projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Handle fragmented skbs in bt_sock_stream_recvmsg()
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
1da177e4
LT		 6
7 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License version 2 as
11 published by the Free Software Foundation;
12
13 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
14 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
15 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
16 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 17 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
18 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
19 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 20 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
21
8e87d142
YH		 22 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
23 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 24 SOFTWARE IS DISCLAIMED.
25*/
26
bb58f747 27/* Bluetooth L2CAP core. */
1da177e4 28
1da177e4
LT		 29#include <linux/module.h>
30
31#include <linux/types.h>
4fc268d2 32#include <linux/capability.h>
1da177e4
LT		 33#include <linux/errno.h>
34#include <linux/kernel.h>
1da177e4
LT		 35#include <linux/sched.h>
36#include <linux/slab.h>
37#include <linux/poll.h>
38#include <linux/fcntl.h>
39#include <linux/init.h>
40#include <linux/interrupt.h>
41#include <linux/socket.h>
42#include <linux/skbuff.h>
1da177e4 43#include <linux/list.h>
be9d1227 44#include <linux/device.h>
aef7d97c
MH		 45#include <linux/debugfs.h>
46#include <linux/seq_file.h>
af05b30b 47#include <linux/uaccess.h>
fcc203c3 48#include <linux/crc16.h>
1da177e4
LT		 49#include <net/sock.h>
50
51#include <asm/system.h>
1da177e4
LT		 52#include <asm/unaligned.h>
53
54#include <net/bluetooth/bluetooth.h>
55#include <net/bluetooth/hci_core.h>
56#include <net/bluetooth/l2cap.h>
b501d6a1 57#include <net/bluetooth/smp.h>
1da177e4 58
bb58f747 59int disable_ertm;
f0709e03 60
47ec1dcd 61static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
e1027a7c 62static u8 l2cap_fixed_chan[8] = { 0x02, };
1da177e4 63
b5ad8b7f
JB		 64static LIST_HEAD(chan_list);
65static DEFINE_RWLOCK(chan_list_lock);
1da177e4 66
1da177e4
LT		 67static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
68 u8 code, u8 ident, u16 dlen, void *data);
4519de9a
GP		 69static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
70 void *data);
710f9b0a 71static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
4519de9a
GP		 72static void l2cap_send_disconn_req(struct l2cap_conn *conn,
73 struct l2cap_chan *chan, int err);
1da177e4 74
218bb9df
GP		 75static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb);
76
0139418c 77/* ---- L2CAP channels ---- */
71ba0e56
GP		 78
79static inline void chan_hold(struct l2cap_chan *c)
80{
81 atomic_inc(&c->refcnt);
82}
83
84static inline void chan_put(struct l2cap_chan *c)
85{
86 if (atomic_dec_and_test(&c->refcnt))
87 kfree(c);
88}
89
baa7e1fa 90static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
0139418c 91{
48454079 92 struct l2cap_chan *c;
baa7e1fa
GP		 93
94 list_for_each_entry(c, &conn->chan_l, list) {
fe4128e0 95 if (c->dcid == cid)
baa7e1fa 96 return c;
0139418c 97 }
baa7e1fa
GP		 98 return NULL;
99
0139418c
MH		 100}
101
baa7e1fa 102static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 103{
48454079 104 struct l2cap_chan *c;
baa7e1fa
GP		 105
106 list_for_each_entry(c, &conn->chan_l, list) {
fe4128e0 107 if (c->scid == cid)
baa7e1fa 108 return c;
0139418c 109 }
baa7e1fa 110 return NULL;
0139418c
MH		 111}
112
113/* Find channel with given SCID.
114 * Returns locked socket */
baa7e1fa 115static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 116{
48454079 117 struct l2cap_chan *c;
baa7e1fa
GP		 118
119 read_lock(&conn->chan_lock);
120 c = __l2cap_get_chan_by_scid(conn, cid);
48454079
GP		 121 if (c)
122 bh_lock_sock(c->sk);
baa7e1fa 123 read_unlock(&conn->chan_lock);
48454079 124 return c;
0139418c
MH		 125}
126
baa7e1fa 127static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 128{
48454079 129 struct l2cap_chan *c;
baa7e1fa
GP		 130
131 list_for_each_entry(c, &conn->chan_l, list) {
fc7f8a7e 132 if (c->ident == ident)
baa7e1fa 133 return c;
0139418c 134 }
baa7e1fa 135 return NULL;
0139418c
MH		 136}
137
baa7e1fa 138static inline struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 139{
48454079 140 struct l2cap_chan *c;
baa7e1fa
GP		 141
142 read_lock(&conn->chan_lock);
143 c = __l2cap_get_chan_by_ident(conn, ident);
48454079
GP		 144 if (c)
145 bh_lock_sock(c->sk);
baa7e1fa 146 read_unlock(&conn->chan_lock);
48454079 147 return c;
0139418c
MH		 148}
149
23691d75 150static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 151{
23691d75 152 struct l2cap_chan *c;
9e4425ff 153
23691d75
GP		 154 list_for_each_entry(c, &chan_list, global_l) {
155 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
9e4425ff
GP		 156 goto found;
157 }
158
23691d75 159 c = NULL;
9e4425ff 160found:
23691d75 161 return c;
9e4425ff
GP		 162}
163
164int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
165{
73b2ec18
GP		 166 int err;
167
23691d75 168 write_lock_bh(&chan_list_lock);
9e4425ff 169
23691d75 170 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 171 err = -EADDRINUSE;
172 goto done;
9e4425ff
GP		 173 }
174
73b2ec18
GP		 175 if (psm) {
176 chan->psm = psm;
177 chan->sport = psm;
178 err = 0;
179 } else {
180 u16 p;
181
182 err = -EINVAL;
183 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 184 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 185 chan->psm = cpu_to_le16(p);
186 chan->sport = cpu_to_le16(p);
187 err = 0;
188 break;
189 }
190 }
9e4425ff 191
73b2ec18 192done:
23691d75 193 write_unlock_bh(&chan_list_lock);
73b2ec18 194 return err;
9e4425ff
GP		 195}
196
197int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
198{
23691d75 199 write_lock_bh(&chan_list_lock);
9e4425ff
GP		 200
201 chan->scid = scid;
202
23691d75 203 write_unlock_bh(&chan_list_lock);
9e4425ff
GP		 204
205 return 0;
206}
207
baa7e1fa 208static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 209{
8db4dc46 210 u16 cid = L2CAP_CID_DYN_START;
0139418c 211
8db4dc46 212 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 213 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 214 return cid;
215 }
216
217 return 0;
218}
219
c9b66675 220static void l2cap_set_timer(struct l2cap_chan *chan, struct timer_list *timer, long timeout)
ab07801d 221{
774e5651 222 BT_DBG("chan %p state %d timeout %ld", chan->sk, chan->state, timeout);
89bc500e 223
942ecc9c 224 if (!mod_timer(timer, jiffies + msecs_to_jiffies(timeout)))
774e5651 225 chan_hold(chan);
ab07801d
GP		 226}
227
c9b66675 228static void l2cap_clear_timer(struct l2cap_chan *chan, struct timer_list *timer)
ab07801d 229{
774e5651 230 BT_DBG("chan %p state %d", chan, chan->state);
ab07801d 231
774e5651
MM		 232 if (timer_pending(timer) && del_timer(timer))
233 chan_put(chan);
ab07801d
GP		 234}
235
89bc500e
GP		 236static void l2cap_state_change(struct l2cap_chan *chan, int state)
237{
238 chan->state = state;
239 chan->ops->state_change(chan->data, state);
240}
241
ab07801d
GP		 242static void l2cap_chan_timeout(unsigned long arg)
243{
244 struct l2cap_chan *chan = (struct l2cap_chan *) arg;
245 struct sock *sk = chan->sk;
246 int reason;
247
89bc500e 248 BT_DBG("chan %p state %d", chan, chan->state);
ab07801d
GP		 249
250 bh_lock_sock(sk);
251
252 if (sock_owned_by_user(sk)) {
253 /* sk is owned by user. Try again later */
c9b66675 254 __set_chan_timer(chan, HZ / 5);
ab07801d 255 bh_unlock_sock(sk);
71ba0e56 256 chan_put(chan);
ab07801d
GP		 257 return;
258 }
259
89bc500e 260 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 261 reason = ECONNREFUSED;
89bc500e 262 else if (chan->state == BT_CONNECT &&
ab07801d
GP		 263 chan->sec_level != BT_SECURITY_SDP)
264 reason = ECONNREFUSED;
265 else
266 reason = ETIMEDOUT;
267
0f852724 268 l2cap_chan_close(chan, reason);
ab07801d
GP		 269
270 bh_unlock_sock(sk);
271
ba3bd0ee 272 chan->ops->close(chan->data);
71ba0e56 273 chan_put(chan);
ab07801d
GP		 274}
275
23691d75 276struct l2cap_chan *l2cap_chan_create(struct sock *sk)
48454079
GP		 277{
278 struct l2cap_chan *chan;
279
280 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
281 if (!chan)
282 return NULL;
283
284 chan->sk = sk;
285
23691d75
GP		 286 write_lock_bh(&chan_list_lock);
287 list_add(&chan->global_l, &chan_list);
288 write_unlock_bh(&chan_list_lock);
289
ab07801d
GP		 290 setup_timer(&chan->chan_timer, l2cap_chan_timeout, (unsigned long) chan);
291
89bc500e
GP		 292 chan->state = BT_OPEN;
293
71ba0e56
GP		 294 atomic_set(&chan->refcnt, 1);
295
48454079
GP		 296 return chan;
297}
298
23691d75 299void l2cap_chan_destroy(struct l2cap_chan *chan)
6ff5abbf 300{
23691d75
GP		 301 write_lock_bh(&chan_list_lock);
302 list_del(&chan->global_l);
303 write_unlock_bh(&chan_list_lock);
304
71ba0e56 305 chan_put(chan);
6ff5abbf
GP		 306}
307
48454079 308static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 309{
af05b30b 310 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
fe4128e0 311 chan->psm, chan->dcid);
0139418c 312
2950f21a
MH		 313 conn->disc_reason = 0x13;
314
8c1d787b 315 chan->conn = conn;
0139418c 316
715ec005 317 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
b62f328b
VT		 318 if (conn->hcon->type == LE_LINK) {
319 /* LE connection */
0c1bc5c6 320 chan->omtu = L2CAP_LE_DEFAULT_MTU;
fe4128e0
GP		 321 chan->scid = L2CAP_CID_LE_DATA;
322 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 323 } else {
324 /* Alloc CID for connection-oriented socket */
fe4128e0 325 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 326 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 327 }
715ec005 328 } else if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
0139418c 329 /* Connectionless socket */
fe4128e0
GP		 330 chan->scid = L2CAP_CID_CONN_LESS;
331 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 332 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 333 } else {
334 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 335 chan->scid = L2CAP_CID_SIGNALING;
336 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 337 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 338 }
339
71ba0e56 340 chan_hold(chan);
baa7e1fa
GP		 341
342 list_add(&chan->list, &conn->chan_l);
0139418c
MH		 343}
344
8e87d142 345/* Delete channel.
0139418c 346 * Must be called on the locked socket. */
4519de9a 347static void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 348{
48454079 349 struct sock *sk = chan->sk;
8c1d787b 350 struct l2cap_conn *conn = chan->conn;
0139418c
MH		 351 struct sock *parent = bt_sk(sk)->parent;
352
c9b66675 353 __clear_chan_timer(chan);
0139418c 354
49208c9c 355 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 356
8e87d142 357 if (conn) {
baa7e1fa
GP		 358 /* Delete from channel list */
359 write_lock_bh(&conn->chan_lock);
360 list_del(&chan->list);
361 write_unlock_bh(&conn->chan_lock);
71ba0e56 362 chan_put(chan);
baa7e1fa 363
8c1d787b 364 chan->conn = NULL;
0139418c
MH		 365 hci_conn_put(conn->hcon);
366 }
367
89bc500e 368 l2cap_state_change(chan, BT_CLOSED);
0139418c
MH		 369 sock_set_flag(sk, SOCK_ZAPPED);
370
371 if (err)
372 sk->sk_err = err;
373
374 if (parent) {
375 bt_accept_unlink(sk);
376 parent->sk_data_ready(parent, 0);
377 } else
378 sk->sk_state_change(sk);
c13ffa62 379
c1360a1c
GP		 380 if (!(test_bit(CONF_OUTPUT_DONE, &chan->conf_state) &&
381 test_bit(CONF_INPUT_DONE, &chan->conf_state)))
6ff5abbf 382 return;
2ead70b8 383
58d35f87 384 skb_queue_purge(&chan->tx_q);
c13ffa62 385
0c1bc5c6 386 if (chan->mode == L2CAP_MODE_ERTM) {
c13ffa62
GP		 387 struct srej_list *l, *tmp;
388
1a09bcb9
GP		 389 __clear_retrans_timer(chan);
390 __clear_monitor_timer(chan);
391 __clear_ack_timer(chan);
c13ffa62 392
f1c6775b 393 skb_queue_purge(&chan->srej_q);
c13ffa62 394
39d5a3ee 395 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
c13ffa62
GP		 396 list_del(&l->list);
397 kfree(l);
398 }
399 }
0139418c
MH		 400}
401
4519de9a
GP		 402static void l2cap_chan_cleanup_listen(struct sock *parent)
403{
404 struct sock *sk;
405
406 BT_DBG("parent %p", parent);
407
408 /* Close not yet accepted channels */
0f852724 409 while ((sk = bt_accept_dequeue(parent, NULL))) {
ba3bd0ee 410 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
c9b66675 411 __clear_chan_timer(chan);
0f852724 412 lock_sock(sk);
ba3bd0ee 413 l2cap_chan_close(chan, ECONNRESET);
0f852724 414 release_sock(sk);
ba3bd0ee 415 chan->ops->close(chan->data);
0f852724 416 }
4519de9a
GP		 417}
418
0f852724 419void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 420{
421 struct l2cap_conn *conn = chan->conn;
422 struct sock *sk = chan->sk;
423
89bc500e 424 BT_DBG("chan %p state %d socket %p", chan, chan->state, sk->sk_socket);
4519de9a 425
89bc500e 426 switch (chan->state) {
4519de9a
GP		 427 case BT_LISTEN:
428 l2cap_chan_cleanup_listen(sk);
89bc500e
GP		 429
430 l2cap_state_change(chan, BT_CLOSED);
431 sock_set_flag(sk, SOCK_ZAPPED);
4519de9a
GP		 432 break;
433
434 case BT_CONNECTED:
435 case BT_CONFIG:
715ec005 436 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a 437 conn->hcon->type == ACL_LINK) {
c9b66675
GP		 438 __clear_chan_timer(chan);
439 __set_chan_timer(chan, sk->sk_sndtimeo);
4519de9a
GP		 440 l2cap_send_disconn_req(conn, chan, reason);
441 } else
442 l2cap_chan_del(chan, reason);
443 break;
444
445 case BT_CONNECT2:
715ec005 446 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a
GP		 447 conn->hcon->type == ACL_LINK) {
448 struct l2cap_conn_rsp rsp;
449 __u16 result;
450
451 if (bt_sk(sk)->defer_setup)
452 result = L2CAP_CR_SEC_BLOCK;
453 else
454 result = L2CAP_CR_BAD_PSM;
89bc500e 455 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 456
457 rsp.scid = cpu_to_le16(chan->dcid);
458 rsp.dcid = cpu_to_le16(chan->scid);
459 rsp.result = cpu_to_le16(result);
460 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
461 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
462 sizeof(rsp), &rsp);
463 }
464
465 l2cap_chan_del(chan, reason);
466 break;
467
468 case BT_CONNECT:
469 case BT_DISCONN:
470 l2cap_chan_del(chan, reason);
471 break;
472
473 default:
474 sock_set_flag(sk, SOCK_ZAPPED);
475 break;
476 }
477}
478
4343478f 479static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 480{
715ec005 481 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 482 switch (chan->sec_level) {
8556edd3
JH		 483 case BT_SECURITY_HIGH:
484 return HCI_AT_DEDICATED_BONDING_MITM;
485 case BT_SECURITY_MEDIUM:
486 return HCI_AT_DEDICATED_BONDING;
487 default:
488 return HCI_AT_NO_BONDING;
489 }
fe4128e0 490 } else if (chan->psm == cpu_to_le16(0x0001)) {
4343478f
GP		 491 if (chan->sec_level == BT_SECURITY_LOW)
492 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 493
4343478f 494 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 495 return HCI_AT_NO_BONDING_MITM;
00ae4af9 496 else
8556edd3 497 return HCI_AT_NO_BONDING;
00ae4af9 498 } else {
4343478f 499 switch (chan->sec_level) {
00ae4af9 500 case BT_SECURITY_HIGH:
8556edd3 501 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 502 case BT_SECURITY_MEDIUM:
8556edd3 503 return HCI_AT_GENERAL_BONDING;
00ae4af9 504 default:
8556edd3 505 return HCI_AT_NO_BONDING;
00ae4af9 506 }
0684e5f9 507 }
8556edd3
JH		 508}
509
510/* Service level security */
4343478f 511static inline int l2cap_check_security(struct l2cap_chan *chan)
8556edd3 512{
8c1d787b 513 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 514 __u8 auth_type;
515
4343478f 516 auth_type = l2cap_get_auth_type(chan);
79d554a6 517
4343478f 518 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 519}
520
b5ad8b7f 521static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 522{
523 u8 id;
524
525 /* Get next available identificator.
526 * 1 - 128 are used by kernel.
527 * 129 - 199 are reserved.
528 * 200 - 254 are used by utilities like l2ping, etc.
