sk)
156{
157 struct sock *next = l2cap_pi(sk)->next_c, *prev = l2cap_pi(sk)->prev_c;
158
159 write_lock_bh(&l->lock);
160 if (sk == l->head)
161 l->head = next;
162 159
163 if (next) 160 chan->sk = sk;
164 l2cap_pi(next)->prev_c = prev;
165 if (prev)
166 l2cap_pi(prev)->next_c = next;
167 write_unlock_bh(&l->lock);
168 161
169 __sock_put(sk); 162 return chan;
170} 163}
171 164
172static void __l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent) 165static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
173{ 166{
174 struct l2cap_chan_list *l = &conn->chan_list; 167 struct sock *sk = chan->sk;
175 168
176 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn, 169 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
177 l2cap_pi(sk)->psm, l2cap_pi(sk)->dcid); 170 l2cap_pi(sk)->psm, l2cap_pi(sk)->dcid);
@@ -188,7 +181,7 @@ static void __l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct so
188 l2cap_pi(sk)->dcid = L2CAP_CID_LE_DATA; 181 l2cap_pi(sk)->dcid = L2CAP_CID_LE_DATA;
189 } else { 182 } else {
190 /* Alloc CID for connection-oriented socket */ 183 /* Alloc CID for connection-oriented socket */
191 l2cap_pi(sk)->scid = l2cap_alloc_cid(l); 184 l2cap_pi(sk)->scid = l2cap_alloc_cid(conn);
192 l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU; 185 l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU;
193 } 186 }
194 } else if (sk->sk_type == SOCK_DGRAM) { 187 } else if (sk->sk_type == SOCK_DGRAM) {
@@ -203,26 +196,30 @@ static void __l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct so
203 l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU; 196 l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU;
204 } 197 }
205 198
206 __l2cap_chan_link(l, sk); 199 sock_hold(sk);
207 200
208 if (parent) 201 list_add(&chan->list, &conn->chan_l);
209 bt_accept_enqueue(parent, sk);
210} 202}
211 203
212/* Delete channel. 204/* Delete channel.
213 * Must be called on the locked socket. */ 205 * Must be called on the locked socket. */
214void l2cap_chan_del(struct sock *sk, int err) 206void l2cap_chan_del(struct l2cap_chan *chan, int err)
215{ 207{
208 struct sock *sk = chan->sk;
216 struct l2cap_conn *conn = l2cap_pi(sk)->conn; 209 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
217 struct sock *parent = bt_sk(sk)->parent; 210 struct sock *parent = bt_sk(sk)->parent;
218 211
219 l2cap_sock_clear_timer(sk); 212 l2cap_sock_clear_timer(sk);
220 213
221 BT_DBG("sk %p, conn %p, err %d", sk, conn, err); 214 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
222 215
223 if (conn) { 216 if (conn) {
224 /* Unlink from channel list */ 217 /* Delete from channel list */
225 l2cap_chan_unlink(&conn->chan_list, sk); 218 write_lock_bh(&conn->chan_lock);
219 list_del(&chan->list);
220 write_unlock_bh(&conn->chan_lock);
221 __sock_put(sk);
222
226 l2cap_pi(sk)->conn = NULL; 223 l2cap_pi(sk)->conn = NULL;
227 hci_conn_put(conn->hcon); 224 hci_conn_put(conn->hcon);
228 } 225 }
@@ -239,23 +236,30 @@ void l2cap_chan_del(struct sock *sk, int err)
239 } else 236 } else
240 sk->sk_state_change(sk); 237 sk->sk_state_change(sk);
241 238
242 skb_queue_purge(TX_QUEUE(sk)); 239 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE &&
240 l2cap_pi(sk)->conf_state & L2CAP_CONF_INPUT_DONE))
241 goto free;
242
243 skb_queue_purge(&chan->tx_q);
243 244
244 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM) { 245 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM) {
245 struct srej_list *l, *tmp; 246 struct srej_list *l, *tmp;
246 247
247 del_timer(&l2cap_pi(sk)->retrans_timer); 248 del_timer(&chan->retrans_timer);
248 del_timer(&l2cap_pi(sk)->monitor_timer); 249 del_timer(&chan->monitor_timer);
249 del_timer(&l2cap_pi(sk)->ack_timer); 250 del_timer(&chan->ack_timer);
250 251
251 skb_queue_purge(SREJ_QUEUE(sk)); 252 skb_queue_purge(&chan->srej_q);
252 skb_queue_purge(BUSY_QUEUE(sk)); 253 skb_queue_purge(&chan->busy_q);
253 254
254 list_for_each_entry_safe(l, tmp, SREJ_LIST(sk), list) { 255 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
255 list_del(&l->list); 256 list_del(&l->list);
256 kfree(l); 257 kfree(l);
257 } 258 }
258 } 259 }
260
261free:
262 kfree(chan);
259} 263}
260 264
261static inline u8 l2cap_get_auth_type(struct sock *sk) 265static inline u8 l2cap_get_auth_type(struct sock *sk)
@@ -341,10 +345,11 @@ void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *d
341 hci_send_acl(conn->hcon, skb, flags); 345 hci_send_acl(conn->hcon, skb, flags);
342} 346}
343 347
344static inline void l2cap_send_sframe(struct l2cap_pinfo *pi, u16 control) 348static inline void l2cap_send_sframe(struct l2cap_chan *chan, u16 control)
345{ 349{
346 struct sk_buff *skb; 350 struct sk_buff *skb;
347 struct l2cap_hdr *lh; 351 struct l2cap_hdr *lh;
352 struct l2cap_pinfo *pi = l2cap_pi(chan->sk);
348 struct l2cap_conn *conn = pi->conn; 353 struct l2cap_conn *conn = pi->conn;
349 struct sock *sk = (struct sock *)pi; 354 struct sock *sk = (struct sock *)pi;
350 int count, hlen = L2CAP_HDR_SIZE + 2; 355 int count, hlen = L2CAP_HDR_SIZE + 2;
@@ -356,19 +361,19 @@ static inline void l2cap_send_sframe(struct l2cap_pinfo *pi, u16 control)
356 if (pi->fcs == L2CAP_FCS_CRC16) 361 if (pi->fcs == L2CAP_FCS_CRC16)
357 hlen += 2; 362 hlen += 2;
358 363
359 BT_DBG("pi %p, control 0x%2.2x", pi, control); 364 BT_DBG("chan %p, control 0x%2.2x", chan, control);
360 365
361 count = min_t(unsigned int, conn->mtu, hlen); 366 count = min_t(unsigned int, conn->mtu, hlen);
362 control |= L2CAP_CTRL_FRAME_TYPE; 367 control |= L2CAP_CTRL_FRAME_TYPE;
363 368
364 if (pi->conn_state & L2CAP_CONN_SEND_FBIT) { 369 if (chan->conn_state & L2CAP_CONN_SEND_FBIT) {
365 control |= L2CAP_CTRL_FINAL; 370 control |= L2CAP_CTRL_FINAL;
366 pi->conn_state &= ~L2CAP_CONN_SEND_FBIT; 371 chan->conn_state &= ~L2CAP_CONN_SEND_FBIT;
367 } 372 }
368 373
369 if (pi->conn_state & L2CAP_CONN_SEND_PBIT) { 374 if (chan->conn_state & L2CAP_CONN_SEND_PBIT) {
370 control |= L2CAP_CTRL_POLL; 375 control |= L2CAP_CTRL_POLL;
371 pi->conn_state &= ~L2CAP_CONN_SEND_PBIT; 376 chan->conn_state &= ~L2CAP_CONN_SEND_PBIT;
372 } 377 }
373 378
374 skb = bt_skb_alloc(count, GFP_ATOMIC); 379 skb = bt_skb_alloc(count, GFP_ATOMIC);
@@ -393,17 +398,17 @@ static inline void l2cap_send_sframe(struct l2cap_pinfo *pi, u16 control)
393 hci_send_acl(pi->conn->hcon, skb, flags); 398 hci_send_acl(pi->conn->hcon, skb, flags);
394} 399}
395 400
396static inline void l2cap_send_rr_or_rnr(struct l2cap_pinfo *pi, u16 control) 401static inline void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, u16 control)
397{ 402{
398 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) { 403 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
399 control |= L2CAP_SUPER_RCV_NOT_READY; 404 control |= L2CAP_SUPER_RCV_NOT_READY;
400 pi->conn_state |= L2CAP_CONN_RNR_SENT; 405 chan->conn_state |= L2CAP_CONN_RNR_SENT;
401 } else 406 } else
402 control |= L2CAP_SUPER_RCV_READY; 407 control |= L2CAP_SUPER_RCV_READY;
403 408
404 control |= pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT; 409 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
405 410
406 l2cap_send_sframe(pi, control); 411 l2cap_send_sframe(chan, control);
407} 412}
408 413
409static inline int __l2cap_no_conn_pending(struct sock *sk) 414static inline int __l2cap_no_conn_pending(struct sock *sk)
@@ -411,8 +416,9 @@ static inline int __l2cap_no_conn_pending(struct sock *sk)
411 return !(l2cap_pi(sk)->conf_state & L2CAP_CONF_CONNECT_PEND); 416 return !(l2cap_pi(sk)->conf_state & L2CAP_CONF_CONNECT_PEND);
412} 417}
413 418
414static void l2cap_do_start(struct sock *sk) 419static void l2cap_do_start(struct l2cap_chan *chan)
415{ 420{
421 struct sock *sk = chan->sk;
416 struct l2cap_conn *conn = l2cap_pi(sk)->conn; 422 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
417 423
418 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) { 424 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
@@ -424,11 +430,11 @@ static void l2cap_do_start(struct sock *sk)
424 req.scid = cpu_to_le16(l2cap_pi(sk)->scid); 430 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
425 req.psm = l2cap_pi(sk)->psm; 431 req.psm = l2cap_pi(sk)->psm;
426 432
427 l2cap_pi(sk)->ident = l2cap_get_ident(conn); 433 chan->ident = l2cap_get_ident(conn);
428 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND; 434 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
429 435
430 l2cap_send_cmd(conn, l2cap_pi(sk)->ident, 436 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
431 L2CAP_CONN_REQ, sizeof(req), &req); 437 sizeof(req), &req);
432 } 438 }
433 } else { 439 } else {
434 struct l2cap_info_req req; 440 struct l2cap_info_req req;
@@ -461,19 +467,20 @@ static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
461 } 467 }
462} 468}
463 469
464void l2cap_send_disconn_req(struct l2cap_conn *conn, struct sock *sk, int err) 470void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
465{ 471{
472 struct sock *sk;
466 struct l2cap_disconn_req req; 473 struct l2cap_disconn_req req;
467 474
468 if (!conn) 475 if (!conn)
469 return; 476 return;
470 477
471 skb_queue_purge(TX_QUEUE(sk)); 478 sk = chan->sk;
472 479
473 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM) { 480 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM) {
474 del_timer(&l2cap_pi(sk)->retrans_timer); 481 del_timer(&chan->retrans_timer);
475 del_timer(&l2cap_pi(sk)->monitor_timer); 482 del_timer(&chan->monitor_timer);
476 del_timer(&l2cap_pi(sk)->ack_timer); 483 del_timer(&chan->ack_timer);
477 } 484 }
478 485
479 req.dcid = cpu_to_le16(l2cap_pi(sk)->dcid); 486 req.dcid = cpu_to_le16(l2cap_pi(sk)->dcid);
@@ -488,17 +495,15 @@ void l2cap_send_disconn_req(struct l2cap_conn *conn, struct sock *sk, int err)
488/* ---- L2CAP connections ---- */ 495/* ---- L2CAP connections ---- */
489static void l2cap_conn_start(struct l2cap_conn *conn) 496static void l2cap_conn_start(struct l2cap_conn *conn)
490{ 497{
491 struct l2cap_chan_list *l = &conn->chan_list; 498 struct l2cap_chan *chan, *tmp;
492 struct sock_del_list del, *tmp1, *tmp2;
493 struct sock *sk;
494 499
495 BT_DBG("conn %p", conn); 500 BT_DBG("conn %p", conn);
496 501
497 INIT_LIST_HEAD(&del.list); 502 read_lock(&conn->chan_lock);
498 503
499 read_lock(&l->lock); 504 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
505 struct sock *sk = chan->sk;
500 506
501 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
502 bh_lock_sock(sk); 507 bh_lock_sock(sk);
503 508
504 if (sk->sk_type != SOCK_SEQPACKET && 509 if (sk->sk_type != SOCK_SEQPACKET &&
@@ -520,10 +525,11 @@ static void l2cap_conn_start(struct l2cap_conn *conn)
520 conn->feat_mask) 525 conn->feat_mask)
521 && l2cap_pi(sk)->conf_state & 526 && l2cap_pi(sk)->conf_state &
522 L2CAP_CONF_STATE2_DEVICE) { 527 L2CAP_CONF_STATE2_DEVICE) {
523 tmp1 = kzalloc(sizeof(struct sock_del_list), 528 /* __l2cap_sock_close() calls list_del(chan)
524 GFP_ATOMIC); 529 * so release the lock */
525 tmp1->sk = sk; 530 read_unlock_bh(&conn->chan_lock);
526 list_add_tail(&tmp1->list, &del.list); 531 __l2cap_sock_close(sk, ECONNRESET);
532 read_lock_bh(&conn->chan_lock);
527 bh_unlock_sock(sk); 533 bh_unlock_sock(sk);
528 continue; 534 continue;
529 } 535 }
@@ -531,11 +537,11 @@ static void l2cap_conn_start(struct l2cap_conn *conn)
531 req.scid = cpu_to_le16(l2cap_pi(sk)->scid); 537 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
532 req.psm = l2cap_pi(sk)->psm; 538 req.psm = l2cap_pi(sk)->psm;
533 539
534 l2cap_pi(sk)->ident = l2cap_get_ident(conn); 540 chan->ident = l2cap_get_ident(conn);
535 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND; 541 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
536 542
537 l2cap_send_cmd(conn, l2cap_pi(sk)->ident, 543 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
538 L2CAP_CONN_REQ, sizeof(req), &req); 544 sizeof(req), &req);
539 545
540 } else if (sk->sk_state == BT_CONNECT2) { 546 } else if (sk->sk_state == BT_CONNECT2) {
541 struct l2cap_conn_rsp rsp; 547 struct l2cap_conn_rsp rsp;
@@ -560,8 +566,8 @@ static void l2cap_conn_start(struct l2cap_conn *conn)
560 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND); 566 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
561 } 567 }
562 568
563 l2cap_send_cmd(conn, l2cap_pi(sk)->ident, 569 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
564 L2CAP_CONN_RSP, sizeof(rsp), &rsp); 570 sizeof(rsp), &rsp);
565 571
566 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT || 572 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT ||
567 rsp.result != L2CAP_CR_SUCCESS) { 573 rsp.result != L2CAP_CR_SUCCESS) {
@@ -571,22 +577,14 @@ static void l2cap_conn_start(struct l2cap_conn *conn)
571 577
572 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT; 578 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
573 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, 579 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
574 l2cap_build_conf_req(sk, buf), buf); 580 l2cap_build_conf_req(chan, buf), buf);
575 l2cap_pi(sk)->num_conf_req++; 581 chan->num_conf_req++;
576 } 582 }
577 583
578 bh_unlock_sock(sk); 584 bh_unlock_sock(sk);
579 } 585 }
580 586
581 read_unlock(&l->lock); 587 read_unlock(&conn->chan_lock);
582
583 list_for_each_entry_safe(tmp1, tmp2, &del.list, list) {
584 bh_lock_sock(tmp1->sk);
585 __l2cap_sock_close(tmp1->sk, ECONNRESET);
586 bh_unlock_sock(tmp1->sk);
587 list_del(&tmp1->list);
588 kfree(tmp1);
589 }
590} 588}
591 589
592/* Find socket with cid and source bdaddr. 590/* Find socket with cid and source bdaddr.
@@ -594,7 +592,7 @@ static void l2cap_conn_start(struct l2cap_conn *conn)
594 */ 592 */
595static struct sock *l2cap_get_sock_by_scid(int state, __le16 cid, bdaddr_t *src) 593static struct sock *l2cap_get_sock_by_scid(int state, __le16 cid, bdaddr_t *src)
596{ 594{
597 struct sock *s, *sk = NULL, *sk1 = NULL; 595 struct sock *sk = NULL, *sk1 = NULL;
598 struct hlist_node *node; 596 struct hlist_node *node;
599 597
600 read_lock(&l2cap_sk_list.lock); 598 read_lock(&l2cap_sk_list.lock);
@@ -613,18 +611,16 @@ static struct sock *l2cap_get_sock_by_scid(int state, __le16 cid, bdaddr_t *src)
613 sk1 = sk; 611 sk1 = sk;
614 } 612 }
615 } 613 }
616 s = node ? sk : sk1; 614
617 if (s)
618 bh_lock_sock(s);
619 read_unlock(&l2cap_sk_list.lock); 615 read_unlock(&l2cap_sk_list.lock);
620 616
621 return s; 617 return node ? sk : sk1;
622} 618}
623 619
624static void l2cap_le_conn_ready(struct l2cap_conn *conn) 620static void l2cap_le_conn_ready(struct l2cap_conn *conn)
625{ 621{
626 struct l2cap_chan_list *list = &conn->chan_list; 622 struct sock *parent, *sk;
627 struct sock *parent, *uninitialized_var(sk); 623 struct l2cap_chan *chan;
628 624
629 BT_DBG(""); 625 BT_DBG("");
630 626
@@ -634,6 +630,8 @@ static void l2cap_le_conn_ready(struct l2cap_conn *conn)
634 if (!parent) 630 if (!parent)
635 return; 631 return;
636 632
633 bh_lock_sock(parent);
634
637 /* Check for backlog size */ 635 /* Check for backlog size */
638 if (sk_acceptq_is_full(parent)) { 636 if (sk_acceptq_is_full(parent)) {
639 BT_DBG("backlog full %d", parent->sk_ack_backlog); 637 BT_DBG("backlog full %d", parent->sk_ack_backlog);
@@ -644,22 +642,33 @@ static void l2cap_le_conn_ready(struct l2cap_conn *conn)
644 if (!sk) 642 if (!sk)
645 goto clean; 643 goto clean;
646 644
647 write_lock_bh(&list->lock); 645 chan = l2cap_chan_alloc(sk);
646 if (!chan) {
647 l2cap_sock_kill(sk);
648 goto clean;
649 }
650
651 write_lock_bh(&conn->chan_lock);
648 652
649 hci_conn_hold(conn->hcon); 653 hci_conn_hold(conn->hcon);
650 654
651 l2cap_sock_init(sk, parent); 655 l2cap_sock_init(sk, parent);
656
652 bacpy(&bt_sk(sk)->src, conn->src); 657 bacpy(&bt_sk(sk)->src, conn->src);
653 bacpy(&bt_sk(sk)->dst, conn->dst); 658 bacpy(&bt_sk(sk)->dst, conn->dst);
654 659
655 __l2cap_chan_add(conn, sk, parent); 660 bt_accept_enqueue(parent, sk);
661
662 __l2cap_chan_add(conn, chan);
663
664 l2cap_pi(sk)->chan = chan;
656 665
657 l2cap_sock_set_timer(sk, sk->sk_sndtimeo); 666 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
658 667
659 sk->sk_state = BT_CONNECTED; 668 sk->sk_state = BT_CONNECTED;
660 parent->sk_data_ready(parent, 0); 669 parent->sk_data_ready(parent, 0);
661 670
662 write_unlock_bh(&list->lock); 671 write_unlock_bh(&conn->chan_lock);
663 672
664clean: 673clean:
665 bh_unlock_sock(parent); 674 bh_unlock_sock(parent);
@@ -667,17 +676,18 @@ clean:
667 676
668static void l2cap_conn_ready(struct l2cap_conn *conn) 677static void l2cap_conn_ready(struct l2cap_conn *conn)
669{ 678{
670 struct l2cap_chan_list *l = &conn->chan_list; 679 struct l2cap_chan *chan;
671 struct sock *sk;
672 680
673 BT_DBG("conn %p", conn); 681 BT_DBG("conn %p", conn);
674 682
675 if (!conn->hcon->out && conn->hcon->type == LE_LINK) 683 if (!conn->hcon->out && conn->hcon->type == LE_LINK)
676 l2cap_le_conn_ready(conn); 684 l2cap_le_conn_ready(conn);
677 685
678 read_lock(&l->lock); 686 read_lock(&conn->chan_lock);
687
688 list_for_each_entry(chan, &conn->chan_l, list) {
689 struct sock *sk = chan->sk;
679 690
680 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
681 bh_lock_sock(sk); 691 bh_lock_sock(sk);
682 692
683 if (conn->hcon->type == LE_LINK) { 693 if (conn->hcon->type == LE_LINK) {
@@ -692,30 +702,31 @@ static void l2cap_conn_ready(struct l2cap_conn *conn)
692 sk->sk_state = BT_CONNECTED; 702 sk->sk_state = BT_CONNECTED;
693 sk->sk_state_change(sk); 703 sk->sk_state_change(sk);
694 } else if (sk->sk_state == BT_CONNECT) 704 } else if (sk->sk_state == BT_CONNECT)
695 l2cap_do_start(sk); 705 l2cap_do_start(chan);
696 706
697 bh_unlock_sock(sk); 707 bh_unlock_sock(sk);
698 } 708 }
699 709
700 read_unlock(&l->lock); 710 read_unlock(&conn->chan_lock);
701} 711}
702 712
703/* Notify sockets that we cannot guaranty reliability anymore */ 713/* Notify sockets that we cannot guaranty reliability anymore */
704static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err) 714static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
705{ 715{
706 struct l2cap_chan_list *l = &conn->chan_list; 716 struct l2cap_chan *chan;
707 struct sock *sk;
708 717
709 BT_DBG("conn %p", conn); 718 BT_DBG("conn %p", conn);
710 719
711 read_lock(&l->lock); 720 read_lock(&conn->chan_lock);
721
722 list_for_each_entry(chan, &conn->chan_l, list) {
723 struct sock *sk = chan->sk;
712 724
713 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
714 if (l2cap_pi(sk)->force_reliable) 725 if (l2cap_pi(sk)->force_reliable)
715 sk->sk_err = err; 726 sk->sk_err = err;
716 } 727 }
717 728
718 read_unlock(&l->lock); 729 read_unlock(&conn->chan_lock);
719} 730}
720 731
721static void l2cap_info_timeout(unsigned long arg) 732static void l2cap_info_timeout(unsigned long arg)
