]> bbs.cooldavid.org Git - net-next-2.6.git/blame - net/bluetooth/l2cap.c
git://bbs.cooldavid.org / net-next-2.6.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Fix rejected connection not disconnecting ACL link
[net-next-2.6.git] / net / bluetooth / l2cap.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4
5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License version 2 as
9 published by the Free Software Foundation;
10
11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19
8e87d142
YH		 20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 22 SOFTWARE IS DISCLAIMED.
23*/
24
25/* Bluetooth L2CAP core and sockets. */
26
1da177e4
LT		 27#include <linux/module.h>
28
29#include <linux/types.h>
4fc268d2 30#include <linux/capability.h>
1da177e4
LT		 31#include <linux/errno.h>
32#include <linux/kernel.h>
1da177e4
LT		 33#include <linux/sched.h>
34#include <linux/slab.h>
35#include <linux/poll.h>
36#include <linux/fcntl.h>
37#include <linux/init.h>
38#include <linux/interrupt.h>
39#include <linux/socket.h>
40#include <linux/skbuff.h>
1da177e4 41#include <linux/list.h>
be9d1227 42#include <linux/device.h>
af05b30b 43#include <linux/uaccess.h>
fcc203c3 44#include <linux/crc16.h>
1da177e4
LT		 45#include <net/sock.h>
46
47#include <asm/system.h>
1da177e4
LT		 48#include <asm/unaligned.h>
49
50#include <net/bluetooth/bluetooth.h>
51#include <net/bluetooth/hci_core.h>
52#include <net/bluetooth/l2cap.h>
53
44dd46de
MH		 54#define VERSION "2.14"
55
56static int enable_ertm = 0;
f0709e03 57
47ec1dcd 58static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
e1027a7c 59static u8 l2cap_fixed_chan[8] = { 0x02, };
1da177e4 60
90ddc4f0 61static const struct proto_ops l2cap_sock_ops;
1da177e4
LT		 62
63static struct bt_sock_list l2cap_sk_list = {
d5fb2962 64 .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
1da177e4
LT		 65};
66
1da177e4
LT		 67static void __l2cap_sock_close(struct sock *sk, int reason);
68static void l2cap_sock_close(struct sock *sk);
69static void l2cap_sock_kill(struct sock *sk);
70
71static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
72 u8 code, u8 ident, u16 dlen, void *data);
73
74/* ---- L2CAP timers ---- */
75static void l2cap_sock_timeout(unsigned long arg)
76{
77 struct sock *sk = (struct sock *) arg;
b1235d79 78 int reason;
1da177e4
LT		 79
80 BT_DBG("sock %p state %d", sk, sk->sk_state);
81
82 bh_lock_sock(sk);
b1235d79 83
f62e4323
MH		 84 if (sk->sk_state == BT_CONNECTED || sk->sk_state == BT_CONFIG)
85 reason = ECONNREFUSED;
86 else if (sk->sk_state == BT_CONNECT &&
2af6b9d5 87 l2cap_pi(sk)->sec_level != BT_SECURITY_SDP)
b1235d79
MH		 88 reason = ECONNREFUSED;
89 else
90 reason = ETIMEDOUT;
91
92 __l2cap_sock_close(sk, reason);
93
1da177e4
LT		 94 bh_unlock_sock(sk);
95
96 l2cap_sock_kill(sk);
97 sock_put(sk);
98}
99
100static void l2cap_sock_set_timer(struct sock *sk, long timeout)
101{
102 BT_DBG("sk %p state %d timeout %ld", sk, sk->sk_state, timeout);
103 sk_reset_timer(sk, &sk->sk_timer, jiffies + timeout);
104}
105
106static void l2cap_sock_clear_timer(struct sock *sk)
107{
108 BT_DBG("sock %p state %d", sk, sk->sk_state);
109 sk_stop_timer(sk, &sk->sk_timer);
110}
111
0139418c
MH		 112/* ---- L2CAP channels ---- */
113static struct sock *__l2cap_get_chan_by_dcid(struct l2cap_chan_list *l, u16 cid)
114{
115 struct sock *s;
116 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
117 if (l2cap_pi(s)->dcid == cid)
118 break;
119 }
120 return s;
121}
122
123static struct sock *__l2cap_get_chan_by_scid(struct l2cap_chan_list *l, u16 cid)
124{
125 struct sock *s;
126 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
127 if (l2cap_pi(s)->scid == cid)
128 break;
129 }
130 return s;
131}
132
133/* Find channel with given SCID.
134 * Returns locked socket */
135static inline struct sock *l2cap_get_chan_by_scid(struct l2cap_chan_list *l, u16 cid)
136{
137 struct sock *s;
138 read_lock(&l->lock);
139 s = __l2cap_get_chan_by_scid(l, cid);
af05b30b
GP		 140 if (s)
141 bh_lock_sock(s);
0139418c
MH		 142 read_unlock(&l->lock);
143 return s;
144}
145
146static struct sock *__l2cap_get_chan_by_ident(struct l2cap_chan_list *l, u8 ident)
147{
148 struct sock *s;
149 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
150 if (l2cap_pi(s)->ident == ident)
151 break;
152 }
153 return s;
154}
155
156static inline struct sock *l2cap_get_chan_by_ident(struct l2cap_chan_list *l, u8 ident)
157{
158 struct sock *s;
159 read_lock(&l->lock);
160 s = __l2cap_get_chan_by_ident(l, ident);
af05b30b
GP		 161 if (s)
162 bh_lock_sock(s);
0139418c
MH		 163 read_unlock(&l->lock);
164 return s;
165}
166
167static u16 l2cap_alloc_cid(struct l2cap_chan_list *l)
168{
8db4dc46 169 u16 cid = L2CAP_CID_DYN_START;
0139418c 170
8db4dc46 171 for (; cid < L2CAP_CID_DYN_END; cid++) {
af05b30b 172 if (!__l2cap_get_chan_by_scid(l, cid))
0139418c
MH		 173 return cid;
174 }
175
176 return 0;
177}
178
179static inline void __l2cap_chan_link(struct l2cap_chan_list *l, struct sock *sk)
180{
181 sock_hold(sk);
182
183 if (l->head)
184 l2cap_pi(l->head)->prev_c = sk;
185
186 l2cap_pi(sk)->next_c = l->head;
187 l2cap_pi(sk)->prev_c = NULL;
188 l->head = sk;
189}
190
191static inline void l2cap_chan_unlink(struct l2cap_chan_list *l, struct sock *sk)
192{
193 struct sock *next = l2cap_pi(sk)->next_c, *prev = l2cap_pi(sk)->prev_c;
194
fd1278d7 195 write_lock_bh(&l->lock);
0139418c
MH		 196 if (sk == l->head)
197 l->head = next;
198
199 if (next)
200 l2cap_pi(next)->prev_c = prev;
201 if (prev)
202 l2cap_pi(prev)->next_c = next;
fd1278d7 203 write_unlock_bh(&l->lock);
0139418c
MH		 204
205 __sock_put(sk);
206}
207
208static void __l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent)
209{
210 struct l2cap_chan_list *l = &conn->chan_list;
211
af05b30b
GP		 212 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
213 l2cap_pi(sk)->psm, l2cap_pi(sk)->dcid);
0139418c 214
2950f21a
MH		 215 conn->disc_reason = 0x13;
216
0139418c
MH		 217 l2cap_pi(sk)->conn = conn;
218
219 if (sk->sk_type == SOCK_SEQPACKET) {
220 /* Alloc CID for connection-oriented socket */
221 l2cap_pi(sk)->scid = l2cap_alloc_cid(l);
222 } else if (sk->sk_type == SOCK_DGRAM) {
223 /* Connectionless socket */
8db4dc46
GP		 224 l2cap_pi(sk)->scid = L2CAP_CID_CONN_LESS;
225 l2cap_pi(sk)->dcid = L2CAP_CID_CONN_LESS;
0139418c
MH		 226 l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU;
227 } else {
228 /* Raw socket can send/recv signalling messages only */
8db4dc46
GP		 229 l2cap_pi(sk)->scid = L2CAP_CID_SIGNALING;
230 l2cap_pi(sk)->dcid = L2CAP_CID_SIGNALING;
0139418c
MH		 231 l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU;
232 }
233
234 __l2cap_chan_link(l, sk);
235
236 if (parent)
237 bt_accept_enqueue(parent, sk);
238}
239
8e87d142 240/* Delete channel.
0139418c
MH		 241 * Must be called on the locked socket. */
242static void l2cap_chan_del(struct sock *sk, int err)
243{
244 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
245 struct sock *parent = bt_sk(sk)->parent;
246
247 l2cap_sock_clear_timer(sk);
248
249 BT_DBG("sk %p, conn %p, err %d", sk, conn, err);
250
8e87d142 251 if (conn) {
0139418c
MH		 252 /* Unlink from channel list */
253 l2cap_chan_unlink(&conn->chan_list, sk);
254 l2cap_pi(sk)->conn = NULL;
255 hci_conn_put(conn->hcon);
256 }
257
b1235d79 258 sk->sk_state = BT_CLOSED;
0139418c
MH		 259 sock_set_flag(sk, SOCK_ZAPPED);
260
261 if (err)
262 sk->sk_err = err;
263
264 if (parent) {
265 bt_accept_unlink(sk);
266 parent->sk_data_ready(parent, 0);
267 } else
268 sk->sk_state_change(sk);
269}
270
79d554a6 271/* Service level security */
2af6b9d5 272static inline int l2cap_check_security(struct sock *sk)
79d554a6
MH		 273{
274 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
0684e5f9
MH		 275 __u8 auth_type;
276
00ae4af9
MH		 277 if (l2cap_pi(sk)->psm == cpu_to_le16(0x0001)) {
278 if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
279 auth_type = HCI_AT_NO_BONDING_MITM;
280 else
af05b30b 281 auth_type = HCI_AT_NO_BONDING;
00ae4af9
MH		 282
283 if (l2cap_pi(sk)->sec_level == BT_SECURITY_LOW)
284 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
285 } else {
286 switch (l2cap_pi(sk)->sec_level) {
287 case BT_SECURITY_HIGH:
288 auth_type = HCI_AT_GENERAL_BONDING_MITM;
289 break;
290 case BT_SECURITY_MEDIUM:
291 auth_type = HCI_AT_GENERAL_BONDING;
292 break;
293 default:
294 auth_type = HCI_AT_NO_BONDING;
295 break;
296 }
0684e5f9 297 }
79d554a6 298
0684e5f9
MH		 299 return hci_conn_security(conn->hcon, l2cap_pi(sk)->sec_level,
300 auth_type);
79d554a6
MH		 301}
302
4e8402a3
MH		 303static inline u8 l2cap_get_ident(struct l2cap_conn *conn)
304{
305 u8 id;
306
307 /* Get next available identificator.
308 * 1 - 128 are used by kernel.
309 * 129 - 199 are reserved.
310 * 200 - 254 are used by utilities like l2ping, etc.
311 */
312
313 spin_lock_bh(&conn->lock);
314
315 if (++conn->tx_ident > 128)
316 conn->tx_ident = 1;
317
318 id = conn->tx_ident;
319
320 spin_unlock_bh(&conn->lock);
321
322 return id;
323}
324
325static inline int l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
326{
327 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
328
329 BT_DBG("code 0x%2.2x", code);
330
331 if (!skb)
332 return -ENOMEM;
333
334 return hci_send_acl(conn->hcon, skb, 0);
335}
336
1c2acffb
GP		 337static inline int l2cap_send_sframe(struct l2cap_pinfo *pi, u16 control)
338{
339 struct sk_buff *skb;
340 struct l2cap_hdr *lh;
341 struct l2cap_conn *conn = pi->conn;
fcc203c3
GP		 342 int count, hlen = L2CAP_HDR_SIZE + 2;
343
344 if (pi->fcs == L2CAP_FCS_CRC16)
345 hlen += 2;
1c2acffb
GP		 346
347 BT_DBG("pi %p, control 0x%2.2x", pi, control);
348
fcc203c3 349 count = min_t(unsigned int, conn->mtu, hlen);
1c2acffb
GP		 350 control |= L2CAP_CTRL_FRAME_TYPE;
351
352 skb = bt_skb_alloc(count, GFP_ATOMIC);
353 if (!skb)
354 return -ENOMEM;
355
356 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fcc203c3 357 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
1c2acffb
GP		 358 lh->cid = cpu_to_le16(pi->dcid);
359 put_unaligned_le16(control, skb_put(skb, 2));
360
fcc203c3
GP		 361 if (pi->fcs == L2CAP_FCS_CRC16) {
362 u16 fcs = crc16(0, (u8 *)lh, count - 2);
363 put_unaligned_le16(fcs, skb_put(skb, 2));
364 }
365
1c2acffb
GP		 366 return hci_send_acl(pi->conn->hcon, skb, 0);
367}
368
79d554a6
MH		 369static void l2cap_do_start(struct sock *sk)
370{
371 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
372
373 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 374 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
375 return;
376
2af6b9d5 377 if (l2cap_check_security(sk)) {
b1235d79
MH		 378 struct l2cap_conn_req req;
379 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
380 req.psm = l2cap_pi(sk)->psm;
79d554a6 381
b1235d79 382 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
79d554a6 383
b1235d79 384 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
79d554a6 385 L2CAP_CONN_REQ, sizeof(req), &req);
b1235d79 386 }
79d554a6
MH		 387 } else {
388 struct l2cap_info_req req;
389 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
390
391 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
392 conn->info_ident = l2cap_get_ident(conn);
393
394 mod_timer(&conn->info_timer, jiffies +
395 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
396
397 l2cap_send_cmd(conn, conn->info_ident,
398 L2CAP_INFO_REQ, sizeof(req), &req);
399 }
400}
401
22121fc9
GP		 402static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct sock *sk)
403{
404 struct l2cap_disconn_req req;
405
406 req.dcid = cpu_to_le16(l2cap_pi(sk)->dcid);
407 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
408 l2cap_send_cmd(conn, l2cap_get_ident(conn),
409 L2CAP_DISCONN_REQ, sizeof(req), &req);
410}
411
1da177e4 412/* ---- L2CAP connections ---- */
4e8402a3
MH		 413static void l2cap_conn_start(struct l2cap_conn *conn)
414{
415 struct l2cap_chan_list *l = &conn->chan_list;
416 struct sock *sk;
417
418 BT_DBG("conn %p", conn);
419
420 read_lock(&l->lock);
421
422 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
423 bh_lock_sock(sk);
424
425 if (sk->sk_type != SOCK_SEQPACKET) {
79d554a6
MH		 426 bh_unlock_sock(sk);
427 continue;
428 }
429
430 if (sk->sk_state == BT_CONNECT) {
2af6b9d5 431 if (l2cap_check_security(sk)) {
b1235d79
MH		 432 struct l2cap_conn_req req;
433 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
434 req.psm = l2cap_pi(sk)->psm;
79d554a6 435
b1235d79 436 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
79d554a6 437
b1235d79 438 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
4e8402a3 439 L2CAP_CONN_REQ, sizeof(req), &req);
b1235d79 440 }
79d554a6
MH		 441 } else if (sk->sk_state == BT_CONNECT2) {
442 struct l2cap_conn_rsp rsp;
443 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
444 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
445
2af6b9d5 446 if (l2cap_check_security(sk)) {
f66dc81f
MH		 447 if (bt_sk(sk)->defer_setup) {
448 struct sock *parent = bt_sk(sk)->parent;
449 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
450 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
451 parent->sk_data_ready(parent, 0);
452
453 } else {
454 sk->sk_state = BT_CONFIG;
455 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
456 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
457 }
79d554a6
MH		 458 } else {
459 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
460 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
461 }
462
463 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
464 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
4e8402a3
MH		 465 }
466
467 bh_unlock_sock(sk);
468 }
469
470 read_unlock(&l->lock);
471}
472
473static void l2cap_conn_ready(struct l2cap_conn *conn)
474{
79d554a6
MH		 475 struct l2cap_chan_list *l = &conn->chan_list;
476 struct sock *sk;
4e8402a3 477
79d554a6 478 BT_DBG("conn %p", conn);
4e8402a3 479
79d554a6 480 read_lock(&l->lock);
4e8402a3 481
79d554a6
MH		 482 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
483 bh_lock_sock(sk);
4e8402a3 484
79d554a6
MH		 485 if (sk->sk_type != SOCK_SEQPACKET) {
486 l2cap_sock_clear_timer(sk);
487 sk->sk_state = BT_CONNECTED;
488 sk->sk_state_change(sk);
489 } else if (sk->sk_state == BT_CONNECT)
490 l2cap_do_start(sk);
4e8402a3 491
79d554a6 492 bh_unlock_sock(sk);
4e8402a3 493 }
79d554a6
MH		 494
495 read_unlock(&l->lock);
4e8402a3
MH		 496}
497
498/* Notify sockets that we cannot guaranty reliability anymore */
499static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
500{
501 struct l2cap_chan_list *l = &conn->chan_list;
502 struct sock *sk;
503
504 BT_DBG("conn %p", conn);
505
506 read_lock(&l->lock);
507
508 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
2af6b9d5 509 if (l2cap_pi(sk)->force_reliable)
4e8402a3
MH		 510 sk->sk_err = err;
511 }
512
513 read_unlock(&l->lock);
514}
515
516static void l2cap_info_timeout(unsigned long arg)
517{
518 struct l2cap_conn *conn = (void *) arg;
519
984947dc 520 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 521 conn->info_ident = 0;
984947dc 522
4e8402a3
MH		 523 l2cap_conn_start(conn);
524}
525
1da177e4
LT		 526static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
527{
0139418c 528 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4 529
0139418c 530 if (conn || status)
1da177e4
LT		 531 return conn;
532
0139418c
MH		 533 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
534 if (!conn)
1da177e4 535 return NULL;
1da177e4
LT		 536
537 hcon->l2cap_data = conn;
538 conn->hcon = hcon;
539
0139418c
MH		 540 BT_DBG("hcon %p conn %p", hcon, conn);
541
1da177e4
LT		 542 conn->mtu = hcon->hdev->acl_mtu;
543 conn->src = &hcon->hdev->bdaddr;
544 conn->dst = &hcon->dst;
545
4e8402a3
MH		 546 conn->feat_mask = 0;
547
b1235d79
MH		 548 setup_timer(&conn->info_timer, l2cap_info_timeout,
549 (unsigned long) conn);
4e8402a3 550
1da177e4
LT		 551 spin_lock_init(&conn->lock);
552 rwlock_init(&conn->chan_list.lock);
553
2950f21a
MH		 554 conn->disc_reason = 0x13;
555
1da177e4
LT		 556 return conn;
557}
558
0139418c 559static void l2cap_conn_del(struct hci_conn *hcon, int err)
1da177e4 560{
0139418c 561 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4
LT		 562 struct sock *sk;
563
0139418c
MH		 564 if (!conn)
565 return;
1da177e4
LT		 566
567 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
568
7585b97a 569 kfree_skb(conn->rx_skb);
1da177e4
LT		 570
571 /* Kill channels */
572 while ((sk = conn->chan_list.head)) {
573 bh_lock_sock(sk);
574 l2cap_chan_del(sk, err);
575 bh_unlock_sock(sk);
576 l2cap_sock_kill(sk);
577 }
578
8e8440f5
DY		 579 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
580 del_timer_sync(&conn->info_timer);
3ab22731 581
1da177e4
LT		 582 hcon->l2cap_data = NULL;
583 kfree(conn);
1da177e4
LT		 584}
585
586static inline void l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent)
587{
588 struct l2cap_chan_list *l = &conn->chan_list;
fd1278d7 589 write_lock_bh(&l->lock);
1da177e4 590 __l2cap_chan_add(conn, sk, parent);
fd1278d7 591 write_unlock_bh(&l->lock);
1da177e4
LT		 592}
593
1da177e4 594/* ---- Socket interface ---- */
8e036fc3 595static struct sock *__l2cap_get_sock_by_addr(__le16 psm, bdaddr_t *src)
1da177e4
LT		 596{
597 struct sock *sk;
598 struct hlist_node *node;
599 sk_for_each(sk, node, &l2cap_sk_list.head)
600 if (l2cap_pi(sk)->sport == psm && !bacmp(&bt_sk(sk)->src, src))
601 goto found;
602 sk = NULL;
603found:
604 return sk;
605}
606
607/* Find socket with psm and source bdaddr.
