projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: use bit operation on conf_state
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
1da177e4
LT		 6
7 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License version 2 as
11 published by the Free Software Foundation;
12
13 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
14 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
15 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
16 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 17 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
18 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
19 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 20 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
21
8e87d142
YH		 22 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
23 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 24 SOFTWARE IS DISCLAIMED.
25*/
26
bb58f747 27/* Bluetooth L2CAP core. */
1da177e4 28
1da177e4
LT		 29#include <linux/module.h>
30
31#include <linux/types.h>
4fc268d2 32#include <linux/capability.h>
1da177e4
LT		 33#include <linux/errno.h>
34#include <linux/kernel.h>
1da177e4
LT		 35#include <linux/sched.h>
36#include <linux/slab.h>
37#include <linux/poll.h>
38#include <linux/fcntl.h>
39#include <linux/init.h>
40#include <linux/interrupt.h>
41#include <linux/socket.h>
42#include <linux/skbuff.h>
1da177e4 43#include <linux/list.h>
be9d1227 44#include <linux/device.h>
aef7d97c
MH		 45#include <linux/debugfs.h>
46#include <linux/seq_file.h>
af05b30b 47#include <linux/uaccess.h>
fcc203c3 48#include <linux/crc16.h>
1da177e4
LT		 49#include <net/sock.h>
50
51#include <asm/system.h>
1da177e4
LT		 52#include <asm/unaligned.h>
53
54#include <net/bluetooth/bluetooth.h>
55#include <net/bluetooth/hci_core.h>
56#include <net/bluetooth/l2cap.h>
b501d6a1 57#include <net/bluetooth/smp.h>
1da177e4 58
bb58f747 59int disable_ertm;
f0709e03 60
47ec1dcd 61static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
e1027a7c 62static u8 l2cap_fixed_chan[8] = { 0x02, };
1da177e4 63
1890d36b
GP		 64static struct workqueue_struct *_busy_wq;
65
b5ad8b7f
JB		 66static LIST_HEAD(chan_list);
67static DEFINE_RWLOCK(chan_list_lock);
1da177e4 68
1890d36b
GP		 69static void l2cap_busy_work(struct work_struct *work);
70
1da177e4
LT		 71static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
72 u8 code, u8 ident, u16 dlen, void *data);
4519de9a
GP		 73static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
74 void *data);
710f9b0a 75static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
4519de9a
GP		 76static void l2cap_send_disconn_req(struct l2cap_conn *conn,
77 struct l2cap_chan *chan, int err);
1da177e4 78
218bb9df
GP		 79static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb);
80
0139418c 81/* ---- L2CAP channels ---- */
71ba0e56
GP		 82
83static inline void chan_hold(struct l2cap_chan *c)
84{
85 atomic_inc(&c->refcnt);
86}
87
88static inline void chan_put(struct l2cap_chan *c)
89{
90 if (atomic_dec_and_test(&c->refcnt))
91 kfree(c);
92}
93
baa7e1fa 94static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
0139418c 95{
48454079 96 struct l2cap_chan *c;
baa7e1fa
GP		 97
98 list_for_each_entry(c, &conn->chan_l, list) {
fe4128e0 99 if (c->dcid == cid)
baa7e1fa 100 return c;
0139418c 101 }
baa7e1fa
GP		 102 return NULL;
103
0139418c
MH		 104}
105
baa7e1fa 106static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 107{
48454079 108 struct l2cap_chan *c;
baa7e1fa
GP		 109
110 list_for_each_entry(c, &conn->chan_l, list) {
fe4128e0 111 if (c->scid == cid)
baa7e1fa 112 return c;
0139418c 113 }
baa7e1fa 114 return NULL;
0139418c
MH		 115}
116
117/* Find channel with given SCID.
118 * Returns locked socket */
baa7e1fa 119static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 120{
48454079 121 struct l2cap_chan *c;
baa7e1fa
GP		 122
123 read_lock(&conn->chan_lock);
124 c = __l2cap_get_chan_by_scid(conn, cid);
48454079
GP		 125 if (c)
126 bh_lock_sock(c->sk);
baa7e1fa 127 read_unlock(&conn->chan_lock);
48454079 128 return c;
0139418c
MH		 129}
130
baa7e1fa 131static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 132{
48454079 133 struct l2cap_chan *c;
baa7e1fa
GP		 134
135 list_for_each_entry(c, &conn->chan_l, list) {
fc7f8a7e 136 if (c->ident == ident)
baa7e1fa 137 return c;
0139418c 138 }
baa7e1fa 139 return NULL;
0139418c
MH		 140}
141
baa7e1fa 142static inline struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 143{
48454079 144 struct l2cap_chan *c;
baa7e1fa
GP		 145
146 read_lock(&conn->chan_lock);
147 c = __l2cap_get_chan_by_ident(conn, ident);
48454079
GP		 148 if (c)
149 bh_lock_sock(c->sk);
baa7e1fa 150 read_unlock(&conn->chan_lock);
48454079 151 return c;
0139418c
MH		 152}
153
23691d75 154static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 155{
23691d75 156 struct l2cap_chan *c;
9e4425ff 157
23691d75
GP		 158 list_for_each_entry(c, &chan_list, global_l) {
159 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
9e4425ff
GP		 160 goto found;
161 }
162
23691d75 163 c = NULL;
9e4425ff 164found:
23691d75 165 return c;
9e4425ff
GP		 166}
167
168int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
169{
73b2ec18
GP		 170 int err;
171
23691d75 172 write_lock_bh(&chan_list_lock);
9e4425ff 173
23691d75 174 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 175 err = -EADDRINUSE;
176 goto done;
9e4425ff
GP		 177 }
178
73b2ec18
GP		 179 if (psm) {
180 chan->psm = psm;
181 chan->sport = psm;
182 err = 0;
183 } else {
184 u16 p;
185
186 err = -EINVAL;
187 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 188 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 189 chan->psm = cpu_to_le16(p);
190 chan->sport = cpu_to_le16(p);
191 err = 0;
192 break;
193 }
194 }
9e4425ff 195
73b2ec18 196done:
23691d75 197 write_unlock_bh(&chan_list_lock);
73b2ec18 198 return err;
9e4425ff
GP		 199}
200
201int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
202{
23691d75 203 write_lock_bh(&chan_list_lock);
9e4425ff
GP		 204
205 chan->scid = scid;
206
23691d75 207 write_unlock_bh(&chan_list_lock);
9e4425ff
GP		 208
209 return 0;
210}
211
baa7e1fa 212static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 213{
8db4dc46 214 u16 cid = L2CAP_CID_DYN_START;
0139418c 215
8db4dc46 216 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 217 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 218 return cid;
219 }
220
221 return 0;
222}
223
c9b66675 224static void l2cap_set_timer(struct l2cap_chan *chan, struct timer_list *timer, long timeout)
ab07801d 225{
89bc500e
GP		 226 BT_DBG("chan %p state %d timeout %ld", chan->sk, chan->state, timeout);
227
c9b66675 228 if (!mod_timer(timer, jiffies + timeout))
71ba0e56 229 chan_hold(chan);
ab07801d
GP		 230}
231
c9b66675 232static void l2cap_clear_timer(struct l2cap_chan *chan, struct timer_list *timer)
ab07801d 233{
89bc500e 234 BT_DBG("chan %p state %d", chan, chan->state);
ab07801d 235
c9b66675 236 if (timer_pending(timer) && del_timer(timer))
71ba0e56 237 chan_put(chan);
ab07801d
GP		 238}
239
89bc500e
GP		 240static void l2cap_state_change(struct l2cap_chan *chan, int state)
241{
242 chan->state = state;
243 chan->ops->state_change(chan->data, state);
244}
245
ab07801d
GP		 246static void l2cap_chan_timeout(unsigned long arg)
247{
248 struct l2cap_chan *chan = (struct l2cap_chan *) arg;
249 struct sock *sk = chan->sk;
250 int reason;
251
89bc500e 252 BT_DBG("chan %p state %d", chan, chan->state);
ab07801d
GP		 253
254 bh_lock_sock(sk);
255
256 if (sock_owned_by_user(sk)) {
257 /* sk is owned by user. Try again later */
c9b66675 258 __set_chan_timer(chan, HZ / 5);
ab07801d 259 bh_unlock_sock(sk);
71ba0e56 260 chan_put(chan);
ab07801d
GP		 261 return;
262 }
263
89bc500e 264 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 265 reason = ECONNREFUSED;
89bc500e 266 else if (chan->state == BT_CONNECT &&
ab07801d
GP		 267 chan->sec_level != BT_SECURITY_SDP)
268 reason = ECONNREFUSED;
269 else
270 reason = ETIMEDOUT;
271
0f852724 272 l2cap_chan_close(chan, reason);
ab07801d
GP		 273
274 bh_unlock_sock(sk);
275
ba3bd0ee 276 chan->ops->close(chan->data);
71ba0e56 277 chan_put(chan);
ab07801d
GP		 278}
279
23691d75 280struct l2cap_chan *l2cap_chan_create(struct sock *sk)
48454079
GP		 281{
282 struct l2cap_chan *chan;
283
284 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
285 if (!chan)
286 return NULL;
287
288 chan->sk = sk;
289
23691d75
GP		 290 write_lock_bh(&chan_list_lock);
291 list_add(&chan->global_l, &chan_list);
292 write_unlock_bh(&chan_list_lock);
293
ab07801d
GP		 294 setup_timer(&chan->chan_timer, l2cap_chan_timeout, (unsigned long) chan);
295
89bc500e
GP		 296 chan->state = BT_OPEN;
297
71ba0e56
GP		 298 atomic_set(&chan->refcnt, 1);
299
48454079
GP		 300 return chan;
301}
302
23691d75 303void l2cap_chan_destroy(struct l2cap_chan *chan)
6ff5abbf 304{
23691d75
GP		 305 write_lock_bh(&chan_list_lock);
306 list_del(&chan->global_l);
307 write_unlock_bh(&chan_list_lock);
308
71ba0e56 309 chan_put(chan);
6ff5abbf
GP		 310}
311
48454079 312static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 313{
af05b30b 314 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
fe4128e0 315 chan->psm, chan->dcid);
0139418c 316
2950f21a
MH		 317 conn->disc_reason = 0x13;
318
8c1d787b 319 chan->conn = conn;
0139418c 320
715ec005 321 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
b62f328b
VT		 322 if (conn->hcon->type == LE_LINK) {
323 /* LE connection */
0c1bc5c6 324 chan->omtu = L2CAP_LE_DEFAULT_MTU;
fe4128e0
GP		 325 chan->scid = L2CAP_CID_LE_DATA;
326 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 327 } else {
328 /* Alloc CID for connection-oriented socket */
fe4128e0 329 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 330 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 331 }
715ec005 332 } else if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
0139418c 333 /* Connectionless socket */
fe4128e0
GP		 334 chan->scid = L2CAP_CID_CONN_LESS;
335 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 336 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 337 } else {
338 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 339 chan->scid = L2CAP_CID_SIGNALING;
340 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 341 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 342 }
343
71ba0e56 344 chan_hold(chan);
baa7e1fa
GP		 345
346 list_add(&chan->list, &conn->chan_l);
0139418c
MH		 347}
348
8e87d142 349/* Delete channel.
0139418c 350 * Must be called on the locked socket. */
4519de9a 351static void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 352{
48454079 353 struct sock *sk = chan->sk;
8c1d787b 354 struct l2cap_conn *conn = chan->conn;
0139418c
MH		 355 struct sock *parent = bt_sk(sk)->parent;
356
c9b66675 357 __clear_chan_timer(chan);
0139418c 358
49208c9c 359 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 360
8e87d142 361 if (conn) {
baa7e1fa
GP		 362 /* Delete from channel list */
363 write_lock_bh(&conn->chan_lock);
364 list_del(&chan->list);
365 write_unlock_bh(&conn->chan_lock);
71ba0e56 366 chan_put(chan);
baa7e1fa 367
8c1d787b 368 chan->conn = NULL;
0139418c
MH		 369 hci_conn_put(conn->hcon);
370 }
371
89bc500e 372 l2cap_state_change(chan, BT_CLOSED);
0139418c
MH		 373 sock_set_flag(sk, SOCK_ZAPPED);
374
375 if (err)
376 sk->sk_err = err;
377
378 if (parent) {
379 bt_accept_unlink(sk);
380 parent->sk_data_ready(parent, 0);
381 } else
382 sk->sk_state_change(sk);
c13ffa62 383
c1360a1c
GP		 384 if (!(test_bit(CONF_OUTPUT_DONE, &chan->conf_state) &&
385 test_bit(CONF_INPUT_DONE, &chan->conf_state)))
6ff5abbf 386 return;
2ead70b8 387
58d35f87 388 skb_queue_purge(&chan->tx_q);
c13ffa62 389
0c1bc5c6 390 if (chan->mode == L2CAP_MODE_ERTM) {
c13ffa62
GP		 391 struct srej_list *l, *tmp;
392
1a09bcb9
GP		 393 __clear_retrans_timer(chan);
394 __clear_monitor_timer(chan);
395 __clear_ack_timer(chan);
c13ffa62 396
f1c6775b
GP		 397 skb_queue_purge(&chan->srej_q);
398 skb_queue_purge(&chan->busy_q);
c13ffa62 399
39d5a3ee 400 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
c13ffa62
GP		 401 list_del(&l->list);
402 kfree(l);
403 }
404 }
0139418c
MH		 405}
406
4519de9a
GP		 407static void l2cap_chan_cleanup_listen(struct sock *parent)
408{
409 struct sock *sk;
410
411 BT_DBG("parent %p", parent);
412
413 /* Close not yet accepted channels */
0f852724 414 while ((sk = bt_accept_dequeue(parent, NULL))) {
ba3bd0ee 415 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
c9b66675 416 __clear_chan_timer(chan);
0f852724 417 lock_sock(sk);
ba3bd0ee 418 l2cap_chan_close(chan, ECONNRESET);
0f852724 419 release_sock(sk);
ba3bd0ee 420 chan->ops->close(chan->data);
0f852724 421 }
4519de9a
GP		 422}
423
0f852724 424void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 425{
426 struct l2cap_conn *conn = chan->conn;
427 struct sock *sk = chan->sk;
428
89bc500e 429 BT_DBG("chan %p state %d socket %p", chan, chan->state, sk->sk_socket);
4519de9a 430
89bc500e 431 switch (chan->state) {
4519de9a
GP		 432 case BT_LISTEN:
433 l2cap_chan_cleanup_listen(sk);
89bc500e
GP		 434
435 l2cap_state_change(chan, BT_CLOSED);
436 sock_set_flag(sk, SOCK_ZAPPED);
4519de9a
GP		 437 break;
438
439 case BT_CONNECTED:
440 case BT_CONFIG:
715ec005 441 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a 442 conn->hcon->type == ACL_LINK) {
c9b66675
GP		 443 __clear_chan_timer(chan);
444 __set_chan_timer(chan, sk->sk_sndtimeo);
4519de9a
GP		 445 l2cap_send_disconn_req(conn, chan, reason);
446 } else
447 l2cap_chan_del(chan, reason);
448 break;
449
450 case BT_CONNECT2:
715ec005 451 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a
GP		 452 conn->hcon->type == ACL_LINK) {
453 struct l2cap_conn_rsp rsp;
454 __u16 result;
455
456 if (bt_sk(sk)->defer_setup)
457 result = L2CAP_CR_SEC_BLOCK;
458 else
459 result = L2CAP_CR_BAD_PSM;
89bc500e 460 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 461
462 rsp.scid = cpu_to_le16(chan->dcid);
463 rsp.dcid = cpu_to_le16(chan->scid);
464 rsp.result = cpu_to_le16(result);
465 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
466 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
467 sizeof(rsp), &rsp);
468 }
469
470 l2cap_chan_del(chan, reason);
471 break;
472
473 case BT_CONNECT:
474 case BT_DISCONN:
475 l2cap_chan_del(chan, reason);
476 break;
477
478 default:
479 sock_set_flag(sk, SOCK_ZAPPED);
480 break;
481 }
482}
483
4343478f 484static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 485{
715ec005 486 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 487 switch (chan->sec_level) {
8556edd3
JH		 488 case BT_SECURITY_HIGH:
489 return HCI_AT_DEDICATED_BONDING_MITM;
490 case BT_SECURITY_MEDIUM:
491 return HCI_AT_DEDICATED_BONDING;
492 default:
493 return HCI_AT_NO_BONDING;
494 }
fe4128e0 495 } else if (chan->psm == cpu_to_le16(0x0001)) {
4343478f
GP		 496 if (chan->sec_level == BT_SECURITY_LOW)
497 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 498
4343478f 499 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 500 return HCI_AT_NO_BONDING_MITM;
00ae4af9 501 else
8556edd3 502 return HCI_AT_NO_BONDING;
00ae4af9 503 } else {
4343478f 504 switch (chan->sec_level) {
00ae4af9 505 case BT_SECURITY_HIGH:
8556edd3 506 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 507 case BT_SECURITY_MEDIUM:
8556edd3 508 return HCI_AT_GENERAL_BONDING;
00ae4af9 509 default:
8556edd3 510 return HCI_AT_NO_BONDING;
00ae4af9 511 }
0684e5f9 512 }
8556edd3
JH		 513}
514
515/* Service level security */
4343478f 516static inline int l2cap_check_security(struct l2cap_chan *chan)
8556edd3 517{
8c1d787b 518 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 519 __u8 auth_type;
520
4343478f 521 auth_type = l2cap_get_auth_type(chan);
79d554a6 522
4343478f 523 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 524}
525
b5ad8b7f 526static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 527{
528 u8 id;
529
530 /* Get next available identificator.
531 * 1 - 128 are used by kernel.
532 * 129 - 199 are reserved.
533 * 200 - 254 are used by utilities like l2ping, etc.
