projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Refactor l2cap_retransmit_frame()
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4
5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License version 2 as
9 published by the Free Software Foundation;
10
11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19
8e87d142
YH		 20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 22 SOFTWARE IS DISCLAIMED.
23*/
24
25/* Bluetooth L2CAP core and sockets. */
26
1da177e4
LT		 27#include <linux/module.h>
28
29#include <linux/types.h>
4fc268d2 30#include <linux/capability.h>
1da177e4
LT		 31#include <linux/errno.h>
32#include <linux/kernel.h>
1da177e4
LT		 33#include <linux/sched.h>
34#include <linux/slab.h>
35#include <linux/poll.h>
36#include <linux/fcntl.h>
37#include <linux/init.h>
38#include <linux/interrupt.h>
39#include <linux/socket.h>
40#include <linux/skbuff.h>
1da177e4 41#include <linux/list.h>
be9d1227 42#include <linux/device.h>
aef7d97c
MH		 43#include <linux/debugfs.h>
44#include <linux/seq_file.h>
af05b30b 45#include <linux/uaccess.h>
fcc203c3 46#include <linux/crc16.h>
1da177e4
LT		 47#include <net/sock.h>
48
49#include <asm/system.h>
1da177e4
LT		 50#include <asm/unaligned.h>
51
52#include <net/bluetooth/bluetooth.h>
53#include <net/bluetooth/hci_core.h>
54#include <net/bluetooth/l2cap.h>
55
44dd46de
MH		 56#define VERSION "2.14"
57
84fb0a63
GP		 58#ifdef CONFIG_BT_L2CAP_EXT_FEATURES
59static int enable_ertm = 1;
60#else
44dd46de 61static int enable_ertm = 0;
84fb0a63 62#endif
5fbcd3d1 63static int max_transmit = L2CAP_DEFAULT_MAX_TX;
369ba302 64static int tx_window = L2CAP_DEFAULT_TX_WINDOW;
f0709e03 65
47ec1dcd 66static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
e1027a7c 67static u8 l2cap_fixed_chan[8] = { 0x02, };
1da177e4 68
90ddc4f0 69static const struct proto_ops l2cap_sock_ops;
1da177e4
LT		 70
71static struct bt_sock_list l2cap_sk_list = {
d5fb2962 72 .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
1da177e4
LT		 73};
74
1da177e4
LT		 75static void __l2cap_sock_close(struct sock *sk, int reason);
76static void l2cap_sock_close(struct sock *sk);
77static void l2cap_sock_kill(struct sock *sk);
78
79static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
80 u8 code, u8 ident, u16 dlen, void *data);
81
82/* ---- L2CAP timers ---- */
83static void l2cap_sock_timeout(unsigned long arg)
84{
85 struct sock *sk = (struct sock *) arg;
b1235d79 86 int reason;
1da177e4
LT		 87
88 BT_DBG("sock %p state %d", sk, sk->sk_state);
89
90 bh_lock_sock(sk);
b1235d79 91
f62e4323
MH		 92 if (sk->sk_state == BT_CONNECTED || sk->sk_state == BT_CONFIG)
93 reason = ECONNREFUSED;
94 else if (sk->sk_state == BT_CONNECT &&
2af6b9d5 95 l2cap_pi(sk)->sec_level != BT_SECURITY_SDP)
b1235d79
MH		 96 reason = ECONNREFUSED;
97 else
98 reason = ETIMEDOUT;
99
100 __l2cap_sock_close(sk, reason);
101
1da177e4
LT		 102 bh_unlock_sock(sk);
103
104 l2cap_sock_kill(sk);
105 sock_put(sk);
106}
107
108static void l2cap_sock_set_timer(struct sock *sk, long timeout)
109{
110 BT_DBG("sk %p state %d timeout %ld", sk, sk->sk_state, timeout);
111 sk_reset_timer(sk, &sk->sk_timer, jiffies + timeout);
112}
113
114static void l2cap_sock_clear_timer(struct sock *sk)
115{
116 BT_DBG("sock %p state %d", sk, sk->sk_state);
117 sk_stop_timer(sk, &sk->sk_timer);
118}
119
0139418c
MH		 120/* ---- L2CAP channels ---- */
121static struct sock *__l2cap_get_chan_by_dcid(struct l2cap_chan_list *l, u16 cid)
122{
123 struct sock *s;
124 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
125 if (l2cap_pi(s)->dcid == cid)
126 break;
127 }
128 return s;
129}
130
131static struct sock *__l2cap_get_chan_by_scid(struct l2cap_chan_list *l, u16 cid)
132{
133 struct sock *s;
134 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
135 if (l2cap_pi(s)->scid == cid)
136 break;
137 }
138 return s;
139}
140
141/* Find channel with given SCID.
142 * Returns locked socket */
143static inline struct sock *l2cap_get_chan_by_scid(struct l2cap_chan_list *l, u16 cid)
144{
145 struct sock *s;
146 read_lock(&l->lock);
147 s = __l2cap_get_chan_by_scid(l, cid);
af05b30b
GP		 148 if (s)
149 bh_lock_sock(s);
0139418c
MH		 150 read_unlock(&l->lock);
151 return s;
152}
153
154static struct sock *__l2cap_get_chan_by_ident(struct l2cap_chan_list *l, u8 ident)
155{
156 struct sock *s;
157 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
158 if (l2cap_pi(s)->ident == ident)
159 break;
160 }
161 return s;
162}
163
164static inline struct sock *l2cap_get_chan_by_ident(struct l2cap_chan_list *l, u8 ident)
165{
166 struct sock *s;
167 read_lock(&l->lock);
168 s = __l2cap_get_chan_by_ident(l, ident);
af05b30b
GP		 169 if (s)
170 bh_lock_sock(s);
0139418c
MH		 171 read_unlock(&l->lock);
172 return s;
173}
174
175static u16 l2cap_alloc_cid(struct l2cap_chan_list *l)
176{
8db4dc46 177 u16 cid = L2CAP_CID_DYN_START;
0139418c 178
8db4dc46 179 for (; cid < L2CAP_CID_DYN_END; cid++) {
af05b30b 180 if (!__l2cap_get_chan_by_scid(l, cid))
0139418c
MH		 181 return cid;
182 }
183
184 return 0;
185}
186
187static inline void __l2cap_chan_link(struct l2cap_chan_list *l, struct sock *sk)
188{
189 sock_hold(sk);
190
191 if (l->head)
192 l2cap_pi(l->head)->prev_c = sk;
193
194 l2cap_pi(sk)->next_c = l->head;
195 l2cap_pi(sk)->prev_c = NULL;
196 l->head = sk;
197}
198
199static inline void l2cap_chan_unlink(struct l2cap_chan_list *l, struct sock *sk)
200{
201 struct sock *next = l2cap_pi(sk)->next_c, *prev = l2cap_pi(sk)->prev_c;
202
fd1278d7 203 write_lock_bh(&l->lock);
0139418c
MH		 204 if (sk == l->head)
205 l->head = next;
206
207 if (next)
208 l2cap_pi(next)->prev_c = prev;
209 if (prev)
210 l2cap_pi(prev)->next_c = next;
fd1278d7 211 write_unlock_bh(&l->lock);
0139418c
MH		 212
213 __sock_put(sk);
214}
215
216static void __l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent)
217{
218 struct l2cap_chan_list *l = &conn->chan_list;
219
af05b30b
GP		 220 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
221 l2cap_pi(sk)->psm, l2cap_pi(sk)->dcid);
0139418c 222
2950f21a
MH		 223 conn->disc_reason = 0x13;
224
0139418c
MH		 225 l2cap_pi(sk)->conn = conn;
226
bd3c9e25 227 if (sk->sk_type == SOCK_SEQPACKET || sk->sk_type == SOCK_STREAM) {
0139418c
MH		 228 /* Alloc CID for connection-oriented socket */
229 l2cap_pi(sk)->scid = l2cap_alloc_cid(l);
230 } else if (sk->sk_type == SOCK_DGRAM) {
231 /* Connectionless socket */
8db4dc46
GP		 232 l2cap_pi(sk)->scid = L2CAP_CID_CONN_LESS;
233 l2cap_pi(sk)->dcid = L2CAP_CID_CONN_LESS;
0139418c
MH		 234 l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU;
235 } else {
236 /* Raw socket can send/recv signalling messages only */
8db4dc46
GP		 237 l2cap_pi(sk)->scid = L2CAP_CID_SIGNALING;
238 l2cap_pi(sk)->dcid = L2CAP_CID_SIGNALING;
0139418c
MH		 239 l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU;
240 }
241
242 __l2cap_chan_link(l, sk);
243
244 if (parent)
245 bt_accept_enqueue(parent, sk);
246}
247
8e87d142 248/* Delete channel.
0139418c
MH		 249 * Must be called on the locked socket. */
250static void l2cap_chan_del(struct sock *sk, int err)
251{
252 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
253 struct sock *parent = bt_sk(sk)->parent;
254
255 l2cap_sock_clear_timer(sk);
256
257 BT_DBG("sk %p, conn %p, err %d", sk, conn, err);
258
8e87d142 259 if (conn) {
0139418c
MH		 260 /* Unlink from channel list */
261 l2cap_chan_unlink(&conn->chan_list, sk);
262 l2cap_pi(sk)->conn = NULL;
263 hci_conn_put(conn->hcon);
264 }
265
b1235d79 266 sk->sk_state = BT_CLOSED;
0139418c
MH		 267 sock_set_flag(sk, SOCK_ZAPPED);
268
269 if (err)
270 sk->sk_err = err;
271
272 if (parent) {
273 bt_accept_unlink(sk);
274 parent->sk_data_ready(parent, 0);
275 } else
276 sk->sk_state_change(sk);
277}
278
79d554a6 279/* Service level security */
2af6b9d5 280static inline int l2cap_check_security(struct sock *sk)
79d554a6
MH		 281{
282 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
0684e5f9
MH		 283 __u8 auth_type;
284
00ae4af9
MH		 285 if (l2cap_pi(sk)->psm == cpu_to_le16(0x0001)) {
286 if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
287 auth_type = HCI_AT_NO_BONDING_MITM;
288 else
af05b30b 289 auth_type = HCI_AT_NO_BONDING;
00ae4af9
MH		 290
291 if (l2cap_pi(sk)->sec_level == BT_SECURITY_LOW)
292 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
293 } else {
294 switch (l2cap_pi(sk)->sec_level) {
295 case BT_SECURITY_HIGH:
296 auth_type = HCI_AT_GENERAL_BONDING_MITM;
297 break;
298 case BT_SECURITY_MEDIUM:
299 auth_type = HCI_AT_GENERAL_BONDING;
300 break;
301 default:
302 auth_type = HCI_AT_NO_BONDING;
303 break;
304 }
0684e5f9 305 }
79d554a6 306
0684e5f9
MH		 307 return hci_conn_security(conn->hcon, l2cap_pi(sk)->sec_level,
308 auth_type);
79d554a6
MH		 309}
310
4e8402a3
MH		 311static inline u8 l2cap_get_ident(struct l2cap_conn *conn)
312{
313 u8 id;
314
315 /* Get next available identificator.
316 * 1 - 128 are used by kernel.
317 * 129 - 199 are reserved.
318 * 200 - 254 are used by utilities like l2ping, etc.
319 */
320
321 spin_lock_bh(&conn->lock);
322
323 if (++conn->tx_ident > 128)
324 conn->tx_ident = 1;
325
326 id = conn->tx_ident;
327
328 spin_unlock_bh(&conn->lock);
329
330 return id;
331}
332
9a9c6a34 333static inline void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
4e8402a3
MH		 334{
335 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
336
337 BT_DBG("code 0x%2.2x", code);
338
339 if (!skb)
9a9c6a34 340 return;
4e8402a3 341
9a9c6a34 342 hci_send_acl(conn->hcon, skb, 0);
4e8402a3
MH		 343}
344
9a9c6a34 345static inline void l2cap_send_sframe(struct l2cap_pinfo *pi, u16 control)
1c2acffb
GP		 346{
347 struct sk_buff *skb;
348 struct l2cap_hdr *lh;
349 struct l2cap_conn *conn = pi->conn;
fcc203c3
GP		 350 int count, hlen = L2CAP_HDR_SIZE + 2;
351
352 if (pi->fcs == L2CAP_FCS_CRC16)
353 hlen += 2;
1c2acffb
GP		 354
355 BT_DBG("pi %p, control 0x%2.2x", pi, control);
356
fcc203c3 357 count = min_t(unsigned int, conn->mtu, hlen);
1c2acffb
GP		 358 control |= L2CAP_CTRL_FRAME_TYPE;
359
9e917af1
GP		 360 if (pi->conn_state & L2CAP_CONN_SEND_FBIT) {
361 control |= L2CAP_CTRL_FINAL;
362 pi->conn_state &= ~L2CAP_CONN_SEND_FBIT;
363 }
364
f0946ccf
GP		 365 if (pi->conn_state & L2CAP_CONN_SEND_PBIT) {
366 control |= L2CAP_CTRL_POLL;
367 pi->conn_state &= ~L2CAP_CONN_SEND_PBIT;
368 }
369
1c2acffb
GP		 370 skb = bt_skb_alloc(count, GFP_ATOMIC);
371 if (!skb)
9a9c6a34 372 return;
1c2acffb
GP		 373
374 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fcc203c3 375 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
1c2acffb
GP		 376 lh->cid = cpu_to_le16(pi->dcid);
377 put_unaligned_le16(control, skb_put(skb, 2));
378
fcc203c3
GP		 379 if (pi->fcs == L2CAP_FCS_CRC16) {
380 u16 fcs = crc16(0, (u8 *)lh, count - 2);
381 put_unaligned_le16(fcs, skb_put(skb, 2));
382 }
383
9a9c6a34 384 hci_send_acl(pi->conn->hcon, skb, 0);
1c2acffb
GP		 385}
386
9a9c6a34 387static inline void l2cap_send_rr_or_rnr(struct l2cap_pinfo *pi, u16 control)
7e743090
GP		 388{
389 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY)
390 control |= L2CAP_SUPER_RCV_NOT_READY;
391 else
392 control |= L2CAP_SUPER_RCV_READY;
393
2ab25cdd
GP		 394 control |= pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
395
9a9c6a34 396 l2cap_send_sframe(pi, control);
7e743090
GP		 397}
398
79d554a6
MH		 399static void l2cap_do_start(struct sock *sk)
400{
401 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
402
403 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 404 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
405 return;
406
2af6b9d5 407 if (l2cap_check_security(sk)) {
b1235d79
MH		 408 struct l2cap_conn_req req;
409 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
410 req.psm = l2cap_pi(sk)->psm;
79d554a6 411
b1235d79 412 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
79d554a6 413
b1235d79 414 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
79d554a6 415 L2CAP_CONN_REQ, sizeof(req), &req);
b1235d79 416 }
79d554a6
MH		 417 } else {
418 struct l2cap_info_req req;
419 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
420
421 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
422 conn->info_ident = l2cap_get_ident(conn);
423
424 mod_timer(&conn->info_timer, jiffies +
425 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
426
427 l2cap_send_cmd(conn, conn->info_ident,
428 L2CAP_INFO_REQ, sizeof(req), &req);
429 }
430}
431
22121fc9
GP		 432static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct sock *sk)
433{
434 struct l2cap_disconn_req req;
435
436 req.dcid = cpu_to_le16(l2cap_pi(sk)->dcid);
437 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
438 l2cap_send_cmd(conn, l2cap_get_ident(conn),
439 L2CAP_DISCONN_REQ, sizeof(req), &req);
440}
441
1da177e4 442/* ---- L2CAP connections ---- */
4e8402a3
MH		 443static void l2cap_conn_start(struct l2cap_conn *conn)
444{
445 struct l2cap_chan_list *l = &conn->chan_list;
446 struct sock *sk;
447
448 BT_DBG("conn %p", conn);
449
450 read_lock(&l->lock);
451
452 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
453 bh_lock_sock(sk);
454
bd3c9e25
GP		 455 if (sk->sk_type != SOCK_SEQPACKET &&
456 sk->sk_type != SOCK_STREAM) {
79d554a6
MH		 457 bh_unlock_sock(sk);
458 continue;
459 }
460
461 if (sk->sk_state == BT_CONNECT) {
2af6b9d5 462 if (l2cap_check_security(sk)) {
b1235d79
MH		 463 struct l2cap_conn_req req;
464 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
465 req.psm = l2cap_pi(sk)->psm;
79d554a6 466
b1235d79 467 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
79d554a6 468
b1235d79 469 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
4e8402a3 470 L2CAP_CONN_REQ, sizeof(req), &req);
b1235d79 471 }
79d554a6
MH		 472 } else if (sk->sk_state == BT_CONNECT2) {
473 struct l2cap_conn_rsp rsp;
474 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
475 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
476
2af6b9d5 477 if (l2cap_check_security(sk)) {
f66dc81f
MH		 478 if (bt_sk(sk)->defer_setup) {
479 struct sock *parent = bt_sk(sk)->parent;
480 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
481 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
482 parent->sk_data_ready(parent, 0);
483
484 } else {
485 sk->sk_state = BT_CONFIG;
486 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
487 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
488 }
79d554a6
MH		 489 } else {
490 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
491 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
492 }
493
494 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
495 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
4e8402a3
MH		 496 }
497
498 bh_unlock_sock(sk);
499 }
500
501 read_unlock(&l->lock);
502}
503
504static void l2cap_conn_ready(struct l2cap_conn *conn)
505{
79d554a6
MH		 506 struct l2cap_chan_list *l = &conn->chan_list;
507 struct sock *sk;
4e8402a3 508
79d554a6 509 BT_DBG("conn %p", conn);
4e8402a3 510
79d554a6 511 read_lock(&l->lock);
4e8402a3 512
79d554a6
MH		 513 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
514 bh_lock_sock(sk);
4e8402a3 515
bd3c9e25
GP		 516 if (sk->sk_type != SOCK_SEQPACKET &&
517 sk->sk_type != SOCK_STREAM) {
79d554a6
MH		 518 l2cap_sock_clear_timer(sk);
519 sk->sk_state = BT_CONNECTED;
520 sk->sk_state_change(sk);
521 } else if (sk->sk_state == BT_CONNECT)
522 l2cap_do_start(sk);
4e8402a3 523
79d554a6 524 bh_unlock_sock(sk);
4e8402a3 525 }
79d554a6
MH		 526
527 read_unlock(&l->lock);
4e8402a3
MH		 528}
529
530/* Notify sockets that we cannot guaranty reliability anymore */
531static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
532{
533 struct l2cap_chan_list *l = &conn->chan_list;
534 struct sock *sk;
535
536 BT_DBG("conn %p", conn);
537
538 read_lock(&l->lock);
539
540 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
2af6b9d5 541 if (l2cap_pi(sk)->force_reliable)
4e8402a3
MH		 542 sk->sk_err = err;
543 }
544
545 read_unlock(&l->lock);
546}
547
548static void l2cap_info_timeout(unsigned long arg)
549{
550 struct l2cap_conn *conn = (void *) arg;
551
984947dc 552 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 553 conn->info_ident = 0;
984947dc 554
4e8402a3
MH		 555 l2cap_conn_start(conn);
556}
557
1da177e4
LT		 558static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
559{
0139418c 560 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4 561
0139418c 562 if (conn || status)
1da177e4
LT		 563 return conn;
564
0139418c
MH		 565 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
566 if (!conn)
1da177e4 567 return NULL;
1da177e4
LT		 568
569 hcon->l2cap_data = conn;
570 conn->hcon = hcon;
571
0139418c
MH		 572 BT_DBG("hcon %p conn %p", hcon, conn);
573
1da177e4
LT		 574 conn->mtu = hcon->hdev->acl_mtu;
575 conn->src = &hcon->hdev->bdaddr;
576 conn->dst = &hcon->dst;
577
4e8402a3
MH		 578 conn->feat_mask = 0;
579
1da177e4
LT		 580 spin_lock_init(&conn->lock);
581 rwlock_init(&conn->chan_list.lock);
582
45054dc1
DY		 583 setup_timer(&conn->info_timer, l2cap_info_timeout,
584 (unsigned long) conn);
585
2950f21a
MH		 586 conn->disc_reason = 0x13;
587
1da177e4
LT		 588 return conn;
589}
590
0139418c 591static void l2cap_conn_del(struct hci_conn *hcon, int err)
1da177e4 592{
0139418c 593 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4
LT		 594 struct sock *sk;
595
0139418c
MH		 596 if (!conn)
597 return;
1da177e4
LT		 598
599 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
600
7585b97a 601 kfree_skb(conn->rx_skb);
1da177e4
LT		 602
603 /* Kill channels */
604 while ((sk = conn->chan_list.head)) {
605 bh_lock_sock(sk);
606 l2cap_chan_del(sk, err);
607 bh_unlock_sock(sk);
608 l2cap_sock_kill(sk);
609 }
610
8e8440f5
DY		 611 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
612 del_timer_sync(&conn->info_timer);
3ab22731 613
1da177e4
LT		 614 hcon->l2cap_data = NULL;
615 kfree(conn);
1da177e4
LT		 616}
617
618static inline void l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent)
619{
620 struct l2cap_chan_list *l = &conn->chan_list;
fd1278d7 621 write_lock_bh(&l->lock);
1da177e4 622 __l2cap_chan_add(conn, sk, parent);
fd1278d7 623 write_unlock_bh(&l->lock);
1da177e4
LT		 624}
625
1da177e4 626/* ---- Socket interface ---- */
8e036fc3 627static struct sock *__l2cap_get_sock_by_addr(__le16 psm, bdaddr_t *src)
1da177e4
LT		 628{
629 struct sock *sk;
630 struct hlist_node *node;
631 sk_for_each(sk, node, &l2cap_sk_list.head)
632 if (l2cap_pi(sk)->sport == psm && !bacmp(&bt_sk(sk)->src, src))
633 goto found;
634 sk = NULL;
635found:
636 return sk;
637}
638
639/* Find socket with psm and source bdaddr.
