projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Move more channel info to struct l2cap_chan
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
1da177e4
LT		 6
7 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License version 2 as
11 published by the Free Software Foundation;
12
13 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
14 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
15 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
16 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 17 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
18 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
19 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 20 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
21
8e87d142
YH		 22 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
23 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 24 SOFTWARE IS DISCLAIMED.
25*/
26
bb58f747 27/* Bluetooth L2CAP core. */
1da177e4 28
1da177e4
LT		 29#include <linux/module.h>
30
31#include <linux/types.h>
4fc268d2 32#include <linux/capability.h>
1da177e4
LT		 33#include <linux/errno.h>
34#include <linux/kernel.h>
1da177e4
LT		 35#include <linux/sched.h>
36#include <linux/slab.h>
37#include <linux/poll.h>
38#include <linux/fcntl.h>
39#include <linux/init.h>
40#include <linux/interrupt.h>
41#include <linux/socket.h>
42#include <linux/skbuff.h>
1da177e4 43#include <linux/list.h>
be9d1227 44#include <linux/device.h>
aef7d97c
MH		 45#include <linux/debugfs.h>
46#include <linux/seq_file.h>
af05b30b 47#include <linux/uaccess.h>
fcc203c3 48#include <linux/crc16.h>
1da177e4
LT		 49#include <net/sock.h>
50
51#include <asm/system.h>
1da177e4
LT		 52#include <asm/unaligned.h>
53
54#include <net/bluetooth/bluetooth.h>
55#include <net/bluetooth/hci_core.h>
56#include <net/bluetooth/l2cap.h>
57
bb58f747 58int disable_ertm;
f0709e03 59
47ec1dcd 60static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
e1027a7c 61static u8 l2cap_fixed_chan[8] = { 0x02, };
1da177e4 62
1890d36b
GP		 63static struct workqueue_struct *_busy_wq;
64
bb58f747 65struct bt_sock_list l2cap_sk_list = {
d5fb2962 66 .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
1da177e4
LT		 67};
68
1890d36b
GP		 69static void l2cap_busy_work(struct work_struct *work);
70
1da177e4
LT		 71static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
72 u8 code, u8 ident, u16 dlen, void *data);
710f9b0a 73static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
1da177e4 74
218bb9df
GP		 75static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb);
76
0139418c 77/* ---- L2CAP channels ---- */
baa7e1fa 78static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
0139418c 79{
48454079 80 struct l2cap_chan *c;
baa7e1fa
GP		 81
82 list_for_each_entry(c, &conn->chan_l, list) {
83 struct sock *s = c->sk;
84 if (l2cap_pi(s)->dcid == cid)
85 return c;
0139418c 86 }
baa7e1fa
GP		 87 return NULL;
88
0139418c
MH		 89}
90
baa7e1fa 91static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 92{
48454079 93 struct l2cap_chan *c;
baa7e1fa
GP		 94
95 list_for_each_entry(c, &conn->chan_l, list) {
96 struct sock *s = c->sk;
97 if (l2cap_pi(s)->scid == cid)
98 return c;
0139418c 99 }
baa7e1fa 100 return NULL;
0139418c
MH		 101}
102
103/* Find channel with given SCID.
104 * Returns locked socket */
baa7e1fa 105static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 106{
48454079 107 struct l2cap_chan *c;
baa7e1fa
GP		 108
109 read_lock(&conn->chan_lock);
110 c = __l2cap_get_chan_by_scid(conn, cid);
48454079
GP		 111 if (c)
112 bh_lock_sock(c->sk);
baa7e1fa 113 read_unlock(&conn->chan_lock);
48454079 114 return c;
0139418c
MH		 115}
116
baa7e1fa 117static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 118{
48454079 119 struct l2cap_chan *c;
baa7e1fa
GP		 120
121 list_for_each_entry(c, &conn->chan_l, list) {
fc7f8a7e 122 if (c->ident == ident)
baa7e1fa 123 return c;
0139418c 124 }
baa7e1fa 125 return NULL;
0139418c
MH		 126}
127
baa7e1fa 128static inline struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 129{
48454079 130 struct l2cap_chan *c;
baa7e1fa
GP		 131
132 read_lock(&conn->chan_lock);
133 c = __l2cap_get_chan_by_ident(conn, ident);
48454079
GP		 134 if (c)
135 bh_lock_sock(c->sk);
baa7e1fa 136 read_unlock(&conn->chan_lock);
48454079 137 return c;
0139418c
MH		 138}
139
baa7e1fa 140static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 141{
8db4dc46 142 u16 cid = L2CAP_CID_DYN_START;
0139418c 143
8db4dc46 144 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 145 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 146 return cid;
147 }
148
149 return 0;
150}
151
5d41ce1d 152struct l2cap_chan *l2cap_chan_alloc(struct sock *sk)
48454079
GP		 153{
154 struct l2cap_chan *chan;
155
156 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
157 if (!chan)
158 return NULL;
159
160 chan->sk = sk;
161
162 return chan;
163}
164
48454079 165static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 166{
48454079 167 struct sock *sk = chan->sk;
0139418c 168
af05b30b
GP		 169 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
170 l2cap_pi(sk)->psm, l2cap_pi(sk)->dcid);
0139418c 171
2950f21a
MH		 172 conn->disc_reason = 0x13;
173
0139418c
MH		 174 l2cap_pi(sk)->conn = conn;
175
bd3c9e25 176 if (sk->sk_type == SOCK_SEQPACKET || sk->sk_type == SOCK_STREAM) {
b62f328b
VT		 177 if (conn->hcon->type == LE_LINK) {
178 /* LE connection */
0c1bc5c6 179 chan->omtu = L2CAP_LE_DEFAULT_MTU;
b62f328b
VT		 180 l2cap_pi(sk)->scid = L2CAP_CID_LE_DATA;
181 l2cap_pi(sk)->dcid = L2CAP_CID_LE_DATA;
182 } else {
183 /* Alloc CID for connection-oriented socket */
baa7e1fa 184 l2cap_pi(sk)->scid = l2cap_alloc_cid(conn);
0c1bc5c6 185 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 186 }
0139418c
MH		 187 } else if (sk->sk_type == SOCK_DGRAM) {
188 /* Connectionless socket */
8db4dc46
GP		 189 l2cap_pi(sk)->scid = L2CAP_CID_CONN_LESS;
190 l2cap_pi(sk)->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 191 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 192 } else {
193 /* Raw socket can send/recv signalling messages only */
8db4dc46
GP		 194 l2cap_pi(sk)->scid = L2CAP_CID_SIGNALING;
195 l2cap_pi(sk)->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 196 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 197 }
198
baa7e1fa
GP		 199 sock_hold(sk);
200
201 list_add(&chan->list, &conn->chan_l);
0139418c
MH		 202}
203
8e87d142 204/* Delete channel.
0139418c 205 * Must be called on the locked socket. */
48454079 206void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 207{
48454079 208 struct sock *sk = chan->sk;
0139418c
MH		 209 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
210 struct sock *parent = bt_sk(sk)->parent;
211
212 l2cap_sock_clear_timer(sk);
213
49208c9c 214 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 215
8e87d142 216 if (conn) {
baa7e1fa
GP		 217 /* Delete from channel list */
218 write_lock_bh(&conn->chan_lock);
219 list_del(&chan->list);
220 write_unlock_bh(&conn->chan_lock);
221 __sock_put(sk);
222
0139418c
MH		 223 l2cap_pi(sk)->conn = NULL;
224 hci_conn_put(conn->hcon);
225 }
226
b1235d79 227 sk->sk_state = BT_CLOSED;
0139418c
MH		 228 sock_set_flag(sk, SOCK_ZAPPED);
229
230 if (err)
231 sk->sk_err = err;
232
233 if (parent) {
234 bt_accept_unlink(sk);
235 parent->sk_data_ready(parent, 0);
236 } else
237 sk->sk_state_change(sk);
c13ffa62 238
b4450035
GP		 239 if (!(chan->conf_state & L2CAP_CONF_OUTPUT_DONE &&
240 chan->conf_state & L2CAP_CONF_INPUT_DONE))
2ead70b8
GP		 241 goto free;
242
58d35f87 243 skb_queue_purge(&chan->tx_q);
c13ffa62 244
0c1bc5c6 245 if (chan->mode == L2CAP_MODE_ERTM) {
c13ffa62
GP		 246 struct srej_list *l, *tmp;
247
e92c8e70
GP		 248 del_timer(&chan->retrans_timer);
249 del_timer(&chan->monitor_timer);
250 del_timer(&chan->ack_timer);
c13ffa62 251
f1c6775b
GP		 252 skb_queue_purge(&chan->srej_q);
253 skb_queue_purge(&chan->busy_q);
c13ffa62 254
39d5a3ee 255 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
c13ffa62
GP		 256 list_del(&l->list);
257 kfree(l);
258 }
259 }
48454079 260
2ead70b8 261free:
48454079 262 kfree(chan);
0139418c
MH		 263}
264
4343478f 265static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 266{
4343478f
GP		 267 struct sock *sk = chan->sk;
268
8556edd3 269 if (sk->sk_type == SOCK_RAW) {
4343478f 270 switch (chan->sec_level) {
8556edd3
JH		 271 case BT_SECURITY_HIGH:
272 return HCI_AT_DEDICATED_BONDING_MITM;
273 case BT_SECURITY_MEDIUM:
274 return HCI_AT_DEDICATED_BONDING;
275 default:
276 return HCI_AT_NO_BONDING;
277 }
278 } else if (l2cap_pi(sk)->psm == cpu_to_le16(0x0001)) {
4343478f
GP		 279 if (chan->sec_level == BT_SECURITY_LOW)
280 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 281
4343478f 282 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 283 return HCI_AT_NO_BONDING_MITM;
00ae4af9 284 else
8556edd3 285 return HCI_AT_NO_BONDING;
00ae4af9 286 } else {
4343478f 287 switch (chan->sec_level) {
00ae4af9 288 case BT_SECURITY_HIGH:
8556edd3 289 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 290 case BT_SECURITY_MEDIUM:
8556edd3 291 return HCI_AT_GENERAL_BONDING;
00ae4af9 292 default:
8556edd3 293 return HCI_AT_NO_BONDING;
00ae4af9 294 }
0684e5f9 295 }
8556edd3
JH		 296}
297
298/* Service level security */
4343478f 299static inline int l2cap_check_security(struct l2cap_chan *chan)
8556edd3 300{
4343478f 301 struct l2cap_conn *conn = l2cap_pi(chan->sk)->conn;
8556edd3
JH		 302 __u8 auth_type;
303
4343478f 304 auth_type = l2cap_get_auth_type(chan);
79d554a6 305
4343478f 306 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 307}
308
68983259 309u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 310{
311 u8 id;
312
313 /* Get next available identificator.
314 * 1 - 128 are used by kernel.
315 * 129 - 199 are reserved.
316 * 200 - 254 are used by utilities like l2ping, etc.
317 */
318
319 spin_lock_bh(&conn->lock);
320
321 if (++conn->tx_ident > 128)
322 conn->tx_ident = 1;
323
324 id = conn->tx_ident;
325
326 spin_unlock_bh(&conn->lock);
327
328 return id;
329}
330
68983259 331void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
4e8402a3
MH		 332{
333 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 334 u8 flags;
4e8402a3
MH		 335
336 BT_DBG("code 0x%2.2x", code);
337
338 if (!skb)
9a9c6a34 339 return;
4e8402a3 340
e702112f
AE		 341 if (lmp_no_flush_capable(conn->hcon->hdev))
342 flags = ACL_START_NO_FLUSH;
343 else
344 flags = ACL_START;
345
346 hci_send_acl(conn->hcon, skb, flags);
4e8402a3
MH		 347}
348
525cd185 349static inline void l2cap_send_sframe(struct l2cap_chan *chan, u16 control)
1c2acffb
GP		 350{
351 struct sk_buff *skb;
352 struct l2cap_hdr *lh;
525cd185 353 struct l2cap_pinfo *pi = l2cap_pi(chan->sk);
1c2acffb 354 struct l2cap_conn *conn = pi->conn;
c13ffa62 355 struct sock *sk = (struct sock *)pi;
fcc203c3 356 int count, hlen = L2CAP_HDR_SIZE + 2;
e702112f 357 u8 flags;
fcc203c3 358
c13ffa62
GP		 359 if (sk->sk_state != BT_CONNECTED)
360 return;
361
47d1ec61 362 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3 363 hlen += 2;
1c2acffb 364
49208c9c 365 BT_DBG("chan %p, control 0x%2.2x", chan, control);
1c2acffb 366
fcc203c3 367 count = min_t(unsigned int, conn->mtu, hlen);
1c2acffb
GP		 368 control |= L2CAP_CTRL_FRAME_TYPE;
369
525cd185 370 if (chan->conn_state & L2CAP_CONN_SEND_FBIT) {
9e917af1 371 control |= L2CAP_CTRL_FINAL;
525cd185 372 chan->conn_state &= ~L2CAP_CONN_SEND_FBIT;
9e917af1
GP		 373 }
374
525cd185 375 if (chan->conn_state & L2CAP_CONN_SEND_PBIT) {
f0946ccf 376 control |= L2CAP_CTRL_POLL;
525cd185 377 chan->conn_state &= ~L2CAP_CONN_SEND_PBIT;
f0946ccf
GP		 378 }
379
1c2acffb
GP		 380 skb = bt_skb_alloc(count, GFP_ATOMIC);
381 if (!skb)
9a9c6a34 382 return;
1c2acffb
GP		 383
384 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fcc203c3 385 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
1c2acffb
GP		 386 lh->cid = cpu_to_le16(pi->dcid);
387 put_unaligned_le16(control, skb_put(skb, 2));
388
47d1ec61 389 if (chan->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 390 u16 fcs = crc16(0, (u8 *)lh, count - 2);
391 put_unaligned_le16(fcs, skb_put(skb, 2));
392 }
393
e702112f
AE		 394 if (lmp_no_flush_capable(conn->hcon->hdev))
395 flags = ACL_START_NO_FLUSH;
396 else
397 flags = ACL_START;
398
399 hci_send_acl(pi->conn->hcon, skb, flags);
1c2acffb
GP		 400}
401
525cd185 402static inline void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, u16 control)
7e743090 403{
525cd185 404 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
7e743090 405 control |= L2CAP_SUPER_RCV_NOT_READY;
525cd185 406 chan->conn_state |= L2CAP_CONN_RNR_SENT;
1890d36b 407 } else
7e743090
GP		 408 control |= L2CAP_SUPER_RCV_READY;
409
42e5c802 410 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
2ab25cdd 411
525cd185 412 l2cap_send_sframe(chan, control);
7e743090
GP		 413}
414
b4450035 415static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 416{
b4450035 417 return !(chan->conf_state & L2CAP_CONF_CONNECT_PEND);
e501d055
AE		 418}
419
fc7f8a7e 420static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 421{
fc7f8a7e 422 struct sock *sk = chan->sk;
79d554a6
MH		 423 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
424
425 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 426 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
427 return;
428
4343478f
GP		 429 if (l2cap_check_security(chan) &&
430 __l2cap_no_conn_pending(chan)) {
b1235d79
MH		 431 struct l2cap_conn_req req;
432 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
433 req.psm = l2cap_pi(sk)->psm;
79d554a6 434
fc7f8a7e 435 chan->ident = l2cap_get_ident(conn);
b4450035 436 chan->conf_state |= L2CAP_CONF_CONNECT_PEND;
79d554a6 437
fc7f8a7e
GP		 438 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
439 sizeof(req), &req);
b1235d79 440 }
79d554a6
MH		 441 } else {
442 struct l2cap_info_req req;
443 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
444
445 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
446 conn->info_ident = l2cap_get_ident(conn);
447
448 mod_timer(&conn->info_timer, jiffies +
449 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
450
451 l2cap_send_cmd(conn, conn->info_ident,
452 L2CAP_INFO_REQ, sizeof(req), &req);
453 }
454}
455
cf6c2c0b
GP		 456static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
457{
458 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 459 if (!disable_ertm)
cf6c2c0b
GP		 460 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
461
462 switch (mode) {
463 case L2CAP_MODE_ERTM:
464 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
465 case L2CAP_MODE_STREAMING:
466 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
467 default:
468 return 0x00;
469 }
470}
471
e92c8e70 472void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
22121fc9 473{
e92c8e70 474 struct sock *sk;
22121fc9
GP		 475 struct l2cap_disconn_req req;
476
c13ffa62
GP		 477 if (!conn)
478 return;
479
e92c8e70
GP		 480 sk = chan->sk;
481
0c1bc5c6 482 if (chan->mode == L2CAP_MODE_ERTM) {
e92c8e70
GP		 483 del_timer(&chan->retrans_timer);
484 del_timer(&chan->monitor_timer);
485 del_timer(&chan->ack_timer);
c13ffa62
GP		 486 }
487
22121fc9
GP		 488 req.dcid = cpu_to_le16(l2cap_pi(sk)->dcid);
489 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
490 l2cap_send_cmd(conn, l2cap_get_ident(conn),
491 L2CAP_DISCONN_REQ, sizeof(req), &req);
c13ffa62
GP		 492
493 sk->sk_state = BT_DISCONN;
9b108fc0 494 sk->sk_err = err;
22121fc9
GP		 495}
496
1da177e4 497/* ---- L2CAP connections ---- */
4e8402a3
MH		 498static void l2cap_conn_start(struct l2cap_conn *conn)
499{
820ffdb3 500 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 501
502 BT_DBG("conn %p", conn);
503
baa7e1fa 504 read_lock(&conn->chan_lock);
4e8402a3 505
820ffdb3 506 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 507 struct sock *sk = chan->sk;
baa7e1fa 508
4e8402a3
MH		 509 bh_lock_sock(sk);
510
bd3c9e25
GP		 511 if (sk->sk_type != SOCK_SEQPACKET &&
512 sk->sk_type != SOCK_STREAM) {
79d554a6
MH		 513 bh_unlock_sock(sk);
514 continue;
515 }
516
517 if (sk->sk_state == BT_CONNECT) {
47731de7 518 struct l2cap_conn_req req;
79d554a6 519
4343478f 520 if (!l2cap_check_security(chan) ||
b4450035 521 !__l2cap_no_conn_pending(chan)) {
47731de7
GP		 522 bh_unlock_sock(sk);
523 continue;
524 }
79d554a6 525
0c1bc5c6 526 if (!l2cap_mode_supported(chan->mode,
47731de7 527 conn->feat_mask)
b4450035 528 && chan->conf_state &
47731de7 529 L2CAP_CONF_STATE2_DEVICE) {
820ffdb3
GP		 530 /* __l2cap_sock_close() calls list_del(chan)
531 * so release the lock */
532 read_unlock_bh(&conn->chan_lock);
533 __l2cap_sock_close(sk, ECONNRESET);
534 read_lock_bh(&conn->chan_lock);
47731de7
GP		 535 bh_unlock_sock(sk);
536 continue;
b1235d79 537 }
47731de7
GP		 538
539 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
540 req.psm = l2cap_pi(sk)->psm;
541
fc7f8a7e 542 chan->ident = l2cap_get_ident(conn);
b4450035 543 chan->conf_state |= L2CAP_CONF_CONNECT_PEND;
47731de7 544
fc7f8a7e
GP		 545 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
546 sizeof(req), &req);
47731de7 547
79d554a6
MH		 548 } else if (sk->sk_state == BT_CONNECT2) {
549 struct l2cap_conn_rsp rsp;
e9aeb2dd 550 char buf[128];
79d554a6
MH		 551 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
552 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
553
4343478f 554 if (l2cap_check_security(chan)) {
f66dc81f
MH		 555 if (bt_sk(sk)->defer_setup) {
556 struct sock *parent = bt_sk(sk)->parent;
557 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
558 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
559 parent->sk_data_ready(parent, 0);
560
561 } else {
562 sk->sk_state = BT_CONFIG;
563 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
564 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
565 }
79d554a6
MH		 566 } else {
567 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
568 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
569 }
570
fc7f8a7e
GP		 571 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
572 sizeof(rsp), &rsp);
e9aeb2dd 573
b4450035 574 if (chan->conf_state & L2CAP_CONF_REQ_SENT ||
e9aeb2dd
GP		 575 rsp.result != L2CAP_CR_SUCCESS) {
576 bh_unlock_sock(sk);
577 continue;
578 }
579
b4450035 580 chan->conf_state |= L2CAP_CONF_REQ_SENT;
e9aeb2dd 581 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 582 l2cap_build_conf_req(chan, buf), buf);
583 chan->num_conf_req++;
4e8402a3
MH		 584 }
585
586 bh_unlock_sock(sk);
587 }
588
baa7e1fa 589 read_unlock(&conn->chan_lock);
4e8402a3
MH		 590}
591
b62f328b
VT		 592/* Find socket with cid and source bdaddr.