@@ -755,7 +766,9 @@ static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
755 conn->feat_mask = 0; 766 conn->feat_mask = 0;
756 767
757 spin_lock_init(&conn->lock); 768 spin_lock_init(&conn->lock);
758 rwlock_init(&conn->chan_list.lock); 769 rwlock_init(&conn->chan_lock);
770
771 INIT_LIST_HEAD(&conn->chan_l);
759 772
760 if (hcon->type != LE_LINK) 773 if (hcon->type != LE_LINK)
761 setup_timer(&conn->info_timer, l2cap_info_timeout, 774 setup_timer(&conn->info_timer, l2cap_info_timeout,
@@ -769,6 +782,7 @@ static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
769static void l2cap_conn_del(struct hci_conn *hcon, int err) 782static void l2cap_conn_del(struct hci_conn *hcon, int err)
770{ 783{
771 struct l2cap_conn *conn = hcon->l2cap_data; 784 struct l2cap_conn *conn = hcon->l2cap_data;
785 struct l2cap_chan *chan, *l;
772 struct sock *sk; 786 struct sock *sk;
773 787
774 if (!conn) 788 if (!conn)
@@ -779,9 +793,10 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err)
779 kfree_skb(conn->rx_skb); 793 kfree_skb(conn->rx_skb);
780 794
781 /* Kill channels */ 795 /* Kill channels */
782 while ((sk = conn->chan_list.head)) { 796 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
797 sk = chan->sk;
783 bh_lock_sock(sk); 798 bh_lock_sock(sk);
784 l2cap_chan_del(sk, err); 799 l2cap_chan_del(chan, err);
785 bh_unlock_sock(sk); 800 bh_unlock_sock(sk);
786 l2cap_sock_kill(sk); 801 l2cap_sock_kill(sk);
787 } 802 }
@@ -793,12 +808,11 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err)
793 kfree(conn); 808 kfree(conn);
794} 809}
795 810
796static inline void l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent) 811static inline void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
797{ 812{
798 struct l2cap_chan_list *l = &conn->chan_list; 813 write_lock_bh(&conn->chan_lock);
799 write_lock_bh(&l->lock); 814 __l2cap_chan_add(conn, chan);
800 __l2cap_chan_add(conn, sk, parent); 815 write_unlock_bh(&conn->chan_lock);
801 write_unlock_bh(&l->lock);
802} 816}
803 817
804/* ---- Socket interface ---- */ 818/* ---- Socket interface ---- */
@@ -838,6 +852,7 @@ int l2cap_do_connect(struct sock *sk)
838 bdaddr_t *src = &bt_sk(sk)->src; 852 bdaddr_t *src = &bt_sk(sk)->src;
839 bdaddr_t *dst = &bt_sk(sk)->dst; 853 bdaddr_t *dst = &bt_sk(sk)->dst;
840 struct l2cap_conn *conn; 854 struct l2cap_conn *conn;
855 struct l2cap_chan *chan;
841 struct hci_conn *hcon; 856 struct hci_conn *hcon;
842 struct hci_dev *hdev; 857 struct hci_dev *hdev;
843 __u8 auth_type; 858 __u8 auth_type;
@@ -873,10 +888,19 @@ int l2cap_do_connect(struct sock *sk)
873 goto done; 888 goto done;
874 } 889 }
875 890
891 chan = l2cap_chan_alloc(sk);
892 if (!chan) {
893 hci_conn_put(hcon);
894 err = -ENOMEM;
895 goto done;
896 }
897
876 /* Update source addr of the socket */ 898 /* Update source addr of the socket */
877 bacpy(src, conn->src); 899 bacpy(src, conn->src);
878 900
879 l2cap_chan_add(conn, sk, NULL); 901 l2cap_chan_add(conn, chan);
902
903 l2cap_pi(sk)->chan = chan;
880 904
881 sk->sk_state = BT_CONNECT; 905 sk->sk_state = BT_CONNECT;
882 l2cap_sock_set_timer(sk, sk->sk_sndtimeo); 906 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
@@ -888,7 +912,7 @@ int l2cap_do_connect(struct sock *sk)
888 if (l2cap_check_security(sk)) 912 if (l2cap_check_security(sk))
889 sk->sk_state = BT_CONNECTED; 913 sk->sk_state = BT_CONNECTED;
890 } else 914 } else
891 l2cap_do_start(sk); 915 l2cap_do_start(chan);
892 } 916 }
893 917
894 err = 0; 918 err = 0;
@@ -906,7 +930,7 @@ int __l2cap_wait_ack(struct sock *sk)
906 int timeo = HZ/5; 930 int timeo = HZ/5;
907 931
908 add_wait_queue(sk_sleep(sk), &wait); 932 add_wait_queue(sk_sleep(sk), &wait);
909 while ((l2cap_pi(sk)->unacked_frames > 0 && l2cap_pi(sk)->conn)) { 933 while ((l2cap_pi(sk)->chan->unacked_frames > 0 && l2cap_pi(sk)->conn)) {
910 set_current_state(TASK_INTERRUPTIBLE); 934 set_current_state(TASK_INTERRUPTIBLE);
911 935
912 if (!timeo) 936 if (!timeo)
@@ -932,57 +956,59 @@ int __l2cap_wait_ack(struct sock *sk)
932 956
933static void l2cap_monitor_timeout(unsigned long arg) 957static void l2cap_monitor_timeout(unsigned long arg)
934{ 958{
935 struct sock *sk = (void *) arg; 959 struct l2cap_chan *chan = (void *) arg;
960 struct sock *sk = chan->sk;
936 961
937 BT_DBG("sk %p", sk); 962 BT_DBG("chan %p", chan);
938 963
939 bh_lock_sock(sk); 964 bh_lock_sock(sk);
940 if (l2cap_pi(sk)->retry_count >= l2cap_pi(sk)->remote_max_tx) { 965 if (chan->retry_count >= chan->remote_max_tx) {
941 l2cap_send_disconn_req(l2cap_pi(sk)->conn, sk, ECONNABORTED); 966 l2cap_send_disconn_req(l2cap_pi(sk)->conn, chan, ECONNABORTED);
942 bh_unlock_sock(sk); 967 bh_unlock_sock(sk);
943 return; 968 return;
944 } 969 }
945 970
946 l2cap_pi(sk)->retry_count++; 971 chan->retry_count++;
947 __mod_monitor_timer(); 972 __mod_monitor_timer();
948 973
949 l2cap_send_rr_or_rnr(l2cap_pi(sk), L2CAP_CTRL_POLL); 974 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
950 bh_unlock_sock(sk); 975 bh_unlock_sock(sk);
951} 976}
952 977
953static void l2cap_retrans_timeout(unsigned long arg) 978static void l2cap_retrans_timeout(unsigned long arg)
954{ 979{
955 struct sock *sk = (void *) arg; 980 struct l2cap_chan *chan = (void *) arg;
981 struct sock *sk = chan->sk;
956 982
957 BT_DBG("sk %p", sk); 983 BT_DBG("chan %p", chan);
958 984
959 bh_lock_sock(sk); 985 bh_lock_sock(sk);
960 l2cap_pi(sk)->retry_count = 1; 986 chan->retry_count = 1;
961 __mod_monitor_timer(); 987 __mod_monitor_timer();
962 988
963 l2cap_pi(sk)->conn_state |= L2CAP_CONN_WAIT_F; 989 chan->conn_state |= L2CAP_CONN_WAIT_F;
964 990
965 l2cap_send_rr_or_rnr(l2cap_pi(sk), L2CAP_CTRL_POLL); 991 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
966 bh_unlock_sock(sk); 992 bh_unlock_sock(sk);
967} 993}
968 994
969static void l2cap_drop_acked_frames(struct sock *sk) 995static void l2cap_drop_acked_frames(struct l2cap_chan *chan)
970{ 996{
971 struct sk_buff *skb; 997 struct sk_buff *skb;
972 998
973 while ((skb = skb_peek(TX_QUEUE(sk))) && 999 while ((skb = skb_peek(&chan->tx_q)) &&
974 l2cap_pi(sk)->unacked_frames) { 1000 chan->unacked_frames) {
975 if (bt_cb(skb)->tx_seq == l2cap_pi(sk)->expected_ack_seq) 1001 if (bt_cb(skb)->tx_seq == chan->expected_ack_seq)
976 break; 1002 break;
977 1003
978 skb = skb_dequeue(TX_QUEUE(sk)); 1004 skb = skb_dequeue(&chan->tx_q);
979 kfree_skb(skb); 1005 kfree_skb(skb);
980 1006
981 l2cap_pi(sk)->unacked_frames--; 1007 chan->unacked_frames--;
982 } 1008 }
983 1009
984 if (!l2cap_pi(sk)->unacked_frames) 1010 if (!chan->unacked_frames)
985 del_timer(&l2cap_pi(sk)->retrans_timer); 1011 del_timer(&chan->retrans_timer);
986} 1012}
987 1013
988void l2cap_do_send(struct sock *sk, struct sk_buff *skb) 1014void l2cap_do_send(struct sock *sk, struct sk_buff *skb)
@@ -1001,15 +1027,16 @@ void l2cap_do_send(struct sock *sk, struct sk_buff *skb)
1001 hci_send_acl(hcon, skb, flags); 1027 hci_send_acl(hcon, skb, flags);
1002} 1028}
1003 1029
1004void l2cap_streaming_send(struct sock *sk) 1030void l2cap_streaming_send(struct l2cap_chan *chan)
1005{ 1031{
1032 struct sock *sk = chan->sk;
1006 struct sk_buff *skb; 1033 struct sk_buff *skb;
1007 struct l2cap_pinfo *pi = l2cap_pi(sk); 1034 struct l2cap_pinfo *pi = l2cap_pi(sk);
1008 u16 control, fcs; 1035 u16 control, fcs;
1009 1036
1010 while ((skb = skb_dequeue(TX_QUEUE(sk)))) { 1037 while ((skb = skb_dequeue(&chan->tx_q))) {
1011 control = get_unaligned_le16(skb->data + L2CAP_HDR_SIZE); 1038 control = get_unaligned_le16(skb->data + L2CAP_HDR_SIZE);
1012 control |= pi->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT; 1039 control |= chan->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT;
1013 put_unaligned_le16(control, skb->data + L2CAP_HDR_SIZE); 1040 put_unaligned_le16(control, skb->data + L2CAP_HDR_SIZE);
1014 1041
1015 if (pi->fcs == L2CAP_FCS_CRC16) { 1042 if (pi->fcs == L2CAP_FCS_CRC16) {
@@ -1019,17 +1046,18 @@ void l2cap_streaming_send(struct sock *sk)
1019 1046
1020 l2cap_do_send(sk, skb); 1047 l2cap_do_send(sk, skb);
1021 1048
1022 pi->next_tx_seq = (pi->next_tx_seq + 1) % 64; 1049 chan->next_tx_seq = (chan->next_tx_seq + 1) % 64;
1023 } 1050 }
1024} 1051}
1025 1052
1026static void l2cap_retransmit_one_frame(struct sock *sk, u8 tx_seq) 1053static void l2cap_retransmit_one_frame(struct l2cap_chan *chan, u8 tx_seq)
1027{ 1054{
1055 struct sock *sk = chan->sk;
1028 struct l2cap_pinfo *pi = l2cap_pi(sk); 1056 struct l2cap_pinfo *pi = l2cap_pi(sk);
1029 struct sk_buff *skb, *tx_skb; 1057 struct sk_buff *skb, *tx_skb;
1030 u16 control, fcs; 1058 u16 control, fcs;
1031 1059
1032 skb = skb_peek(TX_QUEUE(sk)); 1060 skb = skb_peek(&chan->tx_q);
1033 if (!skb) 1061 if (!skb)
1034 return; 1062 return;
1035 1063
@@ -1037,14 +1065,14 @@ static void l2cap_retransmit_one_frame(struct sock *sk, u8 tx_seq)
1037 if (bt_cb(skb)->tx_seq == tx_seq) 1065 if (bt_cb(skb)->tx_seq == tx_seq)
1038 break; 1066 break;
1039 1067
1040 if (skb_queue_is_last(TX_QUEUE(sk), skb)) 1068 if (skb_queue_is_last(&chan->tx_q, skb))
1041 return; 1069 return;
1042 1070
1043 } while ((skb = skb_queue_next(TX_QUEUE(sk), skb))); 1071 } while ((skb = skb_queue_next(&chan->tx_q, skb)));
1044 1072
1045 if (pi->remote_max_tx && 1073 if (chan->remote_max_tx &&
1046 bt_cb(skb)->retries == pi->remote_max_tx) { 1074 bt_cb(skb)->retries == chan->remote_max_tx) {
1047 l2cap_send_disconn_req(pi->conn, sk, ECONNABORTED); 1075 l2cap_send_disconn_req(pi->conn, chan, ECONNABORTED);
1048 return; 1076 return;
1049 } 1077 }
1050 1078
@@ -1053,12 +1081,12 @@ static void l2cap_retransmit_one_frame(struct sock *sk, u8 tx_seq)
1053 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE); 1081 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
1054 control &= L2CAP_CTRL_SAR; 1082 control &= L2CAP_CTRL_SAR;
1055 1083
1056 if (pi->conn_state & L2CAP_CONN_SEND_FBIT) { 1084 if (chan->conn_state & L2CAP_CONN_SEND_FBIT) {
1057 control |= L2CAP_CTRL_FINAL; 1085 control |= L2CAP_CTRL_FINAL;
1058 pi->conn_state &= ~L2CAP_CONN_SEND_FBIT; 1086 chan->conn_state &= ~L2CAP_CONN_SEND_FBIT;
1059 } 1087 }
1060 1088
1061 control |= (pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT) 1089 control |= (chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1062 | (tx_seq << L2CAP_CTRL_TXSEQ_SHIFT); 1090 | (tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
1063 1091
1064 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE); 1092 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
@@ -1071,9 +1099,10 @@ static void l2cap_retransmit_one_frame(struct sock *sk, u8 tx_seq)
1071 l2cap_do_send(sk, tx_skb); 1099 l2cap_do_send(sk, tx_skb);
1072} 1100}
1073 1101
1074int l2cap_ertm_send(struct sock *sk) 1102int l2cap_ertm_send(struct l2cap_chan *chan)
1075{ 1103{
1076 struct sk_buff *skb, *tx_skb; 1104 struct sk_buff *skb, *tx_skb;
1105 struct sock *sk = chan->sk;
1077 struct l2cap_pinfo *pi = l2cap_pi(sk); 1106 struct l2cap_pinfo *pi = l2cap_pi(sk);
1078 u16 control, fcs; 1107 u16 control, fcs;
1079 int nsent = 0; 1108 int nsent = 0;
@@ -1081,11 +1110,11 @@ int l2cap_ertm_send(struct sock *sk)
1081 if (sk->sk_state != BT_CONNECTED) 1110 if (sk->sk_state != BT_CONNECTED)
1082 return -ENOTCONN; 1111 return -ENOTCONN;
1083 1112
1084 while ((skb = sk->sk_send_head) && (!l2cap_tx_window_full(sk))) { 1113 while ((skb = chan->tx_send_head) && (!l2cap_tx_window_full(chan))) {
1085 1114
1086 if (pi->remote_max_tx && 1115 if (chan->remote_max_tx &&
1087 bt_cb(skb)->retries == pi->remote_max_tx) { 1116 bt_cb(skb)->retries == chan->remote_max_tx) {
1088 l2cap_send_disconn_req(pi->conn, sk, ECONNABORTED); 1117 l2cap_send_disconn_req(pi->conn, chan, ECONNABORTED);
1089 break; 1118 break;
1090 } 1119 }
1091 1120
@@ -1096,12 +1125,12 @@ int l2cap_ertm_send(struct sock *sk)
1096 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE); 1125 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
1097 control &= L2CAP_CTRL_SAR; 1126 control &= L2CAP_CTRL_SAR;
1098 1127
1099 if (pi->conn_state & L2CAP_CONN_SEND_FBIT) { 1128 if (chan->conn_state & L2CAP_CONN_SEND_FBIT) {
1100 control |= L2CAP_CTRL_FINAL; 1129 control |= L2CAP_CTRL_FINAL;
1101 pi->conn_state &= ~L2CAP_CONN_SEND_FBIT; 1130 chan->conn_state &= ~L2CAP_CONN_SEND_FBIT;
1102 } 1131 }
1103 control |= (pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT) 1132 control |= (chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1104 | (pi->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT); 1133 | (chan->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
1105 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE); 1134 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1106 1135
1107 1136
@@ -1114,18 +1143,18 @@ int l2cap_ertm_send(struct sock *sk)
1114 1143
1115 __mod_retrans_timer(); 1144 __mod_retrans_timer();
1116 1145
1117 bt_cb(skb)->tx_seq = pi->next_tx_seq; 1146 bt_cb(skb)->tx_seq = chan->next_tx_seq;
1118 pi->next_tx_seq = (pi->next_tx_seq + 1) % 64; 1147 chan->next_tx_seq = (chan->next_tx_seq + 1) % 64;
1119 1148
1120 if (bt_cb(skb)->retries == 1) 1149 if (bt_cb(skb)->retries == 1)
1121 pi->unacked_frames++; 1150 chan->unacked_frames++;
1122 1151
1123 pi->frames_sent++; 1152 chan->frames_sent++;
1124 1153
1125 if (skb_queue_is_last(TX_QUEUE(sk), skb)) 1154 if (skb_queue_is_last(&chan->tx_q, skb))
1126 sk->sk_send_head = NULL; 1155 chan->tx_send_head = NULL;
1127 else 1156 else
1128 sk->sk_send_head = skb_queue_next(TX_QUEUE(sk), skb); 1157 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
1129 1158
1130 nsent++; 1159 nsent++;
1131 } 1160 }
@@ -1133,41 +1162,39 @@ int l2cap_ertm_send(struct sock *sk)
1133 return nsent; 1162 return nsent;
1134} 1163}
1135 1164
1136static int l2cap_retransmit_frames(struct sock *sk) 1165static int l2cap_retransmit_frames(struct l2cap_chan *chan)
1137{ 1166{
1138 struct l2cap_pinfo *pi = l2cap_pi(sk);
1139 int ret; 1167 int ret;
1140 1168
1141 if (!skb_queue_empty(TX_QUEUE(sk))) 1169 if (!skb_queue_empty(&chan->tx_q))
1142 sk->sk_send_head = TX_QUEUE(sk)->next; 1170 chan->tx_send_head = chan->tx_q.next;
1143 1171
1144 pi->next_tx_seq = pi->expected_ack_seq; 1172 chan->next_tx_seq = chan->expected_ack_seq;
1145 ret = l2cap_ertm_send(sk); 1173 ret = l2cap_ertm_send(chan);
1146 return ret; 1174 return ret;
1147} 1175}
1148 1176
1149static void l2cap_send_ack(struct l2cap_pinfo *pi) 1177static void l2cap_send_ack(struct l2cap_chan *chan)
1150{ 1178{
1151 struct sock *sk = (struct sock *)pi;
1152 u16 control = 0; 1179 u16 control = 0;
1153 1180
1154 control |= pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT; 1181 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1155 1182
1156 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) { 1183 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
1157 control |= L2CAP_SUPER_RCV_NOT_READY; 1184 control |= L2CAP_SUPER_RCV_NOT_READY;
1158 pi->conn_state |= L2CAP_CONN_RNR_SENT; 1185 chan->conn_state |= L2CAP_CONN_RNR_SENT;
1159 l2cap_send_sframe(pi, control); 1186 l2cap_send_sframe(chan, control);
1160 return; 1187 return;
1161 } 1188 }
1162 1189
1163 if (l2cap_ertm_send(sk) > 0) 1190 if (l2cap_ertm_send(chan) > 0)
1164 return; 1191 return;
1165 1192
1166 control |= L2CAP_SUPER_RCV_READY; 1193 control |= L2CAP_SUPER_RCV_READY;
1167 l2cap_send_sframe(pi, control); 1194 l2cap_send_sframe(chan, control);
1168} 1195}
1169 1196
1170static void l2cap_send_srejtail(struct sock *sk) 1197static void l2cap_send_srejtail(struct l2cap_chan *chan)
1171{ 1198{
1172 struct srej_list *tail; 1199 struct srej_list *tail;
1173 u16 control; 1200 u16 control;
@@ -1175,10 +1202,10 @@ static void l2cap_send_srejtail(struct sock *sk)
1175 control = L2CAP_SUPER_SELECT_REJECT; 1202 control = L2CAP_SUPER_SELECT_REJECT;
1176 control |= L2CAP_CTRL_FINAL; 1203 control |= L2CAP_CTRL_FINAL;
1177 1204
1178 tail = list_entry(SREJ_LIST(sk)->prev, struct srej_list, list); 1205 tail = list_entry((&chan->srej_l)->prev, struct srej_list, list);
1179 control |= tail->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT; 1206 control |= tail->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1180 1207
1181 l2cap_send_sframe(l2cap_pi(sk), control); 1208 l2cap_send_sframe(chan, control);
1182} 1209}
1183 1210
1184static inline int l2cap_skbuff_fromiovec(struct sock *sk, struct msghdr *msg, int len, int count, struct sk_buff *skb) 1211static inline int l2cap_skbuff_fromiovec(struct sock *sk, struct msghdr *msg, int len, int count, struct sk_buff *skb)
@@ -1315,9 +1342,9 @@ struct sk_buff *l2cap_create_iframe_pdu(struct sock *sk, struct msghdr *msg, siz
1315 return skb; 1342 return skb;
1316} 1343}
1317 1344
1318int l2cap_sar_segment_sdu(struct sock *sk, struct msghdr *msg, size_t len) 1345int l2cap_sar_segment_sdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1319{ 1346{
1320 struct l2cap_pinfo *pi = l2cap_pi(sk); 1347 struct sock *sk = chan->sk;
1321 struct sk_buff *skb; 1348 struct sk_buff *skb;
1322 struct sk_buff_head sar_queue; 1349 struct sk_buff_head sar_queue;
1323 u16 control; 1350 u16 control;
@@ -1325,20 +1352,20 @@ int l2cap_sar_segment_sdu(struct sock *sk, struct msghdr *msg, size_t len)
1325 1352
1326 skb_queue_head_init(&sar_queue); 1353 skb_queue_head_init(&sar_queue);
1327 control = L2CAP_SDU_START; 1354 control = L2CAP_SDU_START;
1328 skb = l2cap_create_iframe_pdu(sk, msg, pi->remote_mps, control, len); 1355 skb = l2cap_create_iframe_pdu(sk, msg, chan->remote_mps, control, len);
1329 if (IS_ERR(skb)) 1356 if (IS_ERR(skb))
1330 return PTR_ERR(skb); 1357 return PTR_ERR(skb);
1331 1358
1332 __skb_queue_tail(&sar_queue, skb); 1359 __skb_queue_tail(&sar_queue, skb);
1333 len -= pi->remote_mps; 1360 len -= chan->remote_mps;
1334 size += pi->remote_mps; 1361 size += chan->remote_mps;
1335 1362
1336 while (len > 0) { 1363 while (len > 0) {
1337 size_t buflen; 1364 size_t buflen;
1338 1365
1339 if (len > pi->remote_mps) { 1366 if (len > chan->remote_mps) {
1340 control = L2CAP_SDU_CONTINUE; 1367 control = L2CAP_SDU_CONTINUE;
1341 buflen = pi->remote_mps; 1368 buflen = chan->remote_mps;
1342 } else { 1369 } else {
1343 control = L2CAP_SDU_END; 1370 control = L2CAP_SDU_END;
1344 buflen = len; 1371 buflen = len;
@@ -1354,9 +1381,9 @@ int l2cap_sar_segment_sdu(struct sock *sk, struct msghdr *msg, size_t len)
1354 len -= buflen; 1381 len -= buflen;
1355 size += buflen; 1382 size += buflen;
1356 } 1383 }
1357 skb_queue_splice_tail(&sar_queue, TX_QUEUE(sk)); 1384 skb_queue_splice_tail(&sar_queue, &chan->tx_q);
1358 if (sk->sk_send_head == NULL) 1385 if (chan->tx_send_head == NULL)
1359 sk->sk_send_head = sar_queue.next; 1386 chan->tx_send_head = sar_queue.next;
1360 1387
1361 return size; 1388 return size;
