]> git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/blame - net/bluetooth/l2cap_core.c
projects / mirror_ubuntu-artful-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: move l2cap_sock_bind()/listen() to l2cap_sock.c
[mirror_ubuntu-artful-kernel.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
1da177e4
LT		 6
7 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License version 2 as
11 published by the Free Software Foundation;
12
13 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
14 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
15 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
16 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 17 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
18 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
19 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 20 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
21
8e87d142
YH		 22 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
23 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 24 SOFTWARE IS DISCLAIMED.
25*/
26
bb58f747 27/* Bluetooth L2CAP core. */
1da177e4 28
1da177e4
LT		 29#include <linux/module.h>
30
31#include <linux/types.h>
4fc268d2 32#include <linux/capability.h>
1da177e4
LT		 33#include <linux/errno.h>
34#include <linux/kernel.h>
1da177e4
LT		 35#include <linux/sched.h>
36#include <linux/slab.h>
37#include <linux/poll.h>
38#include <linux/fcntl.h>
39#include <linux/init.h>
40#include <linux/interrupt.h>
41#include <linux/socket.h>
42#include <linux/skbuff.h>
1da177e4 43#include <linux/list.h>
be9d1227 44#include <linux/device.h>
aef7d97c
MH		 45#include <linux/debugfs.h>
46#include <linux/seq_file.h>
af05b30b 47#include <linux/uaccess.h>
fcc203c3 48#include <linux/crc16.h>
1da177e4
LT		 49#include <net/sock.h>
50
51#include <asm/system.h>
1da177e4
LT		 52#include <asm/unaligned.h>
53
54#include <net/bluetooth/bluetooth.h>
55#include <net/bluetooth/hci_core.h>
56#include <net/bluetooth/l2cap.h>
57
dd135240 58#define VERSION "2.15"
44dd46de 59
bb58f747 60int disable_ertm;
f0709e03 61
47ec1dcd 62static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
e1027a7c 63static u8 l2cap_fixed_chan[8] = { 0x02, };
1da177e4 64
1890d36b
GP		 65static struct workqueue_struct *_busy_wq;
66
bb58f747 67struct bt_sock_list l2cap_sk_list = {
d5fb2962 68 .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
1da177e4
LT		 69};
70
1890d36b
GP		 71static void l2cap_busy_work(struct work_struct *work);
72
1da177e4 73static void l2cap_sock_close(struct sock *sk);
1da177e4 74
e9aeb2dd 75static int l2cap_build_conf_req(struct sock *sk, void *data);
1da177e4
LT		 76static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
77 u8 code, u8 ident, u16 dlen, void *data);
78
218bb9df
GP		 79static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb);
80
1da177e4 81/* ---- L2CAP timers ---- */
bb58f747 82void l2cap_sock_set_timer(struct sock *sk, long timeout)
940a9eea
AE		 83{
84 BT_DBG("sk %p state %d timeout %ld", sk, sk->sk_state, timeout);
85 sk_reset_timer(sk, &sk->sk_timer, jiffies + timeout);
86}
87
88static void l2cap_sock_clear_timer(struct sock *sk)
89{
90 BT_DBG("sock %p state %d", sk, sk->sk_state);
91 sk_stop_timer(sk, &sk->sk_timer);
92}
93
0139418c
MH		 94/* ---- L2CAP channels ---- */
95static struct sock *__l2cap_get_chan_by_dcid(struct l2cap_chan_list *l, u16 cid)
96{
97 struct sock *s;
98 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
99 if (l2cap_pi(s)->dcid == cid)
100 break;
101 }
102 return s;
103}
104
105static struct sock *__l2cap_get_chan_by_scid(struct l2cap_chan_list *l, u16 cid)
106{
107 struct sock *s;
108 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
109 if (l2cap_pi(s)->scid == cid)
110 break;
111 }
112 return s;
113}
114
115/* Find channel with given SCID.
116 * Returns locked socket */
117static inline struct sock *l2cap_get_chan_by_scid(struct l2cap_chan_list *l, u16 cid)
118{
119 struct sock *s;
120 read_lock(&l->lock);
121 s = __l2cap_get_chan_by_scid(l, cid);
af05b30b
GP		 122 if (s)
123 bh_lock_sock(s);
0139418c
MH		 124 read_unlock(&l->lock);
125 return s;
126}
127
128static struct sock *__l2cap_get_chan_by_ident(struct l2cap_chan_list *l, u8 ident)
129{
130 struct sock *s;
131 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
132 if (l2cap_pi(s)->ident == ident)
133 break;
134 }
135 return s;
136}
137
138static inline struct sock *l2cap_get_chan_by_ident(struct l2cap_chan_list *l, u8 ident)
139{
140 struct sock *s;
141 read_lock(&l->lock);
142 s = __l2cap_get_chan_by_ident(l, ident);
af05b30b
GP		 143 if (s)
144 bh_lock_sock(s);
0139418c
MH		 145 read_unlock(&l->lock);
146 return s;
147}
148
149static u16 l2cap_alloc_cid(struct l2cap_chan_list *l)
150{
8db4dc46 151 u16 cid = L2CAP_CID_DYN_START;
0139418c 152
8db4dc46 153 for (; cid < L2CAP_CID_DYN_END; cid++) {
af05b30b 154 if (!__l2cap_get_chan_by_scid(l, cid))
0139418c
MH		 155 return cid;
156 }
157
158 return 0;
159}
160
161static inline void __l2cap_chan_link(struct l2cap_chan_list *l, struct sock *sk)
162{
163 sock_hold(sk);
164
165 if (l->head)
166 l2cap_pi(l->head)->prev_c = sk;
167
168 l2cap_pi(sk)->next_c = l->head;
169 l2cap_pi(sk)->prev_c = NULL;
170 l->head = sk;
171}
172
173static inline void l2cap_chan_unlink(struct l2cap_chan_list *l, struct sock *sk)
174{
175 struct sock *next = l2cap_pi(sk)->next_c, *prev = l2cap_pi(sk)->prev_c;
176
fd1278d7 177 write_lock_bh(&l->lock);
0139418c
MH		 178 if (sk == l->head)
179 l->head = next;
180
181 if (next)
182 l2cap_pi(next)->prev_c = prev;
183 if (prev)
184 l2cap_pi(prev)->next_c = next;
fd1278d7 185 write_unlock_bh(&l->lock);
0139418c
MH		 186
187 __sock_put(sk);
188}
189
190static void __l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent)
191{
192 struct l2cap_chan_list *l = &conn->chan_list;
193
af05b30b
GP		 194 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
195 l2cap_pi(sk)->psm, l2cap_pi(sk)->dcid);
0139418c 196
2950f21a
MH		 197 conn->disc_reason = 0x13;
198
0139418c
MH		 199 l2cap_pi(sk)->conn = conn;
200
bd3c9e25 201 if (sk->sk_type == SOCK_SEQPACKET || sk->sk_type == SOCK_STREAM) {
0139418c
MH		 202 /* Alloc CID for connection-oriented socket */
203 l2cap_pi(sk)->scid = l2cap_alloc_cid(l);
204 } else if (sk->sk_type == SOCK_DGRAM) {
205 /* Connectionless socket */
8db4dc46
GP		 206 l2cap_pi(sk)->scid = L2CAP_CID_CONN_LESS;
207 l2cap_pi(sk)->dcid = L2CAP_CID_CONN_LESS;
0139418c
MH		 208 l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU;
209 } else {
210 /* Raw socket can send/recv signalling messages only */
8db4dc46
GP		 211 l2cap_pi(sk)->scid = L2CAP_CID_SIGNALING;
212 l2cap_pi(sk)->dcid = L2CAP_CID_SIGNALING;
0139418c
MH		 213 l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU;
214 }
215
216 __l2cap_chan_link(l, sk);
217
218 if (parent)
219 bt_accept_enqueue(parent, sk);
220}
221
8e87d142 222/* Delete channel.
0139418c
MH		 223 * Must be called on the locked socket. */
224static void l2cap_chan_del(struct sock *sk, int err)
225{
226 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
227 struct sock *parent = bt_sk(sk)->parent;
228
229 l2cap_sock_clear_timer(sk);
230
231 BT_DBG("sk %p, conn %p, err %d", sk, conn, err);
232
8e87d142 233 if (conn) {
0139418c
MH		 234 /* Unlink from channel list */
235 l2cap_chan_unlink(&conn->chan_list, sk);
236 l2cap_pi(sk)->conn = NULL;
237 hci_conn_put(conn->hcon);
238 }
239
b1235d79 240 sk->sk_state = BT_CLOSED;
0139418c
MH		 241 sock_set_flag(sk, SOCK_ZAPPED);
242
243 if (err)
244 sk->sk_err = err;
245
246 if (parent) {
247 bt_accept_unlink(sk);
248 parent->sk_data_ready(parent, 0);
249 } else
250 sk->sk_state_change(sk);
c13ffa62
GP		 251
252 skb_queue_purge(TX_QUEUE(sk));
253
254 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM) {
255 struct srej_list *l, *tmp;
256
257 del_timer(&l2cap_pi(sk)->retrans_timer);
258 del_timer(&l2cap_pi(sk)->monitor_timer);
259 del_timer(&l2cap_pi(sk)->ack_timer);
260
261 skb_queue_purge(SREJ_QUEUE(sk));
262 skb_queue_purge(BUSY_QUEUE(sk));
263
264 list_for_each_entry_safe(l, tmp, SREJ_LIST(sk), list) {
265 list_del(&l->list);
266 kfree(l);
267 }
268 }
0139418c
MH		 269}
270
8556edd3 271static inline u8 l2cap_get_auth_type(struct sock *sk)
79d554a6 272{
8556edd3
JH		 273 if (sk->sk_type == SOCK_RAW) {
274 switch (l2cap_pi(sk)->sec_level) {
275 case BT_SECURITY_HIGH:
276 return HCI_AT_DEDICATED_BONDING_MITM;
277 case BT_SECURITY_MEDIUM:
278 return HCI_AT_DEDICATED_BONDING;
279 default:
280 return HCI_AT_NO_BONDING;
281 }
282 } else if (l2cap_pi(sk)->psm == cpu_to_le16(0x0001)) {
283 if (l2cap_pi(sk)->sec_level == BT_SECURITY_LOW)
284 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
0684e5f9 285
00ae4af9 286 if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
8556edd3 287 return HCI_AT_NO_BONDING_MITM;
00ae4af9 288 else
8556edd3 289 return HCI_AT_NO_BONDING;
00ae4af9
MH		 290 } else {
291 switch (l2cap_pi(sk)->sec_level) {
292 case BT_SECURITY_HIGH:
8556edd3 293 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 294 case BT_SECURITY_MEDIUM:
8556edd3 295 return HCI_AT_GENERAL_BONDING;
00ae4af9 296 default:
8556edd3 297 return HCI_AT_NO_BONDING;
00ae4af9 298 }
0684e5f9 299 }
8556edd3
JH		 300}
301
302/* Service level security */
303static inline int l2cap_check_security(struct sock *sk)
304{
305 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
306 __u8 auth_type;
307
308 auth_type = l2cap_get_auth_type(sk);
79d554a6 309
0684e5f9
MH		 310 return hci_conn_security(conn->hcon, l2cap_pi(sk)->sec_level,
311 auth_type);
79d554a6
MH		 312}
313
4e8402a3
MH		 314static inline u8 l2cap_get_ident(struct l2cap_conn *conn)
315{
316 u8 id;
317
318 /* Get next available identificator.
319 * 1 - 128 are used by kernel.
320 * 129 - 199 are reserved.
321 * 200 - 254 are used by utilities like l2ping, etc.
322 */
323
324 spin_lock_bh(&conn->lock);
325
326 if (++conn->tx_ident > 128)
327 conn->tx_ident = 1;
328
329 id = conn->tx_ident;
330
331 spin_unlock_bh(&conn->lock);
332
333 return id;
334}
335
9a9c6a34 336static inline void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
4e8402a3
MH		 337{
338 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 339 u8 flags;
4e8402a3
MH		 340
341 BT_DBG("code 0x%2.2x", code);
342
343 if (!skb)
9a9c6a34 344 return;
4e8402a3 345
e702112f
AE		 346 if (lmp_no_flush_capable(conn->hcon->hdev))
347 flags = ACL_START_NO_FLUSH;
348 else
349 flags = ACL_START;
350
351 hci_send_acl(conn->hcon, skb, flags);
4e8402a3
MH		 352}
353
9a9c6a34 354static inline void l2cap_send_sframe(struct l2cap_pinfo *pi, u16 control)
1c2acffb
GP		 355{
356 struct sk_buff *skb;
357 struct l2cap_hdr *lh;
358 struct l2cap_conn *conn = pi->conn;
c13ffa62 359 struct sock *sk = (struct sock *)pi;
fcc203c3 360 int count, hlen = L2CAP_HDR_SIZE + 2;
e702112f 361 u8 flags;
fcc203c3 362
c13ffa62
GP		 363 if (sk->sk_state != BT_CONNECTED)
364 return;
365
fcc203c3
GP		 366 if (pi->fcs == L2CAP_FCS_CRC16)
367 hlen += 2;
1c2acffb
GP		 368
369 BT_DBG("pi %p, control 0x%2.2x", pi, control);
370
fcc203c3 371 count = min_t(unsigned int, conn->mtu, hlen);
1c2acffb
GP		 372 control |= L2CAP_CTRL_FRAME_TYPE;
373
9e917af1
GP		 374 if (pi->conn_state & L2CAP_CONN_SEND_FBIT) {
375 control |= L2CAP_CTRL_FINAL;
376 pi->conn_state &= ~L2CAP_CONN_SEND_FBIT;
377 }
378
f0946ccf
GP		 379 if (pi->conn_state & L2CAP_CONN_SEND_PBIT) {
380 control |= L2CAP_CTRL_POLL;
381 pi->conn_state &= ~L2CAP_CONN_SEND_PBIT;
382 }
383
1c2acffb
GP		 384 skb = bt_skb_alloc(count, GFP_ATOMIC);
385 if (!skb)
9a9c6a34 386 return;
1c2acffb
GP		 387
388 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fcc203c3 389 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
1c2acffb
GP		 390 lh->cid = cpu_to_le16(pi->dcid);
391 put_unaligned_le16(control, skb_put(skb, 2));
392
fcc203c3
GP		 393 if (pi->fcs == L2CAP_FCS_CRC16) {
394 u16 fcs = crc16(0, (u8 *)lh, count - 2);
395 put_unaligned_le16(fcs, skb_put(skb, 2));
396 }
397
e702112f
AE		 398 if (lmp_no_flush_capable(conn->hcon->hdev))
399 flags = ACL_START_NO_FLUSH;
400 else
401 flags = ACL_START;
402
403 hci_send_acl(pi->conn->hcon, skb, flags);
1c2acffb
GP		 404}
405
9a9c6a34 406static inline void l2cap_send_rr_or_rnr(struct l2cap_pinfo *pi, u16 control)
7e743090 407{
1890d36b 408 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) {
7e743090 409 control |= L2CAP_SUPER_RCV_NOT_READY;
1890d36b
GP		 410 pi->conn_state |= L2CAP_CONN_RNR_SENT;
411 } else
7e743090
GP		 412 control |= L2CAP_SUPER_RCV_READY;
413
2ab25cdd
GP		 414 control |= pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
415
9a9c6a34 416 l2cap_send_sframe(pi, control);
7e743090
GP		 417}
418
e501d055
AE		 419static inline int __l2cap_no_conn_pending(struct sock *sk)
420{
421 return !(l2cap_pi(sk)->conf_state & L2CAP_CONF_CONNECT_PEND);
422}
423
79d554a6
MH		 424static void l2cap_do_start(struct sock *sk)
425{
426 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
427
428 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 429 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
430 return;
431
e501d055 432 if (l2cap_check_security(sk) && __l2cap_no_conn_pending(sk)) {
b1235d79
MH		 433 struct l2cap_conn_req req;
434 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
435 req.psm = l2cap_pi(sk)->psm;
79d554a6 436
b1235d79 437 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
e501d055 438 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
79d554a6 439
b1235d79 440 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
79d554a6 441 L2CAP_CONN_REQ, sizeof(req), &req);
b1235d79 442 }
79d554a6
MH		 443 } else {
444 struct l2cap_info_req req;
445 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
446
447 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
448 conn->info_ident = l2cap_get_ident(conn);
449
450 mod_timer(&conn->info_timer, jiffies +
451 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
452
453 l2cap_send_cmd(conn, conn->info_ident,
454 L2CAP_INFO_REQ, sizeof(req), &req);
455 }
456}
457
cf6c2c0b
GP		 458static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
459{
460 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 461 if (!disable_ertm)
cf6c2c0b
GP		 462 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
463
464 switch (mode) {
465 case L2CAP_MODE_ERTM:
466 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
467 case L2CAP_MODE_STREAMING:
468 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
469 default:
470 return 0x00;
471 }
472}
473
9b108fc0 474static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct sock *sk, int err)
22121fc9
GP		 475{
476 struct l2cap_disconn_req req;
477
c13ffa62
GP		 478 if (!conn)
479 return;
480
481 skb_queue_purge(TX_QUEUE(sk));
482
483 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM) {
484 del_timer(&l2cap_pi(sk)->retrans_timer);
485 del_timer(&l2cap_pi(sk)->monitor_timer);
486 del_timer(&l2cap_pi(sk)->ack_timer);
487 }
488
22121fc9
GP		 489 req.dcid = cpu_to_le16(l2cap_pi(sk)->dcid);
490 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
491 l2cap_send_cmd(conn, l2cap_get_ident(conn),
492 L2CAP_DISCONN_REQ, sizeof(req), &req);
c13ffa62
GP		 493
494 sk->sk_state = BT_DISCONN;
9b108fc0 495 sk->sk_err = err;
22121fc9
GP		 496}
497
1da177e4 498/* ---- L2CAP connections ---- */
4e8402a3
MH		 499static void l2cap_conn_start(struct l2cap_conn *conn)
500{
501 struct l2cap_chan_list *l = &conn->chan_list;
cf6c2c0b 502 struct sock_del_list del, *tmp1, *tmp2;
4e8402a3
MH		 503 struct sock *sk;
504
505 BT_DBG("conn %p", conn);
506
cf6c2c0b
GP		 507 INIT_LIST_HEAD(&del.list);
508
4e8402a3
MH		 509 read_lock(&l->lock);
510
511 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
512 bh_lock_sock(sk);
513
bd3c9e25
GP		 514 if (sk->sk_type != SOCK_SEQPACKET &&
515 sk->sk_type != SOCK_STREAM) {
79d554a6
MH		 516 bh_unlock_sock(sk);
517 continue;
518 }
519
520 if (sk->sk_state == BT_CONNECT) {
47731de7 521 struct l2cap_conn_req req;
79d554a6 522
47731de7
GP		 523 if (!l2cap_check_security(sk) ||
524 !__l2cap_no_conn_pending(sk)) {
525 bh_unlock_sock(sk);
526 continue;
527 }
79d554a6 528
47731de7
GP		 529 if (!l2cap_mode_supported(l2cap_pi(sk)->mode,
530 conn->feat_mask)
531 && l2cap_pi(sk)->conf_state &
532 L2CAP_CONF_STATE2_DEVICE) {
533 tmp1 = kzalloc(sizeof(struct sock_del_list),
534 GFP_ATOMIC);
535 tmp1->sk = sk;
536 list_add_tail(&tmp1->list, &del.list);
537 bh_unlock_sock(sk);
538 continue;
b1235d79 539 }
47731de7
GP		 540
541 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
542 req.psm = l2cap_pi(sk)->psm;
543
544 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
545 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
546
547 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
548 L2CAP_CONN_REQ, sizeof(req), &req);
549
79d554a6
MH		 550 } else if (sk->sk_state == BT_CONNECT2) {
551 struct l2cap_conn_rsp rsp;
e9aeb2dd 552 char buf[128];
79d554a6
MH		 553 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
554 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
555
2af6b9d5 556 if (l2cap_check_security(sk)) {
f66dc81f
MH		 557 if (bt_sk(sk)->defer_setup) {
558 struct sock *parent = bt_sk(sk)->parent;
559 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
560 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
561 parent->sk_data_ready(parent, 0);
562
563 } else {
564 sk->sk_state = BT_CONFIG;
565 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
566 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
567 }
79d554a6
MH		 568 } else {
569 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
570 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
571 }
572
573 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
574 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
e9aeb2dd
GP		 575
576 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT ||
577 rsp.result != L2CAP_CR_SUCCESS) {
578 bh_unlock_sock(sk);
579 continue;
580 }
581
582 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
583 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
584 l2cap_build_conf_req(sk, buf), buf);
585 l2cap_pi(sk)->num_conf_req++;
4e8402a3
MH		 586 }
587
588 bh_unlock_sock(sk);
589 }
590
591 read_unlock(&l->lock);
cf6c2c0b
GP		 592
593 list_for_each_entry_safe(tmp1, tmp2, &del.list, list) {
594 bh_lock_sock(tmp1->sk);
595 __l2cap_sock_close(tmp1->sk, ECONNRESET);
596 bh_unlock_sock(tmp1->sk);
597 list_del(&tmp1->list);
598 kfree(tmp1);
599 }
4e8402a3
MH		 600}
601
602static void l2cap_conn_ready(struct l2cap_conn *conn)
603{
79d554a6
MH		 604 struct l2cap_chan_list *l = &conn->chan_list;
605 struct sock *sk;
4e8402a3 606
79d554a6 607 BT_DBG("conn %p", conn);
4e8402a3 608
79d554a6 609 read_lock(&l->lock);
4e8402a3 610
79d554a6
MH		 611 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
612 bh_lock_sock(sk);
4e8402a3 613
bd3c9e25
GP		 614 if (sk->sk_type != SOCK_SEQPACKET &&
615 sk->sk_type != SOCK_STREAM) {
79d554a6
MH		 616 l2cap_sock_clear_timer(sk);
617 sk->sk_state = BT_CONNECTED;
618 sk->sk_state_change(sk);
619 } else if (sk->sk_state == BT_CONNECT)
620 l2cap_do_start(sk);
4e8402a3 621
79d554a6 622 bh_unlock_sock(sk);
4e8402a3 623 }
79d554a6
MH		 624
625 read_unlock(&l->lock);
4e8402a3
MH		 626}
627
628/* Notify sockets that we cannot guaranty reliability anymore */
629static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
630{
631 struct l2cap_chan_list *l = &conn->chan_list;
632 struct sock *sk;
633
634 BT_DBG("conn %p", conn);
635
636 read_lock(&l->lock);
637
638 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
2af6b9d5 639 if (l2cap_pi(sk)->force_reliable)
4e8402a3
MH		 640 sk->sk_err = err;
641 }
642
643 read_unlock(&l->lock);
644}
645
646static void l2cap_info_timeout(unsigned long arg)
647{
648 struct l2cap_conn *conn = (void *) arg;
649
984947dc 650 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 651 conn->info_ident = 0;
984947dc 652
4e8402a3
MH		 653 l2cap_conn_start(conn);
654}
655
1da177e4
LT		 656static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
657{
0139418c 658 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4 659
0139418c 660 if (conn || status)
1da177e4
LT		 661 return conn;
662
0139418c
MH		 663 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
664 if (!conn)
1da177e4 665 return NULL;
1da177e4
LT		 666
667 hcon->l2cap_data = conn;
668 conn->hcon = hcon;
669
0139418c
MH		 670 BT_DBG("hcon %p conn %p", hcon, conn);
671
1da177e4
LT		 672 conn->mtu = hcon->hdev->acl_mtu;
673 conn->src = &hcon->hdev->bdaddr;
674 conn->dst = &hcon->dst;
675
4e8402a3
MH		 676 conn->feat_mask = 0;
677
1da177e4
LT		 678 spin_lock_init(&conn->lock);
679 rwlock_init(&conn->chan_list.lock);
680
45054dc1
DY		 681 setup_timer(&conn->info_timer, l2cap_info_timeout,
682 (unsigned long) conn);
683
2950f21a
MH		 684 conn->disc_reason = 0x13;
685
1da177e4
LT		 686 return conn;
687}
688
0139418c 689static void l2cap_conn_del(struct hci_conn *hcon, int err)
1da177e4 690{
0139418c 691 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4
LT		 692 struct sock *sk;
693
0139418c
MH		 694 if (!conn)
695 return;
1da177e4
LT		 696
697 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
698
7585b97a 699 kfree_skb(conn->rx_skb);
1da177e4
LT		 700
701 /* Kill channels */
702 while ((sk = conn->chan_list.head)) {
703 bh_lock_sock(sk);
704 l2cap_chan_del(sk, err);
705 bh_unlock_sock(sk);
706 l2cap_sock_kill(sk);
707 }
708
8e8440f5
DY		 709 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
710 del_timer_sync(&conn->info_timer);
3ab22731 711
1da177e4
LT		 712 hcon->l2cap_data = NULL;
713 kfree(conn);
1da177e4
LT		 714}
715
716static inline void l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent)
717{
718 struct l2cap_chan_list *l = &conn->chan_list;
fd1278d7 719 write_lock_bh(&l->lock);
1da177e4 720 __l2cap_chan_add(conn, sk, parent);
fd1278d7 721 write_unlock_bh(&l->lock);
1da177e4
LT		 722}
723
1da177e4 724/* ---- Socket interface ---- */
1da177e4
LT		 725
726/* Find socket with psm and source bdaddr.