529 */
530
531 spin_lock_bh(&conn->lock);
532
533 if (++conn->tx_ident > 128)
534 conn->tx_ident = 1;
535
536 id = conn->tx_ident;
537
538 spin_unlock_bh(&conn->lock);
539
540 return id;
541}
542
4519de9a 543static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
4e8402a3
MH		 544{
545 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 546 u8 flags;
4e8402a3
MH		 547
548 BT_DBG("code 0x%2.2x", code);
549
550 if (!skb)
9a9c6a34 551 return;
4e8402a3 552
e702112f
AE		 553 if (lmp_no_flush_capable(conn->hcon->hdev))
554 flags = ACL_START_NO_FLUSH;
555 else
556 flags = ACL_START;
557
14b12d0b
JG		 558 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
559
e702112f 560 hci_send_acl(conn->hcon, skb, flags);
4e8402a3
MH		 561}
562
525cd185 563static inline void l2cap_send_sframe(struct l2cap_chan *chan, u16 control)
1c2acffb
GP		 564{
565 struct sk_buff *skb;
566 struct l2cap_hdr *lh;
8c1d787b 567 struct l2cap_conn *conn = chan->conn;
fcc203c3 568 int count, hlen = L2CAP_HDR_SIZE + 2;
e702112f 569 u8 flags;
fcc203c3 570
89bc500e 571 if (chan->state != BT_CONNECTED)
c13ffa62
GP		 572 return;
573
47d1ec61 574 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3 575 hlen += 2;
1c2acffb 576
49208c9c 577 BT_DBG("chan %p, control 0x%2.2x", chan, control);
1c2acffb 578
fcc203c3 579 count = min_t(unsigned int, conn->mtu, hlen);
1c2acffb
GP		 580 control |= L2CAP_CTRL_FRAME_TYPE;
581
e2ab4353 582 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
9e917af1 583 control |= L2CAP_CTRL_FINAL;
9e917af1 584
e2ab4353 585 if (test_and_clear_bit(CONN_SEND_PBIT, &chan->conn_state))
f0946ccf 586 control |= L2CAP_CTRL_POLL;
f0946ccf 587
1c2acffb
GP		 588 skb = bt_skb_alloc(count, GFP_ATOMIC);
589 if (!skb)
9a9c6a34 590 return;
1c2acffb
GP		 591
592 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fcc203c3 593 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
fe4128e0 594 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb
GP		 595 put_unaligned_le16(control, skb_put(skb, 2));
596
47d1ec61 597 if (chan->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 598 u16 fcs = crc16(0, (u8 *)lh, count - 2);
599 put_unaligned_le16(fcs, skb_put(skb, 2));
600 }
601
e702112f
AE		 602 if (lmp_no_flush_capable(conn->hcon->hdev))
603 flags = ACL_START_NO_FLUSH;
604 else
605 flags = ACL_START;
606
14b12d0b
JG		 607 bt_cb(skb)->force_active = chan->force_active;
608
8c1d787b 609 hci_send_acl(chan->conn->hcon, skb, flags);
1c2acffb
GP		 610}
611
525cd185 612static inline void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, u16 control)
7e743090 613{
e2ab4353 614 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
7e743090 615 control |= L2CAP_SUPER_RCV_NOT_READY;
e2ab4353 616 set_bit(CONN_RNR_SENT, &chan->conn_state);
1890d36b 617 } else
7e743090
GP		 618 control |= L2CAP_SUPER_RCV_READY;
619
42e5c802 620 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
2ab25cdd 621
525cd185 622 l2cap_send_sframe(chan, control);
7e743090
GP		 623}
624
b4450035 625static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 626{
c1360a1c 627 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 628}
629
fc7f8a7e 630static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 631{
8c1d787b 632 struct l2cap_conn *conn = chan->conn;
79d554a6
MH		 633
634 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 635 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
636 return;
637
4343478f
GP		 638 if (l2cap_check_security(chan) &&
639 __l2cap_no_conn_pending(chan)) {
b1235d79 640 struct l2cap_conn_req req;
fe4128e0
GP		 641 req.scid = cpu_to_le16(chan->scid);
642 req.psm = chan->psm;
79d554a6 643
fc7f8a7e 644 chan->ident = l2cap_get_ident(conn);
c1360a1c 645 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
79d554a6 646
fc7f8a7e
GP		 647 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
648 sizeof(req), &req);
b1235d79 649 }
79d554a6
MH		 650 } else {
651 struct l2cap_info_req req;
652 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
653
654 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
655 conn->info_ident = l2cap_get_ident(conn);
656
657 mod_timer(&conn->info_timer, jiffies +
658 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
659
660 l2cap_send_cmd(conn, conn->info_ident,
661 L2CAP_INFO_REQ, sizeof(req), &req);
662 }
663}
664
cf6c2c0b
GP		 665static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
666{
667 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 668 if (!disable_ertm)
cf6c2c0b
GP		 669 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
670
671 switch (mode) {
672 case L2CAP_MODE_ERTM:
673 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
674 case L2CAP_MODE_STREAMING:
675 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
676 default:
677 return 0x00;
678 }
679}
680
4519de9a 681static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
22121fc9 682{
e92c8e70 683 struct sock *sk;
22121fc9
GP		 684 struct l2cap_disconn_req req;
685
c13ffa62
GP		 686 if (!conn)
687 return;
688
e92c8e70
GP		 689 sk = chan->sk;
690
0c1bc5c6 691 if (chan->mode == L2CAP_MODE_ERTM) {
1a09bcb9
GP		 692 __clear_retrans_timer(chan);
693 __clear_monitor_timer(chan);
694 __clear_ack_timer(chan);
c13ffa62
GP		 695 }
696
fe4128e0
GP		 697 req.dcid = cpu_to_le16(chan->dcid);
698 req.scid = cpu_to_le16(chan->scid);
22121fc9
GP		 699 l2cap_send_cmd(conn, l2cap_get_ident(conn),
700 L2CAP_DISCONN_REQ, sizeof(req), &req);
c13ffa62 701
89bc500e 702 l2cap_state_change(chan, BT_DISCONN);
9b108fc0 703 sk->sk_err = err;
22121fc9
GP		 704}
705
1da177e4 706/* ---- L2CAP connections ---- */
4e8402a3
MH		 707static void l2cap_conn_start(struct l2cap_conn *conn)
708{
820ffdb3 709 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 710
711 BT_DBG("conn %p", conn);
712
baa7e1fa 713 read_lock(&conn->chan_lock);
4e8402a3 714
820ffdb3 715 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 716 struct sock *sk = chan->sk;
baa7e1fa 717
4e8402a3
MH		 718 bh_lock_sock(sk);
719
715ec005 720 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
79d554a6
MH		 721 bh_unlock_sock(sk);
722 continue;
723 }
724
89bc500e 725 if (chan->state == BT_CONNECT) {
47731de7 726 struct l2cap_conn_req req;
79d554a6 727
4343478f 728 if (!l2cap_check_security(chan) ||
b4450035 729 !__l2cap_no_conn_pending(chan)) {
47731de7
GP		 730 bh_unlock_sock(sk);
731 continue;
732 }
79d554a6 733
c1360a1c
GP		 734 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
735 && test_bit(CONF_STATE2_DEVICE,
736 &chan->conf_state)) {
0f852724 737 /* l2cap_chan_close() calls list_del(chan)
820ffdb3 738 * so release the lock */
2461daac 739 read_unlock(&conn->chan_lock);
89bc500e 740 l2cap_chan_close(chan, ECONNRESET);
2461daac 741 read_lock(&conn->chan_lock);
47731de7
GP		 742 bh_unlock_sock(sk);
743 continue;
b1235d79 744 }
47731de7 745
fe4128e0
GP		 746 req.scid = cpu_to_le16(chan->scid);
747 req.psm = chan->psm;
47731de7 748
fc7f8a7e 749 chan->ident = l2cap_get_ident(conn);
c1360a1c 750 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
47731de7 751
fc7f8a7e
GP		 752 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
753 sizeof(req), &req);
47731de7 754
89bc500e 755 } else if (chan->state == BT_CONNECT2) {
79d554a6 756 struct l2cap_conn_rsp rsp;
e9aeb2dd 757 char buf[128];
fe4128e0
GP		 758 rsp.scid = cpu_to_le16(chan->dcid);
759 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 760
4343478f 761 if (l2cap_check_security(chan)) {
f66dc81f
MH		 762 if (bt_sk(sk)->defer_setup) {
763 struct sock *parent = bt_sk(sk)->parent;
764 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
765 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
05e9a2f6
IK		 766 if (parent)
767 parent->sk_data_ready(parent, 0);
f66dc81f
MH		 768
769 } else {
89bc500e 770 l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 771 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
772 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
773 }
79d554a6
MH		 774 } else {
775 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
776 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
777 }
778
fc7f8a7e
GP		 779 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
780 sizeof(rsp), &rsp);
e9aeb2dd 781
c1360a1c 782 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
e9aeb2dd
GP		 783 rsp.result != L2CAP_CR_SUCCESS) {
784 bh_unlock_sock(sk);
785 continue;
786 }
787
c1360a1c 788 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 789 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 790 l2cap_build_conf_req(chan, buf), buf);
791 chan->num_conf_req++;
4e8402a3
MH		 792 }
793
794 bh_unlock_sock(sk);
795 }
796
baa7e1fa 797 read_unlock(&conn->chan_lock);
4e8402a3
MH		 798}
799
b62f328b
VT		 800/* Find socket with cid and source bdaddr.
801 * Returns closest match, locked.
802 */
23691d75 803static struct l2cap_chan *l2cap_global_chan_by_scid(int state, __le16 cid, bdaddr_t *src)
b62f328b 804{
23691d75 805 struct l2cap_chan *c, *c1 = NULL;
b62f328b 806
23691d75 807 read_lock(&chan_list_lock);
b62f328b 808
23691d75
GP		 809 list_for_each_entry(c, &chan_list, global_l) {
810 struct sock *sk = c->sk;
fe4128e0 811
89bc500e 812 if (state && c->state != state)
b62f328b
VT		 813 continue;
814
23691d75 815 if (c->scid == cid) {
b62f328b 816 /* Exact match. */
23691d75
GP		 817 if (!bacmp(&bt_sk(sk)->src, src)) {
818 read_unlock(&chan_list_lock);
819 return c;
820 }
b62f328b
VT		 821
822 /* Closest match */
823 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
23691d75 824 c1 = c;
b62f328b
VT		 825 }
826 }
280f294f 827
23691d75 828 read_unlock(&chan_list_lock);
b62f328b 829
23691d75 830 return c1;
b62f328b
VT		 831}
832
833static void l2cap_le_conn_ready(struct l2cap_conn *conn)
834{
c916fbe4 835 struct sock *parent, *sk;
23691d75 836 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 837
838 BT_DBG("");
839
840 /* Check if we have socket listening on cid */
23691d75 841 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
b62f328b 842 conn->src);
23691d75 843 if (!pchan)
b62f328b
VT		 844 return;
845
23691d75
GP		 846 parent = pchan->sk;
847
62f3a2cf
GP		 848 bh_lock_sock(parent);
849
b62f328b
VT		 850 /* Check for backlog size */
851 if (sk_acceptq_is_full(parent)) {
852 BT_DBG("backlog full %d", parent->sk_ack_backlog);
853 goto clean;
854 }
855
80808e43
GP		 856 chan = pchan->ops->new_connection(pchan->data);
857 if (!chan)
b62f328b
VT		 858 goto clean;
859
80808e43 860 sk = chan->sk;
5d41ce1d 861
baa7e1fa 862 write_lock_bh(&conn->chan_lock);
b62f328b
VT		 863
864 hci_conn_hold(conn->hcon);
865
b62f328b
VT		 866 bacpy(&bt_sk(sk)->src, conn->src);
867 bacpy(&bt_sk(sk)->dst, conn->dst);
868
d1010240
GP		 869 bt_accept_enqueue(parent, sk);
870
48454079
GP		 871 __l2cap_chan_add(conn, chan);
872
c9b66675 873 __set_chan_timer(chan, sk->sk_sndtimeo);
b62f328b 874
89bc500e 875 l2cap_state_change(chan, BT_CONNECTED);
b62f328b
VT		 876 parent->sk_data_ready(parent, 0);
877
baa7e1fa 878 write_unlock_bh(&conn->chan_lock);
b62f328b
VT		 879
880clean:
881 bh_unlock_sock(parent);
882}
883
f1cb9af5
VCG		 884static void l2cap_chan_ready(struct sock *sk)
885{
886 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
887 struct sock *parent = bt_sk(sk)->parent;
888
889 BT_DBG("sk %p, parent %p", sk, parent);
890
891 chan->conf_state = 0;
892 __clear_chan_timer(chan);
893
43f3dc41 894 l2cap_state_change(chan, BT_CONNECTED);
f1cb9af5
VCG		 895 sk->sk_state_change(sk);
896
897 if (parent)
898 parent->sk_data_ready(parent, 0);
899}
900
4e8402a3
MH		 901static void l2cap_conn_ready(struct l2cap_conn *conn)
902{
48454079 903 struct l2cap_chan *chan;
4e8402a3 904
79d554a6 905 BT_DBG("conn %p", conn);
4e8402a3 906
b62f328b
VT		 907 if (!conn->hcon->out && conn->hcon->type == LE_LINK)
908 l2cap_le_conn_ready(conn);
909
160dc6ac
VCG		 910 if (conn->hcon->out && conn->hcon->type == LE_LINK)
911 smp_conn_security(conn, conn->hcon->pending_sec_level);
912
baa7e1fa 913 read_lock(&conn->chan_lock);
4e8402a3 914
baa7e1fa 915 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 916 struct sock *sk = chan->sk;
baa7e1fa 917
79d554a6 918 bh_lock_sock(sk);
4e8402a3 919
63128451 920 if (conn->hcon->type == LE_LINK) {
b501d6a1 921 if (smp_conn_security(conn, chan->sec_level))
f1cb9af5 922 l2cap_chan_ready(sk);
acd7d370 923
63128451 924 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 925 __clear_chan_timer(chan);
89bc500e 926 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 927 sk->sk_state_change(sk);
b501d6a1 928
89bc500e 929 } else if (chan->state == BT_CONNECT)
fc7f8a7e 930 l2cap_do_start(chan);
4e8402a3 931
79d554a6 932 bh_unlock_sock(sk);
4e8402a3 933 }
79d554a6 934
baa7e1fa 935 read_unlock(&conn->chan_lock);
4e8402a3
MH		 936}
937
938/* Notify sockets that we cannot guaranty reliability anymore */
939static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
940{
48454079 941 struct l2cap_chan *chan;
4e8402a3
MH		 942
943 BT_DBG("conn %p", conn);
944
baa7e1fa 945 read_lock(&conn->chan_lock);
4e8402a3 946
baa7e1fa 947 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 948 struct sock *sk = chan->sk;
baa7e1fa 949
4343478f 950 if (chan->force_reliable)
4e8402a3
MH		 951 sk->sk_err = err;
952 }
953
baa7e1fa 954 read_unlock(&conn->chan_lock);
4e8402a3
MH		 955}
956
957static void l2cap_info_timeout(unsigned long arg)
958{
959 struct l2cap_conn *conn = (void *) arg;
960
984947dc 961 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 962 conn->info_ident = 0;
984947dc 963
4e8402a3
MH		 964 l2cap_conn_start(conn);
965}
966
5d3de7df
VCG		 967static void l2cap_conn_del(struct hci_conn *hcon, int err)
968{
969 struct l2cap_conn *conn = hcon->l2cap_data;
970 struct l2cap_chan *chan, *l;
971 struct sock *sk;
972
973 if (!conn)
974 return;
975
976 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
977
978 kfree_skb(conn->rx_skb);
979
980 /* Kill channels */
981 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
982 sk = chan->sk;
983 bh_lock_sock(sk);
984 l2cap_chan_del(chan, err);
985 bh_unlock_sock(sk);
986 chan->ops->close(chan->data);
987 }
988
989 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
990 del_timer_sync(&conn->info_timer);
991
d26a2345 992 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->pend)) {
5d3de7df 993 del_timer(&conn->security_timer);
8aab4757 994 smp_chan_destroy(conn);
d26a2345 995 }
5d3de7df
VCG		 996
997 hcon->l2cap_data = NULL;
998 kfree(conn);
999}
1000
1001static void security_timeout(unsigned long arg)
1002{
1003 struct l2cap_conn *conn = (void *) arg;
1004
1005 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1006}
1007
1da177e4
LT		 1008static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1009{
0139418c 1010 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4 1011
0139418c 1012 if (conn || status)
1da177e4
LT		 1013 return conn;
1014
0139418c
MH		 1015 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
1016 if (!conn)
1da177e4 1017 return NULL;
1da177e4
LT		 1018
1019 hcon->l2cap_data = conn;
1020 conn->hcon = hcon;
1021
0139418c
MH		 1022 BT_DBG("hcon %p conn %p", hcon, conn);
1023
acd7d370
VT		 1024 if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
1025 conn->mtu = hcon->hdev->le_mtu;
1026 else
1027 conn->mtu = hcon->hdev->acl_mtu;
1028
1da177e4
LT		 1029 conn->src = &hcon->hdev->bdaddr;
1030 conn->dst = &hcon->dst;
1031
4e8402a3
MH		 1032 conn->feat_mask = 0;
1033
1da177e4 1034 spin_lock_init(&conn->lock);
baa7e1fa
GP		 1035 rwlock_init(&conn->chan_lock);
1036
1037 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 1038
5d3de7df
VCG		 1039 if (hcon->type == LE_LINK)
1040 setup_timer(&conn->security_timer, security_timeout,
1041 (unsigned long) conn);
1042 else
b62f328b 1043 setup_timer(&conn->info_timer, l2cap_info_timeout,
45054dc1
DY		 1044 (unsigned long) conn);
1045
2950f21a
MH		 1046 conn->disc_reason = 0x13;
1047
1da177e4
LT		 1048 return conn;
1049}
1050
48454079 1051static inline void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
1da177e4 1052{
baa7e1fa 1053 write_lock_bh(&conn->chan_lock);
48454079 1054 __l2cap_chan_add(conn, chan);
baa7e1fa 1055 write_unlock_bh(&conn->chan_lock);
1da177e4
LT		 1056}
1057
1da177e4 1058/* ---- Socket interface ---- */
1da177e4
LT		 1059
1060/* Find socket with psm and source bdaddr.
1061 * Returns closest match.