534 */
535
536 spin_lock_bh(&conn->lock);
537
538 if (++conn->tx_ident > 128)
539 conn->tx_ident = 1;
540
541 id = conn->tx_ident;
542
543 spin_unlock_bh(&conn->lock);
544
545 return id;
546}
547
4519de9a 548static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
4e8402a3
MH		 549{
550 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 551 u8 flags;
4e8402a3
MH		 552
553 BT_DBG("code 0x%2.2x", code);
554
555 if (!skb)
9a9c6a34 556 return;
4e8402a3 557
e702112f
AE		 558 if (lmp_no_flush_capable(conn->hcon->hdev))
559 flags = ACL_START_NO_FLUSH;
560 else
561 flags = ACL_START;
562
14b12d0b
JG		 563 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
564
e702112f 565 hci_send_acl(conn->hcon, skb, flags);
4e8402a3
MH		 566}
567
525cd185 568static inline void l2cap_send_sframe(struct l2cap_chan *chan, u16 control)
1c2acffb
GP		 569{
570 struct sk_buff *skb;
571 struct l2cap_hdr *lh;
8c1d787b 572 struct l2cap_conn *conn = chan->conn;
fcc203c3 573 int count, hlen = L2CAP_HDR_SIZE + 2;
e702112f 574 u8 flags;
fcc203c3 575
89bc500e 576 if (chan->state != BT_CONNECTED)
c13ffa62
GP		 577 return;
578
47d1ec61 579 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3 580 hlen += 2;
1c2acffb 581
49208c9c 582 BT_DBG("chan %p, control 0x%2.2x", chan, control);
1c2acffb 583
fcc203c3 584 count = min_t(unsigned int, conn->mtu, hlen);
1c2acffb
GP		 585 control |= L2CAP_CTRL_FRAME_TYPE;
586
525cd185 587 if (chan->conn_state & L2CAP_CONN_SEND_FBIT) {
9e917af1 588 control |= L2CAP_CTRL_FINAL;
525cd185 589 chan->conn_state &= ~L2CAP_CONN_SEND_FBIT;
9e917af1
GP		 590 }
591
525cd185 592 if (chan->conn_state & L2CAP_CONN_SEND_PBIT) {
f0946ccf 593 control |= L2CAP_CTRL_POLL;
525cd185 594 chan->conn_state &= ~L2CAP_CONN_SEND_PBIT;
f0946ccf
GP		 595 }
596
1c2acffb
GP		 597 skb = bt_skb_alloc(count, GFP_ATOMIC);
598 if (!skb)
9a9c6a34 599 return;
1c2acffb
GP		 600
601 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fcc203c3 602 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
fe4128e0 603 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb
GP		 604 put_unaligned_le16(control, skb_put(skb, 2));
605
47d1ec61 606 if (chan->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 607 u16 fcs = crc16(0, (u8 *)lh, count - 2);
608 put_unaligned_le16(fcs, skb_put(skb, 2));
609 }
610
e702112f
AE		 611 if (lmp_no_flush_capable(conn->hcon->hdev))
612 flags = ACL_START_NO_FLUSH;
613 else
614 flags = ACL_START;
615
14b12d0b
JG		 616 bt_cb(skb)->force_active = chan->force_active;
617
8c1d787b 618 hci_send_acl(chan->conn->hcon, skb, flags);
1c2acffb
GP		 619}
620
525cd185 621static inline void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, u16 control)
7e743090 622{
525cd185 623 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
7e743090 624 control |= L2CAP_SUPER_RCV_NOT_READY;
525cd185 625 chan->conn_state |= L2CAP_CONN_RNR_SENT;
1890d36b 626 } else
7e743090
GP		 627 control |= L2CAP_SUPER_RCV_READY;
628
42e5c802 629 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
2ab25cdd 630
525cd185 631 l2cap_send_sframe(chan, control);
7e743090
GP		 632}
633
b4450035 634static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 635{
c1360a1c 636 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 637}
638
fc7f8a7e 639static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 640{
8c1d787b 641 struct l2cap_conn *conn = chan->conn;
79d554a6
MH		 642
643 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 644 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
645 return;
646
4343478f
GP		 647 if (l2cap_check_security(chan) &&
648 __l2cap_no_conn_pending(chan)) {
b1235d79 649 struct l2cap_conn_req req;
fe4128e0
GP		 650 req.scid = cpu_to_le16(chan->scid);
651 req.psm = chan->psm;
79d554a6 652
fc7f8a7e 653 chan->ident = l2cap_get_ident(conn);
c1360a1c 654 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
79d554a6 655
fc7f8a7e
GP		 656 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
657 sizeof(req), &req);
b1235d79 658 }
79d554a6
MH		 659 } else {
660 struct l2cap_info_req req;
661 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
662
663 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
664 conn->info_ident = l2cap_get_ident(conn);
665
666 mod_timer(&conn->info_timer, jiffies +
667 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
668
669 l2cap_send_cmd(conn, conn->info_ident,
670 L2CAP_INFO_REQ, sizeof(req), &req);
671 }
672}
673
cf6c2c0b
GP		 674static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
675{
676 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 677 if (!disable_ertm)
cf6c2c0b
GP		 678 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
679
680 switch (mode) {
681 case L2CAP_MODE_ERTM:
682 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
683 case L2CAP_MODE_STREAMING:
684 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
685 default:
686 return 0x00;
687 }
688}
689
4519de9a 690static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
22121fc9 691{
e92c8e70 692 struct sock *sk;
22121fc9
GP		 693 struct l2cap_disconn_req req;
694
c13ffa62
GP		 695 if (!conn)
696 return;
697
e92c8e70
GP		 698 sk = chan->sk;
699
0c1bc5c6 700 if (chan->mode == L2CAP_MODE_ERTM) {
1a09bcb9
GP		 701 __clear_retrans_timer(chan);
702 __clear_monitor_timer(chan);
703 __clear_ack_timer(chan);
c13ffa62
GP		 704 }
705
fe4128e0
GP		 706 req.dcid = cpu_to_le16(chan->dcid);
707 req.scid = cpu_to_le16(chan->scid);
22121fc9
GP		 708 l2cap_send_cmd(conn, l2cap_get_ident(conn),
709 L2CAP_DISCONN_REQ, sizeof(req), &req);
c13ffa62 710
89bc500e 711 l2cap_state_change(chan, BT_DISCONN);
9b108fc0 712 sk->sk_err = err;
22121fc9
GP		 713}
714
1da177e4 715/* ---- L2CAP connections ---- */
4e8402a3
MH		 716static void l2cap_conn_start(struct l2cap_conn *conn)
717{
820ffdb3 718 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 719
720 BT_DBG("conn %p", conn);
721
baa7e1fa 722 read_lock(&conn->chan_lock);
4e8402a3 723
820ffdb3 724 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 725 struct sock *sk = chan->sk;
baa7e1fa 726
4e8402a3
MH		 727 bh_lock_sock(sk);
728
715ec005 729 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
79d554a6
MH		 730 bh_unlock_sock(sk);
731 continue;
732 }
733
89bc500e 734 if (chan->state == BT_CONNECT) {
47731de7 735 struct l2cap_conn_req req;
79d554a6 736
4343478f 737 if (!l2cap_check_security(chan) ||
b4450035 738 !__l2cap_no_conn_pending(chan)) {
47731de7
GP		 739 bh_unlock_sock(sk);
740 continue;
741 }
79d554a6 742
c1360a1c
GP		 743 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
744 && test_bit(CONF_STATE2_DEVICE,
745 &chan->conf_state)) {
0f852724 746 /* l2cap_chan_close() calls list_del(chan)
820ffdb3
GP		 747 * so release the lock */
748 read_unlock_bh(&conn->chan_lock);
89bc500e 749 l2cap_chan_close(chan, ECONNRESET);
820ffdb3 750 read_lock_bh(&conn->chan_lock);
47731de7
GP		 751 bh_unlock_sock(sk);
752 continue;
b1235d79 753 }
47731de7 754
fe4128e0
GP		 755 req.scid = cpu_to_le16(chan->scid);
756 req.psm = chan->psm;
47731de7 757
fc7f8a7e 758 chan->ident = l2cap_get_ident(conn);
c1360a1c 759 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
47731de7 760
fc7f8a7e
GP		 761 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
762 sizeof(req), &req);
47731de7 763
89bc500e 764 } else if (chan->state == BT_CONNECT2) {
79d554a6 765 struct l2cap_conn_rsp rsp;
e9aeb2dd 766 char buf[128];
fe4128e0
GP		 767 rsp.scid = cpu_to_le16(chan->dcid);
768 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 769
4343478f 770 if (l2cap_check_security(chan)) {
f66dc81f
MH		 771 if (bt_sk(sk)->defer_setup) {
772 struct sock *parent = bt_sk(sk)->parent;
773 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
774 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
775 parent->sk_data_ready(parent, 0);
776
777 } else {
89bc500e 778 l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 779 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
780 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
781 }
79d554a6
MH		 782 } else {
783 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
784 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
785 }
786
fc7f8a7e
GP		 787 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
788 sizeof(rsp), &rsp);
e9aeb2dd 789
c1360a1c 790 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
e9aeb2dd
GP		 791 rsp.result != L2CAP_CR_SUCCESS) {
792 bh_unlock_sock(sk);
793 continue;
794 }
795
c1360a1c 796 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 797 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 798 l2cap_build_conf_req(chan, buf), buf);
799 chan->num_conf_req++;
4e8402a3
MH		 800 }
801
802 bh_unlock_sock(sk);
803 }
804
baa7e1fa 805 read_unlock(&conn->chan_lock);
4e8402a3
MH		 806}
807
b62f328b
VT		 808/* Find socket with cid and source bdaddr.
809 * Returns closest match, locked.
810 */
23691d75 811static struct l2cap_chan *l2cap_global_chan_by_scid(int state, __le16 cid, bdaddr_t *src)
b62f328b 812{
23691d75 813 struct l2cap_chan *c, *c1 = NULL;
b62f328b 814
23691d75 815 read_lock(&chan_list_lock);
b62f328b 816
23691d75
GP		 817 list_for_each_entry(c, &chan_list, global_l) {
818 struct sock *sk = c->sk;
fe4128e0 819
89bc500e 820 if (state && c->state != state)
b62f328b
VT		 821 continue;
822
23691d75 823 if (c->scid == cid) {
b62f328b 824 /* Exact match. */
23691d75
GP		 825 if (!bacmp(&bt_sk(sk)->src, src)) {
826 read_unlock(&chan_list_lock);
827 return c;
828 }
b62f328b
VT		 829
830 /* Closest match */
831 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
23691d75 832 c1 = c;
b62f328b
VT		 833 }
834 }
280f294f 835
23691d75 836 read_unlock(&chan_list_lock);
b62f328b 837
23691d75 838 return c1;
b62f328b
VT		 839}
840
841static void l2cap_le_conn_ready(struct l2cap_conn *conn)
842{
c916fbe4 843 struct sock *parent, *sk;
23691d75 844 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 845
846 BT_DBG("");
847
848 /* Check if we have socket listening on cid */
23691d75 849 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
b62f328b 850 conn->src);
23691d75 851 if (!pchan)
b62f328b
VT		 852 return;
853
23691d75
GP		 854 parent = pchan->sk;
855
62f3a2cf
GP		 856 bh_lock_sock(parent);
857
b62f328b
VT		 858 /* Check for backlog size */
859 if (sk_acceptq_is_full(parent)) {
860 BT_DBG("backlog full %d", parent->sk_ack_backlog);
861 goto clean;
862 }
863
80808e43
GP		 864 chan = pchan->ops->new_connection(pchan->data);
865 if (!chan)
b62f328b
VT		 866 goto clean;
867
80808e43 868 sk = chan->sk;
5d41ce1d 869
baa7e1fa 870 write_lock_bh(&conn->chan_lock);
b62f328b
VT		 871
872 hci_conn_hold(conn->hcon);
873
b62f328b
VT		 874 bacpy(&bt_sk(sk)->src, conn->src);
875 bacpy(&bt_sk(sk)->dst, conn->dst);
876
d1010240
GP		 877 bt_accept_enqueue(parent, sk);
878
48454079
GP		 879 __l2cap_chan_add(conn, chan);
880
c9b66675 881 __set_chan_timer(chan, sk->sk_sndtimeo);
b62f328b 882
89bc500e 883 l2cap_state_change(chan, BT_CONNECTED);
b62f328b
VT		 884 parent->sk_data_ready(parent, 0);
885
baa7e1fa 886 write_unlock_bh(&conn->chan_lock);
b62f328b
VT		 887
888clean:
889 bh_unlock_sock(parent);
890}
891
f1cb9af5
VCG		 892static void l2cap_chan_ready(struct sock *sk)
893{
894 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
895 struct sock *parent = bt_sk(sk)->parent;
896
897 BT_DBG("sk %p, parent %p", sk, parent);
898
899 chan->conf_state = 0;
900 __clear_chan_timer(chan);
901
902 sk->sk_state = BT_CONNECTED;
903 sk->sk_state_change(sk);
904
905 if (parent)
906 parent->sk_data_ready(parent, 0);
907}
908
4e8402a3
MH		 909static void l2cap_conn_ready(struct l2cap_conn *conn)
910{
48454079 911 struct l2cap_chan *chan;
4e8402a3 912
79d554a6 913 BT_DBG("conn %p", conn);
4e8402a3 914
b62f328b
VT		 915 if (!conn->hcon->out && conn->hcon->type == LE_LINK)
916 l2cap_le_conn_ready(conn);
917
baa7e1fa 918 read_lock(&conn->chan_lock);
4e8402a3 919
baa7e1fa 920 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 921 struct sock *sk = chan->sk;
baa7e1fa 922
79d554a6 923 bh_lock_sock(sk);
4e8402a3 924
f1cb9af5 925 if (conn->hcon->type == LE_LINK)
b501d6a1 926 if (smp_conn_security(conn, chan->sec_level))
f1cb9af5 927 l2cap_chan_ready(sk);
acd7d370 928
715ec005 929 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 930 __clear_chan_timer(chan);
89bc500e 931 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 932 sk->sk_state_change(sk);
b501d6a1 933
89bc500e 934 } else if (chan->state == BT_CONNECT)
fc7f8a7e 935 l2cap_do_start(chan);
4e8402a3 936
79d554a6 937 bh_unlock_sock(sk);
4e8402a3 938 }
79d554a6 939
baa7e1fa 940 read_unlock(&conn->chan_lock);
4e8402a3
MH		 941}
942
943/* Notify sockets that we cannot guaranty reliability anymore */
944static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
945{
48454079 946 struct l2cap_chan *chan;
4e8402a3
MH		 947
948 BT_DBG("conn %p", conn);
949
baa7e1fa 950 read_lock(&conn->chan_lock);
4e8402a3 951
baa7e1fa 952 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 953 struct sock *sk = chan->sk;
baa7e1fa 954
4343478f 955 if (chan->force_reliable)
4e8402a3
MH		 956 sk->sk_err = err;
957 }
958
baa7e1fa 959 read_unlock(&conn->chan_lock);
4e8402a3
MH		 960}
961
962static void l2cap_info_timeout(unsigned long arg)
963{
964 struct l2cap_conn *conn = (void *) arg;
965
984947dc 966 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 967 conn->info_ident = 0;
984947dc 968
4e8402a3
MH		 969 l2cap_conn_start(conn);
970}
971
5d3de7df
VCG		 972static void l2cap_conn_del(struct hci_conn *hcon, int err)
973{
974 struct l2cap_conn *conn = hcon->l2cap_data;
975 struct l2cap_chan *chan, *l;
976 struct sock *sk;
977
978 if (!conn)
979 return;
980
981 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
982
983 kfree_skb(conn->rx_skb);
984
985 /* Kill channels */
986 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
987 sk = chan->sk;
988 bh_lock_sock(sk);
989 l2cap_chan_del(chan, err);
990 bh_unlock_sock(sk);
991 chan->ops->close(chan->data);
992 }
993
994 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
995 del_timer_sync(&conn->info_timer);
996
997 if (test_bit(HCI_CONN_ENCRYPT_PEND, &hcon->pend))
998 del_timer(&conn->security_timer);
999
1000 hcon->l2cap_data = NULL;
1001 kfree(conn);
1002}
1003
1004static void security_timeout(unsigned long arg)
1005{
1006 struct l2cap_conn *conn = (void *) arg;
1007
1008 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1009}
1010
1da177e4
LT		 1011static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1012{
0139418c 1013 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4 1014
0139418c 1015 if (conn || status)
1da177e4
LT		 1016 return conn;
1017
0139418c
MH		 1018 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
1019 if (!conn)
1da177e4 1020 return NULL;
1da177e4
LT		 1021
1022 hcon->l2cap_data = conn;
1023 conn->hcon = hcon;
1024
0139418c
MH		 1025 BT_DBG("hcon %p conn %p", hcon, conn);
1026
acd7d370
VT		 1027 if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
1028 conn->mtu = hcon->hdev->le_mtu;
1029 else
1030 conn->mtu = hcon->hdev->acl_mtu;
1031
1da177e4
LT		 1032 conn->src = &hcon->hdev->bdaddr;
1033 conn->dst = &hcon->dst;
1034
4e8402a3
MH		 1035 conn->feat_mask = 0;
1036
1da177e4 1037 spin_lock_init(&conn->lock);
baa7e1fa
GP		 1038 rwlock_init(&conn->chan_lock);
1039
1040 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 1041
5d3de7df
VCG		 1042 if (hcon->type == LE_LINK)
1043 setup_timer(&conn->security_timer, security_timeout,
1044 (unsigned long) conn);
1045 else
b62f328b 1046 setup_timer(&conn->info_timer, l2cap_info_timeout,
45054dc1
DY		 1047 (unsigned long) conn);
1048
2950f21a
MH		 1049 conn->disc_reason = 0x13;
1050
1da177e4
LT		 1051 return conn;
1052}
1053
48454079 1054static inline void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
1da177e4 1055{
baa7e1fa 1056 write_lock_bh(&conn->chan_lock);
48454079 1057 __l2cap_chan_add(conn, chan);
baa7e1fa 1058 write_unlock_bh(&conn->chan_lock);
1da177e4
LT		 1059}
1060
1da177e4 1061/* ---- Socket interface ---- */
1da177e4
LT		 1062
1063/* Find socket with psm and source bdaddr.
1064 * Returns closest match.
