projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Add blacklisting support for mgmt interface
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
1da177e4
LT		 6
7 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License version 2 as
11 published by the Free Software Foundation;
12
13 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
14 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
15 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
16 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 17 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
18 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
19 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 20 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
21
8e87d142
YH		 22 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
23 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 24 SOFTWARE IS DISCLAIMED.
25*/
26
bb58f747 27/* Bluetooth L2CAP core. */
1da177e4 28
1da177e4
LT		 29#include <linux/module.h>
30
31#include <linux/types.h>
4fc268d2 32#include <linux/capability.h>
1da177e4
LT		 33#include <linux/errno.h>
34#include <linux/kernel.h>
1da177e4
LT		 35#include <linux/sched.h>
36#include <linux/slab.h>
37#include <linux/poll.h>
38#include <linux/fcntl.h>
39#include <linux/init.h>
40#include <linux/interrupt.h>
41#include <linux/socket.h>
42#include <linux/skbuff.h>
1da177e4 43#include <linux/list.h>
be9d1227 44#include <linux/device.h>
aef7d97c
MH		 45#include <linux/debugfs.h>
46#include <linux/seq_file.h>
af05b30b 47#include <linux/uaccess.h>
fcc203c3 48#include <linux/crc16.h>
1da177e4
LT		 49#include <net/sock.h>
50
51#include <asm/system.h>
1da177e4
LT		 52#include <asm/unaligned.h>
53
54#include <net/bluetooth/bluetooth.h>
55#include <net/bluetooth/hci_core.h>
56#include <net/bluetooth/l2cap.h>
b501d6a1 57#include <net/bluetooth/smp.h>
1da177e4 58
bb58f747 59int disable_ertm;
f0709e03 60
47ec1dcd 61static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
e1027a7c 62static u8 l2cap_fixed_chan[8] = { 0x02, };
1da177e4 63
1890d36b
GP		 64static struct workqueue_struct *_busy_wq;
65
b5ad8b7f
JB		 66static LIST_HEAD(chan_list);
67static DEFINE_RWLOCK(chan_list_lock);
1da177e4 68
1890d36b
GP		 69static void l2cap_busy_work(struct work_struct *work);
70
1da177e4
LT		 71static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
72 u8 code, u8 ident, u16 dlen, void *data);
4519de9a
GP		 73static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
74 void *data);
710f9b0a 75static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
4519de9a
GP		 76static void l2cap_send_disconn_req(struct l2cap_conn *conn,
77 struct l2cap_chan *chan, int err);
1da177e4 78
218bb9df
GP		 79static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb);
80
0139418c 81/* ---- L2CAP channels ---- */
71ba0e56
GP		 82
83static inline void chan_hold(struct l2cap_chan *c)
84{
85 atomic_inc(&c->refcnt);
86}
87
88static inline void chan_put(struct l2cap_chan *c)
89{
90 if (atomic_dec_and_test(&c->refcnt))
91 kfree(c);
92}
93
baa7e1fa 94static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
0139418c 95{
48454079 96 struct l2cap_chan *c;
baa7e1fa
GP		 97
98 list_for_each_entry(c, &conn->chan_l, list) {
fe4128e0 99 if (c->dcid == cid)
baa7e1fa 100 return c;
0139418c 101 }
baa7e1fa
GP		 102 return NULL;
103
0139418c
MH		 104}
105
baa7e1fa 106static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 107{
48454079 108 struct l2cap_chan *c;
baa7e1fa
GP		 109
110 list_for_each_entry(c, &conn->chan_l, list) {
fe4128e0 111 if (c->scid == cid)
baa7e1fa 112 return c;
0139418c 113 }
baa7e1fa 114 return NULL;
0139418c
MH		 115}
116
117/* Find channel with given SCID.
118 * Returns locked socket */
baa7e1fa 119static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 120{
48454079 121 struct l2cap_chan *c;
baa7e1fa
GP		 122
123 read_lock(&conn->chan_lock);
124 c = __l2cap_get_chan_by_scid(conn, cid);
48454079
GP		 125 if (c)
126 bh_lock_sock(c->sk);
baa7e1fa 127 read_unlock(&conn->chan_lock);
48454079 128 return c;
0139418c
MH		 129}
130
baa7e1fa 131static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 132{
48454079 133 struct l2cap_chan *c;
baa7e1fa
GP		 134
135 list_for_each_entry(c, &conn->chan_l, list) {
fc7f8a7e 136 if (c->ident == ident)
baa7e1fa 137 return c;
0139418c 138 }
baa7e1fa 139 return NULL;
0139418c
MH		 140}
141
baa7e1fa 142static inline struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 143{
48454079 144 struct l2cap_chan *c;
baa7e1fa
GP		 145
146 read_lock(&conn->chan_lock);
147 c = __l2cap_get_chan_by_ident(conn, ident);
48454079
GP		 148 if (c)
149 bh_lock_sock(c->sk);
baa7e1fa 150 read_unlock(&conn->chan_lock);
48454079 151 return c;
0139418c
MH		 152}
153
23691d75 154static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 155{
23691d75 156 struct l2cap_chan *c;
9e4425ff 157
23691d75
GP		 158 list_for_each_entry(c, &chan_list, global_l) {
159 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
9e4425ff
GP		 160 goto found;
161 }
162
23691d75 163 c = NULL;
9e4425ff 164found:
23691d75 165 return c;
9e4425ff
GP		 166}
167
168int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
169{
73b2ec18
GP		 170 int err;
171
23691d75 172 write_lock_bh(&chan_list_lock);
9e4425ff 173
23691d75 174 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 175 err = -EADDRINUSE;
176 goto done;
9e4425ff
GP		 177 }
178
73b2ec18
GP		 179 if (psm) {
180 chan->psm = psm;
181 chan->sport = psm;
182 err = 0;
183 } else {
184 u16 p;
185
186 err = -EINVAL;
187 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 188 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 189 chan->psm = cpu_to_le16(p);
190 chan->sport = cpu_to_le16(p);
191 err = 0;
192 break;
193 }
194 }
9e4425ff 195
73b2ec18 196done:
23691d75 197 write_unlock_bh(&chan_list_lock);
73b2ec18 198 return err;
9e4425ff
GP		 199}
200
201int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
202{
23691d75 203 write_lock_bh(&chan_list_lock);
9e4425ff
GP		 204
205 chan->scid = scid;
206
23691d75 207 write_unlock_bh(&chan_list_lock);
9e4425ff
GP		 208
209 return 0;
210}
211
baa7e1fa 212static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 213{
8db4dc46 214 u16 cid = L2CAP_CID_DYN_START;
0139418c 215
8db4dc46 216 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 217 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 218 return cid;
219 }
220
221 return 0;
222}
223
c9b66675 224static void l2cap_set_timer(struct l2cap_chan *chan, struct timer_list *timer, long timeout)
ab07801d 225{
89bc500e
GP		 226 BT_DBG("chan %p state %d timeout %ld", chan->sk, chan->state, timeout);
227
c9b66675 228 if (!mod_timer(timer, jiffies + timeout))
71ba0e56 229 chan_hold(chan);
ab07801d
GP		 230}
231
c9b66675 232static void l2cap_clear_timer(struct l2cap_chan *chan, struct timer_list *timer)
ab07801d 233{
89bc500e 234 BT_DBG("chan %p state %d", chan, chan->state);
ab07801d 235
c9b66675 236 if (timer_pending(timer) && del_timer(timer))
71ba0e56 237 chan_put(chan);
ab07801d
GP		 238}
239
89bc500e
GP		 240static void l2cap_state_change(struct l2cap_chan *chan, int state)
241{
242 chan->state = state;
243 chan->ops->state_change(chan->data, state);
244}
245
ab07801d
GP		 246static void l2cap_chan_timeout(unsigned long arg)
247{
248 struct l2cap_chan *chan = (struct l2cap_chan *) arg;
249 struct sock *sk = chan->sk;
250 int reason;
251
89bc500e 252 BT_DBG("chan %p state %d", chan, chan->state);
ab07801d
GP		 253
254 bh_lock_sock(sk);
255
256 if (sock_owned_by_user(sk)) {
257 /* sk is owned by user. Try again later */
c9b66675 258 __set_chan_timer(chan, HZ / 5);
ab07801d 259 bh_unlock_sock(sk);
71ba0e56 260 chan_put(chan);
ab07801d
GP		 261 return;
262 }
263
89bc500e 264 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 265 reason = ECONNREFUSED;
89bc500e 266 else if (chan->state == BT_CONNECT &&
ab07801d
GP		 267 chan->sec_level != BT_SECURITY_SDP)
268 reason = ECONNREFUSED;
269 else
270 reason = ETIMEDOUT;
271
0f852724 272 l2cap_chan_close(chan, reason);
ab07801d
GP		 273
274 bh_unlock_sock(sk);
275
ba3bd0ee 276 chan->ops->close(chan->data);
71ba0e56 277 chan_put(chan);
ab07801d
GP		 278}
279
23691d75 280struct l2cap_chan *l2cap_chan_create(struct sock *sk)
48454079
GP		 281{
282 struct l2cap_chan *chan;
283
284 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
285 if (!chan)
286 return NULL;
287
288 chan->sk = sk;
289
23691d75
GP		 290 write_lock_bh(&chan_list_lock);
291 list_add(&chan->global_l, &chan_list);
292 write_unlock_bh(&chan_list_lock);
293
ab07801d
GP		 294 setup_timer(&chan->chan_timer, l2cap_chan_timeout, (unsigned long) chan);
295
89bc500e
GP		 296 chan->state = BT_OPEN;
297
71ba0e56
GP		 298 atomic_set(&chan->refcnt, 1);
299
48454079
GP		 300 return chan;
301}
302
23691d75 303void l2cap_chan_destroy(struct l2cap_chan *chan)
6ff5abbf 304{
23691d75
GP		 305 write_lock_bh(&chan_list_lock);
306 list_del(&chan->global_l);
307 write_unlock_bh(&chan_list_lock);
308
71ba0e56 309 chan_put(chan);
6ff5abbf
GP		 310}
311
48454079 312static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 313{
af05b30b 314 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
fe4128e0 315 chan->psm, chan->dcid);
0139418c 316
2950f21a
MH		 317 conn->disc_reason = 0x13;
318
8c1d787b 319 chan->conn = conn;
0139418c 320
715ec005 321 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
b62f328b
VT		 322 if (conn->hcon->type == LE_LINK) {
323 /* LE connection */
0c1bc5c6 324 chan->omtu = L2CAP_LE_DEFAULT_MTU;
fe4128e0
GP		 325 chan->scid = L2CAP_CID_LE_DATA;
326 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 327 } else {
328 /* Alloc CID for connection-oriented socket */
fe4128e0 329 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 330 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 331 }
715ec005 332 } else if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
0139418c 333 /* Connectionless socket */
fe4128e0
GP		 334 chan->scid = L2CAP_CID_CONN_LESS;
335 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 336 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 337 } else {
338 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 339 chan->scid = L2CAP_CID_SIGNALING;
340 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 341 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 342 }
343
71ba0e56 344 chan_hold(chan);
baa7e1fa
GP		 345
346 list_add(&chan->list, &conn->chan_l);
0139418c
MH		 347}
348
8e87d142 349/* Delete channel.
0139418c 350 * Must be called on the locked socket. */
4519de9a 351static void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 352{
48454079 353 struct sock *sk = chan->sk;
8c1d787b 354 struct l2cap_conn *conn = chan->conn;
0139418c
MH		 355 struct sock *parent = bt_sk(sk)->parent;
356
c9b66675 357 __clear_chan_timer(chan);
0139418c 358
49208c9c 359 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 360
8e87d142 361 if (conn) {
baa7e1fa
GP		 362 /* Delete from channel list */
363 write_lock_bh(&conn->chan_lock);
364 list_del(&chan->list);
365 write_unlock_bh(&conn->chan_lock);
71ba0e56 366 chan_put(chan);
baa7e1fa 367
8c1d787b 368 chan->conn = NULL;
0139418c
MH		 369 hci_conn_put(conn->hcon);
370 }
371
89bc500e 372 l2cap_state_change(chan, BT_CLOSED);
0139418c
MH		 373 sock_set_flag(sk, SOCK_ZAPPED);
374
375 if (err)
376 sk->sk_err = err;
377
378 if (parent) {
379 bt_accept_unlink(sk);
380 parent->sk_data_ready(parent, 0);
381 } else
382 sk->sk_state_change(sk);
c13ffa62 383
b4450035
GP		 384 if (!(chan->conf_state & L2CAP_CONF_OUTPUT_DONE &&
385 chan->conf_state & L2CAP_CONF_INPUT_DONE))
6ff5abbf 386 return;
2ead70b8 387
58d35f87 388 skb_queue_purge(&chan->tx_q);
c13ffa62 389
0c1bc5c6 390 if (chan->mode == L2CAP_MODE_ERTM) {
c13ffa62
GP		 391 struct srej_list *l, *tmp;
392
1a09bcb9
GP		 393 __clear_retrans_timer(chan);
394 __clear_monitor_timer(chan);
395 __clear_ack_timer(chan);
c13ffa62 396
f1c6775b
GP		 397 skb_queue_purge(&chan->srej_q);
398 skb_queue_purge(&chan->busy_q);
c13ffa62 399
39d5a3ee 400 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
c13ffa62
GP		 401 list_del(&l->list);
402 kfree(l);
403 }
404 }
0139418c
MH		 405}
406
4519de9a
GP		 407static void l2cap_chan_cleanup_listen(struct sock *parent)
408{
409 struct sock *sk;
410
411 BT_DBG("parent %p", parent);
412
413 /* Close not yet accepted channels */
0f852724 414 while ((sk = bt_accept_dequeue(parent, NULL))) {
ba3bd0ee 415 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
c9b66675 416 __clear_chan_timer(chan);
0f852724 417 lock_sock(sk);
ba3bd0ee 418 l2cap_chan_close(chan, ECONNRESET);
0f852724 419 release_sock(sk);
ba3bd0ee 420 chan->ops->close(chan->data);
0f852724 421 }
4519de9a
GP		 422}
423
0f852724 424void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 425{
426 struct l2cap_conn *conn = chan->conn;
427 struct sock *sk = chan->sk;
428
89bc500e 429 BT_DBG("chan %p state %d socket %p", chan, chan->state, sk->sk_socket);
4519de9a 430
89bc500e 431 switch (chan->state) {
4519de9a
GP		 432 case BT_LISTEN:
433 l2cap_chan_cleanup_listen(sk);
89bc500e
GP		 434
435 l2cap_state_change(chan, BT_CLOSED);
436 sock_set_flag(sk, SOCK_ZAPPED);
4519de9a
GP		 437 break;
438
439 case BT_CONNECTED:
440 case BT_CONFIG:
715ec005 441 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a 442 conn->hcon->type == ACL_LINK) {
c9b66675
GP		 443 __clear_chan_timer(chan);
444 __set_chan_timer(chan, sk->sk_sndtimeo);
4519de9a
GP		 445 l2cap_send_disconn_req(conn, chan, reason);
446 } else
447 l2cap_chan_del(chan, reason);
448 break;
449
450 case BT_CONNECT2:
715ec005 451 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a
GP		 452 conn->hcon->type == ACL_LINK) {
453 struct l2cap_conn_rsp rsp;
454 __u16 result;
455
456 if (bt_sk(sk)->defer_setup)
457 result = L2CAP_CR_SEC_BLOCK;
458 else
459 result = L2CAP_CR_BAD_PSM;
89bc500e 460 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 461
462 rsp.scid = cpu_to_le16(chan->dcid);
463 rsp.dcid = cpu_to_le16(chan->scid);
464 rsp.result = cpu_to_le16(result);
465 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
466 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
467 sizeof(rsp), &rsp);
468 }
469
470 l2cap_chan_del(chan, reason);
471 break;
472
473 case BT_CONNECT:
474 case BT_DISCONN:
475 l2cap_chan_del(chan, reason);
476 break;
477
478 default:
479 sock_set_flag(sk, SOCK_ZAPPED);
480 break;
481 }
482}
483
4343478f 484static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 485{
715ec005 486 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 487 switch (chan->sec_level) {
8556edd3
JH		 488 case BT_SECURITY_HIGH:
489 return HCI_AT_DEDICATED_BONDING_MITM;
490 case BT_SECURITY_MEDIUM:
491 return HCI_AT_DEDICATED_BONDING;
492 default:
493 return HCI_AT_NO_BONDING;
494 }
fe4128e0 495 } else if (chan->psm == cpu_to_le16(0x0001)) {
4343478f
GP		 496 if (chan->sec_level == BT_SECURITY_LOW)
497 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 498
4343478f 499 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 500 return HCI_AT_NO_BONDING_MITM;
00ae4af9 501 else
8556edd3 502 return HCI_AT_NO_BONDING;
00ae4af9 503 } else {
4343478f 504 switch (chan->sec_level) {
00ae4af9 505 case BT_SECURITY_HIGH:
8556edd3 506 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 507 case BT_SECURITY_MEDIUM:
8556edd3 508 return HCI_AT_GENERAL_BONDING;
00ae4af9 509 default:
8556edd3 510 return HCI_AT_NO_BONDING;
00ae4af9 511 }
0684e5f9 512 }
8556edd3
JH		 513}
514
515/* Service level security */
4343478f 516static inline int l2cap_check_security(struct l2cap_chan *chan)
8556edd3 517{
8c1d787b 518 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 519 __u8 auth_type;
520
4343478f 521 auth_type = l2cap_get_auth_type(chan);
79d554a6 522
4343478f 523 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 524}
525
b5ad8b7f 526static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 527{
528 u8 id;
529
530 /* Get next available identificator.
531 * 1 - 128 are used by kernel.
532 * 129 - 199 are reserved.
533 * 200 - 254 are used by utilities like l2ping, etc.
