]> git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/blame - net/bluetooth/l2cap.c
projects / mirror_ubuntu-bionic-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Fix deadlock in the ERTM logic
[mirror_ubuntu-bionic-kernel.git] / net / bluetooth / l2cap.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
1da177e4
LT		 6
7 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License version 2 as
11 published by the Free Software Foundation;
12
13 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
14 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
15 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
16 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 17 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
18 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
19 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 20 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
21
8e87d142
YH		 22 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
23 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 24 SOFTWARE IS DISCLAIMED.
25*/
26
27/* Bluetooth L2CAP core and sockets. */
28
1da177e4
LT		 29#include <linux/module.h>
30
31#include <linux/types.h>
4fc268d2 32#include <linux/capability.h>
1da177e4
LT		 33#include <linux/errno.h>
34#include <linux/kernel.h>
1da177e4
LT		 35#include <linux/sched.h>
36#include <linux/slab.h>
37#include <linux/poll.h>
38#include <linux/fcntl.h>
39#include <linux/init.h>
40#include <linux/interrupt.h>
41#include <linux/socket.h>
42#include <linux/skbuff.h>
1da177e4 43#include <linux/list.h>
be9d1227 44#include <linux/device.h>
aef7d97c
MH		 45#include <linux/debugfs.h>
46#include <linux/seq_file.h>
af05b30b 47#include <linux/uaccess.h>
fcc203c3 48#include <linux/crc16.h>
1da177e4
LT		 49#include <net/sock.h>
50
51#include <asm/system.h>
1da177e4
LT		 52#include <asm/unaligned.h>
53
54#include <net/bluetooth/bluetooth.h>
55#include <net/bluetooth/hci_core.h>
56#include <net/bluetooth/l2cap.h>
57
dd135240 58#define VERSION "2.15"
44dd46de 59
d1c4a17d 60static int disable_ertm = 0;
f0709e03 61
47ec1dcd 62static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
e1027a7c 63static u8 l2cap_fixed_chan[8] = { 0x02, };
1da177e4 64
90ddc4f0 65static const struct proto_ops l2cap_sock_ops;
1da177e4 66
1890d36b
GP		 67static struct workqueue_struct *_busy_wq;
68
1da177e4 69static struct bt_sock_list l2cap_sk_list = {
d5fb2962 70 .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
1da177e4
LT		 71};
72
1890d36b
GP		 73static void l2cap_busy_work(struct work_struct *work);
74
1da177e4
LT		 75static void __l2cap_sock_close(struct sock *sk, int reason);
76static void l2cap_sock_close(struct sock *sk);
77static void l2cap_sock_kill(struct sock *sk);
78
e9aeb2dd 79static int l2cap_build_conf_req(struct sock *sk, void *data);
1da177e4
LT		 80static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
81 u8 code, u8 ident, u16 dlen, void *data);
82
218bb9df
GP		 83static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb);
84
1da177e4
LT		 85/* ---- L2CAP timers ---- */
86static void l2cap_sock_timeout(unsigned long arg)
87{
88 struct sock *sk = (struct sock *) arg;
b1235d79 89 int reason;
1da177e4
LT		 90
91 BT_DBG("sock %p state %d", sk, sk->sk_state);
92
93 bh_lock_sock(sk);
b1235d79 94
f62e4323
MH		 95 if (sk->sk_state == BT_CONNECTED || sk->sk_state == BT_CONFIG)
96 reason = ECONNREFUSED;
97 else if (sk->sk_state == BT_CONNECT &&
2af6b9d5 98 l2cap_pi(sk)->sec_level != BT_SECURITY_SDP)
b1235d79
MH		 99 reason = ECONNREFUSED;
100 else
101 reason = ETIMEDOUT;
102
103 __l2cap_sock_close(sk, reason);
104
1da177e4
LT		 105 bh_unlock_sock(sk);
106
107 l2cap_sock_kill(sk);
108 sock_put(sk);
109}
110
111static void l2cap_sock_set_timer(struct sock *sk, long timeout)
112{
113 BT_DBG("sk %p state %d timeout %ld", sk, sk->sk_state, timeout);
114 sk_reset_timer(sk, &sk->sk_timer, jiffies + timeout);
115}
116
117static void l2cap_sock_clear_timer(struct sock *sk)
118{
119 BT_DBG("sock %p state %d", sk, sk->sk_state);
120 sk_stop_timer(sk, &sk->sk_timer);
121}
122
0139418c
MH		 123/* ---- L2CAP channels ---- */
124static struct sock *__l2cap_get_chan_by_dcid(struct l2cap_chan_list *l, u16 cid)
125{
126 struct sock *s;
127 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
128 if (l2cap_pi(s)->dcid == cid)
129 break;
130 }
131 return s;
132}
133
134static struct sock *__l2cap_get_chan_by_scid(struct l2cap_chan_list *l, u16 cid)
135{
136 struct sock *s;
137 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
138 if (l2cap_pi(s)->scid == cid)
139 break;
140 }
141 return s;
142}
143
144/* Find channel with given SCID.
145 * Returns locked socket */
146static inline struct sock *l2cap_get_chan_by_scid(struct l2cap_chan_list *l, u16 cid)
147{
148 struct sock *s;
149 read_lock(&l->lock);
150 s = __l2cap_get_chan_by_scid(l, cid);
af05b30b
GP		 151 if (s)
152 bh_lock_sock(s);
0139418c
MH		 153 read_unlock(&l->lock);
154 return s;
155}
156
157static struct sock *__l2cap_get_chan_by_ident(struct l2cap_chan_list *l, u8 ident)
158{
159 struct sock *s;
160 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
161 if (l2cap_pi(s)->ident == ident)
162 break;
163 }
164 return s;
165}
166
167static inline struct sock *l2cap_get_chan_by_ident(struct l2cap_chan_list *l, u8 ident)
168{
169 struct sock *s;
170 read_lock(&l->lock);
171 s = __l2cap_get_chan_by_ident(l, ident);
af05b30b
GP		 172 if (s)
173 bh_lock_sock(s);
0139418c
MH		 174 read_unlock(&l->lock);
175 return s;
176}
177
178static u16 l2cap_alloc_cid(struct l2cap_chan_list *l)
179{
8db4dc46 180 u16 cid = L2CAP_CID_DYN_START;
0139418c 181
8db4dc46 182 for (; cid < L2CAP_CID_DYN_END; cid++) {
af05b30b 183 if (!__l2cap_get_chan_by_scid(l, cid))
0139418c
MH		 184 return cid;
185 }
186
187 return 0;
188}
189
190static inline void __l2cap_chan_link(struct l2cap_chan_list *l, struct sock *sk)
191{
192 sock_hold(sk);
193
194 if (l->head)
195 l2cap_pi(l->head)->prev_c = sk;
196
197 l2cap_pi(sk)->next_c = l->head;
198 l2cap_pi(sk)->prev_c = NULL;
199 l->head = sk;
200}
201
202static inline void l2cap_chan_unlink(struct l2cap_chan_list *l, struct sock *sk)
203{
204 struct sock *next = l2cap_pi(sk)->next_c, *prev = l2cap_pi(sk)->prev_c;
205
fd1278d7 206 write_lock_bh(&l->lock);
0139418c
MH		 207 if (sk == l->head)
208 l->head = next;
209
210 if (next)
211 l2cap_pi(next)->prev_c = prev;
212 if (prev)
213 l2cap_pi(prev)->next_c = next;
fd1278d7 214 write_unlock_bh(&l->lock);
0139418c
MH		 215
216 __sock_put(sk);
217}
218
219static void __l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent)
220{
221 struct l2cap_chan_list *l = &conn->chan_list;
222
af05b30b
GP		 223 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
224 l2cap_pi(sk)->psm, l2cap_pi(sk)->dcid);
0139418c 225
2950f21a
MH		 226 conn->disc_reason = 0x13;
227
0139418c
MH		 228 l2cap_pi(sk)->conn = conn;
229
bd3c9e25 230 if (sk->sk_type == SOCK_SEQPACKET || sk->sk_type == SOCK_STREAM) {
0139418c
MH		 231 /* Alloc CID for connection-oriented socket */
232 l2cap_pi(sk)->scid = l2cap_alloc_cid(l);
233 } else if (sk->sk_type == SOCK_DGRAM) {
234 /* Connectionless socket */
8db4dc46
GP		 235 l2cap_pi(sk)->scid = L2CAP_CID_CONN_LESS;
236 l2cap_pi(sk)->dcid = L2CAP_CID_CONN_LESS;
0139418c
MH		 237 l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU;
238 } else {
239 /* Raw socket can send/recv signalling messages only */
8db4dc46
GP		 240 l2cap_pi(sk)->scid = L2CAP_CID_SIGNALING;
241 l2cap_pi(sk)->dcid = L2CAP_CID_SIGNALING;
0139418c
MH		 242 l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU;
243 }
244
245 __l2cap_chan_link(l, sk);
246
247 if (parent)
248 bt_accept_enqueue(parent, sk);
249}
250
8e87d142 251/* Delete channel.
0139418c
MH		 252 * Must be called on the locked socket. */
253static void l2cap_chan_del(struct sock *sk, int err)
254{
255 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
256 struct sock *parent = bt_sk(sk)->parent;
257
258 l2cap_sock_clear_timer(sk);
259
260 BT_DBG("sk %p, conn %p, err %d", sk, conn, err);
261
8e87d142 262 if (conn) {
0139418c
MH		 263 /* Unlink from channel list */
264 l2cap_chan_unlink(&conn->chan_list, sk);
265 l2cap_pi(sk)->conn = NULL;
266 hci_conn_put(conn->hcon);
267 }
268
b1235d79 269 sk->sk_state = BT_CLOSED;
0139418c
MH		 270 sock_set_flag(sk, SOCK_ZAPPED);
271
272 if (err)
273 sk->sk_err = err;
274
275 if (parent) {
276 bt_accept_unlink(sk);
277 parent->sk_data_ready(parent, 0);
278 } else
279 sk->sk_state_change(sk);
c13ffa62
GP		 280
281 skb_queue_purge(TX_QUEUE(sk));
282
283 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM) {
284 struct srej_list *l, *tmp;
285
286 del_timer(&l2cap_pi(sk)->retrans_timer);
287 del_timer(&l2cap_pi(sk)->monitor_timer);
288 del_timer(&l2cap_pi(sk)->ack_timer);
289
290 skb_queue_purge(SREJ_QUEUE(sk));
291 skb_queue_purge(BUSY_QUEUE(sk));
292
293 list_for_each_entry_safe(l, tmp, SREJ_LIST(sk), list) {
294 list_del(&l->list);
295 kfree(l);
296 }
297 }
0139418c
MH		 298}
299
79d554a6 300/* Service level security */
2af6b9d5 301static inline int l2cap_check_security(struct sock *sk)
79d554a6
MH		 302{
303 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
0684e5f9
MH		 304 __u8 auth_type;
305
00ae4af9
MH		 306 if (l2cap_pi(sk)->psm == cpu_to_le16(0x0001)) {
307 if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
308 auth_type = HCI_AT_NO_BONDING_MITM;
309 else
af05b30b 310 auth_type = HCI_AT_NO_BONDING;
00ae4af9
MH		 311
312 if (l2cap_pi(sk)->sec_level == BT_SECURITY_LOW)
313 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
314 } else {
315 switch (l2cap_pi(sk)->sec_level) {
316 case BT_SECURITY_HIGH:
317 auth_type = HCI_AT_GENERAL_BONDING_MITM;
318 break;
319 case BT_SECURITY_MEDIUM:
320 auth_type = HCI_AT_GENERAL_BONDING;
321 break;
322 default:
323 auth_type = HCI_AT_NO_BONDING;
324 break;
325 }
0684e5f9 326 }
79d554a6 327
0684e5f9
MH		 328 return hci_conn_security(conn->hcon, l2cap_pi(sk)->sec_level,
329 auth_type);
79d554a6
MH		 330}
331
4e8402a3
MH		 332static inline u8 l2cap_get_ident(struct l2cap_conn *conn)
333{
334 u8 id;
335
336 /* Get next available identificator.
337 * 1 - 128 are used by kernel.
338 * 129 - 199 are reserved.
339 * 200 - 254 are used by utilities like l2ping, etc.
340 */
341
342 spin_lock_bh(&conn->lock);
343
344 if (++conn->tx_ident > 128)
345 conn->tx_ident = 1;
346
347 id = conn->tx_ident;
348
349 spin_unlock_bh(&conn->lock);
350
351 return id;
352}
353
9a9c6a34 354static inline void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
4e8402a3
MH		 355{
356 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
357
358 BT_DBG("code 0x%2.2x", code);
359
360 if (!skb)
9a9c6a34 361 return;
4e8402a3 362
9a9c6a34 363 hci_send_acl(conn->hcon, skb, 0);
4e8402a3
MH		 364}
365
9a9c6a34 366static inline void l2cap_send_sframe(struct l2cap_pinfo *pi, u16 control)
1c2acffb
GP		 367{
368 struct sk_buff *skb;
369 struct l2cap_hdr *lh;
370 struct l2cap_conn *conn = pi->conn;
c13ffa62 371 struct sock *sk = (struct sock *)pi;
fcc203c3
GP		 372 int count, hlen = L2CAP_HDR_SIZE + 2;
373
c13ffa62
GP		 374 if (sk->sk_state != BT_CONNECTED)
375 return;
376
fcc203c3
GP		 377 if (pi->fcs == L2CAP_FCS_CRC16)
378 hlen += 2;
1c2acffb
GP		 379
380 BT_DBG("pi %p, control 0x%2.2x", pi, control);
381
fcc203c3 382 count = min_t(unsigned int, conn->mtu, hlen);
1c2acffb
GP		 383 control |= L2CAP_CTRL_FRAME_TYPE;
384
9e917af1
GP		 385 if (pi->conn_state & L2CAP_CONN_SEND_FBIT) {
386 control |= L2CAP_CTRL_FINAL;
387 pi->conn_state &= ~L2CAP_CONN_SEND_FBIT;
388 }
389
f0946ccf
GP		 390 if (pi->conn_state & L2CAP_CONN_SEND_PBIT) {
391 control |= L2CAP_CTRL_POLL;
392 pi->conn_state &= ~L2CAP_CONN_SEND_PBIT;
393 }
394
1c2acffb
GP		 395 skb = bt_skb_alloc(count, GFP_ATOMIC);
396 if (!skb)
9a9c6a34 397 return;
1c2acffb
GP		 398
399 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fcc203c3 400 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
1c2acffb
GP		 401 lh->cid = cpu_to_le16(pi->dcid);
402 put_unaligned_le16(control, skb_put(skb, 2));
403
fcc203c3
GP		 404 if (pi->fcs == L2CAP_FCS_CRC16) {
405 u16 fcs = crc16(0, (u8 *)lh, count - 2);
406 put_unaligned_le16(fcs, skb_put(skb, 2));
407 }
408
9a9c6a34 409 hci_send_acl(pi->conn->hcon, skb, 0);
1c2acffb
GP		 410}
411
9a9c6a34 412static inline void l2cap_send_rr_or_rnr(struct l2cap_pinfo *pi, u16 control)
7e743090 413{
1890d36b 414 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) {
7e743090 415 control |= L2CAP_SUPER_RCV_NOT_READY;
1890d36b
GP		 416 pi->conn_state |= L2CAP_CONN_RNR_SENT;
417 } else
7e743090
GP		 418 control |= L2CAP_SUPER_RCV_READY;
419
2ab25cdd
GP		 420 control |= pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
421
9a9c6a34 422 l2cap_send_sframe(pi, control);
7e743090
GP		 423}
424
e501d055
AE		 425static inline int __l2cap_no_conn_pending(struct sock *sk)
426{
427 return !(l2cap_pi(sk)->conf_state & L2CAP_CONF_CONNECT_PEND);
428}
429
79d554a6
MH		 430static void l2cap_do_start(struct sock *sk)
431{
432 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
433
434 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 435 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
436 return;
437
e501d055 438 if (l2cap_check_security(sk) && __l2cap_no_conn_pending(sk)) {
b1235d79
MH		 439 struct l2cap_conn_req req;
440 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
441 req.psm = l2cap_pi(sk)->psm;
79d554a6 442
b1235d79 443 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
e501d055 444 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
79d554a6 445
b1235d79 446 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
79d554a6 447 L2CAP_CONN_REQ, sizeof(req), &req);
b1235d79 448 }
79d554a6
MH		 449 } else {
450 struct l2cap_info_req req;
451 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
452
453 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
454 conn->info_ident = l2cap_get_ident(conn);
455
456 mod_timer(&conn->info_timer, jiffies +
457 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
458
459 l2cap_send_cmd(conn, conn->info_ident,
460 L2CAP_INFO_REQ, sizeof(req), &req);
461 }
462}
463
cf6c2c0b
GP		 464static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
465{
466 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 467 if (!disable_ertm)
cf6c2c0b
GP		 468 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
469
470 switch (mode) {
471 case L2CAP_MODE_ERTM:
472 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
473 case L2CAP_MODE_STREAMING:
474 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
475 default:
476 return 0x00;
477 }
478}
479
9b108fc0 480static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct sock *sk, int err)
22121fc9
GP		 481{
482 struct l2cap_disconn_req req;
483
c13ffa62
GP		 484 if (!conn)
485 return;
486
487 skb_queue_purge(TX_QUEUE(sk));
488
489 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM) {
490 del_timer(&l2cap_pi(sk)->retrans_timer);
491 del_timer(&l2cap_pi(sk)->monitor_timer);
492 del_timer(&l2cap_pi(sk)->ack_timer);
493 }
494
22121fc9
GP		 495 req.dcid = cpu_to_le16(l2cap_pi(sk)->dcid);
496 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
497 l2cap_send_cmd(conn, l2cap_get_ident(conn),
498 L2CAP_DISCONN_REQ, sizeof(req), &req);
c13ffa62
GP		 499
500 sk->sk_state = BT_DISCONN;
9b108fc0 501 sk->sk_err = err;
22121fc9
GP		 502}
503
1da177e4 504/* ---- L2CAP connections ---- */
4e8402a3
MH		 505static void l2cap_conn_start(struct l2cap_conn *conn)
506{
507 struct l2cap_chan_list *l = &conn->chan_list;
cf6c2c0b 508 struct sock_del_list del, *tmp1, *tmp2;
4e8402a3
MH		 509 struct sock *sk;
510
511 BT_DBG("conn %p", conn);
512
cf6c2c0b
GP		 513 INIT_LIST_HEAD(&del.list);
514
4e8402a3
MH		 515 read_lock(&l->lock);
516
517 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
518 bh_lock_sock(sk);
519
bd3c9e25
GP		 520 if (sk->sk_type != SOCK_SEQPACKET &&
521 sk->sk_type != SOCK_STREAM) {
79d554a6
MH		 522 bh_unlock_sock(sk);
523 continue;
524 }
525
526 if (sk->sk_state == BT_CONNECT) {
47731de7 527 struct l2cap_conn_req req;
79d554a6 528
47731de7
GP		 529 if (!l2cap_check_security(sk) ||
530 !__l2cap_no_conn_pending(sk)) {
531 bh_unlock_sock(sk);
532 continue;
533 }
79d554a6 534
47731de7
GP		 535 if (!l2cap_mode_supported(l2cap_pi(sk)->mode,
536 conn->feat_mask)
537 && l2cap_pi(sk)->conf_state &
538 L2CAP_CONF_STATE2_DEVICE) {
539 tmp1 = kzalloc(sizeof(struct sock_del_list),
540 GFP_ATOMIC);
541 tmp1->sk = sk;
542 list_add_tail(&tmp1->list, &del.list);
543 bh_unlock_sock(sk);
544 continue;
b1235d79 545 }
47731de7
GP		 546
547 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
548 req.psm = l2cap_pi(sk)->psm;
549
550 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
551 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
552
553 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
554 L2CAP_CONN_REQ, sizeof(req), &req);
555
79d554a6
MH		 556 } else if (sk->sk_state == BT_CONNECT2) {
557 struct l2cap_conn_rsp rsp;
e9aeb2dd 558 char buf[128];
79d554a6
MH		 559 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
560 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
561
2af6b9d5 562 if (l2cap_check_security(sk)) {
f66dc81f
MH		 563 if (bt_sk(sk)->defer_setup) {
564 struct sock *parent = bt_sk(sk)->parent;
565 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
566 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
567 parent->sk_data_ready(parent, 0);
568
569 } else {
570 sk->sk_state = BT_CONFIG;
571 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
572 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
573 }
79d554a6
MH		 574 } else {
575 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
576 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
577 }
578
579 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
580 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
e9aeb2dd
GP		 581
582 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT ||
583 rsp.result != L2CAP_CR_SUCCESS) {
584 bh_unlock_sock(sk);
585 continue;
586 }
587
588 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
589 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
590 l2cap_build_conf_req(sk, buf), buf);
591 l2cap_pi(sk)->num_conf_req++;
4e8402a3
MH		 592 }
593
594 bh_unlock_sock(sk);
595 }
596
597 read_unlock(&l->lock);
cf6c2c0b
GP		 598
599 list_for_each_entry_safe(tmp1, tmp2, &del.list, list) {
600 bh_lock_sock(tmp1->sk);
601 __l2cap_sock_close(tmp1->sk, ECONNRESET);
602 bh_unlock_sock(tmp1->sk);
603 list_del(&tmp1->list);
604 kfree(tmp1);
605 }
4e8402a3
MH		 606}
607
608static void l2cap_conn_ready(struct l2cap_conn *conn)
609{
79d554a6
MH		 610 struct l2cap_chan_list *l = &conn->chan_list;
611 struct sock *sk;
4e8402a3 612
79d554a6 613 BT_DBG("conn %p", conn);
4e8402a3 614
79d554a6 615 read_lock(&l->lock);
4e8402a3 616
79d554a6
MH		 617 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
618 bh_lock_sock(sk);
4e8402a3 619
bd3c9e25
GP		 620 if (sk->sk_type != SOCK_SEQPACKET &&
621 sk->sk_type != SOCK_STREAM) {
79d554a6
MH		 622 l2cap_sock_clear_timer(sk);
623 sk->sk_state = BT_CONNECTED;
624 sk->sk_state_change(sk);
625 } else if (sk->sk_state == BT_CONNECT)
626 l2cap_do_start(sk);
4e8402a3 627
79d554a6 628 bh_unlock_sock(sk);
4e8402a3 629 }
79d554a6
MH		 630
631 read_unlock(&l->lock);
4e8402a3
MH		 632}
633
634/* Notify sockets that we cannot guaranty reliability anymore */
635static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
636{
637 struct l2cap_chan_list *l = &conn->chan_list;
638 struct sock *sk;
639
640 BT_DBG("conn %p", conn);
641
642 read_lock(&l->lock);
643
644 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
2af6b9d5 645 if (l2cap_pi(sk)->force_reliable)
4e8402a3
MH		 646 sk->sk_err = err;
647 }
648
649 read_unlock(&l->lock);
650}
651
652static void l2cap_info_timeout(unsigned long arg)
653{
654 struct l2cap_conn *conn = (void *) arg;
655
984947dc 656 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 657 conn->info_ident = 0;
984947dc 658
4e8402a3
MH		 659 l2cap_conn_start(conn);
660}
661
1da177e4
LT		 662static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
663{
0139418c 664 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4 665
0139418c 666 if (conn || status)
1da177e4
LT		 667 return conn;
668
0139418c
MH		 669 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
670 if (!conn)
1da177e4 671 return NULL;
1da177e4
LT		 672
673 hcon->l2cap_data = conn;
674 conn->hcon = hcon;
675
0139418c
MH		 676 BT_DBG("hcon %p conn %p", hcon, conn);
677
1da177e4
LT		 678 conn->mtu = hcon->hdev->acl_mtu;
679 conn->src = &hcon->hdev->bdaddr;
680 conn->dst = &hcon->dst;
681
4e8402a3
MH		 682 conn->feat_mask = 0;
683
1da177e4
LT		 684 spin_lock_init(&conn->lock);
685 rwlock_init(&conn->chan_list.lock);
686
45054dc1
DY		 687 setup_timer(&conn->info_timer, l2cap_info_timeout,
688 (unsigned long) conn);
689
2950f21a
MH		 690 conn->disc_reason = 0x13;
691
1da177e4
LT		 692 return conn;
693}
694
0139418c 695static void l2cap_conn_del(struct hci_conn *hcon, int err)
1da177e4 696{
0139418c 697 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4
LT		 698 struct sock *sk;
699
0139418c
MH		 700 if (!conn)
701 return;
1da177e4
LT		 702
703 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
704
7585b97a 705 kfree_skb(conn->rx_skb);
1da177e4
LT		 706
707 /* Kill channels */
708 while ((sk = conn->chan_list.head)) {
709 bh_lock_sock(sk);
710 l2cap_chan_del(sk, err);
711 bh_unlock_sock(sk);
712 l2cap_sock_kill(sk);
713 }
714
8e8440f5
DY		 715 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
716 del_timer_sync(&conn->info_timer);
3ab22731 717
1da177e4
LT		 718 hcon->l2cap_data = NULL;
719 kfree(conn);
1da177e4
LT		 720}
721
722static inline void l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent)
723{
724 struct l2cap_chan_list *l = &conn->chan_list;
fd1278d7 725 write_lock_bh(&l->lock);
1da177e4 726 __l2cap_chan_add(conn, sk, parent);
fd1278d7 727 write_unlock_bh(&l->lock);
1da177e4
LT		 728}
729
1da177e4 730/* ---- Socket interface ---- */
8e036fc3 731static struct sock *__l2cap_get_sock_by_addr(__le16 psm, bdaddr_t *src)
1da177e4
LT		 732{
733 struct sock *sk;
734 struct hlist_node *node;
735 sk_for_each(sk, node, &l2cap_sk_list.head)
736 if (l2cap_pi(sk)->sport == psm && !bacmp(&bt_sk(sk)->src, src))
737 goto found;
738 sk = NULL;
739found:
740 return sk;
741}
742
743/* Find socket with psm and source bdaddr.
