projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Prefer Basic Mode on receipt of ConfigReq
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4
5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License version 2 as
9 published by the Free Software Foundation;
10
11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19
8e87d142
YH		 20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 22 SOFTWARE IS DISCLAIMED.
23*/
24
25/* Bluetooth L2CAP core and sockets. */
26
1da177e4
LT		 27#include <linux/module.h>
28
29#include <linux/types.h>
4fc268d2 30#include <linux/capability.h>
1da177e4
LT		 31#include <linux/errno.h>
32#include <linux/kernel.h>
1da177e4
LT		 33#include <linux/sched.h>
34#include <linux/slab.h>
35#include <linux/poll.h>
36#include <linux/fcntl.h>
37#include <linux/init.h>
38#include <linux/interrupt.h>
39#include <linux/socket.h>
40#include <linux/skbuff.h>
1da177e4 41#include <linux/list.h>
be9d1227 42#include <linux/device.h>
aef7d97c
MH		 43#include <linux/debugfs.h>
44#include <linux/seq_file.h>
af05b30b 45#include <linux/uaccess.h>
fcc203c3 46#include <linux/crc16.h>
1da177e4
LT		 47#include <net/sock.h>
48
49#include <asm/system.h>
1da177e4
LT		 50#include <asm/unaligned.h>
51
52#include <net/bluetooth/bluetooth.h>
53#include <net/bluetooth/hci_core.h>
54#include <net/bluetooth/l2cap.h>
55
44dd46de
MH		 56#define VERSION "2.14"
57
58static int enable_ertm = 0;
f0709e03 59
47ec1dcd 60static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
e1027a7c 61static u8 l2cap_fixed_chan[8] = { 0x02, };
1da177e4 62
90ddc4f0 63static const struct proto_ops l2cap_sock_ops;
1da177e4 64
1890d36b
GP		 65static struct workqueue_struct *_busy_wq;
66
1da177e4 67static struct bt_sock_list l2cap_sk_list = {
d5fb2962 68 .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
1da177e4
LT		 69};
70
1890d36b
GP		 71static void l2cap_busy_work(struct work_struct *work);
72
1da177e4
LT		 73static void __l2cap_sock_close(struct sock *sk, int reason);
74static void l2cap_sock_close(struct sock *sk);
75static void l2cap_sock_kill(struct sock *sk);
76
77static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
78 u8 code, u8 ident, u16 dlen, void *data);
79
80/* ---- L2CAP timers ---- */
81static void l2cap_sock_timeout(unsigned long arg)
82{
83 struct sock *sk = (struct sock *) arg;
b1235d79 84 int reason;
1da177e4
LT		 85
86 BT_DBG("sock %p state %d", sk, sk->sk_state);
87
88 bh_lock_sock(sk);
b1235d79 89
f62e4323
MH		 90 if (sk->sk_state == BT_CONNECTED || sk->sk_state == BT_CONFIG)
91 reason = ECONNREFUSED;
92 else if (sk->sk_state == BT_CONNECT &&
2af6b9d5 93 l2cap_pi(sk)->sec_level != BT_SECURITY_SDP)
b1235d79
MH		 94 reason = ECONNREFUSED;
95 else
96 reason = ETIMEDOUT;
97
98 __l2cap_sock_close(sk, reason);
99
1da177e4
LT		 100 bh_unlock_sock(sk);
101
102 l2cap_sock_kill(sk);
103 sock_put(sk);
104}
105
106static void l2cap_sock_set_timer(struct sock *sk, long timeout)
107{
108 BT_DBG("sk %p state %d timeout %ld", sk, sk->sk_state, timeout);
109 sk_reset_timer(sk, &sk->sk_timer, jiffies + timeout);
110}
111
112static void l2cap_sock_clear_timer(struct sock *sk)
113{
114 BT_DBG("sock %p state %d", sk, sk->sk_state);
115 sk_stop_timer(sk, &sk->sk_timer);
116}
117
0139418c
MH		 118/* ---- L2CAP channels ---- */
119static struct sock *__l2cap_get_chan_by_dcid(struct l2cap_chan_list *l, u16 cid)
120{
121 struct sock *s;
122 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
123 if (l2cap_pi(s)->dcid == cid)
124 break;
125 }
126 return s;
127}
128
129static struct sock *__l2cap_get_chan_by_scid(struct l2cap_chan_list *l, u16 cid)
130{
131 struct sock *s;
132 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
133 if (l2cap_pi(s)->scid == cid)
134 break;
135 }
136 return s;
137}
138
139/* Find channel with given SCID.
140 * Returns locked socket */
141static inline struct sock *l2cap_get_chan_by_scid(struct l2cap_chan_list *l, u16 cid)
142{
143 struct sock *s;
144 read_lock(&l->lock);
145 s = __l2cap_get_chan_by_scid(l, cid);
af05b30b
GP		 146 if (s)
147 bh_lock_sock(s);
0139418c
MH		 148 read_unlock(&l->lock);
149 return s;
150}
151
152static struct sock *__l2cap_get_chan_by_ident(struct l2cap_chan_list *l, u8 ident)
153{
154 struct sock *s;
155 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
156 if (l2cap_pi(s)->ident == ident)
157 break;
158 }
159 return s;
160}
161
162static inline struct sock *l2cap_get_chan_by_ident(struct l2cap_chan_list *l, u8 ident)
163{
164 struct sock *s;
165 read_lock(&l->lock);
166 s = __l2cap_get_chan_by_ident(l, ident);
af05b30b
GP		 167 if (s)
168 bh_lock_sock(s);
0139418c
MH		 169 read_unlock(&l->lock);
170 return s;
171}
172
173static u16 l2cap_alloc_cid(struct l2cap_chan_list *l)
174{
8db4dc46 175 u16 cid = L2CAP_CID_DYN_START;
0139418c 176
8db4dc46 177 for (; cid < L2CAP_CID_DYN_END; cid++) {
af05b30b 178 if (!__l2cap_get_chan_by_scid(l, cid))
0139418c
MH		 179 return cid;
180 }
181
182 return 0;
183}
184
185static inline void __l2cap_chan_link(struct l2cap_chan_list *l, struct sock *sk)
186{
187 sock_hold(sk);
188
189 if (l->head)
190 l2cap_pi(l->head)->prev_c = sk;
191
192 l2cap_pi(sk)->next_c = l->head;
193 l2cap_pi(sk)->prev_c = NULL;
194 l->head = sk;
195}
196
197static inline void l2cap_chan_unlink(struct l2cap_chan_list *l, struct sock *sk)
198{
199 struct sock *next = l2cap_pi(sk)->next_c, *prev = l2cap_pi(sk)->prev_c;
200
fd1278d7 201 write_lock_bh(&l->lock);
0139418c
MH		 202 if (sk == l->head)
203 l->head = next;
204
205 if (next)
206 l2cap_pi(next)->prev_c = prev;
207 if (prev)
208 l2cap_pi(prev)->next_c = next;
fd1278d7 209 write_unlock_bh(&l->lock);
0139418c
MH		 210
211 __sock_put(sk);
212}
213
214static void __l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent)
215{
216 struct l2cap_chan_list *l = &conn->chan_list;
217
af05b30b
GP		 218 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
219 l2cap_pi(sk)->psm, l2cap_pi(sk)->dcid);
0139418c 220
2950f21a
MH		 221 conn->disc_reason = 0x13;
222
0139418c
MH		 223 l2cap_pi(sk)->conn = conn;
224
bd3c9e25 225 if (sk->sk_type == SOCK_SEQPACKET || sk->sk_type == SOCK_STREAM) {
0139418c
MH		 226 /* Alloc CID for connection-oriented socket */
227 l2cap_pi(sk)->scid = l2cap_alloc_cid(l);
228 } else if (sk->sk_type == SOCK_DGRAM) {
229 /* Connectionless socket */
8db4dc46
GP		 230 l2cap_pi(sk)->scid = L2CAP_CID_CONN_LESS;
231 l2cap_pi(sk)->dcid = L2CAP_CID_CONN_LESS;
0139418c
MH		 232 l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU;
233 } else {
234 /* Raw socket can send/recv signalling messages only */
8db4dc46
GP		 235 l2cap_pi(sk)->scid = L2CAP_CID_SIGNALING;
236 l2cap_pi(sk)->dcid = L2CAP_CID_SIGNALING;
0139418c
MH		 237 l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU;
238 }
239
240 __l2cap_chan_link(l, sk);
241
242 if (parent)
243 bt_accept_enqueue(parent, sk);
244}
245
8e87d142 246/* Delete channel.
0139418c
MH		 247 * Must be called on the locked socket. */
248static void l2cap_chan_del(struct sock *sk, int err)
249{
250 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
251 struct sock *parent = bt_sk(sk)->parent;
252
253 l2cap_sock_clear_timer(sk);
254
255 BT_DBG("sk %p, conn %p, err %d", sk, conn, err);
256
8e87d142 257 if (conn) {
0139418c
MH		 258 /* Unlink from channel list */
259 l2cap_chan_unlink(&conn->chan_list, sk);
260 l2cap_pi(sk)->conn = NULL;
261 hci_conn_put(conn->hcon);
262 }
263
b1235d79 264 sk->sk_state = BT_CLOSED;
0139418c
MH		 265 sock_set_flag(sk, SOCK_ZAPPED);
266
267 if (err)
268 sk->sk_err = err;
269
270 if (parent) {
271 bt_accept_unlink(sk);
272 parent->sk_data_ready(parent, 0);
273 } else
274 sk->sk_state_change(sk);
c13ffa62
GP		 275
276 skb_queue_purge(TX_QUEUE(sk));
277
278 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM) {
279 struct srej_list *l, *tmp;
280
281 del_timer(&l2cap_pi(sk)->retrans_timer);
282 del_timer(&l2cap_pi(sk)->monitor_timer);
283 del_timer(&l2cap_pi(sk)->ack_timer);
284
285 skb_queue_purge(SREJ_QUEUE(sk));
286 skb_queue_purge(BUSY_QUEUE(sk));
287
288 list_for_each_entry_safe(l, tmp, SREJ_LIST(sk), list) {
289 list_del(&l->list);
290 kfree(l);
291 }
292 }
0139418c
MH		 293}
294
79d554a6 295/* Service level security */
2af6b9d5 296static inline int l2cap_check_security(struct sock *sk)
79d554a6
MH		 297{
298 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
0684e5f9
MH		 299 __u8 auth_type;
300
00ae4af9
MH		 301 if (l2cap_pi(sk)->psm == cpu_to_le16(0x0001)) {
302 if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
303 auth_type = HCI_AT_NO_BONDING_MITM;
304 else
af05b30b 305 auth_type = HCI_AT_NO_BONDING;
00ae4af9
MH		 306
307 if (l2cap_pi(sk)->sec_level == BT_SECURITY_LOW)
308 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
309 } else {
310 switch (l2cap_pi(sk)->sec_level) {
311 case BT_SECURITY_HIGH:
312 auth_type = HCI_AT_GENERAL_BONDING_MITM;
313 break;
314 case BT_SECURITY_MEDIUM:
315 auth_type = HCI_AT_GENERAL_BONDING;
316 break;
317 default:
318 auth_type = HCI_AT_NO_BONDING;
319 break;
320 }
0684e5f9 321 }
79d554a6 322
0684e5f9
MH		 323 return hci_conn_security(conn->hcon, l2cap_pi(sk)->sec_level,
324 auth_type);
79d554a6
MH		 325}
326
4e8402a3
MH		 327static inline u8 l2cap_get_ident(struct l2cap_conn *conn)
328{
329 u8 id;
330
331 /* Get next available identificator.
332 * 1 - 128 are used by kernel.
333 * 129 - 199 are reserved.
334 * 200 - 254 are used by utilities like l2ping, etc.
335 */
336
337 spin_lock_bh(&conn->lock);
338
339 if (++conn->tx_ident > 128)
340 conn->tx_ident = 1;
341
342 id = conn->tx_ident;
343
344 spin_unlock_bh(&conn->lock);
345
346 return id;
347}
348
9a9c6a34 349static inline void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
4e8402a3
MH		 350{
351 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
352
353 BT_DBG("code 0x%2.2x", code);
354
355 if (!skb)
9a9c6a34 356 return;
4e8402a3 357
9a9c6a34 358 hci_send_acl(conn->hcon, skb, 0);
4e8402a3
MH		 359}
360
9a9c6a34 361static inline void l2cap_send_sframe(struct l2cap_pinfo *pi, u16 control)
1c2acffb
GP		 362{
363 struct sk_buff *skb;
364 struct l2cap_hdr *lh;
365 struct l2cap_conn *conn = pi->conn;
c13ffa62 366 struct sock *sk = (struct sock *)pi;
fcc203c3
GP		 367 int count, hlen = L2CAP_HDR_SIZE + 2;
368
c13ffa62
GP		 369 if (sk->sk_state != BT_CONNECTED)
370 return;
371
fcc203c3
GP		 372 if (pi->fcs == L2CAP_FCS_CRC16)
373 hlen += 2;
1c2acffb
GP		 374
375 BT_DBG("pi %p, control 0x%2.2x", pi, control);
376
fcc203c3 377 count = min_t(unsigned int, conn->mtu, hlen);
1c2acffb
GP		 378 control |= L2CAP_CTRL_FRAME_TYPE;
379
9e917af1
GP		 380 if (pi->conn_state & L2CAP_CONN_SEND_FBIT) {
381 control |= L2CAP_CTRL_FINAL;
382 pi->conn_state &= ~L2CAP_CONN_SEND_FBIT;
383 }
384
f0946ccf
GP		 385 if (pi->conn_state & L2CAP_CONN_SEND_PBIT) {
386 control |= L2CAP_CTRL_POLL;
387 pi->conn_state &= ~L2CAP_CONN_SEND_PBIT;
388 }
389
1c2acffb
GP		 390 skb = bt_skb_alloc(count, GFP_ATOMIC);
391 if (!skb)
9a9c6a34 392 return;
1c2acffb
GP		 393
394 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fcc203c3 395 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
1c2acffb
GP		 396 lh->cid = cpu_to_le16(pi->dcid);
397 put_unaligned_le16(control, skb_put(skb, 2));
398
fcc203c3
GP		 399 if (pi->fcs == L2CAP_FCS_CRC16) {
400 u16 fcs = crc16(0, (u8 *)lh, count - 2);
401 put_unaligned_le16(fcs, skb_put(skb, 2));
402 }
403
9a9c6a34 404 hci_send_acl(pi->conn->hcon, skb, 0);
1c2acffb
GP		 405}
406
9a9c6a34 407static inline void l2cap_send_rr_or_rnr(struct l2cap_pinfo *pi, u16 control)
7e743090 408{
1890d36b 409 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) {
7e743090 410 control |= L2CAP_SUPER_RCV_NOT_READY;
1890d36b
GP		 411 pi->conn_state |= L2CAP_CONN_RNR_SENT;
412 } else
7e743090
GP		 413 control |= L2CAP_SUPER_RCV_READY;
414
2ab25cdd
GP		 415 control |= pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
416
9a9c6a34 417 l2cap_send_sframe(pi, control);
7e743090
GP		 418}
419
e501d055
AE		 420static inline int __l2cap_no_conn_pending(struct sock *sk)
421{
422 return !(l2cap_pi(sk)->conf_state & L2CAP_CONF_CONNECT_PEND);
423}
424
79d554a6
MH		 425static void l2cap_do_start(struct sock *sk)
426{
427 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
428
429 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 430 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
431 return;
432
e501d055 433 if (l2cap_check_security(sk) && __l2cap_no_conn_pending(sk)) {
b1235d79
MH		 434 struct l2cap_conn_req req;
435 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
436 req.psm = l2cap_pi(sk)->psm;
79d554a6 437
b1235d79 438 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
e501d055 439 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
79d554a6 440
b1235d79 441 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
79d554a6 442 L2CAP_CONN_REQ, sizeof(req), &req);
b1235d79 443 }
79d554a6
MH		 444 } else {
445 struct l2cap_info_req req;
446 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
447
448 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
449 conn->info_ident = l2cap_get_ident(conn);
450
451 mod_timer(&conn->info_timer, jiffies +
452 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
453
454 l2cap_send_cmd(conn, conn->info_ident,
455 L2CAP_INFO_REQ, sizeof(req), &req);
456 }
457}
458
9b108fc0 459static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct sock *sk, int err)
22121fc9
GP		 460{
461 struct l2cap_disconn_req req;
462
c13ffa62
GP		 463 if (!conn)
464 return;
465
466 skb_queue_purge(TX_QUEUE(sk));
467
468 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM) {
469 del_timer(&l2cap_pi(sk)->retrans_timer);
470 del_timer(&l2cap_pi(sk)->monitor_timer);
471 del_timer(&l2cap_pi(sk)->ack_timer);
472 }
473
22121fc9
GP		 474 req.dcid = cpu_to_le16(l2cap_pi(sk)->dcid);
475 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
476 l2cap_send_cmd(conn, l2cap_get_ident(conn),
477 L2CAP_DISCONN_REQ, sizeof(req), &req);
c13ffa62
GP		 478
479 sk->sk_state = BT_DISCONN;
9b108fc0 480 sk->sk_err = err;
22121fc9
GP		 481}
482
1da177e4 483/* ---- L2CAP connections ---- */
4e8402a3
MH		 484static void l2cap_conn_start(struct l2cap_conn *conn)
485{
486 struct l2cap_chan_list *l = &conn->chan_list;
487 struct sock *sk;
488
489 BT_DBG("conn %p", conn);
490
491 read_lock(&l->lock);
492
493 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
494 bh_lock_sock(sk);
495
bd3c9e25
GP		 496 if (sk->sk_type != SOCK_SEQPACKET &&
497 sk->sk_type != SOCK_STREAM) {
79d554a6
MH		 498 bh_unlock_sock(sk);
499 continue;
500 }
501
502 if (sk->sk_state == BT_CONNECT) {
e501d055
AE		 503 if (l2cap_check_security(sk) &&
504 __l2cap_no_conn_pending(sk)) {
b1235d79
MH		 505 struct l2cap_conn_req req;
506 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
507 req.psm = l2cap_pi(sk)->psm;
79d554a6 508
b1235d79 509 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
e501d055 510 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
79d554a6 511
b1235d79 512 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
4e8402a3 513 L2CAP_CONN_REQ, sizeof(req), &req);
b1235d79 514 }
79d554a6
MH		 515 } else if (sk->sk_state == BT_CONNECT2) {
516 struct l2cap_conn_rsp rsp;
517 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
518 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
519
2af6b9d5 520 if (l2cap_check_security(sk)) {
f66dc81f
MH		 521 if (bt_sk(sk)->defer_setup) {
522 struct sock *parent = bt_sk(sk)->parent;
523 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
524 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
525 parent->sk_data_ready(parent, 0);
526
527 } else {
528 sk->sk_state = BT_CONFIG;
529 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
530 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
531 }
79d554a6
MH		 532 } else {
533 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
534 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
535 }
536
537 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
538 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
4e8402a3
MH		 539 }
540
541 bh_unlock_sock(sk);
542 }
543
544 read_unlock(&l->lock);
545}
546
547static void l2cap_conn_ready(struct l2cap_conn *conn)
548{
79d554a6
MH		 549 struct l2cap_chan_list *l = &conn->chan_list;
550 struct sock *sk;
4e8402a3 551
79d554a6 552 BT_DBG("conn %p", conn);
4e8402a3 553
79d554a6 554 read_lock(&l->lock);
4e8402a3 555
79d554a6
MH		 556 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
557 bh_lock_sock(sk);
4e8402a3 558
bd3c9e25
GP		 559 if (sk->sk_type != SOCK_SEQPACKET &&
560 sk->sk_type != SOCK_STREAM) {
79d554a6
MH		 561 l2cap_sock_clear_timer(sk);
562 sk->sk_state = BT_CONNECTED;
563 sk->sk_state_change(sk);
564 } else if (sk->sk_state == BT_CONNECT)
565 l2cap_do_start(sk);
4e8402a3 566
79d554a6 567 bh_unlock_sock(sk);
4e8402a3 568 }
79d554a6
MH		 569
570 read_unlock(&l->lock);
4e8402a3
MH		 571}
572
573/* Notify sockets that we cannot guaranty reliability anymore */
574static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
575{
576 struct l2cap_chan_list *l = &conn->chan_list;
577 struct sock *sk;
578
579 BT_DBG("conn %p", conn);
580
581 read_lock(&l->lock);
582
583 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
2af6b9d5 584 if (l2cap_pi(sk)->force_reliable)
4e8402a3
MH		 585 sk->sk_err = err;
586 }
587
588 read_unlock(&l->lock);
589}
590
591static void l2cap_info_timeout(unsigned long arg)
592{
593 struct l2cap_conn *conn = (void *) arg;
594
984947dc 595 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 596 conn->info_ident = 0;
984947dc 597
4e8402a3
MH		 598 l2cap_conn_start(conn);
599}
600
1da177e4
LT		 601static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
602{
0139418c 603 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4 604
0139418c 605 if (conn || status)
1da177e4
LT		 606 return conn;
607
0139418c
MH		 608 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
609 if (!conn)
1da177e4 610 return NULL;
1da177e4
LT		 611
612 hcon->l2cap_data = conn;
613 conn->hcon = hcon;
614
0139418c
MH		 615 BT_DBG("hcon %p conn %p", hcon, conn);
616
1da177e4
LT		 617 conn->mtu = hcon->hdev->acl_mtu;
618 conn->src = &hcon->hdev->bdaddr;
619 conn->dst = &hcon->dst;
620
4e8402a3
MH		 621 conn->feat_mask = 0;
622
1da177e4
LT		 623 spin_lock_init(&conn->lock);
624 rwlock_init(&conn->chan_list.lock);
625
45054dc1
DY		 626 setup_timer(&conn->info_timer, l2cap_info_timeout,
627 (unsigned long) conn);
628
2950f21a
MH		 629 conn->disc_reason = 0x13;
630
1da177e4
LT		 631 return conn;
632}
633
0139418c 634static void l2cap_conn_del(struct hci_conn *hcon, int err)
1da177e4 635{
0139418c 636 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4
LT		 637 struct sock *sk;
638
0139418c
MH		 639 if (!conn)
640 return;
1da177e4
LT		 641
642 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
643
7585b97a 644 kfree_skb(conn->rx_skb);
1da177e4
LT		 645
646 /* Kill channels */
647 while ((sk = conn->chan_list.head)) {
648 bh_lock_sock(sk);
649 l2cap_chan_del(sk, err);
650 bh_unlock_sock(sk);
651 l2cap_sock_kill(sk);
652 }
653
8e8440f5
DY		 654 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
655 del_timer_sync(&conn->info_timer);
3ab22731 656
1da177e4
LT		 657 hcon->l2cap_data = NULL;
658 kfree(conn);
1da177e4
LT		 659}
660
661static inline void l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent)
662{
663 struct l2cap_chan_list *l = &conn->chan_list;
fd1278d7 664 write_lock_bh(&l->lock);
1da177e4 665 __l2cap_chan_add(conn, sk, parent);
fd1278d7 666 write_unlock_bh(&l->lock);
1da177e4
LT		 667}
668
1da177e4 669/* ---- Socket interface ---- */
8e036fc3 670static struct sock *__l2cap_get_sock_by_addr(__le16 psm, bdaddr_t *src)
1da177e4
LT		 671{
672 struct sock *sk;
673 struct hlist_node *node;
674 sk_for_each(sk, node, &l2cap_sk_list.head)
675 if (l2cap_pi(sk)->sport == psm && !bacmp(&bt_sk(sk)->src, src))
676 goto found;
677 sk = NULL;
678found:
679 return sk;
680}
681
682/* Find socket with psm and source bdaddr.