1062 */
23691d75 1063static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm, bdaddr_t *src)
1da177e4 1064{
23691d75 1065 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1066
23691d75 1067 read_lock(&chan_list_lock);
e0f0cb56 1068
23691d75
GP		 1069 list_for_each_entry(c, &chan_list, global_l) {
1070 struct sock *sk = c->sk;
fe4128e0 1071
89bc500e 1072 if (state && c->state != state)
1da177e4
LT		 1073 continue;
1074
23691d75 1075 if (c->psm == psm) {
1da177e4 1076 /* Exact match. */
23691d75 1077 if (!bacmp(&bt_sk(sk)->src, src)) {
a7567b20 1078 read_unlock(&chan_list_lock);
23691d75
GP		 1079 return c;
1080 }
1da177e4
LT		 1081
1082 /* Closest match */
1083 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
23691d75 1084 c1 = c;
1da177e4
LT		 1085 }
1086 }
1da177e4 1087
23691d75 1088 read_unlock(&chan_list_lock);
e0f0cb56 1089
23691d75 1090 return c1;
1da177e4
LT		 1091}
1092
77a74c7e 1093int l2cap_chan_connect(struct l2cap_chan *chan)
1da177e4 1094{
5d41ce1d 1095 struct sock *sk = chan->sk;
1da177e4
LT		 1096 bdaddr_t *src = &bt_sk(sk)->src;
1097 bdaddr_t *dst = &bt_sk(sk)->dst;
1098 struct l2cap_conn *conn;
1099 struct hci_conn *hcon;
1100 struct hci_dev *hdev;
09ab6f4c 1101 __u8 auth_type;
44d0e48e 1102 int err;
1da177e4 1103
f29972de 1104 BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
fe4128e0 1105 chan->psm);
1da177e4 1106
af05b30b
GP		 1107 hdev = hci_get_route(dst, src);
1108 if (!hdev)
1da177e4
LT		 1109 return -EHOSTUNREACH;
1110
1111 hci_dev_lock_bh(hdev);
1112
4343478f 1113 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1114
fe4128e0 1115 if (chan->dcid == L2CAP_CID_LE_DATA)
acd7d370 1116 hcon = hci_connect(hdev, LE_LINK, dst,
4343478f 1117 chan->sec_level, auth_type);
acd7d370
VT		 1118 else
1119 hcon = hci_connect(hdev, ACL_LINK, dst,
4343478f 1120 chan->sec_level, auth_type);
acd7d370 1121
30e76272
VT		 1122 if (IS_ERR(hcon)) {
1123 err = PTR_ERR(hcon);
1da177e4 1124 goto done;
30e76272 1125 }
1da177e4
LT		 1126
1127 conn = l2cap_conn_add(hcon, 0);
1128 if (!conn) {
1129 hci_conn_put(hcon);
30e76272 1130 err = -ENOMEM;
1da177e4
LT		 1131 goto done;
1132 }
1133
1da177e4
LT		 1134 /* Update source addr of the socket */
1135 bacpy(src, conn->src);
1136
48454079
GP		 1137 l2cap_chan_add(conn, chan);
1138
89bc500e 1139 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1140 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1141
1142 if (hcon->state == BT_CONNECTED) {
715ec005 1143 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1144 __clear_chan_timer(chan);
4343478f 1145 if (l2cap_check_security(chan))
89bc500e 1146 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1147 } else
fc7f8a7e 1148 l2cap_do_start(chan);
1da177e4
LT		 1149 }
1150
30e76272
VT		 1151 err = 0;
1152
1da177e4
LT		 1153done:
1154 hci_dev_unlock_bh(hdev);
1155 hci_dev_put(hdev);
1156 return err;
1157}
1158
dcba0dba 1159int __l2cap_wait_ack(struct sock *sk)
6161c038 1160{
8c1d787b 1161 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1162 DECLARE_WAITQUEUE(wait, current);
1163 int err = 0;
1164 int timeo = HZ/5;
1165
2b0b05dd 1166 add_wait_queue(sk_sleep(sk), &wait);
a71a0cf4
PH		 1167 set_current_state(TASK_INTERRUPTIBLE);
1168 while (chan->unacked_frames > 0 && chan->conn) {
6161c038
GP		 1169 if (!timeo)
1170 timeo = HZ/5;
1171
1172 if (signal_pending(current)) {
1173 err = sock_intr_errno(timeo);
1174 break;
1175 }
1176
1177 release_sock(sk);
1178 timeo = schedule_timeout(timeo);
1179 lock_sock(sk);
a71a0cf4 1180 set_current_state(TASK_INTERRUPTIBLE);
6161c038
GP		 1181
1182 err = sock_error(sk);
1183 if (err)
1184 break;
1185 }
1186 set_current_state(TASK_RUNNING);
2b0b05dd 1187 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1188 return err;
1189}
1190
e90bac06
GP		 1191static void l2cap_monitor_timeout(unsigned long arg)
1192{
525cd185
GP		 1193 struct l2cap_chan *chan = (void *) arg;
1194 struct sock *sk = chan->sk;
e90bac06 1195
525cd185 1196 BT_DBG("chan %p", chan);
0e98958d 1197
e686219a 1198 bh_lock_sock(sk);
2c03a7a4 1199 if (chan->retry_count >= chan->remote_max_tx) {
8c1d787b 1200 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
b13f5860 1201 bh_unlock_sock(sk);
e90bac06
GP		 1202 return;
1203 }
1204
6a026610 1205 chan->retry_count++;
1a09bcb9 1206 __set_monitor_timer(chan);
e90bac06 1207
525cd185 1208 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
e686219a 1209 bh_unlock_sock(sk);
e90bac06
GP		 1210}
1211
1212static void l2cap_retrans_timeout(unsigned long arg)
1213{
525cd185
GP		 1214 struct l2cap_chan *chan = (void *) arg;
1215 struct sock *sk = chan->sk;
e90bac06 1216
49208c9c 1217 BT_DBG("chan %p", chan);
0e98958d 1218
e686219a 1219 bh_lock_sock(sk);
6a026610 1220 chan->retry_count = 1;
1a09bcb9 1221 __set_monitor_timer(chan);
e90bac06 1222
e2ab4353 1223 set_bit(CONN_WAIT_F, &chan->conn_state);
e90bac06 1224
525cd185 1225 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
e686219a 1226 bh_unlock_sock(sk);
e90bac06
GP		 1227}
1228
42e5c802 1229static void l2cap_drop_acked_frames(struct l2cap_chan *chan)
1da177e4 1230{
1c2acffb 1231 struct sk_buff *skb;
1da177e4 1232
58d35f87 1233 while ((skb = skb_peek(&chan->tx_q)) &&
6a026610 1234 chan->unacked_frames) {
42e5c802 1235 if (bt_cb(skb)->tx_seq == chan->expected_ack_seq)
1c2acffb 1236 break;
1da177e4 1237
58d35f87 1238 skb = skb_dequeue(&chan->tx_q);
1c2acffb 1239 kfree_skb(skb);
1da177e4 1240
6a026610 1241 chan->unacked_frames--;
1c2acffb 1242 }
1da177e4 1243
6a026610 1244 if (!chan->unacked_frames)
1a09bcb9 1245 __clear_retrans_timer(chan);
1c2acffb 1246}
1da177e4 1247
4343478f 1248void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
1c2acffb 1249{
8c1d787b 1250 struct hci_conn *hcon = chan->conn->hcon;
e702112f 1251 u16 flags;
1c2acffb 1252
4343478f 1253 BT_DBG("chan %p, skb %p len %d", chan, skb, skb->len);
1da177e4 1254
4343478f 1255 if (!chan->flushable && lmp_no_flush_capable(hcon->hdev))
e702112f
AE		 1256 flags = ACL_START_NO_FLUSH;
1257 else
1258 flags = ACL_START;
1259
14b12d0b 1260 bt_cb(skb)->force_active = chan->force_active;
e702112f 1261 hci_send_acl(hcon, skb, flags);
1c2acffb
GP		 1262}
1263
42e5c802 1264void l2cap_streaming_send(struct l2cap_chan *chan)
6840ed07 1265{
ccbb84af 1266 struct sk_buff *skb;
fcc203c3 1267 u16 control, fcs;
6840ed07 1268
58d35f87 1269 while ((skb = skb_dequeue(&chan->tx_q))) {
ccbb84af 1270 control = get_unaligned_le16(skb->data + L2CAP_HDR_SIZE);
42e5c802 1271 control |= chan->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT;
ccbb84af 1272 put_unaligned_le16(control, skb->data + L2CAP_HDR_SIZE);
6840ed07 1273
47d1ec61 1274 if (chan->fcs == L2CAP_FCS_CRC16) {
ccbb84af
GP		 1275 fcs = crc16(0, (u8 *)skb->data, skb->len - 2);
1276 put_unaligned_le16(fcs, skb->data + skb->len - 2);
fcc203c3
GP		 1277 }
1278
4343478f 1279 l2cap_do_send(chan, skb);
6840ed07 1280
42e5c802 1281 chan->next_tx_seq = (chan->next_tx_seq + 1) % 64;
6840ed07 1282 }
6840ed07
GP		 1283}
1284
525cd185 1285static void l2cap_retransmit_one_frame(struct l2cap_chan *chan, u8 tx_seq)
8f17154f 1286{
8f17154f
GP		 1287 struct sk_buff *skb, *tx_skb;
1288 u16 control, fcs;
8f17154f 1289
58d35f87 1290 skb = skb_peek(&chan->tx_q);
f11d676d
GP		 1291 if (!skb)
1292 return;
8f17154f 1293
f11d676d
GP		 1294 do {
1295 if (bt_cb(skb)->tx_seq == tx_seq)
8f17154f 1296 break;
8f17154f 1297
58d35f87 1298 if (skb_queue_is_last(&chan->tx_q, skb))
f11d676d 1299 return;
8f17154f 1300
58d35f87 1301 } while ((skb = skb_queue_next(&chan->tx_q, skb)));
8f17154f 1302
2c03a7a4
GP		 1303 if (chan->remote_max_tx &&
1304 bt_cb(skb)->retries == chan->remote_max_tx) {
8c1d787b 1305 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
f11d676d
GP		 1306 return;
1307 }
1308
1309 tx_skb = skb_clone(skb, GFP_ATOMIC);
1310 bt_cb(skb)->retries++;
1311 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
a429b519 1312 control &= L2CAP_CTRL_SAR;
3cb123d1 1313
e2ab4353 1314 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
3cb123d1 1315 control |= L2CAP_CTRL_FINAL;
95ffa978 1316
42e5c802 1317 control |= (chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
f11d676d 1318 | (tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
3cb123d1 1319
f11d676d
GP		 1320 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1321
47d1ec61 1322 if (chan->fcs == L2CAP_FCS_CRC16) {
f11d676d
GP		 1323 fcs = crc16(0, (u8 *)tx_skb->data, tx_skb->len - 2);
1324 put_unaligned_le16(fcs, tx_skb->data + tx_skb->len - 2);
1325 }
1326
4343478f 1327 l2cap_do_send(chan, tx_skb);
8f17154f
GP		 1328}
1329
525cd185 1330int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1331{
1332 struct sk_buff *skb, *tx_skb;
fcc203c3 1333 u16 control, fcs;
9a9c6a34 1334 int nsent = 0;
1c2acffb 1335
89bc500e 1336 if (chan->state != BT_CONNECTED)
c13ffa62 1337 return -ENOTCONN;
e90bac06 1338
58d35f87 1339 while ((skb = chan->tx_send_head) && (!l2cap_tx_window_full(chan))) {
1c2acffb 1340
2c03a7a4
GP		 1341 if (chan->remote_max_tx &&
1342 bt_cb(skb)->retries == chan->remote_max_tx) {
8c1d787b 1343 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
e90bac06
GP		 1344 break;
1345 }
1346
e420aba3
AE		 1347 tx_skb = skb_clone(skb, GFP_ATOMIC);
1348
e90bac06
GP		 1349 bt_cb(skb)->retries++;
1350
1c2acffb 1351 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
95ffa978
GP		 1352 control &= L2CAP_CTRL_SAR;
1353
e2ab4353 1354 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
d5392c8f 1355 control |= L2CAP_CTRL_FINAL;
e2ab4353 1356
42e5c802
GP		 1357 control |= (chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1358 | (chan->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
1c2acffb
GP		 1359 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1360
e90bac06 1361
47d1ec61 1362 if (chan->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 1363 fcs = crc16(0, (u8 *)skb->data, tx_skb->len - 2);
1364 put_unaligned_le16(fcs, skb->data + tx_skb->len - 2);
1365 }
1366
4343478f 1367 l2cap_do_send(chan, tx_skb);
9a9c6a34 1368
1a09bcb9 1369 __set_retrans_timer(chan);
1c2acffb 1370
42e5c802
GP		 1371 bt_cb(skb)->tx_seq = chan->next_tx_seq;
1372 chan->next_tx_seq = (chan->next_tx_seq + 1) % 64;
1c2acffb 1373
23e9fde2 1374 if (bt_cb(skb)->retries == 1)
6a026610 1375 chan->unacked_frames++;
23e9fde2 1376
6a026610 1377 chan->frames_sent++;
1c2acffb 1378
58d35f87
GP		 1379 if (skb_queue_is_last(&chan->tx_q, skb))
1380 chan->tx_send_head = NULL;
1c2acffb 1381 else
58d35f87 1382 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
9e917af1
GP		 1383
1384 nsent++;
1c2acffb
GP		 1385 }
1386
9e917af1
GP		 1387 return nsent;
1388}
1389
525cd185 1390static int l2cap_retransmit_frames(struct l2cap_chan *chan)
dfc909be 1391{
dfc909be
GP		 1392 int ret;
1393
58d35f87
GP		 1394 if (!skb_queue_empty(&chan->tx_q))
1395 chan->tx_send_head = chan->tx_q.next;
dfc909be 1396
42e5c802 1397 chan->next_tx_seq = chan->expected_ack_seq;
525cd185 1398 ret = l2cap_ertm_send(chan);
dfc909be
GP		 1399 return ret;
1400}
1401
525cd185 1402static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 1403{
9e917af1
GP		 1404 u16 control = 0;
1405
42e5c802 1406 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
9e917af1 1407
e2ab4353 1408 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
9e917af1 1409 control |= L2CAP_SUPER_RCV_NOT_READY;
e2ab4353 1410 set_bit(CONN_RNR_SENT, &chan->conn_state);
525cd185 1411 l2cap_send_sframe(chan, control);
9a9c6a34 1412 return;
9e917af1 1413 }
dfc909be 1414
525cd185 1415 if (l2cap_ertm_send(chan) > 0)
dfc909be
GP		 1416 return;
1417
1418 control |= L2CAP_SUPER_RCV_READY;
525cd185 1419 l2cap_send_sframe(chan, control);
1c2acffb
GP		 1420}
1421
525cd185 1422static void l2cap_send_srejtail(struct l2cap_chan *chan)
99b0d4b7
GP		 1423{
1424 struct srej_list *tail;
1425 u16 control;
1426
1427 control = L2CAP_SUPER_SELECT_REJECT;
1428 control |= L2CAP_CTRL_FINAL;
1429
39d5a3ee 1430 tail = list_entry((&chan->srej_l)->prev, struct srej_list, list);
99b0d4b7
GP		 1431 control |= tail->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1432
525cd185 1433 l2cap_send_sframe(chan, control);
99b0d4b7
GP		 1434}
1435
1c2acffb
GP		 1436static inline int l2cap_skbuff_fromiovec(struct sock *sk, struct msghdr *msg, int len, int count, struct sk_buff *skb)
1437{
8c1d787b 1438 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
1c2acffb
GP		 1439 struct sk_buff **frag;
1440 int err, sent = 0;
1da177e4 1441
59203a21 1442 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1443 return -EFAULT;
1da177e4
LT		 1444
1445 sent += count;
1446 len -= count;
1447
1448 /* Continuation fragments (no L2CAP header) */
1449 frag = &skb_shinfo(skb)->frag_list;
1450 while (len) {
1451 count = min_t(unsigned int, conn->mtu, len);
1452
1453 *frag = bt_skb_send_alloc(sk, count, msg->msg_flags & MSG_DONTWAIT, &err);
1454 if (!*frag)
0175d629 1455 return err;
1c2acffb
GP		 1456 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1457 return -EFAULT;
1da177e4
LT		 1458
1459 sent += count;
1460 len -= count;
1461
1462 frag = &(*frag)->next;
1463 }
1da177e4
LT		 1464
1465 return sent;
1c2acffb 1466}
1da177e4 1467
fe4128e0 1468struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1c2acffb 1469{
fe4128e0 1470 struct sock *sk = chan->sk;
8c1d787b 1471 struct l2cap_conn *conn = chan->conn;
1c2acffb
GP		 1472 struct sk_buff *skb;
1473 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1474 struct l2cap_hdr *lh;
1475
1476 BT_DBG("sk %p len %d", sk, (int)len);
1477
1478 count = min_t(unsigned int, (conn->mtu - hlen), len);
1479 skb = bt_skb_send_alloc(sk, count + hlen,
1480 msg->msg_flags & MSG_DONTWAIT, &err);
1481 if (!skb)
0175d629 1482 return ERR_PTR(err);
1c2acffb
GP		 1483
1484 /* Create L2CAP header */
1485 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1486 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 1487 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
fe4128e0 1488 put_unaligned_le16(chan->psm, skb_put(skb, 2));
1c2acffb
GP		 1489
1490 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1491 if (unlikely(err < 0)) {
1492 kfree_skb(skb);
1493 return ERR_PTR(err);
1494 }
1495 return skb;
1496}
1497
fe4128e0 1498struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1c2acffb 1499{
fe4128e0 1500 struct sock *sk = chan->sk;
8c1d787b 1501 struct l2cap_conn *conn = chan->conn;
1c2acffb
GP		 1502 struct sk_buff *skb;
1503 int err, count, hlen = L2CAP_HDR_SIZE;
1504 struct l2cap_hdr *lh;
1505
1506 BT_DBG("sk %p len %d", sk, (int)len);
1507
1508 count = min_t(unsigned int, (conn->mtu - hlen), len);
1509 skb = bt_skb_send_alloc(sk, count + hlen,
1510 msg->msg_flags & MSG_DONTWAIT, &err);
1511 if (!skb)
0175d629 1512 return ERR_PTR(err);
1c2acffb
GP		 1513
1514 /* Create L2CAP header */
1515 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1516 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb
GP		 1517 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1518
1519 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1520 if (unlikely(err < 0)) {
1521 kfree_skb(skb);
1522 return ERR_PTR(err);
1523 }
1524 return skb;
1525}
1526
ab0ff76d
LAD		 1527static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
1528 struct msghdr *msg, size_t len,
1529 u16 control, u16 sdulen)
1c2acffb 1530{
47d1ec61 1531 struct sock *sk = chan->sk;
8c1d787b 1532 struct l2cap_conn *conn = chan->conn;
1c2acffb
GP		 1533 struct sk_buff *skb;
1534 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1535 struct l2cap_hdr *lh;
1536
1537 BT_DBG("sk %p len %d", sk, (int)len);
1538
0ee0d208
GP		 1539 if (!conn)
1540 return ERR_PTR(-ENOTCONN);
1541
c74e560c
GP		 1542 if (sdulen)
1543 hlen += 2;
1544
47d1ec61 1545 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3
GP		 1546 hlen += 2;
1547
1c2acffb
GP		 1548 count = min_t(unsigned int, (conn->mtu - hlen), len);
1549 skb = bt_skb_send_alloc(sk, count + hlen,
1550 msg->msg_flags & MSG_DONTWAIT, &err);
1551 if (!skb)
0175d629 1552 return ERR_PTR(err);
1c2acffb
GP		 1553
1554 /* Create L2CAP header */
1555 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1556 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb
GP		 1557 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1558 put_unaligned_le16(control, skb_put(skb, 2));
c74e560c
GP		 1559 if (sdulen)
1560 put_unaligned_le16(sdulen, skb_put(skb, 2));
1c2acffb
GP		 1561
1562 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1563 if (unlikely(err < 0)) {
1564 kfree_skb(skb);
1565 return ERR_PTR(err);
1566 }
e90bac06 1567
47d1ec61 1568 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3
GP		 1569 put_unaligned_le16(0, skb_put(skb, 2));
1570
e90bac06 1571 bt_cb(skb)->retries = 0;
1c2acffb 1572 return skb;
1da177e4
LT		 1573}
1574
2c03a7a4 1575int l2cap_sar_segment_sdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
c74e560c 1576{
c74e560c
GP		 1577 struct sk_buff *skb;
1578 struct sk_buff_head sar_queue;
1579 u16 control;
1580 size_t size = 0;
1581
ff12fd64 1582 skb_queue_head_init(&sar_queue);
c74e560c 1583 control = L2CAP_SDU_START;
47d1ec61 1584 skb = l2cap_create_iframe_pdu(chan, msg, chan->remote_mps, control, len);
c74e560c
GP		 1585 if (IS_ERR(skb))
1586 return PTR_ERR(skb);
1587
1588 __skb_queue_tail(&sar_queue, skb);
2c03a7a4
GP		 1589 len -= chan->remote_mps;
1590 size += chan->remote_mps;
