aboutsummaryrefslogtreecommitdiffstats
path: root/net/bluetooth
diff options
context:
space:
mode:
Diffstat (limited to 'net/bluetooth')
-rw-r--r--net/bluetooth/Kconfig13
-rw-r--r--net/bluetooth/bnep/bnep.h8
-rw-r--r--net/bluetooth/bnep/netdev.c2
-rw-r--r--net/bluetooth/hci_conn.c7
-rw-r--r--net/bluetooth/hci_core.c204
-rw-r--r--net/bluetooth/hci_event.c10
-rw-r--r--net/bluetooth/hci_sock.c90
-rw-r--r--net/bluetooth/hci_sysfs.c38
-rw-r--r--net/bluetooth/l2cap.c677
9 files changed, 715 insertions, 334 deletions
diff --git a/net/bluetooth/Kconfig b/net/bluetooth/Kconfig
index ee3b3049d385..ed371684c133 100644
--- a/net/bluetooth/Kconfig
+++ b/net/bluetooth/Kconfig
@@ -43,19 +43,6 @@ config BT_L2CAP
43 Say Y here to compile L2CAP support into the kernel or say M to 43 Say Y here to compile L2CAP support into the kernel or say M to
44 compile it as module (l2cap). 44 compile it as module (l2cap).
45 45
46config BT_L2CAP_EXT_FEATURES
47 bool "L2CAP Extended Features support (EXPERIMENTAL)"
48 depends on BT_L2CAP && EXPERIMENTAL
49 help
50 This option enables the L2CAP Extended Features support. These
51 new features include the Enhanced Retransmission and Streaming
52 Modes, the Frame Check Sequence (FCS), and Segmentation and
53 Reassembly (SAR) for L2CAP packets. They are a required for the
54 new Alternate MAC/PHY and the Bluetooth Medical Profile.
55
56 You should say N unless you know what you are doing. Note that
57 this is in an experimental state yet.
58
59config BT_SCO 46config BT_SCO
60 tristate "SCO links support" 47 tristate "SCO links support"
61 depends on BT 48 depends on BT
diff --git a/net/bluetooth/bnep/bnep.h b/net/bluetooth/bnep/bnep.h
index 0d9e506f5d5a..70672544db86 100644
--- a/net/bluetooth/bnep/bnep.h
+++ b/net/bluetooth/bnep/bnep.h
@@ -86,26 +86,26 @@ struct bnep_setup_conn_req {
86 __u8 ctrl; 86 __u8 ctrl;
87 __u8 uuid_size; 87 __u8 uuid_size;
88 __u8 service[0]; 88 __u8 service[0];
89} __attribute__((packed)); 89} __packed;
90 90
91struct bnep_set_filter_req { 91struct bnep_set_filter_req {
92 __u8 type; 92 __u8 type;
93 __u8 ctrl; 93 __u8 ctrl;
94 __be16 len; 94 __be16 len;
95 __u8 list[0]; 95 __u8 list[0];
96} __attribute__((packed)); 96} __packed;
97 97
98struct bnep_control_rsp { 98struct bnep_control_rsp {
99 __u8 type; 99 __u8 type;
100 __u8 ctrl; 100 __u8 ctrl;
101 __be16 resp; 101 __be16 resp;
102} __attribute__((packed)); 102} __packed;
103 103
104struct bnep_ext_hdr { 104struct bnep_ext_hdr {
105 __u8 type; 105 __u8 type;
106 __u8 len; 106 __u8 len;
107 __u8 data[0]; 107 __u8 data[0];
108} __attribute__((packed)); 108} __packed;
109 109
110/* BNEP ioctl defines */ 110/* BNEP ioctl defines */
111#define BNEPCONNADD _IOW('B', 200, int) 111#define BNEPCONNADD _IOW('B', 200, int)
diff --git a/net/bluetooth/bnep/netdev.c b/net/bluetooth/bnep/netdev.c
index 0faad5ce6dc4..8c100c9dae28 100644
--- a/net/bluetooth/bnep/netdev.c
+++ b/net/bluetooth/bnep/netdev.c
@@ -104,6 +104,8 @@ static void bnep_net_set_mc_list(struct net_device *dev)
104 break; 104 break;
105 memcpy(__skb_put(skb, ETH_ALEN), ha->addr, ETH_ALEN); 105 memcpy(__skb_put(skb, ETH_ALEN), ha->addr, ETH_ALEN);
106 memcpy(__skb_put(skb, ETH_ALEN), ha->addr, ETH_ALEN); 106 memcpy(__skb_put(skb, ETH_ALEN), ha->addr, ETH_ALEN);
107
108 i++;
107 } 109 }
108 r->len = htons(skb->len - len); 110 r->len = htons(skb->len - len);
109 } 111 }
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index b10e3cdb08f8..e9fef83449f8 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -1,6 +1,6 @@
1/* 1/*
2 BlueZ - Bluetooth protocol stack for Linux 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated 3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
4 4
5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com> 5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
6 6
@@ -358,6 +358,11 @@ struct hci_conn *hci_connect(struct hci_dev *hdev, int type, bdaddr_t *dst, __u8
358 acl->sec_level = sec_level; 358 acl->sec_level = sec_level;
359 acl->auth_type = auth_type; 359 acl->auth_type = auth_type;
360 hci_acl_connect(acl); 360 hci_acl_connect(acl);
361 } else {
362 if (acl->sec_level < sec_level)
363 acl->sec_level = sec_level;
364 if (acl->auth_type < auth_type)
365 acl->auth_type = auth_type;
361 } 366 }
362 367
363 if (type == ACL_LINK) 368 if (type == ACL_LINK)
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 2f768de87011..995c9f9b84d0 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -562,6 +562,7 @@ static int hci_dev_do_close(struct hci_dev *hdev)
562 hci_dev_lock_bh(hdev); 562 hci_dev_lock_bh(hdev);
563 inquiry_cache_flush(hdev); 563 inquiry_cache_flush(hdev);
564 hci_conn_hash_flush(hdev); 564 hci_conn_hash_flush(hdev);
565 hci_blacklist_clear(hdev);
565 hci_dev_unlock_bh(hdev); 566 hci_dev_unlock_bh(hdev);
566 567
567 hci_notify(hdev, HCI_DEV_DOWN); 568 hci_notify(hdev, HCI_DEV_DOWN);
@@ -913,7 +914,7 @@ int hci_register_dev(struct hci_dev *hdev)
913 skb_queue_head_init(&hdev->cmd_q); 914 skb_queue_head_init(&hdev->cmd_q);
914 skb_queue_head_init(&hdev->raw_q); 915 skb_queue_head_init(&hdev->raw_q);
915 916
916 for (i = 0; i < 3; i++) 917 for (i = 0; i < NUM_REASSEMBLY; i++)
917 hdev->reassembly[i] = NULL; 918 hdev->reassembly[i] = NULL;
918 919
919 init_waitqueue_head(&hdev->req_wait_q); 920 init_waitqueue_head(&hdev->req_wait_q);
@@ -923,6 +924,8 @@ int hci_register_dev(struct hci_dev *hdev)
923 924
924 hci_conn_hash_init(hdev); 925 hci_conn_hash_init(hdev);
925 926
927 INIT_LIST_HEAD(&hdev->blacklist.list);
928
926 memset(&hdev->stat, 0, sizeof(struct hci_dev_stats)); 929 memset(&hdev->stat, 0, sizeof(struct hci_dev_stats));
927 930
928 atomic_set(&hdev->promisc, 0); 931 atomic_set(&hdev->promisc, 0);
@@ -970,7 +973,7 @@ int hci_unregister_dev(struct hci_dev *hdev)
970 973
971 hci_dev_do_close(hdev); 974 hci_dev_do_close(hdev);
972 975
973 for (i = 0; i < 3; i++) 976 for (i = 0; i < NUM_REASSEMBLY; i++)
974 kfree_skb(hdev->reassembly[i]); 977 kfree_skb(hdev->reassembly[i]);
975 978
976 hci_notify(hdev, HCI_DEV_UNREG); 979 hci_notify(hdev, HCI_DEV_UNREG);
@@ -1030,89 +1033,170 @@ int hci_recv_frame(struct sk_buff *skb)
1030} 1033}
1031EXPORT_SYMBOL(hci_recv_frame); 1034EXPORT_SYMBOL(hci_recv_frame);
1032 1035
1033/* Receive packet type fragment */ 1036static int hci_reassembly(struct hci_dev *hdev, int type, void *data,
1034#define __reassembly(hdev, type) ((hdev)->reassembly[(type) - 2]) 1037 int count, __u8 index, gfp_t gfp_mask)
1035
1036int hci_recv_fragment(struct hci_dev *hdev, int type, void *data, int count)
1037{ 1038{
1038 if (type < HCI_ACLDATA_PKT || type > HCI_EVENT_PKT) 1039 int len = 0;
1040 int hlen = 0;
1041 int remain = count;
1042 struct sk_buff *skb;
1043 struct bt_skb_cb *scb;
1044
1045 if ((type < HCI_ACLDATA_PKT || type > HCI_EVENT_PKT) ||
1046 index >= NUM_REASSEMBLY)
1039 return -EILSEQ; 1047 return -EILSEQ;
1040 1048
1049 skb = hdev->reassembly[index];
1050
1051 if (!skb) {
1052 switch (type) {
1053 case HCI_ACLDATA_PKT:
1054 len = HCI_MAX_FRAME_SIZE;
1055 hlen = HCI_ACL_HDR_SIZE;
1056 break;
1057 case HCI_EVENT_PKT:
1058 len = HCI_MAX_EVENT_SIZE;
1059 hlen = HCI_EVENT_HDR_SIZE;
1060 break;
1061 case HCI_SCODATA_PKT:
1062 len = HCI_MAX_SCO_SIZE;
1063 hlen = HCI_SCO_HDR_SIZE;
1064 break;
1065 }
1066
1067 skb = bt_skb_alloc(len, gfp_mask);
1068 if (!skb)
1069 return -ENOMEM;
1070
1071 scb = (void *) skb->cb;
1072 scb->expect = hlen;
1073 scb->pkt_type = type;
1074
1075 skb->dev = (void *) hdev;
1076 hdev->reassembly[index] = skb;
1077 }
1078
1041 while (count) { 1079 while (count) {
1042 struct sk_buff *skb = __reassembly(hdev, type); 1080 scb = (void *) skb->cb;
1043 struct { int expect; } *scb; 1081 len = min(scb->expect, (__u16)count);
1044 int len = 0;
1045 1082
1046 if (!skb) { 1083 memcpy(skb_put(skb, len), data, len);
1047 /* Start of the frame */
1048 1084
1049 switch (type) { 1085 count -= len;
1050 case HCI_EVENT_PKT: 1086 data += len;
1051 if (count >= HCI_EVENT_HDR_SIZE) { 1087 scb->expect -= len;
1052 struct hci_event_hdr *h = data; 1088 remain = count;
1053 len = HCI_EVENT_HDR_SIZE + h->plen;
1054 } else
1055 return -EILSEQ;
1056 break;
1057 1089
1058 case HCI_ACLDATA_PKT: 1090 switch (type) {
1059 if (count >= HCI_ACL_HDR_SIZE) { 1091 case HCI_EVENT_PKT:
1060 struct hci_acl_hdr *h = data; 1092 if (skb->len == HCI_EVENT_HDR_SIZE) {
1061 len = HCI_ACL_HDR_SIZE + __le16_to_cpu(h->dlen); 1093 struct hci_event_hdr *h = hci_event_hdr(skb);
1062 } else 1094 scb->expect = h->plen;
1063 return -EILSEQ; 1095
1064 break; 1096 if (skb_tailroom(skb) < scb->expect) {
1097 kfree_skb(skb);
1098 hdev->reassembly[index] = NULL;
1099 return -ENOMEM;
1100 }
1101 }
1102 break;
1065 1103
1066 case HCI_SCODATA_PKT: 1104 case HCI_ACLDATA_PKT:
1067 if (count >= HCI_SCO_HDR_SIZE) { 1105 if (skb->len == HCI_ACL_HDR_SIZE) {
1068 struct hci_sco_hdr *h = data; 1106 struct hci_acl_hdr *h = hci_acl_hdr(skb);
1069 len = HCI_SCO_HDR_SIZE + h->dlen; 1107 scb->expect = __le16_to_cpu(h->dlen);
1070 } else 1108
1071 return -EILSEQ; 1109 if (skb_tailroom(skb) < scb->expect) {
1072 break; 1110 kfree_skb(skb);
1111 hdev->reassembly[index] = NULL;
1112 return -ENOMEM;
1113 }
1073 } 1114 }
1115 break;
1074 1116
1075 skb = bt_skb_alloc(len, GFP_ATOMIC); 1117 case HCI_SCODATA_PKT:
1076 if (!skb) { 1118 if (skb->len == HCI_SCO_HDR_SIZE) {
1077 BT_ERR("%s no memory for packet", hdev->name); 1119 struct hci_sco_hdr *h = hci_sco_hdr(skb);
1078 return -ENOMEM; 1120 scb->expect = h->dlen;
1121
1122 if (skb_tailroom(skb) < scb->expect) {
1123 kfree_skb(skb);
1124 hdev->reassembly[index] = NULL;
1125 return -ENOMEM;
1126 }
1079 } 1127 }
