projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: EWS: support extended seq numbers
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
1da177e4
LT		 6
7 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License version 2 as
11 published by the Free Software Foundation;
12
13 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
14 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
15 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
16 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 17 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
18 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
19 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 20 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
21
8e87d142
YH		 22 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
23 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 24 SOFTWARE IS DISCLAIMED.
25*/
26
bb58f747 27/* Bluetooth L2CAP core. */
1da177e4 28
1da177e4
LT		 29#include <linux/module.h>
30
31#include <linux/types.h>
4fc268d2 32#include <linux/capability.h>
1da177e4
LT		 33#include <linux/errno.h>
34#include <linux/kernel.h>
1da177e4
LT		 35#include <linux/sched.h>
36#include <linux/slab.h>
37#include <linux/poll.h>
38#include <linux/fcntl.h>
39#include <linux/init.h>
40#include <linux/interrupt.h>
41#include <linux/socket.h>
42#include <linux/skbuff.h>
1da177e4 43#include <linux/list.h>
be9d1227 44#include <linux/device.h>
aef7d97c
MH		 45#include <linux/debugfs.h>
46#include <linux/seq_file.h>
af05b30b 47#include <linux/uaccess.h>
fcc203c3 48#include <linux/crc16.h>
1da177e4
LT		 49#include <net/sock.h>
50
51#include <asm/system.h>
1da177e4
LT		 52#include <asm/unaligned.h>
53
54#include <net/bluetooth/bluetooth.h>
55#include <net/bluetooth/hci_core.h>
56#include <net/bluetooth/l2cap.h>
b501d6a1 57#include <net/bluetooth/smp.h>
1da177e4 58
bb58f747 59int disable_ertm;
a5fd6f30 60int enable_hs;
f0709e03 61
47ec1dcd 62static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
e1027a7c 63static u8 l2cap_fixed_chan[8] = { 0x02, };
1da177e4 64
b5ad8b7f
JB		 65static LIST_HEAD(chan_list);
66static DEFINE_RWLOCK(chan_list_lock);
1da177e4 67
1da177e4
LT		 68static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
69 u8 code, u8 ident, u16 dlen, void *data);
4519de9a
GP		 70static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
71 void *data);
710f9b0a 72static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
4519de9a
GP		 73static void l2cap_send_disconn_req(struct l2cap_conn *conn,
74 struct l2cap_chan *chan, int err);
1da177e4 75
218bb9df
GP		 76static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb);
77
0139418c 78/* ---- L2CAP channels ---- */
71ba0e56
GP		 79
80static inline void chan_hold(struct l2cap_chan *c)
81{
82 atomic_inc(&c->refcnt);
83}
84
85static inline void chan_put(struct l2cap_chan *c)
86{
87 if (atomic_dec_and_test(&c->refcnt))
88 kfree(c);
89}
90
baa7e1fa 91static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
0139418c 92{
48454079 93 struct l2cap_chan *c;
baa7e1fa
GP		 94
95 list_for_each_entry(c, &conn->chan_l, list) {
fe4128e0 96 if (c->dcid == cid)
baa7e1fa 97 return c;
0139418c 98 }
baa7e1fa
GP		 99 return NULL;
100
0139418c
MH		 101}
102
baa7e1fa 103static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 104{
48454079 105 struct l2cap_chan *c;
baa7e1fa
GP		 106
107 list_for_each_entry(c, &conn->chan_l, list) {
fe4128e0 108 if (c->scid == cid)
baa7e1fa 109 return c;
0139418c 110 }
baa7e1fa 111 return NULL;
0139418c
MH		 112}
113
114/* Find channel with given SCID.
115 * Returns locked socket */
baa7e1fa 116static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 117{
48454079 118 struct l2cap_chan *c;
baa7e1fa
GP		 119
120 read_lock(&conn->chan_lock);
121 c = __l2cap_get_chan_by_scid(conn, cid);
48454079
GP		 122 if (c)
123 bh_lock_sock(c->sk);
baa7e1fa 124 read_unlock(&conn->chan_lock);
48454079 125 return c;
0139418c
MH		 126}
127
baa7e1fa 128static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 129{
48454079 130 struct l2cap_chan *c;
baa7e1fa
GP		 131
132 list_for_each_entry(c, &conn->chan_l, list) {
fc7f8a7e 133 if (c->ident == ident)
baa7e1fa 134 return c;
0139418c 135 }
baa7e1fa 136 return NULL;
0139418c
MH		 137}
138
baa7e1fa 139static inline struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 140{
48454079 141 struct l2cap_chan *c;
baa7e1fa
GP		 142
143 read_lock(&conn->chan_lock);
144 c = __l2cap_get_chan_by_ident(conn, ident);
48454079
GP		 145 if (c)
146 bh_lock_sock(c->sk);
baa7e1fa 147 read_unlock(&conn->chan_lock);
48454079 148 return c;
0139418c
MH		 149}
150
23691d75 151static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 152{
23691d75 153 struct l2cap_chan *c;
9e4425ff 154
23691d75
GP		 155 list_for_each_entry(c, &chan_list, global_l) {
156 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
9e4425ff
GP		 157 goto found;
158 }
159
23691d75 160 c = NULL;
9e4425ff 161found:
23691d75 162 return c;
9e4425ff
GP		 163}
164
165int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
166{
73b2ec18
GP		 167 int err;
168
23691d75 169 write_lock_bh(&chan_list_lock);
9e4425ff 170
23691d75 171 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 172 err = -EADDRINUSE;
173 goto done;
9e4425ff
GP		 174 }
175
73b2ec18
GP		 176 if (psm) {
177 chan->psm = psm;
178 chan->sport = psm;
179 err = 0;
180 } else {
181 u16 p;
182
183 err = -EINVAL;
184 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 185 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 186 chan->psm = cpu_to_le16(p);
187 chan->sport = cpu_to_le16(p);
188 err = 0;
189 break;
190 }
191 }
9e4425ff 192
73b2ec18 193done:
23691d75 194 write_unlock_bh(&chan_list_lock);
73b2ec18 195 return err;
9e4425ff
GP		 196}
197
198int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
199{
23691d75 200 write_lock_bh(&chan_list_lock);
9e4425ff
GP		 201
202 chan->scid = scid;
203
23691d75 204 write_unlock_bh(&chan_list_lock);
9e4425ff
GP		 205
206 return 0;
207}
208
baa7e1fa 209static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 210{
8db4dc46 211 u16 cid = L2CAP_CID_DYN_START;
0139418c 212
8db4dc46 213 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 214 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 215 return cid;
216 }
217
218 return 0;
219}
220
c9b66675 221static void l2cap_set_timer(struct l2cap_chan *chan, struct timer_list *timer, long timeout)
ab07801d 222{
774e5651 223 BT_DBG("chan %p state %d timeout %ld", chan->sk, chan->state, timeout);
89bc500e 224
942ecc9c 225 if (!mod_timer(timer, jiffies + msecs_to_jiffies(timeout)))
774e5651 226 chan_hold(chan);
ab07801d
GP		 227}
228
c9b66675 229static void l2cap_clear_timer(struct l2cap_chan *chan, struct timer_list *timer)
ab07801d 230{
774e5651 231 BT_DBG("chan %p state %d", chan, chan->state);
ab07801d 232
774e5651
MM		 233 if (timer_pending(timer) && del_timer(timer))
234 chan_put(chan);
ab07801d
GP		 235}
236
89bc500e
GP		 237static void l2cap_state_change(struct l2cap_chan *chan, int state)
238{
239 chan->state = state;
240 chan->ops->state_change(chan->data, state);
241}
242
ab07801d
GP		 243static void l2cap_chan_timeout(unsigned long arg)
244{
245 struct l2cap_chan *chan = (struct l2cap_chan *) arg;
246 struct sock *sk = chan->sk;
247 int reason;
248
89bc500e 249 BT_DBG("chan %p state %d", chan, chan->state);
ab07801d
GP		 250
251 bh_lock_sock(sk);
252
253 if (sock_owned_by_user(sk)) {
254 /* sk is owned by user. Try again later */
c9b66675 255 __set_chan_timer(chan, HZ / 5);
ab07801d 256 bh_unlock_sock(sk);
71ba0e56 257 chan_put(chan);
ab07801d
GP		 258 return;
259 }
260
89bc500e 261 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 262 reason = ECONNREFUSED;
89bc500e 263 else if (chan->state == BT_CONNECT &&
ab07801d
GP		 264 chan->sec_level != BT_SECURITY_SDP)
265 reason = ECONNREFUSED;
266 else
267 reason = ETIMEDOUT;
268
0f852724 269 l2cap_chan_close(chan, reason);
ab07801d
GP		 270
271 bh_unlock_sock(sk);
272
ba3bd0ee 273 chan->ops->close(chan->data);
71ba0e56 274 chan_put(chan);
ab07801d
GP		 275}
276
23691d75 277struct l2cap_chan *l2cap_chan_create(struct sock *sk)
48454079
GP		 278{
279 struct l2cap_chan *chan;
280
281 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
282 if (!chan)
283 return NULL;
284
285 chan->sk = sk;
286
23691d75
GP		 287 write_lock_bh(&chan_list_lock);
288 list_add(&chan->global_l, &chan_list);
289 write_unlock_bh(&chan_list_lock);
290
ab07801d
GP		 291 setup_timer(&chan->chan_timer, l2cap_chan_timeout, (unsigned long) chan);
292
89bc500e
GP		 293 chan->state = BT_OPEN;
294
71ba0e56
GP		 295 atomic_set(&chan->refcnt, 1);
296
48454079
GP		 297 return chan;
298}
299
23691d75 300void l2cap_chan_destroy(struct l2cap_chan *chan)
6ff5abbf 301{
23691d75
GP		 302 write_lock_bh(&chan_list_lock);
303 list_del(&chan->global_l);
304 write_unlock_bh(&chan_list_lock);
305
71ba0e56 306 chan_put(chan);
6ff5abbf
GP		 307}
308
48454079 309static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 310{
af05b30b 311 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
fe4128e0 312 chan->psm, chan->dcid);
0139418c 313
2950f21a
MH		 314 conn->disc_reason = 0x13;
315
8c1d787b 316 chan->conn = conn;
0139418c 317
715ec005 318 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
b62f328b
VT		 319 if (conn->hcon->type == LE_LINK) {
320 /* LE connection */
0c1bc5c6 321 chan->omtu = L2CAP_LE_DEFAULT_MTU;
fe4128e0
GP		 322 chan->scid = L2CAP_CID_LE_DATA;
323 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 324 } else {
325 /* Alloc CID for connection-oriented socket */
fe4128e0 326 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 327 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 328 }
715ec005 329 } else if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
0139418c 330 /* Connectionless socket */
fe4128e0
GP		 331 chan->scid = L2CAP_CID_CONN_LESS;
332 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 333 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 334 } else {
335 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 336 chan->scid = L2CAP_CID_SIGNALING;
337 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 338 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 339 }
340
8f7975b1
AE		 341 chan->local_id = L2CAP_BESTEFFORT_ID;
342 chan->local_stype = L2CAP_SERV_BESTEFFORT;
343 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
344 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
345 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
346 chan->local_flush_to = L2CAP_DEFAULT_FLUSH_TO;
347
71ba0e56 348 chan_hold(chan);
baa7e1fa
GP		 349
350 list_add(&chan->list, &conn->chan_l);
0139418c
MH		 351}
352
8e87d142 353/* Delete channel.
0139418c 354 * Must be called on the locked socket. */
4519de9a 355static void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 356{
48454079 357 struct sock *sk = chan->sk;
8c1d787b 358 struct l2cap_conn *conn = chan->conn;
0139418c
MH		 359 struct sock *parent = bt_sk(sk)->parent;
360
c9b66675 361 __clear_chan_timer(chan);
0139418c 362
49208c9c 363 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 364
8e87d142 365 if (conn) {
baa7e1fa
GP		 366 /* Delete from channel list */
367 write_lock_bh(&conn->chan_lock);
368 list_del(&chan->list);
369 write_unlock_bh(&conn->chan_lock);
71ba0e56 370 chan_put(chan);
baa7e1fa 371
8c1d787b 372 chan->conn = NULL;
0139418c
MH		 373 hci_conn_put(conn->hcon);
374 }
375
89bc500e 376 l2cap_state_change(chan, BT_CLOSED);
0139418c
MH		 377 sock_set_flag(sk, SOCK_ZAPPED);
378
379 if (err)
380 sk->sk_err = err;
381
382 if (parent) {
383 bt_accept_unlink(sk);
384 parent->sk_data_ready(parent, 0);
385 } else
386 sk->sk_state_change(sk);
c13ffa62 387
c1360a1c
GP		 388 if (!(test_bit(CONF_OUTPUT_DONE, &chan->conf_state) &&
389 test_bit(CONF_INPUT_DONE, &chan->conf_state)))
6ff5abbf 390 return;
2ead70b8 391
58d35f87 392 skb_queue_purge(&chan->tx_q);
c13ffa62 393
0c1bc5c6 394 if (chan->mode == L2CAP_MODE_ERTM) {
c13ffa62
GP		 395 struct srej_list *l, *tmp;
396
1a09bcb9
GP		 397 __clear_retrans_timer(chan);
398 __clear_monitor_timer(chan);
399 __clear_ack_timer(chan);
c13ffa62 400
f1c6775b 401 skb_queue_purge(&chan->srej_q);
c13ffa62 402
39d5a3ee 403 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
c13ffa62
GP		 404 list_del(&l->list);
405 kfree(l);
406 }
407 }
0139418c
MH		 408}
409
4519de9a
GP		 410static void l2cap_chan_cleanup_listen(struct sock *parent)
411{
412 struct sock *sk;
413
414 BT_DBG("parent %p", parent);
415
416 /* Close not yet accepted channels */
0f852724 417 while ((sk = bt_accept_dequeue(parent, NULL))) {
ba3bd0ee 418 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
c9b66675 419 __clear_chan_timer(chan);
0f852724 420 lock_sock(sk);
ba3bd0ee 421 l2cap_chan_close(chan, ECONNRESET);
0f852724 422 release_sock(sk);
ba3bd0ee 423 chan->ops->close(chan->data);
0f852724 424 }
4519de9a
GP		 425}
426
0f852724 427void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 428{
429 struct l2cap_conn *conn = chan->conn;
430 struct sock *sk = chan->sk;
431
89bc500e 432 BT_DBG("chan %p state %d socket %p", chan, chan->state, sk->sk_socket);
4519de9a 433
89bc500e 434 switch (chan->state) {
4519de9a
GP		 435 case BT_LISTEN:
436 l2cap_chan_cleanup_listen(sk);
89bc500e
GP		 437
438 l2cap_state_change(chan, BT_CLOSED);
439 sock_set_flag(sk, SOCK_ZAPPED);
4519de9a
GP		 440 break;
441
442 case BT_CONNECTED:
443 case BT_CONFIG:
715ec005 444 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a 445 conn->hcon->type == ACL_LINK) {
c9b66675
GP		 446 __clear_chan_timer(chan);
447 __set_chan_timer(chan, sk->sk_sndtimeo);
4519de9a
GP		 448 l2cap_send_disconn_req(conn, chan, reason);
449 } else
450 l2cap_chan_del(chan, reason);
451 break;
452
453 case BT_CONNECT2:
715ec005 454 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a
GP		 455 conn->hcon->type == ACL_LINK) {
456 struct l2cap_conn_rsp rsp;
457 __u16 result;
458
459 if (bt_sk(sk)->defer_setup)
460 result = L2CAP_CR_SEC_BLOCK;
461 else
462 result = L2CAP_CR_BAD_PSM;
89bc500e 463 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 464
465 rsp.scid = cpu_to_le16(chan->dcid);
466 rsp.dcid = cpu_to_le16(chan->scid);
467 rsp.result = cpu_to_le16(result);
468 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
469 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
470 sizeof(rsp), &rsp);
471 }
472
473 l2cap_chan_del(chan, reason);
474 break;
475
476 case BT_CONNECT:
477 case BT_DISCONN:
478 l2cap_chan_del(chan, reason);
479 break;
480
481 default:
482 sock_set_flag(sk, SOCK_ZAPPED);
483 break;
484 }
485}
486
4343478f 487static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 488{
715ec005 489 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 490 switch (chan->sec_level) {
8556edd3
JH		 491 case BT_SECURITY_HIGH:
492 return HCI_AT_DEDICATED_BONDING_MITM;
493 case BT_SECURITY_MEDIUM:
494 return HCI_AT_DEDICATED_BONDING;
495 default:
496 return HCI_AT_NO_BONDING;
497 }
fe4128e0 498 } else if (chan->psm == cpu_to_le16(0x0001)) {
4343478f
GP		 499 if (chan->sec_level == BT_SECURITY_LOW)
500 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 501
4343478f 502 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 503 return HCI_AT_NO_BONDING_MITM;
00ae4af9 504 else
8556edd3 505 return HCI_AT_NO_BONDING;
00ae4af9 506 } else {
4343478f 507 switch (chan->sec_level) {
00ae4af9 508 case BT_SECURITY_HIGH:
8556edd3 509 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 510 case BT_SECURITY_MEDIUM:
8556edd3 511 return HCI_AT_GENERAL_BONDING;
00ae4af9 512 default:
8556edd3 513 return HCI_AT_NO_BONDING;
00ae4af9 514 }
0684e5f9 515 }
8556edd3
JH		 516}
517
518/* Service level security */
4343478f 519static inline int l2cap_check_security(struct l2cap_chan *chan)
8556edd3 520{
8c1d787b 521 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 522 __u8 auth_type;
523
4343478f 524 auth_type = l2cap_get_auth_type(chan);
79d554a6 525
4343478f 526 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 527}
528
b5ad8b7f 529static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 530{
531 u8 id;
532
533 /* Get next available identificator.
534 * 1 - 128 are used by kernel.
535 * 129 - 199 are reserved.
536 * 200 - 254 are used by utilities like l2ping, etc.
