projects / deliverable / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Add le16 macro to Retransmission and Monitor Timeouts values
[deliverable/linux.git] / net / bluetooth / l2cap.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4
5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License version 2 as
9 published by the Free Software Foundation;
10
11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19
8e87d142
YH		 20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 22 SOFTWARE IS DISCLAIMED.
23*/
24
25/* Bluetooth L2CAP core and sockets. */
26
1da177e4
LT		 27#include <linux/module.h>
28
29#include <linux/types.h>
4fc268d2 30#include <linux/capability.h>
1da177e4
LT		 31#include <linux/errno.h>
32#include <linux/kernel.h>
1da177e4
LT		 33#include <linux/sched.h>
34#include <linux/slab.h>
35#include <linux/poll.h>
36#include <linux/fcntl.h>
37#include <linux/init.h>
38#include <linux/interrupt.h>
39#include <linux/socket.h>
40#include <linux/skbuff.h>
1da177e4 41#include <linux/list.h>
be9d1227 42#include <linux/device.h>
aef7d97c
MH		 43#include <linux/debugfs.h>
44#include <linux/seq_file.h>
af05b30b 45#include <linux/uaccess.h>
fcc203c3 46#include <linux/crc16.h>
1da177e4
LT		 47#include <net/sock.h>
48
49#include <asm/system.h>
1da177e4
LT		 50#include <asm/unaligned.h>
51
52#include <net/bluetooth/bluetooth.h>
53#include <net/bluetooth/hci_core.h>
54#include <net/bluetooth/l2cap.h>
55
44dd46de
MH		 56#define VERSION "2.14"
57
58static int enable_ertm = 0;
5fbcd3d1 59static int max_transmit = L2CAP_DEFAULT_MAX_TX;
f0709e03 60
47ec1dcd 61static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
e1027a7c 62static u8 l2cap_fixed_chan[8] = { 0x02, };
1da177e4 63
90ddc4f0 64static const struct proto_ops l2cap_sock_ops;
1da177e4
LT		 65
66static struct bt_sock_list l2cap_sk_list = {
d5fb2962 67 .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
1da177e4
LT		 68};
69
1da177e4
LT		 70static void __l2cap_sock_close(struct sock *sk, int reason);
71static void l2cap_sock_close(struct sock *sk);
72static void l2cap_sock_kill(struct sock *sk);
73
74static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
75 u8 code, u8 ident, u16 dlen, void *data);
76
77/* ---- L2CAP timers ---- */
78static void l2cap_sock_timeout(unsigned long arg)
79{
80 struct sock *sk = (struct sock *) arg;
b1235d79 81 int reason;
1da177e4
LT		 82
83 BT_DBG("sock %p state %d", sk, sk->sk_state);
84
85 bh_lock_sock(sk);
b1235d79 86
f62e4323
MH		 87 if (sk->sk_state == BT_CONNECTED || sk->sk_state == BT_CONFIG)
88 reason = ECONNREFUSED;
89 else if (sk->sk_state == BT_CONNECT &&
2af6b9d5 90 l2cap_pi(sk)->sec_level != BT_SECURITY_SDP)
b1235d79
MH		 91 reason = ECONNREFUSED;
92 else
93 reason = ETIMEDOUT;
94
95 __l2cap_sock_close(sk, reason);
96
1da177e4
LT		 97 bh_unlock_sock(sk);
98
99 l2cap_sock_kill(sk);
100 sock_put(sk);
101}
102
103static void l2cap_sock_set_timer(struct sock *sk, long timeout)
104{
105 BT_DBG("sk %p state %d timeout %ld", sk, sk->sk_state, timeout);
106 sk_reset_timer(sk, &sk->sk_timer, jiffies + timeout);
107}
108
109static void l2cap_sock_clear_timer(struct sock *sk)
110{
111 BT_DBG("sock %p state %d", sk, sk->sk_state);
112 sk_stop_timer(sk, &sk->sk_timer);
113}
114
0139418c
MH		 115/* ---- L2CAP channels ---- */
116static struct sock *__l2cap_get_chan_by_dcid(struct l2cap_chan_list *l, u16 cid)
117{
118 struct sock *s;
119 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
120 if (l2cap_pi(s)->dcid == cid)
121 break;
122 }
123 return s;
124}
125
126static struct sock *__l2cap_get_chan_by_scid(struct l2cap_chan_list *l, u16 cid)
127{
128 struct sock *s;
129 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
130 if (l2cap_pi(s)->scid == cid)
131 break;
132 }
133 return s;
134}
135
136/* Find channel with given SCID.
137 * Returns locked socket */
138static inline struct sock *l2cap_get_chan_by_scid(struct l2cap_chan_list *l, u16 cid)
139{
140 struct sock *s;
141 read_lock(&l->lock);
142 s = __l2cap_get_chan_by_scid(l, cid);
af05b30b
GP		 143 if (s)
144 bh_lock_sock(s);
0139418c
MH		 145 read_unlock(&l->lock);
146 return s;
147}
148
149static struct sock *__l2cap_get_chan_by_ident(struct l2cap_chan_list *l, u8 ident)
150{
151 struct sock *s;
152 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
153 if (l2cap_pi(s)->ident == ident)
154 break;
155 }
156 return s;
157}
158
159static inline struct sock *l2cap_get_chan_by_ident(struct l2cap_chan_list *l, u8 ident)
160{
161 struct sock *s;
162 read_lock(&l->lock);
163 s = __l2cap_get_chan_by_ident(l, ident);
af05b30b
GP		 164 if (s)
165 bh_lock_sock(s);
0139418c
MH		 166 read_unlock(&l->lock);
167 return s;
168}
169
170static u16 l2cap_alloc_cid(struct l2cap_chan_list *l)
171{
8db4dc46 172 u16 cid = L2CAP_CID_DYN_START;
0139418c 173
8db4dc46 174 for (; cid < L2CAP_CID_DYN_END; cid++) {
af05b30b 175 if (!__l2cap_get_chan_by_scid(l, cid))
0139418c
MH		 176 return cid;
177 }
178
179 return 0;
180}
181
182static inline void __l2cap_chan_link(struct l2cap_chan_list *l, struct sock *sk)
183{
184 sock_hold(sk);
185
186 if (l->head)
187 l2cap_pi(l->head)->prev_c = sk;
188
189 l2cap_pi(sk)->next_c = l->head;
190 l2cap_pi(sk)->prev_c = NULL;
191 l->head = sk;
192}
193
194static inline void l2cap_chan_unlink(struct l2cap_chan_list *l, struct sock *sk)
195{
196 struct sock *next = l2cap_pi(sk)->next_c, *prev = l2cap_pi(sk)->prev_c;
197
fd1278d7 198 write_lock_bh(&l->lock);
0139418c
MH		 199 if (sk == l->head)
200 l->head = next;
201
202 if (next)
203 l2cap_pi(next)->prev_c = prev;
204 if (prev)
205 l2cap_pi(prev)->next_c = next;
fd1278d7 206 write_unlock_bh(&l->lock);
0139418c
MH		 207
208 __sock_put(sk);
209}
210
211static void __l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent)
212{
213 struct l2cap_chan_list *l = &conn->chan_list;
214
af05b30b
GP		 215 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
216 l2cap_pi(sk)->psm, l2cap_pi(sk)->dcid);
0139418c 217
2950f21a
MH		 218 conn->disc_reason = 0x13;
219
0139418c
MH		 220 l2cap_pi(sk)->conn = conn;
221
222 if (sk->sk_type == SOCK_SEQPACKET) {
223 /* Alloc CID for connection-oriented socket */
224 l2cap_pi(sk)->scid = l2cap_alloc_cid(l);
225 } else if (sk->sk_type == SOCK_DGRAM) {
226 /* Connectionless socket */
8db4dc46
GP		 227 l2cap_pi(sk)->scid = L2CAP_CID_CONN_LESS;
228 l2cap_pi(sk)->dcid = L2CAP_CID_CONN_LESS;
0139418c
MH		 229 l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU;
230 } else {
231 /* Raw socket can send/recv signalling messages only */
8db4dc46
GP		 232 l2cap_pi(sk)->scid = L2CAP_CID_SIGNALING;
233 l2cap_pi(sk)->dcid = L2CAP_CID_SIGNALING;
0139418c
MH		 234 l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU;
235 }
236
237 __l2cap_chan_link(l, sk);
238
239 if (parent)
240 bt_accept_enqueue(parent, sk);
241}
242
8e87d142 243/* Delete channel.
0139418c
MH		 244 * Must be called on the locked socket. */
245static void l2cap_chan_del(struct sock *sk, int err)
246{
247 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
248 struct sock *parent = bt_sk(sk)->parent;
249
250 l2cap_sock_clear_timer(sk);
251
252 BT_DBG("sk %p, conn %p, err %d", sk, conn, err);
253
8e87d142 254 if (conn) {
0139418c
MH		 255 /* Unlink from channel list */
256 l2cap_chan_unlink(&conn->chan_list, sk);
257 l2cap_pi(sk)->conn = NULL;
258 hci_conn_put(conn->hcon);
259 }
260
b1235d79 261 sk->sk_state = BT_CLOSED;
0139418c
MH		 262 sock_set_flag(sk, SOCK_ZAPPED);
263
264 if (err)
265 sk->sk_err = err;
266
267 if (parent) {
268 bt_accept_unlink(sk);
269 parent->sk_data_ready(parent, 0);
270 } else
271 sk->sk_state_change(sk);
272}
273
79d554a6 274/* Service level security */
2af6b9d5 275static inline int l2cap_check_security(struct sock *sk)
79d554a6
MH		 276{
277 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
0684e5f9
MH		 278 __u8 auth_type;
279
00ae4af9
MH		 280 if (l2cap_pi(sk)->psm == cpu_to_le16(0x0001)) {
281 if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
282 auth_type = HCI_AT_NO_BONDING_MITM;
283 else
af05b30b 284 auth_type = HCI_AT_NO_BONDING;
00ae4af9
MH		 285
286 if (l2cap_pi(sk)->sec_level == BT_SECURITY_LOW)
287 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
288 } else {
289 switch (l2cap_pi(sk)->sec_level) {
290 case BT_SECURITY_HIGH:
291 auth_type = HCI_AT_GENERAL_BONDING_MITM;
292 break;
293 case BT_SECURITY_MEDIUM:
294 auth_type = HCI_AT_GENERAL_BONDING;
295 break;
296 default:
297 auth_type = HCI_AT_NO_BONDING;
298 break;
299 }
0684e5f9 300 }
79d554a6 301
0684e5f9
MH		 302 return hci_conn_security(conn->hcon, l2cap_pi(sk)->sec_level,
303 auth_type);
79d554a6
MH		 304}
305
4e8402a3
MH		 306static inline u8 l2cap_get_ident(struct l2cap_conn *conn)
307{
308 u8 id;
309
310 /* Get next available identificator.
311 * 1 - 128 are used by kernel.
312 * 129 - 199 are reserved.
313 * 200 - 254 are used by utilities like l2ping, etc.
314 */
315
316 spin_lock_bh(&conn->lock);
317
318 if (++conn->tx_ident > 128)
319 conn->tx_ident = 1;
320
321 id = conn->tx_ident;
322
323 spin_unlock_bh(&conn->lock);
324
325 return id;
326}
327
328static inline int l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
329{
330 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
331
332 BT_DBG("code 0x%2.2x", code);
333
334 if (!skb)
335 return -ENOMEM;
336
337 return hci_send_acl(conn->hcon, skb, 0);
338}
339
1c2acffb
GP		 340static inline int l2cap_send_sframe(struct l2cap_pinfo *pi, u16 control)
341{
342 struct sk_buff *skb;
343 struct l2cap_hdr *lh;
344 struct l2cap_conn *conn = pi->conn;
fcc203c3
GP		 345 int count, hlen = L2CAP_HDR_SIZE + 2;
346
347 if (pi->fcs == L2CAP_FCS_CRC16)
348 hlen += 2;
1c2acffb
GP		 349
350 BT_DBG("pi %p, control 0x%2.2x", pi, control);
351
fcc203c3 352 count = min_t(unsigned int, conn->mtu, hlen);
1c2acffb
GP		 353 control |= L2CAP_CTRL_FRAME_TYPE;
354
9e917af1
GP		 355 if (pi->conn_state & L2CAP_CONN_SEND_FBIT) {
356 control |= L2CAP_CTRL_FINAL;
357 pi->conn_state &= ~L2CAP_CONN_SEND_FBIT;
358 }
359
f0946ccf
GP		 360 if (pi->conn_state & L2CAP_CONN_SEND_PBIT) {
361 control |= L2CAP_CTRL_POLL;
362 pi->conn_state &= ~L2CAP_CONN_SEND_PBIT;
363 }
364
1c2acffb
GP		 365 skb = bt_skb_alloc(count, GFP_ATOMIC);
366 if (!skb)
367 return -ENOMEM;
368
369 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fcc203c3 370 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
1c2acffb
GP		 371 lh->cid = cpu_to_le16(pi->dcid);
372 put_unaligned_le16(control, skb_put(skb, 2));
373
fcc203c3
GP		 374 if (pi->fcs == L2CAP_FCS_CRC16) {
375 u16 fcs = crc16(0, (u8 *)lh, count - 2);
376 put_unaligned_le16(fcs, skb_put(skb, 2));
377 }
378
1c2acffb
GP		 379 return hci_send_acl(pi->conn->hcon, skb, 0);
380}
381
7e743090
GP		 382static inline int l2cap_send_rr_or_rnr(struct l2cap_pinfo *pi, u16 control)
383{
384 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY)
385 control |= L2CAP_SUPER_RCV_NOT_READY;
386 else
387 control |= L2CAP_SUPER_RCV_READY;
388
2ab25cdd
GP		 389 control |= pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
390
7e743090
GP		 391 return l2cap_send_sframe(pi, control);
392}
393
79d554a6
MH		 394static void l2cap_do_start(struct sock *sk)
395{
396 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
397
398 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 399 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
400 return;
401
2af6b9d5 402 if (l2cap_check_security(sk)) {
b1235d79
MH		 403 struct l2cap_conn_req req;
404 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
405 req.psm = l2cap_pi(sk)->psm;
79d554a6 406
b1235d79 407 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
79d554a6 408
b1235d79 409 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
79d554a6 410 L2CAP_CONN_REQ, sizeof(req), &req);
b1235d79 411 }
79d554a6
MH		 412 } else {
413 struct l2cap_info_req req;
414 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
415
416 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
417 conn->info_ident = l2cap_get_ident(conn);
418
419 mod_timer(&conn->info_timer, jiffies +
420 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
421
422 l2cap_send_cmd(conn, conn->info_ident,
423 L2CAP_INFO_REQ, sizeof(req), &req);
424 }
425}
426
22121fc9
GP		 427static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct sock *sk)
428{
429 struct l2cap_disconn_req req;
430
431 req.dcid = cpu_to_le16(l2cap_pi(sk)->dcid);
432 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
433 l2cap_send_cmd(conn, l2cap_get_ident(conn),
434 L2CAP_DISCONN_REQ, sizeof(req), &req);
435}
436
1da177e4 437/* ---- L2CAP connections ---- */
4e8402a3
MH		 438static void l2cap_conn_start(struct l2cap_conn *conn)
439{
440 struct l2cap_chan_list *l = &conn->chan_list;
441 struct sock *sk;
442
443 BT_DBG("conn %p", conn);
444
445 read_lock(&l->lock);
446
447 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
448 bh_lock_sock(sk);
449
450 if (sk->sk_type != SOCK_SEQPACKET) {
79d554a6
MH		 451 bh_unlock_sock(sk);
452 continue;
453 }
454
455 if (sk->sk_state == BT_CONNECT) {
2af6b9d5 456 if (l2cap_check_security(sk)) {
b1235d79
MH		 457 struct l2cap_conn_req req;
458 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
459 req.psm = l2cap_pi(sk)->psm;
79d554a6 460
b1235d79 461 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
79d554a6 462
b1235d79 463 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
4e8402a3 464 L2CAP_CONN_REQ, sizeof(req), &req);
b1235d79 465 }
79d554a6
MH		 466 } else if (sk->sk_state == BT_CONNECT2) {
467 struct l2cap_conn_rsp rsp;
468 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
469 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
470
2af6b9d5 471 if (l2cap_check_security(sk)) {
f66dc81f
MH		 472 if (bt_sk(sk)->defer_setup) {
473 struct sock *parent = bt_sk(sk)->parent;
474 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
475 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
476 parent->sk_data_ready(parent, 0);
477
478 } else {
479 sk->sk_state = BT_CONFIG;
480 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
481 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
482 }
79d554a6
MH		 483 } else {
484 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
485 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
486 }
487
488 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
489 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
4e8402a3
MH		 490 }
491
492 bh_unlock_sock(sk);
493 }
494
495 read_unlock(&l->lock);
496}
497
498static void l2cap_conn_ready(struct l2cap_conn *conn)
499{
79d554a6
MH		 500 struct l2cap_chan_list *l = &conn->chan_list;
501 struct sock *sk;
4e8402a3 502
79d554a6 503 BT_DBG("conn %p", conn);
4e8402a3 504
79d554a6 505 read_lock(&l->lock);
4e8402a3 506
79d554a6
MH		 507 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
508 bh_lock_sock(sk);
4e8402a3 509
79d554a6
MH		 510 if (sk->sk_type != SOCK_SEQPACKET) {
511 l2cap_sock_clear_timer(sk);
512 sk->sk_state = BT_CONNECTED;
513 sk->sk_state_change(sk);
514 } else if (sk->sk_state == BT_CONNECT)
515 l2cap_do_start(sk);
4e8402a3 516
79d554a6 517 bh_unlock_sock(sk);
4e8402a3 518 }
79d554a6
MH		 519
520 read_unlock(&l->lock);
4e8402a3
MH		 521}
522
523/* Notify sockets that we cannot guaranty reliability anymore */
524static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
525{
526 struct l2cap_chan_list *l = &conn->chan_list;
527 struct sock *sk;
528
529 BT_DBG("conn %p", conn);
530
531 read_lock(&l->lock);
532
533 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
2af6b9d5 534 if (l2cap_pi(sk)->force_reliable)
4e8402a3
MH		 535 sk->sk_err = err;
536 }
537
538 read_unlock(&l->lock);
539}
540
541static void l2cap_info_timeout(unsigned long arg)
542{
543 struct l2cap_conn *conn = (void *) arg;
544
984947dc 545 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 546 conn->info_ident = 0;
984947dc 547
4e8402a3
MH		 548 l2cap_conn_start(conn);
549}
550
1da177e4
LT		 551static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
552{
0139418c 553 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4 554
0139418c 555 if (conn || status)
1da177e4
LT		 556 return conn;
557
0139418c
MH		 558 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
559 if (!conn)
1da177e4 560 return NULL;
1da177e4
LT		 561
562 hcon->l2cap_data = conn;
563 conn->hcon = hcon;
564
0139418c
MH		 565 BT_DBG("hcon %p conn %p", hcon, conn);
566
1da177e4
LT		 567 conn->mtu = hcon->hdev->acl_mtu;
568 conn->src = &hcon->hdev->bdaddr;
569 conn->dst = &hcon->dst;
570
4e8402a3
MH		 571 conn->feat_mask = 0;
572
1da177e4
LT		 573 spin_lock_init(&conn->lock);
574 rwlock_init(&conn->chan_list.lock);
575
45054dc1
DY		 576 setup_timer(&conn->info_timer, l2cap_info_timeout,
577 (unsigned long) conn);
578
2950f21a
MH		 579 conn->disc_reason = 0x13;
580
1da177e4
LT		 581 return conn;
582}
583
0139418c 584static void l2cap_conn_del(struct hci_conn *hcon, int err)
1da177e4 585{
0139418c 586 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4
LT		 587 struct sock *sk;
588
0139418c
MH		 589 if (!conn)
590 return;
1da177e4
LT		 591
592 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
593
7585b97a 594 kfree_skb(conn->rx_skb);
1da177e4
LT		 595
596 /* Kill channels */
597 while ((sk = conn->chan_list.head)) {
598 bh_lock_sock(sk);
599 l2cap_chan_del(sk, err);
600 bh_unlock_sock(sk);
601 l2cap_sock_kill(sk);
602 }
603
8e8440f5
DY		 604 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
605 del_timer_sync(&conn->info_timer);
3ab22731 606
1da177e4
LT		 607 hcon->l2cap_data = NULL;
608 kfree(conn);
1da177e4
LT		 609}
610
611static inline void l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent)
612{
613 struct l2cap_chan_list *l = &conn->chan_list;
fd1278d7 614 write_lock_bh(&l->lock);
1da177e4 615 __l2cap_chan_add(conn, sk, parent);
fd1278d7 616 write_unlock_bh(&l->lock);
1da177e4
LT		 617}
618
1da177e4 619/* ---- Socket interface ---- */
8e036fc3 620static struct sock *__l2cap_get_sock_by_addr(__le16 psm, bdaddr_t *src)
1da177e4
LT		 621{
622 struct sock *sk;
623 struct hlist_node *node;
624 sk_for_each(sk, node, &l2cap_sk_list.head)
625 if (l2cap_pi(sk)->sport == psm && !bacmp(&bt_sk(sk)->src, src))
626 goto found;
627 sk = NULL;
628found:
629 return sk;
630}
631
632/* Find socket with psm and source bdaddr.
