2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5 Copyright (C) 2010 Google Inc.
7 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License version 2 as
11 published by the Free Software Foundation;
13 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
14 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
15 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
16 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
17 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
18 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
19 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
20 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
22 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
23 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
24 SOFTWARE IS DISCLAIMED.
27 /* Bluetooth L2CAP core and sockets. */
29 #include <linux/module.h>
31 #include <linux/types.h>
32 #include <linux/capability.h>
33 #include <linux/errno.h>
34 #include <linux/kernel.h>
35 #include <linux/sched.h>
36 #include <linux/slab.h>
37 #include <linux/poll.h>
38 #include <linux/fcntl.h>
39 #include <linux/init.h>
40 #include <linux/interrupt.h>
41 #include <linux/socket.h>
42 #include <linux/skbuff.h>
43 #include <linux/list.h>
44 #include <linux/device.h>
45 #include <linux/debugfs.h>
46 #include <linux/seq_file.h>
47 #include <linux/uaccess.h>
48 #include <linux/crc16.h>
51 #include <asm/system.h>
52 #include <asm/unaligned.h>
54 #include <net/bluetooth/bluetooth.h>
55 #include <net/bluetooth/hci_core.h>
56 #include <net/bluetooth/l2cap.h>
58 #define VERSION "2.15"
60 static int disable_ertm = 0;
62 static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
63 static u8 l2cap_fixed_chan[8] = { 0x02, };
65 static const struct proto_ops l2cap_sock_ops;
67 static struct workqueue_struct *_busy_wq;
69 static struct bt_sock_list l2cap_sk_list = {
70 .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
73 static void l2cap_busy_work(struct work_struct *work);
75 static void __l2cap_sock_close(struct sock *sk, int reason);
76 static void l2cap_sock_close(struct sock *sk);
77 static void l2cap_sock_kill(struct sock *sk);
79 static int l2cap_build_conf_req(struct sock *sk, void *data);
80 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
81 u8 code, u8 ident, u16 dlen, void *data);
83 static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb);
85 /* ---- L2CAP timers ---- */
86 static void l2cap_sock_timeout(unsigned long arg)
88 struct sock *sk = (struct sock *) arg;
91 BT_DBG("sock %p state %d", sk, sk->sk_state);
95 if (sk->sk_state == BT_CONNECTED || sk->sk_state == BT_CONFIG)
96 reason = ECONNREFUSED;
97 else if (sk->sk_state == BT_CONNECT &&
98 l2cap_pi(sk)->sec_level != BT_SECURITY_SDP)
99 reason = ECONNREFUSED;
103 __l2cap_sock_close(sk, reason);
111 static void l2cap_sock_set_timer(struct sock *sk, long timeout)
113 BT_DBG("sk %p state %d timeout %ld", sk, sk->sk_state, timeout);
114 sk_reset_timer(sk, &sk->sk_timer, jiffies + timeout);
117 static void l2cap_sock_clear_timer(struct sock *sk)
119 BT_DBG("sock %p state %d", sk, sk->sk_state);
120 sk_stop_timer(sk, &sk->sk_timer);
123 /* ---- L2CAP channels ---- */
124 static struct sock *__l2cap_get_chan_by_dcid(struct l2cap_chan_list *l, u16 cid)
127 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
128 if (l2cap_pi(s)->dcid == cid)
134 static struct sock *__l2cap_get_chan_by_scid(struct l2cap_chan_list *l, u16 cid)
137 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
138 if (l2cap_pi(s)->scid == cid)
144 /* Find channel with given SCID.
145 * Returns locked socket */
146 static inline struct sock *l2cap_get_chan_by_scid(struct l2cap_chan_list *l, u16 cid)
150 s = __l2cap_get_chan_by_scid(l, cid);
153 read_unlock(&l->lock);
157 static struct sock *__l2cap_get_chan_by_ident(struct l2cap_chan_list *l, u8 ident)
160 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
161 if (l2cap_pi(s)->ident == ident)
167 static inline struct sock *l2cap_get_chan_by_ident(struct l2cap_chan_list *l, u8 ident)
171 s = __l2cap_get_chan_by_ident(l, ident);
174 read_unlock(&l->lock);
178 static u16 l2cap_alloc_cid(struct l2cap_chan_list *l)
180 u16 cid = L2CAP_CID_DYN_START;
182 for (; cid < L2CAP_CID_DYN_END; cid++) {
183 if (!__l2cap_get_chan_by_scid(l, cid))
190 static inline void __l2cap_chan_link(struct l2cap_chan_list *l, struct sock *sk)
195 l2cap_pi(l->head)->prev_c = sk;
197 l2cap_pi(sk)->next_c = l->head;
198 l2cap_pi(sk)->prev_c = NULL;
202 static inline void l2cap_chan_unlink(struct l2cap_chan_list *l, struct sock *sk)
204 struct sock *next = l2cap_pi(sk)->next_c, *prev = l2cap_pi(sk)->prev_c;
206 write_lock_bh(&l->lock);
211 l2cap_pi(next)->prev_c = prev;
213 l2cap_pi(prev)->next_c = next;
214 write_unlock_bh(&l->lock);
219 static void __l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent)
221 struct l2cap_chan_list *l = &conn->chan_list;
223 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
224 l2cap_pi(sk)->psm, l2cap_pi(sk)->dcid);
226 conn->disc_reason = 0x13;
228 l2cap_pi(sk)->conn = conn;
230 if (sk->sk_type == SOCK_SEQPACKET || sk->sk_type == SOCK_STREAM) {
231 /* Alloc CID for connection-oriented socket */
232 l2cap_pi(sk)->scid = l2cap_alloc_cid(l);
233 } else if (sk->sk_type == SOCK_DGRAM) {
234 /* Connectionless socket */
235 l2cap_pi(sk)->scid = L2CAP_CID_CONN_LESS;
236 l2cap_pi(sk)->dcid = L2CAP_CID_CONN_LESS;
237 l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU;
239 /* Raw socket can send/recv signalling messages only */
240 l2cap_pi(sk)->scid = L2CAP_CID_SIGNALING;
241 l2cap_pi(sk)->dcid = L2CAP_CID_SIGNALING;
242 l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU;
245 __l2cap_chan_link(l, sk);
248 bt_accept_enqueue(parent, sk);
252 * Must be called on the locked socket. */
253 static void l2cap_chan_del(struct sock *sk, int err)
255 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
256 struct sock *parent = bt_sk(sk)->parent;
258 l2cap_sock_clear_timer(sk);
260 BT_DBG("sk %p, conn %p, err %d", sk, conn, err);
263 /* Unlink from channel list */
264 l2cap_chan_unlink(&conn->chan_list, sk);
265 l2cap_pi(sk)->conn = NULL;
266 hci_conn_put(conn->hcon);
269 sk->sk_state = BT_CLOSED;
270 sock_set_flag(sk, SOCK_ZAPPED);
276 bt_accept_unlink(sk);
277 parent->sk_data_ready(parent, 0);
279 sk->sk_state_change(sk);
281 skb_queue_purge(TX_QUEUE(sk));
283 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM) {
284 struct srej_list *l, *tmp;
286 del_timer(&l2cap_pi(sk)->retrans_timer);
287 del_timer(&l2cap_pi(sk)->monitor_timer);
288 del_timer(&l2cap_pi(sk)->ack_timer);
290 skb_queue_purge(SREJ_QUEUE(sk));
291 skb_queue_purge(BUSY_QUEUE(sk));
293 list_for_each_entry_safe(l, tmp, SREJ_LIST(sk), list) {
300 /* Service level security */
301 static inline int l2cap_check_security(struct sock *sk)
303 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
306 if (l2cap_pi(sk)->psm == cpu_to_le16(0x0001)) {
307 if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
308 auth_type = HCI_AT_NO_BONDING_MITM;
310 auth_type = HCI_AT_NO_BONDING;
312 if (l2cap_pi(sk)->sec_level == BT_SECURITY_LOW)
313 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
315 switch (l2cap_pi(sk)->sec_level) {
316 case BT_SECURITY_HIGH:
317 auth_type = HCI_AT_GENERAL_BONDING_MITM;
319 case BT_SECURITY_MEDIUM:
320 auth_type = HCI_AT_GENERAL_BONDING;
323 auth_type = HCI_AT_NO_BONDING;
328 return hci_conn_security(conn->hcon, l2cap_pi(sk)->sec_level,
332 static inline u8 l2cap_get_ident(struct l2cap_conn *conn)
336 /* Get next available identificator.
337 * 1 - 128 are used by kernel.
338 * 129 - 199 are reserved.
339 * 200 - 254 are used by utilities like l2ping, etc.
342 spin_lock_bh(&conn->lock);
344 if (++conn->tx_ident > 128)
349 spin_unlock_bh(&conn->lock);
354 static inline void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
356 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
358 BT_DBG("code 0x%2.2x", code);
363 hci_send_acl(conn->hcon, skb, 0);
366 static inline void l2cap_send_sframe(struct l2cap_pinfo *pi, u16 control)
369 struct l2cap_hdr *lh;
370 struct l2cap_conn *conn = pi->conn;
371 struct sock *sk = (struct sock *)pi;
372 int count, hlen = L2CAP_HDR_SIZE + 2;
374 if (sk->sk_state != BT_CONNECTED)
377 if (pi->fcs == L2CAP_FCS_CRC16)
380 BT_DBG("pi %p, control 0x%2.2x", pi, control);
382 count = min_t(unsigned int, conn->mtu, hlen);
383 control |= L2CAP_CTRL_FRAME_TYPE;
385 if (pi->conn_state & L2CAP_CONN_SEND_FBIT) {
386 control |= L2CAP_CTRL_FINAL;
387 pi->conn_state &= ~L2CAP_CONN_SEND_FBIT;
390 if (pi->conn_state & L2CAP_CONN_SEND_PBIT) {
391 control |= L2CAP_CTRL_POLL;
392 pi->conn_state &= ~L2CAP_CONN_SEND_PBIT;
395 skb = bt_skb_alloc(count, GFP_ATOMIC);
399 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
400 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
401 lh->cid = cpu_to_le16(pi->dcid);
402 put_unaligned_le16(control, skb_put(skb, 2));
404 if (pi->fcs == L2CAP_FCS_CRC16) {
405 u16 fcs = crc16(0, (u8 *)lh, count - 2);
406 put_unaligned_le16(fcs, skb_put(skb, 2));
409 hci_send_acl(pi->conn->hcon, skb, 0);
412 static inline void l2cap_send_rr_or_rnr(struct l2cap_pinfo *pi, u16 control)
414 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) {
415 control |= L2CAP_SUPER_RCV_NOT_READY;
416 pi->conn_state |= L2CAP_CONN_RNR_SENT;
418 control |= L2CAP_SUPER_RCV_READY;
420 control |= pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
422 l2cap_send_sframe(pi, control);
425 static inline int __l2cap_no_conn_pending(struct sock *sk)
427 return !(l2cap_pi(sk)->conf_state & L2CAP_CONF_CONNECT_PEND);
430 static void l2cap_do_start(struct sock *sk)
432 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
434 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
435 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
438 if (l2cap_check_security(sk) && __l2cap_no_conn_pending(sk)) {
439 struct l2cap_conn_req req;
440 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
441 req.psm = l2cap_pi(sk)->psm;
443 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
444 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
446 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
447 L2CAP_CONN_REQ, sizeof(req), &req);
450 struct l2cap_info_req req;
451 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
453 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
454 conn->info_ident = l2cap_get_ident(conn);
456 mod_timer(&conn->info_timer, jiffies +
457 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
459 l2cap_send_cmd(conn, conn->info_ident,
460 L2CAP_INFO_REQ, sizeof(req), &req);
464 static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
466 u32 local_feat_mask = l2cap_feat_mask;
468 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
471 case L2CAP_MODE_ERTM:
472 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
473 case L2CAP_MODE_STREAMING:
474 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
480 static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct sock *sk, int err)
482 struct l2cap_disconn_req req;
487 skb_queue_purge(TX_QUEUE(sk));
489 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM) {
490 del_timer(&l2cap_pi(sk)->retrans_timer);
491 del_timer(&l2cap_pi(sk)->monitor_timer);
492 del_timer(&l2cap_pi(sk)->ack_timer);
495 req.dcid = cpu_to_le16(l2cap_pi(sk)->dcid);
496 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
497 l2cap_send_cmd(conn, l2cap_get_ident(conn),
498 L2CAP_DISCONN_REQ, sizeof(req), &req);
500 sk->sk_state = BT_DISCONN;
504 /* ---- L2CAP connections ---- */
505 static void l2cap_conn_start(struct l2cap_conn *conn)
507 struct l2cap_chan_list *l = &conn->chan_list;
508 struct sock_del_list del, *tmp1, *tmp2;
511 BT_DBG("conn %p", conn);
513 INIT_LIST_HEAD(&del.list);
517 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
520 if (sk->sk_type != SOCK_SEQPACKET &&
521 sk->sk_type != SOCK_STREAM) {
526 if (sk->sk_state == BT_CONNECT) {
527 struct l2cap_conn_req req;
529 if (!l2cap_check_security(sk) ||
530 !__l2cap_no_conn_pending(sk)) {
535 if (!l2cap_mode_supported(l2cap_pi(sk)->mode,
537 && l2cap_pi(sk)->conf_state &
538 L2CAP_CONF_STATE2_DEVICE) {
539 tmp1 = kzalloc(sizeof(struct sock_del_list),
542 list_add_tail(&tmp1->list, &del.list);
547 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
548 req.psm = l2cap_pi(sk)->psm;
550 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
551 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
553 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
554 L2CAP_CONN_REQ, sizeof(req), &req);
556 } else if (sk->sk_state == BT_CONNECT2) {
557 struct l2cap_conn_rsp rsp;
559 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
560 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
562 if (l2cap_check_security(sk)) {
563 if (bt_sk(sk)->defer_setup) {
564 struct sock *parent = bt_sk(sk)->parent;
565 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
566 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
567 parent->sk_data_ready(parent, 0);
570 sk->sk_state = BT_CONFIG;
571 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
572 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
575 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
576 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
579 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
580 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
582 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT ||
583 rsp.result != L2CAP_CR_SUCCESS) {
588 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
589 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
590 l2cap_build_conf_req(sk, buf), buf);
591 l2cap_pi(sk)->num_conf_req++;
597 read_unlock(&l->lock);
599 list_for_each_entry_safe(tmp1, tmp2, &del.list, list) {
600 bh_lock_sock(tmp1->sk);
601 __l2cap_sock_close(tmp1->sk, ECONNRESET);
602 bh_unlock_sock(tmp1->sk);
603 list_del(&tmp1->list);
608 static void l2cap_conn_ready(struct l2cap_conn *conn)
610 struct l2cap_chan_list *l = &conn->chan_list;
613 BT_DBG("conn %p", conn);
617 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
620 if (sk->sk_type != SOCK_SEQPACKET &&
621 sk->sk_type != SOCK_STREAM) {
622 l2cap_sock_clear_timer(sk);
623 sk->sk_state = BT_CONNECTED;
624 sk->sk_state_change(sk);
625 } else if (sk->sk_state == BT_CONNECT)
631 read_unlock(&l->lock);
634 /* Notify sockets that we cannot guaranty reliability anymore */
635 static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
637 struct l2cap_chan_list *l = &conn->chan_list;
640 BT_DBG("conn %p", conn);
644 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
645 if (l2cap_pi(sk)->force_reliable)
649 read_unlock(&l->lock);
652 static void l2cap_info_timeout(unsigned long arg)
654 struct l2cap_conn *conn = (void *) arg;
656 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
657 conn->info_ident = 0;
659 l2cap_conn_start(conn);
662 static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
664 struct l2cap_conn *conn = hcon->l2cap_data;
669 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
673 hcon->l2cap_data = conn;
676 BT_DBG("hcon %p conn %p", hcon, conn);
678 conn->mtu = hcon->hdev->acl_mtu;
679 conn->src = &hcon->hdev->bdaddr;
680 conn->dst = &hcon->dst;
684 spin_lock_init(&conn->lock);
685 rwlock_init(&conn->chan_list.lock);
687 setup_timer(&conn->info_timer, l2cap_info_timeout,
688 (unsigned long) conn);
690 conn->disc_reason = 0x13;
695 static void l2cap_conn_del(struct hci_conn *hcon, int err)
697 struct l2cap_conn *conn = hcon->l2cap_data;
703 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
705 kfree_skb(conn->rx_skb);
708 while ((sk = conn->chan_list.head)) {
710 l2cap_chan_del(sk, err);
715 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
716 del_timer_sync(&conn->info_timer);
718 hcon->l2cap_data = NULL;
722 static inline void l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent)
724 struct l2cap_chan_list *l = &conn->chan_list;
725 write_lock_bh(&l->lock);
726 __l2cap_chan_add(conn, sk, parent);
727 write_unlock_bh(&l->lock);
730 /* ---- Socket interface ---- */
731 static struct sock *__l2cap_get_sock_by_addr(__le16 psm, bdaddr_t *src)
734 struct hlist_node *node;
735 sk_for_each(sk, node, &l2cap_sk_list.head)
736 if (l2cap_pi(sk)->sport == psm && !bacmp(&bt_sk(sk)->src, src))
743 /* Find socket with psm and source bdaddr.