1128 break;
1129 }
1130
1131 if (scb->expect == 0) {
1132 /* Complete frame */
1080 1133
1081 skb->dev = (void *) hdev;
1082 bt_cb(skb)->pkt_type = type; 1134 bt_cb(skb)->pkt_type = type;
1135 hci_recv_frame(skb);
1083 1136
1084 __reassembly(hdev, type) = skb; 1137 hdev->reassembly[index] = NULL;
1138 return remain;
1139 }
1140 }
1085 1141
1086 scb = (void *) skb->cb; 1142 return remain;
1087 scb->expect = len; 1143}
1088 } else {
1089 /* Continuation */
1090 1144
1091 scb = (void *) skb->cb; 1145int hci_recv_fragment(struct hci_dev *hdev, int type, void *data, int count)
1092 len = scb->expect; 1146{
1093 } 1147 int rem = 0;
1094 1148
1095 len = min(len, count); 1149 if (type < HCI_ACLDATA_PKT || type > HCI_EVENT_PKT)
1150 return -EILSEQ;
1096 1151
1097 memcpy(skb_put(skb, len), data, len); 1152 do {
1153 rem = hci_reassembly(hdev, type, data, count,
1154 type - 1, GFP_ATOMIC);
1155 if (rem < 0)
1156 return rem;
1098 1157
1099 scb->expect -= len; 1158 data += (count - rem);
1159 count = rem;
1160 } while (count);
1100 1161
1101 if (scb->expect == 0) { 1162 return rem;
1102 /* Complete frame */ 1163}
1164EXPORT_SYMBOL(hci_recv_fragment);
1103 1165
1104 __reassembly(hdev, type) = NULL; 1166#define STREAM_REASSEMBLY 0
1105 1167
1106 bt_cb(skb)->pkt_type = type; 1168int hci_recv_stream_fragment(struct hci_dev *hdev, void *data, int count)
1107 hci_recv_frame(skb); 1169{
1108 } 1170 int type;
1171 int rem = 0;
1109 1172
1110 count -= len; data += len; 1173 do {
1111 } 1174 struct sk_buff *skb = hdev->reassembly[STREAM_REASSEMBLY];
1112 1175
1113 return 0; 1176 if (!skb) {
1177 struct { char type; } *pkt;
1178
1179 /* Start of the frame */
1180 pkt = data;
1181 type = pkt->type;
1182
1183 data++;
1184 count--;
1185 } else
1186 type = bt_cb(skb)->pkt_type;
1187
1188 rem = hci_reassembly(hdev, type, data,
1189 count, STREAM_REASSEMBLY, GFP_ATOMIC);
1190 if (rem < 0)
1191 return rem;
1192
1193 data += (count - rem);
1194 count = rem;
1195 } while (count);
1196
1197 return rem;
1114} 1198}
1115EXPORT_SYMBOL(hci_recv_fragment); 1199EXPORT_SYMBOL(hci_recv_stream_fragment);
1116 1200
1117/* ---- Interface to upper protocols ---- */ 1201/* ---- Interface to upper protocols ---- */
1118 1202
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 6c57fc71c7e2..2069c3b05fda 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -1,6 +1,6 @@
1/* 1/*
2 BlueZ - Bluetooth protocol stack for Linux 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated 3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
4 4
5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com> 5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
6 6
@@ -584,7 +584,7 @@ static inline void hci_cs_create_conn(struct hci_dev *hdev, __u8 status)
584 conn->out = 1; 584 conn->out = 1;
585 conn->link_mode |= HCI_LM_MASTER; 585 conn->link_mode |= HCI_LM_MASTER;
586 } else 586 } else
587 BT_ERR("No memmory for new connection"); 587 BT_ERR("No memory for new connection");
588 } 588 }
589 } 589 }
590 590
@@ -952,7 +952,7 @@ static inline void hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *sk
952 952
953 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type); 953 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type);
954 954
955 if (mask & HCI_LM_ACCEPT) { 955 if ((mask & HCI_LM_ACCEPT) && !hci_blacklist_lookup(hdev, &ev->bdaddr)) {
956 /* Connection accepted */ 956 /* Connection accepted */
957 struct inquiry_entry *ie; 957 struct inquiry_entry *ie;
958 struct hci_conn *conn; 958 struct hci_conn *conn;
@@ -965,7 +965,7 @@ static inline void hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *sk
965 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr); 965 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
966 if (!conn) { 966 if (!conn) {
967 if (!(conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr))) { 967 if (!(conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr))) {
968 BT_ERR("No memmory for new connection"); 968 BT_ERR("No memory for new connection");
969 hci_dev_unlock(hdev); 969 hci_dev_unlock(hdev);
970 return; 970 return;
971 } 971 }
@@ -1049,6 +1049,8 @@ static inline void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *s
1049 if (conn) { 1049 if (conn) {
1050 if (!ev->status) 1050 if (!ev->status)
1051 conn->link_mode |= HCI_LM_AUTH; 1051 conn->link_mode |= HCI_LM_AUTH;
1052 else
1053 conn->sec_level = BT_SECURITY_LOW;
1052 1054
1053 clear_bit(HCI_CONN_AUTH_PEND, &conn->pend); 1055 clear_bit(HCI_CONN_AUTH_PEND, &conn->pend);
1054 1056
diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
index 38f08f6b86f6..4f170a595934 100644
--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -165,6 +165,86 @@ static int hci_sock_release(struct socket *sock)
165 return 0; 165 return 0;
166} 166}
167 167
168struct bdaddr_list *hci_blacklist_lookup(struct hci_dev *hdev, bdaddr_t *bdaddr)
169{
170 struct list_head *p;
171 struct bdaddr_list *blacklist = &hdev->blacklist;
172
173 list_for_each(p, &blacklist->list) {
174 struct bdaddr_list *b;
175
176 b = list_entry(p, struct bdaddr_list, list);
177
178 if (bacmp(bdaddr, &b->bdaddr) == 0)
179 return b;
180 }
181
182 return NULL;
183}
184
185static int hci_blacklist_add(struct hci_dev *hdev, void __user *arg)
186{
187 bdaddr_t bdaddr;
188 struct bdaddr_list *entry;
189
190 if (copy_from_user(&bdaddr, arg, sizeof(bdaddr)))
191 return -EFAULT;
192
193 if (bacmp(&bdaddr, BDADDR_ANY) == 0)
194 return -EBADF;
195
196 if (hci_blacklist_lookup(hdev, &bdaddr))
197 return -EEXIST;
198
199 entry = kzalloc(sizeof(struct bdaddr_list), GFP_KERNEL);
200 if (!entry)
201 return -ENOMEM;
202
203 bacpy(&entry->bdaddr, &bdaddr);
204
205 list_add(&entry->list, &hdev->blacklist.list);
206
207 return 0;
208}
209
210int hci_blacklist_clear(struct hci_dev *hdev)
211{
212 struct list_head *p, *n;
213 struct bdaddr_list *blacklist = &hdev->blacklist;
214
215 list_for_each_safe(p, n, &blacklist->list) {
216 struct bdaddr_list *b;
217
218 b = list_entry(p, struct bdaddr_list, list);
219
220 list_del(p);
221 kfree(b);
222 }
223
224 return 0;
225}
226
227static int hci_blacklist_del(struct hci_dev *hdev, void __user *arg)
228{
229 bdaddr_t bdaddr;
230 struct bdaddr_list *entry;
231
232 if (copy_from_user(&bdaddr, arg, sizeof(bdaddr)))
233 return -EFAULT;
234
235 if (bacmp(&bdaddr, BDADDR_ANY) == 0)
236 return hci_blacklist_clear(hdev);
237
238 entry = hci_blacklist_lookup(hdev, &bdaddr);
239 if (!entry)
240 return -ENOENT;
241
242 list_del(&entry->list);
243 kfree(entry);
244
245 return 0;
246}
247
168/* Ioctls that require bound socket */ 248/* Ioctls that require bound socket */
169static inline int hci_sock_bound_ioctl(struct sock *sk, unsigned int cmd, unsigned long arg) 249static inline int hci_sock_bound_ioctl(struct sock *sk, unsigned int cmd, unsigned long arg)
170{ 250{
@@ -194,6 +274,16 @@ static inline int hci_sock_bound_ioctl(struct sock *sk, unsigned int cmd, unsign
194 case HCIGETAUTHINFO: 274 case HCIGETAUTHINFO:
195 return hci_get_auth_info(hdev, (void __user *) arg); 275 return hci_get_auth_info(hdev, (void __user *) arg);
196 276
277 case HCIBLOCKADDR:
278 if (!capable(CAP_NET_ADMIN))
279 return -EACCES;
280 return hci_blacklist_add(hdev, (void __user *) arg);
281
282 case HCIUNBLOCKADDR:
283 if (!capable(CAP_NET_ADMIN))
284 return -EACCES;
285 return hci_blacklist_del(hdev, (void __user *) arg);
286
197 default: 287 default:
198 if (hdev->ioctl) 288 if (hdev->ioctl)
199 return hdev->ioctl(hdev, cmd, arg); 289 return hdev->ioctl(hdev, cmd, arg);
diff --git a/net/bluetooth/hci_sysfs.c b/net/bluetooth/hci_sysfs.c
index 463ffa4fe042..ce44c47eeac1 100644
--- a/net/bluetooth/hci_sysfs.c
+++ b/net/bluetooth/hci_sysfs.c
@@ -436,6 +436,41 @@ static const struct file_operations inquiry_cache_fops = {
436 .release = single_release, 436 .release = single_release,
437}; 437};
438 438
439static int blacklist_show(struct seq_file *f, void *p)
440{
441 struct hci_dev *hdev = f->private;
442 struct bdaddr_list *blacklist = &hdev->blacklist;
443 struct list_head *l;
444
445 hci_dev_lock_bh(hdev);
446
447 list_for_each(l, &blacklist->list) {
448 struct bdaddr_list *b;
449 bdaddr_t bdaddr;
450
451 b = list_entry(l, struct bdaddr_list, list);
452
453 baswap(&bdaddr, &b->bdaddr);
454
455 seq_printf(f, "%s\n", batostr(&bdaddr));
456 }
457
458 hci_dev_unlock_bh(hdev);
459
460 return 0;
461}
462
463static int blacklist_open(struct inode *inode, struct file *file)
464{
465 return single_open(file, blacklist_show, inode->i_private);
466}
467
468static const struct file_operations blacklist_fops = {
469 .open = blacklist_open,
470 .read = seq_read,
471 .llseek = seq_lseek,
472 .release = single_release,
473};
439int hci_register_sysfs(struct hci_dev *hdev) 474int hci_register_sysfs(struct hci_dev *hdev)
440{ 475{
441 struct device *dev = &hdev->dev; 476 struct device *dev = &hdev->dev;
@@ -465,6 +500,9 @@ int hci_register_sysfs(struct hci_dev *hdev)
465 debugfs_create_file("inquiry_cache", 0444, hdev->debugfs, 500 debugfs_create_file("inquiry_cache", 0444, hdev->debugfs,
466 hdev, &inquiry_cache_fops); 501 hdev, &inquiry_cache_fops);
467 502
503 debugfs_create_file("blacklist", 0444, hdev->debugfs,
504 hdev, &blacklist_fops);
505
468 return 0; 506 return 0;
469} 507}
470 508
diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c
index 1b682a5aa061..9ba1e8eee37c 100644
--- a/net/bluetooth/l2cap.c
+++ b/net/bluetooth/l2cap.c
@@ -1,6 +1,8 @@
1/* 1/*
2 BlueZ - Bluetooth protocol stack for Linux 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated 3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5 Copyright (C) 2010 Google Inc.
