]> git.proxmox.com Git - mirror_ubuntu-zesty-kernel.git/blame - net/bluetooth/l2cap.c
projects / mirror_ubuntu-zesty-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Remove unneeded control vars
[mirror_ubuntu-zesty-kernel.git] / net / bluetooth / l2cap.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4
5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License version 2 as
9 published by the Free Software Foundation;
10
11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19
8e87d142
YH		 20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 22 SOFTWARE IS DISCLAIMED.
23*/
24
25/* Bluetooth L2CAP core and sockets. */
26
1da177e4
LT		 27#include <linux/module.h>
28
29#include <linux/types.h>
4fc268d2 30#include <linux/capability.h>
1da177e4
LT		 31#include <linux/errno.h>
32#include <linux/kernel.h>
1da177e4
LT		 33#include <linux/sched.h>
34#include <linux/slab.h>
35#include <linux/poll.h>
36#include <linux/fcntl.h>
37#include <linux/init.h>
38#include <linux/interrupt.h>
39#include <linux/socket.h>
40#include <linux/skbuff.h>
1da177e4 41#include <linux/list.h>
be9d1227 42#include <linux/device.h>
aef7d97c
MH		 43#include <linux/debugfs.h>
44#include <linux/seq_file.h>
af05b30b 45#include <linux/uaccess.h>
fcc203c3 46#include <linux/crc16.h>
1da177e4
LT		 47#include <net/sock.h>
48
49#include <asm/system.h>
1da177e4
LT		 50#include <asm/unaligned.h>
51
52#include <net/bluetooth/bluetooth.h>
53#include <net/bluetooth/hci_core.h>
54#include <net/bluetooth/l2cap.h>
55
44dd46de
MH		 56#define VERSION "2.14"
57
84fb0a63
GP		 58#ifdef CONFIG_BT_L2CAP_EXT_FEATURES
59static int enable_ertm = 1;
60#else
44dd46de 61static int enable_ertm = 0;
84fb0a63 62#endif
5fbcd3d1 63static int max_transmit = L2CAP_DEFAULT_MAX_TX;
369ba302 64static int tx_window = L2CAP_DEFAULT_TX_WINDOW;
f0709e03 65
47ec1dcd 66static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
e1027a7c 67static u8 l2cap_fixed_chan[8] = { 0x02, };
1da177e4 68
90ddc4f0 69static const struct proto_ops l2cap_sock_ops;
1da177e4
LT		 70
71static struct bt_sock_list l2cap_sk_list = {
d5fb2962 72 .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
1da177e4
LT		 73};
74
1da177e4
LT		 75static void __l2cap_sock_close(struct sock *sk, int reason);
76static void l2cap_sock_close(struct sock *sk);
77static void l2cap_sock_kill(struct sock *sk);
78
79static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
80 u8 code, u8 ident, u16 dlen, void *data);
81
82/* ---- L2CAP timers ---- */
83static void l2cap_sock_timeout(unsigned long arg)
84{
85 struct sock *sk = (struct sock *) arg;
b1235d79 86 int reason;
1da177e4
LT		 87
88 BT_DBG("sock %p state %d", sk, sk->sk_state);
89
90 bh_lock_sock(sk);
b1235d79 91
f62e4323
MH		 92 if (sk->sk_state == BT_CONNECTED || sk->sk_state == BT_CONFIG)
93 reason = ECONNREFUSED;
94 else if (sk->sk_state == BT_CONNECT &&
2af6b9d5 95 l2cap_pi(sk)->sec_level != BT_SECURITY_SDP)
b1235d79
MH		 96 reason = ECONNREFUSED;
97 else
98 reason = ETIMEDOUT;
99
100 __l2cap_sock_close(sk, reason);
101
1da177e4
LT		 102 bh_unlock_sock(sk);
103
104 l2cap_sock_kill(sk);
105 sock_put(sk);
106}
107
108static void l2cap_sock_set_timer(struct sock *sk, long timeout)
109{
110 BT_DBG("sk %p state %d timeout %ld", sk, sk->sk_state, timeout);
111 sk_reset_timer(sk, &sk->sk_timer, jiffies + timeout);
112}
113
114static void l2cap_sock_clear_timer(struct sock *sk)
115{
116 BT_DBG("sock %p state %d", sk, sk->sk_state);
117 sk_stop_timer(sk, &sk->sk_timer);
118}
119
0139418c
MH		 120/* ---- L2CAP channels ---- */
121static struct sock *__l2cap_get_chan_by_dcid(struct l2cap_chan_list *l, u16 cid)
122{
123 struct sock *s;
124 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
125 if (l2cap_pi(s)->dcid == cid)
126 break;
127 }
128 return s;
129}
130
131static struct sock *__l2cap_get_chan_by_scid(struct l2cap_chan_list *l, u16 cid)
132{
133 struct sock *s;
134 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
135 if (l2cap_pi(s)->scid == cid)
136 break;
137 }
138 return s;
139}
140
141/* Find channel with given SCID.
142 * Returns locked socket */
143static inline struct sock *l2cap_get_chan_by_scid(struct l2cap_chan_list *l, u16 cid)
144{
145 struct sock *s;
146 read_lock(&l->lock);
147 s = __l2cap_get_chan_by_scid(l, cid);
af05b30b
GP		 148 if (s)
149 bh_lock_sock(s);
0139418c
MH		 150 read_unlock(&l->lock);
151 return s;
152}
153
154static struct sock *__l2cap_get_chan_by_ident(struct l2cap_chan_list *l, u8 ident)
155{
156 struct sock *s;
157 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
158 if (l2cap_pi(s)->ident == ident)
159 break;
160 }
161 return s;
162}
163
164static inline struct sock *l2cap_get_chan_by_ident(struct l2cap_chan_list *l, u8 ident)
165{
166 struct sock *s;
167 read_lock(&l->lock);
168 s = __l2cap_get_chan_by_ident(l, ident);
af05b30b
GP		 169 if (s)
170 bh_lock_sock(s);
0139418c
MH		 171 read_unlock(&l->lock);
172 return s;
173}
174
175static u16 l2cap_alloc_cid(struct l2cap_chan_list *l)
176{
8db4dc46 177 u16 cid = L2CAP_CID_DYN_START;
0139418c 178
8db4dc46 179 for (; cid < L2CAP_CID_DYN_END; cid++) {
af05b30b 180 if (!__l2cap_get_chan_by_scid(l, cid))
0139418c
MH		 181 return cid;
182 }
183
184 return 0;
185}
186
187static inline void __l2cap_chan_link(struct l2cap_chan_list *l, struct sock *sk)
188{
189 sock_hold(sk);
190
191 if (l->head)
192 l2cap_pi(l->head)->prev_c = sk;
193
194 l2cap_pi(sk)->next_c = l->head;
195 l2cap_pi(sk)->prev_c = NULL;
196 l->head = sk;
197}
198
199static inline void l2cap_chan_unlink(struct l2cap_chan_list *l, struct sock *sk)
200{
201 struct sock *next = l2cap_pi(sk)->next_c, *prev = l2cap_pi(sk)->prev_c;
202
fd1278d7 203 write_lock_bh(&l->lock);
0139418c
MH		 204 if (sk == l->head)
205 l->head = next;
206
207 if (next)
208 l2cap_pi(next)->prev_c = prev;
209 if (prev)
210 l2cap_pi(prev)->next_c = next;
fd1278d7 211 write_unlock_bh(&l->lock);
0139418c
MH		 212
213 __sock_put(sk);
214}
215
216static void __l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent)
217{
218 struct l2cap_chan_list *l = &conn->chan_list;
219
af05b30b
GP		 220 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
221 l2cap_pi(sk)->psm, l2cap_pi(sk)->dcid);
0139418c 222
2950f21a
MH		 223 conn->disc_reason = 0x13;
224
0139418c
MH		 225 l2cap_pi(sk)->conn = conn;
226
bd3c9e25 227 if (sk->sk_type == SOCK_SEQPACKET || sk->sk_type == SOCK_STREAM) {
0139418c
MH		 228 /* Alloc CID for connection-oriented socket */
229 l2cap_pi(sk)->scid = l2cap_alloc_cid(l);
230 } else if (sk->sk_type == SOCK_DGRAM) {
231 /* Connectionless socket */
8db4dc46
GP		 232 l2cap_pi(sk)->scid = L2CAP_CID_CONN_LESS;
233 l2cap_pi(sk)->dcid = L2CAP_CID_CONN_LESS;
0139418c
MH		 234 l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU;
235 } else {
236 /* Raw socket can send/recv signalling messages only */
8db4dc46
GP		 237 l2cap_pi(sk)->scid = L2CAP_CID_SIGNALING;
238 l2cap_pi(sk)->dcid = L2CAP_CID_SIGNALING;
0139418c
MH		 239 l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU;
240 }
241
242 __l2cap_chan_link(l, sk);
243
244 if (parent)
245 bt_accept_enqueue(parent, sk);
246}
247
8e87d142 248/* Delete channel.
0139418c
MH		 249 * Must be called on the locked socket. */
250static void l2cap_chan_del(struct sock *sk, int err)
251{
252 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
253 struct sock *parent = bt_sk(sk)->parent;
254
255 l2cap_sock_clear_timer(sk);
256
257 BT_DBG("sk %p, conn %p, err %d", sk, conn, err);
258
8e87d142 259 if (conn) {
0139418c
MH		 260 /* Unlink from channel list */
261 l2cap_chan_unlink(&conn->chan_list, sk);
262 l2cap_pi(sk)->conn = NULL;
263 hci_conn_put(conn->hcon);
264 }
265
b1235d79 266 sk->sk_state = BT_CLOSED;
0139418c
MH		 267 sock_set_flag(sk, SOCK_ZAPPED);
268
269 if (err)
270 sk->sk_err = err;
271
272 if (parent) {
273 bt_accept_unlink(sk);
274 parent->sk_data_ready(parent, 0);
275 } else
276 sk->sk_state_change(sk);
277}
278
79d554a6 279/* Service level security */
2af6b9d5 280static inline int l2cap_check_security(struct sock *sk)
79d554a6
MH		 281{
282 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
0684e5f9
MH		 283 __u8 auth_type;
284
00ae4af9
MH		 285 if (l2cap_pi(sk)->psm == cpu_to_le16(0x0001)) {
286 if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
287 auth_type = HCI_AT_NO_BONDING_MITM;
288 else
af05b30b 289 auth_type = HCI_AT_NO_BONDING;
00ae4af9
MH		 290
291 if (l2cap_pi(sk)->sec_level == BT_SECURITY_LOW)
292 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
293 } else {
294 switch (l2cap_pi(sk)->sec_level) {
295 case BT_SECURITY_HIGH:
296 auth_type = HCI_AT_GENERAL_BONDING_MITM;
297 break;
298 case BT_SECURITY_MEDIUM:
299 auth_type = HCI_AT_GENERAL_BONDING;
300 break;
301 default:
302 auth_type = HCI_AT_NO_BONDING;
303 break;
304 }
0684e5f9 305 }
79d554a6 306
0684e5f9
MH		 307 return hci_conn_security(conn->hcon, l2cap_pi(sk)->sec_level,
308 auth_type);
79d554a6
MH		 309}
310
4e8402a3
MH		 311static inline u8 l2cap_get_ident(struct l2cap_conn *conn)
312{
313 u8 id;
314
315 /* Get next available identificator.
316 * 1 - 128 are used by kernel.
317 * 129 - 199 are reserved.
318 * 200 - 254 are used by utilities like l2ping, etc.
319 */
320
321 spin_lock_bh(&conn->lock);
322
323 if (++conn->tx_ident > 128)
324 conn->tx_ident = 1;
325
326 id = conn->tx_ident;
327
328 spin_unlock_bh(&conn->lock);
329
330 return id;
331}
332
333static inline int l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
334{
335 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
336
337 BT_DBG("code 0x%2.2x", code);
338
339 if (!skb)
340 return -ENOMEM;
341
342 return hci_send_acl(conn->hcon, skb, 0);
343}
344
1c2acffb
GP		 345static inline int l2cap_send_sframe(struct l2cap_pinfo *pi, u16 control)
346{
347 struct sk_buff *skb;
348 struct l2cap_hdr *lh;
349 struct l2cap_conn *conn = pi->conn;
fcc203c3
GP		 350 int count, hlen = L2CAP_HDR_SIZE + 2;
351
352 if (pi->fcs == L2CAP_FCS_CRC16)
353 hlen += 2;
1c2acffb
GP		 354
355 BT_DBG("pi %p, control 0x%2.2x", pi, control);
356
fcc203c3 357 count = min_t(unsigned int, conn->mtu, hlen);
1c2acffb
GP		 358 control |= L2CAP_CTRL_FRAME_TYPE;
359
9e917af1
GP		 360 if (pi->conn_state & L2CAP_CONN_SEND_FBIT) {
361 control |= L2CAP_CTRL_FINAL;
362 pi->conn_state &= ~L2CAP_CONN_SEND_FBIT;
363 }
364
f0946ccf
GP		 365 if (pi->conn_state & L2CAP_CONN_SEND_PBIT) {
366 control |= L2CAP_CTRL_POLL;
367 pi->conn_state &= ~L2CAP_CONN_SEND_PBIT;
368 }
369
1c2acffb
GP		 370 skb = bt_skb_alloc(count, GFP_ATOMIC);
371 if (!skb)
372 return -ENOMEM;
373
374 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fcc203c3 375 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
1c2acffb
GP		 376 lh->cid = cpu_to_le16(pi->dcid);
377 put_unaligned_le16(control, skb_put(skb, 2));
378
fcc203c3
GP		 379 if (pi->fcs == L2CAP_FCS_CRC16) {
380 u16 fcs = crc16(0, (u8 *)lh, count - 2);
381 put_unaligned_le16(fcs, skb_put(skb, 2));
382 }
383
1c2acffb
GP		 384 return hci_send_acl(pi->conn->hcon, skb, 0);
385}
386
7e743090
GP		 387static inline int l2cap_send_rr_or_rnr(struct l2cap_pinfo *pi, u16 control)
388{
389 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY)
390 control |= L2CAP_SUPER_RCV_NOT_READY;
391 else
392 control |= L2CAP_SUPER_RCV_READY;
393
2ab25cdd
GP		 394 control |= pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
395
7e743090
GP		 396 return l2cap_send_sframe(pi, control);
397}
398
79d554a6
MH		 399static void l2cap_do_start(struct sock *sk)
400{
401 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
402
403 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 404 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
405 return;
406
2af6b9d5 407 if (l2cap_check_security(sk)) {
b1235d79
MH		 408 struct l2cap_conn_req req;
409 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
410 req.psm = l2cap_pi(sk)->psm;
79d554a6 411
b1235d79 412 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
79d554a6 413
b1235d79 414 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
79d554a6 415 L2CAP_CONN_REQ, sizeof(req), &req);
b1235d79 416 }
79d554a6
MH		 417 } else {
418 struct l2cap_info_req req;
419 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
420
421 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
422 conn->info_ident = l2cap_get_ident(conn);
423
424 mod_timer(&conn->info_timer, jiffies +
425 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
426
427 l2cap_send_cmd(conn, conn->info_ident,
428 L2CAP_INFO_REQ, sizeof(req), &req);
429 }
430}
431
22121fc9
GP		 432static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct sock *sk)
433{
434 struct l2cap_disconn_req req;
435
436 req.dcid = cpu_to_le16(l2cap_pi(sk)->dcid);
437 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
438 l2cap_send_cmd(conn, l2cap_get_ident(conn),
439 L2CAP_DISCONN_REQ, sizeof(req), &req);
440}
441
1da177e4 442/* ---- L2CAP connections ---- */
4e8402a3
MH		 443static void l2cap_conn_start(struct l2cap_conn *conn)
444{
445 struct l2cap_chan_list *l = &conn->chan_list;
446 struct sock *sk;
447
448 BT_DBG("conn %p", conn);
449
450 read_lock(&l->lock);
451
452 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
453 bh_lock_sock(sk);
454
bd3c9e25
GP		 455 if (sk->sk_type != SOCK_SEQPACKET &&
456 sk->sk_type != SOCK_STREAM) {
79d554a6
MH		 457 bh_unlock_sock(sk);
458 continue;
459 }
460
461 if (sk->sk_state == BT_CONNECT) {
2af6b9d5 462 if (l2cap_check_security(sk)) {
b1235d79
MH		 463 struct l2cap_conn_req req;
464 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
465 req.psm = l2cap_pi(sk)->psm;
79d554a6 466
b1235d79 467 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
79d554a6 468
b1235d79 469 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
4e8402a3 470 L2CAP_CONN_REQ, sizeof(req), &req);
b1235d79 471 }
79d554a6
MH		 472 } else if (sk->sk_state == BT_CONNECT2) {
473 struct l2cap_conn_rsp rsp;
474 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
475 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
476
2af6b9d5 477 if (l2cap_check_security(sk)) {
f66dc81f
MH		 478 if (bt_sk(sk)->defer_setup) {
479 struct sock *parent = bt_sk(sk)->parent;
480 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
481 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
482 parent->sk_data_ready(parent, 0);
483
484 } else {
485 sk->sk_state = BT_CONFIG;
486 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
487 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
488 }
79d554a6
MH		 489 } else {
490 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
491 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
492 }
493
494 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
495 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
4e8402a3
MH		 496 }
497
498 bh_unlock_sock(sk);
499 }
500
501 read_unlock(&l->lock);
502}
503
504static void l2cap_conn_ready(struct l2cap_conn *conn)
505{
79d554a6
MH		 506 struct l2cap_chan_list *l = &conn->chan_list;
507 struct sock *sk;
4e8402a3 508
79d554a6 509 BT_DBG("conn %p", conn);
4e8402a3 510
79d554a6 511 read_lock(&l->lock);
4e8402a3 512
79d554a6
MH		 513 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
514 bh_lock_sock(sk);
4e8402a3 515
bd3c9e25
GP		 516 if (sk->sk_type != SOCK_SEQPACKET &&
517 sk->sk_type != SOCK_STREAM) {
79d554a6
MH		 518 l2cap_sock_clear_timer(sk);
519 sk->sk_state = BT_CONNECTED;
520 sk->sk_state_change(sk);
521 } else if (sk->sk_state == BT_CONNECT)
522 l2cap_do_start(sk);
4e8402a3 523
79d554a6 524 bh_unlock_sock(sk);
4e8402a3 525 }
79d554a6
MH		 526
527 read_unlock(&l->lock);
4e8402a3
MH		 528}
529
530/* Notify sockets that we cannot guaranty reliability anymore */
531static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
532{
533 struct l2cap_chan_list *l = &conn->chan_list;
534 struct sock *sk;
535
536 BT_DBG("conn %p", conn);
537
538 read_lock(&l->lock);
539
540 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
2af6b9d5 541 if (l2cap_pi(sk)->force_reliable)
4e8402a3
MH		 542 sk->sk_err = err;
543 }
544
545 read_unlock(&l->lock);
546}
547
548static void l2cap_info_timeout(unsigned long arg)
549{
550 struct l2cap_conn *conn = (void *) arg;
551
984947dc 552 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 553 conn->info_ident = 0;
984947dc 554
4e8402a3
MH		 555 l2cap_conn_start(conn);
556}
557
1da177e4
LT		 558static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
559{
0139418c 560 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4 561
0139418c 562 if (conn || status)
1da177e4
LT		 563 return conn;
564
0139418c
MH		 565 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
566 if (!conn)
1da177e4 567 return NULL;
1da177e4
LT		 568
569 hcon->l2cap_data = conn;
570 conn->hcon = hcon;
571
0139418c
MH		 572 BT_DBG("hcon %p conn %p", hcon, conn);
573
1da177e4
LT		 574 conn->mtu = hcon->hdev->acl_mtu;
575 conn->src = &hcon->hdev->bdaddr;
576 conn->dst = &hcon->dst;
577
4e8402a3
MH		 578 conn->feat_mask = 0;
579
1da177e4
LT		 580 spin_lock_init(&conn->lock);
581 rwlock_init(&conn->chan_list.lock);
582
45054dc1
DY		 583 setup_timer(&conn->info_timer, l2cap_info_timeout,
584 (unsigned long) conn);
585
2950f21a
MH		 586 conn->disc_reason = 0x13;
587
1da177e4
LT		 588 return conn;
589}
590
0139418c 591static void l2cap_conn_del(struct hci_conn *hcon, int err)
1da177e4 592{
0139418c 593 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4
LT		 594 struct sock *sk;
595
0139418c
MH		 596 if (!conn)
597 return;
1da177e4
LT		 598
599 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
600
7585b97a 601 kfree_skb(conn->rx_skb);
1da177e4
LT		 602
603 /* Kill channels */
604 while ((sk = conn->chan_list.head)) {
605 bh_lock_sock(sk);
606 l2cap_chan_del(sk, err);
607 bh_unlock_sock(sk);
608 l2cap_sock_kill(sk);
609 }
610
8e8440f5
DY		 611 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
612 del_timer_sync(&conn->info_timer);
3ab22731 613
1da177e4
LT		 614 hcon->l2cap_data = NULL;
615 kfree(conn);
1da177e4
LT		 616}
617
618static inline void l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent)
619{
620 struct l2cap_chan_list *l = &conn->chan_list;
fd1278d7 621 write_lock_bh(&l->lock);
1da177e4 622 __l2cap_chan_add(conn, sk, parent);
fd1278d7 623 write_unlock_bh(&l->lock);
1da177e4
LT		 624}
625
1da177e4 626/* ---- Socket interface ---- */
8e036fc3 627static struct sock *__l2cap_get_sock_by_addr(__le16 psm, bdaddr_t *src)
1da177e4
LT		 628{
629 struct sock *sk;
630 struct hlist_node *node;
631 sk_for_each(sk, node, &l2cap_sk_list.head)
632 if (l2cap_pi(sk)->sport == psm && !bacmp(&bt_sk(sk)->src, src))
633 goto found;
634 sk = NULL;
635found:
636 return sk;
637}
638
639/* Find socket with psm and source bdaddr.