534 */
535
536 spin_lock_bh(&conn->lock);
537
538 if (++conn->tx_ident > 128)
539 conn->tx_ident = 1;
540
541 id = conn->tx_ident;
542
543 spin_unlock_bh(&conn->lock);
544
545 return id;
546}
547
4519de9a 548static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
4e8402a3
MH		 549{
550 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 551 u8 flags;
4e8402a3
MH		 552
553 BT_DBG("code 0x%2.2x", code);
554
555 if (!skb)
9a9c6a34 556 return;
4e8402a3 557
e702112f
AE		 558 if (lmp_no_flush_capable(conn->hcon->hdev))
559 flags = ACL_START_NO_FLUSH;
560 else
561 flags = ACL_START;
562
14b12d0b
JG		 563 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
564
e702112f 565 hci_send_acl(conn->hcon, skb, flags);
4e8402a3
MH		 566}
567
525cd185 568static inline void l2cap_send_sframe(struct l2cap_chan *chan, u16 control)
1c2acffb
GP		 569{
570 struct sk_buff *skb;
571 struct l2cap_hdr *lh;
8c1d787b 572 struct l2cap_conn *conn = chan->conn;
fcc203c3 573 int count, hlen = L2CAP_HDR_SIZE + 2;
e702112f 574 u8 flags;
fcc203c3 575
89bc500e 576 if (chan->state != BT_CONNECTED)
c13ffa62
GP		 577 return;
578
47d1ec61 579 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3 580 hlen += 2;
1c2acffb 581
49208c9c 582 BT_DBG("chan %p, control 0x%2.2x", chan, control);
1c2acffb 583
fcc203c3 584 count = min_t(unsigned int, conn->mtu, hlen);
1c2acffb
GP		 585 control |= L2CAP_CTRL_FRAME_TYPE;
586
525cd185 587 if (chan->conn_state & L2CAP_CONN_SEND_FBIT) {
9e917af1 588 control |= L2CAP_CTRL_FINAL;
525cd185 589 chan->conn_state &= ~L2CAP_CONN_SEND_FBIT;
9e917af1
GP		 590 }
591
525cd185 592 if (chan->conn_state & L2CAP_CONN_SEND_PBIT) {
f0946ccf 593 control |= L2CAP_CTRL_POLL;
525cd185 594 chan->conn_state &= ~L2CAP_CONN_SEND_PBIT;
f0946ccf
GP		 595 }
596
1c2acffb
GP		 597 skb = bt_skb_alloc(count, GFP_ATOMIC);
598 if (!skb)
9a9c6a34 599 return;
1c2acffb
GP		 600
601 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fcc203c3 602 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
fe4128e0 603 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb
GP		 604 put_unaligned_le16(control, skb_put(skb, 2));
605
47d1ec61 606 if (chan->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 607 u16 fcs = crc16(0, (u8 *)lh, count - 2);
608 put_unaligned_le16(fcs, skb_put(skb, 2));
609 }
610
e702112f
AE		 611 if (lmp_no_flush_capable(conn->hcon->hdev))
612 flags = ACL_START_NO_FLUSH;
613 else
614 flags = ACL_START;
615
14b12d0b
JG		 616 bt_cb(skb)->force_active = chan->force_active;
617
8c1d787b 618 hci_send_acl(chan->conn->hcon, skb, flags);
1c2acffb
GP		 619}
620
525cd185 621static inline void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, u16 control)
7e743090 622{
525cd185 623 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
7e743090 624 control |= L2CAP_SUPER_RCV_NOT_READY;
525cd185 625 chan->conn_state |= L2CAP_CONN_RNR_SENT;
1890d36b 626 } else
7e743090
GP		 627 control |= L2CAP_SUPER_RCV_READY;
628
42e5c802 629 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
2ab25cdd 630
525cd185 631 l2cap_send_sframe(chan, control);
7e743090
GP		 632}
633
b4450035 634static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 635{
b4450035 636 return !(chan->conf_state & L2CAP_CONF_CONNECT_PEND);
e501d055
AE		 637}
638
fc7f8a7e 639static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 640{
8c1d787b 641 struct l2cap_conn *conn = chan->conn;
79d554a6
MH		 642
643 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 644 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
645 return;
646
4343478f
GP		 647 if (l2cap_check_security(chan) &&
648 __l2cap_no_conn_pending(chan)) {
b1235d79 649 struct l2cap_conn_req req;
fe4128e0
GP		 650 req.scid = cpu_to_le16(chan->scid);
651 req.psm = chan->psm;
79d554a6 652
fc7f8a7e 653 chan->ident = l2cap_get_ident(conn);
b4450035 654 chan->conf_state |= L2CAP_CONF_CONNECT_PEND;
79d554a6 655
fc7f8a7e
GP		 656 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
657 sizeof(req), &req);
b1235d79 658 }
79d554a6
MH		 659 } else {
660 struct l2cap_info_req req;
661 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
662
663 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
664 conn->info_ident = l2cap_get_ident(conn);
665
666 mod_timer(&conn->info_timer, jiffies +
667 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
668
669 l2cap_send_cmd(conn, conn->info_ident,
670 L2CAP_INFO_REQ, sizeof(req), &req);
671 }
672}
673
cf6c2c0b
GP		 674static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
675{
676 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 677 if (!disable_ertm)
cf6c2c0b
GP		 678 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
679
680 switch (mode) {
681 case L2CAP_MODE_ERTM:
682 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
683 case L2CAP_MODE_STREAMING:
684 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
685 default:
686 return 0x00;
687 }
688}
689
4519de9a 690static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
22121fc9 691{
e92c8e70 692 struct sock *sk;
22121fc9
GP		 693 struct l2cap_disconn_req req;
694
c13ffa62
GP		 695 if (!conn)
696 return;
697
e92c8e70
GP		 698 sk = chan->sk;
699
0c1bc5c6 700 if (chan->mode == L2CAP_MODE_ERTM) {
1a09bcb9
GP		 701 __clear_retrans_timer(chan);
702 __clear_monitor_timer(chan);
703 __clear_ack_timer(chan);
c13ffa62
GP		 704 }
705
fe4128e0
GP		 706 req.dcid = cpu_to_le16(chan->dcid);
707 req.scid = cpu_to_le16(chan->scid);
22121fc9
GP		 708 l2cap_send_cmd(conn, l2cap_get_ident(conn),
709 L2CAP_DISCONN_REQ, sizeof(req), &req);
c13ffa62 710
89bc500e 711 l2cap_state_change(chan, BT_DISCONN);
9b108fc0 712 sk->sk_err = err;
22121fc9
GP		 713}
714
1da177e4 715/* ---- L2CAP connections ---- */
4e8402a3
MH		 716static void l2cap_conn_start(struct l2cap_conn *conn)
717{
820ffdb3 718 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 719
720 BT_DBG("conn %p", conn);
721
baa7e1fa 722 read_lock(&conn->chan_lock);
4e8402a3 723
820ffdb3 724 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 725 struct sock *sk = chan->sk;
baa7e1fa 726
4e8402a3
MH		 727 bh_lock_sock(sk);
728
715ec005 729 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
79d554a6
MH		 730 bh_unlock_sock(sk);
731 continue;
732 }
733
89bc500e 734 if (chan->state == BT_CONNECT) {
47731de7 735 struct l2cap_conn_req req;
79d554a6 736
4343478f 737 if (!l2cap_check_security(chan) ||
b4450035 738 !__l2cap_no_conn_pending(chan)) {
47731de7
GP		 739 bh_unlock_sock(sk);
740 continue;
741 }
79d554a6 742
0c1bc5c6 743 if (!l2cap_mode_supported(chan->mode,
47731de7 744 conn->feat_mask)
b4450035 745 && chan->conf_state &
47731de7 746 L2CAP_CONF_STATE2_DEVICE) {
0f852724 747 /* l2cap_chan_close() calls list_del(chan)
820ffdb3
GP		 748 * so release the lock */
749 read_unlock_bh(&conn->chan_lock);
89bc500e 750 l2cap_chan_close(chan, ECONNRESET);
820ffdb3 751 read_lock_bh(&conn->chan_lock);
47731de7
GP		 752 bh_unlock_sock(sk);
753 continue;
b1235d79 754 }
47731de7 755
fe4128e0
GP		 756 req.scid = cpu_to_le16(chan->scid);
757 req.psm = chan->psm;
47731de7 758
fc7f8a7e 759 chan->ident = l2cap_get_ident(conn);
b4450035 760 chan->conf_state |= L2CAP_CONF_CONNECT_PEND;
47731de7 761
fc7f8a7e
GP		 762 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
763 sizeof(req), &req);
47731de7 764
89bc500e 765 } else if (chan->state == BT_CONNECT2) {
79d554a6 766 struct l2cap_conn_rsp rsp;
e9aeb2dd 767 char buf[128];
fe4128e0
GP		 768 rsp.scid = cpu_to_le16(chan->dcid);
769 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 770
4343478f 771 if (l2cap_check_security(chan)) {
f66dc81f
MH		 772 if (bt_sk(sk)->defer_setup) {
773 struct sock *parent = bt_sk(sk)->parent;
774 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
775 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
776 parent->sk_data_ready(parent, 0);
777
778 } else {
89bc500e 779 l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 780 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
781 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
782 }
79d554a6
MH		 783 } else {
784 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
785 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
786 }
787
fc7f8a7e
GP		 788 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
789 sizeof(rsp), &rsp);
e9aeb2dd 790
b4450035 791 if (chan->conf_state & L2CAP_CONF_REQ_SENT ||
e9aeb2dd
GP		 792 rsp.result != L2CAP_CR_SUCCESS) {
793 bh_unlock_sock(sk);
794 continue;
795 }
796
b4450035 797 chan->conf_state |= L2CAP_CONF_REQ_SENT;
e9aeb2dd 798 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 799 l2cap_build_conf_req(chan, buf), buf);
800 chan->num_conf_req++;
4e8402a3
MH		 801 }
802
803 bh_unlock_sock(sk);
804 }
805
baa7e1fa 806 read_unlock(&conn->chan_lock);
4e8402a3
MH		 807}
808
b62f328b
VT		 809/* Find socket with cid and source bdaddr.
810 * Returns closest match, locked.
811 */
23691d75 812static struct l2cap_chan *l2cap_global_chan_by_scid(int state, __le16 cid, bdaddr_t *src)
b62f328b 813{
23691d75 814 struct l2cap_chan *c, *c1 = NULL;
b62f328b 815
23691d75 816 read_lock(&chan_list_lock);
b62f328b 817
23691d75
GP		 818 list_for_each_entry(c, &chan_list, global_l) {
819 struct sock *sk = c->sk;
fe4128e0 820
89bc500e 821 if (state && c->state != state)
b62f328b
VT		 822 continue;
823
23691d75 824 if (c->scid == cid) {
b62f328b 825 /* Exact match. */
23691d75
GP		 826 if (!bacmp(&bt_sk(sk)->src, src)) {
827 read_unlock(&chan_list_lock);
828 return c;
829 }
b62f328b
VT		 830
831 /* Closest match */
832 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
23691d75 833 c1 = c;
b62f328b
VT		 834 }
835 }
280f294f 836
23691d75 837 read_unlock(&chan_list_lock);
b62f328b 838
23691d75 839 return c1;
b62f328b
VT		 840}
841
842static void l2cap_le_conn_ready(struct l2cap_conn *conn)
843{
c916fbe4 844 struct sock *parent, *sk;
23691d75 845 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 846
847 BT_DBG("");
848
849 /* Check if we have socket listening on cid */
23691d75 850 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
b62f328b 851 conn->src);
23691d75 852 if (!pchan)
b62f328b
VT		 853 return;
854
23691d75
GP		 855 parent = pchan->sk;
856
62f3a2cf
GP		 857 bh_lock_sock(parent);
858
b62f328b
VT		 859 /* Check for backlog size */
860 if (sk_acceptq_is_full(parent)) {
861 BT_DBG("backlog full %d", parent->sk_ack_backlog);
862 goto clean;
863 }
864
80808e43
GP		 865 chan = pchan->ops->new_connection(pchan->data);
866 if (!chan)
b62f328b
VT		 867 goto clean;
868
80808e43 869 sk = chan->sk;
5d41ce1d 870
baa7e1fa 871 write_lock_bh(&conn->chan_lock);
b62f328b
VT		 872
873 hci_conn_hold(conn->hcon);
874
b62f328b
VT		 875 bacpy(&bt_sk(sk)->src, conn->src);
876 bacpy(&bt_sk(sk)->dst, conn->dst);
877
d1010240
GP		 878 bt_accept_enqueue(parent, sk);
879
48454079
GP		 880 __l2cap_chan_add(conn, chan);
881
c9b66675 882 __set_chan_timer(chan, sk->sk_sndtimeo);
b62f328b 883
89bc500e 884 l2cap_state_change(chan, BT_CONNECTED);
b62f328b
VT		 885 parent->sk_data_ready(parent, 0);
886
baa7e1fa 887 write_unlock_bh(&conn->chan_lock);
b62f328b
VT		 888
889clean:
890 bh_unlock_sock(parent);
891}
892
f1cb9af5
VCG		 893static void l2cap_chan_ready(struct sock *sk)
894{
895 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
896 struct sock *parent = bt_sk(sk)->parent;
897
898 BT_DBG("sk %p, parent %p", sk, parent);
899
900 chan->conf_state = 0;
901 __clear_chan_timer(chan);
902
903 sk->sk_state = BT_CONNECTED;
904 sk->sk_state_change(sk);
905
906 if (parent)
907 parent->sk_data_ready(parent, 0);
908}
909
4e8402a3
MH		 910static void l2cap_conn_ready(struct l2cap_conn *conn)
911{
48454079 912 struct l2cap_chan *chan;
4e8402a3 913
79d554a6 914 BT_DBG("conn %p", conn);
4e8402a3 915
b62f328b
VT		 916 if (!conn->hcon->out && conn->hcon->type == LE_LINK)
917 l2cap_le_conn_ready(conn);
918
baa7e1fa 919 read_lock(&conn->chan_lock);
4e8402a3 920
baa7e1fa 921 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 922 struct sock *sk = chan->sk;
baa7e1fa 923
79d554a6 924 bh_lock_sock(sk);
4e8402a3 925
f1cb9af5 926 if (conn->hcon->type == LE_LINK)
b501d6a1 927 if (smp_conn_security(conn, chan->sec_level))
f1cb9af5 928 l2cap_chan_ready(sk);
acd7d370 929
715ec005 930 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 931 __clear_chan_timer(chan);
89bc500e 932 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 933 sk->sk_state_change(sk);
b501d6a1 934
89bc500e 935 } else if (chan->state == BT_CONNECT)
fc7f8a7e 936 l2cap_do_start(chan);
4e8402a3 937
79d554a6 938 bh_unlock_sock(sk);
4e8402a3 939 }
79d554a6 940
baa7e1fa 941 read_unlock(&conn->chan_lock);
4e8402a3
MH		 942}
943
944/* Notify sockets that we cannot guaranty reliability anymore */
945static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
946{
48454079 947 struct l2cap_chan *chan;
4e8402a3
MH		 948
949 BT_DBG("conn %p", conn);
950
baa7e1fa 951 read_lock(&conn->chan_lock);
4e8402a3 952
baa7e1fa 953 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 954 struct sock *sk = chan->sk;
baa7e1fa 955
4343478f 956 if (chan->force_reliable)
4e8402a3
MH		 957 sk->sk_err = err;
958 }
959
baa7e1fa 960 read_unlock(&conn->chan_lock);
4e8402a3
MH		 961}
962
963static void l2cap_info_timeout(unsigned long arg)
964{
965 struct l2cap_conn *conn = (void *) arg;
966
984947dc 967 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 968 conn->info_ident = 0;
984947dc 969
4e8402a3
MH		 970 l2cap_conn_start(conn);
971}
972
5d3de7df
VCG		 973static void l2cap_conn_del(struct hci_conn *hcon, int err)
974{
975 struct l2cap_conn *conn = hcon->l2cap_data;
976 struct l2cap_chan *chan, *l;
977 struct sock *sk;
978
979 if (!conn)
980 return;
981
982 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
983
984 kfree_skb(conn->rx_skb);
985
986 /* Kill channels */
987 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
988 sk = chan->sk;
989 bh_lock_sock(sk);
990 l2cap_chan_del(chan, err);
991 bh_unlock_sock(sk);
992 chan->ops->close(chan->data);
993 }
994
995 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
996 del_timer_sync(&conn->info_timer);
997
998 if (test_bit(HCI_CONN_ENCRYPT_PEND, &hcon->pend))
999 del_timer(&conn->security_timer);
1000
1001 hcon->l2cap_data = NULL;
1002 kfree(conn);
1003}
1004
1005static void security_timeout(unsigned long arg)
1006{
1007 struct l2cap_conn *conn = (void *) arg;
1008
1009 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1010}
1011
1da177e4
LT		 1012static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1013{
0139418c 1014 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4 1015
0139418c 1016 if (conn || status)
1da177e4
LT		 1017 return conn;
1018
0139418c
MH		 1019 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
1020 if (!conn)
1da177e4 1021 return NULL;
1da177e4
LT		 1022
1023 hcon->l2cap_data = conn;
1024 conn->hcon = hcon;
1025
0139418c
MH		 1026 BT_DBG("hcon %p conn %p", hcon, conn);
1027
acd7d370
VT		 1028 if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
1029 conn->mtu = hcon->hdev->le_mtu;
1030 else
1031 conn->mtu = hcon->hdev->acl_mtu;
1032
1da177e4
LT		 1033 conn->src = &hcon->hdev->bdaddr;
1034 conn->dst = &hcon->dst;
1035
4e8402a3
MH		 1036 conn->feat_mask = 0;
1037
1da177e4 1038 spin_lock_init(&conn->lock);
baa7e1fa
GP		 1039 rwlock_init(&conn->chan_lock);
1040
1041 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 1042
5d3de7df
VCG		 1043 if (hcon->type == LE_LINK)
1044 setup_timer(&conn->security_timer, security_timeout,
1045 (unsigned long) conn);
1046 else
b62f328b 1047 setup_timer(&conn->info_timer, l2cap_info_timeout,
45054dc1
DY		 1048 (unsigned long) conn);
1049
2950f21a
MH		 1050 conn->disc_reason = 0x13;
1051
1da177e4
LT		 1052 return conn;
1053}
1054
48454079 1055static inline void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
1da177e4 1056{
baa7e1fa 1057 write_lock_bh(&conn->chan_lock);
48454079 1058 __l2cap_chan_add(conn, chan);
baa7e1fa 1059 write_unlock_bh(&conn->chan_lock);
1da177e4
LT		 1060}
1061
1da177e4 1062/* ---- Socket interface ---- */
1da177e4
LT		 1063
1064/* Find socket with psm and source bdaddr.
1065 * Returns closest match.