640 * Returns closest match.
641 */
8e036fc3 642static struct sock *__l2cap_get_sock_by_psm(int state, __le16 psm, bdaddr_t *src)
1da177e4
LT		 643{
644 struct sock *sk = NULL, *sk1 = NULL;
645 struct hlist_node *node;
646
647 sk_for_each(sk, node, &l2cap_sk_list.head) {
648 if (state && sk->sk_state != state)
649 continue;
650
651 if (l2cap_pi(sk)->psm == psm) {
652 /* Exact match. */
653 if (!bacmp(&bt_sk(sk)->src, src))
654 break;
655
656 /* Closest match */
657 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
658 sk1 = sk;
659 }
660 }
661 return node ? sk : sk1;
662}
663
664/* Find socket with given address (psm, src).
665 * Returns locked socket */
8e036fc3 666static inline struct sock *l2cap_get_sock_by_psm(int state, __le16 psm, bdaddr_t *src)
1da177e4
LT		 667{
668 struct sock *s;
669 read_lock(&l2cap_sk_list.lock);
670 s = __l2cap_get_sock_by_psm(state, psm, src);
af05b30b
GP		 671 if (s)
672 bh_lock_sock(s);
1da177e4
LT		 673 read_unlock(&l2cap_sk_list.lock);
674 return s;
675}
676
677static void l2cap_sock_destruct(struct sock *sk)
678{
679 BT_DBG("sk %p", sk);
680
681 skb_queue_purge(&sk->sk_receive_queue);
682 skb_queue_purge(&sk->sk_write_queue);
683}
684
685static void l2cap_sock_cleanup_listen(struct sock *parent)
686{
687 struct sock *sk;
688
689 BT_DBG("parent %p", parent);
690
691 /* Close not yet accepted channels */
692 while ((sk = bt_accept_dequeue(parent, NULL)))
693 l2cap_sock_close(sk);
694
b1235d79 695 parent->sk_state = BT_CLOSED;
1da177e4
LT		 696 sock_set_flag(parent, SOCK_ZAPPED);
697}
698
699/* Kill socket (only if zapped and orphan)
700 * Must be called on unlocked socket.
701 */
702static void l2cap_sock_kill(struct sock *sk)
703{
704 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
705 return;
706
707 BT_DBG("sk %p state %d", sk, sk->sk_state);
708
709 /* Kill poor orphan */
710 bt_sock_unlink(&l2cap_sk_list, sk);
711 sock_set_flag(sk, SOCK_DEAD);
712 sock_put(sk);
713}
714
715static void __l2cap_sock_close(struct sock *sk, int reason)
716{
717 BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
718
719 switch (sk->sk_state) {
720 case BT_LISTEN:
721 l2cap_sock_cleanup_listen(sk);
722 break;
723
724 case BT_CONNECTED:
725 case BT_CONFIG:
bd3c9e25
GP		 726 if (sk->sk_type == SOCK_SEQPACKET ||
727 sk->sk_type == SOCK_STREAM) {
1da177e4 728 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1da177e4
LT		 729
730 sk->sk_state = BT_DISCONN;
731 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
22121fc9 732 l2cap_send_disconn_req(conn, sk);
b1235d79 733 } else
1da177e4 734 l2cap_chan_del(sk, reason);
1da177e4
LT		 735 break;
736
f66dc81f 737 case BT_CONNECT2:
bd3c9e25
GP		 738 if (sk->sk_type == SOCK_SEQPACKET ||
739 sk->sk_type == SOCK_STREAM) {
f66dc81f
MH		 740 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
741 struct l2cap_conn_rsp rsp;
742 __u16 result;
743
744 if (bt_sk(sk)->defer_setup)
745 result = L2CAP_CR_SEC_BLOCK;
746 else
747 result = L2CAP_CR_BAD_PSM;
748
749 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
750 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
751 rsp.result = cpu_to_le16(result);
752 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
753 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
754 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
755 } else
756 l2cap_chan_del(sk, reason);
757 break;
758
1da177e4
LT		 759 case BT_CONNECT:
760 case BT_DISCONN:
761 l2cap_chan_del(sk, reason);
762 break;
763
764 default:
765 sock_set_flag(sk, SOCK_ZAPPED);
766 break;
767 }
768}
769
770/* Must be called on unlocked socket. */
771static void l2cap_sock_close(struct sock *sk)
772{
773 l2cap_sock_clear_timer(sk);
774 lock_sock(sk);
775 __l2cap_sock_close(sk, ECONNRESET);
776 release_sock(sk);
777 l2cap_sock_kill(sk);
778}
779
780static void l2cap_sock_init(struct sock *sk, struct sock *parent)
781{
782 struct l2cap_pinfo *pi = l2cap_pi(sk);
783
784 BT_DBG("sk %p", sk);
785
786 if (parent) {
787 sk->sk_type = parent->sk_type;
f66dc81f
MH		 788 bt_sk(sk)->defer_setup = bt_sk(parent)->defer_setup;
789
1da177e4
LT		 790 pi->imtu = l2cap_pi(parent)->imtu;
791 pi->omtu = l2cap_pi(parent)->omtu;
c6b03cf9
MH		 792 pi->mode = l2cap_pi(parent)->mode;
793 pi->fcs = l2cap_pi(parent)->fcs;
68d7f0ce 794 pi->max_tx = l2cap_pi(parent)->max_tx;
14b5aa71 795 pi->tx_win = l2cap_pi(parent)->tx_win;
2af6b9d5
MH		 796 pi->sec_level = l2cap_pi(parent)->sec_level;
797 pi->role_switch = l2cap_pi(parent)->role_switch;
798 pi->force_reliable = l2cap_pi(parent)->force_reliable;
1da177e4
LT		 799 } else {
800 pi->imtu = L2CAP_DEFAULT_MTU;
801 pi->omtu = 0;
bd3c9e25
GP		 802 if (enable_ertm && sk->sk_type == SOCK_STREAM)
803 pi->mode = L2CAP_MODE_ERTM;
804 else
805 pi->mode = L2CAP_MODE_BASIC;
68d7f0ce 806 pi->max_tx = max_transmit;
c6b03cf9 807 pi->fcs = L2CAP_FCS_CRC16;
369ba302 808 pi->tx_win = tx_window;
2af6b9d5
MH		 809 pi->sec_level = BT_SECURITY_LOW;
810 pi->role_switch = 0;
811 pi->force_reliable = 0;
1da177e4
LT		 812 }
813
814 /* Default config options */
5dee9e7c 815 pi->conf_len = 0;
1da177e4 816 pi->flush_to = L2CAP_DEFAULT_FLUSH_TO;
45054dc1
DY		 817 skb_queue_head_init(TX_QUEUE(sk));
818 skb_queue_head_init(SREJ_QUEUE(sk));
819 INIT_LIST_HEAD(SREJ_LIST(sk));
1da177e4
LT		 820}
821
822static struct proto l2cap_proto = {
823 .name = "L2CAP",
824 .owner = THIS_MODULE,
825 .obj_size = sizeof(struct l2cap_pinfo)
826};
827
1b8d7ae4 828static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio)
1da177e4
LT		 829{
830 struct sock *sk;
831
6257ff21 832 sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto);
1da177e4
LT		 833 if (!sk)
834 return NULL;
835
836 sock_init_data(sock, sk);
837 INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
838
839 sk->sk_destruct = l2cap_sock_destruct;
4e8402a3 840 sk->sk_sndtimeo = msecs_to_jiffies(L2CAP_CONN_TIMEOUT);
1da177e4
LT		 841
842 sock_reset_flag(sk, SOCK_ZAPPED);
843
844 sk->sk_protocol = proto;
b1235d79 845 sk->sk_state = BT_OPEN;
1da177e4 846
b1235d79 847 setup_timer(&sk->sk_timer, l2cap_sock_timeout, (unsigned long) sk);
1da177e4
LT		 848
849 bt_sock_link(&l2cap_sk_list, sk);
850 return sk;
851}
852
3f378b68
EP		 853static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
854 int kern)
1da177e4
LT		 855{
856 struct sock *sk;
857
858 BT_DBG("sock %p", sock);
859
860 sock->state = SS_UNCONNECTED;
861
bd3c9e25 862 if (sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM &&
1da177e4
LT		 863 sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
864 return -ESOCKTNOSUPPORT;
865
c84b3268 866 if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
1da177e4
LT		 867 return -EPERM;
868
869 sock->ops = &l2cap_sock_ops;
870
1b8d7ae4 871 sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC);
1da177e4
LT		 872 if (!sk)
873 return -ENOMEM;
874
875 l2cap_sock_init(sk, NULL);
876 return 0;
877}
878
f29972de 879static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
1da177e4 880{
1da177e4 881 struct sock *sk = sock->sk;
f29972de
MH		 882 struct sockaddr_l2 la;
883 int len, err = 0;
1da177e4 884
f29972de 885 BT_DBG("sk %p", sk);
1da177e4
LT		 886
887 if (!addr || addr->sa_family != AF_BLUETOOTH)
888 return -EINVAL;
889
f29972de
MH		 890 memset(&la, 0, sizeof(la));
891 len = min_t(unsigned int, sizeof(la), alen);
892 memcpy(&la, addr, len);
893
2a517ca6
MH		 894 if (la.l2_cid)
895 return -EINVAL;
896
1da177e4
LT		 897 lock_sock(sk);
898
899 if (sk->sk_state != BT_OPEN) {
900 err = -EBADFD;
901 goto done;
902 }
903
b4324b5d 904 if (la.l2_psm && __le16_to_cpu(la.l2_psm) < 0x1001 &&
847641d7
MH		 905 !capable(CAP_NET_BIND_SERVICE)) {
906 err = -EACCES;
907 goto done;
908 }
8e87d142 909
1da177e4
LT		 910 write_lock_bh(&l2cap_sk_list.lock);
911
f29972de 912 if (la.l2_psm && __l2cap_get_sock_by_addr(la.l2_psm, &la.l2_bdaddr)) {
1da177e4
LT		 913 err = -EADDRINUSE;
914 } else {
915 /* Save source address */
f29972de
MH		 916 bacpy(&bt_sk(sk)->src, &la.l2_bdaddr);
917 l2cap_pi(sk)->psm = la.l2_psm;
918 l2cap_pi(sk)->sport = la.l2_psm;
1da177e4 919 sk->sk_state = BT_BOUND;
2af6b9d5 920
b4324b5d
MH		 921 if (__le16_to_cpu(la.l2_psm) == 0x0001 ||
922 __le16_to_cpu(la.l2_psm) == 0x0003)
2af6b9d5 923 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
1da177e4
LT		 924 }
925
926 write_unlock_bh(&l2cap_sk_list.lock);
927
928done:
929 release_sock(sk);
930 return err;
931}
932
933static int l2cap_do_connect(struct sock *sk)
934{
935 bdaddr_t *src = &bt_sk(sk)->src;
936 bdaddr_t *dst = &bt_sk(sk)->dst;
937 struct l2cap_conn *conn;
938 struct hci_conn *hcon;
939 struct hci_dev *hdev;
09ab6f4c 940 __u8 auth_type;
44d0e48e 941 int err;
1da177e4 942
f29972de
MH		 943 BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
944 l2cap_pi(sk)->psm);
1da177e4 945
af05b30b
GP		 946 hdev = hci_get_route(dst, src);
947 if (!hdev)
1da177e4
LT		 948 return -EHOSTUNREACH;
949
950 hci_dev_lock_bh(hdev);
951
952 err = -ENOMEM;
953
8c1b2355 954 if (sk->sk_type == SOCK_RAW) {
2af6b9d5
MH		 955 switch (l2cap_pi(sk)->sec_level) {
956 case BT_SECURITY_HIGH:
8c1b2355 957 auth_type = HCI_AT_DEDICATED_BONDING_MITM;
2af6b9d5
MH		 958 break;
959 case BT_SECURITY_MEDIUM:
8c1b2355 960 auth_type = HCI_AT_DEDICATED_BONDING;
2af6b9d5
MH		 961 break;
962 default:
09ab6f4c 963 auth_type = HCI_AT_NO_BONDING;
2af6b9d5
MH		 964 break;
965 }
8c1b2355 966 } else if (l2cap_pi(sk)->psm == cpu_to_le16(0x0001)) {
2af6b9d5 967 if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
8c1b2355 968 auth_type = HCI_AT_NO_BONDING_MITM;
09ab6f4c 969 else
8c1b2355 970 auth_type = HCI_AT_NO_BONDING;
435fef20
MH		 971
972 if (l2cap_pi(sk)->sec_level == BT_SECURITY_LOW)
973 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
8c1b2355 974 } else {
2af6b9d5
MH		 975 switch (l2cap_pi(sk)->sec_level) {
976 case BT_SECURITY_HIGH:
8c1b2355 977 auth_type = HCI_AT_GENERAL_BONDING_MITM;
2af6b9d5
MH		 978 break;
979 case BT_SECURITY_MEDIUM:
09ab6f4c 980 auth_type = HCI_AT_GENERAL_BONDING;
2af6b9d5
MH		 981 break;
982 default:
8c1b2355 983 auth_type = HCI_AT_NO_BONDING;
2af6b9d5
MH		 984 break;
985 }
09ab6f4c
MH		 986 }
987
2af6b9d5
MH		 988 hcon = hci_connect(hdev, ACL_LINK, dst,
989 l2cap_pi(sk)->sec_level, auth_type);
1da177e4
LT		 990 if (!hcon)
991 goto done;
992
993 conn = l2cap_conn_add(hcon, 0);
994 if (!conn) {
995 hci_conn_put(hcon);
996 goto done;
997 }
998
999 err = 0;
1000
1001 /* Update source addr of the socket */
1002 bacpy(src, conn->src);
1003
1004 l2cap_chan_add(conn, sk, NULL);
1005
1006 sk->sk_state = BT_CONNECT;
1007 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
1008
1009 if (hcon->state == BT_CONNECTED) {
bd3c9e25
GP		 1010 if (sk->sk_type != SOCK_SEQPACKET &&
1011 sk->sk_type != SOCK_STREAM) {
1da177e4
LT		 1012 l2cap_sock_clear_timer(sk);
1013 sk->sk_state = BT_CONNECTED;
79d554a6
MH		 1014 } else
1015 l2cap_do_start(sk);
1da177e4
LT		 1016 }
1017
1018done:
1019 hci_dev_unlock_bh(hdev);
1020 hci_dev_put(hdev);
1021 return err;
1022}
1023
1024static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags)
1025{
1da177e4 1026 struct sock *sk = sock->sk;
f29972de
MH		 1027 struct sockaddr_l2 la;
1028 int len, err = 0;
1da177e4 1029
1da177e4
LT		 1030 BT_DBG("sk %p", sk);
1031
6503d961
CG		 1032 if (!addr || alen < sizeof(addr->sa_family) ||
1033 addr->sa_family != AF_BLUETOOTH)
2a517ca6 1034 return -EINVAL;
1da177e4 1035
f29972de
MH		 1036 memset(&la, 0, sizeof(la));
1037 len = min_t(unsigned int, sizeof(la), alen);
1038 memcpy(&la, addr, len);
1039
2a517ca6
MH		 1040 if (la.l2_cid)
1041 return -EINVAL;
1042
1043 lock_sock(sk);
1044
bd3c9e25
GP		 1045 if ((sk->sk_type == SOCK_SEQPACKET || sk->sk_type == SOCK_STREAM)
1046 && !la.l2_psm) {
1da177e4
LT		 1047 err = -EINVAL;
1048 goto done;
1049 }
1050
c6b03cf9
MH		 1051 switch (l2cap_pi(sk)->mode) {
1052 case L2CAP_MODE_BASIC:
1053 break;
1054 case L2CAP_MODE_ERTM:
f2fcfcd6 1055 case L2CAP_MODE_STREAMING:
c6b03cf9
MH		 1056 if (enable_ertm)
1057 break;
1058 /* fall through */
1059 default:
1060 err = -ENOTSUPP;
1061 goto done;
1062 }
1063
af05b30b 1064 switch (sk->sk_state) {
1da177e4
LT		 1065 case BT_CONNECT:
1066 case BT_CONNECT2:
1067 case BT_CONFIG:
1068 /* Already connecting */
1069 goto wait;
1070
1071 case BT_CONNECTED:
1072 /* Already connected */
1073 goto done;
1074
1075 case BT_OPEN:
1076 case BT_BOUND:
1077 /* Can connect */
1078 break;
1079
1080 default:
1081 err = -EBADFD;
1082 goto done;
1083 }
1084
1085 /* Set destination address and psm */
f29972de
MH		 1086 bacpy(&bt_sk(sk)->dst, &la.l2_bdaddr);
1087 l2cap_pi(sk)->psm = la.l2_psm;
1da177e4 1088
af05b30b
GP		 1089 err = l2cap_do_connect(sk);
1090 if (err)
1da177e4
LT		 1091 goto done;
1092
1093wait:
1094 err = bt_sock_wait_state(sk, BT_CONNECTED,
1095 sock_sndtimeo(sk, flags & O_NONBLOCK));
1096done:
1097 release_sock(sk);
1098 return err;
1099}
1100
1101static int l2cap_sock_listen(struct socket *sock, int backlog)
1102{
1103 struct sock *sk = sock->sk;
1104 int err = 0;
1105
1106 BT_DBG("sk %p backlog %d", sk, backlog);
1107
1108 lock_sock(sk);
1109
bd3c9e25
GP		 1110 if ((sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM)
1111 || sk->sk_state != BT_BOUND) {
1da177e4
LT		 1112 err = -EBADFD;
1113 goto done;
1114 }
1115
c6b03cf9
MH		 1116 switch (l2cap_pi(sk)->mode) {
1117 case L2CAP_MODE_BASIC:
1118 break;
1119 case L2CAP_MODE_ERTM:
f2fcfcd6 1120 case L2CAP_MODE_STREAMING:
c6b03cf9
MH		 1121 if (enable_ertm)
1122 break;
1123 /* fall through */
1124 default:
1125 err = -ENOTSUPP;
1126 goto done;
1127 }
1128
1da177e4
LT		 1129 if (!l2cap_pi(sk)->psm) {
1130 bdaddr_t *src = &bt_sk(sk)->src;
1131 u16 psm;
1132
1133 err = -EINVAL;
1134
1135 write_lock_bh(&l2cap_sk_list.lock);
1136
1137 for (psm = 0x1001; psm < 0x1100; psm += 2)