640 * Returns closest match.
641 */
8e036fc3 642static struct sock *__l2cap_get_sock_by_psm(int state, __le16 psm, bdaddr_t *src)
1da177e4
LT		 643{
644 struct sock *sk = NULL, *sk1 = NULL;
645 struct hlist_node *node;
646
647 sk_for_each(sk, node, &l2cap_sk_list.head) {
648 if (state && sk->sk_state != state)
649 continue;
650
651 if (l2cap_pi(sk)->psm == psm) {
652 /* Exact match. */
653 if (!bacmp(&bt_sk(sk)->src, src))
654 break;
655
656 /* Closest match */
657 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
658 sk1 = sk;
659 }
660 }
661 return node ? sk : sk1;
662}
663
664/* Find socket with given address (psm, src).
665 * Returns locked socket */
8e036fc3 666static inline struct sock *l2cap_get_sock_by_psm(int state, __le16 psm, bdaddr_t *src)
1da177e4
LT		 667{
668 struct sock *s;
669 read_lock(&l2cap_sk_list.lock);
670 s = __l2cap_get_sock_by_psm(state, psm, src);
af05b30b
GP		 671 if (s)
672 bh_lock_sock(s);
1da177e4
LT		 673 read_unlock(&l2cap_sk_list.lock);
674 return s;
675}
676
677static void l2cap_sock_destruct(struct sock *sk)
678{
679 BT_DBG("sk %p", sk);
680
681 skb_queue_purge(&sk->sk_receive_queue);
682 skb_queue_purge(&sk->sk_write_queue);
683}
684
685static void l2cap_sock_cleanup_listen(struct sock *parent)
686{
687 struct sock *sk;
688
689 BT_DBG("parent %p", parent);
690
691 /* Close not yet accepted channels */
692 while ((sk = bt_accept_dequeue(parent, NULL)))
693 l2cap_sock_close(sk);
694
b1235d79 695 parent->sk_state = BT_CLOSED;
1da177e4
LT		 696 sock_set_flag(parent, SOCK_ZAPPED);
697}
698
699/* Kill socket (only if zapped and orphan)
700 * Must be called on unlocked socket.
701 */
702static void l2cap_sock_kill(struct sock *sk)
703{
704 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
705 return;
706
707 BT_DBG("sk %p state %d", sk, sk->sk_state);
708
709 /* Kill poor orphan */
710 bt_sock_unlink(&l2cap_sk_list, sk);
711 sock_set_flag(sk, SOCK_DEAD);
712 sock_put(sk);
713}
714
715static void __l2cap_sock_close(struct sock *sk, int reason)
716{
717 BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
718
719 switch (sk->sk_state) {
720 case BT_LISTEN:
721 l2cap_sock_cleanup_listen(sk);
722 break;
723
724 case BT_CONNECTED:
725 case BT_CONFIG:
bd3c9e25
GP		 726 if (sk->sk_type == SOCK_SEQPACKET ||
727 sk->sk_type == SOCK_STREAM) {
1da177e4 728 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1da177e4
LT		 729
730 sk->sk_state = BT_DISCONN;
731 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
22121fc9 732 l2cap_send_disconn_req(conn, sk);
b1235d79 733 } else
1da177e4 734 l2cap_chan_del(sk, reason);
1da177e4
LT		 735 break;
736
f66dc81f 737 case BT_CONNECT2:
bd3c9e25
GP		 738 if (sk->sk_type == SOCK_SEQPACKET ||
739 sk->sk_type == SOCK_STREAM) {
f66dc81f
MH		 740 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
741 struct l2cap_conn_rsp rsp;
742 __u16 result;
743
744 if (bt_sk(sk)->defer_setup)
745 result = L2CAP_CR_SEC_BLOCK;
746 else
747 result = L2CAP_CR_BAD_PSM;
748
749 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
750 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
751 rsp.result = cpu_to_le16(result);
752 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
753 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
754 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
755 } else
756 l2cap_chan_del(sk, reason);
757 break;
758
1da177e4
LT		 759 case BT_CONNECT:
760 case BT_DISCONN:
761 l2cap_chan_del(sk, reason);
762 break;
763
764 default:
765 sock_set_flag(sk, SOCK_ZAPPED);
766 break;
767 }
768}
769
770/* Must be called on unlocked socket. */
771static void l2cap_sock_close(struct sock *sk)
772{
773 l2cap_sock_clear_timer(sk);
774 lock_sock(sk);
775 __l2cap_sock_close(sk, ECONNRESET);
776 release_sock(sk);
777 l2cap_sock_kill(sk);
778}
779
780static void l2cap_sock_init(struct sock *sk, struct sock *parent)
781{
782 struct l2cap_pinfo *pi = l2cap_pi(sk);
783
784 BT_DBG("sk %p", sk);
785
786 if (parent) {
787 sk->sk_type = parent->sk_type;
f66dc81f
MH		 788 bt_sk(sk)->defer_setup = bt_sk(parent)->defer_setup;
789
1da177e4
LT		 790 pi->imtu = l2cap_pi(parent)->imtu;
791 pi->omtu = l2cap_pi(parent)->omtu;
c6b03cf9
MH		 792 pi->mode = l2cap_pi(parent)->mode;
793 pi->fcs = l2cap_pi(parent)->fcs;
68d7f0ce 794 pi->max_tx = l2cap_pi(parent)->max_tx;
14b5aa71 795 pi->tx_win = l2cap_pi(parent)->tx_win;
2af6b9d5
MH		 796 pi->sec_level = l2cap_pi(parent)->sec_level;
797 pi->role_switch = l2cap_pi(parent)->role_switch;
798 pi->force_reliable = l2cap_pi(parent)->force_reliable;
1da177e4
LT		 799 } else {
800 pi->imtu = L2CAP_DEFAULT_MTU;
801 pi->omtu = 0;
bd3c9e25
GP		 802 if (enable_ertm && sk->sk_type == SOCK_STREAM)
803 pi->mode = L2CAP_MODE_ERTM;
804 else
805 pi->mode = L2CAP_MODE_BASIC;
68d7f0ce 806 pi->max_tx = max_transmit;
c6b03cf9 807 pi->fcs = L2CAP_FCS_CRC16;
369ba302 808 pi->tx_win = tx_window;
2af6b9d5
MH		 809 pi->sec_level = BT_SECURITY_LOW;
810 pi->role_switch = 0;
811 pi->force_reliable = 0;
1da177e4
LT		 812 }
813
814 /* Default config options */
5dee9e7c 815 pi->conf_len = 0;
1da177e4 816 pi->flush_to = L2CAP_DEFAULT_FLUSH_TO;
45054dc1
DY		 817 skb_queue_head_init(TX_QUEUE(sk));
818 skb_queue_head_init(SREJ_QUEUE(sk));
819 INIT_LIST_HEAD(SREJ_LIST(sk));
1da177e4
LT		 820}
821
822static struct proto l2cap_proto = {
823 .name = "L2CAP",
824 .owner = THIS_MODULE,
825 .obj_size = sizeof(struct l2cap_pinfo)
826};
827
1b8d7ae4 828static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio)
1da177e4
LT		 829{
830 struct sock *sk;
831
6257ff21 832 sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto);
1da177e4
LT		 833 if (!sk)
834 return NULL;
835
836 sock_init_data(sock, sk);
837 INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
838
839 sk->sk_destruct = l2cap_sock_destruct;
4e8402a3 840 sk->sk_sndtimeo = msecs_to_jiffies(L2CAP_CONN_TIMEOUT);
1da177e4
LT		 841
842 sock_reset_flag(sk, SOCK_ZAPPED);
843
844 sk->sk_protocol = proto;
b1235d79 845 sk->sk_state = BT_OPEN;
1da177e4 846
b1235d79 847 setup_timer(&sk->sk_timer, l2cap_sock_timeout, (unsigned long) sk);
1da177e4
LT		 848
849 bt_sock_link(&l2cap_sk_list, sk);
850 return sk;
851}
852
3f378b68
EP		 853static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
854 int kern)
1da177e4
LT		 855{
856 struct sock *sk;
857
858 BT_DBG("sock %p", sock);
859
860 sock->state = SS_UNCONNECTED;
861
bd3c9e25 862 if (sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM &&
1da177e4
LT		 863 sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
864 return -ESOCKTNOSUPPORT;
865
c84b3268 866 if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
1da177e4
LT		 867 return -EPERM;
868
869 sock->ops = &l2cap_sock_ops;
870
1b8d7ae4 871 sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC);
1da177e4
LT		 872 if (!sk)
873 return -ENOMEM;
874
875 l2cap_sock_init(sk, NULL);
876 return 0;
877}
878
f29972de 879static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
1da177e4 880{
1da177e4 881 struct sock *sk = sock->sk;
f29972de
MH		 882 struct sockaddr_l2 la;
883 int len, err = 0;
1da177e4 884
f29972de 885 BT_DBG("sk %p", sk);
1da177e4
LT		 886
887 if (!addr || addr->sa_family != AF_BLUETOOTH)
888 return -EINVAL;
889
f29972de
MH		 890 memset(&la, 0, sizeof(la));
891 len = min_t(unsigned int, sizeof(la), alen);
892 memcpy(&la, addr, len);
893
2a517ca6
MH		 894 if (la.l2_cid)
895 return -EINVAL;
896
1da177e4
LT		 897 lock_sock(sk);
898
899 if (sk->sk_state != BT_OPEN) {
900 err = -EBADFD;
901 goto done;
902 }
903
b4324b5d 904 if (la.l2_psm && __le16_to_cpu(la.l2_psm) < 0x1001 &&
847641d7
MH		 905 !capable(CAP_NET_BIND_SERVICE)) {
906 err = -EACCES;
907 goto done;
908 }
8e87d142 909
1da177e4
LT		 910 write_lock_bh(&l2cap_sk_list.lock);
911
f29972de 912 if (la.l2_psm && __l2cap_get_sock_by_addr(la.l2_psm, &la.l2_bdaddr)) {
1da177e4
LT		 913 err = -EADDRINUSE;
914 } else {
915 /* Save source address */
f29972de
MH		 916 bacpy(&bt_sk(sk)->src, &la.l2_bdaddr);
917 l2cap_pi(sk)->psm = la.l2_psm;
918 l2cap_pi(sk)->sport = la.l2_psm;
1da177e4 919 sk->sk_state = BT_BOUND;
2af6b9d5 920
b4324b5d
MH		 921 if (__le16_to_cpu(la.l2_psm) == 0x0001 ||
922 __le16_to_cpu(la.l2_psm) == 0x0003)
2af6b9d5 923 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
1da177e4
LT		 924 }
925
926 write_unlock_bh(&l2cap_sk_list.lock);
927
928done:
929 release_sock(sk);
930 return err;
931}
932
933static int l2cap_do_connect(struct sock *sk)
934{
935 bdaddr_t *src = &bt_sk(sk)->src;
936 bdaddr_t *dst = &bt_sk(sk)->dst;
937 struct l2cap_conn *conn;
938 struct hci_conn *hcon;
939 struct hci_dev *hdev;
09ab6f4c 940 __u8 auth_type;
44d0e48e 941 int err;
1da177e4 942
f29972de
MH		 943 BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
944 l2cap_pi(sk)->psm);
1da177e4 945
af05b30b
GP		 946 hdev = hci_get_route(dst, src);
947 if (!hdev)
1da177e4
LT		 948 return -EHOSTUNREACH;
949
950 hci_dev_lock_bh(hdev);
951
952 err = -ENOMEM;
953
8c1b2355 954 if (sk->sk_type == SOCK_RAW) {
2af6b9d5
MH		 955 switch (l2cap_pi(sk)->sec_level) {
956 case BT_SECURITY_HIGH:
8c1b2355 957 auth_type = HCI_AT_DEDICATED_BONDING_MITM;
2af6b9d5
MH		 958 break;
959 case BT_SECURITY_MEDIUM:
8c1b2355 960 auth_type = HCI_AT_DEDICATED_BONDING;
2af6b9d5
MH		 961 break;
962 default:
09ab6f4c 963 auth_type = HCI_AT_NO_BONDING;
2af6b9d5
MH		 964 break;
965 }
8c1b2355 966 } else if (l2cap_pi(sk)->psm == cpu_to_le16(0x0001)) {
2af6b9d5 967 if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
8c1b2355 968 auth_type = HCI_AT_NO_BONDING_MITM;
09ab6f4c 969 else
8c1b2355 970 auth_type = HCI_AT_NO_BONDING;
435fef20
MH		 971
972 if (l2cap_pi(sk)->sec_level == BT_SECURITY_LOW)
973 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
8c1b2355 974 } else {
2af6b9d5
MH		 975 switch (l2cap_pi(sk)->sec_level) {
976 case BT_SECURITY_HIGH:
8c1b2355 977 auth_type = HCI_AT_GENERAL_BONDING_MITM;
2af6b9d5
MH		 978 break;
979 case BT_SECURITY_MEDIUM:
09ab6f4c 980 auth_type = HCI_AT_GENERAL_BONDING;
2af6b9d5
MH		 981 break;
982 default:
8c1b2355 983 auth_type = HCI_AT_NO_BONDING;
2af6b9d5
MH		 984 break;
985 }
09ab6f4c
MH		 986 }
987
2af6b9d5
MH		 988 hcon = hci_connect(hdev, ACL_LINK, dst,
989 l2cap_pi(sk)->sec_level, auth_type);
1da177e4
LT		 990 if (!hcon)
991 goto done;
992
993 conn = l2cap_conn_add(hcon, 0);
994 if (!conn) {
995 hci_conn_put(hcon);
996 goto done;
997 }
998
999 err = 0;
1000
1001 /* Update source addr of the socket */
1002 bacpy(src, conn->src);
1003
1004 l2cap_chan_add(conn, sk, NULL);
1005
1006 sk->sk_state = BT_CONNECT;
1007 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
1008
1009 if (hcon->state == BT_CONNECTED) {
bd3c9e25
GP		 1010 if (sk->sk_type != SOCK_SEQPACKET &&
1011 sk->sk_type != SOCK_STREAM) {
1da177e4
LT		 1012 l2cap_sock_clear_timer(sk);
1013 sk->sk_state = BT_CONNECTED;
79d554a6
MH		 1014 } else
1015 l2cap_do_start(sk);
1da177e4
LT		 1016 }
1017
1018done:
1019 hci_dev_unlock_bh(hdev);
1020 hci_dev_put(hdev);
1021 return err;
1022}
1023
1024static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags)
1025{
1da177e4 1026 struct sock *sk = sock->sk;
f29972de
MH		 1027 struct sockaddr_l2 la;
1028 int len, err = 0;
1da177e4 1029
1da177e4
LT		 1030 BT_DBG("sk %p", sk);
1031
6503d961
CG		 1032 if (!addr || alen < sizeof(addr->sa_family) ||
1033 addr->sa_family != AF_BLUETOOTH)
2a517ca6 1034 return -EINVAL;
1da177e4 1035
f29972de
MH		 1036 memset(&la, 0, sizeof(la));
1037 len = min_t(unsigned int, sizeof(la), alen);
1038 memcpy(&la, addr, len);
1039
2a517ca6
MH		 1040 if (la.l2_cid)
1041 return -EINVAL;
1042
1043 lock_sock(sk);
1044
bd3c9e25
GP		 1045 if ((sk->sk_type == SOCK_SEQPACKET || sk->sk_type == SOCK_STREAM)
1046 && !la.l2_psm) {
1da177e4
LT		 1047 err = -EINVAL;
1048 goto done;
1049 }
1050
c6b03cf9
MH		 1051 switch (l2cap_pi(sk)->mode) {
1052 case L2CAP_MODE_BASIC:
1053 break;
1054 case L2CAP_MODE_ERTM:
f2fcfcd6 1055 case L2CAP_MODE_STREAMING:
c6b03cf9
MH		 1056 if (enable_ertm)
1057 break;
1058 /* fall through */
1059 default:
1060 err = -ENOTSUPP;
1061 goto done;
1062 }
1063
af05b30b 1064 switch (sk->sk_state) {
1da177e4
LT		 1065 case BT_CONNECT:
1066 case BT_CONNECT2:
1067 case BT_CONFIG:
1068 /* Already connecting */
1069 goto wait;
1070
1071 case BT_CONNECTED:
1072 /* Already connected */
1073 goto done;
1074
1075 case BT_OPEN:
1076 case BT_BOUND:
1077 /* Can connect */
1078 break;
1079
1080 default:
1081 err = -EBADFD;
1082 goto done;
1083 }
1084
1085 /* Set destination address and psm */
f29972de
MH		 1086 bacpy(&bt_sk(sk)->dst, &la.l2_bdaddr);
1087 l2cap_pi(sk)->psm = la.l2_psm;
1da177e4 1088
af05b30b
GP		 1089 err = l2cap_do_connect(sk);
1090 if (err)
1da177e4
LT		 1091 goto done;
1092
1093wait:
1094 err = bt_sock_wait_state(sk, BT_CONNECTED,
1095 sock_sndtimeo(sk, flags & O_NONBLOCK));
1096done:
1097 release_sock(sk);
1098 return err;
1099}
1100
1101static int l2cap_sock_listen(struct socket *sock, int backlog)
1102{
1103 struct sock *sk = sock->sk;
1104 int err = 0;
1105
1106 BT_DBG("sk %p backlog %d", sk, backlog);
1107
1108 lock_sock(sk);
1109
bd3c9e25
GP		 1110 if ((sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM)
1111 || sk->sk_state != BT_BOUND) {
1da177e4
LT		 1112 err = -EBADFD;
1113 goto done;
1114 }
1115
c6b03cf9
MH		 1116 switch (l2cap_pi(sk)->mode) {
1117 case L2CAP_MODE_BASIC:
1118 break;
1119 case L2CAP_MODE_ERTM:
f2fcfcd6 1120 case L2CAP_MODE_STREAMING:
c6b03cf9
MH		 1121 if (enable_ertm)
1122 break;
1123 /* fall through */
1124 default:
1125 err = -ENOTSUPP;
1126 goto done;
1127 }
1128
1da177e4
LT		 1129 if (!l2cap_pi(sk)->psm) {
1130 bdaddr_t *src = &bt_sk(sk)->src;
1131 u16 psm;
1132
1133 err = -EINVAL;
1134
1135 write_lock_bh(&l2cap_sk_list.lock);
1136
1137 for (psm = 0x1001; psm < 0x1100; psm += 2)
b4324b5d