608 * Returns closest match.
609 */
8e036fc3 610static struct sock *__l2cap_get_sock_by_psm(int state, __le16 psm, bdaddr_t *src)
1da177e4
LT		 611{
612 struct sock *sk = NULL, *sk1 = NULL;
613 struct hlist_node *node;
614
615 sk_for_each(sk, node, &l2cap_sk_list.head) {
616 if (state && sk->sk_state != state)
617 continue;
618
619 if (l2cap_pi(sk)->psm == psm) {
620 /* Exact match. */
621 if (!bacmp(&bt_sk(sk)->src, src))
622 break;
623
624 /* Closest match */
625 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
626 sk1 = sk;
627 }
628 }
629 return node ? sk : sk1;
630}
631
632/* Find socket with given address (psm, src).
633 * Returns locked socket */
8e036fc3 634static inline struct sock *l2cap_get_sock_by_psm(int state, __le16 psm, bdaddr_t *src)
1da177e4
LT		 635{
636 struct sock *s;
637 read_lock(&l2cap_sk_list.lock);
638 s = __l2cap_get_sock_by_psm(state, psm, src);
af05b30b
GP		 639 if (s)
640 bh_lock_sock(s);
1da177e4
LT		 641 read_unlock(&l2cap_sk_list.lock);
642 return s;
643}
644
645static void l2cap_sock_destruct(struct sock *sk)
646{
647 BT_DBG("sk %p", sk);
648
649 skb_queue_purge(&sk->sk_receive_queue);
650 skb_queue_purge(&sk->sk_write_queue);
651}
652
653static void l2cap_sock_cleanup_listen(struct sock *parent)
654{
655 struct sock *sk;
656
657 BT_DBG("parent %p", parent);
658
659 /* Close not yet accepted channels */
660 while ((sk = bt_accept_dequeue(parent, NULL)))
661 l2cap_sock_close(sk);
662
b1235d79 663 parent->sk_state = BT_CLOSED;
1da177e4
LT		 664 sock_set_flag(parent, SOCK_ZAPPED);
665}
666
667/* Kill socket (only if zapped and orphan)
668 * Must be called on unlocked socket.
669 */
670static void l2cap_sock_kill(struct sock *sk)
671{
672 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
673 return;
674
675 BT_DBG("sk %p state %d", sk, sk->sk_state);
676
677 /* Kill poor orphan */
678 bt_sock_unlink(&l2cap_sk_list, sk);
679 sock_set_flag(sk, SOCK_DEAD);
680 sock_put(sk);
681}
682
683static void __l2cap_sock_close(struct sock *sk, int reason)
684{
685 BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
686
687 switch (sk->sk_state) {
688 case BT_LISTEN:
689 l2cap_sock_cleanup_listen(sk);
690 break;
691
692 case BT_CONNECTED:
693 case BT_CONFIG:
1da177e4
LT		 694 if (sk->sk_type == SOCK_SEQPACKET) {
695 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1da177e4
LT		 696
697 sk->sk_state = BT_DISCONN;
698 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
22121fc9 699 l2cap_send_disconn_req(conn, sk);
b1235d79 700 } else
1da177e4 701 l2cap_chan_del(sk, reason);
1da177e4
LT		 702 break;
703
f66dc81f
MH		 704 case BT_CONNECT2:
705 if (sk->sk_type == SOCK_SEQPACKET) {
706 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
707 struct l2cap_conn_rsp rsp;
708 __u16 result;
709
710 if (bt_sk(sk)->defer_setup)
711 result = L2CAP_CR_SEC_BLOCK;
712 else
713 result = L2CAP_CR_BAD_PSM;
714
715 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
716 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
717 rsp.result = cpu_to_le16(result);
718 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
719 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
720 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
721 } else
722 l2cap_chan_del(sk, reason);
723 break;
724
1da177e4
LT		 725 case BT_CONNECT:
726 case BT_DISCONN:
727 l2cap_chan_del(sk, reason);
728 break;
729
730 default:
731 sock_set_flag(sk, SOCK_ZAPPED);
732 break;
733 }
734}
735
736/* Must be called on unlocked socket. */
737static void l2cap_sock_close(struct sock *sk)
738{
739 l2cap_sock_clear_timer(sk);
740 lock_sock(sk);
741 __l2cap_sock_close(sk, ECONNRESET);
742 release_sock(sk);
743 l2cap_sock_kill(sk);
744}
745
746static void l2cap_sock_init(struct sock *sk, struct sock *parent)
747{
748 struct l2cap_pinfo *pi = l2cap_pi(sk);
749
750 BT_DBG("sk %p", sk);
751
752 if (parent) {
753 sk->sk_type = parent->sk_type;
f66dc81f
MH		 754 bt_sk(sk)->defer_setup = bt_sk(parent)->defer_setup;
755
1da177e4
LT		 756 pi->imtu = l2cap_pi(parent)->imtu;
757 pi->omtu = l2cap_pi(parent)->omtu;
c6b03cf9
MH		 758 pi->mode = l2cap_pi(parent)->mode;
759 pi->fcs = l2cap_pi(parent)->fcs;
2af6b9d5
MH		 760 pi->sec_level = l2cap_pi(parent)->sec_level;
761 pi->role_switch = l2cap_pi(parent)->role_switch;
762 pi->force_reliable = l2cap_pi(parent)->force_reliable;
1da177e4
LT		 763 } else {
764 pi->imtu = L2CAP_DEFAULT_MTU;
765 pi->omtu = 0;
c6b03cf9
MH		 766 pi->mode = L2CAP_MODE_BASIC;
767 pi->fcs = L2CAP_FCS_CRC16;
2af6b9d5
MH		 768 pi->sec_level = BT_SECURITY_LOW;
769 pi->role_switch = 0;
770 pi->force_reliable = 0;
1da177e4
LT		 771 }
772
773 /* Default config options */
5dee9e7c 774 pi->conf_len = 0;
1da177e4
LT		 775 pi->flush_to = L2CAP_DEFAULT_FLUSH_TO;
776}
777
778static struct proto l2cap_proto = {
779 .name = "L2CAP",
780 .owner = THIS_MODULE,
781 .obj_size = sizeof(struct l2cap_pinfo)
782};
783
1b8d7ae4 784static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio)
1da177e4
LT		 785{
786 struct sock *sk;
787
6257ff21 788 sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto);
1da177e4
LT		 789 if (!sk)
790 return NULL;
791
792 sock_init_data(sock, sk);
793 INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
794
795 sk->sk_destruct = l2cap_sock_destruct;
4e8402a3 796 sk->sk_sndtimeo = msecs_to_jiffies(L2CAP_CONN_TIMEOUT);
1da177e4
LT		 797
798 sock_reset_flag(sk, SOCK_ZAPPED);
799
800 sk->sk_protocol = proto;
b1235d79 801 sk->sk_state = BT_OPEN;
1da177e4 802
b1235d79 803 setup_timer(&sk->sk_timer, l2cap_sock_timeout, (unsigned long) sk);
1da177e4
LT		 804
805 bt_sock_link(&l2cap_sk_list, sk);
806 return sk;
807}
808
1b8d7ae4 809static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol)
1da177e4
LT		 810{
811 struct sock *sk;
812
813 BT_DBG("sock %p", sock);
814
815 sock->state = SS_UNCONNECTED;
816
817 if (sock->type != SOCK_SEQPACKET &&
818 sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
819 return -ESOCKTNOSUPPORT;
820
821 if (sock->type == SOCK_RAW && !capable(CAP_NET_RAW))
822 return -EPERM;
823
824 sock->ops = &l2cap_sock_ops;
825
1b8d7ae4 826 sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC);
1da177e4
LT		 827 if (!sk)
828 return -ENOMEM;
829
830 l2cap_sock_init(sk, NULL);
831 return 0;
832}
833
f29972de 834static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
1da177e4 835{
1da177e4 836 struct sock *sk = sock->sk;
f29972de
MH		 837 struct sockaddr_l2 la;
838 int len, err = 0;
1da177e4 839
f29972de 840 BT_DBG("sk %p", sk);
1da177e4
LT		 841
842 if (!addr || addr->sa_family != AF_BLUETOOTH)
843 return -EINVAL;
844
f29972de
MH		 845 memset(&la, 0, sizeof(la));
846 len = min_t(unsigned int, sizeof(la), alen);
847 memcpy(&la, addr, len);
848
2a517ca6
MH		 849 if (la.l2_cid)
850 return -EINVAL;
851
1da177e4
LT		 852 lock_sock(sk);
853
854 if (sk->sk_state != BT_OPEN) {
855 err = -EBADFD;
856 goto done;
857 }
858
b4324b5d 859 if (la.l2_psm && __le16_to_cpu(la.l2_psm) < 0x1001 &&
847641d7
MH		 860 !capable(CAP_NET_BIND_SERVICE)) {
861 err = -EACCES;
862 goto done;
863 }
8e87d142 864
1da177e4
LT		 865 write_lock_bh(&l2cap_sk_list.lock);
866
f29972de 867 if (la.l2_psm && __l2cap_get_sock_by_addr(la.l2_psm, &la.l2_bdaddr)) {
1da177e4
LT		 868 err = -EADDRINUSE;
869 } else {
870 /* Save source address */
f29972de
MH		 871 bacpy(&bt_sk(sk)->src, &la.l2_bdaddr);
872 l2cap_pi(sk)->psm = la.l2_psm;
873 l2cap_pi(sk)->sport = la.l2_psm;
1da177e4 874 sk->sk_state = BT_BOUND;
2af6b9d5 875
b4324b5d
MH		 876 if (__le16_to_cpu(la.l2_psm) == 0x0001 ||
877 __le16_to_cpu(la.l2_psm) == 0x0003)
2af6b9d5 878 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
1da177e4
LT		 879 }
880
881 write_unlock_bh(&l2cap_sk_list.lock);
882
883done:
884 release_sock(sk);
885 return err;
886}
887
888static int l2cap_do_connect(struct sock *sk)
889{
890 bdaddr_t *src = &bt_sk(sk)->src;
891 bdaddr_t *dst = &bt_sk(sk)->dst;
892 struct l2cap_conn *conn;
893 struct hci_conn *hcon;
894 struct hci_dev *hdev;
09ab6f4c 895 __u8 auth_type;
44d0e48e 896 int err;
1da177e4 897
f29972de
MH		 898 BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
899 l2cap_pi(sk)->psm);
1da177e4 900
af05b30b
GP		 901 hdev = hci_get_route(dst, src);
902 if (!hdev)
1da177e4
LT		 903 return -EHOSTUNREACH;
904
905 hci_dev_lock_bh(hdev);
906
907 err = -ENOMEM;
908
8c1b2355 909 if (sk->sk_type == SOCK_RAW) {
2af6b9d5
MH		 910 switch (l2cap_pi(sk)->sec_level) {
911 case BT_SECURITY_HIGH:
8c1b2355 912 auth_type = HCI_AT_DEDICATED_BONDING_MITM;
2af6b9d5
MH		 913 break;
914 case BT_SECURITY_MEDIUM:
8c1b2355 915 auth_type = HCI_AT_DEDICATED_BONDING;
2af6b9d5
MH		 916 break;
917 default:
09ab6f4c 918 auth_type = HCI_AT_NO_BONDING;
2af6b9d5
MH		 919 break;
920 }
8c1b2355 921 } else if (l2cap_pi(sk)->psm == cpu_to_le16(0x0001)) {
2af6b9d5 922 if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
8c1b2355 923 auth_type = HCI_AT_NO_BONDING_MITM;
09ab6f4c 924 else
8c1b2355 925 auth_type = HCI_AT_NO_BONDING;
435fef20
MH		 926
927 if (l2cap_pi(sk)->sec_level == BT_SECURITY_LOW)
928 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
8c1b2355 929 } else {
2af6b9d5
MH		 930 switch (l2cap_pi(sk)->sec_level) {
931 case BT_SECURITY_HIGH:
8c1b2355 932 auth_type = HCI_AT_GENERAL_BONDING_MITM;
2af6b9d5
MH		 933 break;
934 case BT_SECURITY_MEDIUM:
09ab6f4c 935 auth_type = HCI_AT_GENERAL_BONDING;
2af6b9d5
MH		 936 break;
937 default:
8c1b2355 938 auth_type = HCI_AT_NO_BONDING;
2af6b9d5
MH		 939 break;
940 }
09ab6f4c
MH		 941 }
942
2af6b9d5
MH		 943 hcon = hci_connect(hdev, ACL_LINK, dst,
944 l2cap_pi(sk)->sec_level, auth_type);
1da177e4
LT		 945 if (!hcon)
946 goto done;
947
948 conn = l2cap_conn_add(hcon, 0);
949 if (!conn) {
950 hci_conn_put(hcon);
951 goto done;
952 }
953
954 err = 0;
955
956 /* Update source addr of the socket */
957 bacpy(src, conn->src);
958
959 l2cap_chan_add(conn, sk, NULL);
960
961 sk->sk_state = BT_CONNECT;
962 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
963
964 if (hcon->state == BT_CONNECTED) {
79d554a6 965 if (sk->sk_type != SOCK_SEQPACKET) {
1da177e4
LT		 966 l2cap_sock_clear_timer(sk);
967 sk->sk_state = BT_CONNECTED;
79d554a6
MH		 968 } else
969 l2cap_do_start(sk);
1da177e4
LT		 970 }
971
972done:
973 hci_dev_unlock_bh(hdev);
974 hci_dev_put(hdev);
975 return err;
976}
977
978static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags)
979{
1da177e4 980 struct sock *sk = sock->sk;
f29972de
MH		 981 struct sockaddr_l2 la;
982 int len, err = 0;
1da177e4 983
1da177e4
LT		 984 BT_DBG("sk %p", sk);
985
2a517ca6
MH		 986 if (!addr || addr->sa_family != AF_BLUETOOTH)
987 return -EINVAL;
1da177e4 988
f29972de
MH		 989 memset(&la, 0, sizeof(la));
990 len = min_t(unsigned int, sizeof(la), alen);
991 memcpy(&la, addr, len);
992
2a517ca6
MH		 993 if (la.l2_cid)
994 return -EINVAL;
995
996 lock_sock(sk);
997
f29972de 998 if (sk->sk_type == SOCK_SEQPACKET && !la.l2_psm) {
1da177e4
LT		 999 err = -EINVAL;
1000 goto done;
1001 }
1002
c6b03cf9
MH		 1003 switch (l2cap_pi(sk)->mode) {
1004 case L2CAP_MODE_BASIC:
1005 break;
1006 case L2CAP_MODE_ERTM:
f2fcfcd6 1007 case L2CAP_MODE_STREAMING:
c6b03cf9
MH		 1008 if (enable_ertm)
1009 break;
1010 /* fall through */
1011 default:
1012 err = -ENOTSUPP;
1013 goto done;
1014 }
1015
af05b30b 1016 switch (sk->sk_state) {
1da177e4
LT		 1017 case BT_CONNECT:
1018 case BT_CONNECT2:
1019 case BT_CONFIG:
1020 /* Already connecting */
1021 goto wait;
1022
1023 case BT_CONNECTED:
1024 /* Already connected */
1025 goto done;
1026
1027 case BT_OPEN:
1028 case BT_BOUND:
1029 /* Can connect */
1030 break;
1031
1032 default:
1033 err = -EBADFD;
1034 goto done;
1035 }
1036
1037 /* Set destination address and psm */
f29972de
MH		 1038 bacpy(&bt_sk(sk)->dst, &la.l2_bdaddr);
1039 l2cap_pi(sk)->psm = la.l2_psm;
1da177e4 1040
af05b30b
GP		 1041 err = l2cap_do_connect(sk);
1042 if (err)
1da177e4
LT		 1043 goto done;
1044
1045wait:
1046 err = bt_sock_wait_state(sk, BT_CONNECTED,
1047 sock_sndtimeo(sk, flags & O_NONBLOCK));
1048done:
1049 release_sock(sk);
1050 return err;
1051}
1052
1053static int l2cap_sock_listen(struct socket *sock, int backlog)
1054{
1055 struct sock *sk = sock->sk;
1056 int err = 0;
1057
1058 BT_DBG("sk %p backlog %d", sk, backlog);
1059
1060 lock_sock(sk);
1061
1062 if (sk->sk_state != BT_BOUND || sock->type != SOCK_SEQPACKET) {
1063 err = -EBADFD;
1064 goto done;
1065 }
1066
c6b03cf9
MH		 1067 switch (l2cap_pi(sk)->mode) {
1068 case L2CAP_MODE_BASIC:
1069 break;
1070 case L2CAP_MODE_ERTM:
f2fcfcd6 1071 case L2CAP_MODE_STREAMING:
c6b03cf9
MH		 1072 if (enable_ertm)
1073 break;
1074 /* fall through */
1075 default:
1076 err = -ENOTSUPP;
1077 goto done;
1078 }
1079