1065 */
23691d75 1066static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm, bdaddr_t *src)
1da177e4 1067{
23691d75 1068 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1069
23691d75 1070 read_lock(&chan_list_lock);
e0f0cb56 1071
23691d75
GP		 1072 list_for_each_entry(c, &chan_list, global_l) {
1073 struct sock *sk = c->sk;
fe4128e0 1074
89bc500e 1075 if (state && c->state != state)
1da177e4
LT		 1076 continue;
1077
23691d75 1078 if (c->psm == psm) {
1da177e4 1079 /* Exact match. */
23691d75 1080 if (!bacmp(&bt_sk(sk)->src, src)) {
a7567b20 1081 read_unlock(&chan_list_lock);
23691d75
GP		 1082 return c;
1083 }
1da177e4
LT		 1084
1085 /* Closest match */
1086 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
23691d75 1087 c1 = c;
1da177e4
LT		 1088 }
1089 }
1da177e4 1090
23691d75 1091 read_unlock(&chan_list_lock);
e0f0cb56 1092
23691d75 1093 return c1;
1da177e4
LT		 1094}
1095
77a74c7e 1096int l2cap_chan_connect(struct l2cap_chan *chan)
1da177e4 1097{
5d41ce1d 1098 struct sock *sk = chan->sk;
1da177e4
LT		 1099 bdaddr_t *src = &bt_sk(sk)->src;
1100 bdaddr_t *dst = &bt_sk(sk)->dst;
1101 struct l2cap_conn *conn;
1102 struct hci_conn *hcon;
1103 struct hci_dev *hdev;
09ab6f4c 1104 __u8 auth_type;
44d0e48e 1105 int err;
1da177e4 1106
f29972de 1107 BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
fe4128e0 1108 chan->psm);
1da177e4 1109
af05b30b
GP		 1110 hdev = hci_get_route(dst, src);
1111 if (!hdev)
1da177e4
LT		 1112 return -EHOSTUNREACH;
1113
1114 hci_dev_lock_bh(hdev);
1115
4343478f 1116 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1117
fe4128e0 1118 if (chan->dcid == L2CAP_CID_LE_DATA)
acd7d370 1119 hcon = hci_connect(hdev, LE_LINK, dst,
4343478f 1120 chan->sec_level, auth_type);
acd7d370
VT		 1121 else
1122 hcon = hci_connect(hdev, ACL_LINK, dst,
4343478f 1123 chan->sec_level, auth_type);
acd7d370 1124
30e76272
VT		 1125 if (IS_ERR(hcon)) {
1126 err = PTR_ERR(hcon);
1da177e4 1127 goto done;
30e76272 1128 }
1da177e4
LT		 1129
1130 conn = l2cap_conn_add(hcon, 0);
1131 if (!conn) {
1132 hci_conn_put(hcon);
30e76272 1133 err = -ENOMEM;
1da177e4
LT		 1134 goto done;
1135 }
1136
1da177e4
LT		 1137 /* Update source addr of the socket */
1138 bacpy(src, conn->src);
1139
48454079
GP		 1140 l2cap_chan_add(conn, chan);
1141
89bc500e 1142 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1143 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1144
1145 if (hcon->state == BT_CONNECTED) {
715ec005 1146 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1147 __clear_chan_timer(chan);
4343478f 1148 if (l2cap_check_security(chan))
89bc500e 1149 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1150 } else
fc7f8a7e 1151 l2cap_do_start(chan);
1da177e4
LT		 1152 }
1153
30e76272
VT		 1154 err = 0;
1155
1da177e4
LT		 1156done:
1157 hci_dev_unlock_bh(hdev);
1158 hci_dev_put(hdev);
1159 return err;
1160}
1161
dcba0dba 1162int __l2cap_wait_ack(struct sock *sk)
6161c038 1163{
8c1d787b 1164 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1165 DECLARE_WAITQUEUE(wait, current);
1166 int err = 0;
1167 int timeo = HZ/5;
1168
2b0b05dd 1169 add_wait_queue(sk_sleep(sk), &wait);
8c1d787b 1170 while ((chan->unacked_frames > 0 && chan->conn)) {
6161c038
GP		 1171 set_current_state(TASK_INTERRUPTIBLE);
1172
1173 if (!timeo)
1174 timeo = HZ/5;
1175
1176 if (signal_pending(current)) {
1177 err = sock_intr_errno(timeo);
1178 break;
1179 }
1180
1181 release_sock(sk);
1182 timeo = schedule_timeout(timeo);
1183 lock_sock(sk);
1184
1185 err = sock_error(sk);
1186 if (err)
1187 break;
1188 }
1189 set_current_state(TASK_RUNNING);
2b0b05dd 1190 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1191 return err;
1192}
1193
e90bac06
GP		 1194static void l2cap_monitor_timeout(unsigned long arg)
1195{
525cd185
GP		 1196 struct l2cap_chan *chan = (void *) arg;
1197 struct sock *sk = chan->sk;
e90bac06 1198
525cd185 1199 BT_DBG("chan %p", chan);
0e98958d 1200
e686219a 1201 bh_lock_sock(sk);
2c03a7a4 1202 if (chan->retry_count >= chan->remote_max_tx) {
8c1d787b 1203 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
b13f5860 1204 bh_unlock_sock(sk);
e90bac06
GP		 1205 return;
1206 }
1207
6a026610 1208 chan->retry_count++;
1a09bcb9 1209 __set_monitor_timer(chan);
e90bac06 1210
525cd185 1211 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
e686219a 1212 bh_unlock_sock(sk);
e90bac06
GP		 1213}
1214
1215static void l2cap_retrans_timeout(unsigned long arg)
1216{
525cd185
GP		 1217 struct l2cap_chan *chan = (void *) arg;
1218 struct sock *sk = chan->sk;
e90bac06 1219
49208c9c 1220 BT_DBG("chan %p", chan);
0e98958d 1221
e686219a 1222 bh_lock_sock(sk);
6a026610 1223 chan->retry_count = 1;
1a09bcb9 1224 __set_monitor_timer(chan);
e90bac06 1225
525cd185 1226 chan->conn_state |= L2CAP_CONN_WAIT_F;
e90bac06 1227
525cd185 1228 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
e686219a 1229 bh_unlock_sock(sk);
e90bac06
GP		 1230}
1231
42e5c802 1232static void l2cap_drop_acked_frames(struct l2cap_chan *chan)
1da177e4 1233{
1c2acffb 1234 struct sk_buff *skb;
1da177e4 1235
58d35f87 1236 while ((skb = skb_peek(&chan->tx_q)) &&
6a026610 1237 chan->unacked_frames) {
42e5c802 1238 if (bt_cb(skb)->tx_seq == chan->expected_ack_seq)
1c2acffb 1239 break;
1da177e4 1240
58d35f87 1241 skb = skb_dequeue(&chan->tx_q);
1c2acffb 1242 kfree_skb(skb);
1da177e4 1243
6a026610 1244 chan->unacked_frames--;
1c2acffb 1245 }
1da177e4 1246
6a026610 1247 if (!chan->unacked_frames)
1a09bcb9 1248 __clear_retrans_timer(chan);
1c2acffb 1249}
1da177e4 1250
4343478f 1251void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
1c2acffb 1252{
8c1d787b 1253 struct hci_conn *hcon = chan->conn->hcon;
e702112f 1254 u16 flags;
1c2acffb 1255
4343478f 1256 BT_DBG("chan %p, skb %p len %d", chan, skb, skb->len);
1da177e4 1257
4343478f 1258 if (!chan->flushable && lmp_no_flush_capable(hcon->hdev))
e702112f
AE		 1259 flags = ACL_START_NO_FLUSH;
1260 else
1261 flags = ACL_START;
1262
14b12d0b 1263 bt_cb(skb)->force_active = chan->force_active;
e702112f 1264 hci_send_acl(hcon, skb, flags);
1c2acffb
GP		 1265}
1266
42e5c802 1267void l2cap_streaming_send(struct l2cap_chan *chan)
6840ed07 1268{
ccbb84af 1269 struct sk_buff *skb;
fcc203c3 1270 u16 control, fcs;
6840ed07 1271
58d35f87 1272 while ((skb = skb_dequeue(&chan->tx_q))) {
ccbb84af 1273 control = get_unaligned_le16(skb->data + L2CAP_HDR_SIZE);
42e5c802 1274 control |= chan->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT;
ccbb84af 1275 put_unaligned_le16(control, skb->data + L2CAP_HDR_SIZE);
6840ed07 1276
47d1ec61 1277 if (chan->fcs == L2CAP_FCS_CRC16) {
ccbb84af
GP		 1278 fcs = crc16(0, (u8 *)skb->data, skb->len - 2);
1279 put_unaligned_le16(fcs, skb->data + skb->len - 2);
fcc203c3
GP		 1280 }
1281
4343478f 1282 l2cap_do_send(chan, skb);
6840ed07 1283
42e5c802 1284 chan->next_tx_seq = (chan->next_tx_seq + 1) % 64;
6840ed07 1285 }
6840ed07
GP		 1286}
1287
525cd185 1288static void l2cap_retransmit_one_frame(struct l2cap_chan *chan, u8 tx_seq)
8f17154f 1289{
8f17154f
GP		 1290 struct sk_buff *skb, *tx_skb;
1291 u16 control, fcs;
8f17154f 1292
58d35f87 1293 skb = skb_peek(&chan->tx_q);
f11d676d
GP		 1294 if (!skb)
1295 return;
8f17154f 1296
f11d676d
GP		 1297 do {
1298 if (bt_cb(skb)->tx_seq == tx_seq)
8f17154f 1299 break;
8f17154f 1300
58d35f87 1301 if (skb_queue_is_last(&chan->tx_q, skb))
f11d676d 1302 return;
8f17154f 1303
58d35f87 1304 } while ((skb = skb_queue_next(&chan->tx_q, skb)));
8f17154f 1305
2c03a7a4
GP		 1306 if (chan->remote_max_tx &&
1307 bt_cb(skb)->retries == chan->remote_max_tx) {
8c1d787b 1308 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
f11d676d
GP		 1309 return;
1310 }
1311
1312 tx_skb = skb_clone(skb, GFP_ATOMIC);
1313 bt_cb(skb)->retries++;
1314 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
a429b519 1315 control &= L2CAP_CTRL_SAR;
3cb123d1 1316
525cd185 1317 if (chan->conn_state & L2CAP_CONN_SEND_FBIT) {
3cb123d1 1318 control |= L2CAP_CTRL_FINAL;
525cd185 1319 chan->conn_state &= ~L2CAP_CONN_SEND_FBIT;
3cb123d1 1320 }
95ffa978 1321
42e5c802 1322 control |= (chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
f11d676d 1323 | (tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
3cb123d1 1324
f11d676d
GP		 1325 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1326
47d1ec61 1327 if (chan->fcs == L2CAP_FCS_CRC16) {
f11d676d
GP		 1328 fcs = crc16(0, (u8 *)tx_skb->data, tx_skb->len - 2);
1329 put_unaligned_le16(fcs, tx_skb->data + tx_skb->len - 2);
1330 }
1331
4343478f 1332 l2cap_do_send(chan, tx_skb);
8f17154f
GP		 1333}
1334
525cd185 1335int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1336{
1337 struct sk_buff *skb, *tx_skb;
fcc203c3 1338 u16 control, fcs;
9a9c6a34 1339 int nsent = 0;
1c2acffb 1340
89bc500e 1341 if (chan->state != BT_CONNECTED)
c13ffa62 1342 return -ENOTCONN;
e90bac06 1343
58d35f87 1344 while ((skb = chan->tx_send_head) && (!l2cap_tx_window_full(chan))) {
1c2acffb 1345
2c03a7a4
GP		 1346 if (chan->remote_max_tx &&
1347 bt_cb(skb)->retries == chan->remote_max_tx) {
8c1d787b 1348 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
e90bac06
GP		 1349 break;
1350 }
1351
e420aba3
AE		 1352 tx_skb = skb_clone(skb, GFP_ATOMIC);
1353
e90bac06
GP		 1354 bt_cb(skb)->retries++;
1355
1c2acffb 1356 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
95ffa978
GP		 1357 control &= L2CAP_CTRL_SAR;
1358
525cd185 1359 if (chan->conn_state & L2CAP_CONN_SEND_FBIT) {
d5392c8f 1360 control |= L2CAP_CTRL_FINAL;
525cd185 1361 chan->conn_state &= ~L2CAP_CONN_SEND_FBIT;
d5392c8f 1362 }
42e5c802
GP		 1363 control |= (chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1364 | (chan->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
1c2acffb
GP		 1365 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1366
e90bac06 1367
47d1ec61 1368 if (chan->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 1369 fcs = crc16(0, (u8 *)skb->data, tx_skb->len - 2);
1370 put_unaligned_le16(fcs, skb->data + tx_skb->len - 2);
1371 }
1372
4343478f 1373 l2cap_do_send(chan, tx_skb);
9a9c6a34 1374
1a09bcb9 1375 __set_retrans_timer(chan);
1c2acffb 1376
42e5c802
GP		 1377 bt_cb(skb)->tx_seq = chan->next_tx_seq;
1378 chan->next_tx_seq = (chan->next_tx_seq + 1) % 64;
1c2acffb 1379
23e9fde2 1380 if (bt_cb(skb)->retries == 1)
6a026610 1381 chan->unacked_frames++;
23e9fde2 1382
6a026610 1383 chan->frames_sent++;
1c2acffb 1384
58d35f87
GP		 1385 if (skb_queue_is_last(&chan->tx_q, skb))
1386 chan->tx_send_head = NULL;
1c2acffb 1387 else
58d35f87 1388 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
9e917af1
GP		 1389
1390 nsent++;
1c2acffb
GP		 1391 }
1392
9e917af1
GP		 1393 return nsent;
1394}
1395
525cd185 1396static int l2cap_retransmit_frames(struct l2cap_chan *chan)
dfc909be 1397{
dfc909be
GP		 1398 int ret;
1399
58d35f87
GP		 1400 if (!skb_queue_empty(&chan->tx_q))
1401 chan->tx_send_head = chan->tx_q.next;
dfc909be 1402
42e5c802 1403 chan->next_tx_seq = chan->expected_ack_seq;
525cd185 1404 ret = l2cap_ertm_send(chan);
dfc909be
GP		 1405 return ret;
1406}
1407
525cd185 1408static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 1409{
9e917af1
GP		 1410 u16 control = 0;
1411
42e5c802 1412 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
9e917af1 1413
525cd185 1414 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
9e917af1 1415 control |= L2CAP_SUPER_RCV_NOT_READY;
525cd185
GP		 1416 chan->conn_state |= L2CAP_CONN_RNR_SENT;
1417 l2cap_send_sframe(chan, control);
9a9c6a34 1418 return;
9e917af1 1419 }
dfc909be 1420
525cd185 1421 if (l2cap_ertm_send(chan) > 0)
dfc909be
GP		 1422 return;
1423
1424 control |= L2CAP_SUPER_RCV_READY;
525cd185 1425 l2cap_send_sframe(chan, control);
1c2acffb
GP		 1426}
1427
525cd185 1428static void l2cap_send_srejtail(struct l2cap_chan *chan)
99b0d4b7
GP		 1429{
1430 struct srej_list *tail;
1431 u16 control;
1432
1433 control = L2CAP_SUPER_SELECT_REJECT;
1434 control |= L2CAP_CTRL_FINAL;
1435
39d5a3ee 1436 tail = list_entry((&chan->srej_l)->prev, struct srej_list, list);
99b0d4b7
GP		 1437 control |= tail->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1438
525cd185 1439 l2cap_send_sframe(chan, control);
99b0d4b7
GP		 1440}
1441
1c2acffb
GP		 1442static inline int l2cap_skbuff_fromiovec(struct sock *sk, struct msghdr *msg, int len, int count, struct sk_buff *skb)
1443{
8c1d787b 1444 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
1c2acffb
GP		 1445 struct sk_buff **frag;
1446 int err, sent = 0;
1da177e4 1447
59203a21 1448 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1449 return -EFAULT;
1da177e4
LT		 1450
1451 sent += count;
1452 len -= count;
1453
1454 /* Continuation fragments (no L2CAP header) */
1455 frag = &skb_shinfo(skb)->frag_list;
1456 while (len) {
1457 count = min_t(unsigned int, conn->mtu, len);
1458
1459 *frag = bt_skb_send_alloc(sk, count, msg->msg_flags & MSG_DONTWAIT, &err);
1460 if (!*frag)
0175d629 1461 return err;
1c2acffb
GP		 1462 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1463 return -EFAULT;
1da177e4
LT		 1464
1465 sent += count;
1466 len -= count;
1467
1468 frag = &(*frag)->next;
1469 }
1da177e4
LT		 1470
1471 return sent;
1c2acffb 1472}
1da177e4 1473
fe4128e0 1474struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1c2acffb 1475{
fe4128e0 1476 struct sock *sk = chan->sk;
8c1d787b 1477 struct l2cap_conn *conn = chan->conn;
1c2acffb
GP		 1478 struct sk_buff *skb;
1479 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1480 struct l2cap_hdr *lh;
1481
1482 BT_DBG("sk %p len %d", sk, (int)len);
1483
1484 count = min_t(unsigned int, (conn->mtu - hlen), len);
1485 skb = bt_skb_send_alloc(sk, count + hlen,
1486 msg->msg_flags & MSG_DONTWAIT, &err);
1487 if (!skb)
0175d629 1488 return ERR_PTR(err);
1c2acffb
GP		 1489
1490 /* Create L2CAP header */
1491 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1492 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 1493 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
fe4128e0 1494 put_unaligned_le16(chan->psm, skb_put(skb, 2));
1c2acffb
GP		 1495
1496 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1497 if (unlikely(err < 0)) {
1498 kfree_skb(skb);
1499 return ERR_PTR(err);
1500 }
1501 return skb;
1502}
1503
fe4128e0 1504struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1c2acffb 1505{
fe4128e0 1506 struct sock *sk = chan->sk;
8c1d787b 1507 struct l2cap_conn *conn = chan->conn;
1c2acffb
GP		 1508 struct sk_buff *skb;
1509 int err, count, hlen = L2CAP_HDR_SIZE;
1510 struct l2cap_hdr *lh;
1511
1512 BT_DBG("sk %p len %d", sk, (int)len);
1513
1514 count = min_t(unsigned int, (conn->mtu - hlen), len);
1515 skb = bt_skb_send_alloc(sk, count + hlen,
1516 msg->msg_flags & MSG_DONTWAIT, &err);
1517 if (!skb)
0175d629 1518 return ERR_PTR(err);
1c2acffb
GP		 1519
1520 /* Create L2CAP header */
1521 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1522 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb
GP		 1523 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1524
1525 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1526 if (unlikely(err < 0)) {
1527 kfree_skb(skb);
1528 return ERR_PTR(err);
1529 }
1530 return skb;
1531}
1532
47d1ec61 1533struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len, u16 control, u16 sdulen)
1c2acffb 1534{
47d1ec61 1535 struct sock *sk = chan->sk;
8c1d787b 1536 struct l2cap_conn *conn = chan->conn;
1c2acffb
GP		 1537 struct sk_buff *skb;
1538 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1539 struct l2cap_hdr *lh;
1540
1541 BT_DBG("sk %p len %d", sk, (int)len);
1542
0ee0d208
GP		 1543 if (!conn)
1544 return ERR_PTR(-ENOTCONN);
1545
c74e560c
GP		 1546 if (sdulen)
1547 hlen += 2;
1548
47d1ec61 1549 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3
GP		 1550 hlen += 2;
1551
1c2acffb
GP		 1552 count = min_t(unsigned int, (conn->mtu - hlen), len);
1553 skb = bt_skb_send_alloc(sk, count + hlen,
1554 msg->msg_flags & MSG_DONTWAIT, &err);
1555 if (!skb)
0175d629 1556 return ERR_PTR(err);
1c2acffb
GP		 1557
1558 /* Create L2CAP header */
1559 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1560 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb
GP		 1561 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1562 put_unaligned_le16(control, skb_put(skb, 2));
c74e560c
GP		 1563 if (sdulen)
1564 put_unaligned_le16(sdulen, skb_put(skb, 2));
1c2acffb
GP		 1565
1566 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1567 if (unlikely(err < 0)) {
1568 kfree_skb(skb);
1569 return ERR_PTR(err);
1570 }
e90bac06 1571
47d1ec61 1572 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3
GP		 1573 put_unaligned_le16(0, skb_put(skb, 2));
1574
e90bac06 1575 bt_cb(skb)->retries = 0;
1c2acffb 1576 return skb;
1da177e4
LT		 1577}
1578
2c03a7a4 1579int l2cap_sar_segment_sdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
c74e560c 1580{
c74e560c
GP		 1581 struct sk_buff *skb;
1582 struct sk_buff_head sar_queue;
1583 u16 control;
1584 size_t size = 0;
1585
ff12fd64 1586 skb_queue_head_init(&sar_queue);
c74e560c 1587 control = L2CAP_SDU_START;
47d1ec61 1588 skb = l2cap_create_iframe_pdu(chan, msg, chan->remote_mps, control, len);
c74e560c
GP		 1589 if (IS_ERR(skb))
1590 return PTR_ERR(skb);
1591
1592 __skb_queue_tail(&sar_queue, skb);
2c03a7a4
GP		 1593 len -= chan->remote_mps;
1594 size += chan->remote_mps;
c74e560c
GP		 1595
1596 while (len > 0) {
1597 size_t buflen;
1598
2c03a7a4 1599 if (len > chan->remote_mps) {
44651b85 1600 control = L2CAP_SDU_CONTINUE;
2c03a7a4 1601 buflen = chan->remote_mps;
c74e560c 1602 } else {
44651b85 1603 control = L2CAP_SDU_END;
c74e560c
GP		 1604 buflen = len;
1605 }
1606
47d1ec61 1607 skb = l2cap_create_iframe_pdu(chan, msg, buflen, control, 0);
c74e560c
GP		 1608 if (IS_ERR(skb)) {
1609 skb_queue_purge(&sar_queue);
1610 return PTR_ERR(skb);
1611 }
1612
1613 __skb_queue_tail(&sar_queue, skb);
1614 len -= buflen;
1615 size += buflen;
c74e560c 1616 }
