projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Verify a pin code in pin_code_reply
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
1da177e4
LT		 6
7 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License version 2 as
11 published by the Free Software Foundation;
12
13 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
14 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
15 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
16 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 17 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
18 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
19 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 20 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
21
8e87d142
YH		 22 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
23 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 24 SOFTWARE IS DISCLAIMED.
25*/
26
bb58f747 27/* Bluetooth L2CAP core. */
1da177e4 28
1da177e4
LT		 29#include <linux/module.h>
30
31#include <linux/types.h>
4fc268d2 32#include <linux/capability.h>
1da177e4
LT		 33#include <linux/errno.h>
34#include <linux/kernel.h>
1da177e4
LT		 35#include <linux/sched.h>
36#include <linux/slab.h>
37#include <linux/poll.h>
38#include <linux/fcntl.h>
39#include <linux/init.h>
40#include <linux/interrupt.h>
41#include <linux/socket.h>
42#include <linux/skbuff.h>
1da177e4 43#include <linux/list.h>
be9d1227 44#include <linux/device.h>
aef7d97c
MH		 45#include <linux/debugfs.h>
46#include <linux/seq_file.h>
af05b30b 47#include <linux/uaccess.h>
fcc203c3 48#include <linux/crc16.h>
1da177e4
LT		 49#include <net/sock.h>
50
51#include <asm/system.h>
1da177e4
LT		 52#include <asm/unaligned.h>
53
54#include <net/bluetooth/bluetooth.h>
55#include <net/bluetooth/hci_core.h>
56#include <net/bluetooth/l2cap.h>
57
bb58f747 58int disable_ertm;
f0709e03 59
47ec1dcd 60static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
e1027a7c 61static u8 l2cap_fixed_chan[8] = { 0x02, };
1da177e4 62
1890d36b
GP		 63static struct workqueue_struct *_busy_wq;
64
b5ad8b7f
JB		 65static LIST_HEAD(chan_list);
66static DEFINE_RWLOCK(chan_list_lock);
1da177e4 67
1890d36b
GP		 68static void l2cap_busy_work(struct work_struct *work);
69
1da177e4
LT		 70static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
71 u8 code, u8 ident, u16 dlen, void *data);
4519de9a
GP		 72static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
73 void *data);
710f9b0a 74static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
4519de9a
GP		 75static void l2cap_send_disconn_req(struct l2cap_conn *conn,
76 struct l2cap_chan *chan, int err);
1da177e4 77
218bb9df
GP		 78static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb);
79
0139418c 80/* ---- L2CAP channels ---- */
baa7e1fa 81static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
0139418c 82{
48454079 83 struct l2cap_chan *c;
baa7e1fa
GP		 84
85 list_for_each_entry(c, &conn->chan_l, list) {
fe4128e0 86 if (c->dcid == cid)
baa7e1fa 87 return c;
0139418c 88 }
baa7e1fa
GP		 89 return NULL;
90
0139418c
MH		 91}
92
baa7e1fa 93static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 94{
48454079 95 struct l2cap_chan *c;
baa7e1fa
GP		 96
97 list_for_each_entry(c, &conn->chan_l, list) {
fe4128e0 98 if (c->scid == cid)
baa7e1fa 99 return c;
0139418c 100 }
baa7e1fa 101 return NULL;
0139418c
MH		 102}
103
104/* Find channel with given SCID.
105 * Returns locked socket */
baa7e1fa 106static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 107{
48454079 108 struct l2cap_chan *c;
baa7e1fa
GP		 109
110 read_lock(&conn->chan_lock);
111 c = __l2cap_get_chan_by_scid(conn, cid);
48454079
GP		 112 if (c)
113 bh_lock_sock(c->sk);
baa7e1fa 114 read_unlock(&conn->chan_lock);
48454079 115 return c;
0139418c
MH		 116}
117
baa7e1fa 118static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 119{
48454079 120 struct l2cap_chan *c;
baa7e1fa
GP		 121
122 list_for_each_entry(c, &conn->chan_l, list) {
fc7f8a7e 123 if (c->ident == ident)
baa7e1fa 124 return c;
0139418c 125 }
baa7e1fa 126 return NULL;
0139418c
MH		 127}
128
baa7e1fa 129static inline struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 130{
48454079 131 struct l2cap_chan *c;
baa7e1fa
GP		 132
133 read_lock(&conn->chan_lock);
134 c = __l2cap_get_chan_by_ident(conn, ident);
48454079
GP		 135 if (c)
136 bh_lock_sock(c->sk);
baa7e1fa 137 read_unlock(&conn->chan_lock);
48454079 138 return c;
0139418c
MH		 139}
140
23691d75 141static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 142{
23691d75 143 struct l2cap_chan *c;
9e4425ff 144
23691d75
GP		 145 list_for_each_entry(c, &chan_list, global_l) {
146 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
9e4425ff
GP		 147 goto found;
148 }
149
23691d75 150 c = NULL;
9e4425ff 151found:
23691d75 152 return c;
9e4425ff
GP		 153}
154
155int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
156{
73b2ec18
GP		 157 int err;
158
23691d75 159 write_lock_bh(&chan_list_lock);
9e4425ff 160
23691d75 161 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 162 err = -EADDRINUSE;
163 goto done;
9e4425ff
GP		 164 }
165
73b2ec18
GP		 166 if (psm) {
167 chan->psm = psm;
168 chan->sport = psm;
169 err = 0;
170 } else {
171 u16 p;
172
173 err = -EINVAL;
174 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 175 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 176 chan->psm = cpu_to_le16(p);
177 chan->sport = cpu_to_le16(p);
178 err = 0;
179 break;
180 }
181 }
9e4425ff 182
73b2ec18 183done:
23691d75 184 write_unlock_bh(&chan_list_lock);
73b2ec18 185 return err;
9e4425ff
GP		 186}
187
188int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
189{
23691d75 190 write_lock_bh(&chan_list_lock);
9e4425ff
GP		 191
192 chan->scid = scid;
193
23691d75 194 write_unlock_bh(&chan_list_lock);
9e4425ff
GP		 195
196 return 0;
197}
198
baa7e1fa 199static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 200{
8db4dc46 201 u16 cid = L2CAP_CID_DYN_START;
0139418c 202
8db4dc46 203 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 204 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 205 return cid;
206 }
207
208 return 0;
209}
210
ab07801d
GP		 211static void l2cap_chan_set_timer(struct l2cap_chan *chan, long timeout)
212{
213 BT_DBG("chan %p state %d timeout %ld", chan->sk, chan->sk->sk_state,
214 timeout);
215 if (!mod_timer(&chan->chan_timer, jiffies + timeout))
216 sock_hold(chan->sk);
217}
218
500698d3 219static void l2cap_chan_clear_timer(struct l2cap_chan *chan)
ab07801d
GP		 220{
221 BT_DBG("chan %p state %d", chan, chan->sk->sk_state);
222
223 if (timer_pending(&chan->chan_timer) && del_timer(&chan->chan_timer))
224 __sock_put(chan->sk);
225}
226
227static void l2cap_chan_timeout(unsigned long arg)
228{
229 struct l2cap_chan *chan = (struct l2cap_chan *) arg;
230 struct sock *sk = chan->sk;
231 int reason;
232
233 BT_DBG("chan %p state %d", chan, sk->sk_state);
234
235 bh_lock_sock(sk);
236
237 if (sock_owned_by_user(sk)) {
238 /* sk is owned by user. Try again later */
239 l2cap_chan_set_timer(chan, HZ / 5);
240 bh_unlock_sock(sk);
241 sock_put(sk);
242 return;
243 }
244
245 if (sk->sk_state == BT_CONNECTED || sk->sk_state == BT_CONFIG)
246 reason = ECONNREFUSED;
247 else if (sk->sk_state == BT_CONNECT &&
248 chan->sec_level != BT_SECURITY_SDP)
249 reason = ECONNREFUSED;
250 else
251 reason = ETIMEDOUT;
252
0f852724 253 l2cap_chan_close(chan, reason);
ab07801d
GP		 254
255 bh_unlock_sock(sk);
256
257 l2cap_sock_kill(sk);
258 sock_put(sk);
259}
260
23691d75 261struct l2cap_chan *l2cap_chan_create(struct sock *sk)
48454079
GP		 262{
263 struct l2cap_chan *chan;
264
265 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
266 if (!chan)
267 return NULL;
268
269 chan->sk = sk;
270
23691d75
GP		 271 write_lock_bh(&chan_list_lock);
272 list_add(&chan->global_l, &chan_list);
273 write_unlock_bh(&chan_list_lock);
274
ab07801d
GP		 275 setup_timer(&chan->chan_timer, l2cap_chan_timeout, (unsigned long) chan);
276
48454079
GP		 277 return chan;
278}
279
23691d75 280void l2cap_chan_destroy(struct l2cap_chan *chan)
6ff5abbf 281{
23691d75
GP		 282 write_lock_bh(&chan_list_lock);
283 list_del(&chan->global_l);
284 write_unlock_bh(&chan_list_lock);
285
6ff5abbf
GP		 286 kfree(chan);
287}
288
48454079 289static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 290{
48454079 291 struct sock *sk = chan->sk;
0139418c 292
af05b30b 293 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
fe4128e0 294 chan->psm, chan->dcid);
0139418c 295
2950f21a
MH		 296 conn->disc_reason = 0x13;
297
8c1d787b 298 chan->conn = conn;
0139418c 299
715ec005 300 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
b62f328b
VT		 301 if (conn->hcon->type == LE_LINK) {
302 /* LE connection */
0c1bc5c6 303 chan->omtu = L2CAP_LE_DEFAULT_MTU;
fe4128e0
GP		 304 chan->scid = L2CAP_CID_LE_DATA;
305 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 306 } else {
307 /* Alloc CID for connection-oriented socket */
fe4128e0 308 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 309 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 310 }
715ec005 311 } else if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
0139418c 312 /* Connectionless socket */
fe4128e0
GP		 313 chan->scid = L2CAP_CID_CONN_LESS;
314 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 315 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 316 } else {
317 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 318 chan->scid = L2CAP_CID_SIGNALING;
319 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 320 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 321 }
322
baa7e1fa
GP		 323 sock_hold(sk);
324
325 list_add(&chan->list, &conn->chan_l);
0139418c
MH		 326}
327
8e87d142 328/* Delete channel.
0139418c 329 * Must be called on the locked socket. */
4519de9a 330static void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 331{
48454079 332 struct sock *sk = chan->sk;
8c1d787b 333 struct l2cap_conn *conn = chan->conn;
0139418c
MH		 334 struct sock *parent = bt_sk(sk)->parent;
335
ab07801d 336 l2cap_chan_clear_timer(chan);
0139418c 337
49208c9c 338 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 339
8e87d142 340 if (conn) {
baa7e1fa
GP		 341 /* Delete from channel list */
342 write_lock_bh(&conn->chan_lock);
343 list_del(&chan->list);
344 write_unlock_bh(&conn->chan_lock);
345 __sock_put(sk);
346
8c1d787b 347 chan->conn = NULL;
0139418c
MH		 348 hci_conn_put(conn->hcon);
349 }
350
b1235d79 351 sk->sk_state = BT_CLOSED;
0139418c
MH		 352 sock_set_flag(sk, SOCK_ZAPPED);
353
354 if (err)
355 sk->sk_err = err;
356
357 if (parent) {
358 bt_accept_unlink(sk);
359 parent->sk_data_ready(parent, 0);
360 } else
361 sk->sk_state_change(sk);
c13ffa62 362
b4450035
GP		 363 if (!(chan->conf_state & L2CAP_CONF_OUTPUT_DONE &&
364 chan->conf_state & L2CAP_CONF_INPUT_DONE))
6ff5abbf 365 return;
2ead70b8 366
58d35f87 367 skb_queue_purge(&chan->tx_q);
c13ffa62 368
0c1bc5c6 369 if (chan->mode == L2CAP_MODE_ERTM) {
c13ffa62
GP		 370 struct srej_list *l, *tmp;
371
e92c8e70
GP		 372 del_timer(&chan->retrans_timer);
373 del_timer(&chan->monitor_timer);
374 del_timer(&chan->ack_timer);
c13ffa62 375
f1c6775b
GP		 376 skb_queue_purge(&chan->srej_q);
377 skb_queue_purge(&chan->busy_q);
c13ffa62 378
39d5a3ee 379 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
c13ffa62
GP		 380 list_del(&l->list);
381 kfree(l);
382 }
383 }
0139418c
MH		 384}
385
4519de9a
GP		 386static void l2cap_chan_cleanup_listen(struct sock *parent)
387{
388 struct sock *sk;
389
390 BT_DBG("parent %p", parent);
391
392 /* Close not yet accepted channels */
0f852724
GP		 393 while ((sk = bt_accept_dequeue(parent, NULL))) {
394 l2cap_chan_clear_timer(l2cap_pi(sk)->chan);
395 lock_sock(sk);
396 l2cap_chan_close(l2cap_pi(sk)->chan, ECONNRESET);
397 release_sock(sk);
398 l2cap_sock_kill(sk);
399 }
4519de9a
GP		 400
401 parent->sk_state = BT_CLOSED;
402 sock_set_flag(parent, SOCK_ZAPPED);
403}
404
0f852724 405void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 406{
407 struct l2cap_conn *conn = chan->conn;
408 struct sock *sk = chan->sk;
409
410 BT_DBG("chan %p state %d socket %p", chan, sk->sk_state, sk->sk_socket);
411
412 switch (sk->sk_state) {
413 case BT_LISTEN:
414 l2cap_chan_cleanup_listen(sk);
415 break;
416
417 case BT_CONNECTED:
418 case BT_CONFIG:
715ec005 419 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a 420 conn->hcon->type == ACL_LINK) {
500698d3 421 l2cap_chan_clear_timer(chan);
ab07801d 422 l2cap_chan_set_timer(chan, sk->sk_sndtimeo);
4519de9a
GP		 423 l2cap_send_disconn_req(conn, chan, reason);
424 } else
425 l2cap_chan_del(chan, reason);
426 break;
427
428 case BT_CONNECT2:
715ec005 429 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a
GP		 430 conn->hcon->type == ACL_LINK) {
431 struct l2cap_conn_rsp rsp;
432 __u16 result;
433
434 if (bt_sk(sk)->defer_setup)
435 result = L2CAP_CR_SEC_BLOCK;
436 else
437 result = L2CAP_CR_BAD_PSM;
438
439 rsp.scid = cpu_to_le16(chan->dcid);
440 rsp.dcid = cpu_to_le16(chan->scid);
441 rsp.result = cpu_to_le16(result);
442 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
443 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
444 sizeof(rsp), &rsp);
445 }
446
447 l2cap_chan_del(chan, reason);
448 break;
449
450 case BT_CONNECT:
451 case BT_DISCONN:
452 l2cap_chan_del(chan, reason);
453 break;
454
455 default:
456 sock_set_flag(sk, SOCK_ZAPPED);
457 break;
458 }
459}
460
4343478f 461static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 462{
715ec005 463 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 464 switch (chan->sec_level) {
8556edd3
JH		 465 case BT_SECURITY_HIGH:
466 return HCI_AT_DEDICATED_BONDING_MITM;
467 case BT_SECURITY_MEDIUM:
468 return HCI_AT_DEDICATED_BONDING;
469 default:
470 return HCI_AT_NO_BONDING;
471 }
fe4128e0 472 } else if (chan->psm == cpu_to_le16(0x0001)) {
4343478f
GP		 473 if (chan->sec_level == BT_SECURITY_LOW)
474 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 475
4343478f 476 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 477 return HCI_AT_NO_BONDING_MITM;
00ae4af9 478 else
8556edd3 479 return HCI_AT_NO_BONDING;
00ae4af9 480 } else {
4343478f 481 switch (chan->sec_level) {
00ae4af9 482 case BT_SECURITY_HIGH:
8556edd3 483 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 484 case BT_SECURITY_MEDIUM:
8556edd3 485 return HCI_AT_GENERAL_BONDING;
00ae4af9 486 default:
8556edd3 487 return HCI_AT_NO_BONDING;
00ae4af9 488 }
0684e5f9 489 }
8556edd3
JH		 490}
491
492/* Service level security */
4343478f 493static inline int l2cap_check_security(struct l2cap_chan *chan)
8556edd3 494{
8c1d787b 495 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 496 __u8 auth_type;
497
4343478f 498 auth_type = l2cap_get_auth_type(chan);
79d554a6 499
4343478f 500 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 501}
502
b5ad8b7f 503static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 504{
505 u8 id;
506
507 /* Get next available identificator.
508 * 1 - 128 are used by kernel.
509 * 129 - 199 are reserved.
510 * 200 - 254 are used by utilities like l2ping, etc.