1da177e4
LT		 1080 if (!l2cap_pi(sk)->psm) {
1081 bdaddr_t *src = &bt_sk(sk)->src;
1082 u16 psm;
1083
1084 err = -EINVAL;
1085
1086 write_lock_bh(&l2cap_sk_list.lock);
1087
1088 for (psm = 0x1001; psm < 0x1100; psm += 2)
b4324b5d
MH		 1089 if (!__l2cap_get_sock_by_addr(cpu_to_le16(psm), src)) {
1090 l2cap_pi(sk)->psm = cpu_to_le16(psm);
1091 l2cap_pi(sk)->sport = cpu_to_le16(psm);
1da177e4
LT		 1092 err = 0;
1093 break;
1094 }
1095
1096 write_unlock_bh(&l2cap_sk_list.lock);
1097
1098 if (err < 0)
1099 goto done;
1100 }
1101
1102 sk->sk_max_ack_backlog = backlog;
1103 sk->sk_ack_backlog = 0;
1104 sk->sk_state = BT_LISTEN;
1105
1106done:
1107 release_sock(sk);
1108 return err;
1109}
1110
1111static int l2cap_sock_accept(struct socket *sock, struct socket *newsock, int flags)
1112{
1113 DECLARE_WAITQUEUE(wait, current);
1114 struct sock *sk = sock->sk, *nsk;
1115 long timeo;
1116 int err = 0;
1117
fcc70d5f 1118 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
1da177e4
LT		 1119
1120 if (sk->sk_state != BT_LISTEN) {
1121 err = -EBADFD;
1122 goto done;
1123 }
1124
1125 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
1126
1127 BT_DBG("sk %p timeo %ld", sk, timeo);
1128
1129 /* Wait for an incoming connection. (wake-one). */
1130 add_wait_queue_exclusive(sk->sk_sleep, &wait);
1131 while (!(nsk = bt_accept_dequeue(sk, newsock))) {
1132 set_current_state(TASK_INTERRUPTIBLE);
1133 if (!timeo) {
1134 err = -EAGAIN;
1135 break;
1136 }
1137
1138 release_sock(sk);
1139 timeo = schedule_timeout(timeo);
fcc70d5f 1140 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
1da177e4
LT		 1141
1142 if (sk->sk_state != BT_LISTEN) {
1143 err = -EBADFD;
1144 break;
1145 }
1146
1147 if (signal_pending(current)) {
1148 err = sock_intr_errno(timeo);
1149 break;
1150 }
1151 }
1152 set_current_state(TASK_RUNNING);
1153 remove_wait_queue(sk->sk_sleep, &wait);
1154
1155 if (err)
1156 goto done;
1157
1158 newsock->state = SS_CONNECTED;
1159
1160 BT_DBG("new socket %p", nsk);
1161
1162done:
1163 release_sock(sk);
1164 return err;
1165}
1166
1167static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr, int *len, int peer)
1168{
1169 struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
1170 struct sock *sk = sock->sk;
1171
1172 BT_DBG("sock %p, sk %p", sock, sk);
1173
1174 addr->sa_family = AF_BLUETOOTH;
1175 *len = sizeof(struct sockaddr_l2);
1176
f29972de
MH		 1177 if (peer) {
1178 la->l2_psm = l2cap_pi(sk)->psm;
1da177e4 1179 bacpy(&la->l2_bdaddr, &bt_sk(sk)->dst);
b4324b5d 1180 la->l2_cid = cpu_to_le16(l2cap_pi(sk)->dcid);
f29972de
MH		 1181 } else {
1182 la->l2_psm = l2cap_pi(sk)->sport;
1da177e4 1183 bacpy(&la->l2_bdaddr, &bt_sk(sk)->src);
b4324b5d 1184 la->l2_cid = cpu_to_le16(l2cap_pi(sk)->scid);
f29972de 1185 }
1da177e4 1186
1da177e4
LT		 1187 return 0;
1188}
1189
e90bac06
GP		 1190static void l2cap_monitor_timeout(unsigned long arg)
1191{
1192 struct sock *sk = (void *) arg;
1193 u16 control;
1194
1195 if (l2cap_pi(sk)->retry_count >= l2cap_pi(sk)->remote_max_tx) {
1196 l2cap_send_disconn_req(l2cap_pi(sk)->conn, sk);
1197 return;
1198 }
1199
1200 l2cap_pi(sk)->retry_count++;
1201 __mod_monitor_timer();
1202
1203 control = L2CAP_CTRL_POLL;
1204 control |= L2CAP_SUPER_RCV_READY;
1205 l2cap_send_sframe(l2cap_pi(sk), control);
1206}
1207
1208static void l2cap_retrans_timeout(unsigned long arg)
1209{
1210 struct sock *sk = (void *) arg;
1211 u16 control;
1212
1213 l2cap_pi(sk)->retry_count = 1;
1214 __mod_monitor_timer();
1215
1216 l2cap_pi(sk)->conn_state |= L2CAP_CONN_WAIT_F;
1217
1218 control = L2CAP_CTRL_POLL;
1219 control |= L2CAP_SUPER_RCV_READY;
1220 l2cap_send_sframe(l2cap_pi(sk), control);
1221}
1222
1c2acffb 1223static void l2cap_drop_acked_frames(struct sock *sk)
1da177e4 1224{
1c2acffb 1225 struct sk_buff *skb;
1da177e4 1226
1c2acffb
GP		 1227 while ((skb = skb_peek(TX_QUEUE(sk)))) {
1228 if (bt_cb(skb)->tx_seq == l2cap_pi(sk)->expected_ack_seq)
1229 break;
1da177e4 1230
1c2acffb
GP		 1231 skb = skb_dequeue(TX_QUEUE(sk));
1232 kfree_skb(skb);
1da177e4 1233
1c2acffb
GP		 1234 l2cap_pi(sk)->unacked_frames--;
1235 }
1da177e4 1236
e90bac06
GP		 1237 if (!l2cap_pi(sk)->unacked_frames)
1238 del_timer(&l2cap_pi(sk)->retrans_timer);
1239
1c2acffb
GP		 1240 return;
1241}
1da177e4 1242
1c2acffb
GP		 1243static inline int l2cap_do_send(struct sock *sk, struct sk_buff *skb)
1244{
1245 struct l2cap_pinfo *pi = l2cap_pi(sk);
1246 int err;
1247
1248 BT_DBG("sk %p, skb %p len %d", sk, skb, skb->len);
1da177e4 1249
1c2acffb
GP		 1250 err = hci_send_acl(pi->conn->hcon, skb, 0);
1251 if (err < 0)
1252 kfree_skb(skb);
1253
1254 return err;
1255}
1256
6840ed07
GP		 1257static int l2cap_streaming_send(struct sock *sk)
1258{
1259 struct sk_buff *skb, *tx_skb;
1260 struct l2cap_pinfo *pi = l2cap_pi(sk);
fcc203c3 1261 u16 control, fcs;
6840ed07
GP		 1262 int err;
1263
1264 while ((skb = sk->sk_send_head)) {
1265 tx_skb = skb_clone(skb, GFP_ATOMIC);
1266
1267 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
1268 control |= pi->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT;
1269 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1270
fcc203c3
GP		 1271 if (l2cap_pi(sk)->fcs == L2CAP_FCS_CRC16) {
1272 fcs = crc16(0, (u8 *)tx_skb->data, tx_skb->len - 2);
1273 put_unaligned_le16(fcs, tx_skb->data + tx_skb->len - 2);
1274 }
1275
6840ed07
GP		 1276 err = l2cap_do_send(sk, tx_skb);
1277 if (err < 0) {
1278 l2cap_send_disconn_req(pi->conn, sk);
1279 return err;
1280 }
1281
1282 pi->next_tx_seq = (pi->next_tx_seq + 1) % 64;
1283
1284 if (skb_queue_is_last(TX_QUEUE(sk), skb))
1285 sk->sk_send_head = NULL;
1286 else
1287 sk->sk_send_head = skb_queue_next(TX_QUEUE(sk), skb);
1288
1289 skb = skb_dequeue(TX_QUEUE(sk));
1290 kfree_skb(skb);
1291 }
1292 return 0;
1293}
1294
8f17154f
GP		 1295static int l2cap_retransmit_frame(struct sock *sk, u8 tx_seq)
1296{
1297 struct l2cap_pinfo *pi = l2cap_pi(sk);
1298 struct sk_buff *skb, *tx_skb;
1299 u16 control, fcs;
1300 int err;
1301
1302 skb = skb_peek(TX_QUEUE(sk));
1303 do {
1304 if (bt_cb(skb)->tx_seq != tx_seq) {
1305 if (skb_queue_is_last(TX_QUEUE(sk), skb))
1306 break;
1307 skb = skb_queue_next(TX_QUEUE(sk), skb);
1308 continue;
1309 }
1310
1311 if (pi->remote_max_tx &&
1312 bt_cb(skb)->retries == pi->remote_max_tx) {
1313 l2cap_send_disconn_req(pi->conn, sk);
1314 break;
1315 }
1316
1317 tx_skb = skb_clone(skb, GFP_ATOMIC);
1318 bt_cb(skb)->retries++;
1319 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
1320 control |= (pi->req_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1321 | (tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
1322 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1323
1324 if (l2cap_pi(sk)->fcs == L2CAP_FCS_CRC16) {
1325 fcs = crc16(0, (u8 *)tx_skb->data, tx_skb->len - 2);
1326 put_unaligned_le16(fcs, tx_skb->data + tx_skb->len - 2);
1327 }
1328
1329 err = l2cap_do_send(sk, tx_skb);
1330 if (err < 0) {
1331 l2cap_send_disconn_req(pi->conn, sk);
1332 return err;
1333 }
1334 break;
1335 } while(1);
1336 return 0;
1337}
1338
1c2acffb
GP		 1339static int l2cap_ertm_send(struct sock *sk)
1340{
1341 struct sk_buff *skb, *tx_skb;
1342 struct l2cap_pinfo *pi = l2cap_pi(sk);
fcc203c3 1343 u16 control, fcs;
1c2acffb
GP		 1344 int err;
1345
e90bac06
GP		 1346 if (pi->conn_state & L2CAP_CONN_WAIT_F)
1347 return 0;
1348
1c2acffb
GP		 1349 while ((skb = sk->sk_send_head) && (!l2cap_tx_window_full(sk))) {
1350 tx_skb = skb_clone(skb, GFP_ATOMIC);
1351
e90bac06
GP		 1352 if (pi->remote_max_tx &&
1353 bt_cb(skb)->retries == pi->remote_max_tx) {
1354 l2cap_send_disconn_req(pi->conn, sk);
1355 break;
1356 }
1357
1358 bt_cb(skb)->retries++;
1359
1c2acffb
GP		 1360 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
1361 control |= (pi->req_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1362 | (pi->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
1363 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1364
e90bac06 1365
fcc203c3
GP		 1366 if (l2cap_pi(sk)->fcs == L2CAP_FCS_CRC16) {
1367 fcs = crc16(0, (u8 *)skb->data, tx_skb->len - 2);
1368 put_unaligned_le16(fcs, skb->data + tx_skb->len - 2);
1369 }
1370
1c2acffb
GP		 1371 err = l2cap_do_send(sk, tx_skb);
1372 if (err < 0) {
1373 l2cap_send_disconn_req(pi->conn, sk);
1374 return err;
1375 }
e90bac06 1376 __mod_retrans_timer();
1c2acffb
GP		 1377
1378 bt_cb(skb)->tx_seq = pi->next_tx_seq;
1379 pi->next_tx_seq = (pi->next_tx_seq + 1) % 64;
1380
1381 pi->unacked_frames++;
1382
1383 if (skb_queue_is_last(TX_QUEUE(sk), skb))
1384 sk->sk_send_head = NULL;
1385 else
1386 sk->sk_send_head = skb_queue_next(TX_QUEUE(sk), skb);
1387 }
1388
1389 return 0;
1390}
1391
1392static inline int l2cap_skbuff_fromiovec(struct sock *sk, struct msghdr *msg, int len, int count, struct sk_buff *skb)
1393{
1394 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1395 struct sk_buff **frag;
1396 int err, sent = 0;
1da177e4
LT		 1397
1398 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count)) {
1c2acffb 1399 return -EFAULT;
1da177e4
LT		 1400 }
1401
1402 sent += count;
1403 len -= count;
1404
1405 /* Continuation fragments (no L2CAP header) */
1406 frag = &skb_shinfo(skb)->frag_list;
1407 while (len) {
1408 count = min_t(unsigned int, conn->mtu, len);
1409
1410 *frag = bt_skb_send_alloc(sk, count, msg->msg_flags & MSG_DONTWAIT, &err);
1411 if (!*frag)
1c2acffb
GP		 1412 return -EFAULT;
1413 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1414 return -EFAULT;
1da177e4
LT		 1415
1416 sent += count;
1417 len -= count;
1418
1419 frag = &(*frag)->next;
1420 }
1da177e4
LT		 1421
1422 return sent;
1c2acffb 1423}
1da177e4 1424
1c2acffb
GP		 1425static struct sk_buff *l2cap_create_connless_pdu(struct sock *sk, struct msghdr *msg, size_t len)
1426{
1427 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1428 struct sk_buff *skb;
1429 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1430 struct l2cap_hdr *lh;
1431
1432 BT_DBG("sk %p len %d", sk, (int)len);
1433
1434 count = min_t(unsigned int, (conn->mtu - hlen), len);
1435 skb = bt_skb_send_alloc(sk, count + hlen,
1436 msg->msg_flags & MSG_DONTWAIT, &err);
1437 if (!skb)
1438 return ERR_PTR(-ENOMEM);
1439
1440 /* Create L2CAP header */
1441 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1442 lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1443 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1444 put_unaligned_le16(l2cap_pi(sk)->psm, skb_put(skb, 2));
1445
1446 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1447 if (unlikely(err < 0)) {
1448 kfree_skb(skb);
1449 return ERR_PTR(err);
1450 }
1451 return skb;
1452}
1453
1454static struct sk_buff *l2cap_create_basic_pdu(struct sock *sk, struct msghdr *msg, size_t len)
1455{
1456 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1457 struct sk_buff *skb;
1458 int err, count, hlen = L2CAP_HDR_SIZE;
1459 struct l2cap_hdr *lh;
1460
1461 BT_DBG("sk %p len %d", sk, (int)len);
1462
1463 count = min_t(unsigned int, (conn->mtu - hlen), len);
1464 skb = bt_skb_send_alloc(sk, count + hlen,
1465 msg->msg_flags & MSG_DONTWAIT, &err);
1466 if (!skb)
1467 return ERR_PTR(-ENOMEM);
1468
1469 /* Create L2CAP header */
1470 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1471 lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1472 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1473
1474 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1475 if (unlikely(err < 0)) {
1476 kfree_skb(skb);
1477 return ERR_PTR(err);
1478 }
1479 return skb;
1480}
1481
6840ed07 1482static struct sk_buff *l2cap_create_iframe_pdu(struct sock *sk, struct msghdr *msg, size_t len, u16 control, u16 sdulen)
1c2acffb
GP		 1483{
1484 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1485 struct sk_buff *skb;
1486 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1487 struct l2cap_hdr *lh;
1488
1489 BT_DBG("sk %p len %d", sk, (int)len);
1490
c74e560c
GP		 1491 if (sdulen)
1492 hlen += 2;
1493
fcc203c3
GP		 1494 if (l2cap_pi(sk)->fcs == L2CAP_FCS_CRC16)
1495 hlen += 2;
1496
1c2acffb
GP		 1497 count = min_t(unsigned int, (conn->mtu - hlen), len);
1498 skb = bt_skb_send_alloc(sk, count + hlen,
1499 msg->msg_flags & MSG_DONTWAIT, &err);
1500 if (!skb)
1501 return ERR_PTR(-ENOMEM);
1502
1503 /* Create L2CAP header */
1504 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1505 lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1506 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1507 put_unaligned_le16(control, skb_put(skb, 2));
c74e560c
GP		 1508 if (sdulen)
1509 put_unaligned_le16(sdulen, skb_put(skb, 2));
1c2acffb
GP		 1510
1511 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1512 if (unlikely(err < 0)) {
