projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wirel...
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
1da177e4
LT		 6
7 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License version 2 as
11 published by the Free Software Foundation;
12
13 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
14 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
15 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
16 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 17 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
18 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
19 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 20 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
21
8e87d142
YH		 22 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
23 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 24 SOFTWARE IS DISCLAIMED.
25*/
26
27/* Bluetooth L2CAP core and sockets. */
28
1da177e4
LT		 29#include <linux/module.h>
30
31#include <linux/types.h>
4fc268d2 32#include <linux/capability.h>
1da177e4
LT		 33#include <linux/errno.h>
34#include <linux/kernel.h>
1da177e4
LT		 35#include <linux/sched.h>
36#include <linux/slab.h>
37#include <linux/poll.h>
38#include <linux/fcntl.h>
39#include <linux/init.h>
40#include <linux/interrupt.h>
41#include <linux/socket.h>
42#include <linux/skbuff.h>
1da177e4 43#include <linux/list.h>
be9d1227 44#include <linux/device.h>
aef7d97c
MH		 45#include <linux/debugfs.h>
46#include <linux/seq_file.h>
af05b30b 47#include <linux/uaccess.h>
fcc203c3 48#include <linux/crc16.h>
1da177e4
LT		 49#include <net/sock.h>
50
51#include <asm/system.h>
1da177e4
LT		 52#include <asm/unaligned.h>
53
54#include <net/bluetooth/bluetooth.h>
55#include <net/bluetooth/hci_core.h>
56#include <net/bluetooth/l2cap.h>
57
dd135240 58#define VERSION "2.15"
44dd46de 59
894718a6 60static int disable_ertm;
f0709e03 61
47ec1dcd 62static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
e1027a7c 63static u8 l2cap_fixed_chan[8] = { 0x02, };
1da177e4 64
90ddc4f0 65static const struct proto_ops l2cap_sock_ops;
1da177e4 66
1890d36b
GP		 67static struct workqueue_struct *_busy_wq;
68
1da177e4 69static struct bt_sock_list l2cap_sk_list = {
d5fb2962 70 .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
1da177e4
LT		 71};
72
1890d36b
GP		 73static void l2cap_busy_work(struct work_struct *work);
74
1da177e4
LT		 75static void __l2cap_sock_close(struct sock *sk, int reason);
76static void l2cap_sock_close(struct sock *sk);
77static void l2cap_sock_kill(struct sock *sk);
78
e9aeb2dd 79static int l2cap_build_conf_req(struct sock *sk, void *data);
1da177e4
LT		 80static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
81 u8 code, u8 ident, u16 dlen, void *data);
82
218bb9df
GP		 83static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb);
84
1da177e4 85/* ---- L2CAP timers ---- */
940a9eea
AE		 86static void l2cap_sock_set_timer(struct sock *sk, long timeout)
87{
88 BT_DBG("sk %p state %d timeout %ld", sk, sk->sk_state, timeout);
89 sk_reset_timer(sk, &sk->sk_timer, jiffies + timeout);
90}
91
92static void l2cap_sock_clear_timer(struct sock *sk)
93{
94 BT_DBG("sock %p state %d", sk, sk->sk_state);
95 sk_stop_timer(sk, &sk->sk_timer);
96}
97
1da177e4
LT		 98static void l2cap_sock_timeout(unsigned long arg)
99{
100 struct sock *sk = (struct sock *) arg;
b1235d79 101 int reason;
1da177e4
LT		 102
103 BT_DBG("sock %p state %d", sk, sk->sk_state);
104
105 bh_lock_sock(sk);
b1235d79 106
940a9eea
AE		 107 if (sock_owned_by_user(sk)) {
108 /* sk is owned by user. Try again later */
109 l2cap_sock_set_timer(sk, HZ / 5);
110 bh_unlock_sock(sk);
111 sock_put(sk);
112 return;
113 }
114
f62e4323
MH		 115 if (sk->sk_state == BT_CONNECTED || sk->sk_state == BT_CONFIG)
116 reason = ECONNREFUSED;
117 else if (sk->sk_state == BT_CONNECT &&
2af6b9d5 118 l2cap_pi(sk)->sec_level != BT_SECURITY_SDP)
b1235d79
MH		 119 reason = ECONNREFUSED;
120 else
121 reason = ETIMEDOUT;
122
123 __l2cap_sock_close(sk, reason);
124
1da177e4
LT		 125 bh_unlock_sock(sk);
126
127 l2cap_sock_kill(sk);
128 sock_put(sk);
129}
130
0139418c
MH		 131/* ---- L2CAP channels ---- */
132static struct sock *__l2cap_get_chan_by_dcid(struct l2cap_chan_list *l, u16 cid)
133{
134 struct sock *s;
135 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
136 if (l2cap_pi(s)->dcid == cid)
137 break;
138 }
139 return s;
140}
141
142static struct sock *__l2cap_get_chan_by_scid(struct l2cap_chan_list *l, u16 cid)
143{
144 struct sock *s;
145 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
146 if (l2cap_pi(s)->scid == cid)
147 break;
148 }
149 return s;
150}
151
152/* Find channel with given SCID.
153 * Returns locked socket */
154static inline struct sock *l2cap_get_chan_by_scid(struct l2cap_chan_list *l, u16 cid)
155{
156 struct sock *s;
157 read_lock(&l->lock);
158 s = __l2cap_get_chan_by_scid(l, cid);
af05b30b
GP		 159 if (s)
160 bh_lock_sock(s);
0139418c
MH		 161 read_unlock(&l->lock);
162 return s;
163}
164
165static struct sock *__l2cap_get_chan_by_ident(struct l2cap_chan_list *l, u8 ident)
166{
167 struct sock *s;
168 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
169 if (l2cap_pi(s)->ident == ident)
170 break;
171 }
172 return s;
173}
174
175static inline struct sock *l2cap_get_chan_by_ident(struct l2cap_chan_list *l, u8 ident)
176{
177 struct sock *s;
178 read_lock(&l->lock);
179 s = __l2cap_get_chan_by_ident(l, ident);
af05b30b
GP		 180 if (s)
181 bh_lock_sock(s);
0139418c
MH		 182 read_unlock(&l->lock);
183 return s;
184}
185
186static u16 l2cap_alloc_cid(struct l2cap_chan_list *l)
187{
8db4dc46 188 u16 cid = L2CAP_CID_DYN_START;
0139418c 189
8db4dc46 190 for (; cid < L2CAP_CID_DYN_END; cid++) {
af05b30b 191 if (!__l2cap_get_chan_by_scid(l, cid))
0139418c
MH		 192 return cid;
193 }
194
195 return 0;
196}
197
198static inline void __l2cap_chan_link(struct l2cap_chan_list *l, struct sock *sk)
199{
200 sock_hold(sk);
201
202 if (l->head)
203 l2cap_pi(l->head)->prev_c = sk;
204
205 l2cap_pi(sk)->next_c = l->head;
206 l2cap_pi(sk)->prev_c = NULL;
207 l->head = sk;
208}
209
210static inline void l2cap_chan_unlink(struct l2cap_chan_list *l, struct sock *sk)
211{
212 struct sock *next = l2cap_pi(sk)->next_c, *prev = l2cap_pi(sk)->prev_c;
213
fd1278d7 214 write_lock_bh(&l->lock);
0139418c
MH		 215 if (sk == l->head)
216 l->head = next;
217
218 if (next)
219 l2cap_pi(next)->prev_c = prev;
220 if (prev)
221 l2cap_pi(prev)->next_c = next;
fd1278d7 222 write_unlock_bh(&l->lock);
0139418c
MH		 223
224 __sock_put(sk);
225}
226
227static void __l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent)
228{
229 struct l2cap_chan_list *l = &conn->chan_list;
230
af05b30b
GP		 231 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
232 l2cap_pi(sk)->psm, l2cap_pi(sk)->dcid);
0139418c 233
2950f21a
MH		 234 conn->disc_reason = 0x13;
235
0139418c
MH		 236 l2cap_pi(sk)->conn = conn;
237
bd3c9e25 238 if (sk->sk_type == SOCK_SEQPACKET || sk->sk_type == SOCK_STREAM) {
0139418c
MH		 239 /* Alloc CID for connection-oriented socket */
240 l2cap_pi(sk)->scid = l2cap_alloc_cid(l);
241 } else if (sk->sk_type == SOCK_DGRAM) {
242 /* Connectionless socket */
8db4dc46
GP		 243 l2cap_pi(sk)->scid = L2CAP_CID_CONN_LESS;
244 l2cap_pi(sk)->dcid = L2CAP_CID_CONN_LESS;
0139418c
MH		 245 l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU;
246 } else {
247 /* Raw socket can send/recv signalling messages only */
8db4dc46
GP		 248 l2cap_pi(sk)->scid = L2CAP_CID_SIGNALING;
249 l2cap_pi(sk)->dcid = L2CAP_CID_SIGNALING;
0139418c
MH		 250 l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU;
251 }
252
253 __l2cap_chan_link(l, sk);
254
255 if (parent)
256 bt_accept_enqueue(parent, sk);
257}
258
8e87d142 259/* Delete channel.
0139418c
MH		 260 * Must be called on the locked socket. */
261static void l2cap_chan_del(struct sock *sk, int err)
262{
263 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
264 struct sock *parent = bt_sk(sk)->parent;
265
266 l2cap_sock_clear_timer(sk);
267
268 BT_DBG("sk %p, conn %p, err %d", sk, conn, err);
269
8e87d142 270 if (conn) {
0139418c
MH		 271 /* Unlink from channel list */
272 l2cap_chan_unlink(&conn->chan_list, sk);
273 l2cap_pi(sk)->conn = NULL;
274 hci_conn_put(conn->hcon);
275 }
276
b1235d79 277 sk->sk_state = BT_CLOSED;
0139418c
MH		 278 sock_set_flag(sk, SOCK_ZAPPED);
279
280 if (err)
281 sk->sk_err = err;
282
283 if (parent) {
284 bt_accept_unlink(sk);
285 parent->sk_data_ready(parent, 0);
286 } else
287 sk->sk_state_change(sk);
c13ffa62
GP		 288
289 skb_queue_purge(TX_QUEUE(sk));
290
291 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM) {
292 struct srej_list *l, *tmp;
293
294 del_timer(&l2cap_pi(sk)->retrans_timer);
295 del_timer(&l2cap_pi(sk)->monitor_timer);
296 del_timer(&l2cap_pi(sk)->ack_timer);
297
298 skb_queue_purge(SREJ_QUEUE(sk));
299 skb_queue_purge(BUSY_QUEUE(sk));
300
301 list_for_each_entry_safe(l, tmp, SREJ_LIST(sk), list) {
302 list_del(&l->list);
303 kfree(l);
304 }
305 }
0139418c
MH		 306}
307
79d554a6 308/* Service level security */
2af6b9d5 309static inline int l2cap_check_security(struct sock *sk)
79d554a6
MH		 310{
311 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
0684e5f9
MH		 312 __u8 auth_type;
313
00ae4af9
MH		 314 if (l2cap_pi(sk)->psm == cpu_to_le16(0x0001)) {
315 if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
316 auth_type = HCI_AT_NO_BONDING_MITM;
317 else
af05b30b 318 auth_type = HCI_AT_NO_BONDING;
00ae4af9
MH		 319
320 if (l2cap_pi(sk)->sec_level == BT_SECURITY_LOW)
321 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
322 } else {
323 switch (l2cap_pi(sk)->sec_level) {
324 case BT_SECURITY_HIGH:
325 auth_type = HCI_AT_GENERAL_BONDING_MITM;
326 break;
327 case BT_SECURITY_MEDIUM:
328 auth_type = HCI_AT_GENERAL_BONDING;
329 break;
330 default:
331 auth_type = HCI_AT_NO_BONDING;
332 break;
333 }
0684e5f9 334 }
79d554a6 335
0684e5f9
MH		 336 return hci_conn_security(conn->hcon, l2cap_pi(sk)->sec_level,
337 auth_type);
79d554a6
MH		 338}
339
4e8402a3
MH		 340static inline u8 l2cap_get_ident(struct l2cap_conn *conn)
341{
342 u8 id;
343
344 /* Get next available identificator.
345 * 1 - 128 are used by kernel.
346 * 129 - 199 are reserved.
347 * 200 - 254 are used by utilities like l2ping, etc.
348 */
349
350 spin_lock_bh(&conn->lock);
351
352 if (++conn->tx_ident > 128)
353 conn->tx_ident = 1;
354
355 id = conn->tx_ident;
356
357 spin_unlock_bh(&conn->lock);
358
359 return id;
360}
361
9a9c6a34 362static inline void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
4e8402a3
MH		 363{
364 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
365
366 BT_DBG("code 0x%2.2x", code);
367
368 if (!skb)
9a9c6a34 369 return;
4e8402a3 370
9a9c6a34 371 hci_send_acl(conn->hcon, skb, 0);
4e8402a3
MH		 372}
373
9a9c6a34 374static inline void l2cap_send_sframe(struct l2cap_pinfo *pi, u16 control)
1c2acffb
GP		 375{
376 struct sk_buff *skb;
377 struct l2cap_hdr *lh;
378 struct l2cap_conn *conn = pi->conn;
c13ffa62 379 struct sock *sk = (struct sock *)pi;
fcc203c3
GP		 380 int count, hlen = L2CAP_HDR_SIZE + 2;
381
c13ffa62
GP		 382 if (sk->sk_state != BT_CONNECTED)
383 return;
384
fcc203c3
GP		 385 if (pi->fcs == L2CAP_FCS_CRC16)
386 hlen += 2;
1c2acffb
GP		 387
388 BT_DBG("pi %p, control 0x%2.2x", pi, control);
389
fcc203c3 390 count = min_t(unsigned int, conn->mtu, hlen);
1c2acffb
GP		 391 control |= L2CAP_CTRL_FRAME_TYPE;
392
9e917af1
GP		 393 if (pi->conn_state & L2CAP_CONN_SEND_FBIT) {
394 control |= L2CAP_CTRL_FINAL;
395 pi->conn_state &= ~L2CAP_CONN_SEND_FBIT;
396 }
397
f0946ccf
GP		 398 if (pi->conn_state & L2CAP_CONN_SEND_PBIT) {
399 control |= L2CAP_CTRL_POLL;
400 pi->conn_state &= ~L2CAP_CONN_SEND_PBIT;
401 }
402
1c2acffb
GP		 403 skb = bt_skb_alloc(count, GFP_ATOMIC);
404 if (!skb)
9a9c6a34 405 return;
1c2acffb
GP		 406
407 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fcc203c3 408 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
1c2acffb
GP		 409 lh->cid = cpu_to_le16(pi->dcid);
410 put_unaligned_le16(control, skb_put(skb, 2));
411
fcc203c3
GP		 412 if (pi->fcs == L2CAP_FCS_CRC16) {
413 u16 fcs = crc16(0, (u8 *)lh, count - 2);
414 put_unaligned_le16(fcs, skb_put(skb, 2));
415 }
416
9a9c6a34 417 hci_send_acl(pi->conn->hcon, skb, 0);
1c2acffb
GP		 418}
419
9a9c6a34 420static inline void l2cap_send_rr_or_rnr(struct l2cap_pinfo *pi, u16 control)
7e743090 421{
1890d36b 422 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) {
7e743090 423 control |= L2CAP_SUPER_RCV_NOT_READY;
1890d36b
GP		 424 pi->conn_state |= L2CAP_CONN_RNR_SENT;
425 } else
7e743090
GP		 426 control |= L2CAP_SUPER_RCV_READY;
427
2ab25cdd
GP		 428 control |= pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
429
9a9c6a34 430 l2cap_send_sframe(pi, control);
7e743090
GP		 431}
432
e501d055
AE		 433static inline int __l2cap_no_conn_pending(struct sock *sk)
434{
435 return !(l2cap_pi(sk)->conf_state & L2CAP_CONF_CONNECT_PEND);
436}
437
79d554a6
MH		 438static void l2cap_do_start(struct sock *sk)
439{
440 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
441
442 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 443 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
444 return;
445
e501d055 446 if (l2cap_check_security(sk) && __l2cap_no_conn_pending(sk)) {
b1235d79
MH		 447 struct l2cap_conn_req req;
448 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
449 req.psm = l2cap_pi(sk)->psm;
79d554a6 450
b1235d79 451 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
e501d055 452 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
79d554a6 453
b1235d79 454 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
79d554a6 455 L2CAP_CONN_REQ, sizeof(req), &req);
b1235d79 456 }
79d554a6
MH		 457 } else {
458 struct l2cap_info_req req;
459 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
460
461 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
462 conn->info_ident = l2cap_get_ident(conn);
463
464 mod_timer(&conn->info_timer, jiffies +
465 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
466
467 l2cap_send_cmd(conn, conn->info_ident,
468 L2CAP_INFO_REQ, sizeof(req), &req);
469 }
470}
471
cf6c2c0b
GP		 472static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
473{
474 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 475 if (!disable_ertm)
cf6c2c0b
GP		 476 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
477
478 switch (mode) {
479 case L2CAP_MODE_ERTM:
480 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
481 case L2CAP_MODE_STREAMING:
482 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
483 default:
484 return 0x00;
485 }
486}
487
9b108fc0 488static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct sock *sk, int err)
22121fc9
GP		 489{
490 struct l2cap_disconn_req req;
491
c13ffa62
GP		 492 if (!conn)
493 return;
494
495 skb_queue_purge(TX_QUEUE(sk));
496
497 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM) {
498 del_timer(&l2cap_pi(sk)->retrans_timer);
499 del_timer(&l2cap_pi(sk)->monitor_timer);
500 del_timer(&l2cap_pi(sk)->ack_timer);
501 }
502
22121fc9
GP		 503 req.dcid = cpu_to_le16(l2cap_pi(sk)->dcid);
504 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
505 l2cap_send_cmd(conn, l2cap_get_ident(conn),
506 L2CAP_DISCONN_REQ, sizeof(req), &req);
c13ffa62
GP		 507
508 sk->sk_state = BT_DISCONN;
9b108fc0 509 sk->sk_err = err;
22121fc9
GP		 510}
511
1da177e4 512/* ---- L2CAP connections ---- */
4e8402a3
MH		 513static void l2cap_conn_start(struct l2cap_conn *conn)
514{
515 struct l2cap_chan_list *l = &conn->chan_list;
cf6c2c0b 516 struct sock_del_list del, *tmp1, *tmp2;
4e8402a3
MH		 517 struct sock *sk;
518
519 BT_DBG("conn %p", conn);
520
cf6c2c0b
GP		 521 INIT_LIST_HEAD(&del.list);
522
4e8402a3
MH		 523 read_lock(&l->lock);
524
525 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
526 bh_lock_sock(sk);
527
bd3c9e25
GP		 528 if (sk->sk_type != SOCK_SEQPACKET &&
529 sk->sk_type != SOCK_STREAM) {
79d554a6
MH		 530 bh_unlock_sock(sk);
531 continue;
532 }
533
534 if (sk->sk_state == BT_CONNECT) {
47731de7 535 struct l2cap_conn_req req;
79d554a6 536
47731de7
GP		 537 if (!l2cap_check_security(sk) ||
538 !__l2cap_no_conn_pending(sk)) {
539 bh_unlock_sock(sk);
540 continue;
541 }
79d554a6 542
47731de7
GP		 543 if (!l2cap_mode_supported(l2cap_pi(sk)->mode,
544 conn->feat_mask)
545 && l2cap_pi(sk)->conf_state &
546 L2CAP_CONF_STATE2_DEVICE) {
547 tmp1 = kzalloc(sizeof(struct sock_del_list),
548 GFP_ATOMIC);
549 tmp1->sk = sk;
550 list_add_tail(&tmp1->list, &del.list);
551 bh_unlock_sock(sk);
552 continue;
b1235d79 553 }
47731de7
GP		 554
555 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
556 req.psm = l2cap_pi(sk)->psm;
557
558 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
559 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
560
561 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
562 L2CAP_CONN_REQ, sizeof(req), &req);
563
79d554a6
MH		 564 } else if (sk->sk_state == BT_CONNECT2) {
565 struct l2cap_conn_rsp rsp;
e9aeb2dd 566 char buf[128];
79d554a6
MH		 567 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
568 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
569
2af6b9d5 570 if (l2cap_check_security(sk)) {
f66dc81f
MH		 571 if (bt_sk(sk)->defer_setup) {
572 struct sock *parent = bt_sk(sk)->parent;
573 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
574 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
575 parent->sk_data_ready(parent, 0);
576
577 } else {
578 sk->sk_state = BT_CONFIG;
579 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
580 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
581 }
79d554a6
MH		 582 } else {
583 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
584 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
585 }
586
587 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
588 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
e9aeb2dd
GP		 589
590 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT ||
591 rsp.result != L2CAP_CR_SUCCESS) {
592 bh_unlock_sock(sk);
593 continue;
594 }
595
596 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
597 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
598 l2cap_build_conf_req(sk, buf), buf);
599 l2cap_pi(sk)->num_conf_req++;
4e8402a3
MH		 600 }
601
602 bh_unlock_sock(sk);
603 }
604
605 read_unlock(&l->lock);
cf6c2c0b
GP		 606
607 list_for_each_entry_safe(tmp1, tmp2, &del.list, list) {
608 bh_lock_sock(tmp1->sk);
609 __l2cap_sock_close(tmp1->sk, ECONNRESET);
610 bh_unlock_sock(tmp1->sk);
611 list_del(&tmp1->list);
612 kfree(tmp1);
613 }
4e8402a3
MH		 614}
615
616static void l2cap_conn_ready(struct l2cap_conn *conn)
617{
79d554a6
MH		 618 struct l2cap_chan_list *l = &conn->chan_list;
619 struct sock *sk;
4e8402a3 620
79d554a6 621 BT_DBG("conn %p", conn);
4e8402a3 622
79d554a6 623 read_lock(&l->lock);
4e8402a3 624
79d554a6
MH		 625 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
626 bh_lock_sock(sk);
4e8402a3 627
bd3c9e25
GP		 628 if (sk->sk_type != SOCK_SEQPACKET &&
629 sk->sk_type != SOCK_STREAM) {
79d554a6
MH		 630 l2cap_sock_clear_timer(sk);
631 sk->sk_state = BT_CONNECTED;
632 sk->sk_state_change(sk);
633 } else if (sk->sk_state == BT_CONNECT)
634 l2cap_do_start(sk);
4e8402a3 635
79d554a6 636 bh_unlock_sock(sk);
4e8402a3 637 }
79d554a6
MH		 638
639 read_unlock(&l->lock);
4e8402a3
MH		 640}
641
642/* Notify sockets that we cannot guaranty reliability anymore */
643static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
644{
645 struct l2cap_chan_list *l = &conn->chan_list;
646 struct sock *sk;
647
648 BT_DBG("conn %p", conn);
649
650 read_lock(&l->lock);
651
652 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
2af6b9d5 653 if (l2cap_pi(sk)->force_reliable)
4e8402a3
MH		 654 sk->sk_err = err;
655 }
656
657 read_unlock(&l->lock);
658}
659
660static void l2cap_info_timeout(unsigned long arg)
661{
662 struct l2cap_conn *conn = (void *) arg;
663
984947dc 664 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 665 conn->info_ident = 0;
984947dc 666
4e8402a3
MH		 667 l2cap_conn_start(conn);
668}
669
1da177e4
LT		 670static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
671{
0139418c 672 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4 673
0139418c 674 if (conn || status)
1da177e4
LT		 675 return conn;
676
0139418c
MH		 677 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
678 if (!conn)
1da177e4 679 return NULL;
1da177e4
LT		 680
681 hcon->l2cap_data = conn;
682 conn->hcon = hcon;
683
0139418c
MH		 684 BT_DBG("hcon %p conn %p", hcon, conn);
685
1da177e4
LT		 686 conn->mtu = hcon->hdev->acl_mtu;
687 conn->src = &hcon->hdev->bdaddr;
688 conn->dst = &hcon->dst;
689
4e8402a3
MH		 690 conn->feat_mask = 0;
691
1da177e4
LT		 692 spin_lock_init(&conn->lock);
693 rwlock_init(&conn->chan_list.lock);
694
45054dc1
DY		 695 setup_timer(&conn->info_timer, l2cap_info_timeout,
696 (unsigned long) conn);
697
2950f21a
MH		 698 conn->disc_reason = 0x13;
699
1da177e4
LT		 700 return conn;
701}
702
0139418c 703static void l2cap_conn_del(struct hci_conn *hcon, int err)
1da177e4 704{
0139418c 705 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4
LT		 706 struct sock *sk;
707
0139418c
MH		 708 if (!conn)
709 return;
1da177e4
LT		 710
711 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
712
7585b97a 713 kfree_skb(conn->rx_skb);
1da177e4
LT		 714
715 /* Kill channels */
716 while ((sk = conn->chan_list.head)) {
717 bh_lock_sock(sk);
718 l2cap_chan_del(sk, err);
719 bh_unlock_sock(sk);
720 l2cap_sock_kill(sk);
721 }
722
8e8440f5
DY		 723 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
724 del_timer_sync(&conn->info_timer);
3ab22731 725
1da177e4
LT		 726 hcon->l2cap_data = NULL;
727 kfree(conn);
1da177e4
LT		 728}
729
730static inline void l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent)
731{
732 struct l2cap_chan_list *l = &conn->chan_list;
fd1278d7 733 write_lock_bh(&l->lock);
1da177e4 734 __l2cap_chan_add(conn, sk, parent);
fd1278d7 735 write_unlock_bh(&l->lock);
1da177e4
LT		 736}
737
1da177e4 738/* ---- Socket interface ---- */
8e036fc3 739static struct sock *__l2cap_get_sock_by_addr(__le16 psm, bdaddr_t *src)
1da177e4
LT		 740{
741 struct sock *sk;
742 struct hlist_node *node;
743 sk_for_each(sk, node, &l2cap_sk_list.head)
744 if (l2cap_pi(sk)->sport == psm && !bacmp(&bt_sk(sk)->src, src))
745 goto found;
746 sk = NULL;
747found:
748 return sk;
749}
750
751/* Find socket with psm and source bdaddr.