537 */
538
539 spin_lock_bh(&conn->lock);
540
541 if (++conn->tx_ident > 128)
542 conn->tx_ident = 1;
543
544 id = conn->tx_ident;
545
546 spin_unlock_bh(&conn->lock);
547
548 return id;
549}
550
4519de9a 551static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
4e8402a3
MH		 552{
553 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 554 u8 flags;
4e8402a3
MH		 555
556 BT_DBG("code 0x%2.2x", code);
557
558 if (!skb)
9a9c6a34 559 return;
4e8402a3 560
e702112f
AE		 561 if (lmp_no_flush_capable(conn->hcon->hdev))
562 flags = ACL_START_NO_FLUSH;
563 else
564 flags = ACL_START;
565
14b12d0b
JG		 566 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
567
e702112f 568 hci_send_acl(conn->hcon, skb, flags);
4e8402a3
MH		 569}
570
88843ab0 571static inline void l2cap_send_sframe(struct l2cap_chan *chan, u32 control)
1c2acffb
GP		 572{
573 struct sk_buff *skb;
574 struct l2cap_hdr *lh;
8c1d787b 575 struct l2cap_conn *conn = chan->conn;
e4ca6d98 576 int count, hlen;
e702112f 577 u8 flags;
fcc203c3 578
89bc500e 579 if (chan->state != BT_CONNECTED)
c13ffa62
GP		 580 return;
581
e4ca6d98
AE		 582 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
583 hlen = L2CAP_EXT_HDR_SIZE;
584 else
585 hlen = L2CAP_ENH_HDR_SIZE;
586
47d1ec61 587 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3 588 hlen += 2;
1c2acffb 589
88843ab0 590 BT_DBG("chan %p, control 0x%8.8x", chan, control);
1c2acffb 591
fcc203c3 592 count = min_t(unsigned int, conn->mtu, hlen);
793c2f1c
AE		 593
594 control |= __set_sframe(chan);
1c2acffb 595
e2ab4353 596 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
03f6715d 597 control |= __set_ctrl_final(chan);
9e917af1 598
e2ab4353 599 if (test_and_clear_bit(CONN_SEND_PBIT, &chan->conn_state))
e3781735 600 control |= __set_ctrl_poll(chan);
f0946ccf 601
1c2acffb
GP		 602 skb = bt_skb_alloc(count, GFP_ATOMIC);
603 if (!skb)
9a9c6a34 604 return;
1c2acffb
GP		 605
606 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fcc203c3 607 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
fe4128e0 608 lh->cid = cpu_to_le16(chan->dcid);
88843ab0
AE		 609
610 __put_control(chan, control, skb_put(skb, __ctrl_size(chan)));
1c2acffb 611
47d1ec61 612 if (chan->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 613 u16 fcs = crc16(0, (u8 *)lh, count - 2);
614 put_unaligned_le16(fcs, skb_put(skb, 2));
615 }
616
e702112f
AE		 617 if (lmp_no_flush_capable(conn->hcon->hdev))
618 flags = ACL_START_NO_FLUSH;
619 else
620 flags = ACL_START;
621
15770b1a 622 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
14b12d0b 623
8c1d787b 624 hci_send_acl(chan->conn->hcon, skb, flags);
1c2acffb
GP		 625}
626
88843ab0 627static inline void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, u32 control)
7e743090 628{
e2ab4353 629 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
ab784b73 630 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
e2ab4353 631 set_bit(CONN_RNR_SENT, &chan->conn_state);
1890d36b 632 } else
ab784b73 633 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
7e743090 634
0b209fae 635 control |= __set_reqseq(chan, chan->buffer_seq);
2ab25cdd 636
525cd185 637 l2cap_send_sframe(chan, control);
7e743090
GP		 638}
639
b4450035 640static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 641{
c1360a1c 642 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 643}
644
fc7f8a7e 645static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 646{
8c1d787b 647 struct l2cap_conn *conn = chan->conn;
79d554a6
MH		 648
649 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 650 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
651 return;
652
4343478f
GP		 653 if (l2cap_check_security(chan) &&
654 __l2cap_no_conn_pending(chan)) {
b1235d79 655 struct l2cap_conn_req req;
fe4128e0
GP		 656 req.scid = cpu_to_le16(chan->scid);
657 req.psm = chan->psm;
79d554a6 658
fc7f8a7e 659 chan->ident = l2cap_get_ident(conn);
c1360a1c 660 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
79d554a6 661
fc7f8a7e
GP		 662 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
663 sizeof(req), &req);
b1235d79 664 }
79d554a6
MH		 665 } else {
666 struct l2cap_info_req req;
667 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
668
669 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
670 conn->info_ident = l2cap_get_ident(conn);
671
672 mod_timer(&conn->info_timer, jiffies +
673 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
674
675 l2cap_send_cmd(conn, conn->info_ident,
676 L2CAP_INFO_REQ, sizeof(req), &req);
677 }
678}
679
cf6c2c0b
GP		 680static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
681{
682 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 683 if (!disable_ertm)
cf6c2c0b
GP		 684 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
685
686 switch (mode) {
687 case L2CAP_MODE_ERTM:
688 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
689 case L2CAP_MODE_STREAMING:
690 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
691 default:
692 return 0x00;
693 }
694}
695
4519de9a 696static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
22121fc9 697{
e92c8e70 698 struct sock *sk;
22121fc9
GP		 699 struct l2cap_disconn_req req;
700
c13ffa62
GP		 701 if (!conn)
702 return;
703
e92c8e70
GP		 704 sk = chan->sk;
705
0c1bc5c6 706 if (chan->mode == L2CAP_MODE_ERTM) {
1a09bcb9
GP		 707 __clear_retrans_timer(chan);
708 __clear_monitor_timer(chan);
709 __clear_ack_timer(chan);
c13ffa62
GP		 710 }
711
fe4128e0
GP		 712 req.dcid = cpu_to_le16(chan->dcid);
713 req.scid = cpu_to_le16(chan->scid);
22121fc9
GP		 714 l2cap_send_cmd(conn, l2cap_get_ident(conn),
715 L2CAP_DISCONN_REQ, sizeof(req), &req);
c13ffa62 716
89bc500e 717 l2cap_state_change(chan, BT_DISCONN);
9b108fc0 718 sk->sk_err = err;
22121fc9
GP		 719}
720
1da177e4 721/* ---- L2CAP connections ---- */
4e8402a3
MH		 722static void l2cap_conn_start(struct l2cap_conn *conn)
723{
820ffdb3 724 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 725
726 BT_DBG("conn %p", conn);
727
baa7e1fa 728 read_lock(&conn->chan_lock);
4e8402a3 729
820ffdb3 730 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 731 struct sock *sk = chan->sk;
baa7e1fa 732
4e8402a3
MH		 733 bh_lock_sock(sk);
734
715ec005 735 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
79d554a6
MH		 736 bh_unlock_sock(sk);
737 continue;
738 }
739
89bc500e 740 if (chan->state == BT_CONNECT) {
47731de7 741 struct l2cap_conn_req req;
79d554a6 742
4343478f 743 if (!l2cap_check_security(chan) ||
b4450035 744 !__l2cap_no_conn_pending(chan)) {
47731de7
GP		 745 bh_unlock_sock(sk);
746 continue;
747 }
79d554a6 748
c1360a1c
GP		 749 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
750 && test_bit(CONF_STATE2_DEVICE,
751 &chan->conf_state)) {
0f852724 752 /* l2cap_chan_close() calls list_del(chan)
820ffdb3 753 * so release the lock */
2461daac 754 read_unlock(&conn->chan_lock);
89bc500e 755 l2cap_chan_close(chan, ECONNRESET);
2461daac 756 read_lock(&conn->chan_lock);
47731de7
GP		 757 bh_unlock_sock(sk);
758 continue;
b1235d79 759 }
47731de7 760
fe4128e0
GP		 761 req.scid = cpu_to_le16(chan->scid);
762 req.psm = chan->psm;
47731de7 763
fc7f8a7e 764 chan->ident = l2cap_get_ident(conn);
c1360a1c 765 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
47731de7 766
fc7f8a7e
GP		 767 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
768 sizeof(req), &req);
47731de7 769
89bc500e 770 } else if (chan->state == BT_CONNECT2) {
79d554a6 771 struct l2cap_conn_rsp rsp;
e9aeb2dd 772 char buf[128];
fe4128e0
GP		 773 rsp.scid = cpu_to_le16(chan->dcid);
774 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 775
4343478f 776 if (l2cap_check_security(chan)) {
f66dc81f
MH		 777 if (bt_sk(sk)->defer_setup) {
778 struct sock *parent = bt_sk(sk)->parent;
779 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
780 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
05e9a2f6
IK		 781 if (parent)
782 parent->sk_data_ready(parent, 0);
f66dc81f
MH		 783
784 } else {
89bc500e 785 l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 786 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
787 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
788 }
79d554a6
MH		 789 } else {
790 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
791 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
792 }
793
fc7f8a7e
GP		 794 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
795 sizeof(rsp), &rsp);
e9aeb2dd 796
c1360a1c 797 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
e9aeb2dd
GP		 798 rsp.result != L2CAP_CR_SUCCESS) {
799 bh_unlock_sock(sk);
800 continue;
801 }
802
c1360a1c 803 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 804 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 805 l2cap_build_conf_req(chan, buf), buf);
806 chan->num_conf_req++;
4e8402a3
MH		 807 }
808
809 bh_unlock_sock(sk);
810 }
811
baa7e1fa 812 read_unlock(&conn->chan_lock);
4e8402a3
MH		 813}
814
b62f328b
VT		 815/* Find socket with cid and source bdaddr.
816 * Returns closest match, locked.
817 */
23691d75 818static struct l2cap_chan *l2cap_global_chan_by_scid(int state, __le16 cid, bdaddr_t *src)
b62f328b 819{
23691d75 820 struct l2cap_chan *c, *c1 = NULL;
b62f328b 821
23691d75 822 read_lock(&chan_list_lock);
b62f328b 823
23691d75
GP		 824 list_for_each_entry(c, &chan_list, global_l) {
825 struct sock *sk = c->sk;
fe4128e0 826
89bc500e 827 if (state && c->state != state)
b62f328b
VT		 828 continue;
829
23691d75 830 if (c->scid == cid) {
b62f328b 831 /* Exact match. */
23691d75
GP		 832 if (!bacmp(&bt_sk(sk)->src, src)) {
833 read_unlock(&chan_list_lock);
834 return c;
835 }
b62f328b
VT		 836
837 /* Closest match */
838 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
23691d75 839 c1 = c;
b62f328b
VT		 840 }
841 }
280f294f 842
23691d75 843 read_unlock(&chan_list_lock);
b62f328b 844
23691d75 845 return c1;
b62f328b
VT		 846}
847
848static void l2cap_le_conn_ready(struct l2cap_conn *conn)
849{
c916fbe4 850 struct sock *parent, *sk;
23691d75 851 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 852
853 BT_DBG("");
854
855 /* Check if we have socket listening on cid */
23691d75 856 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
b62f328b 857 conn->src);
23691d75 858 if (!pchan)
b62f328b
VT		 859 return;
860
23691d75
GP		 861 parent = pchan->sk;
862
62f3a2cf
GP		 863 bh_lock_sock(parent);
864
b62f328b
VT		 865 /* Check for backlog size */
866 if (sk_acceptq_is_full(parent)) {
867 BT_DBG("backlog full %d", parent->sk_ack_backlog);
868 goto clean;
869 }
870
80808e43
GP		 871 chan = pchan->ops->new_connection(pchan->data);
872 if (!chan)
b62f328b
VT		 873 goto clean;
874
80808e43 875 sk = chan->sk;
5d41ce1d 876
baa7e1fa 877 write_lock_bh(&conn->chan_lock);
b62f328b
VT		 878
879 hci_conn_hold(conn->hcon);
880
b62f328b
VT		 881 bacpy(&bt_sk(sk)->src, conn->src);
882 bacpy(&bt_sk(sk)->dst, conn->dst);
883
d1010240
GP		 884 bt_accept_enqueue(parent, sk);
885
48454079
GP		 886 __l2cap_chan_add(conn, chan);
887
c9b66675 888 __set_chan_timer(chan, sk->sk_sndtimeo);
b62f328b 889
89bc500e 890 l2cap_state_change(chan, BT_CONNECTED);
b62f328b
VT		 891 parent->sk_data_ready(parent, 0);
892
baa7e1fa 893 write_unlock_bh(&conn->chan_lock);
b62f328b
VT		 894
895clean:
896 bh_unlock_sock(parent);
897}
898
f1cb9af5
VCG		 899static void l2cap_chan_ready(struct sock *sk)
900{
901 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
902 struct sock *parent = bt_sk(sk)->parent;
903
904 BT_DBG("sk %p, parent %p", sk, parent);
905
906 chan->conf_state = 0;
907 __clear_chan_timer(chan);
908
43f3dc41 909 l2cap_state_change(chan, BT_CONNECTED);
f1cb9af5
VCG		 910 sk->sk_state_change(sk);
911
912 if (parent)
913 parent->sk_data_ready(parent, 0);
914}
915
4e8402a3
MH		 916static void l2cap_conn_ready(struct l2cap_conn *conn)
917{
48454079 918 struct l2cap_chan *chan;
4e8402a3 919
79d554a6 920 BT_DBG("conn %p", conn);
4e8402a3 921
b62f328b
VT		 922 if (!conn->hcon->out && conn->hcon->type == LE_LINK)
923 l2cap_le_conn_ready(conn);
924
160dc6ac
VCG		 925 if (conn->hcon->out && conn->hcon->type == LE_LINK)
926 smp_conn_security(conn, conn->hcon->pending_sec_level);
927
baa7e1fa 928 read_lock(&conn->chan_lock);
4e8402a3 929
baa7e1fa 930 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 931 struct sock *sk = chan->sk;
baa7e1fa 932
79d554a6 933 bh_lock_sock(sk);
4e8402a3 934
63128451 935 if (conn->hcon->type == LE_LINK) {
b501d6a1 936 if (smp_conn_security(conn, chan->sec_level))
f1cb9af5 937 l2cap_chan_ready(sk);
acd7d370 938
63128451 939 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 940 __clear_chan_timer(chan);
89bc500e 941 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 942 sk->sk_state_change(sk);
b501d6a1 943
89bc500e 944 } else if (chan->state == BT_CONNECT)
fc7f8a7e 945 l2cap_do_start(chan);
4e8402a3 946
79d554a6 947 bh_unlock_sock(sk);
4e8402a3 948 }
79d554a6 949
baa7e1fa 950 read_unlock(&conn->chan_lock);
4e8402a3
MH		 951}
952
953/* Notify sockets that we cannot guaranty reliability anymore */
954static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
955{
48454079 956 struct l2cap_chan *chan;
4e8402a3
MH		 957
958 BT_DBG("conn %p", conn);
959
baa7e1fa 960 read_lock(&conn->chan_lock);
4e8402a3 961
baa7e1fa 962 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 963 struct sock *sk = chan->sk;
baa7e1fa 964
ecf61bdb 965 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
4e8402a3
MH		 966 sk->sk_err = err;
967 }
968
baa7e1fa 969 read_unlock(&conn->chan_lock);
4e8402a3
MH		 970}
971
972static void l2cap_info_timeout(unsigned long arg)
973{
974 struct l2cap_conn *conn = (void *) arg;
975
984947dc 976 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 977 conn->info_ident = 0;
984947dc 978
4e8402a3
MH		 979 l2cap_conn_start(conn);
980}
981
5d3de7df
VCG		 982static void l2cap_conn_del(struct hci_conn *hcon, int err)
983{
984 struct l2cap_conn *conn = hcon->l2cap_data;
985 struct l2cap_chan *chan, *l;
986 struct sock *sk;
987
988 if (!conn)
989 return;
990
991 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
992
993 kfree_skb(conn->rx_skb);
994
995 /* Kill channels */
996 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
997 sk = chan->sk;
998 bh_lock_sock(sk);
999 l2cap_chan_del(chan, err);
1000 bh_unlock_sock(sk);
1001 chan->ops->close(chan->data);
1002 }
1003
1004 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1005 del_timer_sync(&conn->info_timer);
1006
d26a2345 1007 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->pend)) {
5d3de7df 1008 del_timer(&conn->security_timer);
8aab4757 1009 smp_chan_destroy(conn);
d26a2345 1010 }
5d3de7df
VCG		 1011
1012 hcon->l2cap_data = NULL;
1013 kfree(conn);
1014}
1015
1016static void security_timeout(unsigned long arg)
1017{
1018 struct l2cap_conn *conn = (void *) arg;
1019
1020 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1021}
1022
1da177e4
LT		 1023static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1024{
0139418c 1025 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4 1026
0139418c 1027 if (conn || status)
1da177e4
LT		 1028 return conn;
1029
0139418c
MH		 1030 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
1031 if (!conn)
1da177e4 1032 return NULL;
1da177e4
LT		 1033
1034 hcon->l2cap_data = conn;
1035 conn->hcon = hcon;
1036
0139418c
MH		 1037 BT_DBG("hcon %p conn %p", hcon, conn);
1038
acd7d370
VT		 1039 if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
1040 conn->mtu = hcon->hdev->le_mtu;
1041 else
1042 conn->mtu = hcon->hdev->acl_mtu;
1043
1da177e4
LT		 1044 conn->src = &hcon->hdev->bdaddr;
1045 conn->dst = &hcon->dst;
1046
4e8402a3
MH		 1047 conn->feat_mask = 0;
1048
1da177e4 1049 spin_lock_init(&conn->lock);
baa7e1fa
GP		 1050 rwlock_init(&conn->chan_lock);
1051
1052 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 1053
5d3de7df
VCG		 1054 if (hcon->type == LE_LINK)
1055 setup_timer(&conn->security_timer, security_timeout,
1056 (unsigned long) conn);
1057 else
b62f328b 1058 setup_timer(&conn->info_timer, l2cap_info_timeout,
45054dc1
DY		 1059 (unsigned long) conn);
1060
2950f21a
MH		 1061 conn->disc_reason = 0x13;
1062
1da177e4
LT		 1063 return conn;
1064}
1065
48454079 1066static inline void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
1da177e4 1067{
baa7e1fa 1068 write_lock_bh(&conn->chan_lock);
48454079 1069 __l2cap_chan_add(conn, chan);
baa7e1fa 1070 write_unlock_bh(&conn->chan_lock);
1da177e4
LT		 1071}
1072
1da177e4 1073/* ---- Socket interface ---- */
1da177e4
LT		 1074
1075/* Find socket with psm and source bdaddr.
1076 * Returns closest match.