593 * Returns closest match, locked.
594 */
595static struct sock *l2cap_get_sock_by_scid(int state, __le16 cid, bdaddr_t *src)
596{
280f294f 597 struct sock *sk = NULL, *sk1 = NULL;
b62f328b
VT		 598 struct hlist_node *node;
599
600 read_lock(&l2cap_sk_list.lock);
601
602 sk_for_each(sk, node, &l2cap_sk_list.head) {
603 if (state && sk->sk_state != state)
604 continue;
605
606 if (l2cap_pi(sk)->scid == cid) {
607 /* Exact match. */
608 if (!bacmp(&bt_sk(sk)->src, src))
609 break;
610
611 /* Closest match */
612 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
613 sk1 = sk;
614 }
615 }
280f294f 616
b62f328b
VT		 617 read_unlock(&l2cap_sk_list.lock);
618
280f294f 619 return node ? sk : sk1;
b62f328b
VT		 620}
621
622static void l2cap_le_conn_ready(struct l2cap_conn *conn)
623{
c916fbe4 624 struct sock *parent, *sk;
48454079 625 struct l2cap_chan *chan;
b62f328b
VT		 626
627 BT_DBG("");
628
629 /* Check if we have socket listening on cid */
630 parent = l2cap_get_sock_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
631 conn->src);
632 if (!parent)
633 return;
634
62f3a2cf
GP		 635 bh_lock_sock(parent);
636
b62f328b
VT		 637 /* Check for backlog size */
638 if (sk_acceptq_is_full(parent)) {
639 BT_DBG("backlog full %d", parent->sk_ack_backlog);
640 goto clean;
641 }
642
643 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP, GFP_ATOMIC);
644 if (!sk)
645 goto clean;
646
48454079
GP		 647 chan = l2cap_chan_alloc(sk);
648 if (!chan) {
649 l2cap_sock_kill(sk);
650 goto clean;
651 }
652
5d41ce1d
GP		 653 l2cap_pi(sk)->chan = chan;
654
baa7e1fa 655 write_lock_bh(&conn->chan_lock);
b62f328b
VT		 656
657 hci_conn_hold(conn->hcon);
658
659 l2cap_sock_init(sk, parent);
baa7e1fa 660
b62f328b
VT		 661 bacpy(&bt_sk(sk)->src, conn->src);
662 bacpy(&bt_sk(sk)->dst, conn->dst);
663
d1010240
GP		 664 bt_accept_enqueue(parent, sk);
665
48454079
GP		 666 __l2cap_chan_add(conn, chan);
667
b62f328b
VT		 668 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
669
670 sk->sk_state = BT_CONNECTED;
671 parent->sk_data_ready(parent, 0);
672
baa7e1fa 673 write_unlock_bh(&conn->chan_lock);
b62f328b
VT		 674
675clean:
676 bh_unlock_sock(parent);
677}
678
4e8402a3
MH		 679static void l2cap_conn_ready(struct l2cap_conn *conn)
680{
48454079 681 struct l2cap_chan *chan;
4e8402a3 682
79d554a6 683 BT_DBG("conn %p", conn);
4e8402a3 684
b62f328b
VT		 685 if (!conn->hcon->out && conn->hcon->type == LE_LINK)
686 l2cap_le_conn_ready(conn);
687
baa7e1fa 688 read_lock(&conn->chan_lock);
4e8402a3 689
baa7e1fa 690 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 691 struct sock *sk = chan->sk;
baa7e1fa 692
79d554a6 693 bh_lock_sock(sk);
4e8402a3 694
acd7d370
VT		 695 if (conn->hcon->type == LE_LINK) {
696 l2cap_sock_clear_timer(sk);
697 sk->sk_state = BT_CONNECTED;
698 sk->sk_state_change(sk);
699 }
700
bd3c9e25
GP		 701 if (sk->sk_type != SOCK_SEQPACKET &&
702 sk->sk_type != SOCK_STREAM) {
79d554a6
MH		 703 l2cap_sock_clear_timer(sk);
704 sk->sk_state = BT_CONNECTED;
705 sk->sk_state_change(sk);
706 } else if (sk->sk_state == BT_CONNECT)
fc7f8a7e 707 l2cap_do_start(chan);
4e8402a3 708
79d554a6 709 bh_unlock_sock(sk);
4e8402a3 710 }
79d554a6 711
baa7e1fa 712 read_unlock(&conn->chan_lock);
4e8402a3
MH		 713}
714
715/* Notify sockets that we cannot guaranty reliability anymore */
716static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
717{
48454079 718 struct l2cap_chan *chan;
4e8402a3
MH		 719
720 BT_DBG("conn %p", conn);
721
baa7e1fa 722 read_lock(&conn->chan_lock);
4e8402a3 723
baa7e1fa 724 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 725 struct sock *sk = chan->sk;
baa7e1fa 726
4343478f 727 if (chan->force_reliable)
4e8402a3
MH		 728 sk->sk_err = err;
729 }
730
baa7e1fa 731 read_unlock(&conn->chan_lock);
4e8402a3
MH		 732}
733
734static void l2cap_info_timeout(unsigned long arg)
735{
736 struct l2cap_conn *conn = (void *) arg;
737
984947dc 738 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 739 conn->info_ident = 0;
984947dc 740
4e8402a3
MH		 741 l2cap_conn_start(conn);
742}
743
1da177e4
LT		 744static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
745{
0139418c 746 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4 747
0139418c 748 if (conn || status)
1da177e4
LT		 749 return conn;
750
0139418c
MH		 751 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
752 if (!conn)
1da177e4 753 return NULL;
1da177e4
LT		 754
755 hcon->l2cap_data = conn;
756 conn->hcon = hcon;
757
0139418c
MH		 758 BT_DBG("hcon %p conn %p", hcon, conn);
759
acd7d370
VT		 760 if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
761 conn->mtu = hcon->hdev->le_mtu;
762 else
763 conn->mtu = hcon->hdev->acl_mtu;
764
1da177e4
LT		 765 conn->src = &hcon->hdev->bdaddr;
766 conn->dst = &hcon->dst;
767
4e8402a3
MH		 768 conn->feat_mask = 0;
769
1da177e4 770 spin_lock_init(&conn->lock);
baa7e1fa
GP		 771 rwlock_init(&conn->chan_lock);
772
773 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 774
b62f328b
VT		 775 if (hcon->type != LE_LINK)
776 setup_timer(&conn->info_timer, l2cap_info_timeout,
45054dc1
DY		 777 (unsigned long) conn);
778
2950f21a
MH		 779 conn->disc_reason = 0x13;
780
1da177e4
LT		 781 return conn;
782}
783
0139418c 784static void l2cap_conn_del(struct hci_conn *hcon, int err)
1da177e4 785{
0139418c 786 struct l2cap_conn *conn = hcon->l2cap_data;
baa7e1fa 787 struct l2cap_chan *chan, *l;
1da177e4
LT		 788 struct sock *sk;
789
0139418c
MH		 790 if (!conn)
791 return;
1da177e4
LT		 792
793 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
794
7585b97a 795 kfree_skb(conn->rx_skb);
1da177e4
LT		 796
797 /* Kill channels */
baa7e1fa 798 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
48454079 799 sk = chan->sk;
1da177e4 800 bh_lock_sock(sk);
48454079 801 l2cap_chan_del(chan, err);
1da177e4
LT		 802 bh_unlock_sock(sk);
803 l2cap_sock_kill(sk);
804 }
805
8e8440f5
DY		 806 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
807 del_timer_sync(&conn->info_timer);
3ab22731 808
1da177e4
LT		 809 hcon->l2cap_data = NULL;
810 kfree(conn);
1da177e4
LT		 811}
812
48454079 813static inline void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
1da177e4 814{
baa7e1fa 815 write_lock_bh(&conn->chan_lock);
48454079 816 __l2cap_chan_add(conn, chan);
baa7e1fa 817 write_unlock_bh(&conn->chan_lock);
1da177e4
LT		 818}
819
1da177e4 820/* ---- Socket interface ---- */
1da177e4
LT		 821
822/* Find socket with psm and source bdaddr.
823 * Returns closest match.
824 */
e0f0cb56 825static struct sock *l2cap_get_sock_by_psm(int state, __le16 psm, bdaddr_t *src)
1da177e4
LT		 826{
827 struct sock *sk = NULL, *sk1 = NULL;
828 struct hlist_node *node;
829
e0f0cb56
GP		 830 read_lock(&l2cap_sk_list.lock);
831
1da177e4
LT		 832 sk_for_each(sk, node, &l2cap_sk_list.head) {
833 if (state && sk->sk_state != state)
834 continue;
835
836 if (l2cap_pi(sk)->psm == psm) {
837 /* Exact match. */
838 if (!bacmp(&bt_sk(sk)->src, src))
839 break;
840
841 /* Closest match */
842 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
843 sk1 = sk;
844 }
845 }
1da177e4 846
1da177e4 847 read_unlock(&l2cap_sk_list.lock);
e0f0cb56
GP		 848
849 return node ? sk : sk1;
1da177e4
LT		 850}
851
77a74c7e 852int l2cap_chan_connect(struct l2cap_chan *chan)
1da177e4 853{
5d41ce1d 854 struct sock *sk = chan->sk;
1da177e4
LT		 855 bdaddr_t *src = &bt_sk(sk)->src;
856 bdaddr_t *dst = &bt_sk(sk)->dst;
857 struct l2cap_conn *conn;
858 struct hci_conn *hcon;
859 struct hci_dev *hdev;
09ab6f4c 860 __u8 auth_type;
44d0e48e 861 int err;
1da177e4 862
f29972de
MH		 863 BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
864 l2cap_pi(sk)->psm);
1da177e4 865
af05b30b
GP		 866 hdev = hci_get_route(dst, src);
867 if (!hdev)
1da177e4
LT		 868 return -EHOSTUNREACH;
869
870 hci_dev_lock_bh(hdev);
871
4343478f 872 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 873
acd7d370
VT		 874 if (l2cap_pi(sk)->dcid == L2CAP_CID_LE_DATA)
875 hcon = hci_connect(hdev, LE_LINK, dst,
4343478f 876 chan->sec_level, auth_type);
acd7d370
VT		 877 else
878 hcon = hci_connect(hdev, ACL_LINK, dst,
4343478f 879 chan->sec_level, auth_type);
acd7d370 880
30e76272
VT		 881 if (IS_ERR(hcon)) {
882 err = PTR_ERR(hcon);
1da177e4 883 goto done;
30e76272 884 }
1da177e4
LT		 885
886 conn = l2cap_conn_add(hcon, 0);
887 if (!conn) {
888 hci_conn_put(hcon);
30e76272 889 err = -ENOMEM;
1da177e4
LT		 890 goto done;
891 }
892
1da177e4
LT		 893 /* Update source addr of the socket */
894 bacpy(src, conn->src);
895
48454079
GP		 896 l2cap_chan_add(conn, chan);
897
1da177e4
LT		 898 sk->sk_state = BT_CONNECT;
899 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
900
901 if (hcon->state == BT_CONNECTED) {
bd3c9e25
GP		 902 if (sk->sk_type != SOCK_SEQPACKET &&
903 sk->sk_type != SOCK_STREAM) {
1da177e4 904 l2cap_sock_clear_timer(sk);
4343478f 905 if (l2cap_check_security(chan))
d00ef24f 906 sk->sk_state = BT_CONNECTED;
79d554a6 907 } else
fc7f8a7e 908 l2cap_do_start(chan);
1da177e4
LT		 909 }
910
30e76272
VT		 911 err = 0;
912
1da177e4
LT		 913done:
914 hci_dev_unlock_bh(hdev);
915 hci_dev_put(hdev);
916 return err;
917}
918
dcba0dba 919int __l2cap_wait_ack(struct sock *sk)
6161c038
GP		 920{
921 DECLARE_WAITQUEUE(wait, current);
922 int err = 0;
923 int timeo = HZ/5;
924
2b0b05dd 925 add_wait_queue(sk_sleep(sk), &wait);
6a026610 926 while ((l2cap_pi(sk)->chan->unacked_frames > 0 && l2cap_pi(sk)->conn)) {
6161c038
GP		 927 set_current_state(TASK_INTERRUPTIBLE);
928
929 if (!timeo)
930 timeo = HZ/5;
931
932 if (signal_pending(current)) {
933 err = sock_intr_errno(timeo);
934 break;
935 }
936
937 release_sock(sk);
938 timeo = schedule_timeout(timeo);
939 lock_sock(sk);
940
941 err = sock_error(sk);
942 if (err)
943 break;
944 }
945 set_current_state(TASK_RUNNING);
2b0b05dd 946 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 947 return err;
948}
949
e90bac06
GP		 950static void l2cap_monitor_timeout(unsigned long arg)
951{
525cd185
GP		 952 struct l2cap_chan *chan = (void *) arg;
953 struct sock *sk = chan->sk;
e90bac06 954
525cd185 955 BT_DBG("chan %p", chan);
0e98958d 956
e686219a 957 bh_lock_sock(sk);
2c03a7a4 958 if (chan->retry_count >= chan->remote_max_tx) {
e92c8e70 959 l2cap_send_disconn_req(l2cap_pi(sk)->conn, chan, ECONNABORTED);
b13f5860 960 bh_unlock_sock(sk);
e90bac06
GP		 961 return;
962 }
963
6a026610 964 chan->retry_count++;
e90bac06
GP		 965 __mod_monitor_timer();
966
525cd185 967 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
e686219a 968 bh_unlock_sock(sk);
e90bac06
GP		 969}
970
971static void l2cap_retrans_timeout(unsigned long arg)
972{
525cd185
GP		 973 struct l2cap_chan *chan = (void *) arg;
974 struct sock *sk = chan->sk;
e90bac06 975
49208c9c 976 BT_DBG("chan %p", chan);
0e98958d 977
e686219a 978 bh_lock_sock(sk);
6a026610 979 chan->retry_count = 1;
e90bac06
GP		 980 __mod_monitor_timer();
981
525cd185 982 chan->conn_state |= L2CAP_CONN_WAIT_F;
e90bac06 983
525cd185 984 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
e686219a 985 bh_unlock_sock(sk);
e90bac06
GP		 986}
987
42e5c802 988static void l2cap_drop_acked_frames(struct l2cap_chan *chan)
1da177e4 989{
1c2acffb 990 struct sk_buff *skb;
1da177e4 991
58d35f87 992 while ((skb = skb_peek(&chan->tx_q)) &&
6a026610 993 chan->unacked_frames) {
42e5c802 994 if (bt_cb(skb)->tx_seq == chan->expected_ack_seq)
1c2acffb 995 break;
1da177e4 996
58d35f87 997 skb = skb_dequeue(&chan->tx_q);
1c2acffb 998 kfree_skb(skb);
1da177e4 999
6a026610 1000 chan->unacked_frames--;
1c2acffb 1001 }
1da177e4 1002
6a026610 1003 if (!chan->unacked_frames)
e92c8e70 1004 del_timer(&chan->retrans_timer);
1c2acffb 1005}
1da177e4 1006
4343478f 1007void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
1c2acffb 1008{
4343478f
GP		 1009 struct sock *sk = chan->sk;
1010 struct hci_conn *hcon = l2cap_pi(sk)->conn->hcon;
e702112f 1011 u16 flags;
1c2acffb 1012
4343478f 1013 BT_DBG("chan %p, skb %p len %d", chan, skb, skb->len);
1da177e4 1014
4343478f 1015 if (!chan->flushable && lmp_no_flush_capable(hcon->hdev))
e702112f
AE		 1016 flags = ACL_START_NO_FLUSH;
1017 else
1018 flags = ACL_START;
1019
1020 hci_send_acl(hcon, skb, flags);
1c2acffb
GP		 1021}
1022
42e5c802 1023void l2cap_streaming_send(struct l2cap_chan *chan)
6840ed07 1024{
ccbb84af 1025 struct sk_buff *skb;
fcc203c3 1026 u16 control, fcs;
6840ed07 1027
58d35f87 1028 while ((skb = skb_dequeue(&chan->tx_q))) {
ccbb84af 1029 control = get_unaligned_le16(skb->data + L2CAP_HDR_SIZE);
42e5c802 1030 control |= chan->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT;
ccbb84af 1031 put_unaligned_le16(control, skb->data + L2CAP_HDR_SIZE);
6840ed07 1032
47d1ec61 1033 if (chan->fcs == L2CAP_FCS_CRC16) {
ccbb84af
GP		 1034 fcs = crc16(0, (u8 *)skb->data, skb->len - 2);
1035 put_unaligned_le16(fcs, skb->data + skb->len - 2);
fcc203c3
GP		 1036 }
1037
4343478f 1038 l2cap_do_send(chan, skb);
6840ed07 1039
42e5c802 1040 chan->next_tx_seq = (chan->next_tx_seq + 1) % 64;
6840ed07 1041 }
6840ed07
GP		 1042}
1043
525cd185 1044static void l2cap_retransmit_one_frame(struct l2cap_chan *chan, u8 tx_seq)
8f17154f 1045{
525cd185 1046 struct sock *sk = chan->sk;
8f17154f
GP		 1047 struct l2cap_pinfo *pi = l2cap_pi(sk);
1048 struct sk_buff *skb, *tx_skb;
1049 u16 control, fcs;
8f17154f 1050
58d35f87 1051 skb = skb_peek(&chan->tx_q);
f11d676d
GP		 1052 if (!skb)
1053 return;
8f17154f 1054
f11d676d
GP		 1055 do {
1056 if (bt_cb(skb)->tx_seq == tx_seq)
8f17154f 1057 break;
8f17154f 1058
58d35f87 1059 if (skb_queue_is_last(&chan->tx_q, skb))
f11d676d 1060 return;
8f17154f 1061
58d35f87 1062 } while ((skb = skb_queue_next(&chan->tx_q, skb)));
8f17154f 1063
2c03a7a4
GP		 1064 if (chan->remote_max_tx &&
1065 bt_cb(skb)->retries == chan->remote_max_tx) {
e92c8e70 1066 l2cap_send_disconn_req(pi->conn, chan, ECONNABORTED);
f11d676d
GP		 1067 return;
1068 }
1069
1070 tx_skb = skb_clone(skb, GFP_ATOMIC);
1071 bt_cb(skb)->retries++;
1072 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
a429b519 1073 control &= L2CAP_CTRL_SAR;
3cb123d1 1074
525cd185 1075 if (chan->conn_state & L2CAP_CONN_SEND_FBIT) {
3cb123d1 1076 control |= L2CAP_CTRL_FINAL;
525cd185 1077 chan->conn_state &= ~L2CAP_CONN_SEND_FBIT;
3cb123d1 1078 }
95ffa978 1079
42e5c802 1080 control |= (chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
f11d676d 1081 | (tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
3cb123d1 1082
f11d676d
GP		 1083 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1084
47d1ec61 1085 if (chan->fcs == L2CAP_FCS_CRC16) {
f11d676d
GP		 1086 fcs = crc16(0, (u8 *)tx_skb->data, tx_skb->len - 2);
1087 put_unaligned_le16(fcs, tx_skb->data + tx_skb->len - 2);
1088 }
1089
4343478f 1090 l2cap_do_send(chan, tx_skb);
8f17154f
GP		 1091}
1092
525cd185 1093int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1094{
1095 struct sk_buff *skb, *tx_skb;
525cd185 1096 struct sock *sk = chan->sk;
1c2acffb 1097 struct l2cap_pinfo *pi = l2cap_pi(sk);
fcc203c3 1098 u16 control, fcs;
9a9c6a34 1099 int nsent = 0;
1c2acffb 1100
c13ffa62
GP		 1101 if (sk->sk_state != BT_CONNECTED)
1102 return -ENOTCONN;
e90bac06 1103
58d35f87 1104 while ((skb = chan->tx_send_head) && (!l2cap_tx_window_full(chan))) {
1c2acffb 1105
2c03a7a4
GP		 1106 if (chan->remote_max_tx &&
1107 bt_cb(skb)->retries == chan->remote_max_tx) {
e92c8e70 1108 l2cap_send_disconn_req(pi->conn, chan, ECONNABORTED);
e90bac06
GP		 1109 break;
1110 }
1111
e420aba3
AE		 1112 tx_skb = skb_clone(skb, GFP_ATOMIC);
1113
e90bac06
GP		 1114 bt_cb(skb)->retries++;
1115
1c2acffb 1116 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
95ffa978
GP		 1117 control &= L2CAP_CTRL_SAR;
1118
525cd185 1119 if (chan->conn_state & L2CAP_CONN_SEND_FBIT) {
d5392c8f 1120 control |= L2CAP_CTRL_FINAL;
525cd185 1121 chan->conn_state &= ~L2CAP_CONN_SEND_FBIT;
d5392c8f 1122 }
42e5c802
GP		 1123 control |= (chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1124 | (chan->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
1c2acffb
GP		 1125 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1126
e90bac06 1127
47d1ec61 1128 if (chan->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 1129 fcs = crc16(0, (u8 *)skb->data, tx_skb->len - 2);
1130 put_unaligned_le16(fcs, skb->data + tx_skb->len - 2);
1131 }
1132
4343478f 1133 l2cap_do_send(chan, tx_skb);
9a9c6a34 1134
e90bac06 1135 __mod_retrans_timer();
1c2acffb 1136
42e5c802
GP		 1137 bt_cb(skb)->tx_seq = chan->next_tx_seq;
1138 chan->next_tx_seq = (chan->next_tx_seq + 1) % 64;
1c2acffb 1139
23e9fde2 1140 if (bt_cb(skb)->retries == 1)
6a026610 1141 chan->unacked_frames++;
23e9fde2 1142
6a026610 1143 chan->frames_sent++;
1c2acffb 1144
58d35f87
GP		 1145 if (skb_queue_is_last(&chan->tx_q, skb))
1146 chan->tx_send_head = NULL;
1c2acffb 1147 else