752 * Returns closest match.
753 */
e0f0cb56 754static struct sock *l2cap_get_sock_by_psm(int state, __le16 psm, bdaddr_t *src)
1da177e4
LT		 755{
756 struct sock *sk = NULL, *sk1 = NULL;
757 struct hlist_node *node;
758
e0f0cb56
GP		 759 read_lock(&l2cap_sk_list.lock);
760
1da177e4
LT		 761 sk_for_each(sk, node, &l2cap_sk_list.head) {
762 if (state && sk->sk_state != state)
763 continue;
764
765 if (l2cap_pi(sk)->psm == psm) {
766 /* Exact match. */
767 if (!bacmp(&bt_sk(sk)->src, src))
768 break;
769
770 /* Closest match */
771 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
772 sk1 = sk;
773 }
774 }
1da177e4 775
1da177e4 776 read_unlock(&l2cap_sk_list.lock);
e0f0cb56
GP		 777
778 return node ? sk : sk1;
1da177e4
LT		 779}
780
781static void l2cap_sock_destruct(struct sock *sk)
782{
783 BT_DBG("sk %p", sk);
784
785 skb_queue_purge(&sk->sk_receive_queue);
786 skb_queue_purge(&sk->sk_write_queue);
787}
788
789static void l2cap_sock_cleanup_listen(struct sock *parent)
790{
791 struct sock *sk;
792
793 BT_DBG("parent %p", parent);
794
795 /* Close not yet accepted channels */
796 while ((sk = bt_accept_dequeue(parent, NULL)))
797 l2cap_sock_close(sk);
798
b1235d79 799 parent->sk_state = BT_CLOSED;
1da177e4
LT		 800 sock_set_flag(parent, SOCK_ZAPPED);
801}
802
803/* Kill socket (only if zapped and orphan)
804 * Must be called on unlocked socket.
805 */
806static void l2cap_sock_kill(struct sock *sk)
807{
808 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
809 return;
810
811 BT_DBG("sk %p state %d", sk, sk->sk_state);
812
813 /* Kill poor orphan */
814 bt_sock_unlink(&l2cap_sk_list, sk);
815 sock_set_flag(sk, SOCK_DEAD);
816 sock_put(sk);
817}
818
819static void __l2cap_sock_close(struct sock *sk, int reason)
820{
821 BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
822
823 switch (sk->sk_state) {
824 case BT_LISTEN:
825 l2cap_sock_cleanup_listen(sk);
826 break;
827
828 case BT_CONNECTED:
829 case BT_CONFIG:
bd3c9e25
GP		 830 if (sk->sk_type == SOCK_SEQPACKET ||
831 sk->sk_type == SOCK_STREAM) {
1da177e4 832 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1da177e4 833
1da177e4 834 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
9b108fc0 835 l2cap_send_disconn_req(conn, sk, reason);
b1235d79 836 } else
1da177e4 837 l2cap_chan_del(sk, reason);
1da177e4
LT		 838 break;
839
f66dc81f 840 case BT_CONNECT2:
bd3c9e25
GP		 841 if (sk->sk_type == SOCK_SEQPACKET ||
842 sk->sk_type == SOCK_STREAM) {
f66dc81f
MH		 843 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
844 struct l2cap_conn_rsp rsp;
845 __u16 result;
846
847 if (bt_sk(sk)->defer_setup)
848 result = L2CAP_CR_SEC_BLOCK;
849 else
850 result = L2CAP_CR_BAD_PSM;
851
852 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
853 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
854 rsp.result = cpu_to_le16(result);
855 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
856 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
857 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
858 } else
859 l2cap_chan_del(sk, reason);
860 break;
861
1da177e4
LT		 862 case BT_CONNECT:
863 case BT_DISCONN:
864 l2cap_chan_del(sk, reason);
865 break;
866
867 default:
868 sock_set_flag(sk, SOCK_ZAPPED);
869 break;
870 }
871}
872
873/* Must be called on unlocked socket. */
874static void l2cap_sock_close(struct sock *sk)
875{
876 l2cap_sock_clear_timer(sk);
877 lock_sock(sk);
878 __l2cap_sock_close(sk, ECONNRESET);
879 release_sock(sk);
880 l2cap_sock_kill(sk);
881}
882
883static void l2cap_sock_init(struct sock *sk, struct sock *parent)
884{
885 struct l2cap_pinfo *pi = l2cap_pi(sk);
886
887 BT_DBG("sk %p", sk);
888
889 if (parent) {
890 sk->sk_type = parent->sk_type;
f66dc81f
MH		 891 bt_sk(sk)->defer_setup = bt_sk(parent)->defer_setup;
892
1da177e4
LT		 893 pi->imtu = l2cap_pi(parent)->imtu;
894 pi->omtu = l2cap_pi(parent)->omtu;
85eb53c6 895 pi->conf_state = l2cap_pi(parent)->conf_state;
c6b03cf9
MH		 896 pi->mode = l2cap_pi(parent)->mode;
897 pi->fcs = l2cap_pi(parent)->fcs;
68d7f0ce 898 pi->max_tx = l2cap_pi(parent)->max_tx;
14b5aa71 899 pi->tx_win = l2cap_pi(parent)->tx_win;
2af6b9d5
MH		 900 pi->sec_level = l2cap_pi(parent)->sec_level;
901 pi->role_switch = l2cap_pi(parent)->role_switch;
902 pi->force_reliable = l2cap_pi(parent)->force_reliable;
1da177e4
LT		 903 } else {
904 pi->imtu = L2CAP_DEFAULT_MTU;
905 pi->omtu = 0;
d1c4a17d 906 if (!disable_ertm && sk->sk_type == SOCK_STREAM) {
bd3c9e25 907 pi->mode = L2CAP_MODE_ERTM;
85eb53c6
GP		 908 pi->conf_state |= L2CAP_CONF_STATE2_DEVICE;
909 } else {
bd3c9e25 910 pi->mode = L2CAP_MODE_BASIC;
85eb53c6 911 }
fd059b9b 912 pi->max_tx = L2CAP_DEFAULT_MAX_TX;
c6b03cf9 913 pi->fcs = L2CAP_FCS_CRC16;
fd059b9b 914 pi->tx_win = L2CAP_DEFAULT_TX_WINDOW;
2af6b9d5
MH		 915 pi->sec_level = BT_SECURITY_LOW;
916 pi->role_switch = 0;
917 pi->force_reliable = 0;
1da177e4
LT		 918 }
919
920 /* Default config options */
5dee9e7c 921 pi->conf_len = 0;
1da177e4 922 pi->flush_to = L2CAP_DEFAULT_FLUSH_TO;
45054dc1
DY		 923 skb_queue_head_init(TX_QUEUE(sk));
924 skb_queue_head_init(SREJ_QUEUE(sk));
1890d36b 925 skb_queue_head_init(BUSY_QUEUE(sk));
45054dc1 926 INIT_LIST_HEAD(SREJ_LIST(sk));
1da177e4
LT		 927}
928
929static struct proto l2cap_proto = {
930 .name = "L2CAP",
931 .owner = THIS_MODULE,
932 .obj_size = sizeof(struct l2cap_pinfo)
933};
934
1b8d7ae4 935static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio)
1da177e4
LT		 936{
937 struct sock *sk;
938
6257ff21 939 sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto);
1da177e4
LT		 940 if (!sk)
941 return NULL;
942
943 sock_init_data(sock, sk);
944 INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
945
946 sk->sk_destruct = l2cap_sock_destruct;
4e8402a3 947 sk->sk_sndtimeo = msecs_to_jiffies(L2CAP_CONN_TIMEOUT);
1da177e4
LT		 948
949 sock_reset_flag(sk, SOCK_ZAPPED);
950
951 sk->sk_protocol = proto;
b1235d79 952 sk->sk_state = BT_OPEN;
1da177e4 953
b1235d79 954 setup_timer(&sk->sk_timer, l2cap_sock_timeout, (unsigned long) sk);
1da177e4
LT		 955
956 bt_sock_link(&l2cap_sk_list, sk);
957 return sk;
958}
959
3f378b68
EP		 960static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
961 int kern)
1da177e4
LT		 962{
963 struct sock *sk;
964
965 BT_DBG("sock %p", sock);
966
967 sock->state = SS_UNCONNECTED;
968
bd3c9e25 969 if (sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM &&
1da177e4
LT		 970 sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
971 return -ESOCKTNOSUPPORT;
972
c84b3268 973 if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
1da177e4
LT		 974 return -EPERM;
975
976 sock->ops = &l2cap_sock_ops;
977
1b8d7ae4 978 sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC);
1da177e4
LT		 979 if (!sk)
980 return -ENOMEM;
981
982 l2cap_sock_init(sk, NULL);
983 return 0;
984}
985
f29972de 986static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
1da177e4 987{
1da177e4 988 struct sock *sk = sock->sk;
f29972de
MH		 989 struct sockaddr_l2 la;
990 int len, err = 0;
1da177e4 991
f29972de 992 BT_DBG("sk %p", sk);
1da177e4
LT		 993
994 if (!addr || addr->sa_family != AF_BLUETOOTH)
995 return -EINVAL;
996
f29972de
MH		 997 memset(&la, 0, sizeof(la));
998 len = min_t(unsigned int, sizeof(la), alen);
999 memcpy(&la, addr, len);
1000
2a517ca6
MH		 1001 if (la.l2_cid)
1002 return -EINVAL;
1003
1da177e4
LT		 1004 lock_sock(sk);
1005
1006 if (sk->sk_state != BT_OPEN) {
1007 err = -EBADFD;
1008 goto done;
1009 }
1010
0fba2558
MM		 1011 if (la.l2_psm) {
1012 __u16 psm = __le16_to_cpu(la.l2_psm);
1013
1014 /* PSM must be odd and lsb of upper byte must be 0 */
1015 if ((psm & 0x0101) != 0x0001) {
1016 err = -EINVAL;
1017 goto done;
1018 }
1019
1020 /* Restrict usage of well-known PSMs */
1021 if (psm < 0x1001 && !capable(CAP_NET_BIND_SERVICE)) {
1022 err = -EACCES;
1023 goto done;
1024 }
847641d7 1025 }
8e87d142 1026
1da177e4
LT		 1027 write_lock_bh(&l2cap_sk_list.lock);
1028
f29972de 1029 if (la.l2_psm && __l2cap_get_sock_by_addr(la.l2_psm, &la.l2_bdaddr)) {
1da177e4
LT		 1030 err = -EADDRINUSE;
1031 } else {
1032 /* Save source address */
f29972de
MH		 1033 bacpy(&bt_sk(sk)->src, &la.l2_bdaddr);
1034 l2cap_pi(sk)->psm = la.l2_psm;
1035 l2cap_pi(sk)->sport = la.l2_psm;
1da177e4 1036 sk->sk_state = BT_BOUND;
2af6b9d5 1037
b4324b5d
MH		 1038 if (__le16_to_cpu(la.l2_psm) == 0x0001 ||
1039 __le16_to_cpu(la.l2_psm) == 0x0003)
2af6b9d5 1040 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
1da177e4
LT		 1041 }
1042
1043 write_unlock_bh(&l2cap_sk_list.lock);
1044
1045done:
1046 release_sock(sk);
1047 return err;
1048}
1049
1050static int l2cap_do_connect(struct sock *sk)
1051{
1052 bdaddr_t *src = &bt_sk(sk)->src;
1053 bdaddr_t *dst = &bt_sk(sk)->dst;
1054 struct l2cap_conn *conn;
1055 struct hci_conn *hcon;
1056 struct hci_dev *hdev;
09ab6f4c 1057 __u8 auth_type;
44d0e48e 1058 int err;
1da177e4 1059
f29972de
MH		 1060 BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
1061 l2cap_pi(sk)->psm);
1da177e4 1062
af05b30b
GP		 1063 hdev = hci_get_route(dst, src);
1064 if (!hdev)
1da177e4
LT		 1065 return -EHOSTUNREACH;
1066
1067 hci_dev_lock_bh(hdev);
1068
1069 err = -ENOMEM;
1070
8c1b2355 1071 if (sk->sk_type == SOCK_RAW) {
2af6b9d5
MH		 1072 switch (l2cap_pi(sk)->sec_level) {
1073 case BT_SECURITY_HIGH:
8c1b2355 1074 auth_type = HCI_AT_DEDICATED_BONDING_MITM;
2af6b9d5
MH		 1075 break;
1076 case BT_SECURITY_MEDIUM:
8c1b2355 1077 auth_type = HCI_AT_DEDICATED_BONDING;
2af6b9d5
MH		 1078 break;
1079 default:
09ab6f4c 1080 auth_type = HCI_AT_NO_BONDING;
2af6b9d5
MH		 1081 break;
1082 }
8c1b2355 1083 } else if (l2cap_pi(sk)->psm == cpu_to_le16(0x0001)) {
2af6b9d5 1084 if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
8c1b2355 1085 auth_type = HCI_AT_NO_BONDING_MITM;
09ab6f4c 1086 else
8c1b2355 1087 auth_type = HCI_AT_NO_BONDING;
435fef20
MH		 1088
1089 if (l2cap_pi(sk)->sec_level == BT_SECURITY_LOW)
1090 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
8c1b2355 1091 } else {
2af6b9d5
MH		 1092 switch (l2cap_pi(sk)->sec_level) {
1093 case BT_SECURITY_HIGH:
8c1b2355 1094 auth_type = HCI_AT_GENERAL_BONDING_MITM;
2af6b9d5
MH		 1095 break;
1096 case BT_SECURITY_MEDIUM:
09ab6f4c 1097 auth_type = HCI_AT_GENERAL_BONDING;
2af6b9d5
MH		 1098 break;
1099 default:
8c1b2355 1100 auth_type = HCI_AT_NO_BONDING;
2af6b9d5
MH		 1101 break;
1102 }
09ab6f4c
MH		 1103 }
1104
2af6b9d5
MH		 1105 hcon = hci_connect(hdev, ACL_LINK, dst,
1106 l2cap_pi(sk)->sec_level, auth_type);
1da177e4
LT		 1107 if (!hcon)
1108 goto done;
1109
1110 conn = l2cap_conn_add(hcon, 0);
1111 if (!conn) {
1112 hci_conn_put(hcon);
1113 goto done;
1114 }
1115
1116 err = 0;
1117
1118 /* Update source addr of the socket */
1119 bacpy(src, conn->src);
1120
1121 l2cap_chan_add(conn, sk, NULL);
1122
1123 sk->sk_state = BT_CONNECT;
1124 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
1125
1126 if (hcon->state == BT_CONNECTED) {
bd3c9e25
GP		 1127 if (sk->sk_type != SOCK_SEQPACKET &&
1128 sk->sk_type != SOCK_STREAM) {
1da177e4
LT		 1129 l2cap_sock_clear_timer(sk);
1130 sk->sk_state = BT_CONNECTED;
79d554a6
MH		 1131 } else
1132 l2cap_do_start(sk);
1da177e4
LT		 1133 }
1134
1135done:
1136 hci_dev_unlock_bh(hdev);
1137 hci_dev_put(hdev);
1138 return err;
1139}
1140
1141static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags)
1142{
1da177e4 1143 struct sock *sk = sock->sk;
f29972de
MH		 1144 struct sockaddr_l2 la;
1145 int len, err = 0;
1da177e4 1146
1da177e4
LT		 1147 BT_DBG("sk %p", sk);
1148
6503d961
CG		 1149 if (!addr || alen < sizeof(addr->sa_family) ||
1150 addr->sa_family != AF_BLUETOOTH)
2a517ca6 1151 return -EINVAL;
1da177e4 1152
f29972de
MH		 1153 memset(&la, 0, sizeof(la));
1154 len = min_t(unsigned int, sizeof(la), alen);
1155 memcpy(&la, addr, len);
1156
2a517ca6
MH		 1157 if (la.l2_cid)
1158 return -EINVAL;
1159
1160 lock_sock(sk);
1161
bd3c9e25
GP		 1162 if ((sk->sk_type == SOCK_SEQPACKET || sk->sk_type == SOCK_STREAM)
1163 && !la.l2_psm) {
1da177e4
LT		 1164 err = -EINVAL;
1165 goto done;
1166 }
1167
c6b03cf9
MH		 1168 switch (l2cap_pi(sk)->mode) {
1169 case L2CAP_MODE_BASIC:
1170 break;
1171 case L2CAP_MODE_ERTM:
f2fcfcd6 1172 case L2CAP_MODE_STREAMING:
d1c4a17d 1173 if (!disable_ertm)
c6b03cf9
MH		 1174 break;
1175 /* fall through */
1176 default:
1177 err = -ENOTSUPP;
1178 goto done;
1179 }
1180
af05b30b 1181 switch (sk->sk_state) {
1da177e4
LT		 1182 case BT_CONNECT:
1183 case BT_CONNECT2:
1184 case BT_CONFIG:
1185 /* Already connecting */
1186 goto wait;
1187
1188 case BT_CONNECTED:
1189 /* Already connected */
8b0dc6dc 1190 err = -EISCONN;
1da177e4
LT		 1191 goto done;
1192
1193 case BT_OPEN:
1194 case BT_BOUND:
1195 /* Can connect */
1196 break;
1197
1198 default:
1199 err = -EBADFD;
1200 goto done;
1201 }
1202
0fba2558
MM		 1203 /* PSM must be odd and lsb of upper byte must be 0 */
1204 if ((__le16_to_cpu(la.l2_psm) & 0x0101) != 0x0001 &&
1205 sk->sk_type != SOCK_RAW) {
1206 err = -EINVAL;
1207 goto done;
1208 }
1209
1da177e4 1210 /* Set destination address and psm */
f29972de
MH		 1211 bacpy(&bt_sk(sk)->dst, &la.l2_bdaddr);
1212 l2cap_pi(sk)->psm = la.l2_psm;
1da177e4 1213
af05b30b
GP		 1214 err = l2cap_do_connect(sk);
1215 if (err)
1da177e4
LT		 1216 goto done;
1217
1218wait:
1219 err = bt_sock_wait_state(sk, BT_CONNECTED,
1220 sock_sndtimeo(sk, flags & O_NONBLOCK));
1221done:
1222 release_sock(sk);
1223 return err;
1224}
1225
1226static int l2cap_sock_listen(struct socket *sock, int backlog)
1227{
1228 struct sock *sk = sock->sk;
1229 int err = 0;
1230
1231 BT_DBG("sk %p backlog %d", sk, backlog);
1232
1233 lock_sock(sk);
1234
bd3c9e25
GP		 1235 if ((sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM)
1236 || sk->sk_state != BT_BOUND) {
1da177e4
LT		 1237 err = -EBADFD;
1238 goto done;
1239 }
1240
c6b03cf9
MH		 1241 switch (l2cap_pi(sk)->mode) {
1242 case L2CAP_MODE_BASIC:
1243 break;
1244 case L2CAP_MODE_ERTM:
f2fcfcd6 1245 case L2CAP_MODE_STREAMING:
d1c4a17d 1246 if (!disable_ertm)
c6b03cf9
MH		 1247 break;
1248 /* fall through */
1249 default:
1250 err = -ENOTSUPP;
1251 goto done;
1252 }
1253
1da177e4
LT		 1254 if (!l2cap_pi(sk)->psm) {
1255 bdaddr_t *src = &bt_sk(sk)->src;
1256 u16 psm;
1257
1258 err = -EINVAL;
1259
1260 write_lock_bh(&l2cap_sk_list.lock);
1261
1262 for (psm = 0x1001; psm < 0x1100; psm += 2)
b4324b5d
MH		 1263 if (!__l2cap_get_sock_by_addr(cpu_to_le16(psm), src)) {
1264 l2cap_pi(sk)->psm = cpu_to_le16(psm);
1265 l2cap_pi(sk)->sport = cpu_to_le16(psm);
1da177e4
LT		 1266 err = 0;
1267 break;
1268 }
1269
1270 write_unlock_bh(&l2cap_sk_list.lock);
1271
1272 if (err < 0)
1273 goto done;
1274 }
1275
1276 sk->sk_max_ack_backlog = backlog;
1277 sk->sk_ack_backlog = 0;
1278 sk->sk_state = BT_LISTEN;
1279
1280done:
1281 release_sock(sk);
1282 return err;
1283}
1284
1285static int l2cap_sock_accept(struct socket *sock, struct socket *newsock, int flags)
