projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: sco: fix information leak to userspace
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
1da177e4
LT		 6
7 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License version 2 as
11 published by the Free Software Foundation;
12
13 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
14 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
15 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
16 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 17 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
18 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
19 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 20 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
21
8e87d142
YH		 22 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
23 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 24 SOFTWARE IS DISCLAIMED.
25*/
26
bb58f747 27/* Bluetooth L2CAP core. */
1da177e4 28
1da177e4
LT		 29#include <linux/module.h>
30
31#include <linux/types.h>
4fc268d2 32#include <linux/capability.h>
1da177e4
LT		 33#include <linux/errno.h>
34#include <linux/kernel.h>
1da177e4
LT		 35#include <linux/sched.h>
36#include <linux/slab.h>
37#include <linux/poll.h>
38#include <linux/fcntl.h>
39#include <linux/init.h>
40#include <linux/interrupt.h>
41#include <linux/socket.h>
42#include <linux/skbuff.h>
1da177e4 43#include <linux/list.h>
be9d1227 44#include <linux/device.h>
aef7d97c
MH		 45#include <linux/debugfs.h>
46#include <linux/seq_file.h>
af05b30b 47#include <linux/uaccess.h>
fcc203c3 48#include <linux/crc16.h>
1da177e4
LT		 49#include <net/sock.h>
50
51#include <asm/system.h>
1da177e4
LT		 52#include <asm/unaligned.h>
53
54#include <net/bluetooth/bluetooth.h>
55#include <net/bluetooth/hci_core.h>
56#include <net/bluetooth/l2cap.h>
57
dd135240 58#define VERSION "2.15"
44dd46de 59
bb58f747 60int disable_ertm;
f0709e03 61
47ec1dcd 62static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
e1027a7c 63static u8 l2cap_fixed_chan[8] = { 0x02, };
1da177e4 64
1890d36b
GP		 65static struct workqueue_struct *_busy_wq;
66
bb58f747 67struct bt_sock_list l2cap_sk_list = {
d5fb2962 68 .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
1da177e4
LT		 69};
70
1890d36b
GP		 71static void l2cap_busy_work(struct work_struct *work);
72
1da177e4
LT		 73static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
74 u8 code, u8 ident, u16 dlen, void *data);
75
218bb9df
GP		 76static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb);
77
0139418c
MH		 78/* ---- L2CAP channels ---- */
79static struct sock *__l2cap_get_chan_by_dcid(struct l2cap_chan_list *l, u16 cid)
80{
81 struct sock *s;
82 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
83 if (l2cap_pi(s)->dcid == cid)
84 break;
85 }
86 return s;
87}
88
89static struct sock *__l2cap_get_chan_by_scid(struct l2cap_chan_list *l, u16 cid)
90{
91 struct sock *s;
92 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
93 if (l2cap_pi(s)->scid == cid)
94 break;
95 }
96 return s;
97}
98
99/* Find channel with given SCID.
100 * Returns locked socket */
101static inline struct sock *l2cap_get_chan_by_scid(struct l2cap_chan_list *l, u16 cid)
102{
103 struct sock *s;
104 read_lock(&l->lock);
105 s = __l2cap_get_chan_by_scid(l, cid);
af05b30b
GP		 106 if (s)
107 bh_lock_sock(s);
0139418c
MH		 108 read_unlock(&l->lock);
109 return s;
110}
111
112static struct sock *__l2cap_get_chan_by_ident(struct l2cap_chan_list *l, u8 ident)
113{
114 struct sock *s;
115 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
116 if (l2cap_pi(s)->ident == ident)
117 break;
118 }
119 return s;
120}
121
122static inline struct sock *l2cap_get_chan_by_ident(struct l2cap_chan_list *l, u8 ident)
123{
124 struct sock *s;
125 read_lock(&l->lock);
126 s = __l2cap_get_chan_by_ident(l, ident);
af05b30b
GP		 127 if (s)
128 bh_lock_sock(s);
0139418c
MH		 129 read_unlock(&l->lock);
130 return s;
131}
132
133static u16 l2cap_alloc_cid(struct l2cap_chan_list *l)
134{
8db4dc46 135 u16 cid = L2CAP_CID_DYN_START;
0139418c 136
8db4dc46 137 for (; cid < L2CAP_CID_DYN_END; cid++) {
af05b30b 138 if (!__l2cap_get_chan_by_scid(l, cid))
0139418c
MH		 139 return cid;
140 }
141
142 return 0;
143}
144
145static inline void __l2cap_chan_link(struct l2cap_chan_list *l, struct sock *sk)
146{
147 sock_hold(sk);
148
149 if (l->head)
150 l2cap_pi(l->head)->prev_c = sk;
151
152 l2cap_pi(sk)->next_c = l->head;
153 l2cap_pi(sk)->prev_c = NULL;
154 l->head = sk;
155}
156
157static inline void l2cap_chan_unlink(struct l2cap_chan_list *l, struct sock *sk)
158{
159 struct sock *next = l2cap_pi(sk)->next_c, *prev = l2cap_pi(sk)->prev_c;
160
fd1278d7 161 write_lock_bh(&l->lock);
0139418c
MH		 162 if (sk == l->head)
163 l->head = next;
164
165 if (next)
166 l2cap_pi(next)->prev_c = prev;
167 if (prev)
168 l2cap_pi(prev)->next_c = next;
fd1278d7 169 write_unlock_bh(&l->lock);
0139418c
MH		 170
171 __sock_put(sk);
172}
173
174static void __l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent)
175{
176 struct l2cap_chan_list *l = &conn->chan_list;
177
af05b30b
GP		 178 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
179 l2cap_pi(sk)->psm, l2cap_pi(sk)->dcid);
0139418c 180
2950f21a
MH		 181 conn->disc_reason = 0x13;
182
0139418c
MH		 183 l2cap_pi(sk)->conn = conn;
184
bd3c9e25 185 if (sk->sk_type == SOCK_SEQPACKET || sk->sk_type == SOCK_STREAM) {
0139418c
MH		 186 /* Alloc CID for connection-oriented socket */
187 l2cap_pi(sk)->scid = l2cap_alloc_cid(l);
188 } else if (sk->sk_type == SOCK_DGRAM) {
189 /* Connectionless socket */
8db4dc46
GP		 190 l2cap_pi(sk)->scid = L2CAP_CID_CONN_LESS;
191 l2cap_pi(sk)->dcid = L2CAP_CID_CONN_LESS;
0139418c
MH		 192 l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU;
193 } else {
194 /* Raw socket can send/recv signalling messages only */
8db4dc46
GP		 195 l2cap_pi(sk)->scid = L2CAP_CID_SIGNALING;
196 l2cap_pi(sk)->dcid = L2CAP_CID_SIGNALING;
0139418c
MH		 197 l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU;
198 }
199
200 __l2cap_chan_link(l, sk);
201
202 if (parent)
203 bt_accept_enqueue(parent, sk);
204}
205
8e87d142 206/* Delete channel.
0139418c 207 * Must be called on the locked socket. */
6de0702b 208void l2cap_chan_del(struct sock *sk, int err)
0139418c
MH		 209{
210 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
211 struct sock *parent = bt_sk(sk)->parent;
212
213 l2cap_sock_clear_timer(sk);
214
215 BT_DBG("sk %p, conn %p, err %d", sk, conn, err);
216
8e87d142 217 if (conn) {
0139418c
MH		 218 /* Unlink from channel list */
219 l2cap_chan_unlink(&conn->chan_list, sk);
220 l2cap_pi(sk)->conn = NULL;
221 hci_conn_put(conn->hcon);
222 }
223
b1235d79 224 sk->sk_state = BT_CLOSED;
0139418c
MH		 225 sock_set_flag(sk, SOCK_ZAPPED);
226
227 if (err)
228 sk->sk_err = err;
229
230 if (parent) {
231 bt_accept_unlink(sk);
232 parent->sk_data_ready(parent, 0);
233 } else
234 sk->sk_state_change(sk);
c13ffa62
GP		 235
236 skb_queue_purge(TX_QUEUE(sk));
237
238 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM) {
239 struct srej_list *l, *tmp;
240
241 del_timer(&l2cap_pi(sk)->retrans_timer);
242 del_timer(&l2cap_pi(sk)->monitor_timer);
243 del_timer(&l2cap_pi(sk)->ack_timer);
244
245 skb_queue_purge(SREJ_QUEUE(sk));
246 skb_queue_purge(BUSY_QUEUE(sk));
247
248 list_for_each_entry_safe(l, tmp, SREJ_LIST(sk), list) {
249 list_del(&l->list);
250 kfree(l);
251 }
252 }
0139418c
MH		 253}
254
8556edd3 255static inline u8 l2cap_get_auth_type(struct sock *sk)
79d554a6 256{
8556edd3
JH		 257 if (sk->sk_type == SOCK_RAW) {
258 switch (l2cap_pi(sk)->sec_level) {
259 case BT_SECURITY_HIGH:
260 return HCI_AT_DEDICATED_BONDING_MITM;
261 case BT_SECURITY_MEDIUM:
262 return HCI_AT_DEDICATED_BONDING;
263 default:
264 return HCI_AT_NO_BONDING;
265 }
266 } else if (l2cap_pi(sk)->psm == cpu_to_le16(0x0001)) {
267 if (l2cap_pi(sk)->sec_level == BT_SECURITY_LOW)
268 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
0684e5f9 269
00ae4af9 270 if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
8556edd3 271 return HCI_AT_NO_BONDING_MITM;
00ae4af9 272 else
8556edd3 273 return HCI_AT_NO_BONDING;
00ae4af9
MH		 274 } else {
275 switch (l2cap_pi(sk)->sec_level) {
276 case BT_SECURITY_HIGH:
8556edd3 277 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 278 case BT_SECURITY_MEDIUM:
8556edd3 279 return HCI_AT_GENERAL_BONDING;
00ae4af9 280 default:
8556edd3 281 return HCI_AT_NO_BONDING;
00ae4af9 282 }
0684e5f9 283 }
8556edd3
JH		 284}
285
286/* Service level security */
287static inline int l2cap_check_security(struct sock *sk)
288{
289 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
290 __u8 auth_type;
291
292 auth_type = l2cap_get_auth_type(sk);
79d554a6 293
0684e5f9
MH		 294 return hci_conn_security(conn->hcon, l2cap_pi(sk)->sec_level,
295 auth_type);
79d554a6
MH		 296}
297
68983259 298u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 299{
300 u8 id;
301
302 /* Get next available identificator.
303 * 1 - 128 are used by kernel.
304 * 129 - 199 are reserved.
305 * 200 - 254 are used by utilities like l2ping, etc.
306 */
307
308 spin_lock_bh(&conn->lock);
309
310 if (++conn->tx_ident > 128)
311 conn->tx_ident = 1;
312
313 id = conn->tx_ident;
314
315 spin_unlock_bh(&conn->lock);
316
317 return id;
318}
319
68983259 320void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
4e8402a3
MH		 321{
322 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 323 u8 flags;
4e8402a3
MH		 324
325 BT_DBG("code 0x%2.2x", code);
326
327 if (!skb)
9a9c6a34 328 return;
4e8402a3 329
e702112f
AE		 330 if (lmp_no_flush_capable(conn->hcon->hdev))
331 flags = ACL_START_NO_FLUSH;
332 else
333 flags = ACL_START;
334
335 hci_send_acl(conn->hcon, skb, flags);
4e8402a3
MH		 336}
337
9a9c6a34 338static inline void l2cap_send_sframe(struct l2cap_pinfo *pi, u16 control)
1c2acffb
GP		 339{
340 struct sk_buff *skb;
341 struct l2cap_hdr *lh;
342 struct l2cap_conn *conn = pi->conn;
c13ffa62 343 struct sock *sk = (struct sock *)pi;
fcc203c3 344 int count, hlen = L2CAP_HDR_SIZE + 2;
e702112f 345 u8 flags;
fcc203c3 346
c13ffa62
GP		 347 if (sk->sk_state != BT_CONNECTED)
348 return;
349
fcc203c3
GP		 350 if (pi->fcs == L2CAP_FCS_CRC16)
351 hlen += 2;
1c2acffb
GP		 352
353 BT_DBG("pi %p, control 0x%2.2x", pi, control);
354
fcc203c3 355 count = min_t(unsigned int, conn->mtu, hlen);
1c2acffb
GP		 356 control |= L2CAP_CTRL_FRAME_TYPE;
357
9e917af1
GP		 358 if (pi->conn_state & L2CAP_CONN_SEND_FBIT) {
359 control |= L2CAP_CTRL_FINAL;
360 pi->conn_state &= ~L2CAP_CONN_SEND_FBIT;
361 }
362
f0946ccf
GP		 363 if (pi->conn_state & L2CAP_CONN_SEND_PBIT) {
364 control |= L2CAP_CTRL_POLL;
365 pi->conn_state &= ~L2CAP_CONN_SEND_PBIT;
366 }
367
1c2acffb
GP		 368 skb = bt_skb_alloc(count, GFP_ATOMIC);
369 if (!skb)
9a9c6a34 370 return;
1c2acffb
GP		 371
372 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fcc203c3 373 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
1c2acffb
GP		 374 lh->cid = cpu_to_le16(pi->dcid);
375 put_unaligned_le16(control, skb_put(skb, 2));
376
fcc203c3
GP		 377 if (pi->fcs == L2CAP_FCS_CRC16) {
378 u16 fcs = crc16(0, (u8 *)lh, count - 2);
379 put_unaligned_le16(fcs, skb_put(skb, 2));
380 }
381
e702112f
AE		 382 if (lmp_no_flush_capable(conn->hcon->hdev))
383 flags = ACL_START_NO_FLUSH;
384 else
385 flags = ACL_START;
386
387 hci_send_acl(pi->conn->hcon, skb, flags);
1c2acffb
GP		 388}
389
9a9c6a34 390static inline void l2cap_send_rr_or_rnr(struct l2cap_pinfo *pi, u16 control)
7e743090 391{
1890d36b 392 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) {
7e743090 393 control |= L2CAP_SUPER_RCV_NOT_READY;
1890d36b
GP		 394 pi->conn_state |= L2CAP_CONN_RNR_SENT;
395 } else
7e743090
GP		 396 control |= L2CAP_SUPER_RCV_READY;
397
2ab25cdd
GP		 398 control |= pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
399
9a9c6a34 400 l2cap_send_sframe(pi, control);
7e743090
GP		 401}
402
e501d055
AE		 403static inline int __l2cap_no_conn_pending(struct sock *sk)
404{
405 return !(l2cap_pi(sk)->conf_state & L2CAP_CONF_CONNECT_PEND);
406}
407
79d554a6
MH		 408static void l2cap_do_start(struct sock *sk)
409{
410 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
411
412 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 413 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
414 return;
415
e501d055 416 if (l2cap_check_security(sk) && __l2cap_no_conn_pending(sk)) {
b1235d79
MH		 417 struct l2cap_conn_req req;
418 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
419 req.psm = l2cap_pi(sk)->psm;
79d554a6 420
b1235d79 421 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
e501d055 422 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
79d554a6 423
b1235d79 424 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
79d554a6 425 L2CAP_CONN_REQ, sizeof(req), &req);
b1235d79 426 }
79d554a6
MH		 427 } else {
428 struct l2cap_info_req req;
429 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
430
431 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
432 conn->info_ident = l2cap_get_ident(conn);
433
434 mod_timer(&conn->info_timer, jiffies +
435 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
436
437 l2cap_send_cmd(conn, conn->info_ident,
438 L2CAP_INFO_REQ, sizeof(req), &req);
439 }
440}
441
cf6c2c0b
GP		 442static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
443{
444 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 445 if (!disable_ertm)
cf6c2c0b
GP		 446 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
447
448 switch (mode) {
449 case L2CAP_MODE_ERTM:
450 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
451 case L2CAP_MODE_STREAMING:
452 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
453 default:
454 return 0x00;
455 }
456}
457
6de0702b 458void l2cap_send_disconn_req(struct l2cap_conn *conn, struct sock *sk, int err)
22121fc9
GP		 459{
460 struct l2cap_disconn_req req;
461
c13ffa62
GP		 462 if (!conn)
463 return;
464
465 skb_queue_purge(TX_QUEUE(sk));
466
467 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM) {
468 del_timer(&l2cap_pi(sk)->retrans_timer);
469 del_timer(&l2cap_pi(sk)->monitor_timer);
470 del_timer(&l2cap_pi(sk)->ack_timer);
471 }
472
22121fc9
GP		 473 req.dcid = cpu_to_le16(l2cap_pi(sk)->dcid);
474 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
475 l2cap_send_cmd(conn, l2cap_get_ident(conn),
476 L2CAP_DISCONN_REQ, sizeof(req), &req);
c13ffa62
GP		 477
478 sk->sk_state = BT_DISCONN;
9b108fc0 479 sk->sk_err = err;
22121fc9
GP		 480}
481
1da177e4 482/* ---- L2CAP connections ---- */
4e8402a3
MH		 483static void l2cap_conn_start(struct l2cap_conn *conn)
484{
485 struct l2cap_chan_list *l = &conn->chan_list;
cf6c2c0b 486 struct sock_del_list del, *tmp1, *tmp2;
4e8402a3
MH		 487 struct sock *sk;
488
489 BT_DBG("conn %p", conn);
490
cf6c2c0b
GP		 491 INIT_LIST_HEAD(&del.list);
492
4e8402a3
MH		 493 read_lock(&l->lock);
494
495 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
496 bh_lock_sock(sk);
497
bd3c9e25
GP		 498 if (sk->sk_type != SOCK_SEQPACKET &&
499 sk->sk_type != SOCK_STREAM) {
79d554a6
MH		 500 bh_unlock_sock(sk);
501 continue;
502 }
503
504 if (sk->sk_state == BT_CONNECT) {
47731de7 505 struct l2cap_conn_req req;
79d554a6 506
47731de7
GP		 507 if (!l2cap_check_security(sk) ||
508 !__l2cap_no_conn_pending(sk)) {
509 bh_unlock_sock(sk);
510 continue;
511 }
79d554a6 512
47731de7
GP		 513 if (!l2cap_mode_supported(l2cap_pi(sk)->mode,