511 */
512
513 spin_lock_bh(&conn->lock);
514
515 if (++conn->tx_ident > 128)
516 conn->tx_ident = 1;
517
518 id = conn->tx_ident;
519
520 spin_unlock_bh(&conn->lock);
521
522 return id;
523}
524
4519de9a 525static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
4e8402a3
MH		 526{
527 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 528 u8 flags;
4e8402a3
MH		 529
530 BT_DBG("code 0x%2.2x", code);
531
532 if (!skb)
9a9c6a34 533 return;
4e8402a3 534
e702112f
AE		 535 if (lmp_no_flush_capable(conn->hcon->hdev))
536 flags = ACL_START_NO_FLUSH;
537 else
538 flags = ACL_START;
539
540 hci_send_acl(conn->hcon, skb, flags);
4e8402a3
MH		 541}
542
525cd185 543static inline void l2cap_send_sframe(struct l2cap_chan *chan, u16 control)
1c2acffb
GP		 544{
545 struct sk_buff *skb;
546 struct l2cap_hdr *lh;
525cd185 547 struct l2cap_pinfo *pi = l2cap_pi(chan->sk);
8c1d787b 548 struct l2cap_conn *conn = chan->conn;
c13ffa62 549 struct sock *sk = (struct sock *)pi;
fcc203c3 550 int count, hlen = L2CAP_HDR_SIZE + 2;
e702112f 551 u8 flags;
fcc203c3 552
c13ffa62
GP		 553 if (sk->sk_state != BT_CONNECTED)
554 return;
555
47d1ec61 556 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3 557 hlen += 2;
1c2acffb 558
49208c9c 559 BT_DBG("chan %p, control 0x%2.2x", chan, control);
1c2acffb 560
fcc203c3 561 count = min_t(unsigned int, conn->mtu, hlen);
1c2acffb
GP		 562 control |= L2CAP_CTRL_FRAME_TYPE;
563
525cd185 564 if (chan->conn_state & L2CAP_CONN_SEND_FBIT) {
9e917af1 565 control |= L2CAP_CTRL_FINAL;
525cd185 566 chan->conn_state &= ~L2CAP_CONN_SEND_FBIT;
9e917af1
GP		 567 }
568
525cd185 569 if (chan->conn_state & L2CAP_CONN_SEND_PBIT) {
f0946ccf 570 control |= L2CAP_CTRL_POLL;
525cd185 571 chan->conn_state &= ~L2CAP_CONN_SEND_PBIT;
f0946ccf
GP		 572 }
573
1c2acffb
GP		 574 skb = bt_skb_alloc(count, GFP_ATOMIC);
575 if (!skb)
9a9c6a34 576 return;
1c2acffb
GP		 577
578 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fcc203c3 579 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
fe4128e0 580 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb
GP		 581 put_unaligned_le16(control, skb_put(skb, 2));
582
47d1ec61 583 if (chan->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 584 u16 fcs = crc16(0, (u8 *)lh, count - 2);
585 put_unaligned_le16(fcs, skb_put(skb, 2));
586 }
587
e702112f
AE		 588 if (lmp_no_flush_capable(conn->hcon->hdev))
589 flags = ACL_START_NO_FLUSH;
590 else
591 flags = ACL_START;
592
8c1d787b 593 hci_send_acl(chan->conn->hcon, skb, flags);
1c2acffb
GP		 594}
595
525cd185 596static inline void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, u16 control)
7e743090 597{
525cd185 598 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
7e743090 599 control |= L2CAP_SUPER_RCV_NOT_READY;
525cd185 600 chan->conn_state |= L2CAP_CONN_RNR_SENT;
1890d36b 601 } else
7e743090
GP		 602 control |= L2CAP_SUPER_RCV_READY;
603
42e5c802 604 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
2ab25cdd 605
525cd185 606 l2cap_send_sframe(chan, control);
7e743090
GP		 607}
608
b4450035 609static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 610{
b4450035 611 return !(chan->conf_state & L2CAP_CONF_CONNECT_PEND);
e501d055
AE		 612}
613
fc7f8a7e 614static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 615{
8c1d787b 616 struct l2cap_conn *conn = chan->conn;
79d554a6
MH		 617
618 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 619 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
620 return;
621
4343478f
GP		 622 if (l2cap_check_security(chan) &&
623 __l2cap_no_conn_pending(chan)) {
b1235d79 624 struct l2cap_conn_req req;
fe4128e0
GP		 625 req.scid = cpu_to_le16(chan->scid);
626 req.psm = chan->psm;
79d554a6 627
fc7f8a7e 628 chan->ident = l2cap_get_ident(conn);
b4450035 629 chan->conf_state |= L2CAP_CONF_CONNECT_PEND;
79d554a6 630
fc7f8a7e
GP		 631 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
632 sizeof(req), &req);
b1235d79 633 }
79d554a6
MH		 634 } else {
635 struct l2cap_info_req req;
636 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
637
638 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
639 conn->info_ident = l2cap_get_ident(conn);
640
641 mod_timer(&conn->info_timer, jiffies +
642 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
643
644 l2cap_send_cmd(conn, conn->info_ident,
645 L2CAP_INFO_REQ, sizeof(req), &req);
646 }
647}
648
cf6c2c0b
GP		 649static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
650{
651 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 652 if (!disable_ertm)
cf6c2c0b
GP		 653 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
654
655 switch (mode) {
656 case L2CAP_MODE_ERTM:
657 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
658 case L2CAP_MODE_STREAMING:
659 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
660 default:
661 return 0x00;
662 }
663}
664
4519de9a 665static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
22121fc9 666{
e92c8e70 667 struct sock *sk;
22121fc9
GP		 668 struct l2cap_disconn_req req;
669
c13ffa62
GP		 670 if (!conn)
671 return;
672
e92c8e70
GP		 673 sk = chan->sk;
674
0c1bc5c6 675 if (chan->mode == L2CAP_MODE_ERTM) {
e92c8e70
GP		 676 del_timer(&chan->retrans_timer);
677 del_timer(&chan->monitor_timer);
678 del_timer(&chan->ack_timer);
c13ffa62
GP		 679 }
680
fe4128e0
GP		 681 req.dcid = cpu_to_le16(chan->dcid);
682 req.scid = cpu_to_le16(chan->scid);
22121fc9
GP		 683 l2cap_send_cmd(conn, l2cap_get_ident(conn),
684 L2CAP_DISCONN_REQ, sizeof(req), &req);
c13ffa62
GP		 685
686 sk->sk_state = BT_DISCONN;
9b108fc0 687 sk->sk_err = err;
22121fc9
GP		 688}
689
1da177e4 690/* ---- L2CAP connections ---- */
4e8402a3
MH		 691static void l2cap_conn_start(struct l2cap_conn *conn)
692{
820ffdb3 693 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 694
695 BT_DBG("conn %p", conn);
696
baa7e1fa 697 read_lock(&conn->chan_lock);
4e8402a3 698
820ffdb3 699 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 700 struct sock *sk = chan->sk;
baa7e1fa 701
4e8402a3
MH		 702 bh_lock_sock(sk);
703
715ec005 704 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
79d554a6
MH		 705 bh_unlock_sock(sk);
706 continue;
707 }
708
709 if (sk->sk_state == BT_CONNECT) {
47731de7 710 struct l2cap_conn_req req;
79d554a6 711
4343478f 712 if (!l2cap_check_security(chan) ||
b4450035 713 !__l2cap_no_conn_pending(chan)) {
47731de7
GP		 714 bh_unlock_sock(sk);
715 continue;
716 }
79d554a6 717
0c1bc5c6 718 if (!l2cap_mode_supported(chan->mode,
47731de7 719 conn->feat_mask)
b4450035 720 && chan->conf_state &
47731de7 721 L2CAP_CONF_STATE2_DEVICE) {
0f852724 722 /* l2cap_chan_close() calls list_del(chan)
820ffdb3
GP		 723 * so release the lock */
724 read_unlock_bh(&conn->chan_lock);
0f852724 725 l2cap_chan_close(chan, ECONNRESET);
820ffdb3 726 read_lock_bh(&conn->chan_lock);
47731de7
GP		 727 bh_unlock_sock(sk);
728 continue;
b1235d79 729 }
47731de7 730
fe4128e0
GP		 731 req.scid = cpu_to_le16(chan->scid);
732 req.psm = chan->psm;
47731de7 733
fc7f8a7e 734 chan->ident = l2cap_get_ident(conn);
b4450035 735 chan->conf_state |= L2CAP_CONF_CONNECT_PEND;
47731de7 736
fc7f8a7e
GP		 737 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
738 sizeof(req), &req);
47731de7 739
79d554a6
MH		 740 } else if (sk->sk_state == BT_CONNECT2) {
741 struct l2cap_conn_rsp rsp;
e9aeb2dd 742 char buf[128];
fe4128e0
GP		 743 rsp.scid = cpu_to_le16(chan->dcid);
744 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 745
4343478f 746 if (l2cap_check_security(chan)) {
f66dc81f
MH		 747 if (bt_sk(sk)->defer_setup) {
748 struct sock *parent = bt_sk(sk)->parent;
749 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
750 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
751 parent->sk_data_ready(parent, 0);
752
753 } else {
754 sk->sk_state = BT_CONFIG;
755 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
756 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
757 }
79d554a6
MH		 758 } else {
759 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
760 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
761 }
762
fc7f8a7e
GP		 763 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
764 sizeof(rsp), &rsp);
e9aeb2dd 765
b4450035 766 if (chan->conf_state & L2CAP_CONF_REQ_SENT ||
e9aeb2dd
GP		 767 rsp.result != L2CAP_CR_SUCCESS) {
768 bh_unlock_sock(sk);
769 continue;
770 }
771
b4450035 772 chan->conf_state |= L2CAP_CONF_REQ_SENT;
e9aeb2dd 773 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 774 l2cap_build_conf_req(chan, buf), buf);
775 chan->num_conf_req++;
4e8402a3
MH		 776 }
777
778 bh_unlock_sock(sk);
779 }
780
baa7e1fa 781 read_unlock(&conn->chan_lock);
4e8402a3
MH		 782}
783
b62f328b
VT		 784/* Find socket with cid and source bdaddr.
785 * Returns closest match, locked.
786 */
23691d75 787static struct l2cap_chan *l2cap_global_chan_by_scid(int state, __le16 cid, bdaddr_t *src)
b62f328b 788{
23691d75 789 struct l2cap_chan *c, *c1 = NULL;
b62f328b 790
23691d75 791 read_lock(&chan_list_lock);
b62f328b 792
23691d75
GP		 793 list_for_each_entry(c, &chan_list, global_l) {
794 struct sock *sk = c->sk;
fe4128e0 795
b62f328b
VT		 796 if (state && sk->sk_state != state)
797 continue;
798
23691d75 799 if (c->scid == cid) {
b62f328b 800 /* Exact match. */
23691d75
GP		 801 if (!bacmp(&bt_sk(sk)->src, src)) {
802 read_unlock(&chan_list_lock);
803 return c;
804 }
b62f328b
VT		 805
806 /* Closest match */
807 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
23691d75 808 c1 = c;
b62f328b
VT		 809 }
810 }
280f294f 811
23691d75 812 read_unlock(&chan_list_lock);
b62f328b 813
23691d75 814 return c1;
b62f328b
VT		 815}
816
817static void l2cap_le_conn_ready(struct l2cap_conn *conn)
818{
c916fbe4 819 struct sock *parent, *sk;
23691d75 820 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 821
822 BT_DBG("");
823
824 /* Check if we have socket listening on cid */
23691d75 825 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
b62f328b 826 conn->src);
23691d75 827 if (!pchan)
b62f328b
VT		 828 return;
829
23691d75
GP		 830 parent = pchan->sk;
831
62f3a2cf
GP		 832 bh_lock_sock(parent);
833
b62f328b
VT		 834 /* Check for backlog size */
835 if (sk_acceptq_is_full(parent)) {
836 BT_DBG("backlog full %d", parent->sk_ack_backlog);
837 goto clean;
838 }
839
840 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP, GFP_ATOMIC);
841 if (!sk)
842 goto clean;
843
23691d75 844 chan = l2cap_chan_create(sk);
48454079
GP		 845 if (!chan) {
846 l2cap_sock_kill(sk);
847 goto clean;
848 }
849
5d41ce1d
GP		 850 l2cap_pi(sk)->chan = chan;
851
baa7e1fa 852 write_lock_bh(&conn->chan_lock);
b62f328b
VT		 853
854 hci_conn_hold(conn->hcon);
855
856 l2cap_sock_init(sk, parent);
baa7e1fa 857
b62f328b
VT		 858 bacpy(&bt_sk(sk)->src, conn->src);
859 bacpy(&bt_sk(sk)->dst, conn->dst);
860
d1010240
GP		 861 bt_accept_enqueue(parent, sk);
862
48454079
GP		 863 __l2cap_chan_add(conn, chan);
864
ab07801d 865 l2cap_chan_set_timer(chan, sk->sk_sndtimeo);
b62f328b
VT		 866
867 sk->sk_state = BT_CONNECTED;
868 parent->sk_data_ready(parent, 0);
869
baa7e1fa 870 write_unlock_bh(&conn->chan_lock);
b62f328b
VT		 871
872clean:
873 bh_unlock_sock(parent);
874}
875
4e8402a3
MH		 876static void l2cap_conn_ready(struct l2cap_conn *conn)
877{
48454079 878 struct l2cap_chan *chan;
4e8402a3 879
79d554a6 880 BT_DBG("conn %p", conn);
4e8402a3 881
b62f328b
VT		 882 if (!conn->hcon->out && conn->hcon->type == LE_LINK)
883 l2cap_le_conn_ready(conn);
884
baa7e1fa 885 read_lock(&conn->chan_lock);
4e8402a3 886
baa7e1fa 887 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 888 struct sock *sk = chan->sk;
baa7e1fa 889
79d554a6 890 bh_lock_sock(sk);
4e8402a3 891
acd7d370 892 if (conn->hcon->type == LE_LINK) {
ab07801d 893 l2cap_chan_clear_timer(chan);
acd7d370
VT		 894 sk->sk_state = BT_CONNECTED;
895 sk->sk_state_change(sk);
896 }
897
715ec005 898 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
ab07801d 899 l2cap_chan_clear_timer(chan);
79d554a6
MH		 900 sk->sk_state = BT_CONNECTED;
901 sk->sk_state_change(sk);
902 } else if (sk->sk_state == BT_CONNECT)
fc7f8a7e 903 l2cap_do_start(chan);
4e8402a3 904
79d554a6 905 bh_unlock_sock(sk);
4e8402a3 906 }
79d554a6 907
baa7e1fa 908 read_unlock(&conn->chan_lock);
4e8402a3
MH		 909}
910
911/* Notify sockets that we cannot guaranty reliability anymore */
912static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
913{
48454079 914 struct l2cap_chan *chan;
4e8402a3
MH		 915
916 BT_DBG("conn %p", conn);
917
baa7e1fa 918 read_lock(&conn->chan_lock);
4e8402a3 919
baa7e1fa 920 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 921 struct sock *sk = chan->sk;
baa7e1fa 922
4343478f 923 if (chan->force_reliable)
4e8402a3
MH		 924 sk->sk_err = err;
925 }
926
baa7e1fa 927 read_unlock(&conn->chan_lock);
4e8402a3
MH		 928}
929
930static void l2cap_info_timeout(unsigned long arg)
931{
932 struct l2cap_conn *conn = (void *) arg;
933
984947dc 934 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 935 conn->info_ident = 0;
984947dc 936
4e8402a3
MH		 937 l2cap_conn_start(conn);
938}
939
1da177e4
LT		 940static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
941{
0139418c 942 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4 943
0139418c 944 if (conn || status)
1da177e4
LT		 945 return conn;
946
0139418c
MH		 947 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
948 if (!conn)
1da177e4 949 return NULL;
1da177e4
LT		 950
951 hcon->l2cap_data = conn;
952 conn->hcon = hcon;
953
0139418c
MH		 954 BT_DBG("hcon %p conn %p", hcon, conn);
955
acd7d370
VT		 956 if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
957 conn->mtu = hcon->hdev->le_mtu;
958 else
959 conn->mtu = hcon->hdev->acl_mtu;
960
1da177e4
LT		 961 conn->src = &hcon->hdev->bdaddr;
962 conn->dst = &hcon->dst;
963
4e8402a3
MH		 964 conn->feat_mask = 0;
965
1da177e4 966 spin_lock_init(&conn->lock);
baa7e1fa
GP		 967 rwlock_init(&conn->chan_lock);
968
969 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 970
b62f328b
VT		 971 if (hcon->type != LE_LINK)
972 setup_timer(&conn->info_timer, l2cap_info_timeout,
45054dc1
DY		 973 (unsigned long) conn);
974
2950f21a
MH		 975 conn->disc_reason = 0x13;
976
1da177e4
LT		 977 return conn;
978}
979
0139418c 980static void l2cap_conn_del(struct hci_conn *hcon, int err)
1da177e4 981{
0139418c 982 struct l2cap_conn *conn = hcon->l2cap_data;
baa7e1fa 983 struct l2cap_chan *chan, *l;
1da177e4
LT		 984 struct sock *sk;
985
0139418c
MH		 986 if (!conn)
987 return;
1da177e4
LT		 988
989 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
990
7585b97a 991 kfree_skb(conn->rx_skb);
1da177e4
LT		 992
993 /* Kill channels */
baa7e1fa 994 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
48454079 995 sk = chan->sk;
1da177e4 996 bh_lock_sock(sk);
48454079 997 l2cap_chan_del(chan, err);
1da177e4
LT		 998 bh_unlock_sock(sk);
999 l2cap_sock_kill(sk);
1000 }
1001
8e8440f5
DY		 1002 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1003 del_timer_sync(&conn->info_timer);
3ab22731 1004
1da177e4
LT		 1005 hcon->l2cap_data = NULL;
1006 kfree(conn);
1da177e4
LT		 1007}
1008
48454079 1009static inline void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
1da177e4 1010{
baa7e1fa 1011 write_lock_bh(&conn->chan_lock);
48454079 1012 __l2cap_chan_add(conn, chan);
baa7e1fa 1013 write_unlock_bh(&conn->chan_lock);
1da177e4
LT		 1014}
1015
1da177e4 1016/* ---- Socket interface ---- */
1da177e4
LT		 1017
1018/* Find socket with psm and source bdaddr.
1019 * Returns closest match.
