projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Fix crash when setting a LE socket to ready
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
1da177e4
LT		 6
7 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License version 2 as
11 published by the Free Software Foundation;
12
13 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
14 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
15 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
16 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 17 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
18 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
19 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 20 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
21
8e87d142
YH		 22 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
23 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 24 SOFTWARE IS DISCLAIMED.
25*/
26
bb58f747 27/* Bluetooth L2CAP core. */
1da177e4 28
1da177e4
LT		 29#include <linux/module.h>
30
31#include <linux/types.h>
4fc268d2 32#include <linux/capability.h>
1da177e4
LT		 33#include <linux/errno.h>
34#include <linux/kernel.h>
1da177e4
LT		 35#include <linux/sched.h>
36#include <linux/slab.h>
37#include <linux/poll.h>
38#include <linux/fcntl.h>
39#include <linux/init.h>
40#include <linux/interrupt.h>
41#include <linux/socket.h>
42#include <linux/skbuff.h>
1da177e4 43#include <linux/list.h>
be9d1227 44#include <linux/device.h>
aef7d97c
MH		 45#include <linux/debugfs.h>
46#include <linux/seq_file.h>
af05b30b 47#include <linux/uaccess.h>
fcc203c3 48#include <linux/crc16.h>
1da177e4
LT		 49#include <net/sock.h>
50
51#include <asm/system.h>
1da177e4
LT		 52#include <asm/unaligned.h>
53
54#include <net/bluetooth/bluetooth.h>
55#include <net/bluetooth/hci_core.h>
56#include <net/bluetooth/l2cap.h>
b501d6a1 57#include <net/bluetooth/smp.h>
1da177e4 58
bb58f747 59int disable_ertm;
f0709e03 60
47ec1dcd 61static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
e1027a7c 62static u8 l2cap_fixed_chan[8] = { 0x02, };
1da177e4 63
1890d36b
GP		 64static struct workqueue_struct *_busy_wq;
65
b5ad8b7f
JB		 66static LIST_HEAD(chan_list);
67static DEFINE_RWLOCK(chan_list_lock);
1da177e4 68
1890d36b
GP		 69static void l2cap_busy_work(struct work_struct *work);
70
1da177e4
LT		 71static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
72 u8 code, u8 ident, u16 dlen, void *data);
4519de9a
GP		 73static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
74 void *data);
710f9b0a 75static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
4519de9a
GP		 76static void l2cap_send_disconn_req(struct l2cap_conn *conn,
77 struct l2cap_chan *chan, int err);
1da177e4 78
218bb9df
GP		 79static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb);
80
0139418c 81/* ---- L2CAP channels ---- */
71ba0e56
GP		 82
83static inline void chan_hold(struct l2cap_chan *c)
84{
85 atomic_inc(&c->refcnt);
86}
87
88static inline void chan_put(struct l2cap_chan *c)
89{
90 if (atomic_dec_and_test(&c->refcnt))
91 kfree(c);
92}
93
baa7e1fa 94static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
0139418c 95{
48454079 96 struct l2cap_chan *c;
baa7e1fa
GP		 97
98 list_for_each_entry(c, &conn->chan_l, list) {
fe4128e0 99 if (c->dcid == cid)
baa7e1fa 100 return c;
0139418c 101 }
baa7e1fa
GP		 102 return NULL;
103
0139418c
MH		 104}
105
baa7e1fa 106static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 107{
48454079 108 struct l2cap_chan *c;
baa7e1fa
GP		 109
110 list_for_each_entry(c, &conn->chan_l, list) {
fe4128e0 111 if (c->scid == cid)
baa7e1fa 112 return c;
0139418c 113 }
baa7e1fa 114 return NULL;
0139418c
MH		 115}
116
117/* Find channel with given SCID.
118 * Returns locked socket */
baa7e1fa 119static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 120{
48454079 121 struct l2cap_chan *c;
baa7e1fa
GP		 122
123 read_lock(&conn->chan_lock);
124 c = __l2cap_get_chan_by_scid(conn, cid);
48454079
GP		 125 if (c)
126 bh_lock_sock(c->sk);
baa7e1fa 127 read_unlock(&conn->chan_lock);
48454079 128 return c;
0139418c
MH		 129}
130
baa7e1fa 131static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 132{
48454079 133 struct l2cap_chan *c;
baa7e1fa
GP		 134
135 list_for_each_entry(c, &conn->chan_l, list) {
fc7f8a7e 136 if (c->ident == ident)
baa7e1fa 137 return c;
0139418c 138 }
baa7e1fa 139 return NULL;
0139418c
MH		 140}
141
baa7e1fa 142static inline struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 143{
48454079 144 struct l2cap_chan *c;
baa7e1fa
GP		 145
146 read_lock(&conn->chan_lock);
147 c = __l2cap_get_chan_by_ident(conn, ident);
48454079
GP		 148 if (c)
149 bh_lock_sock(c->sk);
baa7e1fa 150 read_unlock(&conn->chan_lock);
48454079 151 return c;
0139418c
MH		 152}
153
23691d75 154static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 155{
23691d75 156 struct l2cap_chan *c;
9e4425ff 157
23691d75
GP		 158 list_for_each_entry(c, &chan_list, global_l) {
159 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
9e4425ff
GP		 160 goto found;
161 }
162
23691d75 163 c = NULL;
9e4425ff 164found:
23691d75 165 return c;
9e4425ff
GP		 166}
167
168int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
169{
73b2ec18
GP		 170 int err;
171
23691d75 172 write_lock_bh(&chan_list_lock);
9e4425ff 173
23691d75 174 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 175 err = -EADDRINUSE;
176 goto done;
9e4425ff
GP		 177 }
178
73b2ec18
GP		 179 if (psm) {
180 chan->psm = psm;
181 chan->sport = psm;
182 err = 0;
183 } else {
184 u16 p;
185
186 err = -EINVAL;
187 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 188 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 189 chan->psm = cpu_to_le16(p);
190 chan->sport = cpu_to_le16(p);
191 err = 0;
192 break;
193 }
194 }
9e4425ff 195
73b2ec18 196done:
23691d75 197 write_unlock_bh(&chan_list_lock);
73b2ec18 198 return err;
9e4425ff
GP		 199}
200
201int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
202{
23691d75 203 write_lock_bh(&chan_list_lock);
9e4425ff
GP		 204
205 chan->scid = scid;
206
23691d75 207 write_unlock_bh(&chan_list_lock);
9e4425ff
GP		 208
209 return 0;
210}
211
baa7e1fa 212static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 213{
8db4dc46 214 u16 cid = L2CAP_CID_DYN_START;
0139418c 215
8db4dc46 216 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 217 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 218 return cid;
219 }
220
221 return 0;
222}
223
c9b66675 224static void l2cap_set_timer(struct l2cap_chan *chan, struct timer_list *timer, long timeout)
ab07801d 225{
89bc500e
GP		 226 BT_DBG("chan %p state %d timeout %ld", chan->sk, chan->state, timeout);
227
c9b66675 228 if (!mod_timer(timer, jiffies + timeout))
71ba0e56 229 chan_hold(chan);
ab07801d
GP		 230}
231
c9b66675 232static void l2cap_clear_timer(struct l2cap_chan *chan, struct timer_list *timer)
ab07801d 233{
89bc500e 234 BT_DBG("chan %p state %d", chan, chan->state);
ab07801d 235
c9b66675 236 if (timer_pending(timer) && del_timer(timer))
71ba0e56 237 chan_put(chan);
ab07801d
GP		 238}
239
89bc500e
GP		 240static void l2cap_state_change(struct l2cap_chan *chan, int state)
241{
242 chan->state = state;
243 chan->ops->state_change(chan->data, state);
244}
245
ab07801d
GP		 246static void l2cap_chan_timeout(unsigned long arg)
247{
248 struct l2cap_chan *chan = (struct l2cap_chan *) arg;
249 struct sock *sk = chan->sk;
250 int reason;
251
89bc500e 252 BT_DBG("chan %p state %d", chan, chan->state);
ab07801d
GP		 253
254 bh_lock_sock(sk);
255
256 if (sock_owned_by_user(sk)) {
257 /* sk is owned by user. Try again later */
c9b66675 258 __set_chan_timer(chan, HZ / 5);
ab07801d 259 bh_unlock_sock(sk);
71ba0e56 260 chan_put(chan);
ab07801d
GP		 261 return;
262 }
263
89bc500e 264 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 265 reason = ECONNREFUSED;
89bc500e 266 else if (chan->state == BT_CONNECT &&
ab07801d
GP		 267 chan->sec_level != BT_SECURITY_SDP)
268 reason = ECONNREFUSED;
269 else
270 reason = ETIMEDOUT;
271
0f852724 272 l2cap_chan_close(chan, reason);
ab07801d
GP		 273
274 bh_unlock_sock(sk);
275
ba3bd0ee 276 chan->ops->close(chan->data);
71ba0e56 277 chan_put(chan);
ab07801d
GP		 278}
279
23691d75 280struct l2cap_chan *l2cap_chan_create(struct sock *sk)
48454079
GP		 281{
282 struct l2cap_chan *chan;
283
284 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
285 if (!chan)
286 return NULL;
287
288 chan->sk = sk;
289
23691d75
GP		 290 write_lock_bh(&chan_list_lock);
291 list_add(&chan->global_l, &chan_list);
292 write_unlock_bh(&chan_list_lock);
293
ab07801d
GP		 294 setup_timer(&chan->chan_timer, l2cap_chan_timeout, (unsigned long) chan);
295
89bc500e
GP		 296 chan->state = BT_OPEN;
297
71ba0e56
GP		 298 atomic_set(&chan->refcnt, 1);
299
48454079
GP		 300 return chan;
301}
302
23691d75 303void l2cap_chan_destroy(struct l2cap_chan *chan)
6ff5abbf 304{
23691d75
GP		 305 write_lock_bh(&chan_list_lock);
306 list_del(&chan->global_l);
307 write_unlock_bh(&chan_list_lock);
308
71ba0e56 309 chan_put(chan);
6ff5abbf
GP		 310}
311
48454079 312static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 313{
af05b30b 314 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
fe4128e0 315 chan->psm, chan->dcid);
0139418c 316
2950f21a
MH		 317 conn->disc_reason = 0x13;
318
8c1d787b 319 chan->conn = conn;
0139418c 320
715ec005 321 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
b62f328b
VT		 322 if (conn->hcon->type == LE_LINK) {
323 /* LE connection */
0c1bc5c6 324 chan->omtu = L2CAP_LE_DEFAULT_MTU;
fe4128e0
GP		 325 chan->scid = L2CAP_CID_LE_DATA;
326 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 327 } else {
328 /* Alloc CID for connection-oriented socket */
fe4128e0 329 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 330 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 331 }
715ec005 332 } else if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
0139418c 333 /* Connectionless socket */
fe4128e0
GP		 334 chan->scid = L2CAP_CID_CONN_LESS;
335 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 336 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 337 } else {
338 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 339 chan->scid = L2CAP_CID_SIGNALING;
340 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 341 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 342 }
343
71ba0e56 344 chan_hold(chan);
baa7e1fa
GP		 345
346 list_add(&chan->list, &conn->chan_l);
0139418c
MH		 347}
348
8e87d142 349/* Delete channel.
0139418c 350 * Must be called on the locked socket. */
4519de9a 351static void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 352{
48454079 353 struct sock *sk = chan->sk;
8c1d787b 354 struct l2cap_conn *conn = chan->conn;
0139418c
MH		 355 struct sock *parent = bt_sk(sk)->parent;
356
c9b66675 357 __clear_chan_timer(chan);
0139418c 358
49208c9c 359 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 360
8e87d142 361 if (conn) {
baa7e1fa
GP		 362 /* Delete from channel list */
363 write_lock_bh(&conn->chan_lock);
364 list_del(&chan->list);
365 write_unlock_bh(&conn->chan_lock);
71ba0e56 366 chan_put(chan);
baa7e1fa 367
8c1d787b 368 chan->conn = NULL;
0139418c
MH		 369 hci_conn_put(conn->hcon);
370 }
371
89bc500e 372 l2cap_state_change(chan, BT_CLOSED);
0139418c
MH		 373 sock_set_flag(sk, SOCK_ZAPPED);
374
375 if (err)
376 sk->sk_err = err;
377
378 if (parent) {
379 bt_accept_unlink(sk);
380 parent->sk_data_ready(parent, 0);
381 } else
382 sk->sk_state_change(sk);
c13ffa62 383
c1360a1c
GP		 384 if (!(test_bit(CONF_OUTPUT_DONE, &chan->conf_state) &&
385 test_bit(CONF_INPUT_DONE, &chan->conf_state)))
6ff5abbf 386 return;
2ead70b8 387
58d35f87 388 skb_queue_purge(&chan->tx_q);
c13ffa62 389
0c1bc5c6 390 if (chan->mode == L2CAP_MODE_ERTM) {
c13ffa62
GP		 391 struct srej_list *l, *tmp;
392
1a09bcb9
GP		 393 __clear_retrans_timer(chan);
394 __clear_monitor_timer(chan);
395 __clear_ack_timer(chan);
c13ffa62 396
f1c6775b
GP		 397 skb_queue_purge(&chan->srej_q);
398 skb_queue_purge(&chan->busy_q);
c13ffa62 399
39d5a3ee 400 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
c13ffa62
GP		 401 list_del(&l->list);
402 kfree(l);
403 }
404 }
0139418c
MH		 405}
406
4519de9a
GP		 407static void l2cap_chan_cleanup_listen(struct sock *parent)
408{
409 struct sock *sk;
410
411 BT_DBG("parent %p", parent);
412
413 /* Close not yet accepted channels */
0f852724 414 while ((sk = bt_accept_dequeue(parent, NULL))) {
ba3bd0ee 415 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
c9b66675 416 __clear_chan_timer(chan);
0f852724 417 lock_sock(sk);
ba3bd0ee 418 l2cap_chan_close(chan, ECONNRESET);
0f852724 419 release_sock(sk);
ba3bd0ee 420 chan->ops->close(chan->data);
0f852724 421 }
4519de9a
GP		 422}
423
0f852724 424void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 425{
426 struct l2cap_conn *conn = chan->conn;
427 struct sock *sk = chan->sk;
428
89bc500e 429 BT_DBG("chan %p state %d socket %p", chan, chan->state, sk->sk_socket);
4519de9a 430
89bc500e 431 switch (chan->state) {
4519de9a
GP		 432 case BT_LISTEN:
433 l2cap_chan_cleanup_listen(sk);
89bc500e
GP		 434
435 l2cap_state_change(chan, BT_CLOSED);
436 sock_set_flag(sk, SOCK_ZAPPED);
4519de9a
GP		 437 break;
438
439 case BT_CONNECTED:
440 case BT_CONFIG:
715ec005 441 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a 442 conn->hcon->type == ACL_LINK) {
c9b66675
GP		 443 __clear_chan_timer(chan);
444 __set_chan_timer(chan, sk->sk_sndtimeo);
4519de9a
GP		 445 l2cap_send_disconn_req(conn, chan, reason);
446 } else
447 l2cap_chan_del(chan, reason);
448 break;
449
450 case BT_CONNECT2:
715ec005 451 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a
GP		 452 conn->hcon->type == ACL_LINK) {
453 struct l2cap_conn_rsp rsp;
454 __u16 result;
455
456 if (bt_sk(sk)->defer_setup)
457 result = L2CAP_CR_SEC_BLOCK;
458 else
459 result = L2CAP_CR_BAD_PSM;
89bc500e 460 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 461
462 rsp.scid = cpu_to_le16(chan->dcid);
463 rsp.dcid = cpu_to_le16(chan->scid);
464 rsp.result = cpu_to_le16(result);
465 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
466 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
467 sizeof(rsp), &rsp);
468 }
469
470 l2cap_chan_del(chan, reason);
471 break;
472
473 case BT_CONNECT:
474 case BT_DISCONN:
475 l2cap_chan_del(chan, reason);
476 break;
477
478 default:
479 sock_set_flag(sk, SOCK_ZAPPED);
480 break;
481 }
482}
483
4343478f 484static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 485{
715ec005 486 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 487 switch (chan->sec_level) {
8556edd3
JH		 488 case BT_SECURITY_HIGH:
489 return HCI_AT_DEDICATED_BONDING_MITM;
490 case BT_SECURITY_MEDIUM:
491 return HCI_AT_DEDICATED_BONDING;
492 default:
493 return HCI_AT_NO_BONDING;
494 }
fe4128e0 495 } else if (chan->psm == cpu_to_le16(0x0001)) {
4343478f
GP		 496 if (chan->sec_level == BT_SECURITY_LOW)
497 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 498
4343478f 499 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 500 return HCI_AT_NO_BONDING_MITM;
00ae4af9 501 else
8556edd3 502 return HCI_AT_NO_BONDING;
00ae4af9 503 } else {
4343478f 504 switch (chan->sec_level) {
00ae4af9 505 case BT_SECURITY_HIGH:
8556edd3 506 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 507 case BT_SECURITY_MEDIUM:
8556edd3 508 return HCI_AT_GENERAL_BONDING;
00ae4af9 509 default:
8556edd3 510 return HCI_AT_NO_BONDING;
00ae4af9 511 }
0684e5f9 512 }
8556edd3
JH		 513}
514
515/* Service level security */
4343478f 516static inline int l2cap_check_security(struct l2cap_chan *chan)
8556edd3 517{
8c1d787b 518 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 519 __u8 auth_type;
520
4343478f 521 auth_type = l2cap_get_auth_type(chan);
79d554a6 522
4343478f 523 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 524}
525
b5ad8b7f 526static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 527{
528 u8 id;
529
530 /* Get next available identificator.
531 * 1 - 128 are used by kernel.
532 * 129 - 199 are reserved.
533 * 200 - 254 are used by utilities like l2ping, etc.