514 conn->feat_mask)
515 && l2cap_pi(sk)->conf_state &
516 L2CAP_CONF_STATE2_DEVICE) {
517 tmp1 = kzalloc(sizeof(struct sock_del_list),
518 GFP_ATOMIC);
519 tmp1->sk = sk;
520 list_add_tail(&tmp1->list, &del.list);
521 bh_unlock_sock(sk);
522 continue;
b1235d79 523 }
47731de7
GP		 524
525 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
526 req.psm = l2cap_pi(sk)->psm;
527
528 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
529 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
530
531 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
532 L2CAP_CONN_REQ, sizeof(req), &req);
533
79d554a6
MH		 534 } else if (sk->sk_state == BT_CONNECT2) {
535 struct l2cap_conn_rsp rsp;
e9aeb2dd 536 char buf[128];
79d554a6
MH		 537 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
538 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
539
2af6b9d5 540 if (l2cap_check_security(sk)) {
f66dc81f
MH		 541 if (bt_sk(sk)->defer_setup) {
542 struct sock *parent = bt_sk(sk)->parent;
543 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
544 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
545 parent->sk_data_ready(parent, 0);
546
547 } else {
548 sk->sk_state = BT_CONFIG;
549 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
550 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
551 }
79d554a6
MH		 552 } else {
553 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
554 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
555 }
556
557 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
558 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
e9aeb2dd
GP		 559
560 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT ||
561 rsp.result != L2CAP_CR_SUCCESS) {
562 bh_unlock_sock(sk);
563 continue;
564 }
565
566 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
567 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
568 l2cap_build_conf_req(sk, buf), buf);
569 l2cap_pi(sk)->num_conf_req++;
4e8402a3
MH		 570 }
571
572 bh_unlock_sock(sk);
573 }
574
575 read_unlock(&l->lock);
cf6c2c0b
GP		 576
577 list_for_each_entry_safe(tmp1, tmp2, &del.list, list) {
578 bh_lock_sock(tmp1->sk);
579 __l2cap_sock_close(tmp1->sk, ECONNRESET);
580 bh_unlock_sock(tmp1->sk);
581 list_del(&tmp1->list);
582 kfree(tmp1);
583 }
4e8402a3
MH		 584}
585
586static void l2cap_conn_ready(struct l2cap_conn *conn)
587{
79d554a6
MH		 588 struct l2cap_chan_list *l = &conn->chan_list;
589 struct sock *sk;
4e8402a3 590
79d554a6 591 BT_DBG("conn %p", conn);
4e8402a3 592
79d554a6 593 read_lock(&l->lock);
4e8402a3 594
79d554a6
MH		 595 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
596 bh_lock_sock(sk);
4e8402a3 597
bd3c9e25
GP		 598 if (sk->sk_type != SOCK_SEQPACKET &&
599 sk->sk_type != SOCK_STREAM) {
79d554a6
MH		 600 l2cap_sock_clear_timer(sk);
601 sk->sk_state = BT_CONNECTED;
602 sk->sk_state_change(sk);
603 } else if (sk->sk_state == BT_CONNECT)
604 l2cap_do_start(sk);
4e8402a3 605
79d554a6 606 bh_unlock_sock(sk);
4e8402a3 607 }
79d554a6
MH		 608
609 read_unlock(&l->lock);
4e8402a3
MH		 610}
611
612/* Notify sockets that we cannot guaranty reliability anymore */
613static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
614{
615 struct l2cap_chan_list *l = &conn->chan_list;
616 struct sock *sk;
617
618 BT_DBG("conn %p", conn);
619
620 read_lock(&l->lock);
621
622 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
2af6b9d5 623 if (l2cap_pi(sk)->force_reliable)
4e8402a3
MH		 624 sk->sk_err = err;
625 }
626
627 read_unlock(&l->lock);
628}
629
630static void l2cap_info_timeout(unsigned long arg)
631{
632 struct l2cap_conn *conn = (void *) arg;
633
984947dc 634 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 635 conn->info_ident = 0;
984947dc 636
4e8402a3
MH		 637 l2cap_conn_start(conn);
638}
639
1da177e4
LT		 640static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
641{
0139418c 642 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4 643
0139418c 644 if (conn || status)
1da177e4
LT		 645 return conn;
646
0139418c
MH		 647 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
648 if (!conn)
1da177e4 649 return NULL;
1da177e4
LT		 650
651 hcon->l2cap_data = conn;
652 conn->hcon = hcon;
653
0139418c
MH		 654 BT_DBG("hcon %p conn %p", hcon, conn);
655
1da177e4
LT		 656 conn->mtu = hcon->hdev->acl_mtu;
657 conn->src = &hcon->hdev->bdaddr;
658 conn->dst = &hcon->dst;
659
4e8402a3
MH		 660 conn->feat_mask = 0;
661
1da177e4
LT		 662 spin_lock_init(&conn->lock);
663 rwlock_init(&conn->chan_list.lock);
664
45054dc1
DY		 665 setup_timer(&conn->info_timer, l2cap_info_timeout,
666 (unsigned long) conn);
667
2950f21a
MH		 668 conn->disc_reason = 0x13;
669
1da177e4
LT		 670 return conn;
671}
672
0139418c 673static void l2cap_conn_del(struct hci_conn *hcon, int err)
1da177e4 674{
0139418c 675 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4
LT		 676 struct sock *sk;
677
0139418c
MH		 678 if (!conn)
679 return;
1da177e4
LT		 680
681 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
682
7585b97a 683 kfree_skb(conn->rx_skb);
1da177e4
LT		 684
685 /* Kill channels */
686 while ((sk = conn->chan_list.head)) {
687 bh_lock_sock(sk);
688 l2cap_chan_del(sk, err);
689 bh_unlock_sock(sk);
690 l2cap_sock_kill(sk);
691 }
692
8e8440f5
DY		 693 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
694 del_timer_sync(&conn->info_timer);
3ab22731 695
1da177e4
LT		 696 hcon->l2cap_data = NULL;
697 kfree(conn);
1da177e4
LT		 698}
699
700static inline void l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent)
701{
702 struct l2cap_chan_list *l = &conn->chan_list;
fd1278d7 703 write_lock_bh(&l->lock);
1da177e4 704 __l2cap_chan_add(conn, sk, parent);
fd1278d7 705 write_unlock_bh(&l->lock);
1da177e4
LT		 706}
707
1da177e4 708/* ---- Socket interface ---- */
1da177e4
LT		 709
710/* Find socket with psm and source bdaddr.
711 * Returns closest match.
712 */
e0f0cb56 713static struct sock *l2cap_get_sock_by_psm(int state, __le16 psm, bdaddr_t *src)
1da177e4
LT		 714{
715 struct sock *sk = NULL, *sk1 = NULL;
716 struct hlist_node *node;
717
e0f0cb56
GP		 718 read_lock(&l2cap_sk_list.lock);
719
1da177e4
LT		 720 sk_for_each(sk, node, &l2cap_sk_list.head) {
721 if (state && sk->sk_state != state)
722 continue;
723
724 if (l2cap_pi(sk)->psm == psm) {
725 /* Exact match. */
726 if (!bacmp(&bt_sk(sk)->src, src))
727 break;
728
729 /* Closest match */
730 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
731 sk1 = sk;
732 }
733 }
1da177e4 734
1da177e4 735 read_unlock(&l2cap_sk_list.lock);
e0f0cb56
GP		 736
737 return node ? sk : sk1;
1da177e4
LT		 738}
739
4e34c50b 740int l2cap_do_connect(struct sock *sk)
1da177e4
LT		 741{
742 bdaddr_t *src = &bt_sk(sk)->src;
743 bdaddr_t *dst = &bt_sk(sk)->dst;
744 struct l2cap_conn *conn;
745 struct hci_conn *hcon;
746 struct hci_dev *hdev;
09ab6f4c 747 __u8 auth_type;
44d0e48e 748 int err;
1da177e4 749
f29972de
MH		 750 BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
751 l2cap_pi(sk)->psm);
1da177e4 752
af05b30b
GP		 753 hdev = hci_get_route(dst, src);
754 if (!hdev)
1da177e4
LT		 755 return -EHOSTUNREACH;
756
757 hci_dev_lock_bh(hdev);
758
759 err = -ENOMEM;
760
8556edd3 761 auth_type = l2cap_get_auth_type(sk);
09ab6f4c 762
2af6b9d5
MH		 763 hcon = hci_connect(hdev, ACL_LINK, dst,
764 l2cap_pi(sk)->sec_level, auth_type);
1da177e4
LT		 765 if (!hcon)
766 goto done;
767
768 conn = l2cap_conn_add(hcon, 0);
769 if (!conn) {
770 hci_conn_put(hcon);
771 goto done;
772 }
773
774 err = 0;
775
776 /* Update source addr of the socket */
777 bacpy(src, conn->src);
778
779 l2cap_chan_add(conn, sk, NULL);
780
781 sk->sk_state = BT_CONNECT;
782 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
783
784 if (hcon->state == BT_CONNECTED) {
bd3c9e25
GP		 785 if (sk->sk_type != SOCK_SEQPACKET &&
786 sk->sk_type != SOCK_STREAM) {
1da177e4 787 l2cap_sock_clear_timer(sk);
d00ef24f
JH		 788 if (l2cap_check_security(sk))
789 sk->sk_state = BT_CONNECTED;
79d554a6
MH		 790 } else
791 l2cap_do_start(sk);
1da177e4
LT		 792 }
793
794done:
795 hci_dev_unlock_bh(hdev);
796 hci_dev_put(hdev);
797 return err;
798}
799
dcba0dba 800int __l2cap_wait_ack(struct sock *sk)
6161c038
GP		 801{
802 DECLARE_WAITQUEUE(wait, current);
803 int err = 0;
804 int timeo = HZ/5;
805
2b0b05dd 806 add_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 807 while ((l2cap_pi(sk)->unacked_frames > 0 && l2cap_pi(sk)->conn)) {
808 set_current_state(TASK_INTERRUPTIBLE);
809
810 if (!timeo)
811 timeo = HZ/5;
812
813 if (signal_pending(current)) {
814 err = sock_intr_errno(timeo);
815 break;
816 }
817
818 release_sock(sk);
819 timeo = schedule_timeout(timeo);
820 lock_sock(sk);
821
822 err = sock_error(sk);
823 if (err)
824 break;
825 }
826 set_current_state(TASK_RUNNING);
2b0b05dd 827 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 828 return err;
829}
830
e90bac06
GP		 831static void l2cap_monitor_timeout(unsigned long arg)
832{
833 struct sock *sk = (void *) arg;
e90bac06 834
0e98958d
GP		 835 BT_DBG("sk %p", sk);
836
e686219a 837 bh_lock_sock(sk);
e90bac06 838 if (l2cap_pi(sk)->retry_count >= l2cap_pi(sk)->remote_max_tx) {
9b108fc0 839 l2cap_send_disconn_req(l2cap_pi(sk)->conn, sk, ECONNABORTED);
b13f5860 840 bh_unlock_sock(sk);
e90bac06
GP		 841 return;
842 }
843
844 l2cap_pi(sk)->retry_count++;
845 __mod_monitor_timer();
846
a2e12a2a 847 l2cap_send_rr_or_rnr(l2cap_pi(sk), L2CAP_CTRL_POLL);
e686219a 848 bh_unlock_sock(sk);
e90bac06
GP		 849}
850
851static void l2cap_retrans_timeout(unsigned long arg)
852{
853 struct sock *sk = (void *) arg;
e90bac06 854
0e98958d
GP		 855 BT_DBG("sk %p", sk);
856
e686219a 857 bh_lock_sock(sk);
e90bac06
GP		 858 l2cap_pi(sk)->retry_count = 1;
859 __mod_monitor_timer();
860
861 l2cap_pi(sk)->conn_state |= L2CAP_CONN_WAIT_F;
862
a2e12a2a 863 l2cap_send_rr_or_rnr(l2cap_pi(sk), L2CAP_CTRL_POLL);
e686219a 864 bh_unlock_sock(sk);
e90bac06
GP		 865}
866
1c2acffb 867static void l2cap_drop_acked_frames(struct sock *sk)
1da177e4 868{
1c2acffb 869 struct sk_buff *skb;
1da177e4 870
812e737e
GP		 871 while ((skb = skb_peek(TX_QUEUE(sk))) &&
872 l2cap_pi(sk)->unacked_frames) {
1c2acffb
GP		 873 if (bt_cb(skb)->tx_seq == l2cap_pi(sk)->expected_ack_seq)
874 break;
1da177e4 875
1c2acffb
GP		 876 skb = skb_dequeue(TX_QUEUE(sk));
877 kfree_skb(skb);
1da177e4 878
1c2acffb
GP		 879 l2cap_pi(sk)->unacked_frames--;
880 }
1da177e4 881
e90bac06
GP		 882 if (!l2cap_pi(sk)->unacked_frames)
883 del_timer(&l2cap_pi(sk)->retrans_timer);
1c2acffb 884}
1da177e4 885
fd83ccdb 886void l2cap_do_send(struct sock *sk, struct sk_buff *skb)
1c2acffb
GP		 887{
888 struct l2cap_pinfo *pi = l2cap_pi(sk);
e702112f
AE		 889 struct hci_conn *hcon = pi->conn->hcon;
890 u16 flags;
1c2acffb
GP		 891
892 BT_DBG("sk %p, skb %p len %d", sk, skb, skb->len);
1da177e4 893
e702112f
AE		 894 if (!pi->flushable && lmp_no_flush_capable(hcon->hdev))
895 flags = ACL_START_NO_FLUSH;
896 else
897 flags = ACL_START;
898
899 hci_send_acl(hcon, skb, flags);
1c2acffb
GP		 900}
901
fd83ccdb 902void l2cap_streaming_send(struct sock *sk)
6840ed07 903{
ccbb84af 904 struct sk_buff *skb;
6840ed07 905 struct l2cap_pinfo *pi = l2cap_pi(sk);
fcc203c3 906 u16 control, fcs;
6840ed07 907
ccbb84af
GP		 908 while ((skb = skb_dequeue(TX_QUEUE(sk)))) {
909 control = get_unaligned_le16(skb->data + L2CAP_HDR_SIZE);
6840ed07 910 control |= pi->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT;
ccbb84af 911 put_unaligned_le16(control, skb->data + L2CAP_HDR_SIZE);
6840ed07 912
e8235c6b 913 if (pi->fcs == L2CAP_FCS_CRC16) {
ccbb84af
GP		 914 fcs = crc16(0, (u8 *)skb->data, skb->len - 2);
915 put_unaligned_le16(fcs, skb->data + skb->len - 2);
fcc203c3
GP		 916 }
917
ccbb84af 918 l2cap_do_send(sk, skb);
6840ed07
GP		 919
920 pi->next_tx_seq = (pi->next_tx_seq + 1) % 64;
6840ed07 921 }
6840ed07
GP		 922}
923
dfc909be 924static void l2cap_retransmit_one_frame(struct sock *sk, u8 tx_seq)
8f17154f
GP		 925{
926 struct l2cap_pinfo *pi = l2cap_pi(sk);
927 struct sk_buff *skb, *tx_skb;
928 u16 control, fcs;
8f17154f
GP		 929
930 skb = skb_peek(TX_QUEUE(sk));
f11d676d
GP		 931 if (!skb)
932 return;
8f17154f 933
f11d676d
GP		 934 do {
935 if (bt_cb(skb)->tx_seq == tx_seq)
8f17154f 936 break;
8f17154f 937
f11d676d
GP		 938 if (skb_queue_is_last(TX_QUEUE(sk), skb))
939 return;
8f17154f 940
f11d676d 941 } while ((skb = skb_queue_next(TX_QUEUE(sk), skb)));
8f17154f 942
f11d676d
GP		 943 if (pi->remote_max_tx &&
944 bt_cb(skb)->retries == pi->remote_max_tx) {
9b108fc0 945 l2cap_send_disconn_req(pi->conn, sk, ECONNABORTED);
f11d676d
GP		 946 return;
947 }
948
949 tx_skb = skb_clone(skb, GFP_ATOMIC);
950 bt_cb(skb)->retries++;
951 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
3cb123d1
GP		 952
953 if (pi->conn_state & L2CAP_CONN_SEND_FBIT) {
954 control |= L2CAP_CTRL_FINAL;
955 pi->conn_state &= ~L2CAP_CONN_SEND_FBIT;
956 }
95ffa978 957
f11d676d
GP		 958 control |= (pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
959 | (tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
3cb123d1 960
f11d676d
GP		 961 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
962
963 if (pi->fcs == L2CAP_FCS_CRC16) {
964 fcs = crc16(0, (u8 *)tx_skb->data, tx_skb->len - 2);
965 put_unaligned_le16(fcs, tx_skb->data + tx_skb->len - 2);
966 }
967
968 l2cap_do_send(sk, tx_skb);
8f17154f
GP		 969}
970
fd83ccdb 971int l2cap_ertm_send(struct sock *sk)
1c2acffb
GP		 972{
973 struct sk_buff *skb, *tx_skb;
974 struct l2cap_pinfo *pi = l2cap_pi(sk);
fcc203c3 975 u16 control, fcs;
9a9c6a34 976 int nsent = 0;
1c2acffb 977
c13ffa62
GP		 978 if (sk->sk_state != BT_CONNECTED)
979 return -ENOTCONN;
e90bac06 980
6e2b6722 981 while ((skb = sk->sk_send_head) && (!l2cap_tx_window_full(sk))) {
1c2acffb 982
e90bac06
GP		 983 if (pi->remote_max_tx &&
984 bt_cb(skb)->retries == pi->remote_max_tx) {
9b108fc0 985 l2cap_send_disconn_req(pi->conn, sk, ECONNABORTED);
e90bac06
GP		 986 break;
987 }
988
e420aba3
AE		 989 tx_skb = skb_clone(skb, GFP_ATOMIC);
990
e90bac06
GP		 991 bt_cb(skb)->retries++;
992
1c2acffb 993 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
95ffa978
GP		 994 control &= L2CAP_CTRL_SAR;
995
d5392c8f
GP		 996 if (pi->conn_state & L2CAP_CONN_SEND_FBIT) {
997 control |= L2CAP_CTRL_FINAL;
998 pi->conn_state &= ~L2CAP_CONN_SEND_FBIT;
999 }
9f121a5a 1000 control |= (pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1c2acffb
GP		 1001 | (pi->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
1002 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1003
e90bac06 1004
e8235c6b 1005 if (pi->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 1006 fcs = crc16(0, (u8 *)skb->data, tx_skb->len - 2);
1007 put_unaligned_le16(fcs, skb->data + tx_skb->len - 2);
1008 }
1009
9a9c6a34
GP		 1010 l2cap_do_send(sk, tx_skb);
1011
e90bac06 1012 __mod_retrans_timer();
1c2acffb
GP		 1013
1014 bt_cb(skb)->tx_seq = pi->next_tx_seq;
1015 pi->next_tx_seq = (pi->next_tx_seq + 1) % 64;
1016
1017 pi->unacked_frames++;
d5392c8f 1018 pi->frames_sent++;
1c2acffb
GP		 1019
1020 if (skb_queue_is_last(TX_QUEUE(sk), skb))
1021 sk->sk_send_head = NULL;
1022 else
1023 sk->sk_send_head = skb_queue_next(TX_QUEUE(sk), skb);
9e917af1
GP		 1024
1025 nsent++;
1c2acffb
GP		 1026 }
1027
9e917af1
GP		 1028 return nsent;
1029}
1030
dfc909be
GP		 1031static int l2cap_retransmit_frames(struct sock *sk)
1032{
1033 struct l2cap_pinfo *pi = l2cap_pi(sk);
1034 int ret;
1035
dfc909be
GP		 1036 if (!skb_queue_empty(TX_QUEUE(sk)))
