projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Make timer functions generic
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
1da177e4
LT		 6
7 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License version 2 as
11 published by the Free Software Foundation;
12
13 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
14 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
15 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
16 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 17 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
18 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
19 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 20 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
21
8e87d142
YH		 22 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
23 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 24 SOFTWARE IS DISCLAIMED.
25*/
26
bb58f747 27/* Bluetooth L2CAP core. */
1da177e4 28
1da177e4
LT		 29#include <linux/module.h>
30
31#include <linux/types.h>
4fc268d2 32#include <linux/capability.h>
1da177e4
LT		 33#include <linux/errno.h>
34#include <linux/kernel.h>
1da177e4
LT		 35#include <linux/sched.h>
36#include <linux/slab.h>
37#include <linux/poll.h>
38#include <linux/fcntl.h>
39#include <linux/init.h>
40#include <linux/interrupt.h>
41#include <linux/socket.h>
42#include <linux/skbuff.h>
1da177e4 43#include <linux/list.h>
be9d1227 44#include <linux/device.h>
aef7d97c
MH		 45#include <linux/debugfs.h>
46#include <linux/seq_file.h>
af05b30b 47#include <linux/uaccess.h>
fcc203c3 48#include <linux/crc16.h>
1da177e4
LT		 49#include <net/sock.h>
50
51#include <asm/system.h>
1da177e4
LT		 52#include <asm/unaligned.h>
53
54#include <net/bluetooth/bluetooth.h>
55#include <net/bluetooth/hci_core.h>
56#include <net/bluetooth/l2cap.h>
57
bb58f747 58int disable_ertm;
f0709e03 59
47ec1dcd 60static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
e1027a7c 61static u8 l2cap_fixed_chan[8] = { 0x02, };
1da177e4 62
1890d36b
GP		 63static struct workqueue_struct *_busy_wq;
64
b5ad8b7f
JB		 65static LIST_HEAD(chan_list);
66static DEFINE_RWLOCK(chan_list_lock);
1da177e4 67
1890d36b
GP		 68static void l2cap_busy_work(struct work_struct *work);
69
1da177e4
LT		 70static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
71 u8 code, u8 ident, u16 dlen, void *data);
4519de9a
GP		 72static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
73 void *data);
710f9b0a 74static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
4519de9a
GP		 75static void l2cap_send_disconn_req(struct l2cap_conn *conn,
76 struct l2cap_chan *chan, int err);
1da177e4 77
218bb9df
GP		 78static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb);
79
0139418c 80/* ---- L2CAP channels ---- */
71ba0e56
GP		 81
82static inline void chan_hold(struct l2cap_chan *c)
83{
84 atomic_inc(&c->refcnt);
85}
86
87static inline void chan_put(struct l2cap_chan *c)
88{
89 if (atomic_dec_and_test(&c->refcnt))
90 kfree(c);
91}
92
baa7e1fa 93static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
0139418c 94{
48454079 95 struct l2cap_chan *c;
baa7e1fa
GP		 96
97 list_for_each_entry(c, &conn->chan_l, list) {
fe4128e0 98 if (c->dcid == cid)
baa7e1fa 99 return c;
0139418c 100 }
baa7e1fa
GP		 101 return NULL;
102
0139418c
MH		 103}
104
baa7e1fa 105static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 106{
48454079 107 struct l2cap_chan *c;
baa7e1fa
GP		 108
109 list_for_each_entry(c, &conn->chan_l, list) {
fe4128e0 110 if (c->scid == cid)
baa7e1fa 111 return c;
0139418c 112 }
baa7e1fa 113 return NULL;
0139418c
MH		 114}
115
116/* Find channel with given SCID.
117 * Returns locked socket */
baa7e1fa 118static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 119{
48454079 120 struct l2cap_chan *c;
baa7e1fa
GP		 121
122 read_lock(&conn->chan_lock);
123 c = __l2cap_get_chan_by_scid(conn, cid);
48454079
GP		 124 if (c)
125 bh_lock_sock(c->sk);
baa7e1fa 126 read_unlock(&conn->chan_lock);
48454079 127 return c;
0139418c
MH		 128}
129
baa7e1fa 130static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 131{
48454079 132 struct l2cap_chan *c;
baa7e1fa
GP		 133
134 list_for_each_entry(c, &conn->chan_l, list) {
fc7f8a7e 135 if (c->ident == ident)
baa7e1fa 136 return c;
0139418c 137 }
baa7e1fa 138 return NULL;
0139418c
MH		 139}
140
baa7e1fa 141static inline struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 142{
48454079 143 struct l2cap_chan *c;
baa7e1fa
GP		 144
145 read_lock(&conn->chan_lock);
146 c = __l2cap_get_chan_by_ident(conn, ident);
48454079
GP		 147 if (c)
148 bh_lock_sock(c->sk);
baa7e1fa 149 read_unlock(&conn->chan_lock);
48454079 150 return c;
0139418c
MH		 151}
152
23691d75 153static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 154{
23691d75 155 struct l2cap_chan *c;
9e4425ff 156
23691d75
GP		 157 list_for_each_entry(c, &chan_list, global_l) {
158 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
9e4425ff
GP		 159 goto found;
160 }
161
23691d75 162 c = NULL;
9e4425ff 163found:
23691d75 164 return c;
9e4425ff
GP		 165}
166
167int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
168{
73b2ec18
GP		 169 int err;
170
23691d75 171 write_lock_bh(&chan_list_lock);
9e4425ff 172
23691d75 173 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 174 err = -EADDRINUSE;
175 goto done;
9e4425ff
GP		 176 }
177
73b2ec18
GP		 178 if (psm) {
179 chan->psm = psm;
180 chan->sport = psm;
181 err = 0;
182 } else {
183 u16 p;
184
185 err = -EINVAL;
186 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 187 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 188 chan->psm = cpu_to_le16(p);
189 chan->sport = cpu_to_le16(p);
190 err = 0;
191 break;
192 }
193 }
9e4425ff 194
73b2ec18 195done:
23691d75 196 write_unlock_bh(&chan_list_lock);
73b2ec18 197 return err;
9e4425ff
GP		 198}
199
200int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
201{
23691d75 202 write_lock_bh(&chan_list_lock);
9e4425ff
GP		 203
204 chan->scid = scid;
205
23691d75 206 write_unlock_bh(&chan_list_lock);
9e4425ff
GP		 207
208 return 0;
209}
210
baa7e1fa 211static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 212{
8db4dc46 213 u16 cid = L2CAP_CID_DYN_START;
0139418c 214
8db4dc46 215 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 216 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 217 return cid;
218 }
219
220 return 0;
221}
222
c9b66675 223static void l2cap_set_timer(struct l2cap_chan *chan, struct timer_list *timer, long timeout)
ab07801d 224{
89bc500e
GP		 225 BT_DBG("chan %p state %d timeout %ld", chan->sk, chan->state, timeout);
226
c9b66675 227 if (!mod_timer(timer, jiffies + timeout))
71ba0e56 228 chan_hold(chan);
ab07801d
GP		 229}
230
c9b66675 231static void l2cap_clear_timer(struct l2cap_chan *chan, struct timer_list *timer)
ab07801d 232{
89bc500e 233 BT_DBG("chan %p state %d", chan, chan->state);
ab07801d 234
c9b66675 235 if (timer_pending(timer) && del_timer(timer))
71ba0e56 236 chan_put(chan);
ab07801d
GP		 237}
238
89bc500e
GP		 239static void l2cap_state_change(struct l2cap_chan *chan, int state)
240{
241 chan->state = state;
242 chan->ops->state_change(chan->data, state);
243}
244
ab07801d
GP		 245static void l2cap_chan_timeout(unsigned long arg)
246{
247 struct l2cap_chan *chan = (struct l2cap_chan *) arg;
248 struct sock *sk = chan->sk;
249 int reason;
250
89bc500e 251 BT_DBG("chan %p state %d", chan, chan->state);
ab07801d
GP		 252
253 bh_lock_sock(sk);
254
255 if (sock_owned_by_user(sk)) {
256 /* sk is owned by user. Try again later */
c9b66675 257 __set_chan_timer(chan, HZ / 5);
ab07801d 258 bh_unlock_sock(sk);
71ba0e56 259 chan_put(chan);
ab07801d
GP		 260 return;
261 }
262
89bc500e 263 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 264 reason = ECONNREFUSED;
89bc500e 265 else if (chan->state == BT_CONNECT &&
ab07801d
GP		 266 chan->sec_level != BT_SECURITY_SDP)
267 reason = ECONNREFUSED;
268 else
269 reason = ETIMEDOUT;
270
0f852724 271 l2cap_chan_close(chan, reason);
ab07801d
GP		 272
273 bh_unlock_sock(sk);
274
ba3bd0ee 275 chan->ops->close(chan->data);
71ba0e56 276 chan_put(chan);
ab07801d
GP		 277}
278
23691d75 279struct l2cap_chan *l2cap_chan_create(struct sock *sk)
48454079
GP		 280{
281 struct l2cap_chan *chan;
282
283 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
284 if (!chan)
285 return NULL;
286
287 chan->sk = sk;
288
23691d75
GP		 289 write_lock_bh(&chan_list_lock);
290 list_add(&chan->global_l, &chan_list);
291 write_unlock_bh(&chan_list_lock);
292
ab07801d
GP		 293 setup_timer(&chan->chan_timer, l2cap_chan_timeout, (unsigned long) chan);
294
89bc500e
GP		 295 chan->state = BT_OPEN;
296
71ba0e56
GP		 297 atomic_set(&chan->refcnt, 1);
298
48454079
GP		 299 return chan;
300}
301
23691d75 302void l2cap_chan_destroy(struct l2cap_chan *chan)
6ff5abbf 303{
23691d75
GP		 304 write_lock_bh(&chan_list_lock);
305 list_del(&chan->global_l);
306 write_unlock_bh(&chan_list_lock);
307
71ba0e56 308 chan_put(chan);
6ff5abbf
GP		 309}
310
48454079 311static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 312{
af05b30b 313 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
fe4128e0 314 chan->psm, chan->dcid);
0139418c 315
2950f21a
MH		 316 conn->disc_reason = 0x13;
317
8c1d787b 318 chan->conn = conn;
0139418c 319
715ec005 320 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
b62f328b
VT		 321 if (conn->hcon->type == LE_LINK) {
322 /* LE connection */
0c1bc5c6 323 chan->omtu = L2CAP_LE_DEFAULT_MTU;
fe4128e0
GP		 324 chan->scid = L2CAP_CID_LE_DATA;
325 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 326 } else {
327 /* Alloc CID for connection-oriented socket */
fe4128e0 328 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 329 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 330 }
715ec005 331 } else if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
0139418c 332 /* Connectionless socket */
fe4128e0
GP		 333 chan->scid = L2CAP_CID_CONN_LESS;
334 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 335 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 336 } else {
337 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 338 chan->scid = L2CAP_CID_SIGNALING;
339 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 340 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 341 }
342
71ba0e56 343 chan_hold(chan);
baa7e1fa
GP		 344
345 list_add(&chan->list, &conn->chan_l);
0139418c
MH		 346}
347
8e87d142 348/* Delete channel.
0139418c 349 * Must be called on the locked socket. */
4519de9a 350static void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 351{
48454079 352 struct sock *sk = chan->sk;
8c1d787b 353 struct l2cap_conn *conn = chan->conn;
0139418c
MH		 354 struct sock *parent = bt_sk(sk)->parent;
355
c9b66675 356 __clear_chan_timer(chan);
0139418c 357
49208c9c 358 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 359
8e87d142 360 if (conn) {
baa7e1fa
GP		 361 /* Delete from channel list */
362 write_lock_bh(&conn->chan_lock);
363 list_del(&chan->list);
364 write_unlock_bh(&conn->chan_lock);
71ba0e56 365 chan_put(chan);
baa7e1fa 366
8c1d787b 367 chan->conn = NULL;
0139418c
MH		 368 hci_conn_put(conn->hcon);
369 }
370
89bc500e 371 l2cap_state_change(chan, BT_CLOSED);
0139418c
MH		 372 sock_set_flag(sk, SOCK_ZAPPED);
373
374 if (err)
375 sk->sk_err = err;
376
377 if (parent) {
378 bt_accept_unlink(sk);
379 parent->sk_data_ready(parent, 0);
380 } else
381 sk->sk_state_change(sk);
c13ffa62 382
b4450035
GP		 383 if (!(chan->conf_state & L2CAP_CONF_OUTPUT_DONE &&
384 chan->conf_state & L2CAP_CONF_INPUT_DONE))
6ff5abbf 385 return;
2ead70b8 386
58d35f87 387 skb_queue_purge(&chan->tx_q);
c13ffa62 388
0c1bc5c6 389 if (chan->mode == L2CAP_MODE_ERTM) {
c13ffa62
GP		 390 struct srej_list *l, *tmp;
391
e92c8e70
GP		 392 del_timer(&chan->retrans_timer);
393 del_timer(&chan->monitor_timer);
394 del_timer(&chan->ack_timer);
c13ffa62 395
f1c6775b
GP		 396 skb_queue_purge(&chan->srej_q);
397 skb_queue_purge(&chan->busy_q);
c13ffa62 398
39d5a3ee 399 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
c13ffa62
GP		 400 list_del(&l->list);
401 kfree(l);
402 }
403 }
0139418c
MH		 404}
405
4519de9a
GP		 406static void l2cap_chan_cleanup_listen(struct sock *parent)
407{
408 struct sock *sk;
409
410 BT_DBG("parent %p", parent);
411
412 /* Close not yet accepted channels */
0f852724 413 while ((sk = bt_accept_dequeue(parent, NULL))) {
ba3bd0ee 414 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
c9b66675 415 __clear_chan_timer(chan);
0f852724 416 lock_sock(sk);
ba3bd0ee 417 l2cap_chan_close(chan, ECONNRESET);
0f852724 418 release_sock(sk);
ba3bd0ee 419 chan->ops->close(chan->data);
0f852724 420 }
4519de9a
GP		 421}
422
0f852724 423void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 424{
425 struct l2cap_conn *conn = chan->conn;
426 struct sock *sk = chan->sk;
427
89bc500e 428 BT_DBG("chan %p state %d socket %p", chan, chan->state, sk->sk_socket);
4519de9a 429
89bc500e 430 switch (chan->state) {
4519de9a
GP		 431 case BT_LISTEN:
432 l2cap_chan_cleanup_listen(sk);
89bc500e
GP		 433
434 l2cap_state_change(chan, BT_CLOSED);
435 sock_set_flag(sk, SOCK_ZAPPED);
4519de9a
GP		 436 break;
437
438 case BT_CONNECTED:
439 case BT_CONFIG:
715ec005 440 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a 441 conn->hcon->type == ACL_LINK) {
c9b66675
GP		 442 __clear_chan_timer(chan);
443 __set_chan_timer(chan, sk->sk_sndtimeo);
4519de9a
GP		 444 l2cap_send_disconn_req(conn, chan, reason);
445 } else
446 l2cap_chan_del(chan, reason);
447 break;
448
449 case BT_CONNECT2:
715ec005 450 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a
GP		 451 conn->hcon->type == ACL_LINK) {
452 struct l2cap_conn_rsp rsp;
453 __u16 result;
454
455 if (bt_sk(sk)->defer_setup)
456 result = L2CAP_CR_SEC_BLOCK;
457 else
458 result = L2CAP_CR_BAD_PSM;
89bc500e 459 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 460
461 rsp.scid = cpu_to_le16(chan->dcid);
462 rsp.dcid = cpu_to_le16(chan->scid);
463 rsp.result = cpu_to_le16(result);
464 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
465 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
466 sizeof(rsp), &rsp);
467 }
468
469 l2cap_chan_del(chan, reason);
470 break;
471
472 case BT_CONNECT:
473 case BT_DISCONN:
474 l2cap_chan_del(chan, reason);
475 break;
476
477 default:
478 sock_set_flag(sk, SOCK_ZAPPED);
479 break;
480 }
481}
482
4343478f 483static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 484{
715ec005 485 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 486 switch (chan->sec_level) {
8556edd3
JH		 487 case BT_SECURITY_HIGH:
488 return HCI_AT_DEDICATED_BONDING_MITM;
489 case BT_SECURITY_MEDIUM:
490 return HCI_AT_DEDICATED_BONDING;
491 default:
492 return HCI_AT_NO_BONDING;
493 }
fe4128e0 494 } else if (chan->psm == cpu_to_le16(0x0001)) {
4343478f
GP		 495 if (chan->sec_level == BT_SECURITY_LOW)
496 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 497
4343478f 498 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 499 return HCI_AT_NO_BONDING_MITM;
00ae4af9 500 else
8556edd3 501 return HCI_AT_NO_BONDING;
00ae4af9 502 } else {
4343478f 503 switch (chan->sec_level) {
00ae4af9 504 case BT_SECURITY_HIGH:
8556edd3 505 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 506 case BT_SECURITY_MEDIUM:
8556edd3 507 return HCI_AT_GENERAL_BONDING;
00ae4af9 508 default:
8556edd3 509 return HCI_AT_NO_BONDING;
00ae4af9 510 }
0684e5f9 511 }
8556edd3
JH		 512}
513
514/* Service level security */
4343478f 515static inline int l2cap_check_security(struct l2cap_chan *chan)
8556edd3 516{
8c1d787b 517 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 518 __u8 auth_type;
519
4343478f 520 auth_type = l2cap_get_auth_type(chan);
79d554a6 521
4343478f 522 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 523}
524
b5ad8b7f 525static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 526{
527 u8 id;
528
529 /* Get next available identificator.
530 * 1 - 128 are used by kernel.
531 * 129 - 199 are reserved.
532 * 200 - 254 are used by utilities like l2ping, etc.