744 * Returns closest match.
746 static struct sock *__l2cap_get_sock_by_psm(int state, __le16 psm, bdaddr_t *src)
748 struct sock *sk = NULL, *sk1 = NULL;
749 struct hlist_node *node;
751 sk_for_each(sk, node, &l2cap_sk_list.head) {
752 if (state && sk->sk_state != state)
755 if (l2cap_pi(sk)->psm == psm) {
757 if (!bacmp(&bt_sk(sk)->src, src))
761 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
765 return node ? sk : sk1;
768 /* Find socket with given address (psm, src).
769 * Returns locked socket */
770 static inline struct sock *l2cap_get_sock_by_psm(int state, __le16 psm, bdaddr_t *src)
773 read_lock(&l2cap_sk_list.lock);
774 s = __l2cap_get_sock_by_psm(state, psm, src);
777 read_unlock(&l2cap_sk_list.lock);
781 static void l2cap_sock_destruct(struct sock *sk)
785 skb_queue_purge(&sk->sk_receive_queue);
786 skb_queue_purge(&sk->sk_write_queue);
789 static void l2cap_sock_cleanup_listen(struct sock *parent)
793 BT_DBG("parent %p", parent);
795 /* Close not yet accepted channels */
796 while ((sk = bt_accept_dequeue(parent, NULL)))
797 l2cap_sock_close(sk);
799 parent->sk_state = BT_CLOSED;
800 sock_set_flag(parent, SOCK_ZAPPED);
803 /* Kill socket (only if zapped and orphan)
804 * Must be called on unlocked socket.
806 static void l2cap_sock_kill(struct sock *sk)
808 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
811 BT_DBG("sk %p state %d", sk, sk->sk_state);
813 /* Kill poor orphan */
814 bt_sock_unlink(&l2cap_sk_list, sk);
815 sock_set_flag(sk, SOCK_DEAD);
819 static void __l2cap_sock_close(struct sock *sk, int reason)
821 BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
823 switch (sk->sk_state) {
825 l2cap_sock_cleanup_listen(sk);
830 if (sk->sk_type == SOCK_SEQPACKET ||
831 sk->sk_type == SOCK_STREAM) {
832 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
834 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
835 l2cap_send_disconn_req(conn, sk, reason);
837 l2cap_chan_del(sk, reason);
841 if (sk->sk_type == SOCK_SEQPACKET ||
842 sk->sk_type == SOCK_STREAM) {
843 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
844 struct l2cap_conn_rsp rsp;
847 if (bt_sk(sk)->defer_setup)
848 result = L2CAP_CR_SEC_BLOCK;
850 result = L2CAP_CR_BAD_PSM;
852 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
853 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
854 rsp.result = cpu_to_le16(result);
855 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
856 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
857 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
859 l2cap_chan_del(sk, reason);
864 l2cap_chan_del(sk, reason);
868 sock_set_flag(sk, SOCK_ZAPPED);
873 /* Must be called on unlocked socket. */
874 static void l2cap_sock_close(struct sock *sk)
876 l2cap_sock_clear_timer(sk);
878 __l2cap_sock_close(sk, ECONNRESET);
883 static void l2cap_sock_init(struct sock *sk, struct sock *parent)
885 struct l2cap_pinfo *pi = l2cap_pi(sk);
890 sk->sk_type = parent->sk_type;
891 bt_sk(sk)->defer_setup = bt_sk(parent)->defer_setup;
893 pi->imtu = l2cap_pi(parent)->imtu;
894 pi->omtu = l2cap_pi(parent)->omtu;
895 pi->conf_state = l2cap_pi(parent)->conf_state;
896 pi->mode = l2cap_pi(parent)->mode;
897 pi->fcs = l2cap_pi(parent)->fcs;
898 pi->max_tx = l2cap_pi(parent)->max_tx;
899 pi->tx_win = l2cap_pi(parent)->tx_win;
900 pi->sec_level = l2cap_pi(parent)->sec_level;
901 pi->role_switch = l2cap_pi(parent)->role_switch;
902 pi->force_reliable = l2cap_pi(parent)->force_reliable;
904 pi->imtu = L2CAP_DEFAULT_MTU;
906 if (!disable_ertm && sk->sk_type == SOCK_STREAM) {
907 pi->mode = L2CAP_MODE_ERTM;
908 pi->conf_state |= L2CAP_CONF_STATE2_DEVICE;
910 pi->mode = L2CAP_MODE_BASIC;
912 pi->max_tx = L2CAP_DEFAULT_MAX_TX;
913 pi->fcs = L2CAP_FCS_CRC16;
914 pi->tx_win = L2CAP_DEFAULT_TX_WINDOW;
915 pi->sec_level = BT_SECURITY_LOW;
917 pi->force_reliable = 0;
920 /* Default config options */
922 pi->flush_to = L2CAP_DEFAULT_FLUSH_TO;
923 skb_queue_head_init(TX_QUEUE(sk));
924 skb_queue_head_init(SREJ_QUEUE(sk));
925 skb_queue_head_init(BUSY_QUEUE(sk));
926 INIT_LIST_HEAD(SREJ_LIST(sk));
929 static struct proto l2cap_proto = {
931 .owner = THIS_MODULE,
932 .obj_size = sizeof(struct l2cap_pinfo)
935 static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio)
939 sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto);
943 sock_init_data(sock, sk);
944 INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
946 sk->sk_destruct = l2cap_sock_destruct;
947 sk->sk_sndtimeo = msecs_to_jiffies(L2CAP_CONN_TIMEOUT);
949 sock_reset_flag(sk, SOCK_ZAPPED);
951 sk->sk_protocol = proto;
952 sk->sk_state = BT_OPEN;
954 setup_timer(&sk->sk_timer, l2cap_sock_timeout, (unsigned long) sk);
956 bt_sock_link(&l2cap_sk_list, sk);
960 static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
965 BT_DBG("sock %p", sock);
967 sock->state = SS_UNCONNECTED;
969 if (sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM &&
970 sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
971 return -ESOCKTNOSUPPORT;
973 if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
976 sock->ops = &l2cap_sock_ops;
978 sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC);
982 l2cap_sock_init(sk, NULL);
986 static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
988 struct sock *sk = sock->sk;
989 struct sockaddr_l2 la;
994 if (!addr || addr->sa_family != AF_BLUETOOTH)
997 memset(&la, 0, sizeof(la));
998 len = min_t(unsigned int, sizeof(la), alen);
999 memcpy(&la, addr, len);
1006 if (sk->sk_state != BT_OPEN) {
1011 if (la.l2_psm && __le16_to_cpu(la.l2_psm) < 0x1001 &&
1012 !capable(CAP_NET_BIND_SERVICE)) {
1017 write_lock_bh(&l2cap_sk_list.lock);
1019 if (la.l2_psm && __l2cap_get_sock_by_addr(la.l2_psm, &la.l2_bdaddr)) {
1022 /* Save source address */
1023 bacpy(&bt_sk(sk)->src, &la.l2_bdaddr);
1024 l2cap_pi(sk)->psm = la.l2_psm;
1025 l2cap_pi(sk)->sport = la.l2_psm;
1026 sk->sk_state = BT_BOUND;
1028 if (__le16_to_cpu(la.l2_psm) == 0x0001 ||
1029 __le16_to_cpu(la.l2_psm) == 0x0003)
1030 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
1033 write_unlock_bh(&l2cap_sk_list.lock);
1040 static int l2cap_do_connect(struct sock *sk)
1042 bdaddr_t *src = &bt_sk(sk)->src;
1043 bdaddr_t *dst = &bt_sk(sk)->dst;
1044 struct l2cap_conn *conn;
1045 struct hci_conn *hcon;
1046 struct hci_dev *hdev;
1050 BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
1053 hdev = hci_get_route(dst, src);
1055 return -EHOSTUNREACH;
1057 hci_dev_lock_bh(hdev);
1061 if (sk->sk_type == SOCK_RAW) {
1062 switch (l2cap_pi(sk)->sec_level) {
1063 case BT_SECURITY_HIGH:
1064 auth_type = HCI_AT_DEDICATED_BONDING_MITM;
1066 case BT_SECURITY_MEDIUM:
1067 auth_type = HCI_AT_DEDICATED_BONDING;
1070 auth_type = HCI_AT_NO_BONDING;
1073 } else if (l2cap_pi(sk)->psm == cpu_to_le16(0x0001)) {
1074 if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
1075 auth_type = HCI_AT_NO_BONDING_MITM;
1077 auth_type = HCI_AT_NO_BONDING;
1079 if (l2cap_pi(sk)->sec_level == BT_SECURITY_LOW)
1080 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
1082 switch (l2cap_pi(sk)->sec_level) {
1083 case BT_SECURITY_HIGH:
1084 auth_type = HCI_AT_GENERAL_BONDING_MITM;
1086 case BT_SECURITY_MEDIUM:
1087 auth_type = HCI_AT_GENERAL_BONDING;
1090 auth_type = HCI_AT_NO_BONDING;
1095 hcon = hci_connect(hdev, ACL_LINK, dst,
1096 l2cap_pi(sk)->sec_level, auth_type);
1100 conn = l2cap_conn_add(hcon, 0);
1108 /* Update source addr of the socket */
1109 bacpy(src, conn->src);
1111 l2cap_chan_add(conn, sk, NULL);
1113 sk->sk_state = BT_CONNECT;
1114 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
1116 if (hcon->state == BT_CONNECTED) {
1117 if (sk->sk_type != SOCK_SEQPACKET &&
1118 sk->sk_type != SOCK_STREAM) {
1119 l2cap_sock_clear_timer(sk);
1120 sk->sk_state = BT_CONNECTED;
1126 hci_dev_unlock_bh(hdev);
1131 static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags)
1133 struct sock *sk = sock->sk;
1134 struct sockaddr_l2 la;
1137 BT_DBG("sk %p", sk);
1139 if (!addr || alen < sizeof(addr->sa_family) ||
1140 addr->sa_family != AF_BLUETOOTH)
1143 memset(&la, 0, sizeof(la));
1144 len = min_t(unsigned int, sizeof(la), alen);
1145 memcpy(&la, addr, len);
1152 if ((sk->sk_type == SOCK_SEQPACKET || sk->sk_type == SOCK_STREAM)
1158 switch (l2cap_pi(sk)->mode) {
1159 case L2CAP_MODE_BASIC:
1161 case L2CAP_MODE_ERTM:
1162 case L2CAP_MODE_STREAMING:
1171 switch (sk->sk_state) {
1175 /* Already connecting */
1179 /* Already connected */
1193 /* Set destination address and psm */
1194 bacpy(&bt_sk(sk)->dst, &la.l2_bdaddr);
1195 l2cap_pi(sk)->psm = la.l2_psm;
1197 err = l2cap_do_connect(sk);
1202 err = bt_sock_wait_state(sk, BT_CONNECTED,
1203 sock_sndtimeo(sk, flags & O_NONBLOCK));
1209 static int l2cap_sock_listen(struct socket *sock, int backlog)
1211 struct sock *sk = sock->sk;
1214 BT_DBG("sk %p backlog %d", sk, backlog);
1218 if ((sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM)
1219 || sk->sk_state != BT_BOUND) {
1224 switch (l2cap_pi(sk)->mode) {
1225 case L2CAP_MODE_BASIC:
1227 case L2CAP_MODE_ERTM:
1228 case L2CAP_MODE_STREAMING:
1237 if (!l2cap_pi(sk)->psm) {
1238 bdaddr_t *src = &bt_sk(sk)->src;
1243 write_lock_bh(&l2cap_sk_list.lock);
1245 for (psm = 0x1001; psm < 0x1100; psm += 2)
1246 if (!__l2cap_get_sock_by_addr(cpu_to_le16(psm), src)) {
1247 l2cap_pi(sk)->psm = cpu_to_le16(psm);
1248 l2cap_pi(sk)->sport = cpu_to_le16(psm);
1253 write_unlock_bh(&l2cap_sk_list.lock);
1259 sk->sk_max_ack_backlog = backlog;
1260 sk->sk_ack_backlog = 0;
1261 sk->sk_state = BT_LISTEN;
1268 static int l2cap_sock_accept(struct socket *sock, struct socket *newsock, int flags)
1270 DECLARE_WAITQUEUE(wait, current);
1271 struct sock *sk = sock->sk, *nsk;
1275 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
1277 if (sk->sk_state != BT_LISTEN) {
1282 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
1284 BT_DBG("sk %p timeo %ld", sk, timeo);
1286 /* Wait for an incoming connection. (wake-one). */
1287 add_wait_queue_exclusive(sk_sleep(sk), &wait);
1288 while (!(nsk = bt_accept_dequeue(sk, newsock))) {
1289 set_current_state(TASK_INTERRUPTIBLE);
1296 timeo = schedule_timeout(timeo);
1297 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
1299 if (sk->sk_state != BT_LISTEN) {
1304 if (signal_pending(current)) {
1305 err = sock_intr_errno(timeo);
1309 set_current_state(TASK_RUNNING);
1310 remove_wait_queue(sk_sleep(sk), &wait);
1315 newsock->state = SS_CONNECTED;
1317 BT_DBG("new socket %p", nsk);
1324 static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr, int *len, int peer)
1326 struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
1327 struct sock *sk = sock->sk;
1329 BT_DBG("sock %p, sk %p", sock, sk);
1331 addr->sa_family = AF_BLUETOOTH;
1332 *len = sizeof(struct sockaddr_l2);
1335 la->l2_psm = l2cap_pi(sk)->psm;
1336 bacpy(&la->l2_bdaddr, &bt_sk(sk)->dst);
1337 la->l2_cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1339 la->l2_psm = l2cap_pi(sk)->sport;
1340 bacpy(&la->l2_bdaddr, &bt_sk(sk)->src);
1341 la->l2_cid = cpu_to_le16(l2cap_pi(sk)->scid);
1347 static int __l2cap_wait_ack(struct sock *sk)
1349 DECLARE_WAITQUEUE(wait, current);
1353 add_wait_queue(sk_sleep(sk), &wait);
1354 while ((l2cap_pi(sk)->unacked_frames > 0 && l2cap_pi(sk)->conn)) {
1355 set_current_state(TASK_INTERRUPTIBLE);
1360 if (signal_pending(current)) {
1361 err = sock_intr_errno(timeo);
1366 timeo = schedule_timeout(timeo);
1369 err = sock_error(sk);
1373 set_current_state(TASK_RUNNING);
1374 remove_wait_queue(sk_sleep(sk), &wait);
1378 static void l2cap_monitor_timeout(unsigned long arg)
1380 struct sock *sk = (void *) arg;
1382 BT_DBG("sk %p", sk);
1385 if (l2cap_pi(sk)->retry_count >= l2cap_pi(sk)->remote_max_tx) {
1386 l2cap_send_disconn_req(l2cap_pi(sk)->conn, sk, ECONNABORTED);
1391 l2cap_pi(sk)->retry_count++;
1392 __mod_monitor_timer();
1394 l2cap_send_rr_or_rnr(l2cap_pi(sk), L2CAP_CTRL_POLL);
1398 static void l2cap_retrans_timeout(unsigned long arg)
