projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Implemented HCI frame reassembly for RX from stream
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
1da177e4
LT		 5
6 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License version 2 as
10 published by the Free Software Foundation;
11
12 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
13 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
14 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
15 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 16 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
17 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
18 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 19 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20
8e87d142
YH		 21 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
22 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 23 SOFTWARE IS DISCLAIMED.
24*/
25
26/* Bluetooth L2CAP core and sockets. */
27
1da177e4
LT		 28#include <linux/module.h>
29
30#include <linux/types.h>
4fc268d2 31#include <linux/capability.h>
1da177e4
LT		 32#include <linux/errno.h>
33#include <linux/kernel.h>
1da177e4
LT		 34#include <linux/sched.h>
35#include <linux/slab.h>
36#include <linux/poll.h>
37#include <linux/fcntl.h>
38#include <linux/init.h>
39#include <linux/interrupt.h>
40#include <linux/socket.h>
41#include <linux/skbuff.h>
1da177e4 42#include <linux/list.h>
be9d1227 43#include <linux/device.h>
aef7d97c
MH		 44#include <linux/debugfs.h>
45#include <linux/seq_file.h>
af05b30b 46#include <linux/uaccess.h>
fcc203c3 47#include <linux/crc16.h>
1da177e4
LT		 48#include <net/sock.h>
49
50#include <asm/system.h>
1da177e4
LT		 51#include <asm/unaligned.h>
52
53#include <net/bluetooth/bluetooth.h>
54#include <net/bluetooth/hci_core.h>
55#include <net/bluetooth/l2cap.h>
56
dd135240 57#define VERSION "2.15"
44dd46de
MH		 58
59static int enable_ertm = 0;
f0709e03 60
47ec1dcd 61static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
e1027a7c 62static u8 l2cap_fixed_chan[8] = { 0x02, };
1da177e4 63
90ddc4f0 64static const struct proto_ops l2cap_sock_ops;
1da177e4 65
1890d36b
GP		 66static struct workqueue_struct *_busy_wq;
67
1da177e4 68static struct bt_sock_list l2cap_sk_list = {
d5fb2962 69 .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
1da177e4
LT		 70};
71
1890d36b
GP		 72static void l2cap_busy_work(struct work_struct *work);
73
1da177e4
LT		 74static void __l2cap_sock_close(struct sock *sk, int reason);
75static void l2cap_sock_close(struct sock *sk);
76static void l2cap_sock_kill(struct sock *sk);
77
e9aeb2dd 78static int l2cap_build_conf_req(struct sock *sk, void *data);
1da177e4
LT		 79static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
80 u8 code, u8 ident, u16 dlen, void *data);
81
218bb9df
GP		 82static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb);
83
1da177e4
LT		 84/* ---- L2CAP timers ---- */
85static void l2cap_sock_timeout(unsigned long arg)
86{
87 struct sock *sk = (struct sock *) arg;
b1235d79 88 int reason;
1da177e4
LT		 89
90 BT_DBG("sock %p state %d", sk, sk->sk_state);
91
92 bh_lock_sock(sk);
b1235d79 93
f62e4323
MH		 94 if (sk->sk_state == BT_CONNECTED || sk->sk_state == BT_CONFIG)
95 reason = ECONNREFUSED;
96 else if (sk->sk_state == BT_CONNECT &&
2af6b9d5 97 l2cap_pi(sk)->sec_level != BT_SECURITY_SDP)
b1235d79
MH		 98 reason = ECONNREFUSED;
99 else
100 reason = ETIMEDOUT;
101
102 __l2cap_sock_close(sk, reason);
103
1da177e4
LT		 104 bh_unlock_sock(sk);
105
106 l2cap_sock_kill(sk);
107 sock_put(sk);
108}
109
110static void l2cap_sock_set_timer(struct sock *sk, long timeout)
111{
112 BT_DBG("sk %p state %d timeout %ld", sk, sk->sk_state, timeout);
113 sk_reset_timer(sk, &sk->sk_timer, jiffies + timeout);
114}
115
116static void l2cap_sock_clear_timer(struct sock *sk)
117{
118 BT_DBG("sock %p state %d", sk, sk->sk_state);
119 sk_stop_timer(sk, &sk->sk_timer);
120}
121
0139418c
MH		 122/* ---- L2CAP channels ---- */
123static struct sock *__l2cap_get_chan_by_dcid(struct l2cap_chan_list *l, u16 cid)
124{
125 struct sock *s;
126 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
127 if (l2cap_pi(s)->dcid == cid)
128 break;
129 }
130 return s;
131}
132
133static struct sock *__l2cap_get_chan_by_scid(struct l2cap_chan_list *l, u16 cid)
134{
135 struct sock *s;
136 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
137 if (l2cap_pi(s)->scid == cid)
138 break;
139 }
140 return s;
141}
142
143/* Find channel with given SCID.
144 * Returns locked socket */
145static inline struct sock *l2cap_get_chan_by_scid(struct l2cap_chan_list *l, u16 cid)
146{
147 struct sock *s;
148 read_lock(&l->lock);
149 s = __l2cap_get_chan_by_scid(l, cid);
af05b30b
GP		 150 if (s)
151 bh_lock_sock(s);
0139418c
MH		 152 read_unlock(&l->lock);
153 return s;
154}
155
156static struct sock *__l2cap_get_chan_by_ident(struct l2cap_chan_list *l, u8 ident)
157{
158 struct sock *s;
159 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
160 if (l2cap_pi(s)->ident == ident)
161 break;
162 }
163 return s;
164}
165
166static inline struct sock *l2cap_get_chan_by_ident(struct l2cap_chan_list *l, u8 ident)
167{
168 struct sock *s;
169 read_lock(&l->lock);
170 s = __l2cap_get_chan_by_ident(l, ident);
af05b30b
GP		 171 if (s)
172 bh_lock_sock(s);
0139418c
MH		 173 read_unlock(&l->lock);
174 return s;
175}
176
177static u16 l2cap_alloc_cid(struct l2cap_chan_list *l)
178{
8db4dc46 179 u16 cid = L2CAP_CID_DYN_START;
0139418c 180
8db4dc46 181 for (; cid < L2CAP_CID_DYN_END; cid++) {
af05b30b 182 if (!__l2cap_get_chan_by_scid(l, cid))
0139418c
MH		 183 return cid;
184 }
185
186 return 0;
187}
188
189static inline void __l2cap_chan_link(struct l2cap_chan_list *l, struct sock *sk)
190{
191 sock_hold(sk);
192
193 if (l->head)
194 l2cap_pi(l->head)->prev_c = sk;
195
196 l2cap_pi(sk)->next_c = l->head;
197 l2cap_pi(sk)->prev_c = NULL;
198 l->head = sk;
199}
200
201static inline void l2cap_chan_unlink(struct l2cap_chan_list *l, struct sock *sk)
202{
203 struct sock *next = l2cap_pi(sk)->next_c, *prev = l2cap_pi(sk)->prev_c;
204
fd1278d7 205 write_lock_bh(&l->lock);
0139418c
MH		 206 if (sk == l->head)
207 l->head = next;
208
209 if (next)
210 l2cap_pi(next)->prev_c = prev;
211 if (prev)
212 l2cap_pi(prev)->next_c = next;
fd1278d7 213 write_unlock_bh(&l->lock);
0139418c
MH		 214
215 __sock_put(sk);
216}
217
218static void __l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent)
219{
220 struct l2cap_chan_list *l = &conn->chan_list;
221
af05b30b
GP		 222 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
223 l2cap_pi(sk)->psm, l2cap_pi(sk)->dcid);
0139418c 224
2950f21a
MH		 225 conn->disc_reason = 0x13;
226
0139418c
MH		 227 l2cap_pi(sk)->conn = conn;
228
bd3c9e25 229 if (sk->sk_type == SOCK_SEQPACKET || sk->sk_type == SOCK_STREAM) {
0139418c
MH		 230 /* Alloc CID for connection-oriented socket */
231 l2cap_pi(sk)->scid = l2cap_alloc_cid(l);
232 } else if (sk->sk_type == SOCK_DGRAM) {
233 /* Connectionless socket */
8db4dc46
GP		 234 l2cap_pi(sk)->scid = L2CAP_CID_CONN_LESS;
235 l2cap_pi(sk)->dcid = L2CAP_CID_CONN_LESS;
0139418c
MH		 236 l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU;
237 } else {
238 /* Raw socket can send/recv signalling messages only */
8db4dc46
GP		 239 l2cap_pi(sk)->scid = L2CAP_CID_SIGNALING;
240 l2cap_pi(sk)->dcid = L2CAP_CID_SIGNALING;
0139418c
MH		 241 l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU;
242 }
243
244 __l2cap_chan_link(l, sk);
245
246 if (parent)
247 bt_accept_enqueue(parent, sk);
248}
249
8e87d142 250/* Delete channel.
0139418c
MH		 251 * Must be called on the locked socket. */
252static void l2cap_chan_del(struct sock *sk, int err)
253{
254 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
255 struct sock *parent = bt_sk(sk)->parent;
256
257 l2cap_sock_clear_timer(sk);
258
259 BT_DBG("sk %p, conn %p, err %d", sk, conn, err);
260
8e87d142 261 if (conn) {
0139418c
MH		 262 /* Unlink from channel list */
263 l2cap_chan_unlink(&conn->chan_list, sk);
264 l2cap_pi(sk)->conn = NULL;
265 hci_conn_put(conn->hcon);
266 }
267
b1235d79 268 sk->sk_state = BT_CLOSED;
0139418c
MH		 269 sock_set_flag(sk, SOCK_ZAPPED);
270
271 if (err)
272 sk->sk_err = err;
273
274 if (parent) {
275 bt_accept_unlink(sk);
276 parent->sk_data_ready(parent, 0);
277 } else
278 sk->sk_state_change(sk);
c13ffa62
GP		 279
280 skb_queue_purge(TX_QUEUE(sk));
281
282 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM) {
283 struct srej_list *l, *tmp;
284
285 del_timer(&l2cap_pi(sk)->retrans_timer);
286 del_timer(&l2cap_pi(sk)->monitor_timer);
287 del_timer(&l2cap_pi(sk)->ack_timer);
288
289 skb_queue_purge(SREJ_QUEUE(sk));
290 skb_queue_purge(BUSY_QUEUE(sk));
291
292 list_for_each_entry_safe(l, tmp, SREJ_LIST(sk), list) {
293 list_del(&l->list);
294 kfree(l);
295 }
296 }
0139418c
MH		 297}
298
79d554a6 299/* Service level security */
2af6b9d5 300static inline int l2cap_check_security(struct sock *sk)
79d554a6
MH		 301{
302 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
0684e5f9
MH		 303 __u8 auth_type;
304
00ae4af9
MH		 305 if (l2cap_pi(sk)->psm == cpu_to_le16(0x0001)) {
306 if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
307 auth_type = HCI_AT_NO_BONDING_MITM;
308 else
af05b30b 309 auth_type = HCI_AT_NO_BONDING;
00ae4af9
MH		 310
311 if (l2cap_pi(sk)->sec_level == BT_SECURITY_LOW)
312 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
313 } else {
314 switch (l2cap_pi(sk)->sec_level) {
315 case BT_SECURITY_HIGH:
316 auth_type = HCI_AT_GENERAL_BONDING_MITM;
317 break;
318 case BT_SECURITY_MEDIUM:
319 auth_type = HCI_AT_GENERAL_BONDING;
320 break;
321 default:
322 auth_type = HCI_AT_NO_BONDING;
323 break;
324 }
0684e5f9 325 }
79d554a6 326
0684e5f9
MH		 327 return hci_conn_security(conn->hcon, l2cap_pi(sk)->sec_level,
328 auth_type);
79d554a6
MH		 329}
330
4e8402a3
MH		 331static inline u8 l2cap_get_ident(struct l2cap_conn *conn)
332{
333 u8 id;
334
335 /* Get next available identificator.
336 * 1 - 128 are used by kernel.
337 * 129 - 199 are reserved.
338 * 200 - 254 are used by utilities like l2ping, etc.
339 */
340
341 spin_lock_bh(&conn->lock);
342
343 if (++conn->tx_ident > 128)
344 conn->tx_ident = 1;
345
346 id = conn->tx_ident;
347
348 spin_unlock_bh(&conn->lock);
349
350 return id;
351}
352
9a9c6a34 353static inline void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
4e8402a3
MH		 354{
355 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
356
357 BT_DBG("code 0x%2.2x", code);
358
359 if (!skb)
9a9c6a34 360 return;
4e8402a3 361
9a9c6a34 362 hci_send_acl(conn->hcon, skb, 0);
4e8402a3
MH		 363}
364
9a9c6a34 365static inline void l2cap_send_sframe(struct l2cap_pinfo *pi, u16 control)
1c2acffb
GP		 366{
367 struct sk_buff *skb;
368 struct l2cap_hdr *lh;
369 struct l2cap_conn *conn = pi->conn;
c13ffa62 370 struct sock *sk = (struct sock *)pi;
fcc203c3
GP		 371 int count, hlen = L2CAP_HDR_SIZE + 2;
372
c13ffa62
GP		 373 if (sk->sk_state != BT_CONNECTED)
374 return;
375
fcc203c3
GP		 376 if (pi->fcs == L2CAP_FCS_CRC16)
377 hlen += 2;
1c2acffb
GP		 378
379 BT_DBG("pi %p, control 0x%2.2x", pi, control);
380
fcc203c3 381 count = min_t(unsigned int, conn->mtu, hlen);
1c2acffb
GP		 382 control |= L2CAP_CTRL_FRAME_TYPE;
383
9e917af1
GP		 384 if (pi->conn_state & L2CAP_CONN_SEND_FBIT) {
385 control |= L2CAP_CTRL_FINAL;
386 pi->conn_state &= ~L2CAP_CONN_SEND_FBIT;
387 }
388
f0946ccf
GP		 389 if (pi->conn_state & L2CAP_CONN_SEND_PBIT) {
390 control |= L2CAP_CTRL_POLL;
391 pi->conn_state &= ~L2CAP_CONN_SEND_PBIT;
392 }
393
1c2acffb
GP		 394 skb = bt_skb_alloc(count, GFP_ATOMIC);
395 if (!skb)
9a9c6a34 396 return;
1c2acffb
GP		 397
398 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fcc203c3 399 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
1c2acffb
GP		 400 lh->cid = cpu_to_le16(pi->dcid);
401 put_unaligned_le16(control, skb_put(skb, 2));
402
fcc203c3
GP		 403 if (pi->fcs == L2CAP_FCS_CRC16) {
404 u16 fcs = crc16(0, (u8 *)lh, count - 2);
405 put_unaligned_le16(fcs, skb_put(skb, 2));
406 }
407
9a9c6a34 408 hci_send_acl(pi->conn->hcon, skb, 0);
1c2acffb
GP		 409}
410
9a9c6a34 411static inline void l2cap_send_rr_or_rnr(struct l2cap_pinfo *pi, u16 control)
7e743090 412{
1890d36b 413 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) {
7e743090 414 control |= L2CAP_SUPER_RCV_NOT_READY;
1890d36b
GP		 415 pi->conn_state |= L2CAP_CONN_RNR_SENT;
416 } else
7e743090
GP		 417 control |= L2CAP_SUPER_RCV_READY;
418
2ab25cdd
GP		 419 control |= pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
420
9a9c6a34 421 l2cap_send_sframe(pi, control);
7e743090
GP		 422}
423
e501d055
AE		 424static inline int __l2cap_no_conn_pending(struct sock *sk)
425{
426 return !(l2cap_pi(sk)->conf_state & L2CAP_CONF_CONNECT_PEND);
427}
428
79d554a6
MH		 429static void l2cap_do_start(struct sock *sk)
430{
431 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
432
433 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 434 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
435 return;
436
e501d055 437 if (l2cap_check_security(sk) && __l2cap_no_conn_pending(sk)) {
b1235d79
MH		 438 struct l2cap_conn_req req;
439 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
440 req.psm = l2cap_pi(sk)->psm;
79d554a6 441
b1235d79 442 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
e501d055 443 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
79d554a6 444
b1235d79 445 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
79d554a6 446 L2CAP_CONN_REQ, sizeof(req), &req);
b1235d79 447 }
79d554a6
MH		 448 } else {
449 struct l2cap_info_req req;
450 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
451
452 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
453 conn->info_ident = l2cap_get_ident(conn);
454
455 mod_timer(&conn->info_timer, jiffies +
456 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
457
458 l2cap_send_cmd(conn, conn->info_ident,
459 L2CAP_INFO_REQ, sizeof(req), &req);
460 }
461}
462
cf6c2c0b
GP		 463static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
464{
465 u32 local_feat_mask = l2cap_feat_mask;
466 if (enable_ertm)
467 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
468
469 switch (mode) {
470 case L2CAP_MODE_ERTM:
471 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
472 case L2CAP_MODE_STREAMING:
473 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
474 default:
475 return 0x00;
476 }
477}
478
9b108fc0 479static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct sock *sk, int err)
22121fc9
GP		 480{
481 struct l2cap_disconn_req req;
482
c13ffa62
GP		 483 if (!conn)
484 return;
485
486 skb_queue_purge(TX_QUEUE(sk));
487
488 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM) {
489 del_timer(&l2cap_pi(sk)->retrans_timer);
490 del_timer(&l2cap_pi(sk)->monitor_timer);
491 del_timer(&l2cap_pi(sk)->ack_timer);
492 }
493
22121fc9
GP		 494 req.dcid = cpu_to_le16(l2cap_pi(sk)->dcid);
495 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
496 l2cap_send_cmd(conn, l2cap_get_ident(conn),
497 L2CAP_DISCONN_REQ, sizeof(req), &req);
c13ffa62
GP		 498
499 sk->sk_state = BT_DISCONN;
9b108fc0 500 sk->sk_err = err;
22121fc9
GP		 501}
502
1da177e4 503/* ---- L2CAP connections ---- */
4e8402a3
MH		 504static void l2cap_conn_start(struct l2cap_conn *conn)
505{
506 struct l2cap_chan_list *l = &conn->chan_list;
cf6c2c0b 507 struct sock_del_list del, *tmp1, *tmp2;
4e8402a3
MH		 508 struct sock *sk;
509
510 BT_DBG("conn %p", conn);
511
cf6c2c0b
GP		 512 INIT_LIST_HEAD(&del.list);
513
4e8402a3
MH		 514 read_lock(&l->lock);
515
516 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
517 bh_lock_sock(sk);
518
bd3c9e25
GP		 519 if (sk->sk_type != SOCK_SEQPACKET &&
520 sk->sk_type != SOCK_STREAM) {
79d554a6
MH		 521 bh_unlock_sock(sk);
522 continue;
523 }
524
525 if (sk->sk_state == BT_CONNECT) {
47731de7 526 struct l2cap_conn_req req;
79d554a6 527
47731de7
GP		 528 if (!l2cap_check_security(sk) ||
529 !__l2cap_no_conn_pending(sk)) {
530 bh_unlock_sock(sk);
531 continue;
532 }
79d554a6 533
47731de7
GP		 534 if (!l2cap_mode_supported(l2cap_pi(sk)->mode,
535 conn->feat_mask)
536 && l2cap_pi(sk)->conf_state &
537 L2CAP_CONF_STATE2_DEVICE) {
538 tmp1 = kzalloc(sizeof(struct sock_del_list),
539 GFP_ATOMIC);
540 tmp1->sk = sk;
541 list_add_tail(&tmp1->list, &del.list);
542 bh_unlock_sock(sk);
543 continue;
b1235d79 544 }
47731de7
GP		 545
546 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
547 req.psm = l2cap_pi(sk)->psm;
548
549 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
550 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
551
552 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
553 L2CAP_CONN_REQ, sizeof(req), &req);
554
79d554a6
MH		 555 } else if (sk->sk_state == BT_CONNECT2) {
556 struct l2cap_conn_rsp rsp;
e9aeb2dd 557 char buf[128];
79d554a6
MH		 558 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
559 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
560
2af6b9d5 561 if (l2cap_check_security(sk)) {
f66dc81f
MH		 562 if (bt_sk(sk)->defer_setup) {
563 struct sock *parent = bt_sk(sk)->parent;
564 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
565 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
566 parent->sk_data_ready(parent, 0);
567
568 } else {
569 sk->sk_state = BT_CONFIG;
570 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
571 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
572 }
79d554a6
MH		 573 } else {
574 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
575 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
576 }
577
578 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
579 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
e9aeb2dd
GP		 580
581 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT ||
582 rsp.result != L2CAP_CR_SUCCESS) {
583 bh_unlock_sock(sk);
584 continue;
585 }
586
587 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
588 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
589 l2cap_build_conf_req(sk, buf), buf);
590 l2cap_pi(sk)->num_conf_req++;
4e8402a3
MH		 591 }
592
593 bh_unlock_sock(sk);
594 }
595
596 read_unlock(&l->lock);
cf6c2c0b
GP		 597
598 list_for_each_entry_safe(tmp1, tmp2, &del.list, list) {
599 bh_lock_sock(tmp1->sk);
600 __l2cap_sock_close(tmp1->sk, ECONNRESET);
601 bh_unlock_sock(tmp1->sk);
602 list_del(&tmp1->list);
603 kfree(tmp1);
604 }
4e8402a3
MH		 605}
606
607static void l2cap_conn_ready(struct l2cap_conn *conn)
608{
79d554a6
MH		 609 struct l2cap_chan_list *l = &conn->chan_list;
610 struct sock *sk;
4e8402a3 611
79d554a6 612 BT_DBG("conn %p", conn);
4e8402a3 613
79d554a6 614 read_lock(&l->lock);
4e8402a3 615
79d554a6
MH		 616 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
617 bh_lock_sock(sk);
4e8402a3 618
bd3c9e25
GP		 619 if (sk->sk_type != SOCK_SEQPACKET &&
620 sk->sk_type != SOCK_STREAM) {
79d554a6
MH		 621 l2cap_sock_clear_timer(sk);
622 sk->sk_state = BT_CONNECTED;
623 sk->sk_state_change(sk);
624 } else if (sk->sk_state == BT_CONNECT)
625 l2cap_do_start(sk);
4e8402a3 626
79d554a6 627 bh_unlock_sock(sk);
4e8402a3 628 }
79d554a6
MH		 629
630 read_unlock(&l->lock);
4e8402a3
MH		 631}
632
633/* Notify sockets that we cannot guaranty reliability anymore */
634static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
635{
636 struct l2cap_chan_list *l = &conn->chan_list;
637 struct sock *sk;
638
639 BT_DBG("conn %p", conn);
640
641 read_lock(&l->lock);
642
643 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
2af6b9d5 644 if (l2cap_pi(sk)->force_reliable)
4e8402a3
MH		 645 sk->sk_err = err;
646 }
647
648 read_unlock(&l->lock);
649}
650
651static void l2cap_info_timeout(unsigned long arg)
652{
653 struct l2cap_conn *conn = (void *) arg;
654
984947dc 655 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 656 conn->info_ident = 0;
984947dc 657
4e8402a3
MH		 658 l2cap_conn_start(conn);
659}
660
1da177e4
LT		 661static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
662{
0139418c 663 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4 664
0139418c 665 if (conn || status)
1da177e4
LT		 666 return conn;
667
0139418c
MH		 668 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
669 if (!conn)
1da177e4 670 return NULL;
1da177e4
LT		 671
672 hcon->l2cap_data = conn;
673 conn->hcon = hcon;
674
0139418c
MH		 675 BT_DBG("hcon %p conn %p", hcon, conn);
676
1da177e4
LT		 677 conn->mtu = hcon->hdev->acl_mtu;
678 conn->src = &hcon->hdev->bdaddr;
679 conn->dst = &hcon->dst;
680
4e8402a3
MH		 681 conn->feat_mask = 0;
682
1da177e4
LT		 683 spin_lock_init(&conn->lock);
684 rwlock_init(&conn->chan_list.lock);
685
45054dc1
DY		 686 setup_timer(&conn->info_timer, l2cap_info_timeout,
687 (unsigned long) conn);
688
2950f21a
MH		 689 conn->disc_reason = 0x13;
690
1da177e4
LT		 691 return conn;
692}
693
0139418c 694static void l2cap_conn_del(struct hci_conn *hcon, int err)
1da177e4 695{
0139418c 696 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4
LT		 697 struct sock *sk;
698
0139418c
MH		 699 if (!conn)
700 return;
1da177e4
LT		 701
702 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
703
7585b97a 704 kfree_skb(conn->rx_skb);
1da177e4
LT		 705
706 /* Kill channels */
707 while ((sk = conn->chan_list.head)) {
708 bh_lock_sock(sk);
709 l2cap_chan_del(sk, err);
710 bh_unlock_sock(sk);
711 l2cap_sock_kill(sk);
712 }
713
8e8440f5
DY		 714 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
715 del_timer_sync(&conn->info_timer);
3ab22731 716
1da177e4
LT		 717 hcon->l2cap_data = NULL;
718 kfree(conn);
1da177e4
LT		 719}
720
721static inline void l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent)
722{
723 struct l2cap_chan_list *l = &conn->chan_list;
fd1278d7 724 write_lock_bh(&l->lock);
1da177e4 725 __l2cap_chan_add(conn, sk, parent);
fd1278d7 726 write_unlock_bh(&l->lock);
1da177e4
LT		 727}
728
1da177e4 729/* ---- Socket interface ---- */
8e036fc3 730static struct sock *__l2cap_get_sock_by_addr(__le16 psm, bdaddr_t *src)
1da177e4
LT		 731{
732 struct sock *sk;
733 struct hlist_node *node;
734 sk_for_each(sk, node, &l2cap_sk_list.head)
735 if (l2cap_pi(sk)->sport == psm && !bacmp(&bt_sk(sk)->src, src))
736 goto found;
737 sk = NULL;
738found:
739 return sk;
740}
741
742/* Find socket with psm and source bdaddr.