533 */
534
535 spin_lock_bh(&conn->lock);
536
537 if (++conn->tx_ident > 128)
538 conn->tx_ident = 1;
539
540 id = conn->tx_ident;
541
542 spin_unlock_bh(&conn->lock);
543
544 return id;
545}
546
4519de9a 547static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
4e8402a3
MH		 548{
549 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 550 u8 flags;
4e8402a3
MH		 551
552 BT_DBG("code 0x%2.2x", code);
553
554 if (!skb)
9a9c6a34 555 return;
4e8402a3 556
e702112f
AE		 557 if (lmp_no_flush_capable(conn->hcon->hdev))
558 flags = ACL_START_NO_FLUSH;
559 else
560 flags = ACL_START;
561
14b12d0b
JG		 562 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
563
e702112f 564 hci_send_acl(conn->hcon, skb, flags);
4e8402a3
MH		 565}
566
525cd185 567static inline void l2cap_send_sframe(struct l2cap_chan *chan, u16 control)
1c2acffb
GP		 568{
569 struct sk_buff *skb;
570 struct l2cap_hdr *lh;
8c1d787b 571 struct l2cap_conn *conn = chan->conn;
fcc203c3 572 int count, hlen = L2CAP_HDR_SIZE + 2;
e702112f 573 u8 flags;
fcc203c3 574
89bc500e 575 if (chan->state != BT_CONNECTED)
c13ffa62
GP		 576 return;
577
47d1ec61 578 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3 579 hlen += 2;
1c2acffb 580
49208c9c 581 BT_DBG("chan %p, control 0x%2.2x", chan, control);
1c2acffb 582
fcc203c3 583 count = min_t(unsigned int, conn->mtu, hlen);
1c2acffb
GP		 584 control |= L2CAP_CTRL_FRAME_TYPE;
585
525cd185 586 if (chan->conn_state & L2CAP_CONN_SEND_FBIT) {
9e917af1 587 control |= L2CAP_CTRL_FINAL;
525cd185 588 chan->conn_state &= ~L2CAP_CONN_SEND_FBIT;
9e917af1
GP		 589 }
590
525cd185 591 if (chan->conn_state & L2CAP_CONN_SEND_PBIT) {
f0946ccf 592 control |= L2CAP_CTRL_POLL;
525cd185 593 chan->conn_state &= ~L2CAP_CONN_SEND_PBIT;
f0946ccf
GP		 594 }
595
1c2acffb
GP		 596 skb = bt_skb_alloc(count, GFP_ATOMIC);
597 if (!skb)
9a9c6a34 598 return;
1c2acffb
GP		 599
600 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fcc203c3 601 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
fe4128e0 602 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb
GP		 603 put_unaligned_le16(control, skb_put(skb, 2));
604
47d1ec61 605 if (chan->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 606 u16 fcs = crc16(0, (u8 *)lh, count - 2);
607 put_unaligned_le16(fcs, skb_put(skb, 2));
608 }
609
e702112f
AE		 610 if (lmp_no_flush_capable(conn->hcon->hdev))
611 flags = ACL_START_NO_FLUSH;
612 else
613 flags = ACL_START;
614
14b12d0b
JG		 615 bt_cb(skb)->force_active = chan->force_active;
616
8c1d787b 617 hci_send_acl(chan->conn->hcon, skb, flags);
1c2acffb
GP		 618}
619
525cd185 620static inline void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, u16 control)
7e743090 621{
525cd185 622 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
7e743090 623 control |= L2CAP_SUPER_RCV_NOT_READY;
525cd185 624 chan->conn_state |= L2CAP_CONN_RNR_SENT;
1890d36b 625 } else
7e743090
GP		 626 control |= L2CAP_SUPER_RCV_READY;
627
42e5c802 628 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
2ab25cdd 629
525cd185 630 l2cap_send_sframe(chan, control);
7e743090
GP		 631}
632
b4450035 633static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 634{
b4450035 635 return !(chan->conf_state & L2CAP_CONF_CONNECT_PEND);
e501d055
AE		 636}
637
fc7f8a7e 638static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 639{
8c1d787b 640 struct l2cap_conn *conn = chan->conn;
79d554a6
MH		 641
642 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 643 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
644 return;
645
4343478f
GP		 646 if (l2cap_check_security(chan) &&
647 __l2cap_no_conn_pending(chan)) {
b1235d79 648 struct l2cap_conn_req req;
fe4128e0
GP		 649 req.scid = cpu_to_le16(chan->scid);
650 req.psm = chan->psm;
79d554a6 651
fc7f8a7e 652 chan->ident = l2cap_get_ident(conn);
b4450035 653 chan->conf_state |= L2CAP_CONF_CONNECT_PEND;
79d554a6 654
fc7f8a7e
GP		 655 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
656 sizeof(req), &req);
b1235d79 657 }
79d554a6
MH		 658 } else {
659 struct l2cap_info_req req;
660 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
661
662 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
663 conn->info_ident = l2cap_get_ident(conn);
664
665 mod_timer(&conn->info_timer, jiffies +
666 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
667
668 l2cap_send_cmd(conn, conn->info_ident,
669 L2CAP_INFO_REQ, sizeof(req), &req);
670 }
671}
672
cf6c2c0b
GP		 673static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
674{
675 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 676 if (!disable_ertm)
cf6c2c0b
GP		 677 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
678
679 switch (mode) {
680 case L2CAP_MODE_ERTM:
681 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
682 case L2CAP_MODE_STREAMING:
683 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
684 default:
685 return 0x00;
686 }
687}
688
4519de9a 689static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
22121fc9 690{
e92c8e70 691 struct sock *sk;
22121fc9
GP		 692 struct l2cap_disconn_req req;
693
c13ffa62
GP		 694 if (!conn)
695 return;
696
e92c8e70
GP		 697 sk = chan->sk;
698
0c1bc5c6 699 if (chan->mode == L2CAP_MODE_ERTM) {
e92c8e70
GP		 700 del_timer(&chan->retrans_timer);
701 del_timer(&chan->monitor_timer);
702 del_timer(&chan->ack_timer);
c13ffa62
GP		 703 }
704
fe4128e0
GP		 705 req.dcid = cpu_to_le16(chan->dcid);
706 req.scid = cpu_to_le16(chan->scid);
22121fc9
GP		 707 l2cap_send_cmd(conn, l2cap_get_ident(conn),
708 L2CAP_DISCONN_REQ, sizeof(req), &req);
c13ffa62 709
89bc500e 710 l2cap_state_change(chan, BT_DISCONN);
9b108fc0 711 sk->sk_err = err;
22121fc9
GP		 712}
713
1da177e4 714/* ---- L2CAP connections ---- */
4e8402a3
MH		 715static void l2cap_conn_start(struct l2cap_conn *conn)
716{
820ffdb3 717 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 718
719 BT_DBG("conn %p", conn);
720
baa7e1fa 721 read_lock(&conn->chan_lock);
4e8402a3 722
820ffdb3 723 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 724 struct sock *sk = chan->sk;
baa7e1fa 725
4e8402a3
MH		 726 bh_lock_sock(sk);
727
715ec005 728 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
79d554a6
MH		 729 bh_unlock_sock(sk);
730 continue;
731 }
732
89bc500e 733 if (chan->state == BT_CONNECT) {
47731de7 734 struct l2cap_conn_req req;
79d554a6 735
4343478f 736 if (!l2cap_check_security(chan) ||
b4450035 737 !__l2cap_no_conn_pending(chan)) {
47731de7
GP		 738 bh_unlock_sock(sk);
739 continue;
740 }
79d554a6 741
0c1bc5c6 742 if (!l2cap_mode_supported(chan->mode,
47731de7 743 conn->feat_mask)
b4450035 744 && chan->conf_state &
47731de7 745 L2CAP_CONF_STATE2_DEVICE) {
0f852724 746 /* l2cap_chan_close() calls list_del(chan)
820ffdb3
GP		 747 * so release the lock */
748 read_unlock_bh(&conn->chan_lock);
89bc500e 749 l2cap_chan_close(chan, ECONNRESET);
820ffdb3 750 read_lock_bh(&conn->chan_lock);
47731de7
GP		 751 bh_unlock_sock(sk);
752 continue;
b1235d79 753 }
47731de7 754
fe4128e0
GP		 755 req.scid = cpu_to_le16(chan->scid);
756 req.psm = chan->psm;
47731de7 757
fc7f8a7e 758 chan->ident = l2cap_get_ident(conn);
b4450035 759 chan->conf_state |= L2CAP_CONF_CONNECT_PEND;
47731de7 760
fc7f8a7e
GP		 761 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
762 sizeof(req), &req);
47731de7 763
89bc500e 764 } else if (chan->state == BT_CONNECT2) {
79d554a6 765 struct l2cap_conn_rsp rsp;
e9aeb2dd 766 char buf[128];
fe4128e0
GP		 767 rsp.scid = cpu_to_le16(chan->dcid);
768 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 769
4343478f 770 if (l2cap_check_security(chan)) {
f66dc81f
MH		 771 if (bt_sk(sk)->defer_setup) {
772 struct sock *parent = bt_sk(sk)->parent;
773 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
774 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
775 parent->sk_data_ready(parent, 0);
776
777 } else {
89bc500e 778 l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 779 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
780 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
781 }
79d554a6
MH		 782 } else {
783 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
784 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
785 }
786
fc7f8a7e
GP		 787 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
788 sizeof(rsp), &rsp);
e9aeb2dd 789
b4450035 790 if (chan->conf_state & L2CAP_CONF_REQ_SENT ||
e9aeb2dd
GP		 791 rsp.result != L2CAP_CR_SUCCESS) {
792 bh_unlock_sock(sk);
793 continue;
794 }
795
b4450035 796 chan->conf_state |= L2CAP_CONF_REQ_SENT;
e9aeb2dd 797 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 798 l2cap_build_conf_req(chan, buf), buf);
799 chan->num_conf_req++;
4e8402a3
MH		 800 }
801
802 bh_unlock_sock(sk);
803 }
804
baa7e1fa 805 read_unlock(&conn->chan_lock);
4e8402a3
MH		 806}
807
b62f328b
VT		 808/* Find socket with cid and source bdaddr.
809 * Returns closest match, locked.
810 */
23691d75 811static struct l2cap_chan *l2cap_global_chan_by_scid(int state, __le16 cid, bdaddr_t *src)
b62f328b 812{
23691d75 813 struct l2cap_chan *c, *c1 = NULL;
b62f328b 814
23691d75 815 read_lock(&chan_list_lock);
b62f328b 816
23691d75
GP		 817 list_for_each_entry(c, &chan_list, global_l) {
818 struct sock *sk = c->sk;
fe4128e0 819
89bc500e 820 if (state && c->state != state)
b62f328b
VT		 821 continue;
822
23691d75 823 if (c->scid == cid) {
b62f328b 824 /* Exact match. */
23691d75
GP		 825 if (!bacmp(&bt_sk(sk)->src, src)) {
826 read_unlock(&chan_list_lock);
827 return c;
828 }
b62f328b
VT		 829
830 /* Closest match */
831 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
23691d75 832 c1 = c;
b62f328b
VT		 833 }
834 }
280f294f 835
23691d75 836 read_unlock(&chan_list_lock);
b62f328b 837
23691d75 838 return c1;
b62f328b
VT		 839}
840
841static void l2cap_le_conn_ready(struct l2cap_conn *conn)
842{
c916fbe4 843 struct sock *parent, *sk;
23691d75 844 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 845
846 BT_DBG("");
847
848 /* Check if we have socket listening on cid */
23691d75 849 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
b62f328b 850 conn->src);
23691d75 851 if (!pchan)
b62f328b
VT		 852 return;
853
23691d75
GP		 854 parent = pchan->sk;
855
62f3a2cf
GP		 856 bh_lock_sock(parent);
857
b62f328b
VT		 858 /* Check for backlog size */
859 if (sk_acceptq_is_full(parent)) {
860 BT_DBG("backlog full %d", parent->sk_ack_backlog);
861 goto clean;
862 }
863
80808e43
GP		 864 chan = pchan->ops->new_connection(pchan->data);
865 if (!chan)
b62f328b
VT		 866 goto clean;
867
80808e43 868 sk = chan->sk;
5d41ce1d 869
baa7e1fa 870 write_lock_bh(&conn->chan_lock);
b62f328b
VT		 871
872 hci_conn_hold(conn->hcon);
873
b62f328b
VT		 874 bacpy(&bt_sk(sk)->src, conn->src);
875 bacpy(&bt_sk(sk)->dst, conn->dst);
876
d1010240
GP		 877 bt_accept_enqueue(parent, sk);
878
48454079
GP		 879 __l2cap_chan_add(conn, chan);
880
c9b66675 881 __set_chan_timer(chan, sk->sk_sndtimeo);
b62f328b 882
89bc500e 883 l2cap_state_change(chan, BT_CONNECTED);
b62f328b
VT		 884 parent->sk_data_ready(parent, 0);
885
baa7e1fa 886 write_unlock_bh(&conn->chan_lock);
b62f328b
VT		 887
888clean:
889 bh_unlock_sock(parent);
890}
891
4e8402a3
MH		 892static void l2cap_conn_ready(struct l2cap_conn *conn)
893{
48454079 894 struct l2cap_chan *chan;
4e8402a3 895
79d554a6 896 BT_DBG("conn %p", conn);
4e8402a3 897
b62f328b
VT		 898 if (!conn->hcon->out && conn->hcon->type == LE_LINK)
899 l2cap_le_conn_ready(conn);
900
baa7e1fa 901 read_lock(&conn->chan_lock);
4e8402a3 902
baa7e1fa 903 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 904 struct sock *sk = chan->sk;
baa7e1fa 905
79d554a6 906 bh_lock_sock(sk);
4e8402a3 907
acd7d370 908 if (conn->hcon->type == LE_LINK) {
c9b66675 909 __clear_chan_timer(chan);
89bc500e 910 l2cap_state_change(chan, BT_CONNECTED);
acd7d370
VT		 911 sk->sk_state_change(sk);
912 }
913
715ec005 914 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 915 __clear_chan_timer(chan);
89bc500e 916 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 917 sk->sk_state_change(sk);
89bc500e 918 } else if (chan->state == BT_CONNECT)
fc7f8a7e 919 l2cap_do_start(chan);
4e8402a3 920
79d554a6 921 bh_unlock_sock(sk);
4e8402a3 922 }
79d554a6 923
baa7e1fa 924 read_unlock(&conn->chan_lock);
4e8402a3
MH		 925}
926
927/* Notify sockets that we cannot guaranty reliability anymore */
928static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
929{
48454079 930 struct l2cap_chan *chan;
4e8402a3
MH		 931
932 BT_DBG("conn %p", conn);
933
baa7e1fa 934 read_lock(&conn->chan_lock);
4e8402a3 935
baa7e1fa 936 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 937 struct sock *sk = chan->sk;
baa7e1fa 938
4343478f 939 if (chan->force_reliable)
4e8402a3
MH		 940 sk->sk_err = err;
941 }
942
baa7e1fa 943 read_unlock(&conn->chan_lock);
4e8402a3
MH		 944}
945
946static void l2cap_info_timeout(unsigned long arg)
947{
948 struct l2cap_conn *conn = (void *) arg;
949
984947dc 950 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 951 conn->info_ident = 0;
984947dc 952
4e8402a3
MH		 953 l2cap_conn_start(conn);
954}
955
1da177e4
LT		 956static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
957{
0139418c 958 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4 959
0139418c 960 if (conn || status)
1da177e4
LT		 961 return conn;
962
0139418c
MH		 963 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
964 if (!conn)
1da177e4 965 return NULL;
1da177e4
LT		 966
967 hcon->l2cap_data = conn;
968 conn->hcon = hcon;
969
0139418c
MH		 970 BT_DBG("hcon %p conn %p", hcon, conn);
971
acd7d370
VT		 972 if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
973 conn->mtu = hcon->hdev->le_mtu;
974 else
975 conn->mtu = hcon->hdev->acl_mtu;
976
1da177e4
LT		 977 conn->src = &hcon->hdev->bdaddr;
978 conn->dst = &hcon->dst;
979
4e8402a3
MH		 980 conn->feat_mask = 0;
981
1da177e4 982 spin_lock_init(&conn->lock);
baa7e1fa
GP		 983 rwlock_init(&conn->chan_lock);
984
985 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 986
b62f328b
VT		 987 if (hcon->type != LE_LINK)
988 setup_timer(&conn->info_timer, l2cap_info_timeout,
45054dc1
DY		 989 (unsigned long) conn);
990
2950f21a
MH		 991 conn->disc_reason = 0x13;
992
1da177e4
LT		 993 return conn;
994}
995
0139418c 996static void l2cap_conn_del(struct hci_conn *hcon, int err)
1da177e4 997{
0139418c 998 struct l2cap_conn *conn = hcon->l2cap_data;
baa7e1fa 999 struct l2cap_chan *chan, *l;
1da177e4
LT		 1000 struct sock *sk;
1001
0139418c
MH		 1002 if (!conn)
1003 return;
1da177e4
LT		 1004
1005 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1006
7585b97a 1007 kfree_skb(conn->rx_skb);
1da177e4
LT		 1008
1009 /* Kill channels */
baa7e1fa 1010 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
48454079 1011 sk = chan->sk;
1da177e4 1012 bh_lock_sock(sk);
48454079 1013 l2cap_chan_del(chan, err);
1da177e4 1014 bh_unlock_sock(sk);
ba3bd0ee 1015 chan->ops->close(chan->data);
1da177e4
LT		 1016 }
1017
8e8440f5
DY		 1018 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1019 del_timer_sync(&conn->info_timer);
3ab22731 1020
1da177e4
LT		 1021 hcon->l2cap_data = NULL;
1022 kfree(conn);
1da177e4
LT		 1023}
1024
48454079 1025static inline void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
1da177e4 1026{
baa7e1fa 1027 write_lock_bh(&conn->chan_lock);
48454079 1028 __l2cap_chan_add(conn, chan);
baa7e1fa 1029 write_unlock_bh(&conn->chan_lock);
1da177e4
LT		 1030}
1031
1da177e4 1032/* ---- Socket interface ---- */
1da177e4
LT		 1033
1034/* Find socket with psm and source bdaddr.
1035 * Returns closest match.