4 6
5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com> 7 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
6 8
@@ -53,15 +55,9 @@
53#include <net/bluetooth/hci_core.h> 55#include <net/bluetooth/hci_core.h>
54#include <net/bluetooth/l2cap.h> 56#include <net/bluetooth/l2cap.h>
55 57
56#define VERSION "2.14" 58#define VERSION "2.15"
57 59
58#ifdef CONFIG_BT_L2CAP_EXT_FEATURES 60static int disable_ertm = 0;
59static int enable_ertm = 1;
60#else
61static int enable_ertm = 0;
62#endif
63static int max_transmit = L2CAP_DEFAULT_MAX_TX;
64static int tx_window = L2CAP_DEFAULT_TX_WINDOW;
65 61
66static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN; 62static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
67static u8 l2cap_fixed_chan[8] = { 0x02, }; 63static u8 l2cap_fixed_chan[8] = { 0x02, };
@@ -80,9 +76,12 @@ static void __l2cap_sock_close(struct sock *sk, int reason);
80static void l2cap_sock_close(struct sock *sk); 76static void l2cap_sock_close(struct sock *sk);
81static void l2cap_sock_kill(struct sock *sk); 77static void l2cap_sock_kill(struct sock *sk);
82 78
79static int l2cap_build_conf_req(struct sock *sk, void *data);
83static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, 80static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
84 u8 code, u8 ident, u16 dlen, void *data); 81 u8 code, u8 ident, u16 dlen, void *data);
85 82
83static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb);
84
86/* ---- L2CAP timers ---- */ 85/* ---- L2CAP timers ---- */
87static void l2cap_sock_timeout(unsigned long arg) 86static void l2cap_sock_timeout(unsigned long arg)
88{ 87{
@@ -278,6 +277,24 @@ static void l2cap_chan_del(struct sock *sk, int err)
278 parent->sk_data_ready(parent, 0); 277 parent->sk_data_ready(parent, 0);
279 } else 278 } else
280 sk->sk_state_change(sk); 279 sk->sk_state_change(sk);
280
281 skb_queue_purge(TX_QUEUE(sk));
282
283 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM) {
284 struct srej_list *l, *tmp;
285
286 del_timer(&l2cap_pi(sk)->retrans_timer);
287 del_timer(&l2cap_pi(sk)->monitor_timer);
288 del_timer(&l2cap_pi(sk)->ack_timer);
289
290 skb_queue_purge(SREJ_QUEUE(sk));
291 skb_queue_purge(BUSY_QUEUE(sk));
292
293 list_for_each_entry_safe(l, tmp, SREJ_LIST(sk), list) {
294 list_del(&l->list);
295 kfree(l);
296 }
297 }
281} 298}
282 299
283/* Service level security */ 300/* Service level security */
@@ -351,8 +368,12 @@ static inline void l2cap_send_sframe(struct l2cap_pinfo *pi, u16 control)
351 struct sk_buff *skb; 368 struct sk_buff *skb;
352 struct l2cap_hdr *lh; 369 struct l2cap_hdr *lh;
353 struct l2cap_conn *conn = pi->conn; 370 struct l2cap_conn *conn = pi->conn;
371 struct sock *sk = (struct sock *)pi;
354 int count, hlen = L2CAP_HDR_SIZE + 2; 372 int count, hlen = L2CAP_HDR_SIZE + 2;
355 373
374 if (sk->sk_state != BT_CONNECTED)
375 return;
376
356 if (pi->fcs == L2CAP_FCS_CRC16) 377 if (pi->fcs == L2CAP_FCS_CRC16)
357 hlen += 2; 378 hlen += 2;
358 379
@@ -401,6 +422,11 @@ static inline void l2cap_send_rr_or_rnr(struct l2cap_pinfo *pi, u16 control)
401 l2cap_send_sframe(pi, control); 422 l2cap_send_sframe(pi, control);
402} 423}
403 424
425static inline int __l2cap_no_conn_pending(struct sock *sk)
426{
427 return !(l2cap_pi(sk)->conf_state & L2CAP_CONF_CONNECT_PEND);
428}
429
404static void l2cap_do_start(struct sock *sk) 430static void l2cap_do_start(struct sock *sk)
405{ 431{
406 struct l2cap_conn *conn = l2cap_pi(sk)->conn; 432 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
@@ -409,12 +435,13 @@ static void l2cap_do_start(struct sock *sk)
409 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)) 435 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
410 return; 436 return;
411 437
412 if (l2cap_check_security(sk)) { 438 if (l2cap_check_security(sk) && __l2cap_no_conn_pending(sk)) {
413 struct l2cap_conn_req req; 439 struct l2cap_conn_req req;
414 req.scid = cpu_to_le16(l2cap_pi(sk)->scid); 440 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
415 req.psm = l2cap_pi(sk)->psm; 441 req.psm = l2cap_pi(sk)->psm;
416 442
417 l2cap_pi(sk)->ident = l2cap_get_ident(conn); 443 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
444 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
418 445
419 l2cap_send_cmd(conn, l2cap_pi(sk)->ident, 446 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
420 L2CAP_CONN_REQ, sizeof(req), &req); 447 L2CAP_CONN_REQ, sizeof(req), &req);
@@ -434,24 +461,57 @@ static void l2cap_do_start(struct sock *sk)
434 } 461 }
435} 462}
436 463
437static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct sock *sk) 464static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
465{
466 u32 local_feat_mask = l2cap_feat_mask;
467 if (!disable_ertm)
468 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
469
470 switch (mode) {
471 case L2CAP_MODE_ERTM:
472 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
473 case L2CAP_MODE_STREAMING:
474 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
475 default:
476 return 0x00;
477 }
478}
479
480static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct sock *sk, int err)
438{ 481{
439 struct l2cap_disconn_req req; 482 struct l2cap_disconn_req req;
440 483
484 if (!conn)
485 return;
486
487 skb_queue_purge(TX_QUEUE(sk));
488
489 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM) {
490 del_timer(&l2cap_pi(sk)->retrans_timer);
491 del_timer(&l2cap_pi(sk)->monitor_timer);
492 del_timer(&l2cap_pi(sk)->ack_timer);
493 }
494
441 req.dcid = cpu_to_le16(l2cap_pi(sk)->dcid); 495 req.dcid = cpu_to_le16(l2cap_pi(sk)->dcid);
442 req.scid = cpu_to_le16(l2cap_pi(sk)->scid); 496 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
443 l2cap_send_cmd(conn, l2cap_get_ident(conn), 497 l2cap_send_cmd(conn, l2cap_get_ident(conn),
444 L2CAP_DISCONN_REQ, sizeof(req), &req); 498 L2CAP_DISCONN_REQ, sizeof(req), &req);
499
500 sk->sk_state = BT_DISCONN;
501 sk->sk_err = err;
445} 502}
446 503
447/* ---- L2CAP connections ---- */ 504/* ---- L2CAP connections ---- */
448static void l2cap_conn_start(struct l2cap_conn *conn) 505static void l2cap_conn_start(struct l2cap_conn *conn)
449{ 506{
450 struct l2cap_chan_list *l = &conn->chan_list; 507 struct l2cap_chan_list *l = &conn->chan_list;
508 struct sock_del_list del, *tmp1, *tmp2;
451 struct sock *sk; 509 struct sock *sk;
452 510
453 BT_DBG("conn %p", conn); 511 BT_DBG("conn %p", conn);
454 512
513 INIT_LIST_HEAD(&del.list);
514
455 read_lock(&l->lock); 515 read_lock(&l->lock);
456 516
457 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) { 517 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
@@ -464,18 +524,38 @@ static void l2cap_conn_start(struct l2cap_conn *conn)
464 } 524 }
465 525
466 if (sk->sk_state == BT_CONNECT) { 526 if (sk->sk_state == BT_CONNECT) {
467 if (l2cap_check_security(sk)) { 527 struct l2cap_conn_req req;
468 struct l2cap_conn_req req;
469 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
470 req.psm = l2cap_pi(sk)->psm;
471 528
472 l2cap_pi(sk)->ident = l2cap_get_ident(conn); 529 if (!l2cap_check_security(sk) ||
530 !__l2cap_no_conn_pending(sk)) {
531 bh_unlock_sock(sk);
532 continue;
533 }
473 534
474 l2cap_send_cmd(conn, l2cap_pi(sk)->ident, 535 if (!l2cap_mode_supported(l2cap_pi(sk)->mode,
475 L2CAP_CONN_REQ, sizeof(req), &req); 536 conn->feat_mask)
537 && l2cap_pi(sk)->conf_state &
538 L2CAP_CONF_STATE2_DEVICE) {
539 tmp1 = kzalloc(sizeof(struct sock_del_list),
540 GFP_ATOMIC);
541 tmp1->sk = sk;
542 list_add_tail(&tmp1->list, &del.list);
543 bh_unlock_sock(sk);
544 continue;
476 } 545 }
546
547 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
548 req.psm = l2cap_pi(sk)->psm;
549
550 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
551 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
552
553 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
554 L2CAP_CONN_REQ, sizeof(req), &req);
555
477 } else if (sk->sk_state == BT_CONNECT2) { 556 } else if (sk->sk_state == BT_CONNECT2) {
478 struct l2cap_conn_rsp rsp; 557 struct l2cap_conn_rsp rsp;
558 char buf[128];
479 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid); 559 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
480 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid); 560 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
481 561
@@ -498,12 +578,31 @@ static void l2cap_conn_start(struct l2cap_conn *conn)
498 578
499 l2cap_send_cmd(conn, l2cap_pi(sk)->ident, 579 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
500 L2CAP_CONN_RSP, sizeof(rsp), &rsp); 580 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
581
582 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT ||
583 rsp.result != L2CAP_CR_SUCCESS) {
584 bh_unlock_sock(sk);
585 continue;
586 }
587
588 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
589 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
590 l2cap_build_conf_req(sk, buf), buf);
591 l2cap_pi(sk)->num_conf_req++;
501 } 592 }
502 593
503 bh_unlock_sock(sk); 594 bh_unlock_sock(sk);
504 } 595 }
505 596
506 read_unlock(&l->lock); 597 read_unlock(&l->lock);
598
599 list_for_each_entry_safe(tmp1, tmp2, &del.list, list) {
600 bh_lock_sock(tmp1->sk);
601 __l2cap_sock_close(tmp1->sk, ECONNRESET);
602 bh_unlock_sock(tmp1->sk);
603 list_del(&tmp1->list);
604 kfree(tmp1);
605 }
507} 606}
508 607
509static void l2cap_conn_ready(struct l2cap_conn *conn) 608static void l2cap_conn_ready(struct l2cap_conn *conn)
@@ -732,9 +831,8 @@ static void __l2cap_sock_close(struct sock *sk, int reason)
732 sk->sk_type == SOCK_STREAM) { 831 sk->sk_type == SOCK_STREAM) {
733 struct l2cap_conn *conn = l2cap_pi(sk)->conn; 832 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
734 833
735 sk->sk_state = BT_DISCONN;
736 l2cap_sock_set_timer(sk, sk->sk_sndtimeo); 834 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
737 l2cap_send_disconn_req(conn, sk); 835 l2cap_send_disconn_req(conn, sk, reason);
738 } else 836 } else
739 l2cap_chan_del(sk, reason); 837 l2cap_chan_del(sk, reason);
740 break; 838 break;
@@ -794,6 +892,7 @@ static void l2cap_sock_init(struct sock *sk, struct sock *parent)
794 892
795 pi->imtu = l2cap_pi(parent)->imtu; 893 pi->imtu = l2cap_pi(parent)->imtu;