727 * Returns closest match.
728 */
e0f0cb56 729static struct sock *l2cap_get_sock_by_psm(int state, __le16 psm, bdaddr_t *src)
1da177e4
LT		 730{
731 struct sock *sk = NULL, *sk1 = NULL;
732 struct hlist_node *node;
733
e0f0cb56
GP		 734 read_lock(&l2cap_sk_list.lock);
735
1da177e4
LT		 736 sk_for_each(sk, node, &l2cap_sk_list.head) {
737 if (state && sk->sk_state != state)
738 continue;
739
740 if (l2cap_pi(sk)->psm == psm) {
741 /* Exact match. */
742 if (!bacmp(&bt_sk(sk)->src, src))
743 break;
744
745 /* Closest match */
746 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
747 sk1 = sk;
748 }
749 }
1da177e4 750
1da177e4 751 read_unlock(&l2cap_sk_list.lock);
e0f0cb56
GP		 752
753 return node ? sk : sk1;
1da177e4
LT		 754}
755
1da177e4
LT		 756static void l2cap_sock_cleanup_listen(struct sock *parent)
757{
758 struct sock *sk;
759
760 BT_DBG("parent %p", parent);
761
762 /* Close not yet accepted channels */
763 while ((sk = bt_accept_dequeue(parent, NULL)))
764 l2cap_sock_close(sk);
765
b1235d79 766 parent->sk_state = BT_CLOSED;
1da177e4
LT		 767 sock_set_flag(parent, SOCK_ZAPPED);
768}
769
770/* Kill socket (only if zapped and orphan)
771 * Must be called on unlocked socket.
772 */
bb58f747 773void l2cap_sock_kill(struct sock *sk)
1da177e4
LT		 774{
775 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
776 return;
777
778 BT_DBG("sk %p state %d", sk, sk->sk_state);
779
780 /* Kill poor orphan */
781 bt_sock_unlink(&l2cap_sk_list, sk);
782 sock_set_flag(sk, SOCK_DEAD);
783 sock_put(sk);
784}
785
bb58f747 786void __l2cap_sock_close(struct sock *sk, int reason)
1da177e4
LT		 787{
788 BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
789
790 switch (sk->sk_state) {
791 case BT_LISTEN:
792 l2cap_sock_cleanup_listen(sk);
793 break;
794
795 case BT_CONNECTED:
796 case BT_CONFIG:
bd3c9e25
GP		 797 if (sk->sk_type == SOCK_SEQPACKET ||
798 sk->sk_type == SOCK_STREAM) {
1da177e4 799 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1da177e4 800
1da177e4 801 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
9b108fc0 802 l2cap_send_disconn_req(conn, sk, reason);
b1235d79 803 } else
1da177e4 804 l2cap_chan_del(sk, reason);
1da177e4
LT		 805 break;
806
f66dc81f 807 case BT_CONNECT2:
bd3c9e25
GP		 808 if (sk->sk_type == SOCK_SEQPACKET ||
809 sk->sk_type == SOCK_STREAM) {
f66dc81f
MH		 810 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
811 struct l2cap_conn_rsp rsp;
812 __u16 result;
813
814 if (bt_sk(sk)->defer_setup)
815 result = L2CAP_CR_SEC_BLOCK;
816 else
817 result = L2CAP_CR_BAD_PSM;
e733fb62 818 sk->sk_state = BT_DISCONN;
f66dc81f
MH		 819
820 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
821 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
822 rsp.result = cpu_to_le16(result);
823 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
824 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
825 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
826 } else
827 l2cap_chan_del(sk, reason);
828 break;
829
1da177e4
LT		 830 case BT_CONNECT:
831 case BT_DISCONN:
832 l2cap_chan_del(sk, reason);
833 break;
834
835 default:
836 sock_set_flag(sk, SOCK_ZAPPED);
837 break;
838 }
839}
840
841/* Must be called on unlocked socket. */
842static void l2cap_sock_close(struct sock *sk)
843{
844 l2cap_sock_clear_timer(sk);
845 lock_sock(sk);
846 __l2cap_sock_close(sk, ECONNRESET);
847 release_sock(sk);
848 l2cap_sock_kill(sk);
849}
850
1da177e4
LT		 851static int l2cap_do_connect(struct sock *sk)
852{
853 bdaddr_t *src = &bt_sk(sk)->src;
854 bdaddr_t *dst = &bt_sk(sk)->dst;
855 struct l2cap_conn *conn;
856 struct hci_conn *hcon;
857 struct hci_dev *hdev;
09ab6f4c 858 __u8 auth_type;
44d0e48e 859 int err;
1da177e4 860
f29972de
MH		 861 BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
862 l2cap_pi(sk)->psm);
1da177e4 863
af05b30b
GP		 864 hdev = hci_get_route(dst, src);
865 if (!hdev)
1da177e4
LT		 866 return -EHOSTUNREACH;
867
868 hci_dev_lock_bh(hdev);
869
870 err = -ENOMEM;
871
8556edd3 872 auth_type = l2cap_get_auth_type(sk);
09ab6f4c 873
2af6b9d5
MH		 874 hcon = hci_connect(hdev, ACL_LINK, dst,
875 l2cap_pi(sk)->sec_level, auth_type);
1da177e4
LT		 876 if (!hcon)
877 goto done;
878
879 conn = l2cap_conn_add(hcon, 0);
880 if (!conn) {
881 hci_conn_put(hcon);
882 goto done;
883 }
884
885 err = 0;
886
887 /* Update source addr of the socket */
888 bacpy(src, conn->src);
889
890 l2cap_chan_add(conn, sk, NULL);
891
892 sk->sk_state = BT_CONNECT;
893 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
894
895 if (hcon->state == BT_CONNECTED) {
bd3c9e25
GP		 896 if (sk->sk_type != SOCK_SEQPACKET &&
897 sk->sk_type != SOCK_STREAM) {
1da177e4 898 l2cap_sock_clear_timer(sk);
d00ef24f
JH		 899 if (l2cap_check_security(sk))
900 sk->sk_state = BT_CONNECTED;
79d554a6
MH		 901 } else
902 l2cap_do_start(sk);
1da177e4
LT		 903 }
904
905done:
906 hci_dev_unlock_bh(hdev);
907 hci_dev_put(hdev);
908 return err;
909}
910
65390587 911int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags)
1da177e4 912{
1da177e4 913 struct sock *sk = sock->sk;
f29972de
MH		 914 struct sockaddr_l2 la;
915 int len, err = 0;
1da177e4 916
1da177e4
LT		 917 BT_DBG("sk %p", sk);
918
6503d961
CG		 919 if (!addr || alen < sizeof(addr->sa_family) ||
920 addr->sa_family != AF_BLUETOOTH)
2a517ca6 921 return -EINVAL;
1da177e4 922
f29972de
MH		 923 memset(&la, 0, sizeof(la));
924 len = min_t(unsigned int, sizeof(la), alen);
925 memcpy(&la, addr, len);
926
2a517ca6
MH		 927 if (la.l2_cid)
928 return -EINVAL;
929
930 lock_sock(sk);
931
bd3c9e25
GP		 932 if ((sk->sk_type == SOCK_SEQPACKET || sk->sk_type == SOCK_STREAM)
933 && !la.l2_psm) {
1da177e4
LT		 934 err = -EINVAL;
935 goto done;
936 }
937
c6b03cf9
MH		 938 switch (l2cap_pi(sk)->mode) {
939 case L2CAP_MODE_BASIC:
940 break;
941 case L2CAP_MODE_ERTM:
f2fcfcd6 942 case L2CAP_MODE_STREAMING:
d1c4a17d 943 if (!disable_ertm)
c6b03cf9
MH		 944 break;
945 /* fall through */
946 default:
947 err = -ENOTSUPP;
948 goto done;
949 }
950
af05b30b 951 switch (sk->sk_state) {
1da177e4
LT		 952 case BT_CONNECT:
953 case BT_CONNECT2:
954 case BT_CONFIG:
955 /* Already connecting */
956 goto wait;
957
958 case BT_CONNECTED:
959 /* Already connected */
8b0dc6dc 960 err = -EISCONN;
1da177e4
LT		 961 goto done;
962
963 case BT_OPEN:
964 case BT_BOUND:
965 /* Can connect */
966 break;
967
968 default:
969 err = -EBADFD;
970 goto done;
971 }
972
0fba2558
MM		 973 /* PSM must be odd and lsb of upper byte must be 0 */
974 if ((__le16_to_cpu(la.l2_psm) & 0x0101) != 0x0001 &&
975 sk->sk_type != SOCK_RAW) {
976 err = -EINVAL;
977 goto done;
978 }
979
1da177e4 980 /* Set destination address and psm */
f29972de
MH		 981 bacpy(&bt_sk(sk)->dst, &la.l2_bdaddr);
982 l2cap_pi(sk)->psm = la.l2_psm;
1da177e4 983
af05b30b
GP		 984 err = l2cap_do_connect(sk);
985 if (err)
1da177e4
LT		 986 goto done;
987
988wait:
989 err = bt_sock_wait_state(sk, BT_CONNECTED,
990 sock_sndtimeo(sk, flags & O_NONBLOCK));
991done:
992 release_sock(sk);
993 return err;
994}
995
65390587 996int l2cap_sock_accept(struct socket *sock, struct socket *newsock, int flags)
1da177e4
LT		 997{
998 DECLARE_WAITQUEUE(wait, current);
999 struct sock *sk = sock->sk, *nsk;
1000 long timeo;
1001 int err = 0;
1002
fcc70d5f 1003 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
1da177e4
LT		 1004
1005 if (sk->sk_state != BT_LISTEN) {
1006 err = -EBADFD;
1007 goto done;
1008 }
1009
1010 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
1011
1012 BT_DBG("sk %p timeo %ld", sk, timeo);
1013
1014 /* Wait for an incoming connection. (wake-one). */
aa395145 1015 add_wait_queue_exclusive(sk_sleep(sk), &wait);
1da177e4
LT		 1016 while (!(nsk = bt_accept_dequeue(sk, newsock))) {
1017 set_current_state(TASK_INTERRUPTIBLE);
1018 if (!timeo) {
1019 err = -EAGAIN;
1020 break;
1021 }
1022
1023 release_sock(sk);
1024 timeo = schedule_timeout(timeo);
fcc70d5f 1025 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
1da177e4
LT		 1026
1027 if (sk->sk_state != BT_LISTEN) {
1028 err = -EBADFD;
1029 break;
1030 }
1031
1032 if (signal_pending(current)) {
1033 err = sock_intr_errno(timeo);
1034 break;
1035 }
1036 }
1037 set_current_state(TASK_RUNNING);
aa395145 1038 remove_wait_queue(sk_sleep(sk), &wait);
1da177e4
LT		 1039
1040 if (err)
1041 goto done;
1042
1043 newsock->state = SS_CONNECTED;
1044
1045 BT_DBG("new socket %p", nsk);
1046
1047done:
1048 release_sock(sk);
1049 return err;
1050}
1051
65390587 1052int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr, int *len, int peer)
1da177e4
LT		 1053{
1054 struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
1055 struct sock *sk = sock->sk;
1056
1057 BT_DBG("sock %p, sk %p", sock, sk);
1058
1059 addr->sa_family = AF_BLUETOOTH;
1060 *len = sizeof(struct sockaddr_l2);
1061
f29972de
MH		 1062 if (peer) {
1063 la->l2_psm = l2cap_pi(sk)->psm;
1da177e4 1064 bacpy(&la->l2_bdaddr, &bt_sk(sk)->dst);
b4324b5d 1065 la->l2_cid = cpu_to_le16(l2cap_pi(sk)->dcid);
f29972de
MH		 1066 } else {
1067 la->l2_psm = l2cap_pi(sk)->sport;
1da177e4 1068 bacpy(&la->l2_bdaddr, &bt_sk(sk)->src);
b4324b5d 1069 la->l2_cid = cpu_to_le16(l2cap_pi(sk)->scid);
f29972de 1070 }
1da177e4 1071
1da177e4
LT		 1072 return 0;
1073}
1074
6161c038
GP		 1075static int __l2cap_wait_ack(struct sock *sk)
1076{
1077 DECLARE_WAITQUEUE(wait, current);
1078 int err = 0;
1079 int timeo = HZ/5;
1080
2b0b05dd 1081 add_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1082 while ((l2cap_pi(sk)->unacked_frames > 0 && l2cap_pi(sk)->conn)) {
1083 set_current_state(TASK_INTERRUPTIBLE);
1084
1085 if (!timeo)
1086 timeo = HZ/5;
1087
1088 if (signal_pending(current)) {
1089 err = sock_intr_errno(timeo);
1090 break;
1091 }
1092
1093 release_sock(sk);
1094 timeo = schedule_timeout(timeo);
1095 lock_sock(sk);
1096
1097 err = sock_error(sk);
1098 if (err)
1099 break;
1100 }
1101 set_current_state(TASK_RUNNING);
2b0b05dd 1102 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1103 return err;
1104}
1105
e90bac06
GP		 1106static void l2cap_monitor_timeout(unsigned long arg)
1107{
1108 struct sock *sk = (void *) arg;
e90bac06 1109
0e98958d
GP		 1110 BT_DBG("sk %p", sk);
1111
e686219a 1112 bh_lock_sock(sk);
e90bac06 1113 if (l2cap_pi(sk)->retry_count >= l2cap_pi(sk)->remote_max_tx) {
9b108fc0 1114 l2cap_send_disconn_req(l2cap_pi(sk)->conn, sk, ECONNABORTED);
b13f5860 1115 bh_unlock_sock(sk);
e90bac06
GP		 1116 return;
1117 }
1118
1119 l2cap_pi(sk)->retry_count++;
1120 __mod_monitor_timer();
1121
a2e12a2a 1122 l2cap_send_rr_or_rnr(l2cap_pi(sk), L2CAP_CTRL_POLL);
e686219a 1123 bh_unlock_sock(sk);
e90bac06
GP		 1124}
1125
1126static void l2cap_retrans_timeout(unsigned long arg)
1127{
1128 struct sock *sk = (void *) arg;
e90bac06 1129
0e98958d
GP		 1130 BT_DBG("sk %p", sk);
1131
e686219a 1132 bh_lock_sock(sk);
e90bac06
GP		 1133 l2cap_pi(sk)->retry_count = 1;
1134 __mod_monitor_timer();
1135
1136 l2cap_pi(sk)->conn_state |= L2CAP_CONN_WAIT_F;
1137
a2e12a2a 1138 l2cap_send_rr_or_rnr(l2cap_pi(sk), L2CAP_CTRL_POLL);
e686219a 1139 bh_unlock_sock(sk);
e90bac06
GP		 1140}
1141
1c2acffb 1142static void l2cap_drop_acked_frames(struct sock *sk)
1da177e4 1143{
1c2acffb 1144 struct sk_buff *skb;
1da177e4 1145
812e737e
GP		 1146 while ((skb = skb_peek(TX_QUEUE(sk))) &&
1147 l2cap_pi(sk)->unacked_frames) {
1c2acffb
GP		 1148 if (bt_cb(skb)->tx_seq == l2cap_pi(sk)->expected_ack_seq)
1149 break;
1da177e4 1150
1c2acffb
GP		 1151 skb = skb_dequeue(TX_QUEUE(sk));
1152 kfree_skb(skb);
1da177e4 1153
1c2acffb
GP		 1154 l2cap_pi(sk)->unacked_frames--;
1155 }
1da177e4 1156
e90bac06
GP		 1157 if (!l2cap_pi(sk)->unacked_frames)
1158 del_timer(&l2cap_pi(sk)->retrans_timer);
1c2acffb 1159}
1da177e4 1160
9a9c6a34 1161static inline void l2cap_do_send(struct sock *sk, struct sk_buff *skb)
1c2acffb
GP		 1162{
1163 struct l2cap_pinfo *pi = l2cap_pi(sk);
e702112f
AE		 1164 struct hci_conn *hcon = pi->conn->hcon;
1165 u16 flags;
1c2acffb
GP		 1166
1167 BT_DBG("sk %p, skb %p len %d", sk, skb, skb->len);
1da177e4 1168
e702112f
AE		 1169 if (!pi->flushable && lmp_no_flush_capable(hcon->hdev))
1170 flags = ACL_START_NO_FLUSH;
1171 else
1172 flags = ACL_START;
1173
1174 hci_send_acl(hcon, skb, flags);
1c2acffb
GP		 1175}
1176
305682e8 1177static void l2cap_streaming_send(struct sock *sk)
6840ed07 1178{
ccbb84af 1179 struct sk_buff *skb;
6840ed07 1180 struct l2cap_pinfo *pi = l2cap_pi(sk);
fcc203c3 1181 u16 control, fcs;
6840ed07 1182
ccbb84af
GP		 1183 while ((skb = skb_dequeue(TX_QUEUE(sk)))) {
1184 control = get_unaligned_le16(skb->data + L2CAP_HDR_SIZE);
6840ed07 1185 control |= pi->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT;
ccbb84af 1186 put_unaligned_le16(control, skb->data + L2CAP_HDR_SIZE);
6840ed07 1187
e8235c6b 1188 if (pi->fcs == L2CAP_FCS_CRC16) {
ccbb84af
GP		 1189 fcs = crc16(0, (u8 *)skb->data, skb->len - 2);
1190 put_unaligned_le16(fcs, skb->data + skb->len - 2);
fcc203c3
GP		 1191 }
1192
ccbb84af 1193 l2cap_do_send(sk, skb);
6840ed07
GP		 1194
1195 pi->next_tx_seq = (pi->next_tx_seq + 1) % 64;
6840ed07 1196 }
6840ed07
GP		 1197}
1198
dfc909be 1199static void l2cap_retransmit_one_frame(struct sock *sk, u8 tx_seq)
8f17154f
GP		 1200{
1201 struct l2cap_pinfo *pi = l2cap_pi(sk);
1202 struct sk_buff *skb, *tx_skb;
1203 u16 control, fcs;
8f17154f
GP		 1204
1205 skb = skb_peek(TX_QUEUE(sk));
f11d676d
GP		 1206 if (!skb)
1207 return;
8f17154f 1208
f11d676d
GP		 1209 do {
1210 if (bt_cb(skb)->tx_seq == tx_seq)
8f17154f 1211 break;
8f17154f 1212
f11d676d
GP		 1213 if (skb_queue_is_last(TX_QUEUE(sk), skb))
1214 return;
8f17154f 1215
f11d676d 1216 } while ((skb = skb_queue_next(TX_QUEUE(sk), skb)));
8f17154f 1217
f11d676d
GP		 1218 if (pi->remote_max_tx &&
1219 bt_cb(skb)->retries == pi->remote_max_tx) {
9b108fc0 1220 l2cap_send_disconn_req(pi->conn, sk, ECONNABORTED);
f11d676d
GP		 1221 return;
1222 }
1223
1224 tx_skb = skb_clone(skb, GFP_ATOMIC);
1225 bt_cb(skb)->retries++;
1226 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
3cb123d1
GP		 1227
1228 if (pi->conn_state & L2CAP_CONN_SEND_FBIT) {
1229 control |= L2CAP_CTRL_FINAL;
1230 pi->conn_state &= ~L2CAP_CONN_SEND_FBIT;
1231 }
95ffa978 1232
f11d676d
GP		 1233 control |= (pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1234 | (tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
3cb123d1 1235
f11d676d
GP		 1236 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1237
1238 if (pi->fcs == L2CAP_FCS_CRC16) {
1239 fcs = crc16(0, (u8 *)tx_skb->data, tx_skb->len - 2);
1240 put_unaligned_le16(fcs, tx_skb->data + tx_skb->len - 2);
1241 }
1242
1243 l2cap_do_send(sk, tx_skb);
8f17154f
GP		 1244}
1245
1c2acffb
GP		 1246static int l2cap_ertm_send(struct sock *sk)
1247{
1248 struct sk_buff *skb, *tx_skb;
1249 struct l2cap_pinfo *pi = l2cap_pi(sk);
fcc203c3 1250 u16 control, fcs;
9a9c6a34 1251 int nsent = 0;
1c2acffb 1252
c13ffa62
GP		 1253 if (sk->sk_state != BT_CONNECTED)
1254 return -ENOTCONN;
e90bac06 1255
6e2b6722 1256 while ((skb = sk->sk_send_head) && (!l2cap_tx_window_full(sk))) {
1c2acffb 1257
e90bac06
GP		 1258 if (pi->remote_max_tx &&
1259 bt_cb(skb)->retries == pi->remote_max_tx) {
9b108fc0 1260 l2cap_send_disconn_req(pi->conn, sk, ECONNABORTED);
e90bac06
GP		 1261 break;