743 * Returns closest match.
744 */
8e036fc3 745static struct sock *__l2cap_get_sock_by_psm(int state, __le16 psm, bdaddr_t *src)
1da177e4
LT		 746{
747 struct sock *sk = NULL, *sk1 = NULL;
748 struct hlist_node *node;
749
750 sk_for_each(sk, node, &l2cap_sk_list.head) {
751 if (state && sk->sk_state != state)
752 continue;
753
754 if (l2cap_pi(sk)->psm == psm) {
755 /* Exact match. */
756 if (!bacmp(&bt_sk(sk)->src, src))
757 break;
758
759 /* Closest match */
760 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
761 sk1 = sk;
762 }
763 }
764 return node ? sk : sk1;
765}
766
767/* Find socket with given address (psm, src).
768 * Returns locked socket */
8e036fc3 769static inline struct sock *l2cap_get_sock_by_psm(int state, __le16 psm, bdaddr_t *src)
1da177e4
LT		 770{
771 struct sock *s;
772 read_lock(&l2cap_sk_list.lock);
773 s = __l2cap_get_sock_by_psm(state, psm, src);
af05b30b
GP		 774 if (s)
775 bh_lock_sock(s);
1da177e4
LT		 776 read_unlock(&l2cap_sk_list.lock);
777 return s;
778}
779
780static void l2cap_sock_destruct(struct sock *sk)
781{
782 BT_DBG("sk %p", sk);
783
784 skb_queue_purge(&sk->sk_receive_queue);
785 skb_queue_purge(&sk->sk_write_queue);
786}
787
788static void l2cap_sock_cleanup_listen(struct sock *parent)
789{
790 struct sock *sk;
791
792 BT_DBG("parent %p", parent);
793
794 /* Close not yet accepted channels */
795 while ((sk = bt_accept_dequeue(parent, NULL)))
796 l2cap_sock_close(sk);
797
b1235d79 798 parent->sk_state = BT_CLOSED;
1da177e4
LT		 799 sock_set_flag(parent, SOCK_ZAPPED);
800}
801
802/* Kill socket (only if zapped and orphan)
803 * Must be called on unlocked socket.
804 */
805static void l2cap_sock_kill(struct sock *sk)
806{
807 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
808 return;
809
810 BT_DBG("sk %p state %d", sk, sk->sk_state);
811
812 /* Kill poor orphan */
813 bt_sock_unlink(&l2cap_sk_list, sk);
814 sock_set_flag(sk, SOCK_DEAD);
815 sock_put(sk);
816}
817
818static void __l2cap_sock_close(struct sock *sk, int reason)
819{
820 BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
821
822 switch (sk->sk_state) {
823 case BT_LISTEN:
824 l2cap_sock_cleanup_listen(sk);
825 break;
826
827 case BT_CONNECTED:
828 case BT_CONFIG:
bd3c9e25
GP		 829 if (sk->sk_type == SOCK_SEQPACKET ||
830 sk->sk_type == SOCK_STREAM) {
1da177e4 831 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1da177e4 832
1da177e4 833 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
9b108fc0 834 l2cap_send_disconn_req(conn, sk, reason);
b1235d79 835 } else
1da177e4 836 l2cap_chan_del(sk, reason);
1da177e4
LT		 837 break;
838
f66dc81f 839 case BT_CONNECT2:
bd3c9e25
GP		 840 if (sk->sk_type == SOCK_SEQPACKET ||
841 sk->sk_type == SOCK_STREAM) {
f66dc81f
MH		 842 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
843 struct l2cap_conn_rsp rsp;
844 __u16 result;
845
846 if (bt_sk(sk)->defer_setup)
847 result = L2CAP_CR_SEC_BLOCK;
848 else
849 result = L2CAP_CR_BAD_PSM;
850
851 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
852 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
853 rsp.result = cpu_to_le16(result);
854 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
855 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
856 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
857 } else
858 l2cap_chan_del(sk, reason);
859 break;
860
1da177e4
LT		 861 case BT_CONNECT:
862 case BT_DISCONN:
863 l2cap_chan_del(sk, reason);
864 break;
865
866 default:
867 sock_set_flag(sk, SOCK_ZAPPED);
868 break;
869 }
870}
871
872/* Must be called on unlocked socket. */
873static void l2cap_sock_close(struct sock *sk)
874{
875 l2cap_sock_clear_timer(sk);
876 lock_sock(sk);
877 __l2cap_sock_close(sk, ECONNRESET);
878 release_sock(sk);
879 l2cap_sock_kill(sk);
880}
881
882static void l2cap_sock_init(struct sock *sk, struct sock *parent)
883{
884 struct l2cap_pinfo *pi = l2cap_pi(sk);
885
886 BT_DBG("sk %p", sk);
887
888 if (parent) {
889 sk->sk_type = parent->sk_type;
f66dc81f
MH		 890 bt_sk(sk)->defer_setup = bt_sk(parent)->defer_setup;
891
1da177e4
LT		 892 pi->imtu = l2cap_pi(parent)->imtu;
893 pi->omtu = l2cap_pi(parent)->omtu;
85eb53c6 894 pi->conf_state = l2cap_pi(parent)->conf_state;
c6b03cf9
MH		 895 pi->mode = l2cap_pi(parent)->mode;
896 pi->fcs = l2cap_pi(parent)->fcs;
68d7f0ce 897 pi->max_tx = l2cap_pi(parent)->max_tx;
14b5aa71 898 pi->tx_win = l2cap_pi(parent)->tx_win;
2af6b9d5
MH		 899 pi->sec_level = l2cap_pi(parent)->sec_level;
900 pi->role_switch = l2cap_pi(parent)->role_switch;
901 pi->force_reliable = l2cap_pi(parent)->force_reliable;
1da177e4
LT		 902 } else {
903 pi->imtu = L2CAP_DEFAULT_MTU;
904 pi->omtu = 0;
85eb53c6 905 if (enable_ertm && sk->sk_type == SOCK_STREAM) {
bd3c9e25 906 pi->mode = L2CAP_MODE_ERTM;
85eb53c6
GP		 907 pi->conf_state |= L2CAP_CONF_STATE2_DEVICE;
908 } else {
bd3c9e25 909 pi->mode = L2CAP_MODE_BASIC;
85eb53c6 910 }
fd059b9b 911 pi->max_tx = L2CAP_DEFAULT_MAX_TX;
c6b03cf9 912 pi->fcs = L2CAP_FCS_CRC16;
fd059b9b 913 pi->tx_win = L2CAP_DEFAULT_TX_WINDOW;
2af6b9d5
MH		 914 pi->sec_level = BT_SECURITY_LOW;
915 pi->role_switch = 0;
916 pi->force_reliable = 0;
1da177e4
LT		 917 }
918
919 /* Default config options */
5dee9e7c 920 pi->conf_len = 0;
1da177e4 921 pi->flush_to = L2CAP_DEFAULT_FLUSH_TO;
45054dc1
DY		 922 skb_queue_head_init(TX_QUEUE(sk));
923 skb_queue_head_init(SREJ_QUEUE(sk));
1890d36b 924 skb_queue_head_init(BUSY_QUEUE(sk));
45054dc1 925 INIT_LIST_HEAD(SREJ_LIST(sk));
1da177e4
LT		 926}
927
928static struct proto l2cap_proto = {
929 .name = "L2CAP",
930 .owner = THIS_MODULE,
931 .obj_size = sizeof(struct l2cap_pinfo)
932};
933
1b8d7ae4 934static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio)
1da177e4
LT		 935{
936 struct sock *sk;
937
6257ff21 938 sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto);
1da177e4
LT		 939 if (!sk)
940 return NULL;
941
942 sock_init_data(sock, sk);
943 INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
944
945 sk->sk_destruct = l2cap_sock_destruct;
4e8402a3 946 sk->sk_sndtimeo = msecs_to_jiffies(L2CAP_CONN_TIMEOUT);
1da177e4
LT		 947
948 sock_reset_flag(sk, SOCK_ZAPPED);
949
950 sk->sk_protocol = proto;
b1235d79 951 sk->sk_state = BT_OPEN;
1da177e4 952
b1235d79 953 setup_timer(&sk->sk_timer, l2cap_sock_timeout, (unsigned long) sk);
1da177e4
LT		 954
955 bt_sock_link(&l2cap_sk_list, sk);
956 return sk;
957}
958
3f378b68
EP		 959static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
960 int kern)
1da177e4
LT		 961{
962 struct sock *sk;
963
964 BT_DBG("sock %p", sock);
965
966 sock->state = SS_UNCONNECTED;
967
bd3c9e25 968 if (sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM &&
1da177e4
LT		 969 sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
970 return -ESOCKTNOSUPPORT;
971
c84b3268 972 if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
1da177e4
LT		 973 return -EPERM;
974
975 sock->ops = &l2cap_sock_ops;
976
1b8d7ae4 977 sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC);
1da177e4
LT		 978 if (!sk)
979 return -ENOMEM;
980
981 l2cap_sock_init(sk, NULL);
982 return 0;
983}
984
f29972de 985static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
1da177e4 986{
1da177e4 987 struct sock *sk = sock->sk;
f29972de
MH		 988 struct sockaddr_l2 la;
989 int len, err = 0;
1da177e4 990
f29972de 991 BT_DBG("sk %p", sk);
1da177e4
LT		 992
993 if (!addr || addr->sa_family != AF_BLUETOOTH)
994 return -EINVAL;
995
f29972de
MH		 996 memset(&la, 0, sizeof(la));
997 len = min_t(unsigned int, sizeof(la), alen);
998 memcpy(&la, addr, len);
999
2a517ca6
MH		 1000 if (la.l2_cid)
1001 return -EINVAL;
1002
1da177e4
LT		 1003 lock_sock(sk);
1004
1005 if (sk->sk_state != BT_OPEN) {
1006 err = -EBADFD;
1007 goto done;
1008 }
1009
b4324b5d 1010 if (la.l2_psm && __le16_to_cpu(la.l2_psm) < 0x1001 &&
847641d7
MH		 1011 !capable(CAP_NET_BIND_SERVICE)) {
1012 err = -EACCES;
1013 goto done;
1014 }
8e87d142 1015
1da177e4
LT		 1016 write_lock_bh(&l2cap_sk_list.lock);
1017
f29972de 1018 if (la.l2_psm && __l2cap_get_sock_by_addr(la.l2_psm, &la.l2_bdaddr)) {
1da177e4
LT		 1019 err = -EADDRINUSE;
1020 } else {
1021 /* Save source address */
f29972de
MH		 1022 bacpy(&bt_sk(sk)->src, &la.l2_bdaddr);
1023 l2cap_pi(sk)->psm = la.l2_psm;
1024 l2cap_pi(sk)->sport = la.l2_psm;
1da177e4 1025 sk->sk_state = BT_BOUND;
2af6b9d5 1026
b4324b5d
MH		 1027 if (__le16_to_cpu(la.l2_psm) == 0x0001 ||
1028 __le16_to_cpu(la.l2_psm) == 0x0003)
2af6b9d5 1029 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
1da177e4
LT		 1030 }
1031
1032 write_unlock_bh(&l2cap_sk_list.lock);
1033
1034done:
1035 release_sock(sk);
1036 return err;
1037}
1038
1039static int l2cap_do_connect(struct sock *sk)
1040{
1041 bdaddr_t *src = &bt_sk(sk)->src;
1042 bdaddr_t *dst = &bt_sk(sk)->dst;
1043 struct l2cap_conn *conn;
1044 struct hci_conn *hcon;
1045 struct hci_dev *hdev;
09ab6f4c 1046 __u8 auth_type;
44d0e48e 1047 int err;
1da177e4 1048
f29972de
MH		 1049 BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
1050 l2cap_pi(sk)->psm);
1da177e4 1051
af05b30b
GP		 1052 hdev = hci_get_route(dst, src);
1053 if (!hdev)
1da177e4
LT		 1054 return -EHOSTUNREACH;
1055
1056 hci_dev_lock_bh(hdev);
1057
1058 err = -ENOMEM;
1059
8c1b2355 1060 if (sk->sk_type == SOCK_RAW) {
2af6b9d5
MH		 1061 switch (l2cap_pi(sk)->sec_level) {
1062 case BT_SECURITY_HIGH:
8c1b2355 1063 auth_type = HCI_AT_DEDICATED_BONDING_MITM;
2af6b9d5
MH		 1064 break;
1065 case BT_SECURITY_MEDIUM:
8c1b2355 1066 auth_type = HCI_AT_DEDICATED_BONDING;
2af6b9d5
MH		 1067 break;
1068 default:
09ab6f4c 1069 auth_type = HCI_AT_NO_BONDING;
2af6b9d5
MH		 1070 break;
1071 }
8c1b2355 1072 } else if (l2cap_pi(sk)->psm == cpu_to_le16(0x0001)) {
2af6b9d5 1073 if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
8c1b2355 1074 auth_type = HCI_AT_NO_BONDING_MITM;
09ab6f4c 1075 else
8c1b2355 1076 auth_type = HCI_AT_NO_BONDING;
435fef20
MH		 1077
1078 if (l2cap_pi(sk)->sec_level == BT_SECURITY_LOW)
1079 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
8c1b2355 1080 } else {
2af6b9d5
MH		 1081 switch (l2cap_pi(sk)->sec_level) {
1082 case BT_SECURITY_HIGH:
8c1b2355 1083 auth_type = HCI_AT_GENERAL_BONDING_MITM;
2af6b9d5
MH		 1084 break;
1085 case BT_SECURITY_MEDIUM:
09ab6f4c 1086 auth_type = HCI_AT_GENERAL_BONDING;
2af6b9d5
MH		 1087 break;
1088 default:
8c1b2355 1089 auth_type = HCI_AT_NO_BONDING;
2af6b9d5
MH		 1090 break;
1091 }
09ab6f4c
MH		 1092 }
1093
2af6b9d5
MH		 1094 hcon = hci_connect(hdev, ACL_LINK, dst,
1095 l2cap_pi(sk)->sec_level, auth_type);
1da177e4
LT		 1096 if (!hcon)
1097 goto done;
1098
1099 conn = l2cap_conn_add(hcon, 0);
1100 if (!conn) {
1101 hci_conn_put(hcon);
1102 goto done;
1103 }
1104
1105 err = 0;
1106
1107 /* Update source addr of the socket */
1108 bacpy(src, conn->src);
1109
1110 l2cap_chan_add(conn, sk, NULL);
1111
1112 sk->sk_state = BT_CONNECT;
1113 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
1114
1115 if (hcon->state == BT_CONNECTED) {
bd3c9e25
GP		 1116 if (sk->sk_type != SOCK_SEQPACKET &&
1117 sk->sk_type != SOCK_STREAM) {
1da177e4
LT		 1118 l2cap_sock_clear_timer(sk);
1119 sk->sk_state = BT_CONNECTED;
79d554a6
MH		 1120 } else
1121 l2cap_do_start(sk);
1da177e4
LT		 1122 }
1123
1124done:
1125 hci_dev_unlock_bh(hdev);
1126 hci_dev_put(hdev);
1127 return err;
1128}
1129
1130static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags)
1131{
1da177e4 1132 struct sock *sk = sock->sk;
f29972de
MH		 1133 struct sockaddr_l2 la;
1134 int len, err = 0;
1da177e4 1135
1da177e4
LT		 1136 BT_DBG("sk %p", sk);
1137
6503d961
CG		 1138 if (!addr || alen < sizeof(addr->sa_family) ||
1139 addr->sa_family != AF_BLUETOOTH)
2a517ca6 1140 return -EINVAL;
1da177e4 1141
f29972de
MH		 1142 memset(&la, 0, sizeof(la));
1143 len = min_t(unsigned int, sizeof(la), alen);
1144 memcpy(&la, addr, len);
1145
2a517ca6
MH		 1146 if (la.l2_cid)
1147 return -EINVAL;
1148
1149 lock_sock(sk);
1150
bd3c9e25
GP		 1151 if ((sk->sk_type == SOCK_SEQPACKET || sk->sk_type == SOCK_STREAM)
1152 && !la.l2_psm) {
1da177e4
LT		 1153 err = -EINVAL;
1154 goto done;
1155 }
1156
c6b03cf9
MH		 1157 switch (l2cap_pi(sk)->mode) {
1158 case L2CAP_MODE_BASIC:
1159 break;
1160 case L2CAP_MODE_ERTM:
f2fcfcd6 1161 case L2CAP_MODE_STREAMING:
c6b03cf9
MH		 1162 if (enable_ertm)
1163 break;
1164 /* fall through */
1165 default:
1166 err = -ENOTSUPP;
1167 goto done;
1168 }
1169
af05b30b 1170 switch (sk->sk_state) {
1da177e4
LT		 1171 case BT_CONNECT:
1172 case BT_CONNECT2:
1173 case BT_CONFIG:
1174 /* Already connecting */
1175 goto wait;
1176
1177 case BT_CONNECTED:
1178 /* Already connected */
8b0dc6dc 1179 err = -EISCONN;
1da177e4
LT		 1180 goto done;
1181
1182 case BT_OPEN:
1183 case BT_BOUND:
1184 /* Can connect */
1185 break;
1186
1187 default:
1188 err = -EBADFD;
1189 goto done;
1190 }
1191
1192 /* Set destination address and psm */
f29972de
MH		 1193 bacpy(&bt_sk(sk)->dst, &la.l2_bdaddr);
1194 l2cap_pi(sk)->psm = la.l2_psm;
1da177e4 1195
af05b30b
GP		 1196 err = l2cap_do_connect(sk);
1197 if (err)
1da177e4
LT		 1198 goto done;
1199
1200wait:
1201 err = bt_sock_wait_state(sk, BT_CONNECTED,
1202 sock_sndtimeo(sk, flags & O_NONBLOCK));
1203done:
1204 release_sock(sk);
1205 return err;
1206}
1207
1208static int l2cap_sock_listen(struct socket *sock, int backlog)
1209{
1210 struct sock *sk = sock->sk;
1211 int err = 0;
1212
1213 BT_DBG("sk %p backlog %d", sk, backlog);
1214
1215 lock_sock(sk);
1216
bd3c9e25
GP		 1217 if ((sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM)
1218 || sk->sk_state != BT_BOUND) {
1da177e4
LT		 1219 err = -EBADFD;
1220 goto done;
1221 }
1222
c6b03cf9
MH		 1223 switch (l2cap_pi(sk)->mode) {
1224 case L2CAP_MODE_BASIC:
1225 break;
1226 case L2CAP_MODE_ERTM:
f2fcfcd6 1227 case L2CAP_MODE_STREAMING:
c6b03cf9
MH		 1228 if (enable_ertm)
1229 break;
1230 /* fall through */
1231 default:
1232 err = -ENOTSUPP;
1233 goto done;
1234 }
1235
1da177e4
LT		 1236 if (!l2cap_pi(sk)->psm) {
1237 bdaddr_t *src = &bt_sk(sk)->src;
1238 u16 psm;
1239
1240 err = -EINVAL;
1241
1242 write_lock_bh(&l2cap_sk_list.lock);
1243
1244 for (psm = 0x1001; psm < 0x1100; psm += 2)
b4324b5d
MH		 1245 if (!__l2cap_get_sock_by_addr(cpu_to_le16(psm), src)) {
1246 l2cap_pi(sk)->psm = cpu_to_le16(psm);
1247 l2cap_pi(sk)->sport = cpu_to_le16(psm);
1da177e4
LT		 1248 err = 0;
1249 break;
1250 }
1251
1252 write_unlock_bh(&l2cap_sk_list.lock);
1253
1254 if (err < 0)
1255 goto done;
1256 }
1257
1258 sk->sk_max_ack_backlog = backlog;
1259 sk->sk_ack_backlog = 0;
1260 sk->sk_state = BT_LISTEN;
1261
1262done:
1263 release_sock(sk);
1264 return err;
1265}
1266
1267static int l2cap_sock_accept(struct socket *sock, struct socket *newsock, int flags)
1268{
1269 DECLARE_WAITQUEUE(wait, current);
1270 struct sock *sk = sock->sk, *nsk;
1271 long timeo;