c74e560c
GP		 1591
1592 while (len > 0) {
1593 size_t buflen;
1594
2c03a7a4 1595 if (len > chan->remote_mps) {
44651b85 1596 control = L2CAP_SDU_CONTINUE;
2c03a7a4 1597 buflen = chan->remote_mps;
c74e560c 1598 } else {
44651b85 1599 control = L2CAP_SDU_END;
c74e560c
GP		 1600 buflen = len;
1601 }
1602
47d1ec61 1603 skb = l2cap_create_iframe_pdu(chan, msg, buflen, control, 0);
c74e560c
GP		 1604 if (IS_ERR(skb)) {
1605 skb_queue_purge(&sar_queue);
1606 return PTR_ERR(skb);
1607 }
1608
1609 __skb_queue_tail(&sar_queue, skb);
1610 len -= buflen;
1611 size += buflen;
c74e560c 1612 }
58d35f87
GP		 1613 skb_queue_splice_tail(&sar_queue, &chan->tx_q);
1614 if (chan->tx_send_head == NULL)
1615 chan->tx_send_head = sar_queue.next;
c74e560c
GP		 1616
1617 return size;
1618}
1619
9a91a04a
GP		 1620int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1621{
9a91a04a
GP		 1622 struct sk_buff *skb;
1623 u16 control;
1624 int err;
1625
1626 /* Connectionless channel */
715ec005 1627 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
9a91a04a
GP		 1628 skb = l2cap_create_connless_pdu(chan, msg, len);
1629 if (IS_ERR(skb))
1630 return PTR_ERR(skb);
1631
1632 l2cap_do_send(chan, skb);
1633 return len;
1634 }
1635
1636 switch (chan->mode) {
1637 case L2CAP_MODE_BASIC:
1638 /* Check outgoing MTU */
1639 if (len > chan->omtu)
1640 return -EMSGSIZE;
1641
1642 /* Create a basic PDU */
1643 skb = l2cap_create_basic_pdu(chan, msg, len);
1644 if (IS_ERR(skb))
1645 return PTR_ERR(skb);
1646
1647 l2cap_do_send(chan, skb);
1648 err = len;
1649 break;
1650
1651 case L2CAP_MODE_ERTM:
1652 case L2CAP_MODE_STREAMING:
1653 /* Entire SDU fits into one PDU */
1654 if (len <= chan->remote_mps) {
1655 control = L2CAP_SDU_UNSEGMENTED;
1656 skb = l2cap_create_iframe_pdu(chan, msg, len, control,
1657 0);
1658 if (IS_ERR(skb))
1659 return PTR_ERR(skb);
1660
1661 __skb_queue_tail(&chan->tx_q, skb);
1662
1663 if (chan->tx_send_head == NULL)
1664 chan->tx_send_head = skb;
1665
1666 } else {
1667 /* Segment SDU into multiples PDUs */
1668 err = l2cap_sar_segment_sdu(chan, msg, len);
1669 if (err < 0)
1670 return err;
1671 }
1672
1673 if (chan->mode == L2CAP_MODE_STREAMING) {
1674 l2cap_streaming_send(chan);
1675 err = len;
1676 break;
1677 }
1678
e2ab4353
GP		 1679 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
1680 test_bit(CONN_WAIT_F, &chan->conn_state)) {
9a91a04a
GP		 1681 err = len;
1682 break;
1683 }
1684
1685 err = l2cap_ertm_send(chan);
1686 if (err >= 0)
1687 err = len;
1688
1689 break;
1690
1691 default:
1692 BT_DBG("bad state %1.1x", chan->mode);
1693 err = -EBADFD;
1694 }
1695
1696 return err;
1697}
1698
1da177e4
LT		 1699/* Copy frame to all raw sockets on that connection */
1700static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
1701{
1da177e4 1702 struct sk_buff *nskb;
48454079 1703 struct l2cap_chan *chan;
1da177e4
LT		 1704
1705 BT_DBG("conn %p", conn);
1706
baa7e1fa
GP		 1707 read_lock(&conn->chan_lock);
1708 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 1709 struct sock *sk = chan->sk;
715ec005 1710 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 1711 continue;
1712
1713 /* Don't send frame to the socket it came from */
1714 if (skb->sk == sk)
1715 continue;
af05b30b
GP		 1716 nskb = skb_clone(skb, GFP_ATOMIC);
1717 if (!nskb)
1da177e4
LT		 1718 continue;
1719
23070494 1720 if (chan->ops->recv(chan->data, nskb))
1da177e4
LT		 1721 kfree_skb(nskb);
1722 }
baa7e1fa 1723 read_unlock(&conn->chan_lock);
1da177e4
LT		 1724}
1725
1726/* ---- L2CAP signalling commands ---- */
1727static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
1728 u8 code, u8 ident, u16 dlen, void *data)
1729{
1730 struct sk_buff *skb, **frag;
1731 struct l2cap_cmd_hdr *cmd;
1732 struct l2cap_hdr *lh;
1733 int len, count;
1734
af05b30b
GP		 1735 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
1736 conn, code, ident, dlen);
1da177e4
LT		 1737
1738 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
1739 count = min_t(unsigned int, conn->mtu, len);
1740
1741 skb = bt_skb_alloc(count, GFP_ATOMIC);
1742 if (!skb)
1743 return NULL;
1744
1745 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 1746 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 1747
1748 if (conn->hcon->type == LE_LINK)
1749 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
1750 else
1751 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 1752
1753 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
1754 cmd->code = code;
1755 cmd->ident = ident;
aca3192c 1756 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 1757
1758 if (dlen) {
1759 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
1760 memcpy(skb_put(skb, count), data, count);
1761 data += count;
1762 }
1763
1764 len -= skb->len;
1765
1766 /* Continuation fragments (no L2CAP header) */
1767 frag = &skb_shinfo(skb)->frag_list;
1768 while (len) {
1769 count = min_t(unsigned int, conn->mtu, len);
1770
1771 *frag = bt_skb_alloc(count, GFP_ATOMIC);
1772 if (!*frag)
1773 goto fail;
1774
1775 memcpy(skb_put(*frag, count), data, count);
1776
1777 len -= count;
1778 data += count;
1779
1780 frag = &(*frag)->next;
1781 }
1782
1783 return skb;
1784
1785fail:
1786 kfree_skb(skb);
1787 return NULL;
1788}
1789
1790static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
1791{
1792 struct l2cap_conf_opt *opt = *ptr;
1793 int len;
1794
1795 len = L2CAP_CONF_OPT_SIZE + opt->len;
1796 *ptr += len;
1797
1798 *type = opt->type;
1799 *olen = opt->len;
1800
1801 switch (opt->len) {
1802 case 1:
1803 *val = *((u8 *) opt->val);
1804 break;
1805
1806 case 2:
bfaaeb3e 1807 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 1808 break;
1809
1810 case 4:
bfaaeb3e 1811 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 1812 break;
1813
1814 default:
1815 *val = (unsigned long) opt->val;
1816 break;
1817 }
1818
1819 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
1820 return len;
1821}
1822
1da177e4
LT		 1823static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
1824{
1825 struct l2cap_conf_opt *opt = *ptr;
1826
1827 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
1828
1829 opt->type = type;
1830 opt->len = len;
1831
1832 switch (len) {
1833 case 1:
1834 *((u8 *) opt->val) = val;
1835 break;
1836
1837 case 2:
4f8b691c 1838 put_unaligned_le16(val, opt->val);
1da177e4
LT		 1839 break;
1840
1841 case 4:
4f8b691c 1842 put_unaligned_le32(val, opt->val);
1da177e4
LT		 1843 break;
1844
1845 default:
1846 memcpy(opt->val, (void *) val, len);
1847 break;
1848 }
1849
1850 *ptr += L2CAP_CONF_OPT_SIZE + len;
1851}
1852
c1b4f43b
GP		 1853static void l2cap_ack_timeout(unsigned long arg)
1854{
525cd185 1855 struct l2cap_chan *chan = (void *) arg;
c1b4f43b 1856
525cd185
GP		 1857 bh_lock_sock(chan->sk);
1858 l2cap_send_ack(chan);
1859 bh_unlock_sock(chan->sk);
c1b4f43b
GP		 1860}
1861
525cd185 1862static inline void l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 1863{
525cd185
GP		 1864 struct sock *sk = chan->sk;
1865
42e5c802 1866 chan->expected_ack_seq = 0;
6a026610 1867 chan->unacked_frames = 0;
42e5c802 1868 chan->buffer_seq = 0;
6a026610
GP		 1869 chan->num_acked = 0;
1870 chan->frames_sent = 0;
0565c1c2 1871
e92c8e70
GP		 1872 setup_timer(&chan->retrans_timer, l2cap_retrans_timeout,
1873 (unsigned long) chan);
1874 setup_timer(&chan->monitor_timer, l2cap_monitor_timeout,
1875 (unsigned long) chan);
1876 setup_timer(&chan->ack_timer, l2cap_ack_timeout, (unsigned long) chan);
0565c1c2 1877
f1c6775b 1878 skb_queue_head_init(&chan->srej_q);
1890d36b 1879
39d5a3ee
GP		 1880 INIT_LIST_HEAD(&chan->srej_l);
1881
218bb9df
GP		 1882
1883 sk->sk_backlog_rcv = l2cap_ertm_data_rcv;
0565c1c2
GP		 1884}
1885
f2fcfcd6
GP		 1886static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
1887{
1888 switch (mode) {
1889 case L2CAP_MODE_STREAMING:
1890 case L2CAP_MODE_ERTM:
1891 if (l2cap_mode_supported(mode, remote_feat_mask))
1892 return mode;
1893 /* fall through */
1894 default:
1895 return L2CAP_MODE_BASIC;
1896 }
1897}
1898
710f9b0a 1899static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 1900{
1da177e4 1901 struct l2cap_conf_req *req = data;
0c1bc5c6 1902 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4
LT		 1903 void *ptr = req->data;
1904
49208c9c 1905 BT_DBG("chan %p", chan);
1da177e4 1906
73ffa904 1907 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 1908 goto done;
1909
0c1bc5c6 1910 switch (chan->mode) {
f2fcfcd6
GP		 1911 case L2CAP_MODE_STREAMING:
1912 case L2CAP_MODE_ERTM:
c1360a1c 1913 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 1914 break;
85eb53c6 1915
2ba13ed6 1916 /* fall through */
f2fcfcd6 1917 default:
8c1d787b 1918 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 1919 break;
1920 }
1921
1922done:
0c1bc5c6
GP		 1923 if (chan->imtu != L2CAP_DEFAULT_MTU)
1924 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 1925
0c1bc5c6 1926 switch (chan->mode) {
65c7c491 1927 case L2CAP_MODE_BASIC:
8c1d787b
GP		 1928 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
1929 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 1930 break;
1931
62547752
GP		 1932 rfc.mode = L2CAP_MODE_BASIC;
1933 rfc.txwin_size = 0;
1934 rfc.max_transmit = 0;
1935 rfc.retrans_timeout = 0;
1936 rfc.monitor_timeout = 0;
1937 rfc.max_pdu_size = 0;
1938
63406504
GP		 1939 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
1940 (unsigned long) &rfc);
65c7c491
MH		 1941 break;
1942
1943 case L2CAP_MODE_ERTM:
1944 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61
GP		 1945 rfc.txwin_size = chan->tx_win;
1946 rfc.max_transmit = chan->max_tx;
f2fcfcd6
GP		 1947 rfc.retrans_timeout = 0;
1948 rfc.monitor_timeout = 0;
c74e560c 1949 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
8c1d787b
GP		 1950 if (L2CAP_DEFAULT_MAX_PDU_SIZE > chan->conn->mtu - 10)
1951 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
f2fcfcd6 1952
63406504
GP		 1953 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
1954 (unsigned long) &rfc);
1955
8c1d787b 1956 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 1957 break;
1958
47d1ec61 1959 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 1960 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 1961 chan->fcs = L2CAP_FCS_NONE;
1962 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 1963 }
f2fcfcd6
GP		 1964 break;
1965
1966 case L2CAP_MODE_STREAMING:
1967 rfc.mode = L2CAP_MODE_STREAMING;
1968 rfc.txwin_size = 0;
1969 rfc.max_transmit = 0;
1970 rfc.retrans_timeout = 0;
1971 rfc.monitor_timeout = 0;
c74e560c 1972 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
8c1d787b
GP		 1973 if (L2CAP_DEFAULT_MAX_PDU_SIZE > chan->conn->mtu - 10)
1974 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
65c7c491 1975
63406504
GP		 1976 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
1977 (unsigned long) &rfc);
1978
8c1d787b 1979 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 1980 break;
1981
47d1ec61 1982 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 1983 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 1984 chan->fcs = L2CAP_FCS_NONE;
1985 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 1986 }
65c7c491
MH		 1987 break;
1988 }
1da177e4 1989
fe4128e0 1990 req->dcid = cpu_to_le16(chan->dcid);
aca3192c 1991 req->flags = cpu_to_le16(0);
1da177e4
LT		 1992
1993 return ptr - data;
1994}
1995
73ffa904 1996static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 1997{
5dee9e7c
MH		 1998 struct l2cap_conf_rsp *rsp = data;
1999 void *ptr = rsp->data;
73ffa904
GP		 2000 void *req = chan->conf_req;
2001 int len = chan->conf_len;
5dee9e7c
MH		 2002 int type, hint, olen;
2003 unsigned long val;
6464f35f 2004 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
861d6882 2005 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 2006 u16 result = L2CAP_CONF_SUCCESS;
1da177e4 2007
73ffa904 2008 BT_DBG("chan %p", chan);
820ae1b8 2009
5dee9e7c
MH		 2010 while (len >= L2CAP_CONF_OPT_SIZE) {
2011 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 2012
589d2746 2013 hint = type & L2CAP_CONF_HINT;
47ec1dcd 2014 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 2015
2016 switch (type) {
2017 case L2CAP_CONF_MTU:
861d6882 2018 mtu = val;
5dee9e7c
MH		 2019 break;
2020
2021 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2022 chan->flush_to = val;
5dee9e7c
MH		 2023 break;
2024
2025 case L2CAP_CONF_QOS:
2026 break;
2027
6464f35f
MH		 2028 case L2CAP_CONF_RFC:
2029 if (olen == sizeof(rfc))
2030 memcpy(&rfc, (void *) val, olen);
2031 break;
2032
fcc203c3
GP		 2033 case L2CAP_CONF_FCS:
2034 if (val == L2CAP_FCS_NONE)
c1360a1c 2035 set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
fcc203c3
GP		 2036
2037 break;
2038
5dee9e7c
MH		 2039 default:
2040 if (hint)
2041 break;
2042
2043 result = L2CAP_CONF_UNKNOWN;
2044 *((u8 *) ptr++) = type;
2045 break;
2046 }
2047 }
2048
73ffa904 2049 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 2050 goto done;
2051
0c1bc5c6 2052 switch (chan->mode) {
f2fcfcd6
GP		 2053 case L2CAP_MODE_STREAMING:
2054 case L2CAP_MODE_ERTM:
c1360a1c 2055 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 2056 chan->mode = l2cap_select_mode(rfc.mode,
8c1d787b 2057 chan->conn->feat_mask);
85eb53c6
GP		 2058 break;
2059 }
2060
0c1bc5c6 2061 if (chan->mode != rfc.mode)
f2fcfcd6 2062 return -ECONNREFUSED;
742e519b 2063
f2fcfcd6 2064 break;
f2fcfcd6
GP		 2065 }
2066
2067done:
0c1bc5c6 2068 if (chan->mode != rfc.mode) {
f2fcfcd6 2069 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2070 rfc.mode = chan->mode;
f2fcfcd6 2071
73ffa904 2072 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 2073 return -ECONNREFUSED;
2074
2075 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2076 sizeof(rfc), (unsigned long) &rfc);
2077 }
2078
2079
5dee9e7c
MH		 2080 if (result == L2CAP_CONF_SUCCESS) {
2081 /* Configure output options and let the other side know
2082 * which ones we don't like. */
2083
f2fcfcd6
GP		 2084 if (mtu < L2CAP_DEFAULT_MIN_MTU)
2085 result = L2CAP_CONF_UNACCEPT;
2086 else {
0c1bc5c6 2087 chan->omtu = mtu;
c1360a1c 2088 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 2089 }
0c1bc5c6 2090 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 2091
f2fcfcd6
GP		 2092 switch (rfc.mode) {
2093 case L2CAP_MODE_BASIC:
47d1ec61 2094 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 2095 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 2096 break;
2097
2098 case L2CAP_MODE_ERTM:
2c03a7a4
GP		 2099 chan->remote_tx_win = rfc.txwin_size;
2100 chan->remote_max_tx = rfc.max_transmit;
86b1b263 2101
8c1d787b
GP		 2102 if (le16_to_cpu(rfc.max_pdu_size) > chan->conn->mtu - 10)
2103 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
1c762159 2104
2c03a7a4 2105 chan->remote_mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6 2106
10467e9e
GP		 2107 rfc.retrans_timeout =
2108 le16_to_cpu(L2CAP_DEFAULT_RETRANS_TO);
2109 rfc.monitor_timeout =
2110 le16_to_cpu(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6 2111
c1360a1c 2112 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 2113
2114 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2115 sizeof(rfc), (unsigned long) &rfc);
2116
f2fcfcd6
GP		 2117 break;
2118
2119 case L2CAP_MODE_STREAMING:
8c1d787b
GP		 2120 if (le16_to_cpu(rfc.max_pdu_size) > chan->conn->mtu - 10)
2121 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
1c762159 2122
2c03a7a4 2123 chan->remote_mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6 2124
c1360a1c 2125 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 2126
2127 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2128 sizeof(rfc), (unsigned long) &rfc);
2129
f2fcfcd6
GP		 2130 break;
2131
2132 default:
5dee9e7c 2133 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 2134
6464f35f 2135 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 2136 rfc.mode = chan->mode;
f2fcfcd6 2137 }
6464f35f 2138
f2fcfcd6 2139 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 2140 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 2141 }
fe4128e0 2142 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c
MH		 2143 rsp->result = cpu_to_le16(result);
2144 rsp->flags = cpu_to_le16(0x0000);
2145
2146 return ptr - data;
1da177e4
LT		 2147}
2148
b4450035 2149static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
f2fcfcd6 2150{
f2fcfcd6
GP		 2151 struct l2cap_conf_req *req = data;
2152 void *ptr = req->data;
2153 int type, olen;
2154 unsigned long val;
2155 struct l2cap_conf_rfc rfc;
2156
fe4128e0 2157 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 2158
2159 while (len >= L2CAP_CONF_OPT_SIZE) {
2160 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2161
2162 switch (type) {
2163 case L2CAP_CONF_MTU:
2164 if (val < L2CAP_DEFAULT_MIN_MTU) {
2165 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2166 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 2167 } else
0c1bc5c6
GP		 2168 chan->imtu = val;
2169 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 2170 break;
2171
2172 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2173 chan->flush_to = val;
f2fcfcd6 2174 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
0c1bc5c6 2175 2, chan->flush_to);
f2fcfcd6
GP		 2176 break;
2177
2178 case L2CAP_CONF_RFC:
2179 if (olen == sizeof(rfc))
2180 memcpy(&rfc, (void *)val, olen);
2181
