projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Remove export of l2cap_chan_clear_timer()
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
1da177e4
LT		 6
7 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License version 2 as
11 published by the Free Software Foundation;
12
13 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
14 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
15 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
16 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 17 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
18 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
19 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 20 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
21
8e87d142
YH		 22 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
23 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 24 SOFTWARE IS DISCLAIMED.
25*/
26
bb58f747 27/* Bluetooth L2CAP core. */
1da177e4 28
1da177e4
LT		 29#include <linux/module.h>
30
31#include <linux/types.h>
4fc268d2 32#include <linux/capability.h>
1da177e4
LT		 33#include <linux/errno.h>
34#include <linux/kernel.h>
1da177e4
LT		 35#include <linux/sched.h>
36#include <linux/slab.h>
37#include <linux/poll.h>
38#include <linux/fcntl.h>
39#include <linux/init.h>
40#include <linux/interrupt.h>
41#include <linux/socket.h>
42#include <linux/skbuff.h>
1da177e4 43#include <linux/list.h>
be9d1227 44#include <linux/device.h>
aef7d97c
MH		 45#include <linux/debugfs.h>
46#include <linux/seq_file.h>
af05b30b 47#include <linux/uaccess.h>
fcc203c3 48#include <linux/crc16.h>
1da177e4
LT		 49#include <net/sock.h>
50
51#include <asm/system.h>
1da177e4
LT		 52#include <asm/unaligned.h>
53
54#include <net/bluetooth/bluetooth.h>
55#include <net/bluetooth/hci_core.h>
56#include <net/bluetooth/l2cap.h>
57
bb58f747 58int disable_ertm;
f0709e03 59
47ec1dcd 60static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
e1027a7c 61static u8 l2cap_fixed_chan[8] = { 0x02, };
1da177e4 62
1890d36b
GP		 63static struct workqueue_struct *_busy_wq;
64
23691d75
GP		 65LIST_HEAD(chan_list);
66DEFINE_RWLOCK(chan_list_lock);
1da177e4 67
1890d36b
GP		 68static void l2cap_busy_work(struct work_struct *work);
69
1da177e4
LT		 70static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
71 u8 code, u8 ident, u16 dlen, void *data);
4519de9a
GP		 72static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
73 void *data);
710f9b0a 74static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
4519de9a
GP		 75static void l2cap_send_disconn_req(struct l2cap_conn *conn,
76 struct l2cap_chan *chan, int err);
1da177e4 77
218bb9df
GP		 78static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb);
79
0139418c 80/* ---- L2CAP channels ---- */
baa7e1fa 81static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
0139418c 82{
48454079 83 struct l2cap_chan *c;
baa7e1fa
GP		 84
85 list_for_each_entry(c, &conn->chan_l, list) {
fe4128e0 86 if (c->dcid == cid)
baa7e1fa 87 return c;
0139418c 88 }
baa7e1fa
GP		 89 return NULL;
90
0139418c
MH		 91}
92
baa7e1fa 93static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 94{
48454079 95 struct l2cap_chan *c;
baa7e1fa
GP		 96
97 list_for_each_entry(c, &conn->chan_l, list) {
fe4128e0 98 if (c->scid == cid)
baa7e1fa 99 return c;
0139418c 100 }
baa7e1fa 101 return NULL;
0139418c
MH		 102}
103
104/* Find channel with given SCID.
105 * Returns locked socket */
baa7e1fa 106static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 107{
48454079 108 struct l2cap_chan *c;
baa7e1fa
GP		 109
110 read_lock(&conn->chan_lock);
111 c = __l2cap_get_chan_by_scid(conn, cid);
48454079
GP		 112 if (c)
113 bh_lock_sock(c->sk);
baa7e1fa 114 read_unlock(&conn->chan_lock);
48454079 115 return c;
0139418c
MH		 116}
117
baa7e1fa 118static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 119{
48454079 120 struct l2cap_chan *c;
baa7e1fa
GP		 121
122 list_for_each_entry(c, &conn->chan_l, list) {
fc7f8a7e 123 if (c->ident == ident)
baa7e1fa 124 return c;
0139418c 125 }
baa7e1fa 126 return NULL;
0139418c
MH		 127}
128
baa7e1fa 129static inline struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 130{
48454079 131 struct l2cap_chan *c;
baa7e1fa
GP		 132
133 read_lock(&conn->chan_lock);
134 c = __l2cap_get_chan_by_ident(conn, ident);
48454079
GP		 135 if (c)
136 bh_lock_sock(c->sk);
baa7e1fa 137 read_unlock(&conn->chan_lock);
48454079 138 return c;
0139418c
MH		 139}
140
23691d75 141static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 142{
23691d75 143 struct l2cap_chan *c;
9e4425ff 144
23691d75
GP		 145 list_for_each_entry(c, &chan_list, global_l) {
146 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
9e4425ff
GP		 147 goto found;
148 }
149
23691d75 150 c = NULL;
9e4425ff 151found:
23691d75 152 return c;
9e4425ff
GP		 153}
154
155int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
156{
73b2ec18
GP		 157 int err;
158
23691d75 159 write_lock_bh(&chan_list_lock);
9e4425ff 160
23691d75 161 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 162 err = -EADDRINUSE;
163 goto done;
9e4425ff
GP		 164 }
165
73b2ec18
GP		 166 if (psm) {
167 chan->psm = psm;
168 chan->sport = psm;
169 err = 0;
170 } else {
171 u16 p;
172
173 err = -EINVAL;
174 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 175 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 176 chan->psm = cpu_to_le16(p);
177 chan->sport = cpu_to_le16(p);
178 err = 0;
179 break;
180 }
181 }
9e4425ff 182
73b2ec18 183done:
23691d75 184 write_unlock_bh(&chan_list_lock);
73b2ec18 185 return err;
9e4425ff
GP		 186}
187
188int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
189{
23691d75 190 write_lock_bh(&chan_list_lock);
9e4425ff
GP		 191
192 chan->scid = scid;
193
23691d75 194 write_unlock_bh(&chan_list_lock);
9e4425ff
GP		 195
196 return 0;
197}
198
baa7e1fa 199static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 200{
8db4dc46 201 u16 cid = L2CAP_CID_DYN_START;
0139418c 202
8db4dc46 203 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 204 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 205 return cid;
206 }
207
208 return 0;
209}
210
ab07801d
GP		 211static void l2cap_chan_set_timer(struct l2cap_chan *chan, long timeout)
212{
213 BT_DBG("chan %p state %d timeout %ld", chan->sk, chan->sk->sk_state,
214 timeout);
215 if (!mod_timer(&chan->chan_timer, jiffies + timeout))
216 sock_hold(chan->sk);
217}
218
500698d3 219static void l2cap_chan_clear_timer(struct l2cap_chan *chan)
ab07801d
GP		 220{
221 BT_DBG("chan %p state %d", chan, chan->sk->sk_state);
222
223 if (timer_pending(&chan->chan_timer) && del_timer(&chan->chan_timer))
224 __sock_put(chan->sk);
225}
226
227static void l2cap_chan_timeout(unsigned long arg)
228{
229 struct l2cap_chan *chan = (struct l2cap_chan *) arg;
230 struct sock *sk = chan->sk;
231 int reason;
232
233 BT_DBG("chan %p state %d", chan, sk->sk_state);
234
235 bh_lock_sock(sk);
236
237 if (sock_owned_by_user(sk)) {
238 /* sk is owned by user. Try again later */
239 l2cap_chan_set_timer(chan, HZ / 5);
240 bh_unlock_sock(sk);
241 sock_put(sk);
242 return;
243 }
244
245 if (sk->sk_state == BT_CONNECTED || sk->sk_state == BT_CONFIG)
246 reason = ECONNREFUSED;
247 else if (sk->sk_state == BT_CONNECT &&
248 chan->sec_level != BT_SECURITY_SDP)
249 reason = ECONNREFUSED;
250 else
251 reason = ETIMEDOUT;
252
253 __l2cap_chan_close(chan, reason);
254
255 bh_unlock_sock(sk);
256
257 l2cap_sock_kill(sk);
258 sock_put(sk);
259}
260
23691d75 261struct l2cap_chan *l2cap_chan_create(struct sock *sk)
48454079
GP		 262{
263 struct l2cap_chan *chan;
264
265 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
266 if (!chan)
267 return NULL;
268
269 chan->sk = sk;
270
23691d75
GP		 271 write_lock_bh(&chan_list_lock);
272 list_add(&chan->global_l, &chan_list);
273 write_unlock_bh(&chan_list_lock);
274
ab07801d
GP		 275 setup_timer(&chan->chan_timer, l2cap_chan_timeout, (unsigned long) chan);
276
48454079
GP		 277 return chan;
278}
279
23691d75 280void l2cap_chan_destroy(struct l2cap_chan *chan)
6ff5abbf 281{
23691d75
GP		 282 write_lock_bh(&chan_list_lock);
283 list_del(&chan->global_l);
284 write_unlock_bh(&chan_list_lock);
285
6ff5abbf
GP		 286 kfree(chan);
287}
288
48454079 289static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 290{
48454079 291 struct sock *sk = chan->sk;
0139418c 292
af05b30b 293 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
fe4128e0 294 chan->psm, chan->dcid);
0139418c 295
2950f21a
MH		 296 conn->disc_reason = 0x13;
297
8c1d787b 298 chan->conn = conn;
0139418c 299
715ec005 300 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
b62f328b
VT		 301 if (conn->hcon->type == LE_LINK) {
302 /* LE connection */
0c1bc5c6 303 chan->omtu = L2CAP_LE_DEFAULT_MTU;
fe4128e0
GP		 304 chan->scid = L2CAP_CID_LE_DATA;
305 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 306 } else {
307 /* Alloc CID for connection-oriented socket */
fe4128e0 308 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 309 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 310 }
715ec005 311 } else if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
0139418c 312 /* Connectionless socket */
fe4128e0
GP		 313 chan->scid = L2CAP_CID_CONN_LESS;
314 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 315 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 316 } else {
317 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 318 chan->scid = L2CAP_CID_SIGNALING;
319 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 320 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 321 }
322
baa7e1fa
GP		 323 sock_hold(sk);
324
325 list_add(&chan->list, &conn->chan_l);
0139418c
MH		 326}
327
8e87d142 328/* Delete channel.
0139418c 329 * Must be called on the locked socket. */
4519de9a 330static void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 331{
48454079 332 struct sock *sk = chan->sk;
8c1d787b 333 struct l2cap_conn *conn = chan->conn;
0139418c
MH		 334 struct sock *parent = bt_sk(sk)->parent;
335
ab07801d 336 l2cap_chan_clear_timer(chan);
0139418c 337
49208c9c 338 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 339
8e87d142 340 if (conn) {
baa7e1fa
GP		 341 /* Delete from channel list */
342 write_lock_bh(&conn->chan_lock);
343 list_del(&chan->list);
344 write_unlock_bh(&conn->chan_lock);
345 __sock_put(sk);
346
8c1d787b 347 chan->conn = NULL;
0139418c
MH		 348 hci_conn_put(conn->hcon);
349 }
350
b1235d79 351 sk->sk_state = BT_CLOSED;
0139418c
MH		 352 sock_set_flag(sk, SOCK_ZAPPED);
353
354 if (err)
355 sk->sk_err = err;
356
357 if (parent) {
358 bt_accept_unlink(sk);
359 parent->sk_data_ready(parent, 0);
360 } else
361 sk->sk_state_change(sk);
c13ffa62 362
b4450035
GP		 363 if (!(chan->conf_state & L2CAP_CONF_OUTPUT_DONE &&
364 chan->conf_state & L2CAP_CONF_INPUT_DONE))
6ff5abbf 365 return;
2ead70b8 366
58d35f87 367 skb_queue_purge(&chan->tx_q);
c13ffa62 368
0c1bc5c6 369 if (chan->mode == L2CAP_MODE_ERTM) {
c13ffa62
GP		 370 struct srej_list *l, *tmp;
371
e92c8e70
GP		 372 del_timer(&chan->retrans_timer);
373 del_timer(&chan->monitor_timer);
374 del_timer(&chan->ack_timer);
c13ffa62 375
f1c6775b
GP		 376 skb_queue_purge(&chan->srej_q);
377 skb_queue_purge(&chan->busy_q);
c13ffa62 378
39d5a3ee 379 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
c13ffa62
GP		 380 list_del(&l->list);
381 kfree(l);
382 }
383 }
0139418c
MH		 384}
385
4519de9a
GP		 386/* Must be called on unlocked socket. */
387static void l2cap_chan_close(struct sock *sk)
388{
ab07801d 389 l2cap_chan_clear_timer(l2cap_pi(sk)->chan);
4519de9a
GP		 390 lock_sock(sk);
391 __l2cap_chan_close(l2cap_pi(sk)->chan, ECONNRESET);
392 release_sock(sk);
393 l2cap_sock_kill(sk);
394}
395
396static void l2cap_chan_cleanup_listen(struct sock *parent)
397{
398 struct sock *sk;
399
400 BT_DBG("parent %p", parent);
401
402 /* Close not yet accepted channels */
403 while ((sk = bt_accept_dequeue(parent, NULL)))
404 l2cap_chan_close(sk);
405
406 parent->sk_state = BT_CLOSED;
407 sock_set_flag(parent, SOCK_ZAPPED);
408}
409
410void __l2cap_chan_close(struct l2cap_chan *chan, int reason)
411{
412 struct l2cap_conn *conn = chan->conn;
413 struct sock *sk = chan->sk;
414
415 BT_DBG("chan %p state %d socket %p", chan, sk->sk_state, sk->sk_socket);
416
417 switch (sk->sk_state) {
418 case BT_LISTEN:
419 l2cap_chan_cleanup_listen(sk);
420 break;
421
422 case BT_CONNECTED:
423 case BT_CONFIG:
715ec005 424 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a 425 conn->hcon->type == ACL_LINK) {
500698d3 426 l2cap_chan_clear_timer(chan);
ab07801d 427 l2cap_chan_set_timer(chan, sk->sk_sndtimeo);
4519de9a
GP		 428 l2cap_send_disconn_req(conn, chan, reason);
429 } else
430 l2cap_chan_del(chan, reason);
431 break;
432
433 case BT_CONNECT2:
715ec005 434 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a
GP		 435 conn->hcon->type == ACL_LINK) {
436 struct l2cap_conn_rsp rsp;
437 __u16 result;
438
439 if (bt_sk(sk)->defer_setup)
440 result = L2CAP_CR_SEC_BLOCK;
441 else
442 result = L2CAP_CR_BAD_PSM;
443
444 rsp.scid = cpu_to_le16(chan->dcid);
445 rsp.dcid = cpu_to_le16(chan->scid);
446 rsp.result = cpu_to_le16(result);
447 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
448 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
449 sizeof(rsp), &rsp);
450 }
451
452 l2cap_chan_del(chan, reason);
453 break;
454
455 case BT_CONNECT:
456 case BT_DISCONN:
457 l2cap_chan_del(chan, reason);
458 break;
459
460 default:
461 sock_set_flag(sk, SOCK_ZAPPED);
462 break;
463 }
464}
465
4343478f 466static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 467{
715ec005 468 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 469 switch (chan->sec_level) {
8556edd3
JH		 470 case BT_SECURITY_HIGH:
471 return HCI_AT_DEDICATED_BONDING_MITM;
472 case BT_SECURITY_MEDIUM:
473 return HCI_AT_DEDICATED_BONDING;
474 default:
475 return HCI_AT_NO_BONDING;
476 }
fe4128e0 477 } else if (chan->psm == cpu_to_le16(0x0001)) {
4343478f
GP		 478 if (chan->sec_level == BT_SECURITY_LOW)
479 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 480
4343478f 481 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 482 return HCI_AT_NO_BONDING_MITM;
00ae4af9 483 else
8556edd3 484 return HCI_AT_NO_BONDING;
00ae4af9 485 } else {
4343478f 486 switch (chan->sec_level) {
00ae4af9 487 case BT_SECURITY_HIGH:
8556edd3 488 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 489 case BT_SECURITY_MEDIUM:
8556edd3 490 return HCI_AT_GENERAL_BONDING;
00ae4af9 491 default:
8556edd3 492 return HCI_AT_NO_BONDING;
00ae4af9 493 }
0684e5f9 494 }
8556edd3
JH		 495}
496
497/* Service level security */
4343478f 498static inline int l2cap_check_security(struct l2cap_chan *chan)
8556edd3 499{
8c1d787b 500 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 501 __u8 auth_type;
502
4343478f 503 auth_type = l2cap_get_auth_type(chan);
79d554a6 504
4343478f 505 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 506}
507
68983259 508u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 509{
510 u8 id;
511
512 /* Get next available identificator.
513 * 1 - 128 are used by kernel.
514 * 129 - 199 are reserved.
515 * 200 - 254 are used by utilities like l2ping, etc.
