projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: add close() callback to l2cap_chan_ops
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
1da177e4
LT		 6
7 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License version 2 as
11 published by the Free Software Foundation;
12
13 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
14 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
15 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
16 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 17 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
18 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
19 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 20 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
21
8e87d142
YH		 22 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
23 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 24 SOFTWARE IS DISCLAIMED.
25*/
26
bb58f747 27/* Bluetooth L2CAP core. */
1da177e4 28
1da177e4
LT		 29#include <linux/module.h>
30
31#include <linux/types.h>
4fc268d2 32#include <linux/capability.h>
1da177e4
LT		 33#include <linux/errno.h>
34#include <linux/kernel.h>
1da177e4
LT		 35#include <linux/sched.h>
36#include <linux/slab.h>
37#include <linux/poll.h>
38#include <linux/fcntl.h>
39#include <linux/init.h>
40#include <linux/interrupt.h>
41#include <linux/socket.h>
42#include <linux/skbuff.h>
1da177e4 43#include <linux/list.h>
be9d1227 44#include <linux/device.h>
aef7d97c
MH		 45#include <linux/debugfs.h>
46#include <linux/seq_file.h>
af05b30b 47#include <linux/uaccess.h>
fcc203c3 48#include <linux/crc16.h>
1da177e4
LT		 49#include <net/sock.h>
50
51#include <asm/system.h>
1da177e4
LT		 52#include <asm/unaligned.h>
53
54#include <net/bluetooth/bluetooth.h>
55#include <net/bluetooth/hci_core.h>
56#include <net/bluetooth/l2cap.h>
57
bb58f747 58int disable_ertm;
f0709e03 59
47ec1dcd 60static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
e1027a7c 61static u8 l2cap_fixed_chan[8] = { 0x02, };
1da177e4 62
1890d36b
GP		 63static struct workqueue_struct *_busy_wq;
64
b5ad8b7f
JB		 65static LIST_HEAD(chan_list);
66static DEFINE_RWLOCK(chan_list_lock);
1da177e4 67
1890d36b
GP		 68static void l2cap_busy_work(struct work_struct *work);
69
1da177e4
LT		 70static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
71 u8 code, u8 ident, u16 dlen, void *data);
4519de9a
GP		 72static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
73 void *data);
710f9b0a 74static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
4519de9a
GP		 75static void l2cap_send_disconn_req(struct l2cap_conn *conn,
76 struct l2cap_chan *chan, int err);
1da177e4 77
218bb9df
GP		 78static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb);
79
0139418c 80/* ---- L2CAP channels ---- */
baa7e1fa 81static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
0139418c 82{
48454079 83 struct l2cap_chan *c;
baa7e1fa
GP		 84
85 list_for_each_entry(c, &conn->chan_l, list) {
fe4128e0 86 if (c->dcid == cid)
baa7e1fa 87 return c;
0139418c 88 }
baa7e1fa
GP		 89 return NULL;
90
0139418c
MH		 91}
92
baa7e1fa 93static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 94{
48454079 95 struct l2cap_chan *c;
baa7e1fa
GP		 96
97 list_for_each_entry(c, &conn->chan_l, list) {
fe4128e0 98 if (c->scid == cid)
baa7e1fa 99 return c;
0139418c 100 }
baa7e1fa 101 return NULL;
0139418c
MH		 102}
103
104/* Find channel with given SCID.
105 * Returns locked socket */
baa7e1fa 106static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 107{
48454079 108 struct l2cap_chan *c;
baa7e1fa
GP		 109
110 read_lock(&conn->chan_lock);
111 c = __l2cap_get_chan_by_scid(conn, cid);
48454079
GP		 112 if (c)
113 bh_lock_sock(c->sk);
baa7e1fa 114 read_unlock(&conn->chan_lock);
48454079 115 return c;
0139418c
MH		 116}
117
baa7e1fa 118static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 119{
48454079 120 struct l2cap_chan *c;
baa7e1fa
GP		 121
122 list_for_each_entry(c, &conn->chan_l, list) {
fc7f8a7e 123 if (c->ident == ident)
baa7e1fa 124 return c;
0139418c 125 }
baa7e1fa 126 return NULL;
0139418c
MH		 127}
128
baa7e1fa 129static inline struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 130{
48454079 131 struct l2cap_chan *c;
baa7e1fa
GP		 132
133 read_lock(&conn->chan_lock);
134 c = __l2cap_get_chan_by_ident(conn, ident);
48454079
GP		 135 if (c)
136 bh_lock_sock(c->sk);
baa7e1fa 137 read_unlock(&conn->chan_lock);
48454079 138 return c;
0139418c
MH		 139}
140
23691d75 141static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 142{
23691d75 143 struct l2cap_chan *c;
9e4425ff 144
23691d75
GP		 145 list_for_each_entry(c, &chan_list, global_l) {
146 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
9e4425ff
GP		 147 goto found;
148 }
149
23691d75 150 c = NULL;
9e4425ff 151found:
23691d75 152 return c;
9e4425ff
GP		 153}
154
155int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
156{
73b2ec18
GP		 157 int err;
158
23691d75 159 write_lock_bh(&chan_list_lock);
9e4425ff 160
23691d75 161 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 162 err = -EADDRINUSE;
163 goto done;
9e4425ff
GP		 164 }
165
73b2ec18
GP		 166 if (psm) {
167 chan->psm = psm;
168 chan->sport = psm;
169 err = 0;
170 } else {
171 u16 p;
172
173 err = -EINVAL;
174 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 175 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 176 chan->psm = cpu_to_le16(p);
177 chan->sport = cpu_to_le16(p);
178 err = 0;
179 break;
180 }
181 }
9e4425ff 182
73b2ec18 183done:
23691d75 184 write_unlock_bh(&chan_list_lock);
73b2ec18 185 return err;
9e4425ff
GP		 186}
187
188int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
189{
23691d75 190 write_lock_bh(&chan_list_lock);
9e4425ff
GP		 191
192 chan->scid = scid;
193
23691d75 194 write_unlock_bh(&chan_list_lock);
9e4425ff
GP		 195
196 return 0;
197}
198
baa7e1fa 199static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 200{
8db4dc46 201 u16 cid = L2CAP_CID_DYN_START;
0139418c 202
8db4dc46 203 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 204 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 205 return cid;
206 }
207
208 return 0;
209}
210
ab07801d
GP		 211static void l2cap_chan_set_timer(struct l2cap_chan *chan, long timeout)
212{
213 BT_DBG("chan %p state %d timeout %ld", chan->sk, chan->sk->sk_state,
214 timeout);
215 if (!mod_timer(&chan->chan_timer, jiffies + timeout))
216 sock_hold(chan->sk);
217}
218
500698d3 219static void l2cap_chan_clear_timer(struct l2cap_chan *chan)
ab07801d
GP		 220{
221 BT_DBG("chan %p state %d", chan, chan->sk->sk_state);
222
223 if (timer_pending(&chan->chan_timer) && del_timer(&chan->chan_timer))
224 __sock_put(chan->sk);
225}
226
227static void l2cap_chan_timeout(unsigned long arg)
228{
229 struct l2cap_chan *chan = (struct l2cap_chan *) arg;
230 struct sock *sk = chan->sk;
231 int reason;
232
233 BT_DBG("chan %p state %d", chan, sk->sk_state);
234
235 bh_lock_sock(sk);
236
237 if (sock_owned_by_user(sk)) {
238 /* sk is owned by user. Try again later */
239 l2cap_chan_set_timer(chan, HZ / 5);
240 bh_unlock_sock(sk);
241 sock_put(sk);
242 return;
243 }
244
245 if (sk->sk_state == BT_CONNECTED || sk->sk_state == BT_CONFIG)
246 reason = ECONNREFUSED;
247 else if (sk->sk_state == BT_CONNECT &&
248 chan->sec_level != BT_SECURITY_SDP)
249 reason = ECONNREFUSED;
250 else
251 reason = ETIMEDOUT;
252
0f852724 253 l2cap_chan_close(chan, reason);
ab07801d
GP		 254
255 bh_unlock_sock(sk);
256
ba3bd0ee 257 chan->ops->close(chan->data);
ab07801d
GP		 258 sock_put(sk);
259}
260
23691d75 261struct l2cap_chan *l2cap_chan_create(struct sock *sk)
48454079
GP		 262{
263 struct l2cap_chan *chan;
264
265 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
266 if (!chan)
267 return NULL;
268
269 chan->sk = sk;
270
23691d75
GP		 271 write_lock_bh(&chan_list_lock);
272 list_add(&chan->global_l, &chan_list);
273 write_unlock_bh(&chan_list_lock);
274
ab07801d
GP		 275 setup_timer(&chan->chan_timer, l2cap_chan_timeout, (unsigned long) chan);
276
48454079
GP		 277 return chan;
278}
279
23691d75 280void l2cap_chan_destroy(struct l2cap_chan *chan)
6ff5abbf 281{
23691d75
GP		 282 write_lock_bh(&chan_list_lock);
283 list_del(&chan->global_l);
284 write_unlock_bh(&chan_list_lock);
285
6ff5abbf
GP		 286 kfree(chan);
287}
288
48454079 289static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 290{
48454079 291 struct sock *sk = chan->sk;
0139418c 292
af05b30b 293 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
fe4128e0 294 chan->psm, chan->dcid);
0139418c 295
2950f21a
MH		 296 conn->disc_reason = 0x13;
297
8c1d787b 298 chan->conn = conn;
0139418c 299
715ec005 300 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
b62f328b
VT		 301 if (conn->hcon->type == LE_LINK) {
302 /* LE connection */
0c1bc5c6 303 chan->omtu = L2CAP_LE_DEFAULT_MTU;
fe4128e0
GP		 304 chan->scid = L2CAP_CID_LE_DATA;
305 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 306 } else {
307 /* Alloc CID for connection-oriented socket */
fe4128e0 308 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 309 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 310 }
715ec005 311 } else if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
0139418c 312 /* Connectionless socket */
fe4128e0
GP		 313 chan->scid = L2CAP_CID_CONN_LESS;
314 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 315 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 316 } else {
317 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 318 chan->scid = L2CAP_CID_SIGNALING;
319 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 320 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 321 }
322
baa7e1fa
GP		 323 sock_hold(sk);
324
325 list_add(&chan->list, &conn->chan_l);
0139418c
MH		 326}
327
8e87d142 328/* Delete channel.
0139418c 329 * Must be called on the locked socket. */
4519de9a 330static void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 331{
48454079 332 struct sock *sk = chan->sk;
8c1d787b 333 struct l2cap_conn *conn = chan->conn;
0139418c
MH		 334 struct sock *parent = bt_sk(sk)->parent;
335
ab07801d 336 l2cap_chan_clear_timer(chan);
0139418c 337
49208c9c 338 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 339
8e87d142 340 if (conn) {
baa7e1fa
GP		 341 /* Delete from channel list */
342 write_lock_bh(&conn->chan_lock);
343 list_del(&chan->list);
344 write_unlock_bh(&conn->chan_lock);
345 __sock_put(sk);
346
8c1d787b 347 chan->conn = NULL;
0139418c
MH		 348 hci_conn_put(conn->hcon);
349 }
350
b1235d79 351 sk->sk_state = BT_CLOSED;
0139418c
MH		 352 sock_set_flag(sk, SOCK_ZAPPED);
353
354 if (err)
355 sk->sk_err = err;
356
357 if (parent) {
358 bt_accept_unlink(sk);
359 parent->sk_data_ready(parent, 0);
360 } else
361 sk->sk_state_change(sk);
c13ffa62 362
b4450035
GP		 363 if (!(chan->conf_state & L2CAP_CONF_OUTPUT_DONE &&
364 chan->conf_state & L2CAP_CONF_INPUT_DONE))
6ff5abbf 365 return;
2ead70b8 366
58d35f87 367 skb_queue_purge(&chan->tx_q);
c13ffa62 368
0c1bc5c6 369 if (chan->mode == L2CAP_MODE_ERTM) {
c13ffa62
GP		 370 struct srej_list *l, *tmp;
371
e92c8e70
GP		 372 del_timer(&chan->retrans_timer);
373 del_timer(&chan->monitor_timer);
374 del_timer(&chan->ack_timer);
c13ffa62 375
f1c6775b
GP		 376 skb_queue_purge(&chan->srej_q);
377 skb_queue_purge(&chan->busy_q);
c13ffa62 378
39d5a3ee 379 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
c13ffa62
GP		 380 list_del(&l->list);
381 kfree(l);
382 }
383 }
0139418c
MH		 384}
385
4519de9a
GP		 386static void l2cap_chan_cleanup_listen(struct sock *parent)
387{
388 struct sock *sk;
389
390 BT_DBG("parent %p", parent);
391
392 /* Close not yet accepted channels */
0f852724 393 while ((sk = bt_accept_dequeue(parent, NULL))) {
ba3bd0ee
GP		 394 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
395 l2cap_chan_clear_timer(chan);
0f852724 396 lock_sock(sk);
ba3bd0ee 397 l2cap_chan_close(chan, ECONNRESET);
0f852724 398 release_sock(sk);
ba3bd0ee 399 chan->ops->close(chan->data);
0f852724 400 }
4519de9a
GP		 401
402 parent->sk_state = BT_CLOSED;
403 sock_set_flag(parent, SOCK_ZAPPED);
404}
405
0f852724 406void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 407{
408 struct l2cap_conn *conn = chan->conn;
409 struct sock *sk = chan->sk;
410
411 BT_DBG("chan %p state %d socket %p", chan, sk->sk_state, sk->sk_socket);
412
413 switch (sk->sk_state) {
414 case BT_LISTEN:
415 l2cap_chan_cleanup_listen(sk);
416 break;
417
418 case BT_CONNECTED:
419 case BT_CONFIG:
715ec005 420 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a 421 conn->hcon->type == ACL_LINK) {
500698d3 422 l2cap_chan_clear_timer(chan);
ab07801d 423 l2cap_chan_set_timer(chan, sk->sk_sndtimeo);
4519de9a
GP		 424 l2cap_send_disconn_req(conn, chan, reason);
425 } else
426 l2cap_chan_del(chan, reason);
427 break;
428
429 case BT_CONNECT2:
715ec005 430 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a
GP		 431 conn->hcon->type == ACL_LINK) {
432 struct l2cap_conn_rsp rsp;
433 __u16 result;
434
435 if (bt_sk(sk)->defer_setup)
436 result = L2CAP_CR_SEC_BLOCK;
437 else
438 result = L2CAP_CR_BAD_PSM;
d8d69c54 439 sk->sk_state = BT_DISCONN;
4519de9a
GP		 440
441 rsp.scid = cpu_to_le16(chan->dcid);
442 rsp.dcid = cpu_to_le16(chan->scid);
443 rsp.result = cpu_to_le16(result);
444 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
445 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
446 sizeof(rsp), &rsp);
447 }
448
449 l2cap_chan_del(chan, reason);
450 break;
451
452 case BT_CONNECT:
453 case BT_DISCONN:
454 l2cap_chan_del(chan, reason);
455 break;
456
457 default:
458 sock_set_flag(sk, SOCK_ZAPPED);
459 break;
460 }
461}
462
4343478f 463static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 464{
715ec005 465 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 466 switch (chan->sec_level) {
8556edd3
JH		 467 case BT_SECURITY_HIGH:
468 return HCI_AT_DEDICATED_BONDING_MITM;
469 case BT_SECURITY_MEDIUM:
470 return HCI_AT_DEDICATED_BONDING;
471 default:
472 return HCI_AT_NO_BONDING;
473 }
fe4128e0 474 } else if (chan->psm == cpu_to_le16(0x0001)) {
4343478f
GP		 475 if (chan->sec_level == BT_SECURITY_LOW)
476 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 477
4343478f 478 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 479 return HCI_AT_NO_BONDING_MITM;
00ae4af9 480 else
8556edd3 481 return HCI_AT_NO_BONDING;
00ae4af9 482 } else {
4343478f 483 switch (chan->sec_level) {
00ae4af9 484 case BT_SECURITY_HIGH:
8556edd3 485 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 486 case BT_SECURITY_MEDIUM:
8556edd3 487 return HCI_AT_GENERAL_BONDING;
00ae4af9 488 default:
8556edd3 489 return HCI_AT_NO_BONDING;
00ae4af9 490 }
0684e5f9 491 }
8556edd3
JH		 492}
493
494/* Service level security */
4343478f 495static inline int l2cap_check_security(struct l2cap_chan *chan)
8556edd3 496{
8c1d787b 497 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 498 __u8 auth_type;
499
4343478f 500 auth_type = l2cap_get_auth_type(chan);
79d554a6 501
4343478f 502 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 503}
504
b5ad8b7f 505static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 506{
507 u8 id;
508
509 /* Get next available identificator.
510 * 1 - 128 are used by kernel.
511 * 129 - 199 are reserved.
512 * 200 - 254 are used by utilities like l2ping, etc.