MH		 1138 if (!__l2cap_get_sock_by_addr(cpu_to_le16(psm), src)) {
1139 l2cap_pi(sk)->psm = cpu_to_le16(psm);
1140 l2cap_pi(sk)->sport = cpu_to_le16(psm);
1da177e4
LT		 1141 err = 0;
1142 break;
1143 }
1144
1145 write_unlock_bh(&l2cap_sk_list.lock);
1146
1147 if (err < 0)
1148 goto done;
1149 }
1150
1151 sk->sk_max_ack_backlog = backlog;
1152 sk->sk_ack_backlog = 0;
1153 sk->sk_state = BT_LISTEN;
1154
1155done:
1156 release_sock(sk);
1157 return err;
1158}
1159
1160static int l2cap_sock_accept(struct socket *sock, struct socket *newsock, int flags)
1161{
1162 DECLARE_WAITQUEUE(wait, current);
1163 struct sock *sk = sock->sk, *nsk;
1164 long timeo;
1165 int err = 0;
1166
fcc70d5f 1167 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
1da177e4
LT		 1168
1169 if (sk->sk_state != BT_LISTEN) {
1170 err = -EBADFD;
1171 goto done;
1172 }
1173
1174 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
1175
1176 BT_DBG("sk %p timeo %ld", sk, timeo);
1177
1178 /* Wait for an incoming connection. (wake-one). */
aa395145 1179 add_wait_queue_exclusive(sk_sleep(sk), &wait);
1da177e4
LT		 1180 while (!(nsk = bt_accept_dequeue(sk, newsock))) {
1181 set_current_state(TASK_INTERRUPTIBLE);
1182 if (!timeo) {
1183 err = -EAGAIN;
1184 break;
1185 }
1186
1187 release_sock(sk);
1188 timeo = schedule_timeout(timeo);
fcc70d5f 1189 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
1da177e4
LT		 1190
1191 if (sk->sk_state != BT_LISTEN) {
1192 err = -EBADFD;
1193 break;
1194 }
1195
1196 if (signal_pending(current)) {
1197 err = sock_intr_errno(timeo);
1198 break;
1199 }
1200 }
1201 set_current_state(TASK_RUNNING);
aa395145 1202 remove_wait_queue(sk_sleep(sk), &wait);
1da177e4
LT		 1203
1204 if (err)
1205 goto done;
1206
1207 newsock->state = SS_CONNECTED;
1208
1209 BT_DBG("new socket %p", nsk);
1210
1211done:
1212 release_sock(sk);
1213 return err;
1214}
1215
1216static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr, int *len, int peer)
1217{
1218 struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
1219 struct sock *sk = sock->sk;
1220
1221 BT_DBG("sock %p, sk %p", sock, sk);
1222
1223 addr->sa_family = AF_BLUETOOTH;
1224 *len = sizeof(struct sockaddr_l2);
1225
f29972de
MH		 1226 if (peer) {
1227 la->l2_psm = l2cap_pi(sk)->psm;
1da177e4 1228 bacpy(&la->l2_bdaddr, &bt_sk(sk)->dst);
b4324b5d 1229 la->l2_cid = cpu_to_le16(l2cap_pi(sk)->dcid);
f29972de
MH		 1230 } else {
1231 la->l2_psm = l2cap_pi(sk)->sport;
1da177e4 1232 bacpy(&la->l2_bdaddr, &bt_sk(sk)->src);
b4324b5d 1233 la->l2_cid = cpu_to_le16(l2cap_pi(sk)->scid);
f29972de 1234 }
1da177e4 1235
1da177e4
LT		 1236 return 0;
1237}
1238
e90bac06
GP		 1239static void l2cap_monitor_timeout(unsigned long arg)
1240{
1241 struct sock *sk = (void *) arg;
e90bac06 1242
e686219a 1243 bh_lock_sock(sk);
e90bac06
GP		 1244 if (l2cap_pi(sk)->retry_count >= l2cap_pi(sk)->remote_max_tx) {
1245 l2cap_send_disconn_req(l2cap_pi(sk)->conn, sk);
b13f5860 1246 bh_unlock_sock(sk);
e90bac06
GP		 1247 return;
1248 }
1249
1250 l2cap_pi(sk)->retry_count++;
1251 __mod_monitor_timer();
1252
a2e12a2a 1253 l2cap_send_rr_or_rnr(l2cap_pi(sk), L2CAP_CTRL_POLL);
e686219a 1254 bh_unlock_sock(sk);
e90bac06
GP		 1255}
1256
1257static void l2cap_retrans_timeout(unsigned long arg)
1258{
1259 struct sock *sk = (void *) arg;
e90bac06 1260
e686219a 1261 bh_lock_sock(sk);
e90bac06
GP		 1262 l2cap_pi(sk)->retry_count = 1;
1263 __mod_monitor_timer();
1264
1265 l2cap_pi(sk)->conn_state |= L2CAP_CONN_WAIT_F;
1266
a2e12a2a 1267 l2cap_send_rr_or_rnr(l2cap_pi(sk), L2CAP_CTRL_POLL);
e686219a 1268 bh_unlock_sock(sk);
e90bac06
GP		 1269}
1270
1c2acffb 1271static void l2cap_drop_acked_frames(struct sock *sk)
1da177e4 1272{
1c2acffb 1273 struct sk_buff *skb;
1da177e4 1274
812e737e
GP		 1275 while ((skb = skb_peek(TX_QUEUE(sk))) &&
1276 l2cap_pi(sk)->unacked_frames) {
1c2acffb
GP		 1277 if (bt_cb(skb)->tx_seq == l2cap_pi(sk)->expected_ack_seq)
1278 break;
1da177e4 1279
1c2acffb
GP		 1280 skb = skb_dequeue(TX_QUEUE(sk));
1281 kfree_skb(skb);
1da177e4 1282
1c2acffb
GP		 1283 l2cap_pi(sk)->unacked_frames--;
1284 }
1da177e4 1285
e90bac06
GP		 1286 if (!l2cap_pi(sk)->unacked_frames)
1287 del_timer(&l2cap_pi(sk)->retrans_timer);
1288
1c2acffb
GP		 1289 return;
1290}
1da177e4 1291
1c2acffb
GP		 1292static inline int l2cap_do_send(struct sock *sk, struct sk_buff *skb)
1293{
1294 struct l2cap_pinfo *pi = l2cap_pi(sk);
1295 int err;
1296
1297 BT_DBG("sk %p, skb %p len %d", sk, skb, skb->len);
1da177e4 1298
1c2acffb
GP		 1299 err = hci_send_acl(pi->conn->hcon, skb, 0);
1300 if (err < 0)
1301 kfree_skb(skb);
1302
1303 return err;
1304}
1305
6840ed07
GP		 1306static int l2cap_streaming_send(struct sock *sk)
1307{
1308 struct sk_buff *skb, *tx_skb;
1309 struct l2cap_pinfo *pi = l2cap_pi(sk);
fcc203c3 1310 u16 control, fcs;
6840ed07
GP		 1311 int err;
1312
1313 while ((skb = sk->sk_send_head)) {
1314 tx_skb = skb_clone(skb, GFP_ATOMIC);
1315
1316 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
1317 control |= pi->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT;
1318 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1319
e8235c6b 1320 if (pi->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 1321 fcs = crc16(0, (u8 *)tx_skb->data, tx_skb->len - 2);
1322 put_unaligned_le16(fcs, tx_skb->data + tx_skb->len - 2);
1323 }
1324
6840ed07
GP		 1325 err = l2cap_do_send(sk, tx_skb);
1326 if (err < 0) {
1327 l2cap_send_disconn_req(pi->conn, sk);
1328 return err;
1329 }
1330
1331 pi->next_tx_seq = (pi->next_tx_seq + 1) % 64;
1332
1333 if (skb_queue_is_last(TX_QUEUE(sk), skb))
1334 sk->sk_send_head = NULL;
1335 else
1336 sk->sk_send_head = skb_queue_next(TX_QUEUE(sk), skb);
1337
1338 skb = skb_dequeue(TX_QUEUE(sk));
1339 kfree_skb(skb);
1340 }
1341 return 0;
1342}
1343
8f17154f
GP		 1344static int l2cap_retransmit_frame(struct sock *sk, u8 tx_seq)
1345{
1346 struct l2cap_pinfo *pi = l2cap_pi(sk);
1347 struct sk_buff *skb, *tx_skb;
1348 u16 control, fcs;
1349 int err;
1350
1351 skb = skb_peek(TX_QUEUE(sk));
1352 do {
1353 if (bt_cb(skb)->tx_seq != tx_seq) {
1354 if (skb_queue_is_last(TX_QUEUE(sk), skb))
1355 break;
1356 skb = skb_queue_next(TX_QUEUE(sk), skb);
1357 continue;
1358 }
1359
1360 if (pi->remote_max_tx &&
1361 bt_cb(skb)->retries == pi->remote_max_tx) {
1362 l2cap_send_disconn_req(pi->conn, sk);
1363 break;
1364 }
1365
1366 tx_skb = skb_clone(skb, GFP_ATOMIC);
1367 bt_cb(skb)->retries++;
1368 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
9f121a5a 1369 control |= (pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
8f17154f
GP		 1370 | (tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
1371 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1372
e8235c6b 1373 if (pi->fcs == L2CAP_FCS_CRC16) {
8f17154f
GP		 1374 fcs = crc16(0, (u8 *)tx_skb->data, tx_skb->len - 2);
1375 put_unaligned_le16(fcs, tx_skb->data + tx_skb->len - 2);
1376 }
1377
1378 err = l2cap_do_send(sk, tx_skb);
1379 if (err < 0) {
1380 l2cap_send_disconn_req(pi->conn, sk);
1381 return err;
1382 }
1383 break;
1384 } while(1);
1385 return 0;
1386}
1387
1c2acffb
GP		 1388static int l2cap_ertm_send(struct sock *sk)
1389{
1390 struct sk_buff *skb, *tx_skb;
1391 struct l2cap_pinfo *pi = l2cap_pi(sk);
fcc203c3 1392 u16 control, fcs;
9e917af1 1393 int err, nsent = 0;
1c2acffb 1394
e90bac06
GP		 1395 if (pi->conn_state & L2CAP_CONN_WAIT_F)
1396 return 0;
1397
f64f9e71 1398 while ((skb = sk->sk_send_head) && (!l2cap_tx_window_full(sk)) &&
59203a21 1399 !(pi->conn_state & L2CAP_CONN_REMOTE_BUSY)) {
1c2acffb 1400
e90bac06
GP		 1401 if (pi->remote_max_tx &&
1402 bt_cb(skb)->retries == pi->remote_max_tx) {
1403 l2cap_send_disconn_req(pi->conn, sk);
1404 break;
1405 }
1406
e420aba3
AE		 1407 tx_skb = skb_clone(skb, GFP_ATOMIC);
1408
e90bac06
GP		 1409 bt_cb(skb)->retries++;
1410
1c2acffb 1411 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
d5392c8f
GP		 1412 if (pi->conn_state & L2CAP_CONN_SEND_FBIT) {
1413 control |= L2CAP_CTRL_FINAL;
1414 pi->conn_state &= ~L2CAP_CONN_SEND_FBIT;
1415 }
9f121a5a 1416 control |= (pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1c2acffb
GP		 1417 | (pi->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
1418 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1419
e90bac06 1420
e8235c6b 1421 if (pi->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 1422 fcs = crc16(0, (u8 *)skb->data, tx_skb->len - 2);
1423 put_unaligned_le16(fcs, skb->data + tx_skb->len - 2);
1424 }
1425
1c2acffb
GP		 1426 err = l2cap_do_send(sk, tx_skb);
1427 if (err < 0) {
1428 l2cap_send_disconn_req(pi->conn, sk);
1429 return err;
1430 }
e90bac06 1431 __mod_retrans_timer();
1c2acffb
GP		 1432
1433 bt_cb(skb)->tx_seq = pi->next_tx_seq;
1434 pi->next_tx_seq = (pi->next_tx_seq + 1) % 64;
1435
1436 pi->unacked_frames++;
d5392c8f 1437 pi->frames_sent++;
1c2acffb
GP		 1438
1439 if (skb_queue_is_last(TX_QUEUE(sk), skb))
1440 sk->sk_send_head = NULL;
1441 else
1442 sk->sk_send_head = skb_queue_next(TX_QUEUE(sk), skb);
9e917af1
GP		 1443
1444 nsent++;
1c2acffb
GP		 1445 }
1446
9e917af1
GP		 1447 return nsent;
1448}
1449
1450static int l2cap_send_ack(struct l2cap_pinfo *pi)
1451{
1452 struct sock *sk = (struct sock *)pi;
1453 u16 control = 0;
1454
1455 control |= pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1456
1457 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) {
1458 control |= L2CAP_SUPER_RCV_NOT_READY;
1459 return l2cap_send_sframe(pi, control);
1460 } else if (l2cap_ertm_send(sk) == 0) {
1461 control |= L2CAP_SUPER_RCV_READY;
1462 return l2cap_send_sframe(pi, control);
1463 }
1c2acffb
GP		 1464 return 0;
1465}
1466
99b0d4b7
GP		 1467static int l2cap_send_srejtail(struct sock *sk)
1468{
1469 struct srej_list *tail;
1470 u16 control;
1471
1472 control = L2CAP_SUPER_SELECT_REJECT;
1473 control |= L2CAP_CTRL_FINAL;
1474
1475 tail = list_entry(SREJ_LIST(sk)->prev, struct srej_list, list);
1476 control |= tail->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1477
1478 l2cap_send_sframe(l2cap_pi(sk), control);
1479
1480 return 0;
1481}
1482
1c2acffb
GP		 1483static inline int l2cap_skbuff_fromiovec(struct sock *sk, struct msghdr *msg, int len, int count, struct sk_buff *skb)
1484{
1485 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1486 struct sk_buff **frag;
1487 int err, sent = 0;
1da177e4 1488
59203a21 1489 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1490 return -EFAULT;
1da177e4
LT		 1491
1492 sent += count;
1493 len -= count;
1494
1495 /* Continuation fragments (no L2CAP header) */
1496 frag = &skb_shinfo(skb)->frag_list;
1497 while (len) {
1498 count = min_t(unsigned int, conn->mtu, len);
1499
1500 *frag = bt_skb_send_alloc(sk, count, msg->msg_flags & MSG_DONTWAIT, &err);
1501 if (!*frag)
1c2acffb
GP		 1502 return -EFAULT;
1503 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1504 return -EFAULT;
1da177e4
LT		 1505
1506 sent += count;
1507 len -= count;
1508
1509 frag = &(*frag)->next;
1510 }
1da177e4
LT		 1511
1512 return sent;
1c2acffb 1513}
1da177e4 1514
1c2acffb
GP		 1515static struct sk_buff *l2cap_create_connless_pdu(struct sock *sk, struct msghdr *msg, size_t len)
1516{
1517 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1518 struct sk_buff *skb;
1519 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1520 struct l2cap_hdr *lh;
1521
1522 BT_DBG("sk %p len %d", sk, (int)len);
1523
1524 count = min_t(unsigned int, (conn->mtu - hlen), len);
1525 skb = bt_skb_send_alloc(sk, count + hlen,
1526 msg->msg_flags & MSG_DONTWAIT, &err);
1527 if (!skb)
1528 return ERR_PTR(-ENOMEM);
1529
1530 /* Create L2CAP header */
1531 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1532 lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1533 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1534 put_unaligned_le16(l2cap_pi(sk)->psm, skb_put(skb, 2));
1535
1536 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1537 if (unlikely(err < 0)) {
1538 kfree_skb(skb);
1539 return ERR_PTR(err);
1540 }
1541 return skb;
1542}
1543
1544static struct sk_buff *l2cap_create_basic_pdu(struct sock *sk, struct msghdr *msg, size_t len)
1545{
1546 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1547 struct sk_buff *skb;
1548 int err, count, hlen = L2CAP_HDR_SIZE;
1549 struct l2cap_hdr *lh;
1550
1551 BT_DBG("sk %p len %d", sk, (int)len);
1552
1553 count = min_t(unsigned int, (conn->mtu - hlen), len);
1554 skb = bt_skb_send_alloc(sk, count + hlen,
1555 msg->msg_flags & MSG_DONTWAIT, &err);
1556 if (!skb)
1557 return ERR_PTR(-ENOMEM);
1558
1559 /* Create L2CAP header */
1560 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1561 lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1562 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1563
1564 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1565 if (unlikely(err < 0)) {
1566 kfree_skb(skb);
1567 return ERR_PTR(err);
1568 }
1569 return skb;
1570}
1571
6840ed07 1572static struct sk_buff *l2cap_create_iframe_pdu(struct sock *sk, struct msghdr *msg, size_t len, u16 control, u16 sdulen)
1c2acffb
GP		 1573{
1574 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1575 struct sk_buff *skb;
1576 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1577 struct l2cap_hdr *lh;
1578
1579 BT_DBG("sk %p len %d", sk, (int)len);
1580
0ee0d208
GP		 1581 if (!conn)
1582 return ERR_PTR(-ENOTCONN);
1583
c74e560c
GP		 1584 if (sdulen)
1585 hlen += 2;
1586
fcc203c3
GP		 1587 if (l2cap_pi(sk)->fcs == L2CAP_FCS_CRC16)
1588 hlen += 2;
1589
1c2acffb
GP		 1590 count = min_t(unsigned int, (conn->mtu - hlen), len);
1591 skb = bt_skb_send_alloc(sk, count + hlen,
1592 msg->msg_flags & MSG_DONTWAIT, &err);
1593 if (!skb)
1594 return ERR_PTR(-ENOMEM);
1595
1596 /* Create L2CAP header */