1272 int err = 0;
1273
fcc70d5f 1274 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
1da177e4
LT		 1275
1276 if (sk->sk_state != BT_LISTEN) {
1277 err = -EBADFD;
1278 goto done;
1279 }
1280
1281 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
1282
1283 BT_DBG("sk %p timeo %ld", sk, timeo);
1284
1285 /* Wait for an incoming connection. (wake-one). */
aa395145 1286 add_wait_queue_exclusive(sk_sleep(sk), &wait);
1da177e4
LT		 1287 while (!(nsk = bt_accept_dequeue(sk, newsock))) {
1288 set_current_state(TASK_INTERRUPTIBLE);
1289 if (!timeo) {
1290 err = -EAGAIN;
1291 break;
1292 }
1293
1294 release_sock(sk);
1295 timeo = schedule_timeout(timeo);
fcc70d5f 1296 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
1da177e4
LT		 1297
1298 if (sk->sk_state != BT_LISTEN) {
1299 err = -EBADFD;
1300 break;
1301 }
1302
1303 if (signal_pending(current)) {
1304 err = sock_intr_errno(timeo);
1305 break;
1306 }
1307 }
1308 set_current_state(TASK_RUNNING);
aa395145 1309 remove_wait_queue(sk_sleep(sk), &wait);
1da177e4
LT		 1310
1311 if (err)
1312 goto done;
1313
1314 newsock->state = SS_CONNECTED;
1315
1316 BT_DBG("new socket %p", nsk);
1317
1318done:
1319 release_sock(sk);
1320 return err;
1321}
1322
1323static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr, int *len, int peer)
1324{
1325 struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
1326 struct sock *sk = sock->sk;
1327
1328 BT_DBG("sock %p, sk %p", sock, sk);
1329
1330 addr->sa_family = AF_BLUETOOTH;
1331 *len = sizeof(struct sockaddr_l2);
1332
f29972de
MH		 1333 if (peer) {
1334 la->l2_psm = l2cap_pi(sk)->psm;
1da177e4 1335 bacpy(&la->l2_bdaddr, &bt_sk(sk)->dst);
b4324b5d 1336 la->l2_cid = cpu_to_le16(l2cap_pi(sk)->dcid);
f29972de
MH		 1337 } else {
1338 la->l2_psm = l2cap_pi(sk)->sport;
1da177e4 1339 bacpy(&la->l2_bdaddr, &bt_sk(sk)->src);
b4324b5d 1340 la->l2_cid = cpu_to_le16(l2cap_pi(sk)->scid);
f29972de 1341 }
1da177e4 1342
1da177e4
LT		 1343 return 0;
1344}
1345
6161c038
GP		 1346static int __l2cap_wait_ack(struct sock *sk)
1347{
1348 DECLARE_WAITQUEUE(wait, current);
1349 int err = 0;
1350 int timeo = HZ/5;
1351
2b0b05dd 1352 add_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1353 while ((l2cap_pi(sk)->unacked_frames > 0 && l2cap_pi(sk)->conn)) {
1354 set_current_state(TASK_INTERRUPTIBLE);
1355
1356 if (!timeo)
1357 timeo = HZ/5;
1358
1359 if (signal_pending(current)) {
1360 err = sock_intr_errno(timeo);
1361 break;
1362 }
1363
1364 release_sock(sk);
1365 timeo = schedule_timeout(timeo);
1366 lock_sock(sk);
1367
1368 err = sock_error(sk);
1369 if (err)
1370 break;
1371 }
1372 set_current_state(TASK_RUNNING);
2b0b05dd 1373 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1374 return err;
1375}
1376
e90bac06
GP		 1377static void l2cap_monitor_timeout(unsigned long arg)
1378{
1379 struct sock *sk = (void *) arg;
e90bac06 1380
0e98958d
GP		 1381 BT_DBG("sk %p", sk);
1382
e686219a 1383 bh_lock_sock(sk);
e90bac06 1384 if (l2cap_pi(sk)->retry_count >= l2cap_pi(sk)->remote_max_tx) {
9b108fc0 1385 l2cap_send_disconn_req(l2cap_pi(sk)->conn, sk, ECONNABORTED);
b13f5860 1386 bh_unlock_sock(sk);
e90bac06
GP		 1387 return;
1388 }
1389
1390 l2cap_pi(sk)->retry_count++;
1391 __mod_monitor_timer();
1392
a2e12a2a 1393 l2cap_send_rr_or_rnr(l2cap_pi(sk), L2CAP_CTRL_POLL);
e686219a 1394 bh_unlock_sock(sk);
e90bac06
GP		 1395}
1396
1397static void l2cap_retrans_timeout(unsigned long arg)
1398{
1399 struct sock *sk = (void *) arg;
e90bac06 1400
0e98958d
GP		 1401 BT_DBG("sk %p", sk);
1402
e686219a 1403 bh_lock_sock(sk);
e90bac06
GP		 1404 l2cap_pi(sk)->retry_count = 1;
1405 __mod_monitor_timer();
1406
1407 l2cap_pi(sk)->conn_state |= L2CAP_CONN_WAIT_F;
1408
a2e12a2a 1409 l2cap_send_rr_or_rnr(l2cap_pi(sk), L2CAP_CTRL_POLL);
e686219a 1410 bh_unlock_sock(sk);
e90bac06
GP		 1411}
1412
1c2acffb 1413static void l2cap_drop_acked_frames(struct sock *sk)
1da177e4 1414{
1c2acffb 1415 struct sk_buff *skb;
1da177e4 1416
812e737e
GP		 1417 while ((skb = skb_peek(TX_QUEUE(sk))) &&
1418 l2cap_pi(sk)->unacked_frames) {
1c2acffb
GP		 1419 if (bt_cb(skb)->tx_seq == l2cap_pi(sk)->expected_ack_seq)
1420 break;
1da177e4 1421
1c2acffb
GP		 1422 skb = skb_dequeue(TX_QUEUE(sk));
1423 kfree_skb(skb);
1da177e4 1424
1c2acffb
GP		 1425 l2cap_pi(sk)->unacked_frames--;
1426 }
1da177e4 1427
e90bac06
GP		 1428 if (!l2cap_pi(sk)->unacked_frames)
1429 del_timer(&l2cap_pi(sk)->retrans_timer);
1c2acffb 1430}
1da177e4 1431
9a9c6a34 1432static inline void l2cap_do_send(struct sock *sk, struct sk_buff *skb)
1c2acffb
GP		 1433{
1434 struct l2cap_pinfo *pi = l2cap_pi(sk);
1c2acffb
GP		 1435
1436 BT_DBG("sk %p, skb %p len %d", sk, skb, skb->len);
1da177e4 1437
9a9c6a34 1438 hci_send_acl(pi->conn->hcon, skb, 0);
1c2acffb
GP		 1439}
1440
305682e8 1441static void l2cap_streaming_send(struct sock *sk)
6840ed07
GP		 1442{
1443 struct sk_buff *skb, *tx_skb;
1444 struct l2cap_pinfo *pi = l2cap_pi(sk);
fcc203c3 1445 u16 control, fcs;
6840ed07
GP		 1446
1447 while ((skb = sk->sk_send_head)) {
1448 tx_skb = skb_clone(skb, GFP_ATOMIC);
1449
1450 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
1451 control |= pi->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT;
1452 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1453
e8235c6b 1454 if (pi->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 1455 fcs = crc16(0, (u8 *)tx_skb->data, tx_skb->len - 2);
1456 put_unaligned_le16(fcs, tx_skb->data + tx_skb->len - 2);
1457 }
1458
9a9c6a34 1459 l2cap_do_send(sk, tx_skb);
6840ed07
GP		 1460
1461 pi->next_tx_seq = (pi->next_tx_seq + 1) % 64;
1462
1463 if (skb_queue_is_last(TX_QUEUE(sk), skb))
1464 sk->sk_send_head = NULL;
1465 else
1466 sk->sk_send_head = skb_queue_next(TX_QUEUE(sk), skb);
1467
1468 skb = skb_dequeue(TX_QUEUE(sk));
1469 kfree_skb(skb);
1470 }
6840ed07
GP		 1471}
1472
dfc909be 1473static void l2cap_retransmit_one_frame(struct sock *sk, u8 tx_seq)
8f17154f
GP		 1474{
1475 struct l2cap_pinfo *pi = l2cap_pi(sk);
1476 struct sk_buff *skb, *tx_skb;
1477 u16 control, fcs;
8f17154f
GP		 1478
1479 skb = skb_peek(TX_QUEUE(sk));
f11d676d
GP		 1480 if (!skb)
1481 return;
8f17154f 1482
f11d676d
GP		 1483 do {
1484 if (bt_cb(skb)->tx_seq == tx_seq)
8f17154f 1485 break;
8f17154f 1486
f11d676d
GP		 1487 if (skb_queue_is_last(TX_QUEUE(sk), skb))
1488 return;
8f17154f 1489
f11d676d 1490 } while ((skb = skb_queue_next(TX_QUEUE(sk), skb)));
8f17154f 1491
f11d676d
GP		 1492 if (pi->remote_max_tx &&
1493 bt_cb(skb)->retries == pi->remote_max_tx) {
9b108fc0 1494 l2cap_send_disconn_req(pi->conn, sk, ECONNABORTED);
f11d676d
GP		 1495 return;
1496 }
1497
1498 tx_skb = skb_clone(skb, GFP_ATOMIC);
1499 bt_cb(skb)->retries++;
1500 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
3cb123d1
GP		 1501
1502 if (pi->conn_state & L2CAP_CONN_SEND_FBIT) {
1503 control |= L2CAP_CTRL_FINAL;
1504 pi->conn_state &= ~L2CAP_CONN_SEND_FBIT;
1505 }
95ffa978 1506
f11d676d
GP		 1507 control |= (pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1508 | (tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
3cb123d1 1509
f11d676d
GP		 1510 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1511
1512 if (pi->fcs == L2CAP_FCS_CRC16) {
1513 fcs = crc16(0, (u8 *)tx_skb->data, tx_skb->len - 2);
1514 put_unaligned_le16(fcs, tx_skb->data + tx_skb->len - 2);
1515 }
1516
1517 l2cap_do_send(sk, tx_skb);
8f17154f
GP		 1518}
1519
1c2acffb
GP		 1520static int l2cap_ertm_send(struct sock *sk)
1521{
1522 struct sk_buff *skb, *tx_skb;
1523 struct l2cap_pinfo *pi = l2cap_pi(sk);
fcc203c3 1524 u16 control, fcs;
9a9c6a34 1525 int nsent = 0;
1c2acffb 1526
c13ffa62
GP		 1527 if (sk->sk_state != BT_CONNECTED)
1528 return -ENOTCONN;
e90bac06 1529
6e2b6722 1530 while ((skb = sk->sk_send_head) && (!l2cap_tx_window_full(sk))) {
1c2acffb 1531
e90bac06
GP		 1532 if (pi->remote_max_tx &&
1533 bt_cb(skb)->retries == pi->remote_max_tx) {
9b108fc0 1534 l2cap_send_disconn_req(pi->conn, sk, ECONNABORTED);
e90bac06
GP		 1535 break;
1536 }
1537
e420aba3
AE		 1538 tx_skb = skb_clone(skb, GFP_ATOMIC);
1539
e90bac06
GP		 1540 bt_cb(skb)->retries++;
1541
1c2acffb 1542 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
95ffa978
GP		 1543 control &= L2CAP_CTRL_SAR;
1544
d5392c8f
GP		 1545 if (pi->conn_state & L2CAP_CONN_SEND_FBIT) {
1546 control |= L2CAP_CTRL_FINAL;
1547 pi->conn_state &= ~L2CAP_CONN_SEND_FBIT;
1548 }
9f121a5a 1549 control |= (pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1c2acffb
GP		 1550 | (pi->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
1551 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1552
e90bac06 1553
e8235c6b 1554 if (pi->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 1555 fcs = crc16(0, (u8 *)skb->data, tx_skb->len - 2);
1556 put_unaligned_le16(fcs, skb->data + tx_skb->len - 2);
1557 }
1558
9a9c6a34
GP		 1559 l2cap_do_send(sk, tx_skb);
1560
e90bac06 1561 __mod_retrans_timer();
1c2acffb
GP		 1562
1563 bt_cb(skb)->tx_seq = pi->next_tx_seq;
1564 pi->next_tx_seq = (pi->next_tx_seq + 1) % 64;
1565
1566 pi->unacked_frames++;
d5392c8f 1567 pi->frames_sent++;
1c2acffb
GP		 1568
1569 if (skb_queue_is_last(TX_QUEUE(sk), skb))
1570 sk->sk_send_head = NULL;
1571 else
1572 sk->sk_send_head = skb_queue_next(TX_QUEUE(sk), skb);
9e917af1
GP		 1573
1574 nsent++;
1c2acffb
GP		 1575 }
1576
9e917af1
GP		 1577 return nsent;
1578}
1579
dfc909be
GP		 1580static int l2cap_retransmit_frames(struct sock *sk)
1581{
1582 struct l2cap_pinfo *pi = l2cap_pi(sk);
1583 int ret;
1584
dfc909be
GP		 1585 if (!skb_queue_empty(TX_QUEUE(sk)))
1586 sk->sk_send_head = TX_QUEUE(sk)->next;
1587
1588 pi->next_tx_seq = pi->expected_ack_seq;
1589 ret = l2cap_ertm_send(sk);
dfc909be
GP		 1590 return ret;
1591}
1592
9a9c6a34 1593static void l2cap_send_ack(struct l2cap_pinfo *pi)
9e917af1
GP		 1594{
1595 struct sock *sk = (struct sock *)pi;
1596 u16 control = 0;
1597
1598 control |= pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1599
1600 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) {
1601 control |= L2CAP_SUPER_RCV_NOT_READY;
1890d36b 1602 pi->conn_state |= L2CAP_CONN_RNR_SENT;
9a9c6a34
GP		 1603 l2cap_send_sframe(pi, control);
1604 return;
9e917af1 1605 }
dfc909be 1606
e0f66218 1607 if (l2cap_ertm_send(sk) > 0)
dfc909be
GP		 1608 return;
1609
1610 control |= L2CAP_SUPER_RCV_READY;
1611 l2cap_send_sframe(pi, control);
1c2acffb
GP		 1612}
1613
9a9c6a34 1614static void l2cap_send_srejtail(struct sock *sk)
99b0d4b7
GP		 1615{
1616 struct srej_list *tail;
1617 u16 control;
1618
1619 control = L2CAP_SUPER_SELECT_REJECT;
1620 control |= L2CAP_CTRL_FINAL;
1621
1622 tail = list_entry(SREJ_LIST(sk)->prev, struct srej_list, list);
1623 control |= tail->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1624
1625 l2cap_send_sframe(l2cap_pi(sk), control);
99b0d4b7
GP		 1626}
1627
1c2acffb
GP		 1628static inline int l2cap_skbuff_fromiovec(struct sock *sk, struct msghdr *msg, int len, int count, struct sk_buff *skb)
1629{
1630 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1631 struct sk_buff **frag;
1632 int err, sent = 0;
1da177e4 1633
59203a21 1634 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1635 return -EFAULT;
1da177e4
LT		 1636
1637 sent += count;
1638 len -= count;
1639
1640 /* Continuation fragments (no L2CAP header) */
1641 frag = &skb_shinfo(skb)->frag_list;
1642 while (len) {
1643 count = min_t(unsigned int, conn->mtu, len);
1644
1645 *frag = bt_skb_send_alloc(sk, count, msg->msg_flags & MSG_DONTWAIT, &err);
1646 if (!*frag)
1c2acffb
GP		 1647 return -EFAULT;
1648 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1649 return -EFAULT;
1da177e4
LT		 1650
1651 sent += count;
1652 len -= count;
1653
1654 frag = &(*frag)->next;
1655 }
1da177e4
LT		 1656
1657 return sent;
1c2acffb 1658}
1da177e4 1659
1c2acffb
GP		 1660static struct sk_buff *l2cap_create_connless_pdu(struct sock *sk, struct msghdr *msg, size_t len)
1661{
1662 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1663 struct sk_buff *skb;
1664 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1665 struct l2cap_hdr *lh;
1666
1667 BT_DBG("sk %p len %d", sk, (int)len);
1668
1669 count = min_t(unsigned int, (conn->mtu - hlen), len);
1670 skb = bt_skb_send_alloc(sk, count + hlen,
1671 msg->msg_flags & MSG_DONTWAIT, &err);
1672 if (!skb)
1673 return ERR_PTR(-ENOMEM);
1674
1675 /* Create L2CAP header */
1676 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1677 lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1678 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1679 put_unaligned_le16(l2cap_pi(sk)->psm, skb_put(skb, 2));
1680
1681 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1682 if (unlikely(err < 0)) {
1683 kfree_skb(skb);
1684 return ERR_PTR(err);
1685 }
1686 return skb;
1687}
1688
1689static struct sk_buff *l2cap_create_basic_pdu(struct sock *sk, struct msghdr *msg, size_t len)
1690{
1691 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1692 struct sk_buff *skb;
1693 int err, count, hlen = L2CAP_HDR_SIZE;
1694 struct l2cap_hdr *lh;
1695
1696 BT_DBG("sk %p len %d", sk, (int)len);
1697
1698 count = min_t(unsigned int, (conn->mtu - hlen), len);
1699 skb = bt_skb_send_alloc(sk, count + hlen,
1700 msg->msg_flags & MSG_DONTWAIT, &err);
1701 if (!skb)
1702 return ERR_PTR(-ENOMEM);
1703
1704 /* Create L2CAP header */
1705 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1706 lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1707 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1708
1709 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1710 if (unlikely(err < 0)) {
1711 kfree_skb(skb);
1712 return ERR_PTR(err);
1713 }
1714 return skb;
1715}
1716
6840ed07 1717static struct sk_buff *l2cap_create_iframe_pdu(struct sock *sk, struct msghdr *msg, size_t len, u16 control, u16 sdulen)
1c2acffb
GP		 1718{
1719 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1720 struct sk_buff *skb;
1721 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1722 struct l2cap_hdr *lh;
1723
1724 BT_DBG("sk %p len %d", sk, (int)len);
1725
0ee0d208
GP		 1726 if (!conn)
1727 return ERR_PTR(-ENOTCONN);
1728
c74e560c
GP		 1729 if (sdulen)
1730 hlen += 2;
1731
fcc203c3
GP		 1732 if (l2cap_pi(sk)->fcs == L2CAP_FCS_CRC16)
1733 hlen += 2;
1734
1c2acffb
GP		 1735 count = min_t(unsigned int, (conn->mtu - hlen), len);
1736 skb = bt_skb_send_alloc(sk, count + hlen,
1737 msg->msg_flags & MSG_DONTWAIT, &err);
1738 if (!skb)
1739 return ERR_PTR(-ENOMEM);
1740
1741 /* Create L2CAP header */
1742 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1743 lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1744 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1745 put_unaligned_le16(control, skb_put(skb, 2));
c74e560c
GP		 1746 if (sdulen)
1747 put_unaligned_le16(sdulen, skb_put(skb, 2));