1262 }
1263
e420aba3
AE		 1264 tx_skb = skb_clone(skb, GFP_ATOMIC);
1265
e90bac06
GP		 1266 bt_cb(skb)->retries++;
1267
1c2acffb 1268 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
95ffa978
GP		 1269 control &= L2CAP_CTRL_SAR;
1270
d5392c8f
GP		 1271 if (pi->conn_state & L2CAP_CONN_SEND_FBIT) {
1272 control |= L2CAP_CTRL_FINAL;
1273 pi->conn_state &= ~L2CAP_CONN_SEND_FBIT;
1274 }
9f121a5a 1275 control |= (pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1c2acffb
GP		 1276 | (pi->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
1277 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1278
e90bac06 1279
e8235c6b 1280 if (pi->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 1281 fcs = crc16(0, (u8 *)skb->data, tx_skb->len - 2);
1282 put_unaligned_le16(fcs, skb->data + tx_skb->len - 2);
1283 }
1284
9a9c6a34
GP		 1285 l2cap_do_send(sk, tx_skb);
1286
e90bac06 1287 __mod_retrans_timer();
1c2acffb
GP		 1288
1289 bt_cb(skb)->tx_seq = pi->next_tx_seq;
1290 pi->next_tx_seq = (pi->next_tx_seq + 1) % 64;
1291
1292 pi->unacked_frames++;
d5392c8f 1293 pi->frames_sent++;
1c2acffb
GP		 1294
1295 if (skb_queue_is_last(TX_QUEUE(sk), skb))
1296 sk->sk_send_head = NULL;
1297 else
1298 sk->sk_send_head = skb_queue_next(TX_QUEUE(sk), skb);
9e917af1
GP		 1299
1300 nsent++;
1c2acffb
GP		 1301 }
1302
9e917af1
GP		 1303 return nsent;
1304}
1305
dfc909be
GP		 1306static int l2cap_retransmit_frames(struct sock *sk)
1307{
1308 struct l2cap_pinfo *pi = l2cap_pi(sk);
1309 int ret;
1310
dfc909be
GP		 1311 if (!skb_queue_empty(TX_QUEUE(sk)))
1312 sk->sk_send_head = TX_QUEUE(sk)->next;
1313
1314 pi->next_tx_seq = pi->expected_ack_seq;
1315 ret = l2cap_ertm_send(sk);
dfc909be
GP		 1316 return ret;
1317}
1318
9a9c6a34 1319static void l2cap_send_ack(struct l2cap_pinfo *pi)
9e917af1
GP		 1320{
1321 struct sock *sk = (struct sock *)pi;
1322 u16 control = 0;
1323
1324 control |= pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1325
1326 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) {
1327 control |= L2CAP_SUPER_RCV_NOT_READY;
1890d36b 1328 pi->conn_state |= L2CAP_CONN_RNR_SENT;
9a9c6a34
GP		 1329 l2cap_send_sframe(pi, control);
1330 return;
9e917af1 1331 }
dfc909be 1332
e0f66218 1333 if (l2cap_ertm_send(sk) > 0)
dfc909be
GP		 1334 return;
1335
1336 control |= L2CAP_SUPER_RCV_READY;
1337 l2cap_send_sframe(pi, control);
1c2acffb
GP		 1338}
1339
9a9c6a34 1340static void l2cap_send_srejtail(struct sock *sk)
99b0d4b7
GP		 1341{
1342 struct srej_list *tail;
1343 u16 control;
1344
1345 control = L2CAP_SUPER_SELECT_REJECT;
1346 control |= L2CAP_CTRL_FINAL;
1347
1348 tail = list_entry(SREJ_LIST(sk)->prev, struct srej_list, list);
1349 control |= tail->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1350
1351 l2cap_send_sframe(l2cap_pi(sk), control);
99b0d4b7
GP		 1352}
1353
1c2acffb
GP		 1354static inline int l2cap_skbuff_fromiovec(struct sock *sk, struct msghdr *msg, int len, int count, struct sk_buff *skb)
1355{
1356 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1357 struct sk_buff **frag;
1358 int err, sent = 0;
1da177e4 1359
59203a21 1360 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1361 return -EFAULT;
1da177e4
LT		 1362
1363 sent += count;
1364 len -= count;
1365
1366 /* Continuation fragments (no L2CAP header) */
1367 frag = &skb_shinfo(skb)->frag_list;
1368 while (len) {
1369 count = min_t(unsigned int, conn->mtu, len);
1370
1371 *frag = bt_skb_send_alloc(sk, count, msg->msg_flags & MSG_DONTWAIT, &err);
1372 if (!*frag)
0175d629 1373 return err;
1c2acffb
GP		 1374 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1375 return -EFAULT;
1da177e4
LT		 1376
1377 sent += count;
1378 len -= count;
1379
1380 frag = &(*frag)->next;
1381 }
1da177e4
LT		 1382
1383 return sent;
1c2acffb 1384}
1da177e4 1385
1c2acffb
GP		 1386static struct sk_buff *l2cap_create_connless_pdu(struct sock *sk, struct msghdr *msg, size_t len)
1387{
1388 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1389 struct sk_buff *skb;
1390 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1391 struct l2cap_hdr *lh;
1392
1393 BT_DBG("sk %p len %d", sk, (int)len);
1394
1395 count = min_t(unsigned int, (conn->mtu - hlen), len);
1396 skb = bt_skb_send_alloc(sk, count + hlen,
1397 msg->msg_flags & MSG_DONTWAIT, &err);
1398 if (!skb)
0175d629 1399 return ERR_PTR(err);
1c2acffb
GP		 1400
1401 /* Create L2CAP header */
1402 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1403 lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1404 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1405 put_unaligned_le16(l2cap_pi(sk)->psm, skb_put(skb, 2));
1406
1407 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1408 if (unlikely(err < 0)) {
1409 kfree_skb(skb);
1410 return ERR_PTR(err);
1411 }
1412 return skb;
1413}
1414
1415static struct sk_buff *l2cap_create_basic_pdu(struct sock *sk, struct msghdr *msg, size_t len)
1416{
1417 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1418 struct sk_buff *skb;
1419 int err, count, hlen = L2CAP_HDR_SIZE;
1420 struct l2cap_hdr *lh;
1421
1422 BT_DBG("sk %p len %d", sk, (int)len);
1423
1424 count = min_t(unsigned int, (conn->mtu - hlen), len);
1425 skb = bt_skb_send_alloc(sk, count + hlen,
1426 msg->msg_flags & MSG_DONTWAIT, &err);
1427 if (!skb)
0175d629 1428 return ERR_PTR(err);
1c2acffb
GP		 1429
1430 /* Create L2CAP header */
1431 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1432 lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1433 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1434
1435 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1436 if (unlikely(err < 0)) {
1437 kfree_skb(skb);
1438 return ERR_PTR(err);
1439 }
1440 return skb;
1441}
1442
6840ed07 1443static struct sk_buff *l2cap_create_iframe_pdu(struct sock *sk, struct msghdr *msg, size_t len, u16 control, u16 sdulen)
1c2acffb
GP		 1444{
1445 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1446 struct sk_buff *skb;
1447 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1448 struct l2cap_hdr *lh;
1449
1450 BT_DBG("sk %p len %d", sk, (int)len);
1451
0ee0d208
GP		 1452 if (!conn)
1453 return ERR_PTR(-ENOTCONN);
1454
c74e560c
GP		 1455 if (sdulen)
1456 hlen += 2;
1457
fcc203c3
GP		 1458 if (l2cap_pi(sk)->fcs == L2CAP_FCS_CRC16)
1459 hlen += 2;
1460
1c2acffb
GP		 1461 count = min_t(unsigned int, (conn->mtu - hlen), len);
1462 skb = bt_skb_send_alloc(sk, count + hlen,
1463 msg->msg_flags & MSG_DONTWAIT, &err);
1464 if (!skb)
0175d629 1465 return ERR_PTR(err);
1c2acffb
GP		 1466
1467 /* Create L2CAP header */
1468 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1469 lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1470 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1471 put_unaligned_le16(control, skb_put(skb, 2));
c74e560c
GP		 1472 if (sdulen)
1473 put_unaligned_le16(sdulen, skb_put(skb, 2));
1c2acffb
GP		 1474
1475 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1476 if (unlikely(err < 0)) {
1477 kfree_skb(skb);
1478 return ERR_PTR(err);
1479 }
e90bac06 1480
fcc203c3
GP		 1481 if (l2cap_pi(sk)->fcs == L2CAP_FCS_CRC16)
1482 put_unaligned_le16(0, skb_put(skb, 2));
1483
e90bac06 1484 bt_cb(skb)->retries = 0;
1c2acffb 1485 return skb;
1da177e4
LT		 1486}
1487
c74e560c
GP		 1488static inline int l2cap_sar_segment_sdu(struct sock *sk, struct msghdr *msg, size_t len)
1489{
1490 struct l2cap_pinfo *pi = l2cap_pi(sk);
1491 struct sk_buff *skb;
1492 struct sk_buff_head sar_queue;
1493 u16 control;
1494 size_t size = 0;
1495
ff12fd64 1496 skb_queue_head_init(&sar_queue);
c74e560c 1497 control = L2CAP_SDU_START;
1c762159 1498 skb = l2cap_create_iframe_pdu(sk, msg, pi->remote_mps, control, len);
c74e560c
GP		 1499 if (IS_ERR(skb))
1500 return PTR_ERR(skb);
1501
1502 __skb_queue_tail(&sar_queue, skb);
1c762159
GP		 1503 len -= pi->remote_mps;
1504 size += pi->remote_mps;
c74e560c
GP		 1505
1506 while (len > 0) {
1507 size_t buflen;
1508
1c762159 1509 if (len > pi->remote_mps) {
44651b85 1510 control = L2CAP_SDU_CONTINUE;
1c762159 1511 buflen = pi->remote_mps;
c74e560c 1512 } else {
44651b85 1513 control = L2CAP_SDU_END;
c74e560c
GP		 1514 buflen = len;
1515 }
1516
6840ed07 1517 skb = l2cap_create_iframe_pdu(sk, msg, buflen, control, 0);
c74e560c
GP		 1518 if (IS_ERR(skb)) {
1519 skb_queue_purge(&sar_queue);
1520 return PTR_ERR(skb);
1521 }
1522
1523 __skb_queue_tail(&sar_queue, skb);
1524 len -= buflen;
1525 size += buflen;
c74e560c
GP		 1526 }
1527 skb_queue_splice_tail(&sar_queue, TX_QUEUE(sk));
1528 if (sk->sk_send_head == NULL)
1529 sk->sk_send_head = sar_queue.next;
1530
1531 return size;
1532}
1533
65390587 1534int l2cap_sock_sendmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len)
1da177e4
LT		 1535{
1536 struct sock *sk = sock->sk;
1c2acffb
GP		 1537 struct l2cap_pinfo *pi = l2cap_pi(sk);
1538 struct sk_buff *skb;
1539 u16 control;
1540 int err;
1da177e4
LT		 1541
1542 BT_DBG("sock %p, sk %p", sock, sk);
1543
c1cbe4b7
BL		 1544 err = sock_error(sk);
1545 if (err)
1546 return err;
1da177e4
LT		 1547
1548 if (msg->msg_flags & MSG_OOB)
1549 return -EOPNOTSUPP;
1550
1da177e4
LT		 1551 lock_sock(sk);
1552
1c2acffb 1553 if (sk->sk_state != BT_CONNECTED) {
1da177e4 1554 err = -ENOTCONN;
1c2acffb
GP		 1555 goto done;
1556 }
1da177e4 1557
1c2acffb
GP		 1558 /* Connectionless channel */
1559 if (sk->sk_type == SOCK_DGRAM) {
1560 skb = l2cap_create_connless_pdu(sk, msg, len);
9a9c6a34 1561 if (IS_ERR(skb)) {
477fffb0 1562 err = PTR_ERR(skb);
9a9c6a34
GP		 1563 } else {
1564 l2cap_do_send(sk, skb);
1565 err = len;
1566 }
1c2acffb
GP		 1567 goto done;
1568 }
1569
1570 switch (pi->mode) {
1571 case L2CAP_MODE_BASIC:
c69163e9
GP		 1572 /* Check outgoing MTU */
1573 if (len > pi->omtu) {
f9dd11b0 1574 err = -EMSGSIZE;
c69163e9
GP		 1575 goto done;
1576 }
1577
1c2acffb
GP		 1578 /* Create a basic PDU */
1579 skb = l2cap_create_basic_pdu(sk, msg, len);
1580 if (IS_ERR(skb)) {
1581 err = PTR_ERR(skb);
1582 goto done;
1583 }
1584
9a9c6a34
GP		 1585 l2cap_do_send(sk, skb);
1586 err = len;
1c2acffb
GP		 1587 break;
1588
1589 case L2CAP_MODE_ERTM:
6840ed07 1590 case L2CAP_MODE_STREAMING:
1c2acffb 1591 /* Entire SDU fits into one PDU */
1c762159 1592 if (len <= pi->remote_mps) {
1c2acffb 1593 control = L2CAP_SDU_UNSEGMENTED;
6840ed07 1594 skb = l2cap_create_iframe_pdu(sk, msg, len, control, 0);
1c2acffb
GP		 1595 if (IS_ERR(skb)) {
1596 err = PTR_ERR(skb);
1597 goto done;
1598 }
c74e560c 1599 __skb_queue_tail(TX_QUEUE(sk), skb);
dfc909be 1600
c74e560c
GP		 1601 if (sk->sk_send_head == NULL)
1602 sk->sk_send_head = skb;
dfc909be 1603
1c2acffb 1604 } else {
c74e560c
GP		 1605 /* Segment SDU into multiples PDUs */
1606 err = l2cap_sar_segment_sdu(sk, msg, len);
1607 if (err < 0)
1608 goto done;
1c2acffb 1609 }
1c2acffb 1610
dfc909be 1611 if (pi->mode == L2CAP_MODE_STREAMING) {
305682e8 1612 l2cap_streaming_send(sk);
dfc909be 1613 } else {
4571928f
DS		 1614 if ((pi->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
1615 (pi->conn_state & L2CAP_CONN_WAIT_F)) {
6e2b6722
GP		 1616 err = len;
1617 break;
1618 }
6840ed07 1619 err = l2cap_ertm_send(sk);
dfc909be 1620 }
6840ed07 1621
9e917af1 1622 if (err >= 0)
1c2acffb
GP		 1623 err = len;
1624 break;
1625
1626 default:
1627 BT_DBG("bad state %1.1x", pi->mode);
bc766db2 1628 err = -EBADFD;
1c2acffb
GP		 1629 }
1630
1631done:
1da177e4
LT		 1632 release_sock(sk);
1633 return err;
1634}
1635
65390587 1636int l2cap_sock_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len, int flags)
f66dc81f
MH		 1637{
1638 struct sock *sk = sock->sk;
1639
1640 lock_sock(sk);
1641
1642 if (sk->sk_state == BT_CONNECT2 && bt_sk(sk)->defer_setup) {
1643 struct l2cap_conn_rsp rsp;
e9aeb2dd
GP		 1644 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1645 u8 buf[128];
f66dc81f
MH		 1646
1647 sk->sk_state = BT_CONFIG;
1648
1649 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
1650 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
1651 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1652 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1653 l2cap_send_cmd(l2cap_pi(sk)->conn, l2cap_pi(sk)->ident,
1654 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
1655
e9aeb2dd
GP		 1656 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT) {
1657 release_sock(sk);
1658 return 0;
1659 }
1660
1661 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
1662 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
1663 l2cap_build_conf_req(sk, buf), buf);
1664 l2cap_pi(sk)->num_conf_req++;
1665
f66dc81f
MH		 1666 release_sock(sk);
1667 return 0;
1668 }
1669
1670 release_sock(sk);
1671
6fdf482b
MM		 1672 if (sock->type == SOCK_STREAM)
1673 return bt_sock_stream_recvmsg(iocb, sock, msg, len, flags);
1674
f66dc81f
MH		 1675 return bt_sock_recvmsg(iocb, sock, msg, len, flags);
1676}
1677
b7058842 1678static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __user *optval, unsigned int optlen)
1da177e4
LT		 1679{
1680 struct sock *sk = sock->sk;
1681 struct l2cap_options opts;
f29972de 1682 int len, err = 0;
1da177e4
LT		 1683 u32 opt;
1684
1685 BT_DBG("sk %p", sk);
1686
1687 lock_sock(sk);
1688
1689 switch (optname) {
1690 case L2CAP_OPTIONS:
eaa71b31
GP		 1691 if (sk->sk_state == BT_CONNECTED) {
1692 err = -EINVAL;
1693 break;
1694 }
1695
0878b666
MH		 1696 opts.imtu = l2cap_pi(sk)->imtu;
1697 opts.omtu = l2cap_pi(sk)->omtu;
1698 opts.flush_to = l2cap_pi(sk)->flush_to;
c6b03cf9 1699 opts.mode = l2cap_pi(sk)->mode;
fcc203c3 1700 opts.fcs = l2cap_pi(sk)->fcs;
68d7f0ce 1701 opts.max_tx = l2cap_pi(sk)->max_tx;
14b5aa71 1702 opts.txwin_size = (__u16)l2cap_pi(sk)->tx_win;
0878b666 1703
1da177e4
LT		 1704 len = min_t(unsigned int, sizeof(opts), optlen);
1705 if (copy_from_user((char *) &opts, optval, len)) {
1706 err = -EFAULT;
1707 break;
1708 }
0878b666 1709
45d65c46
GP		 1710 if (opts.txwin_size > L2CAP_DEFAULT_TX_WINDOW) {
1711 err = -EINVAL;
1712 break;
1713 }
1714
0041ecfa
JPRV		 1715 l2cap_pi(sk)->mode = opts.mode;
1716 switch (l2cap_pi(sk)->mode) {
1717 case L2CAP_MODE_BASIC:
85eb53c6 1718 l2cap_pi(sk)->conf_state &= ~L2CAP_CONF_STATE2_DEVICE;
0041ecfa
JPRV		 1719 break;
1720 case L2CAP_MODE_ERTM:
1721 case L2CAP_MODE_STREAMING:
d1c4a17d 1722 if (!disable_ertm)
0041ecfa
JPRV		 1723 break;
1724 /* fall through */
1725 default:
1726 err = -EINVAL;
1727 break;
1728 }
1729
c6b03cf9
MH		 1730 l2cap_pi(sk)->imtu = opts.imtu;
1731 l2cap_pi(sk)->omtu = opts.omtu;
fcc203c3 1732 l2cap_pi(sk)->fcs = opts.fcs;
68d7f0ce 1733 l2cap_pi(sk)->max_tx = opts.max_tx;
14b5aa71 1734 l2cap_pi(sk)->tx_win = (__u8)opts.txwin_size;
1da177e4
LT		 1735 break;
1736
1737 case L2CAP_LM:
1738 if (get_user(opt, (u32 __user *) optval)) {
1739 err = -EFAULT;
1740 break;
1741 }
1742
2af6b9d5
MH		 1743 if (opt & L2CAP_LM_AUTH)
1744 l2cap_pi(sk)->sec_level = BT_SECURITY_LOW;
1745 if (opt & L2CAP_LM_ENCRYPT)
1746 l2cap_pi(sk)->sec_level = BT_SECURITY_MEDIUM;
1747 if (opt & L2CAP_LM_SECURE)
1748 l2cap_pi(sk)->sec_level = BT_SECURITY_HIGH;
1749
1750 l2cap_pi(sk)->role_switch = (opt & L2CAP_LM_MASTER);
1751 l2cap_pi(sk)->force_reliable = (opt & L2CAP_LM_RELIABLE);
1da177e4
LT		 1752 break;
1753
1754 default:
1755 err = -ENOPROTOOPT;
1756 break;
1757 }
1758
