projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Reset the security timer when a command is queued
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
1da177e4
LT		 6
7 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License version 2 as
11 published by the Free Software Foundation;
12
13 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
14 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
15 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
16 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 17 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
18 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
19 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 20 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
21
8e87d142
YH		 22 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
23 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 24 SOFTWARE IS DISCLAIMED.
25*/
26
bb58f747 27/* Bluetooth L2CAP core. */
1da177e4 28
1da177e4
LT		 29#include <linux/module.h>
30
31#include <linux/types.h>
4fc268d2 32#include <linux/capability.h>
1da177e4
LT		 33#include <linux/errno.h>
34#include <linux/kernel.h>
1da177e4
LT		 35#include <linux/sched.h>
36#include <linux/slab.h>
37#include <linux/poll.h>
38#include <linux/fcntl.h>
39#include <linux/init.h>
40#include <linux/interrupt.h>
41#include <linux/socket.h>
42#include <linux/skbuff.h>
1da177e4 43#include <linux/list.h>
be9d1227 44#include <linux/device.h>
aef7d97c
MH		 45#include <linux/debugfs.h>
46#include <linux/seq_file.h>
af05b30b 47#include <linux/uaccess.h>
fcc203c3 48#include <linux/crc16.h>
1da177e4
LT		 49#include <net/sock.h>
50
51#include <asm/system.h>
1da177e4
LT		 52#include <asm/unaligned.h>
53
54#include <net/bluetooth/bluetooth.h>
55#include <net/bluetooth/hci_core.h>
56#include <net/bluetooth/l2cap.h>
b501d6a1 57#include <net/bluetooth/smp.h>
1da177e4 58
bb58f747 59int disable_ertm;
f0709e03 60
47ec1dcd 61static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
e1027a7c 62static u8 l2cap_fixed_chan[8] = { 0x02, };
1da177e4 63
b5ad8b7f
JB		 64static LIST_HEAD(chan_list);
65static DEFINE_RWLOCK(chan_list_lock);
1da177e4 66
1da177e4
LT		 67static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
68 u8 code, u8 ident, u16 dlen, void *data);
4519de9a
GP		 69static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
70 void *data);
710f9b0a 71static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
4519de9a
GP		 72static void l2cap_send_disconn_req(struct l2cap_conn *conn,
73 struct l2cap_chan *chan, int err);
1da177e4 74
218bb9df
GP		 75static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb);
76
0139418c 77/* ---- L2CAP channels ---- */
71ba0e56
GP		 78
79static inline void chan_hold(struct l2cap_chan *c)
80{
81 atomic_inc(&c->refcnt);
82}
83
84static inline void chan_put(struct l2cap_chan *c)
85{
86 if (atomic_dec_and_test(&c->refcnt))
87 kfree(c);
88}
89
baa7e1fa 90static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
0139418c 91{
48454079 92 struct l2cap_chan *c;
baa7e1fa
GP		 93
94 list_for_each_entry(c, &conn->chan_l, list) {
fe4128e0 95 if (c->dcid == cid)
baa7e1fa 96 return c;
0139418c 97 }
baa7e1fa
GP		 98 return NULL;
99
0139418c
MH		 100}
101
baa7e1fa 102static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 103{
48454079 104 struct l2cap_chan *c;
baa7e1fa
GP		 105
106 list_for_each_entry(c, &conn->chan_l, list) {
fe4128e0 107 if (c->scid == cid)
baa7e1fa 108 return c;
0139418c 109 }
baa7e1fa 110 return NULL;
0139418c
MH		 111}
112
113/* Find channel with given SCID.
114 * Returns locked socket */
baa7e1fa 115static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 116{
48454079 117 struct l2cap_chan *c;
baa7e1fa
GP		 118
119 read_lock(&conn->chan_lock);
120 c = __l2cap_get_chan_by_scid(conn, cid);
48454079
GP		 121 if (c)
122 bh_lock_sock(c->sk);
baa7e1fa 123 read_unlock(&conn->chan_lock);
48454079 124 return c;
0139418c
MH		 125}
126
baa7e1fa 127static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 128{
48454079 129 struct l2cap_chan *c;
baa7e1fa
GP		 130
131 list_for_each_entry(c, &conn->chan_l, list) {
fc7f8a7e 132 if (c->ident == ident)
baa7e1fa 133 return c;
0139418c 134 }
baa7e1fa 135 return NULL;
0139418c
MH		 136}
137
baa7e1fa 138static inline struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 139{
48454079 140 struct l2cap_chan *c;
baa7e1fa
GP		 141
142 read_lock(&conn->chan_lock);
143 c = __l2cap_get_chan_by_ident(conn, ident);
48454079
GP		 144 if (c)
145 bh_lock_sock(c->sk);
baa7e1fa 146 read_unlock(&conn->chan_lock);
48454079 147 return c;
0139418c
MH		 148}
149
23691d75 150static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 151{
23691d75 152 struct l2cap_chan *c;
9e4425ff 153
23691d75
GP		 154 list_for_each_entry(c, &chan_list, global_l) {
155 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
9e4425ff
GP		 156 goto found;
157 }
158
23691d75 159 c = NULL;
9e4425ff 160found:
23691d75 161 return c;
9e4425ff
GP		 162}
163
164int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
165{
73b2ec18
GP		 166 int err;
167
23691d75 168 write_lock_bh(&chan_list_lock);
9e4425ff 169
23691d75 170 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 171 err = -EADDRINUSE;
172 goto done;
9e4425ff
GP		 173 }
174
73b2ec18
GP		 175 if (psm) {
176 chan->psm = psm;
177 chan->sport = psm;
178 err = 0;
179 } else {
180 u16 p;
181
182 err = -EINVAL;
183 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 184 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 185 chan->psm = cpu_to_le16(p);
186 chan->sport = cpu_to_le16(p);
187 err = 0;
188 break;
189 }
190 }
9e4425ff 191
73b2ec18 192done:
23691d75 193 write_unlock_bh(&chan_list_lock);
73b2ec18 194 return err;
9e4425ff
GP		 195}
196
197int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
198{
23691d75 199 write_lock_bh(&chan_list_lock);
9e4425ff
GP		 200
201 chan->scid = scid;
202
23691d75 203 write_unlock_bh(&chan_list_lock);
9e4425ff
GP		 204
205 return 0;
206}
207
baa7e1fa 208static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 209{
8db4dc46 210 u16 cid = L2CAP_CID_DYN_START;
0139418c 211
8db4dc46 212 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 213 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 214 return cid;
215 }
216
217 return 0;
218}
219
c9b66675 220static void l2cap_set_timer(struct l2cap_chan *chan, struct timer_list *timer, long timeout)
ab07801d 221{
774e5651 222 BT_DBG("chan %p state %d timeout %ld", chan->sk, chan->state, timeout);
89bc500e 223
942ecc9c 224 if (!mod_timer(timer, jiffies + msecs_to_jiffies(timeout)))
774e5651 225 chan_hold(chan);
ab07801d
GP		 226}
227
c9b66675 228static void l2cap_clear_timer(struct l2cap_chan *chan, struct timer_list *timer)
ab07801d 229{
774e5651 230 BT_DBG("chan %p state %d", chan, chan->state);
ab07801d 231
774e5651
MM		 232 if (timer_pending(timer) && del_timer(timer))
233 chan_put(chan);
ab07801d
GP		 234}
235
89bc500e
GP		 236static void l2cap_state_change(struct l2cap_chan *chan, int state)
237{
238 chan->state = state;
239 chan->ops->state_change(chan->data, state);
240}
241
ab07801d
GP		 242static void l2cap_chan_timeout(unsigned long arg)
243{
244 struct l2cap_chan *chan = (struct l2cap_chan *) arg;
245 struct sock *sk = chan->sk;
246 int reason;
247
89bc500e 248 BT_DBG("chan %p state %d", chan, chan->state);
ab07801d
GP		 249
250 bh_lock_sock(sk);
251
252 if (sock_owned_by_user(sk)) {
253 /* sk is owned by user. Try again later */
c9b66675 254 __set_chan_timer(chan, HZ / 5);
ab07801d 255 bh_unlock_sock(sk);
71ba0e56 256 chan_put(chan);
ab07801d
GP		 257 return;
258 }
259
89bc500e 260 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 261 reason = ECONNREFUSED;
89bc500e 262 else if (chan->state == BT_CONNECT &&
ab07801d
GP		 263 chan->sec_level != BT_SECURITY_SDP)
264 reason = ECONNREFUSED;
265 else
266 reason = ETIMEDOUT;
267
0f852724 268 l2cap_chan_close(chan, reason);
ab07801d
GP		 269
270 bh_unlock_sock(sk);
271
ba3bd0ee 272 chan->ops->close(chan->data);
71ba0e56 273 chan_put(chan);
ab07801d
GP		 274}
275
23691d75 276struct l2cap_chan *l2cap_chan_create(struct sock *sk)
48454079
GP		 277{
278 struct l2cap_chan *chan;
279
280 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
281 if (!chan)
282 return NULL;
283
284 chan->sk = sk;
285
23691d75
GP		 286 write_lock_bh(&chan_list_lock);
287 list_add(&chan->global_l, &chan_list);
288 write_unlock_bh(&chan_list_lock);
289
ab07801d
GP		 290 setup_timer(&chan->chan_timer, l2cap_chan_timeout, (unsigned long) chan);
291
89bc500e
GP		 292 chan->state = BT_OPEN;
293
71ba0e56
GP		 294 atomic_set(&chan->refcnt, 1);
295
48454079
GP		 296 return chan;
297}
298
23691d75 299void l2cap_chan_destroy(struct l2cap_chan *chan)
6ff5abbf 300{
23691d75
GP		 301 write_lock_bh(&chan_list_lock);
302 list_del(&chan->global_l);
303 write_unlock_bh(&chan_list_lock);
304
71ba0e56 305 chan_put(chan);
6ff5abbf
GP		 306}
307
48454079 308static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 309{
af05b30b 310 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
fe4128e0 311 chan->psm, chan->dcid);
0139418c 312
2950f21a
MH		 313 conn->disc_reason = 0x13;
314
8c1d787b 315 chan->conn = conn;
0139418c 316
715ec005 317 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
b62f328b
VT		 318 if (conn->hcon->type == LE_LINK) {
319 /* LE connection */
0c1bc5c6 320 chan->omtu = L2CAP_LE_DEFAULT_MTU;
fe4128e0
GP		 321 chan->scid = L2CAP_CID_LE_DATA;
322 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 323 } else {
324 /* Alloc CID for connection-oriented socket */
fe4128e0 325 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 326 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 327 }
715ec005 328 } else if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
0139418c 329 /* Connectionless socket */
fe4128e0
GP		 330 chan->scid = L2CAP_CID_CONN_LESS;
331 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 332 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 333 } else {
334 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 335 chan->scid = L2CAP_CID_SIGNALING;
336 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 337 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 338 }
339
71ba0e56 340 chan_hold(chan);
baa7e1fa
GP		 341
342 list_add(&chan->list, &conn->chan_l);
0139418c
MH		 343}
344
8e87d142 345/* Delete channel.
0139418c 346 * Must be called on the locked socket. */
4519de9a 347static void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 348{
48454079 349 struct sock *sk = chan->sk;
8c1d787b 350 struct l2cap_conn *conn = chan->conn;
0139418c
MH		 351 struct sock *parent = bt_sk(sk)->parent;
352
c9b66675 353 __clear_chan_timer(chan);
0139418c 354
49208c9c 355 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 356
8e87d142 357 if (conn) {
baa7e1fa
GP		 358 /* Delete from channel list */
359 write_lock_bh(&conn->chan_lock);
360 list_del(&chan->list);
361 write_unlock_bh(&conn->chan_lock);
71ba0e56 362 chan_put(chan);
baa7e1fa 363
8c1d787b 364 chan->conn = NULL;
0139418c
MH		 365 hci_conn_put(conn->hcon);
366 }
367
89bc500e 368 l2cap_state_change(chan, BT_CLOSED);
0139418c
MH		 369 sock_set_flag(sk, SOCK_ZAPPED);
370
371 if (err)
372 sk->sk_err = err;
373
374 if (parent) {
375 bt_accept_unlink(sk);
376 parent->sk_data_ready(parent, 0);
377 } else
378 sk->sk_state_change(sk);
c13ffa62 379
c1360a1c
GP		 380 if (!(test_bit(CONF_OUTPUT_DONE, &chan->conf_state) &&
381 test_bit(CONF_INPUT_DONE, &chan->conf_state)))
6ff5abbf 382 return;
2ead70b8 383
58d35f87 384 skb_queue_purge(&chan->tx_q);
c13ffa62 385
0c1bc5c6 386 if (chan->mode == L2CAP_MODE_ERTM) {
c13ffa62
GP		 387 struct srej_list *l, *tmp;
388
1a09bcb9
GP		 389 __clear_retrans_timer(chan);
390 __clear_monitor_timer(chan);
391 __clear_ack_timer(chan);
c13ffa62 392
f1c6775b 393 skb_queue_purge(&chan->srej_q);
c13ffa62 394
39d5a3ee 395 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
c13ffa62
GP		 396 list_del(&l->list);
397 kfree(l);
398 }
399 }
0139418c
MH		 400}
401
4519de9a
GP		 402static void l2cap_chan_cleanup_listen(struct sock *parent)
403{
404 struct sock *sk;
405
406 BT_DBG("parent %p", parent);
407
408 /* Close not yet accepted channels */
0f852724 409 while ((sk = bt_accept_dequeue(parent, NULL))) {
ba3bd0ee 410 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
c9b66675 411 __clear_chan_timer(chan);
0f852724 412 lock_sock(sk);
ba3bd0ee 413 l2cap_chan_close(chan, ECONNRESET);
0f852724 414 release_sock(sk);
ba3bd0ee 415 chan->ops->close(chan->data);
0f852724 416 }
4519de9a
GP		 417}
418
0f852724 419void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 420{
421 struct l2cap_conn *conn = chan->conn;
422 struct sock *sk = chan->sk;
423
89bc500e 424 BT_DBG("chan %p state %d socket %p", chan, chan->state, sk->sk_socket);
4519de9a 425
89bc500e 426 switch (chan->state) {
4519de9a
GP		 427 case BT_LISTEN:
428 l2cap_chan_cleanup_listen(sk);
89bc500e
GP		 429
430 l2cap_state_change(chan, BT_CLOSED);
431 sock_set_flag(sk, SOCK_ZAPPED);
4519de9a
GP		 432 break;
433
434 case BT_CONNECTED:
435 case BT_CONFIG:
715ec005 436 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a 437 conn->hcon->type == ACL_LINK) {
c9b66675
GP		 438 __clear_chan_timer(chan);
439 __set_chan_timer(chan, sk->sk_sndtimeo);
4519de9a
GP		 440 l2cap_send_disconn_req(conn, chan, reason);
441 } else
442 l2cap_chan_del(chan, reason);
443 break;
444
445 case BT_CONNECT2:
715ec005 446 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a
GP		 447 conn->hcon->type == ACL_LINK) {
448 struct l2cap_conn_rsp rsp;
449 __u16 result;
450
451 if (bt_sk(sk)->defer_setup)
452 result = L2CAP_CR_SEC_BLOCK;
453 else
454 result = L2CAP_CR_BAD_PSM;
89bc500e 455 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 456
457 rsp.scid = cpu_to_le16(chan->dcid);
458 rsp.dcid = cpu_to_le16(chan->scid);
459 rsp.result = cpu_to_le16(result);
460 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
461 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
462 sizeof(rsp), &rsp);
463 }
464
465 l2cap_chan_del(chan, reason);
466 break;
467
468 case BT_CONNECT:
469 case BT_DISCONN:
470 l2cap_chan_del(chan, reason);
471 break;
472
473 default:
474 sock_set_flag(sk, SOCK_ZAPPED);
475 break;
476 }
477}
478
4343478f 479static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 480{
715ec005 481 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 482 switch (chan->sec_level) {
8556edd3
JH		 483 case BT_SECURITY_HIGH:
484 return HCI_AT_DEDICATED_BONDING_MITM;
485 case BT_SECURITY_MEDIUM:
486 return HCI_AT_DEDICATED_BONDING;
487 default:
488 return HCI_AT_NO_BONDING;
489 }
fe4128e0 490 } else if (chan->psm == cpu_to_le16(0x0001)) {
4343478f
GP		 491 if (chan->sec_level == BT_SECURITY_LOW)
492 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 493
4343478f 494 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 495 return HCI_AT_NO_BONDING_MITM;
00ae4af9 496 else
8556edd3 497 return HCI_AT_NO_BONDING;
00ae4af9 498 } else {
4343478f 499 switch (chan->sec_level) {
00ae4af9 500 case BT_SECURITY_HIGH:
8556edd3 501 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 502 case BT_SECURITY_MEDIUM:
8556edd3 503 return HCI_AT_GENERAL_BONDING;
00ae4af9 504 default:
8556edd3 505 return HCI_AT_NO_BONDING;
00ae4af9 506 }
0684e5f9 507 }
8556edd3
JH		 508}
509
510/* Service level security */
4343478f 511static inline int l2cap_check_security(struct l2cap_chan *chan)
8556edd3 512{
8c1d787b 513 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 514 __u8 auth_type;
515
4343478f 516 auth_type = l2cap_get_auth_type(chan);
79d554a6 517
4343478f 518 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 519}
520
b5ad8b7f 521static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 522{
523 u8 id;
524
525 /* Get next available identificator.
526 * 1 - 128 are used by kernel.
527 * 129 - 199 are reserved.
528 * 200 - 254 are used by utilities like l2ping, etc.