1597 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1598 lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1599 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1600 put_unaligned_le16(control, skb_put(skb, 2));
c74e560c
GP		 1601 if (sdulen)
1602 put_unaligned_le16(sdulen, skb_put(skb, 2));
1c2acffb
GP		 1603
1604 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1605 if (unlikely(err < 0)) {
1606 kfree_skb(skb);
1607 return ERR_PTR(err);
1608 }
e90bac06 1609
fcc203c3
GP		 1610 if (l2cap_pi(sk)->fcs == L2CAP_FCS_CRC16)
1611 put_unaligned_le16(0, skb_put(skb, 2));
1612
e90bac06 1613 bt_cb(skb)->retries = 0;
1c2acffb 1614 return skb;
1da177e4
LT		 1615}
1616
c74e560c
GP		 1617static inline int l2cap_sar_segment_sdu(struct sock *sk, struct msghdr *msg, size_t len)
1618{
1619 struct l2cap_pinfo *pi = l2cap_pi(sk);
1620 struct sk_buff *skb;
1621 struct sk_buff_head sar_queue;
1622 u16 control;
1623 size_t size = 0;
1624
1625 __skb_queue_head_init(&sar_queue);
1626 control = L2CAP_SDU_START;
1c762159 1627 skb = l2cap_create_iframe_pdu(sk, msg, pi->remote_mps, control, len);
c74e560c
GP		 1628 if (IS_ERR(skb))
1629 return PTR_ERR(skb);
1630
1631 __skb_queue_tail(&sar_queue, skb);
1c762159
GP		 1632 len -= pi->remote_mps;
1633 size += pi->remote_mps;
c74e560c
GP		 1634
1635 while (len > 0) {
1636 size_t buflen;
1637
1c762159 1638 if (len > pi->remote_mps) {
44651b85 1639 control = L2CAP_SDU_CONTINUE;
1c762159 1640 buflen = pi->remote_mps;
c74e560c 1641 } else {
44651b85 1642 control = L2CAP_SDU_END;
c74e560c
GP		 1643 buflen = len;
1644 }
1645
6840ed07 1646 skb = l2cap_create_iframe_pdu(sk, msg, buflen, control, 0);
c74e560c
GP		 1647 if (IS_ERR(skb)) {
1648 skb_queue_purge(&sar_queue);
1649 return PTR_ERR(skb);
1650 }
1651
1652 __skb_queue_tail(&sar_queue, skb);
1653 len -= buflen;
1654 size += buflen;
c74e560c
GP		 1655 }
1656 skb_queue_splice_tail(&sar_queue, TX_QUEUE(sk));
1657 if (sk->sk_send_head == NULL)
1658 sk->sk_send_head = sar_queue.next;
1659
1660 return size;
1661}
1662
1da177e4
LT		 1663static int l2cap_sock_sendmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len)
1664{
1665 struct sock *sk = sock->sk;
1c2acffb
GP		 1666 struct l2cap_pinfo *pi = l2cap_pi(sk);
1667 struct sk_buff *skb;
1668 u16 control;
1669 int err;
1da177e4
LT		 1670
1671 BT_DBG("sock %p, sk %p", sock, sk);
1672
c1cbe4b7
BL		 1673 err = sock_error(sk);
1674 if (err)
1675 return err;
1da177e4
LT		 1676
1677 if (msg->msg_flags & MSG_OOB)
1678 return -EOPNOTSUPP;
1679
1da177e4
LT		 1680 lock_sock(sk);
1681
1c2acffb 1682 if (sk->sk_state != BT_CONNECTED) {
1da177e4 1683 err = -ENOTCONN;
1c2acffb
GP		 1684 goto done;
1685 }
1da177e4 1686
1c2acffb
GP		 1687 /* Connectionless channel */
1688 if (sk->sk_type == SOCK_DGRAM) {
1689 skb = l2cap_create_connless_pdu(sk, msg, len);
477fffb0
DC		 1690 if (IS_ERR(skb))
1691 err = PTR_ERR(skb);
1692 else
1693 err = l2cap_do_send(sk, skb);
1c2acffb
GP		 1694 goto done;
1695 }
1696
1697 switch (pi->mode) {
1698 case L2CAP_MODE_BASIC:
c69163e9
GP		 1699 /* Check outgoing MTU */
1700 if (len > pi->omtu) {
1701 err = -EINVAL;
1702 goto done;
1703 }
1704
1c2acffb
GP		 1705 /* Create a basic PDU */
1706 skb = l2cap_create_basic_pdu(sk, msg, len);
1707 if (IS_ERR(skb)) {
1708 err = PTR_ERR(skb);
1709 goto done;
1710 }
1711
1712 err = l2cap_do_send(sk, skb);
1713 if (!err)
1714 err = len;
1715 break;
1716
1717 case L2CAP_MODE_ERTM:
6840ed07 1718 case L2CAP_MODE_STREAMING:
1c2acffb 1719 /* Entire SDU fits into one PDU */
1c762159 1720 if (len <= pi->remote_mps) {
1c2acffb 1721 control = L2CAP_SDU_UNSEGMENTED;
6840ed07 1722 skb = l2cap_create_iframe_pdu(sk, msg, len, control, 0);
1c2acffb
GP		 1723 if (IS_ERR(skb)) {
1724 err = PTR_ERR(skb);
1725 goto done;
1726 }
c74e560c
GP		 1727 __skb_queue_tail(TX_QUEUE(sk), skb);
1728 if (sk->sk_send_head == NULL)
1729 sk->sk_send_head = skb;
1c2acffb 1730 } else {
c74e560c
GP		 1731 /* Segment SDU into multiples PDUs */
1732 err = l2cap_sar_segment_sdu(sk, msg, len);
1733 if (err < 0)
1734 goto done;
1c2acffb 1735 }
1c2acffb 1736
6840ed07
GP		 1737 if (pi->mode == L2CAP_MODE_STREAMING)
1738 err = l2cap_streaming_send(sk);
1739 else
1740 err = l2cap_ertm_send(sk);
1741
9e917af1 1742 if (err >= 0)
1c2acffb
GP		 1743 err = len;
1744 break;
1745
1746 default:
1747 BT_DBG("bad state %1.1x", pi->mode);
1748 err = -EINVAL;
1749 }
1750
1751done:
1da177e4
LT		 1752 release_sock(sk);
1753 return err;
1754}
1755
f66dc81f
MH		 1756static int l2cap_sock_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len, int flags)
1757{
1758 struct sock *sk = sock->sk;
1759
1760 lock_sock(sk);
1761
1762 if (sk->sk_state == BT_CONNECT2 && bt_sk(sk)->defer_setup) {
1763 struct l2cap_conn_rsp rsp;
1764
1765 sk->sk_state = BT_CONFIG;
1766
1767 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
1768 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
1769 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1770 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1771 l2cap_send_cmd(l2cap_pi(sk)->conn, l2cap_pi(sk)->ident,
1772 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
1773
1774 release_sock(sk);
1775 return 0;
1776 }
1777
1778 release_sock(sk);
1779
1780 return bt_sock_recvmsg(iocb, sock, msg, len, flags);
1781}
1782
b7058842 1783static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __user *optval, unsigned int optlen)
1da177e4
LT		 1784{
1785 struct sock *sk = sock->sk;
1786 struct l2cap_options opts;
f29972de 1787 int len, err = 0;
1da177e4
LT		 1788 u32 opt;
1789
1790 BT_DBG("sk %p", sk);
1791
1792 lock_sock(sk);
1793
1794 switch (optname) {
1795 case L2CAP_OPTIONS:
0878b666
MH		 1796 opts.imtu = l2cap_pi(sk)->imtu;
1797 opts.omtu = l2cap_pi(sk)->omtu;
1798 opts.flush_to = l2cap_pi(sk)->flush_to;
c6b03cf9 1799 opts.mode = l2cap_pi(sk)->mode;
fcc203c3 1800 opts.fcs = l2cap_pi(sk)->fcs;
68d7f0ce 1801 opts.max_tx = l2cap_pi(sk)->max_tx;
14b5aa71 1802 opts.txwin_size = (__u16)l2cap_pi(sk)->tx_win;
0878b666 1803
1da177e4
LT		 1804 len = min_t(unsigned int, sizeof(opts), optlen);
1805 if (copy_from_user((char *) &opts, optval, len)) {
1806 err = -EFAULT;
1807 break;
1808 }
0878b666 1809
0041ecfa
JPRV		 1810 l2cap_pi(sk)->mode = opts.mode;
1811 switch (l2cap_pi(sk)->mode) {
1812 case L2CAP_MODE_BASIC:
1813 break;
1814 case L2CAP_MODE_ERTM:
1815 case L2CAP_MODE_STREAMING:
1816 if (enable_ertm)
1817 break;
1818 /* fall through */
1819 default:
1820 err = -EINVAL;
1821 break;
1822 }
1823
c6b03cf9
MH		 1824 l2cap_pi(sk)->imtu = opts.imtu;
1825 l2cap_pi(sk)->omtu = opts.omtu;
fcc203c3 1826 l2cap_pi(sk)->fcs = opts.fcs;
68d7f0ce 1827 l2cap_pi(sk)->max_tx = opts.max_tx;
14b5aa71 1828 l2cap_pi(sk)->tx_win = (__u8)opts.txwin_size;
1da177e4
LT		 1829 break;
1830
1831 case L2CAP_LM:
1832 if (get_user(opt, (u32 __user *) optval)) {
1833 err = -EFAULT;
1834 break;
1835 }
1836
2af6b9d5
MH		 1837 if (opt & L2CAP_LM_AUTH)
1838 l2cap_pi(sk)->sec_level = BT_SECURITY_LOW;
1839 if (opt & L2CAP_LM_ENCRYPT)
1840 l2cap_pi(sk)->sec_level = BT_SECURITY_MEDIUM;
1841 if (opt & L2CAP_LM_SECURE)
1842 l2cap_pi(sk)->sec_level = BT_SECURITY_HIGH;
1843
1844 l2cap_pi(sk)->role_switch = (opt & L2CAP_LM_MASTER);
1845 l2cap_pi(sk)->force_reliable = (opt & L2CAP_LM_RELIABLE);
1da177e4
LT		 1846 break;
1847
1848 default:
1849 err = -ENOPROTOOPT;
1850 break;
1851 }
1852
1853 release_sock(sk);
1854 return err;
1855}
1856
b7058842 1857static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, char __user *optval, unsigned int optlen)
d58daf42
MH		 1858{
1859 struct sock *sk = sock->sk;
2af6b9d5
MH		 1860 struct bt_security sec;
1861 int len, err = 0;
f66dc81f 1862 u32 opt;
d58daf42
MH		 1863
1864 BT_DBG("sk %p", sk);
1865
1866 if (level == SOL_L2CAP)
1867 return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
1868
0588d94f
MH		 1869 if (level != SOL_BLUETOOTH)
1870 return -ENOPROTOOPT;
1871
d58daf42
MH		 1872 lock_sock(sk);
1873
1874 switch (optname) {
2af6b9d5 1875 case BT_SECURITY:
bd3c9e25
GP		 1876 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
1877 && sk->sk_type != SOCK_RAW) {
0588d94f
MH		 1878 err = -EINVAL;
1879 break;
1880 }
1881
2af6b9d5
MH		 1882 sec.level = BT_SECURITY_LOW;
1883
1884 len = min_t(unsigned int, sizeof(sec), optlen);
1885 if (copy_from_user((char *) &sec, optval, len)) {
1886 err = -EFAULT;
1887 break;
1888 }
1889
1890 if (sec.level < BT_SECURITY_LOW ||
1891 sec.level > BT_SECURITY_HIGH) {
1892 err = -EINVAL;
1893 break;
1894 }
1895
1896 l2cap_pi(sk)->sec_level = sec.level;
1897 break;
1898
f66dc81f
MH		 1899 case BT_DEFER_SETUP:
1900 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
1901 err = -EINVAL;
1902 break;
1903 }
1904
1905 if (get_user(opt, (u32 __user *) optval)) {
1906 err = -EFAULT;
1907 break;
1908 }
1909
1910 bt_sk(sk)->defer_setup = opt;
1911 break;
1912
d58daf42
MH		 1913 default:
1914 err = -ENOPROTOOPT;
1915 break;
1916 }
1917
1918 release_sock(sk);
1919 return err;
1920}
1921
1922static int l2cap_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen)
1da177e4
LT		 1923{
1924 struct sock *sk = sock->sk;
1925 struct l2cap_options opts;
1926 struct l2cap_conninfo cinfo;
1927 int len, err = 0;
2af6b9d5 1928 u32 opt;
1da177e4
LT		 1929
1930 BT_DBG("sk %p", sk);
1931
1932 if (get_user(len, optlen))
1933 return -EFAULT;
1934
1935 lock_sock(sk);
1936
1937 switch (optname) {
1938 case L2CAP_OPTIONS:
1939 opts.imtu = l2cap_pi(sk)->imtu;
1940 opts.omtu = l2cap_pi(sk)->omtu;
1941 opts.flush_to = l2cap_pi(sk)->flush_to;
c6b03cf9 1942 opts.mode = l2cap_pi(sk)->mode;
fcc203c3 1943 opts.fcs = l2cap_pi(sk)->fcs;
68d7f0ce 1944 opts.max_tx = l2cap_pi(sk)->max_tx;
14b5aa71 1945 opts.txwin_size = (__u16)l2cap_pi(sk)->tx_win;
1da177e4
LT		 1946
1947 len = min_t(unsigned int, len, sizeof(opts));
1948 if (copy_to_user(optval, (char *) &opts, len))
1949 err = -EFAULT;
1950
1951 break;
1952
1953 case L2CAP_LM:
2af6b9d5
MH		 1954 switch (l2cap_pi(sk)->sec_level) {
1955 case BT_SECURITY_LOW:
1956 opt = L2CAP_LM_AUTH;
1957 break;
1958 case BT_SECURITY_MEDIUM:
1959 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
1960 break;
1961 case BT_SECURITY_HIGH:
1962 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
1963 L2CAP_LM_SECURE;
1964 break;
1965 default:
1966 opt = 0;
1967 break;
1968 }
1969
1970 if (l2cap_pi(sk)->role_switch)
1971 opt |= L2CAP_LM_MASTER;
1972
1973 if (l2cap_pi(sk)->force_reliable)
1974 opt |= L2CAP_LM_RELIABLE;
1975
1976 if (put_user(opt, (u32 __user *) optval))
1da177e4
LT		 1977 err = -EFAULT;
1978 break;
1979
1980 case L2CAP_CONNINFO:
f66dc81f
MH		 1981 if (sk->sk_state != BT_CONNECTED &&
1982 !(sk->sk_state == BT_CONNECT2 &&
1983 bt_sk(sk)->defer_setup)) {
1da177e4
LT		 1984 err = -ENOTCONN;
1985 break;
1986 }
1987
1988 cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle;
1989 memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3);
1990
1991 len = min_t(unsigned int, len, sizeof(cinfo));
1992 if (copy_to_user(optval, (char *) &cinfo, len))
1993 err = -EFAULT;
1994
1995 break;
1996
1997 default:
1998 err = -ENOPROTOOPT;
1999 break;
2000 }
2001
2002 release_sock(sk);
2003 return err;
2004}
2005
d58daf42
MH		 2006static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen)
2007{
2008 struct sock *sk = sock->sk;
2af6b9d5 2009 struct bt_security sec;
d58daf42
MH		 2010 int len, err = 0;
2011
2012 BT_DBG("sk %p", sk);
2013
2014 if (level == SOL_L2CAP)
2015 return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
2016
0588d94f
MH		 2017 if (level != SOL_BLUETOOTH)
2018 return -ENOPROTOOPT;
2019
d58daf42
MH		 2020 if (get_user(len, optlen))
2021 return -EFAULT;
2022
2023 lock_sock(sk);
2024
2025 switch (optname) {
2af6b9d5 2026 case BT_SECURITY:
bd3c9e25
GP		 2027 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
2028 && sk->sk_type != SOCK_RAW) {
0588d94f
MH		 2029 err = -EINVAL;
2030 break;
2031 }
2032
2af6b9d5
MH		 2033 sec.level = l2cap_pi(sk)->sec_level;
2034
2035 len = min_t(unsigned int, len, sizeof(sec));
2036 if (copy_to_user(optval, (char *) &sec, len))
2037 err = -EFAULT;
2038
2039 break;
2040
f66dc81f
MH		 2041 case BT_DEFER_SETUP:
2042 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
2043 err = -EINVAL;
2044 break;
2045 }
2046
2047 if (put_user(bt_sk(sk)->defer_setup, (u32 __user *) optval))
2048 err = -EFAULT;
2049
2050 break;
2051
d58daf42
MH		 2052 default:
2053 err = -ENOPROTOOPT;
2054 break;
2055 }
2056
2057 release_sock(sk);
2058 return err;
2059}
2060
1da177e4
LT		 2061static int l2cap_sock_shutdown(struct socket *sock, int how)
2062{
2063 struct sock *sk = sock->sk;
2064 int err = 0;
2065
2066 BT_DBG("sock %p, sk %p", sock, sk);
2067
2068 if (!sk)
2069 return 0;
2070
2071 lock_sock(sk);
2072 if (!sk->sk_shutdown) {
2073 sk->sk_shutdown = SHUTDOWN_MASK;
2074 l2cap_sock_clear_timer(sk);
2075 __l2cap_sock_close(sk, 0);
2076
2077 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime)
b1235d79
MH		 2078 err = bt_sock_wait_state(sk, BT_CLOSED,
2079 sk->sk_lingertime);
1da177e4
LT		 2080 }
2081 release_sock(sk);
2082 return err;
2083}
2084
2085static int l2cap_sock_release(struct socket *sock)
2086{
2087 struct sock *sk = sock->sk;
2088 int err;
2089
2090 BT_DBG("sock %p, sk %p", sock, sk);
2091
2092 if (!sk)
2093 return 0;
2094
2095 err = l2cap_sock_shutdown(sock, 2);
2096
2097 sock_orphan(sk);
2098 l2cap_sock_kill(sk);
2099 return err;
2100}
2101
1da177e4
LT		 2102static void l2cap_chan_ready(struct sock *sk)
2103{
2104 struct sock *parent = bt_sk(sk)->parent;
2105
2106 BT_DBG("sk %p, parent %p", sk, parent);
2107
2108 l2cap_pi(sk)->conf_state = 0;
2109 l2cap_sock_clear_timer(sk);
2110
2111 if (!parent) {
2112 /* Outgoing channel.
2113 * Wake up socket sleeping on connect.
2114 */
2115 sk->sk_state = BT_CONNECTED;
2116 sk->sk_state_change(sk);
2117 } else {
2118 /* Incoming channel.
2119 * Wake up socket sleeping on accept.