1362} 1389}
@@ -1387,14 +1414,14 @@ static void l2cap_chan_ready(struct sock *sk)
1387/* Copy frame to all raw sockets on that connection */ 1414/* Copy frame to all raw sockets on that connection */
1388static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb) 1415static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
1389{ 1416{
1390 struct l2cap_chan_list *l = &conn->chan_list;
1391 struct sk_buff *nskb; 1417 struct sk_buff *nskb;
1392 struct sock *sk; 1418 struct l2cap_chan *chan;
1393 1419
1394 BT_DBG("conn %p", conn); 1420 BT_DBG("conn %p", conn);
1395 1421
1396 read_lock(&l->lock); 1422 read_lock(&conn->chan_lock);
1397 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) { 1423 list_for_each_entry(chan, &conn->chan_l, list) {
1424 struct sock *sk = chan->sk;
1398 if (sk->sk_type != SOCK_RAW) 1425 if (sk->sk_type != SOCK_RAW)
1399 continue; 1426 continue;
1400 1427
@@ -1408,7 +1435,7 @@ static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
1408 if (sock_queue_rcv_skb(sk, nskb)) 1435 if (sock_queue_rcv_skb(sk, nskb))
1409 kfree_skb(nskb); 1436 kfree_skb(nskb);
1410 } 1437 }
1411 read_unlock(&l->lock); 1438 read_unlock(&conn->chan_lock);
1412} 1439}
1413 1440
1414/* ---- L2CAP signalling commands ---- */ 1441/* ---- L2CAP signalling commands ---- */
@@ -1540,32 +1567,35 @@ static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
1540 1567
1541static void l2cap_ack_timeout(unsigned long arg) 1568static void l2cap_ack_timeout(unsigned long arg)
1542{ 1569{
1543 struct sock *sk = (void *) arg; 1570 struct l2cap_chan *chan = (void *) arg;
1544 1571
1545 bh_lock_sock(sk); 1572 bh_lock_sock(chan->sk);
1546 l2cap_send_ack(l2cap_pi(sk)); 1573 l2cap_send_ack(chan);
1547 bh_unlock_sock(sk); 1574 bh_unlock_sock(chan->sk);
1548} 1575}
1549 1576
1550static inline void l2cap_ertm_init(struct sock *sk) 1577static inline void l2cap_ertm_init(struct l2cap_chan *chan)
1551{ 1578{
1552 l2cap_pi(sk)->expected_ack_seq = 0; 1579 struct sock *sk = chan->sk;
1553 l2cap_pi(sk)->unacked_frames = 0; 1580
1554 l2cap_pi(sk)->buffer_seq = 0; 1581 chan->expected_ack_seq = 0;
1555 l2cap_pi(sk)->num_acked = 0; 1582 chan->unacked_frames = 0;
1556 l2cap_pi(sk)->frames_sent = 0; 1583 chan->buffer_seq = 0;
1584 chan->num_acked = 0;
1585 chan->frames_sent = 0;
1586
1587 setup_timer(&chan->retrans_timer, l2cap_retrans_timeout,
1588 (unsigned long) chan);
1589 setup_timer(&chan->monitor_timer, l2cap_monitor_timeout,
1590 (unsigned long) chan);
1591 setup_timer(&chan->ack_timer, l2cap_ack_timeout, (unsigned long) chan);
1557 1592
1558 setup_timer(&l2cap_pi(sk)->retrans_timer, 1593 skb_queue_head_init(&chan->srej_q);
1559 l2cap_retrans_timeout, (unsigned long) sk); 1594 skb_queue_head_init(&chan->busy_q);
1560 setup_timer(&l2cap_pi(sk)->monitor_timer,
1561 l2cap_monitor_timeout, (unsigned long) sk);
1562 setup_timer(&l2cap_pi(sk)->ack_timer,
1563 l2cap_ack_timeout, (unsigned long) sk);
1564 1595
1565 __skb_queue_head_init(SREJ_QUEUE(sk)); 1596 INIT_LIST_HEAD(&chan->srej_l);
1566 __skb_queue_head_init(BUSY_QUEUE(sk));
1567 1597
1568 INIT_WORK(&l2cap_pi(sk)->busy_work, l2cap_busy_work); 1598 INIT_WORK(&chan->busy_work, l2cap_busy_work);
1569 1599
1570 sk->sk_backlog_rcv = l2cap_ertm_data_rcv; 1600 sk->sk_backlog_rcv = l2cap_ertm_data_rcv;
1571} 1601}
@@ -1583,16 +1613,16 @@ static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
1583 } 1613 }
1584} 1614}
1585 1615
1586int l2cap_build_conf_req(struct sock *sk, void *data) 1616static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1587{ 1617{
1588 struct l2cap_pinfo *pi = l2cap_pi(sk); 1618 struct l2cap_pinfo *pi = l2cap_pi(chan->sk);
1589 struct l2cap_conf_req *req = data; 1619 struct l2cap_conf_req *req = data;
1590 struct l2cap_conf_rfc rfc = { .mode = pi->mode }; 1620 struct l2cap_conf_rfc rfc = { .mode = pi->mode };
1591 void *ptr = req->data; 1621 void *ptr = req->data;
1592 1622
1593 BT_DBG("sk %p", sk); 1623 BT_DBG("chan %p", chan);
1594 1624
1595 if (pi->num_conf_req || pi->num_conf_rsp) 1625 if (chan->num_conf_req || chan->num_conf_rsp)
1596 goto done; 1626 goto done;
1597 1627
1598 switch (pi->mode) { 1628 switch (pi->mode) {
@@ -1681,20 +1711,20 @@ done:
1681 return ptr - data; 1711 return ptr - data;
1682} 1712}
1683 1713
1684static int l2cap_parse_conf_req(struct sock *sk, void *data) 1714static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1685{ 1715{
1686 struct l2cap_pinfo *pi = l2cap_pi(sk); 1716 struct l2cap_pinfo *pi = l2cap_pi(chan->sk);
1687 struct l2cap_conf_rsp *rsp = data; 1717 struct l2cap_conf_rsp *rsp = data;
1688 void *ptr = rsp->data; 1718 void *ptr = rsp->data;
1689 void *req = pi->conf_req; 1719 void *req = chan->conf_req;
1690 int len = pi->conf_len; 1720 int len = chan->conf_len;
1691 int type, hint, olen; 1721 int type, hint, olen;
1692 unsigned long val; 1722 unsigned long val;
1693 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC }; 1723 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
1694 u16 mtu = L2CAP_DEFAULT_MTU; 1724 u16 mtu = L2CAP_DEFAULT_MTU;
1695 u16 result = L2CAP_CONF_SUCCESS; 1725 u16 result = L2CAP_CONF_SUCCESS;
1696 1726
1697 BT_DBG("sk %p", sk); 1727 BT_DBG("chan %p", chan);
1698 1728
1699 while (len >= L2CAP_CONF_OPT_SIZE) { 1729 while (len >= L2CAP_CONF_OPT_SIZE) {
1700 len -= l2cap_get_conf_opt(&req, &type, &olen, &val); 1730 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
@@ -1735,7 +1765,7 @@ static int l2cap_parse_conf_req(struct sock *sk, void *data)
1735 } 1765 }
1736 } 1766 }
1737 1767
1738 if (pi->num_conf_rsp || pi->num_conf_req > 1) 1768 if (chan->num_conf_rsp || chan->num_conf_req > 1)
1739 goto done; 1769 goto done;
1740 1770
1741 switch (pi->mode) { 1771 switch (pi->mode) {
@@ -1758,7 +1788,7 @@ done:
1758 result = L2CAP_CONF_UNACCEPT; 1788 result = L2CAP_CONF_UNACCEPT;
1759 rfc.mode = pi->mode; 1789 rfc.mode = pi->mode;
1760 1790
1761 if (pi->num_conf_rsp == 1) 1791 if (chan->num_conf_rsp == 1)
1762 return -ECONNREFUSED; 1792 return -ECONNREFUSED;
1763 1793
1764 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, 1794 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
@@ -1785,13 +1815,13 @@ done:
1785 break; 1815 break;
1786 1816
1787 case L2CAP_MODE_ERTM: 1817 case L2CAP_MODE_ERTM:
1788 pi->remote_tx_win = rfc.txwin_size; 1818 chan->remote_tx_win = rfc.txwin_size;
1789 pi->remote_max_tx = rfc.max_transmit; 1819 chan->remote_max_tx = rfc.max_transmit;
1790 1820
1791 if (le16_to_cpu(rfc.max_pdu_size) > pi->conn->mtu - 10) 1821 if (le16_to_cpu(rfc.max_pdu_size) > pi->conn->mtu - 10)
1792 rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10); 1822 rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10);
1793 1823
1794 pi->remote_mps = le16_to_cpu(rfc.max_pdu_size); 1824 chan->remote_mps = le16_to_cpu(rfc.max_pdu_size);
1795 1825
1796 rfc.retrans_timeout = 1826 rfc.retrans_timeout =
1797 le16_to_cpu(L2CAP_DEFAULT_RETRANS_TO); 1827 le16_to_cpu(L2CAP_DEFAULT_RETRANS_TO);
@@ -1809,7 +1839,7 @@ done:
1809 if (le16_to_cpu(rfc.max_pdu_size) > pi->conn->mtu - 10) 1839 if (le16_to_cpu(rfc.max_pdu_size) > pi->conn->mtu - 10)
1810 rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10); 1840 rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10);
1811 1841
1812 pi->remote_mps = le16_to_cpu(rfc.max_pdu_size); 1842 chan->remote_mps = le16_to_cpu(rfc.max_pdu_size);
1813 1843
1814 pi->conf_state |= L2CAP_CONF_MODE_DONE; 1844 pi->conf_state |= L2CAP_CONF_MODE_DONE;
1815 1845
@@ -1918,6 +1948,31 @@ static int l2cap_build_conf_rsp(struct sock *sk, void *data, u16 result, u16 fla
1918 return ptr - data; 1948 return ptr - data;
1919} 1949}
1920 1950
1951void __l2cap_connect_rsp_defer(struct sock *sk)
1952{
1953 struct l2cap_conn_rsp rsp;
1954 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1955 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1956 u8 buf[128];
1957
1958 sk->sk_state = BT_CONFIG;
1959
1960 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
1961 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
1962 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1963 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1964 l2cap_send_cmd(conn, chan->ident,
1965 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
1966
1967 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT)
1968 return;
1969
1970 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
1971 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
1972 l2cap_build_conf_req(chan, buf), buf);
1973 chan->num_conf_req++;
1974}
1975
1921static void l2cap_conf_rfc_get(struct sock *sk, void *rsp, int len) 1976static void l2cap_conf_rfc_get(struct sock *sk, void *rsp, int len)
1922{ 1977{
1923 struct l2cap_pinfo *pi = l2cap_pi(sk); 1978 struct l2cap_pinfo *pi = l2cap_pi(sk);
@@ -1975,9 +2030,9 @@ static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hd
1975 2030
1976static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data) 2031static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
1977{ 2032{
1978 struct l2cap_chan_list *list = &conn->chan_list;
1979 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data; 2033 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
1980 struct l2cap_conn_rsp rsp; 2034 struct l2cap_conn_rsp rsp;
2035 struct l2cap_chan *chan = NULL;
1981 struct sock *parent, *sk = NULL; 2036 struct sock *parent, *sk = NULL;
1982 int result, status = L2CAP_CS_NO_INFO; 2037 int result, status = L2CAP_CS_NO_INFO;
1983 2038
@@ -2015,11 +2070,17 @@ static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hd
2015 if (!sk) 2070 if (!sk)
2016 goto response; 2071 goto response;
2017 2072
2018 write_lock_bh(&list->lock); 2073 chan = l2cap_chan_alloc(sk);
2074 if (!chan) {
2075 l2cap_sock_kill(sk);
2076 goto response;
2077 }
2078
2079 write_lock_bh(&conn->chan_lock);
2019 2080
2020 /* Check if we already have channel with that dcid */ 2081 /* Check if we already have channel with that dcid */
2021 if (__l2cap_get_chan_by_dcid(list, scid)) { 2082 if (__l2cap_get_chan_by_dcid(conn, scid)) {
2022 write_unlock_bh(&list->lock); 2083 write_unlock_bh(&conn->chan_lock);
2023 sock_set_flag(sk, SOCK_ZAPPED); 2084 sock_set_flag(sk, SOCK_ZAPPED);
2024 l2cap_sock_kill(sk); 2085 l2cap_sock_kill(sk);
2025 goto response; 2086 goto response;
@@ -2033,12 +2094,17 @@ static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hd
2033 l2cap_pi(sk)->psm = psm; 2094 l2cap_pi(sk)->psm = psm;
2034 l2cap_pi(sk)->dcid = scid; 2095 l2cap_pi(sk)->dcid = scid;
2035 2096
2036 __l2cap_chan_add(conn, sk, parent); 2097 bt_accept_enqueue(parent, sk);
2098
2099 __l2cap_chan_add(conn, chan);
2100
2101 l2cap_pi(sk)->chan = chan;
2102
2037 dcid = l2cap_pi(sk)->scid; 2103 dcid = l2cap_pi(sk)->scid;
2038 2104
2039 l2cap_sock_set_timer(sk, sk->sk_sndtimeo); 2105 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
2040 2106
2041 l2cap_pi(sk)->ident = cmd->ident; 2107 chan->ident = cmd->ident;
2042 2108
2043 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) { 2109 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
2044 if (l2cap_check_security(sk)) { 2110 if (l2cap_check_security(sk)) {
@@ -2063,7 +2129,7 @@ static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hd
2063 status = L2CAP_CS_NO_INFO; 2129 status = L2CAP_CS_NO_INFO;
2064 } 2130 }
2065 2131
2066 write_unlock_bh(&list->lock); 2132 write_unlock_bh(&conn->chan_lock);
2067 2133
2068response: 2134response:
2069 bh_unlock_sock(parent); 2135 bh_unlock_sock(parent);
@@ -2089,13 +2155,13 @@ sendresp:
2089 L2CAP_INFO_REQ, sizeof(info), &info); 2155 L2CAP_INFO_REQ, sizeof(info), &info);
2090 } 2156 }
2091 2157
2092 if (sk && !(l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT) && 2158 if (chan && !(l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT) &&
2093 result == L2CAP_CR_SUCCESS) { 2159 result == L2CAP_CR_SUCCESS) {
2094 u8 buf[128]; 2160 u8 buf[128];
2095 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT; 2161 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
2096 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, 2162 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2097 l2cap_build_conf_req(sk, buf), buf); 2163 l2cap_build_conf_req(chan, buf), buf);
2098 l2cap_pi(sk)->num_conf_req++; 2164 chan->num_conf_req++;
2099 } 2165 }
2100 2166
2101 return 0; 2167 return 0;
@@ -2105,6 +2171,7 @@ static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hd
2105{ 2171{
2106 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data; 2172 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
2107 u16 scid, dcid, result, status; 2173 u16 scid, dcid, result, status;
2174 struct l2cap_chan *chan;
2108 struct sock *sk; 2175 struct sock *sk;
2109 u8 req[128]; 2176 u8 req[128];
2110 2177
@@ -2116,19 +2183,21 @@ static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hd
2116 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status); 2183 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status);
2117 2184
2118 if (scid) { 2185 if (scid) {
2119 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid); 2186 chan = l2cap_get_chan_by_scid(conn, scid);
2120 if (!sk) 2187 if (!chan)
2121 return -EFAULT; 2188 return -EFAULT;
2122 } else { 2189 } else {
2123 sk = l2cap_get_chan_by_ident(&conn->chan_list, cmd->ident); 2190 chan = l2cap_get_chan_by_ident(conn, cmd->ident);
2124 if (!sk) 2191 if (!chan)
2125 return -EFAULT; 2192 return -EFAULT;
2126 } 2193 }
2127 2194
2195 sk = chan->sk;
2196
2128 switch (result) { 2197 switch (result) {
2129 case L2CAP_CR_SUCCESS: 2198 case L2CAP_CR_SUCCESS:
2130 sk->sk_state = BT_CONFIG; 2199 sk->sk_state = BT_CONFIG;
2131 l2cap_pi(sk)->ident = 0; 2200 chan->ident = 0;
2132 l2cap_pi(sk)->dcid = dcid; 2201 l2cap_pi(sk)->dcid = dcid;
2133 l2cap_pi(sk)->conf_state &= ~L2CAP_CONF_CONNECT_PEND; 2202 l2cap_pi(sk)->conf_state &= ~L2CAP_CONF_CONNECT_PEND;
2134 2203
@@ -2138,8 +2207,8 @@ static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hd
2138 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT; 2207 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
2139 2208
2140 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, 2209 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2141 l2cap_build_conf_req(sk, req), req); 2210 l2cap_build_conf_req(chan, req), req);
2142 l2cap_pi(sk)->num_conf_req++; 2211 chan->num_conf_req++;
2143 break; 2212 break;
2144 2213
2145 case L2CAP_CR_PEND: 2214 case L2CAP_CR_PEND:
@@ -2155,7 +2224,7 @@ static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hd
2155 break; 2224 break;
2156 } 2225 }
2157 2226
2158 l2cap_chan_del(sk, ECONNREFUSED); 2227 l2cap_chan_del(chan, ECONNREFUSED);
2159 break; 2228 break;
2160 } 2229 }
2161 2230
@@ -2179,6 +2248,7 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
2179 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data; 2248 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
2180 u16 dcid, flags; 2249 u16 dcid, flags;
2181 u8 rsp[64]; 2250 u8 rsp[64];
2251 struct l2cap_chan *chan;
2182 struct sock *sk; 2252 struct sock *sk;
2183 int len; 2253 int len;
2184 2254
@@ -2187,10 +2257,12 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
2187 2257
2188 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags); 2258 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
2189 2259
2190 sk = l2cap_get_chan_by_scid(&conn->chan_list, dcid); 2260 chan = l2cap_get_chan_by_scid(conn, dcid);
2191 if (!sk) 2261 if (!chan)
2192 return -ENOENT; 2262 return -ENOENT;
2193 2263
2264 sk = chan->sk;
2265
2194 if (sk->sk_state != BT_CONFIG) { 2266 if (sk->sk_state != BT_CONFIG) {
2195 struct l2cap_cmd_rej rej; 2267 struct l2cap_cmd_rej rej;
2196 2268
@@ -2202,7 +2274,7 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
2202 2274
2203 /* Reject if config buffer is too small. */ 2275 /* Reject if config buffer is too small. */
2204 len = cmd_len - sizeof(*req); 2276 len = cmd_len - sizeof(*req);
2205 if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) { 2277 if (chan->conf_len + len > sizeof(chan->conf_req)) {
2206 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, 2278 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2207 l2cap_build_conf_rsp(sk, rsp, 2279 l2cap_build_conf_rsp(sk, rsp,
2208 L2CAP_CONF_REJECT, flags), rsp); 2280 L2CAP_CONF_REJECT, flags), rsp);
@@ -2210,8 +2282,8 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
2210 } 2282 }
2211 2283
2212 /* Store config. */ 2284 /* Store config. */
2213 memcpy(l2cap_pi(sk)->conf_req + l2cap_pi(sk)->conf_len, req->data, len); 2285 memcpy(chan->conf_req + chan->conf_len, req->data, len);
2214 l2cap_pi(sk)->conf_len += len; 2286 chan->conf_len += len;
2215 2287
2216 if (flags & 0x0001) { 2288 if (flags & 0x0001) {
2217 /* Incomplete config. Send empty response. */ 2289 /* Incomplete config. Send empty response. */
@@ -2222,17 +2294,17 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
2222 } 2294 }
2223 2295
2224 /* Complete config. */ 2296 /* Complete config. */
2225 len = l2cap_parse_conf_req(sk, rsp); 2297 len = l2cap_parse_conf_req(chan, rsp);
2226 if (len < 0) { 2298 if (len < 0) {
2227 l2cap_send_disconn_req(conn, sk, ECONNRESET); 2299 l2cap_send_disconn_req(conn, chan, ECONNRESET);
2228 goto unlock; 2300 goto unlock;
2229 } 2301 }
2230 2302
2231 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp); 2303 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
2232 l2cap_pi(sk)->num_conf_rsp++; 2304 chan->num_conf_rsp++;
2233 2305
2234 /* Reset config buffer. */ 2306 /* Reset config buffer. */
2235 l2cap_pi(sk)->conf_len = 0; 2307 chan->conf_len = 0;
2236 2308
2237 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE)) 2309 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE))
2238 goto unlock; 2310 goto unlock;
@@ -2242,11 +2314,11 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
2242 2314
2243 sk->sk_state = BT_CONNECTED; 2315 sk->sk_state = BT_CONNECTED;
2244 2316
2245 l2cap_pi(sk)->next_tx_seq = 0; 2317 chan->next_tx_seq = 0;
2246 l2cap_pi(sk)->expected_tx_seq = 0; 2318 chan->expected_tx_seq = 0;
2247 __skb_queue_head_init(TX_QUEUE(sk)); 2319 skb_queue_head_init(&chan->tx_q);
2248 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM) 2320 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM)
2249 l2cap_ertm_init(sk); 2321 l2cap_ertm_init(chan);
2250 2322
2251 l2cap_chan_ready(sk); 2323 l2cap_chan_ready(sk);
2252 goto unlock; 2324 goto unlock;
@@ -2256,8 +2328,8 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
2256 u8 buf[64]; 2328 u8 buf[64];
2257 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT; 2329 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
