2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License version 2 as
9 published by the Free Software Foundation;
11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22 SOFTWARE IS DISCLAIMED.
25 /* Bluetooth L2CAP core and sockets. */
27 #include <linux/module.h>
29 #include <linux/types.h>
30 #include <linux/capability.h>
31 #include <linux/errno.h>
32 #include <linux/kernel.h>
33 #include <linux/sched.h>
34 #include <linux/slab.h>
35 #include <linux/poll.h>
36 #include <linux/fcntl.h>
37 #include <linux/init.h>
38 #include <linux/interrupt.h>
39 #include <linux/socket.h>
40 #include <linux/skbuff.h>
41 #include <linux/list.h>
42 #include <linux/device.h>
43 #include <linux/uaccess.h>
44 #include <linux/crc16.h>
47 #include <asm/system.h>
48 #include <asm/unaligned.h>
50 #include <net/bluetooth/bluetooth.h>
51 #include <net/bluetooth/hci_core.h>
52 #include <net/bluetooth/l2cap.h>
54 #define VERSION "2.14"
56 static int enable_ertm = 0;
58 static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
59 static u8 l2cap_fixed_chan[8] = { 0x02, };
61 static const struct proto_ops l2cap_sock_ops;
63 static struct bt_sock_list l2cap_sk_list = {
64 .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
67 static void __l2cap_sock_close(struct sock *sk, int reason);
68 static void l2cap_sock_close(struct sock *sk);
69 static void l2cap_sock_kill(struct sock *sk);
71 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
72 u8 code, u8 ident, u16 dlen, void *data);
74 /* ---- L2CAP timers ---- */
75 static void l2cap_sock_timeout(unsigned long arg)
77 struct sock *sk = (struct sock *) arg;
80 BT_DBG("sock %p state %d", sk, sk->sk_state);
84 if (sk->sk_state == BT_CONNECTED || sk->sk_state == BT_CONFIG)
85 reason = ECONNREFUSED;
86 else if (sk->sk_state == BT_CONNECT &&
87 l2cap_pi(sk)->sec_level != BT_SECURITY_SDP)
88 reason = ECONNREFUSED;
92 __l2cap_sock_close(sk, reason);
100 static void l2cap_sock_set_timer(struct sock *sk, long timeout)
102 BT_DBG("sk %p state %d timeout %ld", sk, sk->sk_state, timeout);
103 sk_reset_timer(sk, &sk->sk_timer, jiffies + timeout);
106 static void l2cap_sock_clear_timer(struct sock *sk)
108 BT_DBG("sock %p state %d", sk, sk->sk_state);
109 sk_stop_timer(sk, &sk->sk_timer);
112 /* ---- L2CAP channels ---- */
113 static struct sock *__l2cap_get_chan_by_dcid(struct l2cap_chan_list *l, u16 cid)
116 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
117 if (l2cap_pi(s)->dcid == cid)
123 static struct sock *__l2cap_get_chan_by_scid(struct l2cap_chan_list *l, u16 cid)
126 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
127 if (l2cap_pi(s)->scid == cid)
133 /* Find channel with given SCID.
134 * Returns locked socket */
135 static inline struct sock *l2cap_get_chan_by_scid(struct l2cap_chan_list *l, u16 cid)
139 s = __l2cap_get_chan_by_scid(l, cid);
142 read_unlock(&l->lock);
146 static struct sock *__l2cap_get_chan_by_ident(struct l2cap_chan_list *l, u8 ident)
149 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
150 if (l2cap_pi(s)->ident == ident)
156 static inline struct sock *l2cap_get_chan_by_ident(struct l2cap_chan_list *l, u8 ident)
160 s = __l2cap_get_chan_by_ident(l, ident);
163 read_unlock(&l->lock);
167 static u16 l2cap_alloc_cid(struct l2cap_chan_list *l)
169 u16 cid = L2CAP_CID_DYN_START;
171 for (; cid < L2CAP_CID_DYN_END; cid++) {
172 if (!__l2cap_get_chan_by_scid(l, cid))
179 static inline void __l2cap_chan_link(struct l2cap_chan_list *l, struct sock *sk)
184 l2cap_pi(l->head)->prev_c = sk;
186 l2cap_pi(sk)->next_c = l->head;
187 l2cap_pi(sk)->prev_c = NULL;
191 static inline void l2cap_chan_unlink(struct l2cap_chan_list *l, struct sock *sk)
193 struct sock *next = l2cap_pi(sk)->next_c, *prev = l2cap_pi(sk)->prev_c;
195 write_lock_bh(&l->lock);
200 l2cap_pi(next)->prev_c = prev;
202 l2cap_pi(prev)->next_c = next;
203 write_unlock_bh(&l->lock);
208 static void __l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent)
210 struct l2cap_chan_list *l = &conn->chan_list;
212 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
213 l2cap_pi(sk)->psm, l2cap_pi(sk)->dcid);
215 conn->disc_reason = 0x13;
217 l2cap_pi(sk)->conn = conn;
219 if (sk->sk_type == SOCK_SEQPACKET) {
220 /* Alloc CID for connection-oriented socket */
221 l2cap_pi(sk)->scid = l2cap_alloc_cid(l);
222 } else if (sk->sk_type == SOCK_DGRAM) {
223 /* Connectionless socket */
224 l2cap_pi(sk)->scid = L2CAP_CID_CONN_LESS;
225 l2cap_pi(sk)->dcid = L2CAP_CID_CONN_LESS;
226 l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU;
228 /* Raw socket can send/recv signalling messages only */
229 l2cap_pi(sk)->scid = L2CAP_CID_SIGNALING;
230 l2cap_pi(sk)->dcid = L2CAP_CID_SIGNALING;
231 l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU;
234 __l2cap_chan_link(l, sk);
237 bt_accept_enqueue(parent, sk);
241 * Must be called on the locked socket. */
242 static void l2cap_chan_del(struct sock *sk, int err)
244 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
245 struct sock *parent = bt_sk(sk)->parent;
247 l2cap_sock_clear_timer(sk);
249 BT_DBG("sk %p, conn %p, err %d", sk, conn, err);
252 /* Unlink from channel list */
253 l2cap_chan_unlink(&conn->chan_list, sk);
254 l2cap_pi(sk)->conn = NULL;
255 hci_conn_put(conn->hcon);
258 sk->sk_state = BT_CLOSED;
259 sock_set_flag(sk, SOCK_ZAPPED);
265 bt_accept_unlink(sk);
266 parent->sk_data_ready(parent, 0);
268 sk->sk_state_change(sk);
271 /* Service level security */
272 static inline int l2cap_check_security(struct sock *sk)
274 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
277 if (l2cap_pi(sk)->psm == cpu_to_le16(0x0001)) {
278 if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
279 auth_type = HCI_AT_NO_BONDING_MITM;
281 auth_type = HCI_AT_NO_BONDING;
283 if (l2cap_pi(sk)->sec_level == BT_SECURITY_LOW)
284 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
286 switch (l2cap_pi(sk)->sec_level) {
287 case BT_SECURITY_HIGH:
288 auth_type = HCI_AT_GENERAL_BONDING_MITM;
290 case BT_SECURITY_MEDIUM:
291 auth_type = HCI_AT_GENERAL_BONDING;
294 auth_type = HCI_AT_NO_BONDING;
299 return hci_conn_security(conn->hcon, l2cap_pi(sk)->sec_level,
303 static inline u8 l2cap_get_ident(struct l2cap_conn *conn)
307 /* Get next available identificator.
308 * 1 - 128 are used by kernel.
309 * 129 - 199 are reserved.
310 * 200 - 254 are used by utilities like l2ping, etc.
313 spin_lock_bh(&conn->lock);
315 if (++conn->tx_ident > 128)
320 spin_unlock_bh(&conn->lock);
325 static inline int l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
327 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
329 BT_DBG("code 0x%2.2x", code);
334 return hci_send_acl(conn->hcon, skb, 0);
337 static inline int l2cap_send_sframe(struct l2cap_pinfo *pi, u16 control)
340 struct l2cap_hdr *lh;
341 struct l2cap_conn *conn = pi->conn;
342 int count, hlen = L2CAP_HDR_SIZE + 2;
344 if (pi->fcs == L2CAP_FCS_CRC16)
347 BT_DBG("pi %p, control 0x%2.2x", pi, control);
349 count = min_t(unsigned int, conn->mtu, hlen);
350 control |= L2CAP_CTRL_FRAME_TYPE;
352 skb = bt_skb_alloc(count, GFP_ATOMIC);
356 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
357 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
358 lh->cid = cpu_to_le16(pi->dcid);
359 put_unaligned_le16(control, skb_put(skb, 2));
361 if (pi->fcs == L2CAP_FCS_CRC16) {
362 u16 fcs = crc16(0, (u8 *)lh, count - 2);
363 put_unaligned_le16(fcs, skb_put(skb, 2));
366 return hci_send_acl(pi->conn->hcon, skb, 0);
369 static inline int l2cap_send_rr_or_rnr(struct l2cap_pinfo *pi, u16 control)
371 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY)
372 control |= L2CAP_SUPER_RCV_NOT_READY;
374 control |= L2CAP_SUPER_RCV_READY;
376 return l2cap_send_sframe(pi, control);
379 static void l2cap_do_start(struct sock *sk)
381 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
383 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
384 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
387 if (l2cap_check_security(sk)) {
388 struct l2cap_conn_req req;
389 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
390 req.psm = l2cap_pi(sk)->psm;
392 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
394 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
395 L2CAP_CONN_REQ, sizeof(req), &req);
398 struct l2cap_info_req req;
399 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
401 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
402 conn->info_ident = l2cap_get_ident(conn);
404 mod_timer(&conn->info_timer, jiffies +
405 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
407 l2cap_send_cmd(conn, conn->info_ident,
408 L2CAP_INFO_REQ, sizeof(req), &req);
412 static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct sock *sk)
414 struct l2cap_disconn_req req;
416 req.dcid = cpu_to_le16(l2cap_pi(sk)->dcid);
417 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
418 l2cap_send_cmd(conn, l2cap_get_ident(conn),
419 L2CAP_DISCONN_REQ, sizeof(req), &req);
422 /* ---- L2CAP connections ---- */
423 static void l2cap_conn_start(struct l2cap_conn *conn)
425 struct l2cap_chan_list *l = &conn->chan_list;
428 BT_DBG("conn %p", conn);
432 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
435 if (sk->sk_type != SOCK_SEQPACKET) {
440 if (sk->sk_state == BT_CONNECT) {
441 if (l2cap_check_security(sk)) {
442 struct l2cap_conn_req req;
443 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
444 req.psm = l2cap_pi(sk)->psm;
446 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
448 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
449 L2CAP_CONN_REQ, sizeof(req), &req);
451 } else if (sk->sk_state == BT_CONNECT2) {
452 struct l2cap_conn_rsp rsp;
453 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
454 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
456 if (l2cap_check_security(sk)) {
457 if (bt_sk(sk)->defer_setup) {
458 struct sock *parent = bt_sk(sk)->parent;
459 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
460 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
461 parent->sk_data_ready(parent, 0);
464 sk->sk_state = BT_CONFIG;
465 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
466 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
469 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
470 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
473 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
474 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
480 read_unlock(&l->lock);
483 static void l2cap_conn_ready(struct l2cap_conn *conn)
485 struct l2cap_chan_list *l = &conn->chan_list;
488 BT_DBG("conn %p", conn);
492 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
495 if (sk->sk_type != SOCK_SEQPACKET) {
496 l2cap_sock_clear_timer(sk);
497 sk->sk_state = BT_CONNECTED;
498 sk->sk_state_change(sk);
499 } else if (sk->sk_state == BT_CONNECT)
505 read_unlock(&l->lock);
508 /* Notify sockets that we cannot guaranty reliability anymore */
509 static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
511 struct l2cap_chan_list *l = &conn->chan_list;
514 BT_DBG("conn %p", conn);
518 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
519 if (l2cap_pi(sk)->force_reliable)
523 read_unlock(&l->lock);
526 static void l2cap_info_timeout(unsigned long arg)
528 struct l2cap_conn *conn = (void *) arg;
530 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
531 conn->info_ident = 0;
533 l2cap_conn_start(conn);
536 static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
538 struct l2cap_conn *conn = hcon->l2cap_data;
543 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
547 hcon->l2cap_data = conn;
550 BT_DBG("hcon %p conn %p", hcon, conn);
552 conn->mtu = hcon->hdev->acl_mtu;
553 conn->src = &hcon->hdev->bdaddr;
554 conn->dst = &hcon->dst;
558 spin_lock_init(&conn->lock);
559 rwlock_init(&conn->chan_list.lock);
561 setup_timer(&conn->info_timer, l2cap_info_timeout,
562 (unsigned long) conn);
564 conn->disc_reason = 0x13;
569 static void l2cap_conn_del(struct hci_conn *hcon, int err)
571 struct l2cap_conn *conn = hcon->l2cap_data;
577 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
579 kfree_skb(conn->rx_skb);
582 while ((sk = conn->chan_list.head)) {
584 l2cap_chan_del(sk, err);
589 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
590 del_timer_sync(&conn->info_timer);
592 hcon->l2cap_data = NULL;
596 static inline void l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent)
598 struct l2cap_chan_list *l = &conn->chan_list;
599 write_lock_bh(&l->lock);
600 __l2cap_chan_add(conn, sk, parent);
601 write_unlock_bh(&l->lock);
604 /* ---- Socket interface ---- */
605 static struct sock *__l2cap_get_sock_by_addr(__le16 psm, bdaddr_t *src)
608 struct hlist_node *node;
609 sk_for_each(sk, node, &l2cap_sk_list.head)
610 if (l2cap_pi(sk)->sport == psm && !bacmp(&bt_sk(sk)->src, src))
617 /* Find socket with psm and source bdaddr.