529 */
530
531 spin_lock_bh(&conn->lock);
532
533 if (++conn->tx_ident > 128)
534 conn->tx_ident = 1;
535
536 id = conn->tx_ident;
537
538 spin_unlock_bh(&conn->lock);
539
540 return id;
541}
542
4519de9a 543static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
4e8402a3
MH		 544{
545 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 546 u8 flags;
4e8402a3
MH		 547
548 BT_DBG("code 0x%2.2x", code);
549
550 if (!skb)
9a9c6a34 551 return;
4e8402a3 552
e702112f
AE		 553 if (lmp_no_flush_capable(conn->hcon->hdev))
554 flags = ACL_START_NO_FLUSH;
555 else
556 flags = ACL_START;
557
14b12d0b
JG		 558 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
559
e702112f 560 hci_send_acl(conn->hcon, skb, flags);
4e8402a3
MH		 561}
562
525cd185 563static inline void l2cap_send_sframe(struct l2cap_chan *chan, u16 control)
1c2acffb
GP		 564{
565 struct sk_buff *skb;
566 struct l2cap_hdr *lh;
8c1d787b 567 struct l2cap_conn *conn = chan->conn;
fcc203c3 568 int count, hlen = L2CAP_HDR_SIZE + 2;
e702112f 569 u8 flags;
fcc203c3 570
89bc500e 571 if (chan->state != BT_CONNECTED)
c13ffa62
GP		 572 return;
573
47d1ec61 574 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3 575 hlen += 2;
1c2acffb 576
49208c9c 577 BT_DBG("chan %p, control 0x%2.2x", chan, control);
1c2acffb 578
fcc203c3 579 count = min_t(unsigned int, conn->mtu, hlen);
1c2acffb
GP		 580 control |= L2CAP_CTRL_FRAME_TYPE;
581
e2ab4353 582 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
9e917af1 583 control |= L2CAP_CTRL_FINAL;
9e917af1 584
e2ab4353 585 if (test_and_clear_bit(CONN_SEND_PBIT, &chan->conn_state))
f0946ccf 586 control |= L2CAP_CTRL_POLL;
f0946ccf 587
1c2acffb
GP		 588 skb = bt_skb_alloc(count, GFP_ATOMIC);
589 if (!skb)
9a9c6a34 590 return;
1c2acffb
GP		 591
592 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fcc203c3 593 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
fe4128e0 594 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb
GP		 595 put_unaligned_le16(control, skb_put(skb, 2));
596
47d1ec61 597 if (chan->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 598 u16 fcs = crc16(0, (u8 *)lh, count - 2);
599 put_unaligned_le16(fcs, skb_put(skb, 2));
600 }
601
e702112f
AE		 602 if (lmp_no_flush_capable(conn->hcon->hdev))
603 flags = ACL_START_NO_FLUSH;
604 else
605 flags = ACL_START;
606
14b12d0b
JG		 607 bt_cb(skb)->force_active = chan->force_active;
608
8c1d787b 609 hci_send_acl(chan->conn->hcon, skb, flags);
1c2acffb
GP		 610}
611
525cd185 612static inline void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, u16 control)
7e743090 613{
e2ab4353 614 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
7e743090 615 control |= L2CAP_SUPER_RCV_NOT_READY;
e2ab4353 616 set_bit(CONN_RNR_SENT, &chan->conn_state);
1890d36b 617 } else
7e743090
GP		 618 control |= L2CAP_SUPER_RCV_READY;
619
42e5c802 620 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
2ab25cdd 621
525cd185 622 l2cap_send_sframe(chan, control);
7e743090
GP		 623}
624
b4450035 625static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 626{
c1360a1c 627 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 628}
629
fc7f8a7e 630static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 631{
8c1d787b 632 struct l2cap_conn *conn = chan->conn;
79d554a6
MH		 633
634 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 635 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
636 return;
637
4343478f
GP		 638 if (l2cap_check_security(chan) &&
639 __l2cap_no_conn_pending(chan)) {
b1235d79 640 struct l2cap_conn_req req;
fe4128e0
GP		 641 req.scid = cpu_to_le16(chan->scid);
642 req.psm = chan->psm;
79d554a6 643
fc7f8a7e 644 chan->ident = l2cap_get_ident(conn);
c1360a1c 645 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
79d554a6 646
fc7f8a7e
GP		 647 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
648 sizeof(req), &req);
b1235d79 649 }
79d554a6
MH		 650 } else {
651 struct l2cap_info_req req;
652 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
653
654 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
655 conn->info_ident = l2cap_get_ident(conn);
656
657 mod_timer(&conn->info_timer, jiffies +
658 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
659
660 l2cap_send_cmd(conn, conn->info_ident,
661 L2CAP_INFO_REQ, sizeof(req), &req);
662 }
663}
664
cf6c2c0b
GP		 665static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
666{
667 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 668 if (!disable_ertm)
cf6c2c0b
GP		 669 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
670
671 switch (mode) {
672 case L2CAP_MODE_ERTM:
673 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
674 case L2CAP_MODE_STREAMING:
675 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
676 default:
677 return 0x00;
678 }
679}
680
4519de9a 681static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
22121fc9 682{
e92c8e70 683 struct sock *sk;
22121fc9
GP		 684 struct l2cap_disconn_req req;
685
c13ffa62
GP		 686 if (!conn)
687 return;
688
e92c8e70
GP		 689 sk = chan->sk;
690
0c1bc5c6 691 if (chan->mode == L2CAP_MODE_ERTM) {
1a09bcb9
GP		 692 __clear_retrans_timer(chan);
693 __clear_monitor_timer(chan);
694 __clear_ack_timer(chan);
c13ffa62
GP		 695 }
696
fe4128e0
GP		 697 req.dcid = cpu_to_le16(chan->dcid);
698 req.scid = cpu_to_le16(chan->scid);
22121fc9
GP		 699 l2cap_send_cmd(conn, l2cap_get_ident(conn),
700 L2CAP_DISCONN_REQ, sizeof(req), &req);
c13ffa62 701
89bc500e 702 l2cap_state_change(chan, BT_DISCONN);
9b108fc0 703 sk->sk_err = err;
22121fc9
GP		 704}
705
1da177e4 706/* ---- L2CAP connections ---- */
4e8402a3
MH		 707static void l2cap_conn_start(struct l2cap_conn *conn)
708{
820ffdb3 709 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 710
711 BT_DBG("conn %p", conn);
712
baa7e1fa 713 read_lock(&conn->chan_lock);
4e8402a3 714
820ffdb3 715 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 716 struct sock *sk = chan->sk;
baa7e1fa 717
4e8402a3
MH		 718 bh_lock_sock(sk);
719
715ec005 720 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
79d554a6
MH		 721 bh_unlock_sock(sk);
722 continue;
723 }
724
89bc500e 725 if (chan->state == BT_CONNECT) {
47731de7 726 struct l2cap_conn_req req;
79d554a6 727
4343478f 728 if (!l2cap_check_security(chan) ||
b4450035 729 !__l2cap_no_conn_pending(chan)) {
47731de7
GP		 730 bh_unlock_sock(sk);
731 continue;
732 }
79d554a6 733
c1360a1c
GP		 734 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
735 && test_bit(CONF_STATE2_DEVICE,
736 &chan->conf_state)) {
0f852724 737 /* l2cap_chan_close() calls list_del(chan)
820ffdb3 738 * so release the lock */
2461daac 739 read_unlock(&conn->chan_lock);
89bc500e 740 l2cap_chan_close(chan, ECONNRESET);
2461daac 741 read_lock(&conn->chan_lock);
47731de7
GP		 742 bh_unlock_sock(sk);
743 continue;
b1235d79 744 }
47731de7 745
fe4128e0
GP		 746 req.scid = cpu_to_le16(chan->scid);
747 req.psm = chan->psm;
47731de7 748
fc7f8a7e 749 chan->ident = l2cap_get_ident(conn);
c1360a1c 750 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
47731de7 751
fc7f8a7e
GP		 752 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
753 sizeof(req), &req);
47731de7 754
89bc500e 755 } else if (chan->state == BT_CONNECT2) {
79d554a6 756 struct l2cap_conn_rsp rsp;
e9aeb2dd 757 char buf[128];
fe4128e0
GP		 758 rsp.scid = cpu_to_le16(chan->dcid);
759 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 760
4343478f 761 if (l2cap_check_security(chan)) {
f66dc81f
MH		 762 if (bt_sk(sk)->defer_setup) {
763 struct sock *parent = bt_sk(sk)->parent;
764 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
765 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
05e9a2f6
IK		 766 if (parent)
767 parent->sk_data_ready(parent, 0);
f66dc81f
MH		 768
769 } else {
89bc500e 770 l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 771 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
772 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
773 }
79d554a6
MH		 774 } else {
775 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
776 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
777 }
778
fc7f8a7e
GP		 779 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
780 sizeof(rsp), &rsp);
e9aeb2dd 781
c1360a1c 782 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
e9aeb2dd
GP		 783 rsp.result != L2CAP_CR_SUCCESS) {
784 bh_unlock_sock(sk);
785 continue;
786 }
787
c1360a1c 788 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 789 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 790 l2cap_build_conf_req(chan, buf), buf);
791 chan->num_conf_req++;
4e8402a3
MH		 792 }
793
794 bh_unlock_sock(sk);
795 }
796
baa7e1fa 797 read_unlock(&conn->chan_lock);
4e8402a3
MH		 798}
799
b62f328b
VT		 800/* Find socket with cid and source bdaddr.
801 * Returns closest match, locked.
802 */
23691d75 803static struct l2cap_chan *l2cap_global_chan_by_scid(int state, __le16 cid, bdaddr_t *src)
b62f328b 804{
23691d75 805 struct l2cap_chan *c, *c1 = NULL;
b62f328b 806
23691d75 807 read_lock(&chan_list_lock);
b62f328b 808
23691d75
GP		 809 list_for_each_entry(c, &chan_list, global_l) {
810 struct sock *sk = c->sk;
fe4128e0 811
89bc500e 812 if (state && c->state != state)
b62f328b
VT		 813 continue;
814
23691d75 815 if (c->scid == cid) {
b62f328b 816 /* Exact match. */
23691d75
GP		 817 if (!bacmp(&bt_sk(sk)->src, src)) {
818 read_unlock(&chan_list_lock);
819 return c;
820 }
b62f328b
VT		 821
822 /* Closest match */
823 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
23691d75 824 c1 = c;
b62f328b
VT		 825 }
826 }
280f294f 827
23691d75 828 read_unlock(&chan_list_lock);
b62f328b 829
23691d75 830 return c1;
b62f328b
VT		 831}
832
833static void l2cap_le_conn_ready(struct l2cap_conn *conn)
834{
c916fbe4 835 struct sock *parent, *sk;
23691d75 836 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 837
838 BT_DBG("");
839
840 /* Check if we have socket listening on cid */
23691d75 841 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
b62f328b 842 conn->src);
23691d75 843 if (!pchan)
b62f328b
VT		 844 return;
845
23691d75
GP		 846 parent = pchan->sk;
847
62f3a2cf
GP		 848 bh_lock_sock(parent);
849
b62f328b
VT		 850 /* Check for backlog size */
851 if (sk_acceptq_is_full(parent)) {
852 BT_DBG("backlog full %d", parent->sk_ack_backlog);
853 goto clean;
854 }
855
80808e43
GP		 856 chan = pchan->ops->new_connection(pchan->data);
857 if (!chan)
b62f328b
VT		 858 goto clean;
859
80808e43 860 sk = chan->sk;
5d41ce1d 861
baa7e1fa 862 write_lock_bh(&conn->chan_lock);
b62f328b
VT		 863
864 hci_conn_hold(conn->hcon);
865
b62f328b
VT		 866 bacpy(&bt_sk(sk)->src, conn->src);
867 bacpy(&bt_sk(sk)->dst, conn->dst);
868
d1010240
GP		 869 bt_accept_enqueue(parent, sk);
870
48454079
GP		 871 __l2cap_chan_add(conn, chan);
872
c9b66675 873 __set_chan_timer(chan, sk->sk_sndtimeo);
b62f328b 874
89bc500e 875 l2cap_state_change(chan, BT_CONNECTED);
b62f328b
VT		 876 parent->sk_data_ready(parent, 0);
877
baa7e1fa 878 write_unlock_bh(&conn->chan_lock);
b62f328b
VT		 879
880clean:
881 bh_unlock_sock(parent);
882}
883
f1cb9af5
VCG		 884static void l2cap_chan_ready(struct sock *sk)
885{
886 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
887 struct sock *parent = bt_sk(sk)->parent;
888
889 BT_DBG("sk %p, parent %p", sk, parent);
890
891 chan->conf_state = 0;
892 __clear_chan_timer(chan);
893
43f3dc41 894 l2cap_state_change(chan, BT_CONNECTED);
f1cb9af5
VCG		 895 sk->sk_state_change(sk);
896
897 if (parent)
898 parent->sk_data_ready(parent, 0);
899}
900
4e8402a3
MH		 901static void l2cap_conn_ready(struct l2cap_conn *conn)
902{
48454079 903 struct l2cap_chan *chan;
4e8402a3 904
79d554a6 905 BT_DBG("conn %p", conn);
4e8402a3 906
b62f328b
VT		 907 if (!conn->hcon->out && conn->hcon->type == LE_LINK)
908 l2cap_le_conn_ready(conn);
909
baa7e1fa 910 read_lock(&conn->chan_lock);
4e8402a3 911
baa7e1fa 912 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 913 struct sock *sk = chan->sk;
baa7e1fa 914
79d554a6 915 bh_lock_sock(sk);
4e8402a3 916
63128451 917 if (conn->hcon->type == LE_LINK) {
b501d6a1 918 if (smp_conn_security(conn, chan->sec_level))
f1cb9af5 919 l2cap_chan_ready(sk);
acd7d370 920
63128451 921 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 922 __clear_chan_timer(chan);
89bc500e 923 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 924 sk->sk_state_change(sk);
b501d6a1 925
89bc500e 926 } else if (chan->state == BT_CONNECT)
fc7f8a7e 927 l2cap_do_start(chan);
4e8402a3 928
79d554a6 929 bh_unlock_sock(sk);
4e8402a3 930 }
79d554a6 931
baa7e1fa 932 read_unlock(&conn->chan_lock);
4e8402a3
MH		 933}
934
935/* Notify sockets that we cannot guaranty reliability anymore */
936static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
937{
48454079 938 struct l2cap_chan *chan;
4e8402a3
MH		 939
940 BT_DBG("conn %p", conn);
941
baa7e1fa 942 read_lock(&conn->chan_lock);
4e8402a3 943
baa7e1fa 944 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 945 struct sock *sk = chan->sk;
baa7e1fa 946
4343478f 947 if (chan->force_reliable)
4e8402a3
MH		 948 sk->sk_err = err;
949 }
950
baa7e1fa 951 read_unlock(&conn->chan_lock);
4e8402a3
MH		 952}
953
954static void l2cap_info_timeout(unsigned long arg)
955{
956 struct l2cap_conn *conn = (void *) arg;
957
984947dc 958 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 959 conn->info_ident = 0;
984947dc 960
4e8402a3
MH		 961 l2cap_conn_start(conn);
962}
963
5d3de7df
VCG		 964static void l2cap_conn_del(struct hci_conn *hcon, int err)
965{
966 struct l2cap_conn *conn = hcon->l2cap_data;
967 struct l2cap_chan *chan, *l;
968 struct sock *sk;
969
970 if (!conn)
971 return;
972
973 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
974
975 kfree_skb(conn->rx_skb);
976
977 /* Kill channels */
978 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
979 sk = chan->sk;
980 bh_lock_sock(sk);
981 l2cap_chan_del(chan, err);
982 bh_unlock_sock(sk);
983 chan->ops->close(chan->data);
984 }
985
986 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
987 del_timer_sync(&conn->info_timer);
988
989 if (test_bit(HCI_CONN_ENCRYPT_PEND, &hcon->pend))
990 del_timer(&conn->security_timer);
991
992 hcon->l2cap_data = NULL;
993 kfree(conn);
994}
995
996static void security_timeout(unsigned long arg)
997{
998 struct l2cap_conn *conn = (void *) arg;
999
1000 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1001}
1002
1da177e4
LT		 1003static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1004{
0139418c 1005 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4 1006
0139418c 1007 if (conn || status)
1da177e4
LT		 1008 return conn;
1009
0139418c
MH		 1010 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
1011 if (!conn)
1da177e4 1012 return NULL;
1da177e4
LT		 1013
1014 hcon->l2cap_data = conn;
1015 conn->hcon = hcon;
1016
0139418c
MH		 1017 BT_DBG("hcon %p conn %p", hcon, conn);
1018
acd7d370
VT		 1019 if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
1020 conn->mtu = hcon->hdev->le_mtu;
1021 else
1022 conn->mtu = hcon->hdev->acl_mtu;
1023
1da177e4
LT		 1024 conn->src = &hcon->hdev->bdaddr;
1025 conn->dst = &hcon->dst;
1026
4e8402a3
MH		 1027 conn->feat_mask = 0;
1028
1da177e4 1029 spin_lock_init(&conn->lock);
baa7e1fa
GP		 1030 rwlock_init(&conn->chan_lock);
1031
1032 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 1033
5d3de7df
VCG		 1034 if (hcon->type == LE_LINK)
1035 setup_timer(&conn->security_timer, security_timeout,
1036 (unsigned long) conn);
1037 else
b62f328b 1038 setup_timer(&conn->info_timer, l2cap_info_timeout,
45054dc1
DY		 1039 (unsigned long) conn);
1040
2950f21a
MH		 1041 conn->disc_reason = 0x13;
1042
1da177e4
LT		 1043 return conn;
1044}
1045
48454079 1046static inline void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
1da177e4 1047{
baa7e1fa 1048 write_lock_bh(&conn->chan_lock);
48454079 1049 __l2cap_chan_add(conn, chan);
baa7e1fa 1050 write_unlock_bh(&conn->chan_lock);
1da177e4
LT		 1051}
1052
1da177e4 1053/* ---- Socket interface ---- */
1da177e4
LT		 1054
1055/* Find socket with psm and source bdaddr.
1056 * Returns closest match.
