projects / deliverable / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Remove set of SrejSaveReqSeq under receipt of REJ frame
[deliverable/linux.git] / net / bluetooth / l2cap.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4
5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License version 2 as
9 published by the Free Software Foundation;
10
11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19
8e87d142
YH		 20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 22 SOFTWARE IS DISCLAIMED.
23*/
24
25/* Bluetooth L2CAP core and sockets. */
26
1da177e4
LT		 27#include <linux/module.h>
28
29#include <linux/types.h>
4fc268d2 30#include <linux/capability.h>
1da177e4
LT		 31#include <linux/errno.h>
32#include <linux/kernel.h>
1da177e4
LT		 33#include <linux/sched.h>
34#include <linux/slab.h>
35#include <linux/poll.h>
36#include <linux/fcntl.h>
37#include <linux/init.h>
38#include <linux/interrupt.h>
39#include <linux/socket.h>
40#include <linux/skbuff.h>
1da177e4 41#include <linux/list.h>
be9d1227 42#include <linux/device.h>
aef7d97c
MH		 43#include <linux/debugfs.h>
44#include <linux/seq_file.h>
af05b30b 45#include <linux/uaccess.h>
fcc203c3 46#include <linux/crc16.h>
1da177e4
LT		 47#include <net/sock.h>
48
49#include <asm/system.h>
1da177e4
LT		 50#include <asm/unaligned.h>
51
52#include <net/bluetooth/bluetooth.h>
53#include <net/bluetooth/hci_core.h>
54#include <net/bluetooth/l2cap.h>
55
44dd46de
MH		 56#define VERSION "2.14"
57
84fb0a63
GP		 58#ifdef CONFIG_BT_L2CAP_EXT_FEATURES
59static int enable_ertm = 1;
60#else
44dd46de 61static int enable_ertm = 0;
84fb0a63 62#endif
5fbcd3d1 63static int max_transmit = L2CAP_DEFAULT_MAX_TX;
369ba302 64static int tx_window = L2CAP_DEFAULT_TX_WINDOW;
f0709e03 65
47ec1dcd 66static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
e1027a7c 67static u8 l2cap_fixed_chan[8] = { 0x02, };
1da177e4 68
90ddc4f0 69static const struct proto_ops l2cap_sock_ops;
1da177e4
LT		 70
71static struct bt_sock_list l2cap_sk_list = {
d5fb2962 72 .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
1da177e4
LT		 73};
74
1da177e4
LT		 75static void __l2cap_sock_close(struct sock *sk, int reason);
76static void l2cap_sock_close(struct sock *sk);
77static void l2cap_sock_kill(struct sock *sk);
78
79static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
80 u8 code, u8 ident, u16 dlen, void *data);
81
82/* ---- L2CAP timers ---- */
83static void l2cap_sock_timeout(unsigned long arg)
84{
85 struct sock *sk = (struct sock *) arg;
b1235d79 86 int reason;
1da177e4
LT		 87
88 BT_DBG("sock %p state %d", sk, sk->sk_state);
89
90 bh_lock_sock(sk);
b1235d79 91
f62e4323
MH		 92 if (sk->sk_state == BT_CONNECTED || sk->sk_state == BT_CONFIG)
93 reason = ECONNREFUSED;
94 else if (sk->sk_state == BT_CONNECT &&
2af6b9d5 95 l2cap_pi(sk)->sec_level != BT_SECURITY_SDP)
b1235d79
MH		 96 reason = ECONNREFUSED;
97 else
98 reason = ETIMEDOUT;
99
100 __l2cap_sock_close(sk, reason);
101
1da177e4
LT		 102 bh_unlock_sock(sk);
103
104 l2cap_sock_kill(sk);
105 sock_put(sk);
106}
107
108static void l2cap_sock_set_timer(struct sock *sk, long timeout)
109{
110 BT_DBG("sk %p state %d timeout %ld", sk, sk->sk_state, timeout);
111 sk_reset_timer(sk, &sk->sk_timer, jiffies + timeout);
112}
113
114static void l2cap_sock_clear_timer(struct sock *sk)
115{
116 BT_DBG("sock %p state %d", sk, sk->sk_state);
117 sk_stop_timer(sk, &sk->sk_timer);
118}
119
0139418c
MH		 120/* ---- L2CAP channels ---- */
121static struct sock *__l2cap_get_chan_by_dcid(struct l2cap_chan_list *l, u16 cid)
122{
123 struct sock *s;
124 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
125 if (l2cap_pi(s)->dcid == cid)
126 break;
127 }
128 return s;
129}
130
131static struct sock *__l2cap_get_chan_by_scid(struct l2cap_chan_list *l, u16 cid)
132{
133 struct sock *s;
134 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
135 if (l2cap_pi(s)->scid == cid)
136 break;
137 }
138 return s;
139}
140
141/* Find channel with given SCID.
142 * Returns locked socket */
143static inline struct sock *l2cap_get_chan_by_scid(struct l2cap_chan_list *l, u16 cid)
144{
145 struct sock *s;
146 read_lock(&l->lock);
147 s = __l2cap_get_chan_by_scid(l, cid);
af05b30b
GP		 148 if (s)
149 bh_lock_sock(s);
0139418c
MH		 150 read_unlock(&l->lock);
151 return s;
152}
153
154static struct sock *__l2cap_get_chan_by_ident(struct l2cap_chan_list *l, u8 ident)
155{
156 struct sock *s;
157 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
158 if (l2cap_pi(s)->ident == ident)
159 break;
160 }
161 return s;
162}
163
164static inline struct sock *l2cap_get_chan_by_ident(struct l2cap_chan_list *l, u8 ident)
165{
166 struct sock *s;
167 read_lock(&l->lock);
168 s = __l2cap_get_chan_by_ident(l, ident);
af05b30b
GP		 169 if (s)
170 bh_lock_sock(s);
0139418c
MH		 171 read_unlock(&l->lock);
172 return s;
173}
174
175static u16 l2cap_alloc_cid(struct l2cap_chan_list *l)
176{
8db4dc46 177 u16 cid = L2CAP_CID_DYN_START;
0139418c 178
8db4dc46 179 for (; cid < L2CAP_CID_DYN_END; cid++) {
af05b30b 180 if (!__l2cap_get_chan_by_scid(l, cid))
0139418c
MH		 181 return cid;
182 }
183
184 return 0;
185}
186
187static inline void __l2cap_chan_link(struct l2cap_chan_list *l, struct sock *sk)
188{
189 sock_hold(sk);
190
191 if (l->head)
192 l2cap_pi(l->head)->prev_c = sk;
193
194 l2cap_pi(sk)->next_c = l->head;
195 l2cap_pi(sk)->prev_c = NULL;
196 l->head = sk;
197}
198
199static inline void l2cap_chan_unlink(struct l2cap_chan_list *l, struct sock *sk)
200{
201 struct sock *next = l2cap_pi(sk)->next_c, *prev = l2cap_pi(sk)->prev_c;
202
fd1278d7 203 write_lock_bh(&l->lock);
0139418c
MH		 204 if (sk == l->head)
205 l->head = next;
206
207 if (next)
208 l2cap_pi(next)->prev_c = prev;
209 if (prev)
210 l2cap_pi(prev)->next_c = next;
fd1278d7 211 write_unlock_bh(&l->lock);
0139418c
MH		 212
213 __sock_put(sk);
214}
215
216static void __l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent)
217{
218 struct l2cap_chan_list *l = &conn->chan_list;
219
af05b30b
GP		 220 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
221 l2cap_pi(sk)->psm, l2cap_pi(sk)->dcid);
0139418c 222
2950f21a
MH		 223 conn->disc_reason = 0x13;
224
0139418c
MH		 225 l2cap_pi(sk)->conn = conn;
226
bd3c9e25 227 if (sk->sk_type == SOCK_SEQPACKET || sk->sk_type == SOCK_STREAM) {
0139418c
MH		 228 /* Alloc CID for connection-oriented socket */
229 l2cap_pi(sk)->scid = l2cap_alloc_cid(l);
230 } else if (sk->sk_type == SOCK_DGRAM) {
231 /* Connectionless socket */
8db4dc46
GP		 232 l2cap_pi(sk)->scid = L2CAP_CID_CONN_LESS;
233 l2cap_pi(sk)->dcid = L2CAP_CID_CONN_LESS;
0139418c
MH		 234 l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU;
235 } else {
236 /* Raw socket can send/recv signalling messages only */
8db4dc46
GP		 237 l2cap_pi(sk)->scid = L2CAP_CID_SIGNALING;
238 l2cap_pi(sk)->dcid = L2CAP_CID_SIGNALING;
0139418c
MH		 239 l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU;
240 }
241
242 __l2cap_chan_link(l, sk);
243
244 if (parent)
245 bt_accept_enqueue(parent, sk);
246}
247
8e87d142 248/* Delete channel.
0139418c
MH		 249 * Must be called on the locked socket. */
250static void l2cap_chan_del(struct sock *sk, int err)
251{
252 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
253 struct sock *parent = bt_sk(sk)->parent;
254
255 l2cap_sock_clear_timer(sk);
256
257 BT_DBG("sk %p, conn %p, err %d", sk, conn, err);
258
8e87d142 259 if (conn) {
0139418c
MH		 260 /* Unlink from channel list */
261 l2cap_chan_unlink(&conn->chan_list, sk);
262 l2cap_pi(sk)->conn = NULL;
263 hci_conn_put(conn->hcon);
264 }
265
b1235d79 266 sk->sk_state = BT_CLOSED;
0139418c
MH		 267 sock_set_flag(sk, SOCK_ZAPPED);
268
269 if (err)
270 sk->sk_err = err;
271
272 if (parent) {
273 bt_accept_unlink(sk);
274 parent->sk_data_ready(parent, 0);
275 } else
276 sk->sk_state_change(sk);
277}
278
79d554a6 279/* Service level security */
2af6b9d5 280static inline int l2cap_check_security(struct sock *sk)
79d554a6
MH		 281{
282 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
0684e5f9
MH		 283 __u8 auth_type;
284
00ae4af9
MH		 285 if (l2cap_pi(sk)->psm == cpu_to_le16(0x0001)) {
286 if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
287 auth_type = HCI_AT_NO_BONDING_MITM;
288 else
af05b30b 289 auth_type = HCI_AT_NO_BONDING;
00ae4af9
MH		 290
291 if (l2cap_pi(sk)->sec_level == BT_SECURITY_LOW)
292 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
293 } else {
294 switch (l2cap_pi(sk)->sec_level) {
295 case BT_SECURITY_HIGH:
296 auth_type = HCI_AT_GENERAL_BONDING_MITM;
297 break;
298 case BT_SECURITY_MEDIUM:
299 auth_type = HCI_AT_GENERAL_BONDING;
300 break;
301 default:
302 auth_type = HCI_AT_NO_BONDING;
303 break;
304 }
0684e5f9 305 }
79d554a6 306
0684e5f9
MH		 307 return hci_conn_security(conn->hcon, l2cap_pi(sk)->sec_level,
308 auth_type);
79d554a6
MH		 309}
310
4e8402a3
MH		 311static inline u8 l2cap_get_ident(struct l2cap_conn *conn)
312{
313 u8 id;
314
315 /* Get next available identificator.
316 * 1 - 128 are used by kernel.
317 * 129 - 199 are reserved.
318 * 200 - 254 are used by utilities like l2ping, etc.
319 */
320
321 spin_lock_bh(&conn->lock);
322
323 if (++conn->tx_ident > 128)
324 conn->tx_ident = 1;
325
326 id = conn->tx_ident;
327
328 spin_unlock_bh(&conn->lock);
329
330 return id;
331}
332
333static inline int l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
334{
335 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
336
337 BT_DBG("code 0x%2.2x", code);
338
339 if (!skb)
340 return -ENOMEM;
341
342 return hci_send_acl(conn->hcon, skb, 0);
343}
344
1c2acffb
GP		 345static inline int l2cap_send_sframe(struct l2cap_pinfo *pi, u16 control)
346{
347 struct sk_buff *skb;
348 struct l2cap_hdr *lh;
349 struct l2cap_conn *conn = pi->conn;
fcc203c3
GP		 350 int count, hlen = L2CAP_HDR_SIZE + 2;
351
352 if (pi->fcs == L2CAP_FCS_CRC16)
353 hlen += 2;
1c2acffb
GP		 354
355 BT_DBG("pi %p, control 0x%2.2x", pi, control);
356
fcc203c3 357 count = min_t(unsigned int, conn->mtu, hlen);
1c2acffb
GP		 358 control |= L2CAP_CTRL_FRAME_TYPE;
359
9e917af1
GP		 360 if (pi->conn_state & L2CAP_CONN_SEND_FBIT) {
361 control |= L2CAP_CTRL_FINAL;
362 pi->conn_state &= ~L2CAP_CONN_SEND_FBIT;
363 }
364
f0946ccf
GP		 365 if (pi->conn_state & L2CAP_CONN_SEND_PBIT) {
366 control |= L2CAP_CTRL_POLL;
367 pi->conn_state &= ~L2CAP_CONN_SEND_PBIT;
368 }
369
1c2acffb
GP		 370 skb = bt_skb_alloc(count, GFP_ATOMIC);
371 if (!skb)
372 return -ENOMEM;
373
374 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fcc203c3 375 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
1c2acffb
GP		 376 lh->cid = cpu_to_le16(pi->dcid);
377 put_unaligned_le16(control, skb_put(skb, 2));
378
fcc203c3
GP		 379 if (pi->fcs == L2CAP_FCS_CRC16) {
380 u16 fcs = crc16(0, (u8 *)lh, count - 2);
381 put_unaligned_le16(fcs, skb_put(skb, 2));
382 }
383
1c2acffb
GP		 384 return hci_send_acl(pi->conn->hcon, skb, 0);
385}
386
7e743090
GP		 387static inline int l2cap_send_rr_or_rnr(struct l2cap_pinfo *pi, u16 control)
388{
389 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY)
390 control |= L2CAP_SUPER_RCV_NOT_READY;
391 else
392 control |= L2CAP_SUPER_RCV_READY;
393
2ab25cdd
GP		 394 control |= pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
395
7e743090
GP		 396 return l2cap_send_sframe(pi, control);
397}
398
79d554a6
MH		 399static void l2cap_do_start(struct sock *sk)
400{
401 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
402
403 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 404 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
405 return;
406
2af6b9d5 407 if (l2cap_check_security(sk)) {
b1235d79
MH		 408 struct l2cap_conn_req req;
409 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
410 req.psm = l2cap_pi(sk)->psm;
79d554a6 411
b1235d79 412 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
79d554a6 413
b1235d79 414 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
79d554a6 415 L2CAP_CONN_REQ, sizeof(req), &req);
b1235d79 416 }
79d554a6
MH		 417 } else {
418 struct l2cap_info_req req;
419 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
420
421 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
422 conn->info_ident = l2cap_get_ident(conn);
423
424 mod_timer(&conn->info_timer, jiffies +
425 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
426
427 l2cap_send_cmd(conn, conn->info_ident,
428 L2CAP_INFO_REQ, sizeof(req), &req);
429 }
430}
431
22121fc9
GP		 432static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct sock *sk)
433{
434 struct l2cap_disconn_req req;
435
436 req.dcid = cpu_to_le16(l2cap_pi(sk)->dcid);
437 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
438 l2cap_send_cmd(conn, l2cap_get_ident(conn),
439 L2CAP_DISCONN_REQ, sizeof(req), &req);
440}
441
1da177e4 442/* ---- L2CAP connections ---- */
4e8402a3
MH		 443static void l2cap_conn_start(struct l2cap_conn *conn)
444{
445 struct l2cap_chan_list *l = &conn->chan_list;
446 struct sock *sk;
447
448 BT_DBG("conn %p", conn);
449
450 read_lock(&l->lock);
451
452 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
453 bh_lock_sock(sk);
454
bd3c9e25
GP		 455 if (sk->sk_type != SOCK_SEQPACKET &&
456 sk->sk_type != SOCK_STREAM) {
79d554a6
MH		 457 bh_unlock_sock(sk);
458 continue;
459 }
460
461 if (sk->sk_state == BT_CONNECT) {
2af6b9d5 462 if (l2cap_check_security(sk)) {
b1235d79
MH		 463 struct l2cap_conn_req req;
464 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
465 req.psm = l2cap_pi(sk)->psm;
79d554a6 466
b1235d79 467 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
79d554a6 468
b1235d79 469 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
4e8402a3 470 L2CAP_CONN_REQ, sizeof(req), &req);
b1235d79 471 }
79d554a6
MH		 472 } else if (sk->sk_state == BT_CONNECT2) {
473 struct l2cap_conn_rsp rsp;
474 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
475 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
476
2af6b9d5 477 if (l2cap_check_security(sk)) {
f66dc81f
MH		 478 if (bt_sk(sk)->defer_setup) {
479 struct sock *parent = bt_sk(sk)->parent;
480 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
481 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
482 parent->sk_data_ready(parent, 0);
483
484 } else {
485 sk->sk_state = BT_CONFIG;
486 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
487 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
488 }
79d554a6
MH		 489 } else {
490 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
491 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
492 }
493
494 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
495 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
4e8402a3
MH		 496 }
497
498 bh_unlock_sock(sk);
499 }
500
501 read_unlock(&l->lock);
502}
503
504static void l2cap_conn_ready(struct l2cap_conn *conn)
505{
79d554a6
MH		 506 struct l2cap_chan_list *l = &conn->chan_list;
507 struct sock *sk;
4e8402a3 508
79d554a6 509 BT_DBG("conn %p", conn);
4e8402a3 510
79d554a6 511 read_lock(&l->lock);
4e8402a3 512
79d554a6
MH		 513 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
514 bh_lock_sock(sk);
4e8402a3 515
bd3c9e25
GP		 516 if (sk->sk_type != SOCK_SEQPACKET &&
517 sk->sk_type != SOCK_STREAM) {
79d554a6
MH		 518 l2cap_sock_clear_timer(sk);
519 sk->sk_state = BT_CONNECTED;
520 sk->sk_state_change(sk);
521 } else if (sk->sk_state == BT_CONNECT)
522 l2cap_do_start(sk);
4e8402a3 523
79d554a6 524 bh_unlock_sock(sk);
4e8402a3 525 }
79d554a6
MH		 526
527 read_unlock(&l->lock);
4e8402a3
MH		 528}
529
530/* Notify sockets that we cannot guaranty reliability anymore */
531static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
532{
533 struct l2cap_chan_list *l = &conn->chan_list;
534 struct sock *sk;
535
536 BT_DBG("conn %p", conn);
537
538 read_lock(&l->lock);
539
540 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
2af6b9d5 541 if (l2cap_pi(sk)->force_reliable)
4e8402a3
MH		 542 sk->sk_err = err;
543 }
544
545 read_unlock(&l->lock);
546}
547
548static void l2cap_info_timeout(unsigned long arg)
549{
550 struct l2cap_conn *conn = (void *) arg;
551
984947dc 552 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 553 conn->info_ident = 0;
984947dc 554
4e8402a3
MH		 555 l2cap_conn_start(conn);
556}
557
1da177e4
LT		 558static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
559{
0139418c 560 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4 561
0139418c 562 if (conn || status)
1da177e4
LT		 563 return conn;
564
0139418c
MH		 565 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
566 if (!conn)
1da177e4 567 return NULL;
1da177e4
LT		 568
569 hcon->l2cap_data = conn;
570 conn->hcon = hcon;
571
0139418c
MH		 572 BT_DBG("hcon %p conn %p", hcon, conn);
573
1da177e4
LT		 574 conn->mtu = hcon->hdev->acl_mtu;
575 conn->src = &hcon->hdev->bdaddr;
576 conn->dst = &hcon->dst;
577
4e8402a3
MH		 578 conn->feat_mask = 0;
579
1da177e4
LT		 580 spin_lock_init(&conn->lock);
581 rwlock_init(&conn->chan_list.lock);
582
45054dc1
DY		 583 setup_timer(&conn->info_timer, l2cap_info_timeout,
584 (unsigned long) conn);
585
2950f21a
MH		 586 conn->disc_reason = 0x13;
587
1da177e4
LT		 588 return conn;
589}
590
0139418c 591static void l2cap_conn_del(struct hci_conn *hcon, int err)
1da177e4 592{
0139418c 593 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4
LT		 594 struct sock *sk;
595
0139418c
MH		 596 if (!conn)
597 return;
1da177e4
LT		 598
599 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
600
7585b97a 601 kfree_skb(conn->rx_skb);
1da177e4
LT		 602
603 /* Kill channels */
604 while ((sk = conn->chan_list.head)) {
605 bh_lock_sock(sk);
606 l2cap_chan_del(sk, err);
607 bh_unlock_sock(sk);
608 l2cap_sock_kill(sk);
609 }
610
8e8440f5
DY		 611 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
612 del_timer_sync(&conn->info_timer);
3ab22731 613
1da177e4
LT		 614 hcon->l2cap_data = NULL;
615 kfree(conn);
1da177e4
LT		 616}
617
618static inline void l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent)
619{
620 struct l2cap_chan_list *l = &conn->chan_list;
fd1278d7 621 write_lock_bh(&l->lock);
1da177e4 622 __l2cap_chan_add(conn, sk, parent);
fd1278d7 623 write_unlock_bh(&l->lock);
1da177e4
LT		 624}
625
1da177e4 626/* ---- Socket interface ---- */
8e036fc3 627static struct sock *__l2cap_get_sock_by_addr(__le16 psm, bdaddr_t *src)
1da177e4
LT		 628{
629 struct sock *sk;
630 struct hlist_node *node;
631 sk_for_each(sk, node, &l2cap_sk_list.head)
632 if (l2cap_pi(sk)->sport == psm && !bacmp(&bt_sk(sk)->src, src))
633 goto found;
634 sk = NULL;
635found:
636 return sk;
637}
638
639/* Find socket with psm and source bdaddr.
