projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Remove debug statements
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
1da177e4
LT		 6
7 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License version 2 as
11 published by the Free Software Foundation;
12
13 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
14 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
15 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
16 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 17 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
18 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
19 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 20 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
21
8e87d142
YH		 22 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
23 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 24 SOFTWARE IS DISCLAIMED.
25*/
26
bb58f747 27/* Bluetooth L2CAP core. */
1da177e4 28
1da177e4
LT		 29#include <linux/module.h>
30
31#include <linux/types.h>
4fc268d2 32#include <linux/capability.h>
1da177e4
LT		 33#include <linux/errno.h>
34#include <linux/kernel.h>
1da177e4
LT		 35#include <linux/sched.h>
36#include <linux/slab.h>
37#include <linux/poll.h>
38#include <linux/fcntl.h>
39#include <linux/init.h>
40#include <linux/interrupt.h>
41#include <linux/socket.h>
42#include <linux/skbuff.h>
1da177e4 43#include <linux/list.h>
be9d1227 44#include <linux/device.h>
aef7d97c
MH		 45#include <linux/debugfs.h>
46#include <linux/seq_file.h>
af05b30b 47#include <linux/uaccess.h>
fcc203c3 48#include <linux/crc16.h>
1da177e4
LT		 49#include <net/sock.h>
50
51#include <asm/system.h>
1da177e4
LT		 52#include <asm/unaligned.h>
53
54#include <net/bluetooth/bluetooth.h>
55#include <net/bluetooth/hci_core.h>
56#include <net/bluetooth/l2cap.h>
b501d6a1 57#include <net/bluetooth/smp.h>
1da177e4 58
bb58f747 59int disable_ertm;
f0709e03 60
47ec1dcd 61static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
e1027a7c 62static u8 l2cap_fixed_chan[8] = { 0x02, };
1da177e4 63
1890d36b
GP		 64static struct workqueue_struct *_busy_wq;
65
b5ad8b7f
JB		 66static LIST_HEAD(chan_list);
67static DEFINE_RWLOCK(chan_list_lock);
1da177e4 68
1890d36b
GP		 69static void l2cap_busy_work(struct work_struct *work);
70
1da177e4
LT		 71static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
72 u8 code, u8 ident, u16 dlen, void *data);
4519de9a
GP		 73static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
74 void *data);
710f9b0a 75static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
4519de9a
GP		 76static void l2cap_send_disconn_req(struct l2cap_conn *conn,
77 struct l2cap_chan *chan, int err);
1da177e4 78
218bb9df
GP		 79static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb);
80
0139418c 81/* ---- L2CAP channels ---- */
71ba0e56
GP		 82
83static inline void chan_hold(struct l2cap_chan *c)
84{
85 atomic_inc(&c->refcnt);
86}
87
88static inline void chan_put(struct l2cap_chan *c)
89{
90 if (atomic_dec_and_test(&c->refcnt))
91 kfree(c);
92}
93
baa7e1fa 94static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
0139418c 95{
48454079 96 struct l2cap_chan *c;
baa7e1fa
GP		 97
98 list_for_each_entry(c, &conn->chan_l, list) {
fe4128e0 99 if (c->dcid == cid)
baa7e1fa 100 return c;
0139418c 101 }
baa7e1fa
GP		 102 return NULL;
103
0139418c
MH		 104}
105
baa7e1fa 106static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 107{
48454079 108 struct l2cap_chan *c;
baa7e1fa
GP		 109
110 list_for_each_entry(c, &conn->chan_l, list) {
fe4128e0 111 if (c->scid == cid)
baa7e1fa 112 return c;
0139418c 113 }
baa7e1fa 114 return NULL;
0139418c
MH		 115}
116
117/* Find channel with given SCID.
118 * Returns locked socket */
baa7e1fa 119static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 120{
48454079 121 struct l2cap_chan *c;
baa7e1fa
GP		 122
123 read_lock(&conn->chan_lock);
124 c = __l2cap_get_chan_by_scid(conn, cid);
48454079
GP		 125 if (c)
126 bh_lock_sock(c->sk);
baa7e1fa 127 read_unlock(&conn->chan_lock);
48454079 128 return c;
0139418c
MH		 129}
130
baa7e1fa 131static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 132{
48454079 133 struct l2cap_chan *c;
baa7e1fa
GP		 134
135 list_for_each_entry(c, &conn->chan_l, list) {
fc7f8a7e 136 if (c->ident == ident)
baa7e1fa 137 return c;
0139418c 138 }
baa7e1fa 139 return NULL;
0139418c
MH		 140}
141
baa7e1fa 142static inline struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 143{
48454079 144 struct l2cap_chan *c;
baa7e1fa
GP		 145
146 read_lock(&conn->chan_lock);
147 c = __l2cap_get_chan_by_ident(conn, ident);
48454079
GP		 148 if (c)
149 bh_lock_sock(c->sk);
baa7e1fa 150 read_unlock(&conn->chan_lock);
48454079 151 return c;
0139418c
MH		 152}
153
23691d75 154static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 155{
23691d75 156 struct l2cap_chan *c;
9e4425ff 157
23691d75
GP		 158 list_for_each_entry(c, &chan_list, global_l) {
159 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
9e4425ff
GP		 160 goto found;
161 }
162
23691d75 163 c = NULL;
9e4425ff 164found:
23691d75 165 return c;
9e4425ff
GP		 166}
167
168int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
169{
73b2ec18
GP		 170 int err;
171
23691d75 172 write_lock_bh(&chan_list_lock);
9e4425ff 173
23691d75 174 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 175 err = -EADDRINUSE;
176 goto done;
9e4425ff
GP		 177 }
178
73b2ec18
GP		 179 if (psm) {
180 chan->psm = psm;
181 chan->sport = psm;
182 err = 0;
183 } else {
184 u16 p;
185
186 err = -EINVAL;
187 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 188 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 189 chan->psm = cpu_to_le16(p);
190 chan->sport = cpu_to_le16(p);
191 err = 0;
192 break;
193 }
194 }
9e4425ff 195
73b2ec18 196done:
23691d75 197 write_unlock_bh(&chan_list_lock);
73b2ec18 198 return err;
9e4425ff
GP		 199}
200
201int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
202{
23691d75 203 write_lock_bh(&chan_list_lock);
9e4425ff
GP		 204
205 chan->scid = scid;
206
23691d75 207 write_unlock_bh(&chan_list_lock);
9e4425ff
GP		 208
209 return 0;
210}
211
baa7e1fa 212static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 213{
8db4dc46 214 u16 cid = L2CAP_CID_DYN_START;
0139418c 215
8db4dc46 216 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 217 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 218 return cid;
219 }
220
221 return 0;
222}
223
c9b66675 224static void l2cap_set_timer(struct l2cap_chan *chan, struct timer_list *timer, long timeout)
ab07801d 225{
89bc500e
GP		 226 BT_DBG("chan %p state %d timeout %ld", chan->sk, chan->state, timeout);
227
c9b66675 228 if (!mod_timer(timer, jiffies + timeout))
71ba0e56 229 chan_hold(chan);
ab07801d
GP		 230}
231
c9b66675 232static void l2cap_clear_timer(struct l2cap_chan *chan, struct timer_list *timer)
ab07801d 233{
89bc500e 234 BT_DBG("chan %p state %d", chan, chan->state);
ab07801d 235
c9b66675 236 if (timer_pending(timer) && del_timer(timer))
71ba0e56 237 chan_put(chan);
ab07801d
GP		 238}
239
89bc500e
GP		 240static void l2cap_state_change(struct l2cap_chan *chan, int state)
241{
242 chan->state = state;
243 chan->ops->state_change(chan->data, state);
244}
245
ab07801d
GP		 246static void l2cap_chan_timeout(unsigned long arg)
247{
248 struct l2cap_chan *chan = (struct l2cap_chan *) arg;
249 struct sock *sk = chan->sk;
250 int reason;
251
89bc500e 252 BT_DBG("chan %p state %d", chan, chan->state);
ab07801d
GP		 253
254 bh_lock_sock(sk);
255
256 if (sock_owned_by_user(sk)) {
257 /* sk is owned by user. Try again later */
c9b66675 258 __set_chan_timer(chan, HZ / 5);
ab07801d 259 bh_unlock_sock(sk);
71ba0e56 260 chan_put(chan);
ab07801d
GP		 261 return;
262 }
263
89bc500e 264 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 265 reason = ECONNREFUSED;
89bc500e 266 else if (chan->state == BT_CONNECT &&
ab07801d
GP		 267 chan->sec_level != BT_SECURITY_SDP)
268 reason = ECONNREFUSED;
269 else
270 reason = ETIMEDOUT;
271
0f852724 272 l2cap_chan_close(chan, reason);
ab07801d
GP		 273
274 bh_unlock_sock(sk);
275
ba3bd0ee 276 chan->ops->close(chan->data);
71ba0e56 277 chan_put(chan);
ab07801d
GP		 278}
279
23691d75 280struct l2cap_chan *l2cap_chan_create(struct sock *sk)
48454079
GP		 281{
282 struct l2cap_chan *chan;
283
284 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
285 if (!chan)
286 return NULL;
287
288 chan->sk = sk;
289
23691d75
GP		 290 write_lock_bh(&chan_list_lock);
291 list_add(&chan->global_l, &chan_list);
292 write_unlock_bh(&chan_list_lock);
293
ab07801d
GP		 294 setup_timer(&chan->chan_timer, l2cap_chan_timeout, (unsigned long) chan);
295
89bc500e
GP		 296 chan->state = BT_OPEN;
297
71ba0e56
GP		 298 atomic_set(&chan->refcnt, 1);
299
48454079
GP		 300 return chan;
301}
302
23691d75 303void l2cap_chan_destroy(struct l2cap_chan *chan)
6ff5abbf 304{
23691d75
GP		 305 write_lock_bh(&chan_list_lock);
306 list_del(&chan->global_l);
307 write_unlock_bh(&chan_list_lock);
308
71ba0e56 309 chan_put(chan);
6ff5abbf
GP		 310}
311
48454079 312static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 313{
af05b30b 314 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
fe4128e0 315 chan->psm, chan->dcid);
0139418c 316
2950f21a
MH		 317 conn->disc_reason = 0x13;
318
8c1d787b 319 chan->conn = conn;
0139418c 320
715ec005 321 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
b62f328b
VT		 322 if (conn->hcon->type == LE_LINK) {
323 /* LE connection */
0c1bc5c6 324 chan->omtu = L2CAP_LE_DEFAULT_MTU;
fe4128e0
GP		 325 chan->scid = L2CAP_CID_LE_DATA;
326 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 327 } else {
328 /* Alloc CID for connection-oriented socket */
fe4128e0 329 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 330 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 331 }
715ec005 332 } else if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
0139418c 333 /* Connectionless socket */
fe4128e0
GP		 334 chan->scid = L2CAP_CID_CONN_LESS;
335 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 336 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 337 } else {
338 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 339 chan->scid = L2CAP_CID_SIGNALING;
340 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 341 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 342 }
343
71ba0e56 344 chan_hold(chan);
baa7e1fa
GP		 345
346 list_add(&chan->list, &conn->chan_l);
0139418c
MH		 347}
348
8e87d142 349/* Delete channel.
0139418c 350 * Must be called on the locked socket. */
4519de9a 351static void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 352{
48454079 353 struct sock *sk = chan->sk;
8c1d787b 354 struct l2cap_conn *conn = chan->conn;
0139418c
MH		 355 struct sock *parent = bt_sk(sk)->parent;
356
c9b66675 357 __clear_chan_timer(chan);
0139418c 358
49208c9c 359 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 360
8e87d142 361 if (conn) {
baa7e1fa
GP		 362 /* Delete from channel list */
363 write_lock_bh(&conn->chan_lock);
364 list_del(&chan->list);
365 write_unlock_bh(&conn->chan_lock);
71ba0e56 366 chan_put(chan);
baa7e1fa 367
8c1d787b 368 chan->conn = NULL;
0139418c
MH		 369 hci_conn_put(conn->hcon);
370 }
371
89bc500e 372 l2cap_state_change(chan, BT_CLOSED);
0139418c
MH		 373 sock_set_flag(sk, SOCK_ZAPPED);
374
375 if (err)
376 sk->sk_err = err;
377
378 if (parent) {
379 bt_accept_unlink(sk);
380 parent->sk_data_ready(parent, 0);
381 } else
382 sk->sk_state_change(sk);
c13ffa62 383
b4450035
GP		 384 if (!(chan->conf_state & L2CAP_CONF_OUTPUT_DONE &&
385 chan->conf_state & L2CAP_CONF_INPUT_DONE))
6ff5abbf 386 return;
2ead70b8 387
58d35f87 388 skb_queue_purge(&chan->tx_q);
c13ffa62 389
0c1bc5c6 390 if (chan->mode == L2CAP_MODE_ERTM) {
c13ffa62
GP		 391 struct srej_list *l, *tmp;
392
1a09bcb9
GP		 393 __clear_retrans_timer(chan);
394 __clear_monitor_timer(chan);
395 __clear_ack_timer(chan);
c13ffa62 396
f1c6775b
GP		 397 skb_queue_purge(&chan->srej_q);
398 skb_queue_purge(&chan->busy_q);
c13ffa62 399
39d5a3ee 400 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
c13ffa62
GP		 401 list_del(&l->list);
402 kfree(l);
403 }
404 }
0139418c
MH		 405}
406
4519de9a
GP		 407static void l2cap_chan_cleanup_listen(struct sock *parent)
408{
409 struct sock *sk;
410
411 BT_DBG("parent %p", parent);
412
413 /* Close not yet accepted channels */
0f852724 414 while ((sk = bt_accept_dequeue(parent, NULL))) {
ba3bd0ee 415 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
c9b66675 416 __clear_chan_timer(chan);
0f852724 417 lock_sock(sk);
ba3bd0ee 418 l2cap_chan_close(chan, ECONNRESET);
0f852724 419 release_sock(sk);
ba3bd0ee 420 chan->ops->close(chan->data);
0f852724 421 }
4519de9a
GP		 422}
423
0f852724 424void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 425{
426 struct l2cap_conn *conn = chan->conn;
427 struct sock *sk = chan->sk;
428
89bc500e 429 BT_DBG("chan %p state %d socket %p", chan, chan->state, sk->sk_socket);
4519de9a 430
89bc500e 431 switch (chan->state) {
4519de9a
GP		 432 case BT_LISTEN:
433 l2cap_chan_cleanup_listen(sk);
89bc500e
GP		 434
435 l2cap_state_change(chan, BT_CLOSED);
436 sock_set_flag(sk, SOCK_ZAPPED);
4519de9a
GP		 437 break;
438
439 case BT_CONNECTED:
440 case BT_CONFIG:
715ec005 441 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a 442 conn->hcon->type == ACL_LINK) {
c9b66675
GP		 443 __clear_chan_timer(chan);
444 __set_chan_timer(chan, sk->sk_sndtimeo);
4519de9a
GP		 445 l2cap_send_disconn_req(conn, chan, reason);
446 } else
447 l2cap_chan_del(chan, reason);
448 break;
449
450 case BT_CONNECT2:
715ec005 451 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a
GP		 452 conn->hcon->type == ACL_LINK) {
453 struct l2cap_conn_rsp rsp;
454 __u16 result;
455
456 if (bt_sk(sk)->defer_setup)
457 result = L2CAP_CR_SEC_BLOCK;
458 else
459 result = L2CAP_CR_BAD_PSM;
89bc500e 460 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 461
462 rsp.scid = cpu_to_le16(chan->dcid);
463 rsp.dcid = cpu_to_le16(chan->scid);
464 rsp.result = cpu_to_le16(result);
465 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
466 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
467 sizeof(rsp), &rsp);
468 }
469
470 l2cap_chan_del(chan, reason);
471 break;
472
473 case BT_CONNECT:
474 case BT_DISCONN:
475 l2cap_chan_del(chan, reason);
476 break;
477
478 default:
479 sock_set_flag(sk, SOCK_ZAPPED);
480 break;
481 }
482}
483
4343478f 484static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 485{
715ec005 486 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 487 switch (chan->sec_level) {
8556edd3
JH		 488 case BT_SECURITY_HIGH:
489 return HCI_AT_DEDICATED_BONDING_MITM;
490 case BT_SECURITY_MEDIUM:
491 return HCI_AT_DEDICATED_BONDING;
492 default:
493 return HCI_AT_NO_BONDING;
494 }
fe4128e0 495 } else if (chan->psm == cpu_to_le16(0x0001)) {
4343478f
GP		 496 if (chan->sec_level == BT_SECURITY_LOW)
497 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 498
4343478f 499 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 500 return HCI_AT_NO_BONDING_MITM;
00ae4af9 501 else
8556edd3 502 return HCI_AT_NO_BONDING;
00ae4af9 503 } else {
4343478f 504 switch (chan->sec_level) {
00ae4af9 505 case BT_SECURITY_HIGH:
8556edd3 506 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 507 case BT_SECURITY_MEDIUM:
8556edd3 508 return HCI_AT_GENERAL_BONDING;
00ae4af9 509 default:
8556edd3 510 return HCI_AT_NO_BONDING;
00ae4af9 511 }
0684e5f9 512 }
8556edd3
JH		 513}
514
515/* Service level security */
4343478f 516static inline int l2cap_check_security(struct l2cap_chan *chan)
8556edd3 517{
8c1d787b 518 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 519 __u8 auth_type;
520
4343478f 521 auth_type = l2cap_get_auth_type(chan);
79d554a6 522
4343478f 523 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 524}
525
b5ad8b7f 526static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 527{
528 u8 id;
529
530 /* Get next available identificator.
531 * 1 - 128 are used by kernel.
532 * 129 - 199 are reserved.
533 * 200 - 254 are used by utilities like l2ping, etc.