1020 */
23691d75 1021static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm, bdaddr_t *src)
1da177e4 1022{
23691d75 1023 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1024
23691d75 1025 read_lock(&chan_list_lock);
e0f0cb56 1026
23691d75
GP		 1027 list_for_each_entry(c, &chan_list, global_l) {
1028 struct sock *sk = c->sk;
fe4128e0 1029
1da177e4
LT		 1030 if (state && sk->sk_state != state)
1031 continue;
1032
23691d75 1033 if (c->psm == psm) {
1da177e4 1034 /* Exact match. */
23691d75 1035 if (!bacmp(&bt_sk(sk)->src, src)) {
a7567b20 1036 read_unlock(&chan_list_lock);
23691d75
GP		 1037 return c;
1038 }
1da177e4
LT		 1039
1040 /* Closest match */
1041 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
23691d75 1042 c1 = c;
1da177e4
LT		 1043 }
1044 }
1da177e4 1045
23691d75 1046 read_unlock(&chan_list_lock);
e0f0cb56 1047
23691d75 1048 return c1;
1da177e4
LT		 1049}
1050
77a74c7e 1051int l2cap_chan_connect(struct l2cap_chan *chan)
1da177e4 1052{
5d41ce1d 1053 struct sock *sk = chan->sk;
1da177e4
LT		 1054 bdaddr_t *src = &bt_sk(sk)->src;
1055 bdaddr_t *dst = &bt_sk(sk)->dst;
1056 struct l2cap_conn *conn;
1057 struct hci_conn *hcon;
1058 struct hci_dev *hdev;
09ab6f4c 1059 __u8 auth_type;
44d0e48e 1060 int err;
1da177e4 1061
f29972de 1062 BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
fe4128e0 1063 chan->psm);
1da177e4 1064
af05b30b
GP		 1065 hdev = hci_get_route(dst, src);
1066 if (!hdev)
1da177e4
LT		 1067 return -EHOSTUNREACH;
1068
1069 hci_dev_lock_bh(hdev);
1070
4343478f 1071 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1072
fe4128e0 1073 if (chan->dcid == L2CAP_CID_LE_DATA)
acd7d370 1074 hcon = hci_connect(hdev, LE_LINK, dst,
4343478f 1075 chan->sec_level, auth_type);
acd7d370
VT		 1076 else
1077 hcon = hci_connect(hdev, ACL_LINK, dst,
4343478f 1078 chan->sec_level, auth_type);
acd7d370 1079
30e76272
VT		 1080 if (IS_ERR(hcon)) {
1081 err = PTR_ERR(hcon);
1da177e4 1082 goto done;
30e76272 1083 }
1da177e4
LT		 1084
1085 conn = l2cap_conn_add(hcon, 0);
1086 if (!conn) {
1087 hci_conn_put(hcon);
30e76272 1088 err = -ENOMEM;
1da177e4
LT		 1089 goto done;
1090 }
1091
1da177e4
LT		 1092 /* Update source addr of the socket */
1093 bacpy(src, conn->src);
1094
48454079
GP		 1095 l2cap_chan_add(conn, chan);
1096
1da177e4 1097 sk->sk_state = BT_CONNECT;
ab07801d 1098 l2cap_chan_set_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1099
1100 if (hcon->state == BT_CONNECTED) {
715ec005 1101 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
ab07801d 1102 l2cap_chan_clear_timer(chan);
4343478f 1103 if (l2cap_check_security(chan))
d00ef24f 1104 sk->sk_state = BT_CONNECTED;
79d554a6 1105 } else
fc7f8a7e 1106 l2cap_do_start(chan);
1da177e4
LT		 1107 }
1108
30e76272
VT		 1109 err = 0;
1110
1da177e4
LT		 1111done:
1112 hci_dev_unlock_bh(hdev);
1113 hci_dev_put(hdev);
1114 return err;
1115}
1116
dcba0dba 1117int __l2cap_wait_ack(struct sock *sk)
6161c038 1118{
8c1d787b 1119 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1120 DECLARE_WAITQUEUE(wait, current);
1121 int err = 0;
1122 int timeo = HZ/5;
1123
2b0b05dd 1124 add_wait_queue(sk_sleep(sk), &wait);
8c1d787b 1125 while ((chan->unacked_frames > 0 && chan->conn)) {
6161c038
GP		 1126 set_current_state(TASK_INTERRUPTIBLE);
1127
1128 if (!timeo)
1129 timeo = HZ/5;
1130
1131 if (signal_pending(current)) {
1132 err = sock_intr_errno(timeo);
1133 break;
1134 }
1135
1136 release_sock(sk);
1137 timeo = schedule_timeout(timeo);
1138 lock_sock(sk);
1139
1140 err = sock_error(sk);
1141 if (err)
1142 break;
1143 }
1144 set_current_state(TASK_RUNNING);
2b0b05dd 1145 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1146 return err;
1147}
1148
e90bac06
GP		 1149static void l2cap_monitor_timeout(unsigned long arg)
1150{
525cd185
GP		 1151 struct l2cap_chan *chan = (void *) arg;
1152 struct sock *sk = chan->sk;
e90bac06 1153
525cd185 1154 BT_DBG("chan %p", chan);
0e98958d 1155
e686219a 1156 bh_lock_sock(sk);
2c03a7a4 1157 if (chan->retry_count >= chan->remote_max_tx) {
8c1d787b 1158 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
b13f5860 1159 bh_unlock_sock(sk);
e90bac06
GP		 1160 return;
1161 }
1162
6a026610 1163 chan->retry_count++;
e90bac06
GP		 1164 __mod_monitor_timer();
1165
525cd185 1166 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
e686219a 1167 bh_unlock_sock(sk);
e90bac06
GP		 1168}
1169
1170static void l2cap_retrans_timeout(unsigned long arg)
1171{
525cd185
GP		 1172 struct l2cap_chan *chan = (void *) arg;
1173 struct sock *sk = chan->sk;
e90bac06 1174
49208c9c 1175 BT_DBG("chan %p", chan);
0e98958d 1176
e686219a 1177 bh_lock_sock(sk);
6a026610 1178 chan->retry_count = 1;
e90bac06
GP		 1179 __mod_monitor_timer();
1180
525cd185 1181 chan->conn_state |= L2CAP_CONN_WAIT_F;
e90bac06 1182
525cd185 1183 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
e686219a 1184 bh_unlock_sock(sk);
e90bac06
GP		 1185}
1186
42e5c802 1187static void l2cap_drop_acked_frames(struct l2cap_chan *chan)
1da177e4 1188{
1c2acffb 1189 struct sk_buff *skb;
1da177e4 1190
58d35f87 1191 while ((skb = skb_peek(&chan->tx_q)) &&
6a026610 1192 chan->unacked_frames) {
42e5c802 1193 if (bt_cb(skb)->tx_seq == chan->expected_ack_seq)
1c2acffb 1194 break;
1da177e4 1195
58d35f87 1196 skb = skb_dequeue(&chan->tx_q);
1c2acffb 1197 kfree_skb(skb);
1da177e4 1198
6a026610 1199 chan->unacked_frames--;
1c2acffb 1200 }
1da177e4 1201
6a026610 1202 if (!chan->unacked_frames)
e92c8e70 1203 del_timer(&chan->retrans_timer);
1c2acffb 1204}
1da177e4 1205
4343478f 1206void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
1c2acffb 1207{
8c1d787b 1208 struct hci_conn *hcon = chan->conn->hcon;
e702112f 1209 u16 flags;
1c2acffb 1210
4343478f 1211 BT_DBG("chan %p, skb %p len %d", chan, skb, skb->len);
1da177e4 1212
4343478f 1213 if (!chan->flushable && lmp_no_flush_capable(hcon->hdev))
e702112f
AE		 1214 flags = ACL_START_NO_FLUSH;
1215 else
1216 flags = ACL_START;
1217
1218 hci_send_acl(hcon, skb, flags);
1c2acffb
GP		 1219}
1220
42e5c802 1221void l2cap_streaming_send(struct l2cap_chan *chan)
6840ed07 1222{
ccbb84af 1223 struct sk_buff *skb;
fcc203c3 1224 u16 control, fcs;
6840ed07 1225
58d35f87 1226 while ((skb = skb_dequeue(&chan->tx_q))) {
ccbb84af 1227 control = get_unaligned_le16(skb->data + L2CAP_HDR_SIZE);
42e5c802 1228 control |= chan->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT;
ccbb84af 1229 put_unaligned_le16(control, skb->data + L2CAP_HDR_SIZE);
6840ed07 1230
47d1ec61 1231 if (chan->fcs == L2CAP_FCS_CRC16) {
ccbb84af
GP		 1232 fcs = crc16(0, (u8 *)skb->data, skb->len - 2);
1233 put_unaligned_le16(fcs, skb->data + skb->len - 2);
fcc203c3
GP		 1234 }
1235
4343478f 1236 l2cap_do_send(chan, skb);
6840ed07 1237
42e5c802 1238 chan->next_tx_seq = (chan->next_tx_seq + 1) % 64;
6840ed07 1239 }
6840ed07
GP		 1240}
1241
525cd185 1242static void l2cap_retransmit_one_frame(struct l2cap_chan *chan, u8 tx_seq)
8f17154f 1243{
8f17154f
GP		 1244 struct sk_buff *skb, *tx_skb;
1245 u16 control, fcs;
8f17154f 1246
58d35f87 1247 skb = skb_peek(&chan->tx_q);
f11d676d
GP		 1248 if (!skb)
1249 return;
8f17154f 1250
f11d676d
GP		 1251 do {
1252 if (bt_cb(skb)->tx_seq == tx_seq)
8f17154f 1253 break;
8f17154f 1254
58d35f87 1255 if (skb_queue_is_last(&chan->tx_q, skb))
f11d676d 1256 return;
8f17154f 1257
58d35f87 1258 } while ((skb = skb_queue_next(&chan->tx_q, skb)));
8f17154f 1259
2c03a7a4
GP		 1260 if (chan->remote_max_tx &&
1261 bt_cb(skb)->retries == chan->remote_max_tx) {
8c1d787b 1262 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
f11d676d
GP		 1263 return;
1264 }
1265
1266 tx_skb = skb_clone(skb, GFP_ATOMIC);
1267 bt_cb(skb)->retries++;
1268 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
a429b519 1269 control &= L2CAP_CTRL_SAR;
3cb123d1 1270
525cd185 1271 if (chan->conn_state & L2CAP_CONN_SEND_FBIT) {
3cb123d1 1272 control |= L2CAP_CTRL_FINAL;
525cd185 1273 chan->conn_state &= ~L2CAP_CONN_SEND_FBIT;
3cb123d1 1274 }
95ffa978 1275
42e5c802 1276 control |= (chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
f11d676d 1277 | (tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
3cb123d1 1278
f11d676d
GP		 1279 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1280
47d1ec61 1281 if (chan->fcs == L2CAP_FCS_CRC16) {
f11d676d
GP		 1282 fcs = crc16(0, (u8 *)tx_skb->data, tx_skb->len - 2);
1283 put_unaligned_le16(fcs, tx_skb->data + tx_skb->len - 2);
1284 }
1285
4343478f 1286 l2cap_do_send(chan, tx_skb);
8f17154f
GP		 1287}
1288
525cd185 1289int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1290{
1291 struct sk_buff *skb, *tx_skb;
525cd185 1292 struct sock *sk = chan->sk;
fcc203c3 1293 u16 control, fcs;
9a9c6a34 1294 int nsent = 0;
1c2acffb 1295
c13ffa62
GP		 1296 if (sk->sk_state != BT_CONNECTED)
1297 return -ENOTCONN;
e90bac06 1298
58d35f87 1299 while ((skb = chan->tx_send_head) && (!l2cap_tx_window_full(chan))) {
1c2acffb 1300
2c03a7a4
GP		 1301 if (chan->remote_max_tx &&
1302 bt_cb(skb)->retries == chan->remote_max_tx) {
8c1d787b 1303 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
e90bac06
GP		 1304 break;
1305 }
1306
e420aba3
AE		 1307 tx_skb = skb_clone(skb, GFP_ATOMIC);
1308
e90bac06
GP		 1309 bt_cb(skb)->retries++;
1310
1c2acffb 1311 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
95ffa978
GP		 1312 control &= L2CAP_CTRL_SAR;
1313
525cd185 1314 if (chan->conn_state & L2CAP_CONN_SEND_FBIT) {
d5392c8f 1315 control |= L2CAP_CTRL_FINAL;
525cd185 1316 chan->conn_state &= ~L2CAP_CONN_SEND_FBIT;
d5392c8f 1317 }
42e5c802
GP		 1318 control |= (chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1319 | (chan->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
1c2acffb
GP		 1320 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1321
e90bac06 1322
47d1ec61 1323 if (chan->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 1324 fcs = crc16(0, (u8 *)skb->data, tx_skb->len - 2);
1325 put_unaligned_le16(fcs, skb->data + tx_skb->len - 2);
1326 }
1327
4343478f 1328 l2cap_do_send(chan, tx_skb);
9a9c6a34 1329
e90bac06 1330 __mod_retrans_timer();
1c2acffb 1331
42e5c802
GP		 1332 bt_cb(skb)->tx_seq = chan->next_tx_seq;
1333 chan->next_tx_seq = (chan->next_tx_seq + 1) % 64;
1c2acffb 1334
23e9fde2 1335 if (bt_cb(skb)->retries == 1)
6a026610 1336 chan->unacked_frames++;
23e9fde2 1337
6a026610 1338 chan->frames_sent++;
1c2acffb 1339
58d35f87
GP		 1340 if (skb_queue_is_last(&chan->tx_q, skb))
1341 chan->tx_send_head = NULL;
1c2acffb 1342 else
58d35f87 1343 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
9e917af1
GP		 1344
1345 nsent++;
1c2acffb
GP		 1346 }
1347
9e917af1
GP		 1348 return nsent;
1349}
1350
525cd185 1351static int l2cap_retransmit_frames(struct l2cap_chan *chan)
dfc909be 1352{
dfc909be
GP		 1353 int ret;
1354
58d35f87
GP		 1355 if (!skb_queue_empty(&chan->tx_q))
1356 chan->tx_send_head = chan->tx_q.next;
dfc909be 1357
42e5c802 1358 chan->next_tx_seq = chan->expected_ack_seq;
525cd185 1359 ret = l2cap_ertm_send(chan);
dfc909be
GP		 1360 return ret;
1361}
1362
525cd185 1363static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 1364{
9e917af1
GP		 1365 u16 control = 0;
1366
42e5c802 1367 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
9e917af1 1368
525cd185 1369 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
9e917af1 1370 control |= L2CAP_SUPER_RCV_NOT_READY;
525cd185
GP		 1371 chan->conn_state |= L2CAP_CONN_RNR_SENT;
1372 l2cap_send_sframe(chan, control);
9a9c6a34 1373 return;
9e917af1 1374 }
dfc909be 1375
525cd185 1376 if (l2cap_ertm_send(chan) > 0)
dfc909be
GP		 1377 return;
1378
1379 control |= L2CAP_SUPER_RCV_READY;
525cd185 1380 l2cap_send_sframe(chan, control);
1c2acffb
GP		 1381}
1382
525cd185 1383static void l2cap_send_srejtail(struct l2cap_chan *chan)
99b0d4b7
GP		 1384{
1385 struct srej_list *tail;
1386 u16 control;
1387
1388 control = L2CAP_SUPER_SELECT_REJECT;
1389 control |= L2CAP_CTRL_FINAL;
1390
39d5a3ee 1391 tail = list_entry((&chan->srej_l)->prev, struct srej_list, list);
99b0d4b7
GP		 1392 control |= tail->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1393
525cd185 1394 l2cap_send_sframe(chan, control);
99b0d4b7
GP		 1395}
1396
1c2acffb
GP		 1397static inline int l2cap_skbuff_fromiovec(struct sock *sk, struct msghdr *msg, int len, int count, struct sk_buff *skb)
1398{
8c1d787b 1399 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
1c2acffb
GP		 1400 struct sk_buff **frag;
1401 int err, sent = 0;
1da177e4 1402
59203a21 1403 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1404 return -EFAULT;
1da177e4
LT		 1405
1406 sent += count;
1407 len -= count;
1408
1409 /* Continuation fragments (no L2CAP header) */
1410 frag = &skb_shinfo(skb)->frag_list;
1411 while (len) {
1412 count = min_t(unsigned int, conn->mtu, len);
1413
1414 *frag = bt_skb_send_alloc(sk, count, msg->msg_flags & MSG_DONTWAIT, &err);
1415 if (!*frag)
0175d629 1416 return err;
1c2acffb
GP		 1417 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1418 return -EFAULT;
1da177e4
LT		 1419
1420 sent += count;
1421 len -= count;
1422
1423 frag = &(*frag)->next;
1424 }
1da177e4
LT		 1425
1426 return sent;
1c2acffb 1427}
1da177e4 1428
fe4128e0 1429struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1c2acffb 1430{
fe4128e0 1431 struct sock *sk = chan->sk;
8c1d787b 1432 struct l2cap_conn *conn = chan->conn;
1c2acffb
GP		 1433 struct sk_buff *skb;
1434 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1435 struct l2cap_hdr *lh;
1436
1437 BT_DBG("sk %p len %d", sk, (int)len);
1438
1439 count = min_t(unsigned int, (conn->mtu - hlen), len);
1440 skb = bt_skb_send_alloc(sk, count + hlen,
1441 msg->msg_flags & MSG_DONTWAIT, &err);
1442 if (!skb)
0175d629 1443 return ERR_PTR(err);
1c2acffb
GP		 1444
1445 /* Create L2CAP header */
1446 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1447 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 1448 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
fe4128e0 1449 put_unaligned_le16(chan->psm, skb_put(skb, 2));
1c2acffb
GP		 1450
1451 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1452 if (unlikely(err < 0)) {
1453 kfree_skb(skb);
1454 return ERR_PTR(err);
1455 }
1456 return skb;
1457}
1458
fe4128e0 1459struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1c2acffb 1460{
fe4128e0 1461 struct sock *sk = chan->sk;
8c1d787b 1462 struct l2cap_conn *conn = chan->conn;
1c2acffb
GP		 1463 struct sk_buff *skb;
1464 int err, count, hlen = L2CAP_HDR_SIZE;
1465 struct l2cap_hdr *lh;
1466
1467 BT_DBG("sk %p len %d", sk, (int)len);
1468
1469 count = min_t(unsigned int, (conn->mtu - hlen), len);
1470 skb = bt_skb_send_alloc(sk, count + hlen,
1471 msg->msg_flags & MSG_DONTWAIT, &err);
1472 if (!skb)
0175d629 1473 return ERR_PTR(err);
1c2acffb
GP		 1474
1475 /* Create L2CAP header */
1476 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1477 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb
GP		 1478 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1479
1480 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1481 if (unlikely(err < 0)) {
1482 kfree_skb(skb);
1483 return ERR_PTR(err);
1484 }
1485 return skb;
1486}
1487
47d1ec61 1488struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len, u16 control, u16 sdulen)
1c2acffb 1489{
47d1ec61 1490 struct sock *sk = chan->sk;
8c1d787b 1491 struct l2cap_conn *conn = chan->conn;
1c2acffb
GP		 1492 struct sk_buff *skb;
1493 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1494 struct l2cap_hdr *lh;
1495
1496 BT_DBG("sk %p len %d", sk, (int)len);
1497
0ee0d208
GP		 1498 if (!conn)
1499 return ERR_PTR(-ENOTCONN);
1500
c74e560c
GP		 1501 if (sdulen)
1502 hlen += 2;
1503
47d1ec61 1504 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3
GP		 1505 hlen += 2;
1506
1c2acffb
GP		 1507 count = min_t(unsigned int, (conn->mtu - hlen), len);
1508 skb = bt_skb_send_alloc(sk, count + hlen,
1509 msg->msg_flags & MSG_DONTWAIT, &err);
1510 if (!skb)
0175d629 1511 return ERR_PTR(err);
1c2acffb
GP		 1512
1513 /* Create L2CAP header */
1514 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1515 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb
GP		 1516 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1517 put_unaligned_le16(control, skb_put(skb, 2));
c74e560c
GP		 1518 if (sdulen)
1519 put_unaligned_le16(sdulen, skb_put(skb, 2));
1c2acffb
GP		 1520
1521 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1522 if (unlikely(err < 0)) {
1523 kfree_skb(skb);
1524 return ERR_PTR(err);
1525 }
e90bac06 1526
47d1ec61 1527 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3
GP		 1528 put_unaligned_le16(0, skb_put(skb, 2));
1529
e90bac06 1530 bt_cb(skb)->retries = 0;
1c2acffb 1531 return skb;
1da177e4
LT		 1532}
1533
2c03a7a4 1534int l2cap_sar_segment_sdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
c74e560c 1535{
c74e560c
GP		 1536 struct sk_buff *skb;
1537 struct sk_buff_head sar_queue;
1538 u16 control;
1539 size_t size = 0;
1540
ff12fd64 1541 skb_queue_head_init(&sar_queue);
c74e560c 1542 control = L2CAP_SDU_START;
47d1ec61 1543 skb = l2cap_create_iframe_pdu(chan, msg, chan->remote_mps, control, len);
c74e560c
GP		 1544 if (IS_ERR(skb))
1545 return PTR_ERR(skb);
1546
1547 __skb_queue_tail(&sar_queue, skb);
2c03a7a4
GP		 1548 len -= chan->remote_mps;
1549 size += chan->remote_mps;
c74e560c
GP		 1550
1551 while (len > 0) {
1552 size_t buflen;
1553
2c03a7a4 1554 if (len > chan->remote_mps) {
44651b85 1555 control = L2CAP_SDU_CONTINUE;
2c03a7a4 1556 buflen = chan->remote_mps;
c74e560c 1557 } else {
44651b85 1558 control = L2CAP_SDU_END;
c74e560c
GP		 1559 buflen = len;
1560 }
1561
47d1ec61 1562 skb = l2cap_create_iframe_pdu(chan, msg, buflen, control, 0);
c74e560c
GP		 1563 if (IS_ERR(skb)) {
1564 skb_queue_purge(&sar_queue);
1565 return PTR_ERR(skb);
1566 }
1567
1568 __skb_queue_tail(&sar_queue, skb);
1569 len -= buflen;
1570 size += buflen;
c74e560c 1571 }
58d35f87
GP		 1572 skb_queue_splice_tail(&sar_queue, &chan->tx_q);
1573 if (chan->tx_send_head == NULL)
1574 chan->tx_send_head = sar_queue.next;
c74e560c
GP		 1575
1576 return size;
1577}
1578
9a91a04a
GP		 1579int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1580{
9a91a04a
GP		 1581 struct sk_buff *skb;
1582 u16 control;
1583 int err;
1584
1585 /* Connectionless channel */
715ec005 1586 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
9a91a04a
GP		 1587 skb = l2cap_create_connless_pdu(chan, msg, len);
1588 if (IS_ERR(skb))
1589 return PTR_ERR(skb);
1590
1591 l2cap_do_send(chan, skb);
1592 return len;
1593 }
1594
1595 switch (chan->mode) {
1596 case L2CAP_MODE_BASIC:
1597 /* Check outgoing MTU */
1598 if (len > chan->omtu)
1599 return -EMSGSIZE;
1600
1601 /* Create a basic PDU */
1602 skb = l2cap_create_basic_pdu(chan, msg, len);
1603 if (IS_ERR(skb))
1604 return PTR_ERR(skb);
1605
1606 l2cap_do_send(chan, skb);
1607 err = len;
1608 break;
1609
1610 case L2CAP_MODE_ERTM:
1611 case L2CAP_MODE_STREAMING:
1612 /* Entire SDU fits into one PDU */
1613 if (len <= chan->remote_mps) {
1614 control = L2CAP_SDU_UNSEGMENTED;
1615 skb = l2cap_create_iframe_pdu(chan, msg, len, control,
1616 0);
1617 if (IS_ERR(skb))
1618 return PTR_ERR(skb);
1619
1620 __skb_queue_tail(&chan->tx_q, skb);
1621
1622 if (chan->tx_send_head == NULL)
1623 chan->tx_send_head = skb;
1624
1625 } else {
1626 /* Segment SDU into multiples PDUs */
1627 err = l2cap_sar_segment_sdu(chan, msg, len);
1628 if (err < 0)
1629 return err;
1630 }
1631
1632 if (chan->mode == L2CAP_MODE_STREAMING) {
1633 l2cap_streaming_send(chan);
1634 err = len;
1635 break;
1636 }
1637
1638 if ((chan->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
1639 (chan->conn_state & L2CAP_CONN_WAIT_F)) {
1640 err = len;
1641 break;
1642 }
1643
1644 err = l2cap_ertm_send(chan);
1645 if (err >= 0)
1646 err = len;
1647
1648 break;
1649
1650 default:
1651 BT_DBG("bad state %1.1x", chan->mode);
1652 err = -EBADFD;
1653 }
1654
1655 return err;
1656}
1657
1da177e4
LT		 1658static void l2cap_chan_ready(struct sock *sk)
1659{
1660 struct sock *parent = bt_sk(sk)->parent;
b4450035 1661 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1da177e4
LT		 1662
1663 BT_DBG("sk %p, parent %p", sk, parent);
1664
b4450035 1665 chan->conf_state = 0;
ab07801d 1666 l2cap_chan_clear_timer(chan);
1da177e4
LT		 1667
1668 if (!parent) {
1669 /* Outgoing channel.
1670 * Wake up socket sleeping on connect.
1671 */
1672 sk->sk_state = BT_CONNECTED;
1673 sk->sk_state_change(sk);
1674 } else {
1675 /* Incoming channel.
1676 * Wake up socket sleeping on accept.