1286{
1287 DECLARE_WAITQUEUE(wait, current);
1288 struct sock *sk = sock->sk, *nsk;
1289 long timeo;
1290 int err = 0;
1291
fcc70d5f 1292 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
1da177e4
LT		 1293
1294 if (sk->sk_state != BT_LISTEN) {
1295 err = -EBADFD;
1296 goto done;
1297 }
1298
1299 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
1300
1301 BT_DBG("sk %p timeo %ld", sk, timeo);
1302
1303 /* Wait for an incoming connection. (wake-one). */
aa395145 1304 add_wait_queue_exclusive(sk_sleep(sk), &wait);
1da177e4
LT		 1305 while (!(nsk = bt_accept_dequeue(sk, newsock))) {
1306 set_current_state(TASK_INTERRUPTIBLE);
1307 if (!timeo) {
1308 err = -EAGAIN;
1309 break;
1310 }
1311
1312 release_sock(sk);
1313 timeo = schedule_timeout(timeo);
fcc70d5f 1314 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
1da177e4
LT		 1315
1316 if (sk->sk_state != BT_LISTEN) {
1317 err = -EBADFD;
1318 break;
1319 }
1320
1321 if (signal_pending(current)) {
1322 err = sock_intr_errno(timeo);
1323 break;
1324 }
1325 }
1326 set_current_state(TASK_RUNNING);
aa395145 1327 remove_wait_queue(sk_sleep(sk), &wait);
1da177e4
LT		 1328
1329 if (err)
1330 goto done;
1331
1332 newsock->state = SS_CONNECTED;
1333
1334 BT_DBG("new socket %p", nsk);
1335
1336done:
1337 release_sock(sk);
1338 return err;
1339}
1340
1341static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr, int *len, int peer)
1342{
1343 struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
1344 struct sock *sk = sock->sk;
1345
1346 BT_DBG("sock %p, sk %p", sock, sk);
1347
1348 addr->sa_family = AF_BLUETOOTH;
1349 *len = sizeof(struct sockaddr_l2);
1350
f29972de
MH		 1351 if (peer) {
1352 la->l2_psm = l2cap_pi(sk)->psm;
1da177e4 1353 bacpy(&la->l2_bdaddr, &bt_sk(sk)->dst);
b4324b5d 1354 la->l2_cid = cpu_to_le16(l2cap_pi(sk)->dcid);
f29972de
MH		 1355 } else {
1356 la->l2_psm = l2cap_pi(sk)->sport;
1da177e4 1357 bacpy(&la->l2_bdaddr, &bt_sk(sk)->src);
b4324b5d 1358 la->l2_cid = cpu_to_le16(l2cap_pi(sk)->scid);
f29972de 1359 }
1da177e4 1360
1da177e4
LT		 1361 return 0;
1362}
1363
6161c038
GP		 1364static int __l2cap_wait_ack(struct sock *sk)
1365{
1366 DECLARE_WAITQUEUE(wait, current);
1367 int err = 0;
1368 int timeo = HZ/5;
1369
2b0b05dd 1370 add_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1371 while ((l2cap_pi(sk)->unacked_frames > 0 && l2cap_pi(sk)->conn)) {
1372 set_current_state(TASK_INTERRUPTIBLE);
1373
1374 if (!timeo)
1375 timeo = HZ/5;
1376
1377 if (signal_pending(current)) {
1378 err = sock_intr_errno(timeo);
1379 break;
1380 }
1381
1382 release_sock(sk);
1383 timeo = schedule_timeout(timeo);
1384 lock_sock(sk);
1385
1386 err = sock_error(sk);
1387 if (err)
1388 break;
1389 }
1390 set_current_state(TASK_RUNNING);
2b0b05dd 1391 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1392 return err;
1393}
1394
e90bac06
GP		 1395static void l2cap_monitor_timeout(unsigned long arg)
1396{
1397 struct sock *sk = (void *) arg;
e90bac06 1398
0e98958d
GP		 1399 BT_DBG("sk %p", sk);
1400
e686219a 1401 bh_lock_sock(sk);
e90bac06 1402 if (l2cap_pi(sk)->retry_count >= l2cap_pi(sk)->remote_max_tx) {
9b108fc0 1403 l2cap_send_disconn_req(l2cap_pi(sk)->conn, sk, ECONNABORTED);
b13f5860 1404 bh_unlock_sock(sk);
e90bac06
GP		 1405 return;
1406 }
1407
1408 l2cap_pi(sk)->retry_count++;
1409 __mod_monitor_timer();
1410
a2e12a2a 1411 l2cap_send_rr_or_rnr(l2cap_pi(sk), L2CAP_CTRL_POLL);
e686219a 1412 bh_unlock_sock(sk);
e90bac06
GP		 1413}
1414
1415static void l2cap_retrans_timeout(unsigned long arg)
1416{
1417 struct sock *sk = (void *) arg;
e90bac06 1418
0e98958d
GP		 1419 BT_DBG("sk %p", sk);
1420
e686219a 1421 bh_lock_sock(sk);
e90bac06
GP		 1422 l2cap_pi(sk)->retry_count = 1;
1423 __mod_monitor_timer();
1424
1425 l2cap_pi(sk)->conn_state |= L2CAP_CONN_WAIT_F;
1426
a2e12a2a 1427 l2cap_send_rr_or_rnr(l2cap_pi(sk), L2CAP_CTRL_POLL);
e686219a 1428 bh_unlock_sock(sk);
e90bac06
GP		 1429}
1430
1c2acffb 1431static void l2cap_drop_acked_frames(struct sock *sk)
1da177e4 1432{
1c2acffb 1433 struct sk_buff *skb;
1da177e4 1434
812e737e
GP		 1435 while ((skb = skb_peek(TX_QUEUE(sk))) &&
1436 l2cap_pi(sk)->unacked_frames) {
1c2acffb
GP		 1437 if (bt_cb(skb)->tx_seq == l2cap_pi(sk)->expected_ack_seq)
1438 break;
1da177e4 1439
1c2acffb
GP		 1440 skb = skb_dequeue(TX_QUEUE(sk));
1441 kfree_skb(skb);
1da177e4 1442
1c2acffb
GP		 1443 l2cap_pi(sk)->unacked_frames--;
1444 }
1da177e4 1445
e90bac06
GP		 1446 if (!l2cap_pi(sk)->unacked_frames)
1447 del_timer(&l2cap_pi(sk)->retrans_timer);
1c2acffb 1448}
1da177e4 1449
9a9c6a34 1450static inline void l2cap_do_send(struct sock *sk, struct sk_buff *skb)
1c2acffb
GP		 1451{
1452 struct l2cap_pinfo *pi = l2cap_pi(sk);
1c2acffb
GP		 1453
1454 BT_DBG("sk %p, skb %p len %d", sk, skb, skb->len);
1da177e4 1455
9a9c6a34 1456 hci_send_acl(pi->conn->hcon, skb, 0);
1c2acffb
GP		 1457}
1458
305682e8 1459static void l2cap_streaming_send(struct sock *sk)
6840ed07 1460{
ccbb84af 1461 struct sk_buff *skb;
6840ed07 1462 struct l2cap_pinfo *pi = l2cap_pi(sk);
fcc203c3 1463 u16 control, fcs;
6840ed07 1464
ccbb84af
GP		 1465 while ((skb = skb_dequeue(TX_QUEUE(sk)))) {
1466 control = get_unaligned_le16(skb->data + L2CAP_HDR_SIZE);
6840ed07 1467 control |= pi->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT;
ccbb84af 1468 put_unaligned_le16(control, skb->data + L2CAP_HDR_SIZE);
6840ed07 1469
e8235c6b 1470 if (pi->fcs == L2CAP_FCS_CRC16) {
ccbb84af
GP		 1471 fcs = crc16(0, (u8 *)skb->data, skb->len - 2);
1472 put_unaligned_le16(fcs, skb->data + skb->len - 2);
fcc203c3
GP		 1473 }
1474
ccbb84af 1475 l2cap_do_send(sk, skb);
6840ed07
GP		 1476
1477 pi->next_tx_seq = (pi->next_tx_seq + 1) % 64;
6840ed07 1478 }
6840ed07
GP		 1479}
1480
dfc909be 1481static void l2cap_retransmit_one_frame(struct sock *sk, u8 tx_seq)
8f17154f
GP		 1482{
1483 struct l2cap_pinfo *pi = l2cap_pi(sk);
1484 struct sk_buff *skb, *tx_skb;
1485 u16 control, fcs;
8f17154f
GP		 1486
1487 skb = skb_peek(TX_QUEUE(sk));
f11d676d
GP		 1488 if (!skb)
1489 return;
8f17154f 1490
f11d676d
GP		 1491 do {
1492 if (bt_cb(skb)->tx_seq == tx_seq)
8f17154f 1493 break;
8f17154f 1494
f11d676d
GP		 1495 if (skb_queue_is_last(TX_QUEUE(sk), skb))
1496 return;
8f17154f 1497
f11d676d 1498 } while ((skb = skb_queue_next(TX_QUEUE(sk), skb)));
8f17154f 1499
f11d676d
GP		 1500 if (pi->remote_max_tx &&
1501 bt_cb(skb)->retries == pi->remote_max_tx) {
9b108fc0 1502 l2cap_send_disconn_req(pi->conn, sk, ECONNABORTED);
f11d676d
GP		 1503 return;
1504 }
1505
1506 tx_skb = skb_clone(skb, GFP_ATOMIC);
1507 bt_cb(skb)->retries++;
1508 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
3cb123d1
GP		 1509
1510 if (pi->conn_state & L2CAP_CONN_SEND_FBIT) {
1511 control |= L2CAP_CTRL_FINAL;
1512 pi->conn_state &= ~L2CAP_CONN_SEND_FBIT;
1513 }
95ffa978 1514
f11d676d
GP		 1515 control |= (pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1516 | (tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
3cb123d1 1517
f11d676d
GP		 1518 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1519
1520 if (pi->fcs == L2CAP_FCS_CRC16) {
1521 fcs = crc16(0, (u8 *)tx_skb->data, tx_skb->len - 2);
1522 put_unaligned_le16(fcs, tx_skb->data + tx_skb->len - 2);
1523 }
1524
1525 l2cap_do_send(sk, tx_skb);
8f17154f
GP		 1526}
1527
1c2acffb
GP		 1528static int l2cap_ertm_send(struct sock *sk)
1529{
1530 struct sk_buff *skb, *tx_skb;
1531 struct l2cap_pinfo *pi = l2cap_pi(sk);
fcc203c3 1532 u16 control, fcs;
9a9c6a34 1533 int nsent = 0;
1c2acffb 1534
c13ffa62
GP		 1535 if (sk->sk_state != BT_CONNECTED)
1536 return -ENOTCONN;
e90bac06 1537
6e2b6722 1538 while ((skb = sk->sk_send_head) && (!l2cap_tx_window_full(sk))) {
1c2acffb 1539
e90bac06
GP		 1540 if (pi->remote_max_tx &&
1541 bt_cb(skb)->retries == pi->remote_max_tx) {
9b108fc0 1542 l2cap_send_disconn_req(pi->conn, sk, ECONNABORTED);
e90bac06
GP		 1543 break;
1544 }
1545
e420aba3
AE		 1546 tx_skb = skb_clone(skb, GFP_ATOMIC);
1547
e90bac06
GP		 1548 bt_cb(skb)->retries++;
1549
1c2acffb 1550 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
95ffa978
GP		 1551 control &= L2CAP_CTRL_SAR;
1552
d5392c8f
GP		 1553 if (pi->conn_state & L2CAP_CONN_SEND_FBIT) {
1554 control |= L2CAP_CTRL_FINAL;
1555 pi->conn_state &= ~L2CAP_CONN_SEND_FBIT;
1556 }
9f121a5a 1557 control |= (pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1c2acffb
GP		 1558 | (pi->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
1559 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1560
e90bac06 1561
e8235c6b 1562 if (pi->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 1563 fcs = crc16(0, (u8 *)skb->data, tx_skb->len - 2);
1564 put_unaligned_le16(fcs, skb->data + tx_skb->len - 2);
1565 }
1566
9a9c6a34
GP		 1567 l2cap_do_send(sk, tx_skb);
1568
e90bac06 1569 __mod_retrans_timer();
1c2acffb
GP		 1570
1571 bt_cb(skb)->tx_seq = pi->next_tx_seq;
1572 pi->next_tx_seq = (pi->next_tx_seq + 1) % 64;
1573
1574 pi->unacked_frames++;
d5392c8f 1575 pi->frames_sent++;
1c2acffb
GP		 1576
1577 if (skb_queue_is_last(TX_QUEUE(sk), skb))
1578 sk->sk_send_head = NULL;
1579 else
1580 sk->sk_send_head = skb_queue_next(TX_QUEUE(sk), skb);
9e917af1
GP		 1581
1582 nsent++;
1c2acffb
GP		 1583 }
1584
9e917af1
GP		 1585 return nsent;
1586}
1587
dfc909be
GP		 1588static int l2cap_retransmit_frames(struct sock *sk)
1589{
1590 struct l2cap_pinfo *pi = l2cap_pi(sk);
1591 int ret;
1592
dfc909be
GP		 1593 if (!skb_queue_empty(TX_QUEUE(sk)))
1594 sk->sk_send_head = TX_QUEUE(sk)->next;
1595
1596 pi->next_tx_seq = pi->expected_ack_seq;
1597 ret = l2cap_ertm_send(sk);
dfc909be
GP		 1598 return ret;
1599}
1600
9a9c6a34 1601static void l2cap_send_ack(struct l2cap_pinfo *pi)
9e917af1
GP		 1602{
1603 struct sock *sk = (struct sock *)pi;
1604 u16 control = 0;
1605
1606 control |= pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1607
1608 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) {
1609 control |= L2CAP_SUPER_RCV_NOT_READY;
1890d36b 1610 pi->conn_state |= L2CAP_CONN_RNR_SENT;
9a9c6a34
GP		 1611 l2cap_send_sframe(pi, control);
1612 return;
9e917af1 1613 }
dfc909be 1614
e0f66218 1615 if (l2cap_ertm_send(sk) > 0)
dfc909be
GP		 1616 return;
1617
1618 control |= L2CAP_SUPER_RCV_READY;
1619 l2cap_send_sframe(pi, control);
1c2acffb
GP		 1620}
1621
9a9c6a34 1622static void l2cap_send_srejtail(struct sock *sk)
99b0d4b7
GP		 1623{
1624 struct srej_list *tail;
1625 u16 control;
1626
1627 control = L2CAP_SUPER_SELECT_REJECT;
1628 control |= L2CAP_CTRL_FINAL;
1629
1630 tail = list_entry(SREJ_LIST(sk)->prev, struct srej_list, list);
1631 control |= tail->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1632
1633 l2cap_send_sframe(l2cap_pi(sk), control);
99b0d4b7
GP		 1634}
1635
1c2acffb
GP		 1636static inline int l2cap_skbuff_fromiovec(struct sock *sk, struct msghdr *msg, int len, int count, struct sk_buff *skb)
1637{
1638 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1639 struct sk_buff **frag;
1640 int err, sent = 0;
1da177e4 1641
59203a21 1642 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1643 return -EFAULT;
1da177e4
LT		 1644
1645 sent += count;
1646 len -= count;
1647
1648 /* Continuation fragments (no L2CAP header) */
1649 frag = &skb_shinfo(skb)->frag_list;
1650 while (len) {
1651 count = min_t(unsigned int, conn->mtu, len);
1652
1653 *frag = bt_skb_send_alloc(sk, count, msg->msg_flags & MSG_DONTWAIT, &err);
1654 if (!*frag)
0175d629 1655 return err;
1c2acffb
GP		 1656 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1657 return -EFAULT;
1da177e4
LT		 1658
1659 sent += count;
1660 len -= count;
1661
1662 frag = &(*frag)->next;
1663 }
1da177e4
LT		 1664
1665 return sent;
1c2acffb 1666}
1da177e4 1667
1c2acffb
GP		 1668static struct sk_buff *l2cap_create_connless_pdu(struct sock *sk, struct msghdr *msg, size_t len)
1669{
1670 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1671 struct sk_buff *skb;
1672 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1673 struct l2cap_hdr *lh;
1674
1675 BT_DBG("sk %p len %d", sk, (int)len);
1676
1677 count = min_t(unsigned int, (conn->mtu - hlen), len);
1678 skb = bt_skb_send_alloc(sk, count + hlen,
1679 msg->msg_flags & MSG_DONTWAIT, &err);
1680 if (!skb)
0175d629 1681 return ERR_PTR(err);
1c2acffb
GP		 1682
1683 /* Create L2CAP header */
1684 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1685 lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1686 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1687 put_unaligned_le16(l2cap_pi(sk)->psm, skb_put(skb, 2));
1688
1689 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1690 if (unlikely(err < 0)) {
1691 kfree_skb(skb);
1692 return ERR_PTR(err);
1693 }
1694 return skb;
1695}
1696
1697static struct sk_buff *l2cap_create_basic_pdu(struct sock *sk, struct msghdr *msg, size_t len)
1698{
1699 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1700 struct sk_buff *skb;
1701 int err, count, hlen = L2CAP_HDR_SIZE;
1702 struct l2cap_hdr *lh;
1703
1704 BT_DBG("sk %p len %d", sk, (int)len);
1705
1706 count = min_t(unsigned int, (conn->mtu - hlen), len);
1707 skb = bt_skb_send_alloc(sk, count + hlen,
1708 msg->msg_flags & MSG_DONTWAIT, &err);
1709 if (!skb)
0175d629 1710 return ERR_PTR(err);
1c2acffb
GP		 1711
1712 /* Create L2CAP header */
1713 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1714 lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1715 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1716
1717 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1718 if (unlikely(err < 0)) {
1719 kfree_skb(skb);
1720 return ERR_PTR(err);
1721 }
1722 return skb;
1723}
1724
6840ed07 1725static struct sk_buff *l2cap_create_iframe_pdu(struct sock *sk, struct msghdr *msg, size_t len, u16 control, u16 sdulen)
1c2acffb
GP		 1726{
1727 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1728 struct sk_buff *skb;
1729 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1730 struct l2cap_hdr *lh;
1731
1732 BT_DBG("sk %p len %d", sk, (int)len);
1733
0ee0d208
GP		 1734 if (!conn)
1735 return ERR_PTR(-ENOTCONN);
1736
c74e560c
GP		 1737 if (sdulen)
1738 hlen += 2;
1739
fcc203c3
GP		 1740 if (l2cap_pi(sk)->fcs == L2CAP_FCS_CRC16)
1741 hlen += 2;
1742
1c2acffb
GP		 1743 count = min_t(unsigned int, (conn->mtu - hlen), len);
1744 skb = bt_skb_send_alloc(sk, count + hlen,
1745 msg->msg_flags & MSG_DONTWAIT, &err);
1746 if (!skb)
0175d629 1747 return ERR_PTR(err);
1c2acffb
GP		 1748
1749 /* Create L2CAP header */
1750 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1751 lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1752 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1753 put_unaligned_le16(control, skb_put(skb, 2));
c74e560c
GP		 1754 if (sdulen)
1755 put_unaligned_le16(sdulen, skb_put(skb, 2));
1c2acffb
GP		 1756
1757 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1758 if (unlikely(err < 0)) {
1759 kfree_skb(skb);