1077 */
23691d75 1078static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm, bdaddr_t *src)
1da177e4 1079{
23691d75 1080 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1081
23691d75 1082 read_lock(&chan_list_lock);
e0f0cb56 1083
23691d75
GP		 1084 list_for_each_entry(c, &chan_list, global_l) {
1085 struct sock *sk = c->sk;
fe4128e0 1086
89bc500e 1087 if (state && c->state != state)
1da177e4
LT		 1088 continue;
1089
23691d75 1090 if (c->psm == psm) {
1da177e4 1091 /* Exact match. */
23691d75 1092 if (!bacmp(&bt_sk(sk)->src, src)) {
a7567b20 1093 read_unlock(&chan_list_lock);
23691d75
GP		 1094 return c;
1095 }
1da177e4
LT		 1096
1097 /* Closest match */
1098 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
23691d75 1099 c1 = c;
1da177e4
LT		 1100 }
1101 }
1da177e4 1102
23691d75 1103 read_unlock(&chan_list_lock);
e0f0cb56 1104
23691d75 1105 return c1;
1da177e4
LT		 1106}
1107
77a74c7e 1108int l2cap_chan_connect(struct l2cap_chan *chan)
1da177e4 1109{
5d41ce1d 1110 struct sock *sk = chan->sk;
1da177e4
LT		 1111 bdaddr_t *src = &bt_sk(sk)->src;
1112 bdaddr_t *dst = &bt_sk(sk)->dst;
1113 struct l2cap_conn *conn;
1114 struct hci_conn *hcon;
1115 struct hci_dev *hdev;
09ab6f4c 1116 __u8 auth_type;
44d0e48e 1117 int err;
1da177e4 1118
f29972de 1119 BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
fe4128e0 1120 chan->psm);
1da177e4 1121
af05b30b
GP		 1122 hdev = hci_get_route(dst, src);
1123 if (!hdev)
1da177e4
LT		 1124 return -EHOSTUNREACH;
1125
1126 hci_dev_lock_bh(hdev);
1127
4343478f 1128 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1129
fe4128e0 1130 if (chan->dcid == L2CAP_CID_LE_DATA)
acd7d370 1131 hcon = hci_connect(hdev, LE_LINK, dst,
4343478f 1132 chan->sec_level, auth_type);
acd7d370
VT		 1133 else
1134 hcon = hci_connect(hdev, ACL_LINK, dst,
4343478f 1135 chan->sec_level, auth_type);
acd7d370 1136
30e76272
VT		 1137 if (IS_ERR(hcon)) {
1138 err = PTR_ERR(hcon);
1da177e4 1139 goto done;
30e76272 1140 }
1da177e4
LT		 1141
1142 conn = l2cap_conn_add(hcon, 0);
1143 if (!conn) {
1144 hci_conn_put(hcon);
30e76272 1145 err = -ENOMEM;
1da177e4
LT		 1146 goto done;
1147 }
1148
1da177e4
LT		 1149 /* Update source addr of the socket */
1150 bacpy(src, conn->src);
1151
48454079
GP		 1152 l2cap_chan_add(conn, chan);
1153
89bc500e 1154 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1155 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1156
1157 if (hcon->state == BT_CONNECTED) {
715ec005 1158 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1159 __clear_chan_timer(chan);
4343478f 1160 if (l2cap_check_security(chan))
89bc500e 1161 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1162 } else
fc7f8a7e 1163 l2cap_do_start(chan);
1da177e4
LT		 1164 }
1165
30e76272
VT		 1166 err = 0;
1167
1da177e4
LT		 1168done:
1169 hci_dev_unlock_bh(hdev);
1170 hci_dev_put(hdev);
1171 return err;
1172}
1173
dcba0dba 1174int __l2cap_wait_ack(struct sock *sk)
6161c038 1175{
8c1d787b 1176 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1177 DECLARE_WAITQUEUE(wait, current);
1178 int err = 0;
1179 int timeo = HZ/5;
1180
2b0b05dd 1181 add_wait_queue(sk_sleep(sk), &wait);
a71a0cf4
PH		 1182 set_current_state(TASK_INTERRUPTIBLE);
1183 while (chan->unacked_frames > 0 && chan->conn) {
6161c038
GP		 1184 if (!timeo)
1185 timeo = HZ/5;
1186
1187 if (signal_pending(current)) {
1188 err = sock_intr_errno(timeo);
1189 break;
1190 }
1191
1192 release_sock(sk);
1193 timeo = schedule_timeout(timeo);
1194 lock_sock(sk);
a71a0cf4 1195 set_current_state(TASK_INTERRUPTIBLE);
6161c038
GP		 1196
1197 err = sock_error(sk);
1198 if (err)
1199 break;
1200 }
1201 set_current_state(TASK_RUNNING);
2b0b05dd 1202 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1203 return err;
1204}
1205
e90bac06
GP		 1206static void l2cap_monitor_timeout(unsigned long arg)
1207{
525cd185
GP		 1208 struct l2cap_chan *chan = (void *) arg;
1209 struct sock *sk = chan->sk;
e90bac06 1210
525cd185 1211 BT_DBG("chan %p", chan);
0e98958d 1212
e686219a 1213 bh_lock_sock(sk);
2c03a7a4 1214 if (chan->retry_count >= chan->remote_max_tx) {
8c1d787b 1215 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
b13f5860 1216 bh_unlock_sock(sk);
e90bac06
GP		 1217 return;
1218 }
1219
6a026610 1220 chan->retry_count++;
1a09bcb9 1221 __set_monitor_timer(chan);
e90bac06 1222
525cd185 1223 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
e686219a 1224 bh_unlock_sock(sk);
e90bac06
GP		 1225}
1226
1227static void l2cap_retrans_timeout(unsigned long arg)
1228{
525cd185
GP		 1229 struct l2cap_chan *chan = (void *) arg;
1230 struct sock *sk = chan->sk;
e90bac06 1231
49208c9c 1232 BT_DBG("chan %p", chan);
0e98958d 1233
e686219a 1234 bh_lock_sock(sk);
6a026610 1235 chan->retry_count = 1;
1a09bcb9 1236 __set_monitor_timer(chan);
e90bac06 1237
e2ab4353 1238 set_bit(CONN_WAIT_F, &chan->conn_state);
e90bac06 1239
525cd185 1240 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
e686219a 1241 bh_unlock_sock(sk);
e90bac06
GP		 1242}
1243
42e5c802 1244static void l2cap_drop_acked_frames(struct l2cap_chan *chan)
1da177e4 1245{
1c2acffb 1246 struct sk_buff *skb;
1da177e4 1247
58d35f87 1248 while ((skb = skb_peek(&chan->tx_q)) &&
6a026610 1249 chan->unacked_frames) {
42e5c802 1250 if (bt_cb(skb)->tx_seq == chan->expected_ack_seq)
1c2acffb 1251 break;
1da177e4 1252
58d35f87 1253 skb = skb_dequeue(&chan->tx_q);
1c2acffb 1254 kfree_skb(skb);
1da177e4 1255
6a026610 1256 chan->unacked_frames--;
1c2acffb 1257 }
1da177e4 1258
6a026610 1259 if (!chan->unacked_frames)
1a09bcb9 1260 __clear_retrans_timer(chan);
1c2acffb 1261}
1da177e4 1262
67c9e840 1263static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
1c2acffb 1264{
8c1d787b 1265 struct hci_conn *hcon = chan->conn->hcon;
e702112f 1266 u16 flags;
1c2acffb 1267
4343478f 1268 BT_DBG("chan %p, skb %p len %d", chan, skb, skb->len);
1da177e4 1269
d57b0e8b
AE		 1270 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
1271 lmp_no_flush_capable(hcon->hdev))
e702112f
AE		 1272 flags = ACL_START_NO_FLUSH;
1273 else
1274 flags = ACL_START;
1275
15770b1a 1276 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
e702112f 1277 hci_send_acl(hcon, skb, flags);
1c2acffb
GP		 1278}
1279
67c9e840 1280static void l2cap_streaming_send(struct l2cap_chan *chan)
6840ed07 1281{
ccbb84af 1282 struct sk_buff *skb;
88843ab0
AE		 1283 u32 control;
1284 u16 fcs;
6840ed07 1285
58d35f87 1286 while ((skb = skb_dequeue(&chan->tx_q))) {
88843ab0 1287 control = __get_control(chan, skb->data + L2CAP_HDR_SIZE);
fb45de7d 1288 control |= __set_txseq(chan, chan->next_tx_seq);
88843ab0 1289 __put_control(chan, control, skb->data + L2CAP_HDR_SIZE);
6840ed07 1290
47d1ec61 1291 if (chan->fcs == L2CAP_FCS_CRC16) {
ccbb84af
GP		 1292 fcs = crc16(0, (u8 *)skb->data, skb->len - 2);
1293 put_unaligned_le16(fcs, skb->data + skb->len - 2);
fcc203c3
GP		 1294 }
1295
4343478f 1296 l2cap_do_send(chan, skb);
6840ed07 1297
836be934 1298 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
6840ed07 1299 }
6840ed07
GP		 1300}
1301
fb45de7d 1302static void l2cap_retransmit_one_frame(struct l2cap_chan *chan, u16 tx_seq)
8f17154f 1303{
8f17154f 1304 struct sk_buff *skb, *tx_skb;
88843ab0
AE		 1305 u16 fcs;
1306 u32 control;
8f17154f 1307
58d35f87 1308 skb = skb_peek(&chan->tx_q);
f11d676d
GP		 1309 if (!skb)
1310 return;
8f17154f 1311
f11d676d
GP		 1312 do {
1313 if (bt_cb(skb)->tx_seq == tx_seq)
8f17154f 1314 break;
8f17154f 1315
58d35f87 1316 if (skb_queue_is_last(&chan->tx_q, skb))
f11d676d 1317 return;
8f17154f 1318
58d35f87 1319 } while ((skb = skb_queue_next(&chan->tx_q, skb)));
8f17154f 1320
2c03a7a4
GP		 1321 if (chan->remote_max_tx &&
1322 bt_cb(skb)->retries == chan->remote_max_tx) {
8c1d787b 1323 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
f11d676d
GP		 1324 return;
1325 }
1326
1327 tx_skb = skb_clone(skb, GFP_ATOMIC);
1328 bt_cb(skb)->retries++;
88843ab0
AE		 1329
1330 control = __get_control(chan, tx_skb->data + L2CAP_HDR_SIZE);
7e0ef6ee 1331 control &= __get_sar_mask(chan);
3cb123d1 1332
e2ab4353 1333 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
03f6715d 1334 control |= __set_ctrl_final(chan);
95ffa978 1335
0b209fae 1336 control |= __set_reqseq(chan, chan->buffer_seq);
fb45de7d 1337 control |= __set_txseq(chan, tx_seq);
3cb123d1 1338
88843ab0 1339 __put_control(chan, control, tx_skb->data + L2CAP_HDR_SIZE);
f11d676d 1340
47d1ec61 1341 if (chan->fcs == L2CAP_FCS_CRC16) {
f11d676d
GP		 1342 fcs = crc16(0, (u8 *)tx_skb->data, tx_skb->len - 2);
1343 put_unaligned_le16(fcs, tx_skb->data + tx_skb->len - 2);
1344 }
1345
4343478f 1346 l2cap_do_send(chan, tx_skb);
8f17154f
GP		 1347}
1348
67c9e840 1349static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1350{
1351 struct sk_buff *skb, *tx_skb;
88843ab0
AE		 1352 u16 fcs;
1353 u32 control;
9a9c6a34 1354 int nsent = 0;
1c2acffb 1355
89bc500e 1356 if (chan->state != BT_CONNECTED)
c13ffa62 1357 return -ENOTCONN;
e90bac06 1358
58d35f87 1359 while ((skb = chan->tx_send_head) && (!l2cap_tx_window_full(chan))) {
1c2acffb 1360
2c03a7a4
GP		 1361 if (chan->remote_max_tx &&
1362 bt_cb(skb)->retries == chan->remote_max_tx) {
8c1d787b 1363 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
e90bac06
GP		 1364 break;
1365 }
1366
e420aba3
AE		 1367 tx_skb = skb_clone(skb, GFP_ATOMIC);
1368
e90bac06
GP		 1369 bt_cb(skb)->retries++;
1370
88843ab0 1371 control = __get_control(chan, tx_skb->data + L2CAP_HDR_SIZE);
7e0ef6ee 1372 control &= __get_sar_mask(chan);
95ffa978 1373
e2ab4353 1374 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
03f6715d 1375 control |= __set_ctrl_final(chan);
e2ab4353 1376
0b209fae 1377 control |= __set_reqseq(chan, chan->buffer_seq);
fb45de7d 1378 control |= __set_txseq(chan, chan->next_tx_seq);
1c2acffb 1379
88843ab0 1380 __put_control(chan, control, tx_skb->data + L2CAP_HDR_SIZE);
e90bac06 1381
47d1ec61 1382 if (chan->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 1383 fcs = crc16(0, (u8 *)skb->data, tx_skb->len - 2);
1384 put_unaligned_le16(fcs, skb->data + tx_skb->len - 2);
1385 }
1386
4343478f 1387 l2cap_do_send(chan, tx_skb);
9a9c6a34 1388
1a09bcb9 1389 __set_retrans_timer(chan);
1c2acffb 1390
42e5c802 1391 bt_cb(skb)->tx_seq = chan->next_tx_seq;
836be934
AE		 1392
1393 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1c2acffb 1394
23e9fde2 1395 if (bt_cb(skb)->retries == 1)
6a026610 1396 chan->unacked_frames++;
23e9fde2 1397
6a026610 1398 chan->frames_sent++;
1c2acffb 1399
58d35f87
GP		 1400 if (skb_queue_is_last(&chan->tx_q, skb))
1401 chan->tx_send_head = NULL;
1c2acffb 1402 else
58d35f87 1403 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
9e917af1
GP		 1404
1405 nsent++;
1c2acffb
GP		 1406 }
1407
9e917af1
GP		 1408 return nsent;
1409}
1410
525cd185 1411static int l2cap_retransmit_frames(struct l2cap_chan *chan)
dfc909be 1412{
dfc909be
GP		 1413 int ret;
1414
58d35f87
GP		 1415 if (!skb_queue_empty(&chan->tx_q))
1416 chan->tx_send_head = chan->tx_q.next;
dfc909be 1417
42e5c802 1418 chan->next_tx_seq = chan->expected_ack_seq;
525cd185 1419 ret = l2cap_ertm_send(chan);
dfc909be
GP		 1420 return ret;
1421}
1422
525cd185 1423static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 1424{
88843ab0 1425 u32 control = 0;
9e917af1 1426
0b209fae 1427 control |= __set_reqseq(chan, chan->buffer_seq);
9e917af1 1428
e2ab4353 1429 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
ab784b73 1430 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
e2ab4353 1431 set_bit(CONN_RNR_SENT, &chan->conn_state);
525cd185 1432 l2cap_send_sframe(chan, control);
9a9c6a34 1433 return;
9e917af1 1434 }
dfc909be 1435
525cd185 1436 if (l2cap_ertm_send(chan) > 0)
dfc909be
GP		 1437 return;
1438
ab784b73 1439 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
525cd185 1440 l2cap_send_sframe(chan, control);
1c2acffb
GP		 1441}
1442
525cd185 1443static void l2cap_send_srejtail(struct l2cap_chan *chan)
99b0d4b7
GP		 1444{
1445 struct srej_list *tail;
88843ab0 1446 u32 control;
99b0d4b7 1447
ab784b73 1448 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
03f6715d 1449 control |= __set_ctrl_final(chan);
99b0d4b7 1450
39d5a3ee 1451 tail = list_entry((&chan->srej_l)->prev, struct srej_list, list);
0b209fae 1452 control |= __set_reqseq(chan, tail->tx_seq);
99b0d4b7 1453
525cd185 1454 l2cap_send_sframe(chan, control);
99b0d4b7
GP		 1455}
1456
1c2acffb
GP		 1457static inline int l2cap_skbuff_fromiovec(struct sock *sk, struct msghdr *msg, int len, int count, struct sk_buff *skb)
1458{
8c1d787b 1459 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
1c2acffb
GP		 1460 struct sk_buff **frag;
1461 int err, sent = 0;
1da177e4 1462
59203a21 1463 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1464 return -EFAULT;
1da177e4
LT		 1465
1466 sent += count;
1467 len -= count;
1468
1469 /* Continuation fragments (no L2CAP header) */
1470 frag = &skb_shinfo(skb)->frag_list;
1471 while (len) {
1472 count = min_t(unsigned int, conn->mtu, len);
1473
1474 *frag = bt_skb_send_alloc(sk, count, msg->msg_flags & MSG_DONTWAIT, &err);
1475 if (!*frag)
0175d629 1476 return err;
1c2acffb
GP		 1477 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1478 return -EFAULT;
1da177e4
LT		 1479
1480 sent += count;
1481 len -= count;
1482
1483 frag = &(*frag)->next;
1484 }
1da177e4
LT		 1485
1486 return sent;
1c2acffb 1487}
1da177e4 1488
67c9e840 1489static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1c2acffb 1490{
fe4128e0 1491 struct sock *sk = chan->sk;
8c1d787b 1492 struct l2cap_conn *conn = chan->conn;
1c2acffb
GP		 1493 struct sk_buff *skb;
1494 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1495 struct l2cap_hdr *lh;
1496
1497 BT_DBG("sk %p len %d", sk, (int)len);
1498
1499 count = min_t(unsigned int, (conn->mtu - hlen), len);
1500 skb = bt_skb_send_alloc(sk, count + hlen,
1501 msg->msg_flags & MSG_DONTWAIT, &err);
1502 if (!skb)
0175d629 1503 return ERR_PTR(err);
1c2acffb
GP		 1504
1505 /* Create L2CAP header */
1506 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1507 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 1508 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
fe4128e0 1509 put_unaligned_le16(chan->psm, skb_put(skb, 2));
1c2acffb
GP		 1510
1511 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1512 if (unlikely(err < 0)) {
1513 kfree_skb(skb);
1514 return ERR_PTR(err);
1515 }
1516 return skb;
1517}
1518
67c9e840 1519static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1c2acffb 1520{
fe4128e0 1521 struct sock *sk = chan->sk;
8c1d787b 1522 struct l2cap_conn *conn = chan->conn;
1c2acffb
GP		 1523 struct sk_buff *skb;
1524 int err, count, hlen = L2CAP_HDR_SIZE;
1525 struct l2cap_hdr *lh;
1526
1527 BT_DBG("sk %p len %d", sk, (int)len);
1528
1529 count = min_t(unsigned int, (conn->mtu - hlen), len);
1530 skb = bt_skb_send_alloc(sk, count + hlen,
1531 msg->msg_flags & MSG_DONTWAIT, &err);
1532 if (!skb)
0175d629 1533 return ERR_PTR(err);
1c2acffb
GP		 1534
1535 /* Create L2CAP header */
1536 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1537 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb
GP		 1538 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1539
1540 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1541 if (unlikely(err < 0)) {
1542 kfree_skb(skb);
1543 return ERR_PTR(err);
1544 }
1545 return skb;
1546}
1547
ab0ff76d
LAD		 1548static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
1549 struct msghdr *msg, size_t len,
88843ab0 1550 u32 control, u16 sdulen)
1c2acffb 1551{
47d1ec61 1552 struct sock *sk = chan->sk;
8c1d787b 1553 struct l2cap_conn *conn = chan->conn;
1c2acffb 1554 struct sk_buff *skb;
e4ca6d98 1555 int err, count, hlen;
1c2acffb
GP		 1556 struct l2cap_hdr *lh;
1557
1558 BT_DBG("sk %p len %d", sk, (int)len);
1559
0ee0d208
GP		 1560 if (!conn)
1561 return ERR_PTR(-ENOTCONN);
1562
e4ca6d98
AE		 1563 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1564 hlen = L2CAP_EXT_HDR_SIZE;
1565 else
1566 hlen = L2CAP_ENH_HDR_SIZE;
1567
c74e560c
GP		 1568 if (sdulen)
1569 hlen += 2;
1570
47d1ec61 1571 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3
GP		 1572 hlen += 2;
1573
1c2acffb
GP		 1574 count = min_t(unsigned int, (conn->mtu - hlen), len);
1575 skb = bt_skb_send_alloc(sk, count + hlen,
1576 msg->msg_flags & MSG_DONTWAIT, &err);
1577 if (!skb)
0175d629 1578 return ERR_PTR(err);
1c2acffb
GP		 1579
1580 /* Create L2CAP header */
1581 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1582 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 1583 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0
AE		 1584
1585 __put_control(chan, control, skb_put(skb, __ctrl_size(chan)));
1586
c74e560c
GP		 1587 if (sdulen)
1588 put_unaligned_le16(sdulen, skb_put(skb, 2));
1c2acffb
GP		 1589
1590 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1591 if (unlikely(err < 0)) {
1592 kfree_skb(skb);
1593 return ERR_PTR(err);
1594 }
e90bac06 1595
47d1ec61 1596 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3
GP		 1597 put_unaligned_le16(0, skb_put(skb, 2));
1598
e90bac06 1599 bt_cb(skb)->retries = 0;
1c2acffb 1600 return skb;
1da177e4
LT		 1601}
1602
67c9e840 1603static int l2cap_sar_segment_sdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
c74e560c 1604{
c74e560c
GP		 1605 struct sk_buff *skb;
1606 struct sk_buff_head sar_queue;
88843ab0 1607 u32 control;
c74e560c
GP		 1608 size_t size = 0;
1609
ff12fd64 1610 skb_queue_head_init(&sar_queue);
7e0ef6ee 1611 control = __set_ctrl_sar(chan, L2CAP_SAR_START);
47d1ec61 1612 skb = l2cap_create_iframe_pdu(chan, msg, chan->remote_mps, control, len);
c74e560c
GP		 1613 if (IS_ERR(skb))
1614 return PTR_ERR(skb);
1615
1616 __skb_queue_tail(&sar_queue, skb);
2c03a7a4
GP		 1617 len -= chan->remote_mps;