1066 */
23691d75 1067static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm, bdaddr_t *src)
1da177e4 1068{
23691d75 1069 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1070
23691d75 1071 read_lock(&chan_list_lock);
e0f0cb56 1072
23691d75
GP		 1073 list_for_each_entry(c, &chan_list, global_l) {
1074 struct sock *sk = c->sk;
fe4128e0 1075
89bc500e 1076 if (state && c->state != state)
1da177e4
LT		 1077 continue;
1078
23691d75 1079 if (c->psm == psm) {
1da177e4 1080 /* Exact match. */
23691d75 1081 if (!bacmp(&bt_sk(sk)->src, src)) {
a7567b20 1082 read_unlock(&chan_list_lock);
23691d75
GP		 1083 return c;
1084 }
1da177e4
LT		 1085
1086 /* Closest match */
1087 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
23691d75 1088 c1 = c;
1da177e4
LT		 1089 }
1090 }
1da177e4 1091
23691d75 1092 read_unlock(&chan_list_lock);
e0f0cb56 1093
23691d75 1094 return c1;
1da177e4
LT		 1095}
1096
77a74c7e 1097int l2cap_chan_connect(struct l2cap_chan *chan)
1da177e4 1098{
5d41ce1d 1099 struct sock *sk = chan->sk;
1da177e4
LT		 1100 bdaddr_t *src = &bt_sk(sk)->src;
1101 bdaddr_t *dst = &bt_sk(sk)->dst;
1102 struct l2cap_conn *conn;
1103 struct hci_conn *hcon;
1104 struct hci_dev *hdev;
09ab6f4c 1105 __u8 auth_type;
44d0e48e 1106 int err;
1da177e4 1107
f29972de 1108 BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
fe4128e0 1109 chan->psm);
1da177e4 1110
af05b30b
GP		 1111 hdev = hci_get_route(dst, src);
1112 if (!hdev)
1da177e4
LT		 1113 return -EHOSTUNREACH;
1114
1115 hci_dev_lock_bh(hdev);
1116
4343478f 1117 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1118
fe4128e0 1119 if (chan->dcid == L2CAP_CID_LE_DATA)
acd7d370 1120 hcon = hci_connect(hdev, LE_LINK, dst,
4343478f 1121 chan->sec_level, auth_type);
acd7d370
VT		 1122 else
1123 hcon = hci_connect(hdev, ACL_LINK, dst,
4343478f 1124 chan->sec_level, auth_type);
acd7d370 1125
30e76272
VT		 1126 if (IS_ERR(hcon)) {
1127 err = PTR_ERR(hcon);
1da177e4 1128 goto done;
30e76272 1129 }
1da177e4
LT		 1130
1131 conn = l2cap_conn_add(hcon, 0);
1132 if (!conn) {
1133 hci_conn_put(hcon);
30e76272 1134 err = -ENOMEM;
1da177e4
LT		 1135 goto done;
1136 }
1137
1da177e4
LT		 1138 /* Update source addr of the socket */
1139 bacpy(src, conn->src);
1140
48454079
GP		 1141 l2cap_chan_add(conn, chan);
1142
89bc500e 1143 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1144 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1145
1146 if (hcon->state == BT_CONNECTED) {
715ec005 1147 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1148 __clear_chan_timer(chan);
4343478f 1149 if (l2cap_check_security(chan))
89bc500e 1150 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1151 } else
fc7f8a7e 1152 l2cap_do_start(chan);
1da177e4
LT		 1153 }
1154
30e76272
VT		 1155 err = 0;
1156
1da177e4
LT		 1157done:
1158 hci_dev_unlock_bh(hdev);
1159 hci_dev_put(hdev);
1160 return err;
1161}
1162
dcba0dba 1163int __l2cap_wait_ack(struct sock *sk)
6161c038 1164{
8c1d787b 1165 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1166 DECLARE_WAITQUEUE(wait, current);
1167 int err = 0;
1168 int timeo = HZ/5;
1169
2b0b05dd 1170 add_wait_queue(sk_sleep(sk), &wait);
8c1d787b 1171 while ((chan->unacked_frames > 0 && chan->conn)) {
6161c038
GP		 1172 set_current_state(TASK_INTERRUPTIBLE);
1173
1174 if (!timeo)
1175 timeo = HZ/5;
1176
1177 if (signal_pending(current)) {
1178 err = sock_intr_errno(timeo);
1179 break;
1180 }
1181
1182 release_sock(sk);
1183 timeo = schedule_timeout(timeo);
1184 lock_sock(sk);
1185
1186 err = sock_error(sk);
1187 if (err)
1188 break;
1189 }
1190 set_current_state(TASK_RUNNING);
2b0b05dd 1191 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1192 return err;
1193}
1194
e90bac06
GP		 1195static void l2cap_monitor_timeout(unsigned long arg)
1196{
525cd185
GP		 1197 struct l2cap_chan *chan = (void *) arg;
1198 struct sock *sk = chan->sk;
e90bac06 1199
525cd185 1200 BT_DBG("chan %p", chan);
0e98958d 1201
e686219a 1202 bh_lock_sock(sk);
2c03a7a4 1203 if (chan->retry_count >= chan->remote_max_tx) {
8c1d787b 1204 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
b13f5860 1205 bh_unlock_sock(sk);
e90bac06
GP		 1206 return;
1207 }
1208
6a026610 1209 chan->retry_count++;
1a09bcb9 1210 __set_monitor_timer(chan);
e90bac06 1211
525cd185 1212 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
e686219a 1213 bh_unlock_sock(sk);
e90bac06
GP		 1214}
1215
1216static void l2cap_retrans_timeout(unsigned long arg)
1217{
525cd185
GP		 1218 struct l2cap_chan *chan = (void *) arg;
1219 struct sock *sk = chan->sk;
e90bac06 1220
49208c9c 1221 BT_DBG("chan %p", chan);
0e98958d 1222
e686219a 1223 bh_lock_sock(sk);
6a026610 1224 chan->retry_count = 1;
1a09bcb9 1225 __set_monitor_timer(chan);
e90bac06 1226
525cd185 1227 chan->conn_state |= L2CAP_CONN_WAIT_F;
e90bac06 1228
525cd185 1229 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
e686219a 1230 bh_unlock_sock(sk);
e90bac06
GP		 1231}
1232
42e5c802 1233static void l2cap_drop_acked_frames(struct l2cap_chan *chan)
1da177e4 1234{
1c2acffb 1235 struct sk_buff *skb;
1da177e4 1236
58d35f87 1237 while ((skb = skb_peek(&chan->tx_q)) &&
6a026610 1238 chan->unacked_frames) {
42e5c802 1239 if (bt_cb(skb)->tx_seq == chan->expected_ack_seq)
1c2acffb 1240 break;
1da177e4 1241
58d35f87 1242 skb = skb_dequeue(&chan->tx_q);
1c2acffb 1243 kfree_skb(skb);
1da177e4 1244
6a026610 1245 chan->unacked_frames--;
1c2acffb 1246 }
1da177e4 1247
6a026610 1248 if (!chan->unacked_frames)
1a09bcb9 1249 __clear_retrans_timer(chan);
1c2acffb 1250}
1da177e4 1251
4343478f 1252void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
1c2acffb 1253{
8c1d787b 1254 struct hci_conn *hcon = chan->conn->hcon;
e702112f 1255 u16 flags;
1c2acffb 1256
4343478f 1257 BT_DBG("chan %p, skb %p len %d", chan, skb, skb->len);
1da177e4 1258
4343478f 1259 if (!chan->flushable && lmp_no_flush_capable(hcon->hdev))
e702112f
AE		 1260 flags = ACL_START_NO_FLUSH;
1261 else
1262 flags = ACL_START;
1263
14b12d0b 1264 bt_cb(skb)->force_active = chan->force_active;
e702112f 1265 hci_send_acl(hcon, skb, flags);
1c2acffb
GP		 1266}
1267
42e5c802 1268void l2cap_streaming_send(struct l2cap_chan *chan)
6840ed07 1269{
ccbb84af 1270 struct sk_buff *skb;
fcc203c3 1271 u16 control, fcs;
6840ed07 1272
58d35f87 1273 while ((skb = skb_dequeue(&chan->tx_q))) {
ccbb84af 1274 control = get_unaligned_le16(skb->data + L2CAP_HDR_SIZE);
42e5c802 1275 control |= chan->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT;
ccbb84af 1276 put_unaligned_le16(control, skb->data + L2CAP_HDR_SIZE);
6840ed07 1277
47d1ec61 1278 if (chan->fcs == L2CAP_FCS_CRC16) {
ccbb84af
GP		 1279 fcs = crc16(0, (u8 *)skb->data, skb->len - 2);
1280 put_unaligned_le16(fcs, skb->data + skb->len - 2);
fcc203c3
GP		 1281 }
1282
4343478f 1283 l2cap_do_send(chan, skb);
6840ed07 1284
42e5c802 1285 chan->next_tx_seq = (chan->next_tx_seq + 1) % 64;
6840ed07 1286 }
6840ed07
GP		 1287}
1288
525cd185 1289static void l2cap_retransmit_one_frame(struct l2cap_chan *chan, u8 tx_seq)
8f17154f 1290{
8f17154f
GP		 1291 struct sk_buff *skb, *tx_skb;
1292 u16 control, fcs;
8f17154f 1293
58d35f87 1294 skb = skb_peek(&chan->tx_q);
f11d676d
GP		 1295 if (!skb)
1296 return;
8f17154f 1297
f11d676d
GP		 1298 do {
1299 if (bt_cb(skb)->tx_seq == tx_seq)
8f17154f 1300 break;
8f17154f 1301
58d35f87 1302 if (skb_queue_is_last(&chan->tx_q, skb))
f11d676d 1303 return;
8f17154f 1304
58d35f87 1305 } while ((skb = skb_queue_next(&chan->tx_q, skb)));
8f17154f 1306
2c03a7a4
GP		 1307 if (chan->remote_max_tx &&
1308 bt_cb(skb)->retries == chan->remote_max_tx) {
8c1d787b 1309 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
f11d676d
GP		 1310 return;
1311 }
1312
1313 tx_skb = skb_clone(skb, GFP_ATOMIC);
1314 bt_cb(skb)->retries++;
1315 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
a429b519 1316 control &= L2CAP_CTRL_SAR;
3cb123d1 1317
525cd185 1318 if (chan->conn_state & L2CAP_CONN_SEND_FBIT) {
3cb123d1 1319 control |= L2CAP_CTRL_FINAL;
525cd185 1320 chan->conn_state &= ~L2CAP_CONN_SEND_FBIT;
3cb123d1 1321 }
95ffa978 1322
42e5c802 1323 control |= (chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
f11d676d 1324 | (tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
3cb123d1 1325
f11d676d
GP		 1326 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1327
47d1ec61 1328 if (chan->fcs == L2CAP_FCS_CRC16) {
f11d676d
GP		 1329 fcs = crc16(0, (u8 *)tx_skb->data, tx_skb->len - 2);
1330 put_unaligned_le16(fcs, tx_skb->data + tx_skb->len - 2);
1331 }
1332
4343478f 1333 l2cap_do_send(chan, tx_skb);
8f17154f
GP		 1334}
1335
525cd185 1336int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1337{
1338 struct sk_buff *skb, *tx_skb;
fcc203c3 1339 u16 control, fcs;
9a9c6a34 1340 int nsent = 0;
1c2acffb 1341
89bc500e 1342 if (chan->state != BT_CONNECTED)
c13ffa62 1343 return -ENOTCONN;
e90bac06 1344
58d35f87 1345 while ((skb = chan->tx_send_head) && (!l2cap_tx_window_full(chan))) {
1c2acffb 1346
2c03a7a4
GP		 1347 if (chan->remote_max_tx &&
1348 bt_cb(skb)->retries == chan->remote_max_tx) {
8c1d787b 1349 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
e90bac06
GP		 1350 break;
1351 }
1352
e420aba3
AE		 1353 tx_skb = skb_clone(skb, GFP_ATOMIC);
1354
e90bac06
GP		 1355 bt_cb(skb)->retries++;
1356
1c2acffb 1357 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
95ffa978
GP		 1358 control &= L2CAP_CTRL_SAR;
1359
525cd185 1360 if (chan->conn_state & L2CAP_CONN_SEND_FBIT) {
d5392c8f 1361 control |= L2CAP_CTRL_FINAL;
525cd185 1362 chan->conn_state &= ~L2CAP_CONN_SEND_FBIT;
d5392c8f 1363 }
42e5c802
GP		 1364 control |= (chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1365 | (chan->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
1c2acffb
GP		 1366 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1367
e90bac06 1368
47d1ec61 1369 if (chan->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 1370 fcs = crc16(0, (u8 *)skb->data, tx_skb->len - 2);
1371 put_unaligned_le16(fcs, skb->data + tx_skb->len - 2);
1372 }
1373
4343478f 1374 l2cap_do_send(chan, tx_skb);
9a9c6a34 1375
1a09bcb9 1376 __set_retrans_timer(chan);
1c2acffb 1377
42e5c802
GP		 1378 bt_cb(skb)->tx_seq = chan->next_tx_seq;
1379 chan->next_tx_seq = (chan->next_tx_seq + 1) % 64;
1c2acffb 1380
23e9fde2 1381 if (bt_cb(skb)->retries == 1)
6a026610 1382 chan->unacked_frames++;
23e9fde2 1383
6a026610 1384 chan->frames_sent++;
1c2acffb 1385
58d35f87
GP		 1386 if (skb_queue_is_last(&chan->tx_q, skb))
1387 chan->tx_send_head = NULL;
1c2acffb 1388 else
58d35f87 1389 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
9e917af1
GP		 1390
1391 nsent++;
1c2acffb
GP		 1392 }
1393
9e917af1
GP		 1394 return nsent;
1395}
1396
525cd185 1397static int l2cap_retransmit_frames(struct l2cap_chan *chan)
dfc909be 1398{
dfc909be
GP		 1399 int ret;
1400
58d35f87
GP		 1401 if (!skb_queue_empty(&chan->tx_q))
1402 chan->tx_send_head = chan->tx_q.next;
dfc909be 1403
42e5c802 1404 chan->next_tx_seq = chan->expected_ack_seq;
525cd185 1405 ret = l2cap_ertm_send(chan);
dfc909be
GP		 1406 return ret;
1407}
1408
525cd185 1409static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 1410{
9e917af1
GP		 1411 u16 control = 0;
1412
42e5c802 1413 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
9e917af1 1414
525cd185 1415 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
9e917af1 1416 control |= L2CAP_SUPER_RCV_NOT_READY;
525cd185
GP		 1417 chan->conn_state |= L2CAP_CONN_RNR_SENT;
1418 l2cap_send_sframe(chan, control);
9a9c6a34 1419 return;
9e917af1 1420 }
dfc909be 1421
525cd185 1422 if (l2cap_ertm_send(chan) > 0)
dfc909be
GP		 1423 return;
1424
1425 control |= L2CAP_SUPER_RCV_READY;
525cd185 1426 l2cap_send_sframe(chan, control);
1c2acffb
GP		 1427}
1428
525cd185 1429static void l2cap_send_srejtail(struct l2cap_chan *chan)
99b0d4b7
GP		 1430{
1431 struct srej_list *tail;
1432 u16 control;
1433
1434 control = L2CAP_SUPER_SELECT_REJECT;
1435 control |= L2CAP_CTRL_FINAL;
1436
39d5a3ee 1437 tail = list_entry((&chan->srej_l)->prev, struct srej_list, list);
99b0d4b7
GP		 1438 control |= tail->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1439
525cd185 1440 l2cap_send_sframe(chan, control);
99b0d4b7
GP		 1441}
1442
1c2acffb
GP		 1443static inline int l2cap_skbuff_fromiovec(struct sock *sk, struct msghdr *msg, int len, int count, struct sk_buff *skb)
1444{
8c1d787b 1445 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
1c2acffb
GP		 1446 struct sk_buff **frag;
1447 int err, sent = 0;
1da177e4 1448
59203a21 1449 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1450 return -EFAULT;
1da177e4
LT		 1451
1452 sent += count;
1453 len -= count;
1454
1455 /* Continuation fragments (no L2CAP header) */
1456 frag = &skb_shinfo(skb)->frag_list;
1457 while (len) {
1458 count = min_t(unsigned int, conn->mtu, len);
1459
1460 *frag = bt_skb_send_alloc(sk, count, msg->msg_flags & MSG_DONTWAIT, &err);
1461 if (!*frag)
0175d629 1462 return err;
1c2acffb
GP		 1463 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1464 return -EFAULT;
1da177e4
LT		 1465
1466 sent += count;
1467 len -= count;
1468
1469 frag = &(*frag)->next;
1470 }
1da177e4
LT		 1471
1472 return sent;
1c2acffb 1473}
1da177e4 1474
fe4128e0 1475struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1c2acffb 1476{
fe4128e0 1477 struct sock *sk = chan->sk;
8c1d787b 1478 struct l2cap_conn *conn = chan->conn;
1c2acffb
GP		 1479 struct sk_buff *skb;
1480 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1481 struct l2cap_hdr *lh;
1482
1483 BT_DBG("sk %p len %d", sk, (int)len);
1484
1485 count = min_t(unsigned int, (conn->mtu - hlen), len);
1486 skb = bt_skb_send_alloc(sk, count + hlen,
1487 msg->msg_flags & MSG_DONTWAIT, &err);
1488 if (!skb)
0175d629 1489 return ERR_PTR(err);
1c2acffb
GP		 1490
1491 /* Create L2CAP header */
1492 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1493 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 1494 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
fe4128e0 1495 put_unaligned_le16(chan->psm, skb_put(skb, 2));
1c2acffb
GP		 1496
1497 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1498 if (unlikely(err < 0)) {
1499 kfree_skb(skb);
1500 return ERR_PTR(err);
1501 }
1502 return skb;
1503}
1504
fe4128e0 1505struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1c2acffb 1506{
fe4128e0 1507 struct sock *sk = chan->sk;
8c1d787b 1508 struct l2cap_conn *conn = chan->conn;
1c2acffb
GP		 1509 struct sk_buff *skb;
1510 int err, count, hlen = L2CAP_HDR_SIZE;
1511 struct l2cap_hdr *lh;
1512
1513 BT_DBG("sk %p len %d", sk, (int)len);
1514
1515 count = min_t(unsigned int, (conn->mtu - hlen), len);
1516 skb = bt_skb_send_alloc(sk, count + hlen,
1517 msg->msg_flags & MSG_DONTWAIT, &err);
1518 if (!skb)
0175d629 1519 return ERR_PTR(err);
1c2acffb
GP		 1520
1521 /* Create L2CAP header */
1522 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1523 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb
GP		 1524 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1525
1526 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1527 if (unlikely(err < 0)) {
1528 kfree_skb(skb);
1529 return ERR_PTR(err);
1530 }
1531 return skb;
1532}
1533
47d1ec61 1534struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len, u16 control, u16 sdulen)
1c2acffb 1535{
47d1ec61 1536 struct sock *sk = chan->sk;
8c1d787b 1537 struct l2cap_conn *conn = chan->conn;
1c2acffb
GP		 1538 struct sk_buff *skb;
1539 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1540 struct l2cap_hdr *lh;
1541
1542 BT_DBG("sk %p len %d", sk, (int)len);
1543
0ee0d208
GP		 1544 if (!conn)
1545 return ERR_PTR(-ENOTCONN);
1546
c74e560c
GP		 1547 if (sdulen)
1548 hlen += 2;
1549
47d1ec61 1550 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3
GP		 1551 hlen += 2;
1552
1c2acffb
GP		 1553 count = min_t(unsigned int, (conn->mtu - hlen), len);
1554 skb = bt_skb_send_alloc(sk, count + hlen,
1555 msg->msg_flags & MSG_DONTWAIT, &err);
1556 if (!skb)
0175d629 1557 return ERR_PTR(err);
1c2acffb
GP		 1558
1559 /* Create L2CAP header */
1560 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1561 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb
GP		 1562 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1563 put_unaligned_le16(control, skb_put(skb, 2));
c74e560c
GP		 1564 if (sdulen)
1565 put_unaligned_le16(sdulen, skb_put(skb, 2));
1c2acffb
GP		 1566
1567 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1568 if (unlikely(err < 0)) {
1569 kfree_skb(skb);
1570 return ERR_PTR(err);
1571 }
e90bac06 1572
47d1ec61 1573 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3
GP		 1574 put_unaligned_le16(0, skb_put(skb, 2));
1575
e90bac06 1576 bt_cb(skb)->retries = 0;
1c2acffb 1577 return skb;
1da177e4
LT		 1578}
1579
2c03a7a4 1580int l2cap_sar_segment_sdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
c74e560c 1581{
c74e560c
GP		 1582 struct sk_buff *skb;
1583 struct sk_buff_head sar_queue;
1584 u16 control;
1585 size_t size = 0;
1586
ff12fd64 1587 skb_queue_head_init(&sar_queue);
c74e560c 1588 control = L2CAP_SDU_START;
47d1ec61 1589 skb = l2cap_create_iframe_pdu(chan, msg, chan->remote_mps, control, len);
c74e560c
GP		 1590 if (IS_ERR(skb))
1591 return PTR_ERR(skb);
1592
1593 __skb_queue_tail(&sar_queue, skb);
2c03a7a4
GP		 1594 len -= chan->remote_mps;
1595 size += chan->remote_mps;
c74e560c
GP		 1596
1597 while (len > 0) {
1598 size_t buflen;
1599
2c03a7a4 1600 if (len > chan->remote_mps) {
44651b85 1601 control = L2CAP_SDU_CONTINUE;
2c03a7a4 1602 buflen = chan->remote_mps;
c74e560c 1603 } else {
44651b85 1604 control = L2CAP_SDU_END;
c74e560c
GP		 1605 buflen = len;
1606 }
1607
47d1ec61 1608 skb = l2cap_create_iframe_pdu(chan, msg, buflen, control, 0);
c74e560c
GP		 1609 if (IS_ERR(skb)) {
1610 skb_queue_purge(&sar_queue);
1611 return PTR_ERR(skb);
1612 }
1613
1614 __skb_queue_tail(&sar_queue, skb);
1615 len -= buflen;
1616 size += buflen;
c74e560c 1617 }
58d35f87
GP		 1618 skb_queue_splice_tail(&sar_queue, &chan->tx_q);
