projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Add backlog queue to ERTM code
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4
5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License version 2 as
9 published by the Free Software Foundation;
10
11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19
8e87d142
YH		 20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 22 SOFTWARE IS DISCLAIMED.
23*/
24
25/* Bluetooth L2CAP core and sockets. */
26
1da177e4
LT		 27#include <linux/module.h>
28
29#include <linux/types.h>
4fc268d2 30#include <linux/capability.h>
1da177e4
LT		 31#include <linux/errno.h>
32#include <linux/kernel.h>
1da177e4
LT		 33#include <linux/sched.h>
34#include <linux/slab.h>
35#include <linux/poll.h>
36#include <linux/fcntl.h>
37#include <linux/init.h>
38#include <linux/interrupt.h>
39#include <linux/socket.h>
40#include <linux/skbuff.h>
1da177e4 41#include <linux/list.h>
be9d1227 42#include <linux/device.h>
aef7d97c
MH		 43#include <linux/debugfs.h>
44#include <linux/seq_file.h>
af05b30b 45#include <linux/uaccess.h>
fcc203c3 46#include <linux/crc16.h>
1da177e4
LT		 47#include <net/sock.h>
48
49#include <asm/system.h>
1da177e4
LT		 50#include <asm/unaligned.h>
51
52#include <net/bluetooth/bluetooth.h>
53#include <net/bluetooth/hci_core.h>
54#include <net/bluetooth/l2cap.h>
55
44dd46de
MH		 56#define VERSION "2.14"
57
58static int enable_ertm = 0;
f0709e03 59
47ec1dcd 60static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
e1027a7c 61static u8 l2cap_fixed_chan[8] = { 0x02, };
1da177e4 62
90ddc4f0 63static const struct proto_ops l2cap_sock_ops;
1da177e4 64
1890d36b
GP		 65static struct workqueue_struct *_busy_wq;
66
1da177e4 67static struct bt_sock_list l2cap_sk_list = {
d5fb2962 68 .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
1da177e4
LT		 69};
70
1890d36b
GP		 71static void l2cap_busy_work(struct work_struct *work);
72
1da177e4
LT		 73static void __l2cap_sock_close(struct sock *sk, int reason);
74static void l2cap_sock_close(struct sock *sk);
75static void l2cap_sock_kill(struct sock *sk);
76
77static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
78 u8 code, u8 ident, u16 dlen, void *data);
79
218bb9df
GP		 80static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb);
81
1da177e4
LT		 82/* ---- L2CAP timers ---- */
83static void l2cap_sock_timeout(unsigned long arg)
84{
85 struct sock *sk = (struct sock *) arg;
b1235d79 86 int reason;
1da177e4
LT		 87
88 BT_DBG("sock %p state %d", sk, sk->sk_state);
89
90 bh_lock_sock(sk);
b1235d79 91
f62e4323
MH		 92 if (sk->sk_state == BT_CONNECTED || sk->sk_state == BT_CONFIG)
93 reason = ECONNREFUSED;
94 else if (sk->sk_state == BT_CONNECT &&
2af6b9d5 95 l2cap_pi(sk)->sec_level != BT_SECURITY_SDP)
b1235d79
MH		 96 reason = ECONNREFUSED;
97 else
98 reason = ETIMEDOUT;
99
100 __l2cap_sock_close(sk, reason);
101
1da177e4
LT		 102 bh_unlock_sock(sk);
103
104 l2cap_sock_kill(sk);
105 sock_put(sk);
106}
107
108static void l2cap_sock_set_timer(struct sock *sk, long timeout)
109{
110 BT_DBG("sk %p state %d timeout %ld", sk, sk->sk_state, timeout);
111 sk_reset_timer(sk, &sk->sk_timer, jiffies + timeout);
112}
113
114static void l2cap_sock_clear_timer(struct sock *sk)
115{
116 BT_DBG("sock %p state %d", sk, sk->sk_state);
117 sk_stop_timer(sk, &sk->sk_timer);
118}
119
0139418c
MH		 120/* ---- L2CAP channels ---- */
121static struct sock *__l2cap_get_chan_by_dcid(struct l2cap_chan_list *l, u16 cid)
122{
123 struct sock *s;
124 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
125 if (l2cap_pi(s)->dcid == cid)
126 break;
127 }
128 return s;
129}
130
131static struct sock *__l2cap_get_chan_by_scid(struct l2cap_chan_list *l, u16 cid)
132{
133 struct sock *s;
134 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
135 if (l2cap_pi(s)->scid == cid)
136 break;
137 }
138 return s;
139}
140
141/* Find channel with given SCID.
142 * Returns locked socket */
143static inline struct sock *l2cap_get_chan_by_scid(struct l2cap_chan_list *l, u16 cid)
144{
145 struct sock *s;
146 read_lock(&l->lock);
147 s = __l2cap_get_chan_by_scid(l, cid);
af05b30b
GP		 148 if (s)
149 bh_lock_sock(s);
0139418c
MH		 150 read_unlock(&l->lock);
151 return s;
152}
153
154static struct sock *__l2cap_get_chan_by_ident(struct l2cap_chan_list *l, u8 ident)
155{
156 struct sock *s;
157 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
158 if (l2cap_pi(s)->ident == ident)
159 break;
160 }
161 return s;
162}
163
164static inline struct sock *l2cap_get_chan_by_ident(struct l2cap_chan_list *l, u8 ident)
165{
166 struct sock *s;
167 read_lock(&l->lock);
168 s = __l2cap_get_chan_by_ident(l, ident);
af05b30b
GP		 169 if (s)
170 bh_lock_sock(s);
0139418c
MH		 171 read_unlock(&l->lock);
172 return s;
173}
174
175static u16 l2cap_alloc_cid(struct l2cap_chan_list *l)
176{
8db4dc46 177 u16 cid = L2CAP_CID_DYN_START;
0139418c 178
8db4dc46 179 for (; cid < L2CAP_CID_DYN_END; cid++) {
af05b30b 180 if (!__l2cap_get_chan_by_scid(l, cid))
0139418c
MH		 181 return cid;
182 }
183
184 return 0;
185}
186
187static inline void __l2cap_chan_link(struct l2cap_chan_list *l, struct sock *sk)
188{
189 sock_hold(sk);
190
191 if (l->head)
192 l2cap_pi(l->head)->prev_c = sk;
193
194 l2cap_pi(sk)->next_c = l->head;
195 l2cap_pi(sk)->prev_c = NULL;
196 l->head = sk;
197}
198
199static inline void l2cap_chan_unlink(struct l2cap_chan_list *l, struct sock *sk)
200{
201 struct sock *next = l2cap_pi(sk)->next_c, *prev = l2cap_pi(sk)->prev_c;
202
fd1278d7 203 write_lock_bh(&l->lock);
0139418c
MH		 204 if (sk == l->head)
205 l->head = next;
206
207 if (next)
208 l2cap_pi(next)->prev_c = prev;
209 if (prev)
210 l2cap_pi(prev)->next_c = next;
fd1278d7 211 write_unlock_bh(&l->lock);
0139418c
MH		 212
213 __sock_put(sk);
214}
215
216static void __l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent)
217{
218 struct l2cap_chan_list *l = &conn->chan_list;
219
af05b30b
GP		 220 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
221 l2cap_pi(sk)->psm, l2cap_pi(sk)->dcid);
0139418c 222
2950f21a
MH		 223 conn->disc_reason = 0x13;
224
0139418c
MH		 225 l2cap_pi(sk)->conn = conn;
226
bd3c9e25 227 if (sk->sk_type == SOCK_SEQPACKET || sk->sk_type == SOCK_STREAM) {
0139418c
MH		 228 /* Alloc CID for connection-oriented socket */
229 l2cap_pi(sk)->scid = l2cap_alloc_cid(l);
230 } else if (sk->sk_type == SOCK_DGRAM) {
231 /* Connectionless socket */
8db4dc46
GP		 232 l2cap_pi(sk)->scid = L2CAP_CID_CONN_LESS;
233 l2cap_pi(sk)->dcid = L2CAP_CID_CONN_LESS;
0139418c
MH		 234 l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU;
235 } else {
236 /* Raw socket can send/recv signalling messages only */
8db4dc46
GP		 237 l2cap_pi(sk)->scid = L2CAP_CID_SIGNALING;
238 l2cap_pi(sk)->dcid = L2CAP_CID_SIGNALING;
0139418c
MH		 239 l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU;
240 }
241
242 __l2cap_chan_link(l, sk);
243
244 if (parent)
245 bt_accept_enqueue(parent, sk);
246}
247
8e87d142 248/* Delete channel.
0139418c
MH		 249 * Must be called on the locked socket. */
250static void l2cap_chan_del(struct sock *sk, int err)
251{
252 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
253 struct sock *parent = bt_sk(sk)->parent;
254
255 l2cap_sock_clear_timer(sk);
256
257 BT_DBG("sk %p, conn %p, err %d", sk, conn, err);
258
8e87d142 259 if (conn) {
0139418c
MH		 260 /* Unlink from channel list */
261 l2cap_chan_unlink(&conn->chan_list, sk);
262 l2cap_pi(sk)->conn = NULL;
263 hci_conn_put(conn->hcon);
264 }
265
b1235d79 266 sk->sk_state = BT_CLOSED;
0139418c
MH		 267 sock_set_flag(sk, SOCK_ZAPPED);
268
269 if (err)
270 sk->sk_err = err;
271
272 if (parent) {
273 bt_accept_unlink(sk);
274 parent->sk_data_ready(parent, 0);
275 } else
276 sk->sk_state_change(sk);
c13ffa62
GP		 277
278 skb_queue_purge(TX_QUEUE(sk));
279
280 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM) {
281 struct srej_list *l, *tmp;
282
283 del_timer(&l2cap_pi(sk)->retrans_timer);
284 del_timer(&l2cap_pi(sk)->monitor_timer);
285 del_timer(&l2cap_pi(sk)->ack_timer);
286
287 skb_queue_purge(SREJ_QUEUE(sk));
288 skb_queue_purge(BUSY_QUEUE(sk));
289
290 list_for_each_entry_safe(l, tmp, SREJ_LIST(sk), list) {
291 list_del(&l->list);
292 kfree(l);
293 }
294 }
0139418c
MH		 295}
296
79d554a6 297/* Service level security */
2af6b9d5 298static inline int l2cap_check_security(struct sock *sk)
79d554a6
MH		 299{
300 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
0684e5f9
MH		 301 __u8 auth_type;
302
00ae4af9
MH		 303 if (l2cap_pi(sk)->psm == cpu_to_le16(0x0001)) {
304 if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
305 auth_type = HCI_AT_NO_BONDING_MITM;
306 else
af05b30b 307 auth_type = HCI_AT_NO_BONDING;
00ae4af9
MH		 308
309 if (l2cap_pi(sk)->sec_level == BT_SECURITY_LOW)
310 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
311 } else {
312 switch (l2cap_pi(sk)->sec_level) {
313 case BT_SECURITY_HIGH:
314 auth_type = HCI_AT_GENERAL_BONDING_MITM;
315 break;
316 case BT_SECURITY_MEDIUM:
317 auth_type = HCI_AT_GENERAL_BONDING;
318 break;
319 default:
320 auth_type = HCI_AT_NO_BONDING;
321 break;
322 }
0684e5f9 323 }
79d554a6 324
0684e5f9
MH		 325 return hci_conn_security(conn->hcon, l2cap_pi(sk)->sec_level,
326 auth_type);
79d554a6
MH		 327}
328
4e8402a3
MH		 329static inline u8 l2cap_get_ident(struct l2cap_conn *conn)
330{
331 u8 id;
332
333 /* Get next available identificator.
334 * 1 - 128 are used by kernel.
335 * 129 - 199 are reserved.
336 * 200 - 254 are used by utilities like l2ping, etc.
337 */
338
339 spin_lock_bh(&conn->lock);
340
341 if (++conn->tx_ident > 128)
342 conn->tx_ident = 1;
343
344 id = conn->tx_ident;
345
346 spin_unlock_bh(&conn->lock);
347
348 return id;
349}
350
9a9c6a34 351static inline void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
4e8402a3
MH		 352{
353 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
354
355 BT_DBG("code 0x%2.2x", code);
356
357 if (!skb)
9a9c6a34 358 return;
4e8402a3 359
9a9c6a34 360 hci_send_acl(conn->hcon, skb, 0);
4e8402a3
MH		 361}
362
9a9c6a34 363static inline void l2cap_send_sframe(struct l2cap_pinfo *pi, u16 control)
1c2acffb
GP		 364{
365 struct sk_buff *skb;
366 struct l2cap_hdr *lh;
367 struct l2cap_conn *conn = pi->conn;
c13ffa62 368 struct sock *sk = (struct sock *)pi;
fcc203c3
GP		 369 int count, hlen = L2CAP_HDR_SIZE + 2;
370
c13ffa62
GP		 371 if (sk->sk_state != BT_CONNECTED)
372 return;
373
fcc203c3
GP		 374 if (pi->fcs == L2CAP_FCS_CRC16)
375 hlen += 2;
1c2acffb
GP		 376
377 BT_DBG("pi %p, control 0x%2.2x", pi, control);
378
fcc203c3 379 count = min_t(unsigned int, conn->mtu, hlen);
1c2acffb
GP		 380 control |= L2CAP_CTRL_FRAME_TYPE;
381
9e917af1
GP		 382 if (pi->conn_state & L2CAP_CONN_SEND_FBIT) {
383 control |= L2CAP_CTRL_FINAL;
384 pi->conn_state &= ~L2CAP_CONN_SEND_FBIT;
385 }
386
f0946ccf
GP		 387 if (pi->conn_state & L2CAP_CONN_SEND_PBIT) {
388 control |= L2CAP_CTRL_POLL;
389 pi->conn_state &= ~L2CAP_CONN_SEND_PBIT;
390 }
391
1c2acffb
GP		 392 skb = bt_skb_alloc(count, GFP_ATOMIC);
393 if (!skb)
9a9c6a34 394 return;
1c2acffb
GP		 395
396 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fcc203c3 397 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
1c2acffb
GP		 398 lh->cid = cpu_to_le16(pi->dcid);
399 put_unaligned_le16(control, skb_put(skb, 2));
400
fcc203c3
GP		 401 if (pi->fcs == L2CAP_FCS_CRC16) {
402 u16 fcs = crc16(0, (u8 *)lh, count - 2);
403 put_unaligned_le16(fcs, skb_put(skb, 2));
404 }
405
9a9c6a34 406 hci_send_acl(pi->conn->hcon, skb, 0);
1c2acffb
GP		 407}
408
9a9c6a34 409static inline void l2cap_send_rr_or_rnr(struct l2cap_pinfo *pi, u16 control)
7e743090 410{
1890d36b 411 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) {
7e743090 412 control |= L2CAP_SUPER_RCV_NOT_READY;
1890d36b
GP		 413 pi->conn_state |= L2CAP_CONN_RNR_SENT;
414 } else
7e743090
GP		 415 control |= L2CAP_SUPER_RCV_READY;
416
2ab25cdd
GP		 417 control |= pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
418
9a9c6a34 419 l2cap_send_sframe(pi, control);
7e743090
GP		 420}
421
e501d055
AE		 422static inline int __l2cap_no_conn_pending(struct sock *sk)
423{
424 return !(l2cap_pi(sk)->conf_state & L2CAP_CONF_CONNECT_PEND);
425}
426
79d554a6
MH		 427static void l2cap_do_start(struct sock *sk)
428{
429 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
430
431 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 432 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
433 return;
434
e501d055 435 if (l2cap_check_security(sk) && __l2cap_no_conn_pending(sk)) {
b1235d79
MH		 436 struct l2cap_conn_req req;
437 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
438 req.psm = l2cap_pi(sk)->psm;
79d554a6 439
b1235d79 440 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
e501d055 441 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
79d554a6 442
b1235d79 443 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
79d554a6 444 L2CAP_CONN_REQ, sizeof(req), &req);
b1235d79 445 }
79d554a6
MH		 446 } else {
447 struct l2cap_info_req req;
448 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
449
450 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
451 conn->info_ident = l2cap_get_ident(conn);
452
453 mod_timer(&conn->info_timer, jiffies +
454 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
455
456 l2cap_send_cmd(conn, conn->info_ident,
457 L2CAP_INFO_REQ, sizeof(req), &req);
458 }
459}
460
cf6c2c0b
GP		 461static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
462{
463 u32 local_feat_mask = l2cap_feat_mask;
464 if (enable_ertm)
465 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
466
467 switch (mode) {
468 case L2CAP_MODE_ERTM:
469 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
470 case L2CAP_MODE_STREAMING:
471 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
472 default:
473 return 0x00;
474 }
475}
476
9b108fc0 477static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct sock *sk, int err)
22121fc9
GP		 478{
479 struct l2cap_disconn_req req;
480
c13ffa62
GP		 481 if (!conn)
482 return;
483
484 skb_queue_purge(TX_QUEUE(sk));
485
486 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM) {
487 del_timer(&l2cap_pi(sk)->retrans_timer);
488 del_timer(&l2cap_pi(sk)->monitor_timer);
489 del_timer(&l2cap_pi(sk)->ack_timer);
490 }
491
22121fc9
GP		 492 req.dcid = cpu_to_le16(l2cap_pi(sk)->dcid);
493 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
494 l2cap_send_cmd(conn, l2cap_get_ident(conn),
495 L2CAP_DISCONN_REQ, sizeof(req), &req);
c13ffa62
GP		 496
497 sk->sk_state = BT_DISCONN;
9b108fc0 498 sk->sk_err = err;
22121fc9
GP		 499}
500
1da177e4 501/* ---- L2CAP connections ---- */
4e8402a3
MH		 502static void l2cap_conn_start(struct l2cap_conn *conn)
503{
504 struct l2cap_chan_list *l = &conn->chan_list;
cf6c2c0b 505 struct sock_del_list del, *tmp1, *tmp2;
4e8402a3
MH		 506 struct sock *sk;
507
508 BT_DBG("conn %p", conn);
509
cf6c2c0b
GP		 510 INIT_LIST_HEAD(&del.list);
511
4e8402a3
MH		 512 read_lock(&l->lock);
513
514 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
515 bh_lock_sock(sk);
516
bd3c9e25
GP		 517 if (sk->sk_type != SOCK_SEQPACKET &&
518 sk->sk_type != SOCK_STREAM) {
79d554a6
MH		 519 bh_unlock_sock(sk);
520 continue;
521 }
522
523 if (sk->sk_state == BT_CONNECT) {
e501d055
AE		 524 if (l2cap_check_security(sk) &&
525 __l2cap_no_conn_pending(sk)) {
b1235d79 526 struct l2cap_conn_req req;
cf6c2c0b
GP		 527
528 if (!l2cap_mode_supported(l2cap_pi(sk)->mode,
529 conn->feat_mask)
530 && l2cap_pi(sk)->conf_state &
531 L2CAP_CONF_STATE2_DEVICE) {
532 tmp1 = kzalloc(sizeof(struct srej_list),
533 GFP_ATOMIC);
534 tmp1->sk = sk;
535 list_add_tail(&tmp1->list, &del.list);
536 bh_unlock_sock(sk);
537 continue;
538 }
539
b1235d79
MH		 540 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
541 req.psm = l2cap_pi(sk)->psm;
79d554a6 542
b1235d79 543 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
e501d055 544 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
79d554a6 545
b1235d79 546 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
4e8402a3 547 L2CAP_CONN_REQ, sizeof(req), &req);
b1235d79 548 }
79d554a6
MH		 549 } else if (sk->sk_state == BT_CONNECT2) {
550 struct l2cap_conn_rsp rsp;
551 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
552 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
553
2af6b9d5 554 if (l2cap_check_security(sk)) {
f66dc81f
MH		 555 if (bt_sk(sk)->defer_setup) {
556 struct sock *parent = bt_sk(sk)->parent;
557 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
558 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
559 parent->sk_data_ready(parent, 0);
560
561 } else {
562 sk->sk_state = BT_CONFIG;
563 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
564 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
565 }
79d554a6
MH		 566 } else {
567 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
568 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
569 }
570
571 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
572 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
4e8402a3
MH		 573 }
574
575 bh_unlock_sock(sk);
576 }
577
578 read_unlock(&l->lock);
cf6c2c0b
GP		 579
580 list_for_each_entry_safe(tmp1, tmp2, &del.list, list) {
581 bh_lock_sock(tmp1->sk);
582 __l2cap_sock_close(tmp1->sk, ECONNRESET);
583 bh_unlock_sock(tmp1->sk);
584 list_del(&tmp1->list);
585 kfree(tmp1);
586 }
4e8402a3
MH		 587}
588
589static void l2cap_conn_ready(struct l2cap_conn *conn)
590{
79d554a6
MH		 591 struct l2cap_chan_list *l = &conn->chan_list;
592 struct sock *sk;
4e8402a3 593
79d554a6 594 BT_DBG("conn %p", conn);
4e8402a3 595
79d554a6 596 read_lock(&l->lock);
4e8402a3 597
79d554a6
MH		 598 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
599 bh_lock_sock(sk);
4e8402a3 600
bd3c9e25
GP		 601 if (sk->sk_type != SOCK_SEQPACKET &&
602 sk->sk_type != SOCK_STREAM) {
79d554a6
MH		 603 l2cap_sock_clear_timer(sk);
604 sk->sk_state = BT_CONNECTED;
605 sk->sk_state_change(sk);
606 } else if (sk->sk_state == BT_CONNECT)
607 l2cap_do_start(sk);
4e8402a3 608
79d554a6 609 bh_unlock_sock(sk);
4e8402a3 610 }
79d554a6
MH		 611
612 read_unlock(&l->lock);
4e8402a3
MH		 613}
614
615/* Notify sockets that we cannot guaranty reliability anymore */
616static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
617{
618 struct l2cap_chan_list *l = &conn->chan_list;
619 struct sock *sk;
620
621 BT_DBG("conn %p", conn);
622
623 read_lock(&l->lock);
624
625 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
2af6b9d5 626 if (l2cap_pi(sk)->force_reliable)
4e8402a3
MH		 627 sk->sk_err = err;
628 }
629
630 read_unlock(&l->lock);
631}
632
633static void l2cap_info_timeout(unsigned long arg)
634{
635 struct l2cap_conn *conn = (void *) arg;
636
984947dc 637 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 638 conn->info_ident = 0;
984947dc 639
4e8402a3
MH		 640 l2cap_conn_start(conn);
641}
642
1da177e4
LT		 643static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
644{
0139418c 645 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4 646
0139418c 647 if (conn || status)
1da177e4
LT		 648 return conn;
649
0139418c
MH		 650 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
651 if (!conn)
1da177e4 652 return NULL;
1da177e4
LT		 653
654 hcon->l2cap_data = conn;
655 conn->hcon = hcon;
656
0139418c
MH		 657 BT_DBG("hcon %p conn %p", hcon, conn);
658
1da177e4
LT		 659 conn->mtu = hcon->hdev->acl_mtu;
660 conn->src = &hcon->hdev->bdaddr;
661 conn->dst = &hcon->dst;
662
4e8402a3
MH		 663 conn->feat_mask = 0;
664
1da177e4
LT		 665 spin_lock_init(&conn->lock);
666 rwlock_init(&conn->chan_list.lock);
667
45054dc1
DY		 668 setup_timer(&conn->info_timer, l2cap_info_timeout,
669 (unsigned long) conn);
670
2950f21a
MH		 671 conn->disc_reason = 0x13;
672
1da177e4
LT		 673 return conn;
674}
675
0139418c 676static void l2cap_conn_del(struct hci_conn *hcon, int err)
1da177e4 677{
0139418c 678 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4
LT		 679 struct sock *sk;
680
0139418c
MH		 681 if (!conn)
682 return;
1da177e4
LT		 683
684 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
685
7585b97a 686 kfree_skb(conn->rx_skb);
1da177e4
LT		 687
688 /* Kill channels */
689 while ((sk = conn->chan_list.head)) {
690 bh_lock_sock(sk);
691 l2cap_chan_del(sk, err);
692 bh_unlock_sock(sk);
693 l2cap_sock_kill(sk);
694 }
695
8e8440f5
DY		 696 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
697 del_timer_sync(&conn->info_timer);
3ab22731 698
1da177e4
LT		 699 hcon->l2cap_data = NULL;
700 kfree(conn);
1da177e4
LT		 701}
702
703static inline void l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent)
704{
705 struct l2cap_chan_list *l = &conn->chan_list;
fd1278d7 706 write_lock_bh(&l->lock);
1da177e4 707 __l2cap_chan_add(conn, sk, parent);
fd1278d7 708 write_unlock_bh(&l->lock);
1da177e4
LT		 709}
710
1da177e4 711/* ---- Socket interface ---- */
8e036fc3 712static struct sock *__l2cap_get_sock_by_addr(__le16 psm, bdaddr_t *src)
1da177e4
LT		 713{
714 struct sock *sk;
715 struct hlist_node *node;
716 sk_for_each(sk, node, &l2cap_sk_list.head)
717 if (l2cap_pi(sk)->sport == psm && !bacmp(&bt_sk(sk)->src, src))
718 goto found;
719 sk = NULL;
720found:
721 return sk;
722}
723
724/* Find socket with psm and source bdaddr.