534 */
535
536 spin_lock_bh(&conn->lock);
537
538 if (++conn->tx_ident > 128)
539 conn->tx_ident = 1;
540
541 id = conn->tx_ident;
542
543 spin_unlock_bh(&conn->lock);
544
545 return id;
546}
547
4519de9a 548static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
4e8402a3
MH		 549{
550 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 551 u8 flags;
4e8402a3
MH		 552
553 BT_DBG("code 0x%2.2x", code);
554
555 if (!skb)
9a9c6a34 556 return;
4e8402a3 557
e702112f
AE		 558 if (lmp_no_flush_capable(conn->hcon->hdev))
559 flags = ACL_START_NO_FLUSH;
560 else
561 flags = ACL_START;
562
14b12d0b
JG		 563 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
564
e702112f 565 hci_send_acl(conn->hcon, skb, flags);
4e8402a3
MH		 566}
567
525cd185 568static inline void l2cap_send_sframe(struct l2cap_chan *chan, u16 control)
1c2acffb
GP		 569{
570 struct sk_buff *skb;
571 struct l2cap_hdr *lh;
8c1d787b 572 struct l2cap_conn *conn = chan->conn;
fcc203c3 573 int count, hlen = L2CAP_HDR_SIZE + 2;
e702112f 574 u8 flags;
fcc203c3 575
89bc500e 576 if (chan->state != BT_CONNECTED)
c13ffa62
GP		 577 return;
578
47d1ec61 579 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3 580 hlen += 2;
1c2acffb 581
49208c9c 582 BT_DBG("chan %p, control 0x%2.2x", chan, control);
1c2acffb 583
fcc203c3 584 count = min_t(unsigned int, conn->mtu, hlen);
1c2acffb
GP		 585 control |= L2CAP_CTRL_FRAME_TYPE;
586
525cd185 587 if (chan->conn_state & L2CAP_CONN_SEND_FBIT) {
9e917af1 588 control |= L2CAP_CTRL_FINAL;
525cd185 589 chan->conn_state &= ~L2CAP_CONN_SEND_FBIT;
9e917af1
GP		 590 }
591
525cd185 592 if (chan->conn_state & L2CAP_CONN_SEND_PBIT) {
f0946ccf 593 control |= L2CAP_CTRL_POLL;
525cd185 594 chan->conn_state &= ~L2CAP_CONN_SEND_PBIT;
f0946ccf
GP		 595 }
596
1c2acffb
GP		 597 skb = bt_skb_alloc(count, GFP_ATOMIC);
598 if (!skb)
9a9c6a34 599 return;
1c2acffb
GP		 600
601 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fcc203c3 602 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
fe4128e0 603 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb
GP		 604 put_unaligned_le16(control, skb_put(skb, 2));
605
47d1ec61 606 if (chan->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 607 u16 fcs = crc16(0, (u8 *)lh, count - 2);
608 put_unaligned_le16(fcs, skb_put(skb, 2));
609 }
610
e702112f
AE		 611 if (lmp_no_flush_capable(conn->hcon->hdev))
612 flags = ACL_START_NO_FLUSH;
613 else
614 flags = ACL_START;
615
14b12d0b
JG		 616 bt_cb(skb)->force_active = chan->force_active;
617
8c1d787b 618 hci_send_acl(chan->conn->hcon, skb, flags);
1c2acffb
GP		 619}
620
525cd185 621static inline void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, u16 control)
7e743090 622{
525cd185 623 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
7e743090 624 control |= L2CAP_SUPER_RCV_NOT_READY;
525cd185 625 chan->conn_state |= L2CAP_CONN_RNR_SENT;
1890d36b 626 } else
7e743090
GP		 627 control |= L2CAP_SUPER_RCV_READY;
628
42e5c802 629 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
2ab25cdd 630
525cd185 631 l2cap_send_sframe(chan, control);
7e743090
GP		 632}
633
b4450035 634static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 635{
b4450035 636 return !(chan->conf_state & L2CAP_CONF_CONNECT_PEND);
e501d055
AE		 637}
638
fc7f8a7e 639static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 640{
8c1d787b 641 struct l2cap_conn *conn = chan->conn;
79d554a6
MH		 642
643 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 644 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
645 return;
646
4343478f
GP		 647 if (l2cap_check_security(chan) &&
648 __l2cap_no_conn_pending(chan)) {
b1235d79 649 struct l2cap_conn_req req;
fe4128e0
GP		 650 req.scid = cpu_to_le16(chan->scid);
651 req.psm = chan->psm;
79d554a6 652
fc7f8a7e 653 chan->ident = l2cap_get_ident(conn);
b4450035 654 chan->conf_state |= L2CAP_CONF_CONNECT_PEND;
79d554a6 655
fc7f8a7e
GP		 656 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
657 sizeof(req), &req);
b1235d79 658 }
79d554a6
MH		 659 } else {
660 struct l2cap_info_req req;
661 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
662
663 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
664 conn->info_ident = l2cap_get_ident(conn);
665
666 mod_timer(&conn->info_timer, jiffies +
667 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
668
669 l2cap_send_cmd(conn, conn->info_ident,
670 L2CAP_INFO_REQ, sizeof(req), &req);
671 }
672}
673
cf6c2c0b
GP		 674static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
675{
676 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 677 if (!disable_ertm)
cf6c2c0b
GP		 678 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
679
680 switch (mode) {
681 case L2CAP_MODE_ERTM:
682 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
683 case L2CAP_MODE_STREAMING:
684 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
685 default:
686 return 0x00;
687 }
688}
689
4519de9a 690static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
22121fc9 691{
e92c8e70 692 struct sock *sk;
22121fc9
GP		 693 struct l2cap_disconn_req req;
694
c13ffa62
GP		 695 if (!conn)
696 return;
697
e92c8e70
GP		 698 sk = chan->sk;
699
0c1bc5c6 700 if (chan->mode == L2CAP_MODE_ERTM) {
1a09bcb9
GP		 701 __clear_retrans_timer(chan);
702 __clear_monitor_timer(chan);
703 __clear_ack_timer(chan);
c13ffa62
GP		 704 }
705
fe4128e0
GP		 706 req.dcid = cpu_to_le16(chan->dcid);
707 req.scid = cpu_to_le16(chan->scid);
22121fc9
GP		 708 l2cap_send_cmd(conn, l2cap_get_ident(conn),
709 L2CAP_DISCONN_REQ, sizeof(req), &req);
c13ffa62 710
89bc500e 711 l2cap_state_change(chan, BT_DISCONN);
9b108fc0 712 sk->sk_err = err;
22121fc9
GP		 713}
714
1da177e4 715/* ---- L2CAP connections ---- */
4e8402a3
MH		 716static void l2cap_conn_start(struct l2cap_conn *conn)
717{
820ffdb3 718 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 719
720 BT_DBG("conn %p", conn);
721
baa7e1fa 722 read_lock(&conn->chan_lock);
4e8402a3 723
820ffdb3 724 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 725 struct sock *sk = chan->sk;
baa7e1fa 726
4e8402a3
MH		 727 bh_lock_sock(sk);
728
715ec005 729 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
79d554a6
MH		 730 bh_unlock_sock(sk);
731 continue;
732 }
733
89bc500e 734 if (chan->state == BT_CONNECT) {
47731de7 735 struct l2cap_conn_req req;
79d554a6 736
4343478f 737 if (!l2cap_check_security(chan) ||
b4450035 738 !__l2cap_no_conn_pending(chan)) {
47731de7
GP		 739 bh_unlock_sock(sk);
740 continue;
741 }
79d554a6 742
0c1bc5c6 743 if (!l2cap_mode_supported(chan->mode,
47731de7 744 conn->feat_mask)
b4450035 745 && chan->conf_state &
47731de7 746 L2CAP_CONF_STATE2_DEVICE) {
0f852724 747 /* l2cap_chan_close() calls list_del(chan)
820ffdb3
GP		 748 * so release the lock */
749 read_unlock_bh(&conn->chan_lock);
89bc500e 750 l2cap_chan_close(chan, ECONNRESET);
820ffdb3 751 read_lock_bh(&conn->chan_lock);
47731de7
GP		 752 bh_unlock_sock(sk);
753 continue;
b1235d79 754 }
47731de7 755
fe4128e0
GP		 756 req.scid = cpu_to_le16(chan->scid);
757 req.psm = chan->psm;
47731de7 758
fc7f8a7e 759 chan->ident = l2cap_get_ident(conn);
b4450035 760 chan->conf_state |= L2CAP_CONF_CONNECT_PEND;
47731de7 761
fc7f8a7e
GP		 762 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
763 sizeof(req), &req);
47731de7 764
89bc500e 765 } else if (chan->state == BT_CONNECT2) {
79d554a6 766 struct l2cap_conn_rsp rsp;
e9aeb2dd 767 char buf[128];
fe4128e0
GP		 768 rsp.scid = cpu_to_le16(chan->dcid);
769 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 770
4343478f 771 if (l2cap_check_security(chan)) {
f66dc81f
MH		 772 if (bt_sk(sk)->defer_setup) {
773 struct sock *parent = bt_sk(sk)->parent;
774 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
775 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
776 parent->sk_data_ready(parent, 0);
777
778 } else {
89bc500e 779 l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 780 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
781 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
782 }
79d554a6
MH		 783 } else {
784 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
785 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
786 }
787
fc7f8a7e
GP		 788 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
789 sizeof(rsp), &rsp);
e9aeb2dd 790
b4450035 791 if (chan->conf_state & L2CAP_CONF_REQ_SENT ||
e9aeb2dd
GP		 792 rsp.result != L2CAP_CR_SUCCESS) {
793 bh_unlock_sock(sk);
794 continue;
795 }
796
b4450035 797 chan->conf_state |= L2CAP_CONF_REQ_SENT;
e9aeb2dd 798 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 799 l2cap_build_conf_req(chan, buf), buf);
800 chan->num_conf_req++;
4e8402a3
MH		 801 }
802
803 bh_unlock_sock(sk);
804 }
805
baa7e1fa 806 read_unlock(&conn->chan_lock);
4e8402a3
MH		 807}
808
b62f328b
VT		 809/* Find socket with cid and source bdaddr.
810 * Returns closest match, locked.
811 */
23691d75 812static struct l2cap_chan *l2cap_global_chan_by_scid(int state, __le16 cid, bdaddr_t *src)
b62f328b 813{
23691d75 814 struct l2cap_chan *c, *c1 = NULL;
b62f328b 815
23691d75 816 read_lock(&chan_list_lock);
b62f328b 817
23691d75
GP		 818 list_for_each_entry(c, &chan_list, global_l) {
819 struct sock *sk = c->sk;
fe4128e0 820
89bc500e 821 if (state && c->state != state)
b62f328b
VT		 822 continue;
823
23691d75 824 if (c->scid == cid) {
b62f328b 825 /* Exact match. */
23691d75
GP		 826 if (!bacmp(&bt_sk(sk)->src, src)) {
827 read_unlock(&chan_list_lock);
828 return c;
829 }
b62f328b
VT		 830
831 /* Closest match */
832 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
23691d75 833 c1 = c;
b62f328b
VT		 834 }
835 }
280f294f 836
23691d75 837 read_unlock(&chan_list_lock);
b62f328b 838
23691d75 839 return c1;
b62f328b
VT		 840}
841
842static void l2cap_le_conn_ready(struct l2cap_conn *conn)
843{
c916fbe4 844 struct sock *parent, *sk;
23691d75 845 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 846
847 BT_DBG("");
848
849 /* Check if we have socket listening on cid */
23691d75 850 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
b62f328b 851 conn->src);
23691d75 852 if (!pchan)
b62f328b
VT		 853 return;
854
23691d75
GP		 855 parent = pchan->sk;
856
62f3a2cf
GP		 857 bh_lock_sock(parent);
858
b62f328b
VT		 859 /* Check for backlog size */
860 if (sk_acceptq_is_full(parent)) {
861 BT_DBG("backlog full %d", parent->sk_ack_backlog);
862 goto clean;
863 }
864
80808e43
GP		 865 chan = pchan->ops->new_connection(pchan->data);
866 if (!chan)
b62f328b
VT		 867 goto clean;
868
80808e43 869 sk = chan->sk;
5d41ce1d 870
baa7e1fa 871 write_lock_bh(&conn->chan_lock);
b62f328b
VT		 872
873 hci_conn_hold(conn->hcon);
874
b62f328b
VT		 875 bacpy(&bt_sk(sk)->src, conn->src);
876 bacpy(&bt_sk(sk)->dst, conn->dst);
877
d1010240
GP		 878 bt_accept_enqueue(parent, sk);
879
48454079
GP		 880 __l2cap_chan_add(conn, chan);
881
c9b66675 882 __set_chan_timer(chan, sk->sk_sndtimeo);
b62f328b 883
89bc500e 884 l2cap_state_change(chan, BT_CONNECTED);
b62f328b
VT		 885 parent->sk_data_ready(parent, 0);
886
baa7e1fa 887 write_unlock_bh(&conn->chan_lock);
b62f328b
VT		 888
889clean:
890 bh_unlock_sock(parent);
891}
892
4e8402a3
MH		 893static void l2cap_conn_ready(struct l2cap_conn *conn)
894{
48454079 895 struct l2cap_chan *chan;
4e8402a3 896
79d554a6 897 BT_DBG("conn %p", conn);
4e8402a3 898
b62f328b
VT		 899 if (!conn->hcon->out && conn->hcon->type == LE_LINK)
900 l2cap_le_conn_ready(conn);
901
baa7e1fa 902 read_lock(&conn->chan_lock);
4e8402a3 903
baa7e1fa 904 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 905 struct sock *sk = chan->sk;
baa7e1fa 906
79d554a6 907 bh_lock_sock(sk);
4e8402a3 908
acd7d370 909 if (conn->hcon->type == LE_LINK) {
c9b66675 910 __clear_chan_timer(chan);
89bc500e 911 l2cap_state_change(chan, BT_CONNECTED);
acd7d370 912 sk->sk_state_change(sk);
b501d6a1
AB		 913 if (smp_conn_security(conn, chan->sec_level))
914 BT_DBG("Insufficient security");
acd7d370
VT		 915 }
916
715ec005 917 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 918 __clear_chan_timer(chan);
89bc500e 919 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 920 sk->sk_state_change(sk);
b501d6a1 921
89bc500e 922 } else if (chan->state == BT_CONNECT)
fc7f8a7e 923 l2cap_do_start(chan);
4e8402a3 924
79d554a6 925 bh_unlock_sock(sk);
4e8402a3 926 }
79d554a6 927
baa7e1fa 928 read_unlock(&conn->chan_lock);
4e8402a3
MH		 929}
930
931/* Notify sockets that we cannot guaranty reliability anymore */
932static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
933{
48454079 934 struct l2cap_chan *chan;
4e8402a3
MH		 935
936 BT_DBG("conn %p", conn);
937
baa7e1fa 938 read_lock(&conn->chan_lock);
4e8402a3 939
baa7e1fa 940 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 941 struct sock *sk = chan->sk;
baa7e1fa 942
4343478f 943 if (chan->force_reliable)
4e8402a3
MH		 944 sk->sk_err = err;
945 }
946
baa7e1fa 947 read_unlock(&conn->chan_lock);
4e8402a3
MH		 948}
949
950static void l2cap_info_timeout(unsigned long arg)
951{
952 struct l2cap_conn *conn = (void *) arg;
953
984947dc 954 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 955 conn->info_ident = 0;
984947dc 956
4e8402a3
MH		 957 l2cap_conn_start(conn);
958}
959
1da177e4
LT		 960static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
961{
0139418c 962 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4 963
0139418c 964 if (conn || status)
1da177e4
LT		 965 return conn;
966
0139418c
MH		 967 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
968 if (!conn)
1da177e4 969 return NULL;
1da177e4
LT		 970
971 hcon->l2cap_data = conn;
972 conn->hcon = hcon;
973
0139418c
MH		 974 BT_DBG("hcon %p conn %p", hcon, conn);
975
acd7d370
VT		 976 if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
977 conn->mtu = hcon->hdev->le_mtu;
978 else
979 conn->mtu = hcon->hdev->acl_mtu;
980
1da177e4
LT		 981 conn->src = &hcon->hdev->bdaddr;
982 conn->dst = &hcon->dst;
983
4e8402a3
MH		 984 conn->feat_mask = 0;
985
1da177e4 986 spin_lock_init(&conn->lock);
baa7e1fa
GP		 987 rwlock_init(&conn->chan_lock);
988
989 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 990
b62f328b
VT		 991 if (hcon->type != LE_LINK)
992 setup_timer(&conn->info_timer, l2cap_info_timeout,
45054dc1
DY		 993 (unsigned long) conn);
994
2950f21a
MH		 995 conn->disc_reason = 0x13;
996
1da177e4
LT		 997 return conn;
998}
999
0139418c 1000static void l2cap_conn_del(struct hci_conn *hcon, int err)
1da177e4 1001{
0139418c 1002 struct l2cap_conn *conn = hcon->l2cap_data;
baa7e1fa 1003 struct l2cap_chan *chan, *l;
1da177e4
LT		 1004 struct sock *sk;
1005
0139418c
MH		 1006 if (!conn)
1007 return;
1da177e4
LT		 1008
1009 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1010
7585b97a 1011 kfree_skb(conn->rx_skb);
1da177e4
LT		 1012
1013 /* Kill channels */
baa7e1fa 1014 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
48454079 1015 sk = chan->sk;
1da177e4 1016 bh_lock_sock(sk);
48454079 1017 l2cap_chan_del(chan, err);
1da177e4 1018 bh_unlock_sock(sk);
ba3bd0ee 1019 chan->ops->close(chan->data);
1da177e4
LT		 1020 }
1021
8e8440f5
DY		 1022 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1023 del_timer_sync(&conn->info_timer);
3ab22731 1024
1da177e4
LT		 1025 hcon->l2cap_data = NULL;
1026 kfree(conn);
1da177e4
LT		 1027}
1028
48454079 1029static inline void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
1da177e4 1030{
baa7e1fa 1031 write_lock_bh(&conn->chan_lock);
48454079 1032 __l2cap_chan_add(conn, chan);
baa7e1fa 1033 write_unlock_bh(&conn->chan_lock);
1da177e4
LT		 1034}
1035
1da177e4 1036/* ---- Socket interface ---- */
1da177e4
LT		 1037
1038/* Find socket with psm and source bdaddr.
1039 * Returns closest match.