513 */
514
515 spin_lock_bh(&conn->lock);
516
517 if (++conn->tx_ident > 128)
518 conn->tx_ident = 1;
519
520 id = conn->tx_ident;
521
522 spin_unlock_bh(&conn->lock);
523
524 return id;
525}
526
4519de9a 527static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
4e8402a3
MH		 528{
529 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 530 u8 flags;
4e8402a3
MH		 531
532 BT_DBG("code 0x%2.2x", code);
533
534 if (!skb)
9a9c6a34 535 return;
4e8402a3 536
e702112f
AE		 537 if (lmp_no_flush_capable(conn->hcon->hdev))
538 flags = ACL_START_NO_FLUSH;
539 else
540 flags = ACL_START;
541
14b12d0b
JG		 542 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
543
e702112f 544 hci_send_acl(conn->hcon, skb, flags);
4e8402a3
MH		 545}
546
525cd185 547static inline void l2cap_send_sframe(struct l2cap_chan *chan, u16 control)
1c2acffb
GP		 548{
549 struct sk_buff *skb;
550 struct l2cap_hdr *lh;
525cd185 551 struct l2cap_pinfo *pi = l2cap_pi(chan->sk);
8c1d787b 552 struct l2cap_conn *conn = chan->conn;
c13ffa62 553 struct sock *sk = (struct sock *)pi;
fcc203c3 554 int count, hlen = L2CAP_HDR_SIZE + 2;
e702112f 555 u8 flags;
fcc203c3 556
c13ffa62
GP		 557 if (sk->sk_state != BT_CONNECTED)
558 return;
559
47d1ec61 560 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3 561 hlen += 2;
1c2acffb 562
49208c9c 563 BT_DBG("chan %p, control 0x%2.2x", chan, control);
1c2acffb 564
fcc203c3 565 count = min_t(unsigned int, conn->mtu, hlen);
1c2acffb
GP		 566 control |= L2CAP_CTRL_FRAME_TYPE;
567
525cd185 568 if (chan->conn_state & L2CAP_CONN_SEND_FBIT) {
9e917af1 569 control |= L2CAP_CTRL_FINAL;
525cd185 570 chan->conn_state &= ~L2CAP_CONN_SEND_FBIT;
9e917af1
GP		 571 }
572
525cd185 573 if (chan->conn_state & L2CAP_CONN_SEND_PBIT) {
f0946ccf 574 control |= L2CAP_CTRL_POLL;
525cd185 575 chan->conn_state &= ~L2CAP_CONN_SEND_PBIT;
f0946ccf
GP		 576 }
577
1c2acffb
GP		 578 skb = bt_skb_alloc(count, GFP_ATOMIC);
579 if (!skb)
9a9c6a34 580 return;
1c2acffb
GP		 581
582 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fcc203c3 583 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
fe4128e0 584 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb
GP		 585 put_unaligned_le16(control, skb_put(skb, 2));
586
47d1ec61 587 if (chan->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 588 u16 fcs = crc16(0, (u8 *)lh, count - 2);
589 put_unaligned_le16(fcs, skb_put(skb, 2));
590 }
591
e702112f
AE		 592 if (lmp_no_flush_capable(conn->hcon->hdev))
593 flags = ACL_START_NO_FLUSH;
594 else
595 flags = ACL_START;
596
14b12d0b
JG		 597 bt_cb(skb)->force_active = chan->force_active;
598
8c1d787b 599 hci_send_acl(chan->conn->hcon, skb, flags);
1c2acffb
GP		 600}
601
525cd185 602static inline void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, u16 control)
7e743090 603{
525cd185 604 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
7e743090 605 control |= L2CAP_SUPER_RCV_NOT_READY;
525cd185 606 chan->conn_state |= L2CAP_CONN_RNR_SENT;
1890d36b 607 } else
7e743090
GP		 608 control |= L2CAP_SUPER_RCV_READY;
609
42e5c802 610 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
2ab25cdd 611
525cd185 612 l2cap_send_sframe(chan, control);
7e743090
GP		 613}
614
b4450035 615static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 616{
b4450035 617 return !(chan->conf_state & L2CAP_CONF_CONNECT_PEND);
e501d055
AE		 618}
619
fc7f8a7e 620static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 621{
8c1d787b 622 struct l2cap_conn *conn = chan->conn;
79d554a6
MH		 623
624 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 625 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
626 return;
627
4343478f
GP		 628 if (l2cap_check_security(chan) &&
629 __l2cap_no_conn_pending(chan)) {
b1235d79 630 struct l2cap_conn_req req;
fe4128e0
GP		 631 req.scid = cpu_to_le16(chan->scid);
632 req.psm = chan->psm;
79d554a6 633
fc7f8a7e 634 chan->ident = l2cap_get_ident(conn);
b4450035 635 chan->conf_state |= L2CAP_CONF_CONNECT_PEND;
79d554a6 636
fc7f8a7e
GP		 637 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
638 sizeof(req), &req);
b1235d79 639 }
79d554a6
MH		 640 } else {
641 struct l2cap_info_req req;
642 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
643
644 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
645 conn->info_ident = l2cap_get_ident(conn);
646
647 mod_timer(&conn->info_timer, jiffies +
648 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
649
650 l2cap_send_cmd(conn, conn->info_ident,
651 L2CAP_INFO_REQ, sizeof(req), &req);
652 }
653}
654
cf6c2c0b
GP		 655static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
656{
657 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 658 if (!disable_ertm)
cf6c2c0b
GP		 659 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
660
661 switch (mode) {
662 case L2CAP_MODE_ERTM:
663 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
664 case L2CAP_MODE_STREAMING:
665 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
666 default:
667 return 0x00;
668 }
669}
670
4519de9a 671static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
22121fc9 672{
e92c8e70 673 struct sock *sk;
22121fc9
GP		 674 struct l2cap_disconn_req req;
675
c13ffa62
GP		 676 if (!conn)
677 return;
678
e92c8e70
GP		 679 sk = chan->sk;
680
0c1bc5c6 681 if (chan->mode == L2CAP_MODE_ERTM) {
e92c8e70
GP		 682 del_timer(&chan->retrans_timer);
683 del_timer(&chan->monitor_timer);
684 del_timer(&chan->ack_timer);
c13ffa62
GP		 685 }
686
fe4128e0
GP		 687 req.dcid = cpu_to_le16(chan->dcid);
688 req.scid = cpu_to_le16(chan->scid);
22121fc9
GP		 689 l2cap_send_cmd(conn, l2cap_get_ident(conn),
690 L2CAP_DISCONN_REQ, sizeof(req), &req);
c13ffa62
GP		 691
692 sk->sk_state = BT_DISCONN;
9b108fc0 693 sk->sk_err = err;
22121fc9
GP		 694}
695
1da177e4 696/* ---- L2CAP connections ---- */
4e8402a3
MH		 697static void l2cap_conn_start(struct l2cap_conn *conn)
698{
820ffdb3 699 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 700
701 BT_DBG("conn %p", conn);
702
baa7e1fa 703 read_lock(&conn->chan_lock);
4e8402a3 704
820ffdb3 705 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 706 struct sock *sk = chan->sk;
baa7e1fa 707
4e8402a3
MH		 708 bh_lock_sock(sk);
709
715ec005 710 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
79d554a6
MH		 711 bh_unlock_sock(sk);
712 continue;
713 }
714
715 if (sk->sk_state == BT_CONNECT) {
47731de7 716 struct l2cap_conn_req req;
79d554a6 717
4343478f 718 if (!l2cap_check_security(chan) ||
b4450035 719 !__l2cap_no_conn_pending(chan)) {
47731de7
GP		 720 bh_unlock_sock(sk);
721 continue;
722 }
79d554a6 723
0c1bc5c6 724 if (!l2cap_mode_supported(chan->mode,
47731de7 725 conn->feat_mask)
b4450035 726 && chan->conf_state &
47731de7 727 L2CAP_CONF_STATE2_DEVICE) {
0f852724 728 /* l2cap_chan_close() calls list_del(chan)
820ffdb3
GP		 729 * so release the lock */
730 read_unlock_bh(&conn->chan_lock);
0f852724 731 l2cap_chan_close(chan, ECONNRESET);
820ffdb3 732 read_lock_bh(&conn->chan_lock);
47731de7
GP		 733 bh_unlock_sock(sk);
734 continue;
b1235d79 735 }
47731de7 736
fe4128e0
GP		 737 req.scid = cpu_to_le16(chan->scid);
738 req.psm = chan->psm;
47731de7 739
fc7f8a7e 740 chan->ident = l2cap_get_ident(conn);
b4450035 741 chan->conf_state |= L2CAP_CONF_CONNECT_PEND;
47731de7 742
fc7f8a7e
GP		 743 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
744 sizeof(req), &req);
47731de7 745
79d554a6
MH		 746 } else if (sk->sk_state == BT_CONNECT2) {
747 struct l2cap_conn_rsp rsp;
e9aeb2dd 748 char buf[128];
fe4128e0
GP		 749 rsp.scid = cpu_to_le16(chan->dcid);
750 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 751
4343478f 752 if (l2cap_check_security(chan)) {
f66dc81f
MH		 753 if (bt_sk(sk)->defer_setup) {
754 struct sock *parent = bt_sk(sk)->parent;
755 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
756 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
757 parent->sk_data_ready(parent, 0);
758
759 } else {
760 sk->sk_state = BT_CONFIG;
761 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
762 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
763 }
79d554a6
MH		 764 } else {
765 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
766 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
767 }
768
fc7f8a7e
GP		 769 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
770 sizeof(rsp), &rsp);
e9aeb2dd 771
b4450035 772 if (chan->conf_state & L2CAP_CONF_REQ_SENT ||
e9aeb2dd
GP		 773 rsp.result != L2CAP_CR_SUCCESS) {
774 bh_unlock_sock(sk);
775 continue;
776 }
777
b4450035 778 chan->conf_state |= L2CAP_CONF_REQ_SENT;
e9aeb2dd 779 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 780 l2cap_build_conf_req(chan, buf), buf);
781 chan->num_conf_req++;
4e8402a3
MH		 782 }
783
784 bh_unlock_sock(sk);
785 }
786
baa7e1fa 787 read_unlock(&conn->chan_lock);
4e8402a3
MH		 788}
789
b62f328b
VT		 790/* Find socket with cid and source bdaddr.
791 * Returns closest match, locked.
792 */
23691d75 793static struct l2cap_chan *l2cap_global_chan_by_scid(int state, __le16 cid, bdaddr_t *src)
b62f328b 794{
23691d75 795 struct l2cap_chan *c, *c1 = NULL;
b62f328b 796
23691d75 797 read_lock(&chan_list_lock);
b62f328b 798
23691d75
GP		 799 list_for_each_entry(c, &chan_list, global_l) {
800 struct sock *sk = c->sk;
fe4128e0 801
b62f328b
VT		 802 if (state && sk->sk_state != state)
803 continue;
804
23691d75 805 if (c->scid == cid) {
b62f328b 806 /* Exact match. */
23691d75
GP		 807 if (!bacmp(&bt_sk(sk)->src, src)) {
808 read_unlock(&chan_list_lock);
809 return c;
810 }
b62f328b
VT		 811
812 /* Closest match */
813 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
23691d75 814 c1 = c;
b62f328b
VT		 815 }
816 }
280f294f 817
23691d75 818 read_unlock(&chan_list_lock);
b62f328b 819
23691d75 820 return c1;
b62f328b
VT		 821}
822
823static void l2cap_le_conn_ready(struct l2cap_conn *conn)
824{
c916fbe4 825 struct sock *parent, *sk;
23691d75 826 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 827
828 BT_DBG("");
829
830 /* Check if we have socket listening on cid */
23691d75 831 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
b62f328b 832 conn->src);
23691d75 833 if (!pchan)
b62f328b
VT		 834 return;
835
23691d75
GP		 836 parent = pchan->sk;
837
62f3a2cf
GP		 838 bh_lock_sock(parent);
839
b62f328b
VT		 840 /* Check for backlog size */
841 if (sk_acceptq_is_full(parent)) {
842 BT_DBG("backlog full %d", parent->sk_ack_backlog);
843 goto clean;
844 }
845
80808e43
GP		 846 chan = pchan->ops->new_connection(pchan->data);
847 if (!chan)
b62f328b
VT		 848 goto clean;
849
80808e43 850 sk = chan->sk;
5d41ce1d 851
baa7e1fa 852 write_lock_bh(&conn->chan_lock);
b62f328b
VT		 853
854 hci_conn_hold(conn->hcon);
855
b62f328b
VT		 856 bacpy(&bt_sk(sk)->src, conn->src);
857 bacpy(&bt_sk(sk)->dst, conn->dst);
858
d1010240
GP		 859 bt_accept_enqueue(parent, sk);
860
48454079
GP		 861 __l2cap_chan_add(conn, chan);
862
ab07801d 863 l2cap_chan_set_timer(chan, sk->sk_sndtimeo);
b62f328b
VT		 864
865 sk->sk_state = BT_CONNECTED;
866 parent->sk_data_ready(parent, 0);
867
baa7e1fa 868 write_unlock_bh(&conn->chan_lock);
b62f328b
VT		 869
870clean:
871 bh_unlock_sock(parent);
872}
873
4e8402a3
MH		 874static void l2cap_conn_ready(struct l2cap_conn *conn)
875{
48454079 876 struct l2cap_chan *chan;
4e8402a3 877
79d554a6 878 BT_DBG("conn %p", conn);
4e8402a3 879
b62f328b
VT		 880 if (!conn->hcon->out && conn->hcon->type == LE_LINK)
881 l2cap_le_conn_ready(conn);
882
baa7e1fa 883 read_lock(&conn->chan_lock);
4e8402a3 884
baa7e1fa 885 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 886 struct sock *sk = chan->sk;
baa7e1fa 887
79d554a6 888 bh_lock_sock(sk);
4e8402a3 889
acd7d370 890 if (conn->hcon->type == LE_LINK) {
ab07801d 891 l2cap_chan_clear_timer(chan);
acd7d370
VT		 892 sk->sk_state = BT_CONNECTED;
893 sk->sk_state_change(sk);
894 }
895
715ec005 896 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
ab07801d 897 l2cap_chan_clear_timer(chan);
79d554a6
MH		 898 sk->sk_state = BT_CONNECTED;
899 sk->sk_state_change(sk);
900 } else if (sk->sk_state == BT_CONNECT)
fc7f8a7e 901 l2cap_do_start(chan);
4e8402a3 902
79d554a6 903 bh_unlock_sock(sk);
4e8402a3 904 }
79d554a6 905
baa7e1fa 906 read_unlock(&conn->chan_lock);
4e8402a3
MH		 907}
908
909/* Notify sockets that we cannot guaranty reliability anymore */
910static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
911{
48454079 912 struct l2cap_chan *chan;
4e8402a3
MH		 913
914 BT_DBG("conn %p", conn);
915
baa7e1fa 916 read_lock(&conn->chan_lock);
4e8402a3 917
baa7e1fa 918 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 919 struct sock *sk = chan->sk;
baa7e1fa 920
4343478f 921 if (chan->force_reliable)
4e8402a3
MH		 922 sk->sk_err = err;
923 }
924
baa7e1fa 925 read_unlock(&conn->chan_lock);
4e8402a3
MH		 926}
927
928static void l2cap_info_timeout(unsigned long arg)
929{
930 struct l2cap_conn *conn = (void *) arg;
931
984947dc 932 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 933 conn->info_ident = 0;
984947dc 934
4e8402a3
MH		 935 l2cap_conn_start(conn);
936}
937
1da177e4
LT		 938static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
939{
0139418c 940 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4 941
0139418c 942 if (conn || status)
1da177e4
LT		 943 return conn;
944
0139418c
MH		 945 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
946 if (!conn)
1da177e4 947 return NULL;
1da177e4
LT		 948
949 hcon->l2cap_data = conn;
950 conn->hcon = hcon;
951
0139418c
MH		 952 BT_DBG("hcon %p conn %p", hcon, conn);
953
acd7d370
VT		 954 if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
955 conn->mtu = hcon->hdev->le_mtu;
956 else
957 conn->mtu = hcon->hdev->acl_mtu;
958
1da177e4
LT		 959 conn->src = &hcon->hdev->bdaddr;
960 conn->dst = &hcon->dst;
961
4e8402a3
MH		 962 conn->feat_mask = 0;
963
1da177e4 964 spin_lock_init(&conn->lock);
baa7e1fa
GP		 965 rwlock_init(&conn->chan_lock);
966
967 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 968
b62f328b
VT		 969 if (hcon->type != LE_LINK)
970 setup_timer(&conn->info_timer, l2cap_info_timeout,
45054dc1
DY		 971 (unsigned long) conn);
972
2950f21a
MH		 973 conn->disc_reason = 0x13;
974
1da177e4
LT		 975 return conn;
976}
977
0139418c 978static void l2cap_conn_del(struct hci_conn *hcon, int err)
1da177e4 979{
0139418c 980 struct l2cap_conn *conn = hcon->l2cap_data;
baa7e1fa 981 struct l2cap_chan *chan, *l;
1da177e4
LT		 982 struct sock *sk;
983
0139418c
MH		 984 if (!conn)
985 return;
1da177e4
LT		 986
987 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
988
7585b97a 989 kfree_skb(conn->rx_skb);
1da177e4
LT		 990
991 /* Kill channels */
baa7e1fa 992 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
48454079 993 sk = chan->sk;
1da177e4 994 bh_lock_sock(sk);
48454079 995 l2cap_chan_del(chan, err);
1da177e4 996 bh_unlock_sock(sk);
ba3bd0ee 997 chan->ops->close(chan->data);
1da177e4
LT		 998 }
999
8e8440f5
DY		 1000 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1001 del_timer_sync(&conn->info_timer);
3ab22731 1002
1da177e4
LT		 1003 hcon->l2cap_data = NULL;
1004 kfree(conn);
1da177e4
LT		 1005}
1006
48454079 1007static inline void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
1da177e4 1008{
baa7e1fa 1009 write_lock_bh(&conn->chan_lock);
48454079 1010 __l2cap_chan_add(conn, chan);
baa7e1fa 1011 write_unlock_bh(&conn->chan_lock);
1da177e4
LT		 1012}
1013
1da177e4 1014/* ---- Socket interface ---- */
1da177e4
LT		 1015
1016/* Find socket with psm and source bdaddr.
1017 * Returns closest match.