1c2acffb
GP		 1748
1749 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1750 if (unlikely(err < 0)) {
1751 kfree_skb(skb);
1752 return ERR_PTR(err);
1753 }
e90bac06 1754
fcc203c3
GP		 1755 if (l2cap_pi(sk)->fcs == L2CAP_FCS_CRC16)
1756 put_unaligned_le16(0, skb_put(skb, 2));
1757
e90bac06 1758 bt_cb(skb)->retries = 0;
1c2acffb 1759 return skb;
1da177e4
LT		 1760}
1761
c74e560c
GP		 1762static inline int l2cap_sar_segment_sdu(struct sock *sk, struct msghdr *msg, size_t len)
1763{
1764 struct l2cap_pinfo *pi = l2cap_pi(sk);
1765 struct sk_buff *skb;
1766 struct sk_buff_head sar_queue;
1767 u16 control;
1768 size_t size = 0;
1769
ff12fd64 1770 skb_queue_head_init(&sar_queue);
c74e560c 1771 control = L2CAP_SDU_START;
1c762159 1772 skb = l2cap_create_iframe_pdu(sk, msg, pi->remote_mps, control, len);
c74e560c
GP		 1773 if (IS_ERR(skb))
1774 return PTR_ERR(skb);
1775
1776 __skb_queue_tail(&sar_queue, skb);
1c762159
GP		 1777 len -= pi->remote_mps;
1778 size += pi->remote_mps;
c74e560c
GP		 1779
1780 while (len > 0) {
1781 size_t buflen;
1782
1c762159 1783 if (len > pi->remote_mps) {
44651b85 1784 control = L2CAP_SDU_CONTINUE;
1c762159 1785 buflen = pi->remote_mps;
c74e560c 1786 } else {
44651b85 1787 control = L2CAP_SDU_END;
c74e560c
GP		 1788 buflen = len;
1789 }
1790
6840ed07 1791 skb = l2cap_create_iframe_pdu(sk, msg, buflen, control, 0);
c74e560c
GP		 1792 if (IS_ERR(skb)) {
1793 skb_queue_purge(&sar_queue);
1794 return PTR_ERR(skb);
1795 }
1796
1797 __skb_queue_tail(&sar_queue, skb);
1798 len -= buflen;
1799 size += buflen;
c74e560c
GP		 1800 }
1801 skb_queue_splice_tail(&sar_queue, TX_QUEUE(sk));
1802 if (sk->sk_send_head == NULL)
1803 sk->sk_send_head = sar_queue.next;
1804
1805 return size;
1806}
1807
1da177e4
LT		 1808static int l2cap_sock_sendmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len)
1809{
1810 struct sock *sk = sock->sk;
1c2acffb
GP		 1811 struct l2cap_pinfo *pi = l2cap_pi(sk);
1812 struct sk_buff *skb;
1813 u16 control;
1814 int err;
1da177e4
LT		 1815
1816 BT_DBG("sock %p, sk %p", sock, sk);
1817
c1cbe4b7
BL		 1818 err = sock_error(sk);
1819 if (err)
1820 return err;
1da177e4
LT		 1821
1822 if (msg->msg_flags & MSG_OOB)
1823 return -EOPNOTSUPP;
1824
1da177e4
LT		 1825 lock_sock(sk);
1826
1c2acffb 1827 if (sk->sk_state != BT_CONNECTED) {
1da177e4 1828 err = -ENOTCONN;
1c2acffb
GP		 1829 goto done;
1830 }
1da177e4 1831
1c2acffb
GP		 1832 /* Connectionless channel */
1833 if (sk->sk_type == SOCK_DGRAM) {
1834 skb = l2cap_create_connless_pdu(sk, msg, len);
9a9c6a34 1835 if (IS_ERR(skb)) {
477fffb0 1836 err = PTR_ERR(skb);
9a9c6a34
GP		 1837 } else {
1838 l2cap_do_send(sk, skb);
1839 err = len;
1840 }
1c2acffb
GP		 1841 goto done;
1842 }
1843
1844 switch (pi->mode) {
1845 case L2CAP_MODE_BASIC:
c69163e9
GP		 1846 /* Check outgoing MTU */
1847 if (len > pi->omtu) {
f9dd11b0 1848 err = -EMSGSIZE;
c69163e9
GP		 1849 goto done;
1850 }
1851
1c2acffb
GP		 1852 /* Create a basic PDU */
1853 skb = l2cap_create_basic_pdu(sk, msg, len);
1854 if (IS_ERR(skb)) {
1855 err = PTR_ERR(skb);
1856 goto done;
1857 }
1858
9a9c6a34
GP		 1859 l2cap_do_send(sk, skb);
1860 err = len;
1c2acffb
GP		 1861 break;
1862
1863 case L2CAP_MODE_ERTM:
6840ed07 1864 case L2CAP_MODE_STREAMING:
1c2acffb 1865 /* Entire SDU fits into one PDU */
1c762159 1866 if (len <= pi->remote_mps) {
1c2acffb 1867 control = L2CAP_SDU_UNSEGMENTED;
6840ed07 1868 skb = l2cap_create_iframe_pdu(sk, msg, len, control, 0);
1c2acffb
GP		 1869 if (IS_ERR(skb)) {
1870 err = PTR_ERR(skb);
1871 goto done;
1872 }
c74e560c 1873 __skb_queue_tail(TX_QUEUE(sk), skb);
dfc909be 1874
c74e560c
GP		 1875 if (sk->sk_send_head == NULL)
1876 sk->sk_send_head = skb;
dfc909be 1877
1c2acffb 1878 } else {
c74e560c
GP		 1879 /* Segment SDU into multiples PDUs */
1880 err = l2cap_sar_segment_sdu(sk, msg, len);
1881 if (err < 0)
1882 goto done;
1c2acffb 1883 }
1c2acffb 1884
dfc909be 1885 if (pi->mode == L2CAP_MODE_STREAMING) {
305682e8 1886 l2cap_streaming_send(sk);
dfc909be 1887 } else {
6e2b6722
GP		 1888 if (pi->conn_state & L2CAP_CONN_REMOTE_BUSY &&
1889 pi->conn_state && L2CAP_CONN_WAIT_F) {
1890 err = len;
1891 break;
1892 }
6840ed07 1893 err = l2cap_ertm_send(sk);
dfc909be 1894 }
6840ed07 1895
9e917af1 1896 if (err >= 0)
1c2acffb
GP		 1897 err = len;
1898 break;
1899
1900 default:
1901 BT_DBG("bad state %1.1x", pi->mode);
bc766db2 1902 err = -EBADFD;
1c2acffb
GP		 1903 }
1904
1905done:
1da177e4
LT		 1906 release_sock(sk);
1907 return err;
1908}
1909
f66dc81f
MH		 1910static int l2cap_sock_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len, int flags)
1911{
1912 struct sock *sk = sock->sk;
1913
1914 lock_sock(sk);
1915
1916 if (sk->sk_state == BT_CONNECT2 && bt_sk(sk)->defer_setup) {
1917 struct l2cap_conn_rsp rsp;
e9aeb2dd
GP		 1918 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1919 u8 buf[128];
f66dc81f
MH		 1920
1921 sk->sk_state = BT_CONFIG;
1922
1923 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
1924 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
1925 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1926 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1927 l2cap_send_cmd(l2cap_pi(sk)->conn, l2cap_pi(sk)->ident,
1928 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
1929
e9aeb2dd
GP		 1930 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT) {
1931 release_sock(sk);
1932 return 0;
1933 }
1934
1935 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
1936 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
1937 l2cap_build_conf_req(sk, buf), buf);
1938 l2cap_pi(sk)->num_conf_req++;
1939
f66dc81f
MH		 1940 release_sock(sk);
1941 return 0;
1942 }
1943
1944 release_sock(sk);
1945
1946 return bt_sock_recvmsg(iocb, sock, msg, len, flags);
1947}
1948
b7058842 1949static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __user *optval, unsigned int optlen)
1da177e4
LT		 1950{
1951 struct sock *sk = sock->sk;
1952 struct l2cap_options opts;
f29972de 1953 int len, err = 0;
1da177e4
LT		 1954 u32 opt;
1955
1956 BT_DBG("sk %p", sk);
1957
1958 lock_sock(sk);
1959
1960 switch (optname) {
1961 case L2CAP_OPTIONS:
0878b666
MH		 1962 opts.imtu = l2cap_pi(sk)->imtu;
1963 opts.omtu = l2cap_pi(sk)->omtu;
1964 opts.flush_to = l2cap_pi(sk)->flush_to;
c6b03cf9 1965 opts.mode = l2cap_pi(sk)->mode;
fcc203c3 1966 opts.fcs = l2cap_pi(sk)->fcs;
68d7f0ce 1967 opts.max_tx = l2cap_pi(sk)->max_tx;
14b5aa71 1968 opts.txwin_size = (__u16)l2cap_pi(sk)->tx_win;
0878b666 1969
1da177e4
LT		 1970 len = min_t(unsigned int, sizeof(opts), optlen);
1971 if (copy_from_user((char *) &opts, optval, len)) {
1972 err = -EFAULT;
1973 break;
1974 }
0878b666 1975
45d65c46
GP		 1976 if (opts.txwin_size > L2CAP_DEFAULT_TX_WINDOW) {
1977 err = -EINVAL;
1978 break;
1979 }
1980
0041ecfa
JPRV		 1981 l2cap_pi(sk)->mode = opts.mode;
1982 switch (l2cap_pi(sk)->mode) {
1983 case L2CAP_MODE_BASIC:
85eb53c6 1984 l2cap_pi(sk)->conf_state &= ~L2CAP_CONF_STATE2_DEVICE;
0041ecfa
JPRV		 1985 break;
1986 case L2CAP_MODE_ERTM:
1987 case L2CAP_MODE_STREAMING:
1988 if (enable_ertm)
1989 break;
1990 /* fall through */
1991 default:
1992 err = -EINVAL;
1993 break;
1994 }
1995
c6b03cf9
MH		 1996 l2cap_pi(sk)->imtu = opts.imtu;
1997 l2cap_pi(sk)->omtu = opts.omtu;
fcc203c3 1998 l2cap_pi(sk)->fcs = opts.fcs;
68d7f0ce 1999 l2cap_pi(sk)->max_tx = opts.max_tx;
14b5aa71 2000 l2cap_pi(sk)->tx_win = (__u8)opts.txwin_size;
1da177e4
LT		 2001 break;
2002
2003 case L2CAP_LM:
2004 if (get_user(opt, (u32 __user *) optval)) {
2005 err = -EFAULT;
2006 break;
2007 }
2008
2af6b9d5
MH		 2009 if (opt & L2CAP_LM_AUTH)
2010 l2cap_pi(sk)->sec_level = BT_SECURITY_LOW;
2011 if (opt & L2CAP_LM_ENCRYPT)
2012 l2cap_pi(sk)->sec_level = BT_SECURITY_MEDIUM;
2013 if (opt & L2CAP_LM_SECURE)
2014 l2cap_pi(sk)->sec_level = BT_SECURITY_HIGH;
2015
2016 l2cap_pi(sk)->role_switch = (opt & L2CAP_LM_MASTER);
2017 l2cap_pi(sk)->force_reliable = (opt & L2CAP_LM_RELIABLE);
1da177e4
LT		 2018 break;
2019
2020 default:
2021 err = -ENOPROTOOPT;
2022 break;
2023 }
2024
2025 release_sock(sk);
2026 return err;
2027}
2028
b7058842 2029static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, char __user *optval, unsigned int optlen)
d58daf42
MH		 2030{
2031 struct sock *sk = sock->sk;
2af6b9d5
MH		 2032 struct bt_security sec;
2033 int len, err = 0;
f66dc81f 2034 u32 opt;
d58daf42
MH		 2035
2036 BT_DBG("sk %p", sk);
2037
2038 if (level == SOL_L2CAP)
2039 return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
2040
0588d94f
MH		 2041 if (level != SOL_BLUETOOTH)
2042 return -ENOPROTOOPT;
2043
d58daf42
MH		 2044 lock_sock(sk);
2045
2046 switch (optname) {
2af6b9d5 2047 case BT_SECURITY:
bd3c9e25
GP		 2048 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
2049 && sk->sk_type != SOCK_RAW) {
0588d94f
MH		 2050 err = -EINVAL;
2051 break;
2052 }
2053
2af6b9d5
MH		 2054 sec.level = BT_SECURITY_LOW;
2055
2056 len = min_t(unsigned int, sizeof(sec), optlen);
2057 if (copy_from_user((char *) &sec, optval, len)) {
2058 err = -EFAULT;
2059 break;
2060 }
2061
2062 if (sec.level < BT_SECURITY_LOW ||
2063 sec.level > BT_SECURITY_HIGH) {
2064 err = -EINVAL;
2065 break;
2066 }
2067
2068 l2cap_pi(sk)->sec_level = sec.level;
2069 break;
2070
f66dc81f
MH		 2071 case BT_DEFER_SETUP:
2072 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
2073 err = -EINVAL;
2074 break;
2075 }
2076
2077 if (get_user(opt, (u32 __user *) optval)) {
2078 err = -EFAULT;
2079 break;
2080 }
2081
2082 bt_sk(sk)->defer_setup = opt;
2083 break;
2084
d58daf42
MH		 2085 default:
2086 err = -ENOPROTOOPT;
2087 break;
2088 }
2089
2090 release_sock(sk);
2091 return err;
2092}
2093
2094static int l2cap_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen)
1da177e4
LT		 2095{
2096 struct sock *sk = sock->sk;
2097 struct l2cap_options opts;
2098 struct l2cap_conninfo cinfo;
2099 int len, err = 0;
2af6b9d5 2100 u32 opt;
1da177e4
LT		 2101
2102 BT_DBG("sk %p", sk);
2103
2104 if (get_user(len, optlen))
2105 return -EFAULT;
2106
2107 lock_sock(sk);
2108
2109 switch (optname) {
2110 case L2CAP_OPTIONS:
2111 opts.imtu = l2cap_pi(sk)->imtu;
2112 opts.omtu = l2cap_pi(sk)->omtu;
2113 opts.flush_to = l2cap_pi(sk)->flush_to;
c6b03cf9 2114 opts.mode = l2cap_pi(sk)->mode;
fcc203c3 2115 opts.fcs = l2cap_pi(sk)->fcs;
68d7f0ce 2116 opts.max_tx = l2cap_pi(sk)->max_tx;
14b5aa71 2117 opts.txwin_size = (__u16)l2cap_pi(sk)->tx_win;
1da177e4
LT		 2118
2119 len = min_t(unsigned int, len, sizeof(opts));
2120 if (copy_to_user(optval, (char *) &opts, len))
2121 err = -EFAULT;
2122
2123 break;
2124
2125 case L2CAP_LM:
2af6b9d5
MH		 2126 switch (l2cap_pi(sk)->sec_level) {
2127 case BT_SECURITY_LOW:
2128 opt = L2CAP_LM_AUTH;
2129 break;
2130 case BT_SECURITY_MEDIUM:
2131 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
2132 break;
2133 case BT_SECURITY_HIGH:
2134 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
2135 L2CAP_LM_SECURE;
2136 break;
2137 default:
2138 opt = 0;
2139 break;
2140 }
2141
2142 if (l2cap_pi(sk)->role_switch)
2143 opt |= L2CAP_LM_MASTER;
2144
2145 if (l2cap_pi(sk)->force_reliable)
2146 opt |= L2CAP_LM_RELIABLE;
2147
2148 if (put_user(opt, (u32 __user *) optval))
1da177e4
LT		 2149 err = -EFAULT;
2150 break;
2151
2152 case L2CAP_CONNINFO:
f66dc81f
MH		 2153 if (sk->sk_state != BT_CONNECTED &&
2154 !(sk->sk_state == BT_CONNECT2 &&
2155 bt_sk(sk)->defer_setup)) {
1da177e4
LT		 2156 err = -ENOTCONN;
2157 break;
2158 }
2159
2160 cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle;
2161 memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3);
2162
2163 len = min_t(unsigned int, len, sizeof(cinfo));
2164 if (copy_to_user(optval, (char *) &cinfo, len))
2165 err = -EFAULT;
2166
2167 break;
2168
2169 default:
2170 err = -ENOPROTOOPT;
2171 break;
2172 }
2173
2174 release_sock(sk);
2175 return err;
2176}
2177
d58daf42
MH		 2178static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen)
2179{
2180 struct sock *sk = sock->sk;
2af6b9d5 2181 struct bt_security sec;
d58daf42
MH		 2182 int len, err = 0;
2183
2184 BT_DBG("sk %p", sk);
2185
2186 if (level == SOL_L2CAP)
2187 return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
2188
0588d94f
MH		 2189 if (level != SOL_BLUETOOTH)
2190 return -ENOPROTOOPT;
2191
d58daf42
MH		 2192 if (get_user(len, optlen))
2193 return -EFAULT;
2194
2195 lock_sock(sk);
2196
2197 switch (optname) {
2af6b9d5 2198 case BT_SECURITY:
bd3c9e25
GP		 2199 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
2200 && sk->sk_type != SOCK_RAW) {
0588d94f
MH		 2201 err = -EINVAL;
2202 break;
2203 }
2204
2af6b9d5
MH		 2205 sec.level = l2cap_pi(sk)->sec_level;
2206
2207 len = min_t(unsigned int, len, sizeof(sec));
2208 if (copy_to_user(optval, (char *) &sec, len))
2209 err = -EFAULT;
2210
2211 break;
2212
f66dc81f
MH		 2213 case BT_DEFER_SETUP:
2214 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
2215 err = -EINVAL;
2216 break;
2217 }
2218
2219 if (put_user(bt_sk(sk)->defer_setup, (u32 __user *) optval))
2220 err = -EFAULT;
2221
2222 break;
2223
d58daf42
MH		 2224 default:
2225 err = -ENOPROTOOPT;
2226 break;
2227 }
2228
2229 release_sock(sk);
2230 return err;
2231}
2232
1da177e4
LT		 2233static int l2cap_sock_shutdown(struct socket *sock, int how)
2234{
2235 struct sock *sk = sock->sk;
2236 int err = 0;
2237
2238 BT_DBG("sock %p, sk %p", sock, sk);
2239
2240 if (!sk)
2241 return 0;
2242
2243 lock_sock(sk);
2244 if (!sk->sk_shutdown) {
6161c038
GP		 2245 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM)
2246 err = __l2cap_wait_ack(sk);
2247
1da177e4
LT		 2248 sk->sk_shutdown = SHUTDOWN_MASK;
2249 l2cap_sock_clear_timer(sk);
2250 __l2cap_sock_close(sk, 0);
2251
2252 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime)
b1235d79
MH		 2253 err = bt_sock_wait_state(sk, BT_CLOSED,
2254 sk->sk_lingertime);
1da177e4 2255 }
9b108fc0
GP		 2256
2257 if (!err && sk->sk_err)
2258 err = -sk->sk_err;
2259
1da177e4
LT		 2260 release_sock(sk);
2261 return err;
2262}
2263
2264static int l2cap_sock_release(struct socket *sock)
2265{
2266 struct sock *sk = sock->sk;
2267 int err;
2268
2269 BT_DBG("sock %p, sk %p", sock, sk);
2270
2271 if (!sk)
2272 return 0;
2273
2274 err = l2cap_sock_shutdown(sock, 2);
2275
2276 sock_orphan(sk);
2277 l2cap_sock_kill(sk);
2278 return err;
2279}
2280
1da177e4
LT		 2281static void l2cap_chan_ready(struct sock *sk)
2282{
2283 struct sock *parent = bt_sk(sk)->parent;
2284
2285 BT_DBG("sk %p, parent %p", sk, parent);
2286
2287 l2cap_pi(sk)->conf_state = 0;
2288 l2cap_sock_clear_timer(sk);
2289
2290 if (!parent) {
2291 /* Outgoing channel.
2292 * Wake up socket sleeping on connect.
2293 */
2294 sk->sk_state = BT_CONNECTED;
2295 sk->sk_state_change(sk);
2296 } else {
2297 /* Incoming channel.
2298 * Wake up socket sleeping on accept.
