projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Add state tracking to struct l2cap_chan
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
1da177e4
LT		 6
7 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License version 2 as
11 published by the Free Software Foundation;
12
13 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
14 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
15 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
16 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 17 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
18 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
19 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 20 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
21
8e87d142
YH		 22 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
23 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 24 SOFTWARE IS DISCLAIMED.
25*/
26
bb58f747 27/* Bluetooth L2CAP core. */
1da177e4 28
1da177e4
LT		 29#include <linux/module.h>
30
31#include <linux/types.h>
4fc268d2 32#include <linux/capability.h>
1da177e4
LT		 33#include <linux/errno.h>
34#include <linux/kernel.h>
1da177e4
LT		 35#include <linux/sched.h>
36#include <linux/slab.h>
37#include <linux/poll.h>
38#include <linux/fcntl.h>
39#include <linux/init.h>
40#include <linux/interrupt.h>
41#include <linux/socket.h>
42#include <linux/skbuff.h>
1da177e4 43#include <linux/list.h>
be9d1227 44#include <linux/device.h>
aef7d97c
MH		 45#include <linux/debugfs.h>
46#include <linux/seq_file.h>
af05b30b 47#include <linux/uaccess.h>
fcc203c3 48#include <linux/crc16.h>
1da177e4
LT		 49#include <net/sock.h>
50
51#include <asm/system.h>
1da177e4
LT		 52#include <asm/unaligned.h>
53
54#include <net/bluetooth/bluetooth.h>
55#include <net/bluetooth/hci_core.h>
56#include <net/bluetooth/l2cap.h>
57
bb58f747 58int disable_ertm;
f0709e03 59
47ec1dcd 60static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
e1027a7c 61static u8 l2cap_fixed_chan[8] = { 0x02, };
1da177e4 62
1890d36b
GP		 63static struct workqueue_struct *_busy_wq;
64
b5ad8b7f
JB		 65static LIST_HEAD(chan_list);
66static DEFINE_RWLOCK(chan_list_lock);
1da177e4 67
1890d36b
GP		 68static void l2cap_busy_work(struct work_struct *work);
69
1da177e4
LT		 70static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
71 u8 code, u8 ident, u16 dlen, void *data);
4519de9a
GP		 72static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
73 void *data);
710f9b0a 74static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
4519de9a
GP		 75static void l2cap_send_disconn_req(struct l2cap_conn *conn,
76 struct l2cap_chan *chan, int err);
1da177e4 77
218bb9df
GP		 78static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb);
79
0139418c 80/* ---- L2CAP channels ---- */
baa7e1fa 81static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
0139418c 82{
48454079 83 struct l2cap_chan *c;
baa7e1fa
GP		 84
85 list_for_each_entry(c, &conn->chan_l, list) {
fe4128e0 86 if (c->dcid == cid)
baa7e1fa 87 return c;
0139418c 88 }
baa7e1fa
GP		 89 return NULL;
90
0139418c
MH		 91}
92
baa7e1fa 93static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 94{
48454079 95 struct l2cap_chan *c;
baa7e1fa
GP		 96
97 list_for_each_entry(c, &conn->chan_l, list) {
fe4128e0 98 if (c->scid == cid)
baa7e1fa 99 return c;
0139418c 100 }
baa7e1fa 101 return NULL;
0139418c
MH		 102}
103
104/* Find channel with given SCID.
105 * Returns locked socket */
baa7e1fa 106static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 107{
48454079 108 struct l2cap_chan *c;
baa7e1fa
GP		 109
110 read_lock(&conn->chan_lock);
111 c = __l2cap_get_chan_by_scid(conn, cid);
48454079
GP		 112 if (c)
113 bh_lock_sock(c->sk);
baa7e1fa 114 read_unlock(&conn->chan_lock);
48454079 115 return c;
0139418c
MH		 116}
117
baa7e1fa 118static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 119{
48454079 120 struct l2cap_chan *c;
baa7e1fa
GP		 121
122 list_for_each_entry(c, &conn->chan_l, list) {
fc7f8a7e 123 if (c->ident == ident)
baa7e1fa 124 return c;
0139418c 125 }
baa7e1fa 126 return NULL;
0139418c
MH		 127}
128
baa7e1fa 129static inline struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 130{
48454079 131 struct l2cap_chan *c;
baa7e1fa
GP		 132
133 read_lock(&conn->chan_lock);
134 c = __l2cap_get_chan_by_ident(conn, ident);
48454079
GP		 135 if (c)
136 bh_lock_sock(c->sk);
baa7e1fa 137 read_unlock(&conn->chan_lock);
48454079 138 return c;
0139418c
MH		 139}
140
23691d75 141static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 142{
23691d75 143 struct l2cap_chan *c;
9e4425ff 144
23691d75
GP		 145 list_for_each_entry(c, &chan_list, global_l) {
146 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
9e4425ff
GP		 147 goto found;
148 }
149
23691d75 150 c = NULL;
9e4425ff 151found:
23691d75 152 return c;
9e4425ff
GP		 153}
154
155int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
156{
73b2ec18
GP		 157 int err;
158
23691d75 159 write_lock_bh(&chan_list_lock);
9e4425ff 160
23691d75 161 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 162 err = -EADDRINUSE;
163 goto done;
9e4425ff
GP		 164 }
165
73b2ec18
GP		 166 if (psm) {
167 chan->psm = psm;
168 chan->sport = psm;
169 err = 0;
170 } else {
171 u16 p;
172
173 err = -EINVAL;
174 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 175 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 176 chan->psm = cpu_to_le16(p);
177 chan->sport = cpu_to_le16(p);
178 err = 0;
179 break;
180 }
181 }
9e4425ff 182
73b2ec18 183done:
23691d75 184 write_unlock_bh(&chan_list_lock);
73b2ec18 185 return err;
9e4425ff
GP		 186}
187
188int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
189{
23691d75 190 write_lock_bh(&chan_list_lock);
9e4425ff
GP		 191
192 chan->scid = scid;
193
23691d75 194 write_unlock_bh(&chan_list_lock);
9e4425ff
GP		 195
196 return 0;
197}
198
baa7e1fa 199static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 200{
8db4dc46 201 u16 cid = L2CAP_CID_DYN_START;
0139418c 202
8db4dc46 203 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 204 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 205 return cid;
206 }
207
208 return 0;
209}
210
ab07801d
GP		 211static void l2cap_chan_set_timer(struct l2cap_chan *chan, long timeout)
212{
89bc500e
GP		 213 BT_DBG("chan %p state %d timeout %ld", chan->sk, chan->state, timeout);
214
ab07801d
GP		 215 if (!mod_timer(&chan->chan_timer, jiffies + timeout))
216 sock_hold(chan->sk);
217}
218
500698d3 219static void l2cap_chan_clear_timer(struct l2cap_chan *chan)
ab07801d 220{
89bc500e 221 BT_DBG("chan %p state %d", chan, chan->state);
ab07801d
GP		 222
223 if (timer_pending(&chan->chan_timer) && del_timer(&chan->chan_timer))
224 __sock_put(chan->sk);
225}
226
89bc500e
GP		 227static void l2cap_state_change(struct l2cap_chan *chan, int state)
228{
229 chan->state = state;
230 chan->ops->state_change(chan->data, state);
231}
232
ab07801d
GP		 233static void l2cap_chan_timeout(unsigned long arg)
234{
235 struct l2cap_chan *chan = (struct l2cap_chan *) arg;
236 struct sock *sk = chan->sk;
237 int reason;
238
89bc500e 239 BT_DBG("chan %p state %d", chan, chan->state);
ab07801d
GP		 240
241 bh_lock_sock(sk);
242
243 if (sock_owned_by_user(sk)) {
244 /* sk is owned by user. Try again later */
245 l2cap_chan_set_timer(chan, HZ / 5);
246 bh_unlock_sock(sk);
247 sock_put(sk);
248 return;
249 }
250
89bc500e 251 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 252 reason = ECONNREFUSED;
89bc500e 253 else if (chan->state == BT_CONNECT &&
ab07801d
GP		 254 chan->sec_level != BT_SECURITY_SDP)
255 reason = ECONNREFUSED;
256 else
257 reason = ETIMEDOUT;
258
0f852724 259 l2cap_chan_close(chan, reason);
ab07801d
GP		 260
261 bh_unlock_sock(sk);
262
ba3bd0ee 263 chan->ops->close(chan->data);
ab07801d
GP		 264 sock_put(sk);
265}
266
23691d75 267struct l2cap_chan *l2cap_chan_create(struct sock *sk)
48454079
GP		 268{
269 struct l2cap_chan *chan;
270
271 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
272 if (!chan)
273 return NULL;
274
275 chan->sk = sk;
276
23691d75
GP		 277 write_lock_bh(&chan_list_lock);
278 list_add(&chan->global_l, &chan_list);
279 write_unlock_bh(&chan_list_lock);
280
ab07801d
GP		 281 setup_timer(&chan->chan_timer, l2cap_chan_timeout, (unsigned long) chan);
282
89bc500e
GP		 283 chan->state = BT_OPEN;
284
48454079
GP		 285 return chan;
286}
287
23691d75 288void l2cap_chan_destroy(struct l2cap_chan *chan)
6ff5abbf 289{
23691d75
GP		 290 write_lock_bh(&chan_list_lock);
291 list_del(&chan->global_l);
292 write_unlock_bh(&chan_list_lock);
293
6ff5abbf
GP		 294 kfree(chan);
295}
296
48454079 297static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 298{
48454079 299 struct sock *sk = chan->sk;
0139418c 300
af05b30b 301 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
fe4128e0 302 chan->psm, chan->dcid);
0139418c 303
2950f21a
MH		 304 conn->disc_reason = 0x13;
305
8c1d787b 306 chan->conn = conn;
0139418c 307
715ec005 308 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
b62f328b
VT		 309 if (conn->hcon->type == LE_LINK) {
310 /* LE connection */
0c1bc5c6 311 chan->omtu = L2CAP_LE_DEFAULT_MTU;
fe4128e0
GP		 312 chan->scid = L2CAP_CID_LE_DATA;
313 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 314 } else {
315 /* Alloc CID for connection-oriented socket */
fe4128e0 316 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 317 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 318 }
715ec005 319 } else if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
0139418c 320 /* Connectionless socket */
fe4128e0
GP		 321 chan->scid = L2CAP_CID_CONN_LESS;
322 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 323 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 324 } else {
325 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 326 chan->scid = L2CAP_CID_SIGNALING;
327 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 328 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 329 }
330
baa7e1fa
GP		 331 sock_hold(sk);
332
333 list_add(&chan->list, &conn->chan_l);
0139418c
MH		 334}
335
8e87d142 336/* Delete channel.
0139418c 337 * Must be called on the locked socket. */
4519de9a 338static void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 339{
48454079 340 struct sock *sk = chan->sk;
8c1d787b 341 struct l2cap_conn *conn = chan->conn;
0139418c
MH		 342 struct sock *parent = bt_sk(sk)->parent;
343
ab07801d 344 l2cap_chan_clear_timer(chan);
0139418c 345
49208c9c 346 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 347
8e87d142 348 if (conn) {
baa7e1fa
GP		 349 /* Delete from channel list */
350 write_lock_bh(&conn->chan_lock);
351 list_del(&chan->list);
352 write_unlock_bh(&conn->chan_lock);
353 __sock_put(sk);
354
8c1d787b 355 chan->conn = NULL;
0139418c
MH		 356 hci_conn_put(conn->hcon);
357 }
358
89bc500e 359 l2cap_state_change(chan, BT_CLOSED);
0139418c
MH		 360 sock_set_flag(sk, SOCK_ZAPPED);
361
362 if (err)
363 sk->sk_err = err;
364
365 if (parent) {
366 bt_accept_unlink(sk);
367 parent->sk_data_ready(parent, 0);
368 } else
369 sk->sk_state_change(sk);
c13ffa62 370
b4450035
GP		 371 if (!(chan->conf_state & L2CAP_CONF_OUTPUT_DONE &&
372 chan->conf_state & L2CAP_CONF_INPUT_DONE))
6ff5abbf 373 return;
2ead70b8 374
58d35f87 375 skb_queue_purge(&chan->tx_q);
c13ffa62 376
0c1bc5c6 377 if (chan->mode == L2CAP_MODE_ERTM) {
c13ffa62
GP		 378 struct srej_list *l, *tmp;
379
e92c8e70
GP		 380 del_timer(&chan->retrans_timer);
381 del_timer(&chan->monitor_timer);
382 del_timer(&chan->ack_timer);
c13ffa62 383
f1c6775b
GP		 384 skb_queue_purge(&chan->srej_q);
385 skb_queue_purge(&chan->busy_q);
c13ffa62 386
39d5a3ee 387 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
c13ffa62
GP		 388 list_del(&l->list);
389 kfree(l);
390 }
391 }
0139418c
MH		 392}
393
4519de9a
GP		 394static void l2cap_chan_cleanup_listen(struct sock *parent)
395{
396 struct sock *sk;
397
398 BT_DBG("parent %p", parent);
399
400 /* Close not yet accepted channels */
0f852724 401 while ((sk = bt_accept_dequeue(parent, NULL))) {
ba3bd0ee
GP		 402 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
403 l2cap_chan_clear_timer(chan);
0f852724 404 lock_sock(sk);
ba3bd0ee 405 l2cap_chan_close(chan, ECONNRESET);
0f852724 406 release_sock(sk);
ba3bd0ee 407 chan->ops->close(chan->data);
0f852724 408 }
4519de9a
GP		 409}
410
0f852724 411void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 412{
413 struct l2cap_conn *conn = chan->conn;
414 struct sock *sk = chan->sk;
415
89bc500e 416 BT_DBG("chan %p state %d socket %p", chan, chan->state, sk->sk_socket);
4519de9a 417
89bc500e 418 switch (chan->state) {
4519de9a
GP		 419 case BT_LISTEN:
420 l2cap_chan_cleanup_listen(sk);
89bc500e
GP		 421
422 l2cap_state_change(chan, BT_CLOSED);
423 sock_set_flag(sk, SOCK_ZAPPED);
4519de9a
GP		 424 break;
425
426 case BT_CONNECTED:
427 case BT_CONFIG:
715ec005 428 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a 429 conn->hcon->type == ACL_LINK) {
500698d3 430 l2cap_chan_clear_timer(chan);
ab07801d 431 l2cap_chan_set_timer(chan, sk->sk_sndtimeo);
4519de9a
GP		 432 l2cap_send_disconn_req(conn, chan, reason);
433 } else
434 l2cap_chan_del(chan, reason);
435 break;
436
437 case BT_CONNECT2:
715ec005 438 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a
GP		 439 conn->hcon->type == ACL_LINK) {
440 struct l2cap_conn_rsp rsp;
441 __u16 result;
442
443 if (bt_sk(sk)->defer_setup)
444 result = L2CAP_CR_SEC_BLOCK;
445 else
446 result = L2CAP_CR_BAD_PSM;
89bc500e 447 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 448
449 rsp.scid = cpu_to_le16(chan->dcid);
450 rsp.dcid = cpu_to_le16(chan->scid);
451 rsp.result = cpu_to_le16(result);
452 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
453 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
454 sizeof(rsp), &rsp);
455 }
456
457 l2cap_chan_del(chan, reason);
458 break;
459
460 case BT_CONNECT:
461 case BT_DISCONN:
462 l2cap_chan_del(chan, reason);
463 break;
464
465 default:
466 sock_set_flag(sk, SOCK_ZAPPED);
467 break;
468 }
469}
470
4343478f 471static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 472{
715ec005 473 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 474 switch (chan->sec_level) {
8556edd3
JH		 475 case BT_SECURITY_HIGH:
476 return HCI_AT_DEDICATED_BONDING_MITM;
477 case BT_SECURITY_MEDIUM:
478 return HCI_AT_DEDICATED_BONDING;
479 default:
480 return HCI_AT_NO_BONDING;
481 }
fe4128e0 482 } else if (chan->psm == cpu_to_le16(0x0001)) {
4343478f
GP		 483 if (chan->sec_level == BT_SECURITY_LOW)
484 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 485
4343478f 486 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 487 return HCI_AT_NO_BONDING_MITM;
00ae4af9 488 else
8556edd3 489 return HCI_AT_NO_BONDING;
00ae4af9 490 } else {
4343478f 491 switch (chan->sec_level) {
00ae4af9 492 case BT_SECURITY_HIGH:
8556edd3 493 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 494 case BT_SECURITY_MEDIUM:
8556edd3 495 return HCI_AT_GENERAL_BONDING;
00ae4af9 496 default:
8556edd3 497 return HCI_AT_NO_BONDING;
00ae4af9 498 }
0684e5f9 499 }
8556edd3
JH		 500}
501
502/* Service level security */
4343478f 503static inline int l2cap_check_security(struct l2cap_chan *chan)
8556edd3 504{
8c1d787b 505 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 506 __u8 auth_type;
507
4343478f 508 auth_type = l2cap_get_auth_type(chan);
79d554a6 509
4343478f 510 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 511}
512
b5ad8b7f 513static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 514{
515 u8 id;
516
517 /* Get next available identificator.
518 * 1 - 128 are used by kernel.
519 * 129 - 199 are reserved.
520 * 200 - 254 are used by utilities like l2ping, etc.