58d35f87
GP		 1617 skb_queue_splice_tail(&sar_queue, &chan->tx_q);
1618 if (chan->tx_send_head == NULL)
1619 chan->tx_send_head = sar_queue.next;
c74e560c
GP		 1620
1621 return size;
1622}
1623
9a91a04a
GP		 1624int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1625{
9a91a04a
GP		 1626 struct sk_buff *skb;
1627 u16 control;
1628 int err;
1629
1630 /* Connectionless channel */
715ec005 1631 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
9a91a04a
GP		 1632 skb = l2cap_create_connless_pdu(chan, msg, len);
1633 if (IS_ERR(skb))
1634 return PTR_ERR(skb);
1635
1636 l2cap_do_send(chan, skb);
1637 return len;
1638 }
1639
1640 switch (chan->mode) {
1641 case L2CAP_MODE_BASIC:
1642 /* Check outgoing MTU */
1643 if (len > chan->omtu)
1644 return -EMSGSIZE;
1645
1646 /* Create a basic PDU */
1647 skb = l2cap_create_basic_pdu(chan, msg, len);
1648 if (IS_ERR(skb))
1649 return PTR_ERR(skb);
1650
1651 l2cap_do_send(chan, skb);
1652 err = len;
1653 break;
1654
1655 case L2CAP_MODE_ERTM:
1656 case L2CAP_MODE_STREAMING:
1657 /* Entire SDU fits into one PDU */
1658 if (len <= chan->remote_mps) {
1659 control = L2CAP_SDU_UNSEGMENTED;
1660 skb = l2cap_create_iframe_pdu(chan, msg, len, control,
1661 0);
1662 if (IS_ERR(skb))
1663 return PTR_ERR(skb);
1664
1665 __skb_queue_tail(&chan->tx_q, skb);
1666
1667 if (chan->tx_send_head == NULL)
1668 chan->tx_send_head = skb;
1669
1670 } else {
1671 /* Segment SDU into multiples PDUs */
1672 err = l2cap_sar_segment_sdu(chan, msg, len);
1673 if (err < 0)
1674 return err;
1675 }
1676
1677 if (chan->mode == L2CAP_MODE_STREAMING) {
1678 l2cap_streaming_send(chan);
1679 err = len;
1680 break;
1681 }
1682
1683 if ((chan->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
1684 (chan->conn_state & L2CAP_CONN_WAIT_F)) {
1685 err = len;
1686 break;
1687 }
1688
1689 err = l2cap_ertm_send(chan);
1690 if (err >= 0)
1691 err = len;
1692
1693 break;
1694
1695 default:
1696 BT_DBG("bad state %1.1x", chan->mode);
1697 err = -EBADFD;
1698 }
1699
1700 return err;
1701}
1702
1da177e4
LT		 1703/* Copy frame to all raw sockets on that connection */
1704static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
1705{
1da177e4 1706 struct sk_buff *nskb;
48454079 1707 struct l2cap_chan *chan;
1da177e4
LT		 1708
1709 BT_DBG("conn %p", conn);
1710
baa7e1fa
GP		 1711 read_lock(&conn->chan_lock);
1712 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 1713 struct sock *sk = chan->sk;
715ec005 1714 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 1715 continue;
1716
1717 /* Don't send frame to the socket it came from */
1718 if (skb->sk == sk)
1719 continue;
af05b30b
GP		 1720 nskb = skb_clone(skb, GFP_ATOMIC);
1721 if (!nskb)
1da177e4
LT		 1722 continue;
1723
23070494 1724 if (chan->ops->recv(chan->data, nskb))
1da177e4
LT		 1725 kfree_skb(nskb);
1726 }
baa7e1fa 1727 read_unlock(&conn->chan_lock);
1da177e4
LT		 1728}
1729
1730/* ---- L2CAP signalling commands ---- */
1731static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
1732 u8 code, u8 ident, u16 dlen, void *data)
1733{
1734 struct sk_buff *skb, **frag;
1735 struct l2cap_cmd_hdr *cmd;
1736 struct l2cap_hdr *lh;
1737 int len, count;
1738
af05b30b
GP		 1739 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
1740 conn, code, ident, dlen);
1da177e4
LT		 1741
1742 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
1743 count = min_t(unsigned int, conn->mtu, len);
1744
1745 skb = bt_skb_alloc(count, GFP_ATOMIC);
1746 if (!skb)
1747 return NULL;
1748
1749 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 1750 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 1751
1752 if (conn->hcon->type == LE_LINK)
1753 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
1754 else
1755 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 1756
1757 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
1758 cmd->code = code;
1759 cmd->ident = ident;
aca3192c 1760 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 1761
1762 if (dlen) {
1763 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
1764 memcpy(skb_put(skb, count), data, count);
1765 data += count;
1766 }
1767
1768 len -= skb->len;
1769
1770 /* Continuation fragments (no L2CAP header) */
1771 frag = &skb_shinfo(skb)->frag_list;
1772 while (len) {
1773 count = min_t(unsigned int, conn->mtu, len);
1774
1775 *frag = bt_skb_alloc(count, GFP_ATOMIC);
1776 if (!*frag)
1777 goto fail;
1778
1779 memcpy(skb_put(*frag, count), data, count);
1780
1781 len -= count;
1782 data += count;
1783
1784 frag = &(*frag)->next;
1785 }
1786
1787 return skb;
1788
1789fail:
1790 kfree_skb(skb);
1791 return NULL;
1792}
1793
1794static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
1795{
1796 struct l2cap_conf_opt *opt = *ptr;
1797 int len;
1798
1799 len = L2CAP_CONF_OPT_SIZE + opt->len;
1800 *ptr += len;
1801
1802 *type = opt->type;
1803 *olen = opt->len;
1804
1805 switch (opt->len) {
1806 case 1:
1807 *val = *((u8 *) opt->val);
1808 break;
1809
1810 case 2:
bfaaeb3e 1811 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 1812 break;
1813
1814 case 4:
bfaaeb3e 1815 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 1816 break;
1817
1818 default:
1819 *val = (unsigned long) opt->val;
1820 break;
1821 }
1822
1823 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
1824 return len;
1825}
1826
1da177e4
LT		 1827static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
1828{
1829 struct l2cap_conf_opt *opt = *ptr;
1830
1831 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
1832
1833 opt->type = type;
1834 opt->len = len;
1835
1836 switch (len) {
1837 case 1:
1838 *((u8 *) opt->val) = val;
1839 break;
1840
1841 case 2:
4f8b691c 1842 put_unaligned_le16(val, opt->val);
1da177e4
LT		 1843 break;
1844
1845 case 4:
4f8b691c 1846 put_unaligned_le32(val, opt->val);
1da177e4
LT		 1847 break;
1848
1849 default:
1850 memcpy(opt->val, (void *) val, len);
1851 break;
1852 }
1853
1854 *ptr += L2CAP_CONF_OPT_SIZE + len;
1855}
1856
c1b4f43b
GP		 1857static void l2cap_ack_timeout(unsigned long arg)
1858{
525cd185 1859 struct l2cap_chan *chan = (void *) arg;
c1b4f43b 1860
525cd185
GP		 1861 bh_lock_sock(chan->sk);
1862 l2cap_send_ack(chan);
1863 bh_unlock_sock(chan->sk);
c1b4f43b
GP		 1864}
1865
525cd185 1866static inline void l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 1867{
525cd185
GP		 1868 struct sock *sk = chan->sk;
1869
42e5c802 1870 chan->expected_ack_seq = 0;
6a026610 1871 chan->unacked_frames = 0;
42e5c802 1872 chan->buffer_seq = 0;
6a026610
GP		 1873 chan->num_acked = 0;
1874 chan->frames_sent = 0;
0565c1c2 1875
e92c8e70
GP		 1876 setup_timer(&chan->retrans_timer, l2cap_retrans_timeout,
1877 (unsigned long) chan);
1878 setup_timer(&chan->monitor_timer, l2cap_monitor_timeout,
1879 (unsigned long) chan);
1880 setup_timer(&chan->ack_timer, l2cap_ack_timeout, (unsigned long) chan);
0565c1c2 1881
f1c6775b
GP		 1882 skb_queue_head_init(&chan->srej_q);
1883 skb_queue_head_init(&chan->busy_q);
1890d36b 1884
39d5a3ee
GP		 1885 INIT_LIST_HEAD(&chan->srej_l);
1886
311bb895 1887 INIT_WORK(&chan->busy_work, l2cap_busy_work);
218bb9df
GP		 1888
1889 sk->sk_backlog_rcv = l2cap_ertm_data_rcv;
0565c1c2
GP		 1890}
1891
f2fcfcd6
GP		 1892static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
1893{
1894 switch (mode) {
1895 case L2CAP_MODE_STREAMING:
1896 case L2CAP_MODE_ERTM:
1897 if (l2cap_mode_supported(mode, remote_feat_mask))
1898 return mode;
1899 /* fall through */
1900 default:
1901 return L2CAP_MODE_BASIC;
1902 }
1903}
1904
710f9b0a 1905static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 1906{
1da177e4 1907 struct l2cap_conf_req *req = data;
0c1bc5c6 1908 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4
LT		 1909 void *ptr = req->data;
1910
49208c9c 1911 BT_DBG("chan %p", chan);
1da177e4 1912
73ffa904 1913 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 1914 goto done;
1915
0c1bc5c6 1916 switch (chan->mode) {
f2fcfcd6
GP		 1917 case L2CAP_MODE_STREAMING:
1918 case L2CAP_MODE_ERTM:
c1360a1c 1919 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 1920 break;
85eb53c6 1921
2ba13ed6 1922 /* fall through */
f2fcfcd6 1923 default:
8c1d787b 1924 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 1925 break;
1926 }
1927
1928done:
0c1bc5c6
GP		 1929 if (chan->imtu != L2CAP_DEFAULT_MTU)
1930 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 1931
0c1bc5c6 1932 switch (chan->mode) {
65c7c491 1933 case L2CAP_MODE_BASIC:
8c1d787b
GP		 1934 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
1935 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 1936 break;
1937
62547752
GP		 1938 rfc.mode = L2CAP_MODE_BASIC;
1939 rfc.txwin_size = 0;
1940 rfc.max_transmit = 0;
1941 rfc.retrans_timeout = 0;
1942 rfc.monitor_timeout = 0;
1943 rfc.max_pdu_size = 0;
1944
63406504
GP		 1945 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
1946 (unsigned long) &rfc);
65c7c491
MH		 1947 break;
1948
1949 case L2CAP_MODE_ERTM:
1950 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61
GP		 1951 rfc.txwin_size = chan->tx_win;
1952 rfc.max_transmit = chan->max_tx;
f2fcfcd6
GP		 1953 rfc.retrans_timeout = 0;
1954 rfc.monitor_timeout = 0;
c74e560c 1955 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
8c1d787b
GP		 1956 if (L2CAP_DEFAULT_MAX_PDU_SIZE > chan->conn->mtu - 10)
1957 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
f2fcfcd6 1958
63406504
GP		 1959 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
1960 (unsigned long) &rfc);
1961
8c1d787b 1962 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 1963 break;
1964
47d1ec61 1965 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 1966 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 1967 chan->fcs = L2CAP_FCS_NONE;
1968 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 1969 }
f2fcfcd6
GP		 1970 break;
1971
1972 case L2CAP_MODE_STREAMING:
1973 rfc.mode = L2CAP_MODE_STREAMING;
1974 rfc.txwin_size = 0;
1975 rfc.max_transmit = 0;
1976 rfc.retrans_timeout = 0;
1977 rfc.monitor_timeout = 0;
c74e560c 1978 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
8c1d787b
GP		 1979 if (L2CAP_DEFAULT_MAX_PDU_SIZE > chan->conn->mtu - 10)
1980 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
65c7c491 1981
63406504
GP		 1982 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
1983 (unsigned long) &rfc);
1984
8c1d787b 1985 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 1986 break;
1987
47d1ec61 1988 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 1989 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 1990 chan->fcs = L2CAP_FCS_NONE;
1991 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 1992 }
65c7c491
MH		 1993 break;
1994 }
1da177e4 1995
fe4128e0 1996 req->dcid = cpu_to_le16(chan->dcid);
aca3192c 1997 req->flags = cpu_to_le16(0);
1da177e4
LT		 1998
1999 return ptr - data;
2000}
2001
73ffa904 2002static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2003{
5dee9e7c
MH		 2004 struct l2cap_conf_rsp *rsp = data;
2005 void *ptr = rsp->data;
73ffa904
GP		 2006 void *req = chan->conf_req;
2007 int len = chan->conf_len;
5dee9e7c
MH		 2008 int type, hint, olen;
2009 unsigned long val;
6464f35f 2010 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
861d6882 2011 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 2012 u16 result = L2CAP_CONF_SUCCESS;
1da177e4 2013
73ffa904 2014 BT_DBG("chan %p", chan);
820ae1b8 2015
5dee9e7c
MH		 2016 while (len >= L2CAP_CONF_OPT_SIZE) {
2017 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 2018
589d2746 2019 hint = type & L2CAP_CONF_HINT;
47ec1dcd 2020 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 2021
2022 switch (type) {
2023 case L2CAP_CONF_MTU:
861d6882 2024 mtu = val;
5dee9e7c
MH		 2025 break;
2026
2027 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2028 chan->flush_to = val;
5dee9e7c
MH		 2029 break;
2030
2031 case L2CAP_CONF_QOS:
2032 break;
2033
6464f35f
MH		 2034 case L2CAP_CONF_RFC:
2035 if (olen == sizeof(rfc))
2036 memcpy(&rfc, (void *) val, olen);
2037 break;
2038
fcc203c3
GP		 2039 case L2CAP_CONF_FCS:
2040 if (val == L2CAP_FCS_NONE)
c1360a1c 2041 set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
fcc203c3
GP		 2042
2043 break;
2044
5dee9e7c
MH		 2045 default:
2046 if (hint)
2047 break;
2048
2049 result = L2CAP_CONF_UNKNOWN;
2050 *((u8 *) ptr++) = type;
2051 break;
2052 }
2053 }
2054
73ffa904 2055 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 2056 goto done;
2057
0c1bc5c6 2058 switch (chan->mode) {
f2fcfcd6
GP		 2059 case L2CAP_MODE_STREAMING:
2060 case L2CAP_MODE_ERTM:
c1360a1c 2061 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 2062 chan->mode = l2cap_select_mode(rfc.mode,
8c1d787b 2063 chan->conn->feat_mask);
85eb53c6
GP		 2064 break;
2065 }
2066
0c1bc5c6 2067 if (chan->mode != rfc.mode)
f2fcfcd6 2068 return -ECONNREFUSED;
742e519b 2069
f2fcfcd6 2070 break;
f2fcfcd6
GP		 2071 }
2072
2073done:
0c1bc5c6 2074 if (chan->mode != rfc.mode) {
f2fcfcd6 2075 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2076 rfc.mode = chan->mode;
f2fcfcd6 2077
73ffa904 2078 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 2079 return -ECONNREFUSED;
2080
2081 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2082 sizeof(rfc), (unsigned long) &rfc);
2083 }
2084
2085
5dee9e7c
MH		 2086 if (result == L2CAP_CONF_SUCCESS) {
2087 /* Configure output options and let the other side know
2088 * which ones we don't like. */
2089
f2fcfcd6
GP		 2090 if (mtu < L2CAP_DEFAULT_MIN_MTU)
2091 result = L2CAP_CONF_UNACCEPT;
2092 else {
0c1bc5c6 2093 chan->omtu = mtu;
c1360a1c 2094 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 2095 }
0c1bc5c6 2096 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 2097
f2fcfcd6
GP		 2098 switch (rfc.mode) {
2099 case L2CAP_MODE_BASIC:
47d1ec61 2100 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 2101 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 2102 break;
2103
2104 case L2CAP_MODE_ERTM:
2c03a7a4
GP		 2105 chan->remote_tx_win = rfc.txwin_size;
2106 chan->remote_max_tx = rfc.max_transmit;
86b1b263 2107
8c1d787b
GP		 2108 if (le16_to_cpu(rfc.max_pdu_size) > chan->conn->mtu - 10)
2109 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
1c762159 2110
2c03a7a4 2111 chan->remote_mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6 2112
10467e9e
GP		 2113 rfc.retrans_timeout =
2114 le16_to_cpu(L2CAP_DEFAULT_RETRANS_TO);
2115 rfc.monitor_timeout =
2116 le16_to_cpu(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6 2117
c1360a1c 2118 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 2119
2120 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2121 sizeof(rfc), (unsigned long) &rfc);
2122
f2fcfcd6
GP		 2123 break;
2124
2125 case L2CAP_MODE_STREAMING:
8c1d787b
GP		 2126 if (le16_to_cpu(rfc.max_pdu_size) > chan->conn->mtu - 10)
2127 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
1c762159 2128
2c03a7a4 2129 chan->remote_mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6 2130
c1360a1c 2131 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 2132
2133 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2134 sizeof(rfc), (unsigned long) &rfc);
2135
f2fcfcd6
GP		 2136 break;
2137
2138 default:
5dee9e7c 2139 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 2140
6464f35f 2141 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 2142 rfc.mode = chan->mode;
f2fcfcd6 2143 }
6464f35f 2144
f2fcfcd6 2145 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 2146 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 2147 }
fe4128e0 2148 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c
MH		 2149 rsp->result = cpu_to_le16(result);
2150 rsp->flags = cpu_to_le16(0x0000);
2151
2152 return ptr - data;
1da177e4
LT		 2153}
2154
b4450035 2155static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
f2fcfcd6 2156{
f2fcfcd6
GP		 2157 struct l2cap_conf_req *req = data;
2158 void *ptr = req->data;
2159 int type, olen;
2160 unsigned long val;
2161 struct l2cap_conf_rfc rfc;
2162
fe4128e0 2163 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 2164
2165 while (len >= L2CAP_CONF_OPT_SIZE) {
2166 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2167
2168 switch (type) {
2169 case L2CAP_CONF_MTU:
2170 if (val < L2CAP_DEFAULT_MIN_MTU) {
2171 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2172 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 2173 } else
0c1bc5c6
GP		 2174 chan->imtu = val;
2175 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 2176 break;
2177
2178 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2179 chan->flush_to = val;
f2fcfcd6 2180 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
0c1bc5c6 2181 2, chan->flush_to);
f2fcfcd6
GP		 2182 break;
2183
2184 case L2CAP_CONF_RFC:
2185 if (olen == sizeof(rfc))
2186 memcpy(&rfc, (void *)val, olen);
2187
c1360a1c 2188 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
0c1bc5c6 2189 rfc.mode != chan->mode)
f2fcfcd6
GP		 2190 return -ECONNREFUSED;
2191
47d1ec61 2192 chan->fcs = 0;
f2fcfcd6
GP		 2193
2194 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2195 sizeof(rfc), (unsigned long) &rfc);
2196 break;
2197 }
2198 }
2199
0c1bc5c6 2200 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 2201 return -ECONNREFUSED;
2202
0c1bc5c6 2203 chan->mode = rfc.mode;
6c2ea7a8 2204
f2fcfcd6
GP		 2205 if (*result == L2CAP_CONF_SUCCESS) {
2206 switch (rfc.mode) {
2207 case L2CAP_MODE_ERTM:
47d1ec61
GP		 2208 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2209 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2210 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2211 break;
2212 case L2CAP_MODE_STREAMING:
47d1ec61 2213 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2214 }
2215 }
2216
fe4128e0 2217 req->dcid = cpu_to_le16(chan->dcid);
f2fcfcd6
GP		 2218 req->flags = cpu_to_le16(0x0000);
2219
2220 return ptr - data;
2221}
2222
fe4128e0 2223static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