2299 */
2300 parent->sk_data_ready(parent, 0);
2301 }
2302}
2303
2304/* Copy frame to all raw sockets on that connection */
2305static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2306{
2307 struct l2cap_chan_list *l = &conn->chan_list;
2308 struct sk_buff *nskb;
af05b30b 2309 struct sock *sk;
1da177e4
LT		 2310
2311 BT_DBG("conn %p", conn);
2312
2313 read_lock(&l->lock);
2314 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
2315 if (sk->sk_type != SOCK_RAW)
2316 continue;
2317
2318 /* Don't send frame to the socket it came from */
2319 if (skb->sk == sk)
2320 continue;
af05b30b
GP		 2321 nskb = skb_clone(skb, GFP_ATOMIC);
2322 if (!nskb)
1da177e4
LT		 2323 continue;
2324
2325 if (sock_queue_rcv_skb(sk, nskb))
2326 kfree_skb(nskb);
2327 }
2328 read_unlock(&l->lock);
2329}
2330
2331/* ---- L2CAP signalling commands ---- */
2332static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2333 u8 code, u8 ident, u16 dlen, void *data)
2334{
2335 struct sk_buff *skb, **frag;
2336 struct l2cap_cmd_hdr *cmd;
2337 struct l2cap_hdr *lh;
2338 int len, count;
2339
af05b30b
GP		 2340 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
2341 conn, code, ident, dlen);
1da177e4
LT		 2342
2343 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2344 count = min_t(unsigned int, conn->mtu, len);
2345
2346 skb = bt_skb_alloc(count, GFP_ATOMIC);
2347 if (!skb)
2348 return NULL;
2349
2350 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2351 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
8db4dc46 2352 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2353
2354 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2355 cmd->code = code;
2356 cmd->ident = ident;
aca3192c 2357 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2358
2359 if (dlen) {
2360 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2361 memcpy(skb_put(skb, count), data, count);
2362 data += count;
2363 }
2364
2365 len -= skb->len;
2366
2367 /* Continuation fragments (no L2CAP header) */
2368 frag = &skb_shinfo(skb)->frag_list;
2369 while (len) {
2370 count = min_t(unsigned int, conn->mtu, len);
2371
2372 *frag = bt_skb_alloc(count, GFP_ATOMIC);
2373 if (!*frag)
2374 goto fail;
2375
2376 memcpy(skb_put(*frag, count), data, count);
2377
2378 len -= count;
2379 data += count;
2380
2381 frag = &(*frag)->next;
2382 }
2383
2384 return skb;
2385
2386fail:
2387 kfree_skb(skb);
2388 return NULL;
2389}
2390
2391static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
2392{
2393 struct l2cap_conf_opt *opt = *ptr;
2394 int len;
2395
2396 len = L2CAP_CONF_OPT_SIZE + opt->len;
2397 *ptr += len;
2398
2399 *type = opt->type;
2400 *olen = opt->len;
2401
2402 switch (opt->len) {
2403 case 1:
2404 *val = *((u8 *) opt->val);
2405 break;
2406
2407 case 2:
861d6882 2408 *val = __le16_to_cpu(*((__le16 *) opt->val));
1da177e4
LT		 2409 break;
2410
2411 case 4:
861d6882 2412 *val = __le32_to_cpu(*((__le32 *) opt->val));
1da177e4
LT		 2413 break;
2414
2415 default:
2416 *val = (unsigned long) opt->val;
2417 break;
2418 }
2419
2420 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
2421 return len;
2422}
2423
1da177e4
LT		 2424static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2425{
2426 struct l2cap_conf_opt *opt = *ptr;
2427
2428 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
2429
2430 opt->type = type;
2431 opt->len = len;
2432
2433 switch (len) {
2434 case 1:
2435 *((u8 *) opt->val) = val;
2436 break;
2437
2438 case 2:
8e036fc3 2439 *((__le16 *) opt->val) = cpu_to_le16(val);
1da177e4
LT		 2440 break;
2441
2442 case 4:
8e036fc3 2443 *((__le32 *) opt->val) = cpu_to_le32(val);
1da177e4
LT		 2444 break;
2445
2446 default:
2447 memcpy(opt->val, (void *) val, len);
2448 break;
2449 }
2450
2451 *ptr += L2CAP_CONF_OPT_SIZE + len;
2452}
2453
c1b4f43b
GP		 2454static void l2cap_ack_timeout(unsigned long arg)
2455{
2456 struct sock *sk = (void *) arg;
2457
2458 bh_lock_sock(sk);
2459 l2cap_send_ack(l2cap_pi(sk));
2460 bh_unlock_sock(sk);
2461}
2462
0565c1c2
GP		 2463static inline void l2cap_ertm_init(struct sock *sk)
2464{
2465 l2cap_pi(sk)->expected_ack_seq = 0;
2466 l2cap_pi(sk)->unacked_frames = 0;
2467 l2cap_pi(sk)->buffer_seq = 0;
803020c6 2468 l2cap_pi(sk)->num_acked = 0;
d5392c8f 2469 l2cap_pi(sk)->frames_sent = 0;
0565c1c2
GP		 2470
2471 setup_timer(&l2cap_pi(sk)->retrans_timer,
2472 l2cap_retrans_timeout, (unsigned long) sk);
2473 setup_timer(&l2cap_pi(sk)->monitor_timer,
2474 l2cap_monitor_timeout, (unsigned long) sk);
c1b4f43b
GP		 2475 setup_timer(&l2cap_pi(sk)->ack_timer,
2476 l2cap_ack_timeout, (unsigned long) sk);
0565c1c2
GP		 2477
2478 __skb_queue_head_init(SREJ_QUEUE(sk));
1890d36b
GP		 2479 __skb_queue_head_init(BUSY_QUEUE(sk));
2480
2481 INIT_WORK(&l2cap_pi(sk)->busy_work, l2cap_busy_work);
218bb9df
GP		 2482
2483 sk->sk_backlog_rcv = l2cap_ertm_data_rcv;
0565c1c2
GP		 2484}
2485
f2fcfcd6
GP		 2486static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2487{
2488 switch (mode) {
2489 case L2CAP_MODE_STREAMING:
2490 case L2CAP_MODE_ERTM:
2491 if (l2cap_mode_supported(mode, remote_feat_mask))
2492 return mode;
2493 /* fall through */
2494 default:
2495 return L2CAP_MODE_BASIC;
2496 }
2497}
2498
1da177e4
LT		 2499static int l2cap_build_conf_req(struct sock *sk, void *data)
2500{
2501 struct l2cap_pinfo *pi = l2cap_pi(sk);
2502 struct l2cap_conf_req *req = data;
bd3c9e25 2503 struct l2cap_conf_rfc rfc = { .mode = pi->mode };
1da177e4
LT		 2504 void *ptr = req->data;
2505
2506 BT_DBG("sk %p", sk);
2507
f2fcfcd6
GP		 2508 if (pi->num_conf_req || pi->num_conf_rsp)
2509 goto done;
2510
2511 switch (pi->mode) {
2512 case L2CAP_MODE_STREAMING:
2513 case L2CAP_MODE_ERTM:
2ba13ed6 2514 if (pi->conf_state & L2CAP_CONF_STATE2_DEVICE)
85eb53c6 2515 break;
85eb53c6 2516
2ba13ed6 2517 /* fall through */
f2fcfcd6
GP		 2518 default:
2519 pi->mode = l2cap_select_mode(rfc.mode, pi->conn->feat_mask);
2520 break;
2521 }
2522
2523done:
65c7c491
MH		 2524 switch (pi->mode) {
2525 case L2CAP_MODE_BASIC:
2526 if (pi->imtu != L2CAP_DEFAULT_MTU)
2527 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->imtu);
62547752
GP		 2528
2529 rfc.mode = L2CAP_MODE_BASIC;
2530 rfc.txwin_size = 0;
2531 rfc.max_transmit = 0;
2532 rfc.retrans_timeout = 0;
2533 rfc.monitor_timeout = 0;
2534 rfc.max_pdu_size = 0;
2535
65c7c491
MH		 2536 break;
2537
2538 case L2CAP_MODE_ERTM:
2539 rfc.mode = L2CAP_MODE_ERTM;
14b5aa71 2540 rfc.txwin_size = pi->tx_win;
68d7f0ce 2541 rfc.max_transmit = pi->max_tx;
f2fcfcd6
GP		 2542 rfc.retrans_timeout = 0;
2543 rfc.monitor_timeout = 0;
c74e560c 2544 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
d1daa091 2545 if (L2CAP_DEFAULT_MAX_PDU_SIZE > pi->conn->mtu - 10)
1c762159 2546 rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10);
f2fcfcd6 2547
fcc203c3
GP		 2548 if (!(pi->conn->feat_mask & L2CAP_FEAT_FCS))
2549 break;
2550
2551 if (pi->fcs == L2CAP_FCS_NONE ||
2552 pi->conf_state & L2CAP_CONF_NO_FCS_RECV) {
2553 pi->fcs = L2CAP_FCS_NONE;
2554 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, pi->fcs);
2555 }
f2fcfcd6
GP		 2556 break;
2557
2558 case L2CAP_MODE_STREAMING:
2559 rfc.mode = L2CAP_MODE_STREAMING;
2560 rfc.txwin_size = 0;
2561 rfc.max_transmit = 0;
2562 rfc.retrans_timeout = 0;
2563 rfc.monitor_timeout = 0;
c74e560c 2564 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
d1daa091 2565 if (L2CAP_DEFAULT_MAX_PDU_SIZE > pi->conn->mtu - 10)
1c762159 2566 rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10);
65c7c491 2567
fcc203c3
GP		 2568 if (!(pi->conn->feat_mask & L2CAP_FEAT_FCS))
2569 break;
2570
2571 if (pi->fcs == L2CAP_FCS_NONE ||
2572 pi->conf_state & L2CAP_CONF_NO_FCS_RECV) {
2573 pi->fcs = L2CAP_FCS_NONE;
2574 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, pi->fcs);
2575 }
65c7c491
MH		 2576 break;
2577 }
1da177e4 2578
62547752
GP		 2579 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2580 (unsigned long) &rfc);
2581
1da177e4
LT		 2582 /* FIXME: Need actual value of the flush timeout */
2583 //if (flush_to != L2CAP_DEFAULT_FLUSH_TO)
2584 // l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, 2, pi->flush_to);
2585
aca3192c
YH		 2586 req->dcid = cpu_to_le16(pi->dcid);
2587 req->flags = cpu_to_le16(0);
1da177e4
LT		 2588
2589 return ptr - data;
2590}
2591
5dee9e7c 2592static int l2cap_parse_conf_req(struct sock *sk, void *data)
1da177e4
LT		 2593{
2594 struct l2cap_pinfo *pi = l2cap_pi(sk);
5dee9e7c
MH		 2595 struct l2cap_conf_rsp *rsp = data;
2596 void *ptr = rsp->data;
2597 void *req = pi->conf_req;
2598 int len = pi->conf_len;
2599 int type, hint, olen;
2600 unsigned long val;
6464f35f 2601 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
861d6882 2602 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 2603 u16 result = L2CAP_CONF_SUCCESS;
1da177e4 2604
5dee9e7c 2605 BT_DBG("sk %p", sk);
820ae1b8 2606
5dee9e7c
MH		 2607 while (len >= L2CAP_CONF_OPT_SIZE) {
2608 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 2609
589d2746 2610 hint = type & L2CAP_CONF_HINT;
47ec1dcd 2611 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 2612
2613 switch (type) {
2614 case L2CAP_CONF_MTU:
861d6882 2615 mtu = val;
5dee9e7c
MH		 2616 break;
2617
2618 case L2CAP_CONF_FLUSH_TO:
2619 pi->flush_to = val;
2620 break;
2621
2622 case L2CAP_CONF_QOS:
2623 break;
2624
6464f35f
MH		 2625 case L2CAP_CONF_RFC:
2626 if (olen == sizeof(rfc))
2627 memcpy(&rfc, (void *) val, olen);
2628 break;
2629
fcc203c3
GP		 2630 case L2CAP_CONF_FCS:
2631 if (val == L2CAP_FCS_NONE)
2632 pi->conf_state |= L2CAP_CONF_NO_FCS_RECV;
2633
2634 break;
2635
5dee9e7c
MH		 2636 default:
2637 if (hint)
2638 break;
2639
2640 result = L2CAP_CONF_UNKNOWN;
2641 *((u8 *) ptr++) = type;
2642 break;
2643 }
2644 }
2645
e9aeb2dd 2646 if (pi->num_conf_rsp || pi->num_conf_req > 1)
f2fcfcd6
GP		 2647 goto done;
2648
2649 switch (pi->mode) {
2650 case L2CAP_MODE_STREAMING:
2651 case L2CAP_MODE_ERTM:
85eb53c6
GP		 2652 if (!(pi->conf_state & L2CAP_CONF_STATE2_DEVICE)) {
2653 pi->mode = l2cap_select_mode(rfc.mode,
2654 pi->conn->feat_mask);
2655 break;
2656 }
2657
742e519b 2658 if (pi->mode != rfc.mode)
f2fcfcd6 2659 return -ECONNREFUSED;
742e519b 2660
f2fcfcd6 2661 break;
f2fcfcd6
GP		 2662 }
2663
2664done:
2665 if (pi->mode != rfc.mode) {
2666 result = L2CAP_CONF_UNACCEPT;
2667 rfc.mode = pi->mode;
2668
2669 if (pi->num_conf_rsp == 1)
2670 return -ECONNREFUSED;
2671
2672 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2673 sizeof(rfc), (unsigned long) &rfc);
2674 }
2675
2676
5dee9e7c
MH		 2677 if (result == L2CAP_CONF_SUCCESS) {
2678 /* Configure output options and let the other side know
2679 * which ones we don't like. */
2680
f2fcfcd6
GP		 2681 if (mtu < L2CAP_DEFAULT_MIN_MTU)
2682 result = L2CAP_CONF_UNACCEPT;
2683 else {
2684 pi->omtu = mtu;
2685 pi->conf_state |= L2CAP_CONF_MTU_DONE;
2686 }
2687 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->omtu);
6464f35f 2688
f2fcfcd6
GP		 2689 switch (rfc.mode) {
2690 case L2CAP_MODE_BASIC:
2691 pi->fcs = L2CAP_FCS_NONE;
2692 pi->conf_state |= L2CAP_CONF_MODE_DONE;
2693 break;
2694
2695 case L2CAP_MODE_ERTM:
2696 pi->remote_tx_win = rfc.txwin_size;
2697 pi->remote_max_tx = rfc.max_transmit;
1c762159
GP		 2698 if (rfc.max_pdu_size > pi->conn->mtu - 10)
2699 rfc.max_pdu_size = le16_to_cpu(pi->conn->mtu - 10);
2700
2701 pi->remote_mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6 2702
10467e9e
GP		 2703 rfc.retrans_timeout =
2704 le16_to_cpu(L2CAP_DEFAULT_RETRANS_TO);
2705 rfc.monitor_timeout =
2706 le16_to_cpu(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6
GP		 2707
2708 pi->conf_state |= L2CAP_CONF_MODE_DONE;
68ae6639
GP		 2709
2710 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2711 sizeof(rfc), (unsigned long) &rfc);
2712
f2fcfcd6
GP		 2713 break;
2714
2715 case L2CAP_MODE_STREAMING:
1c762159
GP		 2716 if (rfc.max_pdu_size > pi->conn->mtu - 10)
2717 rfc.max_pdu_size = le16_to_cpu(pi->conn->mtu - 10);
2718
2719 pi->remote_mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2720
2721 pi->conf_state |= L2CAP_CONF_MODE_DONE;
68ae6639
GP		 2722
2723 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2724 sizeof(rfc), (unsigned long) &rfc);
2725
f2fcfcd6
GP		 2726 break;
2727
2728 default:
5dee9e7c 2729 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 2730
6464f35f 2731 memset(&rfc, 0, sizeof(rfc));
f2fcfcd6
GP		 2732 rfc.mode = pi->mode;
2733 }
6464f35f 2734
f2fcfcd6
GP		 2735 if (result == L2CAP_CONF_SUCCESS)
2736 pi->conf_state |= L2CAP_CONF_OUTPUT_DONE;
2737 }
5dee9e7c
MH		 2738 rsp->scid = cpu_to_le16(pi->dcid);
2739 rsp->result = cpu_to_le16(result);
2740 rsp->flags = cpu_to_le16(0x0000);
2741
2742 return ptr - data;
1da177e4
LT		 2743}
2744
f2fcfcd6
GP		 2745static int l2cap_parse_conf_rsp(struct sock *sk, void *rsp, int len, void *data, u16 *result)
2746{
2747 struct l2cap_pinfo *pi = l2cap_pi(sk);
2748 struct l2cap_conf_req *req = data;
2749 void *ptr = req->data;
2750 int type, olen;
2751 unsigned long val;
2752 struct l2cap_conf_rfc rfc;
2753
2754 BT_DBG("sk %p, rsp %p, len %d, req %p", sk, rsp, len, data);
2755
2756 while (len >= L2CAP_CONF_OPT_SIZE) {
2757 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2758
2759 switch (type) {
2760 case L2CAP_CONF_MTU:
2761 if (val < L2CAP_DEFAULT_MIN_MTU) {
2762 *result = L2CAP_CONF_UNACCEPT;
2763 pi->omtu = L2CAP_DEFAULT_MIN_MTU;
2764 } else
2765 pi->omtu = val;
2766 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->omtu);
2767 break;
2768
2769 case L2CAP_CONF_FLUSH_TO:
2770 pi->flush_to = val;
2771 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
2772 2, pi->flush_to);
2773 break;
2774
2775 case L2CAP_CONF_RFC:
2776 if (olen == sizeof(rfc))
2777 memcpy(&rfc, (void *)val, olen);
2778
2779 if ((pi->conf_state & L2CAP_CONF_STATE2_DEVICE) &&
2780 rfc.mode != pi->mode)
2781 return -ECONNREFUSED;
2782
f2fcfcd6
GP		 2783 pi->fcs = 0;
2784
2785 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2786 sizeof(rfc), (unsigned long) &rfc);
2787 break;
2788 }
2789 }
2790
6c2ea7a8
GP		 2791 if (pi->mode == L2CAP_MODE_BASIC && pi->mode != rfc.mode)
2792 return -ECONNREFUSED;
2793
2794 pi->mode = rfc.mode;
2795
f2fcfcd6
GP		 2796 if (*result == L2CAP_CONF_SUCCESS) {
2797 switch (rfc.mode) {
2798 case L2CAP_MODE_ERTM:
2799 pi->remote_tx_win = rfc.txwin_size;
10467e9e
GP		 2800 pi->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2801 pi->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
1c762159 2802 pi->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2803 break;
2804 case L2CAP_MODE_STREAMING:
1c762159 2805 pi->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2806 }
2807 }
2808
2809 req->dcid = cpu_to_le16(pi->dcid);
2810 req->flags = cpu_to_le16(0x0000);
2811
2812 return ptr - data;
2813}
2814
5dee9e7c 2815static int l2cap_build_conf_rsp(struct sock *sk, void *data, u16 result, u16 flags)
1da177e4
LT		 2816{
2817 struct l2cap_conf_rsp *rsp = data;
2818 void *ptr = rsp->data;
1da177e4 2819
5dee9e7c 2820 BT_DBG("sk %p", sk);
1da177e4 2821
aca3192c 2822 rsp->scid = cpu_to_le16(l2cap_pi(sk)->dcid);
5dee9e7c 2823 rsp->result = cpu_to_le16(result);
aca3192c 2824 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 2825
2826 return ptr - data;
2827}
2828
7b1c0049
GP		 2829static void l2cap_conf_rfc_get(struct sock *sk, void *rsp, int len)
2830{
2831 struct l2cap_pinfo *pi = l2cap_pi(sk);
2832 int type, olen;
2833 unsigned long val;
2834 struct l2cap_conf_rfc rfc;
2835
2836 BT_DBG("sk %p, rsp %p, len %d", sk, rsp, len);
2837
2838 if ((pi->mode != L2CAP_MODE_ERTM) && (pi->mode != L2CAP_MODE_STREAMING))
2839 return;
2840
2841 while (len >= L2CAP_CONF_OPT_SIZE) {
2842 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2843
2844 switch (type) {
2845 case L2CAP_CONF_RFC:
2846 if (olen == sizeof(rfc))
2847 memcpy(&rfc, (void *)val, olen);
2848 goto done;
2849 }
2850 }
2851
2852done:
2853 switch (rfc.mode) {
2854 case L2CAP_MODE_ERTM:
2855 pi->remote_tx_win = rfc.txwin_size;
10467e9e
GP		 2856 pi->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2857 pi->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
7b1c0049
GP		 2858 pi->mps = le16_to_cpu(rfc.max_pdu_size);
2859 break;
2860 case L2CAP_MODE_STREAMING:
2861 pi->mps = le16_to_cpu(rfc.max_pdu_size);
2862 }
2863}
2864
4e8402a3
MH		 2865static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2866{
2867 struct l2cap_cmd_rej *rej = (struct l2cap_cmd_rej *) data;
2868
2869 if (rej->reason != 0x0000)
2870 return 0;
2871
2872 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2873 cmd->ident == conn->info_ident) {
4e8402a3 2874 del_timer(&conn->info_timer);
984947dc
MH		 2875
2876 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2877 conn->info_ident = 0;
984947dc 2878
4e8402a3
MH		 2879 l2cap_conn_start(conn);
2880 }
2881
2882 return 0;
2883}
2884
1da177e4
LT		 2885static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2886{
2887 struct l2cap_chan_list *list = &conn->chan_list;
2888 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
2889 struct l2cap_conn_rsp rsp;
e9aeb2dd 2890 struct sock *parent, *uninitialized_var(sk);
e7c29cb1 2891 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2892
2893 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 2894 __le16 psm = req->psm;
1da177e4
LT		 2895
2896 BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
2897
2898 /* Check if we have socket listening on psm */
2899 parent = l2cap_get_sock_by_psm(BT_LISTEN, psm, conn->src);
2900 if (!parent) {
2901 result = L2CAP_CR_BAD_PSM;
2902 goto sendresp;
2903 }
2904
e7c29cb1
MH		 2905 /* Check if the ACL is secure enough (if not SDP) */
2906 if (psm != cpu_to_le16(0x0001) &&
2907 !hci_conn_check_link_mode(conn->hcon)) {
2950f21a 2908 conn->disc_reason = 0x05;
e7c29cb1
MH		 2909 result = L2CAP_CR_SEC_BLOCK;
2910 goto response;
2911 }
2912
1da177e4
LT		 2913 result = L2CAP_CR_NO_MEM;
2914
2915 /* Check for backlog size */
2916 if (sk_acceptq_is_full(parent)) {
8e87d142 2917 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1da177e4
LT		 2918 goto response;
2919 }
2920
3b1e0a65 2921 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP, GFP_ATOMIC);
1da177e4
LT		 2922 if (!sk)
2923 goto response;
2924
fd1278d7 2925 write_lock_bh(&list->lock);
1da177e4
LT		 2926
2927 /* Check if we already have channel with that dcid */
2928 if (__l2cap_get_chan_by_dcid(list, scid)) {
fd1278d7 2929 write_unlock_bh(&list->lock);
1da177e4
LT		 2930 sock_set_flag(sk, SOCK_ZAPPED);
2931 l2cap_sock_kill(sk);
2932 goto response;
2933 }
2934
2935 hci_conn_hold(conn->hcon);
2936
2937 l2cap_sock_init(sk, parent);
2938 bacpy(&bt_sk(sk)->src, conn->src);
2939 bacpy(&bt_sk(sk)->dst, conn->dst);
2940 l2cap_pi(sk)->psm = psm;
2941 l2cap_pi(sk)->dcid = scid;
2942
2943 __l2cap_chan_add(conn, sk, parent);
2944 dcid = l2cap_pi(sk)->scid;
2945
2946 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
2947
1da177e4
LT		 2948 l2cap_pi(sk)->ident = cmd->ident;
2949
984947dc 2950 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
2af6b9d5 2951 if (l2cap_check_security(sk)) {
f66dc81f
MH		 2952 if (bt_sk(sk)->defer_setup) {
2953 sk->sk_state = BT_CONNECT2;
2954 result = L2CAP_CR_PEND;
2955 status = L2CAP_CS_AUTHOR_PEND;
2956 parent->sk_data_ready(parent, 0);
2957 } else {
2958 sk->sk_state = BT_CONFIG;
2959 result = L2CAP_CR_SUCCESS;
2960 status = L2CAP_CS_NO_INFO;
2961 }
79d554a6
MH		 2962 } else {
2963 sk->sk_state = BT_CONNECT2;
2964 result = L2CAP_CR_PEND;
2965 status = L2CAP_CS_AUTHEN_PEND;
2966 }
2967 } else {
2968 sk->sk_state = BT_CONNECT2;
2969 result = L2CAP_CR_PEND;
2970 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2971 }
2972
fd1278d7 2973 write_unlock_bh(&list->lock);
1da177e4
LT		 2974
2975response:
2976 bh_unlock_sock(parent);
2977
2978sendresp:
aca3192c
YH		 2979 rsp.scid = cpu_to_le16(scid);
2980 rsp.dcid = cpu_to_le16(dcid);
2981 rsp.result = cpu_to_le16(result);
2982 rsp.status = cpu_to_le16(status);
1da177e4 2983 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 2984
2985 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
2986 struct l2cap_info_req info;
2987 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2988
2989 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
2990 conn->info_ident = l2cap_get_ident(conn);
2991
2992 mod_timer(&conn->info_timer, jiffies +
2993 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
2994
2995 l2cap_send_cmd(conn, conn->info_ident,
2996 L2CAP_INFO_REQ, sizeof(info), &info);
2997 }
2998
e9aeb2dd
GP		 2999 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT) &&
3000 result == L2CAP_CR_SUCCESS) {
3001 u8 buf[128];
3002 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
3003 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3004 l2cap_build_conf_req(sk, buf), buf);
3005 l2cap_pi(sk)->num_conf_req++;
3006 }
3007
1da177e4
LT		 3008 return 0;
3009}
3010
3011static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3012{
3013 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3014 u16 scid, dcid, result, status;
3015 struct sock *sk;
3016 u8 req[128];
3017
3018 scid = __le16_to_cpu(rsp->scid);
3019 dcid = __le16_to_cpu(rsp->dcid);
3020 result = __le16_to_cpu(rsp->result);
3021 status = __le16_to_cpu(rsp->status);
3022
3023 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status);
3024
3025 if (scid) {
af05b30b
GP		 3026 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
3027 if (!sk)
57d3b22b 3028 return -EFAULT;
1da177e4 3029 } else {
af05b30b
GP		 3030 sk = l2cap_get_chan_by_ident(&conn->chan_list, cmd->ident);
3031 if (!sk)
57d3b22b 3032 return -EFAULT;
1da177e4
LT		 3033 }
3034
3035 switch (result) {
3036 case L2CAP_CR_SUCCESS:
3037 sk->sk_state = BT_CONFIG;
3038 l2cap_pi(sk)->ident = 0;
3039 l2cap_pi(sk)->dcid = dcid;
6a8d3010
MH		 3040 l2cap_pi(sk)->conf_state &= ~L2CAP_CONF_CONNECT_PEND;
3041
e9aeb2dd
GP		 3042 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT)
3043 break;
3044
3045 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