516 */
517
518 spin_lock_bh(&conn->lock);
519
520 if (++conn->tx_ident > 128)
521 conn->tx_ident = 1;
522
523 id = conn->tx_ident;
524
525 spin_unlock_bh(&conn->lock);
526
527 return id;
528}
529
4519de9a 530static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
4e8402a3
MH		 531{
532 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 533 u8 flags;
4e8402a3
MH		 534
535 BT_DBG("code 0x%2.2x", code);
536
537 if (!skb)
9a9c6a34 538 return;
4e8402a3 539
e702112f
AE		 540 if (lmp_no_flush_capable(conn->hcon->hdev))
541 flags = ACL_START_NO_FLUSH;
542 else
543 flags = ACL_START;
544
545 hci_send_acl(conn->hcon, skb, flags);
4e8402a3
MH		 546}
547
525cd185 548static inline void l2cap_send_sframe(struct l2cap_chan *chan, u16 control)
1c2acffb
GP		 549{
550 struct sk_buff *skb;
551 struct l2cap_hdr *lh;
525cd185 552 struct l2cap_pinfo *pi = l2cap_pi(chan->sk);
8c1d787b 553 struct l2cap_conn *conn = chan->conn;
c13ffa62 554 struct sock *sk = (struct sock *)pi;
fcc203c3 555 int count, hlen = L2CAP_HDR_SIZE + 2;
e702112f 556 u8 flags;
fcc203c3 557
c13ffa62
GP		 558 if (sk->sk_state != BT_CONNECTED)
559 return;
560
47d1ec61 561 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3 562 hlen += 2;
1c2acffb 563
49208c9c 564 BT_DBG("chan %p, control 0x%2.2x", chan, control);
1c2acffb 565
fcc203c3 566 count = min_t(unsigned int, conn->mtu, hlen);
1c2acffb
GP		 567 control |= L2CAP_CTRL_FRAME_TYPE;
568
525cd185 569 if (chan->conn_state & L2CAP_CONN_SEND_FBIT) {
9e917af1 570 control |= L2CAP_CTRL_FINAL;
525cd185 571 chan->conn_state &= ~L2CAP_CONN_SEND_FBIT;
9e917af1
GP		 572 }
573
525cd185 574 if (chan->conn_state & L2CAP_CONN_SEND_PBIT) {
f0946ccf 575 control |= L2CAP_CTRL_POLL;
525cd185 576 chan->conn_state &= ~L2CAP_CONN_SEND_PBIT;
f0946ccf
GP		 577 }
578
1c2acffb
GP		 579 skb = bt_skb_alloc(count, GFP_ATOMIC);
580 if (!skb)
9a9c6a34 581 return;
1c2acffb
GP		 582
583 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fcc203c3 584 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
fe4128e0 585 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb
GP		 586 put_unaligned_le16(control, skb_put(skb, 2));
587
47d1ec61 588 if (chan->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 589 u16 fcs = crc16(0, (u8 *)lh, count - 2);
590 put_unaligned_le16(fcs, skb_put(skb, 2));
591 }
592
e702112f
AE		 593 if (lmp_no_flush_capable(conn->hcon->hdev))
594 flags = ACL_START_NO_FLUSH;
595 else
596 flags = ACL_START;
597
8c1d787b 598 hci_send_acl(chan->conn->hcon, skb, flags);
1c2acffb
GP		 599}
600
525cd185 601static inline void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, u16 control)
7e743090 602{
525cd185 603 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
7e743090 604 control |= L2CAP_SUPER_RCV_NOT_READY;
525cd185 605 chan->conn_state |= L2CAP_CONN_RNR_SENT;
1890d36b 606 } else
7e743090
GP		 607 control |= L2CAP_SUPER_RCV_READY;
608
42e5c802 609 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
2ab25cdd 610
525cd185 611 l2cap_send_sframe(chan, control);
7e743090
GP		 612}
613
b4450035 614static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 615{
b4450035 616 return !(chan->conf_state & L2CAP_CONF_CONNECT_PEND);
e501d055
AE		 617}
618
fc7f8a7e 619static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 620{
8c1d787b 621 struct l2cap_conn *conn = chan->conn;
79d554a6
MH		 622
623 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 624 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
625 return;
626
4343478f
GP		 627 if (l2cap_check_security(chan) &&
628 __l2cap_no_conn_pending(chan)) {
b1235d79 629 struct l2cap_conn_req req;
fe4128e0
GP		 630 req.scid = cpu_to_le16(chan->scid);
631 req.psm = chan->psm;
79d554a6 632
fc7f8a7e 633 chan->ident = l2cap_get_ident(conn);
b4450035 634 chan->conf_state |= L2CAP_CONF_CONNECT_PEND;
79d554a6 635
fc7f8a7e
GP		 636 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
637 sizeof(req), &req);
b1235d79 638 }
79d554a6
MH		 639 } else {
640 struct l2cap_info_req req;
641 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
642
643 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
644 conn->info_ident = l2cap_get_ident(conn);
645
646 mod_timer(&conn->info_timer, jiffies +
647 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
648
649 l2cap_send_cmd(conn, conn->info_ident,
650 L2CAP_INFO_REQ, sizeof(req), &req);
651 }
652}
653
cf6c2c0b
GP		 654static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
655{
656 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 657 if (!disable_ertm)
cf6c2c0b
GP		 658 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
659
660 switch (mode) {
661 case L2CAP_MODE_ERTM:
662 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
663 case L2CAP_MODE_STREAMING:
664 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
665 default:
666 return 0x00;
667 }
668}
669
4519de9a 670static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
22121fc9 671{
e92c8e70 672 struct sock *sk;
22121fc9
GP		 673 struct l2cap_disconn_req req;
674
c13ffa62
GP		 675 if (!conn)
676 return;
677
e92c8e70
GP		 678 sk = chan->sk;
679
0c1bc5c6 680 if (chan->mode == L2CAP_MODE_ERTM) {
e92c8e70
GP		 681 del_timer(&chan->retrans_timer);
682 del_timer(&chan->monitor_timer);
683 del_timer(&chan->ack_timer);
c13ffa62
GP		 684 }
685
fe4128e0
GP		 686 req.dcid = cpu_to_le16(chan->dcid);
687 req.scid = cpu_to_le16(chan->scid);
22121fc9
GP		 688 l2cap_send_cmd(conn, l2cap_get_ident(conn),
689 L2CAP_DISCONN_REQ, sizeof(req), &req);
c13ffa62
GP		 690
691 sk->sk_state = BT_DISCONN;
9b108fc0 692 sk->sk_err = err;
22121fc9
GP		 693}
694
1da177e4 695/* ---- L2CAP connections ---- */
4e8402a3
MH		 696static void l2cap_conn_start(struct l2cap_conn *conn)
697{
820ffdb3 698 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 699
700 BT_DBG("conn %p", conn);
701
baa7e1fa 702 read_lock(&conn->chan_lock);
4e8402a3 703
820ffdb3 704 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 705 struct sock *sk = chan->sk;
baa7e1fa 706
4e8402a3
MH		 707 bh_lock_sock(sk);
708
715ec005 709 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
79d554a6
MH		 710 bh_unlock_sock(sk);
711 continue;
712 }
713
714 if (sk->sk_state == BT_CONNECT) {
47731de7 715 struct l2cap_conn_req req;
79d554a6 716
4343478f 717 if (!l2cap_check_security(chan) ||
b4450035 718 !__l2cap_no_conn_pending(chan)) {
47731de7
GP		 719 bh_unlock_sock(sk);
720 continue;
721 }
79d554a6 722
0c1bc5c6 723 if (!l2cap_mode_supported(chan->mode,
47731de7 724 conn->feat_mask)
b4450035 725 && chan->conf_state &
47731de7 726 L2CAP_CONF_STATE2_DEVICE) {
4519de9a 727 /* __l2cap_chan_close() calls list_del(chan)
820ffdb3
GP		 728 * so release the lock */
729 read_unlock_bh(&conn->chan_lock);
4519de9a 730 __l2cap_chan_close(chan, ECONNRESET);
820ffdb3 731 read_lock_bh(&conn->chan_lock);
47731de7
GP		 732 bh_unlock_sock(sk);
733 continue;
b1235d79 734 }
47731de7 735
fe4128e0
GP		 736 req.scid = cpu_to_le16(chan->scid);
737 req.psm = chan->psm;
47731de7 738
fc7f8a7e 739 chan->ident = l2cap_get_ident(conn);
b4450035 740 chan->conf_state |= L2CAP_CONF_CONNECT_PEND;
47731de7 741
fc7f8a7e
GP		 742 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
743 sizeof(req), &req);
47731de7 744
79d554a6
MH		 745 } else if (sk->sk_state == BT_CONNECT2) {
746 struct l2cap_conn_rsp rsp;
e9aeb2dd 747 char buf[128];
fe4128e0
GP		 748 rsp.scid = cpu_to_le16(chan->dcid);
749 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 750
4343478f 751 if (l2cap_check_security(chan)) {
f66dc81f
MH		 752 if (bt_sk(sk)->defer_setup) {
753 struct sock *parent = bt_sk(sk)->parent;
754 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
755 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
756 parent->sk_data_ready(parent, 0);
757
758 } else {
759 sk->sk_state = BT_CONFIG;
760 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
761 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
762 }
79d554a6
MH		 763 } else {
764 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
765 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
766 }
767
fc7f8a7e
GP		 768 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
769 sizeof(rsp), &rsp);
e9aeb2dd 770
b4450035 771 if (chan->conf_state & L2CAP_CONF_REQ_SENT ||
e9aeb2dd
GP		 772 rsp.result != L2CAP_CR_SUCCESS) {
773 bh_unlock_sock(sk);
774 continue;
775 }
776
b4450035 777 chan->conf_state |= L2CAP_CONF_REQ_SENT;
e9aeb2dd 778 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 779 l2cap_build_conf_req(chan, buf), buf);
780 chan->num_conf_req++;
4e8402a3
MH		 781 }
782
783 bh_unlock_sock(sk);
784 }
785
baa7e1fa 786 read_unlock(&conn->chan_lock);
4e8402a3
MH		 787}
788
b62f328b
VT		 789/* Find socket with cid and source bdaddr.
790 * Returns closest match, locked.
791 */
23691d75 792static struct l2cap_chan *l2cap_global_chan_by_scid(int state, __le16 cid, bdaddr_t *src)
b62f328b 793{
23691d75 794 struct l2cap_chan *c, *c1 = NULL;
b62f328b 795
23691d75 796 read_lock(&chan_list_lock);
b62f328b 797
23691d75
GP		 798 list_for_each_entry(c, &chan_list, global_l) {
799 struct sock *sk = c->sk;
fe4128e0 800
b62f328b
VT		 801 if (state && sk->sk_state != state)
802 continue;
803
23691d75 804 if (c->scid == cid) {
b62f328b 805 /* Exact match. */
23691d75
GP		 806 if (!bacmp(&bt_sk(sk)->src, src)) {
807 read_unlock(&chan_list_lock);
808 return c;
809 }
b62f328b
VT		 810
811 /* Closest match */
812 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
23691d75 813 c1 = c;
b62f328b
VT		 814 }
815 }
280f294f 816
23691d75 817 read_unlock(&chan_list_lock);
b62f328b 818
23691d75 819 return c1;
b62f328b
VT		 820}
821
822static void l2cap_le_conn_ready(struct l2cap_conn *conn)
823{
c916fbe4 824 struct sock *parent, *sk;
23691d75 825 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 826
827 BT_DBG("");
828
829 /* Check if we have socket listening on cid */
23691d75 830 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
b62f328b 831 conn->src);
23691d75 832 if (!pchan)
b62f328b
VT		 833 return;
834
23691d75
GP		 835 parent = pchan->sk;
836
62f3a2cf
GP		 837 bh_lock_sock(parent);
838
b62f328b
VT		 839 /* Check for backlog size */
840 if (sk_acceptq_is_full(parent)) {
841 BT_DBG("backlog full %d", parent->sk_ack_backlog);
842 goto clean;
843 }
844
845 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP, GFP_ATOMIC);
846 if (!sk)
847 goto clean;
848
23691d75 849 chan = l2cap_chan_create(sk);
48454079
GP		 850 if (!chan) {
851 l2cap_sock_kill(sk);
852 goto clean;
853 }
854
5d41ce1d
GP		 855 l2cap_pi(sk)->chan = chan;
856
baa7e1fa 857 write_lock_bh(&conn->chan_lock);
b62f328b
VT		 858
859 hci_conn_hold(conn->hcon);
860
861 l2cap_sock_init(sk, parent);
baa7e1fa 862
b62f328b
VT		 863 bacpy(&bt_sk(sk)->src, conn->src);
864 bacpy(&bt_sk(sk)->dst, conn->dst);
865
d1010240
GP		 866 bt_accept_enqueue(parent, sk);
867
48454079
GP		 868 __l2cap_chan_add(conn, chan);
869
ab07801d 870 l2cap_chan_set_timer(chan, sk->sk_sndtimeo);
b62f328b
VT		 871
872 sk->sk_state = BT_CONNECTED;
873 parent->sk_data_ready(parent, 0);
874
baa7e1fa 875 write_unlock_bh(&conn->chan_lock);
b62f328b
VT		 876
877clean:
878 bh_unlock_sock(parent);
879}
880
4e8402a3
MH		 881static void l2cap_conn_ready(struct l2cap_conn *conn)
882{
48454079 883 struct l2cap_chan *chan;
4e8402a3 884
79d554a6 885 BT_DBG("conn %p", conn);
4e8402a3 886
b62f328b
VT		 887 if (!conn->hcon->out && conn->hcon->type == LE_LINK)
888 l2cap_le_conn_ready(conn);
889
baa7e1fa 890 read_lock(&conn->chan_lock);
4e8402a3 891
baa7e1fa 892 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 893 struct sock *sk = chan->sk;
baa7e1fa 894
79d554a6 895 bh_lock_sock(sk);
4e8402a3 896
acd7d370 897 if (conn->hcon->type == LE_LINK) {
ab07801d 898 l2cap_chan_clear_timer(chan);
acd7d370
VT		 899 sk->sk_state = BT_CONNECTED;
900 sk->sk_state_change(sk);
901 }
902
715ec005 903 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
ab07801d 904 l2cap_chan_clear_timer(chan);
79d554a6
MH		 905 sk->sk_state = BT_CONNECTED;
906 sk->sk_state_change(sk);
907 } else if (sk->sk_state == BT_CONNECT)
fc7f8a7e 908 l2cap_do_start(chan);
4e8402a3 909
79d554a6 910 bh_unlock_sock(sk);
4e8402a3 911 }
79d554a6 912
baa7e1fa 913 read_unlock(&conn->chan_lock);
4e8402a3
MH		 914}
915
916/* Notify sockets that we cannot guaranty reliability anymore */
917static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
918{
48454079 919 struct l2cap_chan *chan;
4e8402a3
MH		 920
921 BT_DBG("conn %p", conn);
922
baa7e1fa 923 read_lock(&conn->chan_lock);
4e8402a3 924
baa7e1fa 925 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 926 struct sock *sk = chan->sk;
baa7e1fa 927
4343478f 928 if (chan->force_reliable)
4e8402a3
MH		 929 sk->sk_err = err;
930 }
931
baa7e1fa 932 read_unlock(&conn->chan_lock);
4e8402a3
MH		 933}
934
935static void l2cap_info_timeout(unsigned long arg)
936{
937 struct l2cap_conn *conn = (void *) arg;
938
984947dc 939 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 940 conn->info_ident = 0;
984947dc 941
4e8402a3
MH		 942 l2cap_conn_start(conn);
943}
944
1da177e4
LT		 945static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
946{
0139418c 947 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4 948
0139418c 949 if (conn || status)
1da177e4
LT		 950 return conn;
951
0139418c
MH		 952 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
953 if (!conn)
1da177e4 954 return NULL;
1da177e4
LT		 955
956 hcon->l2cap_data = conn;
957 conn->hcon = hcon;
958
0139418c
MH		 959 BT_DBG("hcon %p conn %p", hcon, conn);
960
acd7d370
VT		 961 if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
962 conn->mtu = hcon->hdev->le_mtu;
963 else
964 conn->mtu = hcon->hdev->acl_mtu;
965
1da177e4
LT		 966 conn->src = &hcon->hdev->bdaddr;
967 conn->dst = &hcon->dst;
968
4e8402a3
MH		 969 conn->feat_mask = 0;
970
1da177e4 971 spin_lock_init(&conn->lock);
baa7e1fa
GP		 972 rwlock_init(&conn->chan_lock);
973
974 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 975
b62f328b
VT		 976 if (hcon->type != LE_LINK)
977 setup_timer(&conn->info_timer, l2cap_info_timeout,
45054dc1
DY		 978 (unsigned long) conn);
979
2950f21a
MH		 980 conn->disc_reason = 0x13;
981
1da177e4
LT		 982 return conn;
983}
984
0139418c 985static void l2cap_conn_del(struct hci_conn *hcon, int err)
1da177e4 986{
0139418c 987 struct l2cap_conn *conn = hcon->l2cap_data;
baa7e1fa 988 struct l2cap_chan *chan, *l;
1da177e4
LT		 989 struct sock *sk;
990
0139418c
MH		 991 if (!conn)
992 return;
1da177e4
LT		 993
994 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
995
7585b97a 996 kfree_skb(conn->rx_skb);
1da177e4
LT		 997
998 /* Kill channels */
baa7e1fa 999 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
48454079 1000 sk = chan->sk;
1da177e4 1001 bh_lock_sock(sk);
48454079 1002 l2cap_chan_del(chan, err);
1da177e4
LT		 1003 bh_unlock_sock(sk);
1004 l2cap_sock_kill(sk);
1005 }
1006
8e8440f5
DY		 1007 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1008 del_timer_sync(&conn->info_timer);
3ab22731 1009
1da177e4
LT		 1010 hcon->l2cap_data = NULL;
1011 kfree(conn);
1da177e4
LT		 1012}
1013
48454079 1014static inline void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
1da177e4 1015{
baa7e1fa 1016 write_lock_bh(&conn->chan_lock);
48454079 1017 __l2cap_chan_add(conn, chan);
baa7e1fa 1018 write_unlock_bh(&conn->chan_lock);
1da177e4
LT		 1019}
1020
1da177e4 1021/* ---- Socket interface ---- */
1da177e4
LT		 1022
1023/* Find socket with psm and source bdaddr.
1024 * Returns closest match.