725 * Returns closest match.
726 */
8e036fc3 727static struct sock *__l2cap_get_sock_by_psm(int state, __le16 psm, bdaddr_t *src)
1da177e4
LT		 728{
729 struct sock *sk = NULL, *sk1 = NULL;
730 struct hlist_node *node;
731
732 sk_for_each(sk, node, &l2cap_sk_list.head) {
733 if (state && sk->sk_state != state)
734 continue;
735
736 if (l2cap_pi(sk)->psm == psm) {
737 /* Exact match. */
738 if (!bacmp(&bt_sk(sk)->src, src))
739 break;
740
741 /* Closest match */
742 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
743 sk1 = sk;
744 }
745 }
746 return node ? sk : sk1;
747}
748
749/* Find socket with given address (psm, src).
750 * Returns locked socket */
8e036fc3 751static inline struct sock *l2cap_get_sock_by_psm(int state, __le16 psm, bdaddr_t *src)
1da177e4
LT		 752{
753 struct sock *s;
754 read_lock(&l2cap_sk_list.lock);
755 s = __l2cap_get_sock_by_psm(state, psm, src);
af05b30b
GP		 756 if (s)
757 bh_lock_sock(s);
1da177e4
LT		 758 read_unlock(&l2cap_sk_list.lock);
759 return s;
760}
761
762static void l2cap_sock_destruct(struct sock *sk)
763{
764 BT_DBG("sk %p", sk);
765
766 skb_queue_purge(&sk->sk_receive_queue);
767 skb_queue_purge(&sk->sk_write_queue);
768}
769
770static void l2cap_sock_cleanup_listen(struct sock *parent)
771{
772 struct sock *sk;
773
774 BT_DBG("parent %p", parent);
775
776 /* Close not yet accepted channels */
777 while ((sk = bt_accept_dequeue(parent, NULL)))
778 l2cap_sock_close(sk);
779
b1235d79 780 parent->sk_state = BT_CLOSED;
1da177e4
LT		 781 sock_set_flag(parent, SOCK_ZAPPED);
782}
783
784/* Kill socket (only if zapped and orphan)
785 * Must be called on unlocked socket.
786 */
787static void l2cap_sock_kill(struct sock *sk)
788{
789 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
790 return;
791
792 BT_DBG("sk %p state %d", sk, sk->sk_state);
793
794 /* Kill poor orphan */
795 bt_sock_unlink(&l2cap_sk_list, sk);
796 sock_set_flag(sk, SOCK_DEAD);
797 sock_put(sk);
798}
799
800static void __l2cap_sock_close(struct sock *sk, int reason)
801{
802 BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
803
804 switch (sk->sk_state) {
805 case BT_LISTEN:
806 l2cap_sock_cleanup_listen(sk);
807 break;
808
809 case BT_CONNECTED:
810 case BT_CONFIG:
bd3c9e25
GP		 811 if (sk->sk_type == SOCK_SEQPACKET ||
812 sk->sk_type == SOCK_STREAM) {
1da177e4 813 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1da177e4 814
1da177e4 815 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
9b108fc0 816 l2cap_send_disconn_req(conn, sk, reason);
b1235d79 817 } else
1da177e4 818 l2cap_chan_del(sk, reason);
1da177e4
LT		 819 break;
820
f66dc81f 821 case BT_CONNECT2:
bd3c9e25
GP		 822 if (sk->sk_type == SOCK_SEQPACKET ||
823 sk->sk_type == SOCK_STREAM) {
f66dc81f
MH		 824 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
825 struct l2cap_conn_rsp rsp;
826 __u16 result;
827
828 if (bt_sk(sk)->defer_setup)
829 result = L2CAP_CR_SEC_BLOCK;
830 else
831 result = L2CAP_CR_BAD_PSM;
832
833 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
834 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
835 rsp.result = cpu_to_le16(result);
836 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
837 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
838 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
839 } else
840 l2cap_chan_del(sk, reason);
841 break;
842
1da177e4
LT		 843 case BT_CONNECT:
844 case BT_DISCONN:
845 l2cap_chan_del(sk, reason);
846 break;
847
848 default:
849 sock_set_flag(sk, SOCK_ZAPPED);
850 break;
851 }
852}
853
854/* Must be called on unlocked socket. */
855static void l2cap_sock_close(struct sock *sk)
856{
857 l2cap_sock_clear_timer(sk);
858 lock_sock(sk);
859 __l2cap_sock_close(sk, ECONNRESET);
860 release_sock(sk);
861 l2cap_sock_kill(sk);
862}
863
864static void l2cap_sock_init(struct sock *sk, struct sock *parent)
865{
866 struct l2cap_pinfo *pi = l2cap_pi(sk);
867
868 BT_DBG("sk %p", sk);
869
870 if (parent) {
871 sk->sk_type = parent->sk_type;
f66dc81f
MH		 872 bt_sk(sk)->defer_setup = bt_sk(parent)->defer_setup;
873
1da177e4
LT		 874 pi->imtu = l2cap_pi(parent)->imtu;
875 pi->omtu = l2cap_pi(parent)->omtu;
85eb53c6 876 pi->conf_state = l2cap_pi(parent)->conf_state;
c6b03cf9
MH		 877 pi->mode = l2cap_pi(parent)->mode;
878 pi->fcs = l2cap_pi(parent)->fcs;
68d7f0ce 879 pi->max_tx = l2cap_pi(parent)->max_tx;
14b5aa71 880 pi->tx_win = l2cap_pi(parent)->tx_win;
2af6b9d5
MH		 881 pi->sec_level = l2cap_pi(parent)->sec_level;
882 pi->role_switch = l2cap_pi(parent)->role_switch;
883 pi->force_reliable = l2cap_pi(parent)->force_reliable;
1da177e4
LT		 884 } else {
885 pi->imtu = L2CAP_DEFAULT_MTU;
886 pi->omtu = 0;
85eb53c6 887 if (enable_ertm && sk->sk_type == SOCK_STREAM) {
bd3c9e25 888 pi->mode = L2CAP_MODE_ERTM;
85eb53c6
GP		 889 pi->conf_state |= L2CAP_CONF_STATE2_DEVICE;
890 } else {
bd3c9e25 891 pi->mode = L2CAP_MODE_BASIC;
85eb53c6 892 }
fd059b9b 893 pi->max_tx = L2CAP_DEFAULT_MAX_TX;
c6b03cf9 894 pi->fcs = L2CAP_FCS_CRC16;
fd059b9b 895 pi->tx_win = L2CAP_DEFAULT_TX_WINDOW;
2af6b9d5
MH		 896 pi->sec_level = BT_SECURITY_LOW;
897 pi->role_switch = 0;
898 pi->force_reliable = 0;
1da177e4
LT		 899 }
900
901 /* Default config options */
5dee9e7c 902 pi->conf_len = 0;
1da177e4 903 pi->flush_to = L2CAP_DEFAULT_FLUSH_TO;
45054dc1
DY		 904 skb_queue_head_init(TX_QUEUE(sk));
905 skb_queue_head_init(SREJ_QUEUE(sk));
1890d36b 906 skb_queue_head_init(BUSY_QUEUE(sk));
45054dc1 907 INIT_LIST_HEAD(SREJ_LIST(sk));
1da177e4
LT		 908}
909
910static struct proto l2cap_proto = {
911 .name = "L2CAP",
912 .owner = THIS_MODULE,
913 .obj_size = sizeof(struct l2cap_pinfo)
914};
915
1b8d7ae4 916static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio)
1da177e4
LT		 917{
918 struct sock *sk;
919
6257ff21 920 sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto);
1da177e4
LT		 921 if (!sk)
922 return NULL;
923
924 sock_init_data(sock, sk);
925 INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
926
927 sk->sk_destruct = l2cap_sock_destruct;
4e8402a3 928 sk->sk_sndtimeo = msecs_to_jiffies(L2CAP_CONN_TIMEOUT);
1da177e4
LT		 929
930 sock_reset_flag(sk, SOCK_ZAPPED);
931
932 sk->sk_protocol = proto;
b1235d79 933 sk->sk_state = BT_OPEN;
1da177e4 934
b1235d79 935 setup_timer(&sk->sk_timer, l2cap_sock_timeout, (unsigned long) sk);
1da177e4
LT		 936
937 bt_sock_link(&l2cap_sk_list, sk);
938 return sk;
939}
940
3f378b68
EP		 941static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
942 int kern)
1da177e4
LT		 943{
944 struct sock *sk;
945
946 BT_DBG("sock %p", sock);
947
948 sock->state = SS_UNCONNECTED;
949
bd3c9e25 950 if (sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM &&
1da177e4
LT		 951 sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
952 return -ESOCKTNOSUPPORT;
953
c84b3268 954 if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
1da177e4
LT		 955 return -EPERM;
956
957 sock->ops = &l2cap_sock_ops;
958
1b8d7ae4 959 sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC);
1da177e4
LT		 960 if (!sk)
961 return -ENOMEM;
962
963 l2cap_sock_init(sk, NULL);
964 return 0;
965}
966
f29972de 967static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
1da177e4 968{
1da177e4 969 struct sock *sk = sock->sk;
f29972de
MH		 970 struct sockaddr_l2 la;
971 int len, err = 0;
1da177e4 972
f29972de 973 BT_DBG("sk %p", sk);
1da177e4
LT		 974
975 if (!addr || addr->sa_family != AF_BLUETOOTH)
976 return -EINVAL;
977
f29972de
MH		 978 memset(&la, 0, sizeof(la));
979 len = min_t(unsigned int, sizeof(la), alen);
980 memcpy(&la, addr, len);
981
2a517ca6
MH		 982 if (la.l2_cid)
983 return -EINVAL;
984
1da177e4
LT		 985 lock_sock(sk);
986
987 if (sk->sk_state != BT_OPEN) {
988 err = -EBADFD;
989 goto done;
990 }
991
b4324b5d 992 if (la.l2_psm && __le16_to_cpu(la.l2_psm) < 0x1001 &&
847641d7
MH		 993 !capable(CAP_NET_BIND_SERVICE)) {
994 err = -EACCES;
995 goto done;
996 }
8e87d142 997
1da177e4
LT		 998 write_lock_bh(&l2cap_sk_list.lock);
999
f29972de 1000 if (la.l2_psm && __l2cap_get_sock_by_addr(la.l2_psm, &la.l2_bdaddr)) {
1da177e4
LT		 1001 err = -EADDRINUSE;
1002 } else {
1003 /* Save source address */
f29972de
MH		 1004 bacpy(&bt_sk(sk)->src, &la.l2_bdaddr);
1005 l2cap_pi(sk)->psm = la.l2_psm;
1006 l2cap_pi(sk)->sport = la.l2_psm;
1da177e4 1007 sk->sk_state = BT_BOUND;
2af6b9d5 1008
b4324b5d
MH		 1009 if (__le16_to_cpu(la.l2_psm) == 0x0001 ||
1010 __le16_to_cpu(la.l2_psm) == 0x0003)
2af6b9d5 1011 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
1da177e4
LT		 1012 }
1013
1014 write_unlock_bh(&l2cap_sk_list.lock);
1015
1016done:
1017 release_sock(sk);
1018 return err;
1019}
1020
1021static int l2cap_do_connect(struct sock *sk)
1022{
1023 bdaddr_t *src = &bt_sk(sk)->src;
1024 bdaddr_t *dst = &bt_sk(sk)->dst;
1025 struct l2cap_conn *conn;
1026 struct hci_conn *hcon;
1027 struct hci_dev *hdev;
09ab6f4c 1028 __u8 auth_type;
44d0e48e 1029 int err;
1da177e4 1030
f29972de
MH		 1031 BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
1032 l2cap_pi(sk)->psm);
1da177e4 1033
af05b30b
GP		 1034 hdev = hci_get_route(dst, src);
1035 if (!hdev)
1da177e4
LT		 1036 return -EHOSTUNREACH;
1037
1038 hci_dev_lock_bh(hdev);
1039
1040 err = -ENOMEM;
1041
8c1b2355 1042 if (sk->sk_type == SOCK_RAW) {
2af6b9d5
MH		 1043 switch (l2cap_pi(sk)->sec_level) {
1044 case BT_SECURITY_HIGH:
8c1b2355 1045 auth_type = HCI_AT_DEDICATED_BONDING_MITM;
2af6b9d5
MH		 1046 break;
1047 case BT_SECURITY_MEDIUM:
8c1b2355 1048 auth_type = HCI_AT_DEDICATED_BONDING;
2af6b9d5
MH		 1049 break;
1050 default:
09ab6f4c 1051 auth_type = HCI_AT_NO_BONDING;
2af6b9d5
MH		 1052 break;
1053 }
8c1b2355 1054 } else if (l2cap_pi(sk)->psm == cpu_to_le16(0x0001)) {
2af6b9d5 1055 if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
8c1b2355 1056 auth_type = HCI_AT_NO_BONDING_MITM;
09ab6f4c 1057 else
8c1b2355 1058 auth_type = HCI_AT_NO_BONDING;
435fef20
MH		 1059
1060 if (l2cap_pi(sk)->sec_level == BT_SECURITY_LOW)
1061 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
8c1b2355 1062 } else {
2af6b9d5
MH		 1063 switch (l2cap_pi(sk)->sec_level) {
1064 case BT_SECURITY_HIGH:
8c1b2355 1065 auth_type = HCI_AT_GENERAL_BONDING_MITM;
2af6b9d5
MH		 1066 break;
1067 case BT_SECURITY_MEDIUM:
09ab6f4c 1068 auth_type = HCI_AT_GENERAL_BONDING;
2af6b9d5
MH		 1069 break;
1070 default:
8c1b2355 1071 auth_type = HCI_AT_NO_BONDING;
2af6b9d5
MH		 1072 break;
1073 }
09ab6f4c
MH		 1074 }
1075
2af6b9d5
MH		 1076 hcon = hci_connect(hdev, ACL_LINK, dst,
1077 l2cap_pi(sk)->sec_level, auth_type);
1da177e4
LT		 1078 if (!hcon)
1079 goto done;
1080
1081 conn = l2cap_conn_add(hcon, 0);
1082 if (!conn) {
1083 hci_conn_put(hcon);
1084 goto done;
1085 }
1086
1087 err = 0;
1088
1089 /* Update source addr of the socket */
1090 bacpy(src, conn->src);
1091
1092 l2cap_chan_add(conn, sk, NULL);
1093
1094 sk->sk_state = BT_CONNECT;
1095 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
1096
1097 if (hcon->state == BT_CONNECTED) {
bd3c9e25
GP		 1098 if (sk->sk_type != SOCK_SEQPACKET &&
1099 sk->sk_type != SOCK_STREAM) {
1da177e4
LT		 1100 l2cap_sock_clear_timer(sk);
1101 sk->sk_state = BT_CONNECTED;
79d554a6
MH		 1102 } else
1103 l2cap_do_start(sk);
1da177e4
LT		 1104 }
1105
1106done:
1107 hci_dev_unlock_bh(hdev);
1108 hci_dev_put(hdev);
1109 return err;
1110}
1111
1112static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags)
1113{
1da177e4 1114 struct sock *sk = sock->sk;
f29972de
MH		 1115 struct sockaddr_l2 la;
1116 int len, err = 0;
1da177e4 1117
1da177e4
LT		 1118 BT_DBG("sk %p", sk);
1119
6503d961
CG		 1120 if (!addr || alen < sizeof(addr->sa_family) ||
1121 addr->sa_family != AF_BLUETOOTH)
2a517ca6 1122 return -EINVAL;
1da177e4 1123
f29972de
MH		 1124 memset(&la, 0, sizeof(la));
1125 len = min_t(unsigned int, sizeof(la), alen);
1126 memcpy(&la, addr, len);
1127
2a517ca6
MH		 1128 if (la.l2_cid)
1129 return -EINVAL;
1130
1131 lock_sock(sk);
1132
bd3c9e25
GP		 1133 if ((sk->sk_type == SOCK_SEQPACKET || sk->sk_type == SOCK_STREAM)
1134 && !la.l2_psm) {
1da177e4
LT		 1135 err = -EINVAL;
1136 goto done;
1137 }
1138
c6b03cf9
MH		 1139 switch (l2cap_pi(sk)->mode) {
1140 case L2CAP_MODE_BASIC:
1141 break;
1142 case L2CAP_MODE_ERTM:
f2fcfcd6 1143 case L2CAP_MODE_STREAMING:
c6b03cf9
MH		 1144 if (enable_ertm)
1145 break;
1146 /* fall through */
1147 default:
1148 err = -ENOTSUPP;
1149 goto done;
1150 }
1151
af05b30b 1152 switch (sk->sk_state) {
1da177e4
LT		 1153 case BT_CONNECT:
1154 case BT_CONNECT2:
1155 case BT_CONFIG:
1156 /* Already connecting */
1157 goto wait;
1158
1159 case BT_CONNECTED:
1160 /* Already connected */
1161 goto done;
1162
1163 case BT_OPEN:
1164 case BT_BOUND:
1165 /* Can connect */
1166 break;
1167
1168 default:
1169 err = -EBADFD;
1170 goto done;
1171 }
1172
1173 /* Set destination address and psm */
f29972de
MH		 1174 bacpy(&bt_sk(sk)->dst, &la.l2_bdaddr);
1175 l2cap_pi(sk)->psm = la.l2_psm;
1da177e4 1176
af05b30b
GP		 1177 err = l2cap_do_connect(sk);
1178 if (err)
1da177e4
LT		 1179 goto done;
1180
1181wait:
1182 err = bt_sock_wait_state(sk, BT_CONNECTED,
1183 sock_sndtimeo(sk, flags & O_NONBLOCK));
1184done:
1185 release_sock(sk);
1186 return err;
1187}
1188
1189static int l2cap_sock_listen(struct socket *sock, int backlog)
1190{
1191 struct sock *sk = sock->sk;
1192 int err = 0;
1193
1194 BT_DBG("sk %p backlog %d", sk, backlog);
1195
1196 lock_sock(sk);
1197
bd3c9e25
GP		 1198 if ((sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM)
1199 || sk->sk_state != BT_BOUND) {
1da177e4
LT		 1200 err = -EBADFD;
1201 goto done;
1202 }
1203
c6b03cf9
MH		 1204 switch (l2cap_pi(sk)->mode) {
1205 case L2CAP_MODE_BASIC:
1206 break;
1207 case L2CAP_MODE_ERTM:
f2fcfcd6 1208 case L2CAP_MODE_STREAMING:
c6b03cf9
MH		 1209 if (enable_ertm)
1210 break;
1211 /* fall through */
1212 default:
1213 err = -ENOTSUPP;
1214 goto done;
1215 }
1216
1da177e4
LT		 1217 if (!l2cap_pi(sk)->psm) {
1218 bdaddr_t *src = &bt_sk(sk)->src;
1219 u16 psm;
1220
1221 err = -EINVAL;
1222
1223 write_lock_bh(&l2cap_sk_list.lock);
1224
1225 for (psm = 0x1001; psm < 0x1100; psm += 2)
b4324b5d
MH		 1226 if (!__l2cap_get_sock_by_addr(cpu_to_le16(psm), src)) {
1227 l2cap_pi(sk)->psm = cpu_to_le16(psm);
1228 l2cap_pi(sk)->sport = cpu_to_le16(psm);
1da177e4
LT		 1229 err = 0;
1230 break;
1231 }
1232
1233 write_unlock_bh(&l2cap_sk_list.lock);
1234
1235 if (err < 0)
1236 goto done;
1237 }
1238
1239 sk->sk_max_ack_backlog = backlog;
1240 sk->sk_ack_backlog = 0;
1241 sk->sk_state = BT_LISTEN;
1242
1243done:
1244 release_sock(sk);
1245 return err;
1246}
1247
1248static int l2cap_sock_accept(struct socket *sock, struct socket *newsock, int flags)