633 * Returns closest match.
634 */
8e036fc3 635static struct sock *__l2cap_get_sock_by_psm(int state, __le16 psm, bdaddr_t *src)
1da177e4
LT		 636{
637 struct sock *sk = NULL, *sk1 = NULL;
638 struct hlist_node *node;
639
640 sk_for_each(sk, node, &l2cap_sk_list.head) {
641 if (state && sk->sk_state != state)
642 continue;
643
644 if (l2cap_pi(sk)->psm == psm) {
645 /* Exact match. */
646 if (!bacmp(&bt_sk(sk)->src, src))
647 break;
648
649 /* Closest match */
650 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
651 sk1 = sk;
652 }
653 }
654 return node ? sk : sk1;
655}
656
657/* Find socket with given address (psm, src).
658 * Returns locked socket */
8e036fc3 659static inline struct sock *l2cap_get_sock_by_psm(int state, __le16 psm, bdaddr_t *src)
1da177e4
LT		 660{
661 struct sock *s;
662 read_lock(&l2cap_sk_list.lock);
663 s = __l2cap_get_sock_by_psm(state, psm, src);
af05b30b
GP		 664 if (s)
665 bh_lock_sock(s);
1da177e4
LT		 666 read_unlock(&l2cap_sk_list.lock);
667 return s;
668}
669
670static void l2cap_sock_destruct(struct sock *sk)
671{
672 BT_DBG("sk %p", sk);
673
674 skb_queue_purge(&sk->sk_receive_queue);
675 skb_queue_purge(&sk->sk_write_queue);
676}
677
678static void l2cap_sock_cleanup_listen(struct sock *parent)
679{
680 struct sock *sk;
681
682 BT_DBG("parent %p", parent);
683
684 /* Close not yet accepted channels */
685 while ((sk = bt_accept_dequeue(parent, NULL)))
686 l2cap_sock_close(sk);
687
b1235d79 688 parent->sk_state = BT_CLOSED;
1da177e4
LT		 689 sock_set_flag(parent, SOCK_ZAPPED);
690}
691
692/* Kill socket (only if zapped and orphan)
693 * Must be called on unlocked socket.
694 */
695static void l2cap_sock_kill(struct sock *sk)
696{
697 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
698 return;
699
700 BT_DBG("sk %p state %d", sk, sk->sk_state);
701
702 /* Kill poor orphan */
703 bt_sock_unlink(&l2cap_sk_list, sk);
704 sock_set_flag(sk, SOCK_DEAD);
705 sock_put(sk);
706}
707
708static void __l2cap_sock_close(struct sock *sk, int reason)
709{
710 BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
711
712 switch (sk->sk_state) {
713 case BT_LISTEN:
714 l2cap_sock_cleanup_listen(sk);
715 break;
716
717 case BT_CONNECTED:
718 case BT_CONFIG:
1da177e4
LT		 719 if (sk->sk_type == SOCK_SEQPACKET) {
720 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1da177e4
LT		 721
722 sk->sk_state = BT_DISCONN;
723 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
22121fc9 724 l2cap_send_disconn_req(conn, sk);
b1235d79 725 } else
1da177e4 726 l2cap_chan_del(sk, reason);
1da177e4
LT		 727 break;
728
f66dc81f
MH		 729 case BT_CONNECT2:
730 if (sk->sk_type == SOCK_SEQPACKET) {
731 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
732 struct l2cap_conn_rsp rsp;
733 __u16 result;
734
735 if (bt_sk(sk)->defer_setup)
736 result = L2CAP_CR_SEC_BLOCK;
737 else
738 result = L2CAP_CR_BAD_PSM;
739
740 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
741 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
742 rsp.result = cpu_to_le16(result);
743 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
744 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
745 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
746 } else
747 l2cap_chan_del(sk, reason);
748 break;
749
1da177e4
LT		 750 case BT_CONNECT:
751 case BT_DISCONN:
752 l2cap_chan_del(sk, reason);
753 break;
754
755 default:
756 sock_set_flag(sk, SOCK_ZAPPED);
757 break;
758 }
759}
760
761/* Must be called on unlocked socket. */
762static void l2cap_sock_close(struct sock *sk)
763{
764 l2cap_sock_clear_timer(sk);
765 lock_sock(sk);
766 __l2cap_sock_close(sk, ECONNRESET);
767 release_sock(sk);
768 l2cap_sock_kill(sk);
769}
770
771static void l2cap_sock_init(struct sock *sk, struct sock *parent)
772{
773 struct l2cap_pinfo *pi = l2cap_pi(sk);
774
775 BT_DBG("sk %p", sk);
776
777 if (parent) {
778 sk->sk_type = parent->sk_type;
f66dc81f
MH		 779 bt_sk(sk)->defer_setup = bt_sk(parent)->defer_setup;
780
1da177e4
LT		 781 pi->imtu = l2cap_pi(parent)->imtu;
782 pi->omtu = l2cap_pi(parent)->omtu;
c6b03cf9
MH		 783 pi->mode = l2cap_pi(parent)->mode;
784 pi->fcs = l2cap_pi(parent)->fcs;
2af6b9d5
MH		 785 pi->sec_level = l2cap_pi(parent)->sec_level;
786 pi->role_switch = l2cap_pi(parent)->role_switch;
787 pi->force_reliable = l2cap_pi(parent)->force_reliable;
1da177e4
LT		 788 } else {
789 pi->imtu = L2CAP_DEFAULT_MTU;
790 pi->omtu = 0;
c6b03cf9
MH		 791 pi->mode = L2CAP_MODE_BASIC;
792 pi->fcs = L2CAP_FCS_CRC16;
2af6b9d5
MH		 793 pi->sec_level = BT_SECURITY_LOW;
794 pi->role_switch = 0;
795 pi->force_reliable = 0;
1da177e4
LT		 796 }
797
798 /* Default config options */
5dee9e7c 799 pi->conf_len = 0;
1da177e4 800 pi->flush_to = L2CAP_DEFAULT_FLUSH_TO;
45054dc1
DY		 801 skb_queue_head_init(TX_QUEUE(sk));
802 skb_queue_head_init(SREJ_QUEUE(sk));
803 INIT_LIST_HEAD(SREJ_LIST(sk));
1da177e4
LT		 804}
805
806static struct proto l2cap_proto = {
807 .name = "L2CAP",
808 .owner = THIS_MODULE,
809 .obj_size = sizeof(struct l2cap_pinfo)
810};
811
1b8d7ae4 812static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio)
1da177e4
LT		 813{
814 struct sock *sk;
815
6257ff21 816 sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto);
1da177e4
LT		 817 if (!sk)
818 return NULL;
819
820 sock_init_data(sock, sk);
821 INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
822
823 sk->sk_destruct = l2cap_sock_destruct;
4e8402a3 824 sk->sk_sndtimeo = msecs_to_jiffies(L2CAP_CONN_TIMEOUT);
1da177e4
LT		 825
826 sock_reset_flag(sk, SOCK_ZAPPED);
827
828 sk->sk_protocol = proto;
b1235d79 829 sk->sk_state = BT_OPEN;
1da177e4 830
b1235d79 831 setup_timer(&sk->sk_timer, l2cap_sock_timeout, (unsigned long) sk);
1da177e4
LT		 832
833 bt_sock_link(&l2cap_sk_list, sk);
834 return sk;
835}
836
3f378b68
EP		 837static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
838 int kern)
1da177e4
LT		 839{
840 struct sock *sk;
841
842 BT_DBG("sock %p", sock);
843
844 sock->state = SS_UNCONNECTED;
845
846 if (sock->type != SOCK_SEQPACKET &&
847 sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
848 return -ESOCKTNOSUPPORT;
849
c84b3268 850 if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
1da177e4
LT		 851 return -EPERM;
852
853 sock->ops = &l2cap_sock_ops;
854
1b8d7ae4 855 sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC);
1da177e4
LT		 856 if (!sk)
857 return -ENOMEM;
858
859 l2cap_sock_init(sk, NULL);
860 return 0;
861}
862
f29972de 863static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
1da177e4 864{
1da177e4 865 struct sock *sk = sock->sk;
f29972de
MH		 866 struct sockaddr_l2 la;
867 int len, err = 0;
1da177e4 868
f29972de 869 BT_DBG("sk %p", sk);
1da177e4
LT		 870
871 if (!addr || addr->sa_family != AF_BLUETOOTH)
872 return -EINVAL;
873
f29972de
MH		 874 memset(&la, 0, sizeof(la));
875 len = min_t(unsigned int, sizeof(la), alen);
876 memcpy(&la, addr, len);
877
2a517ca6
MH		 878 if (la.l2_cid)
879 return -EINVAL;
880
1da177e4
LT		 881 lock_sock(sk);
882
883 if (sk->sk_state != BT_OPEN) {
884 err = -EBADFD;
885 goto done;
886 }
887
b4324b5d 888 if (la.l2_psm && __le16_to_cpu(la.l2_psm) < 0x1001 &&
847641d7
MH		 889 !capable(CAP_NET_BIND_SERVICE)) {
890 err = -EACCES;
891 goto done;
892 }
8e87d142 893
1da177e4
LT		 894 write_lock_bh(&l2cap_sk_list.lock);
895
f29972de 896 if (la.l2_psm && __l2cap_get_sock_by_addr(la.l2_psm, &la.l2_bdaddr)) {
1da177e4
LT		 897 err = -EADDRINUSE;
898 } else {
899 /* Save source address */
f29972de
MH		 900 bacpy(&bt_sk(sk)->src, &la.l2_bdaddr);
901 l2cap_pi(sk)->psm = la.l2_psm;
902 l2cap_pi(sk)->sport = la.l2_psm;
1da177e4 903 sk->sk_state = BT_BOUND;
2af6b9d5 904
b4324b5d
MH		 905 if (__le16_to_cpu(la.l2_psm) == 0x0001 ||
906 __le16_to_cpu(la.l2_psm) == 0x0003)
2af6b9d5 907 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
1da177e4
LT		 908 }
909
910 write_unlock_bh(&l2cap_sk_list.lock);
911
912done:
913 release_sock(sk);
914 return err;
915}
916
917static int l2cap_do_connect(struct sock *sk)
918{
919 bdaddr_t *src = &bt_sk(sk)->src;
920 bdaddr_t *dst = &bt_sk(sk)->dst;
921 struct l2cap_conn *conn;
922 struct hci_conn *hcon;
923 struct hci_dev *hdev;
09ab6f4c 924 __u8 auth_type;
44d0e48e 925 int err;
1da177e4 926
f29972de
MH		 927 BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
928 l2cap_pi(sk)->psm);
1da177e4 929
af05b30b
GP		 930 hdev = hci_get_route(dst, src);
931 if (!hdev)
1da177e4
LT		 932 return -EHOSTUNREACH;
933
934 hci_dev_lock_bh(hdev);
935
936 err = -ENOMEM;
937
8c1b2355 938 if (sk->sk_type == SOCK_RAW) {
2af6b9d5
MH		 939 switch (l2cap_pi(sk)->sec_level) {
940 case BT_SECURITY_HIGH:
8c1b2355 941 auth_type = HCI_AT_DEDICATED_BONDING_MITM;
2af6b9d5
MH		 942 break;
943 case BT_SECURITY_MEDIUM:
8c1b2355 944 auth_type = HCI_AT_DEDICATED_BONDING;
2af6b9d5
MH		 945 break;
946 default:
09ab6f4c 947 auth_type = HCI_AT_NO_BONDING;
2af6b9d5
MH		 948 break;
949 }
8c1b2355 950 } else if (l2cap_pi(sk)->psm == cpu_to_le16(0x0001)) {
2af6b9d5 951 if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
8c1b2355 952 auth_type = HCI_AT_NO_BONDING_MITM;
09ab6f4c 953 else
8c1b2355 954 auth_type = HCI_AT_NO_BONDING;
435fef20
MH		 955
956 if (l2cap_pi(sk)->sec_level == BT_SECURITY_LOW)
957 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
8c1b2355 958 } else {
2af6b9d5
MH		 959 switch (l2cap_pi(sk)->sec_level) {
960 case BT_SECURITY_HIGH:
8c1b2355 961 auth_type = HCI_AT_GENERAL_BONDING_MITM;
2af6b9d5
MH		 962 break;
963 case BT_SECURITY_MEDIUM:
09ab6f4c 964 auth_type = HCI_AT_GENERAL_BONDING;
2af6b9d5
MH		 965 break;
966 default:
8c1b2355 967 auth_type = HCI_AT_NO_BONDING;
2af6b9d5
MH		 968 break;
969 }
09ab6f4c
MH		 970 }
971
2af6b9d5
MH		 972 hcon = hci_connect(hdev, ACL_LINK, dst,
973 l2cap_pi(sk)->sec_level, auth_type);
1da177e4
LT		 974 if (!hcon)
975 goto done;
976
977 conn = l2cap_conn_add(hcon, 0);
978 if (!conn) {
979 hci_conn_put(hcon);
980 goto done;
981 }
982
983 err = 0;
984
985 /* Update source addr of the socket */
986 bacpy(src, conn->src);
987
988 l2cap_chan_add(conn, sk, NULL);
989
990 sk->sk_state = BT_CONNECT;
991 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
992
993 if (hcon->state == BT_CONNECTED) {
79d554a6 994 if (sk->sk_type != SOCK_SEQPACKET) {
1da177e4
LT		 995 l2cap_sock_clear_timer(sk);
996 sk->sk_state = BT_CONNECTED;
79d554a6
MH		 997 } else
998 l2cap_do_start(sk);
1da177e4
LT		 999 }
1000
1001done:
1002 hci_dev_unlock_bh(hdev);
1003 hci_dev_put(hdev);
1004 return err;
1005}
1006
1007static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags)
1008{
1da177e4 1009 struct sock *sk = sock->sk;
f29972de
MH		 1010 struct sockaddr_l2 la;
1011 int len, err = 0;
1da177e4 1012
1da177e4
LT		 1013 BT_DBG("sk %p", sk);
1014
6503d961
CG		 1015 if (!addr || alen < sizeof(addr->sa_family) ||
1016 addr->sa_family != AF_BLUETOOTH)
2a517ca6 1017 return -EINVAL;
1da177e4 1018
f29972de
MH		 1019 memset(&la, 0, sizeof(la));
1020 len = min_t(unsigned int, sizeof(la), alen);
1021 memcpy(&la, addr, len);
1022
2a517ca6
MH		 1023 if (la.l2_cid)
1024 return -EINVAL;
1025
1026 lock_sock(sk);
1027
f29972de 1028 if (sk->sk_type == SOCK_SEQPACKET && !la.l2_psm) {
1da177e4
LT		 1029 err = -EINVAL;
1030 goto done;
1031 }
1032
c6b03cf9
MH		 1033 switch (l2cap_pi(sk)->mode) {
1034 case L2CAP_MODE_BASIC:
1035 break;
1036 case L2CAP_MODE_ERTM:
f2fcfcd6 1037 case L2CAP_MODE_STREAMING:
c6b03cf9
MH		 1038 if (enable_ertm)
1039 break;
1040 /* fall through */
1041 default:
1042 err = -ENOTSUPP;
1043 goto done;
1044 }
1045
af05b30b 1046 switch (sk->sk_state) {
1da177e4
LT		 1047 case BT_CONNECT:
1048 case BT_CONNECT2:
1049 case BT_CONFIG:
1050 /* Already connecting */
1051 goto wait;
1052
1053 case BT_CONNECTED:
1054 /* Already connected */
1055 goto done;
1056
1057 case BT_OPEN:
1058 case BT_BOUND:
1059 /* Can connect */
1060 break;
1061
1062 default:
1063 err = -EBADFD;
1064 goto done;
1065 }
1066
1067 /* Set destination address and psm */
f29972de
MH		 1068 bacpy(&bt_sk(sk)->dst, &la.l2_bdaddr);
1069 l2cap_pi(sk)->psm = la.l2_psm;
1da177e4 1070
af05b30b
GP		 1071 err = l2cap_do_connect(sk);
1072 if (err)
1da177e4
LT		 1073 goto done;
1074
1075wait:
1076 err = bt_sock_wait_state(sk, BT_CONNECTED,
1077 sock_sndtimeo(sk, flags & O_NONBLOCK));
1078done:
1079 release_sock(sk);
1080 return err;
1081}
1082
1083static int l2cap_sock_listen(struct socket *sock, int backlog)
1084{
1085 struct sock *sk = sock->sk;
1086 int err = 0;
1087
1088 BT_DBG("sk %p backlog %d", sk, backlog);
1089
1090 lock_sock(sk);
1091
1092 if (sk->sk_state != BT_BOUND || sock->type != SOCK_SEQPACKET) {
1093 err = -EBADFD;
1094 goto done;
1095 }
1096
c6b03cf9
MH		 1097 switch (l2cap_pi(sk)->mode) {
1098 case L2CAP_MODE_BASIC:
1099 break;
1100 case L2CAP_MODE_ERTM:
f2fcfcd6 1101 case L2CAP_MODE_STREAMING:
c6b03cf9
MH		 1102 if (enable_ertm)
1103 break;
1104 /* fall through */
1105 default:
1106 err = -ENOTSUPP;
1107 goto done;
1108 }
1109
1da177e4
LT		 1110 if (!l2cap_pi(sk)->psm) {
1111 bdaddr_t *src = &bt_sk(sk)->src;
1112 u16 psm;
1113
1114 err = -EINVAL;
1115
1116 write_lock_bh(&l2cap_sk_list.lock);
1117
1118 for (psm = 0x1001; psm < 0x1100; psm += 2)
b4324b5d
MH		 1119 if (!__l2cap_get_sock_by_addr(cpu_to_le16(psm), src)) {
1120 l2cap_pi(sk)->psm = cpu_to_le16(psm);
1121 l2cap_pi(sk)->sport = cpu_to_le16(psm);
1da177e4
LT		 1122 err = 0;
1123 break;