1018 */
23691d75 1019static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm, bdaddr_t *src)
1da177e4 1020{
23691d75 1021 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1022
23691d75 1023 read_lock(&chan_list_lock);
e0f0cb56 1024
23691d75
GP		 1025 list_for_each_entry(c, &chan_list, global_l) {
1026 struct sock *sk = c->sk;
fe4128e0 1027
1da177e4
LT		 1028 if (state && sk->sk_state != state)
1029 continue;
1030
23691d75 1031 if (c->psm == psm) {
1da177e4 1032 /* Exact match. */
23691d75 1033 if (!bacmp(&bt_sk(sk)->src, src)) {
a7567b20 1034 read_unlock(&chan_list_lock);
23691d75
GP		 1035 return c;
1036 }
1da177e4
LT		 1037
1038 /* Closest match */
1039 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
23691d75 1040 c1 = c;
1da177e4
LT		 1041 }
1042 }
1da177e4 1043
23691d75 1044 read_unlock(&chan_list_lock);
e0f0cb56 1045
23691d75 1046 return c1;
1da177e4
LT		 1047}
1048
77a74c7e 1049int l2cap_chan_connect(struct l2cap_chan *chan)
1da177e4 1050{
5d41ce1d 1051 struct sock *sk = chan->sk;
1da177e4
LT		 1052 bdaddr_t *src = &bt_sk(sk)->src;
1053 bdaddr_t *dst = &bt_sk(sk)->dst;
1054 struct l2cap_conn *conn;
1055 struct hci_conn *hcon;
1056 struct hci_dev *hdev;
09ab6f4c 1057 __u8 auth_type;
44d0e48e 1058 int err;
1da177e4 1059
f29972de 1060 BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
fe4128e0 1061 chan->psm);
1da177e4 1062
af05b30b
GP		 1063 hdev = hci_get_route(dst, src);
1064 if (!hdev)
1da177e4
LT		 1065 return -EHOSTUNREACH;
1066
1067 hci_dev_lock_bh(hdev);
1068
4343478f 1069 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1070
fe4128e0 1071 if (chan->dcid == L2CAP_CID_LE_DATA)
acd7d370 1072 hcon = hci_connect(hdev, LE_LINK, dst,
4343478f 1073 chan->sec_level, auth_type);
acd7d370
VT		 1074 else
1075 hcon = hci_connect(hdev, ACL_LINK, dst,
4343478f 1076 chan->sec_level, auth_type);
acd7d370 1077
30e76272
VT		 1078 if (IS_ERR(hcon)) {
1079 err = PTR_ERR(hcon);
1da177e4 1080 goto done;
30e76272 1081 }
1da177e4
LT		 1082
1083 conn = l2cap_conn_add(hcon, 0);
1084 if (!conn) {
1085 hci_conn_put(hcon);
30e76272 1086 err = -ENOMEM;
1da177e4
LT		 1087 goto done;
1088 }
1089
1da177e4
LT		 1090 /* Update source addr of the socket */
1091 bacpy(src, conn->src);
1092
48454079
GP		 1093 l2cap_chan_add(conn, chan);
1094
1da177e4 1095 sk->sk_state = BT_CONNECT;
ab07801d 1096 l2cap_chan_set_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1097
1098 if (hcon->state == BT_CONNECTED) {
715ec005 1099 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
ab07801d 1100 l2cap_chan_clear_timer(chan);
4343478f 1101 if (l2cap_check_security(chan))
d00ef24f 1102 sk->sk_state = BT_CONNECTED;
79d554a6 1103 } else
fc7f8a7e 1104 l2cap_do_start(chan);
1da177e4
LT		 1105 }
1106
30e76272
VT		 1107 err = 0;
1108
1da177e4
LT		 1109done:
1110 hci_dev_unlock_bh(hdev);
1111 hci_dev_put(hdev);
1112 return err;
1113}
1114
dcba0dba 1115int __l2cap_wait_ack(struct sock *sk)
6161c038 1116{
8c1d787b 1117 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1118 DECLARE_WAITQUEUE(wait, current);
1119 int err = 0;
1120 int timeo = HZ/5;
1121
2b0b05dd 1122 add_wait_queue(sk_sleep(sk), &wait);
8c1d787b 1123 while ((chan->unacked_frames > 0 && chan->conn)) {
6161c038
GP		 1124 set_current_state(TASK_INTERRUPTIBLE);
1125
1126 if (!timeo)
1127 timeo = HZ/5;
1128
1129 if (signal_pending(current)) {
1130 err = sock_intr_errno(timeo);
1131 break;
1132 }
1133
1134 release_sock(sk);
1135 timeo = schedule_timeout(timeo);
1136 lock_sock(sk);
1137
1138 err = sock_error(sk);
1139 if (err)
1140 break;
1141 }
1142 set_current_state(TASK_RUNNING);
2b0b05dd 1143 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1144 return err;
1145}
1146
e90bac06
GP		 1147static void l2cap_monitor_timeout(unsigned long arg)
1148{
525cd185
GP		 1149 struct l2cap_chan *chan = (void *) arg;
1150 struct sock *sk = chan->sk;
e90bac06 1151
525cd185 1152 BT_DBG("chan %p", chan);
0e98958d 1153
e686219a 1154 bh_lock_sock(sk);
2c03a7a4 1155 if (chan->retry_count >= chan->remote_max_tx) {
8c1d787b 1156 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
b13f5860 1157 bh_unlock_sock(sk);
e90bac06
GP		 1158 return;
1159 }
1160
6a026610 1161 chan->retry_count++;
e90bac06
GP		 1162 __mod_monitor_timer();
1163
525cd185 1164 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
e686219a 1165 bh_unlock_sock(sk);
e90bac06
GP		 1166}
1167
1168static void l2cap_retrans_timeout(unsigned long arg)
1169{
525cd185
GP		 1170 struct l2cap_chan *chan = (void *) arg;
1171 struct sock *sk = chan->sk;
e90bac06 1172
49208c9c 1173 BT_DBG("chan %p", chan);
0e98958d 1174
e686219a 1175 bh_lock_sock(sk);
6a026610 1176 chan->retry_count = 1;
e90bac06
GP		 1177 __mod_monitor_timer();
1178
525cd185 1179 chan->conn_state |= L2CAP_CONN_WAIT_F;
e90bac06 1180
525cd185 1181 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
e686219a 1182 bh_unlock_sock(sk);
e90bac06
GP		 1183}
1184
42e5c802 1185static void l2cap_drop_acked_frames(struct l2cap_chan *chan)
1da177e4 1186{
1c2acffb 1187 struct sk_buff *skb;
1da177e4 1188
58d35f87 1189 while ((skb = skb_peek(&chan->tx_q)) &&
6a026610 1190 chan->unacked_frames) {
42e5c802 1191 if (bt_cb(skb)->tx_seq == chan->expected_ack_seq)
1c2acffb 1192 break;
1da177e4 1193
58d35f87 1194 skb = skb_dequeue(&chan->tx_q);
1c2acffb 1195 kfree_skb(skb);
1da177e4 1196
6a026610 1197 chan->unacked_frames--;
1c2acffb 1198 }
1da177e4 1199
6a026610 1200 if (!chan->unacked_frames)
e92c8e70 1201 del_timer(&chan->retrans_timer);
1c2acffb 1202}
1da177e4 1203
4343478f 1204void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
1c2acffb 1205{
8c1d787b 1206 struct hci_conn *hcon = chan->conn->hcon;
e702112f 1207 u16 flags;
1c2acffb 1208
4343478f 1209 BT_DBG("chan %p, skb %p len %d", chan, skb, skb->len);
1da177e4 1210
4343478f 1211 if (!chan->flushable && lmp_no_flush_capable(hcon->hdev))
e702112f
AE		 1212 flags = ACL_START_NO_FLUSH;
1213 else
1214 flags = ACL_START;
1215
14b12d0b 1216 bt_cb(skb)->force_active = chan->force_active;
e702112f 1217 hci_send_acl(hcon, skb, flags);
1c2acffb
GP		 1218}
1219
42e5c802 1220void l2cap_streaming_send(struct l2cap_chan *chan)
6840ed07 1221{
ccbb84af 1222 struct sk_buff *skb;
fcc203c3 1223 u16 control, fcs;
6840ed07 1224
58d35f87 1225 while ((skb = skb_dequeue(&chan->tx_q))) {
ccbb84af 1226 control = get_unaligned_le16(skb->data + L2CAP_HDR_SIZE);
42e5c802 1227 control |= chan->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT;
ccbb84af 1228 put_unaligned_le16(control, skb->data + L2CAP_HDR_SIZE);
6840ed07 1229
47d1ec61 1230 if (chan->fcs == L2CAP_FCS_CRC16) {
ccbb84af
GP		 1231 fcs = crc16(0, (u8 *)skb->data, skb->len - 2);
1232 put_unaligned_le16(fcs, skb->data + skb->len - 2);
fcc203c3
GP		 1233 }
1234
4343478f 1235 l2cap_do_send(chan, skb);
6840ed07 1236
42e5c802 1237 chan->next_tx_seq = (chan->next_tx_seq + 1) % 64;
6840ed07 1238 }
6840ed07
GP		 1239}
1240
525cd185 1241static void l2cap_retransmit_one_frame(struct l2cap_chan *chan, u8 tx_seq)
8f17154f 1242{
8f17154f
GP		 1243 struct sk_buff *skb, *tx_skb;
1244 u16 control, fcs;
8f17154f 1245
58d35f87 1246 skb = skb_peek(&chan->tx_q);
f11d676d
GP		 1247 if (!skb)
1248 return;
8f17154f 1249
f11d676d
GP		 1250 do {
1251 if (bt_cb(skb)->tx_seq == tx_seq)
8f17154f 1252 break;
8f17154f 1253
58d35f87 1254 if (skb_queue_is_last(&chan->tx_q, skb))
f11d676d 1255 return;
8f17154f 1256
58d35f87 1257 } while ((skb = skb_queue_next(&chan->tx_q, skb)));
8f17154f 1258
2c03a7a4
GP		 1259 if (chan->remote_max_tx &&
1260 bt_cb(skb)->retries == chan->remote_max_tx) {
8c1d787b 1261 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
f11d676d
GP		 1262 return;
1263 }
1264
1265 tx_skb = skb_clone(skb, GFP_ATOMIC);
1266 bt_cb(skb)->retries++;
1267 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
a429b519 1268 control &= L2CAP_CTRL_SAR;
3cb123d1 1269
525cd185 1270 if (chan->conn_state & L2CAP_CONN_SEND_FBIT) {
3cb123d1 1271 control |= L2CAP_CTRL_FINAL;
525cd185 1272 chan->conn_state &= ~L2CAP_CONN_SEND_FBIT;
3cb123d1 1273 }
95ffa978 1274
42e5c802 1275 control |= (chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
f11d676d 1276 | (tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
3cb123d1 1277
f11d676d
GP		 1278 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1279
47d1ec61 1280 if (chan->fcs == L2CAP_FCS_CRC16) {
f11d676d
GP		 1281 fcs = crc16(0, (u8 *)tx_skb->data, tx_skb->len - 2);
1282 put_unaligned_le16(fcs, tx_skb->data + tx_skb->len - 2);
1283 }
1284
4343478f 1285 l2cap_do_send(chan, tx_skb);
8f17154f
GP		 1286}
1287
525cd185 1288int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1289{
1290 struct sk_buff *skb, *tx_skb;
525cd185 1291 struct sock *sk = chan->sk;
fcc203c3 1292 u16 control, fcs;
9a9c6a34 1293 int nsent = 0;
1c2acffb 1294
c13ffa62
GP		 1295 if (sk->sk_state != BT_CONNECTED)
1296 return -ENOTCONN;
e90bac06 1297
58d35f87 1298 while ((skb = chan->tx_send_head) && (!l2cap_tx_window_full(chan))) {
1c2acffb 1299
2c03a7a4
GP		 1300 if (chan->remote_max_tx &&
1301 bt_cb(skb)->retries == chan->remote_max_tx) {
8c1d787b 1302 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
e90bac06
GP		 1303 break;
1304 }
1305
e420aba3
AE		 1306 tx_skb = skb_clone(skb, GFP_ATOMIC);
1307
e90bac06
GP		 1308 bt_cb(skb)->retries++;
1309
1c2acffb 1310 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
95ffa978
GP		 1311 control &= L2CAP_CTRL_SAR;
1312
525cd185 1313 if (chan->conn_state & L2CAP_CONN_SEND_FBIT) {
d5392c8f 1314 control |= L2CAP_CTRL_FINAL;
525cd185 1315 chan->conn_state &= ~L2CAP_CONN_SEND_FBIT;
d5392c8f 1316 }
42e5c802
GP		 1317 control |= (chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1318 | (chan->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
1c2acffb
GP		 1319 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1320
e90bac06 1321
47d1ec61 1322 if (chan->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 1323 fcs = crc16(0, (u8 *)skb->data, tx_skb->len - 2);
1324 put_unaligned_le16(fcs, skb->data + tx_skb->len - 2);
1325 }
1326
4343478f 1327 l2cap_do_send(chan, tx_skb);
9a9c6a34 1328
e90bac06 1329 __mod_retrans_timer();
1c2acffb 1330
42e5c802
GP		 1331 bt_cb(skb)->tx_seq = chan->next_tx_seq;
1332 chan->next_tx_seq = (chan->next_tx_seq + 1) % 64;
1c2acffb 1333
23e9fde2 1334 if (bt_cb(skb)->retries == 1)
6a026610 1335 chan->unacked_frames++;
23e9fde2 1336
6a026610 1337 chan->frames_sent++;
1c2acffb 1338
58d35f87
GP		 1339 if (skb_queue_is_last(&chan->tx_q, skb))
1340 chan->tx_send_head = NULL;
1c2acffb 1341 else
58d35f87 1342 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
9e917af1
GP		 1343
1344 nsent++;
1c2acffb
GP		 1345 }
1346
9e917af1
GP		 1347 return nsent;
1348}
1349
525cd185 1350static int l2cap_retransmit_frames(struct l2cap_chan *chan)
dfc909be 1351{
dfc909be
GP		 1352 int ret;
1353
58d35f87
GP		 1354 if (!skb_queue_empty(&chan->tx_q))
1355 chan->tx_send_head = chan->tx_q.next;
dfc909be 1356
42e5c802 1357 chan->next_tx_seq = chan->expected_ack_seq;
525cd185 1358 ret = l2cap_ertm_send(chan);
dfc909be
GP		 1359 return ret;
1360}
1361
525cd185 1362static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 1363{
9e917af1
GP		 1364 u16 control = 0;
1365
42e5c802 1366 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
9e917af1 1367
525cd185 1368 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
9e917af1 1369 control |= L2CAP_SUPER_RCV_NOT_READY;
525cd185
GP		 1370 chan->conn_state |= L2CAP_CONN_RNR_SENT;
1371 l2cap_send_sframe(chan, control);
9a9c6a34 1372 return;
9e917af1 1373 }
dfc909be 1374
525cd185 1375 if (l2cap_ertm_send(chan) > 0)
dfc909be
GP		 1376 return;
1377
1378 control |= L2CAP_SUPER_RCV_READY;
525cd185 1379 l2cap_send_sframe(chan, control);
1c2acffb
GP		 1380}
1381
525cd185 1382static void l2cap_send_srejtail(struct l2cap_chan *chan)
99b0d4b7
GP		 1383{
1384 struct srej_list *tail;
1385 u16 control;
1386
1387 control = L2CAP_SUPER_SELECT_REJECT;
1388 control |= L2CAP_CTRL_FINAL;
1389
39d5a3ee 1390 tail = list_entry((&chan->srej_l)->prev, struct srej_list, list);
99b0d4b7
GP		 1391 control |= tail->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1392
525cd185 1393 l2cap_send_sframe(chan, control);
99b0d4b7
GP		 1394}
1395
1c2acffb
GP		 1396static inline int l2cap_skbuff_fromiovec(struct sock *sk, struct msghdr *msg, int len, int count, struct sk_buff *skb)
1397{
8c1d787b 1398 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
1c2acffb
GP		 1399 struct sk_buff **frag;
1400 int err, sent = 0;
1da177e4 1401
59203a21 1402 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1403 return -EFAULT;
1da177e4
LT		 1404
1405 sent += count;
1406 len -= count;
1407
1408 /* Continuation fragments (no L2CAP header) */
1409 frag = &skb_shinfo(skb)->frag_list;
1410 while (len) {
1411 count = min_t(unsigned int, conn->mtu, len);
1412
1413 *frag = bt_skb_send_alloc(sk, count, msg->msg_flags & MSG_DONTWAIT, &err);
1414 if (!*frag)
0175d629 1415 return err;
1c2acffb
GP		 1416 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1417 return -EFAULT;
1da177e4
LT		 1418
1419 sent += count;
1420 len -= count;
1421
1422 frag = &(*frag)->next;
1423 }
1da177e4
LT		 1424
1425 return sent;
1c2acffb 1426}
1da177e4 1427
fe4128e0 1428struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1c2acffb 1429{
fe4128e0 1430 struct sock *sk = chan->sk;
8c1d787b 1431 struct l2cap_conn *conn = chan->conn;
1c2acffb
GP		 1432 struct sk_buff *skb;
1433 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1434 struct l2cap_hdr *lh;
1435
1436 BT_DBG("sk %p len %d", sk, (int)len);
1437
1438 count = min_t(unsigned int, (conn->mtu - hlen), len);
1439 skb = bt_skb_send_alloc(sk, count + hlen,
1440 msg->msg_flags & MSG_DONTWAIT, &err);
1441 if (!skb)
0175d629 1442 return ERR_PTR(err);
1c2acffb
GP		 1443
1444 /* Create L2CAP header */
1445 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1446 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 1447 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
fe4128e0 1448 put_unaligned_le16(chan->psm, skb_put(skb, 2));
1c2acffb
GP		 1449
1450 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1451 if (unlikely(err < 0)) {
1452 kfree_skb(skb);
1453 return ERR_PTR(err);
1454 }
1455 return skb;
1456}
1457
fe4128e0 1458struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1c2acffb 1459{
fe4128e0 1460 struct sock *sk = chan->sk;
8c1d787b 1461 struct l2cap_conn *conn = chan->conn;
1c2acffb
GP		 1462 struct sk_buff *skb;
1463 int err, count, hlen = L2CAP_HDR_SIZE;
1464 struct l2cap_hdr *lh;
1465
1466 BT_DBG("sk %p len %d", sk, (int)len);
1467
1468 count = min_t(unsigned int, (conn->mtu - hlen), len);
1469 skb = bt_skb_send_alloc(sk, count + hlen,
1470 msg->msg_flags & MSG_DONTWAIT, &err);
1471 if (!skb)
0175d629 1472 return ERR_PTR(err);
1c2acffb
GP		 1473
1474 /* Create L2CAP header */
1475 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1476 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb
GP		 1477 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1478
1479 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1480 if (unlikely(err < 0)) {
1481 kfree_skb(skb);
1482 return ERR_PTR(err);
1483 }
1484 return skb;
1485}
1486
47d1ec61 1487struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len, u16 control, u16 sdulen)
1c2acffb 1488{
47d1ec61 1489 struct sock *sk = chan->sk;
8c1d787b 1490 struct l2cap_conn *conn = chan->conn;
1c2acffb
GP		 1491 struct sk_buff *skb;
1492 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1493 struct l2cap_hdr *lh;
1494
1495 BT_DBG("sk %p len %d", sk, (int)len);
1496
0ee0d208
GP		 1497 if (!conn)
1498 return ERR_PTR(-ENOTCONN);
1499
c74e560c
GP		 1500 if (sdulen)
1501 hlen += 2;
1502
47d1ec61 1503 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3
GP		 1504 hlen += 2;
1505
1c2acffb
GP		 1506 count = min_t(unsigned int, (conn->mtu - hlen), len);
1507 skb = bt_skb_send_alloc(sk, count + hlen,
1508 msg->msg_flags & MSG_DONTWAIT, &err);
1509 if (!skb)
0175d629 1510 return ERR_PTR(err);
1c2acffb
GP		 1511
1512 /* Create L2CAP header */
1513 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1514 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb
GP		 1515 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1516 put_unaligned_le16(control, skb_put(skb, 2));
c74e560c
GP		 1517 if (sdulen)
1518 put_unaligned_le16(sdulen, skb_put(skb, 2));
1c2acffb
GP		 1519
1520 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1521 if (unlikely(err < 0)) {
1522 kfree_skb(skb);
1523 return ERR_PTR(err);
1524 }
e90bac06 1525
47d1ec61 1526 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3
GP		 1527 put_unaligned_le16(0, skb_put(skb, 2));
1528
e90bac06 1529 bt_cb(skb)->retries = 0;
1c2acffb 1530 return skb;
1da177e4
LT		 1531}
1532
2c03a7a4 1533int l2cap_sar_segment_sdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
c74e560c 1534{
c74e560c
GP		 1535 struct sk_buff *skb;
1536 struct sk_buff_head sar_queue;
1537 u16 control;
1538 size_t size = 0;
1539
ff12fd64 1540 skb_queue_head_init(&sar_queue);
c74e560c 1541 control = L2CAP_SDU_START;
47d1ec61 1542 skb = l2cap_create_iframe_pdu(chan, msg, chan->remote_mps, control, len);
c74e560c
GP		 1543 if (IS_ERR(skb))
1544 return PTR_ERR(skb);
1545
1546 __skb_queue_tail(&sar_queue, skb);
2c03a7a4
GP		 1547 len -= chan->remote_mps;
1548 size += chan->remote_mps;
c74e560c
GP		 1549
1550 while (len > 0) {
1551 size_t buflen;
1552
2c03a7a4 1553 if (len > chan->remote_mps) {
44651b85 1554 control = L2CAP_SDU_CONTINUE;
2c03a7a4 1555 buflen = chan->remote_mps;
c74e560c 1556 } else {
44651b85 1557 control = L2CAP_SDU_END;
c74e560c
GP		 1558 buflen = len;
1559 }
1560
47d1ec61 1561 skb = l2cap_create_iframe_pdu(chan, msg, buflen, control, 0);
c74e560c
GP		 1562 if (IS_ERR(skb)) {
1563 skb_queue_purge(&sar_queue);
1564 return PTR_ERR(skb);
1565 }
1566
1567 __skb_queue_tail(&sar_queue, skb);
1568 len -= buflen;
1569 size += buflen;
c74e560c 1570 }
58d35f87
GP		 1571 skb_queue_splice_tail(&sar_queue, &chan->tx_q);
1572 if (chan->tx_send_head == NULL)
1573 chan->tx_send_head = sar_queue.next;
c74e560c
GP		 1574
1575 return size;
1576}
1577
9a91a04a
GP		 1578int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1579{
9a91a04a
GP		 1580 struct sk_buff *skb;
1581 u16 control;
1582 int err;
1583
1584 /* Connectionless channel */
715ec005 1585 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
9a91a04a
GP		 1586 skb = l2cap_create_connless_pdu(chan, msg, len);
1587 if (IS_ERR(skb))
1588 return PTR_ERR(skb);
1589
1590 l2cap_do_send(chan, skb);
1591 return len;
1592 }
1593
1594 switch (chan->mode) {
1595 case L2CAP_MODE_BASIC:
1596 /* Check outgoing MTU */
1597 if (len > chan->omtu)
1598 return -EMSGSIZE;
1599
1600 /* Create a basic PDU */
1601 skb = l2cap_create_basic_pdu(chan, msg, len);
1602 if (IS_ERR(skb))
1603 return PTR_ERR(skb);
1604
1605 l2cap_do_send(chan, skb);
1606 err = len;
1607 break;
1608
1609 case L2CAP_MODE_ERTM:
1610 case L2CAP_MODE_STREAMING:
1611 /* Entire SDU fits into one PDU */
1612 if (len <= chan->remote_mps) {
1613 control = L2CAP_SDU_UNSEGMENTED;
1614 skb = l2cap_create_iframe_pdu(chan, msg, len, control,
1615 0);
1616 if (IS_ERR(skb))
1617 return PTR_ERR(skb);
1618
1619 __skb_queue_tail(&chan->tx_q, skb);
1620
1621 if (chan->tx_send_head == NULL)
1622 chan->tx_send_head = skb;
1623
1624 } else {
1625 /* Segment SDU into multiples PDUs */
1626 err = l2cap_sar_segment_sdu(chan, msg, len);
1627 if (err < 0)
1628 return err;
1629 }
1630
1631 if (chan->mode == L2CAP_MODE_STREAMING) {
1632 l2cap_streaming_send(chan);
1633 err = len;
1634 break;
1635 }
1636
1637 if ((chan->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
1638 (chan->conn_state & L2CAP_CONN_WAIT_F)) {
1639 err = len;
1640 break;
1641 }
1642
1643 err = l2cap_ertm_send(chan);
1644 if (err >= 0)
1645 err = len;
1646
1647 break;
1648
1649 default:
1650 BT_DBG("bad state %1.1x", chan->mode);
1651 err = -EBADFD;
1652 }
1653
1654 return err;
1655}
1656
1da177e4
LT		 1657static void l2cap_chan_ready(struct sock *sk)
1658{
1659 struct sock *parent = bt_sk(sk)->parent;
b4450035 1660 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1da177e4
LT		 1661
1662 BT_DBG("sk %p, parent %p", sk, parent);
1663
b4450035 1664 chan->conf_state = 0;
ab07801d 1665 l2cap_chan_clear_timer(chan);
1da177e4
LT		 1666
1667 if (!parent) {
1668 /* Outgoing channel.
1669 * Wake up socket sleeping on connect.
1670 */
1671 sk->sk_state = BT_CONNECTED;
1672 sk->sk_state_change(sk);
1673 } else {
1674 /* Incoming channel.
1675 * Wake up socket sleeping on accept.