1249{
1250 DECLARE_WAITQUEUE(wait, current);
1251 struct sock *sk = sock->sk, *nsk;
1252 long timeo;
1253 int err = 0;
1254
fcc70d5f 1255 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
1da177e4
LT		 1256
1257 if (sk->sk_state != BT_LISTEN) {
1258 err = -EBADFD;
1259 goto done;
1260 }
1261
1262 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
1263
1264 BT_DBG("sk %p timeo %ld", sk, timeo);
1265
1266 /* Wait for an incoming connection. (wake-one). */
aa395145 1267 add_wait_queue_exclusive(sk_sleep(sk), &wait);
1da177e4
LT		 1268 while (!(nsk = bt_accept_dequeue(sk, newsock))) {
1269 set_current_state(TASK_INTERRUPTIBLE);
1270 if (!timeo) {
1271 err = -EAGAIN;
1272 break;
1273 }
1274
1275 release_sock(sk);
1276 timeo = schedule_timeout(timeo);
fcc70d5f 1277 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
1da177e4
LT		 1278
1279 if (sk->sk_state != BT_LISTEN) {
1280 err = -EBADFD;
1281 break;
1282 }
1283
1284 if (signal_pending(current)) {
1285 err = sock_intr_errno(timeo);
1286 break;
1287 }
1288 }
1289 set_current_state(TASK_RUNNING);
aa395145 1290 remove_wait_queue(sk_sleep(sk), &wait);
1da177e4
LT		 1291
1292 if (err)
1293 goto done;
1294
1295 newsock->state = SS_CONNECTED;
1296
1297 BT_DBG("new socket %p", nsk);
1298
1299done:
1300 release_sock(sk);
1301 return err;
1302}
1303
1304static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr, int *len, int peer)
1305{
1306 struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
1307 struct sock *sk = sock->sk;
1308
1309 BT_DBG("sock %p, sk %p", sock, sk);
1310
1311 addr->sa_family = AF_BLUETOOTH;
1312 *len = sizeof(struct sockaddr_l2);
1313
f29972de
MH		 1314 if (peer) {
1315 la->l2_psm = l2cap_pi(sk)->psm;
1da177e4 1316 bacpy(&la->l2_bdaddr, &bt_sk(sk)->dst);
b4324b5d 1317 la->l2_cid = cpu_to_le16(l2cap_pi(sk)->dcid);
f29972de
MH		 1318 } else {
1319 la->l2_psm = l2cap_pi(sk)->sport;
1da177e4 1320 bacpy(&la->l2_bdaddr, &bt_sk(sk)->src);
b4324b5d 1321 la->l2_cid = cpu_to_le16(l2cap_pi(sk)->scid);
f29972de 1322 }
1da177e4 1323
1da177e4
LT		 1324 return 0;
1325}
1326
6161c038
GP		 1327static int __l2cap_wait_ack(struct sock *sk)
1328{
1329 DECLARE_WAITQUEUE(wait, current);
1330 int err = 0;
1331 int timeo = HZ/5;
1332
2b0b05dd 1333 add_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1334 while ((l2cap_pi(sk)->unacked_frames > 0 && l2cap_pi(sk)->conn)) {
1335 set_current_state(TASK_INTERRUPTIBLE);
1336
1337 if (!timeo)
1338 timeo = HZ/5;
1339
1340 if (signal_pending(current)) {
1341 err = sock_intr_errno(timeo);
1342 break;
1343 }
1344
1345 release_sock(sk);
1346 timeo = schedule_timeout(timeo);
1347 lock_sock(sk);
1348
1349 err = sock_error(sk);
1350 if (err)
1351 break;
1352 }
1353 set_current_state(TASK_RUNNING);
2b0b05dd 1354 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1355 return err;
1356}
1357
e90bac06
GP		 1358static void l2cap_monitor_timeout(unsigned long arg)
1359{
1360 struct sock *sk = (void *) arg;
e90bac06 1361
0e98958d
GP		 1362 BT_DBG("sk %p", sk);
1363
e686219a 1364 bh_lock_sock(sk);
e90bac06 1365 if (l2cap_pi(sk)->retry_count >= l2cap_pi(sk)->remote_max_tx) {
9b108fc0 1366 l2cap_send_disconn_req(l2cap_pi(sk)->conn, sk, ECONNABORTED);
b13f5860 1367 bh_unlock_sock(sk);
e90bac06
GP		 1368 return;
1369 }
1370
1371 l2cap_pi(sk)->retry_count++;
1372 __mod_monitor_timer();
1373
a2e12a2a 1374 l2cap_send_rr_or_rnr(l2cap_pi(sk), L2CAP_CTRL_POLL);
e686219a 1375 bh_unlock_sock(sk);
e90bac06
GP		 1376}
1377
1378static void l2cap_retrans_timeout(unsigned long arg)
1379{
1380 struct sock *sk = (void *) arg;
e90bac06 1381
0e98958d
GP		 1382 BT_DBG("sk %p", sk);
1383
e686219a 1384 bh_lock_sock(sk);
e90bac06
GP		 1385 l2cap_pi(sk)->retry_count = 1;
1386 __mod_monitor_timer();
1387
1388 l2cap_pi(sk)->conn_state |= L2CAP_CONN_WAIT_F;
1389
a2e12a2a 1390 l2cap_send_rr_or_rnr(l2cap_pi(sk), L2CAP_CTRL_POLL);
e686219a 1391 bh_unlock_sock(sk);
e90bac06
GP		 1392}
1393
1c2acffb 1394static void l2cap_drop_acked_frames(struct sock *sk)
1da177e4 1395{
1c2acffb 1396 struct sk_buff *skb;
1da177e4 1397
812e737e
GP		 1398 while ((skb = skb_peek(TX_QUEUE(sk))) &&
1399 l2cap_pi(sk)->unacked_frames) {
1c2acffb
GP		 1400 if (bt_cb(skb)->tx_seq == l2cap_pi(sk)->expected_ack_seq)
1401 break;
1da177e4 1402
1c2acffb
GP		 1403 skb = skb_dequeue(TX_QUEUE(sk));
1404 kfree_skb(skb);
1da177e4 1405
1c2acffb
GP		 1406 l2cap_pi(sk)->unacked_frames--;
1407 }
1da177e4 1408
e90bac06
GP		 1409 if (!l2cap_pi(sk)->unacked_frames)
1410 del_timer(&l2cap_pi(sk)->retrans_timer);
1c2acffb 1411}
1da177e4 1412
9a9c6a34 1413static inline void l2cap_do_send(struct sock *sk, struct sk_buff *skb)
1c2acffb
GP		 1414{
1415 struct l2cap_pinfo *pi = l2cap_pi(sk);
1c2acffb
GP		 1416
1417 BT_DBG("sk %p, skb %p len %d", sk, skb, skb->len);
1da177e4 1418
9a9c6a34 1419 hci_send_acl(pi->conn->hcon, skb, 0);
1c2acffb
GP		 1420}
1421
6840ed07
GP		 1422static int l2cap_streaming_send(struct sock *sk)
1423{
1424 struct sk_buff *skb, *tx_skb;
1425 struct l2cap_pinfo *pi = l2cap_pi(sk);
fcc203c3 1426 u16 control, fcs;
6840ed07
GP		 1427
1428 while ((skb = sk->sk_send_head)) {
1429 tx_skb = skb_clone(skb, GFP_ATOMIC);
1430
1431 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
1432 control |= pi->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT;
1433 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1434
e8235c6b 1435 if (pi->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 1436 fcs = crc16(0, (u8 *)tx_skb->data, tx_skb->len - 2);
1437 put_unaligned_le16(fcs, tx_skb->data + tx_skb->len - 2);
1438 }
1439
9a9c6a34 1440 l2cap_do_send(sk, tx_skb);
6840ed07
GP		 1441
1442 pi->next_tx_seq = (pi->next_tx_seq + 1) % 64;
1443
1444 if (skb_queue_is_last(TX_QUEUE(sk), skb))
1445 sk->sk_send_head = NULL;
1446 else
1447 sk->sk_send_head = skb_queue_next(TX_QUEUE(sk), skb);
1448
1449 skb = skb_dequeue(TX_QUEUE(sk));
1450 kfree_skb(skb);
1451 }
1452 return 0;
1453}
1454
dfc909be 1455static void l2cap_retransmit_one_frame(struct sock *sk, u8 tx_seq)
8f17154f
GP		 1456{
1457 struct l2cap_pinfo *pi = l2cap_pi(sk);
1458 struct sk_buff *skb, *tx_skb;
1459 u16 control, fcs;
8f17154f
GP		 1460
1461 skb = skb_peek(TX_QUEUE(sk));
f11d676d
GP		 1462 if (!skb)
1463 return;
8f17154f 1464
f11d676d
GP		 1465 do {
1466 if (bt_cb(skb)->tx_seq == tx_seq)
8f17154f 1467 break;
8f17154f 1468
f11d676d
GP		 1469 if (skb_queue_is_last(TX_QUEUE(sk), skb))
1470 return;
8f17154f 1471
f11d676d 1472 } while ((skb = skb_queue_next(TX_QUEUE(sk), skb)));
8f17154f 1473
f11d676d
GP		 1474 if (pi->remote_max_tx &&
1475 bt_cb(skb)->retries == pi->remote_max_tx) {
9b108fc0 1476 l2cap_send_disconn_req(pi->conn, sk, ECONNABORTED);
f11d676d
GP		 1477 return;
1478 }
1479
1480 tx_skb = skb_clone(skb, GFP_ATOMIC);
1481 bt_cb(skb)->retries++;
1482 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
3cb123d1
GP		 1483
1484 if (pi->conn_state & L2CAP_CONN_SEND_FBIT) {
1485 control |= L2CAP_CTRL_FINAL;
1486 pi->conn_state &= ~L2CAP_CONN_SEND_FBIT;
1487 }
95ffa978 1488
f11d676d
GP		 1489 control |= (pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1490 | (tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
3cb123d1 1491
f11d676d
GP		 1492 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1493
1494 if (pi->fcs == L2CAP_FCS_CRC16) {
1495 fcs = crc16(0, (u8 *)tx_skb->data, tx_skb->len - 2);
1496 put_unaligned_le16(fcs, tx_skb->data + tx_skb->len - 2);
1497 }
1498
1499 l2cap_do_send(sk, tx_skb);
8f17154f
GP		 1500}
1501
1c2acffb
GP		 1502static int l2cap_ertm_send(struct sock *sk)
1503{
1504 struct sk_buff *skb, *tx_skb;
1505 struct l2cap_pinfo *pi = l2cap_pi(sk);
fcc203c3 1506 u16 control, fcs;
9a9c6a34 1507 int nsent = 0;
1c2acffb 1508
c13ffa62
GP		 1509 if (sk->sk_state != BT_CONNECTED)
1510 return -ENOTCONN;
e90bac06 1511
6e2b6722 1512 while ((skb = sk->sk_send_head) && (!l2cap_tx_window_full(sk))) {
1c2acffb 1513
e90bac06
GP		 1514 if (pi->remote_max_tx &&
1515 bt_cb(skb)->retries == pi->remote_max_tx) {
9b108fc0 1516 l2cap_send_disconn_req(pi->conn, sk, ECONNABORTED);
e90bac06
GP		 1517 break;
1518 }
1519
e420aba3
AE		 1520 tx_skb = skb_clone(skb, GFP_ATOMIC);
1521
e90bac06
GP		 1522 bt_cb(skb)->retries++;
1523
1c2acffb 1524 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
95ffa978
GP		 1525 control &= L2CAP_CTRL_SAR;
1526
d5392c8f
GP		 1527 if (pi->conn_state & L2CAP_CONN_SEND_FBIT) {
1528 control |= L2CAP_CTRL_FINAL;
1529 pi->conn_state &= ~L2CAP_CONN_SEND_FBIT;
1530 }
9f121a5a 1531 control |= (pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1c2acffb
GP		 1532 | (pi->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
1533 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1534
e90bac06 1535
e8235c6b 1536 if (pi->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 1537 fcs = crc16(0, (u8 *)skb->data, tx_skb->len - 2);
1538 put_unaligned_le16(fcs, skb->data + tx_skb->len - 2);
1539 }
1540
9a9c6a34
GP		 1541 l2cap_do_send(sk, tx_skb);
1542
e90bac06 1543 __mod_retrans_timer();
1c2acffb
GP		 1544
1545 bt_cb(skb)->tx_seq = pi->next_tx_seq;
1546 pi->next_tx_seq = (pi->next_tx_seq + 1) % 64;
1547
1548 pi->unacked_frames++;
d5392c8f 1549 pi->frames_sent++;
1c2acffb
GP		 1550
1551 if (skb_queue_is_last(TX_QUEUE(sk), skb))
1552 sk->sk_send_head = NULL;
1553 else
1554 sk->sk_send_head = skb_queue_next(TX_QUEUE(sk), skb);
9e917af1
GP		 1555
1556 nsent++;
1c2acffb
GP		 1557 }
1558
9e917af1
GP		 1559 return nsent;
1560}
1561
dfc909be
GP		 1562static int l2cap_retransmit_frames(struct sock *sk)
1563{
1564 struct l2cap_pinfo *pi = l2cap_pi(sk);
1565 int ret;
1566
dfc909be
GP		 1567 if (!skb_queue_empty(TX_QUEUE(sk)))
1568 sk->sk_send_head = TX_QUEUE(sk)->next;
1569
1570 pi->next_tx_seq = pi->expected_ack_seq;
1571 ret = l2cap_ertm_send(sk);
dfc909be
GP		 1572 return ret;
1573}
1574
9a9c6a34 1575static void l2cap_send_ack(struct l2cap_pinfo *pi)
9e917af1
GP		 1576{
1577 struct sock *sk = (struct sock *)pi;
1578 u16 control = 0;
1579
1580 control |= pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1581
1582 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) {
1583 control |= L2CAP_SUPER_RCV_NOT_READY;
1890d36b 1584 pi->conn_state |= L2CAP_CONN_RNR_SENT;
9a9c6a34
GP		 1585 l2cap_send_sframe(pi, control);
1586 return;
9e917af1 1587 }
dfc909be 1588
e0f66218 1589 if (l2cap_ertm_send(sk) > 0)
dfc909be
GP		 1590 return;
1591
1592 control |= L2CAP_SUPER_RCV_READY;
1593 l2cap_send_sframe(pi, control);
1c2acffb
GP		 1594}
1595
9a9c6a34 1596static void l2cap_send_srejtail(struct sock *sk)
99b0d4b7
GP		 1597{
1598 struct srej_list *tail;
1599 u16 control;
1600
1601 control = L2CAP_SUPER_SELECT_REJECT;
1602 control |= L2CAP_CTRL_FINAL;
1603
1604 tail = list_entry(SREJ_LIST(sk)->prev, struct srej_list, list);
1605 control |= tail->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1606
1607 l2cap_send_sframe(l2cap_pi(sk), control);
99b0d4b7
GP		 1608}
1609
1c2acffb
GP		 1610static inline int l2cap_skbuff_fromiovec(struct sock *sk, struct msghdr *msg, int len, int count, struct sk_buff *skb)
1611{
1612 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1613 struct sk_buff **frag;
1614 int err, sent = 0;
1da177e4 1615
59203a21 1616 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1617 return -EFAULT;
1da177e4
LT		 1618
1619 sent += count;
1620 len -= count;
1621
1622 /* Continuation fragments (no L2CAP header) */
1623 frag = &skb_shinfo(skb)->frag_list;
1624 while (len) {
1625 count = min_t(unsigned int, conn->mtu, len);
1626
1627 *frag = bt_skb_send_alloc(sk, count, msg->msg_flags & MSG_DONTWAIT, &err);
1628 if (!*frag)
1c2acffb
GP		 1629 return -EFAULT;
1630 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1631 return -EFAULT;
1da177e4
LT		 1632
1633 sent += count;
1634 len -= count;
1635
1636 frag = &(*frag)->next;
1637 }
1da177e4
LT		 1638
1639 return sent;
1c2acffb 1640}
1da177e4 1641
1c2acffb
GP		 1642static struct sk_buff *l2cap_create_connless_pdu(struct sock *sk, struct msghdr *msg, size_t len)
1643{
1644 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1645 struct sk_buff *skb;
1646 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1647 struct l2cap_hdr *lh;
1648
1649 BT_DBG("sk %p len %d", sk, (int)len);
1650
1651 count = min_t(unsigned int, (conn->mtu - hlen), len);
1652 skb = bt_skb_send_alloc(sk, count + hlen,
1653 msg->msg_flags & MSG_DONTWAIT, &err);
1654 if (!skb)
1655 return ERR_PTR(-ENOMEM);
1656
1657 /* Create L2CAP header */
1658 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1659 lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1660 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1661 put_unaligned_le16(l2cap_pi(sk)->psm, skb_put(skb, 2));
1662
1663 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1664 if (unlikely(err < 0)) {
1665 kfree_skb(skb);
1666 return ERR_PTR(err);
1667 }
1668 return skb;
1669}
1670
1671static struct sk_buff *l2cap_create_basic_pdu(struct sock *sk, struct msghdr *msg, size_t len)
1672{
1673 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1674 struct sk_buff *skb;
1675 int err, count, hlen = L2CAP_HDR_SIZE;
1676 struct l2cap_hdr *lh;
1677
1678 BT_DBG("sk %p len %d", sk, (int)len);
1679
1680 count = min_t(unsigned int, (conn->mtu - hlen), len);
1681 skb = bt_skb_send_alloc(sk, count + hlen,
1682 msg->msg_flags & MSG_DONTWAIT, &err);
1683 if (!skb)
1684 return ERR_PTR(-ENOMEM);
1685
1686 /* Create L2CAP header */
1687 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1688 lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1689 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1690
1691 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1692 if (unlikely(err < 0)) {
1693 kfree_skb(skb);
1694 return ERR_PTR(err);
1695 }
1696 return skb;
1697}
1698
6840ed07 1699static struct sk_buff *l2cap_create_iframe_pdu(struct sock *sk, struct msghdr *msg, size_t len, u16 control, u16 sdulen)
1c2acffb
GP		 1700{
1701 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1702 struct sk_buff *skb;
1703 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1704 struct l2cap_hdr *lh;
1705
1706 BT_DBG("sk %p len %d", sk, (int)len);
1707
0ee0d208
GP		 1708 if (!conn)
1709 return ERR_PTR(-ENOTCONN);
1710
c74e560c
GP		 1711 if (sdulen)
1712 hlen += 2;
1713
fcc203c3
GP		 1714 if (l2cap_pi(sk)->fcs == L2CAP_FCS_CRC16)
1715 hlen += 2;
1716
1c2acffb
GP		 1717 count = min_t(unsigned int, (conn->mtu - hlen), len);
1718 skb = bt_skb_send_alloc(sk, count + hlen,
1719 msg->msg_flags & MSG_DONTWAIT, &err);
1720 if (!skb)
1721 return ERR_PTR(-ENOMEM);
1722
1723 /* Create L2CAP header */