744 * Returns closest match.
745 */
8e036fc3 746static struct sock *__l2cap_get_sock_by_psm(int state, __le16 psm, bdaddr_t *src)
1da177e4
LT		 747{
748 struct sock *sk = NULL, *sk1 = NULL;
749 struct hlist_node *node;
750
751 sk_for_each(sk, node, &l2cap_sk_list.head) {
752 if (state && sk->sk_state != state)
753 continue;
754
755 if (l2cap_pi(sk)->psm == psm) {
756 /* Exact match. */
757 if (!bacmp(&bt_sk(sk)->src, src))
758 break;
759
760 /* Closest match */
761 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
762 sk1 = sk;
763 }
764 }
765 return node ? sk : sk1;
766}
767
768/* Find socket with given address (psm, src).
769 * Returns locked socket */
8e036fc3 770static inline struct sock *l2cap_get_sock_by_psm(int state, __le16 psm, bdaddr_t *src)
1da177e4
LT		 771{
772 struct sock *s;
773 read_lock(&l2cap_sk_list.lock);
774 s = __l2cap_get_sock_by_psm(state, psm, src);
af05b30b
GP		 775 if (s)
776 bh_lock_sock(s);
1da177e4
LT		 777 read_unlock(&l2cap_sk_list.lock);
778 return s;
779}
780
781static void l2cap_sock_destruct(struct sock *sk)
782{
783 BT_DBG("sk %p", sk);
784
785 skb_queue_purge(&sk->sk_receive_queue);
786 skb_queue_purge(&sk->sk_write_queue);
787}
788
789static void l2cap_sock_cleanup_listen(struct sock *parent)
790{
791 struct sock *sk;
792
793 BT_DBG("parent %p", parent);
794
795 /* Close not yet accepted channels */
796 while ((sk = bt_accept_dequeue(parent, NULL)))
797 l2cap_sock_close(sk);
798
b1235d79 799 parent->sk_state = BT_CLOSED;
1da177e4
LT		 800 sock_set_flag(parent, SOCK_ZAPPED);
801}
802
803/* Kill socket (only if zapped and orphan)
804 * Must be called on unlocked socket.
805 */
806static void l2cap_sock_kill(struct sock *sk)
807{
808 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
809 return;
810
811 BT_DBG("sk %p state %d", sk, sk->sk_state);
812
813 /* Kill poor orphan */
814 bt_sock_unlink(&l2cap_sk_list, sk);
815 sock_set_flag(sk, SOCK_DEAD);
816 sock_put(sk);
817}
818
819static void __l2cap_sock_close(struct sock *sk, int reason)
820{
821 BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
822
823 switch (sk->sk_state) {
824 case BT_LISTEN:
825 l2cap_sock_cleanup_listen(sk);
826 break;
827
828 case BT_CONNECTED:
829 case BT_CONFIG:
bd3c9e25
GP		 830 if (sk->sk_type == SOCK_SEQPACKET ||
831 sk->sk_type == SOCK_STREAM) {
1da177e4 832 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1da177e4 833
1da177e4 834 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
9b108fc0 835 l2cap_send_disconn_req(conn, sk, reason);
b1235d79 836 } else
1da177e4 837 l2cap_chan_del(sk, reason);
1da177e4
LT		 838 break;
839
f66dc81f 840 case BT_CONNECT2:
bd3c9e25
GP		 841 if (sk->sk_type == SOCK_SEQPACKET ||
842 sk->sk_type == SOCK_STREAM) {
f66dc81f
MH		 843 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
844 struct l2cap_conn_rsp rsp;
845 __u16 result;
846
847 if (bt_sk(sk)->defer_setup)
848 result = L2CAP_CR_SEC_BLOCK;
849 else
850 result = L2CAP_CR_BAD_PSM;
851
852 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
853 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
854 rsp.result = cpu_to_le16(result);
855 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
856 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
857 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
858 } else
859 l2cap_chan_del(sk, reason);
860 break;
861
1da177e4
LT		 862 case BT_CONNECT:
863 case BT_DISCONN:
864 l2cap_chan_del(sk, reason);
865 break;
866
867 default:
868 sock_set_flag(sk, SOCK_ZAPPED);
869 break;
870 }
871}
872
873/* Must be called on unlocked socket. */
874static void l2cap_sock_close(struct sock *sk)
875{
876 l2cap_sock_clear_timer(sk);
877 lock_sock(sk);
878 __l2cap_sock_close(sk, ECONNRESET);
879 release_sock(sk);
880 l2cap_sock_kill(sk);
881}
882
883static void l2cap_sock_init(struct sock *sk, struct sock *parent)
884{
885 struct l2cap_pinfo *pi = l2cap_pi(sk);
886
887 BT_DBG("sk %p", sk);
888
889 if (parent) {
890 sk->sk_type = parent->sk_type;
f66dc81f
MH		 891 bt_sk(sk)->defer_setup = bt_sk(parent)->defer_setup;
892
1da177e4
LT		 893 pi->imtu = l2cap_pi(parent)->imtu;
894 pi->omtu = l2cap_pi(parent)->omtu;
85eb53c6 895 pi->conf_state = l2cap_pi(parent)->conf_state;
c6b03cf9
MH		 896 pi->mode = l2cap_pi(parent)->mode;
897 pi->fcs = l2cap_pi(parent)->fcs;
68d7f0ce 898 pi->max_tx = l2cap_pi(parent)->max_tx;
14b5aa71 899 pi->tx_win = l2cap_pi(parent)->tx_win;
2af6b9d5
MH		 900 pi->sec_level = l2cap_pi(parent)->sec_level;
901 pi->role_switch = l2cap_pi(parent)->role_switch;
902 pi->force_reliable = l2cap_pi(parent)->force_reliable;
1da177e4
LT		 903 } else {
904 pi->imtu = L2CAP_DEFAULT_MTU;
905 pi->omtu = 0;
d1c4a17d 906 if (!disable_ertm && sk->sk_type == SOCK_STREAM) {
bd3c9e25 907 pi->mode = L2CAP_MODE_ERTM;
85eb53c6
GP		 908 pi->conf_state |= L2CAP_CONF_STATE2_DEVICE;
909 } else {
bd3c9e25 910 pi->mode = L2CAP_MODE_BASIC;
85eb53c6 911 }
fd059b9b 912 pi->max_tx = L2CAP_DEFAULT_MAX_TX;
c6b03cf9 913 pi->fcs = L2CAP_FCS_CRC16;
fd059b9b 914 pi->tx_win = L2CAP_DEFAULT_TX_WINDOW;
2af6b9d5
MH		 915 pi->sec_level = BT_SECURITY_LOW;
916 pi->role_switch = 0;
917 pi->force_reliable = 0;
1da177e4
LT		 918 }
919
920 /* Default config options */
5dee9e7c 921 pi->conf_len = 0;
1da177e4 922 pi->flush_to = L2CAP_DEFAULT_FLUSH_TO;
45054dc1
DY		 923 skb_queue_head_init(TX_QUEUE(sk));
924 skb_queue_head_init(SREJ_QUEUE(sk));
1890d36b 925 skb_queue_head_init(BUSY_QUEUE(sk));
45054dc1 926 INIT_LIST_HEAD(SREJ_LIST(sk));
1da177e4
LT		 927}
928
929static struct proto l2cap_proto = {
930 .name = "L2CAP",
931 .owner = THIS_MODULE,
932 .obj_size = sizeof(struct l2cap_pinfo)
933};
934
1b8d7ae4 935static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio)
1da177e4
LT		 936{
937 struct sock *sk;
938
6257ff21 939 sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto);
1da177e4
LT		 940 if (!sk)
941 return NULL;
942
943 sock_init_data(sock, sk);
944 INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
945
946 sk->sk_destruct = l2cap_sock_destruct;
4e8402a3 947 sk->sk_sndtimeo = msecs_to_jiffies(L2CAP_CONN_TIMEOUT);
1da177e4
LT		 948
949 sock_reset_flag(sk, SOCK_ZAPPED);
950
951 sk->sk_protocol = proto;
b1235d79 952 sk->sk_state = BT_OPEN;
1da177e4 953
b1235d79 954 setup_timer(&sk->sk_timer, l2cap_sock_timeout, (unsigned long) sk);
1da177e4
LT		 955
956 bt_sock_link(&l2cap_sk_list, sk);
957 return sk;
958}
959
3f378b68
EP		 960static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
961 int kern)
1da177e4
LT		 962{
963 struct sock *sk;
964
965 BT_DBG("sock %p", sock);
966
967 sock->state = SS_UNCONNECTED;
968
bd3c9e25 969 if (sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM &&
1da177e4
LT		 970 sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
971 return -ESOCKTNOSUPPORT;
972
c84b3268 973 if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
1da177e4
LT		 974 return -EPERM;
975
976 sock->ops = &l2cap_sock_ops;
977
1b8d7ae4 978 sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC);
1da177e4
LT		 979 if (!sk)
980 return -ENOMEM;
981
982 l2cap_sock_init(sk, NULL);
983 return 0;
984}
985
f29972de 986static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
1da177e4 987{
1da177e4 988 struct sock *sk = sock->sk;
f29972de
MH		 989 struct sockaddr_l2 la;
990 int len, err = 0;
1da177e4 991
f29972de 992 BT_DBG("sk %p", sk);
1da177e4
LT		 993
994 if (!addr || addr->sa_family != AF_BLUETOOTH)
995 return -EINVAL;
996
f29972de
MH		 997 memset(&la, 0, sizeof(la));
998 len = min_t(unsigned int, sizeof(la), alen);
999 memcpy(&la, addr, len);
1000
2a517ca6
MH		 1001 if (la.l2_cid)
1002 return -EINVAL;
1003
1da177e4
LT		 1004 lock_sock(sk);
1005
1006 if (sk->sk_state != BT_OPEN) {
1007 err = -EBADFD;
1008 goto done;
1009 }
1010
b4324b5d 1011 if (la.l2_psm && __le16_to_cpu(la.l2_psm) < 0x1001 &&
847641d7
MH		 1012 !capable(CAP_NET_BIND_SERVICE)) {
1013 err = -EACCES;
1014 goto done;
1015 }
8e87d142 1016
1da177e4
LT		 1017 write_lock_bh(&l2cap_sk_list.lock);
1018
f29972de 1019 if (la.l2_psm && __l2cap_get_sock_by_addr(la.l2_psm, &la.l2_bdaddr)) {
1da177e4
LT		 1020 err = -EADDRINUSE;
1021 } else {
1022 /* Save source address */
f29972de
MH		 1023 bacpy(&bt_sk(sk)->src, &la.l2_bdaddr);
1024 l2cap_pi(sk)->psm = la.l2_psm;
1025 l2cap_pi(sk)->sport = la.l2_psm;
1da177e4 1026 sk->sk_state = BT_BOUND;
2af6b9d5 1027
b4324b5d
MH		 1028 if (__le16_to_cpu(la.l2_psm) == 0x0001 ||
1029 __le16_to_cpu(la.l2_psm) == 0x0003)
2af6b9d5 1030 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
1da177e4
LT		 1031 }
1032
1033 write_unlock_bh(&l2cap_sk_list.lock);
1034
1035done:
1036 release_sock(sk);
1037 return err;
1038}
1039
1040static int l2cap_do_connect(struct sock *sk)
1041{
1042 bdaddr_t *src = &bt_sk(sk)->src;
1043 bdaddr_t *dst = &bt_sk(sk)->dst;
1044 struct l2cap_conn *conn;
1045 struct hci_conn *hcon;
1046 struct hci_dev *hdev;
09ab6f4c 1047 __u8 auth_type;
44d0e48e 1048 int err;
1da177e4 1049
f29972de
MH		 1050 BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
1051 l2cap_pi(sk)->psm);
1da177e4 1052
af05b30b
GP		 1053 hdev = hci_get_route(dst, src);
1054 if (!hdev)
1da177e4
LT		 1055 return -EHOSTUNREACH;
1056
1057 hci_dev_lock_bh(hdev);
1058
1059 err = -ENOMEM;
1060
8c1b2355 1061 if (sk->sk_type == SOCK_RAW) {
2af6b9d5
MH		 1062 switch (l2cap_pi(sk)->sec_level) {
1063 case BT_SECURITY_HIGH:
8c1b2355 1064 auth_type = HCI_AT_DEDICATED_BONDING_MITM;
2af6b9d5
MH		 1065 break;
1066 case BT_SECURITY_MEDIUM:
8c1b2355 1067 auth_type = HCI_AT_DEDICATED_BONDING;
2af6b9d5
MH		 1068 break;
1069 default:
09ab6f4c 1070 auth_type = HCI_AT_NO_BONDING;
2af6b9d5
MH		 1071 break;
1072 }
8c1b2355 1073 } else if (l2cap_pi(sk)->psm == cpu_to_le16(0x0001)) {
2af6b9d5 1074 if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
8c1b2355 1075 auth_type = HCI_AT_NO_BONDING_MITM;
09ab6f4c 1076 else
8c1b2355 1077 auth_type = HCI_AT_NO_BONDING;
435fef20
MH		 1078
1079 if (l2cap_pi(sk)->sec_level == BT_SECURITY_LOW)
1080 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
8c1b2355 1081 } else {
2af6b9d5
MH		 1082 switch (l2cap_pi(sk)->sec_level) {
1083 case BT_SECURITY_HIGH:
8c1b2355 1084 auth_type = HCI_AT_GENERAL_BONDING_MITM;
2af6b9d5
MH		 1085 break;
1086 case BT_SECURITY_MEDIUM:
09ab6f4c 1087 auth_type = HCI_AT_GENERAL_BONDING;
2af6b9d5
MH		 1088 break;
1089 default:
8c1b2355 1090 auth_type = HCI_AT_NO_BONDING;
2af6b9d5
MH		 1091 break;
1092 }
09ab6f4c
MH		 1093 }
1094
2af6b9d5
MH		 1095 hcon = hci_connect(hdev, ACL_LINK, dst,
1096 l2cap_pi(sk)->sec_level, auth_type);
1da177e4
LT		 1097 if (!hcon)
1098 goto done;
1099
1100 conn = l2cap_conn_add(hcon, 0);
1101 if (!conn) {
1102 hci_conn_put(hcon);
1103 goto done;
1104 }
1105
1106 err = 0;
1107
1108 /* Update source addr of the socket */
1109 bacpy(src, conn->src);
1110
1111 l2cap_chan_add(conn, sk, NULL);
1112
1113 sk->sk_state = BT_CONNECT;
1114 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
1115
1116 if (hcon->state == BT_CONNECTED) {
bd3c9e25
GP		 1117 if (sk->sk_type != SOCK_SEQPACKET &&
1118 sk->sk_type != SOCK_STREAM) {
1da177e4
LT		 1119 l2cap_sock_clear_timer(sk);
1120 sk->sk_state = BT_CONNECTED;
79d554a6
MH		 1121 } else
1122 l2cap_do_start(sk);
1da177e4
LT		 1123 }
1124
1125done:
1126 hci_dev_unlock_bh(hdev);
1127 hci_dev_put(hdev);
1128 return err;
1129}
1130
1131static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags)
1132{
1da177e4 1133 struct sock *sk = sock->sk;
f29972de
MH		 1134 struct sockaddr_l2 la;
1135 int len, err = 0;
1da177e4 1136
1da177e4
LT		 1137 BT_DBG("sk %p", sk);
1138
6503d961
CG		 1139 if (!addr || alen < sizeof(addr->sa_family) ||
1140 addr->sa_family != AF_BLUETOOTH)
2a517ca6 1141 return -EINVAL;
1da177e4 1142
f29972de
MH		 1143 memset(&la, 0, sizeof(la));
1144 len = min_t(unsigned int, sizeof(la), alen);
1145 memcpy(&la, addr, len);
1146
2a517ca6
MH		 1147 if (la.l2_cid)
1148 return -EINVAL;
1149
1150 lock_sock(sk);
1151
bd3c9e25
GP		 1152 if ((sk->sk_type == SOCK_SEQPACKET || sk->sk_type == SOCK_STREAM)
1153 && !la.l2_psm) {
1da177e4
LT		 1154 err = -EINVAL;
1155 goto done;
1156 }
1157
c6b03cf9
MH		 1158 switch (l2cap_pi(sk)->mode) {
1159 case L2CAP_MODE_BASIC:
1160 break;
1161 case L2CAP_MODE_ERTM:
f2fcfcd6 1162 case L2CAP_MODE_STREAMING:
d1c4a17d 1163 if (!disable_ertm)
c6b03cf9
MH		 1164 break;
1165 /* fall through */
1166 default:
1167 err = -ENOTSUPP;
1168 goto done;
1169 }
1170
af05b30b 1171 switch (sk->sk_state) {
1da177e4
LT		 1172 case BT_CONNECT:
1173 case BT_CONNECT2:
1174 case BT_CONFIG:
1175 /* Already connecting */
1176 goto wait;
1177
1178 case BT_CONNECTED:
1179 /* Already connected */
8b0dc6dc 1180 err = -EISCONN;
1da177e4
LT		 1181 goto done;
1182
1183 case BT_OPEN:
1184 case BT_BOUND:
1185 /* Can connect */
1186 break;
1187
1188 default:
1189 err = -EBADFD;
1190 goto done;
1191 }
1192
1193 /* Set destination address and psm */
f29972de
MH		 1194 bacpy(&bt_sk(sk)->dst, &la.l2_bdaddr);
1195 l2cap_pi(sk)->psm = la.l2_psm;
1da177e4 1196
af05b30b
GP		 1197 err = l2cap_do_connect(sk);
1198 if (err)
1da177e4
LT		 1199 goto done;
1200
1201wait:
1202 err = bt_sock_wait_state(sk, BT_CONNECTED,
1203 sock_sndtimeo(sk, flags & O_NONBLOCK));
1204done:
1205 release_sock(sk);
1206 return err;
1207}
1208
1209static int l2cap_sock_listen(struct socket *sock, int backlog)
1210{
1211 struct sock *sk = sock->sk;
1212 int err = 0;
1213
1214 BT_DBG("sk %p backlog %d", sk, backlog);
1215
1216 lock_sock(sk);
1217
bd3c9e25
GP		 1218 if ((sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM)
1219 || sk->sk_state != BT_BOUND) {
1da177e4
LT		 1220 err = -EBADFD;
1221 goto done;
1222 }
1223
c6b03cf9
MH		 1224 switch (l2cap_pi(sk)->mode) {
1225 case L2CAP_MODE_BASIC:
1226 break;
1227 case L2CAP_MODE_ERTM:
f2fcfcd6 1228 case L2CAP_MODE_STREAMING:
d1c4a17d 1229 if (!disable_ertm)
c6b03cf9
MH		 1230 break;
1231 /* fall through */
1232 default:
1233 err = -ENOTSUPP;
1234 goto done;
1235 }
1236
1da177e4
LT		 1237 if (!l2cap_pi(sk)->psm) {
1238 bdaddr_t *src = &bt_sk(sk)->src;
1239 u16 psm;
1240
1241 err = -EINVAL;
1242
1243 write_lock_bh(&l2cap_sk_list.lock);
1244
1245 for (psm = 0x1001; psm < 0x1100; psm += 2)
b4324b5d
MH		 1246 if (!__l2cap_get_sock_by_addr(cpu_to_le16(psm), src)) {
1247 l2cap_pi(sk)->psm = cpu_to_le16(psm);
1248 l2cap_pi(sk)->sport = cpu_to_le16(psm);
1da177e4
LT		 1249 err = 0;
1250 break;
1251 }
1252
1253 write_unlock_bh(&l2cap_sk_list.lock);
1254
1255 if (err < 0)
1256 goto done;
1257 }
1258
1259 sk->sk_max_ack_backlog = backlog;
1260 sk->sk_ack_backlog = 0;
1261 sk->sk_state = BT_LISTEN;
1262
1263done:
1264 release_sock(sk);
1265 return err;
1266}
1267
1268static int l2cap_sock_accept(struct socket *sock, struct socket *newsock, int flags)
1269{