1676 */
1677 parent->sk_data_ready(parent, 0);
1678 }
1679}
1680
1681/* Copy frame to all raw sockets on that connection */
1682static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
1683{
1da177e4 1684 struct sk_buff *nskb;
48454079 1685 struct l2cap_chan *chan;
1da177e4
LT		 1686
1687 BT_DBG("conn %p", conn);
1688
baa7e1fa
GP		 1689 read_lock(&conn->chan_lock);
1690 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 1691 struct sock *sk = chan->sk;
715ec005 1692 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 1693 continue;
1694
1695 /* Don't send frame to the socket it came from */
1696 if (skb->sk == sk)
1697 continue;
af05b30b
GP		 1698 nskb = skb_clone(skb, GFP_ATOMIC);
1699 if (!nskb)
1da177e4
LT		 1700 continue;
1701
23070494 1702 if (chan->ops->recv(chan->data, nskb))
1da177e4
LT		 1703 kfree_skb(nskb);
1704 }
baa7e1fa 1705 read_unlock(&conn->chan_lock);
1da177e4
LT		 1706}
1707
1708/* ---- L2CAP signalling commands ---- */
1709static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
1710 u8 code, u8 ident, u16 dlen, void *data)
1711{
1712 struct sk_buff *skb, **frag;
1713 struct l2cap_cmd_hdr *cmd;
1714 struct l2cap_hdr *lh;
1715 int len, count;
1716
af05b30b
GP		 1717 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
1718 conn, code, ident, dlen);
1da177e4
LT		 1719
1720 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
1721 count = min_t(unsigned int, conn->mtu, len);
1722
1723 skb = bt_skb_alloc(count, GFP_ATOMIC);
1724 if (!skb)
1725 return NULL;
1726
1727 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 1728 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 1729
1730 if (conn->hcon->type == LE_LINK)
1731 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
1732 else
1733 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 1734
1735 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
1736 cmd->code = code;
1737 cmd->ident = ident;
aca3192c 1738 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 1739
1740 if (dlen) {
1741 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
1742 memcpy(skb_put(skb, count), data, count);
1743 data += count;
1744 }
1745
1746 len -= skb->len;
1747
1748 /* Continuation fragments (no L2CAP header) */
1749 frag = &skb_shinfo(skb)->frag_list;
1750 while (len) {
1751 count = min_t(unsigned int, conn->mtu, len);
1752
1753 *frag = bt_skb_alloc(count, GFP_ATOMIC);
1754 if (!*frag)
1755 goto fail;
1756
1757 memcpy(skb_put(*frag, count), data, count);
1758
1759 len -= count;
1760 data += count;
1761
1762 frag = &(*frag)->next;
1763 }
1764
1765 return skb;
1766
1767fail:
1768 kfree_skb(skb);
1769 return NULL;
1770}
1771
1772static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
1773{
1774 struct l2cap_conf_opt *opt = *ptr;
1775 int len;
1776
1777 len = L2CAP_CONF_OPT_SIZE + opt->len;
1778 *ptr += len;
1779
1780 *type = opt->type;
1781 *olen = opt->len;
1782
1783 switch (opt->len) {
1784 case 1:
1785 *val = *((u8 *) opt->val);
1786 break;
1787
1788 case 2:
bfaaeb3e 1789 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 1790 break;
1791
1792 case 4:
bfaaeb3e 1793 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 1794 break;
1795
1796 default:
1797 *val = (unsigned long) opt->val;
1798 break;
1799 }
1800
1801 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
1802 return len;
1803}
1804
1da177e4
LT		 1805static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
1806{
1807 struct l2cap_conf_opt *opt = *ptr;
1808
1809 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
1810
1811 opt->type = type;
1812 opt->len = len;
1813
1814 switch (len) {
1815 case 1:
1816 *((u8 *) opt->val) = val;
1817 break;
1818
1819 case 2:
4f8b691c 1820 put_unaligned_le16(val, opt->val);
1da177e4
LT		 1821 break;
1822
1823 case 4:
4f8b691c 1824 put_unaligned_le32(val, opt->val);
1da177e4
LT		 1825 break;
1826
1827 default:
1828 memcpy(opt->val, (void *) val, len);
1829 break;
1830 }
1831
1832 *ptr += L2CAP_CONF_OPT_SIZE + len;
1833}
1834
c1b4f43b
GP		 1835static void l2cap_ack_timeout(unsigned long arg)
1836{
525cd185 1837 struct l2cap_chan *chan = (void *) arg;
c1b4f43b 1838
525cd185
GP		 1839 bh_lock_sock(chan->sk);
1840 l2cap_send_ack(chan);
1841 bh_unlock_sock(chan->sk);
c1b4f43b
GP		 1842}
1843
525cd185 1844static inline void l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 1845{
525cd185
GP		 1846 struct sock *sk = chan->sk;
1847
42e5c802 1848 chan->expected_ack_seq = 0;
6a026610 1849 chan->unacked_frames = 0;
42e5c802 1850 chan->buffer_seq = 0;
6a026610
GP		 1851 chan->num_acked = 0;
1852 chan->frames_sent = 0;
0565c1c2 1853
e92c8e70
GP		 1854 setup_timer(&chan->retrans_timer, l2cap_retrans_timeout,
1855 (unsigned long) chan);
1856 setup_timer(&chan->monitor_timer, l2cap_monitor_timeout,
1857 (unsigned long) chan);
1858 setup_timer(&chan->ack_timer, l2cap_ack_timeout, (unsigned long) chan);
0565c1c2 1859
f1c6775b
GP		 1860 skb_queue_head_init(&chan->srej_q);
1861 skb_queue_head_init(&chan->busy_q);
1890d36b 1862
39d5a3ee
GP		 1863 INIT_LIST_HEAD(&chan->srej_l);
1864
311bb895 1865 INIT_WORK(&chan->busy_work, l2cap_busy_work);
218bb9df
GP		 1866
1867 sk->sk_backlog_rcv = l2cap_ertm_data_rcv;
0565c1c2
GP		 1868}
1869
f2fcfcd6
GP		 1870static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
1871{
1872 switch (mode) {
1873 case L2CAP_MODE_STREAMING:
1874 case L2CAP_MODE_ERTM:
1875 if (l2cap_mode_supported(mode, remote_feat_mask))
1876 return mode;
1877 /* fall through */
1878 default:
1879 return L2CAP_MODE_BASIC;
1880 }
1881}
1882
710f9b0a 1883static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 1884{
1da177e4 1885 struct l2cap_conf_req *req = data;
0c1bc5c6 1886 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4
LT		 1887 void *ptr = req->data;
1888
49208c9c 1889 BT_DBG("chan %p", chan);
1da177e4 1890
73ffa904 1891 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 1892 goto done;
1893
0c1bc5c6 1894 switch (chan->mode) {
f2fcfcd6
GP		 1895 case L2CAP_MODE_STREAMING:
1896 case L2CAP_MODE_ERTM:
b4450035 1897 if (chan->conf_state & L2CAP_CONF_STATE2_DEVICE)
85eb53c6 1898 break;
85eb53c6 1899
2ba13ed6 1900 /* fall through */
f2fcfcd6 1901 default:
8c1d787b 1902 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 1903 break;
1904 }
1905
1906done:
0c1bc5c6
GP		 1907 if (chan->imtu != L2CAP_DEFAULT_MTU)
1908 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 1909
0c1bc5c6 1910 switch (chan->mode) {
65c7c491 1911 case L2CAP_MODE_BASIC:
8c1d787b
GP		 1912 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
1913 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 1914 break;
1915
62547752
GP		 1916 rfc.mode = L2CAP_MODE_BASIC;
1917 rfc.txwin_size = 0;
1918 rfc.max_transmit = 0;
1919 rfc.retrans_timeout = 0;
1920 rfc.monitor_timeout = 0;
1921 rfc.max_pdu_size = 0;
1922
63406504
GP		 1923 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
1924 (unsigned long) &rfc);
65c7c491
MH		 1925 break;
1926
1927 case L2CAP_MODE_ERTM:
1928 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61
GP		 1929 rfc.txwin_size = chan->tx_win;
1930 rfc.max_transmit = chan->max_tx;
f2fcfcd6
GP		 1931 rfc.retrans_timeout = 0;
1932 rfc.monitor_timeout = 0;
c74e560c 1933 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
8c1d787b
GP		 1934 if (L2CAP_DEFAULT_MAX_PDU_SIZE > chan->conn->mtu - 10)
1935 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
f2fcfcd6 1936
63406504
GP		 1937 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
1938 (unsigned long) &rfc);
1939
8c1d787b 1940 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 1941 break;
1942
47d1ec61 1943 if (chan->fcs == L2CAP_FCS_NONE ||
b4450035 1944 chan->conf_state & L2CAP_CONF_NO_FCS_RECV) {
47d1ec61
GP		 1945 chan->fcs = L2CAP_FCS_NONE;
1946 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 1947 }
f2fcfcd6
GP		 1948 break;
1949
1950 case L2CAP_MODE_STREAMING:
1951 rfc.mode = L2CAP_MODE_STREAMING;
1952 rfc.txwin_size = 0;
1953 rfc.max_transmit = 0;
1954 rfc.retrans_timeout = 0;
1955 rfc.monitor_timeout = 0;
c74e560c 1956 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
8c1d787b
GP		 1957 if (L2CAP_DEFAULT_MAX_PDU_SIZE > chan->conn->mtu - 10)
1958 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
65c7c491 1959
63406504
GP		 1960 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
1961 (unsigned long) &rfc);
1962
8c1d787b 1963 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 1964 break;
1965
47d1ec61 1966 if (chan->fcs == L2CAP_FCS_NONE ||
b4450035 1967 chan->conf_state & L2CAP_CONF_NO_FCS_RECV) {
47d1ec61
GP		 1968 chan->fcs = L2CAP_FCS_NONE;
1969 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 1970 }
65c7c491
MH		 1971 break;
1972 }
1da177e4 1973
fe4128e0 1974 req->dcid = cpu_to_le16(chan->dcid);
aca3192c 1975 req->flags = cpu_to_le16(0);
1da177e4
LT		 1976
1977 return ptr - data;
1978}
1979
73ffa904 1980static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 1981{
5dee9e7c
MH		 1982 struct l2cap_conf_rsp *rsp = data;
1983 void *ptr = rsp->data;
73ffa904
GP		 1984 void *req = chan->conf_req;
1985 int len = chan->conf_len;
5dee9e7c
MH		 1986 int type, hint, olen;
1987 unsigned long val;
6464f35f 1988 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
861d6882 1989 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 1990 u16 result = L2CAP_CONF_SUCCESS;
1da177e4 1991
73ffa904 1992 BT_DBG("chan %p", chan);
820ae1b8 1993
5dee9e7c
MH		 1994 while (len >= L2CAP_CONF_OPT_SIZE) {
1995 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 1996
589d2746 1997 hint = type & L2CAP_CONF_HINT;
47ec1dcd 1998 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 1999
2000 switch (type) {
2001 case L2CAP_CONF_MTU:
861d6882 2002 mtu = val;
5dee9e7c
MH		 2003 break;
2004
2005 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2006 chan->flush_to = val;
5dee9e7c
MH		 2007 break;
2008
2009 case L2CAP_CONF_QOS:
2010 break;
2011
6464f35f
MH		 2012 case L2CAP_CONF_RFC:
2013 if (olen == sizeof(rfc))
2014 memcpy(&rfc, (void *) val, olen);
2015 break;
2016
fcc203c3
GP		 2017 case L2CAP_CONF_FCS:
2018 if (val == L2CAP_FCS_NONE)
b4450035 2019 chan->conf_state |= L2CAP_CONF_NO_FCS_RECV;
fcc203c3
GP		 2020
2021 break;
2022
5dee9e7c
MH		 2023 default:
2024 if (hint)
2025 break;
2026
2027 result = L2CAP_CONF_UNKNOWN;
2028 *((u8 *) ptr++) = type;
2029 break;
2030 }
2031 }
2032
73ffa904 2033 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 2034 goto done;
2035
0c1bc5c6 2036 switch (chan->mode) {
f2fcfcd6
GP		 2037 case L2CAP_MODE_STREAMING:
2038 case L2CAP_MODE_ERTM:
b4450035 2039 if (!(chan->conf_state & L2CAP_CONF_STATE2_DEVICE)) {
0c1bc5c6 2040 chan->mode = l2cap_select_mode(rfc.mode,
8c1d787b 2041 chan->conn->feat_mask);
85eb53c6
GP		 2042 break;
2043 }
2044
0c1bc5c6 2045 if (chan->mode != rfc.mode)
f2fcfcd6 2046 return -ECONNREFUSED;
742e519b 2047
f2fcfcd6 2048 break;
f2fcfcd6
GP		 2049 }
2050
2051done:
0c1bc5c6 2052 if (chan->mode != rfc.mode) {
f2fcfcd6 2053 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2054 rfc.mode = chan->mode;
f2fcfcd6 2055
73ffa904 2056 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 2057 return -ECONNREFUSED;
2058
2059 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2060 sizeof(rfc), (unsigned long) &rfc);
2061 }
2062
2063
5dee9e7c
MH		 2064 if (result == L2CAP_CONF_SUCCESS) {
2065 /* Configure output options and let the other side know
2066 * which ones we don't like. */
2067
f2fcfcd6
GP		 2068 if (mtu < L2CAP_DEFAULT_MIN_MTU)
2069 result = L2CAP_CONF_UNACCEPT;
2070 else {
0c1bc5c6 2071 chan->omtu = mtu;
b4450035 2072 chan->conf_state |= L2CAP_CONF_MTU_DONE;
f2fcfcd6 2073 }
0c1bc5c6 2074 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 2075
f2fcfcd6
GP		 2076 switch (rfc.mode) {
2077 case L2CAP_MODE_BASIC:
47d1ec61 2078 chan->fcs = L2CAP_FCS_NONE;
b4450035 2079 chan->conf_state |= L2CAP_CONF_MODE_DONE;
f2fcfcd6
GP		 2080 break;
2081
2082 case L2CAP_MODE_ERTM:
2c03a7a4
GP		 2083 chan->remote_tx_win = rfc.txwin_size;
2084 chan->remote_max_tx = rfc.max_transmit;
86b1b263 2085
8c1d787b
GP		 2086 if (le16_to_cpu(rfc.max_pdu_size) > chan->conn->mtu - 10)
2087 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
1c762159 2088
2c03a7a4 2089 chan->remote_mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6 2090
10467e9e
GP		 2091 rfc.retrans_timeout =
2092 le16_to_cpu(L2CAP_DEFAULT_RETRANS_TO);
2093 rfc.monitor_timeout =
2094 le16_to_cpu(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6 2095
b4450035 2096 chan->conf_state |= L2CAP_CONF_MODE_DONE;
68ae6639
GP		 2097
2098 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2099 sizeof(rfc), (unsigned long) &rfc);
2100
f2fcfcd6
GP		 2101 break;
2102
2103 case L2CAP_MODE_STREAMING:
8c1d787b
GP		 2104 if (le16_to_cpu(rfc.max_pdu_size) > chan->conn->mtu - 10)
2105 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
1c762159 2106
2c03a7a4 2107 chan->remote_mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6 2108
b4450035 2109 chan->conf_state |= L2CAP_CONF_MODE_DONE;
68ae6639
GP		 2110
2111 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2112 sizeof(rfc), (unsigned long) &rfc);
2113
f2fcfcd6
GP		 2114 break;
2115
2116 default:
5dee9e7c 2117 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 2118
6464f35f 2119 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 2120 rfc.mode = chan->mode;
f2fcfcd6 2121 }
6464f35f 2122
f2fcfcd6 2123 if (result == L2CAP_CONF_SUCCESS)
b4450035 2124 chan->conf_state |= L2CAP_CONF_OUTPUT_DONE;
f2fcfcd6 2125 }
fe4128e0 2126 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c
MH		 2127 rsp->result = cpu_to_le16(result);
2128 rsp->flags = cpu_to_le16(0x0000);
2129
2130 return ptr - data;
1da177e4
LT		 2131}
2132
b4450035 2133static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
f2fcfcd6 2134{
f2fcfcd6
GP		 2135 struct l2cap_conf_req *req = data;
2136 void *ptr = req->data;
2137 int type, olen;
2138 unsigned long val;
2139 struct l2cap_conf_rfc rfc;
2140
fe4128e0 2141 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 2142
2143 while (len >= L2CAP_CONF_OPT_SIZE) {
2144 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2145
2146 switch (type) {
2147 case L2CAP_CONF_MTU:
2148 if (val < L2CAP_DEFAULT_MIN_MTU) {
2149 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2150 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 2151 } else
0c1bc5c6
GP		 2152 chan->imtu = val;
2153 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 2154 break;
2155
2156 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2157 chan->flush_to = val;
f2fcfcd6 2158 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
0c1bc5c6 2159 2, chan->flush_to);
f2fcfcd6
GP		 2160 break;
2161
2162 case L2CAP_CONF_RFC:
2163 if (olen == sizeof(rfc))
2164 memcpy(&rfc, (void *)val, olen);
2165
b4450035 2166 if ((chan->conf_state & L2CAP_CONF_STATE2_DEVICE) &&
0c1bc5c6 2167 rfc.mode != chan->mode)
f2fcfcd6
GP		 2168 return -ECONNREFUSED;
2169
47d1ec61 2170 chan->fcs = 0;
f2fcfcd6
GP		 2171
2172 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2173 sizeof(rfc), (unsigned long) &rfc);
2174 break;
2175 }
2176 }
2177
0c1bc5c6 2178 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 2179 return -ECONNREFUSED;
2180
0c1bc5c6 2181 chan->mode = rfc.mode;
6c2ea7a8 2182
f2fcfcd6
GP		 2183 if (*result == L2CAP_CONF_SUCCESS) {
2184 switch (rfc.mode) {
2185 case L2CAP_MODE_ERTM:
47d1ec61
GP		 2186 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2187 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2188 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2189 break;
2190 case L2CAP_MODE_STREAMING:
47d1ec61 2191 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2192 }
2193 }
2194
fe4128e0 2195 req->dcid = cpu_to_le16(chan->dcid);
f2fcfcd6
GP		 2196 req->flags = cpu_to_le16(0x0000);
2197
2198 return ptr - data;
2199}
2200
fe4128e0 2201static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
1da177e4
LT		 2202{
2203 struct l2cap_conf_rsp *rsp = data;
2204 void *ptr = rsp->data;
1da177e4 2205
fe4128e0 2206 BT_DBG("chan %p", chan);
1da177e4 2207
fe4128e0 2208 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 2209 rsp->result = cpu_to_le16(result);
aca3192c 2210 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 2211
2212 return ptr - data;
2213}
2214
8c1d787b 2215void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 2216{
2217 struct l2cap_conn_rsp rsp;
8c1d787b 2218 struct l2cap_conn *conn = chan->conn;
710f9b0a
GP		 2219 u8 buf[128];
2220
fe4128e0
GP		 2221 rsp.scid = cpu_to_le16(chan->dcid);
2222 rsp.dcid = cpu_to_le16(chan->scid);
710f9b0a
GP		 2223 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
2224 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
2225 l2cap_send_cmd(conn, chan->ident,
2226 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2227
b4450035 2228 if (chan->conf_state & L2CAP_CONF_REQ_SENT)
710f9b0a
GP		 2229 return;
2230
b4450035 2231 chan->conf_state |= L2CAP_CONF_REQ_SENT;
710f9b0a
GP		 2232 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2233 l2cap_build_conf_req(chan, buf), buf);
2234 chan->num_conf_req++;
2235}
2236
47d1ec61 2237static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 2238{
7b1c0049
GP		 2239 int type, olen;
2240 unsigned long val;