1400 struct sock *sk = (void *) arg;
1402 BT_DBG("sk %p", sk);
1405 l2cap_pi(sk)->retry_count = 1;
1406 __mod_monitor_timer();
1408 l2cap_pi(sk)->conn_state |= L2CAP_CONN_WAIT_F;
1410 l2cap_send_rr_or_rnr(l2cap_pi(sk), L2CAP_CTRL_POLL);
1414 static void l2cap_drop_acked_frames(struct sock *sk)
1416 struct sk_buff *skb;
1418 while ((skb = skb_peek(TX_QUEUE(sk))) &&
1419 l2cap_pi(sk)->unacked_frames) {
1420 if (bt_cb(skb)->tx_seq == l2cap_pi(sk)->expected_ack_seq)
1423 skb = skb_dequeue(TX_QUEUE(sk));
1426 l2cap_pi(sk)->unacked_frames--;
1429 if (!l2cap_pi(sk)->unacked_frames)
1430 del_timer(&l2cap_pi(sk)->retrans_timer);
1433 static inline void l2cap_do_send(struct sock *sk, struct sk_buff *skb)
1435 struct l2cap_pinfo *pi = l2cap_pi(sk);
1437 BT_DBG("sk %p, skb %p len %d", sk, skb, skb->len);
1439 hci_send_acl(pi->conn->hcon, skb, 0);
1442 static void l2cap_streaming_send(struct sock *sk)
1444 struct sk_buff *skb, *tx_skb;
1445 struct l2cap_pinfo *pi = l2cap_pi(sk);
1448 while ((skb = sk->sk_send_head)) {
1449 tx_skb = skb_clone(skb, GFP_ATOMIC);
1451 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
1452 control |= pi->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT;
1453 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1455 if (pi->fcs == L2CAP_FCS_CRC16) {
1456 fcs = crc16(0, (u8 *)tx_skb->data, tx_skb->len - 2);
1457 put_unaligned_le16(fcs, tx_skb->data + tx_skb->len - 2);
1460 l2cap_do_send(sk, tx_skb);
1462 pi->next_tx_seq = (pi->next_tx_seq + 1) % 64;
1464 if (skb_queue_is_last(TX_QUEUE(sk), skb))
1465 sk->sk_send_head = NULL;
1467 sk->sk_send_head = skb_queue_next(TX_QUEUE(sk), skb);
1469 skb = skb_dequeue(TX_QUEUE(sk));
1474 static void l2cap_retransmit_one_frame(struct sock *sk, u8 tx_seq)
1476 struct l2cap_pinfo *pi = l2cap_pi(sk);
1477 struct sk_buff *skb, *tx_skb;
1480 skb = skb_peek(TX_QUEUE(sk));
1485 if (bt_cb(skb)->tx_seq == tx_seq)
1488 if (skb_queue_is_last(TX_QUEUE(sk), skb))
1491 } while ((skb = skb_queue_next(TX_QUEUE(sk), skb)));
1493 if (pi->remote_max_tx &&
1494 bt_cb(skb)->retries == pi->remote_max_tx) {
1495 l2cap_send_disconn_req(pi->conn, sk, ECONNABORTED);
1499 tx_skb = skb_clone(skb, GFP_ATOMIC);
1500 bt_cb(skb)->retries++;
1501 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
1503 if (pi->conn_state & L2CAP_CONN_SEND_FBIT) {
1504 control |= L2CAP_CTRL_FINAL;
1505 pi->conn_state &= ~L2CAP_CONN_SEND_FBIT;
1508 control |= (pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1509 | (tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
1511 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1513 if (pi->fcs == L2CAP_FCS_CRC16) {
1514 fcs = crc16(0, (u8 *)tx_skb->data, tx_skb->len - 2);
1515 put_unaligned_le16(fcs, tx_skb->data + tx_skb->len - 2);
1518 l2cap_do_send(sk, tx_skb);
1521 static int l2cap_ertm_send(struct sock *sk)
1523 struct sk_buff *skb, *tx_skb;
1524 struct l2cap_pinfo *pi = l2cap_pi(sk);
1528 if (sk->sk_state != BT_CONNECTED)
1531 while ((skb = sk->sk_send_head) && (!l2cap_tx_window_full(sk))) {
1533 if (pi->remote_max_tx &&
1534 bt_cb(skb)->retries == pi->remote_max_tx) {
1535 l2cap_send_disconn_req(pi->conn, sk, ECONNABORTED);
1539 tx_skb = skb_clone(skb, GFP_ATOMIC);
1541 bt_cb(skb)->retries++;
1543 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
1544 control &= L2CAP_CTRL_SAR;
1546 if (pi->conn_state & L2CAP_CONN_SEND_FBIT) {
1547 control |= L2CAP_CTRL_FINAL;
1548 pi->conn_state &= ~L2CAP_CONN_SEND_FBIT;
1550 control |= (pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1551 | (pi->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
1552 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1555 if (pi->fcs == L2CAP_FCS_CRC16) {
1556 fcs = crc16(0, (u8 *)skb->data, tx_skb->len - 2);
1557 put_unaligned_le16(fcs, skb->data + tx_skb->len - 2);
1560 l2cap_do_send(sk, tx_skb);
1562 __mod_retrans_timer();
1564 bt_cb(skb)->tx_seq = pi->next_tx_seq;
1565 pi->next_tx_seq = (pi->next_tx_seq + 1) % 64;
1567 pi->unacked_frames++;
1570 if (skb_queue_is_last(TX_QUEUE(sk), skb))
1571 sk->sk_send_head = NULL;
1573 sk->sk_send_head = skb_queue_next(TX_QUEUE(sk), skb);
1581 static int l2cap_retransmit_frames(struct sock *sk)
1583 struct l2cap_pinfo *pi = l2cap_pi(sk);
1586 if (!skb_queue_empty(TX_QUEUE(sk)))
1587 sk->sk_send_head = TX_QUEUE(sk)->next;
1589 pi->next_tx_seq = pi->expected_ack_seq;
1590 ret = l2cap_ertm_send(sk);
1594 static void l2cap_send_ack(struct l2cap_pinfo *pi)
1596 struct sock *sk = (struct sock *)pi;
1599 control |= pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1601 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) {
1602 control |= L2CAP_SUPER_RCV_NOT_READY;
1603 pi->conn_state |= L2CAP_CONN_RNR_SENT;
1604 l2cap_send_sframe(pi, control);
1608 if (l2cap_ertm_send(sk) > 0)
1611 control |= L2CAP_SUPER_RCV_READY;
1612 l2cap_send_sframe(pi, control);
1615 static void l2cap_send_srejtail(struct sock *sk)
1617 struct srej_list *tail;
1620 control = L2CAP_SUPER_SELECT_REJECT;
1621 control |= L2CAP_CTRL_FINAL;
1623 tail = list_entry(SREJ_LIST(sk)->prev, struct srej_list, list);
1624 control |= tail->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1626 l2cap_send_sframe(l2cap_pi(sk), control);
1629 static inline int l2cap_skbuff_fromiovec(struct sock *sk, struct msghdr *msg, int len, int count, struct sk_buff *skb)
1631 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1632 struct sk_buff **frag;
1635 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1641 /* Continuation fragments (no L2CAP header) */
1642 frag = &skb_shinfo(skb)->frag_list;
1644 count = min_t(unsigned int, conn->mtu, len);
1646 *frag = bt_skb_send_alloc(sk, count, msg->msg_flags & MSG_DONTWAIT, &err);
1649 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1655 frag = &(*frag)->next;
1661 static struct sk_buff *l2cap_create_connless_pdu(struct sock *sk, struct msghdr *msg, size_t len)
1663 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1664 struct sk_buff *skb;
1665 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1666 struct l2cap_hdr *lh;
1668 BT_DBG("sk %p len %d", sk, (int)len);
1670 count = min_t(unsigned int, (conn->mtu - hlen), len);
1671 skb = bt_skb_send_alloc(sk, count + hlen,
1672 msg->msg_flags & MSG_DONTWAIT, &err);
1674 return ERR_PTR(-ENOMEM);
1676 /* Create L2CAP header */
1677 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1678 lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1679 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1680 put_unaligned_le16(l2cap_pi(sk)->psm, skb_put(skb, 2));
1682 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1683 if (unlikely(err < 0)) {
1685 return ERR_PTR(err);
1690 static struct sk_buff *l2cap_create_basic_pdu(struct sock *sk, struct msghdr *msg, size_t len)
1692 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1693 struct sk_buff *skb;
1694 int err, count, hlen = L2CAP_HDR_SIZE;
1695 struct l2cap_hdr *lh;
1697 BT_DBG("sk %p len %d", sk, (int)len);
1699 count = min_t(unsigned int, (conn->mtu - hlen), len);
1700 skb = bt_skb_send_alloc(sk, count + hlen,
1701 msg->msg_flags & MSG_DONTWAIT, &err);
1703 return ERR_PTR(-ENOMEM);
1705 /* Create L2CAP header */
1706 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1707 lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1708 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1710 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1711 if (unlikely(err < 0)) {
1713 return ERR_PTR(err);
1718 static struct sk_buff *l2cap_create_iframe_pdu(struct sock *sk, struct msghdr *msg, size_t len, u16 control, u16 sdulen)
1720 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1721 struct sk_buff *skb;
1722 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1723 struct l2cap_hdr *lh;
1725 BT_DBG("sk %p len %d", sk, (int)len);
1728 return ERR_PTR(-ENOTCONN);
1733 if (l2cap_pi(sk)->fcs == L2CAP_FCS_CRC16)
1736 count = min_t(unsigned int, (conn->mtu - hlen), len);
1737 skb = bt_skb_send_alloc(sk, count + hlen,
1738 msg->msg_flags & MSG_DONTWAIT, &err);
1740 return ERR_PTR(-ENOMEM);
1742 /* Create L2CAP header */
1743 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1744 lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1745 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1746 put_unaligned_le16(control, skb_put(skb, 2));
1748 put_unaligned_le16(sdulen, skb_put(skb, 2));
1750 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1751 if (unlikely(err < 0)) {
1753 return ERR_PTR(err);
1756 if (l2cap_pi(sk)->fcs == L2CAP_FCS_CRC16)
1757 put_unaligned_le16(0, skb_put(skb, 2));
1759 bt_cb(skb)->retries = 0;
1763 static inline int l2cap_sar_segment_sdu(struct sock *sk, struct msghdr *msg, size_t len)
1765 struct l2cap_pinfo *pi = l2cap_pi(sk);
1766 struct sk_buff *skb;
1767 struct sk_buff_head sar_queue;
1771 skb_queue_head_init(&sar_queue);
1772 control = L2CAP_SDU_START;
1773 skb = l2cap_create_iframe_pdu(sk, msg, pi->remote_mps, control, len);
1775 return PTR_ERR(skb);
1777 __skb_queue_tail(&sar_queue, skb);
1778 len -= pi->remote_mps;
1779 size += pi->remote_mps;
1784 if (len > pi->remote_mps) {
1785 control = L2CAP_SDU_CONTINUE;
1786 buflen = pi->remote_mps;
1788 control = L2CAP_SDU_END;
1792 skb = l2cap_create_iframe_pdu(sk, msg, buflen, control, 0);
1794 skb_queue_purge(&sar_queue);
1795 return PTR_ERR(skb);
1798 __skb_queue_tail(&sar_queue, skb);
1802 skb_queue_splice_tail(&sar_queue, TX_QUEUE(sk));
1803 if (sk->sk_send_head == NULL)
1804 sk->sk_send_head = sar_queue.next;
1809 static int l2cap_sock_sendmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len)
1811 struct sock *sk = sock->sk;
1812 struct l2cap_pinfo *pi = l2cap_pi(sk);
1813 struct sk_buff *skb;
1817 BT_DBG("sock %p, sk %p", sock, sk);
1819 err = sock_error(sk);
1823 if (msg->msg_flags & MSG_OOB)
1828 if (sk->sk_state != BT_CONNECTED) {
1833 /* Connectionless channel */
1834 if (sk->sk_type == SOCK_DGRAM) {
1835 skb = l2cap_create_connless_pdu(sk, msg, len);
1839 l2cap_do_send(sk, skb);
1846 case L2CAP_MODE_BASIC:
1847 /* Check outgoing MTU */
1848 if (len > pi->omtu) {
1853 /* Create a basic PDU */
1854 skb = l2cap_create_basic_pdu(sk, msg, len);
1860 l2cap_do_send(sk, skb);
1864 case L2CAP_MODE_ERTM:
1865 case L2CAP_MODE_STREAMING:
1866 /* Entire SDU fits into one PDU */
1867 if (len <= pi->remote_mps) {
1868 control = L2CAP_SDU_UNSEGMENTED;
1869 skb = l2cap_create_iframe_pdu(sk, msg, len, control, 0);
1874 __skb_queue_tail(TX_QUEUE(sk), skb);
1876 if (sk->sk_send_head == NULL)
1877 sk->sk_send_head = skb;
1880 /* Segment SDU into multiples PDUs */
1881 err = l2cap_sar_segment_sdu(sk, msg, len);
1886 if (pi->mode == L2CAP_MODE_STREAMING) {
1887 l2cap_streaming_send(sk);
1889 if (pi->conn_state & L2CAP_CONN_REMOTE_BUSY &&
1890 pi->conn_state && L2CAP_CONN_WAIT_F) {
1894 err = l2cap_ertm_send(sk);
1902 BT_DBG("bad state %1.1x", pi->mode);
1911 static int l2cap_sock_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len, int flags)
1913 struct sock *sk = sock->sk;
1917 if (sk->sk_state == BT_CONNECT2 && bt_sk(sk)->defer_setup) {
1918 struct l2cap_conn_rsp rsp;
1919 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1922 sk->sk_state = BT_CONFIG;
1924 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
1925 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
1926 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1927 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1928 l2cap_send_cmd(l2cap_pi(sk)->conn, l2cap_pi(sk)->ident,
1929 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
1931 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT) {
1936 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
1937 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
1938 l2cap_build_conf_req(sk, buf), buf);
1939 l2cap_pi(sk)->num_conf_req++;
1947 return bt_sock_recvmsg(iocb, sock, msg, len, flags);
1950 static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __user *optval, unsigned int optlen)