b4324b5d
MH		 1138 if (!__l2cap_get_sock_by_addr(cpu_to_le16(psm), src)) {
1139 l2cap_pi(sk)->psm = cpu_to_le16(psm);
1140 l2cap_pi(sk)->sport = cpu_to_le16(psm);
1da177e4
LT		 1141 err = 0;
1142 break;
1143 }
1144
1145 write_unlock_bh(&l2cap_sk_list.lock);
1146
1147 if (err < 0)
1148 goto done;
1149 }
1150
1151 sk->sk_max_ack_backlog = backlog;
1152 sk->sk_ack_backlog = 0;
1153 sk->sk_state = BT_LISTEN;
1154
1155done:
1156 release_sock(sk);
1157 return err;
1158}
1159
1160static int l2cap_sock_accept(struct socket *sock, struct socket *newsock, int flags)
1161{
1162 DECLARE_WAITQUEUE(wait, current);
1163 struct sock *sk = sock->sk, *nsk;
1164 long timeo;
1165 int err = 0;
1166
fcc70d5f 1167 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
1da177e4
LT		 1168
1169 if (sk->sk_state != BT_LISTEN) {
1170 err = -EBADFD;
1171 goto done;
1172 }
1173
1174 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
1175
1176 BT_DBG("sk %p timeo %ld", sk, timeo);
1177
1178 /* Wait for an incoming connection. (wake-one). */
aa395145 1179 add_wait_queue_exclusive(sk_sleep(sk), &wait);
1da177e4
LT		 1180 while (!(nsk = bt_accept_dequeue(sk, newsock))) {
1181 set_current_state(TASK_INTERRUPTIBLE);
1182 if (!timeo) {
1183 err = -EAGAIN;
1184 break;
1185 }
1186
1187 release_sock(sk);
1188 timeo = schedule_timeout(timeo);
fcc70d5f 1189 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
1da177e4
LT		 1190
1191 if (sk->sk_state != BT_LISTEN) {
1192 err = -EBADFD;
1193 break;
1194 }
1195
1196 if (signal_pending(current)) {
1197 err = sock_intr_errno(timeo);
1198 break;
1199 }
1200 }
1201 set_current_state(TASK_RUNNING);
aa395145 1202 remove_wait_queue(sk_sleep(sk), &wait);
1da177e4
LT		 1203
1204 if (err)
1205 goto done;
1206
1207 newsock->state = SS_CONNECTED;
1208
1209 BT_DBG("new socket %p", nsk);
1210
1211done:
1212 release_sock(sk);
1213 return err;
1214}
1215
1216static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr, int *len, int peer)
1217{
1218 struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
1219 struct sock *sk = sock->sk;
1220
1221 BT_DBG("sock %p, sk %p", sock, sk);
1222
1223 addr->sa_family = AF_BLUETOOTH;
1224 *len = sizeof(struct sockaddr_l2);
1225
f29972de
MH		 1226 if (peer) {
1227 la->l2_psm = l2cap_pi(sk)->psm;
1da177e4 1228 bacpy(&la->l2_bdaddr, &bt_sk(sk)->dst);
b4324b5d 1229 la->l2_cid = cpu_to_le16(l2cap_pi(sk)->dcid);
f29972de
MH		 1230 } else {
1231 la->l2_psm = l2cap_pi(sk)->sport;
1da177e4 1232 bacpy(&la->l2_bdaddr, &bt_sk(sk)->src);
b4324b5d 1233 la->l2_cid = cpu_to_le16(l2cap_pi(sk)->scid);
f29972de 1234 }
1da177e4 1235
1da177e4
LT		 1236 return 0;
1237}
1238
e90bac06
GP		 1239static void l2cap_monitor_timeout(unsigned long arg)
1240{
1241 struct sock *sk = (void *) arg;
e90bac06 1242
e686219a 1243 bh_lock_sock(sk);
e90bac06
GP		 1244 if (l2cap_pi(sk)->retry_count >= l2cap_pi(sk)->remote_max_tx) {
1245 l2cap_send_disconn_req(l2cap_pi(sk)->conn, sk);
b13f5860 1246 bh_unlock_sock(sk);
e90bac06
GP		 1247 return;
1248 }
1249
1250 l2cap_pi(sk)->retry_count++;
1251 __mod_monitor_timer();
1252
a2e12a2a 1253 l2cap_send_rr_or_rnr(l2cap_pi(sk), L2CAP_CTRL_POLL);
e686219a 1254 bh_unlock_sock(sk);
e90bac06
GP		 1255}
1256
1257static void l2cap_retrans_timeout(unsigned long arg)
1258{
1259 struct sock *sk = (void *) arg;
e90bac06 1260
e686219a 1261 bh_lock_sock(sk);
e90bac06
GP		 1262 l2cap_pi(sk)->retry_count = 1;
1263 __mod_monitor_timer();
1264
1265 l2cap_pi(sk)->conn_state |= L2CAP_CONN_WAIT_F;
1266
a2e12a2a 1267 l2cap_send_rr_or_rnr(l2cap_pi(sk), L2CAP_CTRL_POLL);
e686219a 1268 bh_unlock_sock(sk);
e90bac06
GP		 1269}
1270
1c2acffb 1271static void l2cap_drop_acked_frames(struct sock *sk)
1da177e4 1272{
1c2acffb 1273 struct sk_buff *skb;
1da177e4 1274
812e737e
GP		 1275 while ((skb = skb_peek(TX_QUEUE(sk))) &&
1276 l2cap_pi(sk)->unacked_frames) {
1c2acffb
GP		 1277 if (bt_cb(skb)->tx_seq == l2cap_pi(sk)->expected_ack_seq)
1278 break;
1da177e4 1279
1c2acffb
GP		 1280 skb = skb_dequeue(TX_QUEUE(sk));
1281 kfree_skb(skb);
1da177e4 1282
1c2acffb
GP		 1283 l2cap_pi(sk)->unacked_frames--;
1284 }
1da177e4 1285
e90bac06
GP		 1286 if (!l2cap_pi(sk)->unacked_frames)
1287 del_timer(&l2cap_pi(sk)->retrans_timer);
1288
1c2acffb
GP		 1289 return;
1290}
1da177e4 1291
9a9c6a34 1292static inline void l2cap_do_send(struct sock *sk, struct sk_buff *skb)
1c2acffb
GP		 1293{
1294 struct l2cap_pinfo *pi = l2cap_pi(sk);
1c2acffb
GP		 1295
1296 BT_DBG("sk %p, skb %p len %d", sk, skb, skb->len);
1da177e4 1297
9a9c6a34 1298 hci_send_acl(pi->conn->hcon, skb, 0);
1c2acffb
GP		 1299}
1300
6840ed07
GP		 1301static int l2cap_streaming_send(struct sock *sk)
1302{
1303 struct sk_buff *skb, *tx_skb;
1304 struct l2cap_pinfo *pi = l2cap_pi(sk);
fcc203c3 1305 u16 control, fcs;
6840ed07
GP		 1306
1307 while ((skb = sk->sk_send_head)) {
1308 tx_skb = skb_clone(skb, GFP_ATOMIC);
1309
1310 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
1311 control |= pi->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT;
1312 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1313
e8235c6b 1314 if (pi->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 1315 fcs = crc16(0, (u8 *)tx_skb->data, tx_skb->len - 2);
1316 put_unaligned_le16(fcs, tx_skb->data + tx_skb->len - 2);
1317 }
1318
9a9c6a34 1319 l2cap_do_send(sk, tx_skb);
6840ed07
GP		 1320
1321 pi->next_tx_seq = (pi->next_tx_seq + 1) % 64;
1322
1323 if (skb_queue_is_last(TX_QUEUE(sk), skb))
1324 sk->sk_send_head = NULL;
1325 else
1326 sk->sk_send_head = skb_queue_next(TX_QUEUE(sk), skb);
1327
1328 skb = skb_dequeue(TX_QUEUE(sk));
1329 kfree_skb(skb);
1330 }
1331 return 0;
1332}
1333
f11d676d 1334static void l2cap_retransmit_frame(struct sock *sk, u8 tx_seq)
8f17154f
GP		 1335{
1336 struct l2cap_pinfo *pi = l2cap_pi(sk);
1337 struct sk_buff *skb, *tx_skb;
1338 u16 control, fcs;
8f17154f
GP		 1339
1340 skb = skb_peek(TX_QUEUE(sk));
f11d676d
GP		 1341 if (!skb)
1342 return;
8f17154f 1343
f11d676d
GP		 1344 do {
1345 if (bt_cb(skb)->tx_seq == tx_seq)
8f17154f 1346 break;
8f17154f 1347
f11d676d
GP		 1348 if (skb_queue_is_last(TX_QUEUE(sk), skb))
1349 return;
8f17154f 1350
f11d676d 1351 } while ((skb = skb_queue_next(TX_QUEUE(sk), skb)));
8f17154f 1352
f11d676d
GP		 1353 if (pi->remote_max_tx &&
1354 bt_cb(skb)->retries == pi->remote_max_tx) {
1355 l2cap_send_disconn_req(pi->conn, sk);
1356 return;
1357 }
1358
1359 tx_skb = skb_clone(skb, GFP_ATOMIC);
1360 bt_cb(skb)->retries++;
1361 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
1362 control |= (pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1363 | (tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
1364 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1365
1366 if (pi->fcs == L2CAP_FCS_CRC16) {
1367 fcs = crc16(0, (u8 *)tx_skb->data, tx_skb->len - 2);
1368 put_unaligned_le16(fcs, tx_skb->data + tx_skb->len - 2);
1369 }
1370
1371 l2cap_do_send(sk, tx_skb);
8f17154f
GP		 1372}
1373
1c2acffb
GP		 1374static int l2cap_ertm_send(struct sock *sk)
1375{
1376 struct sk_buff *skb, *tx_skb;
1377 struct l2cap_pinfo *pi = l2cap_pi(sk);
fcc203c3 1378 u16 control, fcs;
9a9c6a34 1379 int nsent = 0;
1c2acffb 1380
e90bac06
GP		 1381 if (pi->conn_state & L2CAP_CONN_WAIT_F)
1382 return 0;
1383
f64f9e71 1384 while ((skb = sk->sk_send_head) && (!l2cap_tx_window_full(sk)) &&
59203a21 1385 !(pi->conn_state & L2CAP_CONN_REMOTE_BUSY)) {
1c2acffb 1386
e90bac06
GP		 1387 if (pi->remote_max_tx &&
1388 bt_cb(skb)->retries == pi->remote_max_tx) {
1389 l2cap_send_disconn_req(pi->conn, sk);
1390 break;
1391 }
1392
e420aba3
AE		 1393 tx_skb = skb_clone(skb, GFP_ATOMIC);
1394
e90bac06
GP		 1395 bt_cb(skb)->retries++;
1396
1c2acffb 1397 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
d5392c8f
GP		 1398 if (pi->conn_state & L2CAP_CONN_SEND_FBIT) {
1399 control |= L2CAP_CTRL_FINAL;
1400 pi->conn_state &= ~L2CAP_CONN_SEND_FBIT;
1401 }
9f121a5a 1402 control |= (pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1c2acffb
GP		 1403 | (pi->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
1404 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1405
e90bac06 1406
e8235c6b 1407 if (pi->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 1408 fcs = crc16(0, (u8 *)skb->data, tx_skb->len - 2);
1409 put_unaligned_le16(fcs, skb->data + tx_skb->len - 2);
1410 }
1411
9a9c6a34
GP		 1412 l2cap_do_send(sk, tx_skb);
1413
e90bac06 1414 __mod_retrans_timer();
1c2acffb
GP		 1415
1416 bt_cb(skb)->tx_seq = pi->next_tx_seq;
1417 pi->next_tx_seq = (pi->next_tx_seq + 1) % 64;
1418
1419 pi->unacked_frames++;
d5392c8f 1420 pi->frames_sent++;
1c2acffb
GP		 1421
1422 if (skb_queue_is_last(TX_QUEUE(sk), skb))
1423 sk->sk_send_head = NULL;
1424 else
1425 sk->sk_send_head = skb_queue_next(TX_QUEUE(sk), skb);
9e917af1
GP		 1426
1427 nsent++;
1c2acffb
GP		 1428 }
1429
9e917af1
GP		 1430 return nsent;
1431}
1432
9a9c6a34 1433static void l2cap_send_ack(struct l2cap_pinfo *pi)
9e917af1
GP		 1434{
1435 struct sock *sk = (struct sock *)pi;
1436 u16 control = 0;
1437
1438 control |= pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1439
1440 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) {
1441 control |= L2CAP_SUPER_RCV_NOT_READY;
9a9c6a34
GP		 1442 l2cap_send_sframe(pi, control);
1443 return;
9e917af1
GP		 1444 } else if (l2cap_ertm_send(sk) == 0) {
1445 control |= L2CAP_SUPER_RCV_READY;
9a9c6a34 1446 l2cap_send_sframe(pi, control);
9e917af1 1447 }
1c2acffb
GP		 1448}
1449
9a9c6a34 1450static void l2cap_send_srejtail(struct sock *sk)
99b0d4b7
GP		 1451{
1452 struct srej_list *tail;
1453 u16 control;
1454
1455 control = L2CAP_SUPER_SELECT_REJECT;
1456 control |= L2CAP_CTRL_FINAL;
1457
1458 tail = list_entry(SREJ_LIST(sk)->prev, struct srej_list, list);
1459 control |= tail->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1460
1461 l2cap_send_sframe(l2cap_pi(sk), control);
99b0d4b7
GP		 1462}
1463
1c2acffb
GP		 1464static inline int l2cap_skbuff_fromiovec(struct sock *sk, struct msghdr *msg, int len, int count, struct sk_buff *skb)
1465{
1466 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1467 struct sk_buff **frag;
1468 int err, sent = 0;
1da177e4 1469
59203a21 1470 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1471 return -EFAULT;
1da177e4
LT		 1472
1473 sent += count;
1474 len -= count;
1475
1476 /* Continuation fragments (no L2CAP header) */
1477 frag = &skb_shinfo(skb)->frag_list;
1478 while (len) {
1479 count = min_t(unsigned int, conn->mtu, len);
1480
1481 *frag = bt_skb_send_alloc(sk, count, msg->msg_flags & MSG_DONTWAIT, &err);
1482 if (!*frag)
1c2acffb
GP		 1483 return -EFAULT;
1484 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1485 return -EFAULT;
1da177e4
LT		 1486
1487 sent += count;
1488 len -= count;
1489
1490 frag = &(*frag)->next;
1491 }
1da177e4
LT		 1492
1493 return sent;
1c2acffb 1494}
1da177e4 1495
1c2acffb
GP		 1496static struct sk_buff *l2cap_create_connless_pdu(struct sock *sk, struct msghdr *msg, size_t len)
1497{
1498 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1499 struct sk_buff *skb;
1500 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1501 struct l2cap_hdr *lh;
1502
1503 BT_DBG("sk %p len %d", sk, (int)len);
1504
1505 count = min_t(unsigned int, (conn->mtu - hlen), len);
1506 skb = bt_skb_send_alloc(sk, count + hlen,
1507 msg->msg_flags & MSG_DONTWAIT, &err);
1508 if (!skb)
1509 return ERR_PTR(-ENOMEM);
1510
1511 /* Create L2CAP header */
1512 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1513 lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1514 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1515 put_unaligned_le16(l2cap_pi(sk)->psm, skb_put(skb, 2));
1516
1517 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1518 if (unlikely(err < 0)) {
1519 kfree_skb(skb);
1520 return ERR_PTR(err);
1521 }
1522 return skb;
1523}
1524
1525static struct sk_buff *l2cap_create_basic_pdu(struct sock *sk, struct msghdr *msg, size_t len)
1526{
1527 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1528 struct sk_buff *skb;
1529 int err, count, hlen = L2CAP_HDR_SIZE;
1530 struct l2cap_hdr *lh;
1531
1532 BT_DBG("sk %p len %d", sk, (int)len);
1533
1534 count = min_t(unsigned int, (conn->mtu - hlen), len);
1535 skb = bt_skb_send_alloc(sk, count + hlen,
1536 msg->msg_flags & MSG_DONTWAIT, &err);
1537 if (!skb)
1538 return ERR_PTR(-ENOMEM);
1539
1540 /* Create L2CAP header */
1541 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1542 lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1543 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1544
1545 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1546 if (unlikely(err < 0)) {
1547 kfree_skb(skb);
1548 return ERR_PTR(err);
1549 }
1550 return skb;
1551}
1552
6840ed07 1553static struct sk_buff *l2cap_create_iframe_pdu(struct sock *sk, struct msghdr *msg, size_t len, u16 control, u16 sdulen)
1c2acffb
GP		 1554{
1555 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1556 struct sk_buff *skb;
1557 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1558 struct l2cap_hdr *lh;
1559
1560 BT_DBG("sk %p len %d", sk, (int)len);
1561
0ee0d208
GP		 1562 if (!conn)
1563 return ERR_PTR(-ENOTCONN);
1564
c74e560c
GP		 1565 if (sdulen)
1566 hlen += 2;
1567
fcc203c3
GP		 1568 if (l2cap_pi(sk)->fcs == L2CAP_FCS_CRC16)
1569 hlen += 2;
1570
1c2acffb
GP		 1571 count = min_t(unsigned int, (conn->mtu - hlen), len);
1572 skb = bt_skb_send_alloc(sk, count + hlen,
1573 msg->msg_flags & MSG_DONTWAIT, &err);
1574 if (!skb)
1575 return ERR_PTR(-ENOMEM);
1576
1577 /* Create L2CAP header */
1578 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1579 lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1580 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1581 put_unaligned_le16(control, skb_put(skb, 2));