1759 release_sock(sk);
1760 return err;
1761}
1762
65390587 1763int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, char __user *optval, unsigned int optlen)
d58daf42
MH		 1764{
1765 struct sock *sk = sock->sk;
2af6b9d5
MH		 1766 struct bt_security sec;
1767 int len, err = 0;
f66dc81f 1768 u32 opt;
d58daf42
MH		 1769
1770 BT_DBG("sk %p", sk);
1771
1772 if (level == SOL_L2CAP)
1773 return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
1774
0588d94f
MH		 1775 if (level != SOL_BLUETOOTH)
1776 return -ENOPROTOOPT;
1777
d58daf42
MH		 1778 lock_sock(sk);
1779
1780 switch (optname) {
2af6b9d5 1781 case BT_SECURITY:
bd3c9e25
GP		 1782 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
1783 && sk->sk_type != SOCK_RAW) {
0588d94f
MH		 1784 err = -EINVAL;
1785 break;
1786 }
1787
2af6b9d5
MH		 1788 sec.level = BT_SECURITY_LOW;
1789
1790 len = min_t(unsigned int, sizeof(sec), optlen);
1791 if (copy_from_user((char *) &sec, optval, len)) {
1792 err = -EFAULT;
1793 break;
1794 }
1795
1796 if (sec.level < BT_SECURITY_LOW ||
1797 sec.level > BT_SECURITY_HIGH) {
1798 err = -EINVAL;
1799 break;
1800 }
1801
1802 l2cap_pi(sk)->sec_level = sec.level;
1803 break;
1804
f66dc81f
MH		 1805 case BT_DEFER_SETUP:
1806 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
1807 err = -EINVAL;
1808 break;
1809 }
1810
1811 if (get_user(opt, (u32 __user *) optval)) {
1812 err = -EFAULT;
1813 break;
1814 }
1815
1816 bt_sk(sk)->defer_setup = opt;
1817 break;
1818
e702112f
AE		 1819 case BT_FLUSHABLE:
1820 if (get_user(opt, (u32 __user *) optval)) {
1821 err = -EFAULT;
1822 break;
1823 }
1824
1825 if (opt > BT_FLUSHABLE_ON) {
1826 err = -EINVAL;
1827 break;
1828 }
1829
1830 if (opt == BT_FLUSHABLE_OFF) {
1831 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1832 /* proceed futher only when we have l2cap_conn and
1833 No Flush support in the LM */
1834 if (!conn || !lmp_no_flush_capable(conn->hcon->hdev)) {
1835 err = -EINVAL;
1836 break;
1837 }
1838 }
1839
1840 l2cap_pi(sk)->flushable = opt;
1841 break;
1842
d58daf42
MH		 1843 default:
1844 err = -ENOPROTOOPT;
1845 break;
1846 }
1847
1848 release_sock(sk);
1849 return err;
1850}
1851
1852static int l2cap_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen)
1da177e4
LT		 1853{
1854 struct sock *sk = sock->sk;
1855 struct l2cap_options opts;
1856 struct l2cap_conninfo cinfo;
1857 int len, err = 0;
2af6b9d5 1858 u32 opt;
1da177e4
LT		 1859
1860 BT_DBG("sk %p", sk);
1861
1862 if (get_user(len, optlen))
1863 return -EFAULT;
1864
1865 lock_sock(sk);
1866
1867 switch (optname) {
1868 case L2CAP_OPTIONS:
1869 opts.imtu = l2cap_pi(sk)->imtu;
1870 opts.omtu = l2cap_pi(sk)->omtu;
1871 opts.flush_to = l2cap_pi(sk)->flush_to;
c6b03cf9 1872 opts.mode = l2cap_pi(sk)->mode;
fcc203c3 1873 opts.fcs = l2cap_pi(sk)->fcs;
68d7f0ce 1874 opts.max_tx = l2cap_pi(sk)->max_tx;
14b5aa71 1875 opts.txwin_size = (__u16)l2cap_pi(sk)->tx_win;
1da177e4
LT		 1876
1877 len = min_t(unsigned int, len, sizeof(opts));
1878 if (copy_to_user(optval, (char *) &opts, len))
1879 err = -EFAULT;
1880
1881 break;
1882
1883 case L2CAP_LM:
2af6b9d5
MH		 1884 switch (l2cap_pi(sk)->sec_level) {
1885 case BT_SECURITY_LOW:
1886 opt = L2CAP_LM_AUTH;
1887 break;
1888 case BT_SECURITY_MEDIUM:
1889 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
1890 break;
1891 case BT_SECURITY_HIGH:
1892 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
1893 L2CAP_LM_SECURE;
1894 break;
1895 default:
1896 opt = 0;
1897 break;
1898 }
1899
1900 if (l2cap_pi(sk)->role_switch)
1901 opt |= L2CAP_LM_MASTER;
1902
1903 if (l2cap_pi(sk)->force_reliable)
1904 opt |= L2CAP_LM_RELIABLE;
1905
1906 if (put_user(opt, (u32 __user *) optval))
1da177e4
LT		 1907 err = -EFAULT;
1908 break;
1909
1910 case L2CAP_CONNINFO:
f66dc81f
MH		 1911 if (sk->sk_state != BT_CONNECTED &&
1912 !(sk->sk_state == BT_CONNECT2 &&
1913 bt_sk(sk)->defer_setup)) {
1da177e4
LT		 1914 err = -ENOTCONN;
1915 break;
1916 }
1917
1918 cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle;
1919 memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3);
1920
1921 len = min_t(unsigned int, len, sizeof(cinfo));
1922 if (copy_to_user(optval, (char *) &cinfo, len))
1923 err = -EFAULT;
1924
1925 break;
1926
1927 default:
1928 err = -ENOPROTOOPT;
1929 break;
1930 }
1931
1932 release_sock(sk);
1933 return err;
1934}
1935
65390587 1936int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen)
d58daf42
MH		 1937{
1938 struct sock *sk = sock->sk;
2af6b9d5 1939 struct bt_security sec;
d58daf42
MH		 1940 int len, err = 0;
1941
1942 BT_DBG("sk %p", sk);
1943
1944 if (level == SOL_L2CAP)
1945 return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
1946
0588d94f
MH		 1947 if (level != SOL_BLUETOOTH)
1948 return -ENOPROTOOPT;
1949
d58daf42
MH		 1950 if (get_user(len, optlen))
1951 return -EFAULT;
1952
1953 lock_sock(sk);
1954
1955 switch (optname) {
2af6b9d5 1956 case BT_SECURITY:
bd3c9e25
GP		 1957 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
1958 && sk->sk_type != SOCK_RAW) {
0588d94f
MH		 1959 err = -EINVAL;
1960 break;
1961 }
1962
2af6b9d5
MH		 1963 sec.level = l2cap_pi(sk)->sec_level;
1964
1965 len = min_t(unsigned int, len, sizeof(sec));
1966 if (copy_to_user(optval, (char *) &sec, len))
1967 err = -EFAULT;
1968
1969 break;
1970
f66dc81f
MH		 1971 case BT_DEFER_SETUP:
1972 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
1973 err = -EINVAL;
1974 break;
1975 }
1976
1977 if (put_user(bt_sk(sk)->defer_setup, (u32 __user *) optval))
1978 err = -EFAULT;
1979
1980 break;
1981
e702112f
AE		 1982 case BT_FLUSHABLE:
1983 if (put_user(l2cap_pi(sk)->flushable, (u32 __user *) optval))
1984 err = -EFAULT;
1985
1986 break;
1987
d58daf42
MH		 1988 default:
1989 err = -ENOPROTOOPT;
1990 break;
1991 }
1992
1993 release_sock(sk);
1994 return err;
1995}
1996
65390587 1997int l2cap_sock_shutdown(struct socket *sock, int how)
1da177e4
LT		 1998{
1999 struct sock *sk = sock->sk;
2000 int err = 0;
2001
2002 BT_DBG("sock %p, sk %p", sock, sk);
2003
2004 if (!sk)
2005 return 0;
2006
2007 lock_sock(sk);
2008 if (!sk->sk_shutdown) {
6161c038
GP		 2009 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM)
2010 err = __l2cap_wait_ack(sk);
2011
1da177e4
LT		 2012 sk->sk_shutdown = SHUTDOWN_MASK;
2013 l2cap_sock_clear_timer(sk);
2014 __l2cap_sock_close(sk, 0);
2015
2016 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime)
b1235d79
MH		 2017 err = bt_sock_wait_state(sk, BT_CLOSED,
2018 sk->sk_lingertime);
1da177e4 2019 }
9b108fc0
GP		 2020
2021 if (!err && sk->sk_err)
2022 err = -sk->sk_err;
2023
1da177e4
LT		 2024 release_sock(sk);
2025 return err;
2026}
2027
1da177e4
LT		 2028static void l2cap_chan_ready(struct sock *sk)
2029{
2030 struct sock *parent = bt_sk(sk)->parent;
2031
2032 BT_DBG("sk %p, parent %p", sk, parent);
2033
2034 l2cap_pi(sk)->conf_state = 0;
2035 l2cap_sock_clear_timer(sk);
2036
2037 if (!parent) {
2038 /* Outgoing channel.
2039 * Wake up socket sleeping on connect.
2040 */
2041 sk->sk_state = BT_CONNECTED;
2042 sk->sk_state_change(sk);
2043 } else {
2044 /* Incoming channel.
2045 * Wake up socket sleeping on accept.
2046 */
2047 parent->sk_data_ready(parent, 0);
2048 }
2049}
2050
2051/* Copy frame to all raw sockets on that connection */
2052static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2053{
2054 struct l2cap_chan_list *l = &conn->chan_list;
2055 struct sk_buff *nskb;
af05b30b 2056 struct sock *sk;
1da177e4
LT		 2057
2058 BT_DBG("conn %p", conn);
2059
2060 read_lock(&l->lock);
2061 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
2062 if (sk->sk_type != SOCK_RAW)
2063 continue;
2064
2065 /* Don't send frame to the socket it came from */
2066 if (skb->sk == sk)
2067 continue;
af05b30b
GP		 2068 nskb = skb_clone(skb, GFP_ATOMIC);
2069 if (!nskb)
1da177e4
LT		 2070 continue;
2071
2072 if (sock_queue_rcv_skb(sk, nskb))
2073 kfree_skb(nskb);
2074 }
2075 read_unlock(&l->lock);
2076}
2077
2078/* ---- L2CAP signalling commands ---- */
2079static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2080 u8 code, u8 ident, u16 dlen, void *data)
2081{
2082 struct sk_buff *skb, **frag;
2083 struct l2cap_cmd_hdr *cmd;
2084 struct l2cap_hdr *lh;
2085 int len, count;
2086
af05b30b
GP		 2087 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
2088 conn, code, ident, dlen);
1da177e4
LT		 2089
2090 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2091 count = min_t(unsigned int, conn->mtu, len);
2092
2093 skb = bt_skb_alloc(count, GFP_ATOMIC);
2094 if (!skb)
2095 return NULL;
2096
2097 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2098 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
8db4dc46 2099 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2100
2101 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2102 cmd->code = code;
2103 cmd->ident = ident;
aca3192c 2104 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2105
2106 if (dlen) {
2107 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2108 memcpy(skb_put(skb, count), data, count);
2109 data += count;
2110 }
2111
2112 len -= skb->len;
2113
2114 /* Continuation fragments (no L2CAP header) */
2115 frag = &skb_shinfo(skb)->frag_list;
2116 while (len) {
2117 count = min_t(unsigned int, conn->mtu, len);
2118
2119 *frag = bt_skb_alloc(count, GFP_ATOMIC);
2120 if (!*frag)
2121 goto fail;
2122
2123 memcpy(skb_put(*frag, count), data, count);
2124
2125 len -= count;
2126 data += count;
2127
2128 frag = &(*frag)->next;
2129 }
2130
2131 return skb;
2132
2133fail:
2134 kfree_skb(skb);
2135 return NULL;
2136}
2137
2138static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
2139{
2140 struct l2cap_conf_opt *opt = *ptr;
2141 int len;
2142
2143 len = L2CAP_CONF_OPT_SIZE + opt->len;
2144 *ptr += len;
2145
2146 *type = opt->type;
2147 *olen = opt->len;
2148
2149 switch (opt->len) {
2150 case 1:
2151 *val = *((u8 *) opt->val);
2152 break;
2153
2154 case 2:
bfaaeb3e 2155 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 2156 break;
2157
2158 case 4:
bfaaeb3e 2159 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 2160 break;
2161
2162 default:
2163 *val = (unsigned long) opt->val;
2164 break;
2165 }
2166
2167 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
2168 return len;
2169}
2170
1da177e4
LT		 2171static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2172{
2173 struct l2cap_conf_opt *opt = *ptr;
2174
2175 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
2176
2177 opt->type = type;
2178 opt->len = len;
2179
2180 switch (len) {
2181 case 1:
2182 *((u8 *) opt->val) = val;
2183 break;
2184
2185 case 2:
4f8b691c 2186 put_unaligned_le16(val, opt->val);
1da177e4
LT		 2187 break;
2188
2189 case 4:
4f8b691c 2190 put_unaligned_le32(val, opt->val);
1da177e4
LT		 2191 break;
2192
2193 default:
2194 memcpy(opt->val, (void *) val, len);
2195 break;
2196 }
2197
2198 *ptr += L2CAP_CONF_OPT_SIZE + len;
2199}
2200
c1b4f43b
GP		 2201static void l2cap_ack_timeout(unsigned long arg)
2202{
2203 struct sock *sk = (void *) arg;
2204
2205 bh_lock_sock(sk);
2206 l2cap_send_ack(l2cap_pi(sk));
2207 bh_unlock_sock(sk);
2208}
2209
0565c1c2
GP		 2210static inline void l2cap_ertm_init(struct sock *sk)
2211{
2212 l2cap_pi(sk)->expected_ack_seq = 0;
2213 l2cap_pi(sk)->unacked_frames = 0;
2214 l2cap_pi(sk)->buffer_seq = 0;
803020c6 2215 l2cap_pi(sk)->num_acked = 0;
d5392c8f 2216 l2cap_pi(sk)->frames_sent = 0;
0565c1c2
GP		 2217
2218 setup_timer(&l2cap_pi(sk)->retrans_timer,
2219 l2cap_retrans_timeout, (unsigned long) sk);
2220 setup_timer(&l2cap_pi(sk)->monitor_timer,
2221 l2cap_monitor_timeout, (unsigned long) sk);
c1b4f43b
GP		 2222 setup_timer(&l2cap_pi(sk)->ack_timer,
2223 l2cap_ack_timeout, (unsigned long) sk);
0565c1c2
GP		 2224
2225 __skb_queue_head_init(SREJ_QUEUE(sk));
1890d36b
GP		 2226 __skb_queue_head_init(BUSY_QUEUE(sk));
2227
2228 INIT_WORK(&l2cap_pi(sk)->busy_work, l2cap_busy_work);
218bb9df
GP		 2229
2230 sk->sk_backlog_rcv = l2cap_ertm_data_rcv;
0565c1c2
GP		 2231}
2232
f2fcfcd6
GP		 2233static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2234{
2235 switch (mode) {
2236 case L2CAP_MODE_STREAMING:
2237 case L2CAP_MODE_ERTM:
2238 if (l2cap_mode_supported(mode, remote_feat_mask))
2239 return mode;
2240 /* fall through */
2241 default:
2242 return L2CAP_MODE_BASIC;
2243 }
2244}
2245
1da177e4
LT		 2246static int l2cap_build_conf_req(struct sock *sk, void *data)
2247{
2248 struct l2cap_pinfo *pi = l2cap_pi(sk);
2249 struct l2cap_conf_req *req = data;
bd3c9e25 2250 struct l2cap_conf_rfc rfc = { .mode = pi->mode };
1da177e4
LT		 2251 void *ptr = req->data;
2252
2253 BT_DBG("sk %p", sk);
2254
f2fcfcd6
GP		 2255 if (pi->num_conf_req || pi->num_conf_rsp)
2256 goto done;
2257
2258 switch (pi->mode) {
2259 case L2CAP_MODE_STREAMING:
2260 case L2CAP_MODE_ERTM:
2ba13ed6 2261 if (pi->conf_state & L2CAP_CONF_STATE2_DEVICE)
85eb53c6 2262 break;
85eb53c6 2263
2ba13ed6 2264 /* fall through */
f2fcfcd6
GP		 2265 default:
2266 pi->mode = l2cap_select_mode(rfc.mode, pi->conn->feat_mask);
2267 break;
2268 }
2269
2270done:
7990681c
GP		 2271 if (pi->imtu != L2CAP_DEFAULT_MTU)
2272 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->imtu);
2273
65c7c491
MH		 2274 switch (pi->mode) {
2275 case L2CAP_MODE_BASIC:
63406504
GP		 2276 if (!(pi->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2277 !(pi->conn->feat_mask & L2CAP_FEAT_STREAMING))
2278 break;
2279
62547752
GP		 2280 rfc.mode = L2CAP_MODE_BASIC;
2281 rfc.txwin_size = 0;
2282 rfc.max_transmit = 0;
2283 rfc.retrans_timeout = 0;
2284 rfc.monitor_timeout = 0;
2285 rfc.max_pdu_size = 0;
2286
63406504
GP		 2287 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2288 (unsigned long) &rfc);
65c7c491
MH		 2289 break;
2290
2291 case L2CAP_MODE_ERTM:
2292 rfc.mode = L2CAP_MODE_ERTM;
14b5aa71 2293 rfc.txwin_size = pi->tx_win;
68d7f0ce 2294 rfc.max_transmit = pi->max_tx;
f2fcfcd6
GP		 2295 rfc.retrans_timeout = 0;
2296 rfc.monitor_timeout = 0;
c74e560c 2297 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
d1daa091 2298 if (L2CAP_DEFAULT_MAX_PDU_SIZE > pi->conn->mtu - 10)
1c762159 2299 rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10);
f2fcfcd6 2300
63406504
GP		 2301 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2302 (unsigned long) &rfc);
2303
fcc203c3
GP		 2304 if (!(pi->conn->feat_mask & L2CAP_FEAT_FCS))
2305 break;
2306
2307 if (pi->fcs == L2CAP_FCS_NONE ||
2308 pi->conf_state & L2CAP_CONF_NO_FCS_RECV) {
2309 pi->fcs = L2CAP_FCS_NONE;
2310 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, pi->fcs);
2311 }
f2fcfcd6
GP		 2312 break;
2313
2314 case L2CAP_MODE_STREAMING:
2315 rfc.mode = L2CAP_MODE_STREAMING;
2316 rfc.txwin_size = 0;
2317 rfc.max_transmit = 0;
2318 rfc.retrans_timeout = 0;
2319 rfc.monitor_timeout = 0;
c74e560c 2320 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
d1daa091 2321 if (L2CAP_DEFAULT_MAX_PDU_SIZE > pi->conn->mtu - 10)
1c762159 2322 rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10);
65c7c491 2323
63406504
GP		 2324 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2325 (unsigned long) &rfc);
2326
fcc203c3
GP		 2327 if (!(pi->conn->feat_mask & L2CAP_FEAT_FCS))
2328 break;
2329
2330 if (pi->fcs == L2CAP_FCS_NONE ||
2331 pi->conf_state & L2CAP_CONF_NO_FCS_RECV) {