534 */
535
536 spin_lock_bh(&conn->lock);
537
538 if (++conn->tx_ident > 128)
539 conn->tx_ident = 1;
540
541 id = conn->tx_ident;
542
543 spin_unlock_bh(&conn->lock);
544
545 return id;
546}
547
4519de9a 548static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
4e8402a3
MH		 549{
550 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 551 u8 flags;
4e8402a3
MH		 552
553 BT_DBG("code 0x%2.2x", code);
554
555 if (!skb)
9a9c6a34 556 return;
4e8402a3 557
e702112f
AE		 558 if (lmp_no_flush_capable(conn->hcon->hdev))
559 flags = ACL_START_NO_FLUSH;
560 else
561 flags = ACL_START;
562
14b12d0b
JG		 563 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
564
e702112f 565 hci_send_acl(conn->hcon, skb, flags);
4e8402a3
MH		 566}
567
525cd185 568static inline void l2cap_send_sframe(struct l2cap_chan *chan, u16 control)
1c2acffb
GP		 569{
570 struct sk_buff *skb;
571 struct l2cap_hdr *lh;
8c1d787b 572 struct l2cap_conn *conn = chan->conn;
fcc203c3 573 int count, hlen = L2CAP_HDR_SIZE + 2;
e702112f 574 u8 flags;
fcc203c3 575
89bc500e 576 if (chan->state != BT_CONNECTED)
c13ffa62
GP		 577 return;
578
47d1ec61 579 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3 580 hlen += 2;
1c2acffb 581
49208c9c 582 BT_DBG("chan %p, control 0x%2.2x", chan, control);
1c2acffb 583
fcc203c3 584 count = min_t(unsigned int, conn->mtu, hlen);
1c2acffb
GP		 585 control |= L2CAP_CTRL_FRAME_TYPE;
586
e2ab4353 587 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
9e917af1 588 control |= L2CAP_CTRL_FINAL;
9e917af1 589
e2ab4353 590 if (test_and_clear_bit(CONN_SEND_PBIT, &chan->conn_state))
f0946ccf 591 control |= L2CAP_CTRL_POLL;
f0946ccf 592
1c2acffb
GP		 593 skb = bt_skb_alloc(count, GFP_ATOMIC);
594 if (!skb)
9a9c6a34 595 return;
1c2acffb
GP		 596
597 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fcc203c3 598 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
fe4128e0 599 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb
GP		 600 put_unaligned_le16(control, skb_put(skb, 2));
601
47d1ec61 602 if (chan->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 603 u16 fcs = crc16(0, (u8 *)lh, count - 2);
604 put_unaligned_le16(fcs, skb_put(skb, 2));
605 }
606
e702112f
AE		 607 if (lmp_no_flush_capable(conn->hcon->hdev))
608 flags = ACL_START_NO_FLUSH;
609 else
610 flags = ACL_START;
611
14b12d0b
JG		 612 bt_cb(skb)->force_active = chan->force_active;
613
8c1d787b 614 hci_send_acl(chan->conn->hcon, skb, flags);
1c2acffb
GP		 615}
616
525cd185 617static inline void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, u16 control)
7e743090 618{
e2ab4353 619 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
7e743090 620 control |= L2CAP_SUPER_RCV_NOT_READY;
e2ab4353 621 set_bit(CONN_RNR_SENT, &chan->conn_state);
1890d36b 622 } else
7e743090
GP		 623 control |= L2CAP_SUPER_RCV_READY;
624
42e5c802 625 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
2ab25cdd 626
525cd185 627 l2cap_send_sframe(chan, control);
7e743090
GP		 628}
629
b4450035 630static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 631{
c1360a1c 632 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 633}
634
fc7f8a7e 635static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 636{
8c1d787b 637 struct l2cap_conn *conn = chan->conn;
79d554a6
MH		 638
639 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 640 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
641 return;
642
4343478f
GP		 643 if (l2cap_check_security(chan) &&
644 __l2cap_no_conn_pending(chan)) {
b1235d79 645 struct l2cap_conn_req req;
fe4128e0
GP		 646 req.scid = cpu_to_le16(chan->scid);
647 req.psm = chan->psm;
79d554a6 648
fc7f8a7e 649 chan->ident = l2cap_get_ident(conn);
c1360a1c 650 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
79d554a6 651
fc7f8a7e
GP		 652 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
653 sizeof(req), &req);
b1235d79 654 }
79d554a6
MH		 655 } else {
656 struct l2cap_info_req req;
657 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
658
659 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
660 conn->info_ident = l2cap_get_ident(conn);
661
662 mod_timer(&conn->info_timer, jiffies +
663 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
664
665 l2cap_send_cmd(conn, conn->info_ident,
666 L2CAP_INFO_REQ, sizeof(req), &req);
667 }
668}
669
cf6c2c0b
GP		 670static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
671{
672 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 673 if (!disable_ertm)
cf6c2c0b
GP		 674 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
675
676 switch (mode) {
677 case L2CAP_MODE_ERTM:
678 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
679 case L2CAP_MODE_STREAMING:
680 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
681 default:
682 return 0x00;
683 }
684}
685
4519de9a 686static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
22121fc9 687{
e92c8e70 688 struct sock *sk;
22121fc9
GP		 689 struct l2cap_disconn_req req;
690
c13ffa62
GP		 691 if (!conn)
692 return;
693
e92c8e70
GP		 694 sk = chan->sk;
695
0c1bc5c6 696 if (chan->mode == L2CAP_MODE_ERTM) {
1a09bcb9
GP		 697 __clear_retrans_timer(chan);
698 __clear_monitor_timer(chan);
699 __clear_ack_timer(chan);
c13ffa62
GP		 700 }
701
fe4128e0
GP		 702 req.dcid = cpu_to_le16(chan->dcid);
703 req.scid = cpu_to_le16(chan->scid);
22121fc9
GP		 704 l2cap_send_cmd(conn, l2cap_get_ident(conn),
705 L2CAP_DISCONN_REQ, sizeof(req), &req);
c13ffa62 706
89bc500e 707 l2cap_state_change(chan, BT_DISCONN);
9b108fc0 708 sk->sk_err = err;
22121fc9
GP		 709}
710
1da177e4 711/* ---- L2CAP connections ---- */
4e8402a3
MH		 712static void l2cap_conn_start(struct l2cap_conn *conn)
713{
820ffdb3 714 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 715
716 BT_DBG("conn %p", conn);
717
baa7e1fa 718 read_lock(&conn->chan_lock);
4e8402a3 719
820ffdb3 720 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 721 struct sock *sk = chan->sk;
baa7e1fa 722
4e8402a3
MH		 723 bh_lock_sock(sk);
724
715ec005 725 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
79d554a6
MH		 726 bh_unlock_sock(sk);
727 continue;
728 }
729
89bc500e 730 if (chan->state == BT_CONNECT) {
47731de7 731 struct l2cap_conn_req req;
79d554a6 732
4343478f 733 if (!l2cap_check_security(chan) ||
b4450035 734 !__l2cap_no_conn_pending(chan)) {
47731de7
GP		 735 bh_unlock_sock(sk);
736 continue;
737 }
79d554a6 738
c1360a1c
GP		 739 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
740 && test_bit(CONF_STATE2_DEVICE,
741 &chan->conf_state)) {
0f852724 742 /* l2cap_chan_close() calls list_del(chan)
820ffdb3
GP		 743 * so release the lock */
744 read_unlock_bh(&conn->chan_lock);
89bc500e 745 l2cap_chan_close(chan, ECONNRESET);
820ffdb3 746 read_lock_bh(&conn->chan_lock);
47731de7
GP		 747 bh_unlock_sock(sk);
748 continue;
b1235d79 749 }
47731de7 750
fe4128e0
GP		 751 req.scid = cpu_to_le16(chan->scid);
752 req.psm = chan->psm;
47731de7 753
fc7f8a7e 754 chan->ident = l2cap_get_ident(conn);
c1360a1c 755 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
47731de7 756
fc7f8a7e
GP		 757 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
758 sizeof(req), &req);
47731de7 759
89bc500e 760 } else if (chan->state == BT_CONNECT2) {
79d554a6 761 struct l2cap_conn_rsp rsp;
e9aeb2dd 762 char buf[128];
fe4128e0
GP		 763 rsp.scid = cpu_to_le16(chan->dcid);
764 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 765
4343478f 766 if (l2cap_check_security(chan)) {
f66dc81f
MH		 767 if (bt_sk(sk)->defer_setup) {
768 struct sock *parent = bt_sk(sk)->parent;
769 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
770 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
771 parent->sk_data_ready(parent, 0);
772
773 } else {
89bc500e 774 l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 775 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
776 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
777 }
79d554a6
MH		 778 } else {
779 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
780 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
781 }
782
fc7f8a7e
GP		 783 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
784 sizeof(rsp), &rsp);
e9aeb2dd 785
c1360a1c 786 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
e9aeb2dd
GP		 787 rsp.result != L2CAP_CR_SUCCESS) {
788 bh_unlock_sock(sk);
789 continue;
790 }
791
c1360a1c 792 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 793 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 794 l2cap_build_conf_req(chan, buf), buf);
795 chan->num_conf_req++;
4e8402a3
MH		 796 }
797
798 bh_unlock_sock(sk);
799 }
800
baa7e1fa 801 read_unlock(&conn->chan_lock);
4e8402a3
MH		 802}
803
b62f328b
VT		 804/* Find socket with cid and source bdaddr.
805 * Returns closest match, locked.
806 */
23691d75 807static struct l2cap_chan *l2cap_global_chan_by_scid(int state, __le16 cid, bdaddr_t *src)
b62f328b 808{
23691d75 809 struct l2cap_chan *c, *c1 = NULL;
b62f328b 810
23691d75 811 read_lock(&chan_list_lock);
b62f328b 812
23691d75
GP		 813 list_for_each_entry(c, &chan_list, global_l) {
814 struct sock *sk = c->sk;
fe4128e0 815
89bc500e 816 if (state && c->state != state)
b62f328b
VT		 817 continue;
818
23691d75 819 if (c->scid == cid) {
b62f328b 820 /* Exact match. */
23691d75
GP		 821 if (!bacmp(&bt_sk(sk)->src, src)) {
822 read_unlock(&chan_list_lock);
823 return c;
824 }
b62f328b
VT		 825
826 /* Closest match */
827 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
23691d75 828 c1 = c;
b62f328b
VT		 829 }
830 }
280f294f 831
23691d75 832 read_unlock(&chan_list_lock);
b62f328b 833
23691d75 834 return c1;
b62f328b
VT		 835}
836
837static void l2cap_le_conn_ready(struct l2cap_conn *conn)
838{
c916fbe4 839 struct sock *parent, *sk;
23691d75 840 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 841
842 BT_DBG("");
843
844 /* Check if we have socket listening on cid */
23691d75 845 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
b62f328b 846 conn->src);
23691d75 847 if (!pchan)
b62f328b
VT		 848 return;
849
23691d75
GP		 850 parent = pchan->sk;
851
62f3a2cf
GP		 852 bh_lock_sock(parent);
853
b62f328b
VT		 854 /* Check for backlog size */
855 if (sk_acceptq_is_full(parent)) {
856 BT_DBG("backlog full %d", parent->sk_ack_backlog);
857 goto clean;
858 }
859
80808e43
GP		 860 chan = pchan->ops->new_connection(pchan->data);
861 if (!chan)
b62f328b
VT		 862 goto clean;
863
80808e43 864 sk = chan->sk;
5d41ce1d 865
baa7e1fa 866 write_lock_bh(&conn->chan_lock);
b62f328b
VT		 867
868 hci_conn_hold(conn->hcon);
869
b62f328b
VT		 870 bacpy(&bt_sk(sk)->src, conn->src);
871 bacpy(&bt_sk(sk)->dst, conn->dst);
872
d1010240
GP		 873 bt_accept_enqueue(parent, sk);
874
48454079
GP		 875 __l2cap_chan_add(conn, chan);
876
c9b66675 877 __set_chan_timer(chan, sk->sk_sndtimeo);
b62f328b 878
89bc500e 879 l2cap_state_change(chan, BT_CONNECTED);
b62f328b
VT		 880 parent->sk_data_ready(parent, 0);
881
baa7e1fa 882 write_unlock_bh(&conn->chan_lock);
b62f328b
VT		 883
884clean:
885 bh_unlock_sock(parent);
886}
887
f1cb9af5
VCG		 888static void l2cap_chan_ready(struct sock *sk)
889{
890 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
891 struct sock *parent = bt_sk(sk)->parent;
892
893 BT_DBG("sk %p, parent %p", sk, parent);
894
895 chan->conf_state = 0;
896 __clear_chan_timer(chan);
897
898 sk->sk_state = BT_CONNECTED;
899 sk->sk_state_change(sk);
900
901 if (parent)
902 parent->sk_data_ready(parent, 0);
903}
904
4e8402a3
MH		 905static void l2cap_conn_ready(struct l2cap_conn *conn)
906{
48454079 907 struct l2cap_chan *chan;
4e8402a3 908
79d554a6 909 BT_DBG("conn %p", conn);
4e8402a3 910
b62f328b
VT		 911 if (!conn->hcon->out && conn->hcon->type == LE_LINK)
912 l2cap_le_conn_ready(conn);
913
baa7e1fa 914 read_lock(&conn->chan_lock);
4e8402a3 915
baa7e1fa 916 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 917 struct sock *sk = chan->sk;
baa7e1fa 918
79d554a6 919 bh_lock_sock(sk);
4e8402a3 920
63128451 921 if (conn->hcon->type == LE_LINK) {
b501d6a1 922 if (smp_conn_security(conn, chan->sec_level))
f1cb9af5 923 l2cap_chan_ready(sk);
acd7d370 924
63128451 925 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 926 __clear_chan_timer(chan);
89bc500e 927 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 928 sk->sk_state_change(sk);
b501d6a1 929
89bc500e 930 } else if (chan->state == BT_CONNECT)
fc7f8a7e 931 l2cap_do_start(chan);
4e8402a3 932
79d554a6 933 bh_unlock_sock(sk);
4e8402a3 934 }
79d554a6 935
baa7e1fa 936 read_unlock(&conn->chan_lock);
4e8402a3
MH		 937}
938
939/* Notify sockets that we cannot guaranty reliability anymore */
940static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
941{
48454079 942 struct l2cap_chan *chan;
4e8402a3
MH		 943
944 BT_DBG("conn %p", conn);
945
baa7e1fa 946 read_lock(&conn->chan_lock);
4e8402a3 947
baa7e1fa 948 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 949 struct sock *sk = chan->sk;
baa7e1fa 950
4343478f 951 if (chan->force_reliable)
4e8402a3
MH		 952 sk->sk_err = err;
953 }
954
baa7e1fa 955 read_unlock(&conn->chan_lock);
4e8402a3
MH		 956}
957
958static void l2cap_info_timeout(unsigned long arg)
959{
960 struct l2cap_conn *conn = (void *) arg;
961
984947dc 962 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 963 conn->info_ident = 0;
984947dc 964
4e8402a3
MH		 965 l2cap_conn_start(conn);
966}
967
5d3de7df
VCG		 968static void l2cap_conn_del(struct hci_conn *hcon, int err)
969{
970 struct l2cap_conn *conn = hcon->l2cap_data;
971 struct l2cap_chan *chan, *l;
972 struct sock *sk;
973
974 if (!conn)
975 return;
976
977 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
978
979 kfree_skb(conn->rx_skb);
980
981 /* Kill channels */
982 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
983 sk = chan->sk;
984 bh_lock_sock(sk);
985 l2cap_chan_del(chan, err);
986 bh_unlock_sock(sk);
987 chan->ops->close(chan->data);
988 }
989
990 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
991 del_timer_sync(&conn->info_timer);
992
993 if (test_bit(HCI_CONN_ENCRYPT_PEND, &hcon->pend))
994 del_timer(&conn->security_timer);
995
996 hcon->l2cap_data = NULL;
997 kfree(conn);
998}
999
1000static void security_timeout(unsigned long arg)
1001{
1002 struct l2cap_conn *conn = (void *) arg;
1003
1004 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1005}
1006
1da177e4
LT		 1007static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1008{
0139418c 1009 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4 1010
0139418c 1011 if (conn || status)
1da177e4
LT		 1012 return conn;
1013
0139418c
MH		 1014 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
1015 if (!conn)
1da177e4 1016 return NULL;
1da177e4
LT		 1017
1018 hcon->l2cap_data = conn;
1019 conn->hcon = hcon;
1020
0139418c
MH		 1021 BT_DBG("hcon %p conn %p", hcon, conn);
1022
acd7d370
VT		 1023 if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
1024 conn->mtu = hcon->hdev->le_mtu;
1025 else
1026 conn->mtu = hcon->hdev->acl_mtu;
1027
1da177e4
LT		 1028 conn->src = &hcon->hdev->bdaddr;
1029 conn->dst = &hcon->dst;
1030
4e8402a3
MH		 1031 conn->feat_mask = 0;
1032
1da177e4 1033 spin_lock_init(&conn->lock);
baa7e1fa
GP		 1034 rwlock_init(&conn->chan_lock);
1035
1036 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 1037
5d3de7df
VCG		 1038 if (hcon->type == LE_LINK)
1039 setup_timer(&conn->security_timer, security_timeout,
1040 (unsigned long) conn);
1041 else
b62f328b 1042 setup_timer(&conn->info_timer, l2cap_info_timeout,
45054dc1
DY		 1043 (unsigned long) conn);
1044
2950f21a
MH		 1045 conn->disc_reason = 0x13;
1046
1da177e4
LT		 1047 return conn;
1048}
1049
48454079 1050static inline void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
1da177e4 1051{
baa7e1fa 1052 write_lock_bh(&conn->chan_lock);
48454079 1053 __l2cap_chan_add(conn, chan);
baa7e1fa 1054 write_unlock_bh(&conn->chan_lock);
1da177e4
LT		 1055}
1056
1da177e4 1057/* ---- Socket interface ---- */
1da177e4
LT		 1058
1059/* Find socket with psm and source bdaddr.
1060 * Returns closest match.