1952 struct sock *sk = sock->sk;
1953 struct l2cap_options opts;
1957 BT_DBG("sk %p", sk);
1963 opts.imtu = l2cap_pi(sk)->imtu;
1964 opts.omtu = l2cap_pi(sk)->omtu;
1965 opts.flush_to = l2cap_pi(sk)->flush_to;
1966 opts.mode = l2cap_pi(sk)->mode;
1967 opts.fcs = l2cap_pi(sk)->fcs;
1968 opts.max_tx = l2cap_pi(sk)->max_tx;
1969 opts.txwin_size = (__u16)l2cap_pi(sk)->tx_win;
1971 len = min_t(unsigned int, sizeof(opts), optlen);
1972 if (copy_from_user((char *) &opts, optval, len)) {
1977 if (opts.txwin_size > L2CAP_DEFAULT_TX_WINDOW) {
1982 l2cap_pi(sk)->mode = opts.mode;
1983 switch (l2cap_pi(sk)->mode) {
1984 case L2CAP_MODE_BASIC:
1985 l2cap_pi(sk)->conf_state &= ~L2CAP_CONF_STATE2_DEVICE;
1987 case L2CAP_MODE_ERTM:
1988 case L2CAP_MODE_STREAMING:
1997 l2cap_pi(sk)->imtu = opts.imtu;
1998 l2cap_pi(sk)->omtu = opts.omtu;
1999 l2cap_pi(sk)->fcs = opts.fcs;
2000 l2cap_pi(sk)->max_tx = opts.max_tx;
2001 l2cap_pi(sk)->tx_win = (__u8)opts.txwin_size;
2005 if (get_user(opt, (u32 __user *) optval)) {
2010 if (opt & L2CAP_LM_AUTH)
2011 l2cap_pi(sk)->sec_level = BT_SECURITY_LOW;
2012 if (opt & L2CAP_LM_ENCRYPT)
2013 l2cap_pi(sk)->sec_level = BT_SECURITY_MEDIUM;
2014 if (opt & L2CAP_LM_SECURE)
2015 l2cap_pi(sk)->sec_level = BT_SECURITY_HIGH;
2017 l2cap_pi(sk)->role_switch = (opt & L2CAP_LM_MASTER);
2018 l2cap_pi(sk)->force_reliable = (opt & L2CAP_LM_RELIABLE);
2030 static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, char __user *optval, unsigned int optlen)
2032 struct sock *sk = sock->sk;
2033 struct bt_security sec;
2037 BT_DBG("sk %p", sk);
2039 if (level == SOL_L2CAP)
2040 return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
2042 if (level != SOL_BLUETOOTH)
2043 return -ENOPROTOOPT;
2049 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
2050 && sk->sk_type != SOCK_RAW) {
2055 sec.level = BT_SECURITY_LOW;
2057 len = min_t(unsigned int, sizeof(sec), optlen);
2058 if (copy_from_user((char *) &sec, optval, len)) {
2063 if (sec.level < BT_SECURITY_LOW ||
2064 sec.level > BT_SECURITY_HIGH) {
2069 l2cap_pi(sk)->sec_level = sec.level;
2072 case BT_DEFER_SETUP:
2073 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
2078 if (get_user(opt, (u32 __user *) optval)) {
2083 bt_sk(sk)->defer_setup = opt;
2095 static int l2cap_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen)
2097 struct sock *sk = sock->sk;
2098 struct l2cap_options opts;
2099 struct l2cap_conninfo cinfo;
2103 BT_DBG("sk %p", sk);
2105 if (get_user(len, optlen))
2112 opts.imtu = l2cap_pi(sk)->imtu;
2113 opts.omtu = l2cap_pi(sk)->omtu;
2114 opts.flush_to = l2cap_pi(sk)->flush_to;
2115 opts.mode = l2cap_pi(sk)->mode;
2116 opts.fcs = l2cap_pi(sk)->fcs;
2117 opts.max_tx = l2cap_pi(sk)->max_tx;
2118 opts.txwin_size = (__u16)l2cap_pi(sk)->tx_win;
2120 len = min_t(unsigned int, len, sizeof(opts));
2121 if (copy_to_user(optval, (char *) &opts, len))
2127 switch (l2cap_pi(sk)->sec_level) {
2128 case BT_SECURITY_LOW:
2129 opt = L2CAP_LM_AUTH;
2131 case BT_SECURITY_MEDIUM:
2132 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
2134 case BT_SECURITY_HIGH:
2135 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
2143 if (l2cap_pi(sk)->role_switch)
2144 opt |= L2CAP_LM_MASTER;
2146 if (l2cap_pi(sk)->force_reliable)
2147 opt |= L2CAP_LM_RELIABLE;
2149 if (put_user(opt, (u32 __user *) optval))
2153 case L2CAP_CONNINFO:
2154 if (sk->sk_state != BT_CONNECTED &&
2155 !(sk->sk_state == BT_CONNECT2 &&
2156 bt_sk(sk)->defer_setup)) {
2161 cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle;
2162 memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3);
2164 len = min_t(unsigned int, len, sizeof(cinfo));
2165 if (copy_to_user(optval, (char *) &cinfo, len))
2179 static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen)
2181 struct sock *sk = sock->sk;
2182 struct bt_security sec;
2185 BT_DBG("sk %p", sk);
2187 if (level == SOL_L2CAP)
2188 return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
2190 if (level != SOL_BLUETOOTH)
2191 return -ENOPROTOOPT;
2193 if (get_user(len, optlen))
2200 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
2201 && sk->sk_type != SOCK_RAW) {
2206 sec.level = l2cap_pi(sk)->sec_level;
2208 len = min_t(unsigned int, len, sizeof(sec));
2209 if (copy_to_user(optval, (char *) &sec, len))
2214 case BT_DEFER_SETUP:
2215 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
2220 if (put_user(bt_sk(sk)->defer_setup, (u32 __user *) optval))
2234 static int l2cap_sock_shutdown(struct socket *sock, int how)
2236 struct sock *sk = sock->sk;
2239 BT_DBG("sock %p, sk %p", sock, sk);
2245 if (!sk->sk_shutdown) {
2246 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM)
2247 err = __l2cap_wait_ack(sk);
2249 sk->sk_shutdown = SHUTDOWN_MASK;
2250 l2cap_sock_clear_timer(sk);
2251 __l2cap_sock_close(sk, 0);
2253 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime)
2254 err = bt_sock_wait_state(sk, BT_CLOSED,
2258 if (!err && sk->sk_err)
2265 static int l2cap_sock_release(struct socket *sock)
2267 struct sock *sk = sock->sk;
2270 BT_DBG("sock %p, sk %p", sock, sk);
2275 err = l2cap_sock_shutdown(sock, 2);
2278 l2cap_sock_kill(sk);
2282 static void l2cap_chan_ready(struct sock *sk)
2284 struct sock *parent = bt_sk(sk)->parent;
2286 BT_DBG("sk %p, parent %p", sk, parent);
2288 l2cap_pi(sk)->conf_state = 0;
2289 l2cap_sock_clear_timer(sk);
2292 /* Outgoing channel.
2293 * Wake up socket sleeping on connect.
2295 sk->sk_state = BT_CONNECTED;
2296 sk->sk_state_change(sk);
2298 /* Incoming channel.
2299 * Wake up socket sleeping on accept.
2301 parent->sk_data_ready(parent, 0);
2305 /* Copy frame to all raw sockets on that connection */
2306 static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2308 struct l2cap_chan_list *l = &conn->chan_list;
2309 struct sk_buff *nskb;
2312 BT_DBG("conn %p", conn);
2314 read_lock(&l->lock);
2315 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
2316 if (sk->sk_type != SOCK_RAW)
2319 /* Don't send frame to the socket it came from */
2322 nskb = skb_clone(skb, GFP_ATOMIC);
2326 if (sock_queue_rcv_skb(sk, nskb))
2329 read_unlock(&l->lock);
2332 /* ---- L2CAP signalling commands ---- */
2333 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2334 u8 code, u8 ident, u16 dlen, void *data)
2336 struct sk_buff *skb, **frag;
2337 struct l2cap_cmd_hdr *cmd;
2338 struct l2cap_hdr *lh;
2341 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
2342 conn, code, ident, dlen);
2344 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2345 count = min_t(unsigned int, conn->mtu, len);
2347 skb = bt_skb_alloc(count, GFP_ATOMIC);
2351 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2352 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
2353 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
2355 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2358 cmd->len = cpu_to_le16(dlen);
2361 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2362 memcpy(skb_put(skb, count), data, count);
2368 /* Continuation fragments (no L2CAP header) */
2369 frag = &skb_shinfo(skb)->frag_list;
2371 count = min_t(unsigned int, conn->mtu, len);
2373 *frag = bt_skb_alloc(count, GFP_ATOMIC);
2377 memcpy(skb_put(*frag, count), data, count);
2382 frag = &(*frag)->next;
2392 static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
2394 struct l2cap_conf_opt *opt = *ptr;
2397 len = L2CAP_CONF_OPT_SIZE + opt->len;
2405 *val = *((u8 *) opt->val);
2409 *val = __le16_to_cpu(*((__le16 *) opt->val));
2413 *val = __le32_to_cpu(*((__le32 *) opt->val));
2417 *val = (unsigned long) opt->val;
2421 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
2425 static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2427 struct l2cap_conf_opt *opt = *ptr;
2429 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
2436 *((u8 *) opt->val) = val;
2440 *((__le16 *) opt->val) = cpu_to_le16(val);
2444 *((__le32 *) opt->val) = cpu_to_le32(val);
2448 memcpy(opt->val, (void *) val, len);
2452 *ptr += L2CAP_CONF_OPT_SIZE + len;
2455 static void l2cap_ack_timeout(unsigned long arg)
2457 struct sock *sk = (void *) arg;
2460 l2cap_send_ack(l2cap_pi(sk));
2464 static inline void l2cap_ertm_init(struct sock *sk)
2466 l2cap_pi(sk)->expected_ack_seq = 0;
2467 l2cap_pi(sk)->unacked_frames = 0;
2468 l2cap_pi(sk)->buffer_seq = 0;
2469 l2cap_pi(sk)->num_acked = 0;
2470 l2cap_pi(sk)->frames_sent = 0;
2472 setup_timer(&l2cap_pi(sk)->retrans_timer,
2473 l2cap_retrans_timeout, (unsigned long) sk);
2474 setup_timer(&l2cap_pi(sk)->monitor_timer,
2475 l2cap_monitor_timeout, (unsigned long) sk);
2476 setup_timer(&l2cap_pi(sk)->ack_timer,
2477 l2cap_ack_timeout, (unsigned long) sk);
2479 __skb_queue_head_init(SREJ_QUEUE(sk));
2480 __skb_queue_head_init(BUSY_QUEUE(sk));
2482 INIT_WORK(&l2cap_pi(sk)->busy_work, l2cap_busy_work);
2484 sk->sk_backlog_rcv = l2cap_ertm_data_rcv;
2487 static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2490 case L2CAP_MODE_STREAMING:
2491 case L2CAP_MODE_ERTM:
2492 if (l2cap_mode_supported(mode, remote_feat_mask))
2496 return L2CAP_MODE_BASIC;
2500 static int l2cap_build_conf_req(struct sock *sk, void *data)
2502 struct l2cap_pinfo *pi = l2cap_pi(sk);
2503 struct l2cap_conf_req *req = data;
2504 struct l2cap_conf_rfc rfc = { .mode = pi->mode };
2505 void *ptr = req->data;
2507 BT_DBG("sk %p", sk);
2509 if (pi->num_conf_req || pi->num_conf_rsp)
2513 case L2CAP_MODE_STREAMING:
2514 case L2CAP_MODE_ERTM:
2515 if (pi->conf_state & L2CAP_CONF_STATE2_DEVICE)
2520 pi->mode = l2cap_select_mode(rfc.mode, pi->conn->feat_mask);
2526 case L2CAP_MODE_BASIC:
2527 if (pi->imtu != L2CAP_DEFAULT_MTU)
2528 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->imtu);
2530 if (!(pi->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2531 !(pi->conn->feat_mask & L2CAP_FEAT_STREAMING))
2534 rfc.mode = L2CAP_MODE_BASIC;
2536 rfc.max_transmit = 0;
2537 rfc.retrans_timeout = 0;
2538 rfc.monitor_timeout = 0;
2539 rfc.max_pdu_size = 0;
2541 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2542 (unsigned long) &rfc);
2545 case L2CAP_MODE_ERTM:
2546 rfc.mode = L2CAP_MODE_ERTM;
2547 rfc.txwin_size = pi->tx_win;
2548 rfc.max_transmit = pi->max_tx;
2549 rfc.retrans_timeout = 0;
2550 rfc.monitor_timeout = 0;
2551 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
2552 if (L2CAP_DEFAULT_MAX_PDU_SIZE > pi->conn->mtu - 10)
2553 rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10);
2555 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2556 (unsigned long) &rfc);
2558 if (!(pi->conn->feat_mask & L2CAP_FEAT_FCS))
2561 if (pi->fcs == L2CAP_FCS_NONE ||
2562 pi->conf_state & L2CAP_CONF_NO_FCS_RECV) {
2563 pi->fcs = L2CAP_FCS_NONE;
2564 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, pi->fcs);
2568 case L2CAP_MODE_STREAMING:
2569 rfc.mode = L2CAP_MODE_STREAMING;
2571 rfc.max_transmit = 0;
2572 rfc.retrans_timeout = 0;
2573 rfc.monitor_timeout = 0;
2574 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
2575 if (L2CAP_DEFAULT_MAX_PDU_SIZE > pi->conn->mtu - 10)
2576 rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10);
2578 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2579 (unsigned long) &rfc);
2581 if (!(pi->conn->feat_mask & L2CAP_FEAT_FCS))
2584 if (pi->fcs == L2CAP_FCS_NONE ||
2585 pi->conf_state & L2CAP_CONF_NO_FCS_RECV) {
2586 pi->fcs = L2CAP_FCS_NONE;
2587 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, pi->fcs);
2592 /* FIXME: Need actual value of the flush timeout */
2593 //if (flush_to != L2CAP_DEFAULT_FLUSH_TO)
2594 // l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, 2, pi->flush_to);
2596 req->dcid = cpu_to_le16(pi->dcid);
2597 req->flags = cpu_to_le16(0);
2602 static int l2cap_parse_conf_req(struct sock *sk, void *data)
2604 struct l2cap_pinfo *pi = l2cap_pi(sk);
2605 struct l2cap_conf_rsp *rsp = data;
2606 void *ptr = rsp->data;
2607 void *req = pi->conf_req;
2608 int len = pi->conf_len;
2609 int type, hint, olen;