2241 struct l2cap_conf_rfc rfc;
2242
47d1ec61 2243 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 2244
0c1bc5c6 2245 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 2246 return;
2247
2248 while (len >= L2CAP_CONF_OPT_SIZE) {
2249 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2250
2251 switch (type) {
2252 case L2CAP_CONF_RFC:
2253 if (olen == sizeof(rfc))
2254 memcpy(&rfc, (void *)val, olen);
2255 goto done;
2256 }
2257 }
2258
2259done:
2260 switch (rfc.mode) {
2261 case L2CAP_MODE_ERTM:
47d1ec61
GP		 2262 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2263 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2264 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2265 break;
2266 case L2CAP_MODE_STREAMING:
47d1ec61 2267 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2268 }
2269}
2270
4e8402a3
MH		 2271static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2272{
2273 struct l2cap_cmd_rej *rej = (struct l2cap_cmd_rej *) data;
2274
2275 if (rej->reason != 0x0000)
2276 return 0;
2277
2278 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2279 cmd->ident == conn->info_ident) {
4e8402a3 2280 del_timer(&conn->info_timer);
984947dc
MH		 2281
2282 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2283 conn->info_ident = 0;
984947dc 2284
4e8402a3
MH		 2285 l2cap_conn_start(conn);
2286 }
2287
2288 return 0;
2289}
2290
1da177e4
LT		 2291static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2292{
1da177e4
LT		 2293 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
2294 struct l2cap_conn_rsp rsp;
23691d75 2295 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 2296 struct sock *parent, *sk = NULL;
e7c29cb1 2297 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2298
2299 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 2300 __le16 psm = req->psm;
1da177e4
LT		 2301
2302 BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
2303
2304 /* Check if we have socket listening on psm */
23691d75
GP		 2305 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src);
2306 if (!pchan) {
1da177e4
LT		 2307 result = L2CAP_CR_BAD_PSM;
2308 goto sendresp;
2309 }
2310
23691d75
GP		 2311 parent = pchan->sk;
2312
e0f0cb56
GP		 2313 bh_lock_sock(parent);
2314
e7c29cb1
MH		 2315 /* Check if the ACL is secure enough (if not SDP) */
2316 if (psm != cpu_to_le16(0x0001) &&
2317 !hci_conn_check_link_mode(conn->hcon)) {
2950f21a 2318 conn->disc_reason = 0x05;
e7c29cb1
MH		 2319 result = L2CAP_CR_SEC_BLOCK;
2320 goto response;
2321 }
2322
1da177e4
LT		 2323 result = L2CAP_CR_NO_MEM;
2324
2325 /* Check for backlog size */
2326 if (sk_acceptq_is_full(parent)) {
8e87d142 2327 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1da177e4
LT		 2328 goto response;
2329 }
2330
80808e43
GP		 2331 chan = pchan->ops->new_connection(pchan->data);
2332 if (!chan)
1da177e4
LT		 2333 goto response;
2334
80808e43
GP		 2335 sk = chan->sk;
2336
baa7e1fa 2337 write_lock_bh(&conn->chan_lock);
1da177e4
LT		 2338
2339 /* Check if we already have channel with that dcid */
baa7e1fa
GP		 2340 if (__l2cap_get_chan_by_dcid(conn, scid)) {
2341 write_unlock_bh(&conn->chan_lock);
1da177e4 2342 sock_set_flag(sk, SOCK_ZAPPED);
ba3bd0ee 2343 chan->ops->close(chan->data);
1da177e4
LT		 2344 goto response;
2345 }
2346
2347 hci_conn_hold(conn->hcon);
2348
1da177e4
LT		 2349 bacpy(&bt_sk(sk)->src, conn->src);
2350 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 2351 chan->psm = psm;
2352 chan->dcid = scid;
1da177e4 2353
d1010240
GP		 2354 bt_accept_enqueue(parent, sk);
2355
48454079
GP		 2356 __l2cap_chan_add(conn, chan);
2357
fe4128e0 2358 dcid = chan->scid;
1da177e4 2359
ab07801d 2360 l2cap_chan_set_timer(chan, sk->sk_sndtimeo);
1da177e4 2361
fc7f8a7e 2362 chan->ident = cmd->ident;
1da177e4 2363
984947dc 2364 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
4343478f 2365 if (l2cap_check_security(chan)) {
f66dc81f
MH		 2366 if (bt_sk(sk)->defer_setup) {
2367 sk->sk_state = BT_CONNECT2;
2368 result = L2CAP_CR_PEND;
2369 status = L2CAP_CS_AUTHOR_PEND;
2370 parent->sk_data_ready(parent, 0);
2371 } else {
2372 sk->sk_state = BT_CONFIG;
2373 result = L2CAP_CR_SUCCESS;
2374 status = L2CAP_CS_NO_INFO;
2375 }
79d554a6
MH		 2376 } else {
2377 sk->sk_state = BT_CONNECT2;
2378 result = L2CAP_CR_PEND;
2379 status = L2CAP_CS_AUTHEN_PEND;
2380 }
2381 } else {
2382 sk->sk_state = BT_CONNECT2;
2383 result = L2CAP_CR_PEND;
2384 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2385 }
2386
baa7e1fa 2387 write_unlock_bh(&conn->chan_lock);
1da177e4
LT		 2388
2389response:
2390 bh_unlock_sock(parent);
2391
2392sendresp:
aca3192c
YH		 2393 rsp.scid = cpu_to_le16(scid);
2394 rsp.dcid = cpu_to_le16(dcid);
2395 rsp.result = cpu_to_le16(result);
2396 rsp.status = cpu_to_le16(status);
1da177e4 2397 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 2398
2399 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
2400 struct l2cap_info_req info;
2401 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2402
2403 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
2404 conn->info_ident = l2cap_get_ident(conn);
2405
2406 mod_timer(&conn->info_timer, jiffies +
2407 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
2408
2409 l2cap_send_cmd(conn, conn->info_ident,
2410 L2CAP_INFO_REQ, sizeof(info), &info);
2411 }
2412
b4450035 2413 if (chan && !(chan->conf_state & L2CAP_CONF_REQ_SENT) &&
e9aeb2dd
GP		 2414 result == L2CAP_CR_SUCCESS) {
2415 u8 buf[128];
b4450035 2416 chan->conf_state |= L2CAP_CONF_REQ_SENT;
e9aeb2dd 2417 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2418 l2cap_build_conf_req(chan, buf), buf);
2419 chan->num_conf_req++;
e9aeb2dd
GP		 2420 }
2421
1da177e4
LT		 2422 return 0;
2423}
2424
2425static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2426{
2427 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
2428 u16 scid, dcid, result, status;
48454079 2429 struct l2cap_chan *chan;
1da177e4
LT		 2430 struct sock *sk;
2431 u8 req[128];
2432
2433 scid = __le16_to_cpu(rsp->scid);
2434 dcid = __le16_to_cpu(rsp->dcid);
2435 result = __le16_to_cpu(rsp->result);
2436 status = __le16_to_cpu(rsp->status);
2437
2438 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status);
2439
2440 if (scid) {
baa7e1fa 2441 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2442 if (!chan)
57d3b22b 2443 return -EFAULT;
1da177e4 2444 } else {
baa7e1fa 2445 chan = l2cap_get_chan_by_ident(conn, cmd->ident);
48454079 2446 if (!chan)
57d3b22b 2447 return -EFAULT;
1da177e4
LT		 2448 }
2449
48454079
GP		 2450 sk = chan->sk;
2451
1da177e4
LT		 2452 switch (result) {
2453 case L2CAP_CR_SUCCESS:
2454 sk->sk_state = BT_CONFIG;
fc7f8a7e 2455 chan->ident = 0;
fe4128e0 2456 chan->dcid = dcid;
b4450035 2457 chan->conf_state &= ~L2CAP_CONF_CONNECT_PEND;
6a8d3010 2458
b4450035 2459 if (chan->conf_state & L2CAP_CONF_REQ_SENT)
e9aeb2dd
GP		 2460 break;
2461
b4450035 2462 chan->conf_state |= L2CAP_CONF_REQ_SENT;
e9aeb2dd 2463
1da177e4 2464 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2465 l2cap_build_conf_req(chan, req), req);
2466 chan->num_conf_req++;
1da177e4
LT		 2467 break;
2468
2469 case L2CAP_CR_PEND:
b4450035 2470 chan->conf_state |= L2CAP_CONF_CONNECT_PEND;
1da177e4
LT		 2471 break;
2472
2473 default:
a49184c2
AE		 2474 /* don't delete l2cap channel if sk is owned by user */
2475 if (sock_owned_by_user(sk)) {
2476 sk->sk_state = BT_DISCONN;
ab07801d
GP		 2477 l2cap_chan_clear_timer(chan);
2478 l2cap_chan_set_timer(chan, HZ / 5);
a49184c2
AE		 2479 break;
2480 }
2481
48454079 2482 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 2483 break;
2484 }
2485
2486 bh_unlock_sock(sk);
2487 return 0;
2488}
2489
47d1ec61 2490static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60 2491{
47d1ec61
GP		 2492 struct l2cap_pinfo *pi = l2cap_pi(chan->sk);
2493
8c462b60
MM		 2494 /* FCS is enabled only in ERTM or streaming mode, if one or both
2495 * sides request it.
2496 */
0c1bc5c6 2497 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 2498 chan->fcs = L2CAP_FCS_NONE;
b4450035 2499 else if (!(pi->chan->conf_state & L2CAP_CONF_NO_FCS_RECV))
47d1ec61 2500 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 2501}
2502
88219a0f 2503static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 2504{
2505 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
2506 u16 dcid, flags;
2507 u8 rsp[64];
48454079 2508 struct l2cap_chan *chan;
1da177e4 2509 struct sock *sk;
5dee9e7c 2510 int len;
1da177e4
LT		 2511
2512 dcid = __le16_to_cpu(req->dcid);
2513 flags = __le16_to_cpu(req->flags);
2514
2515 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
2516
baa7e1fa 2517 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 2518 if (!chan)
1da177e4
LT		 2519 return -ENOENT;
2520
48454079
GP		 2521 sk = chan->sk;
2522
df6bd743
GP		 2523 if (sk->sk_state != BT_CONFIG) {
2524 struct l2cap_cmd_rej rej;
2525
2526 rej.reason = cpu_to_le16(0x0002);
2527 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
2528 sizeof(rej), &rej);
354f60a9 2529 goto unlock;
df6bd743 2530 }
354f60a9 2531
5dee9e7c 2532 /* Reject if config buffer is too small. */
88219a0f 2533 len = cmd_len - sizeof(*req);
73ffa904 2534 if (chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 2535 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 2536 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c
MH		 2537 L2CAP_CONF_REJECT, flags), rsp);
2538 goto unlock;
2539 }
2540
2541 /* Store config. */
73ffa904
GP		 2542 memcpy(chan->conf_req + chan->conf_len, req->data, len);
2543 chan->conf_len += len;
1da177e4
LT		 2544
2545 if (flags & 0x0001) {
2546 /* Incomplete config. Send empty response. */
2547 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 2548 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c 2549 L2CAP_CONF_SUCCESS, 0x0001), rsp);
1da177e4
LT		 2550 goto unlock;
2551 }
2552
2553 /* Complete config. */
73ffa904 2554 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 2555 if (len < 0) {
e92c8e70 2556 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4 2557 goto unlock;
f2fcfcd6 2558 }
1da177e4 2559
5dee9e7c 2560 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 2561 chan->num_conf_rsp++;
5dee9e7c 2562
5dee9e7c 2563 /* Reset config buffer. */
73ffa904 2564 chan->conf_len = 0;
5dee9e7c 2565
b4450035 2566 if (!(chan->conf_state & L2CAP_CONF_OUTPUT_DONE))
876d9484
MH		 2567 goto unlock;
2568
b4450035 2569 if (chan->conf_state & L2CAP_CONF_INPUT_DONE) {
47d1ec61 2570 set_default_fcs(chan);
fcc203c3 2571
1da177e4 2572 sk->sk_state = BT_CONNECTED;
e90bac06 2573
42e5c802
GP		 2574 chan->next_tx_seq = 0;
2575 chan->expected_tx_seq = 0;
58d35f87 2576 skb_queue_head_init(&chan->tx_q);
0c1bc5c6 2577 if (chan->mode == L2CAP_MODE_ERTM)
525cd185 2578 l2cap_ertm_init(chan);
0565c1c2 2579
1da177e4 2580 l2cap_chan_ready(sk);
876d9484
MH		 2581 goto unlock;
2582 }
2583
b4450035 2584 if (!(chan->conf_state & L2CAP_CONF_REQ_SENT)) {
79d554a6 2585 u8 buf[64];
b4450035 2586 chan->conf_state |= L2CAP_CONF_REQ_SENT;
1da177e4 2587 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2588 l2cap_build_conf_req(chan, buf), buf);
2589 chan->num_conf_req++;
1da177e4
LT		 2590 }
2591
2592unlock:
2593 bh_unlock_sock(sk);
2594 return 0;
2595}
2596
2597static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2598{
2599 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
2600 u16 scid, flags, result;
48454079 2601 struct l2cap_chan *chan;
1da177e4 2602 struct sock *sk;
7b1c0049 2603 int len = cmd->len - sizeof(*rsp);
1da177e4
LT		 2604
2605 scid = __le16_to_cpu(rsp->scid);
2606 flags = __le16_to_cpu(rsp->flags);
2607 result = __le16_to_cpu(rsp->result);
2608
af05b30b
GP		 2609 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x",
2610 scid, flags, result);
1da177e4 2611
baa7e1fa 2612 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2613 if (!chan)
1da177e4
LT		 2614 return 0;
2615
48454079
GP		 2616 sk = chan->sk;
2617
1da177e4
LT		 2618 switch (result) {
2619 case L2CAP_CONF_SUCCESS:
47d1ec61 2620 l2cap_conf_rfc_get(chan, rsp->data, len);
1da177e4
LT		 2621 break;
2622
2623 case L2CAP_CONF_UNACCEPT:
73ffa904 2624 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 2625 char req[64];
2626
c2c77ec8 2627 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
e92c8e70 2628 l2cap_send_disconn_req(conn, chan, ECONNRESET);
c2c77ec8
AE		 2629 goto done;
2630 }
2631
f2fcfcd6
GP		 2632 /* throw out any old stored conf requests */
2633 result = L2CAP_CONF_SUCCESS;
b4450035
GP		 2634 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2635 req, &result);
f2fcfcd6 2636 if (len < 0) {
e92c8e70 2637 l2cap_send_disconn_req(conn, chan, ECONNRESET);
f2fcfcd6
GP		 2638 goto done;
2639 }
2640
2641 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2642 L2CAP_CONF_REQ, len, req);
73ffa904 2643 chan->num_conf_req++;
f2fcfcd6
GP		 2644 if (result != L2CAP_CONF_SUCCESS)
2645 goto done;
2646 break;
1da177e4
LT		 2647 }
2648
8e87d142 2649 default:
b1235d79 2650 sk->sk_err = ECONNRESET;
ab07801d 2651 l2cap_chan_set_timer(chan, HZ * 5);
e92c8e70 2652 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4
LT		 2653 goto done;
2654 }
2655
2656 if (flags & 0x01)
2657 goto done;
2658
b4450035 2659 chan->conf_state |= L2CAP_CONF_INPUT_DONE;
1da177e4 2660
b4450035 2661 if (chan->conf_state & L2CAP_CONF_OUTPUT_DONE) {
47d1ec61 2662 set_default_fcs(chan);
fcc203c3 2663
1da177e4 2664 sk->sk_state = BT_CONNECTED;
42e5c802
GP		 2665 chan->next_tx_seq = 0;
2666 chan->expected_tx_seq = 0;
58d35f87 2667 skb_queue_head_init(&chan->tx_q);
0c1bc5c6 2668 if (chan->mode == L2CAP_MODE_ERTM)
525cd185 2669 l2cap_ertm_init(chan);
0565c1c2 2670
1da177e4
LT		 2671 l2cap_chan_ready(sk);
2672 }
2673
2674done:
2675 bh_unlock_sock(sk);
2676 return 0;
2677}
2678
2679static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2680{
2681 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
2682 struct l2cap_disconn_rsp rsp;
2683 u16 dcid, scid;
48454079 2684 struct l2cap_chan *chan;
1da177e4
LT		 2685 struct sock *sk;
2686
2687 scid = __le16_to_cpu(req->scid);
2688 dcid = __le16_to_cpu(req->dcid);
2689
2690 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
2691
baa7e1fa 2692 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 2693 if (!chan)
1da177e4
LT		 2694 return 0;
2695
48454079
GP		 2696 sk = chan->sk;
2697
fe4128e0
GP		 2698 rsp.dcid = cpu_to_le16(chan->scid);
2699 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 2700 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
2701
2702 sk->sk_shutdown = SHUTDOWN_MASK;
2703
a49184c2
AE		 2704 /* don't delete l2cap channel if sk is owned by user */
2705 if (sock_owned_by_user(sk)) {
2706 sk->sk_state = BT_DISCONN;
ab07801d
GP		 2707 l2cap_chan_clear_timer(chan);
2708 l2cap_chan_set_timer(chan, HZ / 5);
a49184c2
AE		 2709 bh_unlock_sock(sk);
2710 return 0;
2711 }
2712
48454079 2713 l2cap_chan_del(chan, ECONNRESET);
1da177e4
LT		 2714 bh_unlock_sock(sk);
2715
ba3bd0ee 2716 chan->ops->close(chan->data);
1da177e4
LT		 2717 return 0;
2718}
2719
2720static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2721{
2722 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
2723 u16 dcid, scid;
48454079 2724 struct l2cap_chan *chan;
1da177e4
LT		 2725 struct sock *sk;
2726
2727 scid = __le16_to_cpu(rsp->scid);
2728 dcid = __le16_to_cpu(rsp->dcid);
2729
2730 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
2731
baa7e1fa 2732 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2733 if (!chan)
1da177e4
LT		 2734 return 0;
2735
48454079
GP		 2736 sk = chan->sk;
2737
a49184c2
AE		 2738 /* don't delete l2cap channel if sk is owned by user */
2739 if (sock_owned_by_user(sk)) {
2740 sk->sk_state = BT_DISCONN;
ab07801d
GP		 2741 l2cap_chan_clear_timer(chan);
2742 l2cap_chan_set_timer(chan, HZ / 5);
a49184c2
AE		 2743 bh_unlock_sock(sk);
2744 return 0;
2745 }
2746
48454079 2747 l2cap_chan_del(chan, 0);
1da177e4
LT		 2748 bh_unlock_sock(sk);
2749
ba3bd0ee 2750 chan->ops->close(chan->data);
1da177e4
LT		 2751 return 0;
2752}
2753
2754static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2755{
2756 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 2757 u16 type;
2758
2759 type = __le16_to_cpu(req->type);
2760
2761 BT_DBG("type 0x%4.4x", type);
2762
f0709e03
MH		 2763 if (type == L2CAP_IT_FEAT_MASK) {
2764 u8 buf[8];
44dd46de 2765 u32 feat_mask = l2cap_feat_mask;
f0709e03
MH		 2766 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2767 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2768 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 2769 if (!disable_ertm)
fcc203c3
GP		 2770 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
2771 | L2CAP_FEAT_FCS;
1b7bf4ed 2772 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 2773 l2cap_send_cmd(conn, cmd->ident,
2774 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 2775 } else if (type == L2CAP_IT_FIXED_CHAN) {
2776 u8 buf[12];
2777 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2778 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2779 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
2780 memcpy(buf + 4, l2cap_fixed_chan, 8);
2781 l2cap_send_cmd(conn, cmd->ident,
2782 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 2783 } else {