58d35f87 1148 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
9e917af1
GP		 1149
1150 nsent++;
1c2acffb
GP		 1151 }
1152
9e917af1
GP		 1153 return nsent;
1154}
1155
525cd185 1156static int l2cap_retransmit_frames(struct l2cap_chan *chan)
dfc909be 1157{
dfc909be
GP		 1158 int ret;
1159
58d35f87
GP		 1160 if (!skb_queue_empty(&chan->tx_q))
1161 chan->tx_send_head = chan->tx_q.next;
dfc909be 1162
42e5c802 1163 chan->next_tx_seq = chan->expected_ack_seq;
525cd185 1164 ret = l2cap_ertm_send(chan);
dfc909be
GP		 1165 return ret;
1166}
1167
525cd185 1168static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 1169{
9e917af1
GP		 1170 u16 control = 0;
1171
42e5c802 1172 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
9e917af1 1173
525cd185 1174 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
9e917af1 1175 control |= L2CAP_SUPER_RCV_NOT_READY;
525cd185
GP		 1176 chan->conn_state |= L2CAP_CONN_RNR_SENT;
1177 l2cap_send_sframe(chan, control);
9a9c6a34 1178 return;
9e917af1 1179 }
dfc909be 1180
525cd185 1181 if (l2cap_ertm_send(chan) > 0)
dfc909be
GP		 1182 return;
1183
1184 control |= L2CAP_SUPER_RCV_READY;
525cd185 1185 l2cap_send_sframe(chan, control);
1c2acffb
GP		 1186}
1187
525cd185 1188static void l2cap_send_srejtail(struct l2cap_chan *chan)
99b0d4b7
GP		 1189{
1190 struct srej_list *tail;
1191 u16 control;
1192
1193 control = L2CAP_SUPER_SELECT_REJECT;
1194 control |= L2CAP_CTRL_FINAL;
1195
39d5a3ee 1196 tail = list_entry((&chan->srej_l)->prev, struct srej_list, list);
99b0d4b7
GP		 1197 control |= tail->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1198
525cd185 1199 l2cap_send_sframe(chan, control);
99b0d4b7
GP		 1200}
1201
1c2acffb
GP		 1202static inline int l2cap_skbuff_fromiovec(struct sock *sk, struct msghdr *msg, int len, int count, struct sk_buff *skb)
1203{
1204 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1205 struct sk_buff **frag;
1206 int err, sent = 0;
1da177e4 1207
59203a21 1208 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1209 return -EFAULT;
1da177e4
LT		 1210
1211 sent += count;
1212 len -= count;
1213
1214 /* Continuation fragments (no L2CAP header) */
1215 frag = &skb_shinfo(skb)->frag_list;
1216 while (len) {
1217 count = min_t(unsigned int, conn->mtu, len);
1218
1219 *frag = bt_skb_send_alloc(sk, count, msg->msg_flags & MSG_DONTWAIT, &err);
1220 if (!*frag)
0175d629 1221 return err;
1c2acffb
GP		 1222 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1223 return -EFAULT;
1da177e4
LT		 1224
1225 sent += count;
1226 len -= count;
1227
1228 frag = &(*frag)->next;
1229 }
1da177e4
LT		 1230
1231 return sent;
1c2acffb 1232}
1da177e4 1233
fd83ccdb 1234struct sk_buff *l2cap_create_connless_pdu(struct sock *sk, struct msghdr *msg, size_t len)
1c2acffb
GP		 1235{
1236 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1237 struct sk_buff *skb;
1238 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1239 struct l2cap_hdr *lh;
1240
1241 BT_DBG("sk %p len %d", sk, (int)len);
1242
1243 count = min_t(unsigned int, (conn->mtu - hlen), len);
1244 skb = bt_skb_send_alloc(sk, count + hlen,
1245 msg->msg_flags & MSG_DONTWAIT, &err);
1246 if (!skb)
0175d629 1247 return ERR_PTR(err);
1c2acffb
GP		 1248
1249 /* Create L2CAP header */
1250 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1251 lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1252 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1253 put_unaligned_le16(l2cap_pi(sk)->psm, skb_put(skb, 2));
1254
1255 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1256 if (unlikely(err < 0)) {
1257 kfree_skb(skb);
1258 return ERR_PTR(err);
1259 }
1260 return skb;
1261}
1262
fd83ccdb 1263struct sk_buff *l2cap_create_basic_pdu(struct sock *sk, struct msghdr *msg, size_t len)
1c2acffb
GP		 1264{
1265 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1266 struct sk_buff *skb;
1267 int err, count, hlen = L2CAP_HDR_SIZE;
1268 struct l2cap_hdr *lh;
1269
1270 BT_DBG("sk %p len %d", sk, (int)len);
1271
1272 count = min_t(unsigned int, (conn->mtu - hlen), len);
1273 skb = bt_skb_send_alloc(sk, count + hlen,
1274 msg->msg_flags & MSG_DONTWAIT, &err);
1275 if (!skb)
0175d629 1276 return ERR_PTR(err);
1c2acffb
GP		 1277
1278 /* Create L2CAP header */
1279 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1280 lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1281 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1282
1283 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1284 if (unlikely(err < 0)) {
1285 kfree_skb(skb);
1286 return ERR_PTR(err);
1287 }
1288 return skb;
1289}
1290
47d1ec61 1291struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len, u16 control, u16 sdulen)
1c2acffb 1292{
47d1ec61 1293 struct sock *sk = chan->sk;
1c2acffb
GP		 1294 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1295 struct sk_buff *skb;
1296 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1297 struct l2cap_hdr *lh;
1298
1299 BT_DBG("sk %p len %d", sk, (int)len);
1300
0ee0d208
GP		 1301 if (!conn)
1302 return ERR_PTR(-ENOTCONN);
1303
c74e560c
GP		 1304 if (sdulen)
1305 hlen += 2;
1306
47d1ec61 1307 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3
GP		 1308 hlen += 2;
1309
1c2acffb
GP		 1310 count = min_t(unsigned int, (conn->mtu - hlen), len);
1311 skb = bt_skb_send_alloc(sk, count + hlen,
1312 msg->msg_flags & MSG_DONTWAIT, &err);
1313 if (!skb)
0175d629 1314 return ERR_PTR(err);
1c2acffb
GP		 1315
1316 /* Create L2CAP header */
1317 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1318 lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1319 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1320 put_unaligned_le16(control, skb_put(skb, 2));
c74e560c
GP		 1321 if (sdulen)
1322 put_unaligned_le16(sdulen, skb_put(skb, 2));
1c2acffb
GP		 1323
1324 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1325 if (unlikely(err < 0)) {
1326 kfree_skb(skb);
1327 return ERR_PTR(err);
1328 }
e90bac06 1329
47d1ec61 1330 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3
GP		 1331 put_unaligned_le16(0, skb_put(skb, 2));
1332
e90bac06 1333 bt_cb(skb)->retries = 0;
1c2acffb 1334 return skb;
1da177e4
LT		 1335}
1336
2c03a7a4 1337int l2cap_sar_segment_sdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
c74e560c 1338{
c74e560c
GP		 1339 struct sk_buff *skb;
1340 struct sk_buff_head sar_queue;
1341 u16 control;
1342 size_t size = 0;
1343
ff12fd64 1344 skb_queue_head_init(&sar_queue);
c74e560c 1345 control = L2CAP_SDU_START;
47d1ec61 1346 skb = l2cap_create_iframe_pdu(chan, msg, chan->remote_mps, control, len);
c74e560c
GP		 1347 if (IS_ERR(skb))
1348 return PTR_ERR(skb);
1349
1350 __skb_queue_tail(&sar_queue, skb);
2c03a7a4
GP		 1351 len -= chan->remote_mps;
1352 size += chan->remote_mps;
c74e560c
GP		 1353
1354 while (len > 0) {
1355 size_t buflen;
1356
2c03a7a4 1357 if (len > chan->remote_mps) {
44651b85 1358 control = L2CAP_SDU_CONTINUE;
2c03a7a4 1359 buflen = chan->remote_mps;
c74e560c 1360 } else {
44651b85 1361 control = L2CAP_SDU_END;
c74e560c
GP		 1362 buflen = len;
1363 }
1364
47d1ec61 1365 skb = l2cap_create_iframe_pdu(chan, msg, buflen, control, 0);
c74e560c
GP		 1366 if (IS_ERR(skb)) {
1367 skb_queue_purge(&sar_queue);
1368 return PTR_ERR(skb);
1369 }
1370
1371 __skb_queue_tail(&sar_queue, skb);
1372 len -= buflen;
1373 size += buflen;
c74e560c 1374 }
58d35f87
GP		 1375 skb_queue_splice_tail(&sar_queue, &chan->tx_q);
1376 if (chan->tx_send_head == NULL)
1377 chan->tx_send_head = sar_queue.next;
c74e560c
GP		 1378
1379 return size;
1380}
1381
1da177e4
LT		 1382static void l2cap_chan_ready(struct sock *sk)
1383{
1384 struct sock *parent = bt_sk(sk)->parent;
b4450035 1385 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1da177e4
LT		 1386
1387 BT_DBG("sk %p, parent %p", sk, parent);
1388
b4450035 1389 chan->conf_state = 0;
1da177e4
LT		 1390 l2cap_sock_clear_timer(sk);
1391
1392 if (!parent) {
1393 /* Outgoing channel.
1394 * Wake up socket sleeping on connect.
1395 */
1396 sk->sk_state = BT_CONNECTED;
1397 sk->sk_state_change(sk);
1398 } else {
1399 /* Incoming channel.
1400 * Wake up socket sleeping on accept.
1401 */
1402 parent->sk_data_ready(parent, 0);
1403 }
1404}
1405
1406/* Copy frame to all raw sockets on that connection */
1407static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
1408{
1da177e4 1409 struct sk_buff *nskb;
48454079 1410 struct l2cap_chan *chan;
1da177e4
LT		 1411
1412 BT_DBG("conn %p", conn);
1413
baa7e1fa
GP		 1414 read_lock(&conn->chan_lock);
1415 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 1416 struct sock *sk = chan->sk;
1da177e4
LT		 1417 if (sk->sk_type != SOCK_RAW)
1418 continue;
1419
1420 /* Don't send frame to the socket it came from */
1421 if (skb->sk == sk)
1422 continue;
af05b30b
GP		 1423 nskb = skb_clone(skb, GFP_ATOMIC);
1424 if (!nskb)
1da177e4
LT		 1425 continue;
1426
1427 if (sock_queue_rcv_skb(sk, nskb))
1428 kfree_skb(nskb);
1429 }
baa7e1fa 1430 read_unlock(&conn->chan_lock);
1da177e4
LT		 1431}
1432
1433/* ---- L2CAP signalling commands ---- */
1434static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
1435 u8 code, u8 ident, u16 dlen, void *data)
1436{
1437 struct sk_buff *skb, **frag;
1438 struct l2cap_cmd_hdr *cmd;
1439 struct l2cap_hdr *lh;
1440 int len, count;
1441
af05b30b
GP		 1442 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
1443 conn, code, ident, dlen);
1da177e4
LT		 1444
1445 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
1446 count = min_t(unsigned int, conn->mtu, len);
1447
1448 skb = bt_skb_alloc(count, GFP_ATOMIC);
1449 if (!skb)
1450 return NULL;
1451
1452 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 1453 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 1454
1455 if (conn->hcon->type == LE_LINK)
1456 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
1457 else
1458 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 1459
1460 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
1461 cmd->code = code;
1462 cmd->ident = ident;
aca3192c 1463 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 1464
1465 if (dlen) {
1466 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
1467 memcpy(skb_put(skb, count), data, count);
1468 data += count;
1469 }
1470
1471 len -= skb->len;
1472
1473 /* Continuation fragments (no L2CAP header) */
1474 frag = &skb_shinfo(skb)->frag_list;
1475 while (len) {
1476 count = min_t(unsigned int, conn->mtu, len);
1477
1478 *frag = bt_skb_alloc(count, GFP_ATOMIC);
1479 if (!*frag)
1480 goto fail;
1481
1482 memcpy(skb_put(*frag, count), data, count);
1483
1484 len -= count;
1485 data += count;
1486
1487 frag = &(*frag)->next;
1488 }
1489
1490 return skb;
1491
1492fail:
1493 kfree_skb(skb);
1494 return NULL;
1495}
1496
1497static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
1498{
1499 struct l2cap_conf_opt *opt = *ptr;
1500 int len;
1501
1502 len = L2CAP_CONF_OPT_SIZE + opt->len;
1503 *ptr += len;
1504
1505 *type = opt->type;
1506 *olen = opt->len;
1507
1508 switch (opt->len) {
1509 case 1:
1510 *val = *((u8 *) opt->val);
1511 break;
1512
1513 case 2:
bfaaeb3e 1514 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 1515 break;
1516
1517 case 4:
bfaaeb3e 1518 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 1519 break;
1520
1521 default:
1522 *val = (unsigned long) opt->val;
1523 break;
1524 }
1525
1526 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
1527 return len;
1528}
1529
1da177e4
LT		 1530static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
1531{
1532 struct l2cap_conf_opt *opt = *ptr;
1533
1534 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
1535
1536 opt->type = type;
1537 opt->len = len;
1538
1539 switch (len) {
1540 case 1:
1541 *((u8 *) opt->val) = val;
1542 break;
1543
1544 case 2:
4f8b691c 1545 put_unaligned_le16(val, opt->val);
1da177e4
LT		 1546 break;
1547
1548 case 4:
4f8b691c 1549 put_unaligned_le32(val, opt->val);
1da177e4
LT		 1550 break;
1551
1552 default:
1553 memcpy(opt->val, (void *) val, len);
1554 break;
1555 }
1556
1557 *ptr += L2CAP_CONF_OPT_SIZE + len;
1558}
1559
c1b4f43b
GP		 1560static void l2cap_ack_timeout(unsigned long arg)
1561{
525cd185 1562 struct l2cap_chan *chan = (void *) arg;
c1b4f43b 1563
525cd185
GP		 1564 bh_lock_sock(chan->sk);
1565 l2cap_send_ack(chan);
1566 bh_unlock_sock(chan->sk);
c1b4f43b
GP		 1567}
1568
525cd185 1569static inline void l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 1570{
525cd185
GP		 1571 struct sock *sk = chan->sk;
1572
42e5c802 1573 chan->expected_ack_seq = 0;
6a026610 1574 chan->unacked_frames = 0;
42e5c802 1575 chan->buffer_seq = 0;
6a026610
GP		 1576 chan->num_acked = 0;
1577 chan->frames_sent = 0;
0565c1c2 1578
e92c8e70
GP		 1579 setup_timer(&chan->retrans_timer, l2cap_retrans_timeout,
1580 (unsigned long) chan);
1581 setup_timer(&chan->monitor_timer, l2cap_monitor_timeout,
1582 (unsigned long) chan);
1583 setup_timer(&chan->ack_timer, l2cap_ack_timeout, (unsigned long) chan);
0565c1c2 1584
f1c6775b
GP		 1585 skb_queue_head_init(&chan->srej_q);
1586 skb_queue_head_init(&chan->busy_q);
1890d36b 1587
39d5a3ee
GP		 1588 INIT_LIST_HEAD(&chan->srej_l);
1589
311bb895 1590 INIT_WORK(&chan->busy_work, l2cap_busy_work);
218bb9df
GP		 1591
1592 sk->sk_backlog_rcv = l2cap_ertm_data_rcv;
0565c1c2
GP		 1593}
1594
f2fcfcd6
GP		 1595static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
1596{
1597 switch (mode) {
1598 case L2CAP_MODE_STREAMING:
1599 case L2CAP_MODE_ERTM:
1600 if (l2cap_mode_supported(mode, remote_feat_mask))
1601 return mode;
1602 /* fall through */
1603 default:
1604 return L2CAP_MODE_BASIC;
1605 }
1606}
1607
710f9b0a 1608static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 1609{
49208c9c 1610 struct l2cap_pinfo *pi = l2cap_pi(chan->sk);
1da177e4 1611 struct l2cap_conf_req *req = data;
0c1bc5c6 1612 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4
LT		 1613 void *ptr = req->data;
1614
49208c9c 1615 BT_DBG("chan %p", chan);
1da177e4 1616
73ffa904 1617 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 1618 goto done;
1619
0c1bc5c6 1620 switch (chan->mode) {
f2fcfcd6
GP		 1621 case L2CAP_MODE_STREAMING:
1622 case L2CAP_MODE_ERTM:
b4450035 1623 if (chan->conf_state & L2CAP_CONF_STATE2_DEVICE)
85eb53c6 1624 break;
85eb53c6 1625
2ba13ed6 1626 /* fall through */
f2fcfcd6 1627 default:
0c1bc5c6 1628 chan->mode = l2cap_select_mode(rfc.mode, pi->conn->feat_mask);
f2fcfcd6
GP		 1629 break;
1630 }
1631
1632done:
0c1bc5c6
GP		 1633 if (chan->imtu != L2CAP_DEFAULT_MTU)
1634 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 1635
0c1bc5c6 1636 switch (chan->mode) {
65c7c491 1637 case L2CAP_MODE_BASIC:
63406504
GP		 1638 if (!(pi->conn->feat_mask & L2CAP_FEAT_ERTM) &&
1639 !(pi->conn->feat_mask & L2CAP_FEAT_STREAMING))
1640 break;
1641
62547752
GP		 1642 rfc.mode = L2CAP_MODE_BASIC;
1643 rfc.txwin_size = 0;
1644 rfc.max_transmit = 0;
1645 rfc.retrans_timeout = 0;
1646 rfc.monitor_timeout = 0;
1647 rfc.max_pdu_size = 0;
1648
63406504
GP		 1649 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
1650 (unsigned long) &rfc);
65c7c491
MH		 1651 break;
1652
1653 case L2CAP_MODE_ERTM:
1654 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61
GP		 1655 rfc.txwin_size = chan->tx_win;
1656 rfc.max_transmit = chan->max_tx;
f2fcfcd6
GP		 1657 rfc.retrans_timeout = 0;
1658 rfc.monitor_timeout = 0;
c74e560c 1659 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
d1daa091 1660 if (L2CAP_DEFAULT_MAX_PDU_SIZE > pi->conn->mtu - 10)
1c762159 1661 rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10);
f2fcfcd6 1662
63406504
GP		 1663 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
1664 (unsigned long) &rfc);
1665
fcc203c3
GP		 1666 if (!(pi->conn->feat_mask & L2CAP_FEAT_FCS))
1667 break;
1668
47d1ec61 1669 if (chan->fcs == L2CAP_FCS_NONE ||
b4450035 1670 chan->conf_state & L2CAP_CONF_NO_FCS_RECV) {
47d1ec61
GP		 1671 chan->fcs = L2CAP_FCS_NONE;
1672 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 1673 }
f2fcfcd6
GP		 1674 break;
1675
1676 case L2CAP_MODE_STREAMING:
1677 rfc.mode = L2CAP_MODE_STREAMING;
1678 rfc.txwin_size = 0;
1679 rfc.max_transmit = 0;
1680 rfc.retrans_timeout = 0;
1681 rfc.monitor_timeout = 0;
c74e560c 1682 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
d1daa091 1683 if (L2CAP_DEFAULT_MAX_PDU_SIZE > pi->conn->mtu - 10)
1c762159 1684 rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10);
65c7c491 1685
63406504
GP		 1686 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
1687 (unsigned long) &rfc);
1688
fcc203c3
GP		 1689 if (!(pi->conn->feat_mask & L2CAP_FEAT_FCS))
1690 break;
1691
47d1ec61 1692 if (chan->fcs == L2CAP_FCS_NONE ||
b4450035 1693 chan->conf_state & L2CAP_CONF_NO_FCS_RECV) {
47d1ec61
GP		 1694 chan->fcs = L2CAP_FCS_NONE;