1da177e4
LT		 2224{
2225 struct l2cap_conf_rsp *rsp = data;
2226 void *ptr = rsp->data;
1da177e4 2227
fe4128e0 2228 BT_DBG("chan %p", chan);
1da177e4 2229
fe4128e0 2230 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 2231 rsp->result = cpu_to_le16(result);
aca3192c 2232 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 2233
2234 return ptr - data;
2235}
2236
8c1d787b 2237void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 2238{
2239 struct l2cap_conn_rsp rsp;
8c1d787b 2240 struct l2cap_conn *conn = chan->conn;
710f9b0a
GP		 2241 u8 buf[128];
2242
fe4128e0
GP		 2243 rsp.scid = cpu_to_le16(chan->dcid);
2244 rsp.dcid = cpu_to_le16(chan->scid);
710f9b0a
GP		 2245 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
2246 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
2247 l2cap_send_cmd(conn, chan->ident,
2248 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2249
c1360a1c 2250 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 2251 return;
2252
710f9b0a
GP		 2253 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2254 l2cap_build_conf_req(chan, buf), buf);
2255 chan->num_conf_req++;
2256}
2257
47d1ec61 2258static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 2259{
7b1c0049
GP		 2260 int type, olen;
2261 unsigned long val;
2262 struct l2cap_conf_rfc rfc;
2263
47d1ec61 2264 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 2265
0c1bc5c6 2266 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 2267 return;
2268
2269 while (len >= L2CAP_CONF_OPT_SIZE) {
2270 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2271
2272 switch (type) {
2273 case L2CAP_CONF_RFC:
2274 if (olen == sizeof(rfc))
2275 memcpy(&rfc, (void *)val, olen);
2276 goto done;
2277 }
2278 }
2279
2280done:
2281 switch (rfc.mode) {
2282 case L2CAP_MODE_ERTM:
47d1ec61
GP		 2283 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2284 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2285 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2286 break;
2287 case L2CAP_MODE_STREAMING:
47d1ec61 2288 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2289 }
2290}
2291
4e8402a3
MH		 2292static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2293{
2294 struct l2cap_cmd_rej *rej = (struct l2cap_cmd_rej *) data;
2295
2296 if (rej->reason != 0x0000)
2297 return 0;
2298
2299 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2300 cmd->ident == conn->info_ident) {
4e8402a3 2301 del_timer(&conn->info_timer);
984947dc
MH		 2302
2303 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2304 conn->info_ident = 0;
984947dc 2305
4e8402a3
MH		 2306 l2cap_conn_start(conn);
2307 }
2308
2309 return 0;
2310}
2311
1da177e4
LT		 2312static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2313{
1da177e4
LT		 2314 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
2315 struct l2cap_conn_rsp rsp;
23691d75 2316 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 2317 struct sock *parent, *sk = NULL;
e7c29cb1 2318 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2319
2320 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 2321 __le16 psm = req->psm;
1da177e4
LT		 2322
2323 BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
2324
2325 /* Check if we have socket listening on psm */
23691d75
GP		 2326 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src);
2327 if (!pchan) {
1da177e4
LT		 2328 result = L2CAP_CR_BAD_PSM;
2329 goto sendresp;
2330 }
2331
23691d75
GP		 2332 parent = pchan->sk;
2333
e0f0cb56
GP		 2334 bh_lock_sock(parent);
2335
e7c29cb1
MH		 2336 /* Check if the ACL is secure enough (if not SDP) */
2337 if (psm != cpu_to_le16(0x0001) &&
2338 !hci_conn_check_link_mode(conn->hcon)) {
2950f21a 2339 conn->disc_reason = 0x05;
e7c29cb1
MH		 2340 result = L2CAP_CR_SEC_BLOCK;
2341 goto response;
2342 }
2343
1da177e4
LT		 2344 result = L2CAP_CR_NO_MEM;
2345
2346 /* Check for backlog size */
2347 if (sk_acceptq_is_full(parent)) {
8e87d142 2348 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1da177e4
LT		 2349 goto response;
2350 }
2351
80808e43
GP		 2352 chan = pchan->ops->new_connection(pchan->data);
2353 if (!chan)
1da177e4
LT		 2354 goto response;
2355
80808e43
GP		 2356 sk = chan->sk;
2357
baa7e1fa 2358 write_lock_bh(&conn->chan_lock);
1da177e4
LT		 2359
2360 /* Check if we already have channel with that dcid */
baa7e1fa
GP		 2361 if (__l2cap_get_chan_by_dcid(conn, scid)) {
2362 write_unlock_bh(&conn->chan_lock);
1da177e4 2363 sock_set_flag(sk, SOCK_ZAPPED);
ba3bd0ee 2364 chan->ops->close(chan->data);
1da177e4
LT		 2365 goto response;
2366 }
2367
2368 hci_conn_hold(conn->hcon);
2369
1da177e4
LT		 2370 bacpy(&bt_sk(sk)->src, conn->src);
2371 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 2372 chan->psm = psm;
2373 chan->dcid = scid;
1da177e4 2374
d1010240
GP		 2375 bt_accept_enqueue(parent, sk);
2376
48454079
GP		 2377 __l2cap_chan_add(conn, chan);
2378
fe4128e0 2379 dcid = chan->scid;
1da177e4 2380
c9b66675 2381 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 2382
fc7f8a7e 2383 chan->ident = cmd->ident;
1da177e4 2384
984947dc 2385 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
4343478f 2386 if (l2cap_check_security(chan)) {
f66dc81f 2387 if (bt_sk(sk)->defer_setup) {
89bc500e 2388 l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 2389 result = L2CAP_CR_PEND;
2390 status = L2CAP_CS_AUTHOR_PEND;
2391 parent->sk_data_ready(parent, 0);
2392 } else {
89bc500e 2393 l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 2394 result = L2CAP_CR_SUCCESS;
2395 status = L2CAP_CS_NO_INFO;
2396 }
79d554a6 2397 } else {
89bc500e 2398 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 2399 result = L2CAP_CR_PEND;
2400 status = L2CAP_CS_AUTHEN_PEND;
2401 }
2402 } else {
89bc500e 2403 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 2404 result = L2CAP_CR_PEND;
2405 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2406 }
2407
baa7e1fa 2408 write_unlock_bh(&conn->chan_lock);
1da177e4
LT		 2409
2410response:
2411 bh_unlock_sock(parent);
2412
2413sendresp:
aca3192c
YH		 2414 rsp.scid = cpu_to_le16(scid);
2415 rsp.dcid = cpu_to_le16(dcid);
2416 rsp.result = cpu_to_le16(result);
2417 rsp.status = cpu_to_le16(status);
1da177e4 2418 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 2419
2420 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
2421 struct l2cap_info_req info;
2422 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2423
2424 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
2425 conn->info_ident = l2cap_get_ident(conn);
2426
2427 mod_timer(&conn->info_timer, jiffies +
2428 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
2429
2430 l2cap_send_cmd(conn, conn->info_ident,
2431 L2CAP_INFO_REQ, sizeof(info), &info);
2432 }
2433
c1360a1c 2434 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
e9aeb2dd
GP		 2435 result == L2CAP_CR_SUCCESS) {
2436 u8 buf[128];
c1360a1c 2437 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 2438 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2439 l2cap_build_conf_req(chan, buf), buf);
2440 chan->num_conf_req++;
e9aeb2dd
GP		 2441 }
2442
1da177e4
LT		 2443 return 0;
2444}
2445
2446static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2447{
2448 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
2449 u16 scid, dcid, result, status;
48454079 2450 struct l2cap_chan *chan;
1da177e4
LT		 2451 struct sock *sk;
2452 u8 req[128];
2453
2454 scid = __le16_to_cpu(rsp->scid);
2455 dcid = __le16_to_cpu(rsp->dcid);
2456 result = __le16_to_cpu(rsp->result);
2457 status = __le16_to_cpu(rsp->status);
2458
2459 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status);
2460
2461 if (scid) {
baa7e1fa 2462 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2463 if (!chan)
57d3b22b 2464 return -EFAULT;
1da177e4 2465 } else {
baa7e1fa 2466 chan = l2cap_get_chan_by_ident(conn, cmd->ident);
48454079 2467 if (!chan)
57d3b22b 2468 return -EFAULT;
1da177e4
LT		 2469 }
2470
48454079
GP		 2471 sk = chan->sk;
2472
1da177e4
LT		 2473 switch (result) {
2474 case L2CAP_CR_SUCCESS:
89bc500e 2475 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 2476 chan->ident = 0;
fe4128e0 2477 chan->dcid = dcid;
c1360a1c 2478 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 2479
c1360a1c 2480 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 2481 break;
2482
1da177e4 2483 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2484 l2cap_build_conf_req(chan, req), req);
2485 chan->num_conf_req++;
1da177e4
LT		 2486 break;
2487
2488 case L2CAP_CR_PEND:
c1360a1c 2489 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 2490 break;
2491
2492 default:
a49184c2
AE		 2493 /* don't delete l2cap channel if sk is owned by user */
2494 if (sock_owned_by_user(sk)) {
89bc500e 2495 l2cap_state_change(chan, BT_DISCONN);
c9b66675
GP		 2496 __clear_chan_timer(chan);
2497 __set_chan_timer(chan, HZ / 5);
a49184c2
AE		 2498 break;
2499 }
2500
48454079 2501 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 2502 break;
2503 }
2504
2505 bh_unlock_sock(sk);
2506 return 0;
2507}
2508
47d1ec61 2509static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 2510{
2511 /* FCS is enabled only in ERTM or streaming mode, if one or both
2512 * sides request it.
2513 */
0c1bc5c6 2514 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 2515 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 2516 else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
47d1ec61 2517 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 2518}
2519
88219a0f 2520static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 2521{
2522 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
2523 u16 dcid, flags;
2524 u8 rsp[64];
48454079 2525 struct l2cap_chan *chan;
1da177e4 2526 struct sock *sk;
5dee9e7c 2527 int len;
1da177e4
LT		 2528
2529 dcid = __le16_to_cpu(req->dcid);
2530 flags = __le16_to_cpu(req->flags);
2531
2532 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
2533
baa7e1fa 2534 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 2535 if (!chan)
1da177e4
LT		 2536 return -ENOENT;
2537
48454079
GP		 2538 sk = chan->sk;
2539
89bc500e 2540 if (chan->state != BT_CONFIG) {
df6bd743
GP		 2541 struct l2cap_cmd_rej rej;
2542
2543 rej.reason = cpu_to_le16(0x0002);
2544 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
2545 sizeof(rej), &rej);
354f60a9 2546 goto unlock;
df6bd743 2547 }
354f60a9 2548
5dee9e7c 2549 /* Reject if config buffer is too small. */
88219a0f 2550 len = cmd_len - sizeof(*req);
73ffa904 2551 if (chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 2552 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 2553 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c
MH		 2554 L2CAP_CONF_REJECT, flags), rsp);
2555 goto unlock;
2556 }
2557
2558 /* Store config. */
73ffa904
GP		 2559 memcpy(chan->conf_req + chan->conf_len, req->data, len);
2560 chan->conf_len += len;
1da177e4
LT		 2561
2562 if (flags & 0x0001) {
2563 /* Incomplete config. Send empty response. */
2564 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 2565 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c 2566 L2CAP_CONF_SUCCESS, 0x0001), rsp);
1da177e4
LT		 2567 goto unlock;
2568 }
2569
2570 /* Complete config. */
73ffa904 2571 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 2572 if (len < 0) {
e92c8e70 2573 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4 2574 goto unlock;
f2fcfcd6 2575 }
1da177e4 2576
5dee9e7c 2577 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 2578 chan->num_conf_rsp++;
5dee9e7c 2579
5dee9e7c 2580 /* Reset config buffer. */
73ffa904 2581 chan->conf_len = 0;
5dee9e7c 2582
c1360a1c 2583 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 2584 goto unlock;
2585
c1360a1c 2586 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 2587 set_default_fcs(chan);
fcc203c3 2588
89bc500e 2589 l2cap_state_change(chan, BT_CONNECTED);
e90bac06 2590
42e5c802
GP		 2591 chan->next_tx_seq = 0;
2592 chan->expected_tx_seq = 0;
58d35f87 2593 skb_queue_head_init(&chan->tx_q);
0c1bc5c6 2594 if (chan->mode == L2CAP_MODE_ERTM)
525cd185 2595 l2cap_ertm_init(chan);
0565c1c2 2596
1da177e4 2597 l2cap_chan_ready(sk);
876d9484
MH		 2598 goto unlock;
2599 }
2600
c1360a1c 2601 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 2602 u8 buf[64];
1da177e4 2603 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2604 l2cap_build_conf_req(chan, buf), buf);
2605 chan->num_conf_req++;
1da177e4
LT		 2606 }
2607
2608unlock:
2609 bh_unlock_sock(sk);
2610 return 0;
2611}
2612
2613static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2614{
2615 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
2616 u16 scid, flags, result;
48454079 2617 struct l2cap_chan *chan;
1da177e4 2618 struct sock *sk;
7b1c0049 2619 int len = cmd->len - sizeof(*rsp);
1da177e4
LT		 2620
2621 scid = __le16_to_cpu(rsp->scid);
2622 flags = __le16_to_cpu(rsp->flags);
2623 result = __le16_to_cpu(rsp->result);
2624
af05b30b
GP		 2625 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x",
2626 scid, flags, result);
1da177e4 2627
baa7e1fa 2628 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2629 if (!chan)
1da177e4
LT		 2630 return 0;
2631
48454079
GP		 2632 sk = chan->sk;
2633
1da177e4
LT		 2634 switch (result) {
2635 case L2CAP_CONF_SUCCESS:
47d1ec61 2636 l2cap_conf_rfc_get(chan, rsp->data, len);
1da177e4
LT		 2637 break;
2638
2639 case L2CAP_CONF_UNACCEPT:
73ffa904 2640 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 2641 char req[64];
2642
c2c77ec8 2643 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
e92c8e70 2644 l2cap_send_disconn_req(conn, chan, ECONNRESET);
c2c77ec8
AE		 2645 goto done;
2646 }
2647
f2fcfcd6
GP		 2648 /* throw out any old stored conf requests */
2649 result = L2CAP_CONF_SUCCESS;
b4450035
GP		 2650 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2651 req, &result);
f2fcfcd6 2652 if (len < 0) {
e92c8e70 2653 l2cap_send_disconn_req(conn, chan, ECONNRESET);
f2fcfcd6
GP		 2654 goto done;
2655 }
2656
2657 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2658 L2CAP_CONF_REQ, len, req);
73ffa904 2659 chan->num_conf_req++;
f2fcfcd6
GP		 2660 if (result != L2CAP_CONF_SUCCESS)
2661 goto done;
2662 break;
1da177e4
LT		 2663 }
2664
8e87d142 2665 default:
b1235d79 2666 sk->sk_err = ECONNRESET;
c9b66675 2667 __set_chan_timer(chan, HZ * 5);
e92c8e70 2668 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4
LT		 2669 goto done;
2670 }
2671
2672 if (flags & 0x01)
2673 goto done;
2674
c1360a1c 2675 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 2676
c1360a1c 2677 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 2678 set_default_fcs(chan);
fcc203c3 2679
89bc500e 2680 l2cap_state_change(chan, BT_CONNECTED);
42e5c802
GP		 2681 chan->next_tx_seq = 0;
2682 chan->expected_tx_seq = 0;
58d35f87 2683 skb_queue_head_init(&chan->tx_q);
0c1bc5c6 2684 if (chan->mode == L2CAP_MODE_ERTM)
525cd185 2685 l2cap_ertm_init(chan);
0565c1c2 2686
1da177e4
LT		 2687 l2cap_chan_ready(sk);
2688 }
2689
2690done:
2691 bh_unlock_sock(sk);
2692 return 0;
2693}
2694
2695static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2696{
2697 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
2698 struct l2cap_disconn_rsp rsp;
2699 u16 dcid, scid;
48454079 2700 struct l2cap_chan *chan;
1da177e4
LT		 2701 struct sock *sk;
2702
2703 scid = __le16_to_cpu(req->scid);
2704 dcid = __le16_to_cpu(req->dcid);
2705
2706 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
2707
baa7e1fa 2708 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 2709 if (!chan)
1da177e4
LT		 2710 return 0;
2711
48454079
GP		 2712 sk = chan->sk;
2713
fe4128e0
GP		 2714 rsp.dcid = cpu_to_le16(chan->scid);
2715 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 2716 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
2717
2718 sk->sk_shutdown = SHUTDOWN_MASK;
2719
a49184c2
AE		 2720 /* don't delete l2cap channel if sk is owned by user */
2721 if (sock_owned_by_user(sk)) {
89bc500e 2722 l2cap_state_change(chan, BT_DISCONN);
c9b66675
GP		 2723 __clear_chan_timer(chan);
2724 __set_chan_timer(chan, HZ / 5);
a49184c2
AE		 2725 bh_unlock_sock(sk);
2726 return 0;
2727 }
2728
48454079 2729 l2cap_chan_del(chan, ECONNRESET);
1da177e4
LT		 2730 bh_unlock_sock(sk);
2731
ba3bd0ee 2732 chan->ops->close(chan->data);
1da177e4
LT		 2733 return 0;
2734}
2735
2736static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2737{
2738 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
2739 u16 dcid, scid;
48454079 2740 struct l2cap_chan *chan;
1da177e4
LT		 2741 struct sock *sk;
2742
2743 scid = __le16_to_cpu(rsp->scid);
2744 dcid = __le16_to_cpu(rsp->dcid);
2745
2746 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
2747
baa7e1fa 2748 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2749 if (!chan)
1da177e4
LT		 2750 return 0;
2751
48454079
GP		 2752 sk = chan->sk;
2753
a49184c2
AE		 2754 /* don't delete l2cap channel if sk is owned by user */
2755 if (sock_owned_by_user(sk)) {
89bc500e 2756 l2cap_state_change(chan,BT_DISCONN);
c9b66675
GP		 2757 __clear_chan_timer(chan);
2758 __set_chan_timer(chan, HZ / 5);
a49184c2
AE		 2759 bh_unlock_sock(sk);
2760 return 0;
2761 }
2762
48454079 2763 l2cap_chan_del(chan, 0);
1da177e4
LT		 2764 bh_unlock_sock(sk);
2765
ba3bd0ee 2766 chan->ops->close(chan->data);
1da177e4
LT		 2767 return 0;
2768}
2769
2770static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2771{
2772 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 2773 u16 type;
2774
2775 type = __le16_to_cpu(req->type);
2776
2777 BT_DBG("type 0x%4.4x", type);
2778
f0709e03
MH		 2779 if (type == L2CAP_IT_FEAT_MASK) {
2780 u8 buf[8];
44dd46de 2781 u32 feat_mask = l2cap_feat_mask;
f0709e03
MH		 2782 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2783 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2784 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 2785 if (!disable_ertm)
fcc203c3