1057 */
23691d75 1058static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm, bdaddr_t *src)
1da177e4 1059{
23691d75 1060 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1061
23691d75 1062 read_lock(&chan_list_lock);
e0f0cb56 1063
23691d75
GP		 1064 list_for_each_entry(c, &chan_list, global_l) {
1065 struct sock *sk = c->sk;
fe4128e0 1066
89bc500e 1067 if (state && c->state != state)
1da177e4
LT		 1068 continue;
1069
23691d75 1070 if (c->psm == psm) {
1da177e4 1071 /* Exact match. */
23691d75 1072 if (!bacmp(&bt_sk(sk)->src, src)) {
a7567b20 1073 read_unlock(&chan_list_lock);
23691d75
GP		 1074 return c;
1075 }
1da177e4
LT		 1076
1077 /* Closest match */
1078 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
23691d75 1079 c1 = c;
1da177e4
LT		 1080 }
1081 }
1da177e4 1082
23691d75 1083 read_unlock(&chan_list_lock);
e0f0cb56 1084
23691d75 1085 return c1;
1da177e4
LT		 1086}
1087
77a74c7e 1088int l2cap_chan_connect(struct l2cap_chan *chan)
1da177e4 1089{
5d41ce1d 1090 struct sock *sk = chan->sk;
1da177e4
LT		 1091 bdaddr_t *src = &bt_sk(sk)->src;
1092 bdaddr_t *dst = &bt_sk(sk)->dst;
1093 struct l2cap_conn *conn;
1094 struct hci_conn *hcon;
1095 struct hci_dev *hdev;
09ab6f4c 1096 __u8 auth_type;
44d0e48e 1097 int err;
1da177e4 1098
f29972de 1099 BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
fe4128e0 1100 chan->psm);
1da177e4 1101
af05b30b
GP		 1102 hdev = hci_get_route(dst, src);
1103 if (!hdev)
1da177e4
LT		 1104 return -EHOSTUNREACH;
1105
1106 hci_dev_lock_bh(hdev);
1107
4343478f 1108 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1109
fe4128e0 1110 if (chan->dcid == L2CAP_CID_LE_DATA)
acd7d370 1111 hcon = hci_connect(hdev, LE_LINK, dst,
4343478f 1112 chan->sec_level, auth_type);
acd7d370
VT		 1113 else
1114 hcon = hci_connect(hdev, ACL_LINK, dst,
4343478f 1115 chan->sec_level, auth_type);
acd7d370 1116
30e76272
VT		 1117 if (IS_ERR(hcon)) {
1118 err = PTR_ERR(hcon);
1da177e4 1119 goto done;
30e76272 1120 }
1da177e4
LT		 1121
1122 conn = l2cap_conn_add(hcon, 0);
1123 if (!conn) {
1124 hci_conn_put(hcon);
30e76272 1125 err = -ENOMEM;
1da177e4
LT		 1126 goto done;
1127 }
1128
1da177e4
LT		 1129 /* Update source addr of the socket */
1130 bacpy(src, conn->src);
1131
48454079
GP		 1132 l2cap_chan_add(conn, chan);
1133
89bc500e 1134 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1135 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1136
1137 if (hcon->state == BT_CONNECTED) {
715ec005 1138 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1139 __clear_chan_timer(chan);
4343478f 1140 if (l2cap_check_security(chan))
89bc500e 1141 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1142 } else
fc7f8a7e 1143 l2cap_do_start(chan);
1da177e4
LT		 1144 }
1145
30e76272
VT		 1146 err = 0;
1147
1da177e4
LT		 1148done:
1149 hci_dev_unlock_bh(hdev);
1150 hci_dev_put(hdev);
1151 return err;
1152}
1153
dcba0dba 1154int __l2cap_wait_ack(struct sock *sk)
6161c038 1155{
8c1d787b 1156 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1157 DECLARE_WAITQUEUE(wait, current);
1158 int err = 0;
1159 int timeo = HZ/5;
1160
2b0b05dd 1161 add_wait_queue(sk_sleep(sk), &wait);
a71a0cf4
PH		 1162 set_current_state(TASK_INTERRUPTIBLE);
1163 while (chan->unacked_frames > 0 && chan->conn) {
6161c038
GP		 1164 if (!timeo)
1165 timeo = HZ/5;
1166
1167 if (signal_pending(current)) {
1168 err = sock_intr_errno(timeo);
1169 break;
1170 }
1171
1172 release_sock(sk);
1173 timeo = schedule_timeout(timeo);
1174 lock_sock(sk);
a71a0cf4 1175 set_current_state(TASK_INTERRUPTIBLE);
6161c038
GP		 1176
1177 err = sock_error(sk);
1178 if (err)
1179 break;
1180 }
1181 set_current_state(TASK_RUNNING);
2b0b05dd 1182 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1183 return err;
1184}
1185
e90bac06
GP		 1186static void l2cap_monitor_timeout(unsigned long arg)
1187{
525cd185
GP		 1188 struct l2cap_chan *chan = (void *) arg;
1189 struct sock *sk = chan->sk;
e90bac06 1190
525cd185 1191 BT_DBG("chan %p", chan);
0e98958d 1192
e686219a 1193 bh_lock_sock(sk);
2c03a7a4 1194 if (chan->retry_count >= chan->remote_max_tx) {
8c1d787b 1195 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
b13f5860 1196 bh_unlock_sock(sk);
e90bac06
GP		 1197 return;
1198 }
1199
6a026610 1200 chan->retry_count++;
1a09bcb9 1201 __set_monitor_timer(chan);
e90bac06 1202
525cd185 1203 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
e686219a 1204 bh_unlock_sock(sk);
e90bac06
GP		 1205}
1206
1207static void l2cap_retrans_timeout(unsigned long arg)
1208{
525cd185
GP		 1209 struct l2cap_chan *chan = (void *) arg;
1210 struct sock *sk = chan->sk;
e90bac06 1211
49208c9c 1212 BT_DBG("chan %p", chan);
0e98958d 1213
e686219a 1214 bh_lock_sock(sk);
6a026610 1215 chan->retry_count = 1;
1a09bcb9 1216 __set_monitor_timer(chan);
e90bac06 1217
e2ab4353 1218 set_bit(CONN_WAIT_F, &chan->conn_state);
e90bac06 1219
525cd185 1220 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
e686219a 1221 bh_unlock_sock(sk);
e90bac06
GP		 1222}
1223
42e5c802 1224static void l2cap_drop_acked_frames(struct l2cap_chan *chan)
1da177e4 1225{
1c2acffb 1226 struct sk_buff *skb;
1da177e4 1227
58d35f87 1228 while ((skb = skb_peek(&chan->tx_q)) &&
6a026610 1229 chan->unacked_frames) {
42e5c802 1230 if (bt_cb(skb)->tx_seq == chan->expected_ack_seq)
1c2acffb 1231 break;
1da177e4 1232
58d35f87 1233 skb = skb_dequeue(&chan->tx_q);
1c2acffb 1234 kfree_skb(skb);
1da177e4 1235
6a026610 1236 chan->unacked_frames--;
1c2acffb 1237 }
1da177e4 1238
6a026610 1239 if (!chan->unacked_frames)
1a09bcb9 1240 __clear_retrans_timer(chan);
1c2acffb 1241}
1da177e4 1242
4343478f 1243void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
1c2acffb 1244{
8c1d787b 1245 struct hci_conn *hcon = chan->conn->hcon;
e702112f 1246 u16 flags;
1c2acffb 1247
4343478f 1248 BT_DBG("chan %p, skb %p len %d", chan, skb, skb->len);
1da177e4 1249
4343478f 1250 if (!chan->flushable && lmp_no_flush_capable(hcon->hdev))
e702112f
AE		 1251 flags = ACL_START_NO_FLUSH;
1252 else
1253 flags = ACL_START;
1254
14b12d0b 1255 bt_cb(skb)->force_active = chan->force_active;
e702112f 1256 hci_send_acl(hcon, skb, flags);
1c2acffb
GP		 1257}
1258
42e5c802 1259void l2cap_streaming_send(struct l2cap_chan *chan)
6840ed07 1260{
ccbb84af 1261 struct sk_buff *skb;
fcc203c3 1262 u16 control, fcs;
6840ed07 1263
58d35f87 1264 while ((skb = skb_dequeue(&chan->tx_q))) {
ccbb84af 1265 control = get_unaligned_le16(skb->data + L2CAP_HDR_SIZE);
42e5c802 1266 control |= chan->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT;
ccbb84af 1267 put_unaligned_le16(control, skb->data + L2CAP_HDR_SIZE);
6840ed07 1268
47d1ec61 1269 if (chan->fcs == L2CAP_FCS_CRC16) {
ccbb84af
GP		 1270 fcs = crc16(0, (u8 *)skb->data, skb->len - 2);
1271 put_unaligned_le16(fcs, skb->data + skb->len - 2);
fcc203c3
GP		 1272 }
1273
4343478f 1274 l2cap_do_send(chan, skb);
6840ed07 1275
42e5c802 1276 chan->next_tx_seq = (chan->next_tx_seq + 1) % 64;
6840ed07 1277 }
6840ed07
GP		 1278}
1279
525cd185 1280static void l2cap_retransmit_one_frame(struct l2cap_chan *chan, u8 tx_seq)
8f17154f 1281{
8f17154f
GP		 1282 struct sk_buff *skb, *tx_skb;
1283 u16 control, fcs;
8f17154f 1284
58d35f87 1285 skb = skb_peek(&chan->tx_q);
f11d676d
GP		 1286 if (!skb)
1287 return;
8f17154f 1288
f11d676d
GP		 1289 do {
1290 if (bt_cb(skb)->tx_seq == tx_seq)
8f17154f 1291 break;
8f17154f 1292
58d35f87 1293 if (skb_queue_is_last(&chan->tx_q, skb))
f11d676d 1294 return;
8f17154f 1295
58d35f87 1296 } while ((skb = skb_queue_next(&chan->tx_q, skb)));
8f17154f 1297
2c03a7a4
GP		 1298 if (chan->remote_max_tx &&
1299 bt_cb(skb)->retries == chan->remote_max_tx) {
8c1d787b 1300 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
f11d676d
GP		 1301 return;
1302 }
1303
1304 tx_skb = skb_clone(skb, GFP_ATOMIC);
1305 bt_cb(skb)->retries++;
1306 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
a429b519 1307 control &= L2CAP_CTRL_SAR;
3cb123d1 1308
e2ab4353 1309 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
3cb123d1 1310 control |= L2CAP_CTRL_FINAL;
95ffa978 1311
42e5c802 1312 control |= (chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
f11d676d 1313 | (tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
3cb123d1 1314
f11d676d
GP		 1315 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1316
47d1ec61 1317 if (chan->fcs == L2CAP_FCS_CRC16) {
f11d676d
GP		 1318 fcs = crc16(0, (u8 *)tx_skb->data, tx_skb->len - 2);
1319 put_unaligned_le16(fcs, tx_skb->data + tx_skb->len - 2);
1320 }
1321
4343478f 1322 l2cap_do_send(chan, tx_skb);
8f17154f
GP		 1323}
1324
525cd185 1325int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1326{
1327 struct sk_buff *skb, *tx_skb;
fcc203c3 1328 u16 control, fcs;
9a9c6a34 1329 int nsent = 0;
1c2acffb 1330
89bc500e 1331 if (chan->state != BT_CONNECTED)
c13ffa62 1332 return -ENOTCONN;
e90bac06 1333
58d35f87 1334 while ((skb = chan->tx_send_head) && (!l2cap_tx_window_full(chan))) {
1c2acffb 1335
2c03a7a4
GP		 1336 if (chan->remote_max_tx &&
1337 bt_cb(skb)->retries == chan->remote_max_tx) {
8c1d787b 1338 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
e90bac06
GP		 1339 break;
1340 }
1341
e420aba3
AE		 1342 tx_skb = skb_clone(skb, GFP_ATOMIC);
1343
e90bac06
GP		 1344 bt_cb(skb)->retries++;
1345
1c2acffb 1346 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
95ffa978
GP		 1347 control &= L2CAP_CTRL_SAR;
1348
e2ab4353 1349 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
d5392c8f 1350 control |= L2CAP_CTRL_FINAL;
e2ab4353 1351
42e5c802
GP		 1352 control |= (chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1353 | (chan->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
1c2acffb
GP		 1354 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1355
e90bac06 1356
47d1ec61 1357 if (chan->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 1358 fcs = crc16(0, (u8 *)skb->data, tx_skb->len - 2);
1359 put_unaligned_le16(fcs, skb->data + tx_skb->len - 2);
1360 }
1361
4343478f 1362 l2cap_do_send(chan, tx_skb);
9a9c6a34 1363
1a09bcb9 1364 __set_retrans_timer(chan);
1c2acffb 1365
42e5c802
GP		 1366 bt_cb(skb)->tx_seq = chan->next_tx_seq;
1367 chan->next_tx_seq = (chan->next_tx_seq + 1) % 64;
1c2acffb 1368
23e9fde2 1369 if (bt_cb(skb)->retries == 1)
6a026610 1370 chan->unacked_frames++;
23e9fde2 1371
6a026610 1372 chan->frames_sent++;
1c2acffb 1373
58d35f87
GP		 1374 if (skb_queue_is_last(&chan->tx_q, skb))
1375 chan->tx_send_head = NULL;
1c2acffb 1376 else
58d35f87 1377 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
9e917af1
GP		 1378
1379 nsent++;
1c2acffb
GP		 1380 }
1381
9e917af1
GP		 1382 return nsent;
1383}
1384
525cd185 1385static int l2cap_retransmit_frames(struct l2cap_chan *chan)
dfc909be 1386{
dfc909be
GP		 1387 int ret;
1388
58d35f87
GP		 1389 if (!skb_queue_empty(&chan->tx_q))
1390 chan->tx_send_head = chan->tx_q.next;
dfc909be 1391
42e5c802 1392 chan->next_tx_seq = chan->expected_ack_seq;
525cd185 1393 ret = l2cap_ertm_send(chan);
dfc909be
GP		 1394 return ret;
1395}
1396
525cd185 1397static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 1398{
9e917af1
GP		 1399 u16 control = 0;
1400
42e5c802 1401 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
9e917af1 1402
e2ab4353 1403 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
9e917af1 1404 control |= L2CAP_SUPER_RCV_NOT_READY;
e2ab4353 1405 set_bit(CONN_RNR_SENT, &chan->conn_state);
525cd185 1406 l2cap_send_sframe(chan, control);
9a9c6a34 1407 return;
9e917af1 1408 }
dfc909be 1409
525cd185 1410 if (l2cap_ertm_send(chan) > 0)
dfc909be
GP		 1411 return;
1412
1413 control |= L2CAP_SUPER_RCV_READY;
525cd185 1414 l2cap_send_sframe(chan, control);
1c2acffb
GP		 1415}
1416
525cd185 1417static void l2cap_send_srejtail(struct l2cap_chan *chan)
99b0d4b7
GP		 1418{
1419 struct srej_list *tail;
1420 u16 control;
1421
1422 control = L2CAP_SUPER_SELECT_REJECT;
1423 control |= L2CAP_CTRL_FINAL;
1424
39d5a3ee 1425 tail = list_entry((&chan->srej_l)->prev, struct srej_list, list);
99b0d4b7
GP		 1426 control |= tail->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1427
525cd185 1428 l2cap_send_sframe(chan, control);
99b0d4b7
GP		 1429}
1430
1c2acffb
GP		 1431static inline int l2cap_skbuff_fromiovec(struct sock *sk, struct msghdr *msg, int len, int count, struct sk_buff *skb)
1432{
8c1d787b 1433 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
1c2acffb
GP		 1434 struct sk_buff **frag;
1435 int err, sent = 0;
1da177e4 1436
59203a21 1437 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1438 return -EFAULT;
1da177e4
LT		 1439
1440 sent += count;
1441 len -= count;
1442
1443 /* Continuation fragments (no L2CAP header) */
1444 frag = &skb_shinfo(skb)->frag_list;
1445 while (len) {
1446 count = min_t(unsigned int, conn->mtu, len);
1447
1448 *frag = bt_skb_send_alloc(sk, count, msg->msg_flags & MSG_DONTWAIT, &err);
1449 if (!*frag)
0175d629 1450 return err;
1c2acffb
GP		 1451 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1452 return -EFAULT;
1da177e4
LT		 1453
1454 sent += count;
1455 len -= count;
1456
1457 frag = &(*frag)->next;
1458 }
1da177e4
LT		 1459
1460 return sent;
1c2acffb 1461}
1da177e4 1462
fe4128e0 1463struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1c2acffb 1464{
fe4128e0 1465 struct sock *sk = chan->sk;
8c1d787b 1466 struct l2cap_conn *conn = chan->conn;
1c2acffb
GP		 1467 struct sk_buff *skb;
1468 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1469 struct l2cap_hdr *lh;
1470
1471 BT_DBG("sk %p len %d", sk, (int)len);
1472
1473 count = min_t(unsigned int, (conn->mtu - hlen), len);
1474 skb = bt_skb_send_alloc(sk, count + hlen,
1475 msg->msg_flags & MSG_DONTWAIT, &err);
1476 if (!skb)
0175d629 1477 return ERR_PTR(err);
1c2acffb
GP		 1478
1479 /* Create L2CAP header */
1480 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1481 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 1482 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
fe4128e0 1483 put_unaligned_le16(chan->psm, skb_put(skb, 2));
1c2acffb
GP		 1484
1485 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1486 if (unlikely(err < 0)) {
1487 kfree_skb(skb);
1488 return ERR_PTR(err);
1489 }
1490 return skb;
1491}
1492
fe4128e0 1493struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1c2acffb 1494{
fe4128e0 1495 struct sock *sk = chan->sk;
8c1d787b 1496 struct l2cap_conn *conn = chan->conn;
1c2acffb
GP		 1497 struct sk_buff *skb;
1498 int err, count, hlen = L2CAP_HDR_SIZE;
1499 struct l2cap_hdr *lh;
1500
1501 BT_DBG("sk %p len %d", sk, (int)len);
1502
1503 count = min_t(unsigned int, (conn->mtu - hlen), len);
1504 skb = bt_skb_send_alloc(sk, count + hlen,
1505 msg->msg_flags & MSG_DONTWAIT, &err);
1506 if (!skb)
0175d629 1507 return ERR_PTR(err);
1c2acffb
GP		 1508
1509 /* Create L2CAP header */
1510 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1511 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb
GP		 1512 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1513
1514 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1515 if (unlikely(err < 0)) {
1516 kfree_skb(skb);
1517 return ERR_PTR(err);
1518 }
1519 return skb;
1520}
1521
47d1ec61 1522struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len, u16 control, u16 sdulen)
1c2acffb 1523{
47d1ec61 1524 struct sock *sk = chan->sk;
8c1d787b 1525 struct l2cap_conn *conn = chan->conn;
1c2acffb
GP		 1526 struct sk_buff *skb;
1527 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1528 struct l2cap_hdr *lh;
1529
1530 BT_DBG("sk %p len %d", sk, (int)len);
1531
0ee0d208
GP		 1532 if (!conn)
1533 return ERR_PTR(-ENOTCONN);
1534
c74e560c
GP		 1535 if (sdulen)
1536 hlen += 2;
1537
47d1ec61 1538 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3
GP		 1539 hlen += 2;
1540
1c2acffb
GP		 1541 count = min_t(unsigned int, (conn->mtu - hlen), len);
1542 skb = bt_skb_send_alloc(sk, count + hlen,
1543 msg->msg_flags & MSG_DONTWAIT, &err);
1544 if (!skb)
0175d629 1545 return ERR_PTR(err);
1c2acffb
GP		 1546
1547 /* Create L2CAP header */
1548 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1549 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb
GP		 1550 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1551 put_unaligned_le16(control, skb_put(skb, 2));
c74e560c
GP		 1552 if (sdulen)
1553 put_unaligned_le16(sdulen, skb_put(skb, 2));
1c2acffb
GP		 1554
1555 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1556 if (unlikely(err < 0)) {
1557 kfree_skb(skb);
1558 return ERR_PTR(err);
1559 }
e90bac06 1560
47d1ec61 1561 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3
GP		 1562 put_unaligned_le16(0, skb_put(skb, 2));
1563
e90bac06 1564 bt_cb(skb)->retries = 0;
1c2acffb 1565 return skb;
1da177e4
LT		 1566}
1567
2c03a7a4 1568int l2cap_sar_segment_sdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
c74e560c 1569{
c74e560c
GP		 1570 struct sk_buff *skb;
1571 struct sk_buff_head sar_queue;
1572 u16 control;
1573 size_t size = 0;
1574
ff12fd64 1575 skb_queue_head_init(&sar_queue);
c74e560c 1576 control = L2CAP_SDU_START;
47d1ec61 1577 skb = l2cap_create_iframe_pdu(chan, msg, chan->remote_mps, control, len);
c74e560c
GP		 1578 if (IS_ERR(skb))
1579 return PTR_ERR(skb);
1580
1581 __skb_queue_tail(&sar_queue, skb);
2c03a7a4
GP		 1582 len -= chan->remote_mps;
1583 size += chan->remote_mps;
c74e560c
GP		 1584