683 * Returns closest match.
684 */
8e036fc3 685static struct sock *__l2cap_get_sock_by_psm(int state, __le16 psm, bdaddr_t *src)
1da177e4
LT		 686{
687 struct sock *sk = NULL, *sk1 = NULL;
688 struct hlist_node *node;
689
690 sk_for_each(sk, node, &l2cap_sk_list.head) {
691 if (state && sk->sk_state != state)
692 continue;
693
694 if (l2cap_pi(sk)->psm == psm) {
695 /* Exact match. */
696 if (!bacmp(&bt_sk(sk)->src, src))
697 break;
698
699 /* Closest match */
700 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
701 sk1 = sk;
702 }
703 }
704 return node ? sk : sk1;
705}
706
707/* Find socket with given address (psm, src).
708 * Returns locked socket */
8e036fc3 709static inline struct sock *l2cap_get_sock_by_psm(int state, __le16 psm, bdaddr_t *src)
1da177e4
LT		 710{
711 struct sock *s;
712 read_lock(&l2cap_sk_list.lock);
713 s = __l2cap_get_sock_by_psm(state, psm, src);
af05b30b
GP		 714 if (s)
715 bh_lock_sock(s);
1da177e4
LT		 716 read_unlock(&l2cap_sk_list.lock);
717 return s;
718}
719
720static void l2cap_sock_destruct(struct sock *sk)
721{
722 BT_DBG("sk %p", sk);
723
724 skb_queue_purge(&sk->sk_receive_queue);
725 skb_queue_purge(&sk->sk_write_queue);
726}
727
728static void l2cap_sock_cleanup_listen(struct sock *parent)
729{
730 struct sock *sk;
731
732 BT_DBG("parent %p", parent);
733
734 /* Close not yet accepted channels */
735 while ((sk = bt_accept_dequeue(parent, NULL)))
736 l2cap_sock_close(sk);
737
b1235d79 738 parent->sk_state = BT_CLOSED;
1da177e4
LT		 739 sock_set_flag(parent, SOCK_ZAPPED);
740}
741
742/* Kill socket (only if zapped and orphan)
743 * Must be called on unlocked socket.
744 */
745static void l2cap_sock_kill(struct sock *sk)
746{
747 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
748 return;
749
750 BT_DBG("sk %p state %d", sk, sk->sk_state);
751
752 /* Kill poor orphan */
753 bt_sock_unlink(&l2cap_sk_list, sk);
754 sock_set_flag(sk, SOCK_DEAD);
755 sock_put(sk);
756}
757
758static void __l2cap_sock_close(struct sock *sk, int reason)
759{
760 BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
761
762 switch (sk->sk_state) {
763 case BT_LISTEN:
764 l2cap_sock_cleanup_listen(sk);
765 break;
766
767 case BT_CONNECTED:
768 case BT_CONFIG:
bd3c9e25
GP		 769 if (sk->sk_type == SOCK_SEQPACKET ||
770 sk->sk_type == SOCK_STREAM) {
1da177e4 771 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1da177e4 772
1da177e4 773 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
9b108fc0 774 l2cap_send_disconn_req(conn, sk, reason);
b1235d79 775 } else
1da177e4 776 l2cap_chan_del(sk, reason);
1da177e4
LT		 777 break;
778
f66dc81f 779 case BT_CONNECT2:
bd3c9e25
GP		 780 if (sk->sk_type == SOCK_SEQPACKET ||
781 sk->sk_type == SOCK_STREAM) {
f66dc81f
MH		 782 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
783 struct l2cap_conn_rsp rsp;
784 __u16 result;
785
786 if (bt_sk(sk)->defer_setup)
787 result = L2CAP_CR_SEC_BLOCK;
788 else
789 result = L2CAP_CR_BAD_PSM;
790
791 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
792 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
793 rsp.result = cpu_to_le16(result);
794 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
795 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
796 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
797 } else
798 l2cap_chan_del(sk, reason);
799 break;
800
1da177e4
LT		 801 case BT_CONNECT:
802 case BT_DISCONN:
803 l2cap_chan_del(sk, reason);
804 break;
805
806 default:
807 sock_set_flag(sk, SOCK_ZAPPED);
808 break;
809 }
810}
811
812/* Must be called on unlocked socket. */
813static void l2cap_sock_close(struct sock *sk)
814{
815 l2cap_sock_clear_timer(sk);
816 lock_sock(sk);
817 __l2cap_sock_close(sk, ECONNRESET);
818 release_sock(sk);
819 l2cap_sock_kill(sk);
820}
821
822static void l2cap_sock_init(struct sock *sk, struct sock *parent)
823{
824 struct l2cap_pinfo *pi = l2cap_pi(sk);
825
826 BT_DBG("sk %p", sk);
827
828 if (parent) {
829 sk->sk_type = parent->sk_type;
f66dc81f
MH		 830 bt_sk(sk)->defer_setup = bt_sk(parent)->defer_setup;
831
1da177e4
LT		 832 pi->imtu = l2cap_pi(parent)->imtu;
833 pi->omtu = l2cap_pi(parent)->omtu;
85eb53c6 834 pi->conf_state = l2cap_pi(parent)->conf_state;
c6b03cf9
MH		 835 pi->mode = l2cap_pi(parent)->mode;
836 pi->fcs = l2cap_pi(parent)->fcs;
68d7f0ce 837 pi->max_tx = l2cap_pi(parent)->max_tx;
14b5aa71 838 pi->tx_win = l2cap_pi(parent)->tx_win;
2af6b9d5
MH		 839 pi->sec_level = l2cap_pi(parent)->sec_level;
840 pi->role_switch = l2cap_pi(parent)->role_switch;
841 pi->force_reliable = l2cap_pi(parent)->force_reliable;
1da177e4
LT		 842 } else {
843 pi->imtu = L2CAP_DEFAULT_MTU;
844 pi->omtu = 0;
85eb53c6 845 if (enable_ertm && sk->sk_type == SOCK_STREAM) {
bd3c9e25 846 pi->mode = L2CAP_MODE_ERTM;
85eb53c6
GP		 847 pi->conf_state |= L2CAP_CONF_STATE2_DEVICE;
848 } else {
bd3c9e25 849 pi->mode = L2CAP_MODE_BASIC;
85eb53c6 850 }
fd059b9b 851 pi->max_tx = L2CAP_DEFAULT_MAX_TX;
c6b03cf9 852 pi->fcs = L2CAP_FCS_CRC16;
fd059b9b 853 pi->tx_win = L2CAP_DEFAULT_TX_WINDOW;
2af6b9d5
MH		 854 pi->sec_level = BT_SECURITY_LOW;
855 pi->role_switch = 0;
856 pi->force_reliable = 0;
1da177e4
LT		 857 }
858
859 /* Default config options */
5dee9e7c 860 pi->conf_len = 0;
1da177e4 861 pi->flush_to = L2CAP_DEFAULT_FLUSH_TO;
45054dc1
DY		 862 skb_queue_head_init(TX_QUEUE(sk));
863 skb_queue_head_init(SREJ_QUEUE(sk));
1890d36b 864 skb_queue_head_init(BUSY_QUEUE(sk));
45054dc1 865 INIT_LIST_HEAD(SREJ_LIST(sk));
1da177e4
LT		 866}
867
868static struct proto l2cap_proto = {
869 .name = "L2CAP",
870 .owner = THIS_MODULE,
871 .obj_size = sizeof(struct l2cap_pinfo)
872};
873
1b8d7ae4 874static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio)
1da177e4
LT		 875{
876 struct sock *sk;
877
6257ff21 878 sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto);
1da177e4
LT		 879 if (!sk)
880 return NULL;
881
882 sock_init_data(sock, sk);
883 INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
884
885 sk->sk_destruct = l2cap_sock_destruct;
4e8402a3 886 sk->sk_sndtimeo = msecs_to_jiffies(L2CAP_CONN_TIMEOUT);
1da177e4
LT		 887
888 sock_reset_flag(sk, SOCK_ZAPPED);
889
890 sk->sk_protocol = proto;
b1235d79 891 sk->sk_state = BT_OPEN;
1da177e4 892
b1235d79 893 setup_timer(&sk->sk_timer, l2cap_sock_timeout, (unsigned long) sk);
1da177e4
LT		 894
895 bt_sock_link(&l2cap_sk_list, sk);
896 return sk;
897}
898
3f378b68
EP		 899static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
900 int kern)
1da177e4
LT		 901{
902 struct sock *sk;
903
904 BT_DBG("sock %p", sock);
905
906 sock->state = SS_UNCONNECTED;
907
bd3c9e25 908 if (sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM &&
1da177e4
LT		 909 sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
910 return -ESOCKTNOSUPPORT;
911
c84b3268 912 if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
1da177e4
LT		 913 return -EPERM;
914
915 sock->ops = &l2cap_sock_ops;
916
1b8d7ae4 917 sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC);
1da177e4
LT		 918 if (!sk)
919 return -ENOMEM;
920
921 l2cap_sock_init(sk, NULL);
922 return 0;
923}
924
f29972de 925static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
1da177e4 926{
1da177e4 927 struct sock *sk = sock->sk;
f29972de
MH		 928 struct sockaddr_l2 la;
929 int len, err = 0;
1da177e4 930
f29972de 931 BT_DBG("sk %p", sk);
1da177e4
LT		 932
933 if (!addr || addr->sa_family != AF_BLUETOOTH)
934 return -EINVAL;
935
f29972de
MH		 936 memset(&la, 0, sizeof(la));
937 len = min_t(unsigned int, sizeof(la), alen);
938 memcpy(&la, addr, len);
939
2a517ca6
MH		 940 if (la.l2_cid)
941 return -EINVAL;
942
1da177e4
LT		 943 lock_sock(sk);
944
945 if (sk->sk_state != BT_OPEN) {
946 err = -EBADFD;
947 goto done;
948 }
949
b4324b5d 950 if (la.l2_psm && __le16_to_cpu(la.l2_psm) < 0x1001 &&
847641d7
MH		 951 !capable(CAP_NET_BIND_SERVICE)) {
952 err = -EACCES;
953 goto done;
954 }
8e87d142 955
1da177e4
LT		 956 write_lock_bh(&l2cap_sk_list.lock);
957
f29972de 958 if (la.l2_psm && __l2cap_get_sock_by_addr(la.l2_psm, &la.l2_bdaddr)) {
1da177e4
LT		 959 err = -EADDRINUSE;
960 } else {
961 /* Save source address */
f29972de
MH		 962 bacpy(&bt_sk(sk)->src, &la.l2_bdaddr);
963 l2cap_pi(sk)->psm = la.l2_psm;
964 l2cap_pi(sk)->sport = la.l2_psm;
1da177e4 965 sk->sk_state = BT_BOUND;
2af6b9d5 966
b4324b5d
MH		 967 if (__le16_to_cpu(la.l2_psm) == 0x0001 ||
968 __le16_to_cpu(la.l2_psm) == 0x0003)
2af6b9d5 969 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
1da177e4
LT		 970 }
971
972 write_unlock_bh(&l2cap_sk_list.lock);
973
974done:
975 release_sock(sk);
976 return err;
977}
978
979static int l2cap_do_connect(struct sock *sk)
980{
981 bdaddr_t *src = &bt_sk(sk)->src;
982 bdaddr_t *dst = &bt_sk(sk)->dst;
983 struct l2cap_conn *conn;
984 struct hci_conn *hcon;
985 struct hci_dev *hdev;
09ab6f4c 986 __u8 auth_type;
44d0e48e 987 int err;
1da177e4 988
f29972de
MH		 989 BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
990 l2cap_pi(sk)->psm);
1da177e4 991
af05b30b
GP		 992 hdev = hci_get_route(dst, src);
993 if (!hdev)
1da177e4
LT		 994 return -EHOSTUNREACH;
995
996 hci_dev_lock_bh(hdev);
997
998 err = -ENOMEM;
999
8c1b2355 1000 if (sk->sk_type == SOCK_RAW) {
2af6b9d5
MH		 1001 switch (l2cap_pi(sk)->sec_level) {
1002 case BT_SECURITY_HIGH:
8c1b2355 1003 auth_type = HCI_AT_DEDICATED_BONDING_MITM;
2af6b9d5
MH		 1004 break;
1005 case BT_SECURITY_MEDIUM:
8c1b2355 1006 auth_type = HCI_AT_DEDICATED_BONDING;
2af6b9d5
MH		 1007 break;
1008 default:
09ab6f4c 1009 auth_type = HCI_AT_NO_BONDING;
2af6b9d5
MH		 1010 break;
1011 }
8c1b2355 1012 } else if (l2cap_pi(sk)->psm == cpu_to_le16(0x0001)) {
2af6b9d5 1013 if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
8c1b2355 1014 auth_type = HCI_AT_NO_BONDING_MITM;
09ab6f4c 1015 else
8c1b2355 1016 auth_type = HCI_AT_NO_BONDING;
435fef20
MH		 1017
1018 if (l2cap_pi(sk)->sec_level == BT_SECURITY_LOW)
1019 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
8c1b2355 1020 } else {
2af6b9d5
MH		 1021 switch (l2cap_pi(sk)->sec_level) {
1022 case BT_SECURITY_HIGH:
8c1b2355 1023 auth_type = HCI_AT_GENERAL_BONDING_MITM;
2af6b9d5
MH		 1024 break;
1025 case BT_SECURITY_MEDIUM:
09ab6f4c 1026 auth_type = HCI_AT_GENERAL_BONDING;
2af6b9d5
MH		 1027 break;
1028 default:
8c1b2355 1029 auth_type = HCI_AT_NO_BONDING;
2af6b9d5
MH		 1030 break;
1031 }
09ab6f4c
MH		 1032 }
1033
2af6b9d5
MH		 1034 hcon = hci_connect(hdev, ACL_LINK, dst,
1035 l2cap_pi(sk)->sec_level, auth_type);
1da177e4
LT		 1036 if (!hcon)
1037 goto done;
1038
1039 conn = l2cap_conn_add(hcon, 0);
1040 if (!conn) {
1041 hci_conn_put(hcon);
1042 goto done;
1043 }
1044
1045 err = 0;
1046
1047 /* Update source addr of the socket */
1048 bacpy(src, conn->src);
1049
1050 l2cap_chan_add(conn, sk, NULL);
1051
1052 sk->sk_state = BT_CONNECT;
1053 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
1054
1055 if (hcon->state == BT_CONNECTED) {
bd3c9e25
GP		 1056 if (sk->sk_type != SOCK_SEQPACKET &&
1057 sk->sk_type != SOCK_STREAM) {
1da177e4
LT		 1058 l2cap_sock_clear_timer(sk);
1059 sk->sk_state = BT_CONNECTED;
79d554a6
MH		 1060 } else
1061 l2cap_do_start(sk);
1da177e4
LT		 1062 }
1063
1064done:
1065 hci_dev_unlock_bh(hdev);
1066 hci_dev_put(hdev);
1067 return err;
1068}
1069
1070static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags)
1071{
1da177e4 1072 struct sock *sk = sock->sk;
f29972de
MH		 1073 struct sockaddr_l2 la;
1074 int len, err = 0;
1da177e4 1075
1da177e4
LT		 1076 BT_DBG("sk %p", sk);
1077
6503d961
CG		 1078 if (!addr || alen < sizeof(addr->sa_family) ||
1079 addr->sa_family != AF_BLUETOOTH)
2a517ca6 1080 return -EINVAL;
1da177e4 1081
f29972de
MH		 1082 memset(&la, 0, sizeof(la));
1083 len = min_t(unsigned int, sizeof(la), alen);
1084 memcpy(&la, addr, len);
1085
2a517ca6
MH		 1086 if (la.l2_cid)
1087 return -EINVAL;
1088
1089 lock_sock(sk);
1090
bd3c9e25
GP		 1091 if ((sk->sk_type == SOCK_SEQPACKET || sk->sk_type == SOCK_STREAM)
1092 && !la.l2_psm) {
1da177e4
LT		 1093 err = -EINVAL;
1094 goto done;
1095 }
1096
c6b03cf9
MH		 1097 switch (l2cap_pi(sk)->mode) {
1098 case L2CAP_MODE_BASIC:
1099 break;
1100 case L2CAP_MODE_ERTM:
f2fcfcd6 1101 case L2CAP_MODE_STREAMING:
c6b03cf9
MH		 1102 if (enable_ertm)
1103 break;
1104 /* fall through */
1105 default:
1106 err = -ENOTSUPP;
1107 goto done;
1108 }
1109
af05b30b 1110 switch (sk->sk_state) {
1da177e4
LT		 1111 case BT_CONNECT:
1112 case BT_CONNECT2:
1113 case BT_CONFIG:
1114 /* Already connecting */
1115 goto wait;
1116
1117 case BT_CONNECTED:
1118 /* Already connected */
1119 goto done;
1120
1121 case BT_OPEN:
1122 case BT_BOUND:
1123 /* Can connect */
1124 break;
1125
1126 default:
1127 err = -EBADFD;
1128 goto done;
1129 }
1130
1131 /* Set destination address and psm */
f29972de
MH		 1132 bacpy(&bt_sk(sk)->dst, &la.l2_bdaddr);
1133 l2cap_pi(sk)->psm = la.l2_psm;
1da177e4 1134
af05b30b
GP		 1135 err = l2cap_do_connect(sk);
1136 if (err)
1da177e4
LT		 1137 goto done;
1138
1139wait:
1140 err = bt_sock_wait_state(sk, BT_CONNECTED,
1141 sock_sndtimeo(sk, flags & O_NONBLOCK));
1142done:
1143 release_sock(sk);
1144 return err;
1145}
1146
1147static int l2cap_sock_listen(struct socket *sock, int backlog)
1148{
1149 struct sock *sk = sock->sk;
1150 int err = 0;
1151
1152 BT_DBG("sk %p backlog %d", sk, backlog);
1153
1154 lock_sock(sk);
1155
bd3c9e25
GP		 1156 if ((sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM)
1157 || sk->sk_state != BT_BOUND) {
1da177e4
LT		 1158 err = -EBADFD;
1159 goto done;
1160 }
1161
c6b03cf9
MH		 1162 switch (l2cap_pi(sk)->mode) {
1163 case L2CAP_MODE_BASIC:
1164 break;
1165 case L2CAP_MODE_ERTM:
f2fcfcd6 1166 case L2CAP_MODE_STREAMING:
c6b03cf9
MH		 1167 if (enable_ertm)
1168 break;
1169 /* fall through */
1170 default:
1171 err = -ENOTSUPP;
1172 goto done;
1173 }
1174
1da177e4
LT		 1175 if (!l2cap_pi(sk)->psm) {
1176 bdaddr_t *src = &bt_sk(sk)->src;
1177 u16 psm;
1178
1179 err = -EINVAL;
1180
1181 write_lock_bh(&l2cap_sk_list.lock);
1182
1183 for (psm = 0x1001; psm < 0x1100; psm += 2)
b4324b5d
MH		 1184 if (!__l2cap_get_sock_by_addr(cpu_to_le16(psm), src)) {
1185 l2cap_pi(sk)->psm = cpu_to_le16(psm);
1186 l2cap_pi(sk)->sport = cpu_to_le16(psm);
1da177e4
LT		 1187 err = 0;
1188 break;
1189 }
1190
1191 write_unlock_bh(&l2cap_sk_list.lock);
1192
1193 if (err < 0)
1194 goto done;
1195 }
1196
1197 sk->sk_max_ack_backlog = backlog;
1198 sk->sk_ack_backlog = 0;
1199 sk->sk_state = BT_LISTEN;
1200
1201done:
1202 release_sock(sk);
1203 return err;
1204}
1205
1206static int l2cap_sock_accept(struct socket *sock, struct socket *newsock, int flags)
1207{
1208 DECLARE_WAITQUEUE(wait, current);
1209 struct sock *sk = sock->sk, *nsk;
1210 long timeo;
1211 int err = 0;
1212
fcc70d5f 1213 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