1695 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 1696 }
65c7c491
MH		 1697 break;
1698 }
1da177e4 1699
aca3192c
YH		 1700 req->dcid = cpu_to_le16(pi->dcid);
1701 req->flags = cpu_to_le16(0);
1da177e4
LT		 1702
1703 return ptr - data;
1704}
1705
73ffa904 1706static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 1707{
73ffa904 1708 struct l2cap_pinfo *pi = l2cap_pi(chan->sk);
5dee9e7c
MH		 1709 struct l2cap_conf_rsp *rsp = data;
1710 void *ptr = rsp->data;
73ffa904
GP		 1711 void *req = chan->conf_req;
1712 int len = chan->conf_len;
5dee9e7c
MH		 1713 int type, hint, olen;
1714 unsigned long val;
6464f35f 1715 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
861d6882 1716 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 1717 u16 result = L2CAP_CONF_SUCCESS;
1da177e4 1718
73ffa904 1719 BT_DBG("chan %p", chan);
820ae1b8 1720
5dee9e7c
MH		 1721 while (len >= L2CAP_CONF_OPT_SIZE) {
1722 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 1723
589d2746 1724 hint = type & L2CAP_CONF_HINT;
47ec1dcd 1725 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 1726
1727 switch (type) {
1728 case L2CAP_CONF_MTU:
861d6882 1729 mtu = val;
5dee9e7c
MH		 1730 break;
1731
1732 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 1733 chan->flush_to = val;
5dee9e7c
MH		 1734 break;
1735
1736 case L2CAP_CONF_QOS:
1737 break;
1738
6464f35f
MH		 1739 case L2CAP_CONF_RFC:
1740 if (olen == sizeof(rfc))
1741 memcpy(&rfc, (void *) val, olen);
1742 break;
1743
fcc203c3
GP		 1744 case L2CAP_CONF_FCS:
1745 if (val == L2CAP_FCS_NONE)
b4450035 1746 chan->conf_state |= L2CAP_CONF_NO_FCS_RECV;
fcc203c3
GP		 1747
1748 break;
1749
5dee9e7c
MH		 1750 default:
1751 if (hint)
1752 break;
1753
1754 result = L2CAP_CONF_UNKNOWN;
1755 *((u8 *) ptr++) = type;
1756 break;
1757 }
1758 }
1759
73ffa904 1760 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 1761 goto done;
1762
0c1bc5c6 1763 switch (chan->mode) {
f2fcfcd6
GP		 1764 case L2CAP_MODE_STREAMING:
1765 case L2CAP_MODE_ERTM:
b4450035 1766 if (!(chan->conf_state & L2CAP_CONF_STATE2_DEVICE)) {
0c1bc5c6 1767 chan->mode = l2cap_select_mode(rfc.mode,
85eb53c6
GP		 1768 pi->conn->feat_mask);
1769 break;
1770 }
1771
0c1bc5c6 1772 if (chan->mode != rfc.mode)
f2fcfcd6 1773 return -ECONNREFUSED;
742e519b 1774
f2fcfcd6 1775 break;
f2fcfcd6
GP		 1776 }
1777
1778done:
0c1bc5c6 1779 if (chan->mode != rfc.mode) {
f2fcfcd6 1780 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 1781 rfc.mode = chan->mode;
f2fcfcd6 1782
73ffa904 1783 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 1784 return -ECONNREFUSED;
1785
1786 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
1787 sizeof(rfc), (unsigned long) &rfc);
1788 }
1789
1790
5dee9e7c
MH		 1791 if (result == L2CAP_CONF_SUCCESS) {
1792 /* Configure output options and let the other side know
1793 * which ones we don't like. */
1794
f2fcfcd6
GP		 1795 if (mtu < L2CAP_DEFAULT_MIN_MTU)
1796 result = L2CAP_CONF_UNACCEPT;
1797 else {
0c1bc5c6 1798 chan->omtu = mtu;
b4450035 1799 chan->conf_state |= L2CAP_CONF_MTU_DONE;
f2fcfcd6 1800 }
0c1bc5c6 1801 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 1802
f2fcfcd6
GP		 1803 switch (rfc.mode) {
1804 case L2CAP_MODE_BASIC:
47d1ec61 1805 chan->fcs = L2CAP_FCS_NONE;
b4450035 1806 chan->conf_state |= L2CAP_CONF_MODE_DONE;
f2fcfcd6
GP		 1807 break;
1808
1809 case L2CAP_MODE_ERTM:
2c03a7a4
GP		 1810 chan->remote_tx_win = rfc.txwin_size;
1811 chan->remote_max_tx = rfc.max_transmit;
86b1b263
MM		 1812
1813 if (le16_to_cpu(rfc.max_pdu_size) > pi->conn->mtu - 10)
1814 rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10);
1c762159 1815
2c03a7a4 1816 chan->remote_mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6 1817
10467e9e
GP		 1818 rfc.retrans_timeout =
1819 le16_to_cpu(L2CAP_DEFAULT_RETRANS_TO);
1820 rfc.monitor_timeout =
1821 le16_to_cpu(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6 1822
b4450035 1823 chan->conf_state |= L2CAP_CONF_MODE_DONE;
68ae6639
GP		 1824
1825 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
1826 sizeof(rfc), (unsigned long) &rfc);
1827
f2fcfcd6
GP		 1828 break;
1829
1830 case L2CAP_MODE_STREAMING:
86b1b263
MM		 1831 if (le16_to_cpu(rfc.max_pdu_size) > pi->conn->mtu - 10)
1832 rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10);
1c762159 1833
2c03a7a4 1834 chan->remote_mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6 1835
b4450035 1836 chan->conf_state |= L2CAP_CONF_MODE_DONE;
68ae6639
GP		 1837
1838 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
1839 sizeof(rfc), (unsigned long) &rfc);
1840
f2fcfcd6
GP		 1841 break;
1842
1843 default:
5dee9e7c 1844 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 1845
6464f35f 1846 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 1847 rfc.mode = chan->mode;
f2fcfcd6 1848 }
6464f35f 1849
f2fcfcd6 1850 if (result == L2CAP_CONF_SUCCESS)
b4450035 1851 chan->conf_state |= L2CAP_CONF_OUTPUT_DONE;
f2fcfcd6 1852 }
5dee9e7c
MH		 1853 rsp->scid = cpu_to_le16(pi->dcid);
1854 rsp->result = cpu_to_le16(result);
1855 rsp->flags = cpu_to_le16(0x0000);
1856
1857 return ptr - data;
1da177e4
LT		 1858}
1859
b4450035 1860static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
f2fcfcd6 1861{
b4450035 1862 struct sock *sk = chan->sk;
f2fcfcd6
GP		 1863 struct l2cap_pinfo *pi = l2cap_pi(sk);
1864 struct l2cap_conf_req *req = data;
1865 void *ptr = req->data;
1866 int type, olen;
1867 unsigned long val;
1868 struct l2cap_conf_rfc rfc;
1869
1870 BT_DBG("sk %p, rsp %p, len %d, req %p", sk, rsp, len, data);
1871
1872 while (len >= L2CAP_CONF_OPT_SIZE) {
1873 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
1874
1875 switch (type) {
1876 case L2CAP_CONF_MTU:
1877 if (val < L2CAP_DEFAULT_MIN_MTU) {
1878 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 1879 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 1880 } else
0c1bc5c6
GP		 1881 chan->imtu = val;
1882 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 1883 break;
1884
1885 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 1886 chan->flush_to = val;
f2fcfcd6 1887 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
0c1bc5c6 1888 2, chan->flush_to);
f2fcfcd6
GP		 1889 break;
1890
1891 case L2CAP_CONF_RFC:
1892 if (olen == sizeof(rfc))
1893 memcpy(&rfc, (void *)val, olen);
1894
b4450035 1895 if ((chan->conf_state & L2CAP_CONF_STATE2_DEVICE) &&
0c1bc5c6 1896 rfc.mode != chan->mode)
f2fcfcd6
GP		 1897 return -ECONNREFUSED;
1898
47d1ec61 1899 chan->fcs = 0;
f2fcfcd6
GP		 1900
1901 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
1902 sizeof(rfc), (unsigned long) &rfc);
1903 break;
1904 }
1905 }
1906
0c1bc5c6 1907 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 1908 return -ECONNREFUSED;
1909
0c1bc5c6 1910 chan->mode = rfc.mode;
6c2ea7a8 1911
f2fcfcd6
GP		 1912 if (*result == L2CAP_CONF_SUCCESS) {
1913 switch (rfc.mode) {
1914 case L2CAP_MODE_ERTM:
47d1ec61
GP		 1915 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
1916 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
1917 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 1918 break;
1919 case L2CAP_MODE_STREAMING:
47d1ec61 1920 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 1921 }
1922 }
1923
1924 req->dcid = cpu_to_le16(pi->dcid);
1925 req->flags = cpu_to_le16(0x0000);
1926
1927 return ptr - data;
1928}
1929
5dee9e7c 1930static int l2cap_build_conf_rsp(struct sock *sk, void *data, u16 result, u16 flags)
1da177e4
LT		 1931{
1932 struct l2cap_conf_rsp *rsp = data;
1933 void *ptr = rsp->data;
1da177e4 1934
5dee9e7c 1935 BT_DBG("sk %p", sk);
1da177e4 1936
aca3192c 1937 rsp->scid = cpu_to_le16(l2cap_pi(sk)->dcid);
5dee9e7c 1938 rsp->result = cpu_to_le16(result);
aca3192c 1939 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 1940
1941 return ptr - data;
1942}
1943
710f9b0a
GP		 1944void __l2cap_connect_rsp_defer(struct sock *sk)
1945{
1946 struct l2cap_conn_rsp rsp;
1947 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1948 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1949 u8 buf[128];
1950
1951 sk->sk_state = BT_CONFIG;
1952
1953 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
1954 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
1955 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1956 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1957 l2cap_send_cmd(conn, chan->ident,
1958 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
1959
b4450035 1960 if (chan->conf_state & L2CAP_CONF_REQ_SENT)
710f9b0a
GP		 1961 return;
1962
b4450035 1963 chan->conf_state |= L2CAP_CONF_REQ_SENT;
710f9b0a
GP		 1964 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
1965 l2cap_build_conf_req(chan, buf), buf);
1966 chan->num_conf_req++;
1967}
1968
47d1ec61 1969static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 1970{
7b1c0049
GP		 1971 int type, olen;
1972 unsigned long val;
1973 struct l2cap_conf_rfc rfc;
1974
47d1ec61 1975 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 1976
0c1bc5c6 1977 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 1978 return;
1979
1980 while (len >= L2CAP_CONF_OPT_SIZE) {
1981 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
1982
1983 switch (type) {
1984 case L2CAP_CONF_RFC:
1985 if (olen == sizeof(rfc))
1986 memcpy(&rfc, (void *)val, olen);
1987 goto done;
1988 }
1989 }
1990
1991done:
1992 switch (rfc.mode) {
1993 case L2CAP_MODE_ERTM:
47d1ec61
GP		 1994 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
1995 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
1996 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 1997 break;
1998 case L2CAP_MODE_STREAMING:
47d1ec61 1999 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2000 }
2001}
2002
4e8402a3
MH		 2003static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2004{
2005 struct l2cap_cmd_rej *rej = (struct l2cap_cmd_rej *) data;
2006
2007 if (rej->reason != 0x0000)
2008 return 0;
2009
2010 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2011 cmd->ident == conn->info_ident) {
4e8402a3 2012 del_timer(&conn->info_timer);
984947dc
MH		 2013
2014 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2015 conn->info_ident = 0;
984947dc 2016
4e8402a3
MH		 2017 l2cap_conn_start(conn);
2018 }
2019
2020 return 0;
2021}
2022
1da177e4
LT		 2023static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2024{
1da177e4
LT		 2025 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
2026 struct l2cap_conn_rsp rsp;
73ffa904 2027 struct l2cap_chan *chan = NULL;
d793fe8c 2028 struct sock *parent, *sk = NULL;
e7c29cb1 2029 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2030
2031 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 2032 __le16 psm = req->psm;
1da177e4
LT		 2033
2034 BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
2035
2036 /* Check if we have socket listening on psm */
2037 parent = l2cap_get_sock_by_psm(BT_LISTEN, psm, conn->src);
2038 if (!parent) {
2039 result = L2CAP_CR_BAD_PSM;
2040 goto sendresp;
2041 }
2042
e0f0cb56
GP		 2043 bh_lock_sock(parent);
2044
e7c29cb1
MH		 2045 /* Check if the ACL is secure enough (if not SDP) */
2046 if (psm != cpu_to_le16(0x0001) &&
2047 !hci_conn_check_link_mode(conn->hcon)) {
2950f21a 2048 conn->disc_reason = 0x05;
e7c29cb1
MH		 2049 result = L2CAP_CR_SEC_BLOCK;
2050 goto response;
2051 }
2052
1da177e4
LT		 2053 result = L2CAP_CR_NO_MEM;
2054
2055 /* Check for backlog size */
2056 if (sk_acceptq_is_full(parent)) {
8e87d142 2057 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1da177e4
LT		 2058 goto response;
2059 }
2060
3b1e0a65 2061 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP, GFP_ATOMIC);
1da177e4
LT		 2062 if (!sk)
2063 goto response;
2064
48454079
GP		 2065 chan = l2cap_chan_alloc(sk);
2066 if (!chan) {
2067 l2cap_sock_kill(sk);
2068 goto response;
2069 }
2070
5d41ce1d
GP		 2071 l2cap_pi(sk)->chan = chan;
2072
baa7e1fa 2073 write_lock_bh(&conn->chan_lock);
1da177e4
LT		 2074
2075 /* Check if we already have channel with that dcid */
baa7e1fa
GP		 2076 if (__l2cap_get_chan_by_dcid(conn, scid)) {
2077 write_unlock_bh(&conn->chan_lock);
1da177e4
LT		 2078 sock_set_flag(sk, SOCK_ZAPPED);
2079 l2cap_sock_kill(sk);
2080 goto response;
2081 }
2082
2083 hci_conn_hold(conn->hcon);
2084
2085 l2cap_sock_init(sk, parent);
2086 bacpy(&bt_sk(sk)->src, conn->src);
2087 bacpy(&bt_sk(sk)->dst, conn->dst);
2088 l2cap_pi(sk)->psm = psm;
2089 l2cap_pi(sk)->dcid = scid;
2090
d1010240
GP		 2091 bt_accept_enqueue(parent, sk);
2092
48454079
GP		 2093 __l2cap_chan_add(conn, chan);
2094
1da177e4
LT		 2095 dcid = l2cap_pi(sk)->scid;
2096
2097 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
2098
fc7f8a7e 2099 chan->ident = cmd->ident;
1da177e4 2100
984947dc 2101 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
4343478f 2102 if (l2cap_check_security(chan)) {
f66dc81f
MH		 2103 if (bt_sk(sk)->defer_setup) {
2104 sk->sk_state = BT_CONNECT2;
2105 result = L2CAP_CR_PEND;
2106 status = L2CAP_CS_AUTHOR_PEND;
2107 parent->sk_data_ready(parent, 0);
2108 } else {
2109 sk->sk_state = BT_CONFIG;
2110 result = L2CAP_CR_SUCCESS;
2111 status = L2CAP_CS_NO_INFO;
2112 }
79d554a6
MH		 2113 } else {
2114 sk->sk_state = BT_CONNECT2;
2115 result = L2CAP_CR_PEND;
2116 status = L2CAP_CS_AUTHEN_PEND;
2117 }
2118 } else {
2119 sk->sk_state = BT_CONNECT2;
2120 result = L2CAP_CR_PEND;
2121 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2122 }
2123
baa7e1fa 2124 write_unlock_bh(&conn->chan_lock);
1da177e4
LT		 2125
2126response:
2127 bh_unlock_sock(parent);
2128
2129sendresp:
aca3192c
YH		 2130 rsp.scid = cpu_to_le16(scid);
2131 rsp.dcid = cpu_to_le16(dcid);
2132 rsp.result = cpu_to_le16(result);
2133 rsp.status = cpu_to_le16(status);
1da177e4 2134 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 2135
2136 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
2137 struct l2cap_info_req info;
2138 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2139
2140 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
2141 conn->info_ident = l2cap_get_ident(conn);
2142
2143 mod_timer(&conn->info_timer, jiffies +
2144 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
2145
2146 l2cap_send_cmd(conn, conn->info_ident,
2147 L2CAP_INFO_REQ, sizeof(info), &info);
2148 }
2149
b4450035 2150 if (chan && !(chan->conf_state & L2CAP_CONF_REQ_SENT) &&
e9aeb2dd
GP		 2151 result == L2CAP_CR_SUCCESS) {
2152 u8 buf[128];
b4450035 2153 chan->conf_state |= L2CAP_CONF_REQ_SENT;
e9aeb2dd 2154 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2155 l2cap_build_conf_req(chan, buf), buf);
2156 chan->num_conf_req++;
e9aeb2dd
GP		 2157 }
2158
1da177e4
LT		 2159 return 0;
2160}
2161
2162static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2163{
2164 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
2165 u16 scid, dcid, result, status;
48454079 2166 struct l2cap_chan *chan;
1da177e4
LT		 2167 struct sock *sk;
2168 u8 req[128];
2169
2170 scid = __le16_to_cpu(rsp->scid);
2171 dcid = __le16_to_cpu(rsp->dcid);
2172 result = __le16_to_cpu(rsp->result);
2173 status = __le16_to_cpu(rsp->status);
2174
2175 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status);
2176
2177 if (scid) {
baa7e1fa 2178 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2179 if (!chan)
57d3b22b 2180 return -EFAULT;
1da177e4 2181 } else {
baa7e1fa 2182 chan = l2cap_get_chan_by_ident(conn, cmd->ident);
48454079 2183 if (!chan)
57d3b22b 2184 return -EFAULT;
1da177e4
LT		 2185 }
2186
48454079
GP		 2187 sk = chan->sk;
2188
1da177e4
LT		 2189 switch (result) {
2190 case L2CAP_CR_SUCCESS:
2191 sk->sk_state = BT_CONFIG;
fc7f8a7e 2192 chan->ident = 0;
1da177e4 2193 l2cap_pi(sk)->dcid = dcid;
b4450035 2194 chan->conf_state &= ~L2CAP_CONF_CONNECT_PEND;
6a8d3010 2195
b4450035 2196 if (chan->conf_state & L2CAP_CONF_REQ_SENT)
e9aeb2dd
GP		 2197 break;
2198
b4450035 2199 chan->conf_state |= L2CAP_CONF_REQ_SENT;
e9aeb2dd 2200
1da177e4 2201 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2202 l2cap_build_conf_req(chan, req), req);
2203 chan->num_conf_req++;
1da177e4
LT		 2204 break;
2205
2206 case L2CAP_CR_PEND:
b4450035 2207 chan->conf_state |= L2CAP_CONF_CONNECT_PEND;
1da177e4
LT		 2208 break;
2209
2210 default:
a49184c2
AE		 2211 /* don't delete l2cap channel if sk is owned by user */
2212 if (sock_owned_by_user(sk)) {
2213 sk->sk_state = BT_DISCONN;
2214 l2cap_sock_clear_timer(sk);
2215 l2cap_sock_set_timer(sk, HZ / 5);
2216 break;
2217 }
2218
48454079 2219 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 2220 break;
2221 }
2222
2223 bh_unlock_sock(sk);
2224 return 0;
2225}
2226
47d1ec61 2227static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60 2228{
47d1ec61
GP		 2229 struct l2cap_pinfo *pi = l2cap_pi(chan->sk);
2230
8c462b60
MM		 2231 /* FCS is enabled only in ERTM or streaming mode, if one or both
2232 * sides request it.