1513 kfree_skb(skb);
1514 return ERR_PTR(err);
1515 }
e90bac06 1516
fcc203c3
GP		 1517 if (l2cap_pi(sk)->fcs == L2CAP_FCS_CRC16)
1518 put_unaligned_le16(0, skb_put(skb, 2));
1519
e90bac06 1520 bt_cb(skb)->retries = 0;
1c2acffb 1521 return skb;
1da177e4
LT		 1522}
1523
c74e560c
GP		 1524static inline int l2cap_sar_segment_sdu(struct sock *sk, struct msghdr *msg, size_t len)
1525{
1526 struct l2cap_pinfo *pi = l2cap_pi(sk);
1527 struct sk_buff *skb;
1528 struct sk_buff_head sar_queue;
1529 u16 control;
1530 size_t size = 0;
1531
1532 __skb_queue_head_init(&sar_queue);
1533 control = L2CAP_SDU_START;
6840ed07 1534 skb = l2cap_create_iframe_pdu(sk, msg, pi->max_pdu_size, control, len);
c74e560c
GP		 1535 if (IS_ERR(skb))
1536 return PTR_ERR(skb);
1537
1538 __skb_queue_tail(&sar_queue, skb);
1539 len -= pi->max_pdu_size;
1540 size +=pi->max_pdu_size;
1541 control = 0;
1542
1543 while (len > 0) {
1544 size_t buflen;
1545
1546 if (len > pi->max_pdu_size) {
1547 control |= L2CAP_SDU_CONTINUE;
1548 buflen = pi->max_pdu_size;
1549 } else {
1550 control |= L2CAP_SDU_END;
1551 buflen = len;
1552 }
1553
6840ed07 1554 skb = l2cap_create_iframe_pdu(sk, msg, buflen, control, 0);
c74e560c
GP		 1555 if (IS_ERR(skb)) {
1556 skb_queue_purge(&sar_queue);
1557 return PTR_ERR(skb);
1558 }
1559
1560 __skb_queue_tail(&sar_queue, skb);
1561 len -= buflen;
1562 size += buflen;
1563 control = 0;
1564 }
1565 skb_queue_splice_tail(&sar_queue, TX_QUEUE(sk));
1566 if (sk->sk_send_head == NULL)
1567 sk->sk_send_head = sar_queue.next;
1568
1569 return size;
1570}
1571
1da177e4
LT		 1572static int l2cap_sock_sendmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len)
1573{
1574 struct sock *sk = sock->sk;
1c2acffb
GP		 1575 struct l2cap_pinfo *pi = l2cap_pi(sk);
1576 struct sk_buff *skb;
1577 u16 control;
1578 int err;
1da177e4
LT		 1579
1580 BT_DBG("sock %p, sk %p", sock, sk);
1581
c1cbe4b7
BL		 1582 err = sock_error(sk);
1583 if (err)
1584 return err;
1da177e4
LT		 1585
1586 if (msg->msg_flags & MSG_OOB)
1587 return -EOPNOTSUPP;
1588
1589 /* Check outgoing MTU */
1c2acffb
GP		 1590 if (sk->sk_type == SOCK_SEQPACKET && pi->mode == L2CAP_MODE_BASIC
1591 && len > pi->omtu)
1da177e4
LT		 1592 return -EINVAL;
1593
1594 lock_sock(sk);
1595
1c2acffb 1596 if (sk->sk_state != BT_CONNECTED) {
1da177e4 1597 err = -ENOTCONN;
1c2acffb
GP		 1598 goto done;
1599 }
1da177e4 1600
1c2acffb
GP		 1601 /* Connectionless channel */
1602 if (sk->sk_type == SOCK_DGRAM) {
1603 skb = l2cap_create_connless_pdu(sk, msg, len);
1604 err = l2cap_do_send(sk, skb);
1605 goto done;
1606 }
1607
1608 switch (pi->mode) {
1609 case L2CAP_MODE_BASIC:
1610 /* Create a basic PDU */
1611 skb = l2cap_create_basic_pdu(sk, msg, len);
1612 if (IS_ERR(skb)) {
1613 err = PTR_ERR(skb);
1614 goto done;
1615 }
1616
1617 err = l2cap_do_send(sk, skb);
1618 if (!err)
1619 err = len;
1620 break;
1621
1622 case L2CAP_MODE_ERTM:
6840ed07 1623 case L2CAP_MODE_STREAMING:
1c2acffb 1624 /* Entire SDU fits into one PDU */
c74e560c 1625 if (len <= pi->max_pdu_size) {
1c2acffb 1626 control = L2CAP_SDU_UNSEGMENTED;
6840ed07 1627 skb = l2cap_create_iframe_pdu(sk, msg, len, control, 0);
1c2acffb
GP		 1628 if (IS_ERR(skb)) {
1629 err = PTR_ERR(skb);
1630 goto done;
1631 }
c74e560c
GP		 1632 __skb_queue_tail(TX_QUEUE(sk), skb);
1633 if (sk->sk_send_head == NULL)
1634 sk->sk_send_head = skb;
1c2acffb 1635 } else {
c74e560c
GP		 1636 /* Segment SDU into multiples PDUs */
1637 err = l2cap_sar_segment_sdu(sk, msg, len);
1638 if (err < 0)
1639 goto done;
1c2acffb 1640 }
1c2acffb 1641
6840ed07
GP		 1642 if (pi->mode == L2CAP_MODE_STREAMING)
1643 err = l2cap_streaming_send(sk);
1644 else
1645 err = l2cap_ertm_send(sk);
1646
1c2acffb
GP		 1647 if (!err)
1648 err = len;
1649 break;
1650
1651 default:
1652 BT_DBG("bad state %1.1x", pi->mode);
1653 err = -EINVAL;
1654 }
1655
1656done:
1da177e4
LT		 1657 release_sock(sk);
1658 return err;
1659}
1660
f66dc81f
MH		 1661static int l2cap_sock_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len, int flags)
1662{
1663 struct sock *sk = sock->sk;
1664
1665 lock_sock(sk);
1666
1667 if (sk->sk_state == BT_CONNECT2 && bt_sk(sk)->defer_setup) {
1668 struct l2cap_conn_rsp rsp;
1669
1670 sk->sk_state = BT_CONFIG;
1671
1672 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
1673 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
1674 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1675 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1676 l2cap_send_cmd(l2cap_pi(sk)->conn, l2cap_pi(sk)->ident,
1677 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
1678
1679 release_sock(sk);
1680 return 0;
1681 }
1682
1683 release_sock(sk);
1684
1685 return bt_sock_recvmsg(iocb, sock, msg, len, flags);
1686}
1687
d58daf42 1688static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __user *optval, int optlen)
1da177e4
LT		 1689{
1690 struct sock *sk = sock->sk;
1691 struct l2cap_options opts;
f29972de 1692 int len, err = 0;
1da177e4
LT		 1693 u32 opt;
1694
1695 BT_DBG("sk %p", sk);
1696
1697 lock_sock(sk);
1698
1699 switch (optname) {
1700 case L2CAP_OPTIONS:
0878b666
MH		 1701 opts.imtu = l2cap_pi(sk)->imtu;
1702 opts.omtu = l2cap_pi(sk)->omtu;
1703 opts.flush_to = l2cap_pi(sk)->flush_to;
c6b03cf9 1704 opts.mode = l2cap_pi(sk)->mode;
fcc203c3 1705 opts.fcs = l2cap_pi(sk)->fcs;
0878b666 1706
1da177e4
LT		 1707 len = min_t(unsigned int, sizeof(opts), optlen);
1708 if (copy_from_user((char *) &opts, optval, len)) {
1709 err = -EFAULT;
1710 break;
1711 }
0878b666 1712
c6b03cf9
MH		 1713 l2cap_pi(sk)->imtu = opts.imtu;
1714 l2cap_pi(sk)->omtu = opts.omtu;
1715 l2cap_pi(sk)->mode = opts.mode;
fcc203c3 1716 l2cap_pi(sk)->fcs = opts.fcs;
1da177e4
LT		 1717 break;
1718
1719 case L2CAP_LM:
1720 if (get_user(opt, (u32 __user *) optval)) {
1721 err = -EFAULT;
1722 break;
1723 }
1724
2af6b9d5
MH		 1725 if (opt & L2CAP_LM_AUTH)
1726 l2cap_pi(sk)->sec_level = BT_SECURITY_LOW;
1727 if (opt & L2CAP_LM_ENCRYPT)
1728 l2cap_pi(sk)->sec_level = BT_SECURITY_MEDIUM;
1729 if (opt & L2CAP_LM_SECURE)
1730 l2cap_pi(sk)->sec_level = BT_SECURITY_HIGH;
1731
1732 l2cap_pi(sk)->role_switch = (opt & L2CAP_LM_MASTER);
1733 l2cap_pi(sk)->force_reliable = (opt & L2CAP_LM_RELIABLE);
1da177e4
LT		 1734 break;
1735
1736 default:
1737 err = -ENOPROTOOPT;
1738 break;
1739 }
1740
1741 release_sock(sk);
1742 return err;
1743}
1744
d58daf42
MH		 1745static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, char __user *optval, int optlen)
1746{
1747 struct sock *sk = sock->sk;
2af6b9d5
MH		 1748 struct bt_security sec;
1749 int len, err = 0;
f66dc81f 1750 u32 opt;
d58daf42
MH		 1751
1752 BT_DBG("sk %p", sk);
1753
1754 if (level == SOL_L2CAP)
1755 return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
1756
0588d94f
MH		 1757 if (level != SOL_BLUETOOTH)
1758 return -ENOPROTOOPT;
1759
d58daf42
MH		 1760 lock_sock(sk);
1761
1762 switch (optname) {
2af6b9d5 1763 case BT_SECURITY:
2526d3d8 1764 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_RAW) {
0588d94f
MH		 1765 err = -EINVAL;
1766 break;
1767 }
1768
2af6b9d5
MH		 1769 sec.level = BT_SECURITY_LOW;
1770
1771 len = min_t(unsigned int, sizeof(sec), optlen);
1772 if (copy_from_user((char *) &sec, optval, len)) {
1773 err = -EFAULT;
1774 break;
1775 }
1776
1777 if (sec.level < BT_SECURITY_LOW ||
1778 sec.level > BT_SECURITY_HIGH) {
1779 err = -EINVAL;
1780 break;
1781 }
1782
1783 l2cap_pi(sk)->sec_level = sec.level;
1784 break;
1785
f66dc81f
MH		 1786 case BT_DEFER_SETUP:
1787 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
1788 err = -EINVAL;
1789 break;
1790 }
1791
1792 if (get_user(opt, (u32 __user *) optval)) {
1793 err = -EFAULT;
1794 break;
1795 }
1796
1797 bt_sk(sk)->defer_setup = opt;
1798 break;
1799
d58daf42
MH		 1800 default:
1801 err = -ENOPROTOOPT;
1802 break;
1803 }
1804
1805 release_sock(sk);
1806 return err;
1807}
1808
1809static int l2cap_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen)
1da177e4
LT		 1810{
1811 struct sock *sk = sock->sk;
1812 struct l2cap_options opts;
1813 struct l2cap_conninfo cinfo;
1814 int len, err = 0;
2af6b9d5 1815 u32 opt;
1da177e4
LT		 1816
1817 BT_DBG("sk %p", sk);
1818
1819 if (get_user(len, optlen))
1820 return -EFAULT;
1821
1822 lock_sock(sk);
1823
1824 switch (optname) {
1825 case L2CAP_OPTIONS:
1826 opts.imtu = l2cap_pi(sk)->imtu;
1827 opts.omtu = l2cap_pi(sk)->omtu;
1828 opts.flush_to = l2cap_pi(sk)->flush_to;
c6b03cf9 1829 opts.mode = l2cap_pi(sk)->mode;
fcc203c3 1830 opts.fcs = l2cap_pi(sk)->fcs;
1da177e4
LT		 1831
1832 len = min_t(unsigned int, len, sizeof(opts));
1833 if (copy_to_user(optval, (char *) &opts, len))
1834 err = -EFAULT;
1835
1836 break;
1837
1838 case L2CAP_LM:
2af6b9d5
MH		 1839 switch (l2cap_pi(sk)->sec_level) {
1840 case BT_SECURITY_LOW:
1841 opt = L2CAP_LM_AUTH;
1842 break;
1843 case BT_SECURITY_MEDIUM:
1844 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
1845 break;
1846 case BT_SECURITY_HIGH:
1847 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
1848 L2CAP_LM_SECURE;
1849 break;
1850 default:
1851 opt = 0;
1852 break;
1853 }
1854
1855 if (l2cap_pi(sk)->role_switch)
1856 opt |= L2CAP_LM_MASTER;
1857
1858 if (l2cap_pi(sk)->force_reliable)
1859 opt |= L2CAP_LM_RELIABLE;
1860
1861 if (put_user(opt, (u32 __user *) optval))
1da177e4
LT		 1862 err = -EFAULT;
1863 break;
1864
1865 case L2CAP_CONNINFO:
f66dc81f
MH		 1866 if (sk->sk_state != BT_CONNECTED &&
1867 !(sk->sk_state == BT_CONNECT2 &&
1868 bt_sk(sk)->defer_setup)) {
1da177e4
LT		 1869 err = -ENOTCONN;
1870 break;
1871 }
1872
1873 cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle;
1874 memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3);
1875
1876 len = min_t(unsigned int, len, sizeof(cinfo));
1877 if (copy_to_user(optval, (char *) &cinfo, len))
1878 err = -EFAULT;
1879
1880 break;
1881
1882 default:
1883 err = -ENOPROTOOPT;
1884 break;
1885 }
1886
1887 release_sock(sk);
1888 return err;
1889}
1890
d58daf42
MH		 1891static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen)
1892{
1893 struct sock *sk = sock->sk;
2af6b9d5 1894 struct bt_security sec;
d58daf42
MH		 1895 int len, err = 0;
1896
1897 BT_DBG("sk %p", sk);
1898
1899 if (level == SOL_L2CAP)
1900 return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
1901
0588d94f
MH		 1902 if (level != SOL_BLUETOOTH)
1903 return -ENOPROTOOPT;
1904
d58daf42
MH		 1905 if (get_user(len, optlen))
1906 return -EFAULT;
1907
1908 lock_sock(sk);
1909
1910 switch (optname) {
2af6b9d5 1911 case BT_SECURITY:
2526d3d8 1912 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_RAW) {
0588d94f
MH		 1913 err = -EINVAL;
1914 break;
1915 }
1916
2af6b9d5
MH		 1917 sec.level = l2cap_pi(sk)->sec_level;
1918
1919 len = min_t(unsigned int, len, sizeof(sec));
1920 if (copy_to_user(optval, (char *) &sec, len))
1921 err = -EFAULT;
1922
1923 break;
1924
f66dc81f
MH		 1925 case BT_DEFER_SETUP:
1926 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
1927 err = -EINVAL;
1928 break;
1929 }
1930
1931 if (put_user(bt_sk(sk)->defer_setup, (u32 __user *) optval))
1932 err = -EFAULT;
1933
1934 break;
1935
d58daf42
MH		 1936 default:
1937 err = -ENOPROTOOPT;
1938 break;
1939 }
1940
1941 release_sock(sk);
1942 return err;
1943}
1944
1da177e4
LT		 1945static int l2cap_sock_shutdown(struct socket *sock, int how)
1946{
1947 struct sock *sk = sock->sk;
1948 int err = 0;
1949
1950 BT_DBG("sock %p, sk %p", sock, sk);
1951
1952 if (!sk)
1953 return 0;
1954
1955 lock_sock(sk);
1956 if (!sk->sk_shutdown) {
1957 sk->sk_shutdown = SHUTDOWN_MASK;
1958 l2cap_sock_clear_timer(sk);
1959 __l2cap_sock_close(sk, 0);
1960
1961 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime)
b1235d79
MH		 1962 err = bt_sock_wait_state(sk, BT_CLOSED,
1963 sk->sk_lingertime);
1da177e4
LT		 1964 }
1965 release_sock(sk);
1966 return err;
1967}
1968
1969static int l2cap_sock_release(struct socket *sock)
1970{
1971 struct sock *sk = sock->sk;
1972 int err;
1973
1974 BT_DBG("sock %p, sk %p", sock, sk);
1975
1976 if (!sk)
1977 return 0;
1978
1979 err = l2cap_sock_shutdown(sock, 2);
1980
1981 sock_orphan(sk);
1982 l2cap_sock_kill(sk);
1983 return err;
1984}
1985
1da177e4
LT		 1986static void l2cap_chan_ready(struct sock *sk)
1987{
1988 struct sock *parent = bt_sk(sk)->parent;
1989
1990 BT_DBG("sk %p, parent %p", sk, parent);
1991
1992 l2cap_pi(sk)->conf_state = 0;
1993 l2cap_sock_clear_timer(sk);
1994
1995 if (!parent) {
1996 /* Outgoing channel.
1997 * Wake up socket sleeping on connect.
1998 */
1999 sk->sk_state = BT_CONNECTED;
2000 sk->sk_state_change(sk);
2001 } else {
2002 /* Incoming channel.
2003 * Wake up socket sleeping on accept.
