aboutsummaryrefslogtreecommitdiffstats
path: root/net/bluetooth/l2cap.c
diff options
context:
space:
mode:
Diffstat (limited to 'net/bluetooth/l2cap.c')
-rw-r--r--net/bluetooth/l2cap.c1645
1 files changed, 1223 insertions, 422 deletions
diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c
index 1120cf14a548..0b54b7dd8401 100644
--- a/net/bluetooth/l2cap.c
+++ b/net/bluetooth/l2cap.c
@@ -1,6 +1,8 @@
1/* 1/*
2 BlueZ - Bluetooth protocol stack for Linux 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated 3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5 Copyright (C) 2010 Google Inc.
4 6
5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com> 7 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
6 8
@@ -40,6 +42,8 @@
40#include <linux/skbuff.h> 42#include <linux/skbuff.h>
41#include <linux/list.h> 43#include <linux/list.h>
42#include <linux/device.h> 44#include <linux/device.h>
45#include <linux/debugfs.h>
46#include <linux/seq_file.h>
43#include <linux/uaccess.h> 47#include <linux/uaccess.h>
44#include <linux/crc16.h> 48#include <linux/crc16.h>
45#include <net/sock.h> 49#include <net/sock.h>
@@ -51,27 +55,33 @@
51#include <net/bluetooth/hci_core.h> 55#include <net/bluetooth/hci_core.h>
52#include <net/bluetooth/l2cap.h> 56#include <net/bluetooth/l2cap.h>
53 57
54#define VERSION "2.14" 58#define VERSION "2.15"
55 59
56static int enable_ertm = 0; 60static int disable_ertm = 0;
57static int max_transmit = L2CAP_DEFAULT_MAX_TX;
58 61
59static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN; 62static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
60static u8 l2cap_fixed_chan[8] = { 0x02, }; 63static u8 l2cap_fixed_chan[8] = { 0x02, };
61 64
62static const struct proto_ops l2cap_sock_ops; 65static const struct proto_ops l2cap_sock_ops;
63 66
67static struct workqueue_struct *_busy_wq;
68
64static struct bt_sock_list l2cap_sk_list = { 69static struct bt_sock_list l2cap_sk_list = {
65 .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock) 70 .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
66}; 71};
67 72
73static void l2cap_busy_work(struct work_struct *work);
74
68static void __l2cap_sock_close(struct sock *sk, int reason); 75static void __l2cap_sock_close(struct sock *sk, int reason);
69static void l2cap_sock_close(struct sock *sk); 76static void l2cap_sock_close(struct sock *sk);
70static void l2cap_sock_kill(struct sock *sk); 77static void l2cap_sock_kill(struct sock *sk);
71 78
79static int l2cap_build_conf_req(struct sock *sk, void *data);
72static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, 80static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
73 u8 code, u8 ident, u16 dlen, void *data); 81 u8 code, u8 ident, u16 dlen, void *data);
74 82
83static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb);
84
75/* ---- L2CAP timers ---- */ 85/* ---- L2CAP timers ---- */
76static void l2cap_sock_timeout(unsigned long arg) 86static void l2cap_sock_timeout(unsigned long arg)
77{ 87{
@@ -217,7 +227,7 @@ static void __l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct so
217 227
218 l2cap_pi(sk)->conn = conn; 228 l2cap_pi(sk)->conn = conn;
219 229
220 if (sk->sk_type == SOCK_SEQPACKET) { 230 if (sk->sk_type == SOCK_SEQPACKET || sk->sk_type == SOCK_STREAM) {
221 /* Alloc CID for connection-oriented socket */ 231 /* Alloc CID for connection-oriented socket */
222 l2cap_pi(sk)->scid = l2cap_alloc_cid(l); 232 l2cap_pi(sk)->scid = l2cap_alloc_cid(l);
223 } else if (sk->sk_type == SOCK_DGRAM) { 233 } else if (sk->sk_type == SOCK_DGRAM) {
@@ -267,6 +277,24 @@ static void l2cap_chan_del(struct sock *sk, int err)
267 parent->sk_data_ready(parent, 0); 277 parent->sk_data_ready(parent, 0);
268 } else 278 } else
269 sk->sk_state_change(sk); 279 sk->sk_state_change(sk);
280
281 skb_queue_purge(TX_QUEUE(sk));
282
283 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM) {
284 struct srej_list *l, *tmp;
285
286 del_timer(&l2cap_pi(sk)->retrans_timer);
287 del_timer(&l2cap_pi(sk)->monitor_timer);
288 del_timer(&l2cap_pi(sk)->ack_timer);
289
290 skb_queue_purge(SREJ_QUEUE(sk));
291 skb_queue_purge(BUSY_QUEUE(sk));
292
293 list_for_each_entry_safe(l, tmp, SREJ_LIST(sk), list) {
294 list_del(&l->list);
295 kfree(l);
296 }
297 }
270} 298}
271 299
272/* Service level security */ 300/* Service level security */
@@ -323,25 +351,29 @@ static inline u8 l2cap_get_ident(struct l2cap_conn *conn)
323 return id; 351 return id;
324} 352}
325 353
326static inline int l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data) 354static inline void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
327{ 355{
328 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data); 356 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
329 357
330 BT_DBG("code 0x%2.2x", code); 358 BT_DBG("code 0x%2.2x", code);
331 359
332 if (!skb) 360 if (!skb)
333 return -ENOMEM; 361 return;
334 362
335 return hci_send_acl(conn->hcon, skb, 0); 363 hci_send_acl(conn->hcon, skb, 0);
336} 364}
337 365
338static inline int l2cap_send_sframe(struct l2cap_pinfo *pi, u16 control) 366static inline void l2cap_send_sframe(struct l2cap_pinfo *pi, u16 control)
339{ 367{
340 struct sk_buff *skb; 368 struct sk_buff *skb;
341 struct l2cap_hdr *lh; 369 struct l2cap_hdr *lh;
342 struct l2cap_conn *conn = pi->conn; 370 struct l2cap_conn *conn = pi->conn;
371 struct sock *sk = (struct sock *)pi;
343 int count, hlen = L2CAP_HDR_SIZE + 2; 372 int count, hlen = L2CAP_HDR_SIZE + 2;
344 373
374 if (sk->sk_state != BT_CONNECTED)
375 return;
376
345 if (pi->fcs == L2CAP_FCS_CRC16) 377 if (pi->fcs == L2CAP_FCS_CRC16)
346 hlen += 2; 378 hlen += 2;
347 379
@@ -350,9 +382,19 @@ static inline int l2cap_send_sframe(struct l2cap_pinfo *pi, u16 control)
350 count = min_t(unsigned int, conn->mtu, hlen); 382 count = min_t(unsigned int, conn->mtu, hlen);
351 control |= L2CAP_CTRL_FRAME_TYPE; 383 control |= L2CAP_CTRL_FRAME_TYPE;
352 384
385 if (pi->conn_state & L2CAP_CONN_SEND_FBIT) {
386 control |= L2CAP_CTRL_FINAL;
387 pi->conn_state &= ~L2CAP_CONN_SEND_FBIT;
388 }
389
390 if (pi->conn_state & L2CAP_CONN_SEND_PBIT) {
391 control |= L2CAP_CTRL_POLL;
392 pi->conn_state &= ~L2CAP_CONN_SEND_PBIT;
393 }
394
353 skb = bt_skb_alloc(count, GFP_ATOMIC); 395 skb = bt_skb_alloc(count, GFP_ATOMIC);
354 if (!skb) 396 if (!skb)
355 return -ENOMEM; 397 return;
356 398
357 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE); 399 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
358 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE); 400 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
@@ -364,19 +406,25 @@ static inline int l2cap_send_sframe(struct l2cap_pinfo *pi, u16 control)
364 put_unaligned_le16(fcs, skb_put(skb, 2)); 406 put_unaligned_le16(fcs, skb_put(skb, 2));
365 } 407 }
366 408
367 return hci_send_acl(pi->conn->hcon, skb, 0); 409 hci_send_acl(pi->conn->hcon, skb, 0);
368} 410}
369 411
370static inline int l2cap_send_rr_or_rnr(struct l2cap_pinfo *pi, u16 control) 412static inline void l2cap_send_rr_or_rnr(struct l2cap_pinfo *pi, u16 control)
371{ 413{
372 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) 414 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) {
373 control |= L2CAP_SUPER_RCV_NOT_READY; 415 control |= L2CAP_SUPER_RCV_NOT_READY;
374 else 416 pi->conn_state |= L2CAP_CONN_RNR_SENT;
417 } else
375 control |= L2CAP_SUPER_RCV_READY; 418 control |= L2CAP_SUPER_RCV_READY;
376 419
377 control |= pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT; 420 control |= pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
378 421
379 return l2cap_send_sframe(pi, control); 422 l2cap_send_sframe(pi, control);
423}
424
425static inline int __l2cap_no_conn_pending(struct sock *sk)
426{
427 return !(l2cap_pi(sk)->conf_state & L2CAP_CONF_CONNECT_PEND);
380} 428}
381 429
382static void l2cap_do_start(struct sock *sk) 430static void l2cap_do_start(struct sock *sk)
@@ -387,12 +435,13 @@ static void l2cap_do_start(struct sock *sk)
387 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)) 435 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
388 return; 436 return;
389 437
390 if (l2cap_check_security(sk)) { 438 if (l2cap_check_security(sk) && __l2cap_no_conn_pending(sk)) {
391 struct l2cap_conn_req req; 439 struct l2cap_conn_req req;
392 req.scid = cpu_to_le16(l2cap_pi(sk)->scid); 440 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
393 req.psm = l2cap_pi(sk)->psm; 441 req.psm = l2cap_pi(sk)->psm;
394 442
395 l2cap_pi(sk)->ident = l2cap_get_ident(conn); 443 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
444 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
396 445
397 l2cap_send_cmd(conn, l2cap_pi(sk)->ident, 446 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
398 L2CAP_CONN_REQ, sizeof(req), &req); 447 L2CAP_CONN_REQ, sizeof(req), &req);
@@ -412,47 +461,101 @@ static void l2cap_do_start(struct sock *sk)
412 } 461 }
413} 462}
414 463
415static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct sock *sk) 464static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
465{
466 u32 local_feat_mask = l2cap_feat_mask;
467 if (!disable_ertm)
468 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
469
470 switch (mode) {
471 case L2CAP_MODE_ERTM:
472 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
473 case L2CAP_MODE_STREAMING:
474 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
475 default:
476 return 0x00;
477 }
478}
479
480static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct sock *sk, int err)
416{ 481{
417 struct l2cap_disconn_req req; 482 struct l2cap_disconn_req req;
418 483
484 if (!conn)
485 return;
486
487 skb_queue_purge(TX_QUEUE(sk));
488
489 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM) {
490 del_timer(&l2cap_pi(sk)->retrans_timer);
491 del_timer(&l2cap_pi(sk)->monitor_timer);
492 del_timer(&l2cap_pi(sk)->ack_timer);
493 }
494
419 req.dcid = cpu_to_le16(l2cap_pi(sk)->dcid); 495 req.dcid = cpu_to_le16(l2cap_pi(sk)->dcid);
420 req.scid = cpu_to_le16(l2cap_pi(sk)->scid); 496 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
421 l2cap_send_cmd(conn, l2cap_get_ident(conn), 497 l2cap_send_cmd(conn, l2cap_get_ident(conn),
422 L2CAP_DISCONN_REQ, sizeof(req), &req); 498 L2CAP_DISCONN_REQ, sizeof(req), &req);
499
500 sk->sk_state = BT_DISCONN;
501 sk->sk_err = err;
423} 502}
424 503
425/* ---- L2CAP connections ---- */ 504/* ---- L2CAP connections ---- */
426static void l2cap_conn_start(struct l2cap_conn *conn) 505static void l2cap_conn_start(struct l2cap_conn *conn)
427{ 506{
428 struct l2cap_chan_list *l = &conn->chan_list; 507 struct l2cap_chan_list *l = &conn->chan_list;
508 struct sock_del_list del, *tmp1, *tmp2;
429 struct sock *sk; 509 struct sock *sk;
430 510
431 BT_DBG("conn %p", conn); 511 BT_DBG("conn %p", conn);
432 512
513 INIT_LIST_HEAD(&del.list);
514
433 read_lock(&l->lock); 515 read_lock(&l->lock);
434 516
435 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) { 517 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
436 bh_lock_sock(sk); 518 bh_lock_sock(sk);
437 519
438 if (sk->sk_type != SOCK_SEQPACKET) { 520 if (sk->sk_type != SOCK_SEQPACKET &&
521 sk->sk_type != SOCK_STREAM) {
439 bh_unlock_sock(sk); 522 bh_unlock_sock(sk);
440 continue; 523 continue;
441 } 524 }
442 525
443 if (sk->sk_state == BT_CONNECT) { 526 if (sk->sk_state == BT_CONNECT) {
444 if (l2cap_check_security(sk)) { 527 struct l2cap_conn_req req;
445 struct l2cap_conn_req req;
446 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
447 req.psm = l2cap_pi(sk)->psm;
448 528
449 l2cap_pi(sk)->ident = l2cap_get_ident(conn); 529 if (!l2cap_check_security(sk) ||
530 !__l2cap_no_conn_pending(sk)) {
531 bh_unlock_sock(sk);
532 continue;
533 }
450 534
451 l2cap_send_cmd(conn, l2cap_pi(sk)->ident, 535 if (!l2cap_mode_supported(l2cap_pi(sk)->mode,
452 L2CAP_CONN_REQ, sizeof(req), &req); 536 conn->feat_mask)
537 && l2cap_pi(sk)->conf_state &
538 L2CAP_CONF_STATE2_DEVICE) {
539 tmp1 = kzalloc(sizeof(struct sock_del_list),
540 GFP_ATOMIC);
541 tmp1->sk = sk;
542 list_add_tail(&tmp1->list, &del.list);
543 bh_unlock_sock(sk);
544 continue;
453 } 545 }
546
547 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
548 req.psm = l2cap_pi(sk)->psm;
549
550 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
551 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
552
553 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
554 L2CAP_CONN_REQ, sizeof(req), &req);
555
454 } else if (sk->sk_state == BT_CONNECT2) { 556 } else if (sk->sk_state == BT_CONNECT2) {
455 struct l2cap_conn_rsp rsp; 557 struct l2cap_conn_rsp rsp;
558 char buf[128];
456 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid); 559 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
457 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid); 560 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
458 561
@@ -475,12 +578,31 @@ static void l2cap_conn_start(struct l2cap_conn *conn)
475 578
476 l2cap_send_cmd(conn, l2cap_pi(sk)->ident, 579 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
477 L2CAP_CONN_RSP, sizeof(rsp), &rsp); 580 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
581
582 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT ||
583 rsp.result != L2CAP_CR_SUCCESS) {
584 bh_unlock_sock(sk);
585 continue;
586 }
587
588 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
589 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
590 l2cap_build_conf_req(sk, buf), buf);
591 l2cap_pi(sk)->num_conf_req++;
478 } 592 }
479 593
480 bh_unlock_sock(sk); 594 bh_unlock_sock(sk);
481 } 595 }
482 596
483 read_unlock(&l->lock); 597 read_unlock(&l->lock);
598
599 list_for_each_entry_safe(tmp1, tmp2, &del.list, list) {
600 bh_lock_sock(tmp1->sk);
601 __l2cap_sock_close(tmp1->sk, ECONNRESET);
602 bh_unlock_sock(tmp1->sk);
603 list_del(&tmp1->list);