1061 */
23691d75 1062static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm, bdaddr_t *src)
1da177e4 1063{
23691d75 1064 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1065
23691d75 1066 read_lock(&chan_list_lock);
e0f0cb56 1067
23691d75
GP		 1068 list_for_each_entry(c, &chan_list, global_l) {
1069 struct sock *sk = c->sk;
fe4128e0 1070
89bc500e 1071 if (state && c->state != state)
1da177e4
LT		 1072 continue;
1073
23691d75 1074 if (c->psm == psm) {
1da177e4 1075 /* Exact match. */
23691d75 1076 if (!bacmp(&bt_sk(sk)->src, src)) {
a7567b20 1077 read_unlock(&chan_list_lock);
23691d75
GP		 1078 return c;
1079 }
1da177e4
LT		 1080
1081 /* Closest match */
1082 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
23691d75 1083 c1 = c;
1da177e4
LT		 1084 }
1085 }
1da177e4 1086
23691d75 1087 read_unlock(&chan_list_lock);
e0f0cb56 1088
23691d75 1089 return c1;
1da177e4
LT		 1090}
1091
77a74c7e 1092int l2cap_chan_connect(struct l2cap_chan *chan)
1da177e4 1093{
5d41ce1d 1094 struct sock *sk = chan->sk;
1da177e4
LT		 1095 bdaddr_t *src = &bt_sk(sk)->src;
1096 bdaddr_t *dst = &bt_sk(sk)->dst;
1097 struct l2cap_conn *conn;
1098 struct hci_conn *hcon;
1099 struct hci_dev *hdev;
09ab6f4c 1100 __u8 auth_type;
44d0e48e 1101 int err;
1da177e4 1102
f29972de 1103 BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
fe4128e0 1104 chan->psm);
1da177e4 1105
af05b30b
GP		 1106 hdev = hci_get_route(dst, src);
1107 if (!hdev)
1da177e4
LT		 1108 return -EHOSTUNREACH;
1109
1110 hci_dev_lock_bh(hdev);
1111
4343478f 1112 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1113
fe4128e0 1114 if (chan->dcid == L2CAP_CID_LE_DATA)
acd7d370 1115 hcon = hci_connect(hdev, LE_LINK, dst,
4343478f 1116 chan->sec_level, auth_type);
acd7d370
VT		 1117 else
1118 hcon = hci_connect(hdev, ACL_LINK, dst,
4343478f 1119 chan->sec_level, auth_type);
acd7d370 1120
30e76272
VT		 1121 if (IS_ERR(hcon)) {
1122 err = PTR_ERR(hcon);
1da177e4 1123 goto done;
30e76272 1124 }
1da177e4
LT		 1125
1126 conn = l2cap_conn_add(hcon, 0);
1127 if (!conn) {
1128 hci_conn_put(hcon);
30e76272 1129 err = -ENOMEM;
1da177e4
LT		 1130 goto done;
1131 }
1132
1da177e4
LT		 1133 /* Update source addr of the socket */
1134 bacpy(src, conn->src);
1135
48454079
GP		 1136 l2cap_chan_add(conn, chan);
1137
89bc500e 1138 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1139 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1140
1141 if (hcon->state == BT_CONNECTED) {
715ec005 1142 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1143 __clear_chan_timer(chan);
4343478f 1144 if (l2cap_check_security(chan))
89bc500e 1145 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1146 } else
fc7f8a7e 1147 l2cap_do_start(chan);
1da177e4
LT		 1148 }
1149
30e76272
VT		 1150 err = 0;
1151
1da177e4
LT		 1152done:
1153 hci_dev_unlock_bh(hdev);
1154 hci_dev_put(hdev);
1155 return err;
1156}
1157
dcba0dba 1158int __l2cap_wait_ack(struct sock *sk)
6161c038 1159{
8c1d787b 1160 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1161 DECLARE_WAITQUEUE(wait, current);
1162 int err = 0;
1163 int timeo = HZ/5;
1164
2b0b05dd 1165 add_wait_queue(sk_sleep(sk), &wait);
8c1d787b 1166 while ((chan->unacked_frames > 0 && chan->conn)) {
6161c038
GP		 1167 set_current_state(TASK_INTERRUPTIBLE);
1168
1169 if (!timeo)
1170 timeo = HZ/5;
1171
1172 if (signal_pending(current)) {
1173 err = sock_intr_errno(timeo);
1174 break;
1175 }
1176
1177 release_sock(sk);
1178 timeo = schedule_timeout(timeo);
1179 lock_sock(sk);
1180
1181 err = sock_error(sk);
1182 if (err)
1183 break;
1184 }
1185 set_current_state(TASK_RUNNING);
2b0b05dd 1186 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1187 return err;
1188}
1189
e90bac06
GP		 1190static void l2cap_monitor_timeout(unsigned long arg)
1191{
525cd185
GP		 1192 struct l2cap_chan *chan = (void *) arg;
1193 struct sock *sk = chan->sk;
e90bac06 1194
525cd185 1195 BT_DBG("chan %p", chan);
0e98958d 1196
e686219a 1197 bh_lock_sock(sk);
2c03a7a4 1198 if (chan->retry_count >= chan->remote_max_tx) {
8c1d787b 1199 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
b13f5860 1200 bh_unlock_sock(sk);
e90bac06
GP		 1201 return;
1202 }
1203
6a026610 1204 chan->retry_count++;
1a09bcb9 1205 __set_monitor_timer(chan);
e90bac06 1206
525cd185 1207 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
e686219a 1208 bh_unlock_sock(sk);
e90bac06
GP		 1209}
1210
1211static void l2cap_retrans_timeout(unsigned long arg)
1212{
525cd185
GP		 1213 struct l2cap_chan *chan = (void *) arg;
1214 struct sock *sk = chan->sk;
e90bac06 1215
49208c9c 1216 BT_DBG("chan %p", chan);
0e98958d 1217
e686219a 1218 bh_lock_sock(sk);
6a026610 1219 chan->retry_count = 1;
1a09bcb9 1220 __set_monitor_timer(chan);
e90bac06 1221
e2ab4353 1222 set_bit(CONN_WAIT_F, &chan->conn_state);
e90bac06 1223
525cd185 1224 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
e686219a 1225 bh_unlock_sock(sk);
e90bac06
GP		 1226}
1227
42e5c802 1228static void l2cap_drop_acked_frames(struct l2cap_chan *chan)
1da177e4 1229{
1c2acffb 1230 struct sk_buff *skb;
1da177e4 1231
58d35f87 1232 while ((skb = skb_peek(&chan->tx_q)) &&
6a026610 1233 chan->unacked_frames) {
42e5c802 1234 if (bt_cb(skb)->tx_seq == chan->expected_ack_seq)
1c2acffb 1235 break;
1da177e4 1236
58d35f87 1237 skb = skb_dequeue(&chan->tx_q);
1c2acffb 1238 kfree_skb(skb);
1da177e4 1239
6a026610 1240 chan->unacked_frames--;
1c2acffb 1241 }
1da177e4 1242
6a026610 1243 if (!chan->unacked_frames)
1a09bcb9 1244 __clear_retrans_timer(chan);
1c2acffb 1245}
1da177e4 1246
4343478f 1247void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
1c2acffb 1248{
8c1d787b 1249 struct hci_conn *hcon = chan->conn->hcon;
e702112f 1250 u16 flags;
1c2acffb 1251
4343478f 1252 BT_DBG("chan %p, skb %p len %d", chan, skb, skb->len);
1da177e4 1253
4343478f 1254 if (!chan->flushable && lmp_no_flush_capable(hcon->hdev))
e702112f
AE		 1255 flags = ACL_START_NO_FLUSH;
1256 else
1257 flags = ACL_START;
1258
14b12d0b 1259 bt_cb(skb)->force_active = chan->force_active;
e702112f 1260 hci_send_acl(hcon, skb, flags);
1c2acffb
GP		 1261}
1262
42e5c802 1263void l2cap_streaming_send(struct l2cap_chan *chan)
6840ed07 1264{
ccbb84af 1265 struct sk_buff *skb;
fcc203c3 1266 u16 control, fcs;
6840ed07 1267
58d35f87 1268 while ((skb = skb_dequeue(&chan->tx_q))) {
ccbb84af 1269 control = get_unaligned_le16(skb->data + L2CAP_HDR_SIZE);
42e5c802 1270 control |= chan->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT;
ccbb84af 1271 put_unaligned_le16(control, skb->data + L2CAP_HDR_SIZE);
6840ed07 1272
47d1ec61 1273 if (chan->fcs == L2CAP_FCS_CRC16) {
ccbb84af
GP		 1274 fcs = crc16(0, (u8 *)skb->data, skb->len - 2);
1275 put_unaligned_le16(fcs, skb->data + skb->len - 2);
fcc203c3
GP		 1276 }
1277
4343478f 1278 l2cap_do_send(chan, skb);
6840ed07 1279
42e5c802 1280 chan->next_tx_seq = (chan->next_tx_seq + 1) % 64;
6840ed07 1281 }
6840ed07
GP		 1282}
1283
525cd185 1284static void l2cap_retransmit_one_frame(struct l2cap_chan *chan, u8 tx_seq)
8f17154f 1285{
8f17154f
GP		 1286 struct sk_buff *skb, *tx_skb;
1287 u16 control, fcs;
8f17154f 1288
58d35f87 1289 skb = skb_peek(&chan->tx_q);
f11d676d
GP		 1290 if (!skb)
1291 return;
8f17154f 1292
f11d676d
GP		 1293 do {
1294 if (bt_cb(skb)->tx_seq == tx_seq)
8f17154f 1295 break;
8f17154f 1296
58d35f87 1297 if (skb_queue_is_last(&chan->tx_q, skb))
f11d676d 1298 return;
8f17154f 1299
58d35f87 1300 } while ((skb = skb_queue_next(&chan->tx_q, skb)));
8f17154f 1301
2c03a7a4
GP		 1302 if (chan->remote_max_tx &&
1303 bt_cb(skb)->retries == chan->remote_max_tx) {
8c1d787b 1304 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
f11d676d
GP		 1305 return;
1306 }
1307
1308 tx_skb = skb_clone(skb, GFP_ATOMIC);
1309 bt_cb(skb)->retries++;
1310 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
a429b519 1311 control &= L2CAP_CTRL_SAR;
3cb123d1 1312
e2ab4353 1313 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
3cb123d1 1314 control |= L2CAP_CTRL_FINAL;
95ffa978 1315
42e5c802 1316 control |= (chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
f11d676d 1317 | (tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
3cb123d1 1318
f11d676d
GP		 1319 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1320
47d1ec61 1321 if (chan->fcs == L2CAP_FCS_CRC16) {
f11d676d
GP		 1322 fcs = crc16(0, (u8 *)tx_skb->data, tx_skb->len - 2);
1323 put_unaligned_le16(fcs, tx_skb->data + tx_skb->len - 2);
1324 }
1325
4343478f 1326 l2cap_do_send(chan, tx_skb);
8f17154f
GP		 1327}
1328
525cd185 1329int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1330{
1331 struct sk_buff *skb, *tx_skb;
fcc203c3 1332 u16 control, fcs;
9a9c6a34 1333 int nsent = 0;
1c2acffb 1334
89bc500e 1335 if (chan->state != BT_CONNECTED)
c13ffa62 1336 return -ENOTCONN;
e90bac06 1337
58d35f87 1338 while ((skb = chan->tx_send_head) && (!l2cap_tx_window_full(chan))) {
1c2acffb 1339
2c03a7a4
GP		 1340 if (chan->remote_max_tx &&
1341 bt_cb(skb)->retries == chan->remote_max_tx) {
8c1d787b 1342 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
e90bac06
GP		 1343 break;
1344 }
1345
e420aba3
AE		 1346 tx_skb = skb_clone(skb, GFP_ATOMIC);
1347
e90bac06
GP		 1348 bt_cb(skb)->retries++;
1349
1c2acffb 1350 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
95ffa978
GP		 1351 control &= L2CAP_CTRL_SAR;
1352
e2ab4353 1353 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
d5392c8f 1354 control |= L2CAP_CTRL_FINAL;
e2ab4353 1355
42e5c802
GP		 1356 control |= (chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1357 | (chan->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
1c2acffb
GP		 1358 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1359
e90bac06 1360
47d1ec61 1361 if (chan->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 1362 fcs = crc16(0, (u8 *)skb->data, tx_skb->len - 2);
1363 put_unaligned_le16(fcs, skb->data + tx_skb->len - 2);
1364 }
1365
4343478f 1366 l2cap_do_send(chan, tx_skb);
9a9c6a34 1367
1a09bcb9 1368 __set_retrans_timer(chan);
1c2acffb 1369
42e5c802
GP		 1370 bt_cb(skb)->tx_seq = chan->next_tx_seq;
1371 chan->next_tx_seq = (chan->next_tx_seq + 1) % 64;
1c2acffb 1372
23e9fde2 1373 if (bt_cb(skb)->retries == 1)
6a026610 1374 chan->unacked_frames++;
23e9fde2 1375
6a026610 1376 chan->frames_sent++;
1c2acffb 1377
58d35f87
GP		 1378 if (skb_queue_is_last(&chan->tx_q, skb))
1379 chan->tx_send_head = NULL;
1c2acffb 1380 else
58d35f87 1381 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
9e917af1
GP		 1382
1383 nsent++;
1c2acffb
GP		 1384 }
1385
9e917af1
GP		 1386 return nsent;
1387}
1388
525cd185 1389static int l2cap_retransmit_frames(struct l2cap_chan *chan)
dfc909be 1390{
dfc909be
GP		 1391 int ret;
1392
58d35f87
GP		 1393 if (!skb_queue_empty(&chan->tx_q))
1394 chan->tx_send_head = chan->tx_q.next;
dfc909be 1395
42e5c802 1396 chan->next_tx_seq = chan->expected_ack_seq;
525cd185 1397 ret = l2cap_ertm_send(chan);
dfc909be
GP		 1398 return ret;
1399}
1400
525cd185 1401static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 1402{
9e917af1
GP		 1403 u16 control = 0;
1404
42e5c802 1405 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
9e917af1 1406
e2ab4353 1407 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
9e917af1 1408 control |= L2CAP_SUPER_RCV_NOT_READY;
e2ab4353 1409 set_bit(CONN_RNR_SENT, &chan->conn_state);
525cd185 1410 l2cap_send_sframe(chan, control);
9a9c6a34 1411 return;
9e917af1 1412 }
dfc909be 1413
525cd185 1414 if (l2cap_ertm_send(chan) > 0)
dfc909be
GP		 1415 return;
1416
1417 control |= L2CAP_SUPER_RCV_READY;
525cd185 1418 l2cap_send_sframe(chan, control);
1c2acffb
GP		 1419}
1420
525cd185 1421static void l2cap_send_srejtail(struct l2cap_chan *chan)
99b0d4b7
GP		 1422{
1423 struct srej_list *tail;
1424 u16 control;
1425
1426 control = L2CAP_SUPER_SELECT_REJECT;
1427 control |= L2CAP_CTRL_FINAL;
1428
39d5a3ee 1429 tail = list_entry((&chan->srej_l)->prev, struct srej_list, list);
99b0d4b7
GP		 1430 control |= tail->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1431
525cd185 1432 l2cap_send_sframe(chan, control);
99b0d4b7
GP		 1433}
1434
1c2acffb
GP		 1435static inline int l2cap_skbuff_fromiovec(struct sock *sk, struct msghdr *msg, int len, int count, struct sk_buff *skb)
1436{
8c1d787b 1437 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
1c2acffb
GP		 1438 struct sk_buff **frag;
1439 int err, sent = 0;
1da177e4 1440
59203a21 1441 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1442 return -EFAULT;
1da177e4
LT		 1443
1444 sent += count;
1445 len -= count;
1446
1447 /* Continuation fragments (no L2CAP header) */
1448 frag = &skb_shinfo(skb)->frag_list;
1449 while (len) {
1450 count = min_t(unsigned int, conn->mtu, len);
1451
1452 *frag = bt_skb_send_alloc(sk, count, msg->msg_flags & MSG_DONTWAIT, &err);
1453 if (!*frag)
0175d629 1454 return err;
1c2acffb
GP		 1455 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1456 return -EFAULT;
1da177e4
LT		 1457
1458 sent += count;
1459 len -= count;
1460
1461 frag = &(*frag)->next;
1462 }
1da177e4
LT		 1463
1464 return sent;
1c2acffb 1465}
1da177e4 1466
fe4128e0 1467struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1c2acffb 1468{
fe4128e0 1469 struct sock *sk = chan->sk;
8c1d787b 1470 struct l2cap_conn *conn = chan->conn;
1c2acffb
GP		 1471 struct sk_buff *skb;
1472 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1473 struct l2cap_hdr *lh;
1474
1475 BT_DBG("sk %p len %d", sk, (int)len);
1476
1477 count = min_t(unsigned int, (conn->mtu - hlen), len);
1478 skb = bt_skb_send_alloc(sk, count + hlen,
1479 msg->msg_flags & MSG_DONTWAIT, &err);
1480 if (!skb)
0175d629 1481 return ERR_PTR(err);
1c2acffb
GP		 1482
1483 /* Create L2CAP header */
1484 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1485 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 1486 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
fe4128e0 1487 put_unaligned_le16(chan->psm, skb_put(skb, 2));
1c2acffb
GP		 1488
1489 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1490 if (unlikely(err < 0)) {
1491 kfree_skb(skb);
1492 return ERR_PTR(err);
1493 }
1494 return skb;
1495}
1496
fe4128e0 1497struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1c2acffb 1498{
fe4128e0 1499 struct sock *sk = chan->sk;
8c1d787b 1500 struct l2cap_conn *conn = chan->conn;
1c2acffb
GP		 1501 struct sk_buff *skb;
1502 int err, count, hlen = L2CAP_HDR_SIZE;
1503 struct l2cap_hdr *lh;
1504
1505 BT_DBG("sk %p len %d", sk, (int)len);
1506
1507 count = min_t(unsigned int, (conn->mtu - hlen), len);
1508 skb = bt_skb_send_alloc(sk, count + hlen,
1509 msg->msg_flags & MSG_DONTWAIT, &err);
1510 if (!skb)
0175d629 1511 return ERR_PTR(err);
1c2acffb
GP		 1512
1513 /* Create L2CAP header */
1514 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1515 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb
GP		 1516 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1517
1518 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1519 if (unlikely(err < 0)) {
1520 kfree_skb(skb);
1521 return ERR_PTR(err);
1522 }
1523 return skb;
1524}
1525
47d1ec61 1526struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len, u16 control, u16 sdulen)
1c2acffb 1527{
47d1ec61 1528 struct sock *sk = chan->sk;
8c1d787b 1529 struct l2cap_conn *conn = chan->conn;
1c2acffb
GP		 1530 struct sk_buff *skb;
1531 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1532 struct l2cap_hdr *lh;
1533
1534 BT_DBG("sk %p len %d", sk, (int)len);
1535
0ee0d208
GP		 1536 if (!conn)
1537 return ERR_PTR(-ENOTCONN);
1538
c74e560c
GP		 1539 if (sdulen)
1540 hlen += 2;
1541
47d1ec61 1542 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3
GP		 1543 hlen += 2;
1544
1c2acffb
GP		 1545 count = min_t(unsigned int, (conn->mtu - hlen), len);
1546 skb = bt_skb_send_alloc(sk, count + hlen,
1547 msg->msg_flags & MSG_DONTWAIT, &err);
1548 if (!skb)
0175d629 1549 return ERR_PTR(err);
1c2acffb
GP		 1550
1551 /* Create L2CAP header */
1552 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1553 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb
GP		 1554 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1555 put_unaligned_le16(control, skb_put(skb, 2));
c74e560c
GP		 1556 if (sdulen)
1557 put_unaligned_le16(sdulen, skb_put(skb, 2));
1c2acffb
GP		 1558
1559 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1560 if (unlikely(err < 0)) {
1561 kfree_skb(skb);
1562 return ERR_PTR(err);
1563 }
e90bac06 1564
47d1ec61 1565 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3
GP		 1566 put_unaligned_le16(0, skb_put(skb, 2));
1567
e90bac06 1568 bt_cb(skb)->retries = 0;
1c2acffb 1569 return skb;
1da177e4
LT		 1570}
1571
2c03a7a4 1572int l2cap_sar_segment_sdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
c74e560c 1573{
c74e560c
GP		 1574 struct sk_buff *skb;
1575 struct sk_buff_head sar_queue;
1576 u16 control;
1577 size_t size = 0;
1578
ff12fd64 1579 skb_queue_head_init(&sar_queue);
c74e560c 1580 control = L2CAP_SDU_START;
47d1ec61 1581 skb = l2cap_create_iframe_pdu(chan, msg, chan->remote_mps, control, len);
c74e560c
GP		 1582 if (IS_ERR(skb))
1583 return PTR_ERR(skb);
1584
1585 __skb_queue_tail(&sar_queue, skb);
2c03a7a4
GP		 1586 len -= chan->remote_mps;
1587 size += chan->remote_mps;
c74e560c
GP		 1588
1589 while (len > 0) {
1590 size_t buflen;
1591
2c03a7a4 1592 if (len > chan->remote_mps) {
44651b85 1593 control = L2CAP_SDU_CONTINUE;
2c03a7a4 1594 buflen = chan->remote_mps;
c74e560c 1595 } else {
44651b85 1596 control = L2CAP_SDU_END;
c74e560c
GP		 1597 buflen = len;
1598 }
1599
47d1ec61 1600 skb = l2cap_create_iframe_pdu(chan, msg, buflen, control, 0);
c74e560c
GP		 1601 if (IS_ERR(skb)) {
1602 skb_queue_purge(&sar_queue);
1603 return PTR_ERR(skb);
1604 }
1605
1606 __skb_queue_tail(&sar_queue, skb);
1607 len -= buflen;
1608 size += buflen;
c74e560c 1609 }
58d35f87
GP		 1610 skb_queue_splice_tail(&sar_queue, &chan->tx_q);
1611 if (chan->tx_send_head == NULL)