1618 size += chan->remote_mps;
c74e560c
GP		 1619
1620 while (len > 0) {
1621 size_t buflen;
1622
2c03a7a4 1623 if (len > chan->remote_mps) {
7e0ef6ee 1624 control = __set_ctrl_sar(chan, L2CAP_SAR_CONTINUE);
2c03a7a4 1625 buflen = chan->remote_mps;
c74e560c 1626 } else {
7e0ef6ee 1627 control = __set_ctrl_sar(chan, L2CAP_SAR_END);
c74e560c
GP		 1628 buflen = len;
1629 }
1630
47d1ec61 1631 skb = l2cap_create_iframe_pdu(chan, msg, buflen, control, 0);
c74e560c
GP		 1632 if (IS_ERR(skb)) {
1633 skb_queue_purge(&sar_queue);
1634 return PTR_ERR(skb);
1635 }
1636
1637 __skb_queue_tail(&sar_queue, skb);
1638 len -= buflen;
1639 size += buflen;
c74e560c 1640 }
58d35f87
GP		 1641 skb_queue_splice_tail(&sar_queue, &chan->tx_q);
1642 if (chan->tx_send_head == NULL)
1643 chan->tx_send_head = sar_queue.next;
c74e560c
GP		 1644
1645 return size;
1646}
1647
9a91a04a
GP		 1648int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1649{
9a91a04a 1650 struct sk_buff *skb;
88843ab0 1651 u32 control;
9a91a04a
GP		 1652 int err;
1653
1654 /* Connectionless channel */
715ec005 1655 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
9a91a04a
GP		 1656 skb = l2cap_create_connless_pdu(chan, msg, len);
1657 if (IS_ERR(skb))
1658 return PTR_ERR(skb);
1659
1660 l2cap_do_send(chan, skb);
1661 return len;
1662 }
1663
1664 switch (chan->mode) {
1665 case L2CAP_MODE_BASIC:
1666 /* Check outgoing MTU */
1667 if (len > chan->omtu)
1668 return -EMSGSIZE;
1669
1670 /* Create a basic PDU */
1671 skb = l2cap_create_basic_pdu(chan, msg, len);
1672 if (IS_ERR(skb))
1673 return PTR_ERR(skb);
1674
1675 l2cap_do_send(chan, skb);
1676 err = len;
1677 break;
1678
1679 case L2CAP_MODE_ERTM:
1680 case L2CAP_MODE_STREAMING:
1681 /* Entire SDU fits into one PDU */
1682 if (len <= chan->remote_mps) {
7e0ef6ee 1683 control = __set_ctrl_sar(chan, L2CAP_SAR_UNSEGMENTED);
9a91a04a
GP		 1684 skb = l2cap_create_iframe_pdu(chan, msg, len, control,
1685 0);
1686 if (IS_ERR(skb))
1687 return PTR_ERR(skb);
1688
1689 __skb_queue_tail(&chan->tx_q, skb);
1690
1691 if (chan->tx_send_head == NULL)
1692 chan->tx_send_head = skb;
1693
1694 } else {
1695 /* Segment SDU into multiples PDUs */
1696 err = l2cap_sar_segment_sdu(chan, msg, len);
1697 if (err < 0)
1698 return err;
1699 }
1700
1701 if (chan->mode == L2CAP_MODE_STREAMING) {
1702 l2cap_streaming_send(chan);
1703 err = len;
1704 break;
1705 }
1706
e2ab4353
GP		 1707 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
1708 test_bit(CONN_WAIT_F, &chan->conn_state)) {
9a91a04a
GP		 1709 err = len;
1710 break;
1711 }
1712
1713 err = l2cap_ertm_send(chan);
1714 if (err >= 0)
1715 err = len;
1716
1717 break;
1718
1719 default:
1720 BT_DBG("bad state %1.1x", chan->mode);
1721 err = -EBADFD;
1722 }
1723
1724 return err;
1725}
1726
1da177e4
LT		 1727/* Copy frame to all raw sockets on that connection */
1728static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
1729{
1da177e4 1730 struct sk_buff *nskb;
48454079 1731 struct l2cap_chan *chan;
1da177e4
LT		 1732
1733 BT_DBG("conn %p", conn);
1734
baa7e1fa
GP		 1735 read_lock(&conn->chan_lock);
1736 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 1737 struct sock *sk = chan->sk;
715ec005 1738 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 1739 continue;
1740
1741 /* Don't send frame to the socket it came from */
1742 if (skb->sk == sk)
1743 continue;
af05b30b
GP		 1744 nskb = skb_clone(skb, GFP_ATOMIC);
1745 if (!nskb)
1da177e4
LT		 1746 continue;
1747
23070494 1748 if (chan->ops->recv(chan->data, nskb))
1da177e4
LT		 1749 kfree_skb(nskb);
1750 }
baa7e1fa 1751 read_unlock(&conn->chan_lock);
1da177e4
LT		 1752}
1753
1754/* ---- L2CAP signalling commands ---- */
1755static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
1756 u8 code, u8 ident, u16 dlen, void *data)
1757{
1758 struct sk_buff *skb, **frag;
1759 struct l2cap_cmd_hdr *cmd;
1760 struct l2cap_hdr *lh;
1761 int len, count;
1762
af05b30b
GP		 1763 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
1764 conn, code, ident, dlen);
1da177e4
LT		 1765
1766 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
1767 count = min_t(unsigned int, conn->mtu, len);
1768
1769 skb = bt_skb_alloc(count, GFP_ATOMIC);
1770 if (!skb)
1771 return NULL;
1772
1773 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 1774 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 1775
1776 if (conn->hcon->type == LE_LINK)
1777 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
1778 else
1779 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 1780
1781 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
1782 cmd->code = code;
1783 cmd->ident = ident;
aca3192c 1784 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 1785
1786 if (dlen) {
1787 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
1788 memcpy(skb_put(skb, count), data, count);
1789 data += count;
1790 }
1791
1792 len -= skb->len;
1793
1794 /* Continuation fragments (no L2CAP header) */
1795 frag = &skb_shinfo(skb)->frag_list;
1796 while (len) {
1797 count = min_t(unsigned int, conn->mtu, len);
1798
1799 *frag = bt_skb_alloc(count, GFP_ATOMIC);
1800 if (!*frag)
1801 goto fail;
1802
1803 memcpy(skb_put(*frag, count), data, count);
1804
1805 len -= count;
1806 data += count;
1807
1808 frag = &(*frag)->next;
1809 }
1810
1811 return skb;
1812
1813fail:
1814 kfree_skb(skb);
1815 return NULL;
1816}
1817
1818static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
1819{
1820 struct l2cap_conf_opt *opt = *ptr;
1821 int len;
1822
1823 len = L2CAP_CONF_OPT_SIZE + opt->len;
1824 *ptr += len;
1825
1826 *type = opt->type;
1827 *olen = opt->len;
1828
1829 switch (opt->len) {
1830 case 1:
1831 *val = *((u8 *) opt->val);
1832 break;
1833
1834 case 2:
bfaaeb3e 1835 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 1836 break;
1837
1838 case 4:
bfaaeb3e 1839 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 1840 break;
1841
1842 default:
1843 *val = (unsigned long) opt->val;
1844 break;
1845 }
1846
1847 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
1848 return len;
1849}
1850
1da177e4
LT		 1851static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
1852{
1853 struct l2cap_conf_opt *opt = *ptr;
1854
1855 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
1856
1857 opt->type = type;
1858 opt->len = len;
1859
1860 switch (len) {
1861 case 1:
1862 *((u8 *) opt->val) = val;
1863 break;
1864
1865 case 2:
4f8b691c 1866 put_unaligned_le16(val, opt->val);
1da177e4
LT		 1867 break;
1868
1869 case 4:
4f8b691c 1870 put_unaligned_le32(val, opt->val);
1da177e4
LT		 1871 break;
1872
1873 default:
1874 memcpy(opt->val, (void *) val, len);
1875 break;
1876 }
1877
1878 *ptr += L2CAP_CONF_OPT_SIZE + len;
1879}
1880
f89cef09
AE		 1881static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
1882{
1883 struct l2cap_conf_efs efs;
1884
1885 switch(chan->mode) {
1886 case L2CAP_MODE_ERTM:
1887 efs.id = chan->local_id;
1888 efs.stype = chan->local_stype;
1889 efs.msdu = cpu_to_le16(chan->local_msdu);
1890 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
1891 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
1892 efs.flush_to = cpu_to_le32(L2CAP_DEFAULT_FLUSH_TO);
1893 break;
1894
1895 case L2CAP_MODE_STREAMING:
1896 efs.id = 1;
1897 efs.stype = L2CAP_SERV_BESTEFFORT;
1898 efs.msdu = cpu_to_le16(chan->local_msdu);
1899 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
1900 efs.acc_lat = 0;
1901 efs.flush_to = 0;
1902 break;
1903
1904 default:
1905 return;
1906 }
1907
1908 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
1909 (unsigned long) &efs);
1910}
1911
c1b4f43b
GP		 1912static void l2cap_ack_timeout(unsigned long arg)
1913{
525cd185 1914 struct l2cap_chan *chan = (void *) arg;
c1b4f43b 1915
525cd185
GP		 1916 bh_lock_sock(chan->sk);
1917 l2cap_send_ack(chan);
1918 bh_unlock_sock(chan->sk);
c1b4f43b
GP		 1919}
1920
525cd185 1921static inline void l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 1922{
525cd185
GP		 1923 struct sock *sk = chan->sk;
1924
42e5c802 1925 chan->expected_ack_seq = 0;
6a026610 1926 chan->unacked_frames = 0;
42e5c802 1927 chan->buffer_seq = 0;
6a026610
GP		 1928 chan->num_acked = 0;
1929 chan->frames_sent = 0;
0565c1c2 1930
e92c8e70
GP		 1931 setup_timer(&chan->retrans_timer, l2cap_retrans_timeout,
1932 (unsigned long) chan);
1933 setup_timer(&chan->monitor_timer, l2cap_monitor_timeout,
1934 (unsigned long) chan);
1935 setup_timer(&chan->ack_timer, l2cap_ack_timeout, (unsigned long) chan);
0565c1c2 1936
f1c6775b 1937 skb_queue_head_init(&chan->srej_q);
1890d36b 1938
39d5a3ee
GP		 1939 INIT_LIST_HEAD(&chan->srej_l);
1940
218bb9df
GP		 1941
1942 sk->sk_backlog_rcv = l2cap_ertm_data_rcv;
0565c1c2
GP		 1943}
1944
f2fcfcd6
GP		 1945static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
1946{
1947 switch (mode) {
1948 case L2CAP_MODE_STREAMING:
1949 case L2CAP_MODE_ERTM:
1950 if (l2cap_mode_supported(mode, remote_feat_mask))
1951 return mode;
1952 /* fall through */
1953 default:
1954 return L2CAP_MODE_BASIC;
1955 }
1956}
1957
6327eb98
AE		 1958static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
1959{
1960 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
1961}
1962
f89cef09
AE		 1963static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
1964{
1965 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
1966}
1967
6327eb98
AE		 1968static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
1969{
1970 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
836be934 1971 __l2cap_ews_supported(chan)) {
6327eb98
AE		 1972 /* use extended control field */
1973 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 1974 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
1975 } else {
6327eb98
AE		 1976 chan->tx_win = min_t(u16, chan->tx_win,
1977 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 1978 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
1979 }
6327eb98
AE		 1980}
1981
710f9b0a 1982static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 1983{
1da177e4 1984 struct l2cap_conf_req *req = data;
0c1bc5c6 1985 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4
LT		 1986 void *ptr = req->data;
1987
49208c9c 1988 BT_DBG("chan %p", chan);
1da177e4 1989
73ffa904 1990 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 1991 goto done;
1992
0c1bc5c6 1993 switch (chan->mode) {
f2fcfcd6
GP		 1994 case L2CAP_MODE_STREAMING:
1995 case L2CAP_MODE_ERTM:
c1360a1c 1996 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 1997 break;
85eb53c6 1998
f89cef09
AE		 1999 if (__l2cap_efs_supported(chan))
2000 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2001
2ba13ed6 2002 /* fall through */
f2fcfcd6 2003 default:
8c1d787b 2004 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 2005 break;
2006 }
2007
2008done:
0c1bc5c6
GP		 2009 if (chan->imtu != L2CAP_DEFAULT_MTU)
2010 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 2011
0c1bc5c6 2012 switch (chan->mode) {
65c7c491 2013 case L2CAP_MODE_BASIC:
8c1d787b
GP		 2014 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2015 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 2016 break;
2017
62547752
GP		 2018 rfc.mode = L2CAP_MODE_BASIC;
2019 rfc.txwin_size = 0;
2020 rfc.max_transmit = 0;
2021 rfc.retrans_timeout = 0;
2022 rfc.monitor_timeout = 0;
2023 rfc.max_pdu_size = 0;
2024
63406504
GP		 2025 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2026 (unsigned long) &rfc);
65c7c491
MH		 2027 break;
2028
2029 case L2CAP_MODE_ERTM:
2030 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 2031 rfc.max_transmit = chan->max_tx;
f2fcfcd6
GP		 2032 rfc.retrans_timeout = 0;
2033 rfc.monitor_timeout = 0;
c74e560c 2034 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
8c1d787b
GP		 2035 if (L2CAP_DEFAULT_MAX_PDU_SIZE > chan->conn->mtu - 10)
2036 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
f2fcfcd6 2037
6327eb98
AE		 2038 l2cap_txwin_setup(chan);
2039
2040 rfc.txwin_size = min_t(u16, chan->tx_win,
2041 L2CAP_DEFAULT_TX_WINDOW);
2042
63406504
GP		 2043 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2044 (unsigned long) &rfc);
2045
f89cef09
AE		 2046 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2047 l2cap_add_opt_efs(&ptr, chan);
2048
8c1d787b 2049 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2050 break;
2051
47d1ec61 2052 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2053 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2054 chan->fcs = L2CAP_FCS_NONE;
2055 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2056 }
6327eb98
AE		 2057
2058 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2059 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2060 chan->tx_win);
f2fcfcd6
GP		 2061 break;
2062
2063 case L2CAP_MODE_STREAMING:
2064 rfc.mode = L2CAP_MODE_STREAMING;
2065 rfc.txwin_size = 0;
2066 rfc.max_transmit = 0;
2067 rfc.retrans_timeout = 0;
2068 rfc.monitor_timeout = 0;
c74e560c 2069 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
8c1d787b
GP		 2070 if (L2CAP_DEFAULT_MAX_PDU_SIZE > chan->conn->mtu - 10)
2071 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
65c7c491 2072
63406504
GP		 2073 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2074 (unsigned long) &rfc);
2075
f89cef09
AE		 2076 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2077 l2cap_add_opt_efs(&ptr, chan);
2078
8c1d787b 2079 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2080 break;
2081
47d1ec61 2082 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2083 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2084 chan->fcs = L2CAP_FCS_NONE;
2085 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2086 }
65c7c491
MH		 2087 break;
2088 }
1da177e4 2089
fe4128e0 2090 req->dcid = cpu_to_le16(chan->dcid);
aca3192c 2091 req->flags = cpu_to_le16(0);
1da177e4
LT		 2092
2093 return ptr - data;
2094}
2095
73ffa904 2096static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2097{
5dee9e7c
MH		 2098 struct l2cap_conf_rsp *rsp = data;
2099 void *ptr = rsp->data;
73ffa904
GP		 2100 void *req = chan->conf_req;
2101 int len = chan->conf_len;
5dee9e7c
MH		 2102 int type, hint, olen;
2103 unsigned long val;
6464f35f 2104 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
861d6882 2105 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 2106 u16 result = L2CAP_CONF_SUCCESS;
1da177e4 2107
73ffa904 2108 BT_DBG("chan %p", chan);
820ae1b8 2109
5dee9e7c
MH		 2110 while (len >= L2CAP_CONF_OPT_SIZE) {
2111 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 2112
589d2746 2113 hint = type & L2CAP_CONF_HINT;
47ec1dcd 2114 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 2115
2116 switch (type) {
2117 case L2CAP_CONF_MTU:
861d6882 2118 mtu = val;
5dee9e7c
MH		 2119 break;
2120
2121 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2122 chan->flush_to = val;
5dee9e7c
MH		 2123 break;
2124
2125 case L2CAP_CONF_QOS:
2126 break;
2127
6464f35f
MH		 2128 case L2CAP_CONF_RFC:
2129 if (olen == sizeof(rfc))
2130 memcpy(&rfc, (void *) val, olen);
2131 break;
2132
fcc203c3
GP		 2133 case L2CAP_CONF_FCS:
2134 if (val == L2CAP_FCS_NONE)
c1360a1c 2135 set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
fcc203c3
GP		 2136
2137 break;
2138
6327eb98
AE		 2139 case L2CAP_CONF_EWS:
2140 if (!enable_hs)
2141 return -ECONNREFUSED;
2142
2143 set_bit(FLAG_EXT_CTRL, &chan->flags);
2144 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 2145 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98
AE		 2146 chan->remote_tx_win = val;
2147 break;
2148
5dee9e7c
MH		 2149 default:
2150 if (hint)
2151 break;
2152
2153 result = L2CAP_CONF_UNKNOWN;
2154 *((u8 *) ptr++) = type;
2155 break;
2156 }
2157 }
2158
73ffa904 2159 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 2160 goto done;
2161
0c1bc5c6 2162 switch (chan->mode) {
f2fcfcd6
GP		 2163 case L2CAP_MODE_STREAMING:
2164 case L2CAP_MODE_ERTM:
c1360a1c 2165 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 2166 chan->mode = l2cap_select_mode(rfc.mode,
8c1d787b 2167 chan->conn->feat_mask);
85eb53c6
GP		 2168 break;
2169 }
2170
0c1bc5c6 2171 if (chan->mode != rfc.mode)
f2fcfcd6 2172 return -ECONNREFUSED;
742e519b 2173
f2fcfcd6 2174 break;
f2fcfcd6
GP		 2175 }
2176
2177done:
0c1bc5c6 2178 if (chan->mode != rfc.mode) {
f2fcfcd6 2179 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2180 rfc.mode = chan->mode;
f2fcfcd6 2181
73ffa904 2182 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 2183 return -ECONNREFUSED;
2184
2185 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2186 sizeof(rfc), (unsigned long) &rfc);
2187 }
2188
2189
5dee9e7c
MH		 2190 if (result == L2CAP_CONF_SUCCESS) {
2191 /* Configure output options and let the other side know
2192 * which ones we don't like. */
2193
f2fcfcd6
GP		 2194 if (mtu < L2CAP_DEFAULT_MIN_MTU)
2195 result = L2CAP_CONF_UNACCEPT;
2196 else {
0c1bc5c6 2197 chan->omtu = mtu;
c1360a1c 2198 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 2199 }
0c1bc5c6 2200 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 2201
f2fcfcd6
GP		 2202 switch (rfc.mode) {
2203 case L2CAP_MODE_BASIC:
47d1ec61 2204 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 2205 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 2206 break;
2207
2208 case L2CAP_MODE_ERTM:
6327eb98
AE		 2209 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
2210 chan->remote_tx_win = rfc.txwin_size;
2211 else
2212 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
2213
2c03a7a4 2214 chan->remote_max_tx = rfc.max_transmit;
86b1b263 2215
8c1d787b
GP		 2216 if (le16_to_cpu(rfc.max_pdu_size) > chan->conn->mtu - 10)
2217 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
1c762159 2218
2c03a7a4 2219 chan->remote_mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6 2220
