Channel moves are triggered by changes to the BT_CHANNEL_POLICY
sockopt when an ERTM or streaming-mode channel is connected.

Moves are only started if enable_hs is true.
Signed-off-by: NMat Martineau <mathewm@codeaurora.org>
Acked-by: NMarcel Holtmann <marcel@holtmann.org>
Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>

When DEFER_SETUP is set defer() will trigger an authorization
request to the userspace.

l2cap_chan_no_defer() is meant to be used when one does not want to
support DEFER_SETUP (A2MP for example).
Acked-by: NMarcel Holtmann <marcel@holtmann.org>
Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>

This is part of the move the parent socket usage to l2cap_sock.c

The change is safe when it comes to locking, bt_accept_enqueue() is still
protected by the parent socket lock inside the
l2cap_sock_new_connection_cb() code.
Acked-by: NMarcel Holtmann <marcel@holtmann.org>
Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>

Follow the net subsystem coding style
Acked-by: NMarcel Holtmann <marcel@holtmann.org>
Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>

Enable setting of flush timeout via setsockopt
Signed-off-by: NAndrei Emeltchenko <andrei.emeltchenko@intel.com>
Acked-by: NMarcel Holtmann <marcel@holtmann.org>
Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>

We may currently attempt to free a channel which wasn't created due to
an error in the initialization path, this would cause a NULL ptr deref.

This would cause the following oops:

[   12.919073] BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
[   12.919131] IP: [<ffffffff836645c4>] l2cap_chan_put+0x34/0x50
[   12.919135] PGD 0
[   12.919138] Oops: 0002 [#1] PREEMPT SMP DEBUG_PAGEALLOC
[   12.919193] Dumping ftrace buffer:
[   12.919242]    (ftrace buffer empty)
[   12.919314] Modules linked in:
[   12.919318] CPU 1
[   12.919319] Pid: 6210, comm: krfcommd Tainted: G        W    3.6.0-next-20121004-sasha-00005-gb010653-dirty #30
[   12.919374] RIP: 0010:[<ffffffff836645c4>]  [<ffffffff836645c4>] l2cap_chan_put+0x34/0x50
[   12.919377] RSP: 0000:ffff880066933c38  EFLAGS: 00010246
[   12.919378] RAX: ffffffff8366c780 RBX: 0000000000000000 RCX: 6666666666666667
[   12.919379] RDX: 0000000000000fa0 RSI: ffffffff84d3f79e RDI: 0000000000000010
[   12.919381] RBP: ffff880066933c48 R08: ffffffff859989f8 R09: 0000000000000001
[   12.919382] R10: 0000000000000000 R11: 7fffffffffffffff R12: 0000000000000000
[   12.919383] R13: ffff88009b00a200 R14: ffff88009b00a200 R15: 0000000000000001
[   12.919385] FS:  0000000000000000(0000) GS:ffff880033600000(0000) knlGS:0000000000000000
[   12.919437] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   12.919440] CR2: 0000000000000010 CR3: 0000000005026000 CR4: 00000000000406e0
[   12.919446] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   12.919451] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[   12.919504] Process krfcommd (pid: 6210, threadinfo ffff880066932000, task ffff880065c4b000)
[   12.919506] Stack:
[   12.919510]  ffff88009b00a200 ffff880032084000 ffff880066933c68 ffffffff8366c7bc
[   12.919513]  7fffffffffffffff ffff880032084000 ffff880066933c98 ffffffff833ae0ae
[   12.919516]  ffff880066933ca8 0000000000000000 0000000000000000 ffff88009b00a200
[   12.919517] Call Trace:
[   12.919522]  [<ffffffff8366c7bc>] l2cap_sock_destruct+0x3c/0x80
[   12.919527]  [<ffffffff833ae0ae>] __sk_free+0x1e/0x1f0
[   12.919530]  [<ffffffff833ae2f7>] sk_free+0x17/0x20
[   12.919585]  [<ffffffff8366ca4e>] l2cap_sock_alloc.constprop.5+0x9e/0xd0
[   12.919591]  [<ffffffff8366cb9e>] l2cap_sock_create+0x7e/0x100
[   12.919652]  [<ffffffff83a4f32a>] ? _raw_read_lock+0x6a/0x80
[   12.919658]  [<ffffffff836402c4>] ? bt_sock_create+0x74/0x110
[   12.919660]  [<ffffffff83640308>] bt_sock_create+0xb8/0x110
[   12.919664]  [<ffffffff833aa232>] __sock_create+0x282/0x3b0
[   12.919720]  [<ffffffff833aa0b0>] ? __sock_create+0x100/0x3b0
[   12.919725]  [<ffffffff836785b0>] ? rfcomm_process_sessions+0x17e0/0x17e0
[   12.919779]  [<ffffffff833aa37f>] sock_create_kern+0x1f/0x30
[   12.919784]  [<ffffffff83675714>] rfcomm_l2sock_create+0x44/0x70
[   12.919787]  [<ffffffff836785b0>] ? rfcomm_process_sessions+0x17e0/0x17e0
[   12.919790]  [<ffffffff836785fe>] rfcomm_run+0x4e/0x1f0
[   12.919846]  [<ffffffff836785b0>] ? rfcomm_process_sessions+0x17e0/0x17e0
[   12.919852]  [<ffffffff81138ee3>] kthread+0xe3/0xf0
[   12.919908]  [<ffffffff8117b12e>] ? put_lock_stats.isra.14+0xe/0x40
[   12.919914]  [<ffffffff81138e00>] ? flush_kthread_work+0x1f0/0x1f0
[   12.919968]  [<ffffffff83a5077c>] ret_from_fork+0x7c/0x90
[   12.919973]  [<ffffffff81138e00>] ? flush_kthread_work+0x1f0/0x1f0
[   12.920161] Code: 83 ec 08 f6 05 ff 58 44 02 04 74 1b 8b 4f 10 48 89 fa 48 c7 c6 d9 d7 d4 84 48 c7 c7 80 9e aa 85 31 c0 e8 80
ac 3a fe 48 8d 7b 10 <f0> 83 6b 10 01 0f 94 c0 84 c0 74 05 e8 8b e0 ff ff 48 83 c4 08
[   12.920165] RIP  [<ffffffff836645c4>] l2cap_chan_put+0x34/0x50
[   12.920166]  RSP <ffff880066933c38>
[   12.920167] CR2: 0000000000000010
[   12.920417] ---[ end trace 5a9114e8a158ab84 ]---