1270 DECLARE_WAITQUEUE(wait, current);
1271 struct sock *sk = sock->sk, *nsk;
1272 long timeo;
1273 int err = 0;
1274
fcc70d5f 1275 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
1da177e4
LT		 1276
1277 if (sk->sk_state != BT_LISTEN) {
1278 err = -EBADFD;
1279 goto done;
1280 }
1281
1282 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
1283
1284 BT_DBG("sk %p timeo %ld", sk, timeo);
1285
1286 /* Wait for an incoming connection. (wake-one). */
aa395145 1287 add_wait_queue_exclusive(sk_sleep(sk), &wait);
1da177e4
LT		 1288 while (!(nsk = bt_accept_dequeue(sk, newsock))) {
1289 set_current_state(TASK_INTERRUPTIBLE);
1290 if (!timeo) {
1291 err = -EAGAIN;
1292 break;
1293 }
1294
1295 release_sock(sk);
1296 timeo = schedule_timeout(timeo);
fcc70d5f 1297 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
1da177e4
LT		 1298
1299 if (sk->sk_state != BT_LISTEN) {
1300 err = -EBADFD;
1301 break;
1302 }
1303
1304 if (signal_pending(current)) {
1305 err = sock_intr_errno(timeo);
1306 break;
1307 }
1308 }
1309 set_current_state(TASK_RUNNING);
aa395145 1310 remove_wait_queue(sk_sleep(sk), &wait);
1da177e4
LT		 1311
1312 if (err)
1313 goto done;
1314
1315 newsock->state = SS_CONNECTED;
1316
1317 BT_DBG("new socket %p", nsk);
1318
1319done:
1320 release_sock(sk);
1321 return err;
1322}
1323
1324static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr, int *len, int peer)
1325{
1326 struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
1327 struct sock *sk = sock->sk;
1328
1329 BT_DBG("sock %p, sk %p", sock, sk);
1330
1331 addr->sa_family = AF_BLUETOOTH;
1332 *len = sizeof(struct sockaddr_l2);
1333
f29972de
MH		 1334 if (peer) {
1335 la->l2_psm = l2cap_pi(sk)->psm;
1da177e4 1336 bacpy(&la->l2_bdaddr, &bt_sk(sk)->dst);
b4324b5d 1337 la->l2_cid = cpu_to_le16(l2cap_pi(sk)->dcid);
f29972de
MH		 1338 } else {
1339 la->l2_psm = l2cap_pi(sk)->sport;
1da177e4 1340 bacpy(&la->l2_bdaddr, &bt_sk(sk)->src);
b4324b5d 1341 la->l2_cid = cpu_to_le16(l2cap_pi(sk)->scid);
f29972de 1342 }
1da177e4 1343
1da177e4
LT		 1344 return 0;
1345}
1346
6161c038
GP		 1347static int __l2cap_wait_ack(struct sock *sk)
1348{
1349 DECLARE_WAITQUEUE(wait, current);
1350 int err = 0;
1351 int timeo = HZ/5;
1352
2b0b05dd 1353 add_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1354 while ((l2cap_pi(sk)->unacked_frames > 0 && l2cap_pi(sk)->conn)) {
1355 set_current_state(TASK_INTERRUPTIBLE);
1356
1357 if (!timeo)
1358 timeo = HZ/5;
1359
1360 if (signal_pending(current)) {
1361 err = sock_intr_errno(timeo);
1362 break;
1363 }
1364
1365 release_sock(sk);
1366 timeo = schedule_timeout(timeo);
1367 lock_sock(sk);
1368
1369 err = sock_error(sk);
1370 if (err)
1371 break;
1372 }
1373 set_current_state(TASK_RUNNING);
2b0b05dd 1374 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1375 return err;
1376}
1377
e90bac06
GP		 1378static void l2cap_monitor_timeout(unsigned long arg)
1379{
1380 struct sock *sk = (void *) arg;
e90bac06 1381
0e98958d
GP		 1382 BT_DBG("sk %p", sk);
1383
e686219a 1384 bh_lock_sock(sk);
e90bac06 1385 if (l2cap_pi(sk)->retry_count >= l2cap_pi(sk)->remote_max_tx) {
9b108fc0 1386 l2cap_send_disconn_req(l2cap_pi(sk)->conn, sk, ECONNABORTED);
b13f5860 1387 bh_unlock_sock(sk);
e90bac06
GP		 1388 return;
1389 }
1390
1391 l2cap_pi(sk)->retry_count++;
1392 __mod_monitor_timer();
1393
a2e12a2a 1394 l2cap_send_rr_or_rnr(l2cap_pi(sk), L2CAP_CTRL_POLL);
e686219a 1395 bh_unlock_sock(sk);
e90bac06
GP		 1396}
1397
1398static void l2cap_retrans_timeout(unsigned long arg)
1399{
1400 struct sock *sk = (void *) arg;
e90bac06 1401
0e98958d
GP		 1402 BT_DBG("sk %p", sk);
1403
e686219a 1404 bh_lock_sock(sk);
e90bac06
GP		 1405 l2cap_pi(sk)->retry_count = 1;
1406 __mod_monitor_timer();
1407
1408 l2cap_pi(sk)->conn_state |= L2CAP_CONN_WAIT_F;
1409
a2e12a2a 1410 l2cap_send_rr_or_rnr(l2cap_pi(sk), L2CAP_CTRL_POLL);
e686219a 1411 bh_unlock_sock(sk);
e90bac06
GP		 1412}
1413
1c2acffb 1414static void l2cap_drop_acked_frames(struct sock *sk)
1da177e4 1415{
1c2acffb 1416 struct sk_buff *skb;
1da177e4 1417
812e737e
GP		 1418 while ((skb = skb_peek(TX_QUEUE(sk))) &&
1419 l2cap_pi(sk)->unacked_frames) {
1c2acffb
GP		 1420 if (bt_cb(skb)->tx_seq == l2cap_pi(sk)->expected_ack_seq)
1421 break;
1da177e4 1422
1c2acffb
GP		 1423 skb = skb_dequeue(TX_QUEUE(sk));
1424 kfree_skb(skb);
1da177e4 1425
1c2acffb
GP		 1426 l2cap_pi(sk)->unacked_frames--;
1427 }
1da177e4 1428
e90bac06
GP		 1429 if (!l2cap_pi(sk)->unacked_frames)
1430 del_timer(&l2cap_pi(sk)->retrans_timer);
1c2acffb 1431}
1da177e4 1432
9a9c6a34 1433static inline void l2cap_do_send(struct sock *sk, struct sk_buff *skb)
1c2acffb
GP		 1434{
1435 struct l2cap_pinfo *pi = l2cap_pi(sk);
1c2acffb
GP		 1436
1437 BT_DBG("sk %p, skb %p len %d", sk, skb, skb->len);
1da177e4 1438
9a9c6a34 1439 hci_send_acl(pi->conn->hcon, skb, 0);
1c2acffb
GP		 1440}
1441
305682e8 1442static void l2cap_streaming_send(struct sock *sk)
6840ed07 1443{
ccbb84af 1444 struct sk_buff *skb;
6840ed07 1445 struct l2cap_pinfo *pi = l2cap_pi(sk);
fcc203c3 1446 u16 control, fcs;
6840ed07 1447
ccbb84af
GP		 1448 while ((skb = skb_dequeue(TX_QUEUE(sk)))) {
1449 control = get_unaligned_le16(skb->data + L2CAP_HDR_SIZE);
6840ed07 1450 control |= pi->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT;
ccbb84af 1451 put_unaligned_le16(control, skb->data + L2CAP_HDR_SIZE);
6840ed07 1452
e8235c6b 1453 if (pi->fcs == L2CAP_FCS_CRC16) {
ccbb84af
GP		 1454 fcs = crc16(0, (u8 *)skb->data, skb->len - 2);
1455 put_unaligned_le16(fcs, skb->data + skb->len - 2);
fcc203c3
GP		 1456 }
1457
ccbb84af 1458 l2cap_do_send(sk, skb);
6840ed07
GP		 1459
1460 pi->next_tx_seq = (pi->next_tx_seq + 1) % 64;
6840ed07 1461 }
6840ed07
GP		 1462}
1463
dfc909be 1464static void l2cap_retransmit_one_frame(struct sock *sk, u8 tx_seq)
8f17154f
GP		 1465{
1466 struct l2cap_pinfo *pi = l2cap_pi(sk);
1467 struct sk_buff *skb, *tx_skb;
1468 u16 control, fcs;
8f17154f
GP		 1469
1470 skb = skb_peek(TX_QUEUE(sk));
f11d676d
GP		 1471 if (!skb)
1472 return;
8f17154f 1473
f11d676d
GP		 1474 do {
1475 if (bt_cb(skb)->tx_seq == tx_seq)
8f17154f 1476 break;
8f17154f 1477
f11d676d
GP		 1478 if (skb_queue_is_last(TX_QUEUE(sk), skb))
1479 return;
8f17154f 1480
f11d676d 1481 } while ((skb = skb_queue_next(TX_QUEUE(sk), skb)));
8f17154f 1482
f11d676d
GP		 1483 if (pi->remote_max_tx &&
1484 bt_cb(skb)->retries == pi->remote_max_tx) {
9b108fc0 1485 l2cap_send_disconn_req(pi->conn, sk, ECONNABORTED);
f11d676d
GP		 1486 return;
1487 }
1488
1489 tx_skb = skb_clone(skb, GFP_ATOMIC);
1490 bt_cb(skb)->retries++;
1491 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
3cb123d1
GP		 1492
1493 if (pi->conn_state & L2CAP_CONN_SEND_FBIT) {
1494 control |= L2CAP_CTRL_FINAL;
1495 pi->conn_state &= ~L2CAP_CONN_SEND_FBIT;
1496 }
95ffa978 1497
f11d676d
GP		 1498 control |= (pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1499 | (tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
3cb123d1 1500
f11d676d
GP		 1501 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1502
1503 if (pi->fcs == L2CAP_FCS_CRC16) {
1504 fcs = crc16(0, (u8 *)tx_skb->data, tx_skb->len - 2);
1505 put_unaligned_le16(fcs, tx_skb->data + tx_skb->len - 2);
1506 }
1507
1508 l2cap_do_send(sk, tx_skb);
8f17154f
GP		 1509}
1510
1c2acffb
GP		 1511static int l2cap_ertm_send(struct sock *sk)
1512{
1513 struct sk_buff *skb, *tx_skb;
1514 struct l2cap_pinfo *pi = l2cap_pi(sk);
fcc203c3 1515 u16 control, fcs;
9a9c6a34 1516 int nsent = 0;
1c2acffb 1517
c13ffa62
GP		 1518 if (sk->sk_state != BT_CONNECTED)
1519 return -ENOTCONN;
e90bac06 1520
6e2b6722 1521 while ((skb = sk->sk_send_head) && (!l2cap_tx_window_full(sk))) {
1c2acffb 1522
e90bac06
GP		 1523 if (pi->remote_max_tx &&
1524 bt_cb(skb)->retries == pi->remote_max_tx) {
9b108fc0 1525 l2cap_send_disconn_req(pi->conn, sk, ECONNABORTED);
e90bac06
GP		 1526 break;
1527 }
1528
e420aba3
AE		 1529 tx_skb = skb_clone(skb, GFP_ATOMIC);
1530
e90bac06
GP		 1531 bt_cb(skb)->retries++;
1532
1c2acffb 1533 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
95ffa978
GP		 1534 control &= L2CAP_CTRL_SAR;
1535
d5392c8f
GP		 1536 if (pi->conn_state & L2CAP_CONN_SEND_FBIT) {
1537 control |= L2CAP_CTRL_FINAL;
1538 pi->conn_state &= ~L2CAP_CONN_SEND_FBIT;
1539 }
9f121a5a 1540 control |= (pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1c2acffb
GP		 1541 | (pi->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
1542 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1543
e90bac06 1544
e8235c6b 1545 if (pi->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 1546 fcs = crc16(0, (u8 *)skb->data, tx_skb->len - 2);
1547 put_unaligned_le16(fcs, skb->data + tx_skb->len - 2);
1548 }
1549
9a9c6a34
GP		 1550 l2cap_do_send(sk, tx_skb);
1551
e90bac06 1552 __mod_retrans_timer();
1c2acffb
GP		 1553
1554 bt_cb(skb)->tx_seq = pi->next_tx_seq;
1555 pi->next_tx_seq = (pi->next_tx_seq + 1) % 64;
1556
1557 pi->unacked_frames++;
d5392c8f 1558 pi->frames_sent++;
1c2acffb
GP		 1559
1560 if (skb_queue_is_last(TX_QUEUE(sk), skb))
1561 sk->sk_send_head = NULL;
1562 else
1563 sk->sk_send_head = skb_queue_next(TX_QUEUE(sk), skb);
9e917af1
GP		 1564
1565 nsent++;
1c2acffb
GP		 1566 }
1567
9e917af1
GP		 1568 return nsent;
1569}
1570
dfc909be
GP		 1571static int l2cap_retransmit_frames(struct sock *sk)
1572{
1573 struct l2cap_pinfo *pi = l2cap_pi(sk);
1574 int ret;
1575
dfc909be
GP		 1576 if (!skb_queue_empty(TX_QUEUE(sk)))
1577 sk->sk_send_head = TX_QUEUE(sk)->next;
1578
1579 pi->next_tx_seq = pi->expected_ack_seq;
1580 ret = l2cap_ertm_send(sk);
dfc909be
GP		 1581 return ret;
1582}
1583
9a9c6a34 1584static void l2cap_send_ack(struct l2cap_pinfo *pi)
9e917af1
GP		 1585{
1586 struct sock *sk = (struct sock *)pi;
1587 u16 control = 0;
1588
1589 control |= pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1590
1591 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) {
1592 control |= L2CAP_SUPER_RCV_NOT_READY;
1890d36b 1593 pi->conn_state |= L2CAP_CONN_RNR_SENT;
9a9c6a34
GP		 1594 l2cap_send_sframe(pi, control);
1595 return;
9e917af1 1596 }
dfc909be 1597
e0f66218 1598 if (l2cap_ertm_send(sk) > 0)
dfc909be
GP		 1599 return;
1600
1601 control |= L2CAP_SUPER_RCV_READY;
1602 l2cap_send_sframe(pi, control);
1c2acffb
GP		 1603}
1604
9a9c6a34 1605static void l2cap_send_srejtail(struct sock *sk)
99b0d4b7
GP		 1606{
1607 struct srej_list *tail;
1608 u16 control;
1609
1610 control = L2CAP_SUPER_SELECT_REJECT;
1611 control |= L2CAP_CTRL_FINAL;
1612
1613 tail = list_entry(SREJ_LIST(sk)->prev, struct srej_list, list);
1614 control |= tail->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1615
1616 l2cap_send_sframe(l2cap_pi(sk), control);
99b0d4b7
GP		 1617}
1618
1c2acffb
GP		 1619static inline int l2cap_skbuff_fromiovec(struct sock *sk, struct msghdr *msg, int len, int count, struct sk_buff *skb)
1620{
1621 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1622 struct sk_buff **frag;
1623 int err, sent = 0;
1da177e4 1624
59203a21 1625 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1626 return -EFAULT;
1da177e4
LT		 1627
1628 sent += count;
1629 len -= count;
1630
1631 /* Continuation fragments (no L2CAP header) */
1632 frag = &skb_shinfo(skb)->frag_list;
1633 while (len) {
1634 count = min_t(unsigned int, conn->mtu, len);
1635
1636 *frag = bt_skb_send_alloc(sk, count, msg->msg_flags & MSG_DONTWAIT, &err);
1637 if (!*frag)
1c2acffb
GP		 1638 return -EFAULT;
1639 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1640 return -EFAULT;
1da177e4
LT		 1641
1642 sent += count;
1643 len -= count;
1644
1645 frag = &(*frag)->next;
1646 }
1da177e4
LT		 1647
1648 return sent;
1c2acffb 1649}
1da177e4 1650
1c2acffb
GP		 1651static struct sk_buff *l2cap_create_connless_pdu(struct sock *sk, struct msghdr *msg, size_t len)
1652{
1653 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1654 struct sk_buff *skb;
1655 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1656 struct l2cap_hdr *lh;
1657
1658 BT_DBG("sk %p len %d", sk, (int)len);
1659
1660 count = min_t(unsigned int, (conn->mtu - hlen), len);
1661 skb = bt_skb_send_alloc(sk, count + hlen,
1662 msg->msg_flags & MSG_DONTWAIT, &err);
1663 if (!skb)
1664 return ERR_PTR(-ENOMEM);
1665
1666 /* Create L2CAP header */
1667 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1668 lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1669 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1670 put_unaligned_le16(l2cap_pi(sk)->psm, skb_put(skb, 2));
1671
1672 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1673 if (unlikely(err < 0)) {
1674 kfree_skb(skb);
1675 return ERR_PTR(err);
1676 }
1677 return skb;
1678}
1679
1680static struct sk_buff *l2cap_create_basic_pdu(struct sock *sk, struct msghdr *msg, size_t len)
1681{
1682 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1683 struct sk_buff *skb;
1684 int err, count, hlen = L2CAP_HDR_SIZE;
1685 struct l2cap_hdr *lh;
1686
1687 BT_DBG("sk %p len %d", sk, (int)len);
1688
1689 count = min_t(unsigned int, (conn->mtu - hlen), len);
1690 skb = bt_skb_send_alloc(sk, count + hlen,
1691 msg->msg_flags & MSG_DONTWAIT, &err);
1692 if (!skb)
1693 return ERR_PTR(-ENOMEM);
1694
1695 /* Create L2CAP header */
1696 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1697 lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1698 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1699
1700 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1701 if (unlikely(err < 0)) {
1702 kfree_skb(skb);
1703 return ERR_PTR(err);
1704 }
1705 return skb;
1706}
1707
6840ed07 1708static struct sk_buff *l2cap_create_iframe_pdu(struct sock *sk, struct msghdr *msg, size_t len, u16 control, u16 sdulen)
1c2acffb
GP		 1709{
1710 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1711 struct sk_buff *skb;
1712 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1713 struct l2cap_hdr *lh;
1714
1715 BT_DBG("sk %p len %d", sk, (int)len);
1716
0ee0d208
GP		 1717 if (!conn)
1718 return ERR_PTR(-ENOTCONN);
1719
c74e560c
GP		 1720 if (sdulen)
1721 hlen += 2;
1722
fcc203c3
GP		 1723 if (l2cap_pi(sk)->fcs == L2CAP_FCS_CRC16)
1724 hlen += 2;
1725
1c2acffb
GP		 1726 count = min_t(unsigned int, (conn->mtu - hlen), len);
1727 skb = bt_skb_send_alloc(sk, count + hlen,
1728 msg->msg_flags & MSG_DONTWAIT, &err);
1729 if (!skb)
1730 return ERR_PTR(-ENOMEM);
1731
1732 /* Create L2CAP header */
1733 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1734 lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1735 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1736 put_unaligned_le16(control, skb_put(skb, 2));
c74e560c
GP		 1737 if (sdulen)
1738 put_unaligned_le16(sdulen, skb_put(skb, 2));
1c2acffb
GP		 1739