3046
1da177e4
LT		 3047 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3048 l2cap_build_conf_req(sk, req), req);
f2fcfcd6 3049 l2cap_pi(sk)->num_conf_req++;
1da177e4
LT		 3050 break;
3051
3052 case L2CAP_CR_PEND:
6a8d3010 3053 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
1da177e4
LT		 3054 break;
3055
3056 default:
3057 l2cap_chan_del(sk, ECONNREFUSED);
3058 break;
3059 }
3060
3061 bh_unlock_sock(sk);
3062 return 0;
3063}
3064
88219a0f 3065static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 3066{
3067 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
3068 u16 dcid, flags;
3069 u8 rsp[64];
3070 struct sock *sk;
5dee9e7c 3071 int len;
1da177e4
LT		 3072
3073 dcid = __le16_to_cpu(req->dcid);
3074 flags = __le16_to_cpu(req->flags);
3075
3076 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
3077
af05b30b
GP		 3078 sk = l2cap_get_chan_by_scid(&conn->chan_list, dcid);
3079 if (!sk)
1da177e4
LT		 3080 return -ENOENT;
3081
8cb8e6f1
GP		 3082 if (sk->sk_state != BT_CONFIG) {
3083 struct l2cap_cmd_rej rej;
3084
3085 rej.reason = cpu_to_le16(0x0002);
3086 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
3087 sizeof(rej), &rej);
354f60a9 3088 goto unlock;
8cb8e6f1 3089 }
354f60a9 3090
5dee9e7c 3091 /* Reject if config buffer is too small. */
88219a0f 3092 len = cmd_len - sizeof(*req);
5dee9e7c
MH		 3093 if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
3094 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3095 l2cap_build_conf_rsp(sk, rsp,
3096 L2CAP_CONF_REJECT, flags), rsp);
3097 goto unlock;
3098 }
3099
3100 /* Store config. */
3101 memcpy(l2cap_pi(sk)->conf_req + l2cap_pi(sk)->conf_len, req->data, len);
3102 l2cap_pi(sk)->conf_len += len;
1da177e4
LT		 3103
3104 if (flags & 0x0001) {
3105 /* Incomplete config. Send empty response. */
3106 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
5dee9e7c
MH		 3107 l2cap_build_conf_rsp(sk, rsp,
3108 L2CAP_CONF_SUCCESS, 0x0001), rsp);
1da177e4
LT		 3109 goto unlock;
3110 }
3111
3112 /* Complete config. */
5dee9e7c 3113 len = l2cap_parse_conf_req(sk, rsp);
f2fcfcd6 3114 if (len < 0) {
9b108fc0 3115 l2cap_send_disconn_req(conn, sk, ECONNRESET);
1da177e4 3116 goto unlock;
f2fcfcd6 3117 }
1da177e4 3118
5dee9e7c 3119 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
f2fcfcd6 3120 l2cap_pi(sk)->num_conf_rsp++;
5dee9e7c 3121
5dee9e7c
MH		 3122 /* Reset config buffer. */
3123 l2cap_pi(sk)->conf_len = 0;
3124
876d9484
MH		 3125 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE))
3126 goto unlock;
3127
1da177e4 3128 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_INPUT_DONE) {
f64f9e71
JP		 3129 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_NO_FCS_RECV) ||
3130 l2cap_pi(sk)->fcs != L2CAP_FCS_NONE)
fcc203c3
GP		 3131 l2cap_pi(sk)->fcs = L2CAP_FCS_CRC16;
3132
1da177e4 3133 sk->sk_state = BT_CONNECTED;
e90bac06 3134
0565c1c2
GP		 3135 l2cap_pi(sk)->next_tx_seq = 0;
3136 l2cap_pi(sk)->expected_tx_seq = 0;
1c2acffb 3137 __skb_queue_head_init(TX_QUEUE(sk));
0565c1c2
GP		 3138 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM)
3139 l2cap_ertm_init(sk);
3140
1da177e4 3141 l2cap_chan_ready(sk);
876d9484
MH		 3142 goto unlock;
3143 }
3144
3145 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT)) {
79d554a6 3146 u8 buf[64];
1da177e4 3147 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
79d554a6 3148 l2cap_build_conf_req(sk, buf), buf);
f2fcfcd6 3149 l2cap_pi(sk)->num_conf_req++;
1da177e4
LT		 3150 }
3151
3152unlock:
3153 bh_unlock_sock(sk);
3154 return 0;
3155}
3156
3157static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3158{
3159 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
3160 u16 scid, flags, result;
3161 struct sock *sk;
7b1c0049 3162 int len = cmd->len - sizeof(*rsp);
1da177e4
LT		 3163
3164 scid = __le16_to_cpu(rsp->scid);
3165 flags = __le16_to_cpu(rsp->flags);
3166 result = __le16_to_cpu(rsp->result);
3167
af05b30b
GP		 3168 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x",
3169 scid, flags, result);
1da177e4 3170
af05b30b
GP		 3171 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
3172 if (!sk)
1da177e4
LT		 3173 return 0;
3174
3175 switch (result) {
3176 case L2CAP_CONF_SUCCESS:
7b1c0049 3177 l2cap_conf_rfc_get(sk, rsp->data, len);
1da177e4
LT		 3178 break;
3179
3180 case L2CAP_CONF_UNACCEPT:
f2fcfcd6 3181 if (l2cap_pi(sk)->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 3182 char req[64];
3183
c2c77ec8 3184 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
9b108fc0 3185 l2cap_send_disconn_req(conn, sk, ECONNRESET);
c2c77ec8
AE		 3186 goto done;
3187 }
3188
f2fcfcd6
GP		 3189 /* throw out any old stored conf requests */
3190 result = L2CAP_CONF_SUCCESS;
3191 len = l2cap_parse_conf_rsp(sk, rsp->data,
3192 len, req, &result);
3193 if (len < 0) {
9b108fc0 3194 l2cap_send_disconn_req(conn, sk, ECONNRESET);
f2fcfcd6
GP		 3195 goto done;
3196 }
3197
3198 l2cap_send_cmd(conn, l2cap_get_ident(conn),
3199 L2CAP_CONF_REQ, len, req);
3200 l2cap_pi(sk)->num_conf_req++;
3201 if (result != L2CAP_CONF_SUCCESS)
3202 goto done;
3203 break;
1da177e4
LT		 3204 }
3205
8e87d142 3206 default:
b1235d79 3207 sk->sk_err = ECONNRESET;
1da177e4 3208 l2cap_sock_set_timer(sk, HZ * 5);
9b108fc0 3209 l2cap_send_disconn_req(conn, sk, ECONNRESET);
1da177e4
LT		 3210 goto done;
3211 }
3212
3213 if (flags & 0x01)
3214 goto done;
3215
1da177e4
LT		 3216 l2cap_pi(sk)->conf_state |= L2CAP_CONF_INPUT_DONE;
3217
3218 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE) {
f64f9e71
JP		 3219 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_NO_FCS_RECV) ||
3220 l2cap_pi(sk)->fcs != L2CAP_FCS_NONE)
fcc203c3
GP		 3221 l2cap_pi(sk)->fcs = L2CAP_FCS_CRC16;
3222
1da177e4 3223 sk->sk_state = BT_CONNECTED;
0565c1c2 3224 l2cap_pi(sk)->next_tx_seq = 0;
1c2acffb 3225 l2cap_pi(sk)->expected_tx_seq = 0;
1c2acffb 3226 __skb_queue_head_init(TX_QUEUE(sk));
0565c1c2
GP		 3227 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM)
3228 l2cap_ertm_init(sk);
3229
1da177e4
LT		 3230 l2cap_chan_ready(sk);
3231 }
3232
3233done:
3234 bh_unlock_sock(sk);
3235 return 0;
3236}
3237
3238static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3239{
3240 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
3241 struct l2cap_disconn_rsp rsp;
3242 u16 dcid, scid;
3243 struct sock *sk;
3244
3245 scid = __le16_to_cpu(req->scid);
3246 dcid = __le16_to_cpu(req->dcid);
3247
3248 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
3249
af05b30b
GP		 3250 sk = l2cap_get_chan_by_scid(&conn->chan_list, dcid);
3251 if (!sk)
1da177e4
LT		 3252 return 0;
3253
aca3192c
YH		 3254 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
3255 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
1da177e4
LT		 3256 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
3257
3258 sk->sk_shutdown = SHUTDOWN_MASK;
3259
3260 l2cap_chan_del(sk, ECONNRESET);
3261 bh_unlock_sock(sk);
3262
3263 l2cap_sock_kill(sk);
3264 return 0;
3265}
3266
3267static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3268{
3269 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
3270 u16 dcid, scid;
3271 struct sock *sk;
3272
3273 scid = __le16_to_cpu(rsp->scid);
3274 dcid = __le16_to_cpu(rsp->dcid);
3275
3276 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
3277
af05b30b
GP		 3278 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
3279 if (!sk)
1da177e4
LT		 3280 return 0;
3281
3282 l2cap_chan_del(sk, 0);
3283 bh_unlock_sock(sk);
3284
3285 l2cap_sock_kill(sk);
3286 return 0;
3287}
3288
3289static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3290{
3291 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 3292 u16 type;
3293
3294 type = __le16_to_cpu(req->type);
3295
3296 BT_DBG("type 0x%4.4x", type);
3297
f0709e03
MH		 3298 if (type == L2CAP_IT_FEAT_MASK) {
3299 u8 buf[8];
44dd46de 3300 u32 feat_mask = l2cap_feat_mask;
f0709e03
MH		 3301 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
3302 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3303 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
44dd46de 3304 if (enable_ertm)
fcc203c3
GP		 3305 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
3306 | L2CAP_FEAT_FCS;
1b7bf4ed 3307 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 3308 l2cap_send_cmd(conn, cmd->ident,
3309 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 3310 } else if (type == L2CAP_IT_FIXED_CHAN) {
3311 u8 buf[12];
3312 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
3313 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3314 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
3315 memcpy(buf + 4, l2cap_fixed_chan, 8);
3316 l2cap_send_cmd(conn, cmd->ident,
3317 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 3318 } else {
3319 struct l2cap_info_rsp rsp;
3320 rsp.type = cpu_to_le16(type);
3321 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
3322 l2cap_send_cmd(conn, cmd->ident,
3323 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
3324 }
1da177e4
LT		 3325
3326 return 0;
3327}
3328
3329static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3330{
3331 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
3332 u16 type, result;
3333
3334 type = __le16_to_cpu(rsp->type);
3335 result = __le16_to_cpu(rsp->result);
3336
3337 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
3338
4e8402a3
MH		 3339 del_timer(&conn->info_timer);
3340
984947dc 3341 if (type == L2CAP_IT_FEAT_MASK) {
83985319 3342 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 3343
47ec1dcd 3344 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c
MH		 3345 struct l2cap_info_req req;
3346 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3347
3348 conn->info_ident = l2cap_get_ident(conn);
3349
3350 l2cap_send_cmd(conn, conn->info_ident,
3351 L2CAP_INFO_REQ, sizeof(req), &req);
3352 } else {
3353 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3354 conn->info_ident = 0;
3355
3356 l2cap_conn_start(conn);
3357 }
3358 } else if (type == L2CAP_IT_FIXED_CHAN) {
984947dc 3359 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3360 conn->info_ident = 0;
984947dc
MH		 3361
3362 l2cap_conn_start(conn);
3363 }
4e8402a3 3364
1da177e4
LT		 3365 return 0;
3366}
3367
3368static inline void l2cap_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb)
3369{
3370 u8 *data = skb->data;
3371 int len = skb->len;
3372 struct l2cap_cmd_hdr cmd;
3373 int err = 0;
3374
3375 l2cap_raw_recv(conn, skb);
3376
3377 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 3378 u16 cmd_len;
1da177e4
LT		 3379 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
3380 data += L2CAP_CMD_HDR_SIZE;
3381 len -= L2CAP_CMD_HDR_SIZE;
3382
88219a0f 3383 cmd_len = le16_to_cpu(cmd.len);
1da177e4 3384
88219a0f 3385 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 3386
88219a0f 3387 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 3388 BT_DBG("corrupted command");
3389 break;
3390 }
3391
3392 switch (cmd.code) {
3393 case L2CAP_COMMAND_REJ:
4e8402a3 3394 l2cap_command_rej(conn, &cmd, data);
1da177e4
LT		 3395 break;
3396
3397 case L2CAP_CONN_REQ:
3398 err = l2cap_connect_req(conn, &cmd, data);
3399 break;
3400
3401 case L2CAP_CONN_RSP:
3402 err = l2cap_connect_rsp(conn, &cmd, data);
3403 break;
3404
3405 case L2CAP_CONF_REQ:
88219a0f 3406 err = l2cap_config_req(conn, &cmd, cmd_len, data);
1da177e4
LT		 3407 break;
3408
3409 case L2CAP_CONF_RSP:
3410 err = l2cap_config_rsp(conn, &cmd, data);
3411 break;
3412
3413 case L2CAP_DISCONN_REQ:
3414 err = l2cap_disconnect_req(conn, &cmd, data);
3415 break;
3416
3417 case L2CAP_DISCONN_RSP:
3418 err = l2cap_disconnect_rsp(conn, &cmd, data);
3419 break;
3420
3421 case L2CAP_ECHO_REQ:
88219a0f 3422 l2cap_send_cmd(conn, cmd.ident, L2CAP_ECHO_RSP, cmd_len, data);
1da177e4
LT		 3423 break;
3424
3425 case L2CAP_ECHO_RSP:
3426 break;
3427
3428 case L2CAP_INFO_REQ:
3429 err = l2cap_information_req(conn, &cmd, data);
3430 break;
3431
3432 case L2CAP_INFO_RSP:
3433 err = l2cap_information_rsp(conn, &cmd, data);
3434 break;
3435
3436 default:
3437 BT_ERR("Unknown signaling command 0x%2.2x", cmd.code);
3438 err = -EINVAL;
3439 break;
3440 }
3441
3442 if (err) {
3443 struct l2cap_cmd_rej rej;
3444 BT_DBG("error %d", err);
3445
3446 /* FIXME: Map err to a valid reason */
aca3192c 3447 rej.reason = cpu_to_le16(0);
1da177e4
LT		 3448 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3449 }
3450
88219a0f
AV		 3451 data += cmd_len;
3452 len -= cmd_len;
1da177e4
LT		 3453 }
3454
3455 kfree_skb(skb);
3456}
3457
fcc203c3
GP		 3458static int l2cap_check_fcs(struct l2cap_pinfo *pi, struct sk_buff *skb)
3459{
3460 u16 our_fcs, rcv_fcs;
3461 int hdr_size = L2CAP_HDR_SIZE + 2;
3462
3463 if (pi->fcs == L2CAP_FCS_CRC16) {
3464 skb_trim(skb, skb->len - 2);
3465 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
3466 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
3467
3468 if (our_fcs != rcv_fcs)
7a560e5c 3469 return -EBADMSG;
fcc203c3
GP		 3470 }
3471 return 0;
3472}
3473
d5392c8f
GP		 3474static inline void l2cap_send_i_or_rr_or_rnr(struct sock *sk)
3475{
3476 struct l2cap_pinfo *pi = l2cap_pi(sk);
3477 u16 control = 0;
3478
3479 pi->frames_sent = 0;
d5392c8f
GP		 3480
3481 control |= pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3482
3483 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) {
64988868 3484 control |= L2CAP_SUPER_RCV_NOT_READY;
d5392c8f 3485 l2cap_send_sframe(pi, control);
1890d36b 3486 pi->conn_state |= L2CAP_CONN_RNR_SENT;
d5392c8f
GP		 3487 }
3488
4ea727ef
GP		 3489 if (pi->conn_state & L2CAP_CONN_REMOTE_BUSY)
3490 l2cap_retransmit_frames(sk);
d5392c8f
GP		 3491
3492 l2cap_ertm_send(sk);
3493
3494 if (!(pi->conn_state & L2CAP_CONN_LOCAL_BUSY) &&
3495 pi->frames_sent == 0) {
3496 control |= L2CAP_SUPER_RCV_READY;
d5392c8f
GP		 3497 l2cap_send_sframe(pi, control);
3498 }
3499}
3500
9b53350d 3501static int l2cap_add_to_srej_queue(struct sock *sk, struct sk_buff *skb, u8 tx_seq, u8 sar)
8f17154f
GP		 3502{
3503 struct sk_buff *next_skb;
bfbacc11
JPRV		 3504 struct l2cap_pinfo *pi = l2cap_pi(sk);
3505 int tx_seq_offset, next_tx_seq_offset;
8f17154f
GP		 3506
3507 bt_cb(skb)->tx_seq = tx_seq;
3508 bt_cb(skb)->sar = sar;
3509
3510 next_skb = skb_peek(SREJ_QUEUE(sk));
3511 if (!next_skb) {
3512 __skb_queue_tail(SREJ_QUEUE(sk), skb);
9b53350d 3513 return 0;
8f17154f
GP		 3514 }
3515
bfbacc11
JPRV		 3516 tx_seq_offset = (tx_seq - pi->buffer_seq) % 64;
3517 if (tx_seq_offset < 0)
3518 tx_seq_offset += 64;
3519
8f17154f 3520 do {
9b53350d
JPRV		 3521 if (bt_cb(next_skb)->tx_seq == tx_seq)
3522 return -EINVAL;
3523
bfbacc11
JPRV		 3524 next_tx_seq_offset = (bt_cb(next_skb)->tx_seq -
3525 pi->buffer_seq) % 64;
3526 if (next_tx_seq_offset < 0)
3527 next_tx_seq_offset += 64;
3528
3529 if (next_tx_seq_offset > tx_seq_offset) {
8f17154f 3530 __skb_queue_before(SREJ_QUEUE(sk), next_skb, skb);
9b53350d 3531 return 0;
8f17154f
GP		 3532 }
3533
3534 if (skb_queue_is_last(SREJ_QUEUE(sk), next_skb))
3535 break;
3536
59203a21 3537 } while ((next_skb = skb_queue_next(SREJ_QUEUE(sk), next_skb)));
8f17154f
GP		 3538
3539 __skb_queue_tail(SREJ_QUEUE(sk), skb);
9b53350d
JPRV		 3540
3541 return 0;
8f17154f
GP		 3542}
3543
18778a63
GP		 3544static int l2cap_ertm_reassembly_sdu(struct sock *sk, struct sk_buff *skb, u16 control)
3545{
3546 struct l2cap_pinfo *pi = l2cap_pi(sk);
3547 struct sk_buff *_skb;
1890d36b 3548 int err;
18778a63
GP		 3549
3550 switch (control & L2CAP_CTRL_SAR) {
3551 case L2CAP_SDU_UNSEGMENTED:
3552 if (pi->conn_state & L2CAP_CONN_SAR_SDU)
3553 goto drop;
3554
3555 err = sock_queue_rcv_skb(sk, skb);
3556 if (!err)
3557 return err;
3558
3559 break;
3560
3561 case L2CAP_SDU_START:
3562 if (pi->conn_state & L2CAP_CONN_SAR_SDU)
3563 goto drop;
3564
3565 pi->sdu_len = get_unaligned_le16(skb->data);
18778a63
GP		 3566
3567 if (pi->sdu_len > pi->imtu)
3568 goto disconnect;
3569
3570 pi->sdu = bt_skb_alloc(pi->sdu_len, GFP_ATOMIC);
1890d36b
GP		 3571 if (!pi->sdu)
3572 return -ENOMEM;
3573
3574 /* pull sdu_len bytes only after alloc, because of Local Busy
3575 * condition we have to be sure that this will be executed
3576 * only once, i.e., when alloc does not fail */
3577 skb_pull(skb, 2);
18778a63
GP		 3578
3579 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3580
3581 pi->conn_state |= L2CAP_CONN_SAR_SDU;
3582 pi->partial_sdu_len = skb->len;
3583 break;
3584
3585 case L2CAP_SDU_CONTINUE:
3586 if (!(pi->conn_state & L2CAP_CONN_SAR_SDU))
3587 goto disconnect;
3588
3589 if (!pi->sdu)
3590 goto disconnect;
3591
18778a63
GP		 3592 pi->partial_sdu_len += skb->len;
3593 if (pi->partial_sdu_len > pi->sdu_len)
3594 goto drop;
3595
4178ba46
GP		 3596 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3597
18778a63
GP		 3598 break;
3599
3600 case L2CAP_SDU_END:
3601 if (!(pi->conn_state & L2CAP_CONN_SAR_SDU))
3602 goto disconnect;
3603
3604 if (!pi->sdu)
3605 goto disconnect;
3606
1890d36b 3607 if (!(pi->conn_state & L2CAP_CONN_SAR_RETRY)) {
1890d36b 3608 pi->partial_sdu_len += skb->len;
18778a63 3609
1890d36b
GP		 3610 if (pi->partial_sdu_len > pi->imtu)
3611 goto drop;
18778a63 3612
1890d36b
GP		 3613 if (pi->partial_sdu_len != pi->sdu_len)
3614 goto drop;
4178ba46
GP		 3615
3616 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
1890d36b 3617 }
18778a63
GP		 3618
3619 _skb = skb_clone(pi->sdu, GFP_ATOMIC);
1890d36b
GP		 3620 if (!_skb) {
3621 pi->conn_state |= L2CAP_CONN_SAR_RETRY;
3622 return -ENOMEM;
3623 }
3624
18778a63 3625 err = sock_queue_rcv_skb(sk, _skb);
1890d36b 3626 if (err < 0) {
18778a63 3627 kfree_skb(_skb);
1890d36b
GP		 3628 pi->conn_state |= L2CAP_CONN_SAR_RETRY;
3629 return err;
3630 }
3631
3632 pi->conn_state &= ~L2CAP_CONN_SAR_RETRY;
3633 pi->conn_state &= ~L2CAP_CONN_SAR_SDU;
18778a63
GP		 3634
3635 kfree_skb(pi->sdu);
3636 break;
3637 }
3638
3639 kfree_skb(skb);
1890d36b 3640 return 0;
18778a63
GP		 3641
3642drop:
3643 kfree_skb(pi->sdu);
3644 pi->sdu = NULL;
3645
3646disconnect:
9b108fc0 3647 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
18778a63
GP		 3648 kfree_skb(skb);
3649 return 0;
3650}
3651
712132eb
GP		 3652static int l2cap_try_push_rx_skb(struct sock *sk)
3653{
3654 struct l2cap_pinfo *pi = l2cap_pi(sk);
3655 struct sk_buff *skb;
3656 u16 control;
3657 int err;
3658
3659 while ((skb = skb_dequeue(BUSY_QUEUE(sk)))) {
3660 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
3661 err = l2cap_ertm_reassembly_sdu(sk, skb, control);
3662 if (err < 0) {
3663 skb_queue_head(BUSY_QUEUE(sk), skb);
3664 return -EBUSY;
3665 }
3666
3667 pi->buffer_seq = (pi->buffer_seq + 1) % 64;
3668 }
3669
3670 if (!(pi->conn_state & L2CAP_CONN_RNR_SENT))
3671 goto done;
3672
3673 control = pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3674 control |= L2CAP_SUPER_RCV_READY | L2CAP_CTRL_POLL;
3675 l2cap_send_sframe(pi, control);
3676 l2cap_pi(sk)->retry_count = 1;
3677
3678 del_timer(&pi->retrans_timer);
3679 __mod_monitor_timer();
3680
3681 l2cap_pi(sk)->conn_state |= L2CAP_CONN_WAIT_F;
3682
3683done:
3684 pi->conn_state &= ~L2CAP_CONN_LOCAL_BUSY;
3685 pi->conn_state &= ~L2CAP_CONN_RNR_SENT;
3686
3687 BT_DBG("sk %p, Exit local busy", sk);
3688
3689 return 0;
3690}
3691
1890d36b
GP		 3692static void l2cap_busy_work(struct work_struct *work)
3693{
3694 DECLARE_WAITQUEUE(wait, current);
3695 struct l2cap_pinfo *pi =
3696 container_of(work, struct l2cap_pinfo, busy_work);
3697 struct sock *sk = (struct sock *)pi;
3698 int n_tries = 0, timeo = HZ/5, err;
3699 struct sk_buff *skb;
1890d36b
GP		 3700
3701 lock_sock(sk);
3702
2b0b05dd 3703 add_wait_queue(sk_sleep(sk), &wait);
1890d36b
GP		 3704 while ((skb = skb_peek(BUSY_QUEUE(sk)))) {
3705 set_current_state(TASK_INTERRUPTIBLE);
3706
3707 if (n_tries++ > L2CAP_LOCAL_BUSY_TRIES) {
3708 err = -EBUSY;
9b108fc0 3709 l2cap_send_disconn_req(pi->conn, sk, EBUSY);
712132eb 3710 break;
1890d36b
GP		 3711 }
3712
3713 if (!timeo)
3714 timeo = HZ/5;
3715
3716 if (signal_pending(current)) {
3717 err = sock_intr_errno(timeo);
712132eb 3718 break;
1890d36b
GP		 3719 }
3720
3721 release_sock(sk);
3722 timeo = schedule_timeout(timeo);
3723 lock_sock(sk);
3724
3725 err = sock_error(sk);
3726 if (err)
712132eb 3727 break;
1890d36b 3728
712132eb 3729 if (l2cap_try_push_rx_skb(sk) == 0)
1890d36b
GP		 3730 break;
3731 }
3732
1890d36b 3733 set_current_state(TASK_RUNNING);
2b0b05dd 3734 remove_wait_queue(sk_sleep(sk), &wait);
1890d36b
GP		 3735
3736 release_sock(sk);
3737}
3738
3739static int l2cap_push_rx_skb(struct sock *sk, struct sk_buff *skb, u16 control)
3740{
3741 struct l2cap_pinfo *pi = l2cap_pi(sk);
3742 int sctrl, err;
3743
3744 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) {
3745 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
3746 __skb_queue_tail(BUSY_QUEUE(sk), skb);
712132eb
GP		 3747 return l2cap_try_push_rx_skb(sk);
3748
3749
1890d36b
GP		 3750 }
3751
3752 err = l2cap_ertm_reassembly_sdu(sk, skb, control);
3753 if (err >= 0) {
3754 pi->buffer_seq = (pi->buffer_seq + 1) % 64;
3755 return err;
3756 }
3757
3758 /* Busy Condition */
0e98958d
GP		 3759 BT_DBG("sk %p, Enter local busy", sk);
3760
1890d36b
GP		 3761 pi->conn_state |= L2CAP_CONN_LOCAL_BUSY;
3762 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
3763 __skb_queue_tail(BUSY_QUEUE(sk), skb);
3764
3765 sctrl = pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3766 sctrl |= L2CAP_SUPER_RCV_NOT_READY;
3767 l2cap_send_sframe(pi, sctrl);
3768
3769 pi->conn_state |= L2CAP_CONN_RNR_SENT;
3770
7fe9b298
GP		 3771 del_timer(&pi->ack_timer);
3772
1890d36b
GP		 3773 queue_work(_busy_wq, &pi->busy_work);
3774
3775 return err;
3776}
3777
18778a63 3778static int l2cap_streaming_reassembly_sdu(struct sock *sk, struct sk_buff *skb, u16 control)
c74e560c
GP		 3779{
3780 struct l2cap_pinfo *pi = l2cap_pi(sk);
3781 struct sk_buff *_skb;
3782 int err = -EINVAL;
3783
18778a63
GP		 3784 /*
3785 * TODO: We have to notify the userland if some data is lost with the
3786 * Streaming Mode.