618 * Returns closest match.
620 static struct sock *__l2cap_get_sock_by_psm(int state, __le16 psm, bdaddr_t *src)
622 struct sock *sk = NULL, *sk1 = NULL;
623 struct hlist_node *node;
625 sk_for_each(sk, node, &l2cap_sk_list.head) {
626 if (state && sk->sk_state != state)
629 if (l2cap_pi(sk)->psm == psm) {
631 if (!bacmp(&bt_sk(sk)->src, src))
635 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
639 return node ? sk : sk1;
642 /* Find socket with given address (psm, src).
643 * Returns locked socket */
644 static inline struct sock *l2cap_get_sock_by_psm(int state, __le16 psm, bdaddr_t *src)
647 read_lock(&l2cap_sk_list.lock);
648 s = __l2cap_get_sock_by_psm(state, psm, src);
651 read_unlock(&l2cap_sk_list.lock);
655 static void l2cap_sock_destruct(struct sock *sk)
659 skb_queue_purge(&sk->sk_receive_queue);
660 skb_queue_purge(&sk->sk_write_queue);
663 static void l2cap_sock_cleanup_listen(struct sock *parent)
667 BT_DBG("parent %p", parent);
669 /* Close not yet accepted channels */
670 while ((sk = bt_accept_dequeue(parent, NULL)))
671 l2cap_sock_close(sk);
673 parent->sk_state = BT_CLOSED;
674 sock_set_flag(parent, SOCK_ZAPPED);
677 /* Kill socket (only if zapped and orphan)
678 * Must be called on unlocked socket.
680 static void l2cap_sock_kill(struct sock *sk)
682 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
685 BT_DBG("sk %p state %d", sk, sk->sk_state);
687 /* Kill poor orphan */
688 bt_sock_unlink(&l2cap_sk_list, sk);
689 sock_set_flag(sk, SOCK_DEAD);
693 static void __l2cap_sock_close(struct sock *sk, int reason)
695 BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
697 switch (sk->sk_state) {
699 l2cap_sock_cleanup_listen(sk);
704 if (sk->sk_type == SOCK_SEQPACKET) {
705 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
707 sk->sk_state = BT_DISCONN;
708 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
709 l2cap_send_disconn_req(conn, sk);
711 l2cap_chan_del(sk, reason);
715 if (sk->sk_type == SOCK_SEQPACKET) {
716 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
717 struct l2cap_conn_rsp rsp;
720 if (bt_sk(sk)->defer_setup)
721 result = L2CAP_CR_SEC_BLOCK;
723 result = L2CAP_CR_BAD_PSM;
725 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
726 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
727 rsp.result = cpu_to_le16(result);
728 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
729 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
730 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
732 l2cap_chan_del(sk, reason);
737 l2cap_chan_del(sk, reason);
741 sock_set_flag(sk, SOCK_ZAPPED);
746 /* Must be called on unlocked socket. */
747 static void l2cap_sock_close(struct sock *sk)
749 l2cap_sock_clear_timer(sk);
751 __l2cap_sock_close(sk, ECONNRESET);
756 static void l2cap_sock_init(struct sock *sk, struct sock *parent)
758 struct l2cap_pinfo *pi = l2cap_pi(sk);
763 sk->sk_type = parent->sk_type;
764 bt_sk(sk)->defer_setup = bt_sk(parent)->defer_setup;
766 pi->imtu = l2cap_pi(parent)->imtu;
767 pi->omtu = l2cap_pi(parent)->omtu;
768 pi->mode = l2cap_pi(parent)->mode;
769 pi->fcs = l2cap_pi(parent)->fcs;
770 pi->sec_level = l2cap_pi(parent)->sec_level;
771 pi->role_switch = l2cap_pi(parent)->role_switch;
772 pi->force_reliable = l2cap_pi(parent)->force_reliable;
774 pi->imtu = L2CAP_DEFAULT_MTU;
776 pi->mode = L2CAP_MODE_BASIC;
777 pi->fcs = L2CAP_FCS_CRC16;
778 pi->sec_level = BT_SECURITY_LOW;
780 pi->force_reliable = 0;
783 /* Default config options */
785 pi->flush_to = L2CAP_DEFAULT_FLUSH_TO;
786 skb_queue_head_init(TX_QUEUE(sk));
787 skb_queue_head_init(SREJ_QUEUE(sk));
788 INIT_LIST_HEAD(SREJ_LIST(sk));
791 static struct proto l2cap_proto = {
793 .owner = THIS_MODULE,
794 .obj_size = sizeof(struct l2cap_pinfo)
797 static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio)
801 sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto);
805 sock_init_data(sock, sk);
806 INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
808 sk->sk_destruct = l2cap_sock_destruct;
809 sk->sk_sndtimeo = msecs_to_jiffies(L2CAP_CONN_TIMEOUT);
811 sock_reset_flag(sk, SOCK_ZAPPED);
813 sk->sk_protocol = proto;
814 sk->sk_state = BT_OPEN;
816 setup_timer(&sk->sk_timer, l2cap_sock_timeout, (unsigned long) sk);
818 bt_sock_link(&l2cap_sk_list, sk);
822 static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol)
826 BT_DBG("sock %p", sock);
828 sock->state = SS_UNCONNECTED;
830 if (sock->type != SOCK_SEQPACKET &&
831 sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
832 return -ESOCKTNOSUPPORT;
834 if (sock->type == SOCK_RAW && !capable(CAP_NET_RAW))
837 sock->ops = &l2cap_sock_ops;
839 sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC);
843 l2cap_sock_init(sk, NULL);
847 static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
849 struct sock *sk = sock->sk;
850 struct sockaddr_l2 la;
855 if (!addr || addr->sa_family != AF_BLUETOOTH)
858 memset(&la, 0, sizeof(la));
859 len = min_t(unsigned int, sizeof(la), alen);
860 memcpy(&la, addr, len);
867 if (sk->sk_state != BT_OPEN) {
872 if (la.l2_psm && __le16_to_cpu(la.l2_psm) < 0x1001 &&
873 !capable(CAP_NET_BIND_SERVICE)) {
878 write_lock_bh(&l2cap_sk_list.lock);
880 if (la.l2_psm && __l2cap_get_sock_by_addr(la.l2_psm, &la.l2_bdaddr)) {
883 /* Save source address */
884 bacpy(&bt_sk(sk)->src, &la.l2_bdaddr);
885 l2cap_pi(sk)->psm = la.l2_psm;
886 l2cap_pi(sk)->sport = la.l2_psm;
887 sk->sk_state = BT_BOUND;
889 if (__le16_to_cpu(la.l2_psm) == 0x0001 ||
890 __le16_to_cpu(la.l2_psm) == 0x0003)
891 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
894 write_unlock_bh(&l2cap_sk_list.lock);
901 static int l2cap_do_connect(struct sock *sk)
903 bdaddr_t *src = &bt_sk(sk)->src;
904 bdaddr_t *dst = &bt_sk(sk)->dst;
905 struct l2cap_conn *conn;
906 struct hci_conn *hcon;
907 struct hci_dev *hdev;
911 BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
914 hdev = hci_get_route(dst, src);
916 return -EHOSTUNREACH;
918 hci_dev_lock_bh(hdev);
922 if (sk->sk_type == SOCK_RAW) {
923 switch (l2cap_pi(sk)->sec_level) {
924 case BT_SECURITY_HIGH:
925 auth_type = HCI_AT_DEDICATED_BONDING_MITM;
927 case BT_SECURITY_MEDIUM:
928 auth_type = HCI_AT_DEDICATED_BONDING;
931 auth_type = HCI_AT_NO_BONDING;
934 } else if (l2cap_pi(sk)->psm == cpu_to_le16(0x0001)) {
935 if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
936 auth_type = HCI_AT_NO_BONDING_MITM;
938 auth_type = HCI_AT_NO_BONDING;
940 if (l2cap_pi(sk)->sec_level == BT_SECURITY_LOW)
941 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
943 switch (l2cap_pi(sk)->sec_level) {
944 case BT_SECURITY_HIGH:
945 auth_type = HCI_AT_GENERAL_BONDING_MITM;
947 case BT_SECURITY_MEDIUM:
948 auth_type = HCI_AT_GENERAL_BONDING;
951 auth_type = HCI_AT_NO_BONDING;
956 hcon = hci_connect(hdev, ACL_LINK, dst,
957 l2cap_pi(sk)->sec_level, auth_type);
961 conn = l2cap_conn_add(hcon, 0);
969 /* Update source addr of the socket */
970 bacpy(src, conn->src);
972 l2cap_chan_add(conn, sk, NULL);
974 sk->sk_state = BT_CONNECT;
975 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
977 if (hcon->state == BT_CONNECTED) {
978 if (sk->sk_type != SOCK_SEQPACKET) {
979 l2cap_sock_clear_timer(sk);
980 sk->sk_state = BT_CONNECTED;
986 hci_dev_unlock_bh(hdev);
991 static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags)
993 struct sock *sk = sock->sk;
994 struct sockaddr_l2 la;
999 if (!addr || addr->sa_family != AF_BLUETOOTH)
1002 memset(&la, 0, sizeof(la));
1003 len = min_t(unsigned int, sizeof(la), alen);
1004 memcpy(&la, addr, len);
1011 if (sk->sk_type == SOCK_SEQPACKET && !la.l2_psm) {
1016 switch (l2cap_pi(sk)->mode) {
1017 case L2CAP_MODE_BASIC:
1019 case L2CAP_MODE_ERTM:
1020 case L2CAP_MODE_STREAMING:
1029 switch (sk->sk_state) {
1033 /* Already connecting */
1037 /* Already connected */
1050 /* Set destination address and psm */
1051 bacpy(&bt_sk(sk)->dst, &la.l2_bdaddr);
1052 l2cap_pi(sk)->psm = la.l2_psm;
1054 err = l2cap_do_connect(sk);
1059 err = bt_sock_wait_state(sk, BT_CONNECTED,
1060 sock_sndtimeo(sk, flags & O_NONBLOCK));
1066 static int l2cap_sock_listen(struct socket *sock, int backlog)
1068 struct sock *sk = sock->sk;
1071 BT_DBG("sk %p backlog %d", sk, backlog);
1075 if (sk->sk_state != BT_BOUND || sock->type != SOCK_SEQPACKET) {
1080 switch (l2cap_pi(sk)->mode) {
1081 case L2CAP_MODE_BASIC:
1083 case L2CAP_MODE_ERTM:
1084 case L2CAP_MODE_STREAMING:
1093 if (!l2cap_pi(sk)->psm) {
1094 bdaddr_t *src = &bt_sk(sk)->src;
1099 write_lock_bh(&l2cap_sk_list.lock);
1101 for (psm = 0x1001; psm < 0x1100; psm += 2)
1102 if (!__l2cap_get_sock_by_addr(cpu_to_le16(psm), src)) {
1103 l2cap_pi(sk)->psm = cpu_to_le16(psm);