1677 */
1678 parent->sk_data_ready(parent, 0);
1679 }
1680}
1681
1682/* Copy frame to all raw sockets on that connection */
1683static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
1684{
1da177e4 1685 struct sk_buff *nskb;
48454079 1686 struct l2cap_chan *chan;
1da177e4
LT		 1687
1688 BT_DBG("conn %p", conn);
1689
baa7e1fa
GP		 1690 read_lock(&conn->chan_lock);
1691 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 1692 struct sock *sk = chan->sk;
715ec005 1693 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 1694 continue;
1695
1696 /* Don't send frame to the socket it came from */
1697 if (skb->sk == sk)
1698 continue;
af05b30b
GP		 1699 nskb = skb_clone(skb, GFP_ATOMIC);
1700 if (!nskb)
1da177e4
LT		 1701 continue;
1702
1703 if (sock_queue_rcv_skb(sk, nskb))
1704 kfree_skb(nskb);
1705 }
baa7e1fa 1706 read_unlock(&conn->chan_lock);
1da177e4
LT		 1707}
1708
1709/* ---- L2CAP signalling commands ---- */
1710static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
1711 u8 code, u8 ident, u16 dlen, void *data)
1712{
1713 struct sk_buff *skb, **frag;
1714 struct l2cap_cmd_hdr *cmd;
1715 struct l2cap_hdr *lh;
1716 int len, count;
1717
af05b30b
GP		 1718 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
1719 conn, code, ident, dlen);
1da177e4
LT		 1720
1721 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
1722 count = min_t(unsigned int, conn->mtu, len);
1723
1724 skb = bt_skb_alloc(count, GFP_ATOMIC);
1725 if (!skb)
1726 return NULL;
1727
1728 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 1729 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 1730
1731 if (conn->hcon->type == LE_LINK)
1732 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
1733 else
1734 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 1735
1736 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
1737 cmd->code = code;
1738 cmd->ident = ident;
aca3192c 1739 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 1740
1741 if (dlen) {
1742 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
1743 memcpy(skb_put(skb, count), data, count);
1744 data += count;
1745 }
1746
1747 len -= skb->len;
1748
1749 /* Continuation fragments (no L2CAP header) */
1750 frag = &skb_shinfo(skb)->frag_list;
1751 while (len) {
1752 count = min_t(unsigned int, conn->mtu, len);
1753
1754 *frag = bt_skb_alloc(count, GFP_ATOMIC);
1755 if (!*frag)
1756 goto fail;
1757
1758 memcpy(skb_put(*frag, count), data, count);
1759
1760 len -= count;
1761 data += count;
1762
1763 frag = &(*frag)->next;
1764 }
1765
1766 return skb;
1767
1768fail:
1769 kfree_skb(skb);
1770 return NULL;
1771}
1772
1773static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
1774{
1775 struct l2cap_conf_opt *opt = *ptr;
1776 int len;
1777
1778 len = L2CAP_CONF_OPT_SIZE + opt->len;
1779 *ptr += len;
1780
1781 *type = opt->type;
1782 *olen = opt->len;
1783
1784 switch (opt->len) {
1785 case 1:
1786 *val = *((u8 *) opt->val);
1787 break;
1788
1789 case 2:
bfaaeb3e 1790 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 1791 break;
1792
1793 case 4:
bfaaeb3e 1794 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 1795 break;
1796
1797 default:
1798 *val = (unsigned long) opt->val;
1799 break;
1800 }
1801
1802 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
1803 return len;
1804}
1805
1da177e4
LT		 1806static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
1807{
1808 struct l2cap_conf_opt *opt = *ptr;
1809
1810 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
1811
1812 opt->type = type;
1813 opt->len = len;
1814
1815 switch (len) {
1816 case 1:
1817 *((u8 *) opt->val) = val;
1818 break;
1819
1820 case 2:
4f8b691c 1821 put_unaligned_le16(val, opt->val);
1da177e4
LT		 1822 break;
1823
1824 case 4:
4f8b691c 1825 put_unaligned_le32(val, opt->val);
1da177e4
LT		 1826 break;
1827
1828 default:
1829 memcpy(opt->val, (void *) val, len);
1830 break;
1831 }
1832
1833 *ptr += L2CAP_CONF_OPT_SIZE + len;
1834}
1835
c1b4f43b
GP		 1836static void l2cap_ack_timeout(unsigned long arg)
1837{
525cd185 1838 struct l2cap_chan *chan = (void *) arg;
c1b4f43b 1839
525cd185
GP		 1840 bh_lock_sock(chan->sk);
1841 l2cap_send_ack(chan);
1842 bh_unlock_sock(chan->sk);
c1b4f43b
GP		 1843}
1844
525cd185 1845static inline void l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 1846{
525cd185
GP		 1847 struct sock *sk = chan->sk;
1848
42e5c802 1849 chan->expected_ack_seq = 0;
6a026610 1850 chan->unacked_frames = 0;
42e5c802 1851 chan->buffer_seq = 0;
6a026610
GP		 1852 chan->num_acked = 0;
1853 chan->frames_sent = 0;
0565c1c2 1854
e92c8e70
GP		 1855 setup_timer(&chan->retrans_timer, l2cap_retrans_timeout,
1856 (unsigned long) chan);
1857 setup_timer(&chan->monitor_timer, l2cap_monitor_timeout,
1858 (unsigned long) chan);
1859 setup_timer(&chan->ack_timer, l2cap_ack_timeout, (unsigned long) chan);
0565c1c2 1860
f1c6775b
GP		 1861 skb_queue_head_init(&chan->srej_q);
1862 skb_queue_head_init(&chan->busy_q);
1890d36b 1863
39d5a3ee
GP		 1864 INIT_LIST_HEAD(&chan->srej_l);
1865
311bb895 1866 INIT_WORK(&chan->busy_work, l2cap_busy_work);
218bb9df
GP		 1867
1868 sk->sk_backlog_rcv = l2cap_ertm_data_rcv;
0565c1c2
GP		 1869}
1870
f2fcfcd6
GP		 1871static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
1872{
1873 switch (mode) {
1874 case L2CAP_MODE_STREAMING:
1875 case L2CAP_MODE_ERTM:
1876 if (l2cap_mode_supported(mode, remote_feat_mask))
1877 return mode;
1878 /* fall through */
1879 default:
1880 return L2CAP_MODE_BASIC;
1881 }
1882}
1883
710f9b0a 1884static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 1885{
1da177e4 1886 struct l2cap_conf_req *req = data;
0c1bc5c6 1887 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4
LT		 1888 void *ptr = req->data;
1889
49208c9c 1890 BT_DBG("chan %p", chan);
1da177e4 1891
73ffa904 1892 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 1893 goto done;
1894
0c1bc5c6 1895 switch (chan->mode) {
f2fcfcd6
GP		 1896 case L2CAP_MODE_STREAMING:
1897 case L2CAP_MODE_ERTM:
b4450035 1898 if (chan->conf_state & L2CAP_CONF_STATE2_DEVICE)
85eb53c6 1899 break;
85eb53c6 1900
2ba13ed6 1901 /* fall through */
f2fcfcd6 1902 default:
8c1d787b 1903 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 1904 break;
1905 }
1906
1907done:
0c1bc5c6
GP		 1908 if (chan->imtu != L2CAP_DEFAULT_MTU)
1909 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 1910
0c1bc5c6 1911 switch (chan->mode) {
65c7c491 1912 case L2CAP_MODE_BASIC:
8c1d787b
GP		 1913 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
1914 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 1915 break;
1916
62547752
GP		 1917 rfc.mode = L2CAP_MODE_BASIC;
1918 rfc.txwin_size = 0;
1919 rfc.max_transmit = 0;
1920 rfc.retrans_timeout = 0;
1921 rfc.monitor_timeout = 0;
1922 rfc.max_pdu_size = 0;
1923
63406504
GP		 1924 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
1925 (unsigned long) &rfc);
65c7c491
MH		 1926 break;
1927
1928 case L2CAP_MODE_ERTM:
1929 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61
GP		 1930 rfc.txwin_size = chan->tx_win;
1931 rfc.max_transmit = chan->max_tx;
f2fcfcd6
GP		 1932 rfc.retrans_timeout = 0;
1933 rfc.monitor_timeout = 0;
c74e560c 1934 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
8c1d787b
GP		 1935 if (L2CAP_DEFAULT_MAX_PDU_SIZE > chan->conn->mtu - 10)
1936 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
f2fcfcd6 1937
63406504
GP		 1938 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
1939 (unsigned long) &rfc);
1940
8c1d787b 1941 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 1942 break;
1943
47d1ec61 1944 if (chan->fcs == L2CAP_FCS_NONE ||
b4450035 1945 chan->conf_state & L2CAP_CONF_NO_FCS_RECV) {
47d1ec61
GP		 1946 chan->fcs = L2CAP_FCS_NONE;
1947 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 1948 }
f2fcfcd6
GP		 1949 break;
1950
1951 case L2CAP_MODE_STREAMING:
1952 rfc.mode = L2CAP_MODE_STREAMING;
1953 rfc.txwin_size = 0;
1954 rfc.max_transmit = 0;
1955 rfc.retrans_timeout = 0;
1956 rfc.monitor_timeout = 0;
c74e560c 1957 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
8c1d787b
GP		 1958 if (L2CAP_DEFAULT_MAX_PDU_SIZE > chan->conn->mtu - 10)
1959 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
65c7c491 1960
63406504
GP		 1961 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
1962 (unsigned long) &rfc);
1963
8c1d787b 1964 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 1965 break;
1966
47d1ec61 1967 if (chan->fcs == L2CAP_FCS_NONE ||
b4450035 1968 chan->conf_state & L2CAP_CONF_NO_FCS_RECV) {
47d1ec61
GP		 1969 chan->fcs = L2CAP_FCS_NONE;
1970 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 1971 }
65c7c491
MH		 1972 break;
1973 }
1da177e4 1974
fe4128e0 1975 req->dcid = cpu_to_le16(chan->dcid);
aca3192c 1976 req->flags = cpu_to_le16(0);
1da177e4
LT		 1977
1978 return ptr - data;
1979}
1980
73ffa904 1981static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 1982{
5dee9e7c
MH		 1983 struct l2cap_conf_rsp *rsp = data;
1984 void *ptr = rsp->data;
73ffa904
GP		 1985 void *req = chan->conf_req;
1986 int len = chan->conf_len;
5dee9e7c
MH		 1987 int type, hint, olen;
1988 unsigned long val;
6464f35f 1989 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
861d6882 1990 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 1991 u16 result = L2CAP_CONF_SUCCESS;
1da177e4 1992
73ffa904 1993 BT_DBG("chan %p", chan);
820ae1b8 1994
5dee9e7c
MH		 1995 while (len >= L2CAP_CONF_OPT_SIZE) {
1996 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 1997
589d2746 1998 hint = type & L2CAP_CONF_HINT;
47ec1dcd 1999 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 2000
2001 switch (type) {
2002 case L2CAP_CONF_MTU:
861d6882 2003 mtu = val;
5dee9e7c
MH		 2004 break;
2005
2006 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2007 chan->flush_to = val;
5dee9e7c
MH		 2008 break;
2009
2010 case L2CAP_CONF_QOS:
2011 break;
2012
6464f35f
MH		 2013 case L2CAP_CONF_RFC:
2014 if (olen == sizeof(rfc))
2015 memcpy(&rfc, (void *) val, olen);
2016 break;
2017
fcc203c3
GP		 2018 case L2CAP_CONF_FCS:
2019 if (val == L2CAP_FCS_NONE)
b4450035 2020 chan->conf_state |= L2CAP_CONF_NO_FCS_RECV;
fcc203c3
GP		 2021
2022 break;
2023
5dee9e7c
MH		 2024 default:
2025 if (hint)
2026 break;
2027
2028 result = L2CAP_CONF_UNKNOWN;
2029 *((u8 *) ptr++) = type;
2030 break;
2031 }
2032 }
2033
73ffa904 2034 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 2035 goto done;
2036
0c1bc5c6 2037 switch (chan->mode) {
f2fcfcd6
GP		 2038 case L2CAP_MODE_STREAMING:
2039 case L2CAP_MODE_ERTM:
b4450035 2040 if (!(chan->conf_state & L2CAP_CONF_STATE2_DEVICE)) {
0c1bc5c6 2041 chan->mode = l2cap_select_mode(rfc.mode,
8c1d787b 2042 chan->conn->feat_mask);
85eb53c6
GP		 2043 break;
2044 }
2045
0c1bc5c6 2046 if (chan->mode != rfc.mode)
f2fcfcd6 2047 return -ECONNREFUSED;
742e519b 2048
f2fcfcd6 2049 break;
f2fcfcd6
GP		 2050 }
2051
2052done:
0c1bc5c6 2053 if (chan->mode != rfc.mode) {
f2fcfcd6 2054 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2055 rfc.mode = chan->mode;
f2fcfcd6 2056
73ffa904 2057 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 2058 return -ECONNREFUSED;
2059
2060 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2061 sizeof(rfc), (unsigned long) &rfc);
2062 }
2063
2064
5dee9e7c
MH		 2065 if (result == L2CAP_CONF_SUCCESS) {
2066 /* Configure output options and let the other side know
2067 * which ones we don't like. */
2068
f2fcfcd6
GP		 2069 if (mtu < L2CAP_DEFAULT_MIN_MTU)
2070 result = L2CAP_CONF_UNACCEPT;
2071 else {
0c1bc5c6 2072 chan->omtu = mtu;
b4450035 2073 chan->conf_state |= L2CAP_CONF_MTU_DONE;
f2fcfcd6 2074 }
0c1bc5c6 2075 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 2076
f2fcfcd6
GP		 2077 switch (rfc.mode) {
2078 case L2CAP_MODE_BASIC:
47d1ec61 2079 chan->fcs = L2CAP_FCS_NONE;
b4450035 2080 chan->conf_state |= L2CAP_CONF_MODE_DONE;
f2fcfcd6
GP		 2081 break;
2082
2083 case L2CAP_MODE_ERTM:
2c03a7a4
GP		 2084 chan->remote_tx_win = rfc.txwin_size;
2085 chan->remote_max_tx = rfc.max_transmit;
86b1b263 2086
8c1d787b
GP		 2087 if (le16_to_cpu(rfc.max_pdu_size) > chan->conn->mtu - 10)
2088 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
1c762159 2089
2c03a7a4 2090 chan->remote_mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6 2091
10467e9e
GP		 2092 rfc.retrans_timeout =
2093 le16_to_cpu(L2CAP_DEFAULT_RETRANS_TO);
2094 rfc.monitor_timeout =
2095 le16_to_cpu(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6 2096
b4450035 2097 chan->conf_state |= L2CAP_CONF_MODE_DONE;
68ae6639
GP		 2098
2099 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2100 sizeof(rfc), (unsigned long) &rfc);
2101
f2fcfcd6
GP		 2102 break;
2103
2104 case L2CAP_MODE_STREAMING:
8c1d787b
GP		 2105 if (le16_to_cpu(rfc.max_pdu_size) > chan->conn->mtu - 10)
2106 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
1c762159 2107
2c03a7a4 2108 chan->remote_mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6 2109
b4450035 2110 chan->conf_state |= L2CAP_CONF_MODE_DONE;
68ae6639
GP		 2111
2112 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2113 sizeof(rfc), (unsigned long) &rfc);
2114
f2fcfcd6
GP		 2115 break;
2116
2117 default:
5dee9e7c 2118 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 2119
6464f35f 2120 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 2121 rfc.mode = chan->mode;
f2fcfcd6 2122 }
6464f35f 2123
f2fcfcd6 2124 if (result == L2CAP_CONF_SUCCESS)
b4450035 2125 chan->conf_state |= L2CAP_CONF_OUTPUT_DONE;
f2fcfcd6 2126 }
fe4128e0 2127 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c
MH		 2128 rsp->result = cpu_to_le16(result);
2129 rsp->flags = cpu_to_le16(0x0000);
2130
2131 return ptr - data;
1da177e4
LT		 2132}
2133
b4450035 2134static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
f2fcfcd6 2135{
f2fcfcd6
GP		 2136 struct l2cap_conf_req *req = data;
2137 void *ptr = req->data;
2138 int type, olen;
2139 unsigned long val;
2140 struct l2cap_conf_rfc rfc;
2141
fe4128e0 2142 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 2143
2144 while (len >= L2CAP_CONF_OPT_SIZE) {
2145 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2146
2147 switch (type) {
2148 case L2CAP_CONF_MTU:
2149 if (val < L2CAP_DEFAULT_MIN_MTU) {
2150 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2151 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 2152 } else
0c1bc5c6
GP		 2153 chan->imtu = val;
2154 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 2155 break;
2156
2157 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2158 chan->flush_to = val;
f2fcfcd6 2159 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
0c1bc5c6 2160 2, chan->flush_to);
f2fcfcd6
GP		 2161 break;
2162
2163 case L2CAP_CONF_RFC:
2164 if (olen == sizeof(rfc))
2165 memcpy(&rfc, (void *)val, olen);
2166
b4450035 2167 if ((chan->conf_state & L2CAP_CONF_STATE2_DEVICE) &&
0c1bc5c6 2168 rfc.mode != chan->mode)
f2fcfcd6
GP		 2169 return -ECONNREFUSED;
2170
47d1ec61 2171 chan->fcs = 0;
f2fcfcd6
GP		 2172
2173 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2174 sizeof(rfc), (unsigned long) &rfc);
2175 break;
2176 }
2177 }
2178
0c1bc5c6 2179 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 2180 return -ECONNREFUSED;
2181
0c1bc5c6 2182 chan->mode = rfc.mode;
6c2ea7a8 2183
f2fcfcd6
GP		 2184 if (*result == L2CAP_CONF_SUCCESS) {
2185 switch (rfc.mode) {
2186 case L2CAP_MODE_ERTM:
47d1ec61
GP		 2187 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2188 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2189 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2190 break;
2191 case L2CAP_MODE_STREAMING:
47d1ec61 2192 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2193 }
2194 }
2195
fe4128e0 2196 req->dcid = cpu_to_le16(chan->dcid);
f2fcfcd6
GP		 2197 req->flags = cpu_to_le16(0x0000);
2198
2199 return ptr - data;
2200}
2201
fe4128e0 2202static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
1da177e4
LT		 2203{
2204 struct l2cap_conf_rsp *rsp = data;
2205 void *ptr = rsp->data;
1da177e4 2206
fe4128e0 2207 BT_DBG("chan %p", chan);
1da177e4 2208
fe4128e0 2209 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 2210 rsp->result = cpu_to_le16(result);
aca3192c 2211 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 2212
2213 return ptr - data;
2214}
2215
8c1d787b 2216void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 2217{
2218 struct l2cap_conn_rsp rsp;
8c1d787b 2219 struct l2cap_conn *conn = chan->conn;
710f9b0a
GP		 2220 u8 buf[128];
2221
fe4128e0
GP		 2222 rsp.scid = cpu_to_le16(chan->dcid);
2223 rsp.dcid = cpu_to_le16(chan->scid);
710f9b0a
GP		 2224 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
2225 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
2226 l2cap_send_cmd(conn, chan->ident,
2227 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2228
b4450035 2229 if (chan->conf_state & L2CAP_CONF_REQ_SENT)
710f9b0a
GP		 2230 return;
2231
b4450035 2232 chan->conf_state |= L2CAP_CONF_REQ_SENT;
710f9b0a
GP		 2233 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2234 l2cap_build_conf_req(chan, buf), buf);
2235 chan->num_conf_req++;
2236}
2237
47d1ec61 2238static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 2239{
7b1c0049
GP		 2240 int type, olen;
2241 unsigned long val;
2242 struct l2cap_conf_rfc rfc;
2243