Introduced in commit 61d6ef3e ("Bluetooth: Make better use of l2cap_chan
reference counting").
Signed-off-by: NSasha Levin <sasha.levin@oracle.com>
Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>

Move code dereferencing possible NULL pointer to the check branch.
Signed-off-by: NAndrei Emeltchenko <andrei.emeltchenko@intel.com>
Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>

To make it clear that it may be called from contexts that may not have
any knowledge of L2CAP, we change the connection parameter, to receive
a hci_conn.

This also makes it clear that it is checking the security of the link.
Signed-off-by: NVinicius Costa Gomes <vinicius.gomes@openbossa.org>
Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>

The L2CAP code fails to initialize the l2_bdaddr_type member of struct
sockaddr_l2 and the padding byte added for alignment. It that for leaks
two bytes kernel stack via the getsockname() syscall. Add an explicit
memset(0) before filling the structure to avoid the info leak.
Signed-off-by: NMathias Krause <minipli@googlemail.com>
Cc: Marcel Holtmann <marcel@holtmann.org>
Cc: Gustavo Padovan <gustavo@padovan.org>
Cc: Johan Hedberg <johan.hedberg@gmail.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

If l2cap_chan_create() fails then it will return from l2cap_sock_kill
since zapped flag of sk is reset.
Signed-off-by: NJaganath Kanakkassery <jaganath.k@samsung.com>
Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>

Added /proc/net/l2cap via bt_procfs_init().
Signed-off-by: NMasatake YAMATO <yamato@redhat.com>
Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>

Move the l2cap channel list chan->global_l under the refcnt
protection and free it based on the refcnt.
Signed-off-by: NJaganath Kanakkassery <jaganath.k@samsung.com>
Signed-off-by: NSyam Sidhardhan <s.syam@samsung.com>
Reviewed-by: NAndrei Emeltchenko <andrei.emeltchenko@intel.com>
Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>

This patch renames L2CAP_LE_DEFAULT_MTU macro to L2CAP_LE_MIN_MTU
since it represents the minimum MTU value, not the default MTU
value for LE.
Signed-off-by: NAndre Guedes <andre.guedes@openbossa.org>
Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>

If user tries to set an invalid MTU value, l2cap_sock_setsockopt_old
should return -EINVAL.
Signed-off-by: NAndre Guedes <andre.guedes@openbossa.org>
Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>

Remove socket specific code from l2cap_core.c
Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
Acked-by: NAndrei Emeltchenko <andrei.emeltchenko@intel.com>
Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>

This move socket specific code to l2cap_sock.c.
Signed-off-by: NAndrei Emeltchenko <andrei.emeltchenko@intel.com>
Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>

This remove a bit more of socket code from l2cap core, this calls set the
SOCK_ZAPPED and do some clean up depending on the socket state.
Reported-by: NMat Martineau <mathewm@codeaurora.org>
Signed-off-by: NAndrei Emeltchenko <andrei.emeltchenko@intel.com>
Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>

Use chan instead of void * makes more sense here.
Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>