1740 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1741 if (unlikely(err < 0)) {
1742 kfree_skb(skb);
1743 return ERR_PTR(err);
1744 }
e90bac06 1745
fcc203c3
GP		 1746 if (l2cap_pi(sk)->fcs == L2CAP_FCS_CRC16)
1747 put_unaligned_le16(0, skb_put(skb, 2));
1748
e90bac06 1749 bt_cb(skb)->retries = 0;
1c2acffb 1750 return skb;
1da177e4
LT		 1751}
1752
c74e560c
GP		 1753static inline int l2cap_sar_segment_sdu(struct sock *sk, struct msghdr *msg, size_t len)
1754{
1755 struct l2cap_pinfo *pi = l2cap_pi(sk);
1756 struct sk_buff *skb;
1757 struct sk_buff_head sar_queue;
1758 u16 control;
1759 size_t size = 0;
1760
ff12fd64 1761 skb_queue_head_init(&sar_queue);
c74e560c 1762 control = L2CAP_SDU_START;
1c762159 1763 skb = l2cap_create_iframe_pdu(sk, msg, pi->remote_mps, control, len);
c74e560c
GP		 1764 if (IS_ERR(skb))
1765 return PTR_ERR(skb);
1766
1767 __skb_queue_tail(&sar_queue, skb);
1c762159
GP		 1768 len -= pi->remote_mps;
1769 size += pi->remote_mps;
c74e560c
GP		 1770
1771 while (len > 0) {
1772 size_t buflen;
1773
1c762159 1774 if (len > pi->remote_mps) {
44651b85 1775 control = L2CAP_SDU_CONTINUE;
1c762159 1776 buflen = pi->remote_mps;
c74e560c 1777 } else {
44651b85 1778 control = L2CAP_SDU_END;
c74e560c
GP		 1779 buflen = len;
1780 }
1781
6840ed07 1782 skb = l2cap_create_iframe_pdu(sk, msg, buflen, control, 0);
c74e560c
GP		 1783 if (IS_ERR(skb)) {
1784 skb_queue_purge(&sar_queue);
1785 return PTR_ERR(skb);
1786 }
1787
1788 __skb_queue_tail(&sar_queue, skb);
1789 len -= buflen;
1790 size += buflen;
c74e560c
GP		 1791 }
1792 skb_queue_splice_tail(&sar_queue, TX_QUEUE(sk));
1793 if (sk->sk_send_head == NULL)
1794 sk->sk_send_head = sar_queue.next;
1795
1796 return size;
1797}
1798
1da177e4
LT		 1799static int l2cap_sock_sendmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len)
1800{
1801 struct sock *sk = sock->sk;
1c2acffb
GP		 1802 struct l2cap_pinfo *pi = l2cap_pi(sk);
1803 struct sk_buff *skb;
1804 u16 control;
1805 int err;
1da177e4
LT		 1806
1807 BT_DBG("sock %p, sk %p", sock, sk);
1808
c1cbe4b7
BL		 1809 err = sock_error(sk);
1810 if (err)
1811 return err;
1da177e4
LT		 1812
1813 if (msg->msg_flags & MSG_OOB)
1814 return -EOPNOTSUPP;
1815
1da177e4
LT		 1816 lock_sock(sk);
1817
1c2acffb 1818 if (sk->sk_state != BT_CONNECTED) {
1da177e4 1819 err = -ENOTCONN;
1c2acffb
GP		 1820 goto done;
1821 }
1da177e4 1822
1c2acffb
GP		 1823 /* Connectionless channel */
1824 if (sk->sk_type == SOCK_DGRAM) {
1825 skb = l2cap_create_connless_pdu(sk, msg, len);
9a9c6a34 1826 if (IS_ERR(skb)) {
477fffb0 1827 err = PTR_ERR(skb);
9a9c6a34
GP		 1828 } else {
1829 l2cap_do_send(sk, skb);
1830 err = len;
1831 }
1c2acffb
GP		 1832 goto done;
1833 }
1834
1835 switch (pi->mode) {
1836 case L2CAP_MODE_BASIC:
c69163e9
GP		 1837 /* Check outgoing MTU */
1838 if (len > pi->omtu) {
f9dd11b0 1839 err = -EMSGSIZE;
c69163e9
GP		 1840 goto done;
1841 }
1842
1c2acffb
GP		 1843 /* Create a basic PDU */
1844 skb = l2cap_create_basic_pdu(sk, msg, len);
1845 if (IS_ERR(skb)) {
1846 err = PTR_ERR(skb);
1847 goto done;
1848 }
1849
9a9c6a34
GP		 1850 l2cap_do_send(sk, skb);
1851 err = len;
1c2acffb
GP		 1852 break;
1853
1854 case L2CAP_MODE_ERTM:
6840ed07 1855 case L2CAP_MODE_STREAMING:
1c2acffb 1856 /* Entire SDU fits into one PDU */
1c762159 1857 if (len <= pi->remote_mps) {
1c2acffb 1858 control = L2CAP_SDU_UNSEGMENTED;
6840ed07 1859 skb = l2cap_create_iframe_pdu(sk, msg, len, control, 0);
1c2acffb
GP		 1860 if (IS_ERR(skb)) {
1861 err = PTR_ERR(skb);
1862 goto done;
1863 }
c74e560c 1864 __skb_queue_tail(TX_QUEUE(sk), skb);
dfc909be 1865
c74e560c
GP		 1866 if (sk->sk_send_head == NULL)
1867 sk->sk_send_head = skb;
dfc909be 1868
1c2acffb 1869 } else {
c74e560c
GP		 1870 /* Segment SDU into multiples PDUs */
1871 err = l2cap_sar_segment_sdu(sk, msg, len);
1872 if (err < 0)
1873 goto done;
1c2acffb 1874 }
1c2acffb 1875
dfc909be 1876 if (pi->mode == L2CAP_MODE_STREAMING) {
305682e8 1877 l2cap_streaming_send(sk);
dfc909be 1878 } else {
6e2b6722
GP		 1879 if (pi->conn_state & L2CAP_CONN_REMOTE_BUSY &&
1880 pi->conn_state && L2CAP_CONN_WAIT_F) {
1881 err = len;
1882 break;
1883 }
6840ed07 1884 err = l2cap_ertm_send(sk);
dfc909be 1885 }
6840ed07 1886
9e917af1 1887 if (err >= 0)
1c2acffb
GP		 1888 err = len;
1889 break;
1890
1891 default:
1892 BT_DBG("bad state %1.1x", pi->mode);
bc766db2 1893 err = -EBADFD;
1c2acffb
GP		 1894 }
1895
1896done:
1da177e4
LT		 1897 release_sock(sk);
1898 return err;
1899}
1900
f66dc81f
MH		 1901static int l2cap_sock_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len, int flags)
1902{
1903 struct sock *sk = sock->sk;
1904
1905 lock_sock(sk);
1906
1907 if (sk->sk_state == BT_CONNECT2 && bt_sk(sk)->defer_setup) {
1908 struct l2cap_conn_rsp rsp;
e9aeb2dd
GP		 1909 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1910 u8 buf[128];
f66dc81f
MH		 1911
1912 sk->sk_state = BT_CONFIG;
1913
1914 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
1915 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
1916 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1917 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1918 l2cap_send_cmd(l2cap_pi(sk)->conn, l2cap_pi(sk)->ident,
1919 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
1920
e9aeb2dd
GP		 1921 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT) {
1922 release_sock(sk);
1923 return 0;
1924 }
1925
1926 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
1927 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
1928 l2cap_build_conf_req(sk, buf), buf);
1929 l2cap_pi(sk)->num_conf_req++;
1930
f66dc81f
MH		 1931 release_sock(sk);
1932 return 0;
1933 }
1934
1935 release_sock(sk);
1936
1937 return bt_sock_recvmsg(iocb, sock, msg, len, flags);
1938}
1939
b7058842 1940static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __user *optval, unsigned int optlen)
1da177e4
LT		 1941{
1942 struct sock *sk = sock->sk;
1943 struct l2cap_options opts;
f29972de 1944 int len, err = 0;
1da177e4
LT		 1945 u32 opt;
1946
1947 BT_DBG("sk %p", sk);
1948
1949 lock_sock(sk);
1950
1951 switch (optname) {
1952 case L2CAP_OPTIONS:
0878b666
MH		 1953 opts.imtu = l2cap_pi(sk)->imtu;
1954 opts.omtu = l2cap_pi(sk)->omtu;
1955 opts.flush_to = l2cap_pi(sk)->flush_to;
c6b03cf9 1956 opts.mode = l2cap_pi(sk)->mode;
fcc203c3 1957 opts.fcs = l2cap_pi(sk)->fcs;
68d7f0ce 1958 opts.max_tx = l2cap_pi(sk)->max_tx;
14b5aa71 1959 opts.txwin_size = (__u16)l2cap_pi(sk)->tx_win;
0878b666 1960
1da177e4
LT		 1961 len = min_t(unsigned int, sizeof(opts), optlen);
1962 if (copy_from_user((char *) &opts, optval, len)) {
1963 err = -EFAULT;
1964 break;
1965 }
0878b666 1966
45d65c46
GP		 1967 if (opts.txwin_size > L2CAP_DEFAULT_TX_WINDOW) {
1968 err = -EINVAL;
1969 break;
1970 }
1971
0041ecfa
JPRV		 1972 l2cap_pi(sk)->mode = opts.mode;
1973 switch (l2cap_pi(sk)->mode) {
1974 case L2CAP_MODE_BASIC:
85eb53c6 1975 l2cap_pi(sk)->conf_state &= ~L2CAP_CONF_STATE2_DEVICE;
0041ecfa
JPRV		 1976 break;
1977 case L2CAP_MODE_ERTM:
1978 case L2CAP_MODE_STREAMING:
d1c4a17d 1979 if (!disable_ertm)
0041ecfa
JPRV		 1980 break;
1981 /* fall through */
1982 default:
1983 err = -EINVAL;
1984 break;
1985 }
1986
c6b03cf9
MH		 1987 l2cap_pi(sk)->imtu = opts.imtu;
1988 l2cap_pi(sk)->omtu = opts.omtu;
fcc203c3 1989 l2cap_pi(sk)->fcs = opts.fcs;
68d7f0ce 1990 l2cap_pi(sk)->max_tx = opts.max_tx;
14b5aa71 1991 l2cap_pi(sk)->tx_win = (__u8)opts.txwin_size;
1da177e4
LT		 1992 break;
1993
1994 case L2CAP_LM:
1995 if (get_user(opt, (u32 __user *) optval)) {
1996 err = -EFAULT;
1997 break;
1998 }
1999
2af6b9d5
MH		 2000 if (opt & L2CAP_LM_AUTH)
2001 l2cap_pi(sk)->sec_level = BT_SECURITY_LOW;
2002 if (opt & L2CAP_LM_ENCRYPT)
2003 l2cap_pi(sk)->sec_level = BT_SECURITY_MEDIUM;
2004 if (opt & L2CAP_LM_SECURE)
2005 l2cap_pi(sk)->sec_level = BT_SECURITY_HIGH;
2006
2007 l2cap_pi(sk)->role_switch = (opt & L2CAP_LM_MASTER);
2008 l2cap_pi(sk)->force_reliable = (opt & L2CAP_LM_RELIABLE);
1da177e4
LT		 2009 break;
2010
2011 default:
2012 err = -ENOPROTOOPT;
2013 break;
2014 }
2015
2016 release_sock(sk);
2017 return err;
2018}
2019
b7058842 2020static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, char __user *optval, unsigned int optlen)
d58daf42
MH		 2021{
2022 struct sock *sk = sock->sk;
2af6b9d5
MH		 2023 struct bt_security sec;
2024 int len, err = 0;
f66dc81f 2025 u32 opt;
d58daf42
MH		 2026
2027 BT_DBG("sk %p", sk);
2028
2029 if (level == SOL_L2CAP)
2030 return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
2031
0588d94f
MH		 2032 if (level != SOL_BLUETOOTH)
2033 return -ENOPROTOOPT;
2034
d58daf42
MH		 2035 lock_sock(sk);
2036
2037 switch (optname) {
2af6b9d5 2038 case BT_SECURITY:
bd3c9e25
GP		 2039 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
2040 && sk->sk_type != SOCK_RAW) {
0588d94f
MH		 2041 err = -EINVAL;
2042 break;
2043 }
2044
2af6b9d5
MH		 2045 sec.level = BT_SECURITY_LOW;
2046
2047 len = min_t(unsigned int, sizeof(sec), optlen);
2048 if (copy_from_user((char *) &sec, optval, len)) {
2049 err = -EFAULT;
2050 break;
2051 }
2052
2053 if (sec.level < BT_SECURITY_LOW ||
2054 sec.level > BT_SECURITY_HIGH) {
2055 err = -EINVAL;
2056 break;
2057 }
2058
2059 l2cap_pi(sk)->sec_level = sec.level;
2060 break;
2061
f66dc81f
MH		 2062 case BT_DEFER_SETUP:
2063 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
2064 err = -EINVAL;
2065 break;
2066 }
2067
2068 if (get_user(opt, (u32 __user *) optval)) {
2069 err = -EFAULT;
2070 break;
2071 }
2072
2073 bt_sk(sk)->defer_setup = opt;
2074 break;
2075
d58daf42
MH		 2076 default:
2077 err = -ENOPROTOOPT;
2078 break;
2079 }
2080
2081 release_sock(sk);
2082 return err;
2083}
2084
2085static int l2cap_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen)
1da177e4
LT		 2086{
2087 struct sock *sk = sock->sk;
2088 struct l2cap_options opts;
2089 struct l2cap_conninfo cinfo;
2090 int len, err = 0;
2af6b9d5 2091 u32 opt;
1da177e4
LT		 2092
2093 BT_DBG("sk %p", sk);
2094
2095 if (get_user(len, optlen))
2096 return -EFAULT;
2097
2098 lock_sock(sk);
2099
2100 switch (optname) {
2101 case L2CAP_OPTIONS:
2102 opts.imtu = l2cap_pi(sk)->imtu;
2103 opts.omtu = l2cap_pi(sk)->omtu;
2104 opts.flush_to = l2cap_pi(sk)->flush_to;
c6b03cf9 2105 opts.mode = l2cap_pi(sk)->mode;
fcc203c3 2106 opts.fcs = l2cap_pi(sk)->fcs;
68d7f0ce 2107 opts.max_tx = l2cap_pi(sk)->max_tx;
14b5aa71 2108 opts.txwin_size = (__u16)l2cap_pi(sk)->tx_win;
1da177e4
LT		 2109
2110 len = min_t(unsigned int, len, sizeof(opts));
2111 if (copy_to_user(optval, (char *) &opts, len))
2112 err = -EFAULT;
2113
2114 break;
2115
2116 case L2CAP_LM:
2af6b9d5
MH		 2117 switch (l2cap_pi(sk)->sec_level) {
2118 case BT_SECURITY_LOW:
2119 opt = L2CAP_LM_AUTH;
2120 break;
2121 case BT_SECURITY_MEDIUM:
2122 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
2123 break;
2124 case BT_SECURITY_HIGH:
2125 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
2126 L2CAP_LM_SECURE;
2127 break;
2128 default:
2129 opt = 0;
2130 break;
2131 }
2132
2133 if (l2cap_pi(sk)->role_switch)
2134 opt |= L2CAP_LM_MASTER;
2135
2136 if (l2cap_pi(sk)->force_reliable)
2137 opt |= L2CAP_LM_RELIABLE;
2138
2139 if (put_user(opt, (u32 __user *) optval))
1da177e4
LT		 2140 err = -EFAULT;
2141 break;
2142
2143 case L2CAP_CONNINFO:
f66dc81f
MH		 2144 if (sk->sk_state != BT_CONNECTED &&
2145 !(sk->sk_state == BT_CONNECT2 &&
2146 bt_sk(sk)->defer_setup)) {
1da177e4
LT		 2147 err = -ENOTCONN;
2148 break;
2149 }
2150
2151 cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle;
2152 memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3);
2153
2154 len = min_t(unsigned int, len, sizeof(cinfo));
2155 if (copy_to_user(optval, (char *) &cinfo, len))
2156 err = -EFAULT;
2157
2158 break;
2159
2160 default:
2161 err = -ENOPROTOOPT;
2162 break;
2163 }
2164
2165 release_sock(sk);
2166 return err;
2167}
2168
d58daf42
MH		 2169static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen)
2170{
2171 struct sock *sk = sock->sk;
2af6b9d5 2172 struct bt_security sec;
d58daf42
MH		 2173 int len, err = 0;
2174
2175 BT_DBG("sk %p", sk);
2176
2177 if (level == SOL_L2CAP)
2178 return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
2179
0588d94f
MH		 2180 if (level != SOL_BLUETOOTH)
2181 return -ENOPROTOOPT;
2182
d58daf42
MH		 2183 if (get_user(len, optlen))
2184 return -EFAULT;
2185
2186 lock_sock(sk);
2187
2188 switch (optname) {
2af6b9d5 2189 case BT_SECURITY:
bd3c9e25
GP		 2190 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
2191 && sk->sk_type != SOCK_RAW) {
0588d94f
MH		 2192 err = -EINVAL;
2193 break;
2194 }
2195
2af6b9d5
MH		 2196 sec.level = l2cap_pi(sk)->sec_level;
2197
2198 len = min_t(unsigned int, len, sizeof(sec));
2199 if (copy_to_user(optval, (char *) &sec, len))
2200 err = -EFAULT;
2201
2202 break;
2203
f66dc81f
MH		 2204 case BT_DEFER_SETUP:
2205 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
2206 err = -EINVAL;
2207 break;
2208 }
2209
2210 if (put_user(bt_sk(sk)->defer_setup, (u32 __user *) optval))
2211 err = -EFAULT;
2212
2213 break;
2214
d58daf42
MH		 2215 default:
2216 err = -ENOPROTOOPT;
2217 break;
2218 }
2219
2220 release_sock(sk);
2221 return err;
2222}
2223
1da177e4
LT		 2224static int l2cap_sock_shutdown(struct socket *sock, int how)
2225{
2226 struct sock *sk = sock->sk;
2227 int err = 0;
2228
2229 BT_DBG("sock %p, sk %p", sock, sk);
2230
2231 if (!sk)
2232 return 0;
2233
2234 lock_sock(sk);
2235 if (!sk->sk_shutdown) {
6161c038
GP		 2236 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM)
2237 err = __l2cap_wait_ack(sk);
2238
1da177e4
LT		 2239 sk->sk_shutdown = SHUTDOWN_MASK;
2240 l2cap_sock_clear_timer(sk);
2241 __l2cap_sock_close(sk, 0);
2242
2243 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime)
b1235d79
MH		 2244 err = bt_sock_wait_state(sk, BT_CLOSED,
2245 sk->sk_lingertime);
1da177e4 2246 }
9b108fc0
GP		 2247
2248 if (!err && sk->sk_err)
2249 err = -sk->sk_err;
2250
1da177e4
LT		 2251 release_sock(sk);
2252 return err;
2253}
2254
2255static int l2cap_sock_release(struct socket *sock)
2256{
2257 struct sock *sk = sock->sk;
2258 int err;
2259
2260 BT_DBG("sock %p, sk %p", sock, sk);
2261
2262 if (!sk)
2263 return 0;
2264
2265 err = l2cap_sock_shutdown(sock, 2);
2266
2267 sock_orphan(sk);
2268 l2cap_sock_kill(sk);
2269 return err;
2270}
2271
1da177e4
LT		 2272static void l2cap_chan_ready(struct sock *sk)
2273{
2274 struct sock *parent = bt_sk(sk)->parent;
2275
2276 BT_DBG("sk %p, parent %p", sk, parent);
2277
2278 l2cap_pi(sk)->conf_state = 0;
2279 l2cap_sock_clear_timer(sk);
2280
2281 if (!parent) {
2282 /* Outgoing channel.
2283 * Wake up socket sleeping on connect.
2284 */
2285 sk->sk_state = BT_CONNECTED;
2286 sk->sk_state_change(sk);
2287 } else {
2288 /* Incoming channel.
2289 * Wake up socket sleeping on accept.