796 pi->omtu = l2cap_pi(parent)->omtu; 894 pi->omtu = l2cap_pi(parent)->omtu;
895 pi->conf_state = l2cap_pi(parent)->conf_state;
797 pi->mode = l2cap_pi(parent)->mode; 896 pi->mode = l2cap_pi(parent)->mode;
798 pi->fcs = l2cap_pi(parent)->fcs; 897 pi->fcs = l2cap_pi(parent)->fcs;
799 pi->max_tx = l2cap_pi(parent)->max_tx; 898 pi->max_tx = l2cap_pi(parent)->max_tx;
@@ -804,13 +903,15 @@ static void l2cap_sock_init(struct sock *sk, struct sock *parent)
804 } else { 903 } else {
805 pi->imtu = L2CAP_DEFAULT_MTU; 904 pi->imtu = L2CAP_DEFAULT_MTU;
806 pi->omtu = 0; 905 pi->omtu = 0;
807 if (enable_ertm && sk->sk_type == SOCK_STREAM) 906 if (!disable_ertm && sk->sk_type == SOCK_STREAM) {
808 pi->mode = L2CAP_MODE_ERTM; 907 pi->mode = L2CAP_MODE_ERTM;
809 else 908 pi->conf_state |= L2CAP_CONF_STATE2_DEVICE;
909 } else {
810 pi->mode = L2CAP_MODE_BASIC; 910 pi->mode = L2CAP_MODE_BASIC;
811 pi->max_tx = max_transmit; 911 }
912 pi->max_tx = L2CAP_DEFAULT_MAX_TX;
812 pi->fcs = L2CAP_FCS_CRC16; 913 pi->fcs = L2CAP_FCS_CRC16;
813 pi->tx_win = tx_window; 914 pi->tx_win = L2CAP_DEFAULT_TX_WINDOW;
814 pi->sec_level = BT_SECURITY_LOW; 915 pi->sec_level = BT_SECURITY_LOW;
815 pi->role_switch = 0; 916 pi->role_switch = 0;
816 pi->force_reliable = 0; 917 pi->force_reliable = 0;
@@ -1059,7 +1160,7 @@ static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, int al
1059 break; 1160 break;
1060 case L2CAP_MODE_ERTM: 1161 case L2CAP_MODE_ERTM:
1061 case L2CAP_MODE_STREAMING: 1162 case L2CAP_MODE_STREAMING:
1062 if (enable_ertm) 1163 if (!disable_ertm)
1063 break; 1164 break;
1064 /* fall through */ 1165 /* fall through */
1065 default: 1166 default:
@@ -1076,6 +1177,7 @@ static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, int al
1076 1177
1077 case BT_CONNECTED: 1178 case BT_CONNECTED:
1078 /* Already connected */ 1179 /* Already connected */
1180 err = -EISCONN;
1079 goto done; 1181 goto done;
1080 1182
1081 case BT_OPEN: 1183 case BT_OPEN:
@@ -1124,7 +1226,7 @@ static int l2cap_sock_listen(struct socket *sock, int backlog)
1124 break; 1226 break;
1125 case L2CAP_MODE_ERTM: 1227 case L2CAP_MODE_ERTM:
1126 case L2CAP_MODE_STREAMING: 1228 case L2CAP_MODE_STREAMING:
1127 if (enable_ertm) 1229 if (!disable_ertm)
1128 break; 1230 break;
1129 /* fall through */ 1231 /* fall through */
1130 default: 1232 default:
@@ -1277,9 +1379,11 @@ static void l2cap_monitor_timeout(unsigned long arg)
1277{ 1379{
1278 struct sock *sk = (void *) arg; 1380 struct sock *sk = (void *) arg;
1279 1381
1382 BT_DBG("sk %p", sk);
1383
1280 bh_lock_sock(sk); 1384 bh_lock_sock(sk);
1281 if (l2cap_pi(sk)->retry_count >= l2cap_pi(sk)->remote_max_tx) { 1385 if (l2cap_pi(sk)->retry_count >= l2cap_pi(sk)->remote_max_tx) {
1282 l2cap_send_disconn_req(l2cap_pi(sk)->conn, sk); 1386 l2cap_send_disconn_req(l2cap_pi(sk)->conn, sk, ECONNABORTED);
1283 bh_unlock_sock(sk); 1387 bh_unlock_sock(sk);
1284 return; 1388 return;
1285 } 1389 }
@@ -1295,6 +1399,8 @@ static void l2cap_retrans_timeout(unsigned long arg)
1295{ 1399{
1296 struct sock *sk = (void *) arg; 1400 struct sock *sk = (void *) arg;
1297 1401
1402 BT_DBG("sk %p", sk);
1403
1298 bh_lock_sock(sk); 1404 bh_lock_sock(sk);
1299 l2cap_pi(sk)->retry_count = 1; 1405 l2cap_pi(sk)->retry_count = 1;
1300 __mod_monitor_timer(); 1406 __mod_monitor_timer();
@@ -1333,7 +1439,7 @@ static inline void l2cap_do_send(struct sock *sk, struct sk_buff *skb)
1333 hci_send_acl(pi->conn->hcon, skb, 0); 1439 hci_send_acl(pi->conn->hcon, skb, 0);
1334} 1440}
1335 1441
1336static int l2cap_streaming_send(struct sock *sk) 1442static void l2cap_streaming_send(struct sock *sk)
1337{ 1443{
1338 struct sk_buff *skb, *tx_skb; 1444 struct sk_buff *skb, *tx_skb;
1339 struct l2cap_pinfo *pi = l2cap_pi(sk); 1445 struct l2cap_pinfo *pi = l2cap_pi(sk);
@@ -1363,7 +1469,6 @@ static int l2cap_streaming_send(struct sock *sk)
1363 skb = skb_dequeue(TX_QUEUE(sk)); 1469 skb = skb_dequeue(TX_QUEUE(sk));
1364 kfree_skb(skb); 1470 kfree_skb(skb);
1365 } 1471 }
1366 return 0;
1367} 1472}
1368 1473
1369static void l2cap_retransmit_one_frame(struct sock *sk, u8 tx_seq) 1474static void l2cap_retransmit_one_frame(struct sock *sk, u8 tx_seq)
@@ -1387,15 +1492,22 @@ static void l2cap_retransmit_one_frame(struct sock *sk, u8 tx_seq)
1387 1492
1388 if (pi->remote_max_tx && 1493 if (pi->remote_max_tx &&
1389 bt_cb(skb)->retries == pi->remote_max_tx) { 1494 bt_cb(skb)->retries == pi->remote_max_tx) {
1390 l2cap_send_disconn_req(pi->conn, sk); 1495 l2cap_send_disconn_req(pi->conn, sk, ECONNABORTED);
1391 return; 1496 return;
1392 } 1497 }
1393 1498
1394 tx_skb = skb_clone(skb, GFP_ATOMIC); 1499 tx_skb = skb_clone(skb, GFP_ATOMIC);
1395 bt_cb(skb)->retries++; 1500 bt_cb(skb)->retries++;
1396 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE); 1501 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
1502
1503 if (pi->conn_state & L2CAP_CONN_SEND_FBIT) {
1504 control |= L2CAP_CTRL_FINAL;
1505 pi->conn_state &= ~L2CAP_CONN_SEND_FBIT;
1506 }
1507
1397 control |= (pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT) 1508 control |= (pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1398 | (tx_seq << L2CAP_CTRL_TXSEQ_SHIFT); 1509 | (tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
1510
1399 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE); 1511 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1400 1512
1401 if (pi->fcs == L2CAP_FCS_CRC16) { 1513 if (pi->fcs == L2CAP_FCS_CRC16) {
@@ -1413,15 +1525,14 @@ static int l2cap_ertm_send(struct sock *sk)
1413 u16 control, fcs; 1525 u16 control, fcs;
1414 int nsent = 0; 1526 int nsent = 0;
1415 1527
1416 if (pi->conn_state & L2CAP_CONN_WAIT_F) 1528 if (sk->sk_state != BT_CONNECTED)
1417 return 0; 1529 return -ENOTCONN;
1418 1530
1419 while ((skb = sk->sk_send_head) && (!l2cap_tx_window_full(sk)) && 1531 while ((skb = sk->sk_send_head) && (!l2cap_tx_window_full(sk))) {
1420 !(pi->conn_state & L2CAP_CONN_REMOTE_BUSY)) {
1421 1532
1422 if (pi->remote_max_tx && 1533 if (pi->remote_max_tx &&
1423 bt_cb(skb)->retries == pi->remote_max_tx) { 1534 bt_cb(skb)->retries == pi->remote_max_tx) {
1424 l2cap_send_disconn_req(pi->conn, sk); 1535 l2cap_send_disconn_req(pi->conn, sk, ECONNABORTED);
1425 break; 1536 break;
1426 } 1537 }
1427 1538
@@ -1430,6 +1541,8 @@ static int l2cap_ertm_send(struct sock *sk)
1430 bt_cb(skb)->retries++; 1541 bt_cb(skb)->retries++;
1431 1542
1432 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE); 1543 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
1544 control &= L2CAP_CTRL_SAR;
1545
1433 if (pi->conn_state & L2CAP_CONN_SEND_FBIT) { 1546 if (pi->conn_state & L2CAP_CONN_SEND_FBIT) {
1434 control |= L2CAP_CTRL_FINAL; 1547 control |= L2CAP_CTRL_FINAL;
1435 pi->conn_state &= ~L2CAP_CONN_SEND_FBIT; 1548 pi->conn_state &= ~L2CAP_CONN_SEND_FBIT;
@@ -1470,16 +1583,11 @@ static int l2cap_retransmit_frames(struct sock *sk)
1470 struct l2cap_pinfo *pi = l2cap_pi(sk); 1583 struct l2cap_pinfo *pi = l2cap_pi(sk);
1471 int ret; 1584 int ret;
1472 1585
1473 spin_lock_bh(&pi->send_lock);
1474
1475 if (!skb_queue_empty(TX_QUEUE(sk))) 1586 if (!skb_queue_empty(TX_QUEUE(sk)))
1476 sk->sk_send_head = TX_QUEUE(sk)->next; 1587 sk->sk_send_head = TX_QUEUE(sk)->next;
1477 1588
1478 pi->next_tx_seq = pi->expected_ack_seq; 1589 pi->next_tx_seq = pi->expected_ack_seq;
1479 ret = l2cap_ertm_send(sk); 1590 ret = l2cap_ertm_send(sk);
1480
1481 spin_unlock_bh(&pi->send_lock);
1482
1483 return ret; 1591 return ret;
1484} 1592}
1485 1593
@@ -1487,7 +1595,6 @@ static void l2cap_send_ack(struct l2cap_pinfo *pi)
1487{ 1595{
1488 struct sock *sk = (struct sock *)pi; 1596 struct sock *sk = (struct sock *)pi;
1489 u16 control = 0; 1597 u16 control = 0;
1490 int nframes;
1491 1598
1492 control |= pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT; 1599 control |= pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1493 1600
@@ -1498,11 +1605,7 @@ static void l2cap_send_ack(struct l2cap_pinfo *pi)
1498 return; 1605 return;
1499 } 1606 }
1500 1607
1501 spin_lock_bh(&pi->send_lock); 1608 if (l2cap_ertm_send(sk) > 0)
1502 nframes = l2cap_ertm_send(sk);
1503 spin_unlock_bh(&pi->send_lock);
1504
1505 if (nframes > 0)
1506 return; 1609 return;
1507 1610
1508 control |= L2CAP_SUPER_RCV_READY; 1611 control |= L2CAP_SUPER_RCV_READY;
@@ -1697,10 +1800,8 @@ static inline int l2cap_sar_segment_sdu(struct sock *sk, struct msghdr *msg, siz
1697 size += buflen; 1800 size += buflen;
1698 } 1801 }
1699 skb_queue_splice_tail(&sar_queue, TX_QUEUE(sk)); 1802 skb_queue_splice_tail(&sar_queue, TX_QUEUE(sk));
1700 spin_lock_bh(&pi->send_lock);
1701 if (sk->sk_send_head == NULL) 1803 if (sk->sk_send_head == NULL)
1702 sk->sk_send_head = sar_queue.next; 1804 sk->sk_send_head = sar_queue.next;
1703 spin_unlock_bh(&pi->send_lock);
1704 1805
1705 return size; 1806 return size;
1706} 1807}
@@ -1745,7 +1846,7 @@ static int l2cap_sock_sendmsg(struct kiocb *iocb, struct socket *sock, struct ms
1745 case L2CAP_MODE_BASIC: 1846 case L2CAP_MODE_BASIC:
1746 /* Check outgoing MTU */ 1847 /* Check outgoing MTU */
1747 if (len > pi->omtu) { 1848 if (len > pi->omtu) {
1748 err = -EINVAL; 1849 err = -EMSGSIZE;
1749 goto done; 1850 goto done;
1750 } 1851 }
1751 1852
@@ -1772,14 +1873,9 @@ static int l2cap_sock_sendmsg(struct kiocb *iocb, struct socket *sock, struct ms
1772 } 1873 }
1773 __skb_queue_tail(TX_QUEUE(sk), skb); 1874 __skb_queue_tail(TX_QUEUE(sk), skb);
1774 1875
1775 if (pi->mode == L2CAP_MODE_ERTM)
1776 spin_lock_bh(&pi->send_lock);
1777
1778 if (sk->sk_send_head == NULL) 1876 if (sk->sk_send_head == NULL)
1779 sk->sk_send_head = skb; 1877 sk->sk_send_head = skb;
1780 1878
1781 if (pi->mode == L2CAP_MODE_ERTM)
1782 spin_unlock_bh(&pi->send_lock);
1783 } else { 1879 } else {
1784 /* Segment SDU into multiples PDUs */ 1880 /* Segment SDU into multiples PDUs */
1785 err = l2cap_sar_segment_sdu(sk, msg, len); 1881 err = l2cap_sar_segment_sdu(sk, msg, len);
@@ -1788,11 +1884,14 @@ static int l2cap_sock_sendmsg(struct kiocb *iocb, struct socket *sock, struct ms
1788 } 1884 }
1789 1885
1790 if (pi->mode == L2CAP_MODE_STREAMING) { 1886 if (pi->mode == L2CAP_MODE_STREAMING) {
1791 err = l2cap_streaming_send(sk); 1887 l2cap_streaming_send(sk);