1037 sk->sk_send_head = TX_QUEUE(sk)->next;
1038
1039 pi->next_tx_seq = pi->expected_ack_seq;
1040 ret = l2cap_ertm_send(sk);
dfc909be
GP		 1041 return ret;
1042}
1043
9a9c6a34 1044static void l2cap_send_ack(struct l2cap_pinfo *pi)
9e917af1
GP		 1045{
1046 struct sock *sk = (struct sock *)pi;
1047 u16 control = 0;
1048
1049 control |= pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1050
1051 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) {
1052 control |= L2CAP_SUPER_RCV_NOT_READY;
1890d36b 1053 pi->conn_state |= L2CAP_CONN_RNR_SENT;
9a9c6a34
GP		 1054 l2cap_send_sframe(pi, control);
1055 return;
9e917af1 1056 }
dfc909be 1057
e0f66218 1058 if (l2cap_ertm_send(sk) > 0)
dfc909be
GP		 1059 return;
1060
1061 control |= L2CAP_SUPER_RCV_READY;
1062 l2cap_send_sframe(pi, control);
1c2acffb
GP		 1063}
1064
9a9c6a34 1065static void l2cap_send_srejtail(struct sock *sk)
99b0d4b7
GP		 1066{
1067 struct srej_list *tail;
1068 u16 control;
1069
1070 control = L2CAP_SUPER_SELECT_REJECT;
1071 control |= L2CAP_CTRL_FINAL;
1072
1073 tail = list_entry(SREJ_LIST(sk)->prev, struct srej_list, list);
1074 control |= tail->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1075
1076 l2cap_send_sframe(l2cap_pi(sk), control);
99b0d4b7
GP		 1077}
1078
1c2acffb
GP		 1079static inline int l2cap_skbuff_fromiovec(struct sock *sk, struct msghdr *msg, int len, int count, struct sk_buff *skb)
1080{
1081 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1082 struct sk_buff **frag;
1083 int err, sent = 0;
1da177e4 1084
59203a21 1085 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1086 return -EFAULT;
1da177e4
LT		 1087
1088 sent += count;
1089 len -= count;
1090
1091 /* Continuation fragments (no L2CAP header) */
1092 frag = &skb_shinfo(skb)->frag_list;
1093 while (len) {
1094 count = min_t(unsigned int, conn->mtu, len);
1095
1096 *frag = bt_skb_send_alloc(sk, count, msg->msg_flags & MSG_DONTWAIT, &err);
1097 if (!*frag)
0175d629 1098 return err;
1c2acffb
GP		 1099 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1100 return -EFAULT;
1da177e4
LT		 1101
1102 sent += count;
1103 len -= count;
1104
1105 frag = &(*frag)->next;
1106 }
1da177e4
LT		 1107
1108 return sent;
1c2acffb 1109}
1da177e4 1110
fd83ccdb 1111struct sk_buff *l2cap_create_connless_pdu(struct sock *sk, struct msghdr *msg, size_t len)
1c2acffb
GP		 1112{
1113 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1114 struct sk_buff *skb;
1115 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1116 struct l2cap_hdr *lh;
1117
1118 BT_DBG("sk %p len %d", sk, (int)len);
1119
1120 count = min_t(unsigned int, (conn->mtu - hlen), len);
1121 skb = bt_skb_send_alloc(sk, count + hlen,
1122 msg->msg_flags & MSG_DONTWAIT, &err);
1123 if (!skb)
0175d629 1124 return ERR_PTR(err);
1c2acffb
GP		 1125
1126 /* Create L2CAP header */
1127 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1128 lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1129 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1130 put_unaligned_le16(l2cap_pi(sk)->psm, skb_put(skb, 2));
1131
1132 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1133 if (unlikely(err < 0)) {
1134 kfree_skb(skb);
1135 return ERR_PTR(err);
1136 }
1137 return skb;
1138}
1139
fd83ccdb 1140struct sk_buff *l2cap_create_basic_pdu(struct sock *sk, struct msghdr *msg, size_t len)
1c2acffb
GP		 1141{
1142 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1143 struct sk_buff *skb;
1144 int err, count, hlen = L2CAP_HDR_SIZE;
1145 struct l2cap_hdr *lh;
1146
1147 BT_DBG("sk %p len %d", sk, (int)len);
1148
1149 count = min_t(unsigned int, (conn->mtu - hlen), len);
1150 skb = bt_skb_send_alloc(sk, count + hlen,
1151 msg->msg_flags & MSG_DONTWAIT, &err);
1152 if (!skb)
0175d629 1153 return ERR_PTR(err);
1c2acffb
GP		 1154
1155 /* Create L2CAP header */
1156 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1157 lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1158 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1159
1160 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1161 if (unlikely(err < 0)) {
1162 kfree_skb(skb);
1163 return ERR_PTR(err);
1164 }
1165 return skb;
1166}
1167
fd83ccdb 1168struct sk_buff *l2cap_create_iframe_pdu(struct sock *sk, struct msghdr *msg, size_t len, u16 control, u16 sdulen)
1c2acffb
GP		 1169{
1170 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1171 struct sk_buff *skb;
1172 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1173 struct l2cap_hdr *lh;
1174
1175 BT_DBG("sk %p len %d", sk, (int)len);
1176
0ee0d208
GP		 1177 if (!conn)
1178 return ERR_PTR(-ENOTCONN);
1179
c74e560c
GP		 1180 if (sdulen)
1181 hlen += 2;
1182
fcc203c3
GP		 1183 if (l2cap_pi(sk)->fcs == L2CAP_FCS_CRC16)
1184 hlen += 2;
1185
1c2acffb
GP		 1186 count = min_t(unsigned int, (conn->mtu - hlen), len);
1187 skb = bt_skb_send_alloc(sk, count + hlen,
1188 msg->msg_flags & MSG_DONTWAIT, &err);
1189 if (!skb)
0175d629 1190 return ERR_PTR(err);
1c2acffb
GP		 1191
1192 /* Create L2CAP header */
1193 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1194 lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1195 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1196 put_unaligned_le16(control, skb_put(skb, 2));
c74e560c
GP		 1197 if (sdulen)
1198 put_unaligned_le16(sdulen, skb_put(skb, 2));
1c2acffb
GP		 1199
1200 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1201 if (unlikely(err < 0)) {
1202 kfree_skb(skb);
1203 return ERR_PTR(err);
1204 }
e90bac06 1205
fcc203c3
GP		 1206 if (l2cap_pi(sk)->fcs == L2CAP_FCS_CRC16)
1207 put_unaligned_le16(0, skb_put(skb, 2));
1208
e90bac06 1209 bt_cb(skb)->retries = 0;
1c2acffb 1210 return skb;
1da177e4
LT		 1211}
1212
fd83ccdb 1213int l2cap_sar_segment_sdu(struct sock *sk, struct msghdr *msg, size_t len)
c74e560c
GP		 1214{
1215 struct l2cap_pinfo *pi = l2cap_pi(sk);
1216 struct sk_buff *skb;
1217 struct sk_buff_head sar_queue;
1218 u16 control;
1219 size_t size = 0;
1220
ff12fd64 1221 skb_queue_head_init(&sar_queue);
c74e560c 1222 control = L2CAP_SDU_START;
1c762159 1223 skb = l2cap_create_iframe_pdu(sk, msg, pi->remote_mps, control, len);
c74e560c
GP		 1224 if (IS_ERR(skb))
1225 return PTR_ERR(skb);
1226
1227 __skb_queue_tail(&sar_queue, skb);
1c762159
GP		 1228 len -= pi->remote_mps;
1229 size += pi->remote_mps;
c74e560c
GP		 1230
1231 while (len > 0) {
1232 size_t buflen;
1233
1c762159 1234 if (len > pi->remote_mps) {
44651b85 1235 control = L2CAP_SDU_CONTINUE;
1c762159 1236 buflen = pi->remote_mps;
c74e560c 1237 } else {
44651b85 1238 control = L2CAP_SDU_END;
c74e560c
GP		 1239 buflen = len;
1240 }
1241
6840ed07 1242 skb = l2cap_create_iframe_pdu(sk, msg, buflen, control, 0);
c74e560c
GP		 1243 if (IS_ERR(skb)) {
1244 skb_queue_purge(&sar_queue);
1245 return PTR_ERR(skb);
1246 }
1247
1248 __skb_queue_tail(&sar_queue, skb);
1249 len -= buflen;
1250 size += buflen;
c74e560c
GP		 1251 }
1252 skb_queue_splice_tail(&sar_queue, TX_QUEUE(sk));
1253 if (sk->sk_send_head == NULL)
1254 sk->sk_send_head = sar_queue.next;
1255
1256 return size;
1257}
1258
1da177e4
LT		 1259static void l2cap_chan_ready(struct sock *sk)
1260{
1261 struct sock *parent = bt_sk(sk)->parent;
1262
1263 BT_DBG("sk %p, parent %p", sk, parent);
1264
1265 l2cap_pi(sk)->conf_state = 0;
1266 l2cap_sock_clear_timer(sk);
1267
1268 if (!parent) {
1269 /* Outgoing channel.
1270 * Wake up socket sleeping on connect.
1271 */
1272 sk->sk_state = BT_CONNECTED;
1273 sk->sk_state_change(sk);
1274 } else {
1275 /* Incoming channel.
1276 * Wake up socket sleeping on accept.
1277 */
1278 parent->sk_data_ready(parent, 0);
1279 }
1280}
1281
1282/* Copy frame to all raw sockets on that connection */
1283static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
1284{
1285 struct l2cap_chan_list *l = &conn->chan_list;
1286 struct sk_buff *nskb;
af05b30b 1287 struct sock *sk;
1da177e4
LT		 1288
1289 BT_DBG("conn %p", conn);
1290
1291 read_lock(&l->lock);
1292 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
1293 if (sk->sk_type != SOCK_RAW)
1294 continue;
1295
1296 /* Don't send frame to the socket it came from */
1297 if (skb->sk == sk)
1298 continue;
af05b30b
GP		 1299 nskb = skb_clone(skb, GFP_ATOMIC);
1300 if (!nskb)
1da177e4
LT		 1301 continue;
1302
1303 if (sock_queue_rcv_skb(sk, nskb))
1304 kfree_skb(nskb);
1305 }
1306 read_unlock(&l->lock);
1307}
1308
1309/* ---- L2CAP signalling commands ---- */
1310static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
1311 u8 code, u8 ident, u16 dlen, void *data)
1312{
1313 struct sk_buff *skb, **frag;
1314 struct l2cap_cmd_hdr *cmd;
1315 struct l2cap_hdr *lh;
1316 int len, count;
1317
af05b30b
GP		 1318 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
1319 conn, code, ident, dlen);
1da177e4
LT		 1320
1321 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
1322 count = min_t(unsigned int, conn->mtu, len);
1323
1324 skb = bt_skb_alloc(count, GFP_ATOMIC);
1325 if (!skb)
1326 return NULL;
1327
1328 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 1329 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
8db4dc46 1330 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 1331
1332 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
1333 cmd->code = code;
1334 cmd->ident = ident;
aca3192c 1335 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 1336
1337 if (dlen) {
1338 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
1339 memcpy(skb_put(skb, count), data, count);
1340 data += count;
1341 }
1342
1343 len -= skb->len;
1344
1345 /* Continuation fragments (no L2CAP header) */
1346 frag = &skb_shinfo(skb)->frag_list;
1347 while (len) {
1348 count = min_t(unsigned int, conn->mtu, len);
1349
1350 *frag = bt_skb_alloc(count, GFP_ATOMIC);
1351 if (!*frag)
1352 goto fail;
1353
1354 memcpy(skb_put(*frag, count), data, count);
1355
1356 len -= count;
1357 data += count;
1358
1359 frag = &(*frag)->next;
1360 }
1361
1362 return skb;
1363
1364fail:
1365 kfree_skb(skb);
1366 return NULL;
1367}
1368
1369static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
1370{
1371 struct l2cap_conf_opt *opt = *ptr;
1372 int len;
1373
1374 len = L2CAP_CONF_OPT_SIZE + opt->len;
1375 *ptr += len;
1376
1377 *type = opt->type;
1378 *olen = opt->len;
1379
1380 switch (opt->len) {
1381 case 1:
1382 *val = *((u8 *) opt->val);
1383 break;
1384
1385 case 2:
bfaaeb3e 1386 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 1387 break;
1388
1389 case 4:
bfaaeb3e 1390 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 1391 break;
1392
1393 default:
1394 *val = (unsigned long) opt->val;
1395 break;
1396 }
1397
1398 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
1399 return len;
1400}
1401
1da177e4
LT		 1402static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
1403{
1404 struct l2cap_conf_opt *opt = *ptr;
1405
1406 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
1407
1408 opt->type = type;
1409 opt->len = len;
1410
1411 switch (len) {
1412 case 1:
1413 *((u8 *) opt->val) = val;
1414 break;
1415
1416 case 2:
4f8b691c 1417 put_unaligned_le16(val, opt->val);
1da177e4
LT		 1418 break;
1419
1420 case 4:
4f8b691c 1421 put_unaligned_le32(val, opt->val);
1da177e4
LT		 1422 break;
1423
1424 default:
1425 memcpy(opt->val, (void *) val, len);
1426 break;
1427 }
1428
1429 *ptr += L2CAP_CONF_OPT_SIZE + len;
1430}
1431
c1b4f43b
GP		 1432static void l2cap_ack_timeout(unsigned long arg)
1433{
1434 struct sock *sk = (void *) arg;
1435
1436 bh_lock_sock(sk);
1437 l2cap_send_ack(l2cap_pi(sk));
1438 bh_unlock_sock(sk);
1439}
1440
0565c1c2
GP		 1441static inline void l2cap_ertm_init(struct sock *sk)
1442{
1443 l2cap_pi(sk)->expected_ack_seq = 0;
1444 l2cap_pi(sk)->unacked_frames = 0;
1445 l2cap_pi(sk)->buffer_seq = 0;
803020c6 1446 l2cap_pi(sk)->num_acked = 0;
d5392c8f 1447 l2cap_pi(sk)->frames_sent = 0;
0565c1c2
GP		 1448
1449 setup_timer(&l2cap_pi(sk)->retrans_timer,
1450 l2cap_retrans_timeout, (unsigned long) sk);
1451 setup_timer(&l2cap_pi(sk)->monitor_timer,
1452 l2cap_monitor_timeout, (unsigned long) sk);
c1b4f43b
GP		 1453 setup_timer(&l2cap_pi(sk)->ack_timer,
1454 l2cap_ack_timeout, (unsigned long) sk);
0565c1c2
GP		 1455
1456 __skb_queue_head_init(SREJ_QUEUE(sk));
1890d36b
GP		 1457 __skb_queue_head_init(BUSY_QUEUE(sk));
1458
1459 INIT_WORK(&l2cap_pi(sk)->busy_work, l2cap_busy_work);
218bb9df
GP		 1460
1461 sk->sk_backlog_rcv = l2cap_ertm_data_rcv;
0565c1c2
GP		 1462}
1463
f2fcfcd6
GP		 1464static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
1465{
1466 switch (mode) {
1467 case L2CAP_MODE_STREAMING:
1468 case L2CAP_MODE_ERTM:
1469 if (l2cap_mode_supported(mode, remote_feat_mask))
1470 return mode;
1471 /* fall through */
1472 default:
1473 return L2CAP_MODE_BASIC;
1474 }
1475}
1476
68983259 1477int l2cap_build_conf_req(struct sock *sk, void *data)
1da177e4
LT		 1478{
1479 struct l2cap_pinfo *pi = l2cap_pi(sk);
1480 struct l2cap_conf_req *req = data;
bd3c9e25 1481 struct l2cap_conf_rfc rfc = { .mode = pi->mode };
1da177e4
LT		 1482 void *ptr = req->data;
1483
1484 BT_DBG("sk %p", sk);
1485
f2fcfcd6
GP		 1486 if (pi->num_conf_req || pi->num_conf_rsp)
1487 goto done;
1488
1489 switch (pi->mode) {
1490 case L2CAP_MODE_STREAMING:
1491 case L2CAP_MODE_ERTM:
2ba13ed6 1492 if (pi->conf_state & L2CAP_CONF_STATE2_DEVICE)
85eb53c6 1493 break;
85eb53c6 1494
2ba13ed6 1495 /* fall through */
f2fcfcd6
GP		 1496 default:
1497 pi->mode = l2cap_select_mode(rfc.mode, pi->conn->feat_mask);
1498 break;
1499 }
1500
1501done:
7990681c
GP		 1502 if (pi->imtu != L2CAP_DEFAULT_MTU)
1503 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->imtu);
1504
65c7c491
MH		 1505 switch (pi->mode) {
1506 case L2CAP_MODE_BASIC:
63406504
GP		 1507 if (!(pi->conn->feat_mask & L2CAP_FEAT_ERTM) &&
1508 !(pi->conn->feat_mask & L2CAP_FEAT_STREAMING))
1509 break;
1510
62547752
GP		 1511 rfc.mode = L2CAP_MODE_BASIC;
1512 rfc.txwin_size = 0;
1513 rfc.max_transmit = 0;
1514 rfc.retrans_timeout = 0;
1515 rfc.monitor_timeout = 0;
1516 rfc.max_pdu_size = 0;
1517
63406504
GP		 1518 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
1519 (unsigned long) &rfc);
65c7c491
MH		 1520 break;
1521
1522 case L2CAP_MODE_ERTM:
1523 rfc.mode = L2CAP_MODE_ERTM;
14b5aa71 1524 rfc.txwin_size = pi->tx_win;
68d7f0ce 1525 rfc.max_transmit = pi->max_tx;
f2fcfcd6
GP		 1526 rfc.retrans_timeout = 0;
1527 rfc.monitor_timeout = 0;
c74e560c 1528 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
d1daa091 1529 if (L2CAP_DEFAULT_MAX_PDU_SIZE > pi->conn->mtu - 10)
1c762159 1530 rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10);
f2fcfcd6 1531
63406504
GP		 1532 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
1533 (unsigned long) &rfc);
1534
fcc203c3
GP		 1535 if (!(pi->conn->feat_mask & L2CAP_FEAT_FCS))
1536 break;
1537
1538 if (pi->fcs == L2CAP_FCS_NONE ||
1539 pi->conf_state & L2CAP_CONF_NO_FCS_RECV) {
1540 pi->fcs = L2CAP_FCS_NONE;
1541 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, pi->fcs);
1542 }
f2fcfcd6
GP		 1543 break;
1544
1545 case L2CAP_MODE_STREAMING:
1546 rfc.mode = L2CAP_MODE_STREAMING;
1547 rfc.txwin_size = 0;
1548 rfc.max_transmit = 0;
1549 rfc.retrans_timeout = 0;
1550 rfc.monitor_timeout = 0;
c74e560c 1551 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
d1daa091 1552 if (L2CAP_DEFAULT_MAX_PDU_SIZE > pi->conn->mtu - 10)
1c762159 1553 rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10);
65c7c491 1554
63406504
GP		 1555 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