1025 */
23691d75 1026static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm, bdaddr_t *src)
1da177e4 1027{
23691d75 1028 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1029
23691d75 1030 read_lock(&chan_list_lock);
e0f0cb56 1031
23691d75
GP		 1032 list_for_each_entry(c, &chan_list, global_l) {
1033 struct sock *sk = c->sk;
fe4128e0 1034
1da177e4
LT		 1035 if (state && sk->sk_state != state)
1036 continue;
1037
23691d75 1038 if (c->psm == psm) {
1da177e4 1039 /* Exact match. */
23691d75 1040 if (!bacmp(&bt_sk(sk)->src, src)) {
a7567b20 1041 read_unlock(&chan_list_lock);
23691d75
GP		 1042 return c;
1043 }
1da177e4
LT		 1044
1045 /* Closest match */
1046 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
23691d75 1047 c1 = c;
1da177e4
LT		 1048 }
1049 }
1da177e4 1050
23691d75 1051 read_unlock(&chan_list_lock);
e0f0cb56 1052
23691d75 1053 return c1;
1da177e4
LT		 1054}
1055
77a74c7e 1056int l2cap_chan_connect(struct l2cap_chan *chan)
1da177e4 1057{
5d41ce1d 1058 struct sock *sk = chan->sk;
1da177e4
LT		 1059 bdaddr_t *src = &bt_sk(sk)->src;
1060 bdaddr_t *dst = &bt_sk(sk)->dst;
1061 struct l2cap_conn *conn;
1062 struct hci_conn *hcon;
1063 struct hci_dev *hdev;
09ab6f4c 1064 __u8 auth_type;
44d0e48e 1065 int err;
1da177e4 1066
f29972de 1067 BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
fe4128e0 1068 chan->psm);
1da177e4 1069
af05b30b
GP		 1070 hdev = hci_get_route(dst, src);
1071 if (!hdev)
1da177e4
LT		 1072 return -EHOSTUNREACH;
1073
1074 hci_dev_lock_bh(hdev);
1075
4343478f 1076 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1077
fe4128e0 1078 if (chan->dcid == L2CAP_CID_LE_DATA)
acd7d370 1079 hcon = hci_connect(hdev, LE_LINK, dst,
4343478f 1080 chan->sec_level, auth_type);
acd7d370
VT		 1081 else
1082 hcon = hci_connect(hdev, ACL_LINK, dst,
4343478f 1083 chan->sec_level, auth_type);
acd7d370 1084
30e76272
VT		 1085 if (IS_ERR(hcon)) {
1086 err = PTR_ERR(hcon);
1da177e4 1087 goto done;
30e76272 1088 }
1da177e4
LT		 1089
1090 conn = l2cap_conn_add(hcon, 0);
1091 if (!conn) {
1092 hci_conn_put(hcon);
30e76272 1093 err = -ENOMEM;
1da177e4
LT		 1094 goto done;
1095 }
1096
1da177e4
LT		 1097 /* Update source addr of the socket */
1098 bacpy(src, conn->src);
1099
48454079
GP		 1100 l2cap_chan_add(conn, chan);
1101
1da177e4 1102 sk->sk_state = BT_CONNECT;
ab07801d 1103 l2cap_chan_set_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1104
1105 if (hcon->state == BT_CONNECTED) {
715ec005 1106 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
ab07801d 1107 l2cap_chan_clear_timer(chan);
4343478f 1108 if (l2cap_check_security(chan))
d00ef24f 1109 sk->sk_state = BT_CONNECTED;
79d554a6 1110 } else
fc7f8a7e 1111 l2cap_do_start(chan);
1da177e4
LT		 1112 }
1113
30e76272
VT		 1114 err = 0;
1115
1da177e4
LT		 1116done:
1117 hci_dev_unlock_bh(hdev);
1118 hci_dev_put(hdev);
1119 return err;
1120}
1121
dcba0dba 1122int __l2cap_wait_ack(struct sock *sk)
6161c038 1123{
8c1d787b 1124 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1125 DECLARE_WAITQUEUE(wait, current);
1126 int err = 0;
1127 int timeo = HZ/5;
1128
2b0b05dd 1129 add_wait_queue(sk_sleep(sk), &wait);
8c1d787b 1130 while ((chan->unacked_frames > 0 && chan->conn)) {
6161c038
GP		 1131 set_current_state(TASK_INTERRUPTIBLE);
1132
1133 if (!timeo)
1134 timeo = HZ/5;
1135
1136 if (signal_pending(current)) {
1137 err = sock_intr_errno(timeo);
1138 break;
1139 }
1140
1141 release_sock(sk);
1142 timeo = schedule_timeout(timeo);
1143 lock_sock(sk);
1144
1145 err = sock_error(sk);
1146 if (err)
1147 break;
1148 }
1149 set_current_state(TASK_RUNNING);
2b0b05dd 1150 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1151 return err;
1152}
1153
e90bac06
GP		 1154static void l2cap_monitor_timeout(unsigned long arg)
1155{
525cd185
GP		 1156 struct l2cap_chan *chan = (void *) arg;
1157 struct sock *sk = chan->sk;
e90bac06 1158
525cd185 1159 BT_DBG("chan %p", chan);
0e98958d 1160
e686219a 1161 bh_lock_sock(sk);
2c03a7a4 1162 if (chan->retry_count >= chan->remote_max_tx) {
8c1d787b 1163 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
b13f5860 1164 bh_unlock_sock(sk);
e90bac06
GP		 1165 return;
1166 }
1167
6a026610 1168 chan->retry_count++;
e90bac06
GP		 1169 __mod_monitor_timer();
1170
525cd185 1171 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
e686219a 1172 bh_unlock_sock(sk);
e90bac06
GP		 1173}
1174
1175static void l2cap_retrans_timeout(unsigned long arg)
1176{
525cd185
GP		 1177 struct l2cap_chan *chan = (void *) arg;
1178 struct sock *sk = chan->sk;
e90bac06 1179
49208c9c 1180 BT_DBG("chan %p", chan);
0e98958d 1181
e686219a 1182 bh_lock_sock(sk);
6a026610 1183 chan->retry_count = 1;
e90bac06
GP		 1184 __mod_monitor_timer();
1185
525cd185 1186 chan->conn_state |= L2CAP_CONN_WAIT_F;
e90bac06 1187
525cd185 1188 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
e686219a 1189 bh_unlock_sock(sk);
e90bac06
GP		 1190}
1191
42e5c802 1192static void l2cap_drop_acked_frames(struct l2cap_chan *chan)
1da177e4 1193{
1c2acffb 1194 struct sk_buff *skb;
1da177e4 1195
58d35f87 1196 while ((skb = skb_peek(&chan->tx_q)) &&
6a026610 1197 chan->unacked_frames) {
42e5c802 1198 if (bt_cb(skb)->tx_seq == chan->expected_ack_seq)
1c2acffb 1199 break;
1da177e4 1200
58d35f87 1201 skb = skb_dequeue(&chan->tx_q);
1c2acffb 1202 kfree_skb(skb);
1da177e4 1203
6a026610 1204 chan->unacked_frames--;
1c2acffb 1205 }
1da177e4 1206
6a026610 1207 if (!chan->unacked_frames)
e92c8e70 1208 del_timer(&chan->retrans_timer);
1c2acffb 1209}
1da177e4 1210
4343478f 1211void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
1c2acffb 1212{
8c1d787b 1213 struct hci_conn *hcon = chan->conn->hcon;
e702112f 1214 u16 flags;
1c2acffb 1215
4343478f 1216 BT_DBG("chan %p, skb %p len %d", chan, skb, skb->len);
1da177e4 1217
4343478f 1218 if (!chan->flushable && lmp_no_flush_capable(hcon->hdev))
e702112f
AE		 1219 flags = ACL_START_NO_FLUSH;
1220 else
1221 flags = ACL_START;
1222
1223 hci_send_acl(hcon, skb, flags);
1c2acffb
GP		 1224}
1225
42e5c802 1226void l2cap_streaming_send(struct l2cap_chan *chan)
6840ed07 1227{
ccbb84af 1228 struct sk_buff *skb;
fcc203c3 1229 u16 control, fcs;
6840ed07 1230
58d35f87 1231 while ((skb = skb_dequeue(&chan->tx_q))) {
ccbb84af 1232 control = get_unaligned_le16(skb->data + L2CAP_HDR_SIZE);
42e5c802 1233 control |= chan->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT;
ccbb84af 1234 put_unaligned_le16(control, skb->data + L2CAP_HDR_SIZE);
6840ed07 1235
47d1ec61 1236 if (chan->fcs == L2CAP_FCS_CRC16) {
ccbb84af
GP		 1237 fcs = crc16(0, (u8 *)skb->data, skb->len - 2);
1238 put_unaligned_le16(fcs, skb->data + skb->len - 2);
fcc203c3
GP		 1239 }
1240
4343478f 1241 l2cap_do_send(chan, skb);
6840ed07 1242
42e5c802 1243 chan->next_tx_seq = (chan->next_tx_seq + 1) % 64;
6840ed07 1244 }
6840ed07
GP		 1245}
1246
525cd185 1247static void l2cap_retransmit_one_frame(struct l2cap_chan *chan, u8 tx_seq)
8f17154f 1248{
8f17154f
GP		 1249 struct sk_buff *skb, *tx_skb;
1250 u16 control, fcs;
8f17154f 1251
58d35f87 1252 skb = skb_peek(&chan->tx_q);
f11d676d
GP		 1253 if (!skb)
1254 return;
8f17154f 1255
f11d676d
GP		 1256 do {
1257 if (bt_cb(skb)->tx_seq == tx_seq)
8f17154f 1258 break;
8f17154f 1259
58d35f87 1260 if (skb_queue_is_last(&chan->tx_q, skb))
f11d676d 1261 return;
8f17154f 1262
58d35f87 1263 } while ((skb = skb_queue_next(&chan->tx_q, skb)));
8f17154f 1264
2c03a7a4
GP		 1265 if (chan->remote_max_tx &&
1266 bt_cb(skb)->retries == chan->remote_max_tx) {
8c1d787b 1267 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
f11d676d
GP		 1268 return;
1269 }
1270
1271 tx_skb = skb_clone(skb, GFP_ATOMIC);
1272 bt_cb(skb)->retries++;
1273 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
a429b519 1274 control &= L2CAP_CTRL_SAR;
3cb123d1 1275
525cd185 1276 if (chan->conn_state & L2CAP_CONN_SEND_FBIT) {
3cb123d1 1277 control |= L2CAP_CTRL_FINAL;
525cd185 1278 chan->conn_state &= ~L2CAP_CONN_SEND_FBIT;
3cb123d1 1279 }
95ffa978 1280
42e5c802 1281 control |= (chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
f11d676d 1282 | (tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
3cb123d1 1283
f11d676d
GP		 1284 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1285
47d1ec61 1286 if (chan->fcs == L2CAP_FCS_CRC16) {
f11d676d
GP		 1287 fcs = crc16(0, (u8 *)tx_skb->data, tx_skb->len - 2);
1288 put_unaligned_le16(fcs, tx_skb->data + tx_skb->len - 2);
1289 }
1290
4343478f 1291 l2cap_do_send(chan, tx_skb);
8f17154f
GP		 1292}
1293
525cd185 1294int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1295{
1296 struct sk_buff *skb, *tx_skb;
525cd185 1297 struct sock *sk = chan->sk;
fcc203c3 1298 u16 control, fcs;
9a9c6a34 1299 int nsent = 0;
1c2acffb 1300
c13ffa62
GP		 1301 if (sk->sk_state != BT_CONNECTED)
1302 return -ENOTCONN;
e90bac06 1303
58d35f87 1304 while ((skb = chan->tx_send_head) && (!l2cap_tx_window_full(chan))) {
1c2acffb 1305
2c03a7a4
GP		 1306 if (chan->remote_max_tx &&
1307 bt_cb(skb)->retries == chan->remote_max_tx) {
8c1d787b 1308 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
e90bac06
GP		 1309 break;
1310 }
1311
e420aba3
AE		 1312 tx_skb = skb_clone(skb, GFP_ATOMIC);
1313
e90bac06
GP		 1314 bt_cb(skb)->retries++;
1315
1c2acffb 1316 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
95ffa978
GP		 1317 control &= L2CAP_CTRL_SAR;
1318
525cd185 1319 if (chan->conn_state & L2CAP_CONN_SEND_FBIT) {
d5392c8f 1320 control |= L2CAP_CTRL_FINAL;
525cd185 1321 chan->conn_state &= ~L2CAP_CONN_SEND_FBIT;
d5392c8f 1322 }
42e5c802
GP		 1323 control |= (chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1324 | (chan->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
1c2acffb
GP		 1325 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1326
e90bac06 1327
47d1ec61 1328 if (chan->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 1329 fcs = crc16(0, (u8 *)skb->data, tx_skb->len - 2);
1330 put_unaligned_le16(fcs, skb->data + tx_skb->len - 2);
1331 }
1332
4343478f 1333 l2cap_do_send(chan, tx_skb);
9a9c6a34 1334
e90bac06 1335 __mod_retrans_timer();
1c2acffb 1336
42e5c802
GP		 1337 bt_cb(skb)->tx_seq = chan->next_tx_seq;
1338 chan->next_tx_seq = (chan->next_tx_seq + 1) % 64;
1c2acffb 1339
23e9fde2 1340 if (bt_cb(skb)->retries == 1)
6a026610 1341 chan->unacked_frames++;
23e9fde2 1342
6a026610 1343 chan->frames_sent++;
1c2acffb 1344
58d35f87
GP		 1345 if (skb_queue_is_last(&chan->tx_q, skb))
1346 chan->tx_send_head = NULL;
1c2acffb 1347 else
58d35f87 1348 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
9e917af1
GP		 1349
1350 nsent++;
1c2acffb
GP		 1351 }
1352
9e917af1
GP		 1353 return nsent;
1354}
1355
525cd185 1356static int l2cap_retransmit_frames(struct l2cap_chan *chan)
dfc909be 1357{
dfc909be
GP		 1358 int ret;
1359
58d35f87
GP		 1360 if (!skb_queue_empty(&chan->tx_q))
1361 chan->tx_send_head = chan->tx_q.next;
dfc909be 1362
42e5c802 1363 chan->next_tx_seq = chan->expected_ack_seq;
525cd185 1364 ret = l2cap_ertm_send(chan);
dfc909be
GP		 1365 return ret;
1366}
1367
525cd185 1368static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 1369{
9e917af1
GP		 1370 u16 control = 0;
1371
42e5c802 1372 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
9e917af1 1373
525cd185 1374 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
9e917af1 1375 control |= L2CAP_SUPER_RCV_NOT_READY;
525cd185
GP		 1376 chan->conn_state |= L2CAP_CONN_RNR_SENT;
1377 l2cap_send_sframe(chan, control);
9a9c6a34 1378 return;
9e917af1 1379 }
dfc909be 1380
525cd185 1381 if (l2cap_ertm_send(chan) > 0)
dfc909be
GP		 1382 return;
1383
1384 control |= L2CAP_SUPER_RCV_READY;
525cd185 1385 l2cap_send_sframe(chan, control);
1c2acffb
GP		 1386}
1387
525cd185 1388static void l2cap_send_srejtail(struct l2cap_chan *chan)
99b0d4b7
GP		 1389{
1390 struct srej_list *tail;
1391 u16 control;
1392
1393 control = L2CAP_SUPER_SELECT_REJECT;
1394 control |= L2CAP_CTRL_FINAL;
1395
39d5a3ee 1396 tail = list_entry((&chan->srej_l)->prev, struct srej_list, list);
99b0d4b7
GP		 1397 control |= tail->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1398
525cd185 1399 l2cap_send_sframe(chan, control);
99b0d4b7
GP		 1400}
1401
1c2acffb
GP		 1402static inline int l2cap_skbuff_fromiovec(struct sock *sk, struct msghdr *msg, int len, int count, struct sk_buff *skb)
1403{
8c1d787b 1404 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
1c2acffb
GP		 1405 struct sk_buff **frag;
1406 int err, sent = 0;
1da177e4 1407
59203a21 1408 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1409 return -EFAULT;
1da177e4
LT		 1410
1411 sent += count;
1412 len -= count;
1413
1414 /* Continuation fragments (no L2CAP header) */
1415 frag = &skb_shinfo(skb)->frag_list;
1416 while (len) {
1417 count = min_t(unsigned int, conn->mtu, len);
1418
1419 *frag = bt_skb_send_alloc(sk, count, msg->msg_flags & MSG_DONTWAIT, &err);
1420 if (!*frag)
0175d629 1421 return err;
1c2acffb
GP		 1422 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1423 return -EFAULT;
1da177e4
LT		 1424
1425 sent += count;
1426 len -= count;
1427
1428 frag = &(*frag)->next;
1429 }
1da177e4
LT		 1430
1431 return sent;
1c2acffb 1432}
1da177e4 1433
fe4128e0 1434struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1c2acffb 1435{
fe4128e0 1436 struct sock *sk = chan->sk;
8c1d787b 1437 struct l2cap_conn *conn = chan->conn;
1c2acffb
GP		 1438 struct sk_buff *skb;
1439 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1440 struct l2cap_hdr *lh;
1441
1442 BT_DBG("sk %p len %d", sk, (int)len);
1443
1444 count = min_t(unsigned int, (conn->mtu - hlen), len);
1445 skb = bt_skb_send_alloc(sk, count + hlen,
1446 msg->msg_flags & MSG_DONTWAIT, &err);
1447 if (!skb)
0175d629 1448 return ERR_PTR(err);
1c2acffb
GP		 1449
1450 /* Create L2CAP header */
1451 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1452 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 1453 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
fe4128e0 1454 put_unaligned_le16(chan->psm, skb_put(skb, 2));
1c2acffb
GP		 1455
1456 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1457 if (unlikely(err < 0)) {
1458 kfree_skb(skb);
1459 return ERR_PTR(err);
1460 }
1461 return skb;
1462}
1463
fe4128e0 1464struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1c2acffb 1465{
fe4128e0 1466 struct sock *sk = chan->sk;
8c1d787b 1467 struct l2cap_conn *conn = chan->conn;
1c2acffb
GP		 1468 struct sk_buff *skb;
1469 int err, count, hlen = L2CAP_HDR_SIZE;
1470 struct l2cap_hdr *lh;
1471
1472 BT_DBG("sk %p len %d", sk, (int)len);
1473
1474 count = min_t(unsigned int, (conn->mtu - hlen), len);
1475 skb = bt_skb_send_alloc(sk, count + hlen,
1476 msg->msg_flags & MSG_DONTWAIT, &err);
1477 if (!skb)
0175d629 1478 return ERR_PTR(err);
1c2acffb
GP		 1479
1480 /* Create L2CAP header */
1481 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1482 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb
GP		 1483 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1484
1485 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1486 if (unlikely(err < 0)) {
1487 kfree_skb(skb);
1488 return ERR_PTR(err);
1489 }
1490 return skb;
1491}
1492
47d1ec61 1493struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len, u16 control, u16 sdulen)
1c2acffb 1494{
47d1ec61 1495 struct sock *sk = chan->sk;
8c1d787b 1496 struct l2cap_conn *conn = chan->conn;
1c2acffb
GP		 1497 struct sk_buff *skb;
1498 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1499 struct l2cap_hdr *lh;
1500
1501 BT_DBG("sk %p len %d", sk, (int)len);
1502
0ee0d208
GP		 1503 if (!conn)
1504 return ERR_PTR(-ENOTCONN);
1505
c74e560c
GP		 1506 if (sdulen)
1507 hlen += 2;
1508
47d1ec61 1509 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3
GP		 1510 hlen += 2;
1511
1c2acffb
GP		 1512 count = min_t(unsigned int, (conn->mtu - hlen), len);
1513 skb = bt_skb_send_alloc(sk, count + hlen,
1514 msg->msg_flags & MSG_DONTWAIT, &err);
1515 if (!skb)
0175d629 1516 return ERR_PTR(err);
1c2acffb
GP		 1517
1518 /* Create L2CAP header */
1519 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1520 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb
GP		 1521 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1522 put_unaligned_le16(control, skb_put(skb, 2));
c74e560c
GP		 1523 if (sdulen)
1524 put_unaligned_le16(sdulen, skb_put(skb, 2));
1c2acffb
GP		 1525
1526 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1527 if (unlikely(err < 0)) {
1528 kfree_skb(skb);
1529 return ERR_PTR(err);
1530 }
e90bac06 1531
47d1ec61 1532 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3
GP		 1533 put_unaligned_le16(0, skb_put(skb, 2));
1534
e90bac06 1535 bt_cb(skb)->retries = 0;
1c2acffb 1536 return skb;
1da177e4
LT		 1537}
1538
2c03a7a4 1539int l2cap_sar_segment_sdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
c74e560c 1540{
c74e560c
GP		 1541 struct sk_buff *skb;
1542 struct sk_buff_head sar_queue;
1543 u16 control;
1544 size_t size = 0;
1545
ff12fd64 1546 skb_queue_head_init(&sar_queue);
c74e560c 1547 control = L2CAP_SDU_START;
47d1ec61 1548 skb = l2cap_create_iframe_pdu(chan, msg, chan->remote_mps, control, len);
c74e560c
GP		 1549 if (IS_ERR(skb))
1550 return PTR_ERR(skb);
1551
1552 __skb_queue_tail(&sar_queue, skb);
2c03a7a4
GP		 1553 len -= chan->remote_mps;
1554 size += chan->remote_mps;
c74e560c
GP		 1555
1556 while (len > 0) {
1557 size_t buflen;
1558
2c03a7a4 1559 if (len > chan->remote_mps) {
44651b85 1560 control = L2CAP_SDU_CONTINUE;
2c03a7a4 1561 buflen = chan->remote_mps;
c74e560c 1562 } else {
44651b85 1563 control = L2CAP_SDU_END;
c74e560c
GP		 1564 buflen = len;
1565 }
1566
47d1ec61 1567 skb = l2cap_create_iframe_pdu(chan, msg, buflen, control, 0);
c74e560c
GP		 1568 if (IS_ERR(skb)) {
1569 skb_queue_purge(&sar_queue);
1570 return PTR_ERR(skb);
1571 }
1572
1573 __skb_queue_tail(&sar_queue, skb);
1574 len -= buflen;
1575 size += buflen;
c74e560c 1576 }
58d35f87
GP		 1577 skb_queue_splice_tail(&sar_queue, &chan->tx_q);
1578 if (chan->tx_send_head == NULL)
1579 chan->tx_send_head = sar_queue.next;
c74e560c
GP		 1580
1581 return size;
1582}
1583
9a91a04a
GP		 1584int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1585{
9a91a04a
GP		 1586 struct sk_buff *skb;
1587 u16 control;
1588 int err;
1589
1590 /* Connectionless channel */
715ec005 1591 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
9a91a04a
GP		 1592 skb = l2cap_create_connless_pdu(chan, msg, len);
1593 if (IS_ERR(skb))
1594 return PTR_ERR(skb);
1595
1596 l2cap_do_send(chan, skb);
1597 return len;
1598 }
1599
1600 switch (chan->mode) {
1601 case L2CAP_MODE_BASIC:
1602 /* Check outgoing MTU */
1603 if (len > chan->omtu)
1604 return -EMSGSIZE;
1605
1606 /* Create a basic PDU */
1607 skb = l2cap_create_basic_pdu(chan, msg, len);
1608 if (IS_ERR(skb))
1609 return PTR_ERR(skb);
1610
1611 l2cap_do_send(chan, skb);
1612 err = len;
1613 break;
1614
1615 case L2CAP_MODE_ERTM:
1616 case L2CAP_MODE_STREAMING:
1617 /* Entire SDU fits into one PDU */
1618 if (len <= chan->remote_mps) {
1619 control = L2CAP_SDU_UNSEGMENTED;
1620 skb = l2cap_create_iframe_pdu(chan, msg, len, control,
1621 0);
1622 if (IS_ERR(skb))
1623 return PTR_ERR(skb);
1624
1625 __skb_queue_tail(&chan->tx_q, skb);
1626
1627 if (chan->tx_send_head == NULL)
1628 chan->tx_send_head = skb;
1629
1630 } else {
1631 /* Segment SDU into multiples PDUs */
1632 err = l2cap_sar_segment_sdu(chan, msg, len);
1633 if (err < 0)
1634 return err;
1635 }
1636
1637 if (chan->mode == L2CAP_MODE_STREAMING) {
1638 l2cap_streaming_send(chan);
1639 err = len;
1640 break;
1641 }
1642
1643 if ((chan->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
1644 (chan->conn_state & L2CAP_CONN_WAIT_F)) {
1645 err = len;
1646 break;
1647 }
1648
1649 err = l2cap_ertm_send(chan);
1650 if (err >= 0)
1651 err = len;
1652
1653 break;
1654
1655 default:
1656 BT_DBG("bad state %1.1x", chan->mode);
1657 err = -EBADFD;
1658 }
1659
1660 return err;
1661}
1662
1da177e4
LT		 1663static void l2cap_chan_ready(struct sock *sk)
1664{
1665 struct sock *parent = bt_sk(sk)->parent;
b4450035 1666 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1da177e4
LT		 1667
1668 BT_DBG("sk %p, parent %p", sk, parent);
1669
b4450035 1670 chan->conf_state = 0;
ab07801d 1671 l2cap_chan_clear_timer(chan);
1da177e4
LT		 1672
1673 if (!parent) {
1674 /* Outgoing channel.
1675 * Wake up socket sleeping on connect.
1676 */
1677 sk->sk_state = BT_CONNECTED;
1678 sk->sk_state_change(sk);
1679 } else {
1680 /* Incoming channel.
1681 * Wake up socket sleeping on accept.