1040 */
23691d75 1041static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm, bdaddr_t *src)
1da177e4 1042{
23691d75 1043 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1044
23691d75 1045 read_lock(&chan_list_lock);
e0f0cb56 1046
23691d75
GP		 1047 list_for_each_entry(c, &chan_list, global_l) {
1048 struct sock *sk = c->sk;
fe4128e0 1049
89bc500e 1050 if (state && c->state != state)
1da177e4
LT		 1051 continue;
1052
23691d75 1053 if (c->psm == psm) {
1da177e4 1054 /* Exact match. */
23691d75 1055 if (!bacmp(&bt_sk(sk)->src, src)) {
a7567b20 1056 read_unlock(&chan_list_lock);
23691d75
GP		 1057 return c;
1058 }
1da177e4
LT		 1059
1060 /* Closest match */
1061 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
23691d75 1062 c1 = c;
1da177e4
LT		 1063 }
1064 }
1da177e4 1065
23691d75 1066 read_unlock(&chan_list_lock);
e0f0cb56 1067
23691d75 1068 return c1;
1da177e4
LT		 1069}
1070
77a74c7e 1071int l2cap_chan_connect(struct l2cap_chan *chan)
1da177e4 1072{
5d41ce1d 1073 struct sock *sk = chan->sk;
1da177e4
LT		 1074 bdaddr_t *src = &bt_sk(sk)->src;
1075 bdaddr_t *dst = &bt_sk(sk)->dst;
1076 struct l2cap_conn *conn;
1077 struct hci_conn *hcon;
1078 struct hci_dev *hdev;
09ab6f4c 1079 __u8 auth_type;
44d0e48e 1080 int err;
1da177e4 1081
f29972de 1082 BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
fe4128e0 1083 chan->psm);
1da177e4 1084
af05b30b
GP		 1085 hdev = hci_get_route(dst, src);
1086 if (!hdev)
1da177e4
LT		 1087 return -EHOSTUNREACH;
1088
1089 hci_dev_lock_bh(hdev);
1090
4343478f 1091 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1092
fe4128e0 1093 if (chan->dcid == L2CAP_CID_LE_DATA)
acd7d370 1094 hcon = hci_connect(hdev, LE_LINK, dst,
4343478f 1095 chan->sec_level, auth_type);
acd7d370
VT		 1096 else
1097 hcon = hci_connect(hdev, ACL_LINK, dst,
4343478f 1098 chan->sec_level, auth_type);
acd7d370 1099
30e76272
VT		 1100 if (IS_ERR(hcon)) {
1101 err = PTR_ERR(hcon);
1da177e4 1102 goto done;
30e76272 1103 }
1da177e4
LT		 1104
1105 conn = l2cap_conn_add(hcon, 0);
1106 if (!conn) {
1107 hci_conn_put(hcon);
30e76272 1108 err = -ENOMEM;
1da177e4
LT		 1109 goto done;
1110 }
1111
1da177e4
LT		 1112 /* Update source addr of the socket */
1113 bacpy(src, conn->src);
1114
48454079
GP		 1115 l2cap_chan_add(conn, chan);
1116
89bc500e 1117 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1118 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1119
1120 if (hcon->state == BT_CONNECTED) {
715ec005 1121 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1122 __clear_chan_timer(chan);
4343478f 1123 if (l2cap_check_security(chan))
89bc500e 1124 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1125 } else
fc7f8a7e 1126 l2cap_do_start(chan);
1da177e4
LT		 1127 }
1128
30e76272
VT		 1129 err = 0;
1130
1da177e4
LT		 1131done:
1132 hci_dev_unlock_bh(hdev);
1133 hci_dev_put(hdev);
1134 return err;
1135}
1136
dcba0dba 1137int __l2cap_wait_ack(struct sock *sk)
6161c038 1138{
8c1d787b 1139 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1140 DECLARE_WAITQUEUE(wait, current);
1141 int err = 0;
1142 int timeo = HZ/5;
1143
2b0b05dd 1144 add_wait_queue(sk_sleep(sk), &wait);
8c1d787b 1145 while ((chan->unacked_frames > 0 && chan->conn)) {
6161c038
GP		 1146 set_current_state(TASK_INTERRUPTIBLE);
1147
1148 if (!timeo)
1149 timeo = HZ/5;
1150
1151 if (signal_pending(current)) {
1152 err = sock_intr_errno(timeo);
1153 break;
1154 }
1155
1156 release_sock(sk);
1157 timeo = schedule_timeout(timeo);
1158 lock_sock(sk);
1159
1160 err = sock_error(sk);
1161 if (err)
1162 break;
1163 }
1164 set_current_state(TASK_RUNNING);
2b0b05dd 1165 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1166 return err;
1167}
1168
e90bac06
GP		 1169static void l2cap_monitor_timeout(unsigned long arg)
1170{
525cd185
GP		 1171 struct l2cap_chan *chan = (void *) arg;
1172 struct sock *sk = chan->sk;
e90bac06 1173
525cd185 1174 BT_DBG("chan %p", chan);
0e98958d 1175
e686219a 1176 bh_lock_sock(sk);
2c03a7a4 1177 if (chan->retry_count >= chan->remote_max_tx) {
8c1d787b 1178 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
b13f5860 1179 bh_unlock_sock(sk);
e90bac06
GP		 1180 return;
1181 }
1182
6a026610 1183 chan->retry_count++;
1a09bcb9 1184 __set_monitor_timer(chan);
e90bac06 1185
525cd185 1186 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
e686219a 1187 bh_unlock_sock(sk);
e90bac06
GP		 1188}
1189
1190static void l2cap_retrans_timeout(unsigned long arg)
1191{
525cd185
GP		 1192 struct l2cap_chan *chan = (void *) arg;
1193 struct sock *sk = chan->sk;
e90bac06 1194
49208c9c 1195 BT_DBG("chan %p", chan);
0e98958d 1196
e686219a 1197 bh_lock_sock(sk);
6a026610 1198 chan->retry_count = 1;
1a09bcb9 1199 __set_monitor_timer(chan);
e90bac06 1200
525cd185 1201 chan->conn_state |= L2CAP_CONN_WAIT_F;
e90bac06 1202
525cd185 1203 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
e686219a 1204 bh_unlock_sock(sk);
e90bac06
GP		 1205}
1206
42e5c802 1207static void l2cap_drop_acked_frames(struct l2cap_chan *chan)
1da177e4 1208{
1c2acffb 1209 struct sk_buff *skb;
1da177e4 1210
58d35f87 1211 while ((skb = skb_peek(&chan->tx_q)) &&
6a026610 1212 chan->unacked_frames) {
42e5c802 1213 if (bt_cb(skb)->tx_seq == chan->expected_ack_seq)
1c2acffb 1214 break;
1da177e4 1215
58d35f87 1216 skb = skb_dequeue(&chan->tx_q);
1c2acffb 1217 kfree_skb(skb);
1da177e4 1218
6a026610 1219 chan->unacked_frames--;
1c2acffb 1220 }
1da177e4 1221
6a026610 1222 if (!chan->unacked_frames)
1a09bcb9 1223 __clear_retrans_timer(chan);
1c2acffb 1224}
1da177e4 1225
4343478f 1226void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
1c2acffb 1227{
8c1d787b 1228 struct hci_conn *hcon = chan->conn->hcon;
e702112f 1229 u16 flags;
1c2acffb 1230
4343478f 1231 BT_DBG("chan %p, skb %p len %d", chan, skb, skb->len);
1da177e4 1232
4343478f 1233 if (!chan->flushable && lmp_no_flush_capable(hcon->hdev))
e702112f
AE		 1234 flags = ACL_START_NO_FLUSH;
1235 else
1236 flags = ACL_START;
1237
14b12d0b 1238 bt_cb(skb)->force_active = chan->force_active;
e702112f 1239 hci_send_acl(hcon, skb, flags);
1c2acffb
GP		 1240}
1241
42e5c802 1242void l2cap_streaming_send(struct l2cap_chan *chan)
6840ed07 1243{
ccbb84af 1244 struct sk_buff *skb;
fcc203c3 1245 u16 control, fcs;
6840ed07 1246
58d35f87 1247 while ((skb = skb_dequeue(&chan->tx_q))) {
ccbb84af 1248 control = get_unaligned_le16(skb->data + L2CAP_HDR_SIZE);
42e5c802 1249 control |= chan->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT;
ccbb84af 1250 put_unaligned_le16(control, skb->data + L2CAP_HDR_SIZE);
6840ed07 1251
47d1ec61 1252 if (chan->fcs == L2CAP_FCS_CRC16) {
ccbb84af
GP		 1253 fcs = crc16(0, (u8 *)skb->data, skb->len - 2);
1254 put_unaligned_le16(fcs, skb->data + skb->len - 2);
fcc203c3
GP		 1255 }
1256
4343478f 1257 l2cap_do_send(chan, skb);
6840ed07 1258
42e5c802 1259 chan->next_tx_seq = (chan->next_tx_seq + 1) % 64;
6840ed07 1260 }
6840ed07
GP		 1261}
1262
525cd185 1263static void l2cap_retransmit_one_frame(struct l2cap_chan *chan, u8 tx_seq)
8f17154f 1264{
8f17154f
GP		 1265 struct sk_buff *skb, *tx_skb;
1266 u16 control, fcs;
8f17154f 1267
58d35f87 1268 skb = skb_peek(&chan->tx_q);
f11d676d
GP		 1269 if (!skb)
1270 return;
8f17154f 1271
f11d676d
GP		 1272 do {
1273 if (bt_cb(skb)->tx_seq == tx_seq)
8f17154f 1274 break;
8f17154f 1275
58d35f87 1276 if (skb_queue_is_last(&chan->tx_q, skb))
f11d676d 1277 return;
8f17154f 1278
58d35f87 1279 } while ((skb = skb_queue_next(&chan->tx_q, skb)));
8f17154f 1280
2c03a7a4
GP		 1281 if (chan->remote_max_tx &&
1282 bt_cb(skb)->retries == chan->remote_max_tx) {
8c1d787b 1283 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
f11d676d
GP		 1284 return;
1285 }
1286
1287 tx_skb = skb_clone(skb, GFP_ATOMIC);
1288 bt_cb(skb)->retries++;
1289 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
a429b519 1290 control &= L2CAP_CTRL_SAR;
3cb123d1 1291
525cd185 1292 if (chan->conn_state & L2CAP_CONN_SEND_FBIT) {
3cb123d1 1293 control |= L2CAP_CTRL_FINAL;
525cd185 1294 chan->conn_state &= ~L2CAP_CONN_SEND_FBIT;
3cb123d1 1295 }
95ffa978 1296
42e5c802 1297 control |= (chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
f11d676d 1298 | (tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
3cb123d1 1299
f11d676d
GP		 1300 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1301
47d1ec61 1302 if (chan->fcs == L2CAP_FCS_CRC16) {
f11d676d
GP		 1303 fcs = crc16(0, (u8 *)tx_skb->data, tx_skb->len - 2);
1304 put_unaligned_le16(fcs, tx_skb->data + tx_skb->len - 2);
1305 }
1306
4343478f 1307 l2cap_do_send(chan, tx_skb);
8f17154f
GP		 1308}
1309
525cd185 1310int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1311{
1312 struct sk_buff *skb, *tx_skb;
fcc203c3 1313 u16 control, fcs;
9a9c6a34 1314 int nsent = 0;
1c2acffb 1315
89bc500e 1316 if (chan->state != BT_CONNECTED)
c13ffa62 1317 return -ENOTCONN;
e90bac06 1318
58d35f87 1319 while ((skb = chan->tx_send_head) && (!l2cap_tx_window_full(chan))) {
1c2acffb 1320
2c03a7a4
GP		 1321 if (chan->remote_max_tx &&
1322 bt_cb(skb)->retries == chan->remote_max_tx) {
8c1d787b 1323 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
e90bac06
GP		 1324 break;
1325 }
1326
e420aba3
AE		 1327 tx_skb = skb_clone(skb, GFP_ATOMIC);
1328
e90bac06
GP		 1329 bt_cb(skb)->retries++;
1330
1c2acffb 1331 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
95ffa978
GP		 1332 control &= L2CAP_CTRL_SAR;
1333
525cd185 1334 if (chan->conn_state & L2CAP_CONN_SEND_FBIT) {
d5392c8f 1335 control |= L2CAP_CTRL_FINAL;
525cd185 1336 chan->conn_state &= ~L2CAP_CONN_SEND_FBIT;
d5392c8f 1337 }
42e5c802
GP		 1338 control |= (chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1339 | (chan->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
1c2acffb
GP		 1340 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1341
e90bac06 1342
47d1ec61 1343 if (chan->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 1344 fcs = crc16(0, (u8 *)skb->data, tx_skb->len - 2);
1345 put_unaligned_le16(fcs, skb->data + tx_skb->len - 2);
1346 }
1347
4343478f 1348 l2cap_do_send(chan, tx_skb);
9a9c6a34 1349
1a09bcb9 1350 __set_retrans_timer(chan);
1c2acffb 1351
42e5c802
GP		 1352 bt_cb(skb)->tx_seq = chan->next_tx_seq;
1353 chan->next_tx_seq = (chan->next_tx_seq + 1) % 64;
1c2acffb 1354
23e9fde2 1355 if (bt_cb(skb)->retries == 1)
6a026610 1356 chan->unacked_frames++;
23e9fde2 1357
6a026610 1358 chan->frames_sent++;
1c2acffb 1359
58d35f87
GP		 1360 if (skb_queue_is_last(&chan->tx_q, skb))
1361 chan->tx_send_head = NULL;
1c2acffb 1362 else
58d35f87 1363 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
9e917af1
GP		 1364
1365 nsent++;
1c2acffb
GP		 1366 }
1367
9e917af1
GP		 1368 return nsent;
1369}
1370
525cd185 1371static int l2cap_retransmit_frames(struct l2cap_chan *chan)
dfc909be 1372{
dfc909be
GP		 1373 int ret;
1374
58d35f87
GP		 1375 if (!skb_queue_empty(&chan->tx_q))
1376 chan->tx_send_head = chan->tx_q.next;
dfc909be 1377
42e5c802 1378 chan->next_tx_seq = chan->expected_ack_seq;
525cd185 1379 ret = l2cap_ertm_send(chan);
dfc909be
GP		 1380 return ret;
1381}
1382
525cd185 1383static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 1384{
9e917af1
GP		 1385 u16 control = 0;
1386
42e5c802 1387 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
9e917af1 1388
525cd185 1389 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
9e917af1 1390 control |= L2CAP_SUPER_RCV_NOT_READY;
525cd185
GP		 1391 chan->conn_state |= L2CAP_CONN_RNR_SENT;
1392 l2cap_send_sframe(chan, control);
9a9c6a34 1393 return;
9e917af1 1394 }
dfc909be 1395
525cd185 1396 if (l2cap_ertm_send(chan) > 0)
dfc909be
GP		 1397 return;
1398
1399 control |= L2CAP_SUPER_RCV_READY;
525cd185 1400 l2cap_send_sframe(chan, control);
1c2acffb
GP		 1401}
1402
525cd185 1403static void l2cap_send_srejtail(struct l2cap_chan *chan)
99b0d4b7
GP		 1404{
1405 struct srej_list *tail;
1406 u16 control;
1407
1408 control = L2CAP_SUPER_SELECT_REJECT;
1409 control |= L2CAP_CTRL_FINAL;
1410
39d5a3ee 1411 tail = list_entry((&chan->srej_l)->prev, struct srej_list, list);
99b0d4b7
GP		 1412 control |= tail->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1413
525cd185 1414 l2cap_send_sframe(chan, control);
99b0d4b7
GP		 1415}
1416
1c2acffb
GP		 1417static inline int l2cap_skbuff_fromiovec(struct sock *sk, struct msghdr *msg, int len, int count, struct sk_buff *skb)
1418{
8c1d787b 1419 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
1c2acffb
GP		 1420 struct sk_buff **frag;
1421 int err, sent = 0;
1da177e4 1422
59203a21 1423 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1424 return -EFAULT;
1da177e4
LT		 1425
1426 sent += count;
1427 len -= count;
1428
1429 /* Continuation fragments (no L2CAP header) */
1430 frag = &skb_shinfo(skb)->frag_list;
1431 while (len) {
1432 count = min_t(unsigned int, conn->mtu, len);
1433
1434 *frag = bt_skb_send_alloc(sk, count, msg->msg_flags & MSG_DONTWAIT, &err);
1435 if (!*frag)
0175d629 1436 return err;
1c2acffb
GP		 1437 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1438 return -EFAULT;
1da177e4
LT		 1439
1440 sent += count;
1441 len -= count;
1442
1443 frag = &(*frag)->next;
1444 }
1da177e4
LT		 1445
1446 return sent;
1c2acffb 1447}
1da177e4 1448
fe4128e0 1449struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1c2acffb 1450{
fe4128e0 1451 struct sock *sk = chan->sk;
8c1d787b 1452 struct l2cap_conn *conn = chan->conn;
1c2acffb
GP		 1453 struct sk_buff *skb;
1454 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1455 struct l2cap_hdr *lh;
1456
1457 BT_DBG("sk %p len %d", sk, (int)len);
1458
1459 count = min_t(unsigned int, (conn->mtu - hlen), len);
1460 skb = bt_skb_send_alloc(sk, count + hlen,
1461 msg->msg_flags & MSG_DONTWAIT, &err);
1462 if (!skb)
0175d629 1463 return ERR_PTR(err);
1c2acffb
GP		 1464
1465 /* Create L2CAP header */
1466 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1467 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 1468 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
fe4128e0 1469 put_unaligned_le16(chan->psm, skb_put(skb, 2));
1c2acffb
GP		 1470
1471 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1472 if (unlikely(err < 0)) {
1473 kfree_skb(skb);
1474 return ERR_PTR(err);
1475 }
1476 return skb;
1477}
1478
fe4128e0 1479struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1c2acffb 1480{
fe4128e0 1481 struct sock *sk = chan->sk;
8c1d787b 1482 struct l2cap_conn *conn = chan->conn;
1c2acffb
GP		 1483 struct sk_buff *skb;
1484 int err, count, hlen = L2CAP_HDR_SIZE;
1485 struct l2cap_hdr *lh;
1486
1487 BT_DBG("sk %p len %d", sk, (int)len);
1488
1489 count = min_t(unsigned int, (conn->mtu - hlen), len);
1490 skb = bt_skb_send_alloc(sk, count + hlen,
1491 msg->msg_flags & MSG_DONTWAIT, &err);
1492 if (!skb)
0175d629 1493 return ERR_PTR(err);
1c2acffb
GP		 1494
1495 /* Create L2CAP header */
1496 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1497 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb
GP		 1498 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1499
1500 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1501 if (unlikely(err < 0)) {
1502 kfree_skb(skb);
1503 return ERR_PTR(err);
1504 }
1505 return skb;
1506}
1507
47d1ec61 1508struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len, u16 control, u16 sdulen)
1c2acffb 1509{
47d1ec61 1510 struct sock *sk = chan->sk;
8c1d787b 1511 struct l2cap_conn *conn = chan->conn;
1c2acffb
GP		 1512 struct sk_buff *skb;
1513 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1514 struct l2cap_hdr *lh;
1515
1516 BT_DBG("sk %p len %d", sk, (int)len);
1517
0ee0d208
GP		 1518 if (!conn)
1519 return ERR_PTR(-ENOTCONN);
1520
c74e560c
GP		 1521 if (sdulen)
1522 hlen += 2;
1523
47d1ec61 1524 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3
GP		 1525 hlen += 2;
1526
1c2acffb
GP		 1527 count = min_t(unsigned int, (conn->mtu - hlen), len);
1528 skb = bt_skb_send_alloc(sk, count + hlen,
1529 msg->msg_flags & MSG_DONTWAIT, &err);
1530 if (!skb)
0175d629 1531 return ERR_PTR(err);
1c2acffb
GP		 1532
1533 /* Create L2CAP header */
1534 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1535 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb
GP		 1536 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1537 put_unaligned_le16(control, skb_put(skb, 2));
c74e560c
GP		 1538 if (sdulen)
1539 put_unaligned_le16(sdulen, skb_put(skb, 2));
1c2acffb
GP		 1540
1541 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1542 if (unlikely(err < 0)) {
1543 kfree_skb(skb);
1544 return ERR_PTR(err);
1545 }
e90bac06 1546
47d1ec61 1547 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3
GP		 1548 put_unaligned_le16(0, skb_put(skb, 2));
1549
e90bac06 1550 bt_cb(skb)->retries = 0;
1c2acffb 1551 return skb;
1da177e4
LT		 1552}
1553
2c03a7a4 1554int l2cap_sar_segment_sdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
c74e560c 1555{
c74e560c
GP		 1556 struct sk_buff *skb;
1557 struct sk_buff_head sar_queue;
1558 u16 control;
1559 size_t size = 0;
1560
ff12fd64 1561 skb_queue_head_init(&sar_queue);
c74e560c 1562 control = L2CAP_SDU_START;
47d1ec61 1563 skb = l2cap_create_iframe_pdu(chan, msg, chan->remote_mps, control, len);
c74e560c
GP		 1564 if (IS_ERR(skb))
1565 return PTR_ERR(skb);
1566
1567 __skb_queue_tail(&sar_queue, skb);
2c03a7a4
GP		 1568 len -= chan->remote_mps;
1569 size += chan->remote_mps;
c74e560c
GP		 1570
1571 while (len > 0) {
1572 size_t buflen;
1573
2c03a7a4 1574 if (len > chan->remote_mps) {
44651b85 1575 control = L2CAP_SDU_CONTINUE;
2c03a7a4 1576 buflen = chan->remote_mps;
c74e560c 1577 } else {
44651b85 1578 control = L2CAP_SDU_END;
c74e560c
GP		 1579 buflen = len;
1580 }
1581
47d1ec61 1582 skb = l2cap_create_iframe_pdu(chan, msg, buflen, control, 0);
c74e560c
GP		 1583 if (IS_ERR(skb)) {
1584 skb_queue_purge(&sar_queue);
1585 return PTR_ERR(skb);
1586 }
1587
1588 __skb_queue_tail(&sar_queue, skb);
1589 len -= buflen;
1590 size += buflen;
c74e560c 1591 }
58d35f87
GP		 1592 skb_queue_splice_tail(&sar_queue, &chan->tx_q);
1593 if (chan->tx_send_head == NULL)
1594 chan->tx_send_head = sar_queue.next;
c74e560c
GP		 1595
1596 return size;
1597}
1598
9a91a04a
GP		 1599int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1600{
9a91a04a
GP		 1601 struct sk_buff *skb;
1602 u16 control;
1603 int err;
1604
1605 /* Connectionless channel */
715ec005 1606 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
9a91a04a
GP		 1607 skb = l2cap_create_connless_pdu(chan, msg, len);
1608 if (IS_ERR(skb))
1609 return PTR_ERR(skb);
1610
1611 l2cap_do_send(chan, skb);
1612 return len;
1613 }
1614
1615 switch (chan->mode) {
1616 case L2CAP_MODE_BASIC:
1617 /* Check outgoing MTU */
1618 if (len > chan->omtu)
1619 return -EMSGSIZE;
1620
1621 /* Create a basic PDU */
1622 skb = l2cap_create_basic_pdu(chan, msg, len);
1623 if (IS_ERR(skb))
1624 return PTR_ERR(skb);
1625
1626 l2cap_do_send(chan, skb);
1627 err = len;
1628 break;
1629
1630 case L2CAP_MODE_ERTM:
1631 case L2CAP_MODE_STREAMING:
1632 /* Entire SDU fits into one PDU */
1633 if (len <= chan->remote_mps) {
1634 control = L2CAP_SDU_UNSEGMENTED;
1635 skb = l2cap_create_iframe_pdu(chan, msg, len, control,
1636 0);
1637 if (IS_ERR(skb))
1638 return PTR_ERR(skb);
1639
1640 __skb_queue_tail(&chan->tx_q, skb);
1641
1642 if (chan->tx_send_head == NULL)
1643 chan->tx_send_head = skb;
1644
1645 } else {
1646 /* Segment SDU into multiples PDUs */
1647 err = l2cap_sar_segment_sdu(chan, msg, len);
1648 if (err < 0)
1649 return err;
1650 }
1651
1652 if (chan->mode == L2CAP_MODE_STREAMING) {
1653 l2cap_streaming_send(chan);
1654 err = len;
1655 break;
1656 }
1657
1658 if ((chan->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
1659 (chan->conn_state & L2CAP_CONN_WAIT_F)) {
1660 err = len;
1661 break;
1662 }
1663
1664 err = l2cap_ertm_send(chan);
1665 if (err >= 0)
1666 err = len;
1667
1668 break;
1669
1670 default:
1671 BT_DBG("bad state %1.1x", chan->mode);
1672 err = -EBADFD;
1673 }
1674
1675 return err;
1676}
1677
1da177e4
LT		 1678static void l2cap_chan_ready(struct sock *sk)
1679{
1680 struct sock *parent = bt_sk(sk)->parent;
b4450035 1681 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1da177e4
LT		 1682
1683 BT_DBG("sk %p, parent %p", sk, parent);
1684
b4450035 1685 chan->conf_state = 0;
c9b66675 1686 __clear_chan_timer(chan);
1da177e4
LT		 1687
1688 if (!parent) {
1689 /* Outgoing channel.
1690 * Wake up socket sleeping on connect.
1691 */
89bc500e 1692 l2cap_state_change(chan, BT_CONNECTED);
1da177e4
LT		 1693 sk->sk_state_change(sk);
1694 } else {
1695 /* Incoming channel.
1696 * Wake up socket sleeping on accept.