2784 struct l2cap_info_rsp rsp;
2785 rsp.type = cpu_to_le16(type);
2786 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
2787 l2cap_send_cmd(conn, cmd->ident,
2788 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
2789 }
1da177e4
LT		 2790
2791 return 0;
2792}
2793
2794static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2795{
2796 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
2797 u16 type, result;
2798
2799 type = __le16_to_cpu(rsp->type);
2800 result = __le16_to_cpu(rsp->result);
2801
2802 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
2803
e90165be
AE		 2804 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
2805 if (cmd->ident != conn->info_ident ||
2806 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
2807 return 0;
2808
4e8402a3
MH		 2809 del_timer(&conn->info_timer);
2810
adb08ede
VT		 2811 if (result != L2CAP_IR_SUCCESS) {
2812 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2813 conn->info_ident = 0;
2814
2815 l2cap_conn_start(conn);
2816
2817 return 0;
2818 }
2819
984947dc 2820 if (type == L2CAP_IT_FEAT_MASK) {
83985319 2821 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 2822
47ec1dcd 2823 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c
MH		 2824 struct l2cap_info_req req;
2825 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2826
2827 conn->info_ident = l2cap_get_ident(conn);
2828
2829 l2cap_send_cmd(conn, conn->info_ident,
2830 L2CAP_INFO_REQ, sizeof(req), &req);
2831 } else {
2832 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2833 conn->info_ident = 0;
2834
2835 l2cap_conn_start(conn);
2836 }
2837 } else if (type == L2CAP_IT_FIXED_CHAN) {
984947dc 2838 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2839 conn->info_ident = 0;
984947dc
MH		 2840
2841 l2cap_conn_start(conn);
2842 }
4e8402a3 2843
1da177e4
LT		 2844 return 0;
2845}
2846
e2174ca4 2847static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
de73115a
CT		 2848 u16 to_multiplier)
2849{
2850 u16 max_latency;
2851
2852 if (min > max || min < 6 || max > 3200)
2853 return -EINVAL;
2854
2855 if (to_multiplier < 10 || to_multiplier > 3200)
2856 return -EINVAL;
2857
2858 if (max >= to_multiplier * 8)
2859 return -EINVAL;
2860
2861 max_latency = (to_multiplier * 8 / max) - 1;
2862 if (latency > 499 || latency > max_latency)
2863 return -EINVAL;
2864
2865 return 0;
2866}
2867
2868static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
2869 struct l2cap_cmd_hdr *cmd, u8 *data)
2870{
2871 struct hci_conn *hcon = conn->hcon;
2872 struct l2cap_conn_param_update_req *req;
2873 struct l2cap_conn_param_update_rsp rsp;
2874 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 2875 int err;
de73115a
CT		 2876
2877 if (!(hcon->link_mode & HCI_LM_MASTER))
2878 return -EINVAL;
2879
2880 cmd_len = __le16_to_cpu(cmd->len);
2881 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
2882 return -EPROTO;
2883
2884 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 2885 min = __le16_to_cpu(req->min);
2886 max = __le16_to_cpu(req->max);
de73115a
CT		 2887 latency = __le16_to_cpu(req->latency);
2888 to_multiplier = __le16_to_cpu(req->to_multiplier);
2889
2890 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
2891 min, max, latency, to_multiplier);
2892
2893 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 2894
2895 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
2896 if (err)
de73115a
CT		 2897 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
2898 else
2899 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
2900
2901 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
2902 sizeof(rsp), &rsp);
2903
2ce603eb
CT		 2904 if (!err)
2905 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
2906
de73115a
CT		 2907 return 0;
2908}
2909
3300d9a9
CT		 2910static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
2911 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
2912{
2913 int err = 0;
2914
2915 switch (cmd->code) {
2916 case L2CAP_COMMAND_REJ:
2917 l2cap_command_rej(conn, cmd, data);
2918 break;
2919
2920 case L2CAP_CONN_REQ:
2921 err = l2cap_connect_req(conn, cmd, data);
2922 break;
2923
2924 case L2CAP_CONN_RSP:
2925 err = l2cap_connect_rsp(conn, cmd, data);
2926 break;
2927
2928 case L2CAP_CONF_REQ:
2929 err = l2cap_config_req(conn, cmd, cmd_len, data);
2930 break;
2931
2932 case L2CAP_CONF_RSP:
2933 err = l2cap_config_rsp(conn, cmd, data);
2934 break;
2935
2936 case L2CAP_DISCONN_REQ:
2937 err = l2cap_disconnect_req(conn, cmd, data);
2938 break;
2939
2940 case L2CAP_DISCONN_RSP:
2941 err = l2cap_disconnect_rsp(conn, cmd, data);
2942 break;
2943
2944 case L2CAP_ECHO_REQ:
2945 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
2946 break;
2947
2948 case L2CAP_ECHO_RSP:
2949 break;
2950
2951 case L2CAP_INFO_REQ:
2952 err = l2cap_information_req(conn, cmd, data);
2953 break;
2954
2955 case L2CAP_INFO_RSP:
2956 err = l2cap_information_rsp(conn, cmd, data);
2957 break;
2958
2959 default:
2960 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
2961 err = -EINVAL;
2962 break;
2963 }
2964
2965 return err;
2966}
2967
2968static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
2969 struct l2cap_cmd_hdr *cmd, u8 *data)
2970{
2971 switch (cmd->code) {
2972 case L2CAP_COMMAND_REJ:
2973 return 0;
2974
2975 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 2976 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 2977
2978 case L2CAP_CONN_PARAM_UPDATE_RSP:
2979 return 0;
2980
2981 default:
2982 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
2983 return -EINVAL;
2984 }
2985}
2986
2987static inline void l2cap_sig_channel(struct l2cap_conn *conn,
2988 struct sk_buff *skb)
1da177e4
LT		 2989{
2990 u8 *data = skb->data;
2991 int len = skb->len;
2992 struct l2cap_cmd_hdr cmd;
3300d9a9 2993 int err;
1da177e4
LT		 2994
2995 l2cap_raw_recv(conn, skb);
2996
2997 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 2998 u16 cmd_len;
1da177e4
LT		 2999 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
3000 data += L2CAP_CMD_HDR_SIZE;
3001 len -= L2CAP_CMD_HDR_SIZE;
3002
88219a0f 3003 cmd_len = le16_to_cpu(cmd.len);
1da177e4 3004
88219a0f 3005 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 3006
88219a0f 3007 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 3008 BT_DBG("corrupted command");
3009 break;
3010 }
3011
3300d9a9
CT		 3012 if (conn->hcon->type == LE_LINK)
3013 err = l2cap_le_sig_cmd(conn, &cmd, data);
3014 else
3015 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 3016
3017 if (err) {
3018 struct l2cap_cmd_rej rej;
2c6d1a2e
GP		 3019
3020 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 3021
3022 /* FIXME: Map err to a valid reason */
aca3192c 3023 rej.reason = cpu_to_le16(0);
1da177e4
LT		 3024 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3025 }
3026
88219a0f
AV		 3027 data += cmd_len;
3028 len -= cmd_len;
1da177e4
LT		 3029 }
3030
3031 kfree_skb(skb);
3032}
3033
47d1ec61 3034static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 3035{
3036 u16 our_fcs, rcv_fcs;
3037 int hdr_size = L2CAP_HDR_SIZE + 2;
3038
47d1ec61 3039 if (chan->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 3040 skb_trim(skb, skb->len - 2);
3041 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
3042 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
3043
3044 if (our_fcs != rcv_fcs)
7a560e5c 3045 return -EBADMSG;
fcc203c3
GP		 3046 }
3047 return 0;
3048}
3049
525cd185 3050static inline void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 3051{
d5392c8f
GP		 3052 u16 control = 0;
3053
6a026610 3054 chan->frames_sent = 0;
d5392c8f 3055
42e5c802 3056 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
d5392c8f 3057
525cd185 3058 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
64988868 3059 control |= L2CAP_SUPER_RCV_NOT_READY;
525cd185
GP		 3060 l2cap_send_sframe(chan, control);
3061 chan->conn_state |= L2CAP_CONN_RNR_SENT;
d5392c8f
GP		 3062 }
3063
525cd185
GP		 3064 if (chan->conn_state & L2CAP_CONN_REMOTE_BUSY)
3065 l2cap_retransmit_frames(chan);
d5392c8f 3066
525cd185 3067 l2cap_ertm_send(chan);
d5392c8f 3068
525cd185 3069 if (!(chan->conn_state & L2CAP_CONN_LOCAL_BUSY) &&
6a026610 3070 chan->frames_sent == 0) {
d5392c8f 3071 control |= L2CAP_SUPER_RCV_READY;
525cd185 3072 l2cap_send_sframe(chan, control);
d5392c8f
GP		 3073 }
3074}
3075
42e5c802 3076static int l2cap_add_to_srej_queue(struct l2cap_chan *chan, struct sk_buff *skb, u8 tx_seq, u8 sar)
8f17154f
GP		 3077{
3078 struct sk_buff *next_skb;
bfbacc11 3079 int tx_seq_offset, next_tx_seq_offset;
8f17154f
GP		 3080
3081 bt_cb(skb)->tx_seq = tx_seq;
3082 bt_cb(skb)->sar = sar;
3083
f1c6775b 3084 next_skb = skb_peek(&chan->srej_q);
8f17154f 3085 if (!next_skb) {
f1c6775b 3086 __skb_queue_tail(&chan->srej_q, skb);
9b53350d 3087 return 0;
8f17154f
GP		 3088 }
3089
42e5c802 3090 tx_seq_offset = (tx_seq - chan->buffer_seq) % 64;
bfbacc11
JPRV		 3091 if (tx_seq_offset < 0)
3092 tx_seq_offset += 64;
3093
8f17154f 3094 do {
9b53350d
JPRV		 3095 if (bt_cb(next_skb)->tx_seq == tx_seq)
3096 return -EINVAL;
3097
bfbacc11 3098 next_tx_seq_offset = (bt_cb(next_skb)->tx_seq -
42e5c802 3099 chan->buffer_seq) % 64;
bfbacc11
JPRV		 3100 if (next_tx_seq_offset < 0)
3101 next_tx_seq_offset += 64;
3102
3103 if (next_tx_seq_offset > tx_seq_offset) {
f1c6775b 3104 __skb_queue_before(&chan->srej_q, next_skb, skb);
9b53350d 3105 return 0;
8f17154f
GP		 3106 }
3107
f1c6775b 3108 if (skb_queue_is_last(&chan->srej_q, next_skb))
8f17154f
GP		 3109 break;
3110
f1c6775b 3111 } while ((next_skb = skb_queue_next(&chan->srej_q, next_skb)));
8f17154f 3112
f1c6775b 3113 __skb_queue_tail(&chan->srej_q, skb);
9b53350d
JPRV		 3114
3115 return 0;
8f17154f
GP		 3116}
3117
525cd185 3118static int l2cap_ertm_reassembly_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u16 control)
18778a63 3119{
18778a63 3120 struct sk_buff *_skb;
1890d36b 3121 int err;
18778a63
GP		 3122
3123 switch (control & L2CAP_CTRL_SAR) {
3124 case L2CAP_SDU_UNSEGMENTED:
525cd185 3125 if (chan->conn_state & L2CAP_CONN_SAR_SDU)
18778a63
GP		 3126 goto drop;
3127
23070494 3128 return chan->ops->recv(chan->data, skb);
18778a63
GP		 3129
3130 case L2CAP_SDU_START:
525cd185 3131 if (chan->conn_state & L2CAP_CONN_SAR_SDU)
18778a63
GP		 3132 goto drop;
3133
6f61fd47 3134 chan->sdu_len = get_unaligned_le16(skb->data);
18778a63 3135
0c1bc5c6 3136 if (chan->sdu_len > chan->imtu)
18778a63
GP		 3137 goto disconnect;
3138
6f61fd47
GP		 3139 chan->sdu = bt_skb_alloc(chan->sdu_len, GFP_ATOMIC);
3140 if (!chan->sdu)
1890d36b
GP		 3141 return -ENOMEM;
3142
3143 /* pull sdu_len bytes only after alloc, because of Local Busy
3144 * condition we have to be sure that this will be executed
3145 * only once, i.e., when alloc does not fail */
3146 skb_pull(skb, 2);
18778a63 3147
6f61fd47 3148 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
18778a63 3149
525cd185 3150 chan->conn_state |= L2CAP_CONN_SAR_SDU;
6f61fd47 3151 chan->partial_sdu_len = skb->len;
18778a63
GP		 3152 break;
3153
3154 case L2CAP_SDU_CONTINUE:
525cd185 3155 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
18778a63
GP		 3156 goto disconnect;
3157
6f61fd47 3158 if (!chan->sdu)
18778a63
GP		 3159 goto disconnect;
3160
6f61fd47
GP		 3161 chan->partial_sdu_len += skb->len;
3162 if (chan->partial_sdu_len > chan->sdu_len)
18778a63
GP		 3163 goto drop;
3164
6f61fd47 3165 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
4178ba46 3166
18778a63
GP		 3167 break;
3168
3169 case L2CAP_SDU_END:
525cd185 3170 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
18778a63
GP		 3171 goto disconnect;
3172
6f61fd47 3173 if (!chan->sdu)
18778a63
GP		 3174 goto disconnect;
3175
525cd185 3176 if (!(chan->conn_state & L2CAP_CONN_SAR_RETRY)) {
6f61fd47 3177 chan->partial_sdu_len += skb->len;
18778a63 3178
0c1bc5c6 3179 if (chan->partial_sdu_len > chan->imtu)
1890d36b 3180 goto drop;
18778a63 3181
6f61fd47 3182 if (chan->partial_sdu_len != chan->sdu_len)
1890d36b 3183 goto drop;
4178ba46 3184
6f61fd47 3185 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
1890d36b 3186 }
18778a63 3187
6f61fd47 3188 _skb = skb_clone(chan->sdu, GFP_ATOMIC);
1890d36b 3189 if (!_skb) {
525cd185 3190 chan->conn_state |= L2CAP_CONN_SAR_RETRY;
1890d36b
GP		 3191 return -ENOMEM;
3192 }
3193
23070494 3194 err = chan->ops->recv(chan->data, _skb);
1890d36b 3195 if (err < 0) {
18778a63 3196 kfree_skb(_skb);
525cd185 3197 chan->conn_state |= L2CAP_CONN_SAR_RETRY;
1890d36b
GP		 3198 return err;
3199 }
3200
525cd185
GP		 3201 chan->conn_state &= ~L2CAP_CONN_SAR_RETRY;
3202 chan->conn_state &= ~L2CAP_CONN_SAR_SDU;
18778a63 3203
6f61fd47 3204 kfree_skb(chan->sdu);
18778a63
GP		 3205 break;
3206 }
3207
3208 kfree_skb(skb);
1890d36b 3209 return 0;
18778a63
GP		 3210
3211drop:
6f61fd47
GP		 3212 kfree_skb(chan->sdu);
3213 chan->sdu = NULL;
18778a63
GP		 3214
3215disconnect:
8c1d787b 3216 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
18778a63
GP		 3217 kfree_skb(skb);
3218 return 0;
3219}
3220
525cd185 3221static int l2cap_try_push_rx_skb(struct l2cap_chan *chan)
712132eb 3222{
712132eb
GP		 3223 struct sk_buff *skb;
3224 u16 control;
3225 int err;
3226
f1c6775b 3227 while ((skb = skb_dequeue(&chan->busy_q))) {
712132eb 3228 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
525cd185 3229 err = l2cap_ertm_reassembly_sdu(chan, skb, control);
712132eb 3230 if (err < 0) {
f1c6775b 3231 skb_queue_head(&chan->busy_q, skb);
712132eb
GP		 3232 return -EBUSY;
3233 }
3234
42e5c802 3235 chan->buffer_seq = (chan->buffer_seq + 1) % 64;
712132eb
GP		 3236 }
3237
525cd185 3238 if (!(chan->conn_state & L2CAP_CONN_RNR_SENT))
712132eb
GP		 3239 goto done;
3240
42e5c802 3241 control = chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
712132eb 3242 control |= L2CAP_SUPER_RCV_READY | L2CAP_CTRL_POLL;
525cd185 3243 l2cap_send_sframe(chan, control);
6a026610 3244 chan->retry_count = 1;
712132eb 3245
e92c8e70 3246 del_timer(&chan->retrans_timer);
712132eb
GP		 3247 __mod_monitor_timer();
3248
525cd185 3249 chan->conn_state |= L2CAP_CONN_WAIT_F;
712132eb
GP		 3250
3251done:
525cd185
GP		 3252 chan->conn_state &= ~L2CAP_CONN_LOCAL_BUSY;
3253 chan->conn_state &= ~L2CAP_CONN_RNR_SENT;
712132eb 3254
49208c9c 3255 BT_DBG("chan %p, Exit local busy", chan);
712132eb
GP		 3256
3257 return 0;
3258}
3259
1890d36b
GP		 3260static void l2cap_busy_work(struct work_struct *work)
3261{
3262 DECLARE_WAITQUEUE(wait, current);
311bb895
GP		 3263 struct l2cap_chan *chan =
3264 container_of(work, struct l2cap_chan, busy_work);
3265 struct sock *sk = chan->sk;
1890d36b
GP		 3266 int n_tries = 0, timeo = HZ/5, err;
3267 struct sk_buff *skb;
1890d36b
GP		 3268
3269 lock_sock(sk);
3270
2b0b05dd 3271 add_wait_queue(sk_sleep(sk), &wait);
311bb895 3272 while ((skb = skb_peek(&chan->busy_q))) {
1890d36b
GP		 3273 set_current_state(TASK_INTERRUPTIBLE);
3274
3275 if (n_tries++ > L2CAP_LOCAL_BUSY_TRIES) {
3276 err = -EBUSY;
8c1d787b 3277 l2cap_send_disconn_req(chan->conn, chan, EBUSY);
712132eb 3278 break;
1890d36b
GP		 3279 }
3280
3281 if (!timeo)
3282 timeo = HZ/5;
3283
3284 if (signal_pending(current)) {
3285 err = sock_intr_errno(timeo);
712132eb 3286 break;
1890d36b
GP		 3287 }
3288
3289 release_sock(sk);
3290 timeo = schedule_timeout(timeo);
3291 lock_sock(sk);
3292
3293 err = sock_error(sk);
3294 if (err)
712132eb 3295 break;
1890d36b 3296
311bb895 3297 if (l2cap_try_push_rx_skb(chan) == 0)
1890d36b
GP		 3298 break;
3299 }
3300
1890d36b 3301 set_current_state(TASK_RUNNING);
2b0b05dd 3302 remove_wait_queue(sk_sleep(sk), &wait);
1890d36b
GP		 3303
3304 release_sock(sk);
3305}
3306
525cd185 3307static int l2cap_push_rx_skb(struct l2cap_chan *chan, struct sk_buff *skb, u16 control)
1890d36b 3308{
1890d36b
GP		 3309 int sctrl, err;
3310
525cd185 3311 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
1890d36b 3312 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
f1c6775b 3313 __skb_queue_tail(&chan->busy_q, skb);
525cd185 3314 return l2cap_try_push_rx_skb(chan);
712132eb
GP		 3315
3316
1890d36b
GP		 3317 }
3318
525cd185 3319 err = l2cap_ertm_reassembly_sdu(chan, skb, control);
1890d36b 3320 if (err >= 0) {
42e5c802 3321 chan->buffer_seq = (chan->buffer_seq + 1) % 64;
1890d36b
GP		 3322 return err;
3323 }
3324
3325 /* Busy Condition */
311bb895 3326 BT_DBG("chan %p, Enter local busy", chan);
0e98958d 3327
525cd185 3328 chan->conn_state |= L2CAP_CONN_LOCAL_BUSY;
1890d36b 3329 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
f1c6775b 3330 __skb_queue_tail(&chan->busy_q, skb);
1890d36b 3331
42e5c802 3332 sctrl = chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1890d36b 3333 sctrl |= L2CAP_SUPER_RCV_NOT_READY;
525cd185 3334 l2cap_send_sframe(chan, sctrl);
1890d36b 3335
525cd185 3336 chan->conn_state |= L2CAP_CONN_RNR_SENT;
1890d36b 3337
e92c8e70 3338 del_timer(&chan->ack_timer);
7fe9b298 3339
311bb895 3340 queue_work(_busy_wq, &chan->busy_work);
1890d36b
GP		 3341
3342 return err;
3343}
3344
525cd185 3345static int l2cap_streaming_reassembly_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u16 control)
c74e560c 3346{
c74e560c
GP		 3347 struct sk_buff *_skb;
3348 int err = -EINVAL;
3349
18778a63
GP		 3350 /*
3351 * TODO: We have to notify the userland if some data is lost with the
3352 * Streaming Mode.