1da177e4
LT		 1214
1215 if (sk->sk_state != BT_LISTEN) {
1216 err = -EBADFD;
1217 goto done;
1218 }
1219
1220 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
1221
1222 BT_DBG("sk %p timeo %ld", sk, timeo);
1223
1224 /* Wait for an incoming connection. (wake-one). */
aa395145 1225 add_wait_queue_exclusive(sk_sleep(sk), &wait);
1da177e4
LT		 1226 while (!(nsk = bt_accept_dequeue(sk, newsock))) {
1227 set_current_state(TASK_INTERRUPTIBLE);
1228 if (!timeo) {
1229 err = -EAGAIN;
1230 break;
1231 }
1232
1233 release_sock(sk);
1234 timeo = schedule_timeout(timeo);
fcc70d5f 1235 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
1da177e4
LT		 1236
1237 if (sk->sk_state != BT_LISTEN) {
1238 err = -EBADFD;
1239 break;
1240 }
1241
1242 if (signal_pending(current)) {
1243 err = sock_intr_errno(timeo);
1244 break;
1245 }
1246 }
1247 set_current_state(TASK_RUNNING);
aa395145 1248 remove_wait_queue(sk_sleep(sk), &wait);
1da177e4
LT		 1249
1250 if (err)
1251 goto done;
1252
1253 newsock->state = SS_CONNECTED;
1254
1255 BT_DBG("new socket %p", nsk);
1256
1257done:
1258 release_sock(sk);
1259 return err;
1260}
1261
1262static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr, int *len, int peer)
1263{
1264 struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
1265 struct sock *sk = sock->sk;
1266
1267 BT_DBG("sock %p, sk %p", sock, sk);
1268
1269 addr->sa_family = AF_BLUETOOTH;
1270 *len = sizeof(struct sockaddr_l2);
1271
f29972de
MH		 1272 if (peer) {
1273 la->l2_psm = l2cap_pi(sk)->psm;
1da177e4 1274 bacpy(&la->l2_bdaddr, &bt_sk(sk)->dst);
b4324b5d 1275 la->l2_cid = cpu_to_le16(l2cap_pi(sk)->dcid);
f29972de
MH		 1276 } else {
1277 la->l2_psm = l2cap_pi(sk)->sport;
1da177e4 1278 bacpy(&la->l2_bdaddr, &bt_sk(sk)->src);
b4324b5d 1279 la->l2_cid = cpu_to_le16(l2cap_pi(sk)->scid);
f29972de 1280 }
1da177e4 1281
1da177e4
LT		 1282 return 0;
1283}
1284
6161c038
GP		 1285static int __l2cap_wait_ack(struct sock *sk)
1286{
1287 DECLARE_WAITQUEUE(wait, current);
1288 int err = 0;
1289 int timeo = HZ/5;
1290
2b0b05dd 1291 add_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1292 while ((l2cap_pi(sk)->unacked_frames > 0 && l2cap_pi(sk)->conn)) {
1293 set_current_state(TASK_INTERRUPTIBLE);
1294
1295 if (!timeo)
1296 timeo = HZ/5;
1297
1298 if (signal_pending(current)) {
1299 err = sock_intr_errno(timeo);
1300 break;
1301 }
1302
1303 release_sock(sk);
1304 timeo = schedule_timeout(timeo);
1305 lock_sock(sk);
1306
1307 err = sock_error(sk);
1308 if (err)
1309 break;
1310 }
1311 set_current_state(TASK_RUNNING);
2b0b05dd 1312 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1313 return err;
1314}
1315
e90bac06
GP		 1316static void l2cap_monitor_timeout(unsigned long arg)
1317{
1318 struct sock *sk = (void *) arg;
e90bac06 1319
0e98958d
GP		 1320 BT_DBG("sk %p", sk);
1321
e686219a 1322 bh_lock_sock(sk);
e90bac06 1323 if (l2cap_pi(sk)->retry_count >= l2cap_pi(sk)->remote_max_tx) {
9b108fc0 1324 l2cap_send_disconn_req(l2cap_pi(sk)->conn, sk, ECONNABORTED);
b13f5860 1325 bh_unlock_sock(sk);
e90bac06
GP		 1326 return;
1327 }
1328
1329 l2cap_pi(sk)->retry_count++;
1330 __mod_monitor_timer();
1331
a2e12a2a 1332 l2cap_send_rr_or_rnr(l2cap_pi(sk), L2CAP_CTRL_POLL);
e686219a 1333 bh_unlock_sock(sk);
e90bac06
GP		 1334}
1335
1336static void l2cap_retrans_timeout(unsigned long arg)
1337{
1338 struct sock *sk = (void *) arg;
e90bac06 1339
0e98958d
GP		 1340 BT_DBG("sk %p", sk);
1341
e686219a 1342 bh_lock_sock(sk);
e90bac06
GP		 1343 l2cap_pi(sk)->retry_count = 1;
1344 __mod_monitor_timer();
1345
1346 l2cap_pi(sk)->conn_state |= L2CAP_CONN_WAIT_F;
1347
a2e12a2a 1348 l2cap_send_rr_or_rnr(l2cap_pi(sk), L2CAP_CTRL_POLL);
e686219a 1349 bh_unlock_sock(sk);
e90bac06
GP		 1350}
1351
1c2acffb 1352static void l2cap_drop_acked_frames(struct sock *sk)
1da177e4 1353{
1c2acffb 1354 struct sk_buff *skb;
1da177e4 1355
812e737e
GP		 1356 while ((skb = skb_peek(TX_QUEUE(sk))) &&
1357 l2cap_pi(sk)->unacked_frames) {
1c2acffb
GP		 1358 if (bt_cb(skb)->tx_seq == l2cap_pi(sk)->expected_ack_seq)
1359 break;
1da177e4 1360
1c2acffb
GP		 1361 skb = skb_dequeue(TX_QUEUE(sk));
1362 kfree_skb(skb);
1da177e4 1363
1c2acffb
GP		 1364 l2cap_pi(sk)->unacked_frames--;
1365 }
1da177e4 1366
e90bac06
GP		 1367 if (!l2cap_pi(sk)->unacked_frames)
1368 del_timer(&l2cap_pi(sk)->retrans_timer);
1c2acffb 1369}
1da177e4 1370
9a9c6a34 1371static inline void l2cap_do_send(struct sock *sk, struct sk_buff *skb)
1c2acffb
GP		 1372{
1373 struct l2cap_pinfo *pi = l2cap_pi(sk);
1c2acffb
GP		 1374
1375 BT_DBG("sk %p, skb %p len %d", sk, skb, skb->len);
1da177e4 1376
9a9c6a34 1377 hci_send_acl(pi->conn->hcon, skb, 0);
1c2acffb
GP		 1378}
1379
6840ed07
GP		 1380static int l2cap_streaming_send(struct sock *sk)
1381{
1382 struct sk_buff *skb, *tx_skb;
1383 struct l2cap_pinfo *pi = l2cap_pi(sk);
fcc203c3 1384 u16 control, fcs;
6840ed07
GP		 1385
1386 while ((skb = sk->sk_send_head)) {
1387 tx_skb = skb_clone(skb, GFP_ATOMIC);
1388
1389 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
1390 control |= pi->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT;
1391 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1392
e8235c6b 1393 if (pi->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 1394 fcs = crc16(0, (u8 *)tx_skb->data, tx_skb->len - 2);
1395 put_unaligned_le16(fcs, tx_skb->data + tx_skb->len - 2);
1396 }
1397
9a9c6a34 1398 l2cap_do_send(sk, tx_skb);
6840ed07
GP		 1399
1400 pi->next_tx_seq = (pi->next_tx_seq + 1) % 64;
1401
1402 if (skb_queue_is_last(TX_QUEUE(sk), skb))
1403 sk->sk_send_head = NULL;
1404 else
1405 sk->sk_send_head = skb_queue_next(TX_QUEUE(sk), skb);
1406
1407 skb = skb_dequeue(TX_QUEUE(sk));
1408 kfree_skb(skb);
1409 }
1410 return 0;
1411}
1412
dfc909be 1413static void l2cap_retransmit_one_frame(struct sock *sk, u8 tx_seq)
8f17154f
GP		 1414{
1415 struct l2cap_pinfo *pi = l2cap_pi(sk);
1416 struct sk_buff *skb, *tx_skb;
1417 u16 control, fcs;
8f17154f
GP		 1418
1419 skb = skb_peek(TX_QUEUE(sk));
f11d676d
GP		 1420 if (!skb)
1421 return;
8f17154f 1422
f11d676d
GP		 1423 do {
1424 if (bt_cb(skb)->tx_seq == tx_seq)
8f17154f 1425 break;
8f17154f 1426
f11d676d
GP		 1427 if (skb_queue_is_last(TX_QUEUE(sk), skb))
1428 return;
8f17154f 1429
f11d676d 1430 } while ((skb = skb_queue_next(TX_QUEUE(sk), skb)));
8f17154f 1431
f11d676d
GP		 1432 if (pi->remote_max_tx &&
1433 bt_cb(skb)->retries == pi->remote_max_tx) {
9b108fc0 1434 l2cap_send_disconn_req(pi->conn, sk, ECONNABORTED);
f11d676d
GP		 1435 return;
1436 }
1437
1438 tx_skb = skb_clone(skb, GFP_ATOMIC);
1439 bt_cb(skb)->retries++;
1440 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
3cb123d1
GP		 1441
1442 if (pi->conn_state & L2CAP_CONN_SEND_FBIT) {
1443 control |= L2CAP_CTRL_FINAL;
1444 pi->conn_state &= ~L2CAP_CONN_SEND_FBIT;
1445 }
95ffa978 1446
f11d676d
GP		 1447 control |= (pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1448 | (tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
3cb123d1 1449
f11d676d
GP		 1450 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1451
1452 if (pi->fcs == L2CAP_FCS_CRC16) {
1453 fcs = crc16(0, (u8 *)tx_skb->data, tx_skb->len - 2);
1454 put_unaligned_le16(fcs, tx_skb->data + tx_skb->len - 2);
1455 }
1456
1457 l2cap_do_send(sk, tx_skb);
8f17154f
GP		 1458}
1459
1c2acffb
GP		 1460static int l2cap_ertm_send(struct sock *sk)
1461{
1462 struct sk_buff *skb, *tx_skb;
1463 struct l2cap_pinfo *pi = l2cap_pi(sk);
fcc203c3 1464 u16 control, fcs;
9a9c6a34 1465 int nsent = 0;
1c2acffb 1466
c13ffa62
GP		 1467 if (sk->sk_state != BT_CONNECTED)
1468 return -ENOTCONN;
e90bac06 1469
6e2b6722 1470 while ((skb = sk->sk_send_head) && (!l2cap_tx_window_full(sk))) {
1c2acffb 1471
e90bac06
GP		 1472 if (pi->remote_max_tx &&
1473 bt_cb(skb)->retries == pi->remote_max_tx) {
9b108fc0 1474 l2cap_send_disconn_req(pi->conn, sk, ECONNABORTED);
e90bac06
GP		 1475 break;
1476 }
1477
e420aba3
AE		 1478 tx_skb = skb_clone(skb, GFP_ATOMIC);
1479
e90bac06
GP		 1480 bt_cb(skb)->retries++;
1481
1c2acffb 1482 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
95ffa978
GP		 1483 control &= L2CAP_CTRL_SAR;
1484
d5392c8f
GP		 1485 if (pi->conn_state & L2CAP_CONN_SEND_FBIT) {
1486 control |= L2CAP_CTRL_FINAL;
1487 pi->conn_state &= ~L2CAP_CONN_SEND_FBIT;
1488 }
9f121a5a 1489 control |= (pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1c2acffb
GP		 1490 | (pi->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
1491 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1492
e90bac06 1493
e8235c6b 1494 if (pi->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 1495 fcs = crc16(0, (u8 *)skb->data, tx_skb->len - 2);
1496 put_unaligned_le16(fcs, skb->data + tx_skb->len - 2);
1497 }
1498
9a9c6a34
GP		 1499 l2cap_do_send(sk, tx_skb);
1500
e90bac06 1501 __mod_retrans_timer();
1c2acffb
GP		 1502
1503 bt_cb(skb)->tx_seq = pi->next_tx_seq;
1504 pi->next_tx_seq = (pi->next_tx_seq + 1) % 64;
1505
1506 pi->unacked_frames++;
d5392c8f 1507 pi->frames_sent++;
1c2acffb
GP		 1508
1509 if (skb_queue_is_last(TX_QUEUE(sk), skb))
1510 sk->sk_send_head = NULL;
1511 else
1512 sk->sk_send_head = skb_queue_next(TX_QUEUE(sk), skb);
9e917af1
GP		 1513
1514 nsent++;
1c2acffb
GP		 1515 }
1516
9e917af1
GP		 1517 return nsent;
1518}
1519
dfc909be
GP		 1520static int l2cap_retransmit_frames(struct sock *sk)
1521{
1522 struct l2cap_pinfo *pi = l2cap_pi(sk);
1523 int ret;
1524
1525 spin_lock_bh(&pi->send_lock);
1526
1527 if (!skb_queue_empty(TX_QUEUE(sk)))
1528 sk->sk_send_head = TX_QUEUE(sk)->next;
1529
1530 pi->next_tx_seq = pi->expected_ack_seq;
1531 ret = l2cap_ertm_send(sk);
1532
1533 spin_unlock_bh(&pi->send_lock);
1534
1535 return ret;
1536}
1537
9a9c6a34 1538static void l2cap_send_ack(struct l2cap_pinfo *pi)
9e917af1
GP		 1539{
1540 struct sock *sk = (struct sock *)pi;
1541 u16 control = 0;
dfc909be 1542 int nframes;
9e917af1
GP		 1543
1544 control |= pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1545
1546 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) {
1547 control |= L2CAP_SUPER_RCV_NOT_READY;
1890d36b 1548 pi->conn_state |= L2CAP_CONN_RNR_SENT;
9a9c6a34
GP		 1549 l2cap_send_sframe(pi, control);
1550 return;
9e917af1 1551 }
dfc909be
GP		 1552
1553 spin_lock_bh(&pi->send_lock);
1554 nframes = l2cap_ertm_send(sk);
1555 spin_unlock_bh(&pi->send_lock);
1556
1557 if (nframes > 0)
1558 return;
1559
1560 control |= L2CAP_SUPER_RCV_READY;
1561 l2cap_send_sframe(pi, control);
1c2acffb
GP		 1562}
1563
9a9c6a34 1564static void l2cap_send_srejtail(struct sock *sk)
99b0d4b7
GP		 1565{
1566 struct srej_list *tail;
1567 u16 control;
1568
1569 control = L2CAP_SUPER_SELECT_REJECT;
1570 control |= L2CAP_CTRL_FINAL;
1571
1572 tail = list_entry(SREJ_LIST(sk)->prev, struct srej_list, list);
1573 control |= tail->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1574
1575 l2cap_send_sframe(l2cap_pi(sk), control);
99b0d4b7
GP		 1576}
1577
1c2acffb
GP		 1578static inline int l2cap_skbuff_fromiovec(struct sock *sk, struct msghdr *msg, int len, int count, struct sk_buff *skb)
1579{
1580 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1581 struct sk_buff **frag;
1582 int err, sent = 0;
1da177e4 1583
59203a21 1584 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1585 return -EFAULT;
1da177e4
LT		 1586
1587 sent += count;
1588 len -= count;
1589
1590 /* Continuation fragments (no L2CAP header) */
1591 frag = &skb_shinfo(skb)->frag_list;
1592 while (len) {
1593 count = min_t(unsigned int, conn->mtu, len);
1594
1595 *frag = bt_skb_send_alloc(sk, count, msg->msg_flags & MSG_DONTWAIT, &err);
1596 if (!*frag)
1c2acffb
GP		 1597 return -EFAULT;
1598 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1599 return -EFAULT;
1da177e4
LT		 1600
1601 sent += count;
1602 len -= count;
1603
1604 frag = &(*frag)->next;
1605 }
1da177e4
LT		 1606
1607 return sent;
1c2acffb 1608}
1da177e4 1609
1c2acffb
GP		 1610static struct sk_buff *l2cap_create_connless_pdu(struct sock *sk, struct msghdr *msg, size_t len)
1611{
1612 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1613 struct sk_buff *skb;
1614 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1615 struct l2cap_hdr *lh;
1616
1617 BT_DBG("sk %p len %d", sk, (int)len);
1618
1619 count = min_t(unsigned int, (conn->mtu - hlen), len);
1620 skb = bt_skb_send_alloc(sk, count + hlen,
1621 msg->msg_flags & MSG_DONTWAIT, &err);
1622 if (!skb)
1623 return ERR_PTR(-ENOMEM);
1624
1625 /* Create L2CAP header */
1626 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1627 lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1628 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1629 put_unaligned_le16(l2cap_pi(sk)->psm, skb_put(skb, 2));
1630
1631 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1632 if (unlikely(err < 0)) {
1633 kfree_skb(skb);
1634 return ERR_PTR(err);
1635 }
1636 return skb;
1637}
1638
1639static struct sk_buff *l2cap_create_basic_pdu(struct sock *sk, struct msghdr *msg, size_t len)
1640{
1641 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1642 struct sk_buff *skb;
1643 int err, count, hlen = L2CAP_HDR_SIZE;
1644 struct l2cap_hdr *lh;
1645
1646 BT_DBG("sk %p len %d", sk, (int)len);
1647
1648 count = min_t(unsigned int, (conn->mtu - hlen), len);
1649 skb = bt_skb_send_alloc(sk, count + hlen,
1650 msg->msg_flags & MSG_DONTWAIT, &err);
1651 if (!skb)
1652 return ERR_PTR(-ENOMEM);
1653
1654 /* Create L2CAP header */
1655 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1656 lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1657 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1658
1659 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1660 if (unlikely(err < 0)) {
1661 kfree_skb(skb);
1662 return ERR_PTR(err);
1663 }
1664 return skb;
1665}
1666
6840ed07 1667static struct sk_buff *l2cap_create_iframe_pdu(struct sock *sk, struct msghdr *msg, size_t len, u16 control, u16 sdulen)
1c2acffb
GP		 1668{
1669 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1670 struct sk_buff *skb;
1671 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1672 struct l2cap_hdr *lh;
1673
1674 BT_DBG("sk %p len %d", sk, (int)len);
1675
0ee0d208
GP		 1676 if (!conn)
1677 return ERR_PTR(-ENOTCONN);
1678
c74e560c
GP		 1679 if (sdulen)
1680 hlen += 2;
1681
fcc203c3
GP		 1682 if (l2cap_pi(sk)->fcs == L2CAP_FCS_CRC16)
1683 hlen += 2;
1684
1c2acffb
GP		 1685 count = min_t(unsigned int, (conn->mtu - hlen), len);
1686 skb = bt_skb_send_alloc(sk, count + hlen,
1687 msg->msg_flags & MSG_DONTWAIT, &err);
1688 if (!skb)
1689 return ERR_PTR(-ENOMEM);
1690
1691 /* Create L2CAP header */
1692 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1693 lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1694 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1695 put_unaligned_le16(control, skb_put(skb, 2));