521 */
522
523 spin_lock_bh(&conn->lock);
524
525 if (++conn->tx_ident > 128)
526 conn->tx_ident = 1;
527
528 id = conn->tx_ident;
529
530 spin_unlock_bh(&conn->lock);
531
532 return id;
533}
534
4519de9a 535static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
4e8402a3
MH		 536{
537 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 538 u8 flags;
4e8402a3
MH		 539
540 BT_DBG("code 0x%2.2x", code);
541
542 if (!skb)
9a9c6a34 543 return;
4e8402a3 544
e702112f
AE		 545 if (lmp_no_flush_capable(conn->hcon->hdev))
546 flags = ACL_START_NO_FLUSH;
547 else
548 flags = ACL_START;
549
14b12d0b
JG		 550 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
551
e702112f 552 hci_send_acl(conn->hcon, skb, flags);
4e8402a3
MH		 553}
554
525cd185 555static inline void l2cap_send_sframe(struct l2cap_chan *chan, u16 control)
1c2acffb
GP		 556{
557 struct sk_buff *skb;
558 struct l2cap_hdr *lh;
8c1d787b 559 struct l2cap_conn *conn = chan->conn;
fcc203c3 560 int count, hlen = L2CAP_HDR_SIZE + 2;
e702112f 561 u8 flags;
fcc203c3 562
89bc500e 563 if (chan->state != BT_CONNECTED)
c13ffa62
GP		 564 return;
565
47d1ec61 566 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3 567 hlen += 2;
1c2acffb 568
49208c9c 569 BT_DBG("chan %p, control 0x%2.2x", chan, control);
1c2acffb 570
fcc203c3 571 count = min_t(unsigned int, conn->mtu, hlen);
1c2acffb
GP		 572 control |= L2CAP_CTRL_FRAME_TYPE;
573
525cd185 574 if (chan->conn_state & L2CAP_CONN_SEND_FBIT) {
9e917af1 575 control |= L2CAP_CTRL_FINAL;
525cd185 576 chan->conn_state &= ~L2CAP_CONN_SEND_FBIT;
9e917af1
GP		 577 }
578
525cd185 579 if (chan->conn_state & L2CAP_CONN_SEND_PBIT) {
f0946ccf 580 control |= L2CAP_CTRL_POLL;
525cd185 581 chan->conn_state &= ~L2CAP_CONN_SEND_PBIT;
f0946ccf
GP		 582 }
583
1c2acffb
GP		 584 skb = bt_skb_alloc(count, GFP_ATOMIC);
585 if (!skb)
9a9c6a34 586 return;
1c2acffb
GP		 587
588 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fcc203c3 589 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
fe4128e0 590 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb
GP		 591 put_unaligned_le16(control, skb_put(skb, 2));
592
47d1ec61 593 if (chan->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 594 u16 fcs = crc16(0, (u8 *)lh, count - 2);
595 put_unaligned_le16(fcs, skb_put(skb, 2));
596 }
597
e702112f
AE		 598 if (lmp_no_flush_capable(conn->hcon->hdev))
599 flags = ACL_START_NO_FLUSH;
600 else
601 flags = ACL_START;
602
14b12d0b
JG		 603 bt_cb(skb)->force_active = chan->force_active;
604
8c1d787b 605 hci_send_acl(chan->conn->hcon, skb, flags);
1c2acffb
GP		 606}
607
525cd185 608static inline void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, u16 control)
7e743090 609{
525cd185 610 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
7e743090 611 control |= L2CAP_SUPER_RCV_NOT_READY;
525cd185 612 chan->conn_state |= L2CAP_CONN_RNR_SENT;
1890d36b 613 } else
7e743090
GP		 614 control |= L2CAP_SUPER_RCV_READY;
615
42e5c802 616 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
2ab25cdd 617
525cd185 618 l2cap_send_sframe(chan, control);
7e743090
GP		 619}
620
b4450035 621static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 622{
b4450035 623 return !(chan->conf_state & L2CAP_CONF_CONNECT_PEND);
e501d055
AE		 624}
625
fc7f8a7e 626static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 627{
8c1d787b 628 struct l2cap_conn *conn = chan->conn;
79d554a6
MH		 629
630 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 631 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
632 return;
633
4343478f
GP		 634 if (l2cap_check_security(chan) &&
635 __l2cap_no_conn_pending(chan)) {
b1235d79 636 struct l2cap_conn_req req;
fe4128e0
GP		 637 req.scid = cpu_to_le16(chan->scid);
638 req.psm = chan->psm;
79d554a6 639
fc7f8a7e 640 chan->ident = l2cap_get_ident(conn);
b4450035 641 chan->conf_state |= L2CAP_CONF_CONNECT_PEND;
79d554a6 642
fc7f8a7e
GP		 643 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
644 sizeof(req), &req);
b1235d79 645 }
79d554a6
MH		 646 } else {
647 struct l2cap_info_req req;
648 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
649
650 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
651 conn->info_ident = l2cap_get_ident(conn);
652
653 mod_timer(&conn->info_timer, jiffies +
654 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
655
656 l2cap_send_cmd(conn, conn->info_ident,
657 L2CAP_INFO_REQ, sizeof(req), &req);
658 }
659}
660
cf6c2c0b
GP		 661static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
662{
663 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 664 if (!disable_ertm)
cf6c2c0b
GP		 665 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
666
667 switch (mode) {
668 case L2CAP_MODE_ERTM:
669 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
670 case L2CAP_MODE_STREAMING:
671 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
672 default:
673 return 0x00;
674 }
675}
676
4519de9a 677static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
22121fc9 678{
e92c8e70 679 struct sock *sk;
22121fc9
GP		 680 struct l2cap_disconn_req req;
681
c13ffa62
GP		 682 if (!conn)
683 return;
684
e92c8e70
GP		 685 sk = chan->sk;
686
0c1bc5c6 687 if (chan->mode == L2CAP_MODE_ERTM) {
e92c8e70
GP		 688 del_timer(&chan->retrans_timer);
689 del_timer(&chan->monitor_timer);
690 del_timer(&chan->ack_timer);
c13ffa62
GP		 691 }
692
fe4128e0
GP		 693 req.dcid = cpu_to_le16(chan->dcid);
694 req.scid = cpu_to_le16(chan->scid);
22121fc9
GP		 695 l2cap_send_cmd(conn, l2cap_get_ident(conn),
696 L2CAP_DISCONN_REQ, sizeof(req), &req);
c13ffa62 697
89bc500e 698 l2cap_state_change(chan, BT_DISCONN);
9b108fc0 699 sk->sk_err = err;
22121fc9
GP		 700}
701
1da177e4 702/* ---- L2CAP connections ---- */
4e8402a3
MH		 703static void l2cap_conn_start(struct l2cap_conn *conn)
704{
820ffdb3 705 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 706
707 BT_DBG("conn %p", conn);
708
baa7e1fa 709 read_lock(&conn->chan_lock);
4e8402a3 710
820ffdb3 711 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 712 struct sock *sk = chan->sk;
baa7e1fa 713
4e8402a3
MH		 714 bh_lock_sock(sk);
715
715ec005 716 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
79d554a6
MH		 717 bh_unlock_sock(sk);
718 continue;
719 }
720
89bc500e 721 if (chan->state == BT_CONNECT) {
47731de7 722 struct l2cap_conn_req req;
79d554a6 723
4343478f 724 if (!l2cap_check_security(chan) ||
b4450035 725 !__l2cap_no_conn_pending(chan)) {
47731de7
GP		 726 bh_unlock_sock(sk);
727 continue;
728 }
79d554a6 729
0c1bc5c6 730 if (!l2cap_mode_supported(chan->mode,
47731de7 731 conn->feat_mask)
b4450035 732 && chan->conf_state &
47731de7 733 L2CAP_CONF_STATE2_DEVICE) {
0f852724 734 /* l2cap_chan_close() calls list_del(chan)
820ffdb3
GP		 735 * so release the lock */
736 read_unlock_bh(&conn->chan_lock);
89bc500e 737 l2cap_chan_close(chan, ECONNRESET);
820ffdb3 738 read_lock_bh(&conn->chan_lock);
47731de7
GP		 739 bh_unlock_sock(sk);
740 continue;
b1235d79 741 }
47731de7 742
fe4128e0
GP		 743 req.scid = cpu_to_le16(chan->scid);
744 req.psm = chan->psm;
47731de7 745
fc7f8a7e 746 chan->ident = l2cap_get_ident(conn);
b4450035 747 chan->conf_state |= L2CAP_CONF_CONNECT_PEND;
47731de7 748
fc7f8a7e
GP		 749 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
750 sizeof(req), &req);
47731de7 751
89bc500e 752 } else if (chan->state == BT_CONNECT2) {
79d554a6 753 struct l2cap_conn_rsp rsp;
e9aeb2dd 754 char buf[128];
fe4128e0
GP		 755 rsp.scid = cpu_to_le16(chan->dcid);
756 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 757
4343478f 758 if (l2cap_check_security(chan)) {
f66dc81f
MH		 759 if (bt_sk(sk)->defer_setup) {
760 struct sock *parent = bt_sk(sk)->parent;
761 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
762 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
763 parent->sk_data_ready(parent, 0);
764
765 } else {
89bc500e 766 l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 767 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
768 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
769 }
79d554a6
MH		 770 } else {
771 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
772 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
773 }
774
fc7f8a7e
GP		 775 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
776 sizeof(rsp), &rsp);
e9aeb2dd 777
b4450035 778 if (chan->conf_state & L2CAP_CONF_REQ_SENT ||
e9aeb2dd
GP		 779 rsp.result != L2CAP_CR_SUCCESS) {
780 bh_unlock_sock(sk);
781 continue;
782 }
783
b4450035 784 chan->conf_state |= L2CAP_CONF_REQ_SENT;
e9aeb2dd 785 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 786 l2cap_build_conf_req(chan, buf), buf);
787 chan->num_conf_req++;
4e8402a3
MH		 788 }
789
790 bh_unlock_sock(sk);
791 }
792
baa7e1fa 793 read_unlock(&conn->chan_lock);
4e8402a3
MH		 794}
795
b62f328b
VT		 796/* Find socket with cid and source bdaddr.
797 * Returns closest match, locked.
798 */
23691d75 799static struct l2cap_chan *l2cap_global_chan_by_scid(int state, __le16 cid, bdaddr_t *src)
b62f328b 800{
23691d75 801 struct l2cap_chan *c, *c1 = NULL;
b62f328b 802
23691d75 803 read_lock(&chan_list_lock);
b62f328b 804
23691d75
GP		 805 list_for_each_entry(c, &chan_list, global_l) {
806 struct sock *sk = c->sk;
fe4128e0 807
89bc500e 808 if (state && c->state != state)
b62f328b
VT		 809 continue;
810
23691d75 811 if (c->scid == cid) {
b62f328b 812 /* Exact match. */
23691d75
GP		 813 if (!bacmp(&bt_sk(sk)->src, src)) {
814 read_unlock(&chan_list_lock);
815 return c;
816 }
b62f328b
VT		 817
818 /* Closest match */
819 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
23691d75 820 c1 = c;
b62f328b
VT		 821 }
822 }
280f294f 823
23691d75 824 read_unlock(&chan_list_lock);
b62f328b 825
23691d75 826 return c1;
b62f328b
VT		 827}
828
829static void l2cap_le_conn_ready(struct l2cap_conn *conn)
830{
c916fbe4 831 struct sock *parent, *sk;
23691d75 832 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 833
834 BT_DBG("");
835
836 /* Check if we have socket listening on cid */
23691d75 837 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
b62f328b 838 conn->src);
23691d75 839 if (!pchan)
b62f328b
VT		 840 return;
841
23691d75
GP		 842 parent = pchan->sk;
843
62f3a2cf
GP		 844 bh_lock_sock(parent);
845
b62f328b
VT		 846 /* Check for backlog size */
847 if (sk_acceptq_is_full(parent)) {
848 BT_DBG("backlog full %d", parent->sk_ack_backlog);
849 goto clean;
850 }
851
80808e43
GP		 852 chan = pchan->ops->new_connection(pchan->data);
853 if (!chan)
b62f328b
VT		 854 goto clean;
855
80808e43 856 sk = chan->sk;
5d41ce1d 857
baa7e1fa 858 write_lock_bh(&conn->chan_lock);
b62f328b
VT		 859
860 hci_conn_hold(conn->hcon);
861
b62f328b
VT		 862 bacpy(&bt_sk(sk)->src, conn->src);
863 bacpy(&bt_sk(sk)->dst, conn->dst);
864
d1010240
GP		 865 bt_accept_enqueue(parent, sk);
866
48454079
GP		 867 __l2cap_chan_add(conn, chan);
868
ab07801d 869 l2cap_chan_set_timer(chan, sk->sk_sndtimeo);
b62f328b 870
89bc500e 871 l2cap_state_change(chan, BT_CONNECTED);
b62f328b
VT		 872 parent->sk_data_ready(parent, 0);
873
baa7e1fa 874 write_unlock_bh(&conn->chan_lock);
b62f328b
VT		 875
876clean:
877 bh_unlock_sock(parent);
878}
879
4e8402a3
MH		 880static void l2cap_conn_ready(struct l2cap_conn *conn)
881{
48454079 882 struct l2cap_chan *chan;
4e8402a3 883
79d554a6 884 BT_DBG("conn %p", conn);
4e8402a3 885
b62f328b
VT		 886 if (!conn->hcon->out && conn->hcon->type == LE_LINK)
887 l2cap_le_conn_ready(conn);
888
baa7e1fa 889 read_lock(&conn->chan_lock);
4e8402a3 890
baa7e1fa 891 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 892 struct sock *sk = chan->sk;
baa7e1fa 893
79d554a6 894 bh_lock_sock(sk);
4e8402a3 895
acd7d370 896 if (conn->hcon->type == LE_LINK) {
ab07801d 897 l2cap_chan_clear_timer(chan);
89bc500e 898 l2cap_state_change(chan, BT_CONNECTED);
acd7d370
VT		 899 sk->sk_state_change(sk);
900 }
901
715ec005 902 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
ab07801d 903 l2cap_chan_clear_timer(chan);
89bc500e 904 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 905 sk->sk_state_change(sk);
89bc500e 906 } else if (chan->state == BT_CONNECT)
fc7f8a7e 907 l2cap_do_start(chan);
4e8402a3 908
79d554a6 909 bh_unlock_sock(sk);
4e8402a3 910 }
79d554a6 911
baa7e1fa 912 read_unlock(&conn->chan_lock);
4e8402a3
MH		 913}
914
915/* Notify sockets that we cannot guaranty reliability anymore */
916static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
917{
48454079 918 struct l2cap_chan *chan;
4e8402a3
MH		 919
920 BT_DBG("conn %p", conn);
921
baa7e1fa 922 read_lock(&conn->chan_lock);
4e8402a3 923
baa7e1fa 924 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 925 struct sock *sk = chan->sk;
baa7e1fa 926
4343478f 927 if (chan->force_reliable)
4e8402a3
MH		 928 sk->sk_err = err;
929 }
930
baa7e1fa 931 read_unlock(&conn->chan_lock);
4e8402a3
MH		 932}
933
934static void l2cap_info_timeout(unsigned long arg)
935{
936 struct l2cap_conn *conn = (void *) arg;
937
984947dc 938 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 939 conn->info_ident = 0;
984947dc 940
4e8402a3
MH		 941 l2cap_conn_start(conn);
942}
943
1da177e4
LT		 944static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
945{
0139418c 946 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4 947
0139418c 948 if (conn || status)
1da177e4
LT		 949 return conn;
950
0139418c
MH		 951 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
952 if (!conn)
1da177e4 953 return NULL;
1da177e4
LT		 954
955 hcon->l2cap_data = conn;
956 conn->hcon = hcon;
957
0139418c
MH		 958 BT_DBG("hcon %p conn %p", hcon, conn);
959
acd7d370
VT		 960 if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
961 conn->mtu = hcon->hdev->le_mtu;
962 else
963 conn->mtu = hcon->hdev->acl_mtu;
964
1da177e4
LT		 965 conn->src = &hcon->hdev->bdaddr;
966 conn->dst = &hcon->dst;
967
4e8402a3
MH		 968 conn->feat_mask = 0;
969
1da177e4 970 spin_lock_init(&conn->lock);
baa7e1fa
GP		 971 rwlock_init(&conn->chan_lock);
972
973 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 974
b62f328b
VT		 975 if (hcon->type != LE_LINK)
976 setup_timer(&conn->info_timer, l2cap_info_timeout,
45054dc1
DY		 977 (unsigned long) conn);
978
2950f21a
MH		 979 conn->disc_reason = 0x13;
980
1da177e4
LT		 981 return conn;
982}
983
0139418c 984static void l2cap_conn_del(struct hci_conn *hcon, int err)
1da177e4 985{
0139418c 986 struct l2cap_conn *conn = hcon->l2cap_data;
baa7e1fa 987 struct l2cap_chan *chan, *l;
1da177e4
LT		 988 struct sock *sk;
989
0139418c
MH		 990 if (!conn)
991 return;
1da177e4
LT		 992
993 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
994
7585b97a 995 kfree_skb(conn->rx_skb);
1da177e4
LT		 996
997 /* Kill channels */
baa7e1fa 998 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
48454079 999 sk = chan->sk;
1da177e4 1000 bh_lock_sock(sk);
48454079 1001 l2cap_chan_del(chan, err);
1da177e4 1002 bh_unlock_sock(sk);
ba3bd0ee 1003 chan->ops->close(chan->data);
1da177e4
LT		 1004 }
1005
8e8440f5
DY		 1006 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1007 del_timer_sync(&conn->info_timer);
3ab22731 1008
1da177e4
LT		 1009 hcon->l2cap_data = NULL;
1010 kfree(conn);
1da177e4
LT		 1011}
1012
48454079 1013static inline void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
1da177e4 1014{
baa7e1fa 1015 write_lock_bh(&conn->chan_lock);
48454079 1016 __l2cap_chan_add(conn, chan);
baa7e1fa 1017 write_unlock_bh(&conn->chan_lock);
1da177e4
LT		 1018}
1019
1da177e4 1020/* ---- Socket interface ---- */
1da177e4
LT		 1021
1022/* Find socket with psm and source bdaddr.
1023 * Returns closest match.