2258 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, 2330 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2259 l2cap_build_conf_req(sk, buf), buf); 2331 l2cap_build_conf_req(chan, buf), buf);
2260 l2cap_pi(sk)->num_conf_req++; 2332 chan->num_conf_req++;
2261 } 2333 }
2262 2334
2263unlock: 2335unlock:
@@ -2269,6 +2341,7 @@ static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr
2269{ 2341{
2270 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data; 2342 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
2271 u16 scid, flags, result; 2343 u16 scid, flags, result;
2344 struct l2cap_chan *chan;
2272 struct sock *sk; 2345 struct sock *sk;
2273 int len = cmd->len - sizeof(*rsp); 2346 int len = cmd->len - sizeof(*rsp);
2274 2347
@@ -2279,21 +2352,23 @@ static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr
2279 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x", 2352 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x",
2280 scid, flags, result); 2353 scid, flags, result);
2281 2354
2282 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid); 2355 chan = l2cap_get_chan_by_scid(conn, scid);
2283 if (!sk) 2356 if (!chan)
2284 return 0; 2357 return 0;
2285 2358
2359 sk = chan->sk;
2360
2286 switch (result) { 2361 switch (result) {
2287 case L2CAP_CONF_SUCCESS: 2362 case L2CAP_CONF_SUCCESS:
2288 l2cap_conf_rfc_get(sk, rsp->data, len); 2363 l2cap_conf_rfc_get(sk, rsp->data, len);
2289 break; 2364 break;
2290 2365
2291 case L2CAP_CONF_UNACCEPT: 2366 case L2CAP_CONF_UNACCEPT:
2292 if (l2cap_pi(sk)->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) { 2367 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
2293 char req[64]; 2368 char req[64];
2294 2369
2295 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) { 2370 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
2296 l2cap_send_disconn_req(conn, sk, ECONNRESET); 2371 l2cap_send_disconn_req(conn, chan, ECONNRESET);
2297 goto done; 2372 goto done;
2298 } 2373 }
2299 2374
@@ -2302,13 +2377,13 @@ static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr
2302 len = l2cap_parse_conf_rsp(sk, rsp->data, 2377 len = l2cap_parse_conf_rsp(sk, rsp->data,
2303 len, req, &result); 2378 len, req, &result);
2304 if (len < 0) { 2379 if (len < 0) {
2305 l2cap_send_disconn_req(conn, sk, ECONNRESET); 2380 l2cap_send_disconn_req(conn, chan, ECONNRESET);
2306 goto done; 2381 goto done;
2307 } 2382 }
2308 2383
2309 l2cap_send_cmd(conn, l2cap_get_ident(conn), 2384 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2310 L2CAP_CONF_REQ, len, req); 2385 L2CAP_CONF_REQ, len, req);
2311 l2cap_pi(sk)->num_conf_req++; 2386 chan->num_conf_req++;
2312 if (result != L2CAP_CONF_SUCCESS) 2387 if (result != L2CAP_CONF_SUCCESS)
2313 goto done; 2388 goto done;
2314 break; 2389 break;
@@ -2317,7 +2392,7 @@ static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr
2317 default: 2392 default:
2318 sk->sk_err = ECONNRESET; 2393 sk->sk_err = ECONNRESET;
2319 l2cap_sock_set_timer(sk, HZ * 5); 2394 l2cap_sock_set_timer(sk, HZ * 5);
2320 l2cap_send_disconn_req(conn, sk, ECONNRESET); 2395 l2cap_send_disconn_req(conn, chan, ECONNRESET);
2321 goto done; 2396 goto done;
2322 } 2397 }
2323 2398
@@ -2330,11 +2405,11 @@ static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr
2330 set_default_fcs(l2cap_pi(sk)); 2405 set_default_fcs(l2cap_pi(sk));
2331 2406
2332 sk->sk_state = BT_CONNECTED; 2407 sk->sk_state = BT_CONNECTED;
2333 l2cap_pi(sk)->next_tx_seq = 0; 2408 chan->next_tx_seq = 0;
2334 l2cap_pi(sk)->expected_tx_seq = 0; 2409 chan->expected_tx_seq = 0;
2335 __skb_queue_head_init(TX_QUEUE(sk)); 2410 skb_queue_head_init(&chan->tx_q);
2336 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM) 2411 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM)
2337 l2cap_ertm_init(sk); 2412 l2cap_ertm_init(chan);
2338 2413
2339 l2cap_chan_ready(sk); 2414 l2cap_chan_ready(sk);
2340 } 2415 }
@@ -2349,6 +2424,7 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd
2349 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data; 2424 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
2350 struct l2cap_disconn_rsp rsp; 2425 struct l2cap_disconn_rsp rsp;
2351 u16 dcid, scid; 2426 u16 dcid, scid;
2427 struct l2cap_chan *chan;
2352 struct sock *sk; 2428 struct sock *sk;
2353 2429
2354 scid = __le16_to_cpu(req->scid); 2430 scid = __le16_to_cpu(req->scid);
@@ -2356,10 +2432,12 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd
2356 2432
2357 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid); 2433 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
2358 2434
2359 sk = l2cap_get_chan_by_scid(&conn->chan_list, dcid); 2435 chan = l2cap_get_chan_by_scid(conn, dcid);
2360 if (!sk) 2436 if (!chan)
2361 return 0; 2437 return 0;
2362 2438
2439 sk = chan->sk;
2440
2363 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid); 2441 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
2364 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid); 2442 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
2365 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp); 2443 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
@@ -2375,7 +2453,7 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd
2375 return 0; 2453 return 0;
2376 } 2454 }
2377 2455
2378 l2cap_chan_del(sk, ECONNRESET); 2456 l2cap_chan_del(chan, ECONNRESET);
2379 bh_unlock_sock(sk); 2457 bh_unlock_sock(sk);
2380 2458
2381 l2cap_sock_kill(sk); 2459 l2cap_sock_kill(sk);
@@ -2386,6 +2464,7 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd
2386{ 2464{
2387 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data; 2465 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
2388 u16 dcid, scid; 2466 u16 dcid, scid;
2467 struct l2cap_chan *chan;
2389 struct sock *sk; 2468 struct sock *sk;
2390 2469
2391 scid = __le16_to_cpu(rsp->scid); 2470 scid = __le16_to_cpu(rsp->scid);
@@ -2393,10 +2472,12 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd
2393 2472
2394 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid); 2473 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
2395 2474
2396 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid); 2475 chan = l2cap_get_chan_by_scid(conn, scid);
2397 if (!sk) 2476 if (!chan)
2398 return 0; 2477 return 0;
2399 2478
2479 sk = chan->sk;
2480
2400 /* don't delete l2cap channel if sk is owned by user */ 2481 /* don't delete l2cap channel if sk is owned by user */
2401 if (sock_owned_by_user(sk)) { 2482 if (sock_owned_by_user(sk)) {
2402 sk->sk_state = BT_DISCONN; 2483 sk->sk_state = BT_DISCONN;
@@ -2406,7 +2487,7 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd
2406 return 0; 2487 return 0;
2407 } 2488 }
2408 2489
2409 l2cap_chan_del(sk, 0); 2490 l2cap_chan_del(chan, 0);
2410 bh_unlock_sock(sk); 2491 bh_unlock_sock(sk);
2411 2492
2412 l2cap_sock_kill(sk); 2493 l2cap_sock_kill(sk);
@@ -2463,6 +2544,11 @@ static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cm
2463 2544
2464 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result); 2545 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
2465 2546
2547 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
2548 if (cmd->ident != conn->info_ident ||
2549 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
2550 return 0;
2551
2466 del_timer(&conn->info_timer); 2552 del_timer(&conn->info_timer);
2467 2553
2468 if (result != L2CAP_IR_SUCCESS) { 2554 if (result != L2CAP_IR_SUCCESS) {
@@ -2673,7 +2759,8 @@ static inline void l2cap_sig_channel(struct l2cap_conn *conn,
2673 2759
2674 if (err) { 2760 if (err) {
2675 struct l2cap_cmd_rej rej; 2761 struct l2cap_cmd_rej rej;
2676 BT_DBG("error %d", err); 2762
2763 BT_ERR("Wrong link type (%d)", err);
2677 2764
2678 /* FIXME: Map err to a valid reason */ 2765 /* FIXME: Map err to a valid reason */
2679 rej.reason = cpu_to_le16(0); 2766 rej.reason = cpu_to_le16(0);
@@ -2703,49 +2790,47 @@ static int l2cap_check_fcs(struct l2cap_pinfo *pi, struct sk_buff *skb)
2703 return 0; 2790 return 0;
2704} 2791}
2705 2792
2706static inline void l2cap_send_i_or_rr_or_rnr(struct sock *sk) 2793static inline void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
2707{ 2794{
2708 struct l2cap_pinfo *pi = l2cap_pi(sk);
2709 u16 control = 0; 2795 u16 control = 0;
2710 2796
2711 pi->frames_sent = 0; 2797 chan->frames_sent = 0;
2712 2798
2713 control |= pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT; 2799 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
2714 2800
2715 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) { 2801 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
2716 control |= L2CAP_SUPER_RCV_NOT_READY; 2802 control |= L2CAP_SUPER_RCV_NOT_READY;
2717 l2cap_send_sframe(pi, control); 2803 l2cap_send_sframe(chan, control);
2718 pi->conn_state |= L2CAP_CONN_RNR_SENT; 2804 chan->conn_state |= L2CAP_CONN_RNR_SENT;
2719 } 2805 }
2720 2806
2721 if (pi->conn_state & L2CAP_CONN_REMOTE_BUSY) 2807 if (chan->conn_state & L2CAP_CONN_REMOTE_BUSY)
2722 l2cap_retransmit_frames(sk); 2808 l2cap_retransmit_frames(chan);
2723 2809
2724 l2cap_ertm_send(sk); 2810 l2cap_ertm_send(chan);
2725 2811
2726 if (!(pi->conn_state & L2CAP_CONN_LOCAL_BUSY) && 2812 if (!(chan->conn_state & L2CAP_CONN_LOCAL_BUSY) &&
2727 pi->frames_sent == 0) { 2813 chan->frames_sent == 0) {
2728 control |= L2CAP_SUPER_RCV_READY; 2814 control |= L2CAP_SUPER_RCV_READY;
2729 l2cap_send_sframe(pi, control); 2815 l2cap_send_sframe(chan, control);
2730 } 2816 }
2731} 2817}
2732 2818
2733static int l2cap_add_to_srej_queue(struct sock *sk, struct sk_buff *skb, u8 tx_seq, u8 sar) 2819static int l2cap_add_to_srej_queue(struct l2cap_chan *chan, struct sk_buff *skb, u8 tx_seq, u8 sar)
2734{ 2820{
2735 struct sk_buff *next_skb; 2821 struct sk_buff *next_skb;
2736 struct l2cap_pinfo *pi = l2cap_pi(sk);
2737 int tx_seq_offset, next_tx_seq_offset; 2822 int tx_seq_offset, next_tx_seq_offset;
2738 2823
2739 bt_cb(skb)->tx_seq = tx_seq; 2824 bt_cb(skb)->tx_seq = tx_seq;
2740 bt_cb(skb)->sar = sar; 2825 bt_cb(skb)->sar = sar;
2741 2826
2742 next_skb = skb_peek(SREJ_QUEUE(sk)); 2827 next_skb = skb_peek(&chan->srej_q);
2743 if (!next_skb) { 2828 if (!next_skb) {
2744 __skb_queue_tail(SREJ_QUEUE(sk), skb); 2829 __skb_queue_tail(&chan->srej_q, skb);
2745 return 0; 2830 return 0;
2746 } 2831 }
2747 2832
2748 tx_seq_offset = (tx_seq - pi->buffer_seq) % 64; 2833 tx_seq_offset = (tx_seq - chan->buffer_seq) % 64;
2749 if (tx_seq_offset < 0) 2834 if (tx_seq_offset < 0)
2750 tx_seq_offset += 64; 2835 tx_seq_offset += 64;
2751 2836
@@ -2754,53 +2839,53 @@ static int l2cap_add_to_srej_queue(struct sock *sk, struct sk_buff *skb, u8 tx_s
2754 return -EINVAL; 2839 return -EINVAL;
2755 2840
2756 next_tx_seq_offset = (bt_cb(next_skb)->tx_seq - 2841 next_tx_seq_offset = (bt_cb(next_skb)->tx_seq -
2757 pi->buffer_seq) % 64; 2842 chan->buffer_seq) % 64;
2758 if (next_tx_seq_offset < 0) 2843 if (next_tx_seq_offset < 0)
2759 next_tx_seq_offset += 64; 2844 next_tx_seq_offset += 64;
2760 2845
2761 if (next_tx_seq_offset > tx_seq_offset) { 2846 if (next_tx_seq_offset > tx_seq_offset) {
2762 __skb_queue_before(SREJ_QUEUE(sk), next_skb, skb); 2847 __skb_queue_before(&chan->srej_q, next_skb, skb);
2763 return 0; 2848 return 0;
2764 } 2849 }
2765 2850
2766 if (skb_queue_is_last(SREJ_QUEUE(sk), next_skb)) 2851 if (skb_queue_is_last(&chan->srej_q, next_skb))
2767 break; 2852 break;
2768 2853
2769 } while ((next_skb = skb_queue_next(SREJ_QUEUE(sk), next_skb))); 2854 } while ((next_skb = skb_queue_next(&chan->srej_q, next_skb)));
2770 2855
2771 __skb_queue_tail(SREJ_QUEUE(sk), skb); 2856 __skb_queue_tail(&chan->srej_q, skb);
2772 2857
2773 return 0; 2858 return 0;
2774} 2859}
2775 2860
2776static int l2cap_ertm_reassembly_sdu(struct sock *sk, struct sk_buff *skb, u16 control) 2861static int l2cap_ertm_reassembly_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u16 control)
2777{ 2862{
2778 struct l2cap_pinfo *pi = l2cap_pi(sk); 2863 struct l2cap_pinfo *pi = l2cap_pi(chan->sk);
2779 struct sk_buff *_skb; 2864 struct sk_buff *_skb;
2780 int err; 2865 int err;
2781 2866
2782 switch (control & L2CAP_CTRL_SAR) { 2867 switch (control & L2CAP_CTRL_SAR) {
2783 case L2CAP_SDU_UNSEGMENTED: 2868 case L2CAP_SDU_UNSEGMENTED:
2784 if (pi->conn_state & L2CAP_CONN_SAR_SDU) 2869 if (chan->conn_state & L2CAP_CONN_SAR_SDU)
2785 goto drop; 2870 goto drop;
2786 2871
2787 err = sock_queue_rcv_skb(sk, skb); 2872 err = sock_queue_rcv_skb(chan->sk, skb);
2788 if (!err) 2873 if (!err)
2789 return err; 2874 return err;
2790 2875
2791 break; 2876 break;
2792 2877
2793 case L2CAP_SDU_START: 2878 case L2CAP_SDU_START:
2794 if (pi->conn_state & L2CAP_CONN_SAR_SDU) 2879 if (chan->conn_state & L2CAP_CONN_SAR_SDU)
2795 goto drop; 2880 goto drop;
2796 2881
2797 pi->sdu_len = get_unaligned_le16(skb->data); 2882 chan->sdu_len = get_unaligned_le16(skb->data);
2798 2883
2799 if (pi->sdu_len > pi->imtu) 2884 if (chan->sdu_len > pi->imtu)
2800 goto disconnect; 2885 goto disconnect;
2801 2886
2802 pi->sdu = bt_skb_alloc(pi->sdu_len, GFP_ATOMIC); 2887 chan->sdu = bt_skb_alloc(chan->sdu_len, GFP_ATOMIC);
2803 if (!pi->sdu) 2888 if (!chan->sdu)
2804 return -ENOMEM; 2889 return -ENOMEM;
2805 2890
2806 /* pull sdu_len bytes only after alloc, because of Local Busy 2891 /* pull sdu_len bytes only after alloc, because of Local Busy
@@ -2808,63 +2893,63 @@ static int l2cap_ertm_reassembly_sdu(struct sock *sk, struct sk_buff *skb, u16 c
2808 * only once, i.e., when alloc does not fail */ 2893 * only once, i.e., when alloc does not fail */
2809 skb_pull(skb, 2); 2894 skb_pull(skb, 2);
2810 2895
2811 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len); 2896 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
2812 2897
2813 pi->conn_state |= L2CAP_CONN_SAR_SDU; 2898 chan->conn_state |= L2CAP_CONN_SAR_SDU;
2814 pi->partial_sdu_len = skb->len; 2899 chan->partial_sdu_len = skb->len;
2815 break; 2900 break;
2816 2901
2817 case L2CAP_SDU_CONTINUE: 2902 case L2CAP_SDU_CONTINUE:
2818 if (!(pi->conn_state & L2CAP_CONN_SAR_SDU)) 2903 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
2819 goto disconnect; 2904 goto disconnect;
2820 2905
2821 if (!pi->sdu) 2906 if (!chan->sdu)
2822 goto disconnect; 2907 goto disconnect;
2823 2908
2824 pi->partial_sdu_len += skb->len; 2909 chan->partial_sdu_len += skb->len;
2825 if (pi->partial_sdu_len > pi->sdu_len) 2910 if (chan->partial_sdu_len > chan->sdu_len)
2826 goto drop; 2911 goto drop;
2827 2912
2828 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len); 2913 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
2829 2914
2830 break; 2915 break;
2831 2916
2832 case L2CAP_SDU_END: 2917 case L2CAP_SDU_END:
2833 if (!(pi->conn_state & L2CAP_CONN_SAR_SDU)) 2918 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
2834 goto disconnect; 2919 goto disconnect;
2835 2920
2836 if (!pi->sdu) 2921 if (!chan->sdu)
2837 goto disconnect; 2922 goto disconnect;
2838 2923
2839 if (!(pi->conn_state & L2CAP_CONN_SAR_RETRY)) { 2924 if (!(chan->conn_state & L2CAP_CONN_SAR_RETRY)) {
2840 pi->partial_sdu_len += skb->len; 2925 chan->partial_sdu_len += skb->len;
2841 2926
2842 if (pi->partial_sdu_len > pi->imtu) 2927 if (chan->partial_sdu_len > pi->imtu)
2843 goto drop; 2928 goto drop;
2844 2929
2845 if (pi->partial_sdu_len != pi->sdu_len) 2930 if (chan->partial_sdu_len != chan->sdu_len)
2846 goto drop; 2931 goto drop;
2847 2932
2848 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len); 2933 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
2849 } 2934 }
2850 2935
2851 _skb = skb_clone(pi->sdu, GFP_ATOMIC); 2936 _skb = skb_clone(chan->sdu, GFP_ATOMIC);
2852 if (!_skb) { 2937 if (!_skb) {
2853 pi->conn_state |= L2CAP_CONN_SAR_RETRY; 2938 chan->conn_state |= L2CAP_CONN_SAR_RETRY;
2854 return -ENOMEM; 2939 return -ENOMEM;
2855 } 2940 }
2856 2941
2857 err = sock_queue_rcv_skb(sk, _skb); 2942 err = sock_queue_rcv_skb(chan->sk, _skb);
2858 if (err < 0) { 2943 if (err < 0) {
2859 kfree_skb(_skb); 2944 kfree_skb(_skb);
2860 pi->conn_state |= L2CAP_CONN_SAR_RETRY; 2945 chan->conn_state |= L2CAP_CONN_SAR_RETRY;
2861 return err; 2946 return err;
2862 } 2947 }
2863 2948
2864 pi->conn_state &= ~L2CAP_CONN_SAR_RETRY; 2949 chan->conn_state &= ~L2CAP_CONN_SAR_RETRY;
2865 pi->conn_state &= ~L2CAP_CONN_SAR_SDU; 2950 chan->conn_state &= ~L2CAP_CONN_SAR_SDU;
2866 2951
2867 kfree_skb(pi->sdu); 2952 kfree_skb(chan->sdu);
2868 break; 2953 break;
2869 } 2954 }
2870 2955
@@ -2872,51 +2957,50 @@ static int l2cap_ertm_reassembly_sdu(struct sock *sk, struct sk_buff *skb, u16 c
2872 return 0; 2957 return 0;
2873 2958
2874drop: 2959drop:
2875 kfree_skb(pi->sdu); 2960 kfree_skb(chan->sdu);
2876 pi->sdu = NULL; 2961 chan->sdu = NULL;
2877 2962
2878disconnect: 2963disconnect:
2879 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET); 2964 l2cap_send_disconn_req(pi->conn, chan, ECONNRESET);
2880 kfree_skb(skb); 2965 kfree_skb(skb);
2881 return 0; 2966 return 0;
2882} 2967}
2883 2968
2884static int l2cap_try_push_rx_skb(struct sock *sk) 2969static int l2cap_try_push_rx_skb(struct l2cap_chan *chan)
2885{ 2970{
2886 struct l2cap_pinfo *pi = l2cap_pi(sk);
2887 struct sk_buff *skb; 2971 struct sk_buff *skb;
2888 u16 control; 2972 u16 control;
2889 int err; 2973 int err;
2890 2974
2891 while ((skb = skb_dequeue(BUSY_QUEUE(sk)))) { 2975 while ((skb = skb_dequeue(&chan->busy_q))) {
2892 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT; 2976 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
2893 err = l2cap_ertm_reassembly_sdu(sk, skb, control); 2977 err = l2cap_ertm_reassembly_sdu(chan, skb, control);
2894 if (err < 0) { 2978 if (err < 0) {
2895 skb_queue_head(BUSY_QUEUE(sk), skb); 2979 skb_queue_head(&chan->busy_q, skb);
2896 return -EBUSY; 2980 return -EBUSY;
2897 } 2981 }
2898 2982
2899 pi->buffer_seq = (pi->buffer_seq + 1) % 64; 2983 chan->buffer_seq = (chan->buffer_seq + 1) % 64;
2900 } 2984 }
2901 2985
2902 if (!(pi->conn_state & L2CAP_CONN_RNR_SENT)) 2986 if (!(chan->conn_state & L2CAP_CONN_RNR_SENT))
2903 goto done; 2987 goto done;
2904 2988
2905 control = pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT; 2989 control = chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
2906 control |= L2CAP_SUPER_RCV_READY | L2CAP_CTRL_POLL; 2990 control |= L2CAP_SUPER_RCV_READY | L2CAP_CTRL_POLL;
2907 l2cap_send_sframe(pi, control); 2991 l2cap_send_sframe(chan, control);
2908 l2cap_pi(sk)->retry_count = 1; 2992 chan->retry_count = 1;
2909 2993
2910 del_timer(&pi->retrans_timer); 2994 del_timer(&chan->retrans_timer);
2911 __mod_monitor_timer(); 2995 __mod_monitor_timer();
2912 2996
2913 l2cap_pi(sk)->conn_state |= L2CAP_CONN_WAIT_F; 2997 chan->conn_state |= L2CAP_CONN_WAIT_F;
2914 2998
2915done: 2999done:
2916 pi->conn_state &= ~L2CAP_CONN_LOCAL_BUSY; 3000 chan->conn_state &= ~L2CAP_CONN_LOCAL_BUSY;