1619 if (chan->tx_send_head == NULL)
1620 chan->tx_send_head = sar_queue.next;
c74e560c
GP		 1621
1622 return size;
1623}
1624
9a91a04a
GP		 1625int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1626{
9a91a04a
GP		 1627 struct sk_buff *skb;
1628 u16 control;
1629 int err;
1630
1631 /* Connectionless channel */
715ec005 1632 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
9a91a04a
GP		 1633 skb = l2cap_create_connless_pdu(chan, msg, len);
1634 if (IS_ERR(skb))
1635 return PTR_ERR(skb);
1636
1637 l2cap_do_send(chan, skb);
1638 return len;
1639 }
1640
1641 switch (chan->mode) {
1642 case L2CAP_MODE_BASIC:
1643 /* Check outgoing MTU */
1644 if (len > chan->omtu)
1645 return -EMSGSIZE;
1646
1647 /* Create a basic PDU */
1648 skb = l2cap_create_basic_pdu(chan, msg, len);
1649 if (IS_ERR(skb))
1650 return PTR_ERR(skb);
1651
1652 l2cap_do_send(chan, skb);
1653 err = len;
1654 break;
1655
1656 case L2CAP_MODE_ERTM:
1657 case L2CAP_MODE_STREAMING:
1658 /* Entire SDU fits into one PDU */
1659 if (len <= chan->remote_mps) {
1660 control = L2CAP_SDU_UNSEGMENTED;
1661 skb = l2cap_create_iframe_pdu(chan, msg, len, control,
1662 0);
1663 if (IS_ERR(skb))
1664 return PTR_ERR(skb);
1665
1666 __skb_queue_tail(&chan->tx_q, skb);
1667
1668 if (chan->tx_send_head == NULL)
1669 chan->tx_send_head = skb;
1670
1671 } else {
1672 /* Segment SDU into multiples PDUs */
1673 err = l2cap_sar_segment_sdu(chan, msg, len);
1674 if (err < 0)
1675 return err;
1676 }
1677
1678 if (chan->mode == L2CAP_MODE_STREAMING) {
1679 l2cap_streaming_send(chan);
1680 err = len;
1681 break;
1682 }
1683
1684 if ((chan->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
1685 (chan->conn_state & L2CAP_CONN_WAIT_F)) {
1686 err = len;
1687 break;
1688 }
1689
1690 err = l2cap_ertm_send(chan);
1691 if (err >= 0)
1692 err = len;
1693
1694 break;
1695
1696 default:
1697 BT_DBG("bad state %1.1x", chan->mode);
1698 err = -EBADFD;
1699 }
1700
1701 return err;
1702}
1703
1da177e4
LT		 1704/* Copy frame to all raw sockets on that connection */
1705static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
1706{
1da177e4 1707 struct sk_buff *nskb;
48454079 1708 struct l2cap_chan *chan;
1da177e4
LT		 1709
1710 BT_DBG("conn %p", conn);
1711
baa7e1fa
GP		 1712 read_lock(&conn->chan_lock);
1713 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 1714 struct sock *sk = chan->sk;
715ec005 1715 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 1716 continue;
1717
1718 /* Don't send frame to the socket it came from */
1719 if (skb->sk == sk)
1720 continue;
af05b30b
GP		 1721 nskb = skb_clone(skb, GFP_ATOMIC);
1722 if (!nskb)
1da177e4
LT		 1723 continue;
1724
23070494 1725 if (chan->ops->recv(chan->data, nskb))
1da177e4
LT		 1726 kfree_skb(nskb);
1727 }
baa7e1fa 1728 read_unlock(&conn->chan_lock);
1da177e4
LT		 1729}
1730
1731/* ---- L2CAP signalling commands ---- */
1732static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
1733 u8 code, u8 ident, u16 dlen, void *data)
1734{
1735 struct sk_buff *skb, **frag;
1736 struct l2cap_cmd_hdr *cmd;
1737 struct l2cap_hdr *lh;
1738 int len, count;
1739
af05b30b
GP		 1740 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
1741 conn, code, ident, dlen);
1da177e4
LT		 1742
1743 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
1744 count = min_t(unsigned int, conn->mtu, len);
1745
1746 skb = bt_skb_alloc(count, GFP_ATOMIC);
1747 if (!skb)
1748 return NULL;
1749
1750 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 1751 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 1752
1753 if (conn->hcon->type == LE_LINK)
1754 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
1755 else
1756 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 1757
1758 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
1759 cmd->code = code;
1760 cmd->ident = ident;
aca3192c 1761 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 1762
1763 if (dlen) {
1764 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
1765 memcpy(skb_put(skb, count), data, count);
1766 data += count;
1767 }
1768
1769 len -= skb->len;
1770
1771 /* Continuation fragments (no L2CAP header) */
1772 frag = &skb_shinfo(skb)->frag_list;
1773 while (len) {
1774 count = min_t(unsigned int, conn->mtu, len);
1775
1776 *frag = bt_skb_alloc(count, GFP_ATOMIC);
1777 if (!*frag)
1778 goto fail;
1779
1780 memcpy(skb_put(*frag, count), data, count);
1781
1782 len -= count;
1783 data += count;
1784
1785 frag = &(*frag)->next;
1786 }
1787
1788 return skb;
1789
1790fail:
1791 kfree_skb(skb);
1792 return NULL;
1793}
1794
1795static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
1796{
1797 struct l2cap_conf_opt *opt = *ptr;
1798 int len;
1799
1800 len = L2CAP_CONF_OPT_SIZE + opt->len;
1801 *ptr += len;
1802
1803 *type = opt->type;
1804 *olen = opt->len;
1805
1806 switch (opt->len) {
1807 case 1:
1808 *val = *((u8 *) opt->val);
1809 break;
1810
1811 case 2:
bfaaeb3e 1812 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 1813 break;
1814
1815 case 4:
bfaaeb3e 1816 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 1817 break;
1818
1819 default:
1820 *val = (unsigned long) opt->val;
1821 break;
1822 }
1823
1824 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
1825 return len;
1826}
1827
1da177e4
LT		 1828static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
1829{
1830 struct l2cap_conf_opt *opt = *ptr;
1831
1832 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
1833
1834 opt->type = type;
1835 opt->len = len;
1836
1837 switch (len) {
1838 case 1:
1839 *((u8 *) opt->val) = val;
1840 break;
1841
1842 case 2:
4f8b691c 1843 put_unaligned_le16(val, opt->val);
1da177e4
LT		 1844 break;
1845
1846 case 4:
4f8b691c 1847 put_unaligned_le32(val, opt->val);
1da177e4
LT		 1848 break;
1849
1850 default:
1851 memcpy(opt->val, (void *) val, len);
1852 break;
1853 }
1854
1855 *ptr += L2CAP_CONF_OPT_SIZE + len;
1856}
1857
c1b4f43b
GP		 1858static void l2cap_ack_timeout(unsigned long arg)
1859{
525cd185 1860 struct l2cap_chan *chan = (void *) arg;
c1b4f43b 1861
525cd185
GP		 1862 bh_lock_sock(chan->sk);
1863 l2cap_send_ack(chan);
1864 bh_unlock_sock(chan->sk);
c1b4f43b
GP		 1865}
1866
525cd185 1867static inline void l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 1868{
525cd185
GP		 1869 struct sock *sk = chan->sk;
1870
42e5c802 1871 chan->expected_ack_seq = 0;
6a026610 1872 chan->unacked_frames = 0;
42e5c802 1873 chan->buffer_seq = 0;
6a026610
GP		 1874 chan->num_acked = 0;
1875 chan->frames_sent = 0;
0565c1c2 1876
e92c8e70
GP		 1877 setup_timer(&chan->retrans_timer, l2cap_retrans_timeout,
1878 (unsigned long) chan);
1879 setup_timer(&chan->monitor_timer, l2cap_monitor_timeout,
1880 (unsigned long) chan);
1881 setup_timer(&chan->ack_timer, l2cap_ack_timeout, (unsigned long) chan);
0565c1c2 1882
f1c6775b
GP		 1883 skb_queue_head_init(&chan->srej_q);
1884 skb_queue_head_init(&chan->busy_q);
1890d36b 1885
39d5a3ee
GP		 1886 INIT_LIST_HEAD(&chan->srej_l);
1887
311bb895 1888 INIT_WORK(&chan->busy_work, l2cap_busy_work);
218bb9df
GP		 1889
1890 sk->sk_backlog_rcv = l2cap_ertm_data_rcv;
0565c1c2
GP		 1891}
1892
f2fcfcd6
GP		 1893static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
1894{
1895 switch (mode) {
1896 case L2CAP_MODE_STREAMING:
1897 case L2CAP_MODE_ERTM:
1898 if (l2cap_mode_supported(mode, remote_feat_mask))
1899 return mode;
1900 /* fall through */
1901 default:
1902 return L2CAP_MODE_BASIC;
1903 }
1904}
1905
710f9b0a 1906static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 1907{
1da177e4 1908 struct l2cap_conf_req *req = data;
0c1bc5c6 1909 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4
LT		 1910 void *ptr = req->data;
1911
49208c9c 1912 BT_DBG("chan %p", chan);
1da177e4 1913
73ffa904 1914 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 1915 goto done;
1916
0c1bc5c6 1917 switch (chan->mode) {
f2fcfcd6
GP		 1918 case L2CAP_MODE_STREAMING:
1919 case L2CAP_MODE_ERTM:
b4450035 1920 if (chan->conf_state & L2CAP_CONF_STATE2_DEVICE)
85eb53c6 1921 break;
85eb53c6 1922
2ba13ed6 1923 /* fall through */
f2fcfcd6 1924 default:
8c1d787b 1925 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 1926 break;
1927 }
1928
1929done:
0c1bc5c6
GP		 1930 if (chan->imtu != L2CAP_DEFAULT_MTU)
1931 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 1932
0c1bc5c6 1933 switch (chan->mode) {
65c7c491 1934 case L2CAP_MODE_BASIC:
8c1d787b
GP		 1935 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
1936 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 1937 break;
1938
62547752
GP		 1939 rfc.mode = L2CAP_MODE_BASIC;
1940 rfc.txwin_size = 0;
1941 rfc.max_transmit = 0;
1942 rfc.retrans_timeout = 0;
1943 rfc.monitor_timeout = 0;
1944 rfc.max_pdu_size = 0;
1945
63406504
GP		 1946 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
1947 (unsigned long) &rfc);
65c7c491
MH		 1948 break;
1949
1950 case L2CAP_MODE_ERTM:
1951 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61
GP		 1952 rfc.txwin_size = chan->tx_win;
1953 rfc.max_transmit = chan->max_tx;
f2fcfcd6
GP		 1954 rfc.retrans_timeout = 0;
1955 rfc.monitor_timeout = 0;
c74e560c 1956 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
8c1d787b
GP		 1957 if (L2CAP_DEFAULT_MAX_PDU_SIZE > chan->conn->mtu - 10)
1958 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
f2fcfcd6 1959
63406504
GP		 1960 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
1961 (unsigned long) &rfc);
1962
8c1d787b 1963 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 1964 break;
1965
47d1ec61 1966 if (chan->fcs == L2CAP_FCS_NONE ||
b4450035 1967 chan->conf_state & L2CAP_CONF_NO_FCS_RECV) {
47d1ec61
GP		 1968 chan->fcs = L2CAP_FCS_NONE;
1969 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 1970 }
f2fcfcd6
GP		 1971 break;
1972
1973 case L2CAP_MODE_STREAMING:
1974 rfc.mode = L2CAP_MODE_STREAMING;
1975 rfc.txwin_size = 0;
1976 rfc.max_transmit = 0;
1977 rfc.retrans_timeout = 0;
1978 rfc.monitor_timeout = 0;
c74e560c 1979 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
8c1d787b
GP		 1980 if (L2CAP_DEFAULT_MAX_PDU_SIZE > chan->conn->mtu - 10)
1981 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
65c7c491 1982
63406504
GP		 1983 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
1984 (unsigned long) &rfc);
1985
8c1d787b 1986 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 1987 break;
1988
47d1ec61 1989 if (chan->fcs == L2CAP_FCS_NONE ||
b4450035 1990 chan->conf_state & L2CAP_CONF_NO_FCS_RECV) {
47d1ec61
GP		 1991 chan->fcs = L2CAP_FCS_NONE;
1992 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 1993 }
65c7c491
MH		 1994 break;
1995 }
1da177e4 1996
fe4128e0 1997 req->dcid = cpu_to_le16(chan->dcid);
aca3192c 1998 req->flags = cpu_to_le16(0);
1da177e4
LT		 1999
2000 return ptr - data;
2001}
2002
73ffa904 2003static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2004{
5dee9e7c
MH		 2005 struct l2cap_conf_rsp *rsp = data;
2006 void *ptr = rsp->data;
73ffa904
GP		 2007 void *req = chan->conf_req;
2008 int len = chan->conf_len;
5dee9e7c
MH		 2009 int type, hint, olen;
2010 unsigned long val;
6464f35f 2011 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
861d6882 2012 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 2013 u16 result = L2CAP_CONF_SUCCESS;
1da177e4 2014
73ffa904 2015 BT_DBG("chan %p", chan);
820ae1b8 2016
5dee9e7c
MH		 2017 while (len >= L2CAP_CONF_OPT_SIZE) {
2018 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 2019
589d2746 2020 hint = type & L2CAP_CONF_HINT;
47ec1dcd 2021 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 2022
2023 switch (type) {
2024 case L2CAP_CONF_MTU:
861d6882 2025 mtu = val;
5dee9e7c
MH		 2026 break;
2027
2028 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2029 chan->flush_to = val;
5dee9e7c
MH		 2030 break;
2031
2032 case L2CAP_CONF_QOS:
2033 break;
2034
6464f35f
MH		 2035 case L2CAP_CONF_RFC:
2036 if (olen == sizeof(rfc))
2037 memcpy(&rfc, (void *) val, olen);
2038 break;
2039
fcc203c3
GP		 2040 case L2CAP_CONF_FCS:
2041 if (val == L2CAP_FCS_NONE)
b4450035 2042 chan->conf_state |= L2CAP_CONF_NO_FCS_RECV;
fcc203c3
GP		 2043
2044 break;
2045
5dee9e7c
MH		 2046 default:
2047 if (hint)
2048 break;
2049
2050 result = L2CAP_CONF_UNKNOWN;
2051 *((u8 *) ptr++) = type;
2052 break;
2053 }
2054 }
2055
73ffa904 2056 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 2057 goto done;
2058
0c1bc5c6 2059 switch (chan->mode) {
f2fcfcd6
GP		 2060 case L2CAP_MODE_STREAMING:
2061 case L2CAP_MODE_ERTM:
b4450035 2062 if (!(chan->conf_state & L2CAP_CONF_STATE2_DEVICE)) {
0c1bc5c6 2063 chan->mode = l2cap_select_mode(rfc.mode,
8c1d787b 2064 chan->conn->feat_mask);
85eb53c6
GP		 2065 break;
2066 }
2067
0c1bc5c6 2068 if (chan->mode != rfc.mode)
f2fcfcd6 2069 return -ECONNREFUSED;
742e519b 2070
f2fcfcd6 2071 break;
f2fcfcd6
GP		 2072 }
2073
2074done:
0c1bc5c6 2075 if (chan->mode != rfc.mode) {
f2fcfcd6 2076 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2077 rfc.mode = chan->mode;
f2fcfcd6 2078
73ffa904 2079 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 2080 return -ECONNREFUSED;
2081
2082 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2083 sizeof(rfc), (unsigned long) &rfc);
2084 }
2085
2086
5dee9e7c
MH		 2087 if (result == L2CAP_CONF_SUCCESS) {
2088 /* Configure output options and let the other side know
2089 * which ones we don't like. */
2090
f2fcfcd6
GP		 2091 if (mtu < L2CAP_DEFAULT_MIN_MTU)
2092 result = L2CAP_CONF_UNACCEPT;
2093 else {
0c1bc5c6 2094 chan->omtu = mtu;
b4450035 2095 chan->conf_state |= L2CAP_CONF_MTU_DONE;
f2fcfcd6 2096 }
0c1bc5c6 2097 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 2098
f2fcfcd6
GP		 2099 switch (rfc.mode) {
2100 case L2CAP_MODE_BASIC:
47d1ec61 2101 chan->fcs = L2CAP_FCS_NONE;
b4450035 2102 chan->conf_state |= L2CAP_CONF_MODE_DONE;
f2fcfcd6
GP		 2103 break;
2104
2105 case L2CAP_MODE_ERTM:
2c03a7a4
GP		 2106 chan->remote_tx_win = rfc.txwin_size;
2107 chan->remote_max_tx = rfc.max_transmit;
86b1b263 2108
8c1d787b
GP		 2109 if (le16_to_cpu(rfc.max_pdu_size) > chan->conn->mtu - 10)
2110 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
1c762159 2111
2c03a7a4 2112 chan->remote_mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6 2113
10467e9e
GP		 2114 rfc.retrans_timeout =
2115 le16_to_cpu(L2CAP_DEFAULT_RETRANS_TO);
2116 rfc.monitor_timeout =
2117 le16_to_cpu(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6 2118
b4450035 2119 chan->conf_state |= L2CAP_CONF_MODE_DONE;
68ae6639
GP		 2120
2121 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2122 sizeof(rfc), (unsigned long) &rfc);
2123
f2fcfcd6
GP		 2124 break;
2125
2126 case L2CAP_MODE_STREAMING:
8c1d787b
GP		 2127 if (le16_to_cpu(rfc.max_pdu_size) > chan->conn->mtu - 10)
2128 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
1c762159 2129
2c03a7a4 2130 chan->remote_mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6 2131
b4450035 2132 chan->conf_state |= L2CAP_CONF_MODE_DONE;
68ae6639
GP		 2133
2134 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2135 sizeof(rfc), (unsigned long) &rfc);
2136
f2fcfcd6
GP		 2137 break;
2138
2139 default:
5dee9e7c 2140 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 2141
6464f35f 2142 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 2143 rfc.mode = chan->mode;
f2fcfcd6 2144 }
6464f35f 2145
f2fcfcd6 2146 if (result == L2CAP_CONF_SUCCESS)
b4450035 2147 chan->conf_state |= L2CAP_CONF_OUTPUT_DONE;
f2fcfcd6 2148 }
fe4128e0 2149 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c
MH		 2150 rsp->result = cpu_to_le16(result);
2151 rsp->flags = cpu_to_le16(0x0000);
2152
2153 return ptr - data;
1da177e4
LT		 2154}
2155
b4450035 2156static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
f2fcfcd6 2157{
f2fcfcd6
GP		 2158 struct l2cap_conf_req *req = data;
2159 void *ptr = req->data;
2160 int type, olen;
2161 unsigned long val;
2162 struct l2cap_conf_rfc rfc;
2163
fe4128e0 2164 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 2165
2166 while (len >= L2CAP_CONF_OPT_SIZE) {
2167 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2168
2169 switch (type) {
2170 case L2CAP_CONF_MTU:
2171 if (val < L2CAP_DEFAULT_MIN_MTU) {
2172 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2173 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 2174 } else
0c1bc5c6
GP		 2175 chan->imtu = val;
2176 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 2177 break;
2178
2179 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2180 chan->flush_to = val;
f2fcfcd6 2181 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
0c1bc5c6 2182 2, chan->flush_to);
f2fcfcd6
GP		 2183 break;
2184
2185 case L2CAP_CONF_RFC:
2186 if (olen == sizeof(rfc))
2187 memcpy(&rfc, (void *)val, olen);
2188
b4450035 2189 if ((chan->conf_state & L2CAP_CONF_STATE2_DEVICE) &&
0c1bc5c6 2190 rfc.mode != chan->mode)
f2fcfcd6
GP		 2191 return -ECONNREFUSED;
2192
47d1ec61 2193 chan->fcs = 0;
f2fcfcd6
GP		 2194
2195 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2196 sizeof(rfc), (unsigned long) &rfc);
2197 break;
2198 }
2199 }
2200
0c1bc5c6 2201 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 2202 return -ECONNREFUSED;
2203
0c1bc5c6 2204 chan->mode = rfc.mode;
6c2ea7a8 2205
f2fcfcd6
GP		 2206 if (*result == L2CAP_CONF_SUCCESS) {
2207 switch (rfc.mode) {
2208 case L2CAP_MODE_ERTM:
47d1ec61
GP		 2209 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2210 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2211 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2212 break;
2213 case L2CAP_MODE_STREAMING:
47d1ec61 2214 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2215 }
2216 }
2217
fe4128e0 2218 req->dcid = cpu_to_le16(chan->dcid);
f2fcfcd6
GP		 2219 req->flags = cpu_to_le16(0x0000);
2220
2221 return ptr - data;
2222}
2223
fe4128e0 2224static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
1da177e4
LT		 2225{
2226 struct l2cap_conf_rsp *rsp = data;
2227 void *ptr = rsp->data;
1da177e4 2228
fe4128e0 2229 BT_DBG("chan %p", chan);