2004 */
2005 parent->sk_data_ready(parent, 0);
2006 }
2007}
2008
2009/* Copy frame to all raw sockets on that connection */
2010static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2011{
2012 struct l2cap_chan_list *l = &conn->chan_list;
2013 struct sk_buff *nskb;
af05b30b 2014 struct sock *sk;
1da177e4
LT		 2015
2016 BT_DBG("conn %p", conn);
2017
2018 read_lock(&l->lock);
2019 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
2020 if (sk->sk_type != SOCK_RAW)
2021 continue;
2022
2023 /* Don't send frame to the socket it came from */
2024 if (skb->sk == sk)
2025 continue;
af05b30b
GP		 2026 nskb = skb_clone(skb, GFP_ATOMIC);
2027 if (!nskb)
1da177e4
LT		 2028 continue;
2029
2030 if (sock_queue_rcv_skb(sk, nskb))
2031 kfree_skb(nskb);
2032 }
2033 read_unlock(&l->lock);
2034}
2035
2036/* ---- L2CAP signalling commands ---- */
2037static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2038 u8 code, u8 ident, u16 dlen, void *data)
2039{
2040 struct sk_buff *skb, **frag;
2041 struct l2cap_cmd_hdr *cmd;
2042 struct l2cap_hdr *lh;
2043 int len, count;
2044
af05b30b
GP		 2045 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
2046 conn, code, ident, dlen);
1da177e4
LT		 2047
2048 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2049 count = min_t(unsigned int, conn->mtu, len);
2050
2051 skb = bt_skb_alloc(count, GFP_ATOMIC);
2052 if (!skb)
2053 return NULL;
2054
2055 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2056 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
8db4dc46 2057 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2058
2059 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2060 cmd->code = code;
2061 cmd->ident = ident;
aca3192c 2062 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2063
2064 if (dlen) {
2065 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2066 memcpy(skb_put(skb, count), data, count);
2067 data += count;
2068 }
2069
2070 len -= skb->len;
2071
2072 /* Continuation fragments (no L2CAP header) */
2073 frag = &skb_shinfo(skb)->frag_list;
2074 while (len) {
2075 count = min_t(unsigned int, conn->mtu, len);
2076
2077 *frag = bt_skb_alloc(count, GFP_ATOMIC);
2078 if (!*frag)
2079 goto fail;
2080
2081 memcpy(skb_put(*frag, count), data, count);
2082
2083 len -= count;
2084 data += count;
2085
2086 frag = &(*frag)->next;
2087 }
2088
2089 return skb;
2090
2091fail:
2092 kfree_skb(skb);
2093 return NULL;
2094}
2095
2096static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
2097{
2098 struct l2cap_conf_opt *opt = *ptr;
2099 int len;
2100
2101 len = L2CAP_CONF_OPT_SIZE + opt->len;
2102 *ptr += len;
2103
2104 *type = opt->type;
2105 *olen = opt->len;
2106
2107 switch (opt->len) {
2108 case 1:
2109 *val = *((u8 *) opt->val);
2110 break;
2111
2112 case 2:
861d6882 2113 *val = __le16_to_cpu(*((__le16 *) opt->val));
1da177e4
LT		 2114 break;
2115
2116 case 4:
861d6882 2117 *val = __le32_to_cpu(*((__le32 *) opt->val));
1da177e4
LT		 2118 break;
2119
2120 default:
2121 *val = (unsigned long) opt->val;
2122 break;
2123 }
2124
2125 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
2126 return len;
2127}
2128
1da177e4
LT		 2129static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2130{
2131 struct l2cap_conf_opt *opt = *ptr;
2132
2133 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
2134
2135 opt->type = type;
2136 opt->len = len;
2137
2138 switch (len) {
2139 case 1:
2140 *((u8 *) opt->val) = val;
2141 break;
2142
2143 case 2:
8e036fc3 2144 *((__le16 *) opt->val) = cpu_to_le16(val);
1da177e4
LT		 2145 break;
2146
2147 case 4:
8e036fc3 2148 *((__le32 *) opt->val) = cpu_to_le32(val);
1da177e4
LT		 2149 break;
2150
2151 default:
2152 memcpy(opt->val, (void *) val, len);
2153 break;
2154 }
2155
2156 *ptr += L2CAP_CONF_OPT_SIZE + len;
2157}
2158
f2fcfcd6
GP		 2159static int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
2160{
2161 u32 local_feat_mask = l2cap_feat_mask;
2162 if (enable_ertm)
6840ed07 2163 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
f2fcfcd6
GP		 2164
2165 switch (mode) {
2166 case L2CAP_MODE_ERTM:
2167 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
2168 case L2CAP_MODE_STREAMING:
2169 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
2170 default:
2171 return 0x00;
2172 }
2173}
2174
2175static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2176{
2177 switch (mode) {
2178 case L2CAP_MODE_STREAMING:
2179 case L2CAP_MODE_ERTM:
2180 if (l2cap_mode_supported(mode, remote_feat_mask))
2181 return mode;
2182 /* fall through */
2183 default:
2184 return L2CAP_MODE_BASIC;
2185 }
2186}
2187
1da177e4
LT		 2188static int l2cap_build_conf_req(struct sock *sk, void *data)
2189{
2190 struct l2cap_pinfo *pi = l2cap_pi(sk);
2191 struct l2cap_conf_req *req = data;
f2fcfcd6 2192 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_ERTM };
1da177e4
LT		 2193 void *ptr = req->data;
2194
2195 BT_DBG("sk %p", sk);
2196
f2fcfcd6
GP		 2197 if (pi->num_conf_req || pi->num_conf_rsp)
2198 goto done;
2199
2200 switch (pi->mode) {
2201 case L2CAP_MODE_STREAMING:
2202 case L2CAP_MODE_ERTM:
2203 pi->conf_state |= L2CAP_CONF_STATE2_DEVICE;
22121fc9
GP		 2204 if (!l2cap_mode_supported(pi->mode, pi->conn->feat_mask))
2205 l2cap_send_disconn_req(pi->conn, sk);
f2fcfcd6
GP		 2206 break;
2207 default:
2208 pi->mode = l2cap_select_mode(rfc.mode, pi->conn->feat_mask);
2209 break;
2210 }
2211
2212done:
65c7c491
MH		 2213 switch (pi->mode) {
2214 case L2CAP_MODE_BASIC:
2215 if (pi->imtu != L2CAP_DEFAULT_MTU)
2216 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->imtu);
2217 break;
2218
2219 case L2CAP_MODE_ERTM:
2220 rfc.mode = L2CAP_MODE_ERTM;
f2fcfcd6 2221 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
e90bac06 2222 rfc.max_transmit = L2CAP_DEFAULT_MAX_TX;
f2fcfcd6
GP		 2223 rfc.retrans_timeout = 0;
2224 rfc.monitor_timeout = 0;
c74e560c 2225 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
f2fcfcd6
GP		 2226
2227 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2228 sizeof(rfc), (unsigned long) &rfc);
fcc203c3
GP		 2229
2230 if (!(pi->conn->feat_mask & L2CAP_FEAT_FCS))
2231 break;
2232
2233 if (pi->fcs == L2CAP_FCS_NONE ||
2234 pi->conf_state & L2CAP_CONF_NO_FCS_RECV) {
2235 pi->fcs = L2CAP_FCS_NONE;
2236 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, pi->fcs);
2237 }
f2fcfcd6
GP		 2238 break;
2239
2240 case L2CAP_MODE_STREAMING:
2241 rfc.mode = L2CAP_MODE_STREAMING;
2242 rfc.txwin_size = 0;
2243 rfc.max_transmit = 0;
2244 rfc.retrans_timeout = 0;
2245 rfc.monitor_timeout = 0;
c74e560c 2246 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
65c7c491
MH		 2247
2248 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2249 sizeof(rfc), (unsigned long) &rfc);
fcc203c3
GP		 2250
2251 if (!(pi->conn->feat_mask & L2CAP_FEAT_FCS))
2252 break;
2253
2254 if (pi->fcs == L2CAP_FCS_NONE ||
2255 pi->conf_state & L2CAP_CONF_NO_FCS_RECV) {
2256 pi->fcs = L2CAP_FCS_NONE;
2257 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, pi->fcs);
2258 }
65c7c491
MH		 2259 break;
2260 }
1da177e4
LT		 2261
2262 /* FIXME: Need actual value of the flush timeout */
2263 //if (flush_to != L2CAP_DEFAULT_FLUSH_TO)
2264 // l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, 2, pi->flush_to);
2265
aca3192c
YH		 2266 req->dcid = cpu_to_le16(pi->dcid);
2267 req->flags = cpu_to_le16(0);
1da177e4
LT		 2268
2269 return ptr - data;
2270}
2271
5dee9e7c 2272static int l2cap_parse_conf_req(struct sock *sk, void *data)
1da177e4
LT		 2273{
2274 struct l2cap_pinfo *pi = l2cap_pi(sk);
5dee9e7c
MH		 2275 struct l2cap_conf_rsp *rsp = data;
2276 void *ptr = rsp->data;
2277 void *req = pi->conf_req;
2278 int len = pi->conf_len;
2279 int type, hint, olen;
2280 unsigned long val;
6464f35f 2281 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
861d6882 2282 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 2283 u16 result = L2CAP_CONF_SUCCESS;
1da177e4 2284
5dee9e7c 2285 BT_DBG("sk %p", sk);
820ae1b8 2286
5dee9e7c
MH		 2287 while (len >= L2CAP_CONF_OPT_SIZE) {
2288 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 2289
589d2746 2290 hint = type & L2CAP_CONF_HINT;
47ec1dcd 2291 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 2292
2293 switch (type) {
2294 case L2CAP_CONF_MTU:
861d6882 2295 mtu = val;
5dee9e7c
MH		 2296 break;
2297
2298 case L2CAP_CONF_FLUSH_TO:
2299 pi->flush_to = val;
2300 break;
2301
2302 case L2CAP_CONF_QOS:
2303 break;
2304
6464f35f
MH		 2305 case L2CAP_CONF_RFC:
2306 if (olen == sizeof(rfc))
2307 memcpy(&rfc, (void *) val, olen);
2308 break;
2309
fcc203c3
GP		 2310 case L2CAP_CONF_FCS:
2311 if (val == L2CAP_FCS_NONE)
2312 pi->conf_state |= L2CAP_CONF_NO_FCS_RECV;
2313
2314 break;
2315
5dee9e7c
MH		 2316 default:
2317 if (hint)
2318 break;
2319
2320 result = L2CAP_CONF_UNKNOWN;
2321 *((u8 *) ptr++) = type;
2322 break;
2323 }
2324 }
2325
f2fcfcd6
GP		 2326 if (pi->num_conf_rsp || pi->num_conf_req)
2327 goto done;
2328
2329 switch (pi->mode) {
2330 case L2CAP_MODE_STREAMING:
2331 case L2CAP_MODE_ERTM:
2332 pi->conf_state |= L2CAP_CONF_STATE2_DEVICE;
2333 if (!l2cap_mode_supported(pi->mode, pi->conn->feat_mask))
2334 return -ECONNREFUSED;
2335 break;
2336 default:
2337 pi->mode = l2cap_select_mode(rfc.mode, pi->conn->feat_mask);
2338 break;
2339 }
2340
2341done:
2342 if (pi->mode != rfc.mode) {
2343 result = L2CAP_CONF_UNACCEPT;
2344 rfc.mode = pi->mode;
2345
2346 if (pi->num_conf_rsp == 1)
2347 return -ECONNREFUSED;
2348
2349 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2350 sizeof(rfc), (unsigned long) &rfc);
2351 }
2352
2353
5dee9e7c
MH		 2354 if (result == L2CAP_CONF_SUCCESS) {
2355 /* Configure output options and let the other side know
2356 * which ones we don't like. */
2357
f2fcfcd6
GP		 2358 if (mtu < L2CAP_DEFAULT_MIN_MTU)
2359 result = L2CAP_CONF_UNACCEPT;
2360 else {
2361 pi->omtu = mtu;
2362 pi->conf_state |= L2CAP_CONF_MTU_DONE;
2363 }
2364 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->omtu);
6464f35f 2365
f2fcfcd6
GP		 2366 switch (rfc.mode) {
2367 case L2CAP_MODE_BASIC:
2368 pi->fcs = L2CAP_FCS_NONE;
2369 pi->conf_state |= L2CAP_CONF_MODE_DONE;
2370 break;
2371
2372 case L2CAP_MODE_ERTM:
2373 pi->remote_tx_win = rfc.txwin_size;
2374 pi->remote_max_tx = rfc.max_transmit;
2375 pi->max_pdu_size = rfc.max_pdu_size;
2376
2377 rfc.retrans_timeout = L2CAP_DEFAULT_RETRANS_TO;
2378 rfc.monitor_timeout = L2CAP_DEFAULT_MONITOR_TO;
2379
2380 pi->conf_state |= L2CAP_CONF_MODE_DONE;
2381 break;
2382
2383 case L2CAP_MODE_STREAMING:
2384 pi->remote_tx_win = rfc.txwin_size;
2385 pi->max_pdu_size = rfc.max_pdu_size;
2386
2387 pi->conf_state |= L2CAP_CONF_MODE_DONE;
2388 break;
2389
2390 default:
5dee9e7c 2391 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 2392
6464f35f 2393 memset(&rfc, 0, sizeof(rfc));
f2fcfcd6
GP		 2394 rfc.mode = pi->mode;
2395 }
6464f35f 2396
f2fcfcd6 2397 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
65c7c491 2398 sizeof(rfc), (unsigned long) &rfc);
5dee9e7c 2399
f2fcfcd6
GP		 2400 if (result == L2CAP_CONF_SUCCESS)
2401 pi->conf_state |= L2CAP_CONF_OUTPUT_DONE;
2402 }
5dee9e7c
MH		 2403 rsp->scid = cpu_to_le16(pi->dcid);
2404 rsp->result = cpu_to_le16(result);
2405 rsp->flags = cpu_to_le16(0x0000);
2406
2407 return ptr - data;
1da177e4
LT		 2408}
2409
f2fcfcd6
GP		 2410static int l2cap_parse_conf_rsp(struct sock *sk, void *rsp, int len, void *data, u16 *result)
2411{
2412 struct l2cap_pinfo *pi = l2cap_pi(sk);
2413 struct l2cap_conf_req *req = data;
2414 void *ptr = req->data;
2415 int type, olen;
2416 unsigned long val;
2417 struct l2cap_conf_rfc rfc;
2418
2419 BT_DBG("sk %p, rsp %p, len %d, req %p", sk, rsp, len, data);
2420
2421 while (len >= L2CAP_CONF_OPT_SIZE) {
2422 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2423
2424 switch (type) {
2425 case L2CAP_CONF_MTU:
2426 if (val < L2CAP_DEFAULT_MIN_MTU) {
2427 *result = L2CAP_CONF_UNACCEPT;
2428 pi->omtu = L2CAP_DEFAULT_MIN_MTU;
2429 } else
2430 pi->omtu = val;
2431 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->omtu);
2432 break;
2433
2434 case L2CAP_CONF_FLUSH_TO:
2435 pi->flush_to = val;
2436 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
2437 2, pi->flush_to);
2438 break;
2439
2440 case L2CAP_CONF_RFC:
2441 if (olen == sizeof(rfc))
2442 memcpy(&rfc, (void *)val, olen);
2443
2444 if ((pi->conf_state & L2CAP_CONF_STATE2_DEVICE) &&
2445 rfc.mode != pi->mode)
2446 return -ECONNREFUSED;
2447
2448 pi->mode = rfc.mode;
2449 pi->fcs = 0;
2450
2451 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2452 sizeof(rfc), (unsigned long) &rfc);
2453 break;
2454 }
2455 }
2456
2457 if (*result == L2CAP_CONF_SUCCESS) {
2458 switch (rfc.mode) {
2459 case L2CAP_MODE_ERTM:
2460 pi->remote_tx_win = rfc.txwin_size;
2461 pi->retrans_timeout = rfc.retrans_timeout;
2462 pi->monitor_timeout = rfc.monitor_timeout;
2463 pi->max_pdu_size = le16_to_cpu(rfc.max_pdu_size);
2464 break;
2465 case L2CAP_MODE_STREAMING:
2466 pi->max_pdu_size = le16_to_cpu(rfc.max_pdu_size);
2467 break;
2468 }
2469 }
2470
2471 req->dcid = cpu_to_le16(pi->dcid);
2472 req->flags = cpu_to_le16(0x0000);
2473
2474 return ptr - data;
2475}
2476
5dee9e7c 2477static int l2cap_build_conf_rsp(struct sock *sk, void *data, u16 result, u16 flags)
1da177e4
LT		 2478{
2479 struct l2cap_conf_rsp *rsp = data;
2480 void *ptr = rsp->data;
1da177e4 2481
5dee9e7c 2482 BT_DBG("sk %p", sk);
1da177e4 2483
aca3192c 2484 rsp->scid = cpu_to_le16(l2cap_pi(sk)->dcid);
5dee9e7c 2485 rsp->result = cpu_to_le16(result);
aca3192c 2486 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 2487
2488 return ptr - data;
2489}
2490
4e8402a3
MH		 2491static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2492{
2493 struct l2cap_cmd_rej *rej = (struct l2cap_cmd_rej *) data;
2494
2495 if (rej->reason != 0x0000)
2496 return 0;
2497
2498 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2499 cmd->ident == conn->info_ident) {
4e8402a3 2500 del_timer(&conn->info_timer);
984947dc
MH		 2501
2502 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2503 conn->info_ident = 0;
984947dc 2504
4e8402a3
MH		 2505 l2cap_conn_start(conn);
2506 }
2507
2508 return 0;
2509}
2510
1da177e4
LT		 2511static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2512{