GP		 2786 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
2787 | L2CAP_FEAT_FCS;
1b7bf4ed 2788 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 2789 l2cap_send_cmd(conn, cmd->ident,
2790 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 2791 } else if (type == L2CAP_IT_FIXED_CHAN) {
2792 u8 buf[12];
2793 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2794 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2795 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
2796 memcpy(buf + 4, l2cap_fixed_chan, 8);
2797 l2cap_send_cmd(conn, cmd->ident,
2798 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 2799 } else {
2800 struct l2cap_info_rsp rsp;
2801 rsp.type = cpu_to_le16(type);
2802 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
2803 l2cap_send_cmd(conn, cmd->ident,
2804 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
2805 }
1da177e4
LT		 2806
2807 return 0;
2808}
2809
2810static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2811{
2812 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
2813 u16 type, result;
2814
2815 type = __le16_to_cpu(rsp->type);
2816 result = __le16_to_cpu(rsp->result);
2817
2818 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
2819
e90165be
AE		 2820 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
2821 if (cmd->ident != conn->info_ident ||
2822 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
2823 return 0;
2824
4e8402a3
MH		 2825 del_timer(&conn->info_timer);
2826
adb08ede
VT		 2827 if (result != L2CAP_IR_SUCCESS) {
2828 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2829 conn->info_ident = 0;
2830
2831 l2cap_conn_start(conn);
2832
2833 return 0;
2834 }
2835
984947dc 2836 if (type == L2CAP_IT_FEAT_MASK) {
83985319 2837 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 2838
47ec1dcd 2839 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c
MH		 2840 struct l2cap_info_req req;
2841 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2842
2843 conn->info_ident = l2cap_get_ident(conn);
2844
2845 l2cap_send_cmd(conn, conn->info_ident,
2846 L2CAP_INFO_REQ, sizeof(req), &req);
2847 } else {
2848 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2849 conn->info_ident = 0;
2850
2851 l2cap_conn_start(conn);
2852 }
2853 } else if (type == L2CAP_IT_FIXED_CHAN) {
984947dc 2854 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2855 conn->info_ident = 0;
984947dc
MH		 2856
2857 l2cap_conn_start(conn);
2858 }
4e8402a3 2859
1da177e4
LT		 2860 return 0;
2861}
2862
e2174ca4 2863static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
de73115a
CT		 2864 u16 to_multiplier)
2865{
2866 u16 max_latency;
2867
2868 if (min > max || min < 6 || max > 3200)
2869 return -EINVAL;
2870
2871 if (to_multiplier < 10 || to_multiplier > 3200)
2872 return -EINVAL;
2873
2874 if (max >= to_multiplier * 8)
2875 return -EINVAL;
2876
2877 max_latency = (to_multiplier * 8 / max) - 1;
2878 if (latency > 499 || latency > max_latency)
2879 return -EINVAL;
2880
2881 return 0;
2882}
2883
2884static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
2885 struct l2cap_cmd_hdr *cmd, u8 *data)
2886{
2887 struct hci_conn *hcon = conn->hcon;
2888 struct l2cap_conn_param_update_req *req;
2889 struct l2cap_conn_param_update_rsp rsp;
2890 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 2891 int err;
de73115a
CT		 2892
2893 if (!(hcon->link_mode & HCI_LM_MASTER))
2894 return -EINVAL;
2895
2896 cmd_len = __le16_to_cpu(cmd->len);
2897 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
2898 return -EPROTO;
2899
2900 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 2901 min = __le16_to_cpu(req->min);
2902 max = __le16_to_cpu(req->max);
de73115a
CT		 2903 latency = __le16_to_cpu(req->latency);
2904 to_multiplier = __le16_to_cpu(req->to_multiplier);
2905
2906 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
2907 min, max, latency, to_multiplier);
2908
2909 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 2910
2911 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
2912 if (err)
de73115a
CT		 2913 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
2914 else
2915 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
2916
2917 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
2918 sizeof(rsp), &rsp);
2919
2ce603eb
CT		 2920 if (!err)
2921 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
2922
de73115a
CT		 2923 return 0;
2924}
2925
3300d9a9
CT		 2926static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
2927 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
2928{
2929 int err = 0;
2930
2931 switch (cmd->code) {
2932 case L2CAP_COMMAND_REJ:
2933 l2cap_command_rej(conn, cmd, data);
2934 break;
2935
2936 case L2CAP_CONN_REQ:
2937 err = l2cap_connect_req(conn, cmd, data);
2938 break;
2939
2940 case L2CAP_CONN_RSP:
2941 err = l2cap_connect_rsp(conn, cmd, data);
2942 break;
2943
2944 case L2CAP_CONF_REQ:
2945 err = l2cap_config_req(conn, cmd, cmd_len, data);
2946 break;
2947
2948 case L2CAP_CONF_RSP:
2949 err = l2cap_config_rsp(conn, cmd, data);
2950 break;
2951
2952 case L2CAP_DISCONN_REQ:
2953 err = l2cap_disconnect_req(conn, cmd, data);
2954 break;
2955
2956 case L2CAP_DISCONN_RSP:
2957 err = l2cap_disconnect_rsp(conn, cmd, data);
2958 break;
2959
2960 case L2CAP_ECHO_REQ:
2961 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
2962 break;
2963
2964 case L2CAP_ECHO_RSP:
2965 break;
2966
2967 case L2CAP_INFO_REQ:
2968 err = l2cap_information_req(conn, cmd, data);
2969 break;
2970
2971 case L2CAP_INFO_RSP:
2972 err = l2cap_information_rsp(conn, cmd, data);
2973 break;
2974
2975 default:
2976 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
2977 err = -EINVAL;
2978 break;
2979 }
2980
2981 return err;
2982}
2983
2984static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
2985 struct l2cap_cmd_hdr *cmd, u8 *data)
2986{
2987 switch (cmd->code) {
2988 case L2CAP_COMMAND_REJ:
2989 return 0;
2990
2991 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 2992 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 2993
2994 case L2CAP_CONN_PARAM_UPDATE_RSP:
2995 return 0;
2996
2997 default:
2998 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
2999 return -EINVAL;
3000 }
3001}
3002
3003static inline void l2cap_sig_channel(struct l2cap_conn *conn,
3004 struct sk_buff *skb)
1da177e4
LT		 3005{
3006 u8 *data = skb->data;
3007 int len = skb->len;
3008 struct l2cap_cmd_hdr cmd;
3300d9a9 3009 int err;
1da177e4
LT		 3010
3011 l2cap_raw_recv(conn, skb);
3012
3013 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 3014 u16 cmd_len;
1da177e4
LT		 3015 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
3016 data += L2CAP_CMD_HDR_SIZE;
3017 len -= L2CAP_CMD_HDR_SIZE;
3018
88219a0f 3019 cmd_len = le16_to_cpu(cmd.len);
1da177e4 3020
88219a0f 3021 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 3022
88219a0f 3023 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 3024 BT_DBG("corrupted command");
3025 break;
3026 }
3027
3300d9a9
CT		 3028 if (conn->hcon->type == LE_LINK)
3029 err = l2cap_le_sig_cmd(conn, &cmd, data);
3030 else
3031 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 3032
3033 if (err) {
3034 struct l2cap_cmd_rej rej;
2c6d1a2e
GP		 3035
3036 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 3037
3038 /* FIXME: Map err to a valid reason */
aca3192c 3039 rej.reason = cpu_to_le16(0);
1da177e4
LT		 3040 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3041 }
3042
88219a0f
AV		 3043 data += cmd_len;
3044 len -= cmd_len;
1da177e4
LT		 3045 }
3046
3047 kfree_skb(skb);
3048}
3049
47d1ec61 3050static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 3051{
3052 u16 our_fcs, rcv_fcs;
3053 int hdr_size = L2CAP_HDR_SIZE + 2;
3054
47d1ec61 3055 if (chan->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 3056 skb_trim(skb, skb->len - 2);
3057 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
3058 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
3059
3060 if (our_fcs != rcv_fcs)
7a560e5c 3061 return -EBADMSG;
fcc203c3
GP		 3062 }
3063 return 0;
3064}
3065
525cd185 3066static inline void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 3067{
d5392c8f
GP		 3068 u16 control = 0;
3069
6a026610 3070 chan->frames_sent = 0;
d5392c8f 3071
42e5c802 3072 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
d5392c8f 3073
525cd185 3074 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
64988868 3075 control |= L2CAP_SUPER_RCV_NOT_READY;
525cd185
GP		 3076 l2cap_send_sframe(chan, control);
3077 chan->conn_state |= L2CAP_CONN_RNR_SENT;
d5392c8f
GP		 3078 }
3079
525cd185
GP		 3080 if (chan->conn_state & L2CAP_CONN_REMOTE_BUSY)
3081 l2cap_retransmit_frames(chan);
d5392c8f 3082
525cd185 3083 l2cap_ertm_send(chan);
d5392c8f 3084
525cd185 3085 if (!(chan->conn_state & L2CAP_CONN_LOCAL_BUSY) &&
6a026610 3086 chan->frames_sent == 0) {
d5392c8f 3087 control |= L2CAP_SUPER_RCV_READY;
525cd185 3088 l2cap_send_sframe(chan, control);
d5392c8f
GP		 3089 }
3090}
3091
42e5c802 3092static int l2cap_add_to_srej_queue(struct l2cap_chan *chan, struct sk_buff *skb, u8 tx_seq, u8 sar)
8f17154f
GP		 3093{
3094 struct sk_buff *next_skb;
bfbacc11 3095 int tx_seq_offset, next_tx_seq_offset;
8f17154f
GP		 3096
3097 bt_cb(skb)->tx_seq = tx_seq;
3098 bt_cb(skb)->sar = sar;
3099
f1c6775b 3100 next_skb = skb_peek(&chan->srej_q);
8f17154f 3101 if (!next_skb) {
f1c6775b 3102 __skb_queue_tail(&chan->srej_q, skb);
9b53350d 3103 return 0;
8f17154f
GP		 3104 }
3105
42e5c802 3106 tx_seq_offset = (tx_seq - chan->buffer_seq) % 64;
bfbacc11
JPRV		 3107 if (tx_seq_offset < 0)
3108 tx_seq_offset += 64;
3109
8f17154f 3110 do {
9b53350d
JPRV		 3111 if (bt_cb(next_skb)->tx_seq == tx_seq)
3112 return -EINVAL;
3113
bfbacc11 3114 next_tx_seq_offset = (bt_cb(next_skb)->tx_seq -
42e5c802 3115 chan->buffer_seq) % 64;
bfbacc11
JPRV		 3116 if (next_tx_seq_offset < 0)
3117 next_tx_seq_offset += 64;
3118
3119 if (next_tx_seq_offset > tx_seq_offset) {
f1c6775b 3120 __skb_queue_before(&chan->srej_q, next_skb, skb);
9b53350d 3121 return 0;
8f17154f
GP		 3122 }
3123
f1c6775b 3124 if (skb_queue_is_last(&chan->srej_q, next_skb))
8f17154f
GP		 3125 break;
3126
f1c6775b 3127 } while ((next_skb = skb_queue_next(&chan->srej_q, next_skb)));
8f17154f 3128
f1c6775b 3129 __skb_queue_tail(&chan->srej_q, skb);
9b53350d
JPRV		 3130
3131 return 0;
8f17154f
GP		 3132}
3133
525cd185 3134static int l2cap_ertm_reassembly_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u16 control)
18778a63 3135{
18778a63 3136 struct sk_buff *_skb;
1890d36b 3137 int err;
18778a63
GP		 3138
3139 switch (control & L2CAP_CTRL_SAR) {
3140 case L2CAP_SDU_UNSEGMENTED:
525cd185 3141 if (chan->conn_state & L2CAP_CONN_SAR_SDU)
18778a63
GP		 3142 goto drop;
3143
23070494 3144 return chan->ops->recv(chan->data, skb);
18778a63
GP		 3145
3146 case L2CAP_SDU_START:
525cd185 3147 if (chan->conn_state & L2CAP_CONN_SAR_SDU)
18778a63
GP		 3148 goto drop;
3149
6f61fd47 3150 chan->sdu_len = get_unaligned_le16(skb->data);
18778a63 3151
0c1bc5c6 3152 if (chan->sdu_len > chan->imtu)
18778a63
GP		 3153 goto disconnect;
3154
6f61fd47
GP		 3155 chan->sdu = bt_skb_alloc(chan->sdu_len, GFP_ATOMIC);
3156 if (!chan->sdu)
1890d36b
GP		 3157 return -ENOMEM;
3158
3159 /* pull sdu_len bytes only after alloc, because of Local Busy
3160 * condition we have to be sure that this will be executed
3161 * only once, i.e., when alloc does not fail */
3162 skb_pull(skb, 2);
18778a63 3163
6f61fd47 3164 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
18778a63 3165
525cd185 3166 chan->conn_state |= L2CAP_CONN_SAR_SDU;
6f61fd47 3167 chan->partial_sdu_len = skb->len;
18778a63
GP		 3168 break;
3169
3170 case L2CAP_SDU_CONTINUE:
525cd185 3171 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
18778a63
GP		 3172 goto disconnect;
3173
6f61fd47 3174 if (!chan->sdu)
18778a63
GP		 3175 goto disconnect;
3176
6f61fd47
GP		 3177 chan->partial_sdu_len += skb->len;
3178 if (chan->partial_sdu_len > chan->sdu_len)
18778a63
GP		 3179 goto drop;
3180
6f61fd47 3181 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
4178ba46 3182
18778a63
GP		 3183 break;
3184
3185 case L2CAP_SDU_END:
525cd185 3186 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
18778a63
GP		 3187 goto disconnect;
3188
6f61fd47 3189 if (!chan->sdu)
18778a63
GP		 3190 goto disconnect;
3191
525cd185 3192 if (!(chan->conn_state & L2CAP_CONN_SAR_RETRY)) {
6f61fd47 3193 chan->partial_sdu_len += skb->len;
18778a63 3194
0c1bc5c6 3195 if (chan->partial_sdu_len > chan->imtu)
1890d36b 3196 goto drop;
18778a63 3197
6f61fd47 3198 if (chan->partial_sdu_len != chan->sdu_len)
1890d36b 3199 goto drop;
4178ba46 3200
6f61fd47 3201 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
1890d36b 3202 }
18778a63 3203
6f61fd47 3204 _skb = skb_clone(chan->sdu, GFP_ATOMIC);
1890d36b 3205 if (!_skb) {
525cd185 3206 chan->conn_state |= L2CAP_CONN_SAR_RETRY;
1890d36b
GP		 3207 return -ENOMEM;
3208 }
3209
23070494 3210 err = chan->ops->recv(chan->data, _skb);
1890d36b 3211 if (err < 0) {
18778a63 3212 kfree_skb(_skb);
525cd185 3213 chan->conn_state |= L2CAP_CONN_SAR_RETRY;
1890d36b
GP		 3214 return err;
3215 }
3216
525cd185
GP		 3217 chan->conn_state &= ~L2CAP_CONN_SAR_RETRY;
3218 chan->conn_state &= ~L2CAP_CONN_SAR_SDU;
18778a63 3219
6f61fd47 3220 kfree_skb(chan->sdu);
18778a63
GP		 3221 break;
3222 }
3223
3224 kfree_skb(skb);
1890d36b 3225 return 0;
18778a63
GP		 3226
3227drop:
6f61fd47
GP		 3228 kfree_skb(chan->sdu);
3229 chan->sdu = NULL;
18778a63
GP		 3230
3231disconnect:
8c1d787b 3232 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
18778a63
GP		 3233 kfree_skb(skb);
3234 return 0;
3235}
3236
525cd185 3237static int l2cap_try_push_rx_skb(struct l2cap_chan *chan)
712132eb 3238{
712132eb
GP		 3239 struct sk_buff *skb;
3240 u16 control;
3241 int err;
3242
f1c6775b 3243 while ((skb = skb_dequeue(&chan->busy_q))) {
712132eb 3244 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
525cd185 3245 err = l2cap_ertm_reassembly_sdu(chan, skb, control);
712132eb 3246 if (err < 0) {
f1c6775b 3247 skb_queue_head(&chan->busy_q, skb);
712132eb
GP		 3248 return -EBUSY;
3249 }
3250
42e5c802 3251 chan->buffer_seq = (chan->buffer_seq + 1) % 64;
712132eb
GP		 3252 }
3253
525cd185 3254 if (!(chan->conn_state & L2CAP_CONN_RNR_SENT))
712132eb
GP		 3255 goto done;
3256
42e5c802 3257 control = chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
712132eb 3258 control |= L2CAP_SUPER_RCV_READY | L2CAP_CTRL_POLL;
525cd185 3259 l2cap_send_sframe(chan, control);
6a026610 3260 chan->retry_count = 1;
712132eb 3261
1a09bcb9
GP		 3262 __clear_retrans_timer(chan);
3263 __set_monitor_timer(chan);
712132eb 3264
525cd185 3265 chan->conn_state |= L2CAP_CONN_WAIT_F;
712132eb
GP		 3266
3267done:
525cd185
GP		 3268 chan->conn_state &= ~L2CAP_CONN_LOCAL_BUSY;
3269 chan->conn_state &= ~L2CAP_CONN_RNR_SENT;
712132eb 3270
49208c9c 3271 BT_DBG("chan %p, Exit local busy", chan);
712132eb
GP		 3272
3273 return 0;
3274}
3275
1890d36b
GP		 3276static void l2cap_busy_work(struct work_struct *work)
3277{
3278 DECLARE_WAITQUEUE(wait, current);
311bb895
GP		 3279 struct l2cap_chan *chan =
3280 container_of(work, struct l2cap_chan, busy_work);
3281 struct sock *sk = chan->sk;
1890d36b
GP		 3282 int n_tries = 0, timeo = HZ/5, err;
3283 struct sk_buff *skb;
1890d36b
GP		 3284
3285 lock_sock(sk);
3286
2b0b05dd 3287 add_wait_queue(sk_sleep(sk), &wait);
311bb895 3288 while ((skb = skb_peek(&chan->busy_q))) {
1890d36b
GP		 3289 set_current_state(TASK_INTERRUPTIBLE);
3290
3291 if (n_tries++ > L2CAP_LOCAL_BUSY_TRIES) {
3292 err = -EBUSY;
8c1d787b 3293 l2cap_send_disconn_req(chan->conn, chan, EBUSY);
712132eb 3294 break;
1890d36b
GP		 3295 }
3296
3297 if (!timeo)
3298 timeo = HZ/5;
3299
3300 if (signal_pending(current)) {
3301 err = sock_intr_errno(timeo);
712132eb 3302 break;
1890d36b
GP		 3303 }
3304
3305 release_sock(sk);
3306 timeo = schedule_timeout(timeo);
3307 lock_sock(sk);
3308
3309 err = sock_error(sk);
3310 if (err)
712132eb 3311 break;
1890d36b 3312
311bb895 3313 if (l2cap_try_push_rx_skb(chan) == 0)
1890d36b
GP		 3314 break;
3315 }
3316
1890d36b 3317 set_current_state(TASK_RUNNING);
2b0b05dd 3318 remove_wait_queue(sk_sleep(sk), &wait);
1890d36b
GP		 3319
3320 release_sock(sk);
3321}
3322
525cd185 3323static int l2cap_push_rx_skb(struct l2cap_chan *chan, struct sk_buff *skb, u16 control)
1890d36b 3324{
1890d36b
GP		 3325 int sctrl, err;
3326
525cd185 3327 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
1890d36b 3328 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
f1c6775b 3329 __skb_queue_tail(&chan->busy_q, skb);
525cd185 3330 return l2cap_try_push_rx_skb(chan);
712132eb
GP		 3331
3332
1890d36b
GP		 3333 }
3334
525cd185 3335 err = l2cap_ertm_reassembly_sdu(chan, skb, control);
1890d36b 3336 if (err >= 0) {
42e5c802 3337 chan->buffer_seq = (chan->buffer_seq + 1) % 64;
1890d36b
GP		 3338 return err;
3339 }
3340
3341 /* Busy Condition */
311bb895 3342 BT_DBG("chan %p, Enter local busy", chan);
0e98958d 3343
525cd185 3344 chan->conn_state |= L2CAP_CONN_LOCAL_BUSY;
1890d36b 3345 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
f1c6775b 3346 __skb_queue_tail(&chan->busy_q, skb);
1890d36b 3347
42e5c802 3348 sctrl = chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1890d36b 3349 sctrl |= L2CAP_SUPER_RCV_NOT_READY;
525cd185 3350 l2cap_send_sframe(chan, sctrl);
1890d36b 3351
525cd185 3352 chan->conn_state |= L2CAP_CONN_RNR_SENT;
1890d36b 3353
1a09bcb9 3354 __clear_ack_timer(chan);
7fe9b298 3355
311bb895 3356 queue_work(_busy_wq, &chan->busy_work);
1890d36b
GP		 3357
3358 return err;
3359}
3360
525cd185 3361static int l2cap_streaming_reassembly_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u16 control)
c74e560c 3362{
c74e560c
GP		 3363 struct sk_buff *_skb;
3364 int err = -EINVAL;
3365
18778a63
GP		 3366 /*
3367 * TODO: We have to notify the userland if some data is lost with the
3368 * Streaming Mode.