3353 */
3354
c74e560c
GP		 3355 switch (control & L2CAP_CTRL_SAR) {
3356 case L2CAP_SDU_UNSEGMENTED:
525cd185 3357 if (chan->conn_state & L2CAP_CONN_SAR_SDU) {
6f61fd47 3358 kfree_skb(chan->sdu);
c74e560c
GP		 3359 break;
3360 }
3361
23070494 3362 err = chan->ops->recv(chan->data, skb);
c74e560c
GP		 3363 if (!err)
3364 return 0;
3365
3366 break;
3367
3368 case L2CAP_SDU_START:
525cd185 3369 if (chan->conn_state & L2CAP_CONN_SAR_SDU) {
6f61fd47 3370 kfree_skb(chan->sdu);
c74e560c
GP		 3371 break;
3372 }
3373
6f61fd47 3374 chan->sdu_len = get_unaligned_le16(skb->data);
c74e560c
GP		 3375 skb_pull(skb, 2);
3376
0c1bc5c6 3377 if (chan->sdu_len > chan->imtu) {
052897ca
GP		 3378 err = -EMSGSIZE;
3379 break;
3380 }
3381
6f61fd47
GP		 3382 chan->sdu = bt_skb_alloc(chan->sdu_len, GFP_ATOMIC);
3383 if (!chan->sdu) {
c74e560c
GP		 3384 err = -ENOMEM;
3385 break;
3386 }
3387
6f61fd47 3388 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
c74e560c 3389
525cd185 3390 chan->conn_state |= L2CAP_CONN_SAR_SDU;
6f61fd47 3391 chan->partial_sdu_len = skb->len;
c74e560c
GP		 3392 err = 0;
3393 break;
3394
3395 case L2CAP_SDU_CONTINUE:
525cd185 3396 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
c74e560c
GP		 3397 break;
3398
6f61fd47 3399 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
c74e560c 3400
6f61fd47
GP		 3401 chan->partial_sdu_len += skb->len;
3402 if (chan->partial_sdu_len > chan->sdu_len)
3403 kfree_skb(chan->sdu);
c74e560c
GP		 3404 else
3405 err = 0;
3406
3407 break;
3408
3409 case L2CAP_SDU_END:
525cd185 3410 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
c74e560c
GP		 3411 break;
3412
6f61fd47 3413 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
c74e560c 3414
525cd185 3415 chan->conn_state &= ~L2CAP_CONN_SAR_SDU;
6f61fd47 3416 chan->partial_sdu_len += skb->len;
c74e560c 3417
0c1bc5c6 3418 if (chan->partial_sdu_len > chan->imtu)
36f2fd58
GP		 3419 goto drop;
3420
6f61fd47
GP		 3421 if (chan->partial_sdu_len == chan->sdu_len) {
3422 _skb = skb_clone(chan->sdu, GFP_ATOMIC);
23070494 3423 err = chan->ops->recv(chan->data, _skb);
c74e560c
GP		 3424 if (err < 0)
3425 kfree_skb(_skb);
3426 }
c74e560c
GP		 3427 err = 0;
3428
36f2fd58 3429drop:
6f61fd47 3430 kfree_skb(chan->sdu);
c74e560c
GP		 3431 break;
3432 }
3433
3434 kfree_skb(skb);
3435 return err;
3436}
3437
525cd185 3438static void l2cap_check_srej_gap(struct l2cap_chan *chan, u8 tx_seq)
8f17154f
GP		 3439{
3440 struct sk_buff *skb;
afefdbc4 3441 u16 control;
8f17154f 3442
f1c6775b 3443 while ((skb = skb_peek(&chan->srej_q))) {
8f17154f
GP		 3444 if (bt_cb(skb)->tx_seq != tx_seq)
3445 break;
3446
f1c6775b 3447 skb = skb_dequeue(&chan->srej_q);
afefdbc4 3448 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
525cd185 3449 l2cap_ertm_reassembly_sdu(chan, skb, control);
42e5c802
GP		 3450 chan->buffer_seq_srej =
3451 (chan->buffer_seq_srej + 1) % 64;
8ff50ec0 3452 tx_seq = (tx_seq + 1) % 64;
8f17154f
GP		 3453 }
3454}
3455
525cd185 3456static void l2cap_resend_srejframe(struct l2cap_chan *chan, u8 tx_seq)
8f17154f 3457{
8f17154f
GP		 3458 struct srej_list *l, *tmp;
3459 u16 control;
3460
39d5a3ee 3461 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
8f17154f
GP		 3462 if (l->tx_seq == tx_seq) {
3463 list_del(&l->list);
3464 kfree(l);
3465 return;
3466 }
3467 control = L2CAP_SUPER_SELECT_REJECT;
3468 control |= l->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
525cd185 3469 l2cap_send_sframe(chan, control);
8f17154f 3470 list_del(&l->list);
39d5a3ee 3471 list_add_tail(&l->list, &chan->srej_l);
8f17154f
GP		 3472 }
3473}
3474
525cd185 3475static void l2cap_send_srejframe(struct l2cap_chan *chan, u8 tx_seq)
8f17154f 3476{
8f17154f
GP		 3477 struct srej_list *new;
3478 u16 control;
3479
42e5c802 3480 while (tx_seq != chan->expected_tx_seq) {
8f17154f 3481 control = L2CAP_SUPER_SELECT_REJECT;
42e5c802 3482 control |= chan->expected_tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
525cd185 3483 l2cap_send_sframe(chan, control);
8f17154f
GP		 3484
3485 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
42e5c802
GP		 3486 new->tx_seq = chan->expected_tx_seq;
3487 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
39d5a3ee 3488 list_add_tail(&new->list, &chan->srej_l);
8f17154f 3489 }
42e5c802 3490 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
8f17154f
GP		 3491}
3492
525cd185 3493static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u16 rx_control, struct sk_buff *skb)
1c2acffb 3494{
1c2acffb 3495 u8 tx_seq = __get_txseq(rx_control);
9f121a5a 3496 u8 req_seq = __get_reqseq(rx_control);
8f17154f 3497 u8 sar = rx_control >> L2CAP_CTRL_SAR_SHIFT;
f6337c77 3498 int tx_seq_offset, expected_tx_seq_offset;
47d1ec61 3499 int num_to_ack = (chan->tx_win/6) + 1;
1c2acffb
GP		 3500 int err = 0;
3501
525cd185
GP		 3502 BT_DBG("chan %p len %d tx_seq %d rx_control 0x%4.4x", chan, skb->len,
3503 tx_seq, rx_control);
1c2acffb 3504
9b16dc65 3505 if (L2CAP_CTRL_FINAL & rx_control &&
525cd185 3506 chan->conn_state & L2CAP_CONN_WAIT_F) {
e92c8e70 3507 del_timer(&chan->monitor_timer);
6a026610 3508 if (chan->unacked_frames > 0)
1d8f5d16 3509 __mod_retrans_timer();
525cd185 3510 chan->conn_state &= ~L2CAP_CONN_WAIT_F;
1d8f5d16
GP		 3511 }
3512
42e5c802
GP		 3513 chan->expected_ack_seq = req_seq;
3514 l2cap_drop_acked_frames(chan);
9f121a5a 3515
42e5c802 3516 if (tx_seq == chan->expected_tx_seq)
8f17154f 3517 goto expected;
1c2acffb 3518
42e5c802 3519 tx_seq_offset = (tx_seq - chan->buffer_seq) % 64;
9b53350d
JPRV		 3520 if (tx_seq_offset < 0)
3521 tx_seq_offset += 64;
3522
3523 /* invalid tx_seq */
47d1ec61 3524 if (tx_seq_offset >= chan->tx_win) {
8c1d787b 3525 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
9b53350d
JPRV		 3526 goto drop;
3527 }
3528
e6949280 3529 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY)
1890d36b
GP		 3530 goto drop;
3531
525cd185 3532 if (chan->conn_state & L2CAP_CONN_SREJ_SENT) {
8f17154f 3533 struct srej_list *first;
30afb5b2 3534
39d5a3ee 3535 first = list_first_entry(&chan->srej_l,
8f17154f
GP		 3536 struct srej_list, list);
3537 if (tx_seq == first->tx_seq) {
42e5c802 3538 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
525cd185 3539 l2cap_check_srej_gap(chan, tx_seq);
8f17154f
GP		 3540
3541 list_del(&first->list);
3542 kfree(first);
3543
39d5a3ee 3544 if (list_empty(&chan->srej_l)) {
42e5c802 3545 chan->buffer_seq = chan->buffer_seq_srej;
525cd185
GP		 3546 chan->conn_state &= ~L2CAP_CONN_SREJ_SENT;
3547 l2cap_send_ack(chan);
49208c9c 3548 BT_DBG("chan %p, Exit SREJ_SENT", chan);
8f17154f
GP		 3549 }
3550 } else {
3551 struct srej_list *l;
9b53350d
JPRV		 3552
3553 /* duplicated tx_seq */
42e5c802 3554 if (l2cap_add_to_srej_queue(chan, skb, tx_seq, sar) < 0)
9b53350d 3555 goto drop;
8f17154f 3556
39d5a3ee 3557 list_for_each_entry(l, &chan->srej_l, list) {
8f17154f 3558 if (l->tx_seq == tx_seq) {
525cd185 3559 l2cap_resend_srejframe(chan, tx_seq);
8f17154f
GP		 3560 return 0;
3561 }
3562 }
525cd185 3563 l2cap_send_srejframe(chan, tx_seq);
30afb5b2
GP		 3564 }
3565 } else {
9b53350d 3566 expected_tx_seq_offset =
42e5c802 3567 (chan->expected_tx_seq - chan->buffer_seq) % 64;
9b53350d
JPRV		 3568 if (expected_tx_seq_offset < 0)
3569 expected_tx_seq_offset += 64;
3570
3571 /* duplicated tx_seq */
3572 if (tx_seq_offset < expected_tx_seq_offset)
3573 goto drop;
3574
525cd185 3575 chan->conn_state |= L2CAP_CONN_SREJ_SENT;
1c2acffb 3576
49208c9c 3577 BT_DBG("chan %p, Enter SREJ", chan);
0e98958d 3578
39d5a3ee 3579 INIT_LIST_HEAD(&chan->srej_l);
42e5c802 3580 chan->buffer_seq_srej = chan->buffer_seq;
8f17154f 3581
f1c6775b
GP		 3582 __skb_queue_head_init(&chan->srej_q);
3583 __skb_queue_head_init(&chan->busy_q);
42e5c802 3584 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
8f17154f 3585
525cd185 3586 chan->conn_state |= L2CAP_CONN_SEND_PBIT;
ef54fd93 3587
525cd185 3588 l2cap_send_srejframe(chan, tx_seq);
7fe9b298 3589
e92c8e70 3590 del_timer(&chan->ack_timer);
1c2acffb 3591 }
30afb5b2
GP		 3592 return 0;
3593
8f17154f 3594expected:
42e5c802 3595 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
8f17154f 3596
525cd185 3597 if (chan->conn_state & L2CAP_CONN_SREJ_SENT) {
3b1a9f3f
GP		 3598 bt_cb(skb)->tx_seq = tx_seq;
3599 bt_cb(skb)->sar = sar;
f1c6775b 3600 __skb_queue_tail(&chan->srej_q, skb);
8f17154f
GP		 3601 return 0;
3602 }
3603
525cd185 3604 err = l2cap_push_rx_skb(chan, skb, rx_control);
2ece3684
GP		 3605 if (err < 0)
3606 return 0;
3607
4ec10d97 3608 if (rx_control & L2CAP_CTRL_FINAL) {
525cd185
GP		 3609 if (chan->conn_state & L2CAP_CONN_REJ_ACT)
3610 chan->conn_state &= ~L2CAP_CONN_REJ_ACT;
dfc909be 3611 else
525cd185 3612 l2cap_retransmit_frames(chan);
4ec10d97
GP		 3613 }
3614
c1b4f43b
GP		 3615 __mod_ack_timer();
3616
6a026610
GP		 3617 chan->num_acked = (chan->num_acked + 1) % num_to_ack;
3618 if (chan->num_acked == num_to_ack - 1)
525cd185 3619 l2cap_send_ack(chan);
9e917af1 3620
8f17154f 3621 return 0;
9b53350d
JPRV		 3622
3623drop:
3624 kfree_skb(skb);
3625 return 0;
1c2acffb
GP		 3626}
3627
525cd185 3628static inline void l2cap_data_channel_rrframe(struct l2cap_chan *chan, u16 rx_control)
1c2acffb 3629{
49208c9c 3630 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, __get_reqseq(rx_control),
0e98958d
GP		 3631 rx_control);
3632
42e5c802
GP		 3633 chan->expected_ack_seq = __get_reqseq(rx_control);
3634 l2cap_drop_acked_frames(chan);
1c2acffb 3635
e072745f 3636 if (rx_control & L2CAP_CTRL_POLL) {
525cd185
GP		 3637 chan->conn_state |= L2CAP_CONN_SEND_FBIT;
3638 if (chan->conn_state & L2CAP_CONN_SREJ_SENT) {
3639 if ((chan->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
6a026610 3640 (chan->unacked_frames > 0))
05fbd89d
GP		 3641 __mod_retrans_timer();
3642
525cd185
GP		 3643 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3644 l2cap_send_srejtail(chan);
05fbd89d 3645 } else {
525cd185 3646 l2cap_send_i_or_rr_or_rnr(chan);
05fbd89d 3647 }
1d8f5d16 3648
e072745f 3649 } else if (rx_control & L2CAP_CTRL_FINAL) {
525cd185 3650 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
4ec10d97 3651
525cd185
GP		 3652 if (chan->conn_state & L2CAP_CONN_REJ_ACT)
3653 chan->conn_state &= ~L2CAP_CONN_REJ_ACT;
dfc909be 3654 else
525cd185 3655 l2cap_retransmit_frames(chan);
2246b2f1 3656
e072745f 3657 } else {
525cd185 3658 if ((chan->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
6a026610 3659 (chan->unacked_frames > 0))
e072745f 3660 __mod_retrans_timer();
1c2acffb 3661
525cd185
GP		 3662 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3663 if (chan->conn_state & L2CAP_CONN_SREJ_SENT)
3664 l2cap_send_ack(chan);
894718a6 3665 else
525cd185 3666 l2cap_ertm_send(chan);
e072745f
GP		 3667 }
3668}
2246b2f1 3669
525cd185 3670static inline void l2cap_data_channel_rejframe(struct l2cap_chan *chan, u16 rx_control)
e072745f 3671{
e072745f 3672 u8 tx_seq = __get_reqseq(rx_control);
30afb5b2 3673
525cd185 3674 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
0e98958d 3675
525cd185 3676 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
e072745f 3677
42e5c802
GP		 3678 chan->expected_ack_seq = tx_seq;
3679 l2cap_drop_acked_frames(chan);
e072745f
GP		 3680
3681 if (rx_control & L2CAP_CTRL_FINAL) {
525cd185
GP		 3682 if (chan->conn_state & L2CAP_CONN_REJ_ACT)
3683 chan->conn_state &= ~L2CAP_CONN_REJ_ACT;
dfc909be 3684 else
525cd185 3685 l2cap_retransmit_frames(chan);
e072745f 3686 } else {
525cd185 3687 l2cap_retransmit_frames(chan);
30afb5b2 3688
525cd185
GP		 3689 if (chan->conn_state & L2CAP_CONN_WAIT_F)
3690 chan->conn_state |= L2CAP_CONN_REJ_ACT;
e072745f
GP		 3691 }
3692}
525cd185 3693static inline void l2cap_data_channel_srejframe(struct l2cap_chan *chan, u16 rx_control)
e072745f 3694{
e072745f 3695 u8 tx_seq = __get_reqseq(rx_control);
30afb5b2 3696
525cd185 3697 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
0e98958d 3698
525cd185 3699 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
2246b2f1 3700
e072745f 3701 if (rx_control & L2CAP_CTRL_POLL) {
42e5c802
GP		 3702 chan->expected_ack_seq = tx_seq;
3703 l2cap_drop_acked_frames(chan);
3cb123d1 3704
525cd185
GP		 3705 chan->conn_state |= L2CAP_CONN_SEND_FBIT;
3706 l2cap_retransmit_one_frame(chan, tx_seq);
dfc909be 3707
525cd185 3708 l2cap_ertm_send(chan);
dfc909be 3709
525cd185 3710 if (chan->conn_state & L2CAP_CONN_WAIT_F) {
6a026610 3711 chan->srej_save_reqseq = tx_seq;
525cd185 3712 chan->conn_state |= L2CAP_CONN_SREJ_ACT;
ef54fd93 3713 }
e072745f 3714 } else if (rx_control & L2CAP_CTRL_FINAL) {
525cd185 3715 if ((chan->conn_state & L2CAP_CONN_SREJ_ACT) &&
6a026610 3716 chan->srej_save_reqseq == tx_seq)
525cd185 3717 chan->conn_state &= ~L2CAP_CONN_SREJ_ACT;
e072745f 3718 else
525cd185 3719 l2cap_retransmit_one_frame(chan, tx_seq);
e072745f 3720 } else {
525cd185
GP		 3721 l2cap_retransmit_one_frame(chan, tx_seq);
3722 if (chan->conn_state & L2CAP_CONN_WAIT_F) {
6a026610 3723 chan->srej_save_reqseq = tx_seq;
525cd185 3724 chan->conn_state |= L2CAP_CONN_SREJ_ACT;
ef54fd93 3725 }
e072745f
GP		 3726 }
3727}
3728
525cd185 3729static inline void l2cap_data_channel_rnrframe(struct l2cap_chan *chan, u16 rx_control)
e072745f 3730{
e072745f
GP		 3731 u8 tx_seq = __get_reqseq(rx_control);
3732
525cd185 3733 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
0e98958d 3734
525cd185 3735 chan->conn_state |= L2CAP_CONN_REMOTE_BUSY;
42e5c802
GP		 3736 chan->expected_ack_seq = tx_seq;
3737 l2cap_drop_acked_frames(chan);
e072745f 3738
3cb123d1 3739 if (rx_control & L2CAP_CTRL_POLL)
525cd185 3740 chan->conn_state |= L2CAP_CONN_SEND_FBIT;
3cb123d1 3741
525cd185 3742 if (!(chan->conn_state & L2CAP_CONN_SREJ_SENT)) {
e92c8e70 3743 del_timer(&chan->retrans_timer);
a2e12a2a 3744 if (rx_control & L2CAP_CTRL_POLL)
525cd185 3745 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_FINAL);
99b0d4b7 3746 return;
e072745f 3747 }
99b0d4b7
GP		 3748
3749 if (rx_control & L2CAP_CTRL_POLL)
525cd185 3750 l2cap_send_srejtail(chan);
99b0d4b7 3751 else
525cd185 3752 l2cap_send_sframe(chan, L2CAP_SUPER_RCV_READY);
e072745f
GP		 3753}
3754
525cd185 3755static inline int l2cap_data_channel_sframe(struct l2cap_chan *chan, u16 rx_control, struct sk_buff *skb)
e072745f 3756{
525cd185 3757 BT_DBG("chan %p rx_control 0x%4.4x len %d", chan, rx_control, skb->len);
e072745f 3758
9b16dc65 3759 if (L2CAP_CTRL_FINAL & rx_control &&
525cd185 3760 chan->conn_state & L2CAP_CONN_WAIT_F) {
e92c8e70 3761 del_timer(&chan->monitor_timer);
6a026610 3762 if (chan->unacked_frames > 0)
e072745f 3763 __mod_retrans_timer();
525cd185 3764 chan->conn_state &= ~L2CAP_CONN_WAIT_F;
e072745f
GP		 3765 }
3766
3767 switch (rx_control & L2CAP_CTRL_SUPERVISE) {
3768 case L2CAP_SUPER_RCV_READY:
525cd185 3769 l2cap_data_channel_rrframe(chan, rx_control);
8f17154f
GP		 3770 break;
3771
e072745f 3772 case L2CAP_SUPER_REJECT:
525cd185 3773 l2cap_data_channel_rejframe(chan, rx_control);
e072745f 3774 break;
2246b2f1 3775
e072745f 3776 case L2CAP_SUPER_SELECT_REJECT:
525cd185 3777 l2cap_data_channel_srejframe(chan, rx_control);
e072745f
GP		 3778 break;
3779
3780 case L2CAP_SUPER_RCV_NOT_READY:
525cd185 3781 l2cap_data_channel_rnrframe(chan, rx_control);
1c2acffb
GP		 3782 break;
3783 }
3784
faaebd19 3785 kfree_skb(skb);
1c2acffb
GP		 3786 return 0;
3787}
3788
218bb9df
GP		 3789static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb)
3790{
525cd185 3791 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
218bb9df
GP		 3792 u16 control;
3793 u8 req_seq;
3794 int len, next_tx_seq_offset, req_seq_offset;
3795
3796 control = get_unaligned_le16(skb->data);
3797 skb_pull(skb, 2);
3798 len = skb->len;
3799
3800 /*
3801 * We can just drop the corrupted I-frame here.
3802 * Receiver will miss it and start proper recovery
3803 * procedures and ask retransmission.
3804 */
47d1ec61 3805 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 3806 goto drop;
3807
3808 if (__is_sar_start(control) && __is_iframe(control))
3809 len -= 2;
3810
47d1ec61 3811 if (chan->fcs == L2CAP_FCS_CRC16)
218bb9df
GP		 3812 len -= 2;
3813
47d1ec61 3814 if (len > chan->mps) {
8c1d787b 3815 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3816 goto drop;
3817 }
3818
3819 req_seq = __get_reqseq(control);
42e5c802 3820 req_seq_offset = (req_seq - chan->expected_ack_seq) % 64;
218bb9df
GP		 3821 if (req_seq_offset < 0)
3822 req_seq_offset += 64;
3823
3824 next_tx_seq_offset =
42e5c802 3825 (chan->next_tx_seq - chan->expected_ack_seq) % 64;
218bb9df
GP		 3826 if (next_tx_seq_offset < 0)
3827 next_tx_seq_offset += 64;
3828
3829 /* check for invalid req-seq */
3830 if (req_seq_offset > next_tx_seq_offset) {
8c1d787b 3831 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3832 goto drop;
3833 }
3834
3835 if (__is_iframe(control)) {
3836 if (len < 0) {
8c1d787b 3837 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3838 goto drop;
3839 }
3840
525cd185 3841 l2cap_data_channel_iframe(chan, control, skb);
218bb9df
GP		 3842 } else {
3843 if (len != 0) {
3844 BT_ERR("%d", len);
8c1d787b 3845 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3846 goto drop;
3847 }
3848
525cd185 3849 l2cap_data_channel_sframe(chan, control, skb);
218bb9df
GP		 3850 }
3851
3852 return 0;
3853
3854drop:
3855 kfree_skb(skb);
3856 return 0;
3857}
3858
1da177e4
LT		 3859static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
3860{
48454079 3861 struct l2cap_chan *chan;
bf734843 3862 struct sock *sk = NULL;
51893f88 3863 u16 control;
218bb9df
GP		 3864 u8 tx_seq;
3865 int len;
1da177e4 3866
baa7e1fa 3867 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 3868 if (!chan) {
1da177e4
LT		 3869 BT_DBG("unknown cid 0x%4.4x", cid);
3870 goto drop;
3871 }
3872
48454079 3873 sk = chan->sk;
6840ed07 3874
49208c9c 3875 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4
LT		 3876
3877 if (sk->sk_state != BT_CONNECTED)
3878 goto drop;
3879
0c1bc5c6 3880 switch (chan->mode) {
1c2acffb
GP		 3881 case L2CAP_MODE_BASIC:
3882 /* If socket recv buffers overflows we drop data here
3883 * which is *bad* because L2CAP has to be reliable.