1682 */
1683 parent->sk_data_ready(parent, 0);
1684 }
1685}
1686
1687/* Copy frame to all raw sockets on that connection */
1688static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
1689{
1da177e4 1690 struct sk_buff *nskb;
48454079 1691 struct l2cap_chan *chan;
1da177e4
LT		 1692
1693 BT_DBG("conn %p", conn);
1694
baa7e1fa
GP		 1695 read_lock(&conn->chan_lock);
1696 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 1697 struct sock *sk = chan->sk;
715ec005 1698 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 1699 continue;
1700
1701 /* Don't send frame to the socket it came from */
1702 if (skb->sk == sk)
1703 continue;
af05b30b
GP		 1704 nskb = skb_clone(skb, GFP_ATOMIC);
1705 if (!nskb)
1da177e4
LT		 1706 continue;
1707
1708 if (sock_queue_rcv_skb(sk, nskb))
1709 kfree_skb(nskb);
1710 }
baa7e1fa 1711 read_unlock(&conn->chan_lock);
1da177e4
LT		 1712}
1713
1714/* ---- L2CAP signalling commands ---- */
1715static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
1716 u8 code, u8 ident, u16 dlen, void *data)
1717{
1718 struct sk_buff *skb, **frag;
1719 struct l2cap_cmd_hdr *cmd;
1720 struct l2cap_hdr *lh;
1721 int len, count;
1722
af05b30b
GP		 1723 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
1724 conn, code, ident, dlen);
1da177e4
LT		 1725
1726 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
1727 count = min_t(unsigned int, conn->mtu, len);
1728
1729 skb = bt_skb_alloc(count, GFP_ATOMIC);
1730 if (!skb)
1731 return NULL;
1732
1733 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 1734 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 1735
1736 if (conn->hcon->type == LE_LINK)
1737 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
1738 else
1739 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 1740
1741 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
1742 cmd->code = code;
1743 cmd->ident = ident;
aca3192c 1744 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 1745
1746 if (dlen) {
1747 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
1748 memcpy(skb_put(skb, count), data, count);
1749 data += count;
1750 }
1751
1752 len -= skb->len;
1753
1754 /* Continuation fragments (no L2CAP header) */
1755 frag = &skb_shinfo(skb)->frag_list;
1756 while (len) {
1757 count = min_t(unsigned int, conn->mtu, len);
1758
1759 *frag = bt_skb_alloc(count, GFP_ATOMIC);
1760 if (!*frag)
1761 goto fail;
1762
1763 memcpy(skb_put(*frag, count), data, count);
1764
1765 len -= count;
1766 data += count;
1767
1768 frag = &(*frag)->next;
1769 }
1770
1771 return skb;
1772
1773fail:
1774 kfree_skb(skb);
1775 return NULL;
1776}
1777
1778static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
1779{
1780 struct l2cap_conf_opt *opt = *ptr;
1781 int len;
1782
1783 len = L2CAP_CONF_OPT_SIZE + opt->len;
1784 *ptr += len;
1785
1786 *type = opt->type;
1787 *olen = opt->len;
1788
1789 switch (opt->len) {
1790 case 1:
1791 *val = *((u8 *) opt->val);
1792 break;
1793
1794 case 2:
bfaaeb3e 1795 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 1796 break;
1797
1798 case 4:
bfaaeb3e 1799 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 1800 break;
1801
1802 default:
1803 *val = (unsigned long) opt->val;
1804 break;
1805 }
1806
1807 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
1808 return len;
1809}
1810
1da177e4
LT		 1811static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
1812{
1813 struct l2cap_conf_opt *opt = *ptr;
1814
1815 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
1816
1817 opt->type = type;
1818 opt->len = len;
1819
1820 switch (len) {
1821 case 1:
1822 *((u8 *) opt->val) = val;
1823 break;
1824
1825 case 2:
4f8b691c 1826 put_unaligned_le16(val, opt->val);
1da177e4
LT		 1827 break;
1828
1829 case 4:
4f8b691c 1830 put_unaligned_le32(val, opt->val);
1da177e4
LT		 1831 break;
1832
1833 default:
1834 memcpy(opt->val, (void *) val, len);
1835 break;
1836 }
1837
1838 *ptr += L2CAP_CONF_OPT_SIZE + len;
1839}
1840
c1b4f43b
GP		 1841static void l2cap_ack_timeout(unsigned long arg)
1842{
525cd185 1843 struct l2cap_chan *chan = (void *) arg;
c1b4f43b 1844
525cd185
GP		 1845 bh_lock_sock(chan->sk);
1846 l2cap_send_ack(chan);
1847 bh_unlock_sock(chan->sk);
c1b4f43b
GP		 1848}
1849
525cd185 1850static inline void l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 1851{
525cd185
GP		 1852 struct sock *sk = chan->sk;
1853
42e5c802 1854 chan->expected_ack_seq = 0;
6a026610 1855 chan->unacked_frames = 0;
42e5c802 1856 chan->buffer_seq = 0;
6a026610
GP		 1857 chan->num_acked = 0;
1858 chan->frames_sent = 0;
0565c1c2 1859
e92c8e70
GP		 1860 setup_timer(&chan->retrans_timer, l2cap_retrans_timeout,
1861 (unsigned long) chan);
1862 setup_timer(&chan->monitor_timer, l2cap_monitor_timeout,
1863 (unsigned long) chan);
1864 setup_timer(&chan->ack_timer, l2cap_ack_timeout, (unsigned long) chan);
0565c1c2 1865
f1c6775b
GP		 1866 skb_queue_head_init(&chan->srej_q);
1867 skb_queue_head_init(&chan->busy_q);
1890d36b 1868
39d5a3ee
GP		 1869 INIT_LIST_HEAD(&chan->srej_l);
1870
311bb895 1871 INIT_WORK(&chan->busy_work, l2cap_busy_work);
218bb9df
GP		 1872
1873 sk->sk_backlog_rcv = l2cap_ertm_data_rcv;
0565c1c2
GP		 1874}
1875
f2fcfcd6
GP		 1876static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
1877{
1878 switch (mode) {
1879 case L2CAP_MODE_STREAMING:
1880 case L2CAP_MODE_ERTM:
1881 if (l2cap_mode_supported(mode, remote_feat_mask))
1882 return mode;
1883 /* fall through */
1884 default:
1885 return L2CAP_MODE_BASIC;
1886 }
1887}
1888
710f9b0a 1889static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 1890{
1da177e4 1891 struct l2cap_conf_req *req = data;
0c1bc5c6 1892 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4
LT		 1893 void *ptr = req->data;
1894
49208c9c 1895 BT_DBG("chan %p", chan);
1da177e4 1896
73ffa904 1897 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 1898 goto done;
1899
0c1bc5c6 1900 switch (chan->mode) {
f2fcfcd6
GP		 1901 case L2CAP_MODE_STREAMING:
1902 case L2CAP_MODE_ERTM:
b4450035 1903 if (chan->conf_state & L2CAP_CONF_STATE2_DEVICE)
85eb53c6 1904 break;
85eb53c6 1905
2ba13ed6 1906 /* fall through */
f2fcfcd6 1907 default:
8c1d787b 1908 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 1909 break;
1910 }
1911
1912done:
0c1bc5c6
GP		 1913 if (chan->imtu != L2CAP_DEFAULT_MTU)
1914 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 1915
0c1bc5c6 1916 switch (chan->mode) {
65c7c491 1917 case L2CAP_MODE_BASIC:
8c1d787b
GP		 1918 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
1919 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 1920 break;
1921
62547752
GP		 1922 rfc.mode = L2CAP_MODE_BASIC;
1923 rfc.txwin_size = 0;
1924 rfc.max_transmit = 0;
1925 rfc.retrans_timeout = 0;
1926 rfc.monitor_timeout = 0;
1927 rfc.max_pdu_size = 0;
1928
63406504
GP		 1929 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
1930 (unsigned long) &rfc);
65c7c491
MH		 1931 break;
1932
1933 case L2CAP_MODE_ERTM:
1934 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61
GP		 1935 rfc.txwin_size = chan->tx_win;
1936 rfc.max_transmit = chan->max_tx;
f2fcfcd6
GP		 1937 rfc.retrans_timeout = 0;
1938 rfc.monitor_timeout = 0;
c74e560c 1939 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
8c1d787b
GP		 1940 if (L2CAP_DEFAULT_MAX_PDU_SIZE > chan->conn->mtu - 10)
1941 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
f2fcfcd6 1942
63406504
GP		 1943 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
1944 (unsigned long) &rfc);
1945
8c1d787b 1946 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 1947 break;
1948
47d1ec61 1949 if (chan->fcs == L2CAP_FCS_NONE ||
b4450035 1950 chan->conf_state & L2CAP_CONF_NO_FCS_RECV) {
47d1ec61
GP		 1951 chan->fcs = L2CAP_FCS_NONE;
1952 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 1953 }
f2fcfcd6
GP		 1954 break;
1955
1956 case L2CAP_MODE_STREAMING:
1957 rfc.mode = L2CAP_MODE_STREAMING;
1958 rfc.txwin_size = 0;
1959 rfc.max_transmit = 0;
1960 rfc.retrans_timeout = 0;
1961 rfc.monitor_timeout = 0;
c74e560c 1962 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
8c1d787b
GP		 1963 if (L2CAP_DEFAULT_MAX_PDU_SIZE > chan->conn->mtu - 10)
1964 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
65c7c491 1965
63406504
GP		 1966 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
1967 (unsigned long) &rfc);
1968
8c1d787b 1969 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 1970 break;
1971
47d1ec61 1972 if (chan->fcs == L2CAP_FCS_NONE ||
b4450035 1973 chan->conf_state & L2CAP_CONF_NO_FCS_RECV) {
47d1ec61
GP		 1974 chan->fcs = L2CAP_FCS_NONE;
1975 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 1976 }
65c7c491
MH		 1977 break;
1978 }
1da177e4 1979
fe4128e0 1980 req->dcid = cpu_to_le16(chan->dcid);
aca3192c 1981 req->flags = cpu_to_le16(0);
1da177e4
LT		 1982
1983 return ptr - data;
1984}
1985
73ffa904 1986static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 1987{
5dee9e7c
MH		 1988 struct l2cap_conf_rsp *rsp = data;
1989 void *ptr = rsp->data;
73ffa904
GP		 1990 void *req = chan->conf_req;
1991 int len = chan->conf_len;
5dee9e7c
MH		 1992 int type, hint, olen;
1993 unsigned long val;
6464f35f 1994 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
861d6882 1995 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 1996 u16 result = L2CAP_CONF_SUCCESS;
1da177e4 1997
73ffa904 1998 BT_DBG("chan %p", chan);
820ae1b8 1999
5dee9e7c
MH		 2000 while (len >= L2CAP_CONF_OPT_SIZE) {
2001 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 2002
589d2746 2003 hint = type & L2CAP_CONF_HINT;
47ec1dcd 2004 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 2005
2006 switch (type) {
2007 case L2CAP_CONF_MTU:
861d6882 2008 mtu = val;
5dee9e7c
MH		 2009 break;
2010
2011 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2012 chan->flush_to = val;
5dee9e7c
MH		 2013 break;
2014
2015 case L2CAP_CONF_QOS:
2016 break;
2017
6464f35f
MH		 2018 case L2CAP_CONF_RFC:
2019 if (olen == sizeof(rfc))
2020 memcpy(&rfc, (void *) val, olen);
2021 break;
2022
fcc203c3
GP		 2023 case L2CAP_CONF_FCS:
2024 if (val == L2CAP_FCS_NONE)
b4450035 2025 chan->conf_state |= L2CAP_CONF_NO_FCS_RECV;
fcc203c3
GP		 2026
2027 break;
2028
5dee9e7c
MH		 2029 default:
2030 if (hint)
2031 break;
2032
2033 result = L2CAP_CONF_UNKNOWN;
2034 *((u8 *) ptr++) = type;
2035 break;
2036 }
2037 }
2038
73ffa904 2039 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 2040 goto done;
2041
0c1bc5c6 2042 switch (chan->mode) {
f2fcfcd6
GP		 2043 case L2CAP_MODE_STREAMING:
2044 case L2CAP_MODE_ERTM:
b4450035 2045 if (!(chan->conf_state & L2CAP_CONF_STATE2_DEVICE)) {
0c1bc5c6 2046 chan->mode = l2cap_select_mode(rfc.mode,
8c1d787b 2047 chan->conn->feat_mask);
85eb53c6
GP		 2048 break;
2049 }
2050
0c1bc5c6 2051 if (chan->mode != rfc.mode)
f2fcfcd6 2052 return -ECONNREFUSED;
742e519b 2053
f2fcfcd6 2054 break;
f2fcfcd6
GP		 2055 }
2056
2057done:
0c1bc5c6 2058 if (chan->mode != rfc.mode) {
f2fcfcd6 2059 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2060 rfc.mode = chan->mode;
f2fcfcd6 2061
73ffa904 2062 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 2063 return -ECONNREFUSED;
2064
2065 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2066 sizeof(rfc), (unsigned long) &rfc);
2067 }
2068
2069
5dee9e7c
MH		 2070 if (result == L2CAP_CONF_SUCCESS) {
2071 /* Configure output options and let the other side know
2072 * which ones we don't like. */
2073
f2fcfcd6
GP		 2074 if (mtu < L2CAP_DEFAULT_MIN_MTU)
2075 result = L2CAP_CONF_UNACCEPT;
2076 else {
0c1bc5c6 2077 chan->omtu = mtu;
b4450035 2078 chan->conf_state |= L2CAP_CONF_MTU_DONE;
f2fcfcd6 2079 }
0c1bc5c6 2080 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 2081
f2fcfcd6
GP		 2082 switch (rfc.mode) {
2083 case L2CAP_MODE_BASIC:
47d1ec61 2084 chan->fcs = L2CAP_FCS_NONE;
b4450035 2085 chan->conf_state |= L2CAP_CONF_MODE_DONE;
f2fcfcd6
GP		 2086 break;
2087
2088 case L2CAP_MODE_ERTM:
2c03a7a4
GP		 2089 chan->remote_tx_win = rfc.txwin_size;
2090 chan->remote_max_tx = rfc.max_transmit;
86b1b263 2091
8c1d787b
GP		 2092 if (le16_to_cpu(rfc.max_pdu_size) > chan->conn->mtu - 10)
2093 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
1c762159 2094
2c03a7a4 2095 chan->remote_mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6 2096
10467e9e
GP		 2097 rfc.retrans_timeout =
2098 le16_to_cpu(L2CAP_DEFAULT_RETRANS_TO);
2099 rfc.monitor_timeout =
2100 le16_to_cpu(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6 2101
b4450035 2102 chan->conf_state |= L2CAP_CONF_MODE_DONE;
68ae6639
GP		 2103
2104 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2105 sizeof(rfc), (unsigned long) &rfc);
2106
f2fcfcd6
GP		 2107 break;
2108
2109 case L2CAP_MODE_STREAMING:
8c1d787b
GP		 2110 if (le16_to_cpu(rfc.max_pdu_size) > chan->conn->mtu - 10)
2111 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
1c762159 2112
2c03a7a4 2113 chan->remote_mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6 2114
b4450035 2115 chan->conf_state |= L2CAP_CONF_MODE_DONE;
68ae6639
GP		 2116
2117 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2118 sizeof(rfc), (unsigned long) &rfc);
2119
f2fcfcd6
GP		 2120 break;
2121
2122 default:
5dee9e7c 2123 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 2124
6464f35f 2125 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 2126 rfc.mode = chan->mode;
f2fcfcd6 2127 }
6464f35f 2128
f2fcfcd6 2129 if (result == L2CAP_CONF_SUCCESS)
b4450035 2130 chan->conf_state |= L2CAP_CONF_OUTPUT_DONE;
f2fcfcd6 2131 }
fe4128e0 2132 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c
MH		 2133 rsp->result = cpu_to_le16(result);
2134 rsp->flags = cpu_to_le16(0x0000);
2135
2136 return ptr - data;
1da177e4
LT		 2137}
2138
b4450035 2139static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
f2fcfcd6 2140{
f2fcfcd6
GP		 2141 struct l2cap_conf_req *req = data;
2142 void *ptr = req->data;
2143 int type, olen;
2144 unsigned long val;
2145 struct l2cap_conf_rfc rfc;
2146
fe4128e0 2147 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 2148
2149 while (len >= L2CAP_CONF_OPT_SIZE) {
2150 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2151
2152 switch (type) {
2153 case L2CAP_CONF_MTU:
2154 if (val < L2CAP_DEFAULT_MIN_MTU) {
2155 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2156 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 2157 } else
0c1bc5c6
GP		 2158 chan->imtu = val;
2159 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 2160 break;
2161
2162 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2163 chan->flush_to = val;
f2fcfcd6 2164 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
0c1bc5c6 2165 2, chan->flush_to);
f2fcfcd6
GP		 2166 break;
2167
2168 case L2CAP_CONF_RFC:
2169 if (olen == sizeof(rfc))
2170 memcpy(&rfc, (void *)val, olen);
2171
b4450035 2172 if ((chan->conf_state & L2CAP_CONF_STATE2_DEVICE) &&
0c1bc5c6 2173 rfc.mode != chan->mode)
f2fcfcd6
GP		 2174 return -ECONNREFUSED;
2175
47d1ec61 2176 chan->fcs = 0;
f2fcfcd6
GP		 2177
2178 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2179 sizeof(rfc), (unsigned long) &rfc);
2180 break;
2181 }
2182 }
2183
0c1bc5c6 2184 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 2185 return -ECONNREFUSED;
2186
0c1bc5c6 2187 chan->mode = rfc.mode;
6c2ea7a8 2188
f2fcfcd6
GP		 2189 if (*result == L2CAP_CONF_SUCCESS) {
2190 switch (rfc.mode) {
2191 case L2CAP_MODE_ERTM:
47d1ec61
GP		 2192 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2193 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2194 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2195 break;
2196 case L2CAP_MODE_STREAMING:
47d1ec61 2197 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2198 }
2199 }
2200
fe4128e0 2201 req->dcid = cpu_to_le16(chan->dcid);
f2fcfcd6
GP		 2202 req->flags = cpu_to_le16(0x0000);
2203
2204 return ptr - data;
2205}
2206
fe4128e0 2207static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
1da177e4
LT		 2208{
2209 struct l2cap_conf_rsp *rsp = data;
2210 void *ptr = rsp->data;
1da177e4 2211
fe4128e0 2212 BT_DBG("chan %p", chan);
1da177e4 2213
fe4128e0 2214 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 2215 rsp->result = cpu_to_le16(result);
aca3192c 2216 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 2217
2218 return ptr - data;
2219}
2220
8c1d787b 2221void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 2222{
2223 struct l2cap_conn_rsp rsp;
8c1d787b 2224 struct l2cap_conn *conn = chan->conn;
710f9b0a
GP		 2225 u8 buf[128];
2226
fe4128e0
GP		 2227 rsp.scid = cpu_to_le16(chan->dcid);
2228 rsp.dcid = cpu_to_le16(chan->scid);
710f9b0a
GP		 2229 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
2230 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
2231 l2cap_send_cmd(conn, chan->ident,
2232 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2233
b4450035 2234 if (chan->conf_state & L2CAP_CONF_REQ_SENT)
710f9b0a
GP		 2235 return;
2236
b4450035 2237 chan->conf_state |= L2CAP_CONF_REQ_SENT;
710f9b0a
GP		 2238 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2239 l2cap_build_conf_req(chan, buf), buf);
2240 chan->num_conf_req++;
2241}
2242
47d1ec61 2243static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 2244{
7b1c0049
GP		 2245 int type, olen;
2246 unsigned long val;
2247 struct l2cap_conf_rfc rfc;
2248