47d1ec61 2244 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 2245
0c1bc5c6 2246 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 2247 return;
2248
2249 while (len >= L2CAP_CONF_OPT_SIZE) {
2250 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2251
2252 switch (type) {
2253 case L2CAP_CONF_RFC:
2254 if (olen == sizeof(rfc))
2255 memcpy(&rfc, (void *)val, olen);
2256 goto done;
2257 }
2258 }
2259
2260done:
2261 switch (rfc.mode) {
2262 case L2CAP_MODE_ERTM:
47d1ec61
GP		 2263 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2264 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2265 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2266 break;
2267 case L2CAP_MODE_STREAMING:
47d1ec61 2268 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2269 }
2270}
2271
4e8402a3
MH		 2272static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2273{
2274 struct l2cap_cmd_rej *rej = (struct l2cap_cmd_rej *) data;
2275
2276 if (rej->reason != 0x0000)
2277 return 0;
2278
2279 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2280 cmd->ident == conn->info_ident) {
4e8402a3 2281 del_timer(&conn->info_timer);
984947dc
MH		 2282
2283 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2284 conn->info_ident = 0;
984947dc 2285
4e8402a3
MH		 2286 l2cap_conn_start(conn);
2287 }
2288
2289 return 0;
2290}
2291
1da177e4
LT		 2292static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2293{
1da177e4
LT		 2294 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
2295 struct l2cap_conn_rsp rsp;
23691d75 2296 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 2297 struct sock *parent, *sk = NULL;
e7c29cb1 2298 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2299
2300 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 2301 __le16 psm = req->psm;
1da177e4
LT		 2302
2303 BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
2304
2305 /* Check if we have socket listening on psm */
23691d75
GP		 2306 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src);
2307 if (!pchan) {
1da177e4
LT		 2308 result = L2CAP_CR_BAD_PSM;
2309 goto sendresp;
2310 }
2311
23691d75
GP		 2312 parent = pchan->sk;
2313
e0f0cb56
GP		 2314 bh_lock_sock(parent);
2315
e7c29cb1
MH		 2316 /* Check if the ACL is secure enough (if not SDP) */
2317 if (psm != cpu_to_le16(0x0001) &&
2318 !hci_conn_check_link_mode(conn->hcon)) {
2950f21a 2319 conn->disc_reason = 0x05;
e7c29cb1
MH		 2320 result = L2CAP_CR_SEC_BLOCK;
2321 goto response;
2322 }
2323
1da177e4
LT		 2324 result = L2CAP_CR_NO_MEM;
2325
2326 /* Check for backlog size */
2327 if (sk_acceptq_is_full(parent)) {
8e87d142 2328 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1da177e4
LT		 2329 goto response;
2330 }
2331
3b1e0a65 2332 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP, GFP_ATOMIC);
1da177e4
LT		 2333 if (!sk)
2334 goto response;
2335
23691d75 2336 chan = l2cap_chan_create(sk);
48454079
GP		 2337 if (!chan) {
2338 l2cap_sock_kill(sk);
2339 goto response;
2340 }
2341
5d41ce1d
GP		 2342 l2cap_pi(sk)->chan = chan;
2343
baa7e1fa 2344 write_lock_bh(&conn->chan_lock);
1da177e4
LT		 2345
2346 /* Check if we already have channel with that dcid */
baa7e1fa
GP		 2347 if (__l2cap_get_chan_by_dcid(conn, scid)) {
2348 write_unlock_bh(&conn->chan_lock);
1da177e4
LT		 2349 sock_set_flag(sk, SOCK_ZAPPED);
2350 l2cap_sock_kill(sk);
2351 goto response;
2352 }
2353
2354 hci_conn_hold(conn->hcon);
2355
2356 l2cap_sock_init(sk, parent);
2357 bacpy(&bt_sk(sk)->src, conn->src);
2358 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 2359 chan->psm = psm;
2360 chan->dcid = scid;
1da177e4 2361
d1010240
GP		 2362 bt_accept_enqueue(parent, sk);
2363
48454079
GP		 2364 __l2cap_chan_add(conn, chan);
2365
fe4128e0 2366 dcid = chan->scid;
1da177e4 2367
ab07801d 2368 l2cap_chan_set_timer(chan, sk->sk_sndtimeo);
1da177e4 2369
fc7f8a7e 2370 chan->ident = cmd->ident;
1da177e4 2371
984947dc 2372 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
4343478f 2373 if (l2cap_check_security(chan)) {
f66dc81f
MH		 2374 if (bt_sk(sk)->defer_setup) {
2375 sk->sk_state = BT_CONNECT2;
2376 result = L2CAP_CR_PEND;
2377 status = L2CAP_CS_AUTHOR_PEND;
2378 parent->sk_data_ready(parent, 0);
2379 } else {
2380 sk->sk_state = BT_CONFIG;
2381 result = L2CAP_CR_SUCCESS;
2382 status = L2CAP_CS_NO_INFO;
2383 }
79d554a6
MH		 2384 } else {
2385 sk->sk_state = BT_CONNECT2;
2386 result = L2CAP_CR_PEND;
2387 status = L2CAP_CS_AUTHEN_PEND;
2388 }
2389 } else {
2390 sk->sk_state = BT_CONNECT2;
2391 result = L2CAP_CR_PEND;
2392 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2393 }
2394
baa7e1fa 2395 write_unlock_bh(&conn->chan_lock);
1da177e4
LT		 2396
2397response:
2398 bh_unlock_sock(parent);
2399
2400sendresp:
aca3192c
YH		 2401 rsp.scid = cpu_to_le16(scid);
2402 rsp.dcid = cpu_to_le16(dcid);
2403 rsp.result = cpu_to_le16(result);
2404 rsp.status = cpu_to_le16(status);
1da177e4 2405 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 2406
2407 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
2408 struct l2cap_info_req info;
2409 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2410
2411 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
2412 conn->info_ident = l2cap_get_ident(conn);
2413
2414 mod_timer(&conn->info_timer, jiffies +
2415 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
2416
2417 l2cap_send_cmd(conn, conn->info_ident,
2418 L2CAP_INFO_REQ, sizeof(info), &info);
2419 }
2420
b4450035 2421 if (chan && !(chan->conf_state & L2CAP_CONF_REQ_SENT) &&
e9aeb2dd
GP		 2422 result == L2CAP_CR_SUCCESS) {
2423 u8 buf[128];
b4450035 2424 chan->conf_state |= L2CAP_CONF_REQ_SENT;
e9aeb2dd 2425 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2426 l2cap_build_conf_req(chan, buf), buf);
2427 chan->num_conf_req++;
e9aeb2dd
GP		 2428 }
2429
1da177e4
LT		 2430 return 0;
2431}
2432
2433static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2434{
2435 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
2436 u16 scid, dcid, result, status;
48454079 2437 struct l2cap_chan *chan;
1da177e4
LT		 2438 struct sock *sk;
2439 u8 req[128];
2440
2441 scid = __le16_to_cpu(rsp->scid);
2442 dcid = __le16_to_cpu(rsp->dcid);
2443 result = __le16_to_cpu(rsp->result);
2444 status = __le16_to_cpu(rsp->status);
2445
2446 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status);
2447
2448 if (scid) {
baa7e1fa 2449 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2450 if (!chan)
57d3b22b 2451 return -EFAULT;
1da177e4 2452 } else {
baa7e1fa 2453 chan = l2cap_get_chan_by_ident(conn, cmd->ident);
48454079 2454 if (!chan)
57d3b22b 2455 return -EFAULT;
1da177e4
LT		 2456 }
2457
48454079
GP		 2458 sk = chan->sk;
2459
1da177e4
LT		 2460 switch (result) {
2461 case L2CAP_CR_SUCCESS:
2462 sk->sk_state = BT_CONFIG;
fc7f8a7e 2463 chan->ident = 0;
fe4128e0 2464 chan->dcid = dcid;
b4450035 2465 chan->conf_state &= ~L2CAP_CONF_CONNECT_PEND;
6a8d3010 2466
b4450035 2467 if (chan->conf_state & L2CAP_CONF_REQ_SENT)
e9aeb2dd
GP		 2468 break;
2469
b4450035 2470 chan->conf_state |= L2CAP_CONF_REQ_SENT;
e9aeb2dd 2471
1da177e4 2472 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2473 l2cap_build_conf_req(chan, req), req);
2474 chan->num_conf_req++;
1da177e4
LT		 2475 break;
2476
2477 case L2CAP_CR_PEND:
b4450035 2478 chan->conf_state |= L2CAP_CONF_CONNECT_PEND;
1da177e4
LT		 2479 break;
2480
2481 default:
a49184c2
AE		 2482 /* don't delete l2cap channel if sk is owned by user */
2483 if (sock_owned_by_user(sk)) {
2484 sk->sk_state = BT_DISCONN;
ab07801d
GP		 2485 l2cap_chan_clear_timer(chan);
2486 l2cap_chan_set_timer(chan, HZ / 5);
a49184c2
AE		 2487 break;
2488 }
2489
48454079 2490 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 2491 break;
2492 }
2493
2494 bh_unlock_sock(sk);
2495 return 0;
2496}
2497
47d1ec61 2498static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60 2499{
47d1ec61
GP		 2500 struct l2cap_pinfo *pi = l2cap_pi(chan->sk);
2501
8c462b60
MM		 2502 /* FCS is enabled only in ERTM or streaming mode, if one or both
2503 * sides request it.
2504 */
0c1bc5c6 2505 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 2506 chan->fcs = L2CAP_FCS_NONE;
b4450035 2507 else if (!(pi->chan->conf_state & L2CAP_CONF_NO_FCS_RECV))
47d1ec61 2508 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 2509}
2510
88219a0f 2511static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 2512{
2513 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
2514 u16 dcid, flags;
2515 u8 rsp[64];
48454079 2516 struct l2cap_chan *chan;
1da177e4 2517 struct sock *sk;
5dee9e7c 2518 int len;
1da177e4
LT		 2519
2520 dcid = __le16_to_cpu(req->dcid);
2521 flags = __le16_to_cpu(req->flags);
2522
2523 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
2524
baa7e1fa 2525 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 2526 if (!chan)
1da177e4
LT		 2527 return -ENOENT;
2528
48454079
GP		 2529 sk = chan->sk;
2530
df6bd743
GP		 2531 if (sk->sk_state != BT_CONFIG) {
2532 struct l2cap_cmd_rej rej;
2533
2534 rej.reason = cpu_to_le16(0x0002);
2535 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
2536 sizeof(rej), &rej);
354f60a9 2537 goto unlock;
df6bd743 2538 }
354f60a9 2539
5dee9e7c 2540 /* Reject if config buffer is too small. */
88219a0f 2541 len = cmd_len - sizeof(*req);
73ffa904 2542 if (chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 2543 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 2544 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c
MH		 2545 L2CAP_CONF_REJECT, flags), rsp);
2546 goto unlock;
2547 }
2548
2549 /* Store config. */
73ffa904
GP		 2550 memcpy(chan->conf_req + chan->conf_len, req->data, len);
2551 chan->conf_len += len;
1da177e4
LT		 2552
2553 if (flags & 0x0001) {
2554 /* Incomplete config. Send empty response. */
2555 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 2556 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c 2557 L2CAP_CONF_SUCCESS, 0x0001), rsp);
1da177e4
LT		 2558 goto unlock;
2559 }
2560
2561 /* Complete config. */
73ffa904 2562 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 2563 if (len < 0) {
e92c8e70 2564 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4 2565 goto unlock;
f2fcfcd6 2566 }
1da177e4 2567
5dee9e7c 2568 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 2569 chan->num_conf_rsp++;
5dee9e7c 2570
5dee9e7c 2571 /* Reset config buffer. */
73ffa904 2572 chan->conf_len = 0;
5dee9e7c 2573
b4450035 2574 if (!(chan->conf_state & L2CAP_CONF_OUTPUT_DONE))
876d9484
MH		 2575 goto unlock;
2576
b4450035 2577 if (chan->conf_state & L2CAP_CONF_INPUT_DONE) {
47d1ec61 2578 set_default_fcs(chan);
fcc203c3 2579
1da177e4 2580 sk->sk_state = BT_CONNECTED;
e90bac06 2581
42e5c802
GP		 2582 chan->next_tx_seq = 0;
2583 chan->expected_tx_seq = 0;
58d35f87 2584 skb_queue_head_init(&chan->tx_q);
0c1bc5c6 2585 if (chan->mode == L2CAP_MODE_ERTM)
525cd185 2586 l2cap_ertm_init(chan);
0565c1c2 2587
1da177e4 2588 l2cap_chan_ready(sk);
876d9484
MH		 2589 goto unlock;
2590 }
2591
b4450035 2592 if (!(chan->conf_state & L2CAP_CONF_REQ_SENT)) {
79d554a6 2593 u8 buf[64];
b4450035 2594 chan->conf_state |= L2CAP_CONF_REQ_SENT;
1da177e4 2595 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2596 l2cap_build_conf_req(chan, buf), buf);
2597 chan->num_conf_req++;
1da177e4
LT		 2598 }
2599
2600unlock:
2601 bh_unlock_sock(sk);
2602 return 0;
2603}
2604
2605static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2606{
2607 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
2608 u16 scid, flags, result;
48454079 2609 struct l2cap_chan *chan;
1da177e4 2610 struct sock *sk;
7b1c0049 2611 int len = cmd->len - sizeof(*rsp);
1da177e4
LT		 2612
2613 scid = __le16_to_cpu(rsp->scid);
2614 flags = __le16_to_cpu(rsp->flags);
2615 result = __le16_to_cpu(rsp->result);
2616
af05b30b
GP		 2617 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x",
2618 scid, flags, result);
1da177e4 2619
baa7e1fa 2620 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2621 if (!chan)
1da177e4
LT		 2622 return 0;
2623
48454079
GP		 2624 sk = chan->sk;
2625
1da177e4
LT		 2626 switch (result) {
2627 case L2CAP_CONF_SUCCESS:
47d1ec61 2628 l2cap_conf_rfc_get(chan, rsp->data, len);
1da177e4
LT		 2629 break;
2630
2631 case L2CAP_CONF_UNACCEPT:
73ffa904 2632 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 2633 char req[64];
2634
c2c77ec8 2635 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
e92c8e70 2636 l2cap_send_disconn_req(conn, chan, ECONNRESET);
c2c77ec8
AE		 2637 goto done;
2638 }
2639
f2fcfcd6
GP		 2640 /* throw out any old stored conf requests */
2641 result = L2CAP_CONF_SUCCESS;
b4450035
GP		 2642 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2643 req, &result);
f2fcfcd6 2644 if (len < 0) {
e92c8e70 2645 l2cap_send_disconn_req(conn, chan, ECONNRESET);
f2fcfcd6
GP		 2646 goto done;
2647 }
2648
2649 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2650 L2CAP_CONF_REQ, len, req);
73ffa904 2651 chan->num_conf_req++;
f2fcfcd6
GP		 2652 if (result != L2CAP_CONF_SUCCESS)
2653 goto done;
2654 break;
1da177e4
LT		 2655 }
2656
8e87d142 2657 default:
b1235d79 2658 sk->sk_err = ECONNRESET;
ab07801d 2659 l2cap_chan_set_timer(chan, HZ * 5);
e92c8e70 2660 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4
LT		 2661 goto done;
2662 }
2663
2664 if (flags & 0x01)
2665 goto done;
2666
b4450035 2667 chan->conf_state |= L2CAP_CONF_INPUT_DONE;
1da177e4 2668
b4450035 2669 if (chan->conf_state & L2CAP_CONF_OUTPUT_DONE) {
47d1ec61 2670 set_default_fcs(chan);
fcc203c3 2671
1da177e4 2672 sk->sk_state = BT_CONNECTED;
42e5c802
GP		 2673 chan->next_tx_seq = 0;
2674 chan->expected_tx_seq = 0;
58d35f87 2675 skb_queue_head_init(&chan->tx_q);
0c1bc5c6 2676 if (chan->mode == L2CAP_MODE_ERTM)
525cd185 2677 l2cap_ertm_init(chan);
0565c1c2 2678
1da177e4
LT		 2679 l2cap_chan_ready(sk);
2680 }
2681
2682done:
2683 bh_unlock_sock(sk);
2684 return 0;
2685}
2686
2687static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2688{
2689 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
2690 struct l2cap_disconn_rsp rsp;
2691 u16 dcid, scid;
48454079 2692 struct l2cap_chan *chan;
1da177e4
LT		 2693 struct sock *sk;
2694
2695 scid = __le16_to_cpu(req->scid);
2696 dcid = __le16_to_cpu(req->dcid);
2697
2698 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
2699
baa7e1fa 2700 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 2701 if (!chan)
1da177e4
LT		 2702 return 0;
2703
48454079
GP		 2704 sk = chan->sk;
2705
fe4128e0
GP		 2706 rsp.dcid = cpu_to_le16(chan->scid);
2707 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 2708 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
2709
2710 sk->sk_shutdown = SHUTDOWN_MASK;
2711
a49184c2
AE		 2712 /* don't delete l2cap channel if sk is owned by user */
2713 if (sock_owned_by_user(sk)) {
2714 sk->sk_state = BT_DISCONN;
ab07801d
GP		 2715 l2cap_chan_clear_timer(chan);
2716 l2cap_chan_set_timer(chan, HZ / 5);
a49184c2
AE		 2717 bh_unlock_sock(sk);
2718 return 0;
2719 }
2720
48454079 2721 l2cap_chan_del(chan, ECONNRESET);
1da177e4
LT		 2722 bh_unlock_sock(sk);
2723
2724 l2cap_sock_kill(sk);
2725 return 0;
2726}
2727
2728static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2729{
2730 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
2731 u16 dcid, scid;
48454079 2732 struct l2cap_chan *chan;
1da177e4
LT		 2733 struct sock *sk;
2734
2735 scid = __le16_to_cpu(rsp->scid);
2736 dcid = __le16_to_cpu(rsp->dcid);
2737
2738 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
2739
baa7e1fa 2740 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2741 if (!chan)
1da177e4
LT		 2742 return 0;
2743
48454079
GP		 2744 sk = chan->sk;
2745
a49184c2
AE		 2746 /* don't delete l2cap channel if sk is owned by user */
2747 if (sock_owned_by_user(sk)) {
2748 sk->sk_state = BT_DISCONN;
ab07801d
GP		 2749 l2cap_chan_clear_timer(chan);
2750 l2cap_chan_set_timer(chan, HZ / 5);
a49184c2
AE		 2751 bh_unlock_sock(sk);
2752 return 0;
2753 }
2754
48454079 2755 l2cap_chan_del(chan, 0);
1da177e4
LT		 2756 bh_unlock_sock(sk);
2757
2758 l2cap_sock_kill(sk);
2759 return 0;
2760}
2761
2762static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2763{
2764 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 2765 u16 type;
2766
2767 type = __le16_to_cpu(req->type);
2768
2769 BT_DBG("type 0x%4.4x", type);
2770
f0709e03
MH		 2771 if (type == L2CAP_IT_FEAT_MASK) {
2772 u8 buf[8];
44dd46de 2773 u32 feat_mask = l2cap_feat_mask;
f0709e03
MH		 2774 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2775 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2776 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 2777 if (!disable_ertm)
fcc203c3
GP		 2778 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
2779 | L2CAP_FEAT_FCS;
1b7bf4ed 2780 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 2781 l2cap_send_cmd(conn, cmd->ident,
2782 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 2783 } else if (type == L2CAP_IT_FIXED_CHAN) {
2784 u8 buf[12];
2785 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2786 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2787 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
2788 memcpy(buf + 4, l2cap_fixed_chan, 8);
2789 l2cap_send_cmd(conn, cmd->ident,
2790 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 2791 } else {