3787 */
3788
c74e560c
GP		 3789 switch (control & L2CAP_CTRL_SAR) {
3790 case L2CAP_SDU_UNSEGMENTED:
3791 if (pi->conn_state & L2CAP_CONN_SAR_SDU) {
3792 kfree_skb(pi->sdu);
3793 break;
3794 }
3795
3796 err = sock_queue_rcv_skb(sk, skb);
3797 if (!err)
3798 return 0;
3799
3800 break;
3801
3802 case L2CAP_SDU_START:
3803 if (pi->conn_state & L2CAP_CONN_SAR_SDU) {
3804 kfree_skb(pi->sdu);
3805 break;
3806 }
3807
3808 pi->sdu_len = get_unaligned_le16(skb->data);
3809 skb_pull(skb, 2);
3810
052897ca
GP		 3811 if (pi->sdu_len > pi->imtu) {
3812 err = -EMSGSIZE;
3813 break;
3814 }
3815
c74e560c
GP		 3816 pi->sdu = bt_skb_alloc(pi->sdu_len, GFP_ATOMIC);
3817 if (!pi->sdu) {
3818 err = -ENOMEM;
3819 break;
3820 }
3821
3822 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3823
3824 pi->conn_state |= L2CAP_CONN_SAR_SDU;
3825 pi->partial_sdu_len = skb->len;
3826 err = 0;
3827 break;
3828
3829 case L2CAP_SDU_CONTINUE:
3830 if (!(pi->conn_state & L2CAP_CONN_SAR_SDU))
3831 break;
3832
3833 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3834
3835 pi->partial_sdu_len += skb->len;
3836 if (pi->partial_sdu_len > pi->sdu_len)
3837 kfree_skb(pi->sdu);
3838 else
3839 err = 0;
3840
3841 break;
3842
3843 case L2CAP_SDU_END:
3844 if (!(pi->conn_state & L2CAP_CONN_SAR_SDU))
3845 break;
3846
3847 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3848
3849 pi->conn_state &= ~L2CAP_CONN_SAR_SDU;
3850 pi->partial_sdu_len += skb->len;
3851
36f2fd58
GP		 3852 if (pi->partial_sdu_len > pi->imtu)
3853 goto drop;
3854
c74e560c
GP		 3855 if (pi->partial_sdu_len == pi->sdu_len) {
3856 _skb = skb_clone(pi->sdu, GFP_ATOMIC);
3857 err = sock_queue_rcv_skb(sk, _skb);
3858 if (err < 0)
3859 kfree_skb(_skb);
3860 }
c74e560c
GP		 3861 err = 0;
3862
36f2fd58
GP		 3863drop:
3864 kfree_skb(pi->sdu);
c74e560c
GP		 3865 break;
3866 }
3867
3868 kfree_skb(skb);
3869 return err;
3870}
3871
8f17154f
GP		 3872static void l2cap_check_srej_gap(struct sock *sk, u8 tx_seq)
3873{
3874 struct sk_buff *skb;
afefdbc4 3875 u16 control;
8f17154f 3876
59203a21 3877 while ((skb = skb_peek(SREJ_QUEUE(sk)))) {
8f17154f
GP		 3878 if (bt_cb(skb)->tx_seq != tx_seq)
3879 break;
3880
3881 skb = skb_dequeue(SREJ_QUEUE(sk));
afefdbc4 3882 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
18778a63 3883 l2cap_ertm_reassembly_sdu(sk, skb, control);
8f17154f
GP		 3884 l2cap_pi(sk)->buffer_seq_srej =
3885 (l2cap_pi(sk)->buffer_seq_srej + 1) % 64;
8ff50ec0 3886 tx_seq = (tx_seq + 1) % 64;
8f17154f
GP		 3887 }
3888}
3889
3890static void l2cap_resend_srejframe(struct sock *sk, u8 tx_seq)
3891{
3892 struct l2cap_pinfo *pi = l2cap_pi(sk);
3893 struct srej_list *l, *tmp;
3894 u16 control;
3895
59203a21 3896 list_for_each_entry_safe(l, tmp, SREJ_LIST(sk), list) {
8f17154f
GP		 3897 if (l->tx_seq == tx_seq) {
3898 list_del(&l->list);
3899 kfree(l);
3900 return;
3901 }
3902 control = L2CAP_SUPER_SELECT_REJECT;
3903 control |= l->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3904 l2cap_send_sframe(pi, control);
3905 list_del(&l->list);
3906 list_add_tail(&l->list, SREJ_LIST(sk));
3907 }
3908}
3909
3910static void l2cap_send_srejframe(struct sock *sk, u8 tx_seq)
3911{
3912 struct l2cap_pinfo *pi = l2cap_pi(sk);
3913 struct srej_list *new;
3914 u16 control;
3915
3916 while (tx_seq != pi->expected_tx_seq) {
3917 control = L2CAP_SUPER_SELECT_REJECT;
3918 control |= pi->expected_tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3919 l2cap_send_sframe(pi, control);
3920
3921 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
8ff50ec0
GP		 3922 new->tx_seq = pi->expected_tx_seq;
3923 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
8f17154f
GP		 3924 list_add_tail(&new->list, SREJ_LIST(sk));
3925 }
8ff50ec0 3926 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
8f17154f
GP		 3927}
3928
1c2acffb
GP		 3929static inline int l2cap_data_channel_iframe(struct sock *sk, u16 rx_control, struct sk_buff *skb)
3930{
3931 struct l2cap_pinfo *pi = l2cap_pi(sk);
3932 u8 tx_seq = __get_txseq(rx_control);
9f121a5a 3933 u8 req_seq = __get_reqseq(rx_control);
8f17154f 3934 u8 sar = rx_control >> L2CAP_CTRL_SAR_SHIFT;
f6337c77 3935 int tx_seq_offset, expected_tx_seq_offset;
803020c6 3936 int num_to_ack = (pi->tx_win/6) + 1;
1c2acffb
GP		 3937 int err = 0;
3938
0e98958d
GP		 3939 BT_DBG("sk %p len %d tx_seq %d rx_control 0x%4.4x", sk, skb->len, tx_seq,
3940 rx_control);
1c2acffb 3941
9b16dc65
GP		 3942 if (L2CAP_CTRL_FINAL & rx_control &&
3943 l2cap_pi(sk)->conn_state & L2CAP_CONN_WAIT_F) {
1d8f5d16
GP		 3944 del_timer(&pi->monitor_timer);
3945 if (pi->unacked_frames > 0)
3946 __mod_retrans_timer();
3947 pi->conn_state &= ~L2CAP_CONN_WAIT_F;
3948 }
3949
9f121a5a
GP		 3950 pi->expected_ack_seq = req_seq;
3951 l2cap_drop_acked_frames(sk);
3952
8f17154f
GP		 3953 if (tx_seq == pi->expected_tx_seq)
3954 goto expected;
1c2acffb 3955
9b53350d
JPRV		 3956 tx_seq_offset = (tx_seq - pi->buffer_seq) % 64;
3957 if (tx_seq_offset < 0)
3958 tx_seq_offset += 64;
3959
3960 /* invalid tx_seq */
3961 if (tx_seq_offset >= pi->tx_win) {
9b108fc0 3962 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
9b53350d
JPRV		 3963 goto drop;
3964 }
3965
1890d36b
GP		 3966 if (pi->conn_state == L2CAP_CONN_LOCAL_BUSY)
3967 goto drop;
3968
8f17154f
GP		 3969 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
3970 struct srej_list *first;
30afb5b2 3971
8f17154f
GP		 3972 first = list_first_entry(SREJ_LIST(sk),
3973 struct srej_list, list);
3974 if (tx_seq == first->tx_seq) {
3975 l2cap_add_to_srej_queue(sk, skb, tx_seq, sar);
3976 l2cap_check_srej_gap(sk, tx_seq);
3977
3978 list_del(&first->list);
3979 kfree(first);
3980
3981 if (list_empty(SREJ_LIST(sk))) {
3982 pi->buffer_seq = pi->buffer_seq_srej;
3983 pi->conn_state &= ~L2CAP_CONN_SREJ_SENT;
855666cc 3984 l2cap_send_ack(pi);
0e98958d 3985 BT_DBG("sk %p, Exit SREJ_SENT", sk);
8f17154f
GP		 3986 }
3987 } else {
3988 struct srej_list *l;
9b53350d
JPRV		 3989
3990 /* duplicated tx_seq */
3991 if (l2cap_add_to_srej_queue(sk, skb, tx_seq, sar) < 0)
3992 goto drop;
8f17154f
GP		 3993
3994 list_for_each_entry(l, SREJ_LIST(sk), list) {
3995 if (l->tx_seq == tx_seq) {
3996 l2cap_resend_srejframe(sk, tx_seq);
3997 return 0;
3998 }
3999 }
4000 l2cap_send_srejframe(sk, tx_seq);
30afb5b2
GP		 4001 }
4002 } else {
9b53350d
JPRV		 4003 expected_tx_seq_offset =
4004 (pi->expected_tx_seq - pi->buffer_seq) % 64;
4005 if (expected_tx_seq_offset < 0)
4006 expected_tx_seq_offset += 64;
4007
4008 /* duplicated tx_seq */
4009 if (tx_seq_offset < expected_tx_seq_offset)
4010 goto drop;
4011
8f17154f 4012 pi->conn_state |= L2CAP_CONN_SREJ_SENT;
1c2acffb 4013
0e98958d
GP		 4014 BT_DBG("sk %p, Enter SREJ", sk);
4015
8f17154f
GP		 4016 INIT_LIST_HEAD(SREJ_LIST(sk));
4017 pi->buffer_seq_srej = pi->buffer_seq;
4018
4019 __skb_queue_head_init(SREJ_QUEUE(sk));
1890d36b 4020 __skb_queue_head_init(BUSY_QUEUE(sk));
8f17154f
GP		 4021 l2cap_add_to_srej_queue(sk, skb, tx_seq, sar);
4022
ef54fd93
GP		 4023 pi->conn_state |= L2CAP_CONN_SEND_PBIT;
4024
8f17154f 4025 l2cap_send_srejframe(sk, tx_seq);
7fe9b298
GP		 4026
4027 del_timer(&pi->ack_timer);
1c2acffb 4028 }
30afb5b2
GP		 4029 return 0;
4030
8f17154f
GP		 4031expected:
4032 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
4033
4034 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
3b1a9f3f
GP		 4035 bt_cb(skb)->tx_seq = tx_seq;
4036 bt_cb(skb)->sar = sar;
4037 __skb_queue_tail(SREJ_QUEUE(sk), skb);
8f17154f
GP		 4038 return 0;
4039 }
4040
2ece3684
GP		 4041 err = l2cap_push_rx_skb(sk, skb, rx_control);
4042 if (err < 0)
4043 return 0;
4044
4ec10d97
GP		 4045 if (rx_control & L2CAP_CTRL_FINAL) {
4046 if (pi->conn_state & L2CAP_CONN_REJ_ACT)
4047 pi->conn_state &= ~L2CAP_CONN_REJ_ACT;
dfc909be
GP		 4048 else
4049 l2cap_retransmit_frames(sk);
4ec10d97
GP		 4050 }
4051
c1b4f43b
GP		 4052 __mod_ack_timer();
4053
803020c6
GP		 4054 pi->num_acked = (pi->num_acked + 1) % num_to_ack;
4055 if (pi->num_acked == num_to_ack - 1)
9e917af1
GP		 4056 l2cap_send_ack(pi);
4057
8f17154f 4058 return 0;
9b53350d
JPRV		 4059
4060drop:
4061 kfree_skb(skb);
4062 return 0;
1c2acffb
GP		 4063}
4064
e072745f 4065static inline void l2cap_data_channel_rrframe(struct sock *sk, u16 rx_control)
1c2acffb
GP		 4066{
4067 struct l2cap_pinfo *pi = l2cap_pi(sk);
6e3a5981 4068
0e98958d
GP		 4069 BT_DBG("sk %p, req_seq %d ctrl 0x%4.4x", sk, __get_reqseq(rx_control),
4070 rx_control);
4071
6e3a5981
GP		 4072 pi->expected_ack_seq = __get_reqseq(rx_control);
4073 l2cap_drop_acked_frames(sk);
1c2acffb 4074
e072745f 4075 if (rx_control & L2CAP_CTRL_POLL) {
3cb123d1 4076 pi->conn_state |= L2CAP_CONN_SEND_FBIT;
05fbd89d
GP		 4077 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
4078 if ((pi->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
4079 (pi->unacked_frames > 0))
4080 __mod_retrans_timer();
4081
4082 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
4083 l2cap_send_srejtail(sk);
4084 } else {
4085 l2cap_send_i_or_rr_or_rnr(sk);
05fbd89d 4086 }
1d8f5d16 4087
e072745f
GP		 4088 } else if (rx_control & L2CAP_CTRL_FINAL) {
4089 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
4ec10d97 4090
e072745f
GP		 4091 if (pi->conn_state & L2CAP_CONN_REJ_ACT)
4092 pi->conn_state &= ~L2CAP_CONN_REJ_ACT;
dfc909be
GP		 4093 else
4094 l2cap_retransmit_frames(sk);
2246b2f1 4095
e072745f 4096 } else {
e072745f
GP		 4097 if ((pi->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
4098 (pi->unacked_frames > 0))
4099 __mod_retrans_timer();
1c2acffb 4100
2246b2f1 4101 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
dfc909be 4102 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
e072745f 4103 l2cap_send_ack(pi);
dfc909be 4104 } else {
e072745f 4105 l2cap_ertm_send(sk);
dfc909be 4106 }
e072745f
GP		 4107 }
4108}
2246b2f1 4109
e072745f
GP		 4110static inline void l2cap_data_channel_rejframe(struct sock *sk, u16 rx_control)
4111{
4112 struct l2cap_pinfo *pi = l2cap_pi(sk);
4113 u8 tx_seq = __get_reqseq(rx_control);
30afb5b2 4114
0e98958d
GP		 4115 BT_DBG("sk %p, req_seq %d ctrl 0x%4.4x", sk, tx_seq, rx_control);
4116
e072745f
GP		 4117 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
4118
8abb52ee 4119 pi->expected_ack_seq = tx_seq;
e072745f
GP		 4120 l2cap_drop_acked_frames(sk);
4121
4122 if (rx_control & L2CAP_CTRL_FINAL) {
4123 if (pi->conn_state & L2CAP_CONN_REJ_ACT)
4124 pi->conn_state &= ~L2CAP_CONN_REJ_ACT;
dfc909be
GP		 4125 else
4126 l2cap_retransmit_frames(sk);
e072745f 4127 } else {
dfc909be 4128 l2cap_retransmit_frames(sk);
30afb5b2 4129
0301ef04 4130 if (pi->conn_state & L2CAP_CONN_WAIT_F)
e072745f 4131 pi->conn_state |= L2CAP_CONN_REJ_ACT;
e072745f
GP		 4132 }
4133}
4134static inline void l2cap_data_channel_srejframe(struct sock *sk, u16 rx_control)
4135{
4136 struct l2cap_pinfo *pi = l2cap_pi(sk);
4137 u8 tx_seq = __get_reqseq(rx_control);
30afb5b2 4138
0e98958d
GP		 4139 BT_DBG("sk %p, req_seq %d ctrl 0x%4.4x", sk, tx_seq, rx_control);
4140
e072745f 4141 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
2246b2f1 4142
e072745f
GP		 4143 if (rx_control & L2CAP_CTRL_POLL) {
4144 pi->expected_ack_seq = tx_seq;
4145 l2cap_drop_acked_frames(sk);
3cb123d1
GP		 4146
4147 pi->conn_state |= L2CAP_CONN_SEND_FBIT;
dfc909be
GP		 4148 l2cap_retransmit_one_frame(sk, tx_seq);
4149
e072745f 4150 l2cap_ertm_send(sk);
dfc909be 4151
e072745f
GP		 4152 if (pi->conn_state & L2CAP_CONN_WAIT_F) {
4153 pi->srej_save_reqseq = tx_seq;
4154 pi->conn_state |= L2CAP_CONN_SREJ_ACT;
ef54fd93 4155 }
e072745f
GP		 4156 } else if (rx_control & L2CAP_CTRL_FINAL) {
4157 if ((pi->conn_state & L2CAP_CONN_SREJ_ACT) &&
4158 pi->srej_save_reqseq == tx_seq)
4159 pi->conn_state &= ~L2CAP_CONN_SREJ_ACT;
4160 else
dfc909be 4161 l2cap_retransmit_one_frame(sk, tx_seq);
e072745f 4162 } else {
dfc909be 4163 l2cap_retransmit_one_frame(sk, tx_seq);
e072745f
GP		 4164 if (pi->conn_state & L2CAP_CONN_WAIT_F) {
4165 pi->srej_save_reqseq = tx_seq;
4166 pi->conn_state |= L2CAP_CONN_SREJ_ACT;
ef54fd93 4167 }
e072745f
GP		 4168 }
4169}
4170
4171static inline void l2cap_data_channel_rnrframe(struct sock *sk, u16 rx_control)
4172{
4173 struct l2cap_pinfo *pi = l2cap_pi(sk);
4174 u8 tx_seq = __get_reqseq(rx_control);
4175
0e98958d
GP		 4176 BT_DBG("sk %p, req_seq %d ctrl 0x%4.4x", sk, tx_seq, rx_control);
4177
e072745f
GP		 4178 pi->conn_state |= L2CAP_CONN_REMOTE_BUSY;
4179 pi->expected_ack_seq = tx_seq;
4180 l2cap_drop_acked_frames(sk);
4181
3cb123d1
GP		 4182 if (rx_control & L2CAP_CTRL_POLL)
4183 pi->conn_state |= L2CAP_CONN_SEND_FBIT;
4184
99b0d4b7
GP		 4185 if (!(pi->conn_state & L2CAP_CONN_SREJ_SENT)) {
4186 del_timer(&pi->retrans_timer);
a2e12a2a
GP		 4187 if (rx_control & L2CAP_CTRL_POLL)
4188 l2cap_send_rr_or_rnr(pi, L2CAP_CTRL_FINAL);
99b0d4b7 4189 return;
e072745f 4190 }
99b0d4b7
GP		 4191
4192 if (rx_control & L2CAP_CTRL_POLL)
4193 l2cap_send_srejtail(sk);
4194 else
4195 l2cap_send_sframe(pi, L2CAP_SUPER_RCV_READY);
e072745f
GP		 4196}
4197
4198static inline int l2cap_data_channel_sframe(struct sock *sk, u16 rx_control, struct sk_buff *skb)
4199{
4200 BT_DBG("sk %p rx_control 0x%4.4x len %d", sk, rx_control, skb->len);
4201
9b16dc65
GP		 4202 if (L2CAP_CTRL_FINAL & rx_control &&
4203 l2cap_pi(sk)->conn_state & L2CAP_CONN_WAIT_F) {
e072745f
GP		 4204 del_timer(&l2cap_pi(sk)->monitor_timer);
4205 if (l2cap_pi(sk)->unacked_frames > 0)
4206 __mod_retrans_timer();
4207 l2cap_pi(sk)->conn_state &= ~L2CAP_CONN_WAIT_F;
4208 }
4209
4210 switch (rx_control & L2CAP_CTRL_SUPERVISE) {
4211 case L2CAP_SUPER_RCV_READY:
4212 l2cap_data_channel_rrframe(sk, rx_control);
8f17154f
GP		 4213 break;
4214
e072745f
GP		 4215 case L2CAP_SUPER_REJECT:
4216 l2cap_data_channel_rejframe(sk, rx_control);
4217 break;
2246b2f1 4218
e072745f
GP		 4219 case L2CAP_SUPER_SELECT_REJECT:
4220 l2cap_data_channel_srejframe(sk, rx_control);
4221 break;
4222
4223 case L2CAP_SUPER_RCV_NOT_READY:
4224 l2cap_data_channel_rnrframe(sk, rx_control);
1c2acffb
GP		 4225 break;
4226 }
4227
faaebd19 4228 kfree_skb(skb);
1c2acffb
GP		 4229 return 0;
4230}
4231
218bb9df
GP		 4232static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb)
4233{
4234 struct l2cap_pinfo *pi = l2cap_pi(sk);
4235 u16 control;
4236 u8 req_seq;
4237 int len, next_tx_seq_offset, req_seq_offset;
4238
4239 control = get_unaligned_le16(skb->data);
4240 skb_pull(skb, 2);
4241 len = skb->len;
4242
4243 /*
4244 * We can just drop the corrupted I-frame here.