1da177e4 2230
fe4128e0 2231 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 2232 rsp->result = cpu_to_le16(result);
aca3192c 2233 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 2234
2235 return ptr - data;
2236}
2237
8c1d787b 2238void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 2239{
2240 struct l2cap_conn_rsp rsp;
8c1d787b 2241 struct l2cap_conn *conn = chan->conn;
710f9b0a
GP		 2242 u8 buf[128];
2243
fe4128e0
GP		 2244 rsp.scid = cpu_to_le16(chan->dcid);
2245 rsp.dcid = cpu_to_le16(chan->scid);
710f9b0a
GP		 2246 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
2247 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
2248 l2cap_send_cmd(conn, chan->ident,
2249 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2250
b4450035 2251 if (chan->conf_state & L2CAP_CONF_REQ_SENT)
710f9b0a
GP		 2252 return;
2253
b4450035 2254 chan->conf_state |= L2CAP_CONF_REQ_SENT;
710f9b0a
GP		 2255 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2256 l2cap_build_conf_req(chan, buf), buf);
2257 chan->num_conf_req++;
2258}
2259
47d1ec61 2260static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 2261{
7b1c0049
GP		 2262 int type, olen;
2263 unsigned long val;
2264 struct l2cap_conf_rfc rfc;
2265
47d1ec61 2266 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 2267
0c1bc5c6 2268 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 2269 return;
2270
2271 while (len >= L2CAP_CONF_OPT_SIZE) {
2272 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2273
2274 switch (type) {
2275 case L2CAP_CONF_RFC:
2276 if (olen == sizeof(rfc))
2277 memcpy(&rfc, (void *)val, olen);
2278 goto done;
2279 }
2280 }
2281
2282done:
2283 switch (rfc.mode) {
2284 case L2CAP_MODE_ERTM:
47d1ec61
GP		 2285 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2286 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2287 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2288 break;
2289 case L2CAP_MODE_STREAMING:
47d1ec61 2290 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2291 }
2292}
2293
4e8402a3
MH		 2294static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2295{
2296 struct l2cap_cmd_rej *rej = (struct l2cap_cmd_rej *) data;
2297
2298 if (rej->reason != 0x0000)
2299 return 0;
2300
2301 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2302 cmd->ident == conn->info_ident) {
4e8402a3 2303 del_timer(&conn->info_timer);
984947dc
MH		 2304
2305 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2306 conn->info_ident = 0;
984947dc 2307
4e8402a3
MH		 2308 l2cap_conn_start(conn);
2309 }
2310
2311 return 0;
2312}
2313
1da177e4
LT		 2314static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2315{
1da177e4
LT		 2316 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
2317 struct l2cap_conn_rsp rsp;
23691d75 2318 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 2319 struct sock *parent, *sk = NULL;
e7c29cb1 2320 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2321
2322 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 2323 __le16 psm = req->psm;
1da177e4
LT		 2324
2325 BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
2326
2327 /* Check if we have socket listening on psm */
23691d75
GP		 2328 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src);
2329 if (!pchan) {
1da177e4
LT		 2330 result = L2CAP_CR_BAD_PSM;
2331 goto sendresp;
2332 }
2333
23691d75
GP		 2334 parent = pchan->sk;
2335
e0f0cb56
GP		 2336 bh_lock_sock(parent);
2337
e7c29cb1
MH		 2338 /* Check if the ACL is secure enough (if not SDP) */
2339 if (psm != cpu_to_le16(0x0001) &&
2340 !hci_conn_check_link_mode(conn->hcon)) {
2950f21a 2341 conn->disc_reason = 0x05;
e7c29cb1
MH		 2342 result = L2CAP_CR_SEC_BLOCK;
2343 goto response;
2344 }
2345
1da177e4
LT		 2346 result = L2CAP_CR_NO_MEM;
2347
2348 /* Check for backlog size */
2349 if (sk_acceptq_is_full(parent)) {
8e87d142 2350 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1da177e4
LT		 2351 goto response;
2352 }
2353
80808e43
GP		 2354 chan = pchan->ops->new_connection(pchan->data);
2355 if (!chan)
1da177e4
LT		 2356 goto response;
2357
80808e43
GP		 2358 sk = chan->sk;
2359
baa7e1fa 2360 write_lock_bh(&conn->chan_lock);
1da177e4
LT		 2361
2362 /* Check if we already have channel with that dcid */
baa7e1fa
GP		 2363 if (__l2cap_get_chan_by_dcid(conn, scid)) {
2364 write_unlock_bh(&conn->chan_lock);
1da177e4 2365 sock_set_flag(sk, SOCK_ZAPPED);
ba3bd0ee 2366 chan->ops->close(chan->data);
1da177e4
LT		 2367 goto response;
2368 }
2369
2370 hci_conn_hold(conn->hcon);
2371
1da177e4
LT		 2372 bacpy(&bt_sk(sk)->src, conn->src);
2373 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 2374 chan->psm = psm;
2375 chan->dcid = scid;
1da177e4 2376
d1010240
GP		 2377 bt_accept_enqueue(parent, sk);
2378
48454079
GP		 2379 __l2cap_chan_add(conn, chan);
2380
fe4128e0 2381 dcid = chan->scid;
1da177e4 2382
c9b66675 2383 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 2384
fc7f8a7e 2385 chan->ident = cmd->ident;
1da177e4 2386
984947dc 2387 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
4343478f 2388 if (l2cap_check_security(chan)) {
f66dc81f 2389 if (bt_sk(sk)->defer_setup) {
89bc500e 2390 l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 2391 result = L2CAP_CR_PEND;
2392 status = L2CAP_CS_AUTHOR_PEND;
2393 parent->sk_data_ready(parent, 0);
2394 } else {
89bc500e 2395 l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 2396 result = L2CAP_CR_SUCCESS;
2397 status = L2CAP_CS_NO_INFO;
2398 }
79d554a6 2399 } else {
89bc500e 2400 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 2401 result = L2CAP_CR_PEND;
2402 status = L2CAP_CS_AUTHEN_PEND;
2403 }
2404 } else {
89bc500e 2405 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 2406 result = L2CAP_CR_PEND;
2407 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2408 }
2409
baa7e1fa 2410 write_unlock_bh(&conn->chan_lock);
1da177e4
LT		 2411
2412response:
2413 bh_unlock_sock(parent);
2414
2415sendresp:
aca3192c
YH		 2416 rsp.scid = cpu_to_le16(scid);
2417 rsp.dcid = cpu_to_le16(dcid);
2418 rsp.result = cpu_to_le16(result);
2419 rsp.status = cpu_to_le16(status);
1da177e4 2420 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 2421
2422 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
2423 struct l2cap_info_req info;
2424 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2425
2426 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
2427 conn->info_ident = l2cap_get_ident(conn);
2428
2429 mod_timer(&conn->info_timer, jiffies +
2430 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
2431
2432 l2cap_send_cmd(conn, conn->info_ident,
2433 L2CAP_INFO_REQ, sizeof(info), &info);
2434 }
2435
b4450035 2436 if (chan && !(chan->conf_state & L2CAP_CONF_REQ_SENT) &&
e9aeb2dd
GP		 2437 result == L2CAP_CR_SUCCESS) {
2438 u8 buf[128];
b4450035 2439 chan->conf_state |= L2CAP_CONF_REQ_SENT;
e9aeb2dd 2440 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2441 l2cap_build_conf_req(chan, buf), buf);
2442 chan->num_conf_req++;
e9aeb2dd
GP		 2443 }
2444
1da177e4
LT		 2445 return 0;
2446}
2447
2448static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2449{
2450 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
2451 u16 scid, dcid, result, status;
48454079 2452 struct l2cap_chan *chan;
1da177e4
LT		 2453 struct sock *sk;
2454 u8 req[128];
2455
2456 scid = __le16_to_cpu(rsp->scid);
2457 dcid = __le16_to_cpu(rsp->dcid);
2458 result = __le16_to_cpu(rsp->result);
2459 status = __le16_to_cpu(rsp->status);
2460
2461 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status);
2462
2463 if (scid) {
baa7e1fa 2464 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2465 if (!chan)
57d3b22b 2466 return -EFAULT;
1da177e4 2467 } else {
baa7e1fa 2468 chan = l2cap_get_chan_by_ident(conn, cmd->ident);
48454079 2469 if (!chan)
57d3b22b 2470 return -EFAULT;
1da177e4
LT		 2471 }
2472
48454079
GP		 2473 sk = chan->sk;
2474
1da177e4
LT		 2475 switch (result) {
2476 case L2CAP_CR_SUCCESS:
89bc500e 2477 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 2478 chan->ident = 0;
fe4128e0 2479 chan->dcid = dcid;
b4450035 2480 chan->conf_state &= ~L2CAP_CONF_CONNECT_PEND;
6a8d3010 2481
b4450035 2482 if (chan->conf_state & L2CAP_CONF_REQ_SENT)
e9aeb2dd
GP		 2483 break;
2484
b4450035 2485 chan->conf_state |= L2CAP_CONF_REQ_SENT;
e9aeb2dd 2486
1da177e4 2487 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2488 l2cap_build_conf_req(chan, req), req);
2489 chan->num_conf_req++;
1da177e4
LT		 2490 break;
2491
2492 case L2CAP_CR_PEND:
b4450035 2493 chan->conf_state |= L2CAP_CONF_CONNECT_PEND;
1da177e4
LT		 2494 break;
2495
2496 default:
a49184c2
AE		 2497 /* don't delete l2cap channel if sk is owned by user */
2498 if (sock_owned_by_user(sk)) {
89bc500e 2499 l2cap_state_change(chan, BT_DISCONN);
c9b66675
GP		 2500 __clear_chan_timer(chan);
2501 __set_chan_timer(chan, HZ / 5);
a49184c2
AE		 2502 break;
2503 }
2504
48454079 2505 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 2506 break;
2507 }
2508
2509 bh_unlock_sock(sk);
2510 return 0;
2511}
2512
47d1ec61 2513static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60 2514{
47d1ec61
GP		 2515 struct l2cap_pinfo *pi = l2cap_pi(chan->sk);
2516
8c462b60
MM		 2517 /* FCS is enabled only in ERTM or streaming mode, if one or both
2518 * sides request it.
2519 */
0c1bc5c6 2520 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 2521 chan->fcs = L2CAP_FCS_NONE;
b4450035 2522 else if (!(pi->chan->conf_state & L2CAP_CONF_NO_FCS_RECV))
47d1ec61 2523 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 2524}
2525
88219a0f 2526static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 2527{
2528 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
2529 u16 dcid, flags;
2530 u8 rsp[64];
48454079 2531 struct l2cap_chan *chan;
1da177e4 2532 struct sock *sk;
5dee9e7c 2533 int len;
1da177e4
LT		 2534
2535 dcid = __le16_to_cpu(req->dcid);
2536 flags = __le16_to_cpu(req->flags);
2537
2538 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
2539
baa7e1fa 2540 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 2541 if (!chan)
1da177e4
LT		 2542 return -ENOENT;
2543
48454079
GP		 2544 sk = chan->sk;
2545
89bc500e 2546 if (chan->state != BT_CONFIG) {
df6bd743
GP		 2547 struct l2cap_cmd_rej rej;
2548
2549 rej.reason = cpu_to_le16(0x0002);
2550 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
2551 sizeof(rej), &rej);
354f60a9 2552 goto unlock;
df6bd743 2553 }
354f60a9 2554
5dee9e7c 2555 /* Reject if config buffer is too small. */
88219a0f 2556 len = cmd_len - sizeof(*req);
73ffa904 2557 if (chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 2558 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 2559 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c
MH		 2560 L2CAP_CONF_REJECT, flags), rsp);
2561 goto unlock;
2562 }
2563
2564 /* Store config. */
73ffa904
GP		 2565 memcpy(chan->conf_req + chan->conf_len, req->data, len);
2566 chan->conf_len += len;
1da177e4
LT		 2567
2568 if (flags & 0x0001) {
2569 /* Incomplete config. Send empty response. */
2570 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 2571 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c 2572 L2CAP_CONF_SUCCESS, 0x0001), rsp);
1da177e4
LT		 2573 goto unlock;
2574 }
2575
2576 /* Complete config. */
73ffa904 2577 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 2578 if (len < 0) {
e92c8e70 2579 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4 2580 goto unlock;
f2fcfcd6 2581 }
1da177e4 2582
5dee9e7c 2583 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 2584 chan->num_conf_rsp++;
5dee9e7c 2585
5dee9e7c 2586 /* Reset config buffer. */
73ffa904 2587 chan->conf_len = 0;
5dee9e7c 2588
b4450035 2589 if (!(chan->conf_state & L2CAP_CONF_OUTPUT_DONE))
876d9484
MH		 2590 goto unlock;
2591
b4450035 2592 if (chan->conf_state & L2CAP_CONF_INPUT_DONE) {
47d1ec61 2593 set_default_fcs(chan);
fcc203c3 2594
89bc500e 2595 l2cap_state_change(chan, BT_CONNECTED);
e90bac06 2596
42e5c802
GP		 2597 chan->next_tx_seq = 0;
2598 chan->expected_tx_seq = 0;
58d35f87 2599 skb_queue_head_init(&chan->tx_q);
0c1bc5c6 2600 if (chan->mode == L2CAP_MODE_ERTM)
525cd185 2601 l2cap_ertm_init(chan);
0565c1c2 2602
1da177e4 2603 l2cap_chan_ready(sk);
876d9484
MH		 2604 goto unlock;
2605 }
2606
b4450035 2607 if (!(chan->conf_state & L2CAP_CONF_REQ_SENT)) {
79d554a6 2608 u8 buf[64];
b4450035 2609 chan->conf_state |= L2CAP_CONF_REQ_SENT;
1da177e4 2610 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2611 l2cap_build_conf_req(chan, buf), buf);
2612 chan->num_conf_req++;
1da177e4
LT		 2613 }
2614
2615unlock:
2616 bh_unlock_sock(sk);
2617 return 0;
2618}
2619
2620static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2621{
2622 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
2623 u16 scid, flags, result;
48454079 2624 struct l2cap_chan *chan;
1da177e4 2625 struct sock *sk;
7b1c0049 2626 int len = cmd->len - sizeof(*rsp);
1da177e4
LT		 2627
2628 scid = __le16_to_cpu(rsp->scid);
2629 flags = __le16_to_cpu(rsp->flags);
2630 result = __le16_to_cpu(rsp->result);
2631
af05b30b
GP		 2632 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x",
2633 scid, flags, result);
1da177e4 2634
baa7e1fa 2635 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2636 if (!chan)
1da177e4
LT		 2637 return 0;
2638
48454079
GP		 2639 sk = chan->sk;
2640
1da177e4
LT		 2641 switch (result) {
2642 case L2CAP_CONF_SUCCESS:
47d1ec61 2643 l2cap_conf_rfc_get(chan, rsp->data, len);
1da177e4
LT		 2644 break;
2645
2646 case L2CAP_CONF_UNACCEPT:
73ffa904 2647 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 2648 char req[64];
2649
c2c77ec8 2650 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
e92c8e70 2651 l2cap_send_disconn_req(conn, chan, ECONNRESET);
c2c77ec8
AE		 2652 goto done;
2653 }
2654
f2fcfcd6
GP		 2655 /* throw out any old stored conf requests */
2656 result = L2CAP_CONF_SUCCESS;
b4450035
GP		 2657 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2658 req, &result);
f2fcfcd6 2659 if (len < 0) {
e92c8e70 2660 l2cap_send_disconn_req(conn, chan, ECONNRESET);
f2fcfcd6
GP		 2661 goto done;
2662 }
2663
2664 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2665 L2CAP_CONF_REQ, len, req);
73ffa904 2666 chan->num_conf_req++;
f2fcfcd6
GP		 2667 if (result != L2CAP_CONF_SUCCESS)
2668 goto done;
2669 break;
1da177e4
LT		 2670 }
2671
8e87d142 2672 default:
b1235d79 2673 sk->sk_err = ECONNRESET;
c9b66675 2674 __set_chan_timer(chan, HZ * 5);
e92c8e70 2675 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4
LT		 2676 goto done;
2677 }
2678
2679 if (flags & 0x01)
2680 goto done;
2681
b4450035 2682 chan->conf_state |= L2CAP_CONF_INPUT_DONE;
1da177e4 2683
b4450035 2684 if (chan->conf_state & L2CAP_CONF_OUTPUT_DONE) {
47d1ec61 2685 set_default_fcs(chan);
fcc203c3 2686
89bc500e 2687 l2cap_state_change(chan, BT_CONNECTED);
42e5c802
GP		 2688 chan->next_tx_seq = 0;
2689 chan->expected_tx_seq = 0;
58d35f87 2690 skb_queue_head_init(&chan->tx_q);
0c1bc5c6 2691 if (chan->mode == L2CAP_MODE_ERTM)
525cd185 2692 l2cap_ertm_init(chan);
0565c1c2 2693
1da177e4
LT		 2694 l2cap_chan_ready(sk);
2695 }
2696
2697done:
2698 bh_unlock_sock(sk);
2699 return 0;
2700}
2701
2702static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2703{
2704 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
2705 struct l2cap_disconn_rsp rsp;
2706 u16 dcid, scid;
48454079 2707 struct l2cap_chan *chan;
1da177e4
LT		 2708 struct sock *sk;
2709
2710 scid = __le16_to_cpu(req->scid);
2711 dcid = __le16_to_cpu(req->dcid);
2712
2713 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
2714
baa7e1fa 2715 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 2716 if (!chan)
1da177e4
LT		 2717 return 0;
2718
48454079
GP		 2719 sk = chan->sk;
2720
fe4128e0
GP		 2721 rsp.dcid = cpu_to_le16(chan->scid);
2722 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 2723 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
2724
2725 sk->sk_shutdown = SHUTDOWN_MASK;
2726
a49184c2
AE		 2727 /* don't delete l2cap channel if sk is owned by user */
2728 if (sock_owned_by_user(sk)) {
89bc500e 2729 l2cap_state_change(chan, BT_DISCONN);
c9b66675
GP		 2730 __clear_chan_timer(chan);
2731 __set_chan_timer(chan, HZ / 5);
a49184c2
AE		 2732 bh_unlock_sock(sk);
2733 return 0;
2734 }
2735
48454079 2736 l2cap_chan_del(chan, ECONNRESET);
1da177e4
LT		 2737 bh_unlock_sock(sk);
2738
ba3bd0ee 2739 chan->ops->close(chan->data);
1da177e4
LT		 2740 return 0;
2741}
2742
2743static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2744{
2745 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
2746 u16 dcid, scid;
48454079 2747 struct l2cap_chan *chan;
1da177e4
LT		 2748 struct sock *sk;
2749
2750 scid = __le16_to_cpu(rsp->scid);
2751 dcid = __le16_to_cpu(rsp->dcid);
2752
2753 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
2754
baa7e1fa 2755 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2756 if (!chan)
1da177e4
LT		 2757 return 0;
2758
48454079
GP		 2759 sk = chan->sk;
2760
a49184c2
AE		 2761 /* don't delete l2cap channel if sk is owned by user */
2762 if (sock_owned_by_user(sk)) {
89bc500e 2763 l2cap_state_change(chan,BT_DISCONN);
c9b66675
GP		 2764 __clear_chan_timer(chan);
2765 __set_chan_timer(chan, HZ / 5);
a49184c2
AE		 2766 bh_unlock_sock(sk);
2767 return 0;
2768 }
2769
48454079 2770 l2cap_chan_del(chan, 0);
1da177e4
LT		 2771 bh_unlock_sock(sk);
2772
ba3bd0ee 2773 chan->ops->close(chan->data);
1da177e4
LT		 2774 return 0;
2775}
2776
2777static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2778{
2779 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 2780 u16 type;
2781
2782 type = __le16_to_cpu(req->type);
2783
2784 BT_DBG("type 0x%4.4x", type);
2785
f0709e03
MH		 2786 if (type == L2CAP_IT_FEAT_MASK) {
2787 u8 buf[8];
44dd46de 2788 u32 feat_mask = l2cap_feat_mask;
f0709e03
MH		 2789 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2790 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2791 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 2792 if (!disable_ertm)