2120 */
2121 parent->sk_data_ready(parent, 0);
2122 }
2123}
2124
2125/* Copy frame to all raw sockets on that connection */
2126static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2127{
2128 struct l2cap_chan_list *l = &conn->chan_list;
2129 struct sk_buff *nskb;
af05b30b 2130 struct sock *sk;
1da177e4
LT		 2131
2132 BT_DBG("conn %p", conn);
2133
2134 read_lock(&l->lock);
2135 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
2136 if (sk->sk_type != SOCK_RAW)
2137 continue;
2138
2139 /* Don't send frame to the socket it came from */
2140 if (skb->sk == sk)
2141 continue;
af05b30b
GP		 2142 nskb = skb_clone(skb, GFP_ATOMIC);
2143 if (!nskb)
1da177e4
LT		 2144 continue;
2145
2146 if (sock_queue_rcv_skb(sk, nskb))
2147 kfree_skb(nskb);
2148 }
2149 read_unlock(&l->lock);
2150}
2151
2152/* ---- L2CAP signalling commands ---- */
2153static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2154 u8 code, u8 ident, u16 dlen, void *data)
2155{
2156 struct sk_buff *skb, **frag;
2157 struct l2cap_cmd_hdr *cmd;
2158 struct l2cap_hdr *lh;
2159 int len, count;
2160
af05b30b
GP		 2161 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
2162 conn, code, ident, dlen);
1da177e4
LT		 2163
2164 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2165 count = min_t(unsigned int, conn->mtu, len);
2166
2167 skb = bt_skb_alloc(count, GFP_ATOMIC);
2168 if (!skb)
2169 return NULL;
2170
2171 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2172 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
8db4dc46 2173 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2174
2175 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2176 cmd->code = code;
2177 cmd->ident = ident;
aca3192c 2178 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2179
2180 if (dlen) {
2181 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2182 memcpy(skb_put(skb, count), data, count);
2183 data += count;
2184 }
2185
2186 len -= skb->len;
2187
2188 /* Continuation fragments (no L2CAP header) */
2189 frag = &skb_shinfo(skb)->frag_list;
2190 while (len) {
2191 count = min_t(unsigned int, conn->mtu, len);
2192
2193 *frag = bt_skb_alloc(count, GFP_ATOMIC);
2194 if (!*frag)
2195 goto fail;
2196
2197 memcpy(skb_put(*frag, count), data, count);
2198
2199 len -= count;
2200 data += count;
2201
2202 frag = &(*frag)->next;
2203 }
2204
2205 return skb;
2206
2207fail:
2208 kfree_skb(skb);
2209 return NULL;
2210}
2211
2212static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
2213{
2214 struct l2cap_conf_opt *opt = *ptr;
2215 int len;
2216
2217 len = L2CAP_CONF_OPT_SIZE + opt->len;
2218 *ptr += len;
2219
2220 *type = opt->type;
2221 *olen = opt->len;
2222
2223 switch (opt->len) {
2224 case 1:
2225 *val = *((u8 *) opt->val);
2226 break;
2227
2228 case 2:
861d6882 2229 *val = __le16_to_cpu(*((__le16 *) opt->val));
1da177e4
LT		 2230 break;
2231
2232 case 4:
861d6882 2233 *val = __le32_to_cpu(*((__le32 *) opt->val));
1da177e4
LT		 2234 break;
2235
2236 default:
2237 *val = (unsigned long) opt->val;
2238 break;
2239 }
2240
2241 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
2242 return len;
2243}
2244
1da177e4
LT		 2245static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2246{
2247 struct l2cap_conf_opt *opt = *ptr;
2248
2249 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
2250
2251 opt->type = type;
2252 opt->len = len;
2253
2254 switch (len) {
2255 case 1:
2256 *((u8 *) opt->val) = val;
2257 break;
2258
2259 case 2:
8e036fc3 2260 *((__le16 *) opt->val) = cpu_to_le16(val);
1da177e4
LT		 2261 break;
2262
2263 case 4:
8e036fc3 2264 *((__le32 *) opt->val) = cpu_to_le32(val);
1da177e4
LT		 2265 break;
2266
2267 default:
2268 memcpy(opt->val, (void *) val, len);
2269 break;
2270 }
2271
2272 *ptr += L2CAP_CONF_OPT_SIZE + len;
2273}
2274
c1b4f43b
GP		 2275static void l2cap_ack_timeout(unsigned long arg)
2276{
2277 struct sock *sk = (void *) arg;
2278
2279 bh_lock_sock(sk);
2280 l2cap_send_ack(l2cap_pi(sk));
2281 bh_unlock_sock(sk);
2282}
2283
0565c1c2
GP		 2284static inline void l2cap_ertm_init(struct sock *sk)
2285{
2286 l2cap_pi(sk)->expected_ack_seq = 0;
2287 l2cap_pi(sk)->unacked_frames = 0;
2288 l2cap_pi(sk)->buffer_seq = 0;
803020c6 2289 l2cap_pi(sk)->num_acked = 0;
d5392c8f 2290 l2cap_pi(sk)->frames_sent = 0;
0565c1c2
GP		 2291
2292 setup_timer(&l2cap_pi(sk)->retrans_timer,
2293 l2cap_retrans_timeout, (unsigned long) sk);
2294 setup_timer(&l2cap_pi(sk)->monitor_timer,
2295 l2cap_monitor_timeout, (unsigned long) sk);
c1b4f43b
GP		 2296 setup_timer(&l2cap_pi(sk)->ack_timer,
2297 l2cap_ack_timeout, (unsigned long) sk);
0565c1c2
GP		 2298
2299 __skb_queue_head_init(SREJ_QUEUE(sk));
2300}
2301
f2fcfcd6
GP		 2302static int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
2303{
2304 u32 local_feat_mask = l2cap_feat_mask;
2305 if (enable_ertm)
6840ed07 2306 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
f2fcfcd6
GP		 2307
2308 switch (mode) {
2309 case L2CAP_MODE_ERTM:
2310 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
2311 case L2CAP_MODE_STREAMING:
2312 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
2313 default:
2314 return 0x00;
2315 }
2316}
2317
2318static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2319{
2320 switch (mode) {
2321 case L2CAP_MODE_STREAMING:
2322 case L2CAP_MODE_ERTM:
2323 if (l2cap_mode_supported(mode, remote_feat_mask))
2324 return mode;
2325 /* fall through */
2326 default:
2327 return L2CAP_MODE_BASIC;
2328 }
2329}
2330
1da177e4
LT		 2331static int l2cap_build_conf_req(struct sock *sk, void *data)
2332{
2333 struct l2cap_pinfo *pi = l2cap_pi(sk);
2334 struct l2cap_conf_req *req = data;
bd3c9e25 2335 struct l2cap_conf_rfc rfc = { .mode = pi->mode };
1da177e4
LT		 2336 void *ptr = req->data;
2337
2338 BT_DBG("sk %p", sk);
2339
f2fcfcd6
GP		 2340 if (pi->num_conf_req || pi->num_conf_rsp)
2341 goto done;
2342
2343 switch (pi->mode) {
2344 case L2CAP_MODE_STREAMING:
2345 case L2CAP_MODE_ERTM:
2346 pi->conf_state |= L2CAP_CONF_STATE2_DEVICE;
22121fc9
GP		 2347 if (!l2cap_mode_supported(pi->mode, pi->conn->feat_mask))
2348 l2cap_send_disconn_req(pi->conn, sk);
f2fcfcd6
GP		 2349 break;
2350 default:
2351 pi->mode = l2cap_select_mode(rfc.mode, pi->conn->feat_mask);
2352 break;
2353 }
2354
2355done:
65c7c491
MH		 2356 switch (pi->mode) {
2357 case L2CAP_MODE_BASIC:
2358 if (pi->imtu != L2CAP_DEFAULT_MTU)
2359 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->imtu);
2360 break;
2361
2362 case L2CAP_MODE_ERTM:
2363 rfc.mode = L2CAP_MODE_ERTM;
14b5aa71 2364 rfc.txwin_size = pi->tx_win;
68d7f0ce 2365 rfc.max_transmit = pi->max_tx;
f2fcfcd6
GP		 2366 rfc.retrans_timeout = 0;
2367 rfc.monitor_timeout = 0;
c74e560c 2368 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
d1daa091 2369 if (L2CAP_DEFAULT_MAX_PDU_SIZE > pi->conn->mtu - 10)
1c762159 2370 rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10);
f2fcfcd6
GP		 2371
2372 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2373 sizeof(rfc), (unsigned long) &rfc);
fcc203c3
GP		 2374
2375 if (!(pi->conn->feat_mask & L2CAP_FEAT_FCS))
2376 break;
2377
2378 if (pi->fcs == L2CAP_FCS_NONE ||
2379 pi->conf_state & L2CAP_CONF_NO_FCS_RECV) {
2380 pi->fcs = L2CAP_FCS_NONE;
2381 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, pi->fcs);
2382 }
f2fcfcd6
GP		 2383 break;
2384
2385 case L2CAP_MODE_STREAMING:
2386 rfc.mode = L2CAP_MODE_STREAMING;
2387 rfc.txwin_size = 0;
2388 rfc.max_transmit = 0;
2389 rfc.retrans_timeout = 0;
2390 rfc.monitor_timeout = 0;
c74e560c 2391 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
d1daa091 2392 if (L2CAP_DEFAULT_MAX_PDU_SIZE > pi->conn->mtu - 10)
1c762159 2393 rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10);
65c7c491
MH		 2394
2395 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2396 sizeof(rfc), (unsigned long) &rfc);
fcc203c3
GP		 2397
2398 if (!(pi->conn->feat_mask & L2CAP_FEAT_FCS))
2399 break;
2400
2401 if (pi->fcs == L2CAP_FCS_NONE ||
2402 pi->conf_state & L2CAP_CONF_NO_FCS_RECV) {
2403 pi->fcs = L2CAP_FCS_NONE;
2404 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, pi->fcs);
2405 }
65c7c491
MH		 2406 break;
2407 }
1da177e4
LT		 2408
2409 /* FIXME: Need actual value of the flush timeout */
2410 //if (flush_to != L2CAP_DEFAULT_FLUSH_TO)
2411 // l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, 2, pi->flush_to);
2412
aca3192c
YH		 2413 req->dcid = cpu_to_le16(pi->dcid);
2414 req->flags = cpu_to_le16(0);
1da177e4
LT		 2415
2416 return ptr - data;
2417}
2418
5dee9e7c 2419static int l2cap_parse_conf_req(struct sock *sk, void *data)
1da177e4
LT		 2420{
2421 struct l2cap_pinfo *pi = l2cap_pi(sk);
5dee9e7c
MH		 2422 struct l2cap_conf_rsp *rsp = data;
2423 void *ptr = rsp->data;
2424 void *req = pi->conf_req;
2425 int len = pi->conf_len;
2426 int type, hint, olen;
2427 unsigned long val;
6464f35f 2428 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
861d6882 2429 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 2430 u16 result = L2CAP_CONF_SUCCESS;
1da177e4 2431
5dee9e7c 2432 BT_DBG("sk %p", sk);
820ae1b8 2433
5dee9e7c
MH		 2434 while (len >= L2CAP_CONF_OPT_SIZE) {
2435 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 2436
589d2746 2437 hint = type & L2CAP_CONF_HINT;
47ec1dcd 2438 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 2439
2440 switch (type) {
2441 case L2CAP_CONF_MTU:
861d6882 2442 mtu = val;
5dee9e7c
MH		 2443 break;
2444
2445 case L2CAP_CONF_FLUSH_TO:
2446 pi->flush_to = val;
2447 break;
2448
2449 case L2CAP_CONF_QOS:
2450 break;
2451
6464f35f
MH		 2452 case L2CAP_CONF_RFC:
2453 if (olen == sizeof(rfc))
2454 memcpy(&rfc, (void *) val, olen);
2455 break;
2456
fcc203c3
GP		 2457 case L2CAP_CONF_FCS:
2458 if (val == L2CAP_FCS_NONE)
2459 pi->conf_state |= L2CAP_CONF_NO_FCS_RECV;
2460
2461 break;
2462
5dee9e7c
MH		 2463 default:
2464 if (hint)
2465 break;
2466
2467 result = L2CAP_CONF_UNKNOWN;
2468 *((u8 *) ptr++) = type;
2469 break;
2470 }
2471 }
2472
f2fcfcd6
GP		 2473 if (pi->num_conf_rsp || pi->num_conf_req)
2474 goto done;
2475
2476 switch (pi->mode) {
2477 case L2CAP_MODE_STREAMING:
2478 case L2CAP_MODE_ERTM:
2479 pi->conf_state |= L2CAP_CONF_STATE2_DEVICE;
2480 if (!l2cap_mode_supported(pi->mode, pi->conn->feat_mask))
2481 return -ECONNREFUSED;
2482 break;
2483 default:
2484 pi->mode = l2cap_select_mode(rfc.mode, pi->conn->feat_mask);
2485 break;
2486 }
2487
2488done:
2489 if (pi->mode != rfc.mode) {
2490 result = L2CAP_CONF_UNACCEPT;
2491 rfc.mode = pi->mode;
2492
2493 if (pi->num_conf_rsp == 1)
2494 return -ECONNREFUSED;
2495
2496 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2497 sizeof(rfc), (unsigned long) &rfc);
2498 }
2499
2500
5dee9e7c
MH		 2501 if (result == L2CAP_CONF_SUCCESS) {
2502 /* Configure output options and let the other side know
2503 * which ones we don't like. */
2504
f2fcfcd6
GP		 2505 if (mtu < L2CAP_DEFAULT_MIN_MTU)
2506 result = L2CAP_CONF_UNACCEPT;
2507 else {
2508 pi->omtu = mtu;
2509 pi->conf_state |= L2CAP_CONF_MTU_DONE;
2510 }
2511 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->omtu);
6464f35f 2512
f2fcfcd6
GP		 2513 switch (rfc.mode) {
2514 case L2CAP_MODE_BASIC:
2515 pi->fcs = L2CAP_FCS_NONE;
2516 pi->conf_state |= L2CAP_CONF_MODE_DONE;
2517 break;
2518
2519 case L2CAP_MODE_ERTM:
2520 pi->remote_tx_win = rfc.txwin_size;
2521 pi->remote_max_tx = rfc.max_transmit;
1c762159
GP		 2522 if (rfc.max_pdu_size > pi->conn->mtu - 10)
2523 rfc.max_pdu_size = le16_to_cpu(pi->conn->mtu - 10);
2524
2525 pi->remote_mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6 2526
10467e9e
GP		 2527 rfc.retrans_timeout =
2528 le16_to_cpu(L2CAP_DEFAULT_RETRANS_TO);
2529 rfc.monitor_timeout =
2530 le16_to_cpu(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6
GP		 2531
2532 pi->conf_state |= L2CAP_CONF_MODE_DONE;
68ae6639
GP		 2533
2534 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2535 sizeof(rfc), (unsigned long) &rfc);
2536
f2fcfcd6
GP		 2537 break;
2538
2539 case L2CAP_MODE_STREAMING:
1c762159
GP		 2540 if (rfc.max_pdu_size > pi->conn->mtu - 10)
2541 rfc.max_pdu_size = le16_to_cpu(pi->conn->mtu - 10);
2542
2543 pi->remote_mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2544
2545 pi->conf_state |= L2CAP_CONF_MODE_DONE;
68ae6639
GP		 2546
2547 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2548 sizeof(rfc), (unsigned long) &rfc);
2549
f2fcfcd6
GP		 2550 break;
2551
2552 default:
5dee9e7c 2553 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 2554
6464f35f 2555 memset(&rfc, 0, sizeof(rfc));
f2fcfcd6
GP		 2556 rfc.mode = pi->mode;
2557 }
6464f35f 2558
f2fcfcd6
GP		 2559 if (result == L2CAP_CONF_SUCCESS)
2560 pi->conf_state |= L2CAP_CONF_OUTPUT_DONE;
2561 }
5dee9e7c
MH		 2562 rsp->scid = cpu_to_le16(pi->dcid);
2563 rsp->result = cpu_to_le16(result);
2564 rsp->flags = cpu_to_le16(0x0000);
2565
2566 return ptr - data;
1da177e4
LT		 2567}
2568
f2fcfcd6
GP		 2569static int l2cap_parse_conf_rsp(struct sock *sk, void *rsp, int len, void *data, u16 *result)
2570{
2571 struct l2cap_pinfo *pi = l2cap_pi(sk);
2572 struct l2cap_conf_req *req = data;
2573 void *ptr = req->data;
2574 int type, olen;
2575 unsigned long val;
2576 struct l2cap_conf_rfc rfc;
2577
2578 BT_DBG("sk %p, rsp %p, len %d, req %p", sk, rsp, len, data);
2579
2580 while (len >= L2CAP_CONF_OPT_SIZE) {
2581 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2582
2583 switch (type) {
2584 case L2CAP_CONF_MTU:
2585 if (val < L2CAP_DEFAULT_MIN_MTU) {
2586 *result = L2CAP_CONF_UNACCEPT;
2587 pi->omtu = L2CAP_DEFAULT_MIN_MTU;
2588 } else
2589 pi->omtu = val;
2590 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->omtu);
2591 break;
2592
2593 case L2CAP_CONF_FLUSH_TO:
2594 pi->flush_to = val;
2595 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
2596 2, pi->flush_to);
2597 break;
2598
2599 case L2CAP_CONF_RFC:
2600 if (olen == sizeof(rfc))
2601 memcpy(&rfc, (void *)val, olen);
2602
2603 if ((pi->conf_state & L2CAP_CONF_STATE2_DEVICE) &&
2604 rfc.mode != pi->mode)
2605 return -ECONNREFUSED;
2606
2607 pi->mode = rfc.mode;
2608 pi->fcs = 0;
2609
2610 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2611 sizeof(rfc), (unsigned long) &rfc);
2612 break;
2613 }
2614 }
2615
2616 if (*result == L2CAP_CONF_SUCCESS) {
2617 switch (rfc.mode) {
2618 case L2CAP_MODE_ERTM:
2619 pi->remote_tx_win = rfc.txwin_size;
10467e9e
GP		 2620 pi->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2621 pi->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
1c762159 2622 pi->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2623 break;
2624 case L2CAP_MODE_STREAMING:
1c762159 2625 pi->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2626 }
2627 }
2628
2629 req->dcid = cpu_to_le16(pi->dcid);
2630 req->flags = cpu_to_le16(0x0000);
2631
2632 return ptr - data;
2633}
2634
5dee9e7c 2635static int l2cap_build_conf_rsp(struct sock *sk, void *data, u16 result, u16 flags)
1da177e4
LT		 2636{
2637 struct l2cap_conf_rsp *rsp = data;
2638 void *ptr = rsp->data;
1da177e4 2639
5dee9e7c 2640 BT_DBG("sk %p", sk);
1da177e4 2641
aca3192c 2642 rsp->scid = cpu_to_le16(l2cap_pi(sk)->dcid);
5dee9e7c 2643 rsp->result = cpu_to_le16(result);
aca3192c 2644 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 2645
2646 return ptr - data;
2647}
2648
7b1c0049
GP		 2649static void l2cap_conf_rfc_get(struct sock *sk, void *rsp, int len)
2650{
2651 struct l2cap_pinfo *pi = l2cap_pi(sk);
2652 int type, olen;
2653 unsigned long val;
2654 struct l2cap_conf_rfc rfc;
2655
2656 BT_DBG("sk %p, rsp %p, len %d", sk, rsp, len);
2657
2658 if ((pi->mode != L2CAP_MODE_ERTM) && (pi->mode != L2CAP_MODE_STREAMING))
2659 return;
2660
2661 while (len >= L2CAP_CONF_OPT_SIZE) {
2662 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2663
2664 switch (type) {
2665 case L2CAP_CONF_RFC:
2666 if (olen == sizeof(rfc))
2667 memcpy(&rfc, (void *)val, olen);
2668 goto done;
2669 }
2670 }
2671
2672done:
2673 switch (rfc.mode) {
2674 case L2CAP_MODE_ERTM:
2675 pi->remote_tx_win = rfc.txwin_size;
10467e9e
GP		 2676 pi->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2677 pi->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
7b1c0049
GP		 2678 pi->mps = le16_to_cpu(rfc.max_pdu_size);
2679 break;
2680 case L2CAP_MODE_STREAMING:
2681 pi->mps = le16_to_cpu(rfc.max_pdu_size);
2682 }
2683}
2684
4e8402a3
MH		 2685static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2686{
2687 struct l2cap_cmd_rej *rej = (struct l2cap_cmd_rej *) data;
2688
2689 if (rej->reason != 0x0000)
2690 return 0;
2691
2692 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2693 cmd->ident == conn->info_ident) {
4e8402a3 2694 del_timer(&conn->info_timer);
984947dc
MH		 2695