1024 */
23691d75 1025static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm, bdaddr_t *src)
1da177e4 1026{
23691d75 1027 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1028
23691d75 1029 read_lock(&chan_list_lock);
e0f0cb56 1030
23691d75
GP		 1031 list_for_each_entry(c, &chan_list, global_l) {
1032 struct sock *sk = c->sk;
fe4128e0 1033
89bc500e 1034 if (state && c->state != state)
1da177e4
LT		 1035 continue;
1036
23691d75 1037 if (c->psm == psm) {
1da177e4 1038 /* Exact match. */
23691d75 1039 if (!bacmp(&bt_sk(sk)->src, src)) {
a7567b20 1040 read_unlock(&chan_list_lock);
23691d75
GP		 1041 return c;
1042 }
1da177e4
LT		 1043
1044 /* Closest match */
1045 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
23691d75 1046 c1 = c;
1da177e4
LT		 1047 }
1048 }
1da177e4 1049
23691d75 1050 read_unlock(&chan_list_lock);
e0f0cb56 1051
23691d75 1052 return c1;
1da177e4
LT		 1053}
1054
77a74c7e 1055int l2cap_chan_connect(struct l2cap_chan *chan)
1da177e4 1056{
5d41ce1d 1057 struct sock *sk = chan->sk;
1da177e4
LT		 1058 bdaddr_t *src = &bt_sk(sk)->src;
1059 bdaddr_t *dst = &bt_sk(sk)->dst;
1060 struct l2cap_conn *conn;
1061 struct hci_conn *hcon;
1062 struct hci_dev *hdev;
09ab6f4c 1063 __u8 auth_type;
44d0e48e 1064 int err;
1da177e4 1065
f29972de 1066 BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
fe4128e0 1067 chan->psm);
1da177e4 1068
af05b30b
GP		 1069 hdev = hci_get_route(dst, src);
1070 if (!hdev)
1da177e4
LT		 1071 return -EHOSTUNREACH;
1072
1073 hci_dev_lock_bh(hdev);
1074
4343478f 1075 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1076
fe4128e0 1077 if (chan->dcid == L2CAP_CID_LE_DATA)
acd7d370 1078 hcon = hci_connect(hdev, LE_LINK, dst,
4343478f 1079 chan->sec_level, auth_type);
acd7d370
VT		 1080 else
1081 hcon = hci_connect(hdev, ACL_LINK, dst,
4343478f 1082 chan->sec_level, auth_type);
acd7d370 1083
30e76272
VT		 1084 if (IS_ERR(hcon)) {
1085 err = PTR_ERR(hcon);
1da177e4 1086 goto done;
30e76272 1087 }
1da177e4
LT		 1088
1089 conn = l2cap_conn_add(hcon, 0);
1090 if (!conn) {
1091 hci_conn_put(hcon);
30e76272 1092 err = -ENOMEM;
1da177e4
LT		 1093 goto done;
1094 }
1095
1da177e4
LT		 1096 /* Update source addr of the socket */
1097 bacpy(src, conn->src);
1098
48454079
GP		 1099 l2cap_chan_add(conn, chan);
1100
89bc500e 1101 l2cap_state_change(chan, BT_CONNECT);
ab07801d 1102 l2cap_chan_set_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1103
1104 if (hcon->state == BT_CONNECTED) {
715ec005 1105 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
ab07801d 1106 l2cap_chan_clear_timer(chan);
4343478f 1107 if (l2cap_check_security(chan))
89bc500e 1108 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1109 } else
fc7f8a7e 1110 l2cap_do_start(chan);
1da177e4
LT		 1111 }
1112
30e76272
VT		 1113 err = 0;
1114
1da177e4
LT		 1115done:
1116 hci_dev_unlock_bh(hdev);
1117 hci_dev_put(hdev);
1118 return err;
1119}
1120
dcba0dba 1121int __l2cap_wait_ack(struct sock *sk)
6161c038 1122{
8c1d787b 1123 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1124 DECLARE_WAITQUEUE(wait, current);
1125 int err = 0;
1126 int timeo = HZ/5;
1127
2b0b05dd 1128 add_wait_queue(sk_sleep(sk), &wait);
8c1d787b 1129 while ((chan->unacked_frames > 0 && chan->conn)) {
6161c038
GP		 1130 set_current_state(TASK_INTERRUPTIBLE);
1131
1132 if (!timeo)
1133 timeo = HZ/5;
1134
1135 if (signal_pending(current)) {
1136 err = sock_intr_errno(timeo);
1137 break;
1138 }
1139
1140 release_sock(sk);
1141 timeo = schedule_timeout(timeo);
1142 lock_sock(sk);
1143
1144 err = sock_error(sk);
1145 if (err)
1146 break;
1147 }
1148 set_current_state(TASK_RUNNING);
2b0b05dd 1149 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1150 return err;
1151}
1152
e90bac06
GP		 1153static void l2cap_monitor_timeout(unsigned long arg)
1154{
525cd185
GP		 1155 struct l2cap_chan *chan = (void *) arg;
1156 struct sock *sk = chan->sk;
e90bac06 1157
525cd185 1158 BT_DBG("chan %p", chan);
0e98958d 1159
e686219a 1160 bh_lock_sock(sk);
2c03a7a4 1161 if (chan->retry_count >= chan->remote_max_tx) {
8c1d787b 1162 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
b13f5860 1163 bh_unlock_sock(sk);
e90bac06
GP		 1164 return;
1165 }
1166
6a026610 1167 chan->retry_count++;
e90bac06
GP		 1168 __mod_monitor_timer();
1169
525cd185 1170 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
e686219a 1171 bh_unlock_sock(sk);
e90bac06
GP		 1172}
1173
1174static void l2cap_retrans_timeout(unsigned long arg)
1175{
525cd185
GP		 1176 struct l2cap_chan *chan = (void *) arg;
1177 struct sock *sk = chan->sk;
e90bac06 1178
49208c9c 1179 BT_DBG("chan %p", chan);
0e98958d 1180
e686219a 1181 bh_lock_sock(sk);
6a026610 1182 chan->retry_count = 1;
e90bac06
GP		 1183 __mod_monitor_timer();
1184
525cd185 1185 chan->conn_state |= L2CAP_CONN_WAIT_F;
e90bac06 1186
525cd185 1187 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
e686219a 1188 bh_unlock_sock(sk);
e90bac06
GP		 1189}
1190
42e5c802 1191static void l2cap_drop_acked_frames(struct l2cap_chan *chan)
1da177e4 1192{
1c2acffb 1193 struct sk_buff *skb;
1da177e4 1194
58d35f87 1195 while ((skb = skb_peek(&chan->tx_q)) &&
6a026610 1196 chan->unacked_frames) {
42e5c802 1197 if (bt_cb(skb)->tx_seq == chan->expected_ack_seq)
1c2acffb 1198 break;
1da177e4 1199
58d35f87 1200 skb = skb_dequeue(&chan->tx_q);
1c2acffb 1201 kfree_skb(skb);
1da177e4 1202
6a026610 1203 chan->unacked_frames--;
1c2acffb 1204 }
1da177e4 1205
6a026610 1206 if (!chan->unacked_frames)
e92c8e70 1207 del_timer(&chan->retrans_timer);
1c2acffb 1208}
1da177e4 1209
4343478f 1210void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
1c2acffb 1211{
8c1d787b 1212 struct hci_conn *hcon = chan->conn->hcon;
e702112f 1213 u16 flags;
1c2acffb 1214
4343478f 1215 BT_DBG("chan %p, skb %p len %d", chan, skb, skb->len);
1da177e4 1216
4343478f 1217 if (!chan->flushable && lmp_no_flush_capable(hcon->hdev))
e702112f
AE		 1218 flags = ACL_START_NO_FLUSH;
1219 else
1220 flags = ACL_START;
1221
14b12d0b 1222 bt_cb(skb)->force_active = chan->force_active;
e702112f 1223 hci_send_acl(hcon, skb, flags);
1c2acffb
GP		 1224}
1225
42e5c802 1226void l2cap_streaming_send(struct l2cap_chan *chan)
6840ed07 1227{
ccbb84af 1228 struct sk_buff *skb;
fcc203c3 1229 u16 control, fcs;
6840ed07 1230
58d35f87 1231 while ((skb = skb_dequeue(&chan->tx_q))) {
ccbb84af 1232 control = get_unaligned_le16(skb->data + L2CAP_HDR_SIZE);
42e5c802 1233 control |= chan->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT;
ccbb84af 1234 put_unaligned_le16(control, skb->data + L2CAP_HDR_SIZE);
6840ed07 1235
47d1ec61 1236 if (chan->fcs == L2CAP_FCS_CRC16) {
ccbb84af
GP		 1237 fcs = crc16(0, (u8 *)skb->data, skb->len - 2);
1238 put_unaligned_le16(fcs, skb->data + skb->len - 2);
fcc203c3
GP		 1239 }
1240
4343478f 1241 l2cap_do_send(chan, skb);
6840ed07 1242
42e5c802 1243 chan->next_tx_seq = (chan->next_tx_seq + 1) % 64;
6840ed07 1244 }
6840ed07
GP		 1245}
1246
525cd185 1247static void l2cap_retransmit_one_frame(struct l2cap_chan *chan, u8 tx_seq)
8f17154f 1248{
8f17154f
GP		 1249 struct sk_buff *skb, *tx_skb;
1250 u16 control, fcs;
8f17154f 1251
58d35f87 1252 skb = skb_peek(&chan->tx_q);
f11d676d
GP		 1253 if (!skb)
1254 return;
8f17154f 1255
f11d676d
GP		 1256 do {
1257 if (bt_cb(skb)->tx_seq == tx_seq)
8f17154f 1258 break;
8f17154f 1259
58d35f87 1260 if (skb_queue_is_last(&chan->tx_q, skb))
f11d676d 1261 return;
8f17154f 1262
58d35f87 1263 } while ((skb = skb_queue_next(&chan->tx_q, skb)));
8f17154f 1264
2c03a7a4
GP		 1265 if (chan->remote_max_tx &&
1266 bt_cb(skb)->retries == chan->remote_max_tx) {
8c1d787b 1267 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
f11d676d
GP		 1268 return;
1269 }
1270
1271 tx_skb = skb_clone(skb, GFP_ATOMIC);
1272 bt_cb(skb)->retries++;
1273 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
a429b519 1274 control &= L2CAP_CTRL_SAR;
3cb123d1 1275
525cd185 1276 if (chan->conn_state & L2CAP_CONN_SEND_FBIT) {
3cb123d1 1277 control |= L2CAP_CTRL_FINAL;
525cd185 1278 chan->conn_state &= ~L2CAP_CONN_SEND_FBIT;
3cb123d1 1279 }
95ffa978 1280
42e5c802 1281 control |= (chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
f11d676d 1282 | (tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
3cb123d1 1283
f11d676d
GP		 1284 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1285
47d1ec61 1286 if (chan->fcs == L2CAP_FCS_CRC16) {
f11d676d
GP		 1287 fcs = crc16(0, (u8 *)tx_skb->data, tx_skb->len - 2);
1288 put_unaligned_le16(fcs, tx_skb->data + tx_skb->len - 2);
1289 }
1290
4343478f 1291 l2cap_do_send(chan, tx_skb);
8f17154f
GP		 1292}
1293
525cd185 1294int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1295{
1296 struct sk_buff *skb, *tx_skb;
fcc203c3 1297 u16 control, fcs;
9a9c6a34 1298 int nsent = 0;
1c2acffb 1299
89bc500e 1300 if (chan->state != BT_CONNECTED)
c13ffa62 1301 return -ENOTCONN;
e90bac06 1302
58d35f87 1303 while ((skb = chan->tx_send_head) && (!l2cap_tx_window_full(chan))) {
1c2acffb 1304
2c03a7a4
GP		 1305 if (chan->remote_max_tx &&
1306 bt_cb(skb)->retries == chan->remote_max_tx) {
8c1d787b 1307 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
e90bac06
GP		 1308 break;
1309 }
1310
e420aba3
AE		 1311 tx_skb = skb_clone(skb, GFP_ATOMIC);
1312
e90bac06
GP		 1313 bt_cb(skb)->retries++;
1314
1c2acffb 1315 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
95ffa978
GP		 1316 control &= L2CAP_CTRL_SAR;
1317
525cd185 1318 if (chan->conn_state & L2CAP_CONN_SEND_FBIT) {
d5392c8f 1319 control |= L2CAP_CTRL_FINAL;
525cd185 1320 chan->conn_state &= ~L2CAP_CONN_SEND_FBIT;
d5392c8f 1321 }
42e5c802
GP		 1322 control |= (chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1323 | (chan->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
1c2acffb
GP		 1324 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1325
e90bac06 1326
47d1ec61 1327 if (chan->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 1328 fcs = crc16(0, (u8 *)skb->data, tx_skb->len - 2);
1329 put_unaligned_le16(fcs, skb->data + tx_skb->len - 2);
1330 }
1331
4343478f 1332 l2cap_do_send(chan, tx_skb);
9a9c6a34 1333
e90bac06 1334 __mod_retrans_timer();
1c2acffb 1335
42e5c802
GP		 1336 bt_cb(skb)->tx_seq = chan->next_tx_seq;
1337 chan->next_tx_seq = (chan->next_tx_seq + 1) % 64;
1c2acffb 1338
23e9fde2 1339 if (bt_cb(skb)->retries == 1)
6a026610 1340 chan->unacked_frames++;
23e9fde2 1341
6a026610 1342 chan->frames_sent++;
1c2acffb 1343
58d35f87
GP		 1344 if (skb_queue_is_last(&chan->tx_q, skb))
1345 chan->tx_send_head = NULL;
1c2acffb 1346 else
58d35f87 1347 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
9e917af1
GP		 1348
1349 nsent++;
1c2acffb
GP		 1350 }
1351
9e917af1
GP		 1352 return nsent;
1353}
1354
525cd185 1355static int l2cap_retransmit_frames(struct l2cap_chan *chan)
dfc909be 1356{
dfc909be
GP		 1357 int ret;
1358
58d35f87
GP		 1359 if (!skb_queue_empty(&chan->tx_q))
1360 chan->tx_send_head = chan->tx_q.next;
dfc909be 1361
42e5c802 1362 chan->next_tx_seq = chan->expected_ack_seq;
525cd185 1363 ret = l2cap_ertm_send(chan);
dfc909be
GP		 1364 return ret;
1365}
1366
525cd185 1367static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 1368{
9e917af1
GP		 1369 u16 control = 0;
1370
42e5c802 1371 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
9e917af1 1372
525cd185 1373 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
9e917af1 1374 control |= L2CAP_SUPER_RCV_NOT_READY;
525cd185
GP		 1375 chan->conn_state |= L2CAP_CONN_RNR_SENT;
1376 l2cap_send_sframe(chan, control);
9a9c6a34 1377 return;
9e917af1 1378 }
dfc909be 1379
525cd185 1380 if (l2cap_ertm_send(chan) > 0)
dfc909be
GP		 1381 return;
1382
1383 control |= L2CAP_SUPER_RCV_READY;
525cd185 1384 l2cap_send_sframe(chan, control);
1c2acffb
GP		 1385}
1386
525cd185 1387static void l2cap_send_srejtail(struct l2cap_chan *chan)
99b0d4b7
GP		 1388{
1389 struct srej_list *tail;
1390 u16 control;
1391
1392 control = L2CAP_SUPER_SELECT_REJECT;
1393 control |= L2CAP_CTRL_FINAL;
1394
39d5a3ee 1395 tail = list_entry((&chan->srej_l)->prev, struct srej_list, list);
99b0d4b7
GP		 1396 control |= tail->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1397
525cd185 1398 l2cap_send_sframe(chan, control);
99b0d4b7
GP		 1399}
1400
1c2acffb
GP		 1401static inline int l2cap_skbuff_fromiovec(struct sock *sk, struct msghdr *msg, int len, int count, struct sk_buff *skb)
1402{
8c1d787b 1403 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
1c2acffb
GP		 1404 struct sk_buff **frag;
1405 int err, sent = 0;
1da177e4 1406
59203a21 1407 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1408 return -EFAULT;
1da177e4
LT		 1409
1410 sent += count;
1411 len -= count;
1412
1413 /* Continuation fragments (no L2CAP header) */
1414 frag = &skb_shinfo(skb)->frag_list;
1415 while (len) {
1416 count = min_t(unsigned int, conn->mtu, len);
1417
1418 *frag = bt_skb_send_alloc(sk, count, msg->msg_flags & MSG_DONTWAIT, &err);
1419 if (!*frag)
0175d629 1420 return err;
1c2acffb
GP		 1421 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1422 return -EFAULT;
1da177e4
LT		 1423
1424 sent += count;
1425 len -= count;
1426
1427 frag = &(*frag)->next;
1428 }
1da177e4
LT		 1429
1430 return sent;
1c2acffb 1431}
1da177e4 1432
fe4128e0 1433struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1c2acffb 1434{
fe4128e0 1435 struct sock *sk = chan->sk;
8c1d787b 1436 struct l2cap_conn *conn = chan->conn;
1c2acffb
GP		 1437 struct sk_buff *skb;
1438 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1439 struct l2cap_hdr *lh;
1440
1441 BT_DBG("sk %p len %d", sk, (int)len);
1442
1443 count = min_t(unsigned int, (conn->mtu - hlen), len);
1444 skb = bt_skb_send_alloc(sk, count + hlen,
1445 msg->msg_flags & MSG_DONTWAIT, &err);
1446 if (!skb)
0175d629 1447 return ERR_PTR(err);
1c2acffb
GP		 1448
1449 /* Create L2CAP header */
1450 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1451 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 1452 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
fe4128e0 1453 put_unaligned_le16(chan->psm, skb_put(skb, 2));
1c2acffb
GP		 1454
1455 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1456 if (unlikely(err < 0)) {
1457 kfree_skb(skb);
1458 return ERR_PTR(err);
1459 }
1460 return skb;
1461}
1462
fe4128e0 1463struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1c2acffb 1464{
fe4128e0 1465 struct sock *sk = chan->sk;
8c1d787b 1466 struct l2cap_conn *conn = chan->conn;
1c2acffb
GP		 1467 struct sk_buff *skb;
1468 int err, count, hlen = L2CAP_HDR_SIZE;
1469 struct l2cap_hdr *lh;
1470
1471 BT_DBG("sk %p len %d", sk, (int)len);
1472
1473 count = min_t(unsigned int, (conn->mtu - hlen), len);
1474 skb = bt_skb_send_alloc(sk, count + hlen,
1475 msg->msg_flags & MSG_DONTWAIT, &err);
1476 if (!skb)
0175d629 1477 return ERR_PTR(err);
1c2acffb
GP		 1478
1479 /* Create L2CAP header */
1480 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1481 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb
GP		 1482 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1483
1484 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1485 if (unlikely(err < 0)) {
1486 kfree_skb(skb);
1487 return ERR_PTR(err);
1488 }
1489 return skb;
1490}
1491
47d1ec61 1492struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len, u16 control, u16 sdulen)
1c2acffb 1493{
47d1ec61 1494 struct sock *sk = chan->sk;
8c1d787b 1495 struct l2cap_conn *conn = chan->conn;
1c2acffb
GP		 1496 struct sk_buff *skb;
1497 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1498 struct l2cap_hdr *lh;
1499
1500 BT_DBG("sk %p len %d", sk, (int)len);
1501
0ee0d208
GP		 1502 if (!conn)
1503 return ERR_PTR(-ENOTCONN);
1504
c74e560c
GP		 1505 if (sdulen)
1506 hlen += 2;
1507
47d1ec61 1508 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3
GP		 1509 hlen += 2;
1510
1c2acffb
GP		 1511 count = min_t(unsigned int, (conn->mtu - hlen), len);
1512 skb = bt_skb_send_alloc(sk, count + hlen,
1513 msg->msg_flags & MSG_DONTWAIT, &err);
1514 if (!skb)
0175d629 1515 return ERR_PTR(err);
1c2acffb
GP		 1516
1517 /* Create L2CAP header */
1518 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1519 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb
GP		 1520 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1521 put_unaligned_le16(control, skb_put(skb, 2));
c74e560c
GP		 1522 if (sdulen)
1523 put_unaligned_le16(sdulen, skb_put(skb, 2));
1c2acffb
GP		 1524
1525 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1526 if (unlikely(err < 0)) {
1527 kfree_skb(skb);
1528 return ERR_PTR(err);
1529 }
e90bac06 1530
47d1ec61 1531 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3
GP		 1532 put_unaligned_le16(0, skb_put(skb, 2));
1533
e90bac06 1534 bt_cb(skb)->retries = 0;
1c2acffb 1535 return skb;
1da177e4
LT		 1536}
1537
2c03a7a4 1538int l2cap_sar_segment_sdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
c74e560c 1539{
c74e560c
GP		 1540 struct sk_buff *skb;
1541 struct sk_buff_head sar_queue;
1542 u16 control;
1543 size_t size = 0;
1544
ff12fd64 1545 skb_queue_head_init(&sar_queue);
c74e560c 1546 control = L2CAP_SDU_START;
47d1ec61 1547 skb = l2cap_create_iframe_pdu(chan, msg, chan->remote_mps, control, len);
c74e560c
GP		 1548 if (IS_ERR(skb))
1549 return PTR_ERR(skb);
1550
1551 __skb_queue_tail(&sar_queue, skb);
2c03a7a4
GP		 1552 len -= chan->remote_mps;
1553 size += chan->remote_mps;
c74e560c
GP		 1554
1555 while (len > 0) {
1556 size_t buflen;
1557
2c03a7a4 1558 if (len > chan->remote_mps) {
44651b85 1559 control = L2CAP_SDU_CONTINUE;
2c03a7a4 1560 buflen = chan->remote_mps;
c74e560c 1561 } else {
44651b85 1562 control = L2CAP_SDU_END;
c74e560c
GP		 1563 buflen = len;
1564 }
1565
47d1ec61 1566 skb = l2cap_create_iframe_pdu(chan, msg, buflen, control, 0);
c74e560c
GP		 1567 if (IS_ERR(skb)) {
1568 skb_queue_purge(&sar_queue);
1569 return PTR_ERR(skb);
1570 }
1571
1572 __skb_queue_tail(&sar_queue, skb);
1573 len -= buflen;
1574 size += buflen;
c74e560c 1575 }
58d35f87
GP		 1576 skb_queue_splice_tail(&sar_queue, &chan->tx_q);
1577 if (chan->tx_send_head == NULL)
1578 chan->tx_send_head = sar_queue.next;
c74e560c
GP		 1579
1580 return size;
1581}
1582
9a91a04a
GP		 1583int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1584{
9a91a04a
GP		 1585 struct sk_buff *skb;
1586 u16 control;
1587 int err;
1588
1589 /* Connectionless channel */
715ec005 1590 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
9a91a04a
GP		 1591 skb = l2cap_create_connless_pdu(chan, msg, len);
1592 if (IS_ERR(skb))
1593 return PTR_ERR(skb);
1594
1595 l2cap_do_send(chan, skb);
1596 return len;
1597 }
1598
1599 switch (chan->mode) {
1600 case L2CAP_MODE_BASIC:
1601 /* Check outgoing MTU */
1602 if (len > chan->omtu)
1603 return -EMSGSIZE;
1604
1605 /* Create a basic PDU */
1606 skb = l2cap_create_basic_pdu(chan, msg, len);
1607 if (IS_ERR(skb))
1608 return PTR_ERR(skb);
1609
1610 l2cap_do_send(chan, skb);
1611 err = len;
1612 break;
1613
1614 case L2CAP_MODE_ERTM:
1615 case L2CAP_MODE_STREAMING:
1616 /* Entire SDU fits into one PDU */
1617 if (len <= chan->remote_mps) {
1618 control = L2CAP_SDU_UNSEGMENTED;
1619 skb = l2cap_create_iframe_pdu(chan, msg, len, control,
1620 0);
1621 if (IS_ERR(skb))
1622 return PTR_ERR(skb);
1623
1624 __skb_queue_tail(&chan->tx_q, skb);
1625
1626 if (chan->tx_send_head == NULL)
1627 chan->tx_send_head = skb;
1628
1629 } else {
1630 /* Segment SDU into multiples PDUs */
1631 err = l2cap_sar_segment_sdu(chan, msg, len);
1632 if (err < 0)
1633 return err;
1634 }
1635
1636 if (chan->mode == L2CAP_MODE_STREAMING) {
1637 l2cap_streaming_send(chan);
1638 err = len;
1639 break;
1640 }
1641
1642 if ((chan->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
1643 (chan->conn_state & L2CAP_CONN_WAIT_F)) {
1644 err = len;
1645 break;
1646 }
1647
1648 err = l2cap_ertm_send(chan);
1649 if (err >= 0)
1650 err = len;
1651
1652 break;
1653
1654 default:
1655 BT_DBG("bad state %1.1x", chan->mode);
1656 err = -EBADFD;
1657 }
1658
1659 return err;
1660}
1661
1da177e4
LT		 1662static void l2cap_chan_ready(struct sock *sk)
1663{
1664 struct sock *parent = bt_sk(sk)->parent;
b4450035 1665 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1da177e4
LT		 1666
1667 BT_DBG("sk %p, parent %p", sk, parent);
1668
b4450035 1669 chan->conf_state = 0;
ab07801d 1670 l2cap_chan_clear_timer(chan);
1da177e4
LT		 1671
1672 if (!parent) {
1673 /* Outgoing channel.
1674 * Wake up socket sleeping on connect.
1675 */
89bc500e 1676 l2cap_state_change(chan, BT_CONNECTED);
1da177e4
LT		 1677 sk->sk_state_change(sk);
1678 } else {
1679 /* Incoming channel.
1680 * Wake up socket sleeping on accept.