c1360a1c 2182 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
0c1bc5c6 2183 rfc.mode != chan->mode)
f2fcfcd6
GP		 2184 return -ECONNREFUSED;
2185
47d1ec61 2186 chan->fcs = 0;
f2fcfcd6
GP		 2187
2188 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2189 sizeof(rfc), (unsigned long) &rfc);
2190 break;
2191 }
2192 }
2193
0c1bc5c6 2194 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 2195 return -ECONNREFUSED;
2196
0c1bc5c6 2197 chan->mode = rfc.mode;
6c2ea7a8 2198
f2fcfcd6
GP		 2199 if (*result == L2CAP_CONF_SUCCESS) {
2200 switch (rfc.mode) {
2201 case L2CAP_MODE_ERTM:
47d1ec61
GP		 2202 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2203 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2204 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2205 break;
2206 case L2CAP_MODE_STREAMING:
47d1ec61 2207 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2208 }
2209 }
2210
fe4128e0 2211 req->dcid = cpu_to_le16(chan->dcid);
f2fcfcd6
GP		 2212 req->flags = cpu_to_le16(0x0000);
2213
2214 return ptr - data;
2215}
2216
fe4128e0 2217static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
1da177e4
LT		 2218{
2219 struct l2cap_conf_rsp *rsp = data;
2220 void *ptr = rsp->data;
1da177e4 2221
fe4128e0 2222 BT_DBG("chan %p", chan);
1da177e4 2223
fe4128e0 2224 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 2225 rsp->result = cpu_to_le16(result);
aca3192c 2226 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 2227
2228 return ptr - data;
2229}
2230
8c1d787b 2231void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 2232{
2233 struct l2cap_conn_rsp rsp;
8c1d787b 2234 struct l2cap_conn *conn = chan->conn;
710f9b0a
GP		 2235 u8 buf[128];
2236
fe4128e0
GP		 2237 rsp.scid = cpu_to_le16(chan->dcid);
2238 rsp.dcid = cpu_to_le16(chan->scid);
710f9b0a
GP		 2239 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
2240 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
2241 l2cap_send_cmd(conn, chan->ident,
2242 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2243
c1360a1c 2244 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 2245 return;
2246
710f9b0a
GP		 2247 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2248 l2cap_build_conf_req(chan, buf), buf);
2249 chan->num_conf_req++;
2250}
2251
47d1ec61 2252static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 2253{
7b1c0049
GP		 2254 int type, olen;
2255 unsigned long val;
2256 struct l2cap_conf_rfc rfc;
2257
47d1ec61 2258 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 2259
0c1bc5c6 2260 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 2261 return;
2262
2263 while (len >= L2CAP_CONF_OPT_SIZE) {
2264 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2265
2266 switch (type) {
2267 case L2CAP_CONF_RFC:
2268 if (olen == sizeof(rfc))
2269 memcpy(&rfc, (void *)val, olen);
2270 goto done;
2271 }
2272 }
2273
2274done:
2275 switch (rfc.mode) {
2276 case L2CAP_MODE_ERTM:
47d1ec61
GP		 2277 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2278 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2279 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2280 break;
2281 case L2CAP_MODE_STREAMING:
47d1ec61 2282 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2283 }
2284}
2285
4e8402a3
MH		 2286static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2287{
e2fd318e 2288 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 2289
e2fd318e 2290 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 2291 return 0;
2292
2293 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2294 cmd->ident == conn->info_ident) {
4e8402a3 2295 del_timer(&conn->info_timer);
984947dc
MH		 2296
2297 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2298 conn->info_ident = 0;
984947dc 2299
4e8402a3
MH		 2300 l2cap_conn_start(conn);
2301 }
2302
2303 return 0;
2304}
2305
1da177e4
LT		 2306static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2307{
1da177e4
LT		 2308 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
2309 struct l2cap_conn_rsp rsp;
23691d75 2310 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 2311 struct sock *parent, *sk = NULL;
e7c29cb1 2312 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2313
2314 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 2315 __le16 psm = req->psm;
1da177e4
LT		 2316
2317 BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
2318
2319 /* Check if we have socket listening on psm */
23691d75
GP		 2320 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src);
2321 if (!pchan) {
1da177e4
LT		 2322 result = L2CAP_CR_BAD_PSM;
2323 goto sendresp;
2324 }
2325
23691d75
GP		 2326 parent = pchan->sk;
2327
e0f0cb56
GP		 2328 bh_lock_sock(parent);
2329
e7c29cb1
MH		 2330 /* Check if the ACL is secure enough (if not SDP) */
2331 if (psm != cpu_to_le16(0x0001) &&
2332 !hci_conn_check_link_mode(conn->hcon)) {
2950f21a 2333 conn->disc_reason = 0x05;
e7c29cb1
MH		 2334 result = L2CAP_CR_SEC_BLOCK;
2335 goto response;
2336 }
2337
1da177e4
LT		 2338 result = L2CAP_CR_NO_MEM;
2339
2340 /* Check for backlog size */
2341 if (sk_acceptq_is_full(parent)) {
8e87d142 2342 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1da177e4
LT		 2343 goto response;
2344 }
2345
80808e43
GP		 2346 chan = pchan->ops->new_connection(pchan->data);
2347 if (!chan)
1da177e4
LT		 2348 goto response;
2349
80808e43
GP		 2350 sk = chan->sk;
2351
baa7e1fa 2352 write_lock_bh(&conn->chan_lock);
1da177e4
LT		 2353
2354 /* Check if we already have channel with that dcid */
baa7e1fa
GP		 2355 if (__l2cap_get_chan_by_dcid(conn, scid)) {
2356 write_unlock_bh(&conn->chan_lock);
1da177e4 2357 sock_set_flag(sk, SOCK_ZAPPED);
ba3bd0ee 2358 chan->ops->close(chan->data);
1da177e4
LT		 2359 goto response;
2360 }
2361
2362 hci_conn_hold(conn->hcon);
2363
1da177e4
LT		 2364 bacpy(&bt_sk(sk)->src, conn->src);
2365 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 2366 chan->psm = psm;
2367 chan->dcid = scid;
1da177e4 2368
d1010240
GP		 2369 bt_accept_enqueue(parent, sk);
2370
48454079
GP		 2371 __l2cap_chan_add(conn, chan);
2372
fe4128e0 2373 dcid = chan->scid;
1da177e4 2374
c9b66675 2375 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 2376
fc7f8a7e 2377 chan->ident = cmd->ident;
1da177e4 2378
984947dc 2379 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
4343478f 2380 if (l2cap_check_security(chan)) {
f66dc81f 2381 if (bt_sk(sk)->defer_setup) {
89bc500e 2382 l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 2383 result = L2CAP_CR_PEND;
2384 status = L2CAP_CS_AUTHOR_PEND;
2385 parent->sk_data_ready(parent, 0);
2386 } else {
89bc500e 2387 l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 2388 result = L2CAP_CR_SUCCESS;
2389 status = L2CAP_CS_NO_INFO;
2390 }
79d554a6 2391 } else {
89bc500e 2392 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 2393 result = L2CAP_CR_PEND;
2394 status = L2CAP_CS_AUTHEN_PEND;
2395 }
2396 } else {
89bc500e 2397 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 2398 result = L2CAP_CR_PEND;
2399 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2400 }
2401
baa7e1fa 2402 write_unlock_bh(&conn->chan_lock);
1da177e4
LT		 2403
2404response:
2405 bh_unlock_sock(parent);
2406
2407sendresp:
aca3192c
YH		 2408 rsp.scid = cpu_to_le16(scid);
2409 rsp.dcid = cpu_to_le16(dcid);
2410 rsp.result = cpu_to_le16(result);
2411 rsp.status = cpu_to_le16(status);
1da177e4 2412 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 2413
2414 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
2415 struct l2cap_info_req info;
2416 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2417
2418 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
2419 conn->info_ident = l2cap_get_ident(conn);
2420
2421 mod_timer(&conn->info_timer, jiffies +
2422 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
2423
2424 l2cap_send_cmd(conn, conn->info_ident,
2425 L2CAP_INFO_REQ, sizeof(info), &info);
2426 }
2427
c1360a1c 2428 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
e9aeb2dd
GP		 2429 result == L2CAP_CR_SUCCESS) {
2430 u8 buf[128];
c1360a1c 2431 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 2432 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2433 l2cap_build_conf_req(chan, buf), buf);
2434 chan->num_conf_req++;
e9aeb2dd
GP		 2435 }
2436
1da177e4
LT		 2437 return 0;
2438}
2439
2440static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2441{
2442 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
2443 u16 scid, dcid, result, status;
48454079 2444 struct l2cap_chan *chan;
1da177e4
LT		 2445 struct sock *sk;
2446 u8 req[128];
2447
2448 scid = __le16_to_cpu(rsp->scid);
2449 dcid = __le16_to_cpu(rsp->dcid);
2450 result = __le16_to_cpu(rsp->result);
2451 status = __le16_to_cpu(rsp->status);
2452
2453 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status);
2454
2455 if (scid) {
baa7e1fa 2456 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2457 if (!chan)
57d3b22b 2458 return -EFAULT;
1da177e4 2459 } else {
baa7e1fa 2460 chan = l2cap_get_chan_by_ident(conn, cmd->ident);
48454079 2461 if (!chan)
57d3b22b 2462 return -EFAULT;
1da177e4
LT		 2463 }
2464
48454079
GP		 2465 sk = chan->sk;
2466
1da177e4
LT		 2467 switch (result) {
2468 case L2CAP_CR_SUCCESS:
89bc500e 2469 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 2470 chan->ident = 0;
fe4128e0 2471 chan->dcid = dcid;
c1360a1c 2472 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 2473
c1360a1c 2474 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 2475 break;
2476
1da177e4 2477 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2478 l2cap_build_conf_req(chan, req), req);
2479 chan->num_conf_req++;
1da177e4
LT		 2480 break;
2481
2482 case L2CAP_CR_PEND:
c1360a1c 2483 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 2484 break;
2485
2486 default:
a49184c2
AE		 2487 /* don't delete l2cap channel if sk is owned by user */
2488 if (sock_owned_by_user(sk)) {
89bc500e 2489 l2cap_state_change(chan, BT_DISCONN);
c9b66675
GP		 2490 __clear_chan_timer(chan);
2491 __set_chan_timer(chan, HZ / 5);
a49184c2
AE		 2492 break;
2493 }
2494
48454079 2495 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 2496 break;
2497 }
2498
2499 bh_unlock_sock(sk);
2500 return 0;
2501}
2502
47d1ec61 2503static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 2504{
2505 /* FCS is enabled only in ERTM or streaming mode, if one or both
2506 * sides request it.
2507 */
0c1bc5c6 2508 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 2509 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 2510 else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
47d1ec61 2511 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 2512}
2513
88219a0f 2514static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 2515{
2516 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
2517 u16 dcid, flags;
2518 u8 rsp[64];
48454079 2519 struct l2cap_chan *chan;
1da177e4 2520 struct sock *sk;
5dee9e7c 2521 int len;
1da177e4
LT		 2522
2523 dcid = __le16_to_cpu(req->dcid);
2524 flags = __le16_to_cpu(req->flags);
2525
2526 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
2527
baa7e1fa 2528 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 2529 if (!chan)
1da177e4
LT		 2530 return -ENOENT;
2531
48454079
GP		 2532 sk = chan->sk;
2533
033b1142 2534 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
e2fd318e
IK		 2535 struct l2cap_cmd_rej_cid rej;
2536
2537 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
2538 rej.scid = cpu_to_le16(chan->scid);
2539 rej.dcid = cpu_to_le16(chan->dcid);
df6bd743 2540
df6bd743
GP		 2541 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
2542 sizeof(rej), &rej);
354f60a9 2543 goto unlock;
df6bd743 2544 }
354f60a9 2545
5dee9e7c 2546 /* Reject if config buffer is too small. */
88219a0f 2547 len = cmd_len - sizeof(*req);
7ac28817 2548 if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 2549 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 2550 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c
MH		 2551 L2CAP_CONF_REJECT, flags), rsp);
2552 goto unlock;
2553 }
2554
2555 /* Store config. */
73ffa904
GP		 2556 memcpy(chan->conf_req + chan->conf_len, req->data, len);
2557 chan->conf_len += len;
1da177e4
LT		 2558
2559 if (flags & 0x0001) {
2560 /* Incomplete config. Send empty response. */
2561 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 2562 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c 2563 L2CAP_CONF_SUCCESS, 0x0001), rsp);
1da177e4
LT		 2564 goto unlock;
2565 }
2566
2567 /* Complete config. */
73ffa904 2568 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 2569 if (len < 0) {
e92c8e70 2570 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4 2571 goto unlock;
f2fcfcd6 2572 }
1da177e4 2573
5dee9e7c 2574 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 2575 chan->num_conf_rsp++;
5dee9e7c 2576
5dee9e7c 2577 /* Reset config buffer. */
73ffa904 2578 chan->conf_len = 0;
5dee9e7c 2579
c1360a1c 2580 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 2581 goto unlock;
2582
c1360a1c 2583 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 2584 set_default_fcs(chan);
fcc203c3 2585
89bc500e 2586 l2cap_state_change(chan, BT_CONNECTED);
e90bac06 2587
42e5c802
GP		 2588 chan->next_tx_seq = 0;
2589 chan->expected_tx_seq = 0;
58d35f87 2590 skb_queue_head_init(&chan->tx_q);
0c1bc5c6 2591 if (chan->mode == L2CAP_MODE_ERTM)
525cd185 2592 l2cap_ertm_init(chan);
0565c1c2 2593
1da177e4 2594 l2cap_chan_ready(sk);
876d9484
MH		 2595 goto unlock;
2596 }
2597
c1360a1c 2598 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 2599 u8 buf[64];
1da177e4 2600 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2601 l2cap_build_conf_req(chan, buf), buf);
2602 chan->num_conf_req++;
1da177e4
LT		 2603 }
2604
2605unlock:
2606 bh_unlock_sock(sk);
2607 return 0;
2608}
2609
2610static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2611{
2612 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
2613 u16 scid, flags, result;
48454079 2614 struct l2cap_chan *chan;
1da177e4 2615 struct sock *sk;
7b1c0049 2616 int len = cmd->len - sizeof(*rsp);
1da177e4
LT		 2617
2618 scid = __le16_to_cpu(rsp->scid);
2619 flags = __le16_to_cpu(rsp->flags);
2620 result = __le16_to_cpu(rsp->result);
2621
af05b30b
GP		 2622 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x",
2623 scid, flags, result);
1da177e4 2624
baa7e1fa 2625 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2626 if (!chan)
1da177e4
LT		 2627 return 0;
2628
48454079
GP		 2629 sk = chan->sk;
2630
1da177e4
LT		 2631 switch (result) {
2632 case L2CAP_CONF_SUCCESS:
47d1ec61 2633 l2cap_conf_rfc_get(chan, rsp->data, len);
1da177e4
LT		 2634 break;
2635
2636 case L2CAP_CONF_UNACCEPT:
73ffa904 2637 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 2638 char req[64];
2639
c2c77ec8 2640 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
e92c8e70 2641 l2cap_send_disconn_req(conn, chan, ECONNRESET);
c2c77ec8
AE		 2642 goto done;
2643 }
2644
f2fcfcd6
GP		 2645 /* throw out any old stored conf requests */
2646 result = L2CAP_CONF_SUCCESS;
b4450035
GP		 2647 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2648 req, &result);
f2fcfcd6 2649 if (len < 0) {
e92c8e70 2650 l2cap_send_disconn_req(conn, chan, ECONNRESET);
f2fcfcd6
GP		 2651 goto done;
2652 }
2653
2654 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2655 L2CAP_CONF_REQ, len, req);
73ffa904 2656 chan->num_conf_req++;
f2fcfcd6
GP		 2657 if (result != L2CAP_CONF_SUCCESS)
2658 goto done;
2659 break;
1da177e4
LT		 2660 }
2661
8e87d142 2662 default:
b1235d79 2663 sk->sk_err = ECONNRESET;
c9b66675 2664 __set_chan_timer(chan, HZ * 5);
e92c8e70 2665 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4
LT		 2666 goto done;
2667 }
2668
2669 if (flags & 0x01)
2670 goto done;
2671
c1360a1c 2672 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 2673
c1360a1c 2674 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 2675 set_default_fcs(chan);
fcc203c3 2676
89bc500e 2677 l2cap_state_change(chan, BT_CONNECTED);
42e5c802
GP		 2678 chan->next_tx_seq = 0;
2679 chan->expected_tx_seq = 0;
58d35f87 2680 skb_queue_head_init(&chan->tx_q);
0c1bc5c6 2681 if (chan->mode == L2CAP_MODE_ERTM)
525cd185 2682 l2cap_ertm_init(chan);
0565c1c2 2683
1da177e4
LT		 2684 l2cap_chan_ready(sk);
2685 }
2686
2687done:
2688 bh_unlock_sock(sk);
2689 return 0;
2690}
2691
2692static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2693{
2694 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
2695 struct l2cap_disconn_rsp rsp;
2696 u16 dcid, scid;
48454079 2697 struct l2cap_chan *chan;
1da177e4
LT		 2698 struct sock *sk;
2699
2700 scid = __le16_to_cpu(req->scid);
2701 dcid = __le16_to_cpu(req->dcid);
2702
2703 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
2704
baa7e1fa 2705 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 2706 if (!chan)
1da177e4
LT		 2707 return 0;
2708
48454079
GP		 2709 sk = chan->sk;
2710
fe4128e0
GP		 2711 rsp.dcid = cpu_to_le16(chan->scid);
2712 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 2713 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
2714
2715 sk->sk_shutdown = SHUTDOWN_MASK;
2716
a49184c2
AE		 2717 /* don't delete l2cap channel if sk is owned by user */
2718 if (sock_owned_by_user(sk)) {
89bc500e 2719 l2cap_state_change(chan, BT_DISCONN);
c9b66675