2513 struct l2cap_chan_list *list = &conn->chan_list;
2514 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
2515 struct l2cap_conn_rsp rsp;
2516 struct sock *sk, *parent;
e7c29cb1 2517 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2518
2519 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 2520 __le16 psm = req->psm;
1da177e4
LT		 2521
2522 BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
2523
2524 /* Check if we have socket listening on psm */
2525 parent = l2cap_get_sock_by_psm(BT_LISTEN, psm, conn->src);
2526 if (!parent) {
2527 result = L2CAP_CR_BAD_PSM;
2528 goto sendresp;
2529 }
2530
e7c29cb1
MH		 2531 /* Check if the ACL is secure enough (if not SDP) */
2532 if (psm != cpu_to_le16(0x0001) &&
2533 !hci_conn_check_link_mode(conn->hcon)) {
2950f21a 2534 conn->disc_reason = 0x05;
e7c29cb1
MH		 2535 result = L2CAP_CR_SEC_BLOCK;
2536 goto response;
2537 }
2538
1da177e4
LT		 2539 result = L2CAP_CR_NO_MEM;
2540
2541 /* Check for backlog size */
2542 if (sk_acceptq_is_full(parent)) {
8e87d142 2543 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1da177e4
LT		 2544 goto response;
2545 }
2546
3b1e0a65 2547 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP, GFP_ATOMIC);
1da177e4
LT		 2548 if (!sk)
2549 goto response;
2550
fd1278d7 2551 write_lock_bh(&list->lock);
1da177e4
LT		 2552
2553 /* Check if we already have channel with that dcid */
2554 if (__l2cap_get_chan_by_dcid(list, scid)) {
fd1278d7 2555 write_unlock_bh(&list->lock);
1da177e4
LT		 2556 sock_set_flag(sk, SOCK_ZAPPED);
2557 l2cap_sock_kill(sk);
2558 goto response;
2559 }
2560
2561 hci_conn_hold(conn->hcon);
2562
2563 l2cap_sock_init(sk, parent);
2564 bacpy(&bt_sk(sk)->src, conn->src);
2565 bacpy(&bt_sk(sk)->dst, conn->dst);
2566 l2cap_pi(sk)->psm = psm;
2567 l2cap_pi(sk)->dcid = scid;
2568
2569 __l2cap_chan_add(conn, sk, parent);
2570 dcid = l2cap_pi(sk)->scid;
2571
2572 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
2573
1da177e4
LT		 2574 l2cap_pi(sk)->ident = cmd->ident;
2575
984947dc 2576 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
2af6b9d5 2577 if (l2cap_check_security(sk)) {
f66dc81f
MH		 2578 if (bt_sk(sk)->defer_setup) {
2579 sk->sk_state = BT_CONNECT2;
2580 result = L2CAP_CR_PEND;
2581 status = L2CAP_CS_AUTHOR_PEND;
2582 parent->sk_data_ready(parent, 0);
2583 } else {
2584 sk->sk_state = BT_CONFIG;
2585 result = L2CAP_CR_SUCCESS;
2586 status = L2CAP_CS_NO_INFO;
2587 }
79d554a6
MH		 2588 } else {
2589 sk->sk_state = BT_CONNECT2;
2590 result = L2CAP_CR_PEND;
2591 status = L2CAP_CS_AUTHEN_PEND;
2592 }
2593 } else {
2594 sk->sk_state = BT_CONNECT2;
2595 result = L2CAP_CR_PEND;
2596 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2597 }
2598
fd1278d7 2599 write_unlock_bh(&list->lock);
1da177e4
LT		 2600
2601response:
2602 bh_unlock_sock(parent);
2603
2604sendresp:
aca3192c
YH		 2605 rsp.scid = cpu_to_le16(scid);
2606 rsp.dcid = cpu_to_le16(dcid);
2607 rsp.result = cpu_to_le16(result);
2608 rsp.status = cpu_to_le16(status);
1da177e4 2609 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 2610
2611 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
2612 struct l2cap_info_req info;
2613 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2614
2615 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
2616 conn->info_ident = l2cap_get_ident(conn);
2617
2618 mod_timer(&conn->info_timer, jiffies +
2619 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
2620
2621 l2cap_send_cmd(conn, conn->info_ident,
2622 L2CAP_INFO_REQ, sizeof(info), &info);
2623 }
2624
1da177e4
LT		 2625 return 0;
2626}
2627
2628static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2629{
2630 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
2631 u16 scid, dcid, result, status;
2632 struct sock *sk;
2633 u8 req[128];
2634
2635 scid = __le16_to_cpu(rsp->scid);
2636 dcid = __le16_to_cpu(rsp->dcid);
2637 result = __le16_to_cpu(rsp->result);
2638 status = __le16_to_cpu(rsp->status);
2639
2640 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status);
2641
2642 if (scid) {
af05b30b
GP		 2643 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
2644 if (!sk)
1da177e4
LT		 2645 return 0;
2646 } else {
af05b30b
GP		 2647 sk = l2cap_get_chan_by_ident(&conn->chan_list, cmd->ident);
2648 if (!sk)
1da177e4
LT		 2649 return 0;
2650 }
2651
2652 switch (result) {
2653 case L2CAP_CR_SUCCESS:
2654 sk->sk_state = BT_CONFIG;
2655 l2cap_pi(sk)->ident = 0;
2656 l2cap_pi(sk)->dcid = dcid;
2657 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
2658
6a8d3010
MH		 2659 l2cap_pi(sk)->conf_state &= ~L2CAP_CONF_CONNECT_PEND;
2660
1da177e4
LT		 2661 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2662 l2cap_build_conf_req(sk, req), req);
f2fcfcd6 2663 l2cap_pi(sk)->num_conf_req++;
1da177e4
LT		 2664 break;
2665
2666 case L2CAP_CR_PEND:
6a8d3010 2667 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
1da177e4
LT		 2668 break;
2669
2670 default:
2671 l2cap_chan_del(sk, ECONNREFUSED);
2672 break;
2673 }
2674
2675 bh_unlock_sock(sk);
2676 return 0;
2677}
2678
88219a0f 2679static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 2680{
2681 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
2682 u16 dcid, flags;
2683 u8 rsp[64];
2684 struct sock *sk;
5dee9e7c 2685 int len;
1da177e4
LT		 2686
2687 dcid = __le16_to_cpu(req->dcid);
2688 flags = __le16_to_cpu(req->flags);
2689
2690 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
2691
af05b30b
GP		 2692 sk = l2cap_get_chan_by_scid(&conn->chan_list, dcid);
2693 if (!sk)
1da177e4
LT		 2694 return -ENOENT;
2695
354f60a9
MH		 2696 if (sk->sk_state == BT_DISCONN)
2697 goto unlock;
2698
5dee9e7c 2699 /* Reject if config buffer is too small. */
88219a0f 2700 len = cmd_len - sizeof(*req);
5dee9e7c
MH		 2701 if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
2702 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2703 l2cap_build_conf_rsp(sk, rsp,
2704 L2CAP_CONF_REJECT, flags), rsp);
2705 goto unlock;
2706 }
2707
2708 /* Store config. */
2709 memcpy(l2cap_pi(sk)->conf_req + l2cap_pi(sk)->conf_len, req->data, len);
2710 l2cap_pi(sk)->conf_len += len;
1da177e4
LT		 2711
2712 if (flags & 0x0001) {
2713 /* Incomplete config. Send empty response. */
2714 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
5dee9e7c
MH		 2715 l2cap_build_conf_rsp(sk, rsp,
2716 L2CAP_CONF_SUCCESS, 0x0001), rsp);
1da177e4
LT		 2717 goto unlock;
2718 }
2719
2720 /* Complete config. */
5dee9e7c 2721 len = l2cap_parse_conf_req(sk, rsp);
f2fcfcd6 2722 if (len < 0) {
22121fc9 2723 l2cap_send_disconn_req(conn, sk);
1da177e4 2724 goto unlock;
f2fcfcd6 2725 }
1da177e4 2726
5dee9e7c 2727 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
f2fcfcd6 2728 l2cap_pi(sk)->num_conf_rsp++;
5dee9e7c 2729
5dee9e7c
MH		 2730 /* Reset config buffer. */
2731 l2cap_pi(sk)->conf_len = 0;
2732
876d9484
MH		 2733 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE))
2734 goto unlock;
2735
1da177e4 2736 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_INPUT_DONE) {
fcc203c3
GP		 2737 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_NO_FCS_RECV)
2738 || l2cap_pi(sk)->fcs != L2CAP_FCS_NONE)
2739 l2cap_pi(sk)->fcs = L2CAP_FCS_CRC16;
2740
1da177e4 2741 sk->sk_state = BT_CONNECTED;
1c2acffb
GP		 2742 l2cap_pi(sk)->next_tx_seq = 0;
2743 l2cap_pi(sk)->expected_ack_seq = 0;
2744 l2cap_pi(sk)->unacked_frames = 0;
e90bac06
GP		 2745
2746 setup_timer(&l2cap_pi(sk)->retrans_timer,
2747 l2cap_retrans_timeout, (unsigned long) sk);
2748 setup_timer(&l2cap_pi(sk)->monitor_timer,
2749 l2cap_monitor_timeout, (unsigned long) sk);
2750
1c2acffb 2751 __skb_queue_head_init(TX_QUEUE(sk));
8f17154f 2752 __skb_queue_head_init(SREJ_QUEUE(sk));
1da177e4 2753 l2cap_chan_ready(sk);
876d9484
MH		 2754 goto unlock;
2755 }
2756
2757 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT)) {
79d554a6 2758 u8 buf[64];
1da177e4 2759 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
79d554a6 2760 l2cap_build_conf_req(sk, buf), buf);
f2fcfcd6 2761 l2cap_pi(sk)->num_conf_req++;
1da177e4
LT		 2762 }
2763
2764unlock:
2765 bh_unlock_sock(sk);
2766 return 0;
2767}
2768
2769static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2770{
2771 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
2772 u16 scid, flags, result;
2773 struct sock *sk;
2774
2775 scid = __le16_to_cpu(rsp->scid);
2776 flags = __le16_to_cpu(rsp->flags);
2777 result = __le16_to_cpu(rsp->result);
2778
af05b30b
GP		 2779 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x",
2780 scid, flags, result);
1da177e4 2781
af05b30b
GP		 2782 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
2783 if (!sk)
1da177e4
LT		 2784 return 0;
2785
2786 switch (result) {
2787 case L2CAP_CONF_SUCCESS:
2788 break;
2789
2790 case L2CAP_CONF_UNACCEPT:
f2fcfcd6
GP		 2791 if (l2cap_pi(sk)->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
2792 int len = cmd->len - sizeof(*rsp);
2793 char req[64];
2794
2795 /* throw out any old stored conf requests */
2796 result = L2CAP_CONF_SUCCESS;
2797 len = l2cap_parse_conf_rsp(sk, rsp->data,
2798 len, req, &result);
2799 if (len < 0) {
22121fc9 2800 l2cap_send_disconn_req(conn, sk);
f2fcfcd6
GP		 2801 goto done;
2802 }
2803
2804 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2805 L2CAP_CONF_REQ, len, req);
2806 l2cap_pi(sk)->num_conf_req++;
2807 if (result != L2CAP_CONF_SUCCESS)
2808 goto done;
2809 break;
1da177e4
LT		 2810 }
2811
8e87d142 2812 default:
1da177e4 2813 sk->sk_state = BT_DISCONN;
b1235d79 2814 sk->sk_err = ECONNRESET;
1da177e4 2815 l2cap_sock_set_timer(sk, HZ * 5);
22121fc9 2816 l2cap_send_disconn_req(conn, sk);
1da177e4
LT		 2817 goto done;
2818 }
2819
2820 if (flags & 0x01)
2821 goto done;
2822
1da177e4
LT		 2823 l2cap_pi(sk)->conf_state |= L2CAP_CONF_INPUT_DONE;
2824
2825 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE) {
fcc203c3
GP		 2826 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_NO_FCS_RECV)
2827 || l2cap_pi(sk)->fcs != L2CAP_FCS_NONE)
2828 l2cap_pi(sk)->fcs = L2CAP_FCS_CRC16;
2829
1da177e4 2830 sk->sk_state = BT_CONNECTED;
1c2acffb 2831 l2cap_pi(sk)->expected_tx_seq = 0;
8f17154f 2832 l2cap_pi(sk)->buffer_seq = 0;
1c2acffb
GP		 2833 l2cap_pi(sk)->num_to_ack = 0;
2834 __skb_queue_head_init(TX_QUEUE(sk));
8f17154f 2835 __skb_queue_head_init(SREJ_QUEUE(sk));
1da177e4
LT		 2836 l2cap_chan_ready(sk);
2837 }
2838
2839done:
2840 bh_unlock_sock(sk);
2841 return 0;
2842}
2843
2844static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2845{
2846 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
2847 struct l2cap_disconn_rsp rsp;
2848 u16 dcid, scid;
2849 struct sock *sk;
2850
2851 scid = __le16_to_cpu(req->scid);
2852 dcid = __le16_to_cpu(req->dcid);
2853
2854 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
2855
af05b30b
GP		 2856 sk = l2cap_get_chan_by_scid(&conn->chan_list, dcid);
2857 if (!sk)
1da177e4
LT		 2858 return 0;
2859
aca3192c
YH		 2860 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
2861 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
1da177e4
LT		 2862 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
2863
2864 sk->sk_shutdown = SHUTDOWN_MASK;
2865
1c2acffb 2866 skb_queue_purge(TX_QUEUE(sk));
8f17154f 2867 skb_queue_purge(SREJ_QUEUE(sk));
e90bac06
GP		 2868 del_timer(&l2cap_pi(sk)->retrans_timer);
2869 del_timer(&l2cap_pi(sk)->monitor_timer);
1c2acffb 2870
1da177e4
LT		 2871 l2cap_chan_del(sk, ECONNRESET);
2872 bh_unlock_sock(sk);
2873
2874 l2cap_sock_kill(sk);
2875 return 0;
2876}
2877
2878static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2879{
2880 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
2881 u16 dcid, scid;
2882 struct sock *sk;
2883
2884 scid = __le16_to_cpu(rsp->scid);
2885 dcid = __le16_to_cpu(rsp->dcid);
2886
2887 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
2888
af05b30b
GP		 2889 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
2890 if (!sk)
1da177e4
LT		 2891 return 0;
2892
1c2acffb 2893 skb_queue_purge(TX_QUEUE(sk));
8f17154f 2894 skb_queue_purge(SREJ_QUEUE(sk));
e90bac06
GP		 2895 del_timer(&l2cap_pi(sk)->retrans_timer);
2896 del_timer(&l2cap_pi(sk)->monitor_timer);
1c2acffb 2897
1da177e4
LT		 2898 l2cap_chan_del(sk, 0);
2899 bh_unlock_sock(sk);
2900
2901 l2cap_sock_kill(sk);
2902 return 0;
2903}
2904
2905static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2906{
2907 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 2908 u16 type;
2909
2910 type = __le16_to_cpu(req->type);
2911
2912 BT_DBG("type 0x%4.4x", type);
2913
f0709e03
MH		 2914 if (type == L2CAP_IT_FEAT_MASK) {
2915 u8 buf[8];
44dd46de 2916 u32 feat_mask = l2cap_feat_mask;
f0709e03
MH		 2917 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2918 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2919 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
44dd46de 2920 if (enable_ertm)
fcc203c3
GP		 2921 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
2922 | L2CAP_FEAT_FCS;
44dd46de 2923 put_unaligned(cpu_to_le32(feat_mask), (__le32 *) rsp->data);
f0709e03
MH		 2924 l2cap_send_cmd(conn, cmd->ident,
2925 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 2926 } else if (type == L2CAP_IT_FIXED_CHAN) {
2927 u8 buf[12];
2928 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2929 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2930 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
2931 memcpy(buf + 4, l2cap_fixed_chan, 8);
2932 l2cap_send_cmd(conn, cmd->ident,
2933 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 2934 } else {
2935 struct l2cap_info_rsp rsp;
2936 rsp.type = cpu_to_le16(type);
2937 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
2938 l2cap_send_cmd(conn, cmd->ident,
2939 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
2940 }
1da177e4
LT		 2941
2942 return 0;
2943}
2944
2945static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2946{
2947 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
2948 u16 type, result;
2949
2950 type = __le16_to_cpu(rsp->type);
2951 result = __le16_to_cpu(rsp->result);
2952
2953 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
2954
4e8402a3
MH		 2955 del_timer(&conn->info_timer);
2956