604 kfree(tmp1);
605 }
484} 606}
485 607
486static void l2cap_conn_ready(struct l2cap_conn *conn) 608static void l2cap_conn_ready(struct l2cap_conn *conn)
@@ -495,7 +617,8 @@ static void l2cap_conn_ready(struct l2cap_conn *conn)
495 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) { 617 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
496 bh_lock_sock(sk); 618 bh_lock_sock(sk);
497 619
498 if (sk->sk_type != SOCK_SEQPACKET) { 620 if (sk->sk_type != SOCK_SEQPACKET &&
621 sk->sk_type != SOCK_STREAM) {
499 l2cap_sock_clear_timer(sk); 622 l2cap_sock_clear_timer(sk);
500 sk->sk_state = BT_CONNECTED; 623 sk->sk_state = BT_CONNECTED;
501 sk->sk_state_change(sk); 624 sk->sk_state_change(sk);
@@ -704,18 +827,19 @@ static void __l2cap_sock_close(struct sock *sk, int reason)
704 827
705 case BT_CONNECTED: 828 case BT_CONNECTED:
706 case BT_CONFIG: 829 case BT_CONFIG:
707 if (sk->sk_type == SOCK_SEQPACKET) { 830 if (sk->sk_type == SOCK_SEQPACKET ||
831 sk->sk_type == SOCK_STREAM) {
708 struct l2cap_conn *conn = l2cap_pi(sk)->conn; 832 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
709 833
710 sk->sk_state = BT_DISCONN;
711 l2cap_sock_set_timer(sk, sk->sk_sndtimeo); 834 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
712 l2cap_send_disconn_req(conn, sk); 835 l2cap_send_disconn_req(conn, sk, reason);
713 } else 836 } else
714 l2cap_chan_del(sk, reason); 837 l2cap_chan_del(sk, reason);
715 break; 838 break;
716 839
717 case BT_CONNECT2: 840 case BT_CONNECT2:
718 if (sk->sk_type == SOCK_SEQPACKET) { 841 if (sk->sk_type == SOCK_SEQPACKET ||
842 sk->sk_type == SOCK_STREAM) {
719 struct l2cap_conn *conn = l2cap_pi(sk)->conn; 843 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
720 struct l2cap_conn_rsp rsp; 844 struct l2cap_conn_rsp rsp;
721 __u16 result; 845 __u16 result;
@@ -768,16 +892,26 @@ static void l2cap_sock_init(struct sock *sk, struct sock *parent)
768 892
769 pi->imtu = l2cap_pi(parent)->imtu; 893 pi->imtu = l2cap_pi(parent)->imtu;
770 pi->omtu = l2cap_pi(parent)->omtu; 894 pi->omtu = l2cap_pi(parent)->omtu;
895 pi->conf_state = l2cap_pi(parent)->conf_state;
771 pi->mode = l2cap_pi(parent)->mode; 896 pi->mode = l2cap_pi(parent)->mode;
772 pi->fcs = l2cap_pi(parent)->fcs; 897 pi->fcs = l2cap_pi(parent)->fcs;
898 pi->max_tx = l2cap_pi(parent)->max_tx;
899 pi->tx_win = l2cap_pi(parent)->tx_win;
773 pi->sec_level = l2cap_pi(parent)->sec_level; 900 pi->sec_level = l2cap_pi(parent)->sec_level;
774 pi->role_switch = l2cap_pi(parent)->role_switch; 901 pi->role_switch = l2cap_pi(parent)->role_switch;
775 pi->force_reliable = l2cap_pi(parent)->force_reliable; 902 pi->force_reliable = l2cap_pi(parent)->force_reliable;
776 } else { 903 } else {
777 pi->imtu = L2CAP_DEFAULT_MTU; 904 pi->imtu = L2CAP_DEFAULT_MTU;
778 pi->omtu = 0; 905 pi->omtu = 0;
779 pi->mode = L2CAP_MODE_BASIC; 906 if (!disable_ertm && sk->sk_type == SOCK_STREAM) {
907 pi->mode = L2CAP_MODE_ERTM;
908 pi->conf_state |= L2CAP_CONF_STATE2_DEVICE;
909 } else {
910 pi->mode = L2CAP_MODE_BASIC;
911 }
912 pi->max_tx = L2CAP_DEFAULT_MAX_TX;
780 pi->fcs = L2CAP_FCS_CRC16; 913 pi->fcs = L2CAP_FCS_CRC16;
914 pi->tx_win = L2CAP_DEFAULT_TX_WINDOW;
781 pi->sec_level = BT_SECURITY_LOW; 915 pi->sec_level = BT_SECURITY_LOW;
782 pi->role_switch = 0; 916 pi->role_switch = 0;
783 pi->force_reliable = 0; 917 pi->force_reliable = 0;
@@ -788,6 +922,7 @@ static void l2cap_sock_init(struct sock *sk, struct sock *parent)
788 pi->flush_to = L2CAP_DEFAULT_FLUSH_TO; 922 pi->flush_to = L2CAP_DEFAULT_FLUSH_TO;
789 skb_queue_head_init(TX_QUEUE(sk)); 923 skb_queue_head_init(TX_QUEUE(sk));
790 skb_queue_head_init(SREJ_QUEUE(sk)); 924 skb_queue_head_init(SREJ_QUEUE(sk));
925 skb_queue_head_init(BUSY_QUEUE(sk));
791 INIT_LIST_HEAD(SREJ_LIST(sk)); 926 INIT_LIST_HEAD(SREJ_LIST(sk));
792} 927}
793 928
@@ -831,7 +966,7 @@ static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
831 966
832 sock->state = SS_UNCONNECTED; 967 sock->state = SS_UNCONNECTED;
833 968
834 if (sock->type != SOCK_SEQPACKET && 969 if (sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM &&
835 sock->type != SOCK_DGRAM && sock->type != SOCK_RAW) 970 sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
836 return -ESOCKTNOSUPPORT; 971 return -ESOCKTNOSUPPORT;
837 972
@@ -979,7 +1114,8 @@ static int l2cap_do_connect(struct sock *sk)
979 l2cap_sock_set_timer(sk, sk->sk_sndtimeo); 1114 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
980 1115
981 if (hcon->state == BT_CONNECTED) { 1116 if (hcon->state == BT_CONNECTED) {
982 if (sk->sk_type != SOCK_SEQPACKET) { 1117 if (sk->sk_type != SOCK_SEQPACKET &&
1118 sk->sk_type != SOCK_STREAM) {
983 l2cap_sock_clear_timer(sk); 1119 l2cap_sock_clear_timer(sk);
984 sk->sk_state = BT_CONNECTED; 1120 sk->sk_state = BT_CONNECTED;
985 } else 1121 } else
@@ -1000,7 +1136,8 @@ static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, int al
1000 1136
1001 BT_DBG("sk %p", sk); 1137 BT_DBG("sk %p", sk);
1002 1138
1003 if (!addr || addr->sa_family != AF_BLUETOOTH) 1139 if (!addr || alen < sizeof(addr->sa_family) ||
1140 addr->sa_family != AF_BLUETOOTH)
1004 return -EINVAL; 1141 return -EINVAL;
1005 1142
1006 memset(&la, 0, sizeof(la)); 1143 memset(&la, 0, sizeof(la));
@@ -1012,7 +1149,8 @@ static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, int al
1012 1149
1013 lock_sock(sk); 1150 lock_sock(sk);
1014 1151
1015 if (sk->sk_type == SOCK_SEQPACKET && !la.l2_psm) { 1152 if ((sk->sk_type == SOCK_SEQPACKET || sk->sk_type == SOCK_STREAM)
1153 && !la.l2_psm) {
1016 err = -EINVAL; 1154 err = -EINVAL;
1017 goto done; 1155 goto done;
1018 } 1156 }
@@ -1022,7 +1160,7 @@ static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, int al
1022 break; 1160 break;
1023 case L2CAP_MODE_ERTM: 1161 case L2CAP_MODE_ERTM:
1024 case L2CAP_MODE_STREAMING: 1162 case L2CAP_MODE_STREAMING:
1025 if (enable_ertm) 1163 if (!disable_ertm)
1026 break; 1164 break;
1027 /* fall through */ 1165 /* fall through */
1028 default: 1166 default:
@@ -1039,6 +1177,7 @@ static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, int al
1039 1177
1040 case BT_CONNECTED: 1178 case BT_CONNECTED:
1041 /* Already connected */ 1179 /* Already connected */
1180 err = -EISCONN;
1042 goto done; 1181 goto done;
1043 1182
1044 case BT_OPEN: 1183 case BT_OPEN:
@@ -1076,7 +1215,8 @@ static int l2cap_sock_listen(struct socket *sock, int backlog)
1076 1215
1077 lock_sock(sk); 1216 lock_sock(sk);
1078 1217
1079 if (sk->sk_state != BT_BOUND || sock->type != SOCK_SEQPACKET) { 1218 if ((sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM)
1219 || sk->sk_state != BT_BOUND) {
1080 err = -EBADFD; 1220 err = -EBADFD;
1081 goto done; 1221 goto done;
1082 } 1222 }
@@ -1086,7 +1226,7 @@ static int l2cap_sock_listen(struct socket *sock, int backlog)
1086 break; 1226 break;
1087 case L2CAP_MODE_ERTM: 1227 case L2CAP_MODE_ERTM:
1088 case L2CAP_MODE_STREAMING: 1228 case L2CAP_MODE_STREAMING:
1089 if (enable_ertm) 1229 if (!disable_ertm)
1090 break; 1230 break;
1091 /* fall through */ 1231 /* fall through */
1092 default: 1232 default:
@@ -1144,7 +1284,7 @@ static int l2cap_sock_accept(struct socket *sock, struct socket *newsock, int fl
1144 BT_DBG("sk %p timeo %ld", sk, timeo); 1284 BT_DBG("sk %p timeo %ld", sk, timeo);
1145 1285
1146 /* Wait for an incoming connection. (wake-one). */ 1286 /* Wait for an incoming connection. (wake-one). */
1147 add_wait_queue_exclusive(sk->sk_sleep, &wait); 1287 add_wait_queue_exclusive(sk_sleep(sk), &wait);
1148 while (!(nsk = bt_accept_dequeue(sk, newsock))) { 1288 while (!(nsk = bt_accept_dequeue(sk, newsock))) {
1149 set_current_state(TASK_INTERRUPTIBLE); 1289 set_current_state(TASK_INTERRUPTIBLE);
1150 if (!timeo) { 1290 if (!timeo) {
@@ -1167,7 +1307,7 @@ static int l2cap_sock_accept(struct socket *sock, struct socket *newsock, int fl
1167 } 1307 }
1168 } 1308 }
1169 set_current_state(TASK_RUNNING); 1309 set_current_state(TASK_RUNNING);
1170 remove_wait_queue(sk->sk_sleep, &wait); 1310 remove_wait_queue(sk_sleep(sk), &wait);
1171 1311
1172 if (err) 1312 if (err)
1173 goto done; 1313 goto done;
@@ -1204,14 +1344,46 @@ static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr, int *l
1204 return 0; 1344 return 0;
1205} 1345}
1206 1346
1347static int __l2cap_wait_ack(struct sock *sk)
1348{
1349 DECLARE_WAITQUEUE(wait, current);
1350 int err = 0;
1351 int timeo = HZ/5;
1352
1353 add_wait_queue(sk_sleep(sk), &wait);
1354 while ((l2cap_pi(sk)->unacked_frames > 0 && l2cap_pi(sk)->conn)) {
1355 set_current_state(TASK_INTERRUPTIBLE);
1356
1357 if (!timeo)
1358 timeo = HZ/5;
1359
1360 if (signal_pending(current)) {
1361 err = sock_intr_errno(timeo);
1362 break;
1363 }
1364
1365 release_sock(sk);
1366 timeo = schedule_timeout(timeo);
1367 lock_sock(sk);
1368
1369 err = sock_error(sk);
1370 if (err)
1371 break;
1372 }
1373 set_current_state(TASK_RUNNING);
1374 remove_wait_queue(sk_sleep(sk), &wait);
1375 return err;
1376}
1377
1207static void l2cap_monitor_timeout(unsigned long arg) 1378static void l2cap_monitor_timeout(unsigned long arg)
1208{ 1379{
1209 struct sock *sk = (void *) arg; 1380 struct sock *sk = (void *) arg;
1210 u16 control; 1381
1382 BT_DBG("sk %p", sk);
1211 1383
1212 bh_lock_sock(sk); 1384 bh_lock_sock(sk);
1213 if (l2cap_pi(sk)->retry_count >= l2cap_pi(sk)->remote_max_tx) { 1385 if (l2cap_pi(sk)->retry_count >= l2cap_pi(sk)->remote_max_tx) {
1214 l2cap_send_disconn_req(l2cap_pi(sk)->conn, sk); 1386 l2cap_send_disconn_req(l2cap_pi(sk)->conn, sk, ECONNABORTED);
1215 bh_unlock_sock(sk); 1387 bh_unlock_sock(sk);
1216 return; 1388 return;
1217 } 1389 }
@@ -1219,15 +1391,15 @@ static void l2cap_monitor_timeout(unsigned long arg)
1219 l2cap_pi(sk)->retry_count++; 1391 l2cap_pi(sk)->retry_count++;
1220 __mod_monitor_timer(); 1392 __mod_monitor_timer();
1221 1393
1222 control = L2CAP_CTRL_POLL; 1394 l2cap_send_rr_or_rnr(l2cap_pi(sk), L2CAP_CTRL_POLL);
1223 l2cap_send_rr_or_rnr(l2cap_pi(sk), control);
1224 bh_unlock_sock(sk); 1395 bh_unlock_sock(sk);
1225} 1396}
1226 1397
1227static void l2cap_retrans_timeout(unsigned long arg) 1398static void l2cap_retrans_timeout(unsigned long arg)
1228{ 1399{
1229 struct sock *sk = (void *) arg; 1400 struct sock *sk = (void *) arg;
1230 u16 control; 1401
1402 BT_DBG("sk %p", sk);
1231 1403
1232 bh_lock_sock(sk); 1404 bh_lock_sock(sk);
1233 l2cap_pi(sk)->retry_count = 1; 1405 l2cap_pi(sk)->retry_count = 1;
@@ -1235,8 +1407,7 @@ static void l2cap_retrans_timeout(unsigned long arg)
1235 1407
1236 l2cap_pi(sk)->conn_state |= L2CAP_CONN_WAIT_F; 1408 l2cap_pi(sk)->conn_state |= L2CAP_CONN_WAIT_F;
1237 1409
1238 control = L2CAP_CTRL_POLL; 1410 l2cap_send_rr_or_rnr(l2cap_pi(sk), L2CAP_CTRL_POLL);
1239 l2cap_send_rr_or_rnr(l2cap_pi(sk), control);
1240 bh_unlock_sock(sk); 1411 bh_unlock_sock(sk);
1241} 1412}
1242 1413
@@ -1244,7 +1415,8 @@ static void l2cap_drop_acked_frames(struct sock *sk)
1244{ 1415{
1245 struct sk_buff *skb; 1416 struct sk_buff *skb;
1246 1417
1247 while ((skb = skb_peek(TX_QUEUE(sk)))) { 1418 while ((skb = skb_peek(TX_QUEUE(sk))) &&
1419 l2cap_pi(sk)->unacked_frames) {
1248 if (bt_cb(skb)->tx_seq == l2cap_pi(sk)->expected_ack_seq) 1420 if (bt_cb(skb)->tx_seq == l2cap_pi(sk)->expected_ack_seq)
1249 break; 1421 break;
1250 1422
@@ -1256,104 +1428,84 @@ static void l2cap_drop_acked_frames(struct sock *sk)
1256 1428
1257 if (!l2cap_pi(sk)->unacked_frames) 1429 if (!l2cap_pi(sk)->unacked_frames)
1258 del_timer(&l2cap_pi(sk)->retrans_timer); 1430 del_timer(&l2cap_pi(sk)->retrans_timer);
1259
1260 return;
1261} 1431}
1262 1432
1263static inline int l2cap_do_send(struct sock *sk, struct sk_buff *skb) 1433static inline void l2cap_do_send(struct sock *sk, struct sk_buff *skb)
1264{ 1434{
1265 struct l2cap_pinfo *pi = l2cap_pi(sk); 1435 struct l2cap_pinfo *pi = l2cap_pi(sk);
1266 int err;
1267 1436
1268 BT_DBG("sk %p, skb %p len %d", sk, skb, skb->len); 1437 BT_DBG("sk %p, skb %p len %d", sk, skb, skb->len);
1269 1438
1270 err = hci_send_acl(pi->conn->hcon, skb, 0); 1439 hci_send_acl(pi->conn->hcon, skb, 0);
1271 if (err < 0)
1272 kfree_skb(skb);
1273
1274 return err;
1275} 1440}
1276 1441
1277static int l2cap_streaming_send(struct sock *sk) 1442static void l2cap_streaming_send(struct sock *sk)
1278{ 1443{
1279 struct sk_buff *skb, *tx_skb; 1444 struct sk_buff *skb;
1280 struct l2cap_pinfo *pi = l2cap_pi(sk); 1445 struct l2cap_pinfo *pi = l2cap_pi(sk);
1281 u16 control, fcs; 1446 u16 control, fcs;
1282 int err;
1283
1284 while ((skb = sk->sk_send_head)) {
1285 tx_skb = skb_clone(skb, GFP_ATOMIC);
1286 1447
1287 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE); 1448 while ((skb = skb_dequeue(TX_QUEUE(sk)))) {
1449 control = get_unaligned_le16(skb->data + L2CAP_HDR_SIZE);
1288 control |= pi->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT; 1450 control |= pi->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT;
1289 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE); 1451 put_unaligned_le16(control, skb->data + L2CAP_HDR_SIZE);
1290 1452
1291 if (l2cap_pi(sk)->fcs == L2CAP_FCS_CRC16) { 1453 if (pi->fcs == L2CAP_FCS_CRC16) {
1292 fcs = crc16(0, (u8 *)tx_skb->data, tx_skb->len - 2); 1454 fcs = crc16(0, (u8 *)skb->data, skb->len - 2);
1293 put_unaligned_le16(fcs, tx_skb->data + tx_skb->len - 2); 1455 put_unaligned_le16(fcs, skb->data + skb->len - 2);
1294 } 1456 }
1295 1457
1296 err = l2cap_do_send(sk, tx_skb); 1458 l2cap_do_send(sk, skb);
1297 if (err < 0) {
1298 l2cap_send_disconn_req(pi->conn, sk);
1299 return err;
1300 }
1301 1459
1302 pi->next_tx_seq = (pi->next_tx_seq + 1) % 64; 1460 pi->next_tx_seq = (pi->next_tx_seq + 1) % 64;
1303
1304 if (skb_queue_is_last(TX_QUEUE(sk), skb))
1305 sk->sk_send_head = NULL;
1306 else
1307 sk->sk_send_head = skb_queue_next(TX_QUEUE(sk), skb);
1308
1309 skb = skb_dequeue(TX_QUEUE(sk));
1310 kfree_skb(skb);
1311 } 1461 }