2332 pi->fcs = L2CAP_FCS_NONE;
2333 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, pi->fcs);
2334 }
65c7c491
MH		 2335 break;
2336 }
1da177e4
LT		 2337
2338 /* FIXME: Need actual value of the flush timeout */
2339 //if (flush_to != L2CAP_DEFAULT_FLUSH_TO)
2340 // l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, 2, pi->flush_to);
2341
aca3192c
YH		 2342 req->dcid = cpu_to_le16(pi->dcid);
2343 req->flags = cpu_to_le16(0);
1da177e4
LT		 2344
2345 return ptr - data;
2346}
2347
5dee9e7c 2348static int l2cap_parse_conf_req(struct sock *sk, void *data)
1da177e4
LT		 2349{
2350 struct l2cap_pinfo *pi = l2cap_pi(sk);
5dee9e7c
MH		 2351 struct l2cap_conf_rsp *rsp = data;
2352 void *ptr = rsp->data;
2353 void *req = pi->conf_req;
2354 int len = pi->conf_len;
2355 int type, hint, olen;
2356 unsigned long val;
6464f35f 2357 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
861d6882 2358 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 2359 u16 result = L2CAP_CONF_SUCCESS;
1da177e4 2360
5dee9e7c 2361 BT_DBG("sk %p", sk);
820ae1b8 2362
5dee9e7c
MH		 2363 while (len >= L2CAP_CONF_OPT_SIZE) {
2364 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 2365
589d2746 2366 hint = type & L2CAP_CONF_HINT;
47ec1dcd 2367 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 2368
2369 switch (type) {
2370 case L2CAP_CONF_MTU:
861d6882 2371 mtu = val;
5dee9e7c
MH		 2372 break;
2373
2374 case L2CAP_CONF_FLUSH_TO:
2375 pi->flush_to = val;
2376 break;
2377
2378 case L2CAP_CONF_QOS:
2379 break;
2380
6464f35f
MH		 2381 case L2CAP_CONF_RFC:
2382 if (olen == sizeof(rfc))
2383 memcpy(&rfc, (void *) val, olen);
2384 break;
2385
fcc203c3
GP		 2386 case L2CAP_CONF_FCS:
2387 if (val == L2CAP_FCS_NONE)
2388 pi->conf_state |= L2CAP_CONF_NO_FCS_RECV;
2389
2390 break;
2391
5dee9e7c
MH		 2392 default:
2393 if (hint)
2394 break;
2395
2396 result = L2CAP_CONF_UNKNOWN;
2397 *((u8 *) ptr++) = type;
2398 break;
2399 }
2400 }
2401
e9aeb2dd 2402 if (pi->num_conf_rsp || pi->num_conf_req > 1)
f2fcfcd6
GP		 2403 goto done;
2404
2405 switch (pi->mode) {
2406 case L2CAP_MODE_STREAMING:
2407 case L2CAP_MODE_ERTM:
85eb53c6
GP		 2408 if (!(pi->conf_state & L2CAP_CONF_STATE2_DEVICE)) {
2409 pi->mode = l2cap_select_mode(rfc.mode,
2410 pi->conn->feat_mask);
2411 break;
2412 }
2413
742e519b 2414 if (pi->mode != rfc.mode)
f2fcfcd6 2415 return -ECONNREFUSED;
742e519b 2416
f2fcfcd6 2417 break;
f2fcfcd6
GP		 2418 }
2419
2420done:
2421 if (pi->mode != rfc.mode) {
2422 result = L2CAP_CONF_UNACCEPT;
2423 rfc.mode = pi->mode;
2424
2425 if (pi->num_conf_rsp == 1)
2426 return -ECONNREFUSED;
2427
2428 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2429 sizeof(rfc), (unsigned long) &rfc);
2430 }
2431
2432
5dee9e7c
MH		 2433 if (result == L2CAP_CONF_SUCCESS) {
2434 /* Configure output options and let the other side know
2435 * which ones we don't like. */
2436
f2fcfcd6
GP		 2437 if (mtu < L2CAP_DEFAULT_MIN_MTU)
2438 result = L2CAP_CONF_UNACCEPT;
2439 else {
2440 pi->omtu = mtu;
2441 pi->conf_state |= L2CAP_CONF_MTU_DONE;
2442 }
2443 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->omtu);
6464f35f 2444
f2fcfcd6
GP		 2445 switch (rfc.mode) {
2446 case L2CAP_MODE_BASIC:
2447 pi->fcs = L2CAP_FCS_NONE;
2448 pi->conf_state |= L2CAP_CONF_MODE_DONE;
2449 break;
2450
2451 case L2CAP_MODE_ERTM:
2452 pi->remote_tx_win = rfc.txwin_size;
2453 pi->remote_max_tx = rfc.max_transmit;
86b1b263
MM		 2454
2455 if (le16_to_cpu(rfc.max_pdu_size) > pi->conn->mtu - 10)
2456 rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10);
1c762159
GP		 2457
2458 pi->remote_mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6 2459
10467e9e
GP		 2460 rfc.retrans_timeout =
2461 le16_to_cpu(L2CAP_DEFAULT_RETRANS_TO);
2462 rfc.monitor_timeout =
2463 le16_to_cpu(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6
GP		 2464
2465 pi->conf_state |= L2CAP_CONF_MODE_DONE;
68ae6639
GP		 2466
2467 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2468 sizeof(rfc), (unsigned long) &rfc);
2469
f2fcfcd6
GP		 2470 break;
2471
2472 case L2CAP_MODE_STREAMING:
86b1b263
MM		 2473 if (le16_to_cpu(rfc.max_pdu_size) > pi->conn->mtu - 10)
2474 rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10);
1c762159
GP		 2475
2476 pi->remote_mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2477
2478 pi->conf_state |= L2CAP_CONF_MODE_DONE;
68ae6639
GP		 2479
2480 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2481 sizeof(rfc), (unsigned long) &rfc);
2482
f2fcfcd6
GP		 2483 break;
2484
2485 default:
5dee9e7c 2486 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 2487
6464f35f 2488 memset(&rfc, 0, sizeof(rfc));
f2fcfcd6
GP		 2489 rfc.mode = pi->mode;
2490 }
6464f35f 2491
f2fcfcd6
GP		 2492 if (result == L2CAP_CONF_SUCCESS)
2493 pi->conf_state |= L2CAP_CONF_OUTPUT_DONE;
2494 }
5dee9e7c
MH		 2495 rsp->scid = cpu_to_le16(pi->dcid);
2496 rsp->result = cpu_to_le16(result);
2497 rsp->flags = cpu_to_le16(0x0000);
2498
2499 return ptr - data;
1da177e4
LT		 2500}
2501
f2fcfcd6
GP		 2502static int l2cap_parse_conf_rsp(struct sock *sk, void *rsp, int len, void *data, u16 *result)
2503{
2504 struct l2cap_pinfo *pi = l2cap_pi(sk);
2505 struct l2cap_conf_req *req = data;
2506 void *ptr = req->data;
2507 int type, olen;
2508 unsigned long val;
2509 struct l2cap_conf_rfc rfc;
2510
2511 BT_DBG("sk %p, rsp %p, len %d, req %p", sk, rsp, len, data);
2512
2513 while (len >= L2CAP_CONF_OPT_SIZE) {
2514 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2515
2516 switch (type) {
2517 case L2CAP_CONF_MTU:
2518 if (val < L2CAP_DEFAULT_MIN_MTU) {
2519 *result = L2CAP_CONF_UNACCEPT;
8183b775 2520 pi->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 2521 } else
8183b775
AE		 2522 pi->imtu = val;
2523 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->imtu);
f2fcfcd6
GP		 2524 break;
2525
2526 case L2CAP_CONF_FLUSH_TO:
2527 pi->flush_to = val;
2528 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
2529 2, pi->flush_to);
2530 break;
2531
2532 case L2CAP_CONF_RFC:
2533 if (olen == sizeof(rfc))
2534 memcpy(&rfc, (void *)val, olen);
2535
2536 if ((pi->conf_state & L2CAP_CONF_STATE2_DEVICE) &&
2537 rfc.mode != pi->mode)
2538 return -ECONNREFUSED;
2539
f2fcfcd6
GP		 2540 pi->fcs = 0;
2541
2542 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2543 sizeof(rfc), (unsigned long) &rfc);
2544 break;
2545 }
2546 }
2547
6c2ea7a8
GP		 2548 if (pi->mode == L2CAP_MODE_BASIC && pi->mode != rfc.mode)
2549 return -ECONNREFUSED;
2550
2551 pi->mode = rfc.mode;
2552
f2fcfcd6
GP		 2553 if (*result == L2CAP_CONF_SUCCESS) {
2554 switch (rfc.mode) {
2555 case L2CAP_MODE_ERTM:
10467e9e
GP		 2556 pi->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2557 pi->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
1c762159 2558 pi->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2559 break;
2560 case L2CAP_MODE_STREAMING:
1c762159 2561 pi->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2562 }
2563 }
2564
2565 req->dcid = cpu_to_le16(pi->dcid);
2566 req->flags = cpu_to_le16(0x0000);
2567
2568 return ptr - data;
2569}
2570
5dee9e7c 2571static int l2cap_build_conf_rsp(struct sock *sk, void *data, u16 result, u16 flags)
1da177e4
LT		 2572{
2573 struct l2cap_conf_rsp *rsp = data;
2574 void *ptr = rsp->data;
1da177e4 2575
5dee9e7c 2576 BT_DBG("sk %p", sk);
1da177e4 2577
aca3192c 2578 rsp->scid = cpu_to_le16(l2cap_pi(sk)->dcid);
5dee9e7c 2579 rsp->result = cpu_to_le16(result);
aca3192c 2580 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 2581
2582 return ptr - data;
2583}
2584
7b1c0049
GP		 2585static void l2cap_conf_rfc_get(struct sock *sk, void *rsp, int len)
2586{
2587 struct l2cap_pinfo *pi = l2cap_pi(sk);
2588 int type, olen;
2589 unsigned long val;
2590 struct l2cap_conf_rfc rfc;
2591
2592 BT_DBG("sk %p, rsp %p, len %d", sk, rsp, len);
2593
2594 if ((pi->mode != L2CAP_MODE_ERTM) && (pi->mode != L2CAP_MODE_STREAMING))
2595 return;
2596
2597 while (len >= L2CAP_CONF_OPT_SIZE) {
2598 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2599
2600 switch (type) {
2601 case L2CAP_CONF_RFC:
2602 if (olen == sizeof(rfc))
2603 memcpy(&rfc, (void *)val, olen);
2604 goto done;
2605 }
2606 }
2607
2608done:
2609 switch (rfc.mode) {
2610 case L2CAP_MODE_ERTM:
10467e9e
GP		 2611 pi->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2612 pi->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
7b1c0049
GP		 2613 pi->mps = le16_to_cpu(rfc.max_pdu_size);
2614 break;
2615 case L2CAP_MODE_STREAMING:
2616 pi->mps = le16_to_cpu(rfc.max_pdu_size);
2617 }
2618}
2619
4e8402a3
MH		 2620static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2621{
2622 struct l2cap_cmd_rej *rej = (struct l2cap_cmd_rej *) data;
2623
2624 if (rej->reason != 0x0000)
2625 return 0;
2626
2627 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2628 cmd->ident == conn->info_ident) {
4e8402a3 2629 del_timer(&conn->info_timer);
984947dc
MH		 2630
2631 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2632 conn->info_ident = 0;
984947dc 2633
4e8402a3
MH		 2634 l2cap_conn_start(conn);
2635 }
2636
2637 return 0;
2638}
2639
1da177e4
LT		 2640static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2641{
2642 struct l2cap_chan_list *list = &conn->chan_list;
2643 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
2644 struct l2cap_conn_rsp rsp;
d793fe8c 2645 struct sock *parent, *sk = NULL;
e7c29cb1 2646 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2647
2648 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 2649 __le16 psm = req->psm;
1da177e4
LT		 2650
2651 BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
2652
2653 /* Check if we have socket listening on psm */
2654 parent = l2cap_get_sock_by_psm(BT_LISTEN, psm, conn->src);
2655 if (!parent) {
2656 result = L2CAP_CR_BAD_PSM;
2657 goto sendresp;
2658 }
2659
e0f0cb56
GP		 2660 bh_lock_sock(parent);
2661
e7c29cb1
MH		 2662 /* Check if the ACL is secure enough (if not SDP) */
2663 if (psm != cpu_to_le16(0x0001) &&
2664 !hci_conn_check_link_mode(conn->hcon)) {
2950f21a 2665 conn->disc_reason = 0x05;
e7c29cb1
MH		 2666 result = L2CAP_CR_SEC_BLOCK;
2667 goto response;
2668 }
2669
1da177e4
LT		 2670 result = L2CAP_CR_NO_MEM;
2671
2672 /* Check for backlog size */
2673 if (sk_acceptq_is_full(parent)) {
8e87d142 2674 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1da177e4
LT		 2675 goto response;
2676 }
2677
3b1e0a65 2678 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP, GFP_ATOMIC);
1da177e4
LT		 2679 if (!sk)
2680 goto response;
2681
fd1278d7 2682 write_lock_bh(&list->lock);
1da177e4
LT		 2683
2684 /* Check if we already have channel with that dcid */
2685 if (__l2cap_get_chan_by_dcid(list, scid)) {
fd1278d7 2686 write_unlock_bh(&list->lock);
1da177e4
LT		 2687 sock_set_flag(sk, SOCK_ZAPPED);
2688 l2cap_sock_kill(sk);
2689 goto response;
2690 }
2691
2692 hci_conn_hold(conn->hcon);
2693
2694 l2cap_sock_init(sk, parent);
2695 bacpy(&bt_sk(sk)->src, conn->src);
2696 bacpy(&bt_sk(sk)->dst, conn->dst);
2697 l2cap_pi(sk)->psm = psm;
2698 l2cap_pi(sk)->dcid = scid;
2699
2700 __l2cap_chan_add(conn, sk, parent);
2701 dcid = l2cap_pi(sk)->scid;
2702
2703 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
2704
1da177e4
LT		 2705 l2cap_pi(sk)->ident = cmd->ident;
2706
984947dc 2707 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
2af6b9d5 2708 if (l2cap_check_security(sk)) {
f66dc81f
MH		 2709 if (bt_sk(sk)->defer_setup) {
2710 sk->sk_state = BT_CONNECT2;
2711 result = L2CAP_CR_PEND;
2712 status = L2CAP_CS_AUTHOR_PEND;
2713 parent->sk_data_ready(parent, 0);
2714 } else {
2715 sk->sk_state = BT_CONFIG;
2716 result = L2CAP_CR_SUCCESS;
2717 status = L2CAP_CS_NO_INFO;
2718 }
79d554a6
MH		 2719 } else {
2720 sk->sk_state = BT_CONNECT2;
2721 result = L2CAP_CR_PEND;
2722 status = L2CAP_CS_AUTHEN_PEND;
2723 }
2724 } else {
2725 sk->sk_state = BT_CONNECT2;
2726 result = L2CAP_CR_PEND;
2727 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2728 }
2729
fd1278d7 2730 write_unlock_bh(&list->lock);
1da177e4
LT		 2731
2732response:
2733 bh_unlock_sock(parent);
2734
2735sendresp:
aca3192c
YH		 2736 rsp.scid = cpu_to_le16(scid);
2737 rsp.dcid = cpu_to_le16(dcid);
2738 rsp.result = cpu_to_le16(result);
2739 rsp.status = cpu_to_le16(status);
1da177e4 2740 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 2741
2742 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
2743 struct l2cap_info_req info;
2744 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2745
2746 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
2747 conn->info_ident = l2cap_get_ident(conn);
2748
2749 mod_timer(&conn->info_timer, jiffies +
2750 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
2751
2752 l2cap_send_cmd(conn, conn->info_ident,
2753 L2CAP_INFO_REQ, sizeof(info), &info);
2754 }
2755
d793fe8c 2756 if (sk && !(l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT) &&
e9aeb2dd
GP		 2757 result == L2CAP_CR_SUCCESS) {
2758 u8 buf[128];
2759 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
2760 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2761 l2cap_build_conf_req(sk, buf), buf);
2762 l2cap_pi(sk)->num_conf_req++;
2763 }
2764
1da177e4
LT		 2765 return 0;
2766}
2767
2768static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2769{
2770 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
2771 u16 scid, dcid, result, status;
2772 struct sock *sk;
2773 u8 req[128];
2774
2775 scid = __le16_to_cpu(rsp->scid);
2776 dcid = __le16_to_cpu(rsp->dcid);
2777 result = __le16_to_cpu(rsp->result);
2778 status = __le16_to_cpu(rsp->status);
2779
2780 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status);
2781
2782 if (scid) {
af05b30b
GP		 2783 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
2784 if (!sk)
57d3b22b 2785 return -EFAULT;
1da177e4 2786 } else {
af05b30b
GP		 2787 sk = l2cap_get_chan_by_ident(&conn->chan_list, cmd->ident);
2788 if (!sk)
57d3b22b 2789 return -EFAULT;
1da177e4
LT		 2790 }
2791
2792 switch (result) {
2793 case L2CAP_CR_SUCCESS:
2794 sk->sk_state = BT_CONFIG;
2795 l2cap_pi(sk)->ident = 0;
2796 l2cap_pi(sk)->dcid = dcid;
6a8d3010
MH		 2797 l2cap_pi(sk)->conf_state &= ~L2CAP_CONF_CONNECT_PEND;
2798
e9aeb2dd
GP		 2799 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT)
2800 break;
2801
2802 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
2803
1da177e4
LT		 2804 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2805 l2cap_build_conf_req(sk, req), req);
f2fcfcd6 2806 l2cap_pi(sk)->num_conf_req++;
1da177e4
LT		 2807 break;
2808
2809 case L2CAP_CR_PEND:
6a8d3010 2810 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
1da177e4
LT		 2811 break;
2812
2813 default:
a49184c2
AE		 2814 /* don't delete l2cap channel if sk is owned by user */
2815 if (sock_owned_by_user(sk)) {
2816 sk->sk_state = BT_DISCONN;
2817 l2cap_sock_clear_timer(sk);
2818 l2cap_sock_set_timer(sk, HZ / 5);
2819 break;
2820 }
2821
1da177e4
LT		 2822 l2cap_chan_del(sk, ECONNREFUSED);
2823 break;
2824 }
2825
2826 bh_unlock_sock(sk);
2827 return 0;
2828}
2829
8c462b60
MM		 2830static inline void set_default_fcs(struct l2cap_pinfo *pi)
2831{
2832 /* FCS is enabled only in ERTM or streaming mode, if one or both
2833 * sides request it.