c74e560c
GP		 1582 if (sdulen)
1583 put_unaligned_le16(sdulen, skb_put(skb, 2));
1c2acffb
GP		 1584
1585 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1586 if (unlikely(err < 0)) {
1587 kfree_skb(skb);
1588 return ERR_PTR(err);
1589 }
e90bac06 1590
fcc203c3
GP		 1591 if (l2cap_pi(sk)->fcs == L2CAP_FCS_CRC16)
1592 put_unaligned_le16(0, skb_put(skb, 2));
1593
e90bac06 1594 bt_cb(skb)->retries = 0;
1c2acffb 1595 return skb;
1da177e4
LT		 1596}
1597
c74e560c
GP		 1598static inline int l2cap_sar_segment_sdu(struct sock *sk, struct msghdr *msg, size_t len)
1599{
1600 struct l2cap_pinfo *pi = l2cap_pi(sk);
1601 struct sk_buff *skb;
1602 struct sk_buff_head sar_queue;
1603 u16 control;
1604 size_t size = 0;
1605
ff12fd64 1606 skb_queue_head_init(&sar_queue);
c74e560c 1607 control = L2CAP_SDU_START;
1c762159 1608 skb = l2cap_create_iframe_pdu(sk, msg, pi->remote_mps, control, len);
c74e560c
GP		 1609 if (IS_ERR(skb))
1610 return PTR_ERR(skb);
1611
1612 __skb_queue_tail(&sar_queue, skb);
1c762159
GP		 1613 len -= pi->remote_mps;
1614 size += pi->remote_mps;
c74e560c
GP		 1615
1616 while (len > 0) {
1617 size_t buflen;
1618
1c762159 1619 if (len > pi->remote_mps) {
44651b85 1620 control = L2CAP_SDU_CONTINUE;
1c762159 1621 buflen = pi->remote_mps;
c74e560c 1622 } else {
44651b85 1623 control = L2CAP_SDU_END;
c74e560c
GP		 1624 buflen = len;
1625 }
1626
6840ed07 1627 skb = l2cap_create_iframe_pdu(sk, msg, buflen, control, 0);
c74e560c
GP		 1628 if (IS_ERR(skb)) {
1629 skb_queue_purge(&sar_queue);
1630 return PTR_ERR(skb);
1631 }
1632
1633 __skb_queue_tail(&sar_queue, skb);
1634 len -= buflen;
1635 size += buflen;
c74e560c
GP		 1636 }
1637 skb_queue_splice_tail(&sar_queue, TX_QUEUE(sk));
1638 if (sk->sk_send_head == NULL)
1639 sk->sk_send_head = sar_queue.next;
1640
1641 return size;
1642}
1643
1da177e4
LT		 1644static int l2cap_sock_sendmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len)
1645{
1646 struct sock *sk = sock->sk;
1c2acffb
GP		 1647 struct l2cap_pinfo *pi = l2cap_pi(sk);
1648 struct sk_buff *skb;
1649 u16 control;
1650 int err;
1da177e4
LT		 1651
1652 BT_DBG("sock %p, sk %p", sock, sk);
1653
c1cbe4b7
BL		 1654 err = sock_error(sk);
1655 if (err)
1656 return err;
1da177e4
LT		 1657
1658 if (msg->msg_flags & MSG_OOB)
1659 return -EOPNOTSUPP;
1660
1da177e4
LT		 1661 lock_sock(sk);
1662
1c2acffb 1663 if (sk->sk_state != BT_CONNECTED) {
1da177e4 1664 err = -ENOTCONN;
1c2acffb
GP		 1665 goto done;
1666 }
1da177e4 1667
1c2acffb
GP		 1668 /* Connectionless channel */
1669 if (sk->sk_type == SOCK_DGRAM) {
1670 skb = l2cap_create_connless_pdu(sk, msg, len);
9a9c6a34 1671 if (IS_ERR(skb)) {
477fffb0 1672 err = PTR_ERR(skb);
9a9c6a34
GP		 1673 } else {
1674 l2cap_do_send(sk, skb);
1675 err = len;
1676 }
1c2acffb
GP		 1677 goto done;
1678 }
1679
1680 switch (pi->mode) {
1681 case L2CAP_MODE_BASIC:
c69163e9
GP		 1682 /* Check outgoing MTU */
1683 if (len > pi->omtu) {
1684 err = -EINVAL;
1685 goto done;
1686 }
1687
1c2acffb
GP		 1688 /* Create a basic PDU */
1689 skb = l2cap_create_basic_pdu(sk, msg, len);
1690 if (IS_ERR(skb)) {
1691 err = PTR_ERR(skb);
1692 goto done;
1693 }
1694
9a9c6a34
GP		 1695 l2cap_do_send(sk, skb);
1696 err = len;
1c2acffb
GP		 1697 break;
1698
1699 case L2CAP_MODE_ERTM:
6840ed07 1700 case L2CAP_MODE_STREAMING:
1c2acffb 1701 /* Entire SDU fits into one PDU */
1c762159 1702 if (len <= pi->remote_mps) {
1c2acffb 1703 control = L2CAP_SDU_UNSEGMENTED;
6840ed07 1704 skb = l2cap_create_iframe_pdu(sk, msg, len, control, 0);
1c2acffb
GP		 1705 if (IS_ERR(skb)) {
1706 err = PTR_ERR(skb);
1707 goto done;
1708 }
c74e560c
GP		 1709 __skb_queue_tail(TX_QUEUE(sk), skb);
1710 if (sk->sk_send_head == NULL)
1711 sk->sk_send_head = skb;
1c2acffb 1712 } else {
c74e560c
GP		 1713 /* Segment SDU into multiples PDUs */
1714 err = l2cap_sar_segment_sdu(sk, msg, len);
1715 if (err < 0)
1716 goto done;
1c2acffb 1717 }
1c2acffb 1718
6840ed07
GP		 1719 if (pi->mode == L2CAP_MODE_STREAMING)
1720 err = l2cap_streaming_send(sk);
1721 else
1722 err = l2cap_ertm_send(sk);
1723
9e917af1 1724 if (err >= 0)
1c2acffb
GP		 1725 err = len;
1726 break;
1727
1728 default:
1729 BT_DBG("bad state %1.1x", pi->mode);
1730 err = -EINVAL;
1731 }
1732
1733done:
1da177e4
LT		 1734 release_sock(sk);
1735 return err;
1736}
1737
f66dc81f
MH		 1738static int l2cap_sock_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len, int flags)
1739{
1740 struct sock *sk = sock->sk;
1741
1742 lock_sock(sk);
1743
1744 if (sk->sk_state == BT_CONNECT2 && bt_sk(sk)->defer_setup) {
1745 struct l2cap_conn_rsp rsp;
1746
1747 sk->sk_state = BT_CONFIG;
1748
1749 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
1750 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
1751 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1752 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1753 l2cap_send_cmd(l2cap_pi(sk)->conn, l2cap_pi(sk)->ident,
1754 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
1755
1756 release_sock(sk);
1757 return 0;
1758 }
1759
1760 release_sock(sk);
1761
1762 return bt_sock_recvmsg(iocb, sock, msg, len, flags);
1763}
1764
b7058842 1765static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __user *optval, unsigned int optlen)
1da177e4
LT		 1766{
1767 struct sock *sk = sock->sk;
1768 struct l2cap_options opts;
f29972de 1769 int len, err = 0;
1da177e4
LT		 1770 u32 opt;
1771
1772 BT_DBG("sk %p", sk);
1773
1774 lock_sock(sk);
1775
1776 switch (optname) {
1777 case L2CAP_OPTIONS:
0878b666
MH		 1778 opts.imtu = l2cap_pi(sk)->imtu;
1779 opts.omtu = l2cap_pi(sk)->omtu;
1780 opts.flush_to = l2cap_pi(sk)->flush_to;
c6b03cf9 1781 opts.mode = l2cap_pi(sk)->mode;
fcc203c3 1782 opts.fcs = l2cap_pi(sk)->fcs;
68d7f0ce 1783 opts.max_tx = l2cap_pi(sk)->max_tx;
14b5aa71 1784 opts.txwin_size = (__u16)l2cap_pi(sk)->tx_win;
0878b666 1785
1da177e4
LT		 1786 len = min_t(unsigned int, sizeof(opts), optlen);
1787 if (copy_from_user((char *) &opts, optval, len)) {
1788 err = -EFAULT;
1789 break;
1790 }
0878b666 1791
0041ecfa
JPRV		 1792 l2cap_pi(sk)->mode = opts.mode;
1793 switch (l2cap_pi(sk)->mode) {
1794 case L2CAP_MODE_BASIC:
1795 break;
1796 case L2CAP_MODE_ERTM:
1797 case L2CAP_MODE_STREAMING:
1798 if (enable_ertm)
1799 break;
1800 /* fall through */
1801 default:
1802 err = -EINVAL;
1803 break;
1804 }
1805
c6b03cf9
MH		 1806 l2cap_pi(sk)->imtu = opts.imtu;
1807 l2cap_pi(sk)->omtu = opts.omtu;
fcc203c3 1808 l2cap_pi(sk)->fcs = opts.fcs;
68d7f0ce 1809 l2cap_pi(sk)->max_tx = opts.max_tx;
14b5aa71 1810 l2cap_pi(sk)->tx_win = (__u8)opts.txwin_size;
1da177e4
LT		 1811 break;
1812
1813 case L2CAP_LM:
1814 if (get_user(opt, (u32 __user *) optval)) {
1815 err = -EFAULT;
1816 break;
1817 }
1818
2af6b9d5
MH		 1819 if (opt & L2CAP_LM_AUTH)
1820 l2cap_pi(sk)->sec_level = BT_SECURITY_LOW;
1821 if (opt & L2CAP_LM_ENCRYPT)
1822 l2cap_pi(sk)->sec_level = BT_SECURITY_MEDIUM;
1823 if (opt & L2CAP_LM_SECURE)
1824 l2cap_pi(sk)->sec_level = BT_SECURITY_HIGH;
1825
1826 l2cap_pi(sk)->role_switch = (opt & L2CAP_LM_MASTER);
1827 l2cap_pi(sk)->force_reliable = (opt & L2CAP_LM_RELIABLE);
1da177e4
LT		 1828 break;
1829
1830 default:
1831 err = -ENOPROTOOPT;
1832 break;
1833 }
1834
1835 release_sock(sk);
1836 return err;
1837}
1838
b7058842 1839static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, char __user *optval, unsigned int optlen)
d58daf42
MH		 1840{
1841 struct sock *sk = sock->sk;
2af6b9d5
MH		 1842 struct bt_security sec;
1843 int len, err = 0;
f66dc81f 1844 u32 opt;
d58daf42
MH		 1845
1846 BT_DBG("sk %p", sk);
1847
1848 if (level == SOL_L2CAP)
1849 return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
1850
0588d94f
MH		 1851 if (level != SOL_BLUETOOTH)
1852 return -ENOPROTOOPT;
1853
d58daf42
MH		 1854 lock_sock(sk);
1855
1856 switch (optname) {
2af6b9d5 1857 case BT_SECURITY:
bd3c9e25
GP		 1858 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
1859 && sk->sk_type != SOCK_RAW) {
0588d94f
MH		 1860 err = -EINVAL;
1861 break;
1862 }
1863
2af6b9d5
MH		 1864 sec.level = BT_SECURITY_LOW;
1865
1866 len = min_t(unsigned int, sizeof(sec), optlen);
1867 if (copy_from_user((char *) &sec, optval, len)) {
1868 err = -EFAULT;
1869 break;
1870 }
1871
1872 if (sec.level < BT_SECURITY_LOW ||
1873 sec.level > BT_SECURITY_HIGH) {
1874 err = -EINVAL;
1875 break;
1876 }
1877
1878 l2cap_pi(sk)->sec_level = sec.level;
1879 break;
1880
f66dc81f
MH		 1881 case BT_DEFER_SETUP:
1882 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
1883 err = -EINVAL;
1884 break;
1885 }
1886
1887 if (get_user(opt, (u32 __user *) optval)) {
1888 err = -EFAULT;
1889 break;
1890 }
1891
1892 bt_sk(sk)->defer_setup = opt;
1893 break;
1894
d58daf42
MH		 1895 default:
1896 err = -ENOPROTOOPT;
1897 break;
1898 }
1899
1900 release_sock(sk);
1901 return err;
1902}
1903
1904static int l2cap_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen)
1da177e4
LT		 1905{
1906 struct sock *sk = sock->sk;
1907 struct l2cap_options opts;
1908 struct l2cap_conninfo cinfo;
1909 int len, err = 0;
2af6b9d5 1910 u32 opt;
1da177e4
LT		 1911
1912 BT_DBG("sk %p", sk);
1913
1914 if (get_user(len, optlen))
1915 return -EFAULT;
1916
1917 lock_sock(sk);
1918
1919 switch (optname) {
1920 case L2CAP_OPTIONS:
1921 opts.imtu = l2cap_pi(sk)->imtu;
1922 opts.omtu = l2cap_pi(sk)->omtu;
1923 opts.flush_to = l2cap_pi(sk)->flush_to;
c6b03cf9 1924 opts.mode = l2cap_pi(sk)->mode;
fcc203c3 1925 opts.fcs = l2cap_pi(sk)->fcs;
68d7f0ce 1926 opts.max_tx = l2cap_pi(sk)->max_tx;
14b5aa71 1927 opts.txwin_size = (__u16)l2cap_pi(sk)->tx_win;
1da177e4
LT		 1928
1929 len = min_t(unsigned int, len, sizeof(opts));
1930 if (copy_to_user(optval, (char *) &opts, len))
1931 err = -EFAULT;
1932
1933 break;
1934
1935 case L2CAP_LM:
2af6b9d5
MH		 1936 switch (l2cap_pi(sk)->sec_level) {
1937 case BT_SECURITY_LOW:
1938 opt = L2CAP_LM_AUTH;
1939 break;
1940 case BT_SECURITY_MEDIUM:
1941 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
1942 break;
1943 case BT_SECURITY_HIGH:
1944 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
1945 L2CAP_LM_SECURE;
1946 break;
1947 default:
1948 opt = 0;
1949 break;
1950 }
1951
1952 if (l2cap_pi(sk)->role_switch)
1953 opt |= L2CAP_LM_MASTER;
1954
1955 if (l2cap_pi(sk)->force_reliable)
1956 opt |= L2CAP_LM_RELIABLE;
1957
1958 if (put_user(opt, (u32 __user *) optval))
1da177e4
LT		 1959 err = -EFAULT;
1960 break;
1961
1962 case L2CAP_CONNINFO:
f66dc81f
MH		 1963 if (sk->sk_state != BT_CONNECTED &&
1964 !(sk->sk_state == BT_CONNECT2 &&
1965 bt_sk(sk)->defer_setup)) {
1da177e4
LT		 1966 err = -ENOTCONN;
1967 break;
1968 }
1969
1970 cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle;
1971 memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3);
1972
1973 len = min_t(unsigned int, len, sizeof(cinfo));
1974 if (copy_to_user(optval, (char *) &cinfo, len))
1975 err = -EFAULT;
1976
1977 break;
1978
1979 default:
1980 err = -ENOPROTOOPT;
1981 break;
1982 }
1983
1984 release_sock(sk);
1985 return err;
1986}
1987
d58daf42
MH		 1988static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen)
1989{
1990 struct sock *sk = sock->sk;
2af6b9d5 1991 struct bt_security sec;
d58daf42
MH		 1992 int len, err = 0;
1993
1994 BT_DBG("sk %p", sk);
1995
1996 if (level == SOL_L2CAP)
1997 return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
1998
0588d94f
MH		 1999 if (level != SOL_BLUETOOTH)
2000 return -ENOPROTOOPT;
2001
d58daf42
MH		 2002 if (get_user(len, optlen))
2003 return -EFAULT;
2004
2005 lock_sock(sk);
2006
2007 switch (optname) {
2af6b9d5 2008 case BT_SECURITY:
bd3c9e25
GP		 2009 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
2010 && sk->sk_type != SOCK_RAW) {
0588d94f
MH		 2011 err = -EINVAL;
2012 break;
2013 }
2014
2af6b9d5
MH		 2015 sec.level = l2cap_pi(sk)->sec_level;
2016
2017 len = min_t(unsigned int, len, sizeof(sec));
2018 if (copy_to_user(optval, (char *) &sec, len))
2019 err = -EFAULT;
2020
2021 break;
2022
f66dc81f
MH		 2023 case BT_DEFER_SETUP:
2024 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
2025 err = -EINVAL;
2026 break;
2027 }
2028
2029 if (put_user(bt_sk(sk)->defer_setup, (u32 __user *) optval))
2030 err = -EFAULT;
2031
2032 break;
2033
d58daf42
MH		 2034 default:
2035 err = -ENOPROTOOPT;
2036 break;
2037 }
2038
2039 release_sock(sk);
2040 return err;
2041}
2042
1da177e4
LT		 2043static int l2cap_sock_shutdown(struct socket *sock, int how)
2044{
2045 struct sock *sk = sock->sk;
2046 int err = 0;
2047
2048 BT_DBG("sock %p, sk %p", sock, sk);
2049
2050 if (!sk)
2051 return 0;
2052
2053 lock_sock(sk);
2054 if (!sk->sk_shutdown) {
2055 sk->sk_shutdown = SHUTDOWN_MASK;
2056 l2cap_sock_clear_timer(sk);
2057 __l2cap_sock_close(sk, 0);
2058
2059 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime)
b1235d79
MH		 2060 err = bt_sock_wait_state(sk, BT_CLOSED,
2061 sk->sk_lingertime);
1da177e4
LT		 2062 }
2063 release_sock(sk);
2064 return err;
2065}
2066
2067static int l2cap_sock_release(struct socket *sock)
2068{
2069 struct sock *sk = sock->sk;
2070 int err;
2071
2072 BT_DBG("sock %p, sk %p", sock, sk);
2073
2074 if (!sk)
2075 return 0;
2076
2077 err = l2cap_sock_shutdown(sock, 2);
2078
2079 sock_orphan(sk);
2080 l2cap_sock_kill(sk);
2081 return err;
2082}
2083
1da177e4
LT		 2084static void l2cap_chan_ready(struct sock *sk)
2085{
2086 struct sock *parent = bt_sk(sk)->parent;
2087
2088 BT_DBG("sk %p, parent %p", sk, parent);
2089
2090 l2cap_pi(sk)->conf_state = 0;
2091 l2cap_sock_clear_timer(sk);
2092
2093 if (!parent) {
2094 /* Outgoing channel.
2095 * Wake up socket sleeping on connect.
2096 */
2097 sk->sk_state = BT_CONNECTED;
2098 sk->sk_state_change(sk);
2099 } else {
2100 /* Incoming channel.
2101 * Wake up socket sleeping on accept.