640 * Returns closest match.
641 */
8e036fc3 642static struct sock *__l2cap_get_sock_by_psm(int state, __le16 psm, bdaddr_t *src)
1da177e4
LT		 643{
644 struct sock *sk = NULL, *sk1 = NULL;
645 struct hlist_node *node;
646
647 sk_for_each(sk, node, &l2cap_sk_list.head) {
648 if (state && sk->sk_state != state)
649 continue;
650
651 if (l2cap_pi(sk)->psm == psm) {
652 /* Exact match. */
653 if (!bacmp(&bt_sk(sk)->src, src))
654 break;
655
656 /* Closest match */
657 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
658 sk1 = sk;
659 }
660 }
661 return node ? sk : sk1;
662}
663
664/* Find socket with given address (psm, src).
665 * Returns locked socket */
8e036fc3 666static inline struct sock *l2cap_get_sock_by_psm(int state, __le16 psm, bdaddr_t *src)
1da177e4
LT		 667{
668 struct sock *s;
669 read_lock(&l2cap_sk_list.lock);
670 s = __l2cap_get_sock_by_psm(state, psm, src);
af05b30b
GP		 671 if (s)
672 bh_lock_sock(s);
1da177e4
LT		 673 read_unlock(&l2cap_sk_list.lock);
674 return s;
675}
676
677static void l2cap_sock_destruct(struct sock *sk)
678{
679 BT_DBG("sk %p", sk);
680
681 skb_queue_purge(&sk->sk_receive_queue);
682 skb_queue_purge(&sk->sk_write_queue);
683}
684
685static void l2cap_sock_cleanup_listen(struct sock *parent)
686{
687 struct sock *sk;
688
689 BT_DBG("parent %p", parent);
690
691 /* Close not yet accepted channels */
692 while ((sk = bt_accept_dequeue(parent, NULL)))
693 l2cap_sock_close(sk);
694
b1235d79 695 parent->sk_state = BT_CLOSED;
1da177e4
LT		 696 sock_set_flag(parent, SOCK_ZAPPED);
697}
698
699/* Kill socket (only if zapped and orphan)
700 * Must be called on unlocked socket.
701 */
702static void l2cap_sock_kill(struct sock *sk)
703{
704 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
705 return;
706
707 BT_DBG("sk %p state %d", sk, sk->sk_state);
708
709 /* Kill poor orphan */
710 bt_sock_unlink(&l2cap_sk_list, sk);
711 sock_set_flag(sk, SOCK_DEAD);
712 sock_put(sk);
713}
714
715static void __l2cap_sock_close(struct sock *sk, int reason)
716{
717 BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
718
719 switch (sk->sk_state) {
720 case BT_LISTEN:
721 l2cap_sock_cleanup_listen(sk);
722 break;
723
724 case BT_CONNECTED:
725 case BT_CONFIG:
bd3c9e25
GP		 726 if (sk->sk_type == SOCK_SEQPACKET ||
727 sk->sk_type == SOCK_STREAM) {
1da177e4 728 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1da177e4
LT		 729
730 sk->sk_state = BT_DISCONN;
731 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
22121fc9 732 l2cap_send_disconn_req(conn, sk);
b1235d79 733 } else
1da177e4 734 l2cap_chan_del(sk, reason);
1da177e4
LT		 735 break;
736
f66dc81f 737 case BT_CONNECT2:
bd3c9e25
GP		 738 if (sk->sk_type == SOCK_SEQPACKET ||
739 sk->sk_type == SOCK_STREAM) {
f66dc81f
MH		 740 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
741 struct l2cap_conn_rsp rsp;
742 __u16 result;
743
744 if (bt_sk(sk)->defer_setup)
745 result = L2CAP_CR_SEC_BLOCK;
746 else
747 result = L2CAP_CR_BAD_PSM;
748
749 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
750 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
751 rsp.result = cpu_to_le16(result);
752 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
753 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
754 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
755 } else
756 l2cap_chan_del(sk, reason);
757 break;
758
1da177e4
LT		 759 case BT_CONNECT:
760 case BT_DISCONN:
761 l2cap_chan_del(sk, reason);
762 break;
763
764 default:
765 sock_set_flag(sk, SOCK_ZAPPED);
766 break;
767 }
768}
769
770/* Must be called on unlocked socket. */
771static void l2cap_sock_close(struct sock *sk)
772{
773 l2cap_sock_clear_timer(sk);
774 lock_sock(sk);
775 __l2cap_sock_close(sk, ECONNRESET);
776 release_sock(sk);
777 l2cap_sock_kill(sk);
778}
779
780static void l2cap_sock_init(struct sock *sk, struct sock *parent)
781{
782 struct l2cap_pinfo *pi = l2cap_pi(sk);
783
784 BT_DBG("sk %p", sk);
785
786 if (parent) {
787 sk->sk_type = parent->sk_type;
f66dc81f
MH		 788 bt_sk(sk)->defer_setup = bt_sk(parent)->defer_setup;
789
1da177e4
LT		 790 pi->imtu = l2cap_pi(parent)->imtu;
791 pi->omtu = l2cap_pi(parent)->omtu;
c6b03cf9
MH		 792 pi->mode = l2cap_pi(parent)->mode;
793 pi->fcs = l2cap_pi(parent)->fcs;
68d7f0ce 794 pi->max_tx = l2cap_pi(parent)->max_tx;
14b5aa71 795 pi->tx_win = l2cap_pi(parent)->tx_win;
2af6b9d5
MH		 796 pi->sec_level = l2cap_pi(parent)->sec_level;
797 pi->role_switch = l2cap_pi(parent)->role_switch;
798 pi->force_reliable = l2cap_pi(parent)->force_reliable;
1da177e4
LT		 799 } else {
800 pi->imtu = L2CAP_DEFAULT_MTU;
801 pi->omtu = 0;
bd3c9e25
GP		 802 if (enable_ertm && sk->sk_type == SOCK_STREAM)
803 pi->mode = L2CAP_MODE_ERTM;
804 else
805 pi->mode = L2CAP_MODE_BASIC;
68d7f0ce 806 pi->max_tx = max_transmit;
c6b03cf9 807 pi->fcs = L2CAP_FCS_CRC16;
369ba302 808 pi->tx_win = tx_window;
2af6b9d5
MH		 809 pi->sec_level = BT_SECURITY_LOW;
810 pi->role_switch = 0;
811 pi->force_reliable = 0;
1da177e4
LT		 812 }
813
814 /* Default config options */
5dee9e7c 815 pi->conf_len = 0;
1da177e4 816 pi->flush_to = L2CAP_DEFAULT_FLUSH_TO;
45054dc1
DY		 817 skb_queue_head_init(TX_QUEUE(sk));
818 skb_queue_head_init(SREJ_QUEUE(sk));
819 INIT_LIST_HEAD(SREJ_LIST(sk));
1da177e4
LT		 820}
821
822static struct proto l2cap_proto = {
823 .name = "L2CAP",
824 .owner = THIS_MODULE,
825 .obj_size = sizeof(struct l2cap_pinfo)
826};
827
1b8d7ae4 828static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio)
1da177e4
LT		 829{
830 struct sock *sk;
831
6257ff21 832 sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto);
1da177e4
LT		 833 if (!sk)
834 return NULL;
835
836 sock_init_data(sock, sk);
837 INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
838
839 sk->sk_destruct = l2cap_sock_destruct;
4e8402a3 840 sk->sk_sndtimeo = msecs_to_jiffies(L2CAP_CONN_TIMEOUT);
1da177e4
LT		 841
842 sock_reset_flag(sk, SOCK_ZAPPED);
843
844 sk->sk_protocol = proto;
b1235d79 845 sk->sk_state = BT_OPEN;
1da177e4 846
b1235d79 847 setup_timer(&sk->sk_timer, l2cap_sock_timeout, (unsigned long) sk);
1da177e4
LT		 848
849 bt_sock_link(&l2cap_sk_list, sk);
850 return sk;
851}
852
3f378b68
EP		 853static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
854 int kern)
1da177e4
LT		 855{
856 struct sock *sk;
857
858 BT_DBG("sock %p", sock);
859
860 sock->state = SS_UNCONNECTED;
861
bd3c9e25 862 if (sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM &&
1da177e4
LT		 863 sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
864 return -ESOCKTNOSUPPORT;
865
c84b3268 866 if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
1da177e4
LT		 867 return -EPERM;
868
869 sock->ops = &l2cap_sock_ops;
870
1b8d7ae4 871 sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC);
1da177e4
LT		 872 if (!sk)
873 return -ENOMEM;
874
875 l2cap_sock_init(sk, NULL);
876 return 0;
877}
878
f29972de 879static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
1da177e4 880{
1da177e4 881 struct sock *sk = sock->sk;
f29972de
MH		 882 struct sockaddr_l2 la;
883 int len, err = 0;
1da177e4 884
f29972de 885 BT_DBG("sk %p", sk);
1da177e4
LT		 886
887 if (!addr || addr->sa_family != AF_BLUETOOTH)
888 return -EINVAL;
889
f29972de
MH		 890 memset(&la, 0, sizeof(la));
891 len = min_t(unsigned int, sizeof(la), alen);
892 memcpy(&la, addr, len);
893
2a517ca6
MH		 894 if (la.l2_cid)
895 return -EINVAL;
896
1da177e4
LT		 897 lock_sock(sk);
898
899 if (sk->sk_state != BT_OPEN) {
900 err = -EBADFD;
901 goto done;
902 }
903
b4324b5d 904 if (la.l2_psm && __le16_to_cpu(la.l2_psm) < 0x1001 &&
847641d7
MH		 905 !capable(CAP_NET_BIND_SERVICE)) {
906 err = -EACCES;
907 goto done;
908 }
8e87d142 909
1da177e4
LT		 910 write_lock_bh(&l2cap_sk_list.lock);
911
f29972de 912 if (la.l2_psm && __l2cap_get_sock_by_addr(la.l2_psm, &la.l2_bdaddr)) {
1da177e4
LT		 913 err = -EADDRINUSE;
914 } else {
915 /* Save source address */
f29972de
MH		 916 bacpy(&bt_sk(sk)->src, &la.l2_bdaddr);
917 l2cap_pi(sk)->psm = la.l2_psm;
918 l2cap_pi(sk)->sport = la.l2_psm;
1da177e4 919 sk->sk_state = BT_BOUND;
2af6b9d5 920
b4324b5d
MH		 921 if (__le16_to_cpu(la.l2_psm) == 0x0001 ||
922 __le16_to_cpu(la.l2_psm) == 0x0003)
2af6b9d5 923 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
1da177e4
LT		 924 }
925
926 write_unlock_bh(&l2cap_sk_list.lock);
927
928done:
929 release_sock(sk);
930 return err;
931}
932
933static int l2cap_do_connect(struct sock *sk)
934{
935 bdaddr_t *src = &bt_sk(sk)->src;
936 bdaddr_t *dst = &bt_sk(sk)->dst;
937 struct l2cap_conn *conn;
938 struct hci_conn *hcon;
939 struct hci_dev *hdev;
09ab6f4c 940 __u8 auth_type;
44d0e48e 941 int err;
1da177e4 942
f29972de
MH		 943 BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
944 l2cap_pi(sk)->psm);
1da177e4 945
af05b30b
GP		 946 hdev = hci_get_route(dst, src);
947 if (!hdev)
1da177e4
LT		 948 return -EHOSTUNREACH;
949
950 hci_dev_lock_bh(hdev);
951
952 err = -ENOMEM;
953
8c1b2355 954 if (sk->sk_type == SOCK_RAW) {
2af6b9d5
MH		 955 switch (l2cap_pi(sk)->sec_level) {
956 case BT_SECURITY_HIGH:
8c1b2355 957 auth_type = HCI_AT_DEDICATED_BONDING_MITM;
2af6b9d5
MH		 958 break;
959 case BT_SECURITY_MEDIUM:
8c1b2355 960 auth_type = HCI_AT_DEDICATED_BONDING;
2af6b9d5
MH		 961 break;
962 default:
09ab6f4c 963 auth_type = HCI_AT_NO_BONDING;
2af6b9d5
MH		 964 break;
965 }
8c1b2355 966 } else if (l2cap_pi(sk)->psm == cpu_to_le16(0x0001)) {
2af6b9d5 967 if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
8c1b2355 968 auth_type = HCI_AT_NO_BONDING_MITM;
09ab6f4c 969 else
8c1b2355 970 auth_type = HCI_AT_NO_BONDING;
435fef20
MH		 971
972 if (l2cap_pi(sk)->sec_level == BT_SECURITY_LOW)
973 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
8c1b2355 974 } else {
2af6b9d5
MH		 975 switch (l2cap_pi(sk)->sec_level) {
976 case BT_SECURITY_HIGH:
8c1b2355 977 auth_type = HCI_AT_GENERAL_BONDING_MITM;
2af6b9d5
MH		 978 break;
979 case BT_SECURITY_MEDIUM:
09ab6f4c 980 auth_type = HCI_AT_GENERAL_BONDING;
2af6b9d5
MH		 981 break;
982 default:
8c1b2355 983 auth_type = HCI_AT_NO_BONDING;
2af6b9d5
MH		 984 break;
985 }
09ab6f4c
MH		 986 }
987
2af6b9d5
MH		 988 hcon = hci_connect(hdev, ACL_LINK, dst,
989 l2cap_pi(sk)->sec_level, auth_type);
1da177e4
LT		 990 if (!hcon)
991 goto done;
992
993 conn = l2cap_conn_add(hcon, 0);
994 if (!conn) {
995 hci_conn_put(hcon);
996 goto done;
997 }
998
999 err = 0;
1000
1001 /* Update source addr of the socket */
1002 bacpy(src, conn->src);
1003
1004 l2cap_chan_add(conn, sk, NULL);
1005
1006 sk->sk_state = BT_CONNECT;
1007 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
1008
1009 if (hcon->state == BT_CONNECTED) {
bd3c9e25
GP		 1010 if (sk->sk_type != SOCK_SEQPACKET &&
1011 sk->sk_type != SOCK_STREAM) {
1da177e4
LT		 1012 l2cap_sock_clear_timer(sk);
1013 sk->sk_state = BT_CONNECTED;
79d554a6
MH		 1014 } else
1015 l2cap_do_start(sk);
1da177e4
LT		 1016 }
1017
1018done:
1019 hci_dev_unlock_bh(hdev);
1020 hci_dev_put(hdev);
1021 return err;
1022}
1023
1024static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags)
1025{
1da177e4 1026 struct sock *sk = sock->sk;
f29972de
MH		 1027 struct sockaddr_l2 la;
1028 int len, err = 0;
1da177e4 1029
1da177e4
LT		 1030 BT_DBG("sk %p", sk);
1031
6503d961
CG		 1032 if (!addr || alen < sizeof(addr->sa_family) ||
1033 addr->sa_family != AF_BLUETOOTH)
2a517ca6 1034 return -EINVAL;
1da177e4 1035
f29972de
MH		 1036 memset(&la, 0, sizeof(la));
1037 len = min_t(unsigned int, sizeof(la), alen);
1038 memcpy(&la, addr, len);
1039
2a517ca6
MH		 1040 if (la.l2_cid)
1041 return -EINVAL;
1042
1043 lock_sock(sk);
1044
bd3c9e25
GP		 1045 if ((sk->sk_type == SOCK_SEQPACKET || sk->sk_type == SOCK_STREAM)
1046 && !la.l2_psm) {
1da177e4
LT		 1047 err = -EINVAL;
1048 goto done;
1049 }
1050
c6b03cf9
MH		 1051 switch (l2cap_pi(sk)->mode) {
1052 case L2CAP_MODE_BASIC:
1053 break;
1054 case L2CAP_MODE_ERTM:
f2fcfcd6 1055 case L2CAP_MODE_STREAMING:
c6b03cf9
MH		 1056 if (enable_ertm)
1057 break;
1058 /* fall through */
1059 default:
1060 err = -ENOTSUPP;
1061 goto done;
1062 }
1063
af05b30b 1064 switch (sk->sk_state) {
1da177e4
LT		 1065 case BT_CONNECT:
1066 case BT_CONNECT2:
1067 case BT_CONFIG:
1068 /* Already connecting */
1069 goto wait;
1070
1071 case BT_CONNECTED:
1072 /* Already connected */
1073 goto done;
1074
1075 case BT_OPEN:
1076 case BT_BOUND:
1077 /* Can connect */
1078 break;
1079
1080 default:
1081 err = -EBADFD;
1082 goto done;
1083 }
1084
1085 /* Set destination address and psm */
f29972de
MH		 1086 bacpy(&bt_sk(sk)->dst, &la.l2_bdaddr);
1087 l2cap_pi(sk)->psm = la.l2_psm;
1da177e4 1088
af05b30b
GP		 1089 err = l2cap_do_connect(sk);
1090 if (err)
1da177e4
LT		 1091 goto done;
1092
1093wait:
1094 err = bt_sock_wait_state(sk, BT_CONNECTED,
1095 sock_sndtimeo(sk, flags & O_NONBLOCK));
1096done:
1097 release_sock(sk);
1098 return err;
1099}
1100
1101static int l2cap_sock_listen(struct socket *sock, int backlog)
1102{
1103 struct sock *sk = sock->sk;
1104 int err = 0;
1105
1106 BT_DBG("sk %p backlog %d", sk, backlog);
1107
1108 lock_sock(sk);
1109
bd3c9e25
GP		 1110 if ((sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM)
1111 || sk->sk_state != BT_BOUND) {
1da177e4
LT		 1112 err = -EBADFD;
1113 goto done;
1114 }
1115
c6b03cf9
MH		 1116 switch (l2cap_pi(sk)->mode) {
1117 case L2CAP_MODE_BASIC:
1118 break;
1119 case L2CAP_MODE_ERTM:
f2fcfcd6 1120 case L2CAP_MODE_STREAMING:
c6b03cf9
MH		 1121 if (enable_ertm)
1122 break;
1123 /* fall through */
1124 default:
1125 err = -ENOTSUPP;
1126 goto done;
1127 }
1128
1da177e4
LT		 1129 if (!l2cap_pi(sk)->psm) {
1130 bdaddr_t *src = &bt_sk(sk)->src;
1131 u16 psm;
1132
1133 err = -EINVAL;
1134
1135 write_lock_bh(&l2cap_sk_list.lock);
1136
1137 for (psm = 0x1001; psm < 0x1100; psm += 2)
b4324b5d
MH		 1138 if (!__l2cap_get_sock_by_addr(cpu_to_le16(psm), src)) {