1556 (unsigned long) &rfc);
1557
fcc203c3
GP		 1558 if (!(pi->conn->feat_mask & L2CAP_FEAT_FCS))
1559 break;
1560
1561 if (pi->fcs == L2CAP_FCS_NONE ||
1562 pi->conf_state & L2CAP_CONF_NO_FCS_RECV) {
1563 pi->fcs = L2CAP_FCS_NONE;
1564 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, pi->fcs);
1565 }
65c7c491
MH		 1566 break;
1567 }
1da177e4
LT		 1568
1569 /* FIXME: Need actual value of the flush timeout */
1570 //if (flush_to != L2CAP_DEFAULT_FLUSH_TO)
1571 // l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, 2, pi->flush_to);
1572
aca3192c
YH		 1573 req->dcid = cpu_to_le16(pi->dcid);
1574 req->flags = cpu_to_le16(0);
1da177e4
LT		 1575
1576 return ptr - data;
1577}
1578
5dee9e7c 1579static int l2cap_parse_conf_req(struct sock *sk, void *data)
1da177e4
LT		 1580{
1581 struct l2cap_pinfo *pi = l2cap_pi(sk);
5dee9e7c
MH		 1582 struct l2cap_conf_rsp *rsp = data;
1583 void *ptr = rsp->data;
1584 void *req = pi->conf_req;
1585 int len = pi->conf_len;
1586 int type, hint, olen;
1587 unsigned long val;
6464f35f 1588 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
861d6882 1589 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 1590 u16 result = L2CAP_CONF_SUCCESS;
1da177e4 1591
5dee9e7c 1592 BT_DBG("sk %p", sk);
820ae1b8 1593
5dee9e7c
MH		 1594 while (len >= L2CAP_CONF_OPT_SIZE) {
1595 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 1596
589d2746 1597 hint = type & L2CAP_CONF_HINT;
47ec1dcd 1598 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 1599
1600 switch (type) {
1601 case L2CAP_CONF_MTU:
861d6882 1602 mtu = val;
5dee9e7c
MH		 1603 break;
1604
1605 case L2CAP_CONF_FLUSH_TO:
1606 pi->flush_to = val;
1607 break;
1608
1609 case L2CAP_CONF_QOS:
1610 break;
1611
6464f35f
MH		 1612 case L2CAP_CONF_RFC:
1613 if (olen == sizeof(rfc))
1614 memcpy(&rfc, (void *) val, olen);
1615 break;
1616
fcc203c3
GP		 1617 case L2CAP_CONF_FCS:
1618 if (val == L2CAP_FCS_NONE)
1619 pi->conf_state |= L2CAP_CONF_NO_FCS_RECV;
1620
1621 break;
1622
5dee9e7c
MH		 1623 default:
1624 if (hint)
1625 break;
1626
1627 result = L2CAP_CONF_UNKNOWN;
1628 *((u8 *) ptr++) = type;
1629 break;
1630 }
1631 }
1632
e9aeb2dd 1633 if (pi->num_conf_rsp || pi->num_conf_req > 1)
f2fcfcd6
GP		 1634 goto done;
1635
1636 switch (pi->mode) {
1637 case L2CAP_MODE_STREAMING:
1638 case L2CAP_MODE_ERTM:
85eb53c6
GP		 1639 if (!(pi->conf_state & L2CAP_CONF_STATE2_DEVICE)) {
1640 pi->mode = l2cap_select_mode(rfc.mode,
1641 pi->conn->feat_mask);
1642 break;
1643 }
1644
742e519b 1645 if (pi->mode != rfc.mode)
f2fcfcd6 1646 return -ECONNREFUSED;
742e519b 1647
f2fcfcd6 1648 break;
f2fcfcd6
GP		 1649 }
1650
1651done:
1652 if (pi->mode != rfc.mode) {
1653 result = L2CAP_CONF_UNACCEPT;
1654 rfc.mode = pi->mode;
1655
1656 if (pi->num_conf_rsp == 1)
1657 return -ECONNREFUSED;
1658
1659 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
1660 sizeof(rfc), (unsigned long) &rfc);
1661 }
1662
1663
5dee9e7c
MH		 1664 if (result == L2CAP_CONF_SUCCESS) {
1665 /* Configure output options and let the other side know
1666 * which ones we don't like. */
1667
f2fcfcd6
GP		 1668 if (mtu < L2CAP_DEFAULT_MIN_MTU)
1669 result = L2CAP_CONF_UNACCEPT;
1670 else {
1671 pi->omtu = mtu;
1672 pi->conf_state |= L2CAP_CONF_MTU_DONE;
1673 }
1674 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->omtu);
6464f35f 1675
f2fcfcd6
GP		 1676 switch (rfc.mode) {
1677 case L2CAP_MODE_BASIC:
1678 pi->fcs = L2CAP_FCS_NONE;
1679 pi->conf_state |= L2CAP_CONF_MODE_DONE;
1680 break;
1681
1682 case L2CAP_MODE_ERTM:
1683 pi->remote_tx_win = rfc.txwin_size;
1684 pi->remote_max_tx = rfc.max_transmit;
86b1b263
MM		 1685
1686 if (le16_to_cpu(rfc.max_pdu_size) > pi->conn->mtu - 10)
1687 rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10);
1c762159
GP		 1688
1689 pi->remote_mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6 1690
10467e9e
GP		 1691 rfc.retrans_timeout =
1692 le16_to_cpu(L2CAP_DEFAULT_RETRANS_TO);
1693 rfc.monitor_timeout =
1694 le16_to_cpu(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6
GP		 1695
1696 pi->conf_state |= L2CAP_CONF_MODE_DONE;
68ae6639
GP		 1697
1698 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
1699 sizeof(rfc), (unsigned long) &rfc);
1700
f2fcfcd6
GP		 1701 break;
1702
1703 case L2CAP_MODE_STREAMING:
86b1b263
MM		 1704 if (le16_to_cpu(rfc.max_pdu_size) > pi->conn->mtu - 10)
1705 rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10);
1c762159
GP		 1706
1707 pi->remote_mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 1708
1709 pi->conf_state |= L2CAP_CONF_MODE_DONE;
68ae6639
GP		 1710
1711 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
1712 sizeof(rfc), (unsigned long) &rfc);
1713
f2fcfcd6
GP		 1714 break;
1715
1716 default:
5dee9e7c 1717 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 1718
6464f35f 1719 memset(&rfc, 0, sizeof(rfc));
f2fcfcd6
GP		 1720 rfc.mode = pi->mode;
1721 }
6464f35f 1722
f2fcfcd6
GP		 1723 if (result == L2CAP_CONF_SUCCESS)
1724 pi->conf_state |= L2CAP_CONF_OUTPUT_DONE;
1725 }
5dee9e7c
MH		 1726 rsp->scid = cpu_to_le16(pi->dcid);
1727 rsp->result = cpu_to_le16(result);
1728 rsp->flags = cpu_to_le16(0x0000);
1729
1730 return ptr - data;
1da177e4
LT		 1731}
1732
f2fcfcd6
GP		 1733static int l2cap_parse_conf_rsp(struct sock *sk, void *rsp, int len, void *data, u16 *result)
1734{
1735 struct l2cap_pinfo *pi = l2cap_pi(sk);
1736 struct l2cap_conf_req *req = data;
1737 void *ptr = req->data;
1738 int type, olen;
1739 unsigned long val;
1740 struct l2cap_conf_rfc rfc;
1741
1742 BT_DBG("sk %p, rsp %p, len %d, req %p", sk, rsp, len, data);
1743
1744 while (len >= L2CAP_CONF_OPT_SIZE) {
1745 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
1746
1747 switch (type) {
1748 case L2CAP_CONF_MTU:
1749 if (val < L2CAP_DEFAULT_MIN_MTU) {
1750 *result = L2CAP_CONF_UNACCEPT;
8183b775 1751 pi->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 1752 } else
8183b775
AE		 1753 pi->imtu = val;
1754 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->imtu);
f2fcfcd6
GP		 1755 break;
1756
1757 case L2CAP_CONF_FLUSH_TO:
1758 pi->flush_to = val;
1759 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
1760 2, pi->flush_to);
1761 break;
1762
1763 case L2CAP_CONF_RFC:
1764 if (olen == sizeof(rfc))
1765 memcpy(&rfc, (void *)val, olen);
1766
1767 if ((pi->conf_state & L2CAP_CONF_STATE2_DEVICE) &&
1768 rfc.mode != pi->mode)
1769 return -ECONNREFUSED;
1770
f2fcfcd6
GP		 1771 pi->fcs = 0;
1772
1773 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
1774 sizeof(rfc), (unsigned long) &rfc);
1775 break;
1776 }
1777 }
1778
6c2ea7a8
GP		 1779 if (pi->mode == L2CAP_MODE_BASIC && pi->mode != rfc.mode)
1780 return -ECONNREFUSED;
1781
1782 pi->mode = rfc.mode;
1783
f2fcfcd6
GP		 1784 if (*result == L2CAP_CONF_SUCCESS) {
1785 switch (rfc.mode) {
1786 case L2CAP_MODE_ERTM:
10467e9e
GP		 1787 pi->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
1788 pi->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
1c762159 1789 pi->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 1790 break;
1791 case L2CAP_MODE_STREAMING:
1c762159 1792 pi->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 1793 }
1794 }
1795
1796 req->dcid = cpu_to_le16(pi->dcid);
1797 req->flags = cpu_to_le16(0x0000);
1798
1799 return ptr - data;
1800}
1801
5dee9e7c 1802static int l2cap_build_conf_rsp(struct sock *sk, void *data, u16 result, u16 flags)
1da177e4
LT		 1803{
1804 struct l2cap_conf_rsp *rsp = data;
1805 void *ptr = rsp->data;
1da177e4 1806
5dee9e7c 1807 BT_DBG("sk %p", sk);
1da177e4 1808
aca3192c 1809 rsp->scid = cpu_to_le16(l2cap_pi(sk)->dcid);
5dee9e7c 1810 rsp->result = cpu_to_le16(result);
aca3192c 1811 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 1812
1813 return ptr - data;
1814}
1815
7b1c0049
GP		 1816static void l2cap_conf_rfc_get(struct sock *sk, void *rsp, int len)
1817{
1818 struct l2cap_pinfo *pi = l2cap_pi(sk);
1819 int type, olen;
1820 unsigned long val;
1821 struct l2cap_conf_rfc rfc;
1822
1823 BT_DBG("sk %p, rsp %p, len %d", sk, rsp, len);
1824
1825 if ((pi->mode != L2CAP_MODE_ERTM) && (pi->mode != L2CAP_MODE_STREAMING))
1826 return;
1827
1828 while (len >= L2CAP_CONF_OPT_SIZE) {
1829 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
1830
1831 switch (type) {
1832 case L2CAP_CONF_RFC:
1833 if (olen == sizeof(rfc))
1834 memcpy(&rfc, (void *)val, olen);
1835 goto done;
1836 }
1837 }
1838
1839done:
1840 switch (rfc.mode) {
1841 case L2CAP_MODE_ERTM:
10467e9e
GP		 1842 pi->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
1843 pi->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
7b1c0049
GP		 1844 pi->mps = le16_to_cpu(rfc.max_pdu_size);
1845 break;
1846 case L2CAP_MODE_STREAMING:
1847 pi->mps = le16_to_cpu(rfc.max_pdu_size);
1848 }
1849}
1850
4e8402a3
MH		 1851static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
1852{
1853 struct l2cap_cmd_rej *rej = (struct l2cap_cmd_rej *) data;
1854
1855 if (rej->reason != 0x0000)
1856 return 0;
1857
1858 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
1859 cmd->ident == conn->info_ident) {
4e8402a3 1860 del_timer(&conn->info_timer);
984947dc
MH		 1861
1862 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1863 conn->info_ident = 0;
984947dc 1864
4e8402a3
MH		 1865 l2cap_conn_start(conn);
1866 }
1867
1868 return 0;
1869}
1870
1da177e4
LT		 1871static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
1872{
1873 struct l2cap_chan_list *list = &conn->chan_list;
1874 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
1875 struct l2cap_conn_rsp rsp;
d793fe8c 1876 struct sock *parent, *sk = NULL;
e7c29cb1 1877 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 1878
1879 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 1880 __le16 psm = req->psm;
1da177e4
LT		 1881
1882 BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
1883
1884 /* Check if we have socket listening on psm */
1885 parent = l2cap_get_sock_by_psm(BT_LISTEN, psm, conn->src);
1886 if (!parent) {
1887 result = L2CAP_CR_BAD_PSM;
1888 goto sendresp;
1889 }
1890
e0f0cb56
GP		 1891 bh_lock_sock(parent);
1892
e7c29cb1
MH		 1893 /* Check if the ACL is secure enough (if not SDP) */
1894 if (psm != cpu_to_le16(0x0001) &&
1895 !hci_conn_check_link_mode(conn->hcon)) {
2950f21a 1896 conn->disc_reason = 0x05;
e7c29cb1
MH		 1897 result = L2CAP_CR_SEC_BLOCK;
1898 goto response;
1899 }
1900
1da177e4
LT		 1901 result = L2CAP_CR_NO_MEM;
1902
1903 /* Check for backlog size */
1904 if (sk_acceptq_is_full(parent)) {
8e87d142 1905 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1da177e4
LT		 1906 goto response;
1907 }
1908
3b1e0a65 1909 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP, GFP_ATOMIC);
1da177e4
LT		 1910 if (!sk)
1911 goto response;
1912
fd1278d7 1913 write_lock_bh(&list->lock);
1da177e4
LT		 1914
1915 /* Check if we already have channel with that dcid */
1916 if (__l2cap_get_chan_by_dcid(list, scid)) {
fd1278d7 1917 write_unlock_bh(&list->lock);
1da177e4
LT		 1918 sock_set_flag(sk, SOCK_ZAPPED);
1919 l2cap_sock_kill(sk);
1920 goto response;
1921 }
1922
1923 hci_conn_hold(conn->hcon);
1924
1925 l2cap_sock_init(sk, parent);
1926 bacpy(&bt_sk(sk)->src, conn->src);
1927 bacpy(&bt_sk(sk)->dst, conn->dst);
1928 l2cap_pi(sk)->psm = psm;
1929 l2cap_pi(sk)->dcid = scid;
1930
1931 __l2cap_chan_add(conn, sk, parent);
1932 dcid = l2cap_pi(sk)->scid;
1933
1934 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
1935
1da177e4
LT		 1936 l2cap_pi(sk)->ident = cmd->ident;
1937
984947dc 1938 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
2af6b9d5 1939 if (l2cap_check_security(sk)) {
f66dc81f
MH		 1940 if (bt_sk(sk)->defer_setup) {
1941 sk->sk_state = BT_CONNECT2;
1942 result = L2CAP_CR_PEND;
1943 status = L2CAP_CS_AUTHOR_PEND;
1944 parent->sk_data_ready(parent, 0);
1945 } else {
1946 sk->sk_state = BT_CONFIG;
1947 result = L2CAP_CR_SUCCESS;
1948 status = L2CAP_CS_NO_INFO;
1949 }
79d554a6
MH		 1950 } else {
1951 sk->sk_state = BT_CONNECT2;
1952 result = L2CAP_CR_PEND;
1953 status = L2CAP_CS_AUTHEN_PEND;
1954 }
1955 } else {
1956 sk->sk_state = BT_CONNECT2;
1957 result = L2CAP_CR_PEND;
1958 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 1959 }
1960
fd1278d7 1961 write_unlock_bh(&list->lock);
1da177e4
LT		 1962
1963response:
1964 bh_unlock_sock(parent);
1965
1966sendresp:
aca3192c
YH		 1967 rsp.scid = cpu_to_le16(scid);
1968 rsp.dcid = cpu_to_le16(dcid);
1969 rsp.result = cpu_to_le16(result);
1970 rsp.status = cpu_to_le16(status);
1da177e4 1971 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 1972
1973 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
1974 struct l2cap_info_req info;
1975 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
1976
1977 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1978 conn->info_ident = l2cap_get_ident(conn);
1979
1980 mod_timer(&conn->info_timer, jiffies +
1981 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
1982
1983 l2cap_send_cmd(conn, conn->info_ident,
1984 L2CAP_INFO_REQ, sizeof(info), &info);
1985 }
1986
d793fe8c 1987 if (sk && !(l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT) &&
e9aeb2dd
GP		 1988 result == L2CAP_CR_SUCCESS) {
1989 u8 buf[128];
1990 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
1991 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
1992 l2cap_build_conf_req(sk, buf), buf);
1993 l2cap_pi(sk)->num_conf_req++;
1994 }
1995
1da177e4
LT		 1996 return 0;
1997}
1998
1999static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2000{
2001 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
2002 u16 scid, dcid, result, status;
2003 struct sock *sk;
2004 u8 req[128];
2005
2006 scid = __le16_to_cpu(rsp->scid);
2007 dcid = __le16_to_cpu(rsp->dcid);
2008 result = __le16_to_cpu(rsp->result);
2009 status = __le16_to_cpu(rsp->status);
2010
2011 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status);
2012
2013 if (scid) {
af05b30b
GP		 2014 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
2015 if (!sk)
57d3b22b 2016 return -EFAULT;
1da177e4 2017 } else {
af05b30b
GP		 2018 sk = l2cap_get_chan_by_ident(&conn->chan_list, cmd->ident);
2019 if (!sk)
57d3b22b 2020 return -EFAULT;
1da177e4
LT		 2021 }
2022
2023 switch (result) {
2024 case L2CAP_CR_SUCCESS:
2025 sk->sk_state = BT_CONFIG;
2026 l2cap_pi(sk)->ident = 0;
2027 l2cap_pi(sk)->dcid = dcid;
6a8d3010
MH		 2028 l2cap_pi(sk)->conf_state &= ~L2CAP_CONF_CONNECT_PEND;
2029
e9aeb2dd
GP		 2030 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT)
2031 break;
2032
2033 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
2034
1da177e4
LT		 2035 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2036 l2cap_build_conf_req(sk, req), req);
f2fcfcd6 2037 l2cap_pi(sk)->num_conf_req++;
1da177e4
LT		 2038 break;
2039
2040 case L2CAP_CR_PEND:
6a8d3010 2041 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
1da177e4
LT		 2042 break;
2043
2044 default:
a49184c2
AE		 2045 /* don't delete l2cap channel if sk is owned by user */
2046 if (sock_owned_by_user(sk)) {
2047 sk->sk_state = BT_DISCONN;
2048 l2cap_sock_clear_timer(sk);
2049 l2cap_sock_set_timer(sk, HZ / 5);
2050 break;
2051 }
2052
1da177e4
LT		 2053 l2cap_chan_del(sk, ECONNREFUSED);
2054 break;
2055 }
2056
2057 bh_unlock_sock(sk);
2058 return 0;
2059}
2060
8c462b60
MM		 2061static inline void set_default_fcs(struct l2cap_pinfo *pi)
2062{
2063 /* FCS is enabled only in ERTM or streaming mode, if one or both
2064 * sides request it.