c74e560c
GP		 1696 if (sdulen)
1697 put_unaligned_le16(sdulen, skb_put(skb, 2));
1c2acffb
GP		 1698
1699 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1700 if (unlikely(err < 0)) {
1701 kfree_skb(skb);
1702 return ERR_PTR(err);
1703 }
e90bac06 1704
fcc203c3
GP		 1705 if (l2cap_pi(sk)->fcs == L2CAP_FCS_CRC16)
1706 put_unaligned_le16(0, skb_put(skb, 2));
1707
e90bac06 1708 bt_cb(skb)->retries = 0;
1c2acffb 1709 return skb;
1da177e4
LT		 1710}
1711
c74e560c
GP		 1712static inline int l2cap_sar_segment_sdu(struct sock *sk, struct msghdr *msg, size_t len)
1713{
1714 struct l2cap_pinfo *pi = l2cap_pi(sk);
1715 struct sk_buff *skb;
1716 struct sk_buff_head sar_queue;
1717 u16 control;
1718 size_t size = 0;
1719
ff12fd64 1720 skb_queue_head_init(&sar_queue);
c74e560c 1721 control = L2CAP_SDU_START;
1c762159 1722 skb = l2cap_create_iframe_pdu(sk, msg, pi->remote_mps, control, len);
c74e560c
GP		 1723 if (IS_ERR(skb))
1724 return PTR_ERR(skb);
1725
1726 __skb_queue_tail(&sar_queue, skb);
1c762159
GP		 1727 len -= pi->remote_mps;
1728 size += pi->remote_mps;
c74e560c
GP		 1729
1730 while (len > 0) {
1731 size_t buflen;
1732
1c762159 1733 if (len > pi->remote_mps) {
44651b85 1734 control = L2CAP_SDU_CONTINUE;
1c762159 1735 buflen = pi->remote_mps;
c74e560c 1736 } else {
44651b85 1737 control = L2CAP_SDU_END;
c74e560c
GP		 1738 buflen = len;
1739 }
1740
6840ed07 1741 skb = l2cap_create_iframe_pdu(sk, msg, buflen, control, 0);
c74e560c
GP		 1742 if (IS_ERR(skb)) {
1743 skb_queue_purge(&sar_queue);
1744 return PTR_ERR(skb);
1745 }
1746
1747 __skb_queue_tail(&sar_queue, skb);
1748 len -= buflen;
1749 size += buflen;
c74e560c
GP		 1750 }
1751 skb_queue_splice_tail(&sar_queue, TX_QUEUE(sk));
dfc909be 1752 spin_lock_bh(&pi->send_lock);
c74e560c
GP		 1753 if (sk->sk_send_head == NULL)
1754 sk->sk_send_head = sar_queue.next;
dfc909be 1755 spin_unlock_bh(&pi->send_lock);
c74e560c
GP		 1756
1757 return size;
1758}
1759
1da177e4
LT		 1760static int l2cap_sock_sendmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len)
1761{
1762 struct sock *sk = sock->sk;
1c2acffb
GP		 1763 struct l2cap_pinfo *pi = l2cap_pi(sk);
1764 struct sk_buff *skb;
1765 u16 control;
1766 int err;
1da177e4
LT		 1767
1768 BT_DBG("sock %p, sk %p", sock, sk);
1769
c1cbe4b7
BL		 1770 err = sock_error(sk);
1771 if (err)
1772 return err;
1da177e4
LT		 1773
1774 if (msg->msg_flags & MSG_OOB)
1775 return -EOPNOTSUPP;
1776
1da177e4
LT		 1777 lock_sock(sk);
1778
1c2acffb 1779 if (sk->sk_state != BT_CONNECTED) {
1da177e4 1780 err = -ENOTCONN;
1c2acffb
GP		 1781 goto done;
1782 }
1da177e4 1783
1c2acffb
GP		 1784 /* Connectionless channel */
1785 if (sk->sk_type == SOCK_DGRAM) {
1786 skb = l2cap_create_connless_pdu(sk, msg, len);
9a9c6a34 1787 if (IS_ERR(skb)) {
477fffb0 1788 err = PTR_ERR(skb);
9a9c6a34
GP		 1789 } else {
1790 l2cap_do_send(sk, skb);
1791 err = len;
1792 }
1c2acffb
GP		 1793 goto done;
1794 }
1795
1796 switch (pi->mode) {
1797 case L2CAP_MODE_BASIC:
c69163e9
GP		 1798 /* Check outgoing MTU */
1799 if (len > pi->omtu) {
1800 err = -EINVAL;
1801 goto done;
1802 }
1803
1c2acffb
GP		 1804 /* Create a basic PDU */
1805 skb = l2cap_create_basic_pdu(sk, msg, len);
1806 if (IS_ERR(skb)) {
1807 err = PTR_ERR(skb);
1808 goto done;
1809 }
1810
9a9c6a34
GP		 1811 l2cap_do_send(sk, skb);
1812 err = len;
1c2acffb
GP		 1813 break;
1814
1815 case L2CAP_MODE_ERTM:
6840ed07 1816 case L2CAP_MODE_STREAMING:
1c2acffb 1817 /* Entire SDU fits into one PDU */
1c762159 1818 if (len <= pi->remote_mps) {
1c2acffb 1819 control = L2CAP_SDU_UNSEGMENTED;
6840ed07 1820 skb = l2cap_create_iframe_pdu(sk, msg, len, control, 0);
1c2acffb
GP		 1821 if (IS_ERR(skb)) {
1822 err = PTR_ERR(skb);
1823 goto done;
1824 }
c74e560c 1825 __skb_queue_tail(TX_QUEUE(sk), skb);
dfc909be
GP		 1826
1827 if (pi->mode == L2CAP_MODE_ERTM)
1828 spin_lock_bh(&pi->send_lock);
1829
c74e560c
GP		 1830 if (sk->sk_send_head == NULL)
1831 sk->sk_send_head = skb;
dfc909be
GP		 1832
1833 if (pi->mode == L2CAP_MODE_ERTM)
1834 spin_unlock_bh(&pi->send_lock);
1c2acffb 1835 } else {
c74e560c
GP		 1836 /* Segment SDU into multiples PDUs */
1837 err = l2cap_sar_segment_sdu(sk, msg, len);
1838 if (err < 0)
1839 goto done;
1c2acffb 1840 }
1c2acffb 1841
dfc909be 1842 if (pi->mode == L2CAP_MODE_STREAMING) {
6840ed07 1843 err = l2cap_streaming_send(sk);
dfc909be 1844 } else {
6e2b6722
GP		 1845 if (pi->conn_state & L2CAP_CONN_REMOTE_BUSY &&
1846 pi->conn_state && L2CAP_CONN_WAIT_F) {
1847 err = len;
1848 break;
1849 }
dfc909be 1850 spin_lock_bh(&pi->send_lock);
6840ed07 1851 err = l2cap_ertm_send(sk);
dfc909be
GP		 1852 spin_unlock_bh(&pi->send_lock);
1853 }
6840ed07 1854
9e917af1 1855 if (err >= 0)
1c2acffb
GP		 1856 err = len;
1857 break;
1858
1859 default:
1860 BT_DBG("bad state %1.1x", pi->mode);
1861 err = -EINVAL;
1862 }
1863
1864done:
1da177e4
LT		 1865 release_sock(sk);
1866 return err;
1867}
1868
f66dc81f
MH		 1869static int l2cap_sock_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len, int flags)
1870{
1871 struct sock *sk = sock->sk;
1872
1873 lock_sock(sk);
1874
1875 if (sk->sk_state == BT_CONNECT2 && bt_sk(sk)->defer_setup) {
1876 struct l2cap_conn_rsp rsp;
1877
1878 sk->sk_state = BT_CONFIG;
1879
1880 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
1881 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
1882 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1883 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1884 l2cap_send_cmd(l2cap_pi(sk)->conn, l2cap_pi(sk)->ident,
1885 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
1886
1887 release_sock(sk);
1888 return 0;
1889 }
1890
1891 release_sock(sk);
1892
1893 return bt_sock_recvmsg(iocb, sock, msg, len, flags);
1894}
1895
b7058842 1896static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __user *optval, unsigned int optlen)
1da177e4
LT		 1897{
1898 struct sock *sk = sock->sk;
1899 struct l2cap_options opts;
f29972de 1900 int len, err = 0;
1da177e4
LT		 1901 u32 opt;
1902
1903 BT_DBG("sk %p", sk);
1904
1905 lock_sock(sk);
1906
1907 switch (optname) {
1908 case L2CAP_OPTIONS:
0878b666
MH		 1909 opts.imtu = l2cap_pi(sk)->imtu;
1910 opts.omtu = l2cap_pi(sk)->omtu;
1911 opts.flush_to = l2cap_pi(sk)->flush_to;
c6b03cf9 1912 opts.mode = l2cap_pi(sk)->mode;
fcc203c3 1913 opts.fcs = l2cap_pi(sk)->fcs;
68d7f0ce 1914 opts.max_tx = l2cap_pi(sk)->max_tx;
14b5aa71 1915 opts.txwin_size = (__u16)l2cap_pi(sk)->tx_win;
0878b666 1916
1da177e4
LT		 1917 len = min_t(unsigned int, sizeof(opts), optlen);
1918 if (copy_from_user((char *) &opts, optval, len)) {
1919 err = -EFAULT;
1920 break;
1921 }
0878b666 1922
45d65c46
GP		 1923 if (opts.txwin_size > L2CAP_DEFAULT_TX_WINDOW) {
1924 err = -EINVAL;
1925 break;
1926 }
1927
0041ecfa
JPRV		 1928 l2cap_pi(sk)->mode = opts.mode;
1929 switch (l2cap_pi(sk)->mode) {
1930 case L2CAP_MODE_BASIC:
85eb53c6 1931 l2cap_pi(sk)->conf_state &= ~L2CAP_CONF_STATE2_DEVICE;
0041ecfa
JPRV		 1932 break;
1933 case L2CAP_MODE_ERTM:
1934 case L2CAP_MODE_STREAMING:
1935 if (enable_ertm)
1936 break;
1937 /* fall through */
1938 default:
1939 err = -EINVAL;
1940 break;
1941 }
1942
c6b03cf9
MH		 1943 l2cap_pi(sk)->imtu = opts.imtu;
1944 l2cap_pi(sk)->omtu = opts.omtu;
fcc203c3 1945 l2cap_pi(sk)->fcs = opts.fcs;
68d7f0ce 1946 l2cap_pi(sk)->max_tx = opts.max_tx;
14b5aa71 1947 l2cap_pi(sk)->tx_win = (__u8)opts.txwin_size;
1da177e4
LT		 1948 break;
1949
1950 case L2CAP_LM:
1951 if (get_user(opt, (u32 __user *) optval)) {
1952 err = -EFAULT;
1953 break;
1954 }
1955
2af6b9d5
MH		 1956 if (opt & L2CAP_LM_AUTH)
1957 l2cap_pi(sk)->sec_level = BT_SECURITY_LOW;
1958 if (opt & L2CAP_LM_ENCRYPT)
1959 l2cap_pi(sk)->sec_level = BT_SECURITY_MEDIUM;
1960 if (opt & L2CAP_LM_SECURE)
1961 l2cap_pi(sk)->sec_level = BT_SECURITY_HIGH;
1962
1963 l2cap_pi(sk)->role_switch = (opt & L2CAP_LM_MASTER);
1964 l2cap_pi(sk)->force_reliable = (opt & L2CAP_LM_RELIABLE);
1da177e4
LT		 1965 break;
1966
1967 default:
1968 err = -ENOPROTOOPT;
1969 break;
1970 }
1971
1972 release_sock(sk);
1973 return err;
1974}
1975
b7058842 1976static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, char __user *optval, unsigned int optlen)
d58daf42
MH		 1977{
1978 struct sock *sk = sock->sk;
2af6b9d5
MH		 1979 struct bt_security sec;
1980 int len, err = 0;
f66dc81f 1981 u32 opt;
d58daf42
MH		 1982
1983 BT_DBG("sk %p", sk);
1984
1985 if (level == SOL_L2CAP)
1986 return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
1987
0588d94f
MH		 1988 if (level != SOL_BLUETOOTH)
1989 return -ENOPROTOOPT;
1990
d58daf42
MH		 1991 lock_sock(sk);
1992
1993 switch (optname) {
2af6b9d5 1994 case BT_SECURITY:
bd3c9e25
GP		 1995 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
1996 && sk->sk_type != SOCK_RAW) {
0588d94f
MH		 1997 err = -EINVAL;
1998 break;
1999 }
2000
2af6b9d5
MH		 2001 sec.level = BT_SECURITY_LOW;
2002
2003 len = min_t(unsigned int, sizeof(sec), optlen);
2004 if (copy_from_user((char *) &sec, optval, len)) {
2005 err = -EFAULT;
2006 break;
2007 }
2008
2009 if (sec.level < BT_SECURITY_LOW ||
2010 sec.level > BT_SECURITY_HIGH) {
2011 err = -EINVAL;
2012 break;
2013 }
2014
2015 l2cap_pi(sk)->sec_level = sec.level;
2016 break;
2017
f66dc81f
MH		 2018 case BT_DEFER_SETUP:
2019 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
2020 err = -EINVAL;
2021 break;
2022 }
2023
2024 if (get_user(opt, (u32 __user *) optval)) {
2025 err = -EFAULT;
2026 break;
2027 }
2028
2029 bt_sk(sk)->defer_setup = opt;
2030 break;
2031
d58daf42
MH		 2032 default:
2033 err = -ENOPROTOOPT;
2034 break;
2035 }
2036
2037 release_sock(sk);
2038 return err;
2039}
2040
2041static int l2cap_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen)
1da177e4
LT		 2042{
2043 struct sock *sk = sock->sk;
2044 struct l2cap_options opts;
2045 struct l2cap_conninfo cinfo;
2046 int len, err = 0;
2af6b9d5 2047 u32 opt;
1da177e4
LT		 2048
2049 BT_DBG("sk %p", sk);
2050
2051 if (get_user(len, optlen))
2052 return -EFAULT;
2053
2054 lock_sock(sk);
2055
2056 switch (optname) {
2057 case L2CAP_OPTIONS:
2058 opts.imtu = l2cap_pi(sk)->imtu;
2059 opts.omtu = l2cap_pi(sk)->omtu;
2060 opts.flush_to = l2cap_pi(sk)->flush_to;
c6b03cf9 2061 opts.mode = l2cap_pi(sk)->mode;
fcc203c3 2062 opts.fcs = l2cap_pi(sk)->fcs;
68d7f0ce 2063 opts.max_tx = l2cap_pi(sk)->max_tx;
14b5aa71 2064 opts.txwin_size = (__u16)l2cap_pi(sk)->tx_win;
1da177e4
LT		 2065
2066 len = min_t(unsigned int, len, sizeof(opts));
2067 if (copy_to_user(optval, (char *) &opts, len))
2068 err = -EFAULT;
2069
2070 break;
2071
2072 case L2CAP_LM:
2af6b9d5
MH		 2073 switch (l2cap_pi(sk)->sec_level) {
2074 case BT_SECURITY_LOW:
2075 opt = L2CAP_LM_AUTH;
2076 break;
2077 case BT_SECURITY_MEDIUM:
2078 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
2079 break;
2080 case BT_SECURITY_HIGH:
2081 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
2082 L2CAP_LM_SECURE;
2083 break;
2084 default:
2085 opt = 0;
2086 break;
2087 }
2088
2089 if (l2cap_pi(sk)->role_switch)
2090 opt |= L2CAP_LM_MASTER;
2091
2092 if (l2cap_pi(sk)->force_reliable)
2093 opt |= L2CAP_LM_RELIABLE;
2094
2095 if (put_user(opt, (u32 __user *) optval))
1da177e4
LT		 2096 err = -EFAULT;
2097 break;
2098
2099 case L2CAP_CONNINFO:
f66dc81f
MH		 2100 if (sk->sk_state != BT_CONNECTED &&
2101 !(sk->sk_state == BT_CONNECT2 &&
2102 bt_sk(sk)->defer_setup)) {
1da177e4
LT		 2103 err = -ENOTCONN;
2104 break;
2105 }
2106
2107 cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle;
2108 memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3);
2109
2110 len = min_t(unsigned int, len, sizeof(cinfo));
2111 if (copy_to_user(optval, (char *) &cinfo, len))
2112 err = -EFAULT;
2113
2114 break;
2115
2116 default:
2117 err = -ENOPROTOOPT;
2118 break;
2119 }
2120
2121 release_sock(sk);
2122 return err;
2123}
2124
d58daf42
MH		 2125static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen)
2126{
2127 struct sock *sk = sock->sk;
2af6b9d5 2128 struct bt_security sec;
d58daf42
MH		 2129 int len, err = 0;
2130
2131 BT_DBG("sk %p", sk);
2132
2133 if (level == SOL_L2CAP)
2134 return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
2135
0588d94f
MH		 2136 if (level != SOL_BLUETOOTH)
2137 return -ENOPROTOOPT;
2138
d58daf42
MH		 2139 if (get_user(len, optlen))
2140 return -EFAULT;
2141
2142 lock_sock(sk);
2143
2144 switch (optname) {
2af6b9d5 2145 case BT_SECURITY:
bd3c9e25
GP		 2146 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
2147 && sk->sk_type != SOCK_RAW) {
0588d94f
MH		 2148 err = -EINVAL;
2149 break;
2150 }
2151
2af6b9d5
MH		 2152 sec.level = l2cap_pi(sk)->sec_level;
2153
2154 len = min_t(unsigned int, len, sizeof(sec));
2155 if (copy_to_user(optval, (char *) &sec, len))
2156 err = -EFAULT;
2157
2158 break;
2159
f66dc81f
MH		 2160 case BT_DEFER_SETUP:
2161 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
2162 err = -EINVAL;
2163 break;
2164 }
2165
2166 if (put_user(bt_sk(sk)->defer_setup, (u32 __user *) optval))
2167 err = -EFAULT;
2168
2169 break;
2170
d58daf42
MH		 2171 default:
2172 err = -ENOPROTOOPT;
2173 break;
2174 }
2175
2176 release_sock(sk);
2177 return err;
2178}
2179
1da177e4
LT		 2180static int l2cap_sock_shutdown(struct socket *sock, int how)
2181{
2182 struct sock *sk = sock->sk;
2183 int err = 0;
2184
2185 BT_DBG("sock %p, sk %p", sock, sk);
2186
2187 if (!sk)
2188 return 0;
2189
2190 lock_sock(sk);
2191 if (!sk->sk_shutdown) {
6161c038
GP		 2192 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM)
2193 err = __l2cap_wait_ack(sk);
2194
1da177e4
LT		 2195 sk->sk_shutdown = SHUTDOWN_MASK;
2196 l2cap_sock_clear_timer(sk);
2197 __l2cap_sock_close(sk, 0);
2198
2199 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime)
b1235d79
MH		 2200 err = bt_sock_wait_state(sk, BT_CLOSED,
2201 sk->sk_lingertime);
1da177e4 2202 }
9b108fc0
GP		 2203
2204 if (!err && sk->sk_err)
2205 err = -sk->sk_err;
2206
1da177e4
LT		 2207 release_sock(sk);
2208 return err;
2209}
2210
2211static int l2cap_sock_release(struct socket *sock)
2212{
2213 struct sock *sk = sock->sk;
2214 int err;
2215
2216 BT_DBG("sock %p, sk %p", sock, sk);
2217
2218 if (!sk)
2219 return 0;
2220
2221 err = l2cap_sock_shutdown(sock, 2);
2222
2223 sock_orphan(sk);
2224 l2cap_sock_kill(sk);
2225 return err;
2226}
2227
1da177e4
LT		 2228static void l2cap_chan_ready(struct sock *sk)
2229{
2230 struct sock *parent = bt_sk(sk)->parent;
2231
2232 BT_DBG("sk %p, parent %p", sk, parent);
2233
2234 l2cap_pi(sk)->conf_state = 0;
2235 l2cap_sock_clear_timer(sk);
2236
2237 if (!parent) {
2238 /* Outgoing channel.
2239 * Wake up socket sleeping on connect.
2240 */
2241 sk->sk_state = BT_CONNECTED;
2242 sk->sk_state_change(sk);
2243 } else {
2244 /* Incoming channel.
2245 * Wake up socket sleeping on accept.