fcc203c3
GP		 2793 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
2794 | L2CAP_FEAT_FCS;
1b7bf4ed 2795 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 2796 l2cap_send_cmd(conn, cmd->ident,
2797 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 2798 } else if (type == L2CAP_IT_FIXED_CHAN) {
2799 u8 buf[12];
2800 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2801 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2802 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
2803 memcpy(buf + 4, l2cap_fixed_chan, 8);
2804 l2cap_send_cmd(conn, cmd->ident,
2805 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 2806 } else {
2807 struct l2cap_info_rsp rsp;
2808 rsp.type = cpu_to_le16(type);
2809 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
2810 l2cap_send_cmd(conn, cmd->ident,
2811 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
2812 }
1da177e4
LT		 2813
2814 return 0;
2815}
2816
2817static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2818{
2819 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
2820 u16 type, result;
2821
2822 type = __le16_to_cpu(rsp->type);
2823 result = __le16_to_cpu(rsp->result);
2824
2825 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
2826
e90165be
AE		 2827 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
2828 if (cmd->ident != conn->info_ident ||
2829 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
2830 return 0;
2831
4e8402a3
MH		 2832 del_timer(&conn->info_timer);
2833
adb08ede
VT		 2834 if (result != L2CAP_IR_SUCCESS) {
2835 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2836 conn->info_ident = 0;
2837
2838 l2cap_conn_start(conn);
2839
2840 return 0;
2841 }
2842
984947dc 2843 if (type == L2CAP_IT_FEAT_MASK) {
83985319 2844 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 2845
47ec1dcd 2846 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c
MH		 2847 struct l2cap_info_req req;
2848 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2849
2850 conn->info_ident = l2cap_get_ident(conn);
2851
2852 l2cap_send_cmd(conn, conn->info_ident,
2853 L2CAP_INFO_REQ, sizeof(req), &req);
2854 } else {
2855 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2856 conn->info_ident = 0;
2857
2858 l2cap_conn_start(conn);
2859 }
2860 } else if (type == L2CAP_IT_FIXED_CHAN) {
984947dc 2861 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2862 conn->info_ident = 0;
984947dc
MH		 2863
2864 l2cap_conn_start(conn);
2865 }
4e8402a3 2866
1da177e4
LT		 2867 return 0;
2868}
2869
e2174ca4 2870static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
de73115a
CT		 2871 u16 to_multiplier)
2872{
2873 u16 max_latency;
2874
2875 if (min > max || min < 6 || max > 3200)
2876 return -EINVAL;
2877
2878 if (to_multiplier < 10 || to_multiplier > 3200)
2879 return -EINVAL;
2880
2881 if (max >= to_multiplier * 8)
2882 return -EINVAL;
2883
2884 max_latency = (to_multiplier * 8 / max) - 1;
2885 if (latency > 499 || latency > max_latency)
2886 return -EINVAL;
2887
2888 return 0;
2889}
2890
2891static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
2892 struct l2cap_cmd_hdr *cmd, u8 *data)
2893{
2894 struct hci_conn *hcon = conn->hcon;
2895 struct l2cap_conn_param_update_req *req;
2896 struct l2cap_conn_param_update_rsp rsp;
2897 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 2898 int err;
de73115a
CT		 2899
2900 if (!(hcon->link_mode & HCI_LM_MASTER))
2901 return -EINVAL;
2902
2903 cmd_len = __le16_to_cpu(cmd->len);
2904 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
2905 return -EPROTO;
2906
2907 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 2908 min = __le16_to_cpu(req->min);
2909 max = __le16_to_cpu(req->max);
de73115a
CT		 2910 latency = __le16_to_cpu(req->latency);
2911 to_multiplier = __le16_to_cpu(req->to_multiplier);
2912
2913 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
2914 min, max, latency, to_multiplier);
2915
2916 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 2917
2918 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
2919 if (err)
de73115a
CT		 2920 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
2921 else
2922 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
2923
2924 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
2925 sizeof(rsp), &rsp);
2926
2ce603eb
CT		 2927 if (!err)
2928 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
2929
de73115a
CT		 2930 return 0;
2931}
2932
3300d9a9
CT		 2933static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
2934 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
2935{
2936 int err = 0;
2937
2938 switch (cmd->code) {
2939 case L2CAP_COMMAND_REJ:
2940 l2cap_command_rej(conn, cmd, data);
2941 break;
2942
2943 case L2CAP_CONN_REQ:
2944 err = l2cap_connect_req(conn, cmd, data);
2945 break;
2946
2947 case L2CAP_CONN_RSP:
2948 err = l2cap_connect_rsp(conn, cmd, data);
2949 break;
2950
2951 case L2CAP_CONF_REQ:
2952 err = l2cap_config_req(conn, cmd, cmd_len, data);
2953 break;
2954
2955 case L2CAP_CONF_RSP:
2956 err = l2cap_config_rsp(conn, cmd, data);
2957 break;
2958
2959 case L2CAP_DISCONN_REQ:
2960 err = l2cap_disconnect_req(conn, cmd, data);
2961 break;
2962
2963 case L2CAP_DISCONN_RSP:
2964 err = l2cap_disconnect_rsp(conn, cmd, data);
2965 break;
2966
2967 case L2CAP_ECHO_REQ:
2968 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
2969 break;
2970
2971 case L2CAP_ECHO_RSP:
2972 break;
2973
2974 case L2CAP_INFO_REQ:
2975 err = l2cap_information_req(conn, cmd, data);
2976 break;
2977
2978 case L2CAP_INFO_RSP:
2979 err = l2cap_information_rsp(conn, cmd, data);
2980 break;
2981
2982 default:
2983 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
2984 err = -EINVAL;
2985 break;
2986 }
2987
2988 return err;
2989}
2990
2991static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
2992 struct l2cap_cmd_hdr *cmd, u8 *data)
2993{
2994 switch (cmd->code) {
2995 case L2CAP_COMMAND_REJ:
2996 return 0;
2997
2998 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 2999 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 3000
3001 case L2CAP_CONN_PARAM_UPDATE_RSP:
3002 return 0;
3003
3004 default:
3005 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
3006 return -EINVAL;
3007 }
3008}
3009
3010static inline void l2cap_sig_channel(struct l2cap_conn *conn,
3011 struct sk_buff *skb)
1da177e4
LT		 3012{
3013 u8 *data = skb->data;
3014 int len = skb->len;
3015 struct l2cap_cmd_hdr cmd;
3300d9a9 3016 int err;
1da177e4
LT		 3017
3018 l2cap_raw_recv(conn, skb);
3019
3020 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 3021 u16 cmd_len;
1da177e4
LT		 3022 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
3023 data += L2CAP_CMD_HDR_SIZE;
3024 len -= L2CAP_CMD_HDR_SIZE;
3025
88219a0f 3026 cmd_len = le16_to_cpu(cmd.len);
1da177e4 3027
88219a0f 3028 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 3029
88219a0f 3030 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 3031 BT_DBG("corrupted command");
3032 break;
3033 }
3034
3300d9a9
CT		 3035 if (conn->hcon->type == LE_LINK)
3036 err = l2cap_le_sig_cmd(conn, &cmd, data);
3037 else
3038 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 3039
3040 if (err) {
3041 struct l2cap_cmd_rej rej;
2c6d1a2e
GP		 3042
3043 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 3044
3045 /* FIXME: Map err to a valid reason */
aca3192c 3046 rej.reason = cpu_to_le16(0);
1da177e4
LT		 3047 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3048 }
3049
88219a0f
AV		 3050 data += cmd_len;
3051 len -= cmd_len;
1da177e4
LT		 3052 }
3053
3054 kfree_skb(skb);
3055}
3056
47d1ec61 3057static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 3058{
3059 u16 our_fcs, rcv_fcs;
3060 int hdr_size = L2CAP_HDR_SIZE + 2;
3061
47d1ec61 3062 if (chan->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 3063 skb_trim(skb, skb->len - 2);
3064 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
3065 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
3066
3067 if (our_fcs != rcv_fcs)
7a560e5c 3068 return -EBADMSG;
fcc203c3
GP		 3069 }
3070 return 0;
3071}
3072
525cd185 3073static inline void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 3074{
d5392c8f
GP		 3075 u16 control = 0;
3076
6a026610 3077 chan->frames_sent = 0;
d5392c8f 3078
42e5c802 3079 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
d5392c8f 3080
525cd185 3081 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
64988868 3082 control |= L2CAP_SUPER_RCV_NOT_READY;
525cd185
GP		 3083 l2cap_send_sframe(chan, control);
3084 chan->conn_state |= L2CAP_CONN_RNR_SENT;
d5392c8f
GP		 3085 }
3086
525cd185
GP		 3087 if (chan->conn_state & L2CAP_CONN_REMOTE_BUSY)
3088 l2cap_retransmit_frames(chan);
d5392c8f 3089
525cd185 3090 l2cap_ertm_send(chan);
d5392c8f 3091
525cd185 3092 if (!(chan->conn_state & L2CAP_CONN_LOCAL_BUSY) &&
6a026610 3093 chan->frames_sent == 0) {
d5392c8f 3094 control |= L2CAP_SUPER_RCV_READY;
525cd185 3095 l2cap_send_sframe(chan, control);
d5392c8f
GP		 3096 }
3097}
3098
42e5c802 3099static int l2cap_add_to_srej_queue(struct l2cap_chan *chan, struct sk_buff *skb, u8 tx_seq, u8 sar)
8f17154f
GP		 3100{
3101 struct sk_buff *next_skb;
bfbacc11 3102 int tx_seq_offset, next_tx_seq_offset;
8f17154f
GP		 3103
3104 bt_cb(skb)->tx_seq = tx_seq;
3105 bt_cb(skb)->sar = sar;
3106
f1c6775b 3107 next_skb = skb_peek(&chan->srej_q);
8f17154f 3108 if (!next_skb) {
f1c6775b 3109 __skb_queue_tail(&chan->srej_q, skb);
9b53350d 3110 return 0;
8f17154f
GP		 3111 }
3112
42e5c802 3113 tx_seq_offset = (tx_seq - chan->buffer_seq) % 64;
bfbacc11
JPRV		 3114 if (tx_seq_offset < 0)
3115 tx_seq_offset += 64;
3116
8f17154f 3117 do {
9b53350d
JPRV		 3118 if (bt_cb(next_skb)->tx_seq == tx_seq)
3119 return -EINVAL;
3120
bfbacc11 3121 next_tx_seq_offset = (bt_cb(next_skb)->tx_seq -
42e5c802 3122 chan->buffer_seq) % 64;
bfbacc11
JPRV		 3123 if (next_tx_seq_offset < 0)
3124 next_tx_seq_offset += 64;
3125
3126 if (next_tx_seq_offset > tx_seq_offset) {
f1c6775b 3127 __skb_queue_before(&chan->srej_q, next_skb, skb);
9b53350d 3128 return 0;
8f17154f
GP		 3129 }
3130
f1c6775b 3131 if (skb_queue_is_last(&chan->srej_q, next_skb))
8f17154f
GP		 3132 break;
3133
f1c6775b 3134 } while ((next_skb = skb_queue_next(&chan->srej_q, next_skb)));
8f17154f 3135
f1c6775b 3136 __skb_queue_tail(&chan->srej_q, skb);
9b53350d
JPRV		 3137
3138 return 0;
8f17154f
GP		 3139}
3140
525cd185 3141static int l2cap_ertm_reassembly_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u16 control)
18778a63 3142{
18778a63 3143 struct sk_buff *_skb;
1890d36b 3144 int err;
18778a63
GP		 3145
3146 switch (control & L2CAP_CTRL_SAR) {
3147 case L2CAP_SDU_UNSEGMENTED:
525cd185 3148 if (chan->conn_state & L2CAP_CONN_SAR_SDU)
18778a63
GP		 3149 goto drop;
3150
23070494 3151 return chan->ops->recv(chan->data, skb);
18778a63
GP		 3152
3153 case L2CAP_SDU_START:
525cd185 3154 if (chan->conn_state & L2CAP_CONN_SAR_SDU)
18778a63
GP		 3155 goto drop;
3156
6f61fd47 3157 chan->sdu_len = get_unaligned_le16(skb->data);
18778a63 3158
0c1bc5c6 3159 if (chan->sdu_len > chan->imtu)
18778a63
GP		 3160 goto disconnect;
3161
6f61fd47
GP		 3162 chan->sdu = bt_skb_alloc(chan->sdu_len, GFP_ATOMIC);
3163 if (!chan->sdu)
1890d36b
GP		 3164 return -ENOMEM;
3165
3166 /* pull sdu_len bytes only after alloc, because of Local Busy
3167 * condition we have to be sure that this will be executed
3168 * only once, i.e., when alloc does not fail */
3169 skb_pull(skb, 2);
18778a63 3170
6f61fd47 3171 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
18778a63 3172
525cd185 3173 chan->conn_state |= L2CAP_CONN_SAR_SDU;
6f61fd47 3174 chan->partial_sdu_len = skb->len;
18778a63
GP		 3175 break;
3176
3177 case L2CAP_SDU_CONTINUE:
525cd185 3178 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
18778a63
GP		 3179 goto disconnect;
3180
6f61fd47 3181 if (!chan->sdu)
18778a63
GP		 3182 goto disconnect;
3183
6f61fd47
GP		 3184 chan->partial_sdu_len += skb->len;
3185 if (chan->partial_sdu_len > chan->sdu_len)
18778a63
GP		 3186 goto drop;
3187
6f61fd47 3188 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
4178ba46 3189
18778a63
GP		 3190 break;
3191
3192 case L2CAP_SDU_END:
525cd185 3193 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
18778a63
GP		 3194 goto disconnect;
3195
6f61fd47 3196 if (!chan->sdu)
18778a63
GP		 3197 goto disconnect;
3198
525cd185 3199 if (!(chan->conn_state & L2CAP_CONN_SAR_RETRY)) {
6f61fd47 3200 chan->partial_sdu_len += skb->len;
18778a63 3201
0c1bc5c6 3202 if (chan->partial_sdu_len > chan->imtu)
1890d36b 3203 goto drop;
18778a63 3204
6f61fd47 3205 if (chan->partial_sdu_len != chan->sdu_len)
1890d36b 3206 goto drop;
4178ba46 3207
6f61fd47 3208 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
1890d36b 3209 }
18778a63 3210
6f61fd47 3211 _skb = skb_clone(chan->sdu, GFP_ATOMIC);
1890d36b 3212 if (!_skb) {
525cd185 3213 chan->conn_state |= L2CAP_CONN_SAR_RETRY;
1890d36b
GP		 3214 return -ENOMEM;
3215 }
3216
23070494 3217 err = chan->ops->recv(chan->data, _skb);
1890d36b 3218 if (err < 0) {
18778a63 3219 kfree_skb(_skb);
525cd185 3220 chan->conn_state |= L2CAP_CONN_SAR_RETRY;
1890d36b
GP		 3221 return err;
3222 }
3223
525cd185
GP		 3224 chan->conn_state &= ~L2CAP_CONN_SAR_RETRY;
3225 chan->conn_state &= ~L2CAP_CONN_SAR_SDU;
18778a63 3226
6f61fd47 3227 kfree_skb(chan->sdu);
18778a63
GP		 3228 break;
3229 }
3230
3231 kfree_skb(skb);
1890d36b 3232 return 0;
18778a63
GP		 3233
3234drop:
6f61fd47
GP		 3235 kfree_skb(chan->sdu);
3236 chan->sdu = NULL;
18778a63
GP		 3237
3238disconnect:
8c1d787b 3239 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
18778a63
GP		 3240 kfree_skb(skb);
3241 return 0;
3242}
3243
525cd185 3244static int l2cap_try_push_rx_skb(struct l2cap_chan *chan)
712132eb 3245{
712132eb
GP		 3246 struct sk_buff *skb;
3247 u16 control;
3248 int err;
3249
f1c6775b 3250 while ((skb = skb_dequeue(&chan->busy_q))) {
712132eb 3251 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
525cd185 3252 err = l2cap_ertm_reassembly_sdu(chan, skb, control);
712132eb 3253 if (err < 0) {
f1c6775b 3254 skb_queue_head(&chan->busy_q, skb);
712132eb
GP		 3255 return -EBUSY;
3256 }
3257
42e5c802 3258 chan->buffer_seq = (chan->buffer_seq + 1) % 64;
712132eb
GP		 3259 }
3260
525cd185 3261 if (!(chan->conn_state & L2CAP_CONN_RNR_SENT))
712132eb
GP		 3262 goto done;
3263
42e5c802 3264 control = chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
712132eb 3265 control |= L2CAP_SUPER_RCV_READY | L2CAP_CTRL_POLL;
525cd185 3266 l2cap_send_sframe(chan, control);
6a026610 3267 chan->retry_count = 1;
712132eb 3268
1a09bcb9
GP		 3269 __clear_retrans_timer(chan);
3270 __set_monitor_timer(chan);
712132eb 3271
525cd185 3272 chan->conn_state |= L2CAP_CONN_WAIT_F;
712132eb
GP		 3273
3274done:
525cd185
GP		 3275 chan->conn_state &= ~L2CAP_CONN_LOCAL_BUSY;
3276 chan->conn_state &= ~L2CAP_CONN_RNR_SENT;
712132eb 3277
49208c9c 3278 BT_DBG("chan %p, Exit local busy", chan);
712132eb
GP		 3279
3280 return 0;
3281}
3282
1890d36b
GP		 3283static void l2cap_busy_work(struct work_struct *work)
3284{
3285 DECLARE_WAITQUEUE(wait, current);
311bb895
GP		 3286 struct l2cap_chan *chan =
3287 container_of(work, struct l2cap_chan, busy_work);
3288 struct sock *sk = chan->sk;
1890d36b
GP		 3289 int n_tries = 0, timeo = HZ/5, err;
3290 struct sk_buff *skb;
1890d36b
GP		 3291
3292 lock_sock(sk);
3293
2b0b05dd 3294 add_wait_queue(sk_sleep(sk), &wait);
311bb895 3295 while ((skb = skb_peek(&chan->busy_q))) {
1890d36b
GP		 3296 set_current_state(TASK_INTERRUPTIBLE);
3297
3298 if (n_tries++ > L2CAP_LOCAL_BUSY_TRIES) {
3299 err = -EBUSY;
8c1d787b 3300 l2cap_send_disconn_req(chan->conn, chan, EBUSY);
712132eb 3301 break;
1890d36b
GP		 3302 }
3303
3304 if (!timeo)
3305 timeo = HZ/5;
3306
3307 if (signal_pending(current)) {
3308 err = sock_intr_errno(timeo);
712132eb 3309 break;
1890d36b
GP		 3310 }
3311
3312 release_sock(sk);
3313 timeo = schedule_timeout(timeo);
3314 lock_sock(sk);
3315
3316 err = sock_error(sk);
3317 if (err)
712132eb 3318 break;
1890d36b 3319
311bb895 3320 if (l2cap_try_push_rx_skb(chan) == 0)
1890d36b
GP		 3321 break;
3322 }
3323
1890d36b 3324 set_current_state(TASK_RUNNING);
2b0b05dd 3325 remove_wait_queue(sk_sleep(sk), &wait);
1890d36b
GP		 3326
3327 release_sock(sk);
3328}
3329
525cd185 3330static int l2cap_push_rx_skb(struct l2cap_chan *chan, struct sk_buff *skb, u16 control)
1890d36b 3331{
1890d36b
GP		 3332 int sctrl, err;
3333
525cd185 3334 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
1890d36b 3335 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
f1c6775b 3336 __skb_queue_tail(&chan->busy_q, skb);
525cd185 3337 return l2cap_try_push_rx_skb(chan);
712132eb
GP		 3338
3339
1890d36b
GP		 3340 }
3341
525cd185 3342 err = l2cap_ertm_reassembly_sdu(chan, skb, control);
1890d36b 3343 if (err >= 0) {
42e5c802 3344 chan->buffer_seq = (chan->buffer_seq + 1) % 64;
1890d36b
GP		 3345 return err;
3346 }
3347
3348 /* Busy Condition */
311bb895 3349 BT_DBG("chan %p, Enter local busy", chan);
0e98958d 3350
525cd185 3351 chan->conn_state |= L2CAP_CONN_LOCAL_BUSY;
1890d36b 3352 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
f1c6775b 3353 __skb_queue_tail(&chan->busy_q, skb);
1890d36b 3354
42e5c802 3355 sctrl = chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1890d36b 3356 sctrl |= L2CAP_SUPER_RCV_NOT_READY;
525cd185 3357 l2cap_send_sframe(chan, sctrl);
1890d36b 3358
525cd185 3359 chan->conn_state |= L2CAP_CONN_RNR_SENT;
1890d36b 3360
1a09bcb9 3361 __clear_ack_timer(chan);
7fe9b298 3362
311bb895 3363 queue_work(_busy_wq, &chan->busy_work);
1890d36b
GP		 3364
3365 return err;
3366}
3367
525cd185 3368static int l2cap_streaming_reassembly_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u16 control)
c74e560c 3369{
c74e560c
GP		 3370 struct sk_buff *_skb;
3371 int err = -EINVAL;
3372
18778a63
GP		 3373 /*
3374 * TODO: We have to notify the userland if some data is lost with the
3375 * Streaming Mode.