1612 chan->tx_send_head = sar_queue.next;
c74e560c
GP		 1613
1614 return size;
1615}
1616
9a91a04a
GP		 1617int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1618{
9a91a04a
GP		 1619 struct sk_buff *skb;
1620 u16 control;
1621 int err;
1622
1623 /* Connectionless channel */
715ec005 1624 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
9a91a04a
GP		 1625 skb = l2cap_create_connless_pdu(chan, msg, len);
1626 if (IS_ERR(skb))
1627 return PTR_ERR(skb);
1628
1629 l2cap_do_send(chan, skb);
1630 return len;
1631 }
1632
1633 switch (chan->mode) {
1634 case L2CAP_MODE_BASIC:
1635 /* Check outgoing MTU */
1636 if (len > chan->omtu)
1637 return -EMSGSIZE;
1638
1639 /* Create a basic PDU */
1640 skb = l2cap_create_basic_pdu(chan, msg, len);
1641 if (IS_ERR(skb))
1642 return PTR_ERR(skb);
1643
1644 l2cap_do_send(chan, skb);
1645 err = len;
1646 break;
1647
1648 case L2CAP_MODE_ERTM:
1649 case L2CAP_MODE_STREAMING:
1650 /* Entire SDU fits into one PDU */
1651 if (len <= chan->remote_mps) {
1652 control = L2CAP_SDU_UNSEGMENTED;
1653 skb = l2cap_create_iframe_pdu(chan, msg, len, control,
1654 0);
1655 if (IS_ERR(skb))
1656 return PTR_ERR(skb);
1657
1658 __skb_queue_tail(&chan->tx_q, skb);
1659
1660 if (chan->tx_send_head == NULL)
1661 chan->tx_send_head = skb;
1662
1663 } else {
1664 /* Segment SDU into multiples PDUs */
1665 err = l2cap_sar_segment_sdu(chan, msg, len);
1666 if (err < 0)
1667 return err;
1668 }
1669
1670 if (chan->mode == L2CAP_MODE_STREAMING) {
1671 l2cap_streaming_send(chan);
1672 err = len;
1673 break;
1674 }
1675
e2ab4353
GP		 1676 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
1677 test_bit(CONN_WAIT_F, &chan->conn_state)) {
9a91a04a
GP		 1678 err = len;
1679 break;
1680 }
1681
1682 err = l2cap_ertm_send(chan);
1683 if (err >= 0)
1684 err = len;
1685
1686 break;
1687
1688 default:
1689 BT_DBG("bad state %1.1x", chan->mode);
1690 err = -EBADFD;
1691 }
1692
1693 return err;
1694}
1695
1da177e4
LT		 1696/* Copy frame to all raw sockets on that connection */
1697static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
1698{
1da177e4 1699 struct sk_buff *nskb;
48454079 1700 struct l2cap_chan *chan;
1da177e4
LT		 1701
1702 BT_DBG("conn %p", conn);
1703
baa7e1fa
GP		 1704 read_lock(&conn->chan_lock);
1705 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 1706 struct sock *sk = chan->sk;
715ec005 1707 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 1708 continue;
1709
1710 /* Don't send frame to the socket it came from */
1711 if (skb->sk == sk)
1712 continue;
af05b30b
GP		 1713 nskb = skb_clone(skb, GFP_ATOMIC);
1714 if (!nskb)
1da177e4
LT		 1715 continue;
1716
23070494 1717 if (chan->ops->recv(chan->data, nskb))
1da177e4
LT		 1718 kfree_skb(nskb);
1719 }
baa7e1fa 1720 read_unlock(&conn->chan_lock);
1da177e4
LT		 1721}
1722
1723/* ---- L2CAP signalling commands ---- */
1724static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
1725 u8 code, u8 ident, u16 dlen, void *data)
1726{
1727 struct sk_buff *skb, **frag;
1728 struct l2cap_cmd_hdr *cmd;
1729 struct l2cap_hdr *lh;
1730 int len, count;
1731
af05b30b
GP		 1732 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
1733 conn, code, ident, dlen);
1da177e4
LT		 1734
1735 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
1736 count = min_t(unsigned int, conn->mtu, len);
1737
1738 skb = bt_skb_alloc(count, GFP_ATOMIC);
1739 if (!skb)
1740 return NULL;
1741
1742 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 1743 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 1744
1745 if (conn->hcon->type == LE_LINK)
1746 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
1747 else
1748 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 1749
1750 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
1751 cmd->code = code;
1752 cmd->ident = ident;
aca3192c 1753 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 1754
1755 if (dlen) {
1756 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
1757 memcpy(skb_put(skb, count), data, count);
1758 data += count;
1759 }
1760
1761 len -= skb->len;
1762
1763 /* Continuation fragments (no L2CAP header) */
1764 frag = &skb_shinfo(skb)->frag_list;
1765 while (len) {
1766 count = min_t(unsigned int, conn->mtu, len);
1767
1768 *frag = bt_skb_alloc(count, GFP_ATOMIC);
1769 if (!*frag)
1770 goto fail;
1771
1772 memcpy(skb_put(*frag, count), data, count);
1773
1774 len -= count;
1775 data += count;
1776
1777 frag = &(*frag)->next;
1778 }
1779
1780 return skb;
1781
1782fail:
1783 kfree_skb(skb);
1784 return NULL;
1785}
1786
1787static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
1788{
1789 struct l2cap_conf_opt *opt = *ptr;
1790 int len;
1791
1792 len = L2CAP_CONF_OPT_SIZE + opt->len;
1793 *ptr += len;
1794
1795 *type = opt->type;
1796 *olen = opt->len;
1797
1798 switch (opt->len) {
1799 case 1:
1800 *val = *((u8 *) opt->val);
1801 break;
1802
1803 case 2:
bfaaeb3e 1804 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 1805 break;
1806
1807 case 4:
bfaaeb3e 1808 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 1809 break;
1810
1811 default:
1812 *val = (unsigned long) opt->val;
1813 break;
1814 }
1815
1816 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
1817 return len;
1818}
1819
1da177e4
LT		 1820static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
1821{
1822 struct l2cap_conf_opt *opt = *ptr;
1823
1824 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
1825
1826 opt->type = type;
1827 opt->len = len;
1828
1829 switch (len) {
1830 case 1:
1831 *((u8 *) opt->val) = val;
1832 break;
1833
1834 case 2:
4f8b691c 1835 put_unaligned_le16(val, opt->val);
1da177e4
LT		 1836 break;
1837
1838 case 4:
4f8b691c 1839 put_unaligned_le32(val, opt->val);
1da177e4
LT		 1840 break;
1841
1842 default:
1843 memcpy(opt->val, (void *) val, len);
1844 break;
1845 }
1846
1847 *ptr += L2CAP_CONF_OPT_SIZE + len;
1848}
1849
c1b4f43b
GP		 1850static void l2cap_ack_timeout(unsigned long arg)
1851{
525cd185 1852 struct l2cap_chan *chan = (void *) arg;
c1b4f43b 1853
525cd185
GP		 1854 bh_lock_sock(chan->sk);
1855 l2cap_send_ack(chan);
1856 bh_unlock_sock(chan->sk);
c1b4f43b
GP		 1857}
1858
525cd185 1859static inline void l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 1860{
525cd185
GP		 1861 struct sock *sk = chan->sk;
1862
42e5c802 1863 chan->expected_ack_seq = 0;
6a026610 1864 chan->unacked_frames = 0;
42e5c802 1865 chan->buffer_seq = 0;
6a026610
GP		 1866 chan->num_acked = 0;
1867 chan->frames_sent = 0;
0565c1c2 1868
e92c8e70
GP		 1869 setup_timer(&chan->retrans_timer, l2cap_retrans_timeout,
1870 (unsigned long) chan);
1871 setup_timer(&chan->monitor_timer, l2cap_monitor_timeout,
1872 (unsigned long) chan);
1873 setup_timer(&chan->ack_timer, l2cap_ack_timeout, (unsigned long) chan);
0565c1c2 1874
f1c6775b
GP		 1875 skb_queue_head_init(&chan->srej_q);
1876 skb_queue_head_init(&chan->busy_q);
1890d36b 1877
39d5a3ee
GP		 1878 INIT_LIST_HEAD(&chan->srej_l);
1879
311bb895 1880 INIT_WORK(&chan->busy_work, l2cap_busy_work);
218bb9df
GP		 1881
1882 sk->sk_backlog_rcv = l2cap_ertm_data_rcv;
0565c1c2
GP		 1883}
1884
f2fcfcd6
GP		 1885static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
1886{
1887 switch (mode) {
1888 case L2CAP_MODE_STREAMING:
1889 case L2CAP_MODE_ERTM:
1890 if (l2cap_mode_supported(mode, remote_feat_mask))
1891 return mode;
1892 /* fall through */
1893 default:
1894 return L2CAP_MODE_BASIC;
1895 }
1896}
1897
710f9b0a 1898static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 1899{
1da177e4 1900 struct l2cap_conf_req *req = data;
0c1bc5c6 1901 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4
LT		 1902 void *ptr = req->data;
1903
49208c9c 1904 BT_DBG("chan %p", chan);
1da177e4 1905
73ffa904 1906 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 1907 goto done;
1908
0c1bc5c6 1909 switch (chan->mode) {
f2fcfcd6
GP		 1910 case L2CAP_MODE_STREAMING:
1911 case L2CAP_MODE_ERTM:
c1360a1c 1912 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 1913 break;
85eb53c6 1914
2ba13ed6 1915 /* fall through */
f2fcfcd6 1916 default:
8c1d787b 1917 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 1918 break;
1919 }
1920
1921done:
0c1bc5c6
GP		 1922 if (chan->imtu != L2CAP_DEFAULT_MTU)
1923 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 1924
0c1bc5c6 1925 switch (chan->mode) {
65c7c491 1926 case L2CAP_MODE_BASIC:
8c1d787b
GP		 1927 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
1928 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 1929 break;
1930
62547752
GP		 1931 rfc.mode = L2CAP_MODE_BASIC;
1932 rfc.txwin_size = 0;
1933 rfc.max_transmit = 0;
1934 rfc.retrans_timeout = 0;
1935 rfc.monitor_timeout = 0;
1936 rfc.max_pdu_size = 0;
1937
63406504
GP		 1938 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
1939 (unsigned long) &rfc);
65c7c491
MH		 1940 break;
1941
1942 case L2CAP_MODE_ERTM:
1943 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61
GP		 1944 rfc.txwin_size = chan->tx_win;
1945 rfc.max_transmit = chan->max_tx;
f2fcfcd6
GP		 1946 rfc.retrans_timeout = 0;
1947 rfc.monitor_timeout = 0;
c74e560c 1948 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
8c1d787b
GP		 1949 if (L2CAP_DEFAULT_MAX_PDU_SIZE > chan->conn->mtu - 10)
1950 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
f2fcfcd6 1951
63406504
GP		 1952 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
1953 (unsigned long) &rfc);
1954
8c1d787b 1955 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 1956 break;
1957
47d1ec61 1958 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 1959 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 1960 chan->fcs = L2CAP_FCS_NONE;
1961 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 1962 }
f2fcfcd6
GP		 1963 break;
1964
1965 case L2CAP_MODE_STREAMING:
1966 rfc.mode = L2CAP_MODE_STREAMING;
1967 rfc.txwin_size = 0;
1968 rfc.max_transmit = 0;
1969 rfc.retrans_timeout = 0;
1970 rfc.monitor_timeout = 0;
c74e560c 1971 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
8c1d787b
GP		 1972 if (L2CAP_DEFAULT_MAX_PDU_SIZE > chan->conn->mtu - 10)
1973 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
65c7c491 1974
63406504
GP		 1975 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
1976 (unsigned long) &rfc);
1977
8c1d787b 1978 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 1979 break;
1980
47d1ec61 1981 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 1982 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 1983 chan->fcs = L2CAP_FCS_NONE;
1984 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 1985 }
65c7c491
MH		 1986 break;
1987 }
1da177e4 1988
fe4128e0 1989 req->dcid = cpu_to_le16(chan->dcid);
aca3192c 1990 req->flags = cpu_to_le16(0);
1da177e4
LT		 1991
1992 return ptr - data;
1993}
1994
73ffa904 1995static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 1996{
5dee9e7c
MH		 1997 struct l2cap_conf_rsp *rsp = data;
1998 void *ptr = rsp->data;
73ffa904
GP		 1999 void *req = chan->conf_req;
2000 int len = chan->conf_len;
5dee9e7c
MH		 2001 int type, hint, olen;
2002 unsigned long val;
6464f35f 2003 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
861d6882 2004 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 2005 u16 result = L2CAP_CONF_SUCCESS;
1da177e4 2006
73ffa904 2007 BT_DBG("chan %p", chan);
820ae1b8 2008
5dee9e7c
MH		 2009 while (len >= L2CAP_CONF_OPT_SIZE) {
2010 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 2011
589d2746 2012 hint = type & L2CAP_CONF_HINT;
47ec1dcd 2013 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 2014
2015 switch (type) {
2016 case L2CAP_CONF_MTU:
861d6882 2017 mtu = val;
5dee9e7c
MH		 2018 break;
2019
2020 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2021 chan->flush_to = val;
5dee9e7c
MH		 2022 break;
2023
2024 case L2CAP_CONF_QOS:
2025 break;
2026
6464f35f
MH		 2027 case L2CAP_CONF_RFC:
2028 if (olen == sizeof(rfc))
2029 memcpy(&rfc, (void *) val, olen);
2030 break;
2031
fcc203c3
GP		 2032 case L2CAP_CONF_FCS:
2033 if (val == L2CAP_FCS_NONE)
c1360a1c 2034 set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
fcc203c3
GP		 2035
2036 break;
2037
5dee9e7c
MH		 2038 default:
2039 if (hint)
2040 break;
2041
2042 result = L2CAP_CONF_UNKNOWN;
2043 *((u8 *) ptr++) = type;
2044 break;
2045 }
2046 }
2047
73ffa904 2048 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 2049 goto done;
2050
0c1bc5c6 2051 switch (chan->mode) {
f2fcfcd6
GP		 2052 case L2CAP_MODE_STREAMING:
2053 case L2CAP_MODE_ERTM:
c1360a1c 2054 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 2055 chan->mode = l2cap_select_mode(rfc.mode,
8c1d787b 2056 chan->conn->feat_mask);
85eb53c6
GP		 2057 break;
2058 }
2059
0c1bc5c6 2060 if (chan->mode != rfc.mode)
f2fcfcd6 2061 return -ECONNREFUSED;
742e519b 2062
f2fcfcd6 2063 break;
f2fcfcd6
GP		 2064 }
2065
2066done:
0c1bc5c6 2067 if (chan->mode != rfc.mode) {
f2fcfcd6 2068 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2069 rfc.mode = chan->mode;
f2fcfcd6 2070
73ffa904 2071 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 2072 return -ECONNREFUSED;
2073
2074 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2075 sizeof(rfc), (unsigned long) &rfc);
2076 }
2077
2078
5dee9e7c
MH		 2079 if (result == L2CAP_CONF_SUCCESS) {
2080 /* Configure output options and let the other side know
2081 * which ones we don't like. */
2082
f2fcfcd6
GP		 2083 if (mtu < L2CAP_DEFAULT_MIN_MTU)
2084 result = L2CAP_CONF_UNACCEPT;
2085 else {
0c1bc5c6 2086 chan->omtu = mtu;
c1360a1c 2087 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 2088 }
0c1bc5c6 2089 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 2090
f2fcfcd6
GP		 2091 switch (rfc.mode) {
2092 case L2CAP_MODE_BASIC:
47d1ec61 2093 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 2094 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 2095 break;
2096
2097 case L2CAP_MODE_ERTM:
2c03a7a4
GP		 2098 chan->remote_tx_win = rfc.txwin_size;
2099 chan->remote_max_tx = rfc.max_transmit;
86b1b263 2100
8c1d787b
GP		 2101 if (le16_to_cpu(rfc.max_pdu_size) > chan->conn->mtu - 10)
2102 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
1c762159 2103
2c03a7a4 2104 chan->remote_mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6 2105
10467e9e
GP		 2106 rfc.retrans_timeout =
2107 le16_to_cpu(L2CAP_DEFAULT_RETRANS_TO);
2108 rfc.monitor_timeout =
2109 le16_to_cpu(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6 2110
c1360a1c 2111 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 2112
2113 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2114 sizeof(rfc), (unsigned long) &rfc);
2115
f2fcfcd6
GP		 2116 break;
2117
2118 case L2CAP_MODE_STREAMING:
8c1d787b
GP		 2119 if (le16_to_cpu(rfc.max_pdu_size) > chan->conn->mtu - 10)
2120 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
1c762159 2121
2c03a7a4 2122 chan->remote_mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6 2123
c1360a1c 2124 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 2125
2126 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2127 sizeof(rfc), (unsigned long) &rfc);
2128
f2fcfcd6
GP		 2129 break;
2130
2131 default:
5dee9e7c 2132 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 2133
6464f35f 2134 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 2135 rfc.mode = chan->mode;
f2fcfcd6 2136 }
6464f35f 2137
f2fcfcd6 2138 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 2139 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 2140 }
fe4128e0 2141 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c
MH		 2142 rsp->result = cpu_to_le16(result);
2143 rsp->flags = cpu_to_le16(0x0000);
2144
2145 return ptr - data;
1da177e4
LT		 2146}
2147
b4450035 2148static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
f2fcfcd6 2149{
f2fcfcd6
GP		 2150 struct l2cap_conf_req *req = data;
2151 void *ptr = req->data;
2152 int type, olen;
2153 unsigned long val;
2154 struct l2cap_conf_rfc rfc;
2155
fe4128e0 2156 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 2157
2158 while (len >= L2CAP_CONF_OPT_SIZE) {
2159 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2160
2161 switch (type) {
2162 case L2CAP_CONF_MTU:
2163 if (val < L2CAP_DEFAULT_MIN_MTU) {
2164 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2165 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 2166 } else
0c1bc5c6
GP		 2167 chan->imtu = val;
2168 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 2169 break;
2170
2171 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2172 chan->flush_to = val;
f2fcfcd6 2173 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
0c1bc5c6 2174 2, chan->flush_to);
f2fcfcd6
GP		 2175 break;
2176
2177 case L2CAP_CONF_RFC:
2178 if (olen == sizeof(rfc))
2179 memcpy(&rfc, (void *)val, olen);
2180
c1360a1c 2181 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
0c1bc5c6 2182 rfc.mode != chan->mode)
f2fcfcd6
GP		 2183 return -ECONNREFUSED;
2184
47d1ec61 2185 chan->fcs = 0;
f2fcfcd6
GP		 2186
2187 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2188 sizeof(rfc), (unsigned long) &rfc);
2189 break;
2190 }
2191 }
2192
0c1bc5c6 2193 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 2194 return -ECONNREFUSED;
2195
0c1bc5c6 2196 chan->mode = rfc.mode;
6c2ea7a8 2197
f2fcfcd6
GP		 2198 if (*result == L2CAP_CONF_SUCCESS) {
2199 switch (rfc.mode) {
2200 case L2CAP_MODE_ERTM:
47d1ec61
GP		 2201 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2202 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2203 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2204 break;
2205 case L2CAP_MODE_STREAMING:
47d1ec61 2206 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2207 }
2208 }
2209
fe4128e0 2210 req->dcid = cpu_to_le16(chan->dcid);
f2fcfcd6
GP		 2211 req->flags = cpu_to_le16(0x0000);
2212
2213 return ptr - data;
2214}
2215
fe4128e0 2216static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
1da177e4
LT		 2217{
2218 struct l2cap_conf_rsp *rsp = data;