2102 */
2103 parent->sk_data_ready(parent, 0);
2104 }
2105}
2106
2107/* Copy frame to all raw sockets on that connection */
2108static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2109{
2110 struct l2cap_chan_list *l = &conn->chan_list;
2111 struct sk_buff *nskb;
af05b30b 2112 struct sock *sk;
1da177e4
LT		 2113
2114 BT_DBG("conn %p", conn);
2115
2116 read_lock(&l->lock);
2117 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
2118 if (sk->sk_type != SOCK_RAW)
2119 continue;
2120
2121 /* Don't send frame to the socket it came from */
2122 if (skb->sk == sk)
2123 continue;
af05b30b
GP		 2124 nskb = skb_clone(skb, GFP_ATOMIC);
2125 if (!nskb)
1da177e4
LT		 2126 continue;
2127
2128 if (sock_queue_rcv_skb(sk, nskb))
2129 kfree_skb(nskb);
2130 }
2131 read_unlock(&l->lock);
2132}
2133
2134/* ---- L2CAP signalling commands ---- */
2135static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2136 u8 code, u8 ident, u16 dlen, void *data)
2137{
2138 struct sk_buff *skb, **frag;
2139 struct l2cap_cmd_hdr *cmd;
2140 struct l2cap_hdr *lh;
2141 int len, count;
2142
af05b30b
GP		 2143 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
2144 conn, code, ident, dlen);
1da177e4
LT		 2145
2146 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2147 count = min_t(unsigned int, conn->mtu, len);
2148
2149 skb = bt_skb_alloc(count, GFP_ATOMIC);
2150 if (!skb)
2151 return NULL;
2152
2153 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2154 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
8db4dc46 2155 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2156
2157 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2158 cmd->code = code;
2159 cmd->ident = ident;
aca3192c 2160 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2161
2162 if (dlen) {
2163 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2164 memcpy(skb_put(skb, count), data, count);
2165 data += count;
2166 }
2167
2168 len -= skb->len;
2169
2170 /* Continuation fragments (no L2CAP header) */
2171 frag = &skb_shinfo(skb)->frag_list;
2172 while (len) {
2173 count = min_t(unsigned int, conn->mtu, len);
2174
2175 *frag = bt_skb_alloc(count, GFP_ATOMIC);
2176 if (!*frag)
2177 goto fail;
2178
2179 memcpy(skb_put(*frag, count), data, count);
2180
2181 len -= count;
2182 data += count;
2183
2184 frag = &(*frag)->next;
2185 }
2186
2187 return skb;
2188
2189fail:
2190 kfree_skb(skb);
2191 return NULL;
2192}
2193
2194static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
2195{
2196 struct l2cap_conf_opt *opt = *ptr;
2197 int len;
2198
2199 len = L2CAP_CONF_OPT_SIZE + opt->len;
2200 *ptr += len;
2201
2202 *type = opt->type;
2203 *olen = opt->len;
2204
2205 switch (opt->len) {
2206 case 1:
2207 *val = *((u8 *) opt->val);
2208 break;
2209
2210 case 2:
861d6882 2211 *val = __le16_to_cpu(*((__le16 *) opt->val));
1da177e4
LT		 2212 break;
2213
2214 case 4:
861d6882 2215 *val = __le32_to_cpu(*((__le32 *) opt->val));
1da177e4
LT		 2216 break;
2217
2218 default:
2219 *val = (unsigned long) opt->val;
2220 break;
2221 }
2222
2223 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
2224 return len;
2225}
2226
1da177e4
LT		 2227static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2228{
2229 struct l2cap_conf_opt *opt = *ptr;
2230
2231 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
2232
2233 opt->type = type;
2234 opt->len = len;
2235
2236 switch (len) {
2237 case 1:
2238 *((u8 *) opt->val) = val;
2239 break;
2240
2241 case 2:
8e036fc3 2242 *((__le16 *) opt->val) = cpu_to_le16(val);
1da177e4
LT		 2243 break;
2244
2245 case 4:
8e036fc3 2246 *((__le32 *) opt->val) = cpu_to_le32(val);
1da177e4
LT		 2247 break;
2248
2249 default:
2250 memcpy(opt->val, (void *) val, len);
2251 break;
2252 }
2253
2254 *ptr += L2CAP_CONF_OPT_SIZE + len;
2255}
2256
c1b4f43b
GP		 2257static void l2cap_ack_timeout(unsigned long arg)
2258{
2259 struct sock *sk = (void *) arg;
2260
2261 bh_lock_sock(sk);
2262 l2cap_send_ack(l2cap_pi(sk));
2263 bh_unlock_sock(sk);
2264}
2265
0565c1c2
GP		 2266static inline void l2cap_ertm_init(struct sock *sk)
2267{
2268 l2cap_pi(sk)->expected_ack_seq = 0;
2269 l2cap_pi(sk)->unacked_frames = 0;
2270 l2cap_pi(sk)->buffer_seq = 0;
803020c6 2271 l2cap_pi(sk)->num_acked = 0;
d5392c8f 2272 l2cap_pi(sk)->frames_sent = 0;
0565c1c2
GP		 2273
2274 setup_timer(&l2cap_pi(sk)->retrans_timer,
2275 l2cap_retrans_timeout, (unsigned long) sk);
2276 setup_timer(&l2cap_pi(sk)->monitor_timer,
2277 l2cap_monitor_timeout, (unsigned long) sk);
c1b4f43b
GP		 2278 setup_timer(&l2cap_pi(sk)->ack_timer,
2279 l2cap_ack_timeout, (unsigned long) sk);
0565c1c2
GP		 2280
2281 __skb_queue_head_init(SREJ_QUEUE(sk));
2282}
2283
f2fcfcd6
GP		 2284static int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
2285{
2286 u32 local_feat_mask = l2cap_feat_mask;
2287 if (enable_ertm)
6840ed07 2288 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
f2fcfcd6
GP		 2289
2290 switch (mode) {
2291 case L2CAP_MODE_ERTM:
2292 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
2293 case L2CAP_MODE_STREAMING:
2294 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
2295 default:
2296 return 0x00;
2297 }
2298}
2299
2300static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2301{
2302 switch (mode) {
2303 case L2CAP_MODE_STREAMING:
2304 case L2CAP_MODE_ERTM:
2305 if (l2cap_mode_supported(mode, remote_feat_mask))
2306 return mode;
2307 /* fall through */
2308 default:
2309 return L2CAP_MODE_BASIC;
2310 }
2311}
2312
1da177e4
LT		 2313static int l2cap_build_conf_req(struct sock *sk, void *data)
2314{
2315 struct l2cap_pinfo *pi = l2cap_pi(sk);
2316 struct l2cap_conf_req *req = data;
bd3c9e25 2317 struct l2cap_conf_rfc rfc = { .mode = pi->mode };
1da177e4
LT		 2318 void *ptr = req->data;
2319
2320 BT_DBG("sk %p", sk);
2321
f2fcfcd6
GP		 2322 if (pi->num_conf_req || pi->num_conf_rsp)
2323 goto done;
2324
2325 switch (pi->mode) {
2326 case L2CAP_MODE_STREAMING:
2327 case L2CAP_MODE_ERTM:
2328 pi->conf_state |= L2CAP_CONF_STATE2_DEVICE;
22121fc9
GP		 2329 if (!l2cap_mode_supported(pi->mode, pi->conn->feat_mask))
2330 l2cap_send_disconn_req(pi->conn, sk);
f2fcfcd6
GP		 2331 break;
2332 default:
2333 pi->mode = l2cap_select_mode(rfc.mode, pi->conn->feat_mask);
2334 break;
2335 }
2336
2337done:
65c7c491
MH		 2338 switch (pi->mode) {
2339 case L2CAP_MODE_BASIC:
2340 if (pi->imtu != L2CAP_DEFAULT_MTU)
2341 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->imtu);
2342 break;
2343
2344 case L2CAP_MODE_ERTM:
2345 rfc.mode = L2CAP_MODE_ERTM;
14b5aa71 2346 rfc.txwin_size = pi->tx_win;
68d7f0ce 2347 rfc.max_transmit = pi->max_tx;
f2fcfcd6
GP		 2348 rfc.retrans_timeout = 0;
2349 rfc.monitor_timeout = 0;
c74e560c 2350 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
d1daa091 2351 if (L2CAP_DEFAULT_MAX_PDU_SIZE > pi->conn->mtu - 10)
1c762159 2352 rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10);
f2fcfcd6
GP		 2353
2354 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2355 sizeof(rfc), (unsigned long) &rfc);
fcc203c3
GP		 2356
2357 if (!(pi->conn->feat_mask & L2CAP_FEAT_FCS))
2358 break;
2359
2360 if (pi->fcs == L2CAP_FCS_NONE ||
2361 pi->conf_state & L2CAP_CONF_NO_FCS_RECV) {
2362 pi->fcs = L2CAP_FCS_NONE;
2363 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, pi->fcs);
2364 }
f2fcfcd6
GP		 2365 break;
2366
2367 case L2CAP_MODE_STREAMING:
2368 rfc.mode = L2CAP_MODE_STREAMING;
2369 rfc.txwin_size = 0;
2370 rfc.max_transmit = 0;
2371 rfc.retrans_timeout = 0;
2372 rfc.monitor_timeout = 0;
c74e560c 2373 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
d1daa091 2374 if (L2CAP_DEFAULT_MAX_PDU_SIZE > pi->conn->mtu - 10)
1c762159 2375 rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10);
65c7c491
MH		 2376
2377 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2378 sizeof(rfc), (unsigned long) &rfc);
fcc203c3
GP		 2379
2380 if (!(pi->conn->feat_mask & L2CAP_FEAT_FCS))
2381 break;
2382
2383 if (pi->fcs == L2CAP_FCS_NONE ||
2384 pi->conf_state & L2CAP_CONF_NO_FCS_RECV) {
2385 pi->fcs = L2CAP_FCS_NONE;
2386 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, pi->fcs);
2387 }
65c7c491
MH		 2388 break;
2389 }
1da177e4
LT		 2390
2391 /* FIXME: Need actual value of the flush timeout */
2392 //if (flush_to != L2CAP_DEFAULT_FLUSH_TO)
2393 // l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, 2, pi->flush_to);
2394
aca3192c
YH		 2395 req->dcid = cpu_to_le16(pi->dcid);
2396 req->flags = cpu_to_le16(0);
1da177e4
LT		 2397
2398 return ptr - data;
2399}
2400
5dee9e7c 2401static int l2cap_parse_conf_req(struct sock *sk, void *data)
1da177e4
LT		 2402{
2403 struct l2cap_pinfo *pi = l2cap_pi(sk);
5dee9e7c
MH		 2404 struct l2cap_conf_rsp *rsp = data;
2405 void *ptr = rsp->data;
2406 void *req = pi->conf_req;
2407 int len = pi->conf_len;
2408 int type, hint, olen;
2409 unsigned long val;
6464f35f 2410 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
861d6882 2411 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 2412 u16 result = L2CAP_CONF_SUCCESS;
1da177e4 2413
5dee9e7c 2414 BT_DBG("sk %p", sk);
820ae1b8 2415
5dee9e7c
MH		 2416 while (len >= L2CAP_CONF_OPT_SIZE) {
2417 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 2418
589d2746 2419 hint = type & L2CAP_CONF_HINT;
47ec1dcd 2420 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 2421
2422 switch (type) {
2423 case L2CAP_CONF_MTU:
861d6882 2424 mtu = val;
5dee9e7c
MH		 2425 break;
2426
2427 case L2CAP_CONF_FLUSH_TO:
2428 pi->flush_to = val;
2429 break;
2430
2431 case L2CAP_CONF_QOS:
2432 break;
2433
6464f35f
MH		 2434 case L2CAP_CONF_RFC:
2435 if (olen == sizeof(rfc))
2436 memcpy(&rfc, (void *) val, olen);
2437 break;
2438
fcc203c3
GP		 2439 case L2CAP_CONF_FCS:
2440 if (val == L2CAP_FCS_NONE)
2441 pi->conf_state |= L2CAP_CONF_NO_FCS_RECV;
2442
2443 break;
2444
5dee9e7c
MH		 2445 default:
2446 if (hint)
2447 break;
2448
2449 result = L2CAP_CONF_UNKNOWN;
2450 *((u8 *) ptr++) = type;
2451 break;
2452 }
2453 }
2454
f2fcfcd6
GP		 2455 if (pi->num_conf_rsp || pi->num_conf_req)
2456 goto done;
2457
2458 switch (pi->mode) {
2459 case L2CAP_MODE_STREAMING:
2460 case L2CAP_MODE_ERTM:
2461 pi->conf_state |= L2CAP_CONF_STATE2_DEVICE;
2462 if (!l2cap_mode_supported(pi->mode, pi->conn->feat_mask))
2463 return -ECONNREFUSED;
2464 break;
2465 default:
2466 pi->mode = l2cap_select_mode(rfc.mode, pi->conn->feat_mask);
2467 break;
2468 }
2469
2470done:
2471 if (pi->mode != rfc.mode) {
2472 result = L2CAP_CONF_UNACCEPT;
2473 rfc.mode = pi->mode;
2474
2475 if (pi->num_conf_rsp == 1)
2476 return -ECONNREFUSED;
2477
2478 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2479 sizeof(rfc), (unsigned long) &rfc);
2480 }
2481
2482
5dee9e7c
MH		 2483 if (result == L2CAP_CONF_SUCCESS) {
2484 /* Configure output options and let the other side know
2485 * which ones we don't like. */
2486
f2fcfcd6
GP		 2487 if (mtu < L2CAP_DEFAULT_MIN_MTU)
2488 result = L2CAP_CONF_UNACCEPT;
2489 else {
2490 pi->omtu = mtu;
2491 pi->conf_state |= L2CAP_CONF_MTU_DONE;
2492 }
2493 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->omtu);
6464f35f 2494
f2fcfcd6
GP		 2495 switch (rfc.mode) {
2496 case L2CAP_MODE_BASIC:
2497 pi->fcs = L2CAP_FCS_NONE;
2498 pi->conf_state |= L2CAP_CONF_MODE_DONE;
2499 break;
2500
2501 case L2CAP_MODE_ERTM:
2502 pi->remote_tx_win = rfc.txwin_size;
2503 pi->remote_max_tx = rfc.max_transmit;
1c762159
GP		 2504 if (rfc.max_pdu_size > pi->conn->mtu - 10)
2505 rfc.max_pdu_size = le16_to_cpu(pi->conn->mtu - 10);
2506
2507 pi->remote_mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6 2508
10467e9e
GP		 2509 rfc.retrans_timeout =
2510 le16_to_cpu(L2CAP_DEFAULT_RETRANS_TO);
2511 rfc.monitor_timeout =
2512 le16_to_cpu(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6
GP		 2513
2514 pi->conf_state |= L2CAP_CONF_MODE_DONE;
68ae6639
GP		 2515
2516 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2517 sizeof(rfc), (unsigned long) &rfc);
2518
f2fcfcd6
GP		 2519 break;
2520
2521 case L2CAP_MODE_STREAMING:
1c762159
GP		 2522 if (rfc.max_pdu_size > pi->conn->mtu - 10)
2523 rfc.max_pdu_size = le16_to_cpu(pi->conn->mtu - 10);
2524
2525 pi->remote_mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2526
2527 pi->conf_state |= L2CAP_CONF_MODE_DONE;
68ae6639
GP		 2528
2529 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2530 sizeof(rfc), (unsigned long) &rfc);
2531
f2fcfcd6
GP		 2532 break;
2533
2534 default:
5dee9e7c 2535 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 2536
6464f35f 2537 memset(&rfc, 0, sizeof(rfc));
f2fcfcd6
GP		 2538 rfc.mode = pi->mode;
2539 }
6464f35f 2540
f2fcfcd6
GP		 2541 if (result == L2CAP_CONF_SUCCESS)
2542 pi->conf_state |= L2CAP_CONF_OUTPUT_DONE;
2543 }
5dee9e7c
MH		 2544 rsp->scid = cpu_to_le16(pi->dcid);
2545 rsp->result = cpu_to_le16(result);
2546 rsp->flags = cpu_to_le16(0x0000);
2547
2548 return ptr - data;
1da177e4
LT		 2549}
2550
f2fcfcd6
GP		 2551static int l2cap_parse_conf_rsp(struct sock *sk, void *rsp, int len, void *data, u16 *result)
2552{
2553 struct l2cap_pinfo *pi = l2cap_pi(sk);
2554 struct l2cap_conf_req *req = data;
2555 void *ptr = req->data;
2556 int type, olen;
2557 unsigned long val;
2558 struct l2cap_conf_rfc rfc;
2559
2560 BT_DBG("sk %p, rsp %p, len %d, req %p", sk, rsp, len, data);
2561
2562 while (len >= L2CAP_CONF_OPT_SIZE) {
2563 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2564
2565 switch (type) {
2566 case L2CAP_CONF_MTU:
2567 if (val < L2CAP_DEFAULT_MIN_MTU) {
2568 *result = L2CAP_CONF_UNACCEPT;
2569 pi->omtu = L2CAP_DEFAULT_MIN_MTU;
2570 } else
2571 pi->omtu = val;
2572 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->omtu);
2573 break;
2574
2575 case L2CAP_CONF_FLUSH_TO:
2576 pi->flush_to = val;
2577 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
2578 2, pi->flush_to);
2579 break;
2580
2581 case L2CAP_CONF_RFC:
2582 if (olen == sizeof(rfc))
2583 memcpy(&rfc, (void *)val, olen);
2584
2585 if ((pi->conf_state & L2CAP_CONF_STATE2_DEVICE) &&
2586 rfc.mode != pi->mode)
2587 return -ECONNREFUSED;
2588
2589 pi->mode = rfc.mode;
2590 pi->fcs = 0;
2591
2592 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2593 sizeof(rfc), (unsigned long) &rfc);
2594 break;
2595 }
2596 }
2597
2598 if (*result == L2CAP_CONF_SUCCESS) {
2599 switch (rfc.mode) {
2600 case L2CAP_MODE_ERTM:
2601 pi->remote_tx_win = rfc.txwin_size;
10467e9e
GP		 2602 pi->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2603 pi->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
1c762159 2604 pi->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2605 break;
2606 case L2CAP_MODE_STREAMING:
1c762159 2607 pi->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2608 }
2609 }
2610
2611 req->dcid = cpu_to_le16(pi->dcid);
2612 req->flags = cpu_to_le16(0x0000);
2613
2614 return ptr - data;
2615}
2616
5dee9e7c 2617static int l2cap_build_conf_rsp(struct sock *sk, void *data, u16 result, u16 flags)
1da177e4
LT		 2618{
2619 struct l2cap_conf_rsp *rsp = data;
2620 void *ptr = rsp->data;
1da177e4 2621
5dee9e7c 2622 BT_DBG("sk %p", sk);
1da177e4 2623
aca3192c 2624 rsp->scid = cpu_to_le16(l2cap_pi(sk)->dcid);
5dee9e7c 2625 rsp->result = cpu_to_le16(result);
aca3192c 2626 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 2627
2628 return ptr - data;
2629}
2630
7b1c0049
GP		 2631static void l2cap_conf_rfc_get(struct sock *sk, void *rsp, int len)
2632{
2633 struct l2cap_pinfo *pi = l2cap_pi(sk);
2634 int type, olen;
2635 unsigned long val;
2636 struct l2cap_conf_rfc rfc;
2637
2638 BT_DBG("sk %p, rsp %p, len %d", sk, rsp, len);
2639
2640 if ((pi->mode != L2CAP_MODE_ERTM) && (pi->mode != L2CAP_MODE_STREAMING))
2641 return;
2642
2643 while (len >= L2CAP_CONF_OPT_SIZE) {
2644 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2645
2646 switch (type) {
2647 case L2CAP_CONF_RFC:
2648 if (olen == sizeof(rfc))
2649 memcpy(&rfc, (void *)val, olen);
2650 goto done;
2651 }
2652 }
2653
2654done:
2655 switch (rfc.mode) {
2656 case L2CAP_MODE_ERTM:
2657 pi->remote_tx_win = rfc.txwin_size;
10467e9e
GP		 2658 pi->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2659 pi->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
7b1c0049
GP		 2660 pi->mps = le16_to_cpu(rfc.max_pdu_size);
2661 break;
2662 case L2CAP_MODE_STREAMING:
2663 pi->mps = le16_to_cpu(rfc.max_pdu_size);
2664 }
2665}
2666
4e8402a3
MH		 2667static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2668{
2669 struct l2cap_cmd_rej *rej = (struct l2cap_cmd_rej *) data;
2670
2671 if (rej->reason != 0x0000)
2672 return 0;
2673
2674 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2675 cmd->ident == conn->info_ident) {
4e8402a3 2676 del_timer(&conn->info_timer);
984947dc
MH		 2677
2678 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2679 conn->info_ident = 0;