2233 */
0c1bc5c6 2234 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 2235 chan->fcs = L2CAP_FCS_NONE;
b4450035 2236 else if (!(pi->chan->conf_state & L2CAP_CONF_NO_FCS_RECV))
47d1ec61 2237 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 2238}
2239
88219a0f 2240static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 2241{
2242 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
2243 u16 dcid, flags;
2244 u8 rsp[64];
48454079 2245 struct l2cap_chan *chan;
1da177e4 2246 struct sock *sk;
5dee9e7c 2247 int len;
1da177e4
LT		 2248
2249 dcid = __le16_to_cpu(req->dcid);
2250 flags = __le16_to_cpu(req->flags);
2251
2252 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
2253
baa7e1fa 2254 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 2255 if (!chan)
1da177e4
LT		 2256 return -ENOENT;
2257
48454079
GP		 2258 sk = chan->sk;
2259
df6bd743
GP		 2260 if (sk->sk_state != BT_CONFIG) {
2261 struct l2cap_cmd_rej rej;
2262
2263 rej.reason = cpu_to_le16(0x0002);
2264 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
2265 sizeof(rej), &rej);
354f60a9 2266 goto unlock;
df6bd743 2267 }
354f60a9 2268
5dee9e7c 2269 /* Reject if config buffer is too small. */
88219a0f 2270 len = cmd_len - sizeof(*req);
73ffa904 2271 if (chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c
MH		 2272 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2273 l2cap_build_conf_rsp(sk, rsp,
2274 L2CAP_CONF_REJECT, flags), rsp);
2275 goto unlock;
2276 }
2277
2278 /* Store config. */
73ffa904
GP		 2279 memcpy(chan->conf_req + chan->conf_len, req->data, len);
2280 chan->conf_len += len;
1da177e4
LT		 2281
2282 if (flags & 0x0001) {
2283 /* Incomplete config. Send empty response. */
2284 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
5dee9e7c
MH		 2285 l2cap_build_conf_rsp(sk, rsp,
2286 L2CAP_CONF_SUCCESS, 0x0001), rsp);
1da177e4
LT		 2287 goto unlock;
2288 }
2289
2290 /* Complete config. */
73ffa904 2291 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 2292 if (len < 0) {
e92c8e70 2293 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4 2294 goto unlock;
f2fcfcd6 2295 }
1da177e4 2296
5dee9e7c 2297 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 2298 chan->num_conf_rsp++;
5dee9e7c 2299
5dee9e7c 2300 /* Reset config buffer. */
73ffa904 2301 chan->conf_len = 0;
5dee9e7c 2302
b4450035 2303 if (!(chan->conf_state & L2CAP_CONF_OUTPUT_DONE))
876d9484
MH		 2304 goto unlock;
2305
b4450035 2306 if (chan->conf_state & L2CAP_CONF_INPUT_DONE) {
47d1ec61 2307 set_default_fcs(chan);
fcc203c3 2308
1da177e4 2309 sk->sk_state = BT_CONNECTED;
e90bac06 2310
42e5c802
GP		 2311 chan->next_tx_seq = 0;
2312 chan->expected_tx_seq = 0;
58d35f87 2313 skb_queue_head_init(&chan->tx_q);
0c1bc5c6 2314 if (chan->mode == L2CAP_MODE_ERTM)
525cd185 2315 l2cap_ertm_init(chan);
0565c1c2 2316
1da177e4 2317 l2cap_chan_ready(sk);
876d9484
MH		 2318 goto unlock;
2319 }
2320
b4450035 2321 if (!(chan->conf_state & L2CAP_CONF_REQ_SENT)) {
79d554a6 2322 u8 buf[64];
b4450035 2323 chan->conf_state |= L2CAP_CONF_REQ_SENT;
1da177e4 2324 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2325 l2cap_build_conf_req(chan, buf), buf);
2326 chan->num_conf_req++;
1da177e4
LT		 2327 }
2328
2329unlock:
2330 bh_unlock_sock(sk);
2331 return 0;
2332}
2333
2334static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2335{
2336 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
2337 u16 scid, flags, result;
48454079 2338 struct l2cap_chan *chan;
1da177e4 2339 struct sock *sk;
7b1c0049 2340 int len = cmd->len - sizeof(*rsp);
1da177e4
LT		 2341
2342 scid = __le16_to_cpu(rsp->scid);
2343 flags = __le16_to_cpu(rsp->flags);
2344 result = __le16_to_cpu(rsp->result);
2345
af05b30b
GP		 2346 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x",
2347 scid, flags, result);
1da177e4 2348
baa7e1fa 2349 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2350 if (!chan)
1da177e4
LT		 2351 return 0;
2352
48454079
GP		 2353 sk = chan->sk;
2354
1da177e4
LT		 2355 switch (result) {
2356 case L2CAP_CONF_SUCCESS:
47d1ec61 2357 l2cap_conf_rfc_get(chan, rsp->data, len);
1da177e4
LT		 2358 break;
2359
2360 case L2CAP_CONF_UNACCEPT:
73ffa904 2361 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 2362 char req[64];
2363
c2c77ec8 2364 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
e92c8e70 2365 l2cap_send_disconn_req(conn, chan, ECONNRESET);
c2c77ec8
AE		 2366 goto done;
2367 }
2368
f2fcfcd6
GP		 2369 /* throw out any old stored conf requests */
2370 result = L2CAP_CONF_SUCCESS;
b4450035
GP		 2371 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2372 req, &result);
f2fcfcd6 2373 if (len < 0) {
e92c8e70 2374 l2cap_send_disconn_req(conn, chan, ECONNRESET);
f2fcfcd6
GP		 2375 goto done;
2376 }
2377
2378 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2379 L2CAP_CONF_REQ, len, req);
73ffa904 2380 chan->num_conf_req++;
f2fcfcd6
GP		 2381 if (result != L2CAP_CONF_SUCCESS)
2382 goto done;
2383 break;
1da177e4
LT		 2384 }
2385
8e87d142 2386 default:
b1235d79 2387 sk->sk_err = ECONNRESET;
1da177e4 2388 l2cap_sock_set_timer(sk, HZ * 5);
e92c8e70 2389 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4
LT		 2390 goto done;
2391 }
2392
2393 if (flags & 0x01)
2394 goto done;
2395
b4450035 2396 chan->conf_state |= L2CAP_CONF_INPUT_DONE;
1da177e4 2397
b4450035 2398 if (chan->conf_state & L2CAP_CONF_OUTPUT_DONE) {
47d1ec61 2399 set_default_fcs(chan);
fcc203c3 2400
1da177e4 2401 sk->sk_state = BT_CONNECTED;
42e5c802
GP		 2402 chan->next_tx_seq = 0;
2403 chan->expected_tx_seq = 0;
58d35f87 2404 skb_queue_head_init(&chan->tx_q);
0c1bc5c6 2405 if (chan->mode == L2CAP_MODE_ERTM)
525cd185 2406 l2cap_ertm_init(chan);
0565c1c2 2407
1da177e4
LT		 2408 l2cap_chan_ready(sk);
2409 }
2410
2411done:
2412 bh_unlock_sock(sk);
2413 return 0;
2414}
2415
2416static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2417{
2418 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
2419 struct l2cap_disconn_rsp rsp;
2420 u16 dcid, scid;
48454079 2421 struct l2cap_chan *chan;
1da177e4
LT		 2422 struct sock *sk;
2423
2424 scid = __le16_to_cpu(req->scid);
2425 dcid = __le16_to_cpu(req->dcid);
2426
2427 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
2428
baa7e1fa 2429 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 2430 if (!chan)
1da177e4
LT		 2431 return 0;
2432
48454079
GP		 2433 sk = chan->sk;
2434
aca3192c
YH		 2435 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
2436 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
1da177e4
LT		 2437 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
2438
2439 sk->sk_shutdown = SHUTDOWN_MASK;
2440
a49184c2
AE		 2441 /* don't delete l2cap channel if sk is owned by user */
2442 if (sock_owned_by_user(sk)) {
2443 sk->sk_state = BT_DISCONN;
2444 l2cap_sock_clear_timer(sk);
2445 l2cap_sock_set_timer(sk, HZ / 5);
2446 bh_unlock_sock(sk);
2447 return 0;
2448 }
2449
48454079 2450 l2cap_chan_del(chan, ECONNRESET);
1da177e4
LT		 2451 bh_unlock_sock(sk);
2452
2453 l2cap_sock_kill(sk);
2454 return 0;
2455}
2456
2457static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2458{
2459 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
2460 u16 dcid, scid;
48454079 2461 struct l2cap_chan *chan;
1da177e4
LT		 2462 struct sock *sk;
2463
2464 scid = __le16_to_cpu(rsp->scid);
2465 dcid = __le16_to_cpu(rsp->dcid);
2466
2467 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
2468
baa7e1fa 2469 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2470 if (!chan)
1da177e4
LT		 2471 return 0;
2472
48454079
GP		 2473 sk = chan->sk;
2474
a49184c2
AE		 2475 /* don't delete l2cap channel if sk is owned by user */
2476 if (sock_owned_by_user(sk)) {
2477 sk->sk_state = BT_DISCONN;
2478 l2cap_sock_clear_timer(sk);
2479 l2cap_sock_set_timer(sk, HZ / 5);
2480 bh_unlock_sock(sk);
2481 return 0;
2482 }
2483
48454079 2484 l2cap_chan_del(chan, 0);
1da177e4
LT		 2485 bh_unlock_sock(sk);
2486
2487 l2cap_sock_kill(sk);
2488 return 0;
2489}
2490
2491static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2492{
2493 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 2494 u16 type;
2495
2496 type = __le16_to_cpu(req->type);
2497
2498 BT_DBG("type 0x%4.4x", type);
2499
f0709e03
MH		 2500 if (type == L2CAP_IT_FEAT_MASK) {
2501 u8 buf[8];
44dd46de 2502 u32 feat_mask = l2cap_feat_mask;
f0709e03
MH		 2503 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2504 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2505 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 2506 if (!disable_ertm)
fcc203c3
GP		 2507 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
2508 | L2CAP_FEAT_FCS;
1b7bf4ed 2509 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 2510 l2cap_send_cmd(conn, cmd->ident,
2511 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 2512 } else if (type == L2CAP_IT_FIXED_CHAN) {
2513 u8 buf[12];
2514 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2515 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2516 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
2517 memcpy(buf + 4, l2cap_fixed_chan, 8);
2518 l2cap_send_cmd(conn, cmd->ident,
2519 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 2520 } else {
2521 struct l2cap_info_rsp rsp;
2522 rsp.type = cpu_to_le16(type);
2523 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
2524 l2cap_send_cmd(conn, cmd->ident,
2525 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
2526 }
1da177e4
LT		 2527
2528 return 0;
2529}
2530
2531static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2532{
2533 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
2534 u16 type, result;
2535
2536 type = __le16_to_cpu(rsp->type);
2537 result = __le16_to_cpu(rsp->result);
2538
2539 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
2540
e90165be
AE		 2541 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
2542 if (cmd->ident != conn->info_ident ||
2543 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
2544 return 0;
2545
4e8402a3
MH		 2546 del_timer(&conn->info_timer);
2547
adb08ede
VT		 2548 if (result != L2CAP_IR_SUCCESS) {
2549 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2550 conn->info_ident = 0;
2551
2552 l2cap_conn_start(conn);
2553
2554 return 0;
2555 }
2556
984947dc 2557 if (type == L2CAP_IT_FEAT_MASK) {
83985319 2558 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 2559
47ec1dcd 2560 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c
MH		 2561 struct l2cap_info_req req;
2562 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2563
2564 conn->info_ident = l2cap_get_ident(conn);
2565
2566 l2cap_send_cmd(conn, conn->info_ident,
2567 L2CAP_INFO_REQ, sizeof(req), &req);
2568 } else {
2569 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2570 conn->info_ident = 0;
2571
2572 l2cap_conn_start(conn);
2573 }
2574 } else if (type == L2CAP_IT_FIXED_CHAN) {
984947dc 2575 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2576 conn->info_ident = 0;
984947dc
MH		 2577
2578 l2cap_conn_start(conn);
2579 }
4e8402a3 2580
1da177e4
LT		 2581 return 0;
2582}
2583
e2174ca4 2584static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
de73115a
CT		 2585 u16 to_multiplier)
2586{
2587 u16 max_latency;
2588
2589 if (min > max || min < 6 || max > 3200)
2590 return -EINVAL;
2591
2592 if (to_multiplier < 10 || to_multiplier > 3200)
2593 return -EINVAL;
2594
2595 if (max >= to_multiplier * 8)
2596 return -EINVAL;
2597
2598 max_latency = (to_multiplier * 8 / max) - 1;
2599 if (latency > 499 || latency > max_latency)
2600 return -EINVAL;
2601
2602 return 0;
2603}
2604
2605static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
2606 struct l2cap_cmd_hdr *cmd, u8 *data)
2607{
2608 struct hci_conn *hcon = conn->hcon;
2609 struct l2cap_conn_param_update_req *req;
2610 struct l2cap_conn_param_update_rsp rsp;
2611 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 2612 int err;
de73115a
CT		 2613
2614 if (!(hcon->link_mode & HCI_LM_MASTER))
2615 return -EINVAL;
2616
2617 cmd_len = __le16_to_cpu(cmd->len);
2618 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
2619 return -EPROTO;
2620
2621 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 2622 min = __le16_to_cpu(req->min);
2623 max = __le16_to_cpu(req->max);
de73115a
CT		 2624 latency = __le16_to_cpu(req->latency);
2625 to_multiplier = __le16_to_cpu(req->to_multiplier);
2626
2627 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
2628 min, max, latency, to_multiplier);
2629
2630 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 2631
2632 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
2633 if (err)
de73115a
CT		 2634 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
2635 else
2636 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
2637
2638 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
2639 sizeof(rsp), &rsp);
2640
2ce603eb
CT		 2641 if (!err)
2642 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
2643
de73115a
CT		 2644 return 0;
2645}
2646
3300d9a9
CT		 2647static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
2648 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
2649{
2650 int err = 0;
2651
2652 switch (cmd->code) {
2653 case L2CAP_COMMAND_REJ:
2654 l2cap_command_rej(conn, cmd, data);
2655 break;
2656
2657 case L2CAP_CONN_REQ:
2658 err = l2cap_connect_req(conn, cmd, data);