1036 */
23691d75 1037static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm, bdaddr_t *src)
1da177e4 1038{
23691d75 1039 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1040
23691d75 1041 read_lock(&chan_list_lock);
e0f0cb56 1042
23691d75
GP		 1043 list_for_each_entry(c, &chan_list, global_l) {
1044 struct sock *sk = c->sk;
fe4128e0 1045
89bc500e 1046 if (state && c->state != state)
1da177e4
LT		 1047 continue;
1048
23691d75 1049 if (c->psm == psm) {
1da177e4 1050 /* Exact match. */
23691d75 1051 if (!bacmp(&bt_sk(sk)->src, src)) {
a7567b20 1052 read_unlock(&chan_list_lock);
23691d75
GP		 1053 return c;
1054 }
1da177e4
LT		 1055
1056 /* Closest match */
1057 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
23691d75 1058 c1 = c;
1da177e4
LT		 1059 }
1060 }
1da177e4 1061
23691d75 1062 read_unlock(&chan_list_lock);
e0f0cb56 1063
23691d75 1064 return c1;
1da177e4
LT		 1065}
1066
77a74c7e 1067int l2cap_chan_connect(struct l2cap_chan *chan)
1da177e4 1068{
5d41ce1d 1069 struct sock *sk = chan->sk;
1da177e4
LT		 1070 bdaddr_t *src = &bt_sk(sk)->src;
1071 bdaddr_t *dst = &bt_sk(sk)->dst;
1072 struct l2cap_conn *conn;
1073 struct hci_conn *hcon;
1074 struct hci_dev *hdev;
09ab6f4c 1075 __u8 auth_type;
44d0e48e 1076 int err;
1da177e4 1077
f29972de 1078 BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
fe4128e0 1079 chan->psm);
1da177e4 1080
af05b30b
GP		 1081 hdev = hci_get_route(dst, src);
1082 if (!hdev)
1da177e4
LT		 1083 return -EHOSTUNREACH;
1084
1085 hci_dev_lock_bh(hdev);
1086
4343478f 1087 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1088
fe4128e0 1089 if (chan->dcid == L2CAP_CID_LE_DATA)
acd7d370 1090 hcon = hci_connect(hdev, LE_LINK, dst,
4343478f 1091 chan->sec_level, auth_type);
acd7d370
VT		 1092 else
1093 hcon = hci_connect(hdev, ACL_LINK, dst,
4343478f 1094 chan->sec_level, auth_type);
acd7d370 1095
30e76272
VT		 1096 if (IS_ERR(hcon)) {
1097 err = PTR_ERR(hcon);
1da177e4 1098 goto done;
30e76272 1099 }
1da177e4
LT		 1100
1101 conn = l2cap_conn_add(hcon, 0);
1102 if (!conn) {
1103 hci_conn_put(hcon);
30e76272 1104 err = -ENOMEM;
1da177e4
LT		 1105 goto done;
1106 }
1107
1da177e4
LT		 1108 /* Update source addr of the socket */
1109 bacpy(src, conn->src);
1110
48454079
GP		 1111 l2cap_chan_add(conn, chan);
1112
89bc500e 1113 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1114 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1115
1116 if (hcon->state == BT_CONNECTED) {
715ec005 1117 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1118 __clear_chan_timer(chan);
4343478f 1119 if (l2cap_check_security(chan))
89bc500e 1120 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1121 } else
fc7f8a7e 1122 l2cap_do_start(chan);
1da177e4
LT		 1123 }
1124
30e76272
VT		 1125 err = 0;
1126
1da177e4
LT		 1127done:
1128 hci_dev_unlock_bh(hdev);
1129 hci_dev_put(hdev);
1130 return err;
1131}
1132
dcba0dba 1133int __l2cap_wait_ack(struct sock *sk)
6161c038 1134{
8c1d787b 1135 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1136 DECLARE_WAITQUEUE(wait, current);
1137 int err = 0;
1138 int timeo = HZ/5;
1139
2b0b05dd 1140 add_wait_queue(sk_sleep(sk), &wait);
8c1d787b 1141 while ((chan->unacked_frames > 0 && chan->conn)) {
6161c038
GP		 1142 set_current_state(TASK_INTERRUPTIBLE);
1143
1144 if (!timeo)
1145 timeo = HZ/5;
1146
1147 if (signal_pending(current)) {
1148 err = sock_intr_errno(timeo);
1149 break;
1150 }
1151
1152 release_sock(sk);
1153 timeo = schedule_timeout(timeo);
1154 lock_sock(sk);
1155
1156 err = sock_error(sk);
1157 if (err)
1158 break;
1159 }
1160 set_current_state(TASK_RUNNING);
2b0b05dd 1161 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1162 return err;
1163}
1164
e90bac06
GP		 1165static void l2cap_monitor_timeout(unsigned long arg)
1166{
525cd185
GP		 1167 struct l2cap_chan *chan = (void *) arg;
1168 struct sock *sk = chan->sk;
e90bac06 1169
525cd185 1170 BT_DBG("chan %p", chan);
0e98958d 1171
e686219a 1172 bh_lock_sock(sk);
2c03a7a4 1173 if (chan->retry_count >= chan->remote_max_tx) {
8c1d787b 1174 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
b13f5860 1175 bh_unlock_sock(sk);
e90bac06
GP		 1176 return;
1177 }
1178
6a026610 1179 chan->retry_count++;
e90bac06
GP		 1180 __mod_monitor_timer();
1181
525cd185 1182 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
e686219a 1183 bh_unlock_sock(sk);
e90bac06
GP		 1184}
1185
1186static void l2cap_retrans_timeout(unsigned long arg)
1187{
525cd185
GP		 1188 struct l2cap_chan *chan = (void *) arg;
1189 struct sock *sk = chan->sk;
e90bac06 1190
49208c9c 1191 BT_DBG("chan %p", chan);
0e98958d 1192
e686219a 1193 bh_lock_sock(sk);
6a026610 1194 chan->retry_count = 1;
e90bac06
GP		 1195 __mod_monitor_timer();
1196
525cd185 1197 chan->conn_state |= L2CAP_CONN_WAIT_F;
e90bac06 1198
525cd185 1199 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
e686219a 1200 bh_unlock_sock(sk);
e90bac06
GP		 1201}
1202
42e5c802 1203static void l2cap_drop_acked_frames(struct l2cap_chan *chan)
1da177e4 1204{
1c2acffb 1205 struct sk_buff *skb;
1da177e4 1206
58d35f87 1207 while ((skb = skb_peek(&chan->tx_q)) &&
6a026610 1208 chan->unacked_frames) {
42e5c802 1209 if (bt_cb(skb)->tx_seq == chan->expected_ack_seq)
1c2acffb 1210 break;
1da177e4 1211
58d35f87 1212 skb = skb_dequeue(&chan->tx_q);
1c2acffb 1213 kfree_skb(skb);
1da177e4 1214
6a026610 1215 chan->unacked_frames--;
1c2acffb 1216 }
1da177e4 1217
6a026610 1218 if (!chan->unacked_frames)
e92c8e70 1219 del_timer(&chan->retrans_timer);
1c2acffb 1220}
1da177e4 1221
4343478f 1222void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
1c2acffb 1223{
8c1d787b 1224 struct hci_conn *hcon = chan->conn->hcon;
e702112f 1225 u16 flags;
1c2acffb 1226
4343478f 1227 BT_DBG("chan %p, skb %p len %d", chan, skb, skb->len);
1da177e4 1228
4343478f 1229 if (!chan->flushable && lmp_no_flush_capable(hcon->hdev))
e702112f
AE		 1230 flags = ACL_START_NO_FLUSH;
1231 else
1232 flags = ACL_START;
1233
14b12d0b 1234 bt_cb(skb)->force_active = chan->force_active;
e702112f 1235 hci_send_acl(hcon, skb, flags);
1c2acffb
GP		 1236}
1237
42e5c802 1238void l2cap_streaming_send(struct l2cap_chan *chan)
6840ed07 1239{
ccbb84af 1240 struct sk_buff *skb;
fcc203c3 1241 u16 control, fcs;
6840ed07 1242
58d35f87 1243 while ((skb = skb_dequeue(&chan->tx_q))) {
ccbb84af 1244 control = get_unaligned_le16(skb->data + L2CAP_HDR_SIZE);
42e5c802 1245 control |= chan->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT;
ccbb84af 1246 put_unaligned_le16(control, skb->data + L2CAP_HDR_SIZE);
6840ed07 1247
47d1ec61 1248 if (chan->fcs == L2CAP_FCS_CRC16) {
ccbb84af
GP		 1249 fcs = crc16(0, (u8 *)skb->data, skb->len - 2);
1250 put_unaligned_le16(fcs, skb->data + skb->len - 2);
fcc203c3
GP		 1251 }
1252
4343478f 1253 l2cap_do_send(chan, skb);
6840ed07 1254
42e5c802 1255 chan->next_tx_seq = (chan->next_tx_seq + 1) % 64;
6840ed07 1256 }
6840ed07
GP		 1257}
1258
525cd185 1259static void l2cap_retransmit_one_frame(struct l2cap_chan *chan, u8 tx_seq)
8f17154f 1260{
8f17154f
GP		 1261 struct sk_buff *skb, *tx_skb;
1262 u16 control, fcs;
8f17154f 1263
58d35f87 1264 skb = skb_peek(&chan->tx_q);
f11d676d
GP		 1265 if (!skb)
1266 return;
8f17154f 1267
f11d676d
GP		 1268 do {
1269 if (bt_cb(skb)->tx_seq == tx_seq)
8f17154f 1270 break;
8f17154f 1271
58d35f87 1272 if (skb_queue_is_last(&chan->tx_q, skb))
f11d676d 1273 return;
8f17154f 1274
58d35f87 1275 } while ((skb = skb_queue_next(&chan->tx_q, skb)));
8f17154f 1276
2c03a7a4
GP		 1277 if (chan->remote_max_tx &&
1278 bt_cb(skb)->retries == chan->remote_max_tx) {
8c1d787b 1279 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
f11d676d
GP		 1280 return;
1281 }
1282
1283 tx_skb = skb_clone(skb, GFP_ATOMIC);
1284 bt_cb(skb)->retries++;
1285 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
a429b519 1286 control &= L2CAP_CTRL_SAR;
3cb123d1 1287
525cd185 1288 if (chan->conn_state & L2CAP_CONN_SEND_FBIT) {
3cb123d1 1289 control |= L2CAP_CTRL_FINAL;
525cd185 1290 chan->conn_state &= ~L2CAP_CONN_SEND_FBIT;
3cb123d1 1291 }
95ffa978 1292
42e5c802 1293 control |= (chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
f11d676d 1294 | (tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
3cb123d1 1295
f11d676d
GP		 1296 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1297
47d1ec61 1298 if (chan->fcs == L2CAP_FCS_CRC16) {
f11d676d
GP		 1299 fcs = crc16(0, (u8 *)tx_skb->data, tx_skb->len - 2);
1300 put_unaligned_le16(fcs, tx_skb->data + tx_skb->len - 2);
1301 }
1302
4343478f 1303 l2cap_do_send(chan, tx_skb);
8f17154f
GP		 1304}
1305
525cd185 1306int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1307{
1308 struct sk_buff *skb, *tx_skb;
fcc203c3 1309 u16 control, fcs;
9a9c6a34 1310 int nsent = 0;
1c2acffb 1311
89bc500e 1312 if (chan->state != BT_CONNECTED)
c13ffa62 1313 return -ENOTCONN;
e90bac06 1314
58d35f87 1315 while ((skb = chan->tx_send_head) && (!l2cap_tx_window_full(chan))) {
1c2acffb 1316
2c03a7a4
GP		 1317 if (chan->remote_max_tx &&
1318 bt_cb(skb)->retries == chan->remote_max_tx) {
8c1d787b 1319 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
e90bac06
GP		 1320 break;
1321 }
1322
e420aba3
AE		 1323 tx_skb = skb_clone(skb, GFP_ATOMIC);
1324
e90bac06
GP		 1325 bt_cb(skb)->retries++;
1326
1c2acffb 1327 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
95ffa978
GP		 1328 control &= L2CAP_CTRL_SAR;
1329
525cd185 1330 if (chan->conn_state & L2CAP_CONN_SEND_FBIT) {
d5392c8f 1331 control |= L2CAP_CTRL_FINAL;
525cd185 1332 chan->conn_state &= ~L2CAP_CONN_SEND_FBIT;
d5392c8f 1333 }
42e5c802
GP		 1334 control |= (chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1335 | (chan->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
1c2acffb
GP		 1336 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1337
e90bac06 1338
47d1ec61 1339 if (chan->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 1340 fcs = crc16(0, (u8 *)skb->data, tx_skb->len - 2);
1341 put_unaligned_le16(fcs, skb->data + tx_skb->len - 2);
1342 }
1343
4343478f 1344 l2cap_do_send(chan, tx_skb);
9a9c6a34 1345
e90bac06 1346 __mod_retrans_timer();
1c2acffb 1347
42e5c802
GP		 1348 bt_cb(skb)->tx_seq = chan->next_tx_seq;
1349 chan->next_tx_seq = (chan->next_tx_seq + 1) % 64;
1c2acffb 1350
23e9fde2 1351 if (bt_cb(skb)->retries == 1)
6a026610 1352 chan->unacked_frames++;
23e9fde2 1353
6a026610 1354 chan->frames_sent++;
1c2acffb 1355
58d35f87
GP		 1356 if (skb_queue_is_last(&chan->tx_q, skb))
1357 chan->tx_send_head = NULL;
1c2acffb 1358 else
58d35f87 1359 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
9e917af1
GP		 1360
1361 nsent++;
1c2acffb
GP		 1362 }
1363
9e917af1
GP		 1364 return nsent;
1365}
1366
525cd185 1367static int l2cap_retransmit_frames(struct l2cap_chan *chan)
dfc909be 1368{
dfc909be
GP		 1369 int ret;
1370
58d35f87
GP		 1371 if (!skb_queue_empty(&chan->tx_q))
1372 chan->tx_send_head = chan->tx_q.next;
dfc909be 1373
42e5c802 1374 chan->next_tx_seq = chan->expected_ack_seq;
525cd185 1375 ret = l2cap_ertm_send(chan);
dfc909be
GP		 1376 return ret;
1377}
1378
525cd185 1379static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 1380{
9e917af1
GP		 1381 u16 control = 0;
1382
42e5c802 1383 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
9e917af1 1384
525cd185 1385 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
9e917af1 1386 control |= L2CAP_SUPER_RCV_NOT_READY;
525cd185
GP		 1387 chan->conn_state |= L2CAP_CONN_RNR_SENT;
1388 l2cap_send_sframe(chan, control);
9a9c6a34 1389 return;
9e917af1 1390 }
dfc909be 1391
525cd185 1392 if (l2cap_ertm_send(chan) > 0)
dfc909be
GP		 1393 return;
1394
1395 control |= L2CAP_SUPER_RCV_READY;
525cd185 1396 l2cap_send_sframe(chan, control);
1c2acffb
GP		 1397}
1398
525cd185 1399static void l2cap_send_srejtail(struct l2cap_chan *chan)
99b0d4b7
GP		 1400{
1401 struct srej_list *tail;
1402 u16 control;
1403
1404 control = L2CAP_SUPER_SELECT_REJECT;
1405 control |= L2CAP_CTRL_FINAL;
1406
39d5a3ee 1407 tail = list_entry((&chan->srej_l)->prev, struct srej_list, list);
99b0d4b7
GP		 1408 control |= tail->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1409
525cd185 1410 l2cap_send_sframe(chan, control);
99b0d4b7
GP		 1411}
1412
1c2acffb
GP		 1413static inline int l2cap_skbuff_fromiovec(struct sock *sk, struct msghdr *msg, int len, int count, struct sk_buff *skb)
1414{
8c1d787b 1415 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
1c2acffb
GP		 1416 struct sk_buff **frag;
1417 int err, sent = 0;
1da177e4 1418
59203a21 1419 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1420 return -EFAULT;
1da177e4
LT		 1421
1422 sent += count;
1423 len -= count;
1424
1425 /* Continuation fragments (no L2CAP header) */
1426 frag = &skb_shinfo(skb)->frag_list;
1427 while (len) {
1428 count = min_t(unsigned int, conn->mtu, len);
1429
1430 *frag = bt_skb_send_alloc(sk, count, msg->msg_flags & MSG_DONTWAIT, &err);
1431 if (!*frag)
0175d629 1432 return err;
1c2acffb
GP		 1433 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1434 return -EFAULT;
1da177e4
LT		 1435
1436 sent += count;
1437 len -= count;
1438
1439 frag = &(*frag)->next;
1440 }
1da177e4
LT		 1441
1442 return sent;
1c2acffb 1443}
1da177e4 1444
fe4128e0 1445struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1c2acffb 1446{
fe4128e0 1447 struct sock *sk = chan->sk;
8c1d787b 1448 struct l2cap_conn *conn = chan->conn;
1c2acffb
GP		 1449 struct sk_buff *skb;
1450 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1451 struct l2cap_hdr *lh;
1452
1453 BT_DBG("sk %p len %d", sk, (int)len);
1454
1455 count = min_t(unsigned int, (conn->mtu - hlen), len);
1456 skb = bt_skb_send_alloc(sk, count + hlen,
1457 msg->msg_flags & MSG_DONTWAIT, &err);
1458 if (!skb)
0175d629 1459 return ERR_PTR(err);
1c2acffb
GP		 1460
1461 /* Create L2CAP header */
1462 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1463 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 1464 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
fe4128e0 1465 put_unaligned_le16(chan->psm, skb_put(skb, 2));
1c2acffb
GP		 1466
1467 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1468 if (unlikely(err < 0)) {
1469 kfree_skb(skb);
1470 return ERR_PTR(err);
1471 }
1472 return skb;
1473}
1474
fe4128e0 1475struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1c2acffb 1476{
fe4128e0 1477 struct sock *sk = chan->sk;
8c1d787b 1478 struct l2cap_conn *conn = chan->conn;
1c2acffb
GP		 1479 struct sk_buff *skb;
1480 int err, count, hlen = L2CAP_HDR_SIZE;
1481 struct l2cap_hdr *lh;
1482
1483 BT_DBG("sk %p len %d", sk, (int)len);
1484
1485 count = min_t(unsigned int, (conn->mtu - hlen), len);
1486 skb = bt_skb_send_alloc(sk, count + hlen,
1487 msg->msg_flags & MSG_DONTWAIT, &err);
1488 if (!skb)
0175d629 1489 return ERR_PTR(err);
1c2acffb
GP		 1490
1491 /* Create L2CAP header */
1492 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1493 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb
GP		 1494 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1495
1496 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1497 if (unlikely(err < 0)) {
1498 kfree_skb(skb);
1499 return ERR_PTR(err);
1500 }
1501 return skb;
1502}
1503
47d1ec61 1504struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len, u16 control, u16 sdulen)
1c2acffb 1505{
47d1ec61 1506 struct sock *sk = chan->sk;
8c1d787b 1507 struct l2cap_conn *conn = chan->conn;
1c2acffb
GP		 1508 struct sk_buff *skb;
1509 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1510 struct l2cap_hdr *lh;
1511
1512 BT_DBG("sk %p len %d", sk, (int)len);
1513
0ee0d208
GP		 1514 if (!conn)
1515 return ERR_PTR(-ENOTCONN);
1516
c74e560c
GP		 1517 if (sdulen)
1518 hlen += 2;
1519
47d1ec61 1520 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3
GP		 1521 hlen += 2;
1522
1c2acffb
GP		 1523 count = min_t(unsigned int, (conn->mtu - hlen), len);
1524 skb = bt_skb_send_alloc(sk, count + hlen,
1525 msg->msg_flags & MSG_DONTWAIT, &err);
1526 if (!skb)
0175d629 1527 return ERR_PTR(err);
1c2acffb
GP		 1528
1529 /* Create L2CAP header */
1530 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1531 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb
GP		 1532 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1533 put_unaligned_le16(control, skb_put(skb, 2));
c74e560c
GP		 1534 if (sdulen)
1535 put_unaligned_le16(sdulen, skb_put(skb, 2));
1c2acffb
GP		 1536
1537 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1538 if (unlikely(err < 0)) {
1539 kfree_skb(skb);
1540 return ERR_PTR(err);
1541 }
e90bac06 1542
47d1ec61 1543 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3
GP		 1544 put_unaligned_le16(0, skb_put(skb, 2));
1545
e90bac06 1546 bt_cb(skb)->retries = 0;
1c2acffb 1547 return skb;
1da177e4
LT		 1548}
1549
2c03a7a4 1550int l2cap_sar_segment_sdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
c74e560c 1551{
c74e560c
GP		 1552 struct sk_buff *skb;
1553 struct sk_buff_head sar_queue;
1554 u16 control;
1555 size_t size = 0;
1556
ff12fd64 1557 skb_queue_head_init(&sar_queue);
c74e560c 1558 control = L2CAP_SDU_START;
47d1ec61 1559 skb = l2cap_create_iframe_pdu(chan, msg, chan->remote_mps, control, len);
c74e560c
GP		 1560 if (IS_ERR(skb))
1561 return PTR_ERR(skb);
1562
1563 __skb_queue_tail(&sar_queue, skb);
2c03a7a4
GP		 1564 len -= chan->remote_mps;
1565 size += chan->remote_mps;
c74e560c
GP		 1566
1567 while (len > 0) {
1568 size_t buflen;
1569
2c03a7a4 1570 if (len > chan->remote_mps) {
44651b85 1571 control = L2CAP_SDU_CONTINUE;
2c03a7a4 1572 buflen = chan->remote_mps;
c74e560c 1573 } else {
44651b85 1574 control = L2CAP_SDU_END;
c74e560c
GP		 1575 buflen = len;
1576 }
1577
47d1ec61 1578 skb = l2cap_create_iframe_pdu(chan, msg, buflen, control, 0);
c74e560c
GP		 1579 if (IS_ERR(skb)) {
1580 skb_queue_purge(&sar_queue);
1581 return PTR_ERR(skb);
1582 }
1583
1584 __skb_queue_tail(&sar_queue, skb);
1585 len -= buflen;
1586 size += buflen;
c74e560c 1587 }
58d35f87
GP		 1588 skb_queue_splice_tail(&sar_queue, &chan->tx_q);
1589 if (chan->tx_send_head == NULL)
1590 chan->tx_send_head = sar_queue.next;
c74e560c
GP		 1591
1592 return size;
1593}
1594
9a91a04a
GP		 1595int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1596{
9a91a04a
GP		 1597 struct sk_buff *skb;
1598 u16 control;
1599 int err;
1600
1601 /* Connectionless channel */
715ec005 1602 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
9a91a04a
GP		 1603 skb = l2cap_create_connless_pdu(chan, msg, len);
1604 if (IS_ERR(skb))
1605 return PTR_ERR(skb);
1606
1607 l2cap_do_send(chan, skb);
1608 return len;
1609 }
1610
1611 switch (chan->mode) {
1612 case L2CAP_MODE_BASIC:
1613 /* Check outgoing MTU */
1614 if (len > chan->omtu)
1615 return -EMSGSIZE;
1616
1617 /* Create a basic PDU */
1618 skb = l2cap_create_basic_pdu(chan, msg, len);
1619 if (IS_ERR(skb))
1620 return PTR_ERR(skb);
1621
1622 l2cap_do_send(chan, skb);
1623 err = len;
1624 break;
1625
1626 case L2CAP_MODE_ERTM:
1627 case L2CAP_MODE_STREAMING:
1628 /* Entire SDU fits into one PDU */
1629 if (len <= chan->remote_mps) {
1630 control = L2CAP_SDU_UNSEGMENTED;
1631 skb = l2cap_create_iframe_pdu(chan, msg, len, control,
1632 0);
1633 if (IS_ERR(skb))
1634 return PTR_ERR(skb);
1635
1636 __skb_queue_tail(&chan->tx_q, skb);
1637
1638 if (chan->tx_send_head == NULL)
1639 chan->tx_send_head = skb;
1640
1641 } else {
1642 /* Segment SDU into multiples PDUs */
1643 err = l2cap_sar_segment_sdu(chan, msg, len);
1644 if (err < 0)
1645 return err;
1646 }
1647
1648 if (chan->mode == L2CAP_MODE_STREAMING) {
1649 l2cap_streaming_send(chan);
1650 err = len;
1651 break;
1652 }
1653
1654 if ((chan->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
1655 (chan->conn_state & L2CAP_CONN_WAIT_F)) {
1656 err = len;
1657 break;
1658 }
1659
1660 err = l2cap_ertm_send(chan);
1661 if (err >= 0)
1662 err = len;
1663
1664 break;
1665
1666 default:
1667 BT_DBG("bad state %1.1x", chan->mode);
1668 err = -EBADFD;
1669 }
1670
1671 return err;
1672}
1673
1da177e4
LT		 1674static void l2cap_chan_ready(struct sock *sk)
1675{
1676 struct sock *parent = bt_sk(sk)->parent;
b4450035 1677 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1da177e4
LT		 1678
1679 BT_DBG("sk %p, parent %p", sk, parent);
1680
b4450035 1681 chan->conf_state = 0;
c9b66675 1682 __clear_chan_timer(chan);
1da177e4
LT		 1683
1684 if (!parent) {
1685 /* Outgoing channel.
1686 * Wake up socket sleeping on connect.
1687 */
89bc500e 1688 l2cap_state_change(chan, BT_CONNECTED);
1da177e4
LT		 1689 sk->sk_state_change(sk);
1690 } else {
1691 /* Incoming channel.
1692 * Wake up socket sleeping on accept.