1312 return 0;
1313} 1462}
1314 1463
1315static int l2cap_retransmit_frame(struct sock *sk, u8 tx_seq) 1464static void l2cap_retransmit_one_frame(struct sock *sk, u8 tx_seq)
1316{ 1465{
1317 struct l2cap_pinfo *pi = l2cap_pi(sk); 1466 struct l2cap_pinfo *pi = l2cap_pi(sk);
1318 struct sk_buff *skb, *tx_skb; 1467 struct sk_buff *skb, *tx_skb;
1319 u16 control, fcs; 1468 u16 control, fcs;
1320 int err;
1321 1469
1322 skb = skb_peek(TX_QUEUE(sk)); 1470 skb = skb_peek(TX_QUEUE(sk));
1323 do { 1471 if (!skb)
1324 if (bt_cb(skb)->tx_seq != tx_seq) { 1472 return;
1325 if (skb_queue_is_last(TX_QUEUE(sk), skb))
1326 break;
1327 skb = skb_queue_next(TX_QUEUE(sk), skb);
1328 continue;
1329 }
1330 1473
1331 if (pi->remote_max_tx && 1474 do {
1332 bt_cb(skb)->retries == pi->remote_max_tx) { 1475 if (bt_cb(skb)->tx_seq == tx_seq)
1333 l2cap_send_disconn_req(pi->conn, sk);
1334 break; 1476 break;
1335 }
1336 1477
1337 tx_skb = skb_clone(skb, GFP_ATOMIC); 1478 if (skb_queue_is_last(TX_QUEUE(sk), skb))
1338 bt_cb(skb)->retries++; 1479 return;
1339 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
1340 control |= (pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1341 | (tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
1342 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1343 1480
1344 if (l2cap_pi(sk)->fcs == L2CAP_FCS_CRC16) { 1481 } while ((skb = skb_queue_next(TX_QUEUE(sk), skb)));
1345 fcs = crc16(0, (u8 *)tx_skb->data, tx_skb->len - 2);
1346 put_unaligned_le16(fcs, tx_skb->data + tx_skb->len - 2);
1347 }
1348 1482
1349 err = l2cap_do_send(sk, tx_skb); 1483 if (pi->remote_max_tx &&
1350 if (err < 0) { 1484 bt_cb(skb)->retries == pi->remote_max_tx) {
1351 l2cap_send_disconn_req(pi->conn, sk); 1485 l2cap_send_disconn_req(pi->conn, sk, ECONNABORTED);
1352 return err; 1486 return;
1353 } 1487 }
1354 break; 1488
1355 } while(1); 1489 tx_skb = skb_clone(skb, GFP_ATOMIC);
1356 return 0; 1490 bt_cb(skb)->retries++;
1491 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
1492
1493 if (pi->conn_state & L2CAP_CONN_SEND_FBIT) {
1494 control |= L2CAP_CTRL_FINAL;
1495 pi->conn_state &= ~L2CAP_CONN_SEND_FBIT;
1496 }
1497
1498 control |= (pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1499 | (tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
1500
1501 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1502
1503 if (pi->fcs == L2CAP_FCS_CRC16) {
1504 fcs = crc16(0, (u8 *)tx_skb->data, tx_skb->len - 2);
1505 put_unaligned_le16(fcs, tx_skb->data + tx_skb->len - 2);
1506 }
1507
1508 l2cap_do_send(sk, tx_skb);
1357} 1509}
1358 1510
1359static int l2cap_ertm_send(struct sock *sk) 1511static int l2cap_ertm_send(struct sock *sk)
@@ -1361,53 +1513,107 @@ static int l2cap_ertm_send(struct sock *sk)
1361 struct sk_buff *skb, *tx_skb; 1513 struct sk_buff *skb, *tx_skb;
1362 struct l2cap_pinfo *pi = l2cap_pi(sk); 1514 struct l2cap_pinfo *pi = l2cap_pi(sk);
1363 u16 control, fcs; 1515 u16 control, fcs;
1364 int err; 1516 int nsent = 0;
1365 1517
1366 if (pi->conn_state & L2CAP_CONN_WAIT_F) 1518 if (sk->sk_state != BT_CONNECTED)
1367 return 0; 1519 return -ENOTCONN;
1368 1520
1369 while ((skb = sk->sk_send_head) && (!l2cap_tx_window_full(sk)) && 1521 while ((skb = sk->sk_send_head) && (!l2cap_tx_window_full(sk))) {
1370 !(pi->conn_state & L2CAP_CONN_REMOTE_BUSY)) {
1371 tx_skb = skb_clone(skb, GFP_ATOMIC);
1372 1522
1373 if (pi->remote_max_tx && 1523 if (pi->remote_max_tx &&
1374 bt_cb(skb)->retries == pi->remote_max_tx) { 1524 bt_cb(skb)->retries == pi->remote_max_tx) {
1375 l2cap_send_disconn_req(pi->conn, sk); 1525 l2cap_send_disconn_req(pi->conn, sk, ECONNABORTED);
1376 break; 1526 break;
1377 } 1527 }
1378 1528
1529 tx_skb = skb_clone(skb, GFP_ATOMIC);
1530
1379 bt_cb(skb)->retries++; 1531 bt_cb(skb)->retries++;
1380 1532
1381 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE); 1533 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
1534 control &= L2CAP_CTRL_SAR;
1535
1536 if (pi->conn_state & L2CAP_CONN_SEND_FBIT) {
1537 control |= L2CAP_CTRL_FINAL;
1538 pi->conn_state &= ~L2CAP_CONN_SEND_FBIT;
1539 }
1382 control |= (pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT) 1540 control |= (pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1383 | (pi->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT); 1541 | (pi->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
1384 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE); 1542 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1385 1543
1386 1544
1387 if (l2cap_pi(sk)->fcs == L2CAP_FCS_CRC16) { 1545 if (pi->fcs == L2CAP_FCS_CRC16) {
1388 fcs = crc16(0, (u8 *)skb->data, tx_skb->len - 2); 1546 fcs = crc16(0, (u8 *)skb->data, tx_skb->len - 2);
1389 put_unaligned_le16(fcs, skb->data + tx_skb->len - 2); 1547 put_unaligned_le16(fcs, skb->data + tx_skb->len - 2);
1390 } 1548 }
1391 1549
1392 err = l2cap_do_send(sk, tx_skb); 1550 l2cap_do_send(sk, tx_skb);
1393 if (err < 0) { 1551
1394 l2cap_send_disconn_req(pi->conn, sk);
1395 return err;
1396 }
1397 __mod_retrans_timer(); 1552 __mod_retrans_timer();
1398 1553
1399 bt_cb(skb)->tx_seq = pi->next_tx_seq; 1554 bt_cb(skb)->tx_seq = pi->next_tx_seq;
1400 pi->next_tx_seq = (pi->next_tx_seq + 1) % 64; 1555 pi->next_tx_seq = (pi->next_tx_seq + 1) % 64;
1401 1556
1402 pi->unacked_frames++; 1557 pi->unacked_frames++;
1558 pi->frames_sent++;
1403 1559
1404 if (skb_queue_is_last(TX_QUEUE(sk), skb)) 1560 if (skb_queue_is_last(TX_QUEUE(sk), skb))
1405 sk->sk_send_head = NULL; 1561 sk->sk_send_head = NULL;
1406 else 1562 else
1407 sk->sk_send_head = skb_queue_next(TX_QUEUE(sk), skb); 1563 sk->sk_send_head = skb_queue_next(TX_QUEUE(sk), skb);
1564
1565 nsent++;
1408 } 1566 }
1409 1567
1410 return 0; 1568 return nsent;
1569}
1570
1571static int l2cap_retransmit_frames(struct sock *sk)
1572{
1573 struct l2cap_pinfo *pi = l2cap_pi(sk);
1574 int ret;
1575
1576 if (!skb_queue_empty(TX_QUEUE(sk)))
1577 sk->sk_send_head = TX_QUEUE(sk)->next;
1578
1579 pi->next_tx_seq = pi->expected_ack_seq;
1580 ret = l2cap_ertm_send(sk);
1581 return ret;
1582}
1583
1584static void l2cap_send_ack(struct l2cap_pinfo *pi)
1585{
1586 struct sock *sk = (struct sock *)pi;
1587 u16 control = 0;
1588
1589 control |= pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1590
1591 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) {
1592 control |= L2CAP_SUPER_RCV_NOT_READY;
1593 pi->conn_state |= L2CAP_CONN_RNR_SENT;
1594 l2cap_send_sframe(pi, control);
1595 return;
1596 }
1597
1598 if (l2cap_ertm_send(sk) > 0)
1599 return;
1600
1601 control |= L2CAP_SUPER_RCV_READY;
1602 l2cap_send_sframe(pi, control);
1603}
1604
1605static void l2cap_send_srejtail(struct sock *sk)
1606{
1607 struct srej_list *tail;
1608 u16 control;
1609
1610 control = L2CAP_SUPER_SELECT_REJECT;
1611 control |= L2CAP_CTRL_FINAL;
1612
1613 tail = list_entry(SREJ_LIST(sk)->prev, struct srej_list, list);
1614 control |= tail->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1615
1616 l2cap_send_sframe(l2cap_pi(sk), control);
1411} 1617}
1412 1618
1413static inline int l2cap_skbuff_fromiovec(struct sock *sk, struct msghdr *msg, int len, int count, struct sk_buff *skb) 1619static inline int l2cap_skbuff_fromiovec(struct sock *sk, struct msghdr *msg, int len, int count, struct sk_buff *skb)
@@ -1416,9 +1622,8 @@ static inline int l2cap_skbuff_fromiovec(struct sock *sk, struct msghdr *msg, in
1416 struct sk_buff **frag; 1622 struct sk_buff **frag;
1417 int err, sent = 0; 1623 int err, sent = 0;
1418 1624
1419 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count)) { 1625 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1420 return -EFAULT; 1626 return -EFAULT;
1421 }
1422 1627
1423 sent += count; 1628 sent += count;
1424 len -= count; 1629 len -= count;
@@ -1509,6 +1714,9 @@ static struct sk_buff *l2cap_create_iframe_pdu(struct sock *sk, struct msghdr *m
1509 1714
1510 BT_DBG("sk %p len %d", sk, (int)len); 1715 BT_DBG("sk %p len %d", sk, (int)len);
1511 1716
1717 if (!conn)
1718 return ERR_PTR(-ENOTCONN);
1719
1512 if (sdulen) 1720 if (sdulen)
1513 hlen += 2; 1721 hlen += 2;
1514 1722
@@ -1550,25 +1758,24 @@ static inline int l2cap_sar_segment_sdu(struct sock *sk, struct msghdr *msg, siz
1550 u16 control; 1758 u16 control;
1551 size_t size = 0; 1759 size_t size = 0;
1552 1760
1553 __skb_queue_head_init(&sar_queue); 1761 skb_queue_head_init(&sar_queue);
1554 control = L2CAP_SDU_START; 1762 control = L2CAP_SDU_START;
1555 skb = l2cap_create_iframe_pdu(sk, msg, pi->max_pdu_size, control, len); 1763 skb = l2cap_create_iframe_pdu(sk, msg, pi->remote_mps, control, len);
1556 if (IS_ERR(skb)) 1764 if (IS_ERR(skb))
1557 return PTR_ERR(skb); 1765 return PTR_ERR(skb);
1558 1766
1559 __skb_queue_tail(&sar_queue, skb); 1767 __skb_queue_tail(&sar_queue, skb);
1560 len -= pi->max_pdu_size; 1768 len -= pi->remote_mps;
1561 size +=pi->max_pdu_size; 1769 size += pi->remote_mps;
1562 control = 0;
1563 1770
1564 while (len > 0) { 1771 while (len > 0) {
1565 size_t buflen; 1772 size_t buflen;
1566 1773
1567 if (len > pi->max_pdu_size) { 1774 if (len > pi->remote_mps) {
1568 control |= L2CAP_SDU_CONTINUE; 1775 control = L2CAP_SDU_CONTINUE;
1569 buflen = pi->max_pdu_size; 1776 buflen = pi->remote_mps;
1570 } else { 1777 } else {
1571 control |= L2CAP_SDU_END; 1778 control = L2CAP_SDU_END;
1572 buflen = len; 1779 buflen = len;
1573 } 1780 }
1574 1781
@@ -1581,7 +1788,6 @@ static inline int l2cap_sar_segment_sdu(struct sock *sk, struct msghdr *msg, siz
1581 __skb_queue_tail(&sar_queue, skb); 1788 __skb_queue_tail(&sar_queue, skb);
1582 len -= buflen; 1789 len -= buflen;
1583 size += buflen; 1790 size += buflen;
1584 control = 0;
1585 } 1791 }
1586 skb_queue_splice_tail(&sar_queue, TX_QUEUE(sk)); 1792 skb_queue_splice_tail(&sar_queue, TX_QUEUE(sk));
1587 if (sk->sk_send_head == NULL) 1793 if (sk->sk_send_head == NULL)
@@ -1607,11 +1813,6 @@ static int l2cap_sock_sendmsg(struct kiocb *iocb, struct socket *sock, struct ms
1607 if (msg->msg_flags & MSG_OOB) 1813 if (msg->msg_flags & MSG_OOB)
1608 return -EOPNOTSUPP; 1814 return -EOPNOTSUPP;
1609 1815
1610 /* Check outgoing MTU */
1611 if (sk->sk_type == SOCK_SEQPACKET && pi->mode == L2CAP_MODE_BASIC &&
1612 len > pi->omtu)
1613 return -EINVAL;
1614
1615 lock_sock(sk); 1816 lock_sock(sk);
1616 1817
1617 if (sk->sk_state != BT_CONNECTED) { 1818 if (sk->sk_state != BT_CONNECTED) {
@@ -1622,12 +1823,23 @@ static int l2cap_sock_sendmsg(struct kiocb *iocb, struct socket *sock, struct ms
1622 /* Connectionless channel */ 1823 /* Connectionless channel */
1623 if (sk->sk_type == SOCK_DGRAM) { 1824 if (sk->sk_type == SOCK_DGRAM) {
1624 skb = l2cap_create_connless_pdu(sk, msg, len); 1825 skb = l2cap_create_connless_pdu(sk, msg, len);
1625 err = l2cap_do_send(sk, skb); 1826 if (IS_ERR(skb)) {
1827 err = PTR_ERR(skb);
1828 } else {
1829 l2cap_do_send(sk, skb);
1830 err = len;
1831 }
1626 goto done; 1832 goto done;
1627 } 1833 }
1628 1834
1629 switch (pi->mode) { 1835 switch (pi->mode) {
1630 case L2CAP_MODE_BASIC: 1836 case L2CAP_MODE_BASIC:
1837 /* Check outgoing MTU */
1838 if (len > pi->omtu) {
1839 err = -EMSGSIZE;
1840 goto done;
1841 }
1842
1631 /* Create a basic PDU */ 1843 /* Create a basic PDU */
1632 skb = l2cap_create_basic_pdu(sk, msg, len); 1844 skb = l2cap_create_basic_pdu(sk, msg, len);
1633 if (IS_ERR(skb)) { 1845 if (IS_ERR(skb)) {
@@ -1635,15 +1847,14 @@ static int l2cap_sock_sendmsg(struct kiocb *iocb, struct socket *sock, struct ms
1635 goto done; 1847 goto done;
1636 } 1848 }
1637 1849
1638 err = l2cap_do_send(sk, skb); 1850 l2cap_do_send(sk, skb);
1639 if (!err) 1851 err = len;
1640 err = len;
1641 break; 1852 break;
1642 1853
1643 case L2CAP_MODE_ERTM: 1854 case L2CAP_MODE_ERTM:
1644 case L2CAP_MODE_STREAMING: 1855 case L2CAP_MODE_STREAMING:
1645 /* Entire SDU fits into one PDU */ 1856 /* Entire SDU fits into one PDU */
1646 if (len <= pi->max_pdu_size) { 1857 if (len <= pi->remote_mps) {
1647 control = L2CAP_SDU_UNSEGMENTED; 1858 control = L2CAP_SDU_UNSEGMENTED;
1648 skb = l2cap_create_iframe_pdu(sk, msg, len, control, 0); 1859 skb = l2cap_create_iframe_pdu(sk, msg, len, control, 0);
1649 if (IS_ERR(skb)) { 1860 if (IS_ERR(skb)) {
@@ -1651,8 +1862,10 @@ static int l2cap_sock_sendmsg(struct kiocb *iocb, struct socket *sock, struct ms
1651 goto done; 1862 goto done;
1652 } 1863 }
1653 __skb_queue_tail(TX_QUEUE(sk), skb); 1864 __skb_queue_tail(TX_QUEUE(sk), skb);
1865
1654 if (sk->sk_send_head == NULL) 1866 if (sk->sk_send_head == NULL)
1655 sk->sk_send_head = skb; 1867 sk->sk_send_head = skb;
1868
1656 } else { 1869 } else {
1657 /* Segment SDU into multiples PDUs */ 1870 /* Segment SDU into multiples PDUs */
1658 err = l2cap_sar_segment_sdu(sk, msg, len); 1871 err = l2cap_sar_segment_sdu(sk, msg, len);
@@ -1660,18 +1873,24 @@ static int l2cap_sock_sendmsg(struct kiocb *iocb, struct socket *sock, struct ms
1660 goto done; 1873 goto done;
1661 } 1874 }
1662 1875
1663 if (pi->mode == L2CAP_MODE_STREAMING) 1876 if (pi->mode == L2CAP_MODE_STREAMING) {
1664 err = l2cap_streaming_send(sk); 1877 l2cap_streaming_send(sk);
1665 else 1878 } else {
1879 if (pi->conn_state & L2CAP_CONN_REMOTE_BUSY &&
1880 pi->conn_state && L2CAP_CONN_WAIT_F) {
1881 err = len;
1882 break;
1883 }
1666 err = l2cap_ertm_send(sk); 1884 err = l2cap_ertm_send(sk);
1885 }
1667 1886
1668 if (!err) 1887 if (err >= 0)
1669 err = len; 1888 err = len;
1670 break; 1889 break;
1671 1890
1672 default: 1891 default:
1673 BT_DBG("bad state %1.1x", pi->mode); 1892 BT_DBG("bad state %1.1x", pi->mode);
1674 err = -EINVAL; 1893 err = -EBADFD;
1675 } 1894 }
1676 1895
1677done: 1896done:
@@ -1687,6 +1906,8 @@ static int l2cap_sock_recvmsg(struct kiocb *iocb, struct socket *sock, struct ms
1687 1906
1688 if (sk->sk_state == BT_CONNECT2 && bt_sk(sk)->defer_setup) { 1907 if (sk->sk_state == BT_CONNECT2 && bt_sk(sk)->defer_setup) {