2792 struct l2cap_info_rsp rsp;
2793 rsp.type = cpu_to_le16(type);
2794 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
2795 l2cap_send_cmd(conn, cmd->ident,
2796 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
2797 }
1da177e4
LT		 2798
2799 return 0;
2800}
2801
2802static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2803{
2804 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
2805 u16 type, result;
2806
2807 type = __le16_to_cpu(rsp->type);
2808 result = __le16_to_cpu(rsp->result);
2809
2810 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
2811
e90165be
AE		 2812 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
2813 if (cmd->ident != conn->info_ident ||
2814 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
2815 return 0;
2816
4e8402a3
MH		 2817 del_timer(&conn->info_timer);
2818
adb08ede
VT		 2819 if (result != L2CAP_IR_SUCCESS) {
2820 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2821 conn->info_ident = 0;
2822
2823 l2cap_conn_start(conn);
2824
2825 return 0;
2826 }
2827
984947dc 2828 if (type == L2CAP_IT_FEAT_MASK) {
83985319 2829 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 2830
47ec1dcd 2831 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c
MH		 2832 struct l2cap_info_req req;
2833 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2834
2835 conn->info_ident = l2cap_get_ident(conn);
2836
2837 l2cap_send_cmd(conn, conn->info_ident,
2838 L2CAP_INFO_REQ, sizeof(req), &req);
2839 } else {
2840 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2841 conn->info_ident = 0;
2842
2843 l2cap_conn_start(conn);
2844 }
2845 } else if (type == L2CAP_IT_FIXED_CHAN) {
984947dc 2846 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2847 conn->info_ident = 0;
984947dc
MH		 2848
2849 l2cap_conn_start(conn);
2850 }
4e8402a3 2851
1da177e4
LT		 2852 return 0;
2853}
2854
e2174ca4 2855static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
de73115a
CT		 2856 u16 to_multiplier)
2857{
2858 u16 max_latency;
2859
2860 if (min > max || min < 6 || max > 3200)
2861 return -EINVAL;
2862
2863 if (to_multiplier < 10 || to_multiplier > 3200)
2864 return -EINVAL;
2865
2866 if (max >= to_multiplier * 8)
2867 return -EINVAL;
2868
2869 max_latency = (to_multiplier * 8 / max) - 1;
2870 if (latency > 499 || latency > max_latency)
2871 return -EINVAL;
2872
2873 return 0;
2874}
2875
2876static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
2877 struct l2cap_cmd_hdr *cmd, u8 *data)
2878{
2879 struct hci_conn *hcon = conn->hcon;
2880 struct l2cap_conn_param_update_req *req;
2881 struct l2cap_conn_param_update_rsp rsp;
2882 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 2883 int err;
de73115a
CT		 2884
2885 if (!(hcon->link_mode & HCI_LM_MASTER))
2886 return -EINVAL;
2887
2888 cmd_len = __le16_to_cpu(cmd->len);
2889 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
2890 return -EPROTO;
2891
2892 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 2893 min = __le16_to_cpu(req->min);
2894 max = __le16_to_cpu(req->max);
de73115a
CT		 2895 latency = __le16_to_cpu(req->latency);
2896 to_multiplier = __le16_to_cpu(req->to_multiplier);
2897
2898 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
2899 min, max, latency, to_multiplier);
2900
2901 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 2902
2903 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
2904 if (err)
de73115a
CT		 2905 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
2906 else
2907 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
2908
2909 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
2910 sizeof(rsp), &rsp);
2911
2ce603eb
CT		 2912 if (!err)
2913 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
2914
de73115a
CT		 2915 return 0;
2916}
2917
3300d9a9
CT		 2918static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
2919 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
2920{
2921 int err = 0;
2922
2923 switch (cmd->code) {
2924 case L2CAP_COMMAND_REJ:
2925 l2cap_command_rej(conn, cmd, data);
2926 break;
2927
2928 case L2CAP_CONN_REQ:
2929 err = l2cap_connect_req(conn, cmd, data);
2930 break;
2931
2932 case L2CAP_CONN_RSP:
2933 err = l2cap_connect_rsp(conn, cmd, data);
2934 break;
2935
2936 case L2CAP_CONF_REQ:
2937 err = l2cap_config_req(conn, cmd, cmd_len, data);
2938 break;
2939
2940 case L2CAP_CONF_RSP:
2941 err = l2cap_config_rsp(conn, cmd, data);
2942 break;
2943
2944 case L2CAP_DISCONN_REQ:
2945 err = l2cap_disconnect_req(conn, cmd, data);
2946 break;
2947
2948 case L2CAP_DISCONN_RSP:
2949 err = l2cap_disconnect_rsp(conn, cmd, data);
2950 break;
2951
2952 case L2CAP_ECHO_REQ:
2953 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
2954 break;
2955
2956 case L2CAP_ECHO_RSP:
2957 break;
2958
2959 case L2CAP_INFO_REQ:
2960 err = l2cap_information_req(conn, cmd, data);
2961 break;
2962
2963 case L2CAP_INFO_RSP:
2964 err = l2cap_information_rsp(conn, cmd, data);
2965 break;
2966
2967 default:
2968 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
2969 err = -EINVAL;
2970 break;
2971 }
2972
2973 return err;
2974}
2975
2976static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
2977 struct l2cap_cmd_hdr *cmd, u8 *data)
2978{
2979 switch (cmd->code) {
2980 case L2CAP_COMMAND_REJ:
2981 return 0;
2982
2983 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 2984 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 2985
2986 case L2CAP_CONN_PARAM_UPDATE_RSP:
2987 return 0;
2988
2989 default:
2990 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
2991 return -EINVAL;
2992 }
2993}
2994
2995static inline void l2cap_sig_channel(struct l2cap_conn *conn,
2996 struct sk_buff *skb)
1da177e4
LT		 2997{
2998 u8 *data = skb->data;
2999 int len = skb->len;
3000 struct l2cap_cmd_hdr cmd;
3300d9a9 3001 int err;
1da177e4
LT		 3002
3003 l2cap_raw_recv(conn, skb);
3004
3005 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 3006 u16 cmd_len;
1da177e4
LT		 3007 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
3008 data += L2CAP_CMD_HDR_SIZE;
3009 len -= L2CAP_CMD_HDR_SIZE;
3010
88219a0f 3011 cmd_len = le16_to_cpu(cmd.len);
1da177e4 3012
88219a0f 3013 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 3014
88219a0f 3015 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 3016 BT_DBG("corrupted command");
3017 break;
3018 }
3019
3300d9a9
CT		 3020 if (conn->hcon->type == LE_LINK)
3021 err = l2cap_le_sig_cmd(conn, &cmd, data);
3022 else
3023 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 3024
3025 if (err) {
3026 struct l2cap_cmd_rej rej;
2c6d1a2e
GP		 3027
3028 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 3029
3030 /* FIXME: Map err to a valid reason */
aca3192c 3031 rej.reason = cpu_to_le16(0);
1da177e4
LT		 3032 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3033 }
3034
88219a0f
AV		 3035 data += cmd_len;
3036 len -= cmd_len;
1da177e4
LT		 3037 }
3038
3039 kfree_skb(skb);
3040}
3041
47d1ec61 3042static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 3043{
3044 u16 our_fcs, rcv_fcs;
3045 int hdr_size = L2CAP_HDR_SIZE + 2;
3046
47d1ec61 3047 if (chan->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 3048 skb_trim(skb, skb->len - 2);
3049 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
3050 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
3051
3052 if (our_fcs != rcv_fcs)
7a560e5c 3053 return -EBADMSG;
fcc203c3
GP		 3054 }
3055 return 0;
3056}
3057
525cd185 3058static inline void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 3059{
d5392c8f
GP		 3060 u16 control = 0;
3061
6a026610 3062 chan->frames_sent = 0;
d5392c8f 3063
42e5c802 3064 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
d5392c8f 3065
525cd185 3066 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
64988868 3067 control |= L2CAP_SUPER_RCV_NOT_READY;
525cd185
GP		 3068 l2cap_send_sframe(chan, control);
3069 chan->conn_state |= L2CAP_CONN_RNR_SENT;
d5392c8f
GP		 3070 }
3071
525cd185
GP		 3072 if (chan->conn_state & L2CAP_CONN_REMOTE_BUSY)
3073 l2cap_retransmit_frames(chan);
d5392c8f 3074
525cd185 3075 l2cap_ertm_send(chan);
d5392c8f 3076
525cd185 3077 if (!(chan->conn_state & L2CAP_CONN_LOCAL_BUSY) &&
6a026610 3078 chan->frames_sent == 0) {
d5392c8f 3079 control |= L2CAP_SUPER_RCV_READY;
525cd185 3080 l2cap_send_sframe(chan, control);
d5392c8f
GP		 3081 }
3082}
3083
42e5c802 3084static int l2cap_add_to_srej_queue(struct l2cap_chan *chan, struct sk_buff *skb, u8 tx_seq, u8 sar)
8f17154f
GP		 3085{
3086 struct sk_buff *next_skb;
bfbacc11 3087 int tx_seq_offset, next_tx_seq_offset;
8f17154f
GP		 3088
3089 bt_cb(skb)->tx_seq = tx_seq;
3090 bt_cb(skb)->sar = sar;
3091
f1c6775b 3092 next_skb = skb_peek(&chan->srej_q);
8f17154f 3093 if (!next_skb) {
f1c6775b 3094 __skb_queue_tail(&chan->srej_q, skb);
9b53350d 3095 return 0;
8f17154f
GP		 3096 }
3097
42e5c802 3098 tx_seq_offset = (tx_seq - chan->buffer_seq) % 64;
bfbacc11
JPRV		 3099 if (tx_seq_offset < 0)
3100 tx_seq_offset += 64;
3101
8f17154f 3102 do {
9b53350d
JPRV		 3103 if (bt_cb(next_skb)->tx_seq == tx_seq)
3104 return -EINVAL;
3105
bfbacc11 3106 next_tx_seq_offset = (bt_cb(next_skb)->tx_seq -
42e5c802 3107 chan->buffer_seq) % 64;
bfbacc11
JPRV		 3108 if (next_tx_seq_offset < 0)
3109 next_tx_seq_offset += 64;
3110
3111 if (next_tx_seq_offset > tx_seq_offset) {
f1c6775b 3112 __skb_queue_before(&chan->srej_q, next_skb, skb);
9b53350d 3113 return 0;
8f17154f
GP		 3114 }
3115
f1c6775b 3116 if (skb_queue_is_last(&chan->srej_q, next_skb))
8f17154f
GP		 3117 break;
3118
f1c6775b 3119 } while ((next_skb = skb_queue_next(&chan->srej_q, next_skb)));
8f17154f 3120
f1c6775b 3121 __skb_queue_tail(&chan->srej_q, skb);
9b53350d
JPRV		 3122
3123 return 0;
8f17154f
GP		 3124}
3125
525cd185 3126static int l2cap_ertm_reassembly_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u16 control)
18778a63 3127{
18778a63 3128 struct sk_buff *_skb;
1890d36b 3129 int err;
18778a63
GP		 3130
3131 switch (control & L2CAP_CTRL_SAR) {
3132 case L2CAP_SDU_UNSEGMENTED:
525cd185 3133 if (chan->conn_state & L2CAP_CONN_SAR_SDU)
18778a63
GP		 3134 goto drop;
3135
224f8af0 3136 return sock_queue_rcv_skb(chan->sk, skb);
18778a63
GP		 3137
3138 case L2CAP_SDU_START:
525cd185 3139 if (chan->conn_state & L2CAP_CONN_SAR_SDU)
18778a63
GP		 3140 goto drop;
3141
6f61fd47 3142 chan->sdu_len = get_unaligned_le16(skb->data);
18778a63 3143
0c1bc5c6 3144 if (chan->sdu_len > chan->imtu)
18778a63
GP		 3145 goto disconnect;
3146
6f61fd47
GP		 3147 chan->sdu = bt_skb_alloc(chan->sdu_len, GFP_ATOMIC);
3148 if (!chan->sdu)
1890d36b
GP		 3149 return -ENOMEM;
3150
3151 /* pull sdu_len bytes only after alloc, because of Local Busy
3152 * condition we have to be sure that this will be executed
3153 * only once, i.e., when alloc does not fail */
3154 skb_pull(skb, 2);
18778a63 3155
6f61fd47 3156 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
18778a63 3157
525cd185 3158 chan->conn_state |= L2CAP_CONN_SAR_SDU;
6f61fd47 3159 chan->partial_sdu_len = skb->len;
18778a63
GP		 3160 break;
3161
3162 case L2CAP_SDU_CONTINUE:
525cd185 3163 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
18778a63
GP		 3164 goto disconnect;
3165
6f61fd47 3166 if (!chan->sdu)
18778a63
GP		 3167 goto disconnect;
3168
6f61fd47
GP		 3169 chan->partial_sdu_len += skb->len;
3170 if (chan->partial_sdu_len > chan->sdu_len)
18778a63
GP		 3171 goto drop;
3172
6f61fd47 3173 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
4178ba46 3174
18778a63
GP		 3175 break;
3176
3177 case L2CAP_SDU_END:
525cd185 3178 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
18778a63
GP		 3179 goto disconnect;
3180
6f61fd47 3181 if (!chan->sdu)
18778a63
GP		 3182 goto disconnect;
3183
525cd185 3184 if (!(chan->conn_state & L2CAP_CONN_SAR_RETRY)) {
6f61fd47 3185 chan->partial_sdu_len += skb->len;
18778a63 3186
0c1bc5c6 3187 if (chan->partial_sdu_len > chan->imtu)
1890d36b 3188 goto drop;
18778a63 3189
6f61fd47 3190 if (chan->partial_sdu_len != chan->sdu_len)
1890d36b 3191 goto drop;
4178ba46 3192
6f61fd47 3193 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
1890d36b 3194 }
18778a63 3195
6f61fd47 3196 _skb = skb_clone(chan->sdu, GFP_ATOMIC);
1890d36b 3197 if (!_skb) {
525cd185 3198 chan->conn_state |= L2CAP_CONN_SAR_RETRY;
1890d36b
GP		 3199 return -ENOMEM;
3200 }
3201
525cd185 3202 err = sock_queue_rcv_skb(chan->sk, _skb);
1890d36b 3203 if (err < 0) {
18778a63 3204 kfree_skb(_skb);
525cd185 3205 chan->conn_state |= L2CAP_CONN_SAR_RETRY;
1890d36b
GP		 3206 return err;
3207 }
3208
525cd185
GP		 3209 chan->conn_state &= ~L2CAP_CONN_SAR_RETRY;
3210 chan->conn_state &= ~L2CAP_CONN_SAR_SDU;
18778a63 3211
6f61fd47 3212 kfree_skb(chan->sdu);
18778a63
GP		 3213 break;
3214 }
3215
3216 kfree_skb(skb);
1890d36b 3217 return 0;
18778a63
GP		 3218
3219drop:
6f61fd47
GP		 3220 kfree_skb(chan->sdu);
3221 chan->sdu = NULL;
18778a63
GP		 3222
3223disconnect:
8c1d787b 3224 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
18778a63
GP		 3225 kfree_skb(skb);
3226 return 0;
3227}
3228
525cd185 3229static int l2cap_try_push_rx_skb(struct l2cap_chan *chan)
712132eb 3230{
712132eb
GP		 3231 struct sk_buff *skb;
3232 u16 control;
3233 int err;
3234
f1c6775b 3235 while ((skb = skb_dequeue(&chan->busy_q))) {
712132eb 3236 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
525cd185 3237 err = l2cap_ertm_reassembly_sdu(chan, skb, control);
712132eb 3238 if (err < 0) {
f1c6775b 3239 skb_queue_head(&chan->busy_q, skb);
712132eb
GP		 3240 return -EBUSY;
3241 }
3242
42e5c802 3243 chan->buffer_seq = (chan->buffer_seq + 1) % 64;
712132eb
GP		 3244 }
3245
525cd185 3246 if (!(chan->conn_state & L2CAP_CONN_RNR_SENT))
712132eb
GP		 3247 goto done;
3248
42e5c802 3249 control = chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
712132eb 3250 control |= L2CAP_SUPER_RCV_READY | L2CAP_CTRL_POLL;
525cd185 3251 l2cap_send_sframe(chan, control);
6a026610 3252 chan->retry_count = 1;
712132eb 3253
e92c8e70 3254 del_timer(&chan->retrans_timer);
712132eb
GP		 3255 __mod_monitor_timer();
3256
525cd185 3257 chan->conn_state |= L2CAP_CONN_WAIT_F;
712132eb
GP		 3258
3259done:
525cd185
GP		 3260 chan->conn_state &= ~L2CAP_CONN_LOCAL_BUSY;
3261 chan->conn_state &= ~L2CAP_CONN_RNR_SENT;
712132eb 3262
49208c9c 3263 BT_DBG("chan %p, Exit local busy", chan);
712132eb
GP		 3264
3265 return 0;
3266}
3267
1890d36b
GP		 3268static void l2cap_busy_work(struct work_struct *work)
3269{
3270 DECLARE_WAITQUEUE(wait, current);
311bb895
GP		 3271 struct l2cap_chan *chan =
3272 container_of(work, struct l2cap_chan, busy_work);
3273 struct sock *sk = chan->sk;
1890d36b
GP		 3274 int n_tries = 0, timeo = HZ/5, err;
3275 struct sk_buff *skb;
1890d36b
GP		 3276
3277 lock_sock(sk);
3278
2b0b05dd 3279 add_wait_queue(sk_sleep(sk), &wait);
311bb895 3280 while ((skb = skb_peek(&chan->busy_q))) {
1890d36b
GP		 3281 set_current_state(TASK_INTERRUPTIBLE);
3282
3283 if (n_tries++ > L2CAP_LOCAL_BUSY_TRIES) {
3284 err = -EBUSY;
8c1d787b 3285 l2cap_send_disconn_req(chan->conn, chan, EBUSY);
712132eb 3286 break;
1890d36b
GP		 3287 }
3288
3289 if (!timeo)
3290 timeo = HZ/5;
3291
3292 if (signal_pending(current)) {
3293 err = sock_intr_errno(timeo);
712132eb 3294 break;
1890d36b
GP		 3295 }
3296
3297 release_sock(sk);
3298 timeo = schedule_timeout(timeo);
3299 lock_sock(sk);
3300
3301 err = sock_error(sk);
3302 if (err)
712132eb 3303 break;
1890d36b 3304
311bb895 3305 if (l2cap_try_push_rx_skb(chan) == 0)
1890d36b
GP		 3306 break;
3307 }
3308
1890d36b 3309 set_current_state(TASK_RUNNING);
2b0b05dd 3310 remove_wait_queue(sk_sleep(sk), &wait);
1890d36b
GP		 3311
3312 release_sock(sk);
3313}
3314
525cd185 3315static int l2cap_push_rx_skb(struct l2cap_chan *chan, struct sk_buff *skb, u16 control)
1890d36b 3316{
1890d36b
GP		 3317 int sctrl, err;
3318
525cd185 3319 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
1890d36b 3320 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
f1c6775b 3321 __skb_queue_tail(&chan->busy_q, skb);
525cd185 3322 return l2cap_try_push_rx_skb(chan);
712132eb
GP		 3323
3324
1890d36b
GP		 3325 }
3326
525cd185 3327 err = l2cap_ertm_reassembly_sdu(chan, skb, control);
1890d36b 3328 if (err >= 0) {
42e5c802 3329 chan->buffer_seq = (chan->buffer_seq + 1) % 64;
1890d36b
GP		 3330 return err;
3331 }
3332
3333 /* Busy Condition */
311bb895 3334 BT_DBG("chan %p, Enter local busy", chan);
0e98958d 3335
525cd185 3336 chan->conn_state |= L2CAP_CONN_LOCAL_BUSY;
1890d36b 3337 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
f1c6775b 3338 __skb_queue_tail(&chan->busy_q, skb);
1890d36b 3339
42e5c802 3340 sctrl = chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1890d36b 3341 sctrl |= L2CAP_SUPER_RCV_NOT_READY;
525cd185 3342 l2cap_send_sframe(chan, sctrl);
1890d36b 3343
525cd185 3344 chan->conn_state |= L2CAP_CONN_RNR_SENT;
1890d36b 3345
e92c8e70 3346 del_timer(&chan->ack_timer);
7fe9b298 3347
311bb895 3348 queue_work(_busy_wq, &chan->busy_work);
1890d36b
GP		 3349
3350 return err;
3351}
3352
525cd185 3353static int l2cap_streaming_reassembly_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u16 control)
c74e560c 3354{
c74e560c
GP		 3355 struct sk_buff *_skb;
3356 int err = -EINVAL;
3357
18778a63
GP		 3358 /*
3359 * TODO: We have to notify the userland if some data is lost with the
3360 * Streaming Mode.