984947dc 2957 if (type == L2CAP_IT_FEAT_MASK) {
83985319 2958 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 2959
47ec1dcd 2960 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c
MH		 2961 struct l2cap_info_req req;
2962 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2963
2964 conn->info_ident = l2cap_get_ident(conn);
2965
2966 l2cap_send_cmd(conn, conn->info_ident,
2967 L2CAP_INFO_REQ, sizeof(req), &req);
2968 } else {
2969 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2970 conn->info_ident = 0;
2971
2972 l2cap_conn_start(conn);
2973 }
2974 } else if (type == L2CAP_IT_FIXED_CHAN) {
984947dc 2975 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2976 conn->info_ident = 0;
984947dc
MH		 2977
2978 l2cap_conn_start(conn);
2979 }
4e8402a3 2980
1da177e4
LT		 2981 return 0;
2982}
2983
2984static inline void l2cap_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb)
2985{
2986 u8 *data = skb->data;
2987 int len = skb->len;
2988 struct l2cap_cmd_hdr cmd;
2989 int err = 0;
2990
2991 l2cap_raw_recv(conn, skb);
2992
2993 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 2994 u16 cmd_len;
1da177e4
LT		 2995 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
2996 data += L2CAP_CMD_HDR_SIZE;
2997 len -= L2CAP_CMD_HDR_SIZE;
2998
88219a0f 2999 cmd_len = le16_to_cpu(cmd.len);
1da177e4 3000
88219a0f 3001 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 3002
88219a0f 3003 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 3004 BT_DBG("corrupted command");
3005 break;
3006 }
3007
3008 switch (cmd.code) {
3009 case L2CAP_COMMAND_REJ:
4e8402a3 3010 l2cap_command_rej(conn, &cmd, data);
1da177e4
LT		 3011 break;
3012
3013 case L2CAP_CONN_REQ:
3014 err = l2cap_connect_req(conn, &cmd, data);
3015 break;
3016
3017 case L2CAP_CONN_RSP:
3018 err = l2cap_connect_rsp(conn, &cmd, data);
3019 break;
3020
3021 case L2CAP_CONF_REQ:
88219a0f 3022 err = l2cap_config_req(conn, &cmd, cmd_len, data);
1da177e4
LT		 3023 break;
3024
3025 case L2CAP_CONF_RSP:
3026 err = l2cap_config_rsp(conn, &cmd, data);
3027 break;
3028
3029 case L2CAP_DISCONN_REQ:
3030 err = l2cap_disconnect_req(conn, &cmd, data);
3031 break;
3032
3033 case L2CAP_DISCONN_RSP:
3034 err = l2cap_disconnect_rsp(conn, &cmd, data);
3035 break;
3036
3037 case L2CAP_ECHO_REQ:
88219a0f 3038 l2cap_send_cmd(conn, cmd.ident, L2CAP_ECHO_RSP, cmd_len, data);
1da177e4
LT		 3039 break;
3040
3041 case L2CAP_ECHO_RSP:
3042 break;
3043
3044 case L2CAP_INFO_REQ:
3045 err = l2cap_information_req(conn, &cmd, data);
3046 break;
3047
3048 case L2CAP_INFO_RSP:
3049 err = l2cap_information_rsp(conn, &cmd, data);
3050 break;
3051
3052 default:
3053 BT_ERR("Unknown signaling command 0x%2.2x", cmd.code);
3054 err = -EINVAL;
3055 break;
3056 }
3057
3058 if (err) {
3059 struct l2cap_cmd_rej rej;
3060 BT_DBG("error %d", err);
3061
3062 /* FIXME: Map err to a valid reason */
aca3192c 3063 rej.reason = cpu_to_le16(0);
1da177e4
LT		 3064 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3065 }
3066
88219a0f
AV		 3067 data += cmd_len;
3068 len -= cmd_len;
1da177e4
LT		 3069 }
3070
3071 kfree_skb(skb);
3072}
3073
fcc203c3
GP		 3074static int l2cap_check_fcs(struct l2cap_pinfo *pi, struct sk_buff *skb)
3075{
3076 u16 our_fcs, rcv_fcs;
3077 int hdr_size = L2CAP_HDR_SIZE + 2;
3078
3079 if (pi->fcs == L2CAP_FCS_CRC16) {
3080 skb_trim(skb, skb->len - 2);
3081 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
3082 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
3083
3084 if (our_fcs != rcv_fcs)
3085 return -EINVAL;
3086 }
3087 return 0;
3088}
3089
8f17154f
GP		 3090static void l2cap_add_to_srej_queue(struct sock *sk, struct sk_buff *skb, u8 tx_seq, u8 sar)
3091{
3092 struct sk_buff *next_skb;
3093
3094 bt_cb(skb)->tx_seq = tx_seq;
3095 bt_cb(skb)->sar = sar;
3096
3097 next_skb = skb_peek(SREJ_QUEUE(sk));
3098 if (!next_skb) {
3099 __skb_queue_tail(SREJ_QUEUE(sk), skb);
3100 return;
3101 }
3102
3103 do {
3104 if (bt_cb(next_skb)->tx_seq > tx_seq) {
3105 __skb_queue_before(SREJ_QUEUE(sk), next_skb, skb);
3106 return;
3107 }
3108
3109 if (skb_queue_is_last(SREJ_QUEUE(sk), next_skb))
3110 break;
3111
3112 } while((next_skb = skb_queue_next(SREJ_QUEUE(sk), next_skb)));
3113
3114 __skb_queue_tail(SREJ_QUEUE(sk), skb);
3115}
3116
c74e560c
GP		 3117static int l2cap_sar_reassembly_sdu(struct sock *sk, struct sk_buff *skb, u16 control)
3118{
3119 struct l2cap_pinfo *pi = l2cap_pi(sk);
3120 struct sk_buff *_skb;
3121 int err = -EINVAL;
3122
3123 switch (control & L2CAP_CTRL_SAR) {
3124 case L2CAP_SDU_UNSEGMENTED:
3125 if (pi->conn_state & L2CAP_CONN_SAR_SDU) {
3126 kfree_skb(pi->sdu);
3127 break;
3128 }
3129
3130 err = sock_queue_rcv_skb(sk, skb);
3131 if (!err)
3132 return 0;
3133
3134 break;
3135
3136 case L2CAP_SDU_START:
3137 if (pi->conn_state & L2CAP_CONN_SAR_SDU) {
3138 kfree_skb(pi->sdu);
3139 break;
3140 }
3141
3142 pi->sdu_len = get_unaligned_le16(skb->data);
3143 skb_pull(skb, 2);
3144
3145 pi->sdu = bt_skb_alloc(pi->sdu_len, GFP_ATOMIC);
3146 if (!pi->sdu) {
3147 err = -ENOMEM;
3148 break;
3149 }
3150
3151 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3152
3153 pi->conn_state |= L2CAP_CONN_SAR_SDU;
3154 pi->partial_sdu_len = skb->len;
3155 err = 0;
3156 break;
3157
3158 case L2CAP_SDU_CONTINUE:
3159 if (!(pi->conn_state & L2CAP_CONN_SAR_SDU))
3160 break;
3161
3162 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3163
3164 pi->partial_sdu_len += skb->len;
3165 if (pi->partial_sdu_len > pi->sdu_len)
3166 kfree_skb(pi->sdu);
3167 else
3168 err = 0;
3169
3170 break;
3171
3172 case L2CAP_SDU_END:
3173 if (!(pi->conn_state & L2CAP_CONN_SAR_SDU))
3174 break;
3175
3176 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3177
3178 pi->conn_state &= ~L2CAP_CONN_SAR_SDU;
3179 pi->partial_sdu_len += skb->len;
3180
3181 if (pi->partial_sdu_len == pi->sdu_len) {
3182 _skb = skb_clone(pi->sdu, GFP_ATOMIC);
3183 err = sock_queue_rcv_skb(sk, _skb);
3184 if (err < 0)
3185 kfree_skb(_skb);
3186 }
3187 kfree_skb(pi->sdu);
3188 err = 0;
3189
3190 break;
3191 }
3192
3193 kfree_skb(skb);
3194 return err;
3195}
3196
8f17154f
GP		 3197static void l2cap_check_srej_gap(struct sock *sk, u8 tx_seq)
3198{
3199 struct sk_buff *skb;
3200 u16 control = 0;
3201
3202 while((skb = skb_peek(SREJ_QUEUE(sk)))) {
3203 if (bt_cb(skb)->tx_seq != tx_seq)
3204 break;
3205
3206 skb = skb_dequeue(SREJ_QUEUE(sk));
3207 control |= bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
3208 l2cap_sar_reassembly_sdu(sk, skb, control);
3209 l2cap_pi(sk)->buffer_seq_srej =
3210 (l2cap_pi(sk)->buffer_seq_srej + 1) % 64;
3211 tx_seq++;
3212 }
3213}
3214
3215static void l2cap_resend_srejframe(struct sock *sk, u8 tx_seq)
3216{
3217 struct l2cap_pinfo *pi = l2cap_pi(sk);
3218 struct srej_list *l, *tmp;
3219 u16 control;
3220
3221 list_for_each_entry_safe(l,tmp, SREJ_LIST(sk), list) {
3222 if (l->tx_seq == tx_seq) {
3223 list_del(&l->list);
3224 kfree(l);
3225 return;
3226 }
3227 control = L2CAP_SUPER_SELECT_REJECT;
3228 control |= l->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3229 l2cap_send_sframe(pi, control);
3230 list_del(&l->list);
3231 list_add_tail(&l->list, SREJ_LIST(sk));
3232 }
3233}
3234
3235static void l2cap_send_srejframe(struct sock *sk, u8 tx_seq)
3236{
3237 struct l2cap_pinfo *pi = l2cap_pi(sk);
3238 struct srej_list *new;
3239 u16 control;
3240
3241 while (tx_seq != pi->expected_tx_seq) {
3242 control = L2CAP_SUPER_SELECT_REJECT;
3243 control |= pi->expected_tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
ef54fd93
GP		 3244 if (pi->conn_state & L2CAP_CONN_SEND_PBIT) {
3245 control |= L2CAP_CTRL_POLL;
3246 pi->conn_state &= ~L2CAP_CONN_SEND_PBIT;
3247 }
8f17154f
GP		 3248 l2cap_send_sframe(pi, control);
3249
3250 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
3251 new->tx_seq = pi->expected_tx_seq++;
3252 list_add_tail(&new->list, SREJ_LIST(sk));
3253 }
3254 pi->expected_tx_seq++;
3255}
3256
1c2acffb
GP		 3257static inline int l2cap_data_channel_iframe(struct sock *sk, u16 rx_control, struct sk_buff *skb)
3258{
3259 struct l2cap_pinfo *pi = l2cap_pi(sk);
3260 u8 tx_seq = __get_txseq(rx_control);
3261 u16 tx_control = 0;
8f17154f 3262 u8 sar = rx_control >> L2CAP_CTRL_SAR_SHIFT;
1c2acffb
GP		 3263 int err = 0;
3264
3265 BT_DBG("sk %p rx_control 0x%4.4x len %d", sk, rx_control, skb->len);
3266
8f17154f
GP		 3267 if (tx_seq == pi->expected_tx_seq)
3268 goto expected;
1c2acffb 3269
8f17154f
GP		 3270 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
3271 struct srej_list *first;
30afb5b2 3272
8f17154f
GP		 3273 first = list_first_entry(SREJ_LIST(sk),
3274 struct srej_list, list);
3275 if (tx_seq == first->tx_seq) {
3276 l2cap_add_to_srej_queue(sk, skb, tx_seq, sar);
3277 l2cap_check_srej_gap(sk, tx_seq);
3278
3279 list_del(&first->list);
3280 kfree(first);
3281
3282 if (list_empty(SREJ_LIST(sk))) {
3283 pi->buffer_seq = pi->buffer_seq_srej;
3284 pi->conn_state &= ~L2CAP_CONN_SREJ_SENT;
3285 }
3286 } else {
3287 struct srej_list *l;
3288 l2cap_add_to_srej_queue(sk, skb, tx_seq, sar);
3289
3290 list_for_each_entry(l, SREJ_LIST(sk), list) {
3291 if (l->tx_seq == tx_seq) {
3292 l2cap_resend_srejframe(sk, tx_seq);
3293 return 0;
3294 }
3295 }
3296 l2cap_send_srejframe(sk, tx_seq);
30afb5b2
GP		 3297 }
3298 } else {
8f17154f 3299 pi->conn_state |= L2CAP_CONN_SREJ_SENT;
1c2acffb 3300
8f17154f
GP		 3301 INIT_LIST_HEAD(SREJ_LIST(sk));
3302 pi->buffer_seq_srej = pi->buffer_seq;
3303
3304 __skb_queue_head_init(SREJ_QUEUE(sk));
3305 l2cap_add_to_srej_queue(sk, skb, tx_seq, sar);
3306
ef54fd93
GP		 3307 pi->conn_state |= L2CAP_CONN_SEND_PBIT;
3308
8f17154f 3309 l2cap_send_srejframe(sk, tx_seq);
1c2acffb 3310 }
30afb5b2
GP		 3311 return 0;
3312
8f17154f
GP		 3313expected:
3314 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
3315
3316 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
3317 l2cap_add_to_srej_queue(sk, skb, tx_seq, sar);
3318 return 0;
3319 }
3320
3321 pi->buffer_seq = (pi->buffer_seq + 1) % 64;
3322
3323 err = l2cap_sar_reassembly_sdu(sk, skb, rx_control);
3324 if (err < 0)
3325 return err;
3326
3327 pi->num_to_ack = (pi->num_to_ack + 1) % L2CAP_DEFAULT_NUM_TO_ACK;
3328 if (pi->num_to_ack == L2CAP_DEFAULT_NUM_TO_ACK - 1) {
3329 tx_control |= L2CAP_SUPER_RCV_READY;
3330 tx_control |= pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3331 l2cap_send_sframe(pi, tx_control);
3332 }
3333 return 0;
1c2acffb
GP		 3334}
3335
3336static inline int l2cap_data_channel_sframe(struct sock *sk, u16 rx_control, struct sk_buff *skb)
3337{
3338 struct l2cap_pinfo *pi = l2cap_pi(sk);
8f17154f 3339 u8 tx_seq = __get_reqseq(rx_control);
1c2acffb
GP		 3340
3341 BT_DBG("sk %p rx_control 0x%4.4x len %d", sk, rx_control, skb->len);
3342
3343 switch (rx_control & L2CAP_CTRL_SUPERVISE) {
3344 case L2CAP_SUPER_RCV_READY:
e90bac06
GP		 3345 if (rx_control & L2CAP_CTRL_POLL) {
3346 u16 control = L2CAP_CTRL_FINAL;
3347 control |= L2CAP_SUPER_RCV_READY;
3348 l2cap_send_sframe(l2cap_pi(sk), control);
3349 } else if (rx_control & L2CAP_CTRL_FINAL) {
3350 if (!(pi->conn_state & L2CAP_CONN_WAIT_F))
3351 break;
3352
3353 pi->conn_state &= ~L2CAP_CONN_WAIT_F;
3354 del_timer(&pi->monitor_timer);
3355
3356 if (pi->unacked_frames > 0)
3357 __mod_retrans_timer();
3358 } else {
8f17154f 3359 pi->expected_ack_seq = tx_seq;
e90bac06
GP		 3360 l2cap_drop_acked_frames(sk);
3361 if (pi->unacked_frames > 0)
3362 __mod_retrans_timer();
3363 l2cap_ertm_send(sk);
3364 }
1c2acffb
GP		 3365 break;
3366
1c2acffb 3367 case L2CAP_SUPER_REJECT:
30afb5b2
GP		 3368 pi->expected_ack_seq = __get_reqseq(rx_control);
3369 l2cap_drop_acked_frames(sk);
3370
3371 sk->sk_send_head = TX_QUEUE(sk)->next;
3372 pi->next_tx_seq = pi->expected_ack_seq;
3373
3374 l2cap_ertm_send(sk);
3375
3376 break;
3377
1c2acffb 3378 case L2CAP_SUPER_SELECT_REJECT:
ef54fd93
GP		 3379 if (rx_control & L2CAP_CTRL_POLL) {
3380 l2cap_retransmit_frame(sk, tx_seq);
3381 pi->expected_ack_seq = tx_seq;
3382 l2cap_drop_acked_frames(sk);
3383 l2cap_ertm_send(sk);
3384 if (pi->conn_state & L2CAP_CONN_WAIT_F) {
3385 pi->srej_save_reqseq = tx_seq;
3386 pi->conn_state |= L2CAP_CONN_SREJ_ACT;
3387 }
3388 } else if (rx_control & L2CAP_CTRL_FINAL) {
3389 if ((pi->conn_state & L2CAP_CONN_SREJ_ACT) &&
3390 pi->srej_save_reqseq == tx_seq)
3391 pi->srej_save_reqseq &= ~L2CAP_CONN_SREJ_ACT;
3392 else
3393 l2cap_retransmit_frame(sk, tx_seq);
3394 }
3395 else {
3396 l2cap_retransmit_frame(sk, tx_seq);
3397 if (pi->conn_state & L2CAP_CONN_WAIT_F) {
3398 pi->srej_save_reqseq = tx_seq;
3399 pi->conn_state |= L2CAP_CONN_SREJ_ACT;
3400 }
3401 }
8f17154f
GP		 3402 break;
3403
3404 case L2CAP_SUPER_RCV_NOT_READY:
1c2acffb
GP		 3405 break;
3406 }
3407
3408 return 0;
3409}
3410
1da177e4
LT		 3411static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
3412{
3413 struct sock *sk;
6840ed07 3414 struct l2cap_pinfo *pi;
c74e560c 3415 u16 control, len;
6840ed07 3416 u8 tx_seq;
1c2acffb 3417 int err;
1da177e4
LT		 3418
3419 sk = l2cap_get_chan_by_scid(&conn->chan_list, cid);
3420 if (!sk) {
3421 BT_DBG("unknown cid 0x%4.4x", cid);
3422 goto drop;
3423 }
3424
6840ed07
GP		 3425 pi = l2cap_pi(sk);
3426
1da177e4
LT		 3427 BT_DBG("sk %p, len %d", sk, skb->len);
3428
3429 if (sk->sk_state != BT_CONNECTED)
3430 goto drop;
3431
6840ed07 3432 switch (pi->mode) {
1c2acffb
GP		 3433 case L2CAP_MODE_BASIC:
3434 /* If socket recv buffers overflows we drop data here
3435 * which is *bad* because L2CAP has to be reliable.
3436 * But we don't have any other choice. L2CAP doesn't
3437 * provide flow control mechanism. */
1da177e4 3438
6840ed07 3439 if (pi->imtu < skb->len)
1c2acffb 3440 goto drop;
1da177e4 3441
1c2acffb
GP		 3442 if (!sock_queue_rcv_skb(sk, skb))
3443 goto done;
3444 break;
3445
3446 case L2CAP_MODE_ERTM:
3447 control = get_unaligned_le16(skb->data);
3448 skb_pull(skb, 2);
c74e560c 3449 len = skb->len;
1c2acffb 3450
c74e560c
GP		 3451 if (__is_sar_start(control))
3452 len -= 2;
3453
fcc203c3
GP		 3454 if (pi->fcs == L2CAP_FCS_CRC16)
3455 len -= 2;
3456
30afb5b2
GP		 3457 /*
3458 * We can just drop the corrupted I-frame here.
3459 * Receiver will miss it and start proper recovery
3460 * procedures and ask retransmission.