1689 struct l2cap_conn_rsp rsp; 1908 struct l2cap_conn_rsp rsp;
1909 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1910 u8 buf[128];
1690 1911
1691 sk->sk_state = BT_CONFIG; 1912 sk->sk_state = BT_CONFIG;
1692 1913
@@ -1697,6 +1918,16 @@ static int l2cap_sock_recvmsg(struct kiocb *iocb, struct socket *sock, struct ms
1697 l2cap_send_cmd(l2cap_pi(sk)->conn, l2cap_pi(sk)->ident, 1918 l2cap_send_cmd(l2cap_pi(sk)->conn, l2cap_pi(sk)->ident,
1698 L2CAP_CONN_RSP, sizeof(rsp), &rsp); 1919 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
1699 1920
1921 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT) {
1922 release_sock(sk);
1923 return 0;
1924 }
1925
1926 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
1927 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
1928 l2cap_build_conf_req(sk, buf), buf);
1929 l2cap_pi(sk)->num_conf_req++;
1930
1700 release_sock(sk); 1931 release_sock(sk);
1701 return 0; 1932 return 0;
1702 } 1933 }
@@ -1719,11 +1950,18 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __us
1719 1950
1720 switch (optname) { 1951 switch (optname) {
1721 case L2CAP_OPTIONS: 1952 case L2CAP_OPTIONS:
1953 if (sk->sk_state == BT_CONNECTED) {
1954 err = -EINVAL;
1955 break;
1956 }
1957
1722 opts.imtu = l2cap_pi(sk)->imtu; 1958 opts.imtu = l2cap_pi(sk)->imtu;
1723 opts.omtu = l2cap_pi(sk)->omtu; 1959 opts.omtu = l2cap_pi(sk)->omtu;
1724 opts.flush_to = l2cap_pi(sk)->flush_to; 1960 opts.flush_to = l2cap_pi(sk)->flush_to;
1725 opts.mode = l2cap_pi(sk)->mode; 1961 opts.mode = l2cap_pi(sk)->mode;
1726 opts.fcs = l2cap_pi(sk)->fcs; 1962 opts.fcs = l2cap_pi(sk)->fcs;
1963 opts.max_tx = l2cap_pi(sk)->max_tx;
1964 opts.txwin_size = (__u16)l2cap_pi(sk)->tx_win;
1727 1965
1728 len = min_t(unsigned int, sizeof(opts), optlen); 1966 len = min_t(unsigned int, sizeof(opts), optlen);
1729 if (copy_from_user((char *) &opts, optval, len)) { 1967 if (copy_from_user((char *) &opts, optval, len)) {
@@ -1731,10 +1969,31 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __us
1731 break; 1969 break;
1732 } 1970 }
1733 1971
1972 if (opts.txwin_size > L2CAP_DEFAULT_TX_WINDOW) {
1973 err = -EINVAL;
1974 break;
1975 }
1976
1977 l2cap_pi(sk)->mode = opts.mode;
1978 switch (l2cap_pi(sk)->mode) {
1979 case L2CAP_MODE_BASIC:
1980 l2cap_pi(sk)->conf_state &= ~L2CAP_CONF_STATE2_DEVICE;
1981 break;
1982 case L2CAP_MODE_ERTM:
1983 case L2CAP_MODE_STREAMING:
1984 if (!disable_ertm)
1985 break;
1986 /* fall through */
1987 default:
1988 err = -EINVAL;
1989 break;
1990 }
1991
1734 l2cap_pi(sk)->imtu = opts.imtu; 1992 l2cap_pi(sk)->imtu = opts.imtu;
1735 l2cap_pi(sk)->omtu = opts.omtu; 1993 l2cap_pi(sk)->omtu = opts.omtu;
1736 l2cap_pi(sk)->mode = opts.mode;
1737 l2cap_pi(sk)->fcs = opts.fcs; 1994 l2cap_pi(sk)->fcs = opts.fcs;
1995 l2cap_pi(sk)->max_tx = opts.max_tx;
1996 l2cap_pi(sk)->tx_win = (__u8)opts.txwin_size;
1738 break; 1997 break;
1739 1998
1740 case L2CAP_LM: 1999 case L2CAP_LM:
@@ -1782,7 +2041,8 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, ch
1782 2041
1783 switch (optname) { 2042 switch (optname) {
1784 case BT_SECURITY: 2043 case BT_SECURITY:
1785 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_RAW) { 2044 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
2045 && sk->sk_type != SOCK_RAW) {
1786 err = -EINVAL; 2046 err = -EINVAL;
1787 break; 2047 break;
1788 } 2048 }
@@ -1849,6 +2109,8 @@ static int l2cap_sock_getsockopt_old(struct socket *sock, int optname, char __us
1849 opts.flush_to = l2cap_pi(sk)->flush_to; 2109 opts.flush_to = l2cap_pi(sk)->flush_to;
1850 opts.mode = l2cap_pi(sk)->mode; 2110 opts.mode = l2cap_pi(sk)->mode;
1851 opts.fcs = l2cap_pi(sk)->fcs; 2111 opts.fcs = l2cap_pi(sk)->fcs;
2112 opts.max_tx = l2cap_pi(sk)->max_tx;
2113 opts.txwin_size = (__u16)l2cap_pi(sk)->tx_win;
1852 2114
1853 len = min_t(unsigned int, len, sizeof(opts)); 2115 len = min_t(unsigned int, len, sizeof(opts));
1854 if (copy_to_user(optval, (char *) &opts, len)) 2116 if (copy_to_user(optval, (char *) &opts, len))
@@ -1930,7 +2192,8 @@ static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, ch
1930 2192
1931 switch (optname) { 2193 switch (optname) {
1932 case BT_SECURITY: 2194 case BT_SECURITY:
1933 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_RAW) { 2195 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
2196 && sk->sk_type != SOCK_RAW) {
1934 err = -EINVAL; 2197 err = -EINVAL;
1935 break; 2198 break;
1936 } 2199 }
@@ -1975,6 +2238,9 @@ static int l2cap_sock_shutdown(struct socket *sock, int how)
1975 2238
1976 lock_sock(sk); 2239 lock_sock(sk);
1977 if (!sk->sk_shutdown) { 2240 if (!sk->sk_shutdown) {
2241 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM)
2242 err = __l2cap_wait_ack(sk);
2243
1978 sk->sk_shutdown = SHUTDOWN_MASK; 2244 sk->sk_shutdown = SHUTDOWN_MASK;
1979 l2cap_sock_clear_timer(sk); 2245 l2cap_sock_clear_timer(sk);
1980 __l2cap_sock_close(sk, 0); 2246 __l2cap_sock_close(sk, 0);
@@ -1983,6 +2249,10 @@ static int l2cap_sock_shutdown(struct socket *sock, int how)
1983 err = bt_sock_wait_state(sk, BT_CLOSED, 2249 err = bt_sock_wait_state(sk, BT_CLOSED,
1984 sk->sk_lingertime); 2250 sk->sk_lingertime);
1985 } 2251 }
2252
2253 if (!err && sk->sk_err)
2254 err = -sk->sk_err;
2255
1986 release_sock(sk); 2256 release_sock(sk);
1987 return err; 2257 return err;
1988} 2258}
@@ -2177,35 +2447,36 @@ static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2177 *ptr += L2CAP_CONF_OPT_SIZE + len; 2447 *ptr += L2CAP_CONF_OPT_SIZE + len;
2178} 2448}
2179 2449
2450static void l2cap_ack_timeout(unsigned long arg)
2451{
2452 struct sock *sk = (void *) arg;
2453
2454 bh_lock_sock(sk);
2455 l2cap_send_ack(l2cap_pi(sk));
2456 bh_unlock_sock(sk);
2457}
2458
2180static inline void l2cap_ertm_init(struct sock *sk) 2459static inline void l2cap_ertm_init(struct sock *sk)
2181{ 2460{
2182 l2cap_pi(sk)->expected_ack_seq = 0; 2461 l2cap_pi(sk)->expected_ack_seq = 0;
2183 l2cap_pi(sk)->unacked_frames = 0; 2462 l2cap_pi(sk)->unacked_frames = 0;
2184 l2cap_pi(sk)->buffer_seq = 0; 2463 l2cap_pi(sk)->buffer_seq = 0;
2185 l2cap_pi(sk)->num_to_ack = 0; 2464 l2cap_pi(sk)->num_acked = 0;
2465 l2cap_pi(sk)->frames_sent = 0;
2186 2466
2187 setup_timer(&l2cap_pi(sk)->retrans_timer, 2467 setup_timer(&l2cap_pi(sk)->retrans_timer,
2188 l2cap_retrans_timeout, (unsigned long) sk); 2468 l2cap_retrans_timeout, (unsigned long) sk);
2189 setup_timer(&l2cap_pi(sk)->monitor_timer, 2469 setup_timer(&l2cap_pi(sk)->monitor_timer,
2190 l2cap_monitor_timeout, (unsigned long) sk); 2470 l2cap_monitor_timeout, (unsigned long) sk);
2471 setup_timer(&l2cap_pi(sk)->ack_timer,
2472 l2cap_ack_timeout, (unsigned long) sk);
2191 2473
2192 __skb_queue_head_init(SREJ_QUEUE(sk)); 2474 __skb_queue_head_init(SREJ_QUEUE(sk));
2193} 2475 __skb_queue_head_init(BUSY_QUEUE(sk));
2194 2476
2195static int l2cap_mode_supported(__u8 mode, __u32 feat_mask) 2477 INIT_WORK(&l2cap_pi(sk)->busy_work, l2cap_busy_work);
2196{
2197 u32 local_feat_mask = l2cap_feat_mask;
2198 if (enable_ertm)
2199 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
2200 2478
2201 switch (mode) { 2479 sk->sk_backlog_rcv = l2cap_ertm_data_rcv;
2202 case L2CAP_MODE_ERTM:
2203 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
2204 case L2CAP_MODE_STREAMING:
2205 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
2206 default:
2207 return 0x00;
2208 }
2209} 2480}
2210 2481
2211static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask) 2482static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
@@ -2225,7 +2496,7 @@ static int l2cap_build_conf_req(struct sock *sk, void *data)
2225{ 2496{
2226 struct l2cap_pinfo *pi = l2cap_pi(sk); 2497 struct l2cap_pinfo *pi = l2cap_pi(sk);
2227 struct l2cap_conf_req *req = data; 2498 struct l2cap_conf_req *req = data;
2228 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC }; 2499 struct l2cap_conf_rfc rfc = { .mode = pi->mode };
2229 void *ptr = req->data; 2500 void *ptr = req->data;
2230 2501
2231 BT_DBG("sk %p", sk); 2502 BT_DBG("sk %p", sk);
@@ -2236,10 +2507,10 @@ static int l2cap_build_conf_req(struct sock *sk, void *data)
2236 switch (pi->mode) { 2507 switch (pi->mode) {
2237 case L2CAP_MODE_STREAMING: 2508 case L2CAP_MODE_STREAMING:
2238 case L2CAP_MODE_ERTM: 2509 case L2CAP_MODE_ERTM:
2239 pi->conf_state |= L2CAP_CONF_STATE2_DEVICE; 2510 if (pi->conf_state & L2CAP_CONF_STATE2_DEVICE)
2240 if (!l2cap_mode_supported(pi->mode, pi->conn->feat_mask)) 2511 break;
2241 l2cap_send_disconn_req(pi->conn, sk); 2512
2242 break; 2513 /* fall through */
2243 default: 2514 default:
2244 pi->mode = l2cap_select_mode(rfc.mode, pi->conn->feat_mask); 2515 pi->mode = l2cap_select_mode(rfc.mode, pi->conn->feat_mask);
2245 break; 2516 break;
@@ -2250,18 +2521,34 @@ done:
2250 case L2CAP_MODE_BASIC: 2521 case L2CAP_MODE_BASIC:
2251 if (pi->imtu != L2CAP_DEFAULT_MTU) 2522 if (pi->imtu != L2CAP_DEFAULT_MTU)
2252 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->imtu); 2523 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->imtu);
2524
2525 if (!(pi->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2526 !(pi->conn->feat_mask & L2CAP_FEAT_STREAMING))
2527 break;
2528
2529 rfc.mode = L2CAP_MODE_BASIC;
2530 rfc.txwin_size = 0;
2531 rfc.max_transmit = 0;
2532 rfc.retrans_timeout = 0;
2533 rfc.monitor_timeout = 0;
2534 rfc.max_pdu_size = 0;
2535
2536 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2537 (unsigned long) &rfc);
2253 break; 2538 break;
2254 2539
2255 case L2CAP_MODE_ERTM: 2540 case L2CAP_MODE_ERTM:
2256 rfc.mode = L2CAP_MODE_ERTM; 2541 rfc.mode = L2CAP_MODE_ERTM;
2257 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW; 2542 rfc.txwin_size = pi->tx_win;
2258 rfc.max_transmit = max_transmit; 2543 rfc.max_transmit = pi->max_tx;
2259 rfc.retrans_timeout = 0; 2544 rfc.retrans_timeout = 0;
2260 rfc.monitor_timeout = 0; 2545 rfc.monitor_timeout = 0;
2261 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE); 2546 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
2547 if (L2CAP_DEFAULT_MAX_PDU_SIZE > pi->conn->mtu - 10)
2548 rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10);
2262 2549
2263 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, 2550 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2264 sizeof(rfc), (unsigned long) &rfc); 2551 (unsigned long) &rfc);
2265 2552
2266 if (!(pi->conn->feat_mask & L2CAP_FEAT_FCS)) 2553 if (!(pi->conn->feat_mask & L2CAP_FEAT_FCS))
2267 break; 2554 break;
@@ -2280,9 +2567,11 @@ done:
2280 rfc.retrans_timeout = 0; 2567 rfc.retrans_timeout = 0;
2281 rfc.monitor_timeout = 0; 2568 rfc.monitor_timeout = 0;
2282 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE); 2569 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
2570 if (L2CAP_DEFAULT_MAX_PDU_SIZE > pi->conn->mtu - 10)
2571 rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10);
2283 2572
2284 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, 2573 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2285 sizeof(rfc), (unsigned long) &rfc); 2574 (unsigned long) &rfc);
2286 2575
2287 if (!(pi->conn->feat_mask & L2CAP_FEAT_FCS)) 2576 if (!(pi->conn->feat_mask & L2CAP_FEAT_FCS))
2288 break; 2577 break;
@@ -2359,18 +2648,21 @@ static int l2cap_parse_conf_req(struct sock *sk, void *data)
2359 } 2648 }
2360 } 2649 }
2361 2650
2362 if (pi->num_conf_rsp || pi->num_conf_req) 2651 if (pi->num_conf_rsp || pi->num_conf_req > 1)
2363 goto done; 2652 goto done;
2364 2653
2365 switch (pi->mode) { 2654 switch (pi->mode) {
2366 case L2CAP_MODE_STREAMING: 2655 case L2CAP_MODE_STREAMING:
2367 case L2CAP_MODE_ERTM: 2656 case L2CAP_MODE_ERTM:
2368 pi->conf_state |= L2CAP_CONF_STATE2_DEVICE; 2657 if (!(pi->conf_state & L2CAP_CONF_STATE2_DEVICE)) {
2369 if (!l2cap_mode_supported(pi->mode, pi->conn->feat_mask)) 2658 pi->mode = l2cap_select_mode(rfc.mode,
2659 pi->conn->feat_mask);
2660 break;
2661 }
2662
2663 if (pi->mode != rfc.mode)
2370 return -ECONNREFUSED; 2664 return -ECONNREFUSED;
2371 break; 2665
2372 default:
2373 pi->mode = l2cap_select_mode(rfc.mode, pi->conn->feat_mask);
2374 break; 2666 break;
2375 } 2667 }
2376 2668
@@ -2408,10 +2700,16 @@ done:
2408 case L2CAP_MODE_ERTM: 2700 case L2CAP_MODE_ERTM:
2409 pi->remote_tx_win = rfc.txwin_size; 2701 pi->remote_tx_win = rfc.txwin_size;
2410 pi->remote_max_tx = rfc.max_transmit; 2702 pi->remote_max_tx = rfc.max_transmit;
2411 pi->max_pdu_size = rfc.max_pdu_size;
2412 2703
2413 rfc.retrans_timeout = L2CAP_DEFAULT_RETRANS_TO; 2704 if (le16_to_cpu(rfc.max_pdu_size) > pi->conn->mtu - 10)
2414 rfc.monitor_timeout = L2CAP_DEFAULT_MONITOR_TO; 2705 rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10);
2706
2707 pi->remote_mps = le16_to_cpu(rfc.max_pdu_size);
2708
2709 rfc.retrans_timeout =
2710 le16_to_cpu(L2CAP_DEFAULT_RETRANS_TO);
2711 rfc.monitor_timeout =
2712 le16_to_cpu(L2CAP_DEFAULT_MONITOR_TO);
2415 2713
2416 pi->conf_state |= L2CAP_CONF_MODE_DONE; 2714 pi->conf_state |= L2CAP_CONF_MODE_DONE;
2417 2715
@@ -2421,8 +2719,10 @@ done:
2421 break; 2719 break;
2422 2720
2423 case L2CAP_MODE_STREAMING: 2721 case L2CAP_MODE_STREAMING:
2424 pi->remote_tx_win = rfc.txwin_size; 2722 if (le16_to_cpu(rfc.max_pdu_size) > pi->conn->mtu - 10)
2425 pi->max_pdu_size = rfc.max_pdu_size; 2723 rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10);
2724
2725 pi->remote_mps = le16_to_cpu(rfc.max_pdu_size);
2426 2726
2427 pi->conf_state |= L2CAP_CONF_MODE_DONE; 2727 pi->conf_state |= L2CAP_CONF_MODE_DONE;
2428 2728
@@ -2466,10 +2766,10 @@ static int l2cap_parse_conf_rsp(struct sock *sk, void *rsp, int len, void *data,
2466 case L2CAP_CONF_MTU: 2766 case L2CAP_CONF_MTU:
2467 if (val < L2CAP_DEFAULT_MIN_MTU) { 2767 if (val < L2CAP_DEFAULT_MIN_MTU) {
2468 *result = L2CAP_CONF_UNACCEPT; 2768 *result = L2CAP_CONF_UNACCEPT;
2469 pi->omtu = L2CAP_DEFAULT_MIN_MTU; 2769 pi->imtu = L2CAP_DEFAULT_MIN_MTU;