2611 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
2612 u16 mtu = L2CAP_DEFAULT_MTU;
2613 u16 result = L2CAP_CONF_SUCCESS;
2615 BT_DBG("sk %p", sk);
2617 while (len >= L2CAP_CONF_OPT_SIZE) {
2618 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
2620 hint = type & L2CAP_CONF_HINT;
2621 type &= L2CAP_CONF_MASK;
2624 case L2CAP_CONF_MTU:
2628 case L2CAP_CONF_FLUSH_TO:
2632 case L2CAP_CONF_QOS:
2635 case L2CAP_CONF_RFC:
2636 if (olen == sizeof(rfc))
2637 memcpy(&rfc, (void *) val, olen);
2640 case L2CAP_CONF_FCS:
2641 if (val == L2CAP_FCS_NONE)
2642 pi->conf_state |= L2CAP_CONF_NO_FCS_RECV;
2650 result = L2CAP_CONF_UNKNOWN;
2651 *((u8 *) ptr++) = type;
2656 if (pi->num_conf_rsp || pi->num_conf_req > 1)
2660 case L2CAP_MODE_STREAMING:
2661 case L2CAP_MODE_ERTM:
2662 if (!(pi->conf_state & L2CAP_CONF_STATE2_DEVICE)) {
2663 pi->mode = l2cap_select_mode(rfc.mode,
2664 pi->conn->feat_mask);
2668 if (pi->mode != rfc.mode)
2669 return -ECONNREFUSED;
2675 if (pi->mode != rfc.mode) {
2676 result = L2CAP_CONF_UNACCEPT;
2677 rfc.mode = pi->mode;
2679 if (pi->num_conf_rsp == 1)
2680 return -ECONNREFUSED;
2682 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2683 sizeof(rfc), (unsigned long) &rfc);
2687 if (result == L2CAP_CONF_SUCCESS) {
2688 /* Configure output options and let the other side know
2689 * which ones we don't like. */
2691 if (mtu < L2CAP_DEFAULT_MIN_MTU)
2692 result = L2CAP_CONF_UNACCEPT;
2695 pi->conf_state |= L2CAP_CONF_MTU_DONE;
2697 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->omtu);
2700 case L2CAP_MODE_BASIC:
2701 pi->fcs = L2CAP_FCS_NONE;
2702 pi->conf_state |= L2CAP_CONF_MODE_DONE;
2705 case L2CAP_MODE_ERTM:
2706 pi->remote_tx_win = rfc.txwin_size;
2707 pi->remote_max_tx = rfc.max_transmit;
2709 if (le16_to_cpu(rfc.max_pdu_size) > pi->conn->mtu - 10)
2710 rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10);
2712 pi->remote_mps = le16_to_cpu(rfc.max_pdu_size);
2714 rfc.retrans_timeout =
2715 le16_to_cpu(L2CAP_DEFAULT_RETRANS_TO);
2716 rfc.monitor_timeout =
2717 le16_to_cpu(L2CAP_DEFAULT_MONITOR_TO);
2719 pi->conf_state |= L2CAP_CONF_MODE_DONE;
2721 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2722 sizeof(rfc), (unsigned long) &rfc);
2726 case L2CAP_MODE_STREAMING:
2727 if (le16_to_cpu(rfc.max_pdu_size) > pi->conn->mtu - 10)
2728 rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10);
2730 pi->remote_mps = le16_to_cpu(rfc.max_pdu_size);
2732 pi->conf_state |= L2CAP_CONF_MODE_DONE;
2734 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2735 sizeof(rfc), (unsigned long) &rfc);
2740 result = L2CAP_CONF_UNACCEPT;
2742 memset(&rfc, 0, sizeof(rfc));
2743 rfc.mode = pi->mode;
2746 if (result == L2CAP_CONF_SUCCESS)
2747 pi->conf_state |= L2CAP_CONF_OUTPUT_DONE;
2749 rsp->scid = cpu_to_le16(pi->dcid);
2750 rsp->result = cpu_to_le16(result);
2751 rsp->flags = cpu_to_le16(0x0000);
2756 static int l2cap_parse_conf_rsp(struct sock *sk, void *rsp, int len, void *data, u16 *result)
2758 struct l2cap_pinfo *pi = l2cap_pi(sk);
2759 struct l2cap_conf_req *req = data;
2760 void *ptr = req->data;
2763 struct l2cap_conf_rfc rfc;
2765 BT_DBG("sk %p, rsp %p, len %d, req %p", sk, rsp, len, data);
2767 while (len >= L2CAP_CONF_OPT_SIZE) {
2768 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2771 case L2CAP_CONF_MTU:
2772 if (val < L2CAP_DEFAULT_MIN_MTU) {
2773 *result = L2CAP_CONF_UNACCEPT;
2774 pi->omtu = L2CAP_DEFAULT_MIN_MTU;
2777 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->omtu);
2780 case L2CAP_CONF_FLUSH_TO:
2782 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
2786 case L2CAP_CONF_RFC:
2787 if (olen == sizeof(rfc))
2788 memcpy(&rfc, (void *)val, olen);
2790 if ((pi->conf_state & L2CAP_CONF_STATE2_DEVICE) &&
2791 rfc.mode != pi->mode)
2792 return -ECONNREFUSED;
2796 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2797 sizeof(rfc), (unsigned long) &rfc);
2802 if (pi->mode == L2CAP_MODE_BASIC && pi->mode != rfc.mode)
2803 return -ECONNREFUSED;
2805 pi->mode = rfc.mode;
2807 if (*result == L2CAP_CONF_SUCCESS) {
2809 case L2CAP_MODE_ERTM:
2810 pi->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2811 pi->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2812 pi->mps = le16_to_cpu(rfc.max_pdu_size);
2814 case L2CAP_MODE_STREAMING:
2815 pi->mps = le16_to_cpu(rfc.max_pdu_size);
2819 req->dcid = cpu_to_le16(pi->dcid);
2820 req->flags = cpu_to_le16(0x0000);
2825 static int l2cap_build_conf_rsp(struct sock *sk, void *data, u16 result, u16 flags)
2827 struct l2cap_conf_rsp *rsp = data;
2828 void *ptr = rsp->data;
2830 BT_DBG("sk %p", sk);
2832 rsp->scid = cpu_to_le16(l2cap_pi(sk)->dcid);
2833 rsp->result = cpu_to_le16(result);
2834 rsp->flags = cpu_to_le16(flags);
2839 static void l2cap_conf_rfc_get(struct sock *sk, void *rsp, int len)
2841 struct l2cap_pinfo *pi = l2cap_pi(sk);
2844 struct l2cap_conf_rfc rfc;
2846 BT_DBG("sk %p, rsp %p, len %d", sk, rsp, len);
2848 if ((pi->mode != L2CAP_MODE_ERTM) && (pi->mode != L2CAP_MODE_STREAMING))
2851 while (len >= L2CAP_CONF_OPT_SIZE) {
2852 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2855 case L2CAP_CONF_RFC:
2856 if (olen == sizeof(rfc))
2857 memcpy(&rfc, (void *)val, olen);
2864 case L2CAP_MODE_ERTM:
2865 pi->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2866 pi->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2867 pi->mps = le16_to_cpu(rfc.max_pdu_size);
2869 case L2CAP_MODE_STREAMING:
2870 pi->mps = le16_to_cpu(rfc.max_pdu_size);
2874 static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2876 struct l2cap_cmd_rej *rej = (struct l2cap_cmd_rej *) data;
2878 if (rej->reason != 0x0000)
2881 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2882 cmd->ident == conn->info_ident) {
2883 del_timer(&conn->info_timer);
2885 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2886 conn->info_ident = 0;
2888 l2cap_conn_start(conn);
2894 static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2896 struct l2cap_chan_list *list = &conn->chan_list;
2897 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
2898 struct l2cap_conn_rsp rsp;
2899 struct sock *parent, *uninitialized_var(sk);
2900 int result, status = L2CAP_CS_NO_INFO;
2902 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
2903 __le16 psm = req->psm;
2905 BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
2907 /* Check if we have socket listening on psm */
2908 parent = l2cap_get_sock_by_psm(BT_LISTEN, psm, conn->src);
2910 result = L2CAP_CR_BAD_PSM;
2914 /* Check if the ACL is secure enough (if not SDP) */
2915 if (psm != cpu_to_le16(0x0001) &&
2916 !hci_conn_check_link_mode(conn->hcon)) {
2917 conn->disc_reason = 0x05;
2918 result = L2CAP_CR_SEC_BLOCK;
2922 result = L2CAP_CR_NO_MEM;
2924 /* Check for backlog size */
2925 if (sk_acceptq_is_full(parent)) {
2926 BT_DBG("backlog full %d", parent->sk_ack_backlog);
2930 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP, GFP_ATOMIC);
2934 write_lock_bh(&list->lock);
2936 /* Check if we already have channel with that dcid */
2937 if (__l2cap_get_chan_by_dcid(list, scid)) {
2938 write_unlock_bh(&list->lock);
2939 sock_set_flag(sk, SOCK_ZAPPED);
2940 l2cap_sock_kill(sk);
2944 hci_conn_hold(conn->hcon);
2946 l2cap_sock_init(sk, parent);
2947 bacpy(&bt_sk(sk)->src, conn->src);
2948 bacpy(&bt_sk(sk)->dst, conn->dst);
2949 l2cap_pi(sk)->psm = psm;
2950 l2cap_pi(sk)->dcid = scid;
2952 __l2cap_chan_add(conn, sk, parent);
2953 dcid = l2cap_pi(sk)->scid;
2955 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
2957 l2cap_pi(sk)->ident = cmd->ident;
2959 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
2960 if (l2cap_check_security(sk)) {
2961 if (bt_sk(sk)->defer_setup) {
2962 sk->sk_state = BT_CONNECT2;
2963 result = L2CAP_CR_PEND;
2964 status = L2CAP_CS_AUTHOR_PEND;
2965 parent->sk_data_ready(parent, 0);
2967 sk->sk_state = BT_CONFIG;
2968 result = L2CAP_CR_SUCCESS;
2969 status = L2CAP_CS_NO_INFO;
2972 sk->sk_state = BT_CONNECT2;
2973 result = L2CAP_CR_PEND;
2974 status = L2CAP_CS_AUTHEN_PEND;
2977 sk->sk_state = BT_CONNECT2;
2978 result = L2CAP_CR_PEND;
2979 status = L2CAP_CS_NO_INFO;
2982 write_unlock_bh(&list->lock);
2985 bh_unlock_sock(parent);
2988 rsp.scid = cpu_to_le16(scid);
2989 rsp.dcid = cpu_to_le16(dcid);
2990 rsp.result = cpu_to_le16(result);
2991 rsp.status = cpu_to_le16(status);
2992 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2994 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
2995 struct l2cap_info_req info;
2996 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2998 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
2999 conn->info_ident = l2cap_get_ident(conn);
3001 mod_timer(&conn->info_timer, jiffies +
3002 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
3004 l2cap_send_cmd(conn, conn->info_ident,
3005 L2CAP_INFO_REQ, sizeof(info), &info);
3008 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT) &&
3009 result == L2CAP_CR_SUCCESS) {
3011 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
3012 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3013 l2cap_build_conf_req(sk, buf), buf);
3014 l2cap_pi(sk)->num_conf_req++;
3020 static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3022 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3023 u16 scid, dcid, result, status;
3027 scid = __le16_to_cpu(rsp->scid);
3028 dcid = __le16_to_cpu(rsp->dcid);
3029 result = __le16_to_cpu(rsp->result);
3030 status = __le16_to_cpu(rsp->status);
3032 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status);
3035 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
3039 sk = l2cap_get_chan_by_ident(&conn->chan_list, cmd->ident);
3045 case L2CAP_CR_SUCCESS:
3046 sk->sk_state = BT_CONFIG;
3047 l2cap_pi(sk)->ident = 0;
3048 l2cap_pi(sk)->dcid = dcid;
3049 l2cap_pi(sk)->conf_state &= ~L2CAP_CONF_CONNECT_PEND;
3051 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT)
3054 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
3056 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3057 l2cap_build_conf_req(sk, req), req);
3058 l2cap_pi(sk)->num_conf_req++;
3062 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
3066 l2cap_chan_del(sk, ECONNREFUSED);
3074 static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
3076 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
3082 dcid = __le16_to_cpu(req->dcid);
3083 flags = __le16_to_cpu(req->flags);
3085 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
3087 sk = l2cap_get_chan_by_scid(&conn->chan_list, dcid);
3091 if (sk->sk_state != BT_CONFIG) {
3092 struct l2cap_cmd_rej rej;
3094 rej.reason = cpu_to_le16(0x0002);
3095 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
3100 /* Reject if config buffer is too small. */
3101 len = cmd_len - sizeof(*req);
3102 if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
3103 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3104 l2cap_build_conf_rsp(sk, rsp,
3105 L2CAP_CONF_REJECT, flags), rsp);
3110 memcpy(l2cap_pi(sk)->conf_req + l2cap_pi(sk)->conf_len, req->data, len);
3111 l2cap_pi(sk)->conf_len += len;
3113 if (flags & 0x0001) {
3114 /* Incomplete config. Send empty response. */
3115 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3116 l2cap_build_conf_rsp(sk, rsp,
3117 L2CAP_CONF_SUCCESS, 0x0001), rsp);
3121 /* Complete config. */
3122 len = l2cap_parse_conf_req(sk, rsp);
3124 l2cap_send_disconn_req(conn, sk, ECONNRESET);
3128 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
3129 l2cap_pi(sk)->num_conf_rsp++;
3131 /* Reset config buffer. */
3132 l2cap_pi(sk)->conf_len = 0;
3134 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE))
3137 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_INPUT_DONE) {
3138 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_NO_FCS_RECV) ||
3139 l2cap_pi(sk)->fcs != L2CAP_FCS_NONE)
3140 l2cap_pi(sk)->fcs = L2CAP_FCS_CRC16;
3142 sk->sk_state = BT_CONNECTED;
3144 l2cap_pi(sk)->next_tx_seq = 0;
3145 l2cap_pi(sk)->expected_tx_seq = 0;