1681 */
1682 parent->sk_data_ready(parent, 0);
1683 }
1684}
1685
1686/* Copy frame to all raw sockets on that connection */
1687static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
1688{
1da177e4 1689 struct sk_buff *nskb;
48454079 1690 struct l2cap_chan *chan;
1da177e4
LT		 1691
1692 BT_DBG("conn %p", conn);
1693
baa7e1fa
GP		 1694 read_lock(&conn->chan_lock);
1695 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 1696 struct sock *sk = chan->sk;
715ec005 1697 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 1698 continue;
1699
1700 /* Don't send frame to the socket it came from */
1701 if (skb->sk == sk)
1702 continue;
af05b30b
GP		 1703 nskb = skb_clone(skb, GFP_ATOMIC);
1704 if (!nskb)
1da177e4
LT		 1705 continue;
1706
23070494 1707 if (chan->ops->recv(chan->data, nskb))
1da177e4
LT		 1708 kfree_skb(nskb);
1709 }
baa7e1fa 1710 read_unlock(&conn->chan_lock);
1da177e4
LT		 1711}
1712
1713/* ---- L2CAP signalling commands ---- */
1714static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
1715 u8 code, u8 ident, u16 dlen, void *data)
1716{
1717 struct sk_buff *skb, **frag;
1718 struct l2cap_cmd_hdr *cmd;
1719 struct l2cap_hdr *lh;
1720 int len, count;
1721
af05b30b
GP		 1722 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
1723 conn, code, ident, dlen);
1da177e4
LT		 1724
1725 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
1726 count = min_t(unsigned int, conn->mtu, len);
1727
1728 skb = bt_skb_alloc(count, GFP_ATOMIC);
1729 if (!skb)
1730 return NULL;
1731
1732 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 1733 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 1734
1735 if (conn->hcon->type == LE_LINK)
1736 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
1737 else
1738 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 1739
1740 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
1741 cmd->code = code;
1742 cmd->ident = ident;
aca3192c 1743 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 1744
1745 if (dlen) {
1746 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
1747 memcpy(skb_put(skb, count), data, count);
1748 data += count;
1749 }
1750
1751 len -= skb->len;
1752
1753 /* Continuation fragments (no L2CAP header) */
1754 frag = &skb_shinfo(skb)->frag_list;
1755 while (len) {
1756 count = min_t(unsigned int, conn->mtu, len);
1757
1758 *frag = bt_skb_alloc(count, GFP_ATOMIC);
1759 if (!*frag)
1760 goto fail;
1761
1762 memcpy(skb_put(*frag, count), data, count);
1763
1764 len -= count;
1765 data += count;
1766
1767 frag = &(*frag)->next;
1768 }
1769
1770 return skb;
1771
1772fail:
1773 kfree_skb(skb);
1774 return NULL;
1775}
1776
1777static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
1778{
1779 struct l2cap_conf_opt *opt = *ptr;
1780 int len;
1781
1782 len = L2CAP_CONF_OPT_SIZE + opt->len;
1783 *ptr += len;
1784
1785 *type = opt->type;
1786 *olen = opt->len;
1787
1788 switch (opt->len) {
1789 case 1:
1790 *val = *((u8 *) opt->val);
1791 break;
1792
1793 case 2:
bfaaeb3e 1794 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 1795 break;
1796
1797 case 4:
bfaaeb3e 1798 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 1799 break;
1800
1801 default:
1802 *val = (unsigned long) opt->val;
1803 break;
1804 }
1805
1806 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
1807 return len;
1808}
1809
1da177e4
LT		 1810static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
1811{
1812 struct l2cap_conf_opt *opt = *ptr;
1813
1814 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
1815
1816 opt->type = type;
1817 opt->len = len;
1818
1819 switch (len) {
1820 case 1:
1821 *((u8 *) opt->val) = val;
1822 break;
1823
1824 case 2:
4f8b691c 1825 put_unaligned_le16(val, opt->val);
1da177e4
LT		 1826 break;
1827
1828 case 4:
4f8b691c 1829 put_unaligned_le32(val, opt->val);
1da177e4
LT		 1830 break;
1831
1832 default:
1833 memcpy(opt->val, (void *) val, len);
1834 break;
1835 }
1836
1837 *ptr += L2CAP_CONF_OPT_SIZE + len;
1838}
1839
c1b4f43b
GP		 1840static void l2cap_ack_timeout(unsigned long arg)
1841{
525cd185 1842 struct l2cap_chan *chan = (void *) arg;
c1b4f43b 1843
525cd185
GP		 1844 bh_lock_sock(chan->sk);
1845 l2cap_send_ack(chan);
1846 bh_unlock_sock(chan->sk);
c1b4f43b
GP		 1847}
1848
525cd185 1849static inline void l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 1850{
525cd185
GP		 1851 struct sock *sk = chan->sk;
1852
42e5c802 1853 chan->expected_ack_seq = 0;
6a026610 1854 chan->unacked_frames = 0;
42e5c802 1855 chan->buffer_seq = 0;
6a026610
GP		 1856 chan->num_acked = 0;
1857 chan->frames_sent = 0;
0565c1c2 1858
e92c8e70
GP		 1859 setup_timer(&chan->retrans_timer, l2cap_retrans_timeout,
1860 (unsigned long) chan);
1861 setup_timer(&chan->monitor_timer, l2cap_monitor_timeout,
1862 (unsigned long) chan);
1863 setup_timer(&chan->ack_timer, l2cap_ack_timeout, (unsigned long) chan);
0565c1c2 1864
f1c6775b
GP		 1865 skb_queue_head_init(&chan->srej_q);
1866 skb_queue_head_init(&chan->busy_q);
1890d36b 1867
39d5a3ee
GP		 1868 INIT_LIST_HEAD(&chan->srej_l);
1869
311bb895 1870 INIT_WORK(&chan->busy_work, l2cap_busy_work);
218bb9df
GP		 1871
1872 sk->sk_backlog_rcv = l2cap_ertm_data_rcv;
0565c1c2
GP		 1873}
1874
f2fcfcd6
GP		 1875static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
1876{
1877 switch (mode) {
1878 case L2CAP_MODE_STREAMING:
1879 case L2CAP_MODE_ERTM:
1880 if (l2cap_mode_supported(mode, remote_feat_mask))
1881 return mode;
1882 /* fall through */
1883 default:
1884 return L2CAP_MODE_BASIC;
1885 }
1886}
1887
710f9b0a 1888static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 1889{
1da177e4 1890 struct l2cap_conf_req *req = data;
0c1bc5c6 1891 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4
LT		 1892 void *ptr = req->data;
1893
49208c9c 1894 BT_DBG("chan %p", chan);
1da177e4 1895
73ffa904 1896 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 1897 goto done;
1898
0c1bc5c6 1899 switch (chan->mode) {
f2fcfcd6
GP		 1900 case L2CAP_MODE_STREAMING:
1901 case L2CAP_MODE_ERTM:
b4450035 1902 if (chan->conf_state & L2CAP_CONF_STATE2_DEVICE)
85eb53c6 1903 break;
85eb53c6 1904
2ba13ed6 1905 /* fall through */
f2fcfcd6 1906 default:
8c1d787b 1907 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 1908 break;
1909 }
1910
1911done:
0c1bc5c6
GP		 1912 if (chan->imtu != L2CAP_DEFAULT_MTU)
1913 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 1914
0c1bc5c6 1915 switch (chan->mode) {
65c7c491 1916 case L2CAP_MODE_BASIC:
8c1d787b
GP		 1917 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
1918 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 1919 break;
1920
62547752
GP		 1921 rfc.mode = L2CAP_MODE_BASIC;
1922 rfc.txwin_size = 0;
1923 rfc.max_transmit = 0;
1924 rfc.retrans_timeout = 0;
1925 rfc.monitor_timeout = 0;
1926 rfc.max_pdu_size = 0;
1927
63406504
GP		 1928 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
1929 (unsigned long) &rfc);
65c7c491
MH		 1930 break;
1931
1932 case L2CAP_MODE_ERTM:
1933 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61
GP		 1934 rfc.txwin_size = chan->tx_win;
1935 rfc.max_transmit = chan->max_tx;
f2fcfcd6
GP		 1936 rfc.retrans_timeout = 0;
1937 rfc.monitor_timeout = 0;
c74e560c 1938 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
8c1d787b
GP		 1939 if (L2CAP_DEFAULT_MAX_PDU_SIZE > chan->conn->mtu - 10)
1940 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
f2fcfcd6 1941
63406504
GP		 1942 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
1943 (unsigned long) &rfc);
1944
8c1d787b 1945 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 1946 break;
1947
47d1ec61 1948 if (chan->fcs == L2CAP_FCS_NONE ||
b4450035 1949 chan->conf_state & L2CAP_CONF_NO_FCS_RECV) {
47d1ec61
GP		 1950 chan->fcs = L2CAP_FCS_NONE;
1951 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 1952 }
f2fcfcd6
GP		 1953 break;
1954
1955 case L2CAP_MODE_STREAMING:
1956 rfc.mode = L2CAP_MODE_STREAMING;
1957 rfc.txwin_size = 0;
1958 rfc.max_transmit = 0;
1959 rfc.retrans_timeout = 0;
1960 rfc.monitor_timeout = 0;
c74e560c 1961 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
8c1d787b
GP		 1962 if (L2CAP_DEFAULT_MAX_PDU_SIZE > chan->conn->mtu - 10)
1963 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
65c7c491 1964
63406504
GP		 1965 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
1966 (unsigned long) &rfc);
1967
8c1d787b 1968 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 1969 break;
1970
47d1ec61 1971 if (chan->fcs == L2CAP_FCS_NONE ||
b4450035 1972 chan->conf_state & L2CAP_CONF_NO_FCS_RECV) {
47d1ec61
GP		 1973 chan->fcs = L2CAP_FCS_NONE;
1974 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 1975 }
65c7c491
MH		 1976 break;
1977 }
1da177e4 1978
fe4128e0 1979 req->dcid = cpu_to_le16(chan->dcid);
aca3192c 1980 req->flags = cpu_to_le16(0);
1da177e4
LT		 1981
1982 return ptr - data;
1983}
1984
73ffa904 1985static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 1986{
5dee9e7c
MH		 1987 struct l2cap_conf_rsp *rsp = data;
1988 void *ptr = rsp->data;
73ffa904
GP		 1989 void *req = chan->conf_req;
1990 int len = chan->conf_len;
5dee9e7c
MH		 1991 int type, hint, olen;
1992 unsigned long val;
6464f35f 1993 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
861d6882 1994 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 1995 u16 result = L2CAP_CONF_SUCCESS;
1da177e4 1996
73ffa904 1997 BT_DBG("chan %p", chan);
820ae1b8 1998
5dee9e7c
MH		 1999 while (len >= L2CAP_CONF_OPT_SIZE) {
2000 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 2001
589d2746 2002 hint = type & L2CAP_CONF_HINT;
47ec1dcd 2003 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 2004
2005 switch (type) {
2006 case L2CAP_CONF_MTU:
861d6882 2007 mtu = val;
5dee9e7c
MH		 2008 break;
2009
2010 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2011 chan->flush_to = val;
5dee9e7c
MH		 2012 break;
2013
2014 case L2CAP_CONF_QOS:
2015 break;
2016
6464f35f
MH		 2017 case L2CAP_CONF_RFC:
2018 if (olen == sizeof(rfc))
2019 memcpy(&rfc, (void *) val, olen);
2020 break;
2021
fcc203c3
GP		 2022 case L2CAP_CONF_FCS:
2023 if (val == L2CAP_FCS_NONE)
b4450035 2024 chan->conf_state |= L2CAP_CONF_NO_FCS_RECV;
fcc203c3
GP		 2025
2026 break;
2027
5dee9e7c
MH		 2028 default:
2029 if (hint)
2030 break;
2031
2032 result = L2CAP_CONF_UNKNOWN;
2033 *((u8 *) ptr++) = type;
2034 break;
2035 }
2036 }
2037
73ffa904 2038 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 2039 goto done;
2040
0c1bc5c6 2041 switch (chan->mode) {
f2fcfcd6
GP		 2042 case L2CAP_MODE_STREAMING:
2043 case L2CAP_MODE_ERTM:
b4450035 2044 if (!(chan->conf_state & L2CAP_CONF_STATE2_DEVICE)) {
0c1bc5c6 2045 chan->mode = l2cap_select_mode(rfc.mode,
8c1d787b 2046 chan->conn->feat_mask);
85eb53c6
GP		 2047 break;
2048 }
2049
0c1bc5c6 2050 if (chan->mode != rfc.mode)
f2fcfcd6 2051 return -ECONNREFUSED;
742e519b 2052
f2fcfcd6 2053 break;
f2fcfcd6
GP		 2054 }
2055
2056done:
0c1bc5c6 2057 if (chan->mode != rfc.mode) {
f2fcfcd6 2058 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2059 rfc.mode = chan->mode;
f2fcfcd6 2060
73ffa904 2061 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 2062 return -ECONNREFUSED;
2063
2064 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2065 sizeof(rfc), (unsigned long) &rfc);
2066 }
2067
2068
5dee9e7c
MH		 2069 if (result == L2CAP_CONF_SUCCESS) {
2070 /* Configure output options and let the other side know
2071 * which ones we don't like. */
2072
f2fcfcd6
GP		 2073 if (mtu < L2CAP_DEFAULT_MIN_MTU)
2074 result = L2CAP_CONF_UNACCEPT;
2075 else {
0c1bc5c6 2076 chan->omtu = mtu;
b4450035 2077 chan->conf_state |= L2CAP_CONF_MTU_DONE;
f2fcfcd6 2078 }
0c1bc5c6 2079 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 2080
f2fcfcd6
GP		 2081 switch (rfc.mode) {
2082 case L2CAP_MODE_BASIC:
47d1ec61 2083 chan->fcs = L2CAP_FCS_NONE;
b4450035 2084 chan->conf_state |= L2CAP_CONF_MODE_DONE;
f2fcfcd6
GP		 2085 break;
2086
2087 case L2CAP_MODE_ERTM:
2c03a7a4
GP		 2088 chan->remote_tx_win = rfc.txwin_size;
2089 chan->remote_max_tx = rfc.max_transmit;
86b1b263 2090
8c1d787b
GP		 2091 if (le16_to_cpu(rfc.max_pdu_size) > chan->conn->mtu - 10)
2092 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
1c762159 2093
2c03a7a4 2094 chan->remote_mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6 2095
10467e9e
GP		 2096 rfc.retrans_timeout =
2097 le16_to_cpu(L2CAP_DEFAULT_RETRANS_TO);
2098 rfc.monitor_timeout =
2099 le16_to_cpu(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6 2100
b4450035 2101 chan->conf_state |= L2CAP_CONF_MODE_DONE;
68ae6639
GP		 2102
2103 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2104 sizeof(rfc), (unsigned long) &rfc);
2105
f2fcfcd6
GP		 2106 break;
2107
2108 case L2CAP_MODE_STREAMING:
8c1d787b
GP		 2109 if (le16_to_cpu(rfc.max_pdu_size) > chan->conn->mtu - 10)
2110 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
1c762159 2111
2c03a7a4 2112 chan->remote_mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6 2113
b4450035 2114 chan->conf_state |= L2CAP_CONF_MODE_DONE;
68ae6639
GP		 2115
2116 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2117 sizeof(rfc), (unsigned long) &rfc);
2118
f2fcfcd6
GP		 2119 break;
2120
2121 default:
5dee9e7c 2122 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 2123
6464f35f 2124 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 2125 rfc.mode = chan->mode;
f2fcfcd6 2126 }
6464f35f 2127
f2fcfcd6 2128 if (result == L2CAP_CONF_SUCCESS)
b4450035 2129 chan->conf_state |= L2CAP_CONF_OUTPUT_DONE;
f2fcfcd6 2130 }
fe4128e0 2131 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c
MH		 2132 rsp->result = cpu_to_le16(result);
2133 rsp->flags = cpu_to_le16(0x0000);
2134
2135 return ptr - data;
1da177e4
LT		 2136}
2137
b4450035 2138static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
f2fcfcd6 2139{
f2fcfcd6
GP		 2140 struct l2cap_conf_req *req = data;
2141 void *ptr = req->data;
2142 int type, olen;
2143 unsigned long val;
2144 struct l2cap_conf_rfc rfc;
2145
fe4128e0 2146 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 2147
2148 while (len >= L2CAP_CONF_OPT_SIZE) {
2149 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2150
2151 switch (type) {
2152 case L2CAP_CONF_MTU:
2153 if (val < L2CAP_DEFAULT_MIN_MTU) {
2154 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2155 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 2156 } else
0c1bc5c6
GP		 2157 chan->imtu = val;
2158 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 2159 break;
2160
2161 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2162 chan->flush_to = val;
f2fcfcd6 2163 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
0c1bc5c6 2164 2, chan->flush_to);
f2fcfcd6
GP		 2165 break;
2166
2167 case L2CAP_CONF_RFC:
2168 if (olen == sizeof(rfc))
2169 memcpy(&rfc, (void *)val, olen);
2170
b4450035 2171 if ((chan->conf_state & L2CAP_CONF_STATE2_DEVICE) &&
0c1bc5c6 2172 rfc.mode != chan->mode)
f2fcfcd6
GP		 2173 return -ECONNREFUSED;
2174
47d1ec61 2175 chan->fcs = 0;
f2fcfcd6
GP		 2176
2177 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2178 sizeof(rfc), (unsigned long) &rfc);
2179 break;
2180 }
2181 }
2182
0c1bc5c6 2183 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 2184 return -ECONNREFUSED;
2185
0c1bc5c6 2186 chan->mode = rfc.mode;
6c2ea7a8 2187
f2fcfcd6
GP		 2188 if (*result == L2CAP_CONF_SUCCESS) {
2189 switch (rfc.mode) {
2190 case L2CAP_MODE_ERTM:
47d1ec61
GP		 2191 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2192 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2193 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2194 break;
2195 case L2CAP_MODE_STREAMING:
47d1ec61 2196 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2197 }
2198 }
2199
fe4128e0 2200 req->dcid = cpu_to_le16(chan->dcid);
f2fcfcd6
GP		 2201 req->flags = cpu_to_le16(0x0000);
2202
2203 return ptr - data;
2204}
2205
fe4128e0 2206static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
1da177e4
LT		 2207{
2208 struct l2cap_conf_rsp *rsp = data;
2209 void *ptr = rsp->data;
1da177e4 2210
fe4128e0 2211 BT_DBG("chan %p", chan);
1da177e4 2212
fe4128e0 2213 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 2214 rsp->result = cpu_to_le16(result);
aca3192c 2215 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 2216
2217 return ptr - data;
2218}
2219
8c1d787b 2220void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 2221{
2222 struct l2cap_conn_rsp rsp;
8c1d787b 2223 struct l2cap_conn *conn = chan->conn;
710f9b0a
GP		 2224 u8 buf[128];
2225
fe4128e0
GP		 2226 rsp.scid = cpu_to_le16(chan->dcid);
2227 rsp.dcid = cpu_to_le16(chan->scid);
710f9b0a
GP		 2228 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
2229 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
2230 l2cap_send_cmd(conn, chan->ident,
2231 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2232
b4450035 2233 if (chan->conf_state & L2CAP_CONF_REQ_SENT)
710f9b0a
GP		 2234 return;
2235
b4450035 2236 chan->conf_state |= L2CAP_CONF_REQ_SENT;
710f9b0a
GP		 2237 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2238 l2cap_build_conf_req(chan, buf), buf);
2239 chan->num_conf_req++;
2240}
2241
47d1ec61 2242static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 2243{
7b1c0049
GP		 2244 int type, olen;
2245 unsigned long val;
2246 struct l2cap_conf_rfc rfc;
2247
47d1ec61 2248 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 2249