2659 break;
2660
2661 case L2CAP_CONN_RSP:
2662 err = l2cap_connect_rsp(conn, cmd, data);
2663 break;
2664
2665 case L2CAP_CONF_REQ:
2666 err = l2cap_config_req(conn, cmd, cmd_len, data);
2667 break;
2668
2669 case L2CAP_CONF_RSP:
2670 err = l2cap_config_rsp(conn, cmd, data);
2671 break;
2672
2673 case L2CAP_DISCONN_REQ:
2674 err = l2cap_disconnect_req(conn, cmd, data);
2675 break;
2676
2677 case L2CAP_DISCONN_RSP:
2678 err = l2cap_disconnect_rsp(conn, cmd, data);
2679 break;
2680
2681 case L2CAP_ECHO_REQ:
2682 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
2683 break;
2684
2685 case L2CAP_ECHO_RSP:
2686 break;
2687
2688 case L2CAP_INFO_REQ:
2689 err = l2cap_information_req(conn, cmd, data);
2690 break;
2691
2692 case L2CAP_INFO_RSP:
2693 err = l2cap_information_rsp(conn, cmd, data);
2694 break;
2695
2696 default:
2697 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
2698 err = -EINVAL;
2699 break;
2700 }
2701
2702 return err;
2703}
2704
2705static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
2706 struct l2cap_cmd_hdr *cmd, u8 *data)
2707{
2708 switch (cmd->code) {
2709 case L2CAP_COMMAND_REJ:
2710 return 0;
2711
2712 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 2713 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 2714
2715 case L2CAP_CONN_PARAM_UPDATE_RSP:
2716 return 0;
2717
2718 default:
2719 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
2720 return -EINVAL;
2721 }
2722}
2723
2724static inline void l2cap_sig_channel(struct l2cap_conn *conn,
2725 struct sk_buff *skb)
1da177e4
LT		 2726{
2727 u8 *data = skb->data;
2728 int len = skb->len;
2729 struct l2cap_cmd_hdr cmd;
3300d9a9 2730 int err;
1da177e4
LT		 2731
2732 l2cap_raw_recv(conn, skb);
2733
2734 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 2735 u16 cmd_len;
1da177e4
LT		 2736 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
2737 data += L2CAP_CMD_HDR_SIZE;
2738 len -= L2CAP_CMD_HDR_SIZE;
2739
88219a0f 2740 cmd_len = le16_to_cpu(cmd.len);
1da177e4 2741
88219a0f 2742 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 2743
88219a0f 2744 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 2745 BT_DBG("corrupted command");
2746 break;
2747 }
2748
3300d9a9
CT		 2749 if (conn->hcon->type == LE_LINK)
2750 err = l2cap_le_sig_cmd(conn, &cmd, data);
2751 else
2752 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 2753
2754 if (err) {
2755 struct l2cap_cmd_rej rej;
2c6d1a2e
GP		 2756
2757 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 2758
2759 /* FIXME: Map err to a valid reason */
aca3192c 2760 rej.reason = cpu_to_le16(0);
1da177e4
LT		 2761 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
2762 }
2763
88219a0f
AV		 2764 data += cmd_len;
2765 len -= cmd_len;
1da177e4
LT		 2766 }
2767
2768 kfree_skb(skb);
2769}
2770
47d1ec61 2771static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 2772{
2773 u16 our_fcs, rcv_fcs;
2774 int hdr_size = L2CAP_HDR_SIZE + 2;
2775
47d1ec61 2776 if (chan->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 2777 skb_trim(skb, skb->len - 2);
2778 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
2779 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
2780
2781 if (our_fcs != rcv_fcs)
7a560e5c 2782 return -EBADMSG;
fcc203c3
GP		 2783 }
2784 return 0;
2785}
2786
525cd185 2787static inline void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 2788{
d5392c8f
GP		 2789 u16 control = 0;
2790
6a026610 2791 chan->frames_sent = 0;
d5392c8f 2792
42e5c802 2793 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
d5392c8f 2794
525cd185 2795 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
64988868 2796 control |= L2CAP_SUPER_RCV_NOT_READY;
525cd185
GP		 2797 l2cap_send_sframe(chan, control);
2798 chan->conn_state |= L2CAP_CONN_RNR_SENT;
d5392c8f
GP		 2799 }
2800
525cd185
GP		 2801 if (chan->conn_state & L2CAP_CONN_REMOTE_BUSY)
2802 l2cap_retransmit_frames(chan);
d5392c8f 2803
525cd185 2804 l2cap_ertm_send(chan);
d5392c8f 2805
525cd185 2806 if (!(chan->conn_state & L2CAP_CONN_LOCAL_BUSY) &&
6a026610 2807 chan->frames_sent == 0) {
d5392c8f 2808 control |= L2CAP_SUPER_RCV_READY;
525cd185 2809 l2cap_send_sframe(chan, control);
d5392c8f
GP		 2810 }
2811}
2812
42e5c802 2813static int l2cap_add_to_srej_queue(struct l2cap_chan *chan, struct sk_buff *skb, u8 tx_seq, u8 sar)
8f17154f
GP		 2814{
2815 struct sk_buff *next_skb;
bfbacc11 2816 int tx_seq_offset, next_tx_seq_offset;
8f17154f
GP		 2817
2818 bt_cb(skb)->tx_seq = tx_seq;
2819 bt_cb(skb)->sar = sar;
2820
f1c6775b 2821 next_skb = skb_peek(&chan->srej_q);
8f17154f 2822 if (!next_skb) {
f1c6775b 2823 __skb_queue_tail(&chan->srej_q, skb);
9b53350d 2824 return 0;
8f17154f
GP		 2825 }
2826
42e5c802 2827 tx_seq_offset = (tx_seq - chan->buffer_seq) % 64;
bfbacc11
JPRV		 2828 if (tx_seq_offset < 0)
2829 tx_seq_offset += 64;
2830
8f17154f 2831 do {
9b53350d
JPRV		 2832 if (bt_cb(next_skb)->tx_seq == tx_seq)
2833 return -EINVAL;
2834
bfbacc11 2835 next_tx_seq_offset = (bt_cb(next_skb)->tx_seq -
42e5c802 2836 chan->buffer_seq) % 64;
bfbacc11
JPRV		 2837 if (next_tx_seq_offset < 0)
2838 next_tx_seq_offset += 64;
2839
2840 if (next_tx_seq_offset > tx_seq_offset) {
f1c6775b 2841 __skb_queue_before(&chan->srej_q, next_skb, skb);
9b53350d 2842 return 0;
8f17154f
GP		 2843 }
2844
f1c6775b 2845 if (skb_queue_is_last(&chan->srej_q, next_skb))
8f17154f
GP		 2846 break;
2847
f1c6775b 2848 } while ((next_skb = skb_queue_next(&chan->srej_q, next_skb)));
8f17154f 2849
f1c6775b 2850 __skb_queue_tail(&chan->srej_q, skb);
9b53350d
JPRV		 2851
2852 return 0;
8f17154f
GP		 2853}
2854
525cd185 2855static int l2cap_ertm_reassembly_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u16 control)
18778a63 2856{
525cd185 2857 struct l2cap_pinfo *pi = l2cap_pi(chan->sk);
18778a63 2858 struct sk_buff *_skb;
1890d36b 2859 int err;
18778a63
GP		 2860
2861 switch (control & L2CAP_CTRL_SAR) {
2862 case L2CAP_SDU_UNSEGMENTED:
525cd185 2863 if (chan->conn_state & L2CAP_CONN_SAR_SDU)
18778a63
GP		 2864 goto drop;
2865
525cd185 2866 err = sock_queue_rcv_skb(chan->sk, skb);
18778a63
GP		 2867 if (!err)
2868 return err;
2869
2870 break;
2871
2872 case L2CAP_SDU_START:
525cd185 2873 if (chan->conn_state & L2CAP_CONN_SAR_SDU)
18778a63
GP		 2874 goto drop;
2875
6f61fd47 2876 chan->sdu_len = get_unaligned_le16(skb->data);
18778a63 2877
0c1bc5c6 2878 if (chan->sdu_len > chan->imtu)
18778a63
GP		 2879 goto disconnect;
2880
6f61fd47
GP		 2881 chan->sdu = bt_skb_alloc(chan->sdu_len, GFP_ATOMIC);
2882 if (!chan->sdu)
1890d36b
GP		 2883 return -ENOMEM;
2884
2885 /* pull sdu_len bytes only after alloc, because of Local Busy
2886 * condition we have to be sure that this will be executed
2887 * only once, i.e., when alloc does not fail */
2888 skb_pull(skb, 2);
18778a63 2889
6f61fd47 2890 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
18778a63 2891
525cd185 2892 chan->conn_state |= L2CAP_CONN_SAR_SDU;
6f61fd47 2893 chan->partial_sdu_len = skb->len;
18778a63
GP		 2894 break;
2895
2896 case L2CAP_SDU_CONTINUE:
525cd185 2897 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
18778a63
GP		 2898 goto disconnect;
2899
6f61fd47 2900 if (!chan->sdu)
18778a63
GP		 2901 goto disconnect;
2902
6f61fd47
GP		 2903 chan->partial_sdu_len += skb->len;
2904 if (chan->partial_sdu_len > chan->sdu_len)
18778a63
GP		 2905 goto drop;
2906
6f61fd47 2907 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
4178ba46 2908
18778a63
GP		 2909 break;
2910
2911 case L2CAP_SDU_END:
525cd185 2912 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
18778a63
GP		 2913 goto disconnect;
2914
6f61fd47 2915 if (!chan->sdu)
18778a63
GP		 2916 goto disconnect;
2917
525cd185 2918 if (!(chan->conn_state & L2CAP_CONN_SAR_RETRY)) {
6f61fd47 2919 chan->partial_sdu_len += skb->len;
18778a63 2920
0c1bc5c6 2921 if (chan->partial_sdu_len > chan->imtu)
1890d36b 2922 goto drop;
18778a63 2923
6f61fd47 2924 if (chan->partial_sdu_len != chan->sdu_len)
1890d36b 2925 goto drop;
4178ba46 2926
6f61fd47 2927 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
1890d36b 2928 }
18778a63 2929
6f61fd47 2930 _skb = skb_clone(chan->sdu, GFP_ATOMIC);
1890d36b 2931 if (!_skb) {
525cd185 2932 chan->conn_state |= L2CAP_CONN_SAR_RETRY;
1890d36b
GP		 2933 return -ENOMEM;
2934 }
2935
525cd185 2936 err = sock_queue_rcv_skb(chan->sk, _skb);
1890d36b 2937 if (err < 0) {
18778a63 2938 kfree_skb(_skb);
525cd185 2939 chan->conn_state |= L2CAP_CONN_SAR_RETRY;
1890d36b
GP		 2940 return err;
2941 }
2942
525cd185
GP		 2943 chan->conn_state &= ~L2CAP_CONN_SAR_RETRY;
2944 chan->conn_state &= ~L2CAP_CONN_SAR_SDU;
18778a63 2945
6f61fd47 2946 kfree_skb(chan->sdu);
18778a63
GP		 2947 break;
2948 }
2949
2950 kfree_skb(skb);
1890d36b 2951 return 0;
18778a63
GP		 2952
2953drop:
6f61fd47
GP		 2954 kfree_skb(chan->sdu);
2955 chan->sdu = NULL;
18778a63
GP		 2956
2957disconnect:
e92c8e70 2958 l2cap_send_disconn_req(pi->conn, chan, ECONNRESET);
18778a63
GP		 2959 kfree_skb(skb);
2960 return 0;
2961}
2962
525cd185 2963static int l2cap_try_push_rx_skb(struct l2cap_chan *chan)
712132eb 2964{
712132eb
GP		 2965 struct sk_buff *skb;
2966 u16 control;
2967 int err;
2968
f1c6775b 2969 while ((skb = skb_dequeue(&chan->busy_q))) {
712132eb 2970 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
525cd185 2971 err = l2cap_ertm_reassembly_sdu(chan, skb, control);
712132eb 2972 if (err < 0) {
f1c6775b 2973 skb_queue_head(&chan->busy_q, skb);
712132eb
GP		 2974 return -EBUSY;
2975 }
2976
42e5c802 2977 chan->buffer_seq = (chan->buffer_seq + 1) % 64;
712132eb
GP		 2978 }
2979
525cd185 2980 if (!(chan->conn_state & L2CAP_CONN_RNR_SENT))
712132eb
GP		 2981 goto done;
2982
42e5c802 2983 control = chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
712132eb 2984 control |= L2CAP_SUPER_RCV_READY | L2CAP_CTRL_POLL;
525cd185 2985 l2cap_send_sframe(chan, control);
6a026610 2986 chan->retry_count = 1;
712132eb 2987
e92c8e70 2988 del_timer(&chan->retrans_timer);
712132eb
GP		 2989 __mod_monitor_timer();
2990
525cd185 2991 chan->conn_state |= L2CAP_CONN_WAIT_F;
712132eb
GP		 2992
2993done:
525cd185
GP		 2994 chan->conn_state &= ~L2CAP_CONN_LOCAL_BUSY;
2995 chan->conn_state &= ~L2CAP_CONN_RNR_SENT;
712132eb 2996
49208c9c 2997 BT_DBG("chan %p, Exit local busy", chan);
712132eb
GP		 2998
2999 return 0;
3000}
3001
1890d36b
GP		 3002static void l2cap_busy_work(struct work_struct *work)
3003{
3004 DECLARE_WAITQUEUE(wait, current);
311bb895
GP		 3005 struct l2cap_chan *chan =
3006 container_of(work, struct l2cap_chan, busy_work);
3007 struct sock *sk = chan->sk;
1890d36b
GP		 3008 int n_tries = 0, timeo = HZ/5, err;
3009 struct sk_buff *skb;
1890d36b
GP		 3010
3011 lock_sock(sk);
3012
2b0b05dd 3013 add_wait_queue(sk_sleep(sk), &wait);
311bb895 3014 while ((skb = skb_peek(&chan->busy_q))) {
1890d36b
GP		 3015 set_current_state(TASK_INTERRUPTIBLE);
3016
3017 if (n_tries++ > L2CAP_LOCAL_BUSY_TRIES) {
3018 err = -EBUSY;
311bb895 3019 l2cap_send_disconn_req(l2cap_pi(sk)->conn, chan, EBUSY);
712132eb 3020 break;
1890d36b
GP		 3021 }
3022
3023 if (!timeo)
3024 timeo = HZ/5;
3025
3026 if (signal_pending(current)) {
3027 err = sock_intr_errno(timeo);
712132eb 3028 break;
1890d36b
GP		 3029 }
3030
3031 release_sock(sk);
3032 timeo = schedule_timeout(timeo);
3033 lock_sock(sk);
3034
3035 err = sock_error(sk);
3036 if (err)
712132eb 3037 break;
1890d36b 3038
311bb895 3039 if (l2cap_try_push_rx_skb(chan) == 0)
1890d36b
GP		 3040 break;
3041 }
3042
1890d36b 3043 set_current_state(TASK_RUNNING);
2b0b05dd 3044 remove_wait_queue(sk_sleep(sk), &wait);
1890d36b
GP		 3045
3046 release_sock(sk);
3047}
3048
525cd185 3049static int l2cap_push_rx_skb(struct l2cap_chan *chan, struct sk_buff *skb, u16 control)
1890d36b 3050{
1890d36b
GP		 3051 int sctrl, err;
3052
525cd185 3053 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
1890d36b 3054 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
f1c6775b 3055 __skb_queue_tail(&chan->busy_q, skb);
525cd185 3056 return l2cap_try_push_rx_skb(chan);
712132eb
GP		 3057
3058
1890d36b
GP		 3059 }
3060
525cd185 3061 err = l2cap_ertm_reassembly_sdu(chan, skb, control);
1890d36b 3062 if (err >= 0) {
42e5c802 3063 chan->buffer_seq = (chan->buffer_seq + 1) % 64;
1890d36b
GP		 3064 return err;
3065 }
3066
3067 /* Busy Condition */
311bb895 3068 BT_DBG("chan %p, Enter local busy", chan);
0e98958d 3069
525cd185 3070 chan->conn_state |= L2CAP_CONN_LOCAL_BUSY;
1890d36b 3071 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
f1c6775b 3072 __skb_queue_tail(&chan->busy_q, skb);
1890d36b 3073
42e5c802 3074 sctrl = chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1890d36b 3075 sctrl |= L2CAP_SUPER_RCV_NOT_READY;
525cd185 3076 l2cap_send_sframe(chan, sctrl);
1890d36b 3077
525cd185 3078 chan->conn_state |= L2CAP_CONN_RNR_SENT;
1890d36b 3079
e92c8e70 3080 del_timer(&chan->ack_timer);
7fe9b298 3081
311bb895 3082 queue_work(_busy_wq, &chan->busy_work);
1890d36b
GP		 3083
3084 return err;
3085}
3086
525cd185 3087static int l2cap_streaming_reassembly_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u16 control)
c74e560c 3088{
c74e560c
GP		 3089 struct sk_buff *_skb;
3090 int err = -EINVAL;
3091
18778a63
GP		 3092 /*
3093 * TODO: We have to notify the userland if some data is lost with the
3094 * Streaming Mode.