3146 __skb_queue_head_init(TX_QUEUE(sk));
3147 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM)
3148 l2cap_ertm_init(sk);
3150 l2cap_chan_ready(sk);
3154 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT)) {
3156 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3157 l2cap_build_conf_req(sk, buf), buf);
3158 l2cap_pi(sk)->num_conf_req++;
3166 static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3168 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
3169 u16 scid, flags, result;
3171 int len = cmd->len - sizeof(*rsp);
3173 scid = __le16_to_cpu(rsp->scid);
3174 flags = __le16_to_cpu(rsp->flags);
3175 result = __le16_to_cpu(rsp->result);
3177 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x",
3178 scid, flags, result);
3180 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
3185 case L2CAP_CONF_SUCCESS:
3186 l2cap_conf_rfc_get(sk, rsp->data, len);
3189 case L2CAP_CONF_UNACCEPT:
3190 if (l2cap_pi(sk)->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
3193 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
3194 l2cap_send_disconn_req(conn, sk, ECONNRESET);
3198 /* throw out any old stored conf requests */
3199 result = L2CAP_CONF_SUCCESS;
3200 len = l2cap_parse_conf_rsp(sk, rsp->data,
3203 l2cap_send_disconn_req(conn, sk, ECONNRESET);
3207 l2cap_send_cmd(conn, l2cap_get_ident(conn),
3208 L2CAP_CONF_REQ, len, req);
3209 l2cap_pi(sk)->num_conf_req++;
3210 if (result != L2CAP_CONF_SUCCESS)
3216 sk->sk_err = ECONNRESET;
3217 l2cap_sock_set_timer(sk, HZ * 5);
3218 l2cap_send_disconn_req(conn, sk, ECONNRESET);
3225 l2cap_pi(sk)->conf_state |= L2CAP_CONF_INPUT_DONE;
3227 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE) {
3228 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_NO_FCS_RECV) ||
3229 l2cap_pi(sk)->fcs != L2CAP_FCS_NONE)
3230 l2cap_pi(sk)->fcs = L2CAP_FCS_CRC16;
3232 sk->sk_state = BT_CONNECTED;
3233 l2cap_pi(sk)->next_tx_seq = 0;
3234 l2cap_pi(sk)->expected_tx_seq = 0;
3235 __skb_queue_head_init(TX_QUEUE(sk));
3236 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM)
3237 l2cap_ertm_init(sk);
3239 l2cap_chan_ready(sk);
3247 static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3249 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
3250 struct l2cap_disconn_rsp rsp;
3254 scid = __le16_to_cpu(req->scid);
3255 dcid = __le16_to_cpu(req->dcid);
3257 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
3259 sk = l2cap_get_chan_by_scid(&conn->chan_list, dcid);
3263 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
3264 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
3265 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
3267 sk->sk_shutdown = SHUTDOWN_MASK;
3269 l2cap_chan_del(sk, ECONNRESET);
3272 l2cap_sock_kill(sk);
3276 static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3278 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
3282 scid = __le16_to_cpu(rsp->scid);
3283 dcid = __le16_to_cpu(rsp->dcid);
3285 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
3287 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
3291 l2cap_chan_del(sk, 0);
3294 l2cap_sock_kill(sk);
3298 static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3300 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
3303 type = __le16_to_cpu(req->type);
3305 BT_DBG("type 0x%4.4x", type);
3307 if (type == L2CAP_IT_FEAT_MASK) {
3309 u32 feat_mask = l2cap_feat_mask;
3310 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
3311 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3312 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
3314 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
3316 put_unaligned_le32(feat_mask, rsp->data);
3317 l2cap_send_cmd(conn, cmd->ident,
3318 L2CAP_INFO_RSP, sizeof(buf), buf);
3319 } else if (type == L2CAP_IT_FIXED_CHAN) {
3321 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
3322 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3323 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
3324 memcpy(buf + 4, l2cap_fixed_chan, 8);
3325 l2cap_send_cmd(conn, cmd->ident,
3326 L2CAP_INFO_RSP, sizeof(buf), buf);
3328 struct l2cap_info_rsp rsp;
3329 rsp.type = cpu_to_le16(type);
3330 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
3331 l2cap_send_cmd(conn, cmd->ident,
3332 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
3338 static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3340 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
3343 type = __le16_to_cpu(rsp->type);
3344 result = __le16_to_cpu(rsp->result);
3346 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
3348 del_timer(&conn->info_timer);
3350 if (result != L2CAP_IR_SUCCESS) {
3351 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3352 conn->info_ident = 0;
3354 l2cap_conn_start(conn);
3359 if (type == L2CAP_IT_FEAT_MASK) {
3360 conn->feat_mask = get_unaligned_le32(rsp->data);
3362 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
3363 struct l2cap_info_req req;
3364 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3366 conn->info_ident = l2cap_get_ident(conn);
3368 l2cap_send_cmd(conn, conn->info_ident,
3369 L2CAP_INFO_REQ, sizeof(req), &req);
3371 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3372 conn->info_ident = 0;
3374 l2cap_conn_start(conn);
3376 } else if (type == L2CAP_IT_FIXED_CHAN) {
3377 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3378 conn->info_ident = 0;
3380 l2cap_conn_start(conn);
3386 static inline void l2cap_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb)
3388 u8 *data = skb->data;
3390 struct l2cap_cmd_hdr cmd;
3393 l2cap_raw_recv(conn, skb);
3395 while (len >= L2CAP_CMD_HDR_SIZE) {
3397 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
3398 data += L2CAP_CMD_HDR_SIZE;
3399 len -= L2CAP_CMD_HDR_SIZE;
3401 cmd_len = le16_to_cpu(cmd.len);
3403 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
3405 if (cmd_len > len || !cmd.ident) {
3406 BT_DBG("corrupted command");
3411 case L2CAP_COMMAND_REJ:
3412 l2cap_command_rej(conn, &cmd, data);
3415 case L2CAP_CONN_REQ:
3416 err = l2cap_connect_req(conn, &cmd, data);
3419 case L2CAP_CONN_RSP:
3420 err = l2cap_connect_rsp(conn, &cmd, data);
3423 case L2CAP_CONF_REQ:
3424 err = l2cap_config_req(conn, &cmd, cmd_len, data);
3427 case L2CAP_CONF_RSP:
3428 err = l2cap_config_rsp(conn, &cmd, data);
3431 case L2CAP_DISCONN_REQ:
3432 err = l2cap_disconnect_req(conn, &cmd, data);
3435 case L2CAP_DISCONN_RSP:
3436 err = l2cap_disconnect_rsp(conn, &cmd, data);
3439 case L2CAP_ECHO_REQ:
3440 l2cap_send_cmd(conn, cmd.ident, L2CAP_ECHO_RSP, cmd_len, data);
3443 case L2CAP_ECHO_RSP:
3446 case L2CAP_INFO_REQ:
3447 err = l2cap_information_req(conn, &cmd, data);
3450 case L2CAP_INFO_RSP:
3451 err = l2cap_information_rsp(conn, &cmd, data);
3455 BT_ERR("Unknown signaling command 0x%2.2x", cmd.code);
3461 struct l2cap_cmd_rej rej;
3462 BT_DBG("error %d", err);
3464 /* FIXME: Map err to a valid reason */
3465 rej.reason = cpu_to_le16(0);
3466 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3476 static int l2cap_check_fcs(struct l2cap_pinfo *pi, struct sk_buff *skb)
3478 u16 our_fcs, rcv_fcs;
3479 int hdr_size = L2CAP_HDR_SIZE + 2;
3481 if (pi->fcs == L2CAP_FCS_CRC16) {
3482 skb_trim(skb, skb->len - 2);
3483 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
3484 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
3486 if (our_fcs != rcv_fcs)
3492 static inline void l2cap_send_i_or_rr_or_rnr(struct sock *sk)
3494 struct l2cap_pinfo *pi = l2cap_pi(sk);
3497 pi->frames_sent = 0;
3499 control |= pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3501 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) {
3502 control |= L2CAP_SUPER_RCV_NOT_READY;
3503 l2cap_send_sframe(pi, control);
3504 pi->conn_state |= L2CAP_CONN_RNR_SENT;
3507 if (pi->conn_state & L2CAP_CONN_REMOTE_BUSY)
3508 l2cap_retransmit_frames(sk);
3510 l2cap_ertm_send(sk);
3512 if (!(pi->conn_state & L2CAP_CONN_LOCAL_BUSY) &&
3513 pi->frames_sent == 0) {
3514 control |= L2CAP_SUPER_RCV_READY;
3515 l2cap_send_sframe(pi, control);
3519 static int l2cap_add_to_srej_queue(struct sock *sk, struct sk_buff *skb, u8 tx_seq, u8 sar)
3521 struct sk_buff *next_skb;
3522 struct l2cap_pinfo *pi = l2cap_pi(sk);
3523 int tx_seq_offset, next_tx_seq_offset;
3525 bt_cb(skb)->tx_seq = tx_seq;
3526 bt_cb(skb)->sar = sar;
3528 next_skb = skb_peek(SREJ_QUEUE(sk));
3530 __skb_queue_tail(SREJ_QUEUE(sk), skb);
3534 tx_seq_offset = (tx_seq - pi->buffer_seq) % 64;
3535 if (tx_seq_offset < 0)
3536 tx_seq_offset += 64;
3539 if (bt_cb(next_skb)->tx_seq == tx_seq)
3542 next_tx_seq_offset = (bt_cb(next_skb)->tx_seq -
3543 pi->buffer_seq) % 64;
3544 if (next_tx_seq_offset < 0)
3545 next_tx_seq_offset += 64;
3547 if (next_tx_seq_offset > tx_seq_offset) {
3548 __skb_queue_before(SREJ_QUEUE(sk), next_skb, skb);
3552 if (skb_queue_is_last(SREJ_QUEUE(sk), next_skb))
3555 } while ((next_skb = skb_queue_next(SREJ_QUEUE(sk), next_skb)));
3557 __skb_queue_tail(SREJ_QUEUE(sk), skb);
3562 static int l2cap_ertm_reassembly_sdu(struct sock *sk, struct sk_buff *skb, u16 control)
3564 struct l2cap_pinfo *pi = l2cap_pi(sk);
3565 struct sk_buff *_skb;
3568 switch (control & L2CAP_CTRL_SAR) {
3569 case L2CAP_SDU_UNSEGMENTED:
3570 if (pi->conn_state & L2CAP_CONN_SAR_SDU)
3573 err = sock_queue_rcv_skb(sk, skb);
3579 case L2CAP_SDU_START:
3580 if (pi->conn_state & L2CAP_CONN_SAR_SDU)
3583 pi->sdu_len = get_unaligned_le16(skb->data);
3585 if (pi->sdu_len > pi->imtu)
3588 pi->sdu = bt_skb_alloc(pi->sdu_len, GFP_ATOMIC);
3592 /* pull sdu_len bytes only after alloc, because of Local Busy
3593 * condition we have to be sure that this will be executed
3594 * only once, i.e., when alloc does not fail */
3597 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3599 pi->conn_state |= L2CAP_CONN_SAR_SDU;
3600 pi->partial_sdu_len = skb->len;
3603 case L2CAP_SDU_CONTINUE:
3604 if (!(pi->conn_state & L2CAP_CONN_SAR_SDU))
3610 pi->partial_sdu_len += skb->len;
3611 if (pi->partial_sdu_len > pi->sdu_len)
3614 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3619 if (!(pi->conn_state & L2CAP_CONN_SAR_SDU))
3625 if (!(pi->conn_state & L2CAP_CONN_SAR_RETRY)) {
3626 pi->partial_sdu_len += skb->len;
3628 if (pi->partial_sdu_len > pi->imtu)
3631 if (pi->partial_sdu_len != pi->sdu_len)
3634 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3637 _skb = skb_clone(pi->sdu, GFP_ATOMIC);
3639 pi->conn_state |= L2CAP_CONN_SAR_RETRY;
3643 err = sock_queue_rcv_skb(sk, _skb);
3646 pi->conn_state |= L2CAP_CONN_SAR_RETRY;
3650 pi->conn_state &= ~L2CAP_CONN_SAR_RETRY;
3651 pi->conn_state &= ~L2CAP_CONN_SAR_SDU;
3665 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
3670 static int l2cap_try_push_rx_skb(struct sock *sk)
3672 struct l2cap_pinfo *pi = l2cap_pi(sk);
3673 struct sk_buff *skb;
3677 while ((skb = skb_dequeue(BUSY_QUEUE(sk)))) {
3678 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
3679 err = l2cap_ertm_reassembly_sdu(sk, skb, control);
3681 skb_queue_head(BUSY_QUEUE(sk), skb);
3685 pi->buffer_seq = (pi->buffer_seq + 1) % 64;
3688 if (!(pi->conn_state & L2CAP_CONN_RNR_SENT))
3691 control = pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3692 control |= L2CAP_SUPER_RCV_READY | L2CAP_CTRL_POLL;
3693 l2cap_send_sframe(pi, control);
3694 l2cap_pi(sk)->retry_count = 1;
3696 del_timer(&pi->retrans_timer);
3697 __mod_monitor_timer();
3699 l2cap_pi(sk)->conn_state |= L2CAP_CONN_WAIT_F;
3702 pi->conn_state &= ~L2CAP_CONN_LOCAL_BUSY;
3703 pi->conn_state &= ~L2CAP_CONN_RNR_SENT;
3705 BT_DBG("sk %p, Exit local busy", sk);
3710 static void l2cap_busy_work(struct work_struct *work)
3712 DECLARE_WAITQUEUE(wait, current);
3713 struct l2cap_pinfo *pi =
3714 container_of(work, struct l2cap_pinfo, busy_work);
3715 struct sock *sk = (struct sock *)pi;
3716 int n_tries = 0, timeo = HZ/5, err;
3717 struct sk_buff *skb;
3721 add_wait_queue(sk_sleep(sk), &wait);
3722 while ((skb = skb_peek(BUSY_QUEUE(sk)))) {