1124 }
1125
1126 write_unlock_bh(&l2cap_sk_list.lock);
1127
1128 if (err < 0)
1129 goto done;
1130 }
1131
1132 sk->sk_max_ack_backlog = backlog;
1133 sk->sk_ack_backlog = 0;
1134 sk->sk_state = BT_LISTEN;
1135
1136done:
1137 release_sock(sk);
1138 return err;
1139}
1140
1141static int l2cap_sock_accept(struct socket *sock, struct socket *newsock, int flags)
1142{
1143 DECLARE_WAITQUEUE(wait, current);
1144 struct sock *sk = sock->sk, *nsk;
1145 long timeo;
1146 int err = 0;
1147
fcc70d5f 1148 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
1da177e4
LT		 1149
1150 if (sk->sk_state != BT_LISTEN) {
1151 err = -EBADFD;
1152 goto done;
1153 }
1154
1155 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
1156
1157 BT_DBG("sk %p timeo %ld", sk, timeo);
1158
1159 /* Wait for an incoming connection. (wake-one). */
aa395145 1160 add_wait_queue_exclusive(sk_sleep(sk), &wait);
1da177e4
LT		 1161 while (!(nsk = bt_accept_dequeue(sk, newsock))) {
1162 set_current_state(TASK_INTERRUPTIBLE);
1163 if (!timeo) {
1164 err = -EAGAIN;
1165 break;
1166 }
1167
1168 release_sock(sk);
1169 timeo = schedule_timeout(timeo);
fcc70d5f 1170 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
1da177e4
LT		 1171
1172 if (sk->sk_state != BT_LISTEN) {
1173 err = -EBADFD;
1174 break;
1175 }
1176
1177 if (signal_pending(current)) {
1178 err = sock_intr_errno(timeo);
1179 break;
1180 }
1181 }
1182 set_current_state(TASK_RUNNING);
aa395145 1183 remove_wait_queue(sk_sleep(sk), &wait);
1da177e4
LT		 1184
1185 if (err)
1186 goto done;
1187
1188 newsock->state = SS_CONNECTED;
1189
1190 BT_DBG("new socket %p", nsk);
1191
1192done:
1193 release_sock(sk);
1194 return err;
1195}
1196
1197static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr, int *len, int peer)
1198{
1199 struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
1200 struct sock *sk = sock->sk;
1201
1202 BT_DBG("sock %p, sk %p", sock, sk);
1203
1204 addr->sa_family = AF_BLUETOOTH;
1205 *len = sizeof(struct sockaddr_l2);
1206
f29972de
MH		 1207 if (peer) {
1208 la->l2_psm = l2cap_pi(sk)->psm;
1da177e4 1209 bacpy(&la->l2_bdaddr, &bt_sk(sk)->dst);
b4324b5d 1210 la->l2_cid = cpu_to_le16(l2cap_pi(sk)->dcid);
f29972de
MH		 1211 } else {
1212 la->l2_psm = l2cap_pi(sk)->sport;
1da177e4 1213 bacpy(&la->l2_bdaddr, &bt_sk(sk)->src);
b4324b5d 1214 la->l2_cid = cpu_to_le16(l2cap_pi(sk)->scid);
f29972de 1215 }
1da177e4 1216
1da177e4
LT		 1217 return 0;
1218}
1219
e90bac06
GP		 1220static void l2cap_monitor_timeout(unsigned long arg)
1221{
1222 struct sock *sk = (void *) arg;
1223 u16 control;
1224
e686219a 1225 bh_lock_sock(sk);
e90bac06
GP		 1226 if (l2cap_pi(sk)->retry_count >= l2cap_pi(sk)->remote_max_tx) {
1227 l2cap_send_disconn_req(l2cap_pi(sk)->conn, sk);
b13f5860 1228 bh_unlock_sock(sk);
e90bac06
GP		 1229 return;
1230 }
1231
1232 l2cap_pi(sk)->retry_count++;
1233 __mod_monitor_timer();
1234
1235 control = L2CAP_CTRL_POLL;
7e743090 1236 l2cap_send_rr_or_rnr(l2cap_pi(sk), control);
e686219a 1237 bh_unlock_sock(sk);
e90bac06
GP		 1238}
1239
1240static void l2cap_retrans_timeout(unsigned long arg)
1241{
1242 struct sock *sk = (void *) arg;
1243 u16 control;
1244
e686219a 1245 bh_lock_sock(sk);
e90bac06
GP		 1246 l2cap_pi(sk)->retry_count = 1;
1247 __mod_monitor_timer();
1248
1249 l2cap_pi(sk)->conn_state |= L2CAP_CONN_WAIT_F;
1250
1251 control = L2CAP_CTRL_POLL;
7e743090 1252 l2cap_send_rr_or_rnr(l2cap_pi(sk), control);
e686219a 1253 bh_unlock_sock(sk);
e90bac06
GP		 1254}
1255
1c2acffb 1256static void l2cap_drop_acked_frames(struct sock *sk)
1da177e4 1257{
1c2acffb 1258 struct sk_buff *skb;
1da177e4 1259
1c2acffb
GP		 1260 while ((skb = skb_peek(TX_QUEUE(sk)))) {
1261 if (bt_cb(skb)->tx_seq == l2cap_pi(sk)->expected_ack_seq)
1262 break;
1da177e4 1263
1c2acffb
GP		 1264 skb = skb_dequeue(TX_QUEUE(sk));
1265 kfree_skb(skb);
1da177e4 1266
1c2acffb
GP		 1267 l2cap_pi(sk)->unacked_frames--;
1268 }
1da177e4 1269
e90bac06
GP		 1270 if (!l2cap_pi(sk)->unacked_frames)
1271 del_timer(&l2cap_pi(sk)->retrans_timer);
1272
1c2acffb
GP		 1273 return;
1274}
1da177e4 1275
1c2acffb
GP		 1276static inline int l2cap_do_send(struct sock *sk, struct sk_buff *skb)
1277{
1278 struct l2cap_pinfo *pi = l2cap_pi(sk);
1279 int err;
1280
1281 BT_DBG("sk %p, skb %p len %d", sk, skb, skb->len);
1da177e4 1282
1c2acffb
GP		 1283 err = hci_send_acl(pi->conn->hcon, skb, 0);
1284 if (err < 0)
1285 kfree_skb(skb);
1286
1287 return err;
1288}
1289
6840ed07
GP		 1290static int l2cap_streaming_send(struct sock *sk)
1291{
1292 struct sk_buff *skb, *tx_skb;
1293 struct l2cap_pinfo *pi = l2cap_pi(sk);
fcc203c3 1294 u16 control, fcs;
6840ed07
GP		 1295 int err;
1296
1297 while ((skb = sk->sk_send_head)) {
1298 tx_skb = skb_clone(skb, GFP_ATOMIC);
1299
1300 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
1301 control |= pi->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT;
1302 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1303
e8235c6b 1304 if (pi->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 1305 fcs = crc16(0, (u8 *)tx_skb->data, tx_skb->len - 2);
1306 put_unaligned_le16(fcs, tx_skb->data + tx_skb->len - 2);
1307 }
1308
6840ed07
GP		 1309 err = l2cap_do_send(sk, tx_skb);
1310 if (err < 0) {
1311 l2cap_send_disconn_req(pi->conn, sk);
1312 return err;
1313 }
1314
1315 pi->next_tx_seq = (pi->next_tx_seq + 1) % 64;
1316
1317 if (skb_queue_is_last(TX_QUEUE(sk), skb))
1318 sk->sk_send_head = NULL;
1319 else
1320 sk->sk_send_head = skb_queue_next(TX_QUEUE(sk), skb);
1321
1322 skb = skb_dequeue(TX_QUEUE(sk));
1323 kfree_skb(skb);
1324 }
1325 return 0;
1326}
1327
8f17154f
GP		 1328static int l2cap_retransmit_frame(struct sock *sk, u8 tx_seq)
1329{
1330 struct l2cap_pinfo *pi = l2cap_pi(sk);
1331 struct sk_buff *skb, *tx_skb;
1332 u16 control, fcs;
1333 int err;
1334
1335 skb = skb_peek(TX_QUEUE(sk));
1336 do {
1337 if (bt_cb(skb)->tx_seq != tx_seq) {
1338 if (skb_queue_is_last(TX_QUEUE(sk), skb))
1339 break;
1340 skb = skb_queue_next(TX_QUEUE(sk), skb);
1341 continue;
1342 }
1343
1344 if (pi->remote_max_tx &&
1345 bt_cb(skb)->retries == pi->remote_max_tx) {
1346 l2cap_send_disconn_req(pi->conn, sk);
1347 break;
1348 }
1349
1350 tx_skb = skb_clone(skb, GFP_ATOMIC);
1351 bt_cb(skb)->retries++;
1352 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
9f121a5a 1353 control |= (pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
8f17154f
GP		 1354 | (tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
1355 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1356
e8235c6b 1357 if (pi->fcs == L2CAP_FCS_CRC16) {
8f17154f
GP		 1358 fcs = crc16(0, (u8 *)tx_skb->data, tx_skb->len - 2);
1359 put_unaligned_le16(fcs, tx_skb->data + tx_skb->len - 2);
1360 }
1361
1362 err = l2cap_do_send(sk, tx_skb);
1363 if (err < 0) {
1364 l2cap_send_disconn_req(pi->conn, sk);
1365 return err;
1366 }
1367 break;
1368 } while(1);
1369 return 0;
1370}
1371
1c2acffb
GP		 1372static int l2cap_ertm_send(struct sock *sk)
1373{
1374 struct sk_buff *skb, *tx_skb;
1375 struct l2cap_pinfo *pi = l2cap_pi(sk);
fcc203c3 1376 u16 control, fcs;
9e917af1 1377 int err, nsent = 0;
1c2acffb 1378
e90bac06
GP		 1379 if (pi->conn_state & L2CAP_CONN_WAIT_F)
1380 return 0;
1381
f64f9e71
JP		 1382 while ((skb = sk->sk_send_head) && (!l2cap_tx_window_full(sk)) &&
1383 !(pi->conn_state & L2CAP_CONN_REMOTE_BUSY)) {
1c2acffb 1384
e90bac06
GP		 1385 if (pi->remote_max_tx &&
1386 bt_cb(skb)->retries == pi->remote_max_tx) {
1387 l2cap_send_disconn_req(pi->conn, sk);
1388 break;
1389 }
1390
e420aba3
AE		 1391 tx_skb = skb_clone(skb, GFP_ATOMIC);
1392
e90bac06
GP		 1393 bt_cb(skb)->retries++;
1394
1c2acffb 1395 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
d5392c8f
GP		 1396 if (pi->conn_state & L2CAP_CONN_SEND_FBIT) {
1397 control |= L2CAP_CTRL_FINAL;
1398 pi->conn_state &= ~L2CAP_CONN_SEND_FBIT;
1399 }
9f121a5a 1400 control |= (pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1c2acffb
GP		 1401 | (pi->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
1402 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1403
e90bac06 1404
e8235c6b 1405 if (pi->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 1406 fcs = crc16(0, (u8 *)skb->data, tx_skb->len - 2);
1407 put_unaligned_le16(fcs, skb->data + tx_skb->len - 2);
1408 }
1409
1c2acffb
GP		 1410 err = l2cap_do_send(sk, tx_skb);
1411 if (err < 0) {
1412 l2cap_send_disconn_req(pi->conn, sk);
1413 return err;
1414 }
e90bac06 1415 __mod_retrans_timer();
1c2acffb
GP		 1416
1417 bt_cb(skb)->tx_seq = pi->next_tx_seq;
1418 pi->next_tx_seq = (pi->next_tx_seq + 1) % 64;
1419
1420 pi->unacked_frames++;
d5392c8f 1421 pi->frames_sent++;
1c2acffb
GP		 1422
1423 if (skb_queue_is_last(TX_QUEUE(sk), skb))
1424 sk->sk_send_head = NULL;
1425 else
1426 sk->sk_send_head = skb_queue_next(TX_QUEUE(sk), skb);
9e917af1
GP		 1427
1428 nsent++;
1c2acffb
GP		 1429 }
1430
9e917af1
GP		 1431 return nsent;
1432}
1433
1434static int l2cap_send_ack(struct l2cap_pinfo *pi)
1435{
1436 struct sock *sk = (struct sock *)pi;
1437 u16 control = 0;
1438
1439 control |= pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1440
1441 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) {
1442 control |= L2CAP_SUPER_RCV_NOT_READY;
1443 return l2cap_send_sframe(pi, control);
1444 } else if (l2cap_ertm_send(sk) == 0) {
1445 control |= L2CAP_SUPER_RCV_READY;
1446 return l2cap_send_sframe(pi, control);
1447 }
1c2acffb
GP		 1448 return 0;
1449}
1450
99b0d4b7
GP		 1451static int l2cap_send_srejtail(struct sock *sk)
1452{
1453 struct srej_list *tail;
1454 u16 control;
1455
1456 control = L2CAP_SUPER_SELECT_REJECT;
1457 control |= L2CAP_CTRL_FINAL;
1458
1459 tail = list_entry(SREJ_LIST(sk)->prev, struct srej_list, list);
1460 control |= tail->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1461
1462 l2cap_send_sframe(l2cap_pi(sk), control);
1463
1464 return 0;
1465}
1466
1c2acffb
GP		 1467static inline int l2cap_skbuff_fromiovec(struct sock *sk, struct msghdr *msg, int len, int count, struct sk_buff *skb)
1468{
1469 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1470 struct sk_buff **frag;
1471 int err, sent = 0;
1da177e4
LT		 1472
1473 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count)) {
1c2acffb 1474 return -EFAULT;
1da177e4
LT		 1475 }
1476
1477 sent += count;
1478 len -= count;
1479
1480 /* Continuation fragments (no L2CAP header) */
1481 frag = &skb_shinfo(skb)->frag_list;
1482 while (len) {
1483 count = min_t(unsigned int, conn->mtu, len);
1484
1485 *frag = bt_skb_send_alloc(sk, count, msg->msg_flags & MSG_DONTWAIT, &err);
1486 if (!*frag)
1c2acffb
GP		 1487 return -EFAULT;
1488 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1489 return -EFAULT;
1da177e4
LT		 1490
1491 sent += count;
1492 len -= count;
1493
1494 frag = &(*frag)->next;
1495 }
1da177e4
LT		 1496
1497 return sent;
1c2acffb 1498}
1da177e4 1499
1c2acffb
GP		 1500static struct sk_buff *l2cap_create_connless_pdu(struct sock *sk, struct msghdr *msg, size_t len)
1501{
1502 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1503 struct sk_buff *skb;
1504 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1505 struct l2cap_hdr *lh;
1506
1507 BT_DBG("sk %p len %d", sk, (int)len);
1508
1509 count = min_t(unsigned int, (conn->mtu - hlen), len);
1510 skb = bt_skb_send_alloc(sk, count + hlen,
1511 msg->msg_flags & MSG_DONTWAIT, &err);
1512 if (!skb)
1513 return ERR_PTR(-ENOMEM);
1514
1515 /* Create L2CAP header */
1516 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1517 lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1518 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1519 put_unaligned_le16(l2cap_pi(sk)->psm, skb_put(skb, 2));
1520
1521 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1522 if (unlikely(err < 0)) {
1523 kfree_skb(skb);
1524 return ERR_PTR(err);
1525 }
1526 return skb;
1527}
1528
1529static struct sk_buff *l2cap_create_basic_pdu(struct sock *sk, struct msghdr *msg, size_t len)
1530{
1531 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1532 struct sk_buff *skb;
1533 int err, count, hlen = L2CAP_HDR_SIZE;
1534 struct l2cap_hdr *lh;
1535
1536 BT_DBG("sk %p len %d", sk, (int)len);
1537
1538 count = min_t(unsigned int, (conn->mtu - hlen), len);
1539 skb = bt_skb_send_alloc(sk, count + hlen,
1540 msg->msg_flags & MSG_DONTWAIT, &err);
1541 if (!skb)
1542 return ERR_PTR(-ENOMEM);
1543
1544 /* Create L2CAP header */
1545 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1546 lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1547 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1548
1549 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1550 if (unlikely(err < 0)) {
1551 kfree_skb(skb);
1552 return ERR_PTR(err);
1553 }
1554 return skb;
1555}
1556
6840ed07 1557static struct sk_buff *l2cap_create_iframe_pdu(struct sock *sk, struct msghdr *msg, size_t len, u16 control, u16 sdulen)
1c2acffb
GP		 1558{
1559 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1560 struct sk_buff *skb;
1561 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1562 struct l2cap_hdr *lh;
1563
1564 BT_DBG("sk %p len %d", sk, (int)len);
1565
c74e560c
GP		 1566 if (sdulen)
1567 hlen += 2;
1568
fcc203c3
GP		 1569 if (l2cap_pi(sk)->fcs == L2CAP_FCS_CRC16)
1570 hlen += 2;
1571
1c2acffb
GP		 1572 count = min_t(unsigned int, (conn->mtu - hlen), len);