1693 */
1694 parent->sk_data_ready(parent, 0);
1695 }
1696}
1697
1698/* Copy frame to all raw sockets on that connection */
1699static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
1700{
1da177e4 1701 struct sk_buff *nskb;
48454079 1702 struct l2cap_chan *chan;
1da177e4
LT		 1703
1704 BT_DBG("conn %p", conn);
1705
baa7e1fa
GP		 1706 read_lock(&conn->chan_lock);
1707 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 1708 struct sock *sk = chan->sk;
715ec005 1709 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 1710 continue;
1711
1712 /* Don't send frame to the socket it came from */
1713 if (skb->sk == sk)
1714 continue;
af05b30b
GP		 1715 nskb = skb_clone(skb, GFP_ATOMIC);
1716 if (!nskb)
1da177e4
LT		 1717 continue;
1718
23070494 1719 if (chan->ops->recv(chan->data, nskb))
1da177e4
LT		 1720 kfree_skb(nskb);
1721 }
baa7e1fa 1722 read_unlock(&conn->chan_lock);
1da177e4
LT		 1723}
1724
1725/* ---- L2CAP signalling commands ---- */
1726static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
1727 u8 code, u8 ident, u16 dlen, void *data)
1728{
1729 struct sk_buff *skb, **frag;
1730 struct l2cap_cmd_hdr *cmd;
1731 struct l2cap_hdr *lh;
1732 int len, count;
1733
af05b30b
GP		 1734 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
1735 conn, code, ident, dlen);
1da177e4
LT		 1736
1737 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
1738 count = min_t(unsigned int, conn->mtu, len);
1739
1740 skb = bt_skb_alloc(count, GFP_ATOMIC);
1741 if (!skb)
1742 return NULL;
1743
1744 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 1745 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 1746
1747 if (conn->hcon->type == LE_LINK)
1748 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
1749 else
1750 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 1751
1752 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
1753 cmd->code = code;
1754 cmd->ident = ident;
aca3192c 1755 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 1756
1757 if (dlen) {
1758 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
1759 memcpy(skb_put(skb, count), data, count);
1760 data += count;
1761 }
1762
1763 len -= skb->len;
1764
1765 /* Continuation fragments (no L2CAP header) */
1766 frag = &skb_shinfo(skb)->frag_list;
1767 while (len) {
1768 count = min_t(unsigned int, conn->mtu, len);
1769
1770 *frag = bt_skb_alloc(count, GFP_ATOMIC);
1771 if (!*frag)
1772 goto fail;
1773
1774 memcpy(skb_put(*frag, count), data, count);
1775
1776 len -= count;
1777 data += count;
1778
1779 frag = &(*frag)->next;
1780 }
1781
1782 return skb;
1783
1784fail:
1785 kfree_skb(skb);
1786 return NULL;
1787}
1788
1789static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
1790{
1791 struct l2cap_conf_opt *opt = *ptr;
1792 int len;
1793
1794 len = L2CAP_CONF_OPT_SIZE + opt->len;
1795 *ptr += len;
1796
1797 *type = opt->type;
1798 *olen = opt->len;
1799
1800 switch (opt->len) {
1801 case 1:
1802 *val = *((u8 *) opt->val);
1803 break;
1804
1805 case 2:
bfaaeb3e 1806 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 1807 break;
1808
1809 case 4:
bfaaeb3e 1810 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 1811 break;
1812
1813 default:
1814 *val = (unsigned long) opt->val;
1815 break;
1816 }
1817
1818 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
1819 return len;
1820}
1821
1da177e4
LT		 1822static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
1823{
1824 struct l2cap_conf_opt *opt = *ptr;
1825
1826 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
1827
1828 opt->type = type;
1829 opt->len = len;
1830
1831 switch (len) {
1832 case 1:
1833 *((u8 *) opt->val) = val;
1834 break;
1835
1836 case 2:
4f8b691c 1837 put_unaligned_le16(val, opt->val);
1da177e4
LT		 1838 break;
1839
1840 case 4:
4f8b691c 1841 put_unaligned_le32(val, opt->val);
1da177e4
LT		 1842 break;
1843
1844 default:
1845 memcpy(opt->val, (void *) val, len);
1846 break;
1847 }
1848
1849 *ptr += L2CAP_CONF_OPT_SIZE + len;
1850}
1851
c1b4f43b
GP		 1852static void l2cap_ack_timeout(unsigned long arg)
1853{
525cd185 1854 struct l2cap_chan *chan = (void *) arg;
c1b4f43b 1855
525cd185
GP		 1856 bh_lock_sock(chan->sk);
1857 l2cap_send_ack(chan);
1858 bh_unlock_sock(chan->sk);
c1b4f43b
GP		 1859}
1860
525cd185 1861static inline void l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 1862{
525cd185
GP		 1863 struct sock *sk = chan->sk;
1864
42e5c802 1865 chan->expected_ack_seq = 0;
6a026610 1866 chan->unacked_frames = 0;
42e5c802 1867 chan->buffer_seq = 0;
6a026610
GP		 1868 chan->num_acked = 0;
1869 chan->frames_sent = 0;
0565c1c2 1870
e92c8e70
GP		 1871 setup_timer(&chan->retrans_timer, l2cap_retrans_timeout,
1872 (unsigned long) chan);
1873 setup_timer(&chan->monitor_timer, l2cap_monitor_timeout,
1874 (unsigned long) chan);
1875 setup_timer(&chan->ack_timer, l2cap_ack_timeout, (unsigned long) chan);
0565c1c2 1876
f1c6775b
GP		 1877 skb_queue_head_init(&chan->srej_q);
1878 skb_queue_head_init(&chan->busy_q);
1890d36b 1879
39d5a3ee
GP		 1880 INIT_LIST_HEAD(&chan->srej_l);
1881
311bb895 1882 INIT_WORK(&chan->busy_work, l2cap_busy_work);
218bb9df
GP		 1883
1884 sk->sk_backlog_rcv = l2cap_ertm_data_rcv;
0565c1c2
GP		 1885}
1886
f2fcfcd6
GP		 1887static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
1888{
1889 switch (mode) {
1890 case L2CAP_MODE_STREAMING:
1891 case L2CAP_MODE_ERTM:
1892 if (l2cap_mode_supported(mode, remote_feat_mask))
1893 return mode;
1894 /* fall through */
1895 default:
1896 return L2CAP_MODE_BASIC;
1897 }
1898}
1899
710f9b0a 1900static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 1901{
1da177e4 1902 struct l2cap_conf_req *req = data;
0c1bc5c6 1903 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4
LT		 1904 void *ptr = req->data;
1905
49208c9c 1906 BT_DBG("chan %p", chan);
1da177e4 1907
73ffa904 1908 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 1909 goto done;
1910
0c1bc5c6 1911 switch (chan->mode) {
f2fcfcd6
GP		 1912 case L2CAP_MODE_STREAMING:
1913 case L2CAP_MODE_ERTM:
b4450035 1914 if (chan->conf_state & L2CAP_CONF_STATE2_DEVICE)
85eb53c6 1915 break;
85eb53c6 1916
2ba13ed6 1917 /* fall through */
f2fcfcd6 1918 default:
8c1d787b 1919 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 1920 break;
1921 }
1922
1923done:
0c1bc5c6
GP		 1924 if (chan->imtu != L2CAP_DEFAULT_MTU)
1925 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 1926
0c1bc5c6 1927 switch (chan->mode) {
65c7c491 1928 case L2CAP_MODE_BASIC:
8c1d787b
GP		 1929 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
1930 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 1931 break;
1932
62547752
GP		 1933 rfc.mode = L2CAP_MODE_BASIC;
1934 rfc.txwin_size = 0;
1935 rfc.max_transmit = 0;
1936 rfc.retrans_timeout = 0;
1937 rfc.monitor_timeout = 0;
1938 rfc.max_pdu_size = 0;
1939
63406504
GP		 1940 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
1941 (unsigned long) &rfc);
65c7c491
MH		 1942 break;
1943
1944 case L2CAP_MODE_ERTM:
1945 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61
GP		 1946 rfc.txwin_size = chan->tx_win;
1947 rfc.max_transmit = chan->max_tx;
f2fcfcd6
GP		 1948 rfc.retrans_timeout = 0;
1949 rfc.monitor_timeout = 0;
c74e560c 1950 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
8c1d787b
GP		 1951 if (L2CAP_DEFAULT_MAX_PDU_SIZE > chan->conn->mtu - 10)
1952 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
f2fcfcd6 1953
63406504
GP		 1954 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
1955 (unsigned long) &rfc);
1956
8c1d787b 1957 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 1958 break;
1959
47d1ec61 1960 if (chan->fcs == L2CAP_FCS_NONE ||
b4450035 1961 chan->conf_state & L2CAP_CONF_NO_FCS_RECV) {
47d1ec61
GP		 1962 chan->fcs = L2CAP_FCS_NONE;
1963 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 1964 }
f2fcfcd6
GP		 1965 break;
1966
1967 case L2CAP_MODE_STREAMING:
1968 rfc.mode = L2CAP_MODE_STREAMING;
1969 rfc.txwin_size = 0;
1970 rfc.max_transmit = 0;
1971 rfc.retrans_timeout = 0;
1972 rfc.monitor_timeout = 0;
c74e560c 1973 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
8c1d787b
GP		 1974 if (L2CAP_DEFAULT_MAX_PDU_SIZE > chan->conn->mtu - 10)
1975 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
65c7c491 1976
63406504
GP		 1977 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
1978 (unsigned long) &rfc);
1979
8c1d787b 1980 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 1981 break;
1982
47d1ec61 1983 if (chan->fcs == L2CAP_FCS_NONE ||
b4450035 1984 chan->conf_state & L2CAP_CONF_NO_FCS_RECV) {
47d1ec61
GP		 1985 chan->fcs = L2CAP_FCS_NONE;
1986 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 1987 }
65c7c491
MH		 1988 break;
1989 }
1da177e4 1990
fe4128e0 1991 req->dcid = cpu_to_le16(chan->dcid);
aca3192c 1992 req->flags = cpu_to_le16(0);
1da177e4
LT		 1993
1994 return ptr - data;
1995}
1996
73ffa904 1997static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 1998{
5dee9e7c
MH		 1999 struct l2cap_conf_rsp *rsp = data;
2000 void *ptr = rsp->data;
73ffa904
GP		 2001 void *req = chan->conf_req;
2002 int len = chan->conf_len;
5dee9e7c
MH		 2003 int type, hint, olen;
2004 unsigned long val;
6464f35f 2005 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
861d6882 2006 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 2007 u16 result = L2CAP_CONF_SUCCESS;
1da177e4 2008
73ffa904 2009 BT_DBG("chan %p", chan);
820ae1b8 2010
5dee9e7c
MH		 2011 while (len >= L2CAP_CONF_OPT_SIZE) {
2012 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 2013
589d2746 2014 hint = type & L2CAP_CONF_HINT;
47ec1dcd 2015 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 2016
2017 switch (type) {
2018 case L2CAP_CONF_MTU:
861d6882 2019 mtu = val;
5dee9e7c
MH		 2020 break;
2021
2022 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2023 chan->flush_to = val;
5dee9e7c
MH		 2024 break;
2025
2026 case L2CAP_CONF_QOS:
2027 break;
2028
6464f35f
MH		 2029 case L2CAP_CONF_RFC:
2030 if (olen == sizeof(rfc))
2031 memcpy(&rfc, (void *) val, olen);
2032 break;
2033
fcc203c3
GP		 2034 case L2CAP_CONF_FCS:
2035 if (val == L2CAP_FCS_NONE)
b4450035 2036 chan->conf_state |= L2CAP_CONF_NO_FCS_RECV;
fcc203c3
GP		 2037
2038 break;
2039
5dee9e7c
MH		 2040 default:
2041 if (hint)
2042 break;
2043
2044 result = L2CAP_CONF_UNKNOWN;
2045 *((u8 *) ptr++) = type;
2046 break;
2047 }
2048 }
2049
73ffa904 2050 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 2051 goto done;
2052
0c1bc5c6 2053 switch (chan->mode) {
f2fcfcd6
GP		 2054 case L2CAP_MODE_STREAMING:
2055 case L2CAP_MODE_ERTM:
b4450035 2056 if (!(chan->conf_state & L2CAP_CONF_STATE2_DEVICE)) {
0c1bc5c6 2057 chan->mode = l2cap_select_mode(rfc.mode,
8c1d787b 2058 chan->conn->feat_mask);
85eb53c6
GP		 2059 break;
2060 }
2061
0c1bc5c6 2062 if (chan->mode != rfc.mode)
f2fcfcd6 2063 return -ECONNREFUSED;
742e519b 2064
f2fcfcd6 2065 break;
f2fcfcd6
GP		 2066 }
2067
2068done:
0c1bc5c6 2069 if (chan->mode != rfc.mode) {
f2fcfcd6 2070 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2071 rfc.mode = chan->mode;
f2fcfcd6 2072
73ffa904 2073 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 2074 return -ECONNREFUSED;
2075
2076 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2077 sizeof(rfc), (unsigned long) &rfc);
2078 }
2079
2080
5dee9e7c
MH		 2081 if (result == L2CAP_CONF_SUCCESS) {
2082 /* Configure output options and let the other side know
2083 * which ones we don't like. */
2084
f2fcfcd6
GP		 2085 if (mtu < L2CAP_DEFAULT_MIN_MTU)
2086 result = L2CAP_CONF_UNACCEPT;
2087 else {
0c1bc5c6 2088 chan->omtu = mtu;
b4450035 2089 chan->conf_state |= L2CAP_CONF_MTU_DONE;
f2fcfcd6 2090 }
0c1bc5c6 2091 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 2092
f2fcfcd6
GP		 2093 switch (rfc.mode) {
2094 case L2CAP_MODE_BASIC:
47d1ec61 2095 chan->fcs = L2CAP_FCS_NONE;
b4450035 2096 chan->conf_state |= L2CAP_CONF_MODE_DONE;
f2fcfcd6
GP		 2097 break;
2098
2099 case L2CAP_MODE_ERTM:
2c03a7a4
GP		 2100 chan->remote_tx_win = rfc.txwin_size;
2101 chan->remote_max_tx = rfc.max_transmit;
86b1b263 2102
8c1d787b
GP		 2103 if (le16_to_cpu(rfc.max_pdu_size) > chan->conn->mtu - 10)
2104 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
1c762159 2105
2c03a7a4 2106 chan->remote_mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6 2107
10467e9e
GP		 2108 rfc.retrans_timeout =
2109 le16_to_cpu(L2CAP_DEFAULT_RETRANS_TO);
2110 rfc.monitor_timeout =
2111 le16_to_cpu(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6 2112
b4450035 2113 chan->conf_state |= L2CAP_CONF_MODE_DONE;
68ae6639
GP		 2114
2115 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2116 sizeof(rfc), (unsigned long) &rfc);
2117
f2fcfcd6
GP		 2118 break;
2119
2120 case L2CAP_MODE_STREAMING:
8c1d787b
GP		 2121 if (le16_to_cpu(rfc.max_pdu_size) > chan->conn->mtu - 10)
2122 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
1c762159 2123
2c03a7a4 2124 chan->remote_mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6 2125
b4450035 2126 chan->conf_state |= L2CAP_CONF_MODE_DONE;
68ae6639
GP		 2127
2128 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2129 sizeof(rfc), (unsigned long) &rfc);
2130
f2fcfcd6
GP		 2131 break;
2132
2133 default:
5dee9e7c 2134 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 2135
6464f35f 2136 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 2137 rfc.mode = chan->mode;
f2fcfcd6 2138 }
6464f35f 2139
f2fcfcd6 2140 if (result == L2CAP_CONF_SUCCESS)
b4450035 2141 chan->conf_state |= L2CAP_CONF_OUTPUT_DONE;
f2fcfcd6 2142 }
fe4128e0 2143 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c
MH		 2144 rsp->result = cpu_to_le16(result);
2145 rsp->flags = cpu_to_le16(0x0000);
2146
2147 return ptr - data;
1da177e4
LT		 2148}
2149
b4450035 2150static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
f2fcfcd6 2151{
f2fcfcd6
GP		 2152 struct l2cap_conf_req *req = data;
2153 void *ptr = req->data;
2154 int type, olen;
2155 unsigned long val;
2156 struct l2cap_conf_rfc rfc;
2157
fe4128e0 2158 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 2159
2160 while (len >= L2CAP_CONF_OPT_SIZE) {
2161 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2162
2163 switch (type) {
2164 case L2CAP_CONF_MTU:
2165 if (val < L2CAP_DEFAULT_MIN_MTU) {
2166 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2167 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 2168 } else
0c1bc5c6
GP		 2169 chan->imtu = val;
2170 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 2171 break;
2172
2173 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2174 chan->flush_to = val;
f2fcfcd6 2175 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
0c1bc5c6 2176 2, chan->flush_to);
f2fcfcd6
GP		 2177 break;
2178
2179 case L2CAP_CONF_RFC:
2180 if (olen == sizeof(rfc))
2181 memcpy(&rfc, (void *)val, olen);
2182
b4450035 2183 if ((chan->conf_state & L2CAP_CONF_STATE2_DEVICE) &&
0c1bc5c6 2184 rfc.mode != chan->mode)
f2fcfcd6
GP		 2185 return -ECONNREFUSED;
2186
47d1ec61 2187 chan->fcs = 0;
f2fcfcd6
GP		 2188
2189 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2190 sizeof(rfc), (unsigned long) &rfc);
2191 break;
2192 }
2193 }
2194
0c1bc5c6 2195 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 2196 return -ECONNREFUSED;
2197
0c1bc5c6 2198 chan->mode = rfc.mode;
6c2ea7a8 2199
f2fcfcd6
GP		 2200 if (*result == L2CAP_CONF_SUCCESS) {
2201 switch (rfc.mode) {
2202 case L2CAP_MODE_ERTM:
47d1ec61
GP		 2203 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2204 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2205 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2206 break;
2207 case L2CAP_MODE_STREAMING:
47d1ec61 2208 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2209 }
2210 }
2211
fe4128e0 2212 req->dcid = cpu_to_le16(chan->dcid);
f2fcfcd6
GP		 2213 req->flags = cpu_to_le16(0x0000);
2214
2215 return ptr - data;
2216}
2217
fe4128e0 2218static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
1da177e4
LT		 2219{
2220 struct l2cap_conf_rsp *rsp = data;
2221 void *ptr = rsp->data;
1da177e4 2222
fe4128e0 2223 BT_DBG("chan %p", chan);
1da177e4 2224
fe4128e0 2225 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 2226 rsp->result = cpu_to_le16(result);
aca3192c 2227 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 2228
2229 return ptr - data;
2230}
2231
8c1d787b 2232void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 2233{
2234 struct l2cap_conn_rsp rsp;
8c1d787b 2235 struct l2cap_conn *conn = chan->conn;
710f9b0a
GP		 2236 u8 buf[128];
2237
fe4128e0
GP		 2238 rsp.scid = cpu_to_le16(chan->dcid);
2239 rsp.dcid = cpu_to_le16(chan->scid);
710f9b0a
GP		 2240 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
2241 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
2242 l2cap_send_cmd(conn, chan->ident,
2243 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2244
b4450035 2245 if (chan->conf_state & L2CAP_CONF_REQ_SENT)
710f9b0a
GP		 2246 return;
2247
b4450035 2248 chan->conf_state |= L2CAP_CONF_REQ_SENT;
710f9b0a
GP		 2249 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2250 l2cap_build_conf_req(chan, buf), buf);
2251 chan->num_conf_req++;
2252}
2253
47d1ec61 2254static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 2255{
7b1c0049
GP		 2256 int type, olen;
2257 unsigned long val;
2258 struct l2cap_conf_rfc rfc;
2259