3369 */
3370
c74e560c
GP		 3371 switch (control & L2CAP_CTRL_SAR) {
3372 case L2CAP_SDU_UNSEGMENTED:
525cd185 3373 if (chan->conn_state & L2CAP_CONN_SAR_SDU) {
6f61fd47 3374 kfree_skb(chan->sdu);
c74e560c
GP		 3375 break;
3376 }
3377
23070494 3378 err = chan->ops->recv(chan->data, skb);
c74e560c
GP		 3379 if (!err)
3380 return 0;
3381
3382 break;
3383
3384 case L2CAP_SDU_START:
525cd185 3385 if (chan->conn_state & L2CAP_CONN_SAR_SDU) {
6f61fd47 3386 kfree_skb(chan->sdu);
c74e560c
GP		 3387 break;
3388 }
3389
6f61fd47 3390 chan->sdu_len = get_unaligned_le16(skb->data);
c74e560c
GP		 3391 skb_pull(skb, 2);
3392
0c1bc5c6 3393 if (chan->sdu_len > chan->imtu) {
052897ca
GP		 3394 err = -EMSGSIZE;
3395 break;
3396 }
3397
6f61fd47
GP		 3398 chan->sdu = bt_skb_alloc(chan->sdu_len, GFP_ATOMIC);
3399 if (!chan->sdu) {
c74e560c
GP		 3400 err = -ENOMEM;
3401 break;
3402 }
3403
6f61fd47 3404 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
c74e560c 3405
525cd185 3406 chan->conn_state |= L2CAP_CONN_SAR_SDU;
6f61fd47 3407 chan->partial_sdu_len = skb->len;
c74e560c
GP		 3408 err = 0;
3409 break;
3410
3411 case L2CAP_SDU_CONTINUE:
525cd185 3412 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
c74e560c
GP		 3413 break;
3414
6f61fd47 3415 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
c74e560c 3416
6f61fd47
GP		 3417 chan->partial_sdu_len += skb->len;
3418 if (chan->partial_sdu_len > chan->sdu_len)
3419 kfree_skb(chan->sdu);
c74e560c
GP		 3420 else
3421 err = 0;
3422
3423 break;
3424
3425 case L2CAP_SDU_END:
525cd185 3426 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
c74e560c
GP		 3427 break;
3428
6f61fd47 3429 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
c74e560c 3430
525cd185 3431 chan->conn_state &= ~L2CAP_CONN_SAR_SDU;
6f61fd47 3432 chan->partial_sdu_len += skb->len;
c74e560c 3433
0c1bc5c6 3434 if (chan->partial_sdu_len > chan->imtu)
36f2fd58
GP		 3435 goto drop;
3436
6f61fd47
GP		 3437 if (chan->partial_sdu_len == chan->sdu_len) {
3438 _skb = skb_clone(chan->sdu, GFP_ATOMIC);
23070494 3439 err = chan->ops->recv(chan->data, _skb);
c74e560c
GP		 3440 if (err < 0)
3441 kfree_skb(_skb);
3442 }
c74e560c
GP		 3443 err = 0;
3444
36f2fd58 3445drop:
6f61fd47 3446 kfree_skb(chan->sdu);
c74e560c
GP		 3447 break;
3448 }
3449
3450 kfree_skb(skb);
3451 return err;
3452}
3453
525cd185 3454static void l2cap_check_srej_gap(struct l2cap_chan *chan, u8 tx_seq)
8f17154f
GP		 3455{
3456 struct sk_buff *skb;
afefdbc4 3457 u16 control;
8f17154f 3458
f1c6775b 3459 while ((skb = skb_peek(&chan->srej_q))) {
8f17154f
GP		 3460 if (bt_cb(skb)->tx_seq != tx_seq)
3461 break;
3462
f1c6775b 3463 skb = skb_dequeue(&chan->srej_q);
afefdbc4 3464 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
525cd185 3465 l2cap_ertm_reassembly_sdu(chan, skb, control);
42e5c802
GP		 3466 chan->buffer_seq_srej =
3467 (chan->buffer_seq_srej + 1) % 64;
8ff50ec0 3468 tx_seq = (tx_seq + 1) % 64;
8f17154f
GP		 3469 }
3470}
3471
525cd185 3472static void l2cap_resend_srejframe(struct l2cap_chan *chan, u8 tx_seq)
8f17154f 3473{
8f17154f
GP		 3474 struct srej_list *l, *tmp;
3475 u16 control;
3476
39d5a3ee 3477 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
8f17154f
GP		 3478 if (l->tx_seq == tx_seq) {
3479 list_del(&l->list);
3480 kfree(l);
3481 return;
3482 }
3483 control = L2CAP_SUPER_SELECT_REJECT;
3484 control |= l->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
525cd185 3485 l2cap_send_sframe(chan, control);
8f17154f 3486 list_del(&l->list);
39d5a3ee 3487 list_add_tail(&l->list, &chan->srej_l);
8f17154f
GP		 3488 }
3489}
3490
525cd185 3491static void l2cap_send_srejframe(struct l2cap_chan *chan, u8 tx_seq)
8f17154f 3492{
8f17154f
GP		 3493 struct srej_list *new;
3494 u16 control;
3495
42e5c802 3496 while (tx_seq != chan->expected_tx_seq) {
8f17154f 3497 control = L2CAP_SUPER_SELECT_REJECT;
42e5c802 3498 control |= chan->expected_tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
525cd185 3499 l2cap_send_sframe(chan, control);
8f17154f
GP		 3500
3501 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
42e5c802
GP		 3502 new->tx_seq = chan->expected_tx_seq;
3503 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
39d5a3ee 3504 list_add_tail(&new->list, &chan->srej_l);
8f17154f 3505 }
42e5c802 3506 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
8f17154f
GP		 3507}
3508
525cd185 3509static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u16 rx_control, struct sk_buff *skb)
1c2acffb 3510{
1c2acffb 3511 u8 tx_seq = __get_txseq(rx_control);
9f121a5a 3512 u8 req_seq = __get_reqseq(rx_control);
8f17154f 3513 u8 sar = rx_control >> L2CAP_CTRL_SAR_SHIFT;
f6337c77 3514 int tx_seq_offset, expected_tx_seq_offset;
47d1ec61 3515 int num_to_ack = (chan->tx_win/6) + 1;
1c2acffb
GP		 3516 int err = 0;
3517
525cd185
GP		 3518 BT_DBG("chan %p len %d tx_seq %d rx_control 0x%4.4x", chan, skb->len,
3519 tx_seq, rx_control);
1c2acffb 3520
9b16dc65 3521 if (L2CAP_CTRL_FINAL & rx_control &&
525cd185 3522 chan->conn_state & L2CAP_CONN_WAIT_F) {
1a09bcb9 3523 __clear_monitor_timer(chan);
6a026610 3524 if (chan->unacked_frames > 0)
1a09bcb9 3525 __set_retrans_timer(chan);
525cd185 3526 chan->conn_state &= ~L2CAP_CONN_WAIT_F;
1d8f5d16
GP		 3527 }
3528
42e5c802
GP		 3529 chan->expected_ack_seq = req_seq;
3530 l2cap_drop_acked_frames(chan);
9f121a5a 3531
42e5c802 3532 if (tx_seq == chan->expected_tx_seq)
8f17154f 3533 goto expected;
1c2acffb 3534
42e5c802 3535 tx_seq_offset = (tx_seq - chan->buffer_seq) % 64;
9b53350d
JPRV		 3536 if (tx_seq_offset < 0)
3537 tx_seq_offset += 64;
3538
3539 /* invalid tx_seq */
47d1ec61 3540 if (tx_seq_offset >= chan->tx_win) {
8c1d787b 3541 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
9b53350d
JPRV		 3542 goto drop;
3543 }
3544
e6949280 3545 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY)
1890d36b
GP		 3546 goto drop;
3547
525cd185 3548 if (chan->conn_state & L2CAP_CONN_SREJ_SENT) {
8f17154f 3549 struct srej_list *first;
30afb5b2 3550
39d5a3ee 3551 first = list_first_entry(&chan->srej_l,
8f17154f
GP		 3552 struct srej_list, list);
3553 if (tx_seq == first->tx_seq) {
42e5c802 3554 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
525cd185 3555 l2cap_check_srej_gap(chan, tx_seq);
8f17154f
GP		 3556
3557 list_del(&first->list);
3558 kfree(first);
3559
39d5a3ee 3560 if (list_empty(&chan->srej_l)) {
42e5c802 3561 chan->buffer_seq = chan->buffer_seq_srej;
525cd185
GP		 3562 chan->conn_state &= ~L2CAP_CONN_SREJ_SENT;
3563 l2cap_send_ack(chan);
49208c9c 3564 BT_DBG("chan %p, Exit SREJ_SENT", chan);
8f17154f
GP		 3565 }
3566 } else {
3567 struct srej_list *l;
9b53350d
JPRV		 3568
3569 /* duplicated tx_seq */
42e5c802 3570 if (l2cap_add_to_srej_queue(chan, skb, tx_seq, sar) < 0)
9b53350d 3571 goto drop;
8f17154f 3572
39d5a3ee 3573 list_for_each_entry(l, &chan->srej_l, list) {
8f17154f 3574 if (l->tx_seq == tx_seq) {
525cd185 3575 l2cap_resend_srejframe(chan, tx_seq);
8f17154f
GP		 3576 return 0;
3577 }
3578 }
525cd185 3579 l2cap_send_srejframe(chan, tx_seq);
30afb5b2
GP		 3580 }
3581 } else {
9b53350d 3582 expected_tx_seq_offset =
42e5c802 3583 (chan->expected_tx_seq - chan->buffer_seq) % 64;
9b53350d
JPRV		 3584 if (expected_tx_seq_offset < 0)
3585 expected_tx_seq_offset += 64;
3586
3587 /* duplicated tx_seq */
3588 if (tx_seq_offset < expected_tx_seq_offset)
3589 goto drop;
3590
525cd185 3591 chan->conn_state |= L2CAP_CONN_SREJ_SENT;
1c2acffb 3592
49208c9c 3593 BT_DBG("chan %p, Enter SREJ", chan);
0e98958d 3594
39d5a3ee 3595 INIT_LIST_HEAD(&chan->srej_l);
42e5c802 3596 chan->buffer_seq_srej = chan->buffer_seq;
8f17154f 3597
f1c6775b
GP		 3598 __skb_queue_head_init(&chan->srej_q);
3599 __skb_queue_head_init(&chan->busy_q);
42e5c802 3600 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
8f17154f 3601
525cd185 3602 chan->conn_state |= L2CAP_CONN_SEND_PBIT;
ef54fd93 3603
525cd185 3604 l2cap_send_srejframe(chan, tx_seq);
7fe9b298 3605
1a09bcb9 3606 __clear_ack_timer(chan);
1c2acffb 3607 }
30afb5b2
GP		 3608 return 0;
3609
8f17154f 3610expected:
42e5c802 3611 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
8f17154f 3612
525cd185 3613 if (chan->conn_state & L2CAP_CONN_SREJ_SENT) {
3b1a9f3f
GP		 3614 bt_cb(skb)->tx_seq = tx_seq;
3615 bt_cb(skb)->sar = sar;
f1c6775b 3616 __skb_queue_tail(&chan->srej_q, skb);
8f17154f
GP		 3617 return 0;
3618 }
3619
525cd185 3620 err = l2cap_push_rx_skb(chan, skb, rx_control);
2ece3684
GP		 3621 if (err < 0)
3622 return 0;
3623
4ec10d97 3624 if (rx_control & L2CAP_CTRL_FINAL) {
525cd185
GP		 3625 if (chan->conn_state & L2CAP_CONN_REJ_ACT)
3626 chan->conn_state &= ~L2CAP_CONN_REJ_ACT;
dfc909be 3627 else
525cd185 3628 l2cap_retransmit_frames(chan);
4ec10d97
GP		 3629 }
3630
1a09bcb9 3631 __set_ack_timer(chan);
c1b4f43b 3632
6a026610
GP		 3633 chan->num_acked = (chan->num_acked + 1) % num_to_ack;
3634 if (chan->num_acked == num_to_ack - 1)
525cd185 3635 l2cap_send_ack(chan);
9e917af1 3636
8f17154f 3637 return 0;
9b53350d
JPRV		 3638
3639drop:
3640 kfree_skb(skb);
3641 return 0;
1c2acffb
GP		 3642}
3643
525cd185 3644static inline void l2cap_data_channel_rrframe(struct l2cap_chan *chan, u16 rx_control)
1c2acffb 3645{
49208c9c 3646 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, __get_reqseq(rx_control),
0e98958d
GP		 3647 rx_control);
3648
42e5c802
GP		 3649 chan->expected_ack_seq = __get_reqseq(rx_control);
3650 l2cap_drop_acked_frames(chan);
1c2acffb 3651
e072745f 3652 if (rx_control & L2CAP_CTRL_POLL) {
525cd185
GP		 3653 chan->conn_state |= L2CAP_CONN_SEND_FBIT;
3654 if (chan->conn_state & L2CAP_CONN_SREJ_SENT) {
3655 if ((chan->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
6a026610 3656 (chan->unacked_frames > 0))
1a09bcb9 3657 __set_retrans_timer(chan);
05fbd89d 3658
525cd185
GP		 3659 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3660 l2cap_send_srejtail(chan);
05fbd89d 3661 } else {
525cd185 3662 l2cap_send_i_or_rr_or_rnr(chan);
05fbd89d 3663 }
1d8f5d16 3664
e072745f 3665 } else if (rx_control & L2CAP_CTRL_FINAL) {
525cd185 3666 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
4ec10d97 3667
525cd185
GP		 3668 if (chan->conn_state & L2CAP_CONN_REJ_ACT)
3669 chan->conn_state &= ~L2CAP_CONN_REJ_ACT;
dfc909be 3670 else
525cd185 3671 l2cap_retransmit_frames(chan);
2246b2f1 3672
e072745f 3673 } else {
525cd185 3674 if ((chan->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
6a026610 3675 (chan->unacked_frames > 0))
1a09bcb9 3676 __set_retrans_timer(chan);
1c2acffb 3677
525cd185
GP		 3678 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3679 if (chan->conn_state & L2CAP_CONN_SREJ_SENT)
3680 l2cap_send_ack(chan);
894718a6 3681 else
525cd185 3682 l2cap_ertm_send(chan);
e072745f
GP		 3683 }
3684}
2246b2f1 3685
525cd185 3686static inline void l2cap_data_channel_rejframe(struct l2cap_chan *chan, u16 rx_control)
e072745f 3687{
e072745f 3688 u8 tx_seq = __get_reqseq(rx_control);
30afb5b2 3689
525cd185 3690 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
0e98958d 3691
525cd185 3692 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
e072745f 3693
42e5c802
GP		 3694 chan->expected_ack_seq = tx_seq;
3695 l2cap_drop_acked_frames(chan);
e072745f
GP		 3696
3697 if (rx_control & L2CAP_CTRL_FINAL) {
525cd185
GP		 3698 if (chan->conn_state & L2CAP_CONN_REJ_ACT)
3699 chan->conn_state &= ~L2CAP_CONN_REJ_ACT;
dfc909be 3700 else
525cd185 3701 l2cap_retransmit_frames(chan);
e072745f 3702 } else {
525cd185 3703 l2cap_retransmit_frames(chan);
30afb5b2 3704
525cd185
GP		 3705 if (chan->conn_state & L2CAP_CONN_WAIT_F)
3706 chan->conn_state |= L2CAP_CONN_REJ_ACT;
e072745f
GP		 3707 }
3708}
525cd185 3709static inline void l2cap_data_channel_srejframe(struct l2cap_chan *chan, u16 rx_control)
e072745f 3710{
e072745f 3711 u8 tx_seq = __get_reqseq(rx_control);
30afb5b2 3712
525cd185 3713 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
0e98958d 3714
525cd185 3715 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
2246b2f1 3716
e072745f 3717 if (rx_control & L2CAP_CTRL_POLL) {
42e5c802
GP		 3718 chan->expected_ack_seq = tx_seq;
3719 l2cap_drop_acked_frames(chan);
3cb123d1 3720
525cd185
GP		 3721 chan->conn_state |= L2CAP_CONN_SEND_FBIT;
3722 l2cap_retransmit_one_frame(chan, tx_seq);
dfc909be 3723
525cd185 3724 l2cap_ertm_send(chan);
dfc909be 3725
525cd185 3726 if (chan->conn_state & L2CAP_CONN_WAIT_F) {
6a026610 3727 chan->srej_save_reqseq = tx_seq;
525cd185 3728 chan->conn_state |= L2CAP_CONN_SREJ_ACT;
ef54fd93 3729 }
e072745f 3730 } else if (rx_control & L2CAP_CTRL_FINAL) {
525cd185 3731 if ((chan->conn_state & L2CAP_CONN_SREJ_ACT) &&
6a026610 3732 chan->srej_save_reqseq == tx_seq)
525cd185 3733 chan->conn_state &= ~L2CAP_CONN_SREJ_ACT;
e072745f 3734 else
525cd185 3735 l2cap_retransmit_one_frame(chan, tx_seq);
e072745f 3736 } else {
525cd185
GP		 3737 l2cap_retransmit_one_frame(chan, tx_seq);
3738 if (chan->conn_state & L2CAP_CONN_WAIT_F) {
6a026610 3739 chan->srej_save_reqseq = tx_seq;
525cd185 3740 chan->conn_state |= L2CAP_CONN_SREJ_ACT;
ef54fd93 3741 }
e072745f
GP		 3742 }
3743}
3744
525cd185 3745static inline void l2cap_data_channel_rnrframe(struct l2cap_chan *chan, u16 rx_control)
e072745f 3746{
e072745f
GP		 3747 u8 tx_seq = __get_reqseq(rx_control);
3748
525cd185 3749 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
0e98958d 3750
525cd185 3751 chan->conn_state |= L2CAP_CONN_REMOTE_BUSY;
42e5c802
GP		 3752 chan->expected_ack_seq = tx_seq;
3753 l2cap_drop_acked_frames(chan);
e072745f 3754
3cb123d1 3755 if (rx_control & L2CAP_CTRL_POLL)
525cd185 3756 chan->conn_state |= L2CAP_CONN_SEND_FBIT;
3cb123d1 3757
525cd185 3758 if (!(chan->conn_state & L2CAP_CONN_SREJ_SENT)) {
1a09bcb9 3759 __clear_retrans_timer(chan);
a2e12a2a 3760 if (rx_control & L2CAP_CTRL_POLL)
525cd185 3761 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_FINAL);
99b0d4b7 3762 return;
e072745f 3763 }
99b0d4b7
GP		 3764
3765 if (rx_control & L2CAP_CTRL_POLL)
525cd185 3766 l2cap_send_srejtail(chan);
99b0d4b7 3767 else
525cd185 3768 l2cap_send_sframe(chan, L2CAP_SUPER_RCV_READY);
e072745f
GP		 3769}
3770
525cd185 3771static inline int l2cap_data_channel_sframe(struct l2cap_chan *chan, u16 rx_control, struct sk_buff *skb)
e072745f 3772{
525cd185 3773 BT_DBG("chan %p rx_control 0x%4.4x len %d", chan, rx_control, skb->len);
e072745f 3774
9b16dc65 3775 if (L2CAP_CTRL_FINAL & rx_control &&
525cd185 3776 chan->conn_state & L2CAP_CONN_WAIT_F) {
1a09bcb9 3777 __clear_monitor_timer(chan);
6a026610 3778 if (chan->unacked_frames > 0)
1a09bcb9 3779 __set_retrans_timer(chan);
525cd185 3780 chan->conn_state &= ~L2CAP_CONN_WAIT_F;
e072745f
GP		 3781 }
3782
3783 switch (rx_control & L2CAP_CTRL_SUPERVISE) {
3784 case L2CAP_SUPER_RCV_READY:
525cd185 3785 l2cap_data_channel_rrframe(chan, rx_control);
8f17154f
GP		 3786 break;
3787
e072745f 3788 case L2CAP_SUPER_REJECT:
525cd185 3789 l2cap_data_channel_rejframe(chan, rx_control);
e072745f 3790 break;
2246b2f1 3791
e072745f 3792 case L2CAP_SUPER_SELECT_REJECT:
525cd185 3793 l2cap_data_channel_srejframe(chan, rx_control);
e072745f
GP		 3794 break;
3795
3796 case L2CAP_SUPER_RCV_NOT_READY:
525cd185 3797 l2cap_data_channel_rnrframe(chan, rx_control);
1c2acffb
GP		 3798 break;
3799 }
3800
faaebd19 3801 kfree_skb(skb);
1c2acffb
GP		 3802 return 0;
3803}
3804
218bb9df
GP		 3805static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb)
3806{
525cd185 3807 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
218bb9df
GP		 3808 u16 control;
3809 u8 req_seq;
3810 int len, next_tx_seq_offset, req_seq_offset;
3811
3812 control = get_unaligned_le16(skb->data);
3813 skb_pull(skb, 2);
3814 len = skb->len;
3815
3816 /*
3817 * We can just drop the corrupted I-frame here.
3818 * Receiver will miss it and start proper recovery
3819 * procedures and ask retransmission.
3820 */
47d1ec61 3821 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 3822 goto drop;
3823
3824 if (__is_sar_start(control) && __is_iframe(control))
3825 len -= 2;
3826
47d1ec61 3827 if (chan->fcs == L2CAP_FCS_CRC16)
218bb9df
GP		 3828 len -= 2;
3829
47d1ec61 3830 if (len > chan->mps) {
8c1d787b 3831 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3832 goto drop;
3833 }
3834
3835 req_seq = __get_reqseq(control);
42e5c802 3836 req_seq_offset = (req_seq - chan->expected_ack_seq) % 64;
218bb9df
GP		 3837 if (req_seq_offset < 0)
3838 req_seq_offset += 64;
3839
3840 next_tx_seq_offset =
42e5c802 3841 (chan->next_tx_seq - chan->expected_ack_seq) % 64;
218bb9df
GP		 3842 if (next_tx_seq_offset < 0)
3843 next_tx_seq_offset += 64;
3844
3845 /* check for invalid req-seq */
3846 if (req_seq_offset > next_tx_seq_offset) {
8c1d787b 3847 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3848 goto drop;
3849 }
3850
3851 if (__is_iframe(control)) {
3852 if (len < 0) {
8c1d787b 3853 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3854 goto drop;
3855 }
3856
525cd185 3857 l2cap_data_channel_iframe(chan, control, skb);
218bb9df
GP		 3858 } else {
3859 if (len != 0) {
3860 BT_ERR("%d", len);
8c1d787b 3861 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3862 goto drop;
3863 }
3864
525cd185 3865 l2cap_data_channel_sframe(chan, control, skb);
218bb9df
GP		 3866 }
3867
3868 return 0;
3869
3870drop:
3871 kfree_skb(skb);
3872 return 0;
3873}
3874
1da177e4
LT		 3875static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
3876{
48454079 3877 struct l2cap_chan *chan;
bf734843 3878 struct sock *sk = NULL;
51893f88 3879 u16 control;
218bb9df
GP		 3880 u8 tx_seq;
3881 int len;
1da177e4 3882
baa7e1fa 3883 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 3884 if (!chan) {
1da177e4
LT		 3885 BT_DBG("unknown cid 0x%4.4x", cid);
3886 goto drop;
3887 }
3888
48454079 3889 sk = chan->sk;
6840ed07 3890
49208c9c 3891 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 3892
89bc500e 3893 if (chan->state != BT_CONNECTED)
1da177e4
LT		 3894 goto drop;
3895
0c1bc5c6 3896 switch (chan->mode) {
1c2acffb
GP		 3897 case L2CAP_MODE_BASIC:
3898 /* If socket recv buffers overflows we drop data here
3899 * which is *bad* because L2CAP has to be reliable.