2696 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2697 conn->info_ident = 0;
984947dc 2698
4e8402a3
MH		 2699 l2cap_conn_start(conn);
2700 }
2701
2702 return 0;
2703}
2704
1da177e4
LT		 2705static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2706{
2707 struct l2cap_chan_list *list = &conn->chan_list;
2708 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
2709 struct l2cap_conn_rsp rsp;
2710 struct sock *sk, *parent;
e7c29cb1 2711 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2712
2713 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 2714 __le16 psm = req->psm;
1da177e4
LT		 2715
2716 BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
2717
2718 /* Check if we have socket listening on psm */
2719 parent = l2cap_get_sock_by_psm(BT_LISTEN, psm, conn->src);
2720 if (!parent) {
2721 result = L2CAP_CR_BAD_PSM;
2722 goto sendresp;
2723 }
2724
e7c29cb1
MH		 2725 /* Check if the ACL is secure enough (if not SDP) */
2726 if (psm != cpu_to_le16(0x0001) &&
2727 !hci_conn_check_link_mode(conn->hcon)) {
2950f21a 2728 conn->disc_reason = 0x05;
e7c29cb1
MH		 2729 result = L2CAP_CR_SEC_BLOCK;
2730 goto response;
2731 }
2732
1da177e4
LT		 2733 result = L2CAP_CR_NO_MEM;
2734
2735 /* Check for backlog size */
2736 if (sk_acceptq_is_full(parent)) {
8e87d142 2737 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1da177e4
LT		 2738 goto response;
2739 }
2740
3b1e0a65 2741 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP, GFP_ATOMIC);
1da177e4
LT		 2742 if (!sk)
2743 goto response;
2744
fd1278d7 2745 write_lock_bh(&list->lock);
1da177e4
LT		 2746
2747 /* Check if we already have channel with that dcid */
2748 if (__l2cap_get_chan_by_dcid(list, scid)) {
fd1278d7 2749 write_unlock_bh(&list->lock);
1da177e4
LT		 2750 sock_set_flag(sk, SOCK_ZAPPED);
2751 l2cap_sock_kill(sk);
2752 goto response;
2753 }
2754
2755 hci_conn_hold(conn->hcon);
2756
2757 l2cap_sock_init(sk, parent);
2758 bacpy(&bt_sk(sk)->src, conn->src);
2759 bacpy(&bt_sk(sk)->dst, conn->dst);
2760 l2cap_pi(sk)->psm = psm;
2761 l2cap_pi(sk)->dcid = scid;
2762
2763 __l2cap_chan_add(conn, sk, parent);
2764 dcid = l2cap_pi(sk)->scid;
2765
2766 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
2767
1da177e4
LT		 2768 l2cap_pi(sk)->ident = cmd->ident;
2769
984947dc 2770 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
2af6b9d5 2771 if (l2cap_check_security(sk)) {
f66dc81f
MH		 2772 if (bt_sk(sk)->defer_setup) {
2773 sk->sk_state = BT_CONNECT2;
2774 result = L2CAP_CR_PEND;
2775 status = L2CAP_CS_AUTHOR_PEND;
2776 parent->sk_data_ready(parent, 0);
2777 } else {
2778 sk->sk_state = BT_CONFIG;
2779 result = L2CAP_CR_SUCCESS;
2780 status = L2CAP_CS_NO_INFO;
2781 }
79d554a6
MH		 2782 } else {
2783 sk->sk_state = BT_CONNECT2;
2784 result = L2CAP_CR_PEND;
2785 status = L2CAP_CS_AUTHEN_PEND;
2786 }
2787 } else {
2788 sk->sk_state = BT_CONNECT2;
2789 result = L2CAP_CR_PEND;
2790 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2791 }
2792
fd1278d7 2793 write_unlock_bh(&list->lock);
1da177e4
LT		 2794
2795response:
2796 bh_unlock_sock(parent);
2797
2798sendresp:
aca3192c
YH		 2799 rsp.scid = cpu_to_le16(scid);
2800 rsp.dcid = cpu_to_le16(dcid);
2801 rsp.result = cpu_to_le16(result);
2802 rsp.status = cpu_to_le16(status);
1da177e4 2803 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 2804
2805 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
2806 struct l2cap_info_req info;
2807 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2808
2809 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
2810 conn->info_ident = l2cap_get_ident(conn);
2811
2812 mod_timer(&conn->info_timer, jiffies +
2813 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
2814
2815 l2cap_send_cmd(conn, conn->info_ident,
2816 L2CAP_INFO_REQ, sizeof(info), &info);
2817 }
2818
1da177e4
LT		 2819 return 0;
2820}
2821
2822static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2823{
2824 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
2825 u16 scid, dcid, result, status;
2826 struct sock *sk;
2827 u8 req[128];
2828
2829 scid = __le16_to_cpu(rsp->scid);
2830 dcid = __le16_to_cpu(rsp->dcid);
2831 result = __le16_to_cpu(rsp->result);
2832 status = __le16_to_cpu(rsp->status);
2833
2834 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status);
2835
2836 if (scid) {
af05b30b
GP		 2837 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
2838 if (!sk)
1da177e4
LT		 2839 return 0;
2840 } else {
af05b30b
GP		 2841 sk = l2cap_get_chan_by_ident(&conn->chan_list, cmd->ident);
2842 if (!sk)
1da177e4
LT		 2843 return 0;
2844 }
2845
2846 switch (result) {
2847 case L2CAP_CR_SUCCESS:
2848 sk->sk_state = BT_CONFIG;
2849 l2cap_pi(sk)->ident = 0;
2850 l2cap_pi(sk)->dcid = dcid;
2851 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
2852
6a8d3010
MH		 2853 l2cap_pi(sk)->conf_state &= ~L2CAP_CONF_CONNECT_PEND;
2854
1da177e4
LT		 2855 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2856 l2cap_build_conf_req(sk, req), req);
f2fcfcd6 2857 l2cap_pi(sk)->num_conf_req++;
1da177e4
LT		 2858 break;
2859
2860 case L2CAP_CR_PEND:
6a8d3010 2861 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
1da177e4
LT		 2862 break;
2863
2864 default:
2865 l2cap_chan_del(sk, ECONNREFUSED);
2866 break;
2867 }
2868
2869 bh_unlock_sock(sk);
2870 return 0;
2871}
2872
88219a0f 2873static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 2874{
2875 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
2876 u16 dcid, flags;
2877 u8 rsp[64];
2878 struct sock *sk;
5dee9e7c 2879 int len;
1da177e4
LT		 2880
2881 dcid = __le16_to_cpu(req->dcid);
2882 flags = __le16_to_cpu(req->flags);
2883
2884 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
2885
af05b30b
GP		 2886 sk = l2cap_get_chan_by_scid(&conn->chan_list, dcid);
2887 if (!sk)
1da177e4
LT		 2888 return -ENOENT;
2889
354f60a9
MH		 2890 if (sk->sk_state == BT_DISCONN)
2891 goto unlock;
2892
5dee9e7c 2893 /* Reject if config buffer is too small. */
88219a0f 2894 len = cmd_len - sizeof(*req);
5dee9e7c
MH		 2895 if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
2896 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2897 l2cap_build_conf_rsp(sk, rsp,
2898 L2CAP_CONF_REJECT, flags), rsp);
2899 goto unlock;
2900 }
2901
2902 /* Store config. */
2903 memcpy(l2cap_pi(sk)->conf_req + l2cap_pi(sk)->conf_len, req->data, len);
2904 l2cap_pi(sk)->conf_len += len;
1da177e4
LT		 2905
2906 if (flags & 0x0001) {
2907 /* Incomplete config. Send empty response. */
2908 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
5dee9e7c
MH		 2909 l2cap_build_conf_rsp(sk, rsp,
2910 L2CAP_CONF_SUCCESS, 0x0001), rsp);
1da177e4
LT		 2911 goto unlock;
2912 }
2913
2914 /* Complete config. */
5dee9e7c 2915 len = l2cap_parse_conf_req(sk, rsp);
f2fcfcd6 2916 if (len < 0) {
22121fc9 2917 l2cap_send_disconn_req(conn, sk);
1da177e4 2918 goto unlock;
f2fcfcd6 2919 }
1da177e4 2920
5dee9e7c 2921 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
f2fcfcd6 2922 l2cap_pi(sk)->num_conf_rsp++;
5dee9e7c 2923
5dee9e7c
MH		 2924 /* Reset config buffer. */
2925 l2cap_pi(sk)->conf_len = 0;
2926
876d9484
MH		 2927 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE))
2928 goto unlock;
2929
1da177e4 2930 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_INPUT_DONE) {
f64f9e71
JP		 2931 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_NO_FCS_RECV) ||
2932 l2cap_pi(sk)->fcs != L2CAP_FCS_NONE)
fcc203c3
GP		 2933 l2cap_pi(sk)->fcs = L2CAP_FCS_CRC16;
2934
1da177e4 2935 sk->sk_state = BT_CONNECTED;
e90bac06 2936
0565c1c2
GP		 2937 l2cap_pi(sk)->next_tx_seq = 0;
2938 l2cap_pi(sk)->expected_tx_seq = 0;
1c2acffb 2939 __skb_queue_head_init(TX_QUEUE(sk));
0565c1c2
GP		 2940 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM)
2941 l2cap_ertm_init(sk);
2942
1da177e4 2943 l2cap_chan_ready(sk);
876d9484
MH		 2944 goto unlock;
2945 }
2946
2947 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT)) {
79d554a6 2948 u8 buf[64];
1da177e4 2949 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
79d554a6 2950 l2cap_build_conf_req(sk, buf), buf);
f2fcfcd6 2951 l2cap_pi(sk)->num_conf_req++;
1da177e4
LT		 2952 }
2953
2954unlock:
2955 bh_unlock_sock(sk);
2956 return 0;
2957}
2958
2959static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2960{
2961 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
2962 u16 scid, flags, result;
2963 struct sock *sk;
7b1c0049 2964 int len = cmd->len - sizeof(*rsp);
1da177e4
LT		 2965
2966 scid = __le16_to_cpu(rsp->scid);
2967 flags = __le16_to_cpu(rsp->flags);
2968 result = __le16_to_cpu(rsp->result);
2969
af05b30b
GP		 2970 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x",
2971 scid, flags, result);
1da177e4 2972
af05b30b
GP		 2973 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
2974 if (!sk)
1da177e4
LT		 2975 return 0;
2976
2977 switch (result) {
2978 case L2CAP_CONF_SUCCESS:
7b1c0049 2979 l2cap_conf_rfc_get(sk, rsp->data, len);
1da177e4
LT		 2980 break;
2981
2982 case L2CAP_CONF_UNACCEPT:
f2fcfcd6 2983 if (l2cap_pi(sk)->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 2984 char req[64];
2985
c2c77ec8
AE		 2986 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
2987 l2cap_send_disconn_req(conn, sk);
2988 goto done;
2989 }
2990
f2fcfcd6
GP		 2991 /* throw out any old stored conf requests */
2992 result = L2CAP_CONF_SUCCESS;
2993 len = l2cap_parse_conf_rsp(sk, rsp->data,
2994 len, req, &result);
2995 if (len < 0) {
22121fc9 2996 l2cap_send_disconn_req(conn, sk);
f2fcfcd6
GP		 2997 goto done;
2998 }
2999
3000 l2cap_send_cmd(conn, l2cap_get_ident(conn),
3001 L2CAP_CONF_REQ, len, req);
3002 l2cap_pi(sk)->num_conf_req++;
3003 if (result != L2CAP_CONF_SUCCESS)
3004 goto done;
3005 break;
1da177e4
LT		 3006 }
3007
8e87d142 3008 default:
1da177e4 3009 sk->sk_state = BT_DISCONN;
b1235d79 3010 sk->sk_err = ECONNRESET;
1da177e4 3011 l2cap_sock_set_timer(sk, HZ * 5);
22121fc9 3012 l2cap_send_disconn_req(conn, sk);
1da177e4
LT		 3013 goto done;
3014 }
3015
3016 if (flags & 0x01)
3017 goto done;
3018
1da177e4
LT		 3019 l2cap_pi(sk)->conf_state |= L2CAP_CONF_INPUT_DONE;
3020
3021 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE) {
f64f9e71
JP		 3022 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_NO_FCS_RECV) ||
3023 l2cap_pi(sk)->fcs != L2CAP_FCS_NONE)
fcc203c3
GP		 3024 l2cap_pi(sk)->fcs = L2CAP_FCS_CRC16;
3025
1da177e4 3026 sk->sk_state = BT_CONNECTED;
0565c1c2 3027 l2cap_pi(sk)->next_tx_seq = 0;
1c2acffb 3028 l2cap_pi(sk)->expected_tx_seq = 0;
1c2acffb 3029 __skb_queue_head_init(TX_QUEUE(sk));
0565c1c2
GP		 3030 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM)
3031 l2cap_ertm_init(sk);
3032
1da177e4
LT		 3033 l2cap_chan_ready(sk);
3034 }
3035
3036done:
3037 bh_unlock_sock(sk);
3038 return 0;
3039}
3040
3041static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3042{
3043 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
3044 struct l2cap_disconn_rsp rsp;
3045 u16 dcid, scid;
3046 struct sock *sk;
3047
3048 scid = __le16_to_cpu(req->scid);
3049 dcid = __le16_to_cpu(req->dcid);
3050
3051 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
3052
af05b30b
GP		 3053 sk = l2cap_get_chan_by_scid(&conn->chan_list, dcid);
3054 if (!sk)
1da177e4
LT		 3055 return 0;
3056
aca3192c
YH		 3057 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
3058 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
1da177e4
LT		 3059 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
3060
3061 sk->sk_shutdown = SHUTDOWN_MASK;
3062
1c2acffb 3063 skb_queue_purge(TX_QUEUE(sk));
0565c1c2
GP		 3064
3065 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM) {
3066 skb_queue_purge(SREJ_QUEUE(sk));
3067 del_timer(&l2cap_pi(sk)->retrans_timer);
3068 del_timer(&l2cap_pi(sk)->monitor_timer);
c1b4f43b 3069 del_timer(&l2cap_pi(sk)->ack_timer);
0565c1c2 3070 }
1c2acffb 3071
1da177e4
LT		 3072 l2cap_chan_del(sk, ECONNRESET);
3073 bh_unlock_sock(sk);
3074
3075 l2cap_sock_kill(sk);
3076 return 0;
3077}
3078
3079static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3080{
3081 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
3082 u16 dcid, scid;
3083 struct sock *sk;
3084
3085 scid = __le16_to_cpu(rsp->scid);
3086 dcid = __le16_to_cpu(rsp->dcid);
3087
3088 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
3089
af05b30b
GP		 3090 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
3091 if (!sk)
1da177e4
LT		 3092 return 0;
3093
1c2acffb 3094 skb_queue_purge(TX_QUEUE(sk));
0565c1c2
GP		 3095
3096 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM) {
3097 skb_queue_purge(SREJ_QUEUE(sk));
3098 del_timer(&l2cap_pi(sk)->retrans_timer);
3099 del_timer(&l2cap_pi(sk)->monitor_timer);
c1b4f43b 3100 del_timer(&l2cap_pi(sk)->ack_timer);
0565c1c2 3101 }
1c2acffb 3102
1da177e4
LT		 3103 l2cap_chan_del(sk, 0);
3104 bh_unlock_sock(sk);
3105
3106 l2cap_sock_kill(sk);
3107 return 0;
3108}
3109
3110static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3111{
3112 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 3113 u16 type;
3114
3115 type = __le16_to_cpu(req->type);
3116
3117 BT_DBG("type 0x%4.4x", type);
3118
f0709e03
MH		 3119 if (type == L2CAP_IT_FEAT_MASK) {
3120 u8 buf[8];
44dd46de 3121 u32 feat_mask = l2cap_feat_mask;
f0709e03
MH		 3122 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
3123 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3124 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
44dd46de 3125 if (enable_ertm)
fcc203c3
GP		 3126 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
3127 | L2CAP_FEAT_FCS;
1b7bf4ed 3128 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 3129 l2cap_send_cmd(conn, cmd->ident,
3130 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 3131 } else if (type == L2CAP_IT_FIXED_CHAN) {
3132 u8 buf[12];
3133 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
3134 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3135 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
3136 memcpy(buf + 4, l2cap_fixed_chan, 8);
3137 l2cap_send_cmd(conn, cmd->ident,
3138 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 3139 } else {
3140 struct l2cap_info_rsp rsp;
3141 rsp.type = cpu_to_le16(type);
3142 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
3143 l2cap_send_cmd(conn, cmd->ident,
3144 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
3145 }
1da177e4
LT		 3146
3147 return 0;
3148}
3149
3150static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3151{
3152 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
3153 u16 type, result;
3154
3155 type = __le16_to_cpu(rsp->type);
3156 result = __le16_to_cpu(rsp->result);
3157
3158 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
3159
4e8402a3
MH		 3160 del_timer(&conn->info_timer);
3161
984947dc 3162 if (type == L2CAP_IT_FEAT_MASK) {
83985319 3163 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 3164
47ec1dcd 3165 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c
MH		 3166 struct l2cap_info_req req;
3167 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3168
3169 conn->info_ident = l2cap_get_ident(conn);
3170
3171 l2cap_send_cmd(conn, conn->info_ident,
3172 L2CAP_INFO_REQ, sizeof(req), &req);
3173 } else {
3174 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3175 conn->info_ident = 0;
3176
3177 l2cap_conn_start(conn);
3178 }
3179 } else if (type == L2CAP_IT_FIXED_CHAN) {
984947dc 3180 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3181 conn->info_ident = 0;
984947dc
MH		 3182
3183 l2cap_conn_start(conn);
3184 }
4e8402a3 3185
1da177e4
LT		 3186 return 0;
3187}
3188
3189static inline void l2cap_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb)
3190{
3191 u8 *data = skb->data;
3192 int len = skb->len;
3193 struct l2cap_cmd_hdr cmd;
3194 int err = 0;
3195
3196 l2cap_raw_recv(conn, skb);
3197
3198 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 3199 u16 cmd_len;
1da177e4
LT		 3200 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
3201 data += L2CAP_CMD_HDR_SIZE;
3202 len -= L2CAP_CMD_HDR_SIZE;
3203
88219a0f 3204 cmd_len = le16_to_cpu(cmd.len);
1da177e4 3205
88219a0f 3206 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 3207
88219a0f 3208 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 3209 BT_DBG("corrupted command");
3210 break;
3211 }
3212
3213 switch (cmd.code) {
3214 case L2CAP_COMMAND_REJ:
4e8402a3 3215 l2cap_command_rej(conn, &cmd, data);
1da177e4
LT		 3216 break;
3217
3218 case L2CAP_CONN_REQ:
3219 err = l2cap_connect_req(conn, &cmd, data);
3220 break;
3221
3222 case L2CAP_CONN_RSP:
3223 err = l2cap_connect_rsp(conn, &cmd, data);
3224 break;
3225
3226 case L2CAP_CONF_REQ:
88219a0f 3227 err = l2cap_config_req(conn, &cmd, cmd_len, data);