1760 return ERR_PTR(err);
1761 }
e90bac06 1762
fcc203c3
GP		 1763 if (l2cap_pi(sk)->fcs == L2CAP_FCS_CRC16)
1764 put_unaligned_le16(0, skb_put(skb, 2));
1765
e90bac06 1766 bt_cb(skb)->retries = 0;
1c2acffb 1767 return skb;
1da177e4
LT		 1768}
1769
c74e560c
GP		 1770static inline int l2cap_sar_segment_sdu(struct sock *sk, struct msghdr *msg, size_t len)
1771{
1772 struct l2cap_pinfo *pi = l2cap_pi(sk);
1773 struct sk_buff *skb;
1774 struct sk_buff_head sar_queue;
1775 u16 control;
1776 size_t size = 0;
1777
ff12fd64 1778 skb_queue_head_init(&sar_queue);
c74e560c 1779 control = L2CAP_SDU_START;
1c762159 1780 skb = l2cap_create_iframe_pdu(sk, msg, pi->remote_mps, control, len);
c74e560c
GP		 1781 if (IS_ERR(skb))
1782 return PTR_ERR(skb);
1783
1784 __skb_queue_tail(&sar_queue, skb);
1c762159
GP		 1785 len -= pi->remote_mps;
1786 size += pi->remote_mps;
c74e560c
GP		 1787
1788 while (len > 0) {
1789 size_t buflen;
1790
1c762159 1791 if (len > pi->remote_mps) {
44651b85 1792 control = L2CAP_SDU_CONTINUE;
1c762159 1793 buflen = pi->remote_mps;
c74e560c 1794 } else {
44651b85 1795 control = L2CAP_SDU_END;
c74e560c
GP		 1796 buflen = len;
1797 }
1798
6840ed07 1799 skb = l2cap_create_iframe_pdu(sk, msg, buflen, control, 0);
c74e560c
GP		 1800 if (IS_ERR(skb)) {
1801 skb_queue_purge(&sar_queue);
1802 return PTR_ERR(skb);
1803 }
1804
1805 __skb_queue_tail(&sar_queue, skb);
1806 len -= buflen;
1807 size += buflen;
c74e560c
GP		 1808 }
1809 skb_queue_splice_tail(&sar_queue, TX_QUEUE(sk));
1810 if (sk->sk_send_head == NULL)
1811 sk->sk_send_head = sar_queue.next;
1812
1813 return size;
1814}
1815
1da177e4
LT		 1816static int l2cap_sock_sendmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len)
1817{
1818 struct sock *sk = sock->sk;
1c2acffb
GP		 1819 struct l2cap_pinfo *pi = l2cap_pi(sk);
1820 struct sk_buff *skb;
1821 u16 control;
1822 int err;
1da177e4
LT		 1823
1824 BT_DBG("sock %p, sk %p", sock, sk);
1825
c1cbe4b7
BL		 1826 err = sock_error(sk);
1827 if (err)
1828 return err;
1da177e4
LT		 1829
1830 if (msg->msg_flags & MSG_OOB)
1831 return -EOPNOTSUPP;
1832
1da177e4
LT		 1833 lock_sock(sk);
1834
1c2acffb 1835 if (sk->sk_state != BT_CONNECTED) {
1da177e4 1836 err = -ENOTCONN;
1c2acffb
GP		 1837 goto done;
1838 }
1da177e4 1839
1c2acffb
GP		 1840 /* Connectionless channel */
1841 if (sk->sk_type == SOCK_DGRAM) {
1842 skb = l2cap_create_connless_pdu(sk, msg, len);
9a9c6a34 1843 if (IS_ERR(skb)) {
477fffb0 1844 err = PTR_ERR(skb);
9a9c6a34
GP		 1845 } else {
1846 l2cap_do_send(sk, skb);
1847 err = len;
1848 }
1c2acffb
GP		 1849 goto done;
1850 }
1851
1852 switch (pi->mode) {
1853 case L2CAP_MODE_BASIC:
c69163e9
GP		 1854 /* Check outgoing MTU */
1855 if (len > pi->omtu) {
f9dd11b0 1856 err = -EMSGSIZE;
c69163e9
GP		 1857 goto done;
1858 }
1859
1c2acffb
GP		 1860 /* Create a basic PDU */
1861 skb = l2cap_create_basic_pdu(sk, msg, len);
1862 if (IS_ERR(skb)) {
1863 err = PTR_ERR(skb);
1864 goto done;
1865 }
1866
9a9c6a34
GP		 1867 l2cap_do_send(sk, skb);
1868 err = len;
1c2acffb
GP		 1869 break;
1870
1871 case L2CAP_MODE_ERTM:
6840ed07 1872 case L2CAP_MODE_STREAMING:
1c2acffb 1873 /* Entire SDU fits into one PDU */
1c762159 1874 if (len <= pi->remote_mps) {
1c2acffb 1875 control = L2CAP_SDU_UNSEGMENTED;
6840ed07 1876 skb = l2cap_create_iframe_pdu(sk, msg, len, control, 0);
1c2acffb
GP		 1877 if (IS_ERR(skb)) {
1878 err = PTR_ERR(skb);
1879 goto done;
1880 }
c74e560c 1881 __skb_queue_tail(TX_QUEUE(sk), skb);
dfc909be 1882
c74e560c
GP		 1883 if (sk->sk_send_head == NULL)
1884 sk->sk_send_head = skb;
dfc909be 1885
1c2acffb 1886 } else {
c74e560c
GP		 1887 /* Segment SDU into multiples PDUs */
1888 err = l2cap_sar_segment_sdu(sk, msg, len);
1889 if (err < 0)
1890 goto done;
1c2acffb 1891 }
1c2acffb 1892
dfc909be 1893 if (pi->mode == L2CAP_MODE_STREAMING) {
305682e8 1894 l2cap_streaming_send(sk);
dfc909be 1895 } else {
6e2b6722
GP		 1896 if (pi->conn_state & L2CAP_CONN_REMOTE_BUSY &&
1897 pi->conn_state && L2CAP_CONN_WAIT_F) {
1898 err = len;
1899 break;
1900 }
6840ed07 1901 err = l2cap_ertm_send(sk);
dfc909be 1902 }
6840ed07 1903
9e917af1 1904 if (err >= 0)
1c2acffb
GP		 1905 err = len;
1906 break;
1907
1908 default:
1909 BT_DBG("bad state %1.1x", pi->mode);
bc766db2 1910 err = -EBADFD;
1c2acffb
GP		 1911 }
1912
1913done:
1da177e4
LT		 1914 release_sock(sk);
1915 return err;
1916}
1917
f66dc81f
MH		 1918static int l2cap_sock_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len, int flags)
1919{
1920 struct sock *sk = sock->sk;
1921
1922 lock_sock(sk);
1923
1924 if (sk->sk_state == BT_CONNECT2 && bt_sk(sk)->defer_setup) {
1925 struct l2cap_conn_rsp rsp;
e9aeb2dd
GP		 1926 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1927 u8 buf[128];
f66dc81f
MH		 1928
1929 sk->sk_state = BT_CONFIG;
1930
1931 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
1932 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
1933 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1934 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1935 l2cap_send_cmd(l2cap_pi(sk)->conn, l2cap_pi(sk)->ident,
1936 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
1937
e9aeb2dd
GP		 1938 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT) {
1939 release_sock(sk);
1940 return 0;
1941 }
1942
1943 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
1944 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
1945 l2cap_build_conf_req(sk, buf), buf);
1946 l2cap_pi(sk)->num_conf_req++;
1947
f66dc81f
MH		 1948 release_sock(sk);
1949 return 0;
1950 }
1951
1952 release_sock(sk);
1953
6fdf482b
MM		 1954 if (sock->type == SOCK_STREAM)
1955 return bt_sock_stream_recvmsg(iocb, sock, msg, len, flags);
1956
f66dc81f
MH		 1957 return bt_sock_recvmsg(iocb, sock, msg, len, flags);
1958}
1959
b7058842 1960static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __user *optval, unsigned int optlen)
1da177e4
LT		 1961{
1962 struct sock *sk = sock->sk;
1963 struct l2cap_options opts;
f29972de 1964 int len, err = 0;
1da177e4
LT		 1965 u32 opt;
1966
1967 BT_DBG("sk %p", sk);
1968
1969 lock_sock(sk);
1970
1971 switch (optname) {
1972 case L2CAP_OPTIONS:
eaa71b31
GP		 1973 if (sk->sk_state == BT_CONNECTED) {
1974 err = -EINVAL;
1975 break;
1976 }
1977
0878b666
MH		 1978 opts.imtu = l2cap_pi(sk)->imtu;
1979 opts.omtu = l2cap_pi(sk)->omtu;
1980 opts.flush_to = l2cap_pi(sk)->flush_to;
c6b03cf9 1981 opts.mode = l2cap_pi(sk)->mode;
fcc203c3 1982 opts.fcs = l2cap_pi(sk)->fcs;
68d7f0ce 1983 opts.max_tx = l2cap_pi(sk)->max_tx;
14b5aa71 1984 opts.txwin_size = (__u16)l2cap_pi(sk)->tx_win;
0878b666 1985
1da177e4
LT		 1986 len = min_t(unsigned int, sizeof(opts), optlen);
1987 if (copy_from_user((char *) &opts, optval, len)) {
1988 err = -EFAULT;
1989 break;
1990 }
0878b666 1991
45d65c46
GP		 1992 if (opts.txwin_size > L2CAP_DEFAULT_TX_WINDOW) {
1993 err = -EINVAL;
1994 break;
1995 }
1996
0041ecfa
JPRV		 1997 l2cap_pi(sk)->mode = opts.mode;
1998 switch (l2cap_pi(sk)->mode) {
1999 case L2CAP_MODE_BASIC:
85eb53c6 2000 l2cap_pi(sk)->conf_state &= ~L2CAP_CONF_STATE2_DEVICE;
0041ecfa
JPRV		 2001 break;
2002 case L2CAP_MODE_ERTM:
2003 case L2CAP_MODE_STREAMING:
d1c4a17d 2004 if (!disable_ertm)
0041ecfa
JPRV		 2005 break;
2006 /* fall through */
2007 default:
2008 err = -EINVAL;
2009 break;
2010 }
2011
c6b03cf9
MH		 2012 l2cap_pi(sk)->imtu = opts.imtu;
2013 l2cap_pi(sk)->omtu = opts.omtu;
fcc203c3 2014 l2cap_pi(sk)->fcs = opts.fcs;
68d7f0ce 2015 l2cap_pi(sk)->max_tx = opts.max_tx;
14b5aa71 2016 l2cap_pi(sk)->tx_win = (__u8)opts.txwin_size;
1da177e4
LT		 2017 break;
2018
2019 case L2CAP_LM:
2020 if (get_user(opt, (u32 __user *) optval)) {
2021 err = -EFAULT;
2022 break;
2023 }
2024
2af6b9d5
MH		 2025 if (opt & L2CAP_LM_AUTH)
2026 l2cap_pi(sk)->sec_level = BT_SECURITY_LOW;
2027 if (opt & L2CAP_LM_ENCRYPT)
2028 l2cap_pi(sk)->sec_level = BT_SECURITY_MEDIUM;
2029 if (opt & L2CAP_LM_SECURE)
2030 l2cap_pi(sk)->sec_level = BT_SECURITY_HIGH;
2031
2032 l2cap_pi(sk)->role_switch = (opt & L2CAP_LM_MASTER);
2033 l2cap_pi(sk)->force_reliable = (opt & L2CAP_LM_RELIABLE);
1da177e4
LT		 2034 break;
2035
2036 default:
2037 err = -ENOPROTOOPT;
2038 break;
2039 }
2040
2041 release_sock(sk);
2042 return err;
2043}
2044
b7058842 2045static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, char __user *optval, unsigned int optlen)
d58daf42
MH		 2046{
2047 struct sock *sk = sock->sk;
2af6b9d5
MH		 2048 struct bt_security sec;
2049 int len, err = 0;
f66dc81f 2050 u32 opt;
d58daf42
MH		 2051
2052 BT_DBG("sk %p", sk);
2053
2054 if (level == SOL_L2CAP)
2055 return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
2056
0588d94f
MH		 2057 if (level != SOL_BLUETOOTH)
2058 return -ENOPROTOOPT;
2059
d58daf42
MH		 2060 lock_sock(sk);
2061
2062 switch (optname) {
2af6b9d5 2063 case BT_SECURITY:
bd3c9e25
GP		 2064 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
2065 && sk->sk_type != SOCK_RAW) {
0588d94f
MH		 2066 err = -EINVAL;
2067 break;
2068 }
2069
2af6b9d5
MH		 2070 sec.level = BT_SECURITY_LOW;
2071
2072 len = min_t(unsigned int, sizeof(sec), optlen);
2073 if (copy_from_user((char *) &sec, optval, len)) {
2074 err = -EFAULT;
2075 break;
2076 }
2077
2078 if (sec.level < BT_SECURITY_LOW ||
2079 sec.level > BT_SECURITY_HIGH) {
2080 err = -EINVAL;
2081 break;
2082 }
2083
2084 l2cap_pi(sk)->sec_level = sec.level;
2085 break;
2086
f66dc81f
MH		 2087 case BT_DEFER_SETUP:
2088 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
2089 err = -EINVAL;
2090 break;
2091 }
2092
2093 if (get_user(opt, (u32 __user *) optval)) {
2094 err = -EFAULT;
2095 break;
2096 }
2097
2098 bt_sk(sk)->defer_setup = opt;
2099 break;
2100
d58daf42
MH		 2101 default:
2102 err = -ENOPROTOOPT;
2103 break;
2104 }
2105
2106 release_sock(sk);
2107 return err;
2108}
2109
2110static int l2cap_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen)
1da177e4
LT		 2111{
2112 struct sock *sk = sock->sk;
2113 struct l2cap_options opts;
2114 struct l2cap_conninfo cinfo;
2115 int len, err = 0;
2af6b9d5 2116 u32 opt;
1da177e4
LT		 2117
2118 BT_DBG("sk %p", sk);
2119
2120 if (get_user(len, optlen))
2121 return -EFAULT;
2122
2123 lock_sock(sk);
2124
2125 switch (optname) {
2126 case L2CAP_OPTIONS:
2127 opts.imtu = l2cap_pi(sk)->imtu;
2128 opts.omtu = l2cap_pi(sk)->omtu;
2129 opts.flush_to = l2cap_pi(sk)->flush_to;
c6b03cf9 2130 opts.mode = l2cap_pi(sk)->mode;
fcc203c3 2131 opts.fcs = l2cap_pi(sk)->fcs;
68d7f0ce 2132 opts.max_tx = l2cap_pi(sk)->max_tx;
14b5aa71 2133 opts.txwin_size = (__u16)l2cap_pi(sk)->tx_win;
1da177e4
LT		 2134
2135 len = min_t(unsigned int, len, sizeof(opts));
2136 if (copy_to_user(optval, (char *) &opts, len))
2137 err = -EFAULT;
2138
2139 break;
2140
2141 case L2CAP_LM:
2af6b9d5
MH		 2142 switch (l2cap_pi(sk)->sec_level) {
2143 case BT_SECURITY_LOW:
2144 opt = L2CAP_LM_AUTH;
2145 break;
2146 case BT_SECURITY_MEDIUM:
2147 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
2148 break;
2149 case BT_SECURITY_HIGH:
2150 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
2151 L2CAP_LM_SECURE;
2152 break;
2153 default:
2154 opt = 0;
2155 break;
2156 }
2157
2158 if (l2cap_pi(sk)->role_switch)
2159 opt |= L2CAP_LM_MASTER;
2160
2161 if (l2cap_pi(sk)->force_reliable)
2162 opt |= L2CAP_LM_RELIABLE;
2163
2164 if (put_user(opt, (u32 __user *) optval))
1da177e4
LT		 2165 err = -EFAULT;
2166 break;
2167
2168 case L2CAP_CONNINFO:
f66dc81f
MH		 2169 if (sk->sk_state != BT_CONNECTED &&
2170 !(sk->sk_state == BT_CONNECT2 &&
2171 bt_sk(sk)->defer_setup)) {
1da177e4
LT		 2172 err = -ENOTCONN;
2173 break;
2174 }
2175
2176 cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle;
2177 memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3);
2178
2179 len = min_t(unsigned int, len, sizeof(cinfo));
2180 if (copy_to_user(optval, (char *) &cinfo, len))
2181 err = -EFAULT;
2182
2183 break;
2184
2185 default:
2186 err = -ENOPROTOOPT;
2187 break;
2188 }
2189
2190 release_sock(sk);
2191 return err;
2192}
2193
d58daf42
MH		 2194static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen)
2195{
2196 struct sock *sk = sock->sk;
2af6b9d5 2197 struct bt_security sec;
d58daf42
MH		 2198 int len, err = 0;
2199
2200 BT_DBG("sk %p", sk);
2201
2202 if (level == SOL_L2CAP)
2203 return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
2204
0588d94f
MH		 2205 if (level != SOL_BLUETOOTH)
2206 return -ENOPROTOOPT;
2207
d58daf42
MH		 2208 if (get_user(len, optlen))
2209 return -EFAULT;
2210
2211 lock_sock(sk);
2212
2213 switch (optname) {
2af6b9d5 2214 case BT_SECURITY:
bd3c9e25
GP		 2215 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
2216 && sk->sk_type != SOCK_RAW) {
0588d94f
MH		 2217 err = -EINVAL;
2218 break;
2219 }
2220
2af6b9d5
MH		 2221 sec.level = l2cap_pi(sk)->sec_level;
2222
2223 len = min_t(unsigned int, len, sizeof(sec));
2224 if (copy_to_user(optval, (char *) &sec, len))
2225 err = -EFAULT;
2226
2227 break;
2228
f66dc81f
MH		 2229 case BT_DEFER_SETUP:
2230 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
2231 err = -EINVAL;
2232 break;
2233 }
2234
2235 if (put_user(bt_sk(sk)->defer_setup, (u32 __user *) optval))
2236 err = -EFAULT;
2237
2238 break;
2239
d58daf42
MH		 2240 default:
2241 err = -ENOPROTOOPT;
2242 break;
2243 }
2244
2245 release_sock(sk);
2246 return err;
2247}
2248
1da177e4
LT		 2249static int l2cap_sock_shutdown(struct socket *sock, int how)
2250{
2251 struct sock *sk = sock->sk;
2252 int err = 0;
2253
2254 BT_DBG("sock %p, sk %p", sock, sk);
2255
2256 if (!sk)
2257 return 0;
2258
2259 lock_sock(sk);
2260 if (!sk->sk_shutdown) {
6161c038
GP		 2261 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM)
2262 err = __l2cap_wait_ack(sk);
2263
1da177e4
LT		 2264 sk->sk_shutdown = SHUTDOWN_MASK;
2265 l2cap_sock_clear_timer(sk);
2266 __l2cap_sock_close(sk, 0);
2267
2268 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime)
b1235d79
MH		 2269 err = bt_sock_wait_state(sk, BT_CLOSED,
2270 sk->sk_lingertime);
1da177e4 2271 }
9b108fc0
GP		 2272
2273 if (!err && sk->sk_err)
2274 err = -sk->sk_err;
2275
1da177e4
LT		 2276 release_sock(sk);
2277 return err;
2278}
2279
2280static int l2cap_sock_release(struct socket *sock)
2281{
2282 struct sock *sk = sock->sk;
2283 int err;
2284
2285 BT_DBG("sock %p, sk %p", sock, sk);
2286
2287 if (!sk)
2288 return 0;
2289
2290 err = l2cap_sock_shutdown(sock, 2);
2291
2292 sock_orphan(sk);
2293 l2cap_sock_kill(sk);
2294 return err;
2295}
2296
1da177e4
LT		 2297static void l2cap_chan_ready(struct sock *sk)
2298{
2299 struct sock *parent = bt_sk(sk)->parent;
2300
2301 BT_DBG("sk %p, parent %p", sk, parent);
2302
2303 l2cap_pi(sk)->conf_state = 0;
2304 l2cap_sock_clear_timer(sk);
2305
2306 if (!parent) {
2307 /* Outgoing channel.
2308 * Wake up socket sleeping on connect.
2309 */
2310 sk->sk_state = BT_CONNECTED;
2311 sk->sk_state_change(sk);
2312 } else {
2313 /* Incoming channel.
2314 * Wake up socket sleeping on accept.