2246 */
2247 parent->sk_data_ready(parent, 0);
2248 }
2249}
2250
2251/* Copy frame to all raw sockets on that connection */
2252static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2253{
2254 struct l2cap_chan_list *l = &conn->chan_list;
2255 struct sk_buff *nskb;
af05b30b 2256 struct sock *sk;
1da177e4
LT		 2257
2258 BT_DBG("conn %p", conn);
2259
2260 read_lock(&l->lock);
2261 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
2262 if (sk->sk_type != SOCK_RAW)
2263 continue;
2264
2265 /* Don't send frame to the socket it came from */
2266 if (skb->sk == sk)
2267 continue;
af05b30b
GP		 2268 nskb = skb_clone(skb, GFP_ATOMIC);
2269 if (!nskb)
1da177e4
LT		 2270 continue;
2271
2272 if (sock_queue_rcv_skb(sk, nskb))
2273 kfree_skb(nskb);
2274 }
2275 read_unlock(&l->lock);
2276}
2277
2278/* ---- L2CAP signalling commands ---- */
2279static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2280 u8 code, u8 ident, u16 dlen, void *data)
2281{
2282 struct sk_buff *skb, **frag;
2283 struct l2cap_cmd_hdr *cmd;
2284 struct l2cap_hdr *lh;
2285 int len, count;
2286
af05b30b
GP		 2287 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
2288 conn, code, ident, dlen);
1da177e4
LT		 2289
2290 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2291 count = min_t(unsigned int, conn->mtu, len);
2292
2293 skb = bt_skb_alloc(count, GFP_ATOMIC);
2294 if (!skb)
2295 return NULL;
2296
2297 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2298 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
8db4dc46 2299 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2300
2301 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2302 cmd->code = code;
2303 cmd->ident = ident;
aca3192c 2304 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2305
2306 if (dlen) {
2307 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2308 memcpy(skb_put(skb, count), data, count);
2309 data += count;
2310 }
2311
2312 len -= skb->len;
2313
2314 /* Continuation fragments (no L2CAP header) */
2315 frag = &skb_shinfo(skb)->frag_list;
2316 while (len) {
2317 count = min_t(unsigned int, conn->mtu, len);
2318
2319 *frag = bt_skb_alloc(count, GFP_ATOMIC);
2320 if (!*frag)
2321 goto fail;
2322
2323 memcpy(skb_put(*frag, count), data, count);
2324
2325 len -= count;
2326 data += count;
2327
2328 frag = &(*frag)->next;
2329 }
2330
2331 return skb;
2332
2333fail:
2334 kfree_skb(skb);
2335 return NULL;
2336}
2337
2338static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
2339{
2340 struct l2cap_conf_opt *opt = *ptr;
2341 int len;
2342
2343 len = L2CAP_CONF_OPT_SIZE + opt->len;
2344 *ptr += len;
2345
2346 *type = opt->type;
2347 *olen = opt->len;
2348
2349 switch (opt->len) {
2350 case 1:
2351 *val = *((u8 *) opt->val);
2352 break;
2353
2354 case 2:
861d6882 2355 *val = __le16_to_cpu(*((__le16 *) opt->val));
1da177e4
LT		 2356 break;
2357
2358 case 4:
861d6882 2359 *val = __le32_to_cpu(*((__le32 *) opt->val));
1da177e4
LT		 2360 break;
2361
2362 default:
2363 *val = (unsigned long) opt->val;
2364 break;
2365 }
2366
2367 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
2368 return len;
2369}
2370
1da177e4
LT		 2371static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2372{
2373 struct l2cap_conf_opt *opt = *ptr;
2374
2375 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
2376
2377 opt->type = type;
2378 opt->len = len;
2379
2380 switch (len) {
2381 case 1:
2382 *((u8 *) opt->val) = val;
2383 break;
2384
2385 case 2:
8e036fc3 2386 *((__le16 *) opt->val) = cpu_to_le16(val);
1da177e4
LT		 2387 break;
2388
2389 case 4:
8e036fc3 2390 *((__le32 *) opt->val) = cpu_to_le32(val);
1da177e4
LT		 2391 break;
2392
2393 default:
2394 memcpy(opt->val, (void *) val, len);
2395 break;
2396 }
2397
2398 *ptr += L2CAP_CONF_OPT_SIZE + len;
2399}
2400
c1b4f43b
GP		 2401static void l2cap_ack_timeout(unsigned long arg)
2402{
2403 struct sock *sk = (void *) arg;
2404
2405 bh_lock_sock(sk);
2406 l2cap_send_ack(l2cap_pi(sk));
2407 bh_unlock_sock(sk);
2408}
2409
0565c1c2
GP		 2410static inline void l2cap_ertm_init(struct sock *sk)
2411{
2412 l2cap_pi(sk)->expected_ack_seq = 0;
2413 l2cap_pi(sk)->unacked_frames = 0;
2414 l2cap_pi(sk)->buffer_seq = 0;
803020c6 2415 l2cap_pi(sk)->num_acked = 0;
d5392c8f 2416 l2cap_pi(sk)->frames_sent = 0;
0565c1c2
GP		 2417
2418 setup_timer(&l2cap_pi(sk)->retrans_timer,
2419 l2cap_retrans_timeout, (unsigned long) sk);
2420 setup_timer(&l2cap_pi(sk)->monitor_timer,
2421 l2cap_monitor_timeout, (unsigned long) sk);
c1b4f43b
GP		 2422 setup_timer(&l2cap_pi(sk)->ack_timer,
2423 l2cap_ack_timeout, (unsigned long) sk);
0565c1c2
GP		 2424
2425 __skb_queue_head_init(SREJ_QUEUE(sk));
1890d36b 2426 __skb_queue_head_init(BUSY_QUEUE(sk));
dfc909be 2427 spin_lock_init(&l2cap_pi(sk)->send_lock);
1890d36b
GP		 2428
2429 INIT_WORK(&l2cap_pi(sk)->busy_work, l2cap_busy_work);
0565c1c2
GP		 2430}
2431
f2fcfcd6
GP		 2432static int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
2433{
2434 u32 local_feat_mask = l2cap_feat_mask;
2435 if (enable_ertm)
6840ed07 2436 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
f2fcfcd6
GP		 2437
2438 switch (mode) {
2439 case L2CAP_MODE_ERTM:
2440 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
2441 case L2CAP_MODE_STREAMING:
2442 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
2443 default:
2444 return 0x00;
2445 }
2446}
2447
2448static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2449{
2450 switch (mode) {
2451 case L2CAP_MODE_STREAMING:
2452 case L2CAP_MODE_ERTM:
2453 if (l2cap_mode_supported(mode, remote_feat_mask))
2454 return mode;
2455 /* fall through */
2456 default:
2457 return L2CAP_MODE_BASIC;
2458 }
2459}
2460
1da177e4
LT		 2461static int l2cap_build_conf_req(struct sock *sk, void *data)
2462{
2463 struct l2cap_pinfo *pi = l2cap_pi(sk);
2464 struct l2cap_conf_req *req = data;
bd3c9e25 2465 struct l2cap_conf_rfc rfc = { .mode = pi->mode };
1da177e4
LT		 2466 void *ptr = req->data;
2467
2468 BT_DBG("sk %p", sk);
2469
f2fcfcd6
GP		 2470 if (pi->num_conf_req || pi->num_conf_rsp)
2471 goto done;
2472
2473 switch (pi->mode) {
2474 case L2CAP_MODE_STREAMING:
2475 case L2CAP_MODE_ERTM:
85eb53c6
GP		 2476 if (!(pi->conf_state & L2CAP_CONF_STATE2_DEVICE)) {
2477 pi->mode = l2cap_select_mode(rfc.mode,
2478 pi->conn->feat_mask);
2479 break;
2480 }
2481
22121fc9 2482 if (!l2cap_mode_supported(pi->mode, pi->conn->feat_mask))
9b108fc0 2483 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
f2fcfcd6
GP		 2484 break;
2485 default:
2486 pi->mode = l2cap_select_mode(rfc.mode, pi->conn->feat_mask);
2487 break;
2488 }
2489
2490done:
65c7c491
MH		 2491 switch (pi->mode) {
2492 case L2CAP_MODE_BASIC:
2493 if (pi->imtu != L2CAP_DEFAULT_MTU)
2494 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->imtu);
2495 break;
2496
2497 case L2CAP_MODE_ERTM:
2498 rfc.mode = L2CAP_MODE_ERTM;
14b5aa71 2499 rfc.txwin_size = pi->tx_win;
68d7f0ce 2500 rfc.max_transmit = pi->max_tx;
f2fcfcd6
GP		 2501 rfc.retrans_timeout = 0;
2502 rfc.monitor_timeout = 0;
c74e560c 2503 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
d1daa091 2504 if (L2CAP_DEFAULT_MAX_PDU_SIZE > pi->conn->mtu - 10)
1c762159 2505 rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10);
f2fcfcd6
GP		 2506
2507 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2508 sizeof(rfc), (unsigned long) &rfc);
fcc203c3
GP		 2509
2510 if (!(pi->conn->feat_mask & L2CAP_FEAT_FCS))
2511 break;
2512
2513 if (pi->fcs == L2CAP_FCS_NONE ||
2514 pi->conf_state & L2CAP_CONF_NO_FCS_RECV) {
2515 pi->fcs = L2CAP_FCS_NONE;
2516 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, pi->fcs);
2517 }
f2fcfcd6
GP		 2518 break;
2519
2520 case L2CAP_MODE_STREAMING:
2521 rfc.mode = L2CAP_MODE_STREAMING;
2522 rfc.txwin_size = 0;
2523 rfc.max_transmit = 0;
2524 rfc.retrans_timeout = 0;
2525 rfc.monitor_timeout = 0;
c74e560c 2526 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
d1daa091 2527 if (L2CAP_DEFAULT_MAX_PDU_SIZE > pi->conn->mtu - 10)
1c762159 2528 rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10);
65c7c491
MH		 2529
2530 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2531 sizeof(rfc), (unsigned long) &rfc);
fcc203c3
GP		 2532
2533 if (!(pi->conn->feat_mask & L2CAP_FEAT_FCS))
2534 break;
2535
2536 if (pi->fcs == L2CAP_FCS_NONE ||
2537 pi->conf_state & L2CAP_CONF_NO_FCS_RECV) {
2538 pi->fcs = L2CAP_FCS_NONE;
2539 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, pi->fcs);
2540 }
65c7c491
MH		 2541 break;
2542 }
1da177e4
LT		 2543
2544 /* FIXME: Need actual value of the flush timeout */
2545 //if (flush_to != L2CAP_DEFAULT_FLUSH_TO)
2546 // l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, 2, pi->flush_to);
2547
aca3192c
YH		 2548 req->dcid = cpu_to_le16(pi->dcid);
2549 req->flags = cpu_to_le16(0);
1da177e4
LT		 2550
2551 return ptr - data;
2552}
2553
5dee9e7c 2554static int l2cap_parse_conf_req(struct sock *sk, void *data)
1da177e4
LT		 2555{
2556 struct l2cap_pinfo *pi = l2cap_pi(sk);
5dee9e7c
MH		 2557 struct l2cap_conf_rsp *rsp = data;
2558 void *ptr = rsp->data;
2559 void *req = pi->conf_req;
2560 int len = pi->conf_len;
2561 int type, hint, olen;
2562 unsigned long val;
6464f35f 2563 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
861d6882 2564 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 2565 u16 result = L2CAP_CONF_SUCCESS;
1da177e4 2566
5dee9e7c 2567 BT_DBG("sk %p", sk);
820ae1b8 2568
5dee9e7c
MH		 2569 while (len >= L2CAP_CONF_OPT_SIZE) {
2570 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 2571
589d2746 2572 hint = type & L2CAP_CONF_HINT;
47ec1dcd 2573 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 2574
2575 switch (type) {
2576 case L2CAP_CONF_MTU:
861d6882 2577 mtu = val;
5dee9e7c
MH		 2578 break;
2579
2580 case L2CAP_CONF_FLUSH_TO:
2581 pi->flush_to = val;
2582 break;
2583
2584 case L2CAP_CONF_QOS:
2585 break;
2586
6464f35f
MH		 2587 case L2CAP_CONF_RFC:
2588 if (olen == sizeof(rfc))
2589 memcpy(&rfc, (void *) val, olen);
2590 break;
2591
fcc203c3
GP		 2592 case L2CAP_CONF_FCS:
2593 if (val == L2CAP_FCS_NONE)
2594 pi->conf_state |= L2CAP_CONF_NO_FCS_RECV;
2595
2596 break;
2597
5dee9e7c
MH		 2598 default:
2599 if (hint)
2600 break;
2601
2602 result = L2CAP_CONF_UNKNOWN;
2603 *((u8 *) ptr++) = type;
2604 break;
2605 }
2606 }
2607
f2fcfcd6
GP		 2608 if (pi->num_conf_rsp || pi->num_conf_req)
2609 goto done;
2610
2611 switch (pi->mode) {
2612 case L2CAP_MODE_STREAMING:
2613 case L2CAP_MODE_ERTM:
85eb53c6
GP		 2614 if (!(pi->conf_state & L2CAP_CONF_STATE2_DEVICE)) {
2615 pi->mode = l2cap_select_mode(rfc.mode,
2616 pi->conn->feat_mask);
2617 break;
2618 }
2619
742e519b 2620 if (pi->mode != rfc.mode)
f2fcfcd6 2621 return -ECONNREFUSED;
742e519b 2622
f2fcfcd6 2623 break;
f2fcfcd6
GP		 2624 }
2625
2626done:
2627 if (pi->mode != rfc.mode) {
2628 result = L2CAP_CONF_UNACCEPT;
2629 rfc.mode = pi->mode;
2630
2631 if (pi->num_conf_rsp == 1)
2632 return -ECONNREFUSED;
2633
2634 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2635 sizeof(rfc), (unsigned long) &rfc);
2636 }
2637
2638
5dee9e7c
MH		 2639 if (result == L2CAP_CONF_SUCCESS) {
2640 /* Configure output options and let the other side know
2641 * which ones we don't like. */
2642
f2fcfcd6
GP		 2643 if (mtu < L2CAP_DEFAULT_MIN_MTU)
2644 result = L2CAP_CONF_UNACCEPT;
2645 else {
2646 pi->omtu = mtu;
2647 pi->conf_state |= L2CAP_CONF_MTU_DONE;
2648 }
2649 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->omtu);
6464f35f 2650
f2fcfcd6
GP		 2651 switch (rfc.mode) {
2652 case L2CAP_MODE_BASIC:
2653 pi->fcs = L2CAP_FCS_NONE;
2654 pi->conf_state |= L2CAP_CONF_MODE_DONE;
2655 break;
2656
2657 case L2CAP_MODE_ERTM:
2658 pi->remote_tx_win = rfc.txwin_size;
2659 pi->remote_max_tx = rfc.max_transmit;
1c762159
GP		 2660 if (rfc.max_pdu_size > pi->conn->mtu - 10)
2661 rfc.max_pdu_size = le16_to_cpu(pi->conn->mtu - 10);
2662
2663 pi->remote_mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6 2664
10467e9e
GP		 2665 rfc.retrans_timeout =
2666 le16_to_cpu(L2CAP_DEFAULT_RETRANS_TO);
2667 rfc.monitor_timeout =
2668 le16_to_cpu(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6
GP		 2669
2670 pi->conf_state |= L2CAP_CONF_MODE_DONE;
68ae6639
GP		 2671
2672 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2673 sizeof(rfc), (unsigned long) &rfc);
2674
f2fcfcd6
GP		 2675 break;
2676
2677 case L2CAP_MODE_STREAMING:
1c762159
GP		 2678 if (rfc.max_pdu_size > pi->conn->mtu - 10)
2679 rfc.max_pdu_size = le16_to_cpu(pi->conn->mtu - 10);
2680
2681 pi->remote_mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2682
2683 pi->conf_state |= L2CAP_CONF_MODE_DONE;
68ae6639
GP		 2684
2685 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2686 sizeof(rfc), (unsigned long) &rfc);
2687
f2fcfcd6
GP		 2688 break;
2689
2690 default:
5dee9e7c 2691 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 2692
6464f35f 2693 memset(&rfc, 0, sizeof(rfc));
f2fcfcd6
GP		 2694 rfc.mode = pi->mode;
2695 }
6464f35f 2696
f2fcfcd6
GP		 2697 if (result == L2CAP_CONF_SUCCESS)
2698 pi->conf_state |= L2CAP_CONF_OUTPUT_DONE;
2699 }
5dee9e7c
MH		 2700 rsp->scid = cpu_to_le16(pi->dcid);
2701 rsp->result = cpu_to_le16(result);
2702 rsp->flags = cpu_to_le16(0x0000);
2703
2704 return ptr - data;
1da177e4
LT		 2705}
2706
f2fcfcd6
GP		 2707static int l2cap_parse_conf_rsp(struct sock *sk, void *rsp, int len, void *data, u16 *result)
2708{
2709 struct l2cap_pinfo *pi = l2cap_pi(sk);
2710 struct l2cap_conf_req *req = data;
2711 void *ptr = req->data;
2712 int type, olen;
2713 unsigned long val;
2714 struct l2cap_conf_rfc rfc;
2715
2716 BT_DBG("sk %p, rsp %p, len %d, req %p", sk, rsp, len, data);
2717
2718 while (len >= L2CAP_CONF_OPT_SIZE) {
2719 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2720
2721 switch (type) {
2722 case L2CAP_CONF_MTU:
2723 if (val < L2CAP_DEFAULT_MIN_MTU) {
2724 *result = L2CAP_CONF_UNACCEPT;
2725 pi->omtu = L2CAP_DEFAULT_MIN_MTU;
2726 } else
2727 pi->omtu = val;
2728 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->omtu);
2729 break;
2730
2731 case L2CAP_CONF_FLUSH_TO:
2732 pi->flush_to = val;
2733 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
2734 2, pi->flush_to);
2735 break;
2736
2737 case L2CAP_CONF_RFC:
2738 if (olen == sizeof(rfc))
2739 memcpy(&rfc, (void *)val, olen);
2740
2741 if ((pi->conf_state & L2CAP_CONF_STATE2_DEVICE) &&
2742 rfc.mode != pi->mode)
2743 return -ECONNREFUSED;
2744
2745 pi->mode = rfc.mode;
2746 pi->fcs = 0;
2747
2748 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2749 sizeof(rfc), (unsigned long) &rfc);
2750 break;
2751 }
2752 }
2753
2754 if (*result == L2CAP_CONF_SUCCESS) {
2755 switch (rfc.mode) {
2756 case L2CAP_MODE_ERTM:
2757 pi->remote_tx_win = rfc.txwin_size;
10467e9e
GP		 2758 pi->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2759 pi->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
1c762159 2760 pi->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2761 break;
2762 case L2CAP_MODE_STREAMING:
1c762159 2763 pi->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2764 }
2765 }
2766
2767 req->dcid = cpu_to_le16(pi->dcid);
2768 req->flags = cpu_to_le16(0x0000);
2769
2770 return ptr - data;
2771}
2772
5dee9e7c 2773static int l2cap_build_conf_rsp(struct sock *sk, void *data, u16 result, u16 flags)
1da177e4
LT		 2774{
2775 struct l2cap_conf_rsp *rsp = data;
2776 void *ptr = rsp->data;
1da177e4 2777
5dee9e7c 2778 BT_DBG("sk %p", sk);
1da177e4 2779
aca3192c 2780 rsp->scid = cpu_to_le16(l2cap_pi(sk)->dcid);
5dee9e7c 2781 rsp->result = cpu_to_le16(result);
aca3192c 2782 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 2783
2784 return ptr - data;
2785}
2786
7b1c0049
GP		 2787static void l2cap_conf_rfc_get(struct sock *sk, void *rsp, int len)
2788{
2789 struct l2cap_pinfo *pi = l2cap_pi(sk);
2790 int type, olen;
2791 unsigned long val;
2792 struct l2cap_conf_rfc rfc;
2793
2794 BT_DBG("sk %p, rsp %p, len %d", sk, rsp, len);
2795
2796 if ((pi->mode != L2CAP_MODE_ERTM) && (pi->mode != L2CAP_MODE_STREAMING))
2797 return;
2798
2799 while (len >= L2CAP_CONF_OPT_SIZE) {
2800 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2801
2802 switch (type) {
2803 case L2CAP_CONF_RFC:
2804 if (olen == sizeof(rfc))
2805 memcpy(&rfc, (void *)val, olen);
2806 goto done;
2807 }
2808 }
2809
2810done:
2811 switch (rfc.mode) {
2812 case L2CAP_MODE_ERTM:
2813 pi->remote_tx_win = rfc.txwin_size;
10467e9e
GP		 2814 pi->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2815 pi->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
7b1c0049
GP		 2816 pi->mps = le16_to_cpu(rfc.max_pdu_size);
2817 break;
2818 case L2CAP_MODE_STREAMING:
2819 pi->mps = le16_to_cpu(rfc.max_pdu_size);
2820 }
2821}
2822
4e8402a3
MH		 2823static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2824{
2825 struct l2cap_cmd_rej *rej = (struct l2cap_cmd_rej *) data;
2826
2827 if (rej->reason != 0x0000)
2828 return 0;
2829
2830 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2831 cmd->ident == conn->info_ident) {
4e8402a3 2832 del_timer(&conn->info_timer);
984947dc
MH		 2833
2834 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2835 conn->info_ident = 0;
984947dc 2836
4e8402a3
MH		 2837 l2cap_conn_start(conn);
2838 }
2839
2840 return 0;
2841}
2842
1da177e4
LT		 2843static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2844{
2845 struct l2cap_chan_list *list = &conn->chan_list;
2846 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
2847 struct l2cap_conn_rsp rsp;
2848 struct sock *sk, *parent;
e7c29cb1 2849 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2850
2851 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 2852 __le16 psm = req->psm;
1da177e4
LT		 2853
2854 BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
2855
2856 /* Check if we have socket listening on psm */
2857 parent = l2cap_get_sock_by_psm(BT_LISTEN, psm, conn->src);
2858 if (!parent) {
2859 result = L2CAP_CR_BAD_PSM;
2860 goto sendresp;
2861 }
2862
e7c29cb1
MH		 2863 /* Check if the ACL is secure enough (if not SDP) */
2864 if (psm != cpu_to_le16(0x0001) &&
2865 !hci_conn_check_link_mode(conn->hcon)) {
2950f21a 2866 conn->disc_reason = 0x05;
e7c29cb1
MH		 2867 result = L2CAP_CR_SEC_BLOCK;
2868 goto response;
2869 }
2870
1da177e4
LT		 2871 result = L2CAP_CR_NO_MEM;
2872
2873 /* Check for backlog size */
2874 if (sk_acceptq_is_full(parent)) {
8e87d142 2875 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1da177e4
LT		 2876 goto response;
2877 }
2878
3b1e0a65 2879 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP, GFP_ATOMIC);
1da177e4
LT		 2880 if (!sk)
2881 goto response;
2882
fd1278d7 2883 write_lock_bh(&list->lock);
1da177e4
LT		 2884
2885 /* Check if we already have channel with that dcid */
2886 if (__l2cap_get_chan_by_dcid(list, scid)) {
fd1278d7 2887 write_unlock_bh(&list->lock);
1da177e4
LT		 2888 sock_set_flag(sk, SOCK_ZAPPED);
2889 l2cap_sock_kill(sk);
2890 goto response;
2891 }
2892
2893 hci_conn_hold(conn->hcon);
2894
2895 l2cap_sock_init(sk, parent);
2896 bacpy(&bt_sk(sk)->src, conn->src);
2897 bacpy(&bt_sk(sk)->dst, conn->dst);
2898 l2cap_pi(sk)->psm = psm;
2899 l2cap_pi(sk)->dcid = scid;
2900
2901 __l2cap_chan_add(conn, sk, parent);
2902 dcid = l2cap_pi(sk)->scid;
2903
2904 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
2905
1da177e4
LT		 2906 l2cap_pi(sk)->ident = cmd->ident;
2907
984947dc 2908 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
2af6b9d5 2909 if (l2cap_check_security(sk)) {
f66dc81f
MH		 2910 if (bt_sk(sk)->defer_setup) {
2911 sk->sk_state = BT_CONNECT2;
2912 result = L2CAP_CR_PEND;
2913 status = L2CAP_CS_AUTHOR_PEND;
2914 parent->sk_data_ready(parent, 0);
2915 } else {
2916 sk->sk_state = BT_CONFIG;
2917 result = L2CAP_CR_SUCCESS;
2918 status = L2CAP_CS_NO_INFO;
2919 }
79d554a6
MH		 2920 } else {
2921 sk->sk_state = BT_CONNECT2;
2922 result = L2CAP_CR_PEND;
2923 status = L2CAP_CS_AUTHEN_PEND;
2924 }
2925 } else {
2926 sk->sk_state = BT_CONNECT2;
2927 result = L2CAP_CR_PEND;
2928 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2929 }
2930
fd1278d7 2931 write_unlock_bh(&list->lock);
1da177e4
LT		 2932
2933response:
2934 bh_unlock_sock(parent);
2935
2936sendresp:
aca3192c
YH		 2937 rsp.scid = cpu_to_le16(scid);
2938 rsp.dcid = cpu_to_le16(dcid);
2939 rsp.result = cpu_to_le16(result);
2940 rsp.status = cpu_to_le16(status);
1da177e4 2941 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 2942
2943 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
2944 struct l2cap_info_req info;
2945 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2946
2947 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
2948 conn->info_ident = l2cap_get_ident(conn);
2949
2950 mod_timer(&conn->info_timer, jiffies +
2951 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
2952
2953 l2cap_send_cmd(conn, conn->info_ident,
2954 L2CAP_INFO_REQ, sizeof(info), &info);
2955 }
2956
1da177e4
LT		 2957 return 0;
2958}
2959
2960static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2961{
2962 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
2963 u16 scid, dcid, result, status;
2964 struct sock *sk;
2965 u8 req[128];
2966
2967 scid = __le16_to_cpu(rsp->scid);
2968 dcid = __le16_to_cpu(rsp->dcid);
2969 result = __le16_to_cpu(rsp->result);
2970 status = __le16_to_cpu(rsp->status);
2971
2972 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status);
2973
2974 if (scid) {
af05b30b
GP		 2975 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
2976 if (!sk)
1da177e4
LT		 2977 return 0;
2978 } else {
af05b30b
GP		 2979 sk = l2cap_get_chan_by_ident(&conn->chan_list, cmd->ident);
2980 if (!sk)
1da177e4
LT		 2981 return 0;
2982 }
2983
2984 switch (result) {
2985 case L2CAP_CR_SUCCESS:
2986 sk->sk_state = BT_CONFIG;
2987 l2cap_pi(sk)->ident = 0;
2988 l2cap_pi(sk)->dcid = dcid;
2989 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
6a8d3010
MH		 2990 l2cap_pi(sk)->conf_state &= ~L2CAP_CONF_CONNECT_PEND;
2991
1da177e4
LT		 2992 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2993 l2cap_build_conf_req(sk, req), req);
f2fcfcd6 2994 l2cap_pi(sk)->num_conf_req++;
1da177e4
LT		 2995 break;
2996
2997 case L2CAP_CR_PEND:
6a8d3010 2998 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
1da177e4
LT		 2999 break;
3000
3001 default:
3002 l2cap_chan_del(sk, ECONNREFUSED);
3003 break;
3004 }
3005
3006 bh_unlock_sock(sk);
3007 return 0;
3008}
3009
88219a0f 3010static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 3011{
3012 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
3013 u16 dcid, flags;
3014 u8 rsp[64];
3015 struct sock *sk;
5dee9e7c 3016 int len;
1da177e4
LT		 3017
3018 dcid = __le16_to_cpu(req->dcid);
3019 flags = __le16_to_cpu(req->flags);
3020
3021 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
3022
af05b30b
GP		 3023 sk = l2cap_get_chan_by_scid(&conn->chan_list, dcid);
3024 if (!sk)
1da177e4
LT		 3025 return -ENOENT;
3026
354f60a9
MH		 3027 if (sk->sk_state == BT_DISCONN)
3028 goto unlock;
3029
5dee9e7c 3030 /* Reject if config buffer is too small. */
88219a0f 3031 len = cmd_len - sizeof(*req);
5dee9e7c
MH		 3032 if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
3033 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3034 l2cap_build_conf_rsp(sk, rsp,
3035 L2CAP_CONF_REJECT, flags), rsp);
3036 goto unlock;
3037 }
3038
3039 /* Store config. */
3040 memcpy(l2cap_pi(sk)->conf_req + l2cap_pi(sk)->conf_len, req->data, len);
3041 l2cap_pi(sk)->conf_len += len;
1da177e4
LT		 3042
3043 if (flags & 0x0001) {
3044 /* Incomplete config. Send empty response. */
3045 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
5dee9e7c
MH		 3046 l2cap_build_conf_rsp(sk, rsp,
3047 L2CAP_CONF_SUCCESS, 0x0001), rsp);
1da177e4
LT		 3048 goto unlock;
3049 }
3050
3051 /* Complete config. */
5dee9e7c 3052 len = l2cap_parse_conf_req(sk, rsp);
f2fcfcd6 3053 if (len < 0) {
9b108fc0 3054 l2cap_send_disconn_req(conn, sk, ECONNRESET);
1da177e4 3055 goto unlock;
f2fcfcd6 3056 }
1da177e4 3057
5dee9e7c 3058 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
f2fcfcd6 3059 l2cap_pi(sk)->num_conf_rsp++;
5dee9e7c 3060
5dee9e7c
MH		 3061 /* Reset config buffer. */
3062 l2cap_pi(sk)->conf_len = 0;
3063
876d9484
MH		 3064 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE))
3065 goto unlock;
3066
1da177e4 3067 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_INPUT_DONE) {
f64f9e71
JP		 3068 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_NO_FCS_RECV) ||
3069 l2cap_pi(sk)->fcs != L2CAP_FCS_NONE)
fcc203c3
GP		 3070 l2cap_pi(sk)->fcs = L2CAP_FCS_CRC16;
3071
1da177e4 3072 sk->sk_state = BT_CONNECTED;
e90bac06 3073
0565c1c2
GP		 3074 l2cap_pi(sk)->next_tx_seq = 0;
3075 l2cap_pi(sk)->expected_tx_seq = 0;
1c2acffb 3076 __skb_queue_head_init(TX_QUEUE(sk));
0565c1c2
GP		 3077 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM)
3078 l2cap_ertm_init(sk);
3079
1da177e4 3080 l2cap_chan_ready(sk);
876d9484
MH		 3081 goto unlock;
3082 }
3083
3084 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT)) {
79d554a6 3085 u8 buf[64];
1da177e4 3086 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
79d554a6 3087 l2cap_build_conf_req(sk, buf), buf);
f2fcfcd6 3088 l2cap_pi(sk)->num_conf_req++;
1da177e4
LT		 3089 }
3090
3091unlock:
3092 bh_unlock_sock(sk);
3093 return 0;
3094}
3095
3096static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3097{
3098 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
3099 u16 scid, flags, result;
3100 struct sock *sk;
7b1c0049 3101 int len = cmd->len - sizeof(*rsp);
1da177e4
LT		 3102
3103 scid = __le16_to_cpu(rsp->scid);
3104 flags = __le16_to_cpu(rsp->flags);
3105 result = __le16_to_cpu(rsp->result);
3106
af05b30b
GP		 3107 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x",
3108 scid, flags, result);
1da177e4 3109
af05b30b
GP		 3110 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
3111 if (!sk)
1da177e4
LT		 3112 return 0;
3113
3114 switch (result) {
3115 case L2CAP_CONF_SUCCESS:
7b1c0049 3116 l2cap_conf_rfc_get(sk, rsp->data, len);
1da177e4
LT		 3117 break;
3118
3119 case L2CAP_CONF_UNACCEPT:
f2fcfcd6 3120 if (l2cap_pi(sk)->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 3121 char req[64];
3122
c2c77ec8 3123 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
9b108fc0 3124 l2cap_send_disconn_req(conn, sk, ECONNRESET);
c2c77ec8
AE		 3125 goto done;
3126 }
3127
f2fcfcd6
GP		 3128 /* throw out any old stored conf requests */
3129 result = L2CAP_CONF_SUCCESS;
3130 len = l2cap_parse_conf_rsp(sk, rsp->data,
3131 len, req, &result);
3132 if (len < 0) {
9b108fc0 3133 l2cap_send_disconn_req(conn, sk, ECONNRESET);
f2fcfcd6
GP		 3134 goto done;
3135 }
3136
3137 l2cap_send_cmd(conn, l2cap_get_ident(conn),
3138 L2CAP_CONF_REQ, len, req);
3139 l2cap_pi(sk)->num_conf_req++;
3140 if (result != L2CAP_CONF_SUCCESS)
3141 goto done;
3142 break;
1da177e4
LT		 3143 }
3144
8e87d142 3145 default:
b1235d79 3146 sk->sk_err = ECONNRESET;
1da177e4 3147 l2cap_sock_set_timer(sk, HZ * 5);
9b108fc0 3148 l2cap_send_disconn_req(conn, sk, ECONNRESET);
1da177e4
LT		 3149 goto done;
3150 }
3151
3152 if (flags & 0x01)
3153 goto done;
3154
1da177e4
LT		 3155 l2cap_pi(sk)->conf_state |= L2CAP_CONF_INPUT_DONE;
3156
3157 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE) {
f64f9e71
JP		 3158 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_NO_FCS_RECV) ||
3159 l2cap_pi(sk)->fcs != L2CAP_FCS_NONE)
fcc203c3
GP		 3160 l2cap_pi(sk)->fcs = L2CAP_FCS_CRC16;
3161
1da177e4 3162 sk->sk_state = BT_CONNECTED;
0565c1c2 3163 l2cap_pi(sk)->next_tx_seq = 0;
1c2acffb 3164 l2cap_pi(sk)->expected_tx_seq = 0;
1c2acffb 3165 __skb_queue_head_init(TX_QUEUE(sk));
0565c1c2
GP		 3166 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM)
3167 l2cap_ertm_init(sk);
3168
1da177e4
LT		 3169 l2cap_chan_ready(sk);
3170 }
3171
3172done:
3173 bh_unlock_sock(sk);
3174 return 0;
3175}
3176
3177static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3178{
3179 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
3180 struct l2cap_disconn_rsp rsp;
3181 u16 dcid, scid;
3182 struct sock *sk;
3183
3184 scid = __le16_to_cpu(req->scid);
3185 dcid = __le16_to_cpu(req->dcid);
3186
3187 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
3188
af05b30b
GP		 3189 sk = l2cap_get_chan_by_scid(&conn->chan_list, dcid);
3190 if (!sk)
1da177e4
LT		 3191 return 0;
3192
aca3192c
YH		 3193 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
3194 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
1da177e4
LT		 3195 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
3196
3197 sk->sk_shutdown = SHUTDOWN_MASK;
3198
3199 l2cap_chan_del(sk, ECONNRESET);
3200 bh_unlock_sock(sk);
3201
3202 l2cap_sock_kill(sk);
3203 return 0;
3204}
3205
3206static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3207{
3208 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
3209 u16 dcid, scid;
3210 struct sock *sk;
3211
3212 scid = __le16_to_cpu(rsp->scid);
3213 dcid = __le16_to_cpu(rsp->dcid);
3214
3215 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
3216
af05b30b
GP		 3217 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
3218 if (!sk)
1da177e4
LT		 3219 return 0;
3220
3221 l2cap_chan_del(sk, 0);
3222 bh_unlock_sock(sk);
3223
3224 l2cap_sock_kill(sk);
3225 return 0;
3226}
3227
3228static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3229{
3230 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 3231 u16 type;
3232
3233 type = __le16_to_cpu(req->type);
3234
3235 BT_DBG("type 0x%4.4x", type);
3236
f0709e03
MH		 3237 if (type == L2CAP_IT_FEAT_MASK) {
3238 u8 buf[8];
44dd46de 3239 u32 feat_mask = l2cap_feat_mask;
f0709e03
MH		 3240 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
3241 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3242 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
44dd46de 3243 if (enable_ertm)
fcc203c3
GP		 3244 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
3245 | L2CAP_FEAT_FCS;
1b7bf4ed 3246 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 3247 l2cap_send_cmd(conn, cmd->ident,
3248 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 3249 } else if (type == L2CAP_IT_FIXED_CHAN) {
3250 u8 buf[12];
3251 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
3252 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3253 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
3254 memcpy(buf + 4, l2cap_fixed_chan, 8);
3255 l2cap_send_cmd(conn, cmd->ident,
3256 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 3257 } else {
3258 struct l2cap_info_rsp rsp;
3259 rsp.type = cpu_to_le16(type);
3260 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
3261 l2cap_send_cmd(conn, cmd->ident,
3262 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
3263 }
1da177e4
LT		 3264
3265 return 0;
3266}
3267
3268static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3269{
3270 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
3271 u16 type, result;
3272
3273 type = __le16_to_cpu(rsp->type);
3274 result = __le16_to_cpu(rsp->result);
3275
3276 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
3277
4e8402a3
MH		 3278 del_timer(&conn->info_timer);
3279
984947dc 3280 if (type == L2CAP_IT_FEAT_MASK) {
83985319 3281 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 3282
47ec1dcd 3283 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c
MH		 3284 struct l2cap_info_req req;
3285 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3286
3287 conn->info_ident = l2cap_get_ident(conn);
3288
3289 l2cap_send_cmd(conn, conn->info_ident,
3290 L2CAP_INFO_REQ, sizeof(req), &req);
3291 } else {
3292 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3293 conn->info_ident = 0;
3294
3295 l2cap_conn_start(conn);
3296 }
3297 } else if (type == L2CAP_IT_FIXED_CHAN) {
984947dc 3298 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3299 conn->info_ident = 0;
984947dc
MH		 3300
3301 l2cap_conn_start(conn);
3302 }
4e8402a3 3303
1da177e4
LT		 3304 return 0;
3305}
3306
3307static inline void l2cap_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb)
3308{
3309 u8 *data = skb->data;
3310 int len = skb->len;
3311 struct l2cap_cmd_hdr cmd;
3312 int err = 0;
3313
3314 l2cap_raw_recv(conn, skb);
3315
3316 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 3317 u16 cmd_len;
1da177e4
LT		 3318 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
3319 data += L2CAP_CMD_HDR_SIZE;
3320 len -= L2CAP_CMD_HDR_SIZE;
3321
88219a0f 3322 cmd_len = le16_to_cpu(cmd.len);
1da177e4 3323
88219a0f 3324 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 3325
88219a0f 3326 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 3327 BT_DBG("corrupted command");
3328 break;
3329 }
3330
3331 switch (cmd.code) {
3332 case L2CAP_COMMAND_REJ:
4e8402a3 3333 l2cap_command_rej(conn, &cmd, data);
1da177e4
LT		 3334 break;
3335
3336 case L2CAP_CONN_REQ:
3337 err = l2cap_connect_req(conn, &cmd, data);
3338 break;
3339
3340 case L2CAP_CONN_RSP:
3341 err = l2cap_connect_rsp(conn, &cmd, data);
3342 break;
3343
3344 case L2CAP_CONF_REQ:
88219a0f 3345 err = l2cap_config_req(conn, &cmd, cmd_len, data);
1da177e4
LT		 3346 break;
3347
3348 case L2CAP_CONF_RSP:
3349 err = l2cap_config_rsp(conn, &cmd, data);
3350 break;
3351
3352 case L2CAP_DISCONN_REQ:
3353 err = l2cap_disconnect_req(conn, &cmd, data);
3354 break;
3355
3356 case L2CAP_DISCONN_RSP:
3357 err = l2cap_disconnect_rsp(conn, &cmd, data);
3358 break;
3359
3360 case L2CAP_ECHO_REQ:
88219a0f 3361 l2cap_send_cmd(conn, cmd.ident, L2CAP_ECHO_RSP, cmd_len, data);
1da177e4
LT		 3362 break;
3363
3364 case L2CAP_ECHO_RSP:
3365 break;
3366
3367 case L2CAP_INFO_REQ:
3368 err = l2cap_information_req(conn, &cmd, data);
3369 break;
3370
3371 case L2CAP_INFO_RSP:
3372 err = l2cap_information_rsp(conn, &cmd, data);
3373 break;
3374
3375 default:
3376 BT_ERR("Unknown signaling command 0x%2.2x", cmd.code);
3377 err = -EINVAL;
3378 break;
3379 }
3380
3381 if (err) {
3382 struct l2cap_cmd_rej rej;
3383 BT_DBG("error %d", err);
3384
3385 /* FIXME: Map err to a valid reason */
aca3192c 3386 rej.reason = cpu_to_le16(0);
1da177e4
LT		 3387 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3388 }
3389
88219a0f
AV		 3390 data += cmd_len;
3391 len -= cmd_len;
1da177e4
LT		 3392 }
3393
3394 kfree_skb(skb);
3395}
3396
fcc203c3
GP		 3397static int l2cap_check_fcs(struct l2cap_pinfo *pi, struct sk_buff *skb)
3398{
3399 u16 our_fcs, rcv_fcs;
3400 int hdr_size = L2CAP_HDR_SIZE + 2;
3401
3402 if (pi->fcs == L2CAP_FCS_CRC16) {
3403 skb_trim(skb, skb->len - 2);
3404 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
3405 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
3406
3407 if (our_fcs != rcv_fcs)
3408 return -EINVAL;
3409 }
3410 return 0;
3411}
3412
d5392c8f
GP		 3413static inline void l2cap_send_i_or_rr_or_rnr(struct sock *sk)
3414{
3415 struct l2cap_pinfo *pi = l2cap_pi(sk);
3416 u16 control = 0;
3417
3418 pi->frames_sent = 0;
d5392c8f
GP		 3419
3420 control |= pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3421
3422 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) {
64988868 3423 control |= L2CAP_SUPER_RCV_NOT_READY;
d5392c8f 3424 l2cap_send_sframe(pi, control);
1890d36b 3425 pi->conn_state |= L2CAP_CONN_RNR_SENT;
d5392c8f
GP		 3426 }
3427
4ea727ef
GP		 3428 if (pi->conn_state & L2CAP_CONN_REMOTE_BUSY)
3429 l2cap_retransmit_frames(sk);
d5392c8f 3430
dfc909be 3431 spin_lock_bh(&pi->send_lock);
d5392c8f 3432 l2cap_ertm_send(sk);
dfc909be 3433 spin_unlock_bh(&pi->send_lock);
d5392c8f
GP		 3434
3435 if (!(pi->conn_state & L2CAP_CONN_LOCAL_BUSY) &&
3436 pi->frames_sent == 0) {
3437 control |= L2CAP_SUPER_RCV_READY;
d5392c8f
GP		 3438 l2cap_send_sframe(pi, control);
3439 }
3440}
3441
9b53350d 3442static int l2cap_add_to_srej_queue(struct sock *sk, struct sk_buff *skb, u8 tx_seq, u8 sar)
8f17154f
GP		 3443{
3444 struct sk_buff *next_skb;
bfbacc11
JPRV		 3445 struct l2cap_pinfo *pi = l2cap_pi(sk);
3446 int tx_seq_offset, next_tx_seq_offset;
8f17154f
GP		 3447
3448 bt_cb(skb)->tx_seq = tx_seq;
3449 bt_cb(skb)->sar = sar;
3450
3451 next_skb = skb_peek(SREJ_QUEUE(sk));
3452 if (!next_skb) {
3453 __skb_queue_tail(SREJ_QUEUE(sk), skb);
9b53350d 3454 return 0;
8f17154f
GP		 3455 }
3456
bfbacc11
JPRV		 3457 tx_seq_offset = (tx_seq - pi->buffer_seq) % 64;
3458 if (tx_seq_offset < 0)
3459 tx_seq_offset += 64;
3460
8f17154f 3461 do {
9b53350d
JPRV		 3462 if (bt_cb(next_skb)->tx_seq == tx_seq)
3463 return -EINVAL;
3464
bfbacc11
JPRV		 3465 next_tx_seq_offset = (bt_cb(next_skb)->tx_seq -
3466 pi->buffer_seq) % 64;
3467 if (next_tx_seq_offset < 0)
3468 next_tx_seq_offset += 64;
3469
3470 if (next_tx_seq_offset > tx_seq_offset) {
8f17154f 3471 __skb_queue_before(SREJ_QUEUE(sk), next_skb, skb);
9b53350d 3472 return 0;
8f17154f
GP		 3473 }
3474
3475 if (skb_queue_is_last(SREJ_QUEUE(sk), next_skb))
3476 break;
3477
59203a21 3478 } while ((next_skb = skb_queue_next(SREJ_QUEUE(sk), next_skb)));
8f17154f
GP		 3479
3480 __skb_queue_tail(SREJ_QUEUE(sk), skb);
9b53350d
JPRV		 3481
3482 return 0;
8f17154f
GP		 3483}
3484
18778a63
GP		 3485static int l2cap_ertm_reassembly_sdu(struct sock *sk, struct sk_buff *skb, u16 control)
3486{
3487 struct l2cap_pinfo *pi = l2cap_pi(sk);
3488 struct sk_buff *_skb;
1890d36b 3489 int err;
18778a63
GP		 3490
3491 switch (control & L2CAP_CTRL_SAR) {
3492 case L2CAP_SDU_UNSEGMENTED:
3493 if (pi->conn_state & L2CAP_CONN_SAR_SDU)
3494 goto drop;
3495
3496 err = sock_queue_rcv_skb(sk, skb);
3497 if (!err)
3498 return err;
3499
3500 break;
3501
3502 case L2CAP_SDU_START:
3503 if (pi->conn_state & L2CAP_CONN_SAR_SDU)
3504 goto drop;
3505
3506 pi->sdu_len = get_unaligned_le16(skb->data);
18778a63
GP		 3507
3508 if (pi->sdu_len > pi->imtu)
3509 goto disconnect;
3510
3511 pi->sdu = bt_skb_alloc(pi->sdu_len, GFP_ATOMIC);
1890d36b
GP		 3512 if (!pi->sdu)
3513 return -ENOMEM;
3514
3515 /* pull sdu_len bytes only after alloc, because of Local Busy
3516 * condition we have to be sure that this will be executed
3517 * only once, i.e., when alloc does not fail */
3518 skb_pull(skb, 2);
18778a63
GP		 3519
3520 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3521
3522 pi->conn_state |= L2CAP_CONN_SAR_SDU;
3523 pi->partial_sdu_len = skb->len;
3524 break;
3525
3526 case L2CAP_SDU_CONTINUE:
3527 if (!(pi->conn_state & L2CAP_CONN_SAR_SDU))
3528 goto disconnect;
3529
3530 if (!pi->sdu)
3531 goto disconnect;
3532
18778a63
GP		 3533 pi->partial_sdu_len += skb->len;
3534 if (pi->partial_sdu_len > pi->sdu_len)
3535 goto drop;
3536
4178ba46
GP		 3537 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3538
18778a63
GP		 3539 break;
3540
3541 case L2CAP_SDU_END:
3542 if (!(pi->conn_state & L2CAP_CONN_SAR_SDU))
3543 goto disconnect;
3544
3545 if (!pi->sdu)
3546 goto disconnect;
3547
1890d36b 3548 if (!(pi->conn_state & L2CAP_CONN_SAR_RETRY)) {
1890d36b 3549 pi->partial_sdu_len += skb->len;
18778a63 3550
1890d36b
GP		 3551 if (pi->partial_sdu_len > pi->imtu)
3552 goto drop;
18778a63 3553
1890d36b
GP		 3554 if (pi->partial_sdu_len != pi->sdu_len)
3555 goto drop;
4178ba46
GP		 3556
3557 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
1890d36b 3558 }
18778a63
GP		 3559
3560 _skb = skb_clone(pi->sdu, GFP_ATOMIC);
1890d36b
GP		 3561 if (!_skb) {
3562 pi->conn_state |= L2CAP_CONN_SAR_RETRY;
3563 return -ENOMEM;
3564 }
3565
18778a63 3566 err = sock_queue_rcv_skb(sk, _skb);
1890d36b 3567 if (err < 0) {
18778a63 3568 kfree_skb(_skb);
1890d36b
GP		 3569 pi->conn_state |= L2CAP_CONN_SAR_RETRY;
3570 return err;
3571 }
3572
3573 pi->conn_state &= ~L2CAP_CONN_SAR_RETRY;
3574 pi->conn_state &= ~L2CAP_CONN_SAR_SDU;
18778a63
GP		 3575
3576 kfree_skb(pi->sdu);
3577 break;
3578 }
3579
3580 kfree_skb(skb);
1890d36b 3581 return 0;
18778a63
GP		 3582
3583drop:
3584 kfree_skb(pi->sdu);
3585 pi->sdu = NULL;
3586
3587disconnect:
9b108fc0 3588 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
18778a63
GP		 3589 kfree_skb(skb);
3590 return 0;
3591}
3592
1890d36b
GP		 3593static void l2cap_busy_work(struct work_struct *work)
3594{
3595 DECLARE_WAITQUEUE(wait, current);
3596 struct l2cap_pinfo *pi =
3597 container_of(work, struct l2cap_pinfo, busy_work);
3598 struct sock *sk = (struct sock *)pi;
3599 int n_tries = 0, timeo = HZ/5, err;
3600 struct sk_buff *skb;
3601 u16 control;
3602
3603 lock_sock(sk);
3604
2b0b05dd 3605 add_wait_queue(sk_sleep(sk), &wait);
1890d36b
GP		 3606 while ((skb = skb_peek(BUSY_QUEUE(sk)))) {
3607 set_current_state(TASK_INTERRUPTIBLE);
3608
3609 if (n_tries++ > L2CAP_LOCAL_BUSY_TRIES) {
3610 err = -EBUSY;
9b108fc0 3611 l2cap_send_disconn_req(pi->conn, sk, EBUSY);
1890d36b
GP		 3612 goto done;
3613 }
3614
3615 if (!timeo)
3616 timeo = HZ/5;
3617
3618 if (signal_pending(current)) {
3619 err = sock_intr_errno(timeo);
3620 goto done;
3621 }
3622
3623 release_sock(sk);
3624 timeo = schedule_timeout(timeo);
3625 lock_sock(sk);
3626
3627 err = sock_error(sk);
3628 if (err)
3629 goto done;
3630
3631 while ((skb = skb_dequeue(BUSY_QUEUE(sk)))) {
3632 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
3633 err = l2cap_ertm_reassembly_sdu(sk, skb, control);
3634 if (err < 0) {
3635 skb_queue_head(BUSY_QUEUE(sk), skb);
3636 break;
3637 }
3638
3639 pi->buffer_seq = (pi->buffer_seq + 1) % 64;
3640 }
3641
3642 if (!skb)
3643 break;
3644 }
3645
3646 if (!(pi->conn_state & L2CAP_CONN_RNR_SENT))
3647 goto done;
3648
3649 control = pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3650 control |= L2CAP_SUPER_RCV_READY | L2CAP_CTRL_POLL;
3651 l2cap_send_sframe(pi, control);
3652 l2cap_pi(sk)->retry_count = 1;
3653
3654 del_timer(&pi->retrans_timer);
3655 __mod_monitor_timer();
3656
3657 l2cap_pi(sk)->conn_state |= L2CAP_CONN_WAIT_F;
3658
3659done:
3660 pi->conn_state &= ~L2CAP_CONN_LOCAL_BUSY;
3661 pi->conn_state &= ~L2CAP_CONN_RNR_SENT;
3662
0e98958d
GP		 3663 BT_DBG("sk %p, Exit local busy", sk);
3664
1890d36b 3665 set_current_state(TASK_RUNNING);
2b0b05dd 3666 remove_wait_queue(sk_sleep(sk), &wait);
1890d36b
GP		 3667
3668 release_sock(sk);
3669}
3670
3671static int l2cap_push_rx_skb(struct sock *sk, struct sk_buff *skb, u16 control)
3672{
3673 struct l2cap_pinfo *pi = l2cap_pi(sk);
3674 int sctrl, err;
3675
3676 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) {
3677 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
3678 __skb_queue_tail(BUSY_QUEUE(sk), skb);
3679 return -EBUSY;
3680 }
3681
3682 err = l2cap_ertm_reassembly_sdu(sk, skb, control);
3683 if (err >= 0) {
3684 pi->buffer_seq = (pi->buffer_seq + 1) % 64;
3685 return err;
3686 }
3687
3688 /* Busy Condition */
0e98958d
GP		 3689 BT_DBG("sk %p, Enter local busy", sk);
3690
1890d36b
GP		 3691 pi->conn_state |= L2CAP_CONN_LOCAL_BUSY;
3692 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
3693 __skb_queue_tail(BUSY_QUEUE(sk), skb);
3694
3695 sctrl = pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3696 sctrl |= L2CAP_SUPER_RCV_NOT_READY;
3697 l2cap_send_sframe(pi, sctrl);
3698
3699 pi->conn_state |= L2CAP_CONN_RNR_SENT;
3700
7fe9b298
GP		 3701 del_timer(&pi->ack_timer);
3702
1890d36b
GP		 3703 queue_work(_busy_wq, &pi->busy_work);
3704
3705 return err;
3706}
3707
18778a63 3708static int l2cap_streaming_reassembly_sdu(struct sock *sk, struct sk_buff *skb, u16 control)
c74e560c
GP		 3709{
3710 struct l2cap_pinfo *pi = l2cap_pi(sk);
3711 struct sk_buff *_skb;
3712 int err = -EINVAL;
3713
18778a63
GP		 3714 /*
3715 * TODO: We have to notify the userland if some data is lost with the
3716 * Streaming Mode.