1139 l2cap_pi(sk)->psm = cpu_to_le16(psm);
1140 l2cap_pi(sk)->sport = cpu_to_le16(psm);
1da177e4
LT		 1141 err = 0;
1142 break;
1143 }
1144
1145 write_unlock_bh(&l2cap_sk_list.lock);
1146
1147 if (err < 0)
1148 goto done;
1149 }
1150
1151 sk->sk_max_ack_backlog = backlog;
1152 sk->sk_ack_backlog = 0;
1153 sk->sk_state = BT_LISTEN;
1154
1155done:
1156 release_sock(sk);
1157 return err;
1158}
1159
1160static int l2cap_sock_accept(struct socket *sock, struct socket *newsock, int flags)
1161{
1162 DECLARE_WAITQUEUE(wait, current);
1163 struct sock *sk = sock->sk, *nsk;
1164 long timeo;
1165 int err = 0;
1166
fcc70d5f 1167 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
1da177e4
LT		 1168
1169 if (sk->sk_state != BT_LISTEN) {
1170 err = -EBADFD;
1171 goto done;
1172 }
1173
1174 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
1175
1176 BT_DBG("sk %p timeo %ld", sk, timeo);
1177
1178 /* Wait for an incoming connection. (wake-one). */
aa395145 1179 add_wait_queue_exclusive(sk_sleep(sk), &wait);
1da177e4
LT		 1180 while (!(nsk = bt_accept_dequeue(sk, newsock))) {
1181 set_current_state(TASK_INTERRUPTIBLE);
1182 if (!timeo) {
1183 err = -EAGAIN;
1184 break;
1185 }
1186
1187 release_sock(sk);
1188 timeo = schedule_timeout(timeo);
fcc70d5f 1189 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
1da177e4
LT		 1190
1191 if (sk->sk_state != BT_LISTEN) {
1192 err = -EBADFD;
1193 break;
1194 }
1195
1196 if (signal_pending(current)) {
1197 err = sock_intr_errno(timeo);
1198 break;
1199 }
1200 }
1201 set_current_state(TASK_RUNNING);
aa395145 1202 remove_wait_queue(sk_sleep(sk), &wait);
1da177e4
LT		 1203
1204 if (err)
1205 goto done;
1206
1207 newsock->state = SS_CONNECTED;
1208
1209 BT_DBG("new socket %p", nsk);
1210
1211done:
1212 release_sock(sk);
1213 return err;
1214}
1215
1216static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr, int *len, int peer)
1217{
1218 struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
1219 struct sock *sk = sock->sk;
1220
1221 BT_DBG("sock %p, sk %p", sock, sk);
1222
1223 addr->sa_family = AF_BLUETOOTH;
1224 *len = sizeof(struct sockaddr_l2);
1225
f29972de
MH		 1226 if (peer) {
1227 la->l2_psm = l2cap_pi(sk)->psm;
1da177e4 1228 bacpy(&la->l2_bdaddr, &bt_sk(sk)->dst);
b4324b5d 1229 la->l2_cid = cpu_to_le16(l2cap_pi(sk)->dcid);
f29972de
MH		 1230 } else {
1231 la->l2_psm = l2cap_pi(sk)->sport;
1da177e4 1232 bacpy(&la->l2_bdaddr, &bt_sk(sk)->src);
b4324b5d 1233 la->l2_cid = cpu_to_le16(l2cap_pi(sk)->scid);
f29972de 1234 }
1da177e4 1235
1da177e4
LT		 1236 return 0;
1237}
1238
e90bac06
GP		 1239static void l2cap_monitor_timeout(unsigned long arg)
1240{
1241 struct sock *sk = (void *) arg;
1242 u16 control;
1243
e686219a 1244 bh_lock_sock(sk);
e90bac06
GP		 1245 if (l2cap_pi(sk)->retry_count >= l2cap_pi(sk)->remote_max_tx) {
1246 l2cap_send_disconn_req(l2cap_pi(sk)->conn, sk);
b13f5860 1247 bh_unlock_sock(sk);
e90bac06
GP		 1248 return;
1249 }
1250
1251 l2cap_pi(sk)->retry_count++;
1252 __mod_monitor_timer();
1253
1254 control = L2CAP_CTRL_POLL;
7e743090 1255 l2cap_send_rr_or_rnr(l2cap_pi(sk), control);
e686219a 1256 bh_unlock_sock(sk);
e90bac06
GP		 1257}
1258
1259static void l2cap_retrans_timeout(unsigned long arg)
1260{
1261 struct sock *sk = (void *) arg;
1262 u16 control;
1263
e686219a 1264 bh_lock_sock(sk);
e90bac06
GP		 1265 l2cap_pi(sk)->retry_count = 1;
1266 __mod_monitor_timer();
1267
1268 l2cap_pi(sk)->conn_state |= L2CAP_CONN_WAIT_F;
1269
1270 control = L2CAP_CTRL_POLL;
7e743090 1271 l2cap_send_rr_or_rnr(l2cap_pi(sk), control);
e686219a 1272 bh_unlock_sock(sk);
e90bac06
GP		 1273}
1274
1c2acffb 1275static void l2cap_drop_acked_frames(struct sock *sk)
1da177e4 1276{
1c2acffb 1277 struct sk_buff *skb;
1da177e4 1278
812e737e
GP		 1279 while ((skb = skb_peek(TX_QUEUE(sk))) &&
1280 l2cap_pi(sk)->unacked_frames) {
1c2acffb
GP		 1281 if (bt_cb(skb)->tx_seq == l2cap_pi(sk)->expected_ack_seq)
1282 break;
1da177e4 1283
1c2acffb
GP		 1284 skb = skb_dequeue(TX_QUEUE(sk));
1285 kfree_skb(skb);
1da177e4 1286
1c2acffb
GP		 1287 l2cap_pi(sk)->unacked_frames--;
1288 }
1da177e4 1289
e90bac06
GP		 1290 if (!l2cap_pi(sk)->unacked_frames)
1291 del_timer(&l2cap_pi(sk)->retrans_timer);
1292
1c2acffb
GP		 1293 return;
1294}
1da177e4 1295
1c2acffb
GP		 1296static inline int l2cap_do_send(struct sock *sk, struct sk_buff *skb)
1297{
1298 struct l2cap_pinfo *pi = l2cap_pi(sk);
1299 int err;
1300
1301 BT_DBG("sk %p, skb %p len %d", sk, skb, skb->len);
1da177e4 1302
1c2acffb
GP		 1303 err = hci_send_acl(pi->conn->hcon, skb, 0);
1304 if (err < 0)
1305 kfree_skb(skb);
1306
1307 return err;
1308}
1309
6840ed07
GP		 1310static int l2cap_streaming_send(struct sock *sk)
1311{
1312 struct sk_buff *skb, *tx_skb;
1313 struct l2cap_pinfo *pi = l2cap_pi(sk);
fcc203c3 1314 u16 control, fcs;
6840ed07
GP		 1315 int err;
1316
1317 while ((skb = sk->sk_send_head)) {
1318 tx_skb = skb_clone(skb, GFP_ATOMIC);
1319
1320 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
1321 control |= pi->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT;
1322 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1323
e8235c6b 1324 if (pi->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 1325 fcs = crc16(0, (u8 *)tx_skb->data, tx_skb->len - 2);
1326 put_unaligned_le16(fcs, tx_skb->data + tx_skb->len - 2);
1327 }
1328
6840ed07
GP		 1329 err = l2cap_do_send(sk, tx_skb);
1330 if (err < 0) {
1331 l2cap_send_disconn_req(pi->conn, sk);
1332 return err;
1333 }
1334
1335 pi->next_tx_seq = (pi->next_tx_seq + 1) % 64;
1336
1337 if (skb_queue_is_last(TX_QUEUE(sk), skb))
1338 sk->sk_send_head = NULL;
1339 else
1340 sk->sk_send_head = skb_queue_next(TX_QUEUE(sk), skb);
1341
1342 skb = skb_dequeue(TX_QUEUE(sk));
1343 kfree_skb(skb);
1344 }
1345 return 0;
1346}
1347
8f17154f
GP		 1348static int l2cap_retransmit_frame(struct sock *sk, u8 tx_seq)
1349{
1350 struct l2cap_pinfo *pi = l2cap_pi(sk);
1351 struct sk_buff *skb, *tx_skb;
1352 u16 control, fcs;
1353 int err;
1354
1355 skb = skb_peek(TX_QUEUE(sk));
1356 do {
1357 if (bt_cb(skb)->tx_seq != tx_seq) {
1358 if (skb_queue_is_last(TX_QUEUE(sk), skb))
1359 break;
1360 skb = skb_queue_next(TX_QUEUE(sk), skb);
1361 continue;
1362 }
1363
1364 if (pi->remote_max_tx &&
1365 bt_cb(skb)->retries == pi->remote_max_tx) {
1366 l2cap_send_disconn_req(pi->conn, sk);
1367 break;
1368 }
1369
1370 tx_skb = skb_clone(skb, GFP_ATOMIC);
1371 bt_cb(skb)->retries++;
1372 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
9f121a5a 1373 control |= (pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
8f17154f
GP		 1374 | (tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
1375 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1376
e8235c6b 1377 if (pi->fcs == L2CAP_FCS_CRC16) {
8f17154f
GP		 1378 fcs = crc16(0, (u8 *)tx_skb->data, tx_skb->len - 2);
1379 put_unaligned_le16(fcs, tx_skb->data + tx_skb->len - 2);
1380 }
1381
1382 err = l2cap_do_send(sk, tx_skb);
1383 if (err < 0) {
1384 l2cap_send_disconn_req(pi->conn, sk);
1385 return err;
1386 }
1387 break;
1388 } while(1);
1389 return 0;
1390}
1391
1c2acffb
GP		 1392static int l2cap_ertm_send(struct sock *sk)
1393{
1394 struct sk_buff *skb, *tx_skb;
1395 struct l2cap_pinfo *pi = l2cap_pi(sk);
fcc203c3 1396 u16 control, fcs;
9e917af1 1397 int err, nsent = 0;
1c2acffb 1398
e90bac06
GP		 1399 if (pi->conn_state & L2CAP_CONN_WAIT_F)
1400 return 0;
1401
f64f9e71 1402 while ((skb = sk->sk_send_head) && (!l2cap_tx_window_full(sk)) &&
59203a21 1403 !(pi->conn_state & L2CAP_CONN_REMOTE_BUSY)) {
1c2acffb 1404
e90bac06
GP		 1405 if (pi->remote_max_tx &&
1406 bt_cb(skb)->retries == pi->remote_max_tx) {
1407 l2cap_send_disconn_req(pi->conn, sk);
1408 break;
1409 }
1410
e420aba3
AE		 1411 tx_skb = skb_clone(skb, GFP_ATOMIC);
1412
e90bac06
GP		 1413 bt_cb(skb)->retries++;
1414
1c2acffb 1415 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
d5392c8f
GP		 1416 if (pi->conn_state & L2CAP_CONN_SEND_FBIT) {
1417 control |= L2CAP_CTRL_FINAL;
1418 pi->conn_state &= ~L2CAP_CONN_SEND_FBIT;
1419 }
9f121a5a 1420 control |= (pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1c2acffb
GP		 1421 | (pi->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
1422 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1423
e90bac06 1424
e8235c6b 1425 if (pi->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 1426 fcs = crc16(0, (u8 *)skb->data, tx_skb->len - 2);
1427 put_unaligned_le16(fcs, skb->data + tx_skb->len - 2);
1428 }
1429
1c2acffb
GP		 1430 err = l2cap_do_send(sk, tx_skb);
1431 if (err < 0) {
1432 l2cap_send_disconn_req(pi->conn, sk);
1433 return err;
1434 }
e90bac06 1435 __mod_retrans_timer();
1c2acffb
GP		 1436
1437 bt_cb(skb)->tx_seq = pi->next_tx_seq;
1438 pi->next_tx_seq = (pi->next_tx_seq + 1) % 64;
1439
1440 pi->unacked_frames++;
d5392c8f 1441 pi->frames_sent++;
1c2acffb
GP		 1442
1443 if (skb_queue_is_last(TX_QUEUE(sk), skb))
1444 sk->sk_send_head = NULL;
1445 else
1446 sk->sk_send_head = skb_queue_next(TX_QUEUE(sk), skb);
9e917af1
GP		 1447
1448 nsent++;
1c2acffb
GP		 1449 }
1450
9e917af1
GP		 1451 return nsent;
1452}
1453
1454static int l2cap_send_ack(struct l2cap_pinfo *pi)
1455{
1456 struct sock *sk = (struct sock *)pi;
1457 u16 control = 0;
1458
1459 control |= pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1460
1461 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) {
1462 control |= L2CAP_SUPER_RCV_NOT_READY;
1463 return l2cap_send_sframe(pi, control);
1464 } else if (l2cap_ertm_send(sk) == 0) {
1465 control |= L2CAP_SUPER_RCV_READY;
1466 return l2cap_send_sframe(pi, control);
1467 }
1c2acffb
GP		 1468 return 0;
1469}
1470
99b0d4b7
GP		 1471static int l2cap_send_srejtail(struct sock *sk)
1472{
1473 struct srej_list *tail;
1474 u16 control;
1475
1476 control = L2CAP_SUPER_SELECT_REJECT;
1477 control |= L2CAP_CTRL_FINAL;
1478
1479 tail = list_entry(SREJ_LIST(sk)->prev, struct srej_list, list);
1480 control |= tail->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1481
1482 l2cap_send_sframe(l2cap_pi(sk), control);
1483
1484 return 0;
1485}
1486
1c2acffb
GP		 1487static inline int l2cap_skbuff_fromiovec(struct sock *sk, struct msghdr *msg, int len, int count, struct sk_buff *skb)
1488{
1489 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1490 struct sk_buff **frag;
1491 int err, sent = 0;
1da177e4 1492
59203a21 1493 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1494 return -EFAULT;
1da177e4
LT		 1495
1496 sent += count;
1497 len -= count;
1498
1499 /* Continuation fragments (no L2CAP header) */
1500 frag = &skb_shinfo(skb)->frag_list;
1501 while (len) {
1502 count = min_t(unsigned int, conn->mtu, len);
1503
1504 *frag = bt_skb_send_alloc(sk, count, msg->msg_flags & MSG_DONTWAIT, &err);
1505 if (!*frag)
1c2acffb
GP		 1506 return -EFAULT;
1507 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1508 return -EFAULT;
1da177e4
LT		 1509
1510 sent += count;
1511 len -= count;
1512
1513 frag = &(*frag)->next;
1514 }
1da177e4
LT		 1515
1516 return sent;
1c2acffb 1517}
1da177e4 1518
1c2acffb
GP		 1519static struct sk_buff *l2cap_create_connless_pdu(struct sock *sk, struct msghdr *msg, size_t len)
1520{
1521 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1522 struct sk_buff *skb;
1523 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1524 struct l2cap_hdr *lh;
1525
1526 BT_DBG("sk %p len %d", sk, (int)len);
1527
1528 count = min_t(unsigned int, (conn->mtu - hlen), len);
1529 skb = bt_skb_send_alloc(sk, count + hlen,
1530 msg->msg_flags & MSG_DONTWAIT, &err);
1531 if (!skb)
1532 return ERR_PTR(-ENOMEM);
1533
1534 /* Create L2CAP header */
1535 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1536 lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1537 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1538 put_unaligned_le16(l2cap_pi(sk)->psm, skb_put(skb, 2));
1539
1540 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1541 if (unlikely(err < 0)) {
1542 kfree_skb(skb);
1543 return ERR_PTR(err);
1544 }
1545 return skb;
1546}
1547
1548static struct sk_buff *l2cap_create_basic_pdu(struct sock *sk, struct msghdr *msg, size_t len)
1549{
1550 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1551 struct sk_buff *skb;
1552 int err, count, hlen = L2CAP_HDR_SIZE;
1553 struct l2cap_hdr *lh;
1554
1555 BT_DBG("sk %p len %d", sk, (int)len);
1556
1557 count = min_t(unsigned int, (conn->mtu - hlen), len);
1558 skb = bt_skb_send_alloc(sk, count + hlen,
1559 msg->msg_flags & MSG_DONTWAIT, &err);
1560 if (!skb)
1561 return ERR_PTR(-ENOMEM);
1562
1563 /* Create L2CAP header */
1564 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1565 lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1566 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1567
1568 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1569 if (unlikely(err < 0)) {
1570 kfree_skb(skb);
1571 return ERR_PTR(err);
1572 }
1573 return skb;
1574}
1575
6840ed07 1576static struct sk_buff *l2cap_create_iframe_pdu(struct sock *sk, struct msghdr *msg, size_t len, u16 control, u16 sdulen)
1c2acffb
GP		 1577{
1578 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1579 struct sk_buff *skb;
1580 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1581 struct l2cap_hdr *lh;
1582
1583 BT_DBG("sk %p len %d", sk, (int)len);
1584
0ee0d208
GP		 1585 if (!conn)
1586 return ERR_PTR(-ENOTCONN);
1587
c74e560c
GP		 1588 if (sdulen)
1589 hlen += 2;
1590
fcc203c3
GP		 1591 if (l2cap_pi(sk)->fcs == L2CAP_FCS_CRC16)
1592 hlen += 2;
1593
1c2acffb
GP		 1594 count = min_t(unsigned int, (conn->mtu - hlen), len);
1595 skb = bt_skb_send_alloc(sk, count + hlen,
1596 msg->msg_flags & MSG_DONTWAIT, &err);
1597 if (!skb)
1598 return ERR_PTR(-ENOMEM);
1599
1600 /* Create L2CAP header */