2470 } else 2770 } else
2471 pi->omtu = val; 2771 pi->imtu = val;
2472 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->omtu); 2772 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->imtu);
2473 break; 2773 break;
2474 2774
2475 case L2CAP_CONF_FLUSH_TO: 2775 case L2CAP_CONF_FLUSH_TO:
@@ -2486,7 +2786,6 @@ static int l2cap_parse_conf_rsp(struct sock *sk, void *rsp, int len, void *data,
2486 rfc.mode != pi->mode) 2786 rfc.mode != pi->mode)
2487 return -ECONNREFUSED; 2787 return -ECONNREFUSED;
2488 2788
2489 pi->mode = rfc.mode;
2490 pi->fcs = 0; 2789 pi->fcs = 0;
2491 2790
2492 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, 2791 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
@@ -2495,17 +2794,20 @@ static int l2cap_parse_conf_rsp(struct sock *sk, void *rsp, int len, void *data,
2495 } 2794 }
2496 } 2795 }
2497 2796
2797 if (pi->mode == L2CAP_MODE_BASIC && pi->mode != rfc.mode)
2798 return -ECONNREFUSED;
2799
2800 pi->mode = rfc.mode;
2801
2498 if (*result == L2CAP_CONF_SUCCESS) { 2802 if (*result == L2CAP_CONF_SUCCESS) {
2499 switch (rfc.mode) { 2803 switch (rfc.mode) {
2500 case L2CAP_MODE_ERTM: 2804 case L2CAP_MODE_ERTM:
2501 pi->remote_tx_win = rfc.txwin_size; 2805 pi->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2502 pi->retrans_timeout = rfc.retrans_timeout; 2806 pi->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2503 pi->monitor_timeout = rfc.monitor_timeout; 2807 pi->mps = le16_to_cpu(rfc.max_pdu_size);
2504 pi->max_pdu_size = le16_to_cpu(rfc.max_pdu_size);
2505 break; 2808 break;
2506 case L2CAP_MODE_STREAMING: 2809 case L2CAP_MODE_STREAMING:
2507 pi->max_pdu_size = le16_to_cpu(rfc.max_pdu_size); 2810 pi->mps = le16_to_cpu(rfc.max_pdu_size);
2508 break;
2509 } 2811 }
2510 } 2812 }
2511 2813
@@ -2529,6 +2831,41 @@ static int l2cap_build_conf_rsp(struct sock *sk, void *data, u16 result, u16 fla
2529 return ptr - data; 2831 return ptr - data;
2530} 2832}
2531 2833
2834static void l2cap_conf_rfc_get(struct sock *sk, void *rsp, int len)
2835{
2836 struct l2cap_pinfo *pi = l2cap_pi(sk);
2837 int type, olen;
2838 unsigned long val;
2839 struct l2cap_conf_rfc rfc;
2840
2841 BT_DBG("sk %p, rsp %p, len %d", sk, rsp, len);
2842
2843 if ((pi->mode != L2CAP_MODE_ERTM) && (pi->mode != L2CAP_MODE_STREAMING))
2844 return;
2845
2846 while (len >= L2CAP_CONF_OPT_SIZE) {
2847 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2848
2849 switch (type) {
2850 case L2CAP_CONF_RFC:
2851 if (olen == sizeof(rfc))
2852 memcpy(&rfc, (void *)val, olen);
2853 goto done;
2854 }
2855 }
2856
2857done:
2858 switch (rfc.mode) {
2859 case L2CAP_MODE_ERTM:
2860 pi->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2861 pi->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2862 pi->mps = le16_to_cpu(rfc.max_pdu_size);
2863 break;
2864 case L2CAP_MODE_STREAMING:
2865 pi->mps = le16_to_cpu(rfc.max_pdu_size);
2866 }
2867}
2868
2532static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data) 2869static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2533{ 2870{
2534 struct l2cap_cmd_rej *rej = (struct l2cap_cmd_rej *) data; 2871 struct l2cap_cmd_rej *rej = (struct l2cap_cmd_rej *) data;
@@ -2554,7 +2891,7 @@ static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hd
2554 struct l2cap_chan_list *list = &conn->chan_list; 2891 struct l2cap_chan_list *list = &conn->chan_list;
2555 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data; 2892 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
2556 struct l2cap_conn_rsp rsp; 2893 struct l2cap_conn_rsp rsp;
2557 struct sock *sk, *parent; 2894 struct sock *parent, *uninitialized_var(sk);
2558 int result, status = L2CAP_CS_NO_INFO; 2895 int result, status = L2CAP_CS_NO_INFO;
2559 2896
2560 u16 dcid = 0, scid = __le16_to_cpu(req->scid); 2897 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
@@ -2663,6 +3000,15 @@ sendresp:
2663 L2CAP_INFO_REQ, sizeof(info), &info); 3000 L2CAP_INFO_REQ, sizeof(info), &info);
2664 } 3001 }
2665 3002
3003 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT) &&
3004 result == L2CAP_CR_SUCCESS) {
3005 u8 buf[128];
3006 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
3007 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3008 l2cap_build_conf_req(sk, buf), buf);
3009 l2cap_pi(sk)->num_conf_req++;
3010 }
3011
2666 return 0; 3012 return 0;
2667} 3013}
2668 3014
@@ -2683,11 +3029,11 @@ static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hd
2683 if (scid) { 3029 if (scid) {
2684 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid); 3030 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
2685 if (!sk) 3031 if (!sk)
2686 return 0; 3032 return -EFAULT;
2687 } else { 3033 } else {
2688 sk = l2cap_get_chan_by_ident(&conn->chan_list, cmd->ident); 3034 sk = l2cap_get_chan_by_ident(&conn->chan_list, cmd->ident);
2689 if (!sk) 3035 if (!sk)
2690 return 0; 3036 return -EFAULT;
2691 } 3037 }
2692 3038
2693 switch (result) { 3039 switch (result) {
@@ -2695,10 +3041,13 @@ static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hd
2695 sk->sk_state = BT_CONFIG; 3041 sk->sk_state = BT_CONFIG;
2696 l2cap_pi(sk)->ident = 0; 3042 l2cap_pi(sk)->ident = 0;
2697 l2cap_pi(sk)->dcid = dcid; 3043 l2cap_pi(sk)->dcid = dcid;
2698 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
2699
2700 l2cap_pi(sk)->conf_state &= ~L2CAP_CONF_CONNECT_PEND; 3044 l2cap_pi(sk)->conf_state &= ~L2CAP_CONF_CONNECT_PEND;
2701 3045
3046 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT)
3047 break;
3048
3049 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
3050
2702 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, 3051 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2703 l2cap_build_conf_req(sk, req), req); 3052 l2cap_build_conf_req(sk, req), req);
2704 l2cap_pi(sk)->num_conf_req++; 3053 l2cap_pi(sk)->num_conf_req++;
@@ -2717,6 +3066,17 @@ static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hd
2717 return 0; 3066 return 0;
2718} 3067}
2719 3068
3069static inline void set_default_fcs(struct l2cap_pinfo *pi)
3070{
3071 /* FCS is enabled only in ERTM or streaming mode, if one or both
3072 * sides request it.
3073 */
3074 if (pi->mode != L2CAP_MODE_ERTM && pi->mode != L2CAP_MODE_STREAMING)
3075 pi->fcs = L2CAP_FCS_NONE;
3076 else if (!(pi->conf_state & L2CAP_CONF_NO_FCS_RECV))
3077 pi->fcs = L2CAP_FCS_CRC16;
3078}
3079
2720static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data) 3080static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
2721{ 3081{
2722 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data; 3082 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
@@ -2761,7 +3121,7 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
2761 /* Complete config. */ 3121 /* Complete config. */
2762 len = l2cap_parse_conf_req(sk, rsp); 3122 len = l2cap_parse_conf_req(sk, rsp);
2763 if (len < 0) { 3123 if (len < 0) {
2764 l2cap_send_disconn_req(conn, sk); 3124 l2cap_send_disconn_req(conn, sk, ECONNRESET);
2765 goto unlock; 3125 goto unlock;
2766 } 3126 }
2767 3127
@@ -2775,9 +3135,7 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
2775 goto unlock; 3135 goto unlock;
2776 3136
2777 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_INPUT_DONE) { 3137 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_INPUT_DONE) {
2778 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_NO_FCS_RECV) || 3138 set_default_fcs(l2cap_pi(sk));
2779 l2cap_pi(sk)->fcs != L2CAP_FCS_NONE)
2780 l2cap_pi(sk)->fcs = L2CAP_FCS_CRC16;
2781 3139
2782 sk->sk_state = BT_CONNECTED; 3140 sk->sk_state = BT_CONNECTED;
2783 3141
@@ -2808,6 +3166,7 @@ static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr
2808 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data; 3166 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
2809 u16 scid, flags, result; 3167 u16 scid, flags, result;
2810 struct sock *sk; 3168 struct sock *sk;
3169 int len = cmd->len - sizeof(*rsp);
2811 3170
2812 scid = __le16_to_cpu(rsp->scid); 3171 scid = __le16_to_cpu(rsp->scid);
2813 flags = __le16_to_cpu(rsp->flags); 3172 flags = __le16_to_cpu(rsp->flags);
@@ -2822,19 +3181,24 @@ static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr
2822 3181
2823 switch (result) { 3182 switch (result) {
2824 case L2CAP_CONF_SUCCESS: 3183 case L2CAP_CONF_SUCCESS:
3184 l2cap_conf_rfc_get(sk, rsp->data, len);
2825 break; 3185 break;
2826 3186
2827 case L2CAP_CONF_UNACCEPT: 3187 case L2CAP_CONF_UNACCEPT:
2828 if (l2cap_pi(sk)->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) { 3188 if (l2cap_pi(sk)->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
2829 int len = cmd->len - sizeof(*rsp);
2830 char req[64]; 3189 char req[64];
2831 3190
3191 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
3192 l2cap_send_disconn_req(conn, sk, ECONNRESET);
3193 goto done;
3194 }
3195
2832 /* throw out any old stored conf requests */ 3196 /* throw out any old stored conf requests */
2833 result = L2CAP_CONF_SUCCESS; 3197 result = L2CAP_CONF_SUCCESS;
2834 len = l2cap_parse_conf_rsp(sk, rsp->data, 3198 len = l2cap_parse_conf_rsp(sk, rsp->data,
2835 len, req, &result); 3199 len, req, &result);
2836 if (len < 0) { 3200 if (len < 0) {
2837 l2cap_send_disconn_req(conn, sk); 3201 l2cap_send_disconn_req(conn, sk, ECONNRESET);
2838 goto done; 3202 goto done;
2839 } 3203 }
2840 3204
@@ -2847,10 +3211,9 @@ static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr
2847 } 3211 }
2848 3212
2849 default: 3213 default:
2850 sk->sk_state = BT_DISCONN;
2851 sk->sk_err = ECONNRESET; 3214 sk->sk_err = ECONNRESET;
2852 l2cap_sock_set_timer(sk, HZ * 5); 3215 l2cap_sock_set_timer(sk, HZ * 5);
2853 l2cap_send_disconn_req(conn, sk); 3216 l2cap_send_disconn_req(conn, sk, ECONNRESET);
2854 goto done; 3217 goto done;
2855 } 3218 }
2856 3219
@@ -2860,9 +3223,7 @@ static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr
2860 l2cap_pi(sk)->conf_state |= L2CAP_CONF_INPUT_DONE; 3223 l2cap_pi(sk)->conf_state |= L2CAP_CONF_INPUT_DONE;
2861 3224
2862 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE) { 3225 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE) {
2863 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_NO_FCS_RECV) || 3226 set_default_fcs(l2cap_pi(sk));
2864 l2cap_pi(sk)->fcs != L2CAP_FCS_NONE)
2865 l2cap_pi(sk)->fcs = L2CAP_FCS_CRC16;
2866 3227
2867 sk->sk_state = BT_CONNECTED; 3228 sk->sk_state = BT_CONNECTED;
2868 l2cap_pi(sk)->next_tx_seq = 0; 3229 l2cap_pi(sk)->next_tx_seq = 0;
@@ -2901,14 +3262,6 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd
2901 3262
2902 sk->sk_shutdown = SHUTDOWN_MASK; 3263 sk->sk_shutdown = SHUTDOWN_MASK;
2903 3264
2904 skb_queue_purge(TX_QUEUE(sk));
2905
2906 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM) {
2907 skb_queue_purge(SREJ_QUEUE(sk));
2908 del_timer(&l2cap_pi(sk)->retrans_timer);
2909 del_timer(&l2cap_pi(sk)->monitor_timer);
2910 }
2911
2912 l2cap_chan_del(sk, ECONNRESET); 3265 l2cap_chan_del(sk, ECONNRESET);
2913 bh_unlock_sock(sk); 3266 bh_unlock_sock(sk);
2914 3267
@@ -2931,14 +3284,6 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd
2931 if (!sk) 3284 if (!sk)
2932 return 0; 3285 return 0;
2933 3286
2934 skb_queue_purge(TX_QUEUE(sk));
2935
2936 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM) {
2937 skb_queue_purge(SREJ_QUEUE(sk));
2938 del_timer(&l2cap_pi(sk)->retrans_timer);
2939 del_timer(&l2cap_pi(sk)->monitor_timer);
2940 }
2941
2942 l2cap_chan_del(sk, 0); 3287 l2cap_chan_del(sk, 0);
2943 bh_unlock_sock(sk); 3288 bh_unlock_sock(sk);
2944 3289
@@ -2961,7 +3306,7 @@ static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cm
2961 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf; 3306 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2962 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK); 3307 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2963 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS); 3308 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
2964 if (enable_ertm) 3309 if (!disable_ertm)
2965 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING 3310 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
2966 | L2CAP_FEAT_FCS; 3311 | L2CAP_FEAT_FCS;
2967 put_unaligned_le32(feat_mask, rsp->data); 3312 put_unaligned_le32(feat_mask, rsp->data);
@@ -2998,6 +3343,15 @@ static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cm
2998 3343
2999 del_timer(&conn->info_timer); 3344 del_timer(&conn->info_timer);
3000 3345
3346 if (result != L2CAP_IR_SUCCESS) {
3347 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3348 conn->info_ident = 0;
3349
3350 l2cap_conn_start(conn);
3351
3352 return 0;
3353 }
3354
3001 if (type == L2CAP_IT_FEAT_MASK) { 3355 if (type == L2CAP_IT_FEAT_MASK) {
3002 conn->feat_mask = get_unaligned_le32(rsp->data); 3356 conn->feat_mask = get_unaligned_le32(rsp->data);
3003 3357
@@ -3126,14 +3480,43 @@ static int l2cap_check_fcs(struct l2cap_pinfo *pi, struct sk_buff *skb)
3126 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size); 3480 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
3127 3481
3128 if (our_fcs != rcv_fcs) 3482 if (our_fcs != rcv_fcs)
3129 return -EINVAL; 3483 return -EBADMSG;
3130 } 3484 }
3131 return 0; 3485 return 0;
3132} 3486}
3133 3487
3134static void l2cap_add_to_srej_queue(struct sock *sk, struct sk_buff *skb, u8 tx_seq, u8 sar) 3488static inline void l2cap_send_i_or_rr_or_rnr(struct sock *sk)
3489{
3490 struct l2cap_pinfo *pi = l2cap_pi(sk);
3491 u16 control = 0;
3492
3493 pi->frames_sent = 0;
3494
3495 control |= pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3496
3497 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) {
3498 control |= L2CAP_SUPER_RCV_NOT_READY;
3499 l2cap_send_sframe(pi, control);
3500 pi->conn_state |= L2CAP_CONN_RNR_SENT;
3501 }
3502
3503 if (pi->conn_state & L2CAP_CONN_REMOTE_BUSY)