3361 */
3362
c74e560c
GP		 3363 switch (control & L2CAP_CTRL_SAR) {
3364 case L2CAP_SDU_UNSEGMENTED:
525cd185 3365 if (chan->conn_state & L2CAP_CONN_SAR_SDU) {
6f61fd47 3366 kfree_skb(chan->sdu);
c74e560c
GP		 3367 break;
3368 }
3369
525cd185 3370 err = sock_queue_rcv_skb(chan->sk, skb);
c74e560c
GP		 3371 if (!err)
3372 return 0;
3373
3374 break;
3375
3376 case L2CAP_SDU_START:
525cd185 3377 if (chan->conn_state & L2CAP_CONN_SAR_SDU) {
6f61fd47 3378 kfree_skb(chan->sdu);
c74e560c
GP		 3379 break;
3380 }
3381
6f61fd47 3382 chan->sdu_len = get_unaligned_le16(skb->data);
c74e560c
GP		 3383 skb_pull(skb, 2);
3384
0c1bc5c6 3385 if (chan->sdu_len > chan->imtu) {
052897ca
GP		 3386 err = -EMSGSIZE;
3387 break;
3388 }
3389
6f61fd47
GP		 3390 chan->sdu = bt_skb_alloc(chan->sdu_len, GFP_ATOMIC);
3391 if (!chan->sdu) {
c74e560c
GP		 3392 err = -ENOMEM;
3393 break;
3394 }
3395
6f61fd47 3396 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
c74e560c 3397
525cd185 3398 chan->conn_state |= L2CAP_CONN_SAR_SDU;
6f61fd47 3399 chan->partial_sdu_len = skb->len;
c74e560c
GP		 3400 err = 0;
3401 break;
3402
3403 case L2CAP_SDU_CONTINUE:
525cd185 3404 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
c74e560c
GP		 3405 break;
3406
6f61fd47 3407 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
c74e560c 3408
6f61fd47
GP		 3409 chan->partial_sdu_len += skb->len;
3410 if (chan->partial_sdu_len > chan->sdu_len)
3411 kfree_skb(chan->sdu);
c74e560c
GP		 3412 else
3413 err = 0;
3414
3415 break;
3416
3417 case L2CAP_SDU_END:
525cd185 3418 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
c74e560c
GP		 3419 break;
3420
6f61fd47 3421 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
c74e560c 3422
525cd185 3423 chan->conn_state &= ~L2CAP_CONN_SAR_SDU;
6f61fd47 3424 chan->partial_sdu_len += skb->len;
c74e560c 3425
0c1bc5c6 3426 if (chan->partial_sdu_len > chan->imtu)
36f2fd58
GP		 3427 goto drop;
3428
6f61fd47
GP		 3429 if (chan->partial_sdu_len == chan->sdu_len) {
3430 _skb = skb_clone(chan->sdu, GFP_ATOMIC);
525cd185 3431 err = sock_queue_rcv_skb(chan->sk, _skb);
c74e560c
GP		 3432 if (err < 0)
3433 kfree_skb(_skb);
3434 }
c74e560c
GP		 3435 err = 0;
3436
36f2fd58 3437drop:
6f61fd47 3438 kfree_skb(chan->sdu);
c74e560c
GP		 3439 break;
3440 }
3441
3442 kfree_skb(skb);
3443 return err;
3444}
3445
525cd185 3446static void l2cap_check_srej_gap(struct l2cap_chan *chan, u8 tx_seq)
8f17154f
GP		 3447{
3448 struct sk_buff *skb;
afefdbc4 3449 u16 control;
8f17154f 3450
f1c6775b 3451 while ((skb = skb_peek(&chan->srej_q))) {
8f17154f
GP		 3452 if (bt_cb(skb)->tx_seq != tx_seq)
3453 break;
3454
f1c6775b 3455 skb = skb_dequeue(&chan->srej_q);
afefdbc4 3456 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
525cd185 3457 l2cap_ertm_reassembly_sdu(chan, skb, control);
42e5c802
GP		 3458 chan->buffer_seq_srej =
3459 (chan->buffer_seq_srej + 1) % 64;
8ff50ec0 3460 tx_seq = (tx_seq + 1) % 64;
8f17154f
GP		 3461 }
3462}
3463
525cd185 3464static void l2cap_resend_srejframe(struct l2cap_chan *chan, u8 tx_seq)
8f17154f 3465{
8f17154f
GP		 3466 struct srej_list *l, *tmp;
3467 u16 control;
3468
39d5a3ee 3469 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
8f17154f
GP		 3470 if (l->tx_seq == tx_seq) {
3471 list_del(&l->list);
3472 kfree(l);
3473 return;
3474 }
3475 control = L2CAP_SUPER_SELECT_REJECT;
3476 control |= l->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
525cd185 3477 l2cap_send_sframe(chan, control);
8f17154f 3478 list_del(&l->list);
39d5a3ee 3479 list_add_tail(&l->list, &chan->srej_l);
8f17154f
GP		 3480 }
3481}
3482
525cd185 3483static void l2cap_send_srejframe(struct l2cap_chan *chan, u8 tx_seq)
8f17154f 3484{
8f17154f
GP		 3485 struct srej_list *new;
3486 u16 control;
3487
42e5c802 3488 while (tx_seq != chan->expected_tx_seq) {
8f17154f 3489 control = L2CAP_SUPER_SELECT_REJECT;
42e5c802 3490 control |= chan->expected_tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
525cd185 3491 l2cap_send_sframe(chan, control);
8f17154f
GP		 3492
3493 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
42e5c802
GP		 3494 new->tx_seq = chan->expected_tx_seq;
3495 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
39d5a3ee 3496 list_add_tail(&new->list, &chan->srej_l);
8f17154f 3497 }
42e5c802 3498 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
8f17154f
GP		 3499}
3500
525cd185 3501static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u16 rx_control, struct sk_buff *skb)
1c2acffb 3502{
1c2acffb 3503 u8 tx_seq = __get_txseq(rx_control);
9f121a5a 3504 u8 req_seq = __get_reqseq(rx_control);
8f17154f 3505 u8 sar = rx_control >> L2CAP_CTRL_SAR_SHIFT;
f6337c77 3506 int tx_seq_offset, expected_tx_seq_offset;
47d1ec61 3507 int num_to_ack = (chan->tx_win/6) + 1;
1c2acffb
GP		 3508 int err = 0;
3509
525cd185
GP		 3510 BT_DBG("chan %p len %d tx_seq %d rx_control 0x%4.4x", chan, skb->len,
3511 tx_seq, rx_control);
1c2acffb 3512
9b16dc65 3513 if (L2CAP_CTRL_FINAL & rx_control &&
525cd185 3514 chan->conn_state & L2CAP_CONN_WAIT_F) {
e92c8e70 3515 del_timer(&chan->monitor_timer);
6a026610 3516 if (chan->unacked_frames > 0)
1d8f5d16 3517 __mod_retrans_timer();
525cd185 3518 chan->conn_state &= ~L2CAP_CONN_WAIT_F;
1d8f5d16
GP		 3519 }
3520
42e5c802
GP		 3521 chan->expected_ack_seq = req_seq;
3522 l2cap_drop_acked_frames(chan);
9f121a5a 3523
42e5c802 3524 if (tx_seq == chan->expected_tx_seq)
8f17154f 3525 goto expected;
1c2acffb 3526
42e5c802 3527 tx_seq_offset = (tx_seq - chan->buffer_seq) % 64;
9b53350d
JPRV		 3528 if (tx_seq_offset < 0)
3529 tx_seq_offset += 64;
3530
3531 /* invalid tx_seq */
47d1ec61 3532 if (tx_seq_offset >= chan->tx_win) {
8c1d787b 3533 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
9b53350d
JPRV		 3534 goto drop;
3535 }
3536
525cd185 3537 if (chan->conn_state == L2CAP_CONN_LOCAL_BUSY)
1890d36b
GP		 3538 goto drop;
3539
525cd185 3540 if (chan->conn_state & L2CAP_CONN_SREJ_SENT) {
8f17154f 3541 struct srej_list *first;
30afb5b2 3542
39d5a3ee 3543 first = list_first_entry(&chan->srej_l,
8f17154f
GP		 3544 struct srej_list, list);
3545 if (tx_seq == first->tx_seq) {
42e5c802 3546 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
525cd185 3547 l2cap_check_srej_gap(chan, tx_seq);
8f17154f
GP		 3548
3549 list_del(&first->list);
3550 kfree(first);
3551
39d5a3ee 3552 if (list_empty(&chan->srej_l)) {
42e5c802 3553 chan->buffer_seq = chan->buffer_seq_srej;
525cd185
GP		 3554 chan->conn_state &= ~L2CAP_CONN_SREJ_SENT;
3555 l2cap_send_ack(chan);
49208c9c 3556 BT_DBG("chan %p, Exit SREJ_SENT", chan);
8f17154f
GP		 3557 }
3558 } else {
3559 struct srej_list *l;
9b53350d
JPRV		 3560
3561 /* duplicated tx_seq */
42e5c802 3562 if (l2cap_add_to_srej_queue(chan, skb, tx_seq, sar) < 0)
9b53350d 3563 goto drop;
8f17154f 3564
39d5a3ee 3565 list_for_each_entry(l, &chan->srej_l, list) {
8f17154f 3566 if (l->tx_seq == tx_seq) {
525cd185 3567 l2cap_resend_srejframe(chan, tx_seq);
8f17154f
GP		 3568 return 0;
3569 }
3570 }
525cd185 3571 l2cap_send_srejframe(chan, tx_seq);
30afb5b2
GP		 3572 }
3573 } else {
9b53350d 3574 expected_tx_seq_offset =
42e5c802 3575 (chan->expected_tx_seq - chan->buffer_seq) % 64;
9b53350d
JPRV		 3576 if (expected_tx_seq_offset < 0)
3577 expected_tx_seq_offset += 64;
3578
3579 /* duplicated tx_seq */
3580 if (tx_seq_offset < expected_tx_seq_offset)
3581 goto drop;
3582
525cd185 3583 chan->conn_state |= L2CAP_CONN_SREJ_SENT;
1c2acffb 3584
49208c9c 3585 BT_DBG("chan %p, Enter SREJ", chan);
0e98958d 3586
39d5a3ee 3587 INIT_LIST_HEAD(&chan->srej_l);
42e5c802 3588 chan->buffer_seq_srej = chan->buffer_seq;
8f17154f 3589
f1c6775b
GP		 3590 __skb_queue_head_init(&chan->srej_q);
3591 __skb_queue_head_init(&chan->busy_q);
42e5c802 3592 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
8f17154f 3593
525cd185 3594 chan->conn_state |= L2CAP_CONN_SEND_PBIT;
ef54fd93 3595
525cd185 3596 l2cap_send_srejframe(chan, tx_seq);
7fe9b298 3597
e92c8e70 3598 del_timer(&chan->ack_timer);
1c2acffb 3599 }
30afb5b2
GP		 3600 return 0;
3601
8f17154f 3602expected:
42e5c802 3603 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
8f17154f 3604
525cd185 3605 if (chan->conn_state & L2CAP_CONN_SREJ_SENT) {
3b1a9f3f
GP		 3606 bt_cb(skb)->tx_seq = tx_seq;
3607 bt_cb(skb)->sar = sar;
f1c6775b 3608 __skb_queue_tail(&chan->srej_q, skb);
8f17154f
GP		 3609 return 0;
3610 }
3611
525cd185 3612 err = l2cap_push_rx_skb(chan, skb, rx_control);
2ece3684
GP		 3613 if (err < 0)
3614 return 0;
3615
4ec10d97 3616 if (rx_control & L2CAP_CTRL_FINAL) {
525cd185
GP		 3617 if (chan->conn_state & L2CAP_CONN_REJ_ACT)
3618 chan->conn_state &= ~L2CAP_CONN_REJ_ACT;
dfc909be 3619 else
525cd185 3620 l2cap_retransmit_frames(chan);
4ec10d97
GP		 3621 }
3622
c1b4f43b
GP		 3623 __mod_ack_timer();
3624
6a026610
GP		 3625 chan->num_acked = (chan->num_acked + 1) % num_to_ack;
3626 if (chan->num_acked == num_to_ack - 1)
525cd185 3627 l2cap_send_ack(chan);
9e917af1 3628
8f17154f 3629 return 0;
9b53350d
JPRV		 3630
3631drop:
3632 kfree_skb(skb);
3633 return 0;
1c2acffb
GP		 3634}
3635
525cd185 3636static inline void l2cap_data_channel_rrframe(struct l2cap_chan *chan, u16 rx_control)
1c2acffb 3637{
49208c9c 3638 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, __get_reqseq(rx_control),
0e98958d
GP		 3639 rx_control);
3640
42e5c802
GP		 3641 chan->expected_ack_seq = __get_reqseq(rx_control);
3642 l2cap_drop_acked_frames(chan);
1c2acffb 3643
e072745f 3644 if (rx_control & L2CAP_CTRL_POLL) {
525cd185
GP		 3645 chan->conn_state |= L2CAP_CONN_SEND_FBIT;
3646 if (chan->conn_state & L2CAP_CONN_SREJ_SENT) {
3647 if ((chan->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
6a026610 3648 (chan->unacked_frames > 0))
05fbd89d
GP		 3649 __mod_retrans_timer();
3650
525cd185
GP		 3651 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3652 l2cap_send_srejtail(chan);
05fbd89d 3653 } else {
525cd185 3654 l2cap_send_i_or_rr_or_rnr(chan);
05fbd89d 3655 }
1d8f5d16 3656
e072745f 3657 } else if (rx_control & L2CAP_CTRL_FINAL) {
525cd185 3658 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
4ec10d97 3659
525cd185
GP		 3660 if (chan->conn_state & L2CAP_CONN_REJ_ACT)
3661 chan->conn_state &= ~L2CAP_CONN_REJ_ACT;
dfc909be 3662 else
525cd185 3663 l2cap_retransmit_frames(chan);
2246b2f1 3664
e072745f 3665 } else {
525cd185 3666 if ((chan->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
6a026610 3667 (chan->unacked_frames > 0))
e072745f 3668 __mod_retrans_timer();
1c2acffb 3669
525cd185
GP		 3670 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3671 if (chan->conn_state & L2CAP_CONN_SREJ_SENT)
3672 l2cap_send_ack(chan);
894718a6 3673 else
525cd185 3674 l2cap_ertm_send(chan);
e072745f
GP		 3675 }
3676}
2246b2f1 3677
525cd185 3678static inline void l2cap_data_channel_rejframe(struct l2cap_chan *chan, u16 rx_control)
e072745f 3679{
e072745f 3680 u8 tx_seq = __get_reqseq(rx_control);
30afb5b2 3681
525cd185 3682 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
0e98958d 3683
525cd185 3684 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
e072745f 3685
42e5c802
GP		 3686 chan->expected_ack_seq = tx_seq;
3687 l2cap_drop_acked_frames(chan);
e072745f
GP		 3688
3689 if (rx_control & L2CAP_CTRL_FINAL) {
525cd185
GP		 3690 if (chan->conn_state & L2CAP_CONN_REJ_ACT)
3691 chan->conn_state &= ~L2CAP_CONN_REJ_ACT;
dfc909be 3692 else
525cd185 3693 l2cap_retransmit_frames(chan);
e072745f 3694 } else {
525cd185 3695 l2cap_retransmit_frames(chan);
30afb5b2 3696
525cd185
GP		 3697 if (chan->conn_state & L2CAP_CONN_WAIT_F)
3698 chan->conn_state |= L2CAP_CONN_REJ_ACT;
e072745f
GP		 3699 }
3700}
525cd185 3701static inline void l2cap_data_channel_srejframe(struct l2cap_chan *chan, u16 rx_control)
e072745f 3702{
e072745f 3703 u8 tx_seq = __get_reqseq(rx_control);
30afb5b2 3704
525cd185 3705 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
0e98958d 3706
525cd185 3707 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
2246b2f1 3708
e072745f 3709 if (rx_control & L2CAP_CTRL_POLL) {
42e5c802
GP		 3710 chan->expected_ack_seq = tx_seq;
3711 l2cap_drop_acked_frames(chan);
3cb123d1 3712
525cd185
GP		 3713 chan->conn_state |= L2CAP_CONN_SEND_FBIT;
3714 l2cap_retransmit_one_frame(chan, tx_seq);
dfc909be 3715
525cd185 3716 l2cap_ertm_send(chan);
dfc909be 3717
525cd185 3718 if (chan->conn_state & L2CAP_CONN_WAIT_F) {
6a026610 3719 chan->srej_save_reqseq = tx_seq;
525cd185 3720 chan->conn_state |= L2CAP_CONN_SREJ_ACT;
ef54fd93 3721 }
e072745f 3722 } else if (rx_control & L2CAP_CTRL_FINAL) {
525cd185 3723 if ((chan->conn_state & L2CAP_CONN_SREJ_ACT) &&
6a026610 3724 chan->srej_save_reqseq == tx_seq)
525cd185 3725 chan->conn_state &= ~L2CAP_CONN_SREJ_ACT;
e072745f 3726 else
525cd185 3727 l2cap_retransmit_one_frame(chan, tx_seq);
e072745f 3728 } else {
525cd185
GP		 3729 l2cap_retransmit_one_frame(chan, tx_seq);
3730 if (chan->conn_state & L2CAP_CONN_WAIT_F) {
6a026610 3731 chan->srej_save_reqseq = tx_seq;
525cd185 3732 chan->conn_state |= L2CAP_CONN_SREJ_ACT;
ef54fd93 3733 }
e072745f
GP		 3734 }
3735}
3736
525cd185 3737static inline void l2cap_data_channel_rnrframe(struct l2cap_chan *chan, u16 rx_control)
e072745f 3738{
e072745f
GP		 3739 u8 tx_seq = __get_reqseq(rx_control);
3740
525cd185 3741 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
0e98958d 3742
525cd185 3743 chan->conn_state |= L2CAP_CONN_REMOTE_BUSY;
42e5c802
GP		 3744 chan->expected_ack_seq = tx_seq;
3745 l2cap_drop_acked_frames(chan);
e072745f 3746
3cb123d1 3747 if (rx_control & L2CAP_CTRL_POLL)
525cd185 3748 chan->conn_state |= L2CAP_CONN_SEND_FBIT;
3cb123d1 3749
525cd185 3750 if (!(chan->conn_state & L2CAP_CONN_SREJ_SENT)) {
e92c8e70 3751 del_timer(&chan->retrans_timer);
a2e12a2a 3752 if (rx_control & L2CAP_CTRL_POLL)
525cd185 3753 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_FINAL);
99b0d4b7 3754 return;
e072745f 3755 }
99b0d4b7
GP		 3756
3757 if (rx_control & L2CAP_CTRL_POLL)
525cd185 3758 l2cap_send_srejtail(chan);
99b0d4b7 3759 else
525cd185 3760 l2cap_send_sframe(chan, L2CAP_SUPER_RCV_READY);
e072745f
GP		 3761}
3762
525cd185 3763static inline int l2cap_data_channel_sframe(struct l2cap_chan *chan, u16 rx_control, struct sk_buff *skb)
e072745f 3764{
525cd185 3765 BT_DBG("chan %p rx_control 0x%4.4x len %d", chan, rx_control, skb->len);
e072745f 3766
9b16dc65 3767 if (L2CAP_CTRL_FINAL & rx_control &&
525cd185 3768 chan->conn_state & L2CAP_CONN_WAIT_F) {
e92c8e70 3769 del_timer(&chan->monitor_timer);
6a026610 3770 if (chan->unacked_frames > 0)
e072745f 3771 __mod_retrans_timer();
525cd185 3772 chan->conn_state &= ~L2CAP_CONN_WAIT_F;
e072745f
GP		 3773 }
3774
3775 switch (rx_control & L2CAP_CTRL_SUPERVISE) {
3776 case L2CAP_SUPER_RCV_READY:
525cd185 3777 l2cap_data_channel_rrframe(chan, rx_control);
8f17154f
GP		 3778 break;
3779
e072745f 3780 case L2CAP_SUPER_REJECT:
525cd185 3781 l2cap_data_channel_rejframe(chan, rx_control);
e072745f 3782 break;
2246b2f1 3783
e072745f 3784 case L2CAP_SUPER_SELECT_REJECT:
525cd185 3785 l2cap_data_channel_srejframe(chan, rx_control);
e072745f
GP		 3786 break;
3787
3788 case L2CAP_SUPER_RCV_NOT_READY:
525cd185 3789 l2cap_data_channel_rnrframe(chan, rx_control);
1c2acffb
GP		 3790 break;
3791 }
3792
faaebd19 3793 kfree_skb(skb);
1c2acffb
GP		 3794 return 0;
3795}
3796
218bb9df
GP		 3797static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb)
3798{
525cd185 3799 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
218bb9df
GP		 3800 u16 control;
3801 u8 req_seq;
3802 int len, next_tx_seq_offset, req_seq_offset;
3803
3804 control = get_unaligned_le16(skb->data);
3805 skb_pull(skb, 2);
3806 len = skb->len;
3807
3808 /*
3809 * We can just drop the corrupted I-frame here.
3810 * Receiver will miss it and start proper recovery
3811 * procedures and ask retransmission.
3812 */
47d1ec61 3813 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 3814 goto drop;
3815
3816 if (__is_sar_start(control) && __is_iframe(control))
3817 len -= 2;
3818
47d1ec61 3819 if (chan->fcs == L2CAP_FCS_CRC16)
218bb9df
GP		 3820 len -= 2;
3821
47d1ec61 3822 if (len > chan->mps) {
8c1d787b 3823 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3824 goto drop;
3825 }
3826
3827 req_seq = __get_reqseq(control);
42e5c802 3828 req_seq_offset = (req_seq - chan->expected_ack_seq) % 64;
218bb9df
GP		 3829 if (req_seq_offset < 0)
3830 req_seq_offset += 64;
3831
3832 next_tx_seq_offset =
42e5c802 3833 (chan->next_tx_seq - chan->expected_ack_seq) % 64;
218bb9df
GP		 3834 if (next_tx_seq_offset < 0)
3835 next_tx_seq_offset += 64;
3836
3837 /* check for invalid req-seq */
3838 if (req_seq_offset > next_tx_seq_offset) {
8c1d787b 3839 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3840 goto drop;
3841 }
3842
3843 if (__is_iframe(control)) {
3844 if (len < 0) {
8c1d787b 3845 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3846 goto drop;
3847 }
3848
525cd185 3849 l2cap_data_channel_iframe(chan, control, skb);
218bb9df
GP		 3850 } else {
3851 if (len != 0) {
3852 BT_ERR("%d", len);
8c1d787b 3853 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3854 goto drop;
3855 }
3856
525cd185 3857 l2cap_data_channel_sframe(chan, control, skb);
218bb9df
GP		 3858 }
3859
3860 return 0;
3861
3862drop:
3863 kfree_skb(skb);
3864 return 0;
3865}
3866
1da177e4
LT		 3867static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
3868{
48454079 3869 struct l2cap_chan *chan;
bf734843 3870 struct sock *sk = NULL;
51893f88 3871 u16 control;
218bb9df
GP		 3872 u8 tx_seq;
3873 int len;
1da177e4 3874
baa7e1fa 3875 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 3876 if (!chan) {
1da177e4
LT		 3877 BT_DBG("unknown cid 0x%4.4x", cid);
3878 goto drop;
3879 }
3880
48454079 3881 sk = chan->sk;
6840ed07 3882
49208c9c 3883 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4
LT		 3884
3885 if (sk->sk_state != BT_CONNECTED)
3886 goto drop;
3887
0c1bc5c6 3888 switch (chan->mode) {
1c2acffb
GP		 3889 case L2CAP_MODE_BASIC:
3890 /* If socket recv buffers overflows we drop data here
3891 * which is *bad* because L2CAP has to be reliable.