2065 */
2066 if (pi->mode != L2CAP_MODE_ERTM && pi->mode != L2CAP_MODE_STREAMING)
2067 pi->fcs = L2CAP_FCS_NONE;
2068 else if (!(pi->conf_state & L2CAP_CONF_NO_FCS_RECV))
2069 pi->fcs = L2CAP_FCS_CRC16;
2070}
2071
88219a0f 2072static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 2073{
2074 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
2075 u16 dcid, flags;
2076 u8 rsp[64];
2077 struct sock *sk;
5dee9e7c 2078 int len;
1da177e4
LT		 2079
2080 dcid = __le16_to_cpu(req->dcid);
2081 flags = __le16_to_cpu(req->flags);
2082
2083 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
2084
af05b30b
GP		 2085 sk = l2cap_get_chan_by_scid(&conn->chan_list, dcid);
2086 if (!sk)
1da177e4
LT		 2087 return -ENOENT;
2088
df6bd743
GP		 2089 if (sk->sk_state != BT_CONFIG) {
2090 struct l2cap_cmd_rej rej;
2091
2092 rej.reason = cpu_to_le16(0x0002);
2093 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
2094 sizeof(rej), &rej);
354f60a9 2095 goto unlock;
df6bd743 2096 }
354f60a9 2097
5dee9e7c 2098 /* Reject if config buffer is too small. */
88219a0f 2099 len = cmd_len - sizeof(*req);
5dee9e7c
MH		 2100 if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
2101 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2102 l2cap_build_conf_rsp(sk, rsp,
2103 L2CAP_CONF_REJECT, flags), rsp);
2104 goto unlock;
2105 }
2106
2107 /* Store config. */
2108 memcpy(l2cap_pi(sk)->conf_req + l2cap_pi(sk)->conf_len, req->data, len);
2109 l2cap_pi(sk)->conf_len += len;
1da177e4
LT		 2110
2111 if (flags & 0x0001) {
2112 /* Incomplete config. Send empty response. */
2113 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
5dee9e7c
MH		 2114 l2cap_build_conf_rsp(sk, rsp,
2115 L2CAP_CONF_SUCCESS, 0x0001), rsp);
1da177e4
LT		 2116 goto unlock;
2117 }
2118
2119 /* Complete config. */
5dee9e7c 2120 len = l2cap_parse_conf_req(sk, rsp);
f2fcfcd6 2121 if (len < 0) {
9b108fc0 2122 l2cap_send_disconn_req(conn, sk, ECONNRESET);
1da177e4 2123 goto unlock;
f2fcfcd6 2124 }
1da177e4 2125
5dee9e7c 2126 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
f2fcfcd6 2127 l2cap_pi(sk)->num_conf_rsp++;
5dee9e7c 2128
5dee9e7c
MH		 2129 /* Reset config buffer. */
2130 l2cap_pi(sk)->conf_len = 0;
2131
876d9484
MH		 2132 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE))
2133 goto unlock;
2134
1da177e4 2135 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_INPUT_DONE) {
8c462b60 2136 set_default_fcs(l2cap_pi(sk));
fcc203c3 2137
1da177e4 2138 sk->sk_state = BT_CONNECTED;
e90bac06 2139
0565c1c2
GP		 2140 l2cap_pi(sk)->next_tx_seq = 0;
2141 l2cap_pi(sk)->expected_tx_seq = 0;
1c2acffb 2142 __skb_queue_head_init(TX_QUEUE(sk));
0565c1c2
GP		 2143 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM)
2144 l2cap_ertm_init(sk);
2145
1da177e4 2146 l2cap_chan_ready(sk);
876d9484
MH		 2147 goto unlock;
2148 }
2149
2150 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT)) {
79d554a6 2151 u8 buf[64];
ab3e5715 2152 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
1da177e4 2153 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
79d554a6 2154 l2cap_build_conf_req(sk, buf), buf);
f2fcfcd6 2155 l2cap_pi(sk)->num_conf_req++;
1da177e4
LT		 2156 }
2157
2158unlock:
2159 bh_unlock_sock(sk);
2160 return 0;
2161}
2162
2163static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2164{
2165 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
2166 u16 scid, flags, result;
2167 struct sock *sk;
7b1c0049 2168 int len = cmd->len - sizeof(*rsp);
1da177e4
LT		 2169
2170 scid = __le16_to_cpu(rsp->scid);
2171 flags = __le16_to_cpu(rsp->flags);
2172 result = __le16_to_cpu(rsp->result);
2173
af05b30b
GP		 2174 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x",
2175 scid, flags, result);
1da177e4 2176
af05b30b
GP		 2177 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
2178 if (!sk)
1da177e4
LT		 2179 return 0;
2180
2181 switch (result) {
2182 case L2CAP_CONF_SUCCESS:
7b1c0049 2183 l2cap_conf_rfc_get(sk, rsp->data, len);
1da177e4
LT		 2184 break;
2185
2186 case L2CAP_CONF_UNACCEPT:
f2fcfcd6 2187 if (l2cap_pi(sk)->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 2188 char req[64];
2189
c2c77ec8 2190 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
9b108fc0 2191 l2cap_send_disconn_req(conn, sk, ECONNRESET);
c2c77ec8
AE		 2192 goto done;
2193 }
2194
f2fcfcd6
GP		 2195 /* throw out any old stored conf requests */
2196 result = L2CAP_CONF_SUCCESS;
2197 len = l2cap_parse_conf_rsp(sk, rsp->data,
2198 len, req, &result);
2199 if (len < 0) {
9b108fc0 2200 l2cap_send_disconn_req(conn, sk, ECONNRESET);
f2fcfcd6
GP		 2201 goto done;
2202 }
2203
2204 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2205 L2CAP_CONF_REQ, len, req);
2206 l2cap_pi(sk)->num_conf_req++;
2207 if (result != L2CAP_CONF_SUCCESS)
2208 goto done;
2209 break;
1da177e4
LT		 2210 }
2211
8e87d142 2212 default:
b1235d79 2213 sk->sk_err = ECONNRESET;
1da177e4 2214 l2cap_sock_set_timer(sk, HZ * 5);
9b108fc0 2215 l2cap_send_disconn_req(conn, sk, ECONNRESET);
1da177e4
LT		 2216 goto done;
2217 }
2218
2219 if (flags & 0x01)
2220 goto done;
2221
1da177e4
LT		 2222 l2cap_pi(sk)->conf_state |= L2CAP_CONF_INPUT_DONE;
2223
2224 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE) {
8c462b60 2225 set_default_fcs(l2cap_pi(sk));
fcc203c3 2226
1da177e4 2227 sk->sk_state = BT_CONNECTED;
0565c1c2 2228 l2cap_pi(sk)->next_tx_seq = 0;
1c2acffb 2229 l2cap_pi(sk)->expected_tx_seq = 0;
1c2acffb 2230 __skb_queue_head_init(TX_QUEUE(sk));
0565c1c2
GP		 2231 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM)
2232 l2cap_ertm_init(sk);
2233
1da177e4
LT		 2234 l2cap_chan_ready(sk);
2235 }
2236
2237done:
2238 bh_unlock_sock(sk);
2239 return 0;
2240}
2241
2242static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2243{
2244 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
2245 struct l2cap_disconn_rsp rsp;
2246 u16 dcid, scid;
2247 struct sock *sk;
2248
2249 scid = __le16_to_cpu(req->scid);
2250 dcid = __le16_to_cpu(req->dcid);
2251
2252 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
2253
af05b30b
GP		 2254 sk = l2cap_get_chan_by_scid(&conn->chan_list, dcid);
2255 if (!sk)
1da177e4
LT		 2256 return 0;
2257
aca3192c
YH		 2258 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
2259 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
1da177e4
LT		 2260 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
2261
2262 sk->sk_shutdown = SHUTDOWN_MASK;
2263
a49184c2
AE		 2264 /* don't delete l2cap channel if sk is owned by user */
2265 if (sock_owned_by_user(sk)) {
2266 sk->sk_state = BT_DISCONN;
2267 l2cap_sock_clear_timer(sk);
2268 l2cap_sock_set_timer(sk, HZ / 5);
2269 bh_unlock_sock(sk);
2270 return 0;
2271 }
2272
1da177e4
LT		 2273 l2cap_chan_del(sk, ECONNRESET);
2274 bh_unlock_sock(sk);
2275
2276 l2cap_sock_kill(sk);
2277 return 0;
2278}
2279
2280static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2281{
2282 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
2283 u16 dcid, scid;
2284 struct sock *sk;
2285
2286 scid = __le16_to_cpu(rsp->scid);
2287 dcid = __le16_to_cpu(rsp->dcid);
2288
2289 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
2290
af05b30b
GP		 2291 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
2292 if (!sk)
1da177e4
LT		 2293 return 0;
2294
a49184c2
AE		 2295 /* don't delete l2cap channel if sk is owned by user */
2296 if (sock_owned_by_user(sk)) {
2297 sk->sk_state = BT_DISCONN;
2298 l2cap_sock_clear_timer(sk);
2299 l2cap_sock_set_timer(sk, HZ / 5);
2300 bh_unlock_sock(sk);
2301 return 0;
2302 }
2303
1da177e4
LT		 2304 l2cap_chan_del(sk, 0);
2305 bh_unlock_sock(sk);
2306
2307 l2cap_sock_kill(sk);
2308 return 0;
2309}
2310
2311static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2312{
2313 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 2314 u16 type;
2315
2316 type = __le16_to_cpu(req->type);
2317
2318 BT_DBG("type 0x%4.4x", type);
2319
f0709e03
MH		 2320 if (type == L2CAP_IT_FEAT_MASK) {
2321 u8 buf[8];
44dd46de 2322 u32 feat_mask = l2cap_feat_mask;
f0709e03
MH		 2323 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2324 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2325 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 2326 if (!disable_ertm)
fcc203c3
GP		 2327 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
2328 | L2CAP_FEAT_FCS;
1b7bf4ed 2329 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 2330 l2cap_send_cmd(conn, cmd->ident,
2331 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 2332 } else if (type == L2CAP_IT_FIXED_CHAN) {
2333 u8 buf[12];
2334 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2335 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2336 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
2337 memcpy(buf + 4, l2cap_fixed_chan, 8);
2338 l2cap_send_cmd(conn, cmd->ident,
2339 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 2340 } else {
2341 struct l2cap_info_rsp rsp;
2342 rsp.type = cpu_to_le16(type);
2343 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
2344 l2cap_send_cmd(conn, cmd->ident,
2345 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
2346 }
1da177e4
LT		 2347
2348 return 0;
2349}
2350
2351static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2352{
2353 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
2354 u16 type, result;
2355
2356 type = __le16_to_cpu(rsp->type);
2357 result = __le16_to_cpu(rsp->result);
2358
2359 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
2360
4e8402a3
MH		 2361 del_timer(&conn->info_timer);
2362
adb08ede
VT		 2363 if (result != L2CAP_IR_SUCCESS) {
2364 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2365 conn->info_ident = 0;
2366
2367 l2cap_conn_start(conn);
2368
2369 return 0;
2370 }
2371
984947dc 2372 if (type == L2CAP_IT_FEAT_MASK) {
83985319 2373 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 2374
47ec1dcd 2375 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c
MH		 2376 struct l2cap_info_req req;
2377 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2378
2379 conn->info_ident = l2cap_get_ident(conn);
2380
2381 l2cap_send_cmd(conn, conn->info_ident,
2382 L2CAP_INFO_REQ, sizeof(req), &req);
2383 } else {
2384 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2385 conn->info_ident = 0;
2386
2387 l2cap_conn_start(conn);
2388 }
2389 } else if (type == L2CAP_IT_FIXED_CHAN) {
984947dc 2390 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2391 conn->info_ident = 0;
984947dc
MH		 2392
2393 l2cap_conn_start(conn);
2394 }
4e8402a3 2395
1da177e4
LT		 2396 return 0;
2397}
2398
2399static inline void l2cap_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb)
2400{
2401 u8 *data = skb->data;
2402 int len = skb->len;
2403 struct l2cap_cmd_hdr cmd;
2404 int err = 0;
2405
2406 l2cap_raw_recv(conn, skb);
2407
2408 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 2409 u16 cmd_len;
1da177e4
LT		 2410 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
2411 data += L2CAP_CMD_HDR_SIZE;
2412 len -= L2CAP_CMD_HDR_SIZE;
2413
88219a0f 2414 cmd_len = le16_to_cpu(cmd.len);
1da177e4 2415
88219a0f 2416 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 2417