0c1bc5c6 2250 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 2251 return;
2252
2253 while (len >= L2CAP_CONF_OPT_SIZE) {
2254 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2255
2256 switch (type) {
2257 case L2CAP_CONF_RFC:
2258 if (olen == sizeof(rfc))
2259 memcpy(&rfc, (void *)val, olen);
2260 goto done;
2261 }
2262 }
2263
2264done:
2265 switch (rfc.mode) {
2266 case L2CAP_MODE_ERTM:
47d1ec61
GP		 2267 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2268 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2269 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2270 break;
2271 case L2CAP_MODE_STREAMING:
47d1ec61 2272 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2273 }
2274}
2275
4e8402a3
MH		 2276static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2277{
2278 struct l2cap_cmd_rej *rej = (struct l2cap_cmd_rej *) data;
2279
2280 if (rej->reason != 0x0000)
2281 return 0;
2282
2283 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2284 cmd->ident == conn->info_ident) {
4e8402a3 2285 del_timer(&conn->info_timer);
984947dc
MH		 2286
2287 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2288 conn->info_ident = 0;
984947dc 2289
4e8402a3
MH		 2290 l2cap_conn_start(conn);
2291 }
2292
2293 return 0;
2294}
2295
1da177e4
LT		 2296static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2297{
1da177e4
LT		 2298 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
2299 struct l2cap_conn_rsp rsp;
23691d75 2300 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 2301 struct sock *parent, *sk = NULL;
e7c29cb1 2302 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2303
2304 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 2305 __le16 psm = req->psm;
1da177e4
LT		 2306
2307 BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
2308
2309 /* Check if we have socket listening on psm */
23691d75
GP		 2310 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src);
2311 if (!pchan) {
1da177e4
LT		 2312 result = L2CAP_CR_BAD_PSM;
2313 goto sendresp;
2314 }
2315
23691d75
GP		 2316 parent = pchan->sk;
2317
e0f0cb56
GP		 2318 bh_lock_sock(parent);
2319
e7c29cb1
MH		 2320 /* Check if the ACL is secure enough (if not SDP) */
2321 if (psm != cpu_to_le16(0x0001) &&
2322 !hci_conn_check_link_mode(conn->hcon)) {
2950f21a 2323 conn->disc_reason = 0x05;
e7c29cb1
MH		 2324 result = L2CAP_CR_SEC_BLOCK;
2325 goto response;
2326 }
2327
1da177e4
LT		 2328 result = L2CAP_CR_NO_MEM;
2329
2330 /* Check for backlog size */
2331 if (sk_acceptq_is_full(parent)) {
8e87d142 2332 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1da177e4
LT		 2333 goto response;
2334 }
2335
80808e43
GP		 2336 chan = pchan->ops->new_connection(pchan->data);
2337 if (!chan)
1da177e4
LT		 2338 goto response;
2339
80808e43
GP		 2340 sk = chan->sk;
2341
baa7e1fa 2342 write_lock_bh(&conn->chan_lock);
1da177e4
LT		 2343
2344 /* Check if we already have channel with that dcid */
baa7e1fa
GP		 2345 if (__l2cap_get_chan_by_dcid(conn, scid)) {
2346 write_unlock_bh(&conn->chan_lock);
1da177e4 2347 sock_set_flag(sk, SOCK_ZAPPED);
ba3bd0ee 2348 chan->ops->close(chan->data);
1da177e4
LT		 2349 goto response;
2350 }
2351
2352 hci_conn_hold(conn->hcon);
2353
1da177e4
LT		 2354 bacpy(&bt_sk(sk)->src, conn->src);
2355 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 2356 chan->psm = psm;
2357 chan->dcid = scid;
1da177e4 2358
d1010240
GP		 2359 bt_accept_enqueue(parent, sk);
2360
48454079
GP		 2361 __l2cap_chan_add(conn, chan);
2362
fe4128e0 2363 dcid = chan->scid;
1da177e4 2364
ab07801d 2365 l2cap_chan_set_timer(chan, sk->sk_sndtimeo);
1da177e4 2366
fc7f8a7e 2367 chan->ident = cmd->ident;
1da177e4 2368
984947dc 2369 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
4343478f 2370 if (l2cap_check_security(chan)) {
f66dc81f 2371 if (bt_sk(sk)->defer_setup) {
89bc500e 2372 l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 2373 result = L2CAP_CR_PEND;
2374 status = L2CAP_CS_AUTHOR_PEND;
2375 parent->sk_data_ready(parent, 0);
2376 } else {
89bc500e 2377 l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 2378 result = L2CAP_CR_SUCCESS;
2379 status = L2CAP_CS_NO_INFO;
2380 }
79d554a6 2381 } else {
89bc500e 2382 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 2383 result = L2CAP_CR_PEND;
2384 status = L2CAP_CS_AUTHEN_PEND;
2385 }
2386 } else {
89bc500e 2387 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 2388 result = L2CAP_CR_PEND;
2389 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2390 }
2391
baa7e1fa 2392 write_unlock_bh(&conn->chan_lock);
1da177e4
LT		 2393
2394response:
2395 bh_unlock_sock(parent);
2396
2397sendresp:
aca3192c
YH		 2398 rsp.scid = cpu_to_le16(scid);
2399 rsp.dcid = cpu_to_le16(dcid);
2400 rsp.result = cpu_to_le16(result);
2401 rsp.status = cpu_to_le16(status);
1da177e4 2402 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 2403
2404 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
2405 struct l2cap_info_req info;
2406 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2407
2408 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
2409 conn->info_ident = l2cap_get_ident(conn);
2410
2411 mod_timer(&conn->info_timer, jiffies +
2412 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
2413
2414 l2cap_send_cmd(conn, conn->info_ident,
2415 L2CAP_INFO_REQ, sizeof(info), &info);
2416 }
2417
b4450035 2418 if (chan && !(chan->conf_state & L2CAP_CONF_REQ_SENT) &&
e9aeb2dd
GP		 2419 result == L2CAP_CR_SUCCESS) {
2420 u8 buf[128];
b4450035 2421 chan->conf_state |= L2CAP_CONF_REQ_SENT;
e9aeb2dd 2422 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2423 l2cap_build_conf_req(chan, buf), buf);
2424 chan->num_conf_req++;
e9aeb2dd
GP		 2425 }
2426
1da177e4
LT		 2427 return 0;
2428}
2429
2430static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2431{
2432 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
2433 u16 scid, dcid, result, status;
48454079 2434 struct l2cap_chan *chan;
1da177e4
LT		 2435 struct sock *sk;
2436 u8 req[128];
2437
2438 scid = __le16_to_cpu(rsp->scid);
2439 dcid = __le16_to_cpu(rsp->dcid);
2440 result = __le16_to_cpu(rsp->result);
2441 status = __le16_to_cpu(rsp->status);
2442
2443 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status);
2444
2445 if (scid) {
baa7e1fa 2446 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2447 if (!chan)
57d3b22b 2448 return -EFAULT;
1da177e4 2449 } else {
baa7e1fa 2450 chan = l2cap_get_chan_by_ident(conn, cmd->ident);
48454079 2451 if (!chan)
57d3b22b 2452 return -EFAULT;
1da177e4
LT		 2453 }
2454
48454079
GP		 2455 sk = chan->sk;
2456
1da177e4
LT		 2457 switch (result) {
2458 case L2CAP_CR_SUCCESS:
89bc500e 2459 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 2460 chan->ident = 0;
fe4128e0 2461 chan->dcid = dcid;
b4450035 2462 chan->conf_state &= ~L2CAP_CONF_CONNECT_PEND;
6a8d3010 2463
b4450035 2464 if (chan->conf_state & L2CAP_CONF_REQ_SENT)
e9aeb2dd
GP		 2465 break;
2466
b4450035 2467 chan->conf_state |= L2CAP_CONF_REQ_SENT;
e9aeb2dd 2468
1da177e4 2469 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2470 l2cap_build_conf_req(chan, req), req);
2471 chan->num_conf_req++;
1da177e4
LT		 2472 break;
2473
2474 case L2CAP_CR_PEND:
b4450035 2475 chan->conf_state |= L2CAP_CONF_CONNECT_PEND;
1da177e4
LT		 2476 break;
2477
2478 default:
a49184c2
AE		 2479 /* don't delete l2cap channel if sk is owned by user */
2480 if (sock_owned_by_user(sk)) {
89bc500e 2481 l2cap_state_change(chan, BT_DISCONN);
ab07801d
GP		 2482 l2cap_chan_clear_timer(chan);
2483 l2cap_chan_set_timer(chan, HZ / 5);
a49184c2
AE		 2484 break;
2485 }
2486
48454079 2487 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 2488 break;
2489 }
2490
2491 bh_unlock_sock(sk);
2492 return 0;
2493}
2494
47d1ec61 2495static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60 2496{
47d1ec61
GP		 2497 struct l2cap_pinfo *pi = l2cap_pi(chan->sk);
2498
8c462b60
MM		 2499 /* FCS is enabled only in ERTM or streaming mode, if one or both
2500 * sides request it.
2501 */
0c1bc5c6 2502 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 2503 chan->fcs = L2CAP_FCS_NONE;
b4450035 2504 else if (!(pi->chan->conf_state & L2CAP_CONF_NO_FCS_RECV))
47d1ec61 2505 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 2506}
2507
88219a0f 2508static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 2509{
2510 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
2511 u16 dcid, flags;
2512 u8 rsp[64];
48454079 2513 struct l2cap_chan *chan;
1da177e4 2514 struct sock *sk;
5dee9e7c 2515 int len;
1da177e4
LT		 2516
2517 dcid = __le16_to_cpu(req->dcid);
2518 flags = __le16_to_cpu(req->flags);
2519
2520 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
2521
baa7e1fa 2522 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 2523 if (!chan)
1da177e4
LT		 2524 return -ENOENT;
2525
48454079
GP		 2526 sk = chan->sk;
2527
89bc500e 2528 if (chan->state != BT_CONFIG) {
df6bd743
GP		 2529 struct l2cap_cmd_rej rej;
2530
2531 rej.reason = cpu_to_le16(0x0002);
2532 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
2533 sizeof(rej), &rej);
354f60a9 2534 goto unlock;
df6bd743 2535 }
354f60a9 2536
5dee9e7c 2537 /* Reject if config buffer is too small. */
88219a0f 2538 len = cmd_len - sizeof(*req);
73ffa904 2539 if (chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 2540 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 2541 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c
MH		 2542 L2CAP_CONF_REJECT, flags), rsp);
2543 goto unlock;
2544 }
2545
2546 /* Store config. */
73ffa904
GP		 2547 memcpy(chan->conf_req + chan->conf_len, req->data, len);
2548 chan->conf_len += len;
1da177e4
LT		 2549
2550 if (flags & 0x0001) {
2551 /* Incomplete config. Send empty response. */
2552 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 2553 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c 2554 L2CAP_CONF_SUCCESS, 0x0001), rsp);
1da177e4
LT		 2555 goto unlock;
2556 }
2557
2558 /* Complete config. */
73ffa904 2559 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 2560 if (len < 0) {
e92c8e70 2561 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4 2562 goto unlock;
f2fcfcd6 2563 }
1da177e4 2564
5dee9e7c 2565 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 2566 chan->num_conf_rsp++;
5dee9e7c 2567
5dee9e7c 2568 /* Reset config buffer. */
73ffa904 2569 chan->conf_len = 0;
5dee9e7c 2570
b4450035 2571 if (!(chan->conf_state & L2CAP_CONF_OUTPUT_DONE))
876d9484
MH		 2572 goto unlock;
2573
b4450035 2574 if (chan->conf_state & L2CAP_CONF_INPUT_DONE) {
47d1ec61 2575 set_default_fcs(chan);
fcc203c3 2576
89bc500e 2577 l2cap_state_change(chan, BT_CONNECTED);
e90bac06 2578
42e5c802
GP		 2579 chan->next_tx_seq = 0;
2580 chan->expected_tx_seq = 0;
58d35f87 2581 skb_queue_head_init(&chan->tx_q);
0c1bc5c6 2582 if (chan->mode == L2CAP_MODE_ERTM)
525cd185 2583 l2cap_ertm_init(chan);
0565c1c2 2584
1da177e4 2585 l2cap_chan_ready(sk);
876d9484
MH		 2586 goto unlock;
2587 }
2588
b4450035 2589 if (!(chan->conf_state & L2CAP_CONF_REQ_SENT)) {
79d554a6 2590 u8 buf[64];
b4450035 2591 chan->conf_state |= L2CAP_CONF_REQ_SENT;
1da177e4 2592 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2593 l2cap_build_conf_req(chan, buf), buf);
2594 chan->num_conf_req++;
1da177e4
LT		 2595 }
2596
2597unlock:
2598 bh_unlock_sock(sk);
2599 return 0;
2600}
2601
2602static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2603{
2604 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
2605 u16 scid, flags, result;
48454079 2606 struct l2cap_chan *chan;
1da177e4 2607 struct sock *sk;
7b1c0049 2608 int len = cmd->len - sizeof(*rsp);
1da177e4
LT		 2609
2610 scid = __le16_to_cpu(rsp->scid);
2611 flags = __le16_to_cpu(rsp->flags);
2612 result = __le16_to_cpu(rsp->result);
2613
af05b30b
GP		 2614 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x",
2615 scid, flags, result);
1da177e4 2616
baa7e1fa 2617 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2618 if (!chan)
1da177e4
LT		 2619 return 0;
2620
48454079
GP		 2621 sk = chan->sk;
2622
1da177e4
LT		 2623 switch (result) {
2624 case L2CAP_CONF_SUCCESS:
47d1ec61 2625 l2cap_conf_rfc_get(chan, rsp->data, len);
1da177e4
LT		 2626 break;
2627
2628 case L2CAP_CONF_UNACCEPT:
73ffa904 2629 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 2630 char req[64];
2631
c2c77ec8 2632 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
e92c8e70 2633 l2cap_send_disconn_req(conn, chan, ECONNRESET);
c2c77ec8
AE		 2634 goto done;
2635 }
2636
f2fcfcd6
GP		 2637 /* throw out any old stored conf requests */
2638 result = L2CAP_CONF_SUCCESS;
b4450035
GP		 2639 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2640 req, &result);
f2fcfcd6 2641 if (len < 0) {
e92c8e70 2642 l2cap_send_disconn_req(conn, chan, ECONNRESET);
f2fcfcd6
GP		 2643 goto done;
2644 }
2645
2646 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2647 L2CAP_CONF_REQ, len, req);
73ffa904 2648 chan->num_conf_req++;
f2fcfcd6
GP		 2649 if (result != L2CAP_CONF_SUCCESS)
2650 goto done;
2651 break;
1da177e4
LT		 2652 }
2653
8e87d142 2654 default:
b1235d79 2655 sk->sk_err = ECONNRESET;
ab07801d 2656 l2cap_chan_set_timer(chan, HZ * 5);
e92c8e70 2657 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4
LT		 2658 goto done;
2659 }
2660
2661 if (flags & 0x01)
2662 goto done;
2663
b4450035 2664 chan->conf_state |= L2CAP_CONF_INPUT_DONE;
1da177e4 2665
b4450035 2666 if (chan->conf_state & L2CAP_CONF_OUTPUT_DONE) {
47d1ec61 2667 set_default_fcs(chan);
fcc203c3 2668
89bc500e 2669 l2cap_state_change(chan, BT_CONNECTED);
42e5c802
GP		 2670 chan->next_tx_seq = 0;
2671 chan->expected_tx_seq = 0;
58d35f87 2672 skb_queue_head_init(&chan->tx_q);
0c1bc5c6 2673 if (chan->mode == L2CAP_MODE_ERTM)
525cd185 2674 l2cap_ertm_init(chan);
0565c1c2 2675
1da177e4
LT		 2676 l2cap_chan_ready(sk);
2677 }
2678
2679done:
2680 bh_unlock_sock(sk);
2681 return 0;
2682}
2683
2684static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2685{
2686 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
2687 struct l2cap_disconn_rsp rsp;
2688 u16 dcid, scid;
48454079 2689 struct l2cap_chan *chan;
1da177e4
LT		 2690 struct sock *sk;
2691
2692 scid = __le16_to_cpu(req->scid);
2693 dcid = __le16_to_cpu(req->dcid);
2694
2695 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
2696
baa7e1fa 2697 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 2698 if (!chan)
1da177e4
LT		 2699 return 0;
2700
48454079
GP		 2701 sk = chan->sk;
2702
fe4128e0
GP		 2703 rsp.dcid = cpu_to_le16(chan->scid);
2704 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 2705 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
2706
2707 sk->sk_shutdown = SHUTDOWN_MASK;
2708
a49184c2
AE		 2709 /* don't delete l2cap channel if sk is owned by user */
2710 if (sock_owned_by_user(sk)) {
89bc500e 2711 l2cap_state_change(chan, BT_DISCONN);
ab07801d
GP		 2712 l2cap_chan_clear_timer(chan);
2713 l2cap_chan_set_timer(chan, HZ / 5);
a49184c2
AE		 2714 bh_unlock_sock(sk);
2715 return 0;
2716 }
2717
48454079 2718 l2cap_chan_del(chan, ECONNRESET);
1da177e4
LT		 2719 bh_unlock_sock(sk);
2720
ba3bd0ee 2721 chan->ops->close(chan->data);
1da177e4
LT		 2722 return 0;
2723}
2724
2725static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2726{
2727 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
2728 u16 dcid, scid;
48454079 2729 struct l2cap_chan *chan;
1da177e4
LT		 2730 struct sock *sk;
2731
2732 scid = __le16_to_cpu(rsp->scid);
2733 dcid = __le16_to_cpu(rsp->dcid);
2734
2735 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
2736
baa7e1fa 2737 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2738 if (!chan)
1da177e4
LT		 2739 return 0;
2740
48454079
GP		 2741 sk = chan->sk;
2742
a49184c2
AE		 2743 /* don't delete l2cap channel if sk is owned by user */
2744 if (sock_owned_by_user(sk)) {
89bc500e 2745 l2cap_state_change(chan,BT_DISCONN);
ab07801d
GP		 2746 l2cap_chan_clear_timer(chan);
2747 l2cap_chan_set_timer(chan, HZ / 5);
a49184c2
AE		 2748 bh_unlock_sock(sk);
2749 return 0;
2750 }
2751
48454079 2752 l2cap_chan_del(chan, 0);
1da177e4
LT		 2753 bh_unlock_sock(sk);
2754
ba3bd0ee 2755 chan->ops->close(chan->data);
1da177e4
LT		 2756 return 0;
2757}
2758
2759static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2760{
2761 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 2762 u16 type;
2763
2764 type = __le16_to_cpu(req->type);
2765
2766 BT_DBG("type 0x%4.4x", type);
2767
f0709e03
MH		 2768 if (type == L2CAP_IT_FEAT_MASK) {
2769 u8 buf[8];
44dd46de 2770 u32 feat_mask = l2cap_feat_mask;
f0709e03
MH		 2771 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2772 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2773 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 2774 if (!disable_ertm)
fcc203c3
GP		 2775 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
2776 | L2CAP_FEAT_FCS;
1b7bf4ed 2777 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 2778 l2cap_send_cmd(conn, cmd->ident,
2779 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 2780 } else if (type == L2CAP_IT_FIXED_CHAN) {
2781 u8 buf[12];
2782 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2783 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2784 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
2785 memcpy(buf + 4, l2cap_fixed_chan, 8);
2786 l2cap_send_cmd(conn, cmd->ident,