3461 */
c74e560c 3462 if (len > L2CAP_DEFAULT_MAX_PDU_SIZE)
1c2acffb
GP		 3463 goto drop;
3464
fcc203c3
GP		 3465 if (l2cap_check_fcs(pi, skb))
3466 goto drop;
3467
1c2acffb
GP		 3468 if (__is_iframe(control))
3469 err = l2cap_data_channel_iframe(sk, control, skb);
3470 else
3471 err = l2cap_data_channel_sframe(sk, control, skb);
3472
3473 if (!err)
3474 goto done;
3475 break;
3476
6840ed07
GP		 3477 case L2CAP_MODE_STREAMING:
3478 control = get_unaligned_le16(skb->data);
3479 skb_pull(skb, 2);
3480 len = skb->len;
3481
3482 if (__is_sar_start(control))
3483 len -= 2;
3484
fcc203c3
GP		 3485 if (pi->fcs == L2CAP_FCS_CRC16)
3486 len -= 2;
3487
6840ed07
GP		 3488 if (len > L2CAP_DEFAULT_MAX_PDU_SIZE || __is_sframe(control))
3489 goto drop;
3490
fcc203c3
GP		 3491 if (l2cap_check_fcs(pi, skb))
3492 goto drop;
3493
6840ed07
GP		 3494 tx_seq = __get_txseq(control);
3495
3496 if (pi->expected_tx_seq == tx_seq)
3497 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
3498 else
3499 pi->expected_tx_seq = tx_seq + 1;
3500
3501 err = l2cap_sar_reassembly_sdu(sk, skb, control);
3502
3503 goto done;
3504
1c2acffb
GP		 3505 default:
3506 BT_DBG("sk %p: bad mode 0x%2.2x", sk, l2cap_pi(sk)->mode);
3507 break;
3508 }
1da177e4
LT		 3509
3510drop:
3511 kfree_skb(skb);
3512
3513done:
0139418c
MH		 3514 if (sk)
3515 bh_unlock_sock(sk);
3516
1da177e4
LT		 3517 return 0;
3518}
3519
8e036fc3 3520static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
1da177e4
LT		 3521{
3522 struct sock *sk;
3523
3524 sk = l2cap_get_sock_by_psm(0, psm, conn->src);
3525 if (!sk)
3526 goto drop;
3527
3528 BT_DBG("sk %p, len %d", sk, skb->len);
3529
3530 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_CONNECTED)
3531 goto drop;
3532
3533 if (l2cap_pi(sk)->imtu < skb->len)
3534 goto drop;
3535
3536 if (!sock_queue_rcv_skb(sk, skb))
3537 goto done;
3538
3539drop:
3540 kfree_skb(skb);
3541
3542done:
af05b30b
GP		 3543 if (sk)
3544 bh_unlock_sock(sk);
1da177e4
LT		 3545 return 0;
3546}
3547
3548static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
3549{
3550 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 3551 u16 cid, len;
3552 __le16 psm;
1da177e4
LT		 3553
3554 skb_pull(skb, L2CAP_HDR_SIZE);
3555 cid = __le16_to_cpu(lh->cid);
3556 len = __le16_to_cpu(lh->len);
3557
1c2acffb
GP		 3558 if (len != skb->len) {
3559 kfree_skb(skb);
3560 return;
3561 }
3562
1da177e4
LT		 3563 BT_DBG("len %d, cid 0x%4.4x", len, cid);
3564
3565 switch (cid) {
8db4dc46 3566 case L2CAP_CID_SIGNALING:
1da177e4
LT		 3567 l2cap_sig_channel(conn, skb);
3568 break;
3569
8db4dc46 3570 case L2CAP_CID_CONN_LESS:
8e036fc3 3571 psm = get_unaligned((__le16 *) skb->data);
1da177e4
LT		 3572 skb_pull(skb, 2);
3573 l2cap_conless_channel(conn, psm, skb);
3574 break;
3575
3576 default:
3577 l2cap_data_channel(conn, cid, skb);
3578 break;
3579 }
3580}
3581
3582/* ---- L2CAP interface with lower layer (HCI) ---- */
3583
3584static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
3585{
3586 int exact = 0, lm1 = 0, lm2 = 0;
3587 register struct sock *sk;
3588 struct hlist_node *node;
3589
3590 if (type != ACL_LINK)
3591 return 0;
3592
3593 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
3594
3595 /* Find listening sockets and check their link_mode */
3596 read_lock(&l2cap_sk_list.lock);
3597 sk_for_each(sk, node, &l2cap_sk_list.head) {
3598 if (sk->sk_state != BT_LISTEN)
3599 continue;
3600
3601 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5
MH		 3602 lm1 |= HCI_LM_ACCEPT;
3603 if (l2cap_pi(sk)->role_switch)
3604 lm1 |= HCI_LM_MASTER;
1da177e4 3605 exact++;
2af6b9d5
MH		 3606 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
3607 lm2 |= HCI_LM_ACCEPT;
3608 if (l2cap_pi(sk)->role_switch)
3609 lm2 |= HCI_LM_MASTER;
3610 }
1da177e4
LT		 3611 }
3612 read_unlock(&l2cap_sk_list.lock);
3613
3614 return exact ? lm1 : lm2;
3615}
3616
3617static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
3618{
0139418c
MH		 3619 struct l2cap_conn *conn;
3620
1da177e4
LT		 3621 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
3622
3623 if (hcon->type != ACL_LINK)
3624 return 0;
3625
3626 if (!status) {
1da177e4
LT		 3627 conn = l2cap_conn_add(hcon, status);
3628 if (conn)
3629 l2cap_conn_ready(conn);
0139418c 3630 } else
1da177e4
LT		 3631 l2cap_conn_del(hcon, bt_err(status));
3632
3633 return 0;
3634}
3635
2950f21a
MH		 3636static int l2cap_disconn_ind(struct hci_conn *hcon)
3637{
3638 struct l2cap_conn *conn = hcon->l2cap_data;
3639
3640 BT_DBG("hcon %p", hcon);
3641
3642 if (hcon->type != ACL_LINK || !conn)
3643 return 0x13;
3644
3645 return conn->disc_reason;
3646}
3647
3648static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 3649{
3650 BT_DBG("hcon %p reason %d", hcon, reason);
3651
3652 if (hcon->type != ACL_LINK)
3653 return 0;
3654
3655 l2cap_conn_del(hcon, bt_err(reason));
0139418c 3656
1da177e4
LT		 3657 return 0;
3658}
3659
f62e4323
MH		 3660static inline void l2cap_check_encryption(struct sock *sk, u8 encrypt)
3661{
255c7601
MH		 3662 if (sk->sk_type != SOCK_SEQPACKET)
3663 return;
3664
f62e4323
MH		 3665 if (encrypt == 0x00) {
3666 if (l2cap_pi(sk)->sec_level == BT_SECURITY_MEDIUM) {
3667 l2cap_sock_clear_timer(sk);
3668 l2cap_sock_set_timer(sk, HZ * 5);
3669 } else if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
3670 __l2cap_sock_close(sk, ECONNREFUSED);
3671 } else {
3672 if (l2cap_pi(sk)->sec_level == BT_SECURITY_MEDIUM)
3673 l2cap_sock_clear_timer(sk);
3674 }
3675}
3676
8c1b2355 3677static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4
LT		 3678{
3679 struct l2cap_chan_list *l;
0139418c 3680 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4 3681 struct sock *sk;
1da177e4 3682
0139418c 3683 if (!conn)
1da177e4 3684 return 0;
0139418c 3685
1da177e4
LT		 3686 l = &conn->chan_list;
3687
3688 BT_DBG("conn %p", conn);
3689
3690 read_lock(&l->lock);
3691
3692 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
3693 bh_lock_sock(sk);
3694
6a8d3010
MH		 3695 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_CONNECT_PEND) {
3696 bh_unlock_sock(sk);
3697 continue;
3698 }
3699
f62e4323 3700 if (!status && (sk->sk_state == BT_CONNECTED ||
8c1b2355 3701 sk->sk_state == BT_CONFIG)) {
f62e4323 3702 l2cap_check_encryption(sk, encrypt);
9719f8af
MH		 3703 bh_unlock_sock(sk);
3704 continue;
3705 }
3706
b1235d79
MH		 3707 if (sk->sk_state == BT_CONNECT) {
3708 if (!status) {
3709 struct l2cap_conn_req req;
3710 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
3711 req.psm = l2cap_pi(sk)->psm;
1da177e4 3712
b1235d79 3713 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
1da177e4 3714
b1235d79
MH		 3715 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
3716 L2CAP_CONN_REQ, sizeof(req), &req);
3717 } else {
3718 l2cap_sock_clear_timer(sk);
3719 l2cap_sock_set_timer(sk, HZ / 10);
3720 }
3721 } else if (sk->sk_state == BT_CONNECT2) {
3722 struct l2cap_conn_rsp rsp;
3723 __u16 result;
1da177e4 3724
b1235d79
MH		 3725 if (!status) {
3726 sk->sk_state = BT_CONFIG;
3727 result = L2CAP_CR_SUCCESS;
3728 } else {
3729 sk->sk_state = BT_DISCONN;
3730 l2cap_sock_set_timer(sk, HZ / 10);
3731 result = L2CAP_CR_SEC_BLOCK;
3732 }
3733
3734 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
3735 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
3736 rsp.result = cpu_to_le16(result);
e7c29cb1 3737 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
b1235d79
MH		 3738 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
3739 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
3740 }
1da177e4
LT		 3741
3742 bh_unlock_sock(sk);
3743 }
3744
3745 read_unlock(&l->lock);
b1235d79 3746
1da177e4
LT		 3747 return 0;
3748}
3749
3750static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
3751{
3752 struct l2cap_conn *conn = hcon->l2cap_data;
3753
3754 if (!conn && !(conn = l2cap_conn_add(hcon, 0)))
3755 goto drop;
3756
3757 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
3758
3759 if (flags & ACL_START) {
3760 struct l2cap_hdr *hdr;
3761 int len;
3762
3763 if (conn->rx_len) {
3764 BT_ERR("Unexpected start frame (len %d)", skb->len);
3765 kfree_skb(conn->rx_skb);
3766 conn->rx_skb = NULL;
3767 conn->rx_len = 0;
3768 l2cap_conn_unreliable(conn, ECOMM);
3769 }
3770
3771 if (skb->len < 2) {
3772 BT_ERR("Frame is too short (len %d)", skb->len);
3773 l2cap_conn_unreliable(conn, ECOMM);
3774 goto drop;
3775 }
3776
3777 hdr = (struct l2cap_hdr *) skb->data;
3778 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
3779
3780 if (len == skb->len) {
3781 /* Complete frame received */
3782 l2cap_recv_frame(conn, skb);
3783 return 0;
3784 }
3785
3786 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
3787
3788 if (skb->len > len) {
3789 BT_ERR("Frame is too long (len %d, expected len %d)",
3790 skb->len, len);
3791 l2cap_conn_unreliable(conn, ECOMM);
3792 goto drop;
3793 }
3794
3795 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 3796 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
3797 if (!conn->rx_skb)
1da177e4
LT		 3798 goto drop;
3799
d626f62b 3800 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 3801 skb->len);
1da177e4
LT		 3802 conn->rx_len = len - skb->len;
3803 } else {
3804 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
3805
3806 if (!conn->rx_len) {
3807 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
3808 l2cap_conn_unreliable(conn, ECOMM);
3809 goto drop;
3810 }
3811
3812 if (skb->len > conn->rx_len) {
3813 BT_ERR("Fragment is too long (len %d, expected %d)",
3814 skb->len, conn->rx_len);
3815 kfree_skb(conn->rx_skb);
3816 conn->rx_skb = NULL;
3817 conn->rx_len = 0;
3818 l2cap_conn_unreliable(conn, ECOMM);
3819 goto drop;
3820 }
3821
d626f62b 3822 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 3823 skb->len);
1da177e4
LT		 3824 conn->rx_len -= skb->len;
3825
3826 if (!conn->rx_len) {
3827 /* Complete frame received */
3828 l2cap_recv_frame(conn, conn->rx_skb);
3829 conn->rx_skb = NULL;
3830 }
3831 }
3832
3833drop:
3834 kfree_skb(skb);
3835 return 0;
3836}
3837
be9d1227 3838static ssize_t l2cap_sysfs_show(struct class *dev, char *buf)
1da177e4
LT		 3839{
3840 struct sock *sk;
3841 struct hlist_node *node;
be9d1227 3842 char *str = buf;
1da177e4
LT		 3843
3844 read_lock_bh(&l2cap_sk_list.lock);
3845
be9d1227
MH		 3846 sk_for_each(sk, node, &l2cap_sk_list.head) {
3847 struct l2cap_pinfo *pi = l2cap_pi(sk);
1da177e4 3848
2af6b9d5 3849 str += sprintf(str, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d\n",
be9d1227 3850 batostr(&bt_sk(sk)->src), batostr(&bt_sk(sk)->dst),
b4324b5d
MH		 3851 sk->sk_state, __le16_to_cpu(pi->psm), pi->scid,
3852 pi->dcid, pi->imtu, pi->omtu, pi->sec_level);
be9d1227 3853 }
1da177e4 3854
1da177e4 3855 read_unlock_bh(&l2cap_sk_list.lock);
1da177e4 3856
af05b30b 3857 return str - buf;
1da177e4
LT		 3858}
3859
be9d1227 3860static CLASS_ATTR(l2cap, S_IRUGO, l2cap_sysfs_show, NULL);
1da177e4 3861
90ddc4f0 3862static const struct proto_ops l2cap_sock_ops = {
1da177e4
LT		 3863 .family = PF_BLUETOOTH,
3864 .owner = THIS_MODULE,
3865 .release = l2cap_sock_release,
3866 .bind = l2cap_sock_bind,
3867 .connect = l2cap_sock_connect,
3868 .listen = l2cap_sock_listen,
3869 .accept = l2cap_sock_accept,
3870 .getname = l2cap_sock_getname,
3871 .sendmsg = l2cap_sock_sendmsg,
f66dc81f 3872 .recvmsg = l2cap_sock_recvmsg,
1da177e4 3873 .poll = bt_sock_poll,
3241ad82 3874 .ioctl = bt_sock_ioctl,
1da177e4
LT		 3875 .mmap = sock_no_mmap,
3876 .socketpair = sock_no_socketpair,
1da177e4
LT		 3877 .shutdown = l2cap_sock_shutdown,
3878 .setsockopt = l2cap_sock_setsockopt,
3879 .getsockopt = l2cap_sock_getsockopt
3880};
3881
3882static struct net_proto_family l2cap_sock_family_ops = {
3883 .family = PF_BLUETOOTH,
3884 .owner = THIS_MODULE,
3885 .create = l2cap_sock_create,
3886};
3887
3888static struct hci_proto l2cap_hci_proto = {
3889 .name = "L2CAP",
3890 .id = HCI_PROTO_L2CAP,
3891 .connect_ind = l2cap_connect_ind,
3892 .connect_cfm = l2cap_connect_cfm,
3893 .disconn_ind = l2cap_disconn_ind,
2950f21a 3894 .disconn_cfm = l2cap_disconn_cfm,
8c1b2355 3895 .security_cfm = l2cap_security_cfm,
1da177e4
LT		 3896 .recv_acldata = l2cap_recv_acldata
3897};
3898
3899static int __init l2cap_init(void)
3900{
3901 int err;
be9d1227 3902
1da177e4
LT		 3903 err = proto_register(&l2cap_proto, 0);
3904 if (err < 0)
3905 return err;
3906
3907 err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
3908 if (err < 0) {
3909 BT_ERR("L2CAP socket registration failed");
3910 goto error;
3911 }
3912
3913 err = hci_register_proto(&l2cap_hci_proto);
3914 if (err < 0) {
3915 BT_ERR("L2CAP protocol registration failed");
3916 bt_sock_unregister(BTPROTO_L2CAP);
3917 goto error;
3918 }
3919
df5c37ea
MH		 3920 if (class_create_file(bt_class, &class_attr_l2cap) < 0)
3921 BT_ERR("Failed to create L2CAP info file");
1da177e4
LT		 3922
3923 BT_INFO("L2CAP ver %s", VERSION);
3924 BT_INFO("L2CAP socket layer initialized");
3925
3926 return 0;
3927
3928error:
3929 proto_unregister(&l2cap_proto);
3930 return err;
3931}
3932
3933static void __exit l2cap_exit(void)
3934{
a91f2e39 3935 class_remove_file(bt_class, &class_attr_l2cap);
1da177e4
LT		 3936
3937 if (bt_sock_unregister(BTPROTO_L2CAP) < 0)
3938 BT_ERR("L2CAP socket unregistration failed");
3939
3940 if (hci_unregister_proto(&l2cap_hci_proto) < 0)
3941 BT_ERR("L2CAP protocol unregistration failed");
3942
3943 proto_unregister(&l2cap_proto);
3944}
3945
3946void l2cap_load(void)
3947{
3948 /* Dummy function to trigger automatic L2CAP module loading by
3949 * other modules that use L2CAP sockets but don't use any other
3950 * symbols from it. */
3951 return;
3952}
3953EXPORT_SYMBOL(l2cap_load);
3954
3955module_init(l2cap_init);
3956module_exit(l2cap_exit);
3957
44dd46de
MH		 3958module_param(enable_ertm, bool, 0644);
3959MODULE_PARM_DESC(enable_ertm, "Enable enhanced retransmission mode");
3960
63fbd24e 3961MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
1da177e4
LT		 3962MODULE_DESCRIPTION("Bluetooth L2CAP ver " VERSION);
3963MODULE_VERSION(VERSION);
3964MODULE_LICENSE("GPL");
3965MODULE_ALIAS("bt-proto-0");
Clone of davem's net-next-2.6 tree