3095 */
3096
c74e560c
GP		 3097 switch (control & L2CAP_CTRL_SAR) {
3098 case L2CAP_SDU_UNSEGMENTED:
525cd185 3099 if (chan->conn_state & L2CAP_CONN_SAR_SDU) {
6f61fd47 3100 kfree_skb(chan->sdu);
c74e560c
GP		 3101 break;
3102 }
3103
525cd185 3104 err = sock_queue_rcv_skb(chan->sk, skb);
c74e560c
GP		 3105 if (!err)
3106 return 0;
3107
3108 break;
3109
3110 case L2CAP_SDU_START:
525cd185 3111 if (chan->conn_state & L2CAP_CONN_SAR_SDU) {
6f61fd47 3112 kfree_skb(chan->sdu);
c74e560c
GP		 3113 break;
3114 }
3115
6f61fd47 3116 chan->sdu_len = get_unaligned_le16(skb->data);
c74e560c
GP		 3117 skb_pull(skb, 2);
3118
0c1bc5c6 3119 if (chan->sdu_len > chan->imtu) {
052897ca
GP		 3120 err = -EMSGSIZE;
3121 break;
3122 }
3123
6f61fd47
GP		 3124 chan->sdu = bt_skb_alloc(chan->sdu_len, GFP_ATOMIC);
3125 if (!chan->sdu) {
c74e560c
GP		 3126 err = -ENOMEM;
3127 break;
3128 }
3129
6f61fd47 3130 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
c74e560c 3131
525cd185 3132 chan->conn_state |= L2CAP_CONN_SAR_SDU;
6f61fd47 3133 chan->partial_sdu_len = skb->len;
c74e560c
GP		 3134 err = 0;
3135 break;
3136
3137 case L2CAP_SDU_CONTINUE:
525cd185 3138 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
c74e560c
GP		 3139 break;
3140
6f61fd47 3141 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
c74e560c 3142
6f61fd47
GP		 3143 chan->partial_sdu_len += skb->len;
3144 if (chan->partial_sdu_len > chan->sdu_len)
3145 kfree_skb(chan->sdu);
c74e560c
GP		 3146 else
3147 err = 0;
3148
3149 break;
3150
3151 case L2CAP_SDU_END:
525cd185 3152 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
c74e560c
GP		 3153 break;
3154
6f61fd47 3155 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
c74e560c 3156
525cd185 3157 chan->conn_state &= ~L2CAP_CONN_SAR_SDU;
6f61fd47 3158 chan->partial_sdu_len += skb->len;
c74e560c 3159
0c1bc5c6 3160 if (chan->partial_sdu_len > chan->imtu)
36f2fd58
GP		 3161 goto drop;
3162
6f61fd47
GP		 3163 if (chan->partial_sdu_len == chan->sdu_len) {
3164 _skb = skb_clone(chan->sdu, GFP_ATOMIC);
525cd185 3165 err = sock_queue_rcv_skb(chan->sk, _skb);
c74e560c
GP		 3166 if (err < 0)
3167 kfree_skb(_skb);
3168 }
c74e560c
GP		 3169 err = 0;
3170
36f2fd58 3171drop:
6f61fd47 3172 kfree_skb(chan->sdu);
c74e560c
GP		 3173 break;
3174 }
3175
3176 kfree_skb(skb);
3177 return err;
3178}
3179
525cd185 3180static void l2cap_check_srej_gap(struct l2cap_chan *chan, u8 tx_seq)
8f17154f
GP		 3181{
3182 struct sk_buff *skb;
afefdbc4 3183 u16 control;
8f17154f 3184
f1c6775b 3185 while ((skb = skb_peek(&chan->srej_q))) {
8f17154f
GP		 3186 if (bt_cb(skb)->tx_seq != tx_seq)
3187 break;
3188
f1c6775b 3189 skb = skb_dequeue(&chan->srej_q);
afefdbc4 3190 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
525cd185 3191 l2cap_ertm_reassembly_sdu(chan, skb, control);
42e5c802
GP		 3192 chan->buffer_seq_srej =
3193 (chan->buffer_seq_srej + 1) % 64;
8ff50ec0 3194 tx_seq = (tx_seq + 1) % 64;
8f17154f
GP		 3195 }
3196}
3197
525cd185 3198static void l2cap_resend_srejframe(struct l2cap_chan *chan, u8 tx_seq)
8f17154f 3199{
8f17154f
GP		 3200 struct srej_list *l, *tmp;
3201 u16 control;
3202
39d5a3ee 3203 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
8f17154f
GP		 3204 if (l->tx_seq == tx_seq) {
3205 list_del(&l->list);
3206 kfree(l);
3207 return;
3208 }
3209 control = L2CAP_SUPER_SELECT_REJECT;
3210 control |= l->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
525cd185 3211 l2cap_send_sframe(chan, control);
8f17154f 3212 list_del(&l->list);
39d5a3ee 3213 list_add_tail(&l->list, &chan->srej_l);
8f17154f
GP		 3214 }
3215}
3216
525cd185 3217static void l2cap_send_srejframe(struct l2cap_chan *chan, u8 tx_seq)
8f17154f 3218{
8f17154f
GP		 3219 struct srej_list *new;
3220 u16 control;
3221
42e5c802 3222 while (tx_seq != chan->expected_tx_seq) {
8f17154f 3223 control = L2CAP_SUPER_SELECT_REJECT;
42e5c802 3224 control |= chan->expected_tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
525cd185 3225 l2cap_send_sframe(chan, control);
8f17154f
GP		 3226
3227 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
42e5c802
GP		 3228 new->tx_seq = chan->expected_tx_seq;
3229 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
39d5a3ee 3230 list_add_tail(&new->list, &chan->srej_l);
8f17154f 3231 }
42e5c802 3232 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
8f17154f
GP		 3233}
3234
525cd185 3235static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u16 rx_control, struct sk_buff *skb)
1c2acffb 3236{
49208c9c 3237 struct l2cap_pinfo *pi = l2cap_pi(chan->sk);
1c2acffb 3238 u8 tx_seq = __get_txseq(rx_control);
9f121a5a 3239 u8 req_seq = __get_reqseq(rx_control);
8f17154f 3240 u8 sar = rx_control >> L2CAP_CTRL_SAR_SHIFT;
f6337c77 3241 int tx_seq_offset, expected_tx_seq_offset;
47d1ec61 3242 int num_to_ack = (chan->tx_win/6) + 1;
1c2acffb
GP		 3243 int err = 0;
3244
525cd185
GP		 3245 BT_DBG("chan %p len %d tx_seq %d rx_control 0x%4.4x", chan, skb->len,
3246 tx_seq, rx_control);
1c2acffb 3247
9b16dc65 3248 if (L2CAP_CTRL_FINAL & rx_control &&
525cd185 3249 chan->conn_state & L2CAP_CONN_WAIT_F) {
e92c8e70 3250 del_timer(&chan->monitor_timer);
6a026610 3251 if (chan->unacked_frames > 0)
1d8f5d16 3252 __mod_retrans_timer();
525cd185 3253 chan->conn_state &= ~L2CAP_CONN_WAIT_F;
1d8f5d16
GP		 3254 }
3255
42e5c802
GP		 3256 chan->expected_ack_seq = req_seq;
3257 l2cap_drop_acked_frames(chan);
9f121a5a 3258
42e5c802 3259 if (tx_seq == chan->expected_tx_seq)
8f17154f 3260 goto expected;
1c2acffb 3261
42e5c802 3262 tx_seq_offset = (tx_seq - chan->buffer_seq) % 64;
9b53350d
JPRV		 3263 if (tx_seq_offset < 0)
3264 tx_seq_offset += 64;
3265
3266 /* invalid tx_seq */
47d1ec61 3267 if (tx_seq_offset >= chan->tx_win) {
e92c8e70 3268 l2cap_send_disconn_req(pi->conn, chan, ECONNRESET);
9b53350d
JPRV		 3269 goto drop;
3270 }
3271
525cd185 3272 if (chan->conn_state == L2CAP_CONN_LOCAL_BUSY)
1890d36b
GP		 3273 goto drop;
3274
525cd185 3275 if (chan->conn_state & L2CAP_CONN_SREJ_SENT) {
8f17154f 3276 struct srej_list *first;
30afb5b2 3277
39d5a3ee 3278 first = list_first_entry(&chan->srej_l,
8f17154f
GP		 3279 struct srej_list, list);
3280 if (tx_seq == first->tx_seq) {
42e5c802 3281 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
525cd185 3282 l2cap_check_srej_gap(chan, tx_seq);
8f17154f
GP		 3283
3284 list_del(&first->list);
3285 kfree(first);
3286
39d5a3ee 3287 if (list_empty(&chan->srej_l)) {
42e5c802 3288 chan->buffer_seq = chan->buffer_seq_srej;
525cd185
GP		 3289 chan->conn_state &= ~L2CAP_CONN_SREJ_SENT;
3290 l2cap_send_ack(chan);
49208c9c 3291 BT_DBG("chan %p, Exit SREJ_SENT", chan);
8f17154f
GP		 3292 }
3293 } else {
3294 struct srej_list *l;
9b53350d
JPRV		 3295
3296 /* duplicated tx_seq */
42e5c802 3297 if (l2cap_add_to_srej_queue(chan, skb, tx_seq, sar) < 0)
9b53350d 3298 goto drop;
8f17154f 3299
39d5a3ee 3300 list_for_each_entry(l, &chan->srej_l, list) {
8f17154f 3301 if (l->tx_seq == tx_seq) {
525cd185 3302 l2cap_resend_srejframe(chan, tx_seq);
8f17154f
GP		 3303 return 0;
3304 }
3305 }
525cd185 3306 l2cap_send_srejframe(chan, tx_seq);
30afb5b2
GP		 3307 }
3308 } else {
9b53350d 3309 expected_tx_seq_offset =
42e5c802 3310 (chan->expected_tx_seq - chan->buffer_seq) % 64;
9b53350d
JPRV		 3311 if (expected_tx_seq_offset < 0)
3312 expected_tx_seq_offset += 64;
3313
3314 /* duplicated tx_seq */
3315 if (tx_seq_offset < expected_tx_seq_offset)
3316 goto drop;
3317
525cd185 3318 chan->conn_state |= L2CAP_CONN_SREJ_SENT;
1c2acffb 3319
49208c9c 3320 BT_DBG("chan %p, Enter SREJ", chan);
0e98958d 3321
39d5a3ee 3322 INIT_LIST_HEAD(&chan->srej_l);
42e5c802 3323 chan->buffer_seq_srej = chan->buffer_seq;
8f17154f 3324
f1c6775b
GP		 3325 __skb_queue_head_init(&chan->srej_q);
3326 __skb_queue_head_init(&chan->busy_q);
42e5c802 3327 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
8f17154f 3328
525cd185 3329 chan->conn_state |= L2CAP_CONN_SEND_PBIT;
ef54fd93 3330
525cd185 3331 l2cap_send_srejframe(chan, tx_seq);
7fe9b298 3332
e92c8e70 3333 del_timer(&chan->ack_timer);
1c2acffb 3334 }
30afb5b2
GP		 3335 return 0;
3336
8f17154f 3337expected:
42e5c802 3338 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
8f17154f 3339
525cd185 3340 if (chan->conn_state & L2CAP_CONN_SREJ_SENT) {
3b1a9f3f
GP		 3341 bt_cb(skb)->tx_seq = tx_seq;
3342 bt_cb(skb)->sar = sar;
f1c6775b 3343 __skb_queue_tail(&chan->srej_q, skb);
8f17154f
GP		 3344 return 0;
3345 }
3346
525cd185 3347 err = l2cap_push_rx_skb(chan, skb, rx_control);
2ece3684
GP		 3348 if (err < 0)
3349 return 0;
3350
4ec10d97 3351 if (rx_control & L2CAP_CTRL_FINAL) {
525cd185
GP		 3352 if (chan->conn_state & L2CAP_CONN_REJ_ACT)
3353 chan->conn_state &= ~L2CAP_CONN_REJ_ACT;
dfc909be 3354 else
525cd185 3355 l2cap_retransmit_frames(chan);
4ec10d97
GP		 3356 }
3357
c1b4f43b
GP		 3358 __mod_ack_timer();
3359
6a026610
GP		 3360 chan->num_acked = (chan->num_acked + 1) % num_to_ack;
3361 if (chan->num_acked == num_to_ack - 1)
525cd185 3362 l2cap_send_ack(chan);
9e917af1 3363
8f17154f 3364 return 0;
9b53350d
JPRV		 3365
3366drop:
3367 kfree_skb(skb);
3368 return 0;
1c2acffb
GP		 3369}
3370
525cd185 3371static inline void l2cap_data_channel_rrframe(struct l2cap_chan *chan, u16 rx_control)
1c2acffb 3372{
49208c9c 3373 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, __get_reqseq(rx_control),
0e98958d
GP		 3374 rx_control);
3375
42e5c802
GP		 3376 chan->expected_ack_seq = __get_reqseq(rx_control);
3377 l2cap_drop_acked_frames(chan);
1c2acffb 3378
e072745f 3379 if (rx_control & L2CAP_CTRL_POLL) {
525cd185
GP		 3380 chan->conn_state |= L2CAP_CONN_SEND_FBIT;
3381 if (chan->conn_state & L2CAP_CONN_SREJ_SENT) {
3382 if ((chan->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
6a026610 3383 (chan->unacked_frames > 0))
05fbd89d
GP		 3384 __mod_retrans_timer();
3385
525cd185
GP		 3386 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3387 l2cap_send_srejtail(chan);
05fbd89d 3388 } else {
525cd185 3389 l2cap_send_i_or_rr_or_rnr(chan);
05fbd89d 3390 }
1d8f5d16 3391
e072745f 3392 } else if (rx_control & L2CAP_CTRL_FINAL) {
525cd185 3393 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
4ec10d97 3394
525cd185
GP		 3395 if (chan->conn_state & L2CAP_CONN_REJ_ACT)
3396 chan->conn_state &= ~L2CAP_CONN_REJ_ACT;
dfc909be 3397 else
525cd185 3398 l2cap_retransmit_frames(chan);
2246b2f1 3399
e072745f 3400 } else {
525cd185 3401 if ((chan->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
6a026610 3402 (chan->unacked_frames > 0))
e072745f 3403 __mod_retrans_timer();
1c2acffb 3404
525cd185
GP		 3405 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3406 if (chan->conn_state & L2CAP_CONN_SREJ_SENT)
3407 l2cap_send_ack(chan);
894718a6 3408 else
525cd185 3409 l2cap_ertm_send(chan);
e072745f
GP		 3410 }
3411}
2246b2f1 3412
525cd185 3413static inline void l2cap_data_channel_rejframe(struct l2cap_chan *chan, u16 rx_control)
e072745f 3414{
e072745f 3415 u8 tx_seq = __get_reqseq(rx_control);
30afb5b2 3416
525cd185 3417 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
0e98958d 3418
525cd185 3419 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
e072745f 3420
42e5c802
GP		 3421 chan->expected_ack_seq = tx_seq;
3422 l2cap_drop_acked_frames(chan);
e072745f
GP		 3423
3424 if (rx_control & L2CAP_CTRL_FINAL) {
525cd185
GP		 3425 if (chan->conn_state & L2CAP_CONN_REJ_ACT)
3426 chan->conn_state &= ~L2CAP_CONN_REJ_ACT;
dfc909be 3427 else
525cd185 3428 l2cap_retransmit_frames(chan);
e072745f 3429 } else {
525cd185 3430 l2cap_retransmit_frames(chan);
30afb5b2 3431
525cd185
GP		 3432 if (chan->conn_state & L2CAP_CONN_WAIT_F)
3433 chan->conn_state |= L2CAP_CONN_REJ_ACT;
e072745f
GP		 3434 }
3435}
525cd185 3436static inline void l2cap_data_channel_srejframe(struct l2cap_chan *chan, u16 rx_control)
e072745f 3437{
e072745f 3438 u8 tx_seq = __get_reqseq(rx_control);
30afb5b2 3439
525cd185 3440 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
0e98958d 3441
525cd185 3442 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
2246b2f1 3443
e072745f 3444 if (rx_control & L2CAP_CTRL_POLL) {
42e5c802
GP		 3445 chan->expected_ack_seq = tx_seq;
3446 l2cap_drop_acked_frames(chan);
3cb123d1 3447
525cd185
GP		 3448 chan->conn_state |= L2CAP_CONN_SEND_FBIT;
3449 l2cap_retransmit_one_frame(chan, tx_seq);
dfc909be 3450
525cd185 3451 l2cap_ertm_send(chan);
dfc909be 3452
525cd185 3453 if (chan->conn_state & L2CAP_CONN_WAIT_F) {
6a026610 3454 chan->srej_save_reqseq = tx_seq;
525cd185 3455 chan->conn_state |= L2CAP_CONN_SREJ_ACT;
ef54fd93 3456 }
e072745f 3457 } else if (rx_control & L2CAP_CTRL_FINAL) {
525cd185 3458 if ((chan->conn_state & L2CAP_CONN_SREJ_ACT) &&
6a026610 3459 chan->srej_save_reqseq == tx_seq)
525cd185 3460 chan->conn_state &= ~L2CAP_CONN_SREJ_ACT;
e072745f 3461 else
525cd185 3462 l2cap_retransmit_one_frame(chan, tx_seq);
e072745f 3463 } else {
525cd185
GP		 3464 l2cap_retransmit_one_frame(chan, tx_seq);
3465 if (chan->conn_state & L2CAP_CONN_WAIT_F) {
6a026610 3466 chan->srej_save_reqseq = tx_seq;
525cd185 3467 chan->conn_state |= L2CAP_CONN_SREJ_ACT;
ef54fd93 3468 }
e072745f
GP		 3469 }
3470}
3471
525cd185 3472static inline void l2cap_data_channel_rnrframe(struct l2cap_chan *chan, u16 rx_control)
e072745f 3473{
e072745f
GP		 3474 u8 tx_seq = __get_reqseq(rx_control);
3475
525cd185 3476 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
0e98958d 3477
525cd185 3478 chan->conn_state |= L2CAP_CONN_REMOTE_BUSY;
42e5c802
GP		 3479 chan->expected_ack_seq = tx_seq;
3480 l2cap_drop_acked_frames(chan);
e072745f 3481
3cb123d1 3482 if (rx_control & L2CAP_CTRL_POLL)
525cd185 3483 chan->conn_state |= L2CAP_CONN_SEND_FBIT;
3cb123d1 3484
525cd185 3485 if (!(chan->conn_state & L2CAP_CONN_SREJ_SENT)) {
e92c8e70 3486 del_timer(&chan->retrans_timer);
a2e12a2a 3487 if (rx_control & L2CAP_CTRL_POLL)
525cd185 3488 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_FINAL);
99b0d4b7 3489 return;
e072745f 3490 }
99b0d4b7
GP		 3491
3492 if (rx_control & L2CAP_CTRL_POLL)
525cd185 3493 l2cap_send_srejtail(chan);
99b0d4b7 3494 else
525cd185 3495 l2cap_send_sframe(chan, L2CAP_SUPER_RCV_READY);
e072745f
GP		 3496}
3497
525cd185 3498static inline int l2cap_data_channel_sframe(struct l2cap_chan *chan, u16 rx_control, struct sk_buff *skb)
e072745f 3499{
525cd185 3500 BT_DBG("chan %p rx_control 0x%4.4x len %d", chan, rx_control, skb->len);
e072745f 3501
9b16dc65 3502 if (L2CAP_CTRL_FINAL & rx_control &&
525cd185 3503 chan->conn_state & L2CAP_CONN_WAIT_F) {
e92c8e70 3504 del_timer(&chan->monitor_timer);
6a026610 3505 if (chan->unacked_frames > 0)
e072745f 3506 __mod_retrans_timer();
525cd185 3507 chan->conn_state &= ~L2CAP_CONN_WAIT_F;
e072745f
GP		 3508 }
3509
3510 switch (rx_control & L2CAP_CTRL_SUPERVISE) {
3511 case L2CAP_SUPER_RCV_READY:
525cd185 3512 l2cap_data_channel_rrframe(chan, rx_control);
8f17154f
GP		 3513 break;
3514
e072745f 3515 case L2CAP_SUPER_REJECT:
525cd185 3516 l2cap_data_channel_rejframe(chan, rx_control);
e072745f 3517 break;
2246b2f1 3518
e072745f 3519 case L2CAP_SUPER_SELECT_REJECT:
525cd185 3520 l2cap_data_channel_srejframe(chan, rx_control);
e072745f
GP		 3521 break;
3522
3523 case L2CAP_SUPER_RCV_NOT_READY:
525cd185 3524 l2cap_data_channel_rnrframe(chan, rx_control);
1c2acffb
GP		 3525 break;
3526 }
3527
faaebd19 3528 kfree_skb(skb);
1c2acffb
GP		 3529 return 0;
3530}
3531
218bb9df
GP		 3532static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb)
3533{
525cd185 3534 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
218bb9df
GP		 3535 struct l2cap_pinfo *pi = l2cap_pi(sk);
3536 u16 control;
3537 u8 req_seq;
3538 int len, next_tx_seq_offset, req_seq_offset;
3539
3540 control = get_unaligned_le16(skb->data);
3541 skb_pull(skb, 2);
3542 len = skb->len;
3543
3544 /*
3545 * We can just drop the corrupted I-frame here.
3546 * Receiver will miss it and start proper recovery
3547 * procedures and ask retransmission.
3548 */
47d1ec61 3549 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 3550 goto drop;
3551
3552 if (__is_sar_start(control) && __is_iframe(control))
3553 len -= 2;
3554
47d1ec61 3555 if (chan->fcs == L2CAP_FCS_CRC16)
218bb9df
GP		 3556 len -= 2;
3557
47d1ec61 3558 if (len > chan->mps) {
e92c8e70 3559 l2cap_send_disconn_req(pi->conn, chan, ECONNRESET);
218bb9df
GP		 3560 goto drop;
3561 }
3562
3563 req_seq = __get_reqseq(control);
42e5c802 3564 req_seq_offset = (req_seq - chan->expected_ack_seq) % 64;
218bb9df
GP		 3565 if (req_seq_offset < 0)
3566 req_seq_offset += 64;
3567
3568 next_tx_seq_offset =
42e5c802 3569 (chan->next_tx_seq - chan->expected_ack_seq) % 64;
218bb9df
GP		 3570 if (next_tx_seq_offset < 0)
3571 next_tx_seq_offset += 64;
3572
3573 /* check for invalid req-seq */
3574 if (req_seq_offset > next_tx_seq_offset) {
e92c8e70 3575 l2cap_send_disconn_req(pi->conn, chan, ECONNRESET);
218bb9df
GP		 3576 goto drop;
3577 }
3578
3579 if (__is_iframe(control)) {
3580 if (len < 0) {
e92c8e70 3581 l2cap_send_disconn_req(pi->conn, chan, ECONNRESET);
218bb9df
GP		 3582 goto drop;
3583 }
3584
525cd185 3585 l2cap_data_channel_iframe(chan, control, skb);
218bb9df
GP		 3586 } else {
3587 if (len != 0) {
3588 BT_ERR("%d", len);
e92c8e70 3589 l2cap_send_disconn_req(pi->conn, chan, ECONNRESET);
218bb9df
GP		 3590 goto drop;
3591 }
3592
525cd185 3593 l2cap_data_channel_sframe(chan, control, skb);
218bb9df
GP		 3594 }
3595
3596 return 0;
3597
3598drop:
3599 kfree_skb(skb);
3600 return 0;
3601}
3602
1da177e4
LT		 3603static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
3604{
48454079 3605 struct l2cap_chan *chan;
1da177e4 3606 struct sock *sk;
6840ed07 3607 struct l2cap_pinfo *pi;
51893f88 3608 u16 control;
218bb9df
GP		 3609 u8 tx_seq;
3610 int len;
1da177e4 3611
baa7e1fa 3612 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 3613 if (!chan) {
1da177e4
LT		 3614 BT_DBG("unknown cid 0x%4.4x", cid);
3615 goto drop;
3616 }
3617
48454079 3618 sk = chan->sk;
6840ed07
GP		 3619 pi = l2cap_pi(sk);
3620
49208c9c 3621 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4
LT		 3622
3623 if (sk->sk_state != BT_CONNECTED)
3624 goto drop;
3625
0c1bc5c6 3626 switch (chan->mode) {
1c2acffb
GP		 3627 case L2CAP_MODE_BASIC:
3628 /* If socket recv buffers overflows we drop data here
3629 * which is *bad* because L2CAP has to be reliable.