3723 set_current_state(TASK_INTERRUPTIBLE);
3725 if (n_tries++ > L2CAP_LOCAL_BUSY_TRIES) {
3727 l2cap_send_disconn_req(pi->conn, sk, EBUSY);
3734 if (signal_pending(current)) {
3735 err = sock_intr_errno(timeo);
3740 timeo = schedule_timeout(timeo);
3743 err = sock_error(sk);
3747 if (l2cap_try_push_rx_skb(sk) == 0)
3751 set_current_state(TASK_RUNNING);
3752 remove_wait_queue(sk_sleep(sk), &wait);
3757 static int l2cap_push_rx_skb(struct sock *sk, struct sk_buff *skb, u16 control)
3759 struct l2cap_pinfo *pi = l2cap_pi(sk);
3762 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) {
3763 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
3764 __skb_queue_tail(BUSY_QUEUE(sk), skb);
3765 return l2cap_try_push_rx_skb(sk);
3770 err = l2cap_ertm_reassembly_sdu(sk, skb, control);
3772 pi->buffer_seq = (pi->buffer_seq + 1) % 64;
3776 /* Busy Condition */
3777 BT_DBG("sk %p, Enter local busy", sk);
3779 pi->conn_state |= L2CAP_CONN_LOCAL_BUSY;
3780 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
3781 __skb_queue_tail(BUSY_QUEUE(sk), skb);
3783 sctrl = pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3784 sctrl |= L2CAP_SUPER_RCV_NOT_READY;
3785 l2cap_send_sframe(pi, sctrl);
3787 pi->conn_state |= L2CAP_CONN_RNR_SENT;
3789 del_timer(&pi->ack_timer);
3791 queue_work(_busy_wq, &pi->busy_work);
3796 static int l2cap_streaming_reassembly_sdu(struct sock *sk, struct sk_buff *skb, u16 control)
3798 struct l2cap_pinfo *pi = l2cap_pi(sk);
3799 struct sk_buff *_skb;
3803 * TODO: We have to notify the userland if some data is lost with the
3807 switch (control & L2CAP_CTRL_SAR) {
3808 case L2CAP_SDU_UNSEGMENTED:
3809 if (pi->conn_state & L2CAP_CONN_SAR_SDU) {
3814 err = sock_queue_rcv_skb(sk, skb);
3820 case L2CAP_SDU_START:
3821 if (pi->conn_state & L2CAP_CONN_SAR_SDU) {
3826 pi->sdu_len = get_unaligned_le16(skb->data);
3829 if (pi->sdu_len > pi->imtu) {
3834 pi->sdu = bt_skb_alloc(pi->sdu_len, GFP_ATOMIC);
3840 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3842 pi->conn_state |= L2CAP_CONN_SAR_SDU;
3843 pi->partial_sdu_len = skb->len;
3847 case L2CAP_SDU_CONTINUE:
3848 if (!(pi->conn_state & L2CAP_CONN_SAR_SDU))
3851 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3853 pi->partial_sdu_len += skb->len;
3854 if (pi->partial_sdu_len > pi->sdu_len)
3862 if (!(pi->conn_state & L2CAP_CONN_SAR_SDU))
3865 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3867 pi->conn_state &= ~L2CAP_CONN_SAR_SDU;
3868 pi->partial_sdu_len += skb->len;
3870 if (pi->partial_sdu_len > pi->imtu)
3873 if (pi->partial_sdu_len == pi->sdu_len) {
3874 _skb = skb_clone(pi->sdu, GFP_ATOMIC);
3875 err = sock_queue_rcv_skb(sk, _skb);
3890 static void l2cap_check_srej_gap(struct sock *sk, u8 tx_seq)
3892 struct sk_buff *skb;
3895 while ((skb = skb_peek(SREJ_QUEUE(sk)))) {
3896 if (bt_cb(skb)->tx_seq != tx_seq)
3899 skb = skb_dequeue(SREJ_QUEUE(sk));
3900 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
3901 l2cap_ertm_reassembly_sdu(sk, skb, control);
3902 l2cap_pi(sk)->buffer_seq_srej =
3903 (l2cap_pi(sk)->buffer_seq_srej + 1) % 64;
3904 tx_seq = (tx_seq + 1) % 64;
3908 static void l2cap_resend_srejframe(struct sock *sk, u8 tx_seq)
3910 struct l2cap_pinfo *pi = l2cap_pi(sk);
3911 struct srej_list *l, *tmp;
3914 list_for_each_entry_safe(l, tmp, SREJ_LIST(sk), list) {
3915 if (l->tx_seq == tx_seq) {
3920 control = L2CAP_SUPER_SELECT_REJECT;
3921 control |= l->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3922 l2cap_send_sframe(pi, control);
3924 list_add_tail(&l->list, SREJ_LIST(sk));
3928 static void l2cap_send_srejframe(struct sock *sk, u8 tx_seq)
3930 struct l2cap_pinfo *pi = l2cap_pi(sk);
3931 struct srej_list *new;
3934 while (tx_seq != pi->expected_tx_seq) {
3935 control = L2CAP_SUPER_SELECT_REJECT;
3936 control |= pi->expected_tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3937 l2cap_send_sframe(pi, control);
3939 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
3940 new->tx_seq = pi->expected_tx_seq;
3941 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
3942 list_add_tail(&new->list, SREJ_LIST(sk));
3944 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
3947 static inline int l2cap_data_channel_iframe(struct sock *sk, u16 rx_control, struct sk_buff *skb)
3949 struct l2cap_pinfo *pi = l2cap_pi(sk);
3950 u8 tx_seq = __get_txseq(rx_control);
3951 u8 req_seq = __get_reqseq(rx_control);
3952 u8 sar = rx_control >> L2CAP_CTRL_SAR_SHIFT;
3953 int tx_seq_offset, expected_tx_seq_offset;
3954 int num_to_ack = (pi->tx_win/6) + 1;
3957 BT_DBG("sk %p len %d tx_seq %d rx_control 0x%4.4x", sk, skb->len, tx_seq,
3960 if (L2CAP_CTRL_FINAL & rx_control &&
3961 l2cap_pi(sk)->conn_state & L2CAP_CONN_WAIT_F) {
3962 del_timer(&pi->monitor_timer);
3963 if (pi->unacked_frames > 0)
3964 __mod_retrans_timer();
3965 pi->conn_state &= ~L2CAP_CONN_WAIT_F;
3968 pi->expected_ack_seq = req_seq;
3969 l2cap_drop_acked_frames(sk);
3971 if (tx_seq == pi->expected_tx_seq)
3974 tx_seq_offset = (tx_seq - pi->buffer_seq) % 64;
3975 if (tx_seq_offset < 0)
3976 tx_seq_offset += 64;
3978 /* invalid tx_seq */
3979 if (tx_seq_offset >= pi->tx_win) {
3980 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
3984 if (pi->conn_state == L2CAP_CONN_LOCAL_BUSY)
3987 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
3988 struct srej_list *first;
3990 first = list_first_entry(SREJ_LIST(sk),
3991 struct srej_list, list);
3992 if (tx_seq == first->tx_seq) {
3993 l2cap_add_to_srej_queue(sk, skb, tx_seq, sar);
3994 l2cap_check_srej_gap(sk, tx_seq);
3996 list_del(&first->list);
3999 if (list_empty(SREJ_LIST(sk))) {
4000 pi->buffer_seq = pi->buffer_seq_srej;
4001 pi->conn_state &= ~L2CAP_CONN_SREJ_SENT;
4003 BT_DBG("sk %p, Exit SREJ_SENT", sk);
4006 struct srej_list *l;
4008 /* duplicated tx_seq */
4009 if (l2cap_add_to_srej_queue(sk, skb, tx_seq, sar) < 0)
4012 list_for_each_entry(l, SREJ_LIST(sk), list) {
4013 if (l->tx_seq == tx_seq) {
4014 l2cap_resend_srejframe(sk, tx_seq);
4018 l2cap_send_srejframe(sk, tx_seq);
4021 expected_tx_seq_offset =
4022 (pi->expected_tx_seq - pi->buffer_seq) % 64;
4023 if (expected_tx_seq_offset < 0)
4024 expected_tx_seq_offset += 64;
4026 /* duplicated tx_seq */
4027 if (tx_seq_offset < expected_tx_seq_offset)
4030 pi->conn_state |= L2CAP_CONN_SREJ_SENT;
4032 BT_DBG("sk %p, Enter SREJ", sk);
4034 INIT_LIST_HEAD(SREJ_LIST(sk));
4035 pi->buffer_seq_srej = pi->buffer_seq;
4037 __skb_queue_head_init(SREJ_QUEUE(sk));
4038 __skb_queue_head_init(BUSY_QUEUE(sk));
4039 l2cap_add_to_srej_queue(sk, skb, tx_seq, sar);
4041 pi->conn_state |= L2CAP_CONN_SEND_PBIT;
4043 l2cap_send_srejframe(sk, tx_seq);
4045 del_timer(&pi->ack_timer);
4050 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
4052 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
4053 bt_cb(skb)->tx_seq = tx_seq;
4054 bt_cb(skb)->sar = sar;
4055 __skb_queue_tail(SREJ_QUEUE(sk), skb);
4059 err = l2cap_push_rx_skb(sk, skb, rx_control);
4063 if (rx_control & L2CAP_CTRL_FINAL) {
4064 if (pi->conn_state & L2CAP_CONN_REJ_ACT)
4065 pi->conn_state &= ~L2CAP_CONN_REJ_ACT;
4067 l2cap_retransmit_frames(sk);
4072 pi->num_acked = (pi->num_acked + 1) % num_to_ack;
4073 if (pi->num_acked == num_to_ack - 1)
4083 static inline void l2cap_data_channel_rrframe(struct sock *sk, u16 rx_control)
4085 struct l2cap_pinfo *pi = l2cap_pi(sk);
4087 BT_DBG("sk %p, req_seq %d ctrl 0x%4.4x", sk, __get_reqseq(rx_control),
4090 pi->expected_ack_seq = __get_reqseq(rx_control);
4091 l2cap_drop_acked_frames(sk);
4093 if (rx_control & L2CAP_CTRL_POLL) {
4094 pi->conn_state |= L2CAP_CONN_SEND_FBIT;
4095 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
4096 if ((pi->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
4097 (pi->unacked_frames > 0))
4098 __mod_retrans_timer();
4100 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
4101 l2cap_send_srejtail(sk);
4103 l2cap_send_i_or_rr_or_rnr(sk);
4106 } else if (rx_control & L2CAP_CTRL_FINAL) {
4107 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
4109 if (pi->conn_state & L2CAP_CONN_REJ_ACT)
4110 pi->conn_state &= ~L2CAP_CONN_REJ_ACT;
4112 l2cap_retransmit_frames(sk);
4115 if ((pi->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
4116 (pi->unacked_frames > 0))
4117 __mod_retrans_timer();
4119 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
4120 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
4123 l2cap_ertm_send(sk);
4128 static inline void l2cap_data_channel_rejframe(struct sock *sk, u16 rx_control)
4130 struct l2cap_pinfo *pi = l2cap_pi(sk);
4131 u8 tx_seq = __get_reqseq(rx_control);
4133 BT_DBG("sk %p, req_seq %d ctrl 0x%4.4x", sk, tx_seq, rx_control);
4135 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
4137 pi->expected_ack_seq = tx_seq;
4138 l2cap_drop_acked_frames(sk);
4140 if (rx_control & L2CAP_CTRL_FINAL) {
4141 if (pi->conn_state & L2CAP_CONN_REJ_ACT)
4142 pi->conn_state &= ~L2CAP_CONN_REJ_ACT;
4144 l2cap_retransmit_frames(sk);
4146 l2cap_retransmit_frames(sk);
4148 if (pi->conn_state & L2CAP_CONN_WAIT_F)
4149 pi->conn_state |= L2CAP_CONN_REJ_ACT;
4152 static inline void l2cap_data_channel_srejframe(struct sock *sk, u16 rx_control)
4154 struct l2cap_pinfo *pi = l2cap_pi(sk);
4155 u8 tx_seq = __get_reqseq(rx_control);
4157 BT_DBG("sk %p, req_seq %d ctrl 0x%4.4x", sk, tx_seq, rx_control);
4159 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
4161 if (rx_control & L2CAP_CTRL_POLL) {
4162 pi->expected_ack_seq = tx_seq;
4163 l2cap_drop_acked_frames(sk);
4165 pi->conn_state |= L2CAP_CONN_SEND_FBIT;
4166 l2cap_retransmit_one_frame(sk, tx_seq);
4168 l2cap_ertm_send(sk);
4170 if (pi->conn_state & L2CAP_CONN_WAIT_F) {
4171 pi->srej_save_reqseq = tx_seq;
4172 pi->conn_state |= L2CAP_CONN_SREJ_ACT;
4174 } else if (rx_control & L2CAP_CTRL_FINAL) {
4175 if ((pi->conn_state & L2CAP_CONN_SREJ_ACT) &&
4176 pi->srej_save_reqseq == tx_seq)
4177 pi->conn_state &= ~L2CAP_CONN_SREJ_ACT;
4179 l2cap_retransmit_one_frame(sk, tx_seq);
4181 l2cap_retransmit_one_frame(sk, tx_seq);
4182 if (pi->conn_state & L2CAP_CONN_WAIT_F) {
4183 pi->srej_save_reqseq = tx_seq;
4184 pi->conn_state |= L2CAP_CONN_SREJ_ACT;
4189 static inline void l2cap_data_channel_rnrframe(struct sock *sk, u16 rx_control)
4191 struct l2cap_pinfo *pi = l2cap_pi(sk);
4192 u8 tx_seq = __get_reqseq(rx_control);
4194 BT_DBG("sk %p, req_seq %d ctrl 0x%4.4x", sk, tx_seq, rx_control);
4196 pi->conn_state |= L2CAP_CONN_REMOTE_BUSY;
4197 pi->expected_ack_seq = tx_seq;
4198 l2cap_drop_acked_frames(sk);
4200 if (rx_control & L2CAP_CTRL_POLL)
4201 pi->conn_state |= L2CAP_CONN_SEND_FBIT;
4203 if (!(pi->conn_state & L2CAP_CONN_SREJ_SENT)) {
4204 del_timer(&pi->retrans_timer);
4205 if (rx_control & L2CAP_CTRL_POLL)
4206 l2cap_send_rr_or_rnr(pi, L2CAP_CTRL_FINAL);
4210 if (rx_control & L2CAP_CTRL_POLL)
4211 l2cap_send_srejtail(sk);
4213 l2cap_send_sframe(pi, L2CAP_SUPER_RCV_READY);
4216 static inline int l2cap_data_channel_sframe(struct sock *sk, u16 rx_control, struct sk_buff *skb)
4218 BT_DBG("sk %p rx_control 0x%4.4x len %d", sk, rx_control, skb->len);
4220 if (L2CAP_CTRL_FINAL & rx_control &&
4221 l2cap_pi(sk)->conn_state & L2CAP_CONN_WAIT_F) {
4222 del_timer(&l2cap_pi(sk)->monitor_timer);
4223 if (l2cap_pi(sk)->unacked_frames > 0)
4224 __mod_retrans_timer();
4225 l2cap_pi(sk)->conn_state &= ~L2CAP_CONN_WAIT_F;
4228 switch (rx_control & L2CAP_CTRL_SUPERVISE) {
4229 case L2CAP_SUPER_RCV_READY:
4230 l2cap_data_channel_rrframe(sk, rx_control);
4233 case L2CAP_SUPER_REJECT:
4234 l2cap_data_channel_rejframe(sk, rx_control);
4237 case L2CAP_SUPER_SELECT_REJECT:
4238 l2cap_data_channel_srejframe(sk, rx_control);
4241 case L2CAP_SUPER_RCV_NOT_READY:
4242 l2cap_data_channel_rnrframe(sk, rx_control);
4250 static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb)
4252 struct l2cap_pinfo *pi = l2cap_pi(sk);
4255 int len, next_tx_seq_offset, req_seq_offset;
4257 control = get_unaligned_le16(skb->data);
4262 * We can just drop the corrupted I-frame here.