2917 pi->conn_state &= ~L2CAP_CONN_RNR_SENT; 3001 chan->conn_state &= ~L2CAP_CONN_RNR_SENT;
2918 3002
2919 BT_DBG("sk %p, Exit local busy", sk); 3003 BT_DBG("chan %p, Exit local busy", chan);
2920 3004
2921 return 0; 3005 return 0;
2922} 3006}
@@ -2924,21 +3008,21 @@ done:
2924static void l2cap_busy_work(struct work_struct *work) 3008static void l2cap_busy_work(struct work_struct *work)
2925{ 3009{
2926 DECLARE_WAITQUEUE(wait, current); 3010 DECLARE_WAITQUEUE(wait, current);
2927 struct l2cap_pinfo *pi = 3011 struct l2cap_chan *chan =
2928 container_of(work, struct l2cap_pinfo, busy_work); 3012 container_of(work, struct l2cap_chan, busy_work);
2929 struct sock *sk = (struct sock *)pi; 3013 struct sock *sk = chan->sk;
2930 int n_tries = 0, timeo = HZ/5, err; 3014 int n_tries = 0, timeo = HZ/5, err;
2931 struct sk_buff *skb; 3015 struct sk_buff *skb;
2932 3016
2933 lock_sock(sk); 3017 lock_sock(sk);
2934 3018
2935 add_wait_queue(sk_sleep(sk), &wait); 3019 add_wait_queue(sk_sleep(sk), &wait);
2936 while ((skb = skb_peek(BUSY_QUEUE(sk)))) { 3020 while ((skb = skb_peek(&chan->busy_q))) {
2937 set_current_state(TASK_INTERRUPTIBLE); 3021 set_current_state(TASK_INTERRUPTIBLE);
2938 3022
2939 if (n_tries++ > L2CAP_LOCAL_BUSY_TRIES) { 3023 if (n_tries++ > L2CAP_LOCAL_BUSY_TRIES) {
2940 err = -EBUSY; 3024 err = -EBUSY;
2941 l2cap_send_disconn_req(pi->conn, sk, EBUSY); 3025 l2cap_send_disconn_req(l2cap_pi(sk)->conn, chan, EBUSY);
2942 break; 3026 break;
2943 } 3027 }
2944 3028
@@ -2958,7 +3042,7 @@ static void l2cap_busy_work(struct work_struct *work)
2958 if (err) 3042 if (err)
2959 break; 3043 break;
2960 3044
2961 if (l2cap_try_push_rx_skb(sk) == 0) 3045 if (l2cap_try_push_rx_skb(chan) == 0)
2962 break; 3046 break;
2963 } 3047 }
2964 3048
@@ -2968,48 +3052,47 @@ static void l2cap_busy_work(struct work_struct *work)
2968 release_sock(sk); 3052 release_sock(sk);
2969} 3053}
2970 3054
2971static int l2cap_push_rx_skb(struct sock *sk, struct sk_buff *skb, u16 control) 3055static int l2cap_push_rx_skb(struct l2cap_chan *chan, struct sk_buff *skb, u16 control)
2972{ 3056{
2973 struct l2cap_pinfo *pi = l2cap_pi(sk);
2974 int sctrl, err; 3057 int sctrl, err;
2975 3058
2976 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) { 3059 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
2977 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT; 3060 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
2978 __skb_queue_tail(BUSY_QUEUE(sk), skb); 3061 __skb_queue_tail(&chan->busy_q, skb);
2979 return l2cap_try_push_rx_skb(sk); 3062 return l2cap_try_push_rx_skb(chan);
2980 3063
2981 3064
2982 } 3065 }
2983 3066
2984 err = l2cap_ertm_reassembly_sdu(sk, skb, control); 3067 err = l2cap_ertm_reassembly_sdu(chan, skb, control);
2985 if (err >= 0) { 3068 if (err >= 0) {
2986 pi->buffer_seq = (pi->buffer_seq + 1) % 64; 3069 chan->buffer_seq = (chan->buffer_seq + 1) % 64;
2987 return err; 3070 return err;
2988 } 3071 }
2989 3072
2990 /* Busy Condition */ 3073 /* Busy Condition */
2991 BT_DBG("sk %p, Enter local busy", sk); 3074 BT_DBG("chan %p, Enter local busy", chan);
2992 3075
2993 pi->conn_state |= L2CAP_CONN_LOCAL_BUSY; 3076 chan->conn_state |= L2CAP_CONN_LOCAL_BUSY;
2994 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT; 3077 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
2995 __skb_queue_tail(BUSY_QUEUE(sk), skb); 3078 __skb_queue_tail(&chan->busy_q, skb);
2996 3079
2997 sctrl = pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT; 3080 sctrl = chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
2998 sctrl |= L2CAP_SUPER_RCV_NOT_READY; 3081 sctrl |= L2CAP_SUPER_RCV_NOT_READY;
2999 l2cap_send_sframe(pi, sctrl); 3082 l2cap_send_sframe(chan, sctrl);
3000 3083
3001 pi->conn_state |= L2CAP_CONN_RNR_SENT; 3084 chan->conn_state |= L2CAP_CONN_RNR_SENT;
3002 3085
3003 del_timer(&pi->ack_timer); 3086 del_timer(&chan->ack_timer);
3004 3087
3005 queue_work(_busy_wq, &pi->busy_work); 3088 queue_work(_busy_wq, &chan->busy_work);
3006 3089
3007 return err; 3090 return err;
3008} 3091}
3009 3092
3010static int l2cap_streaming_reassembly_sdu(struct sock *sk, struct sk_buff *skb, u16 control) 3093static int l2cap_streaming_reassembly_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u16 control)
3011{ 3094{
3012 struct l2cap_pinfo *pi = l2cap_pi(sk); 3095 struct l2cap_pinfo *pi = l2cap_pi(chan->sk);
3013 struct sk_buff *_skb; 3096 struct sk_buff *_skb;
3014 int err = -EINVAL; 3097 int err = -EINVAL;
3015 3098
@@ -3020,80 +3103,80 @@ static int l2cap_streaming_reassembly_sdu(struct sock *sk, struct sk_buff *skb,
3020 3103
3021 switch (control & L2CAP_CTRL_SAR) { 3104 switch (control & L2CAP_CTRL_SAR) {
3022 case L2CAP_SDU_UNSEGMENTED: 3105 case L2CAP_SDU_UNSEGMENTED:
3023 if (pi->conn_state & L2CAP_CONN_SAR_SDU) { 3106 if (chan->conn_state & L2CAP_CONN_SAR_SDU) {
3024 kfree_skb(pi->sdu); 3107 kfree_skb(chan->sdu);
3025 break; 3108 break;
3026 } 3109 }
3027 3110
3028 err = sock_queue_rcv_skb(sk, skb); 3111 err = sock_queue_rcv_skb(chan->sk, skb);
3029 if (!err) 3112 if (!err)
3030 return 0; 3113 return 0;
3031 3114
3032 break; 3115 break;
3033 3116
3034 case L2CAP_SDU_START: 3117 case L2CAP_SDU_START:
3035 if (pi->conn_state & L2CAP_CONN_SAR_SDU) { 3118 if (chan->conn_state & L2CAP_CONN_SAR_SDU) {
3036 kfree_skb(pi->sdu); 3119 kfree_skb(chan->sdu);
3037 break; 3120 break;
3038 } 3121 }
3039 3122
3040 pi->sdu_len = get_unaligned_le16(skb->data); 3123 chan->sdu_len = get_unaligned_le16(skb->data);
3041 skb_pull(skb, 2); 3124 skb_pull(skb, 2);
3042 3125
3043 if (pi->sdu_len > pi->imtu) { 3126 if (chan->sdu_len > pi->imtu) {
3044 err = -EMSGSIZE; 3127 err = -EMSGSIZE;
3045 break; 3128 break;
3046 } 3129 }
3047 3130
3048 pi->sdu = bt_skb_alloc(pi->sdu_len, GFP_ATOMIC); 3131 chan->sdu = bt_skb_alloc(chan->sdu_len, GFP_ATOMIC);
3049 if (!pi->sdu) { 3132 if (!chan->sdu) {
3050 err = -ENOMEM; 3133 err = -ENOMEM;
3051 break; 3134 break;
3052 } 3135 }
3053 3136
3054 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len); 3137 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
3055 3138
3056 pi->conn_state |= L2CAP_CONN_SAR_SDU; 3139 chan->conn_state |= L2CAP_CONN_SAR_SDU;
3057 pi->partial_sdu_len = skb->len; 3140 chan->partial_sdu_len = skb->len;
3058 err = 0; 3141 err = 0;
3059 break; 3142 break;
3060 3143
3061 case L2CAP_SDU_CONTINUE: 3144 case L2CAP_SDU_CONTINUE:
3062 if (!(pi->conn_state & L2CAP_CONN_SAR_SDU)) 3145 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
3063 break; 3146 break;
3064 3147
3065 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len); 3148 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
3066 3149
3067 pi->partial_sdu_len += skb->len; 3150 chan->partial_sdu_len += skb->len;
3068 if (pi->partial_sdu_len > pi->sdu_len) 3151 if (chan->partial_sdu_len > chan->sdu_len)
3069 kfree_skb(pi->sdu); 3152 kfree_skb(chan->sdu);
3070 else 3153 else
3071 err = 0; 3154 err = 0;
3072 3155
3073 break; 3156 break;
3074 3157
3075 case L2CAP_SDU_END: 3158 case L2CAP_SDU_END:
3076 if (!(pi->conn_state & L2CAP_CONN_SAR_SDU)) 3159 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
3077 break; 3160 break;
3078 3161
3079 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len); 3162 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
3080 3163
3081 pi->conn_state &= ~L2CAP_CONN_SAR_SDU; 3164 chan->conn_state &= ~L2CAP_CONN_SAR_SDU;
3082 pi->partial_sdu_len += skb->len; 3165 chan->partial_sdu_len += skb->len;
3083 3166
3084 if (pi->partial_sdu_len > pi->imtu) 3167 if (chan->partial_sdu_len > pi->imtu)
3085 goto drop; 3168 goto drop;
3086 3169
3087 if (pi->partial_sdu_len == pi->sdu_len) { 3170 if (chan->partial_sdu_len == chan->sdu_len) {
3088 _skb = skb_clone(pi->sdu, GFP_ATOMIC); 3171 _skb = skb_clone(chan->sdu, GFP_ATOMIC);
3089 err = sock_queue_rcv_skb(sk, _skb); 3172 err = sock_queue_rcv_skb(chan->sk, _skb);
3090 if (err < 0) 3173 if (err < 0)
3091 kfree_skb(_skb); 3174 kfree_skb(_skb);
3092 } 3175 }
3093 err = 0; 3176 err = 0;
3094 3177
3095drop: 3178drop:
3096 kfree_skb(pi->sdu); 3179 kfree_skb(chan->sdu);
3097 break; 3180 break;
3098 } 3181 }
3099 3182
@@ -3101,31 +3184,30 @@ drop:
3101 return err; 3184 return err;
3102} 3185}
3103 3186
3104static void l2cap_check_srej_gap(struct sock *sk, u8 tx_seq) 3187static void l2cap_check_srej_gap(struct l2cap_chan *chan, u8 tx_seq)
3105{ 3188{
3106 struct sk_buff *skb; 3189 struct sk_buff *skb;
3107 u16 control; 3190 u16 control;
3108 3191
3109 while ((skb = skb_peek(SREJ_QUEUE(sk)))) { 3192 while ((skb = skb_peek(&chan->srej_q))) {
3110 if (bt_cb(skb)->tx_seq != tx_seq) 3193 if (bt_cb(skb)->tx_seq != tx_seq)
3111 break; 3194 break;
3112 3195
3113 skb = skb_dequeue(SREJ_QUEUE(sk)); 3196 skb = skb_dequeue(&chan->srej_q);
3114 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT; 3197 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
3115 l2cap_ertm_reassembly_sdu(sk, skb, control); 3198 l2cap_ertm_reassembly_sdu(chan, skb, control);
3116 l2cap_pi(sk)->buffer_seq_srej = 3199 chan->buffer_seq_srej =
3117 (l2cap_pi(sk)->buffer_seq_srej + 1) % 64; 3200 (chan->buffer_seq_srej + 1) % 64;
3118 tx_seq = (tx_seq + 1) % 64; 3201 tx_seq = (tx_seq + 1) % 64;
3119 } 3202 }
3120} 3203}
3121 3204
3122static void l2cap_resend_srejframe(struct sock *sk, u8 tx_seq) 3205static void l2cap_resend_srejframe(struct l2cap_chan *chan, u8 tx_seq)
3123{ 3206{
3124 struct l2cap_pinfo *pi = l2cap_pi(sk);
3125 struct srej_list *l, *tmp; 3207 struct srej_list *l, *tmp;
3126 u16 control; 3208 u16 control;
3127 3209
3128 list_for_each_entry_safe(l, tmp, SREJ_LIST(sk), list) { 3210 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
3129 if (l->tx_seq == tx_seq) { 3211 if (l->tx_seq == tx_seq) {
3130 list_del(&l->list); 3212 list_del(&l->list);
3131 kfree(l); 3213 kfree(l);
@@ -3133,34 +3215,33 @@ static void l2cap_resend_srejframe(struct sock *sk, u8 tx_seq)
3133 } 3215 }
3134 control = L2CAP_SUPER_SELECT_REJECT; 3216 control = L2CAP_SUPER_SELECT_REJECT;
3135 control |= l->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT; 3217 control |= l->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3136 l2cap_send_sframe(pi, control); 3218 l2cap_send_sframe(chan, control);
3137 list_del(&l->list); 3219 list_del(&l->list);
3138 list_add_tail(&l->list, SREJ_LIST(sk)); 3220 list_add_tail(&l->list, &chan->srej_l);
3139 } 3221 }
3140} 3222}
3141 3223
3142static void l2cap_send_srejframe(struct sock *sk, u8 tx_seq) 3224static void l2cap_send_srejframe(struct l2cap_chan *chan, u8 tx_seq)
3143{ 3225{
3144 struct l2cap_pinfo *pi = l2cap_pi(sk);
3145 struct srej_list *new; 3226 struct srej_list *new;
3146 u16 control; 3227 u16 control;
3147 3228
3148 while (tx_seq != pi->expected_tx_seq) { 3229 while (tx_seq != chan->expected_tx_seq) {
3149 control = L2CAP_SUPER_SELECT_REJECT; 3230 control = L2CAP_SUPER_SELECT_REJECT;
3150 control |= pi->expected_tx_seq << L2CAP_CTRL_REQSEQ_SHIFT; 3231 control |= chan->expected_tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3151 l2cap_send_sframe(pi, control); 3232 l2cap_send_sframe(chan, control);
3152 3233
3153 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC); 3234 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
3154 new->tx_seq = pi->expected_tx_seq; 3235 new->tx_seq = chan->expected_tx_seq;
3155 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64; 3236 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
3156 list_add_tail(&new->list, SREJ_LIST(sk)); 3237 list_add_tail(&new->list, &chan->srej_l);
3157 } 3238 }
3158 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64; 3239 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
3159} 3240}
3160 3241
3161static inline int l2cap_data_channel_iframe(struct sock *sk, u16 rx_control, struct sk_buff *skb) 3242static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u16 rx_control, struct sk_buff *skb)
3162{ 3243{
3163 struct l2cap_pinfo *pi = l2cap_pi(sk); 3244 struct l2cap_pinfo *pi = l2cap_pi(chan->sk);
3164 u8 tx_seq = __get_txseq(rx_control); 3245 u8 tx_seq = __get_txseq(rx_control);
3165 u8 req_seq = __get_reqseq(rx_control); 3246 u8 req_seq = __get_reqseq(rx_control);
3166 u8 sar = rx_control >> L2CAP_CTRL_SAR_SHIFT; 3247 u8 sar = rx_control >> L2CAP_CTRL_SAR_SHIFT;
@@ -3168,72 +3249,72 @@ static inline int l2cap_data_channel_iframe(struct sock *sk, u16 rx_control, str
3168 int num_to_ack = (pi->tx_win/6) + 1; 3249 int num_to_ack = (pi->tx_win/6) + 1;
3169 int err = 0; 3250 int err = 0;
3170 3251
3171 BT_DBG("sk %p len %d tx_seq %d rx_control 0x%4.4x", sk, skb->len, tx_seq, 3252 BT_DBG("chan %p len %d tx_seq %d rx_control 0x%4.4x", chan, skb->len,
3172 rx_control); 3253 tx_seq, rx_control);
3173 3254
3174 if (L2CAP_CTRL_FINAL & rx_control && 3255 if (L2CAP_CTRL_FINAL & rx_control &&
3175 l2cap_pi(sk)->conn_state & L2CAP_CONN_WAIT_F) { 3256 chan->conn_state & L2CAP_CONN_WAIT_F) {
3176 del_timer(&pi->monitor_timer); 3257 del_timer(&chan->monitor_timer);
3177 if (pi->unacked_frames > 0) 3258 if (chan->unacked_frames > 0)
3178 __mod_retrans_timer(); 3259 __mod_retrans_timer();
3179 pi->conn_state &= ~L2CAP_CONN_WAIT_F; 3260 chan->conn_state &= ~L2CAP_CONN_WAIT_F;
3180 } 3261 }
3181 3262
3182 pi->expected_ack_seq = req_seq; 3263 chan->expected_ack_seq = req_seq;
3183 l2cap_drop_acked_frames(sk); 3264 l2cap_drop_acked_frames(chan);
3184 3265
3185 if (tx_seq == pi->expected_tx_seq) 3266 if (tx_seq == chan->expected_tx_seq)
3186 goto expected; 3267 goto expected;
3187 3268
3188 tx_seq_offset = (tx_seq - pi->buffer_seq) % 64; 3269 tx_seq_offset = (tx_seq - chan->buffer_seq) % 64;
3189 if (tx_seq_offset < 0) 3270 if (tx_seq_offset < 0)
3190 tx_seq_offset += 64; 3271 tx_seq_offset += 64;
3191 3272
3192 /* invalid tx_seq */ 3273 /* invalid tx_seq */
3193 if (tx_seq_offset >= pi->tx_win) { 3274 if (tx_seq_offset >= pi->tx_win) {
3194 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET); 3275 l2cap_send_disconn_req(pi->conn, chan, ECONNRESET);
3195 goto drop; 3276 goto drop;
3196 } 3277 }
3197 3278
3198 if (pi->conn_state == L2CAP_CONN_LOCAL_BUSY) 3279 if (chan->conn_state == L2CAP_CONN_LOCAL_BUSY)
3199 goto drop; 3280 goto drop;
3200 3281
3201 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) { 3282 if (chan->conn_state & L2CAP_CONN_SREJ_SENT) {
3202 struct srej_list *first; 3283 struct srej_list *first;
3203 3284
3204 first = list_first_entry(SREJ_LIST(sk), 3285 first = list_first_entry(&chan->srej_l,
3205 struct srej_list, list); 3286 struct srej_list, list);
3206 if (tx_seq == first->tx_seq) { 3287 if (tx_seq == first->tx_seq) {
3207 l2cap_add_to_srej_queue(sk, skb, tx_seq, sar); 3288 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
3208 l2cap_check_srej_gap(sk, tx_seq); 3289 l2cap_check_srej_gap(chan, tx_seq);
3209 3290
3210 list_del(&first->list); 3291 list_del(&first->list);
3211 kfree(first); 3292 kfree(first);
3212 3293
3213 if (list_empty(SREJ_LIST(sk))) { 3294 if (list_empty(&chan->srej_l)) {
3214 pi->buffer_seq = pi->buffer_seq_srej; 3295 chan->buffer_seq = chan->buffer_seq_srej;
3215 pi->conn_state &= ~L2CAP_CONN_SREJ_SENT; 3296 chan->conn_state &= ~L2CAP_CONN_SREJ_SENT;
3216 l2cap_send_ack(pi); 3297 l2cap_send_ack(chan);
3217 BT_DBG("sk %p, Exit SREJ_SENT", sk); 3298 BT_DBG("chan %p, Exit SREJ_SENT", chan);
3218 } 3299 }
3219 } else { 3300 } else {
3220 struct srej_list *l; 3301 struct srej_list *l;
3221 3302
3222 /* duplicated tx_seq */ 3303 /* duplicated tx_seq */
3223 if (l2cap_add_to_srej_queue(sk, skb, tx_seq, sar) < 0) 3304 if (l2cap_add_to_srej_queue(chan, skb, tx_seq, sar) < 0)
3224 goto drop; 3305 goto drop;
3225 3306
3226 list_for_each_entry(l, SREJ_LIST(sk), list) { 3307 list_for_each_entry(l, &chan->srej_l, list) {
3227 if (l->tx_seq == tx_seq) { 3308 if (l->tx_seq == tx_seq) {
3228 l2cap_resend_srejframe(sk, tx_seq); 3309 l2cap_resend_srejframe(chan, tx_seq);
3229 return 0; 3310 return 0;
3230 } 3311 }
3231 } 3312 }
3232 l2cap_send_srejframe(sk, tx_seq); 3313 l2cap_send_srejframe(chan, tx_seq);
3233 } 3314 }
3234 } else { 3315 } else {
3235 expected_tx_seq_offset = 3316 expected_tx_seq_offset =
3236 (pi->expected_tx_seq - pi->buffer_seq) % 64; 3317 (chan->expected_tx_seq - chan->buffer_seq) % 64;
3237 if (expected_tx_seq_offset < 0) 3318 if (expected_tx_seq_offset < 0)
3238 expected_tx_seq_offset += 64; 3319 expected_tx_seq_offset += 64;
3239 3320
@@ -3241,51 +3322,51 @@ static inline int l2cap_data_channel_iframe(struct sock *sk, u16 rx_control, str
3241 if (tx_seq_offset < expected_tx_seq_offset) 3322 if (tx_seq_offset < expected_tx_seq_offset)
3242 goto drop; 3323 goto drop;
3243 3324
3244 pi->conn_state |= L2CAP_CONN_SREJ_SENT; 3325 chan->conn_state |= L2CAP_CONN_SREJ_SENT;
3245 3326
3246 BT_DBG("sk %p, Enter SREJ", sk); 3327 BT_DBG("chan %p, Enter SREJ", chan);
3247 3328
3248 INIT_LIST_HEAD(SREJ_LIST(sk)); 3329 INIT_LIST_HEAD(&chan->srej_l);
3249 pi->buffer_seq_srej = pi->buffer_seq; 3330 chan->buffer_seq_srej = chan->buffer_seq;
3250 3331
3251 __skb_queue_head_init(SREJ_QUEUE(sk)); 3332 __skb_queue_head_init(&chan->srej_q);
3252 __skb_queue_head_init(BUSY_QUEUE(sk)); 3333 __skb_queue_head_init(&chan->busy_q);
3253 l2cap_add_to_srej_queue(sk, skb, tx_seq, sar); 3334 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
3254 3335
3255 pi->conn_state |= L2CAP_CONN_SEND_PBIT; 3336 chan->conn_state |= L2CAP_CONN_SEND_PBIT;
3256 3337
3257 l2cap_send_srejframe(sk, tx_seq); 3338 l2cap_send_srejframe(chan, tx_seq);
3258 3339
3259 del_timer(&pi->ack_timer); 3340 del_timer(&chan->ack_timer);
3260 } 3341 }
3261 return 0; 3342 return 0;
3262 3343
3263expected: 3344expected:
3264 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64; 3345 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
3265 3346
3266 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) { 3347 if (chan->conn_state & L2CAP_CONN_SREJ_SENT) {
3267 bt_cb(skb)->tx_seq = tx_seq; 3348 bt_cb(skb)->tx_seq = tx_seq;
3268 bt_cb(skb)->sar = sar; 3349 bt_cb(skb)->sar = sar;
3269 __skb_queue_tail(SREJ_QUEUE(sk), skb); 3350 __skb_queue_tail(&chan->srej_q, skb);
3270 return 0; 3351 return 0;
3271 } 3352 }
3272 3353
3273 err = l2cap_push_rx_skb(sk, skb, rx_control); 3354 err = l2cap_push_rx_skb(chan, skb, rx_control);
3274 if (err < 0) 3355 if (err < 0)
3275 return 0; 3356 return 0;
3276 3357
3277 if (rx_control & L2CAP_CTRL_FINAL) { 3358 if (rx_control & L2CAP_CTRL_FINAL) {
3278 if (pi->conn_state & L2CAP_CONN_REJ_ACT) 3359 if (chan->conn_state & L2CAP_CONN_REJ_ACT)
3279 pi->conn_state &= ~L2CAP_CONN_REJ_ACT; 3360 chan->conn_state &= ~L2CAP_CONN_REJ_ACT;
3280 else 3361 else
3281 l2cap_retransmit_frames(sk); 3362 l2cap_retransmit_frames(chan);
3282 } 3363 }
3283 3364