3630 * But we don't have any other choice. L2CAP doesn't
3631 * provide flow control mechanism. */
1da177e4 3632
0c1bc5c6 3633 if (chan->imtu < skb->len)
1c2acffb 3634 goto drop;
1da177e4 3635
1c2acffb
GP		 3636 if (!sock_queue_rcv_skb(sk, skb))
3637 goto done;
3638 break;
3639
3640 case L2CAP_MODE_ERTM:
218bb9df
GP		 3641 if (!sock_owned_by_user(sk)) {
3642 l2cap_ertm_data_rcv(sk, skb);
277ffbe3 3643 } else {
218bb9df 3644 if (sk_add_backlog(sk, skb))
277ffbe3 3645 goto drop;
277ffbe3 3646 }
1c2acffb 3647
fcafde2e 3648 goto done;
1c2acffb 3649
6840ed07
GP		 3650 case L2CAP_MODE_STREAMING:
3651 control = get_unaligned_le16(skb->data);
3652 skb_pull(skb, 2);
3653 len = skb->len;
3654
47d1ec61 3655 if (l2cap_check_fcs(chan, skb))
26000089
GP		 3656 goto drop;
3657
6840ed07
GP		 3658 if (__is_sar_start(control))
3659 len -= 2;
3660
47d1ec61 3661 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3
GP		 3662 len -= 2;
3663
47d1ec61 3664 if (len > chan->mps || len < 0 || __is_sframe(control))
6840ed07
GP		 3665 goto drop;
3666
3667 tx_seq = __get_txseq(control);
3668
42e5c802
GP		 3669 if (chan->expected_tx_seq == tx_seq)
3670 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
6840ed07 3671 else
42e5c802 3672 chan->expected_tx_seq = (tx_seq + 1) % 64;
6840ed07 3673
525cd185 3674 l2cap_streaming_reassembly_sdu(chan, skb, control);
6840ed07
GP		 3675
3676 goto done;
3677
1c2acffb 3678 default:
0c1bc5c6 3679 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 3680 break;
3681 }
1da177e4
LT		 3682
3683drop:
3684 kfree_skb(skb);
3685
3686done:
0139418c
MH		 3687 if (sk)
3688 bh_unlock_sock(sk);
3689
1da177e4
LT		 3690 return 0;
3691}
3692
8e036fc3 3693static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
1da177e4
LT		 3694{
3695 struct sock *sk;
3696
3697 sk = l2cap_get_sock_by_psm(0, psm, conn->src);
3698 if (!sk)
3699 goto drop;
3700
e0f0cb56
GP		 3701 bh_lock_sock(sk);
3702
1da177e4
LT		 3703 BT_DBG("sk %p, len %d", sk, skb->len);
3704
3705 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_CONNECTED)
3706 goto drop;
3707
0c1bc5c6 3708 if (l2cap_pi(sk)->chan->imtu < skb->len)
1da177e4
LT		 3709 goto drop;
3710
3711 if (!sock_queue_rcv_skb(sk, skb))
3712 goto done;
3713
3714drop:
3715 kfree_skb(skb);
3716
3717done:
af05b30b
GP		 3718 if (sk)
3719 bh_unlock_sock(sk);
1da177e4
LT		 3720 return 0;
3721}
3722
9f69bda6
GP		 3723static inline int l2cap_att_channel(struct l2cap_conn *conn, __le16 cid, struct sk_buff *skb)
3724{
3725 struct sock *sk;
3726
3727 sk = l2cap_get_sock_by_scid(0, cid, conn->src);
3728 if (!sk)
3729 goto drop;
3730
3731 bh_lock_sock(sk);
3732
3733 BT_DBG("sk %p, len %d", sk, skb->len);
3734
3735 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_CONNECTED)
3736 goto drop;
3737
0c1bc5c6 3738 if (l2cap_pi(sk)->chan->imtu < skb->len)
9f69bda6
GP		 3739 goto drop;
3740
3741 if (!sock_queue_rcv_skb(sk, skb))
3742 goto done;
3743
3744drop:
3745 kfree_skb(skb);
3746
3747done:
3748 if (sk)
3749 bh_unlock_sock(sk);
3750 return 0;
3751}
3752
1da177e4
LT		 3753static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
3754{
3755 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 3756 u16 cid, len;
3757 __le16 psm;
1da177e4
LT		 3758
3759 skb_pull(skb, L2CAP_HDR_SIZE);
3760 cid = __le16_to_cpu(lh->cid);
3761 len = __le16_to_cpu(lh->len);
3762
1c2acffb
GP		 3763 if (len != skb->len) {
3764 kfree_skb(skb);
3765 return;
3766 }
3767
1da177e4
LT		 3768 BT_DBG("len %d, cid 0x%4.4x", len, cid);
3769
3770 switch (cid) {
3300d9a9 3771 case L2CAP_CID_LE_SIGNALING:
8db4dc46 3772 case L2CAP_CID_SIGNALING:
1da177e4
LT		 3773 l2cap_sig_channel(conn, skb);
3774 break;
3775
8db4dc46 3776 case L2CAP_CID_CONN_LESS:
1b7bf4ed 3777 psm = get_unaligned_le16(skb->data);
1da177e4
LT		 3778 skb_pull(skb, 2);
3779 l2cap_conless_channel(conn, psm, skb);
3780 break;
3781
9f69bda6
GP		 3782 case L2CAP_CID_LE_DATA:
3783 l2cap_att_channel(conn, cid, skb);
3784 break;
3785
1da177e4
LT		 3786 default:
3787 l2cap_data_channel(conn, cid, skb);
3788 break;
3789 }
3790}
3791
3792/* ---- L2CAP interface with lower layer (HCI) ---- */
3793
3794static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
3795{
3796 int exact = 0, lm1 = 0, lm2 = 0;
3797 register struct sock *sk;
3798 struct hlist_node *node;
3799
3800 if (type != ACL_LINK)
963cf687 3801 return -EINVAL;
1da177e4
LT		 3802
3803 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
3804
3805 /* Find listening sockets and check their link_mode */
3806 read_lock(&l2cap_sk_list.lock);
3807 sk_for_each(sk, node, &l2cap_sk_list.head) {
4343478f
GP		 3808 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
3809
1da177e4
LT		 3810 if (sk->sk_state != BT_LISTEN)
3811 continue;
3812
3813 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 3814 lm1 |= HCI_LM_ACCEPT;
4343478f 3815 if (chan->role_switch)
2af6b9d5 3816 lm1 |= HCI_LM_MASTER;
1da177e4 3817 exact++;
2af6b9d5
MH		 3818 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
3819 lm2 |= HCI_LM_ACCEPT;
4343478f 3820 if (chan->role_switch)
2af6b9d5
MH		 3821 lm2 |= HCI_LM_MASTER;
3822 }
1da177e4
LT		 3823 }
3824 read_unlock(&l2cap_sk_list.lock);
3825
3826 return exact ? lm1 : lm2;
3827}
3828
3829static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
3830{
0139418c
MH		 3831 struct l2cap_conn *conn;
3832
1da177e4
LT		 3833 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
3834
acd7d370 3835 if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK))
963cf687 3836 return -EINVAL;
1da177e4
LT		 3837
3838 if (!status) {
1da177e4
LT		 3839 conn = l2cap_conn_add(hcon, status);
3840 if (conn)
3841 l2cap_conn_ready(conn);
0139418c 3842 } else
1da177e4
LT		 3843 l2cap_conn_del(hcon, bt_err(status));
3844
3845 return 0;
3846}
3847
2950f21a
MH		 3848static int l2cap_disconn_ind(struct hci_conn *hcon)
3849{
3850 struct l2cap_conn *conn = hcon->l2cap_data;
3851
3852 BT_DBG("hcon %p", hcon);
3853
3854 if (hcon->type != ACL_LINK || !conn)
3855 return 0x13;
3856
3857 return conn->disc_reason;
3858}
3859
3860static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 3861{
3862 BT_DBG("hcon %p reason %d", hcon, reason);
3863
acd7d370 3864 if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK))
963cf687 3865 return -EINVAL;
1da177e4
LT		 3866
3867 l2cap_conn_del(hcon, bt_err(reason));
0139418c 3868
1da177e4
LT		 3869 return 0;
3870}
3871
4343478f 3872static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 3873{
4343478f
GP		 3874 struct sock *sk = chan->sk;
3875
bd3c9e25 3876 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM)
255c7601
MH		 3877 return;
3878
f62e4323 3879 if (encrypt == 0x00) {
4343478f 3880 if (chan->sec_level == BT_SECURITY_MEDIUM) {
f62e4323
MH		 3881 l2cap_sock_clear_timer(sk);
3882 l2cap_sock_set_timer(sk, HZ * 5);
4343478f 3883 } else if (chan->sec_level == BT_SECURITY_HIGH)
f62e4323
MH		 3884 __l2cap_sock_close(sk, ECONNREFUSED);
3885 } else {
4343478f 3886 if (chan->sec_level == BT_SECURITY_MEDIUM)
f62e4323
MH		 3887 l2cap_sock_clear_timer(sk);
3888 }
3889}
3890
8c1b2355 3891static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 3892{
0139418c 3893 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 3894 struct l2cap_chan *chan;
1da177e4 3895
0139418c 3896 if (!conn)
1da177e4 3897 return 0;
0139418c 3898
1da177e4
LT		 3899 BT_DBG("conn %p", conn);
3900
baa7e1fa 3901 read_lock(&conn->chan_lock);
1da177e4 3902
baa7e1fa 3903 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 3904 struct sock *sk = chan->sk;
baa7e1fa 3905
1da177e4
LT		 3906 bh_lock_sock(sk);
3907
b4450035 3908 if (chan->conf_state & L2CAP_CONF_CONNECT_PEND) {
6a8d3010
MH		 3909 bh_unlock_sock(sk);
3910 continue;
3911 }
3912
f62e4323 3913 if (!status && (sk->sk_state == BT_CONNECTED ||
8c1b2355 3914 sk->sk_state == BT_CONFIG)) {
4343478f 3915 l2cap_check_encryption(chan, encrypt);
9719f8af
MH		 3916 bh_unlock_sock(sk);
3917 continue;
3918 }
3919
b1235d79
MH		 3920 if (sk->sk_state == BT_CONNECT) {
3921 if (!status) {
3922 struct l2cap_conn_req req;
3923 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
3924 req.psm = l2cap_pi(sk)->psm;
1da177e4 3925
fc7f8a7e 3926 chan->ident = l2cap_get_ident(conn);
b4450035 3927 chan->conf_state |= L2CAP_CONF_CONNECT_PEND;
1da177e4 3928
fc7f8a7e 3929 l2cap_send_cmd(conn, chan->ident,
b1235d79
MH		 3930 L2CAP_CONN_REQ, sizeof(req), &req);
3931 } else {
3932 l2cap_sock_clear_timer(sk);
3933 l2cap_sock_set_timer(sk, HZ / 10);
3934 }
3935 } else if (sk->sk_state == BT_CONNECT2) {
3936 struct l2cap_conn_rsp rsp;
3937 __u16 result;
1da177e4 3938
b1235d79
MH		 3939 if (!status) {
3940 sk->sk_state = BT_CONFIG;
3941 result = L2CAP_CR_SUCCESS;
3942 } else {
3943 sk->sk_state = BT_DISCONN;
3944 l2cap_sock_set_timer(sk, HZ / 10);
3945 result = L2CAP_CR_SEC_BLOCK;
3946 }
3947
3948 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
3949 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
3950 rsp.result = cpu_to_le16(result);
e7c29cb1 3951 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
fc7f8a7e
GP		 3952 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
3953 sizeof(rsp), &rsp);
b1235d79 3954 }
1da177e4
LT		 3955
3956 bh_unlock_sock(sk);
3957 }
3958
baa7e1fa 3959 read_unlock(&conn->chan_lock);
b1235d79 3960
1da177e4
LT		 3961 return 0;
3962}
3963
3964static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
3965{
3966 struct l2cap_conn *conn = hcon->l2cap_data;
3967
5a08ecce
AE		 3968 if (!conn)
3969 conn = l2cap_conn_add(hcon, 0);
3970
3971 if (!conn)
1da177e4
LT		 3972 goto drop;
3973
3974 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
3975
e702112f 3976 if (!(flags & ACL_CONT)) {
1da177e4 3977 struct l2cap_hdr *hdr;
48454079 3978 struct l2cap_chan *chan;
89794813 3979 u16 cid;
1da177e4
LT		 3980 int len;
3981
3982 if (conn->rx_len) {
3983 BT_ERR("Unexpected start frame (len %d)", skb->len);
3984 kfree_skb(conn->rx_skb);
3985 conn->rx_skb = NULL;
3986 conn->rx_len = 0;
3987 l2cap_conn_unreliable(conn, ECOMM);
3988 }
3989
aae7fe22
AE		 3990 /* Start fragment always begin with Basic L2CAP header */
3991 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 3992 BT_ERR("Frame is too short (len %d)", skb->len);
3993 l2cap_conn_unreliable(conn, ECOMM);
3994 goto drop;
3995 }
3996
3997 hdr = (struct l2cap_hdr *) skb->data;
3998 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
89794813 3999 cid = __le16_to_cpu(hdr->cid);
1da177e4
LT		 4000
4001 if (len == skb->len) {
4002 /* Complete frame received */
4003 l2cap_recv_frame(conn, skb);
4004 return 0;
4005 }
4006
4007 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
4008
4009 if (skb->len > len) {
4010 BT_ERR("Frame is too long (len %d, expected len %d)",
4011 skb->len, len);
4012 l2cap_conn_unreliable(conn, ECOMM);
4013 goto drop;
4014 }
4015
baa7e1fa 4016 chan = l2cap_get_chan_by_scid(conn, cid);
89794813 4017
48454079
GP		 4018 if (chan && chan->sk) {
4019 struct sock *sk = chan->sk;
89794813 4020
0c1bc5c6 4021 if (chan->imtu < len - L2CAP_HDR_SIZE) {
48454079
GP		 4022 BT_ERR("Frame exceeding recv MTU (len %d, "
4023 "MTU %d)", len,
0c1bc5c6 4024 chan->imtu);
48454079
GP		 4025 bh_unlock_sock(sk);
4026 l2cap_conn_unreliable(conn, ECOMM);
4027 goto drop;
4028 }
89794813 4029 bh_unlock_sock(sk);
48454079 4030 }
89794813 4031
1da177e4 4032 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 4033 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
4034 if (!conn->rx_skb)
1da177e4
LT		 4035 goto drop;
4036
d626f62b 4037 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4038 skb->len);
1da177e4
LT		 4039 conn->rx_len = len - skb->len;
4040 } else {
4041 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
4042
4043 if (!conn->rx_len) {
4044 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
4045 l2cap_conn_unreliable(conn, ECOMM);
4046 goto drop;
4047 }
4048
4049 if (skb->len > conn->rx_len) {
4050 BT_ERR("Fragment is too long (len %d, expected %d)",
4051 skb->len, conn->rx_len);
4052 kfree_skb(conn->rx_skb);
4053 conn->rx_skb = NULL;
4054 conn->rx_len = 0;
4055 l2cap_conn_unreliable(conn, ECOMM);
4056 goto drop;
4057 }
4058
d626f62b 4059 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4060 skb->len);
1da177e4
LT		 4061 conn->rx_len -= skb->len;
4062
4063 if (!conn->rx_len) {
4064 /* Complete frame received */
4065 l2cap_recv_frame(conn, conn->rx_skb);
4066 conn->rx_skb = NULL;
4067 }
4068 }
4069
4070drop:
4071 kfree_skb(skb);
4072 return 0;
4073}
4074
aef7d97c 4075static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4
LT		 4076{
4077 struct sock *sk;
4078 struct hlist_node *node;
1da177e4
LT		 4079
4080 read_lock_bh(&l2cap_sk_list.lock);
4081
be9d1227
MH		 4082 sk_for_each(sk, node, &l2cap_sk_list.head) {
4083 struct l2cap_pinfo *pi = l2cap_pi(sk);
0c1bc5c6 4084 struct l2cap_chan *chan = pi->chan;
101545f6 4085
903d343e 4086 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
aef7d97c
MH		 4087 batostr(&bt_sk(sk)->src),
4088 batostr(&bt_sk(sk)->dst),
4089 sk->sk_state, __le16_to_cpu(pi->psm),
4090 pi->scid, pi->dcid,
0c1bc5c6
GP		 4091 chan->imtu, chan->omtu, chan->sec_level,
4092 chan->mode);
be9d1227 4093 }
1da177e4 4094
1da177e4 4095 read_unlock_bh(&l2cap_sk_list.lock);
1da177e4 4096
aef7d97c 4097 return 0;
1da177e4
LT		 4098}
4099
aef7d97c
MH		 4100static int l2cap_debugfs_open(struct inode *inode, struct file *file)
4101{
4102 return single_open(file, l2cap_debugfs_show, inode->i_private);
4103}
4104
4105static const struct file_operations l2cap_debugfs_fops = {
4106 .open = l2cap_debugfs_open,
4107 .read = seq_read,
4108 .llseek = seq_lseek,
4109 .release = single_release,
4110};
4111
4112static struct dentry *l2cap_debugfs;
1da177e4 4113
1da177e4
LT		 4114static struct hci_proto l2cap_hci_proto = {
4115 .name = "L2CAP",
4116 .id = HCI_PROTO_L2CAP,
4117 .connect_ind = l2cap_connect_ind,
4118 .connect_cfm = l2cap_connect_cfm,
4119 .disconn_ind = l2cap_disconn_ind,
2950f21a 4120 .disconn_cfm = l2cap_disconn_cfm,
8c1b2355 4121 .security_cfm = l2cap_security_cfm,
1da177e4
LT		 4122 .recv_acldata = l2cap_recv_acldata
4123};
4124
64274518 4125int __init l2cap_init(void)
1da177e4
LT		 4126{
4127 int err;
be9d1227 4128
bb58f747 4129 err = l2cap_init_sockets();
1da177e4
LT		 4130 if (err < 0)
4131 return err;
4132
1890d36b 4133 _busy_wq = create_singlethread_workqueue("l2cap");
b78d7b4f 4134 if (!_busy_wq) {
bb58f747 4135 err = -ENOMEM;
1da177e4
LT		 4136 goto error;
4137 }
4138
4139 err = hci_register_proto(&l2cap_hci_proto);
4140 if (err < 0) {
4141 BT_ERR("L2CAP protocol registration failed");
4142 bt_sock_unregister(BTPROTO_L2CAP);
4143 goto error;
4144 }
4145
aef7d97c
MH		 4146 if (bt_debugfs) {
4147 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
4148 bt_debugfs, NULL, &l2cap_debugfs_fops);
4149 if (!l2cap_debugfs)
4150 BT_ERR("Failed to create L2CAP debug file");
4151 }
1da177e4 4152
1da177e4
LT		 4153 return 0;
4154
4155error:
b78d7b4f 4156 destroy_workqueue(_busy_wq);
bb58f747 4157 l2cap_cleanup_sockets();
1da177e4
LT		 4158 return err;
4159}
4160
64274518 4161void l2cap_exit(void)
1da177e4 4162{
aef7d97c 4163 debugfs_remove(l2cap_debugfs);
1da177e4 4164
1890d36b
GP		 4165 flush_workqueue(_busy_wq);
4166 destroy_workqueue(_busy_wq);
4167
1da177e4
LT		 4168 if (hci_unregister_proto(&l2cap_hci_proto) < 0)
4169 BT_ERR("L2CAP protocol unregistration failed");
4170
bb58f747 4171 l2cap_cleanup_sockets();
1da177e4
LT		 4172}
4173
d1c4a17d
GP		 4174module_param(disable_ertm, bool, 0644);
4175MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
kernel source for telekom puls (alcatel/mediatek)