1792 } else { 1888 } else {
1793 spin_lock_bh(&pi->send_lock); 1889 if (pi->conn_state & L2CAP_CONN_REMOTE_BUSY &&
1890 pi->conn_state && L2CAP_CONN_WAIT_F) {
1891 err = len;
1892 break;
1893 }
1794 err = l2cap_ertm_send(sk); 1894 err = l2cap_ertm_send(sk);
1795 spin_unlock_bh(&pi->send_lock);
1796 } 1895 }
1797 1896
1798 if (err >= 0) 1897 if (err >= 0)
@@ -1801,7 +1900,7 @@ static int l2cap_sock_sendmsg(struct kiocb *iocb, struct socket *sock, struct ms
1801 1900
1802 default: 1901 default:
1803 BT_DBG("bad state %1.1x", pi->mode); 1902 BT_DBG("bad state %1.1x", pi->mode);
1804 err = -EINVAL; 1903 err = -EBADFD;
1805 } 1904 }
1806 1905
1807done: 1906done:
@@ -1817,6 +1916,8 @@ static int l2cap_sock_recvmsg(struct kiocb *iocb, struct socket *sock, struct ms
1817 1916
1818 if (sk->sk_state == BT_CONNECT2 && bt_sk(sk)->defer_setup) { 1917 if (sk->sk_state == BT_CONNECT2 && bt_sk(sk)->defer_setup) {
1819 struct l2cap_conn_rsp rsp; 1918 struct l2cap_conn_rsp rsp;
1919 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1920 u8 buf[128];
1820 1921
1821 sk->sk_state = BT_CONFIG; 1922 sk->sk_state = BT_CONFIG;
1822 1923
@@ -1827,6 +1928,16 @@ static int l2cap_sock_recvmsg(struct kiocb *iocb, struct socket *sock, struct ms
1827 l2cap_send_cmd(l2cap_pi(sk)->conn, l2cap_pi(sk)->ident, 1928 l2cap_send_cmd(l2cap_pi(sk)->conn, l2cap_pi(sk)->ident,
1828 L2CAP_CONN_RSP, sizeof(rsp), &rsp); 1929 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
1829 1930
1931 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT) {
1932 release_sock(sk);
1933 return 0;
1934 }
1935
1936 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
1937 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
1938 l2cap_build_conf_req(sk, buf), buf);
1939 l2cap_pi(sk)->num_conf_req++;
1940
1830 release_sock(sk); 1941 release_sock(sk);
1831 return 0; 1942 return 0;
1832 } 1943 }
@@ -1863,13 +1974,19 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __us
1863 break; 1974 break;
1864 } 1975 }
1865 1976
1977 if (opts.txwin_size > L2CAP_DEFAULT_TX_WINDOW) {
1978 err = -EINVAL;
1979 break;
1980 }
1981
1866 l2cap_pi(sk)->mode = opts.mode; 1982 l2cap_pi(sk)->mode = opts.mode;
1867 switch (l2cap_pi(sk)->mode) { 1983 switch (l2cap_pi(sk)->mode) {
1868 case L2CAP_MODE_BASIC: 1984 case L2CAP_MODE_BASIC:
1985 l2cap_pi(sk)->conf_state &= ~L2CAP_CONF_STATE2_DEVICE;
1869 break; 1986 break;
1870 case L2CAP_MODE_ERTM: 1987 case L2CAP_MODE_ERTM:
1871 case L2CAP_MODE_STREAMING: 1988 case L2CAP_MODE_STREAMING:
1872 if (enable_ertm) 1989 if (!disable_ertm)
1873 break; 1990 break;
1874 /* fall through */ 1991 /* fall through */
1875 default: 1992 default:
@@ -2137,6 +2254,10 @@ static int l2cap_sock_shutdown(struct socket *sock, int how)
2137 err = bt_sock_wait_state(sk, BT_CLOSED, 2254 err = bt_sock_wait_state(sk, BT_CLOSED,
2138 sk->sk_lingertime); 2255 sk->sk_lingertime);
2139 } 2256 }
2257
2258 if (!err && sk->sk_err)
2259 err = -sk->sk_err;
2260
2140 release_sock(sk); 2261 release_sock(sk);
2141 return err; 2262 return err;
2142} 2263}
@@ -2357,25 +2478,10 @@ static inline void l2cap_ertm_init(struct sock *sk)
2357 2478
2358 __skb_queue_head_init(SREJ_QUEUE(sk)); 2479 __skb_queue_head_init(SREJ_QUEUE(sk));
2359 __skb_queue_head_init(BUSY_QUEUE(sk)); 2480 __skb_queue_head_init(BUSY_QUEUE(sk));
2360 spin_lock_init(&l2cap_pi(sk)->send_lock);
2361 2481
2362 INIT_WORK(&l2cap_pi(sk)->busy_work, l2cap_busy_work); 2482 INIT_WORK(&l2cap_pi(sk)->busy_work, l2cap_busy_work);
2363}
2364 2483
2365static int l2cap_mode_supported(__u8 mode, __u32 feat_mask) 2484 sk->sk_backlog_rcv = l2cap_ertm_data_rcv;
2366{
2367 u32 local_feat_mask = l2cap_feat_mask;
2368 if (enable_ertm)
2369 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
2370
2371 switch (mode) {
2372 case L2CAP_MODE_ERTM:
2373 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
2374 case L2CAP_MODE_STREAMING:
2375 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
2376 default:
2377 return 0x00;
2378 }
2379} 2485}
2380 2486
2381static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask) 2487static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
@@ -2406,10 +2512,10 @@ static int l2cap_build_conf_req(struct sock *sk, void *data)
2406 switch (pi->mode) { 2512 switch (pi->mode) {
2407 case L2CAP_MODE_STREAMING: 2513 case L2CAP_MODE_STREAMING:
2408 case L2CAP_MODE_ERTM: 2514 case L2CAP_MODE_ERTM:
2409 pi->conf_state |= L2CAP_CONF_STATE2_DEVICE; 2515 if (pi->conf_state & L2CAP_CONF_STATE2_DEVICE)
2410 if (!l2cap_mode_supported(pi->mode, pi->conn->feat_mask)) 2516 break;
2411 l2cap_send_disconn_req(pi->conn, sk); 2517
2412 break; 2518 /* fall through */
2413 default: 2519 default:
2414 pi->mode = l2cap_select_mode(rfc.mode, pi->conn->feat_mask); 2520 pi->mode = l2cap_select_mode(rfc.mode, pi->conn->feat_mask);
2415 break; 2521 break;
@@ -2420,6 +2526,14 @@ done:
2420 case L2CAP_MODE_BASIC: 2526 case L2CAP_MODE_BASIC:
2421 if (pi->imtu != L2CAP_DEFAULT_MTU) 2527 if (pi->imtu != L2CAP_DEFAULT_MTU)
2422 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->imtu); 2528 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->imtu);
2529
2530 rfc.mode = L2CAP_MODE_BASIC;
2531 rfc.txwin_size = 0;
2532 rfc.max_transmit = 0;
2533 rfc.retrans_timeout = 0;
2534 rfc.monitor_timeout = 0;
2535 rfc.max_pdu_size = 0;
2536
2423 break; 2537 break;
2424 2538
2425 case L2CAP_MODE_ERTM: 2539 case L2CAP_MODE_ERTM:
@@ -2432,9 +2546,6 @@ done:
2432 if (L2CAP_DEFAULT_MAX_PDU_SIZE > pi->conn->mtu - 10) 2546 if (L2CAP_DEFAULT_MAX_PDU_SIZE > pi->conn->mtu - 10)
2433 rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10); 2547 rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10);
2434 2548
2435 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2436 sizeof(rfc), (unsigned long) &rfc);
2437
2438 if (!(pi->conn->feat_mask & L2CAP_FEAT_FCS)) 2549 if (!(pi->conn->feat_mask & L2CAP_FEAT_FCS))
2439 break; 2550 break;
2440 2551
@@ -2455,9 +2566,6 @@ done:
2455 if (L2CAP_DEFAULT_MAX_PDU_SIZE > pi->conn->mtu - 10) 2566 if (L2CAP_DEFAULT_MAX_PDU_SIZE > pi->conn->mtu - 10)
2456 rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10); 2567 rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10);
2457 2568
2458 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2459 sizeof(rfc), (unsigned long) &rfc);
2460
2461 if (!(pi->conn->feat_mask & L2CAP_FEAT_FCS)) 2569 if (!(pi->conn->feat_mask & L2CAP_FEAT_FCS))
2462 break; 2570 break;
2463 2571
@@ -2469,6 +2577,9 @@ done:
2469 break; 2577 break;
2470 } 2578 }
2471 2579
2580 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2581 (unsigned long) &rfc);
2582
2472 /* FIXME: Need actual value of the flush timeout */ 2583 /* FIXME: Need actual value of the flush timeout */
2473 //if (flush_to != L2CAP_DEFAULT_FLUSH_TO) 2584 //if (flush_to != L2CAP_DEFAULT_FLUSH_TO)
2474 // l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, 2, pi->flush_to); 2585 // l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, 2, pi->flush_to);
@@ -2533,18 +2644,21 @@ static int l2cap_parse_conf_req(struct sock *sk, void *data)
2533 } 2644 }
2534 } 2645 }
2535 2646
2536 if (pi->num_conf_rsp || pi->num_conf_req) 2647 if (pi->num_conf_rsp || pi->num_conf_req > 1)
2537 goto done; 2648 goto done;
2538 2649
2539 switch (pi->mode) { 2650 switch (pi->mode) {
2540 case L2CAP_MODE_STREAMING: 2651 case L2CAP_MODE_STREAMING:
2541 case L2CAP_MODE_ERTM: 2652 case L2CAP_MODE_ERTM:
2542 pi->conf_state |= L2CAP_CONF_STATE2_DEVICE; 2653 if (!(pi->conf_state & L2CAP_CONF_STATE2_DEVICE)) {
2543 if (!l2cap_mode_supported(pi->mode, pi->conn->feat_mask)) 2654 pi->mode = l2cap_select_mode(rfc.mode,
2655 pi->conn->feat_mask);
2656 break;
2657 }
2658
2659 if (pi->mode != rfc.mode)
2544 return -ECONNREFUSED; 2660 return -ECONNREFUSED;
2545 break; 2661
2546 default:
2547 pi->mode = l2cap_select_mode(rfc.mode, pi->conn->feat_mask);
2548 break; 2662 break;
2549 } 2663 }
2550 2664
@@ -2667,7 +2781,6 @@ static int l2cap_parse_conf_rsp(struct sock *sk, void *rsp, int len, void *data,
2667 rfc.mode != pi->mode) 2781 rfc.mode != pi->mode)
2668 return -ECONNREFUSED; 2782 return -ECONNREFUSED;
2669 2783
2670 pi->mode = rfc.mode;
2671 pi->fcs = 0; 2784 pi->fcs = 0;
2672 2785
2673 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, 2786 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
@@ -2676,6 +2789,11 @@ static int l2cap_parse_conf_rsp(struct sock *sk, void *rsp, int len, void *data,
2676 } 2789 }
2677 } 2790 }
2678 2791
2792 if (pi->mode == L2CAP_MODE_BASIC && pi->mode != rfc.mode)
2793 return -ECONNREFUSED;
2794
2795 pi->mode = rfc.mode;
2796
2679 if (*result == L2CAP_CONF_SUCCESS) { 2797 if (*result == L2CAP_CONF_SUCCESS) {
2680 switch (rfc.mode) { 2798 switch (rfc.mode) {
2681 case L2CAP_MODE_ERTM: 2799 case L2CAP_MODE_ERTM:
@@ -2770,7 +2888,7 @@ static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hd
2770 struct l2cap_chan_list *list = &conn->chan_list; 2888 struct l2cap_chan_list *list = &conn->chan_list;
2771 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data; 2889 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
2772 struct l2cap_conn_rsp rsp; 2890 struct l2cap_conn_rsp rsp;
2773 struct sock *sk, *parent; 2891 struct sock *parent, *uninitialized_var(sk);
2774 int result, status = L2CAP_CS_NO_INFO; 2892 int result, status = L2CAP_CS_NO_INFO;
2775 2893
2776 u16 dcid = 0, scid = __le16_to_cpu(req->scid); 2894 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
@@ -2879,6 +2997,15 @@ sendresp:
2879 L2CAP_INFO_REQ, sizeof(info), &info); 2997 L2CAP_INFO_REQ, sizeof(info), &info);
2880 } 2998 }
2881 2999
3000 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT) &&
3001 result == L2CAP_CR_SUCCESS) {
3002 u8 buf[128];
3003 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
3004 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3005 l2cap_build_conf_req(sk, buf), buf);
3006 l2cap_pi(sk)->num_conf_req++;
3007 }
3008
2882 return 0; 3009 return 0;
2883} 3010}
2884 3011
@@ -2899,11 +3026,11 @@ static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hd
2899 if (scid) { 3026 if (scid) {
2900 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid); 3027 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