3376 */
3377
c74e560c
GP		 3378 switch (control & L2CAP_CTRL_SAR) {
3379 case L2CAP_SDU_UNSEGMENTED:
525cd185 3380 if (chan->conn_state & L2CAP_CONN_SAR_SDU) {
6f61fd47 3381 kfree_skb(chan->sdu);
c74e560c
GP		 3382 break;
3383 }
3384
23070494 3385 err = chan->ops->recv(chan->data, skb);
c74e560c
GP		 3386 if (!err)
3387 return 0;
3388
3389 break;
3390
3391 case L2CAP_SDU_START:
525cd185 3392 if (chan->conn_state & L2CAP_CONN_SAR_SDU) {
6f61fd47 3393 kfree_skb(chan->sdu);
c74e560c
GP		 3394 break;
3395 }
3396
6f61fd47 3397 chan->sdu_len = get_unaligned_le16(skb->data);
c74e560c
GP		 3398 skb_pull(skb, 2);
3399
0c1bc5c6 3400 if (chan->sdu_len > chan->imtu) {
052897ca
GP		 3401 err = -EMSGSIZE;
3402 break;
3403 }
3404
6f61fd47
GP		 3405 chan->sdu = bt_skb_alloc(chan->sdu_len, GFP_ATOMIC);
3406 if (!chan->sdu) {
c74e560c
GP		 3407 err = -ENOMEM;
3408 break;
3409 }
3410
6f61fd47 3411 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
c74e560c 3412
525cd185 3413 chan->conn_state |= L2CAP_CONN_SAR_SDU;
6f61fd47 3414 chan->partial_sdu_len = skb->len;
c74e560c
GP		 3415 err = 0;
3416 break;
3417
3418 case L2CAP_SDU_CONTINUE:
525cd185 3419 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
c74e560c
GP		 3420 break;
3421
6f61fd47 3422 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
c74e560c 3423
6f61fd47
GP		 3424 chan->partial_sdu_len += skb->len;
3425 if (chan->partial_sdu_len > chan->sdu_len)
3426 kfree_skb(chan->sdu);
c74e560c
GP		 3427 else
3428 err = 0;
3429
3430 break;
3431
3432 case L2CAP_SDU_END:
525cd185 3433 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
c74e560c
GP		 3434 break;
3435
6f61fd47 3436 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
c74e560c 3437
525cd185 3438 chan->conn_state &= ~L2CAP_CONN_SAR_SDU;
6f61fd47 3439 chan->partial_sdu_len += skb->len;
c74e560c 3440
0c1bc5c6 3441 if (chan->partial_sdu_len > chan->imtu)
36f2fd58
GP		 3442 goto drop;
3443
6f61fd47
GP		 3444 if (chan->partial_sdu_len == chan->sdu_len) {
3445 _skb = skb_clone(chan->sdu, GFP_ATOMIC);
23070494 3446 err = chan->ops->recv(chan->data, _skb);
c74e560c
GP		 3447 if (err < 0)
3448 kfree_skb(_skb);
3449 }
c74e560c
GP		 3450 err = 0;
3451
36f2fd58 3452drop:
6f61fd47 3453 kfree_skb(chan->sdu);
c74e560c
GP		 3454 break;
3455 }
3456
3457 kfree_skb(skb);
3458 return err;
3459}
3460
525cd185 3461static void l2cap_check_srej_gap(struct l2cap_chan *chan, u8 tx_seq)
8f17154f
GP		 3462{
3463 struct sk_buff *skb;
afefdbc4 3464 u16 control;
8f17154f 3465
f1c6775b 3466 while ((skb = skb_peek(&chan->srej_q))) {
8f17154f
GP		 3467 if (bt_cb(skb)->tx_seq != tx_seq)
3468 break;
3469
f1c6775b 3470 skb = skb_dequeue(&chan->srej_q);
afefdbc4 3471 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
525cd185 3472 l2cap_ertm_reassembly_sdu(chan, skb, control);
42e5c802
GP		 3473 chan->buffer_seq_srej =
3474 (chan->buffer_seq_srej + 1) % 64;
8ff50ec0 3475 tx_seq = (tx_seq + 1) % 64;
8f17154f
GP		 3476 }
3477}
3478
525cd185 3479static void l2cap_resend_srejframe(struct l2cap_chan *chan, u8 tx_seq)
8f17154f 3480{
8f17154f
GP		 3481 struct srej_list *l, *tmp;
3482 u16 control;
3483
39d5a3ee 3484 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
8f17154f
GP		 3485 if (l->tx_seq == tx_seq) {
3486 list_del(&l->list);
3487 kfree(l);
3488 return;
3489 }
3490 control = L2CAP_SUPER_SELECT_REJECT;
3491 control |= l->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
525cd185 3492 l2cap_send_sframe(chan, control);
8f17154f 3493 list_del(&l->list);
39d5a3ee 3494 list_add_tail(&l->list, &chan->srej_l);
8f17154f
GP		 3495 }
3496}
3497
525cd185 3498static void l2cap_send_srejframe(struct l2cap_chan *chan, u8 tx_seq)
8f17154f 3499{
8f17154f
GP		 3500 struct srej_list *new;
3501 u16 control;
3502
42e5c802 3503 while (tx_seq != chan->expected_tx_seq) {
8f17154f 3504 control = L2CAP_SUPER_SELECT_REJECT;
42e5c802 3505 control |= chan->expected_tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
525cd185 3506 l2cap_send_sframe(chan, control);
8f17154f
GP		 3507
3508 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
42e5c802
GP		 3509 new->tx_seq = chan->expected_tx_seq;
3510 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
39d5a3ee 3511 list_add_tail(&new->list, &chan->srej_l);
8f17154f 3512 }
42e5c802 3513 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
8f17154f
GP		 3514}
3515
525cd185 3516static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u16 rx_control, struct sk_buff *skb)
1c2acffb 3517{
1c2acffb 3518 u8 tx_seq = __get_txseq(rx_control);
9f121a5a 3519 u8 req_seq = __get_reqseq(rx_control);
8f17154f 3520 u8 sar = rx_control >> L2CAP_CTRL_SAR_SHIFT;
f6337c77 3521 int tx_seq_offset, expected_tx_seq_offset;
47d1ec61 3522 int num_to_ack = (chan->tx_win/6) + 1;
1c2acffb
GP		 3523 int err = 0;
3524
525cd185
GP		 3525 BT_DBG("chan %p len %d tx_seq %d rx_control 0x%4.4x", chan, skb->len,
3526 tx_seq, rx_control);
1c2acffb 3527
9b16dc65 3528 if (L2CAP_CTRL_FINAL & rx_control &&
525cd185 3529 chan->conn_state & L2CAP_CONN_WAIT_F) {
1a09bcb9 3530 __clear_monitor_timer(chan);
6a026610 3531 if (chan->unacked_frames > 0)
1a09bcb9 3532 __set_retrans_timer(chan);
525cd185 3533 chan->conn_state &= ~L2CAP_CONN_WAIT_F;
1d8f5d16
GP		 3534 }
3535
42e5c802
GP		 3536 chan->expected_ack_seq = req_seq;
3537 l2cap_drop_acked_frames(chan);
9f121a5a 3538
42e5c802 3539 if (tx_seq == chan->expected_tx_seq)
8f17154f 3540 goto expected;
1c2acffb 3541
42e5c802 3542 tx_seq_offset = (tx_seq - chan->buffer_seq) % 64;
9b53350d
JPRV		 3543 if (tx_seq_offset < 0)
3544 tx_seq_offset += 64;
3545
3546 /* invalid tx_seq */
47d1ec61 3547 if (tx_seq_offset >= chan->tx_win) {
8c1d787b 3548 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
9b53350d
JPRV		 3549 goto drop;
3550 }
3551
e6949280 3552 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY)
1890d36b
GP		 3553 goto drop;
3554
525cd185 3555 if (chan->conn_state & L2CAP_CONN_SREJ_SENT) {
8f17154f 3556 struct srej_list *first;
30afb5b2 3557
39d5a3ee 3558 first = list_first_entry(&chan->srej_l,
8f17154f
GP		 3559 struct srej_list, list);
3560 if (tx_seq == first->tx_seq) {
42e5c802 3561 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
525cd185 3562 l2cap_check_srej_gap(chan, tx_seq);
8f17154f
GP		 3563
3564 list_del(&first->list);
3565 kfree(first);
3566
39d5a3ee 3567 if (list_empty(&chan->srej_l)) {
42e5c802 3568 chan->buffer_seq = chan->buffer_seq_srej;
525cd185
GP		 3569 chan->conn_state &= ~L2CAP_CONN_SREJ_SENT;
3570 l2cap_send_ack(chan);
49208c9c 3571 BT_DBG("chan %p, Exit SREJ_SENT", chan);
8f17154f
GP		 3572 }
3573 } else {
3574 struct srej_list *l;
9b53350d
JPRV		 3575
3576 /* duplicated tx_seq */
42e5c802 3577 if (l2cap_add_to_srej_queue(chan, skb, tx_seq, sar) < 0)
9b53350d 3578 goto drop;
8f17154f 3579
39d5a3ee 3580 list_for_each_entry(l, &chan->srej_l, list) {
8f17154f 3581 if (l->tx_seq == tx_seq) {
525cd185 3582 l2cap_resend_srejframe(chan, tx_seq);
8f17154f
GP		 3583 return 0;
3584 }
3585 }
525cd185 3586 l2cap_send_srejframe(chan, tx_seq);
30afb5b2
GP		 3587 }
3588 } else {
9b53350d 3589 expected_tx_seq_offset =
42e5c802 3590 (chan->expected_tx_seq - chan->buffer_seq) % 64;
9b53350d
JPRV		 3591 if (expected_tx_seq_offset < 0)
3592 expected_tx_seq_offset += 64;
3593
3594 /* duplicated tx_seq */
3595 if (tx_seq_offset < expected_tx_seq_offset)
3596 goto drop;
3597
525cd185 3598 chan->conn_state |= L2CAP_CONN_SREJ_SENT;
1c2acffb 3599
49208c9c 3600 BT_DBG("chan %p, Enter SREJ", chan);
0e98958d 3601
39d5a3ee 3602 INIT_LIST_HEAD(&chan->srej_l);
42e5c802 3603 chan->buffer_seq_srej = chan->buffer_seq;
8f17154f 3604
f1c6775b
GP		 3605 __skb_queue_head_init(&chan->srej_q);
3606 __skb_queue_head_init(&chan->busy_q);
42e5c802 3607 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
8f17154f 3608
525cd185 3609 chan->conn_state |= L2CAP_CONN_SEND_PBIT;
ef54fd93 3610
525cd185 3611 l2cap_send_srejframe(chan, tx_seq);
7fe9b298 3612
1a09bcb9 3613 __clear_ack_timer(chan);
1c2acffb 3614 }
30afb5b2
GP		 3615 return 0;
3616
8f17154f 3617expected:
42e5c802 3618 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
8f17154f 3619
525cd185 3620 if (chan->conn_state & L2CAP_CONN_SREJ_SENT) {
3b1a9f3f
GP		 3621 bt_cb(skb)->tx_seq = tx_seq;
3622 bt_cb(skb)->sar = sar;
f1c6775b 3623 __skb_queue_tail(&chan->srej_q, skb);
8f17154f
GP		 3624 return 0;
3625 }
3626
525cd185 3627 err = l2cap_push_rx_skb(chan, skb, rx_control);
2ece3684
GP		 3628 if (err < 0)
3629 return 0;
3630
4ec10d97 3631 if (rx_control & L2CAP_CTRL_FINAL) {
525cd185
GP		 3632 if (chan->conn_state & L2CAP_CONN_REJ_ACT)
3633 chan->conn_state &= ~L2CAP_CONN_REJ_ACT;
dfc909be 3634 else
525cd185 3635 l2cap_retransmit_frames(chan);
4ec10d97
GP		 3636 }
3637
1a09bcb9 3638 __set_ack_timer(chan);
c1b4f43b 3639
6a026610
GP		 3640 chan->num_acked = (chan->num_acked + 1) % num_to_ack;
3641 if (chan->num_acked == num_to_ack - 1)
525cd185 3642 l2cap_send_ack(chan);
9e917af1 3643
8f17154f 3644 return 0;
9b53350d
JPRV		 3645
3646drop:
3647 kfree_skb(skb);
3648 return 0;
1c2acffb
GP		 3649}
3650
525cd185 3651static inline void l2cap_data_channel_rrframe(struct l2cap_chan *chan, u16 rx_control)
1c2acffb 3652{
49208c9c 3653 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, __get_reqseq(rx_control),
0e98958d
GP		 3654 rx_control);
3655
42e5c802
GP		 3656 chan->expected_ack_seq = __get_reqseq(rx_control);
3657 l2cap_drop_acked_frames(chan);
1c2acffb 3658
e072745f 3659 if (rx_control & L2CAP_CTRL_POLL) {
525cd185
GP		 3660 chan->conn_state |= L2CAP_CONN_SEND_FBIT;
3661 if (chan->conn_state & L2CAP_CONN_SREJ_SENT) {
3662 if ((chan->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
6a026610 3663 (chan->unacked_frames > 0))
1a09bcb9 3664 __set_retrans_timer(chan);
05fbd89d 3665
525cd185
GP		 3666 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3667 l2cap_send_srejtail(chan);
05fbd89d 3668 } else {
525cd185 3669 l2cap_send_i_or_rr_or_rnr(chan);
05fbd89d 3670 }
1d8f5d16 3671
e072745f 3672 } else if (rx_control & L2CAP_CTRL_FINAL) {
525cd185 3673 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
4ec10d97 3674
525cd185
GP		 3675 if (chan->conn_state & L2CAP_CONN_REJ_ACT)
3676 chan->conn_state &= ~L2CAP_CONN_REJ_ACT;
dfc909be 3677 else
525cd185 3678 l2cap_retransmit_frames(chan);
2246b2f1 3679
e072745f 3680 } else {
525cd185 3681 if ((chan->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
6a026610 3682 (chan->unacked_frames > 0))
1a09bcb9 3683 __set_retrans_timer(chan);
1c2acffb 3684
525cd185
GP		 3685 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3686 if (chan->conn_state & L2CAP_CONN_SREJ_SENT)
3687 l2cap_send_ack(chan);
894718a6 3688 else
525cd185 3689 l2cap_ertm_send(chan);
e072745f
GP		 3690 }
3691}
2246b2f1 3692
525cd185 3693static inline void l2cap_data_channel_rejframe(struct l2cap_chan *chan, u16 rx_control)
e072745f 3694{
e072745f 3695 u8 tx_seq = __get_reqseq(rx_control);
30afb5b2 3696
525cd185 3697 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
0e98958d 3698
525cd185 3699 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
e072745f 3700
42e5c802
GP		 3701 chan->expected_ack_seq = tx_seq;
3702 l2cap_drop_acked_frames(chan);
e072745f
GP		 3703
3704 if (rx_control & L2CAP_CTRL_FINAL) {
525cd185
GP		 3705 if (chan->conn_state & L2CAP_CONN_REJ_ACT)
3706 chan->conn_state &= ~L2CAP_CONN_REJ_ACT;
dfc909be 3707 else
525cd185 3708 l2cap_retransmit_frames(chan);
e072745f 3709 } else {
525cd185 3710 l2cap_retransmit_frames(chan);
30afb5b2 3711
525cd185
GP		 3712 if (chan->conn_state & L2CAP_CONN_WAIT_F)
3713 chan->conn_state |= L2CAP_CONN_REJ_ACT;
e072745f
GP		 3714 }
3715}
525cd185 3716static inline void l2cap_data_channel_srejframe(struct l2cap_chan *chan, u16 rx_control)
e072745f 3717{
e072745f 3718 u8 tx_seq = __get_reqseq(rx_control);
30afb5b2 3719
525cd185 3720 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
0e98958d 3721
525cd185 3722 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
2246b2f1 3723
e072745f 3724 if (rx_control & L2CAP_CTRL_POLL) {
42e5c802
GP		 3725 chan->expected_ack_seq = tx_seq;
3726 l2cap_drop_acked_frames(chan);
3cb123d1 3727
525cd185
GP		 3728 chan->conn_state |= L2CAP_CONN_SEND_FBIT;
3729 l2cap_retransmit_one_frame(chan, tx_seq);
dfc909be 3730
525cd185 3731 l2cap_ertm_send(chan);
dfc909be 3732
525cd185 3733 if (chan->conn_state & L2CAP_CONN_WAIT_F) {
6a026610 3734 chan->srej_save_reqseq = tx_seq;
525cd185 3735 chan->conn_state |= L2CAP_CONN_SREJ_ACT;
ef54fd93 3736 }
e072745f 3737 } else if (rx_control & L2CAP_CTRL_FINAL) {
525cd185 3738 if ((chan->conn_state & L2CAP_CONN_SREJ_ACT) &&
6a026610 3739 chan->srej_save_reqseq == tx_seq)
525cd185 3740 chan->conn_state &= ~L2CAP_CONN_SREJ_ACT;
e072745f 3741 else
525cd185 3742 l2cap_retransmit_one_frame(chan, tx_seq);
e072745f 3743 } else {
525cd185
GP		 3744 l2cap_retransmit_one_frame(chan, tx_seq);
3745 if (chan->conn_state & L2CAP_CONN_WAIT_F) {
6a026610 3746 chan->srej_save_reqseq = tx_seq;
525cd185 3747 chan->conn_state |= L2CAP_CONN_SREJ_ACT;
ef54fd93 3748 }
e072745f
GP		 3749 }
3750}
3751
525cd185 3752static inline void l2cap_data_channel_rnrframe(struct l2cap_chan *chan, u16 rx_control)
e072745f 3753{
e072745f
GP		 3754 u8 tx_seq = __get_reqseq(rx_control);
3755
525cd185 3756 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
0e98958d 3757
525cd185 3758 chan->conn_state |= L2CAP_CONN_REMOTE_BUSY;
42e5c802
GP		 3759 chan->expected_ack_seq = tx_seq;
3760 l2cap_drop_acked_frames(chan);
e072745f 3761
3cb123d1 3762 if (rx_control & L2CAP_CTRL_POLL)
525cd185 3763 chan->conn_state |= L2CAP_CONN_SEND_FBIT;
3cb123d1 3764
525cd185 3765 if (!(chan->conn_state & L2CAP_CONN_SREJ_SENT)) {
1a09bcb9 3766 __clear_retrans_timer(chan);
a2e12a2a 3767 if (rx_control & L2CAP_CTRL_POLL)
525cd185 3768 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_FINAL);
99b0d4b7 3769 return;
e072745f 3770 }
99b0d4b7
GP		 3771
3772 if (rx_control & L2CAP_CTRL_POLL)
525cd185 3773 l2cap_send_srejtail(chan);
99b0d4b7 3774 else
525cd185 3775 l2cap_send_sframe(chan, L2CAP_SUPER_RCV_READY);
e072745f
GP		 3776}
3777
525cd185 3778static inline int l2cap_data_channel_sframe(struct l2cap_chan *chan, u16 rx_control, struct sk_buff *skb)
e072745f 3779{
525cd185 3780 BT_DBG("chan %p rx_control 0x%4.4x len %d", chan, rx_control, skb->len);
e072745f 3781
9b16dc65 3782 if (L2CAP_CTRL_FINAL & rx_control &&
525cd185 3783 chan->conn_state & L2CAP_CONN_WAIT_F) {
1a09bcb9 3784 __clear_monitor_timer(chan);
6a026610 3785 if (chan->unacked_frames > 0)
1a09bcb9 3786 __set_retrans_timer(chan);
525cd185 3787 chan->conn_state &= ~L2CAP_CONN_WAIT_F;
e072745f
GP		 3788 }
3789
3790 switch (rx_control & L2CAP_CTRL_SUPERVISE) {
3791 case L2CAP_SUPER_RCV_READY:
525cd185 3792 l2cap_data_channel_rrframe(chan, rx_control);
8f17154f
GP		 3793 break;
3794
e072745f 3795 case L2CAP_SUPER_REJECT:
525cd185 3796 l2cap_data_channel_rejframe(chan, rx_control);
e072745f 3797 break;
2246b2f1 3798
e072745f 3799 case L2CAP_SUPER_SELECT_REJECT:
525cd185 3800 l2cap_data_channel_srejframe(chan, rx_control);
e072745f
GP		 3801 break;
3802
3803 case L2CAP_SUPER_RCV_NOT_READY:
525cd185 3804 l2cap_data_channel_rnrframe(chan, rx_control);
1c2acffb
GP		 3805 break;
3806 }
3807
faaebd19 3808 kfree_skb(skb);
1c2acffb
GP		 3809 return 0;
3810}
3811
218bb9df
GP		 3812static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb)
3813{
525cd185 3814 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
218bb9df
GP		 3815 u16 control;
3816 u8 req_seq;
3817 int len, next_tx_seq_offset, req_seq_offset;
3818
3819 control = get_unaligned_le16(skb->data);
3820 skb_pull(skb, 2);
3821 len = skb->len;
3822
3823 /*
3824 * We can just drop the corrupted I-frame here.
3825 * Receiver will miss it and start proper recovery
3826 * procedures and ask retransmission.
3827 */
47d1ec61 3828 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 3829 goto drop;
3830
3831 if (__is_sar_start(control) && __is_iframe(control))
3832 len -= 2;
3833
47d1ec61 3834 if (chan->fcs == L2CAP_FCS_CRC16)
218bb9df
GP		 3835 len -= 2;
3836
47d1ec61 3837 if (len > chan->mps) {
8c1d787b 3838 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3839 goto drop;
3840 }
3841
3842 req_seq = __get_reqseq(control);
42e5c802 3843 req_seq_offset = (req_seq - chan->expected_ack_seq) % 64;
218bb9df
GP		 3844 if (req_seq_offset < 0)
3845 req_seq_offset += 64;
3846
3847 next_tx_seq_offset =
42e5c802 3848 (chan->next_tx_seq - chan->expected_ack_seq) % 64;
218bb9df
GP		 3849 if (next_tx_seq_offset < 0)
3850 next_tx_seq_offset += 64;
3851
3852 /* check for invalid req-seq */
3853 if (req_seq_offset > next_tx_seq_offset) {
8c1d787b 3854 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3855 goto drop;
3856 }
3857
3858 if (__is_iframe(control)) {
3859 if (len < 0) {
8c1d787b 3860 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3861 goto drop;
3862 }
3863
525cd185 3864 l2cap_data_channel_iframe(chan, control, skb);
218bb9df
GP		 3865 } else {
3866 if (len != 0) {
3867 BT_ERR("%d", len);
8c1d787b 3868 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3869 goto drop;
3870 }
3871
525cd185 3872 l2cap_data_channel_sframe(chan, control, skb);
218bb9df
GP		 3873 }
3874
3875 return 0;
3876
3877drop:
3878 kfree_skb(skb);
3879 return 0;
3880}
3881
1da177e4
LT		 3882static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
3883{
48454079 3884 struct l2cap_chan *chan;
bf734843 3885 struct sock *sk = NULL;
51893f88 3886 u16 control;
218bb9df
GP		 3887 u8 tx_seq;
3888 int len;
1da177e4 3889
baa7e1fa 3890 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 3891 if (!chan) {
1da177e4
LT		 3892 BT_DBG("unknown cid 0x%4.4x", cid);
3893 goto drop;
3894 }
3895
48454079 3896 sk = chan->sk;
6840ed07 3897
49208c9c 3898 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 3899
89bc500e 3900 if (chan->state != BT_CONNECTED)
1da177e4
LT		 3901 goto drop;
3902
0c1bc5c6 3903 switch (chan->mode) {
1c2acffb
GP		 3904 case L2CAP_MODE_BASIC:
3905 /* If socket recv buffers overflows we drop data here
3906 * which is *bad* because L2CAP has to be reliable.