10467e9e
GP		 2221 rfc.retrans_timeout =
2222 le16_to_cpu(L2CAP_DEFAULT_RETRANS_TO);
2223 rfc.monitor_timeout =
2224 le16_to_cpu(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6 2225
c1360a1c 2226 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 2227
2228 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2229 sizeof(rfc), (unsigned long) &rfc);
2230
f2fcfcd6
GP		 2231 break;
2232
2233 case L2CAP_MODE_STREAMING:
8c1d787b
GP		 2234 if (le16_to_cpu(rfc.max_pdu_size) > chan->conn->mtu - 10)
2235 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
1c762159 2236
2c03a7a4 2237 chan->remote_mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6 2238
c1360a1c 2239 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 2240
2241 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2242 sizeof(rfc), (unsigned long) &rfc);
2243
f2fcfcd6
GP		 2244 break;
2245
2246 default:
5dee9e7c 2247 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 2248
6464f35f 2249 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 2250 rfc.mode = chan->mode;
f2fcfcd6 2251 }
6464f35f 2252
f2fcfcd6 2253 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 2254 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 2255 }
fe4128e0 2256 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c
MH		 2257 rsp->result = cpu_to_le16(result);
2258 rsp->flags = cpu_to_le16(0x0000);
2259
2260 return ptr - data;
1da177e4
LT		 2261}
2262
b4450035 2263static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
f2fcfcd6 2264{
f2fcfcd6
GP		 2265 struct l2cap_conf_req *req = data;
2266 void *ptr = req->data;
2267 int type, olen;
2268 unsigned long val;
2269 struct l2cap_conf_rfc rfc;
2270
fe4128e0 2271 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 2272
2273 while (len >= L2CAP_CONF_OPT_SIZE) {
2274 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2275
2276 switch (type) {
2277 case L2CAP_CONF_MTU:
2278 if (val < L2CAP_DEFAULT_MIN_MTU) {
2279 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2280 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 2281 } else
0c1bc5c6
GP		 2282 chan->imtu = val;
2283 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 2284 break;
2285
2286 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2287 chan->flush_to = val;
f2fcfcd6 2288 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
0c1bc5c6 2289 2, chan->flush_to);
f2fcfcd6
GP		 2290 break;
2291
2292 case L2CAP_CONF_RFC:
2293 if (olen == sizeof(rfc))
2294 memcpy(&rfc, (void *)val, olen);
2295
c1360a1c 2296 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
0c1bc5c6 2297 rfc.mode != chan->mode)
f2fcfcd6
GP		 2298 return -ECONNREFUSED;
2299
47d1ec61 2300 chan->fcs = 0;
f2fcfcd6
GP		 2301
2302 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2303 sizeof(rfc), (unsigned long) &rfc);
2304 break;
6327eb98
AE		 2305
2306 case L2CAP_CONF_EWS:
2307 chan->tx_win = min_t(u16, val,
2308 L2CAP_DEFAULT_EXT_WINDOW);
2309 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS,
2310 2, chan->tx_win);
2311 break;
f2fcfcd6
GP		 2312 }
2313 }
2314
0c1bc5c6 2315 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 2316 return -ECONNREFUSED;
2317
0c1bc5c6 2318 chan->mode = rfc.mode;
6c2ea7a8 2319
f2fcfcd6
GP		 2320 if (*result == L2CAP_CONF_SUCCESS) {
2321 switch (rfc.mode) {
2322 case L2CAP_MODE_ERTM:
47d1ec61
GP		 2323 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2324 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2325 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2326 break;
2327 case L2CAP_MODE_STREAMING:
47d1ec61 2328 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2329 }
2330 }
2331
fe4128e0 2332 req->dcid = cpu_to_le16(chan->dcid);
f2fcfcd6
GP		 2333 req->flags = cpu_to_le16(0x0000);
2334
2335 return ptr - data;
2336}
2337
fe4128e0 2338static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
1da177e4
LT		 2339{
2340 struct l2cap_conf_rsp *rsp = data;
2341 void *ptr = rsp->data;
1da177e4 2342
fe4128e0 2343 BT_DBG("chan %p", chan);
1da177e4 2344
fe4128e0 2345 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 2346 rsp->result = cpu_to_le16(result);
aca3192c 2347 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 2348
2349 return ptr - data;
2350}
2351
8c1d787b 2352void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 2353{
2354 struct l2cap_conn_rsp rsp;
8c1d787b 2355 struct l2cap_conn *conn = chan->conn;
710f9b0a
GP		 2356 u8 buf[128];
2357
fe4128e0
GP		 2358 rsp.scid = cpu_to_le16(chan->dcid);
2359 rsp.dcid = cpu_to_le16(chan->scid);
710f9b0a
GP		 2360 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
2361 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
2362 l2cap_send_cmd(conn, chan->ident,
2363 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2364
c1360a1c 2365 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 2366 return;
2367
710f9b0a
GP		 2368 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2369 l2cap_build_conf_req(chan, buf), buf);
2370 chan->num_conf_req++;
2371}
2372
47d1ec61 2373static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 2374{
7b1c0049
GP		 2375 int type, olen;
2376 unsigned long val;
2377 struct l2cap_conf_rfc rfc;
2378
47d1ec61 2379 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 2380
0c1bc5c6 2381 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 2382 return;
2383
2384 while (len >= L2CAP_CONF_OPT_SIZE) {
2385 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2386
2387 switch (type) {
2388 case L2CAP_CONF_RFC:
2389 if (olen == sizeof(rfc))
2390 memcpy(&rfc, (void *)val, olen);
2391 goto done;
2392 }
2393 }
2394
2395done:
2396 switch (rfc.mode) {
2397 case L2CAP_MODE_ERTM:
47d1ec61
GP		 2398 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2399 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2400 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2401 break;
2402 case L2CAP_MODE_STREAMING:
47d1ec61 2403 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2404 }
2405}
2406
4e8402a3
MH		 2407static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2408{
e2fd318e 2409 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 2410
e2fd318e 2411 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 2412 return 0;
2413
2414 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2415 cmd->ident == conn->info_ident) {
4e8402a3 2416 del_timer(&conn->info_timer);
984947dc
MH		 2417
2418 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2419 conn->info_ident = 0;
984947dc 2420
4e8402a3
MH		 2421 l2cap_conn_start(conn);
2422 }
2423
2424 return 0;
2425}
2426
1da177e4
LT		 2427static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2428{
1da177e4
LT		 2429 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
2430 struct l2cap_conn_rsp rsp;
23691d75 2431 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 2432 struct sock *parent, *sk = NULL;
e7c29cb1 2433 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2434
2435 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 2436 __le16 psm = req->psm;
1da177e4
LT		 2437
2438 BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
2439
2440 /* Check if we have socket listening on psm */
23691d75
GP		 2441 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src);
2442 if (!pchan) {
1da177e4
LT		 2443 result = L2CAP_CR_BAD_PSM;
2444 goto sendresp;
2445 }
2446
23691d75
GP		 2447 parent = pchan->sk;
2448
e0f0cb56
GP		 2449 bh_lock_sock(parent);
2450
e7c29cb1
MH		 2451 /* Check if the ACL is secure enough (if not SDP) */
2452 if (psm != cpu_to_le16(0x0001) &&
2453 !hci_conn_check_link_mode(conn->hcon)) {
2950f21a 2454 conn->disc_reason = 0x05;
e7c29cb1
MH		 2455 result = L2CAP_CR_SEC_BLOCK;
2456 goto response;
2457 }
2458
1da177e4
LT		 2459 result = L2CAP_CR_NO_MEM;
2460
2461 /* Check for backlog size */
2462 if (sk_acceptq_is_full(parent)) {
8e87d142 2463 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1da177e4
LT		 2464 goto response;
2465 }
2466
80808e43
GP		 2467 chan = pchan->ops->new_connection(pchan->data);
2468 if (!chan)
1da177e4
LT		 2469 goto response;
2470
80808e43
GP		 2471 sk = chan->sk;
2472
baa7e1fa 2473 write_lock_bh(&conn->chan_lock);
1da177e4
LT		 2474
2475 /* Check if we already have channel with that dcid */
baa7e1fa
GP		 2476 if (__l2cap_get_chan_by_dcid(conn, scid)) {
2477 write_unlock_bh(&conn->chan_lock);
1da177e4 2478 sock_set_flag(sk, SOCK_ZAPPED);
ba3bd0ee 2479 chan->ops->close(chan->data);
1da177e4
LT		 2480 goto response;
2481 }
2482
2483 hci_conn_hold(conn->hcon);
2484
1da177e4
LT		 2485 bacpy(&bt_sk(sk)->src, conn->src);
2486 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 2487 chan->psm = psm;
2488 chan->dcid = scid;
1da177e4 2489
d1010240
GP		 2490 bt_accept_enqueue(parent, sk);
2491
48454079
GP		 2492 __l2cap_chan_add(conn, chan);
2493
fe4128e0 2494 dcid = chan->scid;
1da177e4 2495
c9b66675 2496 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 2497
fc7f8a7e 2498 chan->ident = cmd->ident;
1da177e4 2499
984947dc 2500 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
4343478f 2501 if (l2cap_check_security(chan)) {
f66dc81f 2502 if (bt_sk(sk)->defer_setup) {
89bc500e 2503 l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 2504 result = L2CAP_CR_PEND;
2505 status = L2CAP_CS_AUTHOR_PEND;
2506 parent->sk_data_ready(parent, 0);
2507 } else {
89bc500e 2508 l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 2509 result = L2CAP_CR_SUCCESS;
2510 status = L2CAP_CS_NO_INFO;
2511 }
79d554a6 2512 } else {
89bc500e 2513 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 2514 result = L2CAP_CR_PEND;
2515 status = L2CAP_CS_AUTHEN_PEND;
2516 }
2517 } else {
89bc500e 2518 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 2519 result = L2CAP_CR_PEND;
2520 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2521 }
2522
baa7e1fa 2523 write_unlock_bh(&conn->chan_lock);
1da177e4
LT		 2524
2525response:
2526 bh_unlock_sock(parent);
2527
2528sendresp:
aca3192c
YH		 2529 rsp.scid = cpu_to_le16(scid);
2530 rsp.dcid = cpu_to_le16(dcid);
2531 rsp.result = cpu_to_le16(result);
2532 rsp.status = cpu_to_le16(status);
1da177e4 2533 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 2534
2535 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
2536 struct l2cap_info_req info;
2537 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2538
2539 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
2540 conn->info_ident = l2cap_get_ident(conn);
2541
2542 mod_timer(&conn->info_timer, jiffies +
2543 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
2544
2545 l2cap_send_cmd(conn, conn->info_ident,
2546 L2CAP_INFO_REQ, sizeof(info), &info);
2547 }
2548
c1360a1c 2549 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
e9aeb2dd
GP		 2550 result == L2CAP_CR_SUCCESS) {
2551 u8 buf[128];
c1360a1c 2552 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 2553 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2554 l2cap_build_conf_req(chan, buf), buf);
2555 chan->num_conf_req++;
e9aeb2dd
GP		 2556 }
2557
1da177e4
LT		 2558 return 0;
2559}
2560
2561static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2562{
2563 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
2564 u16 scid, dcid, result, status;
48454079 2565 struct l2cap_chan *chan;
1da177e4
LT		 2566 struct sock *sk;
2567 u8 req[128];
2568
2569 scid = __le16_to_cpu(rsp->scid);
2570 dcid = __le16_to_cpu(rsp->dcid);
2571 result = __le16_to_cpu(rsp->result);
2572 status = __le16_to_cpu(rsp->status);
2573
2574 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status);
2575
2576 if (scid) {
baa7e1fa 2577 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2578 if (!chan)
57d3b22b 2579 return -EFAULT;
1da177e4 2580 } else {
baa7e1fa 2581 chan = l2cap_get_chan_by_ident(conn, cmd->ident);
48454079 2582 if (!chan)
57d3b22b 2583 return -EFAULT;
1da177e4
LT		 2584 }
2585
48454079
GP		 2586 sk = chan->sk;
2587
1da177e4
LT		 2588 switch (result) {
2589 case L2CAP_CR_SUCCESS:
89bc500e 2590 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 2591 chan->ident = 0;
fe4128e0 2592 chan->dcid = dcid;
c1360a1c 2593 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 2594
c1360a1c 2595 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 2596 break;
2597
1da177e4 2598 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2599 l2cap_build_conf_req(chan, req), req);
2600 chan->num_conf_req++;
1da177e4
LT		 2601 break;
2602
2603 case L2CAP_CR_PEND:
c1360a1c 2604 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 2605 break;
2606
2607 default:
a49184c2
AE		 2608 /* don't delete l2cap channel if sk is owned by user */
2609 if (sock_owned_by_user(sk)) {
89bc500e 2610 l2cap_state_change(chan, BT_DISCONN);
c9b66675
GP		 2611 __clear_chan_timer(chan);
2612 __set_chan_timer(chan, HZ / 5);
a49184c2
AE		 2613 break;
2614 }
2615
48454079 2616 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 2617 break;
2618 }
2619
2620 bh_unlock_sock(sk);
2621 return 0;
2622}
2623
47d1ec61 2624static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 2625{
2626 /* FCS is enabled only in ERTM or streaming mode, if one or both
2627 * sides request it.
2628 */
0c1bc5c6 2629 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 2630 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 2631 else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
47d1ec61 2632 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 2633}
2634
88219a0f 2635static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 2636{
2637 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
2638 u16 dcid, flags;
2639 u8 rsp[64];
48454079 2640 struct l2cap_chan *chan;
1da177e4 2641 struct sock *sk;
5dee9e7c 2642 int len;
1da177e4
LT		 2643
2644 dcid = __le16_to_cpu(req->dcid);
2645 flags = __le16_to_cpu(req->flags);
2646
2647 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
2648
baa7e1fa 2649 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 2650 if (!chan)
1da177e4
LT		 2651 return -ENOENT;
2652
48454079
GP		 2653 sk = chan->sk;
2654
033b1142 2655 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
e2fd318e
IK		 2656 struct l2cap_cmd_rej_cid rej;
2657
2658 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
2659 rej.scid = cpu_to_le16(chan->scid);
2660 rej.dcid = cpu_to_le16(chan->dcid);
df6bd743 2661
df6bd743
GP		 2662 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
2663 sizeof(rej), &rej);
354f60a9 2664 goto unlock;
df6bd743 2665 }
354f60a9 2666
5dee9e7c 2667 /* Reject if config buffer is too small. */
88219a0f 2668 len = cmd_len - sizeof(*req);
7ac28817 2669 if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 2670 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 2671 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c
MH		 2672 L2CAP_CONF_REJECT, flags), rsp);
2673 goto unlock;
2674 }
2675
2676 /* Store config. */
73ffa904
GP		 2677 memcpy(chan->conf_req + chan->conf_len, req->data, len);
2678 chan->conf_len += len;
1da177e4
LT		 2679
2680 if (flags & 0x0001) {
2681 /* Incomplete config. Send empty response. */
2682 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 2683 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c 2684 L2CAP_CONF_SUCCESS, 0x0001), rsp);
1da177e4
LT		 2685 goto unlock;
2686 }
2687
2688 /* Complete config. */
73ffa904 2689 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 2690 if (len < 0) {
e92c8e70 2691 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4 2692 goto unlock;
f2fcfcd6 2693 }
1da177e4 2694
5dee9e7c 2695 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 2696 chan->num_conf_rsp++;
5dee9e7c 2697
5dee9e7c 2698 /* Reset config buffer. */
73ffa904 2699 chan->conf_len = 0;
5dee9e7c 2700
c1360a1c 2701 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 2702 goto unlock;
2703
c1360a1c 2704 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 2705 set_default_fcs(chan);
fcc203c3 2706
89bc500e 2707 l2cap_state_change(chan, BT_CONNECTED);
e90bac06 2708
42e5c802
GP		 2709 chan->next_tx_seq = 0;
2710 chan->expected_tx_seq = 0;
58d35f87 2711 skb_queue_head_init(&chan->tx_q);
0c1bc5c6 2712 if (chan->mode == L2CAP_MODE_ERTM)
525cd185 2713 l2cap_ertm_init(chan);
0565c1c2 2714
1da177e4 2715 l2cap_chan_ready(sk);
876d9484
MH		 2716 goto unlock;
2717 }
2718
c1360a1c 2719 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 2720 u8 buf[64];
1da177e4 2721 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2722 l2cap_build_conf_req(chan, buf), buf);
2723 chan->num_conf_req++;
1da177e4
LT		 2724 }
2725
2726unlock:
2727 bh_unlock_sock(sk);
2728 return 0;
2729}
2730
2731static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2732{
2733 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
2734 u16 scid, flags, result;
48454079 2735 struct l2cap_chan *chan;
1da177e4 2736 struct sock *sk;
7b1c0049 2737 int len = cmd->len - sizeof(*rsp);
1da177e4
LT		 2738
2739 scid = __le16_to_cpu(rsp->scid);
2740 flags = __le16_to_cpu(rsp->flags);
2741 result = __le16_to_cpu(rsp->result);
2742
af05b30b
GP		 2743 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x",
2744 scid, flags, result);
1da177e4 2745
baa7e1fa 2746 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2747 if (!chan)
1da177e4
LT		 2748 return 0;
2749
48454079
GP		 2750 sk = chan->sk;
2751
1da177e4
LT		 2752 switch (result) {
2753 case L2CAP_CONF_SUCCESS:
47d1ec61 2754 l2cap_conf_rfc_get(chan, rsp->data, len);
1da177e4
LT		 2755 break;
2756
2757 case L2CAP_CONF_UNACCEPT:
73ffa904 2758 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 2759 char req[64];
2760
c2c77ec8 2761 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
e92c8e70 2762 l2cap_send_disconn_req(conn, chan, ECONNRESET);
c2c77ec8
AE		 2763 goto done;
2764 }
2765
f2fcfcd6