2787 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 2788 } else {
2789 struct l2cap_info_rsp rsp;
2790 rsp.type = cpu_to_le16(type);
2791 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
2792 l2cap_send_cmd(conn, cmd->ident,
2793 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
2794 }
1da177e4
LT		 2795
2796 return 0;
2797}
2798
2799static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2800{
2801 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
2802 u16 type, result;
2803
2804 type = __le16_to_cpu(rsp->type);
2805 result = __le16_to_cpu(rsp->result);
2806
2807 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
2808
e90165be
AE		 2809 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
2810 if (cmd->ident != conn->info_ident ||
2811 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
2812 return 0;
2813
4e8402a3
MH		 2814 del_timer(&conn->info_timer);
2815
adb08ede
VT		 2816 if (result != L2CAP_IR_SUCCESS) {
2817 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2818 conn->info_ident = 0;
2819
2820 l2cap_conn_start(conn);
2821
2822 return 0;
2823 }
2824
984947dc 2825 if (type == L2CAP_IT_FEAT_MASK) {
83985319 2826 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 2827
47ec1dcd 2828 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c
MH		 2829 struct l2cap_info_req req;
2830 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2831
2832 conn->info_ident = l2cap_get_ident(conn);
2833
2834 l2cap_send_cmd(conn, conn->info_ident,
2835 L2CAP_INFO_REQ, sizeof(req), &req);
2836 } else {
2837 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2838 conn->info_ident = 0;
2839
2840 l2cap_conn_start(conn);
2841 }
2842 } else if (type == L2CAP_IT_FIXED_CHAN) {
984947dc 2843 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2844 conn->info_ident = 0;
984947dc
MH		 2845
2846 l2cap_conn_start(conn);
2847 }
4e8402a3 2848
1da177e4
LT		 2849 return 0;
2850}
2851
e2174ca4 2852static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
de73115a
CT		 2853 u16 to_multiplier)
2854{
2855 u16 max_latency;
2856
2857 if (min > max || min < 6 || max > 3200)
2858 return -EINVAL;
2859
2860 if (to_multiplier < 10 || to_multiplier > 3200)
2861 return -EINVAL;
2862
2863 if (max >= to_multiplier * 8)
2864 return -EINVAL;
2865
2866 max_latency = (to_multiplier * 8 / max) - 1;
2867 if (latency > 499 || latency > max_latency)
2868 return -EINVAL;
2869
2870 return 0;
2871}
2872
2873static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
2874 struct l2cap_cmd_hdr *cmd, u8 *data)
2875{
2876 struct hci_conn *hcon = conn->hcon;
2877 struct l2cap_conn_param_update_req *req;
2878 struct l2cap_conn_param_update_rsp rsp;
2879 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 2880 int err;
de73115a
CT		 2881
2882 if (!(hcon->link_mode & HCI_LM_MASTER))
2883 return -EINVAL;
2884
2885 cmd_len = __le16_to_cpu(cmd->len);
2886 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
2887 return -EPROTO;
2888
2889 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 2890 min = __le16_to_cpu(req->min);
2891 max = __le16_to_cpu(req->max);
de73115a
CT		 2892 latency = __le16_to_cpu(req->latency);
2893 to_multiplier = __le16_to_cpu(req->to_multiplier);
2894
2895 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
2896 min, max, latency, to_multiplier);
2897
2898 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 2899
2900 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
2901 if (err)
de73115a
CT		 2902 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
2903 else
2904 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
2905
2906 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
2907 sizeof(rsp), &rsp);
2908
2ce603eb
CT		 2909 if (!err)
2910 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
2911
de73115a
CT		 2912 return 0;
2913}
2914
3300d9a9
CT		 2915static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
2916 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
2917{
2918 int err = 0;
2919
2920 switch (cmd->code) {
2921 case L2CAP_COMMAND_REJ:
2922 l2cap_command_rej(conn, cmd, data);
2923 break;
2924
2925 case L2CAP_CONN_REQ:
2926 err = l2cap_connect_req(conn, cmd, data);
2927 break;
2928
2929 case L2CAP_CONN_RSP:
2930 err = l2cap_connect_rsp(conn, cmd, data);
2931 break;
2932
2933 case L2CAP_CONF_REQ:
2934 err = l2cap_config_req(conn, cmd, cmd_len, data);
2935 break;
2936
2937 case L2CAP_CONF_RSP:
2938 err = l2cap_config_rsp(conn, cmd, data);
2939 break;
2940
2941 case L2CAP_DISCONN_REQ:
2942 err = l2cap_disconnect_req(conn, cmd, data);
2943 break;
2944
2945 case L2CAP_DISCONN_RSP:
2946 err = l2cap_disconnect_rsp(conn, cmd, data);
2947 break;
2948
2949 case L2CAP_ECHO_REQ:
2950 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
2951 break;
2952
2953 case L2CAP_ECHO_RSP:
2954 break;
2955
2956 case L2CAP_INFO_REQ:
2957 err = l2cap_information_req(conn, cmd, data);
2958 break;
2959
2960 case L2CAP_INFO_RSP:
2961 err = l2cap_information_rsp(conn, cmd, data);
2962 break;
2963
2964 default:
2965 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
2966 err = -EINVAL;
2967 break;
2968 }
2969
2970 return err;
2971}
2972
2973static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
2974 struct l2cap_cmd_hdr *cmd, u8 *data)
2975{
2976 switch (cmd->code) {
2977 case L2CAP_COMMAND_REJ:
2978 return 0;
2979
2980 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 2981 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 2982
2983 case L2CAP_CONN_PARAM_UPDATE_RSP:
2984 return 0;
2985
2986 default:
2987 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
2988 return -EINVAL;
2989 }
2990}
2991
2992static inline void l2cap_sig_channel(struct l2cap_conn *conn,
2993 struct sk_buff *skb)
1da177e4
LT		 2994{
2995 u8 *data = skb->data;
2996 int len = skb->len;
2997 struct l2cap_cmd_hdr cmd;
3300d9a9 2998 int err;
1da177e4
LT		 2999
3000 l2cap_raw_recv(conn, skb);
3001
3002 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 3003 u16 cmd_len;
1da177e4
LT		 3004 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
3005 data += L2CAP_CMD_HDR_SIZE;
3006 len -= L2CAP_CMD_HDR_SIZE;
3007
88219a0f 3008 cmd_len = le16_to_cpu(cmd.len);
1da177e4 3009
88219a0f 3010 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 3011
88219a0f 3012 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 3013 BT_DBG("corrupted command");
3014 break;
3015 }
3016
3300d9a9
CT		 3017 if (conn->hcon->type == LE_LINK)
3018 err = l2cap_le_sig_cmd(conn, &cmd, data);
3019 else
3020 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 3021
3022 if (err) {
3023 struct l2cap_cmd_rej rej;
2c6d1a2e
GP		 3024
3025 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 3026
3027 /* FIXME: Map err to a valid reason */
aca3192c 3028 rej.reason = cpu_to_le16(0);
1da177e4
LT		 3029 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3030 }
3031
88219a0f
AV		 3032 data += cmd_len;
3033 len -= cmd_len;
1da177e4
LT		 3034 }
3035
3036 kfree_skb(skb);
3037}
3038
47d1ec61 3039static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 3040{
3041 u16 our_fcs, rcv_fcs;
3042 int hdr_size = L2CAP_HDR_SIZE + 2;
3043
47d1ec61 3044 if (chan->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 3045 skb_trim(skb, skb->len - 2);
3046 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
3047 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
3048
3049 if (our_fcs != rcv_fcs)
7a560e5c 3050 return -EBADMSG;
fcc203c3
GP		 3051 }
3052 return 0;
3053}
3054
525cd185 3055static inline void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 3056{
d5392c8f
GP		 3057 u16 control = 0;
3058
6a026610 3059 chan->frames_sent = 0;
d5392c8f 3060
42e5c802 3061 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
d5392c8f 3062
525cd185 3063 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
64988868 3064 control |= L2CAP_SUPER_RCV_NOT_READY;
525cd185
GP		 3065 l2cap_send_sframe(chan, control);
3066 chan->conn_state |= L2CAP_CONN_RNR_SENT;
d5392c8f
GP		 3067 }
3068
525cd185
GP		 3069 if (chan->conn_state & L2CAP_CONN_REMOTE_BUSY)
3070 l2cap_retransmit_frames(chan);
d5392c8f 3071
525cd185 3072 l2cap_ertm_send(chan);
d5392c8f 3073
525cd185 3074 if (!(chan->conn_state & L2CAP_CONN_LOCAL_BUSY) &&
6a026610 3075 chan->frames_sent == 0) {
d5392c8f 3076 control |= L2CAP_SUPER_RCV_READY;
525cd185 3077 l2cap_send_sframe(chan, control);
d5392c8f
GP		 3078 }
3079}
3080
42e5c802 3081static int l2cap_add_to_srej_queue(struct l2cap_chan *chan, struct sk_buff *skb, u8 tx_seq, u8 sar)
8f17154f
GP		 3082{
3083 struct sk_buff *next_skb;
bfbacc11 3084 int tx_seq_offset, next_tx_seq_offset;
8f17154f
GP		 3085
3086 bt_cb(skb)->tx_seq = tx_seq;
3087 bt_cb(skb)->sar = sar;
3088
f1c6775b 3089 next_skb = skb_peek(&chan->srej_q);
8f17154f 3090 if (!next_skb) {
f1c6775b 3091 __skb_queue_tail(&chan->srej_q, skb);
9b53350d 3092 return 0;
8f17154f
GP		 3093 }
3094
42e5c802 3095 tx_seq_offset = (tx_seq - chan->buffer_seq) % 64;
bfbacc11
JPRV		 3096 if (tx_seq_offset < 0)
3097 tx_seq_offset += 64;
3098
8f17154f 3099 do {
9b53350d
JPRV		 3100 if (bt_cb(next_skb)->tx_seq == tx_seq)
3101 return -EINVAL;
3102
bfbacc11 3103 next_tx_seq_offset = (bt_cb(next_skb)->tx_seq -
42e5c802 3104 chan->buffer_seq) % 64;
bfbacc11
JPRV		 3105 if (next_tx_seq_offset < 0)
3106 next_tx_seq_offset += 64;
3107
3108 if (next_tx_seq_offset > tx_seq_offset) {
f1c6775b 3109 __skb_queue_before(&chan->srej_q, next_skb, skb);
9b53350d 3110 return 0;
8f17154f
GP		 3111 }
3112
f1c6775b 3113 if (skb_queue_is_last(&chan->srej_q, next_skb))
8f17154f
GP		 3114 break;
3115
f1c6775b 3116 } while ((next_skb = skb_queue_next(&chan->srej_q, next_skb)));
8f17154f 3117
f1c6775b 3118 __skb_queue_tail(&chan->srej_q, skb);
9b53350d
JPRV		 3119
3120 return 0;
8f17154f
GP		 3121}
3122
525cd185 3123static int l2cap_ertm_reassembly_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u16 control)
18778a63 3124{
18778a63 3125 struct sk_buff *_skb;
1890d36b 3126 int err;
18778a63
GP		 3127
3128 switch (control & L2CAP_CTRL_SAR) {
3129 case L2CAP_SDU_UNSEGMENTED:
525cd185 3130 if (chan->conn_state & L2CAP_CONN_SAR_SDU)
18778a63
GP		 3131 goto drop;
3132
23070494 3133 return chan->ops->recv(chan->data, skb);
18778a63
GP		 3134
3135 case L2CAP_SDU_START:
525cd185 3136 if (chan->conn_state & L2CAP_CONN_SAR_SDU)
18778a63
GP		 3137 goto drop;
3138
6f61fd47 3139 chan->sdu_len = get_unaligned_le16(skb->data);
18778a63 3140
0c1bc5c6 3141 if (chan->sdu_len > chan->imtu)
18778a63
GP		 3142 goto disconnect;
3143
6f61fd47
GP		 3144 chan->sdu = bt_skb_alloc(chan->sdu_len, GFP_ATOMIC);
3145 if (!chan->sdu)
1890d36b
GP		 3146 return -ENOMEM;
3147
3148 /* pull sdu_len bytes only after alloc, because of Local Busy
3149 * condition we have to be sure that this will be executed
3150 * only once, i.e., when alloc does not fail */
3151 skb_pull(skb, 2);
18778a63 3152
6f61fd47 3153 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
18778a63 3154
525cd185 3155 chan->conn_state |= L2CAP_CONN_SAR_SDU;
6f61fd47 3156 chan->partial_sdu_len = skb->len;
18778a63
GP		 3157 break;
3158
3159 case L2CAP_SDU_CONTINUE:
525cd185 3160 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
18778a63
GP		 3161 goto disconnect;
3162
6f61fd47 3163 if (!chan->sdu)
18778a63
GP		 3164 goto disconnect;
3165
6f61fd47
GP		 3166 chan->partial_sdu_len += skb->len;
3167 if (chan->partial_sdu_len > chan->sdu_len)
18778a63
GP		 3168 goto drop;
3169
6f61fd47 3170 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
4178ba46 3171
18778a63
GP		 3172 break;
3173
3174 case L2CAP_SDU_END:
525cd185 3175 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
18778a63
GP		 3176 goto disconnect;
3177
6f61fd47 3178 if (!chan->sdu)
18778a63
GP		 3179 goto disconnect;
3180
525cd185 3181 if (!(chan->conn_state & L2CAP_CONN_SAR_RETRY)) {
6f61fd47 3182 chan->partial_sdu_len += skb->len;
18778a63 3183
0c1bc5c6 3184 if (chan->partial_sdu_len > chan->imtu)
1890d36b 3185 goto drop;
18778a63 3186
6f61fd47 3187 if (chan->partial_sdu_len != chan->sdu_len)
1890d36b 3188 goto drop;
4178ba46 3189
6f61fd47 3190 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
1890d36b 3191 }
18778a63 3192
6f61fd47 3193 _skb = skb_clone(chan->sdu, GFP_ATOMIC);
1890d36b 3194 if (!_skb) {
525cd185 3195 chan->conn_state |= L2CAP_CONN_SAR_RETRY;
1890d36b
GP		 3196 return -ENOMEM;
3197 }
3198
23070494 3199 err = chan->ops->recv(chan->data, _skb);
1890d36b 3200 if (err < 0) {
18778a63 3201 kfree_skb(_skb);
525cd185 3202 chan->conn_state |= L2CAP_CONN_SAR_RETRY;
1890d36b
GP		 3203 return err;
3204 }
3205
525cd185
GP		 3206 chan->conn_state &= ~L2CAP_CONN_SAR_RETRY;
3207 chan->conn_state &= ~L2CAP_CONN_SAR_SDU;
18778a63 3208
6f61fd47 3209 kfree_skb(chan->sdu);
18778a63
GP		 3210 break;
3211 }
3212
3213 kfree_skb(skb);
1890d36b 3214 return 0;
18778a63
GP		 3215
3216drop:
6f61fd47
GP		 3217 kfree_skb(chan->sdu);
3218 chan->sdu = NULL;
18778a63
GP		 3219
3220disconnect:
8c1d787b 3221 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
18778a63
GP		 3222 kfree_skb(skb);
3223 return 0;
3224}
3225
525cd185 3226static int l2cap_try_push_rx_skb(struct l2cap_chan *chan)
712132eb 3227{
712132eb
GP		 3228 struct sk_buff *skb;
3229 u16 control;
3230 int err;
3231
f1c6775b 3232 while ((skb = skb_dequeue(&chan->busy_q))) {
712132eb 3233 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
525cd185 3234 err = l2cap_ertm_reassembly_sdu(chan, skb, control);
712132eb 3235 if (err < 0) {
f1c6775b 3236 skb_queue_head(&chan->busy_q, skb);
712132eb
GP		 3237 return -EBUSY;
3238 }
3239
42e5c802 3240 chan->buffer_seq = (chan->buffer_seq + 1) % 64;
712132eb
GP		 3241 }
3242
525cd185 3243 if (!(chan->conn_state & L2CAP_CONN_RNR_SENT))
712132eb
GP		 3244 goto done;
3245
42e5c802 3246 control = chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
712132eb 3247 control |= L2CAP_SUPER_RCV_READY | L2CAP_CTRL_POLL;
525cd185 3248 l2cap_send_sframe(chan, control);
6a026610 3249 chan->retry_count = 1;
712132eb 3250
e92c8e70 3251 del_timer(&chan->retrans_timer);
712132eb
GP		 3252 __mod_monitor_timer();
3253
525cd185 3254 chan->conn_state |= L2CAP_CONN_WAIT_F;
712132eb
GP		 3255
3256done:
525cd185
GP		 3257 chan->conn_state &= ~L2CAP_CONN_LOCAL_BUSY;
3258 chan->conn_state &= ~L2CAP_CONN_RNR_SENT;
712132eb 3259
49208c9c 3260 BT_DBG("chan %p, Exit local busy", chan);
712132eb
GP		 3261
3262 return 0;
3263}
3264
1890d36b
GP		 3265static void l2cap_busy_work(struct work_struct *work)
3266{
3267 DECLARE_WAITQUEUE(wait, current);
311bb895
GP		 3268 struct l2cap_chan *chan =
3269 container_of(work, struct l2cap_chan, busy_work);
3270 struct sock *sk = chan->sk;
1890d36b
GP		 3271 int n_tries = 0, timeo = HZ/5, err;
3272 struct sk_buff *skb;
1890d36b
GP		 3273
3274 lock_sock(sk);
3275
2b0b05dd 3276 add_wait_queue(sk_sleep(sk), &wait);
311bb895 3277 while ((skb = skb_peek(&chan->busy_q))) {
1890d36b
GP		 3278 set_current_state(TASK_INTERRUPTIBLE);
3279
3280 if (n_tries++ > L2CAP_LOCAL_BUSY_TRIES) {
3281 err = -EBUSY;
8c1d787b 3282 l2cap_send_disconn_req(chan->conn, chan, EBUSY);
712132eb 3283 break;
1890d36b
GP		 3284 }
3285
3286 if (!timeo)
3287 timeo = HZ/5;
3288
3289 if (signal_pending(current)) {
3290 err = sock_intr_errno(timeo);
712132eb 3291 break;
1890d36b
GP		 3292 }
3293
3294 release_sock(sk);
3295 timeo = schedule_timeout(timeo);
3296 lock_sock(sk);
3297
3298 err = sock_error(sk);
3299 if (err)
712132eb 3300 break;
1890d36b 3301
311bb895 3302 if (l2cap_try_push_rx_skb(chan) == 0)
1890d36b
GP		 3303 break;
3304 }
3305
1890d36b 3306 set_current_state(TASK_RUNNING);
2b0b05dd 3307 remove_wait_queue(sk_sleep(sk), &wait);
1890d36b
GP		 3308
3309 release_sock(sk);
3310}
3311
525cd185 3312static int l2cap_push_rx_skb(struct l2cap_chan *chan, struct sk_buff *skb, u16 control)
1890d36b 3313{
1890d36b
GP		 3314 int sctrl, err;
3315
525cd185 3316 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
1890d36b 3317 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
f1c6775b 3318 __skb_queue_tail(&chan->busy_q, skb);
525cd185 3319 return l2cap_try_push_rx_skb(chan);
712132eb
GP		 3320
3321
1890d36b
GP		 3322 }
3323
525cd185 3324 err = l2cap_ertm_reassembly_sdu(chan, skb, control);
1890d36b 3325 if (err >= 0) {
42e5c802 3326 chan->buffer_seq = (chan->buffer_seq + 1) % 64;
1890d36b
GP		 3327 return err;
3328 }
3329
3330 /* Busy Condition */
311bb895 3331 BT_DBG("chan %p, Enter local busy", chan);
0e98958d 3332
525cd185 3333 chan->conn_state |= L2CAP_CONN_LOCAL_BUSY;
1890d36b 3334 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
f1c6775b 3335 __skb_queue_tail(&chan->busy_q, skb);
1890d36b 3336
42e5c802 3337 sctrl = chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1890d36b 3338 sctrl |= L2CAP_SUPER_RCV_NOT_READY;
525cd185 3339 l2cap_send_sframe(chan, sctrl);
1890d36b 3340
525cd185 3341 chan->conn_state |= L2CAP_CONN_RNR_SENT;
1890d36b 3342
e92c8e70 3343 del_timer(&chan->ack_timer);
7fe9b298 3344
311bb895 3345 queue_work(_busy_wq, &chan->busy_work);
1890d36b
GP		 3346
3347 return err;
3348}
3349
525cd185 3350static int l2cap_streaming_reassembly_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u16 control)
c74e560c 3351{
c74e560c
GP		 3352 struct sk_buff *_skb;
3353 int err = -EINVAL;
3354
18778a63
GP		 3355 /*
3356 * TODO: We have to notify the userland if some data is lost with the
3357 * Streaming Mode.