1601 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1602 lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1603 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1604 put_unaligned_le16(control, skb_put(skb, 2));
c74e560c
GP		 1605 if (sdulen)
1606 put_unaligned_le16(sdulen, skb_put(skb, 2));
1c2acffb
GP		 1607
1608 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1609 if (unlikely(err < 0)) {
1610 kfree_skb(skb);
1611 return ERR_PTR(err);
1612 }
e90bac06 1613
fcc203c3
GP		 1614 if (l2cap_pi(sk)->fcs == L2CAP_FCS_CRC16)
1615 put_unaligned_le16(0, skb_put(skb, 2));
1616
e90bac06 1617 bt_cb(skb)->retries = 0;
1c2acffb 1618 return skb;
1da177e4
LT		 1619}
1620
c74e560c
GP		 1621static inline int l2cap_sar_segment_sdu(struct sock *sk, struct msghdr *msg, size_t len)
1622{
1623 struct l2cap_pinfo *pi = l2cap_pi(sk);
1624 struct sk_buff *skb;
1625 struct sk_buff_head sar_queue;
1626 u16 control;
1627 size_t size = 0;
1628
1629 __skb_queue_head_init(&sar_queue);
1630 control = L2CAP_SDU_START;
1c762159 1631 skb = l2cap_create_iframe_pdu(sk, msg, pi->remote_mps, control, len);
c74e560c
GP		 1632 if (IS_ERR(skb))
1633 return PTR_ERR(skb);
1634
1635 __skb_queue_tail(&sar_queue, skb);
1c762159
GP		 1636 len -= pi->remote_mps;
1637 size += pi->remote_mps;
c74e560c
GP		 1638
1639 while (len > 0) {
1640 size_t buflen;
1641
1c762159 1642 if (len > pi->remote_mps) {
44651b85 1643 control = L2CAP_SDU_CONTINUE;
1c762159 1644 buflen = pi->remote_mps;
c74e560c 1645 } else {
44651b85 1646 control = L2CAP_SDU_END;
c74e560c
GP		 1647 buflen = len;
1648 }
1649
6840ed07 1650 skb = l2cap_create_iframe_pdu(sk, msg, buflen, control, 0);
c74e560c
GP		 1651 if (IS_ERR(skb)) {
1652 skb_queue_purge(&sar_queue);
1653 return PTR_ERR(skb);
1654 }
1655
1656 __skb_queue_tail(&sar_queue, skb);
1657 len -= buflen;
1658 size += buflen;
c74e560c
GP		 1659 }
1660 skb_queue_splice_tail(&sar_queue, TX_QUEUE(sk));
1661 if (sk->sk_send_head == NULL)
1662 sk->sk_send_head = sar_queue.next;
1663
1664 return size;
1665}
1666
1da177e4
LT		 1667static int l2cap_sock_sendmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len)
1668{
1669 struct sock *sk = sock->sk;
1c2acffb
GP		 1670 struct l2cap_pinfo *pi = l2cap_pi(sk);
1671 struct sk_buff *skb;
1672 u16 control;
1673 int err;
1da177e4
LT		 1674
1675 BT_DBG("sock %p, sk %p", sock, sk);
1676
c1cbe4b7
BL		 1677 err = sock_error(sk);
1678 if (err)
1679 return err;
1da177e4
LT		 1680
1681 if (msg->msg_flags & MSG_OOB)
1682 return -EOPNOTSUPP;
1683
1da177e4
LT		 1684 lock_sock(sk);
1685
1c2acffb 1686 if (sk->sk_state != BT_CONNECTED) {
1da177e4 1687 err = -ENOTCONN;
1c2acffb
GP		 1688 goto done;
1689 }
1da177e4 1690
1c2acffb
GP		 1691 /* Connectionless channel */
1692 if (sk->sk_type == SOCK_DGRAM) {
1693 skb = l2cap_create_connless_pdu(sk, msg, len);
477fffb0
DC		 1694 if (IS_ERR(skb))
1695 err = PTR_ERR(skb);
1696 else
1697 err = l2cap_do_send(sk, skb);
1c2acffb
GP		 1698 goto done;
1699 }
1700
1701 switch (pi->mode) {
1702 case L2CAP_MODE_BASIC:
c69163e9
GP		 1703 /* Check outgoing MTU */
1704 if (len > pi->omtu) {
1705 err = -EINVAL;
1706 goto done;
1707 }
1708
1c2acffb
GP		 1709 /* Create a basic PDU */
1710 skb = l2cap_create_basic_pdu(sk, msg, len);
1711 if (IS_ERR(skb)) {
1712 err = PTR_ERR(skb);
1713 goto done;
1714 }
1715
1716 err = l2cap_do_send(sk, skb);
1717 if (!err)
1718 err = len;
1719 break;
1720
1721 case L2CAP_MODE_ERTM:
6840ed07 1722 case L2CAP_MODE_STREAMING:
1c2acffb 1723 /* Entire SDU fits into one PDU */
1c762159 1724 if (len <= pi->remote_mps) {
1c2acffb 1725 control = L2CAP_SDU_UNSEGMENTED;
6840ed07 1726 skb = l2cap_create_iframe_pdu(sk, msg, len, control, 0);
1c2acffb
GP		 1727 if (IS_ERR(skb)) {
1728 err = PTR_ERR(skb);
1729 goto done;
1730 }
c74e560c
GP		 1731 __skb_queue_tail(TX_QUEUE(sk), skb);
1732 if (sk->sk_send_head == NULL)
1733 sk->sk_send_head = skb;
1c2acffb 1734 } else {
c74e560c
GP		 1735 /* Segment SDU into multiples PDUs */
1736 err = l2cap_sar_segment_sdu(sk, msg, len);
1737 if (err < 0)
1738 goto done;
1c2acffb 1739 }
1c2acffb 1740
6840ed07
GP		 1741 if (pi->mode == L2CAP_MODE_STREAMING)
1742 err = l2cap_streaming_send(sk);
1743 else
1744 err = l2cap_ertm_send(sk);
1745
9e917af1 1746 if (err >= 0)
1c2acffb
GP		 1747 err = len;
1748 break;
1749
1750 default:
1751 BT_DBG("bad state %1.1x", pi->mode);
1752 err = -EINVAL;
1753 }
1754
1755done:
1da177e4
LT		 1756 release_sock(sk);
1757 return err;
1758}
1759
f66dc81f
MH		 1760static int l2cap_sock_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len, int flags)
1761{
1762 struct sock *sk = sock->sk;
1763
1764 lock_sock(sk);
1765
1766 if (sk->sk_state == BT_CONNECT2 && bt_sk(sk)->defer_setup) {
1767 struct l2cap_conn_rsp rsp;
1768
1769 sk->sk_state = BT_CONFIG;
1770
1771 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
1772 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
1773 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1774 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1775 l2cap_send_cmd(l2cap_pi(sk)->conn, l2cap_pi(sk)->ident,
1776 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
1777
1778 release_sock(sk);
1779 return 0;
1780 }
1781
1782 release_sock(sk);
1783
1784 return bt_sock_recvmsg(iocb, sock, msg, len, flags);
1785}
1786
b7058842 1787static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __user *optval, unsigned int optlen)
1da177e4
LT		 1788{
1789 struct sock *sk = sock->sk;
1790 struct l2cap_options opts;
f29972de 1791 int len, err = 0;
1da177e4
LT		 1792 u32 opt;
1793
1794 BT_DBG("sk %p", sk);
1795
1796 lock_sock(sk);
1797
1798 switch (optname) {
1799 case L2CAP_OPTIONS:
0878b666
MH		 1800 opts.imtu = l2cap_pi(sk)->imtu;
1801 opts.omtu = l2cap_pi(sk)->omtu;
1802 opts.flush_to = l2cap_pi(sk)->flush_to;
c6b03cf9 1803 opts.mode = l2cap_pi(sk)->mode;
fcc203c3 1804 opts.fcs = l2cap_pi(sk)->fcs;
68d7f0ce 1805 opts.max_tx = l2cap_pi(sk)->max_tx;
14b5aa71 1806 opts.txwin_size = (__u16)l2cap_pi(sk)->tx_win;
0878b666 1807
1da177e4
LT		 1808 len = min_t(unsigned int, sizeof(opts), optlen);
1809 if (copy_from_user((char *) &opts, optval, len)) {
1810 err = -EFAULT;
1811 break;
1812 }
0878b666 1813
0041ecfa
JPRV		 1814 l2cap_pi(sk)->mode = opts.mode;
1815 switch (l2cap_pi(sk)->mode) {
1816 case L2CAP_MODE_BASIC:
1817 break;
1818 case L2CAP_MODE_ERTM:
1819 case L2CAP_MODE_STREAMING:
1820 if (enable_ertm)
1821 break;
1822 /* fall through */
1823 default:
1824 err = -EINVAL;
1825 break;
1826 }
1827
c6b03cf9
MH		 1828 l2cap_pi(sk)->imtu = opts.imtu;
1829 l2cap_pi(sk)->omtu = opts.omtu;
fcc203c3 1830 l2cap_pi(sk)->fcs = opts.fcs;
68d7f0ce 1831 l2cap_pi(sk)->max_tx = opts.max_tx;
14b5aa71 1832 l2cap_pi(sk)->tx_win = (__u8)opts.txwin_size;
1da177e4
LT		 1833 break;
1834
1835 case L2CAP_LM:
1836 if (get_user(opt, (u32 __user *) optval)) {
1837 err = -EFAULT;
1838 break;
1839 }
1840
2af6b9d5
MH		 1841 if (opt & L2CAP_LM_AUTH)
1842 l2cap_pi(sk)->sec_level = BT_SECURITY_LOW;
1843 if (opt & L2CAP_LM_ENCRYPT)
1844 l2cap_pi(sk)->sec_level = BT_SECURITY_MEDIUM;
1845 if (opt & L2CAP_LM_SECURE)
1846 l2cap_pi(sk)->sec_level = BT_SECURITY_HIGH;
1847
1848 l2cap_pi(sk)->role_switch = (opt & L2CAP_LM_MASTER);
1849 l2cap_pi(sk)->force_reliable = (opt & L2CAP_LM_RELIABLE);
1da177e4
LT		 1850 break;
1851
1852 default:
1853 err = -ENOPROTOOPT;
1854 break;
1855 }
1856
1857 release_sock(sk);
1858 return err;
1859}
1860
b7058842 1861static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, char __user *optval, unsigned int optlen)
d58daf42
MH		 1862{
1863 struct sock *sk = sock->sk;
2af6b9d5
MH		 1864 struct bt_security sec;
1865 int len, err = 0;
f66dc81f 1866 u32 opt;
d58daf42
MH		 1867
1868 BT_DBG("sk %p", sk);
1869
1870 if (level == SOL_L2CAP)
1871 return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
1872
0588d94f
MH		 1873 if (level != SOL_BLUETOOTH)
1874 return -ENOPROTOOPT;
1875
d58daf42
MH		 1876 lock_sock(sk);
1877
1878 switch (optname) {
2af6b9d5 1879 case BT_SECURITY:
bd3c9e25
GP		 1880 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
1881 && sk->sk_type != SOCK_RAW) {
0588d94f
MH		 1882 err = -EINVAL;
1883 break;
1884 }
1885
2af6b9d5
MH		 1886 sec.level = BT_SECURITY_LOW;
1887
1888 len = min_t(unsigned int, sizeof(sec), optlen);
1889 if (copy_from_user((char *) &sec, optval, len)) {
1890 err = -EFAULT;
1891 break;
1892 }
1893
1894 if (sec.level < BT_SECURITY_LOW ||
1895 sec.level > BT_SECURITY_HIGH) {
1896 err = -EINVAL;
1897 break;
1898 }
1899
1900 l2cap_pi(sk)->sec_level = sec.level;
1901 break;
1902
f66dc81f
MH		 1903 case BT_DEFER_SETUP:
1904 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
1905 err = -EINVAL;
1906 break;
1907 }
1908
1909 if (get_user(opt, (u32 __user *) optval)) {
1910 err = -EFAULT;
1911 break;
1912 }
1913
1914 bt_sk(sk)->defer_setup = opt;
1915 break;
1916
d58daf42
MH		 1917 default:
1918 err = -ENOPROTOOPT;
1919 break;
1920 }
1921
1922 release_sock(sk);
1923 return err;
1924}
1925
1926static int l2cap_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen)
1da177e4
LT		 1927{
1928 struct sock *sk = sock->sk;
1929 struct l2cap_options opts;
1930 struct l2cap_conninfo cinfo;
1931 int len, err = 0;
2af6b9d5 1932 u32 opt;
1da177e4
LT		 1933
1934 BT_DBG("sk %p", sk);
1935
1936 if (get_user(len, optlen))
1937 return -EFAULT;
1938
1939 lock_sock(sk);
1940
1941 switch (optname) {
1942 case L2CAP_OPTIONS:
1943 opts.imtu = l2cap_pi(sk)->imtu;
1944 opts.omtu = l2cap_pi(sk)->omtu;
1945 opts.flush_to = l2cap_pi(sk)->flush_to;
c6b03cf9 1946 opts.mode = l2cap_pi(sk)->mode;
fcc203c3 1947 opts.fcs = l2cap_pi(sk)->fcs;
68d7f0ce 1948 opts.max_tx = l2cap_pi(sk)->max_tx;
14b5aa71 1949 opts.txwin_size = (__u16)l2cap_pi(sk)->tx_win;
1da177e4
LT		 1950
1951 len = min_t(unsigned int, len, sizeof(opts));
1952 if (copy_to_user(optval, (char *) &opts, len))
1953 err = -EFAULT;
1954
1955 break;
1956
1957 case L2CAP_LM:
2af6b9d5
MH		 1958 switch (l2cap_pi(sk)->sec_level) {
1959 case BT_SECURITY_LOW:
1960 opt = L2CAP_LM_AUTH;
1961 break;
1962 case BT_SECURITY_MEDIUM:
1963 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
1964 break;
1965 case BT_SECURITY_HIGH:
1966 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
1967 L2CAP_LM_SECURE;
1968 break;
1969 default:
1970 opt = 0;
1971 break;
1972 }
1973
1974 if (l2cap_pi(sk)->role_switch)
1975 opt |= L2CAP_LM_MASTER;
1976
1977 if (l2cap_pi(sk)->force_reliable)
1978 opt |= L2CAP_LM_RELIABLE;
1979
1980 if (put_user(opt, (u32 __user *) optval))
1da177e4
LT		 1981 err = -EFAULT;
1982 break;
1983
1984 case L2CAP_CONNINFO:
f66dc81f
MH		 1985 if (sk->sk_state != BT_CONNECTED &&
1986 !(sk->sk_state == BT_CONNECT2 &&
1987 bt_sk(sk)->defer_setup)) {
1da177e4
LT		 1988 err = -ENOTCONN;
1989 break;
1990 }
1991
1992 cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle;
1993 memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3);
1994
1995 len = min_t(unsigned int, len, sizeof(cinfo));
1996 if (copy_to_user(optval, (char *) &cinfo, len))
1997 err = -EFAULT;
1998
1999 break;
2000
2001 default:
2002 err = -ENOPROTOOPT;
2003 break;
2004 }
2005
2006 release_sock(sk);
2007 return err;
2008}
2009
d58daf42
MH		 2010static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen)
2011{
2012 struct sock *sk = sock->sk;
2af6b9d5 2013 struct bt_security sec;
d58daf42
MH		 2014 int len, err = 0;
2015
2016 BT_DBG("sk %p", sk);
2017
2018 if (level == SOL_L2CAP)
2019 return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
2020
0588d94f
MH		 2021 if (level != SOL_BLUETOOTH)
2022 return -ENOPROTOOPT;
2023
d58daf42
MH		 2024 if (get_user(len, optlen))
2025 return -EFAULT;
2026
2027 lock_sock(sk);
2028
2029 switch (optname) {
2af6b9d5 2030 case BT_SECURITY:
bd3c9e25
GP		 2031 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
2032 && sk->sk_type != SOCK_RAW) {
0588d94f
MH		 2033 err = -EINVAL;
2034 break;
2035 }
2036
2af6b9d5
MH		 2037 sec.level = l2cap_pi(sk)->sec_level;
2038
2039 len = min_t(unsigned int, len, sizeof(sec));
2040 if (copy_to_user(optval, (char *) &sec, len))
2041 err = -EFAULT;
2042
2043 break;
2044
f66dc81f
MH		 2045 case BT_DEFER_SETUP:
2046 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
2047 err = -EINVAL;
2048 break;
2049 }
2050
2051 if (put_user(bt_sk(sk)->defer_setup, (u32 __user *) optval))
2052 err = -EFAULT;
2053
2054 break;
2055
d58daf42
MH		 2056 default:
2057 err = -ENOPROTOOPT;
2058 break;
2059 }
2060
2061 release_sock(sk);
2062 return err;
2063}
2064
1da177e4
LT		 2065static int l2cap_sock_shutdown(struct socket *sock, int how)
2066{
2067 struct sock *sk = sock->sk;
2068 int err = 0;
2069
2070 BT_DBG("sock %p, sk %p", sock, sk);
2071
2072 if (!sk)
2073 return 0;
2074
2075 lock_sock(sk);
2076 if (!sk->sk_shutdown) {
2077 sk->sk_shutdown = SHUTDOWN_MASK;
2078 l2cap_sock_clear_timer(sk);
2079 __l2cap_sock_close(sk, 0);
2080
2081 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime)
b1235d79
MH		 2082 err = bt_sock_wait_state(sk, BT_CLOSED,
2083 sk->sk_lingertime);
1da177e4
LT		 2084 }
2085 release_sock(sk);
2086 return err;
2087}
2088
2089static int l2cap_sock_release(struct socket *sock)
2090{
2091 struct sock *sk = sock->sk;
2092 int err;
2093
2094 BT_DBG("sock %p, sk %p", sock, sk);
2095
2096 if (!sk)
2097 return 0;
2098
2099 err = l2cap_sock_shutdown(sock, 2);
2100
2101 sock_orphan(sk);
2102 l2cap_sock_kill(sk);
2103 return err;
2104}
2105
1da177e4
LT		 2106static void l2cap_chan_ready(struct sock *sk)
2107{
2108 struct sock *parent = bt_sk(sk)->parent;
2109
2110 BT_DBG("sk %p, parent %p", sk, parent);
2111
2112 l2cap_pi(sk)->conf_state = 0;
2113 l2cap_sock_clear_timer(sk);
2114
2115 if (!parent) {
2116 /* Outgoing channel.
2117 * Wake up socket sleeping on connect.
2118 */
2119 sk->sk_state = BT_CONNECTED;
2120 sk->sk_state_change(sk);
2121 } else {
2122 /* Incoming channel.
2123 * Wake up socket sleeping on accept.