3284 __mod_ack_timer(); 3365 __mod_ack_timer();
3285 3366
3286 pi->num_acked = (pi->num_acked + 1) % num_to_ack; 3367 chan->num_acked = (chan->num_acked + 1) % num_to_ack;
3287 if (pi->num_acked == num_to_ack - 1) 3368 if (chan->num_acked == num_to_ack - 1)
3288 l2cap_send_ack(pi); 3369 l2cap_send_ack(chan);
3289 3370
3290 return 0; 3371 return 0;
3291 3372
@@ -3294,165 +3375,160 @@ drop:
3294 return 0; 3375 return 0;
3295} 3376}
3296 3377
3297static inline void l2cap_data_channel_rrframe(struct sock *sk, u16 rx_control) 3378static inline void l2cap_data_channel_rrframe(struct l2cap_chan *chan, u16 rx_control)
3298{ 3379{
3299 struct l2cap_pinfo *pi = l2cap_pi(sk); 3380 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, __get_reqseq(rx_control),
3300
3301 BT_DBG("sk %p, req_seq %d ctrl 0x%4.4x", sk, __get_reqseq(rx_control),
3302 rx_control); 3381 rx_control);
3303 3382
3304 pi->expected_ack_seq = __get_reqseq(rx_control); 3383 chan->expected_ack_seq = __get_reqseq(rx_control);
3305 l2cap_drop_acked_frames(sk); 3384 l2cap_drop_acked_frames(chan);
3306 3385
3307 if (rx_control & L2CAP_CTRL_POLL) { 3386 if (rx_control & L2CAP_CTRL_POLL) {
3308 pi->conn_state |= L2CAP_CONN_SEND_FBIT; 3387 chan->conn_state |= L2CAP_CONN_SEND_FBIT;
3309 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) { 3388 if (chan->conn_state & L2CAP_CONN_SREJ_SENT) {
3310 if ((pi->conn_state & L2CAP_CONN_REMOTE_BUSY) && 3389 if ((chan->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
3311 (pi->unacked_frames > 0)) 3390 (chan->unacked_frames > 0))
3312 __mod_retrans_timer(); 3391 __mod_retrans_timer();
3313 3392
3314 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY; 3393 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3315 l2cap_send_srejtail(sk); 3394 l2cap_send_srejtail(chan);
3316 } else { 3395 } else {
3317 l2cap_send_i_or_rr_or_rnr(sk); 3396 l2cap_send_i_or_rr_or_rnr(chan);
3318 } 3397 }
3319 3398
3320 } else if (rx_control & L2CAP_CTRL_FINAL) { 3399 } else if (rx_control & L2CAP_CTRL_FINAL) {
3321 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY; 3400 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3322 3401
3323 if (pi->conn_state & L2CAP_CONN_REJ_ACT) 3402 if (chan->conn_state & L2CAP_CONN_REJ_ACT)
3324 pi->conn_state &= ~L2CAP_CONN_REJ_ACT; 3403 chan->conn_state &= ~L2CAP_CONN_REJ_ACT;
3325 else 3404 else
3326 l2cap_retransmit_frames(sk); 3405 l2cap_retransmit_frames(chan);
3327 3406
3328 } else { 3407 } else {
3329 if ((pi->conn_state & L2CAP_CONN_REMOTE_BUSY) && 3408 if ((chan->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
3330 (pi->unacked_frames > 0)) 3409 (chan->unacked_frames > 0))
3331 __mod_retrans_timer(); 3410 __mod_retrans_timer();
3332 3411
3333 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY; 3412 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3334 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) 3413 if (chan->conn_state & L2CAP_CONN_SREJ_SENT)
3335 l2cap_send_ack(pi); 3414 l2cap_send_ack(chan);
3336 else 3415 else
3337 l2cap_ertm_send(sk); 3416 l2cap_ertm_send(chan);
3338 } 3417 }
3339} 3418}
3340 3419
3341static inline void l2cap_data_channel_rejframe(struct sock *sk, u16 rx_control) 3420static inline void l2cap_data_channel_rejframe(struct l2cap_chan *chan, u16 rx_control)
3342{ 3421{
3343 struct l2cap_pinfo *pi = l2cap_pi(sk);
3344 u8 tx_seq = __get_reqseq(rx_control); 3422 u8 tx_seq = __get_reqseq(rx_control);
3345 3423
3346 BT_DBG("sk %p, req_seq %d ctrl 0x%4.4x", sk, tx_seq, rx_control); 3424 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
3347 3425
3348 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY; 3426 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3349 3427
3350 pi->expected_ack_seq = tx_seq; 3428 chan->expected_ack_seq = tx_seq;
3351 l2cap_drop_acked_frames(sk); 3429 l2cap_drop_acked_frames(chan);
3352 3430
3353 if (rx_control & L2CAP_CTRL_FINAL) { 3431 if (rx_control & L2CAP_CTRL_FINAL) {
3354 if (pi->conn_state & L2CAP_CONN_REJ_ACT) 3432 if (chan->conn_state & L2CAP_CONN_REJ_ACT)
3355 pi->conn_state &= ~L2CAP_CONN_REJ_ACT; 3433 chan->conn_state &= ~L2CAP_CONN_REJ_ACT;
3356 else 3434 else
3357 l2cap_retransmit_frames(sk); 3435 l2cap_retransmit_frames(chan);
3358 } else { 3436 } else {
3359 l2cap_retransmit_frames(sk); 3437 l2cap_retransmit_frames(chan);
3360 3438
3361 if (pi->conn_state & L2CAP_CONN_WAIT_F) 3439 if (chan->conn_state & L2CAP_CONN_WAIT_F)
3362 pi->conn_state |= L2CAP_CONN_REJ_ACT; 3440 chan->conn_state |= L2CAP_CONN_REJ_ACT;
3363 } 3441 }
3364} 3442}
3365static inline void l2cap_data_channel_srejframe(struct sock *sk, u16 rx_control) 3443static inline void l2cap_data_channel_srejframe(struct l2cap_chan *chan, u16 rx_control)
3366{ 3444{
3367 struct l2cap_pinfo *pi = l2cap_pi(sk);
3368 u8 tx_seq = __get_reqseq(rx_control); 3445 u8 tx_seq = __get_reqseq(rx_control);
3369 3446
3370 BT_DBG("sk %p, req_seq %d ctrl 0x%4.4x", sk, tx_seq, rx_control); 3447 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
3371 3448
3372 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY; 3449 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3373 3450
3374 if (rx_control & L2CAP_CTRL_POLL) { 3451 if (rx_control & L2CAP_CTRL_POLL) {
3375 pi->expected_ack_seq = tx_seq; 3452 chan->expected_ack_seq = tx_seq;
3376 l2cap_drop_acked_frames(sk); 3453 l2cap_drop_acked_frames(chan);
3377 3454
3378 pi->conn_state |= L2CAP_CONN_SEND_FBIT; 3455 chan->conn_state |= L2CAP_CONN_SEND_FBIT;
3379 l2cap_retransmit_one_frame(sk, tx_seq); 3456 l2cap_retransmit_one_frame(chan, tx_seq);
3380 3457
3381 l2cap_ertm_send(sk); 3458 l2cap_ertm_send(chan);
3382 3459
3383 if (pi->conn_state & L2CAP_CONN_WAIT_F) { 3460 if (chan->conn_state & L2CAP_CONN_WAIT_F) {
3384 pi->srej_save_reqseq = tx_seq; 3461 chan->srej_save_reqseq = tx_seq;
3385 pi->conn_state |= L2CAP_CONN_SREJ_ACT; 3462 chan->conn_state |= L2CAP_CONN_SREJ_ACT;
3386 } 3463 }
3387 } else if (rx_control & L2CAP_CTRL_FINAL) { 3464 } else if (rx_control & L2CAP_CTRL_FINAL) {
3388 if ((pi->conn_state & L2CAP_CONN_SREJ_ACT) && 3465 if ((chan->conn_state & L2CAP_CONN_SREJ_ACT) &&
3389 pi->srej_save_reqseq == tx_seq) 3466 chan->srej_save_reqseq == tx_seq)
3390 pi->conn_state &= ~L2CAP_CONN_SREJ_ACT; 3467 chan->conn_state &= ~L2CAP_CONN_SREJ_ACT;
3391 else 3468 else
3392 l2cap_retransmit_one_frame(sk, tx_seq); 3469 l2cap_retransmit_one_frame(chan, tx_seq);
3393 } else { 3470 } else {
3394 l2cap_retransmit_one_frame(sk, tx_seq); 3471 l2cap_retransmit_one_frame(chan, tx_seq);
3395 if (pi->conn_state & L2CAP_CONN_WAIT_F) { 3472 if (chan->conn_state & L2CAP_CONN_WAIT_F) {
3396 pi->srej_save_reqseq = tx_seq; 3473 chan->srej_save_reqseq = tx_seq;
3397 pi->conn_state |= L2CAP_CONN_SREJ_ACT; 3474 chan->conn_state |= L2CAP_CONN_SREJ_ACT;
3398 } 3475 }
3399 } 3476 }
3400} 3477}
3401 3478
3402static inline void l2cap_data_channel_rnrframe(struct sock *sk, u16 rx_control) 3479static inline void l2cap_data_channel_rnrframe(struct l2cap_chan *chan, u16 rx_control)
3403{ 3480{
3404 struct l2cap_pinfo *pi = l2cap_pi(sk);
3405 u8 tx_seq = __get_reqseq(rx_control); 3481 u8 tx_seq = __get_reqseq(rx_control);
3406 3482
3407 BT_DBG("sk %p, req_seq %d ctrl 0x%4.4x", sk, tx_seq, rx_control); 3483 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
3408 3484
3409 pi->conn_state |= L2CAP_CONN_REMOTE_BUSY; 3485 chan->conn_state |= L2CAP_CONN_REMOTE_BUSY;
3410 pi->expected_ack_seq = tx_seq; 3486 chan->expected_ack_seq = tx_seq;
3411 l2cap_drop_acked_frames(sk); 3487 l2cap_drop_acked_frames(chan);
3412 3488
3413 if (rx_control & L2CAP_CTRL_POLL) 3489 if (rx_control & L2CAP_CTRL_POLL)
3414 pi->conn_state |= L2CAP_CONN_SEND_FBIT; 3490 chan->conn_state |= L2CAP_CONN_SEND_FBIT;
3415 3491
3416 if (!(pi->conn_state & L2CAP_CONN_SREJ_SENT)) { 3492 if (!(chan->conn_state & L2CAP_CONN_SREJ_SENT)) {
3417 del_timer(&pi->retrans_timer); 3493 del_timer(&chan->retrans_timer);
3418 if (rx_control & L2CAP_CTRL_POLL) 3494 if (rx_control & L2CAP_CTRL_POLL)
3419 l2cap_send_rr_or_rnr(pi, L2CAP_CTRL_FINAL); 3495 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_FINAL);
3420 return; 3496 return;
3421 } 3497 }
3422 3498
3423 if (rx_control & L2CAP_CTRL_POLL) 3499 if (rx_control & L2CAP_CTRL_POLL)
3424 l2cap_send_srejtail(sk); 3500 l2cap_send_srejtail(chan);
3425 else 3501 else
3426 l2cap_send_sframe(pi, L2CAP_SUPER_RCV_READY); 3502 l2cap_send_sframe(chan, L2CAP_SUPER_RCV_READY);
3427} 3503}
3428 3504
3429static inline int l2cap_data_channel_sframe(struct sock *sk, u16 rx_control, struct sk_buff *skb) 3505static inline int l2cap_data_channel_sframe(struct l2cap_chan *chan, u16 rx_control, struct sk_buff *skb)
3430{ 3506{
3431 BT_DBG("sk %p rx_control 0x%4.4x len %d", sk, rx_control, skb->len); 3507 BT_DBG("chan %p rx_control 0x%4.4x len %d", chan, rx_control, skb->len);
3432 3508
3433 if (L2CAP_CTRL_FINAL & rx_control && 3509 if (L2CAP_CTRL_FINAL & rx_control &&
3434 l2cap_pi(sk)->conn_state & L2CAP_CONN_WAIT_F) { 3510 chan->conn_state & L2CAP_CONN_WAIT_F) {
3435 del_timer(&l2cap_pi(sk)->monitor_timer); 3511 del_timer(&chan->monitor_timer);
3436 if (l2cap_pi(sk)->unacked_frames > 0) 3512 if (chan->unacked_frames > 0)
3437 __mod_retrans_timer(); 3513 __mod_retrans_timer();
3438 l2cap_pi(sk)->conn_state &= ~L2CAP_CONN_WAIT_F; 3514 chan->conn_state &= ~L2CAP_CONN_WAIT_F;
3439 } 3515 }
3440 3516
3441 switch (rx_control & L2CAP_CTRL_SUPERVISE) { 3517 switch (rx_control & L2CAP_CTRL_SUPERVISE) {
3442 case L2CAP_SUPER_RCV_READY: 3518 case L2CAP_SUPER_RCV_READY:
3443 l2cap_data_channel_rrframe(sk, rx_control); 3519 l2cap_data_channel_rrframe(chan, rx_control);
3444 break; 3520 break;
3445 3521
3446 case L2CAP_SUPER_REJECT: 3522 case L2CAP_SUPER_REJECT:
3447 l2cap_data_channel_rejframe(sk, rx_control); 3523 l2cap_data_channel_rejframe(chan, rx_control);
3448 break; 3524 break;
3449 3525
3450 case L2CAP_SUPER_SELECT_REJECT: 3526 case L2CAP_SUPER_SELECT_REJECT:
3451 l2cap_data_channel_srejframe(sk, rx_control); 3527 l2cap_data_channel_srejframe(chan, rx_control);
3452 break; 3528 break;
3453 3529
3454 case L2CAP_SUPER_RCV_NOT_READY: 3530 case L2CAP_SUPER_RCV_NOT_READY:
3455 l2cap_data_channel_rnrframe(sk, rx_control); 3531 l2cap_data_channel_rnrframe(chan, rx_control);
3456 break; 3532 break;
3457 } 3533 }
3458 3534
@@ -3462,6 +3538,7 @@ static inline int l2cap_data_channel_sframe(struct sock *sk, u16 rx_control, str
3462 3538
3463static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb) 3539static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb)
3464{ 3540{
3541 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
3465 struct l2cap_pinfo *pi = l2cap_pi(sk); 3542 struct l2cap_pinfo *pi = l2cap_pi(sk);
3466 u16 control; 3543 u16 control;
3467 u8 req_seq; 3544 u8 req_seq;
@@ -3486,41 +3563,41 @@ static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb)
3486 len -= 2; 3563 len -= 2;
3487 3564
3488 if (len > pi->mps) { 3565 if (len > pi->mps) {
3489 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET); 3566 l2cap_send_disconn_req(pi->conn, chan, ECONNRESET);
3490 goto drop; 3567 goto drop;
3491 } 3568 }
3492 3569
3493 req_seq = __get_reqseq(control); 3570 req_seq = __get_reqseq(control);
3494 req_seq_offset = (req_seq - pi->expected_ack_seq) % 64; 3571 req_seq_offset = (req_seq - chan->expected_ack_seq) % 64;
3495 if (req_seq_offset < 0) 3572 if (req_seq_offset < 0)
3496 req_seq_offset += 64; 3573 req_seq_offset += 64;
3497 3574
3498 next_tx_seq_offset = 3575 next_tx_seq_offset =
3499 (pi->next_tx_seq - pi->expected_ack_seq) % 64; 3576 (chan->next_tx_seq - chan->expected_ack_seq) % 64;
3500 if (next_tx_seq_offset < 0) 3577 if (next_tx_seq_offset < 0)
3501 next_tx_seq_offset += 64; 3578 next_tx_seq_offset += 64;
3502 3579
3503 /* check for invalid req-seq */ 3580 /* check for invalid req-seq */
3504 if (req_seq_offset > next_tx_seq_offset) { 3581 if (req_seq_offset > next_tx_seq_offset) {
3505 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET); 3582 l2cap_send_disconn_req(pi->conn, chan, ECONNRESET);
3506 goto drop; 3583 goto drop;
3507 } 3584 }
3508 3585
3509 if (__is_iframe(control)) { 3586 if (__is_iframe(control)) {
3510 if (len < 0) { 3587 if (len < 0) {
3511 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET); 3588 l2cap_send_disconn_req(pi->conn, chan, ECONNRESET);
3512 goto drop; 3589 goto drop;
3513 } 3590 }
3514 3591
3515 l2cap_data_channel_iframe(sk, control, skb); 3592 l2cap_data_channel_iframe(chan, control, skb);
3516 } else { 3593 } else {
3517 if (len != 0) { 3594 if (len != 0) {
3518 BT_ERR("%d", len); 3595 BT_ERR("%d", len);
3519 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET); 3596 l2cap_send_disconn_req(pi->conn, chan, ECONNRESET);
3520 goto drop; 3597 goto drop;
3521 } 3598 }
3522 3599
3523 l2cap_data_channel_sframe(sk, control, skb); 3600 l2cap_data_channel_sframe(chan, control, skb);
3524 } 3601 }
3525 3602
3526 return 0; 3603 return 0;
@@ -3532,21 +3609,23 @@ drop:
3532 3609
3533static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb) 3610static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
3534{ 3611{
3612 struct l2cap_chan *chan;
3535 struct sock *sk; 3613 struct sock *sk;
3536 struct l2cap_pinfo *pi; 3614 struct l2cap_pinfo *pi;
3537 u16 control; 3615 u16 control;
3538 u8 tx_seq; 3616 u8 tx_seq;
3539 int len; 3617 int len;
3540 3618
3541 sk = l2cap_get_chan_by_scid(&conn->chan_list, cid); 3619 chan = l2cap_get_chan_by_scid(conn, cid);
3542 if (!sk) { 3620 if (!chan) {
3543 BT_DBG("unknown cid 0x%4.4x", cid); 3621 BT_DBG("unknown cid 0x%4.4x", cid);
3544 goto drop; 3622 goto drop;
3545 } 3623 }
3546 3624
3625 sk = chan->sk;
3547 pi = l2cap_pi(sk); 3626 pi = l2cap_pi(sk);
3548 3627
3549 BT_DBG("sk %p, len %d", sk, skb->len); 3628 BT_DBG("chan %p, len %d", chan, skb->len);
3550 3629
3551 if (sk->sk_state != BT_CONNECTED) 3630 if (sk->sk_state != BT_CONNECTED)
3552 goto drop; 3631 goto drop;
@@ -3594,17 +3673,17 @@ static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk
3594 3673
3595 tx_seq = __get_txseq(control); 3674 tx_seq = __get_txseq(control);
3596 3675
3597 if (pi->expected_tx_seq == tx_seq) 3676 if (chan->expected_tx_seq == tx_seq)
3598 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64; 3677 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
3599 else 3678 else
3600 pi->expected_tx_seq = (tx_seq + 1) % 64; 3679 chan->expected_tx_seq = (tx_seq + 1) % 64;
3601 3680
3602 l2cap_streaming_reassembly_sdu(sk, skb, control); 3681 l2cap_streaming_reassembly_sdu(chan, skb, control);
3603 3682
3604 goto done; 3683 goto done;
3605 3684
3606 default: 3685 default:
3607 BT_DBG("sk %p: bad mode 0x%2.2x", sk, pi->mode); 3686 BT_DBG("chan %p: bad mode 0x%2.2x", chan, pi->mode);
3608 break; 3687 break;
3609 } 3688 }
3610 3689
@@ -3648,6 +3727,36 @@ done:
3648 return 0; 3727 return 0;
3649} 3728}
3650 3729
3730static inline int l2cap_att_channel(struct l2cap_conn *conn, __le16 cid, struct sk_buff *skb)
3731{
3732 struct sock *sk;
3733
3734 sk = l2cap_get_sock_by_scid(0, cid, conn->src);
3735 if (!sk)
3736 goto drop;
3737
3738 bh_lock_sock(sk);
3739
3740 BT_DBG("sk %p, len %d", sk, skb->len);
3741
3742 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_CONNECTED)
3743 goto drop;
3744
3745 if (l2cap_pi(sk)->imtu < skb->len)
3746 goto drop;
3747
3748 if (!sock_queue_rcv_skb(sk, skb))
3749 goto done;
3750
3751drop:
3752 kfree_skb(skb);
3753
3754done:
3755 if (sk)
3756 bh_unlock_sock(sk);
3757 return 0;
3758}
3759
3651static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb) 3760static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
3652{ 3761{
3653 struct l2cap_hdr *lh = (void *) skb->data; 3762 struct l2cap_hdr *lh = (void *) skb->data;
@@ -3677,6 +3786,10 @@ static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
3677 l2cap_conless_channel(conn, psm, skb); 3786 l2cap_conless_channel(conn, psm, skb);
3678 break; 3787 break;
3679 3788
3789 case L2CAP_CID_LE_DATA:
3790 l2cap_att_channel(conn, cid, skb);
3791 break;
3792
3680 default: 3793 default:
3681 l2cap_data_channel(conn, cid, skb); 3794 l2cap_data_channel(conn, cid, skb);
3682 break; 3795 break;
@@ -3780,20 +3893,19 @@ static inline void l2cap_check_encryption(struct sock *sk, u8 encrypt)
3780 3893
3781static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt) 3894static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
3782{ 3895{
3783 struct l2cap_chan_list *l;
3784 struct l2cap_conn *conn = hcon->l2cap_data; 3896 struct l2cap_conn *conn = hcon->l2cap_data;
3785 struct sock *sk; 3897 struct l2cap_chan *chan;
3786 3898
3787 if (!conn) 3899 if (!conn)
3788 return 0; 3900 return 0;
3789 3901
3790 l = &conn->chan_list;
3791
3792 BT_DBG("conn %p", conn); 3902 BT_DBG("conn %p", conn);
3793 3903
3794 read_lock(&l->lock); 3904 read_lock(&conn->chan_lock);
3905
3906 list_for_each_entry(chan, &conn->chan_l, list) {
3907 struct sock *sk = chan->sk;
3795 3908
3796 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
3797 bh_lock_sock(sk); 3909 bh_lock_sock(sk);
3798 3910
3799 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_CONNECT_PEND) { 3911 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_CONNECT_PEND) {
@@ -3814,10 +3926,10 @@ static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
3814 req.scid = cpu_to_le16(l2cap_pi(sk)->scid); 3926 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
3815 req.psm = l2cap_pi(sk)->psm; 3927 req.psm = l2cap_pi(sk)->psm;
3816 3928
3817 l2cap_pi(sk)->ident = l2cap_get_ident(conn); 3929 chan->ident = l2cap_get_ident(conn);
3818 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND; 3930 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
3819 3931
3820 l2cap_send_cmd(conn, l2cap_pi(sk)->ident, 3932 l2cap_send_cmd(conn, chan->ident,
3821 L2CAP_CONN_REQ, sizeof(req), &req); 3933 L2CAP_CONN_REQ, sizeof(req), &req);
3822 } else { 3934 } else {
3823 l2cap_sock_clear_timer(sk); 3935 l2cap_sock_clear_timer(sk);
@@ -3840,14 +3952,14 @@ static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
3840 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid); 3952 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
3841 rsp.result = cpu_to_le16(result); 3953 rsp.result = cpu_to_le16(result);
3842 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO); 3954 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
3843 l2cap_send_cmd(conn, l2cap_pi(sk)->ident, 3955 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
3844 L2CAP_CONN_RSP, sizeof(rsp), &rsp); 3956 sizeof(rsp), &rsp);
3845 } 3957 }
3846 3958
3847 bh_unlock_sock(sk); 3959 bh_unlock_sock(sk);
3848 } 3960 }
3849 3961
3850 read_unlock(&l->lock); 3962 read_unlock(&conn->chan_lock);
3851 3963
3852 return 0; 3964 return 0;