2901 if (!sk) 3028 if (!sk)
2902 return 0; 3029 return -EFAULT;
2903 } else { 3030 } else {
2904 sk = l2cap_get_chan_by_ident(&conn->chan_list, cmd->ident); 3031 sk = l2cap_get_chan_by_ident(&conn->chan_list, cmd->ident);
2905 if (!sk) 3032 if (!sk)
2906 return 0; 3033 return -EFAULT;
2907 } 3034 }
2908 3035
2909 switch (result) { 3036 switch (result) {
@@ -2911,10 +3038,13 @@ static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hd
2911 sk->sk_state = BT_CONFIG; 3038 sk->sk_state = BT_CONFIG;
2912 l2cap_pi(sk)->ident = 0; 3039 l2cap_pi(sk)->ident = 0;
2913 l2cap_pi(sk)->dcid = dcid; 3040 l2cap_pi(sk)->dcid = dcid;
2914 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
2915
2916 l2cap_pi(sk)->conf_state &= ~L2CAP_CONF_CONNECT_PEND; 3041 l2cap_pi(sk)->conf_state &= ~L2CAP_CONF_CONNECT_PEND;
2917 3042
3043 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT)
3044 break;
3045
3046 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
3047
2918 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, 3048 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2919 l2cap_build_conf_req(sk, req), req); 3049 l2cap_build_conf_req(sk, req), req);
2920 l2cap_pi(sk)->num_conf_req++; 3050 l2cap_pi(sk)->num_conf_req++;
@@ -2950,8 +3080,14 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
2950 if (!sk) 3080 if (!sk)
2951 return -ENOENT; 3081 return -ENOENT;
2952 3082
2953 if (sk->sk_state == BT_DISCONN) 3083 if (sk->sk_state != BT_CONFIG) {
3084 struct l2cap_cmd_rej rej;
3085
3086 rej.reason = cpu_to_le16(0x0002);
3087 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
3088 sizeof(rej), &rej);
2954 goto unlock; 3089 goto unlock;
3090 }
2955 3091
2956 /* Reject if config buffer is too small. */ 3092 /* Reject if config buffer is too small. */
2957 len = cmd_len - sizeof(*req); 3093 len = cmd_len - sizeof(*req);
@@ -2977,7 +3113,7 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
2977 /* Complete config. */ 3113 /* Complete config. */
2978 len = l2cap_parse_conf_req(sk, rsp); 3114 len = l2cap_parse_conf_req(sk, rsp);
2979 if (len < 0) { 3115 if (len < 0) {
2980 l2cap_send_disconn_req(conn, sk); 3116 l2cap_send_disconn_req(conn, sk, ECONNRESET);
2981 goto unlock; 3117 goto unlock;
2982 } 3118 }
2983 3119
@@ -3047,7 +3183,7 @@ static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr
3047 char req[64]; 3183 char req[64];
3048 3184
3049 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) { 3185 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
3050 l2cap_send_disconn_req(conn, sk); 3186 l2cap_send_disconn_req(conn, sk, ECONNRESET);
3051 goto done; 3187 goto done;
3052 } 3188 }
3053 3189
@@ -3056,7 +3192,7 @@ static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr
3056 len = l2cap_parse_conf_rsp(sk, rsp->data, 3192 len = l2cap_parse_conf_rsp(sk, rsp->data,
3057 len, req, &result); 3193 len, req, &result);
3058 if (len < 0) { 3194 if (len < 0) {
3059 l2cap_send_disconn_req(conn, sk); 3195 l2cap_send_disconn_req(conn, sk, ECONNRESET);
3060 goto done; 3196 goto done;
3061 } 3197 }
3062 3198
@@ -3069,10 +3205,9 @@ static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr
3069 } 3205 }
3070 3206
3071 default: 3207 default:
3072 sk->sk_state = BT_DISCONN;
3073 sk->sk_err = ECONNRESET; 3208 sk->sk_err = ECONNRESET;
3074 l2cap_sock_set_timer(sk, HZ * 5); 3209 l2cap_sock_set_timer(sk, HZ * 5);
3075 l2cap_send_disconn_req(conn, sk); 3210 l2cap_send_disconn_req(conn, sk, ECONNRESET);
3076 goto done; 3211 goto done;
3077 } 3212 }
3078 3213
@@ -3123,16 +3258,6 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd
3123 3258
3124 sk->sk_shutdown = SHUTDOWN_MASK; 3259 sk->sk_shutdown = SHUTDOWN_MASK;
3125 3260
3126 skb_queue_purge(TX_QUEUE(sk));
3127
3128 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM) {
3129 skb_queue_purge(SREJ_QUEUE(sk));
3130 skb_queue_purge(BUSY_QUEUE(sk));
3131 del_timer(&l2cap_pi(sk)->retrans_timer);
3132 del_timer(&l2cap_pi(sk)->monitor_timer);
3133 del_timer(&l2cap_pi(sk)->ack_timer);
3134 }
3135
3136 l2cap_chan_del(sk, ECONNRESET); 3261 l2cap_chan_del(sk, ECONNRESET);
3137 bh_unlock_sock(sk); 3262 bh_unlock_sock(sk);
3138 3263
@@ -3155,16 +3280,6 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd
3155 if (!sk) 3280 if (!sk)
3156 return 0; 3281 return 0;
3157 3282
3158 skb_queue_purge(TX_QUEUE(sk));
3159
3160 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM) {
3161 skb_queue_purge(SREJ_QUEUE(sk));
3162 skb_queue_purge(BUSY_QUEUE(sk));
3163 del_timer(&l2cap_pi(sk)->retrans_timer);
3164 del_timer(&l2cap_pi(sk)->monitor_timer);
3165 del_timer(&l2cap_pi(sk)->ack_timer);
3166 }
3167
3168 l2cap_chan_del(sk, 0); 3283 l2cap_chan_del(sk, 0);
3169 bh_unlock_sock(sk); 3284 bh_unlock_sock(sk);
3170 3285
@@ -3187,7 +3302,7 @@ static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cm
3187 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf; 3302 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
3188 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK); 3303 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3189 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS); 3304 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
3190 if (enable_ertm) 3305 if (!disable_ertm)
3191 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING 3306 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
3192 | L2CAP_FEAT_FCS; 3307 | L2CAP_FEAT_FCS;
3193 put_unaligned_le32(feat_mask, rsp->data); 3308 put_unaligned_le32(feat_mask, rsp->data);
@@ -3352,7 +3467,7 @@ static int l2cap_check_fcs(struct l2cap_pinfo *pi, struct sk_buff *skb)
3352 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size); 3467 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
3353 3468
3354 if (our_fcs != rcv_fcs) 3469 if (our_fcs != rcv_fcs)
3355 return -EINVAL; 3470 return -EBADMSG;
3356 } 3471 }
3357 return 0; 3472 return 0;
3358} 3473}
@@ -3363,25 +3478,19 @@ static inline void l2cap_send_i_or_rr_or_rnr(struct sock *sk)
3363 u16 control = 0; 3478 u16 control = 0;
3364 3479
3365 pi->frames_sent = 0; 3480 pi->frames_sent = 0;
3366 pi->conn_state |= L2CAP_CONN_SEND_FBIT;
3367 3481
3368 control |= pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT; 3482 control |= pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3369 3483
3370 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) { 3484 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) {
3371 control |= L2CAP_SUPER_RCV_NOT_READY | L2CAP_CTRL_FINAL; 3485 control |= L2CAP_SUPER_RCV_NOT_READY;
3372 l2cap_send_sframe(pi, control); 3486 l2cap_send_sframe(pi, control);
3373 pi->conn_state |= L2CAP_CONN_RNR_SENT; 3487 pi->conn_state |= L2CAP_CONN_RNR_SENT;
3374 pi->conn_state &= ~L2CAP_CONN_SEND_FBIT;
3375 } 3488 }
3376 3489
3377 if (pi->conn_state & L2CAP_CONN_REMOTE_BUSY && pi->unacked_frames > 0) 3490 if (pi->conn_state & L2CAP_CONN_REMOTE_BUSY)
3378 __mod_retrans_timer(); 3491 l2cap_retransmit_frames(sk);
3379
3380 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3381 3492
3382 spin_lock_bh(&pi->send_lock);
3383 l2cap_ertm_send(sk); 3493 l2cap_ertm_send(sk);
3384 spin_unlock_bh(&pi->send_lock);
3385 3494
3386 if (!(pi->conn_state & L2CAP_CONN_LOCAL_BUSY) && 3495 if (!(pi->conn_state & L2CAP_CONN_LOCAL_BUSY) &&
3387 pi->frames_sent == 0) { 3496 pi->frames_sent == 0) {
@@ -3393,6 +3502,8 @@ static inline void l2cap_send_i_or_rr_or_rnr(struct sock *sk)
3393static int l2cap_add_to_srej_queue(struct sock *sk, struct sk_buff *skb, u8 tx_seq, u8 sar) 3502static int l2cap_add_to_srej_queue(struct sock *sk, struct sk_buff *skb, u8 tx_seq, u8 sar)
3394{ 3503{
3395 struct sk_buff *next_skb; 3504 struct sk_buff *next_skb;
3505 struct l2cap_pinfo *pi = l2cap_pi(sk);
3506 int tx_seq_offset, next_tx_seq_offset;
3396 3507
3397 bt_cb(skb)->tx_seq = tx_seq; 3508 bt_cb(skb)->tx_seq = tx_seq;
3398 bt_cb(skb)->sar = sar; 3509 bt_cb(skb)->sar = sar;
@@ -3403,11 +3514,20 @@ static int l2cap_add_to_srej_queue(struct sock *sk, struct sk_buff *skb, u8 tx_s
3403 return 0; 3514 return 0;
3404 } 3515 }
3405 3516
3517 tx_seq_offset = (tx_seq - pi->buffer_seq) % 64;
3518 if (tx_seq_offset < 0)
3519 tx_seq_offset += 64;
3520
3406 do { 3521 do {
3407 if (bt_cb(next_skb)->tx_seq == tx_seq) 3522 if (bt_cb(next_skb)->tx_seq == tx_seq)
3408 return -EINVAL; 3523 return -EINVAL;
3409 3524
3410 if (bt_cb(next_skb)->tx_seq > tx_seq) { 3525 next_tx_seq_offset = (bt_cb(next_skb)->tx_seq -
3526 pi->buffer_seq) % 64;
3527 if (next_tx_seq_offset < 0)
3528 next_tx_seq_offset += 64;
3529
3530 if (next_tx_seq_offset > tx_seq_offset) {
3411 __skb_queue_before(SREJ_QUEUE(sk), next_skb, skb); 3531 __skb_queue_before(SREJ_QUEUE(sk), next_skb, skb);
3412 return 0; 3532 return 0;
3413 } 3533 }
@@ -3525,11 +3645,51 @@ drop:
3525 pi->sdu = NULL; 3645 pi->sdu = NULL;
3526 3646
3527disconnect: 3647disconnect:
3528 l2cap_send_disconn_req(pi->conn, sk); 3648 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
3529 kfree_skb(skb); 3649 kfree_skb(skb);
3530 return 0; 3650 return 0;
3531} 3651}
3532 3652
3653static int l2cap_try_push_rx_skb(struct sock *sk)
3654{
3655 struct l2cap_pinfo *pi = l2cap_pi(sk);
3656 struct sk_buff *skb;
3657 u16 control;
3658 int err;
3659
3660 while ((skb = skb_dequeue(BUSY_QUEUE(sk)))) {
3661 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
3662 err = l2cap_ertm_reassembly_sdu(sk, skb, control);
3663 if (err < 0) {
3664 skb_queue_head(BUSY_QUEUE(sk), skb);
3665 return -EBUSY;
3666 }
3667
3668 pi->buffer_seq = (pi->buffer_seq + 1) % 64;
3669 }
3670
3671 if (!(pi->conn_state & L2CAP_CONN_RNR_SENT))
3672 goto done;
3673
3674 control = pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3675 control |= L2CAP_SUPER_RCV_READY | L2CAP_CTRL_POLL;
3676 l2cap_send_sframe(pi, control);
3677 l2cap_pi(sk)->retry_count = 1;
3678
3679 del_timer(&pi->retrans_timer);
3680 __mod_monitor_timer();
3681
3682 l2cap_pi(sk)->conn_state |= L2CAP_CONN_WAIT_F;
3683
3684done:
3685 pi->conn_state &= ~L2CAP_CONN_LOCAL_BUSY;
3686 pi->conn_state &= ~L2CAP_CONN_RNR_SENT;
3687
3688 BT_DBG("sk %p, Exit local busy", sk);
3689
3690 return 0;
3691}
3692
3533static void l2cap_busy_work(struct work_struct *work) 3693static void l2cap_busy_work(struct work_struct *work)
3534{ 3694{