3892 * But we don't have any other choice. L2CAP doesn't
3893 * provide flow control mechanism. */
1da177e4 3894
0c1bc5c6 3895 if (chan->imtu < skb->len)
1c2acffb 3896 goto drop;
1da177e4 3897
1c2acffb
GP		 3898 if (!sock_queue_rcv_skb(sk, skb))
3899 goto done;
3900 break;
3901
3902 case L2CAP_MODE_ERTM:
218bb9df
GP		 3903 if (!sock_owned_by_user(sk)) {
3904 l2cap_ertm_data_rcv(sk, skb);
277ffbe3 3905 } else {
218bb9df 3906 if (sk_add_backlog(sk, skb))
277ffbe3 3907 goto drop;
277ffbe3 3908 }
1c2acffb 3909
fcafde2e 3910 goto done;
1c2acffb 3911
6840ed07
GP		 3912 case L2CAP_MODE_STREAMING:
3913 control = get_unaligned_le16(skb->data);
3914 skb_pull(skb, 2);
3915 len = skb->len;
3916
47d1ec61 3917 if (l2cap_check_fcs(chan, skb))
26000089
GP		 3918 goto drop;
3919
6840ed07
GP		 3920 if (__is_sar_start(control))
3921 len -= 2;
3922
47d1ec61 3923 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3
GP		 3924 len -= 2;
3925
47d1ec61 3926 if (len > chan->mps || len < 0 || __is_sframe(control))
6840ed07
GP		 3927 goto drop;
3928
3929 tx_seq = __get_txseq(control);
3930
42e5c802
GP		 3931 if (chan->expected_tx_seq == tx_seq)
3932 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
6840ed07 3933 else
42e5c802 3934 chan->expected_tx_seq = (tx_seq + 1) % 64;
6840ed07 3935
525cd185 3936 l2cap_streaming_reassembly_sdu(chan, skb, control);
6840ed07
GP		 3937
3938 goto done;
3939
1c2acffb 3940 default:
0c1bc5c6 3941 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 3942 break;
3943 }
1da177e4
LT		 3944
3945drop:
3946 kfree_skb(skb);
3947
3948done:
0139418c
MH		 3949 if (sk)
3950 bh_unlock_sock(sk);
3951
1da177e4
LT		 3952 return 0;
3953}
3954
8e036fc3 3955static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
1da177e4 3956{
6dcae1ea 3957 struct sock *sk = NULL;
23691d75 3958 struct l2cap_chan *chan;
1da177e4 3959
23691d75
GP		 3960 chan = l2cap_global_chan_by_psm(0, psm, conn->src);
3961 if (!chan)
1da177e4
LT		 3962 goto drop;
3963
23691d75
GP		 3964 sk = chan->sk;
3965
e0f0cb56
GP		 3966 bh_lock_sock(sk);
3967
1da177e4
LT		 3968 BT_DBG("sk %p, len %d", sk, skb->len);
3969
3970 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_CONNECTED)
3971 goto drop;
3972
0c1bc5c6 3973 if (l2cap_pi(sk)->chan->imtu < skb->len)
1da177e4
LT		 3974 goto drop;
3975
3976 if (!sock_queue_rcv_skb(sk, skb))
3977 goto done;
3978
3979drop:
3980 kfree_skb(skb);
3981
3982done:
af05b30b
GP		 3983 if (sk)
3984 bh_unlock_sock(sk);
1da177e4
LT		 3985 return 0;
3986}
3987
9f69bda6
GP		 3988static inline int l2cap_att_channel(struct l2cap_conn *conn, __le16 cid, struct sk_buff *skb)
3989{
6dcae1ea 3990 struct sock *sk = NULL;
23691d75 3991 struct l2cap_chan *chan;
9f69bda6 3992
23691d75
GP		 3993 chan = l2cap_global_chan_by_scid(0, cid, conn->src);
3994 if (!chan)
9f69bda6
GP		 3995 goto drop;
3996
23691d75
GP		 3997 sk = chan->sk;
3998
9f69bda6
GP		 3999 bh_lock_sock(sk);
4000
4001 BT_DBG("sk %p, len %d", sk, skb->len);
4002
4003 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_CONNECTED)
4004 goto drop;
4005
0c1bc5c6 4006 if (l2cap_pi(sk)->chan->imtu < skb->len)
9f69bda6
GP		 4007 goto drop;
4008
4009 if (!sock_queue_rcv_skb(sk, skb))
4010 goto done;
4011
4012drop:
4013 kfree_skb(skb);
4014
4015done:
4016 if (sk)
4017 bh_unlock_sock(sk);
4018 return 0;
4019}
4020
1da177e4
LT		 4021static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
4022{
4023 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 4024 u16 cid, len;
4025 __le16 psm;
1da177e4
LT		 4026
4027 skb_pull(skb, L2CAP_HDR_SIZE);
4028 cid = __le16_to_cpu(lh->cid);
4029 len = __le16_to_cpu(lh->len);
4030
1c2acffb
GP		 4031 if (len != skb->len) {
4032 kfree_skb(skb);
4033 return;
4034 }
4035
1da177e4
LT		 4036 BT_DBG("len %d, cid 0x%4.4x", len, cid);
4037
4038 switch (cid) {
3300d9a9 4039 case L2CAP_CID_LE_SIGNALING:
8db4dc46 4040 case L2CAP_CID_SIGNALING:
1da177e4
LT		 4041 l2cap_sig_channel(conn, skb);
4042 break;
4043
8db4dc46 4044 case L2CAP_CID_CONN_LESS:
1b7bf4ed 4045 psm = get_unaligned_le16(skb->data);
1da177e4
LT		 4046 skb_pull(skb, 2);
4047 l2cap_conless_channel(conn, psm, skb);
4048 break;
4049
9f69bda6
GP		 4050 case L2CAP_CID_LE_DATA:
4051 l2cap_att_channel(conn, cid, skb);
4052 break;
4053
1da177e4
LT		 4054 default:
4055 l2cap_data_channel(conn, cid, skb);
4056 break;
4057 }
4058}
4059
4060/* ---- L2CAP interface with lower layer (HCI) ---- */
4061
4062static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
4063{
4064 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 4065 struct l2cap_chan *c;
1da177e4
LT		 4066
4067 if (type != ACL_LINK)
963cf687 4068 return -EINVAL;
1da177e4
LT		 4069
4070 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
4071
4072 /* Find listening sockets and check their link_mode */
23691d75
GP		 4073 read_lock(&chan_list_lock);
4074 list_for_each_entry(c, &chan_list, global_l) {
4075 struct sock *sk = c->sk;
4343478f 4076
1da177e4
LT		 4077 if (sk->sk_state != BT_LISTEN)
4078 continue;
4079
4080 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 4081 lm1 |= HCI_LM_ACCEPT;
23691d75 4082 if (c->role_switch)
2af6b9d5 4083 lm1 |= HCI_LM_MASTER;
1da177e4 4084 exact++;
2af6b9d5
MH		 4085 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
4086 lm2 |= HCI_LM_ACCEPT;
23691d75 4087 if (c->role_switch)
2af6b9d5
MH		 4088 lm2 |= HCI_LM_MASTER;
4089 }
1da177e4 4090 }
23691d75 4091 read_unlock(&chan_list_lock);
1da177e4
LT		 4092
4093 return exact ? lm1 : lm2;
4094}
4095
4096static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
4097{
0139418c
MH		 4098 struct l2cap_conn *conn;
4099
1da177e4
LT		 4100 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
4101
acd7d370 4102 if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK))
963cf687 4103 return -EINVAL;
1da177e4
LT		 4104
4105 if (!status) {
1da177e4
LT		 4106 conn = l2cap_conn_add(hcon, status);
4107 if (conn)
4108 l2cap_conn_ready(conn);
0139418c 4109 } else
1da177e4
LT		 4110 l2cap_conn_del(hcon, bt_err(status));
4111
4112 return 0;
4113}
4114
2950f21a
MH		 4115static int l2cap_disconn_ind(struct hci_conn *hcon)
4116{
4117 struct l2cap_conn *conn = hcon->l2cap_data;
4118
4119 BT_DBG("hcon %p", hcon);
4120
4121 if (hcon->type != ACL_LINK || !conn)
4122 return 0x13;
4123
4124 return conn->disc_reason;
4125}
4126
4127static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 4128{
4129 BT_DBG("hcon %p reason %d", hcon, reason);
4130
acd7d370 4131 if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK))
963cf687 4132 return -EINVAL;
1da177e4
LT		 4133
4134 l2cap_conn_del(hcon, bt_err(reason));
0139418c 4135
1da177e4
LT		 4136 return 0;
4137}
4138
4343478f 4139static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 4140{
715ec005 4141 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 4142 return;
4143
f62e4323 4144 if (encrypt == 0x00) {
4343478f 4145 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ab07801d
GP		 4146 l2cap_chan_clear_timer(chan);
4147 l2cap_chan_set_timer(chan, HZ * 5);
4343478f 4148 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 4149 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 4150 } else {
4343478f 4151 if (chan->sec_level == BT_SECURITY_MEDIUM)
ab07801d 4152 l2cap_chan_clear_timer(chan);
f62e4323
MH		 4153 }
4154}
4155
8c1b2355 4156static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 4157{
0139418c 4158 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 4159 struct l2cap_chan *chan;
1da177e4 4160
0139418c 4161 if (!conn)
1da177e4 4162 return 0;
0139418c 4163
1da177e4
LT		 4164 BT_DBG("conn %p", conn);
4165
baa7e1fa 4166 read_lock(&conn->chan_lock);
1da177e4 4167
baa7e1fa 4168 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 4169 struct sock *sk = chan->sk;
baa7e1fa 4170
1da177e4
LT		 4171 bh_lock_sock(sk);
4172
b4450035 4173 if (chan->conf_state & L2CAP_CONF_CONNECT_PEND) {
6a8d3010
MH		 4174 bh_unlock_sock(sk);
4175 continue;
4176 }
4177
f62e4323 4178 if (!status && (sk->sk_state == BT_CONNECTED ||
8c1b2355 4179 sk->sk_state == BT_CONFIG)) {
4343478f 4180 l2cap_check_encryption(chan, encrypt);
9719f8af
MH		 4181 bh_unlock_sock(sk);
4182 continue;
4183 }
4184
b1235d79
MH		 4185 if (sk->sk_state == BT_CONNECT) {
4186 if (!status) {
4187 struct l2cap_conn_req req;
fe4128e0
GP		 4188 req.scid = cpu_to_le16(chan->scid);
4189 req.psm = chan->psm;
1da177e4 4190
fc7f8a7e 4191 chan->ident = l2cap_get_ident(conn);
b4450035 4192 chan->conf_state |= L2CAP_CONF_CONNECT_PEND;
1da177e4 4193
fc7f8a7e 4194 l2cap_send_cmd(conn, chan->ident,
b1235d79
MH		 4195 L2CAP_CONN_REQ, sizeof(req), &req);
4196 } else {
ab07801d
GP		 4197 l2cap_chan_clear_timer(chan);
4198 l2cap_chan_set_timer(chan, HZ / 10);
b1235d79
MH		 4199 }
4200 } else if (sk->sk_state == BT_CONNECT2) {
4201 struct l2cap_conn_rsp rsp;
4202 __u16 result;
1da177e4 4203
b1235d79
MH		 4204 if (!status) {
4205 sk->sk_state = BT_CONFIG;
4206 result = L2CAP_CR_SUCCESS;
4207 } else {
4208 sk->sk_state = BT_DISCONN;
ab07801d 4209 l2cap_chan_set_timer(chan, HZ / 10);
b1235d79
MH		 4210 result = L2CAP_CR_SEC_BLOCK;
4211 }
4212
fe4128e0
GP		 4213 rsp.scid = cpu_to_le16(chan->dcid);
4214 rsp.dcid = cpu_to_le16(chan->scid);
b1235d79 4215 rsp.result = cpu_to_le16(result);
e7c29cb1 4216 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
fc7f8a7e
GP		 4217 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
4218 sizeof(rsp), &rsp);
b1235d79 4219 }
1da177e4
LT		 4220
4221 bh_unlock_sock(sk);
4222 }
4223
baa7e1fa 4224 read_unlock(&conn->chan_lock);
b1235d79 4225
1da177e4
LT		 4226 return 0;
4227}
4228
4229static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
4230{
4231 struct l2cap_conn *conn = hcon->l2cap_data;
4232
5a08ecce
AE		 4233 if (!conn)
4234 conn = l2cap_conn_add(hcon, 0);
4235
4236 if (!conn)
1da177e4
LT		 4237 goto drop;
4238
4239 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
4240
e702112f 4241 if (!(flags & ACL_CONT)) {
1da177e4 4242 struct l2cap_hdr *hdr;
48454079 4243 struct l2cap_chan *chan;
89794813 4244 u16 cid;
1da177e4
LT		 4245 int len;
4246
4247 if (conn->rx_len) {
4248 BT_ERR("Unexpected start frame (len %d)", skb->len);
4249 kfree_skb(conn->rx_skb);
4250 conn->rx_skb = NULL;
4251 conn->rx_len = 0;
4252 l2cap_conn_unreliable(conn, ECOMM);
4253 }
4254
aae7fe22
AE		 4255 /* Start fragment always begin with Basic L2CAP header */
4256 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 4257 BT_ERR("Frame is too short (len %d)", skb->len);
4258 l2cap_conn_unreliable(conn, ECOMM);
4259 goto drop;
4260 }
4261
4262 hdr = (struct l2cap_hdr *) skb->data;
4263 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
89794813 4264 cid = __le16_to_cpu(hdr->cid);
1da177e4
LT		 4265
4266 if (len == skb->len) {
4267 /* Complete frame received */
4268 l2cap_recv_frame(conn, skb);
4269 return 0;
4270 }
4271
4272 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
4273
4274 if (skb->len > len) {
4275 BT_ERR("Frame is too long (len %d, expected len %d)",
4276 skb->len, len);
4277 l2cap_conn_unreliable(conn, ECOMM);
4278 goto drop;
4279 }
4280
baa7e1fa 4281 chan = l2cap_get_chan_by_scid(conn, cid);
89794813 4282
48454079
GP		 4283 if (chan && chan->sk) {
4284 struct sock *sk = chan->sk;
89794813 4285
0c1bc5c6 4286 if (chan->imtu < len - L2CAP_HDR_SIZE) {
48454079
GP		 4287 BT_ERR("Frame exceeding recv MTU (len %d, "
4288 "MTU %d)", len,
0c1bc5c6 4289 chan->imtu);
48454079
GP		 4290 bh_unlock_sock(sk);
4291 l2cap_conn_unreliable(conn, ECOMM);
4292 goto drop;
4293 }
89794813 4294 bh_unlock_sock(sk);
48454079 4295 }
89794813 4296
1da177e4 4297 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 4298 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
4299 if (!conn->rx_skb)
1da177e4
LT		 4300 goto drop;
4301
d626f62b 4302 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4303 skb->len);
1da177e4
LT		 4304 conn->rx_len = len - skb->len;
4305 } else {
4306 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
4307
4308 if (!conn->rx_len) {
4309 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
4310 l2cap_conn_unreliable(conn, ECOMM);
4311 goto drop;
4312 }
4313
4314 if (skb->len > conn->rx_len) {
4315 BT_ERR("Fragment is too long (len %d, expected %d)",
4316 skb->len, conn->rx_len);
4317 kfree_skb(conn->rx_skb);
4318 conn->rx_skb = NULL;
4319 conn->rx_len = 0;
4320 l2cap_conn_unreliable(conn, ECOMM);
4321 goto drop;
4322 }
4323
d626f62b 4324 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4325 skb->len);
1da177e4
LT		 4326 conn->rx_len -= skb->len;
4327
4328 if (!conn->rx_len) {
4329 /* Complete frame received */
4330 l2cap_recv_frame(conn, conn->rx_skb);
4331 conn->rx_skb = NULL;
4332 }
4333 }
4334
4335drop:
4336 kfree_skb(skb);
4337 return 0;
4338}
4339
aef7d97c 4340static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 4341{
23691d75 4342 struct l2cap_chan *c;
1da177e4 4343
23691d75 4344 read_lock_bh(&chan_list_lock);
1da177e4 4345
23691d75
GP		 4346 list_for_each_entry(c, &chan_list, global_l) {
4347 struct sock *sk = c->sk;
101545f6 4348
903d343e 4349 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
aef7d97c
MH		 4350 batostr(&bt_sk(sk)->src),
4351 batostr(&bt_sk(sk)->dst),
23691d75
GP		 4352 sk->sk_state, __le16_to_cpu(c->psm),
4353 c->scid, c->dcid, c->imtu, c->omtu,
4354 c->sec_level, c->mode);
be9d1227 4355 }
1da177e4 4356
23691d75 4357 read_unlock_bh(&chan_list_lock);
1da177e4 4358
aef7d97c 4359 return 0;
1da177e4
LT		 4360}
4361
aef7d97c
MH		 4362static int l2cap_debugfs_open(struct inode *inode, struct file *file)
4363{
4364 return single_open(file, l2cap_debugfs_show, inode->i_private);
4365}
4366
4367static const struct file_operations l2cap_debugfs_fops = {
4368 .open = l2cap_debugfs_open,
4369 .read = seq_read,
4370 .llseek = seq_lseek,
4371 .release = single_release,
4372};
4373
4374static struct dentry *l2cap_debugfs;
1da177e4 4375
1da177e4
LT		 4376static struct hci_proto l2cap_hci_proto = {
4377 .name = "L2CAP",
4378 .id = HCI_PROTO_L2CAP,
4379 .connect_ind = l2cap_connect_ind,
4380 .connect_cfm = l2cap_connect_cfm,
4381 .disconn_ind = l2cap_disconn_ind,
2950f21a 4382 .disconn_cfm = l2cap_disconn_cfm,
8c1b2355 4383 .security_cfm = l2cap_security_cfm,
1da177e4
LT		 4384 .recv_acldata = l2cap_recv_acldata
4385};
4386
64274518 4387int __init l2cap_init(void)
1da177e4
LT		 4388{
4389 int err;
be9d1227 4390
bb58f747 4391 err = l2cap_init_sockets();
1da177e4
LT		 4392 if (err < 0)
4393 return err;
4394
1890d36b 4395 _busy_wq = create_singlethread_workqueue("l2cap");
b78d7b4f 4396 if (!_busy_wq) {
bb58f747 4397 err = -ENOMEM;
1da177e4
LT		 4398 goto error;
4399 }
4400
4401 err = hci_register_proto(&l2cap_hci_proto);
4402 if (err < 0) {
4403 BT_ERR("L2CAP protocol registration failed");
4404 bt_sock_unregister(BTPROTO_L2CAP);
4405 goto error;
4406 }
4407
aef7d97c
MH		 4408 if (bt_debugfs) {
4409 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
4410 bt_debugfs, NULL, &l2cap_debugfs_fops);
4411 if (!l2cap_debugfs)
4412 BT_ERR("Failed to create L2CAP debug file");
4413 }
1da177e4 4414
1da177e4
LT		 4415 return 0;
4416
4417error:
b78d7b4f 4418 destroy_workqueue(_busy_wq);
bb58f747 4419 l2cap_cleanup_sockets();
1da177e4
LT		 4420 return err;
4421}
4422
64274518 4423void l2cap_exit(void)
1da177e4 4424{
aef7d97c 4425 debugfs_remove(l2cap_debugfs);
1da177e4 4426
1890d36b
GP		 4427 flush_workqueue(_busy_wq);
4428 destroy_workqueue(_busy_wq);
4429
1da177e4
LT		 4430 if (hci_unregister_proto(&l2cap_hci_proto) < 0)
4431 BT_ERR("L2CAP protocol unregistration failed");
4432
bb58f747 4433 l2cap_cleanup_sockets();
1da177e4
LT		 4434}
4435
d1c4a17d
GP		 4436module_param(disable_ertm, bool, 0644);
4437MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
kernel source for telekom puls (alcatel/mediatek)