1104 l2cap_pi(sk)->sport = cpu_to_le16(psm);
1109 write_unlock_bh(&l2cap_sk_list.lock);
1115 sk->sk_max_ack_backlog = backlog;
1116 sk->sk_ack_backlog = 0;
1117 sk->sk_state = BT_LISTEN;
1124 static int l2cap_sock_accept(struct socket *sock, struct socket *newsock, int flags)
1126 DECLARE_WAITQUEUE(wait, current);
1127 struct sock *sk = sock->sk, *nsk;
1131 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
1133 if (sk->sk_state != BT_LISTEN) {
1138 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
1140 BT_DBG("sk %p timeo %ld", sk, timeo);
1142 /* Wait for an incoming connection. (wake-one). */
1143 add_wait_queue_exclusive(sk->sk_sleep, &wait);
1144 while (!(nsk = bt_accept_dequeue(sk, newsock))) {
1145 set_current_state(TASK_INTERRUPTIBLE);
1152 timeo = schedule_timeout(timeo);
1153 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
1155 if (sk->sk_state != BT_LISTEN) {
1160 if (signal_pending(current)) {
1161 err = sock_intr_errno(timeo);
1165 set_current_state(TASK_RUNNING);
1166 remove_wait_queue(sk->sk_sleep, &wait);
1171 newsock->state = SS_CONNECTED;
1173 BT_DBG("new socket %p", nsk);
1180 static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr, int *len, int peer)
1182 struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
1183 struct sock *sk = sock->sk;
1185 BT_DBG("sock %p, sk %p", sock, sk);
1187 addr->sa_family = AF_BLUETOOTH;
1188 *len = sizeof(struct sockaddr_l2);
1191 la->l2_psm = l2cap_pi(sk)->psm;
1192 bacpy(&la->l2_bdaddr, &bt_sk(sk)->dst);
1193 la->l2_cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1195 la->l2_psm = l2cap_pi(sk)->sport;
1196 bacpy(&la->l2_bdaddr, &bt_sk(sk)->src);
1197 la->l2_cid = cpu_to_le16(l2cap_pi(sk)->scid);
1203 static void l2cap_monitor_timeout(unsigned long arg)
1205 struct sock *sk = (void *) arg;
1209 if (l2cap_pi(sk)->retry_count >= l2cap_pi(sk)->remote_max_tx) {
1210 l2cap_send_disconn_req(l2cap_pi(sk)->conn, sk);
1214 l2cap_pi(sk)->retry_count++;
1215 __mod_monitor_timer();
1217 control = L2CAP_CTRL_POLL;
1218 l2cap_send_rr_or_rnr(l2cap_pi(sk), control);
1222 static void l2cap_retrans_timeout(unsigned long arg)
1224 struct sock *sk = (void *) arg;
1228 l2cap_pi(sk)->retry_count = 1;
1229 __mod_monitor_timer();
1231 l2cap_pi(sk)->conn_state |= L2CAP_CONN_WAIT_F;
1233 control = L2CAP_CTRL_POLL;
1234 l2cap_send_rr_or_rnr(l2cap_pi(sk), control);
1238 static void l2cap_drop_acked_frames(struct sock *sk)
1240 struct sk_buff *skb;
1242 while ((skb = skb_peek(TX_QUEUE(sk)))) {
1243 if (bt_cb(skb)->tx_seq == l2cap_pi(sk)->expected_ack_seq)
1246 skb = skb_dequeue(TX_QUEUE(sk));
1249 l2cap_pi(sk)->unacked_frames--;
1252 if (!l2cap_pi(sk)->unacked_frames)
1253 del_timer(&l2cap_pi(sk)->retrans_timer);
1258 static inline int l2cap_do_send(struct sock *sk, struct sk_buff *skb)
1260 struct l2cap_pinfo *pi = l2cap_pi(sk);
1263 BT_DBG("sk %p, skb %p len %d", sk, skb, skb->len);
1265 err = hci_send_acl(pi->conn->hcon, skb, 0);
1272 static int l2cap_streaming_send(struct sock *sk)
1274 struct sk_buff *skb, *tx_skb;
1275 struct l2cap_pinfo *pi = l2cap_pi(sk);
1279 while ((skb = sk->sk_send_head)) {
1280 tx_skb = skb_clone(skb, GFP_ATOMIC);
1282 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
1283 control |= pi->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT;
1284 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1286 if (l2cap_pi(sk)->fcs == L2CAP_FCS_CRC16) {
1287 fcs = crc16(0, (u8 *)tx_skb->data, tx_skb->len - 2);
1288 put_unaligned_le16(fcs, tx_skb->data + tx_skb->len - 2);
1291 err = l2cap_do_send(sk, tx_skb);
1293 l2cap_send_disconn_req(pi->conn, sk);
1297 pi->next_tx_seq = (pi->next_tx_seq + 1) % 64;
1299 if (skb_queue_is_last(TX_QUEUE(sk), skb))
1300 sk->sk_send_head = NULL;
1302 sk->sk_send_head = skb_queue_next(TX_QUEUE(sk), skb);
1304 skb = skb_dequeue(TX_QUEUE(sk));
1310 static int l2cap_retransmit_frame(struct sock *sk, u8 tx_seq)
1312 struct l2cap_pinfo *pi = l2cap_pi(sk);
1313 struct sk_buff *skb, *tx_skb;
1317 skb = skb_peek(TX_QUEUE(sk));
1319 if (bt_cb(skb)->tx_seq != tx_seq) {
1320 if (skb_queue_is_last(TX_QUEUE(sk), skb))
1322 skb = skb_queue_next(TX_QUEUE(sk), skb);
1326 if (pi->remote_max_tx &&
1327 bt_cb(skb)->retries == pi->remote_max_tx) {
1328 l2cap_send_disconn_req(pi->conn, sk);
1332 tx_skb = skb_clone(skb, GFP_ATOMIC);
1333 bt_cb(skb)->retries++;
1334 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
1335 control |= (pi->req_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1336 | (tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
1337 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1339 if (l2cap_pi(sk)->fcs == L2CAP_FCS_CRC16) {
1340 fcs = crc16(0, (u8 *)tx_skb->data, tx_skb->len - 2);
1341 put_unaligned_le16(fcs, tx_skb->data + tx_skb->len - 2);
1344 err = l2cap_do_send(sk, tx_skb);
1346 l2cap_send_disconn_req(pi->conn, sk);
1354 static int l2cap_ertm_send(struct sock *sk)
1356 struct sk_buff *skb, *tx_skb;
1357 struct l2cap_pinfo *pi = l2cap_pi(sk);
1361 if (pi->conn_state & L2CAP_CONN_WAIT_F)
1364 while ((skb = sk->sk_send_head) && (!l2cap_tx_window_full(sk))
1365 && !(pi->conn_state & L2CAP_CONN_REMOTE_BUSY)) {
1366 tx_skb = skb_clone(skb, GFP_ATOMIC);
1368 if (pi->remote_max_tx &&
1369 bt_cb(skb)->retries == pi->remote_max_tx) {
1370 l2cap_send_disconn_req(pi->conn, sk);
1374 bt_cb(skb)->retries++;
1376 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
1377 control |= (pi->req_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1378 | (pi->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
1379 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1382 if (l2cap_pi(sk)->fcs == L2CAP_FCS_CRC16) {
1383 fcs = crc16(0, (u8 *)skb->data, tx_skb->len - 2);
1384 put_unaligned_le16(fcs, skb->data + tx_skb->len - 2);
1387 err = l2cap_do_send(sk, tx_skb);
1389 l2cap_send_disconn_req(pi->conn, sk);
1392 __mod_retrans_timer();
1394 bt_cb(skb)->tx_seq = pi->next_tx_seq;
1395 pi->next_tx_seq = (pi->next_tx_seq + 1) % 64;
1397 pi->unacked_frames++;
1399 if (skb_queue_is_last(TX_QUEUE(sk), skb))
1400 sk->sk_send_head = NULL;
1402 sk->sk_send_head = skb_queue_next(TX_QUEUE(sk), skb);
1408 static inline int l2cap_skbuff_fromiovec(struct sock *sk, struct msghdr *msg, int len, int count, struct sk_buff *skb)
1410 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1411 struct sk_buff **frag;
1414 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count)) {
1421 /* Continuation fragments (no L2CAP header) */
1422 frag = &skb_shinfo(skb)->frag_list;
1424 count = min_t(unsigned int, conn->mtu, len);
1426 *frag = bt_skb_send_alloc(sk, count, msg->msg_flags & MSG_DONTWAIT, &err);
1429 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1435 frag = &(*frag)->next;
1441 static struct sk_buff *l2cap_create_connless_pdu(struct sock *sk, struct msghdr *msg, size_t len)
1443 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1444 struct sk_buff *skb;
1445 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1446 struct l2cap_hdr *lh;
1448 BT_DBG("sk %p len %d", sk, (int)len);
1450 count = min_t(unsigned int, (conn->mtu - hlen), len);
1451 skb = bt_skb_send_alloc(sk, count + hlen,
1452 msg->msg_flags & MSG_DONTWAIT, &err);
1454 return ERR_PTR(-ENOMEM);
1456 /* Create L2CAP header */
1457 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1458 lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1459 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1460 put_unaligned_le16(l2cap_pi(sk)->psm, skb_put(skb, 2));
1462 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1463 if (unlikely(err < 0)) {
1465 return ERR_PTR(err);
1470 static struct sk_buff *l2cap_create_basic_pdu(struct sock *sk, struct msghdr *msg, size_t len)
1472 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1473 struct sk_buff *skb;
1474 int err, count, hlen = L2CAP_HDR_SIZE;
1475 struct l2cap_hdr *lh;
1477 BT_DBG("sk %p len %d", sk, (int)len);
1479 count = min_t(unsigned int, (conn->mtu - hlen), len);
1480 skb = bt_skb_send_alloc(sk, count + hlen,
1481 msg->msg_flags & MSG_DONTWAIT, &err);
1483 return ERR_PTR(-ENOMEM);
1485 /* Create L2CAP header */
1486 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1487 lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1488 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1490 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1491 if (unlikely(err < 0)) {
1493 return ERR_PTR(err);
1498 static struct sk_buff *l2cap_create_iframe_pdu(struct sock *sk, struct msghdr *msg, size_t len, u16 control, u16 sdulen)
1500 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1501 struct sk_buff *skb;
1502 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1503 struct l2cap_hdr *lh;