3535 DECLARE_WAITQUEUE(wait, current); 3695 DECLARE_WAITQUEUE(wait, current);
@@ -3538,7 +3698,6 @@ static void l2cap_busy_work(struct work_struct *work)
3538 struct sock *sk = (struct sock *)pi; 3698 struct sock *sk = (struct sock *)pi;
3539 int n_tries = 0, timeo = HZ/5, err; 3699 int n_tries = 0, timeo = HZ/5, err;
3540 struct sk_buff *skb; 3700 struct sk_buff *skb;
3541 u16 control;
3542 3701
3543 lock_sock(sk); 3702 lock_sock(sk);
3544 3703
@@ -3548,8 +3707,8 @@ static void l2cap_busy_work(struct work_struct *work)
3548 3707
3549 if (n_tries++ > L2CAP_LOCAL_BUSY_TRIES) { 3708 if (n_tries++ > L2CAP_LOCAL_BUSY_TRIES) {
3550 err = -EBUSY; 3709 err = -EBUSY;
3551 l2cap_send_disconn_req(pi->conn, sk); 3710 l2cap_send_disconn_req(pi->conn, sk, EBUSY);
3552 goto done; 3711 break;
3553 } 3712 }
3554 3713
3555 if (!timeo) 3714 if (!timeo)
@@ -3557,7 +3716,7 @@ static void l2cap_busy_work(struct work_struct *work)
3557 3716
3558 if (signal_pending(current)) { 3717 if (signal_pending(current)) {
3559 err = sock_intr_errno(timeo); 3718 err = sock_intr_errno(timeo);
3560 goto done; 3719 break;
3561 } 3720 }
3562 3721
3563 release_sock(sk); 3722 release_sock(sk);
@@ -3566,40 +3725,12 @@ static void l2cap_busy_work(struct work_struct *work)
3566 3725
3567 err = sock_error(sk); 3726 err = sock_error(sk);
3568 if (err) 3727 if (err)
3569 goto done; 3728 break;
3570
3571 while ((skb = skb_dequeue(BUSY_QUEUE(sk)))) {
3572 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
3573 err = l2cap_ertm_reassembly_sdu(sk, skb, control);
3574 if (err < 0) {
3575 skb_queue_head(BUSY_QUEUE(sk), skb);
3576 break;
3577 }
3578
3579 pi->buffer_seq = (pi->buffer_seq + 1) % 64;
3580 }
3581 3729
3582 if (!skb) 3730 if (l2cap_try_push_rx_skb(sk) == 0)
3583 break; 3731 break;
3584 } 3732 }
3585 3733
3586 if (!(pi->conn_state & L2CAP_CONN_RNR_SENT))
3587 goto done;
3588
3589 control = pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3590 control |= L2CAP_SUPER_RCV_READY | L2CAP_CTRL_POLL;
3591 l2cap_send_sframe(pi, control);
3592 l2cap_pi(sk)->retry_count = 1;
3593
3594 del_timer(&pi->retrans_timer);
3595 __mod_monitor_timer();
3596
3597 l2cap_pi(sk)->conn_state |= L2CAP_CONN_WAIT_F;
3598
3599done:
3600 pi->conn_state &= ~L2CAP_CONN_LOCAL_BUSY;
3601 pi->conn_state &= ~L2CAP_CONN_RNR_SENT;
3602
3603 set_current_state(TASK_RUNNING); 3734 set_current_state(TASK_RUNNING);
3604 remove_wait_queue(sk_sleep(sk), &wait); 3735 remove_wait_queue(sk_sleep(sk), &wait);
3605 3736
@@ -3614,7 +3745,9 @@ static int l2cap_push_rx_skb(struct sock *sk, struct sk_buff *skb, u16 control)
3614 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) { 3745 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) {
3615 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT; 3746 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
3616 __skb_queue_tail(BUSY_QUEUE(sk), skb); 3747 __skb_queue_tail(BUSY_QUEUE(sk), skb);
3617 return -EBUSY; 3748 return l2cap_try_push_rx_skb(sk);
3749
3750
3618 } 3751 }
3619 3752
3620 err = l2cap_ertm_reassembly_sdu(sk, skb, control); 3753 err = l2cap_ertm_reassembly_sdu(sk, skb, control);
@@ -3624,6 +3757,8 @@ static int l2cap_push_rx_skb(struct sock *sk, struct sk_buff *skb, u16 control)
3624 } 3757 }
3625 3758
3626 /* Busy Condition */ 3759 /* Busy Condition */
3760 BT_DBG("sk %p, Enter local busy", sk);
3761
3627 pi->conn_state |= L2CAP_CONN_LOCAL_BUSY; 3762 pi->conn_state |= L2CAP_CONN_LOCAL_BUSY;
3628 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT; 3763 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
3629 __skb_queue_tail(BUSY_QUEUE(sk), skb); 3764 __skb_queue_tail(BUSY_QUEUE(sk), skb);
@@ -3634,6 +3769,8 @@ static int l2cap_push_rx_skb(struct sock *sk, struct sk_buff *skb, u16 control)
3634 3769
3635 pi->conn_state |= L2CAP_CONN_RNR_SENT; 3770 pi->conn_state |= L2CAP_CONN_RNR_SENT;
3636 3771
3772 del_timer(&pi->ack_timer);
3773
3637 queue_work(_busy_wq, &pi->busy_work); 3774 queue_work(_busy_wq, &pi->busy_work);
3638 3775
3639 return err; 3776 return err;
@@ -3747,7 +3884,7 @@ static void l2cap_check_srej_gap(struct sock *sk, u8 tx_seq)
3747 l2cap_ertm_reassembly_sdu(sk, skb, control); 3884 l2cap_ertm_reassembly_sdu(sk, skb, control);
3748 l2cap_pi(sk)->buffer_seq_srej = 3885 l2cap_pi(sk)->buffer_seq_srej =
3749 (l2cap_pi(sk)->buffer_seq_srej + 1) % 64; 3886 (l2cap_pi(sk)->buffer_seq_srej + 1) % 64;
3750 tx_seq++; 3887 tx_seq = (tx_seq + 1) % 64;
3751 } 3888 }
3752} 3889}
3753 3890
@@ -3783,10 +3920,11 @@ static void l2cap_send_srejframe(struct sock *sk, u8 tx_seq)
3783 l2cap_send_sframe(pi, control); 3920 l2cap_send_sframe(pi, control);
3784 3921
3785 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC); 3922 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
3786 new->tx_seq = pi->expected_tx_seq++; 3923 new->tx_seq = pi->expected_tx_seq;
3924 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
3787 list_add_tail(&new->list, SREJ_LIST(sk)); 3925 list_add_tail(&new->list, SREJ_LIST(sk));
3788 } 3926 }
3789 pi->expected_tx_seq++; 3927 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
3790} 3928}
3791 3929
3792static inline int l2cap_data_channel_iframe(struct sock *sk, u16 rx_control, struct sk_buff *skb) 3930static inline int l2cap_data_channel_iframe(struct sock *sk, u16 rx_control, struct sk_buff *skb)
@@ -3795,11 +3933,12 @@ static inline int l2cap_data_channel_iframe(struct sock *sk, u16 rx_control, str
3795 u8 tx_seq = __get_txseq(rx_control); 3933 u8 tx_seq = __get_txseq(rx_control);
3796 u8 req_seq = __get_reqseq(rx_control); 3934 u8 req_seq = __get_reqseq(rx_control);
3797 u8 sar = rx_control >> L2CAP_CTRL_SAR_SHIFT; 3935 u8 sar = rx_control >> L2CAP_CTRL_SAR_SHIFT;
3798 u8 tx_seq_offset, expected_tx_seq_offset; 3936 int tx_seq_offset, expected_tx_seq_offset;
3799 int num_to_ack = (pi->tx_win/6) + 1; 3937 int num_to_ack = (pi->tx_win/6) + 1;
3800 int err = 0; 3938 int err = 0;
3801 3939
3802 BT_DBG("sk %p rx_control 0x%4.4x len %d", sk, rx_control, skb->len); 3940 BT_DBG("sk %p len %d tx_seq %d rx_control 0x%4.4x", sk, skb->len, tx_seq,
3941 rx_control);
3803 3942
3804 if (L2CAP_CTRL_FINAL & rx_control && 3943 if (L2CAP_CTRL_FINAL & rx_control &&
3805 l2cap_pi(sk)->conn_state & L2CAP_CONN_WAIT_F) { 3944 l2cap_pi(sk)->conn_state & L2CAP_CONN_WAIT_F) {
@@ -3821,7 +3960,7 @@ static inline int l2cap_data_channel_iframe(struct sock *sk, u16 rx_control, str
3821 3960
3822 /* invalid tx_seq */ 3961 /* invalid tx_seq */
3823 if (tx_seq_offset >= pi->tx_win) { 3962 if (tx_seq_offset >= pi->tx_win) {
3824 l2cap_send_disconn_req(pi->conn, sk); 3963 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
3825 goto drop; 3964 goto drop;
3826 } 3965 }
3827 3966
@@ -3844,6 +3983,7 @@ static inline int l2cap_data_channel_iframe(struct sock *sk, u16 rx_control, str
3844 pi->buffer_seq = pi->buffer_seq_srej; 3983 pi->buffer_seq = pi->buffer_seq_srej;
3845 pi->conn_state &= ~L2CAP_CONN_SREJ_SENT; 3984 pi->conn_state &= ~L2CAP_CONN_SREJ_SENT;
3846 l2cap_send_ack(pi); 3985 l2cap_send_ack(pi);
3986 BT_DBG("sk %p, Exit SREJ_SENT", sk);
3847 } 3987 }
3848 } else { 3988 } else {
3849 struct srej_list *l; 3989 struct srej_list *l;
@@ -3872,6 +4012,8 @@ static inline int l2cap_data_channel_iframe(struct sock *sk, u16 rx_control, str
3872 4012
3873 pi->conn_state |= L2CAP_CONN_SREJ_SENT; 4013 pi->conn_state |= L2CAP_CONN_SREJ_SENT;
3874 4014
4015 BT_DBG("sk %p, Enter SREJ", sk);
4016
3875 INIT_LIST_HEAD(SREJ_LIST(sk)); 4017 INIT_LIST_HEAD(SREJ_LIST(sk));
3876 pi->buffer_seq_srej = pi->buffer_seq; 4018 pi->buffer_seq_srej = pi->buffer_seq;
3877 4019
@@ -3882,6 +4024,8 @@ static inline int l2cap_data_channel_iframe(struct sock *sk, u16 rx_control, str
3882 pi->conn_state |= L2CAP_CONN_SEND_PBIT; 4024 pi->conn_state |= L2CAP_CONN_SEND_PBIT;
3883 4025
3884 l2cap_send_srejframe(sk, tx_seq); 4026 l2cap_send_srejframe(sk, tx_seq);
4027
4028 del_timer(&pi->ack_timer);
3885 } 4029 }
3886 return 0; 4030 return 0;
3887 4031
@@ -3895,6 +4039,10 @@ expected:
3895 return 0; 4039 return 0;
3896 } 4040 }
3897 4041
4042 err = l2cap_push_rx_skb(sk, skb, rx_control);
4043 if (err < 0)
4044 return 0;
4045
3898 if (rx_control & L2CAP_CTRL_FINAL) { 4046 if (rx_control & L2CAP_CTRL_FINAL) {
3899 if (pi->conn_state & L2CAP_CONN_REJ_ACT) 4047 if (pi->conn_state & L2CAP_CONN_REJ_ACT)
3900 pi->conn_state &= ~L2CAP_CONN_REJ_ACT; 4048 pi->conn_state &= ~L2CAP_CONN_REJ_ACT;
@@ -3902,10 +4050,6 @@ expected:
3902 l2cap_retransmit_frames(sk); 4050 l2cap_retransmit_frames(sk);
3903 } 4051 }
3904 4052
3905 err = l2cap_push_rx_skb(sk, skb, rx_control);
3906 if (err < 0)
3907 return 0;
3908
3909 __mod_ack_timer(); 4053 __mod_ack_timer();
3910 4054
3911 pi->num_acked = (pi->num_acked + 1) % num_to_ack; 4055 pi->num_acked = (pi->num_acked + 1) % num_to_ack;
@@ -3923,10 +4067,14 @@ static inline void l2cap_data_channel_rrframe(struct sock *sk, u16 rx_control)
3923{ 4067{
3924 struct l2cap_pinfo *pi = l2cap_pi(sk); 4068 struct l2cap_pinfo *pi = l2cap_pi(sk);
3925 4069
4070 BT_DBG("sk %p, req_seq %d ctrl 0x%4.4x", sk, __get_reqseq(rx_control),
4071 rx_control);
4072
3926 pi->expected_ack_seq = __get_reqseq(rx_control); 4073 pi->expected_ack_seq = __get_reqseq(rx_control);
3927 l2cap_drop_acked_frames(sk); 4074 l2cap_drop_acked_frames(sk);
3928 4075
3929 if (rx_control & L2CAP_CTRL_POLL) { 4076 if (rx_control & L2CAP_CTRL_POLL) {
4077 pi->conn_state |= L2CAP_CONN_SEND_FBIT;
3930 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) { 4078 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
3931 if ((pi->conn_state & L2CAP_CONN_REMOTE_BUSY) && 4079 if ((pi->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
3932 (pi->unacked_frames > 0)) 4080 (pi->unacked_frames > 0))
@@ -3955,9 +4103,7 @@ static inline void l2cap_data_channel_rrframe(struct sock *sk, u16 rx_control)
3955 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) { 4103 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
3956 l2cap_send_ack(pi); 4104 l2cap_send_ack(pi);
3957 } else { 4105 } else {
3958 spin_lock_bh(&pi->send_lock);
3959 l2cap_ertm_send(sk); 4106 l2cap_ertm_send(sk);
3960 spin_unlock_bh(&pi->send_lock);
3961 } 4107 }
3962 } 4108 }
3963} 4109}