2290 */
2291 parent->sk_data_ready(parent, 0);
2292 }
2293}
2294
2295/* Copy frame to all raw sockets on that connection */
2296static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2297{
2298 struct l2cap_chan_list *l = &conn->chan_list;
2299 struct sk_buff *nskb;
af05b30b 2300 struct sock *sk;
1da177e4
LT		 2301
2302 BT_DBG("conn %p", conn);
2303
2304 read_lock(&l->lock);
2305 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
2306 if (sk->sk_type != SOCK_RAW)
2307 continue;
2308
2309 /* Don't send frame to the socket it came from */
2310 if (skb->sk == sk)
2311 continue;
af05b30b
GP		 2312 nskb = skb_clone(skb, GFP_ATOMIC);
2313 if (!nskb)
1da177e4
LT		 2314 continue;
2315
2316 if (sock_queue_rcv_skb(sk, nskb))
2317 kfree_skb(nskb);
2318 }
2319 read_unlock(&l->lock);
2320}
2321
2322/* ---- L2CAP signalling commands ---- */
2323static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2324 u8 code, u8 ident, u16 dlen, void *data)
2325{
2326 struct sk_buff *skb, **frag;
2327 struct l2cap_cmd_hdr *cmd;
2328 struct l2cap_hdr *lh;
2329 int len, count;
2330
af05b30b
GP		 2331 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
2332 conn, code, ident, dlen);
1da177e4
LT		 2333
2334 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2335 count = min_t(unsigned int, conn->mtu, len);
2336
2337 skb = bt_skb_alloc(count, GFP_ATOMIC);
2338 if (!skb)
2339 return NULL;
2340
2341 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2342 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
8db4dc46 2343 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2344
2345 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2346 cmd->code = code;
2347 cmd->ident = ident;
aca3192c 2348 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2349
2350 if (dlen) {
2351 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2352 memcpy(skb_put(skb, count), data, count);
2353 data += count;
2354 }
2355
2356 len -= skb->len;
2357
2358 /* Continuation fragments (no L2CAP header) */
2359 frag = &skb_shinfo(skb)->frag_list;
2360 while (len) {
2361 count = min_t(unsigned int, conn->mtu, len);
2362
2363 *frag = bt_skb_alloc(count, GFP_ATOMIC);
2364 if (!*frag)
2365 goto fail;
2366
2367 memcpy(skb_put(*frag, count), data, count);
2368
2369 len -= count;
2370 data += count;
2371
2372 frag = &(*frag)->next;
2373 }
2374
2375 return skb;
2376
2377fail:
2378 kfree_skb(skb);
2379 return NULL;
2380}
2381
2382static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
2383{
2384 struct l2cap_conf_opt *opt = *ptr;
2385 int len;
2386
2387 len = L2CAP_CONF_OPT_SIZE + opt->len;
2388 *ptr += len;
2389
2390 *type = opt->type;
2391 *olen = opt->len;
2392
2393 switch (opt->len) {
2394 case 1:
2395 *val = *((u8 *) opt->val);
2396 break;
2397
2398 case 2:
861d6882 2399 *val = __le16_to_cpu(*((__le16 *) opt->val));
1da177e4
LT		 2400 break;
2401
2402 case 4:
861d6882 2403 *val = __le32_to_cpu(*((__le32 *) opt->val));
1da177e4
LT		 2404 break;
2405
2406 default:
2407 *val = (unsigned long) opt->val;
2408 break;
2409 }
2410
2411 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
2412 return len;
2413}
2414
1da177e4
LT		 2415static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2416{
2417 struct l2cap_conf_opt *opt = *ptr;
2418
2419 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
2420
2421 opt->type = type;
2422 opt->len = len;
2423
2424 switch (len) {
2425 case 1:
2426 *((u8 *) opt->val) = val;
2427 break;
2428
2429 case 2:
8e036fc3 2430 *((__le16 *) opt->val) = cpu_to_le16(val);
1da177e4
LT		 2431 break;
2432
2433 case 4:
8e036fc3 2434 *((__le32 *) opt->val) = cpu_to_le32(val);
1da177e4
LT		 2435 break;
2436
2437 default:
2438 memcpy(opt->val, (void *) val, len);
2439 break;
2440 }
2441
2442 *ptr += L2CAP_CONF_OPT_SIZE + len;
2443}
2444
c1b4f43b
GP		 2445static void l2cap_ack_timeout(unsigned long arg)
2446{
2447 struct sock *sk = (void *) arg;
2448
2449 bh_lock_sock(sk);
2450 l2cap_send_ack(l2cap_pi(sk));
2451 bh_unlock_sock(sk);
2452}
2453
0565c1c2
GP		 2454static inline void l2cap_ertm_init(struct sock *sk)
2455{
2456 l2cap_pi(sk)->expected_ack_seq = 0;
2457 l2cap_pi(sk)->unacked_frames = 0;
2458 l2cap_pi(sk)->buffer_seq = 0;
803020c6 2459 l2cap_pi(sk)->num_acked = 0;
d5392c8f 2460 l2cap_pi(sk)->frames_sent = 0;
0565c1c2
GP		 2461
2462 setup_timer(&l2cap_pi(sk)->retrans_timer,
2463 l2cap_retrans_timeout, (unsigned long) sk);
2464 setup_timer(&l2cap_pi(sk)->monitor_timer,
2465 l2cap_monitor_timeout, (unsigned long) sk);
c1b4f43b
GP		 2466 setup_timer(&l2cap_pi(sk)->ack_timer,
2467 l2cap_ack_timeout, (unsigned long) sk);
0565c1c2
GP		 2468
2469 __skb_queue_head_init(SREJ_QUEUE(sk));
1890d36b
GP		 2470 __skb_queue_head_init(BUSY_QUEUE(sk));
2471
2472 INIT_WORK(&l2cap_pi(sk)->busy_work, l2cap_busy_work);
218bb9df
GP		 2473
2474 sk->sk_backlog_rcv = l2cap_ertm_data_rcv;
0565c1c2
GP		 2475}
2476
f2fcfcd6
GP		 2477static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2478{
2479 switch (mode) {
2480 case L2CAP_MODE_STREAMING:
2481 case L2CAP_MODE_ERTM:
2482 if (l2cap_mode_supported(mode, remote_feat_mask))
2483 return mode;
2484 /* fall through */
2485 default:
2486 return L2CAP_MODE_BASIC;
2487 }
2488}
2489
1da177e4
LT		 2490static int l2cap_build_conf_req(struct sock *sk, void *data)
2491{
2492 struct l2cap_pinfo *pi = l2cap_pi(sk);
2493 struct l2cap_conf_req *req = data;
bd3c9e25 2494 struct l2cap_conf_rfc rfc = { .mode = pi->mode };
1da177e4
LT		 2495 void *ptr = req->data;
2496
2497 BT_DBG("sk %p", sk);
2498
f2fcfcd6
GP		 2499 if (pi->num_conf_req || pi->num_conf_rsp)
2500 goto done;
2501
2502 switch (pi->mode) {
2503 case L2CAP_MODE_STREAMING:
2504 case L2CAP_MODE_ERTM:
2ba13ed6 2505 if (pi->conf_state & L2CAP_CONF_STATE2_DEVICE)
85eb53c6 2506 break;
85eb53c6 2507
2ba13ed6 2508 /* fall through */
f2fcfcd6
GP		 2509 default:
2510 pi->mode = l2cap_select_mode(rfc.mode, pi->conn->feat_mask);
2511 break;
2512 }
2513
2514done:
65c7c491
MH		 2515 switch (pi->mode) {
2516 case L2CAP_MODE_BASIC:
2517 if (pi->imtu != L2CAP_DEFAULT_MTU)
2518 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->imtu);
62547752 2519
63406504
GP		 2520 if (!(pi->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2521 !(pi->conn->feat_mask & L2CAP_FEAT_STREAMING))
2522 break;
2523
62547752
GP		 2524 rfc.mode = L2CAP_MODE_BASIC;
2525 rfc.txwin_size = 0;
2526 rfc.max_transmit = 0;
2527 rfc.retrans_timeout = 0;
2528 rfc.monitor_timeout = 0;
2529 rfc.max_pdu_size = 0;
2530
63406504
GP		 2531 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2532 (unsigned long) &rfc);
65c7c491
MH		 2533 break;
2534
2535 case L2CAP_MODE_ERTM:
2536 rfc.mode = L2CAP_MODE_ERTM;
14b5aa71 2537 rfc.txwin_size = pi->tx_win;
68d7f0ce 2538 rfc.max_transmit = pi->max_tx;
f2fcfcd6
GP		 2539 rfc.retrans_timeout = 0;
2540 rfc.monitor_timeout = 0;
c74e560c 2541 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
d1daa091 2542 if (L2CAP_DEFAULT_MAX_PDU_SIZE > pi->conn->mtu - 10)
1c762159 2543 rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10);
f2fcfcd6 2544
63406504
GP		 2545 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2546 (unsigned long) &rfc);
2547
fcc203c3
GP		 2548 if (!(pi->conn->feat_mask & L2CAP_FEAT_FCS))
2549 break;
2550
2551 if (pi->fcs == L2CAP_FCS_NONE ||
2552 pi->conf_state & L2CAP_CONF_NO_FCS_RECV) {
2553 pi->fcs = L2CAP_FCS_NONE;
2554 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, pi->fcs);
2555 }
f2fcfcd6
GP		 2556 break;
2557
2558 case L2CAP_MODE_STREAMING:
2559 rfc.mode = L2CAP_MODE_STREAMING;
2560 rfc.txwin_size = 0;
2561 rfc.max_transmit = 0;
2562 rfc.retrans_timeout = 0;
2563 rfc.monitor_timeout = 0;
c74e560c 2564 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
d1daa091 2565 if (L2CAP_DEFAULT_MAX_PDU_SIZE > pi->conn->mtu - 10)
1c762159 2566 rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10);
65c7c491 2567
63406504
GP		 2568 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2569 (unsigned long) &rfc);
2570
fcc203c3
GP		 2571 if (!(pi->conn->feat_mask & L2CAP_FEAT_FCS))
2572 break;
2573
2574 if (pi->fcs == L2CAP_FCS_NONE ||
2575 pi->conf_state & L2CAP_CONF_NO_FCS_RECV) {
2576 pi->fcs = L2CAP_FCS_NONE;
2577 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, pi->fcs);
2578 }
65c7c491
MH		 2579 break;
2580 }
1da177e4
LT		 2581
2582 /* FIXME: Need actual value of the flush timeout */
2583 //if (flush_to != L2CAP_DEFAULT_FLUSH_TO)
2584 // l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, 2, pi->flush_to);
2585
aca3192c
YH		 2586 req->dcid = cpu_to_le16(pi->dcid);
2587 req->flags = cpu_to_le16(0);
1da177e4
LT		 2588
2589 return ptr - data;
2590}
2591
5dee9e7c 2592static int l2cap_parse_conf_req(struct sock *sk, void *data)
1da177e4
LT		 2593{
2594 struct l2cap_pinfo *pi = l2cap_pi(sk);
5dee9e7c
MH		 2595 struct l2cap_conf_rsp *rsp = data;
2596 void *ptr = rsp->data;
2597 void *req = pi->conf_req;
2598 int len = pi->conf_len;
2599 int type, hint, olen;
2600 unsigned long val;
6464f35f 2601 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
861d6882 2602 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 2603 u16 result = L2CAP_CONF_SUCCESS;
1da177e4 2604
5dee9e7c 2605 BT_DBG("sk %p", sk);
820ae1b8 2606
5dee9e7c
MH		 2607 while (len >= L2CAP_CONF_OPT_SIZE) {
2608 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 2609
589d2746 2610 hint = type & L2CAP_CONF_HINT;
47ec1dcd 2611 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 2612
2613 switch (type) {
2614 case L2CAP_CONF_MTU:
861d6882 2615 mtu = val;
5dee9e7c
MH		 2616 break;
2617
2618 case L2CAP_CONF_FLUSH_TO:
2619 pi->flush_to = val;
2620 break;
2621
2622 case L2CAP_CONF_QOS:
2623 break;
2624
6464f35f
MH		 2625 case L2CAP_CONF_RFC:
2626 if (olen == sizeof(rfc))
2627 memcpy(&rfc, (void *) val, olen);
2628 break;
2629
fcc203c3
GP		 2630 case L2CAP_CONF_FCS:
2631 if (val == L2CAP_FCS_NONE)
2632 pi->conf_state |= L2CAP_CONF_NO_FCS_RECV;
2633
2634 break;
2635
5dee9e7c
MH		 2636 default:
2637 if (hint)
2638 break;
2639
2640 result = L2CAP_CONF_UNKNOWN;
2641 *((u8 *) ptr++) = type;
2642 break;
2643 }
2644 }
2645
e9aeb2dd 2646 if (pi->num_conf_rsp || pi->num_conf_req > 1)
f2fcfcd6
GP		 2647 goto done;
2648
2649 switch (pi->mode) {
2650 case L2CAP_MODE_STREAMING:
2651 case L2CAP_MODE_ERTM:
85eb53c6
GP		 2652 if (!(pi->conf_state & L2CAP_CONF_STATE2_DEVICE)) {
2653 pi->mode = l2cap_select_mode(rfc.mode,
2654 pi->conn->feat_mask);
2655 break;
2656 }
2657
742e519b 2658 if (pi->mode != rfc.mode)
f2fcfcd6 2659 return -ECONNREFUSED;
742e519b 2660
f2fcfcd6 2661 break;
f2fcfcd6
GP		 2662 }
2663
2664done:
2665 if (pi->mode != rfc.mode) {
2666 result = L2CAP_CONF_UNACCEPT;
2667 rfc.mode = pi->mode;
2668
2669 if (pi->num_conf_rsp == 1)
2670 return -ECONNREFUSED;
2671
2672 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2673 sizeof(rfc), (unsigned long) &rfc);
2674 }
2675
2676
5dee9e7c
MH		 2677 if (result == L2CAP_CONF_SUCCESS) {
2678 /* Configure output options and let the other side know
2679 * which ones we don't like. */
2680
f2fcfcd6
GP		 2681 if (mtu < L2CAP_DEFAULT_MIN_MTU)
2682 result = L2CAP_CONF_UNACCEPT;
2683 else {
2684 pi->omtu = mtu;
2685 pi->conf_state |= L2CAP_CONF_MTU_DONE;
2686 }
2687 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->omtu);
6464f35f 2688
f2fcfcd6
GP		 2689 switch (rfc.mode) {
2690 case L2CAP_MODE_BASIC:
2691 pi->fcs = L2CAP_FCS_NONE;
2692 pi->conf_state |= L2CAP_CONF_MODE_DONE;
2693 break;
2694
2695 case L2CAP_MODE_ERTM:
2696 pi->remote_tx_win = rfc.txwin_size;
2697 pi->remote_max_tx = rfc.max_transmit;
86b1b263
MM		 2698
2699 if (le16_to_cpu(rfc.max_pdu_size) > pi->conn->mtu - 10)
2700 rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10);
1c762159
GP		 2701
2702 pi->remote_mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6 2703
10467e9e
GP		 2704 rfc.retrans_timeout =
2705 le16_to_cpu(L2CAP_DEFAULT_RETRANS_TO);
2706 rfc.monitor_timeout =
2707 le16_to_cpu(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6
GP		 2708
2709 pi->conf_state |= L2CAP_CONF_MODE_DONE;
68ae6639
GP		 2710
2711 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2712 sizeof(rfc), (unsigned long) &rfc);
2713
f2fcfcd6
GP		 2714 break;
2715
2716 case L2CAP_MODE_STREAMING:
86b1b263
MM		 2717 if (le16_to_cpu(rfc.max_pdu_size) > pi->conn->mtu - 10)
2718 rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10);
1c762159
GP		 2719
2720 pi->remote_mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2721
2722 pi->conf_state |= L2CAP_CONF_MODE_DONE;
68ae6639
GP		 2723
2724 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2725 sizeof(rfc), (unsigned long) &rfc);
2726
f2fcfcd6
GP		 2727 break;
2728
2729 default:
5dee9e7c 2730 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 2731
6464f35f 2732 memset(&rfc, 0, sizeof(rfc));
f2fcfcd6
GP		 2733 rfc.mode = pi->mode;
2734 }
6464f35f 2735
f2fcfcd6
GP		 2736 if (result == L2CAP_CONF_SUCCESS)
2737 pi->conf_state |= L2CAP_CONF_OUTPUT_DONE;
2738 }
5dee9e7c
MH		 2739 rsp->scid = cpu_to_le16(pi->dcid);
2740 rsp->result = cpu_to_le16(result);
2741 rsp->flags = cpu_to_le16(0x0000);
2742
2743 return ptr - data;
1da177e4
LT		 2744}
2745
f2fcfcd6
GP		 2746static int l2cap_parse_conf_rsp(struct sock *sk, void *rsp, int len, void *data, u16 *result)
2747{
2748 struct l2cap_pinfo *pi = l2cap_pi(sk);
2749 struct l2cap_conf_req *req = data;
2750 void *ptr = req->data;
2751 int type, olen;
2752 unsigned long val;
2753 struct l2cap_conf_rfc rfc;
2754
2755 BT_DBG("sk %p, rsp %p, len %d, req %p", sk, rsp, len, data);
2756
2757 while (len >= L2CAP_CONF_OPT_SIZE) {
2758 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2759
2760 switch (type) {
2761 case L2CAP_CONF_MTU:
2762 if (val < L2CAP_DEFAULT_MIN_MTU) {
2763 *result = L2CAP_CONF_UNACCEPT;
8183b775 2764 pi->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 2765 } else
8183b775
AE		 2766 pi->imtu = val;
2767 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->imtu);
f2fcfcd6
GP		 2768 break;
2769
2770 case L2CAP_CONF_FLUSH_TO:
2771 pi->flush_to = val;
2772 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
2773 2, pi->flush_to);
2774 break;
2775
2776 case L2CAP_CONF_RFC:
2777 if (olen == sizeof(rfc))
2778 memcpy(&rfc, (void *)val, olen);
2779
2780 if ((pi->conf_state & L2CAP_CONF_STATE2_DEVICE) &&
2781 rfc.mode != pi->mode)
2782 return -ECONNREFUSED;
2783
f2fcfcd6
GP		 2784 pi->fcs = 0;
2785
2786 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2787 sizeof(rfc), (unsigned long) &rfc);
2788 break;
2789 }
2790 }
2791
6c2ea7a8
GP		 2792 if (pi->mode == L2CAP_MODE_BASIC && pi->mode != rfc.mode)
2793 return -ECONNREFUSED;
2794
2795 pi->mode = rfc.mode;
2796
f2fcfcd6
GP		 2797 if (*result == L2CAP_CONF_SUCCESS) {
2798 switch (rfc.mode) {
2799 case L2CAP_MODE_ERTM:
10467e9e
GP		 2800 pi->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2801 pi->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
1c762159 2802 pi->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2803 break;
2804 case L2CAP_MODE_STREAMING:
1c762159 2805 pi->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2806 }
2807 }
2808
2809 req->dcid = cpu_to_le16(pi->dcid);
2810 req->flags = cpu_to_le16(0x0000);
2811
2812 return ptr - data;
2813}
2814
5dee9e7c 2815static int l2cap_build_conf_rsp(struct sock *sk, void *data, u16 result, u16 flags)
1da177e4
LT		 2816{
2817 struct l2cap_conf_rsp *rsp = data;
2818 void *ptr = rsp->data;
1da177e4 2819
5dee9e7c 2820 BT_DBG("sk %p", sk);
1da177e4 2821
aca3192c 2822 rsp->scid = cpu_to_le16(l2cap_pi(sk)->dcid);
5dee9e7c 2823 rsp->result = cpu_to_le16(result);
aca3192c 2824 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 2825
2826 return ptr - data;
2827}
2828
7b1c0049
GP		 2829static void l2cap_conf_rfc_get(struct sock *sk, void *rsp, int len)
2830{
2831 struct l2cap_pinfo *pi = l2cap_pi(sk);
2832 int type, olen;
2833 unsigned long val;
2834 struct l2cap_conf_rfc rfc;
2835
2836 BT_DBG("sk %p, rsp %p, len %d", sk, rsp, len);
2837
2838 if ((pi->mode != L2CAP_MODE_ERTM) && (pi->mode != L2CAP_MODE_STREAMING))
2839 return;
2840
2841 while (len >= L2CAP_CONF_OPT_SIZE) {
2842 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2843
2844 switch (type) {
2845 case L2CAP_CONF_RFC:
2846 if (olen == sizeof(rfc))
2847 memcpy(&rfc, (void *)val, olen);
2848 goto done;
2849 }
2850 }
2851
2852done:
2853 switch (rfc.mode) {
2854 case L2CAP_MODE_ERTM:
10467e9e
GP		 2855 pi->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2856 pi->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
7b1c0049
GP		 2857 pi->mps = le16_to_cpu(rfc.max_pdu_size);
2858 break;
2859 case L2CAP_MODE_STREAMING:
2860 pi->mps = le16_to_cpu(rfc.max_pdu_size);
2861 }
2862}
2863
4e8402a3
MH		 2864static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2865{
2866 struct l2cap_cmd_rej *rej = (struct l2cap_cmd_rej *) data;
2867
2868 if (rej->reason != 0x0000)
2869 return 0;
2870
2871 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2872 cmd->ident == conn->info_ident) {
4e8402a3 2873 del_timer(&conn->info_timer);
984947dc
MH		 2874
2875 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2876 conn->info_ident = 0;
984947dc 2877
4e8402a3
MH		 2878 l2cap_conn_start(conn);
2879 }
2880
2881 return 0;
2882}
2883
1da177e4
LT		 2884static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2885{
2886 struct l2cap_chan_list *list = &conn->chan_list;
2887 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
2888 struct l2cap_conn_rsp rsp;
e9aeb2dd 2889 struct sock *parent, *uninitialized_var(sk);
e7c29cb1 2890 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2891
2892 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 2893 __le16 psm = req->psm;
1da177e4
LT		 2894
2895 BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
2896
2897 /* Check if we have socket listening on psm */
2898 parent = l2cap_get_sock_by_psm(BT_LISTEN, psm, conn->src);
2899 if (!parent) {
2900 result = L2CAP_CR_BAD_PSM;
2901 goto sendresp;
2902 }
2903
e7c29cb1
MH		 2904 /* Check if the ACL is secure enough (if not SDP) */
2905 if (psm != cpu_to_le16(0x0001) &&
2906 !hci_conn_check_link_mode(conn->hcon)) {
2950f21a 2907 conn->disc_reason = 0x05;
e7c29cb1
MH		 2908 result = L2CAP_CR_SEC_BLOCK;
2909 goto response;
2910 }
2911
1da177e4
LT		 2912 result = L2CAP_CR_NO_MEM;
2913
2914 /* Check for backlog size */
2915 if (sk_acceptq_is_full(parent)) {
8e87d142 2916 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1da177e4
LT		 2917 goto response;
2918 }
2919
3b1e0a65 2920 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP, GFP_ATOMIC);
1da177e4
LT		 2921 if (!sk)
2922 goto response;
2923
fd1278d7 2924 write_lock_bh(&list->lock);
1da177e4
LT		 2925
2926 /* Check if we already have channel with that dcid */
2927 if (__l2cap_get_chan_by_dcid(list, scid)) {
fd1278d7 2928 write_unlock_bh(&list->lock);
1da177e4
LT		 2929 sock_set_flag(sk, SOCK_ZAPPED);
2930 l2cap_sock_kill(sk);
2931 goto response;
2932 }
2933
2934 hci_conn_hold(conn->hcon);
2935
2936 l2cap_sock_init(sk, parent);
2937 bacpy(&bt_sk(sk)->src, conn->src);
2938 bacpy(&bt_sk(sk)->dst, conn->dst);
2939 l2cap_pi(sk)->psm = psm;
2940 l2cap_pi(sk)->dcid = scid;
2941
2942 __l2cap_chan_add(conn, sk, parent);
2943 dcid = l2cap_pi(sk)->scid;
2944
2945 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
2946
1da177e4
LT		 2947 l2cap_pi(sk)->ident = cmd->ident;
2948
984947dc 2949 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
2af6b9d5 2950 if (l2cap_check_security(sk)) {
f66dc81f
MH		 2951 if (bt_sk(sk)->defer_setup) {
2952 sk->sk_state = BT_CONNECT2;
2953 result = L2CAP_CR_PEND;
2954 status = L2CAP_CS_AUTHOR_PEND;
2955 parent->sk_data_ready(parent, 0);
2956 } else {
2957 sk->sk_state = BT_CONFIG;
2958 result = L2CAP_CR_SUCCESS;
2959 status = L2CAP_CS_NO_INFO;
2960 }
79d554a6
MH		 2961 } else {
2962 sk->sk_state = BT_CONNECT2;
2963 result = L2CAP_CR_PEND;
2964 status = L2CAP_CS_AUTHEN_PEND;
2965 }
2966 } else {
2967 sk->sk_state = BT_CONNECT2;
2968 result = L2CAP_CR_PEND;
2969 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2970 }
2971
fd1278d7 2972 write_unlock_bh(&list->lock);
1da177e4
LT		 2973
2974response:
2975 bh_unlock_sock(parent);
2976
2977sendresp:
aca3192c
YH		 2978 rsp.scid = cpu_to_le16(scid);
2979 rsp.dcid = cpu_to_le16(dcid);
2980 rsp.result = cpu_to_le16(result);
2981 rsp.status = cpu_to_le16(status);
1da177e4 2982 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 2983
2984 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
2985 struct l2cap_info_req info;
2986 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2987
2988 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
2989 conn->info_ident = l2cap_get_ident(conn);
2990
2991 mod_timer(&conn->info_timer, jiffies +
2992 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
2993
2994 l2cap_send_cmd(conn, conn->info_ident,
2995 L2CAP_INFO_REQ, sizeof(info), &info);
2996 }
2997
e9aeb2dd
GP		 2998 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT) &&
2999 result == L2CAP_CR_SUCCESS) {
3000 u8 buf[128];
3001 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
3002 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3003 l2cap_build_conf_req(sk, buf), buf);
3004 l2cap_pi(sk)->num_conf_req++;
3005 }
3006
1da177e4
LT		 3007 return 0;
3008}
3009
3010static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3011{
3012 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3013 u16 scid, dcid, result, status;
3014 struct sock *sk;
3015 u8 req[128];
3016
3017 scid = __le16_to_cpu(rsp->scid);
3018 dcid = __le16_to_cpu(rsp->dcid);
3019 result = __le16_to_cpu(rsp->result);
3020 status = __le16_to_cpu(rsp->status);
3021
3022 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status);
3023
3024 if (scid) {
af05b30b
GP		 3025 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
3026 if (!sk)
57d3b22b 3027 return -EFAULT;
1da177e4 3028 } else {
af05b30b
GP		 3029 sk = l2cap_get_chan_by_ident(&conn->chan_list, cmd->ident);
3030 if (!sk)
57d3b22b 3031 return -EFAULT;
1da177e4
LT		 3032 }
3033
3034 switch (result) {
3035 case L2CAP_CR_SUCCESS:
3036 sk->sk_state = BT_CONFIG;
3037 l2cap_pi(sk)->ident = 0;
3038 l2cap_pi(sk)->dcid = dcid;
6a8d3010
MH		 3039 l2cap_pi(sk)->conf_state &= ~L2CAP_CONF_CONNECT_PEND;
3040
e9aeb2dd
GP		 3041 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT)
3042 break;
3043
3044 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
3045
1da177e4
LT		 3046 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3047 l2cap_build_conf_req(sk, req), req);
f2fcfcd6 3048 l2cap_pi(sk)->num_conf_req++;
1da177e4
LT		 3049 break;
3050
3051 case L2CAP_CR_PEND:
6a8d3010 3052 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
1da177e4
LT		 3053 break;
3054
3055 default:
3056 l2cap_chan_del(sk, ECONNREFUSED);
3057 break;
3058 }
3059
3060 bh_unlock_sock(sk);
3061 return 0;
3062}
3063
8c462b60
MM		 3064static inline void set_default_fcs(struct l2cap_pinfo *pi)
3065{
3066 /* FCS is enabled only in ERTM or streaming mode, if one or both
3067 * sides request it.