88219a0f 2418 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 2419 BT_DBG("corrupted command");
2420 break;
2421 }
2422
2423 switch (cmd.code) {
2424 case L2CAP_COMMAND_REJ:
4e8402a3 2425 l2cap_command_rej(conn, &cmd, data);
1da177e4
LT		 2426 break;
2427
2428 case L2CAP_CONN_REQ:
2429 err = l2cap_connect_req(conn, &cmd, data);
2430 break;
2431
2432 case L2CAP_CONN_RSP:
2433 err = l2cap_connect_rsp(conn, &cmd, data);
2434 break;
2435
2436 case L2CAP_CONF_REQ:
88219a0f 2437 err = l2cap_config_req(conn, &cmd, cmd_len, data);
1da177e4
LT		 2438 break;
2439
2440 case L2CAP_CONF_RSP:
2441 err = l2cap_config_rsp(conn, &cmd, data);
2442 break;
2443
2444 case L2CAP_DISCONN_REQ:
2445 err = l2cap_disconnect_req(conn, &cmd, data);
2446 break;
2447
2448 case L2CAP_DISCONN_RSP:
2449 err = l2cap_disconnect_rsp(conn, &cmd, data);
2450 break;
2451
2452 case L2CAP_ECHO_REQ:
88219a0f 2453 l2cap_send_cmd(conn, cmd.ident, L2CAP_ECHO_RSP, cmd_len, data);
1da177e4
LT		 2454 break;
2455
2456 case L2CAP_ECHO_RSP:
2457 break;
2458
2459 case L2CAP_INFO_REQ:
2460 err = l2cap_information_req(conn, &cmd, data);
2461 break;
2462
2463 case L2CAP_INFO_RSP:
2464 err = l2cap_information_rsp(conn, &cmd, data);
2465 break;
2466
2467 default:
2468 BT_ERR("Unknown signaling command 0x%2.2x", cmd.code);
2469 err = -EINVAL;
2470 break;
2471 }
2472
2473 if (err) {
2474 struct l2cap_cmd_rej rej;
2475 BT_DBG("error %d", err);
2476
2477 /* FIXME: Map err to a valid reason */
aca3192c 2478 rej.reason = cpu_to_le16(0);
1da177e4
LT		 2479 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
2480 }
2481
88219a0f
AV		 2482 data += cmd_len;
2483 len -= cmd_len;
1da177e4
LT		 2484 }
2485
2486 kfree_skb(skb);
2487}
2488
fcc203c3
GP		 2489static int l2cap_check_fcs(struct l2cap_pinfo *pi, struct sk_buff *skb)
2490{
2491 u16 our_fcs, rcv_fcs;
2492 int hdr_size = L2CAP_HDR_SIZE + 2;
2493
2494 if (pi->fcs == L2CAP_FCS_CRC16) {
2495 skb_trim(skb, skb->len - 2);
2496 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
2497 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
2498
2499 if (our_fcs != rcv_fcs)
7a560e5c 2500 return -EBADMSG;
fcc203c3
GP		 2501 }
2502 return 0;
2503}
2504
d5392c8f
GP		 2505static inline void l2cap_send_i_or_rr_or_rnr(struct sock *sk)
2506{
2507 struct l2cap_pinfo *pi = l2cap_pi(sk);
2508 u16 control = 0;
2509
2510 pi->frames_sent = 0;
d5392c8f
GP		 2511
2512 control |= pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
2513
2514 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) {
64988868 2515 control |= L2CAP_SUPER_RCV_NOT_READY;
d5392c8f 2516 l2cap_send_sframe(pi, control);
1890d36b 2517 pi->conn_state |= L2CAP_CONN_RNR_SENT;
d5392c8f
GP		 2518 }
2519
4ea727ef
GP		 2520 if (pi->conn_state & L2CAP_CONN_REMOTE_BUSY)
2521 l2cap_retransmit_frames(sk);
d5392c8f
GP		 2522
2523 l2cap_ertm_send(sk);
2524
2525 if (!(pi->conn_state & L2CAP_CONN_LOCAL_BUSY) &&
2526 pi->frames_sent == 0) {
2527 control |= L2CAP_SUPER_RCV_READY;
d5392c8f
GP		 2528 l2cap_send_sframe(pi, control);
2529 }
2530}
2531
9b53350d 2532static int l2cap_add_to_srej_queue(struct sock *sk, struct sk_buff *skb, u8 tx_seq, u8 sar)
8f17154f
GP		 2533{
2534 struct sk_buff *next_skb;
bfbacc11
JPRV		 2535 struct l2cap_pinfo *pi = l2cap_pi(sk);
2536 int tx_seq_offset, next_tx_seq_offset;
8f17154f
GP		 2537
2538 bt_cb(skb)->tx_seq = tx_seq;
2539 bt_cb(skb)->sar = sar;
2540
2541 next_skb = skb_peek(SREJ_QUEUE(sk));
2542 if (!next_skb) {
2543 __skb_queue_tail(SREJ_QUEUE(sk), skb);
9b53350d 2544 return 0;
8f17154f
GP		 2545 }
2546
bfbacc11
JPRV		 2547 tx_seq_offset = (tx_seq - pi->buffer_seq) % 64;
2548 if (tx_seq_offset < 0)
2549 tx_seq_offset += 64;
2550
8f17154f 2551 do {
9b53350d
JPRV		 2552 if (bt_cb(next_skb)->tx_seq == tx_seq)
2553 return -EINVAL;
2554
bfbacc11
JPRV		 2555 next_tx_seq_offset = (bt_cb(next_skb)->tx_seq -
2556 pi->buffer_seq) % 64;
2557 if (next_tx_seq_offset < 0)
2558 next_tx_seq_offset += 64;
2559
2560 if (next_tx_seq_offset > tx_seq_offset) {
8f17154f 2561 __skb_queue_before(SREJ_QUEUE(sk), next_skb, skb);
9b53350d 2562 return 0;
8f17154f
GP		 2563 }
2564
2565 if (skb_queue_is_last(SREJ_QUEUE(sk), next_skb))
2566 break;
2567
59203a21 2568 } while ((next_skb = skb_queue_next(SREJ_QUEUE(sk), next_skb)));
8f17154f
GP		 2569
2570 __skb_queue_tail(SREJ_QUEUE(sk), skb);
9b53350d
JPRV		 2571
2572 return 0;
8f17154f
GP		 2573}
2574
18778a63
GP		 2575static int l2cap_ertm_reassembly_sdu(struct sock *sk, struct sk_buff *skb, u16 control)
2576{
2577 struct l2cap_pinfo *pi = l2cap_pi(sk);
2578 struct sk_buff *_skb;
1890d36b 2579 int err;
18778a63
GP		 2580
2581 switch (control & L2CAP_CTRL_SAR) {
2582 case L2CAP_SDU_UNSEGMENTED:
2583 if (pi->conn_state & L2CAP_CONN_SAR_SDU)
2584 goto drop;
2585
2586 err = sock_queue_rcv_skb(sk, skb);
2587 if (!err)
2588 return err;
2589
2590 break;
2591
2592 case L2CAP_SDU_START:
2593 if (pi->conn_state & L2CAP_CONN_SAR_SDU)
2594 goto drop;
2595
2596 pi->sdu_len = get_unaligned_le16(skb->data);
18778a63
GP		 2597
2598 if (pi->sdu_len > pi->imtu)
2599 goto disconnect;
2600
2601 pi->sdu = bt_skb_alloc(pi->sdu_len, GFP_ATOMIC);
1890d36b
GP		 2602 if (!pi->sdu)
2603 return -ENOMEM;
2604
2605 /* pull sdu_len bytes only after alloc, because of Local Busy
2606 * condition we have to be sure that this will be executed
2607 * only once, i.e., when alloc does not fail */
2608 skb_pull(skb, 2);
18778a63
GP		 2609
2610 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
2611
2612 pi->conn_state |= L2CAP_CONN_SAR_SDU;
2613 pi->partial_sdu_len = skb->len;
2614 break;
2615
2616 case L2CAP_SDU_CONTINUE:
2617 if (!(pi->conn_state & L2CAP_CONN_SAR_SDU))
2618 goto disconnect;
2619
2620 if (!pi->sdu)
2621 goto disconnect;
2622
18778a63
GP		 2623 pi->partial_sdu_len += skb->len;
2624 if (pi->partial_sdu_len > pi->sdu_len)
2625 goto drop;
2626
4178ba46
GP		 2627 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
2628
18778a63
GP		 2629 break;
2630
2631 case L2CAP_SDU_END:
2632 if (!(pi->conn_state & L2CAP_CONN_SAR_SDU))
2633 goto disconnect;
2634
2635 if (!pi->sdu)
2636 goto disconnect;
2637
1890d36b 2638 if (!(pi->conn_state & L2CAP_CONN_SAR_RETRY)) {
1890d36b 2639 pi->partial_sdu_len += skb->len;
18778a63 2640
1890d36b
GP		 2641 if (pi->partial_sdu_len > pi->imtu)
2642 goto drop;
18778a63 2643
1890d36b
GP		 2644 if (pi->partial_sdu_len != pi->sdu_len)
2645 goto drop;
4178ba46
GP		 2646
2647 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
1890d36b 2648 }
18778a63
GP		 2649
2650 _skb = skb_clone(pi->sdu, GFP_ATOMIC);
1890d36b
GP		 2651 if (!_skb) {
2652 pi->conn_state |= L2CAP_CONN_SAR_RETRY;
2653 return -ENOMEM;
2654 }
2655
18778a63 2656 err = sock_queue_rcv_skb(sk, _skb);
1890d36b 2657 if (err < 0) {
18778a63 2658 kfree_skb(_skb);
1890d36b
GP		 2659 pi->conn_state |= L2CAP_CONN_SAR_RETRY;
2660 return err;
2661 }
2662
2663 pi->conn_state &= ~L2CAP_CONN_SAR_RETRY;
2664 pi->conn_state &= ~L2CAP_CONN_SAR_SDU;
18778a63
GP		 2665
2666 kfree_skb(pi->sdu);
2667 break;
2668 }
2669
2670 kfree_skb(skb);
1890d36b 2671 return 0;
18778a63
GP		 2672
2673drop:
2674 kfree_skb(pi->sdu);
2675 pi->sdu = NULL;
2676
2677disconnect:
9b108fc0 2678 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
18778a63
GP		 2679 kfree_skb(skb);
2680 return 0;
2681}
2682
712132eb
GP		 2683static int l2cap_try_push_rx_skb(struct sock *sk)
2684{
2685 struct l2cap_pinfo *pi = l2cap_pi(sk);
2686 struct sk_buff *skb;
2687 u16 control;
2688 int err;
2689
2690 while ((skb = skb_dequeue(BUSY_QUEUE(sk)))) {
2691 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
2692 err = l2cap_ertm_reassembly_sdu(sk, skb, control);
2693 if (err < 0) {
2694 skb_queue_head(BUSY_QUEUE(sk), skb);
2695 return -EBUSY;
2696 }
2697
2698 pi->buffer_seq = (pi->buffer_seq + 1) % 64;
2699 }
2700
2701 if (!(pi->conn_state & L2CAP_CONN_RNR_SENT))
2702 goto done;
2703
2704 control = pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
2705 control |= L2CAP_SUPER_RCV_READY | L2CAP_CTRL_POLL;
2706 l2cap_send_sframe(pi, control);
2707 l2cap_pi(sk)->retry_count = 1;
2708
2709 del_timer(&pi->retrans_timer);
2710 __mod_monitor_timer();
2711
2712 l2cap_pi(sk)->conn_state |= L2CAP_CONN_WAIT_F;
2713
2714done:
2715 pi->conn_state &= ~L2CAP_CONN_LOCAL_BUSY;
2716 pi->conn_state &= ~L2CAP_CONN_RNR_SENT;
2717
2718 BT_DBG("sk %p, Exit local busy", sk);
2719
2720 return 0;
2721}
2722
1890d36b
GP		 2723static void l2cap_busy_work(struct work_struct *work)
2724{
2725 DECLARE_WAITQUEUE(wait, current);
2726 struct l2cap_pinfo *pi =
2727 container_of(work, struct l2cap_pinfo, busy_work);
2728 struct sock *sk = (struct sock *)pi;
2729 int n_tries = 0, timeo = HZ/5, err;
2730 struct sk_buff *skb;
1890d36b
GP		 2731
2732 lock_sock(sk);
2733
2b0b05dd 2734 add_wait_queue(sk_sleep(sk), &wait);
1890d36b
GP		 2735 while ((skb = skb_peek(BUSY_QUEUE(sk)))) {
2736 set_current_state(TASK_INTERRUPTIBLE);
2737
2738 if (n_tries++ > L2CAP_LOCAL_BUSY_TRIES) {
2739 err = -EBUSY;
9b108fc0 2740 l2cap_send_disconn_req(pi->conn, sk, EBUSY);
712132eb 2741 break;
1890d36b
GP		 2742 }
2743
2744 if (!timeo)
2745 timeo = HZ/5;
2746
2747 if (signal_pending(current)) {
2748 err = sock_intr_errno(timeo);
712132eb 2749 break;
1890d36b
GP		 2750 }
2751
2752 release_sock(sk);
2753 timeo = schedule_timeout(timeo);
2754 lock_sock(sk);
2755
2756 err = sock_error(sk);
2757 if (err)
712132eb 2758 break;
1890d36b 2759
712132eb 2760 if (l2cap_try_push_rx_skb(sk) == 0)
1890d36b
GP		 2761 break;
2762 }
2763
1890d36b 2764 set_current_state(TASK_RUNNING);
2b0b05dd 2765 remove_wait_queue(sk_sleep(sk), &wait);
1890d36b
GP		 2766
2767 release_sock(sk);
2768}
2769
2770static int l2cap_push_rx_skb(struct sock *sk, struct sk_buff *skb, u16 control)
2771{
2772 struct l2cap_pinfo *pi = l2cap_pi(sk);
2773 int sctrl, err;
2774
2775 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) {
2776 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
2777 __skb_queue_tail(BUSY_QUEUE(sk), skb);
712132eb
GP		 2778 return l2cap_try_push_rx_skb(sk);
2779
2780
1890d36b
GP		 2781 }
2782
2783 err = l2cap_ertm_reassembly_sdu(sk, skb, control);
2784 if (err >= 0) {
2785 pi->buffer_seq = (pi->buffer_seq + 1) % 64;
2786 return err;
2787 }
2788
2789 /* Busy Condition */
0e98958d
GP		 2790 BT_DBG("sk %p, Enter local busy", sk);
2791
1890d36b
GP		 2792 pi->conn_state |= L2CAP_CONN_LOCAL_BUSY;
2793 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
2794 __skb_queue_tail(BUSY_QUEUE(sk), skb);
2795
2796 sctrl = pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
2797 sctrl |= L2CAP_SUPER_RCV_NOT_READY;
2798 l2cap_send_sframe(pi, sctrl);
2799
2800 pi->conn_state |= L2CAP_CONN_RNR_SENT;
2801
7fe9b298
GP		 2802 del_timer(&pi->ack_timer);
2803
1890d36b
GP		 2804 queue_work(_busy_wq, &pi->busy_work);
2805
2806 return err;
2807}
2808
18778a63 2809static int l2cap_streaming_reassembly_sdu(struct sock *sk, struct sk_buff *skb, u16 control)
c74e560c
GP		 2810{
2811 struct l2cap_pinfo *pi = l2cap_pi(sk);
2812 struct sk_buff *_skb;
2813 int err = -EINVAL;
2814
18778a63
GP		 2815 /*
2816 * TODO: We have to notify the userland if some data is lost with the
2817 * Streaming Mode.