GP		 2720 __clear_chan_timer(chan);
2721 __set_chan_timer(chan, HZ / 5);
a49184c2
AE		 2722 bh_unlock_sock(sk);
2723 return 0;
2724 }
2725
48454079 2726 l2cap_chan_del(chan, ECONNRESET);
1da177e4
LT		 2727 bh_unlock_sock(sk);
2728
ba3bd0ee 2729 chan->ops->close(chan->data);
1da177e4
LT		 2730 return 0;
2731}
2732
2733static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2734{
2735 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
2736 u16 dcid, scid;
48454079 2737 struct l2cap_chan *chan;
1da177e4
LT		 2738 struct sock *sk;
2739
2740 scid = __le16_to_cpu(rsp->scid);
2741 dcid = __le16_to_cpu(rsp->dcid);
2742
2743 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
2744
baa7e1fa 2745 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2746 if (!chan)
1da177e4
LT		 2747 return 0;
2748
48454079
GP		 2749 sk = chan->sk;
2750
a49184c2
AE		 2751 /* don't delete l2cap channel if sk is owned by user */
2752 if (sock_owned_by_user(sk)) {
89bc500e 2753 l2cap_state_change(chan,BT_DISCONN);
c9b66675
GP		 2754 __clear_chan_timer(chan);
2755 __set_chan_timer(chan, HZ / 5);
a49184c2
AE		 2756 bh_unlock_sock(sk);
2757 return 0;
2758 }
2759
48454079 2760 l2cap_chan_del(chan, 0);
1da177e4
LT		 2761 bh_unlock_sock(sk);
2762
ba3bd0ee 2763 chan->ops->close(chan->data);
1da177e4
LT		 2764 return 0;
2765}
2766
2767static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2768{
2769 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 2770 u16 type;
2771
2772 type = __le16_to_cpu(req->type);
2773
2774 BT_DBG("type 0x%4.4x", type);
2775
f0709e03
MH		 2776 if (type == L2CAP_IT_FEAT_MASK) {
2777 u8 buf[8];
44dd46de 2778 u32 feat_mask = l2cap_feat_mask;
f0709e03
MH		 2779 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2780 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2781 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 2782 if (!disable_ertm)
fcc203c3
GP		 2783 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
2784 | L2CAP_FEAT_FCS;
1b7bf4ed 2785 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 2786 l2cap_send_cmd(conn, cmd->ident,
2787 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 2788 } else if (type == L2CAP_IT_FIXED_CHAN) {
2789 u8 buf[12];
2790 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2791 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2792 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
2793 memcpy(buf + 4, l2cap_fixed_chan, 8);
2794 l2cap_send_cmd(conn, cmd->ident,
2795 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 2796 } else {
2797 struct l2cap_info_rsp rsp;
2798 rsp.type = cpu_to_le16(type);
2799 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
2800 l2cap_send_cmd(conn, cmd->ident,
2801 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
2802 }
1da177e4
LT		 2803
2804 return 0;
2805}
2806
2807static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2808{
2809 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
2810 u16 type, result;
2811
2812 type = __le16_to_cpu(rsp->type);
2813 result = __le16_to_cpu(rsp->result);
2814
2815 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
2816
e90165be
AE		 2817 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
2818 if (cmd->ident != conn->info_ident ||
2819 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
2820 return 0;
2821
4e8402a3
MH		 2822 del_timer(&conn->info_timer);
2823
adb08ede
VT		 2824 if (result != L2CAP_IR_SUCCESS) {
2825 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2826 conn->info_ident = 0;
2827
2828 l2cap_conn_start(conn);
2829
2830 return 0;
2831 }
2832
984947dc 2833 if (type == L2CAP_IT_FEAT_MASK) {
83985319 2834 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 2835
47ec1dcd 2836 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c
MH		 2837 struct l2cap_info_req req;
2838 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2839
2840 conn->info_ident = l2cap_get_ident(conn);
2841
2842 l2cap_send_cmd(conn, conn->info_ident,
2843 L2CAP_INFO_REQ, sizeof(req), &req);
2844 } else {
2845 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2846 conn->info_ident = 0;
2847
2848 l2cap_conn_start(conn);
2849 }
2850 } else if (type == L2CAP_IT_FIXED_CHAN) {
984947dc 2851 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2852 conn->info_ident = 0;
984947dc
MH		 2853
2854 l2cap_conn_start(conn);
2855 }
4e8402a3 2856
1da177e4
LT		 2857 return 0;
2858}
2859
e2174ca4 2860static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
de73115a
CT		 2861 u16 to_multiplier)
2862{
2863 u16 max_latency;
2864
2865 if (min > max || min < 6 || max > 3200)
2866 return -EINVAL;
2867
2868 if (to_multiplier < 10 || to_multiplier > 3200)
2869 return -EINVAL;
2870
2871 if (max >= to_multiplier * 8)
2872 return -EINVAL;
2873
2874 max_latency = (to_multiplier * 8 / max) - 1;
2875 if (latency > 499 || latency > max_latency)
2876 return -EINVAL;
2877
2878 return 0;
2879}
2880
2881static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
2882 struct l2cap_cmd_hdr *cmd, u8 *data)
2883{
2884 struct hci_conn *hcon = conn->hcon;
2885 struct l2cap_conn_param_update_req *req;
2886 struct l2cap_conn_param_update_rsp rsp;
2887 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 2888 int err;
de73115a
CT		 2889
2890 if (!(hcon->link_mode & HCI_LM_MASTER))
2891 return -EINVAL;
2892
2893 cmd_len = __le16_to_cpu(cmd->len);
2894 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
2895 return -EPROTO;
2896
2897 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 2898 min = __le16_to_cpu(req->min);
2899 max = __le16_to_cpu(req->max);
de73115a
CT		 2900 latency = __le16_to_cpu(req->latency);
2901 to_multiplier = __le16_to_cpu(req->to_multiplier);
2902
2903 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
2904 min, max, latency, to_multiplier);
2905
2906 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 2907
2908 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
2909 if (err)
de73115a
CT		 2910 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
2911 else
2912 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
2913
2914 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
2915 sizeof(rsp), &rsp);
2916
2ce603eb
CT		 2917 if (!err)
2918 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
2919
de73115a
CT		 2920 return 0;
2921}
2922
3300d9a9
CT		 2923static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
2924 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
2925{
2926 int err = 0;
2927
2928 switch (cmd->code) {
2929 case L2CAP_COMMAND_REJ:
2930 l2cap_command_rej(conn, cmd, data);
2931 break;
2932
2933 case L2CAP_CONN_REQ:
2934 err = l2cap_connect_req(conn, cmd, data);
2935 break;
2936
2937 case L2CAP_CONN_RSP:
2938 err = l2cap_connect_rsp(conn, cmd, data);
2939 break;
2940
2941 case L2CAP_CONF_REQ:
2942 err = l2cap_config_req(conn, cmd, cmd_len, data);
2943 break;
2944
2945 case L2CAP_CONF_RSP:
2946 err = l2cap_config_rsp(conn, cmd, data);
2947 break;
2948
2949 case L2CAP_DISCONN_REQ:
2950 err = l2cap_disconnect_req(conn, cmd, data);
2951 break;
2952
2953 case L2CAP_DISCONN_RSP:
2954 err = l2cap_disconnect_rsp(conn, cmd, data);
2955 break;
2956
2957 case L2CAP_ECHO_REQ:
2958 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
2959 break;
2960
2961 case L2CAP_ECHO_RSP:
2962 break;
2963
2964 case L2CAP_INFO_REQ:
2965 err = l2cap_information_req(conn, cmd, data);
2966 break;
2967
2968 case L2CAP_INFO_RSP:
2969 err = l2cap_information_rsp(conn, cmd, data);
2970 break;
2971
2972 default:
2973 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
2974 err = -EINVAL;
2975 break;
2976 }
2977
2978 return err;
2979}
2980
2981static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
2982 struct l2cap_cmd_hdr *cmd, u8 *data)
2983{
2984 switch (cmd->code) {
2985 case L2CAP_COMMAND_REJ:
2986 return 0;
2987
2988 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 2989 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 2990
2991 case L2CAP_CONN_PARAM_UPDATE_RSP:
2992 return 0;
2993
2994 default:
2995 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
2996 return -EINVAL;
2997 }
2998}
2999
3000static inline void l2cap_sig_channel(struct l2cap_conn *conn,
3001 struct sk_buff *skb)
1da177e4
LT		 3002{
3003 u8 *data = skb->data;
3004 int len = skb->len;
3005 struct l2cap_cmd_hdr cmd;
3300d9a9 3006 int err;
1da177e4
LT		 3007
3008 l2cap_raw_recv(conn, skb);
3009
3010 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 3011 u16 cmd_len;
1da177e4
LT		 3012 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
3013 data += L2CAP_CMD_HDR_SIZE;
3014 len -= L2CAP_CMD_HDR_SIZE;
3015
88219a0f 3016 cmd_len = le16_to_cpu(cmd.len);
1da177e4 3017
88219a0f 3018 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 3019
88219a0f 3020 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 3021 BT_DBG("corrupted command");
3022 break;
3023 }
3024
3300d9a9
CT		 3025 if (conn->hcon->type == LE_LINK)
3026 err = l2cap_le_sig_cmd(conn, &cmd, data);
3027 else
3028 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 3029
3030 if (err) {
e2fd318e 3031 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 3032
3033 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 3034
3035 /* FIXME: Map err to a valid reason */
e2fd318e 3036 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
1da177e4
LT		 3037 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3038 }
3039
88219a0f
AV		 3040 data += cmd_len;
3041 len -= cmd_len;
1da177e4
LT		 3042 }
3043
3044 kfree_skb(skb);
3045}
3046
47d1ec61 3047static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 3048{
3049 u16 our_fcs, rcv_fcs;
3050 int hdr_size = L2CAP_HDR_SIZE + 2;
3051
47d1ec61 3052 if (chan->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 3053 skb_trim(skb, skb->len - 2);
3054 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
3055 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
3056
3057 if (our_fcs != rcv_fcs)
7a560e5c 3058 return -EBADMSG;
fcc203c3
GP		 3059 }
3060 return 0;
3061}
3062
525cd185 3063static inline void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 3064{
d5392c8f
GP		 3065 u16 control = 0;
3066
6a026610 3067 chan->frames_sent = 0;
d5392c8f 3068
42e5c802 3069 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
d5392c8f 3070
e2ab4353 3071 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
64988868 3072 control |= L2CAP_SUPER_RCV_NOT_READY;
525cd185 3073 l2cap_send_sframe(chan, control);
e2ab4353 3074 set_bit(CONN_RNR_SENT, &chan->conn_state);
d5392c8f
GP		 3075 }
3076
e2ab4353 3077 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
525cd185 3078 l2cap_retransmit_frames(chan);
d5392c8f 3079
525cd185 3080 l2cap_ertm_send(chan);
d5392c8f 3081
e2ab4353 3082 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
6a026610 3083 chan->frames_sent == 0) {
d5392c8f 3084 control |= L2CAP_SUPER_RCV_READY;
525cd185 3085 l2cap_send_sframe(chan, control);
d5392c8f
GP		 3086 }
3087}
3088
42e5c802 3089static int l2cap_add_to_srej_queue(struct l2cap_chan *chan, struct sk_buff *skb, u8 tx_seq, u8 sar)
8f17154f
GP		 3090{
3091 struct sk_buff *next_skb;
bfbacc11 3092 int tx_seq_offset, next_tx_seq_offset;
8f17154f
GP		 3093
3094 bt_cb(skb)->tx_seq = tx_seq;
3095 bt_cb(skb)->sar = sar;
3096
f1c6775b 3097 next_skb = skb_peek(&chan->srej_q);
8f17154f 3098 if (!next_skb) {
f1c6775b 3099 __skb_queue_tail(&chan->srej_q, skb);
9b53350d 3100 return 0;
8f17154f
GP		 3101 }
3102
42e5c802 3103 tx_seq_offset = (tx_seq - chan->buffer_seq) % 64;
bfbacc11
JPRV		 3104 if (tx_seq_offset < 0)
3105 tx_seq_offset += 64;
3106
8f17154f 3107 do {
9b53350d
JPRV		 3108 if (bt_cb(next_skb)->tx_seq == tx_seq)
3109 return -EINVAL;
3110
bfbacc11 3111 next_tx_seq_offset = (bt_cb(next_skb)->tx_seq -
42e5c802 3112 chan->buffer_seq) % 64;
bfbacc11
JPRV		 3113 if (next_tx_seq_offset < 0)
3114 next_tx_seq_offset += 64;
3115
3116 if (next_tx_seq_offset > tx_seq_offset) {
f1c6775b 3117 __skb_queue_before(&chan->srej_q, next_skb, skb);
9b53350d 3118 return 0;
8f17154f
GP		 3119 }
3120
f1c6775b 3121 if (skb_queue_is_last(&chan->srej_q, next_skb))
8f17154f
GP		 3122 break;
3123
f1c6775b 3124 } while ((next_skb = skb_queue_next(&chan->srej_q, next_skb)));
8f17154f 3125
f1c6775b 3126 __skb_queue_tail(&chan->srej_q, skb);
9b53350d
JPRV		 3127
3128 return 0;
8f17154f
GP		 3129}
3130
525cd185 3131static int l2cap_ertm_reassembly_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u16 control)
18778a63 3132{
18778a63 3133 struct sk_buff *_skb;
1890d36b 3134 int err;
18778a63
GP		 3135
3136 switch (control & L2CAP_CTRL_SAR) {
3137 case L2CAP_SDU_UNSEGMENTED:
e2ab4353 3138 if (test_bit(CONN_SAR_SDU, &chan->conn_state))
18778a63
GP		 3139 goto drop;
3140
23070494 3141 return chan->ops->recv(chan->data, skb);
18778a63
GP		 3142
3143 case L2CAP_SDU_START:
e2ab4353 3144 if (test_bit(CONN_SAR_SDU, &chan->conn_state))
18778a63
GP		 3145 goto drop;
3146
6f61fd47 3147 chan->sdu_len = get_unaligned_le16(skb->data);
18778a63 3148
0c1bc5c6 3149 if (chan->sdu_len > chan->imtu)
18778a63
GP		 3150 goto disconnect;
3151
6f61fd47
GP		 3152 chan->sdu = bt_skb_alloc(chan->sdu_len, GFP_ATOMIC);
3153 if (!chan->sdu)
1890d36b
GP		 3154 return -ENOMEM;
3155
3156 /* pull sdu_len bytes only after alloc, because of Local Busy
3157 * condition we have to be sure that this will be executed
3158 * only once, i.e., when alloc does not fail */
3159 skb_pull(skb, 2);
18778a63 3160
6f61fd47 3161 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
18778a63 3162
e2ab4353 3163 set_bit(CONN_SAR_SDU, &chan->conn_state);
6f61fd47 3164 chan->partial_sdu_len = skb->len;
18778a63
GP		 3165 break;
3166
3167 case L2CAP_SDU_CONTINUE:
e2ab4353 3168 if (!test_bit(CONN_SAR_SDU, &chan->conn_state))
18778a63
GP		 3169 goto disconnect;
3170
6f61fd47 3171 if (!chan->sdu)
18778a63
GP		 3172 goto disconnect;
3173
6f61fd47
GP		 3174 chan->partial_sdu_len += skb->len;
3175 if (chan->partial_sdu_len > chan->sdu_len)
18778a63
GP		 3176 goto drop;
3177
6f61fd47 3178 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
4178ba46 3179
18778a63
GP		 3180 break;
3181
3182 case L2CAP_SDU_END:
e2ab4353 3183 if (!test_bit(CONN_SAR_SDU, &chan->conn_state))
18778a63
GP		 3184 goto disconnect;
3185
6f61fd47 3186 if (!chan->sdu)
18778a63
GP		 3187 goto disconnect;
3188
fadd192e 3189 chan->partial_sdu_len += skb->len;
18778a63 3190
fadd192e
MM		 3191 if (chan->partial_sdu_len > chan->imtu)
3192 goto drop;
18778a63 3193
fadd192e
MM		 3194 if (chan->partial_sdu_len != chan->sdu_len)
3195 goto drop;
4178ba46 3196
fadd192e 3197 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
18778a63 3198
6f61fd47 3199 _skb = skb_clone(chan->sdu, GFP_ATOMIC);
1890d36b 3200 if (!_skb) {
1890d36b
GP		 3201 return -ENOMEM;
3202 }
3203
23070494 3204 err = chan->ops->recv(chan->data, _skb);
1890d36b 3205 if (err < 0) {
18778a63 3206 kfree_skb(_skb);
1890d36b
GP		 3207 return err;
3208 }
3209
e2ab4353 3210 clear_bit(CONN_SAR_SDU, &chan->conn_state);
18778a63 3211
6f61fd47 3212 kfree_skb(chan->sdu);
18778a63
GP		 3213 break;
3214 }
3215
3216 kfree_skb(skb);
1890d36b 3217 return 0;
18778a63
GP		 3218
3219drop:
6f61fd47
GP		 3220 kfree_skb(chan->sdu);
3221 chan->sdu = NULL;
18778a63
GP		 3222
3223disconnect:
8c1d787b 3224 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
18778a63
GP		 3225 kfree_skb(skb);
3226 return 0;
3227}
3228
26f880d2 3229static void l2cap_ertm_enter_local_busy(struct l2cap_chan *chan)
712132eb 3230{
712132eb 3231 u16 control;
712132eb 3232
26f880d2 3233 BT_DBG("chan %p, Enter local busy", chan);
712132eb 3234
26f880d2
MM		 3235 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
3236
3237 control = chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3238 control |= L2CAP_SUPER_RCV_NOT_READY;
3239 l2cap_send_sframe(chan, control);
3240
3241 set_bit(CONN_RNR_SENT, &chan->conn_state);
3242
3243 __clear_ack_timer(chan);
3244}
3245
3246static void l2cap_ertm_exit_local_busy(struct l2cap_chan *chan)
3247{
3248 u16 control;
712132eb 3249
e2ab4353 3250 if (!test_bit(CONN_RNR_SENT, &chan->conn_state))
712132eb
GP		 3251 goto done;
3252
42e5c802 3253 control = chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
712132eb 3254 control |= L2CAP_SUPER_RCV_READY | L2CAP_CTRL_POLL;
525cd185 3255 l2cap_send_sframe(chan, control);
6a026610 3256 chan->retry_count = 1;
712132eb 3257
1a09bcb9
GP		 3258 __clear_retrans_timer(chan);
3259 __set_monitor_timer(chan);
712132eb 3260
e2ab4353 3261 set_bit(CONN_WAIT_F, &chan->conn_state);
712132eb
GP		 3262
3263done:
e2ab4353
GP		 3264 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
3265 clear_bit(CONN_RNR_SENT, &chan->conn_state);
712132eb 3266
49208c9c 3267 BT_DBG("chan %p, Exit local busy", chan);
712132eb
GP		 3268}
3269
e328140f 3270void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
1890d36b 3271{
e328140f
MM		 3272 if (chan->mode == L2CAP_MODE_ERTM) {
3273 if (busy)
3274 l2cap_ertm_enter_local_busy(chan);
3275 else
3276 l2cap_ertm_exit_local_busy(chan);
1890d36b 3277 }
1890d36b
GP		 3278}
3279
525cd185 3280static int l2cap_streaming_reassembly_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u16 control)
c74e560c 3281{
c74e560c
GP		 3282 struct sk_buff *_skb;
3283 int err = -EINVAL;
3284
18778a63
GP		 3285 /*
3286 * TODO: We have to notify the userland if some data is lost with the
3287 * Streaming Mode.