1697 */
1698 parent->sk_data_ready(parent, 0);
1699 }
1700}
1701
1702/* Copy frame to all raw sockets on that connection */
1703static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
1704{
1da177e4 1705 struct sk_buff *nskb;
48454079 1706 struct l2cap_chan *chan;
1da177e4
LT		 1707
1708 BT_DBG("conn %p", conn);
1709
baa7e1fa
GP		 1710 read_lock(&conn->chan_lock);
1711 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 1712 struct sock *sk = chan->sk;
715ec005 1713 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 1714 continue;
1715
1716 /* Don't send frame to the socket it came from */
1717 if (skb->sk == sk)
1718 continue;
af05b30b
GP		 1719 nskb = skb_clone(skb, GFP_ATOMIC);
1720 if (!nskb)
1da177e4
LT		 1721 continue;
1722
23070494 1723 if (chan->ops->recv(chan->data, nskb))
1da177e4
LT		 1724 kfree_skb(nskb);
1725 }
baa7e1fa 1726 read_unlock(&conn->chan_lock);
1da177e4
LT		 1727}
1728
1729/* ---- L2CAP signalling commands ---- */
1730static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
1731 u8 code, u8 ident, u16 dlen, void *data)
1732{
1733 struct sk_buff *skb, **frag;
1734 struct l2cap_cmd_hdr *cmd;
1735 struct l2cap_hdr *lh;
1736 int len, count;
1737
af05b30b
GP		 1738 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
1739 conn, code, ident, dlen);
1da177e4
LT		 1740
1741 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
1742 count = min_t(unsigned int, conn->mtu, len);
1743
1744 skb = bt_skb_alloc(count, GFP_ATOMIC);
1745 if (!skb)
1746 return NULL;
1747
1748 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 1749 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 1750
1751 if (conn->hcon->type == LE_LINK)
1752 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
1753 else
1754 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 1755
1756 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
1757 cmd->code = code;
1758 cmd->ident = ident;
aca3192c 1759 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 1760
1761 if (dlen) {
1762 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
1763 memcpy(skb_put(skb, count), data, count);
1764 data += count;
1765 }
1766
1767 len -= skb->len;
1768
1769 /* Continuation fragments (no L2CAP header) */
1770 frag = &skb_shinfo(skb)->frag_list;
1771 while (len) {
1772 count = min_t(unsigned int, conn->mtu, len);
1773
1774 *frag = bt_skb_alloc(count, GFP_ATOMIC);
1775 if (!*frag)
1776 goto fail;
1777
1778 memcpy(skb_put(*frag, count), data, count);
1779
1780 len -= count;
1781 data += count;
1782
1783 frag = &(*frag)->next;
1784 }
1785
1786 return skb;
1787
1788fail:
1789 kfree_skb(skb);
1790 return NULL;
1791}
1792
1793static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
1794{
1795 struct l2cap_conf_opt *opt = *ptr;
1796 int len;
1797
1798 len = L2CAP_CONF_OPT_SIZE + opt->len;
1799 *ptr += len;
1800
1801 *type = opt->type;
1802 *olen = opt->len;
1803
1804 switch (opt->len) {
1805 case 1:
1806 *val = *((u8 *) opt->val);
1807 break;
1808
1809 case 2:
bfaaeb3e 1810 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 1811 break;
1812
1813 case 4:
bfaaeb3e 1814 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 1815 break;
1816
1817 default:
1818 *val = (unsigned long) opt->val;
1819 break;
1820 }
1821
1822 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
1823 return len;
1824}
1825
1da177e4
LT		 1826static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
1827{
1828 struct l2cap_conf_opt *opt = *ptr;
1829
1830 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
1831
1832 opt->type = type;
1833 opt->len = len;
1834
1835 switch (len) {
1836 case 1:
1837 *((u8 *) opt->val) = val;
1838 break;
1839
1840 case 2:
4f8b691c 1841 put_unaligned_le16(val, opt->val);
1da177e4
LT		 1842 break;
1843
1844 case 4:
4f8b691c 1845 put_unaligned_le32(val, opt->val);
1da177e4
LT		 1846 break;
1847
1848 default:
1849 memcpy(opt->val, (void *) val, len);
1850 break;
1851 }
1852
1853 *ptr += L2CAP_CONF_OPT_SIZE + len;
1854}
1855
c1b4f43b
GP		 1856static void l2cap_ack_timeout(unsigned long arg)
1857{
525cd185 1858 struct l2cap_chan *chan = (void *) arg;
c1b4f43b 1859
525cd185
GP		 1860 bh_lock_sock(chan->sk);
1861 l2cap_send_ack(chan);
1862 bh_unlock_sock(chan->sk);
c1b4f43b
GP		 1863}
1864
525cd185 1865static inline void l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 1866{
525cd185
GP		 1867 struct sock *sk = chan->sk;
1868
42e5c802 1869 chan->expected_ack_seq = 0;
6a026610 1870 chan->unacked_frames = 0;
42e5c802 1871 chan->buffer_seq = 0;
6a026610
GP		 1872 chan->num_acked = 0;
1873 chan->frames_sent = 0;
0565c1c2 1874
e92c8e70
GP		 1875 setup_timer(&chan->retrans_timer, l2cap_retrans_timeout,
1876 (unsigned long) chan);
1877 setup_timer(&chan->monitor_timer, l2cap_monitor_timeout,
1878 (unsigned long) chan);
1879 setup_timer(&chan->ack_timer, l2cap_ack_timeout, (unsigned long) chan);
0565c1c2 1880
f1c6775b
GP		 1881 skb_queue_head_init(&chan->srej_q);
1882 skb_queue_head_init(&chan->busy_q);
1890d36b 1883
39d5a3ee
GP		 1884 INIT_LIST_HEAD(&chan->srej_l);
1885
311bb895 1886 INIT_WORK(&chan->busy_work, l2cap_busy_work);
218bb9df
GP		 1887
1888 sk->sk_backlog_rcv = l2cap_ertm_data_rcv;
0565c1c2
GP		 1889}
1890
f2fcfcd6
GP		 1891static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
1892{
1893 switch (mode) {
1894 case L2CAP_MODE_STREAMING:
1895 case L2CAP_MODE_ERTM:
1896 if (l2cap_mode_supported(mode, remote_feat_mask))
1897 return mode;
1898 /* fall through */
1899 default:
1900 return L2CAP_MODE_BASIC;
1901 }
1902}
1903
710f9b0a 1904static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 1905{
1da177e4 1906 struct l2cap_conf_req *req = data;
0c1bc5c6 1907 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4
LT		 1908 void *ptr = req->data;
1909
49208c9c 1910 BT_DBG("chan %p", chan);
1da177e4 1911
73ffa904 1912 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 1913 goto done;
1914
0c1bc5c6 1915 switch (chan->mode) {
f2fcfcd6
GP		 1916 case L2CAP_MODE_STREAMING:
1917 case L2CAP_MODE_ERTM:
b4450035 1918 if (chan->conf_state & L2CAP_CONF_STATE2_DEVICE)
85eb53c6 1919 break;
85eb53c6 1920
2ba13ed6 1921 /* fall through */
f2fcfcd6 1922 default:
8c1d787b 1923 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 1924 break;
1925 }
1926
1927done:
0c1bc5c6
GP		 1928 if (chan->imtu != L2CAP_DEFAULT_MTU)
1929 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 1930
0c1bc5c6 1931 switch (chan->mode) {
65c7c491 1932 case L2CAP_MODE_BASIC:
8c1d787b
GP		 1933 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
1934 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 1935 break;
1936
62547752
GP		 1937 rfc.mode = L2CAP_MODE_BASIC;
1938 rfc.txwin_size = 0;
1939 rfc.max_transmit = 0;
1940 rfc.retrans_timeout = 0;
1941 rfc.monitor_timeout = 0;
1942 rfc.max_pdu_size = 0;
1943
63406504
GP		 1944 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
1945 (unsigned long) &rfc);
65c7c491
MH		 1946 break;
1947
1948 case L2CAP_MODE_ERTM:
1949 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61
GP		 1950 rfc.txwin_size = chan->tx_win;
1951 rfc.max_transmit = chan->max_tx;
f2fcfcd6
GP		 1952 rfc.retrans_timeout = 0;
1953 rfc.monitor_timeout = 0;
c74e560c 1954 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
8c1d787b
GP		 1955 if (L2CAP_DEFAULT_MAX_PDU_SIZE > chan->conn->mtu - 10)
1956 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
f2fcfcd6 1957
63406504
GP		 1958 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
1959 (unsigned long) &rfc);
1960
8c1d787b 1961 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 1962 break;
1963
47d1ec61 1964 if (chan->fcs == L2CAP_FCS_NONE ||
b4450035 1965 chan->conf_state & L2CAP_CONF_NO_FCS_RECV) {
47d1ec61
GP		 1966 chan->fcs = L2CAP_FCS_NONE;
1967 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 1968 }
f2fcfcd6
GP		 1969 break;
1970
1971 case L2CAP_MODE_STREAMING:
1972 rfc.mode = L2CAP_MODE_STREAMING;
1973 rfc.txwin_size = 0;
1974 rfc.max_transmit = 0;
1975 rfc.retrans_timeout = 0;
1976 rfc.monitor_timeout = 0;
c74e560c 1977 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
8c1d787b
GP		 1978 if (L2CAP_DEFAULT_MAX_PDU_SIZE > chan->conn->mtu - 10)
1979 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
65c7c491 1980
63406504
GP		 1981 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
1982 (unsigned long) &rfc);
1983
8c1d787b 1984 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 1985 break;
1986
47d1ec61 1987 if (chan->fcs == L2CAP_FCS_NONE ||
b4450035 1988 chan->conf_state & L2CAP_CONF_NO_FCS_RECV) {
47d1ec61
GP		 1989 chan->fcs = L2CAP_FCS_NONE;
1990 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 1991 }
65c7c491
MH		 1992 break;
1993 }
1da177e4 1994
fe4128e0 1995 req->dcid = cpu_to_le16(chan->dcid);
aca3192c 1996 req->flags = cpu_to_le16(0);
1da177e4
LT		 1997
1998 return ptr - data;
1999}
2000
73ffa904 2001static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2002{
5dee9e7c
MH		 2003 struct l2cap_conf_rsp *rsp = data;
2004 void *ptr = rsp->data;
73ffa904
GP		 2005 void *req = chan->conf_req;
2006 int len = chan->conf_len;
5dee9e7c
MH		 2007 int type, hint, olen;
2008 unsigned long val;
6464f35f 2009 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
861d6882 2010 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 2011 u16 result = L2CAP_CONF_SUCCESS;
1da177e4 2012
73ffa904 2013 BT_DBG("chan %p", chan);
820ae1b8 2014
5dee9e7c
MH		 2015 while (len >= L2CAP_CONF_OPT_SIZE) {
2016 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 2017
589d2746 2018 hint = type & L2CAP_CONF_HINT;
47ec1dcd 2019 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 2020
2021 switch (type) {
2022 case L2CAP_CONF_MTU:
861d6882 2023 mtu = val;
5dee9e7c
MH		 2024 break;
2025
2026 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2027 chan->flush_to = val;
5dee9e7c
MH		 2028 break;
2029
2030 case L2CAP_CONF_QOS:
2031 break;
2032
6464f35f
MH		 2033 case L2CAP_CONF_RFC:
2034 if (olen == sizeof(rfc))
2035 memcpy(&rfc, (void *) val, olen);
2036 break;
2037
fcc203c3
GP		 2038 case L2CAP_CONF_FCS:
2039 if (val == L2CAP_FCS_NONE)
b4450035 2040 chan->conf_state |= L2CAP_CONF_NO_FCS_RECV;
fcc203c3
GP		 2041
2042 break;
2043
5dee9e7c
MH		 2044 default:
2045 if (hint)
2046 break;
2047
2048 result = L2CAP_CONF_UNKNOWN;
2049 *((u8 *) ptr++) = type;
2050 break;
2051 }
2052 }
2053
73ffa904 2054 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 2055 goto done;
2056
0c1bc5c6 2057 switch (chan->mode) {
f2fcfcd6
GP		 2058 case L2CAP_MODE_STREAMING:
2059 case L2CAP_MODE_ERTM:
b4450035 2060 if (!(chan->conf_state & L2CAP_CONF_STATE2_DEVICE)) {
0c1bc5c6 2061 chan->mode = l2cap_select_mode(rfc.mode,
8c1d787b 2062 chan->conn->feat_mask);
85eb53c6
GP		 2063 break;
2064 }
2065
0c1bc5c6 2066 if (chan->mode != rfc.mode)
f2fcfcd6 2067 return -ECONNREFUSED;
742e519b 2068
f2fcfcd6 2069 break;
f2fcfcd6
GP		 2070 }
2071
2072done:
0c1bc5c6 2073 if (chan->mode != rfc.mode) {
f2fcfcd6 2074 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2075 rfc.mode = chan->mode;
f2fcfcd6 2076
73ffa904 2077 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 2078 return -ECONNREFUSED;
2079
2080 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2081 sizeof(rfc), (unsigned long) &rfc);
2082 }
2083
2084
5dee9e7c
MH		 2085 if (result == L2CAP_CONF_SUCCESS) {
2086 /* Configure output options and let the other side know
2087 * which ones we don't like. */
2088
f2fcfcd6
GP		 2089 if (mtu < L2CAP_DEFAULT_MIN_MTU)
2090 result = L2CAP_CONF_UNACCEPT;
2091 else {
0c1bc5c6 2092 chan->omtu = mtu;
b4450035 2093 chan->conf_state |= L2CAP_CONF_MTU_DONE;
f2fcfcd6 2094 }
0c1bc5c6 2095 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 2096
f2fcfcd6
GP		 2097 switch (rfc.mode) {
2098 case L2CAP_MODE_BASIC:
47d1ec61 2099 chan->fcs = L2CAP_FCS_NONE;
b4450035 2100 chan->conf_state |= L2CAP_CONF_MODE_DONE;
f2fcfcd6
GP		 2101 break;
2102
2103 case L2CAP_MODE_ERTM:
2c03a7a4
GP		 2104 chan->remote_tx_win = rfc.txwin_size;
2105 chan->remote_max_tx = rfc.max_transmit;
86b1b263 2106
8c1d787b
GP		 2107 if (le16_to_cpu(rfc.max_pdu_size) > chan->conn->mtu - 10)
2108 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
1c762159 2109
2c03a7a4 2110 chan->remote_mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6 2111
10467e9e
GP		 2112 rfc.retrans_timeout =
2113 le16_to_cpu(L2CAP_DEFAULT_RETRANS_TO);
2114 rfc.monitor_timeout =
2115 le16_to_cpu(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6 2116
b4450035 2117 chan->conf_state |= L2CAP_CONF_MODE_DONE;
68ae6639
GP		 2118
2119 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2120 sizeof(rfc), (unsigned long) &rfc);
2121
f2fcfcd6
GP		 2122 break;
2123
2124 case L2CAP_MODE_STREAMING:
8c1d787b
GP		 2125 if (le16_to_cpu(rfc.max_pdu_size) > chan->conn->mtu - 10)
2126 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
1c762159 2127
2c03a7a4 2128 chan->remote_mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6 2129
b4450035 2130 chan->conf_state |= L2CAP_CONF_MODE_DONE;
68ae6639
GP		 2131
2132 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2133 sizeof(rfc), (unsigned long) &rfc);
2134
f2fcfcd6
GP		 2135 break;
2136
2137 default:
5dee9e7c 2138 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 2139
6464f35f 2140 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 2141 rfc.mode = chan->mode;
f2fcfcd6 2142 }
6464f35f 2143
f2fcfcd6 2144 if (result == L2CAP_CONF_SUCCESS)
b4450035 2145 chan->conf_state |= L2CAP_CONF_OUTPUT_DONE;
f2fcfcd6 2146 }
fe4128e0 2147 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c
MH		 2148 rsp->result = cpu_to_le16(result);
2149 rsp->flags = cpu_to_le16(0x0000);
2150
2151 return ptr - data;
1da177e4
LT		 2152}
2153
b4450035 2154static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
f2fcfcd6 2155{
f2fcfcd6
GP		 2156 struct l2cap_conf_req *req = data;
2157 void *ptr = req->data;
2158 int type, olen;
2159 unsigned long val;
2160 struct l2cap_conf_rfc rfc;
2161
fe4128e0 2162 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 2163
2164 while (len >= L2CAP_CONF_OPT_SIZE) {
2165 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2166
2167 switch (type) {
2168 case L2CAP_CONF_MTU:
2169 if (val < L2CAP_DEFAULT_MIN_MTU) {
2170 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2171 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 2172 } else
0c1bc5c6
GP		 2173 chan->imtu = val;
2174 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 2175 break;
2176
2177 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2178 chan->flush_to = val;
f2fcfcd6 2179 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
0c1bc5c6 2180 2, chan->flush_to);
f2fcfcd6
GP		 2181 break;
2182
2183 case L2CAP_CONF_RFC:
2184 if (olen == sizeof(rfc))
2185 memcpy(&rfc, (void *)val, olen);
2186
b4450035 2187 if ((chan->conf_state & L2CAP_CONF_STATE2_DEVICE) &&
0c1bc5c6 2188 rfc.mode != chan->mode)
f2fcfcd6
GP		 2189 return -ECONNREFUSED;
2190
47d1ec61 2191 chan->fcs = 0;
f2fcfcd6
GP		 2192
2193 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2194 sizeof(rfc), (unsigned long) &rfc);
2195 break;
2196 }
2197 }
2198
0c1bc5c6 2199 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 2200 return -ECONNREFUSED;
2201
0c1bc5c6 2202 chan->mode = rfc.mode;
6c2ea7a8 2203
f2fcfcd6
GP		 2204 if (*result == L2CAP_CONF_SUCCESS) {
2205 switch (rfc.mode) {
2206 case L2CAP_MODE_ERTM:
47d1ec61
GP		 2207 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2208 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2209 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2210 break;
2211 case L2CAP_MODE_STREAMING:
47d1ec61 2212 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2213 }
2214 }
2215
fe4128e0 2216 req->dcid = cpu_to_le16(chan->dcid);
f2fcfcd6
GP		 2217 req->flags = cpu_to_le16(0x0000);
2218
2219 return ptr - data;
2220}
2221
fe4128e0 2222static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
1da177e4
LT		 2223{
2224 struct l2cap_conf_rsp *rsp = data;
2225 void *ptr = rsp->data;
1da177e4 2226
fe4128e0 2227 BT_DBG("chan %p", chan);
1da177e4 2228
fe4128e0 2229 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 2230 rsp->result = cpu_to_le16(result);
aca3192c 2231 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 2232
2233 return ptr - data;
2234}
2235
8c1d787b 2236void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 2237{
2238 struct l2cap_conn_rsp rsp;
8c1d787b 2239 struct l2cap_conn *conn = chan->conn;
710f9b0a
GP		 2240 u8 buf[128];
2241
fe4128e0
GP		 2242 rsp.scid = cpu_to_le16(chan->dcid);
2243 rsp.dcid = cpu_to_le16(chan->scid);
710f9b0a
GP		 2244 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
2245 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
2246 l2cap_send_cmd(conn, chan->ident,
2247 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2248
b4450035 2249 if (chan->conf_state & L2CAP_CONF_REQ_SENT)
710f9b0a
GP		 2250 return;
2251
b4450035 2252 chan->conf_state |= L2CAP_CONF_REQ_SENT;
710f9b0a
GP		 2253 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2254 l2cap_build_conf_req(chan, buf), buf);
2255 chan->num_conf_req++;
2256}
2257
47d1ec61 2258static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 2259{
7b1c0049
GP		 2260 int type, olen;
2261 unsigned long val;
2262 struct l2cap_conf_rfc rfc;
2263