1da177e4
LT		 3228 break;
3229
3230 case L2CAP_CONF_RSP:
3231 err = l2cap_config_rsp(conn, &cmd, data);
3232 break;
3233
3234 case L2CAP_DISCONN_REQ:
3235 err = l2cap_disconnect_req(conn, &cmd, data);
3236 break;
3237
3238 case L2CAP_DISCONN_RSP:
3239 err = l2cap_disconnect_rsp(conn, &cmd, data);
3240 break;
3241
3242 case L2CAP_ECHO_REQ:
88219a0f 3243 l2cap_send_cmd(conn, cmd.ident, L2CAP_ECHO_RSP, cmd_len, data);
1da177e4
LT		 3244 break;
3245
3246 case L2CAP_ECHO_RSP:
3247 break;
3248
3249 case L2CAP_INFO_REQ:
3250 err = l2cap_information_req(conn, &cmd, data);
3251 break;
3252
3253 case L2CAP_INFO_RSP:
3254 err = l2cap_information_rsp(conn, &cmd, data);
3255 break;
3256
3257 default:
3258 BT_ERR("Unknown signaling command 0x%2.2x", cmd.code);
3259 err = -EINVAL;
3260 break;
3261 }
3262
3263 if (err) {
3264 struct l2cap_cmd_rej rej;
3265 BT_DBG("error %d", err);
3266
3267 /* FIXME: Map err to a valid reason */
aca3192c 3268 rej.reason = cpu_to_le16(0);
1da177e4
LT		 3269 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3270 }
3271
88219a0f
AV		 3272 data += cmd_len;
3273 len -= cmd_len;
1da177e4
LT		 3274 }
3275
3276 kfree_skb(skb);
3277}
3278
fcc203c3
GP		 3279static int l2cap_check_fcs(struct l2cap_pinfo *pi, struct sk_buff *skb)
3280{
3281 u16 our_fcs, rcv_fcs;
3282 int hdr_size = L2CAP_HDR_SIZE + 2;
3283
3284 if (pi->fcs == L2CAP_FCS_CRC16) {
3285 skb_trim(skb, skb->len - 2);
3286 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
3287 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
3288
3289 if (our_fcs != rcv_fcs)
3290 return -EINVAL;
3291 }
3292 return 0;
3293}
3294
d5392c8f
GP		 3295static inline void l2cap_send_i_or_rr_or_rnr(struct sock *sk)
3296{
3297 struct l2cap_pinfo *pi = l2cap_pi(sk);
3298 u16 control = 0;
3299
3300 pi->frames_sent = 0;
3301 pi->conn_state |= L2CAP_CONN_SEND_FBIT;
3302
3303 control |= pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3304
3305 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) {
3306 control |= L2CAP_SUPER_RCV_NOT_READY | L2CAP_CTRL_FINAL;
3307 l2cap_send_sframe(pi, control);
3308 pi->conn_state &= ~L2CAP_CONN_SEND_FBIT;
3309 }
3310
3311 if (pi->conn_state & L2CAP_CONN_REMOTE_BUSY && pi->unacked_frames > 0)
3312 __mod_retrans_timer();
3313
3314 l2cap_ertm_send(sk);
3315
3316 if (!(pi->conn_state & L2CAP_CONN_LOCAL_BUSY) &&
3317 pi->frames_sent == 0) {
3318 control |= L2CAP_SUPER_RCV_READY;
d5392c8f
GP		 3319 l2cap_send_sframe(pi, control);
3320 }
3321}
3322
8f17154f
GP		 3323static void l2cap_add_to_srej_queue(struct sock *sk, struct sk_buff *skb, u8 tx_seq, u8 sar)
3324{
3325 struct sk_buff *next_skb;
3326
3327 bt_cb(skb)->tx_seq = tx_seq;
3328 bt_cb(skb)->sar = sar;
3329
3330 next_skb = skb_peek(SREJ_QUEUE(sk));
3331 if (!next_skb) {
3332 __skb_queue_tail(SREJ_QUEUE(sk), skb);
3333 return;
3334 }
3335
3336 do {
3337 if (bt_cb(next_skb)->tx_seq > tx_seq) {
3338 __skb_queue_before(SREJ_QUEUE(sk), next_skb, skb);
3339 return;
3340 }
3341
3342 if (skb_queue_is_last(SREJ_QUEUE(sk), next_skb))
3343 break;
3344
59203a21 3345 } while ((next_skb = skb_queue_next(SREJ_QUEUE(sk), next_skb)));
8f17154f
GP		 3346
3347 __skb_queue_tail(SREJ_QUEUE(sk), skb);
3348}
3349
c74e560c
GP		 3350static int l2cap_sar_reassembly_sdu(struct sock *sk, struct sk_buff *skb, u16 control)
3351{
3352 struct l2cap_pinfo *pi = l2cap_pi(sk);
3353 struct sk_buff *_skb;
3354 int err = -EINVAL;
3355
3356 switch (control & L2CAP_CTRL_SAR) {
3357 case L2CAP_SDU_UNSEGMENTED:
3358 if (pi->conn_state & L2CAP_CONN_SAR_SDU) {
3359 kfree_skb(pi->sdu);
3360 break;
3361 }
3362
3363 err = sock_queue_rcv_skb(sk, skb);
3364 if (!err)
3365 return 0;
3366
3367 break;
3368
3369 case L2CAP_SDU_START:
3370 if (pi->conn_state & L2CAP_CONN_SAR_SDU) {
3371 kfree_skb(pi->sdu);
3372 break;
3373 }
3374
3375 pi->sdu_len = get_unaligned_le16(skb->data);
3376 skb_pull(skb, 2);
3377
052897ca
GP		 3378 if (pi->sdu_len > pi->imtu) {
3379 err = -EMSGSIZE;
3380 break;
3381 }
3382
c74e560c
GP		 3383 pi->sdu = bt_skb_alloc(pi->sdu_len, GFP_ATOMIC);
3384 if (!pi->sdu) {
3385 err = -ENOMEM;
3386 break;
3387 }
3388
3389 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3390
3391 pi->conn_state |= L2CAP_CONN_SAR_SDU;
3392 pi->partial_sdu_len = skb->len;
3393 err = 0;
3394 break;
3395
3396 case L2CAP_SDU_CONTINUE:
3397 if (!(pi->conn_state & L2CAP_CONN_SAR_SDU))
3398 break;
3399
3400 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3401
3402 pi->partial_sdu_len += skb->len;
3403 if (pi->partial_sdu_len > pi->sdu_len)
3404 kfree_skb(pi->sdu);
3405 else
3406 err = 0;
3407
3408 break;
3409
3410 case L2CAP_SDU_END:
3411 if (!(pi->conn_state & L2CAP_CONN_SAR_SDU))
3412 break;
3413
3414 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3415
3416 pi->conn_state &= ~L2CAP_CONN_SAR_SDU;
3417 pi->partial_sdu_len += skb->len;
3418
36f2fd58
GP		 3419 if (pi->partial_sdu_len > pi->imtu)
3420 goto drop;
3421
c74e560c
GP		 3422 if (pi->partial_sdu_len == pi->sdu_len) {
3423 _skb = skb_clone(pi->sdu, GFP_ATOMIC);
3424 err = sock_queue_rcv_skb(sk, _skb);
3425 if (err < 0)
3426 kfree_skb(_skb);
3427 }
c74e560c
GP		 3428 err = 0;
3429
36f2fd58
GP		 3430drop:
3431 kfree_skb(pi->sdu);
c74e560c
GP		 3432 break;
3433 }
3434
3435 kfree_skb(skb);
3436 return err;
3437}
3438
8f17154f
GP		 3439static void l2cap_check_srej_gap(struct sock *sk, u8 tx_seq)
3440{
3441 struct sk_buff *skb;
afefdbc4 3442 u16 control;
8f17154f 3443
59203a21 3444 while ((skb = skb_peek(SREJ_QUEUE(sk)))) {
8f17154f
GP		 3445 if (bt_cb(skb)->tx_seq != tx_seq)
3446 break;
3447
3448 skb = skb_dequeue(SREJ_QUEUE(sk));
afefdbc4 3449 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
8f17154f
GP		 3450 l2cap_sar_reassembly_sdu(sk, skb, control);
3451 l2cap_pi(sk)->buffer_seq_srej =
3452 (l2cap_pi(sk)->buffer_seq_srej + 1) % 64;
3453 tx_seq++;
3454 }
3455}
3456
3457static void l2cap_resend_srejframe(struct sock *sk, u8 tx_seq)
3458{
3459 struct l2cap_pinfo *pi = l2cap_pi(sk);
3460 struct srej_list *l, *tmp;
3461 u16 control;
3462
59203a21 3463 list_for_each_entry_safe(l, tmp, SREJ_LIST(sk), list) {
8f17154f
GP		 3464 if (l->tx_seq == tx_seq) {
3465 list_del(&l->list);
3466 kfree(l);
3467 return;
3468 }
3469 control = L2CAP_SUPER_SELECT_REJECT;
3470 control |= l->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3471 l2cap_send_sframe(pi, control);
3472 list_del(&l->list);
3473 list_add_tail(&l->list, SREJ_LIST(sk));
3474 }
3475}
3476
3477static void l2cap_send_srejframe(struct sock *sk, u8 tx_seq)
3478{
3479 struct l2cap_pinfo *pi = l2cap_pi(sk);
3480 struct srej_list *new;
3481 u16 control;
3482
3483 while (tx_seq != pi->expected_tx_seq) {
3484 control = L2CAP_SUPER_SELECT_REJECT;
3485 control |= pi->expected_tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3486 l2cap_send_sframe(pi, control);
3487
3488 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
3489 new->tx_seq = pi->expected_tx_seq++;
3490 list_add_tail(&new->list, SREJ_LIST(sk));
3491 }
3492 pi->expected_tx_seq++;
3493}
3494
1c2acffb
GP		 3495static inline int l2cap_data_channel_iframe(struct sock *sk, u16 rx_control, struct sk_buff *skb)
3496{
3497 struct l2cap_pinfo *pi = l2cap_pi(sk);
3498 u8 tx_seq = __get_txseq(rx_control);
9f121a5a 3499 u8 req_seq = __get_reqseq(rx_control);
8f17154f 3500 u8 sar = rx_control >> L2CAP_CTRL_SAR_SHIFT;
803020c6 3501 int num_to_ack = (pi->tx_win/6) + 1;
1c2acffb
GP		 3502 int err = 0;
3503
3504 BT_DBG("sk %p rx_control 0x%4.4x len %d", sk, rx_control, skb->len);
3505
1d8f5d16
GP		 3506 if (L2CAP_CTRL_FINAL & rx_control) {
3507 del_timer(&pi->monitor_timer);
3508 if (pi->unacked_frames > 0)
3509 __mod_retrans_timer();
3510 pi->conn_state &= ~L2CAP_CONN_WAIT_F;
3511 }
3512
9f121a5a
GP		 3513 pi->expected_ack_seq = req_seq;
3514 l2cap_drop_acked_frames(sk);
3515
8f17154f
GP		 3516 if (tx_seq == pi->expected_tx_seq)
3517 goto expected;
1c2acffb 3518
8f17154f
GP		 3519 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
3520 struct srej_list *first;
30afb5b2 3521
8f17154f
GP		 3522 first = list_first_entry(SREJ_LIST(sk),
3523 struct srej_list, list);
3524 if (tx_seq == first->tx_seq) {
3525 l2cap_add_to_srej_queue(sk, skb, tx_seq, sar);
3526 l2cap_check_srej_gap(sk, tx_seq);
3527
3528 list_del(&first->list);
3529 kfree(first);
3530
3531 if (list_empty(SREJ_LIST(sk))) {
3532 pi->buffer_seq = pi->buffer_seq_srej;
3533 pi->conn_state &= ~L2CAP_CONN_SREJ_SENT;
855666cc 3534 l2cap_send_ack(pi);
8f17154f
GP		 3535 }
3536 } else {
3537 struct srej_list *l;
3538 l2cap_add_to_srej_queue(sk, skb, tx_seq, sar);
3539
3540 list_for_each_entry(l, SREJ_LIST(sk), list) {
3541 if (l->tx_seq == tx_seq) {
3542 l2cap_resend_srejframe(sk, tx_seq);
3543 return 0;
3544 }
3545 }
3546 l2cap_send_srejframe(sk, tx_seq);
30afb5b2
GP		 3547 }
3548 } else {
8f17154f 3549 pi->conn_state |= L2CAP_CONN_SREJ_SENT;
1c2acffb 3550
8f17154f
GP		 3551 INIT_LIST_HEAD(SREJ_LIST(sk));
3552 pi->buffer_seq_srej = pi->buffer_seq;
3553
3554 __skb_queue_head_init(SREJ_QUEUE(sk));
3555 l2cap_add_to_srej_queue(sk, skb, tx_seq, sar);
3556
ef54fd93
GP		 3557 pi->conn_state |= L2CAP_CONN_SEND_PBIT;
3558
8f17154f 3559 l2cap_send_srejframe(sk, tx_seq);
1c2acffb 3560 }
30afb5b2
GP		 3561 return 0;
3562
8f17154f
GP		 3563expected:
3564 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
3565
3566 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
3b1a9f3f
GP		 3567 bt_cb(skb)->tx_seq = tx_seq;
3568 bt_cb(skb)->sar = sar;
3569 __skb_queue_tail(SREJ_QUEUE(sk), skb);
8f17154f
GP		 3570 return 0;
3571 }
3572
4ec10d97
GP		 3573 if (rx_control & L2CAP_CTRL_FINAL) {
3574 if (pi->conn_state & L2CAP_CONN_REJ_ACT)
3575 pi->conn_state &= ~L2CAP_CONN_REJ_ACT;
3576 else {
f6e6b168
GP		 3577 if (!skb_queue_empty(TX_QUEUE(sk)))
3578 sk->sk_send_head = TX_QUEUE(sk)->next;
4ec10d97
GP		 3579 pi->next_tx_seq = pi->expected_ack_seq;
3580 l2cap_ertm_send(sk);
3581 }
3582 }
3583
8f17154f
GP		 3584 pi->buffer_seq = (pi->buffer_seq + 1) % 64;
3585
3586 err = l2cap_sar_reassembly_sdu(sk, skb, rx_control);
3587 if (err < 0)
3588 return err;
3589
c1b4f43b
GP		 3590 __mod_ack_timer();
3591
803020c6
GP		 3592 pi->num_acked = (pi->num_acked + 1) % num_to_ack;
3593 if (pi->num_acked == num_to_ack - 1)
9e917af1
GP		 3594 l2cap_send_ack(pi);
3595
8f17154f 3596 return 0;
1c2acffb
GP		 3597}
3598
e072745f 3599static inline void l2cap_data_channel_rrframe(struct sock *sk, u16 rx_control)
1c2acffb
GP		 3600{
3601 struct l2cap_pinfo *pi = l2cap_pi(sk);
6e3a5981
GP		 3602
3603 pi->expected_ack_seq = __get_reqseq(rx_control);
3604 l2cap_drop_acked_frames(sk);
1c2acffb 3605
e072745f 3606 if (rx_control & L2CAP_CTRL_POLL) {
05fbd89d
GP		 3607 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
3608 if ((pi->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
3609 (pi->unacked_frames > 0))
3610 __mod_retrans_timer();
3611
3612 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3613 l2cap_send_srejtail(sk);
3614 } else {
3615 l2cap_send_i_or_rr_or_rnr(sk);
3616 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3617 }
1d8f5d16 3618
e072745f
GP		 3619 } else if (rx_control & L2CAP_CTRL_FINAL) {
3620 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
4ec10d97 3621
e072745f
GP		 3622 if (pi->conn_state & L2CAP_CONN_REJ_ACT)
3623 pi->conn_state &= ~L2CAP_CONN_REJ_ACT;
3624 else {
f6e6b168
GP		 3625 if (!skb_queue_empty(TX_QUEUE(sk)))
3626 sk->sk_send_head = TX_QUEUE(sk)->next;
e072745f
GP		 3627 pi->next_tx_seq = pi->expected_ack_seq;
3628 l2cap_ertm_send(sk);
3629 }
2246b2f1 3630
e072745f 3631 } else {
e072745f
GP		 3632 if ((pi->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
3633 (pi->unacked_frames > 0))
3634 __mod_retrans_timer();
1c2acffb 3635
2246b2f1 3636 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
e072745f
GP		 3637 if (pi->conn_state & L2CAP_CONN_SREJ_SENT)
3638 l2cap_send_ack(pi);
3639 else
3640 l2cap_ertm_send(sk);
3641 }
3642}
2246b2f1 3643
e072745f
GP		 3644static inline void l2cap_data_channel_rejframe(struct sock *sk, u16 rx_control)
3645{
3646 struct l2cap_pinfo *pi = l2cap_pi(sk);
3647 u8 tx_seq = __get_reqseq(rx_control);
30afb5b2 3648
e072745f
GP		 3649 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3650
8abb52ee 3651 pi->expected_ack_seq = tx_seq;
e072745f
GP		 3652 l2cap_drop_acked_frames(sk);
3653
3654 if (rx_control & L2CAP_CTRL_FINAL) {
3655 if (pi->conn_state & L2CAP_CONN_REJ_ACT)
3656 pi->conn_state &= ~L2CAP_CONN_REJ_ACT;
3657 else {
f6e6b168
GP		 3658 if (!skb_queue_empty(TX_QUEUE(sk)))
3659 sk->sk_send_head = TX_QUEUE(sk)->next;
4ec10d97
GP		 3660 pi->next_tx_seq = pi->expected_ack_seq;
3661 l2cap_ertm_send(sk);
4ec10d97 3662 }
e072745f 3663 } else {
f6e6b168
GP		 3664 if (!skb_queue_empty(TX_QUEUE(sk)))
3665 sk->sk_send_head = TX_QUEUE(sk)->next;
e072745f
GP		 3666 pi->next_tx_seq = pi->expected_ack_seq;
3667 l2cap_ertm_send(sk);
30afb5b2 3668
0301ef04 3669 if (pi->conn_state & L2CAP_CONN_WAIT_F)
e072745f 3670 pi->conn_state |= L2CAP_CONN_REJ_ACT;
e072745f
GP		 3671 }
3672}
3673static inline void l2cap_data_channel_srejframe(struct sock *sk, u16 rx_control)
3674{
3675 struct l2cap_pinfo *pi = l2cap_pi(sk);
3676 u8 tx_seq = __get_reqseq(rx_control);
30afb5b2 3677
e072745f 3678 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
2246b2f1 3679
e072745f
GP		 3680 if (rx_control & L2CAP_CTRL_POLL) {
3681 pi->expected_ack_seq = tx_seq;
3682 l2cap_drop_acked_frames(sk);
3683 l2cap_retransmit_frame(sk, tx_seq);
3684 l2cap_ertm_send(sk);
3685 if (pi->conn_state & L2CAP_CONN_WAIT_F) {
3686 pi->srej_save_reqseq = tx_seq;
3687 pi->conn_state |= L2CAP_CONN_SREJ_ACT;
ef54fd93 3688 }
e072745f
GP		 3689 } else if (rx_control & L2CAP_CTRL_FINAL) {
3690 if ((pi->conn_state & L2CAP_CONN_SREJ_ACT) &&
3691 pi->srej_save_reqseq == tx_seq)
3692 pi->conn_state &= ~L2CAP_CONN_SREJ_ACT;
3693 else
ef54fd93 3694 l2cap_retransmit_frame(sk, tx_seq);
e072745f
GP		 3695 } else {
3696 l2cap_retransmit_frame(sk, tx_seq);
3697 if (pi->conn_state & L2CAP_CONN_WAIT_F) {
3698 pi->srej_save_reqseq = tx_seq;
3699 pi->conn_state |= L2CAP_CONN_SREJ_ACT;
ef54fd93 3700 }
e072745f
GP		 3701 }
3702}
3703
3704static inline void l2cap_data_channel_rnrframe(struct sock *sk, u16 rx_control)
3705{
3706 struct l2cap_pinfo *pi = l2cap_pi(sk);
3707 u8 tx_seq = __get_reqseq(rx_control);
3708
3709 pi->conn_state |= L2CAP_CONN_REMOTE_BUSY;
3710 pi->expected_ack_seq = tx_seq;
3711 l2cap_drop_acked_frames(sk);
3712
99b0d4b7
GP		 3713 if (!(pi->conn_state & L2CAP_CONN_SREJ_SENT)) {
3714 del_timer(&pi->retrans_timer);
a2e12a2a
GP		 3715 if (rx_control & L2CAP_CTRL_POLL)
3716 l2cap_send_rr_or_rnr(pi, L2CAP_CTRL_FINAL);
99b0d4b7 3717 return;
e072745f 3718 }
99b0d4b7
GP		 3719
3720 if (rx_control & L2CAP_CTRL_POLL)
3721 l2cap_send_srejtail(sk);
3722 else
3723 l2cap_send_sframe(pi, L2CAP_SUPER_RCV_READY);
e072745f
GP		 3724}
3725
3726static inline int l2cap_data_channel_sframe(struct sock *sk, u16 rx_control, struct sk_buff *skb)
3727{
3728 BT_DBG("sk %p rx_control 0x%4.4x len %d", sk, rx_control, skb->len);
3729
3730 if (L2CAP_CTRL_FINAL & rx_control) {
3731 del_timer(&l2cap_pi(sk)->monitor_timer);
3732 if (l2cap_pi(sk)->unacked_frames > 0)
3733 __mod_retrans_timer();
3734 l2cap_pi(sk)->conn_state &= ~L2CAP_CONN_WAIT_F;
3735 }
3736
3737 switch (rx_control & L2CAP_CTRL_SUPERVISE) {
3738 case L2CAP_SUPER_RCV_READY:
3739 l2cap_data_channel_rrframe(sk, rx_control);
8f17154f
GP		 3740 break;
3741
e072745f
GP		 3742 case L2CAP_SUPER_REJECT:
3743 l2cap_data_channel_rejframe(sk, rx_control);
3744 break;
2246b2f1 3745
e072745f
GP		 3746 case L2CAP_SUPER_SELECT_REJECT:
3747 l2cap_data_channel_srejframe(sk, rx_control);
3748 break;
3749
3750 case L2CAP_SUPER_RCV_NOT_READY:
3751 l2cap_data_channel_rnrframe(sk, rx_control);
1c2acffb
GP		 3752 break;
3753 }
3754
faaebd19 3755 kfree_skb(skb);
1c2acffb
GP		 3756 return 0;
3757}
3758
1da177e4
LT		 3759static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
3760{
3761 struct sock *sk;
6840ed07 3762 struct l2cap_pinfo *pi;
c74e560c 3763 u16 control, len;
01760bdd 3764 u8 tx_seq, req_seq, next_tx_seq_offset, req_seq_offset;
1da177e4
LT		 3765
3766 sk = l2cap_get_chan_by_scid(&conn->chan_list, cid);
3767 if (!sk) {
3768 BT_DBG("unknown cid 0x%4.4x", cid);
3769 goto drop;
3770 }
3771
6840ed07
GP		 3772 pi = l2cap_pi(sk);
3773
1da177e4
LT		 3774 BT_DBG("sk %p, len %d", sk, skb->len);
3775
3776 if (sk->sk_state != BT_CONNECTED)
3777 goto drop;
3778
6840ed07 3779 switch (pi->mode) {
1c2acffb
GP		 3780 case L2CAP_MODE_BASIC:
3781 /* If socket recv buffers overflows we drop data here
3782 * which is *bad* because L2CAP has to be reliable.