3358 */
3359
c74e560c
GP		 3360 switch (control & L2CAP_CTRL_SAR) {
3361 case L2CAP_SDU_UNSEGMENTED:
525cd185 3362 if (chan->conn_state & L2CAP_CONN_SAR_SDU) {
6f61fd47 3363 kfree_skb(chan->sdu);
c74e560c
GP		 3364 break;
3365 }
3366
23070494 3367 err = chan->ops->recv(chan->data, skb);
c74e560c
GP		 3368 if (!err)
3369 return 0;
3370
3371 break;
3372
3373 case L2CAP_SDU_START:
525cd185 3374 if (chan->conn_state & L2CAP_CONN_SAR_SDU) {
6f61fd47 3375 kfree_skb(chan->sdu);
c74e560c
GP		 3376 break;
3377 }
3378
6f61fd47 3379 chan->sdu_len = get_unaligned_le16(skb->data);
c74e560c
GP		 3380 skb_pull(skb, 2);
3381
0c1bc5c6 3382 if (chan->sdu_len > chan->imtu) {
052897ca
GP		 3383 err = -EMSGSIZE;
3384 break;
3385 }
3386
6f61fd47
GP		 3387 chan->sdu = bt_skb_alloc(chan->sdu_len, GFP_ATOMIC);
3388 if (!chan->sdu) {
c74e560c
GP		 3389 err = -ENOMEM;
3390 break;
3391 }
3392
6f61fd47 3393 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
c74e560c 3394
525cd185 3395 chan->conn_state |= L2CAP_CONN_SAR_SDU;
6f61fd47 3396 chan->partial_sdu_len = skb->len;
c74e560c
GP		 3397 err = 0;
3398 break;
3399
3400 case L2CAP_SDU_CONTINUE:
525cd185 3401 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
c74e560c
GP		 3402 break;
3403
6f61fd47 3404 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
c74e560c 3405
6f61fd47
GP		 3406 chan->partial_sdu_len += skb->len;
3407 if (chan->partial_sdu_len > chan->sdu_len)
3408 kfree_skb(chan->sdu);
c74e560c
GP		 3409 else
3410 err = 0;
3411
3412 break;
3413
3414 case L2CAP_SDU_END:
525cd185 3415 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
c74e560c
GP		 3416 break;
3417
6f61fd47 3418 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
c74e560c 3419
525cd185 3420 chan->conn_state &= ~L2CAP_CONN_SAR_SDU;
6f61fd47 3421 chan->partial_sdu_len += skb->len;
c74e560c 3422
0c1bc5c6 3423 if (chan->partial_sdu_len > chan->imtu)
36f2fd58
GP		 3424 goto drop;
3425
6f61fd47
GP		 3426 if (chan->partial_sdu_len == chan->sdu_len) {
3427 _skb = skb_clone(chan->sdu, GFP_ATOMIC);
23070494 3428 err = chan->ops->recv(chan->data, _skb);
c74e560c
GP		 3429 if (err < 0)
3430 kfree_skb(_skb);
3431 }
c74e560c
GP		 3432 err = 0;
3433
36f2fd58 3434drop:
6f61fd47 3435 kfree_skb(chan->sdu);
c74e560c
GP		 3436 break;
3437 }
3438
3439 kfree_skb(skb);
3440 return err;
3441}
3442
525cd185 3443static void l2cap_check_srej_gap(struct l2cap_chan *chan, u8 tx_seq)
8f17154f
GP		 3444{
3445 struct sk_buff *skb;
afefdbc4 3446 u16 control;
8f17154f 3447
f1c6775b 3448 while ((skb = skb_peek(&chan->srej_q))) {
8f17154f
GP		 3449 if (bt_cb(skb)->tx_seq != tx_seq)
3450 break;
3451
f1c6775b 3452 skb = skb_dequeue(&chan->srej_q);
afefdbc4 3453 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
525cd185 3454 l2cap_ertm_reassembly_sdu(chan, skb, control);
42e5c802
GP		 3455 chan->buffer_seq_srej =
3456 (chan->buffer_seq_srej + 1) % 64;
8ff50ec0 3457 tx_seq = (tx_seq + 1) % 64;
8f17154f
GP		 3458 }
3459}
3460
525cd185 3461static void l2cap_resend_srejframe(struct l2cap_chan *chan, u8 tx_seq)
8f17154f 3462{
8f17154f
GP		 3463 struct srej_list *l, *tmp;
3464 u16 control;
3465
39d5a3ee 3466 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
8f17154f
GP		 3467 if (l->tx_seq == tx_seq) {
3468 list_del(&l->list);
3469 kfree(l);
3470 return;
3471 }
3472 control = L2CAP_SUPER_SELECT_REJECT;
3473 control |= l->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
525cd185 3474 l2cap_send_sframe(chan, control);
8f17154f 3475 list_del(&l->list);
39d5a3ee 3476 list_add_tail(&l->list, &chan->srej_l);
8f17154f
GP		 3477 }
3478}
3479
525cd185 3480static void l2cap_send_srejframe(struct l2cap_chan *chan, u8 tx_seq)
8f17154f 3481{
8f17154f
GP		 3482 struct srej_list *new;
3483 u16 control;
3484
42e5c802 3485 while (tx_seq != chan->expected_tx_seq) {
8f17154f 3486 control = L2CAP_SUPER_SELECT_REJECT;
42e5c802 3487 control |= chan->expected_tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
525cd185 3488 l2cap_send_sframe(chan, control);
8f17154f
GP		 3489
3490 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
42e5c802
GP		 3491 new->tx_seq = chan->expected_tx_seq;
3492 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
39d5a3ee 3493 list_add_tail(&new->list, &chan->srej_l);
8f17154f 3494 }
42e5c802 3495 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
8f17154f
GP		 3496}
3497
525cd185 3498static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u16 rx_control, struct sk_buff *skb)
1c2acffb 3499{
1c2acffb 3500 u8 tx_seq = __get_txseq(rx_control);
9f121a5a 3501 u8 req_seq = __get_reqseq(rx_control);
8f17154f 3502 u8 sar = rx_control >> L2CAP_CTRL_SAR_SHIFT;
f6337c77 3503 int tx_seq_offset, expected_tx_seq_offset;
47d1ec61 3504 int num_to_ack = (chan->tx_win/6) + 1;
1c2acffb
GP		 3505 int err = 0;
3506
525cd185
GP		 3507 BT_DBG("chan %p len %d tx_seq %d rx_control 0x%4.4x", chan, skb->len,
3508 tx_seq, rx_control);
1c2acffb 3509
9b16dc65 3510 if (L2CAP_CTRL_FINAL & rx_control &&
525cd185 3511 chan->conn_state & L2CAP_CONN_WAIT_F) {
e92c8e70 3512 del_timer(&chan->monitor_timer);
6a026610 3513 if (chan->unacked_frames > 0)
1d8f5d16 3514 __mod_retrans_timer();
525cd185 3515 chan->conn_state &= ~L2CAP_CONN_WAIT_F;
1d8f5d16
GP		 3516 }
3517
42e5c802
GP		 3518 chan->expected_ack_seq = req_seq;
3519 l2cap_drop_acked_frames(chan);
9f121a5a 3520
42e5c802 3521 if (tx_seq == chan->expected_tx_seq)
8f17154f 3522 goto expected;
1c2acffb 3523
42e5c802 3524 tx_seq_offset = (tx_seq - chan->buffer_seq) % 64;
9b53350d
JPRV		 3525 if (tx_seq_offset < 0)
3526 tx_seq_offset += 64;
3527
3528 /* invalid tx_seq */
47d1ec61 3529 if (tx_seq_offset >= chan->tx_win) {
8c1d787b 3530 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
9b53350d
JPRV		 3531 goto drop;
3532 }
3533
e6949280 3534 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY)
1890d36b
GP		 3535 goto drop;
3536
525cd185 3537 if (chan->conn_state & L2CAP_CONN_SREJ_SENT) {
8f17154f 3538 struct srej_list *first;
30afb5b2 3539
39d5a3ee 3540 first = list_first_entry(&chan->srej_l,
8f17154f
GP		 3541 struct srej_list, list);
3542 if (tx_seq == first->tx_seq) {
42e5c802 3543 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
525cd185 3544 l2cap_check_srej_gap(chan, tx_seq);
8f17154f
GP		 3545
3546 list_del(&first->list);
3547 kfree(first);
3548
39d5a3ee 3549 if (list_empty(&chan->srej_l)) {
42e5c802 3550 chan->buffer_seq = chan->buffer_seq_srej;
525cd185
GP		 3551 chan->conn_state &= ~L2CAP_CONN_SREJ_SENT;
3552 l2cap_send_ack(chan);
49208c9c 3553 BT_DBG("chan %p, Exit SREJ_SENT", chan);
8f17154f
GP		 3554 }
3555 } else {
3556 struct srej_list *l;
9b53350d
JPRV		 3557
3558 /* duplicated tx_seq */
42e5c802 3559 if (l2cap_add_to_srej_queue(chan, skb, tx_seq, sar) < 0)
9b53350d 3560 goto drop;
8f17154f 3561
39d5a3ee 3562 list_for_each_entry(l, &chan->srej_l, list) {
8f17154f 3563 if (l->tx_seq == tx_seq) {
525cd185 3564 l2cap_resend_srejframe(chan, tx_seq);
8f17154f
GP		 3565 return 0;
3566 }
3567 }
525cd185 3568 l2cap_send_srejframe(chan, tx_seq);
30afb5b2
GP		 3569 }
3570 } else {
9b53350d 3571 expected_tx_seq_offset =
42e5c802 3572 (chan->expected_tx_seq - chan->buffer_seq) % 64;
9b53350d
JPRV		 3573 if (expected_tx_seq_offset < 0)
3574 expected_tx_seq_offset += 64;
3575
3576 /* duplicated tx_seq */
3577 if (tx_seq_offset < expected_tx_seq_offset)
3578 goto drop;
3579
525cd185 3580 chan->conn_state |= L2CAP_CONN_SREJ_SENT;
1c2acffb 3581
49208c9c 3582 BT_DBG("chan %p, Enter SREJ", chan);
0e98958d 3583
39d5a3ee 3584 INIT_LIST_HEAD(&chan->srej_l);
42e5c802 3585 chan->buffer_seq_srej = chan->buffer_seq;
8f17154f 3586
f1c6775b
GP		 3587 __skb_queue_head_init(&chan->srej_q);
3588 __skb_queue_head_init(&chan->busy_q);
42e5c802 3589 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
8f17154f 3590
525cd185 3591 chan->conn_state |= L2CAP_CONN_SEND_PBIT;
ef54fd93 3592
525cd185 3593 l2cap_send_srejframe(chan, tx_seq);
7fe9b298 3594
e92c8e70 3595 del_timer(&chan->ack_timer);
1c2acffb 3596 }
30afb5b2
GP		 3597 return 0;
3598
8f17154f 3599expected:
42e5c802 3600 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
8f17154f 3601
525cd185 3602 if (chan->conn_state & L2CAP_CONN_SREJ_SENT) {
3b1a9f3f
GP		 3603 bt_cb(skb)->tx_seq = tx_seq;
3604 bt_cb(skb)->sar = sar;
f1c6775b 3605 __skb_queue_tail(&chan->srej_q, skb);
8f17154f
GP		 3606 return 0;
3607 }
3608
525cd185 3609 err = l2cap_push_rx_skb(chan, skb, rx_control);
2ece3684
GP		 3610 if (err < 0)
3611 return 0;
3612
4ec10d97 3613 if (rx_control & L2CAP_CTRL_FINAL) {
525cd185
GP		 3614 if (chan->conn_state & L2CAP_CONN_REJ_ACT)
3615 chan->conn_state &= ~L2CAP_CONN_REJ_ACT;
dfc909be 3616 else
525cd185 3617 l2cap_retransmit_frames(chan);
4ec10d97
GP		 3618 }
3619
c1b4f43b
GP		 3620 __mod_ack_timer();
3621
6a026610
GP		 3622 chan->num_acked = (chan->num_acked + 1) % num_to_ack;
3623 if (chan->num_acked == num_to_ack - 1)
525cd185 3624 l2cap_send_ack(chan);
9e917af1 3625
8f17154f 3626 return 0;
9b53350d
JPRV		 3627
3628drop:
3629 kfree_skb(skb);
3630 return 0;
1c2acffb
GP		 3631}
3632
525cd185 3633static inline void l2cap_data_channel_rrframe(struct l2cap_chan *chan, u16 rx_control)
1c2acffb 3634{
49208c9c 3635 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, __get_reqseq(rx_control),
0e98958d
GP		 3636 rx_control);
3637
42e5c802
GP		 3638 chan->expected_ack_seq = __get_reqseq(rx_control);
3639 l2cap_drop_acked_frames(chan);
1c2acffb 3640
e072745f 3641 if (rx_control & L2CAP_CTRL_POLL) {
525cd185
GP		 3642 chan->conn_state |= L2CAP_CONN_SEND_FBIT;
3643 if (chan->conn_state & L2CAP_CONN_SREJ_SENT) {
3644 if ((chan->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
6a026610 3645 (chan->unacked_frames > 0))
05fbd89d
GP		 3646 __mod_retrans_timer();
3647
525cd185
GP		 3648 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3649 l2cap_send_srejtail(chan);
05fbd89d 3650 } else {
525cd185 3651 l2cap_send_i_or_rr_or_rnr(chan);
05fbd89d 3652 }
1d8f5d16 3653
e072745f 3654 } else if (rx_control & L2CAP_CTRL_FINAL) {
525cd185 3655 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
4ec10d97 3656
525cd185
GP		 3657 if (chan->conn_state & L2CAP_CONN_REJ_ACT)
3658 chan->conn_state &= ~L2CAP_CONN_REJ_ACT;
dfc909be 3659 else
525cd185 3660 l2cap_retransmit_frames(chan);
2246b2f1 3661
e072745f 3662 } else {
525cd185 3663 if ((chan->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
6a026610 3664 (chan->unacked_frames > 0))
e072745f 3665 __mod_retrans_timer();
1c2acffb 3666
525cd185
GP		 3667 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3668 if (chan->conn_state & L2CAP_CONN_SREJ_SENT)
3669 l2cap_send_ack(chan);
894718a6 3670 else
525cd185 3671 l2cap_ertm_send(chan);
e072745f
GP		 3672 }
3673}
2246b2f1 3674
525cd185 3675static inline void l2cap_data_channel_rejframe(struct l2cap_chan *chan, u16 rx_control)
e072745f 3676{
e072745f 3677 u8 tx_seq = __get_reqseq(rx_control);
30afb5b2 3678
525cd185 3679 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
0e98958d 3680
525cd185 3681 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
e072745f 3682
42e5c802
GP		 3683 chan->expected_ack_seq = tx_seq;
3684 l2cap_drop_acked_frames(chan);
e072745f
GP		 3685
3686 if (rx_control & L2CAP_CTRL_FINAL) {
525cd185
GP		 3687 if (chan->conn_state & L2CAP_CONN_REJ_ACT)
3688 chan->conn_state &= ~L2CAP_CONN_REJ_ACT;
dfc909be 3689 else
525cd185 3690 l2cap_retransmit_frames(chan);
e072745f 3691 } else {
525cd185 3692 l2cap_retransmit_frames(chan);
30afb5b2 3693
525cd185
GP		 3694 if (chan->conn_state & L2CAP_CONN_WAIT_F)
3695 chan->conn_state |= L2CAP_CONN_REJ_ACT;
e072745f
GP		 3696 }
3697}
525cd185 3698static inline void l2cap_data_channel_srejframe(struct l2cap_chan *chan, u16 rx_control)
e072745f 3699{
e072745f 3700 u8 tx_seq = __get_reqseq(rx_control);
30afb5b2 3701
525cd185 3702 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
0e98958d 3703
525cd185 3704 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
2246b2f1 3705
e072745f 3706 if (rx_control & L2CAP_CTRL_POLL) {
42e5c802
GP		 3707 chan->expected_ack_seq = tx_seq;
3708 l2cap_drop_acked_frames(chan);
3cb123d1 3709
525cd185
GP		 3710 chan->conn_state |= L2CAP_CONN_SEND_FBIT;
3711 l2cap_retransmit_one_frame(chan, tx_seq);
dfc909be 3712
525cd185 3713 l2cap_ertm_send(chan);
dfc909be 3714
525cd185 3715 if (chan->conn_state & L2CAP_CONN_WAIT_F) {
6a026610 3716 chan->srej_save_reqseq = tx_seq;
525cd185 3717 chan->conn_state |= L2CAP_CONN_SREJ_ACT;
ef54fd93 3718 }
e072745f 3719 } else if (rx_control & L2CAP_CTRL_FINAL) {
525cd185 3720 if ((chan->conn_state & L2CAP_CONN_SREJ_ACT) &&
6a026610 3721 chan->srej_save_reqseq == tx_seq)
525cd185 3722 chan->conn_state &= ~L2CAP_CONN_SREJ_ACT;
e072745f 3723 else
525cd185 3724 l2cap_retransmit_one_frame(chan, tx_seq);
e072745f 3725 } else {
525cd185
GP		 3726 l2cap_retransmit_one_frame(chan, tx_seq);
3727 if (chan->conn_state & L2CAP_CONN_WAIT_F) {
6a026610 3728 chan->srej_save_reqseq = tx_seq;
525cd185 3729 chan->conn_state |= L2CAP_CONN_SREJ_ACT;
ef54fd93 3730 }
e072745f
GP		 3731 }
3732}
3733
525cd185 3734static inline void l2cap_data_channel_rnrframe(struct l2cap_chan *chan, u16 rx_control)
e072745f 3735{
e072745f
GP		 3736 u8 tx_seq = __get_reqseq(rx_control);
3737
525cd185 3738 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
0e98958d 3739
525cd185 3740 chan->conn_state |= L2CAP_CONN_REMOTE_BUSY;
42e5c802
GP		 3741 chan->expected_ack_seq = tx_seq;
3742 l2cap_drop_acked_frames(chan);
e072745f 3743
3cb123d1 3744 if (rx_control & L2CAP_CTRL_POLL)
525cd185 3745 chan->conn_state |= L2CAP_CONN_SEND_FBIT;
3cb123d1 3746
525cd185 3747 if (!(chan->conn_state & L2CAP_CONN_SREJ_SENT)) {
e92c8e70 3748 del_timer(&chan->retrans_timer);
a2e12a2a 3749 if (rx_control & L2CAP_CTRL_POLL)
525cd185 3750 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_FINAL);
99b0d4b7 3751 return;
e072745f 3752 }
99b0d4b7
GP		 3753
3754 if (rx_control & L2CAP_CTRL_POLL)
525cd185 3755 l2cap_send_srejtail(chan);
99b0d4b7 3756 else
525cd185 3757 l2cap_send_sframe(chan, L2CAP_SUPER_RCV_READY);
e072745f
GP		 3758}
3759
525cd185 3760static inline int l2cap_data_channel_sframe(struct l2cap_chan *chan, u16 rx_control, struct sk_buff *skb)
e072745f 3761{
525cd185 3762 BT_DBG("chan %p rx_control 0x%4.4x len %d", chan, rx_control, skb->len);
e072745f 3763
9b16dc65 3764 if (L2CAP_CTRL_FINAL & rx_control &&
525cd185 3765 chan->conn_state & L2CAP_CONN_WAIT_F) {
e92c8e70 3766 del_timer(&chan->monitor_timer);
6a026610 3767 if (chan->unacked_frames > 0)
e072745f 3768 __mod_retrans_timer();
525cd185 3769 chan->conn_state &= ~L2CAP_CONN_WAIT_F;
e072745f
GP		 3770 }
3771
3772 switch (rx_control & L2CAP_CTRL_SUPERVISE) {
3773 case L2CAP_SUPER_RCV_READY:
525cd185 3774 l2cap_data_channel_rrframe(chan, rx_control);
8f17154f
GP		 3775 break;
3776
e072745f 3777 case L2CAP_SUPER_REJECT:
525cd185 3778 l2cap_data_channel_rejframe(chan, rx_control);
e072745f 3779 break;
2246b2f1 3780
e072745f 3781 case L2CAP_SUPER_SELECT_REJECT:
525cd185 3782 l2cap_data_channel_srejframe(chan, rx_control);
e072745f
GP		 3783 break;
3784
3785 case L2CAP_SUPER_RCV_NOT_READY:
525cd185 3786 l2cap_data_channel_rnrframe(chan, rx_control);
1c2acffb
GP		 3787 break;
3788 }
3789
faaebd19 3790 kfree_skb(skb);
1c2acffb
GP		 3791 return 0;
3792}
3793
218bb9df
GP		 3794static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb)
3795{
525cd185 3796 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
218bb9df
GP		 3797 u16 control;
3798 u8 req_seq;
3799 int len, next_tx_seq_offset, req_seq_offset;
3800
3801 control = get_unaligned_le16(skb->data);
3802 skb_pull(skb, 2);
3803 len = skb->len;
3804
3805 /*
3806 * We can just drop the corrupted I-frame here.
3807 * Receiver will miss it and start proper recovery
3808 * procedures and ask retransmission.
3809 */
47d1ec61 3810 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 3811 goto drop;
3812
3813 if (__is_sar_start(control) && __is_iframe(control))
3814 len -= 2;
3815
47d1ec61 3816 if (chan->fcs == L2CAP_FCS_CRC16)
218bb9df
GP		 3817 len -= 2;
3818
47d1ec61 3819 if (len > chan->mps) {
8c1d787b 3820 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3821 goto drop;
3822 }
3823
3824 req_seq = __get_reqseq(control);
42e5c802 3825 req_seq_offset = (req_seq - chan->expected_ack_seq) % 64;
218bb9df
GP		 3826 if (req_seq_offset < 0)
3827 req_seq_offset += 64;
3828
3829 next_tx_seq_offset =
42e5c802 3830 (chan->next_tx_seq - chan->expected_ack_seq) % 64;
218bb9df
GP		 3831 if (next_tx_seq_offset < 0)
3832 next_tx_seq_offset += 64;
3833
3834 /* check for invalid req-seq */
3835 if (req_seq_offset > next_tx_seq_offset) {
8c1d787b 3836 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3837 goto drop;
3838 }
3839
3840 if (__is_iframe(control)) {
3841 if (len < 0) {
8c1d787b 3842 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3843 goto drop;
3844 }
3845
525cd185 3846 l2cap_data_channel_iframe(chan, control, skb);
218bb9df
GP		 3847 } else {
3848 if (len != 0) {
3849 BT_ERR("%d", len);
8c1d787b 3850 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3851 goto drop;
3852 }
3853
525cd185 3854 l2cap_data_channel_sframe(chan, control, skb);
218bb9df
GP		 3855 }
3856
3857 return 0;
3858
3859drop:
3860 kfree_skb(skb);
3861 return 0;
3862}
3863
1da177e4
LT		 3864static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
3865{
48454079 3866 struct l2cap_chan *chan;
bf734843 3867 struct sock *sk = NULL;
51893f88 3868 u16 control;
218bb9df
GP		 3869 u8 tx_seq;
3870 int len;
1da177e4 3871
baa7e1fa 3872 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 3873 if (!chan) {
1da177e4
LT		 3874 BT_DBG("unknown cid 0x%4.4x", cid);
3875 goto drop;
3876 }
3877
48454079 3878 sk = chan->sk;
6840ed07 3879
49208c9c 3880 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 3881
89bc500e 3882 if (chan->state != BT_CONNECTED)
1da177e4
LT		 3883 goto drop;
3884
0c1bc5c6 3885 switch (chan->mode) {
1c2acffb
GP		 3886 case L2CAP_MODE_BASIC:
3887 /* If socket recv buffers overflows we drop data here
3888 * which is *bad* because L2CAP has to be reliable.