2124 */
2125 parent->sk_data_ready(parent, 0);
2126 }
2127}
2128
2129/* Copy frame to all raw sockets on that connection */
2130static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2131{
2132 struct l2cap_chan_list *l = &conn->chan_list;
2133 struct sk_buff *nskb;
af05b30b 2134 struct sock *sk;
1da177e4
LT		 2135
2136 BT_DBG("conn %p", conn);
2137
2138 read_lock(&l->lock);
2139 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
2140 if (sk->sk_type != SOCK_RAW)
2141 continue;
2142
2143 /* Don't send frame to the socket it came from */
2144 if (skb->sk == sk)
2145 continue;
af05b30b
GP		 2146 nskb = skb_clone(skb, GFP_ATOMIC);
2147 if (!nskb)
1da177e4
LT		 2148 continue;
2149
2150 if (sock_queue_rcv_skb(sk, nskb))
2151 kfree_skb(nskb);
2152 }
2153 read_unlock(&l->lock);
2154}
2155
2156/* ---- L2CAP signalling commands ---- */
2157static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2158 u8 code, u8 ident, u16 dlen, void *data)
2159{
2160 struct sk_buff *skb, **frag;
2161 struct l2cap_cmd_hdr *cmd;
2162 struct l2cap_hdr *lh;
2163 int len, count;
2164
af05b30b
GP		 2165 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
2166 conn, code, ident, dlen);
1da177e4
LT		 2167
2168 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2169 count = min_t(unsigned int, conn->mtu, len);
2170
2171 skb = bt_skb_alloc(count, GFP_ATOMIC);
2172 if (!skb)
2173 return NULL;
2174
2175 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2176 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
8db4dc46 2177 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2178
2179 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2180 cmd->code = code;
2181 cmd->ident = ident;
aca3192c 2182 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2183
2184 if (dlen) {
2185 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2186 memcpy(skb_put(skb, count), data, count);
2187 data += count;
2188 }
2189
2190 len -= skb->len;
2191
2192 /* Continuation fragments (no L2CAP header) */
2193 frag = &skb_shinfo(skb)->frag_list;
2194 while (len) {
2195 count = min_t(unsigned int, conn->mtu, len);
2196
2197 *frag = bt_skb_alloc(count, GFP_ATOMIC);
2198 if (!*frag)
2199 goto fail;
2200
2201 memcpy(skb_put(*frag, count), data, count);
2202
2203 len -= count;
2204 data += count;
2205
2206 frag = &(*frag)->next;
2207 }
2208
2209 return skb;
2210
2211fail:
2212 kfree_skb(skb);
2213 return NULL;
2214}
2215
2216static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
2217{
2218 struct l2cap_conf_opt *opt = *ptr;
2219 int len;
2220
2221 len = L2CAP_CONF_OPT_SIZE + opt->len;
2222 *ptr += len;
2223
2224 *type = opt->type;
2225 *olen = opt->len;
2226
2227 switch (opt->len) {
2228 case 1:
2229 *val = *((u8 *) opt->val);
2230 break;
2231
2232 case 2:
861d6882 2233 *val = __le16_to_cpu(*((__le16 *) opt->val));
1da177e4
LT		 2234 break;
2235
2236 case 4:
861d6882 2237 *val = __le32_to_cpu(*((__le32 *) opt->val));
1da177e4
LT		 2238 break;
2239
2240 default:
2241 *val = (unsigned long) opt->val;
2242 break;
2243 }
2244
2245 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
2246 return len;
2247}
2248
1da177e4
LT		 2249static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2250{
2251 struct l2cap_conf_opt *opt = *ptr;
2252
2253 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
2254
2255 opt->type = type;
2256 opt->len = len;
2257
2258 switch (len) {
2259 case 1:
2260 *((u8 *) opt->val) = val;
2261 break;
2262
2263 case 2:
8e036fc3 2264 *((__le16 *) opt->val) = cpu_to_le16(val);
1da177e4
LT		 2265 break;
2266
2267 case 4:
8e036fc3 2268 *((__le32 *) opt->val) = cpu_to_le32(val);
1da177e4
LT		 2269 break;
2270
2271 default:
2272 memcpy(opt->val, (void *) val, len);
2273 break;
2274 }
2275
2276 *ptr += L2CAP_CONF_OPT_SIZE + len;
2277}
2278
c1b4f43b
GP		 2279static void l2cap_ack_timeout(unsigned long arg)
2280{
2281 struct sock *sk = (void *) arg;
2282
2283 bh_lock_sock(sk);
2284 l2cap_send_ack(l2cap_pi(sk));
2285 bh_unlock_sock(sk);
2286}
2287
0565c1c2
GP		 2288static inline void l2cap_ertm_init(struct sock *sk)
2289{
2290 l2cap_pi(sk)->expected_ack_seq = 0;
2291 l2cap_pi(sk)->unacked_frames = 0;
2292 l2cap_pi(sk)->buffer_seq = 0;
803020c6 2293 l2cap_pi(sk)->num_acked = 0;
d5392c8f 2294 l2cap_pi(sk)->frames_sent = 0;
0565c1c2
GP		 2295
2296 setup_timer(&l2cap_pi(sk)->retrans_timer,
2297 l2cap_retrans_timeout, (unsigned long) sk);
2298 setup_timer(&l2cap_pi(sk)->monitor_timer,
2299 l2cap_monitor_timeout, (unsigned long) sk);
c1b4f43b
GP		 2300 setup_timer(&l2cap_pi(sk)->ack_timer,
2301 l2cap_ack_timeout, (unsigned long) sk);
0565c1c2
GP		 2302
2303 __skb_queue_head_init(SREJ_QUEUE(sk));
2304}
2305
f2fcfcd6
GP		 2306static int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
2307{
2308 u32 local_feat_mask = l2cap_feat_mask;
2309 if (enable_ertm)
6840ed07 2310 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
f2fcfcd6
GP		 2311
2312 switch (mode) {
2313 case L2CAP_MODE_ERTM:
2314 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
2315 case L2CAP_MODE_STREAMING:
2316 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
2317 default:
2318 return 0x00;
2319 }
2320}
2321
2322static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2323{
2324 switch (mode) {
2325 case L2CAP_MODE_STREAMING:
2326 case L2CAP_MODE_ERTM:
2327 if (l2cap_mode_supported(mode, remote_feat_mask))
2328 return mode;
2329 /* fall through */
2330 default:
2331 return L2CAP_MODE_BASIC;
2332 }
2333}
2334
1da177e4
LT		 2335static int l2cap_build_conf_req(struct sock *sk, void *data)
2336{
2337 struct l2cap_pinfo *pi = l2cap_pi(sk);
2338 struct l2cap_conf_req *req = data;
bd3c9e25 2339 struct l2cap_conf_rfc rfc = { .mode = pi->mode };
1da177e4
LT		 2340 void *ptr = req->data;
2341
2342 BT_DBG("sk %p", sk);
2343
f2fcfcd6
GP		 2344 if (pi->num_conf_req || pi->num_conf_rsp)
2345 goto done;
2346
2347 switch (pi->mode) {
2348 case L2CAP_MODE_STREAMING:
2349 case L2CAP_MODE_ERTM:
2350 pi->conf_state |= L2CAP_CONF_STATE2_DEVICE;
22121fc9
GP		 2351 if (!l2cap_mode_supported(pi->mode, pi->conn->feat_mask))
2352 l2cap_send_disconn_req(pi->conn, sk);
f2fcfcd6
GP		 2353 break;
2354 default:
2355 pi->mode = l2cap_select_mode(rfc.mode, pi->conn->feat_mask);
2356 break;
2357 }
2358
2359done:
65c7c491
MH		 2360 switch (pi->mode) {
2361 case L2CAP_MODE_BASIC:
2362 if (pi->imtu != L2CAP_DEFAULT_MTU)
2363 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->imtu);
2364 break;
2365
2366 case L2CAP_MODE_ERTM:
2367 rfc.mode = L2CAP_MODE_ERTM;
14b5aa71 2368 rfc.txwin_size = pi->tx_win;
68d7f0ce 2369 rfc.max_transmit = pi->max_tx;
f2fcfcd6
GP		 2370 rfc.retrans_timeout = 0;
2371 rfc.monitor_timeout = 0;
c74e560c 2372 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
d1daa091 2373 if (L2CAP_DEFAULT_MAX_PDU_SIZE > pi->conn->mtu - 10)
1c762159 2374 rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10);
f2fcfcd6
GP		 2375
2376 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2377 sizeof(rfc), (unsigned long) &rfc);
fcc203c3
GP		 2378
2379 if (!(pi->conn->feat_mask & L2CAP_FEAT_FCS))
2380 break;
2381
2382 if (pi->fcs == L2CAP_FCS_NONE ||
2383 pi->conf_state & L2CAP_CONF_NO_FCS_RECV) {
2384 pi->fcs = L2CAP_FCS_NONE;
2385 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, pi->fcs);
2386 }
f2fcfcd6
GP		 2387 break;
2388
2389 case L2CAP_MODE_STREAMING:
2390 rfc.mode = L2CAP_MODE_STREAMING;
2391 rfc.txwin_size = 0;
2392 rfc.max_transmit = 0;
2393 rfc.retrans_timeout = 0;
2394 rfc.monitor_timeout = 0;
c74e560c 2395 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
d1daa091 2396 if (L2CAP_DEFAULT_MAX_PDU_SIZE > pi->conn->mtu - 10)
1c762159 2397 rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10);
65c7c491
MH		 2398
2399 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2400 sizeof(rfc), (unsigned long) &rfc);
fcc203c3
GP		 2401
2402 if (!(pi->conn->feat_mask & L2CAP_FEAT_FCS))
2403 break;
2404
2405 if (pi->fcs == L2CAP_FCS_NONE ||
2406 pi->conf_state & L2CAP_CONF_NO_FCS_RECV) {
2407 pi->fcs = L2CAP_FCS_NONE;
2408 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, pi->fcs);
2409 }
65c7c491
MH		 2410 break;
2411 }
1da177e4
LT		 2412
2413 /* FIXME: Need actual value of the flush timeout */
2414 //if (flush_to != L2CAP_DEFAULT_FLUSH_TO)
2415 // l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, 2, pi->flush_to);
2416
aca3192c
YH		 2417 req->dcid = cpu_to_le16(pi->dcid);
2418 req->flags = cpu_to_le16(0);
1da177e4
LT		 2419
2420 return ptr - data;
2421}
2422
5dee9e7c 2423static int l2cap_parse_conf_req(struct sock *sk, void *data)
1da177e4
LT		 2424{
2425 struct l2cap_pinfo *pi = l2cap_pi(sk);
5dee9e7c
MH		 2426 struct l2cap_conf_rsp *rsp = data;
2427 void *ptr = rsp->data;
2428 void *req = pi->conf_req;
2429 int len = pi->conf_len;
2430 int type, hint, olen;
2431 unsigned long val;
6464f35f 2432 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
861d6882 2433 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 2434 u16 result = L2CAP_CONF_SUCCESS;
1da177e4 2435
5dee9e7c 2436 BT_DBG("sk %p", sk);
820ae1b8 2437
5dee9e7c
MH		 2438 while (len >= L2CAP_CONF_OPT_SIZE) {
2439 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 2440
589d2746 2441 hint = type & L2CAP_CONF_HINT;
47ec1dcd 2442 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 2443
2444 switch (type) {
2445 case L2CAP_CONF_MTU:
861d6882 2446 mtu = val;
5dee9e7c
MH		 2447 break;
2448
2449 case L2CAP_CONF_FLUSH_TO:
2450 pi->flush_to = val;
2451 break;
2452
2453 case L2CAP_CONF_QOS:
2454 break;
2455
6464f35f
MH		 2456 case L2CAP_CONF_RFC:
2457 if (olen == sizeof(rfc))
2458 memcpy(&rfc, (void *) val, olen);
2459 break;
2460
fcc203c3
GP		 2461 case L2CAP_CONF_FCS:
2462 if (val == L2CAP_FCS_NONE)
2463 pi->conf_state |= L2CAP_CONF_NO_FCS_RECV;
2464
2465 break;
2466
5dee9e7c
MH		 2467 default:
2468 if (hint)
2469 break;
2470
2471 result = L2CAP_CONF_UNKNOWN;
2472 *((u8 *) ptr++) = type;
2473 break;
2474 }
2475 }
2476
f2fcfcd6
GP		 2477 if (pi->num_conf_rsp || pi->num_conf_req)
2478 goto done;
2479
2480 switch (pi->mode) {
2481 case L2CAP_MODE_STREAMING:
2482 case L2CAP_MODE_ERTM:
2483 pi->conf_state |= L2CAP_CONF_STATE2_DEVICE;
2484 if (!l2cap_mode_supported(pi->mode, pi->conn->feat_mask))
2485 return -ECONNREFUSED;
2486 break;
2487 default:
2488 pi->mode = l2cap_select_mode(rfc.mode, pi->conn->feat_mask);
2489 break;
2490 }
2491
2492done:
2493 if (pi->mode != rfc.mode) {
2494 result = L2CAP_CONF_UNACCEPT;
2495 rfc.mode = pi->mode;
2496
2497 if (pi->num_conf_rsp == 1)
2498 return -ECONNREFUSED;
2499
2500 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2501 sizeof(rfc), (unsigned long) &rfc);
2502 }
2503
2504
5dee9e7c
MH		 2505 if (result == L2CAP_CONF_SUCCESS) {
2506 /* Configure output options and let the other side know
2507 * which ones we don't like. */
2508
f2fcfcd6
GP		 2509 if (mtu < L2CAP_DEFAULT_MIN_MTU)
2510 result = L2CAP_CONF_UNACCEPT;
2511 else {
2512 pi->omtu = mtu;
2513 pi->conf_state |= L2CAP_CONF_MTU_DONE;
2514 }
2515 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->omtu);
6464f35f 2516
f2fcfcd6
GP		 2517 switch (rfc.mode) {
2518 case L2CAP_MODE_BASIC:
2519 pi->fcs = L2CAP_FCS_NONE;
2520 pi->conf_state |= L2CAP_CONF_MODE_DONE;
2521 break;
2522
2523 case L2CAP_MODE_ERTM:
2524 pi->remote_tx_win = rfc.txwin_size;
2525 pi->remote_max_tx = rfc.max_transmit;
1c762159
GP		 2526 if (rfc.max_pdu_size > pi->conn->mtu - 10)
2527 rfc.max_pdu_size = le16_to_cpu(pi->conn->mtu - 10);
2528
2529 pi->remote_mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6 2530
10467e9e
GP		 2531 rfc.retrans_timeout =
2532 le16_to_cpu(L2CAP_DEFAULT_RETRANS_TO);
2533 rfc.monitor_timeout =
2534 le16_to_cpu(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6
GP		 2535
2536 pi->conf_state |= L2CAP_CONF_MODE_DONE;
68ae6639
GP		 2537
2538 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2539 sizeof(rfc), (unsigned long) &rfc);
2540
f2fcfcd6
GP		 2541 break;
2542
2543 case L2CAP_MODE_STREAMING:
1c762159
GP		 2544 if (rfc.max_pdu_size > pi->conn->mtu - 10)
2545 rfc.max_pdu_size = le16_to_cpu(pi->conn->mtu - 10);
2546
2547 pi->remote_mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2548
2549 pi->conf_state |= L2CAP_CONF_MODE_DONE;
68ae6639
GP		 2550
2551 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2552 sizeof(rfc), (unsigned long) &rfc);
2553
f2fcfcd6
GP		 2554 break;
2555
2556 default:
5dee9e7c 2557 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 2558
6464f35f 2559 memset(&rfc, 0, sizeof(rfc));
f2fcfcd6
GP		 2560 rfc.mode = pi->mode;
2561 }
6464f35f 2562
f2fcfcd6
GP		 2563 if (result == L2CAP_CONF_SUCCESS)
2564 pi->conf_state |= L2CAP_CONF_OUTPUT_DONE;
2565 }
5dee9e7c
MH		 2566 rsp->scid = cpu_to_le16(pi->dcid);
2567 rsp->result = cpu_to_le16(result);
2568 rsp->flags = cpu_to_le16(0x0000);
2569
2570 return ptr - data;
1da177e4
LT		 2571}
2572
f2fcfcd6
GP		 2573static int l2cap_parse_conf_rsp(struct sock *sk, void *rsp, int len, void *data, u16 *result)
2574{
2575 struct l2cap_pinfo *pi = l2cap_pi(sk);
2576 struct l2cap_conf_req *req = data;
2577 void *ptr = req->data;
2578 int type, olen;
2579 unsigned long val;
2580 struct l2cap_conf_rfc rfc;
2581
2582 BT_DBG("sk %p, rsp %p, len %d, req %p", sk, rsp, len, data);
2583
2584 while (len >= L2CAP_CONF_OPT_SIZE) {
2585 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2586
2587 switch (type) {
2588 case L2CAP_CONF_MTU:
2589 if (val < L2CAP_DEFAULT_MIN_MTU) {
2590 *result = L2CAP_CONF_UNACCEPT;
2591 pi->omtu = L2CAP_DEFAULT_MIN_MTU;
2592 } else
2593 pi->omtu = val;
2594 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->omtu);
2595 break;
2596
2597 case L2CAP_CONF_FLUSH_TO:
2598 pi->flush_to = val;
2599 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
2600 2, pi->flush_to);
2601 break;
2602
2603 case L2CAP_CONF_RFC:
2604 if (olen == sizeof(rfc))
2605 memcpy(&rfc, (void *)val, olen);
2606
2607 if ((pi->conf_state & L2CAP_CONF_STATE2_DEVICE) &&
2608 rfc.mode != pi->mode)
2609 return -ECONNREFUSED;
2610
2611 pi->mode = rfc.mode;
2612 pi->fcs = 0;
2613
2614 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2615 sizeof(rfc), (unsigned long) &rfc);
2616 break;
2617 }
2618 }
2619
2620 if (*result == L2CAP_CONF_SUCCESS) {
2621 switch (rfc.mode) {
2622 case L2CAP_MODE_ERTM:
2623 pi->remote_tx_win = rfc.txwin_size;
10467e9e
GP		 2624 pi->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2625 pi->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
1c762159 2626 pi->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2627 break;
2628 case L2CAP_MODE_STREAMING:
1c762159 2629 pi->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2630 }
2631 }
2632
2633 req->dcid = cpu_to_le16(pi->dcid);
2634 req->flags = cpu_to_le16(0x0000);
2635
2636 return ptr - data;
2637}
2638
5dee9e7c 2639static int l2cap_build_conf_rsp(struct sock *sk, void *data, u16 result, u16 flags)
1da177e4
LT		 2640{
2641 struct l2cap_conf_rsp *rsp = data;
2642 void *ptr = rsp->data;
1da177e4 2643
5dee9e7c 2644 BT_DBG("sk %p", sk);
1da177e4 2645
aca3192c 2646 rsp->scid = cpu_to_le16(l2cap_pi(sk)->dcid);
5dee9e7c 2647 rsp->result = cpu_to_le16(result);
aca3192c 2648 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 2649
2650 return ptr - data;
2651}
2652
7b1c0049
GP		 2653static void l2cap_conf_rfc_get(struct sock *sk, void *rsp, int len)
2654{
2655 struct l2cap_pinfo *pi = l2cap_pi(sk);
2656 int type, olen;
2657 unsigned long val;
2658 struct l2cap_conf_rfc rfc;
2659
2660 BT_DBG("sk %p, rsp %p, len %d", sk, rsp, len);
2661
2662 if ((pi->mode != L2CAP_MODE_ERTM) && (pi->mode != L2CAP_MODE_STREAMING))
2663 return;
2664
2665 while (len >= L2CAP_CONF_OPT_SIZE) {
2666 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2667
2668 switch (type) {
2669 case L2CAP_CONF_RFC:
2670 if (olen == sizeof(rfc))
2671 memcpy(&rfc, (void *)val, olen);
2672 goto done;
2673 }
2674 }
2675
2676done:
2677 switch (rfc.mode) {
2678 case L2CAP_MODE_ERTM:
2679 pi->remote_tx_win = rfc.txwin_size;
10467e9e
GP		 2680 pi->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2681 pi->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
7b1c0049
GP		 2682 pi->mps = le16_to_cpu(rfc.max_pdu_size);
2683 break;
2684 case L2CAP_MODE_STREAMING:
2685 pi->mps = le16_to_cpu(rfc.max_pdu_size);
2686 }
2687}
2688
4e8402a3
MH		 2689static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2690{
2691 struct l2cap_cmd_rej *rej = (struct l2cap_cmd_rej *) data;
2692
2693 if (rej->reason != 0x0000)
2694 return 0;
2695
2696 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2697 cmd->ident == conn->info_ident) {
4e8402a3 2698 del_timer(&conn->info_timer);
984947dc
MH		 2699