2315 */
2316 parent->sk_data_ready(parent, 0);
2317 }
2318}
2319
2320/* Copy frame to all raw sockets on that connection */
2321static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2322{
2323 struct l2cap_chan_list *l = &conn->chan_list;
2324 struct sk_buff *nskb;
af05b30b 2325 struct sock *sk;
1da177e4
LT		 2326
2327 BT_DBG("conn %p", conn);
2328
2329 read_lock(&l->lock);
2330 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
2331 if (sk->sk_type != SOCK_RAW)
2332 continue;
2333
2334 /* Don't send frame to the socket it came from */
2335 if (skb->sk == sk)
2336 continue;
af05b30b
GP		 2337 nskb = skb_clone(skb, GFP_ATOMIC);
2338 if (!nskb)
1da177e4
LT		 2339 continue;
2340
2341 if (sock_queue_rcv_skb(sk, nskb))
2342 kfree_skb(nskb);
2343 }
2344 read_unlock(&l->lock);
2345}
2346
2347/* ---- L2CAP signalling commands ---- */
2348static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2349 u8 code, u8 ident, u16 dlen, void *data)
2350{
2351 struct sk_buff *skb, **frag;
2352 struct l2cap_cmd_hdr *cmd;
2353 struct l2cap_hdr *lh;
2354 int len, count;
2355
af05b30b
GP		 2356 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
2357 conn, code, ident, dlen);
1da177e4
LT		 2358
2359 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2360 count = min_t(unsigned int, conn->mtu, len);
2361
2362 skb = bt_skb_alloc(count, GFP_ATOMIC);
2363 if (!skb)
2364 return NULL;
2365
2366 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2367 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
8db4dc46 2368 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2369
2370 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2371 cmd->code = code;
2372 cmd->ident = ident;
aca3192c 2373 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2374
2375 if (dlen) {
2376 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2377 memcpy(skb_put(skb, count), data, count);
2378 data += count;
2379 }
2380
2381 len -= skb->len;
2382
2383 /* Continuation fragments (no L2CAP header) */
2384 frag = &skb_shinfo(skb)->frag_list;
2385 while (len) {
2386 count = min_t(unsigned int, conn->mtu, len);
2387
2388 *frag = bt_skb_alloc(count, GFP_ATOMIC);
2389 if (!*frag)
2390 goto fail;
2391
2392 memcpy(skb_put(*frag, count), data, count);
2393
2394 len -= count;
2395 data += count;
2396
2397 frag = &(*frag)->next;
2398 }
2399
2400 return skb;
2401
2402fail:
2403 kfree_skb(skb);
2404 return NULL;
2405}
2406
2407static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
2408{
2409 struct l2cap_conf_opt *opt = *ptr;
2410 int len;
2411
2412 len = L2CAP_CONF_OPT_SIZE + opt->len;
2413 *ptr += len;
2414
2415 *type = opt->type;
2416 *olen = opt->len;
2417
2418 switch (opt->len) {
2419 case 1:
2420 *val = *((u8 *) opt->val);
2421 break;
2422
2423 case 2:
bfaaeb3e 2424 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 2425 break;
2426
2427 case 4:
bfaaeb3e 2428 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 2429 break;
2430
2431 default:
2432 *val = (unsigned long) opt->val;
2433 break;
2434 }
2435
2436 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
2437 return len;
2438}
2439
1da177e4
LT		 2440static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2441{
2442 struct l2cap_conf_opt *opt = *ptr;
2443
2444 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
2445
2446 opt->type = type;
2447 opt->len = len;
2448
2449 switch (len) {
2450 case 1:
2451 *((u8 *) opt->val) = val;
2452 break;
2453
2454 case 2:
4f8b691c 2455 put_unaligned_le16(val, opt->val);
1da177e4
LT		 2456 break;
2457
2458 case 4:
4f8b691c 2459 put_unaligned_le32(val, opt->val);
1da177e4
LT		 2460 break;
2461
2462 default:
2463 memcpy(opt->val, (void *) val, len);
2464 break;
2465 }
2466
2467 *ptr += L2CAP_CONF_OPT_SIZE + len;
2468}
2469
c1b4f43b
GP		 2470static void l2cap_ack_timeout(unsigned long arg)
2471{
2472 struct sock *sk = (void *) arg;
2473
2474 bh_lock_sock(sk);
2475 l2cap_send_ack(l2cap_pi(sk));
2476 bh_unlock_sock(sk);
2477}
2478
0565c1c2
GP		 2479static inline void l2cap_ertm_init(struct sock *sk)
2480{
2481 l2cap_pi(sk)->expected_ack_seq = 0;
2482 l2cap_pi(sk)->unacked_frames = 0;
2483 l2cap_pi(sk)->buffer_seq = 0;
803020c6 2484 l2cap_pi(sk)->num_acked = 0;
d5392c8f 2485 l2cap_pi(sk)->frames_sent = 0;
0565c1c2
GP		 2486
2487 setup_timer(&l2cap_pi(sk)->retrans_timer,
2488 l2cap_retrans_timeout, (unsigned long) sk);
2489 setup_timer(&l2cap_pi(sk)->monitor_timer,
2490 l2cap_monitor_timeout, (unsigned long) sk);
c1b4f43b
GP		 2491 setup_timer(&l2cap_pi(sk)->ack_timer,
2492 l2cap_ack_timeout, (unsigned long) sk);
0565c1c2
GP		 2493
2494 __skb_queue_head_init(SREJ_QUEUE(sk));
1890d36b
GP		 2495 __skb_queue_head_init(BUSY_QUEUE(sk));
2496
2497 INIT_WORK(&l2cap_pi(sk)->busy_work, l2cap_busy_work);
218bb9df
GP		 2498
2499 sk->sk_backlog_rcv = l2cap_ertm_data_rcv;
0565c1c2
GP		 2500}
2501
f2fcfcd6
GP		 2502static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2503{
2504 switch (mode) {
2505 case L2CAP_MODE_STREAMING:
2506 case L2CAP_MODE_ERTM:
2507 if (l2cap_mode_supported(mode, remote_feat_mask))
2508 return mode;
2509 /* fall through */
2510 default:
2511 return L2CAP_MODE_BASIC;
2512 }
2513}
2514
1da177e4
LT		 2515static int l2cap_build_conf_req(struct sock *sk, void *data)
2516{
2517 struct l2cap_pinfo *pi = l2cap_pi(sk);
2518 struct l2cap_conf_req *req = data;
bd3c9e25 2519 struct l2cap_conf_rfc rfc = { .mode = pi->mode };
1da177e4
LT		 2520 void *ptr = req->data;
2521
2522 BT_DBG("sk %p", sk);
2523
f2fcfcd6
GP		 2524 if (pi->num_conf_req || pi->num_conf_rsp)
2525 goto done;
2526
2527 switch (pi->mode) {
2528 case L2CAP_MODE_STREAMING:
2529 case L2CAP_MODE_ERTM:
2ba13ed6 2530 if (pi->conf_state & L2CAP_CONF_STATE2_DEVICE)
85eb53c6 2531 break;
85eb53c6 2532
2ba13ed6 2533 /* fall through */
f2fcfcd6
GP		 2534 default:
2535 pi->mode = l2cap_select_mode(rfc.mode, pi->conn->feat_mask);
2536 break;
2537 }
2538
2539done:
65c7c491
MH		 2540 switch (pi->mode) {
2541 case L2CAP_MODE_BASIC:
2542 if (pi->imtu != L2CAP_DEFAULT_MTU)
2543 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->imtu);
62547752 2544
63406504
GP		 2545 if (!(pi->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2546 !(pi->conn->feat_mask & L2CAP_FEAT_STREAMING))
2547 break;
2548
62547752
GP		 2549 rfc.mode = L2CAP_MODE_BASIC;
2550 rfc.txwin_size = 0;
2551 rfc.max_transmit = 0;
2552 rfc.retrans_timeout = 0;
2553 rfc.monitor_timeout = 0;
2554 rfc.max_pdu_size = 0;
2555
63406504
GP		 2556 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2557 (unsigned long) &rfc);
65c7c491
MH		 2558 break;
2559
2560 case L2CAP_MODE_ERTM:
2561 rfc.mode = L2CAP_MODE_ERTM;
14b5aa71 2562 rfc.txwin_size = pi->tx_win;
68d7f0ce 2563 rfc.max_transmit = pi->max_tx;
f2fcfcd6
GP		 2564 rfc.retrans_timeout = 0;
2565 rfc.monitor_timeout = 0;
c74e560c 2566 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
d1daa091 2567 if (L2CAP_DEFAULT_MAX_PDU_SIZE > pi->conn->mtu - 10)
1c762159 2568 rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10);
f2fcfcd6 2569
63406504
GP		 2570 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2571 (unsigned long) &rfc);
2572
fcc203c3
GP		 2573 if (!(pi->conn->feat_mask & L2CAP_FEAT_FCS))
2574 break;
2575
2576 if (pi->fcs == L2CAP_FCS_NONE ||
2577 pi->conf_state & L2CAP_CONF_NO_FCS_RECV) {
2578 pi->fcs = L2CAP_FCS_NONE;
2579 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, pi->fcs);
2580 }
f2fcfcd6
GP		 2581 break;
2582
2583 case L2CAP_MODE_STREAMING:
2584 rfc.mode = L2CAP_MODE_STREAMING;
2585 rfc.txwin_size = 0;
2586 rfc.max_transmit = 0;
2587 rfc.retrans_timeout = 0;
2588 rfc.monitor_timeout = 0;
c74e560c 2589 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
d1daa091 2590 if (L2CAP_DEFAULT_MAX_PDU_SIZE > pi->conn->mtu - 10)
1c762159 2591 rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10);
65c7c491 2592
63406504
GP		 2593 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2594 (unsigned long) &rfc);
2595
fcc203c3
GP		 2596 if (!(pi->conn->feat_mask & L2CAP_FEAT_FCS))
2597 break;
2598
2599 if (pi->fcs == L2CAP_FCS_NONE ||
2600 pi->conf_state & L2CAP_CONF_NO_FCS_RECV) {
2601 pi->fcs = L2CAP_FCS_NONE;
2602 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, pi->fcs);
2603 }
65c7c491
MH		 2604 break;
2605 }
1da177e4
LT		 2606
2607 /* FIXME: Need actual value of the flush timeout */
2608 //if (flush_to != L2CAP_DEFAULT_FLUSH_TO)
2609 // l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, 2, pi->flush_to);
2610
aca3192c
YH		 2611 req->dcid = cpu_to_le16(pi->dcid);
2612 req->flags = cpu_to_le16(0);
1da177e4
LT		 2613
2614 return ptr - data;
2615}
2616
5dee9e7c 2617static int l2cap_parse_conf_req(struct sock *sk, void *data)
1da177e4
LT		 2618{
2619 struct l2cap_pinfo *pi = l2cap_pi(sk);
5dee9e7c
MH		 2620 struct l2cap_conf_rsp *rsp = data;
2621 void *ptr = rsp->data;
2622 void *req = pi->conf_req;
2623 int len = pi->conf_len;
2624 int type, hint, olen;
2625 unsigned long val;
6464f35f 2626 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
861d6882 2627 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 2628 u16 result = L2CAP_CONF_SUCCESS;
1da177e4 2629
5dee9e7c 2630 BT_DBG("sk %p", sk);
820ae1b8 2631
5dee9e7c
MH		 2632 while (len >= L2CAP_CONF_OPT_SIZE) {
2633 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 2634
589d2746 2635 hint = type & L2CAP_CONF_HINT;
47ec1dcd 2636 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 2637
2638 switch (type) {
2639 case L2CAP_CONF_MTU:
861d6882 2640 mtu = val;
5dee9e7c
MH		 2641 break;
2642
2643 case L2CAP_CONF_FLUSH_TO:
2644 pi->flush_to = val;
2645 break;
2646
2647 case L2CAP_CONF_QOS:
2648 break;
2649
6464f35f
MH		 2650 case L2CAP_CONF_RFC:
2651 if (olen == sizeof(rfc))
2652 memcpy(&rfc, (void *) val, olen);
2653 break;
2654
fcc203c3
GP		 2655 case L2CAP_CONF_FCS:
2656 if (val == L2CAP_FCS_NONE)
2657 pi->conf_state |= L2CAP_CONF_NO_FCS_RECV;
2658
2659 break;
2660
5dee9e7c
MH		 2661 default:
2662 if (hint)
2663 break;
2664
2665 result = L2CAP_CONF_UNKNOWN;
2666 *((u8 *) ptr++) = type;
2667 break;
2668 }
2669 }
2670
e9aeb2dd 2671 if (pi->num_conf_rsp || pi->num_conf_req > 1)
f2fcfcd6
GP		 2672 goto done;
2673
2674 switch (pi->mode) {
2675 case L2CAP_MODE_STREAMING:
2676 case L2CAP_MODE_ERTM:
85eb53c6
GP		 2677 if (!(pi->conf_state & L2CAP_CONF_STATE2_DEVICE)) {
2678 pi->mode = l2cap_select_mode(rfc.mode,
2679 pi->conn->feat_mask);
2680 break;
2681 }
2682
742e519b 2683 if (pi->mode != rfc.mode)
f2fcfcd6 2684 return -ECONNREFUSED;
742e519b 2685
f2fcfcd6 2686 break;
f2fcfcd6
GP		 2687 }
2688
2689done:
2690 if (pi->mode != rfc.mode) {
2691 result = L2CAP_CONF_UNACCEPT;
2692 rfc.mode = pi->mode;
2693
2694 if (pi->num_conf_rsp == 1)
2695 return -ECONNREFUSED;
2696
2697 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2698 sizeof(rfc), (unsigned long) &rfc);
2699 }
2700
2701
5dee9e7c
MH		 2702 if (result == L2CAP_CONF_SUCCESS) {
2703 /* Configure output options and let the other side know
2704 * which ones we don't like. */
2705
f2fcfcd6
GP		 2706 if (mtu < L2CAP_DEFAULT_MIN_MTU)
2707 result = L2CAP_CONF_UNACCEPT;
2708 else {
2709 pi->omtu = mtu;
2710 pi->conf_state |= L2CAP_CONF_MTU_DONE;
2711 }
2712 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->omtu);
6464f35f 2713
f2fcfcd6
GP		 2714 switch (rfc.mode) {
2715 case L2CAP_MODE_BASIC:
2716 pi->fcs = L2CAP_FCS_NONE;
2717 pi->conf_state |= L2CAP_CONF_MODE_DONE;
2718 break;
2719
2720 case L2CAP_MODE_ERTM:
2721 pi->remote_tx_win = rfc.txwin_size;
2722 pi->remote_max_tx = rfc.max_transmit;
86b1b263
MM		 2723
2724 if (le16_to_cpu(rfc.max_pdu_size) > pi->conn->mtu - 10)
2725 rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10);
1c762159
GP		 2726
2727 pi->remote_mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6 2728
10467e9e
GP		 2729 rfc.retrans_timeout =
2730 le16_to_cpu(L2CAP_DEFAULT_RETRANS_TO);
2731 rfc.monitor_timeout =
2732 le16_to_cpu(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6
GP		 2733
2734 pi->conf_state |= L2CAP_CONF_MODE_DONE;
68ae6639
GP		 2735
2736 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2737 sizeof(rfc), (unsigned long) &rfc);
2738
f2fcfcd6
GP		 2739 break;
2740
2741 case L2CAP_MODE_STREAMING:
86b1b263
MM		 2742 if (le16_to_cpu(rfc.max_pdu_size) > pi->conn->mtu - 10)
2743 rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10);
1c762159
GP		 2744
2745 pi->remote_mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2746
2747 pi->conf_state |= L2CAP_CONF_MODE_DONE;
68ae6639
GP		 2748
2749 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2750 sizeof(rfc), (unsigned long) &rfc);
2751
f2fcfcd6
GP		 2752 break;
2753
2754 default:
5dee9e7c 2755 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 2756
6464f35f 2757 memset(&rfc, 0, sizeof(rfc));
f2fcfcd6
GP		 2758 rfc.mode = pi->mode;
2759 }
6464f35f 2760
f2fcfcd6
GP		 2761 if (result == L2CAP_CONF_SUCCESS)
2762 pi->conf_state |= L2CAP_CONF_OUTPUT_DONE;
2763 }
5dee9e7c
MH		 2764 rsp->scid = cpu_to_le16(pi->dcid);
2765 rsp->result = cpu_to_le16(result);
2766 rsp->flags = cpu_to_le16(0x0000);
2767
2768 return ptr - data;
1da177e4
LT		 2769}
2770
f2fcfcd6
GP		 2771static int l2cap_parse_conf_rsp(struct sock *sk, void *rsp, int len, void *data, u16 *result)
2772{
2773 struct l2cap_pinfo *pi = l2cap_pi(sk);
2774 struct l2cap_conf_req *req = data;
2775 void *ptr = req->data;
2776 int type, olen;
2777 unsigned long val;
2778 struct l2cap_conf_rfc rfc;
2779
2780 BT_DBG("sk %p, rsp %p, len %d, req %p", sk, rsp, len, data);
2781
2782 while (len >= L2CAP_CONF_OPT_SIZE) {
2783 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2784
2785 switch (type) {
2786 case L2CAP_CONF_MTU:
2787 if (val < L2CAP_DEFAULT_MIN_MTU) {
2788 *result = L2CAP_CONF_UNACCEPT;
8183b775 2789 pi->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 2790 } else
8183b775
AE		 2791 pi->imtu = val;
2792 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->imtu);
f2fcfcd6
GP		 2793 break;
2794
2795 case L2CAP_CONF_FLUSH_TO:
2796 pi->flush_to = val;
2797 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
2798 2, pi->flush_to);
2799 break;
2800
2801 case L2CAP_CONF_RFC:
2802 if (olen == sizeof(rfc))
2803 memcpy(&rfc, (void *)val, olen);
2804
2805 if ((pi->conf_state & L2CAP_CONF_STATE2_DEVICE) &&
2806 rfc.mode != pi->mode)
2807 return -ECONNREFUSED;
2808
f2fcfcd6
GP		 2809 pi->fcs = 0;
2810
2811 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2812 sizeof(rfc), (unsigned long) &rfc);
2813 break;
2814 }
2815 }
2816
6c2ea7a8
GP		 2817 if (pi->mode == L2CAP_MODE_BASIC && pi->mode != rfc.mode)
2818 return -ECONNREFUSED;
2819
2820 pi->mode = rfc.mode;
2821
f2fcfcd6
GP		 2822 if (*result == L2CAP_CONF_SUCCESS) {
2823 switch (rfc.mode) {
2824 case L2CAP_MODE_ERTM:
10467e9e
GP		 2825 pi->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2826 pi->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
1c762159 2827 pi->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2828 break;
2829 case L2CAP_MODE_STREAMING:
1c762159 2830 pi->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2831 }
2832 }
2833
2834 req->dcid = cpu_to_le16(pi->dcid);
2835 req->flags = cpu_to_le16(0x0000);
2836
2837 return ptr - data;
2838}
2839
5dee9e7c 2840static int l2cap_build_conf_rsp(struct sock *sk, void *data, u16 result, u16 flags)
1da177e4
LT		 2841{
2842 struct l2cap_conf_rsp *rsp = data;
2843 void *ptr = rsp->data;
1da177e4 2844
5dee9e7c 2845 BT_DBG("sk %p", sk);
1da177e4 2846
aca3192c 2847 rsp->scid = cpu_to_le16(l2cap_pi(sk)->dcid);
5dee9e7c 2848 rsp->result = cpu_to_le16(result);
aca3192c 2849 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 2850
2851 return ptr - data;
2852}
2853
7b1c0049
GP		 2854static void l2cap_conf_rfc_get(struct sock *sk, void *rsp, int len)
2855{
2856 struct l2cap_pinfo *pi = l2cap_pi(sk);
2857 int type, olen;
2858 unsigned long val;
2859 struct l2cap_conf_rfc rfc;
2860
2861 BT_DBG("sk %p, rsp %p, len %d", sk, rsp, len);
2862
2863 if ((pi->mode != L2CAP_MODE_ERTM) && (pi->mode != L2CAP_MODE_STREAMING))
2864 return;
2865
2866 while (len >= L2CAP_CONF_OPT_SIZE) {
2867 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2868
2869 switch (type) {
2870 case L2CAP_CONF_RFC:
2871 if (olen == sizeof(rfc))
2872 memcpy(&rfc, (void *)val, olen);
2873 goto done;
2874 }
2875 }
2876
2877done:
2878 switch (rfc.mode) {
2879 case L2CAP_MODE_ERTM:
10467e9e
GP		 2880 pi->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2881 pi->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
7b1c0049
GP		 2882 pi->mps = le16_to_cpu(rfc.max_pdu_size);
2883 break;
2884 case L2CAP_MODE_STREAMING:
2885 pi->mps = le16_to_cpu(rfc.max_pdu_size);
2886 }
2887}
2888
4e8402a3
MH		 2889static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2890{
2891 struct l2cap_cmd_rej *rej = (struct l2cap_cmd_rej *) data;
2892
2893 if (rej->reason != 0x0000)
2894 return 0;
2895
2896 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2897 cmd->ident == conn->info_ident) {
4e8402a3 2898 del_timer(&conn->info_timer);
984947dc
MH		 2899
2900 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2901 conn->info_ident = 0;
984947dc 2902
4e8402a3
MH		 2903 l2cap_conn_start(conn);
2904 }
2905
2906 return 0;
2907}
2908
1da177e4
LT		 2909static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2910{
2911 struct l2cap_chan_list *list = &conn->chan_list;
2912 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
2913 struct l2cap_conn_rsp rsp;
d793fe8c 2914 struct sock *parent, *sk = NULL;
e7c29cb1 2915 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2916
2917 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 2918 __le16 psm = req->psm;
1da177e4
LT		 2919
2920 BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
2921
2922 /* Check if we have socket listening on psm */
2923 parent = l2cap_get_sock_by_psm(BT_LISTEN, psm, conn->src);
2924 if (!parent) {
2925 result = L2CAP_CR_BAD_PSM;
2926 goto sendresp;
2927 }
2928
e0f0cb56
GP		 2929 bh_lock_sock(parent);
2930
e7c29cb1
MH		 2931 /* Check if the ACL is secure enough (if not SDP) */
2932 if (psm != cpu_to_le16(0x0001) &&
2933 !hci_conn_check_link_mode(conn->hcon)) {
2950f21a 2934 conn->disc_reason = 0x05;
e7c29cb1
MH		 2935 result = L2CAP_CR_SEC_BLOCK;
2936 goto response;
2937 }
2938
1da177e4
LT		 2939 result = L2CAP_CR_NO_MEM;
2940
2941 /* Check for backlog size */
2942 if (sk_acceptq_is_full(parent)) {
8e87d142 2943 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1da177e4
LT		 2944 goto response;
2945 }
2946
3b1e0a65 2947 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP, GFP_ATOMIC);
1da177e4
LT		 2948 if (!sk)
2949 goto response;
2950
fd1278d7 2951 write_lock_bh(&list->lock);
1da177e4
LT		 2952
2953 /* Check if we already have channel with that dcid */
2954 if (__l2cap_get_chan_by_dcid(list, scid)) {
fd1278d7 2955 write_unlock_bh(&list->lock);
1da177e4
LT		 2956 sock_set_flag(sk, SOCK_ZAPPED);
2957 l2cap_sock_kill(sk);
2958 goto response;
2959 }
2960
2961 hci_conn_hold(conn->hcon);
2962
2963 l2cap_sock_init(sk, parent);
2964 bacpy(&bt_sk(sk)->src, conn->src);
2965 bacpy(&bt_sk(sk)->dst, conn->dst);
2966 l2cap_pi(sk)->psm = psm;
2967 l2cap_pi(sk)->dcid = scid;
2968
2969 __l2cap_chan_add(conn, sk, parent);
2970 dcid = l2cap_pi(sk)->scid;
2971
2972 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
2973
1da177e4
LT		 2974 l2cap_pi(sk)->ident = cmd->ident;
2975
984947dc 2976 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
2af6b9d5 2977 if (l2cap_check_security(sk)) {
f66dc81f
MH		 2978 if (bt_sk(sk)->defer_setup) {
2979 sk->sk_state = BT_CONNECT2;
2980 result = L2CAP_CR_PEND;
2981 status = L2CAP_CS_AUTHOR_PEND;
2982 parent->sk_data_ready(parent, 0);
2983 } else {
2984 sk->sk_state = BT_CONFIG;
2985 result = L2CAP_CR_SUCCESS;
2986 status = L2CAP_CS_NO_INFO;
2987 }
79d554a6
MH		 2988 } else {
2989 sk->sk_state = BT_CONNECT2;
2990 result = L2CAP_CR_PEND;
2991 status = L2CAP_CS_AUTHEN_PEND;
2992 }
2993 } else {
2994 sk->sk_state = BT_CONNECT2;
2995 result = L2CAP_CR_PEND;
2996 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2997 }
2998
fd1278d7 2999 write_unlock_bh(&list->lock);
1da177e4
LT		 3000
3001response:
3002 bh_unlock_sock(parent);
3003
3004sendresp:
aca3192c
YH		 3005 rsp.scid = cpu_to_le16(scid);
3006 rsp.dcid = cpu_to_le16(dcid);
3007 rsp.result = cpu_to_le16(result);
3008 rsp.status = cpu_to_le16(status);
1da177e4 3009 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 3010
3011 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3012 struct l2cap_info_req info;
3013 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3014
3015 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3016 conn->info_ident = l2cap_get_ident(conn);
3017
3018 mod_timer(&conn->info_timer, jiffies +
3019 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
3020
3021 l2cap_send_cmd(conn, conn->info_ident,
3022 L2CAP_INFO_REQ, sizeof(info), &info);
3023 }
3024
d793fe8c 3025 if (sk && !(l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT) &&
e9aeb2dd
GP		 3026 result == L2CAP_CR_SUCCESS) {
3027 u8 buf[128];
3028 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
3029 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3030 l2cap_build_conf_req(sk, buf), buf);
3031 l2cap_pi(sk)->num_conf_req++;
3032 }
3033
1da177e4
LT		 3034 return 0;
3035}
3036
3037static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3038{
3039 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3040 u16 scid, dcid, result, status;
3041 struct sock *sk;
3042 u8 req[128];
3043
3044 scid = __le16_to_cpu(rsp->scid);
3045 dcid = __le16_to_cpu(rsp->dcid);
3046 result = __le16_to_cpu(rsp->result);
3047 status = __le16_to_cpu(rsp->status);
3048
3049 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status);
3050
3051 if (scid) {
af05b30b
GP		 3052 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
3053 if (!sk)
57d3b22b 3054 return -EFAULT;
1da177e4 3055 } else {
af05b30b
GP		 3056 sk = l2cap_get_chan_by_ident(&conn->chan_list, cmd->ident);
3057 if (!sk)
57d3b22b 3058 return -EFAULT;
1da177e4
LT		 3059 }
3060
3061 switch (result) {
3062 case L2CAP_CR_SUCCESS:
3063 sk->sk_state = BT_CONFIG;
3064 l2cap_pi(sk)->ident = 0;
3065 l2cap_pi(sk)->dcid = dcid;
6a8d3010
MH		 3066 l2cap_pi(sk)->conf_state &= ~L2CAP_CONF_CONNECT_PEND;
3067
e9aeb2dd
GP		 3068 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT)
3069 break;
3070
3071 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
3072
1da177e4
LT		 3073 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3074 l2cap_build_conf_req(sk, req), req);
f2fcfcd6 3075 l2cap_pi(sk)->num_conf_req++;
1da177e4
LT		 3076 break;
3077
3078 case L2CAP_CR_PEND:
6a8d3010 3079 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
1da177e4
LT		 3080 break;
3081
3082 default:
a49184c2
AE		 3083 /* don't delete l2cap channel if sk is owned by user */
3084 if (sock_owned_by_user(sk)) {
3085 sk->sk_state = BT_DISCONN;
3086 l2cap_sock_clear_timer(sk);
3087 l2cap_sock_set_timer(sk, HZ / 5);
3088 break;
3089 }
3090
1da177e4
LT		 3091 l2cap_chan_del(sk, ECONNREFUSED);
3092 break;
3093 }
3094
3095 bh_unlock_sock(sk);
3096 return 0;
3097}
3098
8c462b60
MM		 3099static inline void set_default_fcs(struct l2cap_pinfo *pi)
3100{
3101 /* FCS is enabled only in ERTM or streaming mode, if one or both
3102 * sides request it.