1505 BT_DBG("sk %p len %d", sk, (int)len);
1510 if (l2cap_pi(sk)->fcs == L2CAP_FCS_CRC16)
1513 count = min_t(unsigned int, (conn->mtu - hlen), len);
1514 skb = bt_skb_send_alloc(sk, count + hlen,
1515 msg->msg_flags & MSG_DONTWAIT, &err);
1517 return ERR_PTR(-ENOMEM);
1519 /* Create L2CAP header */
1520 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1521 lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1522 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1523 put_unaligned_le16(control, skb_put(skb, 2));
1525 put_unaligned_le16(sdulen, skb_put(skb, 2));
1527 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1528 if (unlikely(err < 0)) {
1530 return ERR_PTR(err);
1533 if (l2cap_pi(sk)->fcs == L2CAP_FCS_CRC16)
1534 put_unaligned_le16(0, skb_put(skb, 2));
1536 bt_cb(skb)->retries = 0;
1540 static inline int l2cap_sar_segment_sdu(struct sock *sk, struct msghdr *msg, size_t len)
1542 struct l2cap_pinfo *pi = l2cap_pi(sk);
1543 struct sk_buff *skb;
1544 struct sk_buff_head sar_queue;
1548 __skb_queue_head_init(&sar_queue);
1549 control = L2CAP_SDU_START;
1550 skb = l2cap_create_iframe_pdu(sk, msg, pi->max_pdu_size, control, len);
1552 return PTR_ERR(skb);
1554 __skb_queue_tail(&sar_queue, skb);
1555 len -= pi->max_pdu_size;
1556 size +=pi->max_pdu_size;
1562 if (len > pi->max_pdu_size) {
1563 control |= L2CAP_SDU_CONTINUE;
1564 buflen = pi->max_pdu_size;
1566 control |= L2CAP_SDU_END;
1570 skb = l2cap_create_iframe_pdu(sk, msg, buflen, control, 0);
1572 skb_queue_purge(&sar_queue);
1573 return PTR_ERR(skb);
1576 __skb_queue_tail(&sar_queue, skb);
1581 skb_queue_splice_tail(&sar_queue, TX_QUEUE(sk));
1582 if (sk->sk_send_head == NULL)
1583 sk->sk_send_head = sar_queue.next;
1588 static int l2cap_sock_sendmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len)
1590 struct sock *sk = sock->sk;
1591 struct l2cap_pinfo *pi = l2cap_pi(sk);
1592 struct sk_buff *skb;
1596 BT_DBG("sock %p, sk %p", sock, sk);
1598 err = sock_error(sk);
1602 if (msg->msg_flags & MSG_OOB)
1605 /* Check outgoing MTU */
1606 if (sk->sk_type == SOCK_SEQPACKET && pi->mode == L2CAP_MODE_BASIC
1612 if (sk->sk_state != BT_CONNECTED) {
1617 /* Connectionless channel */
1618 if (sk->sk_type == SOCK_DGRAM) {
1619 skb = l2cap_create_connless_pdu(sk, msg, len);
1620 err = l2cap_do_send(sk, skb);
1625 case L2CAP_MODE_BASIC:
1626 /* Create a basic PDU */
1627 skb = l2cap_create_basic_pdu(sk, msg, len);
1633 err = l2cap_do_send(sk, skb);
1638 case L2CAP_MODE_ERTM:
1639 case L2CAP_MODE_STREAMING:
1640 /* Entire SDU fits into one PDU */
1641 if (len <= pi->max_pdu_size) {
1642 control = L2CAP_SDU_UNSEGMENTED;
1643 skb = l2cap_create_iframe_pdu(sk, msg, len, control, 0);
1648 __skb_queue_tail(TX_QUEUE(sk), skb);
1649 if (sk->sk_send_head == NULL)
1650 sk->sk_send_head = skb;
1652 /* Segment SDU into multiples PDUs */
1653 err = l2cap_sar_segment_sdu(sk, msg, len);
1658 if (pi->mode == L2CAP_MODE_STREAMING)
1659 err = l2cap_streaming_send(sk);
1661 err = l2cap_ertm_send(sk);
1668 BT_DBG("bad state %1.1x", pi->mode);
1677 static int l2cap_sock_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len, int flags)
1679 struct sock *sk = sock->sk;
1683 if (sk->sk_state == BT_CONNECT2 && bt_sk(sk)->defer_setup) {
1684 struct l2cap_conn_rsp rsp;
1686 sk->sk_state = BT_CONFIG;
1688 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
1689 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
1690 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1691 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1692 l2cap_send_cmd(l2cap_pi(sk)->conn, l2cap_pi(sk)->ident,
1693 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
1701 return bt_sock_recvmsg(iocb, sock, msg, len, flags);
1704 static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __user *optval, unsigned int optlen)
1706 struct sock *sk = sock->sk;
1707 struct l2cap_options opts;
1711 BT_DBG("sk %p", sk);
1717 opts.imtu = l2cap_pi(sk)->imtu;
1718 opts.omtu = l2cap_pi(sk)->omtu;
1719 opts.flush_to = l2cap_pi(sk)->flush_to;
1720 opts.mode = l2cap_pi(sk)->mode;
1721 opts.fcs = l2cap_pi(sk)->fcs;
1723 len = min_t(unsigned int, sizeof(opts), optlen);
1724 if (copy_from_user((char *) &opts, optval, len)) {
1729 l2cap_pi(sk)->imtu = opts.imtu;
1730 l2cap_pi(sk)->omtu = opts.omtu;
1731 l2cap_pi(sk)->mode = opts.mode;
1732 l2cap_pi(sk)->fcs = opts.fcs;
1736 if (get_user(opt, (u32 __user *) optval)) {
1741 if (opt & L2CAP_LM_AUTH)
1742 l2cap_pi(sk)->sec_level = BT_SECURITY_LOW;
1743 if (opt & L2CAP_LM_ENCRYPT)
1744 l2cap_pi(sk)->sec_level = BT_SECURITY_MEDIUM;
1745 if (opt & L2CAP_LM_SECURE)
1746 l2cap_pi(sk)->sec_level = BT_SECURITY_HIGH;
1748 l2cap_pi(sk)->role_switch = (opt & L2CAP_LM_MASTER);
1749 l2cap_pi(sk)->force_reliable = (opt & L2CAP_LM_RELIABLE);
1761 static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, char __user *optval, unsigned int optlen)
1763 struct sock *sk = sock->sk;
1764 struct bt_security sec;
1768 BT_DBG("sk %p", sk);
1770 if (level == SOL_L2CAP)
1771 return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
1773 if (level != SOL_BLUETOOTH)
1774 return -ENOPROTOOPT;
1780 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_RAW) {
1785 sec.level = BT_SECURITY_LOW;
1787 len = min_t(unsigned int, sizeof(sec), optlen);
1788 if (copy_from_user((char *) &sec, optval, len)) {
1793 if (sec.level < BT_SECURITY_LOW ||
1794 sec.level > BT_SECURITY_HIGH) {
1799 l2cap_pi(sk)->sec_level = sec.level;
1802 case BT_DEFER_SETUP:
1803 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
1808 if (get_user(opt, (u32 __user *) optval)) {
1813 bt_sk(sk)->defer_setup = opt;
1825 static int l2cap_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen)
1827 struct sock *sk = sock->sk;
1828 struct l2cap_options opts;
1829 struct l2cap_conninfo cinfo;
1833 BT_DBG("sk %p", sk);
1835 if (get_user(len, optlen))
1842 opts.imtu = l2cap_pi(sk)->imtu;
1843 opts.omtu = l2cap_pi(sk)->omtu;
1844 opts.flush_to = l2cap_pi(sk)->flush_to;
1845 opts.mode = l2cap_pi(sk)->mode;
1846 opts.fcs = l2cap_pi(sk)->fcs;
1848 len = min_t(unsigned int, len, sizeof(opts));
1849 if (copy_to_user(optval, (char *) &opts, len))
1855 switch (l2cap_pi(sk)->sec_level) {
1856 case BT_SECURITY_LOW:
1857 opt = L2CAP_LM_AUTH;
1859 case BT_SECURITY_MEDIUM:
1860 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
1862 case BT_SECURITY_HIGH:
1863 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
1871 if (l2cap_pi(sk)->role_switch)
1872 opt |= L2CAP_LM_MASTER;
1874 if (l2cap_pi(sk)->force_reliable)
1875 opt |= L2CAP_LM_RELIABLE;
1877 if (put_user(opt, (u32 __user *) optval))
1881 case L2CAP_CONNINFO:
1882 if (sk->sk_state != BT_CONNECTED &&
1883 !(sk->sk_state == BT_CONNECT2 &&
1884 bt_sk(sk)->defer_setup)) {
1889 cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle;
1890 memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3);
1892 len = min_t(unsigned int, len, sizeof(cinfo));
1893 if (copy_to_user(optval, (char *) &cinfo, len))
1907 static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen)
1909 struct sock *sk = sock->sk;
1910 struct bt_security sec;
1913 BT_DBG("sk %p", sk);
1915 if (level == SOL_L2CAP)
1916 return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
1918 if (level != SOL_BLUETOOTH)
1919 return -ENOPROTOOPT;
1921 if (get_user(len, optlen))
1928 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_RAW) {
1933 sec.level = l2cap_pi(sk)->sec_level;
1935 len = min_t(unsigned int, len, sizeof(sec));
1936 if (copy_to_user(optval, (char *) &sec, len))
1941 case BT_DEFER_SETUP:
1942 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
1947 if (put_user(bt_sk(sk)->defer_setup, (u32 __user *) optval))
1961 static int l2cap_sock_shutdown(struct socket *sock, int how)
1963 struct sock *sk = sock->sk;
1966 BT_DBG("sock %p, sk %p", sock, sk);
1972 if (!sk->sk_shutdown) {
1973 sk->sk_shutdown = SHUTDOWN_MASK;
1974 l2cap_sock_clear_timer(sk);
1975 __l2cap_sock_close(sk, 0);
1977 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime)
1978 err = bt_sock_wait_state(sk, BT_CLOSED,
1985 static int l2cap_sock_release(struct socket *sock)
1987 struct sock *sk = sock->sk;
1990 BT_DBG("sock %p, sk %p", sock, sk);
1995 err = l2cap_sock_shutdown(sock, 2);
1998 l2cap_sock_kill(sk);
2002 static void l2cap_chan_ready(struct sock *sk)
2004 struct sock *parent = bt_sk(sk)->parent;
2006 BT_DBG("sk %p, parent %p", sk, parent);
2008 l2cap_pi(sk)->conf_state = 0;
2009 l2cap_sock_clear_timer(sk);
2012 /* Outgoing channel.
2013 * Wake up socket sleeping on connect.
2015 sk->sk_state = BT_CONNECTED;
2016 sk->sk_state_change(sk);
2018 /* Incoming channel.
2019 * Wake up socket sleeping on accept.