2219 void *ptr = rsp->data;
1da177e4 2220
fe4128e0 2221 BT_DBG("chan %p", chan);
1da177e4 2222
fe4128e0 2223 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 2224 rsp->result = cpu_to_le16(result);
aca3192c 2225 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 2226
2227 return ptr - data;
2228}
2229
8c1d787b 2230void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 2231{
2232 struct l2cap_conn_rsp rsp;
8c1d787b 2233 struct l2cap_conn *conn = chan->conn;
710f9b0a
GP		 2234 u8 buf[128];
2235
fe4128e0
GP		 2236 rsp.scid = cpu_to_le16(chan->dcid);
2237 rsp.dcid = cpu_to_le16(chan->scid);
710f9b0a
GP		 2238 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
2239 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
2240 l2cap_send_cmd(conn, chan->ident,
2241 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2242
c1360a1c 2243 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 2244 return;
2245
710f9b0a
GP		 2246 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2247 l2cap_build_conf_req(chan, buf), buf);
2248 chan->num_conf_req++;
2249}
2250
47d1ec61 2251static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 2252{
7b1c0049
GP		 2253 int type, olen;
2254 unsigned long val;
2255 struct l2cap_conf_rfc rfc;
2256
47d1ec61 2257 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 2258
0c1bc5c6 2259 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 2260 return;
2261
2262 while (len >= L2CAP_CONF_OPT_SIZE) {
2263 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2264
2265 switch (type) {
2266 case L2CAP_CONF_RFC:
2267 if (olen == sizeof(rfc))
2268 memcpy(&rfc, (void *)val, olen);
2269 goto done;
2270 }
2271 }
2272
2273done:
2274 switch (rfc.mode) {
2275 case L2CAP_MODE_ERTM:
47d1ec61
GP		 2276 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2277 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2278 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2279 break;
2280 case L2CAP_MODE_STREAMING:
47d1ec61 2281 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2282 }
2283}
2284
4e8402a3
MH		 2285static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2286{
2287 struct l2cap_cmd_rej *rej = (struct l2cap_cmd_rej *) data;
2288
2289 if (rej->reason != 0x0000)
2290 return 0;
2291
2292 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2293 cmd->ident == conn->info_ident) {
4e8402a3 2294 del_timer(&conn->info_timer);
984947dc
MH		 2295
2296 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2297 conn->info_ident = 0;
984947dc 2298
4e8402a3
MH		 2299 l2cap_conn_start(conn);
2300 }
2301
2302 return 0;
2303}
2304
1da177e4
LT		 2305static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2306{
1da177e4
LT		 2307 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
2308 struct l2cap_conn_rsp rsp;
23691d75 2309 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 2310 struct sock *parent, *sk = NULL;
e7c29cb1 2311 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2312
2313 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 2314 __le16 psm = req->psm;
1da177e4
LT		 2315
2316 BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
2317
2318 /* Check if we have socket listening on psm */
23691d75
GP		 2319 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src);
2320 if (!pchan) {
1da177e4
LT		 2321 result = L2CAP_CR_BAD_PSM;
2322 goto sendresp;
2323 }
2324
23691d75
GP		 2325 parent = pchan->sk;
2326
e0f0cb56
GP		 2327 bh_lock_sock(parent);
2328
e7c29cb1
MH		 2329 /* Check if the ACL is secure enough (if not SDP) */
2330 if (psm != cpu_to_le16(0x0001) &&
2331 !hci_conn_check_link_mode(conn->hcon)) {
2950f21a 2332 conn->disc_reason = 0x05;
e7c29cb1
MH		 2333 result = L2CAP_CR_SEC_BLOCK;
2334 goto response;
2335 }
2336
1da177e4
LT		 2337 result = L2CAP_CR_NO_MEM;
2338
2339 /* Check for backlog size */
2340 if (sk_acceptq_is_full(parent)) {
8e87d142 2341 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1da177e4
LT		 2342 goto response;
2343 }
2344
80808e43
GP		 2345 chan = pchan->ops->new_connection(pchan->data);
2346 if (!chan)
1da177e4
LT		 2347 goto response;
2348
80808e43
GP		 2349 sk = chan->sk;
2350
baa7e1fa 2351 write_lock_bh(&conn->chan_lock);
1da177e4
LT		 2352
2353 /* Check if we already have channel with that dcid */
baa7e1fa
GP		 2354 if (__l2cap_get_chan_by_dcid(conn, scid)) {
2355 write_unlock_bh(&conn->chan_lock);
1da177e4 2356 sock_set_flag(sk, SOCK_ZAPPED);
ba3bd0ee 2357 chan->ops->close(chan->data);
1da177e4
LT		 2358 goto response;
2359 }
2360
2361 hci_conn_hold(conn->hcon);
2362
1da177e4
LT		 2363 bacpy(&bt_sk(sk)->src, conn->src);
2364 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 2365 chan->psm = psm;
2366 chan->dcid = scid;
1da177e4 2367
d1010240
GP		 2368 bt_accept_enqueue(parent, sk);
2369
48454079
GP		 2370 __l2cap_chan_add(conn, chan);
2371
fe4128e0 2372 dcid = chan->scid;
1da177e4 2373
c9b66675 2374 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 2375
fc7f8a7e 2376 chan->ident = cmd->ident;
1da177e4 2377
984947dc 2378 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
4343478f 2379 if (l2cap_check_security(chan)) {
f66dc81f 2380 if (bt_sk(sk)->defer_setup) {
89bc500e 2381 l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 2382 result = L2CAP_CR_PEND;
2383 status = L2CAP_CS_AUTHOR_PEND;
2384 parent->sk_data_ready(parent, 0);
2385 } else {
89bc500e 2386 l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 2387 result = L2CAP_CR_SUCCESS;
2388 status = L2CAP_CS_NO_INFO;
2389 }
79d554a6 2390 } else {
89bc500e 2391 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 2392 result = L2CAP_CR_PEND;
2393 status = L2CAP_CS_AUTHEN_PEND;
2394 }
2395 } else {
89bc500e 2396 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 2397 result = L2CAP_CR_PEND;
2398 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2399 }
2400
baa7e1fa 2401 write_unlock_bh(&conn->chan_lock);
1da177e4
LT		 2402
2403response:
2404 bh_unlock_sock(parent);
2405
2406sendresp:
aca3192c
YH		 2407 rsp.scid = cpu_to_le16(scid);
2408 rsp.dcid = cpu_to_le16(dcid);
2409 rsp.result = cpu_to_le16(result);
2410 rsp.status = cpu_to_le16(status);
1da177e4 2411 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 2412
2413 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
2414 struct l2cap_info_req info;
2415 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2416
2417 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
2418 conn->info_ident = l2cap_get_ident(conn);
2419
2420 mod_timer(&conn->info_timer, jiffies +
2421 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
2422
2423 l2cap_send_cmd(conn, conn->info_ident,
2424 L2CAP_INFO_REQ, sizeof(info), &info);
2425 }
2426
c1360a1c 2427 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
e9aeb2dd
GP		 2428 result == L2CAP_CR_SUCCESS) {
2429 u8 buf[128];
c1360a1c 2430 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 2431 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2432 l2cap_build_conf_req(chan, buf), buf);
2433 chan->num_conf_req++;
e9aeb2dd
GP		 2434 }
2435
1da177e4
LT		 2436 return 0;
2437}
2438
2439static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2440{
2441 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
2442 u16 scid, dcid, result, status;
48454079 2443 struct l2cap_chan *chan;
1da177e4
LT		 2444 struct sock *sk;
2445 u8 req[128];
2446
2447 scid = __le16_to_cpu(rsp->scid);
2448 dcid = __le16_to_cpu(rsp->dcid);
2449 result = __le16_to_cpu(rsp->result);
2450 status = __le16_to_cpu(rsp->status);
2451
2452 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status);
2453
2454 if (scid) {
baa7e1fa 2455 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2456 if (!chan)
57d3b22b 2457 return -EFAULT;
1da177e4 2458 } else {
baa7e1fa 2459 chan = l2cap_get_chan_by_ident(conn, cmd->ident);
48454079 2460 if (!chan)
57d3b22b 2461 return -EFAULT;
1da177e4
LT		 2462 }
2463
48454079
GP		 2464 sk = chan->sk;
2465
1da177e4
LT		 2466 switch (result) {
2467 case L2CAP_CR_SUCCESS:
89bc500e 2468 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 2469 chan->ident = 0;
fe4128e0 2470 chan->dcid = dcid;
c1360a1c 2471 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 2472
c1360a1c 2473 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 2474 break;
2475
1da177e4 2476 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2477 l2cap_build_conf_req(chan, req), req);
2478 chan->num_conf_req++;
1da177e4
LT		 2479 break;
2480
2481 case L2CAP_CR_PEND:
c1360a1c 2482 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 2483 break;
2484
2485 default:
a49184c2
AE		 2486 /* don't delete l2cap channel if sk is owned by user */
2487 if (sock_owned_by_user(sk)) {
89bc500e 2488 l2cap_state_change(chan, BT_DISCONN);
c9b66675
GP		 2489 __clear_chan_timer(chan);
2490 __set_chan_timer(chan, HZ / 5);
a49184c2
AE		 2491 break;
2492 }
2493
48454079 2494 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 2495 break;
2496 }
2497
2498 bh_unlock_sock(sk);
2499 return 0;
2500}
2501
47d1ec61 2502static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 2503{
2504 /* FCS is enabled only in ERTM or streaming mode, if one or both
2505 * sides request it.
2506 */
0c1bc5c6 2507 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 2508 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 2509 else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
47d1ec61 2510 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 2511}
2512
88219a0f 2513static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 2514{
2515 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
2516 u16 dcid, flags;
2517 u8 rsp[64];
48454079 2518 struct l2cap_chan *chan;
1da177e4 2519 struct sock *sk;
5dee9e7c 2520 int len;
1da177e4
LT		 2521
2522 dcid = __le16_to_cpu(req->dcid);
2523 flags = __le16_to_cpu(req->flags);
2524
2525 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
2526
baa7e1fa 2527 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 2528 if (!chan)
1da177e4
LT		 2529 return -ENOENT;
2530
48454079
GP		 2531 sk = chan->sk;
2532
89bc500e 2533 if (chan->state != BT_CONFIG) {
df6bd743
GP		 2534 struct l2cap_cmd_rej rej;
2535
2536 rej.reason = cpu_to_le16(0x0002);
2537 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
2538 sizeof(rej), &rej);
354f60a9 2539 goto unlock;
df6bd743 2540 }
354f60a9 2541
5dee9e7c 2542 /* Reject if config buffer is too small. */
88219a0f 2543 len = cmd_len - sizeof(*req);
73ffa904 2544 if (chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 2545 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 2546 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c
MH		 2547 L2CAP_CONF_REJECT, flags), rsp);
2548 goto unlock;
2549 }
2550
2551 /* Store config. */
73ffa904
GP		 2552 memcpy(chan->conf_req + chan->conf_len, req->data, len);
2553 chan->conf_len += len;
1da177e4
LT		 2554
2555 if (flags & 0x0001) {
2556 /* Incomplete config. Send empty response. */
2557 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 2558 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c 2559 L2CAP_CONF_SUCCESS, 0x0001), rsp);
1da177e4
LT		 2560 goto unlock;
2561 }
2562
2563 /* Complete config. */
73ffa904 2564 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 2565 if (len < 0) {
e92c8e70 2566 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4 2567 goto unlock;
f2fcfcd6 2568 }
1da177e4 2569
5dee9e7c 2570 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 2571 chan->num_conf_rsp++;
5dee9e7c 2572
5dee9e7c 2573 /* Reset config buffer. */
73ffa904 2574 chan->conf_len = 0;
5dee9e7c 2575
c1360a1c 2576 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 2577 goto unlock;
2578
c1360a1c 2579 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 2580 set_default_fcs(chan);
fcc203c3 2581
89bc500e 2582 l2cap_state_change(chan, BT_CONNECTED);
e90bac06 2583
42e5c802
GP		 2584 chan->next_tx_seq = 0;
2585 chan->expected_tx_seq = 0;
58d35f87 2586 skb_queue_head_init(&chan->tx_q);
0c1bc5c6 2587 if (chan->mode == L2CAP_MODE_ERTM)
525cd185 2588 l2cap_ertm_init(chan);
0565c1c2 2589
1da177e4 2590 l2cap_chan_ready(sk);
876d9484
MH		 2591 goto unlock;
2592 }
2593
c1360a1c 2594 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 2595 u8 buf[64];
1da177e4 2596 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2597 l2cap_build_conf_req(chan, buf), buf);
2598 chan->num_conf_req++;
1da177e4
LT		 2599 }
2600
2601unlock:
2602 bh_unlock_sock(sk);
2603 return 0;
2604}
2605
2606static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2607{
2608 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
2609 u16 scid, flags, result;
48454079 2610 struct l2cap_chan *chan;
1da177e4 2611 struct sock *sk;
7b1c0049 2612 int len = cmd->len - sizeof(*rsp);
1da177e4
LT		 2613
2614 scid = __le16_to_cpu(rsp->scid);
2615 flags = __le16_to_cpu(rsp->flags);
2616 result = __le16_to_cpu(rsp->result);
2617
af05b30b
GP		 2618 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x",
2619 scid, flags, result);
1da177e4 2620
baa7e1fa 2621 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2622 if (!chan)
1da177e4
LT		 2623 return 0;
2624
48454079
GP		 2625 sk = chan->sk;
2626
1da177e4
LT		 2627 switch (result) {
2628 case L2CAP_CONF_SUCCESS:
47d1ec61 2629 l2cap_conf_rfc_get(chan, rsp->data, len);
1da177e4
LT		 2630 break;
2631
2632 case L2CAP_CONF_UNACCEPT:
73ffa904 2633 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 2634 char req[64];
2635
c2c77ec8 2636 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
e92c8e70 2637 l2cap_send_disconn_req(conn, chan, ECONNRESET);
c2c77ec8
AE		 2638 goto done;
2639 }
2640
f2fcfcd6
GP		 2641 /* throw out any old stored conf requests */
2642 result = L2CAP_CONF_SUCCESS;
b4450035
GP		 2643 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2644 req, &result);
f2fcfcd6 2645 if (len < 0) {
e92c8e70 2646 l2cap_send_disconn_req(conn, chan, ECONNRESET);
f2fcfcd6
GP		 2647 goto done;
2648 }
2649
2650 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2651 L2CAP_CONF_REQ, len, req);
73ffa904 2652 chan->num_conf_req++;
f2fcfcd6
GP		 2653 if (result != L2CAP_CONF_SUCCESS)
2654 goto done;
2655 break;
1da177e4
LT		 2656 }
2657
8e87d142 2658 default:
b1235d79 2659 sk->sk_err = ECONNRESET;
c9b66675 2660 __set_chan_timer(chan, HZ * 5);
e92c8e70 2661 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4
LT		 2662 goto done;
2663 }
2664
2665 if (flags & 0x01)
2666 goto done;
2667
c1360a1c 2668 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 2669
c1360a1c 2670 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 2671 set_default_fcs(chan);
fcc203c3 2672
89bc500e 2673 l2cap_state_change(chan, BT_CONNECTED);
42e5c802
GP		 2674 chan->next_tx_seq = 0;
2675 chan->expected_tx_seq = 0;
58d35f87 2676 skb_queue_head_init(&chan->tx_q);
0c1bc5c6 2677 if (chan->mode == L2CAP_MODE_ERTM)
525cd185 2678 l2cap_ertm_init(chan);
0565c1c2 2679
1da177e4
LT		 2680 l2cap_chan_ready(sk);
2681 }
2682
2683done:
2684 bh_unlock_sock(sk);
2685 return 0;
2686}
2687
2688static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2689{
2690 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
2691 struct l2cap_disconn_rsp rsp;
2692 u16 dcid, scid;
48454079 2693 struct l2cap_chan *chan;
1da177e4
LT		 2694 struct sock *sk;
2695
2696 scid = __le16_to_cpu(req->scid);
2697 dcid = __le16_to_cpu(req->dcid);
2698
2699 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
2700
baa7e1fa 2701 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 2702 if (!chan)
1da177e4
LT		 2703 return 0;
2704
48454079
GP		 2705 sk = chan->sk;
2706
fe4128e0
GP		 2707 rsp.dcid = cpu_to_le16(chan->scid);
2708 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 2709 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
2710
2711 sk->sk_shutdown = SHUTDOWN_MASK;
2712
a49184c2
AE		 2713 /* don't delete l2cap channel if sk is owned by user */
2714 if (sock_owned_by_user(sk)) {
89bc500e 2715 l2cap_state_change(chan, BT_DISCONN);
c9b66675
GP		 2716 __clear_chan_timer(chan);
2717 __set_chan_timer(chan, HZ / 5);
a49184c2
AE		 2718 bh_unlock_sock(sk);
2719 return 0;
2720 }
2721
48454079 2722 l2cap_chan_del(chan, ECONNRESET);
1da177e4
LT		 2723 bh_unlock_sock(sk);
2724
ba3bd0ee 2725 chan->ops->close(chan->data);
1da177e4
LT		 2726 return 0;
2727}
2728
2729static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2730{
2731 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
2732 u16 dcid, scid;
48454079 2733 struct l2cap_chan *chan;
1da177e4
LT		 2734 struct sock *sk;
2735
2736 scid = __le16_to_cpu(rsp->scid);
2737 dcid = __le16_to_cpu(rsp->dcid);
2738
2739 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
2740
baa7e1fa 2741 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2742 if (!chan)
1da177e4
LT		 2743 return 0;
2744
48454079
GP		 2745 sk = chan->sk;
2746
a49184c2
AE		 2747 /* don't delete l2cap channel if sk is owned by user */
2748 if (sock_owned_by_user(sk)) {
89bc500e 2749 l2cap_state_change(chan,BT_DISCONN);
c9b66675
GP		 2750 __clear_chan_timer(chan);
2751 __set_chan_timer(chan, HZ / 5);
a49184c2
AE		 2752 bh_unlock_sock(sk);
2753 return 0;
2754 }
2755
48454079 2756 l2cap_chan_del(chan, 0);
1da177e4
LT		 2757 bh_unlock_sock(sk);
2758
ba3bd0ee 2759 chan->ops->close(chan->data);
1da177e4
LT		 2760 return 0;
2761}
2762
2763static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2764{
2765 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 2766 u16 type;
2767
2768 type = __le16_to_cpu(req->type);
2769
2770 BT_DBG("type 0x%4.4x", type);
2771
f0709e03
MH		 2772 if (type == L2CAP_IT_FEAT_MASK) {
2773 u8 buf[8];
44dd46de 2774 u32 feat_mask = l2cap_feat_mask;
f0709e03
MH		 2775 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2776 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2777 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 2778 if (!disable_ertm)
fcc203c3
GP		 2779 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