1585 while (len > 0) {
1586 size_t buflen;
1587
2c03a7a4 1588 if (len > chan->remote_mps) {
44651b85 1589 control = L2CAP_SDU_CONTINUE;
2c03a7a4 1590 buflen = chan->remote_mps;
c74e560c 1591 } else {
44651b85 1592 control = L2CAP_SDU_END;
c74e560c
GP		 1593 buflen = len;
1594 }
1595
47d1ec61 1596 skb = l2cap_create_iframe_pdu(chan, msg, buflen, control, 0);
c74e560c
GP		 1597 if (IS_ERR(skb)) {
1598 skb_queue_purge(&sar_queue);
1599 return PTR_ERR(skb);
1600 }
1601
1602 __skb_queue_tail(&sar_queue, skb);
1603 len -= buflen;
1604 size += buflen;
c74e560c 1605 }
58d35f87
GP		 1606 skb_queue_splice_tail(&sar_queue, &chan->tx_q);
1607 if (chan->tx_send_head == NULL)
1608 chan->tx_send_head = sar_queue.next;
c74e560c
GP		 1609
1610 return size;
1611}
1612
9a91a04a
GP		 1613int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1614{
9a91a04a
GP		 1615 struct sk_buff *skb;
1616 u16 control;
1617 int err;
1618
1619 /* Connectionless channel */
715ec005 1620 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
9a91a04a
GP		 1621 skb = l2cap_create_connless_pdu(chan, msg, len);
1622 if (IS_ERR(skb))
1623 return PTR_ERR(skb);
1624
1625 l2cap_do_send(chan, skb);
1626 return len;
1627 }
1628
1629 switch (chan->mode) {
1630 case L2CAP_MODE_BASIC:
1631 /* Check outgoing MTU */
1632 if (len > chan->omtu)
1633 return -EMSGSIZE;
1634
1635 /* Create a basic PDU */
1636 skb = l2cap_create_basic_pdu(chan, msg, len);
1637 if (IS_ERR(skb))
1638 return PTR_ERR(skb);
1639
1640 l2cap_do_send(chan, skb);
1641 err = len;
1642 break;
1643
1644 case L2CAP_MODE_ERTM:
1645 case L2CAP_MODE_STREAMING:
1646 /* Entire SDU fits into one PDU */
1647 if (len <= chan->remote_mps) {
1648 control = L2CAP_SDU_UNSEGMENTED;
1649 skb = l2cap_create_iframe_pdu(chan, msg, len, control,
1650 0);
1651 if (IS_ERR(skb))
1652 return PTR_ERR(skb);
1653
1654 __skb_queue_tail(&chan->tx_q, skb);
1655
1656 if (chan->tx_send_head == NULL)
1657 chan->tx_send_head = skb;
1658
1659 } else {
1660 /* Segment SDU into multiples PDUs */
1661 err = l2cap_sar_segment_sdu(chan, msg, len);
1662 if (err < 0)
1663 return err;
1664 }
1665
1666 if (chan->mode == L2CAP_MODE_STREAMING) {
1667 l2cap_streaming_send(chan);
1668 err = len;
1669 break;
1670 }
1671
e2ab4353
GP		 1672 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
1673 test_bit(CONN_WAIT_F, &chan->conn_state)) {
9a91a04a
GP		 1674 err = len;
1675 break;
1676 }
1677
1678 err = l2cap_ertm_send(chan);
1679 if (err >= 0)
1680 err = len;
1681
1682 break;
1683
1684 default:
1685 BT_DBG("bad state %1.1x", chan->mode);
1686 err = -EBADFD;
1687 }
1688
1689 return err;
1690}
1691
1da177e4
LT		 1692/* Copy frame to all raw sockets on that connection */
1693static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
1694{
1da177e4 1695 struct sk_buff *nskb;
48454079 1696 struct l2cap_chan *chan;
1da177e4
LT		 1697
1698 BT_DBG("conn %p", conn);
1699
baa7e1fa
GP		 1700 read_lock(&conn->chan_lock);
1701 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 1702 struct sock *sk = chan->sk;
715ec005 1703 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 1704 continue;
1705
1706 /* Don't send frame to the socket it came from */
1707 if (skb->sk == sk)
1708 continue;
af05b30b
GP		 1709 nskb = skb_clone(skb, GFP_ATOMIC);
1710 if (!nskb)
1da177e4
LT		 1711 continue;
1712
23070494 1713 if (chan->ops->recv(chan->data, nskb))
1da177e4
LT		 1714 kfree_skb(nskb);
1715 }
baa7e1fa 1716 read_unlock(&conn->chan_lock);
1da177e4
LT		 1717}
1718
1719/* ---- L2CAP signalling commands ---- */
1720static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
1721 u8 code, u8 ident, u16 dlen, void *data)
1722{
1723 struct sk_buff *skb, **frag;
1724 struct l2cap_cmd_hdr *cmd;
1725 struct l2cap_hdr *lh;
1726 int len, count;
1727
af05b30b
GP		 1728 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
1729 conn, code, ident, dlen);
1da177e4
LT		 1730
1731 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
1732 count = min_t(unsigned int, conn->mtu, len);
1733
1734 skb = bt_skb_alloc(count, GFP_ATOMIC);
1735 if (!skb)
1736 return NULL;
1737
1738 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 1739 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 1740
1741 if (conn->hcon->type == LE_LINK)
1742 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
1743 else
1744 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 1745
1746 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
1747 cmd->code = code;
1748 cmd->ident = ident;
aca3192c 1749 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 1750
1751 if (dlen) {
1752 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
1753 memcpy(skb_put(skb, count), data, count);
1754 data += count;
1755 }
1756
1757 len -= skb->len;
1758
1759 /* Continuation fragments (no L2CAP header) */
1760 frag = &skb_shinfo(skb)->frag_list;
1761 while (len) {
1762 count = min_t(unsigned int, conn->mtu, len);
1763
1764 *frag = bt_skb_alloc(count, GFP_ATOMIC);
1765 if (!*frag)
1766 goto fail;
1767
1768 memcpy(skb_put(*frag, count), data, count);
1769
1770 len -= count;
1771 data += count;
1772
1773 frag = &(*frag)->next;
1774 }
1775
1776 return skb;
1777
1778fail:
1779 kfree_skb(skb);
1780 return NULL;
1781}
1782
1783static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
1784{
1785 struct l2cap_conf_opt *opt = *ptr;
1786 int len;
1787
1788 len = L2CAP_CONF_OPT_SIZE + opt->len;
1789 *ptr += len;
1790
1791 *type = opt->type;
1792 *olen = opt->len;
1793
1794 switch (opt->len) {
1795 case 1:
1796 *val = *((u8 *) opt->val);
1797 break;
1798
1799 case 2:
bfaaeb3e 1800 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 1801 break;
1802
1803 case 4:
bfaaeb3e 1804 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 1805 break;
1806
1807 default:
1808 *val = (unsigned long) opt->val;
1809 break;
1810 }
1811
1812 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
1813 return len;
1814}
1815
1da177e4
LT		 1816static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
1817{
1818 struct l2cap_conf_opt *opt = *ptr;
1819
1820 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
1821
1822 opt->type = type;
1823 opt->len = len;
1824
1825 switch (len) {
1826 case 1:
1827 *((u8 *) opt->val) = val;
1828 break;
1829
1830 case 2:
4f8b691c 1831 put_unaligned_le16(val, opt->val);
1da177e4
LT		 1832 break;
1833
1834 case 4:
4f8b691c 1835 put_unaligned_le32(val, opt->val);
1da177e4
LT		 1836 break;
1837
1838 default:
1839 memcpy(opt->val, (void *) val, len);
1840 break;
1841 }
1842
1843 *ptr += L2CAP_CONF_OPT_SIZE + len;
1844}
1845
c1b4f43b
GP		 1846static void l2cap_ack_timeout(unsigned long arg)
1847{
525cd185 1848 struct l2cap_chan *chan = (void *) arg;
c1b4f43b 1849
525cd185
GP		 1850 bh_lock_sock(chan->sk);
1851 l2cap_send_ack(chan);
1852 bh_unlock_sock(chan->sk);
c1b4f43b
GP		 1853}
1854
525cd185 1855static inline void l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 1856{
525cd185
GP		 1857 struct sock *sk = chan->sk;
1858
42e5c802 1859 chan->expected_ack_seq = 0;
6a026610 1860 chan->unacked_frames = 0;
42e5c802 1861 chan->buffer_seq = 0;
6a026610
GP		 1862 chan->num_acked = 0;
1863 chan->frames_sent = 0;
0565c1c2 1864
e92c8e70
GP		 1865 setup_timer(&chan->retrans_timer, l2cap_retrans_timeout,
1866 (unsigned long) chan);
1867 setup_timer(&chan->monitor_timer, l2cap_monitor_timeout,
1868 (unsigned long) chan);
1869 setup_timer(&chan->ack_timer, l2cap_ack_timeout, (unsigned long) chan);
0565c1c2 1870
f1c6775b 1871 skb_queue_head_init(&chan->srej_q);
1890d36b 1872
39d5a3ee
GP		 1873 INIT_LIST_HEAD(&chan->srej_l);
1874
218bb9df
GP		 1875
1876 sk->sk_backlog_rcv = l2cap_ertm_data_rcv;
0565c1c2
GP		 1877}
1878
f2fcfcd6
GP		 1879static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
1880{
1881 switch (mode) {
1882 case L2CAP_MODE_STREAMING:
1883 case L2CAP_MODE_ERTM:
1884 if (l2cap_mode_supported(mode, remote_feat_mask))
1885 return mode;
1886 /* fall through */
1887 default:
1888 return L2CAP_MODE_BASIC;
1889 }
1890}
1891
710f9b0a 1892static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 1893{
1da177e4 1894 struct l2cap_conf_req *req = data;
0c1bc5c6 1895 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4
LT		 1896 void *ptr = req->data;
1897
49208c9c 1898 BT_DBG("chan %p", chan);
1da177e4 1899
73ffa904 1900 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 1901 goto done;
1902
0c1bc5c6 1903 switch (chan->mode) {
f2fcfcd6
GP		 1904 case L2CAP_MODE_STREAMING:
1905 case L2CAP_MODE_ERTM:
c1360a1c 1906 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 1907 break;
85eb53c6 1908
2ba13ed6 1909 /* fall through */
f2fcfcd6 1910 default:
8c1d787b 1911 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 1912 break;
1913 }
1914
1915done:
0c1bc5c6
GP		 1916 if (chan->imtu != L2CAP_DEFAULT_MTU)
1917 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 1918
0c1bc5c6 1919 switch (chan->mode) {
65c7c491 1920 case L2CAP_MODE_BASIC:
8c1d787b
GP		 1921 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
1922 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 1923 break;
1924
62547752
GP		 1925 rfc.mode = L2CAP_MODE_BASIC;
1926 rfc.txwin_size = 0;
1927 rfc.max_transmit = 0;
1928 rfc.retrans_timeout = 0;
1929 rfc.monitor_timeout = 0;
1930 rfc.max_pdu_size = 0;
1931
63406504
GP		 1932 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
1933 (unsigned long) &rfc);
65c7c491
MH		 1934 break;
1935
1936 case L2CAP_MODE_ERTM:
1937 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61
GP		 1938 rfc.txwin_size = chan->tx_win;
1939 rfc.max_transmit = chan->max_tx;
f2fcfcd6
GP		 1940 rfc.retrans_timeout = 0;
1941 rfc.monitor_timeout = 0;
c74e560c 1942 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
8c1d787b
GP		 1943 if (L2CAP_DEFAULT_MAX_PDU_SIZE > chan->conn->mtu - 10)
1944 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
f2fcfcd6 1945
63406504
GP		 1946 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
1947 (unsigned long) &rfc);
1948
8c1d787b 1949 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 1950 break;
1951
47d1ec61 1952 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 1953 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 1954 chan->fcs = L2CAP_FCS_NONE;
1955 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 1956 }
f2fcfcd6
GP		 1957 break;
1958
1959 case L2CAP_MODE_STREAMING:
1960 rfc.mode = L2CAP_MODE_STREAMING;
1961 rfc.txwin_size = 0;
1962 rfc.max_transmit = 0;
1963 rfc.retrans_timeout = 0;
1964 rfc.monitor_timeout = 0;
c74e560c 1965 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
8c1d787b
GP		 1966 if (L2CAP_DEFAULT_MAX_PDU_SIZE > chan->conn->mtu - 10)
1967 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
65c7c491 1968
63406504
GP		 1969 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
1970 (unsigned long) &rfc);
1971
8c1d787b 1972 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 1973 break;
1974
47d1ec61 1975 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 1976 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 1977 chan->fcs = L2CAP_FCS_NONE;
1978 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 1979 }
65c7c491
MH		 1980 break;
1981 }
1da177e4 1982
fe4128e0 1983 req->dcid = cpu_to_le16(chan->dcid);
aca3192c 1984 req->flags = cpu_to_le16(0);
1da177e4
LT		 1985
1986 return ptr - data;
1987}
1988
73ffa904 1989static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 1990{
5dee9e7c
MH		 1991 struct l2cap_conf_rsp *rsp = data;
1992 void *ptr = rsp->data;
73ffa904
GP		 1993 void *req = chan->conf_req;
1994 int len = chan->conf_len;
5dee9e7c
MH		 1995 int type, hint, olen;
1996 unsigned long val;
6464f35f 1997 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
861d6882 1998 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 1999 u16 result = L2CAP_CONF_SUCCESS;
1da177e4 2000
73ffa904 2001 BT_DBG("chan %p", chan);
820ae1b8 2002
5dee9e7c
MH		 2003 while (len >= L2CAP_CONF_OPT_SIZE) {
2004 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 2005
589d2746 2006 hint = type & L2CAP_CONF_HINT;
47ec1dcd 2007 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 2008
2009 switch (type) {
2010 case L2CAP_CONF_MTU:
861d6882 2011 mtu = val;
5dee9e7c
MH		 2012 break;
2013
2014 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2015 chan->flush_to = val;
5dee9e7c
MH		 2016 break;
2017
2018 case L2CAP_CONF_QOS:
2019 break;
2020
6464f35f
MH		 2021 case L2CAP_CONF_RFC:
2022 if (olen == sizeof(rfc))
2023 memcpy(&rfc, (void *) val, olen);
2024 break;
2025
fcc203c3
GP		 2026 case L2CAP_CONF_FCS:
2027 if (val == L2CAP_FCS_NONE)
c1360a1c 2028 set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
fcc203c3
GP		 2029
2030 break;
2031
5dee9e7c
MH		 2032 default:
2033 if (hint)
2034 break;
2035
2036 result = L2CAP_CONF_UNKNOWN;
2037 *((u8 *) ptr++) = type;
2038 break;
2039 }
2040 }
2041
73ffa904 2042 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 2043 goto done;
2044
0c1bc5c6 2045 switch (chan->mode) {
f2fcfcd6
GP		 2046 case L2CAP_MODE_STREAMING:
2047 case L2CAP_MODE_ERTM:
c1360a1c 2048 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 2049 chan->mode = l2cap_select_mode(rfc.mode,
8c1d787b 2050 chan->conn->feat_mask);
85eb53c6
GP		 2051 break;
2052 }
2053
0c1bc5c6 2054 if (chan->mode != rfc.mode)
f2fcfcd6 2055 return -ECONNREFUSED;
742e519b 2056
f2fcfcd6 2057 break;
f2fcfcd6
GP		 2058 }
2059
2060done:
0c1bc5c6 2061 if (chan->mode != rfc.mode) {
f2fcfcd6 2062 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2063 rfc.mode = chan->mode;
f2fcfcd6 2064
73ffa904 2065 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 2066 return -ECONNREFUSED;
2067
2068 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2069 sizeof(rfc), (unsigned long) &rfc);
2070 }
2071
2072
5dee9e7c
MH		 2073 if (result == L2CAP_CONF_SUCCESS) {
2074 /* Configure output options and let the other side know
2075 * which ones we don't like. */
2076
f2fcfcd6
GP		 2077 if (mtu < L2CAP_DEFAULT_MIN_MTU)
2078 result = L2CAP_CONF_UNACCEPT;
2079 else {
0c1bc5c6 2080 chan->omtu = mtu;
c1360a1c 2081 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 2082 }
0c1bc5c6 2083 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 2084
f2fcfcd6
GP		 2085 switch (rfc.mode) {
2086 case L2CAP_MODE_BASIC:
47d1ec61 2087 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 2088 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 2089 break;
2090
2091 case L2CAP_MODE_ERTM:
2c03a7a4
GP		 2092 chan->remote_tx_win = rfc.txwin_size;
2093 chan->remote_max_tx = rfc.max_transmit;
86b1b263 2094
8c1d787b
GP		 2095 if (le16_to_cpu(rfc.max_pdu_size) > chan->conn->mtu - 10)
2096 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
1c762159 2097
2c03a7a4 2098 chan->remote_mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6 2099
10467e9e
GP		 2100 rfc.retrans_timeout =
2101 le16_to_cpu(L2CAP_DEFAULT_RETRANS_TO);
2102 rfc.monitor_timeout =
2103 le16_to_cpu(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6 2104
c1360a1c 2105 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 2106
2107 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2108 sizeof(rfc), (unsigned long) &rfc);
2109
f2fcfcd6
GP		 2110 break;
2111
2112 case L2CAP_MODE_STREAMING:
8c1d787b
GP		 2113 if (le16_to_cpu(rfc.max_pdu_size) > chan->conn->mtu - 10)
2114 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
1c762159 2115
2c03a7a4 2116 chan->remote_mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6 2117
c1360a1c 2118 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 2119
2120 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2121 sizeof(rfc), (unsigned long) &rfc);
2122
f2fcfcd6
GP		 2123 break;
2124
2125 default:
5dee9e7c 2126 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 2127
6464f35f 2128 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 2129 rfc.mode = chan->mode;
f2fcfcd6 2130 }
6464f35f 2131
f2fcfcd6 2132 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 2133 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 2134 }
fe4128e0 2135 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c
MH		 2136 rsp->result = cpu_to_le16(result);
2137 rsp->flags = cpu_to_le16(0x0000);
2138
2139 return ptr - data;
1da177e4
LT		 2140}
2141
b4450035 2142static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
f2fcfcd6 2143{
f2fcfcd6
GP		 2144 struct l2cap_conf_req *req = data;
2145 void *ptr = req->data;
2146 int type, olen;
2147 unsigned long val;
2148 struct l2cap_conf_rfc rfc;
2149
fe4128e0 2150 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 2151
2152 while (len >= L2CAP_CONF_OPT_SIZE) {
2153 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2154
2155 switch (type) {
2156 case L2CAP_CONF_MTU:
2157 if (val < L2CAP_DEFAULT_MIN_MTU) {
2158 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2159 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 2160 } else
0c1bc5c6
GP		 2161 chan->imtu = val;
2162 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 2163 break;
2164
2165 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2166 chan->flush_to = val;
f2fcfcd6 2167 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
0c1bc5c6 2168 2, chan->flush_to);
f2fcfcd6
GP		 2169 break;
2170
2171 case L2CAP_CONF_RFC:
2172 if (olen == sizeof(rfc))
2173 memcpy(&rfc, (void *)val, olen);
2174