3068 */
3069 if (pi->mode != L2CAP_MODE_ERTM && pi->mode != L2CAP_MODE_STREAMING)
3070 pi->fcs = L2CAP_FCS_NONE;
3071 else if (!(pi->conf_state & L2CAP_CONF_NO_FCS_RECV))
3072 pi->fcs = L2CAP_FCS_CRC16;
3073}
3074
88219a0f 3075static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 3076{
3077 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
3078 u16 dcid, flags;
3079 u8 rsp[64];
3080 struct sock *sk;
5dee9e7c 3081 int len;
1da177e4
LT		 3082
3083 dcid = __le16_to_cpu(req->dcid);
3084 flags = __le16_to_cpu(req->flags);
3085
3086 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
3087
af05b30b
GP		 3088 sk = l2cap_get_chan_by_scid(&conn->chan_list, dcid);
3089 if (!sk)
1da177e4
LT		 3090 return -ENOENT;
3091
b0239c80 3092 if (sk->sk_state == BT_DISCONN)
354f60a9
MH		 3093 goto unlock;
3094
5dee9e7c 3095 /* Reject if config buffer is too small. */
88219a0f 3096 len = cmd_len - sizeof(*req);
5dee9e7c
MH		 3097 if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
3098 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3099 l2cap_build_conf_rsp(sk, rsp,
3100 L2CAP_CONF_REJECT, flags), rsp);
3101 goto unlock;
3102 }
3103
3104 /* Store config. */
3105 memcpy(l2cap_pi(sk)->conf_req + l2cap_pi(sk)->conf_len, req->data, len);
3106 l2cap_pi(sk)->conf_len += len;
1da177e4
LT		 3107
3108 if (flags & 0x0001) {
3109 /* Incomplete config. Send empty response. */
3110 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
5dee9e7c
MH		 3111 l2cap_build_conf_rsp(sk, rsp,
3112 L2CAP_CONF_SUCCESS, 0x0001), rsp);
1da177e4
LT		 3113 goto unlock;
3114 }
3115
3116 /* Complete config. */
5dee9e7c 3117 len = l2cap_parse_conf_req(sk, rsp);
f2fcfcd6 3118 if (len < 0) {
9b108fc0 3119 l2cap_send_disconn_req(conn, sk, ECONNRESET);
1da177e4 3120 goto unlock;
f2fcfcd6 3121 }
1da177e4 3122
5dee9e7c 3123 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
f2fcfcd6 3124 l2cap_pi(sk)->num_conf_rsp++;
5dee9e7c 3125
5dee9e7c
MH		 3126 /* Reset config buffer. */
3127 l2cap_pi(sk)->conf_len = 0;
3128
876d9484
MH		 3129 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE))
3130 goto unlock;
3131
1da177e4 3132 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_INPUT_DONE) {
8c462b60 3133 set_default_fcs(l2cap_pi(sk));
fcc203c3 3134
1da177e4 3135 sk->sk_state = BT_CONNECTED;
e90bac06 3136
0565c1c2
GP		 3137 l2cap_pi(sk)->next_tx_seq = 0;
3138 l2cap_pi(sk)->expected_tx_seq = 0;
1c2acffb 3139 __skb_queue_head_init(TX_QUEUE(sk));
0565c1c2
GP		 3140 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM)
3141 l2cap_ertm_init(sk);
3142
1da177e4 3143 l2cap_chan_ready(sk);
876d9484
MH		 3144 goto unlock;
3145 }
3146
3147 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT)) {
79d554a6 3148 u8 buf[64];
1da177e4 3149 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
79d554a6 3150 l2cap_build_conf_req(sk, buf), buf);
f2fcfcd6 3151 l2cap_pi(sk)->num_conf_req++;
1da177e4
LT		 3152 }
3153
3154unlock:
3155 bh_unlock_sock(sk);
3156 return 0;
3157}
3158
3159static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3160{
3161 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
3162 u16 scid, flags, result;
3163 struct sock *sk;
7b1c0049 3164 int len = cmd->len - sizeof(*rsp);
1da177e4
LT		 3165
3166 scid = __le16_to_cpu(rsp->scid);
3167 flags = __le16_to_cpu(rsp->flags);
3168 result = __le16_to_cpu(rsp->result);
3169
af05b30b
GP		 3170 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x",
3171 scid, flags, result);
1da177e4 3172
af05b30b
GP		 3173 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
3174 if (!sk)
1da177e4
LT		 3175 return 0;
3176
3177 switch (result) {
3178 case L2CAP_CONF_SUCCESS:
7b1c0049 3179 l2cap_conf_rfc_get(sk, rsp->data, len);
1da177e4
LT		 3180 break;
3181
3182 case L2CAP_CONF_UNACCEPT:
f2fcfcd6 3183 if (l2cap_pi(sk)->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 3184 char req[64];
3185
c2c77ec8 3186 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
9b108fc0 3187 l2cap_send_disconn_req(conn, sk, ECONNRESET);
c2c77ec8
AE		 3188 goto done;
3189 }
3190
f2fcfcd6
GP		 3191 /* throw out any old stored conf requests */
3192 result = L2CAP_CONF_SUCCESS;
3193 len = l2cap_parse_conf_rsp(sk, rsp->data,
3194 len, req, &result);
3195 if (len < 0) {
9b108fc0 3196 l2cap_send_disconn_req(conn, sk, ECONNRESET);
f2fcfcd6
GP		 3197 goto done;
3198 }
3199
3200 l2cap_send_cmd(conn, l2cap_get_ident(conn),
3201 L2CAP_CONF_REQ, len, req);
3202 l2cap_pi(sk)->num_conf_req++;
3203 if (result != L2CAP_CONF_SUCCESS)
3204 goto done;
3205 break;
1da177e4
LT		 3206 }
3207
8e87d142 3208 default:
b1235d79 3209 sk->sk_err = ECONNRESET;
1da177e4 3210 l2cap_sock_set_timer(sk, HZ * 5);
9b108fc0 3211 l2cap_send_disconn_req(conn, sk, ECONNRESET);
1da177e4
LT		 3212 goto done;
3213 }
3214
3215 if (flags & 0x01)
3216 goto done;
3217
1da177e4
LT		 3218 l2cap_pi(sk)->conf_state |= L2CAP_CONF_INPUT_DONE;
3219
3220 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE) {
8c462b60 3221 set_default_fcs(l2cap_pi(sk));
fcc203c3 3222
1da177e4 3223 sk->sk_state = BT_CONNECTED;
0565c1c2 3224 l2cap_pi(sk)->next_tx_seq = 0;
1c2acffb 3225 l2cap_pi(sk)->expected_tx_seq = 0;
1c2acffb 3226 __skb_queue_head_init(TX_QUEUE(sk));
0565c1c2
GP		 3227 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM)
3228 l2cap_ertm_init(sk);
3229
1da177e4
LT		 3230 l2cap_chan_ready(sk);
3231 }
3232
3233done:
3234 bh_unlock_sock(sk);
3235 return 0;
3236}
3237
3238static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3239{
3240 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
3241 struct l2cap_disconn_rsp rsp;
3242 u16 dcid, scid;
3243 struct sock *sk;
3244
3245 scid = __le16_to_cpu(req->scid);
3246 dcid = __le16_to_cpu(req->dcid);
3247
3248 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
3249
af05b30b
GP		 3250 sk = l2cap_get_chan_by_scid(&conn->chan_list, dcid);
3251 if (!sk)
1da177e4
LT		 3252 return 0;
3253
aca3192c
YH		 3254 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
3255 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
1da177e4
LT		 3256 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
3257
3258 sk->sk_shutdown = SHUTDOWN_MASK;
3259
3260 l2cap_chan_del(sk, ECONNRESET);
3261 bh_unlock_sock(sk);
3262
3263 l2cap_sock_kill(sk);
3264 return 0;
3265}
3266
3267static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3268{
3269 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
3270 u16 dcid, scid;
3271 struct sock *sk;
3272
3273 scid = __le16_to_cpu(rsp->scid);
3274 dcid = __le16_to_cpu(rsp->dcid);
3275
3276 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
3277
af05b30b
GP		 3278 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
3279 if (!sk)
1da177e4
LT		 3280 return 0;
3281
3282 l2cap_chan_del(sk, 0);
3283 bh_unlock_sock(sk);
3284
3285 l2cap_sock_kill(sk);
3286 return 0;
3287}
3288
3289static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3290{
3291 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 3292 u16 type;
3293
3294 type = __le16_to_cpu(req->type);
3295
3296 BT_DBG("type 0x%4.4x", type);
3297
f0709e03
MH		 3298 if (type == L2CAP_IT_FEAT_MASK) {
3299 u8 buf[8];
44dd46de 3300 u32 feat_mask = l2cap_feat_mask;
f0709e03
MH		 3301 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
3302 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3303 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 3304 if (!disable_ertm)
fcc203c3
GP		 3305 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
3306 | L2CAP_FEAT_FCS;
1b7bf4ed 3307 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 3308 l2cap_send_cmd(conn, cmd->ident,
3309 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 3310 } else if (type == L2CAP_IT_FIXED_CHAN) {
3311 u8 buf[12];
3312 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
3313 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3314 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
3315 memcpy(buf + 4, l2cap_fixed_chan, 8);
3316 l2cap_send_cmd(conn, cmd->ident,
3317 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 3318 } else {
3319 struct l2cap_info_rsp rsp;
3320 rsp.type = cpu_to_le16(type);
3321 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
3322 l2cap_send_cmd(conn, cmd->ident,
3323 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
3324 }
1da177e4
LT		 3325
3326 return 0;
3327}
3328
3329static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3330{
3331 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
3332 u16 type, result;
3333
3334 type = __le16_to_cpu(rsp->type);
3335 result = __le16_to_cpu(rsp->result);
3336
3337 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
3338
4e8402a3
MH		 3339 del_timer(&conn->info_timer);
3340
adb08ede
VT		 3341 if (result != L2CAP_IR_SUCCESS) {
3342 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3343 conn->info_ident = 0;
3344
3345 l2cap_conn_start(conn);
3346
3347 return 0;
3348 }
3349
984947dc 3350 if (type == L2CAP_IT_FEAT_MASK) {
83985319 3351 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 3352
47ec1dcd 3353 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c
MH		 3354 struct l2cap_info_req req;
3355 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3356
3357 conn->info_ident = l2cap_get_ident(conn);
3358
3359 l2cap_send_cmd(conn, conn->info_ident,
3360 L2CAP_INFO_REQ, sizeof(req), &req);
3361 } else {
3362 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3363 conn->info_ident = 0;
3364
3365 l2cap_conn_start(conn);
3366 }
3367 } else if (type == L2CAP_IT_FIXED_CHAN) {
984947dc 3368 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3369 conn->info_ident = 0;
984947dc
MH		 3370
3371 l2cap_conn_start(conn);
3372 }
4e8402a3 3373
1da177e4
LT		 3374 return 0;
3375}
3376
3377static inline void l2cap_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb)
3378{
3379 u8 *data = skb->data;
3380 int len = skb->len;
3381 struct l2cap_cmd_hdr cmd;
3382 int err = 0;
3383
3384 l2cap_raw_recv(conn, skb);
3385
3386 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 3387 u16 cmd_len;
1da177e4
LT		 3388 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
3389 data += L2CAP_CMD_HDR_SIZE;
3390 len -= L2CAP_CMD_HDR_SIZE;
3391
88219a0f 3392 cmd_len = le16_to_cpu(cmd.len);
1da177e4 3393
88219a0f 3394 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 3395
88219a0f 3396 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 3397 BT_DBG("corrupted command");
3398 break;
3399 }
3400
3401 switch (cmd.code) {
3402 case L2CAP_COMMAND_REJ:
4e8402a3 3403 l2cap_command_rej(conn, &cmd, data);
1da177e4
LT		 3404 break;
3405
3406 case L2CAP_CONN_REQ:
3407 err = l2cap_connect_req(conn, &cmd, data);
3408 break;
3409
3410 case L2CAP_CONN_RSP:
3411 err = l2cap_connect_rsp(conn, &cmd, data);
3412 break;
3413
3414 case L2CAP_CONF_REQ:
88219a0f 3415 err = l2cap_config_req(conn, &cmd, cmd_len, data);
1da177e4
LT		 3416 break;
3417
3418 case L2CAP_CONF_RSP:
3419 err = l2cap_config_rsp(conn, &cmd, data);
3420 break;
3421
3422 case L2CAP_DISCONN_REQ:
3423 err = l2cap_disconnect_req(conn, &cmd, data);
3424 break;
3425
3426 case L2CAP_DISCONN_RSP:
3427 err = l2cap_disconnect_rsp(conn, &cmd, data);
3428 break;
3429
3430 case L2CAP_ECHO_REQ:
88219a0f 3431 l2cap_send_cmd(conn, cmd.ident, L2CAP_ECHO_RSP, cmd_len, data);
1da177e4
LT		 3432 break;
3433
3434 case L2CAP_ECHO_RSP:
3435 break;
3436
3437 case L2CAP_INFO_REQ:
3438 err = l2cap_information_req(conn, &cmd, data);
3439 break;
3440
3441 case L2CAP_INFO_RSP:
3442 err = l2cap_information_rsp(conn, &cmd, data);
3443 break;
3444
3445 default:
3446 BT_ERR("Unknown signaling command 0x%2.2x", cmd.code);
3447 err = -EINVAL;
3448 break;
3449 }
3450
3451 if (err) {
3452 struct l2cap_cmd_rej rej;
3453 BT_DBG("error %d", err);
3454
3455 /* FIXME: Map err to a valid reason */
aca3192c 3456 rej.reason = cpu_to_le16(0);
1da177e4
LT		 3457 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3458 }
3459
88219a0f
AV		 3460 data += cmd_len;
3461 len -= cmd_len;
1da177e4
LT		 3462 }
3463
3464 kfree_skb(skb);
3465}
3466
fcc203c3
GP		 3467static int l2cap_check_fcs(struct l2cap_pinfo *pi, struct sk_buff *skb)
3468{
3469 u16 our_fcs, rcv_fcs;
3470 int hdr_size = L2CAP_HDR_SIZE + 2;
3471
3472 if (pi->fcs == L2CAP_FCS_CRC16) {
3473 skb_trim(skb, skb->len - 2);
3474 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
3475 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
3476
3477 if (our_fcs != rcv_fcs)
7a560e5c 3478 return -EBADMSG;
fcc203c3
GP		 3479 }
3480 return 0;
3481}
3482
d5392c8f
GP		 3483static inline void l2cap_send_i_or_rr_or_rnr(struct sock *sk)
3484{
3485 struct l2cap_pinfo *pi = l2cap_pi(sk);
3486 u16 control = 0;
3487
3488 pi->frames_sent = 0;
d5392c8f
GP		 3489
3490 control |= pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3491
3492 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) {
64988868 3493 control |= L2CAP_SUPER_RCV_NOT_READY;
d5392c8f 3494 l2cap_send_sframe(pi, control);
1890d36b 3495 pi->conn_state |= L2CAP_CONN_RNR_SENT;
d5392c8f
GP		 3496 }
3497
4ea727ef
GP		 3498 if (pi->conn_state & L2CAP_CONN_REMOTE_BUSY)
3499 l2cap_retransmit_frames(sk);
d5392c8f
GP		 3500
3501 l2cap_ertm_send(sk);
3502
3503 if (!(pi->conn_state & L2CAP_CONN_LOCAL_BUSY) &&
3504 pi->frames_sent == 0) {
3505 control |= L2CAP_SUPER_RCV_READY;
d5392c8f
GP		 3506 l2cap_send_sframe(pi, control);
3507 }
3508}
3509
9b53350d 3510static int l2cap_add_to_srej_queue(struct sock *sk, struct sk_buff *skb, u8 tx_seq, u8 sar)
8f17154f
GP		 3511{
3512 struct sk_buff *next_skb;
bfbacc11
JPRV		 3513 struct l2cap_pinfo *pi = l2cap_pi(sk);
3514 int tx_seq_offset, next_tx_seq_offset;
8f17154f
GP		 3515
3516 bt_cb(skb)->tx_seq = tx_seq;
3517 bt_cb(skb)->sar = sar;
3518
3519 next_skb = skb_peek(SREJ_QUEUE(sk));
3520 if (!next_skb) {
3521 __skb_queue_tail(SREJ_QUEUE(sk), skb);
9b53350d 3522 return 0;
8f17154f
GP		 3523 }
3524
bfbacc11
JPRV		 3525 tx_seq_offset = (tx_seq - pi->buffer_seq) % 64;
3526 if (tx_seq_offset < 0)
3527 tx_seq_offset += 64;
3528
8f17154f 3529 do {
9b53350d
JPRV		 3530 if (bt_cb(next_skb)->tx_seq == tx_seq)
3531 return -EINVAL;
3532
bfbacc11
JPRV		 3533 next_tx_seq_offset = (bt_cb(next_skb)->tx_seq -
3534 pi->buffer_seq) % 64;
3535 if (next_tx_seq_offset < 0)
3536 next_tx_seq_offset += 64;
3537
3538 if (next_tx_seq_offset > tx_seq_offset) {
8f17154f 3539 __skb_queue_before(SREJ_QUEUE(sk), next_skb, skb);
9b53350d 3540 return 0;
8f17154f
GP		 3541 }
3542
3543 if (skb_queue_is_last(SREJ_QUEUE(sk), next_skb))
3544 break;
3545
59203a21 3546 } while ((next_skb = skb_queue_next(SREJ_QUEUE(sk), next_skb)));
8f17154f
GP		 3547
3548 __skb_queue_tail(SREJ_QUEUE(sk), skb);
9b53350d
JPRV		 3549
3550 return 0;
8f17154f
GP		 3551}
3552
18778a63
GP		 3553static int l2cap_ertm_reassembly_sdu(struct sock *sk, struct sk_buff *skb, u16 control)
3554{
3555 struct l2cap_pinfo *pi = l2cap_pi(sk);
3556 struct sk_buff *_skb;
1890d36b 3557 int err;
18778a63
GP		 3558
3559 switch (control & L2CAP_CTRL_SAR) {
3560 case L2CAP_SDU_UNSEGMENTED:
3561 if (pi->conn_state & L2CAP_CONN_SAR_SDU)
3562 goto drop;
3563
3564 err = sock_queue_rcv_skb(sk, skb);
3565 if (!err)
3566 return err;
3567
3568 break;
3569
3570 case L2CAP_SDU_START:
3571 if (pi->conn_state & L2CAP_CONN_SAR_SDU)
3572 goto drop;
3573
3574 pi->sdu_len = get_unaligned_le16(skb->data);
18778a63
GP		 3575
3576 if (pi->sdu_len > pi->imtu)
3577 goto disconnect;
3578
3579 pi->sdu = bt_skb_alloc(pi->sdu_len, GFP_ATOMIC);
1890d36b
GP		 3580 if (!pi->sdu)
3581 return -ENOMEM;
3582
3583 /* pull sdu_len bytes only after alloc, because of Local Busy
3584 * condition we have to be sure that this will be executed
3585 * only once, i.e., when alloc does not fail */
3586 skb_pull(skb, 2);
18778a63
GP		 3587
3588 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3589
3590 pi->conn_state |= L2CAP_CONN_SAR_SDU;
3591 pi->partial_sdu_len = skb->len;
3592 break;
3593
3594 case L2CAP_SDU_CONTINUE:
3595 if (!(pi->conn_state & L2CAP_CONN_SAR_SDU))
3596 goto disconnect;
3597
3598 if (!pi->sdu)
3599 goto disconnect;
3600
18778a63
GP		 3601 pi->partial_sdu_len += skb->len;
3602 if (pi->partial_sdu_len > pi->sdu_len)
3603 goto drop;
3604
4178ba46
GP		 3605 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3606
18778a63
GP		 3607 break;
3608
3609 case L2CAP_SDU_END:
3610 if (!(pi->conn_state & L2CAP_CONN_SAR_SDU))
3611 goto disconnect;
3612
3613 if (!pi->sdu)
3614 goto disconnect;
3615
1890d36b 3616 if (!(pi->conn_state & L2CAP_CONN_SAR_RETRY)) {
1890d36b 3617 pi->partial_sdu_len += skb->len;
18778a63 3618
1890d36b
GP		 3619 if (pi->partial_sdu_len > pi->imtu)
3620 goto drop;
18778a63 3621
1890d36b
GP		 3622 if (pi->partial_sdu_len != pi->sdu_len)
3623 goto drop;
4178ba46
GP		 3624
3625 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
1890d36b 3626 }
18778a63
GP		 3627
3628 _skb = skb_clone(pi->sdu, GFP_ATOMIC);
1890d36b
GP		 3629 if (!_skb) {
3630 pi->conn_state |= L2CAP_CONN_SAR_RETRY;
3631 return -ENOMEM;
3632 }
3633
18778a63 3634 err = sock_queue_rcv_skb(sk, _skb);
1890d36b 3635 if (err < 0) {
18778a63 3636 kfree_skb(_skb);
1890d36b
GP		 3637 pi->conn_state |= L2CAP_CONN_SAR_RETRY;
3638 return err;
3639 }
3640
3641 pi->conn_state &= ~L2CAP_CONN_SAR_RETRY;
3642 pi->conn_state &= ~L2CAP_CONN_SAR_SDU;
18778a63
GP		 3643
3644 kfree_skb(pi->sdu);
3645 break;
3646 }
3647
3648 kfree_skb(skb);
1890d36b 3649 return 0;
18778a63
GP		 3650
3651drop:
3652 kfree_skb(pi->sdu);
3653 pi->sdu = NULL;
3654
3655disconnect:
9b108fc0 3656 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
18778a63
GP		 3657 kfree_skb(skb);
3658 return 0;
3659}
3660
712132eb
GP		 3661static int l2cap_try_push_rx_skb(struct sock *sk)
3662{
3663 struct l2cap_pinfo *pi = l2cap_pi(sk);
3664 struct sk_buff *skb;
3665 u16 control;
3666 int err;
3667
3668 while ((skb = skb_dequeue(BUSY_QUEUE(sk)))) {
3669 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
3670 err = l2cap_ertm_reassembly_sdu(sk, skb, control);
3671 if (err < 0) {
3672 skb_queue_head(BUSY_QUEUE(sk), skb);
3673 return -EBUSY;
3674 }
3675
3676 pi->buffer_seq = (pi->buffer_seq + 1) % 64;
3677 }
3678
3679 if (!(pi->conn_state & L2CAP_CONN_RNR_SENT))
3680 goto done;
3681
3682 control = pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3683 control |= L2CAP_SUPER_RCV_READY | L2CAP_CTRL_POLL;
3684 l2cap_send_sframe(pi, control);
3685 l2cap_pi(sk)->retry_count = 1;
3686
3687 del_timer(&pi->retrans_timer);
3688 __mod_monitor_timer();
3689
3690 l2cap_pi(sk)->conn_state |= L2CAP_CONN_WAIT_F;
3691
3692done:
3693 pi->conn_state &= ~L2CAP_CONN_LOCAL_BUSY;
3694 pi->conn_state &= ~L2CAP_CONN_RNR_SENT;
3695
3696 BT_DBG("sk %p, Exit local busy", sk);
3697
3698 return 0;
3699}
3700
1890d36b
GP		 3701static void l2cap_busy_work(struct work_struct *work)
3702{
3703 DECLARE_WAITQUEUE(wait, current);
3704 struct l2cap_pinfo *pi =
3705 container_of(work, struct l2cap_pinfo, busy_work);
3706 struct sock *sk = (struct sock *)pi;
3707 int n_tries = 0, timeo = HZ/5, err;
3708 struct sk_buff *skb;
1890d36b
GP		 3709
3710 lock_sock(sk);
3711
2b0b05dd 3712 add_wait_queue(sk_sleep(sk), &wait);
1890d36b
GP		 3713 while ((skb = skb_peek(BUSY_QUEUE(sk)))) {
3714 set_current_state(TASK_INTERRUPTIBLE);
3715
3716 if (n_tries++ > L2CAP_LOCAL_BUSY_TRIES) {
3717 err = -EBUSY;
9b108fc0 3718 l2cap_send_disconn_req(pi->conn, sk, EBUSY);
712132eb 3719 break;
1890d36b
GP		 3720 }
3721
3722 if (!timeo)
3723 timeo = HZ/5;
3724
3725 if (signal_pending(current)) {
3726 err = sock_intr_errno(timeo);
712132eb 3727 break;
1890d36b
GP		 3728 }
3729
3730 release_sock(sk);
3731 timeo = schedule_timeout(timeo);
3732 lock_sock(sk);
3733
3734 err = sock_error(sk);
3735 if (err)
712132eb 3736 break;
1890d36b 3737
712132eb 3738 if (l2cap_try_push_rx_skb(sk) == 0)
1890d36b
GP		 3739 break;
3740 }
3741
1890d36b 3742 set_current_state(TASK_RUNNING);
2b0b05dd 3743 remove_wait_queue(sk_sleep(sk), &wait);
1890d36b
GP		 3744
3745 release_sock(sk);
3746}
3747
3748static int l2cap_push_rx_skb(struct sock *sk, struct sk_buff *skb, u16 control)
3749{
3750 struct l2cap_pinfo *pi = l2cap_pi(sk);
3751 int sctrl, err;
3752
3753 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) {
3754 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
3755 __skb_queue_tail(BUSY_QUEUE(sk), skb);
712132eb
GP		 3756 return l2cap_try_push_rx_skb(sk);
3757
3758
1890d36b
GP		 3759 }
3760
3761 err = l2cap_ertm_reassembly_sdu(sk, skb, control);
3762 if (err >= 0) {
3763 pi->buffer_seq = (pi->buffer_seq + 1) % 64;
3764 return err;
3765 }
3766
3767 /* Busy Condition */
0e98958d
GP		 3768 BT_DBG("sk %p, Enter local busy", sk);
3769
1890d36b
GP		 3770 pi->conn_state |= L2CAP_CONN_LOCAL_BUSY;
3771 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
3772 __skb_queue_tail(BUSY_QUEUE(sk), skb);
3773
3774 sctrl = pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3775 sctrl |= L2CAP_SUPER_RCV_NOT_READY;
3776 l2cap_send_sframe(pi, sctrl);
3777
3778 pi->conn_state |= L2CAP_CONN_RNR_SENT;
3779
7fe9b298
GP		 3780 del_timer(&pi->ack_timer);
3781
1890d36b
GP		 3782 queue_work(_busy_wq, &pi->busy_work);
3783
3784 return err;
3785}
3786
18778a63 3787static int l2cap_streaming_reassembly_sdu(struct sock *sk, struct sk_buff *skb, u16 control)
c74e560c
GP		 3788{
3789 struct l2cap_pinfo *pi = l2cap_pi(sk);
3790 struct sk_buff *_skb;
3791 int err = -EINVAL;
3792
18778a63
GP		 3793 /*
3794 * TODO: We have to notify the userland if some data is lost with the
3795 * Streaming Mode.