2780 | L2CAP_FEAT_FCS;
1b7bf4ed 2781 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 2782 l2cap_send_cmd(conn, cmd->ident,
2783 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 2784 } else if (type == L2CAP_IT_FIXED_CHAN) {
2785 u8 buf[12];
2786 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2787 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2788 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
2789 memcpy(buf + 4, l2cap_fixed_chan, 8);
2790 l2cap_send_cmd(conn, cmd->ident,
2791 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 2792 } else {
2793 struct l2cap_info_rsp rsp;
2794 rsp.type = cpu_to_le16(type);
2795 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
2796 l2cap_send_cmd(conn, cmd->ident,
2797 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
2798 }
1da177e4
LT		 2799
2800 return 0;
2801}
2802
2803static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2804{
2805 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
2806 u16 type, result;
2807
2808 type = __le16_to_cpu(rsp->type);
2809 result = __le16_to_cpu(rsp->result);
2810
2811 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
2812
e90165be
AE		 2813 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
2814 if (cmd->ident != conn->info_ident ||
2815 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
2816 return 0;
2817
4e8402a3
MH		 2818 del_timer(&conn->info_timer);
2819
adb08ede
VT		 2820 if (result != L2CAP_IR_SUCCESS) {
2821 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2822 conn->info_ident = 0;
2823
2824 l2cap_conn_start(conn);
2825
2826 return 0;
2827 }
2828
984947dc 2829 if (type == L2CAP_IT_FEAT_MASK) {
83985319 2830 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 2831
47ec1dcd 2832 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c
MH		 2833 struct l2cap_info_req req;
2834 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2835
2836 conn->info_ident = l2cap_get_ident(conn);
2837
2838 l2cap_send_cmd(conn, conn->info_ident,
2839 L2CAP_INFO_REQ, sizeof(req), &req);
2840 } else {
2841 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2842 conn->info_ident = 0;
2843
2844 l2cap_conn_start(conn);
2845 }
2846 } else if (type == L2CAP_IT_FIXED_CHAN) {
984947dc 2847 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2848 conn->info_ident = 0;
984947dc
MH		 2849
2850 l2cap_conn_start(conn);
2851 }
4e8402a3 2852
1da177e4
LT		 2853 return 0;
2854}
2855
e2174ca4 2856static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
de73115a
CT		 2857 u16 to_multiplier)
2858{
2859 u16 max_latency;
2860
2861 if (min > max || min < 6 || max > 3200)
2862 return -EINVAL;
2863
2864 if (to_multiplier < 10 || to_multiplier > 3200)
2865 return -EINVAL;
2866
2867 if (max >= to_multiplier * 8)
2868 return -EINVAL;
2869
2870 max_latency = (to_multiplier * 8 / max) - 1;
2871 if (latency > 499 || latency > max_latency)
2872 return -EINVAL;
2873
2874 return 0;
2875}
2876
2877static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
2878 struct l2cap_cmd_hdr *cmd, u8 *data)
2879{
2880 struct hci_conn *hcon = conn->hcon;
2881 struct l2cap_conn_param_update_req *req;
2882 struct l2cap_conn_param_update_rsp rsp;
2883 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 2884 int err;
de73115a
CT		 2885
2886 if (!(hcon->link_mode & HCI_LM_MASTER))
2887 return -EINVAL;
2888
2889 cmd_len = __le16_to_cpu(cmd->len);
2890 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
2891 return -EPROTO;
2892
2893 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 2894 min = __le16_to_cpu(req->min);
2895 max = __le16_to_cpu(req->max);
de73115a
CT		 2896 latency = __le16_to_cpu(req->latency);
2897 to_multiplier = __le16_to_cpu(req->to_multiplier);
2898
2899 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
2900 min, max, latency, to_multiplier);
2901
2902 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 2903
2904 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
2905 if (err)
de73115a
CT		 2906 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
2907 else
2908 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
2909
2910 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
2911 sizeof(rsp), &rsp);
2912
2ce603eb
CT		 2913 if (!err)
2914 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
2915
de73115a
CT		 2916 return 0;
2917}
2918
3300d9a9
CT		 2919static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
2920 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
2921{
2922 int err = 0;
2923
2924 switch (cmd->code) {
2925 case L2CAP_COMMAND_REJ:
2926 l2cap_command_rej(conn, cmd, data);
2927 break;
2928
2929 case L2CAP_CONN_REQ:
2930 err = l2cap_connect_req(conn, cmd, data);
2931 break;
2932
2933 case L2CAP_CONN_RSP:
2934 err = l2cap_connect_rsp(conn, cmd, data);
2935 break;
2936
2937 case L2CAP_CONF_REQ:
2938 err = l2cap_config_req(conn, cmd, cmd_len, data);
2939 break;
2940
2941 case L2CAP_CONF_RSP:
2942 err = l2cap_config_rsp(conn, cmd, data);
2943 break;
2944
2945 case L2CAP_DISCONN_REQ:
2946 err = l2cap_disconnect_req(conn, cmd, data);
2947 break;
2948
2949 case L2CAP_DISCONN_RSP:
2950 err = l2cap_disconnect_rsp(conn, cmd, data);
2951 break;
2952
2953 case L2CAP_ECHO_REQ:
2954 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
2955 break;
2956
2957 case L2CAP_ECHO_RSP:
2958 break;
2959
2960 case L2CAP_INFO_REQ:
2961 err = l2cap_information_req(conn, cmd, data);
2962 break;
2963
2964 case L2CAP_INFO_RSP:
2965 err = l2cap_information_rsp(conn, cmd, data);
2966 break;
2967
2968 default:
2969 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
2970 err = -EINVAL;
2971 break;
2972 }
2973
2974 return err;
2975}
2976
2977static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
2978 struct l2cap_cmd_hdr *cmd, u8 *data)
2979{
2980 switch (cmd->code) {
2981 case L2CAP_COMMAND_REJ:
2982 return 0;
2983
2984 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 2985 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 2986
2987 case L2CAP_CONN_PARAM_UPDATE_RSP:
2988 return 0;
2989
2990 default:
2991 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
2992 return -EINVAL;
2993 }
2994}
2995
2996static inline void l2cap_sig_channel(struct l2cap_conn *conn,
2997 struct sk_buff *skb)
1da177e4
LT		 2998{
2999 u8 *data = skb->data;
3000 int len = skb->len;
3001 struct l2cap_cmd_hdr cmd;
3300d9a9 3002 int err;
1da177e4
LT		 3003
3004 l2cap_raw_recv(conn, skb);
3005
3006 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 3007 u16 cmd_len;
1da177e4
LT		 3008 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
3009 data += L2CAP_CMD_HDR_SIZE;
3010 len -= L2CAP_CMD_HDR_SIZE;
3011
88219a0f 3012 cmd_len = le16_to_cpu(cmd.len);
1da177e4 3013
88219a0f 3014 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 3015
88219a0f 3016 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 3017 BT_DBG("corrupted command");
3018 break;
3019 }
3020
3300d9a9
CT		 3021 if (conn->hcon->type == LE_LINK)
3022 err = l2cap_le_sig_cmd(conn, &cmd, data);
3023 else
3024 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 3025
3026 if (err) {
3027 struct l2cap_cmd_rej rej;
2c6d1a2e
GP		 3028
3029 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 3030
3031 /* FIXME: Map err to a valid reason */
aca3192c 3032 rej.reason = cpu_to_le16(0);
1da177e4
LT		 3033 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3034 }
3035
88219a0f
AV		 3036 data += cmd_len;
3037 len -= cmd_len;
1da177e4
LT		 3038 }
3039
3040 kfree_skb(skb);
3041}
3042
47d1ec61 3043static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 3044{
3045 u16 our_fcs, rcv_fcs;
3046 int hdr_size = L2CAP_HDR_SIZE + 2;
3047
47d1ec61 3048 if (chan->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 3049 skb_trim(skb, skb->len - 2);
3050 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
3051 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
3052
3053 if (our_fcs != rcv_fcs)
7a560e5c 3054 return -EBADMSG;
fcc203c3
GP		 3055 }
3056 return 0;
3057}
3058
525cd185 3059static inline void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 3060{
d5392c8f
GP		 3061 u16 control = 0;
3062
6a026610 3063 chan->frames_sent = 0;
d5392c8f 3064
42e5c802 3065 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
d5392c8f 3066
e2ab4353 3067 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
64988868 3068 control |= L2CAP_SUPER_RCV_NOT_READY;
525cd185 3069 l2cap_send_sframe(chan, control);
e2ab4353 3070 set_bit(CONN_RNR_SENT, &chan->conn_state);
d5392c8f
GP		 3071 }
3072
e2ab4353 3073 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
525cd185 3074 l2cap_retransmit_frames(chan);
d5392c8f 3075
525cd185 3076 l2cap_ertm_send(chan);
d5392c8f 3077
e2ab4353 3078 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
6a026610 3079 chan->frames_sent == 0) {
d5392c8f 3080 control |= L2CAP_SUPER_RCV_READY;
525cd185 3081 l2cap_send_sframe(chan, control);
d5392c8f
GP		 3082 }
3083}
3084
42e5c802 3085static int l2cap_add_to_srej_queue(struct l2cap_chan *chan, struct sk_buff *skb, u8 tx_seq, u8 sar)
8f17154f
GP		 3086{
3087 struct sk_buff *next_skb;
bfbacc11 3088 int tx_seq_offset, next_tx_seq_offset;
8f17154f
GP		 3089
3090 bt_cb(skb)->tx_seq = tx_seq;
3091 bt_cb(skb)->sar = sar;
3092
f1c6775b 3093 next_skb = skb_peek(&chan->srej_q);
8f17154f 3094 if (!next_skb) {
f1c6775b 3095 __skb_queue_tail(&chan->srej_q, skb);
9b53350d 3096 return 0;
8f17154f
GP		 3097 }
3098
42e5c802 3099 tx_seq_offset = (tx_seq - chan->buffer_seq) % 64;
bfbacc11
JPRV		 3100 if (tx_seq_offset < 0)
3101 tx_seq_offset += 64;
3102
8f17154f 3103 do {
9b53350d
JPRV		 3104 if (bt_cb(next_skb)->tx_seq == tx_seq)
3105 return -EINVAL;
3106
bfbacc11 3107 next_tx_seq_offset = (bt_cb(next_skb)->tx_seq -
42e5c802 3108 chan->buffer_seq) % 64;
bfbacc11
JPRV		 3109 if (next_tx_seq_offset < 0)
3110 next_tx_seq_offset += 64;
3111
3112 if (next_tx_seq_offset > tx_seq_offset) {
f1c6775b 3113 __skb_queue_before(&chan->srej_q, next_skb, skb);
9b53350d 3114 return 0;
8f17154f
GP		 3115 }
3116
f1c6775b 3117 if (skb_queue_is_last(&chan->srej_q, next_skb))
8f17154f
GP		 3118 break;
3119
f1c6775b 3120 } while ((next_skb = skb_queue_next(&chan->srej_q, next_skb)));
8f17154f 3121
f1c6775b 3122 __skb_queue_tail(&chan->srej_q, skb);
9b53350d
JPRV		 3123
3124 return 0;
8f17154f
GP		 3125}
3126
525cd185 3127static int l2cap_ertm_reassembly_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u16 control)
18778a63 3128{
18778a63 3129 struct sk_buff *_skb;
1890d36b 3130 int err;
18778a63
GP		 3131
3132 switch (control & L2CAP_CTRL_SAR) {
3133 case L2CAP_SDU_UNSEGMENTED:
e2ab4353 3134 if (test_bit(CONN_SAR_SDU, &chan->conn_state))
18778a63
GP		 3135 goto drop;
3136
23070494 3137 return chan->ops->recv(chan->data, skb);
18778a63
GP		 3138
3139 case L2CAP_SDU_START:
e2ab4353 3140 if (test_bit(CONN_SAR_SDU, &chan->conn_state))
18778a63
GP		 3141 goto drop;
3142
6f61fd47 3143 chan->sdu_len = get_unaligned_le16(skb->data);
18778a63 3144
0c1bc5c6 3145 if (chan->sdu_len > chan->imtu)
18778a63
GP		 3146 goto disconnect;
3147
6f61fd47
GP		 3148 chan->sdu = bt_skb_alloc(chan->sdu_len, GFP_ATOMIC);
3149 if (!chan->sdu)
1890d36b
GP		 3150 return -ENOMEM;
3151
3152 /* pull sdu_len bytes only after alloc, because of Local Busy
3153 * condition we have to be sure that this will be executed
3154 * only once, i.e., when alloc does not fail */
3155 skb_pull(skb, 2);
18778a63 3156
6f61fd47 3157 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
18778a63 3158
e2ab4353 3159 set_bit(CONN_SAR_SDU, &chan->conn_state);
6f61fd47 3160 chan->partial_sdu_len = skb->len;
18778a63
GP		 3161 break;
3162
3163 case L2CAP_SDU_CONTINUE:
e2ab4353 3164 if (!test_bit(CONN_SAR_SDU, &chan->conn_state))
18778a63
GP		 3165 goto disconnect;
3166
6f61fd47 3167 if (!chan->sdu)
18778a63
GP		 3168 goto disconnect;
3169
6f61fd47
GP		 3170 chan->partial_sdu_len += skb->len;
3171 if (chan->partial_sdu_len > chan->sdu_len)
18778a63
GP		 3172 goto drop;
3173
6f61fd47 3174 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
4178ba46 3175
18778a63
GP		 3176 break;
3177
3178 case L2CAP_SDU_END:
e2ab4353 3179 if (!test_bit(CONN_SAR_SDU, &chan->conn_state))
18778a63
GP		 3180 goto disconnect;
3181
6f61fd47 3182 if (!chan->sdu)
18778a63
GP		 3183 goto disconnect;
3184
e2ab4353 3185 if (!test_bit(CONN_SAR_RETRY, &chan->conn_state)) {
6f61fd47 3186 chan->partial_sdu_len += skb->len;
18778a63 3187
0c1bc5c6 3188 if (chan->partial_sdu_len > chan->imtu)
1890d36b 3189 goto drop;
18778a63 3190
6f61fd47 3191 if (chan->partial_sdu_len != chan->sdu_len)
1890d36b 3192 goto drop;
4178ba46 3193
6f61fd47 3194 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
1890d36b 3195 }
18778a63 3196
6f61fd47 3197 _skb = skb_clone(chan->sdu, GFP_ATOMIC);
1890d36b 3198 if (!_skb) {
e2ab4353 3199 set_bit(CONN_SAR_RETRY, &chan->conn_state);
1890d36b
GP		 3200 return -ENOMEM;
3201 }
3202
23070494 3203 err = chan->ops->recv(chan->data, _skb);
1890d36b 3204 if (err < 0) {
18778a63 3205 kfree_skb(_skb);
e2ab4353 3206 set_bit(CONN_SAR_RETRY, &chan->conn_state);
1890d36b
GP		 3207 return err;
3208 }
3209
e2ab4353
GP		 3210 clear_bit(CONN_SAR_RETRY, &chan->conn_state);
3211 clear_bit(CONN_SAR_SDU, &chan->conn_state);
18778a63 3212
6f61fd47 3213 kfree_skb(chan->sdu);
18778a63
GP		 3214 break;
3215 }
3216
3217 kfree_skb(skb);
1890d36b 3218 return 0;
18778a63
GP		 3219
3220drop:
6f61fd47
GP		 3221 kfree_skb(chan->sdu);
3222 chan->sdu = NULL;
18778a63
GP		 3223
3224disconnect:
8c1d787b 3225 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
18778a63
GP		 3226 kfree_skb(skb);
3227 return 0;
3228}
3229
525cd185 3230static int l2cap_try_push_rx_skb(struct l2cap_chan *chan)
712132eb 3231{
712132eb
GP		 3232 struct sk_buff *skb;
3233 u16 control;
3234 int err;
3235
f1c6775b 3236 while ((skb = skb_dequeue(&chan->busy_q))) {
712132eb 3237 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
525cd185 3238 err = l2cap_ertm_reassembly_sdu(chan, skb, control);
712132eb 3239 if (err < 0) {
f1c6775b 3240 skb_queue_head(&chan->busy_q, skb);
712132eb
GP		 3241 return -EBUSY;
3242 }
3243
42e5c802 3244 chan->buffer_seq = (chan->buffer_seq + 1) % 64;
712132eb
GP		 3245 }
3246
e2ab4353 3247 if (!test_bit(CONN_RNR_SENT, &chan->conn_state))
712132eb
GP		 3248 goto done;
3249
42e5c802 3250 control = chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
712132eb 3251 control |= L2CAP_SUPER_RCV_READY | L2CAP_CTRL_POLL;
525cd185 3252 l2cap_send_sframe(chan, control);
6a026610 3253 chan->retry_count = 1;
712132eb 3254
1a09bcb9
GP		 3255 __clear_retrans_timer(chan);
3256 __set_monitor_timer(chan);
712132eb 3257
e2ab4353 3258 set_bit(CONN_WAIT_F, &chan->conn_state);
712132eb
GP		 3259
3260done:
e2ab4353
GP		 3261 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
3262 clear_bit(CONN_RNR_SENT, &chan->conn_state);
712132eb 3263
49208c9c 3264 BT_DBG("chan %p, Exit local busy", chan);
712132eb
GP		 3265
3266 return 0;
3267}
3268
1890d36b
GP		 3269static void l2cap_busy_work(struct work_struct *work)
3270{
3271 DECLARE_WAITQUEUE(wait, current);
311bb895
GP		 3272 struct l2cap_chan *chan =
3273 container_of(work, struct l2cap_chan, busy_work);
3274 struct sock *sk = chan->sk;
1890d36b
GP		 3275 int n_tries = 0, timeo = HZ/5, err;
3276 struct sk_buff *skb;
1890d36b
GP		 3277
3278 lock_sock(sk);
3279
2b0b05dd 3280 add_wait_queue(sk_sleep(sk), &wait);
311bb895 3281 while ((skb = skb_peek(&chan->busy_q))) {
1890d36b
GP		 3282 set_current_state(TASK_INTERRUPTIBLE);
3283
3284 if (n_tries++ > L2CAP_LOCAL_BUSY_TRIES) {
3285 err = -EBUSY;
8c1d787b 3286 l2cap_send_disconn_req(chan->conn, chan, EBUSY);
712132eb 3287 break;
1890d36b
GP		 3288 }
3289
3290 if (!timeo)
3291 timeo = HZ/5;
3292
3293 if (signal_pending(current)) {
3294 err = sock_intr_errno(timeo);
712132eb 3295 break;
1890d36b
GP		 3296 }
3297
3298 release_sock(sk);
3299 timeo = schedule_timeout(timeo);
3300 lock_sock(sk);
3301
3302 err = sock_error(sk);
3303 if (err)
712132eb 3304 break;
1890d36b 3305
311bb895 3306 if (l2cap_try_push_rx_skb(chan) == 0)
1890d36b
GP		 3307 break;
3308 }
3309
1890d36b 3310 set_current_state(TASK_RUNNING);
2b0b05dd 3311 remove_wait_queue(sk_sleep(sk), &wait);
1890d36b
GP		 3312
3313 release_sock(sk);
3314}
3315
525cd185 3316static int l2cap_push_rx_skb(struct l2cap_chan *chan, struct sk_buff *skb, u16 control)
1890d36b 3317{
1890d36b
GP		 3318 int sctrl, err;
3319
e2ab4353 3320 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
1890d36b 3321 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
f1c6775b 3322 __skb_queue_tail(&chan->busy_q, skb);
525cd185 3323 return l2cap_try_push_rx_skb(chan);
712132eb
GP		 3324
3325
1890d36b
GP		 3326 }
3327
525cd185 3328 err = l2cap_ertm_reassembly_sdu(chan, skb, control);
1890d36b 3329 if (err >= 0) {
42e5c802 3330 chan->buffer_seq = (chan->buffer_seq + 1) % 64;
1890d36b
GP		 3331 return err;
3332 }
3333
3334 /* Busy Condition */
311bb895 3335 BT_DBG("chan %p, Enter local busy", chan);
0e98958d 3336
e2ab4353 3337 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
1890d36b 3338 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
f1c6775b 3339 __skb_queue_tail(&chan->busy_q, skb);
1890d36b 3340
42e5c802 3341 sctrl = chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1890d36b 3342 sctrl |= L2CAP_SUPER_RCV_NOT_READY;
525cd185 3343 l2cap_send_sframe(chan, sctrl);
1890d36b 3344
e2ab4353 3345 set_bit(CONN_RNR_SENT, &chan->conn_state);
1890d36b 3346
1a09bcb9 3347 __clear_ack_timer(chan);
7fe9b298 3348
311bb895 3349 queue_work(_busy_wq, &chan->busy_work);
1890d36b
GP		 3350
3351 return err;
3352}
3353
525cd185 3354static int l2cap_streaming_reassembly_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u16 control)
c74e560c 3355{
c74e560c
GP		 3356 struct sk_buff *_skb;
3357 int err = -EINVAL;
3358
18778a63
GP		 3359 /*
3360 * TODO: We have to notify the userland if some data is lost with the
3361 * Streaming Mode.