1724 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1725 lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1726 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1727 put_unaligned_le16(control, skb_put(skb, 2));
c74e560c
GP		 1728 if (sdulen)
1729 put_unaligned_le16(sdulen, skb_put(skb, 2));
1c2acffb
GP		 1730
1731 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1732 if (unlikely(err < 0)) {
1733 kfree_skb(skb);
1734 return ERR_PTR(err);
1735 }
e90bac06 1736
fcc203c3
GP		 1737 if (l2cap_pi(sk)->fcs == L2CAP_FCS_CRC16)
1738 put_unaligned_le16(0, skb_put(skb, 2));
1739
e90bac06 1740 bt_cb(skb)->retries = 0;
1c2acffb 1741 return skb;
1da177e4
LT		 1742}
1743
c74e560c
GP		 1744static inline int l2cap_sar_segment_sdu(struct sock *sk, struct msghdr *msg, size_t len)
1745{
1746 struct l2cap_pinfo *pi = l2cap_pi(sk);
1747 struct sk_buff *skb;
1748 struct sk_buff_head sar_queue;
1749 u16 control;
1750 size_t size = 0;
1751
ff12fd64 1752 skb_queue_head_init(&sar_queue);
c74e560c 1753 control = L2CAP_SDU_START;
1c762159 1754 skb = l2cap_create_iframe_pdu(sk, msg, pi->remote_mps, control, len);
c74e560c
GP		 1755 if (IS_ERR(skb))
1756 return PTR_ERR(skb);
1757
1758 __skb_queue_tail(&sar_queue, skb);
1c762159
GP		 1759 len -= pi->remote_mps;
1760 size += pi->remote_mps;
c74e560c
GP		 1761
1762 while (len > 0) {
1763 size_t buflen;
1764
1c762159 1765 if (len > pi->remote_mps) {
44651b85 1766 control = L2CAP_SDU_CONTINUE;
1c762159 1767 buflen = pi->remote_mps;
c74e560c 1768 } else {
44651b85 1769 control = L2CAP_SDU_END;
c74e560c
GP		 1770 buflen = len;
1771 }
1772
6840ed07 1773 skb = l2cap_create_iframe_pdu(sk, msg, buflen, control, 0);
c74e560c
GP		 1774 if (IS_ERR(skb)) {
1775 skb_queue_purge(&sar_queue);
1776 return PTR_ERR(skb);
1777 }
1778
1779 __skb_queue_tail(&sar_queue, skb);
1780 len -= buflen;
1781 size += buflen;
c74e560c
GP		 1782 }
1783 skb_queue_splice_tail(&sar_queue, TX_QUEUE(sk));
1784 if (sk->sk_send_head == NULL)
1785 sk->sk_send_head = sar_queue.next;
1786
1787 return size;
1788}
1789
1da177e4
LT		 1790static int l2cap_sock_sendmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len)
1791{
1792 struct sock *sk = sock->sk;
1c2acffb
GP		 1793 struct l2cap_pinfo *pi = l2cap_pi(sk);
1794 struct sk_buff *skb;
1795 u16 control;
1796 int err;
1da177e4
LT		 1797
1798 BT_DBG("sock %p, sk %p", sock, sk);
1799
c1cbe4b7
BL		 1800 err = sock_error(sk);
1801 if (err)
1802 return err;
1da177e4
LT		 1803
1804 if (msg->msg_flags & MSG_OOB)
1805 return -EOPNOTSUPP;
1806
1da177e4
LT		 1807 lock_sock(sk);
1808
1c2acffb 1809 if (sk->sk_state != BT_CONNECTED) {
1da177e4 1810 err = -ENOTCONN;
1c2acffb
GP		 1811 goto done;
1812 }
1da177e4 1813
1c2acffb
GP		 1814 /* Connectionless channel */
1815 if (sk->sk_type == SOCK_DGRAM) {
1816 skb = l2cap_create_connless_pdu(sk, msg, len);
9a9c6a34 1817 if (IS_ERR(skb)) {
477fffb0 1818 err = PTR_ERR(skb);
9a9c6a34
GP		 1819 } else {
1820 l2cap_do_send(sk, skb);
1821 err = len;
1822 }
1c2acffb
GP		 1823 goto done;
1824 }
1825
1826 switch (pi->mode) {
1827 case L2CAP_MODE_BASIC:
c69163e9
GP		 1828 /* Check outgoing MTU */
1829 if (len > pi->omtu) {
1830 err = -EINVAL;
1831 goto done;
1832 }
1833
1c2acffb
GP		 1834 /* Create a basic PDU */
1835 skb = l2cap_create_basic_pdu(sk, msg, len);
1836 if (IS_ERR(skb)) {
1837 err = PTR_ERR(skb);
1838 goto done;
1839 }
1840
9a9c6a34
GP		 1841 l2cap_do_send(sk, skb);
1842 err = len;
1c2acffb
GP		 1843 break;
1844
1845 case L2CAP_MODE_ERTM:
6840ed07 1846 case L2CAP_MODE_STREAMING:
1c2acffb 1847 /* Entire SDU fits into one PDU */
1c762159 1848 if (len <= pi->remote_mps) {
1c2acffb 1849 control = L2CAP_SDU_UNSEGMENTED;
6840ed07 1850 skb = l2cap_create_iframe_pdu(sk, msg, len, control, 0);
1c2acffb
GP		 1851 if (IS_ERR(skb)) {
1852 err = PTR_ERR(skb);
1853 goto done;
1854 }
c74e560c 1855 __skb_queue_tail(TX_QUEUE(sk), skb);
dfc909be 1856
c74e560c
GP		 1857 if (sk->sk_send_head == NULL)
1858 sk->sk_send_head = skb;
dfc909be 1859
1c2acffb 1860 } else {
c74e560c
GP		 1861 /* Segment SDU into multiples PDUs */
1862 err = l2cap_sar_segment_sdu(sk, msg, len);
1863 if (err < 0)
1864 goto done;
1c2acffb 1865 }
1c2acffb 1866
dfc909be 1867 if (pi->mode == L2CAP_MODE_STREAMING) {
6840ed07 1868 err = l2cap_streaming_send(sk);
dfc909be 1869 } else {
6e2b6722
GP		 1870 if (pi->conn_state & L2CAP_CONN_REMOTE_BUSY &&
1871 pi->conn_state && L2CAP_CONN_WAIT_F) {
1872 err = len;
1873 break;
1874 }
6840ed07 1875 err = l2cap_ertm_send(sk);
dfc909be 1876 }
6840ed07 1877
9e917af1 1878 if (err >= 0)
1c2acffb
GP		 1879 err = len;
1880 break;
1881
1882 default:
1883 BT_DBG("bad state %1.1x", pi->mode);
1884 err = -EINVAL;
1885 }
1886
1887done:
1da177e4
LT		 1888 release_sock(sk);
1889 return err;
1890}
1891
f66dc81f
MH		 1892static int l2cap_sock_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len, int flags)
1893{
1894 struct sock *sk = sock->sk;
1895
1896 lock_sock(sk);
1897
1898 if (sk->sk_state == BT_CONNECT2 && bt_sk(sk)->defer_setup) {
1899 struct l2cap_conn_rsp rsp;
1900
1901 sk->sk_state = BT_CONFIG;
1902
1903 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
1904 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
1905 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1906 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1907 l2cap_send_cmd(l2cap_pi(sk)->conn, l2cap_pi(sk)->ident,
1908 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
1909
1910 release_sock(sk);
1911 return 0;
1912 }
1913
1914 release_sock(sk);
1915
1916 return bt_sock_recvmsg(iocb, sock, msg, len, flags);
1917}
1918
b7058842 1919static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __user *optval, unsigned int optlen)
1da177e4
LT		 1920{
1921 struct sock *sk = sock->sk;
1922 struct l2cap_options opts;
f29972de 1923 int len, err = 0;
1da177e4
LT		 1924 u32 opt;
1925
1926 BT_DBG("sk %p", sk);
1927
1928 lock_sock(sk);
1929
1930 switch (optname) {
1931 case L2CAP_OPTIONS:
0878b666
MH		 1932 opts.imtu = l2cap_pi(sk)->imtu;
1933 opts.omtu = l2cap_pi(sk)->omtu;
1934 opts.flush_to = l2cap_pi(sk)->flush_to;
c6b03cf9 1935 opts.mode = l2cap_pi(sk)->mode;
fcc203c3 1936 opts.fcs = l2cap_pi(sk)->fcs;
68d7f0ce 1937 opts.max_tx = l2cap_pi(sk)->max_tx;
14b5aa71 1938 opts.txwin_size = (__u16)l2cap_pi(sk)->tx_win;
0878b666 1939
1da177e4
LT		 1940 len = min_t(unsigned int, sizeof(opts), optlen);
1941 if (copy_from_user((char *) &opts, optval, len)) {
1942 err = -EFAULT;
1943 break;
1944 }
0878b666 1945
45d65c46
GP		 1946 if (opts.txwin_size > L2CAP_DEFAULT_TX_WINDOW) {
1947 err = -EINVAL;
1948 break;
1949 }
1950
0041ecfa
JPRV		 1951 l2cap_pi(sk)->mode = opts.mode;
1952 switch (l2cap_pi(sk)->mode) {
1953 case L2CAP_MODE_BASIC:
85eb53c6 1954 l2cap_pi(sk)->conf_state &= ~L2CAP_CONF_STATE2_DEVICE;
0041ecfa
JPRV		 1955 break;
1956 case L2CAP_MODE_ERTM:
1957 case L2CAP_MODE_STREAMING:
1958 if (enable_ertm)
1959 break;
1960 /* fall through */
1961 default:
1962 err = -EINVAL;
1963 break;
1964 }
1965
c6b03cf9
MH		 1966 l2cap_pi(sk)->imtu = opts.imtu;
1967 l2cap_pi(sk)->omtu = opts.omtu;
fcc203c3 1968 l2cap_pi(sk)->fcs = opts.fcs;
68d7f0ce 1969 l2cap_pi(sk)->max_tx = opts.max_tx;
14b5aa71 1970 l2cap_pi(sk)->tx_win = (__u8)opts.txwin_size;
1da177e4
LT		 1971 break;
1972
1973 case L2CAP_LM:
1974 if (get_user(opt, (u32 __user *) optval)) {
1975 err = -EFAULT;
1976 break;
1977 }
1978
2af6b9d5
MH		 1979 if (opt & L2CAP_LM_AUTH)
1980 l2cap_pi(sk)->sec_level = BT_SECURITY_LOW;
1981 if (opt & L2CAP_LM_ENCRYPT)
1982 l2cap_pi(sk)->sec_level = BT_SECURITY_MEDIUM;
1983 if (opt & L2CAP_LM_SECURE)
1984 l2cap_pi(sk)->sec_level = BT_SECURITY_HIGH;
1985
1986 l2cap_pi(sk)->role_switch = (opt & L2CAP_LM_MASTER);
1987 l2cap_pi(sk)->force_reliable = (opt & L2CAP_LM_RELIABLE);
1da177e4
LT		 1988 break;
1989
1990 default:
1991 err = -ENOPROTOOPT;
1992 break;
1993 }
1994
1995 release_sock(sk);
1996 return err;
1997}
1998
b7058842 1999static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, char __user *optval, unsigned int optlen)
d58daf42
MH		 2000{
2001 struct sock *sk = sock->sk;
2af6b9d5
MH		 2002 struct bt_security sec;
2003 int len, err = 0;
f66dc81f 2004 u32 opt;
d58daf42
MH		 2005
2006 BT_DBG("sk %p", sk);
2007
2008 if (level == SOL_L2CAP)
2009 return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
2010
0588d94f
MH		 2011 if (level != SOL_BLUETOOTH)
2012 return -ENOPROTOOPT;
2013
d58daf42
MH		 2014 lock_sock(sk);
2015
2016 switch (optname) {
2af6b9d5 2017 case BT_SECURITY:
bd3c9e25
GP		 2018 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
2019 && sk->sk_type != SOCK_RAW) {
0588d94f
MH		 2020 err = -EINVAL;
2021 break;
2022 }
2023
2af6b9d5
MH		 2024 sec.level = BT_SECURITY_LOW;
2025
2026 len = min_t(unsigned int, sizeof(sec), optlen);
2027 if (copy_from_user((char *) &sec, optval, len)) {
2028 err = -EFAULT;
2029 break;
2030 }
2031
2032 if (sec.level < BT_SECURITY_LOW ||
2033 sec.level > BT_SECURITY_HIGH) {
2034 err = -EINVAL;
2035 break;
2036 }
2037
2038 l2cap_pi(sk)->sec_level = sec.level;
2039 break;
2040
f66dc81f
MH		 2041 case BT_DEFER_SETUP:
2042 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
2043 err = -EINVAL;
2044 break;
2045 }
2046
2047 if (get_user(opt, (u32 __user *) optval)) {
2048 err = -EFAULT;
2049 break;
2050 }
2051
2052 bt_sk(sk)->defer_setup = opt;
2053 break;
2054
d58daf42
MH		 2055 default:
2056 err = -ENOPROTOOPT;
2057 break;
2058 }
2059
2060 release_sock(sk);
2061 return err;
2062}
2063
2064static int l2cap_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen)
1da177e4
LT		 2065{
2066 struct sock *sk = sock->sk;
2067 struct l2cap_options opts;
2068 struct l2cap_conninfo cinfo;
2069 int len, err = 0;
2af6b9d5 2070 u32 opt;
1da177e4
LT		 2071
2072 BT_DBG("sk %p", sk);
2073
2074 if (get_user(len, optlen))
2075 return -EFAULT;
2076
2077 lock_sock(sk);
2078
2079 switch (optname) {
2080 case L2CAP_OPTIONS:
2081 opts.imtu = l2cap_pi(sk)->imtu;
2082 opts.omtu = l2cap_pi(sk)->omtu;
2083 opts.flush_to = l2cap_pi(sk)->flush_to;
c6b03cf9 2084 opts.mode = l2cap_pi(sk)->mode;
fcc203c3 2085 opts.fcs = l2cap_pi(sk)->fcs;
68d7f0ce 2086 opts.max_tx = l2cap_pi(sk)->max_tx;
14b5aa71 2087 opts.txwin_size = (__u16)l2cap_pi(sk)->tx_win;
1da177e4
LT		 2088
2089 len = min_t(unsigned int, len, sizeof(opts));
2090 if (copy_to_user(optval, (char *) &opts, len))
2091 err = -EFAULT;
2092
2093 break;
2094
2095 case L2CAP_LM:
2af6b9d5
MH		 2096 switch (l2cap_pi(sk)->sec_level) {
2097 case BT_SECURITY_LOW:
2098 opt = L2CAP_LM_AUTH;
2099 break;
2100 case BT_SECURITY_MEDIUM:
2101 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
2102 break;
2103 case BT_SECURITY_HIGH:
2104 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
2105 L2CAP_LM_SECURE;
2106 break;
2107 default:
2108 opt = 0;
2109 break;
2110 }
2111
2112 if (l2cap_pi(sk)->role_switch)
2113 opt |= L2CAP_LM_MASTER;
2114
2115 if (l2cap_pi(sk)->force_reliable)
2116 opt |= L2CAP_LM_RELIABLE;
2117
2118 if (put_user(opt, (u32 __user *) optval))
1da177e4
LT		 2119 err = -EFAULT;
2120 break;
2121
2122 case L2CAP_CONNINFO:
f66dc81f
MH		 2123 if (sk->sk_state != BT_CONNECTED &&
2124 !(sk->sk_state == BT_CONNECT2 &&
2125 bt_sk(sk)->defer_setup)) {
1da177e4
LT		 2126 err = -ENOTCONN;
2127 break;
2128 }
2129
2130 cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle;
2131 memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3);
2132
2133 len = min_t(unsigned int, len, sizeof(cinfo));
2134 if (copy_to_user(optval, (char *) &cinfo, len))
2135 err = -EFAULT;
2136
2137 break;
2138
2139 default:
2140 err = -ENOPROTOOPT;
2141 break;
2142 }
2143
2144 release_sock(sk);
2145 return err;
2146}
2147
d58daf42
MH		 2148static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen)
2149{
2150 struct sock *sk = sock->sk;
2af6b9d5 2151 struct bt_security sec;
d58daf42
MH		 2152 int len, err = 0;
2153
2154 BT_DBG("sk %p", sk);
2155
2156 if (level == SOL_L2CAP)
2157 return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
2158
0588d94f
MH		 2159 if (level != SOL_BLUETOOTH)
2160 return -ENOPROTOOPT;
2161
d58daf42
MH		 2162 if (get_user(len, optlen))
2163 return -EFAULT;
2164
2165 lock_sock(sk);
2166
2167 switch (optname) {
2af6b9d5 2168 case BT_SECURITY:
bd3c9e25
GP		 2169 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
2170 && sk->sk_type != SOCK_RAW) {
0588d94f
MH		 2171 err = -EINVAL;
2172 break;
2173 }
2174
2af6b9d5
MH		 2175 sec.level = l2cap_pi(sk)->sec_level;
2176
2177 len = min_t(unsigned int, len, sizeof(sec));
2178 if (copy_to_user(optval, (char *) &sec, len))
2179 err = -EFAULT;
2180
2181 break;
2182
f66dc81f
MH		 2183 case BT_DEFER_SETUP:
2184 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
2185 err = -EINVAL;
2186 break;
2187 }
2188
2189 if (put_user(bt_sk(sk)->defer_setup, (u32 __user *) optval))
2190 err = -EFAULT;
2191
2192 break;
2193
d58daf42
MH		 2194 default:
2195 err = -ENOPROTOOPT;
2196 break;
2197 }
2198
2199 release_sock(sk);
2200 return err;
2201}
2202
1da177e4
LT		 2203static int l2cap_sock_shutdown(struct socket *sock, int how)
2204{
2205 struct sock *sk = sock->sk;
2206 int err = 0;
2207
2208 BT_DBG("sock %p, sk %p", sock, sk);
2209
2210 if (!sk)
2211 return 0;
2212
2213 lock_sock(sk);
2214 if (!sk->sk_shutdown) {
6161c038
GP		 2215 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM)
2216 err = __l2cap_wait_ack(sk);
2217
1da177e4
LT		 2218 sk->sk_shutdown = SHUTDOWN_MASK;
2219 l2cap_sock_clear_timer(sk);
2220 __l2cap_sock_close(sk, 0);
2221
2222 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime)
b1235d79
MH		 2223 err = bt_sock_wait_state(sk, BT_CLOSED,
2224 sk->sk_lingertime);
1da177e4 2225 }
9b108fc0
GP		 2226
2227 if (!err && sk->sk_err)
2228 err = -sk->sk_err;
2229
1da177e4
LT		 2230 release_sock(sk);
2231 return err;
2232}
2233
2234static int l2cap_sock_release(struct socket *sock)
2235{
2236 struct sock *sk = sock->sk;
2237 int err;
2238
2239 BT_DBG("sock %p, sk %p", sock, sk);
2240
2241 if (!sk)
2242 return 0;
2243
2244 err = l2cap_sock_shutdown(sock, 2);
2245
2246 sock_orphan(sk);
2247 l2cap_sock_kill(sk);
2248 return err;
2249}
2250
1da177e4
LT		 2251static void l2cap_chan_ready(struct sock *sk)
2252{
2253 struct sock *parent = bt_sk(sk)->parent;
2254
2255 BT_DBG("sk %p, parent %p", sk, parent);
2256
2257 l2cap_pi(sk)->conf_state = 0;
2258 l2cap_sock_clear_timer(sk);
2259
2260 if (!parent) {
2261 /* Outgoing channel.
2262 * Wake up socket sleeping on connect.
2263 */
2264 sk->sk_state = BT_CONNECTED;
2265 sk->sk_state_change(sk);
2266 } else {
2267 /* Incoming channel.
2268 * Wake up socket sleeping on accept.