47d1ec61 2249 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 2250
0c1bc5c6 2251 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 2252 return;
2253
2254 while (len >= L2CAP_CONF_OPT_SIZE) {
2255 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2256
2257 switch (type) {
2258 case L2CAP_CONF_RFC:
2259 if (olen == sizeof(rfc))
2260 memcpy(&rfc, (void *)val, olen);
2261 goto done;
2262 }
2263 }
2264
2265done:
2266 switch (rfc.mode) {
2267 case L2CAP_MODE_ERTM:
47d1ec61
GP		 2268 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2269 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2270 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2271 break;
2272 case L2CAP_MODE_STREAMING:
47d1ec61 2273 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2274 }
2275}
2276
4e8402a3
MH		 2277static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2278{
2279 struct l2cap_cmd_rej *rej = (struct l2cap_cmd_rej *) data;
2280
2281 if (rej->reason != 0x0000)
2282 return 0;
2283
2284 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2285 cmd->ident == conn->info_ident) {
4e8402a3 2286 del_timer(&conn->info_timer);
984947dc
MH		 2287
2288 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2289 conn->info_ident = 0;
984947dc 2290
4e8402a3
MH		 2291 l2cap_conn_start(conn);
2292 }
2293
2294 return 0;
2295}
2296
1da177e4
LT		 2297static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2298{
1da177e4
LT		 2299 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
2300 struct l2cap_conn_rsp rsp;
23691d75 2301 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 2302 struct sock *parent, *sk = NULL;
e7c29cb1 2303 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2304
2305 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 2306 __le16 psm = req->psm;
1da177e4
LT		 2307
2308 BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
2309
2310 /* Check if we have socket listening on psm */
23691d75
GP		 2311 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src);
2312 if (!pchan) {
1da177e4
LT		 2313 result = L2CAP_CR_BAD_PSM;
2314 goto sendresp;
2315 }
2316
23691d75
GP		 2317 parent = pchan->sk;
2318
e0f0cb56
GP		 2319 bh_lock_sock(parent);
2320
e7c29cb1
MH		 2321 /* Check if the ACL is secure enough (if not SDP) */
2322 if (psm != cpu_to_le16(0x0001) &&
2323 !hci_conn_check_link_mode(conn->hcon)) {
2950f21a 2324 conn->disc_reason = 0x05;
e7c29cb1
MH		 2325 result = L2CAP_CR_SEC_BLOCK;
2326 goto response;
2327 }
2328
1da177e4
LT		 2329 result = L2CAP_CR_NO_MEM;
2330
2331 /* Check for backlog size */
2332 if (sk_acceptq_is_full(parent)) {
8e87d142 2333 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1da177e4
LT		 2334 goto response;
2335 }
2336
3b1e0a65 2337 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP, GFP_ATOMIC);
1da177e4
LT		 2338 if (!sk)
2339 goto response;
2340
23691d75 2341 chan = l2cap_chan_create(sk);
48454079
GP		 2342 if (!chan) {
2343 l2cap_sock_kill(sk);
2344 goto response;
2345 }
2346
5d41ce1d
GP		 2347 l2cap_pi(sk)->chan = chan;
2348
baa7e1fa 2349 write_lock_bh(&conn->chan_lock);
1da177e4
LT		 2350
2351 /* Check if we already have channel with that dcid */
baa7e1fa
GP		 2352 if (__l2cap_get_chan_by_dcid(conn, scid)) {
2353 write_unlock_bh(&conn->chan_lock);
1da177e4
LT		 2354 sock_set_flag(sk, SOCK_ZAPPED);
2355 l2cap_sock_kill(sk);
2356 goto response;
2357 }
2358
2359 hci_conn_hold(conn->hcon);
2360
2361 l2cap_sock_init(sk, parent);
2362 bacpy(&bt_sk(sk)->src, conn->src);
2363 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 2364 chan->psm = psm;
2365 chan->dcid = scid;
1da177e4 2366
d1010240
GP		 2367 bt_accept_enqueue(parent, sk);
2368
48454079
GP		 2369 __l2cap_chan_add(conn, chan);
2370
fe4128e0 2371 dcid = chan->scid;
1da177e4 2372
ab07801d 2373 l2cap_chan_set_timer(chan, sk->sk_sndtimeo);
1da177e4 2374
fc7f8a7e 2375 chan->ident = cmd->ident;
1da177e4 2376
984947dc 2377 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
4343478f 2378 if (l2cap_check_security(chan)) {
f66dc81f
MH		 2379 if (bt_sk(sk)->defer_setup) {
2380 sk->sk_state = BT_CONNECT2;
2381 result = L2CAP_CR_PEND;
2382 status = L2CAP_CS_AUTHOR_PEND;
2383 parent->sk_data_ready(parent, 0);
2384 } else {
2385 sk->sk_state = BT_CONFIG;
2386 result = L2CAP_CR_SUCCESS;
2387 status = L2CAP_CS_NO_INFO;
2388 }
79d554a6
MH		 2389 } else {
2390 sk->sk_state = BT_CONNECT2;
2391 result = L2CAP_CR_PEND;
2392 status = L2CAP_CS_AUTHEN_PEND;
2393 }
2394 } else {
2395 sk->sk_state = BT_CONNECT2;
2396 result = L2CAP_CR_PEND;
2397 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2398 }
2399
baa7e1fa 2400 write_unlock_bh(&conn->chan_lock);
1da177e4
LT		 2401
2402response:
2403 bh_unlock_sock(parent);
2404
2405sendresp:
aca3192c
YH		 2406 rsp.scid = cpu_to_le16(scid);
2407 rsp.dcid = cpu_to_le16(dcid);
2408 rsp.result = cpu_to_le16(result);
2409 rsp.status = cpu_to_le16(status);
1da177e4 2410 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 2411
2412 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
2413 struct l2cap_info_req info;
2414 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2415
2416 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
2417 conn->info_ident = l2cap_get_ident(conn);
2418
2419 mod_timer(&conn->info_timer, jiffies +
2420 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
2421
2422 l2cap_send_cmd(conn, conn->info_ident,
2423 L2CAP_INFO_REQ, sizeof(info), &info);
2424 }
2425
b4450035 2426 if (chan && !(chan->conf_state & L2CAP_CONF_REQ_SENT) &&
e9aeb2dd
GP		 2427 result == L2CAP_CR_SUCCESS) {
2428 u8 buf[128];
b4450035 2429 chan->conf_state |= L2CAP_CONF_REQ_SENT;
e9aeb2dd 2430 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2431 l2cap_build_conf_req(chan, buf), buf);
2432 chan->num_conf_req++;
e9aeb2dd
GP		 2433 }
2434
1da177e4
LT		 2435 return 0;
2436}
2437
2438static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2439{
2440 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
2441 u16 scid, dcid, result, status;
48454079 2442 struct l2cap_chan *chan;
1da177e4
LT		 2443 struct sock *sk;
2444 u8 req[128];
2445
2446 scid = __le16_to_cpu(rsp->scid);
2447 dcid = __le16_to_cpu(rsp->dcid);
2448 result = __le16_to_cpu(rsp->result);
2449 status = __le16_to_cpu(rsp->status);
2450
2451 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status);
2452
2453 if (scid) {
baa7e1fa 2454 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2455 if (!chan)
57d3b22b 2456 return -EFAULT;
1da177e4 2457 } else {
baa7e1fa 2458 chan = l2cap_get_chan_by_ident(conn, cmd->ident);
48454079 2459 if (!chan)
57d3b22b 2460 return -EFAULT;
1da177e4
LT		 2461 }
2462
48454079
GP		 2463 sk = chan->sk;
2464
1da177e4
LT		 2465 switch (result) {
2466 case L2CAP_CR_SUCCESS:
2467 sk->sk_state = BT_CONFIG;
fc7f8a7e 2468 chan->ident = 0;
fe4128e0 2469 chan->dcid = dcid;
b4450035 2470 chan->conf_state &= ~L2CAP_CONF_CONNECT_PEND;
6a8d3010 2471
b4450035 2472 if (chan->conf_state & L2CAP_CONF_REQ_SENT)
e9aeb2dd
GP		 2473 break;
2474
b4450035 2475 chan->conf_state |= L2CAP_CONF_REQ_SENT;
e9aeb2dd 2476
1da177e4 2477 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2478 l2cap_build_conf_req(chan, req), req);
2479 chan->num_conf_req++;
1da177e4
LT		 2480 break;
2481
2482 case L2CAP_CR_PEND:
b4450035 2483 chan->conf_state |= L2CAP_CONF_CONNECT_PEND;
1da177e4
LT		 2484 break;
2485
2486 default:
a49184c2
AE		 2487 /* don't delete l2cap channel if sk is owned by user */
2488 if (sock_owned_by_user(sk)) {
2489 sk->sk_state = BT_DISCONN;
ab07801d
GP		 2490 l2cap_chan_clear_timer(chan);
2491 l2cap_chan_set_timer(chan, HZ / 5);
a49184c2
AE		 2492 break;
2493 }
2494
48454079 2495 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 2496 break;
2497 }
2498
2499 bh_unlock_sock(sk);
2500 return 0;
2501}
2502
47d1ec61 2503static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60 2504{
47d1ec61
GP		 2505 struct l2cap_pinfo *pi = l2cap_pi(chan->sk);
2506
8c462b60
MM		 2507 /* FCS is enabled only in ERTM or streaming mode, if one or both
2508 * sides request it.
2509 */
0c1bc5c6 2510 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 2511 chan->fcs = L2CAP_FCS_NONE;
b4450035 2512 else if (!(pi->chan->conf_state & L2CAP_CONF_NO_FCS_RECV))
47d1ec61 2513 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 2514}
2515
88219a0f 2516static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 2517{
2518 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
2519 u16 dcid, flags;
2520 u8 rsp[64];
48454079 2521 struct l2cap_chan *chan;
1da177e4 2522 struct sock *sk;
5dee9e7c 2523 int len;
1da177e4
LT		 2524
2525 dcid = __le16_to_cpu(req->dcid);
2526 flags = __le16_to_cpu(req->flags);
2527
2528 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
2529
baa7e1fa 2530 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 2531 if (!chan)
1da177e4
LT		 2532 return -ENOENT;
2533
48454079
GP		 2534 sk = chan->sk;
2535
df6bd743
GP		 2536 if (sk->sk_state != BT_CONFIG) {
2537 struct l2cap_cmd_rej rej;
2538
2539 rej.reason = cpu_to_le16(0x0002);
2540 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
2541 sizeof(rej), &rej);
354f60a9 2542 goto unlock;
df6bd743 2543 }
354f60a9 2544
5dee9e7c 2545 /* Reject if config buffer is too small. */
88219a0f 2546 len = cmd_len - sizeof(*req);
73ffa904 2547 if (chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 2548 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 2549 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c
MH		 2550 L2CAP_CONF_REJECT, flags), rsp);
2551 goto unlock;
2552 }
2553
2554 /* Store config. */
73ffa904
GP		 2555 memcpy(chan->conf_req + chan->conf_len, req->data, len);
2556 chan->conf_len += len;
1da177e4
LT		 2557
2558 if (flags & 0x0001) {
2559 /* Incomplete config. Send empty response. */
2560 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 2561 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c 2562 L2CAP_CONF_SUCCESS, 0x0001), rsp);
1da177e4
LT		 2563 goto unlock;
2564 }
2565
2566 /* Complete config. */
73ffa904 2567 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 2568 if (len < 0) {
e92c8e70 2569 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4 2570 goto unlock;
f2fcfcd6 2571 }
1da177e4 2572
5dee9e7c 2573 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 2574 chan->num_conf_rsp++;
5dee9e7c 2575
5dee9e7c 2576 /* Reset config buffer. */
73ffa904 2577 chan->conf_len = 0;
5dee9e7c 2578
b4450035 2579 if (!(chan->conf_state & L2CAP_CONF_OUTPUT_DONE))
876d9484
MH		 2580 goto unlock;
2581
b4450035 2582 if (chan->conf_state & L2CAP_CONF_INPUT_DONE) {
47d1ec61 2583 set_default_fcs(chan);
fcc203c3 2584
1da177e4 2585 sk->sk_state = BT_CONNECTED;
e90bac06 2586
42e5c802
GP		 2587 chan->next_tx_seq = 0;
2588 chan->expected_tx_seq = 0;
58d35f87 2589 skb_queue_head_init(&chan->tx_q);
0c1bc5c6 2590 if (chan->mode == L2CAP_MODE_ERTM)
525cd185 2591 l2cap_ertm_init(chan);
0565c1c2 2592
1da177e4 2593 l2cap_chan_ready(sk);
876d9484
MH		 2594 goto unlock;
2595 }
2596
b4450035 2597 if (!(chan->conf_state & L2CAP_CONF_REQ_SENT)) {
79d554a6 2598 u8 buf[64];
b4450035 2599 chan->conf_state |= L2CAP_CONF_REQ_SENT;
1da177e4 2600 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2601 l2cap_build_conf_req(chan, buf), buf);
2602 chan->num_conf_req++;
1da177e4
LT		 2603 }
2604
2605unlock:
2606 bh_unlock_sock(sk);
2607 return 0;
2608}
2609
2610static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2611{
2612 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
2613 u16 scid, flags, result;
48454079 2614 struct l2cap_chan *chan;
1da177e4 2615 struct sock *sk;
7b1c0049 2616 int len = cmd->len - sizeof(*rsp);
1da177e4
LT		 2617
2618 scid = __le16_to_cpu(rsp->scid);
2619 flags = __le16_to_cpu(rsp->flags);
2620 result = __le16_to_cpu(rsp->result);
2621
af05b30b
GP		 2622 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x",
2623 scid, flags, result);
1da177e4 2624
baa7e1fa 2625 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2626 if (!chan)
1da177e4
LT		 2627 return 0;
2628
48454079
GP		 2629 sk = chan->sk;
2630
1da177e4
LT		 2631 switch (result) {
2632 case L2CAP_CONF_SUCCESS:
47d1ec61 2633 l2cap_conf_rfc_get(chan, rsp->data, len);
1da177e4
LT		 2634 break;
2635
2636 case L2CAP_CONF_UNACCEPT:
73ffa904 2637 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 2638 char req[64];
2639
c2c77ec8 2640 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
e92c8e70 2641 l2cap_send_disconn_req(conn, chan, ECONNRESET);
c2c77ec8
AE		 2642 goto done;
2643 }
2644
f2fcfcd6
GP		 2645 /* throw out any old stored conf requests */
2646 result = L2CAP_CONF_SUCCESS;
b4450035
GP		 2647 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2648 req, &result);
f2fcfcd6 2649 if (len < 0) {
e92c8e70 2650 l2cap_send_disconn_req(conn, chan, ECONNRESET);
f2fcfcd6
GP		 2651 goto done;
2652 }
2653
2654 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2655 L2CAP_CONF_REQ, len, req);
73ffa904 2656 chan->num_conf_req++;
f2fcfcd6
GP		 2657 if (result != L2CAP_CONF_SUCCESS)
2658 goto done;
2659 break;
1da177e4
LT		 2660 }
2661
8e87d142 2662 default:
b1235d79 2663 sk->sk_err = ECONNRESET;
ab07801d 2664 l2cap_chan_set_timer(chan, HZ * 5);
e92c8e70 2665 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4
LT		 2666 goto done;
2667 }
2668
2669 if (flags & 0x01)
2670 goto done;
2671
b4450035 2672 chan->conf_state |= L2CAP_CONF_INPUT_DONE;
1da177e4 2673
b4450035 2674 if (chan->conf_state & L2CAP_CONF_OUTPUT_DONE) {
47d1ec61 2675 set_default_fcs(chan);
fcc203c3 2676
1da177e4 2677 sk->sk_state = BT_CONNECTED;
42e5c802
GP		 2678 chan->next_tx_seq = 0;
2679 chan->expected_tx_seq = 0;
58d35f87 2680 skb_queue_head_init(&chan->tx_q);
0c1bc5c6 2681 if (chan->mode == L2CAP_MODE_ERTM)
525cd185 2682 l2cap_ertm_init(chan);
0565c1c2 2683
1da177e4
LT		 2684 l2cap_chan_ready(sk);
2685 }
2686
2687done:
2688 bh_unlock_sock(sk);
2689 return 0;
2690}
2691
2692static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2693{
2694 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
2695 struct l2cap_disconn_rsp rsp;
2696 u16 dcid, scid;
48454079 2697 struct l2cap_chan *chan;
1da177e4
LT		 2698 struct sock *sk;
2699
2700 scid = __le16_to_cpu(req->scid);
2701 dcid = __le16_to_cpu(req->dcid);
2702
2703 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
2704
baa7e1fa 2705 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 2706 if (!chan)
1da177e4
LT		 2707 return 0;
2708
48454079
GP		 2709 sk = chan->sk;
2710
fe4128e0
GP		 2711 rsp.dcid = cpu_to_le16(chan->scid);
2712 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 2713 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
2714
2715 sk->sk_shutdown = SHUTDOWN_MASK;
2716
a49184c2
AE		 2717 /* don't delete l2cap channel if sk is owned by user */
2718 if (sock_owned_by_user(sk)) {
2719 sk->sk_state = BT_DISCONN;
ab07801d
GP		 2720 l2cap_chan_clear_timer(chan);
2721 l2cap_chan_set_timer(chan, HZ / 5);
a49184c2
AE		 2722 bh_unlock_sock(sk);
2723 return 0;
2724 }
2725
48454079 2726 l2cap_chan_del(chan, ECONNRESET);
1da177e4
LT		 2727 bh_unlock_sock(sk);
2728
2729 l2cap_sock_kill(sk);
2730 return 0;
2731}
2732
2733static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2734{
2735 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
2736 u16 dcid, scid;
48454079 2737 struct l2cap_chan *chan;
1da177e4
LT		 2738 struct sock *sk;
2739
2740 scid = __le16_to_cpu(rsp->scid);
2741 dcid = __le16_to_cpu(rsp->dcid);
2742
2743 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
2744
baa7e1fa 2745 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2746 if (!chan)
1da177e4
LT		 2747 return 0;
2748
48454079
GP		 2749 sk = chan->sk;
2750
a49184c2
AE		 2751 /* don't delete l2cap channel if sk is owned by user */
2752 if (sock_owned_by_user(sk)) {
2753 sk->sk_state = BT_DISCONN;
ab07801d
GP		 2754 l2cap_chan_clear_timer(chan);
2755 l2cap_chan_set_timer(chan, HZ / 5);
a49184c2
AE		 2756 bh_unlock_sock(sk);
2757 return 0;
2758 }
2759
48454079 2760 l2cap_chan_del(chan, 0);
1da177e4
LT		 2761 bh_unlock_sock(sk);
2762
2763 l2cap_sock_kill(sk);
2764 return 0;
2765}
2766
2767static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2768{
2769 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 2770 u16 type;
2771
2772 type = __le16_to_cpu(req->type);
2773
2774 BT_DBG("type 0x%4.4x", type);
2775
f0709e03
MH		 2776 if (type == L2CAP_IT_FEAT_MASK) {
2777 u8 buf[8];
44dd46de 2778 u32 feat_mask = l2cap_feat_mask;
f0709e03
MH		 2779 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2780 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2781 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 2782 if (!disable_ertm)
fcc203c3
GP		 2783 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
2784 | L2CAP_FEAT_FCS;
1b7bf4ed 2785 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 2786 l2cap_send_cmd(conn, cmd->ident,
2787 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 2788 } else if (type == L2CAP_IT_FIXED_CHAN) {
2789 u8 buf[12];
2790 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2791 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2792 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
2793 memcpy(buf + 4, l2cap_fixed_chan, 8);
2794 l2cap_send_cmd(conn, cmd->ident,
2795 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 2796 } else {