1573 skb = bt_skb_send_alloc(sk, count + hlen,
1574 msg->msg_flags & MSG_DONTWAIT, &err);
1575 if (!skb)
1576 return ERR_PTR(-ENOMEM);
1577
1578 /* Create L2CAP header */
1579 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1580 lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1581 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1582 put_unaligned_le16(control, skb_put(skb, 2));
c74e560c
GP		 1583 if (sdulen)
1584 put_unaligned_le16(sdulen, skb_put(skb, 2));
1c2acffb
GP		 1585
1586 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1587 if (unlikely(err < 0)) {
1588 kfree_skb(skb);
1589 return ERR_PTR(err);
1590 }
e90bac06 1591
fcc203c3
GP		 1592 if (l2cap_pi(sk)->fcs == L2CAP_FCS_CRC16)
1593 put_unaligned_le16(0, skb_put(skb, 2));
1594
e90bac06 1595 bt_cb(skb)->retries = 0;
1c2acffb 1596 return skb;
1da177e4
LT		 1597}
1598
c74e560c
GP		 1599static inline int l2cap_sar_segment_sdu(struct sock *sk, struct msghdr *msg, size_t len)
1600{
1601 struct l2cap_pinfo *pi = l2cap_pi(sk);
1602 struct sk_buff *skb;
1603 struct sk_buff_head sar_queue;
1604 u16 control;
1605 size_t size = 0;
1606
1607 __skb_queue_head_init(&sar_queue);
1608 control = L2CAP_SDU_START;
1c762159 1609 skb = l2cap_create_iframe_pdu(sk, msg, pi->remote_mps, control, len);
c74e560c
GP		 1610 if (IS_ERR(skb))
1611 return PTR_ERR(skb);
1612
1613 __skb_queue_tail(&sar_queue, skb);
1c762159
GP		 1614 len -= pi->remote_mps;
1615 size += pi->remote_mps;
c74e560c
GP		 1616 control = 0;
1617
1618 while (len > 0) {
1619 size_t buflen;
1620
1c762159 1621 if (len > pi->remote_mps) {
c74e560c 1622 control |= L2CAP_SDU_CONTINUE;
1c762159 1623 buflen = pi->remote_mps;
c74e560c
GP		 1624 } else {
1625 control |= L2CAP_SDU_END;
1626 buflen = len;
1627 }
1628
6840ed07 1629 skb = l2cap_create_iframe_pdu(sk, msg, buflen, control, 0);
c74e560c
GP		 1630 if (IS_ERR(skb)) {
1631 skb_queue_purge(&sar_queue);
1632 return PTR_ERR(skb);
1633 }
1634
1635 __skb_queue_tail(&sar_queue, skb);
1636 len -= buflen;
1637 size += buflen;
1638 control = 0;
1639 }
1640 skb_queue_splice_tail(&sar_queue, TX_QUEUE(sk));
1641 if (sk->sk_send_head == NULL)
1642 sk->sk_send_head = sar_queue.next;
1643
1644 return size;
1645}
1646
1da177e4
LT		 1647static int l2cap_sock_sendmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len)
1648{
1649 struct sock *sk = sock->sk;
1c2acffb
GP		 1650 struct l2cap_pinfo *pi = l2cap_pi(sk);
1651 struct sk_buff *skb;
1652 u16 control;
1653 int err;
1da177e4
LT		 1654
1655 BT_DBG("sock %p, sk %p", sock, sk);
1656
c1cbe4b7
BL		 1657 err = sock_error(sk);
1658 if (err)
1659 return err;
1da177e4
LT		 1660
1661 if (msg->msg_flags & MSG_OOB)
1662 return -EOPNOTSUPP;
1663
1da177e4
LT		 1664 lock_sock(sk);
1665
1c2acffb 1666 if (sk->sk_state != BT_CONNECTED) {
1da177e4 1667 err = -ENOTCONN;
1c2acffb
GP		 1668 goto done;
1669 }
1da177e4 1670
1c2acffb
GP		 1671 /* Connectionless channel */
1672 if (sk->sk_type == SOCK_DGRAM) {
1673 skb = l2cap_create_connless_pdu(sk, msg, len);
477fffb0
DC		 1674 if (IS_ERR(skb))
1675 err = PTR_ERR(skb);
1676 else
1677 err = l2cap_do_send(sk, skb);
1c2acffb
GP		 1678 goto done;
1679 }
1680
1681 switch (pi->mode) {
1682 case L2CAP_MODE_BASIC:
c69163e9
GP		 1683 /* Check outgoing MTU */
1684 if (len > pi->omtu) {
1685 err = -EINVAL;
1686 goto done;
1687 }
1688
1c2acffb
GP		 1689 /* Create a basic PDU */
1690 skb = l2cap_create_basic_pdu(sk, msg, len);
1691 if (IS_ERR(skb)) {
1692 err = PTR_ERR(skb);
1693 goto done;
1694 }
1695
1696 err = l2cap_do_send(sk, skb);
1697 if (!err)
1698 err = len;
1699 break;
1700
1701 case L2CAP_MODE_ERTM:
6840ed07 1702 case L2CAP_MODE_STREAMING:
1c2acffb 1703 /* Entire SDU fits into one PDU */
1c762159 1704 if (len <= pi->remote_mps) {
1c2acffb 1705 control = L2CAP_SDU_UNSEGMENTED;
6840ed07 1706 skb = l2cap_create_iframe_pdu(sk, msg, len, control, 0);
1c2acffb
GP		 1707 if (IS_ERR(skb)) {
1708 err = PTR_ERR(skb);
1709 goto done;
1710 }
c74e560c
GP		 1711 __skb_queue_tail(TX_QUEUE(sk), skb);
1712 if (sk->sk_send_head == NULL)
1713 sk->sk_send_head = skb;
1c2acffb 1714 } else {
c74e560c
GP		 1715 /* Segment SDU into multiples PDUs */
1716 err = l2cap_sar_segment_sdu(sk, msg, len);
1717 if (err < 0)
1718 goto done;
1c2acffb 1719 }
1c2acffb 1720
6840ed07
GP		 1721 if (pi->mode == L2CAP_MODE_STREAMING)
1722 err = l2cap_streaming_send(sk);
1723 else
1724 err = l2cap_ertm_send(sk);
1725
9e917af1 1726 if (err >= 0)
1c2acffb
GP		 1727 err = len;
1728 break;
1729
1730 default:
1731 BT_DBG("bad state %1.1x", pi->mode);
1732 err = -EINVAL;
1733 }
1734
1735done:
1da177e4
LT		 1736 release_sock(sk);
1737 return err;
1738}
1739
f66dc81f
MH		 1740static int l2cap_sock_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len, int flags)
1741{
1742 struct sock *sk = sock->sk;
1743
1744 lock_sock(sk);
1745
1746 if (sk->sk_state == BT_CONNECT2 && bt_sk(sk)->defer_setup) {
1747 struct l2cap_conn_rsp rsp;
1748
1749 sk->sk_state = BT_CONFIG;
1750
1751 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
1752 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
1753 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1754 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1755 l2cap_send_cmd(l2cap_pi(sk)->conn, l2cap_pi(sk)->ident,
1756 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
1757
1758 release_sock(sk);
1759 return 0;
1760 }
1761
1762 release_sock(sk);
1763
1764 return bt_sock_recvmsg(iocb, sock, msg, len, flags);
1765}
1766
b7058842 1767static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __user *optval, unsigned int optlen)
1da177e4
LT		 1768{
1769 struct sock *sk = sock->sk;
1770 struct l2cap_options opts;
f29972de 1771 int len, err = 0;
1da177e4
LT		 1772 u32 opt;
1773
1774 BT_DBG("sk %p", sk);
1775
1776 lock_sock(sk);
1777
1778 switch (optname) {
1779 case L2CAP_OPTIONS:
0878b666
MH		 1780 opts.imtu = l2cap_pi(sk)->imtu;
1781 opts.omtu = l2cap_pi(sk)->omtu;
1782 opts.flush_to = l2cap_pi(sk)->flush_to;
c6b03cf9 1783 opts.mode = l2cap_pi(sk)->mode;
fcc203c3 1784 opts.fcs = l2cap_pi(sk)->fcs;
0878b666 1785
1da177e4
LT		 1786 len = min_t(unsigned int, sizeof(opts), optlen);
1787 if (copy_from_user((char *) &opts, optval, len)) {
1788 err = -EFAULT;
1789 break;
1790 }
0878b666 1791
c6b03cf9
MH		 1792 l2cap_pi(sk)->imtu = opts.imtu;
1793 l2cap_pi(sk)->omtu = opts.omtu;
1794 l2cap_pi(sk)->mode = opts.mode;
fcc203c3 1795 l2cap_pi(sk)->fcs = opts.fcs;
1da177e4
LT		 1796 break;
1797
1798 case L2CAP_LM:
1799 if (get_user(opt, (u32 __user *) optval)) {
1800 err = -EFAULT;
1801 break;
1802 }
1803
2af6b9d5
MH		 1804 if (opt & L2CAP_LM_AUTH)
1805 l2cap_pi(sk)->sec_level = BT_SECURITY_LOW;
1806 if (opt & L2CAP_LM_ENCRYPT)
1807 l2cap_pi(sk)->sec_level = BT_SECURITY_MEDIUM;
1808 if (opt & L2CAP_LM_SECURE)
1809 l2cap_pi(sk)->sec_level = BT_SECURITY_HIGH;
1810
1811 l2cap_pi(sk)->role_switch = (opt & L2CAP_LM_MASTER);
1812 l2cap_pi(sk)->force_reliable = (opt & L2CAP_LM_RELIABLE);
1da177e4
LT		 1813 break;
1814
1815 default:
1816 err = -ENOPROTOOPT;
1817 break;
1818 }
1819
1820 release_sock(sk);
1821 return err;
1822}
1823
b7058842 1824static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, char __user *optval, unsigned int optlen)
d58daf42
MH		 1825{
1826 struct sock *sk = sock->sk;
2af6b9d5
MH		 1827 struct bt_security sec;
1828 int len, err = 0;
f66dc81f 1829 u32 opt;
d58daf42
MH		 1830
1831 BT_DBG("sk %p", sk);
1832
1833 if (level == SOL_L2CAP)
1834 return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
1835
0588d94f
MH		 1836 if (level != SOL_BLUETOOTH)
1837 return -ENOPROTOOPT;
1838
d58daf42
MH		 1839 lock_sock(sk);
1840
1841 switch (optname) {
2af6b9d5 1842 case BT_SECURITY:
2526d3d8 1843 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_RAW) {
0588d94f
MH		 1844 err = -EINVAL;
1845 break;
1846 }
1847
2af6b9d5
MH		 1848 sec.level = BT_SECURITY_LOW;
1849
1850 len = min_t(unsigned int, sizeof(sec), optlen);
1851 if (copy_from_user((char *) &sec, optval, len)) {
1852 err = -EFAULT;
1853 break;
1854 }
1855
1856 if (sec.level < BT_SECURITY_LOW ||
1857 sec.level > BT_SECURITY_HIGH) {
1858 err = -EINVAL;
1859 break;
1860 }
1861
1862 l2cap_pi(sk)->sec_level = sec.level;
1863 break;
1864
f66dc81f
MH		 1865 case BT_DEFER_SETUP:
1866 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
1867 err = -EINVAL;
1868 break;
1869 }
1870
1871 if (get_user(opt, (u32 __user *) optval)) {
1872 err = -EFAULT;
1873 break;
1874 }
1875
1876 bt_sk(sk)->defer_setup = opt;
1877 break;
1878
d58daf42
MH		 1879 default:
1880 err = -ENOPROTOOPT;
1881 break;
1882 }
1883
1884 release_sock(sk);
1885 return err;
1886}
1887
1888static int l2cap_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen)
1da177e4
LT		 1889{
1890 struct sock *sk = sock->sk;
1891 struct l2cap_options opts;
1892 struct l2cap_conninfo cinfo;
1893 int len, err = 0;
2af6b9d5 1894 u32 opt;
1da177e4
LT		 1895
1896 BT_DBG("sk %p", sk);
1897
1898 if (get_user(len, optlen))
1899 return -EFAULT;
1900
1901 lock_sock(sk);
1902
1903 switch (optname) {
1904 case L2CAP_OPTIONS:
1905 opts.imtu = l2cap_pi(sk)->imtu;
1906 opts.omtu = l2cap_pi(sk)->omtu;
1907 opts.flush_to = l2cap_pi(sk)->flush_to;
c6b03cf9 1908 opts.mode = l2cap_pi(sk)->mode;
fcc203c3 1909 opts.fcs = l2cap_pi(sk)->fcs;
1da177e4
LT		 1910
1911 len = min_t(unsigned int, len, sizeof(opts));
1912 if (copy_to_user(optval, (char *) &opts, len))
1913 err = -EFAULT;
1914
1915 break;
1916
1917 case L2CAP_LM:
2af6b9d5
MH		 1918 switch (l2cap_pi(sk)->sec_level) {
1919 case BT_SECURITY_LOW:
1920 opt = L2CAP_LM_AUTH;
1921 break;
1922 case BT_SECURITY_MEDIUM:
1923 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
1924 break;
1925 case BT_SECURITY_HIGH:
1926 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
1927 L2CAP_LM_SECURE;
1928 break;
1929 default:
1930 opt = 0;
1931 break;
1932 }
1933
1934 if (l2cap_pi(sk)->role_switch)
1935 opt |= L2CAP_LM_MASTER;
1936
1937 if (l2cap_pi(sk)->force_reliable)
1938 opt |= L2CAP_LM_RELIABLE;
1939
1940 if (put_user(opt, (u32 __user *) optval))
1da177e4
LT		 1941 err = -EFAULT;
1942 break;
1943
1944 case L2CAP_CONNINFO:
f66dc81f
MH		 1945 if (sk->sk_state != BT_CONNECTED &&
1946 !(sk->sk_state == BT_CONNECT2 &&
1947 bt_sk(sk)->defer_setup)) {
1da177e4
LT		 1948 err = -ENOTCONN;
1949 break;
1950 }
1951
1952 cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle;
1953 memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3);
1954
1955 len = min_t(unsigned int, len, sizeof(cinfo));
1956 if (copy_to_user(optval, (char *) &cinfo, len))
1957 err = -EFAULT;
1958
1959 break;
1960
1961 default:
1962 err = -ENOPROTOOPT;
1963 break;
1964 }
1965
1966 release_sock(sk);
1967 return err;
1968}
1969
d58daf42
MH		 1970static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen)
1971{
1972 struct sock *sk = sock->sk;
2af6b9d5 1973 struct bt_security sec;
d58daf42
MH		 1974 int len, err = 0;
1975
1976 BT_DBG("sk %p", sk);
1977
1978 if (level == SOL_L2CAP)
1979 return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
1980
0588d94f
MH		 1981 if (level != SOL_BLUETOOTH)
1982 return -ENOPROTOOPT;
1983
d58daf42
MH		 1984 if (get_user(len, optlen))
1985 return -EFAULT;
1986
1987 lock_sock(sk);
1988
1989 switch (optname) {
2af6b9d5 1990 case BT_SECURITY:
2526d3d8 1991 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_RAW) {
0588d94f
MH		 1992 err = -EINVAL;
1993 break;
1994 }
1995
2af6b9d5
MH		 1996 sec.level = l2cap_pi(sk)->sec_level;
1997
1998 len = min_t(unsigned int, len, sizeof(sec));
1999 if (copy_to_user(optval, (char *) &sec, len))
2000 err = -EFAULT;
2001
2002 break;
2003
f66dc81f
MH		 2004 case BT_DEFER_SETUP:
2005 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
2006 err = -EINVAL;
2007 break;
2008 }
2009
2010 if (put_user(bt_sk(sk)->defer_setup, (u32 __user *) optval))
2011 err = -EFAULT;
2012
2013 break;
2014
d58daf42
MH		 2015 default:
2016 err = -ENOPROTOOPT;
2017 break;
2018 }
2019
2020 release_sock(sk);
2021 return err;
2022}
2023
1da177e4
LT		 2024static int l2cap_sock_shutdown(struct socket *sock, int how)
2025{
2026 struct sock *sk = sock->sk;
2027 int err = 0;
2028
2029 BT_DBG("sock %p, sk %p", sock, sk);
2030
2031 if (!sk)
2032 return 0;
2033
2034 lock_sock(sk);
2035 if (!sk->sk_shutdown) {
2036 sk->sk_shutdown = SHUTDOWN_MASK;
2037 l2cap_sock_clear_timer(sk);
2038 __l2cap_sock_close(sk, 0);
2039
2040 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime)
b1235d79
MH		 2041 err = bt_sock_wait_state(sk, BT_CLOSED,
2042 sk->sk_lingertime);
1da177e4
LT		 2043 }
2044 release_sock(sk);
2045 return err;
2046}
2047
2048static int l2cap_sock_release(struct socket *sock)
2049{
2050 struct sock *sk = sock->sk;
2051 int err;
2052
2053 BT_DBG("sock %p, sk %p", sock, sk);
2054
2055 if (!sk)
2056 return 0;
2057
2058 err = l2cap_sock_shutdown(sock, 2);
2059
2060 sock_orphan(sk);
2061 l2cap_sock_kill(sk);
2062 return err;
2063}
2064
1da177e4
LT		 2065static void l2cap_chan_ready(struct sock *sk)
2066{
2067 struct sock *parent = bt_sk(sk)->parent;
2068
2069 BT_DBG("sk %p, parent %p", sk, parent);
2070
2071 l2cap_pi(sk)->conf_state = 0;
2072 l2cap_sock_clear_timer(sk);
2073
2074 if (!parent) {
2075 /* Outgoing channel.
2076 * Wake up socket sleeping on connect.
2077 */
2078 sk->sk_state = BT_CONNECTED;
2079 sk->sk_state_change(sk);
2080 } else {
2081 /* Incoming channel.
2082 * Wake up socket sleeping on accept.