3889 * But we don't have any other choice. L2CAP doesn't
3890 * provide flow control mechanism. */
1da177e4 3891
0c1bc5c6 3892 if (chan->imtu < skb->len)
1c2acffb 3893 goto drop;
1da177e4 3894
23070494 3895 if (!chan->ops->recv(chan->data, skb))
1c2acffb
GP		 3896 goto done;
3897 break;
3898
3899 case L2CAP_MODE_ERTM:
218bb9df
GP		 3900 if (!sock_owned_by_user(sk)) {
3901 l2cap_ertm_data_rcv(sk, skb);
277ffbe3 3902 } else {
218bb9df 3903 if (sk_add_backlog(sk, skb))
277ffbe3 3904 goto drop;
277ffbe3 3905 }
1c2acffb 3906
fcafde2e 3907 goto done;
1c2acffb 3908
6840ed07
GP		 3909 case L2CAP_MODE_STREAMING:
3910 control = get_unaligned_le16(skb->data);
3911 skb_pull(skb, 2);
3912 len = skb->len;
3913
47d1ec61 3914 if (l2cap_check_fcs(chan, skb))
26000089
GP		 3915 goto drop;
3916
6840ed07
GP		 3917 if (__is_sar_start(control))
3918 len -= 2;
3919
47d1ec61 3920 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3
GP		 3921 len -= 2;
3922
47d1ec61 3923 if (len > chan->mps || len < 0 || __is_sframe(control))
6840ed07
GP		 3924 goto drop;
3925
3926 tx_seq = __get_txseq(control);
3927
42e5c802
GP		 3928 if (chan->expected_tx_seq == tx_seq)
3929 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
6840ed07 3930 else
42e5c802 3931 chan->expected_tx_seq = (tx_seq + 1) % 64;
6840ed07 3932
525cd185 3933 l2cap_streaming_reassembly_sdu(chan, skb, control);
6840ed07
GP		 3934
3935 goto done;
3936
1c2acffb 3937 default:
0c1bc5c6 3938 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 3939 break;
3940 }
1da177e4
LT		 3941
3942drop:
3943 kfree_skb(skb);
3944
3945done:
0139418c
MH		 3946 if (sk)
3947 bh_unlock_sock(sk);
3948
1da177e4
LT		 3949 return 0;
3950}
3951
8e036fc3 3952static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
1da177e4 3953{
6dcae1ea 3954 struct sock *sk = NULL;
23691d75 3955 struct l2cap_chan *chan;
1da177e4 3956
23691d75
GP		 3957 chan = l2cap_global_chan_by_psm(0, psm, conn->src);
3958 if (!chan)
1da177e4
LT		 3959 goto drop;
3960
23691d75
GP		 3961 sk = chan->sk;
3962
e0f0cb56
GP		 3963 bh_lock_sock(sk);
3964
1da177e4
LT		 3965 BT_DBG("sk %p, len %d", sk, skb->len);
3966
89bc500e 3967 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 3968 goto drop;
3969
0c1bc5c6 3970 if (l2cap_pi(sk)->chan->imtu < skb->len)
1da177e4
LT		 3971 goto drop;
3972
23070494 3973 if (!chan->ops->recv(chan->data, skb))
1da177e4
LT		 3974 goto done;
3975
3976drop:
3977 kfree_skb(skb);
3978
3979done:
af05b30b
GP		 3980 if (sk)
3981 bh_unlock_sock(sk);
1da177e4
LT		 3982 return 0;
3983}
3984
9f69bda6
GP		 3985static inline int l2cap_att_channel(struct l2cap_conn *conn, __le16 cid, struct sk_buff *skb)
3986{
6dcae1ea 3987 struct sock *sk = NULL;
23691d75 3988 struct l2cap_chan *chan;
9f69bda6 3989
23691d75
GP		 3990 chan = l2cap_global_chan_by_scid(0, cid, conn->src);
3991 if (!chan)
9f69bda6
GP		 3992 goto drop;
3993
23691d75
GP		 3994 sk = chan->sk;
3995
9f69bda6
GP		 3996 bh_lock_sock(sk);
3997
3998 BT_DBG("sk %p, len %d", sk, skb->len);
3999
89bc500e 4000 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
9f69bda6
GP		 4001 goto drop;
4002
0c1bc5c6 4003 if (l2cap_pi(sk)->chan->imtu < skb->len)
9f69bda6
GP		 4004 goto drop;
4005
23070494 4006 if (!chan->ops->recv(chan->data, skb))
9f69bda6
GP		 4007 goto done;
4008
4009drop:
4010 kfree_skb(skb);
4011
4012done:
4013 if (sk)
4014 bh_unlock_sock(sk);
4015 return 0;
4016}
4017
1da177e4
LT		 4018static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
4019{
4020 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 4021 u16 cid, len;
4022 __le16 psm;
1da177e4
LT		 4023
4024 skb_pull(skb, L2CAP_HDR_SIZE);
4025 cid = __le16_to_cpu(lh->cid);
4026 len = __le16_to_cpu(lh->len);
4027
1c2acffb
GP		 4028 if (len != skb->len) {
4029 kfree_skb(skb);
4030 return;
4031 }
4032
1da177e4
LT		 4033 BT_DBG("len %d, cid 0x%4.4x", len, cid);
4034
4035 switch (cid) {
3300d9a9 4036 case L2CAP_CID_LE_SIGNALING:
8db4dc46 4037 case L2CAP_CID_SIGNALING:
1da177e4
LT		 4038 l2cap_sig_channel(conn, skb);
4039 break;
4040
8db4dc46 4041 case L2CAP_CID_CONN_LESS:
1b7bf4ed 4042 psm = get_unaligned_le16(skb->data);
1da177e4
LT		 4043 skb_pull(skb, 2);
4044 l2cap_conless_channel(conn, psm, skb);
4045 break;
4046
9f69bda6
GP		 4047 case L2CAP_CID_LE_DATA:
4048 l2cap_att_channel(conn, cid, skb);
4049 break;
4050
1da177e4
LT		 4051 default:
4052 l2cap_data_channel(conn, cid, skb);
4053 break;
4054 }
4055}
4056
4057/* ---- L2CAP interface with lower layer (HCI) ---- */
4058
4059static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
4060{
4061 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 4062 struct l2cap_chan *c;
1da177e4
LT		 4063
4064 if (type != ACL_LINK)
963cf687 4065 return -EINVAL;
1da177e4
LT		 4066
4067 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
4068
4069 /* Find listening sockets and check their link_mode */
23691d75
GP		 4070 read_lock(&chan_list_lock);
4071 list_for_each_entry(c, &chan_list, global_l) {
4072 struct sock *sk = c->sk;
4343478f 4073
89bc500e 4074 if (c->state != BT_LISTEN)
1da177e4
LT		 4075 continue;
4076
4077 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 4078 lm1 |= HCI_LM_ACCEPT;
23691d75 4079 if (c->role_switch)
2af6b9d5 4080 lm1 |= HCI_LM_MASTER;
1da177e4 4081 exact++;
2af6b9d5
MH		 4082 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
4083 lm2 |= HCI_LM_ACCEPT;
23691d75 4084 if (c->role_switch)
2af6b9d5
MH		 4085 lm2 |= HCI_LM_MASTER;
4086 }
1da177e4 4087 }
23691d75 4088 read_unlock(&chan_list_lock);
1da177e4
LT		 4089
4090 return exact ? lm1 : lm2;
4091}
4092
4093static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
4094{
0139418c
MH		 4095 struct l2cap_conn *conn;
4096
1da177e4
LT		 4097 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
4098
acd7d370 4099 if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK))
963cf687 4100 return -EINVAL;
1da177e4
LT		 4101
4102 if (!status) {
1da177e4
LT		 4103 conn = l2cap_conn_add(hcon, status);
4104 if (conn)
4105 l2cap_conn_ready(conn);
0139418c 4106 } else
1da177e4
LT		 4107 l2cap_conn_del(hcon, bt_err(status));
4108
4109 return 0;
4110}
4111
2950f21a
MH		 4112static int l2cap_disconn_ind(struct hci_conn *hcon)
4113{
4114 struct l2cap_conn *conn = hcon->l2cap_data;
4115
4116 BT_DBG("hcon %p", hcon);
4117
4118 if (hcon->type != ACL_LINK || !conn)
4119 return 0x13;
4120
4121 return conn->disc_reason;
4122}
4123
4124static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 4125{
4126 BT_DBG("hcon %p reason %d", hcon, reason);
4127
acd7d370 4128 if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK))
963cf687 4129 return -EINVAL;
1da177e4
LT		 4130
4131 l2cap_conn_del(hcon, bt_err(reason));
0139418c 4132
1da177e4
LT		 4133 return 0;
4134}
4135
4343478f 4136static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 4137{
715ec005 4138 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 4139 return;
4140
f62e4323 4141 if (encrypt == 0x00) {
4343478f 4142 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ab07801d
GP		 4143 l2cap_chan_clear_timer(chan);
4144 l2cap_chan_set_timer(chan, HZ * 5);
4343478f 4145 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 4146 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 4147 } else {
4343478f 4148 if (chan->sec_level == BT_SECURITY_MEDIUM)
ab07801d 4149 l2cap_chan_clear_timer(chan);
f62e4323
MH		 4150 }
4151}
4152
8c1b2355 4153static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 4154{
0139418c 4155 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 4156 struct l2cap_chan *chan;
1da177e4 4157
0139418c 4158 if (!conn)
1da177e4 4159 return 0;
0139418c 4160
1da177e4
LT		 4161 BT_DBG("conn %p", conn);
4162
baa7e1fa 4163 read_lock(&conn->chan_lock);
1da177e4 4164
baa7e1fa 4165 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 4166 struct sock *sk = chan->sk;
baa7e1fa 4167
1da177e4
LT		 4168 bh_lock_sock(sk);
4169
b4450035 4170 if (chan->conf_state & L2CAP_CONF_CONNECT_PEND) {
6a8d3010
MH		 4171 bh_unlock_sock(sk);
4172 continue;
4173 }
4174
89bc500e
GP		 4175 if (!status && (chan->state == BT_CONNECTED ||
4176 chan->state == BT_CONFIG)) {
4343478f 4177 l2cap_check_encryption(chan, encrypt);
9719f8af
MH		 4178 bh_unlock_sock(sk);
4179 continue;
4180 }
4181
89bc500e 4182 if (chan->state == BT_CONNECT) {
b1235d79
MH		 4183 if (!status) {
4184 struct l2cap_conn_req req;
fe4128e0
GP		 4185 req.scid = cpu_to_le16(chan->scid);
4186 req.psm = chan->psm;
1da177e4 4187
fc7f8a7e 4188 chan->ident = l2cap_get_ident(conn);
b4450035 4189 chan->conf_state |= L2CAP_CONF_CONNECT_PEND;
1da177e4 4190
fc7f8a7e 4191 l2cap_send_cmd(conn, chan->ident,
b1235d79
MH		 4192 L2CAP_CONN_REQ, sizeof(req), &req);
4193 } else {
ab07801d
GP		 4194 l2cap_chan_clear_timer(chan);
4195 l2cap_chan_set_timer(chan, HZ / 10);
b1235d79 4196 }
89bc500e 4197 } else if (chan->state == BT_CONNECT2) {
b1235d79
MH		 4198 struct l2cap_conn_rsp rsp;
4199 __u16 result;
1da177e4 4200
b1235d79 4201 if (!status) {
89bc500e 4202 l2cap_state_change(chan, BT_CONFIG);
b1235d79
MH		 4203 result = L2CAP_CR_SUCCESS;
4204 } else {
89bc500e 4205 l2cap_state_change(chan, BT_DISCONN);
ab07801d 4206 l2cap_chan_set_timer(chan, HZ / 10);
b1235d79
MH		 4207 result = L2CAP_CR_SEC_BLOCK;
4208 }
4209
fe4128e0
GP		 4210 rsp.scid = cpu_to_le16(chan->dcid);
4211 rsp.dcid = cpu_to_le16(chan->scid);
b1235d79 4212 rsp.result = cpu_to_le16(result);
e7c29cb1 4213 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
fc7f8a7e
GP		 4214 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
4215 sizeof(rsp), &rsp);
b1235d79 4216 }
1da177e4
LT		 4217
4218 bh_unlock_sock(sk);
4219 }
4220
baa7e1fa 4221 read_unlock(&conn->chan_lock);
b1235d79 4222
1da177e4
LT		 4223 return 0;
4224}
4225
4226static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
4227{
4228 struct l2cap_conn *conn = hcon->l2cap_data;
4229
5a08ecce
AE		 4230 if (!conn)
4231 conn = l2cap_conn_add(hcon, 0);
4232
4233 if (!conn)
1da177e4
LT		 4234 goto drop;
4235
4236 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
4237
e702112f 4238 if (!(flags & ACL_CONT)) {
1da177e4 4239 struct l2cap_hdr *hdr;
48454079 4240 struct l2cap_chan *chan;
89794813 4241 u16 cid;
1da177e4
LT		 4242 int len;
4243
4244 if (conn->rx_len) {
4245 BT_ERR("Unexpected start frame (len %d)", skb->len);
4246 kfree_skb(conn->rx_skb);
4247 conn->rx_skb = NULL;
4248 conn->rx_len = 0;
4249 l2cap_conn_unreliable(conn, ECOMM);
4250 }
4251
aae7fe22
AE		 4252 /* Start fragment always begin with Basic L2CAP header */
4253 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 4254 BT_ERR("Frame is too short (len %d)", skb->len);
4255 l2cap_conn_unreliable(conn, ECOMM);
4256 goto drop;
4257 }
4258
4259 hdr = (struct l2cap_hdr *) skb->data;
4260 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
89794813 4261 cid = __le16_to_cpu(hdr->cid);
1da177e4
LT		 4262
4263 if (len == skb->len) {
4264 /* Complete frame received */
4265 l2cap_recv_frame(conn, skb);
4266 return 0;
4267 }
4268
4269 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
4270
4271 if (skb->len > len) {
4272 BT_ERR("Frame is too long (len %d, expected len %d)",
4273 skb->len, len);
4274 l2cap_conn_unreliable(conn, ECOMM);
4275 goto drop;
4276 }
4277
baa7e1fa 4278 chan = l2cap_get_chan_by_scid(conn, cid);
89794813 4279
48454079
GP		 4280 if (chan && chan->sk) {
4281 struct sock *sk = chan->sk;
89794813 4282
0c1bc5c6 4283 if (chan->imtu < len - L2CAP_HDR_SIZE) {
48454079
GP		 4284 BT_ERR("Frame exceeding recv MTU (len %d, "
4285 "MTU %d)", len,
0c1bc5c6 4286 chan->imtu);
48454079
GP		 4287 bh_unlock_sock(sk);
4288 l2cap_conn_unreliable(conn, ECOMM);
4289 goto drop;
4290 }
89794813 4291 bh_unlock_sock(sk);
48454079 4292 }
89794813 4293
1da177e4 4294 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 4295 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
4296 if (!conn->rx_skb)
1da177e4
LT		 4297 goto drop;
4298
d626f62b 4299 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4300 skb->len);
1da177e4
LT		 4301 conn->rx_len = len - skb->len;
4302 } else {
4303 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
4304
4305 if (!conn->rx_len) {
4306 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
4307 l2cap_conn_unreliable(conn, ECOMM);
4308 goto drop;
4309 }
4310
4311 if (skb->len > conn->rx_len) {
4312 BT_ERR("Fragment is too long (len %d, expected %d)",
4313 skb->len, conn->rx_len);
4314 kfree_skb(conn->rx_skb);
4315 conn->rx_skb = NULL;
4316 conn->rx_len = 0;
4317 l2cap_conn_unreliable(conn, ECOMM);
4318 goto drop;
4319 }
4320
d626f62b 4321 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4322 skb->len);
1da177e4
LT		 4323 conn->rx_len -= skb->len;
4324
4325 if (!conn->rx_len) {
4326 /* Complete frame received */
4327 l2cap_recv_frame(conn, conn->rx_skb);
4328 conn->rx_skb = NULL;
4329 }
4330 }
4331
4332drop:
4333 kfree_skb(skb);
4334 return 0;
4335}
4336
aef7d97c 4337static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 4338{
23691d75 4339 struct l2cap_chan *c;
1da177e4 4340
23691d75 4341 read_lock_bh(&chan_list_lock);
1da177e4 4342
23691d75
GP		 4343 list_for_each_entry(c, &chan_list, global_l) {
4344 struct sock *sk = c->sk;
101545f6 4345
903d343e 4346 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
aef7d97c
MH		 4347 batostr(&bt_sk(sk)->src),
4348 batostr(&bt_sk(sk)->dst),
89bc500e 4349 c->state, __le16_to_cpu(c->psm),
23691d75
GP		 4350 c->scid, c->dcid, c->imtu, c->omtu,
4351 c->sec_level, c->mode);
be9d1227 4352 }
1da177e4 4353
23691d75 4354 read_unlock_bh(&chan_list_lock);
1da177e4 4355
aef7d97c 4356 return 0;
1da177e4
LT		 4357}
4358
aef7d97c
MH		 4359static int l2cap_debugfs_open(struct inode *inode, struct file *file)
4360{
4361 return single_open(file, l2cap_debugfs_show, inode->i_private);
4362}
4363
4364static const struct file_operations l2cap_debugfs_fops = {
4365 .open = l2cap_debugfs_open,
4366 .read = seq_read,
4367 .llseek = seq_lseek,
4368 .release = single_release,
4369};
4370
4371static struct dentry *l2cap_debugfs;
1da177e4 4372
1da177e4
LT		 4373static struct hci_proto l2cap_hci_proto = {
4374 .name = "L2CAP",
4375 .id = HCI_PROTO_L2CAP,
4376 .connect_ind = l2cap_connect_ind,
4377 .connect_cfm = l2cap_connect_cfm,
4378 .disconn_ind = l2cap_disconn_ind,
2950f21a 4379 .disconn_cfm = l2cap_disconn_cfm,
8c1b2355 4380 .security_cfm = l2cap_security_cfm,
1da177e4
LT		 4381 .recv_acldata = l2cap_recv_acldata
4382};
4383
64274518 4384int __init l2cap_init(void)
1da177e4
LT		 4385{
4386 int err;
be9d1227 4387
bb58f747 4388 err = l2cap_init_sockets();
1da177e4
LT		 4389 if (err < 0)
4390 return err;
4391
1890d36b 4392 _busy_wq = create_singlethread_workqueue("l2cap");
b78d7b4f 4393 if (!_busy_wq) {
bb58f747 4394 err = -ENOMEM;
1da177e4
LT		 4395 goto error;
4396 }
4397
4398 err = hci_register_proto(&l2cap_hci_proto);
4399 if (err < 0) {
4400 BT_ERR("L2CAP protocol registration failed");
4401 bt_sock_unregister(BTPROTO_L2CAP);
4402 goto error;
4403 }
4404
aef7d97c
MH		 4405 if (bt_debugfs) {
4406 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
4407 bt_debugfs, NULL, &l2cap_debugfs_fops);
4408 if (!l2cap_debugfs)
4409 BT_ERR("Failed to create L2CAP debug file");
4410 }
1da177e4 4411
1da177e4
LT		 4412 return 0;
4413
4414error:
b78d7b4f 4415 destroy_workqueue(_busy_wq);
bb58f747 4416 l2cap_cleanup_sockets();
1da177e4
LT		 4417 return err;
4418}
4419
64274518 4420void l2cap_exit(void)
1da177e4 4421{
aef7d97c 4422 debugfs_remove(l2cap_debugfs);
1da177e4 4423
1890d36b
GP		 4424 flush_workqueue(_busy_wq);
4425 destroy_workqueue(_busy_wq);
4426
1da177e4
LT		 4427 if (hci_unregister_proto(&l2cap_hci_proto) < 0)
4428 BT_ERR("L2CAP protocol unregistration failed");
4429
bb58f747 4430 l2cap_cleanup_sockets();
1da177e4
LT		 4431}
4432
d1c4a17d
GP		 4433module_param(disable_ertm, bool, 0644);
4434MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
kernel source for telekom puls (alcatel/mediatek)