2700 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2701 conn->info_ident = 0;
984947dc 2702
4e8402a3
MH		 2703 l2cap_conn_start(conn);
2704 }
2705
2706 return 0;
2707}
2708
1da177e4
LT		 2709static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2710{
2711 struct l2cap_chan_list *list = &conn->chan_list;
2712 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
2713 struct l2cap_conn_rsp rsp;
2714 struct sock *sk, *parent;
e7c29cb1 2715 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2716
2717 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 2718 __le16 psm = req->psm;
1da177e4
LT		 2719
2720 BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
2721
2722 /* Check if we have socket listening on psm */
2723 parent = l2cap_get_sock_by_psm(BT_LISTEN, psm, conn->src);
2724 if (!parent) {
2725 result = L2CAP_CR_BAD_PSM;
2726 goto sendresp;
2727 }
2728
e7c29cb1
MH		 2729 /* Check if the ACL is secure enough (if not SDP) */
2730 if (psm != cpu_to_le16(0x0001) &&
2731 !hci_conn_check_link_mode(conn->hcon)) {
2950f21a 2732 conn->disc_reason = 0x05;
e7c29cb1
MH		 2733 result = L2CAP_CR_SEC_BLOCK;
2734 goto response;
2735 }
2736
1da177e4
LT		 2737 result = L2CAP_CR_NO_MEM;
2738
2739 /* Check for backlog size */
2740 if (sk_acceptq_is_full(parent)) {
8e87d142 2741 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1da177e4
LT		 2742 goto response;
2743 }
2744
3b1e0a65 2745 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP, GFP_ATOMIC);
1da177e4
LT		 2746 if (!sk)
2747 goto response;
2748
fd1278d7 2749 write_lock_bh(&list->lock);
1da177e4
LT		 2750
2751 /* Check if we already have channel with that dcid */
2752 if (__l2cap_get_chan_by_dcid(list, scid)) {
fd1278d7 2753 write_unlock_bh(&list->lock);
1da177e4
LT		 2754 sock_set_flag(sk, SOCK_ZAPPED);
2755 l2cap_sock_kill(sk);
2756 goto response;
2757 }
2758
2759 hci_conn_hold(conn->hcon);
2760
2761 l2cap_sock_init(sk, parent);
2762 bacpy(&bt_sk(sk)->src, conn->src);
2763 bacpy(&bt_sk(sk)->dst, conn->dst);
2764 l2cap_pi(sk)->psm = psm;
2765 l2cap_pi(sk)->dcid = scid;
2766
2767 __l2cap_chan_add(conn, sk, parent);
2768 dcid = l2cap_pi(sk)->scid;
2769
2770 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
2771
1da177e4
LT		 2772 l2cap_pi(sk)->ident = cmd->ident;
2773
984947dc 2774 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
2af6b9d5 2775 if (l2cap_check_security(sk)) {
f66dc81f
MH		 2776 if (bt_sk(sk)->defer_setup) {
2777 sk->sk_state = BT_CONNECT2;
2778 result = L2CAP_CR_PEND;
2779 status = L2CAP_CS_AUTHOR_PEND;
2780 parent->sk_data_ready(parent, 0);
2781 } else {
2782 sk->sk_state = BT_CONFIG;
2783 result = L2CAP_CR_SUCCESS;
2784 status = L2CAP_CS_NO_INFO;
2785 }
79d554a6
MH		 2786 } else {
2787 sk->sk_state = BT_CONNECT2;
2788 result = L2CAP_CR_PEND;
2789 status = L2CAP_CS_AUTHEN_PEND;
2790 }
2791 } else {
2792 sk->sk_state = BT_CONNECT2;
2793 result = L2CAP_CR_PEND;
2794 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2795 }
2796
fd1278d7 2797 write_unlock_bh(&list->lock);
1da177e4
LT		 2798
2799response:
2800 bh_unlock_sock(parent);
2801
2802sendresp:
aca3192c
YH		 2803 rsp.scid = cpu_to_le16(scid);
2804 rsp.dcid = cpu_to_le16(dcid);
2805 rsp.result = cpu_to_le16(result);
2806 rsp.status = cpu_to_le16(status);
1da177e4 2807 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 2808
2809 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
2810 struct l2cap_info_req info;
2811 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2812
2813 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
2814 conn->info_ident = l2cap_get_ident(conn);
2815
2816 mod_timer(&conn->info_timer, jiffies +
2817 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
2818
2819 l2cap_send_cmd(conn, conn->info_ident,
2820 L2CAP_INFO_REQ, sizeof(info), &info);
2821 }
2822
1da177e4
LT		 2823 return 0;
2824}
2825
2826static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2827{
2828 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
2829 u16 scid, dcid, result, status;
2830 struct sock *sk;
2831 u8 req[128];
2832
2833 scid = __le16_to_cpu(rsp->scid);
2834 dcid = __le16_to_cpu(rsp->dcid);
2835 result = __le16_to_cpu(rsp->result);
2836 status = __le16_to_cpu(rsp->status);
2837
2838 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status);
2839
2840 if (scid) {
af05b30b
GP		 2841 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
2842 if (!sk)
1da177e4
LT		 2843 return 0;
2844 } else {
af05b30b
GP		 2845 sk = l2cap_get_chan_by_ident(&conn->chan_list, cmd->ident);
2846 if (!sk)
1da177e4
LT		 2847 return 0;
2848 }
2849
2850 switch (result) {
2851 case L2CAP_CR_SUCCESS:
2852 sk->sk_state = BT_CONFIG;
2853 l2cap_pi(sk)->ident = 0;
2854 l2cap_pi(sk)->dcid = dcid;
2855 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
2856
6a8d3010
MH		 2857 l2cap_pi(sk)->conf_state &= ~L2CAP_CONF_CONNECT_PEND;
2858
1da177e4
LT		 2859 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2860 l2cap_build_conf_req(sk, req), req);
f2fcfcd6 2861 l2cap_pi(sk)->num_conf_req++;
1da177e4
LT		 2862 break;
2863
2864 case L2CAP_CR_PEND:
6a8d3010 2865 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
1da177e4
LT		 2866 break;
2867
2868 default:
2869 l2cap_chan_del(sk, ECONNREFUSED);
2870 break;
2871 }
2872
2873 bh_unlock_sock(sk);
2874 return 0;
2875}
2876
88219a0f 2877static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 2878{
2879 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
2880 u16 dcid, flags;
2881 u8 rsp[64];
2882 struct sock *sk;
5dee9e7c 2883 int len;
1da177e4
LT		 2884
2885 dcid = __le16_to_cpu(req->dcid);
2886 flags = __le16_to_cpu(req->flags);
2887
2888 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
2889
af05b30b
GP		 2890 sk = l2cap_get_chan_by_scid(&conn->chan_list, dcid);
2891 if (!sk)
1da177e4
LT		 2892 return -ENOENT;
2893
354f60a9
MH		 2894 if (sk->sk_state == BT_DISCONN)
2895 goto unlock;
2896
5dee9e7c 2897 /* Reject if config buffer is too small. */
88219a0f 2898 len = cmd_len - sizeof(*req);
5dee9e7c
MH		 2899 if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
2900 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2901 l2cap_build_conf_rsp(sk, rsp,
2902 L2CAP_CONF_REJECT, flags), rsp);
2903 goto unlock;
2904 }
2905
2906 /* Store config. */
2907 memcpy(l2cap_pi(sk)->conf_req + l2cap_pi(sk)->conf_len, req->data, len);
2908 l2cap_pi(sk)->conf_len += len;
1da177e4
LT		 2909
2910 if (flags & 0x0001) {
2911 /* Incomplete config. Send empty response. */
2912 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
5dee9e7c
MH		 2913 l2cap_build_conf_rsp(sk, rsp,
2914 L2CAP_CONF_SUCCESS, 0x0001), rsp);
1da177e4
LT		 2915 goto unlock;
2916 }
2917
2918 /* Complete config. */
5dee9e7c 2919 len = l2cap_parse_conf_req(sk, rsp);
f2fcfcd6 2920 if (len < 0) {
22121fc9 2921 l2cap_send_disconn_req(conn, sk);
1da177e4 2922 goto unlock;
f2fcfcd6 2923 }
1da177e4 2924
5dee9e7c 2925 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
f2fcfcd6 2926 l2cap_pi(sk)->num_conf_rsp++;
5dee9e7c 2927
5dee9e7c
MH		 2928 /* Reset config buffer. */
2929 l2cap_pi(sk)->conf_len = 0;
2930
876d9484
MH		 2931 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE))
2932 goto unlock;
2933
1da177e4 2934 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_INPUT_DONE) {
f64f9e71
JP		 2935 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_NO_FCS_RECV) ||
2936 l2cap_pi(sk)->fcs != L2CAP_FCS_NONE)
fcc203c3
GP		 2937 l2cap_pi(sk)->fcs = L2CAP_FCS_CRC16;
2938
1da177e4 2939 sk->sk_state = BT_CONNECTED;
e90bac06 2940
0565c1c2
GP		 2941 l2cap_pi(sk)->next_tx_seq = 0;
2942 l2cap_pi(sk)->expected_tx_seq = 0;
1c2acffb 2943 __skb_queue_head_init(TX_QUEUE(sk));
0565c1c2
GP		 2944 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM)
2945 l2cap_ertm_init(sk);
2946
1da177e4 2947 l2cap_chan_ready(sk);
876d9484
MH		 2948 goto unlock;
2949 }
2950
2951 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT)) {
79d554a6 2952 u8 buf[64];
1da177e4 2953 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
79d554a6 2954 l2cap_build_conf_req(sk, buf), buf);
f2fcfcd6 2955 l2cap_pi(sk)->num_conf_req++;
1da177e4
LT		 2956 }
2957
2958unlock:
2959 bh_unlock_sock(sk);
2960 return 0;
2961}
2962
2963static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2964{
2965 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
2966 u16 scid, flags, result;
2967 struct sock *sk;
7b1c0049 2968 int len = cmd->len - sizeof(*rsp);
1da177e4
LT		 2969
2970 scid = __le16_to_cpu(rsp->scid);
2971 flags = __le16_to_cpu(rsp->flags);
2972 result = __le16_to_cpu(rsp->result);
2973
af05b30b
GP		 2974 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x",
2975 scid, flags, result);
1da177e4 2976
af05b30b
GP		 2977 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
2978 if (!sk)
1da177e4
LT		 2979 return 0;
2980
2981 switch (result) {
2982 case L2CAP_CONF_SUCCESS:
7b1c0049 2983 l2cap_conf_rfc_get(sk, rsp->data, len);
1da177e4
LT		 2984 break;
2985
2986 case L2CAP_CONF_UNACCEPT:
f2fcfcd6 2987 if (l2cap_pi(sk)->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 2988 char req[64];
2989
c2c77ec8
AE		 2990 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
2991 l2cap_send_disconn_req(conn, sk);
2992 goto done;
2993 }
2994
f2fcfcd6
GP		 2995 /* throw out any old stored conf requests */
2996 result = L2CAP_CONF_SUCCESS;
2997 len = l2cap_parse_conf_rsp(sk, rsp->data,
2998 len, req, &result);
2999 if (len < 0) {
22121fc9 3000 l2cap_send_disconn_req(conn, sk);
f2fcfcd6
GP		 3001 goto done;
3002 }
3003
3004 l2cap_send_cmd(conn, l2cap_get_ident(conn),
3005 L2CAP_CONF_REQ, len, req);
3006 l2cap_pi(sk)->num_conf_req++;
3007 if (result != L2CAP_CONF_SUCCESS)
3008 goto done;
3009 break;
1da177e4
LT		 3010 }
3011
8e87d142 3012 default:
1da177e4 3013 sk->sk_state = BT_DISCONN;
b1235d79 3014 sk->sk_err = ECONNRESET;
1da177e4 3015 l2cap_sock_set_timer(sk, HZ * 5);
22121fc9 3016 l2cap_send_disconn_req(conn, sk);
1da177e4
LT		 3017 goto done;
3018 }
3019
3020 if (flags & 0x01)
3021 goto done;
3022
1da177e4
LT		 3023 l2cap_pi(sk)->conf_state |= L2CAP_CONF_INPUT_DONE;
3024
3025 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE) {
f64f9e71
JP		 3026 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_NO_FCS_RECV) ||
3027 l2cap_pi(sk)->fcs != L2CAP_FCS_NONE)
fcc203c3
GP		 3028 l2cap_pi(sk)->fcs = L2CAP_FCS_CRC16;
3029
1da177e4 3030 sk->sk_state = BT_CONNECTED;
0565c1c2 3031 l2cap_pi(sk)->next_tx_seq = 0;
1c2acffb 3032 l2cap_pi(sk)->expected_tx_seq = 0;
1c2acffb 3033 __skb_queue_head_init(TX_QUEUE(sk));
0565c1c2
GP		 3034 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM)
3035 l2cap_ertm_init(sk);
3036
1da177e4
LT		 3037 l2cap_chan_ready(sk);
3038 }
3039
3040done:
3041 bh_unlock_sock(sk);
3042 return 0;
3043}
3044
3045static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3046{
3047 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
3048 struct l2cap_disconn_rsp rsp;
3049 u16 dcid, scid;
3050 struct sock *sk;
3051
3052 scid = __le16_to_cpu(req->scid);
3053 dcid = __le16_to_cpu(req->dcid);
3054
3055 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
3056
af05b30b
GP		 3057 sk = l2cap_get_chan_by_scid(&conn->chan_list, dcid);
3058 if (!sk)
1da177e4
LT		 3059 return 0;
3060
aca3192c
YH		 3061 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
3062 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
1da177e4
LT		 3063 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
3064
3065 sk->sk_shutdown = SHUTDOWN_MASK;
3066
1c2acffb 3067 skb_queue_purge(TX_QUEUE(sk));
0565c1c2
GP		 3068
3069 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM) {
3070 skb_queue_purge(SREJ_QUEUE(sk));
3071 del_timer(&l2cap_pi(sk)->retrans_timer);
3072 del_timer(&l2cap_pi(sk)->monitor_timer);
c1b4f43b 3073 del_timer(&l2cap_pi(sk)->ack_timer);
0565c1c2 3074 }
1c2acffb 3075
1da177e4
LT		 3076 l2cap_chan_del(sk, ECONNRESET);
3077 bh_unlock_sock(sk);
3078
3079 l2cap_sock_kill(sk);
3080 return 0;
3081}
3082
3083static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3084{
3085 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
3086 u16 dcid, scid;
3087 struct sock *sk;
3088
3089 scid = __le16_to_cpu(rsp->scid);
3090 dcid = __le16_to_cpu(rsp->dcid);
3091
3092 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
3093
af05b30b
GP		 3094 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
3095 if (!sk)
1da177e4
LT		 3096 return 0;
3097
1c2acffb 3098 skb_queue_purge(TX_QUEUE(sk));
0565c1c2
GP		 3099
3100 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM) {
3101 skb_queue_purge(SREJ_QUEUE(sk));
3102 del_timer(&l2cap_pi(sk)->retrans_timer);
3103 del_timer(&l2cap_pi(sk)->monitor_timer);
c1b4f43b 3104 del_timer(&l2cap_pi(sk)->ack_timer);
0565c1c2 3105 }
1c2acffb 3106
1da177e4
LT		 3107 l2cap_chan_del(sk, 0);
3108 bh_unlock_sock(sk);
3109
3110 l2cap_sock_kill(sk);
3111 return 0;
3112}
3113
3114static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3115{
3116 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 3117 u16 type;
3118
3119 type = __le16_to_cpu(req->type);
3120
3121 BT_DBG("type 0x%4.4x", type);
3122
f0709e03
MH		 3123 if (type == L2CAP_IT_FEAT_MASK) {
3124 u8 buf[8];
44dd46de 3125 u32 feat_mask = l2cap_feat_mask;
f0709e03
MH		 3126 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
3127 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3128 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
44dd46de 3129 if (enable_ertm)
fcc203c3
GP		 3130 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
3131 | L2CAP_FEAT_FCS;
1b7bf4ed 3132 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 3133 l2cap_send_cmd(conn, cmd->ident,
3134 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 3135 } else if (type == L2CAP_IT_FIXED_CHAN) {
3136 u8 buf[12];
3137 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
3138 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3139 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
3140 memcpy(buf + 4, l2cap_fixed_chan, 8);
3141 l2cap_send_cmd(conn, cmd->ident,
3142 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 3143 } else {
3144 struct l2cap_info_rsp rsp;
3145 rsp.type = cpu_to_le16(type);
3146 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
3147 l2cap_send_cmd(conn, cmd->ident,
3148 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
3149 }
1da177e4
LT		 3150
3151 return 0;
3152}
3153
3154static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3155{
3156 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
3157 u16 type, result;
3158
3159 type = __le16_to_cpu(rsp->type);
3160 result = __le16_to_cpu(rsp->result);
3161
3162 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
3163
4e8402a3
MH		 3164 del_timer(&conn->info_timer);
3165
984947dc 3166 if (type == L2CAP_IT_FEAT_MASK) {
83985319 3167 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 3168
47ec1dcd 3169 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c
MH		 3170 struct l2cap_info_req req;
3171 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3172
3173 conn->info_ident = l2cap_get_ident(conn);
3174
3175 l2cap_send_cmd(conn, conn->info_ident,
3176 L2CAP_INFO_REQ, sizeof(req), &req);
3177 } else {
3178 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3179 conn->info_ident = 0;
3180
3181 l2cap_conn_start(conn);
3182 }
3183 } else if (type == L2CAP_IT_FIXED_CHAN) {
984947dc 3184 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3185 conn->info_ident = 0;
984947dc
MH		 3186
3187 l2cap_conn_start(conn);
3188 }
4e8402a3 3189
1da177e4
LT		 3190 return 0;
3191}
3192
3193static inline void l2cap_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb)
3194{
3195 u8 *data = skb->data;
3196 int len = skb->len;
3197 struct l2cap_cmd_hdr cmd;
3198 int err = 0;
3199
3200 l2cap_raw_recv(conn, skb);
3201
3202 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 3203 u16 cmd_len;
1da177e4
LT		 3204 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
3205 data += L2CAP_CMD_HDR_SIZE;
3206 len -= L2CAP_CMD_HDR_SIZE;
3207
88219a0f 3208 cmd_len = le16_to_cpu(cmd.len);
1da177e4 3209
88219a0f 3210 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 3211
88219a0f 3212 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 3213 BT_DBG("corrupted command");
3214 break;
3215 }
3216
3217 switch (cmd.code) {
3218 case L2CAP_COMMAND_REJ:
4e8402a3 3219 l2cap_command_rej(conn, &cmd, data);
1da177e4
LT		 3220 break;
3221
3222 case L2CAP_CONN_REQ:
3223 err = l2cap_connect_req(conn, &cmd, data);
3224 break;
3225
3226 case L2CAP_CONN_RSP:
3227 err = l2cap_connect_rsp(conn, &cmd, data);
3228 break;
3229
3230 case L2CAP_CONF_REQ:
88219a0f 3231 err = l2cap_config_req(conn, &cmd, cmd_len, data);