3796 */
3797
c74e560c
GP		 3798 switch (control & L2CAP_CTRL_SAR) {
3799 case L2CAP_SDU_UNSEGMENTED:
3800 if (pi->conn_state & L2CAP_CONN_SAR_SDU) {
3801 kfree_skb(pi->sdu);
3802 break;
3803 }
3804
3805 err = sock_queue_rcv_skb(sk, skb);
3806 if (!err)
3807 return 0;
3808
3809 break;
3810
3811 case L2CAP_SDU_START:
3812 if (pi->conn_state & L2CAP_CONN_SAR_SDU) {
3813 kfree_skb(pi->sdu);
3814 break;
3815 }
3816
3817 pi->sdu_len = get_unaligned_le16(skb->data);
3818 skb_pull(skb, 2);
3819
052897ca
GP		 3820 if (pi->sdu_len > pi->imtu) {
3821 err = -EMSGSIZE;
3822 break;
3823 }
3824
c74e560c
GP		 3825 pi->sdu = bt_skb_alloc(pi->sdu_len, GFP_ATOMIC);
3826 if (!pi->sdu) {
3827 err = -ENOMEM;
3828 break;
3829 }
3830
3831 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3832
3833 pi->conn_state |= L2CAP_CONN_SAR_SDU;
3834 pi->partial_sdu_len = skb->len;
3835 err = 0;
3836 break;
3837
3838 case L2CAP_SDU_CONTINUE:
3839 if (!(pi->conn_state & L2CAP_CONN_SAR_SDU))
3840 break;
3841
3842 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3843
3844 pi->partial_sdu_len += skb->len;
3845 if (pi->partial_sdu_len > pi->sdu_len)
3846 kfree_skb(pi->sdu);
3847 else
3848 err = 0;
3849
3850 break;
3851
3852 case L2CAP_SDU_END:
3853 if (!(pi->conn_state & L2CAP_CONN_SAR_SDU))
3854 break;
3855
3856 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3857
3858 pi->conn_state &= ~L2CAP_CONN_SAR_SDU;
3859 pi->partial_sdu_len += skb->len;
3860
36f2fd58
GP		 3861 if (pi->partial_sdu_len > pi->imtu)
3862 goto drop;
3863
c74e560c
GP		 3864 if (pi->partial_sdu_len == pi->sdu_len) {
3865 _skb = skb_clone(pi->sdu, GFP_ATOMIC);
3866 err = sock_queue_rcv_skb(sk, _skb);
3867 if (err < 0)
3868 kfree_skb(_skb);
3869 }
c74e560c
GP		 3870 err = 0;
3871
36f2fd58
GP		 3872drop:
3873 kfree_skb(pi->sdu);
c74e560c
GP		 3874 break;
3875 }
3876
3877 kfree_skb(skb);
3878 return err;
3879}
3880
8f17154f
GP		 3881static void l2cap_check_srej_gap(struct sock *sk, u8 tx_seq)
3882{
3883 struct sk_buff *skb;
afefdbc4 3884 u16 control;
8f17154f 3885
59203a21 3886 while ((skb = skb_peek(SREJ_QUEUE(sk)))) {
8f17154f
GP		 3887 if (bt_cb(skb)->tx_seq != tx_seq)
3888 break;
3889
3890 skb = skb_dequeue(SREJ_QUEUE(sk));
afefdbc4 3891 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
18778a63 3892 l2cap_ertm_reassembly_sdu(sk, skb, control);
8f17154f
GP		 3893 l2cap_pi(sk)->buffer_seq_srej =
3894 (l2cap_pi(sk)->buffer_seq_srej + 1) % 64;
8ff50ec0 3895 tx_seq = (tx_seq + 1) % 64;
8f17154f
GP		 3896 }
3897}
3898
3899static void l2cap_resend_srejframe(struct sock *sk, u8 tx_seq)
3900{
3901 struct l2cap_pinfo *pi = l2cap_pi(sk);
3902 struct srej_list *l, *tmp;
3903 u16 control;
3904
59203a21 3905 list_for_each_entry_safe(l, tmp, SREJ_LIST(sk), list) {
8f17154f
GP		 3906 if (l->tx_seq == tx_seq) {
3907 list_del(&l->list);
3908 kfree(l);
3909 return;
3910 }
3911 control = L2CAP_SUPER_SELECT_REJECT;
3912 control |= l->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3913 l2cap_send_sframe(pi, control);
3914 list_del(&l->list);
3915 list_add_tail(&l->list, SREJ_LIST(sk));
3916 }
3917}
3918
3919static void l2cap_send_srejframe(struct sock *sk, u8 tx_seq)
3920{
3921 struct l2cap_pinfo *pi = l2cap_pi(sk);
3922 struct srej_list *new;
3923 u16 control;
3924
3925 while (tx_seq != pi->expected_tx_seq) {
3926 control = L2CAP_SUPER_SELECT_REJECT;
3927 control |= pi->expected_tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3928 l2cap_send_sframe(pi, control);
3929
3930 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
8ff50ec0
GP		 3931 new->tx_seq = pi->expected_tx_seq;
3932 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
8f17154f
GP		 3933 list_add_tail(&new->list, SREJ_LIST(sk));
3934 }
8ff50ec0 3935 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
8f17154f
GP		 3936}
3937
1c2acffb
GP		 3938static inline int l2cap_data_channel_iframe(struct sock *sk, u16 rx_control, struct sk_buff *skb)
3939{
3940 struct l2cap_pinfo *pi = l2cap_pi(sk);
3941 u8 tx_seq = __get_txseq(rx_control);
9f121a5a 3942 u8 req_seq = __get_reqseq(rx_control);
8f17154f 3943 u8 sar = rx_control >> L2CAP_CTRL_SAR_SHIFT;
f6337c77 3944 int tx_seq_offset, expected_tx_seq_offset;
803020c6 3945 int num_to_ack = (pi->tx_win/6) + 1;
1c2acffb
GP		 3946 int err = 0;
3947
0e98958d
GP		 3948 BT_DBG("sk %p len %d tx_seq %d rx_control 0x%4.4x", sk, skb->len, tx_seq,
3949 rx_control);
1c2acffb 3950
9b16dc65
GP		 3951 if (L2CAP_CTRL_FINAL & rx_control &&
3952 l2cap_pi(sk)->conn_state & L2CAP_CONN_WAIT_F) {
1d8f5d16
GP		 3953 del_timer(&pi->monitor_timer);
3954 if (pi->unacked_frames > 0)
3955 __mod_retrans_timer();
3956 pi->conn_state &= ~L2CAP_CONN_WAIT_F;
3957 }
3958
9f121a5a
GP		 3959 pi->expected_ack_seq = req_seq;
3960 l2cap_drop_acked_frames(sk);
3961
8f17154f
GP		 3962 if (tx_seq == pi->expected_tx_seq)
3963 goto expected;
1c2acffb 3964
9b53350d
JPRV		 3965 tx_seq_offset = (tx_seq - pi->buffer_seq) % 64;
3966 if (tx_seq_offset < 0)
3967 tx_seq_offset += 64;
3968
3969 /* invalid tx_seq */
3970 if (tx_seq_offset >= pi->tx_win) {
9b108fc0 3971 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
9b53350d
JPRV		 3972 goto drop;
3973 }
3974
1890d36b
GP		 3975 if (pi->conn_state == L2CAP_CONN_LOCAL_BUSY)
3976 goto drop;
3977
8f17154f
GP		 3978 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
3979 struct srej_list *first;
30afb5b2 3980
8f17154f
GP		 3981 first = list_first_entry(SREJ_LIST(sk),
3982 struct srej_list, list);
3983 if (tx_seq == first->tx_seq) {
3984 l2cap_add_to_srej_queue(sk, skb, tx_seq, sar);
3985 l2cap_check_srej_gap(sk, tx_seq);
3986
3987 list_del(&first->list);
3988 kfree(first);
3989
3990 if (list_empty(SREJ_LIST(sk))) {
3991 pi->buffer_seq = pi->buffer_seq_srej;
3992 pi->conn_state &= ~L2CAP_CONN_SREJ_SENT;
855666cc 3993 l2cap_send_ack(pi);
0e98958d 3994 BT_DBG("sk %p, Exit SREJ_SENT", sk);
8f17154f
GP		 3995 }
3996 } else {
3997 struct srej_list *l;
9b53350d
JPRV		 3998
3999 /* duplicated tx_seq */
4000 if (l2cap_add_to_srej_queue(sk, skb, tx_seq, sar) < 0)
4001 goto drop;
8f17154f
GP		 4002
4003 list_for_each_entry(l, SREJ_LIST(sk), list) {
4004 if (l->tx_seq == tx_seq) {
4005 l2cap_resend_srejframe(sk, tx_seq);
4006 return 0;
4007 }
4008 }
4009 l2cap_send_srejframe(sk, tx_seq);
30afb5b2
GP		 4010 }
4011 } else {
9b53350d
JPRV		 4012 expected_tx_seq_offset =
4013 (pi->expected_tx_seq - pi->buffer_seq) % 64;
4014 if (expected_tx_seq_offset < 0)
4015 expected_tx_seq_offset += 64;
4016
4017 /* duplicated tx_seq */
4018 if (tx_seq_offset < expected_tx_seq_offset)
4019 goto drop;
4020
8f17154f 4021 pi->conn_state |= L2CAP_CONN_SREJ_SENT;
1c2acffb 4022
0e98958d
GP		 4023 BT_DBG("sk %p, Enter SREJ", sk);
4024
8f17154f
GP		 4025 INIT_LIST_HEAD(SREJ_LIST(sk));
4026 pi->buffer_seq_srej = pi->buffer_seq;
4027
4028 __skb_queue_head_init(SREJ_QUEUE(sk));
1890d36b 4029 __skb_queue_head_init(BUSY_QUEUE(sk));
8f17154f
GP		 4030 l2cap_add_to_srej_queue(sk, skb, tx_seq, sar);
4031
ef54fd93
GP		 4032 pi->conn_state |= L2CAP_CONN_SEND_PBIT;
4033
8f17154f 4034 l2cap_send_srejframe(sk, tx_seq);
7fe9b298
GP		 4035
4036 del_timer(&pi->ack_timer);
1c2acffb 4037 }
30afb5b2
GP		 4038 return 0;
4039
8f17154f
GP		 4040expected:
4041 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
4042
4043 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
3b1a9f3f
GP		 4044 bt_cb(skb)->tx_seq = tx_seq;
4045 bt_cb(skb)->sar = sar;
4046 __skb_queue_tail(SREJ_QUEUE(sk), skb);
8f17154f
GP		 4047 return 0;
4048 }
4049
2ece3684
GP		 4050 err = l2cap_push_rx_skb(sk, skb, rx_control);
4051 if (err < 0)
4052 return 0;
4053
4ec10d97
GP		 4054 if (rx_control & L2CAP_CTRL_FINAL) {
4055 if (pi->conn_state & L2CAP_CONN_REJ_ACT)
4056 pi->conn_state &= ~L2CAP_CONN_REJ_ACT;
dfc909be
GP		 4057 else
4058 l2cap_retransmit_frames(sk);
4ec10d97
GP		 4059 }
4060
c1b4f43b
GP		 4061 __mod_ack_timer();
4062
803020c6
GP		 4063 pi->num_acked = (pi->num_acked + 1) % num_to_ack;
4064 if (pi->num_acked == num_to_ack - 1)
9e917af1
GP		 4065 l2cap_send_ack(pi);
4066
8f17154f 4067 return 0;
9b53350d
JPRV		 4068
4069drop:
4070 kfree_skb(skb);
4071 return 0;
1c2acffb
GP		 4072}
4073
e072745f 4074static inline void l2cap_data_channel_rrframe(struct sock *sk, u16 rx_control)
1c2acffb
GP		 4075{
4076 struct l2cap_pinfo *pi = l2cap_pi(sk);
6e3a5981 4077
0e98958d
GP		 4078 BT_DBG("sk %p, req_seq %d ctrl 0x%4.4x", sk, __get_reqseq(rx_control),
4079 rx_control);
4080
6e3a5981
GP		 4081 pi->expected_ack_seq = __get_reqseq(rx_control);
4082 l2cap_drop_acked_frames(sk);
1c2acffb 4083
e072745f 4084 if (rx_control & L2CAP_CTRL_POLL) {
3cb123d1 4085 pi->conn_state |= L2CAP_CONN_SEND_FBIT;
05fbd89d
GP		 4086 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
4087 if ((pi->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
4088 (pi->unacked_frames > 0))
4089 __mod_retrans_timer();
4090
4091 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
4092 l2cap_send_srejtail(sk);
4093 } else {
4094 l2cap_send_i_or_rr_or_rnr(sk);
05fbd89d 4095 }
1d8f5d16 4096
e072745f
GP		 4097 } else if (rx_control & L2CAP_CTRL_FINAL) {
4098 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
4ec10d97 4099
e072745f
GP		 4100 if (pi->conn_state & L2CAP_CONN_REJ_ACT)
4101 pi->conn_state &= ~L2CAP_CONN_REJ_ACT;
dfc909be
GP		 4102 else
4103 l2cap_retransmit_frames(sk);
2246b2f1 4104
e072745f 4105 } else {
e072745f
GP		 4106 if ((pi->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
4107 (pi->unacked_frames > 0))
4108 __mod_retrans_timer();
1c2acffb 4109
2246b2f1 4110 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
dfc909be 4111 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
e072745f 4112 l2cap_send_ack(pi);
dfc909be 4113 } else {
e072745f 4114 l2cap_ertm_send(sk);
dfc909be 4115 }
e072745f
GP		 4116 }
4117}
2246b2f1 4118
e072745f
GP		 4119static inline void l2cap_data_channel_rejframe(struct sock *sk, u16 rx_control)
4120{
4121 struct l2cap_pinfo *pi = l2cap_pi(sk);
4122 u8 tx_seq = __get_reqseq(rx_control);
30afb5b2 4123
0e98958d
GP		 4124 BT_DBG("sk %p, req_seq %d ctrl 0x%4.4x", sk, tx_seq, rx_control);
4125
e072745f
GP		 4126 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
4127
8abb52ee 4128 pi->expected_ack_seq = tx_seq;
e072745f
GP		 4129 l2cap_drop_acked_frames(sk);
4130
4131 if (rx_control & L2CAP_CTRL_FINAL) {
4132 if (pi->conn_state & L2CAP_CONN_REJ_ACT)
4133 pi->conn_state &= ~L2CAP_CONN_REJ_ACT;
dfc909be
GP		 4134 else
4135 l2cap_retransmit_frames(sk);
e072745f 4136 } else {
dfc909be 4137 l2cap_retransmit_frames(sk);
30afb5b2 4138
0301ef04 4139 if (pi->conn_state & L2CAP_CONN_WAIT_F)
e072745f 4140 pi->conn_state |= L2CAP_CONN_REJ_ACT;
e072745f
GP		 4141 }
4142}
4143static inline void l2cap_data_channel_srejframe(struct sock *sk, u16 rx_control)
4144{
4145 struct l2cap_pinfo *pi = l2cap_pi(sk);
4146 u8 tx_seq = __get_reqseq(rx_control);
30afb5b2 4147
0e98958d
GP		 4148 BT_DBG("sk %p, req_seq %d ctrl 0x%4.4x", sk, tx_seq, rx_control);
4149
e072745f 4150 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
2246b2f1 4151
e072745f
GP		 4152 if (rx_control & L2CAP_CTRL_POLL) {
4153 pi->expected_ack_seq = tx_seq;
4154 l2cap_drop_acked_frames(sk);
3cb123d1
GP		 4155
4156 pi->conn_state |= L2CAP_CONN_SEND_FBIT;
dfc909be
GP		 4157 l2cap_retransmit_one_frame(sk, tx_seq);
4158
e072745f 4159 l2cap_ertm_send(sk);
dfc909be 4160
e072745f
GP		 4161 if (pi->conn_state & L2CAP_CONN_WAIT_F) {
4162 pi->srej_save_reqseq = tx_seq;
4163 pi->conn_state |= L2CAP_CONN_SREJ_ACT;
ef54fd93 4164 }
e072745f
GP		 4165 } else if (rx_control & L2CAP_CTRL_FINAL) {
4166 if ((pi->conn_state & L2CAP_CONN_SREJ_ACT) &&
4167 pi->srej_save_reqseq == tx_seq)
4168 pi->conn_state &= ~L2CAP_CONN_SREJ_ACT;
4169 else
dfc909be 4170 l2cap_retransmit_one_frame(sk, tx_seq);
e072745f 4171 } else {
dfc909be 4172 l2cap_retransmit_one_frame(sk, tx_seq);
e072745f
GP		 4173 if (pi->conn_state & L2CAP_CONN_WAIT_F) {
4174 pi->srej_save_reqseq = tx_seq;
4175 pi->conn_state |= L2CAP_CONN_SREJ_ACT;
ef54fd93 4176 }
e072745f
GP		 4177 }
4178}
4179
4180static inline void l2cap_data_channel_rnrframe(struct sock *sk, u16 rx_control)
4181{
4182 struct l2cap_pinfo *pi = l2cap_pi(sk);
4183 u8 tx_seq = __get_reqseq(rx_control);
4184
0e98958d
GP		 4185 BT_DBG("sk %p, req_seq %d ctrl 0x%4.4x", sk, tx_seq, rx_control);
4186
e072745f
GP		 4187 pi->conn_state |= L2CAP_CONN_REMOTE_BUSY;
4188 pi->expected_ack_seq = tx_seq;
4189 l2cap_drop_acked_frames(sk);
4190
3cb123d1
GP		 4191 if (rx_control & L2CAP_CTRL_POLL)
4192 pi->conn_state |= L2CAP_CONN_SEND_FBIT;
4193
99b0d4b7
GP		 4194 if (!(pi->conn_state & L2CAP_CONN_SREJ_SENT)) {
4195 del_timer(&pi->retrans_timer);
a2e12a2a
GP		 4196 if (rx_control & L2CAP_CTRL_POLL)
4197 l2cap_send_rr_or_rnr(pi, L2CAP_CTRL_FINAL);
99b0d4b7 4198 return;
e072745f 4199 }
99b0d4b7
GP		 4200
4201 if (rx_control & L2CAP_CTRL_POLL)
4202 l2cap_send_srejtail(sk);
4203 else
4204 l2cap_send_sframe(pi, L2CAP_SUPER_RCV_READY);
e072745f
GP		 4205}
4206
4207static inline int l2cap_data_channel_sframe(struct sock *sk, u16 rx_control, struct sk_buff *skb)
4208{
4209 BT_DBG("sk %p rx_control 0x%4.4x len %d", sk, rx_control, skb->len);
4210
9b16dc65
GP		 4211 if (L2CAP_CTRL_FINAL & rx_control &&
4212 l2cap_pi(sk)->conn_state & L2CAP_CONN_WAIT_F) {
e072745f
GP		 4213 del_timer(&l2cap_pi(sk)->monitor_timer);
4214 if (l2cap_pi(sk)->unacked_frames > 0)
4215 __mod_retrans_timer();
4216 l2cap_pi(sk)->conn_state &= ~L2CAP_CONN_WAIT_F;
4217 }
4218
4219 switch (rx_control & L2CAP_CTRL_SUPERVISE) {
4220 case L2CAP_SUPER_RCV_READY:
4221 l2cap_data_channel_rrframe(sk, rx_control);
8f17154f
GP		 4222 break;
4223
e072745f
GP		 4224 case L2CAP_SUPER_REJECT:
4225 l2cap_data_channel_rejframe(sk, rx_control);
4226 break;
2246b2f1 4227
e072745f
GP		 4228 case L2CAP_SUPER_SELECT_REJECT:
4229 l2cap_data_channel_srejframe(sk, rx_control);
4230 break;
4231
4232 case L2CAP_SUPER_RCV_NOT_READY:
4233 l2cap_data_channel_rnrframe(sk, rx_control);
1c2acffb
GP		 4234 break;
4235 }
4236
faaebd19 4237 kfree_skb(skb);
1c2acffb
GP		 4238 return 0;
4239}
4240
218bb9df
GP		 4241static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb)
4242{
4243 struct l2cap_pinfo *pi = l2cap_pi(sk);
4244 u16 control;
4245 u8 req_seq;
4246 int len, next_tx_seq_offset, req_seq_offset;
4247
4248 control = get_unaligned_le16(skb->data);
4249 skb_pull(skb, 2);
4250 len = skb->len;
4251
4252 /*
4253 * We can just drop the corrupted I-frame here.