2269 */
2270 parent->sk_data_ready(parent, 0);
2271 }
2272}
2273
2274/* Copy frame to all raw sockets on that connection */
2275static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2276{
2277 struct l2cap_chan_list *l = &conn->chan_list;
2278 struct sk_buff *nskb;
af05b30b 2279 struct sock *sk;
1da177e4
LT		 2280
2281 BT_DBG("conn %p", conn);
2282
2283 read_lock(&l->lock);
2284 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
2285 if (sk->sk_type != SOCK_RAW)
2286 continue;
2287
2288 /* Don't send frame to the socket it came from */
2289 if (skb->sk == sk)
2290 continue;
af05b30b
GP		 2291 nskb = skb_clone(skb, GFP_ATOMIC);
2292 if (!nskb)
1da177e4
LT		 2293 continue;
2294
2295 if (sock_queue_rcv_skb(sk, nskb))
2296 kfree_skb(nskb);
2297 }
2298 read_unlock(&l->lock);
2299}
2300
2301/* ---- L2CAP signalling commands ---- */
2302static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2303 u8 code, u8 ident, u16 dlen, void *data)
2304{
2305 struct sk_buff *skb, **frag;
2306 struct l2cap_cmd_hdr *cmd;
2307 struct l2cap_hdr *lh;
2308 int len, count;
2309
af05b30b
GP		 2310 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
2311 conn, code, ident, dlen);
1da177e4
LT		 2312
2313 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2314 count = min_t(unsigned int, conn->mtu, len);
2315
2316 skb = bt_skb_alloc(count, GFP_ATOMIC);
2317 if (!skb)
2318 return NULL;
2319
2320 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2321 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
8db4dc46 2322 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2323
2324 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2325 cmd->code = code;
2326 cmd->ident = ident;
aca3192c 2327 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2328
2329 if (dlen) {
2330 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2331 memcpy(skb_put(skb, count), data, count);
2332 data += count;
2333 }
2334
2335 len -= skb->len;
2336
2337 /* Continuation fragments (no L2CAP header) */
2338 frag = &skb_shinfo(skb)->frag_list;
2339 while (len) {
2340 count = min_t(unsigned int, conn->mtu, len);
2341
2342 *frag = bt_skb_alloc(count, GFP_ATOMIC);
2343 if (!*frag)
2344 goto fail;
2345
2346 memcpy(skb_put(*frag, count), data, count);
2347
2348 len -= count;
2349 data += count;
2350
2351 frag = &(*frag)->next;
2352 }
2353
2354 return skb;
2355
2356fail:
2357 kfree_skb(skb);
2358 return NULL;
2359}
2360
2361static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
2362{
2363 struct l2cap_conf_opt *opt = *ptr;
2364 int len;
2365
2366 len = L2CAP_CONF_OPT_SIZE + opt->len;
2367 *ptr += len;
2368
2369 *type = opt->type;
2370 *olen = opt->len;
2371
2372 switch (opt->len) {
2373 case 1:
2374 *val = *((u8 *) opt->val);
2375 break;
2376
2377 case 2:
861d6882 2378 *val = __le16_to_cpu(*((__le16 *) opt->val));
1da177e4
LT		 2379 break;
2380
2381 case 4:
861d6882 2382 *val = __le32_to_cpu(*((__le32 *) opt->val));
1da177e4
LT		 2383 break;
2384
2385 default:
2386 *val = (unsigned long) opt->val;
2387 break;
2388 }
2389
2390 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
2391 return len;
2392}
2393
1da177e4
LT		 2394static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2395{
2396 struct l2cap_conf_opt *opt = *ptr;
2397
2398 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
2399
2400 opt->type = type;
2401 opt->len = len;
2402
2403 switch (len) {
2404 case 1:
2405 *((u8 *) opt->val) = val;
2406 break;
2407
2408 case 2:
8e036fc3 2409 *((__le16 *) opt->val) = cpu_to_le16(val);
1da177e4
LT		 2410 break;
2411
2412 case 4:
8e036fc3 2413 *((__le32 *) opt->val) = cpu_to_le32(val);
1da177e4
LT		 2414 break;
2415
2416 default:
2417 memcpy(opt->val, (void *) val, len);
2418 break;
2419 }
2420
2421 *ptr += L2CAP_CONF_OPT_SIZE + len;
2422}
2423
c1b4f43b
GP		 2424static void l2cap_ack_timeout(unsigned long arg)
2425{
2426 struct sock *sk = (void *) arg;
2427
2428 bh_lock_sock(sk);
2429 l2cap_send_ack(l2cap_pi(sk));
2430 bh_unlock_sock(sk);
2431}
2432
0565c1c2
GP		 2433static inline void l2cap_ertm_init(struct sock *sk)
2434{
2435 l2cap_pi(sk)->expected_ack_seq = 0;
2436 l2cap_pi(sk)->unacked_frames = 0;
2437 l2cap_pi(sk)->buffer_seq = 0;
803020c6 2438 l2cap_pi(sk)->num_acked = 0;
d5392c8f 2439 l2cap_pi(sk)->frames_sent = 0;
0565c1c2
GP		 2440
2441 setup_timer(&l2cap_pi(sk)->retrans_timer,
2442 l2cap_retrans_timeout, (unsigned long) sk);
2443 setup_timer(&l2cap_pi(sk)->monitor_timer,
2444 l2cap_monitor_timeout, (unsigned long) sk);
c1b4f43b
GP		 2445 setup_timer(&l2cap_pi(sk)->ack_timer,
2446 l2cap_ack_timeout, (unsigned long) sk);
0565c1c2
GP		 2447
2448 __skb_queue_head_init(SREJ_QUEUE(sk));
1890d36b
GP		 2449 __skb_queue_head_init(BUSY_QUEUE(sk));
2450
2451 INIT_WORK(&l2cap_pi(sk)->busy_work, l2cap_busy_work);
218bb9df
GP		 2452
2453 sk->sk_backlog_rcv = l2cap_ertm_data_rcv;
0565c1c2
GP		 2454}
2455
f2fcfcd6
GP		 2456static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2457{
2458 switch (mode) {
2459 case L2CAP_MODE_STREAMING:
2460 case L2CAP_MODE_ERTM:
2461 if (l2cap_mode_supported(mode, remote_feat_mask))
2462 return mode;
2463 /* fall through */
2464 default:
2465 return L2CAP_MODE_BASIC;
2466 }
2467}
2468
1da177e4
LT		 2469static int l2cap_build_conf_req(struct sock *sk, void *data)
2470{
2471 struct l2cap_pinfo *pi = l2cap_pi(sk);
2472 struct l2cap_conf_req *req = data;
bd3c9e25 2473 struct l2cap_conf_rfc rfc = { .mode = pi->mode };
1da177e4
LT		 2474 void *ptr = req->data;
2475
2476 BT_DBG("sk %p", sk);
2477
f2fcfcd6
GP		 2478 if (pi->num_conf_req || pi->num_conf_rsp)
2479 goto done;
2480
2481 switch (pi->mode) {
2482 case L2CAP_MODE_STREAMING:
2483 case L2CAP_MODE_ERTM:
2ba13ed6 2484 if (pi->conf_state & L2CAP_CONF_STATE2_DEVICE)
85eb53c6 2485 break;
85eb53c6 2486
2ba13ed6 2487 /* fall through */
f2fcfcd6
GP		 2488 default:
2489 pi->mode = l2cap_select_mode(rfc.mode, pi->conn->feat_mask);
2490 break;
2491 }
2492
2493done:
65c7c491
MH		 2494 switch (pi->mode) {
2495 case L2CAP_MODE_BASIC:
2496 if (pi->imtu != L2CAP_DEFAULT_MTU)
2497 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->imtu);
62547752
GP		 2498
2499 rfc.mode = L2CAP_MODE_BASIC;
2500 rfc.txwin_size = 0;
2501 rfc.max_transmit = 0;
2502 rfc.retrans_timeout = 0;
2503 rfc.monitor_timeout = 0;
2504 rfc.max_pdu_size = 0;
2505
65c7c491
MH		 2506 break;
2507
2508 case L2CAP_MODE_ERTM:
2509 rfc.mode = L2CAP_MODE_ERTM;
14b5aa71 2510 rfc.txwin_size = pi->tx_win;
68d7f0ce 2511 rfc.max_transmit = pi->max_tx;
f2fcfcd6
GP		 2512 rfc.retrans_timeout = 0;
2513 rfc.monitor_timeout = 0;
c74e560c 2514 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
d1daa091 2515 if (L2CAP_DEFAULT_MAX_PDU_SIZE > pi->conn->mtu - 10)
1c762159 2516 rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10);
f2fcfcd6 2517
fcc203c3
GP		 2518 if (!(pi->conn->feat_mask & L2CAP_FEAT_FCS))
2519 break;
2520
2521 if (pi->fcs == L2CAP_FCS_NONE ||
2522 pi->conf_state & L2CAP_CONF_NO_FCS_RECV) {
2523 pi->fcs = L2CAP_FCS_NONE;
2524 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, pi->fcs);
2525 }
f2fcfcd6
GP		 2526 break;
2527
2528 case L2CAP_MODE_STREAMING:
2529 rfc.mode = L2CAP_MODE_STREAMING;
2530 rfc.txwin_size = 0;
2531 rfc.max_transmit = 0;
2532 rfc.retrans_timeout = 0;
2533 rfc.monitor_timeout = 0;
c74e560c 2534 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
d1daa091 2535 if (L2CAP_DEFAULT_MAX_PDU_SIZE > pi->conn->mtu - 10)
1c762159 2536 rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10);
65c7c491 2537
fcc203c3
GP		 2538 if (!(pi->conn->feat_mask & L2CAP_FEAT_FCS))
2539 break;
2540
2541 if (pi->fcs == L2CAP_FCS_NONE ||
2542 pi->conf_state & L2CAP_CONF_NO_FCS_RECV) {
2543 pi->fcs = L2CAP_FCS_NONE;
2544 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, pi->fcs);
2545 }
65c7c491
MH		 2546 break;
2547 }
1da177e4 2548
62547752
GP		 2549 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2550 (unsigned long) &rfc);
2551
1da177e4
LT		 2552 /* FIXME: Need actual value of the flush timeout */
2553 //if (flush_to != L2CAP_DEFAULT_FLUSH_TO)
2554 // l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, 2, pi->flush_to);
2555
aca3192c
YH		 2556 req->dcid = cpu_to_le16(pi->dcid);
2557 req->flags = cpu_to_le16(0);
1da177e4
LT		 2558
2559 return ptr - data;
2560}
2561
5dee9e7c 2562static int l2cap_parse_conf_req(struct sock *sk, void *data)
1da177e4
LT		 2563{
2564 struct l2cap_pinfo *pi = l2cap_pi(sk);
5dee9e7c
MH		 2565 struct l2cap_conf_rsp *rsp = data;
2566 void *ptr = rsp->data;
2567 void *req = pi->conf_req;
2568 int len = pi->conf_len;
2569 int type, hint, olen;
2570 unsigned long val;
6464f35f 2571 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
861d6882 2572 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 2573 u16 result = L2CAP_CONF_SUCCESS;
1da177e4 2574
5dee9e7c 2575 BT_DBG("sk %p", sk);
820ae1b8 2576
5dee9e7c
MH		 2577 while (len >= L2CAP_CONF_OPT_SIZE) {
2578 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 2579
589d2746 2580 hint = type & L2CAP_CONF_HINT;
47ec1dcd 2581 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 2582
2583 switch (type) {
2584 case L2CAP_CONF_MTU:
861d6882 2585 mtu = val;
5dee9e7c
MH		 2586 break;
2587
2588 case L2CAP_CONF_FLUSH_TO:
2589 pi->flush_to = val;
2590 break;
2591
2592 case L2CAP_CONF_QOS:
2593 break;
2594
6464f35f
MH		 2595 case L2CAP_CONF_RFC:
2596 if (olen == sizeof(rfc))
2597 memcpy(&rfc, (void *) val, olen);
2598 break;
2599
fcc203c3
GP		 2600 case L2CAP_CONF_FCS:
2601 if (val == L2CAP_FCS_NONE)
2602 pi->conf_state |= L2CAP_CONF_NO_FCS_RECV;
2603
2604 break;
2605
5dee9e7c
MH		 2606 default:
2607 if (hint)
2608 break;
2609
2610 result = L2CAP_CONF_UNKNOWN;
2611 *((u8 *) ptr++) = type;
2612 break;
2613 }
2614 }
2615
f2fcfcd6
GP		 2616 if (pi->num_conf_rsp || pi->num_conf_req)
2617 goto done;
2618
2619 switch (pi->mode) {
2620 case L2CAP_MODE_STREAMING:
2621 case L2CAP_MODE_ERTM:
85eb53c6
GP		 2622 if (!(pi->conf_state & L2CAP_CONF_STATE2_DEVICE)) {
2623 pi->mode = l2cap_select_mode(rfc.mode,
2624 pi->conn->feat_mask);
2625 break;
2626 }
2627
742e519b 2628 if (pi->mode != rfc.mode)
f2fcfcd6 2629 return -ECONNREFUSED;
742e519b 2630
f2fcfcd6 2631 break;
f2fcfcd6
GP		 2632 }
2633
2634done:
2635 if (pi->mode != rfc.mode) {
2636 result = L2CAP_CONF_UNACCEPT;
2637 rfc.mode = pi->mode;
2638
2639 if (pi->num_conf_rsp == 1)
2640 return -ECONNREFUSED;
2641
2642 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2643 sizeof(rfc), (unsigned long) &rfc);
2644 }
2645
2646
5dee9e7c
MH		 2647 if (result == L2CAP_CONF_SUCCESS) {
2648 /* Configure output options and let the other side know
2649 * which ones we don't like. */
2650
f2fcfcd6
GP		 2651 if (mtu < L2CAP_DEFAULT_MIN_MTU)
2652 result = L2CAP_CONF_UNACCEPT;
2653 else {
2654 pi->omtu = mtu;
2655 pi->conf_state |= L2CAP_CONF_MTU_DONE;
2656 }
2657 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->omtu);
6464f35f 2658
f2fcfcd6
GP		 2659 switch (rfc.mode) {
2660 case L2CAP_MODE_BASIC:
2661 pi->fcs = L2CAP_FCS_NONE;
2662 pi->conf_state |= L2CAP_CONF_MODE_DONE;
2663 break;
2664
2665 case L2CAP_MODE_ERTM:
2666 pi->remote_tx_win = rfc.txwin_size;
2667 pi->remote_max_tx = rfc.max_transmit;
1c762159
GP		 2668 if (rfc.max_pdu_size > pi->conn->mtu - 10)
2669 rfc.max_pdu_size = le16_to_cpu(pi->conn->mtu - 10);
2670
2671 pi->remote_mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6 2672
10467e9e
GP		 2673 rfc.retrans_timeout =
2674 le16_to_cpu(L2CAP_DEFAULT_RETRANS_TO);
2675 rfc.monitor_timeout =
2676 le16_to_cpu(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6
GP		 2677
2678 pi->conf_state |= L2CAP_CONF_MODE_DONE;
68ae6639
GP		 2679
2680 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2681 sizeof(rfc), (unsigned long) &rfc);
2682
f2fcfcd6
GP		 2683 break;
2684
2685 case L2CAP_MODE_STREAMING:
1c762159
GP		 2686 if (rfc.max_pdu_size > pi->conn->mtu - 10)
2687 rfc.max_pdu_size = le16_to_cpu(pi->conn->mtu - 10);
2688
2689 pi->remote_mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2690
2691 pi->conf_state |= L2CAP_CONF_MODE_DONE;
68ae6639
GP		 2692
2693 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2694 sizeof(rfc), (unsigned long) &rfc);
2695
f2fcfcd6
GP		 2696 break;
2697
2698 default:
5dee9e7c 2699 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 2700
6464f35f 2701 memset(&rfc, 0, sizeof(rfc));
f2fcfcd6
GP		 2702 rfc.mode = pi->mode;
2703 }
6464f35f 2704
f2fcfcd6
GP		 2705 if (result == L2CAP_CONF_SUCCESS)
2706 pi->conf_state |= L2CAP_CONF_OUTPUT_DONE;
2707 }
5dee9e7c
MH		 2708 rsp->scid = cpu_to_le16(pi->dcid);
2709 rsp->result = cpu_to_le16(result);
2710 rsp->flags = cpu_to_le16(0x0000);
2711
2712 return ptr - data;
1da177e4
LT		 2713}
2714
f2fcfcd6
GP		 2715static int l2cap_parse_conf_rsp(struct sock *sk, void *rsp, int len, void *data, u16 *result)
2716{
2717 struct l2cap_pinfo *pi = l2cap_pi(sk);
2718 struct l2cap_conf_req *req = data;
2719 void *ptr = req->data;
2720 int type, olen;
2721 unsigned long val;
2722 struct l2cap_conf_rfc rfc;
2723
2724 BT_DBG("sk %p, rsp %p, len %d, req %p", sk, rsp, len, data);
2725
2726 while (len >= L2CAP_CONF_OPT_SIZE) {
2727 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2728
2729 switch (type) {
2730 case L2CAP_CONF_MTU:
2731 if (val < L2CAP_DEFAULT_MIN_MTU) {
2732 *result = L2CAP_CONF_UNACCEPT;
2733 pi->omtu = L2CAP_DEFAULT_MIN_MTU;
2734 } else
2735 pi->omtu = val;
2736 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->omtu);
2737 break;
2738
2739 case L2CAP_CONF_FLUSH_TO:
2740 pi->flush_to = val;
2741 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
2742 2, pi->flush_to);
2743 break;
2744
2745 case L2CAP_CONF_RFC:
2746 if (olen == sizeof(rfc))
2747 memcpy(&rfc, (void *)val, olen);
2748
2749 if ((pi->conf_state & L2CAP_CONF_STATE2_DEVICE) &&
2750 rfc.mode != pi->mode)
2751 return -ECONNREFUSED;
2752
f2fcfcd6
GP		 2753 pi->fcs = 0;
2754
2755 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2756 sizeof(rfc), (unsigned long) &rfc);
2757 break;
2758 }
2759 }
2760
6c2ea7a8
GP		 2761 if (pi->mode == L2CAP_MODE_BASIC && pi->mode != rfc.mode)
2762 return -ECONNREFUSED;
2763
2764 pi->mode = rfc.mode;
2765
f2fcfcd6
GP		 2766 if (*result == L2CAP_CONF_SUCCESS) {
2767 switch (rfc.mode) {
2768 case L2CAP_MODE_ERTM:
2769 pi->remote_tx_win = rfc.txwin_size;
10467e9e
GP		 2770 pi->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2771 pi->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
1c762159 2772 pi->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2773 break;
2774 case L2CAP_MODE_STREAMING:
1c762159 2775 pi->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2776 }
2777 }
2778
2779 req->dcid = cpu_to_le16(pi->dcid);
2780 req->flags = cpu_to_le16(0x0000);
2781
2782 return ptr - data;
2783}
2784
5dee9e7c 2785static int l2cap_build_conf_rsp(struct sock *sk, void *data, u16 result, u16 flags)
1da177e4
LT		 2786{
2787 struct l2cap_conf_rsp *rsp = data;
2788 void *ptr = rsp->data;
1da177e4 2789
5dee9e7c 2790 BT_DBG("sk %p", sk);
1da177e4 2791
aca3192c 2792 rsp->scid = cpu_to_le16(l2cap_pi(sk)->dcid);
5dee9e7c 2793 rsp->result = cpu_to_le16(result);
aca3192c 2794 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 2795
2796 return ptr - data;
2797}
2798
7b1c0049
GP		 2799static void l2cap_conf_rfc_get(struct sock *sk, void *rsp, int len)
2800{
2801 struct l2cap_pinfo *pi = l2cap_pi(sk);
2802 int type, olen;
2803 unsigned long val;
2804 struct l2cap_conf_rfc rfc;
2805
2806 BT_DBG("sk %p, rsp %p, len %d", sk, rsp, len);
2807
2808 if ((pi->mode != L2CAP_MODE_ERTM) && (pi->mode != L2CAP_MODE_STREAMING))
2809 return;
2810
2811 while (len >= L2CAP_CONF_OPT_SIZE) {
2812 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2813
2814 switch (type) {
2815 case L2CAP_CONF_RFC:
2816 if (olen == sizeof(rfc))
2817 memcpy(&rfc, (void *)val, olen);
2818 goto done;
2819 }
2820 }
2821
2822done:
2823 switch (rfc.mode) {
2824 case L2CAP_MODE_ERTM:
2825 pi->remote_tx_win = rfc.txwin_size;
10467e9e
GP		 2826 pi->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2827 pi->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
7b1c0049
GP		 2828 pi->mps = le16_to_cpu(rfc.max_pdu_size);
2829 break;
2830 case L2CAP_MODE_STREAMING:
2831 pi->mps = le16_to_cpu(rfc.max_pdu_size);
2832 }
2833}
2834
4e8402a3
MH		 2835static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2836{
2837 struct l2cap_cmd_rej *rej = (struct l2cap_cmd_rej *) data;
2838
2839 if (rej->reason != 0x0000)
2840 return 0;
2841
2842 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2843 cmd->ident == conn->info_ident) {
4e8402a3 2844 del_timer(&conn->info_timer);
984947dc
MH		 2845
2846 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2847 conn->info_ident = 0;
984947dc 2848
4e8402a3
MH		 2849 l2cap_conn_start(conn);
2850 }
2851
2852 return 0;
2853}
2854
1da177e4
LT		 2855static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2856{
2857 struct l2cap_chan_list *list = &conn->chan_list;
2858 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
2859 struct l2cap_conn_rsp rsp;
2860 struct sock *sk, *parent;
e7c29cb1 2861 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2862
2863 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 2864 __le16 psm = req->psm;
1da177e4
LT		 2865
2866 BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
2867
2868 /* Check if we have socket listening on psm */
2869 parent = l2cap_get_sock_by_psm(BT_LISTEN, psm, conn->src);
2870 if (!parent) {
2871 result = L2CAP_CR_BAD_PSM;
2872 goto sendresp;
2873 }
2874
e7c29cb1
MH		 2875 /* Check if the ACL is secure enough (if not SDP) */
2876 if (psm != cpu_to_le16(0x0001) &&
2877 !hci_conn_check_link_mode(conn->hcon)) {
2950f21a 2878 conn->disc_reason = 0x05;
e7c29cb1
MH		 2879 result = L2CAP_CR_SEC_BLOCK;
2880 goto response;
2881 }
2882
1da177e4
LT		 2883 result = L2CAP_CR_NO_MEM;
2884
2885 /* Check for backlog size */
2886 if (sk_acceptq_is_full(parent)) {
8e87d142 2887 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1da177e4
LT		 2888 goto response;
2889 }
2890
3b1e0a65 2891 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP, GFP_ATOMIC);
1da177e4
LT		 2892 if (!sk)
2893 goto response;
2894
fd1278d7 2895 write_lock_bh(&list->lock);
1da177e4
LT		 2896
2897 /* Check if we already have channel with that dcid */
2898 if (__l2cap_get_chan_by_dcid(list, scid)) {
fd1278d7 2899 write_unlock_bh(&list->lock);
1da177e4
LT		 2900 sock_set_flag(sk, SOCK_ZAPPED);
2901 l2cap_sock_kill(sk);
2902 goto response;
2903 }
2904
2905 hci_conn_hold(conn->hcon);
2906
2907 l2cap_sock_init(sk, parent);
2908 bacpy(&bt_sk(sk)->src, conn->src);
2909 bacpy(&bt_sk(sk)->dst, conn->dst);
2910 l2cap_pi(sk)->psm = psm;
2911 l2cap_pi(sk)->dcid = scid;
2912
2913 __l2cap_chan_add(conn, sk, parent);
2914 dcid = l2cap_pi(sk)->scid;
2915
2916 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
2917
1da177e4
LT		 2918 l2cap_pi(sk)->ident = cmd->ident;
2919
984947dc 2920 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
2af6b9d5 2921 if (l2cap_check_security(sk)) {
f66dc81f
MH		 2922 if (bt_sk(sk)->defer_setup) {
2923 sk->sk_state = BT_CONNECT2;
2924 result = L2CAP_CR_PEND;
2925 status = L2CAP_CS_AUTHOR_PEND;
2926 parent->sk_data_ready(parent, 0);
2927 } else {
2928 sk->sk_state = BT_CONFIG;
2929 result = L2CAP_CR_SUCCESS;
2930 status = L2CAP_CS_NO_INFO;
2931 }
79d554a6
MH		 2932 } else {
2933 sk->sk_state = BT_CONNECT2;
2934 result = L2CAP_CR_PEND;
2935 status = L2CAP_CS_AUTHEN_PEND;
2936 }
2937 } else {
2938 sk->sk_state = BT_CONNECT2;
2939 result = L2CAP_CR_PEND;
2940 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2941 }
2942
fd1278d7 2943 write_unlock_bh(&list->lock);
1da177e4
LT		 2944
2945response:
2946 bh_unlock_sock(parent);
2947
2948sendresp:
aca3192c
YH		 2949 rsp.scid = cpu_to_le16(scid);
2950 rsp.dcid = cpu_to_le16(dcid);
2951 rsp.result = cpu_to_le16(result);
2952 rsp.status = cpu_to_le16(status);
1da177e4 2953 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 2954
2955 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
2956 struct l2cap_info_req info;
2957 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2958
2959 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
2960 conn->info_ident = l2cap_get_ident(conn);
2961
2962 mod_timer(&conn->info_timer, jiffies +
2963 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
2964
2965 l2cap_send_cmd(conn, conn->info_ident,
2966 L2CAP_INFO_REQ, sizeof(info), &info);
2967 }
2968
1da177e4
LT		 2969 return 0;
2970}
2971
2972static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2973{
2974 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
2975 u16 scid, dcid, result, status;
2976 struct sock *sk;
2977 u8 req[128];
2978
2979 scid = __le16_to_cpu(rsp->scid);
2980 dcid = __le16_to_cpu(rsp->dcid);
2981 result = __le16_to_cpu(rsp->result);
2982 status = __le16_to_cpu(rsp->status);
2983
2984 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status);
2985
2986 if (scid) {
af05b30b
GP		 2987 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
2988 if (!sk)
1da177e4
LT		 2989 return 0;
2990 } else {
af05b30b
GP		 2991 sk = l2cap_get_chan_by_ident(&conn->chan_list, cmd->ident);
2992 if (!sk)
1da177e4
LT		 2993 return 0;
2994 }
2995
2996 switch (result) {
2997 case L2CAP_CR_SUCCESS:
2998 sk->sk_state = BT_CONFIG;
2999 l2cap_pi(sk)->ident = 0;
3000 l2cap_pi(sk)->dcid = dcid;
3001 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
6a8d3010
MH		 3002 l2cap_pi(sk)->conf_state &= ~L2CAP_CONF_CONNECT_PEND;
3003
1da177e4