3103 */
3104 if (pi->mode != L2CAP_MODE_ERTM && pi->mode != L2CAP_MODE_STREAMING)
3105 pi->fcs = L2CAP_FCS_NONE;
3106 else if (!(pi->conf_state & L2CAP_CONF_NO_FCS_RECV))
3107 pi->fcs = L2CAP_FCS_CRC16;
3108}
3109
88219a0f 3110static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 3111{
3112 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
3113 u16 dcid, flags;
3114 u8 rsp[64];
3115 struct sock *sk;
5dee9e7c 3116 int len;
1da177e4
LT		 3117
3118 dcid = __le16_to_cpu(req->dcid);
3119 flags = __le16_to_cpu(req->flags);
3120
3121 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
3122
af05b30b
GP		 3123 sk = l2cap_get_chan_by_scid(&conn->chan_list, dcid);
3124 if (!sk)
1da177e4
LT		 3125 return -ENOENT;
3126
b0239c80 3127 if (sk->sk_state == BT_DISCONN)
354f60a9
MH		 3128 goto unlock;
3129
5dee9e7c 3130 /* Reject if config buffer is too small. */
88219a0f 3131 len = cmd_len - sizeof(*req);
5dee9e7c
MH		 3132 if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
3133 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3134 l2cap_build_conf_rsp(sk, rsp,
3135 L2CAP_CONF_REJECT, flags), rsp);
3136 goto unlock;
3137 }
3138
3139 /* Store config. */
3140 memcpy(l2cap_pi(sk)->conf_req + l2cap_pi(sk)->conf_len, req->data, len);
3141 l2cap_pi(sk)->conf_len += len;
1da177e4
LT		 3142
3143 if (flags & 0x0001) {
3144 /* Incomplete config. Send empty response. */
3145 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
5dee9e7c
MH		 3146 l2cap_build_conf_rsp(sk, rsp,
3147 L2CAP_CONF_SUCCESS, 0x0001), rsp);
1da177e4
LT		 3148 goto unlock;
3149 }
3150
3151 /* Complete config. */
5dee9e7c 3152 len = l2cap_parse_conf_req(sk, rsp);
f2fcfcd6 3153 if (len < 0) {
9b108fc0 3154 l2cap_send_disconn_req(conn, sk, ECONNRESET);
1da177e4 3155 goto unlock;
f2fcfcd6 3156 }
1da177e4 3157
5dee9e7c 3158 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
f2fcfcd6 3159 l2cap_pi(sk)->num_conf_rsp++;
5dee9e7c 3160
5dee9e7c
MH		 3161 /* Reset config buffer. */
3162 l2cap_pi(sk)->conf_len = 0;
3163
876d9484
MH		 3164 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE))
3165 goto unlock;
3166
1da177e4 3167 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_INPUT_DONE) {
8c462b60 3168 set_default_fcs(l2cap_pi(sk));
fcc203c3 3169
1da177e4 3170 sk->sk_state = BT_CONNECTED;
e90bac06 3171
0565c1c2
GP		 3172 l2cap_pi(sk)->next_tx_seq = 0;
3173 l2cap_pi(sk)->expected_tx_seq = 0;
1c2acffb 3174 __skb_queue_head_init(TX_QUEUE(sk));
0565c1c2
GP		 3175 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM)
3176 l2cap_ertm_init(sk);
3177
1da177e4 3178 l2cap_chan_ready(sk);
876d9484
MH		 3179 goto unlock;
3180 }
3181
3182 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT)) {
79d554a6 3183 u8 buf[64];
ab3e5715 3184 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
1da177e4 3185 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
79d554a6 3186 l2cap_build_conf_req(sk, buf), buf);
f2fcfcd6 3187 l2cap_pi(sk)->num_conf_req++;
1da177e4
LT		 3188 }
3189
3190unlock:
3191 bh_unlock_sock(sk);
3192 return 0;
3193}
3194
3195static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3196{
3197 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
3198 u16 scid, flags, result;
3199 struct sock *sk;
7b1c0049 3200 int len = cmd->len - sizeof(*rsp);
1da177e4
LT		 3201
3202 scid = __le16_to_cpu(rsp->scid);
3203 flags = __le16_to_cpu(rsp->flags);
3204 result = __le16_to_cpu(rsp->result);
3205
af05b30b
GP		 3206 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x",
3207 scid, flags, result);
1da177e4 3208
af05b30b
GP		 3209 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
3210 if (!sk)
1da177e4
LT		 3211 return 0;
3212
3213 switch (result) {
3214 case L2CAP_CONF_SUCCESS:
7b1c0049 3215 l2cap_conf_rfc_get(sk, rsp->data, len);
1da177e4
LT		 3216 break;
3217
3218 case L2CAP_CONF_UNACCEPT:
f2fcfcd6 3219 if (l2cap_pi(sk)->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 3220 char req[64];
3221
c2c77ec8 3222 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
9b108fc0 3223 l2cap_send_disconn_req(conn, sk, ECONNRESET);
c2c77ec8
AE		 3224 goto done;
3225 }
3226
f2fcfcd6
GP		 3227 /* throw out any old stored conf requests */
3228 result = L2CAP_CONF_SUCCESS;
3229 len = l2cap_parse_conf_rsp(sk, rsp->data,
3230 len, req, &result);
3231 if (len < 0) {
9b108fc0 3232 l2cap_send_disconn_req(conn, sk, ECONNRESET);
f2fcfcd6
GP		 3233 goto done;
3234 }
3235
3236 l2cap_send_cmd(conn, l2cap_get_ident(conn),
3237 L2CAP_CONF_REQ, len, req);
3238 l2cap_pi(sk)->num_conf_req++;
3239 if (result != L2CAP_CONF_SUCCESS)
3240 goto done;
3241 break;
1da177e4
LT		 3242 }
3243
8e87d142 3244 default:
b1235d79 3245 sk->sk_err = ECONNRESET;
1da177e4 3246 l2cap_sock_set_timer(sk, HZ * 5);
9b108fc0 3247 l2cap_send_disconn_req(conn, sk, ECONNRESET);
1da177e4
LT		 3248 goto done;
3249 }
3250
3251 if (flags & 0x01)
3252 goto done;
3253
1da177e4
LT		 3254 l2cap_pi(sk)->conf_state |= L2CAP_CONF_INPUT_DONE;
3255
3256 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE) {
8c462b60 3257 set_default_fcs(l2cap_pi(sk));
fcc203c3 3258
1da177e4 3259 sk->sk_state = BT_CONNECTED;
0565c1c2 3260 l2cap_pi(sk)->next_tx_seq = 0;
1c2acffb 3261 l2cap_pi(sk)->expected_tx_seq = 0;
1c2acffb 3262 __skb_queue_head_init(TX_QUEUE(sk));
0565c1c2
GP		 3263 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM)
3264 l2cap_ertm_init(sk);
3265
1da177e4
LT		 3266 l2cap_chan_ready(sk);
3267 }
3268
3269done:
3270 bh_unlock_sock(sk);
3271 return 0;
3272}
3273
3274static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3275{
3276 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
3277 struct l2cap_disconn_rsp rsp;
3278 u16 dcid, scid;
3279 struct sock *sk;
3280
3281 scid = __le16_to_cpu(req->scid);
3282 dcid = __le16_to_cpu(req->dcid);
3283
3284 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
3285
af05b30b
GP		 3286 sk = l2cap_get_chan_by_scid(&conn->chan_list, dcid);
3287 if (!sk)
1da177e4
LT		 3288 return 0;
3289
aca3192c
YH		 3290 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
3291 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
1da177e4
LT		 3292 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
3293
3294 sk->sk_shutdown = SHUTDOWN_MASK;
3295
a49184c2
AE		 3296 /* don't delete l2cap channel if sk is owned by user */
3297 if (sock_owned_by_user(sk)) {
3298 sk->sk_state = BT_DISCONN;
3299 l2cap_sock_clear_timer(sk);
3300 l2cap_sock_set_timer(sk, HZ / 5);
3301 bh_unlock_sock(sk);
3302 return 0;
3303 }
3304
1da177e4
LT		 3305 l2cap_chan_del(sk, ECONNRESET);
3306 bh_unlock_sock(sk);
3307
3308 l2cap_sock_kill(sk);
3309 return 0;
3310}
3311
3312static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3313{
3314 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
3315 u16 dcid, scid;
3316 struct sock *sk;
3317
3318 scid = __le16_to_cpu(rsp->scid);
3319 dcid = __le16_to_cpu(rsp->dcid);
3320
3321 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
3322
af05b30b
GP		 3323 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
3324 if (!sk)
1da177e4
LT		 3325 return 0;
3326
a49184c2
AE		 3327 /* don't delete l2cap channel if sk is owned by user */
3328 if (sock_owned_by_user(sk)) {
3329 sk->sk_state = BT_DISCONN;
3330 l2cap_sock_clear_timer(sk);
3331 l2cap_sock_set_timer(sk, HZ / 5);
3332 bh_unlock_sock(sk);
3333 return 0;
3334 }
3335
1da177e4
LT		 3336 l2cap_chan_del(sk, 0);
3337 bh_unlock_sock(sk);
3338
3339 l2cap_sock_kill(sk);
3340 return 0;
3341}
3342
3343static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3344{
3345 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 3346 u16 type;
3347
3348 type = __le16_to_cpu(req->type);
3349
3350 BT_DBG("type 0x%4.4x", type);
3351
f0709e03
MH		 3352 if (type == L2CAP_IT_FEAT_MASK) {
3353 u8 buf[8];
44dd46de 3354 u32 feat_mask = l2cap_feat_mask;
f0709e03
MH		 3355 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
3356 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3357 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 3358 if (!disable_ertm)
fcc203c3
GP		 3359 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
3360 | L2CAP_FEAT_FCS;
1b7bf4ed 3361 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 3362 l2cap_send_cmd(conn, cmd->ident,
3363 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 3364 } else if (type == L2CAP_IT_FIXED_CHAN) {
3365 u8 buf[12];
3366 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
3367 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3368 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
3369 memcpy(buf + 4, l2cap_fixed_chan, 8);
3370 l2cap_send_cmd(conn, cmd->ident,
3371 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 3372 } else {
3373 struct l2cap_info_rsp rsp;
3374 rsp.type = cpu_to_le16(type);
3375 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
3376 l2cap_send_cmd(conn, cmd->ident,
3377 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
3378 }
1da177e4
LT		 3379
3380 return 0;
3381}
3382
3383static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3384{
3385 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
3386 u16 type, result;
3387
3388 type = __le16_to_cpu(rsp->type);
3389 result = __le16_to_cpu(rsp->result);
3390
3391 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
3392
4e8402a3
MH		 3393 del_timer(&conn->info_timer);
3394
adb08ede
VT		 3395 if (result != L2CAP_IR_SUCCESS) {
3396 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3397 conn->info_ident = 0;
3398
3399 l2cap_conn_start(conn);
3400
3401 return 0;
3402 }
3403
984947dc 3404 if (type == L2CAP_IT_FEAT_MASK) {
83985319 3405 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 3406
47ec1dcd 3407 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c
MH		 3408 struct l2cap_info_req req;
3409 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3410
3411 conn->info_ident = l2cap_get_ident(conn);
3412
3413 l2cap_send_cmd(conn, conn->info_ident,
3414 L2CAP_INFO_REQ, sizeof(req), &req);
3415 } else {
3416 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3417 conn->info_ident = 0;
3418
3419 l2cap_conn_start(conn);
3420 }
3421 } else if (type == L2CAP_IT_FIXED_CHAN) {
984947dc 3422 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3423 conn->info_ident = 0;
984947dc
MH		 3424
3425 l2cap_conn_start(conn);
3426 }
4e8402a3 3427
1da177e4
LT		 3428 return 0;
3429}
3430
3431static inline void l2cap_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb)
3432{
3433 u8 *data = skb->data;
3434 int len = skb->len;
3435 struct l2cap_cmd_hdr cmd;
3436 int err = 0;
3437
3438 l2cap_raw_recv(conn, skb);
3439
3440 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 3441 u16 cmd_len;
1da177e4
LT		 3442 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
3443 data += L2CAP_CMD_HDR_SIZE;
3444 len -= L2CAP_CMD_HDR_SIZE;
3445
88219a0f 3446 cmd_len = le16_to_cpu(cmd.len);
1da177e4 3447
88219a0f 3448 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 3449
88219a0f 3450 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 3451 BT_DBG("corrupted command");
3452 break;
3453 }
3454
3455 switch (cmd.code) {
3456 case L2CAP_COMMAND_REJ:
4e8402a3 3457 l2cap_command_rej(conn, &cmd, data);
1da177e4
LT		 3458 break;
3459
3460 case L2CAP_CONN_REQ:
3461 err = l2cap_connect_req(conn, &cmd, data);
3462 break;
3463
3464 case L2CAP_CONN_RSP:
3465 err = l2cap_connect_rsp(conn, &cmd, data);
3466 break;
3467
3468 case L2CAP_CONF_REQ:
88219a0f 3469 err = l2cap_config_req(conn, &cmd, cmd_len, data);
1da177e4
LT		 3470 break;
3471
3472 case L2CAP_CONF_RSP:
3473 err = l2cap_config_rsp(conn, &cmd, data);
3474 break;
3475
3476 case L2CAP_DISCONN_REQ:
3477 err = l2cap_disconnect_req(conn, &cmd, data);
3478 break;
3479
3480 case L2CAP_DISCONN_RSP:
3481 err = l2cap_disconnect_rsp(conn, &cmd, data);
3482 break;
3483
3484 case L2CAP_ECHO_REQ:
88219a0f 3485 l2cap_send_cmd(conn, cmd.ident, L2CAP_ECHO_RSP, cmd_len, data);
1da177e4
LT		 3486 break;
3487
3488 case L2CAP_ECHO_RSP:
3489 break;
3490
3491 case L2CAP_INFO_REQ:
3492 err = l2cap_information_req(conn, &cmd, data);
3493 break;
3494
3495 case L2CAP_INFO_RSP:
3496 err = l2cap_information_rsp(conn, &cmd, data);
3497 break;
3498
3499 default:
3500 BT_ERR("Unknown signaling command 0x%2.2x", cmd.code);
3501 err = -EINVAL;
3502 break;
3503 }
3504
3505 if (err) {
3506 struct l2cap_cmd_rej rej;
3507 BT_DBG("error %d", err);
3508
3509 /* FIXME: Map err to a valid reason */
aca3192c 3510 rej.reason = cpu_to_le16(0);
1da177e4
LT		 3511 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3512 }
3513
88219a0f
AV		 3514 data += cmd_len;
3515 len -= cmd_len;
1da177e4
LT		 3516 }
3517
3518 kfree_skb(skb);
3519}
3520
fcc203c3
GP		 3521static int l2cap_check_fcs(struct l2cap_pinfo *pi, struct sk_buff *skb)
3522{
3523 u16 our_fcs, rcv_fcs;
3524 int hdr_size = L2CAP_HDR_SIZE + 2;
3525
3526 if (pi->fcs == L2CAP_FCS_CRC16) {
3527 skb_trim(skb, skb->len - 2);
3528 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
3529 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
3530
3531 if (our_fcs != rcv_fcs)
7a560e5c 3532 return -EBADMSG;
fcc203c3
GP		 3533 }
3534 return 0;
3535}
3536
d5392c8f
GP		 3537static inline void l2cap_send_i_or_rr_or_rnr(struct sock *sk)
3538{
3539 struct l2cap_pinfo *pi = l2cap_pi(sk);
3540 u16 control = 0;
3541
3542 pi->frames_sent = 0;
d5392c8f
GP		 3543
3544 control |= pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3545
3546 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) {
64988868 3547 control |= L2CAP_SUPER_RCV_NOT_READY;
d5392c8f 3548 l2cap_send_sframe(pi, control);
1890d36b 3549 pi->conn_state |= L2CAP_CONN_RNR_SENT;
d5392c8f
GP		 3550 }
3551
4ea727ef
GP		 3552 if (pi->conn_state & L2CAP_CONN_REMOTE_BUSY)
3553 l2cap_retransmit_frames(sk);
d5392c8f
GP		 3554
3555 l2cap_ertm_send(sk);
3556
3557 if (!(pi->conn_state & L2CAP_CONN_LOCAL_BUSY) &&
3558 pi->frames_sent == 0) {
3559 control |= L2CAP_SUPER_RCV_READY;
d5392c8f
GP		 3560 l2cap_send_sframe(pi, control);
3561 }
3562}
3563
9b53350d 3564static int l2cap_add_to_srej_queue(struct sock *sk, struct sk_buff *skb, u8 tx_seq, u8 sar)
8f17154f
GP		 3565{
3566 struct sk_buff *next_skb;
bfbacc11
JPRV		 3567 struct l2cap_pinfo *pi = l2cap_pi(sk);
3568 int tx_seq_offset, next_tx_seq_offset;
8f17154f
GP		 3569
3570 bt_cb(skb)->tx_seq = tx_seq;
3571 bt_cb(skb)->sar = sar;
3572
3573 next_skb = skb_peek(SREJ_QUEUE(sk));
3574 if (!next_skb) {
3575 __skb_queue_tail(SREJ_QUEUE(sk), skb);
9b53350d 3576 return 0;
8f17154f
GP		 3577 }
3578
bfbacc11
JPRV		 3579 tx_seq_offset = (tx_seq - pi->buffer_seq) % 64;
3580 if (tx_seq_offset < 0)
3581 tx_seq_offset += 64;
3582
8f17154f 3583 do {
9b53350d
JPRV		 3584 if (bt_cb(next_skb)->tx_seq == tx_seq)
3585 return -EINVAL;
3586
bfbacc11
JPRV		 3587 next_tx_seq_offset = (bt_cb(next_skb)->tx_seq -
3588 pi->buffer_seq) % 64;
3589 if (next_tx_seq_offset < 0)
3590 next_tx_seq_offset += 64;
3591
3592 if (next_tx_seq_offset > tx_seq_offset) {
8f17154f 3593 __skb_queue_before(SREJ_QUEUE(sk), next_skb, skb);
9b53350d 3594 return 0;
8f17154f
GP		 3595 }
3596
3597 if (skb_queue_is_last(SREJ_QUEUE(sk), next_skb))
3598 break;
3599
59203a21 3600 } while ((next_skb = skb_queue_next(SREJ_QUEUE(sk), next_skb)));
8f17154f
GP		 3601
3602 __skb_queue_tail(SREJ_QUEUE(sk), skb);
9b53350d
JPRV		 3603
3604 return 0;
8f17154f
GP		 3605}
3606
18778a63
GP		 3607static int l2cap_ertm_reassembly_sdu(struct sock *sk, struct sk_buff *skb, u16 control)
3608{
3609 struct l2cap_pinfo *pi = l2cap_pi(sk);
3610 struct sk_buff *_skb;
1890d36b 3611 int err;
18778a63
GP		 3612
3613 switch (control & L2CAP_CTRL_SAR) {
3614 case L2CAP_SDU_UNSEGMENTED:
3615 if (pi->conn_state & L2CAP_CONN_SAR_SDU)
3616 goto drop;
3617
3618 err = sock_queue_rcv_skb(sk, skb);
3619 if (!err)
3620 return err;
3621
3622 break;
3623
3624 case L2CAP_SDU_START:
3625 if (pi->conn_state & L2CAP_CONN_SAR_SDU)
3626 goto drop;
3627
3628 pi->sdu_len = get_unaligned_le16(skb->data);
18778a63
GP		 3629
3630 if (pi->sdu_len > pi->imtu)
3631 goto disconnect;
3632
3633 pi->sdu = bt_skb_alloc(pi->sdu_len, GFP_ATOMIC);
1890d36b
GP		 3634 if (!pi->sdu)
3635 return -ENOMEM;
3636
3637 /* pull sdu_len bytes only after alloc, because of Local Busy
3638 * condition we have to be sure that this will be executed
3639 * only once, i.e., when alloc does not fail */
3640 skb_pull(skb, 2);
18778a63
GP		 3641
3642 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3643
3644 pi->conn_state |= L2CAP_CONN_SAR_SDU;
3645 pi->partial_sdu_len = skb->len;
3646 break;
3647
3648 case L2CAP_SDU_CONTINUE:
3649 if (!(pi->conn_state & L2CAP_CONN_SAR_SDU))
3650 goto disconnect;
3651
3652 if (!pi->sdu)
3653 goto disconnect;
3654
18778a63
GP		 3655 pi->partial_sdu_len += skb->len;
3656 if (pi->partial_sdu_len > pi->sdu_len)
3657 goto drop;
3658
4178ba46
GP		 3659 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3660
18778a63
GP		 3661 break;
3662
3663 case L2CAP_SDU_END:
3664 if (!(pi->conn_state & L2CAP_CONN_SAR_SDU))
3665 goto disconnect;
3666
3667 if (!pi->sdu)
3668 goto disconnect;
3669
1890d36b 3670 if (!(pi->conn_state & L2CAP_CONN_SAR_RETRY)) {
1890d36b 3671 pi->partial_sdu_len += skb->len;
18778a63 3672
1890d36b
GP		 3673 if (pi->partial_sdu_len > pi->imtu)
3674 goto drop;
18778a63 3675
1890d36b
GP		 3676 if (pi->partial_sdu_len != pi->sdu_len)
3677 goto drop;
4178ba46
GP		 3678
3679 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
1890d36b 3680 }
18778a63
GP		 3681
3682 _skb = skb_clone(pi->sdu, GFP_ATOMIC);
1890d36b
GP		 3683 if (!_skb) {
3684 pi->conn_state |= L2CAP_CONN_SAR_RETRY;
3685 return -ENOMEM;
3686 }
3687
18778a63 3688 err = sock_queue_rcv_skb(sk, _skb);
1890d36b 3689 if (err < 0) {
18778a63 3690 kfree_skb(_skb);
1890d36b
GP		 3691 pi->conn_state |= L2CAP_CONN_SAR_RETRY;
3692 return err;
3693 }
3694
3695 pi->conn_state &= ~L2CAP_CONN_SAR_RETRY;
3696 pi->conn_state &= ~L2CAP_CONN_SAR_SDU;
18778a63
GP		 3697
3698 kfree_skb(pi->sdu);
3699 break;
3700 }
3701
3702 kfree_skb(skb);
1890d36b 3703 return 0;
18778a63
GP		 3704
3705drop:
3706 kfree_skb(pi->sdu);
3707 pi->sdu = NULL;
3708
3709disconnect:
9b108fc0 3710 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
18778a63
GP		 3711 kfree_skb(skb);
3712 return 0;
3713}
3714
712132eb
GP		 3715static int l2cap_try_push_rx_skb(struct sock *sk)
3716{
3717 struct l2cap_pinfo *pi = l2cap_pi(sk);
3718 struct sk_buff *skb;
3719 u16 control;
3720 int err;
3721
3722 while ((skb = skb_dequeue(BUSY_QUEUE(sk)))) {
3723 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
3724 err = l2cap_ertm_reassembly_sdu(sk, skb, control);
3725 if (err < 0) {
3726 skb_queue_head(BUSY_QUEUE(sk), skb);
3727 return -EBUSY;
3728 }
3729
3730 pi->buffer_seq = (pi->buffer_seq + 1) % 64;
3731 }
3732
3733 if (!(pi->conn_state & L2CAP_CONN_RNR_SENT))
3734 goto done;
3735
3736 control = pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3737 control |= L2CAP_SUPER_RCV_READY | L2CAP_CTRL_POLL;
3738 l2cap_send_sframe(pi, control);
3739 l2cap_pi(sk)->retry_count = 1;
3740
3741 del_timer(&pi->retrans_timer);
3742 __mod_monitor_timer();
3743
3744 l2cap_pi(sk)->conn_state |= L2CAP_CONN_WAIT_F;
3745
3746done:
3747 pi->conn_state &= ~L2CAP_CONN_LOCAL_BUSY;
3748 pi->conn_state &= ~L2CAP_CONN_RNR_SENT;
3749
3750 BT_DBG("sk %p, Exit local busy", sk);
3751
3752 return 0;
3753}
3754
1890d36b
GP		 3755static void l2cap_busy_work(struct work_struct *work)
3756{
3757 DECLARE_WAITQUEUE(wait, current);
3758 struct l2cap_pinfo *pi =
3759 container_of(work, struct l2cap_pinfo, busy_work);
3760 struct sock *sk = (struct sock *)pi;
3761 int n_tries = 0, timeo = HZ/5, err;
3762 struct sk_buff *skb;
1890d36b
GP		 3763
3764 lock_sock(sk);
3765
2b0b05dd 3766 add_wait_queue(sk_sleep(sk), &wait);
1890d36b
GP		 3767 while ((skb = skb_peek(BUSY_QUEUE(sk)))) {
3768 set_current_state(TASK_INTERRUPTIBLE);
3769
3770 if (n_tries++ > L2CAP_LOCAL_BUSY_TRIES) {
3771 err = -EBUSY;
9b108fc0 3772 l2cap_send_disconn_req(pi->conn, sk, EBUSY);
712132eb 3773 break;
1890d36b
GP		 3774 }
3775
3776 if (!timeo)
3777 timeo = HZ/5;
3778
3779 if (signal_pending(current)) {
3780 err = sock_intr_errno(timeo);
712132eb 3781 break;
1890d36b
GP		 3782 }
3783
3784 release_sock(sk);
3785 timeo = schedule_timeout(timeo);
3786 lock_sock(sk);
3787
3788 err = sock_error(sk);
3789 if (err)
712132eb 3790 break;
1890d36b 3791
712132eb 3792 if (l2cap_try_push_rx_skb(sk) == 0)
1890d36b
GP		 3793 break;
3794 }
3795
1890d36b 3796 set_current_state(TASK_RUNNING);
2b0b05dd 3797 remove_wait_queue(sk_sleep(sk), &wait);
1890d36b
GP		 3798
3799 release_sock(sk);
3800}
3801
3802static int l2cap_push_rx_skb(struct sock *sk, struct sk_buff *skb, u16 control)
3803{
3804 struct l2cap_pinfo *pi = l2cap_pi(sk);
3805 int sctrl, err;
3806
3807 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) {
3808 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
3809 __skb_queue_tail(BUSY_QUEUE(sk), skb);
712132eb
GP		 3810 return l2cap_try_push_rx_skb(sk);
3811
3812
1890d36b
GP		 3813 }
3814
3815 err = l2cap_ertm_reassembly_sdu(sk, skb, control);
3816 if (err >= 0) {
3817 pi->buffer_seq = (pi->buffer_seq + 1) % 64;
3818 return err;
3819 }
3820
3821 /* Busy Condition */
0e98958d
GP		 3822 BT_DBG("sk %p, Enter local busy", sk);
3823
1890d36b
GP		 3824 pi->conn_state |= L2CAP_CONN_LOCAL_BUSY;
3825 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
3826 __skb_queue_tail(BUSY_QUEUE(sk), skb);
3827
3828 sctrl = pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3829 sctrl |= L2CAP_SUPER_RCV_NOT_READY;
3830 l2cap_send_sframe(pi, sctrl);
3831
3832 pi->conn_state |= L2CAP_CONN_RNR_SENT;
3833
7fe9b298
GP		 3834 del_timer(&pi->ack_timer);
3835
1890d36b
GP		 3836 queue_work(_busy_wq, &pi->busy_work);
3837
3838 return err;
3839}
3840
18778a63 3841static int l2cap_streaming_reassembly_sdu(struct sock *sk, struct sk_buff *skb, u16 control)
c74e560c
GP		 3842{
3843 struct l2cap_pinfo *pi = l2cap_pi(sk);
3844 struct sk_buff *_skb;
3845 int err = -EINVAL;
3846
18778a63
GP		 3847 /*
3848 * TODO: We have to notify the userland if some data is lost with the
3849 * Streaming Mode.