1da177e4
LT		 3232 break;
3233
3234 case L2CAP_CONF_RSP:
3235 err = l2cap_config_rsp(conn, &cmd, data);
3236 break;
3237
3238 case L2CAP_DISCONN_REQ:
3239 err = l2cap_disconnect_req(conn, &cmd, data);
3240 break;
3241
3242 case L2CAP_DISCONN_RSP:
3243 err = l2cap_disconnect_rsp(conn, &cmd, data);
3244 break;
3245
3246 case L2CAP_ECHO_REQ:
88219a0f 3247 l2cap_send_cmd(conn, cmd.ident, L2CAP_ECHO_RSP, cmd_len, data);
1da177e4
LT		 3248 break;
3249
3250 case L2CAP_ECHO_RSP:
3251 break;
3252
3253 case L2CAP_INFO_REQ:
3254 err = l2cap_information_req(conn, &cmd, data);
3255 break;
3256
3257 case L2CAP_INFO_RSP:
3258 err = l2cap_information_rsp(conn, &cmd, data);
3259 break;
3260
3261 default:
3262 BT_ERR("Unknown signaling command 0x%2.2x", cmd.code);
3263 err = -EINVAL;
3264 break;
3265 }
3266
3267 if (err) {
3268 struct l2cap_cmd_rej rej;
3269 BT_DBG("error %d", err);
3270
3271 /* FIXME: Map err to a valid reason */
aca3192c 3272 rej.reason = cpu_to_le16(0);
1da177e4
LT		 3273 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3274 }
3275
88219a0f
AV		 3276 data += cmd_len;
3277 len -= cmd_len;
1da177e4
LT		 3278 }
3279
3280 kfree_skb(skb);
3281}
3282
fcc203c3
GP		 3283static int l2cap_check_fcs(struct l2cap_pinfo *pi, struct sk_buff *skb)
3284{
3285 u16 our_fcs, rcv_fcs;
3286 int hdr_size = L2CAP_HDR_SIZE + 2;
3287
3288 if (pi->fcs == L2CAP_FCS_CRC16) {
3289 skb_trim(skb, skb->len - 2);
3290 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
3291 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
3292
3293 if (our_fcs != rcv_fcs)
3294 return -EINVAL;
3295 }
3296 return 0;
3297}
3298
d5392c8f
GP		 3299static inline void l2cap_send_i_or_rr_or_rnr(struct sock *sk)
3300{
3301 struct l2cap_pinfo *pi = l2cap_pi(sk);
3302 u16 control = 0;
3303
3304 pi->frames_sent = 0;
3305 pi->conn_state |= L2CAP_CONN_SEND_FBIT;
3306
3307 control |= pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3308
3309 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) {
3310 control |= L2CAP_SUPER_RCV_NOT_READY | L2CAP_CTRL_FINAL;
3311 l2cap_send_sframe(pi, control);
3312 pi->conn_state &= ~L2CAP_CONN_SEND_FBIT;
3313 }
3314
3315 if (pi->conn_state & L2CAP_CONN_REMOTE_BUSY && pi->unacked_frames > 0)
3316 __mod_retrans_timer();
3317
3318 l2cap_ertm_send(sk);
3319
3320 if (!(pi->conn_state & L2CAP_CONN_LOCAL_BUSY) &&
3321 pi->frames_sent == 0) {
3322 control |= L2CAP_SUPER_RCV_READY;
d5392c8f
GP		 3323 l2cap_send_sframe(pi, control);
3324 }
3325}
3326
8f17154f
GP		 3327static void l2cap_add_to_srej_queue(struct sock *sk, struct sk_buff *skb, u8 tx_seq, u8 sar)
3328{
3329 struct sk_buff *next_skb;
3330
3331 bt_cb(skb)->tx_seq = tx_seq;
3332 bt_cb(skb)->sar = sar;
3333
3334 next_skb = skb_peek(SREJ_QUEUE(sk));
3335 if (!next_skb) {
3336 __skb_queue_tail(SREJ_QUEUE(sk), skb);
3337 return;
3338 }
3339
3340 do {
3341 if (bt_cb(next_skb)->tx_seq > tx_seq) {
3342 __skb_queue_before(SREJ_QUEUE(sk), next_skb, skb);
3343 return;
3344 }
3345
3346 if (skb_queue_is_last(SREJ_QUEUE(sk), next_skb))
3347 break;
3348
59203a21 3349 } while ((next_skb = skb_queue_next(SREJ_QUEUE(sk), next_skb)));
8f17154f
GP		 3350
3351 __skb_queue_tail(SREJ_QUEUE(sk), skb);
3352}
3353
c74e560c
GP		 3354static int l2cap_sar_reassembly_sdu(struct sock *sk, struct sk_buff *skb, u16 control)
3355{
3356 struct l2cap_pinfo *pi = l2cap_pi(sk);
3357 struct sk_buff *_skb;
3358 int err = -EINVAL;
3359
3360 switch (control & L2CAP_CTRL_SAR) {
3361 case L2CAP_SDU_UNSEGMENTED:
3362 if (pi->conn_state & L2CAP_CONN_SAR_SDU) {
3363 kfree_skb(pi->sdu);
3364 break;
3365 }
3366
3367 err = sock_queue_rcv_skb(sk, skb);
3368 if (!err)
3369 return 0;
3370
3371 break;
3372
3373 case L2CAP_SDU_START:
3374 if (pi->conn_state & L2CAP_CONN_SAR_SDU) {
3375 kfree_skb(pi->sdu);
3376 break;
3377 }
3378
3379 pi->sdu_len = get_unaligned_le16(skb->data);
3380 skb_pull(skb, 2);
3381
052897ca
GP		 3382 if (pi->sdu_len > pi->imtu) {
3383 err = -EMSGSIZE;
3384 break;
3385 }
3386
c74e560c
GP		 3387 pi->sdu = bt_skb_alloc(pi->sdu_len, GFP_ATOMIC);
3388 if (!pi->sdu) {
3389 err = -ENOMEM;
3390 break;
3391 }
3392
3393 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3394
3395 pi->conn_state |= L2CAP_CONN_SAR_SDU;
3396 pi->partial_sdu_len = skb->len;
3397 err = 0;
3398 break;
3399
3400 case L2CAP_SDU_CONTINUE:
3401 if (!(pi->conn_state & L2CAP_CONN_SAR_SDU))
3402 break;
3403
3404 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3405
3406 pi->partial_sdu_len += skb->len;
3407 if (pi->partial_sdu_len > pi->sdu_len)
3408 kfree_skb(pi->sdu);
3409 else
3410 err = 0;
3411
3412 break;
3413
3414 case L2CAP_SDU_END:
3415 if (!(pi->conn_state & L2CAP_CONN_SAR_SDU))
3416 break;
3417
3418 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3419
3420 pi->conn_state &= ~L2CAP_CONN_SAR_SDU;
3421 pi->partial_sdu_len += skb->len;
3422
36f2fd58
GP		 3423 if (pi->partial_sdu_len > pi->imtu)
3424 goto drop;
3425
c74e560c
GP		 3426 if (pi->partial_sdu_len == pi->sdu_len) {
3427 _skb = skb_clone(pi->sdu, GFP_ATOMIC);
3428 err = sock_queue_rcv_skb(sk, _skb);
3429 if (err < 0)
3430 kfree_skb(_skb);
3431 }
c74e560c
GP		 3432 err = 0;
3433
36f2fd58
GP		 3434drop:
3435 kfree_skb(pi->sdu);
c74e560c
GP		 3436 break;
3437 }
3438
3439 kfree_skb(skb);
3440 return err;
3441}
3442
8f17154f
GP		 3443static void l2cap_check_srej_gap(struct sock *sk, u8 tx_seq)
3444{
3445 struct sk_buff *skb;
afefdbc4 3446 u16 control;
8f17154f 3447
59203a21 3448 while ((skb = skb_peek(SREJ_QUEUE(sk)))) {
8f17154f
GP		 3449 if (bt_cb(skb)->tx_seq != tx_seq)
3450 break;
3451
3452 skb = skb_dequeue(SREJ_QUEUE(sk));
afefdbc4 3453 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
8f17154f
GP		 3454 l2cap_sar_reassembly_sdu(sk, skb, control);
3455 l2cap_pi(sk)->buffer_seq_srej =
3456 (l2cap_pi(sk)->buffer_seq_srej + 1) % 64;
3457 tx_seq++;
3458 }
3459}
3460
3461static void l2cap_resend_srejframe(struct sock *sk, u8 tx_seq)
3462{
3463 struct l2cap_pinfo *pi = l2cap_pi(sk);
3464 struct srej_list *l, *tmp;
3465 u16 control;
3466
59203a21 3467 list_for_each_entry_safe(l, tmp, SREJ_LIST(sk), list) {
8f17154f
GP		 3468 if (l->tx_seq == tx_seq) {
3469 list_del(&l->list);
3470 kfree(l);
3471 return;
3472 }
3473 control = L2CAP_SUPER_SELECT_REJECT;
3474 control |= l->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3475 l2cap_send_sframe(pi, control);
3476 list_del(&l->list);
3477 list_add_tail(&l->list, SREJ_LIST(sk));
3478 }
3479}
3480
3481static void l2cap_send_srejframe(struct sock *sk, u8 tx_seq)
3482{
3483 struct l2cap_pinfo *pi = l2cap_pi(sk);
3484 struct srej_list *new;
3485 u16 control;
3486
3487 while (tx_seq != pi->expected_tx_seq) {
3488 control = L2CAP_SUPER_SELECT_REJECT;
3489 control |= pi->expected_tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3490 l2cap_send_sframe(pi, control);
3491
3492 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
3493 new->tx_seq = pi->expected_tx_seq++;
3494 list_add_tail(&new->list, SREJ_LIST(sk));
3495 }
3496 pi->expected_tx_seq++;
3497}
3498
1c2acffb
GP		 3499static inline int l2cap_data_channel_iframe(struct sock *sk, u16 rx_control, struct sk_buff *skb)
3500{
3501 struct l2cap_pinfo *pi = l2cap_pi(sk);
3502 u8 tx_seq = __get_txseq(rx_control);
9f121a5a 3503 u8 req_seq = __get_reqseq(rx_control);
8f17154f 3504 u8 sar = rx_control >> L2CAP_CTRL_SAR_SHIFT;
803020c6 3505 int num_to_ack = (pi->tx_win/6) + 1;
1c2acffb
GP		 3506 int err = 0;
3507
3508 BT_DBG("sk %p rx_control 0x%4.4x len %d", sk, rx_control, skb->len);
3509
1d8f5d16
GP		 3510 if (L2CAP_CTRL_FINAL & rx_control) {
3511 del_timer(&pi->monitor_timer);
3512 if (pi->unacked_frames > 0)
3513 __mod_retrans_timer();
3514 pi->conn_state &= ~L2CAP_CONN_WAIT_F;
3515 }
3516
9f121a5a
GP		 3517 pi->expected_ack_seq = req_seq;
3518 l2cap_drop_acked_frames(sk);
3519
8f17154f
GP		 3520 if (tx_seq == pi->expected_tx_seq)
3521 goto expected;
1c2acffb 3522
8f17154f
GP		 3523 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
3524 struct srej_list *first;
30afb5b2 3525
8f17154f
GP		 3526 first = list_first_entry(SREJ_LIST(sk),
3527 struct srej_list, list);
3528 if (tx_seq == first->tx_seq) {
3529 l2cap_add_to_srej_queue(sk, skb, tx_seq, sar);
3530 l2cap_check_srej_gap(sk, tx_seq);
3531
3532 list_del(&first->list);
3533 kfree(first);
3534
3535 if (list_empty(SREJ_LIST(sk))) {
3536 pi->buffer_seq = pi->buffer_seq_srej;
3537 pi->conn_state &= ~L2CAP_CONN_SREJ_SENT;
855666cc 3538 l2cap_send_ack(pi);
8f17154f
GP		 3539 }
3540 } else {
3541 struct srej_list *l;
3542 l2cap_add_to_srej_queue(sk, skb, tx_seq, sar);
3543
3544 list_for_each_entry(l, SREJ_LIST(sk), list) {
3545 if (l->tx_seq == tx_seq) {
3546 l2cap_resend_srejframe(sk, tx_seq);
3547 return 0;
3548 }
3549 }
3550 l2cap_send_srejframe(sk, tx_seq);
30afb5b2
GP		 3551 }
3552 } else {
8f17154f 3553 pi->conn_state |= L2CAP_CONN_SREJ_SENT;
1c2acffb 3554
8f17154f
GP		 3555 INIT_LIST_HEAD(SREJ_LIST(sk));
3556 pi->buffer_seq_srej = pi->buffer_seq;
3557
3558 __skb_queue_head_init(SREJ_QUEUE(sk));
3559 l2cap_add_to_srej_queue(sk, skb, tx_seq, sar);
3560
ef54fd93
GP		 3561 pi->conn_state |= L2CAP_CONN_SEND_PBIT;
3562
8f17154f 3563 l2cap_send_srejframe(sk, tx_seq);
1c2acffb 3564 }
30afb5b2
GP		 3565 return 0;
3566
8f17154f
GP		 3567expected:
3568 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
3569
3570 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
3b1a9f3f
GP		 3571 bt_cb(skb)->tx_seq = tx_seq;
3572 bt_cb(skb)->sar = sar;
3573 __skb_queue_tail(SREJ_QUEUE(sk), skb);
8f17154f
GP		 3574 return 0;
3575 }
3576
4ec10d97
GP		 3577 if (rx_control & L2CAP_CTRL_FINAL) {
3578 if (pi->conn_state & L2CAP_CONN_REJ_ACT)
3579 pi->conn_state &= ~L2CAP_CONN_REJ_ACT;
3580 else {
f6e6b168
GP		 3581 if (!skb_queue_empty(TX_QUEUE(sk)))
3582 sk->sk_send_head = TX_QUEUE(sk)->next;
4ec10d97
GP		 3583 pi->next_tx_seq = pi->expected_ack_seq;
3584 l2cap_ertm_send(sk);
3585 }
3586 }
3587
8f17154f
GP		 3588 pi->buffer_seq = (pi->buffer_seq + 1) % 64;
3589
3590 err = l2cap_sar_reassembly_sdu(sk, skb, rx_control);
3591 if (err < 0)
3592 return err;
3593
c1b4f43b
GP		 3594 __mod_ack_timer();
3595
803020c6
GP		 3596 pi->num_acked = (pi->num_acked + 1) % num_to_ack;
3597 if (pi->num_acked == num_to_ack - 1)
9e917af1
GP		 3598 l2cap_send_ack(pi);
3599
8f17154f 3600 return 0;
1c2acffb
GP		 3601}
3602
e072745f 3603static inline void l2cap_data_channel_rrframe(struct sock *sk, u16 rx_control)
1c2acffb
GP		 3604{
3605 struct l2cap_pinfo *pi = l2cap_pi(sk);
6e3a5981
GP		 3606
3607 pi->expected_ack_seq = __get_reqseq(rx_control);
3608 l2cap_drop_acked_frames(sk);
1c2acffb 3609
e072745f 3610 if (rx_control & L2CAP_CTRL_POLL) {
05fbd89d
GP		 3611 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
3612 if ((pi->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
3613 (pi->unacked_frames > 0))
3614 __mod_retrans_timer();
3615
3616 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3617 l2cap_send_srejtail(sk);
3618 } else {
3619 l2cap_send_i_or_rr_or_rnr(sk);
3620 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3621 }
1d8f5d16 3622
e072745f
GP		 3623 } else if (rx_control & L2CAP_CTRL_FINAL) {
3624 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
4ec10d97 3625
e072745f
GP		 3626 if (pi->conn_state & L2CAP_CONN_REJ_ACT)
3627 pi->conn_state &= ~L2CAP_CONN_REJ_ACT;
3628 else {
f6e6b168
GP		 3629 if (!skb_queue_empty(TX_QUEUE(sk)))
3630 sk->sk_send_head = TX_QUEUE(sk)->next;
e072745f
GP		 3631 pi->next_tx_seq = pi->expected_ack_seq;
3632 l2cap_ertm_send(sk);
3633 }
2246b2f1 3634
e072745f 3635 } else {
e072745f
GP		 3636 if ((pi->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
3637 (pi->unacked_frames > 0))
3638 __mod_retrans_timer();
1c2acffb 3639
2246b2f1 3640 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
e072745f
GP		 3641 if (pi->conn_state & L2CAP_CONN_SREJ_SENT)
3642 l2cap_send_ack(pi);
3643 else
3644 l2cap_ertm_send(sk);
3645 }
3646}
2246b2f1 3647
e072745f
GP		 3648static inline void l2cap_data_channel_rejframe(struct sock *sk, u16 rx_control)
3649{
3650 struct l2cap_pinfo *pi = l2cap_pi(sk);
3651 u8 tx_seq = __get_reqseq(rx_control);
30afb5b2 3652
e072745f
GP		 3653 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3654
8abb52ee 3655 pi->expected_ack_seq = tx_seq;
e072745f
GP		 3656 l2cap_drop_acked_frames(sk);
3657
3658 if (rx_control & L2CAP_CTRL_FINAL) {
3659 if (pi->conn_state & L2CAP_CONN_REJ_ACT)
3660 pi->conn_state &= ~L2CAP_CONN_REJ_ACT;
3661 else {
f6e6b168
GP		 3662 if (!skb_queue_empty(TX_QUEUE(sk)))
3663 sk->sk_send_head = TX_QUEUE(sk)->next;
4ec10d97
GP		 3664 pi->next_tx_seq = pi->expected_ack_seq;
3665 l2cap_ertm_send(sk);
4ec10d97 3666 }
e072745f 3667 } else {
f6e6b168
GP		 3668 if (!skb_queue_empty(TX_QUEUE(sk)))
3669 sk->sk_send_head = TX_QUEUE(sk)->next;
e072745f
GP		 3670 pi->next_tx_seq = pi->expected_ack_seq;
3671 l2cap_ertm_send(sk);
30afb5b2 3672
0301ef04 3673 if (pi->conn_state & L2CAP_CONN_WAIT_F)
e072745f 3674 pi->conn_state |= L2CAP_CONN_REJ_ACT;
e072745f
GP		 3675 }
3676}
3677static inline void l2cap_data_channel_srejframe(struct sock *sk, u16 rx_control)
3678{
3679 struct l2cap_pinfo *pi = l2cap_pi(sk);
3680 u8 tx_seq = __get_reqseq(rx_control);
30afb5b2 3681
e072745f 3682 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
2246b2f1 3683
e072745f
GP		 3684 if (rx_control & L2CAP_CTRL_POLL) {
3685 pi->expected_ack_seq = tx_seq;
3686 l2cap_drop_acked_frames(sk);
3687 l2cap_retransmit_frame(sk, tx_seq);
3688 l2cap_ertm_send(sk);
3689 if (pi->conn_state & L2CAP_CONN_WAIT_F) {
3690 pi->srej_save_reqseq = tx_seq;
3691 pi->conn_state |= L2CAP_CONN_SREJ_ACT;
ef54fd93 3692 }
e072745f
GP		 3693 } else if (rx_control & L2CAP_CTRL_FINAL) {
3694 if ((pi->conn_state & L2CAP_CONN_SREJ_ACT) &&
3695 pi->srej_save_reqseq == tx_seq)
3696 pi->conn_state &= ~L2CAP_CONN_SREJ_ACT;
3697 else
ef54fd93 3698 l2cap_retransmit_frame(sk, tx_seq);
e072745f
GP		 3699 } else {
3700 l2cap_retransmit_frame(sk, tx_seq);
3701 if (pi->conn_state & L2CAP_CONN_WAIT_F) {
3702 pi->srej_save_reqseq = tx_seq;
3703 pi->conn_state |= L2CAP_CONN_SREJ_ACT;
ef54fd93 3704 }
e072745f
GP		 3705 }
3706}
3707
3708static inline void l2cap_data_channel_rnrframe(struct sock *sk, u16 rx_control)
3709{
3710 struct l2cap_pinfo *pi = l2cap_pi(sk);
3711 u8 tx_seq = __get_reqseq(rx_control);
3712
3713 pi->conn_state |= L2CAP_CONN_REMOTE_BUSY;
3714 pi->expected_ack_seq = tx_seq;
3715 l2cap_drop_acked_frames(sk);
3716
99b0d4b7
GP		 3717 if (!(pi->conn_state & L2CAP_CONN_SREJ_SENT)) {
3718 del_timer(&pi->retrans_timer);
3719 if (rx_control & L2CAP_CTRL_POLL) {
3720 u16 control = L2CAP_CTRL_FINAL;
3721 l2cap_send_rr_or_rnr(pi, control);
3722 }
3723 return;
e072745f 3724 }
99b0d4b7
GP		 3725
3726 if (rx_control & L2CAP_CTRL_POLL)
3727 l2cap_send_srejtail(sk);
3728 else
3729 l2cap_send_sframe(pi, L2CAP_SUPER_RCV_READY);
e072745f
GP		 3730}
3731
3732static inline int l2cap_data_channel_sframe(struct sock *sk, u16 rx_control, struct sk_buff *skb)
3733{
3734 BT_DBG("sk %p rx_control 0x%4.4x len %d", sk, rx_control, skb->len);
3735
3736 if (L2CAP_CTRL_FINAL & rx_control) {
3737 del_timer(&l2cap_pi(sk)->monitor_timer);
3738 if (l2cap_pi(sk)->unacked_frames > 0)
3739 __mod_retrans_timer();
3740 l2cap_pi(sk)->conn_state &= ~L2CAP_CONN_WAIT_F;
3741 }
3742
3743 switch (rx_control & L2CAP_CTRL_SUPERVISE) {
3744 case L2CAP_SUPER_RCV_READY:
3745 l2cap_data_channel_rrframe(sk, rx_control);
8f17154f
GP		 3746 break;
3747
e072745f
GP		 3748 case L2CAP_SUPER_REJECT:
3749 l2cap_data_channel_rejframe(sk, rx_control);
3750 break;
2246b2f1 3751
e072745f
GP		 3752 case L2CAP_SUPER_SELECT_REJECT:
3753 l2cap_data_channel_srejframe(sk, rx_control);
3754 break;
3755
3756 case L2CAP_SUPER_RCV_NOT_READY:
3757 l2cap_data_channel_rnrframe(sk, rx_control);
1c2acffb
GP		 3758 break;
3759 }
3760
faaebd19 3761 kfree_skb(skb);
1c2acffb
GP		 3762 return 0;
3763}
3764
1da177e4
LT		 3765static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
3766{
3767 struct sock *sk;
6840ed07 3768 struct l2cap_pinfo *pi;
c74e560c 3769 u16 control, len;
01760bdd 3770 u8 tx_seq, req_seq, next_tx_seq_offset, req_seq_offset;
1da177e4
LT		 3771
3772 sk = l2cap_get_chan_by_scid(&conn->chan_list, cid);
3773 if (!sk) {
3774 BT_DBG("unknown cid 0x%4.4x", cid);
3775 goto drop;
3776 }
3777
6840ed07
GP		 3778 pi = l2cap_pi(sk);
3779
1da177e4
LT		 3780 BT_DBG("sk %p, len %d", sk, skb->len);
3781
3782 if (sk->sk_state != BT_CONNECTED)
3783 goto drop;
3784
6840ed07 3785 switch (pi->mode) {
1c2acffb
GP		 3786 case L2CAP_MODE_BASIC:
3787 /* If socket recv buffers overflows we drop data here
3788 * which is *bad* because L2CAP has to be reliable.