3853} 3965}
@@ -3866,7 +3978,7 @@ static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 fl
3866 3978
3867 if (!(flags & ACL_CONT)) { 3979 if (!(flags & ACL_CONT)) {
3868 struct l2cap_hdr *hdr; 3980 struct l2cap_hdr *hdr;
3869 struct sock *sk; 3981 struct l2cap_chan *chan;
3870 u16 cid; 3982 u16 cid;
3871 int len; 3983 int len;
3872 3984
@@ -3904,18 +4016,21 @@ static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 fl
3904 goto drop; 4016 goto drop;
3905 } 4017 }
3906 4018
3907 sk = l2cap_get_chan_by_scid(&conn->chan_list, cid); 4019 chan = l2cap_get_chan_by_scid(conn, cid);
3908 4020
3909 if (sk && l2cap_pi(sk)->imtu < len - L2CAP_HDR_SIZE) { 4021 if (chan && chan->sk) {
3910 BT_ERR("Frame exceeding recv MTU (len %d, MTU %d)", 4022 struct sock *sk = chan->sk;
3911 len, l2cap_pi(sk)->imtu);
3912 bh_unlock_sock(sk);
3913 l2cap_conn_unreliable(conn, ECOMM);
3914 goto drop;
3915 }
3916 4023
3917 if (sk) 4024 if (l2cap_pi(sk)->imtu < len - L2CAP_HDR_SIZE) {
4025 BT_ERR("Frame exceeding recv MTU (len %d, "
4026 "MTU %d)", len,
4027 l2cap_pi(sk)->imtu);
4028 bh_unlock_sock(sk);
4029 l2cap_conn_unreliable(conn, ECOMM);
4030 goto drop;
4031 }
3918 bh_unlock_sock(sk); 4032 bh_unlock_sock(sk);
4033 }
3919 4034
3920 /* Allocate skb for the complete frame (with header) */ 4035 /* Allocate skb for the complete frame (with header) */
3921 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC); 4036 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index f77308e63e58..473e5973d8fe 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -269,7 +269,7 @@ static int l2cap_sock_listen(struct socket *sock, int backlog)
269 goto done; 269 goto done;
270 } 270 }
271 271
272 if (!l2cap_pi(sk)->psm && !l2cap_pi(sk)->dcid) { 272 if (!l2cap_pi(sk)->psm && !l2cap_pi(sk)->scid) {
273 bdaddr_t *src = &bt_sk(sk)->src; 273 bdaddr_t *src = &bt_sk(sk)->src;
274 u16 psm; 274 u16 psm;
275 275
@@ -757,35 +757,37 @@ static int l2cap_sock_sendmsg(struct kiocb *iocb, struct socket *sock, struct ms
757 case L2CAP_MODE_ERTM: 757 case L2CAP_MODE_ERTM:
758 case L2CAP_MODE_STREAMING: 758 case L2CAP_MODE_STREAMING:
759 /* Entire SDU fits into one PDU */ 759 /* Entire SDU fits into one PDU */
760 if (len <= pi->remote_mps) { 760 if (len <= pi->chan->remote_mps) {
761 control = L2CAP_SDU_UNSEGMENTED; 761 control = L2CAP_SDU_UNSEGMENTED;
762 skb = l2cap_create_iframe_pdu(sk, msg, len, control, 0); 762 skb = l2cap_create_iframe_pdu(sk, msg, len, control, 0);
763 if (IS_ERR(skb)) { 763 if (IS_ERR(skb)) {
764 err = PTR_ERR(skb); 764 err = PTR_ERR(skb);
765 goto done; 765 goto done;
766 } 766 }
767 __skb_queue_tail(TX_QUEUE(sk), skb); 767 __skb_queue_tail(&pi->chan->tx_q, skb);
768 768
769 if (sk->sk_send_head == NULL) 769 if (pi->chan->tx_send_head == NULL)
770 sk->sk_send_head = skb; 770 pi->chan->tx_send_head = skb;
771 771
772 } else { 772 } else {
773 /* Segment SDU into multiples PDUs */ 773 /* Segment SDU into multiples PDUs */
774 err = l2cap_sar_segment_sdu(sk, msg, len); 774 err = l2cap_sar_segment_sdu(pi->chan, msg, len);
775 if (err < 0) 775 if (err < 0)
776 goto done; 776 goto done;
777 } 777 }
778 778
779 if (pi->mode == L2CAP_MODE_STREAMING) { 779 if (pi->mode == L2CAP_MODE_STREAMING) {
780 l2cap_streaming_send(sk); 780 l2cap_streaming_send(pi->chan);
781 } else { 781 err = len;
782 if ((pi->conn_state & L2CAP_CONN_REMOTE_BUSY) && 782 break;
783 (pi->conn_state & L2CAP_CONN_WAIT_F)) { 783 }
784 err = len; 784
785 break; 785 if ((pi->chan->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
786 } 786 (pi->chan->conn_state & L2CAP_CONN_WAIT_F)) {
787 err = l2cap_ertm_send(sk); 787 err = len;
788 break;
788 } 789 }
790 err = l2cap_ertm_send(pi->chan);
789 791
790 if (err >= 0) 792 if (err >= 0)
791 err = len; 793 err = len;
@@ -808,29 +810,7 @@ static int l2cap_sock_recvmsg(struct kiocb *iocb, struct socket *sock, struct ms
808 lock_sock(sk); 810 lock_sock(sk);
809 811
810 if (sk->sk_state == BT_CONNECT2 && bt_sk(sk)->defer_setup) { 812 if (sk->sk_state == BT_CONNECT2 && bt_sk(sk)->defer_setup) {
811 struct l2cap_conn_rsp rsp; 813 __l2cap_connect_rsp_defer(sk);
812 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
813 u8 buf[128];
814
815 sk->sk_state = BT_CONFIG;
816
817 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
818 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
819 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
820 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
821 l2cap_send_cmd(l2cap_pi(sk)->conn, l2cap_pi(sk)->ident,
822 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
823
824 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT) {
825 release_sock(sk);
826 return 0;
827 }
828
829 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
830 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
831 l2cap_build_conf_req(sk, buf), buf);
832 l2cap_pi(sk)->num_conf_req++;
833
834 release_sock(sk); 814 release_sock(sk);
835 return 0; 815 return 0;
836 } 816 }
@@ -886,6 +866,7 @@ static void l2cap_sock_cleanup_listen(struct sock *parent)
886void __l2cap_sock_close(struct sock *sk, int reason) 866void __l2cap_sock_close(struct sock *sk, int reason)
887{ 867{
888 struct l2cap_conn *conn = l2cap_pi(sk)->conn; 868 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
869 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
889 870
890 BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket); 871 BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
891 872
@@ -900,9 +881,9 @@ void __l2cap_sock_close(struct sock *sk, int reason)
900 sk->sk_type == SOCK_STREAM) && 881 sk->sk_type == SOCK_STREAM) &&
901 conn->hcon->type == ACL_LINK) { 882 conn->hcon->type == ACL_LINK) {
902 l2cap_sock_set_timer(sk, sk->sk_sndtimeo); 883 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
903 l2cap_send_disconn_req(conn, sk, reason); 884 l2cap_send_disconn_req(conn, chan, reason);
904 } else 885 } else
905 l2cap_chan_del(sk, reason); 886 l2cap_chan_del(chan, reason);
906 break; 887 break;
907 888
908 case BT_CONNECT2: 889 case BT_CONNECT2:
@@ -921,16 +902,16 @@ void __l2cap_sock_close(struct sock *sk, int reason)
921 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid); 902 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
922 rsp.result = cpu_to_le16(result); 903 rsp.result = cpu_to_le16(result);
923 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO); 904 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
924 l2cap_send_cmd(conn, l2cap_pi(sk)->ident, 905 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
925 L2CAP_CONN_RSP, sizeof(rsp), &rsp); 906 sizeof(rsp), &rsp);
926 } 907 }
927 908
928 l2cap_chan_del(sk, reason); 909 l2cap_chan_del(chan, reason);
929 break; 910 break;
930 911
931 case BT_CONNECT: 912 case BT_CONNECT:
932 case BT_DISCONN: 913 case BT_DISCONN:
933 l2cap_chan_del(sk, reason); 914 l2cap_chan_del(chan, reason);
934 break; 915 break;
935 916
936 default: 917 default:
@@ -1035,12 +1016,7 @@ void l2cap_sock_init(struct sock *sk, struct sock *parent)
1035 } 1016 }
1036 1017
1037 /* Default config options */ 1018 /* Default config options */
1038 pi->conf_len = 0;
1039 pi->flush_to = L2CAP_DEFAULT_FLUSH_TO; 1019 pi->flush_to = L2CAP_DEFAULT_FLUSH_TO;
1040 skb_queue_head_init(TX_QUEUE(sk));
1041 skb_queue_head_init(SREJ_QUEUE(sk));
1042 skb_queue_head_init(BUSY_QUEUE(sk));
1043 INIT_LIST_HEAD(SREJ_LIST(sk));
1044} 1020}
1045 1021
1046static struct proto l2cap_proto = { 1022static struct proto l2cap_proto = {
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index 4476d8e3c0f2..c304688252b8 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -36,7 +36,7 @@ struct pending_cmd {
36 struct list_head list; 36 struct list_head list;
37 __u16 opcode; 37 __u16 opcode;
38 int index; 38 int index;
39 void *cmd; 39 void *param;
40 struct sock *sk; 40 struct sock *sk;
41 void *user_data; 41 void *user_data;
42}; 42};
@@ -179,10 +179,12 @@ static int read_controller_info(struct sock *sk, u16 index)
179 179
180 hci_del_off_timer(hdev); 180 hci_del_off_timer(hdev);
181 181
182 hci_dev_lock_bh(hdev); 182 hci_dev_lock(hdev);
183 183
184 set_bit(HCI_MGMT, &hdev->flags); 184 set_bit(HCI_MGMT, &hdev->flags);
185 185
186 memset(&rp, 0, sizeof(rp));
187
186 rp.type = hdev->dev_type; 188 rp.type = hdev->dev_type;
187 189
188 rp.powered = test_bit(HCI_UP, &hdev->flags); 190 rp.powered = test_bit(HCI_UP, &hdev->flags);
@@ -204,7 +206,9 @@ static int read_controller_info(struct sock *sk, u16 index)
204 rp.hci_ver = hdev->hci_ver; 206 rp.hci_ver = hdev->hci_ver;
205 put_unaligned_le16(hdev->hci_rev, &rp.hci_rev); 207 put_unaligned_le16(hdev->hci_rev, &rp.hci_rev);
206 208
207 hci_dev_unlock_bh(hdev); 209 memcpy(rp.name, hdev->dev_name, sizeof(hdev->dev_name));
210
211 hci_dev_unlock(hdev);
208 hci_dev_put(hdev); 212 hci_dev_put(hdev);
209 213
210 return cmd_complete(sk, index, MGMT_OP_READ_INFO, &rp, sizeof(rp)); 214 return cmd_complete(sk, index, MGMT_OP_READ_INFO, &rp, sizeof(rp));
@@ -213,7 +217,7 @@ static int read_controller_info(struct sock *sk, u16 index)
213static void mgmt_pending_free(struct pending_cmd *cmd) 217static void mgmt_pending_free(struct pending_cmd *cmd)
214{ 218{
215 sock_put(cmd->sk); 219 sock_put(cmd->sk);
216 kfree(cmd->cmd); 220 kfree(cmd->param);
217 kfree(cmd); 221 kfree(cmd);
218} 222}
219 223
@@ -229,13 +233,14 @@ static struct pending_cmd *mgmt_pending_add(struct sock *sk, u16 opcode,
229 cmd->opcode = opcode; 233 cmd->opcode = opcode;
230 cmd->index = index; 234 cmd->index = index;
231 235
232 cmd->cmd = kmalloc(len, GFP_ATOMIC); 236 cmd->param = kmalloc(len, GFP_ATOMIC);
233 if (!cmd->cmd) { 237 if (!cmd->param) {
234 kfree(cmd); 238 kfree(cmd);
235 return NULL; 239 return NULL;
236 } 240 }
237 241
238 memcpy(cmd->cmd, data, len); 242 if (data)
243 memcpy(cmd->param, data, len);
239 244
240 cmd->sk = sk; 245 cmd->sk = sk;
241 sock_hold(sk); 246 sock_hold(sk);
@@ -311,7 +316,7 @@ static int set_powered(struct sock *sk, u16 index, unsigned char *data, u16 len)
311 if (!hdev) 316 if (!hdev)
312 return cmd_status(sk, index, MGMT_OP_SET_POWERED, ENODEV); 317 return cmd_status(sk, index, MGMT_OP_SET_POWERED, ENODEV);
313 318
314 hci_dev_lock_bh(hdev); 319 hci_dev_lock(hdev);
315 320
316 up = test_bit(HCI_UP, &hdev->flags); 321 up = test_bit(HCI_UP, &hdev->flags);
317 if ((cp->val && up) || (!cp->val && !up)) { 322 if ((cp->val && up) || (!cp->val && !up)) {
@@ -338,7 +343,7 @@ static int set_powered(struct sock *sk, u16 index, unsigned char *data, u16 len)
338 err = 0; 343 err = 0;
339 344
340failed: 345failed:
341 hci_dev_unlock_bh(hdev); 346 hci_dev_unlock(hdev);
342 hci_dev_put(hdev); 347 hci_dev_put(hdev);
343 return err; 348 return err;
344} 349}
@@ -363,7 +368,7 @@ static int set_discoverable(struct sock *sk, u16 index, unsigned char *data,
363 if (!hdev) 368 if (!hdev)
364 return cmd_status(sk, index, MGMT_OP_SET_DISCOVERABLE, ENODEV); 369 return cmd_status(sk, index, MGMT_OP_SET_DISCOVERABLE, ENODEV);
365 370
366 hci_dev_lock_bh(hdev); 371 hci_dev_lock(hdev);
367 372
368 if (!test_bit(HCI_UP, &hdev->flags)) { 373 if (!test_bit(HCI_UP, &hdev->flags)) {
369 err = cmd_status(sk, index, MGMT_OP_SET_DISCOVERABLE, ENETDOWN); 374 err = cmd_status(sk, index, MGMT_OP_SET_DISCOVERABLE, ENETDOWN);
@@ -398,7 +403,7 @@ static int set_discoverable(struct sock *sk, u16 index, unsigned char *data,
398 mgmt_pending_remove(cmd); 403 mgmt_pending_remove(cmd);
399 404
400failed: 405failed:
401 hci_dev_unlock_bh(hdev); 406 hci_dev_unlock(hdev);
402 hci_dev_put(hdev); 407 hci_dev_put(hdev);
403 408
404 return err; 409 return err;
@@ -424,7 +429,7 @@ static int set_connectable(struct sock *sk, u16 index, unsigned char *data,
424 if (!hdev) 429 if (!hdev)
425 return cmd_status(sk, index, MGMT_OP_SET_CONNECTABLE, ENODEV); 430 return cmd_status(sk, index, MGMT_OP_SET_CONNECTABLE, ENODEV);
426 431
427 hci_dev_lock_bh(hdev); 432 hci_dev_lock(hdev);
428 433
429 if (!test_bit(HCI_UP, &hdev->flags)) { 434 if (!test_bit(HCI_UP, &hdev->flags)) {
430 err = cmd_status(sk, index, MGMT_OP_SET_CONNECTABLE, ENETDOWN); 435 err = cmd_status(sk, index, MGMT_OP_SET_CONNECTABLE, ENETDOWN);
@@ -458,7 +463,7 @@ static int set_connectable(struct sock *sk, u16 index, unsigned char *data,
458 mgmt_pending_remove(cmd); 463 mgmt_pending_remove(cmd);
459 464
460failed: 465failed:
461 hci_dev_unlock_bh(hdev); 466 hci_dev_unlock(hdev);
462 hci_dev_put(hdev); 467 hci_dev_put(hdev);
463 468
464 return err; 469 return err;
@@ -517,7 +522,7 @@ static int set_pairable(struct sock *sk, u16 index, unsigned char *data,
517 if (!hdev) 522 if (!hdev)
518 return cmd_status(sk, index, MGMT_OP_SET_PAIRABLE, ENODEV); 523 return cmd_status(sk, index, MGMT_OP_SET_PAIRABLE, ENODEV);
519 524
520 hci_dev_lock_bh(hdev); 525 hci_dev_lock(hdev);
521 526
522 if (cp->val) 527 if (cp->val)
523 set_bit(HCI_PAIRABLE, &hdev->flags); 528 set_bit(HCI_PAIRABLE, &hdev->flags);
@@ -533,12 +538,156 @@ static int set_pairable(struct sock *sk, u16 index, unsigned char *data,
533 err = mgmt_event(MGMT_EV_PAIRABLE, index, &ev, sizeof(ev), sk); 538 err = mgmt_event(MGMT_EV_PAIRABLE, index, &ev, sizeof(ev), sk);
534 539
535failed: 540failed:
536 hci_dev_unlock_bh(hdev); 541 hci_dev_unlock(hdev);
537 hci_dev_put(hdev); 542 hci_dev_put(hdev);
538 543
539 return err; 544 return err;
540} 545}
541 546
547#define EIR_FLAGS 0x01 /* flags */
548#define EIR_UUID16_SOME 0x02 /* 16-bit UUID, more available */
549#define EIR_UUID16_ALL 0x03 /* 16-bit UUID, all listed */
550#define EIR_UUID32_SOME 0x04 /* 32-bit UUID, more available */
551#define EIR_UUID32_ALL 0x05 /* 32-bit UUID, all listed */
552#define EIR_UUID128_SOME 0x06 /* 128-bit UUID, more available */
553#define EIR_UUID128_ALL 0x07 /* 128-bit UUID, all listed */
554#define EIR_NAME_SHORT 0x08 /* shortened local name */
555#define EIR_NAME_COMPLETE 0x09 /* complete local name */
556#define EIR_TX_POWER 0x0A /* transmit power level */
557#define EIR_DEVICE_ID 0x10 /* device ID */
558
559#define PNP_INFO_SVCLASS_ID 0x1200
560
561static u8 bluetooth_base_uuid[] = {
562 0xFB, 0x34, 0x9B, 0x5F, 0x80, 0x00, 0x00, 0x80,
563 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
564};
565
566static u16 get_uuid16(u8 *uuid128)
567{
568 u32 val;
569 int i;
570
571 for (i = 0; i < 12; i++) {
572 if (bluetooth_base_uuid[i] != uuid128[i])
573 return 0;
574 }
575
576 memcpy(&val, &uuid128[12], 4);
577
578 val = le32_to_cpu(val);
579 if (val > 0xffff)
580 return 0;
581
582 return (u16) val;
583}
584
585static void create_eir(struct hci_dev *hdev, u8 *data)
586{
587 u8 *ptr = data;
588 u16 eir_len = 0;
589 u16 uuid16_list[HCI_MAX_EIR_LENGTH / sizeof(u16)];
590 int i, truncated = 0;
591 struct list_head *p;
592 size_t name_len;
593
594 name_len = strlen(hdev->dev_name);
595
596 if (name_len > 0) {
597 /* EIR Data type */
598 if (name_len > 48) {
599 name_len = 48;
600 ptr[1] = EIR_NAME_SHORT;
601 } else
602 ptr[1] = EIR_NAME_COMPLETE;
603
604 /* EIR Data length */
605 ptr[0] = name_len + 1;
606
607 memcpy(ptr + 2, hdev->dev_name, name_len);
608
609 eir_len += (name_len + 2);
610 ptr += (name_len + 2);
611 }
612
613 memset(uuid16_list, 0, sizeof(uuid16_list));
614
615 /* Group all UUID16 types */
616 list_for_each(p, &hdev->uuids) {
617 struct bt_uuid *uuid = list_entry(p, struct bt_uuid, list);
618 u16 uuid16;
619
620 uuid16 = get_uuid16(uuid->uuid);
621 if (uuid16 == 0)
622 return;
623
624 if (uuid16 < 0x1100)
625 continue;
626
627 if (uuid16 == PNP_INFO_SVCLASS_ID)
628 continue;
629
630 /* Stop if not enough space to put next UUID */
631 if (eir_len + 2 + sizeof(u16) > HCI_MAX_EIR_LENGTH) {
632 truncated = 1;
633 break;
634 }
635
636 /* Check for duplicates */
637 for (i = 0; uuid16_list[i] != 0; i++)
638 if (uuid16_list[i] == uuid16)
639 break;
640
641 if (uuid16_list[i] == 0) {
642 uuid16_list[i] = uuid16;
643 eir_len += sizeof(u16);
644 }
645 }
646
647 if (uuid16_list[0] != 0) {
648 u8 *length = ptr;
649
650 /* EIR Data type */
651 ptr[1] = truncated ? EIR_UUID16_SOME : EIR_UUID16_ALL;
652
653 ptr += 2;
654 eir_len += 2;
655
656 for (i = 0; uuid16_list[i] != 0; i++) {
657 *ptr++ = (uuid16_list[i] & 0x00ff);
658 *ptr++ = (uuid16_list[i] & 0xff00) >> 8;
659 }
660
661 /* EIR Data length */
662 *length = (i * sizeof(u16)) + 1;
663 }
664}
665
666static int update_eir(struct hci_dev *hdev)
667{
668 struct hci_cp_write_eir cp;
669
670 if (!(hdev->features[6] & LMP_EXT_INQ))
671 return 0;
672
673 if (hdev->ssp_mode == 0)
674 return 0;
675
676 if (test_bit(HCI_SERVICE_CACHE, &hdev->flags))
677 return 0;
678
679 memset(&cp, 0, sizeof(cp));
680
681 create_eir(hdev, cp.data);
682
683 if (memcmp(cp.data, hdev->eir, sizeof(cp.data)) == 0)
684 return 0;
685
686 memcpy(hdev->eir, cp.data, sizeof(cp.data));
687
688 return hci_send_cmd(hdev, HCI_OP_WRITE_EIR, sizeof(cp), &cp);
689}
690
542static u8 get_service_classes(struct hci_dev *hdev) 691static u8 get_service_classes(struct hci_dev *hdev)
543{ 692{
544 struct list_head *p; 693 struct list_head *p;
@@ -590,7 +739,7 @@ static int add_uuid(struct sock *sk, u16 index, unsigned char *data, u16 len)
590 if (!hdev) 739 if (!hdev)
591 return cmd_status(sk, index, MGMT_OP_ADD_UUID, ENODEV); 740 return cmd_status(sk, index, MGMT_OP_ADD_UUID, ENODEV);
592 741
593 hci_dev_lock_bh(hdev); 742 hci_dev_lock(hdev);
594 743
595 uuid = kmalloc(sizeof(*uuid), GFP_ATOMIC); 744 uuid = kmalloc(sizeof(*uuid), GFP_ATOMIC);
596 if (!uuid) { 745 if (!uuid) {
@@ -607,10 +756,14 @@ static int add_uuid(struct sock *sk, u16 index, unsigned char *data, u16 len)
607 if (err < 0) 756 if (err < 0)
608 goto failed; 757 goto failed;
609 758
759 err = update_eir(hdev);
760 if (err < 0)
761 goto failed;
762
610 err = cmd_complete(sk, index, MGMT_OP_ADD_UUID, NULL, 0); 763 err = cmd_complete(sk, index, MGMT_OP_ADD_UUID, NULL, 0);
611 764
612failed: 765failed:
613 hci_dev_unlock_bh(hdev); 766 hci_dev_unlock(hdev);
614 hci_dev_put(hdev); 767 hci_dev_put(hdev);
615 768
616 return err; 769 return err;
@@ -635,7 +788,7 @@ static int remove_uuid(struct sock *sk, u16 index, unsigned char *data, u16 len)
635 if (!hdev) 788 if (!hdev)
636 return cmd_status(sk, index, MGMT_OP_REMOVE_UUID, ENODEV); 789 return cmd_status(sk, index, MGMT_OP_REMOVE_UUID, ENODEV);
637 790
638 hci_dev_lock_bh(hdev); 791 hci_dev_lock(hdev);
639 792
640 if (memcmp(cp->uuid, bt_uuid_any, 16) == 0) { 793 if (memcmp(cp->uuid, bt_uuid_any, 16) == 0) {
641 err = hci_uuids_clear(hdev); 794 err = hci_uuids_clear(hdev);
@@ -663,10 +816,14 @@ static int remove_uuid(struct sock *sk, u16 index, unsigned char *data, u16 len)
663 if (err < 0) 816 if (err < 0)
664 goto unlock; 817 goto unlock;
665 818
819 err = update_eir(hdev);
820 if (err < 0)
821 goto unlock;