47d1ec61 2264 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 2265
0c1bc5c6 2266 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 2267 return;
2268
2269 while (len >= L2CAP_CONF_OPT_SIZE) {
2270 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2271
2272 switch (type) {
2273 case L2CAP_CONF_RFC:
2274 if (olen == sizeof(rfc))
2275 memcpy(&rfc, (void *)val, olen);
2276 goto done;
2277 }
2278 }
2279
2280done:
2281 switch (rfc.mode) {
2282 case L2CAP_MODE_ERTM:
47d1ec61
GP		 2283 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2284 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2285 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2286 break;
2287 case L2CAP_MODE_STREAMING:
47d1ec61 2288 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2289 }
2290}
2291
4e8402a3
MH		 2292static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2293{
2294 struct l2cap_cmd_rej *rej = (struct l2cap_cmd_rej *) data;
2295
2296 if (rej->reason != 0x0000)
2297 return 0;
2298
2299 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2300 cmd->ident == conn->info_ident) {
4e8402a3 2301 del_timer(&conn->info_timer);
984947dc
MH		 2302
2303 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2304 conn->info_ident = 0;
984947dc 2305
4e8402a3
MH		 2306 l2cap_conn_start(conn);
2307 }
2308
2309 return 0;
2310}
2311
1da177e4
LT		 2312static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2313{
1da177e4
LT		 2314 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
2315 struct l2cap_conn_rsp rsp;
23691d75 2316 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 2317 struct sock *parent, *sk = NULL;
e7c29cb1 2318 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2319
2320 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 2321 __le16 psm = req->psm;
1da177e4
LT		 2322
2323 BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
2324
2325 /* Check if we have socket listening on psm */
23691d75
GP		 2326 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src);
2327 if (!pchan) {
1da177e4
LT		 2328 result = L2CAP_CR_BAD_PSM;
2329 goto sendresp;
2330 }
2331
23691d75
GP		 2332 parent = pchan->sk;
2333
e0f0cb56
GP		 2334 bh_lock_sock(parent);
2335
e7c29cb1
MH		 2336 /* Check if the ACL is secure enough (if not SDP) */
2337 if (psm != cpu_to_le16(0x0001) &&
2338 !hci_conn_check_link_mode(conn->hcon)) {
2950f21a 2339 conn->disc_reason = 0x05;
e7c29cb1
MH		 2340 result = L2CAP_CR_SEC_BLOCK;
2341 goto response;
2342 }
2343
1da177e4
LT		 2344 result = L2CAP_CR_NO_MEM;
2345
2346 /* Check for backlog size */
2347 if (sk_acceptq_is_full(parent)) {
8e87d142 2348 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1da177e4
LT		 2349 goto response;
2350 }
2351
80808e43
GP		 2352 chan = pchan->ops->new_connection(pchan->data);
2353 if (!chan)
1da177e4
LT		 2354 goto response;
2355
80808e43
GP		 2356 sk = chan->sk;
2357
baa7e1fa 2358 write_lock_bh(&conn->chan_lock);
1da177e4
LT		 2359
2360 /* Check if we already have channel with that dcid */
baa7e1fa
GP		 2361 if (__l2cap_get_chan_by_dcid(conn, scid)) {
2362 write_unlock_bh(&conn->chan_lock);
1da177e4 2363 sock_set_flag(sk, SOCK_ZAPPED);
ba3bd0ee 2364 chan->ops->close(chan->data);
1da177e4
LT		 2365 goto response;
2366 }
2367
2368 hci_conn_hold(conn->hcon);
2369
1da177e4
LT		 2370 bacpy(&bt_sk(sk)->src, conn->src);
2371 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 2372 chan->psm = psm;
2373 chan->dcid = scid;
1da177e4 2374
d1010240
GP		 2375 bt_accept_enqueue(parent, sk);
2376
48454079
GP		 2377 __l2cap_chan_add(conn, chan);
2378
fe4128e0 2379 dcid = chan->scid;
1da177e4 2380
c9b66675 2381 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 2382
fc7f8a7e 2383 chan->ident = cmd->ident;
1da177e4 2384
984947dc 2385 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
4343478f 2386 if (l2cap_check_security(chan)) {
f66dc81f 2387 if (bt_sk(sk)->defer_setup) {
89bc500e 2388 l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 2389 result = L2CAP_CR_PEND;
2390 status = L2CAP_CS_AUTHOR_PEND;
2391 parent->sk_data_ready(parent, 0);
2392 } else {
89bc500e 2393 l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 2394 result = L2CAP_CR_SUCCESS;
2395 status = L2CAP_CS_NO_INFO;
2396 }
79d554a6 2397 } else {
89bc500e 2398 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 2399 result = L2CAP_CR_PEND;
2400 status = L2CAP_CS_AUTHEN_PEND;
2401 }
2402 } else {
89bc500e 2403 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 2404 result = L2CAP_CR_PEND;
2405 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2406 }
2407
baa7e1fa 2408 write_unlock_bh(&conn->chan_lock);
1da177e4
LT		 2409
2410response:
2411 bh_unlock_sock(parent);
2412
2413sendresp:
aca3192c
YH		 2414 rsp.scid = cpu_to_le16(scid);
2415 rsp.dcid = cpu_to_le16(dcid);
2416 rsp.result = cpu_to_le16(result);
2417 rsp.status = cpu_to_le16(status);
1da177e4 2418 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 2419
2420 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
2421 struct l2cap_info_req info;
2422 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2423
2424 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
2425 conn->info_ident = l2cap_get_ident(conn);
2426
2427 mod_timer(&conn->info_timer, jiffies +
2428 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
2429
2430 l2cap_send_cmd(conn, conn->info_ident,
2431 L2CAP_INFO_REQ, sizeof(info), &info);
2432 }
2433
b4450035 2434 if (chan && !(chan->conf_state & L2CAP_CONF_REQ_SENT) &&
e9aeb2dd
GP		 2435 result == L2CAP_CR_SUCCESS) {
2436 u8 buf[128];
b4450035 2437 chan->conf_state |= L2CAP_CONF_REQ_SENT;
e9aeb2dd 2438 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2439 l2cap_build_conf_req(chan, buf), buf);
2440 chan->num_conf_req++;
e9aeb2dd
GP		 2441 }
2442
1da177e4
LT		 2443 return 0;
2444}
2445
2446static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2447{
2448 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
2449 u16 scid, dcid, result, status;
48454079 2450 struct l2cap_chan *chan;
1da177e4
LT		 2451 struct sock *sk;
2452 u8 req[128];
2453
2454 scid = __le16_to_cpu(rsp->scid);
2455 dcid = __le16_to_cpu(rsp->dcid);
2456 result = __le16_to_cpu(rsp->result);
2457 status = __le16_to_cpu(rsp->status);
2458
2459 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status);
2460
2461 if (scid) {
baa7e1fa 2462 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2463 if (!chan)
57d3b22b 2464 return -EFAULT;
1da177e4 2465 } else {
baa7e1fa 2466 chan = l2cap_get_chan_by_ident(conn, cmd->ident);
48454079 2467 if (!chan)
57d3b22b 2468 return -EFAULT;
1da177e4
LT		 2469 }
2470
48454079
GP		 2471 sk = chan->sk;
2472
1da177e4
LT		 2473 switch (result) {
2474 case L2CAP_CR_SUCCESS:
89bc500e 2475 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 2476 chan->ident = 0;
fe4128e0 2477 chan->dcid = dcid;
b4450035 2478 chan->conf_state &= ~L2CAP_CONF_CONNECT_PEND;
6a8d3010 2479
b4450035 2480 if (chan->conf_state & L2CAP_CONF_REQ_SENT)
e9aeb2dd
GP		 2481 break;
2482
b4450035 2483 chan->conf_state |= L2CAP_CONF_REQ_SENT;
e9aeb2dd 2484
1da177e4 2485 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2486 l2cap_build_conf_req(chan, req), req);
2487 chan->num_conf_req++;
1da177e4
LT		 2488 break;
2489
2490 case L2CAP_CR_PEND:
b4450035 2491 chan->conf_state |= L2CAP_CONF_CONNECT_PEND;
1da177e4
LT		 2492 break;
2493
2494 default:
a49184c2
AE		 2495 /* don't delete l2cap channel if sk is owned by user */
2496 if (sock_owned_by_user(sk)) {
89bc500e 2497 l2cap_state_change(chan, BT_DISCONN);
c9b66675
GP		 2498 __clear_chan_timer(chan);
2499 __set_chan_timer(chan, HZ / 5);
a49184c2
AE		 2500 break;
2501 }
2502
48454079 2503 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 2504 break;
2505 }
2506
2507 bh_unlock_sock(sk);
2508 return 0;
2509}
2510
47d1ec61 2511static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60 2512{
47d1ec61
GP		 2513 struct l2cap_pinfo *pi = l2cap_pi(chan->sk);
2514
8c462b60
MM		 2515 /* FCS is enabled only in ERTM or streaming mode, if one or both
2516 * sides request it.
2517 */
0c1bc5c6 2518 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 2519 chan->fcs = L2CAP_FCS_NONE;
b4450035 2520 else if (!(pi->chan->conf_state & L2CAP_CONF_NO_FCS_RECV))
47d1ec61 2521 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 2522}
2523
88219a0f 2524static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 2525{
2526 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
2527 u16 dcid, flags;
2528 u8 rsp[64];
48454079 2529 struct l2cap_chan *chan;
1da177e4 2530 struct sock *sk;
5dee9e7c 2531 int len;
1da177e4
LT		 2532
2533 dcid = __le16_to_cpu(req->dcid);
2534 flags = __le16_to_cpu(req->flags);
2535
2536 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
2537
baa7e1fa 2538 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 2539 if (!chan)
1da177e4
LT		 2540 return -ENOENT;
2541
48454079
GP		 2542 sk = chan->sk;
2543
89bc500e 2544 if (chan->state != BT_CONFIG) {
df6bd743
GP		 2545 struct l2cap_cmd_rej rej;
2546
2547 rej.reason = cpu_to_le16(0x0002);
2548 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
2549 sizeof(rej), &rej);
354f60a9 2550 goto unlock;
df6bd743 2551 }
354f60a9 2552
5dee9e7c 2553 /* Reject if config buffer is too small. */
88219a0f 2554 len = cmd_len - sizeof(*req);
73ffa904 2555 if (chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 2556 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 2557 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c
MH		 2558 L2CAP_CONF_REJECT, flags), rsp);
2559 goto unlock;
2560 }
2561
2562 /* Store config. */
73ffa904
GP		 2563 memcpy(chan->conf_req + chan->conf_len, req->data, len);
2564 chan->conf_len += len;
1da177e4
LT		 2565
2566 if (flags & 0x0001) {
2567 /* Incomplete config. Send empty response. */
2568 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 2569 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c 2570 L2CAP_CONF_SUCCESS, 0x0001), rsp);
1da177e4
LT		 2571 goto unlock;
2572 }
2573
2574 /* Complete config. */
73ffa904 2575 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 2576 if (len < 0) {
e92c8e70 2577 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4 2578 goto unlock;
f2fcfcd6 2579 }
1da177e4 2580
5dee9e7c 2581 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 2582 chan->num_conf_rsp++;
5dee9e7c 2583
5dee9e7c 2584 /* Reset config buffer. */
73ffa904 2585 chan->conf_len = 0;
5dee9e7c 2586
b4450035 2587 if (!(chan->conf_state & L2CAP_CONF_OUTPUT_DONE))
876d9484
MH		 2588 goto unlock;
2589
b4450035 2590 if (chan->conf_state & L2CAP_CONF_INPUT_DONE) {
47d1ec61 2591 set_default_fcs(chan);
fcc203c3 2592
89bc500e 2593 l2cap_state_change(chan, BT_CONNECTED);
e90bac06 2594
42e5c802
GP		 2595 chan->next_tx_seq = 0;
2596 chan->expected_tx_seq = 0;
58d35f87 2597 skb_queue_head_init(&chan->tx_q);
0c1bc5c6 2598 if (chan->mode == L2CAP_MODE_ERTM)
525cd185 2599 l2cap_ertm_init(chan);
0565c1c2 2600
1da177e4 2601 l2cap_chan_ready(sk);
876d9484
MH		 2602 goto unlock;
2603 }
2604
b4450035 2605 if (!(chan->conf_state & L2CAP_CONF_REQ_SENT)) {
79d554a6 2606 u8 buf[64];
b4450035 2607 chan->conf_state |= L2CAP_CONF_REQ_SENT;
1da177e4 2608 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2609 l2cap_build_conf_req(chan, buf), buf);
2610 chan->num_conf_req++;
1da177e4
LT		 2611 }
2612
2613unlock:
2614 bh_unlock_sock(sk);
2615 return 0;
2616}
2617
2618static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2619{
2620 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
2621 u16 scid, flags, result;
48454079 2622 struct l2cap_chan *chan;
1da177e4 2623 struct sock *sk;
7b1c0049 2624 int len = cmd->len - sizeof(*rsp);
1da177e4
LT		 2625
2626 scid = __le16_to_cpu(rsp->scid);
2627 flags = __le16_to_cpu(rsp->flags);
2628 result = __le16_to_cpu(rsp->result);
2629
af05b30b
GP		 2630 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x",
2631 scid, flags, result);
1da177e4 2632
baa7e1fa 2633 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2634 if (!chan)
1da177e4
LT		 2635 return 0;
2636
48454079
GP		 2637 sk = chan->sk;
2638
1da177e4
LT		 2639 switch (result) {
2640 case L2CAP_CONF_SUCCESS:
47d1ec61 2641 l2cap_conf_rfc_get(chan, rsp->data, len);
1da177e4
LT		 2642 break;
2643
2644 case L2CAP_CONF_UNACCEPT:
73ffa904 2645 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 2646 char req[64];
2647
c2c77ec8 2648 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
e92c8e70 2649 l2cap_send_disconn_req(conn, chan, ECONNRESET);
c2c77ec8
AE		 2650 goto done;
2651 }
2652
f2fcfcd6
GP		 2653 /* throw out any old stored conf requests */
2654 result = L2CAP_CONF_SUCCESS;
b4450035
GP		 2655 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2656 req, &result);
f2fcfcd6 2657 if (len < 0) {
e92c8e70 2658 l2cap_send_disconn_req(conn, chan, ECONNRESET);
f2fcfcd6
GP		 2659 goto done;
2660 }
2661
2662 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2663 L2CAP_CONF_REQ, len, req);
73ffa904 2664 chan->num_conf_req++;
f2fcfcd6
GP		 2665 if (result != L2CAP_CONF_SUCCESS)
2666 goto done;
2667 break;
1da177e4
LT		 2668 }
2669
8e87d142 2670 default:
b1235d79 2671 sk->sk_err = ECONNRESET;
c9b66675 2672 __set_chan_timer(chan, HZ * 5);
e92c8e70 2673 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4
LT		 2674 goto done;
2675 }
2676
2677 if (flags & 0x01)
2678 goto done;
2679
b4450035 2680 chan->conf_state |= L2CAP_CONF_INPUT_DONE;
1da177e4 2681
b4450035 2682 if (chan->conf_state & L2CAP_CONF_OUTPUT_DONE) {
47d1ec61 2683 set_default_fcs(chan);
fcc203c3 2684
89bc500e 2685 l2cap_state_change(chan, BT_CONNECTED);
42e5c802
GP		 2686 chan->next_tx_seq = 0;
2687 chan->expected_tx_seq = 0;
58d35f87 2688 skb_queue_head_init(&chan->tx_q);
0c1bc5c6 2689 if (chan->mode == L2CAP_MODE_ERTM)
525cd185 2690 l2cap_ertm_init(chan);
0565c1c2 2691
1da177e4
LT		 2692 l2cap_chan_ready(sk);
2693 }
2694
2695done:
2696 bh_unlock_sock(sk);
2697 return 0;
2698}
2699
2700static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2701{
2702 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
2703 struct l2cap_disconn_rsp rsp;
2704 u16 dcid, scid;
48454079 2705 struct l2cap_chan *chan;
1da177e4
LT		 2706 struct sock *sk;
2707
2708 scid = __le16_to_cpu(req->scid);
2709 dcid = __le16_to_cpu(req->dcid);
2710
2711 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
2712
baa7e1fa 2713 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 2714 if (!chan)
1da177e4
LT		 2715 return 0;
2716
48454079
GP		 2717 sk = chan->sk;
2718
fe4128e0
GP		 2719 rsp.dcid = cpu_to_le16(chan->scid);
2720 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 2721 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
2722
2723 sk->sk_shutdown = SHUTDOWN_MASK;
2724
a49184c2
AE		 2725 /* don't delete l2cap channel if sk is owned by user */
2726 if (sock_owned_by_user(sk)) {
89bc500e 2727 l2cap_state_change(chan, BT_DISCONN);
c9b66675
GP		 2728 __clear_chan_timer(chan);
2729 __set_chan_timer(chan, HZ / 5);
a49184c2
AE		 2730 bh_unlock_sock(sk);
2731 return 0;
2732 }
2733
48454079 2734 l2cap_chan_del(chan, ECONNRESET);
1da177e4
LT		 2735 bh_unlock_sock(sk);
2736
ba3bd0ee 2737 chan->ops->close(chan->data);
1da177e4
LT		 2738 return 0;
2739}
2740
2741static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2742{
2743 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
2744 u16 dcid, scid;
48454079 2745 struct l2cap_chan *chan;
1da177e4
LT		 2746 struct sock *sk;
2747
2748 scid = __le16_to_cpu(rsp->scid);
2749 dcid = __le16_to_cpu(rsp->dcid);
2750
2751 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
2752
baa7e1fa 2753 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2754 if (!chan)
1da177e4
LT		 2755 return 0;
2756
48454079
GP		 2757 sk = chan->sk;
2758
a49184c2
AE		 2759 /* don't delete l2cap channel if sk is owned by user */
2760 if (sock_owned_by_user(sk)) {
89bc500e 2761 l2cap_state_change(chan,BT_DISCONN);
c9b66675
GP		 2762 __clear_chan_timer(chan);
2763 __set_chan_timer(chan, HZ / 5);
a49184c2
AE		 2764 bh_unlock_sock(sk);
2765 return 0;
2766 }
2767
48454079 2768 l2cap_chan_del(chan, 0);
1da177e4
LT		 2769 bh_unlock_sock(sk);
2770
ba3bd0ee 2771 chan->ops->close(chan->data);
1da177e4
LT		 2772 return 0;
2773}
2774
2775static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2776{
2777 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 2778 u16 type;
2779
2780 type = __le16_to_cpu(req->type);
2781
2782 BT_DBG("type 0x%4.4x", type);
2783
f0709e03
MH		 2784 if (type == L2CAP_IT_FEAT_MASK) {
2785 u8 buf[8];
44dd46de 2786 u32 feat_mask = l2cap_feat_mask;
f0709e03
MH		 2787 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2788 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2789 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 2790 if (!disable_ertm)
fcc203c3
GP		 2791 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
2792 | L2CAP_FEAT_FCS;
1b7bf4ed 2793 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 2794 l2cap_send_cmd(conn, cmd->ident,
2795 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 2796 } else if (type == L2CAP_IT_FIXED_CHAN) {
2797 u8 buf[12];
2798 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2799 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2800 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
2801 memcpy(buf + 4, l2cap_fixed_chan, 8);
2802 l2cap_send_cmd(conn, cmd->ident,