3717 */
3718
c74e560c
GP		 3719 switch (control & L2CAP_CTRL_SAR) {
3720 case L2CAP_SDU_UNSEGMENTED:
3721 if (pi->conn_state & L2CAP_CONN_SAR_SDU) {
3722 kfree_skb(pi->sdu);
3723 break;
3724 }
3725
3726 err = sock_queue_rcv_skb(sk, skb);
3727 if (!err)
3728 return 0;
3729
3730 break;
3731
3732 case L2CAP_SDU_START:
3733 if (pi->conn_state & L2CAP_CONN_SAR_SDU) {
3734 kfree_skb(pi->sdu);
3735 break;
3736 }
3737
3738 pi->sdu_len = get_unaligned_le16(skb->data);
3739 skb_pull(skb, 2);
3740
052897ca
GP		 3741 if (pi->sdu_len > pi->imtu) {
3742 err = -EMSGSIZE;
3743 break;
3744 }
3745
c74e560c
GP		 3746 pi->sdu = bt_skb_alloc(pi->sdu_len, GFP_ATOMIC);
3747 if (!pi->sdu) {
3748 err = -ENOMEM;
3749 break;
3750 }
3751
3752 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3753
3754 pi->conn_state |= L2CAP_CONN_SAR_SDU;
3755 pi->partial_sdu_len = skb->len;
3756 err = 0;
3757 break;
3758
3759 case L2CAP_SDU_CONTINUE:
3760 if (!(pi->conn_state & L2CAP_CONN_SAR_SDU))
3761 break;
3762
3763 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3764
3765 pi->partial_sdu_len += skb->len;
3766 if (pi->partial_sdu_len > pi->sdu_len)
3767 kfree_skb(pi->sdu);
3768 else
3769 err = 0;
3770
3771 break;
3772
3773 case L2CAP_SDU_END:
3774 if (!(pi->conn_state & L2CAP_CONN_SAR_SDU))
3775 break;
3776
3777 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3778
3779 pi->conn_state &= ~L2CAP_CONN_SAR_SDU;
3780 pi->partial_sdu_len += skb->len;
3781
36f2fd58
GP		 3782 if (pi->partial_sdu_len > pi->imtu)
3783 goto drop;
3784
c74e560c
GP		 3785 if (pi->partial_sdu_len == pi->sdu_len) {
3786 _skb = skb_clone(pi->sdu, GFP_ATOMIC);
3787 err = sock_queue_rcv_skb(sk, _skb);
3788 if (err < 0)
3789 kfree_skb(_skb);
3790 }
c74e560c
GP		 3791 err = 0;
3792
36f2fd58
GP		 3793drop:
3794 kfree_skb(pi->sdu);
c74e560c
GP		 3795 break;
3796 }
3797
3798 kfree_skb(skb);
3799 return err;
3800}
3801
8f17154f
GP		 3802static void l2cap_check_srej_gap(struct sock *sk, u8 tx_seq)
3803{
3804 struct sk_buff *skb;
afefdbc4 3805 u16 control;
8f17154f 3806
59203a21 3807 while ((skb = skb_peek(SREJ_QUEUE(sk)))) {
8f17154f
GP		 3808 if (bt_cb(skb)->tx_seq != tx_seq)
3809 break;
3810
3811 skb = skb_dequeue(SREJ_QUEUE(sk));
afefdbc4 3812 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
18778a63 3813 l2cap_ertm_reassembly_sdu(sk, skb, control);
8f17154f
GP		 3814 l2cap_pi(sk)->buffer_seq_srej =
3815 (l2cap_pi(sk)->buffer_seq_srej + 1) % 64;
8ff50ec0 3816 tx_seq = (tx_seq + 1) % 64;
8f17154f
GP		 3817 }
3818}
3819
3820static void l2cap_resend_srejframe(struct sock *sk, u8 tx_seq)
3821{
3822 struct l2cap_pinfo *pi = l2cap_pi(sk);
3823 struct srej_list *l, *tmp;
3824 u16 control;
3825
59203a21 3826 list_for_each_entry_safe(l, tmp, SREJ_LIST(sk), list) {
8f17154f
GP		 3827 if (l->tx_seq == tx_seq) {
3828 list_del(&l->list);
3829 kfree(l);
3830 return;
3831 }
3832 control = L2CAP_SUPER_SELECT_REJECT;
3833 control |= l->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3834 l2cap_send_sframe(pi, control);
3835 list_del(&l->list);
3836 list_add_tail(&l->list, SREJ_LIST(sk));
3837 }
3838}
3839
3840static void l2cap_send_srejframe(struct sock *sk, u8 tx_seq)
3841{
3842 struct l2cap_pinfo *pi = l2cap_pi(sk);
3843 struct srej_list *new;
3844 u16 control;
3845
3846 while (tx_seq != pi->expected_tx_seq) {
3847 control = L2CAP_SUPER_SELECT_REJECT;
3848 control |= pi->expected_tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3849 l2cap_send_sframe(pi, control);
3850
3851 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
8ff50ec0
GP		 3852 new->tx_seq = pi->expected_tx_seq;
3853 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
8f17154f
GP		 3854 list_add_tail(&new->list, SREJ_LIST(sk));
3855 }
8ff50ec0 3856 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
8f17154f
GP		 3857}
3858
1c2acffb
GP		 3859static inline int l2cap_data_channel_iframe(struct sock *sk, u16 rx_control, struct sk_buff *skb)
3860{
3861 struct l2cap_pinfo *pi = l2cap_pi(sk);
3862 u8 tx_seq = __get_txseq(rx_control);
9f121a5a 3863 u8 req_seq = __get_reqseq(rx_control);
8f17154f 3864 u8 sar = rx_control >> L2CAP_CTRL_SAR_SHIFT;
f6337c77 3865 int tx_seq_offset, expected_tx_seq_offset;
803020c6 3866 int num_to_ack = (pi->tx_win/6) + 1;
1c2acffb
GP		 3867 int err = 0;
3868
0e98958d
GP		 3869 BT_DBG("sk %p len %d tx_seq %d rx_control 0x%4.4x", sk, skb->len, tx_seq,
3870 rx_control);
1c2acffb 3871
9b16dc65
GP		 3872 if (L2CAP_CTRL_FINAL & rx_control &&
3873 l2cap_pi(sk)->conn_state & L2CAP_CONN_WAIT_F) {
1d8f5d16
GP		 3874 del_timer(&pi->monitor_timer);
3875 if (pi->unacked_frames > 0)
3876 __mod_retrans_timer();
3877 pi->conn_state &= ~L2CAP_CONN_WAIT_F;
3878 }
3879
9f121a5a
GP		 3880 pi->expected_ack_seq = req_seq;
3881 l2cap_drop_acked_frames(sk);
3882
8f17154f
GP		 3883 if (tx_seq == pi->expected_tx_seq)
3884 goto expected;
1c2acffb 3885
9b53350d
JPRV		 3886 tx_seq_offset = (tx_seq - pi->buffer_seq) % 64;
3887 if (tx_seq_offset < 0)
3888 tx_seq_offset += 64;
3889
3890 /* invalid tx_seq */
3891 if (tx_seq_offset >= pi->tx_win) {
9b108fc0 3892 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
9b53350d
JPRV		 3893 goto drop;
3894 }
3895
1890d36b
GP		 3896 if (pi->conn_state == L2CAP_CONN_LOCAL_BUSY)
3897 goto drop;
3898
8f17154f
GP		 3899 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
3900 struct srej_list *first;
30afb5b2 3901
8f17154f
GP		 3902 first = list_first_entry(SREJ_LIST(sk),
3903 struct srej_list, list);
3904 if (tx_seq == first->tx_seq) {
3905 l2cap_add_to_srej_queue(sk, skb, tx_seq, sar);
3906 l2cap_check_srej_gap(sk, tx_seq);
3907
3908 list_del(&first->list);
3909 kfree(first);
3910
3911 if (list_empty(SREJ_LIST(sk))) {
3912 pi->buffer_seq = pi->buffer_seq_srej;
3913 pi->conn_state &= ~L2CAP_CONN_SREJ_SENT;
855666cc 3914 l2cap_send_ack(pi);
0e98958d 3915 BT_DBG("sk %p, Exit SREJ_SENT", sk);
8f17154f
GP		 3916 }
3917 } else {
3918 struct srej_list *l;
9b53350d
JPRV		 3919
3920 /* duplicated tx_seq */
3921 if (l2cap_add_to_srej_queue(sk, skb, tx_seq, sar) < 0)
3922 goto drop;
8f17154f
GP		 3923
3924 list_for_each_entry(l, SREJ_LIST(sk), list) {
3925 if (l->tx_seq == tx_seq) {
3926 l2cap_resend_srejframe(sk, tx_seq);
3927 return 0;
3928 }
3929 }
3930 l2cap_send_srejframe(sk, tx_seq);
30afb5b2
GP		 3931 }
3932 } else {
9b53350d
JPRV		 3933 expected_tx_seq_offset =
3934 (pi->expected_tx_seq - pi->buffer_seq) % 64;
3935 if (expected_tx_seq_offset < 0)
3936 expected_tx_seq_offset += 64;
3937
3938 /* duplicated tx_seq */
3939 if (tx_seq_offset < expected_tx_seq_offset)
3940 goto drop;
3941
8f17154f 3942 pi->conn_state |= L2CAP_CONN_SREJ_SENT;
1c2acffb 3943
0e98958d
GP		 3944 BT_DBG("sk %p, Enter SREJ", sk);
3945
8f17154f
GP		 3946 INIT_LIST_HEAD(SREJ_LIST(sk));
3947 pi->buffer_seq_srej = pi->buffer_seq;
3948
3949 __skb_queue_head_init(SREJ_QUEUE(sk));
1890d36b 3950 __skb_queue_head_init(BUSY_QUEUE(sk));
8f17154f
GP		 3951 l2cap_add_to_srej_queue(sk, skb, tx_seq, sar);
3952
ef54fd93
GP		 3953 pi->conn_state |= L2CAP_CONN_SEND_PBIT;
3954
8f17154f 3955 l2cap_send_srejframe(sk, tx_seq);
7fe9b298
GP		 3956
3957 del_timer(&pi->ack_timer);
1c2acffb 3958 }
30afb5b2
GP		 3959 return 0;
3960
8f17154f
GP		 3961expected:
3962 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
3963
3964 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
3b1a9f3f
GP		 3965 bt_cb(skb)->tx_seq = tx_seq;
3966 bt_cb(skb)->sar = sar;
3967 __skb_queue_tail(SREJ_QUEUE(sk), skb);
8f17154f
GP		 3968 return 0;
3969 }
3970
2ece3684
GP		 3971 err = l2cap_push_rx_skb(sk, skb, rx_control);
3972 if (err < 0)
3973 return 0;
3974
4ec10d97
GP		 3975 if (rx_control & L2CAP_CTRL_FINAL) {
3976 if (pi->conn_state & L2CAP_CONN_REJ_ACT)
3977 pi->conn_state &= ~L2CAP_CONN_REJ_ACT;
dfc909be
GP		 3978 else
3979 l2cap_retransmit_frames(sk);
4ec10d97
GP		 3980 }
3981
c1b4f43b
GP		 3982 __mod_ack_timer();
3983
803020c6
GP		 3984 pi->num_acked = (pi->num_acked + 1) % num_to_ack;
3985 if (pi->num_acked == num_to_ack - 1)
9e917af1
GP		 3986 l2cap_send_ack(pi);
3987
8f17154f 3988 return 0;
9b53350d
JPRV		 3989
3990drop:
3991 kfree_skb(skb);
3992 return 0;
1c2acffb
GP		 3993}
3994
e072745f 3995static inline void l2cap_data_channel_rrframe(struct sock *sk, u16 rx_control)
1c2acffb
GP		 3996{
3997 struct l2cap_pinfo *pi = l2cap_pi(sk);
6e3a5981 3998
0e98958d
GP		 3999 BT_DBG("sk %p, req_seq %d ctrl 0x%4.4x", sk, __get_reqseq(rx_control),
4000 rx_control);
4001
6e3a5981
GP		 4002 pi->expected_ack_seq = __get_reqseq(rx_control);
4003 l2cap_drop_acked_frames(sk);
1c2acffb 4004
e072745f 4005 if (rx_control & L2CAP_CTRL_POLL) {
3cb123d1 4006 pi->conn_state |= L2CAP_CONN_SEND_FBIT;
05fbd89d
GP		 4007 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
4008 if ((pi->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
4009 (pi->unacked_frames > 0))
4010 __mod_retrans_timer();
4011
4012 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
4013 l2cap_send_srejtail(sk);
4014 } else {
4015 l2cap_send_i_or_rr_or_rnr(sk);
05fbd89d 4016 }
1d8f5d16 4017
e072745f
GP		 4018 } else if (rx_control & L2CAP_CTRL_FINAL) {
4019 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
4ec10d97 4020
e072745f
GP		 4021 if (pi->conn_state & L2CAP_CONN_REJ_ACT)
4022 pi->conn_state &= ~L2CAP_CONN_REJ_ACT;
dfc909be
GP		 4023 else
4024 l2cap_retransmit_frames(sk);
2246b2f1 4025
e072745f 4026 } else {
e072745f
GP		 4027 if ((pi->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
4028 (pi->unacked_frames > 0))
4029 __mod_retrans_timer();
1c2acffb 4030
2246b2f1 4031 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
dfc909be 4032 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
e072745f 4033 l2cap_send_ack(pi);
dfc909be
GP		 4034 } else {
4035 spin_lock_bh(&pi->send_lock);
e072745f 4036 l2cap_ertm_send(sk);
dfc909be
GP		 4037 spin_unlock_bh(&pi->send_lock);
4038 }
e072745f
GP		 4039 }
4040}
2246b2f1 4041
e072745f
GP		 4042static inline void l2cap_data_channel_rejframe(struct sock *sk, u16 rx_control)
4043{
4044 struct l2cap_pinfo *pi = l2cap_pi(sk);
4045 u8 tx_seq = __get_reqseq(rx_control);
30afb5b2 4046
0e98958d
GP		 4047 BT_DBG("sk %p, req_seq %d ctrl 0x%4.4x", sk, tx_seq, rx_control);
4048
e072745f
GP		 4049 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
4050
8abb52ee 4051 pi->expected_ack_seq = tx_seq;
e072745f
GP		 4052 l2cap_drop_acked_frames(sk);
4053
4054 if (rx_control & L2CAP_CTRL_FINAL) {
4055 if (pi->conn_state & L2CAP_CONN_REJ_ACT)
4056 pi->conn_state &= ~L2CAP_CONN_REJ_ACT;
dfc909be
GP		 4057 else
4058 l2cap_retransmit_frames(sk);
e072745f 4059 } else {
dfc909be 4060 l2cap_retransmit_frames(sk);
30afb5b2 4061
0301ef04 4062 if (pi->conn_state & L2CAP_CONN_WAIT_F)
e072745f 4063 pi->conn_state |= L2CAP_CONN_REJ_ACT;
e072745f
GP		 4064 }
4065}
4066static inline void l2cap_data_channel_srejframe(struct sock *sk, u16 rx_control)
4067{
4068 struct l2cap_pinfo *pi = l2cap_pi(sk);
4069 u8 tx_seq = __get_reqseq(rx_control);
30afb5b2 4070
0e98958d
GP		 4071 BT_DBG("sk %p, req_seq %d ctrl 0x%4.4x", sk, tx_seq, rx_control);
4072
e072745f 4073 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
2246b2f1 4074
e072745f
GP		 4075 if (rx_control & L2CAP_CTRL_POLL) {
4076 pi->expected_ack_seq = tx_seq;
4077 l2cap_drop_acked_frames(sk);
3cb123d1
GP		 4078
4079 pi->conn_state |= L2CAP_CONN_SEND_FBIT;
dfc909be
GP		 4080 l2cap_retransmit_one_frame(sk, tx_seq);
4081
4082 spin_lock_bh(&pi->send_lock);
e072745f 4083 l2cap_ertm_send(sk);
dfc909be
GP		 4084 spin_unlock_bh(&pi->send_lock);
4085
e072745f
GP		 4086 if (pi->conn_state & L2CAP_CONN_WAIT_F) {
4087 pi->srej_save_reqseq = tx_seq;
4088 pi->conn_state |= L2CAP_CONN_SREJ_ACT;
ef54fd93 4089 }
e072745f
GP		 4090 } else if (rx_control & L2CAP_CTRL_FINAL) {
4091 if ((pi->conn_state & L2CAP_CONN_SREJ_ACT) &&
4092 pi->srej_save_reqseq == tx_seq)
4093 pi->conn_state &= ~L2CAP_CONN_SREJ_ACT;
4094 else
dfc909be 4095 l2cap_retransmit_one_frame(sk, tx_seq);
e072745f 4096 } else {
dfc909be 4097 l2cap_retransmit_one_frame(sk, tx_seq);
e072745f
GP		 4098 if (pi->conn_state & L2CAP_CONN_WAIT_F) {
4099 pi->srej_save_reqseq = tx_seq;
4100 pi->conn_state |= L2CAP_CONN_SREJ_ACT;
ef54fd93 4101 }
e072745f
GP		 4102 }
4103}
4104
4105static inline void l2cap_data_channel_rnrframe(struct sock *sk, u16 rx_control)
4106{
4107 struct l2cap_pinfo *pi = l2cap_pi(sk);
4108 u8 tx_seq = __get_reqseq(rx_control);
4109
0e98958d
GP		 4110 BT_DBG("sk %p, req_seq %d ctrl 0x%4.4x", sk, tx_seq, rx_control);
4111
e072745f
GP		 4112 pi->conn_state |= L2CAP_CONN_REMOTE_BUSY;
4113 pi->expected_ack_seq = tx_seq;
4114 l2cap_drop_acked_frames(sk);
4115
3cb123d1
GP		 4116 if (rx_control & L2CAP_CTRL_POLL)
4117 pi->conn_state |= L2CAP_CONN_SEND_FBIT;
4118
99b0d4b7
GP		 4119 if (!(pi->conn_state & L2CAP_CONN_SREJ_SENT)) {
4120 del_timer(&pi->retrans_timer);
a2e12a2a
GP		 4121 if (rx_control & L2CAP_CTRL_POLL)
4122 l2cap_send_rr_or_rnr(pi, L2CAP_CTRL_FINAL);
99b0d4b7 4123 return;
e072745f 4124 }
99b0d4b7
GP		 4125
4126 if (rx_control & L2CAP_CTRL_POLL)
4127 l2cap_send_srejtail(sk);
4128 else
4129 l2cap_send_sframe(pi, L2CAP_SUPER_RCV_READY);
e072745f
GP		 4130}
4131
4132static inline int l2cap_data_channel_sframe(struct sock *sk, u16 rx_control, struct sk_buff *skb)
4133{
4134 BT_DBG("sk %p rx_control 0x%4.4x len %d", sk, rx_control, skb->len);
4135
9b16dc65
GP		 4136 if (L2CAP_CTRL_FINAL & rx_control &&
4137 l2cap_pi(sk)->conn_state & L2CAP_CONN_WAIT_F) {
e072745f
GP		 4138 del_timer(&l2cap_pi(sk)->monitor_timer);
4139 if (l2cap_pi(sk)->unacked_frames > 0)
4140 __mod_retrans_timer();
4141 l2cap_pi(sk)->conn_state &= ~L2CAP_CONN_WAIT_F;
4142 }
4143
4144 switch (rx_control & L2CAP_CTRL_SUPERVISE) {
4145 case L2CAP_SUPER_RCV_READY:
4146 l2cap_data_channel_rrframe(sk, rx_control);
8f17154f
GP		 4147 break;
4148
e072745f
GP		 4149 case L2CAP_SUPER_REJECT:
4150 l2cap_data_channel_rejframe(sk, rx_control);
4151 break;
2246b2f1 4152
e072745f
GP		 4153 case L2CAP_SUPER_SELECT_REJECT:
4154 l2cap_data_channel_srejframe(sk, rx_control);
4155 break;
4156
4157 case L2CAP_SUPER_RCV_NOT_READY:
4158 l2cap_data_channel_rnrframe(sk, rx_control);
1c2acffb
GP		 4159 break;
4160 }
4161
faaebd19 4162 kfree_skb(skb);
1c2acffb
GP		 4163 return 0;
4164}
4165
1da177e4
LT		 4166static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
4167{
4168 struct sock *sk;
6840ed07 4169 struct l2cap_pinfo *pi;
51893f88 4170 u16 control;
f6337c77 4171 u8 tx_seq, req_seq;
51893f88 4172 int len, next_tx_seq_offset, req_seq_offset;
1da177e4
LT		 4173
4174 sk = l2cap_get_chan_by_scid(&conn->chan_list, cid);
4175 if (!sk) {
4176 BT_DBG("unknown cid 0x%4.4x", cid);
4177 goto drop;
4178 }
4179
6840ed07
GP		 4180 pi = l2cap_pi(sk);
4181
1da177e4
LT		 4182 BT_DBG("sk %p, len %d", sk, skb->len);
4183
4184 if (sk->sk_state != BT_CONNECTED)
4185 goto drop;
4186
6840ed07 4187 switch (pi->mode) {
1c2acffb
GP		 4188 case L2CAP_MODE_BASIC:
4189 /* If socket recv buffers overflows we drop data here
4190 * which is *bad* because L2CAP has to be reliable.