GP		 2766 /* throw out any old stored conf requests */
2767 result = L2CAP_CONF_SUCCESS;
b4450035
GP		 2768 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2769 req, &result);
f2fcfcd6 2770 if (len < 0) {
e92c8e70 2771 l2cap_send_disconn_req(conn, chan, ECONNRESET);
f2fcfcd6
GP		 2772 goto done;
2773 }
2774
2775 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2776 L2CAP_CONF_REQ, len, req);
73ffa904 2777 chan->num_conf_req++;
f2fcfcd6
GP		 2778 if (result != L2CAP_CONF_SUCCESS)
2779 goto done;
2780 break;
1da177e4
LT		 2781 }
2782
8e87d142 2783 default:
b1235d79 2784 sk->sk_err = ECONNRESET;
c9b66675 2785 __set_chan_timer(chan, HZ * 5);
e92c8e70 2786 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4
LT		 2787 goto done;
2788 }
2789
2790 if (flags & 0x01)
2791 goto done;
2792
c1360a1c 2793 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 2794
c1360a1c 2795 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 2796 set_default_fcs(chan);
fcc203c3 2797
89bc500e 2798 l2cap_state_change(chan, BT_CONNECTED);
42e5c802
GP		 2799 chan->next_tx_seq = 0;
2800 chan->expected_tx_seq = 0;
58d35f87 2801 skb_queue_head_init(&chan->tx_q);
0c1bc5c6 2802 if (chan->mode == L2CAP_MODE_ERTM)
525cd185 2803 l2cap_ertm_init(chan);
0565c1c2 2804
1da177e4
LT		 2805 l2cap_chan_ready(sk);
2806 }
2807
2808done:
2809 bh_unlock_sock(sk);
2810 return 0;
2811}
2812
2813static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2814{
2815 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
2816 struct l2cap_disconn_rsp rsp;
2817 u16 dcid, scid;
48454079 2818 struct l2cap_chan *chan;
1da177e4
LT		 2819 struct sock *sk;
2820
2821 scid = __le16_to_cpu(req->scid);
2822 dcid = __le16_to_cpu(req->dcid);
2823
2824 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
2825
baa7e1fa 2826 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 2827 if (!chan)
1da177e4
LT		 2828 return 0;
2829
48454079
GP		 2830 sk = chan->sk;
2831
fe4128e0
GP		 2832 rsp.dcid = cpu_to_le16(chan->scid);
2833 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 2834 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
2835
2836 sk->sk_shutdown = SHUTDOWN_MASK;
2837
a49184c2
AE		 2838 /* don't delete l2cap channel if sk is owned by user */
2839 if (sock_owned_by_user(sk)) {
89bc500e 2840 l2cap_state_change(chan, BT_DISCONN);
c9b66675
GP		 2841 __clear_chan_timer(chan);
2842 __set_chan_timer(chan, HZ / 5);
a49184c2
AE		 2843 bh_unlock_sock(sk);
2844 return 0;
2845 }
2846
48454079 2847 l2cap_chan_del(chan, ECONNRESET);
1da177e4
LT		 2848 bh_unlock_sock(sk);
2849
ba3bd0ee 2850 chan->ops->close(chan->data);
1da177e4
LT		 2851 return 0;
2852}
2853
2854static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2855{
2856 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
2857 u16 dcid, scid;
48454079 2858 struct l2cap_chan *chan;
1da177e4
LT		 2859 struct sock *sk;
2860
2861 scid = __le16_to_cpu(rsp->scid);
2862 dcid = __le16_to_cpu(rsp->dcid);
2863
2864 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
2865
baa7e1fa 2866 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2867 if (!chan)
1da177e4
LT		 2868 return 0;
2869
48454079
GP		 2870 sk = chan->sk;
2871
a49184c2
AE		 2872 /* don't delete l2cap channel if sk is owned by user */
2873 if (sock_owned_by_user(sk)) {
89bc500e 2874 l2cap_state_change(chan,BT_DISCONN);
c9b66675
GP		 2875 __clear_chan_timer(chan);
2876 __set_chan_timer(chan, HZ / 5);
a49184c2
AE		 2877 bh_unlock_sock(sk);
2878 return 0;
2879 }
2880
48454079 2881 l2cap_chan_del(chan, 0);
1da177e4
LT		 2882 bh_unlock_sock(sk);
2883
ba3bd0ee 2884 chan->ops->close(chan->data);
1da177e4
LT		 2885 return 0;
2886}
2887
2888static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2889{
2890 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 2891 u16 type;
2892
2893 type = __le16_to_cpu(req->type);
2894
2895 BT_DBG("type 0x%4.4x", type);
2896
f0709e03
MH		 2897 if (type == L2CAP_IT_FEAT_MASK) {
2898 u8 buf[8];
44dd46de 2899 u32 feat_mask = l2cap_feat_mask;
f0709e03
MH		 2900 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2901 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2902 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 2903 if (!disable_ertm)
fcc203c3
GP		 2904 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
2905 | L2CAP_FEAT_FCS;
a5fd6f30 2906 if (enable_hs)
6327eb98
AE		 2907 feat_mask |= L2CAP_FEAT_EXT_FLOW
2908 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 2909
1b7bf4ed 2910 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 2911 l2cap_send_cmd(conn, cmd->ident,
2912 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 2913 } else if (type == L2CAP_IT_FIXED_CHAN) {
2914 u8 buf[12];
2915 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2916 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2917 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
2918 memcpy(buf + 4, l2cap_fixed_chan, 8);
2919 l2cap_send_cmd(conn, cmd->ident,
2920 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 2921 } else {
2922 struct l2cap_info_rsp rsp;
2923 rsp.type = cpu_to_le16(type);
2924 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
2925 l2cap_send_cmd(conn, cmd->ident,
2926 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
2927 }
1da177e4
LT		 2928
2929 return 0;
2930}
2931
2932static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2933{
2934 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
2935 u16 type, result;
2936
2937 type = __le16_to_cpu(rsp->type);
2938 result = __le16_to_cpu(rsp->result);
2939
2940 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
2941
e90165be
AE		 2942 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
2943 if (cmd->ident != conn->info_ident ||
2944 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
2945 return 0;
2946
4e8402a3
MH		 2947 del_timer(&conn->info_timer);
2948
adb08ede
VT		 2949 if (result != L2CAP_IR_SUCCESS) {
2950 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2951 conn->info_ident = 0;
2952
2953 l2cap_conn_start(conn);
2954
2955 return 0;
2956 }
2957
984947dc 2958 if (type == L2CAP_IT_FEAT_MASK) {
83985319 2959 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 2960
47ec1dcd 2961 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c
MH		 2962 struct l2cap_info_req req;
2963 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2964
2965 conn->info_ident = l2cap_get_ident(conn);
2966
2967 l2cap_send_cmd(conn, conn->info_ident,
2968 L2CAP_INFO_REQ, sizeof(req), &req);
2969 } else {
2970 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2971 conn->info_ident = 0;
2972
2973 l2cap_conn_start(conn);
2974 }
2975 } else if (type == L2CAP_IT_FIXED_CHAN) {
984947dc 2976 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2977 conn->info_ident = 0;
984947dc
MH		 2978
2979 l2cap_conn_start(conn);
2980 }
4e8402a3 2981
1da177e4
LT		 2982 return 0;
2983}
2984
e2174ca4 2985static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
de73115a
CT		 2986 u16 to_multiplier)
2987{
2988 u16 max_latency;
2989
2990 if (min > max || min < 6 || max > 3200)
2991 return -EINVAL;
2992
2993 if (to_multiplier < 10 || to_multiplier > 3200)
2994 return -EINVAL;
2995
2996 if (max >= to_multiplier * 8)
2997 return -EINVAL;
2998
2999 max_latency = (to_multiplier * 8 / max) - 1;
3000 if (latency > 499 || latency > max_latency)
3001 return -EINVAL;
3002
3003 return 0;
3004}
3005
3006static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
3007 struct l2cap_cmd_hdr *cmd, u8 *data)
3008{
3009 struct hci_conn *hcon = conn->hcon;
3010 struct l2cap_conn_param_update_req *req;
3011 struct l2cap_conn_param_update_rsp rsp;
3012 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 3013 int err;
de73115a
CT		 3014
3015 if (!(hcon->link_mode & HCI_LM_MASTER))
3016 return -EINVAL;
3017
3018 cmd_len = __le16_to_cpu(cmd->len);
3019 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
3020 return -EPROTO;
3021
3022 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 3023 min = __le16_to_cpu(req->min);
3024 max = __le16_to_cpu(req->max);
de73115a
CT		 3025 latency = __le16_to_cpu(req->latency);
3026 to_multiplier = __le16_to_cpu(req->to_multiplier);
3027
3028 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
3029 min, max, latency, to_multiplier);
3030
3031 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 3032
3033 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
3034 if (err)
de73115a
CT		 3035 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
3036 else
3037 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
3038
3039 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
3040 sizeof(rsp), &rsp);
3041
2ce603eb
CT		 3042 if (!err)
3043 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
3044
de73115a
CT		 3045 return 0;
3046}
3047
3300d9a9
CT		 3048static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
3049 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
3050{
3051 int err = 0;
3052
3053 switch (cmd->code) {
3054 case L2CAP_COMMAND_REJ:
3055 l2cap_command_rej(conn, cmd, data);
3056 break;
3057
3058 case L2CAP_CONN_REQ:
3059 err = l2cap_connect_req(conn, cmd, data);
3060 break;
3061
3062 case L2CAP_CONN_RSP:
3063 err = l2cap_connect_rsp(conn, cmd, data);
3064 break;
3065
3066 case L2CAP_CONF_REQ:
3067 err = l2cap_config_req(conn, cmd, cmd_len, data);
3068 break;
3069
3070 case L2CAP_CONF_RSP:
3071 err = l2cap_config_rsp(conn, cmd, data);
3072 break;
3073
3074 case L2CAP_DISCONN_REQ:
3075 err = l2cap_disconnect_req(conn, cmd, data);
3076 break;
3077
3078 case L2CAP_DISCONN_RSP:
3079 err = l2cap_disconnect_rsp(conn, cmd, data);
3080 break;
3081
3082 case L2CAP_ECHO_REQ:
3083 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
3084 break;
3085
3086 case L2CAP_ECHO_RSP:
3087 break;
3088
3089 case L2CAP_INFO_REQ:
3090 err = l2cap_information_req(conn, cmd, data);
3091 break;
3092
3093 case L2CAP_INFO_RSP:
3094 err = l2cap_information_rsp(conn, cmd, data);
3095 break;
3096
3097 default:
3098 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
3099 err = -EINVAL;
3100 break;
3101 }
3102
3103 return err;
3104}
3105
3106static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
3107 struct l2cap_cmd_hdr *cmd, u8 *data)
3108{
3109 switch (cmd->code) {
3110 case L2CAP_COMMAND_REJ:
3111 return 0;
3112
3113 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 3114 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 3115
3116 case L2CAP_CONN_PARAM_UPDATE_RSP:
3117 return 0;
3118
3119 default:
3120 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
3121 return -EINVAL;
3122 }
3123}
3124
3125static inline void l2cap_sig_channel(struct l2cap_conn *conn,
3126 struct sk_buff *skb)
1da177e4
LT		 3127{
3128 u8 *data = skb->data;
3129 int len = skb->len;
3130 struct l2cap_cmd_hdr cmd;
3300d9a9 3131 int err;
1da177e4
LT		 3132
3133 l2cap_raw_recv(conn, skb);
3134
3135 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 3136 u16 cmd_len;
1da177e4
LT		 3137 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
3138 data += L2CAP_CMD_HDR_SIZE;
3139 len -= L2CAP_CMD_HDR_SIZE;
3140
88219a0f 3141 cmd_len = le16_to_cpu(cmd.len);
1da177e4 3142
88219a0f 3143 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 3144
88219a0f 3145 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 3146 BT_DBG("corrupted command");
3147 break;
3148 }
3149
3300d9a9
CT		 3150 if (conn->hcon->type == LE_LINK)
3151 err = l2cap_le_sig_cmd(conn, &cmd, data);
3152 else
3153 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 3154
3155 if (err) {
e2fd318e 3156 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 3157
3158 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 3159
3160 /* FIXME: Map err to a valid reason */
e2fd318e 3161 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
1da177e4
LT		 3162 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3163 }
3164
88219a0f
AV		 3165 data += cmd_len;
3166 len -= cmd_len;
1da177e4
LT		 3167 }
3168
3169 kfree_skb(skb);
3170}
3171
47d1ec61 3172static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 3173{
3174 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 3175 int hdr_size;
3176
3177 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3178 hdr_size = L2CAP_EXT_HDR_SIZE;
3179 else
3180 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 3181
47d1ec61 3182 if (chan->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 3183 skb_trim(skb, skb->len - 2);
3184 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
3185 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
3186
3187 if (our_fcs != rcv_fcs)
7a560e5c 3188 return -EBADMSG;
fcc203c3
GP		 3189 }
3190 return 0;
3191}
3192
525cd185 3193static inline void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 3194{
88843ab0 3195 u32 control = 0;
d5392c8f 3196
6a026610 3197 chan->frames_sent = 0;
d5392c8f 3198
0b209fae 3199 control |= __set_reqseq(chan, chan->buffer_seq);
d5392c8f 3200
e2ab4353 3201 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
ab784b73 3202 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
525cd185 3203 l2cap_send_sframe(chan, control);
e2ab4353 3204 set_bit(CONN_RNR_SENT, &chan->conn_state);
d5392c8f
GP		 3205 }
3206
e2ab4353 3207 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
525cd185 3208 l2cap_retransmit_frames(chan);
d5392c8f 3209
525cd185 3210 l2cap_ertm_send(chan);
d5392c8f 3211
e2ab4353 3212 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
6a026610 3213 chan->frames_sent == 0) {
ab784b73 3214 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
525cd185 3215 l2cap_send_sframe(chan, control);
d5392c8f
GP		 3216 }
3217}
3218
fb45de7d 3219static int l2cap_add_to_srej_queue(struct l2cap_chan *chan, struct sk_buff *skb, u16 tx_seq, u8 sar)
8f17154f
GP		 3220{
3221 struct sk_buff *next_skb;
bfbacc11 3222 int tx_seq_offset, next_tx_seq_offset;
8f17154f
GP		 3223
3224 bt_cb(skb)->tx_seq = tx_seq;
3225 bt_cb(skb)->sar = sar;
3226
f1c6775b 3227 next_skb = skb_peek(&chan->srej_q);
8f17154f 3228 if (!next_skb) {
f1c6775b 3229 __skb_queue_tail(&chan->srej_q, skb);
9b53350d 3230 return 0;
8f17154f
GP		 3231 }
3232
836be934 3233 tx_seq_offset = __seq_offset(chan, tx_seq, chan->buffer_seq);
bfbacc11 3234
8f17154f 3235 do {
9b53350d
JPRV		 3236 if (bt_cb(next_skb)->tx_seq == tx_seq)
3237 return -EINVAL;
3238
836be934
AE		 3239 next_tx_seq_offset = __seq_offset(chan,
3240 bt_cb(next_skb)->tx_seq, chan->buffer_seq);
bfbacc11
JPRV		 3241
3242 if (next_tx_seq_offset > tx_seq_offset) {
f1c6775b 3243 __skb_queue_before(&chan->srej_q, next_skb, skb);
9b53350d 3244 return 0;
8f17154f
GP		 3245 }
3246
f1c6775b 3247 if (skb_queue_is_last(&chan->srej_q, next_skb))
8f17154f
GP		 3248 break;
3249
f1c6775b 3250 } while ((next_skb = skb_queue_next(&chan->srej_q, next_skb)));
8f17154f 3251
f1c6775b 3252 __skb_queue_tail(&chan->srej_q, skb);
9b53350d
JPRV		 3253
3254 return 0;
8f17154f
GP		 3255}
3256
84084a31
MM		 3257static void append_skb_frag(struct sk_buff *skb,
3258 struct sk_buff *new_frag, struct sk_buff **last_frag)
18778a63 3259{
84084a31
MM		 3260 /* skb->len reflects data in skb as well as all fragments
3261 * skb->data_len reflects only data in fragments
3262 */
3263 if (!skb_has_frag_list(skb))
3264 skb_shinfo(skb)->frag_list = new_frag;
3265
3266 new_frag->next = NULL;
3267
3268 (*last_frag)->next = new_frag;
3269 *last_frag = new_frag;
3270
3271 skb->len += new_frag->len;
3272 skb->data_len += new_frag->len;
3273 skb->truesize += new_frag->truesize;
3274}
3275
88843ab0 3276static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u32 control)
84084a31
MM		 3277{
3278 int err = -EINVAL;
18778a63 3279
7e0ef6ee
AE		 3280 switch (__get_ctrl_sar(chan, control)) {
3281 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 3282 if (chan->sdu)
3283 break;
18778a63 3284
84084a31
MM		 3285 err = chan->ops->recv(chan->data, skb);
3286 break;
18778a63 3287
7e0ef6ee 3288 case L2CAP_SAR_START:
84084a31
MM		 3289 if (chan->sdu)
3290 break;
18778a63 3291
6f61fd47 3292 chan->sdu_len = get_unaligned_le16(skb->data);
84084a31 3293 skb_pull(skb, 2);
18778a63 3294
84084a31
MM		 3295 if (chan->sdu_len > chan->imtu) {
3296 err = -EMSGSIZE;
3297 break;
3298 }
1890d36b 3299
84084a31
MM		 3300 if (skb->len >= chan->sdu_len)
3301 break;
18778a63 3302
84084a31
MM		 3303 chan->sdu = skb;
3304 chan->sdu_last_frag = skb;
18778a63 3305
84084a31
MM		 3306 skb = NULL;
3307 err = 0;
18778a63
GP		 3308 break;
3309
7e0ef6ee 3310 case L2CAP_SAR_CONTINUE:
6f61fd47 3311 if (!chan->sdu)
84084a31 3312 break;
18778a63 3313
84084a31
MM		 3314 append_skb_frag(chan->sdu, skb,
3315 &chan->sdu_last_frag);
3316 skb = NULL;
18778a63 3317
84084a31
MM		 3318 if (chan->sdu->len >= chan->sdu_len)
3319 break;
4178ba46 3320
84084a31 3321 err = 0;
18778a63
GP		 3322 break;
3323
7e0ef6ee 3324 case L2CAP_SAR_END:
6f61fd47 3325 if (!chan->sdu)
84084a31 3326 break;
18778a63 3327
84084a31
MM		 3328 append_skb_frag(chan->sdu, skb,
3329 &chan->sdu_last_frag);
3330 skb = NULL;
4178ba46 3331
84084a31
MM		 3332 if (chan->sdu->len != chan->sdu_len)
3333 break;
18778a63 3334
84084a31 3335 err = chan->ops->recv(chan->data, chan->sdu);
1890d36b 3336
84084a31
MM		 3337 if (!err) {
3338 /* Reassembly complete */
3339 chan->sdu = NULL;
3340 chan->sdu_last_frag = NULL;
3341 chan->sdu_len = 0;
1890d36b 3342 }
18778a63
GP		 3343 break;
3344 }
3345
84084a31
MM		 3346 if (err) {
3347 kfree_skb(skb);
3348 kfree_skb(chan->sdu);
3349 chan->sdu = NULL;
3350 chan->sdu_last_frag = NULL;
3351 chan->sdu_len = 0;
3352 }
18778a63 3353
84084a31 3354 return err;
18778a63
GP		 3355}
3356
26f880d2 3357static void l2cap_ertm_enter_local_busy(struct l2cap_chan *chan)
712132eb 3358{
88843ab0 3359 u32 control;
712132eb 3360