3288 */
3289
c74e560c
GP		 3290 switch (control & L2CAP_CTRL_SAR) {
3291 case L2CAP_SDU_UNSEGMENTED:
e2ab4353 3292 if (test_bit(CONN_SAR_SDU, &chan->conn_state)) {
6f61fd47 3293 kfree_skb(chan->sdu);
c74e560c
GP		 3294 break;
3295 }
3296
23070494 3297 err = chan->ops->recv(chan->data, skb);
c74e560c
GP		 3298 if (!err)
3299 return 0;
3300
3301 break;
3302
3303 case L2CAP_SDU_START:
e2ab4353 3304 if (test_bit(CONN_SAR_SDU, &chan->conn_state)) {
6f61fd47 3305 kfree_skb(chan->sdu);
c74e560c
GP		 3306 break;
3307 }
3308
6f61fd47 3309 chan->sdu_len = get_unaligned_le16(skb->data);
c74e560c
GP		 3310 skb_pull(skb, 2);
3311
0c1bc5c6 3312 if (chan->sdu_len > chan->imtu) {
052897ca
GP		 3313 err = -EMSGSIZE;
3314 break;
3315 }
3316
6f61fd47
GP		 3317 chan->sdu = bt_skb_alloc(chan->sdu_len, GFP_ATOMIC);
3318 if (!chan->sdu) {
c74e560c
GP		 3319 err = -ENOMEM;
3320 break;
3321 }
3322
6f61fd47 3323 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
c74e560c 3324
e2ab4353 3325 set_bit(CONN_SAR_SDU, &chan->conn_state);
6f61fd47 3326 chan->partial_sdu_len = skb->len;
c74e560c
GP		 3327 err = 0;
3328 break;
3329
3330 case L2CAP_SDU_CONTINUE:
e2ab4353 3331 if (!test_bit(CONN_SAR_SDU, &chan->conn_state))
c74e560c
GP		 3332 break;
3333
6f61fd47 3334 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
c74e560c 3335
6f61fd47
GP		 3336 chan->partial_sdu_len += skb->len;
3337 if (chan->partial_sdu_len > chan->sdu_len)
3338 kfree_skb(chan->sdu);
c74e560c
GP		 3339 else
3340 err = 0;
3341
3342 break;
3343
3344 case L2CAP_SDU_END:
e2ab4353 3345 if (!test_bit(CONN_SAR_SDU, &chan->conn_state))
c74e560c
GP		 3346 break;
3347
6f61fd47 3348 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
c74e560c 3349
e2ab4353 3350 clear_bit(CONN_SAR_SDU, &chan->conn_state);
6f61fd47 3351 chan->partial_sdu_len += skb->len;
c74e560c 3352
0c1bc5c6 3353 if (chan->partial_sdu_len > chan->imtu)
36f2fd58
GP		 3354 goto drop;
3355
6f61fd47
GP		 3356 if (chan->partial_sdu_len == chan->sdu_len) {
3357 _skb = skb_clone(chan->sdu, GFP_ATOMIC);
23070494 3358 err = chan->ops->recv(chan->data, _skb);
c74e560c
GP		 3359 if (err < 0)
3360 kfree_skb(_skb);
3361 }
c74e560c
GP		 3362 err = 0;
3363
36f2fd58 3364drop:
6f61fd47 3365 kfree_skb(chan->sdu);
c74e560c
GP		 3366 break;
3367 }
3368
3369 kfree_skb(skb);
3370 return err;
3371}
3372
525cd185 3373static void l2cap_check_srej_gap(struct l2cap_chan *chan, u8 tx_seq)
8f17154f
GP		 3374{
3375 struct sk_buff *skb;
afefdbc4 3376 u16 control;
8f17154f 3377
e328140f
MM		 3378 while ((skb = skb_peek(&chan->srej_q)) &&
3379 !test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
3380 int err;
3381
8f17154f
GP		 3382 if (bt_cb(skb)->tx_seq != tx_seq)
3383 break;
3384
f1c6775b 3385 skb = skb_dequeue(&chan->srej_q);
afefdbc4 3386 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
e328140f
MM		 3387 err = l2cap_ertm_reassembly_sdu(chan, skb, control);
3388
3389 if (err < 0) {
3390 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3391 break;
3392 }
3393
42e5c802
GP		 3394 chan->buffer_seq_srej =
3395 (chan->buffer_seq_srej + 1) % 64;
8ff50ec0 3396 tx_seq = (tx_seq + 1) % 64;
8f17154f
GP		 3397 }
3398}
3399
525cd185 3400static void l2cap_resend_srejframe(struct l2cap_chan *chan, u8 tx_seq)
8f17154f 3401{
8f17154f
GP		 3402 struct srej_list *l, *tmp;
3403 u16 control;
3404
39d5a3ee 3405 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
8f17154f
GP		 3406 if (l->tx_seq == tx_seq) {
3407 list_del(&l->list);
3408 kfree(l);
3409 return;
3410 }
3411 control = L2CAP_SUPER_SELECT_REJECT;
3412 control |= l->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
525cd185 3413 l2cap_send_sframe(chan, control);
8f17154f 3414 list_del(&l->list);
39d5a3ee 3415 list_add_tail(&l->list, &chan->srej_l);
8f17154f
GP		 3416 }
3417}
3418
525cd185 3419static void l2cap_send_srejframe(struct l2cap_chan *chan, u8 tx_seq)
8f17154f 3420{
8f17154f
GP		 3421 struct srej_list *new;
3422 u16 control;
3423
42e5c802 3424 while (tx_seq != chan->expected_tx_seq) {
8f17154f 3425 control = L2CAP_SUPER_SELECT_REJECT;
42e5c802 3426 control |= chan->expected_tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
525cd185 3427 l2cap_send_sframe(chan, control);
8f17154f
GP		 3428
3429 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
42e5c802
GP		 3430 new->tx_seq = chan->expected_tx_seq;
3431 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
39d5a3ee 3432 list_add_tail(&new->list, &chan->srej_l);
8f17154f 3433 }
42e5c802 3434 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
8f17154f
GP		 3435}
3436
525cd185 3437static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u16 rx_control, struct sk_buff *skb)
1c2acffb 3438{
1c2acffb 3439 u8 tx_seq = __get_txseq(rx_control);
9f121a5a 3440 u8 req_seq = __get_reqseq(rx_control);
8f17154f 3441 u8 sar = rx_control >> L2CAP_CTRL_SAR_SHIFT;
f6337c77 3442 int tx_seq_offset, expected_tx_seq_offset;
47d1ec61 3443 int num_to_ack = (chan->tx_win/6) + 1;
1c2acffb
GP		 3444 int err = 0;
3445
525cd185
GP		 3446 BT_DBG("chan %p len %d tx_seq %d rx_control 0x%4.4x", chan, skb->len,
3447 tx_seq, rx_control);
1c2acffb 3448
9b16dc65 3449 if (L2CAP_CTRL_FINAL & rx_control &&
e2ab4353 3450 test_bit(CONN_WAIT_F, &chan->conn_state)) {
1a09bcb9 3451 __clear_monitor_timer(chan);
6a026610 3452 if (chan->unacked_frames > 0)
1a09bcb9 3453 __set_retrans_timer(chan);
e2ab4353 3454 clear_bit(CONN_WAIT_F, &chan->conn_state);
1d8f5d16
GP		 3455 }
3456
42e5c802
GP		 3457 chan->expected_ack_seq = req_seq;
3458 l2cap_drop_acked_frames(chan);
9f121a5a 3459
42e5c802 3460 tx_seq_offset = (tx_seq - chan->buffer_seq) % 64;
9b53350d
JPRV		 3461 if (tx_seq_offset < 0)
3462 tx_seq_offset += 64;
3463
3464 /* invalid tx_seq */
47d1ec61 3465 if (tx_seq_offset >= chan->tx_win) {
8c1d787b 3466 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
9b53350d
JPRV		 3467 goto drop;
3468 }
3469
e2ab4353 3470 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1890d36b
GP		 3471 goto drop;
3472
02f1b641
MM		 3473 if (tx_seq == chan->expected_tx_seq)
3474 goto expected;
3475
e2ab4353 3476 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
8f17154f 3477 struct srej_list *first;
30afb5b2 3478
39d5a3ee 3479 first = list_first_entry(&chan->srej_l,
8f17154f
GP		 3480 struct srej_list, list);
3481 if (tx_seq == first->tx_seq) {
42e5c802 3482 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
525cd185 3483 l2cap_check_srej_gap(chan, tx_seq);
8f17154f
GP		 3484
3485 list_del(&first->list);
3486 kfree(first);
3487
39d5a3ee 3488 if (list_empty(&chan->srej_l)) {
42e5c802 3489 chan->buffer_seq = chan->buffer_seq_srej;
e2ab4353 3490 clear_bit(CONN_SREJ_SENT, &chan->conn_state);
525cd185 3491 l2cap_send_ack(chan);
49208c9c 3492 BT_DBG("chan %p, Exit SREJ_SENT", chan);
8f17154f
GP		 3493 }
3494 } else {
3495 struct srej_list *l;
9b53350d
JPRV		 3496
3497 /* duplicated tx_seq */
42e5c802 3498 if (l2cap_add_to_srej_queue(chan, skb, tx_seq, sar) < 0)
9b53350d 3499 goto drop;
8f17154f 3500
39d5a3ee 3501 list_for_each_entry(l, &chan->srej_l, list) {
8f17154f 3502 if (l->tx_seq == tx_seq) {
525cd185 3503 l2cap_resend_srejframe(chan, tx_seq);
8f17154f
GP		 3504 return 0;
3505 }
3506 }
525cd185 3507 l2cap_send_srejframe(chan, tx_seq);
30afb5b2
GP		 3508 }
3509 } else {
9b53350d 3510 expected_tx_seq_offset =
42e5c802 3511 (chan->expected_tx_seq - chan->buffer_seq) % 64;
9b53350d
JPRV		 3512 if (expected_tx_seq_offset < 0)
3513 expected_tx_seq_offset += 64;
3514
3515 /* duplicated tx_seq */
3516 if (tx_seq_offset < expected_tx_seq_offset)
3517 goto drop;
3518
e2ab4353 3519 set_bit(CONN_SREJ_SENT, &chan->conn_state);
1c2acffb 3520
49208c9c 3521 BT_DBG("chan %p, Enter SREJ", chan);
0e98958d 3522
39d5a3ee 3523 INIT_LIST_HEAD(&chan->srej_l);
42e5c802 3524 chan->buffer_seq_srej = chan->buffer_seq;
8f17154f 3525
f1c6775b 3526 __skb_queue_head_init(&chan->srej_q);
42e5c802 3527 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
8f17154f 3528
e2ab4353 3529 set_bit(CONN_SEND_PBIT, &chan->conn_state);
ef54fd93 3530
525cd185 3531 l2cap_send_srejframe(chan, tx_seq);
7fe9b298 3532
1a09bcb9 3533 __clear_ack_timer(chan);
1c2acffb 3534 }
30afb5b2
GP		 3535 return 0;
3536
8f17154f 3537expected:
42e5c802 3538 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
8f17154f 3539
e2ab4353 3540 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3b1a9f3f
GP		 3541 bt_cb(skb)->tx_seq = tx_seq;
3542 bt_cb(skb)->sar = sar;
f1c6775b 3543 __skb_queue_tail(&chan->srej_q, skb);
8f17154f
GP		 3544 return 0;
3545 }
3546
fadd192e
MM		 3547 err = l2cap_ertm_reassembly_sdu(chan, skb, rx_control);
3548 chan->buffer_seq = (chan->buffer_seq + 1) % 64;
e328140f
MM		 3549 if (err < 0) {
3550 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3551 return err;
3552 }
2ece3684 3553
4ec10d97 3554 if (rx_control & L2CAP_CTRL_FINAL) {
e2ab4353 3555 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 3556 l2cap_retransmit_frames(chan);
4ec10d97
GP		 3557 }
3558
1a09bcb9 3559 __set_ack_timer(chan);
c1b4f43b 3560
6a026610
GP		 3561 chan->num_acked = (chan->num_acked + 1) % num_to_ack;
3562 if (chan->num_acked == num_to_ack - 1)
525cd185 3563 l2cap_send_ack(chan);
9e917af1 3564
8f17154f 3565 return 0;
9b53350d
JPRV		 3566
3567drop:
3568 kfree_skb(skb);
3569 return 0;
1c2acffb
GP		 3570}
3571
525cd185 3572static inline void l2cap_data_channel_rrframe(struct l2cap_chan *chan, u16 rx_control)
1c2acffb 3573{
49208c9c 3574 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, __get_reqseq(rx_control),
0e98958d
GP		 3575 rx_control);
3576
42e5c802
GP		 3577 chan->expected_ack_seq = __get_reqseq(rx_control);
3578 l2cap_drop_acked_frames(chan);
1c2acffb 3579
e072745f 3580 if (rx_control & L2CAP_CTRL_POLL) {
e2ab4353
GP		 3581 set_bit(CONN_SEND_FBIT, &chan->conn_state);
3582 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3583 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
6a026610 3584 (chan->unacked_frames > 0))
1a09bcb9 3585 __set_retrans_timer(chan);
05fbd89d 3586
e2ab4353 3587 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
525cd185 3588 l2cap_send_srejtail(chan);
05fbd89d 3589 } else {
525cd185 3590 l2cap_send_i_or_rr_or_rnr(chan);
05fbd89d 3591 }
1d8f5d16 3592
e072745f 3593 } else if (rx_control & L2CAP_CTRL_FINAL) {
e2ab4353 3594 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4ec10d97 3595
e2ab4353 3596 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 3597 l2cap_retransmit_frames(chan);
2246b2f1 3598
e072745f 3599 } else {
e2ab4353 3600 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
6a026610 3601 (chan->unacked_frames > 0))
1a09bcb9 3602 __set_retrans_timer(chan);
1c2acffb 3603
e2ab4353
GP		 3604 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
3605 if (test_bit(CONN_SREJ_SENT, &chan->conn_state))
525cd185 3606 l2cap_send_ack(chan);
894718a6 3607 else
525cd185 3608 l2cap_ertm_send(chan);
e072745f
GP		 3609 }
3610}
2246b2f1 3611
525cd185 3612static inline void l2cap_data_channel_rejframe(struct l2cap_chan *chan, u16 rx_control)
e072745f 3613{
e072745f 3614 u8 tx_seq = __get_reqseq(rx_control);
30afb5b2 3615
525cd185 3616 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
0e98958d 3617
e2ab4353 3618 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
e072745f 3619
42e5c802
GP		 3620 chan->expected_ack_seq = tx_seq;
3621 l2cap_drop_acked_frames(chan);
e072745f
GP		 3622
3623 if (rx_control & L2CAP_CTRL_FINAL) {
e2ab4353 3624 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 3625 l2cap_retransmit_frames(chan);
e072745f 3626 } else {
525cd185 3627 l2cap_retransmit_frames(chan);
30afb5b2 3628
e2ab4353
GP		 3629 if (test_bit(CONN_WAIT_F, &chan->conn_state))
3630 set_bit(CONN_REJ_ACT, &chan->conn_state);
e072745f
GP		 3631 }
3632}
525cd185 3633static inline void l2cap_data_channel_srejframe(struct l2cap_chan *chan, u16 rx_control)
e072745f 3634{
e072745f 3635 u8 tx_seq = __get_reqseq(rx_control);
30afb5b2 3636
525cd185 3637 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
0e98958d 3638
e2ab4353 3639 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
2246b2f1 3640
e072745f 3641 if (rx_control & L2CAP_CTRL_POLL) {
42e5c802
GP		 3642 chan->expected_ack_seq = tx_seq;
3643 l2cap_drop_acked_frames(chan);
3cb123d1 3644
e2ab4353 3645 set_bit(CONN_SEND_FBIT, &chan->conn_state);
525cd185 3646 l2cap_retransmit_one_frame(chan, tx_seq);
dfc909be 3647
525cd185 3648 l2cap_ertm_send(chan);
dfc909be 3649
e2ab4353 3650 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
6a026610 3651 chan->srej_save_reqseq = tx_seq;
e2ab4353 3652 set_bit(CONN_SREJ_ACT, &chan->conn_state);
ef54fd93 3653 }
e072745f 3654 } else if (rx_control & L2CAP_CTRL_FINAL) {
e2ab4353 3655 if (test_bit(CONN_SREJ_ACT, &chan->conn_state) &&
6a026610 3656 chan->srej_save_reqseq == tx_seq)
e2ab4353 3657 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
e072745f 3658 else
525cd185 3659 l2cap_retransmit_one_frame(chan, tx_seq);
e072745f 3660 } else {
525cd185 3661 l2cap_retransmit_one_frame(chan, tx_seq);
e2ab4353 3662 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
6a026610 3663 chan->srej_save_reqseq = tx_seq;
e2ab4353 3664 set_bit(CONN_SREJ_ACT, &chan->conn_state);
ef54fd93 3665 }
e072745f
GP		 3666 }
3667}
3668
525cd185 3669static inline void l2cap_data_channel_rnrframe(struct l2cap_chan *chan, u16 rx_control)
e072745f 3670{
e072745f
GP		 3671 u8 tx_seq = __get_reqseq(rx_control);
3672
525cd185 3673 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
0e98958d 3674
e2ab4353 3675 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
42e5c802
GP		 3676 chan->expected_ack_seq = tx_seq;
3677 l2cap_drop_acked_frames(chan);
e072745f 3678
3cb123d1 3679 if (rx_control & L2CAP_CTRL_POLL)
e2ab4353 3680 set_bit(CONN_SEND_FBIT, &chan->conn_state);
3cb123d1 3681
e2ab4353 3682 if (!test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
1a09bcb9 3683 __clear_retrans_timer(chan);
a2e12a2a 3684 if (rx_control & L2CAP_CTRL_POLL)
525cd185 3685 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_FINAL);
99b0d4b7 3686 return;
e072745f 3687 }
99b0d4b7
GP		 3688
3689 if (rx_control & L2CAP_CTRL_POLL)
525cd185 3690 l2cap_send_srejtail(chan);
99b0d4b7 3691 else
525cd185 3692 l2cap_send_sframe(chan, L2CAP_SUPER_RCV_READY);
e072745f
GP		 3693}
3694
525cd185 3695static inline int l2cap_data_channel_sframe(struct l2cap_chan *chan, u16 rx_control, struct sk_buff *skb)
e072745f 3696{
525cd185 3697 BT_DBG("chan %p rx_control 0x%4.4x len %d", chan, rx_control, skb->len);
e072745f 3698
9b16dc65 3699 if (L2CAP_CTRL_FINAL & rx_control &&
e2ab4353 3700 test_bit(CONN_WAIT_F, &chan->conn_state)) {
1a09bcb9 3701 __clear_monitor_timer(chan);
6a026610 3702 if (chan->unacked_frames > 0)
1a09bcb9 3703 __set_retrans_timer(chan);
e2ab4353 3704 clear_bit(CONN_WAIT_F, &chan->conn_state);
e072745f
GP		 3705 }
3706
3707 switch (rx_control & L2CAP_CTRL_SUPERVISE) {
3708 case L2CAP_SUPER_RCV_READY:
525cd185 3709 l2cap_data_channel_rrframe(chan, rx_control);
8f17154f
GP		 3710 break;
3711
e072745f 3712 case L2CAP_SUPER_REJECT:
525cd185 3713 l2cap_data_channel_rejframe(chan, rx_control);
e072745f 3714 break;
2246b2f1 3715
e072745f 3716 case L2CAP_SUPER_SELECT_REJECT:
525cd185 3717 l2cap_data_channel_srejframe(chan, rx_control);
e072745f
GP		 3718 break;
3719
3720 case L2CAP_SUPER_RCV_NOT_READY:
525cd185 3721 l2cap_data_channel_rnrframe(chan, rx_control);
1c2acffb
GP		 3722 break;
3723 }
3724
faaebd19 3725 kfree_skb(skb);
1c2acffb
GP		 3726 return 0;
3727}
3728
218bb9df
GP		 3729static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb)
3730{
525cd185 3731 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
218bb9df
GP		 3732 u16 control;
3733 u8 req_seq;
3734 int len, next_tx_seq_offset, req_seq_offset;
3735
3736 control = get_unaligned_le16(skb->data);
3737 skb_pull(skb, 2);
3738 len = skb->len;
3739
3740 /*
3741 * We can just drop the corrupted I-frame here.
3742 * Receiver will miss it and start proper recovery
3743 * procedures and ask retransmission.
3744 */
47d1ec61 3745 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 3746 goto drop;
3747
3748 if (__is_sar_start(control) && __is_iframe(control))
3749 len -= 2;
3750
47d1ec61 3751 if (chan->fcs == L2CAP_FCS_CRC16)
218bb9df
GP		 3752 len -= 2;
3753
47d1ec61 3754 if (len > chan->mps) {
8c1d787b 3755 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3756 goto drop;
3757 }
3758
3759 req_seq = __get_reqseq(control);
42e5c802 3760 req_seq_offset = (req_seq - chan->expected_ack_seq) % 64;
218bb9df
GP		 3761 if (req_seq_offset < 0)
3762 req_seq_offset += 64;
3763
3764 next_tx_seq_offset =
42e5c802 3765 (chan->next_tx_seq - chan->expected_ack_seq) % 64;
218bb9df
GP		 3766 if (next_tx_seq_offset < 0)
3767 next_tx_seq_offset += 64;
3768
3769 /* check for invalid req-seq */
3770 if (req_seq_offset > next_tx_seq_offset) {
8c1d787b 3771 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3772 goto drop;
3773 }
3774
3775 if (__is_iframe(control)) {
3776 if (len < 0) {
8c1d787b 3777 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3778 goto drop;
3779 }
3780
525cd185 3781 l2cap_data_channel_iframe(chan, control, skb);
218bb9df
GP		 3782 } else {
3783 if (len != 0) {
3784 BT_ERR("%d", len);
8c1d787b 3785 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3786 goto drop;
3787 }
3788
525cd185 3789 l2cap_data_channel_sframe(chan, control, skb);
218bb9df
GP		 3790 }
3791
3792 return 0;
3793
3794drop:
3795 kfree_skb(skb);
3796 return 0;
3797}
3798
1da177e4
LT		 3799static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
3800{
48454079 3801 struct l2cap_chan *chan;
bf734843 3802 struct sock *sk = NULL;
51893f88 3803 u16 control;
218bb9df
GP		 3804 u8 tx_seq;
3805 int len;
1da177e4 3806
baa7e1fa 3807 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 3808 if (!chan) {
1da177e4
LT		 3809 BT_DBG("unknown cid 0x%4.4x", cid);
3810 goto drop;
3811 }
3812
48454079 3813 sk = chan->sk;
6840ed07 3814
49208c9c 3815 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 3816
89bc500e 3817 if (chan->state != BT_CONNECTED)
1da177e4
LT		 3818 goto drop;
3819
0c1bc5c6 3820 switch (chan->mode) {
1c2acffb
GP		 3821 case L2CAP_MODE_BASIC:
3822 /* If socket recv buffers overflows we drop data here
3823 * which is *bad* because L2CAP has to be reliable.