3900 * But we don't have any other choice. L2CAP doesn't
3901 * provide flow control mechanism. */
1da177e4 3902
0c1bc5c6 3903 if (chan->imtu < skb->len)
1c2acffb 3904 goto drop;
1da177e4 3905
23070494 3906 if (!chan->ops->recv(chan->data, skb))
1c2acffb
GP		 3907 goto done;
3908 break;
3909
3910 case L2CAP_MODE_ERTM:
218bb9df
GP		 3911 if (!sock_owned_by_user(sk)) {
3912 l2cap_ertm_data_rcv(sk, skb);
277ffbe3 3913 } else {
218bb9df 3914 if (sk_add_backlog(sk, skb))
277ffbe3 3915 goto drop;
277ffbe3 3916 }
1c2acffb 3917
fcafde2e 3918 goto done;
1c2acffb 3919
6840ed07
GP		 3920 case L2CAP_MODE_STREAMING:
3921 control = get_unaligned_le16(skb->data);
3922 skb_pull(skb, 2);
3923 len = skb->len;
3924
47d1ec61 3925 if (l2cap_check_fcs(chan, skb))
26000089
GP		 3926 goto drop;
3927
6840ed07
GP		 3928 if (__is_sar_start(control))
3929 len -= 2;
3930
47d1ec61 3931 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3
GP		 3932 len -= 2;
3933
47d1ec61 3934 if (len > chan->mps || len < 0 || __is_sframe(control))
6840ed07
GP		 3935 goto drop;
3936
3937 tx_seq = __get_txseq(control);
3938
42e5c802
GP		 3939 if (chan->expected_tx_seq == tx_seq)
3940 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
6840ed07 3941 else
42e5c802 3942 chan->expected_tx_seq = (tx_seq + 1) % 64;
6840ed07 3943
525cd185 3944 l2cap_streaming_reassembly_sdu(chan, skb, control);
6840ed07
GP		 3945
3946 goto done;
3947
1c2acffb 3948 default:
0c1bc5c6 3949 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 3950 break;
3951 }
1da177e4
LT		 3952
3953drop:
3954 kfree_skb(skb);
3955
3956done:
0139418c
MH		 3957 if (sk)
3958 bh_unlock_sock(sk);
3959
1da177e4
LT		 3960 return 0;
3961}
3962
8e036fc3 3963static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
1da177e4 3964{
6dcae1ea 3965 struct sock *sk = NULL;
23691d75 3966 struct l2cap_chan *chan;
1da177e4 3967
23691d75
GP		 3968 chan = l2cap_global_chan_by_psm(0, psm, conn->src);
3969 if (!chan)
1da177e4
LT		 3970 goto drop;
3971
23691d75
GP		 3972 sk = chan->sk;
3973
e0f0cb56
GP		 3974 bh_lock_sock(sk);
3975
1da177e4
LT		 3976 BT_DBG("sk %p, len %d", sk, skb->len);
3977
89bc500e 3978 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 3979 goto drop;
3980
0c1bc5c6 3981 if (l2cap_pi(sk)->chan->imtu < skb->len)
1da177e4
LT		 3982 goto drop;
3983
23070494 3984 if (!chan->ops->recv(chan->data, skb))
1da177e4
LT		 3985 goto done;
3986
3987drop:
3988 kfree_skb(skb);
3989
3990done:
af05b30b
GP		 3991 if (sk)
3992 bh_unlock_sock(sk);
1da177e4
LT		 3993 return 0;
3994}
3995
9f69bda6
GP		 3996static inline int l2cap_att_channel(struct l2cap_conn *conn, __le16 cid, struct sk_buff *skb)
3997{
6dcae1ea 3998 struct sock *sk = NULL;
23691d75 3999 struct l2cap_chan *chan;
9f69bda6 4000
23691d75
GP		 4001 chan = l2cap_global_chan_by_scid(0, cid, conn->src);
4002 if (!chan)
9f69bda6
GP		 4003 goto drop;
4004
23691d75
GP		 4005 sk = chan->sk;
4006
9f69bda6
GP		 4007 bh_lock_sock(sk);
4008
4009 BT_DBG("sk %p, len %d", sk, skb->len);
4010
89bc500e 4011 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
9f69bda6
GP		 4012 goto drop;
4013
0c1bc5c6 4014 if (l2cap_pi(sk)->chan->imtu < skb->len)
9f69bda6
GP		 4015 goto drop;
4016
23070494 4017 if (!chan->ops->recv(chan->data, skb))
9f69bda6
GP		 4018 goto done;
4019
4020drop:
4021 kfree_skb(skb);
4022
4023done:
4024 if (sk)
4025 bh_unlock_sock(sk);
4026 return 0;
4027}
4028
1da177e4
LT		 4029static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
4030{
4031 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 4032 u16 cid, len;
4033 __le16 psm;
1da177e4
LT		 4034
4035 skb_pull(skb, L2CAP_HDR_SIZE);
4036 cid = __le16_to_cpu(lh->cid);
4037 len = __le16_to_cpu(lh->len);
4038
1c2acffb
GP		 4039 if (len != skb->len) {
4040 kfree_skb(skb);
4041 return;
4042 }
4043
1da177e4
LT		 4044 BT_DBG("len %d, cid 0x%4.4x", len, cid);
4045
4046 switch (cid) {
3300d9a9 4047 case L2CAP_CID_LE_SIGNALING:
8db4dc46 4048 case L2CAP_CID_SIGNALING:
1da177e4
LT		 4049 l2cap_sig_channel(conn, skb);
4050 break;
4051
8db4dc46 4052 case L2CAP_CID_CONN_LESS:
1b7bf4ed 4053 psm = get_unaligned_le16(skb->data);
1da177e4
LT		 4054 skb_pull(skb, 2);
4055 l2cap_conless_channel(conn, psm, skb);
4056 break;
4057
9f69bda6
GP		 4058 case L2CAP_CID_LE_DATA:
4059 l2cap_att_channel(conn, cid, skb);
4060 break;
4061
b501d6a1
AB		 4062 case L2CAP_CID_SMP:
4063 if (smp_sig_channel(conn, skb))
4064 l2cap_conn_del(conn->hcon, EACCES);
4065 break;
4066
1da177e4
LT		 4067 default:
4068 l2cap_data_channel(conn, cid, skb);
4069 break;
4070 }
4071}
4072
4073/* ---- L2CAP interface with lower layer (HCI) ---- */
4074
4075static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
4076{
4077 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 4078 struct l2cap_chan *c;
1da177e4
LT		 4079
4080 if (type != ACL_LINK)
963cf687 4081 return -EINVAL;
1da177e4
LT		 4082
4083 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
4084
4085 /* Find listening sockets and check their link_mode */
23691d75
GP		 4086 read_lock(&chan_list_lock);
4087 list_for_each_entry(c, &chan_list, global_l) {
4088 struct sock *sk = c->sk;
4343478f 4089
89bc500e 4090 if (c->state != BT_LISTEN)
1da177e4
LT		 4091 continue;
4092
4093 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 4094 lm1 |= HCI_LM_ACCEPT;
23691d75 4095 if (c->role_switch)
2af6b9d5 4096 lm1 |= HCI_LM_MASTER;
1da177e4 4097 exact++;
2af6b9d5
MH		 4098 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
4099 lm2 |= HCI_LM_ACCEPT;
23691d75 4100 if (c->role_switch)
2af6b9d5
MH		 4101 lm2 |= HCI_LM_MASTER;
4102 }
1da177e4 4103 }
23691d75 4104 read_unlock(&chan_list_lock);
1da177e4
LT		 4105
4106 return exact ? lm1 : lm2;
4107}
4108
4109static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
4110{
0139418c
MH		 4111 struct l2cap_conn *conn;
4112
1da177e4
LT		 4113 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
4114
acd7d370 4115 if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK))
963cf687 4116 return -EINVAL;
1da177e4
LT		 4117
4118 if (!status) {
1da177e4
LT		 4119 conn = l2cap_conn_add(hcon, status);
4120 if (conn)
4121 l2cap_conn_ready(conn);
0139418c 4122 } else
1da177e4
LT		 4123 l2cap_conn_del(hcon, bt_err(status));
4124
4125 return 0;
4126}
4127
2950f21a
MH		 4128static int l2cap_disconn_ind(struct hci_conn *hcon)
4129{
4130 struct l2cap_conn *conn = hcon->l2cap_data;
4131
4132 BT_DBG("hcon %p", hcon);
4133
b5694506 4134 if ((hcon->type != ACL_LINK && hcon->type != LE_LINK) || !conn)
2950f21a
MH		 4135 return 0x13;
4136
4137 return conn->disc_reason;
4138}
4139
4140static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 4141{
4142 BT_DBG("hcon %p reason %d", hcon, reason);
4143
acd7d370 4144 if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK))
963cf687 4145 return -EINVAL;
1da177e4
LT		 4146
4147 l2cap_conn_del(hcon, bt_err(reason));
0139418c 4148
1da177e4
LT		 4149 return 0;
4150}
4151
4343478f 4152static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 4153{
715ec005 4154 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 4155 return;
4156
f62e4323 4157 if (encrypt == 0x00) {
4343478f 4158 if (chan->sec_level == BT_SECURITY_MEDIUM) {
c9b66675
GP		 4159 __clear_chan_timer(chan);
4160 __set_chan_timer(chan, HZ * 5);
4343478f 4161 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 4162 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 4163 } else {
4343478f 4164 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 4165 __clear_chan_timer(chan);
f62e4323
MH		 4166 }
4167}
4168
8c1b2355 4169static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 4170{
0139418c 4171 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 4172 struct l2cap_chan *chan;
1da177e4 4173
0139418c 4174 if (!conn)
1da177e4 4175 return 0;
0139418c 4176
1da177e4
LT		 4177 BT_DBG("conn %p", conn);
4178
baa7e1fa 4179 read_lock(&conn->chan_lock);
1da177e4 4180
baa7e1fa 4181 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 4182 struct sock *sk = chan->sk;
baa7e1fa 4183
1da177e4
LT		 4184 bh_lock_sock(sk);
4185
f1cb9af5
VCG		 4186 BT_DBG("chan->scid %d", chan->scid);
4187
4188 if (chan->scid == L2CAP_CID_LE_DATA) {
4189 if (!status && encrypt) {
4190 chan->sec_level = hcon->sec_level;
5d3de7df 4191 del_timer(&conn->security_timer);
f1cb9af5
VCG		 4192 l2cap_chan_ready(sk);
4193 }
4194
4195 bh_unlock_sock(sk);
4196 continue;
4197 }
4198
c1360a1c 4199 if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
6a8d3010
MH		 4200 bh_unlock_sock(sk);
4201 continue;
4202 }
4203
89bc500e
GP		 4204 if (!status && (chan->state == BT_CONNECTED ||
4205 chan->state == BT_CONFIG)) {
4343478f 4206 l2cap_check_encryption(chan, encrypt);
9719f8af
MH		 4207 bh_unlock_sock(sk);
4208 continue;
4209 }
4210
89bc500e 4211 if (chan->state == BT_CONNECT) {
b1235d79
MH		 4212 if (!status) {
4213 struct l2cap_conn_req req;
fe4128e0
GP		 4214 req.scid = cpu_to_le16(chan->scid);
4215 req.psm = chan->psm;
1da177e4 4216
fc7f8a7e 4217 chan->ident = l2cap_get_ident(conn);
c1360a1c 4218 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4 4219
fc7f8a7e 4220 l2cap_send_cmd(conn, chan->ident,
b1235d79
MH		 4221 L2CAP_CONN_REQ, sizeof(req), &req);
4222 } else {
c9b66675
GP		 4223 __clear_chan_timer(chan);
4224 __set_chan_timer(chan, HZ / 10);
b1235d79 4225 }
89bc500e 4226 } else if (chan->state == BT_CONNECT2) {
b1235d79
MH		 4227 struct l2cap_conn_rsp rsp;
4228 __u16 result;
1da177e4 4229
b1235d79 4230 if (!status) {
89bc500e 4231 l2cap_state_change(chan, BT_CONFIG);
b1235d79
MH		 4232 result = L2CAP_CR_SUCCESS;
4233 } else {
89bc500e 4234 l2cap_state_change(chan, BT_DISCONN);
c9b66675 4235 __set_chan_timer(chan, HZ / 10);
b1235d79
MH		 4236 result = L2CAP_CR_SEC_BLOCK;
4237 }
4238
fe4128e0
GP		 4239 rsp.scid = cpu_to_le16(chan->dcid);
4240 rsp.dcid = cpu_to_le16(chan->scid);
b1235d79 4241 rsp.result = cpu_to_le16(result);
e7c29cb1 4242 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
fc7f8a7e
GP		 4243 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
4244 sizeof(rsp), &rsp);
b1235d79 4245 }
1da177e4
LT		 4246
4247 bh_unlock_sock(sk);
4248 }
4249
baa7e1fa 4250 read_unlock(&conn->chan_lock);
b1235d79 4251
1da177e4
LT		 4252 return 0;
4253}
4254
4255static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
4256{
4257 struct l2cap_conn *conn = hcon->l2cap_data;
4258
5a08ecce
AE		 4259 if (!conn)
4260 conn = l2cap_conn_add(hcon, 0);
4261
4262 if (!conn)
1da177e4
LT		 4263 goto drop;
4264
4265 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
4266
e702112f 4267 if (!(flags & ACL_CONT)) {
1da177e4 4268 struct l2cap_hdr *hdr;
48454079 4269 struct l2cap_chan *chan;
89794813 4270 u16 cid;
1da177e4
LT		 4271 int len;
4272
4273 if (conn->rx_len) {
4274 BT_ERR("Unexpected start frame (len %d)", skb->len);
4275 kfree_skb(conn->rx_skb);
4276 conn->rx_skb = NULL;
4277 conn->rx_len = 0;
4278 l2cap_conn_unreliable(conn, ECOMM);
4279 }
4280
aae7fe22
AE		 4281 /* Start fragment always begin with Basic L2CAP header */
4282 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 4283 BT_ERR("Frame is too short (len %d)", skb->len);
4284 l2cap_conn_unreliable(conn, ECOMM);
4285 goto drop;
4286 }
4287
4288 hdr = (struct l2cap_hdr *) skb->data;
4289 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
89794813 4290 cid = __le16_to_cpu(hdr->cid);
1da177e4
LT		 4291
4292 if (len == skb->len) {
4293 /* Complete frame received */
4294 l2cap_recv_frame(conn, skb);
4295 return 0;
4296 }
4297
4298 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
4299
4300 if (skb->len > len) {
4301 BT_ERR("Frame is too long (len %d, expected len %d)",
4302 skb->len, len);
4303 l2cap_conn_unreliable(conn, ECOMM);
4304 goto drop;
4305 }
4306
baa7e1fa 4307 chan = l2cap_get_chan_by_scid(conn, cid);
89794813 4308
48454079
GP		 4309 if (chan && chan->sk) {
4310 struct sock *sk = chan->sk;
89794813 4311
0c1bc5c6 4312 if (chan->imtu < len - L2CAP_HDR_SIZE) {
48454079
GP		 4313 BT_ERR("Frame exceeding recv MTU (len %d, "
4314 "MTU %d)", len,
0c1bc5c6 4315 chan->imtu);
48454079
GP		 4316 bh_unlock_sock(sk);
4317 l2cap_conn_unreliable(conn, ECOMM);
4318 goto drop;
4319 }
89794813 4320 bh_unlock_sock(sk);
48454079 4321 }
89794813 4322
1da177e4 4323 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 4324 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
4325 if (!conn->rx_skb)
1da177e4
LT		 4326 goto drop;
4327
d626f62b 4328 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4329 skb->len);
1da177e4
LT		 4330 conn->rx_len = len - skb->len;
4331 } else {
4332 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
4333
4334 if (!conn->rx_len) {
4335 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
4336 l2cap_conn_unreliable(conn, ECOMM);
4337 goto drop;
4338 }
4339
4340 if (skb->len > conn->rx_len) {
4341 BT_ERR("Fragment is too long (len %d, expected %d)",
4342 skb->len, conn->rx_len);
4343 kfree_skb(conn->rx_skb);
4344 conn->rx_skb = NULL;
4345 conn->rx_len = 0;
4346 l2cap_conn_unreliable(conn, ECOMM);
4347 goto drop;
4348 }
4349
d626f62b 4350 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4351 skb->len);
1da177e4
LT		 4352 conn->rx_len -= skb->len;
4353
4354 if (!conn->rx_len) {
4355 /* Complete frame received */
4356 l2cap_recv_frame(conn, conn->rx_skb);
4357 conn->rx_skb = NULL;
4358 }
4359 }
4360
4361drop:
4362 kfree_skb(skb);
4363 return 0;
4364}
4365
aef7d97c 4366static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 4367{
23691d75 4368 struct l2cap_chan *c;
1da177e4 4369
23691d75 4370 read_lock_bh(&chan_list_lock);
1da177e4 4371
23691d75
GP		 4372 list_for_each_entry(c, &chan_list, global_l) {
4373 struct sock *sk = c->sk;
101545f6 4374
903d343e 4375 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
aef7d97c
MH		 4376 batostr(&bt_sk(sk)->src),
4377 batostr(&bt_sk(sk)->dst),
89bc500e 4378 c->state, __le16_to_cpu(c->psm),
23691d75
GP		 4379 c->scid, c->dcid, c->imtu, c->omtu,
4380 c->sec_level, c->mode);
be9d1227 4381 }
1da177e4 4382
23691d75 4383 read_unlock_bh(&chan_list_lock);
1da177e4 4384
aef7d97c 4385 return 0;
1da177e4
LT		 4386}
4387
aef7d97c
MH		 4388static int l2cap_debugfs_open(struct inode *inode, struct file *file)
4389{
4390 return single_open(file, l2cap_debugfs_show, inode->i_private);
4391}
4392
4393static const struct file_operations l2cap_debugfs_fops = {
4394 .open = l2cap_debugfs_open,
4395 .read = seq_read,
4396 .llseek = seq_lseek,
4397 .release = single_release,
4398};
4399
4400static struct dentry *l2cap_debugfs;
1da177e4 4401
1da177e4
LT		 4402static struct hci_proto l2cap_hci_proto = {
4403 .name = "L2CAP",
4404 .id = HCI_PROTO_L2CAP,
4405 .connect_ind = l2cap_connect_ind,
4406 .connect_cfm = l2cap_connect_cfm,
4407 .disconn_ind = l2cap_disconn_ind,
2950f21a 4408 .disconn_cfm = l2cap_disconn_cfm,
8c1b2355 4409 .security_cfm = l2cap_security_cfm,
1da177e4
LT		 4410 .recv_acldata = l2cap_recv_acldata
4411};
4412
64274518 4413int __init l2cap_init(void)
1da177e4
LT		 4414{
4415 int err;
be9d1227 4416
bb58f747 4417 err = l2cap_init_sockets();
1da177e4
LT		 4418 if (err < 0)
4419 return err;
4420
1890d36b 4421 _busy_wq = create_singlethread_workqueue("l2cap");
b78d7b4f 4422 if (!_busy_wq) {
bb58f747 4423 err = -ENOMEM;
1da177e4
LT		 4424 goto error;
4425 }
4426
4427 err = hci_register_proto(&l2cap_hci_proto);
4428 if (err < 0) {
4429 BT_ERR("L2CAP protocol registration failed");
4430 bt_sock_unregister(BTPROTO_L2CAP);
4431 goto error;
4432 }
4433
aef7d97c
MH		 4434 if (bt_debugfs) {
4435 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
4436 bt_debugfs, NULL, &l2cap_debugfs_fops);
4437 if (!l2cap_debugfs)
4438 BT_ERR("Failed to create L2CAP debug file");
4439 }
1da177e4 4440
1da177e4
LT		 4441 return 0;
4442
4443error:
b78d7b4f 4444 destroy_workqueue(_busy_wq);
bb58f747 4445 l2cap_cleanup_sockets();
1da177e4
LT		 4446 return err;
4447}
4448
64274518 4449void l2cap_exit(void)
1da177e4 4450{
aef7d97c 4451 debugfs_remove(l2cap_debugfs);
1da177e4 4452
1890d36b
GP		 4453 flush_workqueue(_busy_wq);
4454 destroy_workqueue(_busy_wq);
4455
1da177e4
LT		 4456 if (hci_unregister_proto(&l2cap_hci_proto) < 0)
4457 BT_ERR("L2CAP protocol unregistration failed");
4458
bb58f747 4459 l2cap_cleanup_sockets();
1da177e4
LT		 4460}
4461
d1c4a17d
GP		 4462module_param(disable_ertm, bool, 0644);
4463MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
kernel source for telekom puls (alcatel/mediatek)