Define assigned Protocol and Service Multiplexor (PSM) identifiers
and use them instead of magic numbers.
Signed-off-by: NAndrei Emeltchenko <andrei.emeltchenko@intel.com>
Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>

Most of the include were unnecessary or already included by some other
header.
Replace module.h by export.h where possible.
Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>

defer_setup and suspended are now flags into bt_sk().
Signed-off-by: NGustavo Padovan <gustavo@padovan.org>
Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>

During a security level elevation we need to keep track of the current
security level of a connection until the new one is not confirmed.
Signed-off-by: NGustavo Padovan <gustavo@padovan.org>
Acked-by: NMarcel Holtmann <marcel@holtmann.org>
Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>

The ERTM and streaming mode transmit queue must only be accessed while
the L2CAP channel lock is held.  Locking the channel before calling
l2cap_chan_send ensures that multiple threads cannot simultaneously
manipulate the queue when sending and receiving concurrently.

L2CAP channel locking had previously moved to the l2cap_chan struct
instead of the associated socket, so some of the old socket locking
can also be removed in this patch.
Signed-off-by: NMat Martineau <mathewm@codeaurora.org>
Signed-off-by: NGustavo Padovan <gustavo@padovan.org>

It fixes L2CAP socket based security level elevation during a
connection. The HID profile needs this (for keyboards) and it is the only
way to achieve the security level elevation when using the management
interface to talk to the kernel (hence the management enabling patch
being the one that exposes this issue).

It enables the userspace a security level change when the socket is
already connected and create a way to notify the socket the result of the
request. At the moment of the request the socket is made non writable, if
the request fails the connections closes, otherwise the socket is made
writable again, POLL_OUT is emmited.
Signed-off-by: NGustavo Padovan <gustavo@padovan.org>
Acked-by: NMarcel Holtmann <marcel@holtmann.org>
Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>

L2CAP sockets contain a pointer to l2cap_chan that needs to be
reference counted in order to prevent a possible dangling pointer when
the channel is freed.

There were a few other cases where an l2cap_chan pointer on the stack
was dereferenced after a call to l2cap_chan_del. Those pointers are
also now reference counted.
Signed-off-by: NMat Martineau <mathewm@codeaurora.org>
Signed-off-by: NGustavo Padovan <gustavo@padovan.org>

In order to establish a LE connection we need the address type
information. User-space already pass this information to kernel
through struct sockaddr_l2.

This patch adds the dst_type parameter to l2cap_chan_connect so we
are able to pass the address type info from user-space down to
hci_conn layer.
Signed-off-by: NAndre Guedes <andre.guedes@openbossa.org>
Acked-by: NJohan Hedberg <johan.hedberg@intel.com>
Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>

Split the checks for sk->sk_state and sk->sk_type for L2CAP listen
sockets. This makes the code more readable.
Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
Signed-off-by: NGustavo Padovan <gustavo@padovan.org>

Use ERR_PTR maginc instead.
Signed-off-by: NGustavo Padovan <gustavo@padovan.org>
Acked-by: NMarcel Holtmann <marcel@holtmann.org>
Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>

Some parameters in L2CAP chan are set to default similar way in
socket based channels and A2MP channels. Adds common function which
sets all defaults.
Signed-off-by: NAndrei Emeltchenko <andrei.emeltchenko@intel.com>
Signed-off-by: NGustavo Padovan <gustavo@padovan.org>

Remove zero initialization since channel is allocated with kzalloc
in l2cap_chan_create.
Signed-off-by: NAndrei Emeltchenko <andrei.emeltchenko@intel.com>
Acked-by: NMarcel Holtmann <marcel@holtmann.org>
Signed-off-by: NGustavo Padovan <gustavo@padovan.org>

Following the separation if core and sock code this change avoid
manipulation of sk inside l2cap_chan_create().
Signed-off-by: NGustavo Padovan <gustavo@padovan.org>

Fix network to host endian conversion for L2CAP chan id.
Signed-off-by: NSantosh Nayak <santoshprasadnayak@gmail.com>
Acked-by: NAndrei Emeltchenko <andrei.emeltchenko@intel.com>
Signed-off-by: NGustavo F. Padovan <padovan@profusion.mobi>

Signed-off-by: NGustavo F. Padovan <padovan@profusion.mobi>

The L2CAP timeout constants are always used in form of jiffies. So just
include the conversion from msecs in the define itself. This has the
advantage of making the code where the timeout is used more readable.
Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>

Simplify code so that we do not need to check whether socket is locked.
Signed-off-by: NAndrei Emeltchenko <andrei.emeltchenko@intel.com>
Acked-by: NGustavo F. Padovan <padovan@profusion.mobi>
Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>