984947dc 2680
4e8402a3
MH		 2681 l2cap_conn_start(conn);
2682 }
2683
2684 return 0;
2685}
2686
1da177e4
LT		 2687static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2688{
2689 struct l2cap_chan_list *list = &conn->chan_list;
2690 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
2691 struct l2cap_conn_rsp rsp;
2692 struct sock *sk, *parent;
e7c29cb1 2693 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2694
2695 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 2696 __le16 psm = req->psm;
1da177e4
LT		 2697
2698 BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
2699
2700 /* Check if we have socket listening on psm */
2701 parent = l2cap_get_sock_by_psm(BT_LISTEN, psm, conn->src);
2702 if (!parent) {
2703 result = L2CAP_CR_BAD_PSM;
2704 goto sendresp;
2705 }
2706
e7c29cb1
MH		 2707 /* Check if the ACL is secure enough (if not SDP) */
2708 if (psm != cpu_to_le16(0x0001) &&
2709 !hci_conn_check_link_mode(conn->hcon)) {
2950f21a 2710 conn->disc_reason = 0x05;
e7c29cb1
MH		 2711 result = L2CAP_CR_SEC_BLOCK;
2712 goto response;
2713 }
2714
1da177e4
LT		 2715 result = L2CAP_CR_NO_MEM;
2716
2717 /* Check for backlog size */
2718 if (sk_acceptq_is_full(parent)) {
8e87d142 2719 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1da177e4
LT		 2720 goto response;
2721 }
2722
3b1e0a65 2723 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP, GFP_ATOMIC);
1da177e4
LT		 2724 if (!sk)
2725 goto response;
2726
fd1278d7 2727 write_lock_bh(&list->lock);
1da177e4
LT		 2728
2729 /* Check if we already have channel with that dcid */
2730 if (__l2cap_get_chan_by_dcid(list, scid)) {
fd1278d7 2731 write_unlock_bh(&list->lock);
1da177e4
LT		 2732 sock_set_flag(sk, SOCK_ZAPPED);
2733 l2cap_sock_kill(sk);
2734 goto response;
2735 }
2736
2737 hci_conn_hold(conn->hcon);
2738
2739 l2cap_sock_init(sk, parent);
2740 bacpy(&bt_sk(sk)->src, conn->src);
2741 bacpy(&bt_sk(sk)->dst, conn->dst);
2742 l2cap_pi(sk)->psm = psm;
2743 l2cap_pi(sk)->dcid = scid;
2744
2745 __l2cap_chan_add(conn, sk, parent);
2746 dcid = l2cap_pi(sk)->scid;
2747
2748 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
2749
1da177e4
LT		 2750 l2cap_pi(sk)->ident = cmd->ident;
2751
984947dc 2752 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
2af6b9d5 2753 if (l2cap_check_security(sk)) {
f66dc81f
MH		 2754 if (bt_sk(sk)->defer_setup) {
2755 sk->sk_state = BT_CONNECT2;
2756 result = L2CAP_CR_PEND;
2757 status = L2CAP_CS_AUTHOR_PEND;
2758 parent->sk_data_ready(parent, 0);
2759 } else {
2760 sk->sk_state = BT_CONFIG;
2761 result = L2CAP_CR_SUCCESS;
2762 status = L2CAP_CS_NO_INFO;
2763 }
79d554a6
MH		 2764 } else {
2765 sk->sk_state = BT_CONNECT2;
2766 result = L2CAP_CR_PEND;
2767 status = L2CAP_CS_AUTHEN_PEND;
2768 }
2769 } else {
2770 sk->sk_state = BT_CONNECT2;
2771 result = L2CAP_CR_PEND;
2772 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2773 }
2774
fd1278d7 2775 write_unlock_bh(&list->lock);
1da177e4
LT		 2776
2777response:
2778 bh_unlock_sock(parent);
2779
2780sendresp:
aca3192c
YH		 2781 rsp.scid = cpu_to_le16(scid);
2782 rsp.dcid = cpu_to_le16(dcid);
2783 rsp.result = cpu_to_le16(result);
2784 rsp.status = cpu_to_le16(status);
1da177e4 2785 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 2786
2787 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
2788 struct l2cap_info_req info;
2789 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2790
2791 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
2792 conn->info_ident = l2cap_get_ident(conn);
2793
2794 mod_timer(&conn->info_timer, jiffies +
2795 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
2796
2797 l2cap_send_cmd(conn, conn->info_ident,
2798 L2CAP_INFO_REQ, sizeof(info), &info);
2799 }
2800
1da177e4
LT		 2801 return 0;
2802}
2803
2804static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2805{
2806 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
2807 u16 scid, dcid, result, status;
2808 struct sock *sk;
2809 u8 req[128];
2810
2811 scid = __le16_to_cpu(rsp->scid);
2812 dcid = __le16_to_cpu(rsp->dcid);
2813 result = __le16_to_cpu(rsp->result);
2814 status = __le16_to_cpu(rsp->status);
2815
2816 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status);
2817
2818 if (scid) {
af05b30b
GP		 2819 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
2820 if (!sk)
1da177e4
LT		 2821 return 0;
2822 } else {
af05b30b
GP		 2823 sk = l2cap_get_chan_by_ident(&conn->chan_list, cmd->ident);
2824 if (!sk)
1da177e4
LT		 2825 return 0;
2826 }
2827
2828 switch (result) {
2829 case L2CAP_CR_SUCCESS:
2830 sk->sk_state = BT_CONFIG;
2831 l2cap_pi(sk)->ident = 0;
2832 l2cap_pi(sk)->dcid = dcid;
2833 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
2834
6a8d3010
MH		 2835 l2cap_pi(sk)->conf_state &= ~L2CAP_CONF_CONNECT_PEND;
2836
1da177e4
LT		 2837 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2838 l2cap_build_conf_req(sk, req), req);
f2fcfcd6 2839 l2cap_pi(sk)->num_conf_req++;
1da177e4
LT		 2840 break;
2841
2842 case L2CAP_CR_PEND:
6a8d3010 2843 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
1da177e4
LT		 2844 break;
2845
2846 default:
2847 l2cap_chan_del(sk, ECONNREFUSED);
2848 break;
2849 }
2850
2851 bh_unlock_sock(sk);
2852 return 0;
2853}
2854
88219a0f 2855static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 2856{
2857 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
2858 u16 dcid, flags;
2859 u8 rsp[64];
2860 struct sock *sk;
5dee9e7c 2861 int len;
1da177e4
LT		 2862
2863 dcid = __le16_to_cpu(req->dcid);
2864 flags = __le16_to_cpu(req->flags);
2865
2866 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
2867
af05b30b
GP		 2868 sk = l2cap_get_chan_by_scid(&conn->chan_list, dcid);
2869 if (!sk)
1da177e4
LT		 2870 return -ENOENT;
2871
354f60a9
MH		 2872 if (sk->sk_state == BT_DISCONN)
2873 goto unlock;
2874
5dee9e7c 2875 /* Reject if config buffer is too small. */
88219a0f 2876 len = cmd_len - sizeof(*req);
5dee9e7c
MH		 2877 if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
2878 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2879 l2cap_build_conf_rsp(sk, rsp,
2880 L2CAP_CONF_REJECT, flags), rsp);
2881 goto unlock;
2882 }
2883
2884 /* Store config. */
2885 memcpy(l2cap_pi(sk)->conf_req + l2cap_pi(sk)->conf_len, req->data, len);
2886 l2cap_pi(sk)->conf_len += len;
1da177e4
LT		 2887
2888 if (flags & 0x0001) {
2889 /* Incomplete config. Send empty response. */
2890 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
5dee9e7c
MH		 2891 l2cap_build_conf_rsp(sk, rsp,
2892 L2CAP_CONF_SUCCESS, 0x0001), rsp);
1da177e4
LT		 2893 goto unlock;
2894 }
2895
2896 /* Complete config. */
5dee9e7c 2897 len = l2cap_parse_conf_req(sk, rsp);
f2fcfcd6 2898 if (len < 0) {
22121fc9 2899 l2cap_send_disconn_req(conn, sk);
1da177e4 2900 goto unlock;
f2fcfcd6 2901 }
1da177e4 2902
5dee9e7c 2903 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
f2fcfcd6 2904 l2cap_pi(sk)->num_conf_rsp++;
5dee9e7c 2905
5dee9e7c
MH		 2906 /* Reset config buffer. */
2907 l2cap_pi(sk)->conf_len = 0;
2908
876d9484
MH		 2909 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE))
2910 goto unlock;
2911
1da177e4 2912 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_INPUT_DONE) {
f64f9e71
JP		 2913 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_NO_FCS_RECV) ||
2914 l2cap_pi(sk)->fcs != L2CAP_FCS_NONE)
fcc203c3
GP		 2915 l2cap_pi(sk)->fcs = L2CAP_FCS_CRC16;
2916
1da177e4 2917 sk->sk_state = BT_CONNECTED;
e90bac06 2918
0565c1c2
GP		 2919 l2cap_pi(sk)->next_tx_seq = 0;
2920 l2cap_pi(sk)->expected_tx_seq = 0;
1c2acffb 2921 __skb_queue_head_init(TX_QUEUE(sk));
0565c1c2
GP		 2922 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM)
2923 l2cap_ertm_init(sk);
2924
1da177e4 2925 l2cap_chan_ready(sk);
876d9484
MH		 2926 goto unlock;
2927 }
2928
2929 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT)) {
79d554a6 2930 u8 buf[64];
1da177e4 2931 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
79d554a6 2932 l2cap_build_conf_req(sk, buf), buf);
f2fcfcd6 2933 l2cap_pi(sk)->num_conf_req++;
1da177e4
LT		 2934 }
2935
2936unlock:
2937 bh_unlock_sock(sk);
2938 return 0;
2939}
2940
2941static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2942{
2943 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
2944 u16 scid, flags, result;
2945 struct sock *sk;
7b1c0049 2946 int len = cmd->len - sizeof(*rsp);
1da177e4
LT		 2947
2948 scid = __le16_to_cpu(rsp->scid);
2949 flags = __le16_to_cpu(rsp->flags);
2950 result = __le16_to_cpu(rsp->result);
2951
af05b30b
GP		 2952 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x",
2953 scid, flags, result);
1da177e4 2954
af05b30b
GP		 2955 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
2956 if (!sk)
1da177e4
LT		 2957 return 0;
2958
2959 switch (result) {
2960 case L2CAP_CONF_SUCCESS:
7b1c0049 2961 l2cap_conf_rfc_get(sk, rsp->data, len);
1da177e4
LT		 2962 break;
2963
2964 case L2CAP_CONF_UNACCEPT:
f2fcfcd6 2965 if (l2cap_pi(sk)->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 2966 char req[64];
2967
c2c77ec8
AE		 2968 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
2969 l2cap_send_disconn_req(conn, sk);
2970 goto done;
2971 }
2972
f2fcfcd6
GP		 2973 /* throw out any old stored conf requests */
2974 result = L2CAP_CONF_SUCCESS;
2975 len = l2cap_parse_conf_rsp(sk, rsp->data,
2976 len, req, &result);
2977 if (len < 0) {
22121fc9 2978 l2cap_send_disconn_req(conn, sk);
f2fcfcd6
GP		 2979 goto done;
2980 }
2981
2982 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2983 L2CAP_CONF_REQ, len, req);
2984 l2cap_pi(sk)->num_conf_req++;
2985 if (result != L2CAP_CONF_SUCCESS)
2986 goto done;
2987 break;
1da177e4
LT		 2988 }
2989
8e87d142 2990 default:
1da177e4 2991 sk->sk_state = BT_DISCONN;
b1235d79 2992 sk->sk_err = ECONNRESET;
1da177e4 2993 l2cap_sock_set_timer(sk, HZ * 5);
22121fc9 2994 l2cap_send_disconn_req(conn, sk);
1da177e4
LT		 2995 goto done;
2996 }
2997
2998 if (flags & 0x01)
2999 goto done;
3000
1da177e4
LT		 3001 l2cap_pi(sk)->conf_state |= L2CAP_CONF_INPUT_DONE;
3002
3003 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE) {
f64f9e71
JP		 3004 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_NO_FCS_RECV) ||
3005 l2cap_pi(sk)->fcs != L2CAP_FCS_NONE)
fcc203c3
GP		 3006 l2cap_pi(sk)->fcs = L2CAP_FCS_CRC16;
3007
1da177e4 3008 sk->sk_state = BT_CONNECTED;
0565c1c2 3009 l2cap_pi(sk)->next_tx_seq = 0;
1c2acffb 3010 l2cap_pi(sk)->expected_tx_seq = 0;
1c2acffb 3011 __skb_queue_head_init(TX_QUEUE(sk));
0565c1c2
GP		 3012 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM)
3013 l2cap_ertm_init(sk);
3014
1da177e4
LT		 3015 l2cap_chan_ready(sk);
3016 }
3017
3018done:
3019 bh_unlock_sock(sk);
3020 return 0;
3021}
3022
3023static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3024{
3025 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
3026 struct l2cap_disconn_rsp rsp;
3027 u16 dcid, scid;
3028 struct sock *sk;
3029
3030 scid = __le16_to_cpu(req->scid);
3031 dcid = __le16_to_cpu(req->dcid);
3032
3033 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
3034
af05b30b
GP		 3035 sk = l2cap_get_chan_by_scid(&conn->chan_list, dcid);
3036 if (!sk)
1da177e4
LT		 3037 return 0;
3038
aca3192c
YH		 3039 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
3040 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
1da177e4
LT		 3041 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
3042
3043 sk->sk_shutdown = SHUTDOWN_MASK;
3044
1c2acffb 3045 skb_queue_purge(TX_QUEUE(sk));
0565c1c2
GP		 3046
3047 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM) {
3048 skb_queue_purge(SREJ_QUEUE(sk));
3049 del_timer(&l2cap_pi(sk)->retrans_timer);
3050 del_timer(&l2cap_pi(sk)->monitor_timer);
c1b4f43b 3051 del_timer(&l2cap_pi(sk)->ack_timer);
0565c1c2 3052 }
1c2acffb 3053
1da177e4
LT		 3054 l2cap_chan_del(sk, ECONNRESET);
3055 bh_unlock_sock(sk);
3056
3057 l2cap_sock_kill(sk);
3058 return 0;
3059}
3060
3061static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3062{
3063 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
3064 u16 dcid, scid;
3065 struct sock *sk;
3066
3067 scid = __le16_to_cpu(rsp->scid);
3068 dcid = __le16_to_cpu(rsp->dcid);
3069
3070 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
3071
af05b30b
GP		 3072 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
3073 if (!sk)
1da177e4
LT		 3074 return 0;
3075
1c2acffb 3076 skb_queue_purge(TX_QUEUE(sk));
0565c1c2
GP		 3077
3078 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM) {
3079 skb_queue_purge(SREJ_QUEUE(sk));
3080 del_timer(&l2cap_pi(sk)->retrans_timer);
3081 del_timer(&l2cap_pi(sk)->monitor_timer);
c1b4f43b 3082 del_timer(&l2cap_pi(sk)->ack_timer);
0565c1c2 3083 }
1c2acffb 3084
1da177e4
LT		 3085 l2cap_chan_del(sk, 0);
3086 bh_unlock_sock(sk);
3087
3088 l2cap_sock_kill(sk);
3089 return 0;
3090}
3091
3092static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3093{
3094 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 3095 u16 type;
3096
3097 type = __le16_to_cpu(req->type);
3098
3099 BT_DBG("type 0x%4.4x", type);
3100
f0709e03
MH		 3101 if (type == L2CAP_IT_FEAT_MASK) {
3102 u8 buf[8];
44dd46de 3103 u32 feat_mask = l2cap_feat_mask;
f0709e03
MH		 3104 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
3105 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3106 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
44dd46de 3107 if (enable_ertm)
fcc203c3
GP		 3108 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
3109 | L2CAP_FEAT_FCS;
1b7bf4ed 3110 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 3111 l2cap_send_cmd(conn, cmd->ident,
3112 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 3113 } else if (type == L2CAP_IT_FIXED_CHAN) {
3114 u8 buf[12];
3115 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
3116 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3117 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
3118 memcpy(buf + 4, l2cap_fixed_chan, 8);
3119 l2cap_send_cmd(conn, cmd->ident,
3120 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 3121 } else {
3122 struct l2cap_info_rsp rsp;
3123 rsp.type = cpu_to_le16(type);
3124 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
3125 l2cap_send_cmd(conn, cmd->ident,
3126 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
3127 }
1da177e4
LT		 3128
3129 return 0;
3130}
3131
3132static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3133{
3134 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
3135 u16 type, result;
3136
3137 type = __le16_to_cpu(rsp->type);
3138 result = __le16_to_cpu(rsp->result);
3139
3140 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
3141
4e8402a3
MH		 3142 del_timer(&conn->info_timer);
3143
984947dc 3144 if (type == L2CAP_IT_FEAT_MASK) {
83985319 3145 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 3146
47ec1dcd 3147 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c
MH		 3148 struct l2cap_info_req req;
3149 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3150
3151 conn->info_ident = l2cap_get_ident(conn);
3152
3153 l2cap_send_cmd(conn, conn->info_ident,
3154 L2CAP_INFO_REQ, sizeof(req), &req);
3155 } else {
3156 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3157 conn->info_ident = 0;
3158
3159 l2cap_conn_start(conn);
3160 }
3161 } else if (type == L2CAP_IT_FIXED_CHAN) {
984947dc 3162 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3163 conn->info_ident = 0;
984947dc
MH		 3164
3165 l2cap_conn_start(conn);
3166 }
4e8402a3 3167
1da177e4
LT		 3168 return 0;
3169}
3170
3171static inline void l2cap_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb)
3172{
3173 u8 *data = skb->data;
3174 int len = skb->len;
3175 struct l2cap_cmd_hdr cmd;
3176 int err = 0;
3177
3178 l2cap_raw_recv(conn, skb);
3179
3180 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 3181 u16 cmd_len;
1da177e4
LT		 3182 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
3183 data += L2CAP_CMD_HDR_SIZE;
3184 len -= L2CAP_CMD_HDR_SIZE;
3185
88219a0f 3186 cmd_len = le16_to_cpu(cmd.len);
1da177e4 3187
88219a0f 3188 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 3189
88219a0f 3190 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 3191 BT_DBG("corrupted command");
3192 break;
3193 }
3194
3195 switch (cmd.code) {
3196 case L2CAP_COMMAND_REJ:
4e8402a3 3197 l2cap_command_rej(conn, &cmd, data);
1da177e4
LT		 3198 break;
3199
3200 case L2CAP_CONN_REQ:
3201 err = l2cap_connect_req(conn, &cmd, data);
3202 break;
3203
3204 case L2CAP_CONN_RSP:
3205 err = l2cap_connect_rsp(conn, &cmd, data);
3206 break;
3207
3208 case L2CAP_CONF_REQ:
88219a0f 3209 err = l2cap_config_req(conn, &cmd, cmd_len, data);
1da177e4
LT		 3210 break;
3211
3212 case L2CAP_CONF_RSP:
3213 err = l2cap_config_rsp(conn, &cmd, data);
3214 break;
3215
3216 case L2CAP_DISCONN_REQ:
3217 err = l2cap_disconnect_req(conn, &cmd, data);
3218 break;
3219
3220 case L2CAP_DISCONN_RSP:
3221 err = l2cap_disconnect_rsp(conn, &cmd, data);
3222 break;
3223
3224 case L2CAP_ECHO_REQ:
88219a0f 3225 l2cap_send_cmd(conn, cmd.ident, L2CAP_ECHO_RSP, cmd_len, data);
1da177e4
LT		 3226 break;
3227
3228 case L2CAP_ECHO_RSP:
3229 break;
3230
3231 case L2CAP_INFO_REQ:
3232 err = l2cap_information_req(conn, &cmd, data);
3233 break;
3234
3235 case L2CAP_INFO_RSP:
3236 err = l2cap_information_rsp(conn, &cmd, data);
3237 break;
3238
3239 default:
3240 BT_ERR("Unknown signaling command 0x%2.2x", cmd.code);
3241 err = -EINVAL;
3242 break;
3243 }
3244
3245 if (err) {
3246 struct l2cap_cmd_rej rej;
3247 BT_DBG("error %d", err);
3248
3249 /* FIXME: Map err to a valid reason */
aca3192c 3250 rej.reason = cpu_to_le16(0);
1da177e4
LT		 3251 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3252 }
3253
88219a0f
AV		 3254 data += cmd_len;
3255 len -= cmd_len;
1da177e4
LT		 3256 }
3257
3258 kfree_skb(skb);
3259}
3260
fcc203c3
GP		 3261static int l2cap_check_fcs(struct l2cap_pinfo *pi, struct sk_buff *skb)
3262{
3263 u16 our_fcs, rcv_fcs;
3264 int hdr_size = L2CAP_HDR_SIZE + 2;
3265
3266 if (pi->fcs == L2CAP_FCS_CRC16) {
3267 skb_trim(skb, skb->len - 2);
3268 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
3269 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
3270
3271 if (our_fcs != rcv_fcs)
3272 return -EINVAL;
3273 }
3274 return 0;
3275}
3276
d5392c8f
GP		 3277static inline void l2cap_send_i_or_rr_or_rnr(struct sock *sk)
3278{
3279 struct l2cap_pinfo *pi = l2cap_pi(sk);
3280 u16 control = 0;
3281
3282 pi->frames_sent = 0;
3283 pi->conn_state |= L2CAP_CONN_SEND_FBIT;
3284
3285 control |= pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3286
3287 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) {
3288 control |= L2CAP_SUPER_RCV_NOT_READY | L2CAP_CTRL_FINAL;
3289 l2cap_send_sframe(pi, control);
3290 pi->conn_state &= ~L2CAP_CONN_SEND_FBIT;
3291 }
3292
3293 if (pi->conn_state & L2CAP_CONN_REMOTE_BUSY && pi->unacked_frames > 0)
3294 __mod_retrans_timer();
3295
3296 l2cap_ertm_send(sk);
3297
3298 if (!(pi->conn_state & L2CAP_CONN_LOCAL_BUSY) &&
3299 pi->frames_sent == 0) {
3300 control |= L2CAP_SUPER_RCV_READY;
d5392c8f
GP		 3301 l2cap_send_sframe(pi, control);
3302 }
3303}
3304
8f17154f
GP		 3305static void l2cap_add_to_srej_queue(struct sock *sk, struct sk_buff *skb, u8 tx_seq, u8 sar)
3306{
3307 struct sk_buff *next_skb;
3308
3309 bt_cb(skb)->tx_seq = tx_seq;
3310 bt_cb(skb)->sar = sar;
3311
3312 next_skb = skb_peek(SREJ_QUEUE(sk));
3313 if (!next_skb) {
3314 __skb_queue_tail(SREJ_QUEUE(sk), skb);
3315 return;
3316 }
3317
3318 do {
3319 if (bt_cb(next_skb)->tx_seq > tx_seq) {
3320 __skb_queue_before(SREJ_QUEUE(sk), next_skb, skb);
3321 return;
3322 }
3323
3324 if (skb_queue_is_last(SREJ_QUEUE(sk), next_skb))
3325 break;
3326
59203a21 3327 } while ((next_skb = skb_queue_next(SREJ_QUEUE(sk), next_skb)));
8f17154f
GP		 3328
3329 __skb_queue_tail(SREJ_QUEUE(sk), skb);
3330}
3331
c74e560c
GP		 3332static int l2cap_sar_reassembly_sdu(struct sock *sk, struct sk_buff *skb, u16 control)
3333{
3334 struct l2cap_pinfo *pi = l2cap_pi(sk);
3335 struct sk_buff *_skb;
3336 int err = -EINVAL;
3337
3338 switch (control & L2CAP_CTRL_SAR) {
3339 case L2CAP_SDU_UNSEGMENTED:
3340 if (pi->conn_state & L2CAP_CONN_SAR_SDU) {
3341 kfree_skb(pi->sdu);
3342 break;
3343 }
3344
3345 err = sock_queue_rcv_skb(sk, skb);
3346 if (!err)
3347 return 0;
3348
3349 break;
3350
3351 case L2CAP_SDU_START:
3352 if (pi->conn_state & L2CAP_CONN_SAR_SDU) {
3353 kfree_skb(pi->sdu);
3354 break;
3355 }
3356
3357 pi->sdu_len = get_unaligned_le16(skb->data);
3358 skb_pull(skb, 2);
3359
052897ca
GP		 3360 if (pi->sdu_len > pi->imtu) {
3361 err = -EMSGSIZE;
3362 break;
3363 }
3364
c74e560c
GP		 3365 pi->sdu = bt_skb_alloc(pi->sdu_len, GFP_ATOMIC);
3366 if (!pi->sdu) {
3367 err = -ENOMEM;
3368 break;
3369 }
3370
3371 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3372
3373 pi->conn_state |= L2CAP_CONN_SAR_SDU;
3374 pi->partial_sdu_len = skb->len;
3375 err = 0;
3376 break;
3377
3378 case L2CAP_SDU_CONTINUE:
3379 if (!(pi->conn_state & L2CAP_CONN_SAR_SDU))
3380 break;
3381
3382 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3383
3384 pi->partial_sdu_len += skb->len;
3385 if (pi->partial_sdu_len > pi->sdu_len)
3386 kfree_skb(pi->sdu);
3387 else
3388 err = 0;
3389
3390 break;
3391
3392 case L2CAP_SDU_END:
3393 if (!(pi->conn_state & L2CAP_CONN_SAR_SDU))
3394 break;
3395
3396 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3397
3398 pi->conn_state &= ~L2CAP_CONN_SAR_SDU;
3399 pi->partial_sdu_len += skb->len;
3400
36f2fd58
GP		 3401 if (pi->partial_sdu_len > pi->imtu)
3402 goto drop;
3403
c74e560c
GP		 3404 if (pi->partial_sdu_len == pi->sdu_len) {
3405 _skb = skb_clone(pi->sdu, GFP_ATOMIC);
3406 err = sock_queue_rcv_skb(sk, _skb);
3407 if (err < 0)
3408 kfree_skb(_skb);
3409 }
c74e560c
GP		 3410 err = 0;
3411
36f2fd58
GP		 3412drop:
3413 kfree_skb(pi->sdu);
c74e560c
GP		 3414 break;
3415 }
3416
3417 kfree_skb(skb);
3418 return err;
3419}
3420
8f17154f
GP		 3421static void l2cap_check_srej_gap(struct sock *sk, u8 tx_seq)
3422{
3423 struct sk_buff *skb;
afefdbc4 3424 u16 control;
8f17154f 3425
59203a21 3426 while ((skb = skb_peek(SREJ_QUEUE(sk)))) {
8f17154f
GP		 3427 if (bt_cb(skb)->tx_seq != tx_seq)
3428 break;
3429
3430 skb = skb_dequeue(SREJ_QUEUE(sk));
afefdbc4 3431 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
8f17154f
GP		 3432 l2cap_sar_reassembly_sdu(sk, skb, control);
3433 l2cap_pi(sk)->buffer_seq_srej =
3434 (l2cap_pi(sk)->buffer_seq_srej + 1) % 64;
3435 tx_seq++;
3436 }
3437}
3438
3439static void l2cap_resend_srejframe(struct sock *sk, u8 tx_seq)
3440{
3441 struct l2cap_pinfo *pi = l2cap_pi(sk);
3442 struct srej_list *l, *tmp;
3443 u16 control;
3444
59203a21 3445 list_for_each_entry_safe(l, tmp, SREJ_LIST(sk), list) {
8f17154f
GP		 3446 if (l->tx_seq == tx_seq) {
3447 list_del(&l->list);
3448 kfree(l);
3449 return;
3450 }
3451 control = L2CAP_SUPER_SELECT_REJECT;
3452 control |= l->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3453 l2cap_send_sframe(pi, control);
3454 list_del(&l->list);
3455 list_add_tail(&l->list, SREJ_LIST(sk));
3456 }
3457}
3458
3459static void l2cap_send_srejframe(struct sock *sk, u8 tx_seq)
3460{
3461 struct l2cap_pinfo *pi = l2cap_pi(sk);
3462 struct srej_list *new;
3463 u16 control;
3464
3465 while (tx_seq != pi->expected_tx_seq) {
3466 control = L2CAP_SUPER_SELECT_REJECT;
3467 control |= pi->expected_tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3468 l2cap_send_sframe(pi, control);
3469
3470 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
3471 new->tx_seq = pi->expected_tx_seq++;
3472 list_add_tail(&new->list, SREJ_LIST(sk));
3473 }
3474 pi->expected_tx_seq++;
3475}
3476
1c2acffb
GP		 3477static inline int l2cap_data_channel_iframe(struct sock *sk, u16 rx_control, struct sk_buff *skb)
3478{
3479 struct l2cap_pinfo *pi = l2cap_pi(sk);
3480 u8 tx_seq = __get_txseq(rx_control);
9f121a5a 3481 u8 req_seq = __get_reqseq(rx_control);
8f17154f 3482 u8 sar = rx_control >> L2CAP_CTRL_SAR_SHIFT;
803020c6 3483 int num_to_ack = (pi->tx_win/6) + 1;
1c2acffb
GP		 3484 int err = 0;
3485
3486 BT_DBG("sk %p rx_control 0x%4.4x len %d", sk, rx_control, skb->len);
3487
9b16dc65
GP		 3488 if (L2CAP_CTRL_FINAL & rx_control &&
3489 l2cap_pi(sk)->conn_state & L2CAP_CONN_WAIT_F) {
1d8f5d16
GP		 3490 del_timer(&pi->monitor_timer);
3491 if (pi->unacked_frames > 0)
3492 __mod_retrans_timer();
3493 pi->conn_state &= ~L2CAP_CONN_WAIT_F;
3494 }
3495
9f121a5a
GP		 3496 pi->expected_ack_seq = req_seq;
3497 l2cap_drop_acked_frames(sk);
3498
8f17154f
GP		 3499 if (tx_seq == pi->expected_tx_seq)
3500 goto expected;
1c2acffb 3501
8f17154f
GP		 3502 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
3503 struct srej_list *first;
30afb5b2 3504
8f17154f
GP		 3505 first = list_first_entry(SREJ_LIST(sk),
3506 struct srej_list, list);
3507 if (tx_seq == first->tx_seq) {
3508 l2cap_add_to_srej_queue(sk, skb, tx_seq, sar);
3509 l2cap_check_srej_gap(sk, tx_seq);
3510
3511 list_del(&first->list);
3512 kfree(first);
3513
3514 if (list_empty(SREJ_LIST(sk))) {
3515 pi->buffer_seq = pi->buffer_seq_srej;
3516 pi->conn_state &= ~L2CAP_CONN_SREJ_SENT;
855666cc 3517 l2cap_send_ack(pi);
8f17154f
GP		 3518 }
3519 } else {
3520 struct srej_list *l;
3521 l2cap_add_to_srej_queue(sk, skb, tx_seq, sar);
3522
3523 list_for_each_entry(l, SREJ_LIST(sk), list) {
3524 if (l->tx_seq == tx_seq) {
3525 l2cap_resend_srejframe(sk, tx_seq);
3526 return 0;
3527 }
3528 }
3529 l2cap_send_srejframe(sk, tx_seq);
30afb5b2
GP		 3530 }
3531 } else {
8f17154f 3532 pi->conn_state |= L2CAP_CONN_SREJ_SENT;
1c2acffb 3533
8f17154f
GP		 3534 INIT_LIST_HEAD(SREJ_LIST(sk));
3535 pi->buffer_seq_srej = pi->buffer_seq;
3536
3537 __skb_queue_head_init(SREJ_QUEUE(sk));
3538 l2cap_add_to_srej_queue(sk, skb, tx_seq, sar);
3539
ef54fd93
GP		 3540 pi->conn_state |= L2CAP_CONN_SEND_PBIT;
3541
8f17154f 3542 l2cap_send_srejframe(sk, tx_seq);
1c2acffb 3543 }
30afb5b2
GP		 3544 return 0;
3545
8f17154f
GP		 3546expected:
3547 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
3548
3549 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
3b1a9f3f
GP		 3550 bt_cb(skb)->tx_seq = tx_seq;
3551 bt_cb(skb)->sar = sar;
3552 __skb_queue_tail(SREJ_QUEUE(sk), skb);
8f17154f
GP		 3553 return 0;
3554 }
3555
4ec10d97
GP		 3556 if (rx_control & L2CAP_CTRL_FINAL) {
3557 if (pi->conn_state & L2CAP_CONN_REJ_ACT)
3558 pi->conn_state &= ~L2CAP_CONN_REJ_ACT;
3559 else {
f6e6b168
GP		 3560 if (!skb_queue_empty(TX_QUEUE(sk)))
3561 sk->sk_send_head = TX_QUEUE(sk)->next;
4ec10d97
GP		 3562 pi->next_tx_seq = pi->expected_ack_seq;
3563 l2cap_ertm_send(sk);
3564 }
3565 }
3566
8f17154f
GP		 3567 pi->buffer_seq = (pi->buffer_seq + 1) % 64;
3568
3569 err = l2cap_sar_reassembly_sdu(sk, skb, rx_control);
3570 if (err < 0)
3571 return err;
3572
c1b4f43b
GP		 3573 __mod_ack_timer();
3574
803020c6
GP		 3575 pi->num_acked = (pi->num_acked + 1) % num_to_ack;
3576 if (pi->num_acked == num_to_ack - 1)
9e917af1
GP		 3577 l2cap_send_ack(pi);
3578
8f17154f 3579 return 0;
1c2acffb
GP		 3580}
3581
e072745f 3582static inline void l2cap_data_channel_rrframe(struct sock *sk, u16 rx_control)
1c2acffb
GP		 3583{
3584 struct l2cap_pinfo *pi = l2cap_pi(sk);
6e3a5981
GP		 3585
3586 pi->expected_ack_seq = __get_reqseq(rx_control);
3587 l2cap_drop_acked_frames(sk);
1c2acffb 3588
e072745f 3589 if (rx_control & L2CAP_CTRL_POLL) {
05fbd89d
GP		 3590 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
3591 if ((pi->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
3592 (pi->unacked_frames > 0))
3593 __mod_retrans_timer();
3594
3595 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3596 l2cap_send_srejtail(sk);
3597 } else {
3598 l2cap_send_i_or_rr_or_rnr(sk);
3599 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3600 }
1d8f5d16 3601
e072745f
GP		 3602 } else if (rx_control & L2CAP_CTRL_FINAL) {
3603 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
4ec10d97 3604
e072745f
GP		 3605 if (pi->conn_state & L2CAP_CONN_REJ_ACT)
3606 pi->conn_state &= ~L2CAP_CONN_REJ_ACT;
3607 else {
f6e6b168
GP		 3608 if (!skb_queue_empty(TX_QUEUE(sk)))
3609 sk->sk_send_head = TX_QUEUE(sk)->next;
e072745f
GP		 3610 pi->next_tx_seq = pi->expected_ack_seq;
3611 l2cap_ertm_send(sk);
3612 }
2246b2f1 3613
e072745f 3614 } else {
e072745f
GP		 3615 if ((pi->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
3616 (pi->unacked_frames > 0))
3617 __mod_retrans_timer();
1c2acffb 3618
2246b2f1 3619 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
e072745f
GP		 3620 if (pi->conn_state & L2CAP_CONN_SREJ_SENT)
3621 l2cap_send_ack(pi);
3622 else
3623 l2cap_ertm_send(sk);
3624 }
3625}
2246b2f1 3626
e072745f
GP		 3627static inline void l2cap_data_channel_rejframe(struct sock *sk, u16 rx_control)
3628{
3629 struct l2cap_pinfo *pi = l2cap_pi(sk);
3630 u8 tx_seq = __get_reqseq(rx_control);
30afb5b2 3631
e072745f
GP		 3632 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3633
8abb52ee 3634 pi->expected_ack_seq = tx_seq;
e072745f
GP		 3635 l2cap_drop_acked_frames(sk);
3636
3637 if (rx_control & L2CAP_CTRL_FINAL) {
3638 if (pi->conn_state & L2CAP_CONN_REJ_ACT)
3639 pi->conn_state &= ~L2CAP_CONN_REJ_ACT;
3640 else {
f6e6b168
GP		 3641 if (!skb_queue_empty(TX_QUEUE(sk)))
3642 sk->sk_send_head = TX_QUEUE(sk)->next;
4ec10d97
GP		 3643 pi->next_tx_seq = pi->expected_ack_seq;
3644 l2cap_ertm_send(sk);
4ec10d97 3645 }
e072745f 3646 } else {
f6e6b168
GP		 3647 if (!skb_queue_empty(TX_QUEUE(sk)))
3648 sk->sk_send_head = TX_QUEUE(sk)->next;
e072745f
GP		 3649 pi->next_tx_seq = pi->expected_ack_seq;
3650 l2cap_ertm_send(sk);
30afb5b2 3651
0301ef04 3652 if (pi->conn_state & L2CAP_CONN_WAIT_F)
e072745f 3653 pi->conn_state |= L2CAP_CONN_REJ_ACT;
e072745f
GP		 3654 }
3655}
3656static inline void l2cap_data_channel_srejframe(struct sock *sk, u16 rx_control)
3657{
3658 struct l2cap_pinfo *pi = l2cap_pi(sk);
3659 u8 tx_seq = __get_reqseq(rx_control);
30afb5b2 3660
e072745f 3661 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
2246b2f1 3662
e072745f
GP		 3663 if (rx_control & L2CAP_CTRL_POLL) {
3664 pi->expected_ack_seq = tx_seq;
3665 l2cap_drop_acked_frames(sk);
3666 l2cap_retransmit_frame(sk, tx_seq);
3667 l2cap_ertm_send(sk);
3668 if (pi->conn_state & L2CAP_CONN_WAIT_F) {
3669 pi->srej_save_reqseq = tx_seq;
3670 pi->conn_state |= L2CAP_CONN_SREJ_ACT;
ef54fd93 3671 }
e072745f
GP		 3672 } else if (rx_control & L2CAP_CTRL_FINAL) {
3673 if ((pi->conn_state & L2CAP_CONN_SREJ_ACT) &&
3674 pi->srej_save_reqseq == tx_seq)
3675 pi->conn_state &= ~L2CAP_CONN_SREJ_ACT;
3676 else
ef54fd93 3677 l2cap_retransmit_frame(sk, tx_seq);
e072745f
GP		 3678 } else {
3679 l2cap_retransmit_frame(sk, tx_seq);
3680 if (pi->conn_state & L2CAP_CONN_WAIT_F) {
3681 pi->srej_save_reqseq = tx_seq;
3682 pi->conn_state |= L2CAP_CONN_SREJ_ACT;
ef54fd93 3683 }
e072745f
GP		 3684 }
3685}
3686
3687static inline void l2cap_data_channel_rnrframe(struct sock *sk, u16 rx_control)
3688{
3689 struct l2cap_pinfo *pi = l2cap_pi(sk);
3690 u8 tx_seq = __get_reqseq(rx_control);
3691
3692 pi->conn_state |= L2CAP_CONN_REMOTE_BUSY;
3693 pi->expected_ack_seq = tx_seq;
3694 l2cap_drop_acked_frames(sk);
3695
99b0d4b7
GP		 3696 if (!(pi->conn_state & L2CAP_CONN_SREJ_SENT)) {
3697 del_timer(&pi->retrans_timer);
a2e12a2a
GP		 3698 if (rx_control & L2CAP_CTRL_POLL)
3699 l2cap_send_rr_or_rnr(pi, L2CAP_CTRL_FINAL);
99b0d4b7 3700 return;
e072745f 3701 }
99b0d4b7
GP		 3702
3703 if (rx_control & L2CAP_CTRL_POLL)
3704 l2cap_send_srejtail(sk);
3705 else
3706 l2cap_send_sframe(pi, L2CAP_SUPER_RCV_READY);
e072745f
GP		 3707}
3708
3709static inline int l2cap_data_channel_sframe(struct sock *sk, u16 rx_control, struct sk_buff *skb)
3710{
3711 BT_DBG("sk %p rx_control 0x%4.4x len %d", sk, rx_control, skb->len);
3712
9b16dc65
GP		 3713 if (L2CAP_CTRL_FINAL & rx_control &&
3714 l2cap_pi(sk)->conn_state & L2CAP_CONN_WAIT_F) {
e072745f
GP		 3715 del_timer(&l2cap_pi(sk)->monitor_timer);
3716 if (l2cap_pi(sk)->unacked_frames > 0)
3717 __mod_retrans_timer();
3718 l2cap_pi(sk)->conn_state &= ~L2CAP_CONN_WAIT_F;
3719 }
3720
3721 switch (rx_control & L2CAP_CTRL_SUPERVISE) {
3722 case L2CAP_SUPER_RCV_READY:
3723 l2cap_data_channel_rrframe(sk, rx_control);
8f17154f
GP		 3724 break;
3725
e072745f
GP		 3726 case L2CAP_SUPER_REJECT:
3727 l2cap_data_channel_rejframe(sk, rx_control);
3728 break;
2246b2f1 3729
e072745f
GP		 3730 case L2CAP_SUPER_SELECT_REJECT:
3731 l2cap_data_channel_srejframe(sk, rx_control);
3732 break;
3733
3734 case L2CAP_SUPER_RCV_NOT_READY:
3735 l2cap_data_channel_rnrframe(sk, rx_control);
1c2acffb
GP		 3736 break;
3737 }
3738
faaebd19 3739 kfree_skb(skb);
1c2acffb
GP		 3740 return 0;
3741}
3742
1da177e4
LT		 3743static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
3744{
3745 struct sock *sk;
6840ed07 3746 struct l2cap_pinfo *pi;
c74e560c 3747 u16 control, len;
01760bdd 3748 u8 tx_seq, req_seq, next_tx_seq_offset, req_seq_offset;
1da177e4
LT		 3749
3750 sk = l2cap_get_chan_by_scid(&conn->chan_list, cid);
3751 if (!sk) {
3752 BT_DBG("unknown cid 0x%4.4x", cid);
3753 goto drop;
3754 }
3755
6840ed07
GP		 3756 pi = l2cap_pi(sk);
3757
1da177e4
LT		 3758 BT_DBG("sk %p, len %d", sk, skb->len);
3759
3760 if (sk->sk_state != BT_CONNECTED)
3761 goto drop;
3762
6840ed07 3763 switch (pi->mode) {
1c2acffb
GP		 3764 case L2CAP_MODE_BASIC:
3765 /* If socket recv buffers overflows we drop data here
3766 * which is *bad* because L2CAP has to be reliable.