2803 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 2804 } else {
2805 struct l2cap_info_rsp rsp;
2806 rsp.type = cpu_to_le16(type);
2807 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
2808 l2cap_send_cmd(conn, cmd->ident,
2809 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
2810 }
1da177e4
LT		 2811
2812 return 0;
2813}
2814
2815static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2816{
2817 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
2818 u16 type, result;
2819
2820 type = __le16_to_cpu(rsp->type);
2821 result = __le16_to_cpu(rsp->result);
2822
2823 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
2824
e90165be
AE		 2825 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
2826 if (cmd->ident != conn->info_ident ||
2827 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
2828 return 0;
2829
4e8402a3
MH		 2830 del_timer(&conn->info_timer);
2831
adb08ede
VT		 2832 if (result != L2CAP_IR_SUCCESS) {
2833 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2834 conn->info_ident = 0;
2835
2836 l2cap_conn_start(conn);
2837
2838 return 0;
2839 }
2840
984947dc 2841 if (type == L2CAP_IT_FEAT_MASK) {
83985319 2842 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 2843
47ec1dcd 2844 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c
MH		 2845 struct l2cap_info_req req;
2846 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2847
2848 conn->info_ident = l2cap_get_ident(conn);
2849
2850 l2cap_send_cmd(conn, conn->info_ident,
2851 L2CAP_INFO_REQ, sizeof(req), &req);
2852 } else {
2853 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2854 conn->info_ident = 0;
2855
2856 l2cap_conn_start(conn);
2857 }
2858 } else if (type == L2CAP_IT_FIXED_CHAN) {
984947dc 2859 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2860 conn->info_ident = 0;
984947dc
MH		 2861
2862 l2cap_conn_start(conn);
2863 }
4e8402a3 2864
1da177e4
LT		 2865 return 0;
2866}
2867
e2174ca4 2868static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
de73115a
CT		 2869 u16 to_multiplier)
2870{
2871 u16 max_latency;
2872
2873 if (min > max || min < 6 || max > 3200)
2874 return -EINVAL;
2875
2876 if (to_multiplier < 10 || to_multiplier > 3200)
2877 return -EINVAL;
2878
2879 if (max >= to_multiplier * 8)
2880 return -EINVAL;
2881
2882 max_latency = (to_multiplier * 8 / max) - 1;
2883 if (latency > 499 || latency > max_latency)
2884 return -EINVAL;
2885
2886 return 0;
2887}
2888
2889static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
2890 struct l2cap_cmd_hdr *cmd, u8 *data)
2891{
2892 struct hci_conn *hcon = conn->hcon;
2893 struct l2cap_conn_param_update_req *req;
2894 struct l2cap_conn_param_update_rsp rsp;
2895 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 2896 int err;
de73115a
CT		 2897
2898 if (!(hcon->link_mode & HCI_LM_MASTER))
2899 return -EINVAL;
2900
2901 cmd_len = __le16_to_cpu(cmd->len);
2902 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
2903 return -EPROTO;
2904
2905 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 2906 min = __le16_to_cpu(req->min);
2907 max = __le16_to_cpu(req->max);
de73115a
CT		 2908 latency = __le16_to_cpu(req->latency);
2909 to_multiplier = __le16_to_cpu(req->to_multiplier);
2910
2911 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
2912 min, max, latency, to_multiplier);
2913
2914 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 2915
2916 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
2917 if (err)
de73115a
CT		 2918 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
2919 else
2920 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
2921
2922 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
2923 sizeof(rsp), &rsp);
2924
2ce603eb
CT		 2925 if (!err)
2926 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
2927
de73115a
CT		 2928 return 0;
2929}
2930
3300d9a9
CT		 2931static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
2932 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
2933{
2934 int err = 0;
2935
2936 switch (cmd->code) {
2937 case L2CAP_COMMAND_REJ:
2938 l2cap_command_rej(conn, cmd, data);
2939 break;
2940
2941 case L2CAP_CONN_REQ:
2942 err = l2cap_connect_req(conn, cmd, data);
2943 break;
2944
2945 case L2CAP_CONN_RSP:
2946 err = l2cap_connect_rsp(conn, cmd, data);
2947 break;
2948
2949 case L2CAP_CONF_REQ:
2950 err = l2cap_config_req(conn, cmd, cmd_len, data);
2951 break;
2952
2953 case L2CAP_CONF_RSP:
2954 err = l2cap_config_rsp(conn, cmd, data);
2955 break;
2956
2957 case L2CAP_DISCONN_REQ:
2958 err = l2cap_disconnect_req(conn, cmd, data);
2959 break;
2960
2961 case L2CAP_DISCONN_RSP:
2962 err = l2cap_disconnect_rsp(conn, cmd, data);
2963 break;
2964
2965 case L2CAP_ECHO_REQ:
2966 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
2967 break;
2968
2969 case L2CAP_ECHO_RSP:
2970 break;
2971
2972 case L2CAP_INFO_REQ:
2973 err = l2cap_information_req(conn, cmd, data);
2974 break;
2975
2976 case L2CAP_INFO_RSP:
2977 err = l2cap_information_rsp(conn, cmd, data);
2978 break;
2979
2980 default:
2981 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
2982 err = -EINVAL;
2983 break;
2984 }
2985
2986 return err;
2987}
2988
2989static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
2990 struct l2cap_cmd_hdr *cmd, u8 *data)
2991{
2992 switch (cmd->code) {
2993 case L2CAP_COMMAND_REJ:
2994 return 0;
2995
2996 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 2997 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 2998
2999 case L2CAP_CONN_PARAM_UPDATE_RSP:
3000 return 0;
3001
3002 default:
3003 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
3004 return -EINVAL;
3005 }
3006}
3007
3008static inline void l2cap_sig_channel(struct l2cap_conn *conn,
3009 struct sk_buff *skb)
1da177e4
LT		 3010{
3011 u8 *data = skb->data;
3012 int len = skb->len;
3013 struct l2cap_cmd_hdr cmd;
3300d9a9 3014 int err;
1da177e4
LT		 3015
3016 l2cap_raw_recv(conn, skb);
3017
3018 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 3019 u16 cmd_len;
1da177e4
LT		 3020 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
3021 data += L2CAP_CMD_HDR_SIZE;
3022 len -= L2CAP_CMD_HDR_SIZE;
3023
88219a0f 3024 cmd_len = le16_to_cpu(cmd.len);
1da177e4 3025
88219a0f 3026 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 3027
88219a0f 3028 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 3029 BT_DBG("corrupted command");
3030 break;
3031 }
3032
3300d9a9
CT		 3033 if (conn->hcon->type == LE_LINK)
3034 err = l2cap_le_sig_cmd(conn, &cmd, data);
3035 else
3036 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 3037
3038 if (err) {
3039 struct l2cap_cmd_rej rej;
2c6d1a2e
GP		 3040
3041 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 3042
3043 /* FIXME: Map err to a valid reason */
aca3192c 3044 rej.reason = cpu_to_le16(0);
1da177e4
LT		 3045 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3046 }
3047
88219a0f
AV		 3048 data += cmd_len;
3049 len -= cmd_len;
1da177e4
LT		 3050 }
3051
3052 kfree_skb(skb);
3053}
3054
47d1ec61 3055static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 3056{
3057 u16 our_fcs, rcv_fcs;
3058 int hdr_size = L2CAP_HDR_SIZE + 2;
3059
47d1ec61 3060 if (chan->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 3061 skb_trim(skb, skb->len - 2);
3062 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
3063 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
3064
3065 if (our_fcs != rcv_fcs)
7a560e5c 3066 return -EBADMSG;
fcc203c3
GP		 3067 }
3068 return 0;
3069}
3070
525cd185 3071static inline void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 3072{
d5392c8f
GP		 3073 u16 control = 0;
3074
6a026610 3075 chan->frames_sent = 0;
d5392c8f 3076
42e5c802 3077 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
d5392c8f 3078
525cd185 3079 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
64988868 3080 control |= L2CAP_SUPER_RCV_NOT_READY;
525cd185
GP		 3081 l2cap_send_sframe(chan, control);
3082 chan->conn_state |= L2CAP_CONN_RNR_SENT;
d5392c8f
GP		 3083 }
3084
525cd185
GP		 3085 if (chan->conn_state & L2CAP_CONN_REMOTE_BUSY)
3086 l2cap_retransmit_frames(chan);
d5392c8f 3087
525cd185 3088 l2cap_ertm_send(chan);
d5392c8f 3089
525cd185 3090 if (!(chan->conn_state & L2CAP_CONN_LOCAL_BUSY) &&
6a026610 3091 chan->frames_sent == 0) {
d5392c8f 3092 control |= L2CAP_SUPER_RCV_READY;
525cd185 3093 l2cap_send_sframe(chan, control);
d5392c8f
GP		 3094 }
3095}
3096
42e5c802 3097static int l2cap_add_to_srej_queue(struct l2cap_chan *chan, struct sk_buff *skb, u8 tx_seq, u8 sar)
8f17154f
GP		 3098{
3099 struct sk_buff *next_skb;
bfbacc11 3100 int tx_seq_offset, next_tx_seq_offset;
8f17154f
GP		 3101
3102 bt_cb(skb)->tx_seq = tx_seq;
3103 bt_cb(skb)->sar = sar;
3104
f1c6775b 3105 next_skb = skb_peek(&chan->srej_q);
8f17154f 3106 if (!next_skb) {
f1c6775b 3107 __skb_queue_tail(&chan->srej_q, skb);
9b53350d 3108 return 0;
8f17154f
GP		 3109 }
3110
42e5c802 3111 tx_seq_offset = (tx_seq - chan->buffer_seq) % 64;
bfbacc11
JPRV		 3112 if (tx_seq_offset < 0)
3113 tx_seq_offset += 64;
3114
8f17154f 3115 do {
9b53350d
JPRV		 3116 if (bt_cb(next_skb)->tx_seq == tx_seq)
3117 return -EINVAL;
3118
bfbacc11 3119 next_tx_seq_offset = (bt_cb(next_skb)->tx_seq -
42e5c802 3120 chan->buffer_seq) % 64;
bfbacc11
JPRV		 3121 if (next_tx_seq_offset < 0)
3122 next_tx_seq_offset += 64;
3123
3124 if (next_tx_seq_offset > tx_seq_offset) {
f1c6775b 3125 __skb_queue_before(&chan->srej_q, next_skb, skb);
9b53350d 3126 return 0;
8f17154f
GP		 3127 }
3128
f1c6775b 3129 if (skb_queue_is_last(&chan->srej_q, next_skb))
8f17154f
GP		 3130 break;
3131
f1c6775b 3132 } while ((next_skb = skb_queue_next(&chan->srej_q, next_skb)));
8f17154f 3133
f1c6775b 3134 __skb_queue_tail(&chan->srej_q, skb);
9b53350d
JPRV		 3135
3136 return 0;
8f17154f
GP		 3137}
3138
525cd185 3139static int l2cap_ertm_reassembly_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u16 control)
18778a63 3140{
18778a63 3141 struct sk_buff *_skb;
1890d36b 3142 int err;
18778a63
GP		 3143
3144 switch (control & L2CAP_CTRL_SAR) {
3145 case L2CAP_SDU_UNSEGMENTED:
525cd185 3146 if (chan->conn_state & L2CAP_CONN_SAR_SDU)
18778a63
GP		 3147 goto drop;
3148
23070494 3149 return chan->ops->recv(chan->data, skb);
18778a63
GP		 3150
3151 case L2CAP_SDU_START:
525cd185 3152 if (chan->conn_state & L2CAP_CONN_SAR_SDU)
18778a63
GP		 3153 goto drop;
3154
6f61fd47 3155 chan->sdu_len = get_unaligned_le16(skb->data);
18778a63 3156
0c1bc5c6 3157 if (chan->sdu_len > chan->imtu)
18778a63
GP		 3158 goto disconnect;
3159
6f61fd47
GP		 3160 chan->sdu = bt_skb_alloc(chan->sdu_len, GFP_ATOMIC);
3161 if (!chan->sdu)
1890d36b
GP		 3162 return -ENOMEM;
3163
3164 /* pull sdu_len bytes only after alloc, because of Local Busy
3165 * condition we have to be sure that this will be executed
3166 * only once, i.e., when alloc does not fail */
3167 skb_pull(skb, 2);
18778a63 3168
6f61fd47 3169 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
18778a63 3170
525cd185 3171 chan->conn_state |= L2CAP_CONN_SAR_SDU;
6f61fd47 3172 chan->partial_sdu_len = skb->len;
18778a63
GP		 3173 break;
3174
3175 case L2CAP_SDU_CONTINUE:
525cd185 3176 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
18778a63
GP		 3177 goto disconnect;
3178
6f61fd47 3179 if (!chan->sdu)
18778a63
GP		 3180 goto disconnect;
3181
6f61fd47
GP		 3182 chan->partial_sdu_len += skb->len;
3183 if (chan->partial_sdu_len > chan->sdu_len)
18778a63
GP		 3184 goto drop;
3185
6f61fd47 3186 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
4178ba46 3187
18778a63
GP		 3188 break;
3189
3190 case L2CAP_SDU_END:
525cd185 3191 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
18778a63
GP		 3192 goto disconnect;
3193
6f61fd47 3194 if (!chan->sdu)
18778a63
GP		 3195 goto disconnect;
3196
525cd185 3197 if (!(chan->conn_state & L2CAP_CONN_SAR_RETRY)) {
6f61fd47 3198 chan->partial_sdu_len += skb->len;
18778a63 3199
0c1bc5c6 3200 if (chan->partial_sdu_len > chan->imtu)
1890d36b 3201 goto drop;
18778a63 3202
6f61fd47 3203 if (chan->partial_sdu_len != chan->sdu_len)
1890d36b 3204 goto drop;
4178ba46 3205
6f61fd47 3206 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
1890d36b 3207 }
18778a63 3208
6f61fd47 3209 _skb = skb_clone(chan->sdu, GFP_ATOMIC);
1890d36b 3210 if (!_skb) {
525cd185 3211 chan->conn_state |= L2CAP_CONN_SAR_RETRY;
1890d36b
GP		 3212 return -ENOMEM;
3213 }
3214
23070494 3215 err = chan->ops->recv(chan->data, _skb);
1890d36b 3216 if (err < 0) {
18778a63 3217 kfree_skb(_skb);
525cd185 3218 chan->conn_state |= L2CAP_CONN_SAR_RETRY;
1890d36b
GP		 3219 return err;
3220 }
3221
525cd185
GP		 3222 chan->conn_state &= ~L2CAP_CONN_SAR_RETRY;
3223 chan->conn_state &= ~L2CAP_CONN_SAR_SDU;
18778a63 3224
6f61fd47 3225 kfree_skb(chan->sdu);
18778a63
GP		 3226 break;
3227 }
3228
3229 kfree_skb(skb);
1890d36b 3230 return 0;
18778a63
GP		 3231
3232drop:
6f61fd47
GP		 3233 kfree_skb(chan->sdu);
3234 chan->sdu = NULL;
18778a63
GP		 3235
3236disconnect:
8c1d787b 3237 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
18778a63
GP		 3238 kfree_skb(skb);
3239 return 0;
3240}
3241
525cd185 3242static int l2cap_try_push_rx_skb(struct l2cap_chan *chan)
712132eb 3243{
712132eb
GP		 3244 struct sk_buff *skb;
3245 u16 control;
3246 int err;
3247
f1c6775b 3248 while ((skb = skb_dequeue(&chan->busy_q))) {
712132eb 3249 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
525cd185 3250 err = l2cap_ertm_reassembly_sdu(chan, skb, control);
712132eb 3251 if (err < 0) {
f1c6775b 3252 skb_queue_head(&chan->busy_q, skb);
712132eb
GP		 3253 return -EBUSY;
3254 }
3255
42e5c802 3256 chan->buffer_seq = (chan->buffer_seq + 1) % 64;
712132eb
GP		 3257 }
3258
525cd185 3259 if (!(chan->conn_state & L2CAP_CONN_RNR_SENT))
712132eb
GP		 3260 goto done;
3261
42e5c802 3262 control = chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
712132eb 3263 control |= L2CAP_SUPER_RCV_READY | L2CAP_CTRL_POLL;
525cd185 3264 l2cap_send_sframe(chan, control);
6a026610 3265 chan->retry_count = 1;
712132eb 3266
1a09bcb9
GP		 3267 __clear_retrans_timer(chan);
3268 __set_monitor_timer(chan);
712132eb 3269
525cd185 3270 chan->conn_state |= L2CAP_CONN_WAIT_F;
712132eb
GP		 3271
3272done:
525cd185
GP		 3273 chan->conn_state &= ~L2CAP_CONN_LOCAL_BUSY;
3274 chan->conn_state &= ~L2CAP_CONN_RNR_SENT;
712132eb 3275
49208c9c 3276 BT_DBG("chan %p, Exit local busy", chan);
712132eb
GP		 3277
3278 return 0;
3279}
3280
1890d36b
GP		 3281static void l2cap_busy_work(struct work_struct *work)
3282{
3283 DECLARE_WAITQUEUE(wait, current);
311bb895
GP		 3284 struct l2cap_chan *chan =
3285 container_of(work, struct l2cap_chan, busy_work);
3286 struct sock *sk = chan->sk;
1890d36b
GP		 3287 int n_tries = 0, timeo = HZ/5, err;
3288 struct sk_buff *skb;
1890d36b
GP		 3289
3290 lock_sock(sk);
3291
2b0b05dd 3292 add_wait_queue(sk_sleep(sk), &wait);
311bb895 3293 while ((skb = skb_peek(&chan->busy_q))) {
1890d36b
GP		 3294 set_current_state(TASK_INTERRUPTIBLE);
3295
3296 if (n_tries++ > L2CAP_LOCAL_BUSY_TRIES) {
3297 err = -EBUSY;
8c1d787b 3298 l2cap_send_disconn_req(chan->conn, chan, EBUSY);
712132eb 3299 break;
1890d36b
GP		 3300 }
3301
3302 if (!timeo)
3303 timeo = HZ/5;
3304
3305 if (signal_pending(current)) {
3306 err = sock_intr_errno(timeo);
712132eb 3307 break;
1890d36b
GP		 3308 }
3309
3310 release_sock(sk);
3311 timeo = schedule_timeout(timeo);
3312 lock_sock(sk);
3313
3314 err = sock_error(sk);
3315 if (err)
712132eb 3316 break;
1890d36b 3317
311bb895 3318 if (l2cap_try_push_rx_skb(chan) == 0)
1890d36b
GP		 3319 break;
3320 }
3321
1890d36b 3322 set_current_state(TASK_RUNNING);
2b0b05dd 3323 remove_wait_queue(sk_sleep(sk), &wait);
1890d36b
GP		 3324
3325 release_sock(sk);
3326}
3327
525cd185 3328static int l2cap_push_rx_skb(struct l2cap_chan *chan, struct sk_buff *skb, u16 control)
1890d36b 3329{
1890d36b
GP		 3330 int sctrl, err;
3331
525cd185 3332 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
1890d36b 3333 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
f1c6775b 3334 __skb_queue_tail(&chan->busy_q, skb);
525cd185 3335 return l2cap_try_push_rx_skb(chan);
712132eb
GP		 3336
3337
1890d36b
GP		 3338 }
3339
525cd185 3340 err = l2cap_ertm_reassembly_sdu(chan, skb, control);
1890d36b 3341 if (err >= 0) {
42e5c802 3342 chan->buffer_seq = (chan->buffer_seq + 1) % 64;
1890d36b
GP		 3343 return err;
3344 }
3345
3346 /* Busy Condition */
311bb895 3347 BT_DBG("chan %p, Enter local busy", chan);
0e98958d 3348
525cd185 3349 chan->conn_state |= L2CAP_CONN_LOCAL_BUSY;
1890d36b 3350 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
f1c6775b 3351 __skb_queue_tail(&chan->busy_q, skb);
1890d36b 3352
42e5c802 3353 sctrl = chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1890d36b 3354 sctrl |= L2CAP_SUPER_RCV_NOT_READY;
525cd185 3355 l2cap_send_sframe(chan, sctrl);
1890d36b 3356
525cd185 3357 chan->conn_state |= L2CAP_CONN_RNR_SENT;
1890d36b 3358
1a09bcb9 3359 __clear_ack_timer(chan);
7fe9b298 3360
311bb895 3361 queue_work(_busy_wq, &chan->busy_work);
1890d36b
GP		 3362
3363 return err;
3364}
3365
525cd185 3366static int l2cap_streaming_reassembly_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u16 control)
c74e560c 3367{
c74e560c
GP		 3368 struct sk_buff *_skb;
3369 int err = -EINVAL;
3370
18778a63
GP		 3371 /*
3372 * TODO: We have to notify the userland if some data is lost with the
3373 * Streaming Mode.