c1360a1c 2175 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
0c1bc5c6 2176 rfc.mode != chan->mode)
f2fcfcd6
GP		 2177 return -ECONNREFUSED;
2178
47d1ec61 2179 chan->fcs = 0;
f2fcfcd6
GP		 2180
2181 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2182 sizeof(rfc), (unsigned long) &rfc);
2183 break;
2184 }
2185 }
2186
0c1bc5c6 2187 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 2188 return -ECONNREFUSED;
2189
0c1bc5c6 2190 chan->mode = rfc.mode;
6c2ea7a8 2191
f2fcfcd6
GP		 2192 if (*result == L2CAP_CONF_SUCCESS) {
2193 switch (rfc.mode) {
2194 case L2CAP_MODE_ERTM:
47d1ec61
GP		 2195 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2196 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2197 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2198 break;
2199 case L2CAP_MODE_STREAMING:
47d1ec61 2200 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2201 }
2202 }
2203
fe4128e0 2204 req->dcid = cpu_to_le16(chan->dcid);
f2fcfcd6
GP		 2205 req->flags = cpu_to_le16(0x0000);
2206
2207 return ptr - data;
2208}
2209
fe4128e0 2210static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
1da177e4
LT		 2211{
2212 struct l2cap_conf_rsp *rsp = data;
2213 void *ptr = rsp->data;
1da177e4 2214
fe4128e0 2215 BT_DBG("chan %p", chan);
1da177e4 2216
fe4128e0 2217 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 2218 rsp->result = cpu_to_le16(result);
aca3192c 2219 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 2220
2221 return ptr - data;
2222}
2223
8c1d787b 2224void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 2225{
2226 struct l2cap_conn_rsp rsp;
8c1d787b 2227 struct l2cap_conn *conn = chan->conn;
710f9b0a
GP		 2228 u8 buf[128];
2229
fe4128e0
GP		 2230 rsp.scid = cpu_to_le16(chan->dcid);
2231 rsp.dcid = cpu_to_le16(chan->scid);
710f9b0a
GP		 2232 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
2233 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
2234 l2cap_send_cmd(conn, chan->ident,
2235 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2236
c1360a1c 2237 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 2238 return;
2239
710f9b0a
GP		 2240 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2241 l2cap_build_conf_req(chan, buf), buf);
2242 chan->num_conf_req++;
2243}
2244
47d1ec61 2245static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 2246{
7b1c0049
GP		 2247 int type, olen;
2248 unsigned long val;
2249 struct l2cap_conf_rfc rfc;
2250
47d1ec61 2251 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 2252
0c1bc5c6 2253 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 2254 return;
2255
2256 while (len >= L2CAP_CONF_OPT_SIZE) {
2257 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2258
2259 switch (type) {
2260 case L2CAP_CONF_RFC:
2261 if (olen == sizeof(rfc))
2262 memcpy(&rfc, (void *)val, olen);
2263 goto done;
2264 }
2265 }
2266
2267done:
2268 switch (rfc.mode) {
2269 case L2CAP_MODE_ERTM:
47d1ec61
GP		 2270 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2271 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2272 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2273 break;
2274 case L2CAP_MODE_STREAMING:
47d1ec61 2275 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2276 }
2277}
2278
4e8402a3
MH		 2279static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2280{
e2fd318e 2281 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 2282
e2fd318e 2283 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 2284 return 0;
2285
2286 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2287 cmd->ident == conn->info_ident) {
4e8402a3 2288 del_timer(&conn->info_timer);
984947dc
MH		 2289
2290 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2291 conn->info_ident = 0;
984947dc 2292
4e8402a3
MH		 2293 l2cap_conn_start(conn);
2294 }
2295
2296 return 0;
2297}
2298
1da177e4
LT		 2299static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2300{
1da177e4
LT		 2301 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
2302 struct l2cap_conn_rsp rsp;
23691d75 2303 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 2304 struct sock *parent, *sk = NULL;
e7c29cb1 2305 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2306
2307 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 2308 __le16 psm = req->psm;
1da177e4
LT		 2309
2310 BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
2311
2312 /* Check if we have socket listening on psm */
23691d75
GP		 2313 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src);
2314 if (!pchan) {
1da177e4
LT		 2315 result = L2CAP_CR_BAD_PSM;
2316 goto sendresp;
2317 }
2318
23691d75
GP		 2319 parent = pchan->sk;
2320
e0f0cb56
GP		 2321 bh_lock_sock(parent);
2322
e7c29cb1
MH		 2323 /* Check if the ACL is secure enough (if not SDP) */
2324 if (psm != cpu_to_le16(0x0001) &&
2325 !hci_conn_check_link_mode(conn->hcon)) {
2950f21a 2326 conn->disc_reason = 0x05;
e7c29cb1
MH		 2327 result = L2CAP_CR_SEC_BLOCK;
2328 goto response;
2329 }
2330
1da177e4
LT		 2331 result = L2CAP_CR_NO_MEM;
2332
2333 /* Check for backlog size */
2334 if (sk_acceptq_is_full(parent)) {
8e87d142 2335 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1da177e4
LT		 2336 goto response;
2337 }
2338
80808e43
GP		 2339 chan = pchan->ops->new_connection(pchan->data);
2340 if (!chan)
1da177e4
LT		 2341 goto response;
2342
80808e43
GP		 2343 sk = chan->sk;
2344
baa7e1fa 2345 write_lock_bh(&conn->chan_lock);
1da177e4
LT		 2346
2347 /* Check if we already have channel with that dcid */
baa7e1fa
GP		 2348 if (__l2cap_get_chan_by_dcid(conn, scid)) {
2349 write_unlock_bh(&conn->chan_lock);
1da177e4 2350 sock_set_flag(sk, SOCK_ZAPPED);
ba3bd0ee 2351 chan->ops->close(chan->data);
1da177e4
LT		 2352 goto response;
2353 }
2354
2355 hci_conn_hold(conn->hcon);
2356
1da177e4
LT		 2357 bacpy(&bt_sk(sk)->src, conn->src);
2358 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 2359 chan->psm = psm;
2360 chan->dcid = scid;
1da177e4 2361
d1010240
GP		 2362 bt_accept_enqueue(parent, sk);
2363
48454079
GP		 2364 __l2cap_chan_add(conn, chan);
2365
fe4128e0 2366 dcid = chan->scid;
1da177e4 2367
c9b66675 2368 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 2369
fc7f8a7e 2370 chan->ident = cmd->ident;
1da177e4 2371
984947dc 2372 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
4343478f 2373 if (l2cap_check_security(chan)) {
f66dc81f 2374 if (bt_sk(sk)->defer_setup) {
89bc500e 2375 l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 2376 result = L2CAP_CR_PEND;
2377 status = L2CAP_CS_AUTHOR_PEND;
2378 parent->sk_data_ready(parent, 0);
2379 } else {
89bc500e 2380 l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 2381 result = L2CAP_CR_SUCCESS;
2382 status = L2CAP_CS_NO_INFO;
2383 }
79d554a6 2384 } else {
89bc500e 2385 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 2386 result = L2CAP_CR_PEND;
2387 status = L2CAP_CS_AUTHEN_PEND;
2388 }
2389 } else {
89bc500e 2390 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 2391 result = L2CAP_CR_PEND;
2392 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2393 }
2394
baa7e1fa 2395 write_unlock_bh(&conn->chan_lock);
1da177e4
LT		 2396
2397response:
2398 bh_unlock_sock(parent);
2399
2400sendresp:
aca3192c
YH		 2401 rsp.scid = cpu_to_le16(scid);
2402 rsp.dcid = cpu_to_le16(dcid);
2403 rsp.result = cpu_to_le16(result);
2404 rsp.status = cpu_to_le16(status);
1da177e4 2405 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 2406
2407 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
2408 struct l2cap_info_req info;
2409 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2410
2411 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
2412 conn->info_ident = l2cap_get_ident(conn);
2413
2414 mod_timer(&conn->info_timer, jiffies +
2415 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
2416
2417 l2cap_send_cmd(conn, conn->info_ident,
2418 L2CAP_INFO_REQ, sizeof(info), &info);
2419 }
2420
c1360a1c 2421 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
e9aeb2dd
GP		 2422 result == L2CAP_CR_SUCCESS) {
2423 u8 buf[128];
c1360a1c 2424 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 2425 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2426 l2cap_build_conf_req(chan, buf), buf);
2427 chan->num_conf_req++;
e9aeb2dd
GP		 2428 }
2429
1da177e4
LT		 2430 return 0;
2431}
2432
2433static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2434{
2435 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
2436 u16 scid, dcid, result, status;
48454079 2437 struct l2cap_chan *chan;
1da177e4
LT		 2438 struct sock *sk;
2439 u8 req[128];
2440
2441 scid = __le16_to_cpu(rsp->scid);
2442 dcid = __le16_to_cpu(rsp->dcid);
2443 result = __le16_to_cpu(rsp->result);
2444 status = __le16_to_cpu(rsp->status);
2445
2446 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status);
2447
2448 if (scid) {
baa7e1fa 2449 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2450 if (!chan)
57d3b22b 2451 return -EFAULT;
1da177e4 2452 } else {
baa7e1fa 2453 chan = l2cap_get_chan_by_ident(conn, cmd->ident);
48454079 2454 if (!chan)
57d3b22b 2455 return -EFAULT;
1da177e4
LT		 2456 }
2457
48454079
GP		 2458 sk = chan->sk;
2459
1da177e4
LT		 2460 switch (result) {
2461 case L2CAP_CR_SUCCESS:
89bc500e 2462 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 2463 chan->ident = 0;
fe4128e0 2464 chan->dcid = dcid;
c1360a1c 2465 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 2466
c1360a1c 2467 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 2468 break;
2469
1da177e4 2470 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2471 l2cap_build_conf_req(chan, req), req);
2472 chan->num_conf_req++;
1da177e4
LT		 2473 break;
2474
2475 case L2CAP_CR_PEND:
c1360a1c 2476 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 2477 break;
2478
2479 default:
a49184c2
AE		 2480 /* don't delete l2cap channel if sk is owned by user */
2481 if (sock_owned_by_user(sk)) {
89bc500e 2482 l2cap_state_change(chan, BT_DISCONN);
c9b66675
GP		 2483 __clear_chan_timer(chan);
2484 __set_chan_timer(chan, HZ / 5);
a49184c2
AE		 2485 break;
2486 }
2487
48454079 2488 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 2489 break;
2490 }
2491
2492 bh_unlock_sock(sk);
2493 return 0;
2494}
2495
47d1ec61 2496static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 2497{
2498 /* FCS is enabled only in ERTM or streaming mode, if one or both
2499 * sides request it.
2500 */
0c1bc5c6 2501 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 2502 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 2503 else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
47d1ec61 2504 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 2505}
2506
88219a0f 2507static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 2508{
2509 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
2510 u16 dcid, flags;
2511 u8 rsp[64];
48454079 2512 struct l2cap_chan *chan;
1da177e4 2513 struct sock *sk;
5dee9e7c 2514 int len;
1da177e4
LT		 2515
2516 dcid = __le16_to_cpu(req->dcid);
2517 flags = __le16_to_cpu(req->flags);
2518
2519 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
2520
baa7e1fa 2521 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 2522 if (!chan)
1da177e4
LT		 2523 return -ENOENT;
2524
48454079
GP		 2525 sk = chan->sk;
2526
033b1142 2527 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
e2fd318e
IK		 2528 struct l2cap_cmd_rej_cid rej;
2529
2530 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
2531 rej.scid = cpu_to_le16(chan->scid);
2532 rej.dcid = cpu_to_le16(chan->dcid);
df6bd743 2533
df6bd743
GP		 2534 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
2535 sizeof(rej), &rej);
354f60a9 2536 goto unlock;
df6bd743 2537 }
354f60a9 2538
5dee9e7c 2539 /* Reject if config buffer is too small. */
88219a0f 2540 len = cmd_len - sizeof(*req);
7ac28817 2541 if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 2542 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 2543 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c
MH		 2544 L2CAP_CONF_REJECT, flags), rsp);
2545 goto unlock;
2546 }
2547
2548 /* Store config. */
73ffa904
GP		 2549 memcpy(chan->conf_req + chan->conf_len, req->data, len);
2550 chan->conf_len += len;
1da177e4
LT		 2551
2552 if (flags & 0x0001) {
2553 /* Incomplete config. Send empty response. */
2554 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 2555 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c 2556 L2CAP_CONF_SUCCESS, 0x0001), rsp);
1da177e4
LT		 2557 goto unlock;
2558 }
2559
2560 /* Complete config. */
73ffa904 2561 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 2562 if (len < 0) {
e92c8e70 2563 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4 2564 goto unlock;
f2fcfcd6 2565 }
1da177e4 2566
5dee9e7c 2567 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 2568 chan->num_conf_rsp++;
5dee9e7c 2569
5dee9e7c 2570 /* Reset config buffer. */
73ffa904 2571 chan->conf_len = 0;
5dee9e7c 2572
c1360a1c 2573 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 2574 goto unlock;
2575
c1360a1c 2576 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 2577 set_default_fcs(chan);
fcc203c3 2578
89bc500e 2579 l2cap_state_change(chan, BT_CONNECTED);
e90bac06 2580
42e5c802
GP		 2581 chan->next_tx_seq = 0;
2582 chan->expected_tx_seq = 0;
58d35f87 2583 skb_queue_head_init(&chan->tx_q);
0c1bc5c6 2584 if (chan->mode == L2CAP_MODE_ERTM)
525cd185 2585 l2cap_ertm_init(chan);
0565c1c2 2586
1da177e4 2587 l2cap_chan_ready(sk);
876d9484
MH		 2588 goto unlock;
2589 }
2590
c1360a1c 2591 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 2592 u8 buf[64];
1da177e4 2593 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2594 l2cap_build_conf_req(chan, buf), buf);
2595 chan->num_conf_req++;
1da177e4
LT		 2596 }
2597
2598unlock:
2599 bh_unlock_sock(sk);
2600 return 0;
2601}
2602
2603static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2604{
2605 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
2606 u16 scid, flags, result;
48454079 2607 struct l2cap_chan *chan;
1da177e4 2608 struct sock *sk;
7b1c0049 2609 int len = cmd->len - sizeof(*rsp);
1da177e4
LT		 2610
2611 scid = __le16_to_cpu(rsp->scid);
2612 flags = __le16_to_cpu(rsp->flags);
2613 result = __le16_to_cpu(rsp->result);
2614
af05b30b
GP		 2615 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x",
2616 scid, flags, result);
1da177e4 2617
baa7e1fa 2618 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2619 if (!chan)
1da177e4
LT		 2620 return 0;
2621
48454079
GP		 2622 sk = chan->sk;
2623
1da177e4
LT		 2624 switch (result) {
2625 case L2CAP_CONF_SUCCESS:
47d1ec61 2626 l2cap_conf_rfc_get(chan, rsp->data, len);
1da177e4
LT		 2627 break;
2628
2629 case L2CAP_CONF_UNACCEPT:
73ffa904 2630 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 2631 char req[64];
2632
c2c77ec8 2633 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
e92c8e70 2634 l2cap_send_disconn_req(conn, chan, ECONNRESET);
c2c77ec8
AE		 2635 goto done;
2636 }
2637
f2fcfcd6
GP		 2638 /* throw out any old stored conf requests */
2639 result = L2CAP_CONF_SUCCESS;
b4450035
GP		 2640 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2641 req, &result);
f2fcfcd6 2642 if (len < 0) {
e92c8e70 2643 l2cap_send_disconn_req(conn, chan, ECONNRESET);
f2fcfcd6
GP		 2644 goto done;
2645 }
2646
2647 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2648 L2CAP_CONF_REQ, len, req);
73ffa904 2649 chan->num_conf_req++;
f2fcfcd6
GP		 2650 if (result != L2CAP_CONF_SUCCESS)
2651 goto done;
2652 break;
1da177e4
LT		 2653 }
2654
8e87d142 2655 default:
b1235d79 2656 sk->sk_err = ECONNRESET;
c9b66675 2657 __set_chan_timer(chan, HZ * 5);
e92c8e70 2658 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4
LT		 2659 goto done;
2660 }
2661
2662 if (flags & 0x01)
2663 goto done;
2664
c1360a1c 2665 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 2666
c1360a1c 2667 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 2668 set_default_fcs(chan);
fcc203c3 2669
89bc500e 2670 l2cap_state_change(chan, BT_CONNECTED);
42e5c802
GP		 2671 chan->next_tx_seq = 0;
2672 chan->expected_tx_seq = 0;
58d35f87 2673 skb_queue_head_init(&chan->tx_q);
0c1bc5c6 2674 if (chan->mode == L2CAP_MODE_ERTM)
525cd185 2675 l2cap_ertm_init(chan);
0565c1c2 2676
1da177e4
LT		 2677 l2cap_chan_ready(sk);
2678 }
2679
2680done:
2681 bh_unlock_sock(sk);
2682 return 0;
2683}
2684
2685static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2686{
2687 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
2688 struct l2cap_disconn_rsp rsp;
2689 u16 dcid, scid;
48454079 2690 struct l2cap_chan *chan;
1da177e4
LT		 2691 struct sock *sk;
2692
2693 scid = __le16_to_cpu(req->scid);
2694 dcid = __le16_to_cpu(req->dcid);
2695
2696 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
2697
baa7e1fa 2698 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 2699 if (!chan)
1da177e4
LT		 2700 return 0;
2701
48454079
GP		 2702 sk = chan->sk;
2703
fe4128e0
GP		 2704 rsp.dcid = cpu_to_le16(chan->scid);
2705 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 2706 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
2707
2708 sk->sk_shutdown = SHUTDOWN_MASK;
2709
a49184c2
AE		 2710 /* don't delete l2cap channel if sk is owned by user */
2711 if (sock_owned_by_user(sk)) {
89bc500e 2712 l2cap_state_change(chan, BT_DISCONN);
c9b66675
GP		 2713 __clear_chan_timer(chan);