3504 l2cap_retransmit_frames(sk);
3505
3506 l2cap_ertm_send(sk);
3507
3508 if (!(pi->conn_state & L2CAP_CONN_LOCAL_BUSY) &&
3509 pi->frames_sent == 0) {
3510 control |= L2CAP_SUPER_RCV_READY;
3511 l2cap_send_sframe(pi, control);
3512 }
3513}
3514
3515static int l2cap_add_to_srej_queue(struct sock *sk, struct sk_buff *skb, u8 tx_seq, u8 sar)
3135{ 3516{
3136 struct sk_buff *next_skb; 3517 struct sk_buff *next_skb;
3518 struct l2cap_pinfo *pi = l2cap_pi(sk);
3519 int tx_seq_offset, next_tx_seq_offset;
3137 3520
3138 bt_cb(skb)->tx_seq = tx_seq; 3521 bt_cb(skb)->tx_seq = tx_seq;
3139 bt_cb(skb)->sar = sar; 3522 bt_cb(skb)->sar = sar;
@@ -3141,29 +3524,282 @@ static void l2cap_add_to_srej_queue(struct sock *sk, struct sk_buff *skb, u8 tx_
3141 next_skb = skb_peek(SREJ_QUEUE(sk)); 3524 next_skb = skb_peek(SREJ_QUEUE(sk));
3142 if (!next_skb) { 3525 if (!next_skb) {
3143 __skb_queue_tail(SREJ_QUEUE(sk), skb); 3526 __skb_queue_tail(SREJ_QUEUE(sk), skb);
3144 return; 3527 return 0;
3145 } 3528 }
3146 3529
3530 tx_seq_offset = (tx_seq - pi->buffer_seq) % 64;
3531 if (tx_seq_offset < 0)
3532 tx_seq_offset += 64;
3533
3147 do { 3534 do {
3148 if (bt_cb(next_skb)->tx_seq > tx_seq) { 3535 if (bt_cb(next_skb)->tx_seq == tx_seq)
3536 return -EINVAL;
3537
3538 next_tx_seq_offset = (bt_cb(next_skb)->tx_seq -
3539 pi->buffer_seq) % 64;
3540 if (next_tx_seq_offset < 0)
3541 next_tx_seq_offset += 64;
3542
3543 if (next_tx_seq_offset > tx_seq_offset) {
3149 __skb_queue_before(SREJ_QUEUE(sk), next_skb, skb); 3544 __skb_queue_before(SREJ_QUEUE(sk), next_skb, skb);
3150 return; 3545 return 0;
3151 } 3546 }
3152 3547
3153 if (skb_queue_is_last(SREJ_QUEUE(sk), next_skb)) 3548 if (skb_queue_is_last(SREJ_QUEUE(sk), next_skb))
3154 break; 3549 break;
3155 3550
3156 } while((next_skb = skb_queue_next(SREJ_QUEUE(sk), next_skb))); 3551 } while ((next_skb = skb_queue_next(SREJ_QUEUE(sk), next_skb)));
3157 3552
3158 __skb_queue_tail(SREJ_QUEUE(sk), skb); 3553 __skb_queue_tail(SREJ_QUEUE(sk), skb);
3554
3555 return 0;
3159} 3556}
3160 3557
3161static int l2cap_sar_reassembly_sdu(struct sock *sk, struct sk_buff *skb, u16 control) 3558static int l2cap_ertm_reassembly_sdu(struct sock *sk, struct sk_buff *skb, u16 control)
3559{
3560 struct l2cap_pinfo *pi = l2cap_pi(sk);
3561 struct sk_buff *_skb;
3562 int err;
3563
3564 switch (control & L2CAP_CTRL_SAR) {
3565 case L2CAP_SDU_UNSEGMENTED:
3566 if (pi->conn_state & L2CAP_CONN_SAR_SDU)
3567 goto drop;
3568
3569 err = sock_queue_rcv_skb(sk, skb);
3570 if (!err)
3571 return err;
3572
3573 break;
3574
3575 case L2CAP_SDU_START:
3576 if (pi->conn_state & L2CAP_CONN_SAR_SDU)
3577 goto drop;
3578
3579 pi->sdu_len = get_unaligned_le16(skb->data);
3580
3581 if (pi->sdu_len > pi->imtu)
3582 goto disconnect;
3583
3584 pi->sdu = bt_skb_alloc(pi->sdu_len, GFP_ATOMIC);
3585 if (!pi->sdu)
3586 return -ENOMEM;
3587
3588 /* pull sdu_len bytes only after alloc, because of Local Busy
3589 * condition we have to be sure that this will be executed
3590 * only once, i.e., when alloc does not fail */
3591 skb_pull(skb, 2);
3592
3593 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3594
3595 pi->conn_state |= L2CAP_CONN_SAR_SDU;
3596 pi->partial_sdu_len = skb->len;
3597 break;
3598
3599 case L2CAP_SDU_CONTINUE:
3600 if (!(pi->conn_state & L2CAP_CONN_SAR_SDU))
3601 goto disconnect;
3602
3603 if (!pi->sdu)
3604 goto disconnect;
3605
3606 pi->partial_sdu_len += skb->len;
3607 if (pi->partial_sdu_len > pi->sdu_len)
3608 goto drop;
3609
3610 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3611
3612 break;
3613
3614 case L2CAP_SDU_END:
3615 if (!(pi->conn_state & L2CAP_CONN_SAR_SDU))
3616 goto disconnect;
3617
3618 if (!pi->sdu)
3619 goto disconnect;
3620
3621 if (!(pi->conn_state & L2CAP_CONN_SAR_RETRY)) {
3622 pi->partial_sdu_len += skb->len;
3623
3624 if (pi->partial_sdu_len > pi->imtu)
3625 goto drop;
3626
3627 if (pi->partial_sdu_len != pi->sdu_len)
3628 goto drop;
3629
3630 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3631 }
3632
3633 _skb = skb_clone(pi->sdu, GFP_ATOMIC);
3634 if (!_skb) {
3635 pi->conn_state |= L2CAP_CONN_SAR_RETRY;
3636 return -ENOMEM;
3637 }
3638
3639 err = sock_queue_rcv_skb(sk, _skb);
3640 if (err < 0) {
3641 kfree_skb(_skb);
3642 pi->conn_state |= L2CAP_CONN_SAR_RETRY;
3643 return err;
3644 }
3645
3646 pi->conn_state &= ~L2CAP_CONN_SAR_RETRY;
3647 pi->conn_state &= ~L2CAP_CONN_SAR_SDU;
3648
3649 kfree_skb(pi->sdu);
3650 break;
3651 }
3652
3653 kfree_skb(skb);
3654 return 0;
3655
3656drop:
3657 kfree_skb(pi->sdu);
3658 pi->sdu = NULL;
3659
3660disconnect:
3661 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
3662 kfree_skb(skb);
3663 return 0;
3664}
3665
3666static int l2cap_try_push_rx_skb(struct sock *sk)
3667{
3668 struct l2cap_pinfo *pi = l2cap_pi(sk);
3669 struct sk_buff *skb;
3670 u16 control;
3671 int err;
3672
3673 while ((skb = skb_dequeue(BUSY_QUEUE(sk)))) {
3674 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
3675 err = l2cap_ertm_reassembly_sdu(sk, skb, control);
3676 if (err < 0) {
3677 skb_queue_head(BUSY_QUEUE(sk), skb);
3678 return -EBUSY;
3679 }
3680
3681 pi->buffer_seq = (pi->buffer_seq + 1) % 64;
3682 }
3683
3684 if (!(pi->conn_state & L2CAP_CONN_RNR_SENT))
3685 goto done;
3686
3687 control = pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3688 control |= L2CAP_SUPER_RCV_READY | L2CAP_CTRL_POLL;
3689 l2cap_send_sframe(pi, control);
3690 l2cap_pi(sk)->retry_count = 1;
3691
3692 del_timer(&pi->retrans_timer);
3693 __mod_monitor_timer();
3694
3695 l2cap_pi(sk)->conn_state |= L2CAP_CONN_WAIT_F;
3696
3697done:
3698 pi->conn_state &= ~L2CAP_CONN_LOCAL_BUSY;
3699 pi->conn_state &= ~L2CAP_CONN_RNR_SENT;
3700
3701 BT_DBG("sk %p, Exit local busy", sk);
3702
3703 return 0;
3704}
3705
3706static void l2cap_busy_work(struct work_struct *work)
3707{
3708 DECLARE_WAITQUEUE(wait, current);
3709 struct l2cap_pinfo *pi =
3710 container_of(work, struct l2cap_pinfo, busy_work);
3711 struct sock *sk = (struct sock *)pi;
3712 int n_tries = 0, timeo = HZ/5, err;
3713 struct sk_buff *skb;
3714
3715 lock_sock(sk);
3716
3717 add_wait_queue(sk_sleep(sk), &wait);
3718 while ((skb = skb_peek(BUSY_QUEUE(sk)))) {
3719 set_current_state(TASK_INTERRUPTIBLE);
3720
3721 if (n_tries++ > L2CAP_LOCAL_BUSY_TRIES) {
3722 err = -EBUSY;
3723 l2cap_send_disconn_req(pi->conn, sk, EBUSY);
3724 break;
3725 }
3726
3727 if (!timeo)
3728 timeo = HZ/5;
3729
3730 if (signal_pending(current)) {
3731 err = sock_intr_errno(timeo);
3732 break;
3733 }
3734
3735 release_sock(sk);
3736 timeo = schedule_timeout(timeo);
3737 lock_sock(sk);
3738
3739 err = sock_error(sk);
3740 if (err)
3741 break;
3742
3743 if (l2cap_try_push_rx_skb(sk) == 0)
3744 break;
3745 }
3746
3747 set_current_state(TASK_RUNNING);
3748 remove_wait_queue(sk_sleep(sk), &wait);
3749
3750 release_sock(sk);
3751}
3752
3753static int l2cap_push_rx_skb(struct sock *sk, struct sk_buff *skb, u16 control)
3754{
3755 struct l2cap_pinfo *pi = l2cap_pi(sk);
3756 int sctrl, err;
3757
3758 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) {
3759 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
3760 __skb_queue_tail(BUSY_QUEUE(sk), skb);
3761 return l2cap_try_push_rx_skb(sk);
3762
3763
3764 }
3765
3766 err = l2cap_ertm_reassembly_sdu(sk, skb, control);
3767 if (err >= 0) {
3768 pi->buffer_seq = (pi->buffer_seq + 1) % 64;
3769 return err;
3770 }
3771
3772 /* Busy Condition */
3773 BT_DBG("sk %p, Enter local busy", sk);
3774
3775 pi->conn_state |= L2CAP_CONN_LOCAL_BUSY;
3776 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
3777 __skb_queue_tail(BUSY_QUEUE(sk), skb);
3778
3779 sctrl = pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3780 sctrl |= L2CAP_SUPER_RCV_NOT_READY;
3781 l2cap_send_sframe(pi, sctrl);
3782
3783 pi->conn_state |= L2CAP_CONN_RNR_SENT;
3784
3785 del_timer(&pi->ack_timer);
3786
3787 queue_work(_busy_wq, &pi->busy_work);
3788
3789 return err;
3790}
3791
3792static int l2cap_streaming_reassembly_sdu(struct sock *sk, struct sk_buff *skb, u16 control)
3162{ 3793{
3163 struct l2cap_pinfo *pi = l2cap_pi(sk); 3794 struct l2cap_pinfo *pi = l2cap_pi(sk);
3164 struct sk_buff *_skb; 3795 struct sk_buff *_skb;
3165 int err = -EINVAL; 3796 int err = -EINVAL;
3166 3797
3798 /*
3799 * TODO: We have to notify the userland if some data is lost with the
3800 * Streaming Mode.
3801 */
3802
3167 switch (control & L2CAP_CTRL_SAR) { 3803 switch (control & L2CAP_CTRL_SAR) {
3168 case L2CAP_SDU_UNSEGMENTED: 3804 case L2CAP_SDU_UNSEGMENTED:
3169 if (pi->conn_state & L2CAP_CONN_SAR_SDU) { 3805 if (pi->conn_state & L2CAP_CONN_SAR_SDU) {
@@ -3186,6 +3822,11 @@ static int l2cap_sar_reassembly_sdu(struct sock *sk, struct sk_buff *skb, u16 co
3186 pi->sdu_len = get_unaligned_le16(skb->data); 3822 pi->sdu_len = get_unaligned_le16(skb->data);
3187 skb_pull(skb, 2); 3823 skb_pull(skb, 2);
3188 3824
3825 if (pi->sdu_len > pi->imtu) {
3826 err = -EMSGSIZE;
3827 break;
3828 }
3829
3189 pi->sdu = bt_skb_alloc(pi->sdu_len, GFP_ATOMIC); 3830 pi->sdu = bt_skb_alloc(pi->sdu_len, GFP_ATOMIC);
3190 if (!pi->sdu) { 3831 if (!pi->sdu) {
3191 err = -ENOMEM; 3832 err = -ENOMEM;
@@ -3222,15 +3863,19 @@ static int l2cap_sar_reassembly_sdu(struct sock *sk, struct sk_buff *skb, u16 co
3222 pi->conn_state &= ~L2CAP_CONN_SAR_SDU; 3863 pi->conn_state &= ~L2CAP_CONN_SAR_SDU;
3223 pi->partial_sdu_len += skb->len; 3864 pi->partial_sdu_len += skb->len;
3224 3865
3866 if (pi->partial_sdu_len > pi->imtu)
3867 goto drop;
3868
3225 if (pi->partial_sdu_len == pi->sdu_len) { 3869 if (pi->partial_sdu_len == pi->sdu_len) {
3226 _skb = skb_clone(pi->sdu, GFP_ATOMIC); 3870 _skb = skb_clone(pi->sdu, GFP_ATOMIC);
3227 err = sock_queue_rcv_skb(sk, _skb); 3871 err = sock_queue_rcv_skb(sk, _skb);
3228 if (err < 0) 3872 if (err < 0)
3229 kfree_skb(_skb); 3873 kfree_skb(_skb);
3230 } 3874 }
3231 kfree_skb(pi->sdu);
3232 err = 0; 3875 err = 0;
3233 3876
3877drop:
3878 kfree_skb(pi->sdu);
3234 break; 3879 break;
3235 } 3880 }
3236 3881
@@ -3241,18 +3886,18 @@ static int l2cap_sar_reassembly_sdu(struct sock *sk, struct sk_buff *skb, u16 co
3241static void l2cap_check_srej_gap(struct sock *sk, u8 tx_seq) 3886static void l2cap_check_srej_gap(struct sock *sk, u8 tx_seq)
3242{ 3887{
3243 struct sk_buff *skb; 3888 struct sk_buff *skb;
3244 u16 control = 0; 3889 u16 control;
3245 3890
3246 while((skb = skb_peek(SREJ_QUEUE(sk)))) { 3891 while ((skb = skb_peek(SREJ_QUEUE(sk)))) {
3247 if (bt_cb(skb)->tx_seq != tx_seq) 3892 if (bt_cb(skb)->tx_seq != tx_seq)
3248 break; 3893 break;
3249 3894
3250 skb = skb_dequeue(SREJ_QUEUE(sk)); 3895 skb = skb_dequeue(SREJ_QUEUE(sk));
3251 control |= bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT; 3896 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
3252 l2cap_sar_reassembly_sdu(sk, skb, control); 3897 l2cap_ertm_reassembly_sdu(sk, skb, control);
3253 l2cap_pi(sk)->buffer_seq_srej = 3898 l2cap_pi(sk)->buffer_seq_srej =
3254 (l2cap_pi(sk)->buffer_seq_srej + 1) % 64; 3899 (l2cap_pi(sk)->buffer_seq_srej + 1) % 64;
3255 tx_seq++; 3900 tx_seq = (tx_seq + 1) % 64;
3256 } 3901 }
3257} 3902}
3258 3903
@@ -3262,7 +3907,7 @@ static void l2cap_resend_srejframe(struct sock *sk, u8 tx_seq)
3262 struct srej_list *l, *tmp; 3907 struct srej_list *l, *tmp;
3263 u16 control; 3908 u16 control;
3264 3909
3265 list_for_each_entry_safe(l,tmp, SREJ_LIST(sk), list) { 3910 list_for_each_entry_safe(l, tmp, SREJ_LIST(sk), list) {
3266 if (l->tx_seq == tx_seq) { 3911 if (l->tx_seq == tx_seq) {
3267 list_del(&l->list); 3912 list_del(&l->list);
3268 kfree(l); 3913 kfree(l);
@@ -3285,17 +3930,14 @@ static void l2cap_send_srejframe(struct sock *sk, u8 tx_seq)
3285 while (tx_seq != pi->expected_tx_seq) { 3930 while (tx_seq != pi->expected_tx_seq) {
3286 control = L2CAP_SUPER_SELECT_REJECT; 3931 control = L2CAP_SUPER_SELECT_REJECT;
3287 control |= pi->expected_tx_seq << L2CAP_CTRL_REQSEQ_SHIFT; 3932 control |= pi->expected_tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3288 if (pi->conn_state & L2CAP_CONN_SEND_PBIT) {
3289 control |= L2CAP_CTRL_POLL;
3290 pi->conn_state &= ~L2CAP_CONN_SEND_PBIT;
3291 }
3292 l2cap_send_sframe(pi, control); 3933 l2cap_send_sframe(pi, control);
3293 3934
3294 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC); 3935 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
3295 new->tx_seq = pi->expected_tx_seq++; 3936 new->tx_seq = pi->expected_tx_seq;
3937 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
3296 list_add_tail(&new->list, SREJ_LIST(sk)); 3938 list_add_tail(&new->list, SREJ_LIST(sk));
3297 } 3939 }
3298 pi->expected_tx_seq++; 3940 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
3299} 3941}
3300 3942
3301static inline int l2cap_data_channel_iframe(struct sock *sk, u16 rx_control, struct sk_buff *skb) 3943static inline int l2cap_data_channel_iframe(struct sock *sk, u16 rx_control, struct sk_buff *skb)
@@ -3303,11 +3945,21 @@ static inline int l2cap_data_channel_iframe(struct sock *sk, u16 rx_control, str
3303 struct l2cap_pinfo *pi = l2cap_pi(sk); 3945 struct l2cap_pinfo *pi = l2cap_pi(sk);
3304 u8 tx_seq = __get_txseq(rx_control); 3946 u8 tx_seq = __get_txseq(rx_control);
3305 u8 req_seq = __get_reqseq(rx_control); 3947 u8 req_seq = __get_reqseq(rx_control);
3306 u16 tx_control = 0;
3307 u8 sar = rx_control >> L2CAP_CTRL_SAR_SHIFT; 3948 u8 sar = rx_control >> L2CAP_CTRL_SAR_SHIFT;
3949 int tx_seq_offset, expected_tx_seq_offset;
3950 int num_to_ack = (pi->tx_win/6) + 1;
3308 int err = 0; 3951 int err = 0;
3309 3952
3310 BT_DBG("sk %p rx_control 0x%4.4x len %d", sk, rx_control, skb->len); 3953 BT_DBG("sk %p len %d tx_seq %d rx_control 0x%4.4x", sk, skb->len, tx_seq,
3954 rx_control);
3955
3956 if (L2CAP_CTRL_FINAL & rx_control &&
3957 l2cap_pi(sk)->conn_state & L2CAP_CONN_WAIT_F) {
3958 del_timer(&pi->monitor_timer);
3959 if (pi->unacked_frames > 0)
3960 __mod_retrans_timer();