822
666 err = cmd_complete(sk, index, MGMT_OP_REMOVE_UUID, NULL, 0); 823 err = cmd_complete(sk, index, MGMT_OP_REMOVE_UUID, NULL, 0);
667 824
668unlock: 825unlock:
669 hci_dev_unlock_bh(hdev); 826 hci_dev_unlock(hdev);
670 hci_dev_put(hdev); 827 hci_dev_put(hdev);
671 828
672 return err; 829 return err;
@@ -690,7 +847,7 @@ static int set_dev_class(struct sock *sk, u16 index, unsigned char *data,
690 if (!hdev) 847 if (!hdev)
691 return cmd_status(sk, index, MGMT_OP_SET_DEV_CLASS, ENODEV); 848 return cmd_status(sk, index, MGMT_OP_SET_DEV_CLASS, ENODEV);
692 849
693 hci_dev_lock_bh(hdev); 850 hci_dev_lock(hdev);
694 851
695 hdev->major_class = cp->major; 852 hdev->major_class = cp->major;
696 hdev->minor_class = cp->minor; 853 hdev->minor_class = cp->minor;
@@ -700,7 +857,7 @@ static int set_dev_class(struct sock *sk, u16 index, unsigned char *data,
700 if (err == 0) 857 if (err == 0)
701 err = cmd_complete(sk, index, MGMT_OP_SET_DEV_CLASS, NULL, 0); 858 err = cmd_complete(sk, index, MGMT_OP_SET_DEV_CLASS, NULL, 0);
702 859
703 hci_dev_unlock_bh(hdev); 860 hci_dev_unlock(hdev);
704 hci_dev_put(hdev); 861 hci_dev_put(hdev);
705 862
706 return err; 863 return err;
@@ -722,7 +879,7 @@ static int set_service_cache(struct sock *sk, u16 index, unsigned char *data,
722 if (!hdev) 879 if (!hdev)
723 return cmd_status(sk, index, MGMT_OP_SET_SERVICE_CACHE, ENODEV); 880 return cmd_status(sk, index, MGMT_OP_SET_SERVICE_CACHE, ENODEV);
724 881
725 hci_dev_lock_bh(hdev); 882 hci_dev_lock(hdev);
726 883
727 BT_DBG("hci%u enable %d", index, cp->enable); 884 BT_DBG("hci%u enable %d", index, cp->enable);
728 885
@@ -732,13 +889,15 @@ static int set_service_cache(struct sock *sk, u16 index, unsigned char *data,
732 } else { 889 } else {
733 clear_bit(HCI_SERVICE_CACHE, &hdev->flags); 890 clear_bit(HCI_SERVICE_CACHE, &hdev->flags);
734 err = update_class(hdev); 891 err = update_class(hdev);
892 if (err == 0)
893 err = update_eir(hdev);
735 } 894 }
736 895
737 if (err == 0) 896 if (err == 0)
738 err = cmd_complete(sk, index, MGMT_OP_SET_SERVICE_CACHE, NULL, 897 err = cmd_complete(sk, index, MGMT_OP_SET_SERVICE_CACHE, NULL,
739 0); 898 0);
740 899
741 hci_dev_unlock_bh(hdev); 900 hci_dev_unlock(hdev);
742 hci_dev_put(hdev); 901 hci_dev_put(hdev);
743 902
744 return err; 903 return err;
@@ -772,7 +931,7 @@ static int load_keys(struct sock *sk, u16 index, unsigned char *data, u16 len)
772 BT_DBG("hci%u debug_keys %u key_count %u", index, cp->debug_keys, 931 BT_DBG("hci%u debug_keys %u key_count %u", index, cp->debug_keys,
773 key_count); 932 key_count);
774 933
775 hci_dev_lock_bh(hdev); 934 hci_dev_lock(hdev);
776 935
777 hci_link_keys_clear(hdev); 936 hci_link_keys_clear(hdev);
778 937
@@ -790,7 +949,7 @@ static int load_keys(struct sock *sk, u16 index, unsigned char *data, u16 len)
790 key->pin_len); 949 key->pin_len);
791 } 950 }
792 951
793 hci_dev_unlock_bh(hdev); 952 hci_dev_unlock(hdev);
794 hci_dev_put(hdev); 953 hci_dev_put(hdev);
795 954
796 return 0; 955 return 0;
@@ -812,7 +971,7 @@ static int remove_key(struct sock *sk, u16 index, unsigned char *data, u16 len)
812 if (!hdev) 971 if (!hdev)
813 return cmd_status(sk, index, MGMT_OP_REMOVE_KEY, ENODEV); 972 return cmd_status(sk, index, MGMT_OP_REMOVE_KEY, ENODEV);
814 973
815 hci_dev_lock_bh(hdev); 974 hci_dev_lock(hdev);
816 975
817 err = hci_remove_link_key(hdev, &cp->bdaddr); 976 err = hci_remove_link_key(hdev, &cp->bdaddr);
818 if (err < 0) { 977 if (err < 0) {
@@ -835,7 +994,7 @@ static int remove_key(struct sock *sk, u16 index, unsigned char *data, u16 len)
835 } 994 }
836 995
837unlock: 996unlock:
838 hci_dev_unlock_bh(hdev); 997 hci_dev_unlock(hdev);
839 hci_dev_put(hdev); 998 hci_dev_put(hdev);
840 999
841 return err; 1000 return err;
@@ -861,7 +1020,7 @@ static int disconnect(struct sock *sk, u16 index, unsigned char *data, u16 len)
861 if (!hdev) 1020 if (!hdev)
862 return cmd_status(sk, index, MGMT_OP_DISCONNECT, ENODEV); 1021 return cmd_status(sk, index, MGMT_OP_DISCONNECT, ENODEV);
863 1022
864 hci_dev_lock_bh(hdev); 1023 hci_dev_lock(hdev);
865 1024
866 if (!test_bit(HCI_UP, &hdev->flags)) { 1025 if (!test_bit(HCI_UP, &hdev->flags)) {
867 err = cmd_status(sk, index, MGMT_OP_DISCONNECT, ENETDOWN); 1026 err = cmd_status(sk, index, MGMT_OP_DISCONNECT, ENETDOWN);
@@ -893,7 +1052,7 @@ static int disconnect(struct sock *sk, u16 index, unsigned char *data, u16 len)
893 mgmt_pending_remove(cmd); 1052 mgmt_pending_remove(cmd);
894 1053
895failed: 1054failed:
896 hci_dev_unlock_bh(hdev); 1055 hci_dev_unlock(hdev);
897 hci_dev_put(hdev); 1056 hci_dev_put(hdev);
898 1057
899 return err; 1058 return err;
@@ -914,7 +1073,7 @@ static int get_connections(struct sock *sk, u16 index)
914 if (!hdev) 1073 if (!hdev)
915 return cmd_status(sk, index, MGMT_OP_GET_CONNECTIONS, ENODEV); 1074 return cmd_status(sk, index, MGMT_OP_GET_CONNECTIONS, ENODEV);
916 1075
917 hci_dev_lock_bh(hdev); 1076 hci_dev_lock(hdev);
918 1077
919 count = 0; 1078 count = 0;
920 list_for_each(p, &hdev->conn_hash.list) { 1079 list_for_each(p, &hdev->conn_hash.list) {
@@ -945,7 +1104,7 @@ static int get_connections(struct sock *sk, u16 index)
945 1104
946unlock: 1105unlock:
947 kfree(rp); 1106 kfree(rp);
948 hci_dev_unlock_bh(hdev); 1107 hci_dev_unlock(hdev);
949 hci_dev_put(hdev); 1108 hci_dev_put(hdev);
950 return err; 1109 return err;
951} 1110}
@@ -970,7 +1129,7 @@ static int pin_code_reply(struct sock *sk, u16 index, unsigned char *data,
970 if (!hdev) 1129 if (!hdev)
971 return cmd_status(sk, index, MGMT_OP_PIN_CODE_REPLY, ENODEV); 1130 return cmd_status(sk, index, MGMT_OP_PIN_CODE_REPLY, ENODEV);
972 1131
973 hci_dev_lock_bh(hdev); 1132 hci_dev_lock(hdev);
974 1133
975 if (!test_bit(HCI_UP, &hdev->flags)) { 1134 if (!test_bit(HCI_UP, &hdev->flags)) {
976 err = cmd_status(sk, index, MGMT_OP_PIN_CODE_REPLY, ENETDOWN); 1135 err = cmd_status(sk, index, MGMT_OP_PIN_CODE_REPLY, ENETDOWN);
@@ -992,7 +1151,7 @@ static int pin_code_reply(struct sock *sk, u16 index, unsigned char *data,
992 mgmt_pending_remove(cmd); 1151 mgmt_pending_remove(cmd);
993 1152
994failed: 1153failed:
995 hci_dev_unlock_bh(hdev); 1154 hci_dev_unlock(hdev);
996 hci_dev_put(hdev); 1155 hci_dev_put(hdev);
997 1156
998 return err; 1157 return err;
@@ -1019,7 +1178,7 @@ static int pin_code_neg_reply(struct sock *sk, u16 index, unsigned char *data,
1019 return cmd_status(sk, index, MGMT_OP_PIN_CODE_NEG_REPLY, 1178 return cmd_status(sk, index, MGMT_OP_PIN_CODE_NEG_REPLY,
1020 ENODEV); 1179 ENODEV);
1021 1180
1022 hci_dev_lock_bh(hdev); 1181 hci_dev_lock(hdev);
1023 1182
1024 if (!test_bit(HCI_UP, &hdev->flags)) { 1183 if (!test_bit(HCI_UP, &hdev->flags)) {
1025 err = cmd_status(sk, index, MGMT_OP_PIN_CODE_NEG_REPLY, 1184 err = cmd_status(sk, index, MGMT_OP_PIN_CODE_NEG_REPLY,
@@ -1040,7 +1199,7 @@ static int pin_code_neg_reply(struct sock *sk, u16 index, unsigned char *data,
1040 mgmt_pending_remove(cmd); 1199 mgmt_pending_remove(cmd);
1041 1200
1042failed: 1201failed:
1043 hci_dev_unlock_bh(hdev); 1202 hci_dev_unlock(hdev);
1044 hci_dev_put(hdev); 1203 hci_dev_put(hdev);
1045 1204
1046 return err; 1205 return err;
@@ -1063,14 +1222,14 @@ static int set_io_capability(struct sock *sk, u16 index, unsigned char *data,
1063 if (!hdev) 1222 if (!hdev)
1064 return cmd_status(sk, index, MGMT_OP_SET_IO_CAPABILITY, ENODEV); 1223 return cmd_status(sk, index, MGMT_OP_SET_IO_CAPABILITY, ENODEV);
1065 1224
1066 hci_dev_lock_bh(hdev); 1225 hci_dev_lock(hdev);
1067 1226
1068 hdev->io_capability = cp->io_capability; 1227 hdev->io_capability = cp->io_capability;
1069 1228
1070 BT_DBG("%s IO capability set to 0x%02x", hdev->name, 1229 BT_DBG("%s IO capability set to 0x%02x", hdev->name,
1071 hdev->io_capability); 1230 hdev->io_capability);
1072 1231
1073 hci_dev_unlock_bh(hdev); 1232 hci_dev_unlock(hdev);
1074 hci_dev_put(hdev); 1233 hci_dev_put(hdev);
1075 1234
1076 return cmd_complete(sk, index, MGMT_OP_SET_IO_CAPABILITY, NULL, 0); 1235 return cmd_complete(sk, index, MGMT_OP_SET_IO_CAPABILITY, NULL, 0);
@@ -1156,7 +1315,7 @@ static int pair_device(struct sock *sk, u16 index, unsigned char *data, u16 len)
1156 if (!hdev) 1315 if (!hdev)
1157 return cmd_status(sk, index, MGMT_OP_PAIR_DEVICE, ENODEV); 1316 return cmd_status(sk, index, MGMT_OP_PAIR_DEVICE, ENODEV);
1158 1317
1159 hci_dev_lock_bh(hdev); 1318 hci_dev_lock(hdev);
1160 1319
1161 if (cp->io_cap == 0x03) { 1320 if (cp->io_cap == 0x03) {
1162 sec_level = BT_SECURITY_MEDIUM; 1321 sec_level = BT_SECURITY_MEDIUM;
@@ -1198,7 +1357,7 @@ static int pair_device(struct sock *sk, u16 index, unsigned char *data, u16 len)
1198 err = 0; 1357 err = 0;
1199 1358
1200unlock: 1359unlock:
1201 hci_dev_unlock_bh(hdev); 1360 hci_dev_unlock(hdev);
1202 hci_dev_put(hdev); 1361 hci_dev_put(hdev);
1203 1362
1204 return err; 1363 return err;
@@ -1230,7 +1389,7 @@ static int user_confirm_reply(struct sock *sk, u16 index, unsigned char *data,
1230 if (!hdev) 1389 if (!hdev)
1231 return cmd_status(sk, index, mgmt_op, ENODEV); 1390 return cmd_status(sk, index, mgmt_op, ENODEV);
1232 1391
1233 hci_dev_lock_bh(hdev); 1392 hci_dev_lock(hdev);
1234 1393
1235 if (!test_bit(HCI_UP, &hdev->flags)) { 1394 if (!test_bit(HCI_UP, &hdev->flags)) {
1236 err = cmd_status(sk, index, mgmt_op, ENETDOWN); 1395 err = cmd_status(sk, index, mgmt_op, ENETDOWN);
@@ -1248,7 +1407,163 @@ static int user_confirm_reply(struct sock *sk, u16 index, unsigned char *data,
1248 mgmt_pending_remove(cmd); 1407 mgmt_pending_remove(cmd);
1249 1408
1250failed: 1409failed:
1251 hci_dev_unlock_bh(hdev); 1410 hci_dev_unlock(hdev);
1411 hci_dev_put(hdev);
1412
1413 return err;
1414}
1415
1416static int set_local_name(struct sock *sk, u16 index, unsigned char *data,
1417 u16 len)
1418{
1419 struct mgmt_cp_set_local_name *mgmt_cp = (void *) data;
1420 struct hci_cp_write_local_name hci_cp;
1421 struct hci_dev *hdev;
1422 struct pending_cmd *cmd;
1423 int err;
1424
1425 BT_DBG("");
1426
1427 if (len != sizeof(*mgmt_cp))
1428 return cmd_status(sk, index, MGMT_OP_SET_LOCAL_NAME, EINVAL);
1429
1430 hdev = hci_dev_get(index);
1431 if (!hdev)
1432 return cmd_status(sk, index, MGMT_OP_SET_LOCAL_NAME, ENODEV);
1433
1434 hci_dev_lock(hdev);
1435
1436 cmd = mgmt_pending_add(sk, MGMT_OP_SET_LOCAL_NAME, index, data, len);
1437 if (!cmd) {
1438 err = -ENOMEM;
1439 goto failed;
1440 }
1441
1442 memcpy(hci_cp.name, mgmt_cp->name, sizeof(hci_cp.name));
1443 err = hci_send_cmd(hdev, HCI_OP_WRITE_LOCAL_NAME, sizeof(hci_cp),
1444 &hci_cp);
1445 if (err < 0)
1446 mgmt_pending_remove(cmd);
1447
1448failed:
1449 hci_dev_unlock(hdev);
1450 hci_dev_put(hdev);
1451
1452 return err;
1453}
1454
1455static int read_local_oob_data(struct sock *sk, u16 index)
1456{
1457 struct hci_dev *hdev;
1458 struct pending_cmd *cmd;
1459 int err;
1460
1461 BT_DBG("hci%u", index);
1462
1463 hdev = hci_dev_get(index);
1464 if (!hdev)
1465 return cmd_status(sk, index, MGMT_OP_READ_LOCAL_OOB_DATA,
1466 ENODEV);
1467
1468 hci_dev_lock(hdev);
1469
1470 if (!test_bit(HCI_UP, &hdev->flags)) {
1471 err = cmd_status(sk, index, MGMT_OP_READ_LOCAL_OOB_DATA,
1472 ENETDOWN);
1473 goto unlock;
1474 }
1475
1476 if (!(hdev->features[6] & LMP_SIMPLE_PAIR)) {
1477 err = cmd_status(sk, index, MGMT_OP_READ_LOCAL_OOB_DATA,
1478 EOPNOTSUPP);
1479 goto unlock;
1480 }
1481
1482 if (mgmt_pending_find(MGMT_OP_READ_LOCAL_OOB_DATA, index)) {
1483 err = cmd_status(sk, index, MGMT_OP_READ_LOCAL_OOB_DATA, EBUSY);
1484 goto unlock;
1485 }
1486
1487 cmd = mgmt_pending_add(sk, MGMT_OP_READ_LOCAL_OOB_DATA, index, NULL, 0);
1488 if (!cmd) {
1489 err = -ENOMEM;
1490 goto unlock;
1491 }
1492
1493 err = hci_send_cmd(hdev, HCI_OP_READ_LOCAL_OOB_DATA, 0, NULL);
1494 if (err < 0)
1495 mgmt_pending_remove(cmd);
1496
1497unlock:
1498 hci_dev_unlock(hdev);
1499 hci_dev_put(hdev);
1500
1501 return err;
1502}
1503
1504static int add_remote_oob_data(struct sock *sk, u16 index, unsigned char *data,
1505 u16 len)
1506{
1507 struct hci_dev *hdev;
1508 struct mgmt_cp_add_remote_oob_data *cp = (void *) data;
1509 int err;
1510
1511 BT_DBG("hci%u ", index);
1512
1513 if (len != sizeof(*cp))
1514 return cmd_status(sk, index, MGMT_OP_ADD_REMOTE_OOB_DATA,
1515 EINVAL);
1516
1517 hdev = hci_dev_get(index);
1518 if (!hdev)
1519 return cmd_status(sk, index, MGMT_OP_ADD_REMOTE_OOB_DATA,
1520 ENODEV);
1521
1522 hci_dev_lock(hdev);
1523
1524 err = hci_add_remote_oob_data(hdev, &cp->bdaddr, cp->hash,
1525 cp->randomizer);
1526 if (err < 0)
1527 err = cmd_status(sk, index, MGMT_OP_ADD_REMOTE_OOB_DATA, -err);
1528 else
1529 err = cmd_complete(sk, index, MGMT_OP_ADD_REMOTE_OOB_DATA, NULL,
1530 0);
1531
1532 hci_dev_unlock(hdev);
1533 hci_dev_put(hdev);
1534
1535 return err;
1536}
1537
1538static int remove_remote_oob_data(struct sock *sk, u16 index,
1539 unsigned char *data, u16 len)
1540{
1541 struct hci_dev *hdev;
1542 struct mgmt_cp_remove_remote_oob_data *cp = (void *) data;
1543 int err;
1544
1545 BT_DBG("hci%u ", index);
1546
1547 if (len != sizeof(*cp))
1548 return cmd_status(sk, index, MGMT_OP_REMOVE_REMOTE_OOB_DATA,
1549 EINVAL);
1550
1551 hdev = hci_dev_get(index);
1552 if (!hdev)
1553 return cmd_status(sk, index, MGMT_OP_REMOVE_REMOTE_OOB_DATA,
1554 ENODEV);
1555
1556 hci_dev_lock(hdev);
1557
1558 err = hci_remove_remote_oob_data(hdev, &cp->bdaddr);
1559 if (err < 0)
1560 err = cmd_status(sk, index, MGMT_OP_REMOVE_REMOTE_OOB_DATA,
1561 -err);
1562 else
1563 err = cmd_complete(sk, index, MGMT_OP_REMOVE_REMOTE_OOB_DATA,
1564 NULL, 0);
1565
1566 hci_dev_unlock(hdev);
1252 hci_dev_put(hdev); 1567 hci_dev_put(hdev);
1253 1568
1254 return err; 1569 return err;
@@ -1266,7 +1581,7 @@ int mgmt_control(struct sock *sk, struct msghdr *msg, size_t msglen)
1266 if (msglen < sizeof(*hdr)) 1581 if (msglen < sizeof(*hdr))
1267 return -EINVAL; 1582 return -EINVAL;
1268 1583
1269 buf = kmalloc(msglen, GFP_ATOMIC); 1584 buf = kmalloc(msglen, GFP_KERNEL);
1270 if (!buf) 1585 if (!buf)
1271 return -ENOMEM; 1586 return -ENOMEM;
1272 1587
@@ -1349,6 +1664,20 @@ int mgmt_control(struct sock *sk, struct msghdr *msg, size_t msglen)
1349 case MGMT_OP_USER_CONFIRM_NEG_REPLY: 1664 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1350 err = user_confirm_reply(sk, index, buf + sizeof(*hdr), len, 0); 1665 err = user_confirm_reply(sk, index, buf + sizeof(*hdr), len, 0);
1351 break; 1666 break;
1667 case MGMT_OP_SET_LOCAL_NAME:
1668 err = set_local_name(sk, index, buf + sizeof(*hdr), len);
1669 break;
1670 case MGMT_OP_READ_LOCAL_OOB_DATA:
1671 err = read_local_oob_data(sk, index);
1672 break;
1673 case MGMT_OP_ADD_REMOTE_OOB_DATA:
1674 err = add_remote_oob_data(sk, index, buf + sizeof(*hdr), len);
1675 break;
1676 case MGMT_OP_REMOVE_REMOTE_OOB_DATA:
1677 err = remove_remote_oob_data(sk, index, buf + sizeof(*hdr),
1678 len);
1679 break;
1680
1352 default: 1681 default:
1353 BT_DBG("Unknown op %u", opcode); 1682 BT_DBG("Unknown op %u", opcode);
1354 err = cmd_status(sk, index, opcode, 0x01); 1683 err = cmd_status(sk, index, opcode, 0x01);
@@ -1382,7 +1711,7 @@ struct cmd_lookup {
1382 1711
1383static void mode_rsp(struct pending_cmd *cmd, void *data) 1712static void mode_rsp(struct pending_cmd *cmd, void *data)
1384{ 1713{
1385 struct mgmt_mode *cp = cmd->cmd; 1714 struct mgmt_mode *cp = cmd->param;
1386 struct cmd_lookup *match = data; 1715 struct cmd_lookup *match = data;
1387 1716
1388 if (cp->val != match->val) 1717 if (cp->val != match->val)
@@ -1481,7 +1810,7 @@ int mgmt_connected(u16 index, bdaddr_t *bdaddr)
1481 1810
1482static void disconnect_rsp(struct pending_cmd *cmd, void *data) 1811static void disconnect_rsp(struct pending_cmd *cmd, void *data)
1483{ 1812{
1484 struct mgmt_cp_disconnect *cp = cmd->cmd; 1813 struct mgmt_cp_disconnect *cp = cmd->param;
1485 struct sock **sk = data; 1814 struct sock **sk = data;
1486 struct mgmt_rp_disconnect rp; 1815 struct mgmt_rp_disconnect rp;
1487 1816
@@ -1645,3 +1974,104 @@ int mgmt_auth_failed(u16 index, bdaddr_t *bdaddr, u8 status)
1645 1974
1646 return mgmt_event(MGMT_EV_AUTH_FAILED, index, &ev, sizeof(ev), NULL); 1975 return mgmt_event(MGMT_EV_AUTH_FAILED, index, &ev, sizeof(ev), NULL);
1647} 1976}
1977
1978int mgmt_set_local_name_complete(u16 index, u8 *name, u8 status)
1979{
1980 struct pending_cmd *cmd;
1981 struct hci_dev *hdev;
1982 struct mgmt_cp_set_local_name ev;
1983 int err;
1984
1985 memset(&ev, 0, sizeof(ev));
1986 memcpy(ev.name, name, HCI_MAX_NAME_LENGTH);
1987
1988 cmd = mgmt_pending_find(MGMT_OP_SET_LOCAL_NAME, index);
1989 if (!cmd)
1990 goto send_event;
1991
1992 if (status) {
1993 err = cmd_status(cmd->sk, index, MGMT_OP_SET_LOCAL_NAME, EIO);
1994 goto failed;
1995 }
1996
1997 hdev = hci_dev_get(index);
1998 if (hdev) {
1999 hci_dev_lock_bh(hdev);
2000 update_eir(hdev);
2001 hci_dev_unlock_bh(hdev);
2002 hci_dev_put(hdev);
2003 }
2004
2005 err = cmd_complete(cmd->sk, index, MGMT_OP_SET_LOCAL_NAME, &ev,
2006 sizeof(ev));
2007 if (err < 0)
2008 goto failed;
2009
2010send_event:
2011 err = mgmt_event(MGMT_EV_LOCAL_NAME_CHANGED, index, &ev, sizeof(ev),
2012 cmd ? cmd->sk : NULL);
2013
2014failed:
2015 if (cmd)
2016 mgmt_pending_remove(cmd);
2017 return err;
2018}
2019
2020int mgmt_read_local_oob_data_reply_complete(u16 index, u8 *hash, u8 *randomizer,
2021 u8 status)
2022{
2023 struct pending_cmd *cmd;
2024 int err;
2025
2026 BT_DBG("hci%u status %u", index, status);
2027
2028 cmd = mgmt_pending_find(MGMT_OP_READ_LOCAL_OOB_DATA, index);
2029 if (!cmd)
2030 return -ENOENT;
2031
2032 if (status) {
2033 err = cmd_status(cmd->sk, index, MGMT_OP_READ_LOCAL_OOB_DATA,
2034 EIO);
2035 } else {
2036 struct mgmt_rp_read_local_oob_data rp;
2037
2038 memcpy(rp.hash, hash, sizeof(rp.hash));
2039 memcpy(rp.randomizer, randomizer, sizeof(rp.randomizer));
2040
2041 err = cmd_complete(cmd->sk, index, MGMT_OP_READ_LOCAL_OOB_DATA,
2042 &rp, sizeof(rp));
2043 }
2044
2045 mgmt_pending_remove(cmd);
2046
2047 return err;
2048}
2049
2050int mgmt_device_found(u16 index, bdaddr_t *bdaddr, u8 *dev_class, s8 rssi,
2051 u8 *eir)
2052{
2053 struct mgmt_ev_device_found ev;
2054
2055 memset(&ev, 0, sizeof(ev));
2056
2057 bacpy(&ev.bdaddr, bdaddr);
2058 memcpy(ev.dev_class, dev_class, sizeof(ev.dev_class));
2059 ev.rssi = rssi;
2060
2061 if (eir)
2062 memcpy(ev.eir, eir, sizeof(ev.eir));
2063
2064 return mgmt_event(MGMT_EV_DEVICE_FOUND, index, &ev, sizeof(ev), NULL);
2065}
2066
2067int mgmt_remote_name(u16 index, bdaddr_t *bdaddr, u8 *name)
2068{
2069 struct mgmt_ev_remote_name ev;
2070
2071 memset(&ev, 0, sizeof(ev));
2072
2073 bacpy(&ev.bdaddr, bdaddr);
2074 memcpy(ev.name, name, HCI_MAX_NAME_LENGTH);
2075
2076 return mgmt_event(MGMT_EV_REMOTE_NAME, index, &ev, sizeof(ev), NULL);
2077}
generated by cgit v1.2.2 (git 2.25.0) at 2025-01-26 22:53:34 -0500