26f880d2 3361 BT_DBG("chan %p, Enter local busy", chan);
712132eb 3362
26f880d2
MM		 3363 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
3364
0b209fae 3365 control = __set_reqseq(chan, chan->buffer_seq);
ab784b73 3366 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
26f880d2
MM		 3367 l2cap_send_sframe(chan, control);
3368
3369 set_bit(CONN_RNR_SENT, &chan->conn_state);
3370
3371 __clear_ack_timer(chan);
3372}
3373
3374static void l2cap_ertm_exit_local_busy(struct l2cap_chan *chan)
3375{
88843ab0 3376 u32 control;
712132eb 3377
e2ab4353 3378 if (!test_bit(CONN_RNR_SENT, &chan->conn_state))
712132eb
GP		 3379 goto done;
3380
0b209fae 3381 control = __set_reqseq(chan, chan->buffer_seq);
e3781735 3382 control |= __set_ctrl_poll(chan);
ab784b73 3383 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
525cd185 3384 l2cap_send_sframe(chan, control);
6a026610 3385 chan->retry_count = 1;
712132eb 3386
1a09bcb9
GP		 3387 __clear_retrans_timer(chan);
3388 __set_monitor_timer(chan);
712132eb 3389
e2ab4353 3390 set_bit(CONN_WAIT_F, &chan->conn_state);
712132eb
GP		 3391
3392done:
e2ab4353
GP		 3393 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
3394 clear_bit(CONN_RNR_SENT, &chan->conn_state);
712132eb 3395
49208c9c 3396 BT_DBG("chan %p, Exit local busy", chan);
712132eb
GP		 3397}
3398
e328140f 3399void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
1890d36b 3400{
e328140f
MM		 3401 if (chan->mode == L2CAP_MODE_ERTM) {
3402 if (busy)
3403 l2cap_ertm_enter_local_busy(chan);
3404 else
3405 l2cap_ertm_exit_local_busy(chan);
1890d36b 3406 }
1890d36b
GP		 3407}
3408
fb45de7d 3409static void l2cap_check_srej_gap(struct l2cap_chan *chan, u16 tx_seq)
8f17154f
GP		 3410{
3411 struct sk_buff *skb;
88843ab0 3412 u32 control;
8f17154f 3413
e328140f
MM		 3414 while ((skb = skb_peek(&chan->srej_q)) &&
3415 !test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
3416 int err;
3417
8f17154f
GP		 3418 if (bt_cb(skb)->tx_seq != tx_seq)
3419 break;
3420
f1c6775b 3421 skb = skb_dequeue(&chan->srej_q);
7e0ef6ee 3422 control = __set_ctrl_sar(chan, bt_cb(skb)->sar);
84084a31 3423 err = l2cap_reassemble_sdu(chan, skb, control);
e328140f
MM		 3424
3425 if (err < 0) {
3426 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3427 break;
3428 }
3429
836be934
AE		 3430 chan->buffer_seq_srej = __next_seq(chan, chan->buffer_seq_srej);
3431 tx_seq = __next_seq(chan, tx_seq);
8f17154f
GP		 3432 }
3433}
3434
fb45de7d 3435static void l2cap_resend_srejframe(struct l2cap_chan *chan, u16 tx_seq)
8f17154f 3436{
8f17154f 3437 struct srej_list *l, *tmp;
88843ab0 3438 u32 control;
8f17154f 3439
39d5a3ee 3440 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
8f17154f
GP		 3441 if (l->tx_seq == tx_seq) {
3442 list_del(&l->list);
3443 kfree(l);
3444 return;
3445 }
ab784b73 3446 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
0b209fae 3447 control |= __set_reqseq(chan, l->tx_seq);
525cd185 3448 l2cap_send_sframe(chan, control);
8f17154f 3449 list_del(&l->list);
39d5a3ee 3450 list_add_tail(&l->list, &chan->srej_l);
8f17154f
GP		 3451 }
3452}
3453
fb45de7d 3454static void l2cap_send_srejframe(struct l2cap_chan *chan, u16 tx_seq)
8f17154f 3455{
8f17154f 3456 struct srej_list *new;
88843ab0 3457 u32 control;
8f17154f 3458
42e5c802 3459 while (tx_seq != chan->expected_tx_seq) {
ab784b73 3460 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
0b209fae 3461 control |= __set_reqseq(chan, chan->expected_tx_seq);
525cd185 3462 l2cap_send_sframe(chan, control);
8f17154f
GP		 3463
3464 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
42e5c802 3465 new->tx_seq = chan->expected_tx_seq;
836be934
AE		 3466
3467 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
3468
39d5a3ee 3469 list_add_tail(&new->list, &chan->srej_l);
8f17154f 3470 }
836be934
AE		 3471
3472 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
8f17154f
GP		 3473}
3474
88843ab0 3475static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u32 rx_control, struct sk_buff *skb)
1c2acffb 3476{
fb45de7d 3477 u16 tx_seq = __get_txseq(chan, rx_control);
0b209fae 3478 u16 req_seq = __get_reqseq(chan, rx_control);
7e0ef6ee 3479 u8 sar = __get_ctrl_sar(chan, rx_control);
f6337c77 3480 int tx_seq_offset, expected_tx_seq_offset;
47d1ec61 3481 int num_to_ack = (chan->tx_win/6) + 1;
1c2acffb
GP		 3482 int err = 0;
3483
88843ab0 3484 BT_DBG("chan %p len %d tx_seq %d rx_control 0x%8.8x", chan, skb->len,
525cd185 3485 tx_seq, rx_control);
1c2acffb 3486
03f6715d 3487 if (__is_ctrl_final(chan, rx_control) &&
e2ab4353 3488 test_bit(CONN_WAIT_F, &chan->conn_state)) {
1a09bcb9 3489 __clear_monitor_timer(chan);
6a026610 3490 if (chan->unacked_frames > 0)
1a09bcb9 3491 __set_retrans_timer(chan);
e2ab4353 3492 clear_bit(CONN_WAIT_F, &chan->conn_state);
1d8f5d16
GP		 3493 }
3494
42e5c802
GP		 3495 chan->expected_ack_seq = req_seq;
3496 l2cap_drop_acked_frames(chan);
9f121a5a 3497
836be934 3498 tx_seq_offset = __seq_offset(chan, tx_seq, chan->buffer_seq);
9b53350d
JPRV		 3499
3500 /* invalid tx_seq */
47d1ec61 3501 if (tx_seq_offset >= chan->tx_win) {
8c1d787b 3502 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
9b53350d
JPRV		 3503 goto drop;
3504 }
3505
e2ab4353 3506 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1890d36b
GP		 3507 goto drop;
3508
02f1b641
MM		 3509 if (tx_seq == chan->expected_tx_seq)
3510 goto expected;
3511
e2ab4353 3512 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
8f17154f 3513 struct srej_list *first;
30afb5b2 3514
39d5a3ee 3515 first = list_first_entry(&chan->srej_l,
8f17154f
GP		 3516 struct srej_list, list);
3517 if (tx_seq == first->tx_seq) {
42e5c802 3518 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
525cd185 3519 l2cap_check_srej_gap(chan, tx_seq);
8f17154f
GP		 3520
3521 list_del(&first->list);
3522 kfree(first);
3523
39d5a3ee 3524 if (list_empty(&chan->srej_l)) {
42e5c802 3525 chan->buffer_seq = chan->buffer_seq_srej;
e2ab4353 3526 clear_bit(CONN_SREJ_SENT, &chan->conn_state);
525cd185 3527 l2cap_send_ack(chan);
49208c9c 3528 BT_DBG("chan %p, Exit SREJ_SENT", chan);
8f17154f
GP		 3529 }
3530 } else {
3531 struct srej_list *l;
9b53350d
JPRV		 3532
3533 /* duplicated tx_seq */
42e5c802 3534 if (l2cap_add_to_srej_queue(chan, skb, tx_seq, sar) < 0)
9b53350d 3535 goto drop;
8f17154f 3536
39d5a3ee 3537 list_for_each_entry(l, &chan->srej_l, list) {
8f17154f 3538 if (l->tx_seq == tx_seq) {
525cd185 3539 l2cap_resend_srejframe(chan, tx_seq);
8f17154f
GP		 3540 return 0;
3541 }
3542 }
525cd185 3543 l2cap_send_srejframe(chan, tx_seq);
30afb5b2
GP		 3544 }
3545 } else {
836be934
AE		 3546 expected_tx_seq_offset = __seq_offset(chan,
3547 chan->expected_tx_seq, chan->buffer_seq);
9b53350d
JPRV		 3548
3549 /* duplicated tx_seq */
3550 if (tx_seq_offset < expected_tx_seq_offset)
3551 goto drop;
3552
e2ab4353 3553 set_bit(CONN_SREJ_SENT, &chan->conn_state);
1c2acffb 3554
49208c9c 3555 BT_DBG("chan %p, Enter SREJ", chan);
0e98958d 3556
39d5a3ee 3557 INIT_LIST_HEAD(&chan->srej_l);
42e5c802 3558 chan->buffer_seq_srej = chan->buffer_seq;
8f17154f 3559
f1c6775b 3560 __skb_queue_head_init(&chan->srej_q);
42e5c802 3561 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
8f17154f 3562
e2ab4353 3563 set_bit(CONN_SEND_PBIT, &chan->conn_state);
ef54fd93 3564
525cd185 3565 l2cap_send_srejframe(chan, tx_seq);
7fe9b298 3566
1a09bcb9 3567 __clear_ack_timer(chan);
1c2acffb 3568 }
30afb5b2
GP		 3569 return 0;
3570
8f17154f 3571expected:
836be934 3572 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
8f17154f 3573
e2ab4353 3574 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3b1a9f3f
GP		 3575 bt_cb(skb)->tx_seq = tx_seq;
3576 bt_cb(skb)->sar = sar;
f1c6775b 3577 __skb_queue_tail(&chan->srej_q, skb);
8f17154f
GP		 3578 return 0;
3579 }
3580
84084a31 3581 err = l2cap_reassemble_sdu(chan, skb, rx_control);
836be934
AE		 3582 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
3583
e328140f
MM		 3584 if (err < 0) {
3585 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3586 return err;
3587 }
2ece3684 3588
03f6715d 3589 if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 3590 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 3591 l2cap_retransmit_frames(chan);
4ec10d97
GP		 3592 }
3593
1a09bcb9 3594 __set_ack_timer(chan);
c1b4f43b 3595
6a026610
GP		 3596 chan->num_acked = (chan->num_acked + 1) % num_to_ack;
3597 if (chan->num_acked == num_to_ack - 1)
525cd185 3598 l2cap_send_ack(chan);
9e917af1 3599
8f17154f 3600 return 0;
9b53350d
JPRV		 3601
3602drop:
3603 kfree_skb(skb);
3604 return 0;
1c2acffb
GP		 3605}
3606
88843ab0 3607static inline void l2cap_data_channel_rrframe(struct l2cap_chan *chan, u32 rx_control)
1c2acffb 3608{
88843ab0 3609 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan,
0b209fae 3610 __get_reqseq(chan, rx_control), rx_control);
0e98958d 3611
0b209fae 3612 chan->expected_ack_seq = __get_reqseq(chan, rx_control);
42e5c802 3613 l2cap_drop_acked_frames(chan);
1c2acffb 3614
e3781735 3615 if (__is_ctrl_poll(chan, rx_control)) {
e2ab4353
GP		 3616 set_bit(CONN_SEND_FBIT, &chan->conn_state);
3617 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3618 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
6a026610 3619 (chan->unacked_frames > 0))
1a09bcb9 3620 __set_retrans_timer(chan);
05fbd89d 3621
e2ab4353 3622 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
525cd185 3623 l2cap_send_srejtail(chan);
05fbd89d 3624 } else {
525cd185 3625 l2cap_send_i_or_rr_or_rnr(chan);
05fbd89d 3626 }
1d8f5d16 3627
03f6715d 3628 } else if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 3629 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4ec10d97 3630
e2ab4353 3631 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 3632 l2cap_retransmit_frames(chan);
2246b2f1 3633
e072745f 3634 } else {
e2ab4353 3635 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
6a026610 3636 (chan->unacked_frames > 0))
1a09bcb9 3637 __set_retrans_timer(chan);
1c2acffb 3638
e2ab4353
GP		 3639 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
3640 if (test_bit(CONN_SREJ_SENT, &chan->conn_state))
525cd185 3641 l2cap_send_ack(chan);
894718a6 3642 else
525cd185 3643 l2cap_ertm_send(chan);
e072745f
GP		 3644 }
3645}
2246b2f1 3646
88843ab0 3647static inline void l2cap_data_channel_rejframe(struct l2cap_chan *chan, u32 rx_control)
e072745f 3648{
0b209fae 3649 u16 tx_seq = __get_reqseq(chan, rx_control);
30afb5b2 3650
88843ab0 3651 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
0e98958d 3652
e2ab4353 3653 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
e072745f 3654
42e5c802
GP		 3655 chan->expected_ack_seq = tx_seq;
3656 l2cap_drop_acked_frames(chan);
e072745f 3657
03f6715d 3658 if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 3659 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 3660 l2cap_retransmit_frames(chan);
e072745f 3661 } else {
525cd185 3662 l2cap_retransmit_frames(chan);
30afb5b2 3663
e2ab4353
GP		 3664 if (test_bit(CONN_WAIT_F, &chan->conn_state))
3665 set_bit(CONN_REJ_ACT, &chan->conn_state);
e072745f
GP		 3666 }
3667}
88843ab0 3668static inline void l2cap_data_channel_srejframe(struct l2cap_chan *chan, u32 rx_control)
e072745f 3669{
0b209fae 3670 u16 tx_seq = __get_reqseq(chan, rx_control);
30afb5b2 3671
88843ab0 3672 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
0e98958d 3673
e2ab4353 3674 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
2246b2f1 3675
e3781735 3676 if (__is_ctrl_poll(chan, rx_control)) {
42e5c802
GP		 3677 chan->expected_ack_seq = tx_seq;
3678 l2cap_drop_acked_frames(chan);
3cb123d1 3679
e2ab4353 3680 set_bit(CONN_SEND_FBIT, &chan->conn_state);
525cd185 3681 l2cap_retransmit_one_frame(chan, tx_seq);
dfc909be 3682
525cd185 3683 l2cap_ertm_send(chan);
dfc909be 3684
e2ab4353 3685 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
6a026610 3686 chan->srej_save_reqseq = tx_seq;
e2ab4353 3687 set_bit(CONN_SREJ_ACT, &chan->conn_state);
ef54fd93 3688 }
03f6715d 3689 } else if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 3690 if (test_bit(CONN_SREJ_ACT, &chan->conn_state) &&
6a026610 3691 chan->srej_save_reqseq == tx_seq)
e2ab4353 3692 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
e072745f 3693 else
525cd185 3694 l2cap_retransmit_one_frame(chan, tx_seq);
e072745f 3695 } else {
525cd185 3696 l2cap_retransmit_one_frame(chan, tx_seq);
e2ab4353 3697 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
6a026610 3698 chan->srej_save_reqseq = tx_seq;
e2ab4353 3699 set_bit(CONN_SREJ_ACT, &chan->conn_state);
ef54fd93 3700 }
e072745f
GP		 3701 }
3702}
3703
88843ab0 3704static inline void l2cap_data_channel_rnrframe(struct l2cap_chan *chan, u32 rx_control)
e072745f 3705{
0b209fae 3706 u16 tx_seq = __get_reqseq(chan, rx_control);
e072745f 3707
88843ab0 3708 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
0e98958d 3709
e2ab4353 3710 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
42e5c802
GP		 3711 chan->expected_ack_seq = tx_seq;
3712 l2cap_drop_acked_frames(chan);
e072745f 3713
e3781735 3714 if (__is_ctrl_poll(chan, rx_control))
e2ab4353 3715 set_bit(CONN_SEND_FBIT, &chan->conn_state);
3cb123d1 3716
e2ab4353 3717 if (!test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
1a09bcb9 3718 __clear_retrans_timer(chan);
e3781735 3719 if (__is_ctrl_poll(chan, rx_control))
525cd185 3720 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_FINAL);
99b0d4b7 3721 return;
e072745f 3722 }
99b0d4b7 3723
e3781735 3724 if (__is_ctrl_poll(chan, rx_control)) {
525cd185 3725 l2cap_send_srejtail(chan);
ab784b73
AE		 3726 } else {
3727 rx_control = __set_ctrl_super(chan, L2CAP_SUPER_RR);
3728 l2cap_send_sframe(chan, rx_control);
3729 }
e072745f
GP		 3730}
3731
88843ab0 3732static inline int l2cap_data_channel_sframe(struct l2cap_chan *chan, u32 rx_control, struct sk_buff *skb)
e072745f 3733{
88843ab0 3734 BT_DBG("chan %p rx_control 0x%8.8x len %d", chan, rx_control, skb->len);
e072745f 3735
03f6715d 3736 if (__is_ctrl_final(chan, rx_control) &&
e2ab4353 3737 test_bit(CONN_WAIT_F, &chan->conn_state)) {
1a09bcb9 3738 __clear_monitor_timer(chan);
6a026610 3739 if (chan->unacked_frames > 0)
1a09bcb9 3740 __set_retrans_timer(chan);
e2ab4353 3741 clear_bit(CONN_WAIT_F, &chan->conn_state);
e072745f
GP		 3742 }
3743
ab784b73
AE		 3744 switch (__get_ctrl_super(chan, rx_control)) {
3745 case L2CAP_SUPER_RR:
525cd185 3746 l2cap_data_channel_rrframe(chan, rx_control);
8f17154f
GP		 3747 break;
3748
ab784b73 3749 case L2CAP_SUPER_REJ:
525cd185 3750 l2cap_data_channel_rejframe(chan, rx_control);
e072745f 3751 break;
2246b2f1 3752
ab784b73 3753 case L2CAP_SUPER_SREJ:
525cd185 3754 l2cap_data_channel_srejframe(chan, rx_control);
e072745f
GP		 3755 break;
3756
ab784b73 3757 case L2CAP_SUPER_RNR:
525cd185 3758 l2cap_data_channel_rnrframe(chan, rx_control);
1c2acffb
GP		 3759 break;
3760 }
3761
faaebd19 3762 kfree_skb(skb);
1c2acffb
GP		 3763 return 0;
3764}
3765
218bb9df
GP		 3766static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb)
3767{
525cd185 3768 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
88843ab0 3769 u32 control;
0b209fae 3770 u16 req_seq;
218bb9df
GP		 3771 int len, next_tx_seq_offset, req_seq_offset;
3772
88843ab0
AE		 3773 control = __get_control(chan, skb->data);
3774 skb_pull(skb, __ctrl_size(chan));
218bb9df
GP		 3775 len = skb->len;
3776
3777 /*
3778 * We can just drop the corrupted I-frame here.
3779 * Receiver will miss it and start proper recovery
3780 * procedures and ask retransmission.
3781 */
47d1ec61 3782 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 3783 goto drop;
3784
793c2f1c 3785 if (__is_sar_start(chan, control) && !__is_sframe(chan, control))
218bb9df
GP		 3786 len -= 2;
3787
47d1ec61 3788 if (chan->fcs == L2CAP_FCS_CRC16)
218bb9df
GP		 3789 len -= 2;
3790
47d1ec61 3791 if (len > chan->mps) {
8c1d787b 3792 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3793 goto drop;
3794 }
3795
0b209fae 3796 req_seq = __get_reqseq(chan, control);
218bb9df 3797
836be934
AE		 3798 req_seq_offset = __seq_offset(chan, req_seq, chan->expected_ack_seq);
3799
3800 next_tx_seq_offset = __seq_offset(chan, chan->next_tx_seq,
3801 chan->expected_ack_seq);
218bb9df
GP		 3802
3803 /* check for invalid req-seq */
3804 if (req_seq_offset > next_tx_seq_offset) {
8c1d787b 3805 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3806 goto drop;
3807 }
3808
793c2f1c 3809 if (!__is_sframe(chan, control)) {
218bb9df 3810 if (len < 0) {
8c1d787b 3811 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3812 goto drop;
3813 }
3814
525cd185 3815 l2cap_data_channel_iframe(chan, control, skb);
218bb9df
GP		 3816 } else {
3817 if (len != 0) {
3818 BT_ERR("%d", len);
8c1d787b 3819 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3820 goto drop;
3821 }
3822
525cd185 3823 l2cap_data_channel_sframe(chan, control, skb);
218bb9df
GP		 3824 }
3825
3826 return 0;
3827
3828drop:
3829 kfree_skb(skb);
3830 return 0;
3831}
3832
1da177e4
LT		 3833static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
3834{
48454079 3835 struct l2cap_chan *chan;
bf734843 3836 struct sock *sk = NULL;
88843ab0 3837 u32 control;
fb45de7d 3838 u16 tx_seq;
218bb9df 3839 int len;
1da177e4 3840
baa7e1fa 3841 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 3842 if (!chan) {
1da177e4
LT		 3843 BT_DBG("unknown cid 0x%4.4x", cid);
3844 goto drop;
3845 }
3846
48454079 3847 sk = chan->sk;
6840ed07 3848
49208c9c 3849 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 3850
89bc500e 3851 if (chan->state != BT_CONNECTED)
1da177e4
LT		 3852 goto drop;
3853
0c1bc5c6 3854 switch (chan->mode) {
1c2acffb
GP		 3855 case L2CAP_MODE_BASIC:
3856 /* If socket recv buffers overflows we drop data here
3857 * which is *bad* because L2CAP has to be reliable.