2797 struct l2cap_info_rsp rsp;
2798 rsp.type = cpu_to_le16(type);
2799 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
2800 l2cap_send_cmd(conn, cmd->ident,
2801 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
2802 }
1da177e4
LT		 2803
2804 return 0;
2805}
2806
2807static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2808{
2809 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
2810 u16 type, result;
2811
2812 type = __le16_to_cpu(rsp->type);
2813 result = __le16_to_cpu(rsp->result);
2814
2815 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
2816
e90165be
AE		 2817 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
2818 if (cmd->ident != conn->info_ident ||
2819 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
2820 return 0;
2821
4e8402a3
MH		 2822 del_timer(&conn->info_timer);
2823
adb08ede
VT		 2824 if (result != L2CAP_IR_SUCCESS) {
2825 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2826 conn->info_ident = 0;
2827
2828 l2cap_conn_start(conn);
2829
2830 return 0;
2831 }
2832
984947dc 2833 if (type == L2CAP_IT_FEAT_MASK) {
83985319 2834 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 2835
47ec1dcd 2836 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c
MH		 2837 struct l2cap_info_req req;
2838 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2839
2840 conn->info_ident = l2cap_get_ident(conn);
2841
2842 l2cap_send_cmd(conn, conn->info_ident,
2843 L2CAP_INFO_REQ, sizeof(req), &req);
2844 } else {
2845 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2846 conn->info_ident = 0;
2847
2848 l2cap_conn_start(conn);
2849 }
2850 } else if (type == L2CAP_IT_FIXED_CHAN) {
984947dc 2851 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2852 conn->info_ident = 0;
984947dc
MH		 2853
2854 l2cap_conn_start(conn);
2855 }
4e8402a3 2856
1da177e4
LT		 2857 return 0;
2858}
2859
e2174ca4 2860static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
de73115a
CT		 2861 u16 to_multiplier)
2862{
2863 u16 max_latency;
2864
2865 if (min > max || min < 6 || max > 3200)
2866 return -EINVAL;
2867
2868 if (to_multiplier < 10 || to_multiplier > 3200)
2869 return -EINVAL;
2870
2871 if (max >= to_multiplier * 8)
2872 return -EINVAL;
2873
2874 max_latency = (to_multiplier * 8 / max) - 1;
2875 if (latency > 499 || latency > max_latency)
2876 return -EINVAL;
2877
2878 return 0;
2879}
2880
2881static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
2882 struct l2cap_cmd_hdr *cmd, u8 *data)
2883{
2884 struct hci_conn *hcon = conn->hcon;
2885 struct l2cap_conn_param_update_req *req;
2886 struct l2cap_conn_param_update_rsp rsp;
2887 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 2888 int err;
de73115a
CT		 2889
2890 if (!(hcon->link_mode & HCI_LM_MASTER))
2891 return -EINVAL;
2892
2893 cmd_len = __le16_to_cpu(cmd->len);
2894 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
2895 return -EPROTO;
2896
2897 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 2898 min = __le16_to_cpu(req->min);
2899 max = __le16_to_cpu(req->max);
de73115a
CT		 2900 latency = __le16_to_cpu(req->latency);
2901 to_multiplier = __le16_to_cpu(req->to_multiplier);
2902
2903 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
2904 min, max, latency, to_multiplier);
2905
2906 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 2907
2908 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
2909 if (err)
de73115a
CT		 2910 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
2911 else
2912 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
2913
2914 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
2915 sizeof(rsp), &rsp);
2916
2ce603eb
CT		 2917 if (!err)
2918 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
2919
de73115a
CT		 2920 return 0;
2921}
2922
3300d9a9
CT		 2923static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
2924 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
2925{
2926 int err = 0;
2927
2928 switch (cmd->code) {
2929 case L2CAP_COMMAND_REJ:
2930 l2cap_command_rej(conn, cmd, data);
2931 break;
2932
2933 case L2CAP_CONN_REQ:
2934 err = l2cap_connect_req(conn, cmd, data);
2935 break;
2936
2937 case L2CAP_CONN_RSP:
2938 err = l2cap_connect_rsp(conn, cmd, data);
2939 break;
2940
2941 case L2CAP_CONF_REQ:
2942 err = l2cap_config_req(conn, cmd, cmd_len, data);
2943 break;
2944
2945 case L2CAP_CONF_RSP:
2946 err = l2cap_config_rsp(conn, cmd, data);
2947 break;
2948
2949 case L2CAP_DISCONN_REQ:
2950 err = l2cap_disconnect_req(conn, cmd, data);
2951 break;
2952
2953 case L2CAP_DISCONN_RSP:
2954 err = l2cap_disconnect_rsp(conn, cmd, data);
2955 break;
2956
2957 case L2CAP_ECHO_REQ:
2958 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
2959 break;
2960
2961 case L2CAP_ECHO_RSP:
2962 break;
2963
2964 case L2CAP_INFO_REQ:
2965 err = l2cap_information_req(conn, cmd, data);
2966 break;
2967
2968 case L2CAP_INFO_RSP:
2969 err = l2cap_information_rsp(conn, cmd, data);
2970 break;
2971
2972 default:
2973 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
2974 err = -EINVAL;
2975 break;
2976 }
2977
2978 return err;
2979}
2980
2981static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
2982 struct l2cap_cmd_hdr *cmd, u8 *data)
2983{
2984 switch (cmd->code) {
2985 case L2CAP_COMMAND_REJ:
2986 return 0;
2987
2988 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 2989 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 2990
2991 case L2CAP_CONN_PARAM_UPDATE_RSP:
2992 return 0;
2993
2994 default:
2995 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
2996 return -EINVAL;
2997 }
2998}
2999
3000static inline void l2cap_sig_channel(struct l2cap_conn *conn,
3001 struct sk_buff *skb)
1da177e4
LT		 3002{
3003 u8 *data = skb->data;
3004 int len = skb->len;
3005 struct l2cap_cmd_hdr cmd;
3300d9a9 3006 int err;
1da177e4
LT		 3007
3008 l2cap_raw_recv(conn, skb);
3009
3010 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 3011 u16 cmd_len;
1da177e4
LT		 3012 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
3013 data += L2CAP_CMD_HDR_SIZE;
3014 len -= L2CAP_CMD_HDR_SIZE;
3015
88219a0f 3016 cmd_len = le16_to_cpu(cmd.len);
1da177e4 3017
88219a0f 3018 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 3019
88219a0f 3020 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 3021 BT_DBG("corrupted command");
3022 break;
3023 }
3024
3300d9a9
CT		 3025 if (conn->hcon->type == LE_LINK)
3026 err = l2cap_le_sig_cmd(conn, &cmd, data);
3027 else
3028 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 3029
3030 if (err) {
3031 struct l2cap_cmd_rej rej;
2c6d1a2e
GP		 3032
3033 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 3034
3035 /* FIXME: Map err to a valid reason */
aca3192c 3036 rej.reason = cpu_to_le16(0);
1da177e4
LT		 3037 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3038 }
3039
88219a0f
AV		 3040 data += cmd_len;
3041 len -= cmd_len;
1da177e4
LT		 3042 }
3043
3044 kfree_skb(skb);
3045}
3046
47d1ec61 3047static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 3048{
3049 u16 our_fcs, rcv_fcs;
3050 int hdr_size = L2CAP_HDR_SIZE + 2;
3051
47d1ec61 3052 if (chan->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 3053 skb_trim(skb, skb->len - 2);
3054 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
3055 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
3056
3057 if (our_fcs != rcv_fcs)
7a560e5c 3058 return -EBADMSG;
fcc203c3
GP		 3059 }
3060 return 0;
3061}
3062
525cd185 3063static inline void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 3064{
d5392c8f
GP		 3065 u16 control = 0;
3066
6a026610 3067 chan->frames_sent = 0;
d5392c8f 3068
42e5c802 3069 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
d5392c8f 3070
525cd185 3071 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
64988868 3072 control |= L2CAP_SUPER_RCV_NOT_READY;
525cd185
GP		 3073 l2cap_send_sframe(chan, control);
3074 chan->conn_state |= L2CAP_CONN_RNR_SENT;
d5392c8f
GP		 3075 }
3076
525cd185
GP		 3077 if (chan->conn_state & L2CAP_CONN_REMOTE_BUSY)
3078 l2cap_retransmit_frames(chan);
d5392c8f 3079
525cd185 3080 l2cap_ertm_send(chan);
d5392c8f 3081
525cd185 3082 if (!(chan->conn_state & L2CAP_CONN_LOCAL_BUSY) &&
6a026610 3083 chan->frames_sent == 0) {
d5392c8f 3084 control |= L2CAP_SUPER_RCV_READY;
525cd185 3085 l2cap_send_sframe(chan, control);
d5392c8f
GP		 3086 }
3087}
3088
42e5c802 3089static int l2cap_add_to_srej_queue(struct l2cap_chan *chan, struct sk_buff *skb, u8 tx_seq, u8 sar)
8f17154f
GP		 3090{
3091 struct sk_buff *next_skb;
bfbacc11 3092 int tx_seq_offset, next_tx_seq_offset;
8f17154f
GP		 3093
3094 bt_cb(skb)->tx_seq = tx_seq;
3095 bt_cb(skb)->sar = sar;
3096
f1c6775b 3097 next_skb = skb_peek(&chan->srej_q);
8f17154f 3098 if (!next_skb) {
f1c6775b 3099 __skb_queue_tail(&chan->srej_q, skb);
9b53350d 3100 return 0;
8f17154f
GP		 3101 }
3102
42e5c802 3103 tx_seq_offset = (tx_seq - chan->buffer_seq) % 64;
bfbacc11
JPRV		 3104 if (tx_seq_offset < 0)
3105 tx_seq_offset += 64;
3106
8f17154f 3107 do {
9b53350d
JPRV		 3108 if (bt_cb(next_skb)->tx_seq == tx_seq)
3109 return -EINVAL;
3110
bfbacc11 3111 next_tx_seq_offset = (bt_cb(next_skb)->tx_seq -
42e5c802 3112 chan->buffer_seq) % 64;
bfbacc11
JPRV		 3113 if (next_tx_seq_offset < 0)
3114 next_tx_seq_offset += 64;
3115
3116 if (next_tx_seq_offset > tx_seq_offset) {
f1c6775b 3117 __skb_queue_before(&chan->srej_q, next_skb, skb);
9b53350d 3118 return 0;
8f17154f
GP		 3119 }
3120
f1c6775b 3121 if (skb_queue_is_last(&chan->srej_q, next_skb))
8f17154f
GP		 3122 break;
3123
f1c6775b 3124 } while ((next_skb = skb_queue_next(&chan->srej_q, next_skb)));
8f17154f 3125
f1c6775b 3126 __skb_queue_tail(&chan->srej_q, skb);
9b53350d
JPRV		 3127
3128 return 0;
8f17154f
GP		 3129}
3130
525cd185 3131static int l2cap_ertm_reassembly_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u16 control)
18778a63 3132{
18778a63 3133 struct sk_buff *_skb;
1890d36b 3134 int err;
18778a63
GP		 3135
3136 switch (control & L2CAP_CTRL_SAR) {
3137 case L2CAP_SDU_UNSEGMENTED:
525cd185 3138 if (chan->conn_state & L2CAP_CONN_SAR_SDU)
18778a63
GP		 3139 goto drop;
3140
224f8af0 3141 return sock_queue_rcv_skb(chan->sk, skb);
18778a63
GP		 3142
3143 case L2CAP_SDU_START:
525cd185 3144 if (chan->conn_state & L2CAP_CONN_SAR_SDU)
18778a63
GP		 3145 goto drop;
3146
6f61fd47 3147 chan->sdu_len = get_unaligned_le16(skb->data);
18778a63 3148
0c1bc5c6 3149 if (chan->sdu_len > chan->imtu)
18778a63
GP		 3150 goto disconnect;
3151
6f61fd47
GP		 3152 chan->sdu = bt_skb_alloc(chan->sdu_len, GFP_ATOMIC);
3153 if (!chan->sdu)
1890d36b
GP		 3154 return -ENOMEM;
3155
3156 /* pull sdu_len bytes only after alloc, because of Local Busy
3157 * condition we have to be sure that this will be executed
3158 * only once, i.e., when alloc does not fail */
3159 skb_pull(skb, 2);
18778a63 3160
6f61fd47 3161 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
18778a63 3162
525cd185 3163 chan->conn_state |= L2CAP_CONN_SAR_SDU;
6f61fd47 3164 chan->partial_sdu_len = skb->len;
18778a63
GP		 3165 break;
3166
3167 case L2CAP_SDU_CONTINUE:
525cd185 3168 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
18778a63
GP		 3169 goto disconnect;
3170
6f61fd47 3171 if (!chan->sdu)
18778a63
GP		 3172 goto disconnect;
3173
6f61fd47
GP		 3174 chan->partial_sdu_len += skb->len;
3175 if (chan->partial_sdu_len > chan->sdu_len)
18778a63
GP		 3176 goto drop;
3177
6f61fd47 3178 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
4178ba46 3179
18778a63
GP		 3180 break;
3181
3182 case L2CAP_SDU_END:
525cd185 3183 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
18778a63
GP		 3184 goto disconnect;
3185
6f61fd47 3186 if (!chan->sdu)
18778a63
GP		 3187 goto disconnect;
3188
525cd185 3189 if (!(chan->conn_state & L2CAP_CONN_SAR_RETRY)) {
6f61fd47 3190 chan->partial_sdu_len += skb->len;
18778a63 3191
0c1bc5c6 3192 if (chan->partial_sdu_len > chan->imtu)
1890d36b 3193 goto drop;
18778a63 3194
6f61fd47 3195 if (chan->partial_sdu_len != chan->sdu_len)
1890d36b 3196 goto drop;
4178ba46 3197
6f61fd47 3198 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
1890d36b 3199 }
18778a63 3200
6f61fd47 3201 _skb = skb_clone(chan->sdu, GFP_ATOMIC);
1890d36b 3202 if (!_skb) {
525cd185 3203 chan->conn_state |= L2CAP_CONN_SAR_RETRY;
1890d36b
GP		 3204 return -ENOMEM;
3205 }
3206
525cd185 3207 err = sock_queue_rcv_skb(chan->sk, _skb);
1890d36b 3208 if (err < 0) {
18778a63 3209 kfree_skb(_skb);
525cd185 3210 chan->conn_state |= L2CAP_CONN_SAR_RETRY;
1890d36b
GP		 3211 return err;
3212 }
3213
525cd185
GP		 3214 chan->conn_state &= ~L2CAP_CONN_SAR_RETRY;
3215 chan->conn_state &= ~L2CAP_CONN_SAR_SDU;
18778a63 3216
6f61fd47 3217 kfree_skb(chan->sdu);
18778a63
GP		 3218 break;
3219 }
3220
3221 kfree_skb(skb);
1890d36b 3222 return 0;
18778a63
GP		 3223
3224drop:
6f61fd47
GP		 3225 kfree_skb(chan->sdu);
3226 chan->sdu = NULL;
18778a63
GP		 3227
3228disconnect:
8c1d787b 3229 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
18778a63
GP		 3230 kfree_skb(skb);
3231 return 0;
3232}
3233
525cd185 3234static int l2cap_try_push_rx_skb(struct l2cap_chan *chan)
712132eb 3235{
712132eb
GP		 3236 struct sk_buff *skb;
3237 u16 control;
3238 int err;
3239
f1c6775b 3240 while ((skb = skb_dequeue(&chan->busy_q))) {
712132eb 3241 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
525cd185 3242 err = l2cap_ertm_reassembly_sdu(chan, skb, control);
712132eb 3243 if (err < 0) {
f1c6775b 3244 skb_queue_head(&chan->busy_q, skb);
712132eb
GP		 3245 return -EBUSY;
3246 }
3247
42e5c802 3248 chan->buffer_seq = (chan->buffer_seq + 1) % 64;
712132eb
GP		 3249 }
3250
525cd185 3251 if (!(chan->conn_state & L2CAP_CONN_RNR_SENT))
712132eb
GP		 3252 goto done;
3253
42e5c802 3254 control = chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
712132eb 3255 control |= L2CAP_SUPER_RCV_READY | L2CAP_CTRL_POLL;
525cd185 3256 l2cap_send_sframe(chan, control);
6a026610 3257 chan->retry_count = 1;
712132eb 3258
e92c8e70 3259 del_timer(&chan->retrans_timer);
712132eb
GP		 3260 __mod_monitor_timer();
3261
525cd185 3262 chan->conn_state |= L2CAP_CONN_WAIT_F;
712132eb
GP		 3263
3264done:
525cd185
GP		 3265 chan->conn_state &= ~L2CAP_CONN_LOCAL_BUSY;
3266 chan->conn_state &= ~L2CAP_CONN_RNR_SENT;
712132eb 3267
49208c9c 3268 BT_DBG("chan %p, Exit local busy", chan);
712132eb
GP		 3269
3270 return 0;
3271}
3272
1890d36b
GP		 3273static void l2cap_busy_work(struct work_struct *work)
3274{
3275 DECLARE_WAITQUEUE(wait, current);
311bb895
GP		 3276 struct l2cap_chan *chan =
3277 container_of(work, struct l2cap_chan, busy_work);
3278 struct sock *sk = chan->sk;
1890d36b
GP		 3279 int n_tries = 0, timeo = HZ/5, err;
3280 struct sk_buff *skb;
1890d36b
GP		 3281
3282 lock_sock(sk);
3283
2b0b05dd 3284 add_wait_queue(sk_sleep(sk), &wait);
311bb895 3285 while ((skb = skb_peek(&chan->busy_q))) {
1890d36b
GP		 3286 set_current_state(TASK_INTERRUPTIBLE);
3287
3288 if (n_tries++ > L2CAP_LOCAL_BUSY_TRIES) {
3289 err = -EBUSY;
8c1d787b 3290 l2cap_send_disconn_req(chan->conn, chan, EBUSY);
712132eb 3291 break;
1890d36b
GP		 3292 }
3293
3294 if (!timeo)
3295 timeo = HZ/5;
3296
3297 if (signal_pending(current)) {
3298 err = sock_intr_errno(timeo);
712132eb 3299 break;
1890d36b
GP		 3300 }
3301
3302 release_sock(sk);
3303 timeo = schedule_timeout(timeo);
3304 lock_sock(sk);
3305
3306 err = sock_error(sk);
3307 if (err)
712132eb 3308 break;
1890d36b 3309
311bb895 3310 if (l2cap_try_push_rx_skb(chan) == 0)
1890d36b
GP		 3311 break;
3312 }
3313
1890d36b 3314 set_current_state(TASK_RUNNING);
2b0b05dd 3315 remove_wait_queue(sk_sleep(sk), &wait);
1890d36b
GP		 3316
3317 release_sock(sk);
3318}
3319
525cd185 3320static int l2cap_push_rx_skb(struct l2cap_chan *chan, struct sk_buff *skb, u16 control)
1890d36b 3321{
1890d36b
GP		 3322 int sctrl, err;
3323
525cd185 3324 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
1890d36b 3325 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
f1c6775b 3326 __skb_queue_tail(&chan->busy_q, skb);
525cd185 3327 return l2cap_try_push_rx_skb(chan);
712132eb
GP		 3328
3329
1890d36b
GP		 3330 }
3331
525cd185 3332 err = l2cap_ertm_reassembly_sdu(chan, skb, control);
1890d36b 3333 if (err >= 0) {
42e5c802 3334 chan->buffer_seq = (chan->buffer_seq + 1) % 64;
1890d36b
GP		 3335 return err;
3336 }
3337
3338 /* Busy Condition */
311bb895 3339 BT_DBG("chan %p, Enter local busy", chan);
0e98958d 3340
525cd185 3341 chan->conn_state |= L2CAP_CONN_LOCAL_BUSY;
1890d36b 3342 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
f1c6775b 3343 __skb_queue_tail(&chan->busy_q, skb);
1890d36b 3344
42e5c802 3345 sctrl = chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1890d36b 3346 sctrl |= L2CAP_SUPER_RCV_NOT_READY;
525cd185 3347 l2cap_send_sframe(chan, sctrl);
1890d36b 3348
525cd185 3349 chan->conn_state |= L2CAP_CONN_RNR_SENT;
1890d36b 3350
e92c8e70 3351 del_timer(&chan->ack_timer);
7fe9b298 3352
311bb895 3353 queue_work(_busy_wq, &chan->busy_work);
1890d36b
GP		 3354
3355 return err;
3356}
3357
525cd185 3358static int l2cap_streaming_reassembly_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u16 control)
c74e560c 3359{
c74e560c
GP		 3360 struct sk_buff *_skb;
3361 int err = -EINVAL;
3362
18778a63
GP		 3363 /*
3364 * TODO: We have to notify the userland if some data is lost with the
3365 * Streaming Mode.