3884 * But we don't have any other choice. L2CAP doesn't
3885 * provide flow control mechanism. */
1da177e4 3886
0c1bc5c6 3887 if (chan->imtu < skb->len)
1c2acffb 3888 goto drop;
1da177e4 3889
23070494 3890 if (!chan->ops->recv(chan->data, skb))
1c2acffb
GP		 3891 goto done;
3892 break;
3893
3894 case L2CAP_MODE_ERTM:
218bb9df
GP		 3895 if (!sock_owned_by_user(sk)) {
3896 l2cap_ertm_data_rcv(sk, skb);
277ffbe3 3897 } else {
218bb9df 3898 if (sk_add_backlog(sk, skb))
277ffbe3 3899 goto drop;
277ffbe3 3900 }
1c2acffb 3901
fcafde2e 3902 goto done;
1c2acffb 3903
6840ed07
GP		 3904 case L2CAP_MODE_STREAMING:
3905 control = get_unaligned_le16(skb->data);
3906 skb_pull(skb, 2);
3907 len = skb->len;
3908
47d1ec61 3909 if (l2cap_check_fcs(chan, skb))
26000089
GP		 3910 goto drop;
3911
6840ed07
GP		 3912 if (__is_sar_start(control))
3913 len -= 2;
3914
47d1ec61 3915 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3
GP		 3916 len -= 2;
3917
47d1ec61 3918 if (len > chan->mps || len < 0 || __is_sframe(control))
6840ed07
GP		 3919 goto drop;
3920
3921 tx_seq = __get_txseq(control);
3922
42e5c802
GP		 3923 if (chan->expected_tx_seq == tx_seq)
3924 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
6840ed07 3925 else
42e5c802 3926 chan->expected_tx_seq = (tx_seq + 1) % 64;
6840ed07 3927
525cd185 3928 l2cap_streaming_reassembly_sdu(chan, skb, control);
6840ed07
GP		 3929
3930 goto done;
3931
1c2acffb 3932 default:
0c1bc5c6 3933 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 3934 break;
3935 }
1da177e4
LT		 3936
3937drop:
3938 kfree_skb(skb);
3939
3940done:
0139418c
MH		 3941 if (sk)
3942 bh_unlock_sock(sk);
3943
1da177e4
LT		 3944 return 0;
3945}
3946
8e036fc3 3947static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
1da177e4 3948{
6dcae1ea 3949 struct sock *sk = NULL;
23691d75 3950 struct l2cap_chan *chan;
1da177e4 3951
23691d75
GP		 3952 chan = l2cap_global_chan_by_psm(0, psm, conn->src);
3953 if (!chan)
1da177e4
LT		 3954 goto drop;
3955
23691d75
GP		 3956 sk = chan->sk;
3957
e0f0cb56
GP		 3958 bh_lock_sock(sk);
3959
1da177e4
LT		 3960 BT_DBG("sk %p, len %d", sk, skb->len);
3961
3962 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_CONNECTED)
3963 goto drop;
3964
0c1bc5c6 3965 if (l2cap_pi(sk)->chan->imtu < skb->len)
1da177e4
LT		 3966 goto drop;
3967
23070494 3968 if (!chan->ops->recv(chan->data, skb))
1da177e4
LT		 3969 goto done;
3970
3971drop:
3972 kfree_skb(skb);
3973
3974done:
af05b30b
GP		 3975 if (sk)
3976 bh_unlock_sock(sk);
1da177e4
LT		 3977 return 0;
3978}
3979
9f69bda6
GP		 3980static inline int l2cap_att_channel(struct l2cap_conn *conn, __le16 cid, struct sk_buff *skb)
3981{
6dcae1ea 3982 struct sock *sk = NULL;
23691d75 3983 struct l2cap_chan *chan;
9f69bda6 3984
23691d75
GP		 3985 chan = l2cap_global_chan_by_scid(0, cid, conn->src);
3986 if (!chan)
9f69bda6
GP		 3987 goto drop;
3988
23691d75
GP		 3989 sk = chan->sk;
3990
9f69bda6
GP		 3991 bh_lock_sock(sk);
3992
3993 BT_DBG("sk %p, len %d", sk, skb->len);
3994
3995 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_CONNECTED)
3996 goto drop;
3997
0c1bc5c6 3998 if (l2cap_pi(sk)->chan->imtu < skb->len)
9f69bda6
GP		 3999 goto drop;
4000
23070494 4001 if (!chan->ops->recv(chan->data, skb))
9f69bda6
GP		 4002 goto done;
4003
4004drop:
4005 kfree_skb(skb);
4006
4007done:
4008 if (sk)
4009 bh_unlock_sock(sk);
4010 return 0;
4011}
4012
1da177e4
LT		 4013static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
4014{
4015 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 4016 u16 cid, len;
4017 __le16 psm;
1da177e4
LT		 4018
4019 skb_pull(skb, L2CAP_HDR_SIZE);
4020 cid = __le16_to_cpu(lh->cid);
4021 len = __le16_to_cpu(lh->len);
4022
1c2acffb
GP		 4023 if (len != skb->len) {
4024 kfree_skb(skb);
4025 return;
4026 }
4027
1da177e4
LT		 4028 BT_DBG("len %d, cid 0x%4.4x", len, cid);
4029
4030 switch (cid) {
3300d9a9 4031 case L2CAP_CID_LE_SIGNALING:
8db4dc46 4032 case L2CAP_CID_SIGNALING:
1da177e4
LT		 4033 l2cap_sig_channel(conn, skb);
4034 break;
4035
8db4dc46 4036 case L2CAP_CID_CONN_LESS:
1b7bf4ed 4037 psm = get_unaligned_le16(skb->data);
1da177e4
LT		 4038 skb_pull(skb, 2);
4039 l2cap_conless_channel(conn, psm, skb);
4040 break;
4041
9f69bda6
GP		 4042 case L2CAP_CID_LE_DATA:
4043 l2cap_att_channel(conn, cid, skb);
4044 break;
4045
1da177e4
LT		 4046 default:
4047 l2cap_data_channel(conn, cid, skb);
4048 break;
4049 }
4050}
4051
4052/* ---- L2CAP interface with lower layer (HCI) ---- */
4053
4054static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
4055{
4056 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 4057 struct l2cap_chan *c;
1da177e4
LT		 4058
4059 if (type != ACL_LINK)
963cf687 4060 return -EINVAL;
1da177e4
LT		 4061
4062 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
4063
4064 /* Find listening sockets and check their link_mode */
23691d75
GP		 4065 read_lock(&chan_list_lock);
4066 list_for_each_entry(c, &chan_list, global_l) {
4067 struct sock *sk = c->sk;
4343478f 4068
1da177e4
LT		 4069 if (sk->sk_state != BT_LISTEN)
4070 continue;
4071
4072 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 4073 lm1 |= HCI_LM_ACCEPT;
23691d75 4074 if (c->role_switch)
2af6b9d5 4075 lm1 |= HCI_LM_MASTER;
1da177e4 4076 exact++;
2af6b9d5
MH		 4077 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
4078 lm2 |= HCI_LM_ACCEPT;
23691d75 4079 if (c->role_switch)
2af6b9d5
MH		 4080 lm2 |= HCI_LM_MASTER;
4081 }
1da177e4 4082 }
23691d75 4083 read_unlock(&chan_list_lock);
1da177e4
LT		 4084
4085 return exact ? lm1 : lm2;
4086}
4087
4088static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
4089{
0139418c
MH		 4090 struct l2cap_conn *conn;
4091
1da177e4
LT		 4092 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
4093
acd7d370 4094 if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK))
963cf687 4095 return -EINVAL;
1da177e4
LT		 4096
4097 if (!status) {
1da177e4
LT		 4098 conn = l2cap_conn_add(hcon, status);
4099 if (conn)
4100 l2cap_conn_ready(conn);
0139418c 4101 } else
1da177e4
LT		 4102 l2cap_conn_del(hcon, bt_err(status));
4103
4104 return 0;
4105}
4106
2950f21a
MH		 4107static int l2cap_disconn_ind(struct hci_conn *hcon)
4108{
4109 struct l2cap_conn *conn = hcon->l2cap_data;
4110
4111 BT_DBG("hcon %p", hcon);
4112
4113 if (hcon->type != ACL_LINK || !conn)
4114 return 0x13;
4115
4116 return conn->disc_reason;
4117}
4118
4119static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 4120{
4121 BT_DBG("hcon %p reason %d", hcon, reason);
4122
acd7d370 4123 if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK))
963cf687 4124 return -EINVAL;
1da177e4
LT		 4125
4126 l2cap_conn_del(hcon, bt_err(reason));
0139418c 4127
1da177e4
LT		 4128 return 0;
4129}
4130
4343478f 4131static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 4132{
715ec005 4133 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 4134 return;
4135
f62e4323 4136 if (encrypt == 0x00) {
4343478f 4137 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ab07801d
GP		 4138 l2cap_chan_clear_timer(chan);
4139 l2cap_chan_set_timer(chan, HZ * 5);
4343478f 4140 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 4141 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 4142 } else {
4343478f 4143 if (chan->sec_level == BT_SECURITY_MEDIUM)
ab07801d 4144 l2cap_chan_clear_timer(chan);
f62e4323
MH		 4145 }
4146}
4147
8c1b2355 4148static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 4149{
0139418c 4150 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 4151 struct l2cap_chan *chan;
1da177e4 4152
0139418c 4153 if (!conn)
1da177e4 4154 return 0;
0139418c 4155
1da177e4
LT		 4156 BT_DBG("conn %p", conn);
4157
baa7e1fa 4158 read_lock(&conn->chan_lock);
1da177e4 4159
baa7e1fa 4160 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 4161 struct sock *sk = chan->sk;
baa7e1fa 4162
1da177e4
LT		 4163 bh_lock_sock(sk);
4164
b4450035 4165 if (chan->conf_state & L2CAP_CONF_CONNECT_PEND) {
6a8d3010
MH		 4166 bh_unlock_sock(sk);
4167 continue;
4168 }
4169
f62e4323 4170 if (!status && (sk->sk_state == BT_CONNECTED ||
8c1b2355 4171 sk->sk_state == BT_CONFIG)) {
4343478f 4172 l2cap_check_encryption(chan, encrypt);
9719f8af
MH		 4173 bh_unlock_sock(sk);
4174 continue;
4175 }
4176
b1235d79
MH		 4177 if (sk->sk_state == BT_CONNECT) {
4178 if (!status) {
4179 struct l2cap_conn_req req;
fe4128e0
GP		 4180 req.scid = cpu_to_le16(chan->scid);
4181 req.psm = chan->psm;
1da177e4 4182
fc7f8a7e 4183 chan->ident = l2cap_get_ident(conn);
b4450035 4184 chan->conf_state |= L2CAP_CONF_CONNECT_PEND;
1da177e4 4185
fc7f8a7e 4186 l2cap_send_cmd(conn, chan->ident,
b1235d79
MH		 4187 L2CAP_CONN_REQ, sizeof(req), &req);
4188 } else {
ab07801d
GP		 4189 l2cap_chan_clear_timer(chan);
4190 l2cap_chan_set_timer(chan, HZ / 10);
b1235d79
MH		 4191 }
4192 } else if (sk->sk_state == BT_CONNECT2) {
4193 struct l2cap_conn_rsp rsp;
4194 __u16 result;
1da177e4 4195
b1235d79
MH		 4196 if (!status) {
4197 sk->sk_state = BT_CONFIG;
4198 result = L2CAP_CR_SUCCESS;
4199 } else {
4200 sk->sk_state = BT_DISCONN;
ab07801d 4201 l2cap_chan_set_timer(chan, HZ / 10);
b1235d79
MH		 4202 result = L2CAP_CR_SEC_BLOCK;
4203 }
4204
fe4128e0
GP		 4205 rsp.scid = cpu_to_le16(chan->dcid);
4206 rsp.dcid = cpu_to_le16(chan->scid);
b1235d79 4207 rsp.result = cpu_to_le16(result);
e7c29cb1 4208 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
fc7f8a7e
GP		 4209 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
4210 sizeof(rsp), &rsp);
b1235d79 4211 }
1da177e4
LT		 4212
4213 bh_unlock_sock(sk);
4214 }
4215
baa7e1fa 4216 read_unlock(&conn->chan_lock);
b1235d79 4217
1da177e4
LT		 4218 return 0;
4219}
4220
4221static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
4222{
4223 struct l2cap_conn *conn = hcon->l2cap_data;
4224
5a08ecce
AE		 4225 if (!conn)
4226 conn = l2cap_conn_add(hcon, 0);
4227
4228 if (!conn)
1da177e4
LT		 4229 goto drop;
4230
4231 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
4232
e702112f 4233 if (!(flags & ACL_CONT)) {
1da177e4 4234 struct l2cap_hdr *hdr;
48454079 4235 struct l2cap_chan *chan;
89794813 4236 u16 cid;
1da177e4
LT		 4237 int len;
4238
4239 if (conn->rx_len) {
4240 BT_ERR("Unexpected start frame (len %d)", skb->len);
4241 kfree_skb(conn->rx_skb);
4242 conn->rx_skb = NULL;
4243 conn->rx_len = 0;
4244 l2cap_conn_unreliable(conn, ECOMM);
4245 }
4246
aae7fe22
AE		 4247 /* Start fragment always begin with Basic L2CAP header */
4248 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 4249 BT_ERR("Frame is too short (len %d)", skb->len);
4250 l2cap_conn_unreliable(conn, ECOMM);
4251 goto drop;
4252 }
4253
4254 hdr = (struct l2cap_hdr *) skb->data;
4255 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
89794813 4256 cid = __le16_to_cpu(hdr->cid);
1da177e4
LT		 4257
4258 if (len == skb->len) {
4259 /* Complete frame received */
4260 l2cap_recv_frame(conn, skb);
4261 return 0;
4262 }
4263
4264 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
4265
4266 if (skb->len > len) {
4267 BT_ERR("Frame is too long (len %d, expected len %d)",
4268 skb->len, len);
4269 l2cap_conn_unreliable(conn, ECOMM);
4270 goto drop;
4271 }
4272
baa7e1fa 4273 chan = l2cap_get_chan_by_scid(conn, cid);
89794813 4274
48454079
GP		 4275 if (chan && chan->sk) {
4276 struct sock *sk = chan->sk;
89794813 4277
0c1bc5c6 4278 if (chan->imtu < len - L2CAP_HDR_SIZE) {
48454079
GP		 4279 BT_ERR("Frame exceeding recv MTU (len %d, "
4280 "MTU %d)", len,
0c1bc5c6 4281 chan->imtu);
48454079
GP		 4282 bh_unlock_sock(sk);
4283 l2cap_conn_unreliable(conn, ECOMM);
4284 goto drop;
4285 }
89794813 4286 bh_unlock_sock(sk);
48454079 4287 }
89794813 4288
1da177e4 4289 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 4290 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
4291 if (!conn->rx_skb)
1da177e4
LT		 4292 goto drop;
4293
d626f62b 4294 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4295 skb->len);
1da177e4
LT		 4296 conn->rx_len = len - skb->len;
4297 } else {
4298 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
4299
4300 if (!conn->rx_len) {
4301 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
4302 l2cap_conn_unreliable(conn, ECOMM);
4303 goto drop;
4304 }
4305
4306 if (skb->len > conn->rx_len) {
4307 BT_ERR("Fragment is too long (len %d, expected %d)",
4308 skb->len, conn->rx_len);
4309 kfree_skb(conn->rx_skb);
4310 conn->rx_skb = NULL;
4311 conn->rx_len = 0;
4312 l2cap_conn_unreliable(conn, ECOMM);
4313 goto drop;
4314 }
4315
d626f62b 4316 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4317 skb->len);
1da177e4
LT		 4318 conn->rx_len -= skb->len;
4319
4320 if (!conn->rx_len) {
4321 /* Complete frame received */
4322 l2cap_recv_frame(conn, conn->rx_skb);
4323 conn->rx_skb = NULL;
4324 }
4325 }
4326
4327drop:
4328 kfree_skb(skb);
4329 return 0;
4330}
4331
aef7d97c 4332static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 4333{
23691d75 4334 struct l2cap_chan *c;
1da177e4 4335
23691d75 4336 read_lock_bh(&chan_list_lock);
1da177e4 4337
23691d75
GP		 4338 list_for_each_entry(c, &chan_list, global_l) {
4339 struct sock *sk = c->sk;
101545f6 4340
903d343e 4341 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
aef7d97c
MH		 4342 batostr(&bt_sk(sk)->src),
4343 batostr(&bt_sk(sk)->dst),
23691d75
GP		 4344 sk->sk_state, __le16_to_cpu(c->psm),
4345 c->scid, c->dcid, c->imtu, c->omtu,
4346 c->sec_level, c->mode);
be9d1227 4347 }
1da177e4 4348
23691d75 4349 read_unlock_bh(&chan_list_lock);
1da177e4 4350
aef7d97c 4351 return 0;
1da177e4
LT		 4352}
4353
aef7d97c
MH		 4354static int l2cap_debugfs_open(struct inode *inode, struct file *file)
4355{
4356 return single_open(file, l2cap_debugfs_show, inode->i_private);
4357}
4358
4359static const struct file_operations l2cap_debugfs_fops = {
4360 .open = l2cap_debugfs_open,
4361 .read = seq_read,
4362 .llseek = seq_lseek,
4363 .release = single_release,
4364};
4365
4366static struct dentry *l2cap_debugfs;
1da177e4 4367
1da177e4
LT		 4368static struct hci_proto l2cap_hci_proto = {
4369 .name = "L2CAP",
4370 .id = HCI_PROTO_L2CAP,
4371 .connect_ind = l2cap_connect_ind,
4372 .connect_cfm = l2cap_connect_cfm,
4373 .disconn_ind = l2cap_disconn_ind,
2950f21a 4374 .disconn_cfm = l2cap_disconn_cfm,
8c1b2355 4375 .security_cfm = l2cap_security_cfm,
1da177e4
LT		 4376 .recv_acldata = l2cap_recv_acldata
4377};
4378
64274518 4379int __init l2cap_init(void)
1da177e4
LT		 4380{
4381 int err;
be9d1227 4382
bb58f747 4383 err = l2cap_init_sockets();
1da177e4
LT		 4384 if (err < 0)
4385 return err;
4386
1890d36b 4387 _busy_wq = create_singlethread_workqueue("l2cap");
b78d7b4f 4388 if (!_busy_wq) {
bb58f747 4389 err = -ENOMEM;
1da177e4
LT		 4390 goto error;
4391 }
4392
4393 err = hci_register_proto(&l2cap_hci_proto);
4394 if (err < 0) {
4395 BT_ERR("L2CAP protocol registration failed");
4396 bt_sock_unregister(BTPROTO_L2CAP);
4397 goto error;
4398 }
4399
aef7d97c
MH		 4400 if (bt_debugfs) {
4401 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
4402 bt_debugfs, NULL, &l2cap_debugfs_fops);
4403 if (!l2cap_debugfs)
4404 BT_ERR("Failed to create L2CAP debug file");
4405 }
1da177e4 4406
1da177e4
LT		 4407 return 0;
4408
4409error:
b78d7b4f 4410 destroy_workqueue(_busy_wq);
bb58f747 4411 l2cap_cleanup_sockets();
1da177e4
LT		 4412 return err;
4413}
4414
64274518 4415void l2cap_exit(void)
1da177e4 4416{
aef7d97c 4417 debugfs_remove(l2cap_debugfs);
1da177e4 4418
1890d36b
GP		 4419 flush_workqueue(_busy_wq);
4420 destroy_workqueue(_busy_wq);
4421
1da177e4
LT		 4422 if (hci_unregister_proto(&l2cap_hci_proto) < 0)
4423 BT_ERR("L2CAP protocol unregistration failed");
4424
bb58f747 4425 l2cap_cleanup_sockets();
1da177e4
LT		 4426}
4427
d1c4a17d
GP		 4428module_param(disable_ertm, bool, 0644);
4429MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
kernel source for telekom puls (alcatel/mediatek)