@@ -3967,6 +4113,8 @@ static inline void l2cap_data_channel_rejframe(struct sock *sk, u16 rx_control)
3967 struct l2cap_pinfo *pi = l2cap_pi(sk); 4113 struct l2cap_pinfo *pi = l2cap_pi(sk);
3968 u8 tx_seq = __get_reqseq(rx_control); 4114 u8 tx_seq = __get_reqseq(rx_control);
3969 4115
4116 BT_DBG("sk %p, req_seq %d ctrl 0x%4.4x", sk, tx_seq, rx_control);
4117
3970 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY; 4118 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3971 4119
3972 pi->expected_ack_seq = tx_seq; 4120 pi->expected_ack_seq = tx_seq;
@@ -3989,16 +4137,18 @@ static inline void l2cap_data_channel_srejframe(struct sock *sk, u16 rx_control)
3989 struct l2cap_pinfo *pi = l2cap_pi(sk); 4137 struct l2cap_pinfo *pi = l2cap_pi(sk);
3990 u8 tx_seq = __get_reqseq(rx_control); 4138 u8 tx_seq = __get_reqseq(rx_control);
3991 4139
4140 BT_DBG("sk %p, req_seq %d ctrl 0x%4.4x", sk, tx_seq, rx_control);
4141
3992 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY; 4142 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3993 4143
3994 if (rx_control & L2CAP_CTRL_POLL) { 4144 if (rx_control & L2CAP_CTRL_POLL) {
3995 pi->expected_ack_seq = tx_seq; 4145 pi->expected_ack_seq = tx_seq;
3996 l2cap_drop_acked_frames(sk); 4146 l2cap_drop_acked_frames(sk);
4147
4148 pi->conn_state |= L2CAP_CONN_SEND_FBIT;
3997 l2cap_retransmit_one_frame(sk, tx_seq); 4149 l2cap_retransmit_one_frame(sk, tx_seq);
3998 4150
3999 spin_lock_bh(&pi->send_lock);
4000 l2cap_ertm_send(sk); 4151 l2cap_ertm_send(sk);
4001 spin_unlock_bh(&pi->send_lock);
4002 4152
4003 if (pi->conn_state & L2CAP_CONN_WAIT_F) { 4153 if (pi->conn_state & L2CAP_CONN_WAIT_F) {
4004 pi->srej_save_reqseq = tx_seq; 4154 pi->srej_save_reqseq = tx_seq;
@@ -4024,10 +4174,15 @@ static inline void l2cap_data_channel_rnrframe(struct sock *sk, u16 rx_control)
4024 struct l2cap_pinfo *pi = l2cap_pi(sk); 4174 struct l2cap_pinfo *pi = l2cap_pi(sk);
4025 u8 tx_seq = __get_reqseq(rx_control); 4175 u8 tx_seq = __get_reqseq(rx_control);
4026 4176
4177 BT_DBG("sk %p, req_seq %d ctrl 0x%4.4x", sk, tx_seq, rx_control);
4178
4027 pi->conn_state |= L2CAP_CONN_REMOTE_BUSY; 4179 pi->conn_state |= L2CAP_CONN_REMOTE_BUSY;
4028 pi->expected_ack_seq = tx_seq; 4180 pi->expected_ack_seq = tx_seq;
4029 l2cap_drop_acked_frames(sk); 4181 l2cap_drop_acked_frames(sk);
4030 4182
4183 if (rx_control & L2CAP_CTRL_POLL)
4184 pi->conn_state |= L2CAP_CONN_SEND_FBIT;
4185
4031 if (!(pi->conn_state & L2CAP_CONN_SREJ_SENT)) { 4186 if (!(pi->conn_state & L2CAP_CONN_SREJ_SENT)) {
4032 del_timer(&pi->retrans_timer); 4187 del_timer(&pi->retrans_timer);
4033 if (rx_control & L2CAP_CTRL_POLL) 4188 if (rx_control & L2CAP_CTRL_POLL)
@@ -4075,12 +4230,83 @@ static inline int l2cap_data_channel_sframe(struct sock *sk, u16 rx_control, str
4075 return 0; 4230 return 0;
4076} 4231}
4077 4232
4233static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb)
4234{
4235 struct l2cap_pinfo *pi = l2cap_pi(sk);
4236 u16 control;
4237 u8 req_seq;
4238 int len, next_tx_seq_offset, req_seq_offset;
4239
4240 control = get_unaligned_le16(skb->data);
4241 skb_pull(skb, 2);
4242 len = skb->len;
4243
4244 /*
4245 * We can just drop the corrupted I-frame here.
4246 * Receiver will miss it and start proper recovery
4247 * procedures and ask retransmission.
4248 */
4249 if (l2cap_check_fcs(pi, skb))
4250 goto drop;
4251
4252 if (__is_sar_start(control) && __is_iframe(control))
4253 len -= 2;
4254
4255 if (pi->fcs == L2CAP_FCS_CRC16)
4256 len -= 2;
4257
4258 if (len > pi->mps) {
4259 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
4260 goto drop;
4261 }
4262
4263 req_seq = __get_reqseq(control);
4264 req_seq_offset = (req_seq - pi->expected_ack_seq) % 64;
4265 if (req_seq_offset < 0)
4266 req_seq_offset += 64;
4267
4268 next_tx_seq_offset =
4269 (pi->next_tx_seq - pi->expected_ack_seq) % 64;
4270 if (next_tx_seq_offset < 0)
4271 next_tx_seq_offset += 64;
4272
4273 /* check for invalid req-seq */
4274 if (req_seq_offset > next_tx_seq_offset) {
4275 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
4276 goto drop;
4277 }
4278
4279 if (__is_iframe(control)) {
4280 if (len < 0) {
4281 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
4282 goto drop;
4283 }
4284
4285 l2cap_data_channel_iframe(sk, control, skb);
4286 } else {
4287 if (len != 0) {
4288 BT_ERR("%d", len);
4289 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
4290 goto drop;
4291 }
4292
4293 l2cap_data_channel_sframe(sk, control, skb);
4294 }
4295
4296 return 0;
4297
4298drop:
4299 kfree_skb(skb);
4300 return 0;
4301}
4302
4078static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb) 4303static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
4079{ 4304{
4080 struct sock *sk; 4305 struct sock *sk;
4081 struct l2cap_pinfo *pi; 4306 struct l2cap_pinfo *pi;
4082 u16 control, len; 4307 u16 control;
4083 u8 tx_seq, req_seq, next_tx_seq_offset, req_seq_offset; 4308 u8 tx_seq;
4309 int len;
4084 4310
4085 sk = l2cap_get_chan_by_scid(&conn->chan_list, cid); 4311 sk = l2cap_get_chan_by_scid(&conn->chan_list, cid);
4086 if (!sk) { 4312 if (!sk) {
@@ -4110,59 +4336,11 @@ static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk
4110 break; 4336 break;
4111 4337
4112 case L2CAP_MODE_ERTM: 4338 case L2CAP_MODE_ERTM:
4113 control = get_unaligned_le16(skb->data); 4339 if (!sock_owned_by_user(sk)) {
4114 skb_pull(skb, 2); 4340 l2cap_ertm_data_rcv(sk, skb);
4115 len = skb->len;
4116
4117 if (__is_sar_start(control))
4118 len -= 2;
4119
4120 if (pi->fcs == L2CAP_FCS_CRC16)
4121 len -= 2;
4122
4123 /*
4124 * We can just drop the corrupted I-frame here.
4125 * Receiver will miss it and start proper recovery
4126 * procedures and ask retransmission.
4127 */
4128 if (len > pi->mps) {
4129 l2cap_send_disconn_req(pi->conn, sk);
4130 goto drop;
4131 }
4132
4133 if (l2cap_check_fcs(pi, skb))
4134 goto drop;
4135
4136 req_seq = __get_reqseq(control);
4137 req_seq_offset = (req_seq - pi->expected_ack_seq) % 64;
4138 if (req_seq_offset < 0)
4139 req_seq_offset += 64;
4140
4141 next_tx_seq_offset =
4142 (pi->next_tx_seq - pi->expected_ack_seq) % 64;
4143 if (next_tx_seq_offset < 0)
4144 next_tx_seq_offset += 64;
4145
4146 /* check for invalid req-seq */
4147 if (req_seq_offset > next_tx_seq_offset) {
4148 l2cap_send_disconn_req(pi->conn, sk);
4149 goto drop;
4150 }
4151
4152 if (__is_iframe(control)) {
4153 if (len < 4) {
4154 l2cap_send_disconn_req(pi->conn, sk);
4155 goto drop;
4156 }
4157
4158 l2cap_data_channel_iframe(sk, control, skb);
4159 } else { 4341 } else {
4160 if (len != 0) { 4342 if (sk_add_backlog(sk, skb))
4161 l2cap_send_disconn_req(pi->conn, sk);
4162 goto drop; 4343 goto drop;
4163 }
4164
4165 l2cap_data_channel_sframe(sk, control, skb);
4166 } 4344 }
4167 4345
4168 goto done; 4346 goto done;
@@ -4172,16 +4350,16 @@ static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk
4172 skb_pull(skb, 2); 4350 skb_pull(skb, 2);
4173 len = skb->len; 4351 len = skb->len;
4174 4352
4353 if (l2cap_check_fcs(pi, skb))
4354 goto drop;
4355
4175 if (__is_sar_start(control)) 4356 if (__is_sar_start(control))
4176 len -= 2; 4357 len -= 2;
4177 4358
4178 if (pi->fcs == L2CAP_FCS_CRC16) 4359 if (pi->fcs == L2CAP_FCS_CRC16)
4179 len -= 2; 4360 len -= 2;
4180 4361
4181 if (len > pi->mps || len < 4 || __is_sframe(control)) 4362 if (len > pi->mps || len < 0 || __is_sframe(control))
4182 goto drop;
4183
4184 if (l2cap_check_fcs(pi, skb))
4185 goto drop; 4363 goto drop;
4186 4364
4187 tx_seq = __get_txseq(control); 4365 tx_seq = __get_txseq(control);
@@ -4281,7 +4459,7 @@ static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
4281 struct hlist_node *node; 4459 struct hlist_node *node;
4282 4460
4283 if (type != ACL_LINK) 4461 if (type != ACL_LINK)
4284 return 0; 4462 return -EINVAL;
4285 4463
4286 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr)); 4464 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
4287 4465
@@ -4314,7 +4492,7 @@ static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
4314 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status); 4492 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
4315 4493
4316 if (hcon->type != ACL_LINK) 4494 if (hcon->type != ACL_LINK)
4317 return 0; 4495 return -EINVAL;
4318 4496
4319 if (!status) { 4497 if (!status) {
4320 conn = l2cap_conn_add(hcon, status); 4498 conn = l2cap_conn_add(hcon, status);
@@ -4343,7 +4521,7 @@ static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
4343 BT_DBG("hcon %p reason %d", hcon, reason); 4521 BT_DBG("hcon %p reason %d", hcon, reason);
4344 4522
4345 if (hcon->type != ACL_LINK) 4523 if (hcon->type != ACL_LINK)
4346 return 0; 4524 return -EINVAL;
4347 4525
4348 l2cap_conn_del(hcon, bt_err(reason)); 4526 l2cap_conn_del(hcon, bt_err(reason));
4349 4527
@@ -4404,6 +4582,7 @@ static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
4404 req.psm = l2cap_pi(sk)->psm; 4582 req.psm = l2cap_pi(sk)->psm;
4405 4583
4406 l2cap_pi(sk)->ident = l2cap_get_ident(conn); 4584 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
4585 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
4407 4586
4408 l2cap_send_cmd(conn, l2cap_pi(sk)->ident, 4587 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
4409 L2CAP_CONN_REQ, sizeof(req), &req); 4588 L2CAP_CONN_REQ, sizeof(req), &req);
@@ -4671,14 +4850,8 @@ EXPORT_SYMBOL(l2cap_load);
4671module_init(l2cap_init); 4850module_init(l2cap_init);
4672module_exit(l2cap_exit); 4851module_exit(l2cap_exit);
4673 4852
4674module_param(enable_ertm, bool, 0644); 4853module_param(disable_ertm, bool, 0644);
4675MODULE_PARM_DESC(enable_ertm, "Enable enhanced retransmission mode"); 4854MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
4676
4677module_param(max_transmit, uint, 0644);
4678MODULE_PARM_DESC(max_transmit, "Max transmit value (default = 3)");
4679
4680module_param(tx_window, uint, 0644);
4681MODULE_PARM_DESC(tx_window, "Transmission window size value (default = 63)");
4682 4855
4683MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>"); 4856MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
4684MODULE_DESCRIPTION("Bluetooth L2CAP ver " VERSION); 4857MODULE_DESCRIPTION("Bluetooth L2CAP ver " VERSION);
generated by cgit v1.2.2 (git 2.25.0) at 2025-01-11 22:27:46 -0500