2083 */
2084 parent->sk_data_ready(parent, 0);
2085 }
2086}
2087
2088/* Copy frame to all raw sockets on that connection */
2089static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2090{
2091 struct l2cap_chan_list *l = &conn->chan_list;
2092 struct sk_buff *nskb;
af05b30b 2093 struct sock *sk;
1da177e4
LT		 2094
2095 BT_DBG("conn %p", conn);
2096
2097 read_lock(&l->lock);
2098 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
2099 if (sk->sk_type != SOCK_RAW)
2100 continue;
2101
2102 /* Don't send frame to the socket it came from */
2103 if (skb->sk == sk)
2104 continue;
af05b30b
GP		 2105 nskb = skb_clone(skb, GFP_ATOMIC);
2106 if (!nskb)
1da177e4
LT		 2107 continue;
2108
2109 if (sock_queue_rcv_skb(sk, nskb))
2110 kfree_skb(nskb);
2111 }
2112 read_unlock(&l->lock);
2113}
2114
2115/* ---- L2CAP signalling commands ---- */
2116static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2117 u8 code, u8 ident, u16 dlen, void *data)
2118{
2119 struct sk_buff *skb, **frag;
2120 struct l2cap_cmd_hdr *cmd;
2121 struct l2cap_hdr *lh;
2122 int len, count;
2123
af05b30b
GP		 2124 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
2125 conn, code, ident, dlen);
1da177e4
LT		 2126
2127 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2128 count = min_t(unsigned int, conn->mtu, len);
2129
2130 skb = bt_skb_alloc(count, GFP_ATOMIC);
2131 if (!skb)
2132 return NULL;
2133
2134 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2135 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
8db4dc46 2136 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2137
2138 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2139 cmd->code = code;
2140 cmd->ident = ident;
aca3192c 2141 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2142
2143 if (dlen) {
2144 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2145 memcpy(skb_put(skb, count), data, count);
2146 data += count;
2147 }
2148
2149 len -= skb->len;
2150
2151 /* Continuation fragments (no L2CAP header) */
2152 frag = &skb_shinfo(skb)->frag_list;
2153 while (len) {
2154 count = min_t(unsigned int, conn->mtu, len);
2155
2156 *frag = bt_skb_alloc(count, GFP_ATOMIC);
2157 if (!*frag)
2158 goto fail;
2159
2160 memcpy(skb_put(*frag, count), data, count);
2161
2162 len -= count;
2163 data += count;
2164
2165 frag = &(*frag)->next;
2166 }
2167
2168 return skb;
2169
2170fail:
2171 kfree_skb(skb);
2172 return NULL;
2173}
2174
2175static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
2176{
2177 struct l2cap_conf_opt *opt = *ptr;
2178 int len;
2179
2180 len = L2CAP_CONF_OPT_SIZE + opt->len;
2181 *ptr += len;
2182
2183 *type = opt->type;
2184 *olen = opt->len;
2185
2186 switch (opt->len) {
2187 case 1:
2188 *val = *((u8 *) opt->val);
2189 break;
2190
2191 case 2:
861d6882 2192 *val = __le16_to_cpu(*((__le16 *) opt->val));
1da177e4
LT		 2193 break;
2194
2195 case 4:
861d6882 2196 *val = __le32_to_cpu(*((__le32 *) opt->val));
1da177e4
LT		 2197 break;
2198
2199 default:
2200 *val = (unsigned long) opt->val;
2201 break;
2202 }
2203
2204 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
2205 return len;
2206}
2207
1da177e4
LT		 2208static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2209{
2210 struct l2cap_conf_opt *opt = *ptr;
2211
2212 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
2213
2214 opt->type = type;
2215 opt->len = len;
2216
2217 switch (len) {
2218 case 1:
2219 *((u8 *) opt->val) = val;
2220 break;
2221
2222 case 2:
8e036fc3 2223 *((__le16 *) opt->val) = cpu_to_le16(val);
1da177e4
LT		 2224 break;
2225
2226 case 4:
8e036fc3 2227 *((__le32 *) opt->val) = cpu_to_le32(val);
1da177e4
LT		 2228 break;
2229
2230 default:
2231 memcpy(opt->val, (void *) val, len);
2232 break;
2233 }
2234
2235 *ptr += L2CAP_CONF_OPT_SIZE + len;
2236}
2237
c1b4f43b
GP		 2238static void l2cap_ack_timeout(unsigned long arg)
2239{
2240 struct sock *sk = (void *) arg;
2241
2242 bh_lock_sock(sk);
2243 l2cap_send_ack(l2cap_pi(sk));
2244 bh_unlock_sock(sk);
2245}
2246
0565c1c2
GP		 2247static inline void l2cap_ertm_init(struct sock *sk)
2248{
2249 l2cap_pi(sk)->expected_ack_seq = 0;
2250 l2cap_pi(sk)->unacked_frames = 0;
2251 l2cap_pi(sk)->buffer_seq = 0;
2252 l2cap_pi(sk)->num_to_ack = 0;
d5392c8f 2253 l2cap_pi(sk)->frames_sent = 0;
0565c1c2
GP		 2254
2255 setup_timer(&l2cap_pi(sk)->retrans_timer,
2256 l2cap_retrans_timeout, (unsigned long) sk);
2257 setup_timer(&l2cap_pi(sk)->monitor_timer,
2258 l2cap_monitor_timeout, (unsigned long) sk);
c1b4f43b
GP		 2259 setup_timer(&l2cap_pi(sk)->ack_timer,
2260 l2cap_ack_timeout, (unsigned long) sk);
0565c1c2
GP		 2261
2262 __skb_queue_head_init(SREJ_QUEUE(sk));
2263}
2264
f2fcfcd6
GP		 2265static int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
2266{
2267 u32 local_feat_mask = l2cap_feat_mask;
2268 if (enable_ertm)
6840ed07 2269 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
f2fcfcd6
GP		 2270
2271 switch (mode) {
2272 case L2CAP_MODE_ERTM:
2273 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
2274 case L2CAP_MODE_STREAMING:
2275 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
2276 default:
2277 return 0x00;
2278 }
2279}
2280
2281static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2282{
2283 switch (mode) {
2284 case L2CAP_MODE_STREAMING:
2285 case L2CAP_MODE_ERTM:
2286 if (l2cap_mode_supported(mode, remote_feat_mask))
2287 return mode;
2288 /* fall through */
2289 default:
2290 return L2CAP_MODE_BASIC;
2291 }
2292}
2293
1da177e4
LT		 2294static int l2cap_build_conf_req(struct sock *sk, void *data)
2295{
2296 struct l2cap_pinfo *pi = l2cap_pi(sk);
2297 struct l2cap_conf_req *req = data;
a0e55a32 2298 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
1da177e4
LT		 2299 void *ptr = req->data;
2300
2301 BT_DBG("sk %p", sk);
2302
f2fcfcd6
GP		 2303 if (pi->num_conf_req || pi->num_conf_rsp)
2304 goto done;
2305
2306 switch (pi->mode) {
2307 case L2CAP_MODE_STREAMING:
2308 case L2CAP_MODE_ERTM:
2309 pi->conf_state |= L2CAP_CONF_STATE2_DEVICE;
22121fc9
GP		 2310 if (!l2cap_mode_supported(pi->mode, pi->conn->feat_mask))
2311 l2cap_send_disconn_req(pi->conn, sk);
f2fcfcd6
GP		 2312 break;
2313 default:
2314 pi->mode = l2cap_select_mode(rfc.mode, pi->conn->feat_mask);
2315 break;
2316 }
2317
2318done:
65c7c491
MH		 2319 switch (pi->mode) {
2320 case L2CAP_MODE_BASIC:
2321 if (pi->imtu != L2CAP_DEFAULT_MTU)
2322 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->imtu);
2323 break;
2324
2325 case L2CAP_MODE_ERTM:
2326 rfc.mode = L2CAP_MODE_ERTM;
f2fcfcd6 2327 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
5fbcd3d1 2328 rfc.max_transmit = max_transmit;
f2fcfcd6
GP		 2329 rfc.retrans_timeout = 0;
2330 rfc.monitor_timeout = 0;
c74e560c 2331 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
d1daa091 2332 if (L2CAP_DEFAULT_MAX_PDU_SIZE > pi->conn->mtu - 10)
1c762159 2333 rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10);
f2fcfcd6
GP		 2334
2335 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2336 sizeof(rfc), (unsigned long) &rfc);
fcc203c3
GP		 2337
2338 if (!(pi->conn->feat_mask & L2CAP_FEAT_FCS))
2339 break;
2340
2341 if (pi->fcs == L2CAP_FCS_NONE ||
2342 pi->conf_state & L2CAP_CONF_NO_FCS_RECV) {
2343 pi->fcs = L2CAP_FCS_NONE;
2344 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, pi->fcs);
2345 }
f2fcfcd6
GP		 2346 break;
2347
2348 case L2CAP_MODE_STREAMING:
2349 rfc.mode = L2CAP_MODE_STREAMING;
2350 rfc.txwin_size = 0;
2351 rfc.max_transmit = 0;
2352 rfc.retrans_timeout = 0;
2353 rfc.monitor_timeout = 0;
c74e560c 2354 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
d1daa091 2355 if (L2CAP_DEFAULT_MAX_PDU_SIZE > pi->conn->mtu - 10)
1c762159 2356 rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10);
65c7c491
MH		 2357
2358 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2359 sizeof(rfc), (unsigned long) &rfc);
fcc203c3
GP		 2360
2361 if (!(pi->conn->feat_mask & L2CAP_FEAT_FCS))
2362 break;
2363
2364 if (pi->fcs == L2CAP_FCS_NONE ||
2365 pi->conf_state & L2CAP_CONF_NO_FCS_RECV) {
2366 pi->fcs = L2CAP_FCS_NONE;
2367 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, pi->fcs);
2368 }
65c7c491
MH		 2369 break;
2370 }
1da177e4
LT		 2371
2372 /* FIXME: Need actual value of the flush timeout */
2373 //if (flush_to != L2CAP_DEFAULT_FLUSH_TO)
2374 // l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, 2, pi->flush_to);
2375
aca3192c
YH		 2376 req->dcid = cpu_to_le16(pi->dcid);
2377 req->flags = cpu_to_le16(0);
1da177e4
LT		 2378
2379 return ptr - data;
2380}
2381
5dee9e7c 2382static int l2cap_parse_conf_req(struct sock *sk, void *data)
1da177e4
LT		 2383{
2384 struct l2cap_pinfo *pi = l2cap_pi(sk);
5dee9e7c
MH		 2385 struct l2cap_conf_rsp *rsp = data;
2386 void *ptr = rsp->data;
2387 void *req = pi->conf_req;
2388 int len = pi->conf_len;
2389 int type, hint, olen;
2390 unsigned long val;
6464f35f 2391 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
861d6882 2392 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 2393 u16 result = L2CAP_CONF_SUCCESS;
1da177e4 2394
5dee9e7c 2395 BT_DBG("sk %p", sk);
820ae1b8 2396
5dee9e7c
MH		 2397 while (len >= L2CAP_CONF_OPT_SIZE) {
2398 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 2399
589d2746 2400 hint = type & L2CAP_CONF_HINT;
47ec1dcd 2401 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 2402
2403 switch (type) {
2404 case L2CAP_CONF_MTU:
861d6882 2405 mtu = val;
5dee9e7c
MH		 2406 break;
2407
2408 case L2CAP_CONF_FLUSH_TO:
2409 pi->flush_to = val;
2410 break;
2411
2412 case L2CAP_CONF_QOS:
2413 break;
2414
6464f35f
MH		 2415 case L2CAP_CONF_RFC:
2416 if (olen == sizeof(rfc))
2417 memcpy(&rfc, (void *) val, olen);
2418 break;
2419
fcc203c3
GP		 2420 case L2CAP_CONF_FCS:
2421 if (val == L2CAP_FCS_NONE)
2422 pi->conf_state |= L2CAP_CONF_NO_FCS_RECV;
2423
2424 break;
2425
5dee9e7c
MH		 2426 default:
2427 if (hint)
2428 break;
2429
2430 result = L2CAP_CONF_UNKNOWN;
2431 *((u8 *) ptr++) = type;
2432 break;
2433 }
2434 }
2435
f2fcfcd6
GP		 2436 if (pi->num_conf_rsp || pi->num_conf_req)
2437 goto done;
2438
2439 switch (pi->mode) {
2440 case L2CAP_MODE_STREAMING:
2441 case L2CAP_MODE_ERTM:
2442 pi->conf_state |= L2CAP_CONF_STATE2_DEVICE;
2443 if (!l2cap_mode_supported(pi->mode, pi->conn->feat_mask))
2444 return -ECONNREFUSED;
2445 break;
2446 default:
2447 pi->mode = l2cap_select_mode(rfc.mode, pi->conn->feat_mask);
2448 break;
2449 }
2450
2451done:
2452 if (pi->mode != rfc.mode) {
2453 result = L2CAP_CONF_UNACCEPT;
2454 rfc.mode = pi->mode;
2455
2456 if (pi->num_conf_rsp == 1)
2457 return -ECONNREFUSED;
2458
2459 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2460 sizeof(rfc), (unsigned long) &rfc);
2461 }
2462
2463
5dee9e7c
MH		 2464 if (result == L2CAP_CONF_SUCCESS) {
2465 /* Configure output options and let the other side know
2466 * which ones we don't like. */
2467
f2fcfcd6
GP		 2468 if (mtu < L2CAP_DEFAULT_MIN_MTU)
2469 result = L2CAP_CONF_UNACCEPT;
2470 else {
2471 pi->omtu = mtu;
2472 pi->conf_state |= L2CAP_CONF_MTU_DONE;
2473 }
2474 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->omtu);
6464f35f 2475
f2fcfcd6
GP		 2476 switch (rfc.mode) {
2477 case L2CAP_MODE_BASIC:
2478 pi->fcs = L2CAP_FCS_NONE;
2479 pi->conf_state |= L2CAP_CONF_MODE_DONE;
2480 break;
2481
2482 case L2CAP_MODE_ERTM:
2483 pi->remote_tx_win = rfc.txwin_size;
2484 pi->remote_max_tx = rfc.max_transmit;
1c762159
GP		 2485 if (rfc.max_pdu_size > pi->conn->mtu - 10)
2486 rfc.max_pdu_size = le16_to_cpu(pi->conn->mtu - 10);
2487
2488 pi->remote_mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6 2489
10467e9e
GP		 2490 rfc.retrans_timeout =
2491 le16_to_cpu(L2CAP_DEFAULT_RETRANS_TO);
2492 rfc.monitor_timeout =
2493 le16_to_cpu(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6
GP		 2494
2495 pi->conf_state |= L2CAP_CONF_MODE_DONE;
68ae6639
GP		 2496
2497 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2498 sizeof(rfc), (unsigned long) &rfc);
2499
f2fcfcd6
GP		 2500 break;
2501
2502 case L2CAP_MODE_STREAMING:
1c762159
GP		 2503 if (rfc.max_pdu_size > pi->conn->mtu - 10)
2504 rfc.max_pdu_size = le16_to_cpu(pi->conn->mtu - 10);
2505
2506 pi->remote_mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2507
2508 pi->conf_state |= L2CAP_CONF_MODE_DONE;
68ae6639
GP		 2509
2510 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2511 sizeof(rfc), (unsigned long) &rfc);
2512
f2fcfcd6
GP		 2513 break;
2514
2515 default:
5dee9e7c 2516 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 2517
6464f35f 2518 memset(&rfc, 0, sizeof(rfc));
f2fcfcd6
GP		 2519 rfc.mode = pi->mode;
2520 }
6464f35f 2521
f2fcfcd6
GP		 2522 if (result == L2CAP_CONF_SUCCESS)
2523 pi->conf_state |= L2CAP_CONF_OUTPUT_DONE;
2524 }
5dee9e7c
MH		 2525 rsp->scid = cpu_to_le16(pi->dcid);
2526 rsp->result = cpu_to_le16(result);
2527 rsp->flags = cpu_to_le16(0x0000);
2528
2529 return ptr - data;
1da177e4
LT		 2530}
2531
f2fcfcd6
GP		 2532static int l2cap_parse_conf_rsp(struct sock *sk, void *rsp, int len, void *data, u16 *result)
2533{
2534 struct l2cap_pinfo *pi = l2cap_pi(sk);
2535 struct l2cap_conf_req *req = data;
2536 void *ptr = req->data;
2537 int type, olen;
2538 unsigned long val;
2539 struct l2cap_conf_rfc rfc;
2540
2541 BT_DBG("sk %p, rsp %p, len %d, req %p", sk, rsp, len, data);
2542
2543 while (len >= L2CAP_CONF_OPT_SIZE) {
2544 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2545
2546 switch (type) {
2547 case L2CAP_CONF_MTU:
2548 if (val < L2CAP_DEFAULT_MIN_MTU) {
2549 *result = L2CAP_CONF_UNACCEPT;
2550 pi->omtu = L2CAP_DEFAULT_MIN_MTU;
2551 } else
2552 pi->omtu = val;
2553 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->omtu);
2554 break;
2555
2556 case L2CAP_CONF_FLUSH_TO:
2557 pi->flush_to = val;
2558 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
2559 2, pi->flush_to);
2560 break;
2561
2562 case L2CAP_CONF_RFC:
2563 if (olen == sizeof(rfc))
2564 memcpy(&rfc, (void *)val, olen);
2565
2566 if ((pi->conf_state & L2CAP_CONF_STATE2_DEVICE) &&
2567 rfc.mode != pi->mode)
2568 return -ECONNREFUSED;
2569
2570 pi->mode = rfc.mode;
2571 pi->fcs = 0;
2572
2573 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2574 sizeof(rfc), (unsigned long) &rfc);
2575 break;
2576 }
2577 }
2578
2579 if (*result == L2CAP_CONF_SUCCESS) {
2580 switch (rfc.mode) {
2581 case L2CAP_MODE_ERTM:
2582 pi->remote_tx_win = rfc.txwin_size;
10467e9e
GP		 2583 pi->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2584 pi->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
1c762159 2585 pi->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2586 break;
2587 case L2CAP_MODE_STREAMING:
1c762159 2588 pi->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2589 }
2590 }
2591
2592 req->dcid = cpu_to_le16(pi->dcid);
2593 req->flags = cpu_to_le16(0x0000);
2594
2595 return ptr - data;
2596}
2597
5dee9e7c 2598static int l2cap_build_conf_rsp(struct sock *sk, void *data, u16 result, u16 flags)
1da177e4
LT		 2599{
2600 struct l2cap_conf_rsp *rsp = data;
2601 void *ptr = rsp->data;
1da177e4 2602
5dee9e7c 2603 BT_DBG("sk %p", sk);
1da177e4 2604
aca3192c 2605 rsp->scid = cpu_to_le16(l2cap_pi(sk)->dcid);
5dee9e7c 2606 rsp->result = cpu_to_le16(result);
aca3192c 2607 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 2608
2609 return ptr - data;
2610}
2611
7b1c0049
GP		 2612static void l2cap_conf_rfc_get(struct sock *sk, void *rsp, int len)
2613{
2614 struct l2cap_pinfo *pi = l2cap_pi(sk);
2615 int type, olen;
2616 unsigned long val;
2617 struct l2cap_conf_rfc rfc;
2618
2619 BT_DBG("sk %p, rsp %p, len %d", sk, rsp, len);
2620
2621 if ((pi->mode != L2CAP_MODE_ERTM) && (pi->mode != L2CAP_MODE_STREAMING))
2622 return;
2623
2624 while (len >= L2CAP_CONF_OPT_SIZE) {
2625 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2626
2627 switch (type) {
2628 case L2CAP_CONF_RFC:
2629 if (olen == sizeof(rfc))
2630 memcpy(&rfc, (void *)val, olen);
2631 goto done;
2632 }
2633 }
2634
2635done:
2636 switch (rfc.mode) {
2637 case L2CAP_MODE_ERTM:
2638 pi->remote_tx_win = rfc.txwin_size;
10467e9e
GP		 2639 pi->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2640 pi->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
7b1c0049
GP		 2641 pi->mps = le16_to_cpu(rfc.max_pdu_size);
2642 break;
2643 case L2CAP_MODE_STREAMING:
2644 pi->mps = le16_to_cpu(rfc.max_pdu_size);
2645 }
2646}
2647
4e8402a3
MH		 2648static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2649{
2650 struct l2cap_cmd_rej *rej = (struct l2cap_cmd_rej *) data;