2818 */
2819
c74e560c
GP		 2820 switch (control & L2CAP_CTRL_SAR) {
2821 case L2CAP_SDU_UNSEGMENTED:
2822 if (pi->conn_state & L2CAP_CONN_SAR_SDU) {
2823 kfree_skb(pi->sdu);
2824 break;
2825 }
2826
2827 err = sock_queue_rcv_skb(sk, skb);
2828 if (!err)
2829 return 0;
2830
2831 break;
2832
2833 case L2CAP_SDU_START:
2834 if (pi->conn_state & L2CAP_CONN_SAR_SDU) {
2835 kfree_skb(pi->sdu);
2836 break;
2837 }
2838
2839 pi->sdu_len = get_unaligned_le16(skb->data);
2840 skb_pull(skb, 2);
2841
052897ca
GP		 2842 if (pi->sdu_len > pi->imtu) {
2843 err = -EMSGSIZE;
2844 break;
2845 }
2846
c74e560c
GP		 2847 pi->sdu = bt_skb_alloc(pi->sdu_len, GFP_ATOMIC);
2848 if (!pi->sdu) {
2849 err = -ENOMEM;
2850 break;
2851 }
2852
2853 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
2854
2855 pi->conn_state |= L2CAP_CONN_SAR_SDU;
2856 pi->partial_sdu_len = skb->len;
2857 err = 0;
2858 break;
2859
2860 case L2CAP_SDU_CONTINUE:
2861 if (!(pi->conn_state & L2CAP_CONN_SAR_SDU))
2862 break;
2863
2864 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
2865
2866 pi->partial_sdu_len += skb->len;
2867 if (pi->partial_sdu_len > pi->sdu_len)
2868 kfree_skb(pi->sdu);
2869 else
2870 err = 0;
2871
2872 break;
2873
2874 case L2CAP_SDU_END:
2875 if (!(pi->conn_state & L2CAP_CONN_SAR_SDU))
2876 break;
2877
2878 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
2879
2880 pi->conn_state &= ~L2CAP_CONN_SAR_SDU;
2881 pi->partial_sdu_len += skb->len;
2882
36f2fd58
GP		 2883 if (pi->partial_sdu_len > pi->imtu)
2884 goto drop;
2885
c74e560c
GP		 2886 if (pi->partial_sdu_len == pi->sdu_len) {
2887 _skb = skb_clone(pi->sdu, GFP_ATOMIC);
2888 err = sock_queue_rcv_skb(sk, _skb);
2889 if (err < 0)
2890 kfree_skb(_skb);
2891 }
c74e560c
GP		 2892 err = 0;
2893
36f2fd58
GP		 2894drop:
2895 kfree_skb(pi->sdu);
c74e560c
GP		 2896 break;
2897 }
2898
2899 kfree_skb(skb);
2900 return err;
2901}
2902
8f17154f
GP		 2903static void l2cap_check_srej_gap(struct sock *sk, u8 tx_seq)
2904{
2905 struct sk_buff *skb;
afefdbc4 2906 u16 control;
8f17154f 2907
59203a21 2908 while ((skb = skb_peek(SREJ_QUEUE(sk)))) {
8f17154f
GP		 2909 if (bt_cb(skb)->tx_seq != tx_seq)
2910 break;
2911
2912 skb = skb_dequeue(SREJ_QUEUE(sk));
afefdbc4 2913 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
18778a63 2914 l2cap_ertm_reassembly_sdu(sk, skb, control);
8f17154f
GP		 2915 l2cap_pi(sk)->buffer_seq_srej =
2916 (l2cap_pi(sk)->buffer_seq_srej + 1) % 64;
8ff50ec0 2917 tx_seq = (tx_seq + 1) % 64;
8f17154f
GP		 2918 }
2919}
2920
2921static void l2cap_resend_srejframe(struct sock *sk, u8 tx_seq)
2922{
2923 struct l2cap_pinfo *pi = l2cap_pi(sk);
2924 struct srej_list *l, *tmp;
2925 u16 control;
2926
59203a21 2927 list_for_each_entry_safe(l, tmp, SREJ_LIST(sk), list) {
8f17154f
GP		 2928 if (l->tx_seq == tx_seq) {
2929 list_del(&l->list);
2930 kfree(l);
2931 return;
2932 }
2933 control = L2CAP_SUPER_SELECT_REJECT;
2934 control |= l->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
2935 l2cap_send_sframe(pi, control);
2936 list_del(&l->list);
2937 list_add_tail(&l->list, SREJ_LIST(sk));
2938 }
2939}
2940
2941static void l2cap_send_srejframe(struct sock *sk, u8 tx_seq)
2942{
2943 struct l2cap_pinfo *pi = l2cap_pi(sk);
2944 struct srej_list *new;
2945 u16 control;
2946
2947 while (tx_seq != pi->expected_tx_seq) {
2948 control = L2CAP_SUPER_SELECT_REJECT;
2949 control |= pi->expected_tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
2950 l2cap_send_sframe(pi, control);
2951
2952 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
8ff50ec0
GP		 2953 new->tx_seq = pi->expected_tx_seq;
2954 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
8f17154f
GP		 2955 list_add_tail(&new->list, SREJ_LIST(sk));
2956 }
8ff50ec0 2957 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
8f17154f
GP		 2958}
2959
1c2acffb
GP		 2960static inline int l2cap_data_channel_iframe(struct sock *sk, u16 rx_control, struct sk_buff *skb)
2961{
2962 struct l2cap_pinfo *pi = l2cap_pi(sk);
2963 u8 tx_seq = __get_txseq(rx_control);
9f121a5a 2964 u8 req_seq = __get_reqseq(rx_control);
8f17154f 2965 u8 sar = rx_control >> L2CAP_CTRL_SAR_SHIFT;
f6337c77 2966 int tx_seq_offset, expected_tx_seq_offset;
803020c6 2967 int num_to_ack = (pi->tx_win/6) + 1;
1c2acffb
GP		 2968 int err = 0;
2969
0e98958d
GP		 2970 BT_DBG("sk %p len %d tx_seq %d rx_control 0x%4.4x", sk, skb->len, tx_seq,
2971 rx_control);
1c2acffb 2972
9b16dc65
GP		 2973 if (L2CAP_CTRL_FINAL & rx_control &&
2974 l2cap_pi(sk)->conn_state & L2CAP_CONN_WAIT_F) {
1d8f5d16
GP		 2975 del_timer(&pi->monitor_timer);
2976 if (pi->unacked_frames > 0)
2977 __mod_retrans_timer();
2978 pi->conn_state &= ~L2CAP_CONN_WAIT_F;
2979 }
2980
9f121a5a
GP		 2981 pi->expected_ack_seq = req_seq;
2982 l2cap_drop_acked_frames(sk);
2983
8f17154f
GP		 2984 if (tx_seq == pi->expected_tx_seq)
2985 goto expected;
1c2acffb 2986
9b53350d
JPRV		 2987 tx_seq_offset = (tx_seq - pi->buffer_seq) % 64;
2988 if (tx_seq_offset < 0)
2989 tx_seq_offset += 64;
2990
2991 /* invalid tx_seq */
2992 if (tx_seq_offset >= pi->tx_win) {
9b108fc0 2993 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
9b53350d
JPRV		 2994 goto drop;
2995 }
2996
1890d36b
GP		 2997 if (pi->conn_state == L2CAP_CONN_LOCAL_BUSY)
2998 goto drop;
2999
8f17154f
GP		 3000 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
3001 struct srej_list *first;
30afb5b2 3002
8f17154f
GP		 3003 first = list_first_entry(SREJ_LIST(sk),
3004 struct srej_list, list);
3005 if (tx_seq == first->tx_seq) {
3006 l2cap_add_to_srej_queue(sk, skb, tx_seq, sar);
3007 l2cap_check_srej_gap(sk, tx_seq);
3008
3009 list_del(&first->list);
3010 kfree(first);
3011
3012 if (list_empty(SREJ_LIST(sk))) {
3013 pi->buffer_seq = pi->buffer_seq_srej;
3014 pi->conn_state &= ~L2CAP_CONN_SREJ_SENT;
855666cc 3015 l2cap_send_ack(pi);
0e98958d 3016 BT_DBG("sk %p, Exit SREJ_SENT", sk);
8f17154f
GP		 3017 }
3018 } else {
3019 struct srej_list *l;
9b53350d
JPRV		 3020
3021 /* duplicated tx_seq */
3022 if (l2cap_add_to_srej_queue(sk, skb, tx_seq, sar) < 0)
3023 goto drop;
8f17154f
GP		 3024
3025 list_for_each_entry(l, SREJ_LIST(sk), list) {
3026 if (l->tx_seq == tx_seq) {
3027 l2cap_resend_srejframe(sk, tx_seq);
3028 return 0;
3029 }
3030 }
3031 l2cap_send_srejframe(sk, tx_seq);
30afb5b2
GP		 3032 }
3033 } else {
9b53350d
JPRV		 3034 expected_tx_seq_offset =
3035 (pi->expected_tx_seq - pi->buffer_seq) % 64;
3036 if (expected_tx_seq_offset < 0)
3037 expected_tx_seq_offset += 64;
3038
3039 /* duplicated tx_seq */
3040 if (tx_seq_offset < expected_tx_seq_offset)
3041 goto drop;
3042
8f17154f 3043 pi->conn_state |= L2CAP_CONN_SREJ_SENT;
1c2acffb 3044
0e98958d
GP		 3045 BT_DBG("sk %p, Enter SREJ", sk);
3046
8f17154f
GP		 3047 INIT_LIST_HEAD(SREJ_LIST(sk));
3048 pi->buffer_seq_srej = pi->buffer_seq;
3049
3050 __skb_queue_head_init(SREJ_QUEUE(sk));
1890d36b 3051 __skb_queue_head_init(BUSY_QUEUE(sk));
8f17154f
GP		 3052 l2cap_add_to_srej_queue(sk, skb, tx_seq, sar);
3053
ef54fd93
GP		 3054 pi->conn_state |= L2CAP_CONN_SEND_PBIT;
3055
8f17154f 3056 l2cap_send_srejframe(sk, tx_seq);
7fe9b298
GP		 3057
3058 del_timer(&pi->ack_timer);
1c2acffb 3059 }
30afb5b2
GP		 3060 return 0;
3061
8f17154f
GP		 3062expected:
3063 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
3064
3065 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
3b1a9f3f
GP		 3066 bt_cb(skb)->tx_seq = tx_seq;
3067 bt_cb(skb)->sar = sar;
3068 __skb_queue_tail(SREJ_QUEUE(sk), skb);
8f17154f
GP		 3069 return 0;
3070 }
3071
2ece3684
GP		 3072 err = l2cap_push_rx_skb(sk, skb, rx_control);
3073 if (err < 0)
3074 return 0;
3075
4ec10d97
GP		 3076 if (rx_control & L2CAP_CTRL_FINAL) {
3077 if (pi->conn_state & L2CAP_CONN_REJ_ACT)
3078 pi->conn_state &= ~L2CAP_CONN_REJ_ACT;
dfc909be
GP		 3079 else
3080 l2cap_retransmit_frames(sk);
4ec10d97
GP		 3081 }
3082
c1b4f43b
GP		 3083 __mod_ack_timer();
3084
803020c6
GP		 3085 pi->num_acked = (pi->num_acked + 1) % num_to_ack;
3086 if (pi->num_acked == num_to_ack - 1)
9e917af1
GP		 3087 l2cap_send_ack(pi);
3088
8f17154f 3089 return 0;
9b53350d
JPRV		 3090
3091drop:
3092 kfree_skb(skb);
3093 return 0;
1c2acffb
GP		 3094}
3095
e072745f 3096static inline void l2cap_data_channel_rrframe(struct sock *sk, u16 rx_control)
1c2acffb
GP		 3097{
3098 struct l2cap_pinfo *pi = l2cap_pi(sk);
6e3a5981 3099
0e98958d
GP		 3100 BT_DBG("sk %p, req_seq %d ctrl 0x%4.4x", sk, __get_reqseq(rx_control),
3101 rx_control);
3102
6e3a5981
GP		 3103 pi->expected_ack_seq = __get_reqseq(rx_control);
3104 l2cap_drop_acked_frames(sk);
1c2acffb 3105
e072745f 3106 if (rx_control & L2CAP_CTRL_POLL) {
3cb123d1 3107 pi->conn_state |= L2CAP_CONN_SEND_FBIT;
05fbd89d
GP		 3108 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
3109 if ((pi->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
3110 (pi->unacked_frames > 0))
3111 __mod_retrans_timer();
3112
3113 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3114 l2cap_send_srejtail(sk);
3115 } else {
3116 l2cap_send_i_or_rr_or_rnr(sk);
05fbd89d 3117 }
1d8f5d16 3118
e072745f
GP		 3119 } else if (rx_control & L2CAP_CTRL_FINAL) {
3120 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
4ec10d97 3121
e072745f
GP		 3122 if (pi->conn_state & L2CAP_CONN_REJ_ACT)
3123 pi->conn_state &= ~L2CAP_CONN_REJ_ACT;
dfc909be
GP		 3124 else
3125 l2cap_retransmit_frames(sk);
2246b2f1 3126
e072745f 3127 } else {
e072745f
GP		 3128 if ((pi->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
3129 (pi->unacked_frames > 0))
3130 __mod_retrans_timer();
1c2acffb 3131
2246b2f1 3132 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
894718a6 3133 if (pi->conn_state & L2CAP_CONN_SREJ_SENT)
e072745f 3134 l2cap_send_ack(pi);
894718a6 3135 else
e072745f
GP		 3136 l2cap_ertm_send(sk);
3137 }
3138}
2246b2f1 3139
e072745f
GP		 3140static inline void l2cap_data_channel_rejframe(struct sock *sk, u16 rx_control)
3141{
3142 struct l2cap_pinfo *pi = l2cap_pi(sk);
3143 u8 tx_seq = __get_reqseq(rx_control);
30afb5b2 3144
0e98958d
GP		 3145 BT_DBG("sk %p, req_seq %d ctrl 0x%4.4x", sk, tx_seq, rx_control);
3146
e072745f
GP		 3147 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3148
8abb52ee 3149 pi->expected_ack_seq = tx_seq;
e072745f
GP		 3150 l2cap_drop_acked_frames(sk);
3151
3152 if (rx_control & L2CAP_CTRL_FINAL) {
3153 if (pi->conn_state & L2CAP_CONN_REJ_ACT)
3154 pi->conn_state &= ~L2CAP_CONN_REJ_ACT;
dfc909be
GP		 3155 else
3156 l2cap_retransmit_frames(sk);
e072745f 3157 } else {
dfc909be 3158 l2cap_retransmit_frames(sk);
30afb5b2 3159
0301ef04 3160 if (pi->conn_state & L2CAP_CONN_WAIT_F)
e072745f 3161 pi->conn_state |= L2CAP_CONN_REJ_ACT;
e072745f
GP		 3162 }
3163}
3164static inline void l2cap_data_channel_srejframe(struct sock *sk, u16 rx_control)
3165{
3166 struct l2cap_pinfo *pi = l2cap_pi(sk);
3167 u8 tx_seq = __get_reqseq(rx_control);
30afb5b2 3168
0e98958d
GP		 3169 BT_DBG("sk %p, req_seq %d ctrl 0x%4.4x", sk, tx_seq, rx_control);
3170
e072745f 3171 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
2246b2f1 3172
e072745f
GP		 3173 if (rx_control & L2CAP_CTRL_POLL) {
3174 pi->expected_ack_seq = tx_seq;
3175 l2cap_drop_acked_frames(sk);
3cb123d1
GP		 3176
3177 pi->conn_state |= L2CAP_CONN_SEND_FBIT;
dfc909be
GP		 3178 l2cap_retransmit_one_frame(sk, tx_seq);
3179
e072745f 3180 l2cap_ertm_send(sk);
dfc909be 3181
e072745f
GP		 3182 if (pi->conn_state & L2CAP_CONN_WAIT_F) {
3183 pi->srej_save_reqseq = tx_seq;
3184 pi->conn_state |= L2CAP_CONN_SREJ_ACT;
ef54fd93 3185 }
e072745f
GP		 3186 } else if (rx_control & L2CAP_CTRL_FINAL) {
3187 if ((pi->conn_state & L2CAP_CONN_SREJ_ACT) &&
3188 pi->srej_save_reqseq == tx_seq)
3189 pi->conn_state &= ~L2CAP_CONN_SREJ_ACT;
3190 else
dfc909be 3191 l2cap_retransmit_one_frame(sk, tx_seq);
e072745f 3192 } else {
dfc909be 3193 l2cap_retransmit_one_frame(sk, tx_seq);
e072745f
GP		 3194 if (pi->conn_state & L2CAP_CONN_WAIT_F) {
3195 pi->srej_save_reqseq = tx_seq;
3196 pi->conn_state |= L2CAP_CONN_SREJ_ACT;
ef54fd93 3197 }
e072745f
GP		 3198 }
3199}
3200
3201static inline void l2cap_data_channel_rnrframe(struct sock *sk, u16 rx_control)
3202{
3203 struct l2cap_pinfo *pi = l2cap_pi(sk);
3204 u8 tx_seq = __get_reqseq(rx_control);
3205
0e98958d
GP		 3206 BT_DBG("sk %p, req_seq %d ctrl 0x%4.4x", sk, tx_seq, rx_control);
3207
e072745f
GP		 3208 pi->conn_state |= L2CAP_CONN_REMOTE_BUSY;
3209 pi->expected_ack_seq = tx_seq;
3210 l2cap_drop_acked_frames(sk);
3211
3cb123d1
GP		 3212 if (rx_control & L2CAP_CTRL_POLL)
3213 pi->conn_state |= L2CAP_CONN_SEND_FBIT;
3214
99b0d4b7
GP		 3215 if (!(pi->conn_state & L2CAP_CONN_SREJ_SENT)) {
3216 del_timer(&pi->retrans_timer);
a2e12a2a
GP		 3217 if (rx_control & L2CAP_CTRL_POLL)
3218 l2cap_send_rr_or_rnr(pi, L2CAP_CTRL_FINAL);
99b0d4b7 3219 return;
e072745f 3220 }
99b0d4b7
GP		 3221
3222 if (rx_control & L2CAP_CTRL_POLL)
3223 l2cap_send_srejtail(sk);
3224 else
3225 l2cap_send_sframe(pi, L2CAP_SUPER_RCV_READY);
e072745f
GP		 3226}
3227
3228static inline int l2cap_data_channel_sframe(struct sock *sk, u16 rx_control, struct sk_buff *skb)
3229{
3230 BT_DBG("sk %p rx_control 0x%4.4x len %d", sk, rx_control, skb->len);
3231
9b16dc65
GP		 3232 if (L2CAP_CTRL_FINAL & rx_control &&
3233 l2cap_pi(sk)->conn_state & L2CAP_CONN_WAIT_F) {
e072745f
GP		 3234 del_timer(&l2cap_pi(sk)->monitor_timer);
3235 if (l2cap_pi(sk)->unacked_frames > 0)
3236 __mod_retrans_timer();
3237 l2cap_pi(sk)->conn_state &= ~L2CAP_CONN_WAIT_F;
3238 }
3239
3240 switch (rx_control & L2CAP_CTRL_SUPERVISE) {
3241 case L2CAP_SUPER_RCV_READY:
3242 l2cap_data_channel_rrframe(sk, rx_control);
8f17154f
GP		 3243 break;
3244
e072745f
GP		 3245 case L2CAP_SUPER_REJECT:
3246 l2cap_data_channel_rejframe(sk, rx_control);
3247 break;
2246b2f1 3248
e072745f
GP		 3249 case L2CAP_SUPER_SELECT_REJECT:
3250 l2cap_data_channel_srejframe(sk, rx_control);
3251 break;
3252
3253 case L2CAP_SUPER_RCV_NOT_READY:
3254 l2cap_data_channel_rnrframe(sk, rx_control);
1c2acffb
GP		 3255 break;
3256 }
3257
faaebd19 3258 kfree_skb(skb);
1c2acffb
GP		 3259 return 0;
3260}
3261
218bb9df
GP		 3262static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb)
3263{
3264 struct l2cap_pinfo *pi = l2cap_pi(sk);
3265 u16 control;
3266 u8 req_seq;
3267 int len, next_tx_seq_offset, req_seq_offset;
3268
3269 control = get_unaligned_le16(skb->data);
3270 skb_pull(skb, 2);
3271 len = skb->len;
3272
3273 /*
3274 * We can just drop the corrupted I-frame here.
3275 * Receiver will miss it and start proper recovery
3276 * procedures and ask retransmission.
3277 */
3278 if (l2cap_check_fcs(pi, skb))
3279 goto drop;
3280
3281 if (__is_sar_start(control) && __is_iframe(control))
3282 len -= 2;
3283
3284 if (pi->fcs == L2CAP_FCS_CRC16)
3285 len -= 2;
3286
3287 if (len > pi->mps) {
3288 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
3289 goto drop;
3290 }
3291
3292 req_seq = __get_reqseq(control);
3293 req_seq_offset = (req_seq - pi->expected_ack_seq) % 64;
3294 if (req_seq_offset < 0)
3295 req_seq_offset += 64;
3296
3297 next_tx_seq_offset =
3298 (pi->next_tx_seq - pi->expected_ack_seq) % 64;
3299 if (next_tx_seq_offset < 0)
3300 next_tx_seq_offset += 64;
3301
3302 /* check for invalid req-seq */
3303 if (req_seq_offset > next_tx_seq_offset) {
3304 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
3305 goto drop;
3306 }
3307
3308 if (__is_iframe(control)) {
3309 if (len < 0) {
3310 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
3311 goto drop;
3312 }
3313
3314 l2cap_data_channel_iframe(sk, control, skb);
3315 } else {
3316 if (len != 0) {
3317 BT_ERR("%d", len);
3318 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
3319 goto drop;
3320 }
3321
3322 l2cap_data_channel_sframe(sk, control, skb);
3323 }
3324
3325 return 0;
3326
3327drop:
3328 kfree_skb(skb);
3329 return 0;
3330}
3331
1da177e4
LT		 3332static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
3333{
3334 struct sock *sk;
6840ed07 3335 struct l2cap_pinfo *pi;
51893f88 3336 u16 control;
218bb9df
GP		 3337 u8 tx_seq;
3338 int len;
1da177e4
LT		 3339
3340 sk = l2cap_get_chan_by_scid(&conn->chan_list, cid);
3341 if (!sk) {
3342 BT_DBG("unknown cid 0x%4.4x", cid);
3343 goto drop;
3344 }
3345
6840ed07
GP		 3346 pi = l2cap_pi(sk);
3347
1da177e4
LT		 3348 BT_DBG("sk %p, len %d", sk, skb->len);
3349
3350 if (sk->sk_state != BT_CONNECTED)
3351 goto drop;
3352
6840ed07 3353 switch (pi->mode) {
1c2acffb
GP		 3354 case L2CAP_MODE_BASIC:
3355 /* If socket recv buffers overflows we drop data here
3356 * which is *bad* because L2CAP has to be reliable.