3783 * But we don't have any other choice. L2CAP doesn't
3784 * provide flow control mechanism. */
1da177e4 3785
6840ed07 3786 if (pi->imtu < skb->len)
1c2acffb 3787 goto drop;
1da177e4 3788
1c2acffb
GP		 3789 if (!sock_queue_rcv_skb(sk, skb))
3790 goto done;
3791 break;
3792
3793 case L2CAP_MODE_ERTM:
3794 control = get_unaligned_le16(skb->data);
3795 skb_pull(skb, 2);
c74e560c 3796 len = skb->len;
1c2acffb 3797
c74e560c
GP		 3798 if (__is_sar_start(control))
3799 len -= 2;
3800
fcc203c3
GP		 3801 if (pi->fcs == L2CAP_FCS_CRC16)
3802 len -= 2;
3803
30afb5b2
GP		 3804 /*
3805 * We can just drop the corrupted I-frame here.
3806 * Receiver will miss it and start proper recovery
3807 * procedures and ask retransmission.
3808 */
1c762159 3809 if (len > pi->mps)
1c2acffb
GP		 3810 goto drop;
3811
fcc203c3
GP		 3812 if (l2cap_check_fcs(pi, skb))
3813 goto drop;
3814
01760bdd
JPRV		 3815 req_seq = __get_reqseq(control);
3816 req_seq_offset = (req_seq - pi->expected_ack_seq) % 64;
3817 if (req_seq_offset < 0)
3818 req_seq_offset += 64;
3819
3820 next_tx_seq_offset =
3821 (pi->next_tx_seq - pi->expected_ack_seq) % 64;
3822 if (next_tx_seq_offset < 0)
3823 next_tx_seq_offset += 64;
3824
3825 /* check for invalid req-seq */
3826 if (req_seq_offset > next_tx_seq_offset) {
3827 l2cap_send_disconn_req(pi->conn, sk);
3828 goto drop;
3829 }
3830
277ffbe3
GP		 3831 if (__is_iframe(control)) {
3832 if (len < 4)
3833 goto drop;
3834
fcafde2e 3835 l2cap_data_channel_iframe(sk, control, skb);
277ffbe3
GP		 3836 } else {
3837 if (len != 0)
3838 goto drop;
3839
fcafde2e 3840 l2cap_data_channel_sframe(sk, control, skb);
277ffbe3 3841 }
1c2acffb 3842
fcafde2e 3843 goto done;
1c2acffb 3844
6840ed07
GP		 3845 case L2CAP_MODE_STREAMING:
3846 control = get_unaligned_le16(skb->data);
3847 skb_pull(skb, 2);
3848 len = skb->len;
3849
3850 if (__is_sar_start(control))
3851 len -= 2;
3852
fcc203c3
GP		 3853 if (pi->fcs == L2CAP_FCS_CRC16)
3854 len -= 2;
3855
1c762159 3856 if (len > pi->mps || len < 4 || __is_sframe(control))
6840ed07
GP		 3857 goto drop;
3858
fcc203c3
GP		 3859 if (l2cap_check_fcs(pi, skb))
3860 goto drop;
3861
6840ed07
GP		 3862 tx_seq = __get_txseq(control);
3863
3864 if (pi->expected_tx_seq == tx_seq)
3865 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
3866 else
7dffe421 3867 pi->expected_tx_seq = (tx_seq + 1) % 64;
6840ed07 3868
fcafde2e 3869 l2cap_sar_reassembly_sdu(sk, skb, control);
6840ed07
GP		 3870
3871 goto done;
3872
1c2acffb 3873 default:
e8235c6b 3874 BT_DBG("sk %p: bad mode 0x%2.2x", sk, pi->mode);
1c2acffb
GP		 3875 break;
3876 }
1da177e4
LT		 3877
3878drop:
3879 kfree_skb(skb);
3880
3881done:
0139418c
MH		 3882 if (sk)
3883 bh_unlock_sock(sk);
3884
1da177e4
LT		 3885 return 0;
3886}
3887
8e036fc3 3888static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
1da177e4
LT		 3889{
3890 struct sock *sk;
3891
3892 sk = l2cap_get_sock_by_psm(0, psm, conn->src);
3893 if (!sk)
3894 goto drop;
3895
3896 BT_DBG("sk %p, len %d", sk, skb->len);
3897
3898 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_CONNECTED)
3899 goto drop;
3900
3901 if (l2cap_pi(sk)->imtu < skb->len)
3902 goto drop;
3903
3904 if (!sock_queue_rcv_skb(sk, skb))
3905 goto done;
3906
3907drop:
3908 kfree_skb(skb);
3909
3910done:
af05b30b
GP		 3911 if (sk)
3912 bh_unlock_sock(sk);
1da177e4
LT		 3913 return 0;
3914}
3915
3916static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
3917{
3918 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 3919 u16 cid, len;
3920 __le16 psm;
1da177e4
LT		 3921
3922 skb_pull(skb, L2CAP_HDR_SIZE);
3923 cid = __le16_to_cpu(lh->cid);
3924 len = __le16_to_cpu(lh->len);
3925
1c2acffb
GP		 3926 if (len != skb->len) {
3927 kfree_skb(skb);
3928 return;
3929 }
3930
1da177e4
LT		 3931 BT_DBG("len %d, cid 0x%4.4x", len, cid);
3932
3933 switch (cid) {
8db4dc46 3934 case L2CAP_CID_SIGNALING:
1da177e4
LT		 3935 l2cap_sig_channel(conn, skb);
3936 break;
3937
8db4dc46 3938 case L2CAP_CID_CONN_LESS:
1b7bf4ed 3939 psm = get_unaligned_le16(skb->data);
1da177e4
LT		 3940 skb_pull(skb, 2);
3941 l2cap_conless_channel(conn, psm, skb);
3942 break;
3943
3944 default:
3945 l2cap_data_channel(conn, cid, skb);
3946 break;
3947 }
3948}
3949
3950/* ---- L2CAP interface with lower layer (HCI) ---- */
3951
3952static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
3953{
3954 int exact = 0, lm1 = 0, lm2 = 0;
3955 register struct sock *sk;
3956 struct hlist_node *node;
3957
3958 if (type != ACL_LINK)
3959 return 0;
3960
3961 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
3962
3963 /* Find listening sockets and check their link_mode */
3964 read_lock(&l2cap_sk_list.lock);
3965 sk_for_each(sk, node, &l2cap_sk_list.head) {
3966 if (sk->sk_state != BT_LISTEN)
3967 continue;
3968
3969 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5
MH		 3970 lm1 |= HCI_LM_ACCEPT;
3971 if (l2cap_pi(sk)->role_switch)
3972 lm1 |= HCI_LM_MASTER;
1da177e4 3973 exact++;
2af6b9d5
MH		 3974 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
3975 lm2 |= HCI_LM_ACCEPT;
3976 if (l2cap_pi(sk)->role_switch)
3977 lm2 |= HCI_LM_MASTER;
3978 }
1da177e4
LT		 3979 }
3980 read_unlock(&l2cap_sk_list.lock);
3981
3982 return exact ? lm1 : lm2;
3983}
3984
3985static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
3986{
0139418c
MH		 3987 struct l2cap_conn *conn;
3988
1da177e4
LT		 3989 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
3990
3991 if (hcon->type != ACL_LINK)
3992 return 0;
3993
3994 if (!status) {
1da177e4
LT		 3995 conn = l2cap_conn_add(hcon, status);
3996 if (conn)
3997 l2cap_conn_ready(conn);
0139418c 3998 } else
1da177e4
LT		 3999 l2cap_conn_del(hcon, bt_err(status));
4000
4001 return 0;
4002}
4003
2950f21a
MH		 4004static int l2cap_disconn_ind(struct hci_conn *hcon)
4005{
4006 struct l2cap_conn *conn = hcon->l2cap_data;
4007
4008 BT_DBG("hcon %p", hcon);
4009
4010 if (hcon->type != ACL_LINK || !conn)
4011 return 0x13;
4012
4013 return conn->disc_reason;
4014}
4015
4016static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 4017{
4018 BT_DBG("hcon %p reason %d", hcon, reason);
4019
4020 if (hcon->type != ACL_LINK)
4021 return 0;
4022
4023 l2cap_conn_del(hcon, bt_err(reason));
0139418c 4024
1da177e4
LT		 4025 return 0;
4026}
4027
f62e4323
MH		 4028static inline void l2cap_check_encryption(struct sock *sk, u8 encrypt)
4029{
bd3c9e25 4030 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM)
255c7601
MH		 4031 return;
4032
f62e4323
MH		 4033 if (encrypt == 0x00) {
4034 if (l2cap_pi(sk)->sec_level == BT_SECURITY_MEDIUM) {
4035 l2cap_sock_clear_timer(sk);
4036 l2cap_sock_set_timer(sk, HZ * 5);
4037 } else if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
4038 __l2cap_sock_close(sk, ECONNREFUSED);
4039 } else {
4040 if (l2cap_pi(sk)->sec_level == BT_SECURITY_MEDIUM)
4041 l2cap_sock_clear_timer(sk);
4042 }
4043}
4044
8c1b2355 4045static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4
LT		 4046{
4047 struct l2cap_chan_list *l;
0139418c 4048 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4 4049 struct sock *sk;
1da177e4 4050
0139418c 4051 if (!conn)
1da177e4 4052 return 0;
0139418c 4053
1da177e4
LT		 4054 l = &conn->chan_list;
4055
4056 BT_DBG("conn %p", conn);
4057
4058 read_lock(&l->lock);
4059
4060 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
4061 bh_lock_sock(sk);
4062
6a8d3010
MH		 4063 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_CONNECT_PEND) {
4064 bh_unlock_sock(sk);
4065 continue;
4066 }
4067
f62e4323 4068 if (!status && (sk->sk_state == BT_CONNECTED ||
8c1b2355 4069 sk->sk_state == BT_CONFIG)) {
f62e4323 4070 l2cap_check_encryption(sk, encrypt);
9719f8af
MH		 4071 bh_unlock_sock(sk);
4072 continue;
4073 }
4074
b1235d79
MH		 4075 if (sk->sk_state == BT_CONNECT) {
4076 if (!status) {
4077 struct l2cap_conn_req req;
4078 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
4079 req.psm = l2cap_pi(sk)->psm;
1da177e4 4080
b1235d79 4081 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
1da177e4 4082
b1235d79
MH		 4083 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
4084 L2CAP_CONN_REQ, sizeof(req), &req);
4085 } else {
4086 l2cap_sock_clear_timer(sk);
4087 l2cap_sock_set_timer(sk, HZ / 10);
4088 }
4089 } else if (sk->sk_state == BT_CONNECT2) {
4090 struct l2cap_conn_rsp rsp;
4091 __u16 result;
1da177e4 4092
b1235d79
MH		 4093 if (!status) {
4094 sk->sk_state = BT_CONFIG;
4095 result = L2CAP_CR_SUCCESS;
4096 } else {
4097 sk->sk_state = BT_DISCONN;
4098 l2cap_sock_set_timer(sk, HZ / 10);
4099 result = L2CAP_CR_SEC_BLOCK;
4100 }
4101
4102 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
4103 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
4104 rsp.result = cpu_to_le16(result);
e7c29cb1 4105 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
b1235d79
MH		 4106 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
4107 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
4108 }
1da177e4
LT		 4109
4110 bh_unlock_sock(sk);
4111 }
4112
4113 read_unlock(&l->lock);
b1235d79 4114
1da177e4
LT		 4115 return 0;
4116}
4117
4118static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
4119{
4120 struct l2cap_conn *conn = hcon->l2cap_data;
4121
4122 if (!conn && !(conn = l2cap_conn_add(hcon, 0)))
4123 goto drop;
4124
4125 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
4126
4127 if (flags & ACL_START) {
4128 struct l2cap_hdr *hdr;
4129 int len;
4130
4131 if (conn->rx_len) {
4132 BT_ERR("Unexpected start frame (len %d)", skb->len);
4133 kfree_skb(conn->rx_skb);
4134 conn->rx_skb = NULL;
4135 conn->rx_len = 0;
4136 l2cap_conn_unreliable(conn, ECOMM);
4137 }
4138
4139 if (skb->len < 2) {
4140 BT_ERR("Frame is too short (len %d)", skb->len);
4141 l2cap_conn_unreliable(conn, ECOMM);
4142 goto drop;
4143 }
4144
4145 hdr = (struct l2cap_hdr *) skb->data;
4146 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
4147
4148 if (len == skb->len) {
4149 /* Complete frame received */
4150 l2cap_recv_frame(conn, skb);
4151 return 0;
4152 }
4153
4154 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
4155
4156 if (skb->len > len) {
4157 BT_ERR("Frame is too long (len %d, expected len %d)",
4158 skb->len, len);
4159 l2cap_conn_unreliable(conn, ECOMM);
4160 goto drop;
4161 }
4162
4163 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 4164 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
4165 if (!conn->rx_skb)
1da177e4
LT		 4166 goto drop;
4167
d626f62b 4168 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4169 skb->len);
1da177e4
LT		 4170 conn->rx_len = len - skb->len;
4171 } else {
4172 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
4173
4174 if (!conn->rx_len) {
4175 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
4176 l2cap_conn_unreliable(conn, ECOMM);
4177 goto drop;
4178 }
4179
4180 if (skb->len > conn->rx_len) {
4181 BT_ERR("Fragment is too long (len %d, expected %d)",
4182 skb->len, conn->rx_len);
4183 kfree_skb(conn->rx_skb);
4184 conn->rx_skb = NULL;
4185 conn->rx_len = 0;
4186 l2cap_conn_unreliable(conn, ECOMM);
4187 goto drop;
4188 }
4189
d626f62b 4190 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4191 skb->len);
1da177e4
LT		 4192 conn->rx_len -= skb->len;
4193
4194 if (!conn->rx_len) {
4195 /* Complete frame received */
4196 l2cap_recv_frame(conn, conn->rx_skb);
4197 conn->rx_skb = NULL;
4198 }
4199 }
4200
4201drop:
4202 kfree_skb(skb);
4203 return 0;
4204}
4205
aef7d97c 4206static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4
LT		 4207{
4208 struct sock *sk;
4209 struct hlist_node *node;
1da177e4
LT		 4210
4211 read_lock_bh(&l2cap_sk_list.lock);
4212
be9d1227
MH		 4213 sk_for_each(sk, node, &l2cap_sk_list.head) {
4214 struct l2cap_pinfo *pi = l2cap_pi(sk);
101545f6 4215
aef7d97c
MH		 4216 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d\n",
4217 batostr(&bt_sk(sk)->src),
4218 batostr(&bt_sk(sk)->dst),
4219 sk->sk_state, __le16_to_cpu(pi->psm),
4220 pi->scid, pi->dcid,
4221 pi->imtu, pi->omtu, pi->sec_level);
be9d1227 4222 }
1da177e4 4223
1da177e4 4224 read_unlock_bh(&l2cap_sk_list.lock);
1da177e4 4225
aef7d97c 4226 return 0;
1da177e4
LT		 4227}
4228
aef7d97c
MH		 4229static int l2cap_debugfs_open(struct inode *inode, struct file *file)
4230{
4231 return single_open(file, l2cap_debugfs_show, inode->i_private);
4232}
4233
4234static const struct file_operations l2cap_debugfs_fops = {
4235 .open = l2cap_debugfs_open,
4236 .read = seq_read,
4237 .llseek = seq_lseek,
4238 .release = single_release,
4239};
4240
4241static struct dentry *l2cap_debugfs;
1da177e4 4242
90ddc4f0 4243static const struct proto_ops l2cap_sock_ops = {
1da177e4
LT		 4244 .family = PF_BLUETOOTH,
4245 .owner = THIS_MODULE,
4246 .release = l2cap_sock_release,
4247 .bind = l2cap_sock_bind,
4248 .connect = l2cap_sock_connect,
4249 .listen = l2cap_sock_listen,
4250 .accept = l2cap_sock_accept,
4251 .getname = l2cap_sock_getname,
4252 .sendmsg = l2cap_sock_sendmsg,
f66dc81f 4253 .recvmsg = l2cap_sock_recvmsg,
1da177e4 4254 .poll = bt_sock_poll,
3241ad82 4255 .ioctl = bt_sock_ioctl,
1da177e4
LT		 4256 .mmap = sock_no_mmap,
4257 .socketpair = sock_no_socketpair,
1da177e4
LT		 4258 .shutdown = l2cap_sock_shutdown,
4259 .setsockopt = l2cap_sock_setsockopt,
4260 .getsockopt = l2cap_sock_getsockopt
4261};
4262
ec1b4cf7 4263static const struct net_proto_family l2cap_sock_family_ops = {
1da177e4
LT		 4264 .family = PF_BLUETOOTH,
4265 .owner = THIS_MODULE,
4266 .create = l2cap_sock_create,
4267};
4268
4269static struct hci_proto l2cap_hci_proto = {
4270 .name = "L2CAP",
4271 .id = HCI_PROTO_L2CAP,
4272 .connect_ind = l2cap_connect_ind,
4273 .connect_cfm = l2cap_connect_cfm,
4274 .disconn_ind = l2cap_disconn_ind,
2950f21a 4275 .disconn_cfm = l2cap_disconn_cfm,
8c1b2355 4276 .security_cfm = l2cap_security_cfm,
1da177e4
LT		 4277 .recv_acldata = l2cap_recv_acldata
4278};
4279
4280static int __init l2cap_init(void)
4281{
4282 int err;
be9d1227 4283
1da177e4
LT		 4284 err = proto_register(&l2cap_proto, 0);
4285 if (err < 0)
4286 return err;
4287
4288 err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
4289 if (err < 0) {
4290 BT_ERR("L2CAP socket registration failed");
4291 goto error;
4292 }
4293
4294 err = hci_register_proto(&l2cap_hci_proto);
4295 if (err < 0) {
4296 BT_ERR("L2CAP protocol registration failed");
4297 bt_sock_unregister(BTPROTO_L2CAP);
4298 goto error;
4299 }
4300
aef7d97c
MH		 4301 if (bt_debugfs) {
4302 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
4303 bt_debugfs, NULL, &l2cap_debugfs_fops);
4304 if (!l2cap_debugfs)
4305 BT_ERR("Failed to create L2CAP debug file");
4306 }
1da177e4
LT		 4307
4308 BT_INFO("L2CAP ver %s", VERSION);
4309 BT_INFO("L2CAP socket layer initialized");
4310
4311 return 0;
4312
4313error:
4314 proto_unregister(&l2cap_proto);
4315 return err;
4316}
4317
4318static void __exit l2cap_exit(void)
4319{
aef7d97c 4320 debugfs_remove(l2cap_debugfs);
1da177e4
LT		 4321
4322 if (bt_sock_unregister(BTPROTO_L2CAP) < 0)
4323 BT_ERR("L2CAP socket unregistration failed");
4324
4325 if (hci_unregister_proto(&l2cap_hci_proto) < 0)
4326 BT_ERR("L2CAP protocol unregistration failed");
4327
4328 proto_unregister(&l2cap_proto);
4329}
4330
4331void l2cap_load(void)
4332{
4333 /* Dummy function to trigger automatic L2CAP module loading by
4334 * other modules that use L2CAP sockets but don't use any other
4335 * symbols from it. */
4336 return;
4337}
4338EXPORT_SYMBOL(l2cap_load);
4339
4340module_init(l2cap_init);
4341module_exit(l2cap_exit);
4342
44dd46de
MH		 4343module_param(enable_ertm, bool, 0644);
4344MODULE_PARM_DESC(enable_ertm, "Enable enhanced retransmission mode");
4345
5fbcd3d1
MH		 4346module_param(max_transmit, uint, 0644);
4347MODULE_PARM_DESC(max_transmit, "Max transmit value (default = 3)");
4348
369ba302
GP		 4349module_param(tx_window, uint, 0644);
4350MODULE_PARM_DESC(tx_window, "Transmission window size value (default = 63)");
4351
63fbd24e 4352MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
1da177e4
LT		 4353MODULE_DESCRIPTION("Bluetooth L2CAP ver " VERSION);
4354MODULE_VERSION(VERSION);
4355MODULE_LICENSE("GPL");
4356MODULE_ALIAS("bt-proto-0");
ubuntu-zesty-kernel mirror