3850 */
3851
c74e560c
GP		 3852 switch (control & L2CAP_CTRL_SAR) {
3853 case L2CAP_SDU_UNSEGMENTED:
3854 if (pi->conn_state & L2CAP_CONN_SAR_SDU) {
3855 kfree_skb(pi->sdu);
3856 break;
3857 }
3858
3859 err = sock_queue_rcv_skb(sk, skb);
3860 if (!err)
3861 return 0;
3862
3863 break;
3864
3865 case L2CAP_SDU_START:
3866 if (pi->conn_state & L2CAP_CONN_SAR_SDU) {
3867 kfree_skb(pi->sdu);
3868 break;
3869 }
3870
3871 pi->sdu_len = get_unaligned_le16(skb->data);
3872 skb_pull(skb, 2);
3873
052897ca
GP		 3874 if (pi->sdu_len > pi->imtu) {
3875 err = -EMSGSIZE;
3876 break;
3877 }
3878
c74e560c
GP		 3879 pi->sdu = bt_skb_alloc(pi->sdu_len, GFP_ATOMIC);
3880 if (!pi->sdu) {
3881 err = -ENOMEM;
3882 break;
3883 }
3884
3885 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3886
3887 pi->conn_state |= L2CAP_CONN_SAR_SDU;
3888 pi->partial_sdu_len = skb->len;
3889 err = 0;
3890 break;
3891
3892 case L2CAP_SDU_CONTINUE:
3893 if (!(pi->conn_state & L2CAP_CONN_SAR_SDU))
3894 break;
3895
3896 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3897
3898 pi->partial_sdu_len += skb->len;
3899 if (pi->partial_sdu_len > pi->sdu_len)
3900 kfree_skb(pi->sdu);
3901 else
3902 err = 0;
3903
3904 break;
3905
3906 case L2CAP_SDU_END:
3907 if (!(pi->conn_state & L2CAP_CONN_SAR_SDU))
3908 break;
3909
3910 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3911
3912 pi->conn_state &= ~L2CAP_CONN_SAR_SDU;
3913 pi->partial_sdu_len += skb->len;
3914
36f2fd58
GP		 3915 if (pi->partial_sdu_len > pi->imtu)
3916 goto drop;
3917
c74e560c
GP		 3918 if (pi->partial_sdu_len == pi->sdu_len) {
3919 _skb = skb_clone(pi->sdu, GFP_ATOMIC);
3920 err = sock_queue_rcv_skb(sk, _skb);
3921 if (err < 0)
3922 kfree_skb(_skb);
3923 }
c74e560c
GP		 3924 err = 0;
3925
36f2fd58
GP		 3926drop:
3927 kfree_skb(pi->sdu);
c74e560c
GP		 3928 break;
3929 }
3930
3931 kfree_skb(skb);
3932 return err;
3933}
3934
8f17154f
GP		 3935static void l2cap_check_srej_gap(struct sock *sk, u8 tx_seq)
3936{
3937 struct sk_buff *skb;
afefdbc4 3938 u16 control;
8f17154f 3939
59203a21 3940 while ((skb = skb_peek(SREJ_QUEUE(sk)))) {
8f17154f
GP		 3941 if (bt_cb(skb)->tx_seq != tx_seq)
3942 break;
3943
3944 skb = skb_dequeue(SREJ_QUEUE(sk));
afefdbc4 3945 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
18778a63 3946 l2cap_ertm_reassembly_sdu(sk, skb, control);
8f17154f
GP		 3947 l2cap_pi(sk)->buffer_seq_srej =
3948 (l2cap_pi(sk)->buffer_seq_srej + 1) % 64;
8ff50ec0 3949 tx_seq = (tx_seq + 1) % 64;
8f17154f
GP		 3950 }
3951}
3952
3953static void l2cap_resend_srejframe(struct sock *sk, u8 tx_seq)
3954{
3955 struct l2cap_pinfo *pi = l2cap_pi(sk);
3956 struct srej_list *l, *tmp;
3957 u16 control;
3958
59203a21 3959 list_for_each_entry_safe(l, tmp, SREJ_LIST(sk), list) {
8f17154f
GP		 3960 if (l->tx_seq == tx_seq) {
3961 list_del(&l->list);
3962 kfree(l);
3963 return;
3964 }
3965 control = L2CAP_SUPER_SELECT_REJECT;
3966 control |= l->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3967 l2cap_send_sframe(pi, control);
3968 list_del(&l->list);
3969 list_add_tail(&l->list, SREJ_LIST(sk));
3970 }
3971}
3972
3973static void l2cap_send_srejframe(struct sock *sk, u8 tx_seq)
3974{
3975 struct l2cap_pinfo *pi = l2cap_pi(sk);
3976 struct srej_list *new;
3977 u16 control;
3978
3979 while (tx_seq != pi->expected_tx_seq) {
3980 control = L2CAP_SUPER_SELECT_REJECT;
3981 control |= pi->expected_tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3982 l2cap_send_sframe(pi, control);
3983
3984 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
8ff50ec0
GP		 3985 new->tx_seq = pi->expected_tx_seq;
3986 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
8f17154f
GP		 3987 list_add_tail(&new->list, SREJ_LIST(sk));
3988 }
8ff50ec0 3989 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
8f17154f
GP		 3990}
3991
1c2acffb
GP		 3992static inline int l2cap_data_channel_iframe(struct sock *sk, u16 rx_control, struct sk_buff *skb)
3993{
3994 struct l2cap_pinfo *pi = l2cap_pi(sk);
3995 u8 tx_seq = __get_txseq(rx_control);
9f121a5a 3996 u8 req_seq = __get_reqseq(rx_control);
8f17154f 3997 u8 sar = rx_control >> L2CAP_CTRL_SAR_SHIFT;
f6337c77 3998 int tx_seq_offset, expected_tx_seq_offset;
803020c6 3999 int num_to_ack = (pi->tx_win/6) + 1;
1c2acffb
GP		 4000 int err = 0;
4001
0e98958d
GP		 4002 BT_DBG("sk %p len %d tx_seq %d rx_control 0x%4.4x", sk, skb->len, tx_seq,
4003 rx_control);
1c2acffb 4004
9b16dc65
GP		 4005 if (L2CAP_CTRL_FINAL & rx_control &&
4006 l2cap_pi(sk)->conn_state & L2CAP_CONN_WAIT_F) {
1d8f5d16
GP		 4007 del_timer(&pi->monitor_timer);
4008 if (pi->unacked_frames > 0)
4009 __mod_retrans_timer();
4010 pi->conn_state &= ~L2CAP_CONN_WAIT_F;
4011 }
4012
9f121a5a
GP		 4013 pi->expected_ack_seq = req_seq;
4014 l2cap_drop_acked_frames(sk);
4015
8f17154f
GP		 4016 if (tx_seq == pi->expected_tx_seq)
4017 goto expected;
1c2acffb 4018
9b53350d
JPRV		 4019 tx_seq_offset = (tx_seq - pi->buffer_seq) % 64;
4020 if (tx_seq_offset < 0)
4021 tx_seq_offset += 64;
4022
4023 /* invalid tx_seq */
4024 if (tx_seq_offset >= pi->tx_win) {
9b108fc0 4025 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
9b53350d
JPRV		 4026 goto drop;
4027 }
4028
1890d36b
GP		 4029 if (pi->conn_state == L2CAP_CONN_LOCAL_BUSY)
4030 goto drop;
4031
8f17154f
GP		 4032 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
4033 struct srej_list *first;
30afb5b2 4034
8f17154f
GP		 4035 first = list_first_entry(SREJ_LIST(sk),
4036 struct srej_list, list);
4037 if (tx_seq == first->tx_seq) {
4038 l2cap_add_to_srej_queue(sk, skb, tx_seq, sar);
4039 l2cap_check_srej_gap(sk, tx_seq);
4040
4041 list_del(&first->list);
4042 kfree(first);
4043
4044 if (list_empty(SREJ_LIST(sk))) {
4045 pi->buffer_seq = pi->buffer_seq_srej;
4046 pi->conn_state &= ~L2CAP_CONN_SREJ_SENT;
855666cc 4047 l2cap_send_ack(pi);
0e98958d 4048 BT_DBG("sk %p, Exit SREJ_SENT", sk);
8f17154f
GP		 4049 }
4050 } else {
4051 struct srej_list *l;
9b53350d
JPRV		 4052
4053 /* duplicated tx_seq */
4054 if (l2cap_add_to_srej_queue(sk, skb, tx_seq, sar) < 0)
4055 goto drop;
8f17154f
GP		 4056
4057 list_for_each_entry(l, SREJ_LIST(sk), list) {
4058 if (l->tx_seq == tx_seq) {
4059 l2cap_resend_srejframe(sk, tx_seq);
4060 return 0;
4061 }
4062 }
4063 l2cap_send_srejframe(sk, tx_seq);
30afb5b2
GP		 4064 }
4065 } else {
9b53350d
JPRV		 4066 expected_tx_seq_offset =
4067 (pi->expected_tx_seq - pi->buffer_seq) % 64;
4068 if (expected_tx_seq_offset < 0)
4069 expected_tx_seq_offset += 64;
4070
4071 /* duplicated tx_seq */
4072 if (tx_seq_offset < expected_tx_seq_offset)
4073 goto drop;
4074
8f17154f 4075 pi->conn_state |= L2CAP_CONN_SREJ_SENT;
1c2acffb 4076
0e98958d
GP		 4077 BT_DBG("sk %p, Enter SREJ", sk);
4078
8f17154f
GP		 4079 INIT_LIST_HEAD(SREJ_LIST(sk));
4080 pi->buffer_seq_srej = pi->buffer_seq;
4081
4082 __skb_queue_head_init(SREJ_QUEUE(sk));
1890d36b 4083 __skb_queue_head_init(BUSY_QUEUE(sk));
8f17154f
GP		 4084 l2cap_add_to_srej_queue(sk, skb, tx_seq, sar);
4085
ef54fd93
GP		 4086 pi->conn_state |= L2CAP_CONN_SEND_PBIT;
4087
8f17154f 4088 l2cap_send_srejframe(sk, tx_seq);
7fe9b298
GP		 4089
4090 del_timer(&pi->ack_timer);
1c2acffb 4091 }
30afb5b2
GP		 4092 return 0;
4093
8f17154f
GP		 4094expected:
4095 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
4096
4097 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
3b1a9f3f
GP		 4098 bt_cb(skb)->tx_seq = tx_seq;
4099 bt_cb(skb)->sar = sar;
4100 __skb_queue_tail(SREJ_QUEUE(sk), skb);
8f17154f
GP		 4101 return 0;
4102 }
4103
2ece3684
GP		 4104 err = l2cap_push_rx_skb(sk, skb, rx_control);
4105 if (err < 0)
4106 return 0;
4107
4ec10d97
GP		 4108 if (rx_control & L2CAP_CTRL_FINAL) {
4109 if (pi->conn_state & L2CAP_CONN_REJ_ACT)
4110 pi->conn_state &= ~L2CAP_CONN_REJ_ACT;
dfc909be
GP		 4111 else
4112 l2cap_retransmit_frames(sk);
4ec10d97
GP		 4113 }
4114
c1b4f43b
GP		 4115 __mod_ack_timer();
4116
803020c6
GP		 4117 pi->num_acked = (pi->num_acked + 1) % num_to_ack;
4118 if (pi->num_acked == num_to_ack - 1)
9e917af1
GP		 4119 l2cap_send_ack(pi);
4120
8f17154f 4121 return 0;
9b53350d
JPRV		 4122
4123drop:
4124 kfree_skb(skb);
4125 return 0;
1c2acffb
GP		 4126}
4127
e072745f 4128static inline void l2cap_data_channel_rrframe(struct sock *sk, u16 rx_control)
1c2acffb
GP		 4129{
4130 struct l2cap_pinfo *pi = l2cap_pi(sk);
6e3a5981 4131
0e98958d
GP		 4132 BT_DBG("sk %p, req_seq %d ctrl 0x%4.4x", sk, __get_reqseq(rx_control),
4133 rx_control);
4134
6e3a5981
GP		 4135 pi->expected_ack_seq = __get_reqseq(rx_control);
4136 l2cap_drop_acked_frames(sk);
1c2acffb 4137
e072745f 4138 if (rx_control & L2CAP_CTRL_POLL) {
3cb123d1 4139 pi->conn_state |= L2CAP_CONN_SEND_FBIT;
05fbd89d
GP		 4140 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
4141 if ((pi->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
4142 (pi->unacked_frames > 0))
4143 __mod_retrans_timer();
4144
4145 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
4146 l2cap_send_srejtail(sk);
4147 } else {
4148 l2cap_send_i_or_rr_or_rnr(sk);
05fbd89d 4149 }
1d8f5d16 4150
e072745f
GP		 4151 } else if (rx_control & L2CAP_CTRL_FINAL) {
4152 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
4ec10d97 4153
e072745f
GP		 4154 if (pi->conn_state & L2CAP_CONN_REJ_ACT)
4155 pi->conn_state &= ~L2CAP_CONN_REJ_ACT;
dfc909be
GP		 4156 else
4157 l2cap_retransmit_frames(sk);
2246b2f1 4158
e072745f 4159 } else {
e072745f
GP		 4160 if ((pi->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
4161 (pi->unacked_frames > 0))
4162 __mod_retrans_timer();
1c2acffb 4163
2246b2f1 4164 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
894718a6 4165 if (pi->conn_state & L2CAP_CONN_SREJ_SENT)
e072745f 4166 l2cap_send_ack(pi);
894718a6 4167 else
e072745f
GP		 4168 l2cap_ertm_send(sk);
4169 }
4170}
2246b2f1 4171
e072745f
GP		 4172static inline void l2cap_data_channel_rejframe(struct sock *sk, u16 rx_control)
4173{
4174 struct l2cap_pinfo *pi = l2cap_pi(sk);
4175 u8 tx_seq = __get_reqseq(rx_control);
30afb5b2 4176
0e98958d
GP		 4177 BT_DBG("sk %p, req_seq %d ctrl 0x%4.4x", sk, tx_seq, rx_control);
4178
e072745f
GP		 4179 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
4180
8abb52ee 4181 pi->expected_ack_seq = tx_seq;
e072745f
GP		 4182 l2cap_drop_acked_frames(sk);
4183
4184 if (rx_control & L2CAP_CTRL_FINAL) {
4185 if (pi->conn_state & L2CAP_CONN_REJ_ACT)
4186 pi->conn_state &= ~L2CAP_CONN_REJ_ACT;
dfc909be
GP		 4187 else
4188 l2cap_retransmit_frames(sk);
e072745f 4189 } else {
dfc909be 4190 l2cap_retransmit_frames(sk);
30afb5b2 4191
0301ef04 4192 if (pi->conn_state & L2CAP_CONN_WAIT_F)
e072745f 4193 pi->conn_state |= L2CAP_CONN_REJ_ACT;
e072745f
GP		 4194 }
4195}
4196static inline void l2cap_data_channel_srejframe(struct sock *sk, u16 rx_control)
4197{
4198 struct l2cap_pinfo *pi = l2cap_pi(sk);
4199 u8 tx_seq = __get_reqseq(rx_control);
30afb5b2 4200
0e98958d
GP		 4201 BT_DBG("sk %p, req_seq %d ctrl 0x%4.4x", sk, tx_seq, rx_control);
4202
e072745f 4203 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
2246b2f1 4204
e072745f
GP		 4205 if (rx_control & L2CAP_CTRL_POLL) {
4206 pi->expected_ack_seq = tx_seq;
4207 l2cap_drop_acked_frames(sk);
3cb123d1
GP		 4208
4209 pi->conn_state |= L2CAP_CONN_SEND_FBIT;
dfc909be
GP		 4210 l2cap_retransmit_one_frame(sk, tx_seq);
4211
e072745f 4212 l2cap_ertm_send(sk);
dfc909be 4213
e072745f
GP		 4214 if (pi->conn_state & L2CAP_CONN_WAIT_F) {
4215 pi->srej_save_reqseq = tx_seq;
4216 pi->conn_state |= L2CAP_CONN_SREJ_ACT;
ef54fd93 4217 }
e072745f
GP		 4218 } else if (rx_control & L2CAP_CTRL_FINAL) {
4219 if ((pi->conn_state & L2CAP_CONN_SREJ_ACT) &&
4220 pi->srej_save_reqseq == tx_seq)
4221 pi->conn_state &= ~L2CAP_CONN_SREJ_ACT;
4222 else
dfc909be 4223 l2cap_retransmit_one_frame(sk, tx_seq);
e072745f 4224 } else {
dfc909be 4225 l2cap_retransmit_one_frame(sk, tx_seq);
e072745f
GP		 4226 if (pi->conn_state & L2CAP_CONN_WAIT_F) {
4227 pi->srej_save_reqseq = tx_seq;
4228 pi->conn_state |= L2CAP_CONN_SREJ_ACT;
ef54fd93 4229 }
e072745f
GP		 4230 }
4231}
4232
4233static inline void l2cap_data_channel_rnrframe(struct sock *sk, u16 rx_control)
4234{
4235 struct l2cap_pinfo *pi = l2cap_pi(sk);
4236 u8 tx_seq = __get_reqseq(rx_control);
4237
0e98958d
GP		 4238 BT_DBG("sk %p, req_seq %d ctrl 0x%4.4x", sk, tx_seq, rx_control);
4239
e072745f
GP		 4240 pi->conn_state |= L2CAP_CONN_REMOTE_BUSY;
4241 pi->expected_ack_seq = tx_seq;
4242 l2cap_drop_acked_frames(sk);
4243
3cb123d1
GP		 4244 if (rx_control & L2CAP_CTRL_POLL)
4245 pi->conn_state |= L2CAP_CONN_SEND_FBIT;
4246
99b0d4b7
GP		 4247 if (!(pi->conn_state & L2CAP_CONN_SREJ_SENT)) {
4248 del_timer(&pi->retrans_timer);
a2e12a2a
GP		 4249 if (rx_control & L2CAP_CTRL_POLL)
4250 l2cap_send_rr_or_rnr(pi, L2CAP_CTRL_FINAL);
99b0d4b7 4251 return;
e072745f 4252 }
99b0d4b7
GP		 4253
4254 if (rx_control & L2CAP_CTRL_POLL)
4255 l2cap_send_srejtail(sk);
4256 else
4257 l2cap_send_sframe(pi, L2CAP_SUPER_RCV_READY);
e072745f
GP		 4258}
4259
4260static inline int l2cap_data_channel_sframe(struct sock *sk, u16 rx_control, struct sk_buff *skb)
4261{
4262 BT_DBG("sk %p rx_control 0x%4.4x len %d", sk, rx_control, skb->len);
4263
9b16dc65
GP		 4264 if (L2CAP_CTRL_FINAL & rx_control &&
4265 l2cap_pi(sk)->conn_state & L2CAP_CONN_WAIT_F) {
e072745f
GP		 4266 del_timer(&l2cap_pi(sk)->monitor_timer);
4267 if (l2cap_pi(sk)->unacked_frames > 0)
4268 __mod_retrans_timer();
4269 l2cap_pi(sk)->conn_state &= ~L2CAP_CONN_WAIT_F;
4270 }
4271
4272 switch (rx_control & L2CAP_CTRL_SUPERVISE) {
4273 case L2CAP_SUPER_RCV_READY:
4274 l2cap_data_channel_rrframe(sk, rx_control);
8f17154f
GP		 4275 break;
4276
e072745f
GP		 4277 case L2CAP_SUPER_REJECT:
4278 l2cap_data_channel_rejframe(sk, rx_control);
4279 break;
2246b2f1 4280
e072745f
GP		 4281 case L2CAP_SUPER_SELECT_REJECT:
4282 l2cap_data_channel_srejframe(sk, rx_control);
4283 break;
4284
4285 case L2CAP_SUPER_RCV_NOT_READY:
4286 l2cap_data_channel_rnrframe(sk, rx_control);
1c2acffb
GP		 4287 break;
4288 }
4289
faaebd19 4290 kfree_skb(skb);
1c2acffb
GP		 4291 return 0;
4292}
4293
218bb9df
GP		 4294static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb)
4295{
4296 struct l2cap_pinfo *pi = l2cap_pi(sk);
4297 u16 control;
4298 u8 req_seq;
4299 int len, next_tx_seq_offset, req_seq_offset;
4300
4301 control = get_unaligned_le16(skb->data);
4302 skb_pull(skb, 2);
4303 len = skb->len;
4304
4305 /*
4306 * We can just drop the corrupted I-frame here.