2714 __set_chan_timer(chan, HZ / 5);
a49184c2
AE		 2715 bh_unlock_sock(sk);
2716 return 0;
2717 }
2718
48454079 2719 l2cap_chan_del(chan, ECONNRESET);
1da177e4
LT		 2720 bh_unlock_sock(sk);
2721
ba3bd0ee 2722 chan->ops->close(chan->data);
1da177e4
LT		 2723 return 0;
2724}
2725
2726static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2727{
2728 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
2729 u16 dcid, scid;
48454079 2730 struct l2cap_chan *chan;
1da177e4
LT		 2731 struct sock *sk;
2732
2733 scid = __le16_to_cpu(rsp->scid);
2734 dcid = __le16_to_cpu(rsp->dcid);
2735
2736 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
2737
baa7e1fa 2738 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2739 if (!chan)
1da177e4
LT		 2740 return 0;
2741
48454079
GP		 2742 sk = chan->sk;
2743
a49184c2
AE		 2744 /* don't delete l2cap channel if sk is owned by user */
2745 if (sock_owned_by_user(sk)) {
89bc500e 2746 l2cap_state_change(chan,BT_DISCONN);
c9b66675
GP		 2747 __clear_chan_timer(chan);
2748 __set_chan_timer(chan, HZ / 5);
a49184c2
AE		 2749 bh_unlock_sock(sk);
2750 return 0;
2751 }
2752
48454079 2753 l2cap_chan_del(chan, 0);
1da177e4
LT		 2754 bh_unlock_sock(sk);
2755
ba3bd0ee 2756 chan->ops->close(chan->data);
1da177e4
LT		 2757 return 0;
2758}
2759
2760static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2761{
2762 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 2763 u16 type;
2764
2765 type = __le16_to_cpu(req->type);
2766
2767 BT_DBG("type 0x%4.4x", type);
2768
f0709e03
MH		 2769 if (type == L2CAP_IT_FEAT_MASK) {
2770 u8 buf[8];
44dd46de 2771 u32 feat_mask = l2cap_feat_mask;
f0709e03
MH		 2772 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2773 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2774 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 2775 if (!disable_ertm)
fcc203c3
GP		 2776 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
2777 | L2CAP_FEAT_FCS;
1b7bf4ed 2778 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 2779 l2cap_send_cmd(conn, cmd->ident,
2780 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 2781 } else if (type == L2CAP_IT_FIXED_CHAN) {
2782 u8 buf[12];
2783 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2784 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2785 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
2786 memcpy(buf + 4, l2cap_fixed_chan, 8);
2787 l2cap_send_cmd(conn, cmd->ident,
2788 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 2789 } else {
2790 struct l2cap_info_rsp rsp;
2791 rsp.type = cpu_to_le16(type);
2792 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
2793 l2cap_send_cmd(conn, cmd->ident,
2794 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
2795 }
1da177e4
LT		 2796
2797 return 0;
2798}
2799
2800static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2801{
2802 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
2803 u16 type, result;
2804
2805 type = __le16_to_cpu(rsp->type);
2806 result = __le16_to_cpu(rsp->result);
2807
2808 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
2809
e90165be
AE		 2810 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
2811 if (cmd->ident != conn->info_ident ||
2812 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
2813 return 0;
2814
4e8402a3
MH		 2815 del_timer(&conn->info_timer);
2816
adb08ede
VT		 2817 if (result != L2CAP_IR_SUCCESS) {
2818 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2819 conn->info_ident = 0;
2820
2821 l2cap_conn_start(conn);
2822
2823 return 0;
2824 }
2825
984947dc 2826 if (type == L2CAP_IT_FEAT_MASK) {
83985319 2827 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 2828
47ec1dcd 2829 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c
MH		 2830 struct l2cap_info_req req;
2831 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2832
2833 conn->info_ident = l2cap_get_ident(conn);
2834
2835 l2cap_send_cmd(conn, conn->info_ident,
2836 L2CAP_INFO_REQ, sizeof(req), &req);
2837 } else {
2838 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2839 conn->info_ident = 0;
2840
2841 l2cap_conn_start(conn);
2842 }
2843 } else if (type == L2CAP_IT_FIXED_CHAN) {
984947dc 2844 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2845 conn->info_ident = 0;
984947dc
MH		 2846
2847 l2cap_conn_start(conn);
2848 }
4e8402a3 2849
1da177e4
LT		 2850 return 0;
2851}
2852
e2174ca4 2853static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
de73115a
CT		 2854 u16 to_multiplier)
2855{
2856 u16 max_latency;
2857
2858 if (min > max || min < 6 || max > 3200)
2859 return -EINVAL;
2860
2861 if (to_multiplier < 10 || to_multiplier > 3200)
2862 return -EINVAL;
2863
2864 if (max >= to_multiplier * 8)
2865 return -EINVAL;
2866
2867 max_latency = (to_multiplier * 8 / max) - 1;
2868 if (latency > 499 || latency > max_latency)
2869 return -EINVAL;
2870
2871 return 0;
2872}
2873
2874static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
2875 struct l2cap_cmd_hdr *cmd, u8 *data)
2876{
2877 struct hci_conn *hcon = conn->hcon;
2878 struct l2cap_conn_param_update_req *req;
2879 struct l2cap_conn_param_update_rsp rsp;
2880 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 2881 int err;
de73115a
CT		 2882
2883 if (!(hcon->link_mode & HCI_LM_MASTER))
2884 return -EINVAL;
2885
2886 cmd_len = __le16_to_cpu(cmd->len);
2887 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
2888 return -EPROTO;
2889
2890 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 2891 min = __le16_to_cpu(req->min);
2892 max = __le16_to_cpu(req->max);
de73115a
CT		 2893 latency = __le16_to_cpu(req->latency);
2894 to_multiplier = __le16_to_cpu(req->to_multiplier);
2895
2896 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
2897 min, max, latency, to_multiplier);
2898
2899 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 2900
2901 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
2902 if (err)
de73115a
CT		 2903 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
2904 else
2905 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
2906
2907 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
2908 sizeof(rsp), &rsp);
2909
2ce603eb
CT		 2910 if (!err)
2911 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
2912
de73115a
CT		 2913 return 0;
2914}
2915
3300d9a9
CT		 2916static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
2917 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
2918{
2919 int err = 0;
2920
2921 switch (cmd->code) {
2922 case L2CAP_COMMAND_REJ:
2923 l2cap_command_rej(conn, cmd, data);
2924 break;
2925
2926 case L2CAP_CONN_REQ:
2927 err = l2cap_connect_req(conn, cmd, data);
2928 break;
2929
2930 case L2CAP_CONN_RSP:
2931 err = l2cap_connect_rsp(conn, cmd, data);
2932 break;
2933
2934 case L2CAP_CONF_REQ:
2935 err = l2cap_config_req(conn, cmd, cmd_len, data);
2936 break;
2937
2938 case L2CAP_CONF_RSP:
2939 err = l2cap_config_rsp(conn, cmd, data);
2940 break;
2941
2942 case L2CAP_DISCONN_REQ:
2943 err = l2cap_disconnect_req(conn, cmd, data);
2944 break;
2945
2946 case L2CAP_DISCONN_RSP:
2947 err = l2cap_disconnect_rsp(conn, cmd, data);
2948 break;
2949
2950 case L2CAP_ECHO_REQ:
2951 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
2952 break;
2953
2954 case L2CAP_ECHO_RSP:
2955 break;
2956
2957 case L2CAP_INFO_REQ:
2958 err = l2cap_information_req(conn, cmd, data);
2959 break;
2960
2961 case L2CAP_INFO_RSP:
2962 err = l2cap_information_rsp(conn, cmd, data);
2963 break;
2964
2965 default:
2966 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
2967 err = -EINVAL;
2968 break;
2969 }
2970
2971 return err;
2972}
2973
2974static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
2975 struct l2cap_cmd_hdr *cmd, u8 *data)
2976{
2977 switch (cmd->code) {
2978 case L2CAP_COMMAND_REJ:
2979 return 0;
2980
2981 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 2982 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 2983
2984 case L2CAP_CONN_PARAM_UPDATE_RSP:
2985 return 0;
2986
2987 default:
2988 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
2989 return -EINVAL;
2990 }
2991}
2992
2993static inline void l2cap_sig_channel(struct l2cap_conn *conn,
2994 struct sk_buff *skb)
1da177e4
LT		 2995{
2996 u8 *data = skb->data;
2997 int len = skb->len;
2998 struct l2cap_cmd_hdr cmd;
3300d9a9 2999 int err;
1da177e4
LT		 3000
3001 l2cap_raw_recv(conn, skb);
3002
3003 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 3004 u16 cmd_len;
1da177e4
LT		 3005 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
3006 data += L2CAP_CMD_HDR_SIZE;
3007 len -= L2CAP_CMD_HDR_SIZE;
3008
88219a0f 3009 cmd_len = le16_to_cpu(cmd.len);
1da177e4 3010
88219a0f 3011 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 3012
88219a0f 3013 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 3014 BT_DBG("corrupted command");
3015 break;
3016 }
3017
3300d9a9
CT		 3018 if (conn->hcon->type == LE_LINK)
3019 err = l2cap_le_sig_cmd(conn, &cmd, data);
3020 else
3021 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 3022
3023 if (err) {
e2fd318e 3024 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 3025
3026 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 3027
3028 /* FIXME: Map err to a valid reason */
e2fd318e 3029 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
1da177e4
LT		 3030 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3031 }
3032
88219a0f
AV		 3033 data += cmd_len;
3034 len -= cmd_len;
1da177e4
LT		 3035 }
3036
3037 kfree_skb(skb);
3038}
3039
47d1ec61 3040static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 3041{
3042 u16 our_fcs, rcv_fcs;
3043 int hdr_size = L2CAP_HDR_SIZE + 2;
3044
47d1ec61 3045 if (chan->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 3046 skb_trim(skb, skb->len - 2);
3047 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
3048 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
3049
3050 if (our_fcs != rcv_fcs)
7a560e5c 3051 return -EBADMSG;
fcc203c3
GP		 3052 }
3053 return 0;
3054}
3055
525cd185 3056static inline void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 3057{
d5392c8f
GP		 3058 u16 control = 0;
3059
6a026610 3060 chan->frames_sent = 0;
d5392c8f 3061
42e5c802 3062 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
d5392c8f 3063
e2ab4353 3064 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
64988868 3065 control |= L2CAP_SUPER_RCV_NOT_READY;
525cd185 3066 l2cap_send_sframe(chan, control);
e2ab4353 3067 set_bit(CONN_RNR_SENT, &chan->conn_state);
d5392c8f
GP		 3068 }
3069
e2ab4353 3070 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
525cd185 3071 l2cap_retransmit_frames(chan);
d5392c8f 3072
525cd185 3073 l2cap_ertm_send(chan);
d5392c8f 3074
e2ab4353 3075 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
6a026610 3076 chan->frames_sent == 0) {
d5392c8f 3077 control |= L2CAP_SUPER_RCV_READY;
525cd185 3078 l2cap_send_sframe(chan, control);
d5392c8f
GP		 3079 }
3080}
3081
42e5c802 3082static int l2cap_add_to_srej_queue(struct l2cap_chan *chan, struct sk_buff *skb, u8 tx_seq, u8 sar)
8f17154f
GP		 3083{
3084 struct sk_buff *next_skb;
bfbacc11 3085 int tx_seq_offset, next_tx_seq_offset;
8f17154f
GP		 3086
3087 bt_cb(skb)->tx_seq = tx_seq;
3088 bt_cb(skb)->sar = sar;
3089
f1c6775b 3090 next_skb = skb_peek(&chan->srej_q);
8f17154f 3091 if (!next_skb) {
f1c6775b 3092 __skb_queue_tail(&chan->srej_q, skb);
9b53350d 3093 return 0;
8f17154f
GP		 3094 }
3095
42e5c802 3096 tx_seq_offset = (tx_seq - chan->buffer_seq) % 64;
bfbacc11
JPRV		 3097 if (tx_seq_offset < 0)
3098 tx_seq_offset += 64;
3099
8f17154f 3100 do {
9b53350d
JPRV		 3101 if (bt_cb(next_skb)->tx_seq == tx_seq)
3102 return -EINVAL;
3103
bfbacc11 3104 next_tx_seq_offset = (bt_cb(next_skb)->tx_seq -
42e5c802 3105 chan->buffer_seq) % 64;
bfbacc11
JPRV		 3106 if (next_tx_seq_offset < 0)
3107 next_tx_seq_offset += 64;
3108
3109 if (next_tx_seq_offset > tx_seq_offset) {
f1c6775b 3110 __skb_queue_before(&chan->srej_q, next_skb, skb);
9b53350d 3111 return 0;
8f17154f
GP		 3112 }
3113
f1c6775b 3114 if (skb_queue_is_last(&chan->srej_q, next_skb))
8f17154f
GP		 3115 break;
3116
f1c6775b 3117 } while ((next_skb = skb_queue_next(&chan->srej_q, next_skb)));
8f17154f 3118
f1c6775b 3119 __skb_queue_tail(&chan->srej_q, skb);
9b53350d
JPRV		 3120
3121 return 0;
8f17154f
GP		 3122}
3123
525cd185 3124static int l2cap_ertm_reassembly_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u16 control)
18778a63 3125{
18778a63 3126 struct sk_buff *_skb;
1890d36b 3127 int err;
18778a63
GP		 3128
3129 switch (control & L2CAP_CTRL_SAR) {
3130 case L2CAP_SDU_UNSEGMENTED:
e2ab4353 3131 if (test_bit(CONN_SAR_SDU, &chan->conn_state))
18778a63
GP		 3132 goto drop;
3133
23070494 3134 return chan->ops->recv(chan->data, skb);
18778a63
GP		 3135
3136 case L2CAP_SDU_START:
e2ab4353 3137 if (test_bit(CONN_SAR_SDU, &chan->conn_state))
18778a63
GP		 3138 goto drop;
3139
6f61fd47 3140 chan->sdu_len = get_unaligned_le16(skb->data);
18778a63 3141
0c1bc5c6 3142 if (chan->sdu_len > chan->imtu)
18778a63
GP		 3143 goto disconnect;
3144
6f61fd47
GP		 3145 chan->sdu = bt_skb_alloc(chan->sdu_len, GFP_ATOMIC);
3146 if (!chan->sdu)
1890d36b
GP		 3147 return -ENOMEM;
3148
3149 /* pull sdu_len bytes only after alloc, because of Local Busy
3150 * condition we have to be sure that this will be executed
3151 * only once, i.e., when alloc does not fail */
3152 skb_pull(skb, 2);
18778a63 3153
6f61fd47 3154 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
18778a63 3155
e2ab4353 3156 set_bit(CONN_SAR_SDU, &chan->conn_state);
6f61fd47 3157 chan->partial_sdu_len = skb->len;
18778a63
GP		 3158 break;
3159
3160 case L2CAP_SDU_CONTINUE:
e2ab4353 3161 if (!test_bit(CONN_SAR_SDU, &chan->conn_state))
18778a63
GP		 3162 goto disconnect;
3163
6f61fd47 3164 if (!chan->sdu)
18778a63
GP		 3165 goto disconnect;
3166
6f61fd47
GP		 3167 chan->partial_sdu_len += skb->len;
3168 if (chan->partial_sdu_len > chan->sdu_len)
18778a63
GP		 3169 goto drop;
3170
6f61fd47 3171 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
4178ba46 3172
18778a63
GP		 3173 break;
3174
3175 case L2CAP_SDU_END:
e2ab4353 3176 if (!test_bit(CONN_SAR_SDU, &chan->conn_state))
18778a63
GP		 3177 goto disconnect;
3178
6f61fd47 3179 if (!chan->sdu)
18778a63
GP		 3180 goto disconnect;
3181
fadd192e 3182 chan->partial_sdu_len += skb->len;
18778a63 3183
fadd192e
MM		 3184 if (chan->partial_sdu_len > chan->imtu)
3185 goto drop;
18778a63 3186
fadd192e
MM		 3187 if (chan->partial_sdu_len != chan->sdu_len)
3188 goto drop;
4178ba46 3189
fadd192e 3190 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
18778a63 3191
6f61fd47 3192 _skb = skb_clone(chan->sdu, GFP_ATOMIC);
1890d36b 3193 if (!_skb) {
1890d36b
GP		 3194 return -ENOMEM;
3195 }
3196
23070494 3197 err = chan->ops->recv(chan->data, _skb);
1890d36b 3198 if (err < 0) {
18778a63 3199 kfree_skb(_skb);
1890d36b
GP		 3200 return err;
3201 }
3202
e2ab4353 3203 clear_bit(CONN_SAR_SDU, &chan->conn_state);
18778a63 3204
6f61fd47 3205 kfree_skb(chan->sdu);
18778a63
GP		 3206 break;
3207 }
3208
3209 kfree_skb(skb);
1890d36b 3210 return 0;
18778a63
GP		 3211
3212drop:
6f61fd47
GP		 3213 kfree_skb(chan->sdu);
3214 chan->sdu = NULL;
18778a63
GP		 3215
3216disconnect:
8c1d787b 3217 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
18778a63
GP		 3218 kfree_skb(skb);
3219 return 0;
3220}
3221
26f880d2 3222static void l2cap_ertm_enter_local_busy(struct l2cap_chan *chan)
712132eb 3223{
712132eb 3224 u16 control;
712132eb 3225
26f880d2 3226 BT_DBG("chan %p, Enter local busy", chan);
712132eb 3227
26f880d2
MM		 3228 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
3229
3230 control = chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3231 control |= L2CAP_SUPER_RCV_NOT_READY;
3232 l2cap_send_sframe(chan, control);
3233
3234 set_bit(CONN_RNR_SENT, &chan->conn_state);
3235
3236 __clear_ack_timer(chan);
3237}
3238
3239static void l2cap_ertm_exit_local_busy(struct l2cap_chan *chan)
3240{
3241 u16 control;
712132eb 3242
e2ab4353 3243 if (!test_bit(CONN_RNR_SENT, &chan->conn_state))
712132eb
GP		 3244 goto done;
3245
42e5c802 3246 control = chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
712132eb 3247 control |= L2CAP_SUPER_RCV_READY | L2CAP_CTRL_POLL;
525cd185 3248 l2cap_send_sframe(chan, control);
6a026610 3249 chan->retry_count = 1;
712132eb 3250
1a09bcb9
GP		 3251 __clear_retrans_timer(chan);
3252 __set_monitor_timer(chan);
712132eb 3253
e2ab4353 3254 set_bit(CONN_WAIT_F, &chan->conn_state);
712132eb
GP		 3255
3256done:
e2ab4353
GP		 3257 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
3258 clear_bit(CONN_RNR_SENT, &chan->conn_state);
712132eb 3259
49208c9c 3260 BT_DBG("chan %p, Exit local busy", chan);
712132eb
GP		 3261}
3262
e328140f 3263void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
1890d36b 3264{
e328140f
MM		 3265 if (chan->mode == L2CAP_MODE_ERTM) {
3266 if (busy)
3267 l2cap_ertm_enter_local_busy(chan);
3268 else
3269 l2cap_ertm_exit_local_busy(chan);
1890d36b 3270 }
1890d36b
GP		 3271}
3272
525cd185 3273static int l2cap_streaming_reassembly_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u16 control)
c74e560c 3274{
c74e560c
GP		 3275 struct sk_buff *_skb;
3276 int err = -EINVAL;
3277
18778a63
GP		 3278 /*
3279 * TODO: We have to notify the userland if some data is lost with the
3280 * Streaming Mode.