2834 */
2835 if (pi->mode != L2CAP_MODE_ERTM && pi->mode != L2CAP_MODE_STREAMING)
2836 pi->fcs = L2CAP_FCS_NONE;
2837 else if (!(pi->conf_state & L2CAP_CONF_NO_FCS_RECV))
2838 pi->fcs = L2CAP_FCS_CRC16;
2839}
2840
88219a0f 2841static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 2842{
2843 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
2844 u16 dcid, flags;
2845 u8 rsp[64];
2846 struct sock *sk;
5dee9e7c 2847 int len;
1da177e4
LT		 2848
2849 dcid = __le16_to_cpu(req->dcid);
2850 flags = __le16_to_cpu(req->flags);
2851
2852 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
2853
af05b30b
GP		 2854 sk = l2cap_get_chan_by_scid(&conn->chan_list, dcid);
2855 if (!sk)
1da177e4
LT		 2856 return -ENOENT;
2857
df6bd743
GP		 2858 if (sk->sk_state != BT_CONFIG) {
2859 struct l2cap_cmd_rej rej;
2860
2861 rej.reason = cpu_to_le16(0x0002);
2862 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
2863 sizeof(rej), &rej);
354f60a9 2864 goto unlock;
df6bd743 2865 }
354f60a9 2866
5dee9e7c 2867 /* Reject if config buffer is too small. */
88219a0f 2868 len = cmd_len - sizeof(*req);
5dee9e7c
MH		 2869 if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
2870 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2871 l2cap_build_conf_rsp(sk, rsp,
2872 L2CAP_CONF_REJECT, flags), rsp);
2873 goto unlock;
2874 }
2875
2876 /* Store config. */
2877 memcpy(l2cap_pi(sk)->conf_req + l2cap_pi(sk)->conf_len, req->data, len);
2878 l2cap_pi(sk)->conf_len += len;
1da177e4
LT		 2879
2880 if (flags & 0x0001) {
2881 /* Incomplete config. Send empty response. */
2882 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
5dee9e7c
MH		 2883 l2cap_build_conf_rsp(sk, rsp,
2884 L2CAP_CONF_SUCCESS, 0x0001), rsp);
1da177e4
LT		 2885 goto unlock;
2886 }
2887
2888 /* Complete config. */
5dee9e7c 2889 len = l2cap_parse_conf_req(sk, rsp);
f2fcfcd6 2890 if (len < 0) {
9b108fc0 2891 l2cap_send_disconn_req(conn, sk, ECONNRESET);
1da177e4 2892 goto unlock;
f2fcfcd6 2893 }
1da177e4 2894
5dee9e7c 2895 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
f2fcfcd6 2896 l2cap_pi(sk)->num_conf_rsp++;
5dee9e7c 2897
5dee9e7c
MH		 2898 /* Reset config buffer. */
2899 l2cap_pi(sk)->conf_len = 0;
2900
876d9484
MH		 2901 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE))
2902 goto unlock;
2903
1da177e4 2904 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_INPUT_DONE) {
8c462b60 2905 set_default_fcs(l2cap_pi(sk));
fcc203c3 2906
1da177e4 2907 sk->sk_state = BT_CONNECTED;
e90bac06 2908
0565c1c2
GP		 2909 l2cap_pi(sk)->next_tx_seq = 0;
2910 l2cap_pi(sk)->expected_tx_seq = 0;
1c2acffb 2911 __skb_queue_head_init(TX_QUEUE(sk));
0565c1c2
GP		 2912 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM)
2913 l2cap_ertm_init(sk);
2914
1da177e4 2915 l2cap_chan_ready(sk);
876d9484
MH		 2916 goto unlock;
2917 }
2918
2919 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT)) {
79d554a6 2920 u8 buf[64];
ab3e5715 2921 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
1da177e4 2922 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
79d554a6 2923 l2cap_build_conf_req(sk, buf), buf);
f2fcfcd6 2924 l2cap_pi(sk)->num_conf_req++;
1da177e4
LT		 2925 }
2926
2927unlock:
2928 bh_unlock_sock(sk);
2929 return 0;
2930}
2931
2932static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2933{
2934 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
2935 u16 scid, flags, result;
2936 struct sock *sk;
7b1c0049 2937 int len = cmd->len - sizeof(*rsp);
1da177e4
LT		 2938
2939 scid = __le16_to_cpu(rsp->scid);
2940 flags = __le16_to_cpu(rsp->flags);
2941 result = __le16_to_cpu(rsp->result);
2942
af05b30b
GP		 2943 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x",
2944 scid, flags, result);
1da177e4 2945
af05b30b
GP		 2946 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
2947 if (!sk)
1da177e4
LT		 2948 return 0;
2949
2950 switch (result) {
2951 case L2CAP_CONF_SUCCESS:
7b1c0049 2952 l2cap_conf_rfc_get(sk, rsp->data, len);
1da177e4
LT		 2953 break;
2954
2955 case L2CAP_CONF_UNACCEPT:
f2fcfcd6 2956 if (l2cap_pi(sk)->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 2957 char req[64];
2958
c2c77ec8 2959 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
9b108fc0 2960 l2cap_send_disconn_req(conn, sk, ECONNRESET);
c2c77ec8
AE		 2961 goto done;
2962 }
2963
f2fcfcd6
GP		 2964 /* throw out any old stored conf requests */
2965 result = L2CAP_CONF_SUCCESS;
2966 len = l2cap_parse_conf_rsp(sk, rsp->data,
2967 len, req, &result);
2968 if (len < 0) {
9b108fc0 2969 l2cap_send_disconn_req(conn, sk, ECONNRESET);
f2fcfcd6
GP		 2970 goto done;
2971 }
2972
2973 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2974 L2CAP_CONF_REQ, len, req);
2975 l2cap_pi(sk)->num_conf_req++;
2976 if (result != L2CAP_CONF_SUCCESS)
2977 goto done;
2978 break;
1da177e4
LT		 2979 }
2980
8e87d142 2981 default:
b1235d79 2982 sk->sk_err = ECONNRESET;
1da177e4 2983 l2cap_sock_set_timer(sk, HZ * 5);
9b108fc0 2984 l2cap_send_disconn_req(conn, sk, ECONNRESET);
1da177e4
LT		 2985 goto done;
2986 }
2987
2988 if (flags & 0x01)
2989 goto done;
2990
1da177e4
LT		 2991 l2cap_pi(sk)->conf_state |= L2CAP_CONF_INPUT_DONE;
2992
2993 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE) {
8c462b60 2994 set_default_fcs(l2cap_pi(sk));
fcc203c3 2995
1da177e4 2996 sk->sk_state = BT_CONNECTED;
0565c1c2 2997 l2cap_pi(sk)->next_tx_seq = 0;
1c2acffb 2998 l2cap_pi(sk)->expected_tx_seq = 0;
1c2acffb 2999 __skb_queue_head_init(TX_QUEUE(sk));
0565c1c2
GP		 3000 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM)
3001 l2cap_ertm_init(sk);
3002
1da177e4
LT		 3003 l2cap_chan_ready(sk);
3004 }
3005
3006done:
3007 bh_unlock_sock(sk);
3008 return 0;
3009}
3010
3011static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3012{
3013 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
3014 struct l2cap_disconn_rsp rsp;
3015 u16 dcid, scid;
3016 struct sock *sk;
3017
3018 scid = __le16_to_cpu(req->scid);
3019 dcid = __le16_to_cpu(req->dcid);
3020
3021 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
3022
af05b30b
GP		 3023 sk = l2cap_get_chan_by_scid(&conn->chan_list, dcid);
3024 if (!sk)
1da177e4
LT		 3025 return 0;
3026
aca3192c
YH		 3027 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
3028 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
1da177e4
LT		 3029 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
3030
3031 sk->sk_shutdown = SHUTDOWN_MASK;
3032
a49184c2
AE		 3033 /* don't delete l2cap channel if sk is owned by user */
3034 if (sock_owned_by_user(sk)) {
3035 sk->sk_state = BT_DISCONN;
3036 l2cap_sock_clear_timer(sk);
3037 l2cap_sock_set_timer(sk, HZ / 5);
3038 bh_unlock_sock(sk);
3039 return 0;
3040 }
3041
1da177e4
LT		 3042 l2cap_chan_del(sk, ECONNRESET);
3043 bh_unlock_sock(sk);
3044
3045 l2cap_sock_kill(sk);
3046 return 0;
3047}
3048
3049static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3050{
3051 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
3052 u16 dcid, scid;
3053 struct sock *sk;
3054
3055 scid = __le16_to_cpu(rsp->scid);
3056 dcid = __le16_to_cpu(rsp->dcid);
3057
3058 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
3059
af05b30b
GP		 3060 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
3061 if (!sk)
1da177e4
LT		 3062 return 0;
3063
a49184c2
AE		 3064 /* don't delete l2cap channel if sk is owned by user */
3065 if (sock_owned_by_user(sk)) {
3066 sk->sk_state = BT_DISCONN;
3067 l2cap_sock_clear_timer(sk);
3068 l2cap_sock_set_timer(sk, HZ / 5);
3069 bh_unlock_sock(sk);
3070 return 0;
3071 }
3072
1da177e4
LT		 3073 l2cap_chan_del(sk, 0);
3074 bh_unlock_sock(sk);
3075
3076 l2cap_sock_kill(sk);
3077 return 0;
3078}
3079
3080static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3081{
3082 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 3083 u16 type;
3084
3085 type = __le16_to_cpu(req->type);
3086
3087 BT_DBG("type 0x%4.4x", type);
3088
f0709e03
MH		 3089 if (type == L2CAP_IT_FEAT_MASK) {
3090 u8 buf[8];
44dd46de 3091 u32 feat_mask = l2cap_feat_mask;
f0709e03
MH		 3092 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
3093 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3094 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 3095 if (!disable_ertm)
fcc203c3
GP		 3096 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
3097 | L2CAP_FEAT_FCS;
1b7bf4ed 3098 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 3099 l2cap_send_cmd(conn, cmd->ident,
3100 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 3101 } else if (type == L2CAP_IT_FIXED_CHAN) {
3102 u8 buf[12];
3103 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
3104 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3105 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
3106 memcpy(buf + 4, l2cap_fixed_chan, 8);
3107 l2cap_send_cmd(conn, cmd->ident,
3108 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 3109 } else {
3110 struct l2cap_info_rsp rsp;
3111 rsp.type = cpu_to_le16(type);
3112 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
3113 l2cap_send_cmd(conn, cmd->ident,
3114 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
3115 }
1da177e4
LT		 3116
3117 return 0;
3118}
3119
3120static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3121{
3122 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
3123 u16 type, result;
3124
3125 type = __le16_to_cpu(rsp->type);
3126 result = __le16_to_cpu(rsp->result);
3127
3128 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
3129
4e8402a3
MH		 3130 del_timer(&conn->info_timer);
3131
adb08ede
VT		 3132 if (result != L2CAP_IR_SUCCESS) {
3133 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3134 conn->info_ident = 0;
3135
3136 l2cap_conn_start(conn);
3137
3138 return 0;
3139 }
3140
984947dc 3141 if (type == L2CAP_IT_FEAT_MASK) {
83985319 3142 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 3143
47ec1dcd 3144 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c
MH		 3145 struct l2cap_info_req req;
3146 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3147
3148 conn->info_ident = l2cap_get_ident(conn);
3149
3150 l2cap_send_cmd(conn, conn->info_ident,
3151 L2CAP_INFO_REQ, sizeof(req), &req);
3152 } else {
3153 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3154 conn->info_ident = 0;
3155
3156 l2cap_conn_start(conn);
3157 }
3158 } else if (type == L2CAP_IT_FIXED_CHAN) {
984947dc 3159 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3160 conn->info_ident = 0;
984947dc
MH		 3161
3162 l2cap_conn_start(conn);
3163 }
4e8402a3 3164
1da177e4
LT		 3165 return 0;
3166}
3167
3168static inline void l2cap_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb)
3169{
3170 u8 *data = skb->data;
3171 int len = skb->len;
3172 struct l2cap_cmd_hdr cmd;
3173 int err = 0;
3174
3175 l2cap_raw_recv(conn, skb);
3176
3177 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 3178 u16 cmd_len;
1da177e4
LT		 3179 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
3180 data += L2CAP_CMD_HDR_SIZE;
3181 len -= L2CAP_CMD_HDR_SIZE;
3182
88219a0f 3183 cmd_len = le16_to_cpu(cmd.len);
1da177e4 3184
88219a0f 3185 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 3186
88219a0f 3187 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 3188 BT_DBG("corrupted command");
3189 break;
3190 }
3191
3192 switch (cmd.code) {
3193 case L2CAP_COMMAND_REJ:
4e8402a3 3194 l2cap_command_rej(conn, &cmd, data);
1da177e4
LT		 3195 break;
3196
3197 case L2CAP_CONN_REQ:
3198 err = l2cap_connect_req(conn, &cmd, data);
3199 break;
3200
3201 case L2CAP_CONN_RSP:
3202 err = l2cap_connect_rsp(conn, &cmd, data);
3203 break;
3204
3205 case L2CAP_CONF_REQ:
88219a0f 3206 err = l2cap_config_req(conn, &cmd, cmd_len, data);
1da177e4
LT		 3207 break;
3208
3209 case L2CAP_CONF_RSP:
3210 err = l2cap_config_rsp(conn, &cmd, data);
3211 break;
3212
3213 case L2CAP_DISCONN_REQ:
3214 err = l2cap_disconnect_req(conn, &cmd, data);
3215 break;
3216
3217 case L2CAP_DISCONN_RSP:
3218 err = l2cap_disconnect_rsp(conn, &cmd, data);
3219 break;
3220
3221 case L2CAP_ECHO_REQ:
88219a0f 3222 l2cap_send_cmd(conn, cmd.ident, L2CAP_ECHO_RSP, cmd_len, data);
1da177e4
LT		 3223 break;
3224
3225 case L2CAP_ECHO_RSP:
3226 break;
3227
3228 case L2CAP_INFO_REQ:
3229 err = l2cap_information_req(conn, &cmd, data);
3230 break;
3231
3232 case L2CAP_INFO_RSP:
3233 err = l2cap_information_rsp(conn, &cmd, data);
3234 break;
3235
3236 default:
3237 BT_ERR("Unknown signaling command 0x%2.2x", cmd.code);
3238 err = -EINVAL;
3239 break;
3240 }
3241
3242 if (err) {
3243 struct l2cap_cmd_rej rej;
3244 BT_DBG("error %d", err);
3245
3246 /* FIXME: Map err to a valid reason */
aca3192c 3247 rej.reason = cpu_to_le16(0);
1da177e4
LT		 3248 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3249 }
3250
88219a0f
AV		 3251 data += cmd_len;
3252 len -= cmd_len;
1da177e4
LT		 3253 }
3254
3255 kfree_skb(skb);
3256}
3257
fcc203c3
GP		 3258static int l2cap_check_fcs(struct l2cap_pinfo *pi, struct sk_buff *skb)
3259{
3260 u16 our_fcs, rcv_fcs;
3261 int hdr_size = L2CAP_HDR_SIZE + 2;
3262
3263 if (pi->fcs == L2CAP_FCS_CRC16) {
3264 skb_trim(skb, skb->len - 2);
3265 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
3266 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
3267
3268 if (our_fcs != rcv_fcs)
7a560e5c 3269 return -EBADMSG;
fcc203c3
GP		 3270 }
3271 return 0;
3272}
3273
d5392c8f
GP		 3274static inline void l2cap_send_i_or_rr_or_rnr(struct sock *sk)
3275{
3276 struct l2cap_pinfo *pi = l2cap_pi(sk);
3277 u16 control = 0;
3278
3279 pi->frames_sent = 0;
d5392c8f
GP		 3280
3281 control |= pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3282
3283 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) {
64988868 3284 control |= L2CAP_SUPER_RCV_NOT_READY;
d5392c8f 3285 l2cap_send_sframe(pi, control);
1890d36b 3286 pi->conn_state |= L2CAP_CONN_RNR_SENT;
d5392c8f
GP		 3287 }
3288
4ea727ef
GP		 3289 if (pi->conn_state & L2CAP_CONN_REMOTE_BUSY)
3290 l2cap_retransmit_frames(sk);
d5392c8f
GP		 3291
3292 l2cap_ertm_send(sk);
3293
3294 if (!(pi->conn_state & L2CAP_CONN_LOCAL_BUSY) &&
3295 pi->frames_sent == 0) {
3296 control |= L2CAP_SUPER_RCV_READY;
d5392c8f
GP		 3297 l2cap_send_sframe(pi, control);
3298 }
3299}
3300
9b53350d 3301static int l2cap_add_to_srej_queue(struct sock *sk, struct sk_buff *skb, u8 tx_seq, u8 sar)
8f17154f
GP		 3302{
3303 struct sk_buff *next_skb;
bfbacc11
JPRV		 3304 struct l2cap_pinfo *pi = l2cap_pi(sk);
3305 int tx_seq_offset, next_tx_seq_offset;
8f17154f
GP		 3306
3307 bt_cb(skb)->tx_seq = tx_seq;
3308 bt_cb(skb)->sar = sar;
3309
3310 next_skb = skb_peek(SREJ_QUEUE(sk));
3311 if (!next_skb) {
3312 __skb_queue_tail(SREJ_QUEUE(sk), skb);
9b53350d 3313 return 0;
8f17154f
GP		 3314 }
3315
bfbacc11
JPRV		 3316 tx_seq_offset = (tx_seq - pi->buffer_seq) % 64;
3317 if (tx_seq_offset < 0)
3318 tx_seq_offset += 64;
3319
8f17154f 3320 do {
9b53350d
JPRV		 3321 if (bt_cb(next_skb)->tx_seq == tx_seq)
3322 return -EINVAL;
3323
bfbacc11
JPRV		 3324 next_tx_seq_offset = (bt_cb(next_skb)->tx_seq -
3325 pi->buffer_seq) % 64;
3326 if (next_tx_seq_offset < 0)
3327 next_tx_seq_offset += 64;
3328
3329 if (next_tx_seq_offset > tx_seq_offset) {
8f17154f 3330 __skb_queue_before(SREJ_QUEUE(sk), next_skb, skb);
9b53350d 3331 return 0;
8f17154f
GP		 3332 }
3333
3334 if (skb_queue_is_last(SREJ_QUEUE(sk), next_skb))
3335 break;
3336
59203a21 3337 } while ((next_skb = skb_queue_next(SREJ_QUEUE(sk), next_skb)));
8f17154f
GP		 3338
3339 __skb_queue_tail(SREJ_QUEUE(sk), skb);
9b53350d
JPRV		 3340
3341 return 0;
8f17154f
GP		 3342}
3343
18778a63
GP		 3344static int l2cap_ertm_reassembly_sdu(struct sock *sk, struct sk_buff *skb, u16 control)
3345{
3346 struct l2cap_pinfo *pi = l2cap_pi(sk);
3347 struct sk_buff *_skb;
1890d36b 3348 int err;
18778a63
GP		 3349
3350 switch (control & L2CAP_CTRL_SAR) {
3351 case L2CAP_SDU_UNSEGMENTED:
3352 if (pi->conn_state & L2CAP_CONN_SAR_SDU)
3353 goto drop;
3354
3355 err = sock_queue_rcv_skb(sk, skb);
3356 if (!err)
3357 return err;
3358
3359 break;
3360
3361 case L2CAP_SDU_START:
3362 if (pi->conn_state & L2CAP_CONN_SAR_SDU)
3363 goto drop;
3364
3365 pi->sdu_len = get_unaligned_le16(skb->data);
18778a63
GP		 3366
3367 if (pi->sdu_len > pi->imtu)
3368 goto disconnect;
3369
3370 pi->sdu = bt_skb_alloc(pi->sdu_len, GFP_ATOMIC);
1890d36b
GP		 3371 if (!pi->sdu)
3372 return -ENOMEM;
3373
3374 /* pull sdu_len bytes only after alloc, because of Local Busy
3375 * condition we have to be sure that this will be executed
3376 * only once, i.e., when alloc does not fail */
3377 skb_pull(skb, 2);
18778a63
GP		 3378
3379 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3380
3381 pi->conn_state |= L2CAP_CONN_SAR_SDU;
3382 pi->partial_sdu_len = skb->len;
3383 break;
3384
3385 case L2CAP_SDU_CONTINUE:
3386 if (!(pi->conn_state & L2CAP_CONN_SAR_SDU))
3387 goto disconnect;
3388
3389 if (!pi->sdu)
3390 goto disconnect;
3391
18778a63
GP		 3392 pi->partial_sdu_len += skb->len;
3393 if (pi->partial_sdu_len > pi->sdu_len)
3394 goto drop;
3395
4178ba46
GP		 3396 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3397
18778a63
GP		 3398 break;
3399
3400 case L2CAP_SDU_END:
3401 if (!(pi->conn_state & L2CAP_CONN_SAR_SDU))
3402 goto disconnect;
3403
3404 if (!pi->sdu)
3405 goto disconnect;
3406
1890d36b 3407 if (!(pi->conn_state & L2CAP_CONN_SAR_RETRY)) {
1890d36b 3408 pi->partial_sdu_len += skb->len;
18778a63 3409
1890d36b
GP		 3410 if (pi->partial_sdu_len > pi->imtu)
3411 goto drop;
18778a63 3412
1890d36b
GP		 3413 if (pi->partial_sdu_len != pi->sdu_len)
3414 goto drop;
4178ba46
GP		 3415
3416 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
1890d36b 3417 }
18778a63
GP		 3418
3419 _skb = skb_clone(pi->sdu, GFP_ATOMIC);
1890d36b
GP		 3420 if (!_skb) {
3421 pi->conn_state |= L2CAP_CONN_SAR_RETRY;
3422 return -ENOMEM;
3423 }
3424
18778a63 3425 err = sock_queue_rcv_skb(sk, _skb);
1890d36b 3426 if (err < 0) {
18778a63 3427 kfree_skb(_skb);
1890d36b
GP		 3428 pi->conn_state |= L2CAP_CONN_SAR_RETRY;
3429 return err;
3430 }
3431
3432 pi->conn_state &= ~L2CAP_CONN_SAR_RETRY;
3433 pi->conn_state &= ~L2CAP_CONN_SAR_SDU;
18778a63
GP		 3434
3435 kfree_skb(pi->sdu);
3436 break;
3437 }
3438
3439 kfree_skb(skb);
1890d36b 3440 return 0;
18778a63
GP		 3441
3442drop:
3443 kfree_skb(pi->sdu);
3444 pi->sdu = NULL;
3445
3446disconnect:
9b108fc0 3447 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
18778a63
GP		 3448 kfree_skb(skb);
3449 return 0;
3450}
3451
712132eb
GP		 3452static int l2cap_try_push_rx_skb(struct sock *sk)
3453{
3454 struct l2cap_pinfo *pi = l2cap_pi(sk);
3455 struct sk_buff *skb;
3456 u16 control;
3457 int err;
3458
3459 while ((skb = skb_dequeue(BUSY_QUEUE(sk)))) {
3460 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
3461 err = l2cap_ertm_reassembly_sdu(sk, skb, control);
3462 if (err < 0) {
3463 skb_queue_head(BUSY_QUEUE(sk), skb);
3464 return -EBUSY;
3465 }
3466
3467 pi->buffer_seq = (pi->buffer_seq + 1) % 64;
3468 }
3469
3470 if (!(pi->conn_state & L2CAP_CONN_RNR_SENT))
3471 goto done;
3472
3473 control = pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3474 control |= L2CAP_SUPER_RCV_READY | L2CAP_CTRL_POLL;
3475 l2cap_send_sframe(pi, control);
3476 l2cap_pi(sk)->retry_count = 1;
3477
3478 del_timer(&pi->retrans_timer);
3479 __mod_monitor_timer();
3480
3481 l2cap_pi(sk)->conn_state |= L2CAP_CONN_WAIT_F;
3482
3483done:
3484 pi->conn_state &= ~L2CAP_CONN_LOCAL_BUSY;
3485 pi->conn_state &= ~L2CAP_CONN_RNR_SENT;
3486
3487 BT_DBG("sk %p, Exit local busy", sk);
3488
3489 return 0;
3490}
3491
1890d36b
GP		 3492static void l2cap_busy_work(struct work_struct *work)
3493{
3494 DECLARE_WAITQUEUE(wait, current);
3495 struct l2cap_pinfo *pi =
3496 container_of(work, struct l2cap_pinfo, busy_work);
3497 struct sock *sk = (struct sock *)pi;
3498 int n_tries = 0, timeo = HZ/5, err;
3499 struct sk_buff *skb;
1890d36b
GP		 3500
3501 lock_sock(sk);
3502
2b0b05dd 3503 add_wait_queue(sk_sleep(sk), &wait);
1890d36b
GP		 3504 while ((skb = skb_peek(BUSY_QUEUE(sk)))) {
3505 set_current_state(TASK_INTERRUPTIBLE);
3506
3507 if (n_tries++ > L2CAP_LOCAL_BUSY_TRIES) {
3508 err = -EBUSY;
9b108fc0 3509 l2cap_send_disconn_req(pi->conn, sk, EBUSY);
712132eb 3510 break;
1890d36b
GP		 3511 }
3512
3513 if (!timeo)
3514 timeo = HZ/5;
3515
3516 if (signal_pending(current)) {
3517 err = sock_intr_errno(timeo);
712132eb 3518 break;
1890d36b
GP		 3519 }
3520
3521 release_sock(sk);
3522 timeo = schedule_timeout(timeo);
3523 lock_sock(sk);
3524
3525 err = sock_error(sk);
3526 if (err)
712132eb 3527 break;
1890d36b 3528
712132eb 3529 if (l2cap_try_push_rx_skb(sk) == 0)
1890d36b
GP		 3530 break;
3531 }
3532
1890d36b 3533 set_current_state(TASK_RUNNING);
2b0b05dd 3534 remove_wait_queue(sk_sleep(sk), &wait);
1890d36b
GP		 3535
3536 release_sock(sk);
3537}
3538
3539static int l2cap_push_rx_skb(struct sock *sk, struct sk_buff *skb, u16 control)
3540{
3541 struct l2cap_pinfo *pi = l2cap_pi(sk);
3542 int sctrl, err;
3543
3544 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) {
3545 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
3546 __skb_queue_tail(BUSY_QUEUE(sk), skb);
712132eb
GP		 3547 return l2cap_try_push_rx_skb(sk);
3548
3549
1890d36b
GP		 3550 }
3551
3552 err = l2cap_ertm_reassembly_sdu(sk, skb, control);
3553 if (err >= 0) {
3554 pi->buffer_seq = (pi->buffer_seq + 1) % 64;
3555 return err;
3556 }
3557
3558 /* Busy Condition */
0e98958d
GP		 3559 BT_DBG("sk %p, Enter local busy", sk);
3560
1890d36b
GP		 3561 pi->conn_state |= L2CAP_CONN_LOCAL_BUSY;
3562 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
3563 __skb_queue_tail(BUSY_QUEUE(sk), skb);
3564
3565 sctrl = pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3566 sctrl |= L2CAP_SUPER_RCV_NOT_READY;
3567 l2cap_send_sframe(pi, sctrl);
3568
3569 pi->conn_state |= L2CAP_CONN_RNR_SENT;
3570
7fe9b298
GP		 3571 del_timer(&pi->ack_timer);
3572
1890d36b
GP		 3573 queue_work(_busy_wq, &pi->busy_work);
3574
3575 return err;
3576}
3577
18778a63 3578static int l2cap_streaming_reassembly_sdu(struct sock *sk, struct sk_buff *skb, u16 control)
c74e560c
GP		 3579{
3580 struct l2cap_pinfo *pi = l2cap_pi(sk);
3581 struct sk_buff *_skb;
3582 int err = -EINVAL;
3583
18778a63
GP		 3584 /*
3585 * TODO: We have to notify the userland if some data is lost with the
3586 * Streaming Mode.