4307 * Receiver will miss it and start proper recovery
4308 * procedures and ask retransmission.
4309 */
4310 if (l2cap_check_fcs(pi, skb))
4311 goto drop;
4312
4313 if (__is_sar_start(control) && __is_iframe(control))
4314 len -= 2;
4315
4316 if (pi->fcs == L2CAP_FCS_CRC16)
4317 len -= 2;
4318
4319 if (len > pi->mps) {
4320 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
4321 goto drop;
4322 }
4323
4324 req_seq = __get_reqseq(control);
4325 req_seq_offset = (req_seq - pi->expected_ack_seq) % 64;
4326 if (req_seq_offset < 0)
4327 req_seq_offset += 64;
4328
4329 next_tx_seq_offset =
4330 (pi->next_tx_seq - pi->expected_ack_seq) % 64;
4331 if (next_tx_seq_offset < 0)
4332 next_tx_seq_offset += 64;
4333
4334 /* check for invalid req-seq */
4335 if (req_seq_offset > next_tx_seq_offset) {
4336 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
4337 goto drop;
4338 }
4339
4340 if (__is_iframe(control)) {
4341 if (len < 0) {
4342 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
4343 goto drop;
4344 }
4345
4346 l2cap_data_channel_iframe(sk, control, skb);
4347 } else {
4348 if (len != 0) {
4349 BT_ERR("%d", len);
4350 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
4351 goto drop;
4352 }
4353
4354 l2cap_data_channel_sframe(sk, control, skb);
4355 }
4356
4357 return 0;
4358
4359drop:
4360 kfree_skb(skb);
4361 return 0;
4362}
4363
1da177e4
LT		 4364static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
4365{
4366 struct sock *sk;
6840ed07 4367 struct l2cap_pinfo *pi;
51893f88 4368 u16 control;
218bb9df
GP		 4369 u8 tx_seq;
4370 int len;
1da177e4
LT		 4371
4372 sk = l2cap_get_chan_by_scid(&conn->chan_list, cid);
4373 if (!sk) {
4374 BT_DBG("unknown cid 0x%4.4x", cid);
4375 goto drop;
4376 }
4377
6840ed07
GP		 4378 pi = l2cap_pi(sk);
4379
1da177e4
LT		 4380 BT_DBG("sk %p, len %d", sk, skb->len);
4381
4382 if (sk->sk_state != BT_CONNECTED)
4383 goto drop;
4384
6840ed07 4385 switch (pi->mode) {
1c2acffb
GP		 4386 case L2CAP_MODE_BASIC:
4387 /* If socket recv buffers overflows we drop data here
4388 * which is *bad* because L2CAP has to be reliable.
4389 * But we don't have any other choice. L2CAP doesn't
4390 * provide flow control mechanism. */
1da177e4 4391
6840ed07 4392 if (pi->imtu < skb->len)
1c2acffb 4393 goto drop;
1da177e4 4394
1c2acffb
GP		 4395 if (!sock_queue_rcv_skb(sk, skb))
4396 goto done;
4397 break;
4398
4399 case L2CAP_MODE_ERTM:
218bb9df
GP		 4400 if (!sock_owned_by_user(sk)) {
4401 l2cap_ertm_data_rcv(sk, skb);
277ffbe3 4402 } else {
218bb9df 4403 if (sk_add_backlog(sk, skb))
277ffbe3 4404 goto drop;
277ffbe3 4405 }
1c2acffb 4406
fcafde2e 4407 goto done;
1c2acffb 4408
6840ed07
GP		 4409 case L2CAP_MODE_STREAMING:
4410 control = get_unaligned_le16(skb->data);
4411 skb_pull(skb, 2);
4412 len = skb->len;
4413
26000089
GP		 4414 if (l2cap_check_fcs(pi, skb))
4415 goto drop;
4416
6840ed07
GP		 4417 if (__is_sar_start(control))
4418 len -= 2;
4419
fcc203c3
GP		 4420 if (pi->fcs == L2CAP_FCS_CRC16)
4421 len -= 2;
4422
51893f88 4423 if (len > pi->mps || len < 0 || __is_sframe(control))
6840ed07
GP		 4424 goto drop;
4425
4426 tx_seq = __get_txseq(control);
4427
4428 if (pi->expected_tx_seq == tx_seq)
4429 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
4430 else
7dffe421 4431 pi->expected_tx_seq = (tx_seq + 1) % 64;
6840ed07 4432
18778a63 4433 l2cap_streaming_reassembly_sdu(sk, skb, control);
6840ed07
GP		 4434
4435 goto done;
4436
1c2acffb 4437 default:
e8235c6b 4438 BT_DBG("sk %p: bad mode 0x%2.2x", sk, pi->mode);
1c2acffb
GP		 4439 break;
4440 }
1da177e4
LT		 4441
4442drop:
4443 kfree_skb(skb);
4444
4445done:
0139418c
MH		 4446 if (sk)
4447 bh_unlock_sock(sk);
4448
1da177e4
LT		 4449 return 0;
4450}
4451
8e036fc3 4452static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
1da177e4
LT		 4453{
4454 struct sock *sk;
4455
4456 sk = l2cap_get_sock_by_psm(0, psm, conn->src);
4457 if (!sk)
4458 goto drop;
4459
e0f0cb56
GP		 4460 bh_lock_sock(sk);
4461
1da177e4
LT		 4462 BT_DBG("sk %p, len %d", sk, skb->len);
4463
4464 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_CONNECTED)
4465 goto drop;
4466
4467 if (l2cap_pi(sk)->imtu < skb->len)
4468 goto drop;
4469
4470 if (!sock_queue_rcv_skb(sk, skb))
4471 goto done;
4472
4473drop:
4474 kfree_skb(skb);
4475
4476done:
af05b30b
GP		 4477 if (sk)
4478 bh_unlock_sock(sk);
1da177e4
LT		 4479 return 0;
4480}
4481
4482static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
4483{
4484 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 4485 u16 cid, len;
4486 __le16 psm;
1da177e4
LT		 4487
4488 skb_pull(skb, L2CAP_HDR_SIZE);
4489 cid = __le16_to_cpu(lh->cid);
4490 len = __le16_to_cpu(lh->len);
4491
1c2acffb
GP		 4492 if (len != skb->len) {
4493 kfree_skb(skb);
4494 return;
4495 }
4496
1da177e4
LT		 4497 BT_DBG("len %d, cid 0x%4.4x", len, cid);
4498
4499 switch (cid) {
8db4dc46 4500 case L2CAP_CID_SIGNALING:
1da177e4
LT		 4501 l2cap_sig_channel(conn, skb);
4502 break;
4503
8db4dc46 4504 case L2CAP_CID_CONN_LESS:
1b7bf4ed 4505 psm = get_unaligned_le16(skb->data);
1da177e4
LT		 4506 skb_pull(skb, 2);
4507 l2cap_conless_channel(conn, psm, skb);
4508 break;
4509
4510 default:
4511 l2cap_data_channel(conn, cid, skb);
4512 break;
4513 }
4514}
4515
4516/* ---- L2CAP interface with lower layer (HCI) ---- */
4517
4518static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
4519{
4520 int exact = 0, lm1 = 0, lm2 = 0;
4521 register struct sock *sk;
4522 struct hlist_node *node;
4523
4524 if (type != ACL_LINK)
963cf687 4525 return -EINVAL;
1da177e4
LT		 4526
4527 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
4528
4529 /* Find listening sockets and check their link_mode */
4530 read_lock(&l2cap_sk_list.lock);
4531 sk_for_each(sk, node, &l2cap_sk_list.head) {
4532 if (sk->sk_state != BT_LISTEN)
4533 continue;
4534
4535 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5
MH		 4536 lm1 |= HCI_LM_ACCEPT;
4537 if (l2cap_pi(sk)->role_switch)
4538 lm1 |= HCI_LM_MASTER;
1da177e4 4539 exact++;
2af6b9d5
MH		 4540 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
4541 lm2 |= HCI_LM_ACCEPT;
4542 if (l2cap_pi(sk)->role_switch)
4543 lm2 |= HCI_LM_MASTER;
4544 }
1da177e4
LT		 4545 }
4546 read_unlock(&l2cap_sk_list.lock);
4547
4548 return exact ? lm1 : lm2;
4549}
4550
4551static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
4552{
0139418c
MH		 4553 struct l2cap_conn *conn;
4554
1da177e4
LT		 4555 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
4556
4557 if (hcon->type != ACL_LINK)
963cf687 4558 return -EINVAL;
1da177e4
LT		 4559
4560 if (!status) {
1da177e4
LT		 4561 conn = l2cap_conn_add(hcon, status);
4562 if (conn)
4563 l2cap_conn_ready(conn);
0139418c 4564 } else
1da177e4
LT		 4565 l2cap_conn_del(hcon, bt_err(status));
4566
4567 return 0;
4568}
4569
2950f21a
MH		 4570static int l2cap_disconn_ind(struct hci_conn *hcon)
4571{
4572 struct l2cap_conn *conn = hcon->l2cap_data;
4573
4574 BT_DBG("hcon %p", hcon);
4575
4576 if (hcon->type != ACL_LINK || !conn)
4577 return 0x13;
4578
4579 return conn->disc_reason;
4580}
4581
4582static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 4583{
4584 BT_DBG("hcon %p reason %d", hcon, reason);
4585
4586 if (hcon->type != ACL_LINK)
963cf687 4587 return -EINVAL;
1da177e4
LT		 4588
4589 l2cap_conn_del(hcon, bt_err(reason));
0139418c 4590
1da177e4
LT		 4591 return 0;
4592}
4593
f62e4323
MH		 4594static inline void l2cap_check_encryption(struct sock *sk, u8 encrypt)
4595{
bd3c9e25 4596 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM)
255c7601
MH		 4597 return;
4598
f62e4323
MH		 4599 if (encrypt == 0x00) {
4600 if (l2cap_pi(sk)->sec_level == BT_SECURITY_MEDIUM) {
4601 l2cap_sock_clear_timer(sk);
4602 l2cap_sock_set_timer(sk, HZ * 5);
4603 } else if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
4604 __l2cap_sock_close(sk, ECONNREFUSED);
4605 } else {
4606 if (l2cap_pi(sk)->sec_level == BT_SECURITY_MEDIUM)
4607 l2cap_sock_clear_timer(sk);
4608 }
4609}
4610
8c1b2355 4611static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4
LT		 4612{
4613 struct l2cap_chan_list *l;
0139418c 4614 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4 4615 struct sock *sk;
1da177e4 4616
0139418c 4617 if (!conn)
1da177e4 4618 return 0;
0139418c 4619
1da177e4
LT		 4620 l = &conn->chan_list;
4621
4622 BT_DBG("conn %p", conn);
4623
4624 read_lock(&l->lock);
4625
4626 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
4627 bh_lock_sock(sk);
4628
6a8d3010
MH		 4629 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_CONNECT_PEND) {
4630 bh_unlock_sock(sk);
4631 continue;
4632 }
4633
f62e4323 4634 if (!status && (sk->sk_state == BT_CONNECTED ||
8c1b2355 4635 sk->sk_state == BT_CONFIG)) {
f62e4323 4636 l2cap_check_encryption(sk, encrypt);
9719f8af
MH		 4637 bh_unlock_sock(sk);
4638 continue;
4639 }
4640
b1235d79
MH		 4641 if (sk->sk_state == BT_CONNECT) {
4642 if (!status) {
4643 struct l2cap_conn_req req;
4644 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
4645 req.psm = l2cap_pi(sk)->psm;
1da177e4 4646
b1235d79 4647 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
e501d055 4648 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
1da177e4 4649
b1235d79
MH		 4650 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
4651 L2CAP_CONN_REQ, sizeof(req), &req);
4652 } else {
4653 l2cap_sock_clear_timer(sk);
4654 l2cap_sock_set_timer(sk, HZ / 10);
4655 }
4656 } else if (sk->sk_state == BT_CONNECT2) {
4657 struct l2cap_conn_rsp rsp;
4658 __u16 result;
1da177e4 4659
b1235d79
MH		 4660 if (!status) {
4661 sk->sk_state = BT_CONFIG;
4662 result = L2CAP_CR_SUCCESS;
4663 } else {
4664 sk->sk_state = BT_DISCONN;
4665 l2cap_sock_set_timer(sk, HZ / 10);
4666 result = L2CAP_CR_SEC_BLOCK;
4667 }
4668
4669 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
4670 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
4671 rsp.result = cpu_to_le16(result);
e7c29cb1 4672 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
b1235d79
MH		 4673 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
4674 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
4675 }
1da177e4
LT		 4676
4677 bh_unlock_sock(sk);
4678 }
4679
4680 read_unlock(&l->lock);
b1235d79 4681
1da177e4
LT		 4682 return 0;
4683}
4684
4685static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
4686{
4687 struct l2cap_conn *conn = hcon->l2cap_data;
4688
4689 if (!conn && !(conn = l2cap_conn_add(hcon, 0)))
4690 goto drop;
4691
4692 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
4693
4694 if (flags & ACL_START) {
4695 struct l2cap_hdr *hdr;
89794813
AE		 4696 struct sock *sk;
4697 u16 cid;
1da177e4
LT		 4698 int len;
4699
4700 if (conn->rx_len) {
4701 BT_ERR("Unexpected start frame (len %d)", skb->len);
4702 kfree_skb(conn->rx_skb);
4703 conn->rx_skb = NULL;
4704 conn->rx_len = 0;
4705 l2cap_conn_unreliable(conn, ECOMM);
4706 }
4707
aae7fe22
AE		 4708 /* Start fragment always begin with Basic L2CAP header */
4709 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 4710 BT_ERR("Frame is too short (len %d)", skb->len);
4711 l2cap_conn_unreliable(conn, ECOMM);
4712 goto drop;
4713 }
4714
4715 hdr = (struct l2cap_hdr *) skb->data;
4716 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
89794813 4717 cid = __le16_to_cpu(hdr->cid);
1da177e4
LT		 4718
4719 if (len == skb->len) {
4720 /* Complete frame received */
4721 l2cap_recv_frame(conn, skb);
4722 return 0;
4723 }
4724
4725 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
4726
4727 if (skb->len > len) {
4728 BT_ERR("Frame is too long (len %d, expected len %d)",
4729 skb->len, len);
4730 l2cap_conn_unreliable(conn, ECOMM);
4731 goto drop;
4732 }
4733
89794813
AE		 4734 sk = l2cap_get_chan_by_scid(&conn->chan_list, cid);
4735
4736 if (sk && l2cap_pi(sk)->imtu < len - L2CAP_HDR_SIZE) {
4737 BT_ERR("Frame exceeding recv MTU (len %d, MTU %d)",
4738 len, l2cap_pi(sk)->imtu);
4739 bh_unlock_sock(sk);
4740 l2cap_conn_unreliable(conn, ECOMM);
4741 goto drop;
4742 }
4743
4744 if (sk)
4745 bh_unlock_sock(sk);
4746
1da177e4 4747 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 4748 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
4749 if (!conn->rx_skb)
1da177e4
LT		 4750 goto drop;
4751
d626f62b 4752 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4753 skb->len);
1da177e4
LT		 4754 conn->rx_len = len - skb->len;
4755 } else {
4756 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
4757
4758 if (!conn->rx_len) {
4759 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
4760 l2cap_conn_unreliable(conn, ECOMM);
4761 goto drop;
4762 }
4763
4764 if (skb->len > conn->rx_len) {
4765 BT_ERR("Fragment is too long (len %d, expected %d)",
4766 skb->len, conn->rx_len);
4767 kfree_skb(conn->rx_skb);
4768 conn->rx_skb = NULL;
4769 conn->rx_len = 0;
4770 l2cap_conn_unreliable(conn, ECOMM);
4771 goto drop;
4772 }
4773
d626f62b 4774 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4775 skb->len);
1da177e4
LT		 4776 conn->rx_len -= skb->len;
4777
4778 if (!conn->rx_len) {
4779 /* Complete frame received */
4780 l2cap_recv_frame(conn, conn->rx_skb);
4781 conn->rx_skb = NULL;
4782 }
4783 }
4784
4785drop:
4786 kfree_skb(skb);
4787 return 0;
4788}
4789
aef7d97c 4790static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4
LT		 4791{
4792 struct sock *sk;
4793 struct hlist_node *node;
1da177e4
LT		 4794
4795 read_lock_bh(&l2cap_sk_list.lock);
4796
be9d1227
MH		 4797 sk_for_each(sk, node, &l2cap_sk_list.head) {
4798 struct l2cap_pinfo *pi = l2cap_pi(sk);
101545f6 4799
aef7d97c
MH		 4800 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d\n",
4801 batostr(&bt_sk(sk)->src),
4802 batostr(&bt_sk(sk)->dst),
4803 sk->sk_state, __le16_to_cpu(pi->psm),
4804 pi->scid, pi->dcid,
4805 pi->imtu, pi->omtu, pi->sec_level);
be9d1227 4806 }
1da177e4 4807
1da177e4 4808 read_unlock_bh(&l2cap_sk_list.lock);
1da177e4 4809
aef7d97c 4810 return 0;
1da177e4
LT		 4811}
4812
aef7d97c
MH		 4813static int l2cap_debugfs_open(struct inode *inode, struct file *file)
4814{
4815 return single_open(file, l2cap_debugfs_show, inode->i_private);
4816}
4817
4818static const struct file_operations l2cap_debugfs_fops = {
4819 .open = l2cap_debugfs_open,
4820 .read = seq_read,
4821 .llseek = seq_lseek,
4822 .release = single_release,
4823};
4824
4825static struct dentry *l2cap_debugfs;
1da177e4 4826
90ddc4f0 4827static const struct proto_ops l2cap_sock_ops = {
1da177e4
LT		 4828 .family = PF_BLUETOOTH,
4829 .owner = THIS_MODULE,
4830 .release = l2cap_sock_release,
4831 .bind = l2cap_sock_bind,
4832 .connect = l2cap_sock_connect,
4833 .listen = l2cap_sock_listen,
4834 .accept = l2cap_sock_accept,
4835 .getname = l2cap_sock_getname,
4836 .sendmsg = l2cap_sock_sendmsg,
f66dc81f 4837 .recvmsg = l2cap_sock_recvmsg,
1da177e4 4838 .poll = bt_sock_poll,
3241ad82 4839 .ioctl = bt_sock_ioctl,
1da177e4
LT		 4840 .mmap = sock_no_mmap,
4841 .socketpair = sock_no_socketpair,
1da177e4
LT		 4842 .shutdown = l2cap_sock_shutdown,
4843 .setsockopt = l2cap_sock_setsockopt,
4844 .getsockopt = l2cap_sock_getsockopt
4845};
4846
ec1b4cf7 4847static const struct net_proto_family l2cap_sock_family_ops = {
1da177e4
LT		 4848 .family = PF_BLUETOOTH,
4849 .owner = THIS_MODULE,
4850 .create = l2cap_sock_create,
4851};
4852
4853static struct hci_proto l2cap_hci_proto = {
4854 .name = "L2CAP",
4855 .id = HCI_PROTO_L2CAP,
4856 .connect_ind = l2cap_connect_ind,
4857 .connect_cfm = l2cap_connect_cfm,
4858 .disconn_ind = l2cap_disconn_ind,
2950f21a 4859 .disconn_cfm = l2cap_disconn_cfm,
8c1b2355 4860 .security_cfm = l2cap_security_cfm,
1da177e4
LT		 4861 .recv_acldata = l2cap_recv_acldata
4862};
4863
4864static int __init l2cap_init(void)
4865{
4866 int err;
be9d1227 4867
1da177e4
LT		 4868 err = proto_register(&l2cap_proto, 0);
4869 if (err < 0)
4870 return err;
4871
1890d36b 4872 _busy_wq = create_singlethread_workqueue("l2cap");
b78d7b4f
AL		 4873 if (!_busy_wq) {
4874 proto_unregister(&l2cap_proto);
4875 return -ENOMEM;
4876 }
1890d36b 4877
1da177e4
LT		 4878 err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
4879 if (err < 0) {
4880 BT_ERR("L2CAP socket registration failed");
4881 goto error;
4882 }
4883
4884 err = hci_register_proto(&l2cap_hci_proto);
4885 if (err < 0) {
4886 BT_ERR("L2CAP protocol registration failed");
4887 bt_sock_unregister(BTPROTO_L2CAP);
4888 goto error;
4889 }
4890
aef7d97c
MH		 4891 if (bt_debugfs) {
4892 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
4893 bt_debugfs, NULL, &l2cap_debugfs_fops);
4894 if (!l2cap_debugfs)
4895 BT_ERR("Failed to create L2CAP debug file");
4896 }
1da177e4
LT		 4897
4898 BT_INFO("L2CAP ver %s", VERSION);
4899 BT_INFO("L2CAP socket layer initialized");
4900
4901 return 0;
4902
4903error:
b78d7b4f 4904 destroy_workqueue(_busy_wq);
1da177e4
LT		 4905 proto_unregister(&l2cap_proto);
4906 return err;
4907}
4908
4909static void __exit l2cap_exit(void)
4910{
aef7d97c 4911 debugfs_remove(l2cap_debugfs);
1da177e4 4912
1890d36b
GP		 4913 flush_workqueue(_busy_wq);
4914 destroy_workqueue(_busy_wq);
4915
1da177e4
LT		 4916 if (bt_sock_unregister(BTPROTO_L2CAP) < 0)
4917 BT_ERR("L2CAP socket unregistration failed");
4918
4919 if (hci_unregister_proto(&l2cap_hci_proto) < 0)
4920 BT_ERR("L2CAP protocol unregistration failed");
4921
4922 proto_unregister(&l2cap_proto);
4923}
4924
4925void l2cap_load(void)
4926{
4927 /* Dummy function to trigger automatic L2CAP module loading by
4928 * other modules that use L2CAP sockets but don't use any other
4929 * symbols from it. */
1da177e4
LT		 4930}
4931EXPORT_SYMBOL(l2cap_load);
4932
4933module_init(l2cap_init);
4934module_exit(l2cap_exit);
4935
d1c4a17d
GP		 4936module_param(disable_ertm, bool, 0644);
4937MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
44dd46de 4938
63fbd24e 4939MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
1da177e4
LT		 4940MODULE_DESCRIPTION("Bluetooth L2CAP ver " VERSION);
4941MODULE_VERSION(VERSION);
4942MODULE_LICENSE("GPL");
4943MODULE_ALIAS("bt-proto-0");
kernel source for telekom puls (alcatel/mediatek)