2021 parent->sk_data_ready(parent, 0);
2025 /* Copy frame to all raw sockets on that connection */
2026 static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2028 struct l2cap_chan_list *l = &conn->chan_list;
2029 struct sk_buff *nskb;
2032 BT_DBG("conn %p", conn);
2034 read_lock(&l->lock);
2035 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
2036 if (sk->sk_type != SOCK_RAW)
2039 /* Don't send frame to the socket it came from */
2042 nskb = skb_clone(skb, GFP_ATOMIC);
2046 if (sock_queue_rcv_skb(sk, nskb))
2049 read_unlock(&l->lock);
2052 /* ---- L2CAP signalling commands ---- */
2053 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2054 u8 code, u8 ident, u16 dlen, void *data)
2056 struct sk_buff *skb, **frag;
2057 struct l2cap_cmd_hdr *cmd;
2058 struct l2cap_hdr *lh;
2061 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
2062 conn, code, ident, dlen);
2064 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2065 count = min_t(unsigned int, conn->mtu, len);
2067 skb = bt_skb_alloc(count, GFP_ATOMIC);
2071 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2072 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
2073 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
2075 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2078 cmd->len = cpu_to_le16(dlen);
2081 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2082 memcpy(skb_put(skb, count), data, count);
2088 /* Continuation fragments (no L2CAP header) */
2089 frag = &skb_shinfo(skb)->frag_list;
2091 count = min_t(unsigned int, conn->mtu, len);
2093 *frag = bt_skb_alloc(count, GFP_ATOMIC);
2097 memcpy(skb_put(*frag, count), data, count);
2102 frag = &(*frag)->next;
2112 static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
2114 struct l2cap_conf_opt *opt = *ptr;
2117 len = L2CAP_CONF_OPT_SIZE + opt->len;
2125 *val = *((u8 *) opt->val);
2129 *val = __le16_to_cpu(*((__le16 *) opt->val));
2133 *val = __le32_to_cpu(*((__le32 *) opt->val));
2137 *val = (unsigned long) opt->val;
2141 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
2145 static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2147 struct l2cap_conf_opt *opt = *ptr;
2149 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
2156 *((u8 *) opt->val) = val;
2160 *((__le16 *) opt->val) = cpu_to_le16(val);
2164 *((__le32 *) opt->val) = cpu_to_le32(val);
2168 memcpy(opt->val, (void *) val, len);
2172 *ptr += L2CAP_CONF_OPT_SIZE + len;
2175 static int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
2177 u32 local_feat_mask = l2cap_feat_mask;
2179 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
2182 case L2CAP_MODE_ERTM:
2183 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
2184 case L2CAP_MODE_STREAMING:
2185 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
2191 static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2194 case L2CAP_MODE_STREAMING:
2195 case L2CAP_MODE_ERTM:
2196 if (l2cap_mode_supported(mode, remote_feat_mask))
2200 return L2CAP_MODE_BASIC;
2204 static int l2cap_build_conf_req(struct sock *sk, void *data)
2206 struct l2cap_pinfo *pi = l2cap_pi(sk);
2207 struct l2cap_conf_req *req = data;
2208 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_ERTM };
2209 void *ptr = req->data;
2211 BT_DBG("sk %p", sk);
2213 if (pi->num_conf_req || pi->num_conf_rsp)
2217 case L2CAP_MODE_STREAMING:
2218 case L2CAP_MODE_ERTM:
2219 pi->conf_state |= L2CAP_CONF_STATE2_DEVICE;
2220 if (!l2cap_mode_supported(pi->mode, pi->conn->feat_mask))
2221 l2cap_send_disconn_req(pi->conn, sk);
2224 pi->mode = l2cap_select_mode(rfc.mode, pi->conn->feat_mask);
2230 case L2CAP_MODE_BASIC:
2231 if (pi->imtu != L2CAP_DEFAULT_MTU)
2232 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->imtu);
2235 case L2CAP_MODE_ERTM:
2236 rfc.mode = L2CAP_MODE_ERTM;
2237 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
2238 rfc.max_transmit = L2CAP_DEFAULT_MAX_TX;
2239 rfc.retrans_timeout = 0;
2240 rfc.monitor_timeout = 0;
2241 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
2243 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2244 sizeof(rfc), (unsigned long) &rfc);
2246 if (!(pi->conn->feat_mask & L2CAP_FEAT_FCS))
2249 if (pi->fcs == L2CAP_FCS_NONE ||
2250 pi->conf_state & L2CAP_CONF_NO_FCS_RECV) {
2251 pi->fcs = L2CAP_FCS_NONE;
2252 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, pi->fcs);
2256 case L2CAP_MODE_STREAMING:
2257 rfc.mode = L2CAP_MODE_STREAMING;
2259 rfc.max_transmit = 0;
2260 rfc.retrans_timeout = 0;
2261 rfc.monitor_timeout = 0;
2262 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
2264 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2265 sizeof(rfc), (unsigned long) &rfc);
2267 if (!(pi->conn->feat_mask & L2CAP_FEAT_FCS))
2270 if (pi->fcs == L2CAP_FCS_NONE ||
2271 pi->conf_state & L2CAP_CONF_NO_FCS_RECV) {
2272 pi->fcs = L2CAP_FCS_NONE;
2273 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, pi->fcs);
2278 /* FIXME: Need actual value of the flush timeout */
2279 //if (flush_to != L2CAP_DEFAULT_FLUSH_TO)
2280 // l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, 2, pi->flush_to);
2282 req->dcid = cpu_to_le16(pi->dcid);
2283 req->flags = cpu_to_le16(0);
2288 static int l2cap_parse_conf_req(struct sock *sk, void *data)
2290 struct l2cap_pinfo *pi = l2cap_pi(sk);
2291 struct l2cap_conf_rsp *rsp = data;
2292 void *ptr = rsp->data;
2293 void *req = pi->conf_req;
2294 int len = pi->conf_len;
2295 int type, hint, olen;
2297 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
2298 u16 mtu = L2CAP_DEFAULT_MTU;
2299 u16 result = L2CAP_CONF_SUCCESS;
2301 BT_DBG("sk %p", sk);
2303 while (len >= L2CAP_CONF_OPT_SIZE) {
2304 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
2306 hint = type & L2CAP_CONF_HINT;
2307 type &= L2CAP_CONF_MASK;
2310 case L2CAP_CONF_MTU:
2314 case L2CAP_CONF_FLUSH_TO:
2318 case L2CAP_CONF_QOS:
2321 case L2CAP_CONF_RFC:
2322 if (olen == sizeof(rfc))
2323 memcpy(&rfc, (void *) val, olen);
2326 case L2CAP_CONF_FCS:
2327 if (val == L2CAP_FCS_NONE)
2328 pi->conf_state |= L2CAP_CONF_NO_FCS_RECV;
2336 result = L2CAP_CONF_UNKNOWN;
2337 *((u8 *) ptr++) = type;
2342 if (pi->num_conf_rsp || pi->num_conf_req)
2346 case L2CAP_MODE_STREAMING:
2347 case L2CAP_MODE_ERTM:
2348 pi->conf_state |= L2CAP_CONF_STATE2_DEVICE;
2349 if (!l2cap_mode_supported(pi->mode, pi->conn->feat_mask))
2350 return -ECONNREFUSED;
2353 pi->mode = l2cap_select_mode(rfc.mode, pi->conn->feat_mask);
2358 if (pi->mode != rfc.mode) {
2359 result = L2CAP_CONF_UNACCEPT;
2360 rfc.mode = pi->mode;
2362 if (pi->num_conf_rsp == 1)
2363 return -ECONNREFUSED;
2365 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2366 sizeof(rfc), (unsigned long) &rfc);
2370 if (result == L2CAP_CONF_SUCCESS) {
2371 /* Configure output options and let the other side know
2372 * which ones we don't like. */
2374 if (mtu < L2CAP_DEFAULT_MIN_MTU)
2375 result = L2CAP_CONF_UNACCEPT;
2378 pi->conf_state |= L2CAP_CONF_MTU_DONE;
2380 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->omtu);
2383 case L2CAP_MODE_BASIC:
2384 pi->fcs = L2CAP_FCS_NONE;
2385 pi->conf_state |= L2CAP_CONF_MODE_DONE;
2388 case L2CAP_MODE_ERTM:
2389 pi->remote_tx_win = rfc.txwin_size;
2390 pi->remote_max_tx = rfc.max_transmit;
2391 pi->max_pdu_size = rfc.max_pdu_size;
2393 rfc.retrans_timeout = L2CAP_DEFAULT_RETRANS_TO;
2394 rfc.monitor_timeout = L2CAP_DEFAULT_MONITOR_TO;
2396 pi->conf_state |= L2CAP_CONF_MODE_DONE;
2399 case L2CAP_MODE_STREAMING:
2400 pi->remote_tx_win = rfc.txwin_size;
2401 pi->max_pdu_size = rfc.max_pdu_size;
2403 pi->conf_state |= L2CAP_CONF_MODE_DONE;
2407 result = L2CAP_CONF_UNACCEPT;
2409 memset(&rfc, 0, sizeof(rfc));
2410 rfc.mode = pi->mode;
2413 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2414 sizeof(rfc), (unsigned long) &rfc);
2416 if (result == L2CAP_CONF_SUCCESS)
2417 pi->conf_state |= L2CAP_CONF_OUTPUT_DONE;
2419 rsp->scid = cpu_to_le16(pi->dcid);
2420 rsp->result = cpu_to_le16(result);
2421 rsp->flags = cpu_to_le16(0x0000);
2426 static int l2cap_parse_conf_rsp(struct sock *sk, void *rsp, int len, void *data, u16 *result)
2428 struct l2cap_pinfo *pi = l2cap_pi(sk);
2429 struct l2cap_conf_req *req = data;
2430 void *ptr = req->data;
2433 struct l2cap_conf_rfc rfc;
2435 BT_DBG("sk %p, rsp %p, len %d, req %p", sk, rsp, len, data);
2437 while (len >= L2CAP_CONF_OPT_SIZE) {
2438 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2441 case L2CAP_CONF_MTU:
2442 if (val < L2CAP_DEFAULT_MIN_MTU) {
2443 *result = L2CAP_CONF_UNACCEPT;
2444 pi->omtu = L2CAP_DEFAULT_MIN_MTU;
2447 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->omtu);
2450 case L2CAP_CONF_FLUSH_TO:
2452 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
2456 case L2CAP_CONF_RFC:
2457 if (olen == sizeof(rfc))
2458 memcpy(&rfc, (void *)val, olen);
2460 if ((pi->conf_state & L2CAP_CONF_STATE2_DEVICE) &&
2461 rfc.mode != pi->mode)
2462 return -ECONNREFUSED;
2464 pi->mode = rfc.mode;
2467 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2468 sizeof(rfc), (unsigned long) &rfc);
2473 if (*result == L2CAP_CONF_SUCCESS) {
2475 case L2CAP_MODE_ERTM:
2476 pi->remote_tx_win = rfc.txwin_size;
2477 pi->retrans_timeout = rfc.retrans_timeout;
2478 pi->monitor_timeout = rfc.monitor_timeout;
2479 pi->max_pdu_size = le16_to_cpu(rfc.max_pdu_size);
2481 case L2CAP_MODE_STREAMING:
2482 pi->max_pdu_size = le16_to_cpu(rfc.max_pdu_size);
2487 req->dcid = cpu_to_le16(pi->dcid);
2488 req->flags = cpu_to_le16(0x0000);
2493 static int l2cap_build_conf_rsp(struct sock *sk, void *data, u16 result, u16 flags)
2495 struct l2cap_conf_rsp *rsp = data;
2496 void *ptr = rsp->data;
2498 BT_DBG("sk %p", sk);
2500 rsp->scid = cpu_to_le16(l2cap_pi(sk)->dcid);
2501 rsp->result = cpu_to_le16(result);
2502 rsp->flags = cpu_to_le16(flags);
2507 static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2509 struct l2cap_cmd_rej *rej = (struct l2cap_cmd_rej *) data;
2511 if (rej->reason != 0x0000)
2514 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2515 cmd->ident == conn->info_ident) {
2516 del_timer(&conn->info_timer);
2518 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2519 conn->info_ident = 0;
2521 l2cap_conn_start(conn);
2527 static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2529 struct l2cap_chan_list *list = &conn->chan_list;
2530 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
2531 struct l2cap_conn_rsp rsp;
2532 struct sock *sk, *parent;
2533 int result, status = L2CAP_CS_NO_INFO;
2535 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
2536 __le16 psm = req->psm;
2538 BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
2540 /* Check if we have socket listening on psm */