4191 * But we don't have any other choice. L2CAP doesn't
4192 * provide flow control mechanism. */
1da177e4 4193
6840ed07 4194 if (pi->imtu < skb->len)
1c2acffb 4195 goto drop;
1da177e4 4196
1c2acffb
GP		 4197 if (!sock_queue_rcv_skb(sk, skb))
4198 goto done;
4199 break;
4200
4201 case L2CAP_MODE_ERTM:
4202 control = get_unaligned_le16(skb->data);
4203 skb_pull(skb, 2);
c74e560c 4204 len = skb->len;
1c2acffb 4205
26000089
GP		 4206 /*
4207 * We can just drop the corrupted I-frame here.
4208 * Receiver will miss it and start proper recovery
4209 * procedures and ask retransmission.
4210 */
4211 if (l2cap_check_fcs(pi, skb))
4212 goto drop;
4213
bc1b1f8b 4214 if (__is_sar_start(control) && __is_iframe(control))
c74e560c
GP		 4215 len -= 2;
4216
fcc203c3
GP		 4217 if (pi->fcs == L2CAP_FCS_CRC16)
4218 len -= 2;
4219
18778a63 4220 if (len > pi->mps) {
9b108fc0 4221 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
1c2acffb 4222 goto drop;
18778a63 4223 }
1c2acffb 4224
01760bdd
JPRV		 4225 req_seq = __get_reqseq(control);
4226 req_seq_offset = (req_seq - pi->expected_ack_seq) % 64;
4227 if (req_seq_offset < 0)
4228 req_seq_offset += 64;
4229
4230 next_tx_seq_offset =
4231 (pi->next_tx_seq - pi->expected_ack_seq) % 64;
4232 if (next_tx_seq_offset < 0)
4233 next_tx_seq_offset += 64;
4234
4235 /* check for invalid req-seq */
4236 if (req_seq_offset > next_tx_seq_offset) {
9b108fc0 4237 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
01760bdd
JPRV		 4238 goto drop;
4239 }
4240
277ffbe3 4241 if (__is_iframe(control)) {
51893f88 4242 if (len < 0) {
9b108fc0 4243 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
277ffbe3 4244 goto drop;
18778a63 4245 }
277ffbe3 4246
fcafde2e 4247 l2cap_data_channel_iframe(sk, control, skb);
277ffbe3 4248 } else {
18778a63 4249 if (len != 0) {
9b108fc0 4250 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
277ffbe3 4251 goto drop;
18778a63 4252 }
277ffbe3 4253
fcafde2e 4254 l2cap_data_channel_sframe(sk, control, skb);
277ffbe3 4255 }
1c2acffb 4256
fcafde2e 4257 goto done;
1c2acffb 4258
6840ed07
GP		 4259 case L2CAP_MODE_STREAMING:
4260 control = get_unaligned_le16(skb->data);
4261 skb_pull(skb, 2);
4262 len = skb->len;
4263
26000089
GP		 4264 if (l2cap_check_fcs(pi, skb))
4265 goto drop;
4266
6840ed07
GP		 4267 if (__is_sar_start(control))
4268 len -= 2;
4269
fcc203c3
GP		 4270 if (pi->fcs == L2CAP_FCS_CRC16)
4271 len -= 2;
4272
51893f88 4273 if (len > pi->mps || len < 0 || __is_sframe(control))
6840ed07
GP		 4274 goto drop;
4275
4276 tx_seq = __get_txseq(control);
4277
4278 if (pi->expected_tx_seq == tx_seq)
4279 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
4280 else
7dffe421 4281 pi->expected_tx_seq = (tx_seq + 1) % 64;
6840ed07 4282
18778a63 4283 l2cap_streaming_reassembly_sdu(sk, skb, control);
6840ed07
GP		 4284
4285 goto done;
4286
1c2acffb 4287 default:
e8235c6b 4288 BT_DBG("sk %p: bad mode 0x%2.2x", sk, pi->mode);
1c2acffb
GP		 4289 break;
4290 }
1da177e4
LT		 4291
4292drop:
4293 kfree_skb(skb);
4294
4295done:
0139418c
MH		 4296 if (sk)
4297 bh_unlock_sock(sk);
4298
1da177e4
LT		 4299 return 0;
4300}
4301
8e036fc3 4302static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
1da177e4
LT		 4303{
4304 struct sock *sk;
4305
4306 sk = l2cap_get_sock_by_psm(0, psm, conn->src);
4307 if (!sk)
4308 goto drop;
4309
4310 BT_DBG("sk %p, len %d", sk, skb->len);
4311
4312 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_CONNECTED)
4313 goto drop;
4314
4315 if (l2cap_pi(sk)->imtu < skb->len)
4316 goto drop;
4317
4318 if (!sock_queue_rcv_skb(sk, skb))
4319 goto done;
4320
4321drop:
4322 kfree_skb(skb);
4323
4324done:
af05b30b
GP		 4325 if (sk)
4326 bh_unlock_sock(sk);
1da177e4
LT		 4327 return 0;
4328}
4329
4330static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
4331{
4332 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 4333 u16 cid, len;
4334 __le16 psm;
1da177e4
LT		 4335
4336 skb_pull(skb, L2CAP_HDR_SIZE);
4337 cid = __le16_to_cpu(lh->cid);
4338 len = __le16_to_cpu(lh->len);
4339
1c2acffb
GP		 4340 if (len != skb->len) {
4341 kfree_skb(skb);
4342 return;
4343 }
4344
1da177e4
LT		 4345 BT_DBG("len %d, cid 0x%4.4x", len, cid);
4346
4347 switch (cid) {
8db4dc46 4348 case L2CAP_CID_SIGNALING:
1da177e4
LT		 4349 l2cap_sig_channel(conn, skb);
4350 break;
4351
8db4dc46 4352 case L2CAP_CID_CONN_LESS:
1b7bf4ed 4353 psm = get_unaligned_le16(skb->data);
1da177e4
LT		 4354 skb_pull(skb, 2);
4355 l2cap_conless_channel(conn, psm, skb);
4356 break;
4357
4358 default:
4359 l2cap_data_channel(conn, cid, skb);
4360 break;
4361 }
4362}
4363
4364/* ---- L2CAP interface with lower layer (HCI) ---- */
4365
4366static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
4367{
4368 int exact = 0, lm1 = 0, lm2 = 0;
4369 register struct sock *sk;
4370 struct hlist_node *node;
4371
4372 if (type != ACL_LINK)
4373 return 0;
4374
4375 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
4376
4377 /* Find listening sockets and check their link_mode */
4378 read_lock(&l2cap_sk_list.lock);
4379 sk_for_each(sk, node, &l2cap_sk_list.head) {
4380 if (sk->sk_state != BT_LISTEN)
4381 continue;
4382
4383 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5
MH		 4384 lm1 |= HCI_LM_ACCEPT;
4385 if (l2cap_pi(sk)->role_switch)
4386 lm1 |= HCI_LM_MASTER;
1da177e4 4387 exact++;
2af6b9d5
MH		 4388 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
4389 lm2 |= HCI_LM_ACCEPT;
4390 if (l2cap_pi(sk)->role_switch)
4391 lm2 |= HCI_LM_MASTER;
4392 }
1da177e4
LT		 4393 }
4394 read_unlock(&l2cap_sk_list.lock);
4395
4396 return exact ? lm1 : lm2;
4397}
4398
4399static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
4400{
0139418c
MH		 4401 struct l2cap_conn *conn;
4402
1da177e4
LT		 4403 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
4404
4405 if (hcon->type != ACL_LINK)
4406 return 0;
4407
4408 if (!status) {
1da177e4
LT		 4409 conn = l2cap_conn_add(hcon, status);
4410 if (conn)
4411 l2cap_conn_ready(conn);
0139418c 4412 } else
1da177e4
LT		 4413 l2cap_conn_del(hcon, bt_err(status));
4414
4415 return 0;
4416}
4417
2950f21a
MH		 4418static int l2cap_disconn_ind(struct hci_conn *hcon)
4419{
4420 struct l2cap_conn *conn = hcon->l2cap_data;
4421
4422 BT_DBG("hcon %p", hcon);
4423
4424 if (hcon->type != ACL_LINK || !conn)
4425 return 0x13;
4426
4427 return conn->disc_reason;
4428}
4429
4430static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 4431{
4432 BT_DBG("hcon %p reason %d", hcon, reason);
4433
4434 if (hcon->type != ACL_LINK)
4435 return 0;
4436
4437 l2cap_conn_del(hcon, bt_err(reason));
0139418c 4438
1da177e4
LT		 4439 return 0;
4440}
4441
f62e4323
MH		 4442static inline void l2cap_check_encryption(struct sock *sk, u8 encrypt)
4443{
bd3c9e25 4444 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM)
255c7601
MH		 4445 return;
4446
f62e4323
MH		 4447 if (encrypt == 0x00) {
4448 if (l2cap_pi(sk)->sec_level == BT_SECURITY_MEDIUM) {
4449 l2cap_sock_clear_timer(sk);
4450 l2cap_sock_set_timer(sk, HZ * 5);
4451 } else if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
4452 __l2cap_sock_close(sk, ECONNREFUSED);
4453 } else {
4454 if (l2cap_pi(sk)->sec_level == BT_SECURITY_MEDIUM)
4455 l2cap_sock_clear_timer(sk);
4456 }
4457}
4458
8c1b2355 4459static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4
LT		 4460{
4461 struct l2cap_chan_list *l;
0139418c 4462 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4 4463 struct sock *sk;
1da177e4 4464
0139418c 4465 if (!conn)
1da177e4 4466 return 0;
0139418c 4467
1da177e4
LT		 4468 l = &conn->chan_list;
4469
4470 BT_DBG("conn %p", conn);
4471
4472 read_lock(&l->lock);
4473
4474 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
4475 bh_lock_sock(sk);
4476
6a8d3010
MH		 4477 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_CONNECT_PEND) {
4478 bh_unlock_sock(sk);
4479 continue;
4480 }
4481
f62e4323 4482 if (!status && (sk->sk_state == BT_CONNECTED ||
8c1b2355 4483 sk->sk_state == BT_CONFIG)) {
f62e4323 4484 l2cap_check_encryption(sk, encrypt);
9719f8af
MH		 4485 bh_unlock_sock(sk);
4486 continue;
4487 }
4488
b1235d79
MH		 4489 if (sk->sk_state == BT_CONNECT) {
4490 if (!status) {
4491 struct l2cap_conn_req req;
4492 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
4493 req.psm = l2cap_pi(sk)->psm;
1da177e4 4494
b1235d79 4495 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
e501d055 4496 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
1da177e4 4497
b1235d79
MH		 4498 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
4499 L2CAP_CONN_REQ, sizeof(req), &req);
4500 } else {
4501 l2cap_sock_clear_timer(sk);
4502 l2cap_sock_set_timer(sk, HZ / 10);
4503 }
4504 } else if (sk->sk_state == BT_CONNECT2) {
4505 struct l2cap_conn_rsp rsp;
4506 __u16 result;
1da177e4 4507
b1235d79
MH		 4508 if (!status) {
4509 sk->sk_state = BT_CONFIG;
4510 result = L2CAP_CR_SUCCESS;
4511 } else {
4512 sk->sk_state = BT_DISCONN;
4513 l2cap_sock_set_timer(sk, HZ / 10);
4514 result = L2CAP_CR_SEC_BLOCK;
4515 }
4516
4517 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
4518 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
4519 rsp.result = cpu_to_le16(result);
e7c29cb1 4520 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
b1235d79
MH		 4521 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
4522 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
4523 }
1da177e4
LT		 4524
4525 bh_unlock_sock(sk);
4526 }
4527
4528 read_unlock(&l->lock);
b1235d79 4529
1da177e4
LT		 4530 return 0;
4531}
4532
4533static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
4534{
4535 struct l2cap_conn *conn = hcon->l2cap_data;
4536
4537 if (!conn && !(conn = l2cap_conn_add(hcon, 0)))
4538 goto drop;
4539
4540 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
4541
4542 if (flags & ACL_START) {
4543 struct l2cap_hdr *hdr;
4544 int len;
4545
4546 if (conn->rx_len) {
4547 BT_ERR("Unexpected start frame (len %d)", skb->len);
4548 kfree_skb(conn->rx_skb);
4549 conn->rx_skb = NULL;
4550 conn->rx_len = 0;
4551 l2cap_conn_unreliable(conn, ECOMM);
4552 }
4553
4554 if (skb->len < 2) {
4555 BT_ERR("Frame is too short (len %d)", skb->len);
4556 l2cap_conn_unreliable(conn, ECOMM);
4557 goto drop;
4558 }
4559
4560 hdr = (struct l2cap_hdr *) skb->data;
4561 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
4562
4563 if (len == skb->len) {
4564 /* Complete frame received */
4565 l2cap_recv_frame(conn, skb);
4566 return 0;
4567 }
4568
4569 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
4570
4571 if (skb->len > len) {
4572 BT_ERR("Frame is too long (len %d, expected len %d)",
4573 skb->len, len);
4574 l2cap_conn_unreliable(conn, ECOMM);
4575 goto drop;
4576 }
4577
4578 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 4579 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
4580 if (!conn->rx_skb)
1da177e4
LT		 4581 goto drop;
4582
d626f62b 4583 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4584 skb->len);
1da177e4
LT		 4585 conn->rx_len = len - skb->len;
4586 } else {
4587 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
4588
4589 if (!conn->rx_len) {
4590 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
4591 l2cap_conn_unreliable(conn, ECOMM);
4592 goto drop;
4593 }
4594
4595 if (skb->len > conn->rx_len) {
4596 BT_ERR("Fragment is too long (len %d, expected %d)",
4597 skb->len, conn->rx_len);
4598 kfree_skb(conn->rx_skb);
4599 conn->rx_skb = NULL;
4600 conn->rx_len = 0;
4601 l2cap_conn_unreliable(conn, ECOMM);
4602 goto drop;
4603 }
4604
d626f62b 4605 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4606 skb->len);
1da177e4
LT		 4607 conn->rx_len -= skb->len;
4608
4609 if (!conn->rx_len) {
4610 /* Complete frame received */
4611 l2cap_recv_frame(conn, conn->rx_skb);
4612 conn->rx_skb = NULL;
4613 }
4614 }
4615
4616drop:
4617 kfree_skb(skb);
4618 return 0;
4619}
4620
aef7d97c 4621static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4
LT		 4622{
4623 struct sock *sk;
4624 struct hlist_node *node;
1da177e4
LT		 4625
4626 read_lock_bh(&l2cap_sk_list.lock);
4627
be9d1227
MH		 4628 sk_for_each(sk, node, &l2cap_sk_list.head) {
4629 struct l2cap_pinfo *pi = l2cap_pi(sk);
101545f6 4630
aef7d97c
MH		 4631 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d\n",
4632 batostr(&bt_sk(sk)->src),
4633 batostr(&bt_sk(sk)->dst),
4634 sk->sk_state, __le16_to_cpu(pi->psm),
4635 pi->scid, pi->dcid,
4636 pi->imtu, pi->omtu, pi->sec_level);
be9d1227 4637 }
1da177e4 4638
1da177e4 4639 read_unlock_bh(&l2cap_sk_list.lock);
1da177e4 4640
aef7d97c 4641 return 0;
1da177e4
LT		 4642}
4643
aef7d97c
MH		 4644static int l2cap_debugfs_open(struct inode *inode, struct file *file)
4645{
4646 return single_open(file, l2cap_debugfs_show, inode->i_private);
4647}
4648
4649static const struct file_operations l2cap_debugfs_fops = {
4650 .open = l2cap_debugfs_open,
4651 .read = seq_read,
4652 .llseek = seq_lseek,
4653 .release = single_release,
4654};
4655
4656static struct dentry *l2cap_debugfs;
1da177e4 4657
90ddc4f0 4658static const struct proto_ops l2cap_sock_ops = {
1da177e4
LT		 4659 .family = PF_BLUETOOTH,
4660 .owner = THIS_MODULE,
4661 .release = l2cap_sock_release,
4662 .bind = l2cap_sock_bind,
4663 .connect = l2cap_sock_connect,
4664 .listen = l2cap_sock_listen,
4665 .accept = l2cap_sock_accept,
4666 .getname = l2cap_sock_getname,
4667 .sendmsg = l2cap_sock_sendmsg,
f66dc81f 4668 .recvmsg = l2cap_sock_recvmsg,
1da177e4 4669 .poll = bt_sock_poll,
3241ad82 4670 .ioctl = bt_sock_ioctl,
1da177e4
LT		 4671 .mmap = sock_no_mmap,
4672 .socketpair = sock_no_socketpair,
1da177e4
LT		 4673 .shutdown = l2cap_sock_shutdown,
4674 .setsockopt = l2cap_sock_setsockopt,
4675 .getsockopt = l2cap_sock_getsockopt
4676};
4677
ec1b4cf7 4678static const struct net_proto_family l2cap_sock_family_ops = {
1da177e4
LT		 4679 .family = PF_BLUETOOTH,
4680 .owner = THIS_MODULE,
4681 .create = l2cap_sock_create,
4682};
4683
4684static struct hci_proto l2cap_hci_proto = {
4685 .name = "L2CAP",
4686 .id = HCI_PROTO_L2CAP,
4687 .connect_ind = l2cap_connect_ind,
4688 .connect_cfm = l2cap_connect_cfm,
4689 .disconn_ind = l2cap_disconn_ind,
2950f21a 4690 .disconn_cfm = l2cap_disconn_cfm,
8c1b2355 4691 .security_cfm = l2cap_security_cfm,
1da177e4
LT		 4692 .recv_acldata = l2cap_recv_acldata
4693};
4694
4695static int __init l2cap_init(void)
4696{
4697 int err;
be9d1227 4698
1da177e4
LT		 4699 err = proto_register(&l2cap_proto, 0);
4700 if (err < 0)
4701 return err;
4702
1890d36b
GP		 4703 _busy_wq = create_singlethread_workqueue("l2cap");
4704 if (!_busy_wq)
4705 goto error;
4706
1da177e4
LT		 4707 err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
4708 if (err < 0) {
4709 BT_ERR("L2CAP socket registration failed");
4710 goto error;
4711 }
4712
4713 err = hci_register_proto(&l2cap_hci_proto);
4714 if (err < 0) {
4715 BT_ERR("L2CAP protocol registration failed");
4716 bt_sock_unregister(BTPROTO_L2CAP);
4717 goto error;
4718 }
4719
aef7d97c
MH		 4720 if (bt_debugfs) {
4721 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
4722 bt_debugfs, NULL, &l2cap_debugfs_fops);
4723 if (!l2cap_debugfs)
4724 BT_ERR("Failed to create L2CAP debug file");
4725 }
1da177e4
LT		 4726
4727 BT_INFO("L2CAP ver %s", VERSION);
4728 BT_INFO("L2CAP socket layer initialized");
4729
4730 return 0;
4731
4732error:
4733 proto_unregister(&l2cap_proto);
4734 return err;
4735}
4736
4737static void __exit l2cap_exit(void)
4738{
aef7d97c 4739 debugfs_remove(l2cap_debugfs);
1da177e4 4740
1890d36b
GP		 4741 flush_workqueue(_busy_wq);
4742 destroy_workqueue(_busy_wq);
4743
1da177e4
LT		 4744 if (bt_sock_unregister(BTPROTO_L2CAP) < 0)
4745 BT_ERR("L2CAP socket unregistration failed");
4746
4747 if (hci_unregister_proto(&l2cap_hci_proto) < 0)
4748 BT_ERR("L2CAP protocol unregistration failed");
4749
4750 proto_unregister(&l2cap_proto);
4751}
4752
4753void l2cap_load(void)
4754{
4755 /* Dummy function to trigger automatic L2CAP module loading by
4756 * other modules that use L2CAP sockets but don't use any other
4757 * symbols from it. */
1da177e4
LT		 4758}
4759EXPORT_SYMBOL(l2cap_load);
4760
4761module_init(l2cap_init);
4762module_exit(l2cap_exit);
4763
44dd46de
MH		 4764module_param(enable_ertm, bool, 0644);
4765MODULE_PARM_DESC(enable_ertm, "Enable enhanced retransmission mode");
4766
63fbd24e 4767MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
1da177e4
LT		 4768MODULE_DESCRIPTION("Bluetooth L2CAP ver " VERSION);
4769MODULE_VERSION(VERSION);
4770MODULE_LICENSE("GPL");
4771MODULE_ALIAS("bt-proto-0");
kernel source for telekom puls (alcatel/mediatek)