4263 * Receiver will miss it and start proper recovery
4264 * procedures and ask retransmission.
4266 if (l2cap_check_fcs(pi, skb))
4269 if (__is_sar_start(control) && __is_iframe(control))
4272 if (pi->fcs == L2CAP_FCS_CRC16)
4275 if (len > pi->mps) {
4276 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
4280 req_seq = __get_reqseq(control);
4281 req_seq_offset = (req_seq - pi->expected_ack_seq) % 64;
4282 if (req_seq_offset < 0)
4283 req_seq_offset += 64;
4285 next_tx_seq_offset =
4286 (pi->next_tx_seq - pi->expected_ack_seq) % 64;
4287 if (next_tx_seq_offset < 0)
4288 next_tx_seq_offset += 64;
4290 /* check for invalid req-seq */
4291 if (req_seq_offset > next_tx_seq_offset) {
4292 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
4296 if (__is_iframe(control)) {
4298 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
4302 l2cap_data_channel_iframe(sk, control, skb);
4306 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
4310 l2cap_data_channel_sframe(sk, control, skb);
4320 static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
4323 struct l2cap_pinfo *pi;
4328 sk = l2cap_get_chan_by_scid(&conn->chan_list, cid);
4330 BT_DBG("unknown cid 0x%4.4x", cid);
4336 BT_DBG("sk %p, len %d", sk, skb->len);
4338 if (sk->sk_state != BT_CONNECTED)
4342 case L2CAP_MODE_BASIC:
4343 /* If socket recv buffers overflows we drop data here
4344 * which is *bad* because L2CAP has to be reliable.
4345 * But we don't have any other choice. L2CAP doesn't
4346 * provide flow control mechanism. */
4348 if (pi->imtu < skb->len)
4351 if (!sock_queue_rcv_skb(sk, skb))
4355 case L2CAP_MODE_ERTM:
4356 if (!sock_owned_by_user(sk)) {
4357 l2cap_ertm_data_rcv(sk, skb);
4359 if (sk_add_backlog(sk, skb))
4365 case L2CAP_MODE_STREAMING:
4366 control = get_unaligned_le16(skb->data);
4370 if (l2cap_check_fcs(pi, skb))
4373 if (__is_sar_start(control))
4376 if (pi->fcs == L2CAP_FCS_CRC16)
4379 if (len > pi->mps || len < 0 || __is_sframe(control))
4382 tx_seq = __get_txseq(control);
4384 if (pi->expected_tx_seq == tx_seq)
4385 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
4387 pi->expected_tx_seq = (tx_seq + 1) % 64;
4389 l2cap_streaming_reassembly_sdu(sk, skb, control);
4394 BT_DBG("sk %p: bad mode 0x%2.2x", sk, pi->mode);
4408 static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
4412 sk = l2cap_get_sock_by_psm(0, psm, conn->src);
4416 BT_DBG("sk %p, len %d", sk, skb->len);
4418 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_CONNECTED)
4421 if (l2cap_pi(sk)->imtu < skb->len)
4424 if (!sock_queue_rcv_skb(sk, skb))
4436 static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
4438 struct l2cap_hdr *lh = (void *) skb->data;
4442 skb_pull(skb, L2CAP_HDR_SIZE);
4443 cid = __le16_to_cpu(lh->cid);
4444 len = __le16_to_cpu(lh->len);
4446 if (len != skb->len) {
4451 BT_DBG("len %d, cid 0x%4.4x", len, cid);
4454 case L2CAP_CID_SIGNALING:
4455 l2cap_sig_channel(conn, skb);
4458 case L2CAP_CID_CONN_LESS:
4459 psm = get_unaligned_le16(skb->data);
4461 l2cap_conless_channel(conn, psm, skb);
4465 l2cap_data_channel(conn, cid, skb);
4470 /* ---- L2CAP interface with lower layer (HCI) ---- */
4472 static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
4474 int exact = 0, lm1 = 0, lm2 = 0;
4475 register struct sock *sk;
4476 struct hlist_node *node;
4478 if (type != ACL_LINK)
4481 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
4483 /* Find listening sockets and check their link_mode */
4484 read_lock(&l2cap_sk_list.lock);
4485 sk_for_each(sk, node, &l2cap_sk_list.head) {
4486 if (sk->sk_state != BT_LISTEN)
4489 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
4490 lm1 |= HCI_LM_ACCEPT;
4491 if (l2cap_pi(sk)->role_switch)
4492 lm1 |= HCI_LM_MASTER;
4494 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
4495 lm2 |= HCI_LM_ACCEPT;
4496 if (l2cap_pi(sk)->role_switch)
4497 lm2 |= HCI_LM_MASTER;
4500 read_unlock(&l2cap_sk_list.lock);
4502 return exact ? lm1 : lm2;
4505 static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
4507 struct l2cap_conn *conn;
4509 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
4511 if (hcon->type != ACL_LINK)
4515 conn = l2cap_conn_add(hcon, status);
4517 l2cap_conn_ready(conn);
4519 l2cap_conn_del(hcon, bt_err(status));
4524 static int l2cap_disconn_ind(struct hci_conn *hcon)
4526 struct l2cap_conn *conn = hcon->l2cap_data;
4528 BT_DBG("hcon %p", hcon);
4530 if (hcon->type != ACL_LINK || !conn)
4533 return conn->disc_reason;
4536 static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
4538 BT_DBG("hcon %p reason %d", hcon, reason);
4540 if (hcon->type != ACL_LINK)
4543 l2cap_conn_del(hcon, bt_err(reason));
4548 static inline void l2cap_check_encryption(struct sock *sk, u8 encrypt)
4550 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM)
4553 if (encrypt == 0x00) {
4554 if (l2cap_pi(sk)->sec_level == BT_SECURITY_MEDIUM) {
4555 l2cap_sock_clear_timer(sk);
4556 l2cap_sock_set_timer(sk, HZ * 5);
4557 } else if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
4558 __l2cap_sock_close(sk, ECONNREFUSED);
4560 if (l2cap_pi(sk)->sec_level == BT_SECURITY_MEDIUM)
4561 l2cap_sock_clear_timer(sk);
4565 static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
4567 struct l2cap_chan_list *l;
4568 struct l2cap_conn *conn = hcon->l2cap_data;
4574 l = &conn->chan_list;
4576 BT_DBG("conn %p", conn);
4578 read_lock(&l->lock);
4580 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
4583 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_CONNECT_PEND) {
4588 if (!status && (sk->sk_state == BT_CONNECTED ||
4589 sk->sk_state == BT_CONFIG)) {
4590 l2cap_check_encryption(sk, encrypt);
4595 if (sk->sk_state == BT_CONNECT) {
4597 struct l2cap_conn_req req;
4598 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
4599 req.psm = l2cap_pi(sk)->psm;
4601 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
4602 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
4604 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
4605 L2CAP_CONN_REQ, sizeof(req), &req);
4607 l2cap_sock_clear_timer(sk);
4608 l2cap_sock_set_timer(sk, HZ / 10);
4610 } else if (sk->sk_state == BT_CONNECT2) {
4611 struct l2cap_conn_rsp rsp;
4615 sk->sk_state = BT_CONFIG;
4616 result = L2CAP_CR_SUCCESS;
4618 sk->sk_state = BT_DISCONN;
4619 l2cap_sock_set_timer(sk, HZ / 10);
4620 result = L2CAP_CR_SEC_BLOCK;
4623 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
4624 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
4625 rsp.result = cpu_to_le16(result);
4626 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
4627 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
4628 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
4634 read_unlock(&l->lock);
4639 static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
4641 struct l2cap_conn *conn = hcon->l2cap_data;
4643 if (!conn && !(conn = l2cap_conn_add(hcon, 0)))
4646 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
4648 if (flags & ACL_START) {
4649 struct l2cap_hdr *hdr;
4653 BT_ERR("Unexpected start frame (len %d)", skb->len);
4654 kfree_skb(conn->rx_skb);
4655 conn->rx_skb = NULL;
4657 l2cap_conn_unreliable(conn, ECOMM);
4661 BT_ERR("Frame is too short (len %d)", skb->len);
4662 l2cap_conn_unreliable(conn, ECOMM);
4666 hdr = (struct l2cap_hdr *) skb->data;
4667 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
4669 if (len == skb->len) {
4670 /* Complete frame received */
4671 l2cap_recv_frame(conn, skb);
4675 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
4677 if (skb->len > len) {
4678 BT_ERR("Frame is too long (len %d, expected len %d)",
4680 l2cap_conn_unreliable(conn, ECOMM);
4684 /* Allocate skb for the complete frame (with header) */
4685 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
4689 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
4691 conn->rx_len = len - skb->len;
4693 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
4695 if (!conn->rx_len) {
4696 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
4697 l2cap_conn_unreliable(conn, ECOMM);
4701 if (skb->len > conn->rx_len) {
4702 BT_ERR("Fragment is too long (len %d, expected %d)",
4703 skb->len, conn->rx_len);
4704 kfree_skb(conn->rx_skb);
4705 conn->rx_skb = NULL;
4707 l2cap_conn_unreliable(conn, ECOMM);
4711 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
4713 conn->rx_len -= skb->len;
4715 if (!conn->rx_len) {
4716 /* Complete frame received */
4717 l2cap_recv_frame(conn, conn->rx_skb);
4718 conn->rx_skb = NULL;
4727 static int l2cap_debugfs_show(struct seq_file *f, void *p)
4730 struct hlist_node *node;
4732 read_lock_bh(&l2cap_sk_list.lock);
4734 sk_for_each(sk, node, &l2cap_sk_list.head) {
4735 struct l2cap_pinfo *pi = l2cap_pi(sk);
4737 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d\n",
4738 batostr(&bt_sk(sk)->src),
4739 batostr(&bt_sk(sk)->dst),
4740 sk->sk_state, __le16_to_cpu(pi->psm),
4742 pi->imtu, pi->omtu, pi->sec_level);
4745 read_unlock_bh(&l2cap_sk_list.lock);
4750 static int l2cap_debugfs_open(struct inode *inode, struct file *file)
4752 return single_open(file, l2cap_debugfs_show, inode->i_private);
4755 static const struct file_operations l2cap_debugfs_fops = {
4756 .open = l2cap_debugfs_open,
4758 .llseek = seq_lseek,
4759 .release = single_release,
4762 static struct dentry *l2cap_debugfs;
4764 static const struct proto_ops l2cap_sock_ops = {
4765 .family = PF_BLUETOOTH,
4766 .owner = THIS_MODULE,
4767 .release = l2cap_sock_release,
4768 .bind = l2cap_sock_bind,
4769 .connect = l2cap_sock_connect,
4770 .listen = l2cap_sock_listen,
4771 .accept = l2cap_sock_accept,
4772 .getname = l2cap_sock_getname,
4773 .sendmsg = l2cap_sock_sendmsg,
4774 .recvmsg = l2cap_sock_recvmsg,
4775 .poll = bt_sock_poll,
4776 .ioctl = bt_sock_ioctl,
4777 .mmap = sock_no_mmap,
4778 .socketpair = sock_no_socketpair,
4779 .shutdown = l2cap_sock_shutdown,
4780 .setsockopt = l2cap_sock_setsockopt,
4781 .getsockopt = l2cap_sock_getsockopt
4784 static const struct net_proto_family l2cap_sock_family_ops = {
4785 .family = PF_BLUETOOTH,
4786 .owner = THIS_MODULE,
4787 .create = l2cap_sock_create,
4790 static struct hci_proto l2cap_hci_proto = {
4792 .id = HCI_PROTO_L2CAP,
4793 .connect_ind = l2cap_connect_ind,
4794 .connect_cfm = l2cap_connect_cfm,
4795 .disconn_ind = l2cap_disconn_ind,
4796 .disconn_cfm = l2cap_disconn_cfm,
4797 .security_cfm = l2cap_security_cfm,
4798 .recv_acldata = l2cap_recv_acldata
4801 static int __init l2cap_init(void)
4805 err = proto_register(&l2cap_proto, 0);
4809 _busy_wq = create_singlethread_workqueue("l2cap");
4813 err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
4815 BT_ERR("L2CAP socket registration failed");
4819 err = hci_register_proto(&l2cap_hci_proto);
4821 BT_ERR("L2CAP protocol registration failed");
4822 bt_sock_unregister(BTPROTO_L2CAP);
4827 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
4828 bt_debugfs, NULL, &l2cap_debugfs_fops);
4830 BT_ERR("Failed to create L2CAP debug file");
4833 BT_INFO("L2CAP ver %s", VERSION);
4834 BT_INFO("L2CAP socket layer initialized");
4839 proto_unregister(&l2cap_proto);
4843 static void __exit l2cap_exit(void)
4845 debugfs_remove(l2cap_debugfs);
4847 flush_workqueue(_busy_wq);
4848 destroy_workqueue(_busy_wq);
4850 if (bt_sock_unregister(BTPROTO_L2CAP) < 0)
4851 BT_ERR("L2CAP socket unregistration failed");
4853 if (hci_unregister_proto(&l2cap_hci_proto) < 0)
4854 BT_ERR("L2CAP protocol unregistration failed");
4856 proto_unregister(&l2cap_proto);
4859 void l2cap_load(void)
4861 /* Dummy function to trigger automatic L2CAP module loading by
4862 * other modules that use L2CAP sockets but don't use any other
4863 * symbols from it. */
4865 EXPORT_SYMBOL(l2cap_load);
4867 module_init(l2cap_init);
4868 module_exit(l2cap_exit);
4870 module_param(disable_ertm, bool, 0644);
4871 MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
4873 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
4874 MODULE_DESCRIPTION("Bluetooth L2CAP ver " VERSION);
4875 MODULE_VERSION(VERSION);
4876 MODULE_LICENSE("GPL");
4877 MODULE_ALIAS("bt-proto-0");
git.openpandora.org / pandora-kernel.git / blob