47d1ec61 2260 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 2261
0c1bc5c6 2262 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 2263 return;
2264
2265 while (len >= L2CAP_CONF_OPT_SIZE) {
2266 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2267
2268 switch (type) {
2269 case L2CAP_CONF_RFC:
2270 if (olen == sizeof(rfc))
2271 memcpy(&rfc, (void *)val, olen);
2272 goto done;
2273 }
2274 }
2275
2276done:
2277 switch (rfc.mode) {
2278 case L2CAP_MODE_ERTM:
47d1ec61
GP		 2279 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2280 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2281 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2282 break;
2283 case L2CAP_MODE_STREAMING:
47d1ec61 2284 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2285 }
2286}
2287
4e8402a3
MH		 2288static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2289{
2290 struct l2cap_cmd_rej *rej = (struct l2cap_cmd_rej *) data;
2291
2292 if (rej->reason != 0x0000)
2293 return 0;
2294
2295 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2296 cmd->ident == conn->info_ident) {
4e8402a3 2297 del_timer(&conn->info_timer);
984947dc
MH		 2298
2299 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2300 conn->info_ident = 0;
984947dc 2301
4e8402a3
MH		 2302 l2cap_conn_start(conn);
2303 }
2304
2305 return 0;
2306}
2307
1da177e4
LT		 2308static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2309{
1da177e4
LT		 2310 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
2311 struct l2cap_conn_rsp rsp;
23691d75 2312 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 2313 struct sock *parent, *sk = NULL;
e7c29cb1 2314 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2315
2316 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 2317 __le16 psm = req->psm;
1da177e4
LT		 2318
2319 BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
2320
2321 /* Check if we have socket listening on psm */
23691d75
GP		 2322 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src);
2323 if (!pchan) {
1da177e4
LT		 2324 result = L2CAP_CR_BAD_PSM;
2325 goto sendresp;
2326 }
2327
23691d75
GP		 2328 parent = pchan->sk;
2329
e0f0cb56
GP		 2330 bh_lock_sock(parent);
2331
e7c29cb1
MH		 2332 /* Check if the ACL is secure enough (if not SDP) */
2333 if (psm != cpu_to_le16(0x0001) &&
2334 !hci_conn_check_link_mode(conn->hcon)) {
2950f21a 2335 conn->disc_reason = 0x05;
e7c29cb1
MH		 2336 result = L2CAP_CR_SEC_BLOCK;
2337 goto response;
2338 }
2339
1da177e4
LT		 2340 result = L2CAP_CR_NO_MEM;
2341
2342 /* Check for backlog size */
2343 if (sk_acceptq_is_full(parent)) {
8e87d142 2344 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1da177e4
LT		 2345 goto response;
2346 }
2347
80808e43
GP		 2348 chan = pchan->ops->new_connection(pchan->data);
2349 if (!chan)
1da177e4
LT		 2350 goto response;
2351
80808e43
GP		 2352 sk = chan->sk;
2353
baa7e1fa 2354 write_lock_bh(&conn->chan_lock);
1da177e4
LT		 2355
2356 /* Check if we already have channel with that dcid */
baa7e1fa
GP		 2357 if (__l2cap_get_chan_by_dcid(conn, scid)) {
2358 write_unlock_bh(&conn->chan_lock);
1da177e4 2359 sock_set_flag(sk, SOCK_ZAPPED);
ba3bd0ee 2360 chan->ops->close(chan->data);
1da177e4
LT		 2361 goto response;
2362 }
2363
2364 hci_conn_hold(conn->hcon);
2365
1da177e4
LT		 2366 bacpy(&bt_sk(sk)->src, conn->src);
2367 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 2368 chan->psm = psm;
2369 chan->dcid = scid;
1da177e4 2370
d1010240
GP		 2371 bt_accept_enqueue(parent, sk);
2372
48454079
GP		 2373 __l2cap_chan_add(conn, chan);
2374
fe4128e0 2375 dcid = chan->scid;
1da177e4 2376
c9b66675 2377 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 2378
fc7f8a7e 2379 chan->ident = cmd->ident;
1da177e4 2380
984947dc 2381 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
4343478f 2382 if (l2cap_check_security(chan)) {
f66dc81f 2383 if (bt_sk(sk)->defer_setup) {
89bc500e 2384 l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 2385 result = L2CAP_CR_PEND;
2386 status = L2CAP_CS_AUTHOR_PEND;
2387 parent->sk_data_ready(parent, 0);
2388 } else {
89bc500e 2389 l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 2390 result = L2CAP_CR_SUCCESS;
2391 status = L2CAP_CS_NO_INFO;
2392 }
79d554a6 2393 } else {
89bc500e 2394 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 2395 result = L2CAP_CR_PEND;
2396 status = L2CAP_CS_AUTHEN_PEND;
2397 }
2398 } else {
89bc500e 2399 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 2400 result = L2CAP_CR_PEND;
2401 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2402 }
2403
baa7e1fa 2404 write_unlock_bh(&conn->chan_lock);
1da177e4
LT		 2405
2406response:
2407 bh_unlock_sock(parent);
2408
2409sendresp:
aca3192c
YH		 2410 rsp.scid = cpu_to_le16(scid);
2411 rsp.dcid = cpu_to_le16(dcid);
2412 rsp.result = cpu_to_le16(result);
2413 rsp.status = cpu_to_le16(status);
1da177e4 2414 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 2415
2416 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
2417 struct l2cap_info_req info;
2418 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2419
2420 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
2421 conn->info_ident = l2cap_get_ident(conn);
2422
2423 mod_timer(&conn->info_timer, jiffies +
2424 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
2425
2426 l2cap_send_cmd(conn, conn->info_ident,
2427 L2CAP_INFO_REQ, sizeof(info), &info);
2428 }
2429
b4450035 2430 if (chan && !(chan->conf_state & L2CAP_CONF_REQ_SENT) &&
e9aeb2dd
GP		 2431 result == L2CAP_CR_SUCCESS) {
2432 u8 buf[128];
b4450035 2433 chan->conf_state |= L2CAP_CONF_REQ_SENT;
e9aeb2dd 2434 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2435 l2cap_build_conf_req(chan, buf), buf);
2436 chan->num_conf_req++;
e9aeb2dd
GP		 2437 }
2438
1da177e4
LT		 2439 return 0;
2440}
2441
2442static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2443{
2444 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
2445 u16 scid, dcid, result, status;
48454079 2446 struct l2cap_chan *chan;
1da177e4
LT		 2447 struct sock *sk;
2448 u8 req[128];
2449
2450 scid = __le16_to_cpu(rsp->scid);
2451 dcid = __le16_to_cpu(rsp->dcid);
2452 result = __le16_to_cpu(rsp->result);
2453 status = __le16_to_cpu(rsp->status);
2454
2455 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status);
2456
2457 if (scid) {
baa7e1fa 2458 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2459 if (!chan)
57d3b22b 2460 return -EFAULT;
1da177e4 2461 } else {
baa7e1fa 2462 chan = l2cap_get_chan_by_ident(conn, cmd->ident);
48454079 2463 if (!chan)
57d3b22b 2464 return -EFAULT;
1da177e4
LT		 2465 }
2466
48454079
GP		 2467 sk = chan->sk;
2468
1da177e4
LT		 2469 switch (result) {
2470 case L2CAP_CR_SUCCESS:
89bc500e 2471 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 2472 chan->ident = 0;
fe4128e0 2473 chan->dcid = dcid;
b4450035 2474 chan->conf_state &= ~L2CAP_CONF_CONNECT_PEND;
6a8d3010 2475
b4450035 2476 if (chan->conf_state & L2CAP_CONF_REQ_SENT)
e9aeb2dd
GP		 2477 break;
2478
b4450035 2479 chan->conf_state |= L2CAP_CONF_REQ_SENT;
e9aeb2dd 2480
1da177e4 2481 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2482 l2cap_build_conf_req(chan, req), req);
2483 chan->num_conf_req++;
1da177e4
LT		 2484 break;
2485
2486 case L2CAP_CR_PEND:
b4450035 2487 chan->conf_state |= L2CAP_CONF_CONNECT_PEND;
1da177e4
LT		 2488 break;
2489
2490 default:
a49184c2
AE		 2491 /* don't delete l2cap channel if sk is owned by user */
2492 if (sock_owned_by_user(sk)) {
89bc500e 2493 l2cap_state_change(chan, BT_DISCONN);
c9b66675
GP		 2494 __clear_chan_timer(chan);
2495 __set_chan_timer(chan, HZ / 5);
a49184c2
AE		 2496 break;
2497 }
2498
48454079 2499 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 2500 break;
2501 }
2502
2503 bh_unlock_sock(sk);
2504 return 0;
2505}
2506
47d1ec61 2507static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60 2508{
47d1ec61
GP		 2509 struct l2cap_pinfo *pi = l2cap_pi(chan->sk);
2510
8c462b60
MM		 2511 /* FCS is enabled only in ERTM or streaming mode, if one or both
2512 * sides request it.
2513 */
0c1bc5c6 2514 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 2515 chan->fcs = L2CAP_FCS_NONE;
b4450035 2516 else if (!(pi->chan->conf_state & L2CAP_CONF_NO_FCS_RECV))
47d1ec61 2517 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 2518}
2519
88219a0f 2520static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 2521{
2522 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
2523 u16 dcid, flags;
2524 u8 rsp[64];
48454079 2525 struct l2cap_chan *chan;
1da177e4 2526 struct sock *sk;
5dee9e7c 2527 int len;
1da177e4
LT		 2528
2529 dcid = __le16_to_cpu(req->dcid);
2530 flags = __le16_to_cpu(req->flags);
2531
2532 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
2533
baa7e1fa 2534 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 2535 if (!chan)
1da177e4
LT		 2536 return -ENOENT;
2537
48454079
GP		 2538 sk = chan->sk;
2539
89bc500e 2540 if (chan->state != BT_CONFIG) {
df6bd743
GP		 2541 struct l2cap_cmd_rej rej;
2542
2543 rej.reason = cpu_to_le16(0x0002);
2544 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
2545 sizeof(rej), &rej);
354f60a9 2546 goto unlock;
df6bd743 2547 }
354f60a9 2548
5dee9e7c 2549 /* Reject if config buffer is too small. */
88219a0f 2550 len = cmd_len - sizeof(*req);
73ffa904 2551 if (chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 2552 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 2553 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c
MH		 2554 L2CAP_CONF_REJECT, flags), rsp);
2555 goto unlock;
2556 }
2557
2558 /* Store config. */
73ffa904
GP		 2559 memcpy(chan->conf_req + chan->conf_len, req->data, len);
2560 chan->conf_len += len;
1da177e4
LT		 2561
2562 if (flags & 0x0001) {
2563 /* Incomplete config. Send empty response. */
2564 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 2565 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c 2566 L2CAP_CONF_SUCCESS, 0x0001), rsp);
1da177e4
LT		 2567 goto unlock;
2568 }
2569
2570 /* Complete config. */
73ffa904 2571 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 2572 if (len < 0) {
e92c8e70 2573 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4 2574 goto unlock;
f2fcfcd6 2575 }
1da177e4 2576
5dee9e7c 2577 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 2578 chan->num_conf_rsp++;
5dee9e7c 2579
5dee9e7c 2580 /* Reset config buffer. */
73ffa904 2581 chan->conf_len = 0;
5dee9e7c 2582
b4450035 2583 if (!(chan->conf_state & L2CAP_CONF_OUTPUT_DONE))
876d9484
MH		 2584 goto unlock;
2585
b4450035 2586 if (chan->conf_state & L2CAP_CONF_INPUT_DONE) {
47d1ec61 2587 set_default_fcs(chan);
fcc203c3 2588
89bc500e 2589 l2cap_state_change(chan, BT_CONNECTED);
e90bac06 2590
42e5c802
GP		 2591 chan->next_tx_seq = 0;
2592 chan->expected_tx_seq = 0;
58d35f87 2593 skb_queue_head_init(&chan->tx_q);
0c1bc5c6 2594 if (chan->mode == L2CAP_MODE_ERTM)
525cd185 2595 l2cap_ertm_init(chan);
0565c1c2 2596
1da177e4 2597 l2cap_chan_ready(sk);
876d9484
MH		 2598 goto unlock;
2599 }
2600
b4450035 2601 if (!(chan->conf_state & L2CAP_CONF_REQ_SENT)) {
79d554a6 2602 u8 buf[64];
b4450035 2603 chan->conf_state |= L2CAP_CONF_REQ_SENT;
1da177e4 2604 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2605 l2cap_build_conf_req(chan, buf), buf);
2606 chan->num_conf_req++;
1da177e4
LT		 2607 }
2608
2609unlock:
2610 bh_unlock_sock(sk);
2611 return 0;
2612}
2613
2614static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2615{
2616 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
2617 u16 scid, flags, result;
48454079 2618 struct l2cap_chan *chan;
1da177e4 2619 struct sock *sk;
7b1c0049 2620 int len = cmd->len - sizeof(*rsp);
1da177e4
LT		 2621
2622 scid = __le16_to_cpu(rsp->scid);
2623 flags = __le16_to_cpu(rsp->flags);
2624 result = __le16_to_cpu(rsp->result);
2625
af05b30b
GP		 2626 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x",
2627 scid, flags, result);
1da177e4 2628
baa7e1fa 2629 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2630 if (!chan)
1da177e4
LT		 2631 return 0;
2632
48454079
GP		 2633 sk = chan->sk;
2634
1da177e4
LT		 2635 switch (result) {
2636 case L2CAP_CONF_SUCCESS:
47d1ec61 2637 l2cap_conf_rfc_get(chan, rsp->data, len);
1da177e4
LT		 2638 break;
2639
2640 case L2CAP_CONF_UNACCEPT:
73ffa904 2641 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 2642 char req[64];
2643
c2c77ec8 2644 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
e92c8e70 2645 l2cap_send_disconn_req(conn, chan, ECONNRESET);
c2c77ec8
AE		 2646 goto done;
2647 }
2648
f2fcfcd6
GP		 2649 /* throw out any old stored conf requests */
2650 result = L2CAP_CONF_SUCCESS;
b4450035
GP		 2651 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2652 req, &result);
f2fcfcd6 2653 if (len < 0) {
e92c8e70 2654 l2cap_send_disconn_req(conn, chan, ECONNRESET);
f2fcfcd6
GP		 2655 goto done;
2656 }
2657
2658 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2659 L2CAP_CONF_REQ, len, req);
73ffa904 2660 chan->num_conf_req++;
f2fcfcd6
GP		 2661 if (result != L2CAP_CONF_SUCCESS)
2662 goto done;
2663 break;
1da177e4
LT		 2664 }
2665
8e87d142 2666 default:
b1235d79 2667 sk->sk_err = ECONNRESET;
c9b66675 2668 __set_chan_timer(chan, HZ * 5);
e92c8e70 2669 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4
LT		 2670 goto done;
2671 }
2672
2673 if (flags & 0x01)
2674 goto done;
2675
b4450035 2676 chan->conf_state |= L2CAP_CONF_INPUT_DONE;
1da177e4 2677
b4450035 2678 if (chan->conf_state & L2CAP_CONF_OUTPUT_DONE) {
47d1ec61 2679 set_default_fcs(chan);
fcc203c3 2680
89bc500e 2681 l2cap_state_change(chan, BT_CONNECTED);
42e5c802
GP		 2682 chan->next_tx_seq = 0;
2683 chan->expected_tx_seq = 0;
58d35f87 2684 skb_queue_head_init(&chan->tx_q);
0c1bc5c6 2685 if (chan->mode == L2CAP_MODE_ERTM)
525cd185 2686 l2cap_ertm_init(chan);
0565c1c2 2687
1da177e4
LT		 2688 l2cap_chan_ready(sk);
2689 }
2690
2691done:
2692 bh_unlock_sock(sk);
2693 return 0;
2694}
2695
2696static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2697{
2698 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
2699 struct l2cap_disconn_rsp rsp;
2700 u16 dcid, scid;
48454079 2701 struct l2cap_chan *chan;
1da177e4
LT		 2702 struct sock *sk;
2703
2704 scid = __le16_to_cpu(req->scid);
2705 dcid = __le16_to_cpu(req->dcid);
2706
2707 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
2708
baa7e1fa 2709 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 2710 if (!chan)
1da177e4
LT		 2711 return 0;
2712
48454079
GP		 2713 sk = chan->sk;
2714
fe4128e0
GP		 2715 rsp.dcid = cpu_to_le16(chan->scid);
2716 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 2717 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
2718
2719 sk->sk_shutdown = SHUTDOWN_MASK;
2720
a49184c2
AE		 2721 /* don't delete l2cap channel if sk is owned by user */
2722 if (sock_owned_by_user(sk)) {
89bc500e 2723 l2cap_state_change(chan, BT_DISCONN);
c9b66675
GP		 2724 __clear_chan_timer(chan);
2725 __set_chan_timer(chan, HZ / 5);
a49184c2
AE		 2726 bh_unlock_sock(sk);
2727 return 0;
2728 }
2729
48454079 2730 l2cap_chan_del(chan, ECONNRESET);
1da177e4
LT		 2731 bh_unlock_sock(sk);
2732
ba3bd0ee 2733 chan->ops->close(chan->data);
1da177e4
LT		 2734 return 0;
2735}
2736
2737static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2738{
2739 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
2740 u16 dcid, scid;
48454079 2741 struct l2cap_chan *chan;
1da177e4
LT		 2742 struct sock *sk;
2743
2744 scid = __le16_to_cpu(rsp->scid);
2745 dcid = __le16_to_cpu(rsp->dcid);
2746
2747 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
2748
baa7e1fa 2749 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2750 if (!chan)
1da177e4
LT		 2751 return 0;
2752
48454079
GP		 2753 sk = chan->sk;
2754
a49184c2
AE		 2755 /* don't delete l2cap channel if sk is owned by user */
2756 if (sock_owned_by_user(sk)) {
89bc500e 2757 l2cap_state_change(chan,BT_DISCONN);
c9b66675
GP		 2758 __clear_chan_timer(chan);
2759 __set_chan_timer(chan, HZ / 5);
a49184c2
AE		 2760 bh_unlock_sock(sk);
2761 return 0;
2762 }
2763
48454079 2764 l2cap_chan_del(chan, 0);
1da177e4
LT		 2765 bh_unlock_sock(sk);
2766
ba3bd0ee 2767 chan->ops->close(chan->data);
1da177e4
LT		 2768 return 0;
2769}
2770
2771static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2772{
2773 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 2774 u16 type;
2775
2776 type = __le16_to_cpu(req->type);
2777
2778 BT_DBG("type 0x%4.4x", type);
2779
f0709e03
MH		 2780 if (type == L2CAP_IT_FEAT_MASK) {
2781 u8 buf[8];
44dd46de 2782 u32 feat_mask = l2cap_feat_mask;
f0709e03
MH		 2783 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2784 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2785 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 2786 if (!disable_ertm)
fcc203c3
GP		 2787 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
2788 | L2CAP_FEAT_FCS;
1b7bf4ed 2789 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 2790 l2cap_send_cmd(conn, cmd->ident,
2791 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 2792 } else if (type == L2CAP_IT_FIXED_CHAN) {
2793 u8 buf[12];
2794 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2795 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2796 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
2797 memcpy(buf + 4, l2cap_fixed_chan, 8);
2798 l2cap_send_cmd(conn, cmd->ident,