2541 parent = l2cap_get_sock_by_psm(BT_LISTEN, psm, conn->src);
2543 result = L2CAP_CR_BAD_PSM;
2547 /* Check if the ACL is secure enough (if not SDP) */
2548 if (psm != cpu_to_le16(0x0001) &&
2549 !hci_conn_check_link_mode(conn->hcon)) {
2550 conn->disc_reason = 0x05;
2551 result = L2CAP_CR_SEC_BLOCK;
2555 result = L2CAP_CR_NO_MEM;
2557 /* Check for backlog size */
2558 if (sk_acceptq_is_full(parent)) {
2559 BT_DBG("backlog full %d", parent->sk_ack_backlog);
2563 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP, GFP_ATOMIC);
2567 write_lock_bh(&list->lock);
2569 /* Check if we already have channel with that dcid */
2570 if (__l2cap_get_chan_by_dcid(list, scid)) {
2571 write_unlock_bh(&list->lock);
2572 sock_set_flag(sk, SOCK_ZAPPED);
2573 l2cap_sock_kill(sk);
2577 hci_conn_hold(conn->hcon);
2579 l2cap_sock_init(sk, parent);
2580 bacpy(&bt_sk(sk)->src, conn->src);
2581 bacpy(&bt_sk(sk)->dst, conn->dst);
2582 l2cap_pi(sk)->psm = psm;
2583 l2cap_pi(sk)->dcid = scid;
2585 __l2cap_chan_add(conn, sk, parent);
2586 dcid = l2cap_pi(sk)->scid;
2588 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
2590 l2cap_pi(sk)->ident = cmd->ident;
2592 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
2593 if (l2cap_check_security(sk)) {
2594 if (bt_sk(sk)->defer_setup) {
2595 sk->sk_state = BT_CONNECT2;
2596 result = L2CAP_CR_PEND;
2597 status = L2CAP_CS_AUTHOR_PEND;
2598 parent->sk_data_ready(parent, 0);
2600 sk->sk_state = BT_CONFIG;
2601 result = L2CAP_CR_SUCCESS;
2602 status = L2CAP_CS_NO_INFO;
2605 sk->sk_state = BT_CONNECT2;
2606 result = L2CAP_CR_PEND;
2607 status = L2CAP_CS_AUTHEN_PEND;
2610 sk->sk_state = BT_CONNECT2;
2611 result = L2CAP_CR_PEND;
2612 status = L2CAP_CS_NO_INFO;
2615 write_unlock_bh(&list->lock);
2618 bh_unlock_sock(parent);
2621 rsp.scid = cpu_to_le16(scid);
2622 rsp.dcid = cpu_to_le16(dcid);
2623 rsp.result = cpu_to_le16(result);
2624 rsp.status = cpu_to_le16(status);
2625 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2627 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
2628 struct l2cap_info_req info;
2629 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2631 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
2632 conn->info_ident = l2cap_get_ident(conn);
2634 mod_timer(&conn->info_timer, jiffies +
2635 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
2637 l2cap_send_cmd(conn, conn->info_ident,
2638 L2CAP_INFO_REQ, sizeof(info), &info);
2644 static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2646 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
2647 u16 scid, dcid, result, status;
2651 scid = __le16_to_cpu(rsp->scid);
2652 dcid = __le16_to_cpu(rsp->dcid);
2653 result = __le16_to_cpu(rsp->result);
2654 status = __le16_to_cpu(rsp->status);
2656 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status);
2659 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
2663 sk = l2cap_get_chan_by_ident(&conn->chan_list, cmd->ident);
2669 case L2CAP_CR_SUCCESS:
2670 sk->sk_state = BT_CONFIG;
2671 l2cap_pi(sk)->ident = 0;
2672 l2cap_pi(sk)->dcid = dcid;
2673 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
2675 l2cap_pi(sk)->conf_state &= ~L2CAP_CONF_CONNECT_PEND;
2677 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2678 l2cap_build_conf_req(sk, req), req);
2679 l2cap_pi(sk)->num_conf_req++;
2683 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
2687 l2cap_chan_del(sk, ECONNREFUSED);
2695 static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
2697 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
2703 dcid = __le16_to_cpu(req->dcid);
2704 flags = __le16_to_cpu(req->flags);
2706 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
2708 sk = l2cap_get_chan_by_scid(&conn->chan_list, dcid);
2712 if (sk->sk_state == BT_DISCONN)
2715 /* Reject if config buffer is too small. */
2716 len = cmd_len - sizeof(*req);
2717 if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
2718 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2719 l2cap_build_conf_rsp(sk, rsp,
2720 L2CAP_CONF_REJECT, flags), rsp);
2725 memcpy(l2cap_pi(sk)->conf_req + l2cap_pi(sk)->conf_len, req->data, len);
2726 l2cap_pi(sk)->conf_len += len;
2728 if (flags & 0x0001) {
2729 /* Incomplete config. Send empty response. */
2730 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2731 l2cap_build_conf_rsp(sk, rsp,
2732 L2CAP_CONF_SUCCESS, 0x0001), rsp);
2736 /* Complete config. */
2737 len = l2cap_parse_conf_req(sk, rsp);
2739 l2cap_send_disconn_req(conn, sk);
2743 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
2744 l2cap_pi(sk)->num_conf_rsp++;
2746 /* Reset config buffer. */
2747 l2cap_pi(sk)->conf_len = 0;
2749 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE))
2752 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_INPUT_DONE) {
2753 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_NO_FCS_RECV)
2754 || l2cap_pi(sk)->fcs != L2CAP_FCS_NONE)
2755 l2cap_pi(sk)->fcs = L2CAP_FCS_CRC16;
2757 sk->sk_state = BT_CONNECTED;
2758 l2cap_pi(sk)->next_tx_seq = 0;
2759 l2cap_pi(sk)->expected_ack_seq = 0;
2760 l2cap_pi(sk)->unacked_frames = 0;
2762 setup_timer(&l2cap_pi(sk)->retrans_timer,
2763 l2cap_retrans_timeout, (unsigned long) sk);
2764 setup_timer(&l2cap_pi(sk)->monitor_timer,
2765 l2cap_monitor_timeout, (unsigned long) sk);
2767 __skb_queue_head_init(TX_QUEUE(sk));
2768 __skb_queue_head_init(SREJ_QUEUE(sk));
2769 l2cap_chan_ready(sk);
2773 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT)) {
2775 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2776 l2cap_build_conf_req(sk, buf), buf);
2777 l2cap_pi(sk)->num_conf_req++;
2785 static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2787 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
2788 u16 scid, flags, result;
2791 scid = __le16_to_cpu(rsp->scid);
2792 flags = __le16_to_cpu(rsp->flags);
2793 result = __le16_to_cpu(rsp->result);
2795 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x",
2796 scid, flags, result);
2798 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
2803 case L2CAP_CONF_SUCCESS:
2806 case L2CAP_CONF_UNACCEPT:
2807 if (l2cap_pi(sk)->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
2808 int len = cmd->len - sizeof(*rsp);
2811 /* throw out any old stored conf requests */
2812 result = L2CAP_CONF_SUCCESS;
2813 len = l2cap_parse_conf_rsp(sk, rsp->data,
2816 l2cap_send_disconn_req(conn, sk);
2820 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2821 L2CAP_CONF_REQ, len, req);
2822 l2cap_pi(sk)->num_conf_req++;
2823 if (result != L2CAP_CONF_SUCCESS)
2829 sk->sk_state = BT_DISCONN;
2830 sk->sk_err = ECONNRESET;
2831 l2cap_sock_set_timer(sk, HZ * 5);
2832 l2cap_send_disconn_req(conn, sk);
2839 l2cap_pi(sk)->conf_state |= L2CAP_CONF_INPUT_DONE;
2841 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE) {
2842 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_NO_FCS_RECV)
2843 || l2cap_pi(sk)->fcs != L2CAP_FCS_NONE)
2844 l2cap_pi(sk)->fcs = L2CAP_FCS_CRC16;
2846 sk->sk_state = BT_CONNECTED;
2847 l2cap_pi(sk)->expected_tx_seq = 0;
2848 l2cap_pi(sk)->buffer_seq = 0;
2849 l2cap_pi(sk)->num_to_ack = 0;
2850 __skb_queue_head_init(TX_QUEUE(sk));
2851 __skb_queue_head_init(SREJ_QUEUE(sk));
2852 l2cap_chan_ready(sk);
2860 static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2862 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
2863 struct l2cap_disconn_rsp rsp;
2867 scid = __le16_to_cpu(req->scid);
2868 dcid = __le16_to_cpu(req->dcid);
2870 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
2872 sk = l2cap_get_chan_by_scid(&conn->chan_list, dcid);
2876 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
2877 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
2878 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
2880 sk->sk_shutdown = SHUTDOWN_MASK;
2882 skb_queue_purge(TX_QUEUE(sk));
2883 skb_queue_purge(SREJ_QUEUE(sk));
2884 del_timer(&l2cap_pi(sk)->retrans_timer);
2885 del_timer(&l2cap_pi(sk)->monitor_timer);
2887 l2cap_chan_del(sk, ECONNRESET);
2890 l2cap_sock_kill(sk);
2894 static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2896 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
2900 scid = __le16_to_cpu(rsp->scid);
2901 dcid = __le16_to_cpu(rsp->dcid);
2903 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
2905 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
2909 skb_queue_purge(TX_QUEUE(sk));
2910 skb_queue_purge(SREJ_QUEUE(sk));
2911 del_timer(&l2cap_pi(sk)->retrans_timer);
2912 del_timer(&l2cap_pi(sk)->monitor_timer);
2914 l2cap_chan_del(sk, 0);
2917 l2cap_sock_kill(sk);
2921 static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2923 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
2926 type = __le16_to_cpu(req->type);
2928 BT_DBG("type 0x%4.4x", type);
2930 if (type == L2CAP_IT_FEAT_MASK) {
2932 u32 feat_mask = l2cap_feat_mask;
2933 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2934 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2935 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
2937 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
2939 put_unaligned_le32(feat_mask, rsp->data);
2940 l2cap_send_cmd(conn, cmd->ident,
2941 L2CAP_INFO_RSP, sizeof(buf), buf);
2942 } else if (type == L2CAP_IT_FIXED_CHAN) {
2944 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2945 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2946 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
2947 memcpy(buf + 4, l2cap_fixed_chan, 8);
2948 l2cap_send_cmd(conn, cmd->ident,
2949 L2CAP_INFO_RSP, sizeof(buf), buf);
2951 struct l2cap_info_rsp rsp;
2952 rsp.type = cpu_to_le16(type);
2953 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
2954 l2cap_send_cmd(conn, cmd->ident,
2955 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
2961 static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2963 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
2966 type = __le16_to_cpu(rsp->type);
2967 result = __le16_to_cpu(rsp->result);
2969 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
2971 del_timer(&conn->info_timer);
2973 if (type == L2CAP_IT_FEAT_MASK) {
2974 conn->feat_mask = get_unaligned_le32(rsp->data);
2976 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
2977 struct l2cap_info_req req;
2978 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2980 conn->info_ident = l2cap_get_ident(conn);
2982 l2cap_send_cmd(conn, conn->info_ident,
2983 L2CAP_INFO_REQ, sizeof(req), &req);
2985 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2986 conn->info_ident = 0;
2988 l2cap_conn_start(conn);
2990 } else if (type == L2CAP_IT_FIXED_CHAN) {
2991 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2992 conn->info_ident = 0;