3824 * But we don't have any other choice. L2CAP doesn't
3825 * provide flow control mechanism. */
1da177e4 3826
0c1bc5c6 3827 if (chan->imtu < skb->len)
1c2acffb 3828 goto drop;
1da177e4 3829
23070494 3830 if (!chan->ops->recv(chan->data, skb))
1c2acffb
GP		 3831 goto done;
3832 break;
3833
3834 case L2CAP_MODE_ERTM:
218bb9df
GP		 3835 if (!sock_owned_by_user(sk)) {
3836 l2cap_ertm_data_rcv(sk, skb);
277ffbe3 3837 } else {
218bb9df 3838 if (sk_add_backlog(sk, skb))
277ffbe3 3839 goto drop;
277ffbe3 3840 }
1c2acffb 3841
fcafde2e 3842 goto done;
1c2acffb 3843
6840ed07
GP		 3844 case L2CAP_MODE_STREAMING:
3845 control = get_unaligned_le16(skb->data);
3846 skb_pull(skb, 2);
3847 len = skb->len;
3848
47d1ec61 3849 if (l2cap_check_fcs(chan, skb))
26000089
GP		 3850 goto drop;
3851
6840ed07
GP		 3852 if (__is_sar_start(control))
3853 len -= 2;
3854
47d1ec61 3855 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3
GP		 3856 len -= 2;
3857
47d1ec61 3858 if (len > chan->mps || len < 0 || __is_sframe(control))
6840ed07
GP		 3859 goto drop;
3860
3861 tx_seq = __get_txseq(control);
3862
42e5c802
GP		 3863 if (chan->expected_tx_seq == tx_seq)
3864 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
6840ed07 3865 else
42e5c802 3866 chan->expected_tx_seq = (tx_seq + 1) % 64;
6840ed07 3867
525cd185 3868 l2cap_streaming_reassembly_sdu(chan, skb, control);
6840ed07
GP		 3869
3870 goto done;
3871
1c2acffb 3872 default:
0c1bc5c6 3873 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 3874 break;
3875 }
1da177e4
LT		 3876
3877drop:
3878 kfree_skb(skb);
3879
3880done:
0139418c
MH		 3881 if (sk)
3882 bh_unlock_sock(sk);
3883
1da177e4
LT		 3884 return 0;
3885}
3886
8e036fc3 3887static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
1da177e4 3888{
6dcae1ea 3889 struct sock *sk = NULL;
23691d75 3890 struct l2cap_chan *chan;
1da177e4 3891
23691d75
GP		 3892 chan = l2cap_global_chan_by_psm(0, psm, conn->src);
3893 if (!chan)
1da177e4
LT		 3894 goto drop;
3895
23691d75
GP		 3896 sk = chan->sk;
3897
e0f0cb56
GP		 3898 bh_lock_sock(sk);
3899
1da177e4
LT		 3900 BT_DBG("sk %p, len %d", sk, skb->len);
3901
89bc500e 3902 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 3903 goto drop;
3904
e13e21dc 3905 if (chan->imtu < skb->len)
1da177e4
LT		 3906 goto drop;
3907
23070494 3908 if (!chan->ops->recv(chan->data, skb))
1da177e4
LT		 3909 goto done;
3910
3911drop:
3912 kfree_skb(skb);
3913
3914done:
af05b30b
GP		 3915 if (sk)
3916 bh_unlock_sock(sk);
1da177e4
LT		 3917 return 0;
3918}
3919
9f69bda6
GP		 3920static inline int l2cap_att_channel(struct l2cap_conn *conn, __le16 cid, struct sk_buff *skb)
3921{
6dcae1ea 3922 struct sock *sk = NULL;
23691d75 3923 struct l2cap_chan *chan;
9f69bda6 3924
23691d75
GP		 3925 chan = l2cap_global_chan_by_scid(0, cid, conn->src);
3926 if (!chan)
9f69bda6
GP		 3927 goto drop;
3928
23691d75
GP		 3929 sk = chan->sk;
3930
9f69bda6
GP		 3931 bh_lock_sock(sk);
3932
3933 BT_DBG("sk %p, len %d", sk, skb->len);
3934
89bc500e 3935 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
9f69bda6
GP		 3936 goto drop;
3937
e13e21dc 3938 if (chan->imtu < skb->len)
9f69bda6
GP		 3939 goto drop;
3940
23070494 3941 if (!chan->ops->recv(chan->data, skb))
9f69bda6
GP		 3942 goto done;
3943
3944drop:
3945 kfree_skb(skb);
3946
3947done:
3948 if (sk)
3949 bh_unlock_sock(sk);
3950 return 0;
3951}
3952
1da177e4
LT		 3953static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
3954{
3955 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 3956 u16 cid, len;
3957 __le16 psm;
1da177e4
LT		 3958
3959 skb_pull(skb, L2CAP_HDR_SIZE);
3960 cid = __le16_to_cpu(lh->cid);
3961 len = __le16_to_cpu(lh->len);
3962
1c2acffb
GP		 3963 if (len != skb->len) {
3964 kfree_skb(skb);
3965 return;
3966 }
3967
1da177e4
LT		 3968 BT_DBG("len %d, cid 0x%4.4x", len, cid);
3969
3970 switch (cid) {
3300d9a9 3971 case L2CAP_CID_LE_SIGNALING:
8db4dc46 3972 case L2CAP_CID_SIGNALING:
1da177e4
LT		 3973 l2cap_sig_channel(conn, skb);
3974 break;
3975
8db4dc46 3976 case L2CAP_CID_CONN_LESS:
1b7bf4ed 3977 psm = get_unaligned_le16(skb->data);
1da177e4
LT		 3978 skb_pull(skb, 2);
3979 l2cap_conless_channel(conn, psm, skb);
3980 break;
3981
9f69bda6
GP		 3982 case L2CAP_CID_LE_DATA:
3983 l2cap_att_channel(conn, cid, skb);
3984 break;
3985
b501d6a1
AB		 3986 case L2CAP_CID_SMP:
3987 if (smp_sig_channel(conn, skb))
3988 l2cap_conn_del(conn->hcon, EACCES);
3989 break;
3990
1da177e4
LT		 3991 default:
3992 l2cap_data_channel(conn, cid, skb);
3993 break;
3994 }
3995}
3996
3997/* ---- L2CAP interface with lower layer (HCI) ---- */
3998
3999static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
4000{
4001 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 4002 struct l2cap_chan *c;
1da177e4
LT		 4003
4004 if (type != ACL_LINK)
963cf687 4005 return -EINVAL;
1da177e4
LT		 4006
4007 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
4008
4009 /* Find listening sockets and check their link_mode */
23691d75
GP		 4010 read_lock(&chan_list_lock);
4011 list_for_each_entry(c, &chan_list, global_l) {
4012 struct sock *sk = c->sk;
4343478f 4013
89bc500e 4014 if (c->state != BT_LISTEN)
1da177e4
LT		 4015 continue;
4016
4017 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 4018 lm1 |= HCI_LM_ACCEPT;
23691d75 4019 if (c->role_switch)
2af6b9d5 4020 lm1 |= HCI_LM_MASTER;
1da177e4 4021 exact++;
2af6b9d5
MH		 4022 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
4023 lm2 |= HCI_LM_ACCEPT;
23691d75 4024 if (c->role_switch)
2af6b9d5
MH		 4025 lm2 |= HCI_LM_MASTER;
4026 }
1da177e4 4027 }
23691d75 4028 read_unlock(&chan_list_lock);
1da177e4
LT		 4029
4030 return exact ? lm1 : lm2;
4031}
4032
4033static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
4034{
0139418c
MH		 4035 struct l2cap_conn *conn;
4036
1da177e4
LT		 4037 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
4038
acd7d370 4039 if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK))
963cf687 4040 return -EINVAL;
1da177e4
LT		 4041
4042 if (!status) {
1da177e4
LT		 4043 conn = l2cap_conn_add(hcon, status);
4044 if (conn)
4045 l2cap_conn_ready(conn);
0139418c 4046 } else
e175072f 4047 l2cap_conn_del(hcon, bt_to_errno(status));
1da177e4
LT		 4048
4049 return 0;
4050}
4051
2950f21a
MH		 4052static int l2cap_disconn_ind(struct hci_conn *hcon)
4053{
4054 struct l2cap_conn *conn = hcon->l2cap_data;
4055
4056 BT_DBG("hcon %p", hcon);
4057
b5694506 4058 if ((hcon->type != ACL_LINK && hcon->type != LE_LINK) || !conn)
2950f21a
MH		 4059 return 0x13;
4060
4061 return conn->disc_reason;
4062}
4063
4064static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 4065{
4066 BT_DBG("hcon %p reason %d", hcon, reason);
4067
acd7d370 4068 if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK))
963cf687 4069 return -EINVAL;
1da177e4 4070
e175072f 4071 l2cap_conn_del(hcon, bt_to_errno(reason));
0139418c 4072
1da177e4
LT		 4073 return 0;
4074}
4075
4343478f 4076static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 4077{
715ec005 4078 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 4079 return;
4080
f62e4323 4081 if (encrypt == 0x00) {
4343478f 4082 if (chan->sec_level == BT_SECURITY_MEDIUM) {
c9b66675
GP		 4083 __clear_chan_timer(chan);
4084 __set_chan_timer(chan, HZ * 5);
4343478f 4085 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 4086 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 4087 } else {
4343478f 4088 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 4089 __clear_chan_timer(chan);
f62e4323
MH		 4090 }
4091}
4092
8c1b2355 4093static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 4094{
0139418c 4095 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 4096 struct l2cap_chan *chan;
1da177e4 4097
0139418c 4098 if (!conn)
1da177e4 4099 return 0;
0139418c 4100
1da177e4
LT		 4101 BT_DBG("conn %p", conn);
4102
160dc6ac
VCG		 4103 if (hcon->type == LE_LINK) {
4104 smp_distribute_keys(conn, 0);
4105 del_timer(&conn->security_timer);
4106 }
4107
baa7e1fa 4108 read_lock(&conn->chan_lock);
1da177e4 4109
baa7e1fa 4110 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 4111 struct sock *sk = chan->sk;
baa7e1fa 4112
1da177e4
LT		 4113 bh_lock_sock(sk);
4114
f1cb9af5
VCG		 4115 BT_DBG("chan->scid %d", chan->scid);
4116
4117 if (chan->scid == L2CAP_CID_LE_DATA) {
4118 if (!status && encrypt) {
4119 chan->sec_level = hcon->sec_level;
4120 l2cap_chan_ready(sk);
4121 }
4122
4123 bh_unlock_sock(sk);
4124 continue;
4125 }
4126
c1360a1c 4127 if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
6a8d3010
MH		 4128 bh_unlock_sock(sk);
4129 continue;
4130 }
4131
89bc500e
GP		 4132 if (!status && (chan->state == BT_CONNECTED ||
4133 chan->state == BT_CONFIG)) {
4343478f 4134 l2cap_check_encryption(chan, encrypt);
9719f8af
MH		 4135 bh_unlock_sock(sk);
4136 continue;
4137 }
4138
89bc500e 4139 if (chan->state == BT_CONNECT) {
b1235d79
MH		 4140 if (!status) {
4141 struct l2cap_conn_req req;
fe4128e0
GP		 4142 req.scid = cpu_to_le16(chan->scid);
4143 req.psm = chan->psm;
1da177e4 4144
fc7f8a7e 4145 chan->ident = l2cap_get_ident(conn);
c1360a1c 4146 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4 4147
fc7f8a7e 4148 l2cap_send_cmd(conn, chan->ident,
b1235d79
MH		 4149 L2CAP_CONN_REQ, sizeof(req), &req);
4150 } else {
c9b66675
GP		 4151 __clear_chan_timer(chan);
4152 __set_chan_timer(chan, HZ / 10);
b1235d79 4153 }
89bc500e 4154 } else if (chan->state == BT_CONNECT2) {
b1235d79 4155 struct l2cap_conn_rsp rsp;
df3c3931 4156 __u16 res, stat;
1da177e4 4157
b1235d79 4158 if (!status) {
df3c3931
JH		 4159 if (bt_sk(sk)->defer_setup) {
4160 struct sock *parent = bt_sk(sk)->parent;
4161 res = L2CAP_CR_PEND;
4162 stat = L2CAP_CS_AUTHOR_PEND;
05e9a2f6
IK		 4163 if (parent)
4164 parent->sk_data_ready(parent, 0);
df3c3931 4165 } else {
05558911 4166 l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 4167 res = L2CAP_CR_SUCCESS;
4168 stat = L2CAP_CS_NO_INFO;
4169 }
b1235d79 4170 } else {
89bc500e 4171 l2cap_state_change(chan, BT_DISCONN);
c9b66675 4172 __set_chan_timer(chan, HZ / 10);
df3c3931
JH		 4173 res = L2CAP_CR_SEC_BLOCK;
4174 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 4175 }
4176
fe4128e0
GP		 4177 rsp.scid = cpu_to_le16(chan->dcid);
4178 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 4179 rsp.result = cpu_to_le16(res);
4180 rsp.status = cpu_to_le16(stat);
fc7f8a7e
GP		 4181 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
4182 sizeof(rsp), &rsp);
b1235d79 4183 }
1da177e4
LT		 4184
4185 bh_unlock_sock(sk);
4186 }
4187
baa7e1fa 4188 read_unlock(&conn->chan_lock);
b1235d79 4189
1da177e4
LT		 4190 return 0;
4191}
4192
4193static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
4194{
4195 struct l2cap_conn *conn = hcon->l2cap_data;
4196
5a08ecce
AE		 4197 if (!conn)
4198 conn = l2cap_conn_add(hcon, 0);
4199
4200 if (!conn)
1da177e4
LT		 4201 goto drop;
4202
4203 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
4204
e702112f 4205 if (!(flags & ACL_CONT)) {
1da177e4 4206 struct l2cap_hdr *hdr;
48454079 4207 struct l2cap_chan *chan;
89794813 4208 u16 cid;
1da177e4
LT		 4209 int len;
4210
4211 if (conn->rx_len) {
4212 BT_ERR("Unexpected start frame (len %d)", skb->len);
4213 kfree_skb(conn->rx_skb);
4214 conn->rx_skb = NULL;
4215 conn->rx_len = 0;
4216 l2cap_conn_unreliable(conn, ECOMM);
4217 }
4218
aae7fe22
AE		 4219 /* Start fragment always begin with Basic L2CAP header */
4220 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 4221 BT_ERR("Frame is too short (len %d)", skb->len);
4222 l2cap_conn_unreliable(conn, ECOMM);
4223 goto drop;
4224 }
4225
4226 hdr = (struct l2cap_hdr *) skb->data;
4227 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
89794813 4228 cid = __le16_to_cpu(hdr->cid);
1da177e4
LT		 4229
4230 if (len == skb->len) {
4231 /* Complete frame received */
4232 l2cap_recv_frame(conn, skb);
4233 return 0;
4234 }
4235
4236 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
4237
4238 if (skb->len > len) {
4239 BT_ERR("Frame is too long (len %d, expected len %d)",
4240 skb->len, len);
4241 l2cap_conn_unreliable(conn, ECOMM);
4242 goto drop;
4243 }
4244
baa7e1fa 4245 chan = l2cap_get_chan_by_scid(conn, cid);
89794813 4246
48454079
GP		 4247 if (chan && chan->sk) {
4248 struct sock *sk = chan->sk;
89794813 4249
0c1bc5c6 4250 if (chan->imtu < len - L2CAP_HDR_SIZE) {
48454079
GP		 4251 BT_ERR("Frame exceeding recv MTU (len %d, "
4252 "MTU %d)", len,
0c1bc5c6 4253 chan->imtu);
48454079
GP		 4254 bh_unlock_sock(sk);
4255 l2cap_conn_unreliable(conn, ECOMM);
4256 goto drop;
4257 }
89794813 4258 bh_unlock_sock(sk);
48454079 4259 }
89794813 4260
1da177e4 4261 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 4262 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
4263 if (!conn->rx_skb)
1da177e4
LT		 4264 goto drop;
4265
d626f62b 4266 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4267 skb->len);
1da177e4
LT		 4268 conn->rx_len = len - skb->len;
4269 } else {
4270 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
4271
4272 if (!conn->rx_len) {
4273 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
4274 l2cap_conn_unreliable(conn, ECOMM);
4275 goto drop;
4276 }
4277
4278 if (skb->len > conn->rx_len) {
4279 BT_ERR("Fragment is too long (len %d, expected %d)",
4280 skb->len, conn->rx_len);
4281 kfree_skb(conn->rx_skb);
4282 conn->rx_skb = NULL;
4283 conn->rx_len = 0;
4284 l2cap_conn_unreliable(conn, ECOMM);
4285 goto drop;
4286 }
4287
d626f62b 4288 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4289 skb->len);
1da177e4
LT		 4290 conn->rx_len -= skb->len;
4291
4292 if (!conn->rx_len) {
4293 /* Complete frame received */
4294 l2cap_recv_frame(conn, conn->rx_skb);
4295 conn->rx_skb = NULL;
4296 }
4297 }
4298
4299drop:
4300 kfree_skb(skb);
4301 return 0;
4302}
4303
aef7d97c 4304static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 4305{
23691d75 4306 struct l2cap_chan *c;
1da177e4 4307
23691d75 4308 read_lock_bh(&chan_list_lock);
1da177e4 4309
23691d75
GP		 4310 list_for_each_entry(c, &chan_list, global_l) {
4311 struct sock *sk = c->sk;
101545f6 4312
903d343e 4313 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
aef7d97c
MH		 4314 batostr(&bt_sk(sk)->src),
4315 batostr(&bt_sk(sk)->dst),
89bc500e 4316 c->state, __le16_to_cpu(c->psm),
23691d75
GP		 4317 c->scid, c->dcid, c->imtu, c->omtu,
4318 c->sec_level, c->mode);
05558911 4319}
1da177e4 4320
23691d75 4321 read_unlock_bh(&chan_list_lock);
1da177e4 4322
aef7d97c 4323 return 0;
1da177e4
LT		 4324}
4325
aef7d97c
MH		 4326static int l2cap_debugfs_open(struct inode *inode, struct file *file)
4327{
4328 return single_open(file, l2cap_debugfs_show, inode->i_private);
4329}
4330
4331static const struct file_operations l2cap_debugfs_fops = {
4332 .open = l2cap_debugfs_open,
4333 .read = seq_read,
4334 .llseek = seq_lseek,
4335 .release = single_release,
4336};
4337
4338static struct dentry *l2cap_debugfs;
1da177e4 4339
1da177e4
LT		 4340static struct hci_proto l2cap_hci_proto = {
4341 .name = "L2CAP",
4342 .id = HCI_PROTO_L2CAP,
4343 .connect_ind = l2cap_connect_ind,
4344 .connect_cfm = l2cap_connect_cfm,
4345 .disconn_ind = l2cap_disconn_ind,
2950f21a 4346 .disconn_cfm = l2cap_disconn_cfm,
8c1b2355 4347 .security_cfm = l2cap_security_cfm,
1da177e4
LT		 4348 .recv_acldata = l2cap_recv_acldata
4349};
4350
64274518 4351int __init l2cap_init(void)
1da177e4
LT		 4352{
4353 int err;
be9d1227 4354
bb58f747 4355 err = l2cap_init_sockets();
1da177e4
LT		 4356 if (err < 0)
4357 return err;
4358
1da177e4
LT		 4359 err = hci_register_proto(&l2cap_hci_proto);
4360 if (err < 0) {
4361 BT_ERR("L2CAP protocol registration failed");
4362 bt_sock_unregister(BTPROTO_L2CAP);
4363 goto error;
4364 }
4365
aef7d97c
MH		 4366 if (bt_debugfs) {
4367 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
4368 bt_debugfs, NULL, &l2cap_debugfs_fops);
4369 if (!l2cap_debugfs)
4370 BT_ERR("Failed to create L2CAP debug file");
4371 }
1da177e4 4372
1da177e4
LT		 4373 return 0;
4374
4375error:
bb58f747 4376 l2cap_cleanup_sockets();
1da177e4
LT		 4377 return err;
4378}
4379
64274518 4380void l2cap_exit(void)
1da177e4 4381{
aef7d97c 4382 debugfs_remove(l2cap_debugfs);
1da177e4 4383
1da177e4
LT		 4384 if (hci_unregister_proto(&l2cap_hci_proto) < 0)
4385 BT_ERR("L2CAP protocol unregistration failed");
4386
bb58f747 4387 l2cap_cleanup_sockets();
1da177e4
LT		 4388}
4389
d1c4a17d
GP		 4390module_param(disable_ertm, bool, 0644);
4391MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
kernel source for telekom puls (alcatel/mediatek)