2651
2652 if (rej->reason != 0x0000)
2653 return 0;
2654
2655 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2656 cmd->ident == conn->info_ident) {
4e8402a3 2657 del_timer(&conn->info_timer);
984947dc
MH		 2658
2659 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2660 conn->info_ident = 0;
984947dc 2661
4e8402a3
MH		 2662 l2cap_conn_start(conn);
2663 }
2664
2665 return 0;
2666}
2667
1da177e4
LT		 2668static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2669{
2670 struct l2cap_chan_list *list = &conn->chan_list;
2671 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
2672 struct l2cap_conn_rsp rsp;
2673 struct sock *sk, *parent;
e7c29cb1 2674 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2675
2676 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 2677 __le16 psm = req->psm;
1da177e4
LT		 2678
2679 BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
2680
2681 /* Check if we have socket listening on psm */
2682 parent = l2cap_get_sock_by_psm(BT_LISTEN, psm, conn->src);
2683 if (!parent) {
2684 result = L2CAP_CR_BAD_PSM;
2685 goto sendresp;
2686 }
2687
e7c29cb1
MH		 2688 /* Check if the ACL is secure enough (if not SDP) */
2689 if (psm != cpu_to_le16(0x0001) &&
2690 !hci_conn_check_link_mode(conn->hcon)) {
2950f21a 2691 conn->disc_reason = 0x05;
e7c29cb1
MH		 2692 result = L2CAP_CR_SEC_BLOCK;
2693 goto response;
2694 }
2695
1da177e4
LT		 2696 result = L2CAP_CR_NO_MEM;
2697
2698 /* Check for backlog size */
2699 if (sk_acceptq_is_full(parent)) {
8e87d142 2700 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1da177e4
LT		 2701 goto response;
2702 }
2703
3b1e0a65 2704 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP, GFP_ATOMIC);
1da177e4
LT		 2705 if (!sk)
2706 goto response;
2707
fd1278d7 2708 write_lock_bh(&list->lock);
1da177e4
LT		 2709
2710 /* Check if we already have channel with that dcid */
2711 if (__l2cap_get_chan_by_dcid(list, scid)) {
fd1278d7 2712 write_unlock_bh(&list->lock);
1da177e4
LT		 2713 sock_set_flag(sk, SOCK_ZAPPED);
2714 l2cap_sock_kill(sk);
2715 goto response;
2716 }
2717
2718 hci_conn_hold(conn->hcon);
2719
2720 l2cap_sock_init(sk, parent);
2721 bacpy(&bt_sk(sk)->src, conn->src);
2722 bacpy(&bt_sk(sk)->dst, conn->dst);
2723 l2cap_pi(sk)->psm = psm;
2724 l2cap_pi(sk)->dcid = scid;
2725
2726 __l2cap_chan_add(conn, sk, parent);
2727 dcid = l2cap_pi(sk)->scid;
2728
2729 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
2730
1da177e4
LT		 2731 l2cap_pi(sk)->ident = cmd->ident;
2732
984947dc 2733 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
2af6b9d5 2734 if (l2cap_check_security(sk)) {
f66dc81f
MH		 2735 if (bt_sk(sk)->defer_setup) {
2736 sk->sk_state = BT_CONNECT2;
2737 result = L2CAP_CR_PEND;
2738 status = L2CAP_CS_AUTHOR_PEND;
2739 parent->sk_data_ready(parent, 0);
2740 } else {
2741 sk->sk_state = BT_CONFIG;
2742 result = L2CAP_CR_SUCCESS;
2743 status = L2CAP_CS_NO_INFO;
2744 }
79d554a6
MH		 2745 } else {
2746 sk->sk_state = BT_CONNECT2;
2747 result = L2CAP_CR_PEND;
2748 status = L2CAP_CS_AUTHEN_PEND;
2749 }
2750 } else {
2751 sk->sk_state = BT_CONNECT2;
2752 result = L2CAP_CR_PEND;
2753 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2754 }
2755
fd1278d7 2756 write_unlock_bh(&list->lock);
1da177e4
LT		 2757
2758response:
2759 bh_unlock_sock(parent);
2760
2761sendresp:
aca3192c
YH		 2762 rsp.scid = cpu_to_le16(scid);
2763 rsp.dcid = cpu_to_le16(dcid);
2764 rsp.result = cpu_to_le16(result);
2765 rsp.status = cpu_to_le16(status);
1da177e4 2766 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 2767
2768 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
2769 struct l2cap_info_req info;
2770 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2771
2772 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
2773 conn->info_ident = l2cap_get_ident(conn);
2774
2775 mod_timer(&conn->info_timer, jiffies +
2776 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
2777
2778 l2cap_send_cmd(conn, conn->info_ident,
2779 L2CAP_INFO_REQ, sizeof(info), &info);
2780 }
2781
1da177e4
LT		 2782 return 0;
2783}
2784
2785static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2786{
2787 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
2788 u16 scid, dcid, result, status;
2789 struct sock *sk;
2790 u8 req[128];
2791
2792 scid = __le16_to_cpu(rsp->scid);
2793 dcid = __le16_to_cpu(rsp->dcid);
2794 result = __le16_to_cpu(rsp->result);
2795 status = __le16_to_cpu(rsp->status);
2796
2797 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status);
2798
2799 if (scid) {
af05b30b
GP		 2800 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
2801 if (!sk)
1da177e4
LT		 2802 return 0;
2803 } else {
af05b30b
GP		 2804 sk = l2cap_get_chan_by_ident(&conn->chan_list, cmd->ident);
2805 if (!sk)
1da177e4
LT		 2806 return 0;
2807 }
2808
2809 switch (result) {
2810 case L2CAP_CR_SUCCESS:
2811 sk->sk_state = BT_CONFIG;
2812 l2cap_pi(sk)->ident = 0;
2813 l2cap_pi(sk)->dcid = dcid;
2814 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
2815
6a8d3010
MH		 2816 l2cap_pi(sk)->conf_state &= ~L2CAP_CONF_CONNECT_PEND;
2817
1da177e4
LT		 2818 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2819 l2cap_build_conf_req(sk, req), req);
f2fcfcd6 2820 l2cap_pi(sk)->num_conf_req++;
1da177e4
LT		 2821 break;
2822
2823 case L2CAP_CR_PEND:
6a8d3010 2824 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
1da177e4
LT		 2825 break;
2826
2827 default:
2828 l2cap_chan_del(sk, ECONNREFUSED);
2829 break;
2830 }
2831
2832 bh_unlock_sock(sk);
2833 return 0;
2834}
2835
88219a0f 2836static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 2837{
2838 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
2839 u16 dcid, flags;
2840 u8 rsp[64];
2841 struct sock *sk;
5dee9e7c 2842 int len;
1da177e4
LT		 2843
2844 dcid = __le16_to_cpu(req->dcid);
2845 flags = __le16_to_cpu(req->flags);
2846
2847 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
2848
af05b30b
GP		 2849 sk = l2cap_get_chan_by_scid(&conn->chan_list, dcid);
2850 if (!sk)
1da177e4
LT		 2851 return -ENOENT;
2852
354f60a9
MH		 2853 if (sk->sk_state == BT_DISCONN)
2854 goto unlock;
2855
5dee9e7c 2856 /* Reject if config buffer is too small. */
88219a0f 2857 len = cmd_len - sizeof(*req);
5dee9e7c
MH		 2858 if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
2859 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2860 l2cap_build_conf_rsp(sk, rsp,
2861 L2CAP_CONF_REJECT, flags), rsp);
2862 goto unlock;
2863 }
2864
2865 /* Store config. */
2866 memcpy(l2cap_pi(sk)->conf_req + l2cap_pi(sk)->conf_len, req->data, len);
2867 l2cap_pi(sk)->conf_len += len;
1da177e4
LT		 2868
2869 if (flags & 0x0001) {
2870 /* Incomplete config. Send empty response. */
2871 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
5dee9e7c
MH		 2872 l2cap_build_conf_rsp(sk, rsp,
2873 L2CAP_CONF_SUCCESS, 0x0001), rsp);
1da177e4
LT		 2874 goto unlock;
2875 }
2876
2877 /* Complete config. */
5dee9e7c 2878 len = l2cap_parse_conf_req(sk, rsp);
f2fcfcd6 2879 if (len < 0) {
22121fc9 2880 l2cap_send_disconn_req(conn, sk);
1da177e4 2881 goto unlock;
f2fcfcd6 2882 }
1da177e4 2883
5dee9e7c 2884 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
f2fcfcd6 2885 l2cap_pi(sk)->num_conf_rsp++;
5dee9e7c 2886
5dee9e7c
MH		 2887 /* Reset config buffer. */
2888 l2cap_pi(sk)->conf_len = 0;
2889
876d9484
MH		 2890 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE))
2891 goto unlock;
2892
1da177e4 2893 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_INPUT_DONE) {
f64f9e71
JP		 2894 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_NO_FCS_RECV) ||
2895 l2cap_pi(sk)->fcs != L2CAP_FCS_NONE)
fcc203c3
GP		 2896 l2cap_pi(sk)->fcs = L2CAP_FCS_CRC16;
2897
1da177e4 2898 sk->sk_state = BT_CONNECTED;
e90bac06 2899
0565c1c2
GP		 2900 l2cap_pi(sk)->next_tx_seq = 0;
2901 l2cap_pi(sk)->expected_tx_seq = 0;
1c2acffb 2902 __skb_queue_head_init(TX_QUEUE(sk));
0565c1c2
GP		 2903 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM)
2904 l2cap_ertm_init(sk);
2905
1da177e4 2906 l2cap_chan_ready(sk);
876d9484
MH		 2907 goto unlock;
2908 }
2909
2910 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT)) {
79d554a6 2911 u8 buf[64];
1da177e4 2912 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
79d554a6 2913 l2cap_build_conf_req(sk, buf), buf);
f2fcfcd6 2914 l2cap_pi(sk)->num_conf_req++;
1da177e4
LT		 2915 }
2916
2917unlock:
2918 bh_unlock_sock(sk);
2919 return 0;
2920}
2921
2922static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2923{
2924 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
2925 u16 scid, flags, result;
2926 struct sock *sk;
7b1c0049 2927 int len = cmd->len - sizeof(*rsp);
1da177e4
LT		 2928
2929 scid = __le16_to_cpu(rsp->scid);
2930 flags = __le16_to_cpu(rsp->flags);
2931 result = __le16_to_cpu(rsp->result);
2932
af05b30b
GP		 2933 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x",
2934 scid, flags, result);
1da177e4 2935
af05b30b
GP		 2936 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
2937 if (!sk)
1da177e4
LT		 2938 return 0;
2939
2940 switch (result) {
2941 case L2CAP_CONF_SUCCESS:
7b1c0049 2942 l2cap_conf_rfc_get(sk, rsp->data, len);
1da177e4
LT		 2943 break;
2944
2945 case L2CAP_CONF_UNACCEPT:
f2fcfcd6 2946 if (l2cap_pi(sk)->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 2947 char req[64];
2948
c2c77ec8
AE		 2949 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
2950 l2cap_send_disconn_req(conn, sk);
2951 goto done;
2952 }
2953
f2fcfcd6
GP		 2954 /* throw out any old stored conf requests */
2955 result = L2CAP_CONF_SUCCESS;
2956 len = l2cap_parse_conf_rsp(sk, rsp->data,
2957 len, req, &result);
2958 if (len < 0) {
22121fc9 2959 l2cap_send_disconn_req(conn, sk);
f2fcfcd6
GP		 2960 goto done;
2961 }
2962
2963 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2964 L2CAP_CONF_REQ, len, req);
2965 l2cap_pi(sk)->num_conf_req++;
2966 if (result != L2CAP_CONF_SUCCESS)
2967 goto done;
2968 break;
1da177e4
LT		 2969 }
2970
8e87d142 2971 default:
1da177e4 2972 sk->sk_state = BT_DISCONN;
b1235d79 2973 sk->sk_err = ECONNRESET;
1da177e4 2974 l2cap_sock_set_timer(sk, HZ * 5);
22121fc9 2975 l2cap_send_disconn_req(conn, sk);
1da177e4
LT		 2976 goto done;
2977 }
2978
2979 if (flags & 0x01)
2980 goto done;
2981
1da177e4
LT		 2982 l2cap_pi(sk)->conf_state |= L2CAP_CONF_INPUT_DONE;
2983
2984 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE) {
f64f9e71
JP		 2985 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_NO_FCS_RECV) ||
2986 l2cap_pi(sk)->fcs != L2CAP_FCS_NONE)
fcc203c3
GP		 2987 l2cap_pi(sk)->fcs = L2CAP_FCS_CRC16;
2988
1da177e4 2989 sk->sk_state = BT_CONNECTED;
0565c1c2 2990 l2cap_pi(sk)->next_tx_seq = 0;
1c2acffb 2991 l2cap_pi(sk)->expected_tx_seq = 0;
1c2acffb 2992 __skb_queue_head_init(TX_QUEUE(sk));
0565c1c2
GP		 2993 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM)
2994 l2cap_ertm_init(sk);
2995
1da177e4
LT		 2996 l2cap_chan_ready(sk);
2997 }
2998
2999done:
3000 bh_unlock_sock(sk);
3001 return 0;
3002}
3003
3004static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3005{
3006 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
3007 struct l2cap_disconn_rsp rsp;
3008 u16 dcid, scid;
3009 struct sock *sk;
3010
3011 scid = __le16_to_cpu(req->scid);
3012 dcid = __le16_to_cpu(req->dcid);
3013
3014 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
3015
af05b30b
GP		 3016 sk = l2cap_get_chan_by_scid(&conn->chan_list, dcid);
3017 if (!sk)
1da177e4
LT		 3018 return 0;
3019
aca3192c
YH		 3020 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
3021 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
1da177e4
LT		 3022 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
3023
3024 sk->sk_shutdown = SHUTDOWN_MASK;
3025
1c2acffb 3026 skb_queue_purge(TX_QUEUE(sk));
0565c1c2
GP		 3027
3028 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM) {
3029 skb_queue_purge(SREJ_QUEUE(sk));
3030 del_timer(&l2cap_pi(sk)->retrans_timer);
3031 del_timer(&l2cap_pi(sk)->monitor_timer);
c1b4f43b 3032 del_timer(&l2cap_pi(sk)->ack_timer);
0565c1c2 3033 }
1c2acffb 3034
1da177e4
LT		 3035 l2cap_chan_del(sk, ECONNRESET);
3036 bh_unlock_sock(sk);
3037
3038 l2cap_sock_kill(sk);
3039 return 0;
3040}
3041
3042static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3043{
3044 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
3045 u16 dcid, scid;
3046 struct sock *sk;
3047
3048 scid = __le16_to_cpu(rsp->scid);
3049 dcid = __le16_to_cpu(rsp->dcid);
3050
3051 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
3052
af05b30b
GP		 3053 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
3054 if (!sk)
1da177e4
LT		 3055 return 0;
3056
1c2acffb 3057 skb_queue_purge(TX_QUEUE(sk));
0565c1c2
GP		 3058
3059 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM) {
3060 skb_queue_purge(SREJ_QUEUE(sk));
3061 del_timer(&l2cap_pi(sk)->retrans_timer);
3062 del_timer(&l2cap_pi(sk)->monitor_timer);
c1b4f43b 3063 del_timer(&l2cap_pi(sk)->ack_timer);
0565c1c2 3064 }
1c2acffb 3065
1da177e4
LT		 3066 l2cap_chan_del(sk, 0);
3067 bh_unlock_sock(sk);
3068
3069 l2cap_sock_kill(sk);
3070 return 0;
3071}
3072
3073static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3074{
3075 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 3076 u16 type;
3077
3078 type = __le16_to_cpu(req->type);
3079
3080 BT_DBG("type 0x%4.4x", type);
3081
f0709e03
MH		 3082 if (type == L2CAP_IT_FEAT_MASK) {
3083 u8 buf[8];
44dd46de 3084 u32 feat_mask = l2cap_feat_mask;
f0709e03
MH		 3085 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
3086 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3087 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
44dd46de 3088 if (enable_ertm)
fcc203c3
GP		 3089 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
3090 | L2CAP_FEAT_FCS;
1b7bf4ed 3091 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 3092 l2cap_send_cmd(conn, cmd->ident,
3093 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 3094 } else if (type == L2CAP_IT_FIXED_CHAN) {
3095 u8 buf[12];
3096 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
3097 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3098 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
3099 memcpy(buf + 4, l2cap_fixed_chan, 8);
3100 l2cap_send_cmd(conn, cmd->ident,
3101 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 3102 } else {
3103 struct l2cap_info_rsp rsp;
3104 rsp.type = cpu_to_le16(type);
3105 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
3106 l2cap_send_cmd(conn, cmd->ident,
3107 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
3108 }
1da177e4
LT		 3109
3110 return 0;
3111}
3112
3113static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3114{
3115 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
3116 u16 type, result;
3117
3118 type = __le16_to_cpu(rsp->type);
3119 result = __le16_to_cpu(rsp->result);
3120
3121 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
3122
4e8402a3
MH		 3123 del_timer(&conn->info_timer);
3124
984947dc 3125 if (type == L2CAP_IT_FEAT_MASK) {
83985319 3126 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 3127
47ec1dcd 3128 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c
MH		 3129 struct l2cap_info_req req;
3130 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3131
3132 conn->info_ident = l2cap_get_ident(conn);
3133
3134 l2cap_send_cmd(conn, conn->info_ident,
3135 L2CAP_INFO_REQ, sizeof(req), &req);
3136 } else {
3137 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3138 conn->info_ident = 0;
3139
3140 l2cap_conn_start(conn);
3141 }
3142 } else if (type == L2CAP_IT_FIXED_CHAN) {
984947dc 3143 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3144 conn->info_ident = 0;
984947dc
MH		 3145
3146 l2cap_conn_start(conn);
3147 }
4e8402a3 3148
1da177e4
LT		 3149 return 0;
3150}
3151
3152static inline void l2cap_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb)
3153{
3154 u8 *data = skb->data;
3155 int len = skb->len;
3156 struct l2cap_cmd_hdr cmd;
3157 int err = 0;
3158
3159 l2cap_raw_recv(conn, skb);
3160
3161 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 3162 u16 cmd_len;
1da177e4
LT		 3163 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
3164 data += L2CAP_CMD_HDR_SIZE;
3165 len -= L2CAP_CMD_HDR_SIZE;
3166
88219a0f 3167 cmd_len = le16_to_cpu(cmd.len);
1da177e4 3168
88219a0f 3169 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 3170
88219a0f 3171 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 3172 BT_DBG("corrupted command");