3366 */
3367
c74e560c
GP		 3368 switch (control & L2CAP_CTRL_SAR) {
3369 case L2CAP_SDU_UNSEGMENTED:
525cd185 3370 if (chan->conn_state & L2CAP_CONN_SAR_SDU) {
6f61fd47 3371 kfree_skb(chan->sdu);
c74e560c
GP		 3372 break;
3373 }
3374
525cd185 3375 err = sock_queue_rcv_skb(chan->sk, skb);
c74e560c
GP		 3376 if (!err)
3377 return 0;
3378
3379 break;
3380
3381 case L2CAP_SDU_START:
525cd185 3382 if (chan->conn_state & L2CAP_CONN_SAR_SDU) {
6f61fd47 3383 kfree_skb(chan->sdu);
c74e560c
GP		 3384 break;
3385 }
3386
6f61fd47 3387 chan->sdu_len = get_unaligned_le16(skb->data);
c74e560c
GP		 3388 skb_pull(skb, 2);
3389
0c1bc5c6 3390 if (chan->sdu_len > chan->imtu) {
052897ca
GP		 3391 err = -EMSGSIZE;
3392 break;
3393 }
3394
6f61fd47
GP		 3395 chan->sdu = bt_skb_alloc(chan->sdu_len, GFP_ATOMIC);
3396 if (!chan->sdu) {
c74e560c
GP		 3397 err = -ENOMEM;
3398 break;
3399 }
3400
6f61fd47 3401 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
c74e560c 3402
525cd185 3403 chan->conn_state |= L2CAP_CONN_SAR_SDU;
6f61fd47 3404 chan->partial_sdu_len = skb->len;
c74e560c
GP		 3405 err = 0;
3406 break;
3407
3408 case L2CAP_SDU_CONTINUE:
525cd185 3409 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
c74e560c
GP		 3410 break;
3411
6f61fd47 3412 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
c74e560c 3413
6f61fd47
GP		 3414 chan->partial_sdu_len += skb->len;
3415 if (chan->partial_sdu_len > chan->sdu_len)
3416 kfree_skb(chan->sdu);
c74e560c
GP		 3417 else
3418 err = 0;
3419
3420 break;
3421
3422 case L2CAP_SDU_END:
525cd185 3423 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
c74e560c
GP		 3424 break;
3425
6f61fd47 3426 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
c74e560c 3427
525cd185 3428 chan->conn_state &= ~L2CAP_CONN_SAR_SDU;
6f61fd47 3429 chan->partial_sdu_len += skb->len;
c74e560c 3430
0c1bc5c6 3431 if (chan->partial_sdu_len > chan->imtu)
36f2fd58
GP		 3432 goto drop;
3433
6f61fd47
GP		 3434 if (chan->partial_sdu_len == chan->sdu_len) {
3435 _skb = skb_clone(chan->sdu, GFP_ATOMIC);
525cd185 3436 err = sock_queue_rcv_skb(chan->sk, _skb);
c74e560c
GP		 3437 if (err < 0)
3438 kfree_skb(_skb);
3439 }
c74e560c
GP		 3440 err = 0;
3441
36f2fd58 3442drop:
6f61fd47 3443 kfree_skb(chan->sdu);
c74e560c
GP		 3444 break;
3445 }
3446
3447 kfree_skb(skb);
3448 return err;
3449}
3450
525cd185 3451static void l2cap_check_srej_gap(struct l2cap_chan *chan, u8 tx_seq)
8f17154f
GP		 3452{
3453 struct sk_buff *skb;
afefdbc4 3454 u16 control;
8f17154f 3455
f1c6775b 3456 while ((skb = skb_peek(&chan->srej_q))) {
8f17154f
GP		 3457 if (bt_cb(skb)->tx_seq != tx_seq)
3458 break;
3459
f1c6775b 3460 skb = skb_dequeue(&chan->srej_q);
afefdbc4 3461 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
525cd185 3462 l2cap_ertm_reassembly_sdu(chan, skb, control);
42e5c802
GP		 3463 chan->buffer_seq_srej =
3464 (chan->buffer_seq_srej + 1) % 64;
8ff50ec0 3465 tx_seq = (tx_seq + 1) % 64;
8f17154f
GP		 3466 }
3467}
3468
525cd185 3469static void l2cap_resend_srejframe(struct l2cap_chan *chan, u8 tx_seq)
8f17154f 3470{
8f17154f
GP		 3471 struct srej_list *l, *tmp;
3472 u16 control;
3473
39d5a3ee 3474 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
8f17154f
GP		 3475 if (l->tx_seq == tx_seq) {
3476 list_del(&l->list);
3477 kfree(l);
3478 return;
3479 }
3480 control = L2CAP_SUPER_SELECT_REJECT;
3481 control |= l->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
525cd185 3482 l2cap_send_sframe(chan, control);
8f17154f 3483 list_del(&l->list);
39d5a3ee 3484 list_add_tail(&l->list, &chan->srej_l);
8f17154f
GP		 3485 }
3486}
3487
525cd185 3488static void l2cap_send_srejframe(struct l2cap_chan *chan, u8 tx_seq)
8f17154f 3489{
8f17154f
GP		 3490 struct srej_list *new;
3491 u16 control;
3492
42e5c802 3493 while (tx_seq != chan->expected_tx_seq) {
8f17154f 3494 control = L2CAP_SUPER_SELECT_REJECT;
42e5c802 3495 control |= chan->expected_tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
525cd185 3496 l2cap_send_sframe(chan, control);
8f17154f
GP		 3497
3498 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
42e5c802
GP		 3499 new->tx_seq = chan->expected_tx_seq;
3500 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
39d5a3ee 3501 list_add_tail(&new->list, &chan->srej_l);
8f17154f 3502 }
42e5c802 3503 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
8f17154f
GP		 3504}
3505
525cd185 3506static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u16 rx_control, struct sk_buff *skb)
1c2acffb 3507{
1c2acffb 3508 u8 tx_seq = __get_txseq(rx_control);
9f121a5a 3509 u8 req_seq = __get_reqseq(rx_control);
8f17154f 3510 u8 sar = rx_control >> L2CAP_CTRL_SAR_SHIFT;
f6337c77 3511 int tx_seq_offset, expected_tx_seq_offset;
47d1ec61 3512 int num_to_ack = (chan->tx_win/6) + 1;
1c2acffb
GP		 3513 int err = 0;
3514
525cd185
GP		 3515 BT_DBG("chan %p len %d tx_seq %d rx_control 0x%4.4x", chan, skb->len,
3516 tx_seq, rx_control);
1c2acffb 3517
9b16dc65 3518 if (L2CAP_CTRL_FINAL & rx_control &&
525cd185 3519 chan->conn_state & L2CAP_CONN_WAIT_F) {
e92c8e70 3520 del_timer(&chan->monitor_timer);
6a026610 3521 if (chan->unacked_frames > 0)
1d8f5d16 3522 __mod_retrans_timer();
525cd185 3523 chan->conn_state &= ~L2CAP_CONN_WAIT_F;
1d8f5d16
GP		 3524 }
3525
42e5c802
GP		 3526 chan->expected_ack_seq = req_seq;
3527 l2cap_drop_acked_frames(chan);
9f121a5a 3528
42e5c802 3529 if (tx_seq == chan->expected_tx_seq)
8f17154f 3530 goto expected;
1c2acffb 3531
42e5c802 3532 tx_seq_offset = (tx_seq - chan->buffer_seq) % 64;
9b53350d
JPRV		 3533 if (tx_seq_offset < 0)
3534 tx_seq_offset += 64;
3535
3536 /* invalid tx_seq */
47d1ec61 3537 if (tx_seq_offset >= chan->tx_win) {
8c1d787b 3538 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
9b53350d
JPRV		 3539 goto drop;
3540 }
3541
525cd185 3542 if (chan->conn_state == L2CAP_CONN_LOCAL_BUSY)
1890d36b
GP		 3543 goto drop;
3544
525cd185 3545 if (chan->conn_state & L2CAP_CONN_SREJ_SENT) {
8f17154f 3546 struct srej_list *first;
30afb5b2 3547
39d5a3ee 3548 first = list_first_entry(&chan->srej_l,
8f17154f
GP		 3549 struct srej_list, list);
3550 if (tx_seq == first->tx_seq) {
42e5c802 3551 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
525cd185 3552 l2cap_check_srej_gap(chan, tx_seq);
8f17154f
GP		 3553
3554 list_del(&first->list);
3555 kfree(first);
3556
39d5a3ee 3557 if (list_empty(&chan->srej_l)) {
42e5c802 3558 chan->buffer_seq = chan->buffer_seq_srej;
525cd185
GP		 3559 chan->conn_state &= ~L2CAP_CONN_SREJ_SENT;
3560 l2cap_send_ack(chan);
49208c9c 3561 BT_DBG("chan %p, Exit SREJ_SENT", chan);
8f17154f
GP		 3562 }
3563 } else {
3564 struct srej_list *l;
9b53350d
JPRV		 3565
3566 /* duplicated tx_seq */
42e5c802 3567 if (l2cap_add_to_srej_queue(chan, skb, tx_seq, sar) < 0)
9b53350d 3568 goto drop;
8f17154f 3569
39d5a3ee 3570 list_for_each_entry(l, &chan->srej_l, list) {
8f17154f 3571 if (l->tx_seq == tx_seq) {
525cd185 3572 l2cap_resend_srejframe(chan, tx_seq);
8f17154f
GP		 3573 return 0;
3574 }
3575 }
525cd185 3576 l2cap_send_srejframe(chan, tx_seq);
30afb5b2
GP		 3577 }
3578 } else {
9b53350d 3579 expected_tx_seq_offset =
42e5c802 3580 (chan->expected_tx_seq - chan->buffer_seq) % 64;
9b53350d
JPRV		 3581 if (expected_tx_seq_offset < 0)
3582 expected_tx_seq_offset += 64;
3583
3584 /* duplicated tx_seq */
3585 if (tx_seq_offset < expected_tx_seq_offset)
3586 goto drop;
3587
525cd185 3588 chan->conn_state |= L2CAP_CONN_SREJ_SENT;
1c2acffb 3589
49208c9c 3590 BT_DBG("chan %p, Enter SREJ", chan);
0e98958d 3591
39d5a3ee 3592 INIT_LIST_HEAD(&chan->srej_l);
42e5c802 3593 chan->buffer_seq_srej = chan->buffer_seq;
8f17154f 3594
f1c6775b
GP		 3595 __skb_queue_head_init(&chan->srej_q);
3596 __skb_queue_head_init(&chan->busy_q);
42e5c802 3597 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
8f17154f 3598
525cd185 3599 chan->conn_state |= L2CAP_CONN_SEND_PBIT;
ef54fd93 3600
525cd185 3601 l2cap_send_srejframe(chan, tx_seq);
7fe9b298 3602
e92c8e70 3603 del_timer(&chan->ack_timer);
1c2acffb 3604 }
30afb5b2
GP		 3605 return 0;
3606
8f17154f 3607expected:
42e5c802 3608 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
8f17154f 3609
525cd185 3610 if (chan->conn_state & L2CAP_CONN_SREJ_SENT) {
3b1a9f3f
GP		 3611 bt_cb(skb)->tx_seq = tx_seq;
3612 bt_cb(skb)->sar = sar;
f1c6775b 3613 __skb_queue_tail(&chan->srej_q, skb);
8f17154f
GP		 3614 return 0;
3615 }
3616
525cd185 3617 err = l2cap_push_rx_skb(chan, skb, rx_control);
2ece3684
GP		 3618 if (err < 0)
3619 return 0;
3620
4ec10d97 3621 if (rx_control & L2CAP_CTRL_FINAL) {
525cd185
GP		 3622 if (chan->conn_state & L2CAP_CONN_REJ_ACT)
3623 chan->conn_state &= ~L2CAP_CONN_REJ_ACT;
dfc909be 3624 else
525cd185 3625 l2cap_retransmit_frames(chan);
4ec10d97
GP		 3626 }
3627
c1b4f43b
GP		 3628 __mod_ack_timer();
3629
6a026610
GP		 3630 chan->num_acked = (chan->num_acked + 1) % num_to_ack;
3631 if (chan->num_acked == num_to_ack - 1)
525cd185 3632 l2cap_send_ack(chan);
9e917af1 3633
8f17154f 3634 return 0;
9b53350d
JPRV		 3635
3636drop:
3637 kfree_skb(skb);
3638 return 0;
1c2acffb
GP		 3639}
3640
525cd185 3641static inline void l2cap_data_channel_rrframe(struct l2cap_chan *chan, u16 rx_control)
1c2acffb 3642{
49208c9c 3643 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, __get_reqseq(rx_control),
0e98958d
GP		 3644 rx_control);
3645
42e5c802
GP		 3646 chan->expected_ack_seq = __get_reqseq(rx_control);
3647 l2cap_drop_acked_frames(chan);
1c2acffb 3648
e072745f 3649 if (rx_control & L2CAP_CTRL_POLL) {
525cd185
GP		 3650 chan->conn_state |= L2CAP_CONN_SEND_FBIT;
3651 if (chan->conn_state & L2CAP_CONN_SREJ_SENT) {
3652 if ((chan->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
6a026610 3653 (chan->unacked_frames > 0))
05fbd89d
GP		 3654 __mod_retrans_timer();
3655
525cd185
GP		 3656 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3657 l2cap_send_srejtail(chan);
05fbd89d 3658 } else {
525cd185 3659 l2cap_send_i_or_rr_or_rnr(chan);
05fbd89d 3660 }
1d8f5d16 3661
e072745f 3662 } else if (rx_control & L2CAP_CTRL_FINAL) {
525cd185 3663 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
4ec10d97 3664
525cd185
GP		 3665 if (chan->conn_state & L2CAP_CONN_REJ_ACT)
3666 chan->conn_state &= ~L2CAP_CONN_REJ_ACT;
dfc909be 3667 else
525cd185 3668 l2cap_retransmit_frames(chan);
2246b2f1 3669
e072745f 3670 } else {
525cd185 3671 if ((chan->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
6a026610 3672 (chan->unacked_frames > 0))
e072745f 3673 __mod_retrans_timer();
1c2acffb 3674
525cd185
GP		 3675 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3676 if (chan->conn_state & L2CAP_CONN_SREJ_SENT)
3677 l2cap_send_ack(chan);
894718a6 3678 else
525cd185 3679 l2cap_ertm_send(chan);
e072745f
GP		 3680 }
3681}
2246b2f1 3682
525cd185 3683static inline void l2cap_data_channel_rejframe(struct l2cap_chan *chan, u16 rx_control)
e072745f 3684{
e072745f 3685 u8 tx_seq = __get_reqseq(rx_control);
30afb5b2 3686
525cd185 3687 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
0e98958d 3688
525cd185 3689 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
e072745f 3690
42e5c802
GP		 3691 chan->expected_ack_seq = tx_seq;
3692 l2cap_drop_acked_frames(chan);
e072745f
GP		 3693
3694 if (rx_control & L2CAP_CTRL_FINAL) {
525cd185
GP		 3695 if (chan->conn_state & L2CAP_CONN_REJ_ACT)
3696 chan->conn_state &= ~L2CAP_CONN_REJ_ACT;
dfc909be 3697 else
525cd185 3698 l2cap_retransmit_frames(chan);
e072745f 3699 } else {
525cd185 3700 l2cap_retransmit_frames(chan);
30afb5b2 3701
525cd185
GP		 3702 if (chan->conn_state & L2CAP_CONN_WAIT_F)
3703 chan->conn_state |= L2CAP_CONN_REJ_ACT;
e072745f
GP		 3704 }
3705}
525cd185 3706static inline void l2cap_data_channel_srejframe(struct l2cap_chan *chan, u16 rx_control)
e072745f 3707{
e072745f 3708 u8 tx_seq = __get_reqseq(rx_control);
30afb5b2 3709
525cd185 3710 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
0e98958d 3711
525cd185 3712 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
2246b2f1 3713
e072745f 3714 if (rx_control & L2CAP_CTRL_POLL) {
42e5c802
GP		 3715 chan->expected_ack_seq = tx_seq;
3716 l2cap_drop_acked_frames(chan);
3cb123d1 3717
525cd185
GP		 3718 chan->conn_state |= L2CAP_CONN_SEND_FBIT;
3719 l2cap_retransmit_one_frame(chan, tx_seq);
dfc909be 3720
525cd185 3721 l2cap_ertm_send(chan);
dfc909be 3722
525cd185 3723 if (chan->conn_state & L2CAP_CONN_WAIT_F) {
6a026610 3724 chan->srej_save_reqseq = tx_seq;
525cd185 3725 chan->conn_state |= L2CAP_CONN_SREJ_ACT;
ef54fd93 3726 }
e072745f 3727 } else if (rx_control & L2CAP_CTRL_FINAL) {
525cd185 3728 if ((chan->conn_state & L2CAP_CONN_SREJ_ACT) &&
6a026610 3729 chan->srej_save_reqseq == tx_seq)
525cd185 3730 chan->conn_state &= ~L2CAP_CONN_SREJ_ACT;
e072745f 3731 else
525cd185 3732 l2cap_retransmit_one_frame(chan, tx_seq);
e072745f 3733 } else {
525cd185
GP		 3734 l2cap_retransmit_one_frame(chan, tx_seq);
3735 if (chan->conn_state & L2CAP_CONN_WAIT_F) {
6a026610 3736 chan->srej_save_reqseq = tx_seq;
525cd185 3737 chan->conn_state |= L2CAP_CONN_SREJ_ACT;
ef54fd93 3738 }
e072745f
GP		 3739 }
3740}
3741
525cd185 3742static inline void l2cap_data_channel_rnrframe(struct l2cap_chan *chan, u16 rx_control)
e072745f 3743{
e072745f
GP		 3744 u8 tx_seq = __get_reqseq(rx_control);
3745
525cd185 3746 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
0e98958d 3747
525cd185 3748 chan->conn_state |= L2CAP_CONN_REMOTE_BUSY;
42e5c802
GP		 3749 chan->expected_ack_seq = tx_seq;
3750 l2cap_drop_acked_frames(chan);
e072745f 3751
3cb123d1 3752 if (rx_control & L2CAP_CTRL_POLL)
525cd185 3753 chan->conn_state |= L2CAP_CONN_SEND_FBIT;
3cb123d1 3754
525cd185 3755 if (!(chan->conn_state & L2CAP_CONN_SREJ_SENT)) {
e92c8e70 3756 del_timer(&chan->retrans_timer);
a2e12a2a 3757 if (rx_control & L2CAP_CTRL_POLL)
525cd185 3758 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_FINAL);
99b0d4b7 3759 return;
e072745f 3760 }
99b0d4b7
GP		 3761
3762 if (rx_control & L2CAP_CTRL_POLL)
525cd185 3763 l2cap_send_srejtail(chan);
99b0d4b7 3764 else
525cd185 3765 l2cap_send_sframe(chan, L2CAP_SUPER_RCV_READY);
e072745f
GP		 3766}
3767
525cd185 3768static inline int l2cap_data_channel_sframe(struct l2cap_chan *chan, u16 rx_control, struct sk_buff *skb)
e072745f 3769{
525cd185 3770 BT_DBG("chan %p rx_control 0x%4.4x len %d", chan, rx_control, skb->len);
e072745f 3771
9b16dc65 3772 if (L2CAP_CTRL_FINAL & rx_control &&
525cd185 3773 chan->conn_state & L2CAP_CONN_WAIT_F) {
e92c8e70 3774 del_timer(&chan->monitor_timer);
6a026610 3775 if (chan->unacked_frames > 0)
e072745f 3776 __mod_retrans_timer();
525cd185 3777 chan->conn_state &= ~L2CAP_CONN_WAIT_F;
e072745f
GP		 3778 }
3779
3780 switch (rx_control & L2CAP_CTRL_SUPERVISE) {
3781 case L2CAP_SUPER_RCV_READY:
525cd185 3782 l2cap_data_channel_rrframe(chan, rx_control);
8f17154f
GP		 3783 break;
3784
e072745f 3785 case L2CAP_SUPER_REJECT:
525cd185 3786 l2cap_data_channel_rejframe(chan, rx_control);
e072745f 3787 break;
2246b2f1 3788
e072745f 3789 case L2CAP_SUPER_SELECT_REJECT:
525cd185 3790 l2cap_data_channel_srejframe(chan, rx_control);
e072745f
GP		 3791 break;
3792
3793 case L2CAP_SUPER_RCV_NOT_READY:
525cd185 3794 l2cap_data_channel_rnrframe(chan, rx_control);
1c2acffb
GP		 3795 break;
3796 }
3797
faaebd19 3798 kfree_skb(skb);
1c2acffb
GP		 3799 return 0;
3800}
3801
218bb9df
GP		 3802static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb)
3803{
525cd185 3804 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
218bb9df
GP		 3805 u16 control;
3806 u8 req_seq;
3807 int len, next_tx_seq_offset, req_seq_offset;
3808
3809 control = get_unaligned_le16(skb->data);
3810 skb_pull(skb, 2);
3811 len = skb->len;
3812
3813 /*
3814 * We can just drop the corrupted I-frame here.
3815 * Receiver will miss it and start proper recovery
3816 * procedures and ask retransmission.
3817 */
47d1ec61 3818 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 3819 goto drop;
3820
3821 if (__is_sar_start(control) && __is_iframe(control))
3822 len -= 2;
3823
47d1ec61 3824 if (chan->fcs == L2CAP_FCS_CRC16)
218bb9df
GP		 3825 len -= 2;
3826
47d1ec61 3827 if (len > chan->mps) {
8c1d787b 3828 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3829 goto drop;
3830 }
3831
3832 req_seq = __get_reqseq(control);
42e5c802 3833 req_seq_offset = (req_seq - chan->expected_ack_seq) % 64;
218bb9df
GP		 3834 if (req_seq_offset < 0)
3835 req_seq_offset += 64;
3836
3837 next_tx_seq_offset =
42e5c802 3838 (chan->next_tx_seq - chan->expected_ack_seq) % 64;
218bb9df
GP		 3839 if (next_tx_seq_offset < 0)
3840 next_tx_seq_offset += 64;
3841
3842 /* check for invalid req-seq */
3843 if (req_seq_offset > next_tx_seq_offset) {
8c1d787b 3844 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3845 goto drop;
3846 }
3847
3848 if (__is_iframe(control)) {
3849 if (len < 0) {
8c1d787b 3850 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3851 goto drop;
3852 }
3853
525cd185 3854 l2cap_data_channel_iframe(chan, control, skb);
218bb9df
GP		 3855 } else {
3856 if (len != 0) {
3857 BT_ERR("%d", len);
8c1d787b 3858 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3859 goto drop;
3860 }
3861
525cd185 3862 l2cap_data_channel_sframe(chan, control, skb);
218bb9df
GP		 3863 }
3864
3865 return 0;
3866
3867drop:
3868 kfree_skb(skb);
3869 return 0;
3870}
3871
1da177e4
LT		 3872static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
3873{
48454079 3874 struct l2cap_chan *chan;
bf734843 3875 struct sock *sk = NULL;
51893f88 3876 u16 control;
218bb9df
GP		 3877 u8 tx_seq;
3878 int len;
1da177e4 3879
baa7e1fa 3880 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 3881 if (!chan) {
1da177e4
LT		 3882 BT_DBG("unknown cid 0x%4.4x", cid);
3883 goto drop;
3884 }
3885
48454079 3886 sk = chan->sk;
6840ed07 3887
49208c9c 3888 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4
LT		 3889
3890 if (sk->sk_state != BT_CONNECTED)
3891 goto drop;
3892
0c1bc5c6 3893 switch (chan->mode) {
1c2acffb
GP		 3894 case L2CAP_MODE_BASIC:
3895 /* If socket recv buffers overflows we drop data here
3896 * which is *bad* because L2CAP has to be reliable.