3362 */
3363
c74e560c
GP		 3364 switch (control & L2CAP_CTRL_SAR) {
3365 case L2CAP_SDU_UNSEGMENTED:
e2ab4353 3366 if (test_bit(CONN_SAR_SDU, &chan->conn_state)) {
6f61fd47 3367 kfree_skb(chan->sdu);
c74e560c
GP		 3368 break;
3369 }
3370
23070494 3371 err = chan->ops->recv(chan->data, skb);
c74e560c
GP		 3372 if (!err)
3373 return 0;
3374
3375 break;
3376
3377 case L2CAP_SDU_START:
e2ab4353 3378 if (test_bit(CONN_SAR_SDU, &chan->conn_state)) {
6f61fd47 3379 kfree_skb(chan->sdu);
c74e560c
GP		 3380 break;
3381 }
3382
6f61fd47 3383 chan->sdu_len = get_unaligned_le16(skb->data);
c74e560c
GP		 3384 skb_pull(skb, 2);
3385
0c1bc5c6 3386 if (chan->sdu_len > chan->imtu) {
052897ca
GP		 3387 err = -EMSGSIZE;
3388 break;
3389 }
3390
6f61fd47
GP		 3391 chan->sdu = bt_skb_alloc(chan->sdu_len, GFP_ATOMIC);
3392 if (!chan->sdu) {
c74e560c
GP		 3393 err = -ENOMEM;
3394 break;
3395 }
3396
6f61fd47 3397 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
c74e560c 3398
e2ab4353 3399 set_bit(CONN_SAR_SDU, &chan->conn_state);
6f61fd47 3400 chan->partial_sdu_len = skb->len;
c74e560c
GP		 3401 err = 0;
3402 break;
3403
3404 case L2CAP_SDU_CONTINUE:
e2ab4353 3405 if (!test_bit(CONN_SAR_SDU, &chan->conn_state))
c74e560c
GP		 3406 break;
3407
6f61fd47 3408 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
c74e560c 3409
6f61fd47
GP		 3410 chan->partial_sdu_len += skb->len;
3411 if (chan->partial_sdu_len > chan->sdu_len)
3412 kfree_skb(chan->sdu);
c74e560c
GP		 3413 else
3414 err = 0;
3415
3416 break;
3417
3418 case L2CAP_SDU_END:
e2ab4353 3419 if (!test_bit(CONN_SAR_SDU, &chan->conn_state))
c74e560c
GP		 3420 break;
3421
6f61fd47 3422 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
c74e560c 3423
e2ab4353 3424 clear_bit(CONN_SAR_SDU, &chan->conn_state);
6f61fd47 3425 chan->partial_sdu_len += skb->len;
c74e560c 3426
0c1bc5c6 3427 if (chan->partial_sdu_len > chan->imtu)
36f2fd58
GP		 3428 goto drop;
3429
6f61fd47
GP		 3430 if (chan->partial_sdu_len == chan->sdu_len) {
3431 _skb = skb_clone(chan->sdu, GFP_ATOMIC);
23070494 3432 err = chan->ops->recv(chan->data, _skb);
c74e560c
GP		 3433 if (err < 0)
3434 kfree_skb(_skb);
3435 }
c74e560c
GP		 3436 err = 0;
3437
36f2fd58 3438drop:
6f61fd47 3439 kfree_skb(chan->sdu);
c74e560c
GP		 3440 break;
3441 }
3442
3443 kfree_skb(skb);
3444 return err;
3445}
3446
525cd185 3447static void l2cap_check_srej_gap(struct l2cap_chan *chan, u8 tx_seq)
8f17154f
GP		 3448{
3449 struct sk_buff *skb;
afefdbc4 3450 u16 control;
8f17154f 3451
f1c6775b 3452 while ((skb = skb_peek(&chan->srej_q))) {
8f17154f
GP		 3453 if (bt_cb(skb)->tx_seq != tx_seq)
3454 break;
3455
f1c6775b 3456 skb = skb_dequeue(&chan->srej_q);
afefdbc4 3457 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
525cd185 3458 l2cap_ertm_reassembly_sdu(chan, skb, control);
42e5c802
GP		 3459 chan->buffer_seq_srej =
3460 (chan->buffer_seq_srej + 1) % 64;
8ff50ec0 3461 tx_seq = (tx_seq + 1) % 64;
8f17154f
GP		 3462 }
3463}
3464
525cd185 3465static void l2cap_resend_srejframe(struct l2cap_chan *chan, u8 tx_seq)
8f17154f 3466{
8f17154f
GP		 3467 struct srej_list *l, *tmp;
3468 u16 control;
3469
39d5a3ee 3470 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
8f17154f
GP		 3471 if (l->tx_seq == tx_seq) {
3472 list_del(&l->list);
3473 kfree(l);
3474 return;
3475 }
3476 control = L2CAP_SUPER_SELECT_REJECT;
3477 control |= l->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
525cd185 3478 l2cap_send_sframe(chan, control);
8f17154f 3479 list_del(&l->list);
39d5a3ee 3480 list_add_tail(&l->list, &chan->srej_l);
8f17154f
GP		 3481 }
3482}
3483
525cd185 3484static void l2cap_send_srejframe(struct l2cap_chan *chan, u8 tx_seq)
8f17154f 3485{
8f17154f
GP		 3486 struct srej_list *new;
3487 u16 control;
3488
42e5c802 3489 while (tx_seq != chan->expected_tx_seq) {
8f17154f 3490 control = L2CAP_SUPER_SELECT_REJECT;
42e5c802 3491 control |= chan->expected_tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
525cd185 3492 l2cap_send_sframe(chan, control);
8f17154f
GP		 3493
3494 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
42e5c802
GP		 3495 new->tx_seq = chan->expected_tx_seq;
3496 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
39d5a3ee 3497 list_add_tail(&new->list, &chan->srej_l);
8f17154f 3498 }
42e5c802 3499 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
8f17154f
GP		 3500}
3501
525cd185 3502static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u16 rx_control, struct sk_buff *skb)
1c2acffb 3503{
1c2acffb 3504 u8 tx_seq = __get_txseq(rx_control);
9f121a5a 3505 u8 req_seq = __get_reqseq(rx_control);
8f17154f 3506 u8 sar = rx_control >> L2CAP_CTRL_SAR_SHIFT;
f6337c77 3507 int tx_seq_offset, expected_tx_seq_offset;
47d1ec61 3508 int num_to_ack = (chan->tx_win/6) + 1;
1c2acffb
GP		 3509 int err = 0;
3510
525cd185
GP		 3511 BT_DBG("chan %p len %d tx_seq %d rx_control 0x%4.4x", chan, skb->len,
3512 tx_seq, rx_control);
1c2acffb 3513
9b16dc65 3514 if (L2CAP_CTRL_FINAL & rx_control &&
e2ab4353 3515 test_bit(CONN_WAIT_F, &chan->conn_state)) {
1a09bcb9 3516 __clear_monitor_timer(chan);
6a026610 3517 if (chan->unacked_frames > 0)
1a09bcb9 3518 __set_retrans_timer(chan);
e2ab4353 3519 clear_bit(CONN_WAIT_F, &chan->conn_state);
1d8f5d16
GP		 3520 }
3521
42e5c802
GP		 3522 chan->expected_ack_seq = req_seq;
3523 l2cap_drop_acked_frames(chan);
9f121a5a 3524
42e5c802 3525 if (tx_seq == chan->expected_tx_seq)
8f17154f 3526 goto expected;
1c2acffb 3527
42e5c802 3528 tx_seq_offset = (tx_seq - chan->buffer_seq) % 64;
9b53350d
JPRV		 3529 if (tx_seq_offset < 0)
3530 tx_seq_offset += 64;
3531
3532 /* invalid tx_seq */
47d1ec61 3533 if (tx_seq_offset >= chan->tx_win) {
8c1d787b 3534 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
9b53350d
JPRV		 3535 goto drop;
3536 }
3537
e2ab4353 3538 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1890d36b
GP		 3539 goto drop;
3540
e2ab4353 3541 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
8f17154f 3542 struct srej_list *first;
30afb5b2 3543
39d5a3ee 3544 first = list_first_entry(&chan->srej_l,
8f17154f
GP		 3545 struct srej_list, list);
3546 if (tx_seq == first->tx_seq) {
42e5c802 3547 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
525cd185 3548 l2cap_check_srej_gap(chan, tx_seq);
8f17154f
GP		 3549
3550 list_del(&first->list);
3551 kfree(first);
3552
39d5a3ee 3553 if (list_empty(&chan->srej_l)) {
42e5c802 3554 chan->buffer_seq = chan->buffer_seq_srej;
e2ab4353 3555 clear_bit(CONN_SREJ_SENT, &chan->conn_state);
525cd185 3556 l2cap_send_ack(chan);
49208c9c 3557 BT_DBG("chan %p, Exit SREJ_SENT", chan);
8f17154f
GP		 3558 }
3559 } else {
3560 struct srej_list *l;
9b53350d
JPRV		 3561
3562 /* duplicated tx_seq */
42e5c802 3563 if (l2cap_add_to_srej_queue(chan, skb, tx_seq, sar) < 0)
9b53350d 3564 goto drop;
8f17154f 3565
39d5a3ee 3566 list_for_each_entry(l, &chan->srej_l, list) {
8f17154f 3567 if (l->tx_seq == tx_seq) {
525cd185 3568 l2cap_resend_srejframe(chan, tx_seq);
8f17154f
GP		 3569 return 0;
3570 }
3571 }
525cd185 3572 l2cap_send_srejframe(chan, tx_seq);
30afb5b2
GP		 3573 }
3574 } else {
9b53350d 3575 expected_tx_seq_offset =
42e5c802 3576 (chan->expected_tx_seq - chan->buffer_seq) % 64;
9b53350d
JPRV		 3577 if (expected_tx_seq_offset < 0)
3578 expected_tx_seq_offset += 64;
3579
3580 /* duplicated tx_seq */
3581 if (tx_seq_offset < expected_tx_seq_offset)
3582 goto drop;
3583
e2ab4353 3584 set_bit(CONN_SREJ_SENT, &chan->conn_state);
1c2acffb 3585
49208c9c 3586 BT_DBG("chan %p, Enter SREJ", chan);
0e98958d 3587
39d5a3ee 3588 INIT_LIST_HEAD(&chan->srej_l);
42e5c802 3589 chan->buffer_seq_srej = chan->buffer_seq;
8f17154f 3590
f1c6775b
GP		 3591 __skb_queue_head_init(&chan->srej_q);
3592 __skb_queue_head_init(&chan->busy_q);
42e5c802 3593 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
8f17154f 3594
e2ab4353 3595 set_bit(CONN_SEND_PBIT, &chan->conn_state);
ef54fd93 3596
525cd185 3597 l2cap_send_srejframe(chan, tx_seq);
7fe9b298 3598
1a09bcb9 3599 __clear_ack_timer(chan);
1c2acffb 3600 }
30afb5b2
GP		 3601 return 0;
3602
8f17154f 3603expected:
42e5c802 3604 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
8f17154f 3605
e2ab4353 3606 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3b1a9f3f
GP		 3607 bt_cb(skb)->tx_seq = tx_seq;
3608 bt_cb(skb)->sar = sar;
f1c6775b 3609 __skb_queue_tail(&chan->srej_q, skb);
8f17154f
GP		 3610 return 0;
3611 }
3612
525cd185 3613 err = l2cap_push_rx_skb(chan, skb, rx_control);
2ece3684
GP		 3614 if (err < 0)
3615 return 0;
3616
4ec10d97 3617 if (rx_control & L2CAP_CTRL_FINAL) {
e2ab4353 3618 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 3619 l2cap_retransmit_frames(chan);
4ec10d97
GP		 3620 }
3621
1a09bcb9 3622 __set_ack_timer(chan);
c1b4f43b 3623
6a026610
GP		 3624 chan->num_acked = (chan->num_acked + 1) % num_to_ack;
3625 if (chan->num_acked == num_to_ack - 1)
525cd185 3626 l2cap_send_ack(chan);
9e917af1 3627
8f17154f 3628 return 0;
9b53350d
JPRV		 3629
3630drop:
3631 kfree_skb(skb);
3632 return 0;
1c2acffb
GP		 3633}
3634
525cd185 3635static inline void l2cap_data_channel_rrframe(struct l2cap_chan *chan, u16 rx_control)
1c2acffb 3636{
49208c9c 3637 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, __get_reqseq(rx_control),
0e98958d
GP		 3638 rx_control);
3639
42e5c802
GP		 3640 chan->expected_ack_seq = __get_reqseq(rx_control);
3641 l2cap_drop_acked_frames(chan);
1c2acffb 3642
e072745f 3643 if (rx_control & L2CAP_CTRL_POLL) {
e2ab4353
GP		 3644 set_bit(CONN_SEND_FBIT, &chan->conn_state);
3645 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3646 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
6a026610 3647 (chan->unacked_frames > 0))
1a09bcb9 3648 __set_retrans_timer(chan);
05fbd89d 3649
e2ab4353 3650 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
525cd185 3651 l2cap_send_srejtail(chan);
05fbd89d 3652 } else {
525cd185 3653 l2cap_send_i_or_rr_or_rnr(chan);
05fbd89d 3654 }
1d8f5d16 3655
e072745f 3656 } else if (rx_control & L2CAP_CTRL_FINAL) {
e2ab4353 3657 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4ec10d97 3658
e2ab4353 3659 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 3660 l2cap_retransmit_frames(chan);
2246b2f1 3661
e072745f 3662 } else {
e2ab4353 3663 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
6a026610 3664 (chan->unacked_frames > 0))
1a09bcb9 3665 __set_retrans_timer(chan);
1c2acffb 3666
e2ab4353
GP		 3667 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
3668 if (test_bit(CONN_SREJ_SENT, &chan->conn_state))
525cd185 3669 l2cap_send_ack(chan);
894718a6 3670 else
525cd185 3671 l2cap_ertm_send(chan);
e072745f
GP		 3672 }
3673}
2246b2f1 3674
525cd185 3675static inline void l2cap_data_channel_rejframe(struct l2cap_chan *chan, u16 rx_control)
e072745f 3676{
e072745f 3677 u8 tx_seq = __get_reqseq(rx_control);
30afb5b2 3678
525cd185 3679 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
0e98958d 3680
e2ab4353 3681 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
e072745f 3682
42e5c802
GP		 3683 chan->expected_ack_seq = tx_seq;
3684 l2cap_drop_acked_frames(chan);
e072745f
GP		 3685
3686 if (rx_control & L2CAP_CTRL_FINAL) {
e2ab4353 3687 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 3688 l2cap_retransmit_frames(chan);
e072745f 3689 } else {
525cd185 3690 l2cap_retransmit_frames(chan);
30afb5b2 3691
e2ab4353
GP		 3692 if (test_bit(CONN_WAIT_F, &chan->conn_state))
3693 set_bit(CONN_REJ_ACT, &chan->conn_state);
e072745f
GP		 3694 }
3695}
525cd185 3696static inline void l2cap_data_channel_srejframe(struct l2cap_chan *chan, u16 rx_control)
e072745f 3697{
e072745f 3698 u8 tx_seq = __get_reqseq(rx_control);
30afb5b2 3699
525cd185 3700 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
0e98958d 3701
e2ab4353 3702 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
2246b2f1 3703
e072745f 3704 if (rx_control & L2CAP_CTRL_POLL) {
42e5c802
GP		 3705 chan->expected_ack_seq = tx_seq;
3706 l2cap_drop_acked_frames(chan);
3cb123d1 3707
e2ab4353 3708 set_bit(CONN_SEND_FBIT, &chan->conn_state);
525cd185 3709 l2cap_retransmit_one_frame(chan, tx_seq);
dfc909be 3710
525cd185 3711 l2cap_ertm_send(chan);
dfc909be 3712
e2ab4353 3713 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
6a026610 3714 chan->srej_save_reqseq = tx_seq;
e2ab4353 3715 set_bit(CONN_SREJ_ACT, &chan->conn_state);
ef54fd93 3716 }
e072745f 3717 } else if (rx_control & L2CAP_CTRL_FINAL) {
e2ab4353 3718 if (test_bit(CONN_SREJ_ACT, &chan->conn_state) &&
6a026610 3719 chan->srej_save_reqseq == tx_seq)
e2ab4353 3720 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
e072745f 3721 else
525cd185 3722 l2cap_retransmit_one_frame(chan, tx_seq);
e072745f 3723 } else {
525cd185 3724 l2cap_retransmit_one_frame(chan, tx_seq);
e2ab4353 3725 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
6a026610 3726 chan->srej_save_reqseq = tx_seq;
e2ab4353 3727 set_bit(CONN_SREJ_ACT, &chan->conn_state);
ef54fd93 3728 }
e072745f
GP		 3729 }
3730}
3731
525cd185 3732static inline void l2cap_data_channel_rnrframe(struct l2cap_chan *chan, u16 rx_control)
e072745f 3733{
e072745f
GP		 3734 u8 tx_seq = __get_reqseq(rx_control);
3735
525cd185 3736 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
0e98958d 3737
e2ab4353 3738 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
42e5c802
GP		 3739 chan->expected_ack_seq = tx_seq;
3740 l2cap_drop_acked_frames(chan);
e072745f 3741
3cb123d1 3742 if (rx_control & L2CAP_CTRL_POLL)
e2ab4353 3743 set_bit(CONN_SEND_FBIT, &chan->conn_state);
3cb123d1 3744
e2ab4353 3745 if (!test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
1a09bcb9 3746 __clear_retrans_timer(chan);
a2e12a2a 3747 if (rx_control & L2CAP_CTRL_POLL)
525cd185 3748 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_FINAL);
99b0d4b7 3749 return;
e072745f 3750 }
99b0d4b7
GP		 3751
3752 if (rx_control & L2CAP_CTRL_POLL)
525cd185 3753 l2cap_send_srejtail(chan);
99b0d4b7 3754 else
525cd185 3755 l2cap_send_sframe(chan, L2CAP_SUPER_RCV_READY);
e072745f
GP		 3756}
3757
525cd185 3758static inline int l2cap_data_channel_sframe(struct l2cap_chan *chan, u16 rx_control, struct sk_buff *skb)
e072745f 3759{
525cd185 3760 BT_DBG("chan %p rx_control 0x%4.4x len %d", chan, rx_control, skb->len);
e072745f 3761
9b16dc65 3762 if (L2CAP_CTRL_FINAL & rx_control &&
e2ab4353 3763 test_bit(CONN_WAIT_F, &chan->conn_state)) {
1a09bcb9 3764 __clear_monitor_timer(chan);
6a026610 3765 if (chan->unacked_frames > 0)
1a09bcb9 3766 __set_retrans_timer(chan);
e2ab4353 3767 clear_bit(CONN_WAIT_F, &chan->conn_state);
e072745f
GP		 3768 }
3769
3770 switch (rx_control & L2CAP_CTRL_SUPERVISE) {
3771 case L2CAP_SUPER_RCV_READY:
525cd185 3772 l2cap_data_channel_rrframe(chan, rx_control);
8f17154f
GP		 3773 break;
3774
e072745f 3775 case L2CAP_SUPER_REJECT:
525cd185 3776 l2cap_data_channel_rejframe(chan, rx_control);
e072745f 3777 break;
2246b2f1 3778
e072745f 3779 case L2CAP_SUPER_SELECT_REJECT:
525cd185 3780 l2cap_data_channel_srejframe(chan, rx_control);
e072745f
GP		 3781 break;
3782
3783 case L2CAP_SUPER_RCV_NOT_READY:
525cd185 3784 l2cap_data_channel_rnrframe(chan, rx_control);
1c2acffb
GP		 3785 break;
3786 }
3787
faaebd19 3788 kfree_skb(skb);
1c2acffb
GP		 3789 return 0;
3790}
3791
218bb9df
GP		 3792static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb)
3793{
525cd185 3794 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
218bb9df
GP		 3795 u16 control;
3796 u8 req_seq;
3797 int len, next_tx_seq_offset, req_seq_offset;
3798
3799 control = get_unaligned_le16(skb->data);
3800 skb_pull(skb, 2);
3801 len = skb->len;
3802
3803 /*
3804 * We can just drop the corrupted I-frame here.
3805 * Receiver will miss it and start proper recovery
3806 * procedures and ask retransmission.
3807 */
47d1ec61 3808 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 3809 goto drop;
3810
3811 if (__is_sar_start(control) && __is_iframe(control))
3812 len -= 2;
3813
47d1ec61 3814 if (chan->fcs == L2CAP_FCS_CRC16)
218bb9df
GP		 3815 len -= 2;
3816
47d1ec61 3817 if (len > chan->mps) {
8c1d787b 3818 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3819 goto drop;
3820 }
3821
3822 req_seq = __get_reqseq(control);
42e5c802 3823 req_seq_offset = (req_seq - chan->expected_ack_seq) % 64;
218bb9df
GP		 3824 if (req_seq_offset < 0)
3825 req_seq_offset += 64;
3826
3827 next_tx_seq_offset =
42e5c802 3828 (chan->next_tx_seq - chan->expected_ack_seq) % 64;
218bb9df
GP		 3829 if (next_tx_seq_offset < 0)
3830 next_tx_seq_offset += 64;
3831
3832 /* check for invalid req-seq */
3833 if (req_seq_offset > next_tx_seq_offset) {
8c1d787b 3834 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3835 goto drop;
3836 }
3837
3838 if (__is_iframe(control)) {
3839 if (len < 0) {
8c1d787b 3840 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3841 goto drop;
3842 }
3843
525cd185 3844 l2cap_data_channel_iframe(chan, control, skb);
218bb9df
GP		 3845 } else {
3846 if (len != 0) {
3847 BT_ERR("%d", len);
8c1d787b 3848 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3849 goto drop;
3850 }
3851
525cd185 3852 l2cap_data_channel_sframe(chan, control, skb);
218bb9df
GP		 3853 }
3854
3855 return 0;
3856
3857drop:
3858 kfree_skb(skb);
3859 return 0;
3860}
3861
1da177e4
LT		 3862static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
3863{
48454079 3864 struct l2cap_chan *chan;
bf734843 3865 struct sock *sk = NULL;
51893f88 3866 u16 control;
218bb9df
GP		 3867 u8 tx_seq;
3868 int len;
1da177e4 3869
baa7e1fa 3870 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 3871 if (!chan) {
1da177e4
LT		 3872 BT_DBG("unknown cid 0x%4.4x", cid);
3873 goto drop;
3874 }
3875
48454079 3876 sk = chan->sk;
6840ed07 3877
49208c9c 3878 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 3879
89bc500e 3880 if (chan->state != BT_CONNECTED)
1da177e4
LT		 3881 goto drop;
3882
0c1bc5c6 3883 switch (chan->mode) {
1c2acffb
GP		 3884 case L2CAP_MODE_BASIC:
3885 /* If socket recv buffers overflows we drop data here
3886 * which is *bad* because L2CAP has to be reliable.