3767 * But we don't have any other choice. L2CAP doesn't
3768 * provide flow control mechanism. */
1da177e4 3769
6840ed07 3770 if (pi->imtu < skb->len)
1c2acffb 3771 goto drop;
1da177e4 3772
1c2acffb
GP		 3773 if (!sock_queue_rcv_skb(sk, skb))
3774 goto done;
3775 break;
3776
3777 case L2CAP_MODE_ERTM:
3778 control = get_unaligned_le16(skb->data);
3779 skb_pull(skb, 2);
c74e560c 3780 len = skb->len;
1c2acffb 3781
c74e560c
GP		 3782 if (__is_sar_start(control))
3783 len -= 2;
3784
fcc203c3
GP		 3785 if (pi->fcs == L2CAP_FCS_CRC16)
3786 len -= 2;
3787
30afb5b2
GP		 3788 /*
3789 * We can just drop the corrupted I-frame here.
3790 * Receiver will miss it and start proper recovery
3791 * procedures and ask retransmission.
3792 */
1c762159 3793 if (len > pi->mps)
1c2acffb
GP		 3794 goto drop;
3795
fcc203c3
GP		 3796 if (l2cap_check_fcs(pi, skb))
3797 goto drop;
3798
01760bdd
JPRV		 3799 req_seq = __get_reqseq(control);
3800 req_seq_offset = (req_seq - pi->expected_ack_seq) % 64;
3801 if (req_seq_offset < 0)
3802 req_seq_offset += 64;
3803
3804 next_tx_seq_offset =
3805 (pi->next_tx_seq - pi->expected_ack_seq) % 64;
3806 if (next_tx_seq_offset < 0)
3807 next_tx_seq_offset += 64;
3808
3809 /* check for invalid req-seq */
3810 if (req_seq_offset > next_tx_seq_offset) {
3811 l2cap_send_disconn_req(pi->conn, sk);
3812 goto drop;
3813 }
3814
277ffbe3
GP		 3815 if (__is_iframe(control)) {
3816 if (len < 4)
3817 goto drop;
3818
fcafde2e 3819 l2cap_data_channel_iframe(sk, control, skb);
277ffbe3
GP		 3820 } else {
3821 if (len != 0)
3822 goto drop;
3823
fcafde2e 3824 l2cap_data_channel_sframe(sk, control, skb);
277ffbe3 3825 }
1c2acffb 3826
fcafde2e 3827 goto done;
1c2acffb 3828
6840ed07
GP		 3829 case L2CAP_MODE_STREAMING:
3830 control = get_unaligned_le16(skb->data);
3831 skb_pull(skb, 2);
3832 len = skb->len;
3833
3834 if (__is_sar_start(control))
3835 len -= 2;
3836
fcc203c3
GP		 3837 if (pi->fcs == L2CAP_FCS_CRC16)
3838 len -= 2;
3839
1c762159 3840 if (len > pi->mps || len < 4 || __is_sframe(control))
6840ed07
GP		 3841 goto drop;
3842
fcc203c3
GP		 3843 if (l2cap_check_fcs(pi, skb))
3844 goto drop;
3845
6840ed07
GP		 3846 tx_seq = __get_txseq(control);
3847
3848 if (pi->expected_tx_seq == tx_seq)
3849 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
3850 else
7dffe421 3851 pi->expected_tx_seq = (tx_seq + 1) % 64;
6840ed07 3852
fcafde2e 3853 l2cap_sar_reassembly_sdu(sk, skb, control);
6840ed07
GP		 3854
3855 goto done;
3856
1c2acffb 3857 default:
e8235c6b 3858 BT_DBG("sk %p: bad mode 0x%2.2x", sk, pi->mode);
1c2acffb
GP		 3859 break;
3860 }
1da177e4
LT		 3861
3862drop:
3863 kfree_skb(skb);
3864
3865done:
0139418c
MH		 3866 if (sk)
3867 bh_unlock_sock(sk);
3868
1da177e4
LT		 3869 return 0;
3870}
3871
8e036fc3 3872static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
1da177e4
LT		 3873{
3874 struct sock *sk;
3875
3876 sk = l2cap_get_sock_by_psm(0, psm, conn->src);
3877 if (!sk)
3878 goto drop;
3879
3880 BT_DBG("sk %p, len %d", sk, skb->len);
3881
3882 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_CONNECTED)
3883 goto drop;
3884
3885 if (l2cap_pi(sk)->imtu < skb->len)
3886 goto drop;
3887
3888 if (!sock_queue_rcv_skb(sk, skb))
3889 goto done;
3890
3891drop:
3892 kfree_skb(skb);
3893
3894done:
af05b30b
GP		 3895 if (sk)
3896 bh_unlock_sock(sk);
1da177e4
LT		 3897 return 0;
3898}
3899
3900static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
3901{
3902 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 3903 u16 cid, len;
3904 __le16 psm;
1da177e4
LT		 3905
3906 skb_pull(skb, L2CAP_HDR_SIZE);
3907 cid = __le16_to_cpu(lh->cid);
3908 len = __le16_to_cpu(lh->len);
3909
1c2acffb
GP		 3910 if (len != skb->len) {
3911 kfree_skb(skb);
3912 return;
3913 }
3914
1da177e4
LT		 3915 BT_DBG("len %d, cid 0x%4.4x", len, cid);
3916
3917 switch (cid) {
8db4dc46 3918 case L2CAP_CID_SIGNALING:
1da177e4
LT		 3919 l2cap_sig_channel(conn, skb);
3920 break;
3921
8db4dc46 3922 case L2CAP_CID_CONN_LESS:
1b7bf4ed 3923 psm = get_unaligned_le16(skb->data);
1da177e4
LT		 3924 skb_pull(skb, 2);
3925 l2cap_conless_channel(conn, psm, skb);
3926 break;
3927
3928 default:
3929 l2cap_data_channel(conn, cid, skb);
3930 break;
3931 }
3932}
3933
3934/* ---- L2CAP interface with lower layer (HCI) ---- */
3935
3936static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
3937{
3938 int exact = 0, lm1 = 0, lm2 = 0;
3939 register struct sock *sk;
3940 struct hlist_node *node;
3941
3942 if (type != ACL_LINK)
3943 return 0;
3944
3945 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
3946
3947 /* Find listening sockets and check their link_mode */
3948 read_lock(&l2cap_sk_list.lock);
3949 sk_for_each(sk, node, &l2cap_sk_list.head) {
3950 if (sk->sk_state != BT_LISTEN)
3951 continue;
3952
3953 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5
MH		 3954 lm1 |= HCI_LM_ACCEPT;
3955 if (l2cap_pi(sk)->role_switch)
3956 lm1 |= HCI_LM_MASTER;
1da177e4 3957 exact++;
2af6b9d5
MH		 3958 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
3959 lm2 |= HCI_LM_ACCEPT;
3960 if (l2cap_pi(sk)->role_switch)
3961 lm2 |= HCI_LM_MASTER;
3962 }
1da177e4
LT		 3963 }
3964 read_unlock(&l2cap_sk_list.lock);
3965
3966 return exact ? lm1 : lm2;
3967}
3968
3969static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
3970{
0139418c
MH		 3971 struct l2cap_conn *conn;
3972
1da177e4
LT		 3973 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
3974
3975 if (hcon->type != ACL_LINK)
3976 return 0;
3977
3978 if (!status) {
1da177e4
LT		 3979 conn = l2cap_conn_add(hcon, status);
3980 if (conn)
3981 l2cap_conn_ready(conn);
0139418c 3982 } else
1da177e4
LT		 3983 l2cap_conn_del(hcon, bt_err(status));
3984
3985 return 0;
3986}
3987
2950f21a
MH		 3988static int l2cap_disconn_ind(struct hci_conn *hcon)
3989{
3990 struct l2cap_conn *conn = hcon->l2cap_data;
3991
3992 BT_DBG("hcon %p", hcon);
3993
3994 if (hcon->type != ACL_LINK || !conn)
3995 return 0x13;
3996
3997 return conn->disc_reason;
3998}
3999
4000static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 4001{
4002 BT_DBG("hcon %p reason %d", hcon, reason);
4003
4004 if (hcon->type != ACL_LINK)
4005 return 0;
4006
4007 l2cap_conn_del(hcon, bt_err(reason));
0139418c 4008
1da177e4
LT		 4009 return 0;
4010}
4011
f62e4323
MH		 4012static inline void l2cap_check_encryption(struct sock *sk, u8 encrypt)
4013{
bd3c9e25 4014 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM)
255c7601
MH		 4015 return;
4016
f62e4323
MH		 4017 if (encrypt == 0x00) {
4018 if (l2cap_pi(sk)->sec_level == BT_SECURITY_MEDIUM) {
4019 l2cap_sock_clear_timer(sk);
4020 l2cap_sock_set_timer(sk, HZ * 5);
4021 } else if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
4022 __l2cap_sock_close(sk, ECONNREFUSED);
4023 } else {
4024 if (l2cap_pi(sk)->sec_level == BT_SECURITY_MEDIUM)
4025 l2cap_sock_clear_timer(sk);
4026 }
4027}
4028
8c1b2355 4029static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4
LT		 4030{
4031 struct l2cap_chan_list *l;
0139418c 4032 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4 4033 struct sock *sk;
1da177e4 4034
0139418c 4035 if (!conn)
1da177e4 4036 return 0;
0139418c 4037
1da177e4
LT		 4038 l = &conn->chan_list;
4039
4040 BT_DBG("conn %p", conn);
4041
4042 read_lock(&l->lock);
4043
4044 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
4045 bh_lock_sock(sk);
4046
6a8d3010
MH		 4047 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_CONNECT_PEND) {
4048 bh_unlock_sock(sk);
4049 continue;
4050 }
4051
f62e4323 4052 if (!status && (sk->sk_state == BT_CONNECTED ||
8c1b2355 4053 sk->sk_state == BT_CONFIG)) {
f62e4323 4054 l2cap_check_encryption(sk, encrypt);
9719f8af
MH		 4055 bh_unlock_sock(sk);
4056 continue;
4057 }
4058
b1235d79
MH		 4059 if (sk->sk_state == BT_CONNECT) {
4060 if (!status) {
4061 struct l2cap_conn_req req;
4062 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
4063 req.psm = l2cap_pi(sk)->psm;
1da177e4 4064
b1235d79 4065 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
1da177e4 4066
b1235d79
MH		 4067 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
4068 L2CAP_CONN_REQ, sizeof(req), &req);
4069 } else {
4070 l2cap_sock_clear_timer(sk);
4071 l2cap_sock_set_timer(sk, HZ / 10);
4072 }
4073 } else if (sk->sk_state == BT_CONNECT2) {
4074 struct l2cap_conn_rsp rsp;
4075 __u16 result;
1da177e4 4076
b1235d79
MH		 4077 if (!status) {
4078 sk->sk_state = BT_CONFIG;
4079 result = L2CAP_CR_SUCCESS;
4080 } else {
4081 sk->sk_state = BT_DISCONN;
4082 l2cap_sock_set_timer(sk, HZ / 10);
4083 result = L2CAP_CR_SEC_BLOCK;
4084 }
4085
4086 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
4087 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
4088 rsp.result = cpu_to_le16(result);
e7c29cb1 4089 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
b1235d79
MH		 4090 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
4091 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
4092 }
1da177e4
LT		 4093
4094 bh_unlock_sock(sk);
4095 }
4096
4097 read_unlock(&l->lock);
b1235d79 4098
1da177e4
LT		 4099 return 0;
4100}
4101
4102static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
4103{
4104 struct l2cap_conn *conn = hcon->l2cap_data;
4105
4106 if (!conn && !(conn = l2cap_conn_add(hcon, 0)))
4107 goto drop;
4108
4109 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
4110
4111 if (flags & ACL_START) {
4112 struct l2cap_hdr *hdr;
4113 int len;
4114
4115 if (conn->rx_len) {
4116 BT_ERR("Unexpected start frame (len %d)", skb->len);
4117 kfree_skb(conn->rx_skb);
4118 conn->rx_skb = NULL;
4119 conn->rx_len = 0;
4120 l2cap_conn_unreliable(conn, ECOMM);
4121 }
4122
4123 if (skb->len < 2) {
4124 BT_ERR("Frame is too short (len %d)", skb->len);
4125 l2cap_conn_unreliable(conn, ECOMM);
4126 goto drop;
4127 }
4128
4129 hdr = (struct l2cap_hdr *) skb->data;
4130 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
4131
4132 if (len == skb->len) {
4133 /* Complete frame received */
4134 l2cap_recv_frame(conn, skb);
4135 return 0;
4136 }
4137
4138 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
4139
4140 if (skb->len > len) {
4141 BT_ERR("Frame is too long (len %d, expected len %d)",
4142 skb->len, len);
4143 l2cap_conn_unreliable(conn, ECOMM);
4144 goto drop;
4145 }
4146
4147 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 4148 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
4149 if (!conn->rx_skb)
1da177e4
LT		 4150 goto drop;
4151
d626f62b 4152 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4153 skb->len);
1da177e4
LT		 4154 conn->rx_len = len - skb->len;
4155 } else {
4156 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
4157
4158 if (!conn->rx_len) {
4159 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
4160 l2cap_conn_unreliable(conn, ECOMM);
4161 goto drop;
4162 }
4163
4164 if (skb->len > conn->rx_len) {
4165 BT_ERR("Fragment is too long (len %d, expected %d)",
4166 skb->len, conn->rx_len);
4167 kfree_skb(conn->rx_skb);
4168 conn->rx_skb = NULL;
4169 conn->rx_len = 0;
4170 l2cap_conn_unreliable(conn, ECOMM);
4171 goto drop;
4172 }
4173
d626f62b 4174 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4175 skb->len);
1da177e4
LT		 4176 conn->rx_len -= skb->len;
4177
4178 if (!conn->rx_len) {
4179 /* Complete frame received */
4180 l2cap_recv_frame(conn, conn->rx_skb);
4181 conn->rx_skb = NULL;
4182 }
4183 }
4184
4185drop:
4186 kfree_skb(skb);
4187 return 0;
4188}
4189
aef7d97c 4190static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4
LT		 4191{
4192 struct sock *sk;
4193 struct hlist_node *node;
1da177e4
LT		 4194
4195 read_lock_bh(&l2cap_sk_list.lock);
4196
be9d1227
MH		 4197 sk_for_each(sk, node, &l2cap_sk_list.head) {
4198 struct l2cap_pinfo *pi = l2cap_pi(sk);
101545f6 4199
aef7d97c
MH		 4200 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d\n",
4201 batostr(&bt_sk(sk)->src),
4202 batostr(&bt_sk(sk)->dst),
4203 sk->sk_state, __le16_to_cpu(pi->psm),
4204 pi->scid, pi->dcid,
4205 pi->imtu, pi->omtu, pi->sec_level);
be9d1227 4206 }
1da177e4 4207
1da177e4 4208 read_unlock_bh(&l2cap_sk_list.lock);
1da177e4 4209
aef7d97c 4210 return 0;
1da177e4
LT		 4211}
4212
aef7d97c
MH		 4213static int l2cap_debugfs_open(struct inode *inode, struct file *file)
4214{
4215 return single_open(file, l2cap_debugfs_show, inode->i_private);
4216}
4217
4218static const struct file_operations l2cap_debugfs_fops = {
4219 .open = l2cap_debugfs_open,
4220 .read = seq_read,
4221 .llseek = seq_lseek,
4222 .release = single_release,
4223};
4224
4225static struct dentry *l2cap_debugfs;
1da177e4 4226
90ddc4f0 4227static const struct proto_ops l2cap_sock_ops = {
1da177e4
LT		 4228 .family = PF_BLUETOOTH,
4229 .owner = THIS_MODULE,
4230 .release = l2cap_sock_release,
4231 .bind = l2cap_sock_bind,
4232 .connect = l2cap_sock_connect,
4233 .listen = l2cap_sock_listen,
4234 .accept = l2cap_sock_accept,
4235 .getname = l2cap_sock_getname,
4236 .sendmsg = l2cap_sock_sendmsg,
f66dc81f 4237 .recvmsg = l2cap_sock_recvmsg,
1da177e4 4238 .poll = bt_sock_poll,
3241ad82 4239 .ioctl = bt_sock_ioctl,
1da177e4
LT		 4240 .mmap = sock_no_mmap,
4241 .socketpair = sock_no_socketpair,
1da177e4
LT		 4242 .shutdown = l2cap_sock_shutdown,
4243 .setsockopt = l2cap_sock_setsockopt,
4244 .getsockopt = l2cap_sock_getsockopt
4245};
4246
ec1b4cf7 4247static const struct net_proto_family l2cap_sock_family_ops = {
1da177e4
LT		 4248 .family = PF_BLUETOOTH,
4249 .owner = THIS_MODULE,
4250 .create = l2cap_sock_create,
4251};
4252
4253static struct hci_proto l2cap_hci_proto = {
4254 .name = "L2CAP",
4255 .id = HCI_PROTO_L2CAP,
4256 .connect_ind = l2cap_connect_ind,
4257 .connect_cfm = l2cap_connect_cfm,
4258 .disconn_ind = l2cap_disconn_ind,
2950f21a 4259 .disconn_cfm = l2cap_disconn_cfm,
8c1b2355 4260 .security_cfm = l2cap_security_cfm,
1da177e4
LT		 4261 .recv_acldata = l2cap_recv_acldata
4262};
4263
4264static int __init l2cap_init(void)
4265{
4266 int err;
be9d1227 4267
1da177e4
LT		 4268 err = proto_register(&l2cap_proto, 0);
4269 if (err < 0)
4270 return err;
4271
4272 err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
4273 if (err < 0) {
4274 BT_ERR("L2CAP socket registration failed");
4275 goto error;
4276 }
4277
4278 err = hci_register_proto(&l2cap_hci_proto);
4279 if (err < 0) {
4280 BT_ERR("L2CAP protocol registration failed");
4281 bt_sock_unregister(BTPROTO_L2CAP);
4282 goto error;
4283 }
4284
aef7d97c
MH		 4285 if (bt_debugfs) {
4286 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
4287 bt_debugfs, NULL, &l2cap_debugfs_fops);
4288 if (!l2cap_debugfs)
4289 BT_ERR("Failed to create L2CAP debug file");
4290 }
1da177e4
LT		 4291
4292 BT_INFO("L2CAP ver %s", VERSION);
4293 BT_INFO("L2CAP socket layer initialized");
4294
4295 return 0;
4296
4297error:
4298 proto_unregister(&l2cap_proto);
4299 return err;
4300}
4301
4302static void __exit l2cap_exit(void)
4303{
aef7d97c 4304 debugfs_remove(l2cap_debugfs);
1da177e4
LT		 4305
4306 if (bt_sock_unregister(BTPROTO_L2CAP) < 0)
4307 BT_ERR("L2CAP socket unregistration failed");
4308
4309 if (hci_unregister_proto(&l2cap_hci_proto) < 0)
4310 BT_ERR("L2CAP protocol unregistration failed");
4311
4312 proto_unregister(&l2cap_proto);
4313}
4314
4315void l2cap_load(void)
4316{
4317 /* Dummy function to trigger automatic L2CAP module loading by
4318 * other modules that use L2CAP sockets but don't use any other
4319 * symbols from it. */
4320 return;
4321}
4322EXPORT_SYMBOL(l2cap_load);
4323
4324module_init(l2cap_init);
4325module_exit(l2cap_exit);
4326
44dd46de
MH		 4327module_param(enable_ertm, bool, 0644);
4328MODULE_PARM_DESC(enable_ertm, "Enable enhanced retransmission mode");
4329
5fbcd3d1
MH		 4330module_param(max_transmit, uint, 0644);
4331MODULE_PARM_DESC(max_transmit, "Max transmit value (default = 3)");
4332
369ba302
GP		 4333module_param(tx_window, uint, 0644);
4334MODULE_PARM_DESC(tx_window, "Transmission window size value (default = 63)");
4335
63fbd24e 4336MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
1da177e4
LT		 4337MODULE_DESCRIPTION("Bluetooth L2CAP ver " VERSION);
4338MODULE_VERSION(VERSION);
4339MODULE_LICENSE("GPL");
4340MODULE_ALIAS("bt-proto-0");
kernel source for telekom puls (alcatel/mediatek)