3374 */
3375
c74e560c
GP		 3376 switch (control & L2CAP_CTRL_SAR) {
3377 case L2CAP_SDU_UNSEGMENTED:
525cd185 3378 if (chan->conn_state & L2CAP_CONN_SAR_SDU) {
6f61fd47 3379 kfree_skb(chan->sdu);
c74e560c
GP		 3380 break;
3381 }
3382
23070494 3383 err = chan->ops->recv(chan->data, skb);
c74e560c
GP		 3384 if (!err)
3385 return 0;
3386
3387 break;
3388
3389 case L2CAP_SDU_START:
525cd185 3390 if (chan->conn_state & L2CAP_CONN_SAR_SDU) {
6f61fd47 3391 kfree_skb(chan->sdu);
c74e560c
GP		 3392 break;
3393 }
3394
6f61fd47 3395 chan->sdu_len = get_unaligned_le16(skb->data);
c74e560c
GP		 3396 skb_pull(skb, 2);
3397
0c1bc5c6 3398 if (chan->sdu_len > chan->imtu) {
052897ca
GP		 3399 err = -EMSGSIZE;
3400 break;
3401 }
3402
6f61fd47
GP		 3403 chan->sdu = bt_skb_alloc(chan->sdu_len, GFP_ATOMIC);
3404 if (!chan->sdu) {
c74e560c
GP		 3405 err = -ENOMEM;
3406 break;
3407 }
3408
6f61fd47 3409 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
c74e560c 3410
525cd185 3411 chan->conn_state |= L2CAP_CONN_SAR_SDU;
6f61fd47 3412 chan->partial_sdu_len = skb->len;
c74e560c
GP		 3413 err = 0;
3414 break;
3415
3416 case L2CAP_SDU_CONTINUE:
525cd185 3417 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
c74e560c
GP		 3418 break;
3419
6f61fd47 3420 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
c74e560c 3421
6f61fd47
GP		 3422 chan->partial_sdu_len += skb->len;
3423 if (chan->partial_sdu_len > chan->sdu_len)
3424 kfree_skb(chan->sdu);
c74e560c
GP		 3425 else
3426 err = 0;
3427
3428 break;
3429
3430 case L2CAP_SDU_END:
525cd185 3431 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
c74e560c
GP		 3432 break;
3433
6f61fd47 3434 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
c74e560c 3435
525cd185 3436 chan->conn_state &= ~L2CAP_CONN_SAR_SDU;
6f61fd47 3437 chan->partial_sdu_len += skb->len;
c74e560c 3438
0c1bc5c6 3439 if (chan->partial_sdu_len > chan->imtu)
36f2fd58
GP		 3440 goto drop;
3441
6f61fd47
GP		 3442 if (chan->partial_sdu_len == chan->sdu_len) {
3443 _skb = skb_clone(chan->sdu, GFP_ATOMIC);
23070494 3444 err = chan->ops->recv(chan->data, _skb);
c74e560c
GP		 3445 if (err < 0)
3446 kfree_skb(_skb);
3447 }
c74e560c
GP		 3448 err = 0;
3449
36f2fd58 3450drop:
6f61fd47 3451 kfree_skb(chan->sdu);
c74e560c
GP		 3452 break;
3453 }
3454
3455 kfree_skb(skb);
3456 return err;
3457}
3458
525cd185 3459static void l2cap_check_srej_gap(struct l2cap_chan *chan, u8 tx_seq)
8f17154f
GP		 3460{
3461 struct sk_buff *skb;
afefdbc4 3462 u16 control;
8f17154f 3463
f1c6775b 3464 while ((skb = skb_peek(&chan->srej_q))) {
8f17154f
GP		 3465 if (bt_cb(skb)->tx_seq != tx_seq)
3466 break;
3467
f1c6775b 3468 skb = skb_dequeue(&chan->srej_q);
afefdbc4 3469 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
525cd185 3470 l2cap_ertm_reassembly_sdu(chan, skb, control);
42e5c802
GP		 3471 chan->buffer_seq_srej =
3472 (chan->buffer_seq_srej + 1) % 64;
8ff50ec0 3473 tx_seq = (tx_seq + 1) % 64;
8f17154f
GP		 3474 }
3475}
3476
525cd185 3477static void l2cap_resend_srejframe(struct l2cap_chan *chan, u8 tx_seq)
8f17154f 3478{
8f17154f
GP		 3479 struct srej_list *l, *tmp;
3480 u16 control;
3481
39d5a3ee 3482 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
8f17154f
GP		 3483 if (l->tx_seq == tx_seq) {
3484 list_del(&l->list);
3485 kfree(l);
3486 return;
3487 }
3488 control = L2CAP_SUPER_SELECT_REJECT;
3489 control |= l->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
525cd185 3490 l2cap_send_sframe(chan, control);
8f17154f 3491 list_del(&l->list);
39d5a3ee 3492 list_add_tail(&l->list, &chan->srej_l);
8f17154f
GP		 3493 }
3494}
3495
525cd185 3496static void l2cap_send_srejframe(struct l2cap_chan *chan, u8 tx_seq)
8f17154f 3497{
8f17154f
GP		 3498 struct srej_list *new;
3499 u16 control;
3500
42e5c802 3501 while (tx_seq != chan->expected_tx_seq) {
8f17154f 3502 control = L2CAP_SUPER_SELECT_REJECT;
42e5c802 3503 control |= chan->expected_tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
525cd185 3504 l2cap_send_sframe(chan, control);
8f17154f
GP		 3505
3506 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
42e5c802
GP		 3507 new->tx_seq = chan->expected_tx_seq;
3508 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
39d5a3ee 3509 list_add_tail(&new->list, &chan->srej_l);
8f17154f 3510 }
42e5c802 3511 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
8f17154f
GP		 3512}
3513
525cd185 3514static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u16 rx_control, struct sk_buff *skb)
1c2acffb 3515{
1c2acffb 3516 u8 tx_seq = __get_txseq(rx_control);
9f121a5a 3517 u8 req_seq = __get_reqseq(rx_control);
8f17154f 3518 u8 sar = rx_control >> L2CAP_CTRL_SAR_SHIFT;
f6337c77 3519 int tx_seq_offset, expected_tx_seq_offset;
47d1ec61 3520 int num_to_ack = (chan->tx_win/6) + 1;
1c2acffb
GP		 3521 int err = 0;
3522
525cd185
GP		 3523 BT_DBG("chan %p len %d tx_seq %d rx_control 0x%4.4x", chan, skb->len,
3524 tx_seq, rx_control);
1c2acffb 3525
9b16dc65 3526 if (L2CAP_CTRL_FINAL & rx_control &&
525cd185 3527 chan->conn_state & L2CAP_CONN_WAIT_F) {
1a09bcb9 3528 __clear_monitor_timer(chan);
6a026610 3529 if (chan->unacked_frames > 0)
1a09bcb9 3530 __set_retrans_timer(chan);
525cd185 3531 chan->conn_state &= ~L2CAP_CONN_WAIT_F;
1d8f5d16
GP		 3532 }
3533
42e5c802
GP		 3534 chan->expected_ack_seq = req_seq;
3535 l2cap_drop_acked_frames(chan);
9f121a5a 3536
42e5c802 3537 if (tx_seq == chan->expected_tx_seq)
8f17154f 3538 goto expected;
1c2acffb 3539
42e5c802 3540 tx_seq_offset = (tx_seq - chan->buffer_seq) % 64;
9b53350d
JPRV		 3541 if (tx_seq_offset < 0)
3542 tx_seq_offset += 64;
3543
3544 /* invalid tx_seq */
47d1ec61 3545 if (tx_seq_offset >= chan->tx_win) {
8c1d787b 3546 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
9b53350d
JPRV		 3547 goto drop;
3548 }
3549
e6949280 3550 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY)
1890d36b
GP		 3551 goto drop;
3552
525cd185 3553 if (chan->conn_state & L2CAP_CONN_SREJ_SENT) {
8f17154f 3554 struct srej_list *first;
30afb5b2 3555
39d5a3ee 3556 first = list_first_entry(&chan->srej_l,
8f17154f
GP		 3557 struct srej_list, list);
3558 if (tx_seq == first->tx_seq) {
42e5c802 3559 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
525cd185 3560 l2cap_check_srej_gap(chan, tx_seq);
8f17154f
GP		 3561
3562 list_del(&first->list);
3563 kfree(first);
3564
39d5a3ee 3565 if (list_empty(&chan->srej_l)) {
42e5c802 3566 chan->buffer_seq = chan->buffer_seq_srej;
525cd185
GP		 3567 chan->conn_state &= ~L2CAP_CONN_SREJ_SENT;
3568 l2cap_send_ack(chan);
49208c9c 3569 BT_DBG("chan %p, Exit SREJ_SENT", chan);
8f17154f
GP		 3570 }
3571 } else {
3572 struct srej_list *l;
9b53350d
JPRV		 3573
3574 /* duplicated tx_seq */
42e5c802 3575 if (l2cap_add_to_srej_queue(chan, skb, tx_seq, sar) < 0)
9b53350d 3576 goto drop;
8f17154f 3577
39d5a3ee 3578 list_for_each_entry(l, &chan->srej_l, list) {
8f17154f 3579 if (l->tx_seq == tx_seq) {
525cd185 3580 l2cap_resend_srejframe(chan, tx_seq);
8f17154f
GP		 3581 return 0;
3582 }
3583 }
525cd185 3584 l2cap_send_srejframe(chan, tx_seq);
30afb5b2
GP		 3585 }
3586 } else {
9b53350d 3587 expected_tx_seq_offset =
42e5c802 3588 (chan->expected_tx_seq - chan->buffer_seq) % 64;
9b53350d
JPRV		 3589 if (expected_tx_seq_offset < 0)
3590 expected_tx_seq_offset += 64;
3591
3592 /* duplicated tx_seq */
3593 if (tx_seq_offset < expected_tx_seq_offset)
3594 goto drop;
3595
525cd185 3596 chan->conn_state |= L2CAP_CONN_SREJ_SENT;
1c2acffb 3597
49208c9c 3598 BT_DBG("chan %p, Enter SREJ", chan);
0e98958d 3599
39d5a3ee 3600 INIT_LIST_HEAD(&chan->srej_l);
42e5c802 3601 chan->buffer_seq_srej = chan->buffer_seq;
8f17154f 3602
f1c6775b
GP		 3603 __skb_queue_head_init(&chan->srej_q);
3604 __skb_queue_head_init(&chan->busy_q);
42e5c802 3605 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
8f17154f 3606
525cd185 3607 chan->conn_state |= L2CAP_CONN_SEND_PBIT;
ef54fd93 3608
525cd185 3609 l2cap_send_srejframe(chan, tx_seq);
7fe9b298 3610
1a09bcb9 3611 __clear_ack_timer(chan);
1c2acffb 3612 }
30afb5b2
GP		 3613 return 0;
3614
8f17154f 3615expected:
42e5c802 3616 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
8f17154f 3617
525cd185 3618 if (chan->conn_state & L2CAP_CONN_SREJ_SENT) {
3b1a9f3f
GP		 3619 bt_cb(skb)->tx_seq = tx_seq;
3620 bt_cb(skb)->sar = sar;
f1c6775b 3621 __skb_queue_tail(&chan->srej_q, skb);
8f17154f
GP		 3622 return 0;
3623 }
3624
525cd185 3625 err = l2cap_push_rx_skb(chan, skb, rx_control);
2ece3684
GP		 3626 if (err < 0)
3627 return 0;
3628
4ec10d97 3629 if (rx_control & L2CAP_CTRL_FINAL) {
525cd185
GP		 3630 if (chan->conn_state & L2CAP_CONN_REJ_ACT)
3631 chan->conn_state &= ~L2CAP_CONN_REJ_ACT;
dfc909be 3632 else
525cd185 3633 l2cap_retransmit_frames(chan);
4ec10d97
GP		 3634 }
3635
1a09bcb9 3636 __set_ack_timer(chan);
c1b4f43b 3637
6a026610
GP		 3638 chan->num_acked = (chan->num_acked + 1) % num_to_ack;
3639 if (chan->num_acked == num_to_ack - 1)
525cd185 3640 l2cap_send_ack(chan);
9e917af1 3641
8f17154f 3642 return 0;
9b53350d
JPRV		 3643
3644drop:
3645 kfree_skb(skb);
3646 return 0;
1c2acffb
GP		 3647}
3648
525cd185 3649static inline void l2cap_data_channel_rrframe(struct l2cap_chan *chan, u16 rx_control)
1c2acffb 3650{
49208c9c 3651 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, __get_reqseq(rx_control),
0e98958d
GP		 3652 rx_control);
3653
42e5c802
GP		 3654 chan->expected_ack_seq = __get_reqseq(rx_control);
3655 l2cap_drop_acked_frames(chan);
1c2acffb 3656
e072745f 3657 if (rx_control & L2CAP_CTRL_POLL) {
525cd185
GP		 3658 chan->conn_state |= L2CAP_CONN_SEND_FBIT;
3659 if (chan->conn_state & L2CAP_CONN_SREJ_SENT) {
3660 if ((chan->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
6a026610 3661 (chan->unacked_frames > 0))
1a09bcb9 3662 __set_retrans_timer(chan);
05fbd89d 3663
525cd185
GP		 3664 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3665 l2cap_send_srejtail(chan);
05fbd89d 3666 } else {
525cd185 3667 l2cap_send_i_or_rr_or_rnr(chan);
05fbd89d 3668 }
1d8f5d16 3669
e072745f 3670 } else if (rx_control & L2CAP_CTRL_FINAL) {
525cd185 3671 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
4ec10d97 3672
525cd185
GP		 3673 if (chan->conn_state & L2CAP_CONN_REJ_ACT)
3674 chan->conn_state &= ~L2CAP_CONN_REJ_ACT;
dfc909be 3675 else
525cd185 3676 l2cap_retransmit_frames(chan);
2246b2f1 3677
e072745f 3678 } else {
525cd185 3679 if ((chan->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
6a026610 3680 (chan->unacked_frames > 0))
1a09bcb9 3681 __set_retrans_timer(chan);
1c2acffb 3682
525cd185
GP		 3683 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3684 if (chan->conn_state & L2CAP_CONN_SREJ_SENT)
3685 l2cap_send_ack(chan);
894718a6 3686 else
525cd185 3687 l2cap_ertm_send(chan);
e072745f
GP		 3688 }
3689}
2246b2f1 3690
525cd185 3691static inline void l2cap_data_channel_rejframe(struct l2cap_chan *chan, u16 rx_control)
e072745f 3692{
e072745f 3693 u8 tx_seq = __get_reqseq(rx_control);
30afb5b2 3694
525cd185 3695 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
0e98958d 3696
525cd185 3697 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
e072745f 3698
42e5c802
GP		 3699 chan->expected_ack_seq = tx_seq;
3700 l2cap_drop_acked_frames(chan);
e072745f
GP		 3701
3702 if (rx_control & L2CAP_CTRL_FINAL) {
525cd185
GP		 3703 if (chan->conn_state & L2CAP_CONN_REJ_ACT)
3704 chan->conn_state &= ~L2CAP_CONN_REJ_ACT;
dfc909be 3705 else
525cd185 3706 l2cap_retransmit_frames(chan);
e072745f 3707 } else {
525cd185 3708 l2cap_retransmit_frames(chan);
30afb5b2 3709
525cd185
GP		 3710 if (chan->conn_state & L2CAP_CONN_WAIT_F)
3711 chan->conn_state |= L2CAP_CONN_REJ_ACT;
e072745f
GP		 3712 }
3713}
525cd185 3714static inline void l2cap_data_channel_srejframe(struct l2cap_chan *chan, u16 rx_control)
e072745f 3715{
e072745f 3716 u8 tx_seq = __get_reqseq(rx_control);
30afb5b2 3717
525cd185 3718 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
0e98958d 3719
525cd185 3720 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
2246b2f1 3721
e072745f 3722 if (rx_control & L2CAP_CTRL_POLL) {
42e5c802
GP		 3723 chan->expected_ack_seq = tx_seq;
3724 l2cap_drop_acked_frames(chan);
3cb123d1 3725
525cd185
GP		 3726 chan->conn_state |= L2CAP_CONN_SEND_FBIT;
3727 l2cap_retransmit_one_frame(chan, tx_seq);
dfc909be 3728
525cd185 3729 l2cap_ertm_send(chan);
dfc909be 3730
525cd185 3731 if (chan->conn_state & L2CAP_CONN_WAIT_F) {
6a026610 3732 chan->srej_save_reqseq = tx_seq;
525cd185 3733 chan->conn_state |= L2CAP_CONN_SREJ_ACT;
ef54fd93 3734 }
e072745f 3735 } else if (rx_control & L2CAP_CTRL_FINAL) {
525cd185 3736 if ((chan->conn_state & L2CAP_CONN_SREJ_ACT) &&
6a026610 3737 chan->srej_save_reqseq == tx_seq)
525cd185 3738 chan->conn_state &= ~L2CAP_CONN_SREJ_ACT;
e072745f 3739 else
525cd185 3740 l2cap_retransmit_one_frame(chan, tx_seq);
e072745f 3741 } else {
525cd185
GP		 3742 l2cap_retransmit_one_frame(chan, tx_seq);
3743 if (chan->conn_state & L2CAP_CONN_WAIT_F) {
6a026610 3744 chan->srej_save_reqseq = tx_seq;
525cd185 3745 chan->conn_state |= L2CAP_CONN_SREJ_ACT;
ef54fd93 3746 }
e072745f
GP		 3747 }
3748}
3749
525cd185 3750static inline void l2cap_data_channel_rnrframe(struct l2cap_chan *chan, u16 rx_control)
e072745f 3751{
e072745f
GP		 3752 u8 tx_seq = __get_reqseq(rx_control);
3753
525cd185 3754 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
0e98958d 3755
525cd185 3756 chan->conn_state |= L2CAP_CONN_REMOTE_BUSY;
42e5c802
GP		 3757 chan->expected_ack_seq = tx_seq;
3758 l2cap_drop_acked_frames(chan);
e072745f 3759
3cb123d1 3760 if (rx_control & L2CAP_CTRL_POLL)
525cd185 3761 chan->conn_state |= L2CAP_CONN_SEND_FBIT;
3cb123d1 3762
525cd185 3763 if (!(chan->conn_state & L2CAP_CONN_SREJ_SENT)) {
1a09bcb9 3764 __clear_retrans_timer(chan);
a2e12a2a 3765 if (rx_control & L2CAP_CTRL_POLL)
525cd185 3766 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_FINAL);
99b0d4b7 3767 return;
e072745f 3768 }
99b0d4b7
GP		 3769
3770 if (rx_control & L2CAP_CTRL_POLL)
525cd185 3771 l2cap_send_srejtail(chan);
99b0d4b7 3772 else
525cd185 3773 l2cap_send_sframe(chan, L2CAP_SUPER_RCV_READY);
e072745f
GP		 3774}
3775
525cd185 3776static inline int l2cap_data_channel_sframe(struct l2cap_chan *chan, u16 rx_control, struct sk_buff *skb)
e072745f 3777{
525cd185 3778 BT_DBG("chan %p rx_control 0x%4.4x len %d", chan, rx_control, skb->len);
e072745f 3779
9b16dc65 3780 if (L2CAP_CTRL_FINAL & rx_control &&
525cd185 3781 chan->conn_state & L2CAP_CONN_WAIT_F) {
1a09bcb9 3782 __clear_monitor_timer(chan);
6a026610 3783 if (chan->unacked_frames > 0)
1a09bcb9 3784 __set_retrans_timer(chan);
525cd185 3785 chan->conn_state &= ~L2CAP_CONN_WAIT_F;
e072745f
GP		 3786 }
3787
3788 switch (rx_control & L2CAP_CTRL_SUPERVISE) {
3789 case L2CAP_SUPER_RCV_READY:
525cd185 3790 l2cap_data_channel_rrframe(chan, rx_control);
8f17154f
GP		 3791 break;
3792
e072745f 3793 case L2CAP_SUPER_REJECT:
525cd185 3794 l2cap_data_channel_rejframe(chan, rx_control);
e072745f 3795 break;
2246b2f1 3796
e072745f 3797 case L2CAP_SUPER_SELECT_REJECT:
525cd185 3798 l2cap_data_channel_srejframe(chan, rx_control);
e072745f
GP		 3799 break;
3800
3801 case L2CAP_SUPER_RCV_NOT_READY:
525cd185 3802 l2cap_data_channel_rnrframe(chan, rx_control);
1c2acffb
GP		 3803 break;
3804 }
3805
faaebd19 3806 kfree_skb(skb);
1c2acffb
GP		 3807 return 0;
3808}
3809
218bb9df
GP		 3810static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb)
3811{
525cd185 3812 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
218bb9df
GP		 3813 u16 control;
3814 u8 req_seq;
3815 int len, next_tx_seq_offset, req_seq_offset;
3816
3817 control = get_unaligned_le16(skb->data);
3818 skb_pull(skb, 2);
3819 len = skb->len;
3820
3821 /*
3822 * We can just drop the corrupted I-frame here.
3823 * Receiver will miss it and start proper recovery
3824 * procedures and ask retransmission.
3825 */
47d1ec61 3826 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 3827 goto drop;
3828
3829 if (__is_sar_start(control) && __is_iframe(control))
3830 len -= 2;
3831
47d1ec61 3832 if (chan->fcs == L2CAP_FCS_CRC16)
218bb9df
GP		 3833 len -= 2;
3834
47d1ec61 3835 if (len > chan->mps) {
8c1d787b 3836 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3837 goto drop;
3838 }
3839
3840 req_seq = __get_reqseq(control);
42e5c802 3841 req_seq_offset = (req_seq - chan->expected_ack_seq) % 64;
218bb9df
GP		 3842 if (req_seq_offset < 0)
3843 req_seq_offset += 64;
3844
3845 next_tx_seq_offset =
42e5c802 3846 (chan->next_tx_seq - chan->expected_ack_seq) % 64;
218bb9df
GP		 3847 if (next_tx_seq_offset < 0)
3848 next_tx_seq_offset += 64;
3849
3850 /* check for invalid req-seq */
3851 if (req_seq_offset > next_tx_seq_offset) {
8c1d787b 3852 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3853 goto drop;
3854 }
3855
3856 if (__is_iframe(control)) {
3857 if (len < 0) {
8c1d787b 3858 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3859 goto drop;
3860 }
3861
525cd185 3862 l2cap_data_channel_iframe(chan, control, skb);
218bb9df
GP		 3863 } else {
3864 if (len != 0) {
3865 BT_ERR("%d", len);
8c1d787b 3866 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3867 goto drop;
3868 }
3869
525cd185 3870 l2cap_data_channel_sframe(chan, control, skb);
218bb9df
GP		 3871 }
3872
3873 return 0;
3874
3875drop:
3876 kfree_skb(skb);
3877 return 0;
3878}
3879
1da177e4
LT		 3880static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
3881{
48454079 3882 struct l2cap_chan *chan;
bf734843 3883 struct sock *sk = NULL;
51893f88 3884 u16 control;
218bb9df
GP		 3885 u8 tx_seq;
3886 int len;
1da177e4 3887
baa7e1fa 3888 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 3889 if (!chan) {
1da177e4
LT		 3890 BT_DBG("unknown cid 0x%4.4x", cid);
3891 goto drop;
3892 }
3893
48454079 3894 sk = chan->sk;
6840ed07 3895
49208c9c 3896 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 3897
89bc500e 3898 if (chan->state != BT_CONNECTED)
1da177e4
LT		 3899 goto drop;
3900
0c1bc5c6 3901 switch (chan->mode) {
1c2acffb
GP		 3902 case L2CAP_MODE_BASIC:
3903 /* If socket recv buffers overflows we drop data here
3904 * which is *bad* because L2CAP has to be reliable.