3789 * But we don't have any other choice. L2CAP doesn't
3790 * provide flow control mechanism. */
1da177e4 3791
6840ed07 3792 if (pi->imtu < skb->len)
1c2acffb 3793 goto drop;
1da177e4 3794
1c2acffb
GP		 3795 if (!sock_queue_rcv_skb(sk, skb))
3796 goto done;
3797 break;
3798
3799 case L2CAP_MODE_ERTM:
3800 control = get_unaligned_le16(skb->data);
3801 skb_pull(skb, 2);
c74e560c 3802 len = skb->len;
1c2acffb 3803
c74e560c
GP		 3804 if (__is_sar_start(control))
3805 len -= 2;
3806
fcc203c3
GP		 3807 if (pi->fcs == L2CAP_FCS_CRC16)
3808 len -= 2;
3809
30afb5b2
GP		 3810 /*
3811 * We can just drop the corrupted I-frame here.
3812 * Receiver will miss it and start proper recovery
3813 * procedures and ask retransmission.
3814 */
1c762159 3815 if (len > pi->mps)
1c2acffb
GP		 3816 goto drop;
3817
fcc203c3
GP		 3818 if (l2cap_check_fcs(pi, skb))
3819 goto drop;
3820
01760bdd
JPRV		 3821 req_seq = __get_reqseq(control);
3822 req_seq_offset = (req_seq - pi->expected_ack_seq) % 64;
3823 if (req_seq_offset < 0)
3824 req_seq_offset += 64;
3825
3826 next_tx_seq_offset =
3827 (pi->next_tx_seq - pi->expected_ack_seq) % 64;
3828 if (next_tx_seq_offset < 0)
3829 next_tx_seq_offset += 64;
3830
3831 /* check for invalid req-seq */
3832 if (req_seq_offset > next_tx_seq_offset) {
3833 l2cap_send_disconn_req(pi->conn, sk);
3834 goto drop;
3835 }
3836
277ffbe3
GP		 3837 if (__is_iframe(control)) {
3838 if (len < 4)
3839 goto drop;
3840
fcafde2e 3841 l2cap_data_channel_iframe(sk, control, skb);
277ffbe3
GP		 3842 } else {
3843 if (len != 0)
3844 goto drop;
3845
fcafde2e 3846 l2cap_data_channel_sframe(sk, control, skb);
277ffbe3 3847 }
1c2acffb 3848
fcafde2e 3849 goto done;
1c2acffb 3850
6840ed07
GP		 3851 case L2CAP_MODE_STREAMING:
3852 control = get_unaligned_le16(skb->data);
3853 skb_pull(skb, 2);
3854 len = skb->len;
3855
3856 if (__is_sar_start(control))
3857 len -= 2;
3858
fcc203c3
GP		 3859 if (pi->fcs == L2CAP_FCS_CRC16)
3860 len -= 2;
3861
1c762159 3862 if (len > pi->mps || len < 4 || __is_sframe(control))
6840ed07
GP		 3863 goto drop;
3864
fcc203c3
GP		 3865 if (l2cap_check_fcs(pi, skb))
3866 goto drop;
3867
6840ed07
GP		 3868 tx_seq = __get_txseq(control);
3869
3870 if (pi->expected_tx_seq == tx_seq)
3871 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
3872 else
7dffe421 3873 pi->expected_tx_seq = (tx_seq + 1) % 64;
6840ed07 3874
fcafde2e 3875 l2cap_sar_reassembly_sdu(sk, skb, control);
6840ed07
GP		 3876
3877 goto done;
3878
1c2acffb 3879 default:
e8235c6b 3880 BT_DBG("sk %p: bad mode 0x%2.2x", sk, pi->mode);
1c2acffb
GP		 3881 break;
3882 }
1da177e4
LT		 3883
3884drop:
3885 kfree_skb(skb);
3886
3887done:
0139418c
MH		 3888 if (sk)
3889 bh_unlock_sock(sk);
3890
1da177e4
LT		 3891 return 0;
3892}
3893
8e036fc3 3894static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
1da177e4
LT		 3895{
3896 struct sock *sk;
3897
3898 sk = l2cap_get_sock_by_psm(0, psm, conn->src);
3899 if (!sk)
3900 goto drop;
3901
3902 BT_DBG("sk %p, len %d", sk, skb->len);
3903
3904 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_CONNECTED)
3905 goto drop;
3906
3907 if (l2cap_pi(sk)->imtu < skb->len)
3908 goto drop;
3909
3910 if (!sock_queue_rcv_skb(sk, skb))
3911 goto done;
3912
3913drop:
3914 kfree_skb(skb);
3915
3916done:
af05b30b
GP		 3917 if (sk)
3918 bh_unlock_sock(sk);
1da177e4
LT		 3919 return 0;
3920}
3921
3922static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
3923{
3924 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 3925 u16 cid, len;
3926 __le16 psm;
1da177e4
LT		 3927
3928 skb_pull(skb, L2CAP_HDR_SIZE);
3929 cid = __le16_to_cpu(lh->cid);
3930 len = __le16_to_cpu(lh->len);
3931
1c2acffb
GP		 3932 if (len != skb->len) {
3933 kfree_skb(skb);
3934 return;
3935 }
3936
1da177e4
LT		 3937 BT_DBG("len %d, cid 0x%4.4x", len, cid);
3938
3939 switch (cid) {
8db4dc46 3940 case L2CAP_CID_SIGNALING:
1da177e4
LT		 3941 l2cap_sig_channel(conn, skb);
3942 break;
3943
8db4dc46 3944 case L2CAP_CID_CONN_LESS:
1b7bf4ed 3945 psm = get_unaligned_le16(skb->data);
1da177e4
LT		 3946 skb_pull(skb, 2);
3947 l2cap_conless_channel(conn, psm, skb);
3948 break;
3949
3950 default:
3951 l2cap_data_channel(conn, cid, skb);
3952 break;
3953 }
3954}
3955
3956/* ---- L2CAP interface with lower layer (HCI) ---- */
3957
3958static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
3959{
3960 int exact = 0, lm1 = 0, lm2 = 0;
3961 register struct sock *sk;
3962 struct hlist_node *node;
3963
3964 if (type != ACL_LINK)
3965 return 0;
3966
3967 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
3968
3969 /* Find listening sockets and check their link_mode */
3970 read_lock(&l2cap_sk_list.lock);
3971 sk_for_each(sk, node, &l2cap_sk_list.head) {
3972 if (sk->sk_state != BT_LISTEN)
3973 continue;
3974
3975 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5
MH		 3976 lm1 |= HCI_LM_ACCEPT;
3977 if (l2cap_pi(sk)->role_switch)
3978 lm1 |= HCI_LM_MASTER;
1da177e4 3979 exact++;
2af6b9d5
MH		 3980 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
3981 lm2 |= HCI_LM_ACCEPT;
3982 if (l2cap_pi(sk)->role_switch)
3983 lm2 |= HCI_LM_MASTER;
3984 }
1da177e4
LT		 3985 }
3986 read_unlock(&l2cap_sk_list.lock);
3987
3988 return exact ? lm1 : lm2;
3989}
3990
3991static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
3992{
0139418c
MH		 3993 struct l2cap_conn *conn;
3994
1da177e4
LT		 3995 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
3996
3997 if (hcon->type != ACL_LINK)
3998 return 0;
3999
4000 if (!status) {
1da177e4
LT		 4001 conn = l2cap_conn_add(hcon, status);
4002 if (conn)
4003 l2cap_conn_ready(conn);
0139418c 4004 } else
1da177e4
LT		 4005 l2cap_conn_del(hcon, bt_err(status));
4006
4007 return 0;
4008}
4009
2950f21a
MH		 4010static int l2cap_disconn_ind(struct hci_conn *hcon)
4011{
4012 struct l2cap_conn *conn = hcon->l2cap_data;
4013
4014 BT_DBG("hcon %p", hcon);
4015
4016 if (hcon->type != ACL_LINK || !conn)
4017 return 0x13;
4018
4019 return conn->disc_reason;
4020}
4021
4022static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 4023{
4024 BT_DBG("hcon %p reason %d", hcon, reason);
4025
4026 if (hcon->type != ACL_LINK)
4027 return 0;
4028
4029 l2cap_conn_del(hcon, bt_err(reason));
0139418c 4030
1da177e4
LT		 4031 return 0;
4032}
4033
f62e4323
MH		 4034static inline void l2cap_check_encryption(struct sock *sk, u8 encrypt)
4035{
bd3c9e25 4036 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM)
255c7601
MH		 4037 return;
4038
f62e4323
MH		 4039 if (encrypt == 0x00) {
4040 if (l2cap_pi(sk)->sec_level == BT_SECURITY_MEDIUM) {
4041 l2cap_sock_clear_timer(sk);
4042 l2cap_sock_set_timer(sk, HZ * 5);
4043 } else if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
4044 __l2cap_sock_close(sk, ECONNREFUSED);
4045 } else {
4046 if (l2cap_pi(sk)->sec_level == BT_SECURITY_MEDIUM)
4047 l2cap_sock_clear_timer(sk);
4048 }
4049}
4050
8c1b2355 4051static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4
LT		 4052{
4053 struct l2cap_chan_list *l;
0139418c 4054 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4 4055 struct sock *sk;
1da177e4 4056
0139418c 4057 if (!conn)
1da177e4 4058 return 0;
0139418c 4059
1da177e4
LT		 4060 l = &conn->chan_list;
4061
4062 BT_DBG("conn %p", conn);
4063
4064 read_lock(&l->lock);
4065
4066 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
4067 bh_lock_sock(sk);
4068
6a8d3010
MH		 4069 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_CONNECT_PEND) {
4070 bh_unlock_sock(sk);
4071 continue;
4072 }
4073
f62e4323 4074 if (!status && (sk->sk_state == BT_CONNECTED ||
8c1b2355 4075 sk->sk_state == BT_CONFIG)) {
f62e4323 4076 l2cap_check_encryption(sk, encrypt);
9719f8af
MH		 4077 bh_unlock_sock(sk);
4078 continue;
4079 }
4080
b1235d79
MH		 4081 if (sk->sk_state == BT_CONNECT) {
4082 if (!status) {
4083 struct l2cap_conn_req req;
4084 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
4085 req.psm = l2cap_pi(sk)->psm;
1da177e4 4086
b1235d79 4087 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
1da177e4 4088
b1235d79
MH		 4089 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
4090 L2CAP_CONN_REQ, sizeof(req), &req);
4091 } else {
4092 l2cap_sock_clear_timer(sk);
4093 l2cap_sock_set_timer(sk, HZ / 10);
4094 }
4095 } else if (sk->sk_state == BT_CONNECT2) {
4096 struct l2cap_conn_rsp rsp;
4097 __u16 result;
1da177e4 4098
b1235d79
MH		 4099 if (!status) {
4100 sk->sk_state = BT_CONFIG;
4101 result = L2CAP_CR_SUCCESS;
4102 } else {
4103 sk->sk_state = BT_DISCONN;
4104 l2cap_sock_set_timer(sk, HZ / 10);
4105 result = L2CAP_CR_SEC_BLOCK;
4106 }
4107
4108 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
4109 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
4110 rsp.result = cpu_to_le16(result);
e7c29cb1 4111 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
b1235d79
MH		 4112 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
4113 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
4114 }
1da177e4
LT		 4115
4116 bh_unlock_sock(sk);
4117 }
4118
4119 read_unlock(&l->lock);
b1235d79 4120
1da177e4
LT		 4121 return 0;
4122}
4123
4124static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
4125{
4126 struct l2cap_conn *conn = hcon->l2cap_data;
4127
4128 if (!conn && !(conn = l2cap_conn_add(hcon, 0)))
4129 goto drop;
4130
4131 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
4132
4133 if (flags & ACL_START) {
4134 struct l2cap_hdr *hdr;
4135 int len;
4136
4137 if (conn->rx_len) {
4138 BT_ERR("Unexpected start frame (len %d)", skb->len);
4139 kfree_skb(conn->rx_skb);
4140 conn->rx_skb = NULL;
4141 conn->rx_len = 0;
4142 l2cap_conn_unreliable(conn, ECOMM);
4143 }
4144
4145 if (skb->len < 2) {
4146 BT_ERR("Frame is too short (len %d)", skb->len);
4147 l2cap_conn_unreliable(conn, ECOMM);
4148 goto drop;
4149 }
4150
4151 hdr = (struct l2cap_hdr *) skb->data;
4152 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
4153
4154 if (len == skb->len) {
4155 /* Complete frame received */
4156 l2cap_recv_frame(conn, skb);
4157 return 0;
4158 }
4159
4160 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
4161
4162 if (skb->len > len) {
4163 BT_ERR("Frame is too long (len %d, expected len %d)",
4164 skb->len, len);
4165 l2cap_conn_unreliable(conn, ECOMM);
4166 goto drop;
4167 }
4168
4169 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 4170 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
4171 if (!conn->rx_skb)
1da177e4
LT		 4172 goto drop;
4173
d626f62b 4174 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4175 skb->len);
1da177e4
LT		 4176 conn->rx_len = len - skb->len;
4177 } else {
4178 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
4179
4180 if (!conn->rx_len) {
4181 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
4182 l2cap_conn_unreliable(conn, ECOMM);
4183 goto drop;
4184 }
4185
4186 if (skb->len > conn->rx_len) {
4187 BT_ERR("Fragment is too long (len %d, expected %d)",
4188 skb->len, conn->rx_len);
4189 kfree_skb(conn->rx_skb);
4190 conn->rx_skb = NULL;
4191 conn->rx_len = 0;
4192 l2cap_conn_unreliable(conn, ECOMM);
4193 goto drop;
4194 }
4195
d626f62b 4196 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4197 skb->len);
1da177e4
LT		 4198 conn->rx_len -= skb->len;
4199
4200 if (!conn->rx_len) {
4201 /* Complete frame received */
4202 l2cap_recv_frame(conn, conn->rx_skb);
4203 conn->rx_skb = NULL;
4204 }
4205 }
4206
4207drop:
4208 kfree_skb(skb);
4209 return 0;
4210}
4211
aef7d97c 4212static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4
LT		 4213{
4214 struct sock *sk;
4215 struct hlist_node *node;
1da177e4
LT		 4216
4217 read_lock_bh(&l2cap_sk_list.lock);
4218
be9d1227
MH		 4219 sk_for_each(sk, node, &l2cap_sk_list.head) {
4220 struct l2cap_pinfo *pi = l2cap_pi(sk);
101545f6 4221
aef7d97c
MH		 4222 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d\n",
4223 batostr(&bt_sk(sk)->src),
4224 batostr(&bt_sk(sk)->dst),
4225 sk->sk_state, __le16_to_cpu(pi->psm),
4226 pi->scid, pi->dcid,
4227 pi->imtu, pi->omtu, pi->sec_level);
be9d1227 4228 }
1da177e4 4229
1da177e4 4230 read_unlock_bh(&l2cap_sk_list.lock);
1da177e4 4231
aef7d97c 4232 return 0;
1da177e4
LT		 4233}
4234
aef7d97c
MH		 4235static int l2cap_debugfs_open(struct inode *inode, struct file *file)
4236{
4237 return single_open(file, l2cap_debugfs_show, inode->i_private);
4238}
4239
4240static const struct file_operations l2cap_debugfs_fops = {
4241 .open = l2cap_debugfs_open,
4242 .read = seq_read,
4243 .llseek = seq_lseek,
4244 .release = single_release,
4245};
4246
4247static struct dentry *l2cap_debugfs;
1da177e4 4248
90ddc4f0 4249static const struct proto_ops l2cap_sock_ops = {
1da177e4
LT		 4250 .family = PF_BLUETOOTH,
4251 .owner = THIS_MODULE,
4252 .release = l2cap_sock_release,
4253 .bind = l2cap_sock_bind,
4254 .connect = l2cap_sock_connect,
4255 .listen = l2cap_sock_listen,
4256 .accept = l2cap_sock_accept,
4257 .getname = l2cap_sock_getname,
4258 .sendmsg = l2cap_sock_sendmsg,
f66dc81f 4259 .recvmsg = l2cap_sock_recvmsg,
1da177e4 4260 .poll = bt_sock_poll,
3241ad82 4261 .ioctl = bt_sock_ioctl,
1da177e4
LT		 4262 .mmap = sock_no_mmap,
4263 .socketpair = sock_no_socketpair,
1da177e4
LT		 4264 .shutdown = l2cap_sock_shutdown,
4265 .setsockopt = l2cap_sock_setsockopt,
4266 .getsockopt = l2cap_sock_getsockopt
4267};
4268
ec1b4cf7 4269static const struct net_proto_family l2cap_sock_family_ops = {
1da177e4
LT		 4270 .family = PF_BLUETOOTH,
4271 .owner = THIS_MODULE,
4272 .create = l2cap_sock_create,
4273};
4274
4275static struct hci_proto l2cap_hci_proto = {
4276 .name = "L2CAP",
4277 .id = HCI_PROTO_L2CAP,
4278 .connect_ind = l2cap_connect_ind,
4279 .connect_cfm = l2cap_connect_cfm,
4280 .disconn_ind = l2cap_disconn_ind,
2950f21a 4281 .disconn_cfm = l2cap_disconn_cfm,
8c1b2355 4282 .security_cfm = l2cap_security_cfm,
1da177e4
LT		 4283 .recv_acldata = l2cap_recv_acldata
4284};
4285
4286static int __init l2cap_init(void)
4287{
4288 int err;
be9d1227 4289
1da177e4
LT		 4290 err = proto_register(&l2cap_proto, 0);
4291 if (err < 0)
4292 return err;
4293
4294 err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
4295 if (err < 0) {
4296 BT_ERR("L2CAP socket registration failed");
4297 goto error;
4298 }
4299
4300 err = hci_register_proto(&l2cap_hci_proto);
4301 if (err < 0) {
4302 BT_ERR("L2CAP protocol registration failed");
4303 bt_sock_unregister(BTPROTO_L2CAP);
4304 goto error;
4305 }
4306
aef7d97c
MH		 4307 if (bt_debugfs) {
4308 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
4309 bt_debugfs, NULL, &l2cap_debugfs_fops);
4310 if (!l2cap_debugfs)
4311 BT_ERR("Failed to create L2CAP debug file");
4312 }
1da177e4
LT		 4313
4314 BT_INFO("L2CAP ver %s", VERSION);
4315 BT_INFO("L2CAP socket layer initialized");
4316
4317 return 0;
4318
4319error:
4320 proto_unregister(&l2cap_proto);
4321 return err;
4322}
4323
4324static void __exit l2cap_exit(void)
4325{
aef7d97c 4326 debugfs_remove(l2cap_debugfs);
1da177e4
LT		 4327
4328 if (bt_sock_unregister(BTPROTO_L2CAP) < 0)
4329 BT_ERR("L2CAP socket unregistration failed");
4330
4331 if (hci_unregister_proto(&l2cap_hci_proto) < 0)
4332 BT_ERR("L2CAP protocol unregistration failed");
4333
4334 proto_unregister(&l2cap_proto);
4335}
4336
4337void l2cap_load(void)
4338{
4339 /* Dummy function to trigger automatic L2CAP module loading by
4340 * other modules that use L2CAP sockets but don't use any other
4341 * symbols from it. */
4342 return;
4343}
4344EXPORT_SYMBOL(l2cap_load);
4345
4346module_init(l2cap_init);
4347module_exit(l2cap_exit);
4348
44dd46de
MH		 4349module_param(enable_ertm, bool, 0644);
4350MODULE_PARM_DESC(enable_ertm, "Enable enhanced retransmission mode");
4351
5fbcd3d1
MH		 4352module_param(max_transmit, uint, 0644);
4353MODULE_PARM_DESC(max_transmit, "Max transmit value (default = 3)");
4354
369ba302
GP		 4355module_param(tx_window, uint, 0644);
4356MODULE_PARM_DESC(tx_window, "Transmission window size value (default = 63)");
4357
63fbd24e 4358MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
1da177e4
LT		 4359MODULE_DESCRIPTION("Bluetooth L2CAP ver " VERSION);
4360MODULE_VERSION(VERSION);
4361MODULE_LICENSE("GPL");
4362MODULE_ALIAS("bt-proto-0");
Linux kernel - Deliverables
This page took 1.261303 seconds and 5 git commands to generate.