3907 * But we don't have any other choice. L2CAP doesn't
3908 * provide flow control mechanism. */
1da177e4 3909
0c1bc5c6 3910 if (chan->imtu < skb->len)
1c2acffb 3911 goto drop;
1da177e4 3912
23070494 3913 if (!chan->ops->recv(chan->data, skb))
1c2acffb
GP		 3914 goto done;
3915 break;
3916
3917 case L2CAP_MODE_ERTM:
218bb9df
GP		 3918 if (!sock_owned_by_user(sk)) {
3919 l2cap_ertm_data_rcv(sk, skb);
277ffbe3 3920 } else {
218bb9df 3921 if (sk_add_backlog(sk, skb))
277ffbe3 3922 goto drop;
277ffbe3 3923 }
1c2acffb 3924
fcafde2e 3925 goto done;
1c2acffb 3926
6840ed07
GP		 3927 case L2CAP_MODE_STREAMING:
3928 control = get_unaligned_le16(skb->data);
3929 skb_pull(skb, 2);
3930 len = skb->len;
3931
47d1ec61 3932 if (l2cap_check_fcs(chan, skb))
26000089
GP		 3933 goto drop;
3934
6840ed07
GP		 3935 if (__is_sar_start(control))
3936 len -= 2;
3937
47d1ec61 3938 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3
GP		 3939 len -= 2;
3940
47d1ec61 3941 if (len > chan->mps || len < 0 || __is_sframe(control))
6840ed07
GP		 3942 goto drop;
3943
3944 tx_seq = __get_txseq(control);
3945
42e5c802
GP		 3946 if (chan->expected_tx_seq == tx_seq)
3947 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
6840ed07 3948 else
42e5c802 3949 chan->expected_tx_seq = (tx_seq + 1) % 64;
6840ed07 3950
525cd185 3951 l2cap_streaming_reassembly_sdu(chan, skb, control);
6840ed07
GP		 3952
3953 goto done;
3954
1c2acffb 3955 default:
0c1bc5c6 3956 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 3957 break;
3958 }
1da177e4
LT		 3959
3960drop:
3961 kfree_skb(skb);
3962
3963done:
0139418c
MH		 3964 if (sk)
3965 bh_unlock_sock(sk);
3966
1da177e4
LT		 3967 return 0;
3968}
3969
8e036fc3 3970static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
1da177e4 3971{
6dcae1ea 3972 struct sock *sk = NULL;
23691d75 3973 struct l2cap_chan *chan;
1da177e4 3974
23691d75
GP		 3975 chan = l2cap_global_chan_by_psm(0, psm, conn->src);
3976 if (!chan)
1da177e4
LT		 3977 goto drop;
3978
23691d75
GP		 3979 sk = chan->sk;
3980
e0f0cb56
GP		 3981 bh_lock_sock(sk);
3982
1da177e4
LT		 3983 BT_DBG("sk %p, len %d", sk, skb->len);
3984
89bc500e 3985 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 3986 goto drop;
3987
0c1bc5c6 3988 if (l2cap_pi(sk)->chan->imtu < skb->len)
1da177e4
LT		 3989 goto drop;
3990
23070494 3991 if (!chan->ops->recv(chan->data, skb))
1da177e4
LT		 3992 goto done;
3993
3994drop:
3995 kfree_skb(skb);
3996
3997done:
af05b30b
GP		 3998 if (sk)
3999 bh_unlock_sock(sk);
1da177e4
LT		 4000 return 0;
4001}
4002
9f69bda6
GP		 4003static inline int l2cap_att_channel(struct l2cap_conn *conn, __le16 cid, struct sk_buff *skb)
4004{
6dcae1ea 4005 struct sock *sk = NULL;
23691d75 4006 struct l2cap_chan *chan;
9f69bda6 4007
23691d75
GP		 4008 chan = l2cap_global_chan_by_scid(0, cid, conn->src);
4009 if (!chan)
9f69bda6
GP		 4010 goto drop;
4011
23691d75
GP		 4012 sk = chan->sk;
4013
9f69bda6
GP		 4014 bh_lock_sock(sk);
4015
4016 BT_DBG("sk %p, len %d", sk, skb->len);
4017
89bc500e 4018 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
9f69bda6
GP		 4019 goto drop;
4020
0c1bc5c6 4021 if (l2cap_pi(sk)->chan->imtu < skb->len)
9f69bda6
GP		 4022 goto drop;
4023
23070494 4024 if (!chan->ops->recv(chan->data, skb))
9f69bda6
GP		 4025 goto done;
4026
4027drop:
4028 kfree_skb(skb);
4029
4030done:
4031 if (sk)
4032 bh_unlock_sock(sk);
4033 return 0;
4034}
4035
1da177e4
LT		 4036static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
4037{
4038 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 4039 u16 cid, len;
4040 __le16 psm;
1da177e4
LT		 4041
4042 skb_pull(skb, L2CAP_HDR_SIZE);
4043 cid = __le16_to_cpu(lh->cid);
4044 len = __le16_to_cpu(lh->len);
4045
1c2acffb
GP		 4046 if (len != skb->len) {
4047 kfree_skb(skb);
4048 return;
4049 }
4050
1da177e4
LT		 4051 BT_DBG("len %d, cid 0x%4.4x", len, cid);
4052
4053 switch (cid) {
3300d9a9 4054 case L2CAP_CID_LE_SIGNALING:
8db4dc46 4055 case L2CAP_CID_SIGNALING:
1da177e4
LT		 4056 l2cap_sig_channel(conn, skb);
4057 break;
4058
8db4dc46 4059 case L2CAP_CID_CONN_LESS:
1b7bf4ed 4060 psm = get_unaligned_le16(skb->data);
1da177e4
LT		 4061 skb_pull(skb, 2);
4062 l2cap_conless_channel(conn, psm, skb);
4063 break;
4064
9f69bda6
GP		 4065 case L2CAP_CID_LE_DATA:
4066 l2cap_att_channel(conn, cid, skb);
4067 break;
4068
b501d6a1
AB		 4069 case L2CAP_CID_SMP:
4070 if (smp_sig_channel(conn, skb))
4071 l2cap_conn_del(conn->hcon, EACCES);
4072 break;
4073
1da177e4
LT		 4074 default:
4075 l2cap_data_channel(conn, cid, skb);
4076 break;
4077 }
4078}
4079
4080/* ---- L2CAP interface with lower layer (HCI) ---- */
4081
4082static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
4083{
4084 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 4085 struct l2cap_chan *c;
1da177e4
LT		 4086
4087 if (type != ACL_LINK)
963cf687 4088 return -EINVAL;
1da177e4
LT		 4089
4090 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
4091
4092 /* Find listening sockets and check their link_mode */
23691d75
GP		 4093 read_lock(&chan_list_lock);
4094 list_for_each_entry(c, &chan_list, global_l) {
4095 struct sock *sk = c->sk;
4343478f 4096
89bc500e 4097 if (c->state != BT_LISTEN)
1da177e4
LT		 4098 continue;
4099
4100 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 4101 lm1 |= HCI_LM_ACCEPT;
23691d75 4102 if (c->role_switch)
2af6b9d5 4103 lm1 |= HCI_LM_MASTER;
1da177e4 4104 exact++;
2af6b9d5
MH		 4105 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
4106 lm2 |= HCI_LM_ACCEPT;
23691d75 4107 if (c->role_switch)
2af6b9d5
MH		 4108 lm2 |= HCI_LM_MASTER;
4109 }
1da177e4 4110 }
23691d75 4111 read_unlock(&chan_list_lock);
1da177e4
LT		 4112
4113 return exact ? lm1 : lm2;
4114}
4115
4116static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
4117{
0139418c
MH		 4118 struct l2cap_conn *conn;
4119
1da177e4
LT		 4120 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
4121
acd7d370 4122 if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK))
963cf687 4123 return -EINVAL;
1da177e4
LT		 4124
4125 if (!status) {
1da177e4
LT		 4126 conn = l2cap_conn_add(hcon, status);
4127 if (conn)
4128 l2cap_conn_ready(conn);
0139418c 4129 } else
1da177e4
LT		 4130 l2cap_conn_del(hcon, bt_err(status));
4131
4132 return 0;
4133}
4134
2950f21a
MH		 4135static int l2cap_disconn_ind(struct hci_conn *hcon)
4136{
4137 struct l2cap_conn *conn = hcon->l2cap_data;
4138
4139 BT_DBG("hcon %p", hcon);
4140
b5694506 4141 if ((hcon->type != ACL_LINK && hcon->type != LE_LINK) || !conn)
2950f21a
MH		 4142 return 0x13;
4143
4144 return conn->disc_reason;
4145}
4146
4147static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 4148{
4149 BT_DBG("hcon %p reason %d", hcon, reason);
4150
acd7d370 4151 if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK))
963cf687 4152 return -EINVAL;
1da177e4
LT		 4153
4154 l2cap_conn_del(hcon, bt_err(reason));
0139418c 4155
1da177e4
LT		 4156 return 0;
4157}
4158
4343478f 4159static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 4160{
715ec005 4161 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 4162 return;
4163
f62e4323 4164 if (encrypt == 0x00) {
4343478f 4165 if (chan->sec_level == BT_SECURITY_MEDIUM) {
c9b66675
GP		 4166 __clear_chan_timer(chan);
4167 __set_chan_timer(chan, HZ * 5);
4343478f 4168 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 4169 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 4170 } else {
4343478f 4171 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 4172 __clear_chan_timer(chan);
f62e4323
MH		 4173 }
4174}
4175
8c1b2355 4176static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 4177{
0139418c 4178 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 4179 struct l2cap_chan *chan;
1da177e4 4180
0139418c 4181 if (!conn)
1da177e4 4182 return 0;
0139418c 4183
1da177e4
LT		 4184 BT_DBG("conn %p", conn);
4185
baa7e1fa 4186 read_lock(&conn->chan_lock);
1da177e4 4187
baa7e1fa 4188 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 4189 struct sock *sk = chan->sk;
baa7e1fa 4190
1da177e4
LT		 4191 bh_lock_sock(sk);
4192
f1cb9af5
VCG		 4193 BT_DBG("chan->scid %d", chan->scid);
4194
4195 if (chan->scid == L2CAP_CID_LE_DATA) {
4196 if (!status && encrypt) {
4197 chan->sec_level = hcon->sec_level;
5d3de7df 4198 del_timer(&conn->security_timer);
f1cb9af5
VCG		 4199 l2cap_chan_ready(sk);
4200 }
4201
4202 bh_unlock_sock(sk);
4203 continue;
4204 }
4205
b4450035 4206 if (chan->conf_state & L2CAP_CONF_CONNECT_PEND) {
6a8d3010
MH		 4207 bh_unlock_sock(sk);
4208 continue;
4209 }
4210
89bc500e
GP		 4211 if (!status && (chan->state == BT_CONNECTED ||
4212 chan->state == BT_CONFIG)) {
4343478f 4213 l2cap_check_encryption(chan, encrypt);
9719f8af
MH		 4214 bh_unlock_sock(sk);
4215 continue;
4216 }
4217
89bc500e 4218 if (chan->state == BT_CONNECT) {
b1235d79
MH		 4219 if (!status) {
4220 struct l2cap_conn_req req;
fe4128e0
GP		 4221 req.scid = cpu_to_le16(chan->scid);
4222 req.psm = chan->psm;
1da177e4 4223
fc7f8a7e 4224 chan->ident = l2cap_get_ident(conn);
b4450035 4225 chan->conf_state |= L2CAP_CONF_CONNECT_PEND;
1da177e4 4226
fc7f8a7e 4227 l2cap_send_cmd(conn, chan->ident,
b1235d79
MH		 4228 L2CAP_CONN_REQ, sizeof(req), &req);
4229 } else {
c9b66675
GP		 4230 __clear_chan_timer(chan);
4231 __set_chan_timer(chan, HZ / 10);
b1235d79 4232 }
89bc500e 4233 } else if (chan->state == BT_CONNECT2) {
b1235d79
MH		 4234 struct l2cap_conn_rsp rsp;
4235 __u16 result;
1da177e4 4236
b1235d79 4237 if (!status) {
89bc500e 4238 l2cap_state_change(chan, BT_CONFIG);
b1235d79
MH		 4239 result = L2CAP_CR_SUCCESS;
4240 } else {
89bc500e 4241 l2cap_state_change(chan, BT_DISCONN);
c9b66675 4242 __set_chan_timer(chan, HZ / 10);
b1235d79
MH		 4243 result = L2CAP_CR_SEC_BLOCK;
4244 }
4245
fe4128e0
GP		 4246 rsp.scid = cpu_to_le16(chan->dcid);
4247 rsp.dcid = cpu_to_le16(chan->scid);
b1235d79 4248 rsp.result = cpu_to_le16(result);
e7c29cb1 4249 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
fc7f8a7e
GP		 4250 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
4251 sizeof(rsp), &rsp);
b1235d79 4252 }
1da177e4
LT		 4253
4254 bh_unlock_sock(sk);
4255 }
4256
baa7e1fa 4257 read_unlock(&conn->chan_lock);
b1235d79 4258
1da177e4
LT		 4259 return 0;
4260}
4261
4262static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
4263{
4264 struct l2cap_conn *conn = hcon->l2cap_data;
4265
5a08ecce
AE		 4266 if (!conn)
4267 conn = l2cap_conn_add(hcon, 0);
4268
4269 if (!conn)
1da177e4
LT		 4270 goto drop;
4271
4272 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
4273
e702112f 4274 if (!(flags & ACL_CONT)) {
1da177e4 4275 struct l2cap_hdr *hdr;
48454079 4276 struct l2cap_chan *chan;
89794813 4277 u16 cid;
1da177e4
LT		 4278 int len;
4279
4280 if (conn->rx_len) {
4281 BT_ERR("Unexpected start frame (len %d)", skb->len);
4282 kfree_skb(conn->rx_skb);
4283 conn->rx_skb = NULL;
4284 conn->rx_len = 0;
4285 l2cap_conn_unreliable(conn, ECOMM);
4286 }
4287
aae7fe22
AE		 4288 /* Start fragment always begin with Basic L2CAP header */
4289 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 4290 BT_ERR("Frame is too short (len %d)", skb->len);
4291 l2cap_conn_unreliable(conn, ECOMM);
4292 goto drop;
4293 }
4294
4295 hdr = (struct l2cap_hdr *) skb->data;
4296 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
89794813 4297 cid = __le16_to_cpu(hdr->cid);
1da177e4
LT		 4298
4299 if (len == skb->len) {
4300 /* Complete frame received */
4301 l2cap_recv_frame(conn, skb);
4302 return 0;
4303 }
4304
4305 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
4306
4307 if (skb->len > len) {
4308 BT_ERR("Frame is too long (len %d, expected len %d)",
4309 skb->len, len);
4310 l2cap_conn_unreliable(conn, ECOMM);
4311 goto drop;
4312 }
4313
baa7e1fa 4314 chan = l2cap_get_chan_by_scid(conn, cid);
89794813 4315
48454079
GP		 4316 if (chan && chan->sk) {
4317 struct sock *sk = chan->sk;
89794813 4318
0c1bc5c6 4319 if (chan->imtu < len - L2CAP_HDR_SIZE) {
48454079
GP		 4320 BT_ERR("Frame exceeding recv MTU (len %d, "
4321 "MTU %d)", len,
0c1bc5c6 4322 chan->imtu);
48454079
GP		 4323 bh_unlock_sock(sk);
4324 l2cap_conn_unreliable(conn, ECOMM);
4325 goto drop;
4326 }
89794813 4327 bh_unlock_sock(sk);
48454079 4328 }
89794813 4329
1da177e4 4330 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 4331 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
4332 if (!conn->rx_skb)
1da177e4
LT		 4333 goto drop;
4334
d626f62b 4335 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4336 skb->len);
1da177e4
LT		 4337 conn->rx_len = len - skb->len;
4338 } else {
4339 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
4340
4341 if (!conn->rx_len) {
4342 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
4343 l2cap_conn_unreliable(conn, ECOMM);
4344 goto drop;
4345 }
4346
4347 if (skb->len > conn->rx_len) {
4348 BT_ERR("Fragment is too long (len %d, expected %d)",
4349 skb->len, conn->rx_len);
4350 kfree_skb(conn->rx_skb);
4351 conn->rx_skb = NULL;
4352 conn->rx_len = 0;
4353 l2cap_conn_unreliable(conn, ECOMM);
4354 goto drop;
4355 }
4356
d626f62b 4357 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4358 skb->len);
1da177e4
LT		 4359 conn->rx_len -= skb->len;
4360
4361 if (!conn->rx_len) {
4362 /* Complete frame received */
4363 l2cap_recv_frame(conn, conn->rx_skb);
4364 conn->rx_skb = NULL;
4365 }
4366 }
4367
4368drop:
4369 kfree_skb(skb);
4370 return 0;
4371}
4372
aef7d97c 4373static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 4374{
23691d75 4375 struct l2cap_chan *c;
1da177e4 4376
23691d75 4377 read_lock_bh(&chan_list_lock);
1da177e4 4378
23691d75
GP		 4379 list_for_each_entry(c, &chan_list, global_l) {
4380 struct sock *sk = c->sk;
101545f6 4381
903d343e 4382 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
aef7d97c
MH		 4383 batostr(&bt_sk(sk)->src),
4384 batostr(&bt_sk(sk)->dst),
89bc500e 4385 c->state, __le16_to_cpu(c->psm),
23691d75
GP		 4386 c->scid, c->dcid, c->imtu, c->omtu,
4387 c->sec_level, c->mode);
be9d1227 4388 }
1da177e4 4389
23691d75 4390 read_unlock_bh(&chan_list_lock);
1da177e4 4391
aef7d97c 4392 return 0;
1da177e4
LT		 4393}
4394
aef7d97c
MH		 4395static int l2cap_debugfs_open(struct inode *inode, struct file *file)
4396{
4397 return single_open(file, l2cap_debugfs_show, inode->i_private);
4398}
4399
4400static const struct file_operations l2cap_debugfs_fops = {
4401 .open = l2cap_debugfs_open,
4402 .read = seq_read,
4403 .llseek = seq_lseek,
4404 .release = single_release,
4405};
4406
4407static struct dentry *l2cap_debugfs;
1da177e4 4408
1da177e4
LT		 4409static struct hci_proto l2cap_hci_proto = {
4410 .name = "L2CAP",
4411 .id = HCI_PROTO_L2CAP,
4412 .connect_ind = l2cap_connect_ind,
4413 .connect_cfm = l2cap_connect_cfm,
4414 .disconn_ind = l2cap_disconn_ind,
2950f21a 4415 .disconn_cfm = l2cap_disconn_cfm,
8c1b2355 4416 .security_cfm = l2cap_security_cfm,
1da177e4
LT		 4417 .recv_acldata = l2cap_recv_acldata
4418};
4419
64274518 4420int __init l2cap_init(void)
1da177e4
LT		 4421{
4422 int err;
be9d1227 4423
bb58f747 4424 err = l2cap_init_sockets();
1da177e4
LT		 4425 if (err < 0)
4426 return err;
4427
1890d36b 4428 _busy_wq = create_singlethread_workqueue("l2cap");
b78d7b4f 4429 if (!_busy_wq) {
bb58f747 4430 err = -ENOMEM;
1da177e4
LT		 4431 goto error;
4432 }
4433
4434 err = hci_register_proto(&l2cap_hci_proto);
4435 if (err < 0) {
4436 BT_ERR("L2CAP protocol registration failed");
4437 bt_sock_unregister(BTPROTO_L2CAP);
4438 goto error;
4439 }
4440
aef7d97c
MH		 4441 if (bt_debugfs) {
4442 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
4443 bt_debugfs, NULL, &l2cap_debugfs_fops);
4444 if (!l2cap_debugfs)
4445 BT_ERR("Failed to create L2CAP debug file");
4446 }
1da177e4 4447
1da177e4
LT		 4448 return 0;
4449
4450error:
b78d7b4f 4451 destroy_workqueue(_busy_wq);
bb58f747 4452 l2cap_cleanup_sockets();
1da177e4
LT		 4453 return err;
4454}
4455
64274518 4456void l2cap_exit(void)
1da177e4 4457{
aef7d97c 4458 debugfs_remove(l2cap_debugfs);
1da177e4 4459
1890d36b
GP		 4460 flush_workqueue(_busy_wq);
4461 destroy_workqueue(_busy_wq);
4462
1da177e4
LT		 4463 if (hci_unregister_proto(&l2cap_hci_proto) < 0)
4464 BT_ERR("L2CAP protocol unregistration failed");
4465
bb58f747 4466 l2cap_cleanup_sockets();
1da177e4
LT		 4467}
4468
d1c4a17d
GP		 4469module_param(disable_ertm, bool, 0644);
4470MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
kernel source for telekom puls (alcatel/mediatek)