3905 * But we don't have any other choice. L2CAP doesn't
3906 * provide flow control mechanism. */
1da177e4 3907
0c1bc5c6 3908 if (chan->imtu < skb->len)
1c2acffb 3909 goto drop;
1da177e4 3910
23070494 3911 if (!chan->ops->recv(chan->data, skb))
1c2acffb
GP		 3912 goto done;
3913 break;
3914
3915 case L2CAP_MODE_ERTM:
218bb9df
GP		 3916 if (!sock_owned_by_user(sk)) {
3917 l2cap_ertm_data_rcv(sk, skb);
277ffbe3 3918 } else {
218bb9df 3919 if (sk_add_backlog(sk, skb))
277ffbe3 3920 goto drop;
277ffbe3 3921 }
1c2acffb 3922
fcafde2e 3923 goto done;
1c2acffb 3924
6840ed07
GP		 3925 case L2CAP_MODE_STREAMING:
3926 control = get_unaligned_le16(skb->data);
3927 skb_pull(skb, 2);
3928 len = skb->len;
3929
47d1ec61 3930 if (l2cap_check_fcs(chan, skb))
26000089
GP		 3931 goto drop;
3932
6840ed07
GP		 3933 if (__is_sar_start(control))
3934 len -= 2;
3935
47d1ec61 3936 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3
GP		 3937 len -= 2;
3938
47d1ec61 3939 if (len > chan->mps || len < 0 || __is_sframe(control))
6840ed07
GP		 3940 goto drop;
3941
3942 tx_seq = __get_txseq(control);
3943
42e5c802
GP		 3944 if (chan->expected_tx_seq == tx_seq)
3945 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
6840ed07 3946 else
42e5c802 3947 chan->expected_tx_seq = (tx_seq + 1) % 64;
6840ed07 3948
525cd185 3949 l2cap_streaming_reassembly_sdu(chan, skb, control);
6840ed07
GP		 3950
3951 goto done;
3952
1c2acffb 3953 default:
0c1bc5c6 3954 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 3955 break;
3956 }
1da177e4
LT		 3957
3958drop:
3959 kfree_skb(skb);
3960
3961done:
0139418c
MH		 3962 if (sk)
3963 bh_unlock_sock(sk);
3964
1da177e4
LT		 3965 return 0;
3966}
3967
8e036fc3 3968static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
1da177e4 3969{
6dcae1ea 3970 struct sock *sk = NULL;
23691d75 3971 struct l2cap_chan *chan;
1da177e4 3972
23691d75
GP		 3973 chan = l2cap_global_chan_by_psm(0, psm, conn->src);
3974 if (!chan)
1da177e4
LT		 3975 goto drop;
3976
23691d75
GP		 3977 sk = chan->sk;
3978
e0f0cb56
GP		 3979 bh_lock_sock(sk);
3980
1da177e4
LT		 3981 BT_DBG("sk %p, len %d", sk, skb->len);
3982
89bc500e 3983 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 3984 goto drop;
3985
0c1bc5c6 3986 if (l2cap_pi(sk)->chan->imtu < skb->len)
1da177e4
LT		 3987 goto drop;
3988
23070494 3989 if (!chan->ops->recv(chan->data, skb))
1da177e4
LT		 3990 goto done;
3991
3992drop:
3993 kfree_skb(skb);
3994
3995done:
af05b30b
GP		 3996 if (sk)
3997 bh_unlock_sock(sk);
1da177e4
LT		 3998 return 0;
3999}
4000
9f69bda6
GP		 4001static inline int l2cap_att_channel(struct l2cap_conn *conn, __le16 cid, struct sk_buff *skb)
4002{
6dcae1ea 4003 struct sock *sk = NULL;
23691d75 4004 struct l2cap_chan *chan;
9f69bda6 4005
23691d75
GP		 4006 chan = l2cap_global_chan_by_scid(0, cid, conn->src);
4007 if (!chan)
9f69bda6
GP		 4008 goto drop;
4009
23691d75
GP		 4010 sk = chan->sk;
4011
9f69bda6
GP		 4012 bh_lock_sock(sk);
4013
4014 BT_DBG("sk %p, len %d", sk, skb->len);
4015
89bc500e 4016 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
9f69bda6
GP		 4017 goto drop;
4018
0c1bc5c6 4019 if (l2cap_pi(sk)->chan->imtu < skb->len)
9f69bda6
GP		 4020 goto drop;
4021
23070494 4022 if (!chan->ops->recv(chan->data, skb))
9f69bda6
GP		 4023 goto done;
4024
4025drop:
4026 kfree_skb(skb);
4027
4028done:
4029 if (sk)
4030 bh_unlock_sock(sk);
4031 return 0;
4032}
4033
1da177e4
LT		 4034static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
4035{
4036 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 4037 u16 cid, len;
4038 __le16 psm;
1da177e4
LT		 4039
4040 skb_pull(skb, L2CAP_HDR_SIZE);
4041 cid = __le16_to_cpu(lh->cid);
4042 len = __le16_to_cpu(lh->len);
4043
1c2acffb
GP		 4044 if (len != skb->len) {
4045 kfree_skb(skb);
4046 return;
4047 }
4048
1da177e4
LT		 4049 BT_DBG("len %d, cid 0x%4.4x", len, cid);
4050
4051 switch (cid) {
3300d9a9 4052 case L2CAP_CID_LE_SIGNALING:
8db4dc46 4053 case L2CAP_CID_SIGNALING:
1da177e4
LT		 4054 l2cap_sig_channel(conn, skb);
4055 break;
4056
8db4dc46 4057 case L2CAP_CID_CONN_LESS:
1b7bf4ed 4058 psm = get_unaligned_le16(skb->data);
1da177e4
LT		 4059 skb_pull(skb, 2);
4060 l2cap_conless_channel(conn, psm, skb);
4061 break;
4062
9f69bda6
GP		 4063 case L2CAP_CID_LE_DATA:
4064 l2cap_att_channel(conn, cid, skb);
4065 break;
4066
b501d6a1
AB		 4067 case L2CAP_CID_SMP:
4068 if (smp_sig_channel(conn, skb))
4069 l2cap_conn_del(conn->hcon, EACCES);
4070 break;
4071
1da177e4
LT		 4072 default:
4073 l2cap_data_channel(conn, cid, skb);
4074 break;
4075 }
4076}
4077
4078/* ---- L2CAP interface with lower layer (HCI) ---- */
4079
4080static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
4081{
4082 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 4083 struct l2cap_chan *c;
1da177e4
LT		 4084
4085 if (type != ACL_LINK)
963cf687 4086 return -EINVAL;
1da177e4
LT		 4087
4088 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
4089
4090 /* Find listening sockets and check their link_mode */
23691d75
GP		 4091 read_lock(&chan_list_lock);
4092 list_for_each_entry(c, &chan_list, global_l) {
4093 struct sock *sk = c->sk;
4343478f 4094
89bc500e 4095 if (c->state != BT_LISTEN)
1da177e4
LT		 4096 continue;
4097
4098 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 4099 lm1 |= HCI_LM_ACCEPT;
23691d75 4100 if (c->role_switch)
2af6b9d5 4101 lm1 |= HCI_LM_MASTER;
1da177e4 4102 exact++;
2af6b9d5
MH		 4103 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
4104 lm2 |= HCI_LM_ACCEPT;
23691d75 4105 if (c->role_switch)
2af6b9d5
MH		 4106 lm2 |= HCI_LM_MASTER;
4107 }
1da177e4 4108 }
23691d75 4109 read_unlock(&chan_list_lock);
1da177e4
LT		 4110
4111 return exact ? lm1 : lm2;
4112}
4113
4114static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
4115{
0139418c
MH		 4116 struct l2cap_conn *conn;
4117
1da177e4
LT		 4118 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
4119
acd7d370 4120 if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK))
963cf687 4121 return -EINVAL;
1da177e4
LT		 4122
4123 if (!status) {
1da177e4
LT		 4124 conn = l2cap_conn_add(hcon, status);
4125 if (conn)
4126 l2cap_conn_ready(conn);
0139418c 4127 } else
1da177e4
LT		 4128 l2cap_conn_del(hcon, bt_err(status));
4129
4130 return 0;
4131}
4132
2950f21a
MH		 4133static int l2cap_disconn_ind(struct hci_conn *hcon)
4134{
4135 struct l2cap_conn *conn = hcon->l2cap_data;
4136
4137 BT_DBG("hcon %p", hcon);
4138
b5694506 4139 if ((hcon->type != ACL_LINK && hcon->type != LE_LINK) || !conn)
2950f21a
MH		 4140 return 0x13;
4141
4142 return conn->disc_reason;
4143}
4144
4145static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 4146{
4147 BT_DBG("hcon %p reason %d", hcon, reason);
4148
acd7d370 4149 if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK))
963cf687 4150 return -EINVAL;
1da177e4
LT		 4151
4152 l2cap_conn_del(hcon, bt_err(reason));
0139418c 4153
1da177e4
LT		 4154 return 0;
4155}
4156
4343478f 4157static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 4158{
715ec005 4159 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 4160 return;
4161
f62e4323 4162 if (encrypt == 0x00) {
4343478f 4163 if (chan->sec_level == BT_SECURITY_MEDIUM) {
c9b66675
GP		 4164 __clear_chan_timer(chan);
4165 __set_chan_timer(chan, HZ * 5);
4343478f 4166 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 4167 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 4168 } else {
4343478f 4169 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 4170 __clear_chan_timer(chan);
f62e4323
MH		 4171 }
4172}
4173
8c1b2355 4174static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 4175{
0139418c 4176 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 4177 struct l2cap_chan *chan;
1da177e4 4178
0139418c 4179 if (!conn)
1da177e4 4180 return 0;
0139418c 4181
1da177e4
LT		 4182 BT_DBG("conn %p", conn);
4183
baa7e1fa 4184 read_lock(&conn->chan_lock);
1da177e4 4185
baa7e1fa 4186 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 4187 struct sock *sk = chan->sk;
baa7e1fa 4188
1da177e4
LT		 4189 bh_lock_sock(sk);
4190
b4450035 4191 if (chan->conf_state & L2CAP_CONF_CONNECT_PEND) {
6a8d3010
MH		 4192 bh_unlock_sock(sk);
4193 continue;
4194 }
4195
89bc500e
GP		 4196 if (!status && (chan->state == BT_CONNECTED ||
4197 chan->state == BT_CONFIG)) {
4343478f 4198 l2cap_check_encryption(chan, encrypt);
9719f8af
MH		 4199 bh_unlock_sock(sk);
4200 continue;
4201 }
4202
89bc500e 4203 if (chan->state == BT_CONNECT) {
b1235d79
MH		 4204 if (!status) {
4205 struct l2cap_conn_req req;
fe4128e0
GP		 4206 req.scid = cpu_to_le16(chan->scid);
4207 req.psm = chan->psm;
1da177e4 4208
fc7f8a7e 4209 chan->ident = l2cap_get_ident(conn);
b4450035 4210 chan->conf_state |= L2CAP_CONF_CONNECT_PEND;
1da177e4 4211
fc7f8a7e 4212 l2cap_send_cmd(conn, chan->ident,
b1235d79
MH		 4213 L2CAP_CONN_REQ, sizeof(req), &req);
4214 } else {
c9b66675
GP		 4215 __clear_chan_timer(chan);
4216 __set_chan_timer(chan, HZ / 10);
b1235d79 4217 }
89bc500e 4218 } else if (chan->state == BT_CONNECT2) {
b1235d79
MH		 4219 struct l2cap_conn_rsp rsp;
4220 __u16 result;
1da177e4 4221
b1235d79 4222 if (!status) {
89bc500e 4223 l2cap_state_change(chan, BT_CONFIG);
b1235d79
MH		 4224 result = L2CAP_CR_SUCCESS;
4225 } else {
89bc500e 4226 l2cap_state_change(chan, BT_DISCONN);
c9b66675 4227 __set_chan_timer(chan, HZ / 10);
b1235d79
MH		 4228 result = L2CAP_CR_SEC_BLOCK;
4229 }
4230
fe4128e0
GP		 4231 rsp.scid = cpu_to_le16(chan->dcid);
4232 rsp.dcid = cpu_to_le16(chan->scid);
b1235d79 4233 rsp.result = cpu_to_le16(result);
e7c29cb1 4234 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
fc7f8a7e
GP		 4235 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
4236 sizeof(rsp), &rsp);
b1235d79 4237 }
1da177e4
LT		 4238
4239 bh_unlock_sock(sk);
4240 }
4241
baa7e1fa 4242 read_unlock(&conn->chan_lock);
b1235d79 4243
1da177e4
LT		 4244 return 0;
4245}
4246
4247static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
4248{
4249 struct l2cap_conn *conn = hcon->l2cap_data;
4250
5a08ecce
AE		 4251 if (!conn)
4252 conn = l2cap_conn_add(hcon, 0);
4253
4254 if (!conn)
1da177e4
LT		 4255 goto drop;
4256
4257 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
4258
e702112f 4259 if (!(flags & ACL_CONT)) {
1da177e4 4260 struct l2cap_hdr *hdr;
48454079 4261 struct l2cap_chan *chan;
89794813 4262 u16 cid;
1da177e4
LT		 4263 int len;
4264
4265 if (conn->rx_len) {
4266 BT_ERR("Unexpected start frame (len %d)", skb->len);
4267 kfree_skb(conn->rx_skb);
4268 conn->rx_skb = NULL;
4269 conn->rx_len = 0;
4270 l2cap_conn_unreliable(conn, ECOMM);
4271 }
4272
aae7fe22
AE		 4273 /* Start fragment always begin with Basic L2CAP header */
4274 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 4275 BT_ERR("Frame is too short (len %d)", skb->len);
4276 l2cap_conn_unreliable(conn, ECOMM);
4277 goto drop;
4278 }
4279
4280 hdr = (struct l2cap_hdr *) skb->data;
4281 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
89794813 4282 cid = __le16_to_cpu(hdr->cid);
1da177e4
LT		 4283
4284 if (len == skb->len) {
4285 /* Complete frame received */
4286 l2cap_recv_frame(conn, skb);
4287 return 0;
4288 }
4289
4290 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
4291
4292 if (skb->len > len) {
4293 BT_ERR("Frame is too long (len %d, expected len %d)",
4294 skb->len, len);
4295 l2cap_conn_unreliable(conn, ECOMM);
4296 goto drop;
4297 }
4298
baa7e1fa 4299 chan = l2cap_get_chan_by_scid(conn, cid);
89794813 4300
48454079
GP		 4301 if (chan && chan->sk) {
4302 struct sock *sk = chan->sk;
89794813 4303
0c1bc5c6 4304 if (chan->imtu < len - L2CAP_HDR_SIZE) {
48454079
GP		 4305 BT_ERR("Frame exceeding recv MTU (len %d, "
4306 "MTU %d)", len,
0c1bc5c6 4307 chan->imtu);
48454079
GP		 4308 bh_unlock_sock(sk);
4309 l2cap_conn_unreliable(conn, ECOMM);
4310 goto drop;
4311 }
89794813 4312 bh_unlock_sock(sk);
48454079 4313 }
89794813 4314
1da177e4 4315 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 4316 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
4317 if (!conn->rx_skb)
1da177e4
LT		 4318 goto drop;
4319
d626f62b 4320 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4321 skb->len);
1da177e4
LT		 4322 conn->rx_len = len - skb->len;
4323 } else {
4324 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
4325
4326 if (!conn->rx_len) {
4327 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
4328 l2cap_conn_unreliable(conn, ECOMM);
4329 goto drop;
4330 }
4331
4332 if (skb->len > conn->rx_len) {
4333 BT_ERR("Fragment is too long (len %d, expected %d)",
4334 skb->len, conn->rx_len);
4335 kfree_skb(conn->rx_skb);
4336 conn->rx_skb = NULL;
4337 conn->rx_len = 0;
4338 l2cap_conn_unreliable(conn, ECOMM);
4339 goto drop;
4340 }
4341
d626f62b 4342 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4343 skb->len);
1da177e4
LT		 4344 conn->rx_len -= skb->len;
4345
4346 if (!conn->rx_len) {
4347 /* Complete frame received */
4348 l2cap_recv_frame(conn, conn->rx_skb);
4349 conn->rx_skb = NULL;
4350 }
4351 }
4352
4353drop:
4354 kfree_skb(skb);
4355 return 0;
4356}
4357
aef7d97c 4358static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 4359{
23691d75 4360 struct l2cap_chan *c;
1da177e4 4361
23691d75 4362 read_lock_bh(&chan_list_lock);
1da177e4 4363
23691d75
GP		 4364 list_for_each_entry(c, &chan_list, global_l) {
4365 struct sock *sk = c->sk;
101545f6 4366
903d343e 4367 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
aef7d97c
MH		 4368 batostr(&bt_sk(sk)->src),
4369 batostr(&bt_sk(sk)->dst),
89bc500e 4370 c->state, __le16_to_cpu(c->psm),
23691d75
GP		 4371 c->scid, c->dcid, c->imtu, c->omtu,
4372 c->sec_level, c->mode);
be9d1227 4373 }
1da177e4 4374
23691d75 4375 read_unlock_bh(&chan_list_lock);
1da177e4 4376
aef7d97c 4377 return 0;
1da177e4
LT		 4378}
4379
aef7d97c
MH		 4380static int l2cap_debugfs_open(struct inode *inode, struct file *file)
4381{
4382 return single_open(file, l2cap_debugfs_show, inode->i_private);
4383}
4384
4385static const struct file_operations l2cap_debugfs_fops = {
4386 .open = l2cap_debugfs_open,
4387 .read = seq_read,
4388 .llseek = seq_lseek,
4389 .release = single_release,
4390};
4391
4392static struct dentry *l2cap_debugfs;
1da177e4 4393
1da177e4
LT		 4394static struct hci_proto l2cap_hci_proto = {
4395 .name = "L2CAP",
4396 .id = HCI_PROTO_L2CAP,
4397 .connect_ind = l2cap_connect_ind,
4398 .connect_cfm = l2cap_connect_cfm,
4399 .disconn_ind = l2cap_disconn_ind,
2950f21a 4400 .disconn_cfm = l2cap_disconn_cfm,
8c1b2355 4401 .security_cfm = l2cap_security_cfm,
1da177e4
LT		 4402 .recv_acldata = l2cap_recv_acldata
4403};
4404
64274518 4405int __init l2cap_init(void)
1da177e4
LT		 4406{
4407 int err;
be9d1227 4408
bb58f747 4409 err = l2cap_init_sockets();
1da177e4
LT		 4410 if (err < 0)
4411 return err;
4412
1890d36b 4413 _busy_wq = create_singlethread_workqueue("l2cap");
b78d7b4f 4414 if (!_busy_wq) {
bb58f747 4415 err = -ENOMEM;
1da177e4
LT		 4416 goto error;
4417 }
4418
4419 err = hci_register_proto(&l2cap_hci_proto);
4420 if (err < 0) {
4421 BT_ERR("L2CAP protocol registration failed");
4422 bt_sock_unregister(BTPROTO_L2CAP);
4423 goto error;
4424 }
4425
aef7d97c
MH		 4426 if (bt_debugfs) {
4427 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
4428 bt_debugfs, NULL, &l2cap_debugfs_fops);
4429 if (!l2cap_debugfs)
4430 BT_ERR("Failed to create L2CAP debug file");
4431 }
1da177e4 4432
1da177e4
LT		 4433 return 0;
4434
4435error:
b78d7b4f 4436 destroy_workqueue(_busy_wq);
bb58f747 4437 l2cap_cleanup_sockets();
1da177e4
LT		 4438 return err;
4439}
4440
64274518 4441void l2cap_exit(void)
1da177e4 4442{
aef7d97c 4443 debugfs_remove(l2cap_debugfs);
1da177e4 4444
1890d36b
GP		 4445 flush_workqueue(_busy_wq);
4446 destroy_workqueue(_busy_wq);
4447
1da177e4
LT		 4448 if (hci_unregister_proto(&l2cap_hci_proto) < 0)
4449 BT_ERR("L2CAP protocol unregistration failed");
4450
bb58f747 4451 l2cap_cleanup_sockets();
1da177e4
LT		 4452}
4453
d1c4a17d
GP		 4454module_param(disable_ertm, bool, 0644);
4455MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
kernel source for telekom puls (alcatel/mediatek)