2994 l2cap_conn_start(conn);
3000 static inline void l2cap_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb)
3002 u8 *data = skb->data;
3004 struct l2cap_cmd_hdr cmd;
3007 l2cap_raw_recv(conn, skb);
3009 while (len >= L2CAP_CMD_HDR_SIZE) {
3011 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
3012 data += L2CAP_CMD_HDR_SIZE;
3013 len -= L2CAP_CMD_HDR_SIZE;
3015 cmd_len = le16_to_cpu(cmd.len);
3017 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
3019 if (cmd_len > len || !cmd.ident) {
3020 BT_DBG("corrupted command");
3025 case L2CAP_COMMAND_REJ:
3026 l2cap_command_rej(conn, &cmd, data);
3029 case L2CAP_CONN_REQ:
3030 err = l2cap_connect_req(conn, &cmd, data);
3033 case L2CAP_CONN_RSP:
3034 err = l2cap_connect_rsp(conn, &cmd, data);
3037 case L2CAP_CONF_REQ:
3038 err = l2cap_config_req(conn, &cmd, cmd_len, data);
3041 case L2CAP_CONF_RSP:
3042 err = l2cap_config_rsp(conn, &cmd, data);
3045 case L2CAP_DISCONN_REQ:
3046 err = l2cap_disconnect_req(conn, &cmd, data);
3049 case L2CAP_DISCONN_RSP:
3050 err = l2cap_disconnect_rsp(conn, &cmd, data);
3053 case L2CAP_ECHO_REQ:
3054 l2cap_send_cmd(conn, cmd.ident, L2CAP_ECHO_RSP, cmd_len, data);
3057 case L2CAP_ECHO_RSP:
3060 case L2CAP_INFO_REQ:
3061 err = l2cap_information_req(conn, &cmd, data);
3064 case L2CAP_INFO_RSP:
3065 err = l2cap_information_rsp(conn, &cmd, data);
3069 BT_ERR("Unknown signaling command 0x%2.2x", cmd.code);
3075 struct l2cap_cmd_rej rej;
3076 BT_DBG("error %d", err);
3078 /* FIXME: Map err to a valid reason */
3079 rej.reason = cpu_to_le16(0);
3080 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3090 static int l2cap_check_fcs(struct l2cap_pinfo *pi, struct sk_buff *skb)
3092 u16 our_fcs, rcv_fcs;
3093 int hdr_size = L2CAP_HDR_SIZE + 2;
3095 if (pi->fcs == L2CAP_FCS_CRC16) {
3096 skb_trim(skb, skb->len - 2);
3097 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
3098 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
3100 if (our_fcs != rcv_fcs)
3106 static void l2cap_add_to_srej_queue(struct sock *sk, struct sk_buff *skb, u8 tx_seq, u8 sar)
3108 struct sk_buff *next_skb;
3110 bt_cb(skb)->tx_seq = tx_seq;
3111 bt_cb(skb)->sar = sar;
3113 next_skb = skb_peek(SREJ_QUEUE(sk));
3115 __skb_queue_tail(SREJ_QUEUE(sk), skb);
3120 if (bt_cb(next_skb)->tx_seq > tx_seq) {
3121 __skb_queue_before(SREJ_QUEUE(sk), next_skb, skb);
3125 if (skb_queue_is_last(SREJ_QUEUE(sk), next_skb))
3128 } while((next_skb = skb_queue_next(SREJ_QUEUE(sk), next_skb)));
3130 __skb_queue_tail(SREJ_QUEUE(sk), skb);
3133 static int l2cap_sar_reassembly_sdu(struct sock *sk, struct sk_buff *skb, u16 control)
3135 struct l2cap_pinfo *pi = l2cap_pi(sk);
3136 struct sk_buff *_skb;
3139 switch (control & L2CAP_CTRL_SAR) {
3140 case L2CAP_SDU_UNSEGMENTED:
3141 if (pi->conn_state & L2CAP_CONN_SAR_SDU) {
3146 err = sock_queue_rcv_skb(sk, skb);
3152 case L2CAP_SDU_START:
3153 if (pi->conn_state & L2CAP_CONN_SAR_SDU) {
3158 pi->sdu_len = get_unaligned_le16(skb->data);
3161 pi->sdu = bt_skb_alloc(pi->sdu_len, GFP_ATOMIC);
3167 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3169 pi->conn_state |= L2CAP_CONN_SAR_SDU;
3170 pi->partial_sdu_len = skb->len;
3174 case L2CAP_SDU_CONTINUE:
3175 if (!(pi->conn_state & L2CAP_CONN_SAR_SDU))
3178 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3180 pi->partial_sdu_len += skb->len;
3181 if (pi->partial_sdu_len > pi->sdu_len)
3189 if (!(pi->conn_state & L2CAP_CONN_SAR_SDU))
3192 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3194 pi->conn_state &= ~L2CAP_CONN_SAR_SDU;
3195 pi->partial_sdu_len += skb->len;
3197 if (pi->partial_sdu_len == pi->sdu_len) {
3198 _skb = skb_clone(pi->sdu, GFP_ATOMIC);
3199 err = sock_queue_rcv_skb(sk, _skb);
3213 static void l2cap_check_srej_gap(struct sock *sk, u8 tx_seq)
3215 struct sk_buff *skb;
3218 while((skb = skb_peek(SREJ_QUEUE(sk)))) {
3219 if (bt_cb(skb)->tx_seq != tx_seq)
3222 skb = skb_dequeue(SREJ_QUEUE(sk));
3223 control |= bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
3224 l2cap_sar_reassembly_sdu(sk, skb, control);
3225 l2cap_pi(sk)->buffer_seq_srej =
3226 (l2cap_pi(sk)->buffer_seq_srej + 1) % 64;
3231 static void l2cap_resend_srejframe(struct sock *sk, u8 tx_seq)
3233 struct l2cap_pinfo *pi = l2cap_pi(sk);
3234 struct srej_list *l, *tmp;
3237 list_for_each_entry_safe(l,tmp, SREJ_LIST(sk), list) {
3238 if (l->tx_seq == tx_seq) {
3243 control = L2CAP_SUPER_SELECT_REJECT;
3244 control |= l->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3245 l2cap_send_sframe(pi, control);
3247 list_add_tail(&l->list, SREJ_LIST(sk));
3251 static void l2cap_send_srejframe(struct sock *sk, u8 tx_seq)
3253 struct l2cap_pinfo *pi = l2cap_pi(sk);
3254 struct srej_list *new;
3257 while (tx_seq != pi->expected_tx_seq) {
3258 control = L2CAP_SUPER_SELECT_REJECT;
3259 control |= pi->expected_tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3260 if (pi->conn_state & L2CAP_CONN_SEND_PBIT) {
3261 control |= L2CAP_CTRL_POLL;
3262 pi->conn_state &= ~L2CAP_CONN_SEND_PBIT;
3264 l2cap_send_sframe(pi, control);
3266 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
3267 new->tx_seq = pi->expected_tx_seq++;
3268 list_add_tail(&new->list, SREJ_LIST(sk));
3270 pi->expected_tx_seq++;
3273 static inline int l2cap_data_channel_iframe(struct sock *sk, u16 rx_control, struct sk_buff *skb)
3275 struct l2cap_pinfo *pi = l2cap_pi(sk);
3276 u8 tx_seq = __get_txseq(rx_control);
3278 u8 sar = rx_control >> L2CAP_CTRL_SAR_SHIFT;
3281 BT_DBG("sk %p rx_control 0x%4.4x len %d", sk, rx_control, skb->len);
3283 if (tx_seq == pi->expected_tx_seq)
3286 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
3287 struct srej_list *first;
3289 first = list_first_entry(SREJ_LIST(sk),
3290 struct srej_list, list);
3291 if (tx_seq == first->tx_seq) {
3292 l2cap_add_to_srej_queue(sk, skb, tx_seq, sar);
3293 l2cap_check_srej_gap(sk, tx_seq);
3295 list_del(&first->list);
3298 if (list_empty(SREJ_LIST(sk))) {
3299 pi->buffer_seq = pi->buffer_seq_srej;
3300 pi->conn_state &= ~L2CAP_CONN_SREJ_SENT;
3303 struct srej_list *l;
3304 l2cap_add_to_srej_queue(sk, skb, tx_seq, sar);
3306 list_for_each_entry(l, SREJ_LIST(sk), list) {
3307 if (l->tx_seq == tx_seq) {
3308 l2cap_resend_srejframe(sk, tx_seq);
3312 l2cap_send_srejframe(sk, tx_seq);
3315 pi->conn_state |= L2CAP_CONN_SREJ_SENT;
3317 INIT_LIST_HEAD(SREJ_LIST(sk));
3318 pi->buffer_seq_srej = pi->buffer_seq;
3320 __skb_queue_head_init(SREJ_QUEUE(sk));
3321 l2cap_add_to_srej_queue(sk, skb, tx_seq, sar);
3323 pi->conn_state |= L2CAP_CONN_SEND_PBIT;
3325 l2cap_send_srejframe(sk, tx_seq);
3330 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
3332 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
3333 l2cap_add_to_srej_queue(sk, skb, tx_seq, sar);
3337 pi->buffer_seq = (pi->buffer_seq + 1) % 64;
3339 err = l2cap_sar_reassembly_sdu(sk, skb, rx_control);
3343 pi->num_to_ack = (pi->num_to_ack + 1) % L2CAP_DEFAULT_NUM_TO_ACK;
3344 if (pi->num_to_ack == L2CAP_DEFAULT_NUM_TO_ACK - 1) {
3345 tx_control |= L2CAP_SUPER_RCV_READY;
3346 tx_control |= pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3347 l2cap_send_sframe(pi, tx_control);
3352 static inline int l2cap_data_channel_sframe(struct sock *sk, u16 rx_control, struct sk_buff *skb)
3354 struct l2cap_pinfo *pi = l2cap_pi(sk);
3355 u8 tx_seq = __get_reqseq(rx_control);
3357 BT_DBG("sk %p rx_control 0x%4.4x len %d", sk, rx_control, skb->len);
3359 switch (rx_control & L2CAP_CTRL_SUPERVISE) {
3360 case L2CAP_SUPER_RCV_READY:
3361 if (rx_control & L2CAP_CTRL_POLL) {
3362 u16 control = L2CAP_CTRL_FINAL;
3363 control |= L2CAP_SUPER_RCV_READY |
3364 (pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT);
3365 l2cap_send_sframe(l2cap_pi(sk), control);
3366 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3368 } else if (rx_control & L2CAP_CTRL_FINAL) {
3369 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3370 pi->expected_ack_seq = tx_seq;
3371 l2cap_drop_acked_frames(sk);
3373 if (!(pi->conn_state & L2CAP_CONN_WAIT_F))
3376 pi->conn_state &= ~L2CAP_CONN_WAIT_F;
3377 del_timer(&pi->monitor_timer);
3379 if (pi->unacked_frames > 0)
3380 __mod_retrans_timer();
3382 pi->expected_ack_seq = tx_seq;
3383 l2cap_drop_acked_frames(sk);
3385 if ((pi->conn_state & L2CAP_CONN_REMOTE_BUSY)
3386 && (pi->unacked_frames > 0))
3387 __mod_retrans_timer();
3389 l2cap_ertm_send(sk);
3390 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3394 case L2CAP_SUPER_REJECT:
3395 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3397 pi->expected_ack_seq = __get_reqseq(rx_control);
3398 l2cap_drop_acked_frames(sk);
3400 sk->sk_send_head = TX_QUEUE(sk)->next;
3401 pi->next_tx_seq = pi->expected_ack_seq;
3403 l2cap_ertm_send(sk);
3407 case L2CAP_SUPER_SELECT_REJECT:
3408 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3410 if (rx_control & L2CAP_CTRL_POLL) {
3411 l2cap_retransmit_frame(sk, tx_seq);
3412 pi->expected_ack_seq = tx_seq;
3413 l2cap_drop_acked_frames(sk);
3414 l2cap_ertm_send(sk);
3415 if (pi->conn_state & L2CAP_CONN_WAIT_F) {
3416 pi->srej_save_reqseq = tx_seq;
3417 pi->conn_state |= L2CAP_CONN_SREJ_ACT;
3419 } else if (rx_control & L2CAP_CTRL_FINAL) {
3420 if ((pi->conn_state & L2CAP_CONN_SREJ_ACT) &&
3421 pi->srej_save_reqseq == tx_seq)
3422 pi->srej_save_reqseq &= ~L2CAP_CONN_SREJ_ACT;
3424 l2cap_retransmit_frame(sk, tx_seq);
3427 l2cap_retransmit_frame(sk, tx_seq);
3428 if (pi->conn_state & L2CAP_CONN_WAIT_F) {
3429 pi->srej_save_reqseq = tx_seq;
3430 pi->conn_state |= L2CAP_CONN_SREJ_ACT;
3435 case L2CAP_SUPER_RCV_NOT_READY:
3436 pi->conn_state |= L2CAP_CONN_REMOTE_BUSY;
3437 pi->expected_ack_seq = tx_seq;
3438 l2cap_drop_acked_frames(sk);
3440 del_timer(&l2cap_pi(sk)->retrans_timer);
3441 if (rx_control & L2CAP_CTRL_POLL) {
3442 u16 control = L2CAP_CTRL_FINAL;
3443 l2cap_send_rr_or_rnr(l2cap_pi(sk), control);
3451 static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
3454 struct l2cap_pinfo *pi;
3459 sk = l2cap_get_chan_by_scid(&conn->chan_list, cid);
3461 BT_DBG("unknown cid 0x%4.4x", cid);
3467 BT_DBG("sk %p, len %d", sk, skb->len);
3469 if (sk->sk_state != BT_CONNECTED)
3473 case L2CAP_MODE_BASIC:
3474 /* If socket recv buffers overflows we drop data here
3475 * which is *bad* because L2CAP has to be reliable.
3476 * But we don't have any other choice. L2CAP doesn't
3477 * provide flow control mechanism. */
3479 if (pi->imtu < skb->len)
3482 if (!sock_queue_rcv_skb(sk, skb))
3486 case L2CAP_MODE_ERTM:
3487 control = get_unaligned_le16(skb->data);
3491 if (__is_sar_start(control))
3494 if (pi->fcs == L2CAP_FCS_CRC16)
3498 * We can just drop the corrupted I-frame here.