2799 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 2800 } else {
2801 struct l2cap_info_rsp rsp;
2802 rsp.type = cpu_to_le16(type);
2803 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
2804 l2cap_send_cmd(conn, cmd->ident,
2805 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
2806 }
1da177e4
LT		 2807
2808 return 0;
2809}
2810
2811static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2812{
2813 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
2814 u16 type, result;
2815
2816 type = __le16_to_cpu(rsp->type);
2817 result = __le16_to_cpu(rsp->result);
2818
2819 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
2820
e90165be
AE		 2821 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
2822 if (cmd->ident != conn->info_ident ||
2823 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
2824 return 0;
2825
4e8402a3
MH		 2826 del_timer(&conn->info_timer);
2827
adb08ede
VT		 2828 if (result != L2CAP_IR_SUCCESS) {
2829 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2830 conn->info_ident = 0;
2831
2832 l2cap_conn_start(conn);
2833
2834 return 0;
2835 }
2836
984947dc 2837 if (type == L2CAP_IT_FEAT_MASK) {
83985319 2838 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 2839
47ec1dcd 2840 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c
MH		 2841 struct l2cap_info_req req;
2842 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2843
2844 conn->info_ident = l2cap_get_ident(conn);
2845
2846 l2cap_send_cmd(conn, conn->info_ident,
2847 L2CAP_INFO_REQ, sizeof(req), &req);
2848 } else {
2849 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2850 conn->info_ident = 0;
2851
2852 l2cap_conn_start(conn);
2853 }
2854 } else if (type == L2CAP_IT_FIXED_CHAN) {
984947dc 2855 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2856 conn->info_ident = 0;
984947dc
MH		 2857
2858 l2cap_conn_start(conn);
2859 }
4e8402a3 2860
1da177e4
LT		 2861 return 0;
2862}
2863
e2174ca4 2864static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
de73115a
CT		 2865 u16 to_multiplier)
2866{
2867 u16 max_latency;
2868
2869 if (min > max || min < 6 || max > 3200)
2870 return -EINVAL;
2871
2872 if (to_multiplier < 10 || to_multiplier > 3200)
2873 return -EINVAL;
2874
2875 if (max >= to_multiplier * 8)
2876 return -EINVAL;
2877
2878 max_latency = (to_multiplier * 8 / max) - 1;
2879 if (latency > 499 || latency > max_latency)
2880 return -EINVAL;
2881
2882 return 0;
2883}
2884
2885static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
2886 struct l2cap_cmd_hdr *cmd, u8 *data)
2887{
2888 struct hci_conn *hcon = conn->hcon;
2889 struct l2cap_conn_param_update_req *req;
2890 struct l2cap_conn_param_update_rsp rsp;
2891 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 2892 int err;
de73115a
CT		 2893
2894 if (!(hcon->link_mode & HCI_LM_MASTER))
2895 return -EINVAL;
2896
2897 cmd_len = __le16_to_cpu(cmd->len);
2898 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
2899 return -EPROTO;
2900
2901 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 2902 min = __le16_to_cpu(req->min);
2903 max = __le16_to_cpu(req->max);
de73115a
CT		 2904 latency = __le16_to_cpu(req->latency);
2905 to_multiplier = __le16_to_cpu(req->to_multiplier);
2906
2907 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
2908 min, max, latency, to_multiplier);
2909
2910 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 2911
2912 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
2913 if (err)
de73115a
CT		 2914 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
2915 else
2916 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
2917
2918 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
2919 sizeof(rsp), &rsp);
2920
2ce603eb
CT		 2921 if (!err)
2922 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
2923
de73115a
CT		 2924 return 0;
2925}
2926
3300d9a9
CT		 2927static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
2928 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
2929{
2930 int err = 0;
2931
2932 switch (cmd->code) {
2933 case L2CAP_COMMAND_REJ:
2934 l2cap_command_rej(conn, cmd, data);
2935 break;
2936
2937 case L2CAP_CONN_REQ:
2938 err = l2cap_connect_req(conn, cmd, data);
2939 break;
2940
2941 case L2CAP_CONN_RSP:
2942 err = l2cap_connect_rsp(conn, cmd, data);
2943 break;
2944
2945 case L2CAP_CONF_REQ:
2946 err = l2cap_config_req(conn, cmd, cmd_len, data);
2947 break;
2948
2949 case L2CAP_CONF_RSP:
2950 err = l2cap_config_rsp(conn, cmd, data);
2951 break;
2952
2953 case L2CAP_DISCONN_REQ:
2954 err = l2cap_disconnect_req(conn, cmd, data);
2955 break;
2956
2957 case L2CAP_DISCONN_RSP:
2958 err = l2cap_disconnect_rsp(conn, cmd, data);
2959 break;
2960
2961 case L2CAP_ECHO_REQ:
2962 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
2963 break;
2964
2965 case L2CAP_ECHO_RSP:
2966 break;
2967
2968 case L2CAP_INFO_REQ:
2969 err = l2cap_information_req(conn, cmd, data);
2970 break;
2971
2972 case L2CAP_INFO_RSP:
2973 err = l2cap_information_rsp(conn, cmd, data);
2974 break;
2975
2976 default:
2977 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
2978 err = -EINVAL;
2979 break;
2980 }
2981
2982 return err;
2983}
2984
2985static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
2986 struct l2cap_cmd_hdr *cmd, u8 *data)
2987{
2988 switch (cmd->code) {
2989 case L2CAP_COMMAND_REJ:
2990 return 0;
2991
2992 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 2993 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 2994
2995 case L2CAP_CONN_PARAM_UPDATE_RSP:
2996 return 0;
2997
2998 default:
2999 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
3000 return -EINVAL;
3001 }
3002}
3003
3004static inline void l2cap_sig_channel(struct l2cap_conn *conn,
3005 struct sk_buff *skb)
1da177e4
LT		 3006{
3007 u8 *data = skb->data;
3008 int len = skb->len;
3009 struct l2cap_cmd_hdr cmd;
3300d9a9 3010 int err;
1da177e4
LT		 3011
3012 l2cap_raw_recv(conn, skb);
3013
3014 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 3015 u16 cmd_len;
1da177e4
LT		 3016 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
3017 data += L2CAP_CMD_HDR_SIZE;
3018 len -= L2CAP_CMD_HDR_SIZE;
3019
88219a0f 3020 cmd_len = le16_to_cpu(cmd.len);
1da177e4 3021
88219a0f 3022 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 3023
88219a0f 3024 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 3025 BT_DBG("corrupted command");
3026 break;
3027 }
3028
3300d9a9
CT		 3029 if (conn->hcon->type == LE_LINK)
3030 err = l2cap_le_sig_cmd(conn, &cmd, data);
3031 else
3032 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 3033
3034 if (err) {
3035 struct l2cap_cmd_rej rej;
2c6d1a2e
GP		 3036
3037 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 3038
3039 /* FIXME: Map err to a valid reason */
aca3192c 3040 rej.reason = cpu_to_le16(0);
1da177e4
LT		 3041 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3042 }
3043
88219a0f
AV		 3044 data += cmd_len;
3045 len -= cmd_len;
1da177e4
LT		 3046 }
3047
3048 kfree_skb(skb);
3049}
3050
47d1ec61 3051static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 3052{
3053 u16 our_fcs, rcv_fcs;
3054 int hdr_size = L2CAP_HDR_SIZE + 2;
3055
47d1ec61 3056 if (chan->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 3057 skb_trim(skb, skb->len - 2);
3058 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
3059 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
3060
3061 if (our_fcs != rcv_fcs)
7a560e5c 3062 return -EBADMSG;
fcc203c3
GP		 3063 }
3064 return 0;
3065}
3066
525cd185 3067static inline void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 3068{
d5392c8f
GP		 3069 u16 control = 0;
3070
6a026610 3071 chan->frames_sent = 0;
d5392c8f 3072
42e5c802 3073 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
d5392c8f 3074
525cd185 3075 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
64988868 3076 control |= L2CAP_SUPER_RCV_NOT_READY;
525cd185
GP		 3077 l2cap_send_sframe(chan, control);
3078 chan->conn_state |= L2CAP_CONN_RNR_SENT;
d5392c8f
GP		 3079 }
3080
525cd185
GP		 3081 if (chan->conn_state & L2CAP_CONN_REMOTE_BUSY)
3082 l2cap_retransmit_frames(chan);
d5392c8f 3083
525cd185 3084 l2cap_ertm_send(chan);
d5392c8f 3085
525cd185 3086 if (!(chan->conn_state & L2CAP_CONN_LOCAL_BUSY) &&
6a026610 3087 chan->frames_sent == 0) {
d5392c8f 3088 control |= L2CAP_SUPER_RCV_READY;
525cd185 3089 l2cap_send_sframe(chan, control);
d5392c8f
GP		 3090 }
3091}
3092
42e5c802 3093static int l2cap_add_to_srej_queue(struct l2cap_chan *chan, struct sk_buff *skb, u8 tx_seq, u8 sar)
8f17154f
GP		 3094{
3095 struct sk_buff *next_skb;
bfbacc11 3096 int tx_seq_offset, next_tx_seq_offset;
8f17154f
GP		 3097
3098 bt_cb(skb)->tx_seq = tx_seq;
3099 bt_cb(skb)->sar = sar;
3100
f1c6775b 3101 next_skb = skb_peek(&chan->srej_q);
8f17154f 3102 if (!next_skb) {
f1c6775b 3103 __skb_queue_tail(&chan->srej_q, skb);
9b53350d 3104 return 0;
8f17154f
GP		 3105 }
3106
42e5c802 3107 tx_seq_offset = (tx_seq - chan->buffer_seq) % 64;
bfbacc11
JPRV		 3108 if (tx_seq_offset < 0)
3109 tx_seq_offset += 64;
3110
8f17154f 3111 do {
9b53350d
JPRV		 3112 if (bt_cb(next_skb)->tx_seq == tx_seq)
3113 return -EINVAL;
3114
bfbacc11 3115 next_tx_seq_offset = (bt_cb(next_skb)->tx_seq -
42e5c802 3116 chan->buffer_seq) % 64;
bfbacc11
JPRV		 3117 if (next_tx_seq_offset < 0)
3118 next_tx_seq_offset += 64;
3119
3120 if (next_tx_seq_offset > tx_seq_offset) {
f1c6775b 3121 __skb_queue_before(&chan->srej_q, next_skb, skb);
9b53350d 3122 return 0;
8f17154f
GP		 3123 }
3124
f1c6775b 3125 if (skb_queue_is_last(&chan->srej_q, next_skb))
8f17154f
GP		 3126 break;
3127
f1c6775b 3128 } while ((next_skb = skb_queue_next(&chan->srej_q, next_skb)));
8f17154f 3129
f1c6775b 3130 __skb_queue_tail(&chan->srej_q, skb);
9b53350d
JPRV		 3131
3132 return 0;
8f17154f
GP		 3133}
3134
525cd185 3135static int l2cap_ertm_reassembly_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u16 control)
18778a63 3136{
18778a63 3137 struct sk_buff *_skb;
1890d36b 3138 int err;
18778a63
GP		 3139
3140 switch (control & L2CAP_CTRL_SAR) {
3141 case L2CAP_SDU_UNSEGMENTED:
525cd185 3142 if (chan->conn_state & L2CAP_CONN_SAR_SDU)
18778a63
GP		 3143 goto drop;
3144
23070494 3145 return chan->ops->recv(chan->data, skb);
18778a63
GP		 3146
3147 case L2CAP_SDU_START:
525cd185 3148 if (chan->conn_state & L2CAP_CONN_SAR_SDU)
18778a63
GP		 3149 goto drop;
3150
6f61fd47 3151 chan->sdu_len = get_unaligned_le16(skb->data);
18778a63 3152
0c1bc5c6 3153 if (chan->sdu_len > chan->imtu)
18778a63
GP		 3154 goto disconnect;
3155
6f61fd47
GP		 3156 chan->sdu = bt_skb_alloc(chan->sdu_len, GFP_ATOMIC);
3157 if (!chan->sdu)
1890d36b
GP		 3158 return -ENOMEM;
3159
3160 /* pull sdu_len bytes only after alloc, because of Local Busy
3161 * condition we have to be sure that this will be executed
3162 * only once, i.e., when alloc does not fail */
3163 skb_pull(skb, 2);
18778a63 3164
6f61fd47 3165 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
18778a63 3166
525cd185 3167 chan->conn_state |= L2CAP_CONN_SAR_SDU;
6f61fd47 3168 chan->partial_sdu_len = skb->len;
18778a63
GP		 3169 break;
3170
3171 case L2CAP_SDU_CONTINUE:
525cd185 3172 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
18778a63
GP		 3173 goto disconnect;
3174
6f61fd47 3175 if (!chan->sdu)
18778a63
GP		 3176 goto disconnect;
3177
6f61fd47
GP		 3178 chan->partial_sdu_len += skb->len;
3179 if (chan->partial_sdu_len > chan->sdu_len)
18778a63
GP		 3180 goto drop;
3181
6f61fd47 3182 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
4178ba46 3183
18778a63
GP		 3184 break;
3185
3186 case L2CAP_SDU_END:
525cd185 3187 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
18778a63
GP		 3188 goto disconnect;
3189
6f61fd47 3190 if (!chan->sdu)
18778a63
GP		 3191 goto disconnect;
3192
525cd185 3193 if (!(chan->conn_state & L2CAP_CONN_SAR_RETRY)) {
6f61fd47 3194 chan->partial_sdu_len += skb->len;
18778a63 3195
0c1bc5c6 3196 if (chan->partial_sdu_len > chan->imtu)
1890d36b 3197 goto drop;
18778a63 3198
6f61fd47 3199 if (chan->partial_sdu_len != chan->sdu_len)
1890d36b 3200 goto drop;
4178ba46 3201
6f61fd47 3202 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
1890d36b 3203 }
18778a63 3204
6f61fd47 3205 _skb = skb_clone(chan->sdu, GFP_ATOMIC);
1890d36b 3206 if (!_skb) {
525cd185 3207 chan->conn_state |= L2CAP_CONN_SAR_RETRY;
1890d36b
GP		 3208 return -ENOMEM;
3209 }
3210
23070494 3211 err = chan->ops->recv(chan->data, _skb);
1890d36b 3212 if (err < 0) {
18778a63 3213 kfree_skb(_skb);
525cd185 3214 chan->conn_state |= L2CAP_CONN_SAR_RETRY;
1890d36b
GP		 3215 return err;
3216 }
3217
525cd185
GP		 3218 chan->conn_state &= ~L2CAP_CONN_SAR_RETRY;
3219 chan->conn_state &= ~L2CAP_CONN_SAR_SDU;
18778a63 3220
6f61fd47 3221 kfree_skb(chan->sdu);
18778a63
GP		 3222 break;
3223 }
3224
3225 kfree_skb(skb);
1890d36b 3226 return 0;
18778a63
GP		 3227
3228drop:
6f61fd47
GP		 3229 kfree_skb(chan->sdu);
3230 chan->sdu = NULL;
18778a63
GP		 3231
3232disconnect:
8c1d787b 3233 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
18778a63
GP		 3234 kfree_skb(skb);
3235 return 0;
3236}
3237
525cd185 3238static int l2cap_try_push_rx_skb(struct l2cap_chan *chan)
712132eb 3239{
712132eb
GP		 3240 struct sk_buff *skb;
3241 u16 control;
3242 int err;
3243
f1c6775b 3244 while ((skb = skb_dequeue(&chan->busy_q))) {
712132eb 3245 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
525cd185 3246 err = l2cap_ertm_reassembly_sdu(chan, skb, control);
712132eb 3247 if (err < 0) {
f1c6775b 3248 skb_queue_head(&chan->busy_q, skb);
712132eb
GP		 3249 return -EBUSY;
3250 }
3251
42e5c802 3252 chan->buffer_seq = (chan->buffer_seq + 1) % 64;
712132eb
GP		 3253 }
3254
525cd185 3255 if (!(chan->conn_state & L2CAP_CONN_RNR_SENT))
712132eb
GP		 3256 goto done;
3257
42e5c802 3258 control = chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
712132eb 3259 control |= L2CAP_SUPER_RCV_READY | L2CAP_CTRL_POLL;
525cd185 3260 l2cap_send_sframe(chan, control);
6a026610 3261 chan->retry_count = 1;
712132eb 3262
e92c8e70 3263 del_timer(&chan->retrans_timer);
712132eb
GP		 3264 __mod_monitor_timer();
3265
525cd185 3266 chan->conn_state |= L2CAP_CONN_WAIT_F;
712132eb
GP		 3267
3268done:
525cd185
GP		 3269 chan->conn_state &= ~L2CAP_CONN_LOCAL_BUSY;
3270 chan->conn_state &= ~L2CAP_CONN_RNR_SENT;
712132eb 3271
49208c9c 3272 BT_DBG("chan %p, Exit local busy", chan);
712132eb
GP		 3273
3274 return 0;
3275}
3276
1890d36b
GP		 3277static void l2cap_busy_work(struct work_struct *work)
3278{
3279 DECLARE_WAITQUEUE(wait, current);
311bb895
GP		 3280 struct l2cap_chan *chan =
3281 container_of(work, struct l2cap_chan, busy_work);
3282 struct sock *sk = chan->sk;
1890d36b
GP		 3283 int n_tries = 0, timeo = HZ/5, err;
3284 struct sk_buff *skb;
1890d36b
GP		 3285
3286 lock_sock(sk);
3287
2b0b05dd 3288 add_wait_queue(sk_sleep(sk), &wait);
311bb895 3289 while ((skb = skb_peek(&chan->busy_q))) {
1890d36b
GP		 3290 set_current_state(TASK_INTERRUPTIBLE);
3291
3292 if (n_tries++ > L2CAP_LOCAL_BUSY_TRIES) {
3293 err = -EBUSY;
8c1d787b 3294 l2cap_send_disconn_req(chan->conn, chan, EBUSY);
712132eb 3295 break;
1890d36b
GP		 3296 }
3297
3298 if (!timeo)
3299 timeo = HZ/5;
3300
3301 if (signal_pending(current)) {
3302 err = sock_intr_errno(timeo);
712132eb 3303 break;
1890d36b
GP		 3304 }
3305
3306 release_sock(sk);
3307 timeo = schedule_timeout(timeo);
3308 lock_sock(sk);
3309
3310 err = sock_error(sk);
3311 if (err)
712132eb 3312 break;
1890d36b 3313
311bb895 3314 if (l2cap_try_push_rx_skb(chan) == 0)
1890d36b
GP		 3315 break;
3316 }
3317
1890d36b 3318 set_current_state(TASK_RUNNING);
2b0b05dd 3319 remove_wait_queue(sk_sleep(sk), &wait);
1890d36b
GP		 3320
3321 release_sock(sk);
3322}
3323
525cd185 3324static int l2cap_push_rx_skb(struct l2cap_chan *chan, struct sk_buff *skb, u16 control)
1890d36b 3325{
1890d36b
GP		 3326 int sctrl, err;
3327
525cd185 3328 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
1890d36b 3329 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
f1c6775b 3330 __skb_queue_tail(&chan->busy_q, skb);
525cd185 3331 return l2cap_try_push_rx_skb(chan);
712132eb
GP		 3332
3333
1890d36b
GP		 3334 }
3335
525cd185 3336 err = l2cap_ertm_reassembly_sdu(chan, skb, control);
1890d36b 3337 if (err >= 0) {
42e5c802 3338 chan->buffer_seq = (chan->buffer_seq + 1) % 64;
1890d36b
GP		 3339 return err;
3340 }
3341
3342 /* Busy Condition */
311bb895 3343 BT_DBG("chan %p, Enter local busy", chan);
0e98958d 3344
525cd185 3345 chan->conn_state |= L2CAP_CONN_LOCAL_BUSY;
1890d36b 3346 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
f1c6775b 3347 __skb_queue_tail(&chan->busy_q, skb);
1890d36b 3348
42e5c802 3349 sctrl = chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1890d36b 3350 sctrl |= L2CAP_SUPER_RCV_NOT_READY;
525cd185 3351 l2cap_send_sframe(chan, sctrl);
1890d36b 3352
525cd185 3353 chan->conn_state |= L2CAP_CONN_RNR_SENT;
1890d36b 3354
e92c8e70 3355 del_timer(&chan->ack_timer);
7fe9b298 3356
311bb895 3357 queue_work(_busy_wq, &chan->busy_work);
1890d36b
GP		 3358
3359 return err;
3360}
3361
525cd185 3362static int l2cap_streaming_reassembly_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u16 control)
c74e560c 3363{
c74e560c
GP		 3364 struct sk_buff *_skb;
3365 int err = -EINVAL;
3366
18778a63
GP		 3367 /*
3368 * TODO: We have to notify the userland if some data is lost with the
3369 * Streaming Mode.