3858 * But we don't have any other choice. L2CAP doesn't
3859 * provide flow control mechanism. */
1da177e4 3860
0c1bc5c6 3861 if (chan->imtu < skb->len)
1c2acffb 3862 goto drop;
1da177e4 3863
23070494 3864 if (!chan->ops->recv(chan->data, skb))
1c2acffb
GP		 3865 goto done;
3866 break;
3867
3868 case L2CAP_MODE_ERTM:
218bb9df
GP		 3869 if (!sock_owned_by_user(sk)) {
3870 l2cap_ertm_data_rcv(sk, skb);
277ffbe3 3871 } else {
218bb9df 3872 if (sk_add_backlog(sk, skb))
277ffbe3 3873 goto drop;
277ffbe3 3874 }
1c2acffb 3875
fcafde2e 3876 goto done;
1c2acffb 3877
6840ed07 3878 case L2CAP_MODE_STREAMING:
88843ab0
AE		 3879 control = __get_control(chan, skb->data);
3880 skb_pull(skb, __ctrl_size(chan));
6840ed07
GP		 3881 len = skb->len;
3882
47d1ec61 3883 if (l2cap_check_fcs(chan, skb))
26000089
GP		 3884 goto drop;
3885
7e0ef6ee 3886 if (__is_sar_start(chan, control))
6840ed07
GP		 3887 len -= 2;
3888
47d1ec61 3889 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3
GP		 3890 len -= 2;
3891
793c2f1c 3892 if (len > chan->mps || len < 0 || __is_sframe(chan, control))
6840ed07
GP		 3893 goto drop;
3894
fb45de7d 3895 tx_seq = __get_txseq(chan, control);
6840ed07 3896
84084a31
MM		 3897 if (chan->expected_tx_seq != tx_seq) {
3898 /* Frame(s) missing - must discard partial SDU */
3899 kfree_skb(chan->sdu);
3900 chan->sdu = NULL;
3901 chan->sdu_last_frag = NULL;
3902 chan->sdu_len = 0;
6840ed07 3903
84084a31
MM		 3904 /* TODO: Notify userland of missing data */
3905 }
3906
836be934 3907 chan->expected_tx_seq = __next_seq(chan, tx_seq);
84084a31
MM		 3908
3909 if (l2cap_reassemble_sdu(chan, skb, control) == -EMSGSIZE)
3910 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
6840ed07
GP		 3911
3912 goto done;
3913
1c2acffb 3914 default:
0c1bc5c6 3915 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 3916 break;
3917 }
1da177e4
LT		 3918
3919drop:
3920 kfree_skb(skb);
3921
3922done:
0139418c
MH		 3923 if (sk)
3924 bh_unlock_sock(sk);
3925
1da177e4
LT		 3926 return 0;
3927}
3928
8e036fc3 3929static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
1da177e4 3930{
6dcae1ea 3931 struct sock *sk = NULL;
23691d75 3932 struct l2cap_chan *chan;
1da177e4 3933
23691d75
GP		 3934 chan = l2cap_global_chan_by_psm(0, psm, conn->src);
3935 if (!chan)
1da177e4
LT		 3936 goto drop;
3937
23691d75
GP		 3938 sk = chan->sk;
3939
e0f0cb56
GP		 3940 bh_lock_sock(sk);
3941
1da177e4
LT		 3942 BT_DBG("sk %p, len %d", sk, skb->len);
3943
89bc500e 3944 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 3945 goto drop;
3946
e13e21dc 3947 if (chan->imtu < skb->len)
1da177e4
LT		 3948 goto drop;
3949
23070494 3950 if (!chan->ops->recv(chan->data, skb))
1da177e4
LT		 3951 goto done;
3952
3953drop:
3954 kfree_skb(skb);
3955
3956done:
af05b30b
GP		 3957 if (sk)
3958 bh_unlock_sock(sk);
1da177e4
LT		 3959 return 0;
3960}
3961
9f69bda6
GP		 3962static inline int l2cap_att_channel(struct l2cap_conn *conn, __le16 cid, struct sk_buff *skb)
3963{
6dcae1ea 3964 struct sock *sk = NULL;
23691d75 3965 struct l2cap_chan *chan;
9f69bda6 3966
23691d75
GP		 3967 chan = l2cap_global_chan_by_scid(0, cid, conn->src);
3968 if (!chan)
9f69bda6
GP		 3969 goto drop;
3970
23691d75
GP		 3971 sk = chan->sk;
3972
9f69bda6
GP		 3973 bh_lock_sock(sk);
3974
3975 BT_DBG("sk %p, len %d", sk, skb->len);
3976
89bc500e 3977 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
9f69bda6
GP		 3978 goto drop;
3979
e13e21dc 3980 if (chan->imtu < skb->len)
9f69bda6
GP		 3981 goto drop;
3982
23070494 3983 if (!chan->ops->recv(chan->data, skb))
9f69bda6
GP		 3984 goto done;
3985
3986drop:
3987 kfree_skb(skb);
3988
3989done:
3990 if (sk)
3991 bh_unlock_sock(sk);
3992 return 0;
3993}
3994
1da177e4
LT		 3995static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
3996{
3997 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 3998 u16 cid, len;
3999 __le16 psm;
1da177e4
LT		 4000
4001 skb_pull(skb, L2CAP_HDR_SIZE);
4002 cid = __le16_to_cpu(lh->cid);
4003 len = __le16_to_cpu(lh->len);
4004
1c2acffb
GP		 4005 if (len != skb->len) {
4006 kfree_skb(skb);
4007 return;
4008 }
4009
1da177e4
LT		 4010 BT_DBG("len %d, cid 0x%4.4x", len, cid);
4011
4012 switch (cid) {
3300d9a9 4013 case L2CAP_CID_LE_SIGNALING:
8db4dc46 4014 case L2CAP_CID_SIGNALING:
1da177e4
LT		 4015 l2cap_sig_channel(conn, skb);
4016 break;
4017
8db4dc46 4018 case L2CAP_CID_CONN_LESS:
1b7bf4ed 4019 psm = get_unaligned_le16(skb->data);
1da177e4
LT		 4020 skb_pull(skb, 2);
4021 l2cap_conless_channel(conn, psm, skb);
4022 break;
4023
9f69bda6
GP		 4024 case L2CAP_CID_LE_DATA:
4025 l2cap_att_channel(conn, cid, skb);
4026 break;
4027
b501d6a1
AB		 4028 case L2CAP_CID_SMP:
4029 if (smp_sig_channel(conn, skb))
4030 l2cap_conn_del(conn->hcon, EACCES);
4031 break;
4032
1da177e4
LT		 4033 default:
4034 l2cap_data_channel(conn, cid, skb);
4035 break;
4036 }
4037}
4038
4039/* ---- L2CAP interface with lower layer (HCI) ---- */
4040
4041static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
4042{
4043 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 4044 struct l2cap_chan *c;
1da177e4
LT		 4045
4046 if (type != ACL_LINK)
963cf687 4047 return -EINVAL;
1da177e4
LT		 4048
4049 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
4050
4051 /* Find listening sockets and check their link_mode */
23691d75
GP		 4052 read_lock(&chan_list_lock);
4053 list_for_each_entry(c, &chan_list, global_l) {
4054 struct sock *sk = c->sk;
4343478f 4055
89bc500e 4056 if (c->state != BT_LISTEN)
1da177e4
LT		 4057 continue;
4058
4059 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 4060 lm1 |= HCI_LM_ACCEPT;
43bd0f32 4061 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 4062 lm1 |= HCI_LM_MASTER;
1da177e4 4063 exact++;
2af6b9d5
MH		 4064 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
4065 lm2 |= HCI_LM_ACCEPT;
43bd0f32 4066 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 4067 lm2 |= HCI_LM_MASTER;
4068 }
1da177e4 4069 }
23691d75 4070 read_unlock(&chan_list_lock);
1da177e4
LT		 4071
4072 return exact ? lm1 : lm2;
4073}
4074
4075static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
4076{
0139418c
MH		 4077 struct l2cap_conn *conn;
4078
1da177e4
LT		 4079 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
4080
acd7d370 4081 if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK))
963cf687 4082 return -EINVAL;
1da177e4
LT		 4083
4084 if (!status) {
1da177e4
LT		 4085 conn = l2cap_conn_add(hcon, status);
4086 if (conn)
4087 l2cap_conn_ready(conn);
0139418c 4088 } else
e175072f 4089 l2cap_conn_del(hcon, bt_to_errno(status));
1da177e4
LT		 4090
4091 return 0;
4092}
4093
2950f21a
MH		 4094static int l2cap_disconn_ind(struct hci_conn *hcon)
4095{
4096 struct l2cap_conn *conn = hcon->l2cap_data;
4097
4098 BT_DBG("hcon %p", hcon);
4099
b5694506 4100 if ((hcon->type != ACL_LINK && hcon->type != LE_LINK) || !conn)
2950f21a
MH		 4101 return 0x13;
4102
4103 return conn->disc_reason;
4104}
4105
4106static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 4107{
4108 BT_DBG("hcon %p reason %d", hcon, reason);
4109
acd7d370 4110 if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK))
963cf687 4111 return -EINVAL;
1da177e4 4112
e175072f 4113 l2cap_conn_del(hcon, bt_to_errno(reason));
0139418c 4114
1da177e4
LT		 4115 return 0;
4116}
4117
4343478f 4118static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 4119{
715ec005 4120 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 4121 return;
4122
f62e4323 4123 if (encrypt == 0x00) {
4343478f 4124 if (chan->sec_level == BT_SECURITY_MEDIUM) {
c9b66675
GP		 4125 __clear_chan_timer(chan);
4126 __set_chan_timer(chan, HZ * 5);
4343478f 4127 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 4128 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 4129 } else {
4343478f 4130 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 4131 __clear_chan_timer(chan);
f62e4323
MH		 4132 }
4133}
4134
8c1b2355 4135static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 4136{
0139418c 4137 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 4138 struct l2cap_chan *chan;
1da177e4 4139
0139418c 4140 if (!conn)
1da177e4 4141 return 0;
0139418c 4142
1da177e4
LT		 4143 BT_DBG("conn %p", conn);
4144
160dc6ac
VCG		 4145 if (hcon->type == LE_LINK) {
4146 smp_distribute_keys(conn, 0);
4147 del_timer(&conn->security_timer);
4148 }
4149
baa7e1fa 4150 read_lock(&conn->chan_lock);
1da177e4 4151
baa7e1fa 4152 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 4153 struct sock *sk = chan->sk;
baa7e1fa 4154
1da177e4
LT		 4155 bh_lock_sock(sk);
4156
f1cb9af5
VCG		 4157 BT_DBG("chan->scid %d", chan->scid);
4158
4159 if (chan->scid == L2CAP_CID_LE_DATA) {
4160 if (!status && encrypt) {
4161 chan->sec_level = hcon->sec_level;
4162 l2cap_chan_ready(sk);
4163 }
4164
4165 bh_unlock_sock(sk);
4166 continue;
4167 }
4168
c1360a1c 4169 if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
6a8d3010
MH		 4170 bh_unlock_sock(sk);
4171 continue;
4172 }
4173
89bc500e
GP		 4174 if (!status && (chan->state == BT_CONNECTED ||
4175 chan->state == BT_CONFIG)) {
4343478f 4176 l2cap_check_encryption(chan, encrypt);
9719f8af
MH		 4177 bh_unlock_sock(sk);
4178 continue;
4179 }
4180
89bc500e 4181 if (chan->state == BT_CONNECT) {
b1235d79
MH		 4182 if (!status) {
4183 struct l2cap_conn_req req;
fe4128e0
GP		 4184 req.scid = cpu_to_le16(chan->scid);
4185 req.psm = chan->psm;
1da177e4 4186
fc7f8a7e 4187 chan->ident = l2cap_get_ident(conn);
c1360a1c 4188 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4 4189
fc7f8a7e 4190 l2cap_send_cmd(conn, chan->ident,
b1235d79
MH		 4191 L2CAP_CONN_REQ, sizeof(req), &req);
4192 } else {
c9b66675
GP		 4193 __clear_chan_timer(chan);
4194 __set_chan_timer(chan, HZ / 10);
b1235d79 4195 }
89bc500e 4196 } else if (chan->state == BT_CONNECT2) {
b1235d79 4197 struct l2cap_conn_rsp rsp;
df3c3931 4198 __u16 res, stat;
1da177e4 4199
b1235d79 4200 if (!status) {
df3c3931
JH		 4201 if (bt_sk(sk)->defer_setup) {
4202 struct sock *parent = bt_sk(sk)->parent;
4203 res = L2CAP_CR_PEND;
4204 stat = L2CAP_CS_AUTHOR_PEND;
05e9a2f6
IK		 4205 if (parent)
4206 parent->sk_data_ready(parent, 0);
df3c3931 4207 } else {
05558911 4208 l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 4209 res = L2CAP_CR_SUCCESS;
4210 stat = L2CAP_CS_NO_INFO;
4211 }
b1235d79 4212 } else {
89bc500e 4213 l2cap_state_change(chan, BT_DISCONN);
c9b66675 4214 __set_chan_timer(chan, HZ / 10);
df3c3931
JH		 4215 res = L2CAP_CR_SEC_BLOCK;
4216 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 4217 }
4218
fe4128e0
GP		 4219 rsp.scid = cpu_to_le16(chan->dcid);
4220 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 4221 rsp.result = cpu_to_le16(res);
4222 rsp.status = cpu_to_le16(stat);
fc7f8a7e
GP		 4223 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
4224 sizeof(rsp), &rsp);
b1235d79 4225 }
1da177e4
LT		 4226
4227 bh_unlock_sock(sk);
4228 }
4229
baa7e1fa 4230 read_unlock(&conn->chan_lock);
b1235d79 4231
1da177e4
LT		 4232 return 0;
4233}
4234
4235static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
4236{
4237 struct l2cap_conn *conn = hcon->l2cap_data;
4238
5a08ecce
AE		 4239 if (!conn)
4240 conn = l2cap_conn_add(hcon, 0);
4241
4242 if (!conn)
1da177e4
LT		 4243 goto drop;
4244
4245 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
4246
e702112f 4247 if (!(flags & ACL_CONT)) {
1da177e4 4248 struct l2cap_hdr *hdr;
48454079 4249 struct l2cap_chan *chan;
89794813 4250 u16 cid;
1da177e4
LT		 4251 int len;
4252
4253 if (conn->rx_len) {
4254 BT_ERR("Unexpected start frame (len %d)", skb->len);
4255 kfree_skb(conn->rx_skb);
4256 conn->rx_skb = NULL;
4257 conn->rx_len = 0;
4258 l2cap_conn_unreliable(conn, ECOMM);
4259 }
4260
aae7fe22
AE		 4261 /* Start fragment always begin with Basic L2CAP header */
4262 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 4263 BT_ERR("Frame is too short (len %d)", skb->len);
4264 l2cap_conn_unreliable(conn, ECOMM);
4265 goto drop;
4266 }
4267
4268 hdr = (struct l2cap_hdr *) skb->data;
4269 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
89794813 4270 cid = __le16_to_cpu(hdr->cid);
1da177e4
LT		 4271
4272 if (len == skb->len) {
4273 /* Complete frame received */
4274 l2cap_recv_frame(conn, skb);
4275 return 0;
4276 }
4277
4278 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
4279
4280 if (skb->len > len) {
4281 BT_ERR("Frame is too long (len %d, expected len %d)",
4282 skb->len, len);
4283 l2cap_conn_unreliable(conn, ECOMM);
4284 goto drop;
4285 }
4286
baa7e1fa 4287 chan = l2cap_get_chan_by_scid(conn, cid);
89794813 4288
48454079
GP		 4289 if (chan && chan->sk) {
4290 struct sock *sk = chan->sk;
89794813 4291
0c1bc5c6 4292 if (chan->imtu < len - L2CAP_HDR_SIZE) {
48454079
GP		 4293 BT_ERR("Frame exceeding recv MTU (len %d, "
4294 "MTU %d)", len,
0c1bc5c6 4295 chan->imtu);
48454079
GP		 4296 bh_unlock_sock(sk);
4297 l2cap_conn_unreliable(conn, ECOMM);
4298 goto drop;
4299 }
89794813 4300 bh_unlock_sock(sk);
48454079 4301 }
89794813 4302
1da177e4 4303 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 4304 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
4305 if (!conn->rx_skb)
1da177e4
LT		 4306 goto drop;
4307
d626f62b 4308 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4309 skb->len);
1da177e4
LT		 4310 conn->rx_len = len - skb->len;
4311 } else {
4312 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
4313
4314 if (!conn->rx_len) {
4315 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
4316 l2cap_conn_unreliable(conn, ECOMM);
4317 goto drop;
4318 }
4319
4320 if (skb->len > conn->rx_len) {
4321 BT_ERR("Fragment is too long (len %d, expected %d)",
4322 skb->len, conn->rx_len);
4323 kfree_skb(conn->rx_skb);
4324 conn->rx_skb = NULL;
4325 conn->rx_len = 0;
4326 l2cap_conn_unreliable(conn, ECOMM);
4327 goto drop;
4328 }
4329
d626f62b 4330 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4331 skb->len);
1da177e4
LT		 4332 conn->rx_len -= skb->len;
4333
4334 if (!conn->rx_len) {
4335 /* Complete frame received */
4336 l2cap_recv_frame(conn, conn->rx_skb);
4337 conn->rx_skb = NULL;
4338 }
4339 }
4340
4341drop:
4342 kfree_skb(skb);
4343 return 0;
4344}
4345
aef7d97c 4346static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 4347{
23691d75 4348 struct l2cap_chan *c;
1da177e4 4349
23691d75 4350 read_lock_bh(&chan_list_lock);
1da177e4 4351
23691d75
GP		 4352 list_for_each_entry(c, &chan_list, global_l) {
4353 struct sock *sk = c->sk;
101545f6 4354
903d343e 4355 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
aef7d97c
MH		 4356 batostr(&bt_sk(sk)->src),
4357 batostr(&bt_sk(sk)->dst),
89bc500e 4358 c->state, __le16_to_cpu(c->psm),
23691d75
GP		 4359 c->scid, c->dcid, c->imtu, c->omtu,
4360 c->sec_level, c->mode);
05558911 4361}
1da177e4 4362
23691d75 4363 read_unlock_bh(&chan_list_lock);
1da177e4 4364
aef7d97c 4365 return 0;
1da177e4
LT		 4366}
4367
aef7d97c
MH		 4368static int l2cap_debugfs_open(struct inode *inode, struct file *file)
4369{
4370 return single_open(file, l2cap_debugfs_show, inode->i_private);
4371}
4372
4373static const struct file_operations l2cap_debugfs_fops = {
4374 .open = l2cap_debugfs_open,
4375 .read = seq_read,
4376 .llseek = seq_lseek,
4377 .release = single_release,
4378};
4379
4380static struct dentry *l2cap_debugfs;
1da177e4 4381
1da177e4
LT		 4382static struct hci_proto l2cap_hci_proto = {
4383 .name = "L2CAP",
4384 .id = HCI_PROTO_L2CAP,
4385 .connect_ind = l2cap_connect_ind,
4386 .connect_cfm = l2cap_connect_cfm,
4387 .disconn_ind = l2cap_disconn_ind,
2950f21a 4388 .disconn_cfm = l2cap_disconn_cfm,
8c1b2355 4389 .security_cfm = l2cap_security_cfm,
1da177e4
LT		 4390 .recv_acldata = l2cap_recv_acldata
4391};
4392
64274518 4393int __init l2cap_init(void)
1da177e4
LT		 4394{
4395 int err;
be9d1227 4396
bb58f747 4397 err = l2cap_init_sockets();
1da177e4
LT		 4398 if (err < 0)
4399 return err;
4400
1da177e4
LT		 4401 err = hci_register_proto(&l2cap_hci_proto);
4402 if (err < 0) {
4403 BT_ERR("L2CAP protocol registration failed");
4404 bt_sock_unregister(BTPROTO_L2CAP);
4405 goto error;
4406 }
4407
aef7d97c
MH		 4408 if (bt_debugfs) {
4409 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
4410 bt_debugfs, NULL, &l2cap_debugfs_fops);
4411 if (!l2cap_debugfs)
4412 BT_ERR("Failed to create L2CAP debug file");
4413 }
1da177e4 4414
1da177e4
LT		 4415 return 0;
4416
4417error:
bb58f747 4418 l2cap_cleanup_sockets();
1da177e4
LT		 4419 return err;
4420}
4421
64274518 4422void l2cap_exit(void)
1da177e4 4423{
aef7d97c 4424 debugfs_remove(l2cap_debugfs);
1da177e4 4425
1da177e4
LT		 4426 if (hci_unregister_proto(&l2cap_hci_proto) < 0)
4427 BT_ERR("L2CAP protocol unregistration failed");
4428
bb58f747 4429 l2cap_cleanup_sockets();
1da177e4
LT		 4430}
4431
d1c4a17d
GP		 4432module_param(disable_ertm, bool, 0644);
4433MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
a5fd6f30
AE		 4434
4435module_param(enable_hs, bool, 0644);
4436MODULE_PARM_DESC(enable_hs, "Enable High Speed");
kernel source for telekom puls (alcatel/mediatek)