3587 */
3588
c74e560c
GP		 3589 switch (control & L2CAP_CTRL_SAR) {
3590 case L2CAP_SDU_UNSEGMENTED:
3591 if (pi->conn_state & L2CAP_CONN_SAR_SDU) {
3592 kfree_skb(pi->sdu);
3593 break;
3594 }
3595
3596 err = sock_queue_rcv_skb(sk, skb);
3597 if (!err)
3598 return 0;
3599
3600 break;
3601
3602 case L2CAP_SDU_START:
3603 if (pi->conn_state & L2CAP_CONN_SAR_SDU) {
3604 kfree_skb(pi->sdu);
3605 break;
3606 }
3607
3608 pi->sdu_len = get_unaligned_le16(skb->data);
3609 skb_pull(skb, 2);
3610
052897ca
GP		 3611 if (pi->sdu_len > pi->imtu) {
3612 err = -EMSGSIZE;
3613 break;
3614 }
3615
c74e560c
GP		 3616 pi->sdu = bt_skb_alloc(pi->sdu_len, GFP_ATOMIC);
3617 if (!pi->sdu) {
3618 err = -ENOMEM;
3619 break;
3620 }
3621
3622 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3623
3624 pi->conn_state |= L2CAP_CONN_SAR_SDU;
3625 pi->partial_sdu_len = skb->len;
3626 err = 0;
3627 break;
3628
3629 case L2CAP_SDU_CONTINUE:
3630 if (!(pi->conn_state & L2CAP_CONN_SAR_SDU))
3631 break;
3632
3633 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3634
3635 pi->partial_sdu_len += skb->len;
3636 if (pi->partial_sdu_len > pi->sdu_len)
3637 kfree_skb(pi->sdu);
3638 else
3639 err = 0;
3640
3641 break;
3642
3643 case L2CAP_SDU_END:
3644 if (!(pi->conn_state & L2CAP_CONN_SAR_SDU))
3645 break;
3646
3647 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3648
3649 pi->conn_state &= ~L2CAP_CONN_SAR_SDU;
3650 pi->partial_sdu_len += skb->len;
3651
36f2fd58
GP		 3652 if (pi->partial_sdu_len > pi->imtu)
3653 goto drop;
3654
c74e560c
GP		 3655 if (pi->partial_sdu_len == pi->sdu_len) {
3656 _skb = skb_clone(pi->sdu, GFP_ATOMIC);
3657 err = sock_queue_rcv_skb(sk, _skb);
3658 if (err < 0)
3659 kfree_skb(_skb);
3660 }
c74e560c
GP		 3661 err = 0;
3662
36f2fd58
GP		 3663drop:
3664 kfree_skb(pi->sdu);
c74e560c
GP		 3665 break;
3666 }
3667
3668 kfree_skb(skb);
3669 return err;
3670}
3671
8f17154f
GP		 3672static void l2cap_check_srej_gap(struct sock *sk, u8 tx_seq)
3673{
3674 struct sk_buff *skb;
afefdbc4 3675 u16 control;
8f17154f 3676
59203a21 3677 while ((skb = skb_peek(SREJ_QUEUE(sk)))) {
8f17154f
GP		 3678 if (bt_cb(skb)->tx_seq != tx_seq)
3679 break;
3680
3681 skb = skb_dequeue(SREJ_QUEUE(sk));
afefdbc4 3682 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
18778a63 3683 l2cap_ertm_reassembly_sdu(sk, skb, control);
8f17154f
GP		 3684 l2cap_pi(sk)->buffer_seq_srej =
3685 (l2cap_pi(sk)->buffer_seq_srej + 1) % 64;
8ff50ec0 3686 tx_seq = (tx_seq + 1) % 64;
8f17154f
GP		 3687 }
3688}
3689
3690static void l2cap_resend_srejframe(struct sock *sk, u8 tx_seq)
3691{
3692 struct l2cap_pinfo *pi = l2cap_pi(sk);
3693 struct srej_list *l, *tmp;
3694 u16 control;
3695
59203a21 3696 list_for_each_entry_safe(l, tmp, SREJ_LIST(sk), list) {
8f17154f
GP		 3697 if (l->tx_seq == tx_seq) {
3698 list_del(&l->list);
3699 kfree(l);
3700 return;
3701 }
3702 control = L2CAP_SUPER_SELECT_REJECT;
3703 control |= l->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3704 l2cap_send_sframe(pi, control);
3705 list_del(&l->list);
3706 list_add_tail(&l->list, SREJ_LIST(sk));
3707 }
3708}
3709
3710static void l2cap_send_srejframe(struct sock *sk, u8 tx_seq)
3711{
3712 struct l2cap_pinfo *pi = l2cap_pi(sk);
3713 struct srej_list *new;
3714 u16 control;
3715
3716 while (tx_seq != pi->expected_tx_seq) {
3717 control = L2CAP_SUPER_SELECT_REJECT;
3718 control |= pi->expected_tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3719 l2cap_send_sframe(pi, control);
3720
3721 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
8ff50ec0
GP		 3722 new->tx_seq = pi->expected_tx_seq;
3723 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
8f17154f
GP		 3724 list_add_tail(&new->list, SREJ_LIST(sk));
3725 }
8ff50ec0 3726 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
8f17154f
GP		 3727}
3728
1c2acffb
GP		 3729static inline int l2cap_data_channel_iframe(struct sock *sk, u16 rx_control, struct sk_buff *skb)
3730{
3731 struct l2cap_pinfo *pi = l2cap_pi(sk);
3732 u8 tx_seq = __get_txseq(rx_control);
9f121a5a 3733 u8 req_seq = __get_reqseq(rx_control);
8f17154f 3734 u8 sar = rx_control >> L2CAP_CTRL_SAR_SHIFT;
f6337c77 3735 int tx_seq_offset, expected_tx_seq_offset;
803020c6 3736 int num_to_ack = (pi->tx_win/6) + 1;
1c2acffb
GP		 3737 int err = 0;
3738
0e98958d
GP		 3739 BT_DBG("sk %p len %d tx_seq %d rx_control 0x%4.4x", sk, skb->len, tx_seq,
3740 rx_control);
1c2acffb 3741
9b16dc65
GP		 3742 if (L2CAP_CTRL_FINAL & rx_control &&
3743 l2cap_pi(sk)->conn_state & L2CAP_CONN_WAIT_F) {
1d8f5d16
GP		 3744 del_timer(&pi->monitor_timer);
3745 if (pi->unacked_frames > 0)
3746 __mod_retrans_timer();
3747 pi->conn_state &= ~L2CAP_CONN_WAIT_F;
3748 }
3749
9f121a5a
GP		 3750 pi->expected_ack_seq = req_seq;
3751 l2cap_drop_acked_frames(sk);
3752
8f17154f
GP		 3753 if (tx_seq == pi->expected_tx_seq)
3754 goto expected;
1c2acffb 3755
9b53350d
JPRV		 3756 tx_seq_offset = (tx_seq - pi->buffer_seq) % 64;
3757 if (tx_seq_offset < 0)
3758 tx_seq_offset += 64;
3759
3760 /* invalid tx_seq */
3761 if (tx_seq_offset >= pi->tx_win) {
9b108fc0 3762 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
9b53350d
JPRV		 3763 goto drop;
3764 }
3765
1890d36b
GP		 3766 if (pi->conn_state == L2CAP_CONN_LOCAL_BUSY)
3767 goto drop;
3768
8f17154f
GP		 3769 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
3770 struct srej_list *first;
30afb5b2 3771
8f17154f
GP		 3772 first = list_first_entry(SREJ_LIST(sk),
3773 struct srej_list, list);
3774 if (tx_seq == first->tx_seq) {
3775 l2cap_add_to_srej_queue(sk, skb, tx_seq, sar);
3776 l2cap_check_srej_gap(sk, tx_seq);
3777
3778 list_del(&first->list);
3779 kfree(first);
3780
3781 if (list_empty(SREJ_LIST(sk))) {
3782 pi->buffer_seq = pi->buffer_seq_srej;
3783 pi->conn_state &= ~L2CAP_CONN_SREJ_SENT;
855666cc 3784 l2cap_send_ack(pi);
0e98958d 3785 BT_DBG("sk %p, Exit SREJ_SENT", sk);
8f17154f
GP		 3786 }
3787 } else {
3788 struct srej_list *l;
9b53350d
JPRV		 3789
3790 /* duplicated tx_seq */
3791 if (l2cap_add_to_srej_queue(sk, skb, tx_seq, sar) < 0)
3792 goto drop;
8f17154f
GP		 3793
3794 list_for_each_entry(l, SREJ_LIST(sk), list) {
3795 if (l->tx_seq == tx_seq) {
3796 l2cap_resend_srejframe(sk, tx_seq);
3797 return 0;
3798 }
3799 }
3800 l2cap_send_srejframe(sk, tx_seq);
30afb5b2
GP		 3801 }
3802 } else {
9b53350d
JPRV		 3803 expected_tx_seq_offset =
3804 (pi->expected_tx_seq - pi->buffer_seq) % 64;
3805 if (expected_tx_seq_offset < 0)
3806 expected_tx_seq_offset += 64;
3807
3808 /* duplicated tx_seq */
3809 if (tx_seq_offset < expected_tx_seq_offset)
3810 goto drop;
3811
8f17154f 3812 pi->conn_state |= L2CAP_CONN_SREJ_SENT;
1c2acffb 3813
0e98958d
GP		 3814 BT_DBG("sk %p, Enter SREJ", sk);
3815
8f17154f
GP		 3816 INIT_LIST_HEAD(SREJ_LIST(sk));
3817 pi->buffer_seq_srej = pi->buffer_seq;
3818
3819 __skb_queue_head_init(SREJ_QUEUE(sk));
1890d36b 3820 __skb_queue_head_init(BUSY_QUEUE(sk));
8f17154f
GP		 3821 l2cap_add_to_srej_queue(sk, skb, tx_seq, sar);
3822
ef54fd93
GP		 3823 pi->conn_state |= L2CAP_CONN_SEND_PBIT;
3824
8f17154f 3825 l2cap_send_srejframe(sk, tx_seq);
7fe9b298
GP		 3826
3827 del_timer(&pi->ack_timer);
1c2acffb 3828 }
30afb5b2
GP		 3829 return 0;
3830
8f17154f
GP		 3831expected:
3832 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
3833
3834 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
3b1a9f3f
GP		 3835 bt_cb(skb)->tx_seq = tx_seq;
3836 bt_cb(skb)->sar = sar;
3837 __skb_queue_tail(SREJ_QUEUE(sk), skb);
8f17154f
GP		 3838 return 0;
3839 }
3840
2ece3684
GP		 3841 err = l2cap_push_rx_skb(sk, skb, rx_control);
3842 if (err < 0)
3843 return 0;
3844
4ec10d97
GP		 3845 if (rx_control & L2CAP_CTRL_FINAL) {
3846 if (pi->conn_state & L2CAP_CONN_REJ_ACT)
3847 pi->conn_state &= ~L2CAP_CONN_REJ_ACT;
dfc909be
GP		 3848 else
3849 l2cap_retransmit_frames(sk);
4ec10d97
GP		 3850 }
3851
c1b4f43b
GP		 3852 __mod_ack_timer();
3853
803020c6
GP		 3854 pi->num_acked = (pi->num_acked + 1) % num_to_ack;
3855 if (pi->num_acked == num_to_ack - 1)
9e917af1
GP		 3856 l2cap_send_ack(pi);
3857
8f17154f 3858 return 0;
9b53350d
JPRV		 3859
3860drop:
3861 kfree_skb(skb);
3862 return 0;
1c2acffb
GP		 3863}
3864
e072745f 3865static inline void l2cap_data_channel_rrframe(struct sock *sk, u16 rx_control)
1c2acffb
GP		 3866{
3867 struct l2cap_pinfo *pi = l2cap_pi(sk);
6e3a5981 3868
0e98958d
GP		 3869 BT_DBG("sk %p, req_seq %d ctrl 0x%4.4x", sk, __get_reqseq(rx_control),
3870 rx_control);
3871
6e3a5981
GP		 3872 pi->expected_ack_seq = __get_reqseq(rx_control);
3873 l2cap_drop_acked_frames(sk);
1c2acffb 3874
e072745f 3875 if (rx_control & L2CAP_CTRL_POLL) {
3cb123d1 3876 pi->conn_state |= L2CAP_CONN_SEND_FBIT;
05fbd89d
GP		 3877 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
3878 if ((pi->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
3879 (pi->unacked_frames > 0))
3880 __mod_retrans_timer();
3881
3882 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3883 l2cap_send_srejtail(sk);
3884 } else {
3885 l2cap_send_i_or_rr_or_rnr(sk);
05fbd89d 3886 }
1d8f5d16 3887
e072745f
GP		 3888 } else if (rx_control & L2CAP_CTRL_FINAL) {
3889 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
4ec10d97 3890
e072745f
GP		 3891 if (pi->conn_state & L2CAP_CONN_REJ_ACT)
3892 pi->conn_state &= ~L2CAP_CONN_REJ_ACT;
dfc909be
GP		 3893 else
3894 l2cap_retransmit_frames(sk);
2246b2f1 3895
e072745f 3896 } else {
e072745f
GP		 3897 if ((pi->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
3898 (pi->unacked_frames > 0))
3899 __mod_retrans_timer();
1c2acffb 3900
2246b2f1 3901 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
894718a6 3902 if (pi->conn_state & L2CAP_CONN_SREJ_SENT)
e072745f 3903 l2cap_send_ack(pi);
894718a6 3904 else
e072745f
GP		 3905 l2cap_ertm_send(sk);
3906 }
3907}
2246b2f1 3908
e072745f
GP		 3909static inline void l2cap_data_channel_rejframe(struct sock *sk, u16 rx_control)
3910{
3911 struct l2cap_pinfo *pi = l2cap_pi(sk);
3912 u8 tx_seq = __get_reqseq(rx_control);
30afb5b2 3913
0e98958d
GP		 3914 BT_DBG("sk %p, req_seq %d ctrl 0x%4.4x", sk, tx_seq, rx_control);
3915
e072745f
GP		 3916 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3917
8abb52ee 3918 pi->expected_ack_seq = tx_seq;
e072745f
GP		 3919 l2cap_drop_acked_frames(sk);
3920
3921 if (rx_control & L2CAP_CTRL_FINAL) {
3922 if (pi->conn_state & L2CAP_CONN_REJ_ACT)
3923 pi->conn_state &= ~L2CAP_CONN_REJ_ACT;
dfc909be
GP		 3924 else
3925 l2cap_retransmit_frames(sk);
e072745f 3926 } else {
dfc909be 3927 l2cap_retransmit_frames(sk);
30afb5b2 3928
0301ef04 3929 if (pi->conn_state & L2CAP_CONN_WAIT_F)
e072745f 3930 pi->conn_state |= L2CAP_CONN_REJ_ACT;
e072745f
GP		 3931 }
3932}
3933static inline void l2cap_data_channel_srejframe(struct sock *sk, u16 rx_control)
3934{
3935 struct l2cap_pinfo *pi = l2cap_pi(sk);
3936 u8 tx_seq = __get_reqseq(rx_control);
30afb5b2 3937
0e98958d
GP		 3938 BT_DBG("sk %p, req_seq %d ctrl 0x%4.4x", sk, tx_seq, rx_control);
3939
e072745f 3940 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
2246b2f1 3941
e072745f
GP		 3942 if (rx_control & L2CAP_CTRL_POLL) {
3943 pi->expected_ack_seq = tx_seq;
3944 l2cap_drop_acked_frames(sk);
3cb123d1
GP		 3945
3946 pi->conn_state |= L2CAP_CONN_SEND_FBIT;
dfc909be
GP		 3947 l2cap_retransmit_one_frame(sk, tx_seq);
3948
e072745f 3949 l2cap_ertm_send(sk);
dfc909be 3950
e072745f
GP		 3951 if (pi->conn_state & L2CAP_CONN_WAIT_F) {
3952 pi->srej_save_reqseq = tx_seq;
3953 pi->conn_state |= L2CAP_CONN_SREJ_ACT;
ef54fd93 3954 }
e072745f
GP		 3955 } else if (rx_control & L2CAP_CTRL_FINAL) {
3956 if ((pi->conn_state & L2CAP_CONN_SREJ_ACT) &&
3957 pi->srej_save_reqseq == tx_seq)
3958 pi->conn_state &= ~L2CAP_CONN_SREJ_ACT;
3959 else
dfc909be 3960 l2cap_retransmit_one_frame(sk, tx_seq);
e072745f 3961 } else {
dfc909be 3962 l2cap_retransmit_one_frame(sk, tx_seq);
e072745f
GP		 3963 if (pi->conn_state & L2CAP_CONN_WAIT_F) {
3964 pi->srej_save_reqseq = tx_seq;
3965 pi->conn_state |= L2CAP_CONN_SREJ_ACT;
ef54fd93 3966 }
e072745f
GP		 3967 }
3968}
3969
3970static inline void l2cap_data_channel_rnrframe(struct sock *sk, u16 rx_control)
3971{
3972 struct l2cap_pinfo *pi = l2cap_pi(sk);
3973 u8 tx_seq = __get_reqseq(rx_control);
3974
0e98958d
GP		 3975 BT_DBG("sk %p, req_seq %d ctrl 0x%4.4x", sk, tx_seq, rx_control);
3976
e072745f
GP		 3977 pi->conn_state |= L2CAP_CONN_REMOTE_BUSY;
3978 pi->expected_ack_seq = tx_seq;
3979 l2cap_drop_acked_frames(sk);
3980
3cb123d1
GP		 3981 if (rx_control & L2CAP_CTRL_POLL)
3982 pi->conn_state |= L2CAP_CONN_SEND_FBIT;
3983
99b0d4b7
GP		 3984 if (!(pi->conn_state & L2CAP_CONN_SREJ_SENT)) {
3985 del_timer(&pi->retrans_timer);
a2e12a2a
GP		 3986 if (rx_control & L2CAP_CTRL_POLL)
3987 l2cap_send_rr_or_rnr(pi, L2CAP_CTRL_FINAL);
99b0d4b7 3988 return;
e072745f 3989 }
99b0d4b7
GP		 3990
3991 if (rx_control & L2CAP_CTRL_POLL)
3992 l2cap_send_srejtail(sk);
3993 else
3994 l2cap_send_sframe(pi, L2CAP_SUPER_RCV_READY);
e072745f
GP		 3995}
3996
3997static inline int l2cap_data_channel_sframe(struct sock *sk, u16 rx_control, struct sk_buff *skb)
3998{
3999 BT_DBG("sk %p rx_control 0x%4.4x len %d", sk, rx_control, skb->len);
4000
9b16dc65
GP		 4001 if (L2CAP_CTRL_FINAL & rx_control &&
4002 l2cap_pi(sk)->conn_state & L2CAP_CONN_WAIT_F) {
e072745f
GP		 4003 del_timer(&l2cap_pi(sk)->monitor_timer);
4004 if (l2cap_pi(sk)->unacked_frames > 0)
4005 __mod_retrans_timer();
4006 l2cap_pi(sk)->conn_state &= ~L2CAP_CONN_WAIT_F;
4007 }
4008
4009 switch (rx_control & L2CAP_CTRL_SUPERVISE) {
4010 case L2CAP_SUPER_RCV_READY:
4011 l2cap_data_channel_rrframe(sk, rx_control);
8f17154f
GP		 4012 break;
4013
e072745f
GP		 4014 case L2CAP_SUPER_REJECT:
4015 l2cap_data_channel_rejframe(sk, rx_control);
4016 break;
2246b2f1 4017
e072745f
GP		 4018 case L2CAP_SUPER_SELECT_REJECT:
4019 l2cap_data_channel_srejframe(sk, rx_control);
4020 break;
4021
4022 case L2CAP_SUPER_RCV_NOT_READY:
4023 l2cap_data_channel_rnrframe(sk, rx_control);
1c2acffb
GP		 4024 break;
4025 }
4026
faaebd19 4027 kfree_skb(skb);
1c2acffb
GP		 4028 return 0;
4029}
4030
218bb9df
GP		 4031static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb)
4032{
4033 struct l2cap_pinfo *pi = l2cap_pi(sk);
4034 u16 control;
4035 u8 req_seq;
4036 int len, next_tx_seq_offset, req_seq_offset;
4037
4038 control = get_unaligned_le16(skb->data);
4039 skb_pull(skb, 2);
4040 len = skb->len;
4041
4042 /*
4043 * We can just drop the corrupted I-frame here.