LT		 3004 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3005 l2cap_build_conf_req(sk, req), req);
f2fcfcd6 3006 l2cap_pi(sk)->num_conf_req++;
1da177e4
LT		 3007 break;
3008
3009 case L2CAP_CR_PEND:
6a8d3010 3010 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
1da177e4
LT		 3011 break;
3012
3013 default:
3014 l2cap_chan_del(sk, ECONNREFUSED);
3015 break;
3016 }
3017
3018 bh_unlock_sock(sk);
3019 return 0;
3020}
3021
88219a0f 3022static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 3023{
3024 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
3025 u16 dcid, flags;
3026 u8 rsp[64];
3027 struct sock *sk;
5dee9e7c 3028 int len;
1da177e4
LT		 3029
3030 dcid = __le16_to_cpu(req->dcid);
3031 flags = __le16_to_cpu(req->flags);
3032
3033 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
3034
af05b30b
GP		 3035 sk = l2cap_get_chan_by_scid(&conn->chan_list, dcid);
3036 if (!sk)
1da177e4
LT		 3037 return -ENOENT;
3038
8cb8e6f1
GP		 3039 if (sk->sk_state != BT_CONFIG) {
3040 struct l2cap_cmd_rej rej;
3041
3042 rej.reason = cpu_to_le16(0x0002);
3043 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
3044 sizeof(rej), &rej);
354f60a9 3045 goto unlock;
8cb8e6f1 3046 }
354f60a9 3047
5dee9e7c 3048 /* Reject if config buffer is too small. */
88219a0f 3049 len = cmd_len - sizeof(*req);
5dee9e7c
MH		 3050 if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
3051 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3052 l2cap_build_conf_rsp(sk, rsp,
3053 L2CAP_CONF_REJECT, flags), rsp);
3054 goto unlock;
3055 }
3056
3057 /* Store config. */
3058 memcpy(l2cap_pi(sk)->conf_req + l2cap_pi(sk)->conf_len, req->data, len);
3059 l2cap_pi(sk)->conf_len += len;
1da177e4
LT		 3060
3061 if (flags & 0x0001) {
3062 /* Incomplete config. Send empty response. */
3063 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
5dee9e7c
MH		 3064 l2cap_build_conf_rsp(sk, rsp,
3065 L2CAP_CONF_SUCCESS, 0x0001), rsp);
1da177e4
LT		 3066 goto unlock;
3067 }
3068
3069 /* Complete config. */
5dee9e7c 3070 len = l2cap_parse_conf_req(sk, rsp);
f2fcfcd6 3071 if (len < 0) {
9b108fc0 3072 l2cap_send_disconn_req(conn, sk, ECONNRESET);
1da177e4 3073 goto unlock;
f2fcfcd6 3074 }
1da177e4 3075
5dee9e7c 3076 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
f2fcfcd6 3077 l2cap_pi(sk)->num_conf_rsp++;
5dee9e7c 3078
5dee9e7c
MH		 3079 /* Reset config buffer. */
3080 l2cap_pi(sk)->conf_len = 0;
3081
876d9484
MH		 3082 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE))
3083 goto unlock;
3084
1da177e4 3085 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_INPUT_DONE) {
f64f9e71
JP		 3086 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_NO_FCS_RECV) ||
3087 l2cap_pi(sk)->fcs != L2CAP_FCS_NONE)
fcc203c3
GP		 3088 l2cap_pi(sk)->fcs = L2CAP_FCS_CRC16;
3089
1da177e4 3090 sk->sk_state = BT_CONNECTED;
e90bac06 3091
0565c1c2
GP		 3092 l2cap_pi(sk)->next_tx_seq = 0;
3093 l2cap_pi(sk)->expected_tx_seq = 0;
1c2acffb 3094 __skb_queue_head_init(TX_QUEUE(sk));
0565c1c2
GP		 3095 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM)
3096 l2cap_ertm_init(sk);
3097
1da177e4 3098 l2cap_chan_ready(sk);
876d9484
MH		 3099 goto unlock;
3100 }
3101
3102 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT)) {
79d554a6 3103 u8 buf[64];
1da177e4 3104 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
79d554a6 3105 l2cap_build_conf_req(sk, buf), buf);
f2fcfcd6 3106 l2cap_pi(sk)->num_conf_req++;
1da177e4
LT		 3107 }
3108
3109unlock:
3110 bh_unlock_sock(sk);
3111 return 0;
3112}
3113
3114static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3115{
3116 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
3117 u16 scid, flags, result;
3118 struct sock *sk;
7b1c0049 3119 int len = cmd->len - sizeof(*rsp);
1da177e4
LT		 3120
3121 scid = __le16_to_cpu(rsp->scid);
3122 flags = __le16_to_cpu(rsp->flags);
3123 result = __le16_to_cpu(rsp->result);
3124
af05b30b
GP		 3125 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x",
3126 scid, flags, result);
1da177e4 3127
af05b30b
GP		 3128 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
3129 if (!sk)
1da177e4
LT		 3130 return 0;
3131
3132 switch (result) {
3133 case L2CAP_CONF_SUCCESS:
7b1c0049 3134 l2cap_conf_rfc_get(sk, rsp->data, len);
1da177e4
LT		 3135 break;
3136
3137 case L2CAP_CONF_UNACCEPT:
f2fcfcd6 3138 if (l2cap_pi(sk)->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 3139 char req[64];
3140
c2c77ec8 3141 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
9b108fc0 3142 l2cap_send_disconn_req(conn, sk, ECONNRESET);
c2c77ec8
AE		 3143 goto done;
3144 }
3145
f2fcfcd6
GP		 3146 /* throw out any old stored conf requests */
3147 result = L2CAP_CONF_SUCCESS;
3148 len = l2cap_parse_conf_rsp(sk, rsp->data,
3149 len, req, &result);
3150 if (len < 0) {
9b108fc0 3151 l2cap_send_disconn_req(conn, sk, ECONNRESET);
f2fcfcd6
GP		 3152 goto done;
3153 }
3154
3155 l2cap_send_cmd(conn, l2cap_get_ident(conn),
3156 L2CAP_CONF_REQ, len, req);
3157 l2cap_pi(sk)->num_conf_req++;
3158 if (result != L2CAP_CONF_SUCCESS)
3159 goto done;
3160 break;
1da177e4
LT		 3161 }
3162
8e87d142 3163 default:
b1235d79 3164 sk->sk_err = ECONNRESET;
1da177e4 3165 l2cap_sock_set_timer(sk, HZ * 5);
9b108fc0 3166 l2cap_send_disconn_req(conn, sk, ECONNRESET);
1da177e4
LT		 3167 goto done;
3168 }
3169
3170 if (flags & 0x01)
3171 goto done;
3172
1da177e4
LT		 3173 l2cap_pi(sk)->conf_state |= L2CAP_CONF_INPUT_DONE;
3174
3175 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE) {
f64f9e71
JP		 3176 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_NO_FCS_RECV) ||
3177 l2cap_pi(sk)->fcs != L2CAP_FCS_NONE)
fcc203c3
GP		 3178 l2cap_pi(sk)->fcs = L2CAP_FCS_CRC16;
3179
1da177e4 3180 sk->sk_state = BT_CONNECTED;
0565c1c2 3181 l2cap_pi(sk)->next_tx_seq = 0;
1c2acffb 3182 l2cap_pi(sk)->expected_tx_seq = 0;
1c2acffb 3183 __skb_queue_head_init(TX_QUEUE(sk));
0565c1c2
GP		 3184 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM)
3185 l2cap_ertm_init(sk);
3186
1da177e4
LT		 3187 l2cap_chan_ready(sk);
3188 }
3189
3190done:
3191 bh_unlock_sock(sk);
3192 return 0;
3193}
3194
3195static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3196{
3197 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
3198 struct l2cap_disconn_rsp rsp;
3199 u16 dcid, scid;
3200 struct sock *sk;
3201
3202 scid = __le16_to_cpu(req->scid);
3203 dcid = __le16_to_cpu(req->dcid);
3204
3205 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
3206
af05b30b
GP		 3207 sk = l2cap_get_chan_by_scid(&conn->chan_list, dcid);
3208 if (!sk)
1da177e4
LT		 3209 return 0;
3210
aca3192c
YH		 3211 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
3212 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
1da177e4
LT		 3213 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
3214
3215 sk->sk_shutdown = SHUTDOWN_MASK;
3216
3217 l2cap_chan_del(sk, ECONNRESET);
3218 bh_unlock_sock(sk);
3219
3220 l2cap_sock_kill(sk);
3221 return 0;
3222}
3223
3224static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3225{
3226 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
3227 u16 dcid, scid;
3228 struct sock *sk;
3229
3230 scid = __le16_to_cpu(rsp->scid);
3231 dcid = __le16_to_cpu(rsp->dcid);
3232
3233 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
3234
af05b30b
GP		 3235 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
3236 if (!sk)
1da177e4
LT		 3237 return 0;
3238
3239 l2cap_chan_del(sk, 0);
3240 bh_unlock_sock(sk);
3241
3242 l2cap_sock_kill(sk);
3243 return 0;
3244}
3245
3246static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3247{
3248 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 3249 u16 type;
3250
3251 type = __le16_to_cpu(req->type);
3252
3253 BT_DBG("type 0x%4.4x", type);
3254
f0709e03
MH		 3255 if (type == L2CAP_IT_FEAT_MASK) {
3256 u8 buf[8];
44dd46de 3257 u32 feat_mask = l2cap_feat_mask;
f0709e03
MH		 3258 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
3259 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3260 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
44dd46de 3261 if (enable_ertm)
fcc203c3
GP		 3262 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
3263 | L2CAP_FEAT_FCS;
1b7bf4ed 3264 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 3265 l2cap_send_cmd(conn, cmd->ident,
3266 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 3267 } else if (type == L2CAP_IT_FIXED_CHAN) {
3268 u8 buf[12];
3269 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
3270 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3271 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
3272 memcpy(buf + 4, l2cap_fixed_chan, 8);
3273 l2cap_send_cmd(conn, cmd->ident,
3274 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 3275 } else {
3276 struct l2cap_info_rsp rsp;
3277 rsp.type = cpu_to_le16(type);
3278 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
3279 l2cap_send_cmd(conn, cmd->ident,
3280 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
3281 }
1da177e4
LT		 3282
3283 return 0;
3284}
3285
3286static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3287{
3288 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
3289 u16 type, result;
3290
3291 type = __le16_to_cpu(rsp->type);
3292 result = __le16_to_cpu(rsp->result);
3293
3294 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
3295
4e8402a3
MH		 3296 del_timer(&conn->info_timer);
3297
984947dc 3298 if (type == L2CAP_IT_FEAT_MASK) {
83985319 3299 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 3300
47ec1dcd 3301 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c
MH		 3302 struct l2cap_info_req req;
3303 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3304
3305 conn->info_ident = l2cap_get_ident(conn);
3306
3307 l2cap_send_cmd(conn, conn->info_ident,
3308 L2CAP_INFO_REQ, sizeof(req), &req);
3309 } else {
3310 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3311 conn->info_ident = 0;
3312
3313 l2cap_conn_start(conn);
3314 }
3315 } else if (type == L2CAP_IT_FIXED_CHAN) {
984947dc 3316 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3317 conn->info_ident = 0;
984947dc
MH		 3318
3319 l2cap_conn_start(conn);
3320 }
4e8402a3 3321
1da177e4
LT		 3322 return 0;
3323}
3324
3325static inline void l2cap_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb)
3326{
3327 u8 *data = skb->data;
3328 int len = skb->len;
3329 struct l2cap_cmd_hdr cmd;
3330 int err = 0;
3331
3332 l2cap_raw_recv(conn, skb);
3333
3334 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 3335 u16 cmd_len;
1da177e4
LT		 3336 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
3337 data += L2CAP_CMD_HDR_SIZE;
3338 len -= L2CAP_CMD_HDR_SIZE;
3339
88219a0f 3340 cmd_len = le16_to_cpu(cmd.len);
1da177e4 3341
88219a0f 3342 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 3343
88219a0f 3344 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 3345 BT_DBG("corrupted command");
3346 break;
3347 }
3348
3349 switch (cmd.code) {
3350 case L2CAP_COMMAND_REJ:
4e8402a3 3351 l2cap_command_rej(conn, &cmd, data);
1da177e4
LT		 3352 break;
3353
3354 case L2CAP_CONN_REQ:
3355 err = l2cap_connect_req(conn, &cmd, data);
3356 break;
3357
3358 case L2CAP_CONN_RSP:
3359 err = l2cap_connect_rsp(conn, &cmd, data);
3360 break;
3361
3362 case L2CAP_CONF_REQ:
88219a0f 3363 err = l2cap_config_req(conn, &cmd, cmd_len, data);
1da177e4
LT		 3364 break;
3365
3366 case L2CAP_CONF_RSP:
3367 err = l2cap_config_rsp(conn, &cmd, data);
3368 break;
3369
3370 case L2CAP_DISCONN_REQ:
3371 err = l2cap_disconnect_req(conn, &cmd, data);
3372 break;
3373
3374 case L2CAP_DISCONN_RSP:
3375 err = l2cap_disconnect_rsp(conn, &cmd, data);
3376 break;
3377
3378 case L2CAP_ECHO_REQ:
88219a0f 3379 l2cap_send_cmd(conn, cmd.ident, L2CAP_ECHO_RSP, cmd_len, data);
1da177e4
LT		 3380 break;
3381
3382 case L2CAP_ECHO_RSP:
3383 break;
3384
3385 case L2CAP_INFO_REQ:
3386 err = l2cap_information_req(conn, &cmd, data);
3387 break;
3388
3389 case L2CAP_INFO_RSP:
3390 err = l2cap_information_rsp(conn, &cmd, data);
3391 break;
3392
3393 default:
3394 BT_ERR("Unknown signaling command 0x%2.2x", cmd.code);
3395 err = -EINVAL;
3396 break;
3397 }
3398
3399 if (err) {
3400 struct l2cap_cmd_rej rej;
3401 BT_DBG("error %d", err);
3402
3403 /* FIXME: Map err to a valid reason */
aca3192c 3404 rej.reason = cpu_to_le16(0);
1da177e4
LT		 3405 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3406 }
3407
88219a0f
AV		 3408 data += cmd_len;
3409 len -= cmd_len;
1da177e4
LT		 3410 }
3411
3412 kfree_skb(skb);
3413}
3414
fcc203c3
GP		 3415static int l2cap_check_fcs(struct l2cap_pinfo *pi, struct sk_buff *skb)
3416{
3417 u16 our_fcs, rcv_fcs;
3418 int hdr_size = L2CAP_HDR_SIZE + 2;
3419
3420 if (pi->fcs == L2CAP_FCS_CRC16) {
3421 skb_trim(skb, skb->len - 2);
3422 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
3423 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
3424
3425 if (our_fcs != rcv_fcs)
3426 return -EINVAL;
3427 }
3428 return 0;
3429}
3430
d5392c8f
GP		 3431static inline void l2cap_send_i_or_rr_or_rnr(struct sock *sk)
3432{
3433 struct l2cap_pinfo *pi = l2cap_pi(sk);
3434 u16 control = 0;
3435
3436 pi->frames_sent = 0;
d5392c8f
GP		 3437
3438 control |= pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3439
3440 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) {
64988868 3441 control |= L2CAP_SUPER_RCV_NOT_READY;
d5392c8f 3442 l2cap_send_sframe(pi, control);
1890d36b 3443 pi->conn_state |= L2CAP_CONN_RNR_SENT;
d5392c8f
GP		 3444 }
3445
4ea727ef
GP		 3446 if (pi->conn_state & L2CAP_CONN_REMOTE_BUSY)
3447 l2cap_retransmit_frames(sk);
d5392c8f
GP		 3448
3449 l2cap_ertm_send(sk);
3450
3451 if (!(pi->conn_state & L2CAP_CONN_LOCAL_BUSY) &&
3452 pi->frames_sent == 0) {
3453 control |= L2CAP_SUPER_RCV_READY;
d5392c8f
GP		 3454 l2cap_send_sframe(pi, control);
3455 }
3456}
3457
9b53350d 3458static int l2cap_add_to_srej_queue(struct sock *sk, struct sk_buff *skb, u8 tx_seq, u8 sar)
8f17154f
GP		 3459{
3460 struct sk_buff *next_skb;
bfbacc11
JPRV		 3461 struct l2cap_pinfo *pi = l2cap_pi(sk);
3462 int tx_seq_offset, next_tx_seq_offset;
8f17154f
GP		 3463
3464 bt_cb(skb)->tx_seq = tx_seq;
3465 bt_cb(skb)->sar = sar;
3466
3467 next_skb = skb_peek(SREJ_QUEUE(sk));
3468 if (!next_skb) {
3469 __skb_queue_tail(SREJ_QUEUE(sk), skb);
9b53350d 3470 return 0;
8f17154f
GP		 3471 }
3472
bfbacc11
JPRV		 3473 tx_seq_offset = (tx_seq - pi->buffer_seq) % 64;
3474 if (tx_seq_offset < 0)
3475 tx_seq_offset += 64;
3476
8f17154f 3477 do {
9b53350d
JPRV		 3478 if (bt_cb(next_skb)->tx_seq == tx_seq)
3479 return -EINVAL;
3480
bfbacc11
JPRV		 3481 next_tx_seq_offset = (bt_cb(next_skb)->tx_seq -
3482 pi->buffer_seq) % 64;
3483 if (next_tx_seq_offset < 0)
3484 next_tx_seq_offset += 64;
3485
3486 if (next_tx_seq_offset > tx_seq_offset) {
8f17154f 3487 __skb_queue_before(SREJ_QUEUE(sk), next_skb, skb);
9b53350d 3488 return 0;
8f17154f
GP		 3489 }
3490
3491 if (skb_queue_is_last(SREJ_QUEUE(sk), next_skb))
3492 break;
3493
59203a21 3494 } while ((next_skb = skb_queue_next(SREJ_QUEUE(sk), next_skb)));
8f17154f
GP		 3495
3496 __skb_queue_tail(SREJ_QUEUE(sk), skb);
9b53350d
JPRV		 3497
3498 return 0;
8f17154f
GP		 3499}
3500
18778a63
GP		 3501static int l2cap_ertm_reassembly_sdu(struct sock *sk, struct sk_buff *skb, u16 control)
3502{
3503 struct l2cap_pinfo *pi = l2cap_pi(sk);
3504 struct sk_buff *_skb;
1890d36b 3505 int err;
18778a63
GP		 3506
3507 switch (control & L2CAP_CTRL_SAR) {
3508 case L2CAP_SDU_UNSEGMENTED:
3509 if (pi->conn_state & L2CAP_CONN_SAR_SDU)
3510 goto drop;
3511
3512 err = sock_queue_rcv_skb(sk, skb);
3513 if (!err)
3514 return err;
3515
3516 break;
3517
3518 case L2CAP_SDU_START:
3519 if (pi->conn_state & L2CAP_CONN_SAR_SDU)
3520 goto drop;
3521
3522 pi->sdu_len = get_unaligned_le16(skb->data);
18778a63
GP		 3523
3524 if (pi->sdu_len > pi->imtu)
3525 goto disconnect;
3526
3527 pi->sdu = bt_skb_alloc(pi->sdu_len, GFP_ATOMIC);
1890d36b
GP		 3528 if (!pi->sdu)
3529 return -ENOMEM;
3530
3531 /* pull sdu_len bytes only after alloc, because of Local Busy
3532 * condition we have to be sure that this will be executed
3533 * only once, i.e., when alloc does not fail */
3534 skb_pull(skb, 2);
18778a63
GP		 3535
3536 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3537
3538 pi->conn_state |= L2CAP_CONN_SAR_SDU;
3539 pi->partial_sdu_len = skb->len;
3540 break;
3541
3542 case L2CAP_SDU_CONTINUE:
3543 if (!(pi->conn_state & L2CAP_CONN_SAR_SDU))
3544 goto disconnect;
3545
3546 if (!pi->sdu)
3547 goto disconnect;
3548
18778a63
GP		 3549 pi->partial_sdu_len += skb->len;
3550 if (pi->partial_sdu_len > pi->sdu_len)
3551 goto drop;
3552
4178ba46
GP		 3553 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3554
18778a63
GP		 3555 break;
3556
3557 case L2CAP_SDU_END:
3558 if (!(pi->conn_state & L2CAP_CONN_SAR_SDU))
3559 goto disconnect;
3560
3561 if (!pi->sdu)
3562 goto disconnect;
3563
1890d36b 3564 if (!(pi->conn_state & L2CAP_CONN_SAR_RETRY)) {
1890d36b 3565 pi->partial_sdu_len += skb->len;
18778a63 3566
1890d36b
GP		 3567 if (pi->partial_sdu_len > pi->imtu)
3568 goto drop;
18778a63 3569
1890d36b
GP		 3570 if (pi->partial_sdu_len != pi->sdu_len)
3571 goto drop;
4178ba46
GP		 3572
3573 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
1890d36b 3574 }
18778a63
GP		 3575
3576 _skb = skb_clone(pi->sdu, GFP_ATOMIC);
1890d36b
GP		 3577 if (!_skb) {
3578 pi->conn_state |= L2CAP_CONN_SAR_RETRY;
3579 return -ENOMEM;
3580 }
3581
18778a63 3582 err = sock_queue_rcv_skb(sk, _skb);
1890d36b 3583 if (err < 0) {
18778a63 3584 kfree_skb(_skb);
1890d36b
GP		 3585 pi->conn_state |= L2CAP_CONN_SAR_RETRY;
3586 return err;
3587 }
3588
3589 pi->conn_state &= ~L2CAP_CONN_SAR_RETRY;
3590 pi->conn_state &= ~L2CAP_CONN_SAR_SDU;
18778a63
GP		 3591
3592 kfree_skb(pi->sdu);
3593 break;
3594 }
3595
3596 kfree_skb(skb);
1890d36b 3597 return 0;
18778a63
GP		 3598
3599drop:
3600 kfree_skb(pi->sdu);
3601 pi->sdu = NULL;
3602
3603disconnect:
9b108fc0 3604 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
18778a63
GP		 3605 kfree_skb(skb);
3606 return 0;
3607}
3608
1890d36b
GP		 3609static void l2cap_busy_work(struct work_struct *work)
3610{
3611 DECLARE_WAITQUEUE(wait, current);
3612 struct l2cap_pinfo *pi =
3613 container_of(work, struct l2cap_pinfo, busy_work);
3614 struct sock *sk = (struct sock *)pi;
3615 int n_tries = 0, timeo = HZ/5, err;
3616 struct sk_buff *skb;
3617 u16 control;
3618
3619 lock_sock(sk);
3620
2b0b05dd 3621 add_wait_queue(sk_sleep(sk), &wait);
1890d36b
GP		 3622 while ((skb = skb_peek(BUSY_QUEUE(sk)))) {
3623 set_current_state(TASK_INTERRUPTIBLE);
3624
3625 if (n_tries++ > L2CAP_LOCAL_BUSY_TRIES) {
3626 err = -EBUSY;
9b108fc0 3627 l2cap_send_disconn_req(pi->conn, sk, EBUSY);
1890d36b
GP		 3628 goto done;
3629 }
3630
3631 if (!timeo)
3632 timeo = HZ/5;
3633
3634 if (signal_pending(current)) {
3635 err = sock_intr_errno(timeo);
3636 goto done;
3637 }
3638
3639 release_sock(sk);
3640 timeo = schedule_timeout(timeo);
3641 lock_sock(sk);
3642
3643 err = sock_error(sk);
3644 if (err)
3645 goto done;
3646
3647 while ((skb = skb_dequeue(BUSY_QUEUE(sk)))) {
3648 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
3649 err = l2cap_ertm_reassembly_sdu(sk, skb, control);
3650 if (err < 0) {
3651 skb_queue_head(BUSY_QUEUE(sk), skb);
3652 break;
3653 }
3654
3655 pi->buffer_seq = (pi->buffer_seq + 1) % 64;
3656 }
3657
3658 if (!skb)
3659 break;
3660 }
3661
3662 if (!(pi->conn_state & L2CAP_CONN_RNR_SENT))
3663 goto done;
3664
3665 control = pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3666 control |= L2CAP_SUPER_RCV_READY | L2CAP_CTRL_POLL;
3667 l2cap_send_sframe(pi, control);
3668 l2cap_pi(sk)->retry_count = 1;
3669
3670 del_timer(&pi->retrans_timer);
3671 __mod_monitor_timer();
3672
3673 l2cap_pi(sk)->conn_state |= L2CAP_CONN_WAIT_F;
3674
3675done:
3676 pi->conn_state &= ~L2CAP_CONN_LOCAL_BUSY;
3677 pi->conn_state &= ~L2CAP_CONN_RNR_SENT;
3678
0e98958d
GP		 3679 BT_DBG("sk %p, Exit local busy", sk);
3680
1890d36b 3681 set_current_state(TASK_RUNNING);
2b0b05dd 3682 remove_wait_queue(sk_sleep(sk), &wait);
1890d36b
GP		 3683
3684 release_sock(sk);
3685}
3686
3687static int l2cap_push_rx_skb(struct sock *sk, struct sk_buff *skb, u16 control)
3688{
3689 struct l2cap_pinfo *pi = l2cap_pi(sk);
3690 int sctrl, err;
3691
3692 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) {
3693 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
3694 __skb_queue_tail(BUSY_QUEUE(sk), skb);
3695 return -EBUSY;
3696 }
3697
3698 err = l2cap_ertm_reassembly_sdu(sk, skb, control);
3699 if (err >= 0) {
3700 pi->buffer_seq = (pi->buffer_seq + 1) % 64;
3701 return err;
3702 }
3703
3704 /* Busy Condition */
0e98958d
GP		 3705 BT_DBG("sk %p, Enter local busy", sk);
3706
1890d36b
GP		 3707 pi->conn_state |= L2CAP_CONN_LOCAL_BUSY;
3708 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
3709 __skb_queue_tail(BUSY_QUEUE(sk), skb);
3710
3711 sctrl = pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3712 sctrl |= L2CAP_SUPER_RCV_NOT_READY;
3713 l2cap_send_sframe(pi, sctrl);
3714
3715 pi->conn_state |= L2CAP_CONN_RNR_SENT;
3716
7fe9b298
GP		 3717 del_timer(&pi->ack_timer);
3718
1890d36b
GP		 3719 queue_work(_busy_wq, &pi->busy_work);
3720
3721 return err;
3722}
3723
18778a63 3724static int l2cap_streaming_reassembly_sdu(struct sock *sk, struct sk_buff *skb, u16 control)
c74e560c
GP		 3725{
3726 struct l2cap_pinfo *pi = l2cap_pi(sk);
3727 struct sk_buff *_skb;
3728 int err = -EINVAL;
3729
18778a63
GP		 3730 /*
3731 * TODO: We have to notify the userland if some data is lost with the
3732 * Streaming Mode.