3961 pi->conn_state &= ~L2CAP_CONN_WAIT_F;
3962 }
3311 3963
3312 pi->expected_ack_seq = req_seq; 3964 pi->expected_ack_seq = req_seq;
3313 l2cap_drop_acked_frames(sk); 3965 l2cap_drop_acked_frames(sk);
@@ -3315,6 +3967,19 @@ static inline int l2cap_data_channel_iframe(struct sock *sk, u16 rx_control, str
3315 if (tx_seq == pi->expected_tx_seq) 3967 if (tx_seq == pi->expected_tx_seq)
3316 goto expected; 3968 goto expected;
3317 3969
3970 tx_seq_offset = (tx_seq - pi->buffer_seq) % 64;
3971 if (tx_seq_offset < 0)
3972 tx_seq_offset += 64;
3973
3974 /* invalid tx_seq */
3975 if (tx_seq_offset >= pi->tx_win) {
3976 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
3977 goto drop;
3978 }
3979
3980 if (pi->conn_state == L2CAP_CONN_LOCAL_BUSY)
3981 goto drop;
3982
3318 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) { 3983 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
3319 struct srej_list *first; 3984 struct srej_list *first;
3320 3985
@@ -3330,10 +3995,15 @@ static inline int l2cap_data_channel_iframe(struct sock *sk, u16 rx_control, str
3330 if (list_empty(SREJ_LIST(sk))) { 3995 if (list_empty(SREJ_LIST(sk))) {
3331 pi->buffer_seq = pi->buffer_seq_srej; 3996 pi->buffer_seq = pi->buffer_seq_srej;
3332 pi->conn_state &= ~L2CAP_CONN_SREJ_SENT; 3997 pi->conn_state &= ~L2CAP_CONN_SREJ_SENT;
3998 l2cap_send_ack(pi);
3999 BT_DBG("sk %p, Exit SREJ_SENT", sk);
3333 } 4000 }
3334 } else { 4001 } else {
3335 struct srej_list *l; 4002 struct srej_list *l;
3336 l2cap_add_to_srej_queue(sk, skb, tx_seq, sar); 4003
4004 /* duplicated tx_seq */
4005 if (l2cap_add_to_srej_queue(sk, skb, tx_seq, sar) < 0)
4006 goto drop;
3337 4007
3338 list_for_each_entry(l, SREJ_LIST(sk), list) { 4008 list_for_each_entry(l, SREJ_LIST(sk), list) {
3339 if (l->tx_seq == tx_seq) { 4009 if (l->tx_seq == tx_seq) {
@@ -3344,17 +4014,31 @@ static inline int l2cap_data_channel_iframe(struct sock *sk, u16 rx_control, str
3344 l2cap_send_srejframe(sk, tx_seq); 4014 l2cap_send_srejframe(sk, tx_seq);
3345 } 4015 }
3346 } else { 4016 } else {
4017 expected_tx_seq_offset =
4018 (pi->expected_tx_seq - pi->buffer_seq) % 64;
4019 if (expected_tx_seq_offset < 0)
4020 expected_tx_seq_offset += 64;
4021
4022 /* duplicated tx_seq */
4023 if (tx_seq_offset < expected_tx_seq_offset)
4024 goto drop;
4025
3347 pi->conn_state |= L2CAP_CONN_SREJ_SENT; 4026 pi->conn_state |= L2CAP_CONN_SREJ_SENT;
3348 4027
4028 BT_DBG("sk %p, Enter SREJ", sk);
4029
3349 INIT_LIST_HEAD(SREJ_LIST(sk)); 4030 INIT_LIST_HEAD(SREJ_LIST(sk));
3350 pi->buffer_seq_srej = pi->buffer_seq; 4031 pi->buffer_seq_srej = pi->buffer_seq;
3351 4032
3352 __skb_queue_head_init(SREJ_QUEUE(sk)); 4033 __skb_queue_head_init(SREJ_QUEUE(sk));
4034 __skb_queue_head_init(BUSY_QUEUE(sk));
3353 l2cap_add_to_srej_queue(sk, skb, tx_seq, sar); 4035 l2cap_add_to_srej_queue(sk, skb, tx_seq, sar);
3354 4036
3355 pi->conn_state |= L2CAP_CONN_SEND_PBIT; 4037 pi->conn_state |= L2CAP_CONN_SEND_PBIT;
3356 4038
3357 l2cap_send_srejframe(sk, tx_seq); 4039 l2cap_send_srejframe(sk, tx_seq);
4040
4041 del_timer(&pi->ack_timer);
3358 } 4042 }
3359 return 0; 4043 return 0;
3360 4044
@@ -3362,163 +4046,280 @@ expected:
3362 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64; 4046 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
3363 4047
3364 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) { 4048 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
3365 l2cap_add_to_srej_queue(sk, skb, tx_seq, sar); 4049 bt_cb(skb)->tx_seq = tx_seq;
4050 bt_cb(skb)->sar = sar;
4051 __skb_queue_tail(SREJ_QUEUE(sk), skb);
3366 return 0; 4052 return 0;
3367 } 4053 }
3368 4054
4055 err = l2cap_push_rx_skb(sk, skb, rx_control);
4056 if (err < 0)
4057 return 0;
4058
3369 if (rx_control & L2CAP_CTRL_FINAL) { 4059 if (rx_control & L2CAP_CTRL_FINAL) {
3370 if (pi->conn_state & L2CAP_CONN_REJ_ACT) 4060 if (pi->conn_state & L2CAP_CONN_REJ_ACT)
3371 pi->conn_state &= ~L2CAP_CONN_REJ_ACT; 4061 pi->conn_state &= ~L2CAP_CONN_REJ_ACT;
3372 else { 4062 else
3373 sk->sk_send_head = TX_QUEUE(sk)->next; 4063 l2cap_retransmit_frames(sk);
3374 pi->next_tx_seq = pi->expected_ack_seq;
3375 l2cap_ertm_send(sk);
3376 }
3377 } 4064 }
3378 4065
3379 pi->buffer_seq = (pi->buffer_seq + 1) % 64; 4066 __mod_ack_timer();
3380 4067
3381 err = l2cap_sar_reassembly_sdu(sk, skb, rx_control); 4068 pi->num_acked = (pi->num_acked + 1) % num_to_ack;
3382 if (err < 0) 4069 if (pi->num_acked == num_to_ack - 1)
3383 return err; 4070 l2cap_send_ack(pi);
3384 4071
3385 pi->num_to_ack = (pi->num_to_ack + 1) % L2CAP_DEFAULT_NUM_TO_ACK; 4072 return 0;
3386 if (pi->num_to_ack == L2CAP_DEFAULT_NUM_TO_ACK - 1) { 4073
3387 tx_control |= L2CAP_SUPER_RCV_READY; 4074drop:
3388 tx_control |= pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT; 4075 kfree_skb(skb);
3389 l2cap_send_sframe(pi, tx_control);
3390 }
3391 return 0; 4076 return 0;
3392} 4077}
3393 4078
3394static inline int l2cap_data_channel_sframe(struct sock *sk, u16 rx_control, struct sk_buff *skb) 4079static inline void l2cap_data_channel_rrframe(struct sock *sk, u16 rx_control)
3395{ 4080{
3396 struct l2cap_pinfo *pi = l2cap_pi(sk); 4081 struct l2cap_pinfo *pi = l2cap_pi(sk);
3397 u8 tx_seq = __get_reqseq(rx_control);
3398 4082
3399 BT_DBG("sk %p rx_control 0x%4.4x len %d", sk, rx_control, skb->len); 4083 BT_DBG("sk %p, req_seq %d ctrl 0x%4.4x", sk, __get_reqseq(rx_control),
3400 4084 rx_control);
3401 switch (rx_control & L2CAP_CTRL_SUPERVISE) {
3402 case L2CAP_SUPER_RCV_READY:
3403 if (rx_control & L2CAP_CTRL_POLL) {
3404 u16 control = L2CAP_CTRL_FINAL;
3405 control |= L2CAP_SUPER_RCV_READY |
3406 (pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT);
3407 l2cap_send_sframe(l2cap_pi(sk), control);
3408 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3409
3410 } else if (rx_control & L2CAP_CTRL_FINAL) {
3411 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3412 pi->expected_ack_seq = tx_seq;
3413 l2cap_drop_acked_frames(sk);
3414
3415 if (pi->conn_state & L2CAP_CONN_REJ_ACT)
3416 pi->conn_state &= ~L2CAP_CONN_REJ_ACT;
3417 else {
3418 sk->sk_send_head = TX_QUEUE(sk)->next;
3419 pi->next_tx_seq = pi->expected_ack_seq;
3420 l2cap_ertm_send(sk);
3421 }
3422
3423 if (!(pi->conn_state & L2CAP_CONN_WAIT_F))
3424 break;
3425 4085
3426 pi->conn_state &= ~L2CAP_CONN_WAIT_F; 4086 pi->expected_ack_seq = __get_reqseq(rx_control);
3427 del_timer(&pi->monitor_timer); 4087 l2cap_drop_acked_frames(sk);
3428
3429 if (pi->unacked_frames > 0)
3430 __mod_retrans_timer();
3431 } else {
3432 pi->expected_ack_seq = tx_seq;
3433 l2cap_drop_acked_frames(sk);
3434 4088
4089 if (rx_control & L2CAP_CTRL_POLL) {
4090 pi->conn_state |= L2CAP_CONN_SEND_FBIT;
4091 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
3435 if ((pi->conn_state & L2CAP_CONN_REMOTE_BUSY) && 4092 if ((pi->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
3436 (pi->unacked_frames > 0)) 4093 (pi->unacked_frames > 0))
3437 __mod_retrans_timer(); 4094 __mod_retrans_timer();
3438 4095
3439 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY; 4096 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3440 l2cap_ertm_send(sk); 4097 l2cap_send_srejtail(sk);
4098 } else {
4099 l2cap_send_i_or_rr_or_rnr(sk);
3441 } 4100 }
3442 break;
3443 4101
3444 case L2CAP_SUPER_REJECT: 4102 } else if (rx_control & L2CAP_CTRL_FINAL) {
3445 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY; 4103 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3446 4104
3447 pi->expected_ack_seq = __get_reqseq(rx_control); 4105 if (pi->conn_state & L2CAP_CONN_REJ_ACT)
3448 l2cap_drop_acked_frames(sk); 4106 pi->conn_state &= ~L2CAP_CONN_REJ_ACT;
4107 else
4108 l2cap_retransmit_frames(sk);
3449 4109
3450 if (rx_control & L2CAP_CTRL_FINAL) { 4110 } else {
3451 if (pi->conn_state & L2CAP_CONN_REJ_ACT) 4111 if ((pi->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
3452 pi->conn_state &= ~L2CAP_CONN_REJ_ACT; 4112 (pi->unacked_frames > 0))
3453 else { 4113 __mod_retrans_timer();
3454 sk->sk_send_head = TX_QUEUE(sk)->next; 4114
3455 pi->next_tx_seq = pi->expected_ack_seq; 4115 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3456 l2cap_ertm_send(sk); 4116 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
3457 } 4117 l2cap_send_ack(pi);
3458 } else { 4118 } else {
3459 sk->sk_send_head = TX_QUEUE(sk)->next;
3460 pi->next_tx_seq = pi->expected_ack_seq;
3461 l2cap_ertm_send(sk); 4119 l2cap_ertm_send(sk);
3462
3463 if (pi->conn_state & L2CAP_CONN_WAIT_F) {
3464 pi->srej_save_reqseq = tx_seq;
3465 pi->conn_state |= L2CAP_CONN_REJ_ACT;
3466 }
3467 } 4120 }
4121 }
4122}
3468 4123
3469 break; 4124static inline void l2cap_data_channel_rejframe(struct sock *sk, u16 rx_control)
4125{
4126 struct l2cap_pinfo *pi = l2cap_pi(sk);
4127 u8 tx_seq = __get_reqseq(rx_control);
3470 4128
3471 case L2CAP_SUPER_SELECT_REJECT: 4129 BT_DBG("sk %p, req_seq %d ctrl 0x%4.4x", sk, tx_seq, rx_control);
3472 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3473 4130
3474 if (rx_control & L2CAP_CTRL_POLL) { 4131 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3475 pi->expected_ack_seq = tx_seq; 4132
3476 l2cap_drop_acked_frames(sk); 4133 pi->expected_ack_seq = tx_seq;
3477 l2cap_retransmit_frame(sk, tx_seq); 4134 l2cap_drop_acked_frames(sk);
3478 l2cap_ertm_send(sk); 4135
3479 if (pi->conn_state & L2CAP_CONN_WAIT_F) { 4136 if (rx_control & L2CAP_CTRL_FINAL) {
3480 pi->srej_save_reqseq = tx_seq; 4137 if (pi->conn_state & L2CAP_CONN_REJ_ACT)
3481 pi->conn_state |= L2CAP_CONN_SREJ_ACT; 4138 pi->conn_state &= ~L2CAP_CONN_REJ_ACT;
3482 } 4139 else
3483 } else if (rx_control & L2CAP_CTRL_FINAL) { 4140 l2cap_retransmit_frames(sk);
3484 if ((pi->conn_state & L2CAP_CONN_SREJ_ACT) && 4141 } else {
3485 pi->srej_save_reqseq == tx_seq) 4142 l2cap_retransmit_frames(sk);
3486 pi->conn_state &= ~L2CAP_CONN_SREJ_ACT; 4143
3487 else 4144 if (pi->conn_state & L2CAP_CONN_WAIT_F)
3488 l2cap_retransmit_frame(sk, tx_seq); 4145 pi->conn_state |= L2CAP_CONN_REJ_ACT;
4146 }
4147}
4148static inline void l2cap_data_channel_srejframe(struct sock *sk, u16 rx_control)
4149{
4150 struct l2cap_pinfo *pi = l2cap_pi(sk);
4151 u8 tx_seq = __get_reqseq(rx_control);
4152
4153 BT_DBG("sk %p, req_seq %d ctrl 0x%4.4x", sk, tx_seq, rx_control);
4154
4155 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
4156
4157 if (rx_control & L2CAP_CTRL_POLL) {
4158 pi->expected_ack_seq = tx_seq;
4159 l2cap_drop_acked_frames(sk);
4160
4161 pi->conn_state |= L2CAP_CONN_SEND_FBIT;
4162 l2cap_retransmit_one_frame(sk, tx_seq);
4163
4164 l2cap_ertm_send(sk);
4165
4166 if (pi->conn_state & L2CAP_CONN_WAIT_F) {
4167 pi->srej_save_reqseq = tx_seq;
4168 pi->conn_state |= L2CAP_CONN_SREJ_ACT;
3489 } 4169 }
3490 else { 4170 } else if (rx_control & L2CAP_CTRL_FINAL) {
3491 l2cap_retransmit_frame(sk, tx_seq); 4171 if ((pi->conn_state & L2CAP_CONN_SREJ_ACT) &&
3492 if (pi->conn_state & L2CAP_CONN_WAIT_F) { 4172 pi->srej_save_reqseq == tx_seq)
3493 pi->srej_save_reqseq = tx_seq; 4173 pi->conn_state &= ~L2CAP_CONN_SREJ_ACT;
3494 pi->conn_state |= L2CAP_CONN_SREJ_ACT; 4174 else
3495 } 4175 l2cap_retransmit_one_frame(sk, tx_seq);
4176 } else {
4177 l2cap_retransmit_one_frame(sk, tx_seq);
4178 if (pi->conn_state & L2CAP_CONN_WAIT_F) {
4179 pi->srej_save_reqseq = tx_seq;
4180 pi->conn_state |= L2CAP_CONN_SREJ_ACT;
3496 } 4181 }
4182 }
4183}
4184
4185static inline void l2cap_data_channel_rnrframe(struct sock *sk, u16 rx_control)
4186{
4187 struct l2cap_pinfo *pi = l2cap_pi(sk);
4188 u8 tx_seq = __get_reqseq(rx_control);
4189
4190 BT_DBG("sk %p, req_seq %d ctrl 0x%4.4x", sk, tx_seq, rx_control);
4191
4192 pi->conn_state |= L2CAP_CONN_REMOTE_BUSY;
4193 pi->expected_ack_seq = tx_seq;
4194 l2cap_drop_acked_frames(sk);
4195
4196 if (rx_control & L2CAP_CTRL_POLL)
4197 pi->conn_state |= L2CAP_CONN_SEND_FBIT;
4198
4199 if (!(pi->conn_state & L2CAP_CONN_SREJ_SENT)) {
4200 del_timer(&pi->retrans_timer);
4201 if (rx_control & L2CAP_CTRL_POLL)
4202 l2cap_send_rr_or_rnr(pi, L2CAP_CTRL_FINAL);
4203 return;
4204 }
4205
4206 if (rx_control & L2CAP_CTRL_POLL)
4207 l2cap_send_srejtail(sk);
4208 else
4209 l2cap_send_sframe(pi, L2CAP_SUPER_RCV_READY);
4210}
4211
4212static inline int l2cap_data_channel_sframe(struct sock *sk, u16 rx_control, struct sk_buff *skb)
4213{
4214 BT_DBG("sk %p rx_control 0x%4.4x len %d", sk, rx_control, skb->len);
4215
4216 if (L2CAP_CTRL_FINAL & rx_control &&
4217 l2cap_pi(sk)->conn_state & L2CAP_CONN_WAIT_F) {
4218 del_timer(&l2cap_pi(sk)->monitor_timer);
4219 if (l2cap_pi(sk)->unacked_frames > 0)
4220 __mod_retrans_timer();
4221 l2cap_pi(sk)->conn_state &= ~L2CAP_CONN_WAIT_F;
4222 }
4223
4224 switch (rx_control & L2CAP_CTRL_SUPERVISE) {
4225 case L2CAP_SUPER_RCV_READY:
4226 l2cap_data_channel_rrframe(sk, rx_control);
4227 break;
4228
4229 case L2CAP_SUPER_REJECT:
4230 l2cap_data_channel_rejframe(sk, rx_control);
4231 break;
4232
4233 case L2CAP_SUPER_SELECT_REJECT:
4234 l2cap_data_channel_srejframe(sk, rx_control);
3497 break; 4235 break;
3498 4236
3499 case L2CAP_SUPER_RCV_NOT_READY: 4237 case L2CAP_SUPER_RCV_NOT_READY:
3500 pi->conn_state |= L2CAP_CONN_REMOTE_BUSY; 4238 l2cap_data_channel_rnrframe(sk, rx_control);
3501 pi->expected_ack_seq = tx_seq; 4239 break;
3502 l2cap_drop_acked_frames(sk); 4240 }
3503 4241
3504 del_timer(&l2cap_pi(sk)->retrans_timer); 4242 kfree_skb(skb);
3505 if (rx_control & L2CAP_CTRL_POLL) { 4243 return 0;
3506 u16 control = L2CAP_CTRL_FINAL; 4244}
3507 l2cap_send_rr_or_rnr(l2cap_pi(sk), control); 4245
4246static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb)
4247{
4248 struct l2cap_pinfo *pi = l2cap_pi(sk);
4249 u16 control;
4250 u8 req_seq;
4251 int len, next_tx_seq_offset, req_seq_offset;
4252
4253 control = get_unaligned_le16(skb->data);
4254 skb_pull(skb, 2);
4255 len = skb->len;
4256
4257 /*
4258 * We can just drop the corrupted I-frame here.