4044 * Receiver will miss it and start proper recovery
4045 * procedures and ask retransmission.
4046 */
4047 if (l2cap_check_fcs(pi, skb))
4048 goto drop;
4049
4050 if (__is_sar_start(control) && __is_iframe(control))
4051 len -= 2;
4052
4053 if (pi->fcs == L2CAP_FCS_CRC16)
4054 len -= 2;
4055
4056 if (len > pi->mps) {
4057 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
4058 goto drop;
4059 }
4060
4061 req_seq = __get_reqseq(control);
4062 req_seq_offset = (req_seq - pi->expected_ack_seq) % 64;
4063 if (req_seq_offset < 0)
4064 req_seq_offset += 64;
4065
4066 next_tx_seq_offset =
4067 (pi->next_tx_seq - pi->expected_ack_seq) % 64;
4068 if (next_tx_seq_offset < 0)
4069 next_tx_seq_offset += 64;
4070
4071 /* check for invalid req-seq */
4072 if (req_seq_offset > next_tx_seq_offset) {
4073 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
4074 goto drop;
4075 }
4076
4077 if (__is_iframe(control)) {
4078 if (len < 0) {
4079 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
4080 goto drop;
4081 }
4082
4083 l2cap_data_channel_iframe(sk, control, skb);
4084 } else {
4085 if (len != 0) {
4086 BT_ERR("%d", len);
4087 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
4088 goto drop;
4089 }
4090
4091 l2cap_data_channel_sframe(sk, control, skb);
4092 }
4093
4094 return 0;
4095
4096drop:
4097 kfree_skb(skb);
4098 return 0;
4099}
4100
1da177e4
LT		 4101static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
4102{
4103 struct sock *sk;
6840ed07 4104 struct l2cap_pinfo *pi;
51893f88 4105 u16 control;
218bb9df
GP		 4106 u8 tx_seq;
4107 int len;
1da177e4
LT		 4108
4109 sk = l2cap_get_chan_by_scid(&conn->chan_list, cid);
4110 if (!sk) {
4111 BT_DBG("unknown cid 0x%4.4x", cid);
4112 goto drop;
4113 }
4114
6840ed07
GP		 4115 pi = l2cap_pi(sk);
4116
1da177e4
LT		 4117 BT_DBG("sk %p, len %d", sk, skb->len);
4118
4119 if (sk->sk_state != BT_CONNECTED)
4120 goto drop;
4121
6840ed07 4122 switch (pi->mode) {
1c2acffb
GP		 4123 case L2CAP_MODE_BASIC:
4124 /* If socket recv buffers overflows we drop data here
4125 * which is *bad* because L2CAP has to be reliable.
4126 * But we don't have any other choice. L2CAP doesn't
4127 * provide flow control mechanism. */
1da177e4 4128
6840ed07 4129 if (pi->imtu < skb->len)
1c2acffb 4130 goto drop;
1da177e4 4131
1c2acffb
GP		 4132 if (!sock_queue_rcv_skb(sk, skb))
4133 goto done;
4134 break;
4135
4136 case L2CAP_MODE_ERTM:
218bb9df
GP		 4137 if (!sock_owned_by_user(sk)) {
4138 l2cap_ertm_data_rcv(sk, skb);
277ffbe3 4139 } else {
218bb9df 4140 if (sk_add_backlog(sk, skb))
277ffbe3 4141 goto drop;
277ffbe3 4142 }
1c2acffb 4143
fcafde2e 4144 goto done;
1c2acffb 4145
6840ed07
GP		 4146 case L2CAP_MODE_STREAMING:
4147 control = get_unaligned_le16(skb->data);
4148 skb_pull(skb, 2);
4149 len = skb->len;
4150
26000089
GP		 4151 if (l2cap_check_fcs(pi, skb))
4152 goto drop;
4153
6840ed07
GP		 4154 if (__is_sar_start(control))
4155 len -= 2;
4156
fcc203c3
GP		 4157 if (pi->fcs == L2CAP_FCS_CRC16)
4158 len -= 2;
4159
51893f88 4160 if (len > pi->mps || len < 0 || __is_sframe(control))
6840ed07
GP		 4161 goto drop;
4162
4163 tx_seq = __get_txseq(control);
4164
4165 if (pi->expected_tx_seq == tx_seq)
4166 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
4167 else
7dffe421 4168 pi->expected_tx_seq = (tx_seq + 1) % 64;
6840ed07 4169
18778a63 4170 l2cap_streaming_reassembly_sdu(sk, skb, control);
6840ed07
GP		 4171
4172 goto done;
4173
1c2acffb 4174 default:
e8235c6b 4175 BT_DBG("sk %p: bad mode 0x%2.2x", sk, pi->mode);
1c2acffb
GP		 4176 break;
4177 }
1da177e4
LT		 4178
4179drop:
4180 kfree_skb(skb);
4181
4182done:
0139418c
MH		 4183 if (sk)
4184 bh_unlock_sock(sk);
4185
1da177e4
LT		 4186 return 0;
4187}
4188
8e036fc3 4189static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
1da177e4
LT		 4190{
4191 struct sock *sk;
4192
4193 sk = l2cap_get_sock_by_psm(0, psm, conn->src);
4194 if (!sk)
4195 goto drop;
4196
e0f0cb56
GP		 4197 bh_lock_sock(sk);
4198
1da177e4
LT		 4199 BT_DBG("sk %p, len %d", sk, skb->len);
4200
4201 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_CONNECTED)
4202 goto drop;
4203
4204 if (l2cap_pi(sk)->imtu < skb->len)
4205 goto drop;
4206
4207 if (!sock_queue_rcv_skb(sk, skb))
4208 goto done;
4209
4210drop:
4211 kfree_skb(skb);
4212
4213done:
af05b30b
GP		 4214 if (sk)
4215 bh_unlock_sock(sk);
1da177e4
LT		 4216 return 0;
4217}
4218
4219static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
4220{
4221 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 4222 u16 cid, len;
4223 __le16 psm;
1da177e4
LT		 4224
4225 skb_pull(skb, L2CAP_HDR_SIZE);
4226 cid = __le16_to_cpu(lh->cid);
4227 len = __le16_to_cpu(lh->len);
4228
1c2acffb
GP		 4229 if (len != skb->len) {
4230 kfree_skb(skb);
4231 return;
4232 }
4233
1da177e4
LT		 4234 BT_DBG("len %d, cid 0x%4.4x", len, cid);
4235
4236 switch (cid) {
8db4dc46 4237 case L2CAP_CID_SIGNALING:
1da177e4
LT		 4238 l2cap_sig_channel(conn, skb);
4239 break;
4240
8db4dc46 4241 case L2CAP_CID_CONN_LESS:
1b7bf4ed 4242 psm = get_unaligned_le16(skb->data);
1da177e4
LT		 4243 skb_pull(skb, 2);
4244 l2cap_conless_channel(conn, psm, skb);
4245 break;
4246
4247 default:
4248 l2cap_data_channel(conn, cid, skb);
4249 break;
4250 }
4251}
4252
4253/* ---- L2CAP interface with lower layer (HCI) ---- */
4254
4255static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
4256{
4257 int exact = 0, lm1 = 0, lm2 = 0;
4258 register struct sock *sk;
4259 struct hlist_node *node;
4260
4261 if (type != ACL_LINK)
963cf687 4262 return -EINVAL;
1da177e4
LT		 4263
4264 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
4265
4266 /* Find listening sockets and check their link_mode */
4267 read_lock(&l2cap_sk_list.lock);
4268 sk_for_each(sk, node, &l2cap_sk_list.head) {
4269 if (sk->sk_state != BT_LISTEN)
4270 continue;
4271
4272 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5
MH		 4273 lm1 |= HCI_LM_ACCEPT;
4274 if (l2cap_pi(sk)->role_switch)
4275 lm1 |= HCI_LM_MASTER;
1da177e4 4276 exact++;
2af6b9d5
MH		 4277 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
4278 lm2 |= HCI_LM_ACCEPT;
4279 if (l2cap_pi(sk)->role_switch)
4280 lm2 |= HCI_LM_MASTER;
4281 }
1da177e4
LT		 4282 }
4283 read_unlock(&l2cap_sk_list.lock);
4284
4285 return exact ? lm1 : lm2;
4286}
4287
4288static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
4289{
0139418c
MH		 4290 struct l2cap_conn *conn;
4291
1da177e4
LT		 4292 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
4293
4294 if (hcon->type != ACL_LINK)
963cf687 4295 return -EINVAL;
1da177e4
LT		 4296
4297 if (!status) {
1da177e4
LT		 4298 conn = l2cap_conn_add(hcon, status);
4299 if (conn)
4300 l2cap_conn_ready(conn);
0139418c 4301 } else
1da177e4
LT		 4302 l2cap_conn_del(hcon, bt_err(status));
4303
4304 return 0;
4305}
4306
2950f21a
MH		 4307static int l2cap_disconn_ind(struct hci_conn *hcon)
4308{
4309 struct l2cap_conn *conn = hcon->l2cap_data;
4310
4311 BT_DBG("hcon %p", hcon);
4312
4313 if (hcon->type != ACL_LINK || !conn)
4314 return 0x13;
4315
4316 return conn->disc_reason;
4317}
4318
4319static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 4320{
4321 BT_DBG("hcon %p reason %d", hcon, reason);
4322
4323 if (hcon->type != ACL_LINK)
963cf687 4324 return -EINVAL;
1da177e4
LT		 4325
4326 l2cap_conn_del(hcon, bt_err(reason));
0139418c 4327
1da177e4
LT		 4328 return 0;
4329}
4330
f62e4323
MH		 4331static inline void l2cap_check_encryption(struct sock *sk, u8 encrypt)
4332{
bd3c9e25 4333 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM)
255c7601
MH		 4334 return;
4335
f62e4323
MH		 4336 if (encrypt == 0x00) {
4337 if (l2cap_pi(sk)->sec_level == BT_SECURITY_MEDIUM) {
4338 l2cap_sock_clear_timer(sk);
4339 l2cap_sock_set_timer(sk, HZ * 5);
4340 } else if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
4341 __l2cap_sock_close(sk, ECONNREFUSED);
4342 } else {
4343 if (l2cap_pi(sk)->sec_level == BT_SECURITY_MEDIUM)
4344 l2cap_sock_clear_timer(sk);
4345 }
4346}
4347
8c1b2355 4348static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4
LT		 4349{
4350 struct l2cap_chan_list *l;
0139418c 4351 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4 4352 struct sock *sk;
1da177e4 4353
0139418c 4354 if (!conn)
1da177e4 4355 return 0;
0139418c 4356
1da177e4
LT		 4357 l = &conn->chan_list;
4358
4359 BT_DBG("conn %p", conn);
4360
4361 read_lock(&l->lock);
4362
4363 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
4364 bh_lock_sock(sk);
4365
6a8d3010
MH		 4366 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_CONNECT_PEND) {
4367 bh_unlock_sock(sk);
4368 continue;
4369 }
4370
f62e4323 4371 if (!status && (sk->sk_state == BT_CONNECTED ||
8c1b2355 4372 sk->sk_state == BT_CONFIG)) {
f62e4323 4373 l2cap_check_encryption(sk, encrypt);
9719f8af
MH		 4374 bh_unlock_sock(sk);
4375 continue;
4376 }
4377
b1235d79
MH		 4378 if (sk->sk_state == BT_CONNECT) {
4379 if (!status) {
4380 struct l2cap_conn_req req;
4381 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
4382 req.psm = l2cap_pi(sk)->psm;
1da177e4 4383
b1235d79 4384 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
e501d055 4385 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
1da177e4 4386
b1235d79
MH		 4387 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
4388 L2CAP_CONN_REQ, sizeof(req), &req);
4389 } else {
4390 l2cap_sock_clear_timer(sk);
4391 l2cap_sock_set_timer(sk, HZ / 10);
4392 }
4393 } else if (sk->sk_state == BT_CONNECT2) {
4394 struct l2cap_conn_rsp rsp;
4395 __u16 result;
1da177e4 4396
b1235d79
MH		 4397 if (!status) {
4398 sk->sk_state = BT_CONFIG;
4399 result = L2CAP_CR_SUCCESS;
4400 } else {
4401 sk->sk_state = BT_DISCONN;
4402 l2cap_sock_set_timer(sk, HZ / 10);
4403 result = L2CAP_CR_SEC_BLOCK;
4404 }
4405
4406 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
4407 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
4408 rsp.result = cpu_to_le16(result);
e7c29cb1 4409 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
b1235d79
MH		 4410 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
4411 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
4412 }
1da177e4
LT		 4413
4414 bh_unlock_sock(sk);
4415 }
4416
4417 read_unlock(&l->lock);
b1235d79 4418
1da177e4
LT		 4419 return 0;
4420}
4421
4422static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
4423{
4424 struct l2cap_conn *conn = hcon->l2cap_data;
4425
5a08ecce
AE		 4426 if (!conn)
4427 conn = l2cap_conn_add(hcon, 0);
4428
4429 if (!conn)
1da177e4
LT		 4430 goto drop;
4431
4432 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
4433
e702112f 4434 if (!(flags & ACL_CONT)) {
1da177e4 4435 struct l2cap_hdr *hdr;
89794813
AE		 4436 struct sock *sk;
4437 u16 cid;
1da177e4
LT		 4438 int len;
4439
4440 if (conn->rx_len) {
4441 BT_ERR("Unexpected start frame (len %d)", skb->len);
4442 kfree_skb(conn->rx_skb);
4443 conn->rx_skb = NULL;
4444 conn->rx_len = 0;
4445 l2cap_conn_unreliable(conn, ECOMM);
4446 }
4447
aae7fe22
AE		 4448 /* Start fragment always begin with Basic L2CAP header */
4449 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 4450 BT_ERR("Frame is too short (len %d)", skb->len);
4451 l2cap_conn_unreliable(conn, ECOMM);
4452 goto drop;
4453 }
4454
4455 hdr = (struct l2cap_hdr *) skb->data;
4456 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
89794813 4457 cid = __le16_to_cpu(hdr->cid);
1da177e4
LT		 4458
4459 if (len == skb->len) {
4460 /* Complete frame received */
4461 l2cap_recv_frame(conn, skb);
4462 return 0;
4463 }
4464
4465 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
4466
4467 if (skb->len > len) {
4468 BT_ERR("Frame is too long (len %d, expected len %d)",
4469 skb->len, len);
4470 l2cap_conn_unreliable(conn, ECOMM);
4471 goto drop;
4472 }
4473
89794813
AE		 4474 sk = l2cap_get_chan_by_scid(&conn->chan_list, cid);
4475
4476 if (sk && l2cap_pi(sk)->imtu < len - L2CAP_HDR_SIZE) {
4477 BT_ERR("Frame exceeding recv MTU (len %d, MTU %d)",
4478 len, l2cap_pi(sk)->imtu);
4479 bh_unlock_sock(sk);
4480 l2cap_conn_unreliable(conn, ECOMM);
4481 goto drop;
4482 }
4483
4484 if (sk)
4485 bh_unlock_sock(sk);
4486
1da177e4 4487 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 4488 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
4489 if (!conn->rx_skb)
1da177e4
LT		 4490 goto drop;
4491
d626f62b 4492 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4493 skb->len);
1da177e4
LT		 4494 conn->rx_len = len - skb->len;
4495 } else {
4496 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
4497
4498 if (!conn->rx_len) {
4499 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
4500 l2cap_conn_unreliable(conn, ECOMM);
4501 goto drop;
4502 }
4503
4504 if (skb->len > conn->rx_len) {
4505 BT_ERR("Fragment is too long (len %d, expected %d)",
4506 skb->len, conn->rx_len);
4507 kfree_skb(conn->rx_skb);
4508 conn->rx_skb = NULL;
4509 conn->rx_len = 0;
4510 l2cap_conn_unreliable(conn, ECOMM);
4511 goto drop;
4512 }
4513
d626f62b 4514 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4515 skb->len);
1da177e4
LT		 4516 conn->rx_len -= skb->len;
4517
4518 if (!conn->rx_len) {
4519 /* Complete frame received */
4520 l2cap_recv_frame(conn, conn->rx_skb);
4521 conn->rx_skb = NULL;
4522 }
4523 }
4524
4525drop:
4526 kfree_skb(skb);
4527 return 0;
4528}
4529
aef7d97c 4530static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4
LT		 4531{
4532 struct sock *sk;
4533 struct hlist_node *node;
1da177e4
LT		 4534
4535 read_lock_bh(&l2cap_sk_list.lock);
4536
be9d1227
MH		 4537 sk_for_each(sk, node, &l2cap_sk_list.head) {
4538 struct l2cap_pinfo *pi = l2cap_pi(sk);
101545f6 4539
aef7d97c
MH		 4540 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d\n",
4541 batostr(&bt_sk(sk)->src),
4542 batostr(&bt_sk(sk)->dst),
4543 sk->sk_state, __le16_to_cpu(pi->psm),
4544 pi->scid, pi->dcid,
4545 pi->imtu, pi->omtu, pi->sec_level);
be9d1227 4546 }
1da177e4 4547
1da177e4 4548 read_unlock_bh(&l2cap_sk_list.lock);
1da177e4 4549
aef7d97c 4550 return 0;
1da177e4
LT		 4551}
4552
aef7d97c
MH		 4553static int l2cap_debugfs_open(struct inode *inode, struct file *file)
4554{
4555 return single_open(file, l2cap_debugfs_show, inode->i_private);
4556}
4557
4558static const struct file_operations l2cap_debugfs_fops = {
4559 .open = l2cap_debugfs_open,
4560 .read = seq_read,
4561 .llseek = seq_lseek,
4562 .release = single_release,
4563};
4564
4565static struct dentry *l2cap_debugfs;
1da177e4 4566
1da177e4
LT		 4567static struct hci_proto l2cap_hci_proto = {
4568 .name = "L2CAP",
4569 .id = HCI_PROTO_L2CAP,
4570 .connect_ind = l2cap_connect_ind,
4571 .connect_cfm = l2cap_connect_cfm,
4572 .disconn_ind = l2cap_disconn_ind,
2950f21a 4573 .disconn_cfm = l2cap_disconn_cfm,
8c1b2355 4574 .security_cfm = l2cap_security_cfm,
1da177e4
LT		 4575 .recv_acldata = l2cap_recv_acldata
4576};
4577
4578static int __init l2cap_init(void)
4579{
4580 int err;
be9d1227 4581
bb58f747 4582 err = l2cap_init_sockets();
1da177e4
LT		 4583 if (err < 0)
4584 return err;
4585
1890d36b 4586 _busy_wq = create_singlethread_workqueue("l2cap");
b78d7b4f 4587 if (!_busy_wq) {
bb58f747 4588 err = -ENOMEM;
1da177e4
LT		 4589 goto error;
4590 }
4591
4592 err = hci_register_proto(&l2cap_hci_proto);
4593 if (err < 0) {
4594 BT_ERR("L2CAP protocol registration failed");
4595 bt_sock_unregister(BTPROTO_L2CAP);
4596 goto error;
4597 }
4598
aef7d97c
MH		 4599 if (bt_debugfs) {
4600 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
4601 bt_debugfs, NULL, &l2cap_debugfs_fops);
4602 if (!l2cap_debugfs)
4603 BT_ERR("Failed to create L2CAP debug file");
4604 }
1da177e4
LT		 4605
4606 BT_INFO("L2CAP ver %s", VERSION);
4607 BT_INFO("L2CAP socket layer initialized");
4608
4609 return 0;
4610
4611error:
b78d7b4f 4612 destroy_workqueue(_busy_wq);
bb58f747 4613 l2cap_cleanup_sockets();
1da177e4
LT		 4614 return err;
4615}
4616
4617static void __exit l2cap_exit(void)
4618{
aef7d97c 4619 debugfs_remove(l2cap_debugfs);
1da177e4 4620
1890d36b
GP		 4621 flush_workqueue(_busy_wq);
4622 destroy_workqueue(_busy_wq);
4623
1da177e4
LT		 4624 if (hci_unregister_proto(&l2cap_hci_proto) < 0)
4625 BT_ERR("L2CAP protocol unregistration failed");
4626
bb58f747 4627 l2cap_cleanup_sockets();
1da177e4
LT		 4628}
4629
4630void l2cap_load(void)
4631{
4632 /* Dummy function to trigger automatic L2CAP module loading by
4633 * other modules that use L2CAP sockets but don't use any other
4634 * symbols from it. */
1da177e4
LT		 4635}
4636EXPORT_SYMBOL(l2cap_load);
4637
4638module_init(l2cap_init);
4639module_exit(l2cap_exit);
4640
d1c4a17d
GP		 4641module_param(disable_ertm, bool, 0644);
4642MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
44dd46de 4643
63fbd24e 4644MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
1da177e4
LT		 4645MODULE_DESCRIPTION("Bluetooth L2CAP ver " VERSION);
4646MODULE_VERSION(VERSION);
4647MODULE_LICENSE("GPL");
4648MODULE_ALIAS("bt-proto-0");
Ubuntu Artful kernel mirror