3357 * But we don't have any other choice. L2CAP doesn't
3358 * provide flow control mechanism. */
1da177e4 3359
6840ed07 3360 if (pi->imtu < skb->len)
1c2acffb 3361 goto drop;
1da177e4 3362
1c2acffb
GP		 3363 if (!sock_queue_rcv_skb(sk, skb))
3364 goto done;
3365 break;
3366
3367 case L2CAP_MODE_ERTM:
218bb9df
GP		 3368 if (!sock_owned_by_user(sk)) {
3369 l2cap_ertm_data_rcv(sk, skb);
277ffbe3 3370 } else {
218bb9df 3371 if (sk_add_backlog(sk, skb))
277ffbe3 3372 goto drop;
277ffbe3 3373 }
1c2acffb 3374
fcafde2e 3375 goto done;
1c2acffb 3376
6840ed07
GP		 3377 case L2CAP_MODE_STREAMING:
3378 control = get_unaligned_le16(skb->data);
3379 skb_pull(skb, 2);
3380 len = skb->len;
3381
26000089
GP		 3382 if (l2cap_check_fcs(pi, skb))
3383 goto drop;
3384
6840ed07
GP		 3385 if (__is_sar_start(control))
3386 len -= 2;
3387
fcc203c3
GP		 3388 if (pi->fcs == L2CAP_FCS_CRC16)
3389 len -= 2;
3390
51893f88 3391 if (len > pi->mps || len < 0 || __is_sframe(control))
6840ed07
GP		 3392 goto drop;
3393
3394 tx_seq = __get_txseq(control);
3395
3396 if (pi->expected_tx_seq == tx_seq)
3397 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
3398 else
7dffe421 3399 pi->expected_tx_seq = (tx_seq + 1) % 64;
6840ed07 3400
18778a63 3401 l2cap_streaming_reassembly_sdu(sk, skb, control);
6840ed07
GP		 3402
3403 goto done;
3404
1c2acffb 3405 default:
e8235c6b 3406 BT_DBG("sk %p: bad mode 0x%2.2x", sk, pi->mode);
1c2acffb
GP		 3407 break;
3408 }
1da177e4
LT		 3409
3410drop:
3411 kfree_skb(skb);
3412
3413done:
0139418c
MH		 3414 if (sk)
3415 bh_unlock_sock(sk);
3416
1da177e4
LT		 3417 return 0;
3418}
3419
8e036fc3 3420static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
1da177e4
LT		 3421{
3422 struct sock *sk;
3423
3424 sk = l2cap_get_sock_by_psm(0, psm, conn->src);
3425 if (!sk)
3426 goto drop;
3427
e0f0cb56
GP		 3428 bh_lock_sock(sk);
3429
1da177e4
LT		 3430 BT_DBG("sk %p, len %d", sk, skb->len);
3431
3432 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_CONNECTED)
3433 goto drop;
3434
3435 if (l2cap_pi(sk)->imtu < skb->len)
3436 goto drop;
3437
3438 if (!sock_queue_rcv_skb(sk, skb))
3439 goto done;
3440
3441drop:
3442 kfree_skb(skb);
3443
3444done:
af05b30b
GP		 3445 if (sk)
3446 bh_unlock_sock(sk);
1da177e4
LT		 3447 return 0;
3448}
3449
3450static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
3451{
3452 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 3453 u16 cid, len;
3454 __le16 psm;
1da177e4
LT		 3455
3456 skb_pull(skb, L2CAP_HDR_SIZE);
3457 cid = __le16_to_cpu(lh->cid);
3458 len = __le16_to_cpu(lh->len);
3459
1c2acffb
GP		 3460 if (len != skb->len) {
3461 kfree_skb(skb);
3462 return;
3463 }
3464
1da177e4
LT		 3465 BT_DBG("len %d, cid 0x%4.4x", len, cid);
3466
3467 switch (cid) {
8db4dc46 3468 case L2CAP_CID_SIGNALING:
1da177e4
LT		 3469 l2cap_sig_channel(conn, skb);
3470 break;
3471
8db4dc46 3472 case L2CAP_CID_CONN_LESS:
1b7bf4ed 3473 psm = get_unaligned_le16(skb->data);
1da177e4
LT		 3474 skb_pull(skb, 2);
3475 l2cap_conless_channel(conn, psm, skb);
3476 break;
3477
3478 default:
3479 l2cap_data_channel(conn, cid, skb);
3480 break;
3481 }
3482}
3483
3484/* ---- L2CAP interface with lower layer (HCI) ---- */
3485
3486static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
3487{
3488 int exact = 0, lm1 = 0, lm2 = 0;
3489 register struct sock *sk;
3490 struct hlist_node *node;
3491
3492 if (type != ACL_LINK)
963cf687 3493 return -EINVAL;
1da177e4
LT		 3494
3495 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
3496
3497 /* Find listening sockets and check their link_mode */
3498 read_lock(&l2cap_sk_list.lock);
3499 sk_for_each(sk, node, &l2cap_sk_list.head) {
3500 if (sk->sk_state != BT_LISTEN)
3501 continue;
3502
3503 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5
MH		 3504 lm1 |= HCI_LM_ACCEPT;
3505 if (l2cap_pi(sk)->role_switch)
3506 lm1 |= HCI_LM_MASTER;
1da177e4 3507 exact++;
2af6b9d5
MH		 3508 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
3509 lm2 |= HCI_LM_ACCEPT;
3510 if (l2cap_pi(sk)->role_switch)
3511 lm2 |= HCI_LM_MASTER;
3512 }
1da177e4
LT		 3513 }
3514 read_unlock(&l2cap_sk_list.lock);
3515
3516 return exact ? lm1 : lm2;
3517}
3518
3519static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
3520{
0139418c
MH		 3521 struct l2cap_conn *conn;
3522
1da177e4
LT		 3523 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
3524
3525 if (hcon->type != ACL_LINK)
963cf687 3526 return -EINVAL;
1da177e4
LT		 3527
3528 if (!status) {
1da177e4
LT		 3529 conn = l2cap_conn_add(hcon, status);
3530 if (conn)
3531 l2cap_conn_ready(conn);
0139418c 3532 } else
1da177e4
LT		 3533 l2cap_conn_del(hcon, bt_err(status));
3534
3535 return 0;
3536}
3537
2950f21a
MH		 3538static int l2cap_disconn_ind(struct hci_conn *hcon)
3539{
3540 struct l2cap_conn *conn = hcon->l2cap_data;
3541
3542 BT_DBG("hcon %p", hcon);
3543
3544 if (hcon->type != ACL_LINK || !conn)
3545 return 0x13;
3546
3547 return conn->disc_reason;
3548}
3549
3550static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 3551{
3552 BT_DBG("hcon %p reason %d", hcon, reason);
3553
3554 if (hcon->type != ACL_LINK)
963cf687 3555 return -EINVAL;
1da177e4
LT		 3556
3557 l2cap_conn_del(hcon, bt_err(reason));
0139418c 3558
1da177e4
LT		 3559 return 0;
3560}
3561
f62e4323
MH		 3562static inline void l2cap_check_encryption(struct sock *sk, u8 encrypt)
3563{
bd3c9e25 3564 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM)
255c7601
MH		 3565 return;
3566
f62e4323
MH		 3567 if (encrypt == 0x00) {
3568 if (l2cap_pi(sk)->sec_level == BT_SECURITY_MEDIUM) {
3569 l2cap_sock_clear_timer(sk);
3570 l2cap_sock_set_timer(sk, HZ * 5);
3571 } else if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
3572 __l2cap_sock_close(sk, ECONNREFUSED);
3573 } else {
3574 if (l2cap_pi(sk)->sec_level == BT_SECURITY_MEDIUM)
3575 l2cap_sock_clear_timer(sk);
3576 }
3577}
3578
8c1b2355 3579static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4
LT		 3580{
3581 struct l2cap_chan_list *l;
0139418c 3582 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4 3583 struct sock *sk;
1da177e4 3584
0139418c 3585 if (!conn)
1da177e4 3586 return 0;
0139418c 3587
1da177e4
LT		 3588 l = &conn->chan_list;
3589
3590 BT_DBG("conn %p", conn);
3591
3592 read_lock(&l->lock);
3593
3594 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
3595 bh_lock_sock(sk);
3596
6a8d3010
MH		 3597 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_CONNECT_PEND) {
3598 bh_unlock_sock(sk);
3599 continue;
3600 }
3601
f62e4323 3602 if (!status && (sk->sk_state == BT_CONNECTED ||
8c1b2355 3603 sk->sk_state == BT_CONFIG)) {
f62e4323 3604 l2cap_check_encryption(sk, encrypt);
9719f8af
MH		 3605 bh_unlock_sock(sk);
3606 continue;
3607 }
3608
b1235d79
MH		 3609 if (sk->sk_state == BT_CONNECT) {
3610 if (!status) {
3611 struct l2cap_conn_req req;
3612 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
3613 req.psm = l2cap_pi(sk)->psm;
1da177e4 3614
b1235d79 3615 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
e501d055 3616 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
1da177e4 3617
b1235d79
MH		 3618 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
3619 L2CAP_CONN_REQ, sizeof(req), &req);
3620 } else {
3621 l2cap_sock_clear_timer(sk);
3622 l2cap_sock_set_timer(sk, HZ / 10);
3623 }
3624 } else if (sk->sk_state == BT_CONNECT2) {
3625 struct l2cap_conn_rsp rsp;
3626 __u16 result;
1da177e4 3627
b1235d79
MH		 3628 if (!status) {
3629 sk->sk_state = BT_CONFIG;
3630 result = L2CAP_CR_SUCCESS;
3631 } else {
3632 sk->sk_state = BT_DISCONN;
3633 l2cap_sock_set_timer(sk, HZ / 10);
3634 result = L2CAP_CR_SEC_BLOCK;
3635 }
3636
3637 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
3638 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
3639 rsp.result = cpu_to_le16(result);
e7c29cb1 3640 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
b1235d79
MH		 3641 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
3642 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
3643 }
1da177e4
LT		 3644
3645 bh_unlock_sock(sk);
3646 }
3647
3648 read_unlock(&l->lock);
b1235d79 3649
1da177e4
LT		 3650 return 0;
3651}
3652
3653static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
3654{
3655 struct l2cap_conn *conn = hcon->l2cap_data;
3656
5a08ecce
AE		 3657 if (!conn)
3658 conn = l2cap_conn_add(hcon, 0);
3659
3660 if (!conn)
1da177e4
LT		 3661 goto drop;
3662
3663 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
3664
e702112f 3665 if (!(flags & ACL_CONT)) {
1da177e4 3666 struct l2cap_hdr *hdr;
89794813
AE		 3667 struct sock *sk;
3668 u16 cid;
1da177e4
LT		 3669 int len;
3670
3671 if (conn->rx_len) {
3672 BT_ERR("Unexpected start frame (len %d)", skb->len);
3673 kfree_skb(conn->rx_skb);
3674 conn->rx_skb = NULL;
3675 conn->rx_len = 0;
3676 l2cap_conn_unreliable(conn, ECOMM);
3677 }
3678
aae7fe22
AE		 3679 /* Start fragment always begin with Basic L2CAP header */
3680 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 3681 BT_ERR("Frame is too short (len %d)", skb->len);
3682 l2cap_conn_unreliable(conn, ECOMM);
3683 goto drop;
3684 }
3685
3686 hdr = (struct l2cap_hdr *) skb->data;
3687 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
89794813 3688 cid = __le16_to_cpu(hdr->cid);
1da177e4
LT		 3689
3690 if (len == skb->len) {
3691 /* Complete frame received */
3692 l2cap_recv_frame(conn, skb);
3693 return 0;
3694 }
3695
3696 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
3697
3698 if (skb->len > len) {
3699 BT_ERR("Frame is too long (len %d, expected len %d)",
3700 skb->len, len);
3701 l2cap_conn_unreliable(conn, ECOMM);
3702 goto drop;
3703 }
3704
89794813
AE		 3705 sk = l2cap_get_chan_by_scid(&conn->chan_list, cid);
3706
3707 if (sk && l2cap_pi(sk)->imtu < len - L2CAP_HDR_SIZE) {
3708 BT_ERR("Frame exceeding recv MTU (len %d, MTU %d)",
3709 len, l2cap_pi(sk)->imtu);
3710 bh_unlock_sock(sk);
3711 l2cap_conn_unreliable(conn, ECOMM);
3712 goto drop;
3713 }
3714
3715 if (sk)
3716 bh_unlock_sock(sk);
3717
1da177e4 3718 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 3719 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
3720 if (!conn->rx_skb)
1da177e4
LT		 3721 goto drop;
3722
d626f62b 3723 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 3724 skb->len);
1da177e4
LT		 3725 conn->rx_len = len - skb->len;
3726 } else {
3727 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
3728
3729 if (!conn->rx_len) {
3730 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
3731 l2cap_conn_unreliable(conn, ECOMM);
3732 goto drop;
3733 }
3734
3735 if (skb->len > conn->rx_len) {
3736 BT_ERR("Fragment is too long (len %d, expected %d)",
3737 skb->len, conn->rx_len);
3738 kfree_skb(conn->rx_skb);
3739 conn->rx_skb = NULL;
3740 conn->rx_len = 0;
3741 l2cap_conn_unreliable(conn, ECOMM);
3742 goto drop;
3743 }
3744
d626f62b 3745 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 3746 skb->len);
1da177e4
LT		 3747 conn->rx_len -= skb->len;
3748
3749 if (!conn->rx_len) {
3750 /* Complete frame received */
3751 l2cap_recv_frame(conn, conn->rx_skb);
3752 conn->rx_skb = NULL;
3753 }
3754 }
3755
3756drop:
3757 kfree_skb(skb);
3758 return 0;
3759}
3760
aef7d97c 3761static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4
LT		 3762{
3763 struct sock *sk;
3764 struct hlist_node *node;
1da177e4
LT		 3765
3766 read_lock_bh(&l2cap_sk_list.lock);
3767
be9d1227
MH		 3768 sk_for_each(sk, node, &l2cap_sk_list.head) {
3769 struct l2cap_pinfo *pi = l2cap_pi(sk);
101545f6 3770
aef7d97c
MH		 3771 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d\n",
3772 batostr(&bt_sk(sk)->src),
3773 batostr(&bt_sk(sk)->dst),
3774 sk->sk_state, __le16_to_cpu(pi->psm),
3775 pi->scid, pi->dcid,
3776 pi->imtu, pi->omtu, pi->sec_level);
be9d1227 3777 }
1da177e4 3778
1da177e4 3779 read_unlock_bh(&l2cap_sk_list.lock);
1da177e4 3780
aef7d97c 3781 return 0;
1da177e4
LT		 3782}
3783
aef7d97c
MH		 3784static int l2cap_debugfs_open(struct inode *inode, struct file *file)
3785{
3786 return single_open(file, l2cap_debugfs_show, inode->i_private);
3787}
3788
3789static const struct file_operations l2cap_debugfs_fops = {
3790 .open = l2cap_debugfs_open,
3791 .read = seq_read,
3792 .llseek = seq_lseek,
3793 .release = single_release,
3794};
3795
3796static struct dentry *l2cap_debugfs;
1da177e4 3797
1da177e4
LT		 3798static struct hci_proto l2cap_hci_proto = {
3799 .name = "L2CAP",
3800 .id = HCI_PROTO_L2CAP,
3801 .connect_ind = l2cap_connect_ind,
3802 .connect_cfm = l2cap_connect_cfm,
3803 .disconn_ind = l2cap_disconn_ind,
2950f21a 3804 .disconn_cfm = l2cap_disconn_cfm,
8c1b2355 3805 .security_cfm = l2cap_security_cfm,
1da177e4
LT		 3806 .recv_acldata = l2cap_recv_acldata
3807};
3808
3809static int __init l2cap_init(void)
3810{
3811 int err;
be9d1227 3812
bb58f747 3813 err = l2cap_init_sockets();
1da177e4
LT		 3814 if (err < 0)
3815 return err;
3816
1890d36b 3817 _busy_wq = create_singlethread_workqueue("l2cap");
b78d7b4f 3818 if (!_busy_wq) {
bb58f747 3819 err = -ENOMEM;
1da177e4
LT		 3820 goto error;
3821 }
3822
3823 err = hci_register_proto(&l2cap_hci_proto);
3824 if (err < 0) {
3825 BT_ERR("L2CAP protocol registration failed");
3826 bt_sock_unregister(BTPROTO_L2CAP);
3827 goto error;
3828 }
3829
aef7d97c
MH		 3830 if (bt_debugfs) {
3831 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
3832 bt_debugfs, NULL, &l2cap_debugfs_fops);
3833 if (!l2cap_debugfs)
3834 BT_ERR("Failed to create L2CAP debug file");
3835 }
1da177e4
LT		 3836
3837 BT_INFO("L2CAP ver %s", VERSION);
3838 BT_INFO("L2CAP socket layer initialized");
3839
3840 return 0;
3841
3842error:
b78d7b4f 3843 destroy_workqueue(_busy_wq);
bb58f747 3844 l2cap_cleanup_sockets();
1da177e4
LT		 3845 return err;
3846}
3847
3848static void __exit l2cap_exit(void)
3849{
aef7d97c 3850 debugfs_remove(l2cap_debugfs);
1da177e4 3851
1890d36b
GP		 3852 flush_workqueue(_busy_wq);
3853 destroy_workqueue(_busy_wq);
3854
1da177e4
LT		 3855 if (hci_unregister_proto(&l2cap_hci_proto) < 0)
3856 BT_ERR("L2CAP protocol unregistration failed");
3857
bb58f747 3858 l2cap_cleanup_sockets();
1da177e4
LT		 3859}
3860
3861void l2cap_load(void)
3862{
3863 /* Dummy function to trigger automatic L2CAP module loading by
3864 * other modules that use L2CAP sockets but don't use any other
3865 * symbols from it. */
1da177e4
LT		 3866}
3867EXPORT_SYMBOL(l2cap_load);
3868
3869module_init(l2cap_init);
3870module_exit(l2cap_exit);
3871
d1c4a17d
GP		 3872module_param(disable_ertm, bool, 0644);
3873MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
44dd46de 3874
63fbd24e 3875MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
1da177e4
LT		 3876MODULE_DESCRIPTION("Bluetooth L2CAP ver " VERSION);
3877MODULE_VERSION(VERSION);
3878MODULE_LICENSE("GPL");
3879MODULE_ALIAS("bt-proto-0");
kernel source for telekom puls (alcatel/mediatek)