4245 * Receiver will miss it and start proper recovery
4246 * procedures and ask retransmission.
4247 */
4248 if (l2cap_check_fcs(pi, skb))
4249 goto drop;
4250
4251 if (__is_sar_start(control) && __is_iframe(control))
4252 len -= 2;
4253
4254 if (pi->fcs == L2CAP_FCS_CRC16)
4255 len -= 2;
4256
4257 if (len > pi->mps) {
4258 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
4259 goto drop;
4260 }
4261
4262 req_seq = __get_reqseq(control);
4263 req_seq_offset = (req_seq - pi->expected_ack_seq) % 64;
4264 if (req_seq_offset < 0)
4265 req_seq_offset += 64;
4266
4267 next_tx_seq_offset =
4268 (pi->next_tx_seq - pi->expected_ack_seq) % 64;
4269 if (next_tx_seq_offset < 0)
4270 next_tx_seq_offset += 64;
4271
4272 /* check for invalid req-seq */
4273 if (req_seq_offset > next_tx_seq_offset) {
4274 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
4275 goto drop;
4276 }
4277
4278 if (__is_iframe(control)) {
4279 if (len < 0) {
4280 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
4281 goto drop;
4282 }
4283
4284 l2cap_data_channel_iframe(sk, control, skb);
4285 } else {
4286 if (len != 0) {
4287 BT_ERR("%d", len);
4288 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
4289 goto drop;
4290 }
4291
4292 l2cap_data_channel_sframe(sk, control, skb);
4293 }
4294
4295 return 0;
4296
4297drop:
4298 kfree_skb(skb);
4299 return 0;
4300}
4301
1da177e4
LT		 4302static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
4303{
4304 struct sock *sk;
6840ed07 4305 struct l2cap_pinfo *pi;
51893f88 4306 u16 control;
218bb9df
GP		 4307 u8 tx_seq;
4308 int len;
1da177e4
LT		 4309
4310 sk = l2cap_get_chan_by_scid(&conn->chan_list, cid);
4311 if (!sk) {
4312 BT_DBG("unknown cid 0x%4.4x", cid);
4313 goto drop;
4314 }
4315
6840ed07
GP		 4316 pi = l2cap_pi(sk);
4317
1da177e4
LT		 4318 BT_DBG("sk %p, len %d", sk, skb->len);
4319
4320 if (sk->sk_state != BT_CONNECTED)
4321 goto drop;
4322
6840ed07 4323 switch (pi->mode) {
1c2acffb
GP		 4324 case L2CAP_MODE_BASIC:
4325 /* If socket recv buffers overflows we drop data here
4326 * which is *bad* because L2CAP has to be reliable.
4327 * But we don't have any other choice. L2CAP doesn't
4328 * provide flow control mechanism. */
1da177e4 4329
6840ed07 4330 if (pi->imtu < skb->len)
1c2acffb 4331 goto drop;
1da177e4 4332
1c2acffb
GP		 4333 if (!sock_queue_rcv_skb(sk, skb))
4334 goto done;
4335 break;
4336
4337 case L2CAP_MODE_ERTM:
218bb9df
GP		 4338 if (!sock_owned_by_user(sk)) {
4339 l2cap_ertm_data_rcv(sk, skb);
277ffbe3 4340 } else {
218bb9df 4341 if (sk_add_backlog(sk, skb))
277ffbe3 4342 goto drop;
277ffbe3 4343 }
1c2acffb 4344
fcafde2e 4345 goto done;
1c2acffb 4346
6840ed07
GP		 4347 case L2CAP_MODE_STREAMING:
4348 control = get_unaligned_le16(skb->data);
4349 skb_pull(skb, 2);
4350 len = skb->len;
4351
26000089
GP		 4352 if (l2cap_check_fcs(pi, skb))
4353 goto drop;
4354
6840ed07
GP		 4355 if (__is_sar_start(control))
4356 len -= 2;
4357
fcc203c3
GP		 4358 if (pi->fcs == L2CAP_FCS_CRC16)
4359 len -= 2;
4360
51893f88 4361 if (len > pi->mps || len < 0 || __is_sframe(control))
6840ed07
GP		 4362 goto drop;
4363
4364 tx_seq = __get_txseq(control);
4365
4366 if (pi->expected_tx_seq == tx_seq)
4367 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
4368 else
7dffe421 4369 pi->expected_tx_seq = (tx_seq + 1) % 64;
6840ed07 4370
18778a63 4371 l2cap_streaming_reassembly_sdu(sk, skb, control);
6840ed07
GP		 4372
4373 goto done;
4374
1c2acffb 4375 default:
e8235c6b 4376 BT_DBG("sk %p: bad mode 0x%2.2x", sk, pi->mode);
1c2acffb
GP		 4377 break;
4378 }
1da177e4
LT		 4379
4380drop:
4381 kfree_skb(skb);
4382
4383done:
0139418c
MH		 4384 if (sk)
4385 bh_unlock_sock(sk);
4386
1da177e4
LT		 4387 return 0;
4388}
4389
8e036fc3 4390static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
1da177e4
LT		 4391{
4392 struct sock *sk;
4393
4394 sk = l2cap_get_sock_by_psm(0, psm, conn->src);
4395 if (!sk)
4396 goto drop;
4397
4398 BT_DBG("sk %p, len %d", sk, skb->len);
4399
4400 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_CONNECTED)
4401 goto drop;
4402
4403 if (l2cap_pi(sk)->imtu < skb->len)
4404 goto drop;
4405
4406 if (!sock_queue_rcv_skb(sk, skb))
4407 goto done;
4408
4409drop:
4410 kfree_skb(skb);
4411
4412done:
af05b30b
GP		 4413 if (sk)
4414 bh_unlock_sock(sk);
1da177e4
LT		 4415 return 0;
4416}
4417
4418static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
4419{
4420 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 4421 u16 cid, len;
4422 __le16 psm;
1da177e4
LT		 4423
4424 skb_pull(skb, L2CAP_HDR_SIZE);
4425 cid = __le16_to_cpu(lh->cid);
4426 len = __le16_to_cpu(lh->len);
4427
1c2acffb
GP		 4428 if (len != skb->len) {
4429 kfree_skb(skb);
4430 return;
4431 }
4432
1da177e4
LT		 4433 BT_DBG("len %d, cid 0x%4.4x", len, cid);
4434
4435 switch (cid) {
8db4dc46 4436 case L2CAP_CID_SIGNALING:
1da177e4
LT		 4437 l2cap_sig_channel(conn, skb);
4438 break;
4439
8db4dc46 4440 case L2CAP_CID_CONN_LESS:
1b7bf4ed 4441 psm = get_unaligned_le16(skb->data);
1da177e4
LT		 4442 skb_pull(skb, 2);
4443 l2cap_conless_channel(conn, psm, skb);
4444 break;
4445
4446 default:
4447 l2cap_data_channel(conn, cid, skb);
4448 break;
4449 }
4450}
4451
4452/* ---- L2CAP interface with lower layer (HCI) ---- */
4453
4454static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
4455{
4456 int exact = 0, lm1 = 0, lm2 = 0;
4457 register struct sock *sk;
4458 struct hlist_node *node;
4459
4460 if (type != ACL_LINK)
963cf687 4461 return -EINVAL;
1da177e4
LT		 4462
4463 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
4464
4465 /* Find listening sockets and check their link_mode */
4466 read_lock(&l2cap_sk_list.lock);
4467 sk_for_each(sk, node, &l2cap_sk_list.head) {
4468 if (sk->sk_state != BT_LISTEN)
4469 continue;
4470
4471 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5
MH		 4472 lm1 |= HCI_LM_ACCEPT;
4473 if (l2cap_pi(sk)->role_switch)
4474 lm1 |= HCI_LM_MASTER;
1da177e4 4475 exact++;
2af6b9d5
MH		 4476 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
4477 lm2 |= HCI_LM_ACCEPT;
4478 if (l2cap_pi(sk)->role_switch)
4479 lm2 |= HCI_LM_MASTER;
4480 }
1da177e4
LT		 4481 }
4482 read_unlock(&l2cap_sk_list.lock);
4483
4484 return exact ? lm1 : lm2;
4485}
4486
4487static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
4488{
0139418c
MH		 4489 struct l2cap_conn *conn;
4490
1da177e4
LT		 4491 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
4492
4493 if (hcon->type != ACL_LINK)
963cf687 4494 return -EINVAL;
1da177e4
LT		 4495
4496 if (!status) {
1da177e4
LT		 4497 conn = l2cap_conn_add(hcon, status);
4498 if (conn)
4499 l2cap_conn_ready(conn);
0139418c 4500 } else
1da177e4
LT		 4501 l2cap_conn_del(hcon, bt_err(status));
4502
4503 return 0;
4504}
4505
2950f21a
MH		 4506static int l2cap_disconn_ind(struct hci_conn *hcon)
4507{
4508 struct l2cap_conn *conn = hcon->l2cap_data;
4509
4510 BT_DBG("hcon %p", hcon);
4511
4512 if (hcon->type != ACL_LINK || !conn)
4513 return 0x13;
4514
4515 return conn->disc_reason;
4516}
4517
4518static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 4519{
4520 BT_DBG("hcon %p reason %d", hcon, reason);
4521
4522 if (hcon->type != ACL_LINK)
963cf687 4523 return -EINVAL;
1da177e4
LT		 4524
4525 l2cap_conn_del(hcon, bt_err(reason));
0139418c 4526
1da177e4
LT		 4527 return 0;
4528}
4529
f62e4323
MH		 4530static inline void l2cap_check_encryption(struct sock *sk, u8 encrypt)
4531{
bd3c9e25 4532 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM)
255c7601
MH		 4533 return;
4534
f62e4323
MH		 4535 if (encrypt == 0x00) {
4536 if (l2cap_pi(sk)->sec_level == BT_SECURITY_MEDIUM) {
4537 l2cap_sock_clear_timer(sk);
4538 l2cap_sock_set_timer(sk, HZ * 5);
4539 } else if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
4540 __l2cap_sock_close(sk, ECONNREFUSED);
4541 } else {
4542 if (l2cap_pi(sk)->sec_level == BT_SECURITY_MEDIUM)
4543 l2cap_sock_clear_timer(sk);
4544 }
4545}
4546
8c1b2355 4547static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4
LT		 4548{
4549 struct l2cap_chan_list *l;
0139418c 4550 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4 4551 struct sock *sk;
1da177e4 4552
0139418c 4553 if (!conn)
1da177e4 4554 return 0;
0139418c 4555
1da177e4
LT		 4556 l = &conn->chan_list;
4557
4558 BT_DBG("conn %p", conn);
4559
4560 read_lock(&l->lock);
4561
4562 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
4563 bh_lock_sock(sk);
4564
6a8d3010
MH		 4565 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_CONNECT_PEND) {
4566 bh_unlock_sock(sk);
4567 continue;
4568 }
4569
f62e4323 4570 if (!status && (sk->sk_state == BT_CONNECTED ||
8c1b2355 4571 sk->sk_state == BT_CONFIG)) {
f62e4323 4572 l2cap_check_encryption(sk, encrypt);
9719f8af
MH		 4573 bh_unlock_sock(sk);
4574 continue;
4575 }
4576
b1235d79
MH		 4577 if (sk->sk_state == BT_CONNECT) {
4578 if (!status) {
4579 struct l2cap_conn_req req;
4580 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
4581 req.psm = l2cap_pi(sk)->psm;
1da177e4 4582
b1235d79 4583 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
e501d055 4584 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
1da177e4 4585
b1235d79
MH		 4586 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
4587 L2CAP_CONN_REQ, sizeof(req), &req);
4588 } else {
4589 l2cap_sock_clear_timer(sk);
4590 l2cap_sock_set_timer(sk, HZ / 10);
4591 }
4592 } else if (sk->sk_state == BT_CONNECT2) {
4593 struct l2cap_conn_rsp rsp;
4594 __u16 result;
1da177e4 4595
b1235d79
MH		 4596 if (!status) {
4597 sk->sk_state = BT_CONFIG;
4598 result = L2CAP_CR_SUCCESS;
4599 } else {
4600 sk->sk_state = BT_DISCONN;
4601 l2cap_sock_set_timer(sk, HZ / 10);
4602 result = L2CAP_CR_SEC_BLOCK;
4603 }
4604
4605 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
4606 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
4607 rsp.result = cpu_to_le16(result);
e7c29cb1 4608 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
b1235d79
MH		 4609 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
4610 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
4611 }
1da177e4
LT		 4612
4613 bh_unlock_sock(sk);
4614 }
4615
4616 read_unlock(&l->lock);
b1235d79 4617
1da177e4
LT		 4618 return 0;
4619}
4620
4621static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
4622{
4623 struct l2cap_conn *conn = hcon->l2cap_data;
4624
4625 if (!conn && !(conn = l2cap_conn_add(hcon, 0)))
4626 goto drop;
4627
4628 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
4629
4630 if (flags & ACL_START) {
4631 struct l2cap_hdr *hdr;
4632 int len;
4633
4634 if (conn->rx_len) {
4635 BT_ERR("Unexpected start frame (len %d)", skb->len);
4636 kfree_skb(conn->rx_skb);
4637 conn->rx_skb = NULL;
4638 conn->rx_len = 0;
4639 l2cap_conn_unreliable(conn, ECOMM);
4640 }
4641
4642 if (skb->len < 2) {
4643 BT_ERR("Frame is too short (len %d)", skb->len);
4644 l2cap_conn_unreliable(conn, ECOMM);
4645 goto drop;
4646 }
4647
4648 hdr = (struct l2cap_hdr *) skb->data;
4649 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
4650
4651 if (len == skb->len) {
4652 /* Complete frame received */
4653 l2cap_recv_frame(conn, skb);
4654 return 0;
4655 }
4656
4657 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
4658
4659 if (skb->len > len) {
4660 BT_ERR("Frame is too long (len %d, expected len %d)",
4661 skb->len, len);
4662 l2cap_conn_unreliable(conn, ECOMM);
4663 goto drop;
4664 }
4665
4666 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 4667 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
4668 if (!conn->rx_skb)
1da177e4
LT		 4669 goto drop;
4670
d626f62b 4671 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4672 skb->len);
1da177e4
LT		 4673 conn->rx_len = len - skb->len;
4674 } else {
4675 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
4676
4677 if (!conn->rx_len) {
4678 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
4679 l2cap_conn_unreliable(conn, ECOMM);
4680 goto drop;
4681 }
4682
4683 if (skb->len > conn->rx_len) {
4684 BT_ERR("Fragment is too long (len %d, expected %d)",
4685 skb->len, conn->rx_len);
4686 kfree_skb(conn->rx_skb);
4687 conn->rx_skb = NULL;
4688 conn->rx_len = 0;
4689 l2cap_conn_unreliable(conn, ECOMM);
4690 goto drop;
4691 }
4692
d626f62b 4693 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4694 skb->len);
1da177e4
LT		 4695 conn->rx_len -= skb->len;
4696
4697 if (!conn->rx_len) {
4698 /* Complete frame received */
4699 l2cap_recv_frame(conn, conn->rx_skb);
4700 conn->rx_skb = NULL;
4701 }
4702 }
4703
4704drop:
4705 kfree_skb(skb);
4706 return 0;
4707}
4708
aef7d97c 4709static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4
LT		 4710{
4711 struct sock *sk;
4712 struct hlist_node *node;
1da177e4
LT		 4713
4714 read_lock_bh(&l2cap_sk_list.lock);
4715
be9d1227
MH		 4716 sk_for_each(sk, node, &l2cap_sk_list.head) {
4717 struct l2cap_pinfo *pi = l2cap_pi(sk);
101545f6 4718
aef7d97c
MH		 4719 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d\n",
4720 batostr(&bt_sk(sk)->src),
4721 batostr(&bt_sk(sk)->dst),
4722 sk->sk_state, __le16_to_cpu(pi->psm),
4723 pi->scid, pi->dcid,
4724 pi->imtu, pi->omtu, pi->sec_level);
be9d1227 4725 }
1da177e4 4726
1da177e4 4727 read_unlock_bh(&l2cap_sk_list.lock);
1da177e4 4728
aef7d97c 4729 return 0;
1da177e4
LT		 4730}
4731
aef7d97c
MH		 4732static int l2cap_debugfs_open(struct inode *inode, struct file *file)
4733{
4734 return single_open(file, l2cap_debugfs_show, inode->i_private);
4735}
4736
4737static const struct file_operations l2cap_debugfs_fops = {
4738 .open = l2cap_debugfs_open,
4739 .read = seq_read,
4740 .llseek = seq_lseek,
4741 .release = single_release,
4742};
4743
4744static struct dentry *l2cap_debugfs;
1da177e4 4745
90ddc4f0 4746static const struct proto_ops l2cap_sock_ops = {
1da177e4
LT		 4747 .family = PF_BLUETOOTH,
4748 .owner = THIS_MODULE,
4749 .release = l2cap_sock_release,
4750 .bind = l2cap_sock_bind,
4751 .connect = l2cap_sock_connect,
4752 .listen = l2cap_sock_listen,
4753 .accept = l2cap_sock_accept,
4754 .getname = l2cap_sock_getname,
4755 .sendmsg = l2cap_sock_sendmsg,
f66dc81f 4756 .recvmsg = l2cap_sock_recvmsg,
1da177e4 4757 .poll = bt_sock_poll,
3241ad82 4758 .ioctl = bt_sock_ioctl,
1da177e4
LT		 4759 .mmap = sock_no_mmap,
4760 .socketpair = sock_no_socketpair,
1da177e4
LT		 4761 .shutdown = l2cap_sock_shutdown,
4762 .setsockopt = l2cap_sock_setsockopt,
4763 .getsockopt = l2cap_sock_getsockopt
4764};
4765
ec1b4cf7 4766static const struct net_proto_family l2cap_sock_family_ops = {
1da177e4
LT		 4767 .family = PF_BLUETOOTH,
4768 .owner = THIS_MODULE,
4769 .create = l2cap_sock_create,
4770};
4771
4772static struct hci_proto l2cap_hci_proto = {
4773 .name = "L2CAP",
4774 .id = HCI_PROTO_L2CAP,
4775 .connect_ind = l2cap_connect_ind,
4776 .connect_cfm = l2cap_connect_cfm,
4777 .disconn_ind = l2cap_disconn_ind,
2950f21a 4778 .disconn_cfm = l2cap_disconn_cfm,
8c1b2355 4779 .security_cfm = l2cap_security_cfm,
1da177e4
LT		 4780 .recv_acldata = l2cap_recv_acldata
4781};
4782
4783static int __init l2cap_init(void)
4784{
4785 int err;
be9d1227 4786
1da177e4
LT		 4787 err = proto_register(&l2cap_proto, 0);
4788 if (err < 0)
4789 return err;
4790
1890d36b
GP		 4791 _busy_wq = create_singlethread_workqueue("l2cap");
4792 if (!_busy_wq)
4793 goto error;
4794
1da177e4
LT		 4795 err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
4796 if (err < 0) {
4797 BT_ERR("L2CAP socket registration failed");
4798 goto error;
4799 }
4800
4801 err = hci_register_proto(&l2cap_hci_proto);
4802 if (err < 0) {
4803 BT_ERR("L2CAP protocol registration failed");
4804 bt_sock_unregister(BTPROTO_L2CAP);
4805 goto error;
4806 }
4807
aef7d97c
MH		 4808 if (bt_debugfs) {
4809 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
4810 bt_debugfs, NULL, &l2cap_debugfs_fops);
4811 if (!l2cap_debugfs)
4812 BT_ERR("Failed to create L2CAP debug file");
4813 }
1da177e4
LT		 4814
4815 BT_INFO("L2CAP ver %s", VERSION);
4816 BT_INFO("L2CAP socket layer initialized");
4817
4818 return 0;
4819
4820error:
4821 proto_unregister(&l2cap_proto);
4822 return err;
4823}
4824
4825static void __exit l2cap_exit(void)
4826{
aef7d97c 4827 debugfs_remove(l2cap_debugfs);
1da177e4 4828
1890d36b
GP		 4829 flush_workqueue(_busy_wq);
4830 destroy_workqueue(_busy_wq);
4831
1da177e4
LT		 4832 if (bt_sock_unregister(BTPROTO_L2CAP) < 0)
4833 BT_ERR("L2CAP socket unregistration failed");
4834
4835 if (hci_unregister_proto(&l2cap_hci_proto) < 0)
4836 BT_ERR("L2CAP protocol unregistration failed");
4837
4838 proto_unregister(&l2cap_proto);
4839}
4840
4841void l2cap_load(void)
4842{
4843 /* Dummy function to trigger automatic L2CAP module loading by
4844 * other modules that use L2CAP sockets but don't use any other
4845 * symbols from it. */
1da177e4
LT		 4846}
4847EXPORT_SYMBOL(l2cap_load);
4848
4849module_init(l2cap_init);
4850module_exit(l2cap_exit);
4851
44dd46de
MH		 4852module_param(enable_ertm, bool, 0644);
4853MODULE_PARM_DESC(enable_ertm, "Enable enhanced retransmission mode");
4854
63fbd24e 4855MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
1da177e4
LT		 4856MODULE_DESCRIPTION("Bluetooth L2CAP ver " VERSION);
4857MODULE_VERSION(VERSION);
4858MODULE_LICENSE("GPL");
4859MODULE_ALIAS("bt-proto-0");
kernel source for telekom puls (alcatel/mediatek)