3370 */
3371
c74e560c
GP		 3372 switch (control & L2CAP_CTRL_SAR) {
3373 case L2CAP_SDU_UNSEGMENTED:
525cd185 3374 if (chan->conn_state & L2CAP_CONN_SAR_SDU) {
6f61fd47 3375 kfree_skb(chan->sdu);
c74e560c
GP		 3376 break;
3377 }
3378
23070494 3379 err = chan->ops->recv(chan->data, skb);
c74e560c
GP		 3380 if (!err)
3381 return 0;
3382
3383 break;
3384
3385 case L2CAP_SDU_START:
525cd185 3386 if (chan->conn_state & L2CAP_CONN_SAR_SDU) {
6f61fd47 3387 kfree_skb(chan->sdu);
c74e560c
GP		 3388 break;
3389 }
3390
6f61fd47 3391 chan->sdu_len = get_unaligned_le16(skb->data);
c74e560c
GP		 3392 skb_pull(skb, 2);
3393
0c1bc5c6 3394 if (chan->sdu_len > chan->imtu) {
052897ca
GP		 3395 err = -EMSGSIZE;
3396 break;
3397 }
3398
6f61fd47
GP		 3399 chan->sdu = bt_skb_alloc(chan->sdu_len, GFP_ATOMIC);
3400 if (!chan->sdu) {
c74e560c
GP		 3401 err = -ENOMEM;
3402 break;
3403 }
3404
6f61fd47 3405 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
c74e560c 3406
525cd185 3407 chan->conn_state |= L2CAP_CONN_SAR_SDU;
6f61fd47 3408 chan->partial_sdu_len = skb->len;
c74e560c
GP		 3409 err = 0;
3410 break;
3411
3412 case L2CAP_SDU_CONTINUE:
525cd185 3413 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
c74e560c
GP		 3414 break;
3415
6f61fd47 3416 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
c74e560c 3417
6f61fd47
GP		 3418 chan->partial_sdu_len += skb->len;
3419 if (chan->partial_sdu_len > chan->sdu_len)
3420 kfree_skb(chan->sdu);
c74e560c
GP		 3421 else
3422 err = 0;
3423
3424 break;
3425
3426 case L2CAP_SDU_END:
525cd185 3427 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
c74e560c
GP		 3428 break;
3429
6f61fd47 3430 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
c74e560c 3431
525cd185 3432 chan->conn_state &= ~L2CAP_CONN_SAR_SDU;
6f61fd47 3433 chan->partial_sdu_len += skb->len;
c74e560c 3434
0c1bc5c6 3435 if (chan->partial_sdu_len > chan->imtu)
36f2fd58
GP		 3436 goto drop;
3437
6f61fd47
GP		 3438 if (chan->partial_sdu_len == chan->sdu_len) {
3439 _skb = skb_clone(chan->sdu, GFP_ATOMIC);
23070494 3440 err = chan->ops->recv(chan->data, _skb);
c74e560c
GP		 3441 if (err < 0)
3442 kfree_skb(_skb);
3443 }
c74e560c
GP		 3444 err = 0;
3445
36f2fd58 3446drop:
6f61fd47 3447 kfree_skb(chan->sdu);
c74e560c
GP		 3448 break;
3449 }
3450
3451 kfree_skb(skb);
3452 return err;
3453}
3454
525cd185 3455static void l2cap_check_srej_gap(struct l2cap_chan *chan, u8 tx_seq)
8f17154f
GP		 3456{
3457 struct sk_buff *skb;
afefdbc4 3458 u16 control;
8f17154f 3459
f1c6775b 3460 while ((skb = skb_peek(&chan->srej_q))) {
8f17154f
GP		 3461 if (bt_cb(skb)->tx_seq != tx_seq)
3462 break;
3463
f1c6775b 3464 skb = skb_dequeue(&chan->srej_q);
afefdbc4 3465 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
525cd185 3466 l2cap_ertm_reassembly_sdu(chan, skb, control);
42e5c802
GP		 3467 chan->buffer_seq_srej =
3468 (chan->buffer_seq_srej + 1) % 64;
8ff50ec0 3469 tx_seq = (tx_seq + 1) % 64;
8f17154f
GP		 3470 }
3471}
3472
525cd185 3473static void l2cap_resend_srejframe(struct l2cap_chan *chan, u8 tx_seq)
8f17154f 3474{
8f17154f
GP		 3475 struct srej_list *l, *tmp;
3476 u16 control;
3477
39d5a3ee 3478 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
8f17154f
GP		 3479 if (l->tx_seq == tx_seq) {
3480 list_del(&l->list);
3481 kfree(l);
3482 return;
3483 }
3484 control = L2CAP_SUPER_SELECT_REJECT;
3485 control |= l->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
525cd185 3486 l2cap_send_sframe(chan, control);
8f17154f 3487 list_del(&l->list);
39d5a3ee 3488 list_add_tail(&l->list, &chan->srej_l);
8f17154f
GP		 3489 }
3490}
3491
525cd185 3492static void l2cap_send_srejframe(struct l2cap_chan *chan, u8 tx_seq)
8f17154f 3493{
8f17154f
GP		 3494 struct srej_list *new;
3495 u16 control;
3496
42e5c802 3497 while (tx_seq != chan->expected_tx_seq) {
8f17154f 3498 control = L2CAP_SUPER_SELECT_REJECT;
42e5c802 3499 control |= chan->expected_tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
525cd185 3500 l2cap_send_sframe(chan, control);
8f17154f
GP		 3501
3502 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
42e5c802
GP		 3503 new->tx_seq = chan->expected_tx_seq;
3504 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
39d5a3ee 3505 list_add_tail(&new->list, &chan->srej_l);
8f17154f 3506 }
42e5c802 3507 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
8f17154f
GP		 3508}
3509
525cd185 3510static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u16 rx_control, struct sk_buff *skb)
1c2acffb 3511{
1c2acffb 3512 u8 tx_seq = __get_txseq(rx_control);
9f121a5a 3513 u8 req_seq = __get_reqseq(rx_control);
8f17154f 3514 u8 sar = rx_control >> L2CAP_CTRL_SAR_SHIFT;
f6337c77 3515 int tx_seq_offset, expected_tx_seq_offset;
47d1ec61 3516 int num_to_ack = (chan->tx_win/6) + 1;
1c2acffb
GP		 3517 int err = 0;
3518
525cd185
GP		 3519 BT_DBG("chan %p len %d tx_seq %d rx_control 0x%4.4x", chan, skb->len,
3520 tx_seq, rx_control);
1c2acffb 3521
9b16dc65 3522 if (L2CAP_CTRL_FINAL & rx_control &&
525cd185 3523 chan->conn_state & L2CAP_CONN_WAIT_F) {
e92c8e70 3524 del_timer(&chan->monitor_timer);
6a026610 3525 if (chan->unacked_frames > 0)
1d8f5d16 3526 __mod_retrans_timer();
525cd185 3527 chan->conn_state &= ~L2CAP_CONN_WAIT_F;
1d8f5d16
GP		 3528 }
3529
42e5c802
GP		 3530 chan->expected_ack_seq = req_seq;
3531 l2cap_drop_acked_frames(chan);
9f121a5a 3532
42e5c802 3533 if (tx_seq == chan->expected_tx_seq)
8f17154f 3534 goto expected;
1c2acffb 3535
42e5c802 3536 tx_seq_offset = (tx_seq - chan->buffer_seq) % 64;
9b53350d
JPRV		 3537 if (tx_seq_offset < 0)
3538 tx_seq_offset += 64;
3539
3540 /* invalid tx_seq */
47d1ec61 3541 if (tx_seq_offset >= chan->tx_win) {
8c1d787b 3542 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
9b53350d
JPRV		 3543 goto drop;
3544 }
3545
e6949280 3546 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY)
1890d36b
GP		 3547 goto drop;
3548
525cd185 3549 if (chan->conn_state & L2CAP_CONN_SREJ_SENT) {
8f17154f 3550 struct srej_list *first;
30afb5b2 3551
39d5a3ee 3552 first = list_first_entry(&chan->srej_l,
8f17154f
GP		 3553 struct srej_list, list);
3554 if (tx_seq == first->tx_seq) {
42e5c802 3555 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
525cd185 3556 l2cap_check_srej_gap(chan, tx_seq);
8f17154f
GP		 3557
3558 list_del(&first->list);
3559 kfree(first);
3560
39d5a3ee 3561 if (list_empty(&chan->srej_l)) {
42e5c802 3562 chan->buffer_seq = chan->buffer_seq_srej;
525cd185
GP		 3563 chan->conn_state &= ~L2CAP_CONN_SREJ_SENT;
3564 l2cap_send_ack(chan);
49208c9c 3565 BT_DBG("chan %p, Exit SREJ_SENT", chan);
8f17154f
GP		 3566 }
3567 } else {
3568 struct srej_list *l;
9b53350d
JPRV		 3569
3570 /* duplicated tx_seq */
42e5c802 3571 if (l2cap_add_to_srej_queue(chan, skb, tx_seq, sar) < 0)
9b53350d 3572 goto drop;
8f17154f 3573
39d5a3ee 3574 list_for_each_entry(l, &chan->srej_l, list) {
8f17154f 3575 if (l->tx_seq == tx_seq) {
525cd185 3576 l2cap_resend_srejframe(chan, tx_seq);
8f17154f
GP		 3577 return 0;
3578 }
3579 }
525cd185 3580 l2cap_send_srejframe(chan, tx_seq);
30afb5b2
GP		 3581 }
3582 } else {
9b53350d 3583 expected_tx_seq_offset =
42e5c802 3584 (chan->expected_tx_seq - chan->buffer_seq) % 64;
9b53350d
JPRV		 3585 if (expected_tx_seq_offset < 0)
3586 expected_tx_seq_offset += 64;
3587
3588 /* duplicated tx_seq */
3589 if (tx_seq_offset < expected_tx_seq_offset)
3590 goto drop;
3591
525cd185 3592 chan->conn_state |= L2CAP_CONN_SREJ_SENT;
1c2acffb 3593
49208c9c 3594 BT_DBG("chan %p, Enter SREJ", chan);
0e98958d 3595
39d5a3ee 3596 INIT_LIST_HEAD(&chan->srej_l);
42e5c802 3597 chan->buffer_seq_srej = chan->buffer_seq;
8f17154f 3598
f1c6775b
GP		 3599 __skb_queue_head_init(&chan->srej_q);
3600 __skb_queue_head_init(&chan->busy_q);
42e5c802 3601 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
8f17154f 3602
525cd185 3603 chan->conn_state |= L2CAP_CONN_SEND_PBIT;
ef54fd93 3604
525cd185 3605 l2cap_send_srejframe(chan, tx_seq);
7fe9b298 3606
e92c8e70 3607 del_timer(&chan->ack_timer);
1c2acffb 3608 }
30afb5b2
GP		 3609 return 0;
3610
8f17154f 3611expected:
42e5c802 3612 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
8f17154f 3613
525cd185 3614 if (chan->conn_state & L2CAP_CONN_SREJ_SENT) {
3b1a9f3f
GP		 3615 bt_cb(skb)->tx_seq = tx_seq;
3616 bt_cb(skb)->sar = sar;
f1c6775b 3617 __skb_queue_tail(&chan->srej_q, skb);
8f17154f
GP		 3618 return 0;
3619 }
3620
525cd185 3621 err = l2cap_push_rx_skb(chan, skb, rx_control);
2ece3684
GP		 3622 if (err < 0)
3623 return 0;
3624
4ec10d97 3625 if (rx_control & L2CAP_CTRL_FINAL) {
525cd185
GP		 3626 if (chan->conn_state & L2CAP_CONN_REJ_ACT)
3627 chan->conn_state &= ~L2CAP_CONN_REJ_ACT;
dfc909be 3628 else
525cd185 3629 l2cap_retransmit_frames(chan);
4ec10d97
GP		 3630 }
3631
c1b4f43b
GP		 3632 __mod_ack_timer();
3633
6a026610
GP		 3634 chan->num_acked = (chan->num_acked + 1) % num_to_ack;
3635 if (chan->num_acked == num_to_ack - 1)
525cd185 3636 l2cap_send_ack(chan);
9e917af1 3637
8f17154f 3638 return 0;
9b53350d
JPRV		 3639
3640drop:
3641 kfree_skb(skb);
3642 return 0;
1c2acffb
GP		 3643}
3644
525cd185 3645static inline void l2cap_data_channel_rrframe(struct l2cap_chan *chan, u16 rx_control)
1c2acffb 3646{
49208c9c 3647 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, __get_reqseq(rx_control),
0e98958d
GP		 3648 rx_control);
3649
42e5c802
GP		 3650 chan->expected_ack_seq = __get_reqseq(rx_control);
3651 l2cap_drop_acked_frames(chan);
1c2acffb 3652
e072745f 3653 if (rx_control & L2CAP_CTRL_POLL) {
525cd185
GP		 3654 chan->conn_state |= L2CAP_CONN_SEND_FBIT;
3655 if (chan->conn_state & L2CAP_CONN_SREJ_SENT) {
3656 if ((chan->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
6a026610 3657 (chan->unacked_frames > 0))
05fbd89d
GP		 3658 __mod_retrans_timer();
3659
525cd185
GP		 3660 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3661 l2cap_send_srejtail(chan);
05fbd89d 3662 } else {
525cd185 3663 l2cap_send_i_or_rr_or_rnr(chan);
05fbd89d 3664 }
1d8f5d16 3665
e072745f 3666 } else if (rx_control & L2CAP_CTRL_FINAL) {
525cd185 3667 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
4ec10d97 3668
525cd185
GP		 3669 if (chan->conn_state & L2CAP_CONN_REJ_ACT)
3670 chan->conn_state &= ~L2CAP_CONN_REJ_ACT;
dfc909be 3671 else
525cd185 3672 l2cap_retransmit_frames(chan);
2246b2f1 3673
e072745f 3674 } else {
525cd185 3675 if ((chan->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
6a026610 3676 (chan->unacked_frames > 0))
e072745f 3677 __mod_retrans_timer();
1c2acffb 3678
525cd185
GP		 3679 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3680 if (chan->conn_state & L2CAP_CONN_SREJ_SENT)
3681 l2cap_send_ack(chan);
894718a6 3682 else
525cd185 3683 l2cap_ertm_send(chan);
e072745f
GP		 3684 }
3685}
2246b2f1 3686
525cd185 3687static inline void l2cap_data_channel_rejframe(struct l2cap_chan *chan, u16 rx_control)
e072745f 3688{
e072745f 3689 u8 tx_seq = __get_reqseq(rx_control);
30afb5b2 3690
525cd185 3691 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
0e98958d 3692
525cd185 3693 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
e072745f 3694
42e5c802
GP		 3695 chan->expected_ack_seq = tx_seq;
3696 l2cap_drop_acked_frames(chan);
e072745f
GP		 3697
3698 if (rx_control & L2CAP_CTRL_FINAL) {
525cd185
GP		 3699 if (chan->conn_state & L2CAP_CONN_REJ_ACT)
3700 chan->conn_state &= ~L2CAP_CONN_REJ_ACT;
dfc909be 3701 else
525cd185 3702 l2cap_retransmit_frames(chan);
e072745f 3703 } else {
525cd185 3704 l2cap_retransmit_frames(chan);
30afb5b2 3705
525cd185
GP		 3706 if (chan->conn_state & L2CAP_CONN_WAIT_F)
3707 chan->conn_state |= L2CAP_CONN_REJ_ACT;
e072745f
GP		 3708 }
3709}
525cd185 3710static inline void l2cap_data_channel_srejframe(struct l2cap_chan *chan, u16 rx_control)
e072745f 3711{
e072745f 3712 u8 tx_seq = __get_reqseq(rx_control);
30afb5b2 3713
525cd185 3714 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
0e98958d 3715
525cd185 3716 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
2246b2f1 3717
e072745f 3718 if (rx_control & L2CAP_CTRL_POLL) {
42e5c802
GP		 3719 chan->expected_ack_seq = tx_seq;
3720 l2cap_drop_acked_frames(chan);
3cb123d1 3721
525cd185
GP		 3722 chan->conn_state |= L2CAP_CONN_SEND_FBIT;
3723 l2cap_retransmit_one_frame(chan, tx_seq);
dfc909be 3724
525cd185 3725 l2cap_ertm_send(chan);
dfc909be 3726
525cd185 3727 if (chan->conn_state & L2CAP_CONN_WAIT_F) {
6a026610 3728 chan->srej_save_reqseq = tx_seq;
525cd185 3729 chan->conn_state |= L2CAP_CONN_SREJ_ACT;
ef54fd93 3730 }
e072745f 3731 } else if (rx_control & L2CAP_CTRL_FINAL) {
525cd185 3732 if ((chan->conn_state & L2CAP_CONN_SREJ_ACT) &&
6a026610 3733 chan->srej_save_reqseq == tx_seq)
525cd185 3734 chan->conn_state &= ~L2CAP_CONN_SREJ_ACT;
e072745f 3735 else
525cd185 3736 l2cap_retransmit_one_frame(chan, tx_seq);
e072745f 3737 } else {
525cd185
GP		 3738 l2cap_retransmit_one_frame(chan, tx_seq);
3739 if (chan->conn_state & L2CAP_CONN_WAIT_F) {
6a026610 3740 chan->srej_save_reqseq = tx_seq;
525cd185 3741 chan->conn_state |= L2CAP_CONN_SREJ_ACT;
ef54fd93 3742 }
e072745f
GP		 3743 }
3744}
3745
525cd185 3746static inline void l2cap_data_channel_rnrframe(struct l2cap_chan *chan, u16 rx_control)
e072745f 3747{
e072745f
GP		 3748 u8 tx_seq = __get_reqseq(rx_control);
3749
525cd185 3750 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
0e98958d 3751
525cd185 3752 chan->conn_state |= L2CAP_CONN_REMOTE_BUSY;
42e5c802
GP		 3753 chan->expected_ack_seq = tx_seq;
3754 l2cap_drop_acked_frames(chan);
e072745f 3755
3cb123d1 3756 if (rx_control & L2CAP_CTRL_POLL)
525cd185 3757 chan->conn_state |= L2CAP_CONN_SEND_FBIT;
3cb123d1 3758
525cd185 3759 if (!(chan->conn_state & L2CAP_CONN_SREJ_SENT)) {
e92c8e70 3760 del_timer(&chan->retrans_timer);
a2e12a2a 3761 if (rx_control & L2CAP_CTRL_POLL)
525cd185 3762 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_FINAL);
99b0d4b7 3763 return;
e072745f 3764 }
99b0d4b7
GP		 3765
3766 if (rx_control & L2CAP_CTRL_POLL)
525cd185 3767 l2cap_send_srejtail(chan);
99b0d4b7 3768 else
525cd185 3769 l2cap_send_sframe(chan, L2CAP_SUPER_RCV_READY);
e072745f
GP		 3770}
3771
525cd185 3772static inline int l2cap_data_channel_sframe(struct l2cap_chan *chan, u16 rx_control, struct sk_buff *skb)
e072745f 3773{
525cd185 3774 BT_DBG("chan %p rx_control 0x%4.4x len %d", chan, rx_control, skb->len);
e072745f 3775
9b16dc65 3776 if (L2CAP_CTRL_FINAL & rx_control &&
525cd185 3777 chan->conn_state & L2CAP_CONN_WAIT_F) {
e92c8e70 3778 del_timer(&chan->monitor_timer);
6a026610 3779 if (chan->unacked_frames > 0)
e072745f 3780 __mod_retrans_timer();
525cd185 3781 chan->conn_state &= ~L2CAP_CONN_WAIT_F;
e072745f
GP		 3782 }
3783
3784 switch (rx_control & L2CAP_CTRL_SUPERVISE) {
3785 case L2CAP_SUPER_RCV_READY:
525cd185 3786 l2cap_data_channel_rrframe(chan, rx_control);
8f17154f
GP		 3787 break;
3788
e072745f 3789 case L2CAP_SUPER_REJECT:
525cd185 3790 l2cap_data_channel_rejframe(chan, rx_control);
e072745f 3791 break;
2246b2f1 3792
e072745f 3793 case L2CAP_SUPER_SELECT_REJECT:
525cd185 3794 l2cap_data_channel_srejframe(chan, rx_control);
e072745f
GP		 3795 break;
3796
3797 case L2CAP_SUPER_RCV_NOT_READY:
525cd185 3798 l2cap_data_channel_rnrframe(chan, rx_control);
1c2acffb
GP		 3799 break;
3800 }
3801
faaebd19 3802 kfree_skb(skb);
1c2acffb
GP		 3803 return 0;
3804}
3805
218bb9df
GP		 3806static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb)
3807{
525cd185 3808 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
218bb9df
GP		 3809 u16 control;
3810 u8 req_seq;
3811 int len, next_tx_seq_offset, req_seq_offset;
3812
3813 control = get_unaligned_le16(skb->data);
3814 skb_pull(skb, 2);
3815 len = skb->len;
3816
3817 /*
3818 * We can just drop the corrupted I-frame here.
3819 * Receiver will miss it and start proper recovery
3820 * procedures and ask retransmission.
3821 */
47d1ec61 3822 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 3823 goto drop;
3824
3825 if (__is_sar_start(control) && __is_iframe(control))
3826 len -= 2;
3827
47d1ec61 3828 if (chan->fcs == L2CAP_FCS_CRC16)
218bb9df
GP		 3829 len -= 2;
3830
47d1ec61 3831 if (len > chan->mps) {
8c1d787b 3832 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3833 goto drop;
3834 }
3835
3836 req_seq = __get_reqseq(control);
42e5c802 3837 req_seq_offset = (req_seq - chan->expected_ack_seq) % 64;
218bb9df
GP		 3838 if (req_seq_offset < 0)
3839 req_seq_offset += 64;
3840
3841 next_tx_seq_offset =
42e5c802 3842 (chan->next_tx_seq - chan->expected_ack_seq) % 64;
218bb9df
GP		 3843 if (next_tx_seq_offset < 0)
3844 next_tx_seq_offset += 64;
3845
3846 /* check for invalid req-seq */
3847 if (req_seq_offset > next_tx_seq_offset) {
8c1d787b 3848 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3849 goto drop;
3850 }
3851
3852 if (__is_iframe(control)) {
3853 if (len < 0) {
8c1d787b 3854 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3855 goto drop;
3856 }
3857
525cd185 3858 l2cap_data_channel_iframe(chan, control, skb);
218bb9df
GP		 3859 } else {
3860 if (len != 0) {
3861 BT_ERR("%d", len);
8c1d787b 3862 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3863 goto drop;
3864 }
3865
525cd185 3866 l2cap_data_channel_sframe(chan, control, skb);
218bb9df
GP		 3867 }
3868
3869 return 0;
3870
3871drop:
3872 kfree_skb(skb);
3873 return 0;
3874}
3875
1da177e4
LT		 3876static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
3877{
48454079 3878 struct l2cap_chan *chan;
bf734843 3879 struct sock *sk = NULL;
51893f88 3880 u16 control;
218bb9df
GP		 3881 u8 tx_seq;
3882 int len;
1da177e4 3883
baa7e1fa 3884 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 3885 if (!chan) {
1da177e4
LT		 3886 BT_DBG("unknown cid 0x%4.4x", cid);
3887 goto drop;
3888 }
3889
48454079 3890 sk = chan->sk;
6840ed07 3891
49208c9c 3892 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 3893
89bc500e 3894 if (chan->state != BT_CONNECTED)
1da177e4
LT		 3895 goto drop;
3896
0c1bc5c6 3897 switch (chan->mode) {
1c2acffb
GP		 3898 case L2CAP_MODE_BASIC:
3899 /* If socket recv buffers overflows we drop data here
3900 * which is *bad* because L2CAP has to be reliable.