3897 * But we don't have any other choice. L2CAP doesn't
3898 * provide flow control mechanism. */
1da177e4 3899
0c1bc5c6 3900 if (chan->imtu < skb->len)
1c2acffb 3901 goto drop;
1da177e4 3902
1c2acffb
GP		 3903 if (!sock_queue_rcv_skb(sk, skb))
3904 goto done;
3905 break;
3906
3907 case L2CAP_MODE_ERTM:
218bb9df
GP		 3908 if (!sock_owned_by_user(sk)) {
3909 l2cap_ertm_data_rcv(sk, skb);
277ffbe3 3910 } else {
218bb9df 3911 if (sk_add_backlog(sk, skb))
277ffbe3 3912 goto drop;
277ffbe3 3913 }
1c2acffb 3914
fcafde2e 3915 goto done;
1c2acffb 3916
6840ed07
GP		 3917 case L2CAP_MODE_STREAMING:
3918 control = get_unaligned_le16(skb->data);
3919 skb_pull(skb, 2);
3920 len = skb->len;
3921
47d1ec61 3922 if (l2cap_check_fcs(chan, skb))
26000089
GP		 3923 goto drop;
3924
6840ed07
GP		 3925 if (__is_sar_start(control))
3926 len -= 2;
3927
47d1ec61 3928 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3
GP		 3929 len -= 2;
3930
47d1ec61 3931 if (len > chan->mps || len < 0 || __is_sframe(control))
6840ed07
GP		 3932 goto drop;
3933
3934 tx_seq = __get_txseq(control);
3935
42e5c802
GP		 3936 if (chan->expected_tx_seq == tx_seq)
3937 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
6840ed07 3938 else
42e5c802 3939 chan->expected_tx_seq = (tx_seq + 1) % 64;
6840ed07 3940
525cd185 3941 l2cap_streaming_reassembly_sdu(chan, skb, control);
6840ed07
GP		 3942
3943 goto done;
3944
1c2acffb 3945 default:
0c1bc5c6 3946 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 3947 break;
3948 }
1da177e4
LT		 3949
3950drop:
3951 kfree_skb(skb);
3952
3953done:
0139418c
MH		 3954 if (sk)
3955 bh_unlock_sock(sk);
3956
1da177e4
LT		 3957 return 0;
3958}
3959
8e036fc3 3960static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
1da177e4 3961{
6dcae1ea 3962 struct sock *sk = NULL;
23691d75 3963 struct l2cap_chan *chan;
1da177e4 3964
23691d75
GP		 3965 chan = l2cap_global_chan_by_psm(0, psm, conn->src);
3966 if (!chan)
1da177e4
LT		 3967 goto drop;
3968
23691d75
GP		 3969 sk = chan->sk;
3970
e0f0cb56
GP		 3971 bh_lock_sock(sk);
3972
1da177e4
LT		 3973 BT_DBG("sk %p, len %d", sk, skb->len);
3974
3975 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_CONNECTED)
3976 goto drop;
3977
0c1bc5c6 3978 if (l2cap_pi(sk)->chan->imtu < skb->len)
1da177e4
LT		 3979 goto drop;
3980
3981 if (!sock_queue_rcv_skb(sk, skb))
3982 goto done;
3983
3984drop:
3985 kfree_skb(skb);
3986
3987done:
af05b30b
GP		 3988 if (sk)
3989 bh_unlock_sock(sk);
1da177e4
LT		 3990 return 0;
3991}
3992
9f69bda6
GP		 3993static inline int l2cap_att_channel(struct l2cap_conn *conn, __le16 cid, struct sk_buff *skb)
3994{
6dcae1ea 3995 struct sock *sk = NULL;
23691d75 3996 struct l2cap_chan *chan;
9f69bda6 3997
23691d75
GP		 3998 chan = l2cap_global_chan_by_scid(0, cid, conn->src);
3999 if (!chan)
9f69bda6
GP		 4000 goto drop;
4001
23691d75
GP		 4002 sk = chan->sk;
4003
9f69bda6
GP		 4004 bh_lock_sock(sk);
4005
4006 BT_DBG("sk %p, len %d", sk, skb->len);
4007
4008 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_CONNECTED)
4009 goto drop;
4010
0c1bc5c6 4011 if (l2cap_pi(sk)->chan->imtu < skb->len)
9f69bda6
GP		 4012 goto drop;
4013
4014 if (!sock_queue_rcv_skb(sk, skb))
4015 goto done;
4016
4017drop:
4018 kfree_skb(skb);
4019
4020done:
4021 if (sk)
4022 bh_unlock_sock(sk);
4023 return 0;
4024}
4025
1da177e4
LT		 4026static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
4027{
4028 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 4029 u16 cid, len;
4030 __le16 psm;
1da177e4
LT		 4031
4032 skb_pull(skb, L2CAP_HDR_SIZE);
4033 cid = __le16_to_cpu(lh->cid);
4034 len = __le16_to_cpu(lh->len);
4035
1c2acffb
GP		 4036 if (len != skb->len) {
4037 kfree_skb(skb);
4038 return;
4039 }
4040
1da177e4
LT		 4041 BT_DBG("len %d, cid 0x%4.4x", len, cid);
4042
4043 switch (cid) {
3300d9a9 4044 case L2CAP_CID_LE_SIGNALING:
8db4dc46 4045 case L2CAP_CID_SIGNALING:
1da177e4
LT		 4046 l2cap_sig_channel(conn, skb);
4047 break;
4048
8db4dc46 4049 case L2CAP_CID_CONN_LESS:
1b7bf4ed 4050 psm = get_unaligned_le16(skb->data);
1da177e4
LT		 4051 skb_pull(skb, 2);
4052 l2cap_conless_channel(conn, psm, skb);
4053 break;
4054
9f69bda6
GP		 4055 case L2CAP_CID_LE_DATA:
4056 l2cap_att_channel(conn, cid, skb);
4057 break;
4058
1da177e4
LT		 4059 default:
4060 l2cap_data_channel(conn, cid, skb);
4061 break;
4062 }
4063}
4064
4065/* ---- L2CAP interface with lower layer (HCI) ---- */
4066
4067static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
4068{
4069 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 4070 struct l2cap_chan *c;
1da177e4
LT		 4071
4072 if (type != ACL_LINK)
963cf687 4073 return -EINVAL;
1da177e4
LT		 4074
4075 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
4076
4077 /* Find listening sockets and check their link_mode */
23691d75
GP		 4078 read_lock(&chan_list_lock);
4079 list_for_each_entry(c, &chan_list, global_l) {
4080 struct sock *sk = c->sk;
4343478f 4081
1da177e4
LT		 4082 if (sk->sk_state != BT_LISTEN)
4083 continue;
4084
4085 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 4086 lm1 |= HCI_LM_ACCEPT;
23691d75 4087 if (c->role_switch)
2af6b9d5 4088 lm1 |= HCI_LM_MASTER;
1da177e4 4089 exact++;
2af6b9d5
MH		 4090 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
4091 lm2 |= HCI_LM_ACCEPT;
23691d75 4092 if (c->role_switch)
2af6b9d5
MH		 4093 lm2 |= HCI_LM_MASTER;
4094 }
1da177e4 4095 }
23691d75 4096 read_unlock(&chan_list_lock);
1da177e4
LT		 4097
4098 return exact ? lm1 : lm2;
4099}
4100
4101static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
4102{
0139418c
MH		 4103 struct l2cap_conn *conn;
4104
1da177e4
LT		 4105 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
4106
acd7d370 4107 if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK))
963cf687 4108 return -EINVAL;
1da177e4
LT		 4109
4110 if (!status) {
1da177e4
LT		 4111 conn = l2cap_conn_add(hcon, status);
4112 if (conn)
4113 l2cap_conn_ready(conn);
0139418c 4114 } else
1da177e4
LT		 4115 l2cap_conn_del(hcon, bt_err(status));
4116
4117 return 0;
4118}
4119
2950f21a
MH		 4120static int l2cap_disconn_ind(struct hci_conn *hcon)
4121{
4122 struct l2cap_conn *conn = hcon->l2cap_data;
4123
4124 BT_DBG("hcon %p", hcon);
4125
4126 if (hcon->type != ACL_LINK || !conn)
4127 return 0x13;
4128
4129 return conn->disc_reason;
4130}
4131
4132static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 4133{
4134 BT_DBG("hcon %p reason %d", hcon, reason);
4135
acd7d370 4136 if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK))
963cf687 4137 return -EINVAL;
1da177e4
LT		 4138
4139 l2cap_conn_del(hcon, bt_err(reason));
0139418c 4140
1da177e4
LT		 4141 return 0;
4142}
4143
4343478f 4144static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 4145{
715ec005 4146 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 4147 return;
4148
f62e4323 4149 if (encrypt == 0x00) {
4343478f 4150 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ab07801d
GP		 4151 l2cap_chan_clear_timer(chan);
4152 l2cap_chan_set_timer(chan, HZ * 5);
4343478f 4153 } else if (chan->sec_level == BT_SECURITY_HIGH)
4519de9a 4154 __l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 4155 } else {
4343478f 4156 if (chan->sec_level == BT_SECURITY_MEDIUM)
ab07801d 4157 l2cap_chan_clear_timer(chan);
f62e4323
MH		 4158 }
4159}
4160
8c1b2355 4161static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 4162{
0139418c 4163 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 4164 struct l2cap_chan *chan;
1da177e4 4165
0139418c 4166 if (!conn)
1da177e4 4167 return 0;
0139418c 4168
1da177e4
LT		 4169 BT_DBG("conn %p", conn);
4170
baa7e1fa 4171 read_lock(&conn->chan_lock);
1da177e4 4172
baa7e1fa 4173 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 4174 struct sock *sk = chan->sk;
baa7e1fa 4175
1da177e4
LT		 4176 bh_lock_sock(sk);
4177
b4450035 4178 if (chan->conf_state & L2CAP_CONF_CONNECT_PEND) {
6a8d3010
MH		 4179 bh_unlock_sock(sk);
4180 continue;
4181 }
4182
f62e4323 4183 if (!status && (sk->sk_state == BT_CONNECTED ||
8c1b2355 4184 sk->sk_state == BT_CONFIG)) {
4343478f 4185 l2cap_check_encryption(chan, encrypt);
9719f8af
MH		 4186 bh_unlock_sock(sk);
4187 continue;
4188 }
4189
b1235d79
MH		 4190 if (sk->sk_state == BT_CONNECT) {
4191 if (!status) {
4192 struct l2cap_conn_req req;
fe4128e0
GP		 4193 req.scid = cpu_to_le16(chan->scid);
4194 req.psm = chan->psm;
1da177e4 4195
fc7f8a7e 4196 chan->ident = l2cap_get_ident(conn);
b4450035 4197 chan->conf_state |= L2CAP_CONF_CONNECT_PEND;
1da177e4 4198
fc7f8a7e 4199 l2cap_send_cmd(conn, chan->ident,
b1235d79
MH		 4200 L2CAP_CONN_REQ, sizeof(req), &req);
4201 } else {
ab07801d
GP		 4202 l2cap_chan_clear_timer(chan);
4203 l2cap_chan_set_timer(chan, HZ / 10);
b1235d79
MH		 4204 }
4205 } else if (sk->sk_state == BT_CONNECT2) {
4206 struct l2cap_conn_rsp rsp;
4207 __u16 result;
1da177e4 4208
b1235d79
MH		 4209 if (!status) {
4210 sk->sk_state = BT_CONFIG;
4211 result = L2CAP_CR_SUCCESS;
4212 } else {
4213 sk->sk_state = BT_DISCONN;
ab07801d 4214 l2cap_chan_set_timer(chan, HZ / 10);
b1235d79
MH		 4215 result = L2CAP_CR_SEC_BLOCK;
4216 }
4217
fe4128e0
GP		 4218 rsp.scid = cpu_to_le16(chan->dcid);
4219 rsp.dcid = cpu_to_le16(chan->scid);
b1235d79 4220 rsp.result = cpu_to_le16(result);
e7c29cb1 4221 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
fc7f8a7e
GP		 4222 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
4223 sizeof(rsp), &rsp);
b1235d79 4224 }
1da177e4
LT		 4225
4226 bh_unlock_sock(sk);
4227 }
4228
baa7e1fa 4229 read_unlock(&conn->chan_lock);
b1235d79 4230
1da177e4
LT		 4231 return 0;
4232}
4233
4234static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
4235{
4236 struct l2cap_conn *conn = hcon->l2cap_data;
4237
5a08ecce
AE		 4238 if (!conn)
4239 conn = l2cap_conn_add(hcon, 0);
4240
4241 if (!conn)
1da177e4
LT		 4242 goto drop;
4243
4244 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
4245
e702112f 4246 if (!(flags & ACL_CONT)) {
1da177e4 4247 struct l2cap_hdr *hdr;
48454079 4248 struct l2cap_chan *chan;
89794813 4249 u16 cid;
1da177e4
LT		 4250 int len;
4251
4252 if (conn->rx_len) {
4253 BT_ERR("Unexpected start frame (len %d)", skb->len);
4254 kfree_skb(conn->rx_skb);
4255 conn->rx_skb = NULL;
4256 conn->rx_len = 0;
4257 l2cap_conn_unreliable(conn, ECOMM);
4258 }
4259
aae7fe22
AE		 4260 /* Start fragment always begin with Basic L2CAP header */
4261 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 4262 BT_ERR("Frame is too short (len %d)", skb->len);
4263 l2cap_conn_unreliable(conn, ECOMM);
4264 goto drop;
4265 }
4266
4267 hdr = (struct l2cap_hdr *) skb->data;
4268 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
89794813 4269 cid = __le16_to_cpu(hdr->cid);
1da177e4
LT		 4270
4271 if (len == skb->len) {
4272 /* Complete frame received */
4273 l2cap_recv_frame(conn, skb);
4274 return 0;
4275 }
4276
4277 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
4278
4279 if (skb->len > len) {
4280 BT_ERR("Frame is too long (len %d, expected len %d)",
4281 skb->len, len);
4282 l2cap_conn_unreliable(conn, ECOMM);
4283 goto drop;
4284 }
4285
baa7e1fa 4286 chan = l2cap_get_chan_by_scid(conn, cid);
89794813 4287
48454079
GP		 4288 if (chan && chan->sk) {
4289 struct sock *sk = chan->sk;
89794813 4290
0c1bc5c6 4291 if (chan->imtu < len - L2CAP_HDR_SIZE) {
48454079
GP		 4292 BT_ERR("Frame exceeding recv MTU (len %d, "
4293 "MTU %d)", len,
0c1bc5c6 4294 chan->imtu);
48454079
GP		 4295 bh_unlock_sock(sk);
4296 l2cap_conn_unreliable(conn, ECOMM);
4297 goto drop;
4298 }
89794813 4299 bh_unlock_sock(sk);
48454079 4300 }
89794813 4301
1da177e4 4302 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 4303 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
4304 if (!conn->rx_skb)
1da177e4
LT		 4305 goto drop;
4306
d626f62b 4307 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4308 skb->len);
1da177e4
LT		 4309 conn->rx_len = len - skb->len;
4310 } else {
4311 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
4312
4313 if (!conn->rx_len) {
4314 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
4315 l2cap_conn_unreliable(conn, ECOMM);
4316 goto drop;
4317 }
4318
4319 if (skb->len > conn->rx_len) {
4320 BT_ERR("Fragment is too long (len %d, expected %d)",
4321 skb->len, conn->rx_len);
4322 kfree_skb(conn->rx_skb);
4323 conn->rx_skb = NULL;
4324 conn->rx_len = 0;
4325 l2cap_conn_unreliable(conn, ECOMM);
4326 goto drop;
4327 }
4328
d626f62b 4329 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4330 skb->len);
1da177e4
LT		 4331 conn->rx_len -= skb->len;
4332
4333 if (!conn->rx_len) {
4334 /* Complete frame received */
4335 l2cap_recv_frame(conn, conn->rx_skb);
4336 conn->rx_skb = NULL;
4337 }
4338 }
4339
4340drop:
4341 kfree_skb(skb);
4342 return 0;
4343}
4344
aef7d97c 4345static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 4346{
23691d75 4347 struct l2cap_chan *c;
1da177e4 4348
23691d75 4349 read_lock_bh(&chan_list_lock);
1da177e4 4350
23691d75
GP		 4351 list_for_each_entry(c, &chan_list, global_l) {
4352 struct sock *sk = c->sk;
101545f6 4353
903d343e 4354 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
aef7d97c
MH		 4355 batostr(&bt_sk(sk)->src),
4356 batostr(&bt_sk(sk)->dst),
23691d75
GP		 4357 sk->sk_state, __le16_to_cpu(c->psm),
4358 c->scid, c->dcid, c->imtu, c->omtu,
4359 c->sec_level, c->mode);
be9d1227 4360 }
1da177e4 4361
23691d75 4362 read_unlock_bh(&chan_list_lock);
1da177e4 4363
aef7d97c 4364 return 0;
1da177e4
LT		 4365}
4366
aef7d97c
MH		 4367static int l2cap_debugfs_open(struct inode *inode, struct file *file)
4368{
4369 return single_open(file, l2cap_debugfs_show, inode->i_private);
4370}
4371
4372static const struct file_operations l2cap_debugfs_fops = {
4373 .open = l2cap_debugfs_open,
4374 .read = seq_read,
4375 .llseek = seq_lseek,
4376 .release = single_release,
4377};
4378
4379static struct dentry *l2cap_debugfs;
1da177e4 4380
1da177e4
LT		 4381static struct hci_proto l2cap_hci_proto = {
4382 .name = "L2CAP",
4383 .id = HCI_PROTO_L2CAP,
4384 .connect_ind = l2cap_connect_ind,
4385 .connect_cfm = l2cap_connect_cfm,
4386 .disconn_ind = l2cap_disconn_ind,
2950f21a 4387 .disconn_cfm = l2cap_disconn_cfm,
8c1b2355 4388 .security_cfm = l2cap_security_cfm,
1da177e4
LT		 4389 .recv_acldata = l2cap_recv_acldata
4390};
4391
64274518 4392int __init l2cap_init(void)
1da177e4
LT		 4393{
4394 int err;
be9d1227 4395
bb58f747 4396 err = l2cap_init_sockets();
1da177e4
LT		 4397 if (err < 0)
4398 return err;
4399
1890d36b 4400 _busy_wq = create_singlethread_workqueue("l2cap");
b78d7b4f 4401 if (!_busy_wq) {
bb58f747 4402 err = -ENOMEM;
1da177e4
LT		 4403 goto error;
4404 }
4405
4406 err = hci_register_proto(&l2cap_hci_proto);
4407 if (err < 0) {
4408 BT_ERR("L2CAP protocol registration failed");
4409 bt_sock_unregister(BTPROTO_L2CAP);
4410 goto error;
4411 }
4412
aef7d97c
MH		 4413 if (bt_debugfs) {
4414 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
4415 bt_debugfs, NULL, &l2cap_debugfs_fops);
4416 if (!l2cap_debugfs)
4417 BT_ERR("Failed to create L2CAP debug file");
4418 }
1da177e4 4419
1da177e4
LT		 4420 return 0;
4421
4422error:
b78d7b4f 4423 destroy_workqueue(_busy_wq);
bb58f747 4424 l2cap_cleanup_sockets();
1da177e4
LT		 4425 return err;
4426}
4427
64274518 4428void l2cap_exit(void)
1da177e4 4429{
aef7d97c 4430 debugfs_remove(l2cap_debugfs);
1da177e4 4431
1890d36b
GP		 4432 flush_workqueue(_busy_wq);
4433 destroy_workqueue(_busy_wq);
4434
1da177e4
LT		 4435 if (hci_unregister_proto(&l2cap_hci_proto) < 0)
4436 BT_ERR("L2CAP protocol unregistration failed");
4437
bb58f747 4438 l2cap_cleanup_sockets();
1da177e4
LT		 4439}
4440
d1c4a17d
GP		 4441module_param(disable_ertm, bool, 0644);
4442MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
kernel source for telekom puls (alcatel/mediatek)