3173 break;
3174 }
3175
3176 switch (cmd.code) {
3177 case L2CAP_COMMAND_REJ:
4e8402a3 3178 l2cap_command_rej(conn, &cmd, data);
1da177e4
LT		 3179 break;
3180
3181 case L2CAP_CONN_REQ:
3182 err = l2cap_connect_req(conn, &cmd, data);
3183 break;
3184
3185 case L2CAP_CONN_RSP:
3186 err = l2cap_connect_rsp(conn, &cmd, data);
3187 break;
3188
3189 case L2CAP_CONF_REQ:
88219a0f 3190 err = l2cap_config_req(conn, &cmd, cmd_len, data);
1da177e4
LT		 3191 break;
3192
3193 case L2CAP_CONF_RSP:
3194 err = l2cap_config_rsp(conn, &cmd, data);
3195 break;
3196
3197 case L2CAP_DISCONN_REQ:
3198 err = l2cap_disconnect_req(conn, &cmd, data);
3199 break;
3200
3201 case L2CAP_DISCONN_RSP:
3202 err = l2cap_disconnect_rsp(conn, &cmd, data);
3203 break;
3204
3205 case L2CAP_ECHO_REQ:
88219a0f 3206 l2cap_send_cmd(conn, cmd.ident, L2CAP_ECHO_RSP, cmd_len, data);
1da177e4
LT		 3207 break;
3208
3209 case L2CAP_ECHO_RSP:
3210 break;
3211
3212 case L2CAP_INFO_REQ:
3213 err = l2cap_information_req(conn, &cmd, data);
3214 break;
3215
3216 case L2CAP_INFO_RSP:
3217 err = l2cap_information_rsp(conn, &cmd, data);
3218 break;
3219
3220 default:
3221 BT_ERR("Unknown signaling command 0x%2.2x", cmd.code);
3222 err = -EINVAL;
3223 break;
3224 }
3225
3226 if (err) {
3227 struct l2cap_cmd_rej rej;
3228 BT_DBG("error %d", err);
3229
3230 /* FIXME: Map err to a valid reason */
aca3192c 3231 rej.reason = cpu_to_le16(0);
1da177e4
LT		 3232 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3233 }
3234
88219a0f
AV		 3235 data += cmd_len;
3236 len -= cmd_len;
1da177e4
LT		 3237 }
3238
3239 kfree_skb(skb);
3240}
3241
fcc203c3
GP		 3242static int l2cap_check_fcs(struct l2cap_pinfo *pi, struct sk_buff *skb)
3243{
3244 u16 our_fcs, rcv_fcs;
3245 int hdr_size = L2CAP_HDR_SIZE + 2;
3246
3247 if (pi->fcs == L2CAP_FCS_CRC16) {
3248 skb_trim(skb, skb->len - 2);
3249 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
3250 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
3251
3252 if (our_fcs != rcv_fcs)
3253 return -EINVAL;
3254 }
3255 return 0;
3256}
3257
d5392c8f
GP		 3258static inline void l2cap_send_i_or_rr_or_rnr(struct sock *sk)
3259{
3260 struct l2cap_pinfo *pi = l2cap_pi(sk);
3261 u16 control = 0;
3262
3263 pi->frames_sent = 0;
3264 pi->conn_state |= L2CAP_CONN_SEND_FBIT;
3265
3266 control |= pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3267
3268 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) {
3269 control |= L2CAP_SUPER_RCV_NOT_READY | L2CAP_CTRL_FINAL;
3270 l2cap_send_sframe(pi, control);
3271 pi->conn_state &= ~L2CAP_CONN_SEND_FBIT;
3272 }
3273
3274 if (pi->conn_state & L2CAP_CONN_REMOTE_BUSY && pi->unacked_frames > 0)
3275 __mod_retrans_timer();
3276
3277 l2cap_ertm_send(sk);
3278
3279 if (!(pi->conn_state & L2CAP_CONN_LOCAL_BUSY) &&
3280 pi->frames_sent == 0) {
3281 control |= L2CAP_SUPER_RCV_READY;
d5392c8f
GP		 3282 l2cap_send_sframe(pi, control);
3283 }
3284}
3285
8f17154f
GP		 3286static void l2cap_add_to_srej_queue(struct sock *sk, struct sk_buff *skb, u8 tx_seq, u8 sar)
3287{
3288 struct sk_buff *next_skb;
3289
3290 bt_cb(skb)->tx_seq = tx_seq;
3291 bt_cb(skb)->sar = sar;
3292
3293 next_skb = skb_peek(SREJ_QUEUE(sk));
3294 if (!next_skb) {
3295 __skb_queue_tail(SREJ_QUEUE(sk), skb);
3296 return;
3297 }
3298
3299 do {
3300 if (bt_cb(next_skb)->tx_seq > tx_seq) {
3301 __skb_queue_before(SREJ_QUEUE(sk), next_skb, skb);
3302 return;
3303 }
3304
3305 if (skb_queue_is_last(SREJ_QUEUE(sk), next_skb))
3306 break;
3307
3308 } while((next_skb = skb_queue_next(SREJ_QUEUE(sk), next_skb)));
3309
3310 __skb_queue_tail(SREJ_QUEUE(sk), skb);
3311}
3312
c74e560c
GP		 3313static int l2cap_sar_reassembly_sdu(struct sock *sk, struct sk_buff *skb, u16 control)
3314{
3315 struct l2cap_pinfo *pi = l2cap_pi(sk);
3316 struct sk_buff *_skb;
3317 int err = -EINVAL;
3318
3319 switch (control & L2CAP_CTRL_SAR) {
3320 case L2CAP_SDU_UNSEGMENTED:
3321 if (pi->conn_state & L2CAP_CONN_SAR_SDU) {
3322 kfree_skb(pi->sdu);
3323 break;
3324 }
3325
3326 err = sock_queue_rcv_skb(sk, skb);
3327 if (!err)
3328 return 0;
3329
3330 break;
3331
3332 case L2CAP_SDU_START:
3333 if (pi->conn_state & L2CAP_CONN_SAR_SDU) {
3334 kfree_skb(pi->sdu);
3335 break;
3336 }
3337
3338 pi->sdu_len = get_unaligned_le16(skb->data);
3339 skb_pull(skb, 2);
3340
3341 pi->sdu = bt_skb_alloc(pi->sdu_len, GFP_ATOMIC);
3342 if (!pi->sdu) {
3343 err = -ENOMEM;
3344 break;
3345 }
3346
3347 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3348
3349 pi->conn_state |= L2CAP_CONN_SAR_SDU;
3350 pi->partial_sdu_len = skb->len;
3351 err = 0;
3352 break;
3353
3354 case L2CAP_SDU_CONTINUE:
3355 if (!(pi->conn_state & L2CAP_CONN_SAR_SDU))
3356 break;
3357
3358 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3359
3360 pi->partial_sdu_len += skb->len;
3361 if (pi->partial_sdu_len > pi->sdu_len)
3362 kfree_skb(pi->sdu);
3363 else
3364 err = 0;
3365
3366 break;
3367
3368 case L2CAP_SDU_END:
3369 if (!(pi->conn_state & L2CAP_CONN_SAR_SDU))
3370 break;
3371
3372 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3373
3374 pi->conn_state &= ~L2CAP_CONN_SAR_SDU;
3375 pi->partial_sdu_len += skb->len;
3376
36f2fd58
GP		 3377 if (pi->partial_sdu_len > pi->imtu)
3378 goto drop;
3379
c74e560c
GP		 3380 if (pi->partial_sdu_len == pi->sdu_len) {
3381 _skb = skb_clone(pi->sdu, GFP_ATOMIC);
3382 err = sock_queue_rcv_skb(sk, _skb);
3383 if (err < 0)
3384 kfree_skb(_skb);
3385 }
c74e560c
GP		 3386 err = 0;
3387
36f2fd58
GP		 3388drop:
3389 kfree_skb(pi->sdu);
c74e560c
GP		 3390 break;
3391 }
3392
3393 kfree_skb(skb);
3394 return err;
3395}
3396
8f17154f
GP		 3397static void l2cap_check_srej_gap(struct sock *sk, u8 tx_seq)
3398{
3399 struct sk_buff *skb;
3400 u16 control = 0;
3401
3402 while((skb = skb_peek(SREJ_QUEUE(sk)))) {
3403 if (bt_cb(skb)->tx_seq != tx_seq)
3404 break;
3405
3406 skb = skb_dequeue(SREJ_QUEUE(sk));
3407 control |= bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
3408 l2cap_sar_reassembly_sdu(sk, skb, control);
3409 l2cap_pi(sk)->buffer_seq_srej =
3410 (l2cap_pi(sk)->buffer_seq_srej + 1) % 64;
3411 tx_seq++;
3412 }
3413}
3414
3415static void l2cap_resend_srejframe(struct sock *sk, u8 tx_seq)
3416{
3417 struct l2cap_pinfo *pi = l2cap_pi(sk);
3418 struct srej_list *l, *tmp;
3419 u16 control;
3420
3421 list_for_each_entry_safe(l,tmp, SREJ_LIST(sk), list) {
3422 if (l->tx_seq == tx_seq) {
3423 list_del(&l->list);
3424 kfree(l);
3425 return;
3426 }
3427 control = L2CAP_SUPER_SELECT_REJECT;
3428 control |= l->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3429 l2cap_send_sframe(pi, control);
3430 list_del(&l->list);
3431 list_add_tail(&l->list, SREJ_LIST(sk));
3432 }
3433}
3434
3435static void l2cap_send_srejframe(struct sock *sk, u8 tx_seq)
3436{
3437 struct l2cap_pinfo *pi = l2cap_pi(sk);
3438 struct srej_list *new;
3439 u16 control;
3440
3441 while (tx_seq != pi->expected_tx_seq) {
3442 control = L2CAP_SUPER_SELECT_REJECT;
3443 control |= pi->expected_tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3444 l2cap_send_sframe(pi, control);
3445
3446 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
3447 new->tx_seq = pi->expected_tx_seq++;
3448 list_add_tail(&new->list, SREJ_LIST(sk));
3449 }
3450 pi->expected_tx_seq++;
3451}
3452
1c2acffb
GP		 3453static inline int l2cap_data_channel_iframe(struct sock *sk, u16 rx_control, struct sk_buff *skb)
3454{
3455 struct l2cap_pinfo *pi = l2cap_pi(sk);
3456 u8 tx_seq = __get_txseq(rx_control);
9f121a5a 3457 u8 req_seq = __get_reqseq(rx_control);
8f17154f 3458 u8 sar = rx_control >> L2CAP_CTRL_SAR_SHIFT;
1c2acffb
GP		 3459 int err = 0;
3460
3461 BT_DBG("sk %p rx_control 0x%4.4x len %d", sk, rx_control, skb->len);
3462
1d8f5d16
GP		 3463 if (L2CAP_CTRL_FINAL & rx_control) {
3464 del_timer(&pi->monitor_timer);
3465 if (pi->unacked_frames > 0)
3466 __mod_retrans_timer();
3467 pi->conn_state &= ~L2CAP_CONN_WAIT_F;
3468 }
3469
9f121a5a
GP		 3470 pi->expected_ack_seq = req_seq;
3471 l2cap_drop_acked_frames(sk);
3472
8f17154f
GP		 3473 if (tx_seq == pi->expected_tx_seq)
3474 goto expected;
1c2acffb 3475
8f17154f
GP		 3476 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
3477 struct srej_list *first;
30afb5b2 3478
8f17154f
GP		 3479 first = list_first_entry(SREJ_LIST(sk),
3480 struct srej_list, list);
3481 if (tx_seq == first->tx_seq) {
3482 l2cap_add_to_srej_queue(sk, skb, tx_seq, sar);
3483 l2cap_check_srej_gap(sk, tx_seq);
3484
3485 list_del(&first->list);
3486 kfree(first);
3487
3488 if (list_empty(SREJ_LIST(sk))) {
3489 pi->buffer_seq = pi->buffer_seq_srej;
3490 pi->conn_state &= ~L2CAP_CONN_SREJ_SENT;
3491 }
3492 } else {
3493 struct srej_list *l;
3494 l2cap_add_to_srej_queue(sk, skb, tx_seq, sar);
3495
3496 list_for_each_entry(l, SREJ_LIST(sk), list) {
3497 if (l->tx_seq == tx_seq) {
3498 l2cap_resend_srejframe(sk, tx_seq);
3499 return 0;
3500 }
3501 }
3502 l2cap_send_srejframe(sk, tx_seq);
30afb5b2
GP		 3503 }
3504 } else {
8f17154f 3505 pi->conn_state |= L2CAP_CONN_SREJ_SENT;
1c2acffb 3506
8f17154f
GP		 3507 INIT_LIST_HEAD(SREJ_LIST(sk));
3508 pi->buffer_seq_srej = pi->buffer_seq;
3509
3510 __skb_queue_head_init(SREJ_QUEUE(sk));
3511 l2cap_add_to_srej_queue(sk, skb, tx_seq, sar);
3512
ef54fd93
GP		 3513 pi->conn_state |= L2CAP_CONN_SEND_PBIT;
3514
8f17154f 3515 l2cap_send_srejframe(sk, tx_seq);
1c2acffb 3516 }
30afb5b2
GP		 3517 return 0;
3518
8f17154f
GP		 3519expected:
3520 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
3521
3522 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
3523 l2cap_add_to_srej_queue(sk, skb, tx_seq, sar);
3524 return 0;
3525 }
3526
4ec10d97
GP		 3527 if (rx_control & L2CAP_CTRL_FINAL) {
3528 if (pi->conn_state & L2CAP_CONN_REJ_ACT)
3529 pi->conn_state &= ~L2CAP_CONN_REJ_ACT;
3530 else {
3531 sk->sk_send_head = TX_QUEUE(sk)->next;
3532 pi->next_tx_seq = pi->expected_ack_seq;
3533 l2cap_ertm_send(sk);
3534 }
3535 }
3536
8f17154f
GP		 3537 pi->buffer_seq = (pi->buffer_seq + 1) % 64;
3538
3539 err = l2cap_sar_reassembly_sdu(sk, skb, rx_control);
3540 if (err < 0)
3541 return err;
3542
c1b4f43b
GP		 3543 __mod_ack_timer();
3544
8f17154f 3545 pi->num_to_ack = (pi->num_to_ack + 1) % L2CAP_DEFAULT_NUM_TO_ACK;
9e917af1
GP		 3546 if (pi->num_to_ack == L2CAP_DEFAULT_NUM_TO_ACK - 1)
3547 l2cap_send_ack(pi);
3548
8f17154f 3549 return 0;
1c2acffb
GP		 3550}
3551
e072745f 3552static inline void l2cap_data_channel_rrframe(struct sock *sk, u16 rx_control)
1c2acffb
GP		 3553{
3554 struct l2cap_pinfo *pi = l2cap_pi(sk);
6e3a5981
GP		 3555
3556 pi->expected_ack_seq = __get_reqseq(rx_control);
3557 l2cap_drop_acked_frames(sk);
1c2acffb 3558
e072745f 3559 if (rx_control & L2CAP_CTRL_POLL) {
05fbd89d
GP		 3560 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
3561 if ((pi->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
3562 (pi->unacked_frames > 0))
3563 __mod_retrans_timer();
3564
3565 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3566 l2cap_send_srejtail(sk);
3567 } else {
3568 l2cap_send_i_or_rr_or_rnr(sk);
3569 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3570 }
1d8f5d16 3571
e072745f
GP		 3572 } else if (rx_control & L2CAP_CTRL_FINAL) {
3573 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
4ec10d97 3574
e072745f
GP		 3575 if (pi->conn_state & L2CAP_CONN_REJ_ACT)
3576 pi->conn_state &= ~L2CAP_CONN_REJ_ACT;
3577 else {
3578 sk->sk_send_head = TX_QUEUE(sk)->next;
3579 pi->next_tx_seq = pi->expected_ack_seq;
3580 l2cap_ertm_send(sk);
3581 }
2246b2f1 3582
e072745f 3583 } else {
e072745f
GP		 3584 if ((pi->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
3585 (pi->unacked_frames > 0))
3586 __mod_retrans_timer();
1c2acffb 3587
2246b2f1 3588 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
e072745f
GP		 3589 if (pi->conn_state & L2CAP_CONN_SREJ_SENT)
3590 l2cap_send_ack(pi);
3591 else
3592 l2cap_ertm_send(sk);
3593 }
3594}
2246b2f1 3595
e072745f
GP		 3596static inline void l2cap_data_channel_rejframe(struct sock *sk, u16 rx_control)
3597{
3598 struct l2cap_pinfo *pi = l2cap_pi(sk);
3599 u8 tx_seq = __get_reqseq(rx_control);
30afb5b2 3600
e072745f
GP		 3601 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3602
8abb52ee 3603 pi->expected_ack_seq = tx_seq;
e072745f
GP		 3604 l2cap_drop_acked_frames(sk);
3605
3606 if (rx_control & L2CAP_CTRL_FINAL) {
3607 if (pi->conn_state & L2CAP_CONN_REJ_ACT)
3608 pi->conn_state &= ~L2CAP_CONN_REJ_ACT;
3609 else {
4ec10d97
GP		 3610 sk->sk_send_head = TX_QUEUE(sk)->next;
3611 pi->next_tx_seq = pi->expected_ack_seq;
3612 l2cap_ertm_send(sk);
4ec10d97 3613 }
e072745f
GP		 3614 } else {
3615 sk->sk_send_head = TX_QUEUE(sk)->next;
3616 pi->next_tx_seq = pi->expected_ack_seq;
3617 l2cap_ertm_send(sk);
30afb5b2 3618
e072745f
GP		 3619 if (pi->conn_state & L2CAP_CONN_WAIT_F) {
3620 pi->srej_save_reqseq = tx_seq;
3621 pi->conn_state |= L2CAP_CONN_REJ_ACT;
3622 }
3623 }
3624}
3625static inline void l2cap_data_channel_srejframe(struct sock *sk, u16 rx_control)
3626{
3627 struct l2cap_pinfo *pi = l2cap_pi(sk);
3628 u8 tx_seq = __get_reqseq(rx_control);
30afb5b2 3629
e072745f 3630 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
2246b2f1 3631
e072745f
GP		 3632 if (rx_control & L2CAP_CTRL_POLL) {
3633 pi->expected_ack_seq = tx_seq;
3634 l2cap_drop_acked_frames(sk);
3635 l2cap_retransmit_frame(sk, tx_seq);
3636 l2cap_ertm_send(sk);
3637 if (pi->conn_state & L2CAP_CONN_WAIT_F) {
3638 pi->srej_save_reqseq = tx_seq;
3639 pi->conn_state |= L2CAP_CONN_SREJ_ACT;
ef54fd93 3640 }
e072745f
GP		 3641 } else if (rx_control & L2CAP_CTRL_FINAL) {
3642 if ((pi->conn_state & L2CAP_CONN_SREJ_ACT) &&
3643 pi->srej_save_reqseq == tx_seq)
3644 pi->conn_state &= ~L2CAP_CONN_SREJ_ACT;
3645 else
ef54fd93 3646 l2cap_retransmit_frame(sk, tx_seq);
e072745f
GP		 3647 } else {
3648 l2cap_retransmit_frame(sk, tx_seq);
3649 if (pi->conn_state & L2CAP_CONN_WAIT_F) {
3650 pi->srej_save_reqseq = tx_seq;
3651 pi->conn_state |= L2CAP_CONN_SREJ_ACT;
ef54fd93 3652 }
e072745f
GP		 3653 }
3654}
3655
3656static inline void l2cap_data_channel_rnrframe(struct sock *sk, u16 rx_control)
3657{
3658 struct l2cap_pinfo *pi = l2cap_pi(sk);
3659 u8 tx_seq = __get_reqseq(rx_control);
3660
3661 pi->conn_state |= L2CAP_CONN_REMOTE_BUSY;
3662 pi->expected_ack_seq = tx_seq;
3663 l2cap_drop_acked_frames(sk);
3664
99b0d4b7
GP		 3665 if (!(pi->conn_state & L2CAP_CONN_SREJ_SENT)) {
3666 del_timer(&pi->retrans_timer);
3667 if (rx_control & L2CAP_CTRL_POLL) {
3668 u16 control = L2CAP_CTRL_FINAL;
3669 l2cap_send_rr_or_rnr(pi, control);
3670 }
3671 return;
e072745f 3672 }
99b0d4b7
GP		 3673
3674 if (rx_control & L2CAP_CTRL_POLL)
3675 l2cap_send_srejtail(sk);
3676 else
3677 l2cap_send_sframe(pi, L2CAP_SUPER_RCV_READY);
e072745f
GP		 3678}
3679
3680static inline int l2cap_data_channel_sframe(struct sock *sk, u16 rx_control, struct sk_buff *skb)
3681{
3682 BT_DBG("sk %p rx_control 0x%4.4x len %d", sk, rx_control, skb->len);
3683
3684 if (L2CAP_CTRL_FINAL & rx_control) {
3685 del_timer(&l2cap_pi(sk)->monitor_timer);
3686 if (l2cap_pi(sk)->unacked_frames > 0)
3687 __mod_retrans_timer();
3688 l2cap_pi(sk)->conn_state &= ~L2CAP_CONN_WAIT_F;
3689 }
3690
3691 switch (rx_control & L2CAP_CTRL_SUPERVISE) {
3692 case L2CAP_SUPER_RCV_READY:
3693 l2cap_data_channel_rrframe(sk, rx_control);
8f17154f
GP		 3694 break;
3695
e072745f
GP		 3696 case L2CAP_SUPER_REJECT:
3697 l2cap_data_channel_rejframe(sk, rx_control);
3698 break;
2246b2f1 3699
e072745f
GP		 3700 case L2CAP_SUPER_SELECT_REJECT:
3701 l2cap_data_channel_srejframe(sk, rx_control);
3702 break;
3703
3704 case L2CAP_SUPER_RCV_NOT_READY:
3705 l2cap_data_channel_rnrframe(sk, rx_control);
1c2acffb
GP		 3706 break;
3707 }
3708
faaebd19 3709 kfree_skb(skb);
1c2acffb
GP		 3710 return 0;
3711}
3712
1da177e4
LT		 3713static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
3714{
3715 struct sock *sk;
6840ed07 3716 struct l2cap_pinfo *pi;
c74e560c 3717 u16 control, len;
6840ed07 3718 u8 tx_seq;
1da177e4
LT		 3719
3720 sk = l2cap_get_chan_by_scid(&conn->chan_list, cid);
3721 if (!sk) {
3722 BT_DBG("unknown cid 0x%4.4x", cid);
3723 goto drop;
3724 }
3725
6840ed07
GP		 3726 pi = l2cap_pi(sk);
3727
1da177e4
LT		 3728 BT_DBG("sk %p, len %d", sk, skb->len);
3729
3730 if (sk->sk_state != BT_CONNECTED)
3731 goto drop;
3732
6840ed07 3733 switch (pi->mode) {
1c2acffb
GP		 3734 case L2CAP_MODE_BASIC:
3735 /* If socket recv buffers overflows we drop data here
3736 * which is *bad* because L2CAP has to be reliable.