3901 * But we don't have any other choice. L2CAP doesn't
3902 * provide flow control mechanism. */
1da177e4 3903
0c1bc5c6 3904 if (chan->imtu < skb->len)
1c2acffb 3905 goto drop;
1da177e4 3906
23070494 3907 if (!chan->ops->recv(chan->data, skb))
1c2acffb
GP		 3908 goto done;
3909 break;
3910
3911 case L2CAP_MODE_ERTM:
218bb9df
GP		 3912 if (!sock_owned_by_user(sk)) {
3913 l2cap_ertm_data_rcv(sk, skb);
277ffbe3 3914 } else {
218bb9df 3915 if (sk_add_backlog(sk, skb))
277ffbe3 3916 goto drop;
277ffbe3 3917 }
1c2acffb 3918
fcafde2e 3919 goto done;
1c2acffb 3920
6840ed07
GP		 3921 case L2CAP_MODE_STREAMING:
3922 control = get_unaligned_le16(skb->data);
3923 skb_pull(skb, 2);
3924 len = skb->len;
3925
47d1ec61 3926 if (l2cap_check_fcs(chan, skb))
26000089
GP		 3927 goto drop;
3928
6840ed07
GP		 3929 if (__is_sar_start(control))
3930 len -= 2;
3931
47d1ec61 3932 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3
GP		 3933 len -= 2;
3934
47d1ec61 3935 if (len > chan->mps || len < 0 || __is_sframe(control))
6840ed07
GP		 3936 goto drop;
3937
3938 tx_seq = __get_txseq(control);
3939
42e5c802
GP		 3940 if (chan->expected_tx_seq == tx_seq)
3941 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
6840ed07 3942 else
42e5c802 3943 chan->expected_tx_seq = (tx_seq + 1) % 64;
6840ed07 3944
525cd185 3945 l2cap_streaming_reassembly_sdu(chan, skb, control);
6840ed07
GP		 3946
3947 goto done;
3948
1c2acffb 3949 default:
0c1bc5c6 3950 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 3951 break;
3952 }
1da177e4
LT		 3953
3954drop:
3955 kfree_skb(skb);
3956
3957done:
0139418c
MH		 3958 if (sk)
3959 bh_unlock_sock(sk);
3960
1da177e4
LT		 3961 return 0;
3962}
3963
8e036fc3 3964static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
1da177e4 3965{
6dcae1ea 3966 struct sock *sk = NULL;
23691d75 3967 struct l2cap_chan *chan;
1da177e4 3968
23691d75
GP		 3969 chan = l2cap_global_chan_by_psm(0, psm, conn->src);
3970 if (!chan)
1da177e4
LT		 3971 goto drop;
3972
23691d75
GP		 3973 sk = chan->sk;
3974
e0f0cb56
GP		 3975 bh_lock_sock(sk);
3976
1da177e4
LT		 3977 BT_DBG("sk %p, len %d", sk, skb->len);
3978
89bc500e 3979 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 3980 goto drop;
3981
0c1bc5c6 3982 if (l2cap_pi(sk)->chan->imtu < skb->len)
1da177e4
LT		 3983 goto drop;
3984
23070494 3985 if (!chan->ops->recv(chan->data, skb))
1da177e4
LT		 3986 goto done;
3987
3988drop:
3989 kfree_skb(skb);
3990
3991done:
af05b30b
GP		 3992 if (sk)
3993 bh_unlock_sock(sk);
1da177e4
LT		 3994 return 0;
3995}
3996
9f69bda6
GP		 3997static inline int l2cap_att_channel(struct l2cap_conn *conn, __le16 cid, struct sk_buff *skb)
3998{
6dcae1ea 3999 struct sock *sk = NULL;
23691d75 4000 struct l2cap_chan *chan;
9f69bda6 4001
23691d75
GP		 4002 chan = l2cap_global_chan_by_scid(0, cid, conn->src);
4003 if (!chan)
9f69bda6
GP		 4004 goto drop;
4005
23691d75
GP		 4006 sk = chan->sk;
4007
9f69bda6
GP		 4008 bh_lock_sock(sk);
4009
4010 BT_DBG("sk %p, len %d", sk, skb->len);
4011
89bc500e 4012 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
9f69bda6
GP		 4013 goto drop;
4014
0c1bc5c6 4015 if (l2cap_pi(sk)->chan->imtu < skb->len)
9f69bda6
GP		 4016 goto drop;
4017
23070494 4018 if (!chan->ops->recv(chan->data, skb))
9f69bda6
GP		 4019 goto done;
4020
4021drop:
4022 kfree_skb(skb);
4023
4024done:
4025 if (sk)
4026 bh_unlock_sock(sk);
4027 return 0;
4028}
4029
1da177e4
LT		 4030static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
4031{
4032 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 4033 u16 cid, len;
4034 __le16 psm;
1da177e4
LT		 4035
4036 skb_pull(skb, L2CAP_HDR_SIZE);
4037 cid = __le16_to_cpu(lh->cid);
4038 len = __le16_to_cpu(lh->len);
4039
1c2acffb
GP		 4040 if (len != skb->len) {
4041 kfree_skb(skb);
4042 return;
4043 }
4044
1da177e4
LT		 4045 BT_DBG("len %d, cid 0x%4.4x", len, cid);
4046
4047 switch (cid) {
3300d9a9 4048 case L2CAP_CID_LE_SIGNALING:
8db4dc46 4049 case L2CAP_CID_SIGNALING:
1da177e4
LT		 4050 l2cap_sig_channel(conn, skb);
4051 break;
4052
8db4dc46 4053 case L2CAP_CID_CONN_LESS:
1b7bf4ed 4054 psm = get_unaligned_le16(skb->data);
1da177e4
LT		 4055 skb_pull(skb, 2);
4056 l2cap_conless_channel(conn, psm, skb);
4057 break;
4058
9f69bda6
GP		 4059 case L2CAP_CID_LE_DATA:
4060 l2cap_att_channel(conn, cid, skb);
4061 break;
4062
1da177e4
LT		 4063 default:
4064 l2cap_data_channel(conn, cid, skb);
4065 break;
4066 }
4067}
4068
4069/* ---- L2CAP interface with lower layer (HCI) ---- */
4070
4071static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
4072{
4073 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 4074 struct l2cap_chan *c;
1da177e4
LT		 4075
4076 if (type != ACL_LINK)
963cf687 4077 return -EINVAL;
1da177e4
LT		 4078
4079 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
4080
4081 /* Find listening sockets and check their link_mode */
23691d75
GP		 4082 read_lock(&chan_list_lock);
4083 list_for_each_entry(c, &chan_list, global_l) {
4084 struct sock *sk = c->sk;
4343478f 4085
89bc500e 4086 if (c->state != BT_LISTEN)
1da177e4
LT		 4087 continue;
4088
4089 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 4090 lm1 |= HCI_LM_ACCEPT;
23691d75 4091 if (c->role_switch)
2af6b9d5 4092 lm1 |= HCI_LM_MASTER;
1da177e4 4093 exact++;
2af6b9d5
MH		 4094 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
4095 lm2 |= HCI_LM_ACCEPT;
23691d75 4096 if (c->role_switch)
2af6b9d5
MH		 4097 lm2 |= HCI_LM_MASTER;
4098 }
1da177e4 4099 }
23691d75 4100 read_unlock(&chan_list_lock);
1da177e4
LT		 4101
4102 return exact ? lm1 : lm2;
4103}
4104
4105static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
4106{
0139418c
MH		 4107 struct l2cap_conn *conn;
4108
1da177e4
LT		 4109 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
4110
acd7d370 4111 if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK))
963cf687 4112 return -EINVAL;
1da177e4
LT		 4113
4114 if (!status) {
1da177e4
LT		 4115 conn = l2cap_conn_add(hcon, status);
4116 if (conn)
4117 l2cap_conn_ready(conn);
0139418c 4118 } else
1da177e4
LT		 4119 l2cap_conn_del(hcon, bt_err(status));
4120
4121 return 0;
4122}
4123
2950f21a
MH		 4124static int l2cap_disconn_ind(struct hci_conn *hcon)
4125{
4126 struct l2cap_conn *conn = hcon->l2cap_data;
4127
4128 BT_DBG("hcon %p", hcon);
4129
4130 if (hcon->type != ACL_LINK || !conn)
4131 return 0x13;
4132
4133 return conn->disc_reason;
4134}
4135
4136static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 4137{
4138 BT_DBG("hcon %p reason %d", hcon, reason);
4139
acd7d370 4140 if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK))
963cf687 4141 return -EINVAL;
1da177e4
LT		 4142
4143 l2cap_conn_del(hcon, bt_err(reason));
0139418c 4144
1da177e4
LT		 4145 return 0;
4146}
4147
4343478f 4148static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 4149{
715ec005 4150 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 4151 return;
4152
f62e4323 4153 if (encrypt == 0x00) {
4343478f 4154 if (chan->sec_level == BT_SECURITY_MEDIUM) {
c9b66675
GP		 4155 __clear_chan_timer(chan);
4156 __set_chan_timer(chan, HZ * 5);
4343478f 4157 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 4158 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 4159 } else {
4343478f 4160 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 4161 __clear_chan_timer(chan);
f62e4323
MH		 4162 }
4163}
4164
8c1b2355 4165static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 4166{
0139418c 4167 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 4168 struct l2cap_chan *chan;
1da177e4 4169
0139418c 4170 if (!conn)
1da177e4 4171 return 0;
0139418c 4172
1da177e4
LT		 4173 BT_DBG("conn %p", conn);
4174
baa7e1fa 4175 read_lock(&conn->chan_lock);
1da177e4 4176
baa7e1fa 4177 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 4178 struct sock *sk = chan->sk;
baa7e1fa 4179
1da177e4
LT		 4180 bh_lock_sock(sk);
4181
b4450035 4182 if (chan->conf_state & L2CAP_CONF_CONNECT_PEND) {
6a8d3010
MH		 4183 bh_unlock_sock(sk);
4184 continue;
4185 }
4186
89bc500e
GP		 4187 if (!status && (chan->state == BT_CONNECTED ||
4188 chan->state == BT_CONFIG)) {
4343478f 4189 l2cap_check_encryption(chan, encrypt);
9719f8af
MH		 4190 bh_unlock_sock(sk);
4191 continue;
4192 }
4193
89bc500e 4194 if (chan->state == BT_CONNECT) {
b1235d79
MH		 4195 if (!status) {
4196 struct l2cap_conn_req req;
fe4128e0
GP		 4197 req.scid = cpu_to_le16(chan->scid);
4198 req.psm = chan->psm;
1da177e4 4199
fc7f8a7e 4200 chan->ident = l2cap_get_ident(conn);
b4450035 4201 chan->conf_state |= L2CAP_CONF_CONNECT_PEND;
1da177e4 4202
fc7f8a7e 4203 l2cap_send_cmd(conn, chan->ident,
b1235d79
MH		 4204 L2CAP_CONN_REQ, sizeof(req), &req);
4205 } else {
c9b66675
GP		 4206 __clear_chan_timer(chan);
4207 __set_chan_timer(chan, HZ / 10);
b1235d79 4208 }
89bc500e 4209 } else if (chan->state == BT_CONNECT2) {
b1235d79
MH		 4210 struct l2cap_conn_rsp rsp;
4211 __u16 result;
1da177e4 4212
b1235d79 4213 if (!status) {
89bc500e 4214 l2cap_state_change(chan, BT_CONFIG);
b1235d79
MH		 4215 result = L2CAP_CR_SUCCESS;
4216 } else {
89bc500e 4217 l2cap_state_change(chan, BT_DISCONN);
c9b66675 4218 __set_chan_timer(chan, HZ / 10);
b1235d79
MH		 4219 result = L2CAP_CR_SEC_BLOCK;
4220 }
4221
fe4128e0
GP		 4222 rsp.scid = cpu_to_le16(chan->dcid);
4223 rsp.dcid = cpu_to_le16(chan->scid);
b1235d79 4224 rsp.result = cpu_to_le16(result);
e7c29cb1 4225 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
fc7f8a7e
GP		 4226 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
4227 sizeof(rsp), &rsp);
b1235d79 4228 }
1da177e4
LT		 4229
4230 bh_unlock_sock(sk);
4231 }
4232
baa7e1fa 4233 read_unlock(&conn->chan_lock);
b1235d79 4234
1da177e4
LT		 4235 return 0;
4236}
4237
4238static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
4239{
4240 struct l2cap_conn *conn = hcon->l2cap_data;
4241
5a08ecce
AE		 4242 if (!conn)
4243 conn = l2cap_conn_add(hcon, 0);
4244
4245 if (!conn)
1da177e4
LT		 4246 goto drop;
4247
4248 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
4249
e702112f 4250 if (!(flags & ACL_CONT)) {
1da177e4 4251 struct l2cap_hdr *hdr;
48454079 4252 struct l2cap_chan *chan;
89794813 4253 u16 cid;
1da177e4
LT		 4254 int len;
4255
4256 if (conn->rx_len) {
4257 BT_ERR("Unexpected start frame (len %d)", skb->len);
4258 kfree_skb(conn->rx_skb);
4259 conn->rx_skb = NULL;
4260 conn->rx_len = 0;
4261 l2cap_conn_unreliable(conn, ECOMM);
4262 }
4263
aae7fe22
AE		 4264 /* Start fragment always begin with Basic L2CAP header */
4265 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 4266 BT_ERR("Frame is too short (len %d)", skb->len);
4267 l2cap_conn_unreliable(conn, ECOMM);
4268 goto drop;
4269 }
4270
4271 hdr = (struct l2cap_hdr *) skb->data;
4272 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
89794813 4273 cid = __le16_to_cpu(hdr->cid);
1da177e4
LT		 4274
4275 if (len == skb->len) {
4276 /* Complete frame received */
4277 l2cap_recv_frame(conn, skb);
4278 return 0;
4279 }
4280
4281 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
4282
4283 if (skb->len > len) {
4284 BT_ERR("Frame is too long (len %d, expected len %d)",
4285 skb->len, len);
4286 l2cap_conn_unreliable(conn, ECOMM);
4287 goto drop;
4288 }
4289
baa7e1fa 4290 chan = l2cap_get_chan_by_scid(conn, cid);
89794813 4291
48454079
GP		 4292 if (chan && chan->sk) {
4293 struct sock *sk = chan->sk;
89794813 4294
0c1bc5c6 4295 if (chan->imtu < len - L2CAP_HDR_SIZE) {
48454079
GP		 4296 BT_ERR("Frame exceeding recv MTU (len %d, "
4297 "MTU %d)", len,
0c1bc5c6 4298 chan->imtu);
48454079
GP		 4299 bh_unlock_sock(sk);
4300 l2cap_conn_unreliable(conn, ECOMM);
4301 goto drop;
4302 }
89794813 4303 bh_unlock_sock(sk);
48454079 4304 }
89794813 4305
1da177e4 4306 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 4307 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
4308 if (!conn->rx_skb)
1da177e4
LT		 4309 goto drop;
4310
d626f62b 4311 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4312 skb->len);
1da177e4
LT		 4313 conn->rx_len = len - skb->len;
4314 } else {
4315 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
4316
4317 if (!conn->rx_len) {
4318 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
4319 l2cap_conn_unreliable(conn, ECOMM);
4320 goto drop;
4321 }
4322
4323 if (skb->len > conn->rx_len) {
4324 BT_ERR("Fragment is too long (len %d, expected %d)",
4325 skb->len, conn->rx_len);
4326 kfree_skb(conn->rx_skb);
4327 conn->rx_skb = NULL;
4328 conn->rx_len = 0;
4329 l2cap_conn_unreliable(conn, ECOMM);
4330 goto drop;
4331 }
4332
d626f62b 4333 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4334 skb->len);
1da177e4
LT		 4335 conn->rx_len -= skb->len;
4336
4337 if (!conn->rx_len) {
4338 /* Complete frame received */
4339 l2cap_recv_frame(conn, conn->rx_skb);
4340 conn->rx_skb = NULL;
4341 }
4342 }
4343
4344drop:
4345 kfree_skb(skb);
4346 return 0;
4347}
4348
aef7d97c 4349static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 4350{
23691d75 4351 struct l2cap_chan *c;
1da177e4 4352
23691d75 4353 read_lock_bh(&chan_list_lock);
1da177e4 4354
23691d75
GP		 4355 list_for_each_entry(c, &chan_list, global_l) {
4356 struct sock *sk = c->sk;
101545f6 4357
903d343e 4358 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
aef7d97c
MH		 4359 batostr(&bt_sk(sk)->src),
4360 batostr(&bt_sk(sk)->dst),
89bc500e 4361 c->state, __le16_to_cpu(c->psm),
23691d75
GP		 4362 c->scid, c->dcid, c->imtu, c->omtu,
4363 c->sec_level, c->mode);
be9d1227 4364 }
1da177e4 4365
23691d75 4366 read_unlock_bh(&chan_list_lock);
1da177e4 4367
aef7d97c 4368 return 0;
1da177e4
LT		 4369}
4370
aef7d97c
MH		 4371static int l2cap_debugfs_open(struct inode *inode, struct file *file)
4372{
4373 return single_open(file, l2cap_debugfs_show, inode->i_private);
4374}
4375
4376static const struct file_operations l2cap_debugfs_fops = {
4377 .open = l2cap_debugfs_open,
4378 .read = seq_read,
4379 .llseek = seq_lseek,
4380 .release = single_release,
4381};
4382
4383static struct dentry *l2cap_debugfs;
1da177e4 4384
1da177e4
LT		 4385static struct hci_proto l2cap_hci_proto = {
4386 .name = "L2CAP",
4387 .id = HCI_PROTO_L2CAP,
4388 .connect_ind = l2cap_connect_ind,
4389 .connect_cfm = l2cap_connect_cfm,
4390 .disconn_ind = l2cap_disconn_ind,
2950f21a 4391 .disconn_cfm = l2cap_disconn_cfm,
8c1b2355 4392 .security_cfm = l2cap_security_cfm,
1da177e4
LT		 4393 .recv_acldata = l2cap_recv_acldata
4394};
4395
64274518 4396int __init l2cap_init(void)
1da177e4
LT		 4397{
4398 int err;
be9d1227 4399
bb58f747 4400 err = l2cap_init_sockets();
1da177e4
LT		 4401 if (err < 0)
4402 return err;
4403
1890d36b 4404 _busy_wq = create_singlethread_workqueue("l2cap");
b78d7b4f 4405 if (!_busy_wq) {
bb58f747 4406 err = -ENOMEM;
1da177e4
LT		 4407 goto error;
4408 }
4409
4410 err = hci_register_proto(&l2cap_hci_proto);
4411 if (err < 0) {
4412 BT_ERR("L2CAP protocol registration failed");
4413 bt_sock_unregister(BTPROTO_L2CAP);
4414 goto error;
4415 }
4416
aef7d97c
MH		 4417 if (bt_debugfs) {
4418 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
4419 bt_debugfs, NULL, &l2cap_debugfs_fops);
4420 if (!l2cap_debugfs)
4421 BT_ERR("Failed to create L2CAP debug file");
4422 }
1da177e4 4423
1da177e4
LT		 4424 return 0;
4425
4426error:
b78d7b4f 4427 destroy_workqueue(_busy_wq);
bb58f747 4428 l2cap_cleanup_sockets();
1da177e4
LT		 4429 return err;
4430}
4431
64274518 4432void l2cap_exit(void)
1da177e4 4433{
aef7d97c 4434 debugfs_remove(l2cap_debugfs);
1da177e4 4435
1890d36b
GP		 4436 flush_workqueue(_busy_wq);
4437 destroy_workqueue(_busy_wq);
4438
1da177e4
LT		 4439 if (hci_unregister_proto(&l2cap_hci_proto) < 0)
4440 BT_ERR("L2CAP protocol unregistration failed");
4441
bb58f747 4442 l2cap_cleanup_sockets();
1da177e4
LT		 4443}
4444
d1c4a17d
GP		 4445module_param(disable_ertm, bool, 0644);
4446MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
kernel source for telekom puls (alcatel/mediatek)