3733 */
3734
c74e560c
GP		 3735 switch (control & L2CAP_CTRL_SAR) {
3736 case L2CAP_SDU_UNSEGMENTED:
3737 if (pi->conn_state & L2CAP_CONN_SAR_SDU) {
3738 kfree_skb(pi->sdu);
3739 break;
3740 }
3741
3742 err = sock_queue_rcv_skb(sk, skb);
3743 if (!err)
3744 return 0;
3745
3746 break;
3747
3748 case L2CAP_SDU_START:
3749 if (pi->conn_state & L2CAP_CONN_SAR_SDU) {
3750 kfree_skb(pi->sdu);
3751 break;
3752 }
3753
3754 pi->sdu_len = get_unaligned_le16(skb->data);
3755 skb_pull(skb, 2);
3756
052897ca
GP		 3757 if (pi->sdu_len > pi->imtu) {
3758 err = -EMSGSIZE;
3759 break;
3760 }
3761
c74e560c
GP		 3762 pi->sdu = bt_skb_alloc(pi->sdu_len, GFP_ATOMIC);
3763 if (!pi->sdu) {
3764 err = -ENOMEM;
3765 break;
3766 }
3767
3768 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3769
3770 pi->conn_state |= L2CAP_CONN_SAR_SDU;
3771 pi->partial_sdu_len = skb->len;
3772 err = 0;
3773 break;
3774
3775 case L2CAP_SDU_CONTINUE:
3776 if (!(pi->conn_state & L2CAP_CONN_SAR_SDU))
3777 break;
3778
3779 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3780
3781 pi->partial_sdu_len += skb->len;
3782 if (pi->partial_sdu_len > pi->sdu_len)
3783 kfree_skb(pi->sdu);
3784 else
3785 err = 0;
3786
3787 break;
3788
3789 case L2CAP_SDU_END:
3790 if (!(pi->conn_state & L2CAP_CONN_SAR_SDU))
3791 break;
3792
3793 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3794
3795 pi->conn_state &= ~L2CAP_CONN_SAR_SDU;
3796 pi->partial_sdu_len += skb->len;
3797
36f2fd58
GP		 3798 if (pi->partial_sdu_len > pi->imtu)
3799 goto drop;
3800
c74e560c
GP		 3801 if (pi->partial_sdu_len == pi->sdu_len) {
3802 _skb = skb_clone(pi->sdu, GFP_ATOMIC);
3803 err = sock_queue_rcv_skb(sk, _skb);
3804 if (err < 0)
3805 kfree_skb(_skb);
3806 }
c74e560c
GP		 3807 err = 0;
3808
36f2fd58
GP		 3809drop:
3810 kfree_skb(pi->sdu);
c74e560c
GP		 3811 break;
3812 }
3813
3814 kfree_skb(skb);
3815 return err;
3816}
3817
8f17154f
GP		 3818static void l2cap_check_srej_gap(struct sock *sk, u8 tx_seq)
3819{
3820 struct sk_buff *skb;
afefdbc4 3821 u16 control;
8f17154f 3822
59203a21 3823 while ((skb = skb_peek(SREJ_QUEUE(sk)))) {
8f17154f
GP		 3824 if (bt_cb(skb)->tx_seq != tx_seq)
3825 break;
3826
3827 skb = skb_dequeue(SREJ_QUEUE(sk));
afefdbc4 3828 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
18778a63 3829 l2cap_ertm_reassembly_sdu(sk, skb, control);
8f17154f
GP		 3830 l2cap_pi(sk)->buffer_seq_srej =
3831 (l2cap_pi(sk)->buffer_seq_srej + 1) % 64;
8ff50ec0 3832 tx_seq = (tx_seq + 1) % 64;
8f17154f
GP		 3833 }
3834}
3835
3836static void l2cap_resend_srejframe(struct sock *sk, u8 tx_seq)
3837{
3838 struct l2cap_pinfo *pi = l2cap_pi(sk);
3839 struct srej_list *l, *tmp;
3840 u16 control;
3841
59203a21 3842 list_for_each_entry_safe(l, tmp, SREJ_LIST(sk), list) {
8f17154f
GP		 3843 if (l->tx_seq == tx_seq) {
3844 list_del(&l->list);
3845 kfree(l);
3846 return;
3847 }
3848 control = L2CAP_SUPER_SELECT_REJECT;
3849 control |= l->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3850 l2cap_send_sframe(pi, control);
3851 list_del(&l->list);
3852 list_add_tail(&l->list, SREJ_LIST(sk));
3853 }
3854}
3855
3856static void l2cap_send_srejframe(struct sock *sk, u8 tx_seq)
3857{
3858 struct l2cap_pinfo *pi = l2cap_pi(sk);
3859 struct srej_list *new;
3860 u16 control;
3861
3862 while (tx_seq != pi->expected_tx_seq) {
3863 control = L2CAP_SUPER_SELECT_REJECT;
3864 control |= pi->expected_tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3865 l2cap_send_sframe(pi, control);
3866
3867 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
8ff50ec0
GP		 3868 new->tx_seq = pi->expected_tx_seq;
3869 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
8f17154f
GP		 3870 list_add_tail(&new->list, SREJ_LIST(sk));
3871 }
8ff50ec0 3872 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
8f17154f
GP		 3873}
3874
1c2acffb
GP		 3875static inline int l2cap_data_channel_iframe(struct sock *sk, u16 rx_control, struct sk_buff *skb)
3876{
3877 struct l2cap_pinfo *pi = l2cap_pi(sk);
3878 u8 tx_seq = __get_txseq(rx_control);
9f121a5a 3879 u8 req_seq = __get_reqseq(rx_control);
8f17154f 3880 u8 sar = rx_control >> L2CAP_CTRL_SAR_SHIFT;
f6337c77 3881 int tx_seq_offset, expected_tx_seq_offset;
803020c6 3882 int num_to_ack = (pi->tx_win/6) + 1;
1c2acffb
GP		 3883 int err = 0;
3884
0e98958d
GP		 3885 BT_DBG("sk %p len %d tx_seq %d rx_control 0x%4.4x", sk, skb->len, tx_seq,
3886 rx_control);
1c2acffb 3887
9b16dc65
GP		 3888 if (L2CAP_CTRL_FINAL & rx_control &&
3889 l2cap_pi(sk)->conn_state & L2CAP_CONN_WAIT_F) {
1d8f5d16
GP		 3890 del_timer(&pi->monitor_timer);
3891 if (pi->unacked_frames > 0)
3892 __mod_retrans_timer();
3893 pi->conn_state &= ~L2CAP_CONN_WAIT_F;
3894 }
3895
9f121a5a
GP		 3896 pi->expected_ack_seq = req_seq;
3897 l2cap_drop_acked_frames(sk);
3898
8f17154f
GP		 3899 if (tx_seq == pi->expected_tx_seq)
3900 goto expected;
1c2acffb 3901
9b53350d
JPRV		 3902 tx_seq_offset = (tx_seq - pi->buffer_seq) % 64;
3903 if (tx_seq_offset < 0)
3904 tx_seq_offset += 64;
3905
3906 /* invalid tx_seq */
3907 if (tx_seq_offset >= pi->tx_win) {
9b108fc0 3908 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
9b53350d
JPRV		 3909 goto drop;
3910 }
3911
1890d36b
GP		 3912 if (pi->conn_state == L2CAP_CONN_LOCAL_BUSY)
3913 goto drop;
3914
8f17154f
GP		 3915 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
3916 struct srej_list *first;
30afb5b2 3917
8f17154f
GP		 3918 first = list_first_entry(SREJ_LIST(sk),
3919 struct srej_list, list);
3920 if (tx_seq == first->tx_seq) {
3921 l2cap_add_to_srej_queue(sk, skb, tx_seq, sar);
3922 l2cap_check_srej_gap(sk, tx_seq);
3923
3924 list_del(&first->list);
3925 kfree(first);
3926
3927 if (list_empty(SREJ_LIST(sk))) {
3928 pi->buffer_seq = pi->buffer_seq_srej;
3929 pi->conn_state &= ~L2CAP_CONN_SREJ_SENT;
855666cc 3930 l2cap_send_ack(pi);
0e98958d 3931 BT_DBG("sk %p, Exit SREJ_SENT", sk);
8f17154f
GP		 3932 }
3933 } else {
3934 struct srej_list *l;
9b53350d
JPRV		 3935
3936 /* duplicated tx_seq */
3937 if (l2cap_add_to_srej_queue(sk, skb, tx_seq, sar) < 0)
3938 goto drop;
8f17154f
GP		 3939
3940 list_for_each_entry(l, SREJ_LIST(sk), list) {
3941 if (l->tx_seq == tx_seq) {
3942 l2cap_resend_srejframe(sk, tx_seq);
3943 return 0;
3944 }
3945 }
3946 l2cap_send_srejframe(sk, tx_seq);
30afb5b2
GP		 3947 }
3948 } else {
9b53350d
JPRV		 3949 expected_tx_seq_offset =
3950 (pi->expected_tx_seq - pi->buffer_seq) % 64;
3951 if (expected_tx_seq_offset < 0)
3952 expected_tx_seq_offset += 64;
3953
3954 /* duplicated tx_seq */
3955 if (tx_seq_offset < expected_tx_seq_offset)
3956 goto drop;
3957
8f17154f 3958 pi->conn_state |= L2CAP_CONN_SREJ_SENT;
1c2acffb 3959
0e98958d
GP		 3960 BT_DBG("sk %p, Enter SREJ", sk);
3961
8f17154f
GP		 3962 INIT_LIST_HEAD(SREJ_LIST(sk));
3963 pi->buffer_seq_srej = pi->buffer_seq;
3964
3965 __skb_queue_head_init(SREJ_QUEUE(sk));
1890d36b 3966 __skb_queue_head_init(BUSY_QUEUE(sk));
8f17154f
GP		 3967 l2cap_add_to_srej_queue(sk, skb, tx_seq, sar);
3968
ef54fd93
GP		 3969 pi->conn_state |= L2CAP_CONN_SEND_PBIT;
3970
8f17154f 3971 l2cap_send_srejframe(sk, tx_seq);
7fe9b298
GP		 3972
3973 del_timer(&pi->ack_timer);
1c2acffb 3974 }
30afb5b2
GP		 3975 return 0;
3976
8f17154f
GP		 3977expected:
3978 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
3979
3980 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
3b1a9f3f
GP		 3981 bt_cb(skb)->tx_seq = tx_seq;
3982 bt_cb(skb)->sar = sar;
3983 __skb_queue_tail(SREJ_QUEUE(sk), skb);
8f17154f
GP		 3984 return 0;
3985 }
3986
2ece3684
GP		 3987 err = l2cap_push_rx_skb(sk, skb, rx_control);
3988 if (err < 0)
3989 return 0;
3990
4ec10d97
GP		 3991 if (rx_control & L2CAP_CTRL_FINAL) {
3992 if (pi->conn_state & L2CAP_CONN_REJ_ACT)
3993 pi->conn_state &= ~L2CAP_CONN_REJ_ACT;
dfc909be
GP		 3994 else
3995 l2cap_retransmit_frames(sk);
4ec10d97
GP		 3996 }
3997
c1b4f43b
GP		 3998 __mod_ack_timer();
3999
803020c6
GP		 4000 pi->num_acked = (pi->num_acked + 1) % num_to_ack;
4001 if (pi->num_acked == num_to_ack - 1)
9e917af1
GP		 4002 l2cap_send_ack(pi);
4003
8f17154f 4004 return 0;
9b53350d
JPRV		 4005
4006drop:
4007 kfree_skb(skb);
4008 return 0;
1c2acffb
GP		 4009}
4010
e072745f 4011static inline void l2cap_data_channel_rrframe(struct sock *sk, u16 rx_control)
1c2acffb
GP		 4012{
4013 struct l2cap_pinfo *pi = l2cap_pi(sk);
6e3a5981 4014
0e98958d
GP		 4015 BT_DBG("sk %p, req_seq %d ctrl 0x%4.4x", sk, __get_reqseq(rx_control),
4016 rx_control);
4017
6e3a5981
GP		 4018 pi->expected_ack_seq = __get_reqseq(rx_control);
4019 l2cap_drop_acked_frames(sk);
1c2acffb 4020
e072745f 4021 if (rx_control & L2CAP_CTRL_POLL) {
3cb123d1 4022 pi->conn_state |= L2CAP_CONN_SEND_FBIT;
05fbd89d
GP		 4023 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
4024 if ((pi->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
4025 (pi->unacked_frames > 0))
4026 __mod_retrans_timer();
4027
4028 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
4029 l2cap_send_srejtail(sk);
4030 } else {
4031 l2cap_send_i_or_rr_or_rnr(sk);
05fbd89d 4032 }
1d8f5d16 4033
e072745f
GP		 4034 } else if (rx_control & L2CAP_CTRL_FINAL) {
4035 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
4ec10d97 4036
e072745f
GP		 4037 if (pi->conn_state & L2CAP_CONN_REJ_ACT)
4038 pi->conn_state &= ~L2CAP_CONN_REJ_ACT;
dfc909be
GP		 4039 else
4040 l2cap_retransmit_frames(sk);
2246b2f1 4041
e072745f 4042 } else {
e072745f
GP		 4043 if ((pi->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
4044 (pi->unacked_frames > 0))
4045 __mod_retrans_timer();
1c2acffb 4046
2246b2f1 4047 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
dfc909be 4048 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
e072745f 4049 l2cap_send_ack(pi);
dfc909be 4050 } else {
e072745f 4051 l2cap_ertm_send(sk);
dfc909be 4052 }
e072745f
GP		 4053 }
4054}
2246b2f1 4055
e072745f
GP		 4056static inline void l2cap_data_channel_rejframe(struct sock *sk, u16 rx_control)
4057{
4058 struct l2cap_pinfo *pi = l2cap_pi(sk);
4059 u8 tx_seq = __get_reqseq(rx_control);
30afb5b2 4060
0e98958d
GP		 4061 BT_DBG("sk %p, req_seq %d ctrl 0x%4.4x", sk, tx_seq, rx_control);
4062
e072745f
GP		 4063 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
4064
8abb52ee 4065 pi->expected_ack_seq = tx_seq;
e072745f
GP		 4066 l2cap_drop_acked_frames(sk);
4067
4068 if (rx_control & L2CAP_CTRL_FINAL) {
4069 if (pi->conn_state & L2CAP_CONN_REJ_ACT)
4070 pi->conn_state &= ~L2CAP_CONN_REJ_ACT;
dfc909be
GP		 4071 else
4072 l2cap_retransmit_frames(sk);
e072745f 4073 } else {
dfc909be 4074 l2cap_retransmit_frames(sk);
30afb5b2 4075
0301ef04 4076 if (pi->conn_state & L2CAP_CONN_WAIT_F)
e072745f 4077 pi->conn_state |= L2CAP_CONN_REJ_ACT;
e072745f
GP		 4078 }
4079}
4080static inline void l2cap_data_channel_srejframe(struct sock *sk, u16 rx_control)
4081{
4082 struct l2cap_pinfo *pi = l2cap_pi(sk);
4083 u8 tx_seq = __get_reqseq(rx_control);
30afb5b2 4084
0e98958d
GP		 4085 BT_DBG("sk %p, req_seq %d ctrl 0x%4.4x", sk, tx_seq, rx_control);
4086
e072745f 4087 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
2246b2f1 4088
e072745f
GP		 4089 if (rx_control & L2CAP_CTRL_POLL) {
4090 pi->expected_ack_seq = tx_seq;
4091 l2cap_drop_acked_frames(sk);
3cb123d1
GP		 4092
4093 pi->conn_state |= L2CAP_CONN_SEND_FBIT;
dfc909be
GP		 4094 l2cap_retransmit_one_frame(sk, tx_seq);
4095
e072745f 4096 l2cap_ertm_send(sk);
dfc909be 4097
e072745f
GP		 4098 if (pi->conn_state & L2CAP_CONN_WAIT_F) {
4099 pi->srej_save_reqseq = tx_seq;
4100 pi->conn_state |= L2CAP_CONN_SREJ_ACT;
ef54fd93 4101 }
e072745f
GP		 4102 } else if (rx_control & L2CAP_CTRL_FINAL) {
4103 if ((pi->conn_state & L2CAP_CONN_SREJ_ACT) &&
4104 pi->srej_save_reqseq == tx_seq)
4105 pi->conn_state &= ~L2CAP_CONN_SREJ_ACT;
4106 else
dfc909be 4107 l2cap_retransmit_one_frame(sk, tx_seq);
e072745f 4108 } else {
dfc909be 4109 l2cap_retransmit_one_frame(sk, tx_seq);
e072745f
GP		 4110 if (pi->conn_state & L2CAP_CONN_WAIT_F) {
4111 pi->srej_save_reqseq = tx_seq;
4112 pi->conn_state |= L2CAP_CONN_SREJ_ACT;
ef54fd93 4113 }
e072745f
GP		 4114 }
4115}
4116
4117static inline void l2cap_data_channel_rnrframe(struct sock *sk, u16 rx_control)
4118{
4119 struct l2cap_pinfo *pi = l2cap_pi(sk);
4120 u8 tx_seq = __get_reqseq(rx_control);
4121
0e98958d
GP		 4122 BT_DBG("sk %p, req_seq %d ctrl 0x%4.4x", sk, tx_seq, rx_control);
4123
e072745f
GP		 4124 pi->conn_state |= L2CAP_CONN_REMOTE_BUSY;
4125 pi->expected_ack_seq = tx_seq;
4126 l2cap_drop_acked_frames(sk);
4127
3cb123d1
GP		 4128 if (rx_control & L2CAP_CTRL_POLL)
4129 pi->conn_state |= L2CAP_CONN_SEND_FBIT;
4130
99b0d4b7
GP		 4131 if (!(pi->conn_state & L2CAP_CONN_SREJ_SENT)) {
4132 del_timer(&pi->retrans_timer);
a2e12a2a
GP		 4133 if (rx_control & L2CAP_CTRL_POLL)
4134 l2cap_send_rr_or_rnr(pi, L2CAP_CTRL_FINAL);
99b0d4b7 4135 return;
e072745f 4136 }
99b0d4b7
GP		 4137
4138 if (rx_control & L2CAP_CTRL_POLL)
4139 l2cap_send_srejtail(sk);
4140 else
4141 l2cap_send_sframe(pi, L2CAP_SUPER_RCV_READY);
e072745f
GP		 4142}
4143
4144static inline int l2cap_data_channel_sframe(struct sock *sk, u16 rx_control, struct sk_buff *skb)
4145{
4146 BT_DBG("sk %p rx_control 0x%4.4x len %d", sk, rx_control, skb->len);
4147
9b16dc65
GP		 4148 if (L2CAP_CTRL_FINAL & rx_control &&
4149 l2cap_pi(sk)->conn_state & L2CAP_CONN_WAIT_F) {
e072745f
GP		 4150 del_timer(&l2cap_pi(sk)->monitor_timer);
4151 if (l2cap_pi(sk)->unacked_frames > 0)
4152 __mod_retrans_timer();
4153 l2cap_pi(sk)->conn_state &= ~L2CAP_CONN_WAIT_F;
4154 }
4155
4156 switch (rx_control & L2CAP_CTRL_SUPERVISE) {
4157 case L2CAP_SUPER_RCV_READY:
4158 l2cap_data_channel_rrframe(sk, rx_control);
8f17154f
GP		 4159 break;
4160
e072745f
GP		 4161 case L2CAP_SUPER_REJECT:
4162 l2cap_data_channel_rejframe(sk, rx_control);
4163 break;
2246b2f1 4164
e072745f
GP		 4165 case L2CAP_SUPER_SELECT_REJECT:
4166 l2cap_data_channel_srejframe(sk, rx_control);
4167 break;
4168
4169 case L2CAP_SUPER_RCV_NOT_READY:
4170 l2cap_data_channel_rnrframe(sk, rx_control);
1c2acffb
GP		 4171 break;
4172 }
4173
faaebd19 4174 kfree_skb(skb);
1c2acffb
GP		 4175 return 0;
4176}
4177
218bb9df
GP		 4178static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb)
4179{
4180 struct l2cap_pinfo *pi = l2cap_pi(sk);
4181 u16 control;
4182 u8 req_seq;
4183 int len, next_tx_seq_offset, req_seq_offset;
4184
4185 control = get_unaligned_le16(skb->data);
4186 skb_pull(skb, 2);
4187 len = skb->len;
4188
4189 /*
4190 * We can just drop the corrupted I-frame here.