3281 */
3282
c74e560c
GP		 3283 switch (control & L2CAP_CTRL_SAR) {
3284 case L2CAP_SDU_UNSEGMENTED:
e2ab4353 3285 if (test_bit(CONN_SAR_SDU, &chan->conn_state)) {
6f61fd47 3286 kfree_skb(chan->sdu);
c74e560c
GP		 3287 break;
3288 }
3289
23070494 3290 err = chan->ops->recv(chan->data, skb);
c74e560c
GP		 3291 if (!err)
3292 return 0;
3293
3294 break;
3295
3296 case L2CAP_SDU_START:
e2ab4353 3297 if (test_bit(CONN_SAR_SDU, &chan->conn_state)) {
6f61fd47 3298 kfree_skb(chan->sdu);
c74e560c
GP		 3299 break;
3300 }
3301
6f61fd47 3302 chan->sdu_len = get_unaligned_le16(skb->data);
c74e560c
GP		 3303 skb_pull(skb, 2);
3304
0c1bc5c6 3305 if (chan->sdu_len > chan->imtu) {
052897ca
GP		 3306 err = -EMSGSIZE;
3307 break;
3308 }
3309
6f61fd47
GP		 3310 chan->sdu = bt_skb_alloc(chan->sdu_len, GFP_ATOMIC);
3311 if (!chan->sdu) {
c74e560c
GP		 3312 err = -ENOMEM;
3313 break;
3314 }
3315
6f61fd47 3316 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
c74e560c 3317
e2ab4353 3318 set_bit(CONN_SAR_SDU, &chan->conn_state);
6f61fd47 3319 chan->partial_sdu_len = skb->len;
c74e560c
GP		 3320 err = 0;
3321 break;
3322
3323 case L2CAP_SDU_CONTINUE:
e2ab4353 3324 if (!test_bit(CONN_SAR_SDU, &chan->conn_state))
c74e560c
GP		 3325 break;
3326
6f61fd47 3327 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
c74e560c 3328
6f61fd47
GP		 3329 chan->partial_sdu_len += skb->len;
3330 if (chan->partial_sdu_len > chan->sdu_len)
3331 kfree_skb(chan->sdu);
c74e560c
GP		 3332 else
3333 err = 0;
3334
3335 break;
3336
3337 case L2CAP_SDU_END:
e2ab4353 3338 if (!test_bit(CONN_SAR_SDU, &chan->conn_state))
c74e560c
GP		 3339 break;
3340
6f61fd47 3341 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
c74e560c 3342
e2ab4353 3343 clear_bit(CONN_SAR_SDU, &chan->conn_state);
6f61fd47 3344 chan->partial_sdu_len += skb->len;
c74e560c 3345
0c1bc5c6 3346 if (chan->partial_sdu_len > chan->imtu)
36f2fd58
GP		 3347 goto drop;
3348
6f61fd47
GP		 3349 if (chan->partial_sdu_len == chan->sdu_len) {
3350 _skb = skb_clone(chan->sdu, GFP_ATOMIC);
23070494 3351 err = chan->ops->recv(chan->data, _skb);
c74e560c
GP		 3352 if (err < 0)
3353 kfree_skb(_skb);
3354 }
c74e560c
GP		 3355 err = 0;
3356
36f2fd58 3357drop:
6f61fd47 3358 kfree_skb(chan->sdu);
c74e560c
GP		 3359 break;
3360 }
3361
3362 kfree_skb(skb);
3363 return err;
3364}
3365
525cd185 3366static void l2cap_check_srej_gap(struct l2cap_chan *chan, u8 tx_seq)
8f17154f
GP		 3367{
3368 struct sk_buff *skb;
afefdbc4 3369 u16 control;
8f17154f 3370
e328140f
MM		 3371 while ((skb = skb_peek(&chan->srej_q)) &&
3372 !test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
3373 int err;
3374
8f17154f
GP		 3375 if (bt_cb(skb)->tx_seq != tx_seq)
3376 break;
3377
f1c6775b 3378 skb = skb_dequeue(&chan->srej_q);
afefdbc4 3379 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
e328140f
MM		 3380 err = l2cap_ertm_reassembly_sdu(chan, skb, control);
3381
3382 if (err < 0) {
3383 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3384 break;
3385 }
3386
42e5c802
GP		 3387 chan->buffer_seq_srej =
3388 (chan->buffer_seq_srej + 1) % 64;
8ff50ec0 3389 tx_seq = (tx_seq + 1) % 64;
8f17154f
GP		 3390 }
3391}
3392
525cd185 3393static void l2cap_resend_srejframe(struct l2cap_chan *chan, u8 tx_seq)
8f17154f 3394{
8f17154f
GP		 3395 struct srej_list *l, *tmp;
3396 u16 control;
3397
39d5a3ee 3398 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
8f17154f
GP		 3399 if (l->tx_seq == tx_seq) {
3400 list_del(&l->list);
3401 kfree(l);
3402 return;
3403 }
3404 control = L2CAP_SUPER_SELECT_REJECT;
3405 control |= l->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
525cd185 3406 l2cap_send_sframe(chan, control);
8f17154f 3407 list_del(&l->list);
39d5a3ee 3408 list_add_tail(&l->list, &chan->srej_l);
8f17154f
GP		 3409 }
3410}
3411
525cd185 3412static void l2cap_send_srejframe(struct l2cap_chan *chan, u8 tx_seq)
8f17154f 3413{
8f17154f
GP		 3414 struct srej_list *new;
3415 u16 control;
3416
42e5c802 3417 while (tx_seq != chan->expected_tx_seq) {
8f17154f 3418 control = L2CAP_SUPER_SELECT_REJECT;
42e5c802 3419 control |= chan->expected_tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
525cd185 3420 l2cap_send_sframe(chan, control);
8f17154f
GP		 3421
3422 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
42e5c802
GP		 3423 new->tx_seq = chan->expected_tx_seq;
3424 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
39d5a3ee 3425 list_add_tail(&new->list, &chan->srej_l);
8f17154f 3426 }
42e5c802 3427 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
8f17154f
GP		 3428}
3429
525cd185 3430static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u16 rx_control, struct sk_buff *skb)
1c2acffb 3431{
1c2acffb 3432 u8 tx_seq = __get_txseq(rx_control);
9f121a5a 3433 u8 req_seq = __get_reqseq(rx_control);
8f17154f 3434 u8 sar = rx_control >> L2CAP_CTRL_SAR_SHIFT;
f6337c77 3435 int tx_seq_offset, expected_tx_seq_offset;
47d1ec61 3436 int num_to_ack = (chan->tx_win/6) + 1;
1c2acffb
GP		 3437 int err = 0;
3438
525cd185
GP		 3439 BT_DBG("chan %p len %d tx_seq %d rx_control 0x%4.4x", chan, skb->len,
3440 tx_seq, rx_control);
1c2acffb 3441
9b16dc65 3442 if (L2CAP_CTRL_FINAL & rx_control &&
e2ab4353 3443 test_bit(CONN_WAIT_F, &chan->conn_state)) {
1a09bcb9 3444 __clear_monitor_timer(chan);
6a026610 3445 if (chan->unacked_frames > 0)
1a09bcb9 3446 __set_retrans_timer(chan);
e2ab4353 3447 clear_bit(CONN_WAIT_F, &chan->conn_state);
1d8f5d16
GP		 3448 }
3449
42e5c802
GP		 3450 chan->expected_ack_seq = req_seq;
3451 l2cap_drop_acked_frames(chan);
9f121a5a 3452
42e5c802 3453 tx_seq_offset = (tx_seq - chan->buffer_seq) % 64;
9b53350d
JPRV		 3454 if (tx_seq_offset < 0)
3455 tx_seq_offset += 64;
3456
3457 /* invalid tx_seq */
47d1ec61 3458 if (tx_seq_offset >= chan->tx_win) {
8c1d787b 3459 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
9b53350d
JPRV		 3460 goto drop;
3461 }
3462
e2ab4353 3463 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1890d36b
GP		 3464 goto drop;
3465
02f1b641
MM		 3466 if (tx_seq == chan->expected_tx_seq)
3467 goto expected;
3468
e2ab4353 3469 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
8f17154f 3470 struct srej_list *first;
30afb5b2 3471
39d5a3ee 3472 first = list_first_entry(&chan->srej_l,
8f17154f
GP		 3473 struct srej_list, list);
3474 if (tx_seq == first->tx_seq) {
42e5c802 3475 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
525cd185 3476 l2cap_check_srej_gap(chan, tx_seq);
8f17154f
GP		 3477
3478 list_del(&first->list);
3479 kfree(first);
3480
39d5a3ee 3481 if (list_empty(&chan->srej_l)) {
42e5c802 3482 chan->buffer_seq = chan->buffer_seq_srej;
e2ab4353 3483 clear_bit(CONN_SREJ_SENT, &chan->conn_state);
525cd185 3484 l2cap_send_ack(chan);
49208c9c 3485 BT_DBG("chan %p, Exit SREJ_SENT", chan);
8f17154f
GP		 3486 }
3487 } else {
3488 struct srej_list *l;
9b53350d
JPRV		 3489
3490 /* duplicated tx_seq */
42e5c802 3491 if (l2cap_add_to_srej_queue(chan, skb, tx_seq, sar) < 0)
9b53350d 3492 goto drop;
8f17154f 3493
39d5a3ee 3494 list_for_each_entry(l, &chan->srej_l, list) {
8f17154f 3495 if (l->tx_seq == tx_seq) {
525cd185 3496 l2cap_resend_srejframe(chan, tx_seq);
8f17154f
GP		 3497 return 0;
3498 }
3499 }
525cd185 3500 l2cap_send_srejframe(chan, tx_seq);
30afb5b2
GP		 3501 }
3502 } else {
9b53350d 3503 expected_tx_seq_offset =
42e5c802 3504 (chan->expected_tx_seq - chan->buffer_seq) % 64;
9b53350d
JPRV		 3505 if (expected_tx_seq_offset < 0)
3506 expected_tx_seq_offset += 64;
3507
3508 /* duplicated tx_seq */
3509 if (tx_seq_offset < expected_tx_seq_offset)
3510 goto drop;
3511
e2ab4353 3512 set_bit(CONN_SREJ_SENT, &chan->conn_state);
1c2acffb 3513
49208c9c 3514 BT_DBG("chan %p, Enter SREJ", chan);
0e98958d 3515
39d5a3ee 3516 INIT_LIST_HEAD(&chan->srej_l);
42e5c802 3517 chan->buffer_seq_srej = chan->buffer_seq;
8f17154f 3518
f1c6775b 3519 __skb_queue_head_init(&chan->srej_q);
42e5c802 3520 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
8f17154f 3521
e2ab4353 3522 set_bit(CONN_SEND_PBIT, &chan->conn_state);
ef54fd93 3523
525cd185 3524 l2cap_send_srejframe(chan, tx_seq);
7fe9b298 3525
1a09bcb9 3526 __clear_ack_timer(chan);
1c2acffb 3527 }
30afb5b2
GP		 3528 return 0;
3529
8f17154f 3530expected:
42e5c802 3531 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
8f17154f 3532
e2ab4353 3533 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3b1a9f3f
GP		 3534 bt_cb(skb)->tx_seq = tx_seq;
3535 bt_cb(skb)->sar = sar;
f1c6775b 3536 __skb_queue_tail(&chan->srej_q, skb);
8f17154f
GP		 3537 return 0;
3538 }
3539
fadd192e
MM		 3540 err = l2cap_ertm_reassembly_sdu(chan, skb, rx_control);
3541 chan->buffer_seq = (chan->buffer_seq + 1) % 64;
e328140f
MM		 3542 if (err < 0) {
3543 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3544 return err;
3545 }
2ece3684 3546
4ec10d97 3547 if (rx_control & L2CAP_CTRL_FINAL) {
e2ab4353 3548 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 3549 l2cap_retransmit_frames(chan);
4ec10d97
GP		 3550 }
3551
1a09bcb9 3552 __set_ack_timer(chan);
c1b4f43b 3553
6a026610
GP		 3554 chan->num_acked = (chan->num_acked + 1) % num_to_ack;
3555 if (chan->num_acked == num_to_ack - 1)
525cd185 3556 l2cap_send_ack(chan);
9e917af1 3557
8f17154f 3558 return 0;
9b53350d
JPRV		 3559
3560drop:
3561 kfree_skb(skb);
3562 return 0;
1c2acffb
GP		 3563}
3564
525cd185 3565static inline void l2cap_data_channel_rrframe(struct l2cap_chan *chan, u16 rx_control)
1c2acffb 3566{
49208c9c 3567 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, __get_reqseq(rx_control),
0e98958d
GP		 3568 rx_control);
3569
42e5c802
GP		 3570 chan->expected_ack_seq = __get_reqseq(rx_control);
3571 l2cap_drop_acked_frames(chan);
1c2acffb 3572
e072745f 3573 if (rx_control & L2CAP_CTRL_POLL) {
e2ab4353
GP		 3574 set_bit(CONN_SEND_FBIT, &chan->conn_state);
3575 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3576 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
6a026610 3577 (chan->unacked_frames > 0))
1a09bcb9 3578 __set_retrans_timer(chan);
05fbd89d 3579
e2ab4353 3580 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
525cd185 3581 l2cap_send_srejtail(chan);
05fbd89d 3582 } else {
525cd185 3583 l2cap_send_i_or_rr_or_rnr(chan);
05fbd89d 3584 }
1d8f5d16 3585
e072745f 3586 } else if (rx_control & L2CAP_CTRL_FINAL) {
e2ab4353 3587 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4ec10d97 3588
e2ab4353 3589 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 3590 l2cap_retransmit_frames(chan);
2246b2f1 3591
e072745f 3592 } else {
e2ab4353 3593 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
6a026610 3594 (chan->unacked_frames > 0))
1a09bcb9 3595 __set_retrans_timer(chan);
1c2acffb 3596
e2ab4353
GP		 3597 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
3598 if (test_bit(CONN_SREJ_SENT, &chan->conn_state))
525cd185 3599 l2cap_send_ack(chan);
894718a6 3600 else
525cd185 3601 l2cap_ertm_send(chan);
e072745f
GP		 3602 }
3603}
2246b2f1 3604
525cd185 3605static inline void l2cap_data_channel_rejframe(struct l2cap_chan *chan, u16 rx_control)
e072745f 3606{
e072745f 3607 u8 tx_seq = __get_reqseq(rx_control);
30afb5b2 3608
525cd185 3609 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
0e98958d 3610
e2ab4353 3611 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
e072745f 3612
42e5c802
GP		 3613 chan->expected_ack_seq = tx_seq;
3614 l2cap_drop_acked_frames(chan);
e072745f
GP		 3615
3616 if (rx_control & L2CAP_CTRL_FINAL) {
e2ab4353 3617 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 3618 l2cap_retransmit_frames(chan);
e072745f 3619 } else {
525cd185 3620 l2cap_retransmit_frames(chan);
30afb5b2 3621
e2ab4353
GP		 3622 if (test_bit(CONN_WAIT_F, &chan->conn_state))
3623 set_bit(CONN_REJ_ACT, &chan->conn_state);
e072745f
GP		 3624 }
3625}
525cd185 3626static inline void l2cap_data_channel_srejframe(struct l2cap_chan *chan, u16 rx_control)
e072745f 3627{
e072745f 3628 u8 tx_seq = __get_reqseq(rx_control);
30afb5b2 3629
525cd185 3630 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
0e98958d 3631
e2ab4353 3632 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
2246b2f1 3633
e072745f 3634 if (rx_control & L2CAP_CTRL_POLL) {
42e5c802
GP		 3635 chan->expected_ack_seq = tx_seq;
3636 l2cap_drop_acked_frames(chan);
3cb123d1 3637
e2ab4353 3638 set_bit(CONN_SEND_FBIT, &chan->conn_state);
525cd185 3639 l2cap_retransmit_one_frame(chan, tx_seq);
dfc909be 3640
525cd185 3641 l2cap_ertm_send(chan);
dfc909be 3642
e2ab4353 3643 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
6a026610 3644 chan->srej_save_reqseq = tx_seq;
e2ab4353 3645 set_bit(CONN_SREJ_ACT, &chan->conn_state);
ef54fd93 3646 }
e072745f 3647 } else if (rx_control & L2CAP_CTRL_FINAL) {
e2ab4353 3648 if (test_bit(CONN_SREJ_ACT, &chan->conn_state) &&
6a026610 3649 chan->srej_save_reqseq == tx_seq)
e2ab4353 3650 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
e072745f 3651 else
525cd185 3652 l2cap_retransmit_one_frame(chan, tx_seq);
e072745f 3653 } else {
525cd185 3654 l2cap_retransmit_one_frame(chan, tx_seq);
e2ab4353 3655 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
6a026610 3656 chan->srej_save_reqseq = tx_seq;
e2ab4353 3657 set_bit(CONN_SREJ_ACT, &chan->conn_state);
ef54fd93 3658 }
e072745f
GP		 3659 }
3660}
3661
525cd185 3662static inline void l2cap_data_channel_rnrframe(struct l2cap_chan *chan, u16 rx_control)
e072745f 3663{
e072745f
GP		 3664 u8 tx_seq = __get_reqseq(rx_control);
3665
525cd185 3666 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
0e98958d 3667
e2ab4353 3668 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
42e5c802
GP		 3669 chan->expected_ack_seq = tx_seq;
3670 l2cap_drop_acked_frames(chan);
e072745f 3671
3cb123d1 3672 if (rx_control & L2CAP_CTRL_POLL)
e2ab4353 3673 set_bit(CONN_SEND_FBIT, &chan->conn_state);
3cb123d1 3674
e2ab4353 3675 if (!test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
1a09bcb9 3676 __clear_retrans_timer(chan);
a2e12a2a 3677 if (rx_control & L2CAP_CTRL_POLL)
525cd185 3678 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_FINAL);
99b0d4b7 3679 return;
e072745f 3680 }
99b0d4b7
GP		 3681
3682 if (rx_control & L2CAP_CTRL_POLL)
525cd185 3683 l2cap_send_srejtail(chan);
99b0d4b7 3684 else
525cd185 3685 l2cap_send_sframe(chan, L2CAP_SUPER_RCV_READY);
e072745f
GP		 3686}
3687
525cd185 3688static inline int l2cap_data_channel_sframe(struct l2cap_chan *chan, u16 rx_control, struct sk_buff *skb)
e072745f 3689{
525cd185 3690 BT_DBG("chan %p rx_control 0x%4.4x len %d", chan, rx_control, skb->len);
e072745f 3691
9b16dc65 3692 if (L2CAP_CTRL_FINAL & rx_control &&
e2ab4353 3693 test_bit(CONN_WAIT_F, &chan->conn_state)) {
1a09bcb9 3694 __clear_monitor_timer(chan);
6a026610 3695 if (chan->unacked_frames > 0)
1a09bcb9 3696 __set_retrans_timer(chan);
e2ab4353 3697 clear_bit(CONN_WAIT_F, &chan->conn_state);
e072745f
GP		 3698 }
3699
3700 switch (rx_control & L2CAP_CTRL_SUPERVISE) {
3701 case L2CAP_SUPER_RCV_READY:
525cd185 3702 l2cap_data_channel_rrframe(chan, rx_control);
8f17154f
GP		 3703 break;
3704
e072745f 3705 case L2CAP_SUPER_REJECT:
525cd185 3706 l2cap_data_channel_rejframe(chan, rx_control);
e072745f 3707 break;
2246b2f1 3708
e072745f 3709 case L2CAP_SUPER_SELECT_REJECT:
525cd185 3710 l2cap_data_channel_srejframe(chan, rx_control);
e072745f
GP		 3711 break;
3712
3713 case L2CAP_SUPER_RCV_NOT_READY:
525cd185 3714 l2cap_data_channel_rnrframe(chan, rx_control);
1c2acffb
GP		 3715 break;
3716 }
3717
faaebd19 3718 kfree_skb(skb);
1c2acffb
GP		 3719 return 0;
3720}
3721
218bb9df
GP		 3722static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb)
3723{
525cd185 3724 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
218bb9df
GP		 3725 u16 control;
3726 u8 req_seq;
3727 int len, next_tx_seq_offset, req_seq_offset;
3728
3729 control = get_unaligned_le16(skb->data);
3730 skb_pull(skb, 2);
3731 len = skb->len;
3732
3733 /*
3734 * We can just drop the corrupted I-frame here.
3735 * Receiver will miss it and start proper recovery
3736 * procedures and ask retransmission.
3737 */
47d1ec61 3738 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 3739 goto drop;
3740
3741 if (__is_sar_start(control) && __is_iframe(control))
3742 len -= 2;
3743
47d1ec61 3744 if (chan->fcs == L2CAP_FCS_CRC16)
218bb9df
GP		 3745 len -= 2;
3746
47d1ec61 3747 if (len > chan->mps) {
8c1d787b 3748 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3749 goto drop;
3750 }
3751
3752 req_seq = __get_reqseq(control);
42e5c802 3753 req_seq_offset = (req_seq - chan->expected_ack_seq) % 64;
218bb9df
GP		 3754 if (req_seq_offset < 0)
3755 req_seq_offset += 64;
3756
3757 next_tx_seq_offset =
42e5c802 3758 (chan->next_tx_seq - chan->expected_ack_seq) % 64;
218bb9df
GP		 3759 if (next_tx_seq_offset < 0)
3760 next_tx_seq_offset += 64;
3761
3762 /* check for invalid req-seq */
3763 if (req_seq_offset > next_tx_seq_offset) {
8c1d787b 3764 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3765 goto drop;
3766 }
3767
3768 if (__is_iframe(control)) {
3769 if (len < 0) {
8c1d787b 3770 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3771 goto drop;
3772 }
3773
525cd185 3774 l2cap_data_channel_iframe(chan, control, skb);
218bb9df
GP		 3775 } else {
3776 if (len != 0) {
3777 BT_ERR("%d", len);
8c1d787b 3778 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3779 goto drop;
3780 }
3781
525cd185 3782 l2cap_data_channel_sframe(chan, control, skb);
218bb9df
GP		 3783 }
3784
3785 return 0;
3786
3787drop:
3788 kfree_skb(skb);
3789 return 0;
3790}
3791
1da177e4
LT		 3792static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
3793{
48454079 3794 struct l2cap_chan *chan;
bf734843 3795 struct sock *sk = NULL;
51893f88 3796 u16 control;
218bb9df
GP		 3797 u8 tx_seq;
3798 int len;
1da177e4 3799
baa7e1fa 3800 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 3801 if (!chan) {
1da177e4
LT		 3802 BT_DBG("unknown cid 0x%4.4x", cid);
3803 goto drop;
3804 }
3805
48454079 3806 sk = chan->sk;
6840ed07 3807
49208c9c 3808 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 3809
89bc500e 3810 if (chan->state != BT_CONNECTED)
1da177e4
LT		 3811 goto drop;
3812
0c1bc5c6 3813 switch (chan->mode) {
1c2acffb
GP		 3814 case L2CAP_MODE_BASIC:
3815 /* If socket recv buffers overflows we drop data here
3816 * which is *bad* because L2CAP has to be reliable.