4259 * Receiver will miss it and start proper recovery
4260 * procedures and ask retransmission.
4261 */
4262 if (l2cap_check_fcs(pi, skb))
4263 goto drop;
4264
4265 if (__is_sar_start(control) && __is_iframe(control))
4266 len -= 2;
4267
4268 if (pi->fcs == L2CAP_FCS_CRC16)
4269 len -= 2;
4270
4271 if (len > pi->mps) {
4272 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
4273 goto drop;
4274 }
4275
4276 req_seq = __get_reqseq(control);
4277 req_seq_offset = (req_seq - pi->expected_ack_seq) % 64;
4278 if (req_seq_offset < 0)
4279 req_seq_offset += 64;
4280
4281 next_tx_seq_offset =
4282 (pi->next_tx_seq - pi->expected_ack_seq) % 64;
4283 if (next_tx_seq_offset < 0)
4284 next_tx_seq_offset += 64;
4285
4286 /* check for invalid req-seq */
4287 if (req_seq_offset > next_tx_seq_offset) {
4288 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
4289 goto drop;
4290 }
4291
4292 if (__is_iframe(control)) {
4293 if (len < 0) {
4294 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
4295 goto drop;
3508 } 4296 }
3509 break; 4297
4298 l2cap_data_channel_iframe(sk, control, skb);
4299 } else {
4300 if (len != 0) {
4301 BT_ERR("%d", len);
4302 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
4303 goto drop;
4304 }
4305
4306 l2cap_data_channel_sframe(sk, control, skb);
3510 } 4307 }
3511 4308
3512 return 0; 4309 return 0;
4310
4311drop:
4312 kfree_skb(skb);
4313 return 0;
3513} 4314}
3514 4315
3515static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb) 4316static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
3516{ 4317{
3517 struct sock *sk; 4318 struct sock *sk;
3518 struct l2cap_pinfo *pi; 4319 struct l2cap_pinfo *pi;
3519 u16 control, len; 4320 u16 control;
3520 u8 tx_seq; 4321 u8 tx_seq;
3521 int err; 4322 int len;
3522 4323
3523 sk = l2cap_get_chan_by_scid(&conn->chan_list, cid); 4324 sk = l2cap_get_chan_by_scid(&conn->chan_list, cid);
3524 if (!sk) { 4325 if (!sk) {
@@ -3548,51 +4349,30 @@ static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk
3548 break; 4349 break;
3549 4350
3550 case L2CAP_MODE_ERTM: 4351 case L2CAP_MODE_ERTM:
3551 control = get_unaligned_le16(skb->data); 4352 if (!sock_owned_by_user(sk)) {
3552 skb_pull(skb, 2); 4353 l2cap_ertm_data_rcv(sk, skb);
3553 len = skb->len; 4354 } else {
3554 4355 if (sk_add_backlog(sk, skb))
3555 if (__is_sar_start(control)) 4356 goto drop;
3556 len -= 2; 4357 }
3557
3558 if (pi->fcs == L2CAP_FCS_CRC16)
3559 len -= 2;
3560
3561 /*
3562 * We can just drop the corrupted I-frame here.
3563 * Receiver will miss it and start proper recovery
3564 * procedures and ask retransmission.
3565 */
3566 if (len > L2CAP_DEFAULT_MAX_PDU_SIZE)
3567 goto drop;
3568
3569 if (l2cap_check_fcs(pi, skb))
3570 goto drop;
3571
3572 if (__is_iframe(control))
3573 err = l2cap_data_channel_iframe(sk, control, skb);
3574 else
3575 err = l2cap_data_channel_sframe(sk, control, skb);
3576 4358
3577 if (!err) 4359 goto done;
3578 goto done;
3579 break;
3580 4360
3581 case L2CAP_MODE_STREAMING: 4361 case L2CAP_MODE_STREAMING:
3582 control = get_unaligned_le16(skb->data); 4362 control = get_unaligned_le16(skb->data);
3583 skb_pull(skb, 2); 4363 skb_pull(skb, 2);
3584 len = skb->len; 4364 len = skb->len;
3585 4365
4366 if (l2cap_check_fcs(pi, skb))
4367 goto drop;
4368
3586 if (__is_sar_start(control)) 4369 if (__is_sar_start(control))
3587 len -= 2; 4370 len -= 2;
3588 4371
3589 if (pi->fcs == L2CAP_FCS_CRC16) 4372 if (pi->fcs == L2CAP_FCS_CRC16)
3590 len -= 2; 4373 len -= 2;
3591 4374
3592 if (len > L2CAP_DEFAULT_MAX_PDU_SIZE || __is_sframe(control)) 4375 if (len > pi->mps || len < 0 || __is_sframe(control))
3593 goto drop;
3594
3595 if (l2cap_check_fcs(pi, skb))
3596 goto drop; 4376 goto drop;
3597 4377
3598 tx_seq = __get_txseq(control); 4378 tx_seq = __get_txseq(control);
@@ -3600,14 +4380,14 @@ static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk
3600 if (pi->expected_tx_seq == tx_seq) 4380 if (pi->expected_tx_seq == tx_seq)
3601 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64; 4381 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
3602 else 4382 else
3603 pi->expected_tx_seq = tx_seq + 1; 4383 pi->expected_tx_seq = (tx_seq + 1) % 64;
3604 4384
3605 err = l2cap_sar_reassembly_sdu(sk, skb, control); 4385 l2cap_streaming_reassembly_sdu(sk, skb, control);
3606 4386
3607 goto done; 4387 goto done;
3608 4388
3609 default: 4389 default:
3610 BT_DBG("sk %p: bad mode 0x%2.2x", sk, l2cap_pi(sk)->mode); 4390 BT_DBG("sk %p: bad mode 0x%2.2x", sk, pi->mode);
3611 break; 4391 break;
3612 } 4392 }
3613 4393
@@ -3692,7 +4472,7 @@ static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
3692 struct hlist_node *node; 4472 struct hlist_node *node;
3693 4473
3694 if (type != ACL_LINK) 4474 if (type != ACL_LINK)
3695 return 0; 4475 return -EINVAL;
3696 4476
3697 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr)); 4477 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
3698 4478
@@ -3725,7 +4505,7 @@ static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
3725 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status); 4505 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
3726 4506
3727 if (hcon->type != ACL_LINK) 4507 if (hcon->type != ACL_LINK)
3728 return 0; 4508 return -EINVAL;
3729 4509
3730 if (!status) { 4510 if (!status) {
3731 conn = l2cap_conn_add(hcon, status); 4511 conn = l2cap_conn_add(hcon, status);
@@ -3754,7 +4534,7 @@ static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
3754 BT_DBG("hcon %p reason %d", hcon, reason); 4534 BT_DBG("hcon %p reason %d", hcon, reason);
3755 4535
3756 if (hcon->type != ACL_LINK) 4536 if (hcon->type != ACL_LINK)
3757 return 0; 4537 return -EINVAL;
3758 4538
3759 l2cap_conn_del(hcon, bt_err(reason)); 4539 l2cap_conn_del(hcon, bt_err(reason));
3760 4540
@@ -3763,7 +4543,7 @@ static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
3763 4543
3764static inline void l2cap_check_encryption(struct sock *sk, u8 encrypt) 4544static inline void l2cap_check_encryption(struct sock *sk, u8 encrypt)
3765{ 4545{
3766 if (sk->sk_type != SOCK_SEQPACKET) 4546 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM)
3767 return; 4547 return;
3768 4548
3769 if (encrypt == 0x00) { 4549 if (encrypt == 0x00) {
@@ -3815,6 +4595,7 @@ static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
3815 req.psm = l2cap_pi(sk)->psm; 4595 req.psm = l2cap_pi(sk)->psm;
3816 4596
3817 l2cap_pi(sk)->ident = l2cap_get_ident(conn); 4597 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
4598 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
3818 4599
3819 l2cap_send_cmd(conn, l2cap_pi(sk)->ident, 4600 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
3820 L2CAP_CONN_REQ, sizeof(req), &req); 4601 L2CAP_CONN_REQ, sizeof(req), &req);
@@ -3939,29 +4720,42 @@ drop:
3939 return 0; 4720 return 0;
3940} 4721}
3941 4722
3942static ssize_t l2cap_sysfs_show(struct class *dev, char *buf) 4723static int l2cap_debugfs_show(struct seq_file *f, void *p)
3943{ 4724{
3944 struct sock *sk; 4725 struct sock *sk;
3945 struct hlist_node *node; 4726 struct hlist_node *node;
3946 char *str = buf;
3947 4727
3948 read_lock_bh(&l2cap_sk_list.lock); 4728 read_lock_bh(&l2cap_sk_list.lock);
3949 4729
3950 sk_for_each(sk, node, &l2cap_sk_list.head) { 4730 sk_for_each(sk, node, &l2cap_sk_list.head) {
3951 struct l2cap_pinfo *pi = l2cap_pi(sk); 4731 struct l2cap_pinfo *pi = l2cap_pi(sk);
3952 4732
3953 str += sprintf(str, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d\n", 4733 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d\n",
3954 batostr(&bt_sk(sk)->src), batostr(&bt_sk(sk)->dst), 4734 batostr(&bt_sk(sk)->src),
3955 sk->sk_state, __le16_to_cpu(pi->psm), pi->scid, 4735 batostr(&bt_sk(sk)->dst),
3956 pi->dcid, pi->imtu, pi->omtu, pi->sec_level); 4736 sk->sk_state, __le16_to_cpu(pi->psm),
4737 pi->scid, pi->dcid,
4738 pi->imtu, pi->omtu, pi->sec_level);
3957 } 4739 }
3958 4740
3959 read_unlock_bh(&l2cap_sk_list.lock); 4741 read_unlock_bh(&l2cap_sk_list.lock);
3960 4742
3961 return str - buf; 4743 return 0;
4744}
4745
4746static int l2cap_debugfs_open(struct inode *inode, struct file *file)
4747{
4748 return single_open(file, l2cap_debugfs_show, inode->i_private);
3962} 4749}
3963 4750
3964static CLASS_ATTR(l2cap, S_IRUGO, l2cap_sysfs_show, NULL); 4751static const struct file_operations l2cap_debugfs_fops = {
4752 .open = l2cap_debugfs_open,
4753 .read = seq_read,
4754 .llseek = seq_lseek,
4755 .release = single_release,
4756};
4757
4758static struct dentry *l2cap_debugfs;
3965 4759
3966static const struct proto_ops l2cap_sock_ops = { 4760static const struct proto_ops l2cap_sock_ops = {
3967 .family = PF_BLUETOOTH, 4761 .family = PF_BLUETOOTH,
@@ -4008,6 +4802,10 @@ static int __init l2cap_init(void)
4008 if (err < 0) 4802 if (err < 0)
4009 return err; 4803 return err;
4010 4804
4805 _busy_wq = create_singlethread_workqueue("l2cap");
4806 if (!_busy_wq)
4807 goto error;
4808
4011 err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops); 4809 err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
4012 if (err < 0) { 4810 if (err < 0) {
4013 BT_ERR("L2CAP socket registration failed"); 4811 BT_ERR("L2CAP socket registration failed");
@@ -4021,8 +4819,12 @@ static int __init l2cap_init(void)
4021 goto error; 4819 goto error;
4022 } 4820 }
4023 4821
4024 if (class_create_file(bt_class, &class_attr_l2cap) < 0) 4822 if (bt_debugfs) {
4025 BT_ERR("Failed to create L2CAP info file"); 4823 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
4824 bt_debugfs, NULL, &l2cap_debugfs_fops);
4825 if (!l2cap_debugfs)
4826 BT_ERR("Failed to create L2CAP debug file");
4827 }
4026 4828
4027 BT_INFO("L2CAP ver %s", VERSION); 4829 BT_INFO("L2CAP ver %s", VERSION);
4028 BT_INFO("L2CAP socket layer initialized"); 4830 BT_INFO("L2CAP socket layer initialized");
@@ -4036,7 +4838,10 @@ error:
4036 4838
4037static void __exit l2cap_exit(void) 4839static void __exit l2cap_exit(void)
4038{ 4840{
4039 class_remove_file(bt_class, &class_attr_l2cap); 4841 debugfs_remove(l2cap_debugfs);
4842
4843 flush_workqueue(_busy_wq);
4844 destroy_workqueue(_busy_wq);
4040 4845
4041 if (bt_sock_unregister(BTPROTO_L2CAP) < 0) 4846 if (bt_sock_unregister(BTPROTO_L2CAP) < 0)
4042 BT_ERR("L2CAP socket unregistration failed"); 4847 BT_ERR("L2CAP socket unregistration failed");
@@ -4052,18 +4857,14 @@ void l2cap_load(void)
4052 /* Dummy function to trigger automatic L2CAP module loading by 4857 /* Dummy function to trigger automatic L2CAP module loading by
4053 * other modules that use L2CAP sockets but don't use any other 4858 * other modules that use L2CAP sockets but don't use any other
4054 * symbols from it. */ 4859 * symbols from it. */
4055 return;
4056} 4860}
4057EXPORT_SYMBOL(l2cap_load); 4861EXPORT_SYMBOL(l2cap_load);
4058 4862
4059module_init(l2cap_init); 4863module_init(l2cap_init);
4060module_exit(l2cap_exit); 4864module_exit(l2cap_exit);
4061 4865
4062module_param(enable_ertm, bool, 0644); 4866module_param(disable_ertm, bool, 0644);
4063MODULE_PARM_DESC(enable_ertm, "Enable enhanced retransmission mode"); 4867MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
4064
4065module_param(max_transmit, uint, 0644);
4066MODULE_PARM_DESC(max_transmit, "Max transmit value (default = 3)");
4067 4868
4068MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>"); 4869MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
4069MODULE_DESCRIPTION("Bluetooth L2CAP ver " VERSION); 4870MODULE_DESCRIPTION("Bluetooth L2CAP ver " VERSION);
generated by cgit v1.2.2 (git 2.25.0) at 2025-12-12 12:36:23 -0500