Change sk lock to chan lock in l2cap core and move sk locks
to l2cap sock code. bh_locks were used because of being RCU
critical section. When needed use explicit socket locks.
Signed-off-by: NAndrei Emeltchenko <andrei.emeltchenko@intel.com>
Reviewed-by: NUlisses Furquim <ulisses@profusion.mobi>
Acked-by: NGustavo F. Padovan <padovan@profusion.mobi>
Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>

Usage of RCU list looks not reasonalbe for a number of reasons:
our code sleep and we had to use socket spinlocks. Most parts
of code are updaters thus there is little sense to use RCU.
Signed-off-by: NAndrei Emeltchenko <andrei.emeltchenko@intel.com>
Reviewed-by: NUlisses Furquim <ulisses@profusion.mobi>
Acked-by: NGustavo F. Padovan <padovan@profusion.mobi>
Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>

Use state_to_string function in debug statements.
Signed-off-by: NAndrei Emeltchenko <andrei.emeltchenko@intel.com>
Acked-by: NMarcel Holtmann <marcel@holtmann.org>
Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>

Signed-off-by: NAndrei Emeltchenko <andrei.emeltchenko@intel.com>
Acked-by: NMarcel Holtmann <marcel@holtmann.org>
Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>

Since bluetooth uses multiple protocols types, to avoid lockdep
warnings, we need to use different lockdep classes (one for each
protocol type).

This is already done in bt_sock_create but it misses a couple of cases
when new connections are created. This patch corrects that to fix the
following warning:

<4>[ 1864.732366] =======================================================
<4>[ 1864.733030] [ INFO: possible circular locking dependency detected ]
<4>[ 1864.733544] 3.0.16-mid3-00007-gc9a0f62 #3
<4>[ 1864.733883] -------------------------------------------------------
<4>[ 1864.734408] t.android.btclc/4204 is trying to acquire lock:
<4>[ 1864.734869]  (rfcomm_mutex){+.+.+.}, at: [<c14970ea>] rfcomm_dlc_close+0x15/0x30
<4>[ 1864.735541]
<4>[ 1864.735549] but task is already holding lock:
<4>[ 1864.736045]  (sk_lock-AF_BLUETOOTH){+.+.+.}, at: [<c1498bf7>] lock_sock+0xa/0xc
<4>[ 1864.736732]
<4>[ 1864.736740] which lock already depends on the new lock.
<4>[ 1864.736750]
<4>[ 1864.737428]
<4>[ 1864.737437] the existing dependency chain (in reverse order) is:
<4>[ 1864.738016]
<4>[ 1864.738023] -> #1 (sk_lock-AF_BLUETOOTH){+.+.+.}:
<4>[ 1864.738549]        [<c1062273>] lock_acquire+0x104/0x140
<4>[ 1864.738977]        [<c13d35c1>] lock_sock_nested+0x58/0x68
<4>[ 1864.739411]        [<c1493c33>] l2cap_sock_sendmsg+0x3e/0x76
<4>[ 1864.739858]        [<c13d06c3>] __sock_sendmsg+0x50/0x59
<4>[ 1864.740279]        [<c13d0ea2>] sock_sendmsg+0x94/0xa8
<4>[ 1864.740687]        [<c13d0ede>] kernel_sendmsg+0x28/0x37
<4>[ 1864.741106]        [<c14969ca>] rfcomm_send_frame+0x30/0x38
<4>[ 1864.741542]        [<c1496a2a>] rfcomm_send_ua+0x58/0x5a
<4>[ 1864.741959]        [<c1498447>] rfcomm_run+0x441/0xb52
<4>[ 1864.742365]        [<c104f095>] kthread+0x63/0x68
<4>[ 1864.742742]        [<c14d5182>] kernel_thread_helper+0x6/0xd
<4>[ 1864.743187]
<4>[ 1864.743193] -> #0 (rfcomm_mutex){+.+.+.}:
<4>[ 1864.743667]        [<c1061ada>] __lock_acquire+0x988/0xc00
<4>[ 1864.744100]        [<c1062273>] lock_acquire+0x104/0x140
<4>[ 1864.744519]        [<c14d2c70>] __mutex_lock_common+0x3b/0x33f
<4>[ 1864.744975]        [<c14d303e>] mutex_lock_nested+0x2d/0x36
<4>[ 1864.745412]        [<c14970ea>] rfcomm_dlc_close+0x15/0x30
<4>[ 1864.745842]        [<c14990d9>] __rfcomm_sock_close+0x5f/0x6b
<4>[ 1864.746288]        [<c1499114>] rfcomm_sock_shutdown+0x2f/0x62
<4>[ 1864.746737]        [<c13d275d>] sys_socketcall+0x1db/0x422
<4>[ 1864.747165]        [<c14d42f0>] syscall_call+0x7/0xb
Signed-off-by: NOctavian Purdila <octavian.purdila@intel.com>
Acked-by: NMarcel Holtmann <marcel@holtmann.org>
Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>