4191 * Receiver will miss it and start proper recovery
4192 * procedures and ask retransmission.
4193 */
4194 if (l2cap_check_fcs(pi, skb))
4195 goto drop;
4196
4197 if (__is_sar_start(control) && __is_iframe(control))
4198 len -= 2;
4199
4200 if (pi->fcs == L2CAP_FCS_CRC16)
4201 len -= 2;
4202
4203 if (len > pi->mps) {
4204 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
4205 goto drop;
4206 }
4207
4208 req_seq = __get_reqseq(control);
4209 req_seq_offset = (req_seq - pi->expected_ack_seq) % 64;
4210 if (req_seq_offset < 0)
4211 req_seq_offset += 64;
4212
4213 next_tx_seq_offset =
4214 (pi->next_tx_seq - pi->expected_ack_seq) % 64;
4215 if (next_tx_seq_offset < 0)
4216 next_tx_seq_offset += 64;
4217
4218 /* check for invalid req-seq */
4219 if (req_seq_offset > next_tx_seq_offset) {
4220 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
4221 goto drop;
4222 }
4223
4224 if (__is_iframe(control)) {
4225 if (len < 0) {
4226 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
4227 goto drop;
4228 }
4229
4230 l2cap_data_channel_iframe(sk, control, skb);
4231 } else {
4232 if (len != 0) {
4233 BT_ERR("%d", len);
4234 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
4235 goto drop;
4236 }
4237
4238 l2cap_data_channel_sframe(sk, control, skb);
4239 }
4240
4241 return 0;
4242
4243drop:
4244 kfree_skb(skb);
4245 return 0;
4246}
4247
1da177e4
LT		 4248static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
4249{
4250 struct sock *sk;
6840ed07 4251 struct l2cap_pinfo *pi;
51893f88 4252 u16 control;
218bb9df
GP		 4253 u8 tx_seq;
4254 int len;
1da177e4
LT		 4255
4256 sk = l2cap_get_chan_by_scid(&conn->chan_list, cid);
4257 if (!sk) {
4258 BT_DBG("unknown cid 0x%4.4x", cid);
4259 goto drop;
4260 }
4261
6840ed07
GP		 4262 pi = l2cap_pi(sk);
4263
1da177e4
LT		 4264 BT_DBG("sk %p, len %d", sk, skb->len);
4265
4266 if (sk->sk_state != BT_CONNECTED)
4267 goto drop;
4268
6840ed07 4269 switch (pi->mode) {
1c2acffb
GP		 4270 case L2CAP_MODE_BASIC:
4271 /* If socket recv buffers overflows we drop data here
4272 * which is *bad* because L2CAP has to be reliable.
4273 * But we don't have any other choice. L2CAP doesn't
4274 * provide flow control mechanism. */
1da177e4 4275
6840ed07 4276 if (pi->imtu < skb->len)
1c2acffb 4277 goto drop;
1da177e4 4278
1c2acffb
GP		 4279 if (!sock_queue_rcv_skb(sk, skb))
4280 goto done;
4281 break;
4282
4283 case L2CAP_MODE_ERTM:
218bb9df
GP		 4284 if (!sock_owned_by_user(sk)) {
4285 l2cap_ertm_data_rcv(sk, skb);
277ffbe3 4286 } else {
218bb9df 4287 if (sk_add_backlog(sk, skb))
277ffbe3 4288 goto drop;
277ffbe3 4289 }
1c2acffb 4290
fcafde2e 4291 goto done;
1c2acffb 4292
6840ed07
GP		 4293 case L2CAP_MODE_STREAMING:
4294 control = get_unaligned_le16(skb->data);
4295 skb_pull(skb, 2);
4296 len = skb->len;
4297
26000089
GP		 4298 if (l2cap_check_fcs(pi, skb))
4299 goto drop;
4300
6840ed07
GP		 4301 if (__is_sar_start(control))
4302 len -= 2;
4303
fcc203c3
GP		 4304 if (pi->fcs == L2CAP_FCS_CRC16)
4305 len -= 2;
4306
51893f88 4307 if (len > pi->mps || len < 0 || __is_sframe(control))
6840ed07
GP		 4308 goto drop;
4309
4310 tx_seq = __get_txseq(control);
4311
4312 if (pi->expected_tx_seq == tx_seq)
4313 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
4314 else
7dffe421 4315 pi->expected_tx_seq = (tx_seq + 1) % 64;
6840ed07 4316
18778a63 4317 l2cap_streaming_reassembly_sdu(sk, skb, control);
6840ed07
GP		 4318
4319 goto done;
4320
1c2acffb 4321 default:
e8235c6b 4322 BT_DBG("sk %p: bad mode 0x%2.2x", sk, pi->mode);
1c2acffb
GP		 4323 break;
4324 }
1da177e4
LT		 4325
4326drop:
4327 kfree_skb(skb);
4328
4329done:
0139418c
MH		 4330 if (sk)
4331 bh_unlock_sock(sk);
4332
1da177e4
LT		 4333 return 0;
4334}
4335
8e036fc3 4336static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
1da177e4
LT		 4337{
4338 struct sock *sk;
4339
4340 sk = l2cap_get_sock_by_psm(0, psm, conn->src);
4341 if (!sk)
4342 goto drop;
4343
4344 BT_DBG("sk %p, len %d", sk, skb->len);
4345
4346 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_CONNECTED)
4347 goto drop;
4348
4349 if (l2cap_pi(sk)->imtu < skb->len)
4350 goto drop;
4351
4352 if (!sock_queue_rcv_skb(sk, skb))
4353 goto done;
4354
4355drop:
4356 kfree_skb(skb);
4357
4358done:
af05b30b
GP		 4359 if (sk)
4360 bh_unlock_sock(sk);
1da177e4
LT		 4361 return 0;
4362}
4363
4364static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
4365{
4366 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 4367 u16 cid, len;
4368 __le16 psm;
1da177e4
LT		 4369
4370 skb_pull(skb, L2CAP_HDR_SIZE);
4371 cid = __le16_to_cpu(lh->cid);
4372 len = __le16_to_cpu(lh->len);
4373
1c2acffb
GP		 4374 if (len != skb->len) {
4375 kfree_skb(skb);
4376 return;
4377 }
4378
1da177e4
LT		 4379 BT_DBG("len %d, cid 0x%4.4x", len, cid);
4380
4381 switch (cid) {
8db4dc46 4382 case L2CAP_CID_SIGNALING:
1da177e4
LT		 4383 l2cap_sig_channel(conn, skb);
4384 break;
4385
8db4dc46 4386 case L2CAP_CID_CONN_LESS:
1b7bf4ed 4387 psm = get_unaligned_le16(skb->data);
1da177e4
LT		 4388 skb_pull(skb, 2);
4389 l2cap_conless_channel(conn, psm, skb);
4390 break;
4391
4392 default:
4393 l2cap_data_channel(conn, cid, skb);
4394 break;
4395 }
4396}
4397
4398/* ---- L2CAP interface with lower layer (HCI) ---- */
4399
4400static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
4401{
4402 int exact = 0, lm1 = 0, lm2 = 0;
4403 register struct sock *sk;
4404 struct hlist_node *node;
4405
4406 if (type != ACL_LINK)
4407 return 0;
4408
4409 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
4410
4411 /* Find listening sockets and check their link_mode */
4412 read_lock(&l2cap_sk_list.lock);
4413 sk_for_each(sk, node, &l2cap_sk_list.head) {
4414 if (sk->sk_state != BT_LISTEN)
4415 continue;
4416
4417 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5
MH		 4418 lm1 |= HCI_LM_ACCEPT;
4419 if (l2cap_pi(sk)->role_switch)
4420 lm1 |= HCI_LM_MASTER;
1da177e4 4421 exact++;
2af6b9d5
MH		 4422 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
4423 lm2 |= HCI_LM_ACCEPT;
4424 if (l2cap_pi(sk)->role_switch)
4425 lm2 |= HCI_LM_MASTER;
4426 }
1da177e4
LT		 4427 }
4428 read_unlock(&l2cap_sk_list.lock);
4429
4430 return exact ? lm1 : lm2;
4431}
4432
4433static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
4434{
0139418c
MH		 4435 struct l2cap_conn *conn;
4436
1da177e4
LT		 4437 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
4438
4439 if (hcon->type != ACL_LINK)
4440 return 0;
4441
4442 if (!status) {
1da177e4
LT		 4443 conn = l2cap_conn_add(hcon, status);
4444 if (conn)
4445 l2cap_conn_ready(conn);
0139418c 4446 } else
1da177e4
LT		 4447 l2cap_conn_del(hcon, bt_err(status));
4448
4449 return 0;
4450}
4451
2950f21a
MH		 4452static int l2cap_disconn_ind(struct hci_conn *hcon)
4453{
4454 struct l2cap_conn *conn = hcon->l2cap_data;
4455
4456 BT_DBG("hcon %p", hcon);
4457
4458 if (hcon->type != ACL_LINK || !conn)
4459 return 0x13;
4460
4461 return conn->disc_reason;
4462}
4463
4464static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 4465{
4466 BT_DBG("hcon %p reason %d", hcon, reason);
4467
4468 if (hcon->type != ACL_LINK)
4469 return 0;
4470
4471 l2cap_conn_del(hcon, bt_err(reason));
0139418c 4472
1da177e4
LT		 4473 return 0;
4474}
4475
f62e4323
MH		 4476static inline void l2cap_check_encryption(struct sock *sk, u8 encrypt)
4477{
bd3c9e25 4478 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM)
255c7601
MH		 4479 return;
4480
f62e4323
MH		 4481 if (encrypt == 0x00) {
4482 if (l2cap_pi(sk)->sec_level == BT_SECURITY_MEDIUM) {
4483 l2cap_sock_clear_timer(sk);
4484 l2cap_sock_set_timer(sk, HZ * 5);
4485 } else if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
4486 __l2cap_sock_close(sk, ECONNREFUSED);
4487 } else {
4488 if (l2cap_pi(sk)->sec_level == BT_SECURITY_MEDIUM)
4489 l2cap_sock_clear_timer(sk);
4490 }
4491}
4492
8c1b2355 4493static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4
LT		 4494{
4495 struct l2cap_chan_list *l;
0139418c 4496 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4 4497 struct sock *sk;
1da177e4 4498
0139418c 4499 if (!conn)
1da177e4 4500 return 0;
0139418c 4501
1da177e4
LT		 4502 l = &conn->chan_list;
4503
4504 BT_DBG("conn %p", conn);
4505
4506 read_lock(&l->lock);
4507
4508 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
4509 bh_lock_sock(sk);
4510
6a8d3010
MH		 4511 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_CONNECT_PEND) {
4512 bh_unlock_sock(sk);
4513 continue;
4514 }
4515
f62e4323 4516 if (!status && (sk->sk_state == BT_CONNECTED ||
8c1b2355 4517 sk->sk_state == BT_CONFIG)) {
f62e4323 4518 l2cap_check_encryption(sk, encrypt);
9719f8af
MH		 4519 bh_unlock_sock(sk);
4520 continue;
4521 }
4522
b1235d79
MH		 4523 if (sk->sk_state == BT_CONNECT) {
4524 if (!status) {
4525 struct l2cap_conn_req req;
4526 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
4527 req.psm = l2cap_pi(sk)->psm;
1da177e4 4528
b1235d79 4529 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
e501d055 4530 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
1da177e4 4531
b1235d79
MH		 4532 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
4533 L2CAP_CONN_REQ, sizeof(req), &req);
4534 } else {
4535 l2cap_sock_clear_timer(sk);
4536 l2cap_sock_set_timer(sk, HZ / 10);
4537 }
4538 } else if (sk->sk_state == BT_CONNECT2) {
4539 struct l2cap_conn_rsp rsp;
4540 __u16 result;
1da177e4 4541
b1235d79
MH		 4542 if (!status) {
4543 sk->sk_state = BT_CONFIG;
4544 result = L2CAP_CR_SUCCESS;
4545 } else {
4546 sk->sk_state = BT_DISCONN;
4547 l2cap_sock_set_timer(sk, HZ / 10);
4548 result = L2CAP_CR_SEC_BLOCK;
4549 }
4550
4551 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
4552 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
4553 rsp.result = cpu_to_le16(result);
e7c29cb1 4554 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
b1235d79
MH		 4555 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
4556 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
4557 }
1da177e4
LT		 4558
4559 bh_unlock_sock(sk);
4560 }
4561
4562 read_unlock(&l->lock);
b1235d79 4563
1da177e4
LT		 4564 return 0;
4565}
4566
4567static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
4568{
4569 struct l2cap_conn *conn = hcon->l2cap_data;
4570
4571 if (!conn && !(conn = l2cap_conn_add(hcon, 0)))
4572 goto drop;
4573
4574 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
4575
4576 if (flags & ACL_START) {
4577 struct l2cap_hdr *hdr;
4578 int len;
4579
4580 if (conn->rx_len) {
4581 BT_ERR("Unexpected start frame (len %d)", skb->len);
4582 kfree_skb(conn->rx_skb);
4583 conn->rx_skb = NULL;
4584 conn->rx_len = 0;
4585 l2cap_conn_unreliable(conn, ECOMM);
4586 }
4587
4588 if (skb->len < 2) {
4589 BT_ERR("Frame is too short (len %d)", skb->len);
4590 l2cap_conn_unreliable(conn, ECOMM);
4591 goto drop;
4592 }
4593
4594 hdr = (struct l2cap_hdr *) skb->data;
4595 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
4596
4597 if (len == skb->len) {
4598 /* Complete frame received */
4599 l2cap_recv_frame(conn, skb);
4600 return 0;
4601 }
4602
4603 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
4604
4605 if (skb->len > len) {
4606 BT_ERR("Frame is too long (len %d, expected len %d)",
4607 skb->len, len);
4608 l2cap_conn_unreliable(conn, ECOMM);
4609 goto drop;
4610 }
4611
4612 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 4613 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
4614 if (!conn->rx_skb)
1da177e4
LT		 4615 goto drop;
4616
d626f62b 4617 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4618 skb->len);
1da177e4
LT		 4619 conn->rx_len = len - skb->len;
4620 } else {
4621 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
4622
4623 if (!conn->rx_len) {
4624 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
4625 l2cap_conn_unreliable(conn, ECOMM);
4626 goto drop;
4627 }
4628
4629 if (skb->len > conn->rx_len) {
4630 BT_ERR("Fragment is too long (len %d, expected %d)",
4631 skb->len, conn->rx_len);
4632 kfree_skb(conn->rx_skb);
4633 conn->rx_skb = NULL;
4634 conn->rx_len = 0;
4635 l2cap_conn_unreliable(conn, ECOMM);
4636 goto drop;
4637 }
4638
d626f62b 4639 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4640 skb->len);
1da177e4
LT		 4641 conn->rx_len -= skb->len;
4642
4643 if (!conn->rx_len) {
4644 /* Complete frame received */
4645 l2cap_recv_frame(conn, conn->rx_skb);
4646 conn->rx_skb = NULL;
4647 }
4648 }
4649
4650drop:
4651 kfree_skb(skb);
4652 return 0;
4653}
4654
aef7d97c 4655static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4
LT		 4656{
4657 struct sock *sk;
4658 struct hlist_node *node;
1da177e4
LT		 4659
4660 read_lock_bh(&l2cap_sk_list.lock);
4661
be9d1227
MH		 4662 sk_for_each(sk, node, &l2cap_sk_list.head) {
4663 struct l2cap_pinfo *pi = l2cap_pi(sk);
101545f6 4664
aef7d97c
MH		 4665 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d\n",
4666 batostr(&bt_sk(sk)->src),
4667 batostr(&bt_sk(sk)->dst),
4668 sk->sk_state, __le16_to_cpu(pi->psm),
4669 pi->scid, pi->dcid,
4670 pi->imtu, pi->omtu, pi->sec_level);
be9d1227 4671 }
1da177e4 4672
1da177e4 4673 read_unlock_bh(&l2cap_sk_list.lock);
1da177e4 4674
aef7d97c 4675 return 0;
1da177e4
LT		 4676}
4677
aef7d97c
MH		 4678static int l2cap_debugfs_open(struct inode *inode, struct file *file)
4679{
4680 return single_open(file, l2cap_debugfs_show, inode->i_private);
4681}
4682
4683static const struct file_operations l2cap_debugfs_fops = {
4684 .open = l2cap_debugfs_open,
4685 .read = seq_read,
4686 .llseek = seq_lseek,
4687 .release = single_release,
4688};
4689
4690static struct dentry *l2cap_debugfs;
1da177e4 4691
90ddc4f0 4692static const struct proto_ops l2cap_sock_ops = {
1da177e4
LT		 4693 .family = PF_BLUETOOTH,
4694 .owner = THIS_MODULE,
4695 .release = l2cap_sock_release,
4696 .bind = l2cap_sock_bind,
4697 .connect = l2cap_sock_connect,
4698 .listen = l2cap_sock_listen,
4699 .accept = l2cap_sock_accept,
4700 .getname = l2cap_sock_getname,
4701 .sendmsg = l2cap_sock_sendmsg,
f66dc81f 4702 .recvmsg = l2cap_sock_recvmsg,
1da177e4 4703 .poll = bt_sock_poll,
3241ad82 4704 .ioctl = bt_sock_ioctl,
1da177e4
LT		 4705 .mmap = sock_no_mmap,
4706 .socketpair = sock_no_socketpair,
1da177e4
LT		 4707 .shutdown = l2cap_sock_shutdown,
4708 .setsockopt = l2cap_sock_setsockopt,
4709 .getsockopt = l2cap_sock_getsockopt
4710};
4711
ec1b4cf7 4712static const struct net_proto_family l2cap_sock_family_ops = {
1da177e4
LT		 4713 .family = PF_BLUETOOTH,
4714 .owner = THIS_MODULE,
4715 .create = l2cap_sock_create,
4716};
4717
4718static struct hci_proto l2cap_hci_proto = {
4719 .name = "L2CAP",
4720 .id = HCI_PROTO_L2CAP,
4721 .connect_ind = l2cap_connect_ind,
4722 .connect_cfm = l2cap_connect_cfm,
4723 .disconn_ind = l2cap_disconn_ind,
2950f21a 4724 .disconn_cfm = l2cap_disconn_cfm,
8c1b2355 4725 .security_cfm = l2cap_security_cfm,
1da177e4
LT		 4726 .recv_acldata = l2cap_recv_acldata
4727};
4728
4729static int __init l2cap_init(void)
4730{
4731 int err;
be9d1227 4732
1da177e4
LT		 4733 err = proto_register(&l2cap_proto, 0);
4734 if (err < 0)
4735 return err;
4736
1890d36b
GP		 4737 _busy_wq = create_singlethread_workqueue("l2cap");
4738 if (!_busy_wq)
4739 goto error;
4740
1da177e4
LT		 4741 err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
4742 if (err < 0) {
4743 BT_ERR("L2CAP socket registration failed");
4744 goto error;
4745 }
4746
4747 err = hci_register_proto(&l2cap_hci_proto);
4748 if (err < 0) {
4749 BT_ERR("L2CAP protocol registration failed");
4750 bt_sock_unregister(BTPROTO_L2CAP);
4751 goto error;
4752 }
4753
aef7d97c
MH		 4754 if (bt_debugfs) {
4755 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
4756 bt_debugfs, NULL, &l2cap_debugfs_fops);
4757 if (!l2cap_debugfs)
4758 BT_ERR("Failed to create L2CAP debug file");
4759 }
1da177e4
LT		 4760
4761 BT_INFO("L2CAP ver %s", VERSION);
4762 BT_INFO("L2CAP socket layer initialized");
4763
4764 return 0;
4765
4766error:
4767 proto_unregister(&l2cap_proto);
4768 return err;
4769}
4770
4771static void __exit l2cap_exit(void)
4772{
aef7d97c 4773 debugfs_remove(l2cap_debugfs);
1da177e4 4774
1890d36b
GP		 4775 flush_workqueue(_busy_wq);
4776 destroy_workqueue(_busy_wq);
4777
1da177e4
LT		 4778 if (bt_sock_unregister(BTPROTO_L2CAP) < 0)
4779 BT_ERR("L2CAP socket unregistration failed");
4780
4781 if (hci_unregister_proto(&l2cap_hci_proto) < 0)
4782 BT_ERR("L2CAP protocol unregistration failed");
4783
4784 proto_unregister(&l2cap_proto);
4785}
4786
4787void l2cap_load(void)
4788{
4789 /* Dummy function to trigger automatic L2CAP module loading by
4790 * other modules that use L2CAP sockets but don't use any other
4791 * symbols from it. */
1da177e4
LT		 4792}
4793EXPORT_SYMBOL(l2cap_load);
4794
4795module_init(l2cap_init);
4796module_exit(l2cap_exit);
4797
44dd46de
MH		 4798module_param(enable_ertm, bool, 0644);
4799MODULE_PARM_DESC(enable_ertm, "Enable enhanced retransmission mode");
4800
63fbd24e 4801MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
1da177e4
LT		 4802MODULE_DESCRIPTION("Bluetooth L2CAP ver " VERSION);
4803MODULE_VERSION(VERSION);
4804MODULE_LICENSE("GPL");
4805MODULE_ALIAS("bt-proto-0");
kernel source for telekom puls (alcatel/mediatek)