3499 * Receiver will miss it and start proper recovery
3500 * procedures and ask retransmission.
3502 if (len > L2CAP_DEFAULT_MAX_PDU_SIZE)
3505 if (l2cap_check_fcs(pi, skb))
3508 if (__is_iframe(control))
3509 err = l2cap_data_channel_iframe(sk, control, skb);
3511 err = l2cap_data_channel_sframe(sk, control, skb);
3517 case L2CAP_MODE_STREAMING:
3518 control = get_unaligned_le16(skb->data);
3522 if (__is_sar_start(control))
3525 if (pi->fcs == L2CAP_FCS_CRC16)
3528 if (len > L2CAP_DEFAULT_MAX_PDU_SIZE || __is_sframe(control))
3531 if (l2cap_check_fcs(pi, skb))
3534 tx_seq = __get_txseq(control);
3536 if (pi->expected_tx_seq == tx_seq)
3537 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
3539 pi->expected_tx_seq = tx_seq + 1;
3541 err = l2cap_sar_reassembly_sdu(sk, skb, control);
3546 BT_DBG("sk %p: bad mode 0x%2.2x", sk, l2cap_pi(sk)->mode);
3560 static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
3564 sk = l2cap_get_sock_by_psm(0, psm, conn->src);
3568 BT_DBG("sk %p, len %d", sk, skb->len);
3570 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_CONNECTED)
3573 if (l2cap_pi(sk)->imtu < skb->len)
3576 if (!sock_queue_rcv_skb(sk, skb))
3588 static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
3590 struct l2cap_hdr *lh = (void *) skb->data;
3594 skb_pull(skb, L2CAP_HDR_SIZE);
3595 cid = __le16_to_cpu(lh->cid);
3596 len = __le16_to_cpu(lh->len);
3598 if (len != skb->len) {
3603 BT_DBG("len %d, cid 0x%4.4x", len, cid);
3606 case L2CAP_CID_SIGNALING:
3607 l2cap_sig_channel(conn, skb);
3610 case L2CAP_CID_CONN_LESS:
3611 psm = get_unaligned_le16(skb->data);
3613 l2cap_conless_channel(conn, psm, skb);
3617 l2cap_data_channel(conn, cid, skb);
3622 /* ---- L2CAP interface with lower layer (HCI) ---- */
3624 static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
3626 int exact = 0, lm1 = 0, lm2 = 0;
3627 register struct sock *sk;
3628 struct hlist_node *node;
3630 if (type != ACL_LINK)
3633 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
3635 /* Find listening sockets and check their link_mode */
3636 read_lock(&l2cap_sk_list.lock);
3637 sk_for_each(sk, node, &l2cap_sk_list.head) {
3638 if (sk->sk_state != BT_LISTEN)
3641 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
3642 lm1 |= HCI_LM_ACCEPT;
3643 if (l2cap_pi(sk)->role_switch)
3644 lm1 |= HCI_LM_MASTER;
3646 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
3647 lm2 |= HCI_LM_ACCEPT;
3648 if (l2cap_pi(sk)->role_switch)
3649 lm2 |= HCI_LM_MASTER;
3652 read_unlock(&l2cap_sk_list.lock);
3654 return exact ? lm1 : lm2;
3657 static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
3659 struct l2cap_conn *conn;
3661 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
3663 if (hcon->type != ACL_LINK)
3667 conn = l2cap_conn_add(hcon, status);
3669 l2cap_conn_ready(conn);
3671 l2cap_conn_del(hcon, bt_err(status));
3676 static int l2cap_disconn_ind(struct hci_conn *hcon)
3678 struct l2cap_conn *conn = hcon->l2cap_data;
3680 BT_DBG("hcon %p", hcon);
3682 if (hcon->type != ACL_LINK || !conn)
3685 return conn->disc_reason;
3688 static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
3690 BT_DBG("hcon %p reason %d", hcon, reason);
3692 if (hcon->type != ACL_LINK)
3695 l2cap_conn_del(hcon, bt_err(reason));
3700 static inline void l2cap_check_encryption(struct sock *sk, u8 encrypt)
3702 if (sk->sk_type != SOCK_SEQPACKET)
3705 if (encrypt == 0x00) {
3706 if (l2cap_pi(sk)->sec_level == BT_SECURITY_MEDIUM) {
3707 l2cap_sock_clear_timer(sk);
3708 l2cap_sock_set_timer(sk, HZ * 5);
3709 } else if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
3710 __l2cap_sock_close(sk, ECONNREFUSED);
3712 if (l2cap_pi(sk)->sec_level == BT_SECURITY_MEDIUM)
3713 l2cap_sock_clear_timer(sk);
3717 static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
3719 struct l2cap_chan_list *l;
3720 struct l2cap_conn *conn = hcon->l2cap_data;
3726 l = &conn->chan_list;
3728 BT_DBG("conn %p", conn);
3730 read_lock(&l->lock);
3732 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
3735 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_CONNECT_PEND) {
3740 if (!status && (sk->sk_state == BT_CONNECTED ||
3741 sk->sk_state == BT_CONFIG)) {
3742 l2cap_check_encryption(sk, encrypt);
3747 if (sk->sk_state == BT_CONNECT) {
3749 struct l2cap_conn_req req;
3750 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
3751 req.psm = l2cap_pi(sk)->psm;
3753 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
3755 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
3756 L2CAP_CONN_REQ, sizeof(req), &req);
3758 l2cap_sock_clear_timer(sk);
3759 l2cap_sock_set_timer(sk, HZ / 10);
3761 } else if (sk->sk_state == BT_CONNECT2) {
3762 struct l2cap_conn_rsp rsp;
3766 sk->sk_state = BT_CONFIG;
3767 result = L2CAP_CR_SUCCESS;
3769 sk->sk_state = BT_DISCONN;
3770 l2cap_sock_set_timer(sk, HZ / 10);
3771 result = L2CAP_CR_SEC_BLOCK;
3774 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
3775 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
3776 rsp.result = cpu_to_le16(result);
3777 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
3778 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
3779 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
3785 read_unlock(&l->lock);
3790 static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
3792 struct l2cap_conn *conn = hcon->l2cap_data;
3794 if (!conn && !(conn = l2cap_conn_add(hcon, 0)))
3797 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
3799 if (flags & ACL_START) {
3800 struct l2cap_hdr *hdr;
3804 BT_ERR("Unexpected start frame (len %d)", skb->len);
3805 kfree_skb(conn->rx_skb);
3806 conn->rx_skb = NULL;
3808 l2cap_conn_unreliable(conn, ECOMM);
3812 BT_ERR("Frame is too short (len %d)", skb->len);
3813 l2cap_conn_unreliable(conn, ECOMM);
3817 hdr = (struct l2cap_hdr *) skb->data;
3818 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
3820 if (len == skb->len) {
3821 /* Complete frame received */
3822 l2cap_recv_frame(conn, skb);
3826 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
3828 if (skb->len > len) {
3829 BT_ERR("Frame is too long (len %d, expected len %d)",
3831 l2cap_conn_unreliable(conn, ECOMM);
3835 /* Allocate skb for the complete frame (with header) */
3836 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
3840 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
3842 conn->rx_len = len - skb->len;
3844 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
3846 if (!conn->rx_len) {
3847 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
3848 l2cap_conn_unreliable(conn, ECOMM);
3852 if (skb->len > conn->rx_len) {
3853 BT_ERR("Fragment is too long (len %d, expected %d)",
3854 skb->len, conn->rx_len);
3855 kfree_skb(conn->rx_skb);
3856 conn->rx_skb = NULL;
3858 l2cap_conn_unreliable(conn, ECOMM);
3862 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
3864 conn->rx_len -= skb->len;
3866 if (!conn->rx_len) {
3867 /* Complete frame received */
3868 l2cap_recv_frame(conn, conn->rx_skb);
3869 conn->rx_skb = NULL;
3878 static ssize_t l2cap_sysfs_show(struct class *dev, char *buf)
3881 struct hlist_node *node;
3884 read_lock_bh(&l2cap_sk_list.lock);
3886 sk_for_each(sk, node, &l2cap_sk_list.head) {
3887 struct l2cap_pinfo *pi = l2cap_pi(sk);
3889 str += sprintf(str, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d\n",
3890 batostr(&bt_sk(sk)->src), batostr(&bt_sk(sk)->dst),
3891 sk->sk_state, __le16_to_cpu(pi->psm), pi->scid,
3892 pi->dcid, pi->imtu, pi->omtu, pi->sec_level);
3895 read_unlock_bh(&l2cap_sk_list.lock);
3900 static CLASS_ATTR(l2cap, S_IRUGO, l2cap_sysfs_show, NULL);
3902 static const struct proto_ops l2cap_sock_ops = {
3903 .family = PF_BLUETOOTH,
3904 .owner = THIS_MODULE,
3905 .release = l2cap_sock_release,
3906 .bind = l2cap_sock_bind,
3907 .connect = l2cap_sock_connect,
3908 .listen = l2cap_sock_listen,
3909 .accept = l2cap_sock_accept,
3910 .getname = l2cap_sock_getname,
3911 .sendmsg = l2cap_sock_sendmsg,
3912 .recvmsg = l2cap_sock_recvmsg,
3913 .poll = bt_sock_poll,
3914 .ioctl = bt_sock_ioctl,
3915 .mmap = sock_no_mmap,
3916 .socketpair = sock_no_socketpair,
3917 .shutdown = l2cap_sock_shutdown,
3918 .setsockopt = l2cap_sock_setsockopt,
3919 .getsockopt = l2cap_sock_getsockopt
3922 static struct net_proto_family l2cap_sock_family_ops = {
3923 .family = PF_BLUETOOTH,
3924 .owner = THIS_MODULE,
3925 .create = l2cap_sock_create,
3928 static struct hci_proto l2cap_hci_proto = {
3930 .id = HCI_PROTO_L2CAP,
3931 .connect_ind = l2cap_connect_ind,
3932 .connect_cfm = l2cap_connect_cfm,
3933 .disconn_ind = l2cap_disconn_ind,
3934 .disconn_cfm = l2cap_disconn_cfm,
3935 .security_cfm = l2cap_security_cfm,
3936 .recv_acldata = l2cap_recv_acldata
3939 static int __init l2cap_init(void)
3943 err = proto_register(&l2cap_proto, 0);
3947 err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
3949 BT_ERR("L2CAP socket registration failed");
3953 err = hci_register_proto(&l2cap_hci_proto);
3955 BT_ERR("L2CAP protocol registration failed");
3956 bt_sock_unregister(BTPROTO_L2CAP);
3960 if (class_create_file(bt_class, &class_attr_l2cap) < 0)
3961 BT_ERR("Failed to create L2CAP info file");
3963 BT_INFO("L2CAP ver %s", VERSION);
3964 BT_INFO("L2CAP socket layer initialized");
3969 proto_unregister(&l2cap_proto);
3973 static void __exit l2cap_exit(void)
3975 class_remove_file(bt_class, &class_attr_l2cap);
3977 if (bt_sock_unregister(BTPROTO_L2CAP) < 0)
3978 BT_ERR("L2CAP socket unregistration failed");
3980 if (hci_unregister_proto(&l2cap_hci_proto) < 0)
3981 BT_ERR("L2CAP protocol unregistration failed");
3983 proto_unregister(&l2cap_proto);
3986 void l2cap_load(void)
3988 /* Dummy function to trigger automatic L2CAP module loading by
3989 * other modules that use L2CAP sockets but don't use any other
3990 * symbols from it. */
3993 EXPORT_SYMBOL(l2cap_load);
3995 module_init(l2cap_init);
3996 module_exit(l2cap_exit);
3998 module_param(enable_ertm, bool, 0644);
3999 MODULE_PARM_DESC(enable_ertm, "Enable enhanced retransmission mode");
4001 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
4002 MODULE_DESCRIPTION("Bluetooth L2CAP ver " VERSION);
4003 MODULE_VERSION(VERSION);
4004 MODULE_LICENSE("GPL");
4005 MODULE_ALIAS("bt-proto-0");
git.openpandora.org / pandora-kernel.git / blob