3737 * But we don't have any other choice. L2CAP doesn't
3738 * provide flow control mechanism. */
1da177e4 3739
6840ed07 3740 if (pi->imtu < skb->len)
1c2acffb 3741 goto drop;
1da177e4 3742
1c2acffb
GP		 3743 if (!sock_queue_rcv_skb(sk, skb))
3744 goto done;
3745 break;
3746
3747 case L2CAP_MODE_ERTM:
3748 control = get_unaligned_le16(skb->data);
3749 skb_pull(skb, 2);
c74e560c 3750 len = skb->len;
1c2acffb 3751
c74e560c
GP		 3752 if (__is_sar_start(control))
3753 len -= 2;
3754
fcc203c3
GP		 3755 if (pi->fcs == L2CAP_FCS_CRC16)
3756 len -= 2;
3757
30afb5b2
GP		 3758 /*
3759 * We can just drop the corrupted I-frame here.
3760 * Receiver will miss it and start proper recovery
3761 * procedures and ask retransmission.
3762 */
1c762159 3763 if (len > pi->mps)
1c2acffb
GP		 3764 goto drop;
3765
fcc203c3
GP		 3766 if (l2cap_check_fcs(pi, skb))
3767 goto drop;
3768
277ffbe3
GP		 3769 if (__is_iframe(control)) {
3770 if (len < 4)
3771 goto drop;
3772
fcafde2e 3773 l2cap_data_channel_iframe(sk, control, skb);
277ffbe3
GP		 3774 } else {
3775 if (len != 0)
3776 goto drop;
3777
fcafde2e 3778 l2cap_data_channel_sframe(sk, control, skb);
277ffbe3 3779 }
1c2acffb 3780
fcafde2e 3781 goto done;
1c2acffb 3782
6840ed07
GP		 3783 case L2CAP_MODE_STREAMING:
3784 control = get_unaligned_le16(skb->data);
3785 skb_pull(skb, 2);
3786 len = skb->len;
3787
3788 if (__is_sar_start(control))
3789 len -= 2;
3790
fcc203c3
GP		 3791 if (pi->fcs == L2CAP_FCS_CRC16)
3792 len -= 2;
3793
1c762159 3794 if (len > pi->mps || len < 4 || __is_sframe(control))
6840ed07
GP		 3795 goto drop;
3796
fcc203c3
GP		 3797 if (l2cap_check_fcs(pi, skb))
3798 goto drop;
3799
6840ed07
GP		 3800 tx_seq = __get_txseq(control);
3801
3802 if (pi->expected_tx_seq == tx_seq)
3803 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
3804 else
7dffe421 3805 pi->expected_tx_seq = (tx_seq + 1) % 64;
6840ed07 3806
fcafde2e 3807 l2cap_sar_reassembly_sdu(sk, skb, control);
6840ed07
GP		 3808
3809 goto done;
3810
1c2acffb 3811 default:
e8235c6b 3812 BT_DBG("sk %p: bad mode 0x%2.2x", sk, pi->mode);
1c2acffb
GP		 3813 break;
3814 }
1da177e4
LT		 3815
3816drop:
3817 kfree_skb(skb);
3818
3819done:
0139418c
MH		 3820 if (sk)
3821 bh_unlock_sock(sk);
3822
1da177e4
LT		 3823 return 0;
3824}
3825
8e036fc3 3826static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
1da177e4
LT		 3827{
3828 struct sock *sk;
3829
3830 sk = l2cap_get_sock_by_psm(0, psm, conn->src);
3831 if (!sk)
3832 goto drop;
3833
3834 BT_DBG("sk %p, len %d", sk, skb->len);
3835
3836 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_CONNECTED)
3837 goto drop;
3838
3839 if (l2cap_pi(sk)->imtu < skb->len)
3840 goto drop;
3841
3842 if (!sock_queue_rcv_skb(sk, skb))
3843 goto done;
3844
3845drop:
3846 kfree_skb(skb);
3847
3848done:
af05b30b
GP		 3849 if (sk)
3850 bh_unlock_sock(sk);
1da177e4
LT		 3851 return 0;
3852}
3853
3854static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
3855{
3856 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 3857 u16 cid, len;
3858 __le16 psm;
1da177e4
LT		 3859
3860 skb_pull(skb, L2CAP_HDR_SIZE);
3861 cid = __le16_to_cpu(lh->cid);
3862 len = __le16_to_cpu(lh->len);
3863
1c2acffb
GP		 3864 if (len != skb->len) {
3865 kfree_skb(skb);
3866 return;
3867 }
3868
1da177e4
LT		 3869 BT_DBG("len %d, cid 0x%4.4x", len, cid);
3870
3871 switch (cid) {
8db4dc46 3872 case L2CAP_CID_SIGNALING:
1da177e4
LT		 3873 l2cap_sig_channel(conn, skb);
3874 break;
3875
8db4dc46 3876 case L2CAP_CID_CONN_LESS:
1b7bf4ed 3877 psm = get_unaligned_le16(skb->data);
1da177e4
LT		 3878 skb_pull(skb, 2);
3879 l2cap_conless_channel(conn, psm, skb);
3880 break;
3881
3882 default:
3883 l2cap_data_channel(conn, cid, skb);
3884 break;
3885 }
3886}
3887
3888/* ---- L2CAP interface with lower layer (HCI) ---- */
3889
3890static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
3891{
3892 int exact = 0, lm1 = 0, lm2 = 0;
3893 register struct sock *sk;
3894 struct hlist_node *node;
3895
3896 if (type != ACL_LINK)
3897 return 0;
3898
3899 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
3900
3901 /* Find listening sockets and check their link_mode */
3902 read_lock(&l2cap_sk_list.lock);
3903 sk_for_each(sk, node, &l2cap_sk_list.head) {
3904 if (sk->sk_state != BT_LISTEN)
3905 continue;
3906
3907 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5
MH		 3908 lm1 |= HCI_LM_ACCEPT;
3909 if (l2cap_pi(sk)->role_switch)
3910 lm1 |= HCI_LM_MASTER;
1da177e4 3911 exact++;
2af6b9d5
MH		 3912 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
3913 lm2 |= HCI_LM_ACCEPT;
3914 if (l2cap_pi(sk)->role_switch)
3915 lm2 |= HCI_LM_MASTER;
3916 }
1da177e4
LT		 3917 }
3918 read_unlock(&l2cap_sk_list.lock);
3919
3920 return exact ? lm1 : lm2;
3921}
3922
3923static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
3924{
0139418c
MH		 3925 struct l2cap_conn *conn;
3926
1da177e4
LT		 3927 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
3928
3929 if (hcon->type != ACL_LINK)
3930 return 0;
3931
3932 if (!status) {
1da177e4
LT		 3933 conn = l2cap_conn_add(hcon, status);
3934 if (conn)
3935 l2cap_conn_ready(conn);
0139418c 3936 } else
1da177e4
LT		 3937 l2cap_conn_del(hcon, bt_err(status));
3938
3939 return 0;
3940}
3941
2950f21a
MH		 3942static int l2cap_disconn_ind(struct hci_conn *hcon)
3943{
3944 struct l2cap_conn *conn = hcon->l2cap_data;
3945
3946 BT_DBG("hcon %p", hcon);
3947
3948 if (hcon->type != ACL_LINK || !conn)
3949 return 0x13;
3950
3951 return conn->disc_reason;
3952}
3953
3954static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 3955{
3956 BT_DBG("hcon %p reason %d", hcon, reason);
3957
3958 if (hcon->type != ACL_LINK)
3959 return 0;
3960
3961 l2cap_conn_del(hcon, bt_err(reason));
0139418c 3962
1da177e4
LT		 3963 return 0;
3964}
3965
f62e4323
MH		 3966static inline void l2cap_check_encryption(struct sock *sk, u8 encrypt)
3967{
255c7601
MH		 3968 if (sk->sk_type != SOCK_SEQPACKET)
3969 return;
3970
f62e4323
MH		 3971 if (encrypt == 0x00) {
3972 if (l2cap_pi(sk)->sec_level == BT_SECURITY_MEDIUM) {
3973 l2cap_sock_clear_timer(sk);
3974 l2cap_sock_set_timer(sk, HZ * 5);
3975 } else if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
3976 __l2cap_sock_close(sk, ECONNREFUSED);
3977 } else {
3978 if (l2cap_pi(sk)->sec_level == BT_SECURITY_MEDIUM)
3979 l2cap_sock_clear_timer(sk);
3980 }
3981}
3982
8c1b2355 3983static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4
LT		 3984{
3985 struct l2cap_chan_list *l;
0139418c 3986 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4 3987 struct sock *sk;
1da177e4 3988
0139418c 3989 if (!conn)
1da177e4 3990 return 0;
0139418c 3991
1da177e4
LT		 3992 l = &conn->chan_list;
3993
3994 BT_DBG("conn %p", conn);
3995
3996 read_lock(&l->lock);
3997
3998 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
3999 bh_lock_sock(sk);
4000
6a8d3010
MH		 4001 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_CONNECT_PEND) {
4002 bh_unlock_sock(sk);
4003 continue;
4004 }
4005
f62e4323 4006 if (!status && (sk->sk_state == BT_CONNECTED ||
8c1b2355 4007 sk->sk_state == BT_CONFIG)) {
f62e4323 4008 l2cap_check_encryption(sk, encrypt);
9719f8af
MH		 4009 bh_unlock_sock(sk);
4010 continue;
4011 }
4012
b1235d79
MH		 4013 if (sk->sk_state == BT_CONNECT) {
4014 if (!status) {
4015 struct l2cap_conn_req req;
4016 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
4017 req.psm = l2cap_pi(sk)->psm;
1da177e4 4018
b1235d79 4019 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
1da177e4 4020
b1235d79
MH		 4021 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
4022 L2CAP_CONN_REQ, sizeof(req), &req);
4023 } else {
4024 l2cap_sock_clear_timer(sk);
4025 l2cap_sock_set_timer(sk, HZ / 10);
4026 }
4027 } else if (sk->sk_state == BT_CONNECT2) {
4028 struct l2cap_conn_rsp rsp;
4029 __u16 result;
1da177e4 4030
b1235d79
MH		 4031 if (!status) {
4032 sk->sk_state = BT_CONFIG;
4033 result = L2CAP_CR_SUCCESS;
4034 } else {
4035 sk->sk_state = BT_DISCONN;
4036 l2cap_sock_set_timer(sk, HZ / 10);
4037 result = L2CAP_CR_SEC_BLOCK;
4038 }
4039
4040 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
4041 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
4042 rsp.result = cpu_to_le16(result);
e7c29cb1 4043 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
b1235d79
MH		 4044 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
4045 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
4046 }
1da177e4
LT		 4047
4048 bh_unlock_sock(sk);
4049 }
4050
4051 read_unlock(&l->lock);
b1235d79 4052
1da177e4
LT		 4053 return 0;
4054}
4055
4056static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
4057{
4058 struct l2cap_conn *conn = hcon->l2cap_data;
4059
4060 if (!conn && !(conn = l2cap_conn_add(hcon, 0)))
4061 goto drop;
4062
4063 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
4064
4065 if (flags & ACL_START) {
4066 struct l2cap_hdr *hdr;
4067 int len;
4068
4069 if (conn->rx_len) {
4070 BT_ERR("Unexpected start frame (len %d)", skb->len);
4071 kfree_skb(conn->rx_skb);
4072 conn->rx_skb = NULL;
4073 conn->rx_len = 0;
4074 l2cap_conn_unreliable(conn, ECOMM);
4075 }
4076
4077 if (skb->len < 2) {
4078 BT_ERR("Frame is too short (len %d)", skb->len);
4079 l2cap_conn_unreliable(conn, ECOMM);
4080 goto drop;
4081 }
4082
4083 hdr = (struct l2cap_hdr *) skb->data;
4084 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
4085
4086 if (len == skb->len) {
4087 /* Complete frame received */
4088 l2cap_recv_frame(conn, skb);
4089 return 0;
4090 }
4091
4092 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
4093
4094 if (skb->len > len) {
4095 BT_ERR("Frame is too long (len %d, expected len %d)",
4096 skb->len, len);
4097 l2cap_conn_unreliable(conn, ECOMM);
4098 goto drop;
4099 }
4100
4101 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 4102 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
4103 if (!conn->rx_skb)
1da177e4
LT		 4104 goto drop;
4105
d626f62b 4106 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4107 skb->len);
1da177e4
LT		 4108 conn->rx_len = len - skb->len;
4109 } else {
4110 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
4111
4112 if (!conn->rx_len) {
4113 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
4114 l2cap_conn_unreliable(conn, ECOMM);
4115 goto drop;
4116 }
4117
4118 if (skb->len > conn->rx_len) {
4119 BT_ERR("Fragment is too long (len %d, expected %d)",
4120 skb->len, conn->rx_len);
4121 kfree_skb(conn->rx_skb);
4122 conn->rx_skb = NULL;
4123 conn->rx_len = 0;
4124 l2cap_conn_unreliable(conn, ECOMM);
4125 goto drop;
4126 }
4127
d626f62b 4128 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4129 skb->len);
1da177e4
LT		 4130 conn->rx_len -= skb->len;
4131
4132 if (!conn->rx_len) {
4133 /* Complete frame received */
4134 l2cap_recv_frame(conn, conn->rx_skb);
4135 conn->rx_skb = NULL;
4136 }
4137 }
4138
4139drop:
4140 kfree_skb(skb);
4141 return 0;
4142}
4143
aef7d97c 4144static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4
LT		 4145{
4146 struct sock *sk;
4147 struct hlist_node *node;
1da177e4
LT		 4148
4149 read_lock_bh(&l2cap_sk_list.lock);
4150
be9d1227
MH		 4151 sk_for_each(sk, node, &l2cap_sk_list.head) {
4152 struct l2cap_pinfo *pi = l2cap_pi(sk);
101545f6 4153
aef7d97c
MH		 4154 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d\n",
4155 batostr(&bt_sk(sk)->src),
4156 batostr(&bt_sk(sk)->dst),
4157 sk->sk_state, __le16_to_cpu(pi->psm),
4158 pi->scid, pi->dcid,
4159 pi->imtu, pi->omtu, pi->sec_level);
be9d1227 4160 }
1da177e4 4161
1da177e4 4162 read_unlock_bh(&l2cap_sk_list.lock);
1da177e4 4163
aef7d97c 4164 return 0;
1da177e4
LT		 4165}
4166
aef7d97c
MH		 4167static int l2cap_debugfs_open(struct inode *inode, struct file *file)
4168{
4169 return single_open(file, l2cap_debugfs_show, inode->i_private);
4170}
4171
4172static const struct file_operations l2cap_debugfs_fops = {
4173 .open = l2cap_debugfs_open,
4174 .read = seq_read,
4175 .llseek = seq_lseek,
4176 .release = single_release,
4177};
4178
4179static struct dentry *l2cap_debugfs;
1da177e4 4180
90ddc4f0 4181static const struct proto_ops l2cap_sock_ops = {
1da177e4
LT		 4182 .family = PF_BLUETOOTH,
4183 .owner = THIS_MODULE,
4184 .release = l2cap_sock_release,
4185 .bind = l2cap_sock_bind,
4186 .connect = l2cap_sock_connect,
4187 .listen = l2cap_sock_listen,
4188 .accept = l2cap_sock_accept,
4189 .getname = l2cap_sock_getname,
4190 .sendmsg = l2cap_sock_sendmsg,
f66dc81f 4191 .recvmsg = l2cap_sock_recvmsg,
1da177e4 4192 .poll = bt_sock_poll,
3241ad82 4193 .ioctl = bt_sock_ioctl,
1da177e4
LT		 4194 .mmap = sock_no_mmap,
4195 .socketpair = sock_no_socketpair,
1da177e4
LT		 4196 .shutdown = l2cap_sock_shutdown,
4197 .setsockopt = l2cap_sock_setsockopt,
4198 .getsockopt = l2cap_sock_getsockopt
4199};
4200
ec1b4cf7 4201static const struct net_proto_family l2cap_sock_family_ops = {
1da177e4
LT		 4202 .family = PF_BLUETOOTH,
4203 .owner = THIS_MODULE,
4204 .create = l2cap_sock_create,
4205};
4206
4207static struct hci_proto l2cap_hci_proto = {
4208 .name = "L2CAP",
4209 .id = HCI_PROTO_L2CAP,
4210 .connect_ind = l2cap_connect_ind,
4211 .connect_cfm = l2cap_connect_cfm,
4212 .disconn_ind = l2cap_disconn_ind,
2950f21a 4213 .disconn_cfm = l2cap_disconn_cfm,
8c1b2355 4214 .security_cfm = l2cap_security_cfm,
1da177e4
LT		 4215 .recv_acldata = l2cap_recv_acldata
4216};
4217
4218static int __init l2cap_init(void)
4219{
4220 int err;
be9d1227 4221
1da177e4
LT		 4222 err = proto_register(&l2cap_proto, 0);
4223 if (err < 0)
4224 return err;
4225
4226 err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
4227 if (err < 0) {
4228 BT_ERR("L2CAP socket registration failed");
4229 goto error;
4230 }
4231
4232 err = hci_register_proto(&l2cap_hci_proto);
4233 if (err < 0) {
4234 BT_ERR("L2CAP protocol registration failed");
4235 bt_sock_unregister(BTPROTO_L2CAP);
4236 goto error;
4237 }
4238
aef7d97c
MH		 4239 if (bt_debugfs) {
4240 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
4241 bt_debugfs, NULL, &l2cap_debugfs_fops);
4242 if (!l2cap_debugfs)
4243 BT_ERR("Failed to create L2CAP debug file");
4244 }
1da177e4
LT		 4245
4246 BT_INFO("L2CAP ver %s", VERSION);
4247 BT_INFO("L2CAP socket layer initialized");
4248
4249 return 0;
4250
4251error:
4252 proto_unregister(&l2cap_proto);
4253 return err;
4254}
4255
4256static void __exit l2cap_exit(void)
4257{
aef7d97c 4258 debugfs_remove(l2cap_debugfs);
1da177e4
LT		 4259
4260 if (bt_sock_unregister(BTPROTO_L2CAP) < 0)
4261 BT_ERR("L2CAP socket unregistration failed");
4262
4263 if (hci_unregister_proto(&l2cap_hci_proto) < 0)
4264 BT_ERR("L2CAP protocol unregistration failed");
4265
4266 proto_unregister(&l2cap_proto);
4267}
4268
4269void l2cap_load(void)
4270{
4271 /* Dummy function to trigger automatic L2CAP module loading by
4272 * other modules that use L2CAP sockets but don't use any other
4273 * symbols from it. */
4274 return;
4275}
4276EXPORT_SYMBOL(l2cap_load);
4277
4278module_init(l2cap_init);
4279module_exit(l2cap_exit);
4280
44dd46de
MH		 4281module_param(enable_ertm, bool, 0644);
4282MODULE_PARM_DESC(enable_ertm, "Enable enhanced retransmission mode");
4283
5fbcd3d1
MH		 4284module_param(max_transmit, uint, 0644);
4285MODULE_PARM_DESC(max_transmit, "Max transmit value (default = 3)");
4286
63fbd24e 4287MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
1da177e4
LT		 4288MODULE_DESCRIPTION("Bluetooth L2CAP ver " VERSION);
4289MODULE_VERSION(VERSION);
4290MODULE_LICENSE("GPL");
4291MODULE_ALIAS("bt-proto-0");
Linux kernel - Deliverables
This page took 0.778429 seconds and 5 git commands to generate.