4254 * Receiver will miss it and start proper recovery
4255 * procedures and ask retransmission.
4256 */
4257 if (l2cap_check_fcs(pi, skb))
4258 goto drop;
4259
4260 if (__is_sar_start(control) && __is_iframe(control))
4261 len -= 2;
4262
4263 if (pi->fcs == L2CAP_FCS_CRC16)
4264 len -= 2;
4265
4266 if (len > pi->mps) {
4267 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
4268 goto drop;
4269 }
4270
4271 req_seq = __get_reqseq(control);
4272 req_seq_offset = (req_seq - pi->expected_ack_seq) % 64;
4273 if (req_seq_offset < 0)
4274 req_seq_offset += 64;
4275
4276 next_tx_seq_offset =
4277 (pi->next_tx_seq - pi->expected_ack_seq) % 64;
4278 if (next_tx_seq_offset < 0)
4279 next_tx_seq_offset += 64;
4280
4281 /* check for invalid req-seq */
4282 if (req_seq_offset > next_tx_seq_offset) {
4283 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
4284 goto drop;
4285 }
4286
4287 if (__is_iframe(control)) {
4288 if (len < 0) {
4289 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
4290 goto drop;
4291 }
4292
4293 l2cap_data_channel_iframe(sk, control, skb);
4294 } else {
4295 if (len != 0) {
4296 BT_ERR("%d", len);
4297 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
4298 goto drop;
4299 }
4300
4301 l2cap_data_channel_sframe(sk, control, skb);
4302 }
4303
4304 return 0;
4305
4306drop:
4307 kfree_skb(skb);
4308 return 0;
4309}
4310
1da177e4
LT		 4311static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
4312{
4313 struct sock *sk;
6840ed07 4314 struct l2cap_pinfo *pi;
51893f88 4315 u16 control;
218bb9df
GP		 4316 u8 tx_seq;
4317 int len;
1da177e4
LT		 4318
4319 sk = l2cap_get_chan_by_scid(&conn->chan_list, cid);
4320 if (!sk) {
4321 BT_DBG("unknown cid 0x%4.4x", cid);
4322 goto drop;
4323 }
4324
6840ed07
GP		 4325 pi = l2cap_pi(sk);
4326
1da177e4
LT		 4327 BT_DBG("sk %p, len %d", sk, skb->len);
4328
4329 if (sk->sk_state != BT_CONNECTED)
4330 goto drop;
4331
6840ed07 4332 switch (pi->mode) {
1c2acffb
GP		 4333 case L2CAP_MODE_BASIC:
4334 /* If socket recv buffers overflows we drop data here
4335 * which is *bad* because L2CAP has to be reliable.
4336 * But we don't have any other choice. L2CAP doesn't
4337 * provide flow control mechanism. */
1da177e4 4338
6840ed07 4339 if (pi->imtu < skb->len)
1c2acffb 4340 goto drop;
1da177e4 4341
1c2acffb
GP		 4342 if (!sock_queue_rcv_skb(sk, skb))
4343 goto done;
4344 break;
4345
4346 case L2CAP_MODE_ERTM:
218bb9df
GP		 4347 if (!sock_owned_by_user(sk)) {
4348 l2cap_ertm_data_rcv(sk, skb);
277ffbe3 4349 } else {
218bb9df 4350 if (sk_add_backlog(sk, skb))
277ffbe3 4351 goto drop;
277ffbe3 4352 }
1c2acffb 4353
fcafde2e 4354 goto done;
1c2acffb 4355
6840ed07
GP		 4356 case L2CAP_MODE_STREAMING:
4357 control = get_unaligned_le16(skb->data);
4358 skb_pull(skb, 2);
4359 len = skb->len;
4360
26000089
GP		 4361 if (l2cap_check_fcs(pi, skb))
4362 goto drop;
4363
6840ed07
GP		 4364 if (__is_sar_start(control))
4365 len -= 2;
4366
fcc203c3
GP		 4367 if (pi->fcs == L2CAP_FCS_CRC16)
4368 len -= 2;
4369
51893f88 4370 if (len > pi->mps || len < 0 || __is_sframe(control))
6840ed07
GP		 4371 goto drop;
4372
4373 tx_seq = __get_txseq(control);
4374
4375 if (pi->expected_tx_seq == tx_seq)
4376 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
4377 else
7dffe421 4378 pi->expected_tx_seq = (tx_seq + 1) % 64;
6840ed07 4379
18778a63 4380 l2cap_streaming_reassembly_sdu(sk, skb, control);
6840ed07
GP		 4381
4382 goto done;
4383
1c2acffb 4384 default:
e8235c6b 4385 BT_DBG("sk %p: bad mode 0x%2.2x", sk, pi->mode);
1c2acffb
GP		 4386 break;
4387 }
1da177e4
LT		 4388
4389drop:
4390 kfree_skb(skb);
4391
4392done:
0139418c
MH		 4393 if (sk)
4394 bh_unlock_sock(sk);
4395
1da177e4
LT		 4396 return 0;
4397}
4398
8e036fc3 4399static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
1da177e4
LT		 4400{
4401 struct sock *sk;
4402
4403 sk = l2cap_get_sock_by_psm(0, psm, conn->src);
4404 if (!sk)
4405 goto drop;
4406
4407 BT_DBG("sk %p, len %d", sk, skb->len);
4408
4409 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_CONNECTED)
4410 goto drop;
4411
4412 if (l2cap_pi(sk)->imtu < skb->len)
4413 goto drop;
4414
4415 if (!sock_queue_rcv_skb(sk, skb))
4416 goto done;
4417
4418drop:
4419 kfree_skb(skb);
4420
4421done:
af05b30b
GP		 4422 if (sk)
4423 bh_unlock_sock(sk);
1da177e4
LT		 4424 return 0;
4425}
4426
4427static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
4428{
4429 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 4430 u16 cid, len;
4431 __le16 psm;
1da177e4
LT		 4432
4433 skb_pull(skb, L2CAP_HDR_SIZE);
4434 cid = __le16_to_cpu(lh->cid);
4435 len = __le16_to_cpu(lh->len);
4436
1c2acffb
GP		 4437 if (len != skb->len) {
4438 kfree_skb(skb);
4439 return;
4440 }
4441
1da177e4
LT		 4442 BT_DBG("len %d, cid 0x%4.4x", len, cid);
4443
4444 switch (cid) {
8db4dc46 4445 case L2CAP_CID_SIGNALING:
1da177e4
LT		 4446 l2cap_sig_channel(conn, skb);
4447 break;
4448
8db4dc46 4449 case L2CAP_CID_CONN_LESS:
1b7bf4ed 4450 psm = get_unaligned_le16(skb->data);
1da177e4
LT		 4451 skb_pull(skb, 2);
4452 l2cap_conless_channel(conn, psm, skb);
4453 break;
4454
4455 default:
4456 l2cap_data_channel(conn, cid, skb);
4457 break;
4458 }
4459}
4460
4461/* ---- L2CAP interface with lower layer (HCI) ---- */
4462
4463static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
4464{
4465 int exact = 0, lm1 = 0, lm2 = 0;
4466 register struct sock *sk;
4467 struct hlist_node *node;
4468
4469 if (type != ACL_LINK)
963cf687 4470 return -EINVAL;
1da177e4
LT		 4471
4472 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
4473
4474 /* Find listening sockets and check their link_mode */
4475 read_lock(&l2cap_sk_list.lock);
4476 sk_for_each(sk, node, &l2cap_sk_list.head) {
4477 if (sk->sk_state != BT_LISTEN)
4478 continue;
4479
4480 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5
MH		 4481 lm1 |= HCI_LM_ACCEPT;
4482 if (l2cap_pi(sk)->role_switch)
4483 lm1 |= HCI_LM_MASTER;
1da177e4 4484 exact++;
2af6b9d5
MH		 4485 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
4486 lm2 |= HCI_LM_ACCEPT;
4487 if (l2cap_pi(sk)->role_switch)
4488 lm2 |= HCI_LM_MASTER;
4489 }
1da177e4
LT		 4490 }
4491 read_unlock(&l2cap_sk_list.lock);
4492
4493 return exact ? lm1 : lm2;
4494}
4495
4496static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
4497{
0139418c
MH		 4498 struct l2cap_conn *conn;
4499
1da177e4
LT		 4500 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
4501
4502 if (hcon->type != ACL_LINK)
963cf687 4503 return -EINVAL;
1da177e4
LT		 4504
4505 if (!status) {
1da177e4
LT		 4506 conn = l2cap_conn_add(hcon, status);
4507 if (conn)
4508 l2cap_conn_ready(conn);
0139418c 4509 } else
1da177e4
LT		 4510 l2cap_conn_del(hcon, bt_err(status));
4511
4512 return 0;
4513}
4514
2950f21a
MH		 4515static int l2cap_disconn_ind(struct hci_conn *hcon)
4516{
4517 struct l2cap_conn *conn = hcon->l2cap_data;
4518
4519 BT_DBG("hcon %p", hcon);
4520
4521 if (hcon->type != ACL_LINK || !conn)
4522 return 0x13;
4523
4524 return conn->disc_reason;
4525}
4526
4527static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 4528{
4529 BT_DBG("hcon %p reason %d", hcon, reason);
4530
4531 if (hcon->type != ACL_LINK)
963cf687 4532 return -EINVAL;
1da177e4
LT		 4533
4534 l2cap_conn_del(hcon, bt_err(reason));
0139418c 4535
1da177e4
LT		 4536 return 0;
4537}
4538
f62e4323
MH		 4539static inline void l2cap_check_encryption(struct sock *sk, u8 encrypt)
4540{
bd3c9e25 4541 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM)
255c7601
MH		 4542 return;
4543
f62e4323
MH		 4544 if (encrypt == 0x00) {
4545 if (l2cap_pi(sk)->sec_level == BT_SECURITY_MEDIUM) {
4546 l2cap_sock_clear_timer(sk);
4547 l2cap_sock_set_timer(sk, HZ * 5);
4548 } else if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
4549 __l2cap_sock_close(sk, ECONNREFUSED);
4550 } else {
4551 if (l2cap_pi(sk)->sec_level == BT_SECURITY_MEDIUM)
4552 l2cap_sock_clear_timer(sk);
4553 }
4554}
4555
8c1b2355 4556static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4
LT		 4557{
4558 struct l2cap_chan_list *l;
0139418c 4559 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4 4560 struct sock *sk;
1da177e4 4561
0139418c 4562 if (!conn)
1da177e4 4563 return 0;
0139418c 4564
1da177e4
LT		 4565 l = &conn->chan_list;
4566
4567 BT_DBG("conn %p", conn);
4568
4569 read_lock(&l->lock);
4570
4571 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
4572 bh_lock_sock(sk);
4573
6a8d3010
MH		 4574 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_CONNECT_PEND) {
4575 bh_unlock_sock(sk);
4576 continue;
4577 }
4578
f62e4323 4579 if (!status && (sk->sk_state == BT_CONNECTED ||
8c1b2355 4580 sk->sk_state == BT_CONFIG)) {
f62e4323 4581 l2cap_check_encryption(sk, encrypt);
9719f8af
MH		 4582 bh_unlock_sock(sk);
4583 continue;
4584 }
4585
b1235d79
MH		 4586 if (sk->sk_state == BT_CONNECT) {
4587 if (!status) {
4588 struct l2cap_conn_req req;
4589 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
4590 req.psm = l2cap_pi(sk)->psm;
1da177e4 4591
b1235d79 4592 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
e501d055 4593 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
1da177e4 4594
b1235d79
MH		 4595 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
4596 L2CAP_CONN_REQ, sizeof(req), &req);
4597 } else {
4598 l2cap_sock_clear_timer(sk);
4599 l2cap_sock_set_timer(sk, HZ / 10);
4600 }
4601 } else if (sk->sk_state == BT_CONNECT2) {
4602 struct l2cap_conn_rsp rsp;
4603 __u16 result;
1da177e4 4604
b1235d79
MH		 4605 if (!status) {
4606 sk->sk_state = BT_CONFIG;
4607 result = L2CAP_CR_SUCCESS;
4608 } else {
4609 sk->sk_state = BT_DISCONN;
4610 l2cap_sock_set_timer(sk, HZ / 10);
4611 result = L2CAP_CR_SEC_BLOCK;
4612 }
4613
4614 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
4615 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
4616 rsp.result = cpu_to_le16(result);
e7c29cb1 4617 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
b1235d79
MH		 4618 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
4619 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
4620 }
1da177e4
LT		 4621
4622 bh_unlock_sock(sk);
4623 }
4624
4625 read_unlock(&l->lock);
b1235d79 4626
1da177e4
LT		 4627 return 0;
4628}
4629
4630static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
4631{
4632 struct l2cap_conn *conn = hcon->l2cap_data;
4633
4634 if (!conn && !(conn = l2cap_conn_add(hcon, 0)))
4635 goto drop;
4636
4637 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
4638
4639 if (flags & ACL_START) {
4640 struct l2cap_hdr *hdr;
4641 int len;
4642
4643 if (conn->rx_len) {
4644 BT_ERR("Unexpected start frame (len %d)", skb->len);
4645 kfree_skb(conn->rx_skb);
4646 conn->rx_skb = NULL;
4647 conn->rx_len = 0;
4648 l2cap_conn_unreliable(conn, ECOMM);
4649 }
4650
4651 if (skb->len < 2) {
4652 BT_ERR("Frame is too short (len %d)", skb->len);
4653 l2cap_conn_unreliable(conn, ECOMM);
4654 goto drop;
4655 }
4656
4657 hdr = (struct l2cap_hdr *) skb->data;
4658 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
4659
4660 if (len == skb->len) {
4661 /* Complete frame received */
4662 l2cap_recv_frame(conn, skb);
4663 return 0;
4664 }
4665
4666 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
4667
4668 if (skb->len > len) {
4669 BT_ERR("Frame is too long (len %d, expected len %d)",
4670 skb->len, len);
4671 l2cap_conn_unreliable(conn, ECOMM);
4672 goto drop;
4673 }
4674
4675 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 4676 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
4677 if (!conn->rx_skb)
1da177e4
LT		 4678 goto drop;
4679
d626f62b 4680 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4681 skb->len);
1da177e4
LT		 4682 conn->rx_len = len - skb->len;
4683 } else {
4684 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
4685
4686 if (!conn->rx_len) {
4687 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
4688 l2cap_conn_unreliable(conn, ECOMM);
4689 goto drop;
4690 }
4691
4692 if (skb->len > conn->rx_len) {
4693 BT_ERR("Fragment is too long (len %d, expected %d)",
4694 skb->len, conn->rx_len);
4695 kfree_skb(conn->rx_skb);
4696 conn->rx_skb = NULL;
4697 conn->rx_len = 0;
4698 l2cap_conn_unreliable(conn, ECOMM);
4699 goto drop;
4700 }
4701
d626f62b 4702 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4703 skb->len);
1da177e4
LT		 4704 conn->rx_len -= skb->len;
4705
4706 if (!conn->rx_len) {
4707 /* Complete frame received */
4708 l2cap_recv_frame(conn, conn->rx_skb);
4709 conn->rx_skb = NULL;
4710 }
4711 }
4712
4713drop:
4714 kfree_skb(skb);
4715 return 0;
4716}
4717
aef7d97c 4718static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4
LT		 4719{
4720 struct sock *sk;
4721 struct hlist_node *node;
1da177e4
LT		 4722
4723 read_lock_bh(&l2cap_sk_list.lock);
4724
be9d1227
MH		 4725 sk_for_each(sk, node, &l2cap_sk_list.head) {
4726 struct l2cap_pinfo *pi = l2cap_pi(sk);
101545f6 4727
aef7d97c
MH		 4728 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d\n",
4729 batostr(&bt_sk(sk)->src),
4730 batostr(&bt_sk(sk)->dst),
4731 sk->sk_state, __le16_to_cpu(pi->psm),
4732 pi->scid, pi->dcid,
4733 pi->imtu, pi->omtu, pi->sec_level);
be9d1227 4734 }
1da177e4 4735
1da177e4 4736 read_unlock_bh(&l2cap_sk_list.lock);
1da177e4 4737
aef7d97c 4738 return 0;
1da177e4
LT		 4739}
4740
aef7d97c
MH		 4741static int l2cap_debugfs_open(struct inode *inode, struct file *file)
4742{
4743 return single_open(file, l2cap_debugfs_show, inode->i_private);
4744}
4745
4746static const struct file_operations l2cap_debugfs_fops = {
4747 .open = l2cap_debugfs_open,
4748 .read = seq_read,
4749 .llseek = seq_lseek,
4750 .release = single_release,
4751};
4752
4753static struct dentry *l2cap_debugfs;
1da177e4 4754
90ddc4f0 4755static const struct proto_ops l2cap_sock_ops = {
1da177e4
LT		 4756 .family = PF_BLUETOOTH,
4757 .owner = THIS_MODULE,
4758 .release = l2cap_sock_release,
4759 .bind = l2cap_sock_bind,
4760 .connect = l2cap_sock_connect,
4761 .listen = l2cap_sock_listen,
4762 .accept = l2cap_sock_accept,
4763 .getname = l2cap_sock_getname,
4764 .sendmsg = l2cap_sock_sendmsg,
f66dc81f 4765 .recvmsg = l2cap_sock_recvmsg,
1da177e4 4766 .poll = bt_sock_poll,
3241ad82 4767 .ioctl = bt_sock_ioctl,
1da177e4
LT		 4768 .mmap = sock_no_mmap,
4769 .socketpair = sock_no_socketpair,
1da177e4
LT		 4770 .shutdown = l2cap_sock_shutdown,
4771 .setsockopt = l2cap_sock_setsockopt,
4772 .getsockopt = l2cap_sock_getsockopt
4773};
4774
ec1b4cf7 4775static const struct net_proto_family l2cap_sock_family_ops = {
1da177e4
LT		 4776 .family = PF_BLUETOOTH,
4777 .owner = THIS_MODULE,
4778 .create = l2cap_sock_create,
4779};
4780
4781static struct hci_proto l2cap_hci_proto = {
4782 .name = "L2CAP",
4783 .id = HCI_PROTO_L2CAP,
4784 .connect_ind = l2cap_connect_ind,
4785 .connect_cfm = l2cap_connect_cfm,
4786 .disconn_ind = l2cap_disconn_ind,
2950f21a 4787 .disconn_cfm = l2cap_disconn_cfm,
8c1b2355 4788 .security_cfm = l2cap_security_cfm,
1da177e4
LT		 4789 .recv_acldata = l2cap_recv_acldata
4790};
4791
4792static int __init l2cap_init(void)
4793{
4794 int err;
be9d1227 4795
1da177e4
LT		 4796 err = proto_register(&l2cap_proto, 0);
4797 if (err < 0)
4798 return err;
4799
1890d36b
GP		 4800 _busy_wq = create_singlethread_workqueue("l2cap");
4801 if (!_busy_wq)
4802 goto error;
4803
1da177e4
LT		 4804 err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
4805 if (err < 0) {
4806 BT_ERR("L2CAP socket registration failed");
4807 goto error;
4808 }
4809
4810 err = hci_register_proto(&l2cap_hci_proto);
4811 if (err < 0) {
4812 BT_ERR("L2CAP protocol registration failed");
4813 bt_sock_unregister(BTPROTO_L2CAP);
4814 goto error;
4815 }
4816
aef7d97c
MH		 4817 if (bt_debugfs) {
4818 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
4819 bt_debugfs, NULL, &l2cap_debugfs_fops);
4820 if (!l2cap_debugfs)
4821 BT_ERR("Failed to create L2CAP debug file");
4822 }
1da177e4
LT		 4823
4824 BT_INFO("L2CAP ver %s", VERSION);
4825 BT_INFO("L2CAP socket layer initialized");
4826
4827 return 0;
4828
4829error:
4830 proto_unregister(&l2cap_proto);
4831 return err;
4832}
4833
4834static void __exit l2cap_exit(void)
4835{
aef7d97c 4836 debugfs_remove(l2cap_debugfs);
1da177e4 4837
1890d36b
GP		 4838 flush_workqueue(_busy_wq);
4839 destroy_workqueue(_busy_wq);
4840
1da177e4
LT		 4841 if (bt_sock_unregister(BTPROTO_L2CAP) < 0)
4842 BT_ERR("L2CAP socket unregistration failed");
4843
4844 if (hci_unregister_proto(&l2cap_hci_proto) < 0)
4845 BT_ERR("L2CAP protocol unregistration failed");
4846
4847 proto_unregister(&l2cap_proto);
4848}
4849
4850void l2cap_load(void)
4851{
4852 /* Dummy function to trigger automatic L2CAP module loading by
4853 * other modules that use L2CAP sockets but don't use any other
4854 * symbols from it. */
1da177e4
LT		 4855}
4856EXPORT_SYMBOL(l2cap_load);
4857
4858module_init(l2cap_init);
4859module_exit(l2cap_exit);
4860
d1c4a17d
GP		 4861module_param(disable_ertm, bool, 0644);
4862MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
44dd46de 4863
63fbd24e 4864MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
1da177e4
LT		 4865MODULE_DESCRIPTION("Bluetooth L2CAP ver " VERSION);
4866MODULE_VERSION(VERSION);
4867MODULE_LICENSE("GPL");
4868MODULE_ALIAS("bt-proto-0");
ubuntu-bionic-kernel mirror