3887 * But we don't have any other choice. L2CAP doesn't
3888 * provide flow control mechanism. */
1da177e4 3889
0c1bc5c6 3890 if (chan->imtu < skb->len)
1c2acffb 3891 goto drop;
1da177e4 3892
23070494 3893 if (!chan->ops->recv(chan->data, skb))
1c2acffb
GP		 3894 goto done;
3895 break;
3896
3897 case L2CAP_MODE_ERTM:
218bb9df
GP		 3898 if (!sock_owned_by_user(sk)) {
3899 l2cap_ertm_data_rcv(sk, skb);
277ffbe3 3900 } else {
218bb9df 3901 if (sk_add_backlog(sk, skb))
277ffbe3 3902 goto drop;
277ffbe3 3903 }
1c2acffb 3904
fcafde2e 3905 goto done;
1c2acffb 3906
6840ed07
GP		 3907 case L2CAP_MODE_STREAMING:
3908 control = get_unaligned_le16(skb->data);
3909 skb_pull(skb, 2);
3910 len = skb->len;
3911
47d1ec61 3912 if (l2cap_check_fcs(chan, skb))
26000089
GP		 3913 goto drop;
3914
6840ed07
GP		 3915 if (__is_sar_start(control))
3916 len -= 2;
3917
47d1ec61 3918 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3
GP		 3919 len -= 2;
3920
47d1ec61 3921 if (len > chan->mps || len < 0 || __is_sframe(control))
6840ed07
GP		 3922 goto drop;
3923
3924 tx_seq = __get_txseq(control);
3925
42e5c802
GP		 3926 if (chan->expected_tx_seq == tx_seq)
3927 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
6840ed07 3928 else
42e5c802 3929 chan->expected_tx_seq = (tx_seq + 1) % 64;
6840ed07 3930
525cd185 3931 l2cap_streaming_reassembly_sdu(chan, skb, control);
6840ed07
GP		 3932
3933 goto done;
3934
1c2acffb 3935 default:
0c1bc5c6 3936 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 3937 break;
3938 }
1da177e4
LT		 3939
3940drop:
3941 kfree_skb(skb);
3942
3943done:
0139418c
MH		 3944 if (sk)
3945 bh_unlock_sock(sk);
3946
1da177e4
LT		 3947 return 0;
3948}
3949
8e036fc3 3950static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
1da177e4 3951{
6dcae1ea 3952 struct sock *sk = NULL;
23691d75 3953 struct l2cap_chan *chan;
1da177e4 3954
23691d75
GP		 3955 chan = l2cap_global_chan_by_psm(0, psm, conn->src);
3956 if (!chan)
1da177e4
LT		 3957 goto drop;
3958
23691d75
GP		 3959 sk = chan->sk;
3960
e0f0cb56
GP		 3961 bh_lock_sock(sk);
3962
1da177e4
LT		 3963 BT_DBG("sk %p, len %d", sk, skb->len);
3964
89bc500e 3965 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 3966 goto drop;
3967
0c1bc5c6 3968 if (l2cap_pi(sk)->chan->imtu < skb->len)
1da177e4
LT		 3969 goto drop;
3970
23070494 3971 if (!chan->ops->recv(chan->data, skb))
1da177e4
LT		 3972 goto done;
3973
3974drop:
3975 kfree_skb(skb);
3976
3977done:
af05b30b
GP		 3978 if (sk)
3979 bh_unlock_sock(sk);
1da177e4
LT		 3980 return 0;
3981}
3982
9f69bda6
GP		 3983static inline int l2cap_att_channel(struct l2cap_conn *conn, __le16 cid, struct sk_buff *skb)
3984{
6dcae1ea 3985 struct sock *sk = NULL;
23691d75 3986 struct l2cap_chan *chan;
9f69bda6 3987
23691d75
GP		 3988 chan = l2cap_global_chan_by_scid(0, cid, conn->src);
3989 if (!chan)
9f69bda6
GP		 3990 goto drop;
3991
23691d75
GP		 3992 sk = chan->sk;
3993
9f69bda6
GP		 3994 bh_lock_sock(sk);
3995
3996 BT_DBG("sk %p, len %d", sk, skb->len);
3997
89bc500e 3998 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
9f69bda6
GP		 3999 goto drop;
4000
0c1bc5c6 4001 if (l2cap_pi(sk)->chan->imtu < skb->len)
9f69bda6
GP		 4002 goto drop;
4003
23070494 4004 if (!chan->ops->recv(chan->data, skb))
9f69bda6
GP		 4005 goto done;
4006
4007drop:
4008 kfree_skb(skb);
4009
4010done:
4011 if (sk)
4012 bh_unlock_sock(sk);
4013 return 0;
4014}
4015
1da177e4
LT		 4016static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
4017{
4018 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 4019 u16 cid, len;
4020 __le16 psm;
1da177e4
LT		 4021
4022 skb_pull(skb, L2CAP_HDR_SIZE);
4023 cid = __le16_to_cpu(lh->cid);
4024 len = __le16_to_cpu(lh->len);
4025
1c2acffb
GP		 4026 if (len != skb->len) {
4027 kfree_skb(skb);
4028 return;
4029 }
4030
1da177e4
LT		 4031 BT_DBG("len %d, cid 0x%4.4x", len, cid);
4032
4033 switch (cid) {
3300d9a9 4034 case L2CAP_CID_LE_SIGNALING:
8db4dc46 4035 case L2CAP_CID_SIGNALING:
1da177e4
LT		 4036 l2cap_sig_channel(conn, skb);
4037 break;
4038
8db4dc46 4039 case L2CAP_CID_CONN_LESS:
1b7bf4ed 4040 psm = get_unaligned_le16(skb->data);
1da177e4
LT		 4041 skb_pull(skb, 2);
4042 l2cap_conless_channel(conn, psm, skb);
4043 break;
4044
9f69bda6
GP		 4045 case L2CAP_CID_LE_DATA:
4046 l2cap_att_channel(conn, cid, skb);
4047 break;
4048
b501d6a1
AB		 4049 case L2CAP_CID_SMP:
4050 if (smp_sig_channel(conn, skb))
4051 l2cap_conn_del(conn->hcon, EACCES);
4052 break;
4053
1da177e4
LT		 4054 default:
4055 l2cap_data_channel(conn, cid, skb);
4056 break;
4057 }
4058}
4059
4060/* ---- L2CAP interface with lower layer (HCI) ---- */
4061
4062static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
4063{
4064 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 4065 struct l2cap_chan *c;
1da177e4
LT		 4066
4067 if (type != ACL_LINK)
963cf687 4068 return -EINVAL;
1da177e4
LT		 4069
4070 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
4071
4072 /* Find listening sockets and check their link_mode */
23691d75
GP		 4073 read_lock(&chan_list_lock);
4074 list_for_each_entry(c, &chan_list, global_l) {
4075 struct sock *sk = c->sk;
4343478f 4076
89bc500e 4077 if (c->state != BT_LISTEN)
1da177e4
LT		 4078 continue;
4079
4080 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 4081 lm1 |= HCI_LM_ACCEPT;
23691d75 4082 if (c->role_switch)
2af6b9d5 4083 lm1 |= HCI_LM_MASTER;
1da177e4 4084 exact++;
2af6b9d5
MH		 4085 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
4086 lm2 |= HCI_LM_ACCEPT;
23691d75 4087 if (c->role_switch)
2af6b9d5
MH		 4088 lm2 |= HCI_LM_MASTER;
4089 }
1da177e4 4090 }
23691d75 4091 read_unlock(&chan_list_lock);
1da177e4
LT		 4092
4093 return exact ? lm1 : lm2;
4094}
4095
4096static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
4097{
0139418c
MH		 4098 struct l2cap_conn *conn;
4099
1da177e4
LT		 4100 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
4101
acd7d370 4102 if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK))
963cf687 4103 return -EINVAL;
1da177e4
LT		 4104
4105 if (!status) {
1da177e4
LT		 4106 conn = l2cap_conn_add(hcon, status);
4107 if (conn)
4108 l2cap_conn_ready(conn);
0139418c 4109 } else
1da177e4
LT		 4110 l2cap_conn_del(hcon, bt_err(status));
4111
4112 return 0;
4113}
4114
2950f21a
MH		 4115static int l2cap_disconn_ind(struct hci_conn *hcon)
4116{
4117 struct l2cap_conn *conn = hcon->l2cap_data;
4118
4119 BT_DBG("hcon %p", hcon);
4120
b5694506 4121 if ((hcon->type != ACL_LINK && hcon->type != LE_LINK) || !conn)
2950f21a
MH		 4122 return 0x13;
4123
4124 return conn->disc_reason;
4125}
4126
4127static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 4128{
4129 BT_DBG("hcon %p reason %d", hcon, reason);
4130
acd7d370 4131 if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK))
963cf687 4132 return -EINVAL;
1da177e4
LT		 4133
4134 l2cap_conn_del(hcon, bt_err(reason));
0139418c 4135
1da177e4
LT		 4136 return 0;
4137}
4138
4343478f 4139static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 4140{
715ec005 4141 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 4142 return;
4143
f62e4323 4144 if (encrypt == 0x00) {
4343478f 4145 if (chan->sec_level == BT_SECURITY_MEDIUM) {
c9b66675
GP		 4146 __clear_chan_timer(chan);
4147 __set_chan_timer(chan, HZ * 5);
4343478f 4148 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 4149 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 4150 } else {
4343478f 4151 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 4152 __clear_chan_timer(chan);
f62e4323
MH		 4153 }
4154}
4155
8c1b2355 4156static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 4157{
0139418c 4158 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 4159 struct l2cap_chan *chan;
1da177e4 4160
0139418c 4161 if (!conn)
1da177e4 4162 return 0;
0139418c 4163
1da177e4
LT		 4164 BT_DBG("conn %p", conn);
4165
baa7e1fa 4166 read_lock(&conn->chan_lock);
1da177e4 4167
baa7e1fa 4168 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 4169 struct sock *sk = chan->sk;
baa7e1fa 4170
1da177e4
LT		 4171 bh_lock_sock(sk);
4172
f1cb9af5
VCG		 4173 BT_DBG("chan->scid %d", chan->scid);
4174
4175 if (chan->scid == L2CAP_CID_LE_DATA) {
4176 if (!status && encrypt) {
4177 chan->sec_level = hcon->sec_level;
5d3de7df 4178 del_timer(&conn->security_timer);
f1cb9af5
VCG		 4179 l2cap_chan_ready(sk);
4180 }
4181
4182 bh_unlock_sock(sk);
4183 continue;
4184 }
4185
c1360a1c 4186 if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
6a8d3010
MH		 4187 bh_unlock_sock(sk);
4188 continue;
4189 }
4190
89bc500e
GP		 4191 if (!status && (chan->state == BT_CONNECTED ||
4192 chan->state == BT_CONFIG)) {
4343478f 4193 l2cap_check_encryption(chan, encrypt);
9719f8af
MH		 4194 bh_unlock_sock(sk);
4195 continue;
4196 }
4197
89bc500e 4198 if (chan->state == BT_CONNECT) {
b1235d79
MH		 4199 if (!status) {
4200 struct l2cap_conn_req req;
fe4128e0
GP		 4201 req.scid = cpu_to_le16(chan->scid);
4202 req.psm = chan->psm;
1da177e4 4203
fc7f8a7e 4204 chan->ident = l2cap_get_ident(conn);
c1360a1c 4205 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4 4206
fc7f8a7e 4207 l2cap_send_cmd(conn, chan->ident,
b1235d79
MH		 4208 L2CAP_CONN_REQ, sizeof(req), &req);
4209 } else {
c9b66675
GP		 4210 __clear_chan_timer(chan);
4211 __set_chan_timer(chan, HZ / 10);
b1235d79 4212 }
89bc500e 4213 } else if (chan->state == BT_CONNECT2) {
b1235d79
MH		 4214 struct l2cap_conn_rsp rsp;
4215 __u16 result;
1da177e4 4216
b1235d79 4217 if (!status) {
89bc500e 4218 l2cap_state_change(chan, BT_CONFIG);
b1235d79
MH		 4219 result = L2CAP_CR_SUCCESS;
4220 } else {
89bc500e 4221 l2cap_state_change(chan, BT_DISCONN);
c9b66675 4222 __set_chan_timer(chan, HZ / 10);
b1235d79
MH		 4223 result = L2CAP_CR_SEC_BLOCK;
4224 }
4225
fe4128e0
GP		 4226 rsp.scid = cpu_to_le16(chan->dcid);
4227 rsp.dcid = cpu_to_le16(chan->scid);
b1235d79 4228 rsp.result = cpu_to_le16(result);
e7c29cb1 4229 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
fc7f8a7e
GP		 4230 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
4231 sizeof(rsp), &rsp);
b1235d79 4232 }
1da177e4
LT		 4233
4234 bh_unlock_sock(sk);
4235 }
4236
baa7e1fa 4237 read_unlock(&conn->chan_lock);
b1235d79 4238
1da177e4
LT		 4239 return 0;
4240}
4241
4242static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
4243{
4244 struct l2cap_conn *conn = hcon->l2cap_data;
4245
5a08ecce
AE		 4246 if (!conn)
4247 conn = l2cap_conn_add(hcon, 0);
4248
4249 if (!conn)
1da177e4
LT		 4250 goto drop;
4251
4252 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
4253
e702112f 4254 if (!(flags & ACL_CONT)) {
1da177e4 4255 struct l2cap_hdr *hdr;
48454079 4256 struct l2cap_chan *chan;
89794813 4257 u16 cid;
1da177e4
LT		 4258 int len;
4259
4260 if (conn->rx_len) {
4261 BT_ERR("Unexpected start frame (len %d)", skb->len);
4262 kfree_skb(conn->rx_skb);
4263 conn->rx_skb = NULL;
4264 conn->rx_len = 0;
4265 l2cap_conn_unreliable(conn, ECOMM);
4266 }
4267
aae7fe22
AE		 4268 /* Start fragment always begin with Basic L2CAP header */
4269 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 4270 BT_ERR("Frame is too short (len %d)", skb->len);
4271 l2cap_conn_unreliable(conn, ECOMM);
4272 goto drop;
4273 }
4274
4275 hdr = (struct l2cap_hdr *) skb->data;
4276 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
89794813 4277 cid = __le16_to_cpu(hdr->cid);
1da177e4
LT		 4278
4279 if (len == skb->len) {
4280 /* Complete frame received */
4281 l2cap_recv_frame(conn, skb);
4282 return 0;
4283 }
4284
4285 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
4286
4287 if (skb->len > len) {
4288 BT_ERR("Frame is too long (len %d, expected len %d)",
4289 skb->len, len);
4290 l2cap_conn_unreliable(conn, ECOMM);
4291 goto drop;
4292 }
4293
baa7e1fa 4294 chan = l2cap_get_chan_by_scid(conn, cid);
89794813 4295
48454079
GP		 4296 if (chan && chan->sk) {
4297 struct sock *sk = chan->sk;
89794813 4298
0c1bc5c6 4299 if (chan->imtu < len - L2CAP_HDR_SIZE) {
48454079
GP		 4300 BT_ERR("Frame exceeding recv MTU (len %d, "
4301 "MTU %d)", len,
0c1bc5c6 4302 chan->imtu);
48454079
GP		 4303 bh_unlock_sock(sk);
4304 l2cap_conn_unreliable(conn, ECOMM);
4305 goto drop;
4306 }
89794813 4307 bh_unlock_sock(sk);
48454079 4308 }
89794813 4309
1da177e4 4310 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 4311 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
4312 if (!conn->rx_skb)
1da177e4
LT		 4313 goto drop;
4314
d626f62b 4315 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4316 skb->len);
1da177e4
LT		 4317 conn->rx_len = len - skb->len;
4318 } else {
4319 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
4320
4321 if (!conn->rx_len) {
4322 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
4323 l2cap_conn_unreliable(conn, ECOMM);
4324 goto drop;
4325 }
4326
4327 if (skb->len > conn->rx_len) {
4328 BT_ERR("Fragment is too long (len %d, expected %d)",
4329 skb->len, conn->rx_len);
4330 kfree_skb(conn->rx_skb);
4331 conn->rx_skb = NULL;
4332 conn->rx_len = 0;
4333 l2cap_conn_unreliable(conn, ECOMM);
4334 goto drop;
4335 }
4336
d626f62b 4337 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4338 skb->len);
1da177e4
LT		 4339 conn->rx_len -= skb->len;
4340
4341 if (!conn->rx_len) {
4342 /* Complete frame received */
4343 l2cap_recv_frame(conn, conn->rx_skb);
4344 conn->rx_skb = NULL;
4345 }
4346 }
4347
4348drop:
4349 kfree_skb(skb);
4350 return 0;
4351}
4352
aef7d97c 4353static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 4354{
23691d75 4355 struct l2cap_chan *c;
1da177e4 4356
23691d75 4357 read_lock_bh(&chan_list_lock);
1da177e4 4358
23691d75
GP		 4359 list_for_each_entry(c, &chan_list, global_l) {
4360 struct sock *sk = c->sk;
101545f6 4361
903d343e 4362 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
aef7d97c
MH		 4363 batostr(&bt_sk(sk)->src),
4364 batostr(&bt_sk(sk)->dst),
89bc500e 4365 c->state, __le16_to_cpu(c->psm),
23691d75
GP		 4366 c->scid, c->dcid, c->imtu, c->omtu,
4367 c->sec_level, c->mode);
be9d1227 4368 }
1da177e4 4369
23691d75 4370 read_unlock_bh(&chan_list_lock);
1da177e4 4371
aef7d97c 4372 return 0;
1da177e4
LT		 4373}
4374
aef7d97c
MH		 4375static int l2cap_debugfs_open(struct inode *inode, struct file *file)
4376{
4377 return single_open(file, l2cap_debugfs_show, inode->i_private);
4378}
4379
4380static const struct file_operations l2cap_debugfs_fops = {
4381 .open = l2cap_debugfs_open,
4382 .read = seq_read,
4383 .llseek = seq_lseek,
4384 .release = single_release,
4385};
4386
4387static struct dentry *l2cap_debugfs;
1da177e4 4388
1da177e4
LT		 4389static struct hci_proto l2cap_hci_proto = {
4390 .name = "L2CAP",
4391 .id = HCI_PROTO_L2CAP,
4392 .connect_ind = l2cap_connect_ind,
4393 .connect_cfm = l2cap_connect_cfm,
4394 .disconn_ind = l2cap_disconn_ind,
2950f21a 4395 .disconn_cfm = l2cap_disconn_cfm,
8c1b2355 4396 .security_cfm = l2cap_security_cfm,
1da177e4
LT		 4397 .recv_acldata = l2cap_recv_acldata
4398};
4399
64274518 4400int __init l2cap_init(void)
1da177e4
LT		 4401{
4402 int err;
be9d1227 4403
bb58f747 4404 err = l2cap_init_sockets();
1da177e4
LT		 4405 if (err < 0)
4406 return err;
4407
1890d36b 4408 _busy_wq = create_singlethread_workqueue("l2cap");
b78d7b4f 4409 if (!_busy_wq) {
bb58f747 4410 err = -ENOMEM;
1da177e4
LT		 4411 goto error;
4412 }
4413
4414 err = hci_register_proto(&l2cap_hci_proto);
4415 if (err < 0) {
4416 BT_ERR("L2CAP protocol registration failed");
4417 bt_sock_unregister(BTPROTO_L2CAP);
4418 goto error;
4419 }
4420
aef7d97c
MH		 4421 if (bt_debugfs) {
4422 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
4423 bt_debugfs, NULL, &l2cap_debugfs_fops);
4424 if (!l2cap_debugfs)
4425 BT_ERR("Failed to create L2CAP debug file");
4426 }
1da177e4 4427
1da177e4
LT		 4428 return 0;
4429
4430error:
b78d7b4f 4431 destroy_workqueue(_busy_wq);
bb58f747 4432 l2cap_cleanup_sockets();
1da177e4
LT		 4433 return err;
4434}
4435
64274518 4436void l2cap_exit(void)
1da177e4 4437{
aef7d97c 4438 debugfs_remove(l2cap_debugfs);
1da177e4 4439
1890d36b
GP		 4440 flush_workqueue(_busy_wq);
4441 destroy_workqueue(_busy_wq);
4442
1da177e4
LT		 4443 if (hci_unregister_proto(&l2cap_hci_proto) < 0)
4444 BT_ERR("L2CAP protocol unregistration failed");
4445
bb58f747 4446 l2cap_cleanup_sockets();
1da177e4
LT		 4447}
4448
d1c4a17d
GP		 4449module_param(disable_ertm, bool, 0644);
4450MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
kernel source for telekom puls (alcatel/mediatek)