3817 * But we don't have any other choice. L2CAP doesn't
3818 * provide flow control mechanism. */
1da177e4 3819
0c1bc5c6 3820 if (chan->imtu < skb->len)
1c2acffb 3821 goto drop;
1da177e4 3822
23070494 3823 if (!chan->ops->recv(chan->data, skb))
1c2acffb
GP		 3824 goto done;
3825 break;
3826
3827 case L2CAP_MODE_ERTM:
218bb9df
GP		 3828 if (!sock_owned_by_user(sk)) {
3829 l2cap_ertm_data_rcv(sk, skb);
277ffbe3 3830 } else {
218bb9df 3831 if (sk_add_backlog(sk, skb))
277ffbe3 3832 goto drop;
277ffbe3 3833 }
1c2acffb 3834
fcafde2e 3835 goto done;
1c2acffb 3836
6840ed07
GP		 3837 case L2CAP_MODE_STREAMING:
3838 control = get_unaligned_le16(skb->data);
3839 skb_pull(skb, 2);
3840 len = skb->len;
3841
47d1ec61 3842 if (l2cap_check_fcs(chan, skb))
26000089
GP		 3843 goto drop;
3844
6840ed07
GP		 3845 if (__is_sar_start(control))
3846 len -= 2;
3847
47d1ec61 3848 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3
GP		 3849 len -= 2;
3850
47d1ec61 3851 if (len > chan->mps || len < 0 || __is_sframe(control))
6840ed07
GP		 3852 goto drop;
3853
3854 tx_seq = __get_txseq(control);
3855
42e5c802
GP		 3856 if (chan->expected_tx_seq == tx_seq)
3857 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
6840ed07 3858 else
42e5c802 3859 chan->expected_tx_seq = (tx_seq + 1) % 64;
6840ed07 3860
525cd185 3861 l2cap_streaming_reassembly_sdu(chan, skb, control);
6840ed07
GP		 3862
3863 goto done;
3864
1c2acffb 3865 default:
0c1bc5c6 3866 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 3867 break;
3868 }
1da177e4
LT		 3869
3870drop:
3871 kfree_skb(skb);
3872
3873done:
0139418c
MH		 3874 if (sk)
3875 bh_unlock_sock(sk);
3876
1da177e4
LT		 3877 return 0;
3878}
3879
8e036fc3 3880static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
1da177e4 3881{
6dcae1ea 3882 struct sock *sk = NULL;
23691d75 3883 struct l2cap_chan *chan;
1da177e4 3884
23691d75
GP		 3885 chan = l2cap_global_chan_by_psm(0, psm, conn->src);
3886 if (!chan)
1da177e4
LT		 3887 goto drop;
3888
23691d75
GP		 3889 sk = chan->sk;
3890
e0f0cb56
GP		 3891 bh_lock_sock(sk);
3892
1da177e4
LT		 3893 BT_DBG("sk %p, len %d", sk, skb->len);
3894
89bc500e 3895 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 3896 goto drop;
3897
e13e21dc 3898 if (chan->imtu < skb->len)
1da177e4
LT		 3899 goto drop;
3900
23070494 3901 if (!chan->ops->recv(chan->data, skb))
1da177e4
LT		 3902 goto done;
3903
3904drop:
3905 kfree_skb(skb);
3906
3907done:
af05b30b
GP		 3908 if (sk)
3909 bh_unlock_sock(sk);
1da177e4
LT		 3910 return 0;
3911}
3912
9f69bda6
GP		 3913static inline int l2cap_att_channel(struct l2cap_conn *conn, __le16 cid, struct sk_buff *skb)
3914{
6dcae1ea 3915 struct sock *sk = NULL;
23691d75 3916 struct l2cap_chan *chan;
9f69bda6 3917
23691d75
GP		 3918 chan = l2cap_global_chan_by_scid(0, cid, conn->src);
3919 if (!chan)
9f69bda6
GP		 3920 goto drop;
3921
23691d75
GP		 3922 sk = chan->sk;
3923
9f69bda6
GP		 3924 bh_lock_sock(sk);
3925
3926 BT_DBG("sk %p, len %d", sk, skb->len);
3927
89bc500e 3928 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
9f69bda6
GP		 3929 goto drop;
3930
e13e21dc 3931 if (chan->imtu < skb->len)
9f69bda6
GP		 3932 goto drop;
3933
23070494 3934 if (!chan->ops->recv(chan->data, skb))
9f69bda6
GP		 3935 goto done;
3936
3937drop:
3938 kfree_skb(skb);
3939
3940done:
3941 if (sk)
3942 bh_unlock_sock(sk);
3943 return 0;
3944}
3945
1da177e4
LT		 3946static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
3947{
3948 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 3949 u16 cid, len;
3950 __le16 psm;
1da177e4
LT		 3951
3952 skb_pull(skb, L2CAP_HDR_SIZE);
3953 cid = __le16_to_cpu(lh->cid);
3954 len = __le16_to_cpu(lh->len);
3955
1c2acffb
GP		 3956 if (len != skb->len) {
3957 kfree_skb(skb);
3958 return;
3959 }
3960
1da177e4
LT		 3961 BT_DBG("len %d, cid 0x%4.4x", len, cid);
3962
3963 switch (cid) {
3300d9a9 3964 case L2CAP_CID_LE_SIGNALING:
8db4dc46 3965 case L2CAP_CID_SIGNALING:
1da177e4
LT		 3966 l2cap_sig_channel(conn, skb);
3967 break;
3968
8db4dc46 3969 case L2CAP_CID_CONN_LESS:
1b7bf4ed 3970 psm = get_unaligned_le16(skb->data);
1da177e4
LT		 3971 skb_pull(skb, 2);
3972 l2cap_conless_channel(conn, psm, skb);
3973 break;
3974
9f69bda6
GP		 3975 case L2CAP_CID_LE_DATA:
3976 l2cap_att_channel(conn, cid, skb);
3977 break;
3978
b501d6a1
AB		 3979 case L2CAP_CID_SMP:
3980 if (smp_sig_channel(conn, skb))
3981 l2cap_conn_del(conn->hcon, EACCES);
3982 break;
3983
1da177e4
LT		 3984 default:
3985 l2cap_data_channel(conn, cid, skb);
3986 break;
3987 }
3988}
3989
3990/* ---- L2CAP interface with lower layer (HCI) ---- */
3991
3992static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
3993{
3994 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 3995 struct l2cap_chan *c;
1da177e4
LT		 3996
3997 if (type != ACL_LINK)
963cf687 3998 return -EINVAL;
1da177e4
LT		 3999
4000 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
4001
4002 /* Find listening sockets and check their link_mode */
23691d75
GP		 4003 read_lock(&chan_list_lock);
4004 list_for_each_entry(c, &chan_list, global_l) {
4005 struct sock *sk = c->sk;
4343478f 4006
89bc500e 4007 if (c->state != BT_LISTEN)
1da177e4
LT		 4008 continue;
4009
4010 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 4011 lm1 |= HCI_LM_ACCEPT;
23691d75 4012 if (c->role_switch)
2af6b9d5 4013 lm1 |= HCI_LM_MASTER;
1da177e4 4014 exact++;
2af6b9d5
MH		 4015 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
4016 lm2 |= HCI_LM_ACCEPT;
23691d75 4017 if (c->role_switch)
2af6b9d5
MH		 4018 lm2 |= HCI_LM_MASTER;
4019 }
1da177e4 4020 }
23691d75 4021 read_unlock(&chan_list_lock);
1da177e4
LT		 4022
4023 return exact ? lm1 : lm2;
4024}
4025
4026static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
4027{
0139418c
MH		 4028 struct l2cap_conn *conn;
4029
1da177e4
LT		 4030 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
4031
acd7d370 4032 if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK))
963cf687 4033 return -EINVAL;
1da177e4
LT		 4034
4035 if (!status) {
1da177e4
LT		 4036 conn = l2cap_conn_add(hcon, status);
4037 if (conn)
4038 l2cap_conn_ready(conn);
0139418c 4039 } else
e175072f 4040 l2cap_conn_del(hcon, bt_to_errno(status));
1da177e4
LT		 4041
4042 return 0;
4043}
4044
2950f21a
MH		 4045static int l2cap_disconn_ind(struct hci_conn *hcon)
4046{
4047 struct l2cap_conn *conn = hcon->l2cap_data;
4048
4049 BT_DBG("hcon %p", hcon);
4050
b5694506 4051 if ((hcon->type != ACL_LINK && hcon->type != LE_LINK) || !conn)
2950f21a
MH		 4052 return 0x13;
4053
4054 return conn->disc_reason;
4055}
4056
4057static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 4058{
4059 BT_DBG("hcon %p reason %d", hcon, reason);
4060
acd7d370 4061 if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK))
963cf687 4062 return -EINVAL;
1da177e4 4063
e175072f 4064 l2cap_conn_del(hcon, bt_to_errno(reason));
0139418c 4065
1da177e4
LT		 4066 return 0;
4067}
4068
4343478f 4069static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 4070{
715ec005 4071 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 4072 return;
4073
f62e4323 4074 if (encrypt == 0x00) {
4343478f 4075 if (chan->sec_level == BT_SECURITY_MEDIUM) {
c9b66675
GP		 4076 __clear_chan_timer(chan);
4077 __set_chan_timer(chan, HZ * 5);
4343478f 4078 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 4079 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 4080 } else {
4343478f 4081 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 4082 __clear_chan_timer(chan);
f62e4323
MH		 4083 }
4084}
4085
8c1b2355 4086static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 4087{
0139418c 4088 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 4089 struct l2cap_chan *chan;
1da177e4 4090
0139418c 4091 if (!conn)
1da177e4 4092 return 0;
0139418c 4093
1da177e4
LT		 4094 BT_DBG("conn %p", conn);
4095
baa7e1fa 4096 read_lock(&conn->chan_lock);
1da177e4 4097
baa7e1fa 4098 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 4099 struct sock *sk = chan->sk;
baa7e1fa 4100
1da177e4
LT		 4101 bh_lock_sock(sk);
4102
f1cb9af5
VCG		 4103 BT_DBG("chan->scid %d", chan->scid);
4104
4105 if (chan->scid == L2CAP_CID_LE_DATA) {
4106 if (!status && encrypt) {
4107 chan->sec_level = hcon->sec_level;
5d3de7df 4108 del_timer(&conn->security_timer);
f1cb9af5 4109 l2cap_chan_ready(sk);
7034b911 4110 smp_distribute_keys(conn, 0);
f1cb9af5
VCG		 4111 }
4112
4113 bh_unlock_sock(sk);
4114 continue;
4115 }
4116
c1360a1c 4117 if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
6a8d3010
MH		 4118 bh_unlock_sock(sk);
4119 continue;
4120 }
4121
89bc500e
GP		 4122 if (!status && (chan->state == BT_CONNECTED ||
4123 chan->state == BT_CONFIG)) {
4343478f 4124 l2cap_check_encryption(chan, encrypt);
9719f8af
MH		 4125 bh_unlock_sock(sk);
4126 continue;
4127 }
4128
89bc500e 4129 if (chan->state == BT_CONNECT) {
b1235d79
MH		 4130 if (!status) {
4131 struct l2cap_conn_req req;
fe4128e0
GP		 4132 req.scid = cpu_to_le16(chan->scid);
4133 req.psm = chan->psm;
1da177e4 4134
fc7f8a7e 4135 chan->ident = l2cap_get_ident(conn);
c1360a1c 4136 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4 4137
fc7f8a7e 4138 l2cap_send_cmd(conn, chan->ident,
b1235d79
MH		 4139 L2CAP_CONN_REQ, sizeof(req), &req);
4140 } else {
c9b66675
GP		 4141 __clear_chan_timer(chan);
4142 __set_chan_timer(chan, HZ / 10);
b1235d79 4143 }
89bc500e 4144 } else if (chan->state == BT_CONNECT2) {
b1235d79 4145 struct l2cap_conn_rsp rsp;
df3c3931 4146 __u16 res, stat;
1da177e4 4147
b1235d79 4148 if (!status) {
df3c3931
JH		 4149 if (bt_sk(sk)->defer_setup) {
4150 struct sock *parent = bt_sk(sk)->parent;
4151 res = L2CAP_CR_PEND;
4152 stat = L2CAP_CS_AUTHOR_PEND;
05e9a2f6
IK		 4153 if (parent)
4154 parent->sk_data_ready(parent, 0);
df3c3931 4155 } else {
05558911 4156 l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 4157 res = L2CAP_CR_SUCCESS;
4158 stat = L2CAP_CS_NO_INFO;
4159 }
b1235d79 4160 } else {
89bc500e 4161 l2cap_state_change(chan, BT_DISCONN);
c9b66675 4162 __set_chan_timer(chan, HZ / 10);
df3c3931
JH		 4163 res = L2CAP_CR_SEC_BLOCK;
4164 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 4165 }
4166
fe4128e0
GP		 4167 rsp.scid = cpu_to_le16(chan->dcid);
4168 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 4169 rsp.result = cpu_to_le16(res);
4170 rsp.status = cpu_to_le16(stat);
fc7f8a7e
GP		 4171 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
4172 sizeof(rsp), &rsp);
b1235d79 4173 }
1da177e4
LT		 4174
4175 bh_unlock_sock(sk);
4176 }
4177
baa7e1fa 4178 read_unlock(&conn->chan_lock);
b1235d79 4179
1da177e4
LT		 4180 return 0;
4181}
4182
4183static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
4184{
4185 struct l2cap_conn *conn = hcon->l2cap_data;
4186
5a08ecce
AE		 4187 if (!conn)
4188 conn = l2cap_conn_add(hcon, 0);
4189
4190 if (!conn)
1da177e4
LT		 4191 goto drop;
4192
4193 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
4194
e702112f 4195 if (!(flags & ACL_CONT)) {
1da177e4 4196 struct l2cap_hdr *hdr;
48454079 4197 struct l2cap_chan *chan;
89794813 4198 u16 cid;
1da177e4
LT		 4199 int len;
4200
4201 if (conn->rx_len) {
4202 BT_ERR("Unexpected start frame (len %d)", skb->len);
4203 kfree_skb(conn->rx_skb);
4204 conn->rx_skb = NULL;
4205 conn->rx_len = 0;
4206 l2cap_conn_unreliable(conn, ECOMM);
4207 }
4208
aae7fe22
AE		 4209 /* Start fragment always begin with Basic L2CAP header */
4210 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 4211 BT_ERR("Frame is too short (len %d)", skb->len);
4212 l2cap_conn_unreliable(conn, ECOMM);
4213 goto drop;
4214 }
4215
4216 hdr = (struct l2cap_hdr *) skb->data;
4217 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
89794813 4218 cid = __le16_to_cpu(hdr->cid);
1da177e4
LT		 4219
4220 if (len == skb->len) {
4221 /* Complete frame received */
4222 l2cap_recv_frame(conn, skb);
4223 return 0;
4224 }
4225
4226 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
4227
4228 if (skb->len > len) {
4229 BT_ERR("Frame is too long (len %d, expected len %d)",
4230 skb->len, len);
4231 l2cap_conn_unreliable(conn, ECOMM);
4232 goto drop;
4233 }
4234
baa7e1fa 4235 chan = l2cap_get_chan_by_scid(conn, cid);
89794813 4236
48454079
GP		 4237 if (chan && chan->sk) {
4238 struct sock *sk = chan->sk;
89794813 4239
0c1bc5c6 4240 if (chan->imtu < len - L2CAP_HDR_SIZE) {
48454079
GP		 4241 BT_ERR("Frame exceeding recv MTU (len %d, "
4242 "MTU %d)", len,
0c1bc5c6 4243 chan->imtu);
48454079
GP		 4244 bh_unlock_sock(sk);
4245 l2cap_conn_unreliable(conn, ECOMM);
4246 goto drop;
4247 }
89794813 4248 bh_unlock_sock(sk);
48454079 4249 }
89794813 4250
1da177e4 4251 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 4252 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
4253 if (!conn->rx_skb)
1da177e4
LT		 4254 goto drop;
4255
d626f62b 4256 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4257 skb->len);
1da177e4
LT		 4258 conn->rx_len = len - skb->len;
4259 } else {
4260 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
4261
4262 if (!conn->rx_len) {
4263 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
4264 l2cap_conn_unreliable(conn, ECOMM);
4265 goto drop;
4266 }
4267
4268 if (skb->len > conn->rx_len) {
4269 BT_ERR("Fragment is too long (len %d, expected %d)",
4270 skb->len, conn->rx_len);
4271 kfree_skb(conn->rx_skb);
4272 conn->rx_skb = NULL;
4273 conn->rx_len = 0;
4274 l2cap_conn_unreliable(conn, ECOMM);
4275 goto drop;
4276 }
4277
d626f62b 4278 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4279 skb->len);
1da177e4
LT		 4280 conn->rx_len -= skb->len;
4281
4282 if (!conn->rx_len) {
4283 /* Complete frame received */
4284 l2cap_recv_frame(conn, conn->rx_skb);
4285 conn->rx_skb = NULL;
4286 }
4287 }
4288
4289drop:
4290 kfree_skb(skb);
4291 return 0;
4292}
4293
aef7d97c 4294static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 4295{
23691d75 4296 struct l2cap_chan *c;
1da177e4 4297
23691d75 4298 read_lock_bh(&chan_list_lock);
1da177e4 4299
23691d75
GP		 4300 list_for_each_entry(c, &chan_list, global_l) {
4301 struct sock *sk = c->sk;
101545f6 4302
903d343e 4303 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
aef7d97c
MH		 4304 batostr(&bt_sk(sk)->src),
4305 batostr(&bt_sk(sk)->dst),
89bc500e 4306 c->state, __le16_to_cpu(c->psm),
23691d75
GP		 4307 c->scid, c->dcid, c->imtu, c->omtu,
4308 c->sec_level, c->mode);
05558911 4309}
1da177e4 4310
23691d75 4311 read_unlock_bh(&chan_list_lock);
1da177e4 4312
aef7d97c 4313 return 0;
1da177e4
LT		 4314}
4315
aef7d97c
MH		 4316static int l2cap_debugfs_open(struct inode *inode, struct file *file)
4317{
4318 return single_open(file, l2cap_debugfs_show, inode->i_private);
4319}
4320
4321static const struct file_operations l2cap_debugfs_fops = {
4322 .open = l2cap_debugfs_open,
4323 .read = seq_read,
4324 .llseek = seq_lseek,
4325 .release = single_release,
4326};
4327
4328static struct dentry *l2cap_debugfs;
1da177e4 4329
1da177e4
LT		 4330static struct hci_proto l2cap_hci_proto = {
4331 .name = "L2CAP",
4332 .id = HCI_PROTO_L2CAP,
4333 .connect_ind = l2cap_connect_ind,
4334 .connect_cfm = l2cap_connect_cfm,
4335 .disconn_ind = l2cap_disconn_ind,
2950f21a 4336 .disconn_cfm = l2cap_disconn_cfm,
8c1b2355 4337 .security_cfm = l2cap_security_cfm,
1da177e4
LT		 4338 .recv_acldata = l2cap_recv_acldata
4339};
4340
64274518 4341int __init l2cap_init(void)
1da177e4
LT		 4342{
4343 int err;
be9d1227 4344
bb58f747 4345 err = l2cap_init_sockets();
1da177e4
LT		 4346 if (err < 0)
4347 return err;
4348
1da177e4
LT		 4349 err = hci_register_proto(&l2cap_hci_proto);
4350 if (err < 0) {
4351 BT_ERR("L2CAP protocol registration failed");
4352 bt_sock_unregister(BTPROTO_L2CAP);
4353 goto error;
4354 }
4355
aef7d97c
MH		 4356 if (bt_debugfs) {
4357 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
4358 bt_debugfs, NULL, &l2cap_debugfs_fops);
4359 if (!l2cap_debugfs)
4360 BT_ERR("Failed to create L2CAP debug file");
4361 }
1da177e4 4362
1da177e4
LT		 4363 return 0;
4364
4365error:
bb58f747 4366 l2cap_cleanup_sockets();
1da177e4
LT		 4367 return err;
4368}
4369
64274518 4370void l2cap_exit(void)
1da177e4 4371{
aef7d97c 4372 debugfs_remove(l2cap_debugfs);
1da177e4 4373
1da177e4
LT		 4374 if (hci_unregister_proto(&l2cap_hci_proto) < 0)
4375 BT_ERR("L2CAP protocol unregistration failed");
4376
bb58f747 4377 l2cap_cleanup_sockets();
1da177e4
LT		 4378}
4379
d1c4a17d
GP		 4380module_param(disable_ertm, bool, 0644);
4381MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
kernel source for telekom puls (alcatel/mediatek)